//===-- X86AsmInstrumentation.cpp - Instrument X86 inline assembly C++ -*-===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
#include "MCTargetDesc/X86BaseInfo.h"
#include "X86AsmInstrumentation.h"
#include "X86Operand.h"
#include "llvm/ADT/StringExtras.h"
#include "llvm/ADT/Triple.h"
#include "llvm/IR/Function.h"
#include "llvm/MC/MCContext.h"
#include "llvm/MC/MCInst.h"
#include "llvm/MC/MCInstBuilder.h"
#include "llvm/MC/MCInstrInfo.h"
#include "llvm/MC/MCParser/MCParsedAsmOperand.h"
#include "llvm/MC/MCStreamer.h"
#include "llvm/MC/MCSubtargetInfo.h"
#include "llvm/MC/MCTargetAsmParser.h"
#include "llvm/MC/MCTargetOptions.h"
#include "llvm/Support/CommandLine.h"
namespace llvm {
namespace {
static cl::opt<bool> ClAsanInstrumentAssembly(
"asan-instrument-assembly",
cl::desc("instrument assembly with AddressSanitizer checks"), cl::Hidden,
cl::init(false));
bool IsStackReg(unsigned Reg) {
return Reg == X86::RSP || Reg == X86::ESP || Reg == X86::SP;
}
std::string FuncName(unsigned AccessSize, bool IsWrite) {
return std::string("__asan_report_") + (IsWrite ? "store" : "load") +
utostr(AccessSize);
}
class X86AddressSanitizer : public X86AsmInstrumentation {
public:
X86AddressSanitizer(const MCSubtargetInfo &STI) : STI(STI) {}
virtual ~X86AddressSanitizer() {}
// X86AsmInstrumentation implementation:
virtual void InstrumentInstruction(
const MCInst &Inst, OperandVector &Operands, MCContext &Ctx,
const MCInstrInfo &MII, MCStreamer &Out) override {
InstrumentMOV(Inst, Operands, Ctx, MII, Out);
}
// Should be implemented differently in x86_32 and x86_64 subclasses.
virtual void InstrumentMemOperandSmallImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) = 0;
virtual void InstrumentMemOperandLargeImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) = 0;
void InstrumentMemOperand(MCParsedAsmOperand &Op, unsigned AccessSize,
bool IsWrite, MCContext &Ctx, MCStreamer &Out);
void InstrumentMOV(const MCInst &Inst, OperandVector &Operands,
MCContext &Ctx, const MCInstrInfo &MII, MCStreamer &Out);
void EmitInstruction(MCStreamer &Out, const MCInst &Inst) {
Out.EmitInstruction(Inst, STI);
}
void EmitLabel(MCStreamer &Out, MCSymbol *Label) { Out.EmitLabel(Label); }
protected:
const MCSubtargetInfo &STI;
};
void X86AddressSanitizer::InstrumentMemOperand(
MCParsedAsmOperand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) {
assert(Op.isMem() && "Op should be a memory operand.");
assert((AccessSize & (AccessSize - 1)) == 0 && AccessSize <= 16 &&
"AccessSize should be a power of two, less or equal than 16.");
X86Operand &MemOp = static_cast<X86Operand &>(Op);
// FIXME: get rid of this limitation.
if (IsStackReg(MemOp.getMemBaseReg()) || IsStackReg(MemOp.getMemIndexReg()))
return;
// FIXME: take into account load/store alignment.
if (AccessSize < 8)
InstrumentMemOperandSmallImpl(MemOp, AccessSize, IsWrite, Ctx, Out);
else
InstrumentMemOperandLargeImpl(MemOp, AccessSize, IsWrite, Ctx, Out);
}
void X86AddressSanitizer::InstrumentMOV(
const MCInst &Inst, OperandVector &Operands, MCContext &Ctx,
const MCInstrInfo &MII, MCStreamer &Out) {
// Access size in bytes.
unsigned AccessSize = 0;
switch (Inst.getOpcode()) {
case X86::MOV8mi:
case X86::MOV8mr:
case X86::MOV8rm:
AccessSize = 1;
break;
case X86::MOV16mi:
case X86::MOV16mr:
case X86::MOV16rm:
AccessSize = 2;
break;
case X86::MOV32mi:
case X86::MOV32mr:
case X86::MOV32rm:
AccessSize = 4;
break;
case X86::MOV64mi32:
case X86::MOV64mr:
case X86::MOV64rm:
AccessSize = 8;
break;
case X86::MOVAPDmr:
case X86::MOVAPSmr:
case X86::MOVAPDrm:
case X86::MOVAPSrm:
AccessSize = 16;
break;
default:
return;
}
const bool IsWrite = MII.get(Inst.getOpcode()).mayStore();
for (unsigned Ix = 0; Ix < Operands.size(); ++Ix) {
assert(Operands[Ix]);
MCParsedAsmOperand &Op = *Operands[Ix];
if (Op.isMem())
InstrumentMemOperand(Op, AccessSize, IsWrite, Ctx, Out);
}
}
class X86AddressSanitizer32 : public X86AddressSanitizer {
public:
static const long kShadowOffset = 0x20000000;
X86AddressSanitizer32(const MCSubtargetInfo &STI)
: X86AddressSanitizer(STI) {}
virtual ~X86AddressSanitizer32() {}
virtual void InstrumentMemOperandSmallImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) override;
virtual void InstrumentMemOperandLargeImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) override;
private:
void EmitCallAsanReport(MCContext &Ctx, MCStreamer &Out, unsigned AccessSize,
bool IsWrite, unsigned AddressReg) {
EmitInstruction(Out, MCInstBuilder(X86::CLD));
EmitInstruction(Out, MCInstBuilder(X86::MMX_EMMS));
EmitInstruction(Out, MCInstBuilder(X86::AND64ri8).addReg(X86::ESP)
.addReg(X86::ESP).addImm(-16));
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(AddressReg));
const std::string& Fn = FuncName(AccessSize, IsWrite);
MCSymbol *FnSym = Ctx.GetOrCreateSymbol(StringRef(Fn));
const MCSymbolRefExpr *FnExpr =
MCSymbolRefExpr::Create(FnSym, MCSymbolRefExpr::VK_PLT, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::CALLpcrel32).addExpr(FnExpr));
}
};
void X86AddressSanitizer32::InstrumentMemOperandSmallImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) {
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(X86::ECX));
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(X86::EDX));
EmitInstruction(Out, MCInstBuilder(X86::PUSHF32));
{
MCInst Inst;
Inst.setOpcode(X86::LEA32r);
Inst.addOperand(MCOperand::CreateReg(X86::EAX));
Op.addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(
Out, MCInstBuilder(X86::MOV32rr).addReg(X86::ECX).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::SHR32ri).addReg(X86::ECX)
.addReg(X86::ECX).addImm(3));
{
MCInst Inst;
Inst.setOpcode(X86::MOV8rm);
Inst.addOperand(MCOperand::CreateReg(X86::CL));
const MCExpr *Disp = MCConstantExpr::Create(kShadowOffset, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::ECX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(Out,
MCInstBuilder(X86::TEST8rr).addReg(X86::CL).addReg(X86::CL));
MCSymbol *DoneSym = Ctx.CreateTempSymbol();
const MCExpr *DoneExpr = MCSymbolRefExpr::Create(DoneSym, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::JE_4).addExpr(DoneExpr));
EmitInstruction(
Out, MCInstBuilder(X86::MOV32rr).addReg(X86::EDX).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::AND32ri).addReg(X86::EDX)
.addReg(X86::EDX).addImm(7));
switch (AccessSize) {
case 1:
break;
case 2: {
MCInst Inst;
Inst.setOpcode(X86::LEA32r);
Inst.addOperand(MCOperand::CreateReg(X86::EDX));
const MCExpr *Disp = MCConstantExpr::Create(1, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::EDX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
break;
}
case 4:
EmitInstruction(Out, MCInstBuilder(X86::ADD32ri8).addReg(X86::EDX)
.addReg(X86::EDX).addImm(3));
break;
default:
assert(false && "Incorrect access size");
break;
}
EmitInstruction(
Out, MCInstBuilder(X86::MOVSX32rr8).addReg(X86::ECX).addReg(X86::CL));
EmitInstruction(
Out, MCInstBuilder(X86::CMP32rr).addReg(X86::EDX).addReg(X86::ECX));
EmitInstruction(Out, MCInstBuilder(X86::JL_4).addExpr(DoneExpr));
EmitCallAsanReport(Ctx, Out, AccessSize, IsWrite, X86::EAX);
EmitLabel(Out, DoneSym);
EmitInstruction(Out, MCInstBuilder(X86::POPF32));
EmitInstruction(Out, MCInstBuilder(X86::POP32r).addReg(X86::EDX));
EmitInstruction(Out, MCInstBuilder(X86::POP32r).addReg(X86::ECX));
EmitInstruction(Out, MCInstBuilder(X86::POP32r).addReg(X86::EAX));
}
void X86AddressSanitizer32::InstrumentMemOperandLargeImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) {
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::PUSH32r).addReg(X86::ECX));
EmitInstruction(Out, MCInstBuilder(X86::PUSHF32));
{
MCInst Inst;
Inst.setOpcode(X86::LEA32r);
Inst.addOperand(MCOperand::CreateReg(X86::EAX));
Op.addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(
Out, MCInstBuilder(X86::MOV32rr).addReg(X86::ECX).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::SHR32ri).addReg(X86::ECX)
.addReg(X86::ECX).addImm(3));
{
MCInst Inst;
switch (AccessSize) {
case 8:
Inst.setOpcode(X86::CMP8mi);
break;
case 16:
Inst.setOpcode(X86::CMP16mi);
break;
default:
assert(false && "Incorrect access size");
break;
}
const MCExpr *Disp = MCConstantExpr::Create(kShadowOffset, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::ECX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
Inst.addOperand(MCOperand::CreateImm(0));
EmitInstruction(Out, Inst);
}
MCSymbol *DoneSym = Ctx.CreateTempSymbol();
const MCExpr *DoneExpr = MCSymbolRefExpr::Create(DoneSym, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::JE_4).addExpr(DoneExpr));
EmitCallAsanReport(Ctx, Out, AccessSize, IsWrite, X86::EAX);
EmitLabel(Out, DoneSym);
EmitInstruction(Out, MCInstBuilder(X86::POPF32));
EmitInstruction(Out, MCInstBuilder(X86::POP32r).addReg(X86::ECX));
EmitInstruction(Out, MCInstBuilder(X86::POP32r).addReg(X86::EAX));
}
class X86AddressSanitizer64 : public X86AddressSanitizer {
public:
static const long kShadowOffset = 0x7fff8000;
X86AddressSanitizer64(const MCSubtargetInfo &STI)
: X86AddressSanitizer(STI) {}
virtual ~X86AddressSanitizer64() {}
virtual void InstrumentMemOperandSmallImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) override;
virtual void InstrumentMemOperandLargeImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) override;
private:
void EmitAdjustRSP(MCContext &Ctx, MCStreamer &Out, long Offset) {
MCInst Inst;
Inst.setOpcode(X86::LEA64r);
Inst.addOperand(MCOperand::CreateReg(X86::RSP));
const MCExpr *Disp = MCConstantExpr::Create(Offset, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::RSP, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
void EmitCallAsanReport(MCContext &Ctx, MCStreamer &Out, unsigned AccessSize,
bool IsWrite) {
EmitInstruction(Out, MCInstBuilder(X86::CLD));
EmitInstruction(Out, MCInstBuilder(X86::MMX_EMMS));
EmitInstruction(Out, MCInstBuilder(X86::AND64ri8).addReg(X86::RSP)
.addReg(X86::RSP).addImm(-16));
const std::string& Fn = FuncName(AccessSize, IsWrite);
MCSymbol *FnSym = Ctx.GetOrCreateSymbol(StringRef(Fn));
const MCSymbolRefExpr *FnExpr =
MCSymbolRefExpr::Create(FnSym, MCSymbolRefExpr::VK_PLT, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::CALL64pcrel32).addExpr(FnExpr));
}
};
void X86AddressSanitizer64::InstrumentMemOperandSmallImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) {
EmitAdjustRSP(Ctx, Out, -128);
EmitInstruction(Out, MCInstBuilder(X86::PUSH64r).addReg(X86::RAX));
EmitInstruction(Out, MCInstBuilder(X86::PUSH64r).addReg(X86::RCX));
EmitInstruction(Out, MCInstBuilder(X86::PUSH64r).addReg(X86::RDI));
EmitInstruction(Out, MCInstBuilder(X86::PUSHF64));
{
MCInst Inst;
Inst.setOpcode(X86::LEA64r);
Inst.addOperand(MCOperand::CreateReg(X86::RDI));
Op.addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(
Out, MCInstBuilder(X86::MOV64rr).addReg(X86::RAX).addReg(X86::RDI));
EmitInstruction(Out, MCInstBuilder(X86::SHR64ri).addReg(X86::RAX)
.addReg(X86::RAX).addImm(3));
{
MCInst Inst;
Inst.setOpcode(X86::MOV8rm);
Inst.addOperand(MCOperand::CreateReg(X86::AL));
const MCExpr *Disp = MCConstantExpr::Create(kShadowOffset, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::RAX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(Out,
MCInstBuilder(X86::TEST8rr).addReg(X86::AL).addReg(X86::AL));
MCSymbol *DoneSym = Ctx.CreateTempSymbol();
const MCExpr *DoneExpr = MCSymbolRefExpr::Create(DoneSym, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::JE_4).addExpr(DoneExpr));
EmitInstruction(
Out, MCInstBuilder(X86::MOV32rr).addReg(X86::ECX).addReg(X86::EDI));
EmitInstruction(Out, MCInstBuilder(X86::AND32ri).addReg(X86::ECX)
.addReg(X86::ECX).addImm(7));
switch (AccessSize) {
case 1:
break;
case 2: {
MCInst Inst;
Inst.setOpcode(X86::LEA32r);
Inst.addOperand(MCOperand::CreateReg(X86::ECX));
const MCExpr *Disp = MCConstantExpr::Create(1, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::ECX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
break;
}
case 4:
EmitInstruction(Out, MCInstBuilder(X86::ADD32ri8).addReg(X86::ECX)
.addReg(X86::ECX).addImm(3));
break;
default:
assert(false && "Incorrect access size");
break;
}
EmitInstruction(
Out, MCInstBuilder(X86::MOVSX32rr8).addReg(X86::EAX).addReg(X86::AL));
EmitInstruction(
Out, MCInstBuilder(X86::CMP32rr).addReg(X86::ECX).addReg(X86::EAX));
EmitInstruction(Out, MCInstBuilder(X86::JL_4).addExpr(DoneExpr));
EmitCallAsanReport(Ctx, Out, AccessSize, IsWrite);
EmitLabel(Out, DoneSym);
EmitInstruction(Out, MCInstBuilder(X86::POPF64));
EmitInstruction(Out, MCInstBuilder(X86::POP64r).addReg(X86::RDI));
EmitInstruction(Out, MCInstBuilder(X86::POP64r).addReg(X86::RCX));
EmitInstruction(Out, MCInstBuilder(X86::POP64r).addReg(X86::RAX));
EmitAdjustRSP(Ctx, Out, 128);
}
void X86AddressSanitizer64::InstrumentMemOperandLargeImpl(
X86Operand &Op, unsigned AccessSize, bool IsWrite, MCContext &Ctx,
MCStreamer &Out) {
EmitAdjustRSP(Ctx, Out, -128);
EmitInstruction(Out, MCInstBuilder(X86::PUSH64r).addReg(X86::RAX));
EmitInstruction(Out, MCInstBuilder(X86::PUSHF64));
{
MCInst Inst;
Inst.setOpcode(X86::LEA64r);
Inst.addOperand(MCOperand::CreateReg(X86::RAX));
Op.addMemOperands(Inst, 5);
EmitInstruction(Out, Inst);
}
EmitInstruction(Out, MCInstBuilder(X86::SHR64ri).addReg(X86::RAX)
.addReg(X86::RAX).addImm(3));
{
MCInst Inst;
switch (AccessSize) {
case 8:
Inst.setOpcode(X86::CMP8mi);
break;
case 16:
Inst.setOpcode(X86::CMP16mi);
break;
default:
assert(false && "Incorrect access size");
break;
}
const MCExpr *Disp = MCConstantExpr::Create(kShadowOffset, Ctx);
std::unique_ptr<X86Operand> Op(
X86Operand::CreateMem(0, Disp, X86::RAX, 0, 1, SMLoc(), SMLoc()));
Op->addMemOperands(Inst, 5);
Inst.addOperand(MCOperand::CreateImm(0));
EmitInstruction(Out, Inst);
}
MCSymbol *DoneSym = Ctx.CreateTempSymbol();
const MCExpr *DoneExpr = MCSymbolRefExpr::Create(DoneSym, Ctx);
EmitInstruction(Out, MCInstBuilder(X86::JE_4).addExpr(DoneExpr));
EmitCallAsanReport(Ctx, Out, AccessSize, IsWrite);
EmitLabel(Out, DoneSym);
EmitInstruction(Out, MCInstBuilder(X86::POPF64));
EmitInstruction(Out, MCInstBuilder(X86::POP64r).addReg(X86::RAX));
EmitAdjustRSP(Ctx, Out, 128);
}
} // End anonymous namespace
X86AsmInstrumentation::X86AsmInstrumentation() {}
X86AsmInstrumentation::~X86AsmInstrumentation() {}
void X86AsmInstrumentation::InstrumentInstruction(
const MCInst &Inst, OperandVector &Operands, MCContext &Ctx,
const MCInstrInfo &MII, MCStreamer &Out) {}
X86AsmInstrumentation *
CreateX86AsmInstrumentation(const MCTargetOptions &MCOptions,
const MCContext &Ctx, const MCSubtargetInfo &STI) {
Triple T(STI.getTargetTriple());
const bool hasCompilerRTSupport = T.isOSLinux();
if (ClAsanInstrumentAssembly && hasCompilerRTSupport &&
MCOptions.SanitizeAddress) {
if ((STI.getFeatureBits() & X86::Mode32Bit) != 0)
return new X86AddressSanitizer32(STI);
if ((STI.getFeatureBits() & X86::Mode64Bit) != 0)
return new X86AddressSanitizer64(STI);
}
return new X86AsmInstrumentation();
}
} // End llvm namespace