clang  14.0.0git
SanitizerMetadata.cpp
Go to the documentation of this file.
1 //===--- SanitizerMetadata.cpp - Ignored entities for sanitizers ----------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Class which emits metadata consumed by sanitizer instrumentation passes.
10 //
11 //===----------------------------------------------------------------------===//
12 #include "SanitizerMetadata.h"
13 #include "CodeGenModule.h"
14 #include "clang/AST/Attr.h"
15 #include "clang/AST/Type.h"
17 #include "llvm/ADT/StringRef.h"
18 #include "llvm/IR/Constants.h"
19 
20 using namespace clang;
21 using namespace CodeGen;
22 
23 SanitizerMetadata::SanitizerMetadata(CodeGenModule &CGM) : CGM(CGM) {}
24 
25 static bool isAsanHwasanOrMemTag(const SanitizerSet& SS) {
26  return SS.hasOneOf(SanitizerKind::Address | SanitizerKind::KernelAddress |
27  SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress |
28  SanitizerKind::MemTag);
29 }
30 
31 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
32  SourceLocation Loc, StringRef Name,
33  QualType Ty, bool IsDynInit,
34  bool IsExcluded) {
36  return;
37  IsDynInit &= !CGM.isInNoSanitizeList(GV, Loc, Ty, "init");
38  IsExcluded |= CGM.isInNoSanitizeList(GV, Loc, Ty);
39 
40  llvm::Metadata *LocDescr = nullptr;
41  llvm::Metadata *GlobalName = nullptr;
42  llvm::LLVMContext &VMContext = CGM.getLLVMContext();
43  if (!IsExcluded) {
44  // Don't generate source location and global name if it is on
45  // the NoSanitizeList - it won't be instrumented anyway.
46  LocDescr = getLocationMetadata(Loc);
47  if (!Name.empty())
48  GlobalName = llvm::MDString::get(VMContext, Name);
49  }
50 
51  llvm::Metadata *GlobalMetadata[] = {
52  llvm::ConstantAsMetadata::get(GV), LocDescr, GlobalName,
53  llvm::ConstantAsMetadata::get(
54  llvm::ConstantInt::get(llvm::Type::getInt1Ty(VMContext), IsDynInit)),
55  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
56  llvm::Type::getInt1Ty(VMContext), IsExcluded))};
57 
58  llvm::MDNode *ThisGlobal = llvm::MDNode::get(VMContext, GlobalMetadata);
59  llvm::NamedMDNode *AsanGlobals =
60  CGM.getModule().getOrInsertNamedMetadata("llvm.asan.globals");
61  AsanGlobals->addOperand(ThisGlobal);
62 }
63 
64 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
65  const VarDecl &D, bool IsDynInit) {
67  return;
68  std::string QualName;
69  llvm::raw_string_ostream OS(QualName);
70  D.printQualifiedName(OS);
71 
72  bool IsExcluded = false;
73  for (auto Attr : D.specific_attrs<NoSanitizeAttr>())
74  if (Attr->getMask() & SanitizerKind::Address)
75  IsExcluded = true;
76  reportGlobalToASan(GV, D.getLocation(), OS.str(), D.getType(), IsDynInit,
77  IsExcluded);
78 }
79 
80 void SanitizerMetadata::disableSanitizerForGlobal(llvm::GlobalVariable *GV) {
81  // For now, just make sure the global is not modified by the ASan
82  // instrumentation.
84  reportGlobalToASan(GV, SourceLocation(), "", QualType(), false, true);
85 }
86 
88  I->setMetadata(CGM.getModule().getMDKindID("nosanitize"),
89  llvm::MDNode::get(CGM.getLLVMContext(), None));
90 }
91 
92 llvm::MDNode *SanitizerMetadata::getLocationMetadata(SourceLocation Loc) {
94  if (!PLoc.isValid())
95  return nullptr;
96  llvm::LLVMContext &VMContext = CGM.getLLVMContext();
97  llvm::Metadata *LocMetadata[] = {
98  llvm::MDString::get(VMContext, PLoc.getFilename()),
99  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
100  llvm::Type::getInt32Ty(VMContext), PLoc.getLine())),
101  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
102  llvm::Type::getInt32Ty(VMContext), PLoc.getColumn())),
103  };
104  return llvm::MDNode::get(VMContext, LocMetadata);
105 }
clang::interp::Add
bool Add(InterpState &S, CodePtr OpPC)
Definition: Interp.h:134
efficiently
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these efficiently
Definition: README.txt:56
example
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For example
Definition: README.txt:61
type
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
clang::PresumedLoc::getLine
unsigned getLine() const
Return the presumed line number of this location.
Definition: SourceLocation.h:339
PreVisitCallExpr
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the PreVisitCallExpr() method is called by GRExprEngine to tell the Checker that we are about to analyze a CallExpr
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
Definition: RecursiveASTVisitor.h:1002
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:88
dot
float __ovld __cnfn dot(float p0, float p1)
Compute dot product.
clang::CodeGen::SanitizerMetadata::reportGlobalToASan
void reportGlobalToASan(llvm::GlobalVariable *GV, const VarDecl &D, bool IsDynInit=false)
Definition: SanitizerMetadata.cpp:64
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:673
Attr.h
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:54
clang::CodeGen::SanitizerMetadata::disableSanitizerForInstruction
void disableSanitizerForInstruction(llvm::Instruction *I)
Definition: SanitizerMetadata.cpp:87
clang::CodeGen::CodeGenModule::getContext
ASTContext & getContext() const
Definition: CodeGenModule.h:702
clang::SanitizerSet::hasOneOf
bool hasOneOf(SanitizerMask K) const
Check if one or more sanitizers are enabled.
Definition: Sanitizers.h:161
change
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to change
Definition: README.txt:32
SourceManager.h
clang::CodeGen::CodeGenModule::getLangOpts
const LangOptions & getLangOpts() const
Definition: CodeGenModule.h:703
clang::SourceManager::getPresumedLoc
PresumedLoc getPresumedLoc(SourceLocation Loc, bool UseLineDirectives=true) const
Returns the "presumed" location of a SourceLocation specifies.
Definition: SourceManager.cpp:1518
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:694
engine
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis engine
Definition: README.txt:15
interfaces
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor interfaces(Checker.h and CheckerVisitor.h). The Checker interface is designed to be minimal and simple for checker writers
graph
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded graph(ExplodedGraph). The term "exploded" comes from exploding the control-flow edges in the control-flow graph(CFG). Conceptually the analyzer does a reachability analysis through the ExplodedGraph. We start at a root node
nothing
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do nothing
Definition: README.txt:64
not
#define not
Definition: iso646.h:19
clang::SanitizerSet
Definition: Sanitizers.h:153
clang::Decl::specific_attrs
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:529
clang::PresumedLoc::getFilename
const char * getFilename() const
Return the presumed filename of this location.
Definition: SourceLocation.h:326
clang::CodeGen::CodeGenModule::getModule
llvm::Module & getModule() const
Definition: CodeGenModule.h:709
isAsanHwasanOrMemTag
static bool isAsanHwasanOrMemTag(const SanitizerSet &SS)
Definition: SanitizerMetadata.cpp:25
Type.h
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:876
problem
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a it can tell the BugReporter object about the providing it an ExplodedNode which is the last node in the path that triggered the problem
Definition: README.txt:70
clang::PresumedLoc::getColumn
unsigned getColumn() const
Return the presumed column number of this location.
Definition: SourceLocation.h:347
clang::for
for(auto typeArg :T->getTypeArgsAsWritten())
Definition: RecursiveASTVisitor.h:1063
CodeGenModule.h
x
IRgen optimization opportunities The common pattern of short x
Definition: README.txt:7
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::CodeGen::SanitizerMetadata::disableSanitizerForGlobal
void disableSanitizerForGlobal(llvm::GlobalVariable *GV)
Definition: SanitizerMetadata.cpp:80
sign
float __ovld __cnfn sign(float x)
Returns 1.0 if x > 0, -0.0 if x = -0.0, +0.0 if x = +0.0, or -1.0 if x < 0.
clang::LangOptions::Sanitize
SanitizerSet Sanitize
Set of enabled sanitizers.
Definition: LangOptions.h:294
and
#define and
Definition: iso646.h:14
clang::serialized_diags::create
std::unique_ptr< DiagnosticConsumer > create(StringRef OutputFile, DiagnosticOptions *Diags, bool MergeChildRecords=false)
Returns a DiagnosticConsumer that serializes diagnostics to a bitcode file.
Definition: SerializedDiagnosticPrinter.cpp:302
bug
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a bug
Definition: README.txt:66
SanitizerMetadata.h
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1521
clang::CodeGen::CodeGenModule
This class organizes the cross-function state that is used while generating LLVM code.
Definition: CodeGenModule.h:284
clang::transformer::expression
Stencil expression(llvm::StringRef Id)
Generates the source of the expression bound to Id, wrapping it in parentheses if it may parse differ...
Definition: Stencil.cpp:425
ProgramState
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a ProgramState
Definition: README.txt:34
program
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the program(values of variables and expressions) is encapsulated by the state(ProgramState). A location in the program is called a program point(ProgramPoint)
clang::transformer::between
RangeSelector between(RangeSelector R1, RangeSelector R2)
Selects the range between R1 and `R2.
Definition: RangeSelector.h:60
contains
static bool contains(const std::set< tok::TokenKind > &Terminators, const Token &Tok)
Definition: SourceCode.cpp:108
clang::PresumedLoc::isValid
bool isValid() const
Definition: SourceLocation.h:321
clang::interp::This
bool This(InterpState &S, CodePtr OpPC)
Definition: Interp.h:829
clang
Definition: CalledOnceCheck.h:17
clang::Attr
Attr - This represents one attribute.
Definition: Attr.h:46
clang::transformer::node
RangeSelector node(std::string ID)
Selects a node, including trailing semicolon, if any (for declarations and non-expression statements)...
Definition: RangeSelector.cpp:141
clang::PresumedLoc
Represents an unpacked "presumed" location which can be presented to the user.
Definition: SourceLocation.h:304
any
int __ovld __cnfn any(char x)
Returns 1 if the most significant bit in any component of x is set; otherwise returns 0.
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:687
all
int __ovld __cnfn all(char x)
Returns 1 if the most significant bit in all components of x is set; otherwise returns 0.
clang::NamedDecl::printQualifiedName
void printQualifiedName(raw_ostream &OS) const
Returns a human-readable qualified name for this declaration, like A::B::i, for i being member of nam...
Definition: Decl.cpp:1573
clang::transformer::before
RangeSelector before(RangeSelector Selector)
Selects the (empty) range [B,B) when Selector selects the range [B,E).
Definition: RangeSelector.cpp:106
clang::ast_matchers::has
const internal::ArgumentAdaptingMatcherFunc< internal::HasMatcher > has
Matches AST nodes that have child AST nodes that match the provided matcher.
Definition: ASTMatchersInternal.cpp:994
clang::Decl::getLocation
SourceLocation getLocation() const
Definition: DeclBase.h:430
GCCTypeClass::None
@ None
or
#define or
Definition: iso646.h:21
clang::CodeGen::CodeGenModule::getLLVMContext
llvm::LLVMContext & getLLVMContext()
Definition: CodeGenModule.h:720
structures
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data structures(e.g., ImmutableMaps) which share data between instances. Finally
clang::ento::simplify
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym)
Try to simplify a given symbolic expression's associated value based on the constraints in State.
Definition: RangedConstraintManager.cpp:229
clang::CodeGen::CodeGenModule::isInNoSanitizeList
bool isInNoSanitizeList(SanitizerMask Kind, llvm::Function *Fn, SourceLocation Loc) const
Definition: CodeGenModule.cpp:2603