clang  15.0.0git
SanitizerMetadata.cpp
Go to the documentation of this file.
1 //===--- SanitizerMetadata.cpp - Ignored entities for sanitizers ----------===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // Class which emits metadata consumed by sanitizer instrumentation passes.
10 //
11 //===----------------------------------------------------------------------===//
12 #include "SanitizerMetadata.h"
13 #include "CodeGenModule.h"
14 #include "clang/AST/Attr.h"
15 #include "clang/AST/Type.h"
16 #include "clang/Basic/SourceManager.h"
17 #include "llvm/ADT/StringRef.h"
18 #include "llvm/IR/Constants.h"
19 
20 using namespace clang;
21 using namespace CodeGen;
22 
23 SanitizerMetadata::SanitizerMetadata(CodeGenModule &CGM) : CGM(CGM) {}
24 
25 static bool isAsanHwasanOrMemTag(const SanitizerSet& SS) {
26  return SS.hasOneOf(SanitizerKind::Address | SanitizerKind::KernelAddress |
27  SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress |
28  SanitizerKind::MemTag);
29 }
30 
31 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
32  SourceLocation Loc, StringRef Name,
33  QualType Ty, bool IsDynInit,
34  bool IsExcluded) {
35  if (!isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
36  return;
37  IsDynInit &= !CGM.isInNoSanitizeList(GV, Loc, Ty, "init");
38  IsExcluded |= CGM.isInNoSanitizeList(GV, Loc, Ty);
39 
40  llvm::Metadata *LocDescr = nullptr;
41  llvm::Metadata *GlobalName = nullptr;
42  llvm::LLVMContext &VMContext = CGM.getLLVMContext();
43  if (!IsExcluded) {
44  // Don't generate source location and global name if it is on
45  // the NoSanitizeList - it won't be instrumented anyway.
46  LocDescr = getLocationMetadata(Loc);
47  if (!Name.empty())
48  GlobalName = llvm::MDString::get(VMContext, Name);
49  }
50 
51  llvm::Metadata *GlobalMetadata[] = {
52  llvm::ConstantAsMetadata::get(GV), LocDescr, GlobalName,
53  llvm::ConstantAsMetadata::get(
54  llvm::ConstantInt::get(llvm::Type::getInt1Ty(VMContext), IsDynInit)),
55  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
56  llvm::Type::getInt1Ty(VMContext), IsExcluded))};
57 
58  llvm::MDNode *ThisGlobal = llvm::MDNode::get(VMContext, GlobalMetadata);
59  llvm::NamedMDNode *AsanGlobals =
60  CGM.getModule().getOrInsertNamedMetadata("llvm.asan.globals");
61  AsanGlobals->addOperand(ThisGlobal);
62 }
63 
64 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
65  const VarDecl &D, bool IsDynInit) {
66  if (!isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
67  return;
68  std::string QualName;
69  llvm::raw_string_ostream OS(QualName);
70  D.printQualifiedName(OS);
71 
72  bool IsExcluded = false;
73  for (auto Attr : D.specific_attrs<NoSanitizeAttr>())
74  if (Attr->getMask() & SanitizerKind::Address)
75  IsExcluded = true;
76  if (D.hasAttr<DisableSanitizerInstrumentationAttr>())
77  IsExcluded = true;
78  reportGlobalToASan(GV, D.getLocation(), OS.str(), D.getType(), IsDynInit,
79  IsExcluded);
80 }
81 
82 void SanitizerMetadata::disableSanitizerForGlobal(llvm::GlobalVariable *GV) {
83  // For now, just make sure the global is not modified by the ASan
84  // instrumentation.
85  if (isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
86  reportGlobalToASan(GV, SourceLocation(), "", QualType(), false, true);
87 }
88 
89 void SanitizerMetadata::disableSanitizerForInstruction(llvm::Instruction *I) {
90  I->setMetadata(CGM.getModule().getMDKindID("nosanitize"),
91  llvm::MDNode::get(CGM.getLLVMContext(), None));
92 }
93 
94 llvm::MDNode *SanitizerMetadata::getLocationMetadata(SourceLocation Loc) {
95  PresumedLoc PLoc = CGM.getContext().getSourceManager().getPresumedLoc(Loc);
96  if (!PLoc.isValid())
97  return nullptr;
98  llvm::LLVMContext &VMContext = CGM.getLLVMContext();
99  llvm::Metadata *LocMetadata[] = {
100  llvm::MDString::get(VMContext, PLoc.getFilename()),
101  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
102  llvm::Type::getInt32Ty(VMContext), PLoc.getLine())),
103  llvm::ConstantAsMetadata::get(llvm::ConstantInt::get(
104  llvm::Type::getInt32Ty(VMContext), PLoc.getColumn())),
105  };
106  return llvm::MDNode::get(VMContext, LocMetadata);
107 }
all
int __ovld __cnfn all(char)
Returns 1 if the most significant bit in all components of x is set; otherwise returns 0.
clang::interp::Add
bool Add(InterpState &S, CodePtr OpPC)
Definition: Interp.h:134
efficiently
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these efficiently
Definition: README.txt:56
example
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For example
Definition: README.txt:61
type
clang::for
for(unsigned I=0, E=TL.getNumArgs();I !=E;++I)
Definition: RecursiveASTVisitor.h:1401
string
string(SUBSTRING ${CMAKE_CURRENT_BINARY_DIR} 0 ${PATH_LIB_START} PATH_HEAD) string(SUBSTRING $
Definition: CMakeLists.txt:22
clang::PresumedLoc::getLine
unsigned getLine() const
Return the presumed line number of this location.
Definition: SourceLocation.h:337
clang::Decl::hasAttr
bool hasAttr() const
Definition: DeclBase.h:542
PreVisitCallExpr
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the PreVisitCallExpr() method is called by GRExprEngine to tell the Checker that we are about to analyze a CallExpr
clang::ShaderStage::Library
@ Library
clang::if
if(T->getSizeExpr()) TRY_TO(TraverseStmt(T -> getSizeExpr()))
Definition: RecursiveASTVisitor.h:1098
clang::SourceLocation
Encodes a location in the source.
Definition: SourceLocation.h:86
clang::CodeGen::SanitizerMetadata::reportGlobalToASan
void reportGlobalToASan(llvm::GlobalVariable *GV, const VarDecl &D, bool IsDynInit=false)
Definition: SanitizerMetadata.cpp:64
clang::QualType
A (possibly-)qualified type.
Definition: Type.h:675
Attr.h
AttributeLangSupport::C
@ C
Definition: SemaDeclAttr.cpp:55
clang::CodeGen::SanitizerMetadata::disableSanitizerForInstruction
void disableSanitizerForInstruction(llvm::Instruction *I)
Definition: SanitizerMetadata.cpp:89
clang::CodeGen::CodeGenModule::getContext
ASTContext & getContext() const
Definition: CodeGenModule.h:697
clang::SanitizerSet::hasOneOf
bool hasOneOf(SanitizerMask K) const
Check if one or more sanitizers are enabled.
Definition: Sanitizers.h:161
change
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to change
Definition: README.txt:32
SourceManager.h
clang::CodeGen::CodeGenModule::getLangOpts
const LangOptions & getLangOpts() const
Definition: CodeGenModule.h:698
clang::SourceManager::getPresumedLoc
PresumedLoc getPresumedLoc(SourceLocation Loc, bool UseLineDirectives=true) const
Returns the "presumed" location of a SourceLocation specifies.
Definition: SourceManager.cpp:1513
clang::ASTContext::getSourceManager
SourceManager & getSourceManager()
Definition: ASTContext.h:716
engine
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis engine
Definition: README.txt:15
interfaces
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor interfaces(Checker.h and CheckerVisitor.h). The Checker interface is designed to be minimal and simple for checker writers
any
int __ovld __cnfn any(char)
Returns 1 if the most significant bit in any component of x is set; otherwise returns 0.
graph
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded graph(ExplodedGraph). The term "exploded" comes from exploding the control-flow edges in the control-flow graph(CFG). Conceptually the analyzer does a reachability analysis through the ExplodedGraph. We start at a root node
nothing
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do nothing
Definition: README.txt:64
not
#define not
Definition: iso646.h:19
clang::SanitizerSet
Definition: Sanitizers.h:153
clang::Decl::specific_attrs
llvm::iterator_range< specific_attr_iterator< T > > specific_attrs() const
Definition: DeclBase.h:524
clang::PresumedLoc::getFilename
const char * getFilename() const
Return the presumed filename of this location.
Definition: SourceLocation.h:324
clang::CodeGen::CodeGenModule::getModule
llvm::Module & getModule() const
Definition: CodeGenModule.h:704
isAsanHwasanOrMemTag
static bool isAsanHwasanOrMemTag(const SanitizerSet &SS)
Definition: SanitizerMetadata.cpp:25
Type.h
clang::VarDecl
Represents a variable declaration or definition.
Definition: Decl.h:874
problem
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a it can tell the BugReporter object about the providing it an ExplodedNode which is the last node in the path that triggered the problem
Definition: README.txt:70
clang::PresumedLoc::getColumn
unsigned getColumn() const
Return the presumed column number of this location.
Definition: SourceLocation.h:345
CodeGenModule.h
x
IRgen optimization opportunities The common pattern of short x
Definition: README.txt:7
state
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial state
Definition: README.txt:30
clang::CodeGen::SanitizerMetadata::disableSanitizerForGlobal
void disableSanitizerForGlobal(llvm::GlobalVariable *GV)
Definition: SanitizerMetadata.cpp:82
clang::LangOptions::Sanitize
SanitizerSet Sanitize
Set of enabled sanitizers.
Definition: LangOptions.h:361
and
#define and
Definition: iso646.h:14
clang::serialized_diags::create
std::unique_ptr< DiagnosticConsumer > create(StringRef OutputFile, DiagnosticOptions *Diags, bool MergeChildRecords=false)
Returns a DiagnosticConsumer that serializes diagnostics to a bitcode file.
Definition: SerializedDiagnosticPrinter.cpp:301
bug
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data individual Checkers work by also manipulating the analysis state The analyzer engine talks to them via a visitor interface For the and the checker is asked to check for any preconditions that might not be satisfied The checker can do or it can generate a new ProgramState and ExplodedNode which contains updated checker state If it finds a bug
Definition: README.txt:66
SanitizerMetadata.h
dump
static void dump(llvm::raw_ostream &OS, StringRef FunctionName, ArrayRef< CounterExpression > Expressions, ArrayRef< CounterMappingRegion > Regions)
Definition: CoverageMappingGen.cpp:1519
clang::CodeGen::CodeGenModule
This class organizes the cross-function state that is used while generating LLVM code.
Definition: CodeGenModule.h:275
clang::transformer::expression
Stencil expression(llvm::StringRef Id)
Generates the source of the expression bound to Id, wrapping it in parentheses if it may parse differ...
Definition: Stencil.cpp:437
ProgramState
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a ProgramState
Definition: README.txt:34
program
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the program(values of variables and expressions) is encapsulated by the state(ProgramState). A location in the program is called a program point(ProgramPoint)
clang::transformer::between
RangeSelector between(RangeSelector R1, RangeSelector R2)
Selects the range between R1 and `R2.
Definition: RangeSelector.h:60
sign
float __ovld __cnfn sign(float)
Returns 1.0 if x > 0, -0.0 if x = -0.0, +0.0 if x = +0.0, or -1.0 if x < 0.
dot
float __ovld __cnfn dot(float, float)
Compute dot product.
contains
static bool contains(const std::set< tok::TokenKind > &Terminators, const Token &Tok)
Definition: SourceCode.cpp:108
clang::PresumedLoc::isValid
bool isValid() const
Definition: SourceLocation.h:319
clang::interp::This
bool This(InterpState &S, CodePtr OpPC)
Definition: Interp.h:829
clang
Definition: CalledOnceCheck.h:17
clang::Attr
Attr - This represents one attribute.
Definition: Attr.h:41
clang::transformer::node
RangeSelector node(std::string ID)
Selects a node, including trailing semicolon, if any (for declarations and non-expression statements)...
Definition: RangeSelector.cpp:141
clang::PresumedLoc
Represents an unpacked "presumed" location which can be presented to the user.
Definition: SourceLocation.h:302
clang::ValueDecl::getType
QualType getType() const
Definition: Decl.h:685
clang::NamedDecl::printQualifiedName
void printQualifiedName(raw_ostream &OS) const
Returns a human-readable qualified name for this declaration, like A::B::i, for i being member of nam...
Definition: Decl.cpp:1612
clang::transformer::before
RangeSelector before(RangeSelector Selector)
Selects the (empty) range [B,B) when Selector selects the range [B,E).
Definition: RangeSelector.cpp:106
clang::ast_matchers::has
const internal::ArgumentAdaptingMatcherFunc< internal::HasMatcher > has
Matches AST nodes that have child AST nodes that match the provided matcher.
Definition: ASTMatchersInternal.cpp:1008
clang::Decl::getLocation
SourceLocation getLocation() const
Definition: DeclBase.h:425
GCCTypeClass::None
@ None
or
#define or
Definition: iso646.h:21
clang::CodeGen::CodeGenModule::getLLVMContext
llvm::LLVMContext & getLLVMContext()
Definition: CodeGenModule.h:715
structures
and static some checkers Checker The latter are built on top of the former via the Checker and CheckerVisitor and attempts to isolate them from much of the gore of the internal analysis the analyzer is basically a source code simulator that traces out possible paths of execution The state of the and the combination of state and program point is a node in an exploded which has the entry program point and initial and then simulate transitions by analyzing individual expressions The analysis of an expression can cause the state to resulting in a new node in the ExplodedGraph with an updated program point and an updated state A bug is found by hitting a node that satisfies some bug condition(basically a violation of a checking invariant). The analyzer traces out multiple paths by reasoning about branches and then bifurcating the state it can contain cycles as paths loop back onto each other and cache out ProgramState and ExplodedNodes are basically immutable once created Once one creates a you need to create a new one to get a new ProgramState This immutability is key since the ExplodedGraph represents the behavior of the analyzed program from the entry point To represent these we use functional data structures(e.g., ImmutableMaps) which share data between instances. Finally
clang::ento::simplify
SymbolRef simplify(ProgramStateRef State, SymbolRef Sym)
Try to simplify a given symbolic expression based on the constraints in State.
Definition: RangedConstraintManager.cpp:240
clang::CodeGen::CodeGenModule::isInNoSanitizeList
bool isInNoSanitizeList(SanitizerMask Kind, llvm::Function *Fn, SourceLocation Loc) const
Definition: CodeGenModule.cpp:2745
Generated on Fri May 20 2022 02:01:15 for clang by   doxygen 1.8.17