Branch data Line data Source code
1 : : /* Copyright (C) 2013-2024 Free Software Foundation, Inc.
2 : :
3 : : This file is part of GCC.
4 : :
5 : : GCC is free software; you can redistribute it and/or modify it under
6 : : the terms of the GNU General Public License as published by the Free
7 : : Software Foundation; either version 3, or (at your option) any later
8 : : version.
9 : :
10 : : GCC is distributed in the hope that it will be useful, but WITHOUT ANY
11 : : WARRANTY; without even the implied warranty of MERCHANTABILITY or
12 : : FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 : : for more details.
14 : :
15 : : You should have received a copy of the GNU General Public License
16 : : along with GCC; see the file COPYING3. If not see
17 : : <http://www.gnu.org/licenses/>. */
18 : :
19 : : /* Virtual Table Pointer Security Pass - Detect corruption of vtable pointers
20 : : before using them for virtual method dispatches. */
21 : :
22 : : /* This file is part of the vtable security feature implementation.
23 : : The vtable security feature is designed to detect when a virtual
24 : : call is about to be made through an invalid vtable pointer
25 : : (possibly due to data corruption or malicious attacks). The
26 : : compiler finds every virtual call, and inserts a verification call
27 : : before the virtual call. The verification call takes the actual
28 : : vtable pointer value in the object through which the virtual call
29 : : is being made, and compares the vtable pointer against a set of all
30 : : valid vtable pointers that the object could contain (this set is
31 : : based on the declared type of the object). If the pointer is in
32 : : the valid set, execution is allowed to continue; otherwise the
33 : : program is halted.
34 : :
35 : : There are several pieces needed in order to make this work: 1. For
36 : : every virtual class in the program (i.e. a class that contains
37 : : virtual methods), we need to build the set of all possible valid
38 : : vtables that an object of that class could point to. This includes
39 : : vtables for any class(es) that inherit from the class under
40 : : consideration. 2. For every such data set we build up, we need a
41 : : way to find and reference the data set. This is complicated by the
42 : : fact that the real vtable addresses are not known until runtime,
43 : : when the program is loaded into memory, but we need to reference the
44 : : sets at compile time when we are inserting verification calls into
45 : : the program. 3. We need to find every virtual call in the program,
46 : : and insert the verification call (with the appropriate arguments)
47 : : before the virtual call. 4. We need some runtime library pieces:
48 : : the code to build up the data sets at runtime; the code to actually
49 : : perform the verification using the data sets; and some code to set
50 : : protections on the data sets, so they themselves do not become
51 : : hacker targets.
52 : :
53 : : To find and reference the set of valid vtable pointers for any given
54 : : virtual class, we create a special global variable for each virtual
55 : : class. We refer to this as the "vtable map variable" for that
56 : : class. The vtable map variable has the type "void *", and is
57 : : initialized by the compiler to NULL. At runtime when the set of
58 : : valid vtable pointers for a virtual class, e.g. class Foo, is built,
59 : : the vtable map variable for class Foo is made to point to the set.
60 : : During compile time, when the compiler is inserting verification
61 : : calls into the program, it passes the vtable map variable for the
62 : : appropriate class to the verification call, so that at runtime the
63 : : verification call can find the appropriate data set.
64 : :
65 : : The actual set of valid vtable pointers for a virtual class,
66 : : e.g. class Foo, cannot be built until runtime, when the vtables get
67 : : loaded into memory and their addresses are known. But the knowledge
68 : : about which vtables belong in which class' hierarchy is only known
69 : : at compile time. Therefore at compile time we collect class
70 : : hierarchy and vtable information about every virtual class, and we
71 : : generate calls to build up the data sets at runtime. To build the
72 : : data sets, we call one of the functions we add to the runtime
73 : : library, __VLTRegisterPair. __VLTRegisterPair takes two arguments,
74 : : a vtable map variable and the address of a vtable. If the vtable
75 : : map variable is currently NULL, it creates a new data set (hash
76 : : table), makes the vtable map variable point to the new data set, and
77 : : inserts the vtable address into the data set. If the vtable map
78 : : variable is not NULL, it just inserts the vtable address into the
79 : : data set. In order to make sure that our data sets are built before
80 : : any verification calls happen, we create a special constructor
81 : : initialization function for each compilation unit, give it a very
82 : : high initialization priority, and insert all of our calls to
83 : : __VLTRegisterPair into our special constructor initialization
84 : : function.
85 : :
86 : : The vtable verification feature is controlled by the flag
87 : : '-fvtable-verify='. There are three flavors of this:
88 : : '-fvtable-verify=std', '-fvtable-verify=preinit', and
89 : : '-fvtable-verify=none'. If the option '-fvtable-verfy=preinit' is
90 : : used, then our constructor initialization function gets put into the
91 : : preinit array. This is necessary if there are data sets that need
92 : : to be built very early in execution. If the constructor
93 : : initialization function gets put into the preinit array, the we also
94 : : add calls to __VLTChangePermission at the beginning and end of the
95 : : function. The call at the beginning sets the permissions on the
96 : : data sets and vtable map variables to read/write, and the one at the
97 : : end makes them read-only. If the '-fvtable-verify=std' option is
98 : : used, the constructor initialization functions are executed at their
99 : : normal time, and the __VLTChangePermission calls are handled
100 : : differently (see the comments in libstdc++-v3/libsupc++/vtv_rts.cc).
101 : : The option '-fvtable-verify=none' turns off vtable verification.
102 : :
103 : : This file contains code for the tree pass that goes through all the
104 : : statements in each basic block, looking for virtual calls, and
105 : : inserting a call to __VLTVerifyVtablePointer (with appropriate
106 : : arguments) before each one. It also contains the hash table
107 : : functions for the data structures used for collecting the class
108 : : hierarchy data and building/maintaining the vtable map variable data
109 : : are defined in gcc/vtable-verify.h. These data structures are
110 : : shared with the code in the C++ front end that collects the class
111 : : hierarchy & vtable information and generates the vtable map
112 : : variables (see cp/vtable-class-hierarchy.cc). This tree pass should
113 : : run just before the gimple is converted to RTL.
114 : :
115 : : Some implementation details for this pass:
116 : :
117 : : To find all of the virtual calls, we iterate through all the
118 : : gimple statements in each basic block, looking for any call
119 : : statement with the code "OBJ_TYPE_REF". Once we have found the
120 : : virtual call, we need to find the vtable pointer through which the
121 : : call is being made, and the type of the object containing the
122 : : pointer (to find the appropriate vtable map variable). We then use
123 : : these to build a call to __VLTVerifyVtablePointer, passing the
124 : : vtable map variable, and the vtable pointer. We insert the
125 : : verification call just after the gimple statement that gets the
126 : : vtable pointer out of the object, and we update the next
127 : : statement to depend on the result returned from
128 : : __VLTVerifyVtablePointer (the vtable pointer value), to ensure
129 : : subsequent compiler phases don't remove or reorder the call (it's no
130 : : good to have the verification occur after the virtual call, for
131 : : example). To find the vtable pointer being used (and the type of
132 : : the object) we search backwards through the def_stmts chain from the
133 : : virtual call (see verify_bb_vtables for more details). */
134 : :
135 : : #include "config.h"
136 : : #include "system.h"
137 : : #include "coretypes.h"
138 : : #include "backend.h"
139 : : #include "tree.h"
140 : : #include "gimple.h"
141 : : #include "tree-pass.h"
142 : : #include "ssa.h"
143 : : #include "gimple-iterator.h"
144 : :
145 : : #include "vtable-verify.h"
146 : :
147 : : unsigned num_vtable_map_nodes = 0;
148 : : int total_num_virtual_calls = 0;
149 : : int total_num_verified_vcalls = 0;
150 : :
151 : : extern GTY(()) tree verify_vtbl_ptr_fndecl;
152 : : tree verify_vtbl_ptr_fndecl = NULL_TREE;
153 : :
154 : : /* Keep track of whether or not any virtual call were verified. */
155 : : static bool any_verification_calls_generated = false;
156 : :
157 : : unsigned int vtable_verify_main (void);
158 : :
159 : :
160 : : /* The following few functions are for the vtbl pointer hash table
161 : : in the 'registered' field of the struct vtable_map_node. The hash
162 : : table keeps track of which vtable pointers have been used in
163 : : calls to __VLTRegisterPair with that particular vtable map variable. */
164 : :
165 : : /* This function checks to see if a particular VTABLE_DECL and OFFSET are
166 : : already in the 'registered' hash table for NODE. */
167 : :
168 : : bool
169 : 0 : vtbl_map_node_registration_find (struct vtbl_map_node *node,
170 : : tree vtable_decl,
171 : : unsigned offset)
172 : : {
173 : 0 : struct vtable_registration key;
174 : 0 : struct vtable_registration **slot;
175 : :
176 : 0 : gcc_assert (node && node->registered);
177 : :
178 : 0 : key.vtable_decl = vtable_decl;
179 : 0 : slot = node->registered->find_slot (&key, NO_INSERT);
180 : :
181 : 0 : if (slot && (*slot))
182 : : {
183 : : unsigned i;
184 : 0 : for (i = 0; i < ((*slot)->offsets).length (); ++i)
185 : 0 : if ((*slot)->offsets[i] == offset)
186 : : return true;
187 : : }
188 : :
189 : : return false;
190 : : }
191 : :
192 : : /* This function inserts VTABLE_DECL and OFFSET into the 'registered'
193 : : hash table for NODE. It returns a boolean indicating whether or not
194 : : it actually inserted anything. */
195 : :
196 : : bool
197 : 8 : vtbl_map_node_registration_insert (struct vtbl_map_node *node,
198 : : tree vtable_decl,
199 : : unsigned offset)
200 : : {
201 : 8 : struct vtable_registration key;
202 : 8 : struct vtable_registration **slot;
203 : 8 : bool inserted_something = false;
204 : :
205 : 8 : if (!node || !node->registered)
206 : : return false;
207 : :
208 : 8 : key.vtable_decl = vtable_decl;
209 : 8 : slot = node->registered->find_slot (&key, INSERT);
210 : :
211 : 8 : if (! *slot)
212 : : {
213 : 4 : struct vtable_registration *node;
214 : 4 : node = XNEW (struct vtable_registration);
215 : 4 : node->vtable_decl = vtable_decl;
216 : :
217 : 4 : (node->offsets).create (10);
218 : 4 : (node->offsets).safe_push (offset);
219 : 4 : *slot = node;
220 : 4 : inserted_something = true;
221 : : }
222 : : else
223 : : {
224 : : /* We found the vtable_decl slot; we need to see if it already
225 : : contains the offset. If not, we need to add the offset. */
226 : : unsigned i;
227 : : bool found = false;
228 : 8 : for (i = 0; i < ((*slot)->offsets).length () && !found; ++i)
229 : 4 : if ((*slot)->offsets[i] == offset)
230 : 4 : found = true;
231 : :
232 : 4 : if (!found)
233 : : {
234 : 0 : ((*slot)->offsets).safe_push (offset);
235 : 0 : inserted_something = true;
236 : : }
237 : : }
238 : : return inserted_something;
239 : : }
240 : :
241 : : /* Hashtable functions for vtable_registration hashtables. */
242 : :
243 : : inline hashval_t
244 : 10 : registration_hasher::hash (const vtable_registration *p)
245 : : {
246 : 10 : const struct vtable_registration *n = (const struct vtable_registration *) p;
247 : 10 : return (hashval_t) (DECL_UID (n->vtable_decl));
248 : : }
249 : :
250 : : inline bool
251 : 4 : registration_hasher::equal (const vtable_registration *p1,
252 : : const vtable_registration *p2)
253 : : {
254 : 4 : const struct vtable_registration *n1 =
255 : : (const struct vtable_registration *) p1;
256 : 4 : const struct vtable_registration *n2 =
257 : : (const struct vtable_registration *) p2;
258 : 4 : return (DECL_UID (n1->vtable_decl) == DECL_UID (n2->vtable_decl));
259 : : }
260 : :
261 : : /* End of hashtable functions for "registered" hashtables. */
262 : :
263 : :
264 : :
265 : : /* Hashtable definition and functions for vtbl_map_hash. */
266 : :
267 : : struct vtbl_map_hasher : nofree_ptr_hash <struct vtbl_map_node>
268 : : {
269 : : static inline hashval_t hash (const vtbl_map_node *);
270 : : static inline bool equal (const vtbl_map_node *, const vtbl_map_node *);
271 : : };
272 : :
273 : : /* Returns a hash code for P. */
274 : :
275 : : inline hashval_t
276 : 24 : vtbl_map_hasher::hash (const vtbl_map_node *p)
277 : : {
278 : 24 : const struct vtbl_map_node n = *((const struct vtbl_map_node *) p);
279 : 24 : return (hashval_t) IDENTIFIER_HASH_VALUE (n.class_name);
280 : : }
281 : :
282 : : /* Returns nonzero if P1 and P2 are equal. */
283 : :
284 : : inline bool
285 : 8 : vtbl_map_hasher::equal (const vtbl_map_node *p1, const vtbl_map_node *p2)
286 : : {
287 : 8 : const struct vtbl_map_node n1 = *((const struct vtbl_map_node *) p1);
288 : 8 : const struct vtbl_map_node n2 = *((const struct vtbl_map_node *) p2);
289 : 8 : return (IDENTIFIER_HASH_VALUE (n1.class_name) ==
290 : 8 : IDENTIFIER_HASH_VALUE (n2.class_name));
291 : : }
292 : :
293 : : /* Here are the two structures into which we insert vtable map nodes.
294 : : We use two data structures because of the vastly different ways we need
295 : : to find the nodes for various tasks (see comments in vtable-verify.h
296 : : for more details. */
297 : :
298 : : typedef hash_table<vtbl_map_hasher> vtbl_map_table_type;
299 : : typedef vtbl_map_table_type::iterator vtbl_map_iterator_type;
300 : :
301 : : /* Vtable map variable nodes stored in a hash table. */
302 : : static vtbl_map_table_type *vtbl_map_hash;
303 : :
304 : : /* Vtable map variable nodes stored in a vector. */
305 : : vec<struct vtbl_map_node *> vtbl_map_nodes_vec;
306 : :
307 : : /* Vector of mangled names for anonymous classes. */
308 : : extern GTY(()) vec<tree, va_gc> *vtbl_mangled_name_types;
309 : : extern GTY(()) vec<tree, va_gc> *vtbl_mangled_name_ids;
310 : : vec<tree, va_gc> *vtbl_mangled_name_types;
311 : : vec<tree, va_gc> *vtbl_mangled_name_ids;
312 : :
313 : : /* Look up class_type (a type decl for record types) in the vtbl_mangled_names_*
314 : : vectors. This is a linear lookup. Return the associated mangled name for
315 : : the class type. This is for handling types from anonymous namespaces, whose
316 : : DECL_ASSEMBLER_NAME ends up being "<anon>", which is useless for our
317 : : purposes.
318 : :
319 : : We use two vectors of trees to keep track of the mangled names: One is a
320 : : vector of class types and the other is a vector of the mangled names. The
321 : : assumption is that these two vectors are kept in perfect lock-step so that
322 : : vtbl_mangled_name_ids[i] is the mangled name for
323 : : vtbl_mangled_name_types[i]. */
324 : :
325 : : static tree
326 : 0 : vtbl_find_mangled_name (tree class_type)
327 : : {
328 : 0 : tree result = NULL_TREE;
329 : 0 : unsigned i;
330 : :
331 : 0 : if (!vtbl_mangled_name_types or !vtbl_mangled_name_ids)
332 : : return result;
333 : :
334 : 0 : if (vtbl_mangled_name_types->length() != vtbl_mangled_name_ids->length())
335 : : return result;
336 : :
337 : 0 : for (i = 0; i < vtbl_mangled_name_types->length(); ++i)
338 : 0 : if ((*vtbl_mangled_name_types)[i] == class_type)
339 : : {
340 : 0 : result = (*vtbl_mangled_name_ids)[i];
341 : 0 : break;
342 : : }
343 : :
344 : : return result;
345 : : }
346 : :
347 : : /* Store a class type decl and its mangled name, for an anonymous RECORD_TYPE,
348 : : in the vtbl_mangled_names vector. Make sure there is not already an
349 : : entry for the class type before adding it. */
350 : :
351 : : void
352 : 0 : vtbl_register_mangled_name (tree class_type, tree mangled_name)
353 : : {
354 : 0 : if (!vtbl_mangled_name_types)
355 : 0 : vec_alloc (vtbl_mangled_name_types, 10);
356 : :
357 : 0 : if (!vtbl_mangled_name_ids)
358 : 0 : vec_alloc (vtbl_mangled_name_ids, 10);
359 : :
360 : 0 : gcc_assert (vtbl_mangled_name_types->length() ==
361 : : vtbl_mangled_name_ids->length());
362 : :
363 : :
364 : 0 : if (vtbl_find_mangled_name (class_type) == NULL_TREE)
365 : : {
366 : 0 : vec_safe_push (vtbl_mangled_name_types, class_type);
367 : 0 : vec_safe_push (vtbl_mangled_name_ids, mangled_name);
368 : : }
369 : 0 : }
370 : :
371 : : /* Return vtbl_map node for CLASS_NAME without creating a new one. */
372 : :
373 : : struct vtbl_map_node *
374 : 16 : vtbl_map_get_node (tree class_type)
375 : : {
376 : 16 : struct vtbl_map_node key;
377 : 16 : struct vtbl_map_node **slot;
378 : :
379 : 16 : tree class_type_decl;
380 : 16 : tree class_name;
381 : 16 : unsigned int type_quals;
382 : :
383 : 16 : if (!vtbl_map_hash)
384 : : return NULL;
385 : :
386 : 8 : gcc_assert (TREE_CODE (class_type) == RECORD_TYPE);
387 : :
388 : :
389 : : /* Find the TYPE_DECL for the class. */
390 : 8 : class_type_decl = TYPE_NAME (class_type);
391 : :
392 : : /* Verify that there aren't any qualifiers on the type. */
393 : 8 : type_quals = TYPE_QUALS (TREE_TYPE (class_type_decl));
394 : 8 : gcc_assert (type_quals == TYPE_UNQUALIFIED);
395 : :
396 : : /* Get the mangled name for the unqualified type. */
397 : 8 : gcc_assert (HAS_DECL_ASSEMBLER_NAME_P (class_type_decl));
398 : 8 : class_name = DECL_ASSEMBLER_NAME (class_type_decl);
399 : :
400 : 8 : if (strstr (IDENTIFIER_POINTER (class_name), "<anon>") != NULL)
401 : 0 : class_name = vtbl_find_mangled_name (class_type_decl);
402 : :
403 : 8 : key.class_name = class_name;
404 : 8 : slot = (struct vtbl_map_node **) vtbl_map_hash->find_slot (&key, NO_INSERT);
405 : 8 : if (!slot)
406 : : return NULL;
407 : 8 : return *slot;
408 : : }
409 : :
410 : : /* Return vtbl_map node assigned to BASE_CLASS_TYPE. Create new one
411 : : when needed. */
412 : :
413 : : struct vtbl_map_node *
414 : 8 : find_or_create_vtbl_map_node (tree base_class_type)
415 : : {
416 : 8 : struct vtbl_map_node key;
417 : 8 : struct vtbl_map_node *node;
418 : 8 : struct vtbl_map_node **slot;
419 : 8 : tree class_type_decl;
420 : 8 : unsigned int type_quals;
421 : :
422 : 8 : if (!vtbl_map_hash)
423 : 8 : vtbl_map_hash = new vtbl_map_table_type (10);
424 : :
425 : : /* Find the TYPE_DECL for the class. */
426 : 8 : class_type_decl = TYPE_NAME (base_class_type);
427 : :
428 : : /* Verify that there aren't any type qualifiers on type. */
429 : 8 : type_quals = TYPE_QUALS (TREE_TYPE (class_type_decl));
430 : 8 : gcc_assert (type_quals == TYPE_UNQUALIFIED);
431 : :
432 : 8 : gcc_assert (HAS_DECL_ASSEMBLER_NAME_P (class_type_decl));
433 : 8 : key.class_name = DECL_ASSEMBLER_NAME (class_type_decl);
434 : :
435 : 8 : if (strstr (IDENTIFIER_POINTER (key.class_name), "<anon>") != NULL)
436 : 0 : key.class_name = vtbl_find_mangled_name (class_type_decl);
437 : :
438 : 8 : slot = (struct vtbl_map_node **) vtbl_map_hash->find_slot (&key, INSERT);
439 : :
440 : 8 : if (*slot)
441 : : return *slot;
442 : :
443 : 8 : node = XNEW (struct vtbl_map_node);
444 : 8 : node->vtbl_map_decl = NULL_TREE;
445 : 8 : node->class_name = key.class_name;
446 : 8 : node->uid = num_vtable_map_nodes++;
447 : :
448 : 8 : node->class_info = XNEW (struct vtv_graph_node);
449 : 8 : node->class_info->class_type = base_class_type;
450 : 8 : node->class_info->class_uid = node->uid;
451 : 8 : node->class_info->num_processed_children = 0;
452 : :
453 : 8 : (node->class_info->parents).create (4);
454 : 8 : (node->class_info->children).create (4);
455 : :
456 : 8 : node->registered = new register_table_type (16);
457 : :
458 : 8 : node->is_used = false;
459 : :
460 : 8 : vtbl_map_nodes_vec.safe_push (node);
461 : 8 : gcc_assert (vtbl_map_nodes_vec[node->uid] == node);
462 : :
463 : 8 : *slot = node;
464 : 8 : return node;
465 : : }
466 : :
467 : : /* End of hashtable functions for vtable_map variables hash table. */
468 : :
469 : : /* Given a gimple STMT, this function checks to see if the statement
470 : : is an assignment, the rhs of which is getting the vtable pointer
471 : : value out of an object. (i.e. it's the value we need to verify
472 : : because its the vtable pointer that will be used for a virtual
473 : : call). */
474 : :
475 : : static bool
476 : 144 : is_vtable_assignment_stmt (gimple *stmt)
477 : : {
478 : :
479 : 144 : if (gimple_code (stmt) != GIMPLE_ASSIGN)
480 : : return false;
481 : : else
482 : : {
483 : 60 : tree lhs = gimple_assign_lhs (stmt);
484 : 60 : tree rhs = gimple_assign_rhs1 (stmt);
485 : :
486 : 60 : if (TREE_CODE (lhs) != SSA_NAME)
487 : : return false;
488 : :
489 : 52 : if (TREE_CODE (rhs) != COMPONENT_REF)
490 : : return false;
491 : :
492 : 8 : if (! (TREE_OPERAND (rhs, 1))
493 : 8 : || (TREE_CODE (TREE_OPERAND (rhs, 1)) != FIELD_DECL))
494 : : return false;
495 : :
496 : 8 : if (! DECL_VIRTUAL_P (TREE_OPERAND (rhs, 1)))
497 : 0 : return false;
498 : : }
499 : :
500 : : return true;
501 : : }
502 : :
503 : : /* This function attempts to recover the declared class of an object
504 : : that is used in making a virtual call. We try to get the type from
505 : : the type cast in the gimple assignment statement that extracts the
506 : : vtable pointer from the object (DEF_STMT). The gimple statement
507 : : usually looks something like this:
508 : :
509 : : D.2201_4 = MEM[(struct Event *)this_1(D)]._vptr.Event */
510 : :
511 : : static tree
512 : 0 : extract_object_class_type (tree rhs)
513 : : {
514 : 0 : tree result = NULL_TREE;
515 : :
516 : : /* Try to find and extract the type cast from that stmt. */
517 : 0 : if (TREE_CODE (rhs) == COMPONENT_REF)
518 : : {
519 : 0 : tree op0 = TREE_OPERAND (rhs, 0);
520 : 0 : tree op1 = TREE_OPERAND (rhs, 1);
521 : :
522 : 0 : if (TREE_CODE (op1) == FIELD_DECL
523 : 0 : && DECL_VIRTUAL_P (op1))
524 : : {
525 : 0 : if (TREE_CODE (op0) == COMPONENT_REF
526 : 0 : && TREE_CODE (TREE_OPERAND (op0, 0)) == MEM_REF
527 : 0 : && TREE_CODE (TREE_TYPE (TREE_OPERAND (op0, 0)))== RECORD_TYPE)
528 : 0 : result = TREE_TYPE (TREE_OPERAND (op0, 0));
529 : : else
530 : 0 : result = TREE_TYPE (op0);
531 : : }
532 : 0 : else if (TREE_CODE (op0) == COMPONENT_REF)
533 : : {
534 : 0 : result = extract_object_class_type (op0);
535 : 0 : if (result == NULL_TREE
536 : 0 : && TREE_CODE (op1) == COMPONENT_REF)
537 : : result = extract_object_class_type (op1);
538 : : }
539 : : }
540 : :
541 : 0 : return result;
542 : : }
543 : :
544 : : /* This function traces forward through the def-use chain of an SSA
545 : : variable to see if it ever gets used in a virtual function call. It
546 : : returns a boolean indicating whether or not it found a virtual call in
547 : : the use chain. */
548 : :
549 : : static bool
550 : 16 : var_is_used_for_virtual_call_p (tree lhs, int *mem_ref_depth,
551 : : int *recursion_depth)
552 : : {
553 : 16 : imm_use_iterator imm_iter;
554 : 16 : bool found_vcall = false;
555 : 16 : use_operand_p use_p;
556 : :
557 : 16 : if (TREE_CODE (lhs) != SSA_NAME)
558 : : return false;
559 : :
560 : 16 : if (*mem_ref_depth > 2)
561 : : return false;
562 : :
563 : 16 : if (*recursion_depth > 25)
564 : : /* If we've recursed this far the chances are pretty good that
565 : : we're not going to find what we're looking for, and that we've
566 : : gone down a recursion black hole. Time to stop. */
567 : : return false;
568 : :
569 : 16 : *recursion_depth = *recursion_depth + 1;
570 : :
571 : : /* Iterate through the immediate uses of the current variable. If
572 : : it's a virtual function call, we're done. Otherwise, if there's
573 : : an LHS for the use stmt, add the ssa var to the work list
574 : : (assuming it's not already in the list and is not a variable
575 : : we've already examined. */
576 : :
577 : 24 : FOR_EACH_IMM_USE_FAST (use_p, imm_iter, lhs)
578 : : {
579 : 16 : gimple *stmt2 = USE_STMT (use_p);
580 : :
581 : 16 : if (is_gimple_call (stmt2))
582 : : {
583 : 8 : tree fncall = gimple_call_fn (stmt2);
584 : 8 : if (fncall && TREE_CODE (fncall) == OBJ_TYPE_REF)
585 : : found_vcall = true;
586 : : else
587 : : return false;
588 : : }
589 : 8 : else if (gimple_code (stmt2) == GIMPLE_PHI)
590 : : {
591 : 0 : found_vcall = var_is_used_for_virtual_call_p
592 : 0 : (gimple_phi_result (stmt2),
593 : : mem_ref_depth,
594 : : recursion_depth);
595 : : }
596 : 8 : else if (is_gimple_assign (stmt2))
597 : : {
598 : 8 : tree rhs = gimple_assign_rhs1 (stmt2);
599 : 8 : if (TREE_CODE (rhs) == ADDR_EXPR
600 : 8 : || TREE_CODE (rhs) == MEM_REF)
601 : 0 : *mem_ref_depth = *mem_ref_depth + 1;
602 : :
603 : 8 : if (TREE_CODE (rhs) == COMPONENT_REF)
604 : : {
605 : 0 : while (TREE_CODE (TREE_OPERAND (rhs, 0)) == COMPONENT_REF)
606 : 0 : rhs = TREE_OPERAND (rhs, 0);
607 : :
608 : 0 : if (TREE_CODE (TREE_OPERAND (rhs, 0)) == ADDR_EXPR
609 : 0 : || TREE_CODE (TREE_OPERAND (rhs, 0)) == MEM_REF)
610 : 0 : *mem_ref_depth = *mem_ref_depth + 1;
611 : : }
612 : :
613 : 8 : if (*mem_ref_depth < 3)
614 : 8 : found_vcall = var_is_used_for_virtual_call_p
615 : 8 : (gimple_assign_lhs (stmt2),
616 : : mem_ref_depth,
617 : : recursion_depth);
618 : : }
619 : :
620 : : else
621 : : break;
622 : :
623 : 8 : if (found_vcall)
624 : 0 : return true;
625 : : }
626 : :
627 : : return false;
628 : : }
629 : :
630 : : /* Search through all the statements in a basic block (BB), searching
631 : : for virtual method calls. For each virtual method dispatch, find
632 : : the vptr value used, and the statically declared type of the
633 : : object; retrieve the vtable map variable for the type of the
634 : : object; generate a call to __VLTVerifyVtablePointer; and insert the
635 : : generated call into the basic block, after the point where the vptr
636 : : value is gotten out of the object and before the virtual method
637 : : dispatch. Make the virtual method dispatch depend on the return
638 : : value from the verification call, so that subsequent optimizations
639 : : cannot reorder the two calls. */
640 : :
641 : : static void
642 : 88 : verify_bb_vtables (basic_block bb)
643 : : {
644 : 88 : gimple_seq stmts;
645 : 88 : gimple *stmt = NULL;
646 : 88 : gimple_stmt_iterator gsi_vtbl_assign;
647 : 88 : gimple_stmt_iterator gsi_virtual_call;
648 : :
649 : 88 : stmts = bb_seq (bb);
650 : 88 : gsi_virtual_call = gsi_start (stmts);
651 : 232 : for (; !gsi_end_p (gsi_virtual_call); gsi_next (&gsi_virtual_call))
652 : : {
653 : 144 : stmt = gsi_stmt (gsi_virtual_call);
654 : :
655 : : /* Count virtual calls. */
656 : 144 : if (is_gimple_call (stmt))
657 : : {
658 : 56 : tree fncall = gimple_call_fn (stmt);
659 : 56 : if (fncall && TREE_CODE (fncall) == OBJ_TYPE_REF)
660 : 0 : total_num_virtual_calls++;
661 : : }
662 : :
663 : 144 : if (is_vtable_assignment_stmt (stmt))
664 : : {
665 : 8 : tree lhs = gimple_assign_lhs (stmt);
666 : 8 : tree vtbl_var_decl = NULL_TREE;
667 : 8 : struct vtbl_map_node *vtable_map_node;
668 : 8 : tree vtbl_decl = NULL_TREE;
669 : 8 : gcall *call_stmt;
670 : 8 : const char *vtable_name = "<unknown>";
671 : 8 : tree tmp0;
672 : 8 : bool found;
673 : 8 : int mem_ref_depth = 0;
674 : 8 : int recursion_depth = 0;
675 : :
676 : : /* Make sure this vptr field access is for a virtual call. */
677 : 8 : if (!var_is_used_for_virtual_call_p (lhs, &mem_ref_depth,
678 : : &recursion_depth))
679 : 8 : continue;
680 : :
681 : : /* Now we have found the virtual method dispatch and
682 : : the preceding access of the _vptr.* field... Next
683 : : we need to find the statically declared type of
684 : : the object, so we can find and use the right
685 : : vtable map variable in the verification call. */
686 : 0 : tree class_type = extract_object_class_type
687 : 0 : (gimple_assign_rhs1 (stmt));
688 : :
689 : 0 : gsi_vtbl_assign = gsi_for_stmt (stmt);
690 : :
691 : 0 : if (class_type
692 : 0 : && (TREE_CODE (class_type) == RECORD_TYPE)
693 : 0 : && TYPE_BINFO (class_type))
694 : : {
695 : : /* Get the vtable VAR_DECL for the type. */
696 : 0 : vtbl_var_decl = BINFO_VTABLE (TYPE_BINFO (class_type));
697 : :
698 : 0 : if (TREE_CODE (vtbl_var_decl) == POINTER_PLUS_EXPR)
699 : 0 : vtbl_var_decl = TREE_OPERAND (TREE_OPERAND (vtbl_var_decl, 0),
700 : : 0);
701 : :
702 : 0 : gcc_assert (vtbl_var_decl);
703 : :
704 : 0 : vtbl_decl = vtbl_var_decl;
705 : 0 : vtable_map_node = vtbl_map_get_node
706 : 0 : (TYPE_MAIN_VARIANT (class_type));
707 : :
708 : 0 : gcc_assert (verify_vtbl_ptr_fndecl);
709 : :
710 : : /* Given the vtable pointer for the base class of the
711 : : object, build the call to __VLTVerifyVtablePointer to
712 : : verify that the object's vtable pointer (contained in
713 : : lhs) is in the set of valid vtable pointers for the
714 : : base class. */
715 : :
716 : 0 : if (vtable_map_node && vtable_map_node->vtbl_map_decl)
717 : : {
718 : 0 : vtable_map_node->is_used = true;
719 : 0 : vtbl_var_decl = vtable_map_node->vtbl_map_decl;
720 : :
721 : 0 : if (VAR_P (vtbl_decl))
722 : 0 : vtable_name = IDENTIFIER_POINTER (DECL_NAME (vtbl_decl));
723 : :
724 : : /* Call different routines if we are interested in
725 : : trace information to debug problems. */
726 : 0 : if (flag_vtv_debug)
727 : : {
728 : 0 : call_stmt = gimple_build_call
729 : 0 : (verify_vtbl_ptr_fndecl, 4,
730 : : build1 (ADDR_EXPR,
731 : 0 : TYPE_POINTER_TO
732 : : (TREE_TYPE (vtbl_var_decl)),
733 : : vtbl_var_decl),
734 : : lhs,
735 : : build_string_literal
736 : 0 : (DECL_NAME (vtbl_var_decl)),
737 : : build_string_literal (vtable_name));
738 : : }
739 : : else
740 : 0 : call_stmt = gimple_build_call
741 : 0 : (verify_vtbl_ptr_fndecl, 2,
742 : : build1 (ADDR_EXPR,
743 : 0 : TYPE_POINTER_TO
744 : : (TREE_TYPE (vtbl_var_decl)),
745 : : vtbl_var_decl),
746 : : lhs);
747 : :
748 : :
749 : : /* Create a new SSA_NAME var to hold the call's
750 : : return value, and make the call_stmt use the
751 : : variable for that purpose. */
752 : 0 : tmp0 = make_temp_ssa_name (TREE_TYPE (lhs), NULL, "VTV");
753 : 0 : gimple_call_set_lhs (call_stmt, tmp0);
754 : 0 : update_stmt (call_stmt);
755 : :
756 : : /* Replace all uses of lhs with tmp0. */
757 : 0 : found = false;
758 : 0 : imm_use_iterator iterator;
759 : 0 : gimple *use_stmt;
760 : 0 : FOR_EACH_IMM_USE_STMT (use_stmt, iterator, lhs)
761 : : {
762 : 0 : use_operand_p use_p;
763 : 0 : if (use_stmt == call_stmt)
764 : 0 : continue;
765 : 0 : FOR_EACH_IMM_USE_ON_STMT (use_p, iterator)
766 : 0 : SET_USE (use_p, tmp0);
767 : 0 : update_stmt (use_stmt);
768 : 0 : found = true;
769 : 0 : }
770 : :
771 : 0 : gcc_assert (found);
772 : :
773 : : /* Insert the new verification call just after the
774 : : statement that gets the vtable pointer out of the
775 : : object. */
776 : 0 : gcc_assert (gsi_stmt (gsi_vtbl_assign) == stmt);
777 : 0 : gsi_insert_after (&gsi_vtbl_assign, call_stmt,
778 : : GSI_NEW_STMT);
779 : :
780 : 0 : any_verification_calls_generated = true;
781 : 0 : total_num_verified_vcalls++;
782 : : }
783 : : }
784 : : }
785 : : }
786 : 88 : }
787 : :
788 : : /* Definition of this optimization pass. */
789 : :
790 : : namespace {
791 : :
792 : : const pass_data pass_data_vtable_verify =
793 : : {
794 : : GIMPLE_PASS, /* type */
795 : : "vtable-verify", /* name */
796 : : OPTGROUP_NONE, /* optinfo_flags */
797 : : TV_VTABLE_VERIFICATION, /* tv_id */
798 : : ( PROP_cfg | PROP_ssa ), /* properties_required */
799 : : 0, /* properties_provided */
800 : : 0, /* properties_destroyed */
801 : : 0, /* todo_flags_start */
802 : : TODO_update_ssa, /* todo_flags_finish */
803 : : };
804 : :
805 : : class pass_vtable_verify : public gimple_opt_pass
806 : : {
807 : : public:
808 : 281914 : pass_vtable_verify (gcc::context *ctxt)
809 : 563828 : : gimple_opt_pass (pass_data_vtable_verify, ctxt)
810 : : {}
811 : :
812 : : /* opt_pass methods: */
813 : 1427379 : bool gate (function *) final override { return (flag_vtable_verify); }
814 : : unsigned int execute (function *) final override;
815 : :
816 : : }; // class pass_vtable_verify
817 : :
818 : : /* Loop through all the basic blocks in the current function, passing them to
819 : : verify_bb_vtables, which searches for virtual calls, and inserts
820 : : calls to __VLTVerifyVtablePointer. */
821 : :
822 : : unsigned int
823 : 28 : pass_vtable_verify::execute (function *fun)
824 : : {
825 : 28 : unsigned int ret = 1;
826 : 28 : basic_block bb;
827 : :
828 : 116 : FOR_ALL_BB_FN (bb, fun)
829 : 88 : verify_bb_vtables (bb);
830 : :
831 : 28 : return ret;
832 : : }
833 : :
834 : : } // anon namespace
835 : :
836 : : gimple_opt_pass *
837 : 281914 : make_pass_vtable_verify (gcc::context *ctxt)
838 : : {
839 : 281914 : return new pass_vtable_verify (ctxt);
840 : : }
841 : :
842 : : #include "gt-vtable-verify.h"
|
