1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
|
(*
*
* Copyright (c) 2001-2002,
* George C. Necula <necula@cs.berkeley.edu>
* Scott McPeak <smcpeak@cs.berkeley.edu>
* Wes Weimer <weimer@cs.berkeley.edu>
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions are
* met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. The names of the contributors may not be used to endorse or promote
* products derived from this software without specific prior written
* permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS
* IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
* TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
* PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER
* OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
* EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
* PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
* PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
* LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
* NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
* SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*)
(*
* Heapify: a program transform that looks over functions, finds those
* that have local (stack) variables that contain arrays, puts all such
* local variables into a single heap allocated structure, changes all
* accesses to such variables into accesses to fields of that structure
* and frees the structure on return.
*)
open Cil
(* utilities that should be in Cil.ml *)
(* sfg: this function appears to never be called *)
let mkSimpleField ci fn ft fl =
{ fcomp = ci ; fname = fn ; ftype = ft ; fbitfield = None ; fattr = [];
floc = fl }
(* actual Heapify begins *)
let heapifyNonArrays = ref false
(* Does this local var contain an array? *)
let rec containsArray (t:typ) : bool = (* does this type contain an array? *)
match unrollType t with
TArray _ -> true
| TComp(ci, _) -> (* look at the types of the fields *)
List.exists (fun fi -> containsArray fi.ftype) ci.cfields
| _ ->
(* Ignore other types, including TInt and TPtr. We don't care whether
there are arrays in the base types of pointers; only about whether
this local variable itself needs to be moved to the heap. *)
false
class heapifyModifyVisitor big_struct big_struct_fields varlist free
(currentFunction: fundec) = object(self)
inherit nopCilVisitor (* visit lvalues and statements *)
method vlval l = match l with (* should we change this one? *)
Var(vi),vi_offset when List.mem_assoc vi varlist -> (* check list *)
let i = List.assoc vi varlist in (* find field offset *)
let big_struct_field = List.nth big_struct_fields i in
let new_lval = Mem(Lval(big_struct, NoOffset)),
Field(big_struct_field,vi_offset) in (* rewrite the lvalue *)
ChangeDoChildrenPost(new_lval, (fun l -> l))
| _ -> DoChildren (* ignore other lvalues *)
method vstmt s = match s.skind with (* also rewrite the return *)
Return(None,loc) ->
let free_instr = Call(None,free,[Lval(big_struct,NoOffset)],loc) in
self#queueInstr [free_instr]; (* insert free_instr before the return *)
DoChildren
| Return(Some exp ,loc) ->
(* exp may depend on big_struct, so evaluate it before calling free.
* This becomes: tmp = exp; free(big_struct); return tmp; *)
let exp_new = visitCilExpr (self :> cilVisitor) exp in
let ret_tmp = makeTempVar currentFunction (typeOf exp_new) in
let eval_ret_instr = Set(var ret_tmp, exp_new, loc) in
let free_instr = Call(None,free,[Lval(big_struct,NoOffset)],loc) in
(* insert the instructions before the return *)
self#queueInstr [eval_ret_instr; free_instr];
s.skind <- (Return(Some(Lval(var ret_tmp)), loc));
DoChildren
| _ -> DoChildren (* ignore other statements *)
end
class heapifyAnalyzeVisitor f alloc free = object
inherit nopCilVisitor (* only look at function bodies *)
method vglob gl = match gl with
GFun(fundec,funloc) ->
let counter = ref 0 in (* the number of local vars containing arrays *)
let varlist = ref [] in (* a list of (var,id) pairs, in reverse order *)
List.iter (fun vi ->
(* find all local vars with arrays. If the user requests it,
we also look for non-array vars whose address is taken. *)
if (containsArray vi.vtype) || (vi.vaddrof && !heapifyNonArrays)
then begin
varlist := (vi,!counter) :: !varlist ; (* add it to the list *)
incr counter (* put the next such var in the next slot *)
end
) fundec.slocals ;
if (!varlist <> []) then begin (* some local vars contain arrays *)
let name = (fundec.svar.vname ^ "_heapify") in
let ci = mkCompInfo true name (* make a big structure *)
(fun _ -> List.rev_map (* reverse the list to fix the order *)
(* each local var becomes a field *)
(fun (vi,i) -> vi.vname,vi.vtype,None,[],vi.vdecl) !varlist) [] in
let vi = makeLocalVar fundec name (TPtr(TComp(ci,[]),[])) in
let modify = new heapifyModifyVisitor (Var(vi)) ci.cfields
!varlist free fundec in (* rewrite accesses to local vars *)
fundec.sbody <- visitCilBlock modify fundec.sbody ;
let alloc_stmt = mkStmt (* allocate the big struct on the heap *)
(Instr [Call(Some(Var(vi),NoOffset), alloc,
[SizeOf(TComp(ci,[]))],funloc)]) in
fundec.sbody.bstmts <- alloc_stmt :: fundec.sbody.bstmts ;
fundec.slocals <- List.filter (fun vi -> (* remove local vars *)
not (List.mem_assoc vi !varlist)) fundec.slocals ;
let typedec = (GCompTag(ci,funloc)) in (* declare the big struct *)
ChangeTo([typedec ; GFun(fundec,funloc)]) (* done! *)
end else
DoChildren (* ignore everything else *)
| _ -> DoChildren
end
let heapify (f : file) (alloc : exp) (free : exp) =
visitCilFile (new heapifyAnalyzeVisitor f alloc free) f;
f
(* heapify code ends here *)
let default_heapify (f : file) =
let alloc_fun = emptyFunction "malloc" in
let free_fun = emptyFunction "free" in
let alloc_exp = (Lval((Var(alloc_fun.svar)),NoOffset)) in
let free_exp = (Lval((Var(free_fun.svar)),NoOffset)) in
ignore (heapify f alloc_exp free_exp)
(* StackGuard clone *)
class sgModifyVisitor restore_ra_stmt = object
inherit nopCilVisitor
method vstmt s = match s.skind with (* also rewrite the return *)
Return(_,loc) -> let new_block = mkBlock [restore_ra_stmt ; s] in
ChangeTo(mkStmt (Block(new_block)))
| _ -> DoChildren (* ignore other statements *)
end
class sgAnalyzeVisitor f push pop get_ra set_ra = object
inherit nopCilVisitor
method vfunc fundec =
let needs_guarding = List.fold_left
(fun acc vi -> acc || containsArray vi.vtype)
false fundec.slocals in
if needs_guarding then begin
let ra_tmp = makeLocalVar fundec "return_address" voidPtrType in
let ra_exp = Lval(Var(ra_tmp),NoOffset) in
let save_ra_stmt = mkStmt (* save the current return address *)
(Instr [Call(Some(Var(ra_tmp),NoOffset), get_ra, [], locUnknown) ;
Call(None, push, [ra_exp], locUnknown)]) in
let restore_ra_stmt = mkStmt (* restore the old return address *)
(Instr [Call(Some(Var(ra_tmp),NoOffset), pop, [], locUnknown) ;
Call(None, set_ra, [ra_exp], locUnknown)]) in
let modify = new sgModifyVisitor restore_ra_stmt in
fundec.sbody <- visitCilBlock modify fundec.sbody ;
fundec.sbody.bstmts <- save_ra_stmt :: fundec.sbody.bstmts ;
ChangeTo(fundec) (* done! *)
end else DoChildren
end
let stackguard (f : file) (push : exp) (pop : exp)
(get_ra : exp) (set_ra : exp) =
visitCilFileSameGlobals (new sgAnalyzeVisitor f push pop get_ra set_ra) f;
f
(* stackguard code ends *)
let default_stackguard (f : file) =
let expify fundec = Lval(Var(fundec.svar),NoOffset) in
let push = expify (emptyFunction "stackguard_push") in
let pop = expify (emptyFunction "stackguard_pop") in
let get_ra = expify (emptyFunction "stackguard_get_ra") in
let set_ra = expify (emptyFunction "stackguard_set_ra") in
let global_decl =
"extern void * stackguard_get_ra();
extern void stackguard_set_ra(void *new_ra);
/* You must provide an implementation for functions that get and set the
* return address. Such code is unfortunately architecture specific.
*/
struct stackguard_stack {
void * data;
struct stackguard_stack * next;
} * stackguard_stack;
void stackguard_push(void *ra) {
void * old = stackguard_stack;
stackguard_stack = (struct stackguard_stack *)
malloc(sizeof(stackguard_stack));
stackguard_stack->data = ra;
stackguard_stack->next = old;
}
void * stackguard_pop() {
void * ret = stackguard_stack->data;
void * next = stackguard_stack->next;
free(stackguard_stack);
stackguard_stack->next = next;
return ret;
}" in
f.globals <- GText(global_decl) :: f.globals ;
ignore (stackguard f push pop get_ra set_ra )
let feature1 : featureDescr =
{ fd_name = "stackGuard";
fd_enabled = Cilutil.doStackGuard;
fd_description = "instrument function calls and returns to maintain a separate stack for return addresses" ;
fd_extraopt = [];
fd_doit = (function (f: file) -> default_stackguard f);
fd_post_check = true;
}
let feature2 : featureDescr =
{ fd_name = "heapify";
fd_enabled = Cilutil.doHeapify;
fd_description = "move stack-allocated arrays to the heap" ;
fd_extraopt = [
"--heapifyAll", Arg.Set heapifyNonArrays,
"When using heapify, move all local vars whose address is taken, not just arrays.";
];
fd_doit = (function (f: file) -> default_heapify f);
fd_post_check = true;
}
|
