1 //===-- ForwardControlFlowIntegrity.h: Forward-Edge CFI ---------*- C++ -*-===//
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
6 //===----------------------------------------------------------------------===//
8 // This pass instruments indirect calls with checks to ensure that these calls
9 // pass through the appropriate jump-instruction table generated by
12 //===----------------------------------------------------------------------===//
14 #ifndef LLVM_CODEGEN_FORWARDCONTROLFLOWINTEGRITY_H
15 #define LLVM_CODEGEN_FORWARDCONTROLFLOWINTEGRITY_H
17 #include "llvm/ADT/DenseMap.h"
18 #include "llvm/ADT/SmallVector.h"
19 #include "llvm/Pass.h"
20 #include "llvm/Target/TargetOptions.h"
34 /// ForwardControlFlowIntegrity uses the information from JumpInstrTableInfo to
35 /// prepend checks to indirect calls to make sure that these calls target valid
37 class ForwardControlFlowIntegrity : public ModulePass {
41 ForwardControlFlowIntegrity();
42 ForwardControlFlowIntegrity(JumpTable::JumpTableType JTT,
44 bool CFIEnforcing, std::string CFIFuncName);
45 ~ForwardControlFlowIntegrity() override;
47 /// Runs the CFI pass on a given module. This works best if the module in
48 /// question is the result of link-time optimization (see lib/LTO).
49 bool runOnModule(Module &M) override;
50 const char *getPassName() const override {
51 return "Forward Control-Flow Integrity";
53 void getAnalysisUsage(AnalysisUsage &AU) const override;
56 typedef SmallVector<Instruction *, 64> CallSet;
58 /// A structure that is used to keep track of constant table information.
65 /// A map from function type to the base of the table for this type and a mask
67 typedef DenseMap<FunctionType *, CFIConstants> CFITables;
69 CallSet IndirectCalls;
71 /// The type of jumptable implementation.
72 JumpTable::JumpTableType JTType;
74 /// The type of CFI check to add before each indirect call.
77 /// A value that controls whether or not CFI violations cause a halt.
80 /// The name of the function to call in case of a CFI violation when
81 /// CFIEnforcing is false. There is a default function that ignores
83 std::string CFIFuncName;
85 /// The alignment of each entry in the table, from JumpInstrTableInfo. The
86 /// JumpInstrTableInfo class always makes this a power of two.
87 uint64_t ByteAlignment;
89 /// The base-2 logarithm of ByteAlignment, needed for some of the transforms
90 /// (like CFIntegrity::Ror)
91 unsigned LogByteAlignment;
93 /// Adds checks to each indirect call site to make sure that it is calling a
94 /// function in our jump table.
95 void updateIndirectCalls(Module &M, CFITables &CFIT);
97 /// Walks the instructions to find all the indirect calls.
98 void getIndirectCalls(Module &M);
100 /// Adds a function that handles violations in non-enforcing mode
101 /// (!CFIEnforcing). The default warning function simply returns, since the
102 /// exact details of how to handle CFI violations depend on the application.
103 void addWarningFunction(Module &M);
105 /// Rewrites a function pointer in a call/invoke instruction to force it into
107 void rewriteFunctionPointer(Module &M, Instruction *I, Value *FunPtr,
108 Constant *JumpTableStart, Constant *JumpTableMask,
109 Constant *JumpTableSize);
111 /// Inserts a check and a call to a warning function at a given instruction
112 /// that must be an indirect call.
113 void insertWarning(Module &M, BasicBlock *Block, Instruction *I,
118 createForwardControlFlowIntegrityPass(JumpTable::JumpTableType JTT,
120 bool CFIEnforcing, StringRef CFIFuncName);
123 #endif // LLVM_CODEGEN_FORWARDCONTROLFLOWINTEGRITY_H