[cfe-dev] annotating libc++ to catch buffer overflows in vector/string with asan

Kostya Serebryany kcc at google.com
Tue Nov 19 01:57:34 PST 2013


>
>
> > Do you like the idea?
>
> Yes - very much so.
>
> > Any comments about the prototype patch?
>
> Yes.
>
> 1) I would implement it with inline functions other than macros.
>
> Like this:
>
>
> extern "C" void __sanitizer_annotate_contiguous_container(
>     const void *, const void *, const void *, const void *);
> void inline __annotate_contiguous_container
>         ( const void *__beg, const void *__end, const void *__old_mid,
>           const void *__new_mid )
> #if __has_feature(address_sanitizer)
>         {  __sanitizer_annotate_contiguous_container(__beg, __end, __old_mid,
>                                                     __new_mid); }
> #else
>         {}
> #endif
>

Makes sense, see below.
We'll probably want to move __annotate_contiguous_container into a separate
file so that both string and vector use it.
But let's do the whole thing with vector before moving to string.



>
> 2) I'd like more information about what
> __sanitizer_annotate_contiguous_container does ;-)
>

In short, it [un]poisons the parts of shadow memory that correspond to the
container's memory.
More details in compiler-rt files:
 include/sanitizer/common_interface_defs.h and lib/asan/asan_poisoning.cc



>
> > Any suggestions on how to test these annotations in libc++ (we need some
> > kind of DEATH tests)?
>
> We already have failing tests in libc++.
> They are named XXXX.fail.cpp.
>

These are tests that fail to compile.
For ASan annotations we need tests that build and run, and then either fail
at run-time or check the state of shadow.
Like these:
compiler-rt/lib/asan/lit_tests/TestCases/contiguous_container.cc
compiler-rt/lib/asan/lit_tests/TestCases/contiguous_container_crash.cc

Suggestions?

--kcc
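The [un]poisoning described above, and the kind of build-and-run check asked for in the reply, as an added example (not code from this thread or from libc++): a toy fixed-capacity container keeps [data, data+size) addressable and [data+size, data+capacity) poisoned via `__sanitizer_annotate_contiguous_container`, then verifies the shadow with `__sanitizer_verify_contiguous_container` from compiler-rt's `sanitizer/common_interface_defs.h`. `AnnotatedBuf`, `TOY_ASAN` and the `annotate`/`shadow_ok` wrappers are this example's own names; without ASan the wrappers are no-ops, so the file also builds and runs plainly.

```cpp
#include <cstddef>
#ifdef __has_feature
#  if __has_feature(address_sanitizer)
#    define TOY_ASAN 1
#  endif
#endif
#ifdef TOY_ASAN
#  include <sanitizer/common_interface_defs.h>
static void annotate(const void *b, const void *e, const void *om, const void *nm) {
  __sanitizer_annotate_contiguous_container(b, e, om, nm);
}
// True iff shadow marks [b, m) addressable and [m, e) poisoned.
static bool shadow_ok(const void *b, const void *m, const void *e) {
  return __sanitizer_verify_contiguous_container(b, m, e) != 0;
}
#else  // no ASan: no shadow memory, so annotations are no-ops and checks pass trivially
static void annotate(const void *, const void *, const void *, const void *) {}
static bool shadow_ok(const void *, const void *, const void *) { return true; }
#endif
// Toy fixed-capacity int buffer using the vector scheme: [data, data+size) is
// addressable and [data+size, data+capacity) is poisoned between operations.
class AnnotatedBuf {
  int *data_; std::size_t size_, cap_;
public:
  explicit AnnotatedBuf(std::size_t cap) : data_(new int[cap]), size_(0), cap_(cap) {
    annotate(data_, data_ + cap_, data_ + cap_, data_ + size_);  // poison the unused tail
  }
  ~AnnotatedBuf() {  // un-poison before freeing, as the patch does before the buffer swap
    annotate(data_, data_ + cap_, data_ + size_, data_ + cap_);
    delete[] data_;
  }
  bool push_back(int v) {
    if (size_ == cap_) return false;
    annotate(data_, data_ + cap_, data_ + size_, data_ + size_ + 1);  // grow before write
    data_[size_++] = v; return true;
  }
  void pop_back() {  // precondition: size_ > 0
    --size_;
    annotate(data_, data_ + cap_, data_ + size_ + 1, data_ + size_);  // shrink after pop
  }
  bool shadow_consistent() const { return shadow_ok(data_, data_ + size_, data_ + cap_); }
  std::size_t size() const { return size_; }
};
// Build-and-run check: each step must leave exactly [data, data+size) addressable.
bool run_annotation_checks() {
  AnnotatedBuf b(8);
  for (int i = 0; i < 5; ++i) if (!b.push_back(i) || !b.shadow_consistent()) return false;
  b.pop_back(); b.pop_back();
  return b.size() == 3 && b.shadow_consistent();
}
```

Built with `-fsanitize=address`, a read of `data_[size_]` between operations is reported as container-overflow, which is the run-time-failure flavour of test; `shadow_consistent()` is the check-the-shadow flavour.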

--- include/vector      (revision 195116)
+++ include/vector      (working copy)
@@ -288,6 +288,16 @@

 _LIBCPP_BEGIN_NAMESPACE_STD

+extern "C" void __sanitizer_annotate_contiguous_container(
+  const void *, const void *, const void *, const void *);
+void inline __annotate_contiguous_container
+    (const void *__beg, const void *__end, const void *__old_mid, const
void *__new_mid)
+#if __has_feature(address_sanitizer)
+    {  __sanitizer_annotate_contiguous_container(__beg, __end, __old_mid,
__new_mid); }
+#else
+    {}
+#endif
+
 template <bool>
 class __vector_base_common
 {
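Review bot: the new `__annotate_contiguous_container` helper has no comment stating what its four pointers mean, and a reader of `<vector>` will not have the ASan runtime docs at hand; add a one-line note that [__beg, __end) is the container's whole allocation and that the addressable prefix moves from `__old_mid` to `__new_mid`, with the rest poisoned. Two further checks on this hunk: the `#if __has_feature(address_sanitizer)` only compiles where `__has_feature` is defined, so confirm this header sees libc++'s fallback definition from `__config` on compilers that lack the builtin; and the `extern "C"` declaration is emitted unconditionally, which is harmless but could move inside the `#if` so non-ASan builds never reference a sanitizer symbol.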
@@ -1525,7 +1535,12 @@
     // __v.push_back(_VSTD::forward<_Up>(__x));
     __alloc_traits::construct(__a, _VSTD::__to_raw_pointer(__v.__end_),
_VSTD::forward<_Up>(__x));
     __v.__end_++;
+    if (data())
+      __annotate_contiguous_container(
+          data(), data() + capacity(), data() + size(), data() +
capacity());
     __swap_out_circular_buffer(__v);
+    __annotate_contiguous_container(data(), data() + capacity(),
+                                          data() + capacity(), data() +
size());
 }
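Review bot: the two annotation calls are asymmetric and the first one reads like dead work without a comment: the call before `__swap_out_circular_buffer(__v)` un-poisons the old buffer ([data()+size(), data()+capacity()) becomes addressable) so that the block is fully addressable when the old buffer is freed, while the call after the swap poisons the spare capacity of the new buffer. State that in a comment above the first call. The `if (data())` guard is right for an empty vector whose first push_back hits this path; the second call needs no guard because `data()` is non-null after the swap. Note also that this patch annotates only this slow path, so the shadow goes stale on every other size- or capacity-changing operation until those are annotated too.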

