<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">On 5/14/2018 12:11 PM, Manoj Gupta
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAH=QcsgVSVFTFKOyMLD_FDE=yTe3GZ7TOmX-iyu7wYiD=MgTAA@mail.gmail.com">
<div dir="ltr"><br>
<br>
<div class="gmail_quote">
<div dir="ltr">On Mon, May 14, 2018 at 12:07 PM Friedman, Eli
<<a href="mailto:efriedma@codeaurora.org"
moz-do-not-send="true">efriedma@codeaurora.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On
5/12/2018 9:23 PM, Philip Reames via llvm-dev wrote:<br>
> Fair warning, the following is a devil's advocate
position, but it's <br>
> also a serious question.<br>
><br>
> Given the entire point of this flag appears to be bug
mitigation, why <br>
> not frame this as a sanitizer? If we had a
hypothetical <br>
> -fsanitize=dereference which tried to catch
dereferenced pointers <br>
> derived from null, wouldn't that handle the case at
hand?<br>
<br>
It's called "-fsanitize=null": it catches stuff like "x[3]"
where x is <br>
null. It's not quite complete; we don't check for arithmetic
on a null <br>
pointer.<br>
<br>
Yes, that would handle the situation in question, but
putting implicit <br>
null checks all over the place is pretty expensive; I don't
think most <br>
people would turn that on in production.<br>
<br>
-Eli<br>
</blockquote>
<div><br>
</div>
<div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">We
had a similar discussion on an internal thread a while
back about whether we can use "-fsanitize=null", where clang</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">would
generate a ud2 instruction for null pointer dereferences.
Unfortunately, this doesn't work in kernel context.</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">Quoting
the reply from our kernel team:</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial"><br>
</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">"It
will not cause a kernel panic: it's an exception trigger,
and it's<br>
</div>
<div
style="color:rgb(34,34,34);font-family:sans-serif;font-size:13px;font-style:normal;font-variant-ligatures:normal;font-variant-caps:normal;font-weight:400;letter-spacing:normal;text-align:start;text-indent:0px;text-transform:none;white-space:normal;word-spacing:0px;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial">
<div>up to the exception handler to decide if it will
return (WARN) or not</div>
<div>(BUG). In the referenced function, this is calling
WARN_ON() which</div>
<div>will resume execution. (And note that the BUG()
implementations are</div>
<div>specifically marked with __attribute__((noreturn))."</div>
</div>
</div>
</div>
</div>
</blockquote>
<p>If the kernel can't use -fsanitize-trap, it could use some
alternative like "-fsanitize=null -fno-sanitize-recover=null
-fsanitize-minimal-runtime". That doesn't seem like a fundamental
flaw in the approach.<br>
</p>
<p>-Eli<br>
</p>
<pre class="moz-signature" cols="72">--
Employee of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project</pre>
</body>
</html>