[compiler-rt] r238401 - [ASan] New approach to dynamic allocas unpoisoning. Patch by Max Ostapenko!
Yury Gribov
y.gribov at samsung.com
Thu May 28 00:49:06 PDT 2015
Author: ygribov
Date: Thu May 28 02:49:05 2015
New Revision: 238401
URL: http://llvm.org/viewvc/llvm-project?rev=238401&view=rev
Log:
[ASan] New approach to dynamic allocas unpoisoning. Patch by Max Ostapenko!
Differential Revision: http://reviews.llvm.org/D7098
Added:
compiler-rt/trunk/test/asan/TestCases/alloca_loop_unpoisoning.cc
compiler-rt/trunk/test/asan/TestCases/alloca_vla_interact.cc
compiler-rt/trunk/test/asan/TestCases/vla_chrome_testcase.cc
compiler-rt/trunk/test/asan/TestCases/vla_condition_overflow.cc
compiler-rt/trunk/test/asan/TestCases/vla_loop_overfow.cc
Modified:
compiler-rt/trunk/lib/asan/asan_fake_stack.cc
compiler-rt/trunk/lib/asan/asan_interface_internal.h
compiler-rt/trunk/test/asan/TestCases/Linux/interface_symbols_linux.c
Modified: compiler-rt/trunk/lib/asan/asan_fake_stack.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_fake_stack.cc?rev=238401&r1=238400&r2=238401&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_fake_stack.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_fake_stack.cc Thu May 28 02:49:05 2015
@@ -22,6 +22,9 @@ static const u64 kMagic2 = (kMagic1 << 8
static const u64 kMagic4 = (kMagic2 << 16) | kMagic2;
static const u64 kMagic8 = (kMagic4 << 32) | kMagic4;
+static const u64 kAllocaRedzoneSize = 32UL;
+static const u64 kAllocaRedzoneMask = 31UL;
+
// For small size classes inline PoisonShadow for better performance.
ALWAYS_INLINE void SetShadow(uptr ptr, uptr size, uptr class_id, u64 magic) {
CHECK_EQ(SHADOW_SCALE, 3); // This code expects SHADOW_SCALE=3.
@@ -253,4 +256,24 @@ void *__asan_addr_is_in_fake_stack(void
if (end) *end = reinterpret_cast<void*>(frame_end);
return reinterpret_cast<void*>(frame->real_stack);
}
+
+SANITIZER_INTERFACE_ATTRIBUTE
+void __asan_alloca_poison(uptr addr, uptr size) {
+ uptr LeftRedzoneAddr = addr - kAllocaRedzoneSize;
+ uptr PartialRzAddr = addr + size;
+ uptr RightRzAddr = (PartialRzAddr + kAllocaRedzoneMask) & ~kAllocaRedzoneMask;
+ uptr PartialRzAligned = PartialRzAddr & ~(SHADOW_GRANULARITY - 1);
+ FastPoisonShadow(LeftRedzoneAddr, kAllocaRedzoneSize, kAsanAllocaLeftMagic);
+ FastPoisonShadowPartialRightRedzone(
+ PartialRzAligned, PartialRzAddr % SHADOW_GRANULARITY,
+ RightRzAddr - PartialRzAligned, kAsanAllocaRightMagic);
+ FastPoisonShadow(RightRzAddr, kAllocaRedzoneSize, kAsanAllocaRightMagic);
+}
+
+SANITIZER_INTERFACE_ATTRIBUTE
+void __asan_allocas_unpoison(uptr top, uptr bottom) {
+ if ((!top) || (top > bottom)) return;
+ REAL(memset)(reinterpret_cast<void*>(MemToShadow(top)), 0,
+ (bottom - top) / SHADOW_GRANULARITY);
+}
} // extern "C"
Modified: compiler-rt/trunk/lib/asan/asan_interface_internal.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_interface_internal.h?rev=238401&r1=238400&r2=238401&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_interface_internal.h (original)
+++ compiler-rt/trunk/lib/asan/asan_interface_internal.h Thu May 28 02:49:05 2015
@@ -195,6 +195,10 @@ extern "C" {
void __asan_poison_intra_object_redzone(uptr p, uptr size);
SANITIZER_INTERFACE_ATTRIBUTE
void __asan_unpoison_intra_object_redzone(uptr p, uptr size);
+ SANITIZER_INTERFACE_ATTRIBUTE
+ void __asan_alloca_poison(uptr addr, uptr size);
+ SANITIZER_INTERFACE_ATTRIBUTE
+ void __asan_allocas_unpoison(uptr top, uptr bottom);
} // extern "C"
#endif // ASAN_INTERFACE_INTERNAL_H
Modified: compiler-rt/trunk/test/asan/TestCases/Linux/interface_symbols_linux.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/interface_symbols_linux.c?rev=238401&r1=238400&r2=238401&view=diff
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Linux/interface_symbols_linux.c (original)
+++ compiler-rt/trunk/test/asan/TestCases/Linux/interface_symbols_linux.c Thu May 28 02:49:05 2015
@@ -38,6 +38,8 @@
// RUN: echo __asan_report_exp_store_n >> %t.interface
// RUN: echo __asan_get_current_fake_stack >> %t.interface
// RUN: echo __asan_addr_is_in_fake_stack >> %t.interface
+// RUN: echo __asan_alloca_poison >> %t.interface
+// RUN: echo __asan_allocas_unpoison >> %t.interface
// RUN: cat %t.interface | sort -u | diff %t.symbols -
// FIXME: nm -D on powerpc somewhy shows ASan interface symbols residing
Added: compiler-rt/trunk/test/asan/TestCases/alloca_loop_unpoisoning.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/alloca_loop_unpoisoning.cc?rev=238401&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/alloca_loop_unpoisoning.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/alloca_loop_unpoisoning.cc Thu May 28 02:49:05 2015
@@ -0,0 +1,32 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: %run %t 2>&1
+//
+
+// This testcase checks that allocas and VLAs inside loop are correctly unpoisoned.
+
+#include <assert.h>
+#include <alloca.h>
+#include <stdint.h>
+#include "sanitizer/asan_interface.h"
+
+void *top, *bot;
+
+__attribute__((noinline)) void foo(int len) {
+ char x;
+ top = &x;
+ char array[len]; // NOLINT
+ assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+ alloca(len);
+ for (int i = 0; i < 32; ++i) {
+ char array[i]; // NOLINT
+ bot = alloca(i);
+ assert(!(reinterpret_cast<uintptr_t>(bot) & 31L));
+ }
+}
+
+int main(int argc, char **argv) {
+ foo(32);
+ void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot);
+ assert(!q);
+ return 0;
+}
Added: compiler-rt/trunk/test/asan/TestCases/alloca_vla_interact.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/alloca_vla_interact.cc?rev=238401&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/alloca_vla_interact.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/alloca_vla_interact.cc Thu May 28 02:49:05 2015
@@ -0,0 +1,39 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: %run %t 2>&1
+//
+
+// This testcase checks correct interaction between VLAs and allocas.
+
+#include <assert.h>
+#include <alloca.h>
+#include <stdint.h>
+#include "sanitizer/asan_interface.h"
+
+#define RZ 32
+
+__attribute__((noinline)) void foo(int len) {
+ char *top, *bot;
+ // This alloca call should live until the end of foo.
+ char *alloca1 = (char *)alloca(len);
+ assert(!(reinterpret_cast<uintptr_t>(alloca1) & 31L));
+ // This should be first poisoned address after loop.
+ top = alloca1 - RZ;
+ for (int i = 0; i < 32; ++i) {
+ // Check that previous alloca was unpoisoned at the end of iteration.
+ if (i) assert(!__asan_region_is_poisoned(bot, 96));
+ // VLA is unpoisoned at the end of iteration.
+ volatile char array[i];
+ assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+ // Alloca is unpoisoned at the end of iteration,
+ // because dominated by VLA.
+ bot = (char *)alloca(i) - RZ;
+ }
+ // Check that all allocas from loop were unpoisoned correctly.
+ void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot + 1);
+ assert(q == top);
+}
+
+int main(int argc, char **argv) {
+ foo(32);
+ return 0;
+}
Added: compiler-rt/trunk/test/asan/TestCases/vla_chrome_testcase.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/vla_chrome_testcase.cc?rev=238401&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/vla_chrome_testcase.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/vla_chrome_testcase.cc Thu May 28 02:49:05 2015
@@ -0,0 +1,30 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+// This is reduced testcase based on Chromium code.
+// See http://reviews.llvm.org/D6055?vs=on&id=15616&whitespace=ignore-all#toc.
+
+#include <stdint.h>
+#include <assert.h>
+
+int a = 7;
+int b;
+int c;
+int *p;
+
+__attribute__((noinline)) void fn3(int *first, int second) {
+}
+
+int main() {
+ int d = b && c;
+ int e[a]; // NOLINT
+ assert(!(reinterpret_cast<uintptr_t>(e) & 31L));
+ int f;
+ if (d)
+ fn3(&f, sizeof 0 * (&c - e));
+ e[a] = 0;
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+ return 0;
+}
Added: compiler-rt/trunk/test/asan/TestCases/vla_condition_overflow.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/vla_condition_overflow.cc?rev=238401&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/vla_condition_overflow.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/vla_condition_overflow.cc Thu May 28 02:49:05 2015
@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+#include <stdint.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+ if (index > len) {
+ char str[len]; //NOLINT
+ assert(!(reinterpret_cast<uintptr_t>(str) & 31L));
+ str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+ }
+}
+
+int main(int argc, char **argv) {
+ foo(33, 10);
+ return 0;
+}
Added: compiler-rt/trunk/test/asan/TestCases/vla_loop_overfow.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/vla_loop_overfow.cc?rev=238401&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/vla_loop_overfow.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/vla_loop_overfow.cc Thu May 28 02:49:05 2015
@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+#include <stdint.h>
+
+void foo(int index, int len) {
+ for (int i = 1; i < len; ++i) {
+ char array[len]; // NOLINT
+ assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+ array[index + i] = 0;
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+ }
+}
+
+int main(int argc, char **argv) {
+ foo(9, 21);
+ return 0;
+}
More information about the llvm-commits
mailing list