<div dir="ltr"><div dir="ltr">Kostya, this is making thread-uaf.c flaky on the buildbot.  Please take a look.  <a href="http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/15270/steps/test%20standalone%20compiler-rt%20with%20symbolizer/logs/stdio">http://lab.llvm.org:8011/builders/sanitizer-x86_64-linux/builds/15270/steps/test%20standalone%20compiler-rt%20with%20symbolizer/logs/stdio</a></div><div dir="ltr"><br></div><div dir="ltr"><pre style="font-family:"Courier New",courier,monotype,monospace;color:rgb(0,0,0);font-size:medium"><span class="gmail-stdout">FAIL: HWAddressSanitizer-x86_64 :: TestCases/thread-uaf.c (3067 of 6725)
******************** TEST 'HWAddressSanitizer-x86_64 :: TestCases/thread-uaf.c' FAI</span><span class="gmail-stdout">LED ********************
</span><span class="gmail-stdout">Script:
--
: 'RUN: at line 3';      /b/sanitizer-x86_64-linux/build/llvm_build64/bin/clang  -fsanitize=hwaddress -mllvm -hwasan-generate-tags-with-calls  -m64  -gline-tables-only /b/sanitizer-x86_64-linux/build/llvm/projects/compiler-rt/test/hwasan/TestCases/thread-uaf.c -o /b/sanitizer-x86_64-linux/build/compiler_rt_build/test/hwasan/X86_64/TestCases/Output/thread-uaf.c.tmp && not  /b/sanitizer-x86_64-linux/build/compiler_rt_build/test/hwasan/X86_64/TestCases/Output/thread-uaf.c.tmp 2>&1 | FileCheck /b/sanitizer-x86_64-linux/build/llvm/projects/compiler-rt/test/hwasan/TestCases/thread-uaf.c
--
Exit Code: 1

Command Output (stderr):
--
/b/sanitizer-x86_64-linux/build/llvm/projects/compiler-rt/test/hwasan/TestCases/thread-uaf.c:33:12: error: CHECK: expected string not found in input
 // CHECK: WRITE of size 1 {{.*}} in thread T3
           ^
<stdin>:1:61: note: scanning from here
==24433==ERROR: HWAddressSanitizer: tag-mismatch on address 0x77867e8003d5 at pc 0x5588d4c102ae
                                                            ^
<stdin>:2:1: note: possible intended match here
WRITE of size 1 at 0x77867e8003d5 tags: 04/02 (ptr/mem) in thread T2
^
</span></pre><br class="gmail-Apple-interchange-newline"></div></div><br><div class="gmail_quote"><div dir="ltr">On Tue, Sep 4, 2018 at 6:17 PM Kostya Serebryany via llvm-commits <<a href="mailto:llvm-commits@lists.llvm.org" target="_blank">llvm-commits@lists.llvm.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: kcc<br>
Date: Tue Sep  4 18:16:50 2018<br>
New Revision: 341438<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=341438&view=rev" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project?rev=341438&view=rev</a><br>
Log:<br>
[hwasan] print thread IDs when reporting a bug (also had to fix pthread_create on Linux)<br>
<br>
Modified:<br>
    compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc<br>
    compiler-rt/trunk/lib/hwasan/hwasan_report.cc<br>
    compiler-rt/trunk/lib/hwasan/hwasan_thread.cc<br>
    compiler-rt/trunk/lib/hwasan/hwasan_thread.h<br>
    compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c<br>
    compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c<br>
<br>
Modified: compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc (original)<br>
+++ compiler-rt/trunk/lib/hwasan/hwasan_interceptors.cc Tue Sep  4 18:16:50 2018<br>
@@ -292,16 +292,23 @@ INTERCEPTOR(void *, malloc, SIZE_T size)<br>
 extern "C" int pthread_attr_init(void *attr);<br>
 extern "C" int pthread_attr_destroy(void *attr);<br>
<br>
+struct ThreadStartArg {<br>
+  thread_callback_t callback;<br>
+  void *param;<br>
+};<br>
+<br>
 static void *HwasanThreadStartFunc(void *arg) {<br>
   __hwasan_thread_enter();<br>
-  ThreadStartArg *A = reinterpret_cast<ThreadStartArg*>(arg);<br>
-  return A->callback(A->param);<br>
+  ThreadStartArg A = *reinterpret_cast<ThreadStartArg*>(arg);<br>
+  UnmapOrDie(arg, GetPageSizeCached());<br>
+  return A.callback(A.param);<br>
 }<br>
<br>
 INTERCEPTOR(int, pthread_create, void *th, void *attr, void *(*callback)(void*),<br>
             void * param) {<br>
   ScopedTaggingDisabler disabler;<br>
-  ThreadStartArg *A = GetCurrentThread()->thread_start_arg();<br>
+  ThreadStartArg *A = reinterpret_cast<ThreadStartArg *> (MmapOrDie(<br>
+      GetPageSizeCached(), "pthread_create"));<br>
   *A = {callback, param};<br>
   int res = REAL(pthread_create)(UntagPtr(th), UntagPtr(attr),<br>
                                  &HwasanThreadStartFunc, A);<br>
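Review bot: The page mapped for `A` with MmapOrDie is only released inside HwasanThreadStartFunc, so when REAL(pthread_create) fails the new thread never runs and that page appears to stay mapped. The rest of the interceptor lies outside this hunk, so this may already be handled there; if not, add `if (res != 0) UnmapOrDie(A, GetPageSizeCached());` after the call. A short comment on the mapping, such as `// Owned by the new thread: HwasanThreadStartFunc copies it and unmaps the page.`, would also make the ownership hand-off explicit.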
<br>
Modified: compiler-rt/trunk/lib/hwasan/hwasan_report.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_report.cc?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_report.cc?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/hwasan/hwasan_report.cc (original)<br>
+++ compiler-rt/trunk/lib/hwasan/hwasan_report.cc Tue Sep  4 18:16:50 2018<br>
@@ -43,6 +43,7 @@ class Decorator: public __sanitizer::San<br>
   const char *Origin() const { return Magenta(); }<br>
   const char *Name() const { return Green(); }<br>
   const char *Location() { return Green(); }<br>
+  const char *Thread() { return Green(); }<br>
 };<br>
<br>
 bool FindHeapAllocation(HeapAllocationsRingBuffer *rb,<br>
@@ -116,7 +117,7 @@ void PrintAddressDescription(uptr tagged<br>
              har.requested_size, UntagAddr(har.tagged_addr),<br>
              UntagAddr(har.tagged_addr) + har.requested_size);<br>
       Printf("%s", d.Allocation());<br>
-      Printf("freed by thread %p here:\n", t);<br>
+      Printf("freed by thread T%zd here:\n", t->unique_id());<br>
       Printf("%s", d.Default());<br>
       GetStackTraceFromId(har.free_context_id).Print();<br>
<br>
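Review bot: `t->unique_id()` returns `u64` (see the hwasan_thread.h hunk) but is printed with `%zd`, a signed size-type conversion, in `Printf("freed by thread T%zd here:\n", t->unique_id());`. The same pairing appears in the "located in stack of thread" message and in the ReportTagMismatch access line later in this file. The widths agree on 64-bit targets, but matching the specifier to the type, e.g. `Printf("freed by thread T%llu here:\n", t->unique_id());`, keeps the format string correct by construction. PrintAddressDescription starts and ends outside this hunk.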
@@ -124,6 +125,7 @@ void PrintAddressDescription(uptr tagged<br>
       Printf("previously allocated here:\n", t);<br>
       Printf("%s", d.Default());<br>
       GetStackTraceFromId(har.alloc_context_id).Print();<br>
+      t->Announce();<br>
<br>
       num_descriptions_printed++;<br>
     }<br>
@@ -131,8 +133,10 @@ void PrintAddressDescription(uptr tagged<br>
     // Very basic check for stack memory.<br>
     if (t->AddrIsInStack(untagged_addr)) {<br>
       Printf("%s", d.Location());<br>
-      Printf("Address %p is located in stack of thread %p\n", untagged_addr, t);<br>
-      Printf("%s", d.Default());<br>
+      Printf("Address %p is located in stack of thread T%zd\n", untagged_addr,<br>
+             t->unique_id());<br>
+      t->Announce();<br>
+<br>
       num_descriptions_printed++;<br>
     }<br>
   });<br>
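Review bot: The stack branch no longer emits `d.Default()` after switching to `d.Location()`, so the colour selected for the "located in stack" line is not reset before `t->Announce()` or whatever is printed next. Announce(), as added in hwasan_thread.h, only calls Print(), which writes no decorator sequence. Keep the reset ahead of the announcement: `Printf("%s", d.Default());` followed by `t->Announce();`. The enclosing lambda begins outside this hunk.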
@@ -230,18 +234,21 @@ void ReportTagMismatch(StackTrace *stack<br>
   Report("ERROR: %s: %s on address %p at pc %p\n", SanitizerToolName, bug_type,<br>
          untagged_addr, pc);<br>
<br>
+  Thread *t = GetCurrentThread();<br>
+<br>
   tag_t ptr_tag = GetTagFromPointer(tagged_addr);<br>
   tag_t *tag_ptr = reinterpret_cast<tag_t*>(MemToShadow(untagged_addr));<br>
   tag_t mem_tag = *tag_ptr;<br>
   Printf("%s", d.Access());<br>
-  Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem)\n",<br>
+  Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n",<br>
          is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag,<br>
-         mem_tag);<br>
+         mem_tag, t->unique_id());<br>
   Printf("%s", d.Default());<br>
<br>
   stack->Print();<br>
<br>
   PrintAddressDescription(tagged_addr, access_size);<br>
+  t->Announce();<br>
<br>
   PrintTagsAroundAddr(tag_ptr);<br>
<br>
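Review bot: `t` from `GetCurrentThread()` is dereferenced twice (`t->unique_id()` and `t->Announce()`) with no null check. Whether it can be null here is not visible in this hunk, but if a report can be raised on a thread that has no Thread object yet, or whose object was already destroyed, the reporter would fault before the diagnosis is printed. A guard such as `if (t) t->Announce();`, plus a fallback id in the Printf, would keep the report intact. ReportTagMismatch starts and ends outside the hunk.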
<br>
Modified: compiler-rt/trunk/lib/hwasan/hwasan_thread.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.cc?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.cc?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/hwasan/hwasan_thread.cc (original)<br>
+++ compiler-rt/trunk/lib/hwasan/hwasan_thread.cc Tue Sep  4 18:16:50 2018<br>
@@ -63,10 +63,11 @@ void Thread::Create() {<br>
   uptr size = RoundUpTo(sizeof(Thread), PageSize);<br>
   Thread *thread = (Thread*)MmapOrDie(size, __func__);<br>
   thread->destructor_iterations_ = GetPthreadDestructorIterations();<br>
-  thread->random_state_ = flags()->random_tags ? RandomSeed() : 0;<br>
+  thread->unique_id_ = unique_id++;<br>
+  thread->random_state_ =<br>
+      flags()->random_tags ? RandomSeed() : thread->unique_id_;<br>
   if (auto sz = flags()->heap_history_size)<br>
     thread->heap_allocations_ = RingBuffer<HeapAllocationRecord>::New(sz);<br>
-  thread->unique_id_ = unique_id++;<br>
   InsertIntoThreadList(thread);<br>
   SetCurrentThread(thread);<br>
   thread->Init();<br>
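Review bot: `thread->unique_id_ = unique_id++;` runs on the newly started thread (Thread::Create is documented as "Must be called from the thread itself"), and no lock is visible around it in this hunk. If `unique_id` is a plain counter (its declaration is outside the hunk), two threads starting together could receive the same id, which matters more now that the id is what reports print. It also means ids follow start-up order rather than pthread_create order, which deserves a comment: `// Ids are handed out in the order threads start running, not the order they were created.` Consider an atomic increment if the counter is not already protected.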
@@ -100,7 +101,7 @@ void Thread::Init() {<br>
     CHECK(MemIsApp(stack_top_ - 1));<br>
   }<br>
   if (flags()->verbose_threads)<br>
-    Print("Creating  ");<br>
+    Print("Creating  : ");<br>
 }<br>
<br>
 void Thread::ClearShadowForThreadStackAndTLS() {<br>
@@ -112,7 +113,7 @@ void Thread::ClearShadowForThreadStackAn<br>
<br>
 void Thread::Destroy() {<br>
   if (flags()->verbose_threads)<br>
-    Print("Destroying");<br>
+    Print("Destroying: ");<br>
   malloc_storage().CommitBack();<br>
   ClearShadowForThreadStackAndTLS();<br>
   RemoveFromThreadList(this);<br>
@@ -124,8 +125,8 @@ void Thread::Destroy() {<br>
 }<br>
<br>
 void Thread::Print(const char *Prefix) {<br>
-  Printf("%s: thread %p id: %zd stack: [%p,%p) sz: %zd tls: [%p,%p)\n", Prefix,<br>
-         this, unique_id_, stack_bottom(), stack_top(),<br>
+  Printf("%sT%zd %p stack: [%p,%p) sz: %zd tls: [%p,%p)\n", Prefix,<br>
+         unique_id_, this, stack_bottom(), stack_top(),<br>
          stack_top() - stack_bottom(),<br>
          tls_begin(), tls_end());<br>
 }<br>
<br>
Modified: compiler-rt/trunk/lib/hwasan/hwasan_thread.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.h?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.h?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/hwasan/hwasan_thread.h (original)<br>
+++ compiler-rt/trunk/lib/hwasan/hwasan_thread.h Tue Sep  4 18:16:50 2018<br>
@@ -19,11 +19,6 @@<br>
<br>
 namespace __hwasan {<br>
<br>
-struct ThreadStartArg {<br>
-  thread_callback_t callback;<br>
-  void *param;<br>
-};<br>
-<br>
 class Thread {<br>
  public:<br>
   static void Create();  // Must be called from the thread itself.<br>
@@ -73,9 +68,12 @@ class Thread {<br>
     }<br>
   }<br>
<br>
-  // Return a scratch ThreadStartArg object to be used in<br>
-  // pthread_create interceptor.<br>
-  ThreadStartArg *thread_start_arg() { return &thread_start_arg_; }<br>
+  u64 unique_id() const { return unique_id_; }<br>
+  void Announce() {<br>
+    if (announced_) return;<br>
+    announced_ = true;<br>
+    Print("Thread: ");<br>
+  }<br>
<br>
  private:<br>
   // NOTE: There is no Thread constructor. It is allocated<br>
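Review bot: `Announce()` and the `announced_` flag it uses are undocumented, and the once-only behaviour depends on `announced_` starting out false even though Thread has no constructor. A comment on the method, such as `// Prints this thread's description the first time it is called; later calls do nothing.`, and one on the field (added in the next hunk) saying it relies on the presumably zero-filled mapping from Thread::Create, would make that explicit. The flag is read and written without synchronisation, so the comment should also state whether report printing is serialised.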
@@ -108,7 +106,7 @@ class Thread {<br>
<br>
   u32 tagging_disabled_;  // if non-zero, malloc uses zero tag in this thread.<br>
<br>
-  ThreadStartArg thread_start_arg_;<br>
+  bool announced_;<br>
 };<br>
<br>
 Thread *GetCurrentThread();<br>
<br>
Modified: compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c (original)<br>
+++ compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c Tue Sep  4 18:16:50 2018<br>
@@ -14,12 +14,12 @@ void *BoringThread(void *arg) {<br>
   return NULL;<br>
 }<br>
<br>
-// CHECK: Creating  : thread {{.*}} id: 0<br>
-// CHECK: Creating  : thread {{.*}} id: 1<br>
-// CHECK: Destroying: thread {{.*}} id: 1<br>
-// CHECK: Creating  : thread {{.*}} id: 1100<br>
-// CHECK: Destroying: thread {{.*}} id: 1100<br>
-// CHECK: Creating  : thread {{.*}} id: 1101<br>
+// CHECK: Creating  : T0<br>
+// CHECK: Creating  : T1<br>
+// CHECK: Destroying: T1<br>
+// CHECK: Creating  : T1100<br>
+// CHECK: Destroying: T1100<br>
+// CHECK: Creating  : T1101<br>
<br>
 void *UAFThread(void *arg) {<br>
   char * volatile x = (char*)malloc(10);<br>
@@ -29,6 +29,7 @@ void *UAFThread(void *arg) {<br>
   // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address<br>
   // CHECK: WRITE of size 1<br>
   // CHECK: many-threads-uaf.c:[[@LINE-3]]<br>
+  // CHECK: Thread: T1101<br>
   return NULL;<br>
 }<br>
<br>
<br>
Modified: compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c?rev=341438&r1=341437&r2=341438&view=diff" rel="noreferrer" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c?rev=341438&r1=341437&r2=341438&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c (original)<br>
+++ compiler-rt/trunk/test/hwasan/TestCases/thread-uaf.c Tue Sep  4 18:16:50 2018<br>
@@ -1,3 +1,5 @@<br>
+// Tests UAF detection where Allocate/Deallocate/Use<br>
+// happen in separate threads.<br>
 // RUN: %clang_hwasan %s -o %t && not %run %t 2>&1 | FileCheck %s<br>
 // REQUIRES: stable-runtime<br>
<br>
@@ -7,20 +9,48 @@<br>
<br>
 #include <sanitizer/hwasan_interface.h><br>
<br>
-void *Thread(void *arg) {<br>
-  char * volatile x = (char*)malloc(10);<br>
-  fprintf(stderr, "ZZZ %p\n", x);<br>
+char *volatile x;<br>
+int state;<br>
+<br>
+void *Allocate(void *arg) {<br>
+  x = (char*)malloc(10);<br>
+  __sync_fetch_and_add(&state, 1);<br>
+  while (__sync_fetch_and_add(&state, 0) != 3) {}<br>
+  return NULL;<br>
+}<br>
+void *Deallocate(void *arg) {<br>
+  while (__sync_fetch_and_add(&state, 0) != 1) {}<br>
   free(x);<br>
+  __sync_fetch_and_add(&state, 1);<br>
+  while (__sync_fetch_and_add(&state, 0) != 3) {}<br>
+  return NULL;<br>
+}<br>
+<br>
+void *Use(void *arg) {<br>
+  while (__sync_fetch_and_add(&state, 0) != 2) {}<br>
   x[5] = 42;<br>
   // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address<br>
-  // CHECK: WRITE of size 1<br>
+  // CHECK: WRITE of size 1 {{.*}} in thread T3<br>
   // CHECK: thread-uaf.c:[[@LINE-3]]<br>
+  // CHECK: freed by thread T2 here<br>
+  // CHECK: in Deallocate<br>
+  // CHECK: previously allocated here:<br>
+  // CHECK: in Allocate<br>
+  // CHECK: Thread: T2 0x<br>
+  // CHECK: Thread: T3 0x<br>
+  __sync_fetch_and_add(&state, 1);<br>
   return NULL;<br>
 }<br>
<br>
 int main() {<br>
   __hwasan_enable_allocator_tagging();<br>
-  pthread_t t;<br>
-  pthread_create(&t, NULL, Thread, NULL);<br>
-  pthread_join(t, NULL);<br>
+  pthread_t t1, t2, t3;<br>
+<br>
+  pthread_create(&t1, NULL, Allocate, NULL);<br>
+  pthread_create(&t2, NULL, Deallocate, NULL);<br>
+  pthread_create(&t3, NULL, Use, NULL);<br>
+<br>
+  pthread_join(t1, NULL);<br>
+  pthread_join(t2, NULL);<br>
+  pthread_join(t3, NULL);<br>
 }<br>
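Review bot: The new CHECK lines hard-code `T3` for Use and `T2` for Deallocate, but main() starts all three threads back to back and the `state` hand-off only orders the malloc/free/store, not thread start-up. Ids are assigned in Thread::Create, which runs on the new thread itself, so whichever thread is scheduled first gets the lower id; the buildbot log quoted at the top of this message shows `in thread T2` for the write. Either create each thread only after the previous one has signalled that it is running, or capture the ids with FileCheck variables as sketched below, which keeps the line count (and so `[[@LINE-3]]`) unchanged.

```c
  // … unchanged: wait for state == 2, the faulting store, the ERROR CHECK …
  // CHECK: WRITE of size 1 {{.*}} in thread T[[USE:[0-9]+]]
  // … unchanged: source-line CHECK …
  // CHECK: freed by thread T[[FREE:[0-9]+]] here
  // … unchanged: Deallocate / Allocate frame CHECKs …
  // CHECK: Thread: T[[FREE]] 0x
  // CHECK: Thread: T[[USE]] 0x
```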
<br>
<br>
</blockquote></div>