r321027 - [hwasan] update the design doc

Kostya Serebryany via cfe-commits cfe-commits at lists.llvm.org
Mon Dec 18 13:40:07 PST 2017 

Author: kcc
Date: Mon Dec 18 13:40:07 2017
New Revision: 321027

URL: http://llvm.org/viewvc/llvm-project?rev=321027&view=rev
Log:
[hwasan] update the design doc

Modified:
    cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst

Modified: cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst?rev=321027&r1=321026&r2=321027&view=diff
==============================================================================
--- cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst (original)
+++ cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst Mon Dec 18 13:40:07 2017
@@ -21,7 +21,7 @@ The redzones, the quarantine, and, to a
 sources of AddressSanitizer's memory overhead.
 See the `AddressSanitizer paper`_ for details.
 
-AArch64 has the `Address Tagging`_, a hardware feature that allows
+AArch64 has the `Address Tagging`_ (or top-byte-ignore, TBI), a hardware feature that allows
 software to use 8 most significant bits of a 64-bit pointer as
 a tag. HWASAN uses `Address Tagging`_
 to implement a memory safety tool, similar to :doc:`AddressSanitizer`,
@@ -31,7 +31,7 @@ accuracy guarantees.
 Algorithm
 =========
 * Every heap/stack/global memory object is forcibly aligned by `N` bytes
-  (`N` is e.g. 16 or 64)
+  (`N` is e.g. 16 or 64). We call `N` the **granularity** of tagging.
 * For every such object a random `K`-bit tag `T` is chosen (`K` is e.g. 4 or 8)
 * The pointer to the object is tagged with `T`.
 * The memory for the object is also tagged with `T`
@@ -44,19 +44,35 @@ Instrumentation
 
 Memory Accesses
 ---------------
-All memory accesses are prefixed with a call to a run-time function.
-The function encodes the type and the size of access in its name;
-it receives the address as a parameter, e.g. `__hwasan_load4(void *ptr)`;
-it loads the memory tag, compares it with the
-pointer tag, and executes `__builtin_trap` (or calls `__hwasan_error_load4(void *ptr)`) on mismatch.
+All memory accesses are prefixed with an inline instruction sequence that
+verifies the tags. Currently, the following sequence is used:
 
-It's possible to inline this callback too.
+
+.. code-block:: asm
+
+  // int foo(int *a) { return *a; }
+  // clang -O2 --target=aarch64-linux -fsanitize=hwaddress -c load.c
+  foo:
+       0:	08 dc 44 d3 	ubfx	x8, x0, #4, #52  // shadow address
+       4:	08 01 40 39 	ldrb	w8, [x8]         // load shadow
+       8:	09 fc 78 d3 	lsr	x9, x0, #56      // address tag
+       c:	3f 01 08 6b 	cmp	w9, w8           // compare tags
+      10:	61 00 00 54 	b.ne	#12              // jump on mismatch
+      14:	00 00 40 b9 	ldr	w0, [x0]         // original load
+      18:	c0 03 5f d6 	ret             
+      1c:	40 20 40 d4 	hlt	#0x102           // halt
+      20:	00 00 40 b9 	ldr	w0, [x0]         // original load
+      24:	c0 03 5f d6 	ret
+
+
+Alternatively, memory accesses are prefixed with a function call.
 
 Heap
 ----
 
 Tagging the heap memory/pointers is done by `malloc`.
 This can be based on any malloc that forces all objects to be N-aligned.
+`free` tags the memory with a different tag.
 
 Stack
 -----
@@ -75,7 +91,7 @@ TODO: details.
 Error reporting
 ---------------
 
-Errors are generated by `__builtin_trap` and are handled by a signal handler.
+Errors are generated by the `HLT` instruction and are handled by a signal handler.
 
 Attribute
 ---------

More information about the cfe-commits mailing list