[llvm-branch-commits] [HWASan] always use unused bits in free tags (PR #191914)
via llvm-branch-commits
llvm-branch-commits at lists.llvm.org
Mon Apr 13 16:48:23 PDT 2026
llvmbot wrote:
<!--LLVM PR SUMMARY COMMENT-->
@llvm/pr-subscribers-compiler-rt-sanitizer
Author: Florian Mayer (fmayer)
<details>
<summary>Changes</summary>
That helps us improve LSan, because now we can tell whether a memory
region is freed.
---
Full diff: https://github.com/llvm/llvm-project/pull/191914.diff
3 Files Affected:
- (modified) compiler-rt/lib/hwasan/hwasan.h (+1)
- (modified) compiler-rt/lib/hwasan/hwasan_allocator.cpp (+9-2)
- (modified) compiler-rt/lib/hwasan/hwasan_poisoning.cpp (+3)
``````````diff
diff --git a/compiler-rt/lib/hwasan/hwasan.h b/compiler-rt/lib/hwasan/hwasan.h
index 9201ed0452602..3f27cebe0423a 100644
--- a/compiler-rt/lib/hwasan/hwasan.h
+++ b/compiler-rt/lib/hwasan/hwasan.h
@@ -130,6 +130,7 @@ void InitializeInterceptors();
void HwasanAllocatorInit();
void HwasanAllocatorLock();
void HwasanAllocatorUnlock();
+unsigned HwasanTagBits();
void *hwasan_malloc(uptr size, StackTrace *stack);
void *hwasan_calloc(uptr nmemb, uptr size, StackTrace *stack);
diff --git a/compiler-rt/lib/hwasan/hwasan_allocator.cpp b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
index 80cc8e1b69a23..eb25102c7d824 100644
--- a/compiler-rt/lib/hwasan/hwasan_allocator.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_allocator.cpp
@@ -48,6 +48,7 @@ alignas(16) static u8 tail_magic[kShadowAlignment - 1];
static uptr max_malloc_size;
static unsigned hwasan_tag_bits;
static tag_t fallback_alloc_tag;
+static tag_t free_bits;
bool HwasanChunkView::IsAllocated() const {
return metadata_ && metadata_->IsAllocated();
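Review bot: `free_bits` is declared next to `hwasan_tag_bits` and `fallback_alloc_tag` with no comment, and its name does not say that it is a mask ORed into the memory tag on free. A short comment would help, for example `// Mask ORed into every free tag; non-zero only when pointers use fewer than 8 tag bits, so freed memory carries a tag no live pointer can have.` The trailing context lines belong to `HwasanChunkView::IsAllocated`, which continues outside the hunk.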
@@ -147,6 +148,8 @@ uptr GetAliasRegionStart() {
#endif
}
+unsigned HwasanTagBits() { return hwasan_tag_bits; }
+
void HwasanAllocatorInit() {
atomic_store_relaxed(&hwasan_allocator_tagging_enabled,
!flags()->disable_allocator_tagging);
@@ -155,6 +158,10 @@ void HwasanAllocatorInit() {
hwasan_tag_bits = flags_tag_bits;
else
hwasan_tag_bits = kTagBits;
+ if (hwasan_tag_bits < 8)
+ free_bits = 1 << 7;
+ else
+ free_bits = 0;
// With flags_tag_bits we want to restrict the number of bits in the
// pointer. That's why we don't need to mask out the kFallbackFreeTag,
// because that one is only used for the memory tag, never the pointer
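Review bot: The added branch in `HwasanAllocatorInit` sets only bit 7 (`free_bits = 1 << 7;`), while the title speaks of using the unused bits in general. With, say, 4 tag bits, bits 4 to 6 of a free tag stay random. That still satisfies the `>= (1 << HwasanTagBits())` test added in hwasan_poisoning.cpp, but the invariant is implicit and the literal is unexplained. Consider a named constant plus a comment stating it, for example `// Free tags must be >= (1 << hwasan_tag_bits); WordIsPoisoned relies on this.` The function body continues outside the hunk.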
@@ -362,13 +369,13 @@ static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
// would make us attempt to read the memory on a UaF.
// The tag can be zero if tagging is disabled on this thread.
do {
- tag = t->GenerateRandomTag(/*num_bits=*/8);
+ tag = t->GenerateRandomTag(/*num_bits=*/8) | free_bits;
} while (
UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
} else {
static_assert(kFallbackFreeTag >= kShadowAlignment,
"fallback tag must not be a short granule tag.");
- tag = kFallbackFreeTag;
+ tag = kFallbackFreeTag | free_bits;
}
TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),
tag);
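Review bot: ORing `free_bits` into the result of `GenerateRandomTag` means `tag` can no longer be zero when `free_bits` is non-zero, yet the comment above the loop says the tag can be zero when tagging is disabled on this thread, and the `tag != 0` escape exists for that case. If that comment still holds, memory freed on such a thread would now be tagged with the marker bit instead of staying untagged, which looks like an unintended behaviour change. If zero must be preserved, apply the mask only to non-zero tags, e.g. `tag = t->GenerateRandomTag(/*num_bits=*/8);` then `if (tag) tag |= free_bits;`; otherwise update the comment and drop the now-dead `tag != 0` clause. `HwasanDeallocate` starts and ends outside the hunk.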
diff --git a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
index a4e5935754a8a..5e9eeef68714d 100644
--- a/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
+++ b/compiler-rt/lib/hwasan/hwasan_poisoning.cpp
@@ -12,6 +12,7 @@
#include "hwasan_poisoning.h"
+#include "hwasan.h"
#include "hwasan_mapping.h"
#include "interception/interception.h"
#include "sanitizer_common/sanitizer_common.h"
@@ -30,6 +31,8 @@ uptr TagMemory(uptr p, uptr size, tag_t tag) {
// --- Implementation of LSan-specific functions --- {{{1
namespace __lsan {
bool WordIsPoisoned(uptr addr) {
+ tag_t Tag = GetTagFromPointer(addr);
+ return Tag >= (1 << __hwasan::HwasanTagBits());
// Fixme: implement actual tag checking.
return false;
}
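Review bot: `GetTagFromPointer(addr)` in `WordIsPoisoned` takes the tag from the bits of `addr` itself, whereas the free marker from hwasan_allocator.cpp is written to shadow memory by `TagMemoryAligned`. As far as these hunks show, the address passed in never carries `free_bits`, so the comparison would not recognise freed memory. The check probably needs the memory tag of the granule containing `addr`, something like `tag_t mem_tag = *reinterpret_cast<tag_t *>(MemToShadow(UntagAddr(addr)));` (namespace qualification to be confirmed), guarded so the shadow is only read for application addresses. The `// Fixme: implement actual tag checking.` comment and the trailing `return false;` are now unreachable and should be removed or reworded. The local `Tag` should be lower-case `tag` to match the allocator code in this change.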
``````````
</details>
https://github.com/llvm/llvm-project/pull/191914