[llvm-bugs] [Bug 49169] New: AArch64 Memory Tagging with setjmp and longjmp crash

via llvm-bugs llvm-bugs at lists.llvm.org
Fri Feb 12 16:34:11 PST 2021


https://bugs.llvm.org/show_bug.cgi?id=49169

            Bug ID: 49169
           Summary: AArch64 Memory Tagging with setjmp and longjmp crash
           Product: clang
           Version: trunk
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: -New Bugs
          Assignee: unassignedclangbugs at nondot.org
          Reporter: steplong at quicinc.com
                CC: htmldeveloper at gmail.com, llvm-bugs at lists.llvm.org,
                    neeilans at live.com, richard-llvm at metafoo.co.uk

Hi, I am seeing an issue with running the following code on AArch64 (compiled
with -fsanitize=memtag):

#include <stdint.h>
#include <stdio.h>
#include <setjmp.h>

jmp_buf env;
volatile uint64_t *copy;

__attribute__((noinline))
void call_longjmp(jmp_buf env) {
    uint64_t a;   // gets its own tagged stack slot under -fsanitize=memtag
    // Assign a to copy so the compiler won't optimize
    // out local variable a
    copy = &a;
    longjmp(env, 1);   // never returns, so the epilogue that untags a is skipped
}

__attribute__((noinline))
void foo(void) {
    if (setjmp(env) == 0) {
        call_longjmp(env);
    }
    // setjmp() returns 1 here with call_longjmp()'s frame still tagged
}

__attribute__((noinline))
void foo2(void) {
    // Plain, uninstrumented pushes through the (untagged) sp that reuse the
    // stack area call_longjmp() left tagged
    __asm__(
        "stp x29, x30, [sp, #-16]!\n\t"
        "stp x15, xzr, [sp, #-16]!\n\t"
        "stp x13, x14, [sp, #-16]!\n\t"
        "stp x11, x12, [sp, #-16]!\n\t"
        "stp x9, x10, [sp, #-16]!\n\t"
        "ldp x9, x10, [sp], #16\n\t"
        "ldp x11, x12, [sp], #16\n\t"
        "ldp x13, x14, [sp], #16\n\t"
        "ldp x15, xzr, [sp], #16\n\t"
        "ldp x29, x30, [sp], #16\n\t"
    );
}

int main(void) {
    foo();
    foo2();
    return 0;
}

Since call_longjmp() never returns, it never gets to untag variable a. When
foo2() tries to push to the stack, it will trigger a tag collision when it
tries to write over a. I'm currently using a custom QEMU to run this
executable. The executable runs OK if I add
__attribute__((no_sanitize("memtag"))) to call_longjmp.
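The failure mode described above, as an added example that is not part of the bug report or of LLVM: a small C model of an MTE-tagged stack in which the tags live in an ordinary array and are checked explicitly, so it runs on any machine. It replays the sequence setjmp -> tagged local -> longjmp -> uninstrumented push, and also shows the mitigation a longjmp implementation would need, clearing the tags of every granule between the current sp and the sp saved by setjmp before restoring sp. The granule size, the tag value 0x7 and the "untag on longjmp" step are assumptions of the model, not the reporter's or LLVM's code.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of an MTE-tagged stack (constructed for illustration). Real hardware
 * keeps a 4-bit allocation tag per 16-byte granule and faults when a store's
 * pointer tag differs from it; this model keeps the tags in an array and
 * checks them explicitly in sim_store(). */
#define GRANULE_BYTES 16
#define STACK_BYTES   256
#define NGRANULES     (STACK_BYTES / GRANULE_BYTES)

typedef struct {
    uint8_t  tag[NGRANULES]; /* allocation tag per granule, 0 = untagged        */
    size_t   sp;             /* simulated stack pointer, in granules, grows down */
    unsigned faults;         /* tag-check faults observed                        */
} sim_stack;

static void sim_init(sim_stack *s)
{
    memset(s, 0, sizeof *s);
    s->sp = NGRANULES;
}

/* Prologue of a -fsanitize=memtag function: reserve one granule for a tagged
 * local and colour it with a non-zero tag (hardware would use irg/stg). */
static size_t sim_tagged_local(sim_stack *s, uint8_t tag)
{
    s->sp -= 1;
    s->tag[s->sp] = tag;
    return s->sp;
}

/* Epilogue work: restore tag 0 on [lo, hi). This is exactly the step that
 * longjmp() skips, because the function never returns through its epilogue. */
static void sim_untag_range(sim_stack *s, size_t lo, size_t hi)
{
    for (size_t g = lo; g < hi; g++)
        s->tag[g] = 0;
}

/* A store through a pointer carrying logical tag ptr_tag. An ordinary
 * "stp x29, x30, [sp, #-16]!" uses the untagged sp, i.e. tag 0. */
static bool sim_store(sim_stack *s, size_t granule, uint8_t ptr_tag)
{
    if (s->tag[granule] != ptr_tag) {
        s->faults++;
        return false;
    }
    return true;
}

/* Replays the report: foo() does setjmp, call_longjmp() tags a local and
 * longjmps, foo2() pushes registers through the untagged sp onto the same
 * granule. With untag_on_longjmp set, the modelled longjmp first clears the
 * tags of every granule between the current sp and the sp saved by setjmp
 * (an assumed mitigation, not the reporter's or LLVM's code).
 * Returns the number of tag-check faults (1 without the mitigation, 0 with). */
static unsigned run_scenario(bool untag_on_longjmp)
{
    sim_stack s;
    sim_init(&s);

    size_t setjmp_sp = s.sp;                 /* foo(): setjmp(env) records sp */
    size_t a = sim_tagged_local(&s, 0x7);    /* call_longjmp(): local `a`     */
    (void)a;

    /* longjmp(env, 1): the epilogue of call_longjmp() never runs. */
    if (untag_on_longjmp)
        sim_untag_range(&s, s.sp, setjmp_sp);
    s.sp = setjmp_sp;

    /* foo2(): the first stp lands on the granule `a` occupied, via untagged sp. */
    s.sp -= 1;
    sim_store(&s, s.sp, 0);
    return s.faults;
}

int main(void)
{
    printf("faults without untagging on longjmp: %u\n", run_scenario(false));
    printf("faults with untagging on longjmp:    %u\n", run_scenario(true));
    return 0;
}
```

On real hardware the mismatch in the first scenario is a synchronous tag-check fault, which Linux delivers as SIGSEGV with si_code SEGV_MTESERR; the model only counts it. The model also makes the trade-off visible: untagging on longjmp has to walk the whole skipped region of the stack, which is why a libc or runtime, not the compiler's per-function epilogue, is the natural place for it.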
