[compiler-rt] r260163 - [asan] Implement SEGV read vs write detection for ARM and AArch64.
Evgeniy Stepanov via llvm-commits
llvm-commits at lists.llvm.org
Mon Feb 8 14:50:25 PST 2016
Author: eugenis
Date: Mon Feb 8 16:50:25 2016
New Revision: 260163
URL: http://llvm.org/viewvc/llvm-project?rev=260163&view=rev
Log:
[asan] Implement SEGV read vs write detection for ARM and AArch64.
Modified:
compiler-rt/trunk/lib/asan/asan_report.cc
compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h
compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc
compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc
compiler-rt/trunk/lib/sanitizer_common/sanitizer_posix.cc
compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c
Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Mon Feb 8 16:50:25 2016
@@ -755,7 +755,7 @@ void ReportStackOverflow(const SignalCon
}
void ReportDeadlySignal(const char *description, const SignalContext &sig) {
- ScopedInErrorReport in_report(/*report*/nullptr, /*fatal*/true);
+ ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true);
Decorator d;
Printf("%s", d.Warning());
Report(
@@ -768,17 +768,22 @@ void ReportDeadlySignal(const char *desc
if (sig.pc < GetPageSizeCached())
Report("Hint: pc points to the zero page.\n");
if (sig.is_memory_access) {
- Report("The signal is caused by a %s memory access.\n",
- sig.is_write ? "WRITE" : "READ");
+ const char *access_type =
+ sig.write_flag == SignalContext::WRITE
+ ? "WRITE"
+ : (sig.write_flag == SignalContext::READ ? "READ" : "UNKNOWN");
+ Report("The signal is caused by a %s memory access.\n", access_type);
if (sig.addr < GetPageSizeCached()) {
Report("Hint: address points to the zero page.\n");
SS.Scare(10, "null-deref");
} else if (sig.addr == sig.pc) {
SS.Scare(60, "wild-jump");
- } else if (sig.is_write) {
+ } else if (sig.write_flag == SignalContext::WRITE) {
SS.Scare(30, "wild-addr-write");
- } else {
+ } else if (sig.write_flag == SignalContext::READ) {
SS.Scare(20, "wild-addr-read");
+ } else {
+ SS.Scare(25, "wild-addr");
}
} else {
SS.Scare(10, "signal");
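Review bot: The three-way mapping from `sig.write_flag` to a string is written as a nested ternary at the `access_type` initializer and then repeated as an if/else-if chain in the `SS.Scare` block a few lines later, so a new enumerator would have to be threaded through two places. A small file-local helper that switches on the enum keeps the naming in one spot and reads more directly than the ternary. ReportDeadlySignal begins before this hunk and continues after it.
```cpp
static const char *WriteFlagName(SignalContext::WriteFlag flag) {
  switch (flag) {
    case SignalContext::WRITE: return "WRITE";
    case SignalContext::READ: return "READ";
    default: return "UNKNOWN";
  }
}
// … unchanged: ReportDeadlySignal up to the is_memory_access check …
    Report("The signal is caused by a %s memory access.\n",
           WriteFlagName(sig.write_flag));
```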
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_common.h Mon Feb 8 16:50:25 2016
@@ -750,19 +750,26 @@ struct SignalContext {
uptr sp;
uptr bp;
bool is_memory_access;
- bool is_write;
+
+ enum WriteFlag { UNKNOWN, READ, WRITE } write_flag;
SignalContext(void *context, uptr addr, uptr pc, uptr sp, uptr bp,
- bool is_memory_access, bool is_write)
- : context(context), addr(addr), pc(pc), sp(sp), bp(bp),
- is_memory_access(is_memory_access), is_write(is_write) {}
+ bool is_memory_access, WriteFlag write_flag)
+ : context(context),
+ addr(addr),
+ pc(pc),
+ sp(sp),
+ bp(bp),
+ is_memory_access(is_memory_access),
+ write_flag(write_flag) {}
// Creates signal context in a platform-specific manner.
static SignalContext Create(void *siginfo, void *context);
+
+ // Returns true if the "context" indicates a memory write.
+ static WriteFlag GetWriteFlag(void *context);
};
-// Returns true if the "context" indicates a memory write.
-bool GetSigContextWriteFlag(void *context);
void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp);
void DisableReexec();
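Review bot: The comment moved onto the new `GetWriteFlag` declaration still says "Returns true if the "context" indicates a memory write", but the function now returns a three-valued `WriteFlag`, so the comment misdescribes the contract, in particular the `UNKNOWN` case that callers must handle. Suggested replacement: `// Classifies the faulting access described by "context" as READ or WRITE, or UNKNOWN when the platform or kernel does not expose the access direction.` The `SignalContext` struct begins before this hunk.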
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_linux.cc Mon Feb 8 16:50:25 2016
@@ -1155,16 +1155,55 @@ void *internal_start_thread(void (*func)
void internal_join_thread(void *th) {}
#endif
-bool GetSigContextWriteFlag(void *context) {
+#if defined(__aarch64__)
+// Android headers in the older NDK releases miss this definition.
+struct __sanitizer_esr_context {
+ struct _aarch64_ctx head;
+ uint64_t esr;
+};
+
+static bool Aarch64GetESR(ucontext_t *ucontext, u64 *esr) {
+ static const u32 kEsrMagic = 0x45535201;
+ u8 *aux = ucontext->uc_mcontext.__reserved;
+ while (true) {
+ _aarch64_ctx *ctx = (_aarch64_ctx *)aux;
+ if (ctx->size == 0) break;
+ Printf("ctx magic %x\n", ctx->magic);
+ if (ctx->magic == kEsrMagic) {
+ *esr = ((__sanitizer_esr_context *)ctx)->esr;
+ return true;
+ }
+ aux += ctx->size;
+ }
+ return false;
+}
+#endif
+
+SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) {
+ ucontext_t *ucontext = (ucontext_t *)context;
#if defined(__x86_64__) || defined(__i386__)
- ucontext_t *ucontext = (ucontext_t*)context;
+ static const uptr PF_WRITE = 1U << 1;
#if SANITIZER_FREEBSD
- return ucontext->uc_mcontext.mc_err & 2;
+ uptr err = ucontext->uc_mcontext.mc_err;
#else
- return ucontext->uc_mcontext.gregs[REG_ERR] & 2;
+ uptr err = ucontext->uc_mcontext.gregs[REG_ERR];
#endif
+ return err & PF_WRITE ? WRITE : READ;
+#elif defined(__arm__)
+ static const uptr FSR_WRITE = 1U << 11;
+ uptr fsr = ucontext->uc_mcontext.error_code;
+ // FSR bits 5:0 describe the abort type, and are never 0 (or so it seems).
+ // Zero FSR indicates an older kernel that does not pass this information to
+ // the userspace.
+ if (fsr == 0) return UNKNOWN;
+ return fsr & FSR_WRITE ? WRITE : READ;
+#elif defined(__aarch64__)
+ static const u64 ESR_ELx_WNR = 1U << 6;
+ u64 esr;
+ if (!Aarch64GetESR(ucontext, &esr)) return UNKNOWN;
+ return esr & ESR_ELx_WNR ? WRITE : READ;
#else
- return false; // FIXME: Implement.
+ return UNKNOWN; // FIXME: Implement.
#endif
}
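Review bot: `Aarch64GetESR` contains a leftover debugging statement, `Printf("ctx magic %x\n", ctx->magic);`, which will print one line per record in `__reserved` into every deadly-signal report on AArch64 and should be dropped before commit. The walk over `uc_mcontext.__reserved` also trusts each record's `size` with no upper bound; it stops only on a zero-size terminator, so a malformed or truncated context could advance `aux` past the end of the array before the next read. Since `__reserved` is a fixed-size array in the AArch64 `sigcontext`, bounding the loop is two lines: `u8 *end = aux + sizeof(ucontext->uc_mcontext.__reserved);` before the loop and `if (ctx->size == 0 || aux + ctx->size > end) break;` in place of the existing size check.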
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc Mon Feb 8 16:50:25 2016
@@ -491,8 +491,8 @@ void LogFullErrorReport(const char *buff
// The report is added to CrashLog as part of logging all of Printf output.
}
-bool GetSigContextWriteFlag(void *context) {
- return false; // FIXME: implement this.
+SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) {
+ return UNKNOWN; // FIXME: implement this.
}
void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp) {
Modified: compiler-rt/trunk/lib/sanitizer_common/sanitizer_posix.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/sanitizer_common/sanitizer_posix.cc?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/lib/sanitizer_common/sanitizer_posix.cc (original)
+++ compiler-rt/trunk/lib/sanitizer_common/sanitizer_posix.cc Mon Feb 8 16:50:25 2016
@@ -323,13 +323,13 @@ bool GetCodeRangeForFile(const char *mod
}
SignalContext SignalContext::Create(void *siginfo, void *context) {
- auto si = (siginfo_t*)siginfo;
+ auto si = (siginfo_t *)siginfo;
uptr addr = (uptr)si->si_addr;
uptr pc, sp, bp;
GetPcSpBp(context, &pc, &sp, &bp);
- bool is_write = GetSigContextWriteFlag(context);
+ WriteFlag write_flag = GetWriteFlag(context);
bool is_memory_access = si->si_signo == SIGSEGV;
- return SignalContext(context, addr, pc, sp, bp, is_memory_access, is_write);
+ return SignalContext(context, addr, pc, sp, bp, is_memory_access, write_flag);
}
} // namespace __sanitizer
Modified: compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c?rev=260163&r1=260162&r2=260163&view=diff
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c (original)
+++ compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c Mon Feb 8 16:50:25 2016
@@ -1,16 +1,24 @@
-// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: %clangxx_asan -std=c++11 -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: not %run %t write 2>&1 | FileCheck %s --check-prefix=WRITE
-// REQUIRES: x86_64-supported-target
+// UNSUPPORTED: powerpc64,mips
+
+#include <sys/mman.h>
static volatile int sink;
__attribute__((noinline)) void Read(int *ptr) { sink = *ptr; }
__attribute__((noinline)) void Write(int *ptr) { *ptr = 0; }
int main(int argc, char **argv) {
+ // Writes to shadow are detected as reads from shadow gap (because of how the
+ // shadow mapping works). This is kinda hard to fix. Test a random address in
+ // the application part of the address space.
+ void *volatile p =
+ mmap(nullptr, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
+ munmap(p, 4096);
if (argc == 1)
- Read((int *)0);
+ Read((int *)p);
else
- Write((int *)0);
+ Write((int *)p);
}
// READ: AddressSanitizer: SEGV on unknown address
// READ: The signal is caused by a READ memory access.
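Review bot: The `mmap` result at the new `void *volatile p` initializer is never compared with `MAP_FAILED`, so if the mapping fails the test dereferences `(void *)-1` instead of a freed application-space page, which still faults but no longer exercises the address range the comment says it is testing; adding `if (p == MAP_FAILED) return 1;` right after the call makes an environment failure distinguishable from a detection failure. The `munmap` return value is likewise ignored, and a failed unmap would turn the expected SEGV into a successful read. The READ/WRITE CHECK lines continue past the end of this hunk.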