[compiler-rt] r363636 - hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.

Peter Collingbourne via llvm-commits llvm-commits at lists.llvm.org
Mon Jun 17 16:39:51 PDT 2019


Author: pcc
Date: Mon Jun 17 16:39:51 2019
New Revision: 363636

URL: http://llvm.org/viewvc/llvm-project?rev=363636&view=rev
Log:
hwasan: Use bits [3..11) of the ring buffer entry address as the base stack tag.

This saves roughly 32 bytes of instructions per function with stack objects
and causes us to preserve enough information that we can recover the original
tags of all stack variables.

Now that stack tags are deterministic, we no longer need to pass
-hwasan-generate-tags-with-calls during check-hwasan. This also means that
the new stack tag generation mechanism is exercised by check-hwasan.

Differential Revision: https://reviews.llvm.org/D63360

Modified:
    compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp
    compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c
    compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c
    compiler-rt/trunk/test/hwasan/lit.cfg

Modified: compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp?rev=363636&r1=363635&r2=363636&view=diff
==============================================================================
--- compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp (original)
+++ compiler-rt/trunk/lib/hwasan/hwasan_thread.cpp Mon Jun 17 16:39:51 2019
@@ -27,6 +27,11 @@ static u32 RandomSeed() {
 
 void Thread::InitRandomState() {
   random_state_ = flags()->random_tags ? RandomSeed() : unique_id_;
+
+  // Push a random number of zeros onto the ring buffer so that the first stack
+  // tag base will be random.
+  for (tag_t i = 0, e = GenerateRandomTag(); i != e; ++i)
+    stack_allocations_->push(0);
 }
 
 void Thread::Init(uptr stack_buffer_start, uptr stack_buffer_size) {
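Review bot: The added comment in `InitRandomState` says the first stack tag base "will be random", but the line above seeds `random_state_` from `unique_id_` when `random_tags` is off, so in that mode the number of zeros pushed is presumably repeatable; the comment should say which case it describes. Since the commit message calls the resulting stack tags deterministic, it is worth adding that this initial offset appears to be the only per-thread variation, e.g. `// Only the starting offset varies; later tag bases follow the ring buffer position.`, so nobody treats stack tags as unpredictable. The loop also dereferences `stack_allocations_` with no guard, and the hunk does not show where it is set (`Thread::Init` opens on the last context line and continues outside the hunk); a `CHECK(stack_allocations_);` before the loop would make the required call order explicit.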

Modified: compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c?rev=363636&r1=363635&r2=363636&view=diff
==============================================================================
--- compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c (original)
+++ compiler-rt/trunk/test/hwasan/TestCases/random-align-right.c Mon Jun 17 16:39:51 2019
@@ -1,9 +1,11 @@
 // Tests malloc_align_right=1 and 8 (randomly aligning right).
 // RUN: %clang_hwasan  %s -o %t
 //
-// RUN: %run %t
-// RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK1
-// RUN: %env_hwasan_opts=malloc_align_right=8 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK8
+// RUN: %run %t 20
+// RUN: %run %t 30
+// RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 20 2>&1 | FileCheck %s --check-prefix=CHECK20
+// RUN: %env_hwasan_opts=malloc_align_right=1 not %run %t 30 2>&1 | FileCheck %s --check-prefix=CHECK30
+// RUN: %env_hwasan_opts=malloc_align_right=8 not %run %t 30 2>&1 | FileCheck %s --check-prefix=CHECK30
 
 // REQUIRES: stable-runtime
 
@@ -15,6 +17,7 @@ static volatile void *sink;
 
 int main(int argc, char **argv) {
   __hwasan_enable_allocator_tagging();
+  int index = atoi(argv[1]);
 
   // Perform 1000 buffer overflows within the 16-byte granule,
   // so that random right-alignment has a very high chance of
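Review bot: `int index = atoi(argv[1]);` reads `argv[1]` without looking at `argc`, so running the binary by hand with no argument passes a null pointer to `atoi`; `if (argc < 2) return 1;` ahead of it makes a bad invocation fail cleanly. Because the offset is now chosen per RUN line, the case the old combined run appeared to cover implicitly, index 20 not being reported under `malloc_align_right=8`, no longer has a run of its own; `// RUN: %env_hwasan_opts=malloc_align_right=8 %run %t 20` would restore it. `main` continues outside this hunk.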
@@ -22,14 +25,11 @@ int main(int argc, char **argv) {
   for (int i = 0; i < 1000; i++) {
     char *p = (char*)malloc(20);
     sink = p;
-    fprintf(stderr, "[%d] p: %p; accessing p[20]:\n", i, p);
-    p[20 * argc] = 0;  // requires malloc_align_right=1 to catch
-    fprintf(stderr, "[%d] p: %p; accessing p[30]:\n", i, p);
-    p[30 * argc] = 0;  // requires malloc_align_right={1,8} to catch
-// CHECK1: accessing p[20]
-// CHECK1-NEXT: HWAddressSanitizer: tag-mismatch
-// CHECK8: accessing p[30]:
-// CHECK8-NEXT: HWAddressSanitizer: tag-mismatch
+    p[index] = 0;
+// index=20 requires malloc_align_right=1 to catch
+// CHECK20: HWAddressSanitizer: tag-mismatch
+// index=30 requires malloc_align_right={1,8} to catch
+// CHECK30: HWAddressSanitizer: tag-mismatch
   }
 }
 

Modified: compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c?rev=363636&r1=363635&r2=363636&view=diff
==============================================================================
--- compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c (original)
+++ compiler-rt/trunk/test/hwasan/TestCases/stack-history-length.c Mon Jun 17 16:39:51 2019
@@ -1,5 +1,5 @@
 // RUN: %clang_hwasan -O1 %s -o %t
-// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2046 2>&1 | FileCheck %s --check-prefix=YES
+// RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2045 2>&1 | FileCheck %s --check-prefix=YES
 // RUN: %env_hwasan_opts=stack_history_size=2048 not %run %t 2047 2>&1 | FileCheck %s --check-prefix=NO
 
 // REQUIRES: stable-runtime
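Review bot: The YES threshold on the first RUN line drops from 2046 to 2045 without a comment saying why, which leaves the next reader to rediscover the arithmetic; presumably the second `OOB()` call added in the other hunk of this file records one more ring buffer entry. A line such as `// 2045 = 2046 minus the extra OOB() frame below.` next to the RUN lines would tie the two together. The comment added with that call also implies that a frame whose base tag is 0 does not report the overflow, which is worth stating outright there since it reads as a detection gap rather than a test quirk.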
@@ -22,6 +22,9 @@ int main(int argc, char **argv) {
   FUNC0();
   for (int i = 0; i < X; ++i)
     FUNC();
+  // Make at least one call to OOB where base tag != 0 so that the bug is caught
+  // at least once.
+  OOB();
   OOB();
 }
 

Modified: compiler-rt/trunk/test/hwasan/lit.cfg
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/hwasan/lit.cfg?rev=363636&r1=363635&r2=363636&view=diff
==============================================================================
--- compiler-rt/trunk/test/hwasan/lit.cfg (original)
+++ compiler-rt/trunk/test/hwasan/lit.cfg Mon Jun 17 16:39:51 2019
@@ -11,7 +11,7 @@ config.test_source_root = os.path.dirnam
 # Setup default compiler flags used with -fsanitize=memory option.
 clang_cflags = [config.target_cflags] + config.debug_info_flags
 clang_cxxflags = config.cxx_mode_flags + clang_cflags
-clang_hwasan_cflags = ["-fsanitize=hwaddress", "-mllvm", "-hwasan-generate-tags-with-calls"] + clang_cflags
+clang_hwasan_cflags = ["-fsanitize=hwaddress"] + clang_cflags
 clang_hwasan_cxxflags = config.cxx_mode_flags + clang_hwasan_cflags
 
 def build_invocation(compile_flags):
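Review bot: Dropping `-hwasan-generate-tags-with-calls` from `clang_hwasan_cflags` means the default check-hwasan build no longer compiles tests with call-based tag generation, so unless individual tests pass the flag themselves (not visible here) that mode loses its runtime coverage. Consider keeping one or two tests that add `-mllvm -hwasan-generate-tags-with-calls` on their own RUN line. The comment above this block still says `-fsanitize=memory`, which looks copied from another sanitizer's config and could be corrected to `-fsanitize=hwaddress` while the line is being touched.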



