[PATCH] D95835: [dfsan] Support origin tracking

stephan.yichao.zhao via Phabricator via llvm-commits llvm-commits at lists.llvm.org
Mon Feb 1 16:42:09 PST 2021 

stephan.yichao.zhao created this revision.
stephan.yichao.zhao added a reviewer: morehouse.
Herald added subscribers: jfb, hiraditya.
stephan.yichao.zhao requested review of this revision.
Herald added projects: Sanitizers, LLVM.
Herald added subscribers: llvm-commits, Sanitizers.

After DFSan reports taint sinks, the next questions are "How did they

  get it?", "When did that happen?", "Who has tainted data originally?",
  etc. This change addresses this by adding origin tracking.
  
  This change will be split into small diffs for incremental review.
  
  ////////////
  The Design
  ////////////
  
  Inspired by MSan's origin tracking.
  
  1) The new flag -dfsan-track-origins is added. It works only with 16bit
  mode.
  
  2) Each 4 contiguous user bytes share one 4-byte origin information
  aligned by 4: the user byte at addr uses an origin at addr && ~3UL +
  origin_start_addr.
  
  3) An 4-byte origin is a hash of an origin chain. An origin chain is a
  pair of a stack hash id and a hash to its previous origin chain. 0 means
  no previous origin chains exist. We limit the length of a chain to be
  16. With origin_history_size = 0, the limit is removed.
  
  4) Only at store and memory transfer operations, new chains are created
  when taint data are written. This is to reduce chain lengths.
  
  5) At each instruction with > 1 operands, only one origin chain is
  propagated. This is to reduce chain widths.
  
  6) Each customized function has two wrappers. The
  first one is for the normal shadow propagation. The second one is used
  when origin tracking is on. It calls the first one, and does additional
  origin propagation. Which one to use can be decided at instrumentation
  time. This is to ensure minimal additional overhead when origin tracking
  is off.
  
  7) Provide an API dfsan_print_origin_trace that reports stack traces
  along a trace.


Repository:
  rG LLVM Github Monorepo

https://reviews.llvm.org/D95835

Files:
  compiler-rt/include/sanitizer/dfsan_interface.h
  compiler-rt/lib/dfsan/dfsan.cpp
  compiler-rt/lib/dfsan/dfsan.h
  compiler-rt/lib/dfsan/dfsan.syms.extra
  compiler-rt/lib/dfsan/dfsan_chained_origin_depot.cpp
  compiler-rt/lib/dfsan/dfsan_chained_origin_depot.h
  compiler-rt/lib/dfsan/dfsan_custom.cpp
  compiler-rt/lib/dfsan/dfsan_flags.inc
  compiler-rt/lib/dfsan/dfsan_origin.h
  compiler-rt/lib/dfsan/dfsan_platform.h
  compiler-rt/lib/dfsan/dfsan_thread.cpp
  compiler-rt/lib/dfsan/dfsan_thread.h
  compiler-rt/lib/dfsan/done_abilist.txt
  compiler-rt/test/dfsan/custom.cpp
  compiler-rt/test/dfsan/origin_add_label.c
  compiler-rt/test/dfsan/origin_custom.cpp
  compiler-rt/test/dfsan/origin_fork.cpp
  compiler-rt/test/dfsan/origin_ld_lost.c
  compiler-rt/test/dfsan/origin_ldst.c
  compiler-rt/test/dfsan/origin_limit.c
  compiler-rt/test/dfsan/origin_memcpy.c
  compiler-rt/test/dfsan/origin_memmove.c
  compiler-rt/test/dfsan/origin_memset.c
  compiler-rt/test/dfsan/origin_overlapped.c
  compiler-rt/test/dfsan/origin_pthread.c
  compiler-rt/test/dfsan/origin_set_label.c
  compiler-rt/test/dfsan/origin_signal_stress_test.cpp
  compiler-rt/test/dfsan/origin_unaligned_memtrans.c
  compiler-rt/test/dfsan/origin_with_sigactions.c
  compiler-rt/test/dfsan/origin_with_signals.cpp
  llvm/lib/Transforms/Instrumentation/DataFlowSanitizer.cpp
  llvm/test/Instrumentation/DataFlowSanitizer/basic.ll
  llvm/test/Instrumentation/DataFlowSanitizer/memset.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_abilist.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_cached_shadows.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_call.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_ldst.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_mem_intrinsic.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_other_ops.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_select.ll
  llvm/test/Instrumentation/DataFlowSanitizer/origin_store_threshold.ll

-------------- next part --------------
A non-text attachment was scrubbed...
Name: D95835.320633.patch
Type: text/x-patch
Size: 353297 bytes
Desc: not available
URL: <http://lists.llvm.org/pipermail/llvm-commits/attachments/20210202/2328070d/attachment-0001.bin>

More information about the llvm-commits mailing list