[compiler-rt] [HWASan] Prevent same tag for adjacent heap objects (PR #69337)

Evgenii Stepanov via llvm-commits llvm-commits at lists.llvm.org
Mon Nov 20 14:04:59 PST 2023


================
@@ -345,13 +364,21 @@ static void HwasanDeallocate(StackTrace *stack, void *tagged_ptr) {
     // Always store full 8-bit tags on free to maximize UAF detection.
     tag_t tag;
     if (t) {
-      // Make sure we are not using a short granule tag as a poison tag. This
-      // would make us attempt to read the memory on a UaF.
-      // The tag can be zero if tagging is disabled on this thread.
-      do {
-        tag = t->GenerateRandomTag(/*num_bits=*/8);
-      } while (
-          UNLIKELY((tag < kShadowAlignment || tag == pointer_tag) && tag != 0));
+      if (t->TaggingDisabled()) {
+        tag = 0;
+      } else {
+        tag_t previous_tag = *(tag_t *)(MemToShadow((uptr)(aligned_ptr)-1));
+        tag_t following_tag = *(
+            tag_t *)(MemToShadow((uptr)(aligned_ptr) + TaggedSize(orig_size)));
+        // Make sure we are not using a short granule tag as a poison tag. This
+        // would make us attempt to read the memory on a UaF.
+        // The tag can be zero if tagging is disabled on this thread.
+        do {
+          tag = t->GenerateRandomTag(/*num_bits=*/8);
+        } while (UNLIKELY(tag < kShadowAlignment || tag == pointer_tag ||
+                          tag == previous_tag || tag == following_tag) &&
+                 tag != 0);
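Review bot: The trailing `&& tag != 0` on the `while` condition still lets the loop exit with a zero poison tag, even though the disabled case is now handled by the `if (t->TaggingDisabled())` branch above. If `GenerateRandomTag` can return 0 on this path, the freed memory is retagged with 0 and none of the four exclusions (`kShadowAlignment`, `pointer_tag`, `previous_tag`, `following_tag`) is applied; consider dropping `&& tag != 0` so a zero is retried, and remove the comment "The tag can be zero if tagging is disabled on this thread", which no longer describes this branch. Separately, `previous_tag` and `following_tag` are read from the shadow just outside the allocation, and nothing in this hunk shows that those granules belong to a neighbouring heap object; a short comment stating what those bytes hold at the edges of the heap would make the comparison easier to trust.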
----------------
eugenis wrote:

I think it was there because of the TaggingDisabled case where the tag generator would return zeroes repeatedly. But since you've removed the (!tag) condition from GenerateRandomTag, there can be "spurious" zero tags returned that the callee needs to filter out.

TBH I'm starting to agree with Vitaly - this is introducing too much complexity for a very soft guarantee, without evidence that it actually meaningfully improves things in practice.

https://github.com/llvm/llvm-project/pull/69337

