[compiler-rt] [sanitizer-common] [Darwin] Provide warnings for common sandbox issues (PR #165907)
Andrew Haberlandt via llvm-commits
llvm-commits at lists.llvm.org
Sat Nov 1 12:50:03 PDT 2025
https://github.com/ndrewh updated https://github.com/llvm/llvm-project/pull/165907
>From d41ba6149ddff40e4e05d7510b9c57fc2ffa383e Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt at apple.com>
Date: Fri, 31 Oct 2025 11:40:22 -0700
Subject: [PATCH 1/4] [sanitizer-common] [Darwin] Provide warning if
task_set_exc_guard_behavior errors
---
compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
index b0a29db908639..b3c2ede4f6fb4 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
@@ -960,7 +960,18 @@ static void DisableMmapExcGuardExceptions() {
RTLD_DEFAULT, "task_set_exc_guard_behavior");
if (set_behavior == nullptr) return;
const task_exc_guard_behavior_t task_exc_guard_none = 0;
- set_behavior(mach_task_self(), task_exc_guard_none);
+ kern_return_t res = set_behavior(mach_task_self(), task_exc_guard_none);
+ if (res != KERN_SUCCESS) {
+ Report(
+ "WARN: task_set_exc_guard_behavior returned %d (%s), "
+ "mmap may fail unexpectedly.\n",
+ res, mach_error_string(res));
+ if (res == KERN_DENIED) {
+ Report(
+ "HINT: Check that task_set_exc_guard_behavior is allowed by "
+ "sandbox.\n");
+ }
+ }
}
static void VerifyInterceptorsWorking();
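Review bot: The new messages in this hunk use a `WARN:` prefix, whereas the `Report()` warnings I know of elsewhere in sanitizer_common are spelled `WARNING:`, so log filters and triage scripts keyed on that spelling would miss a denied `task_set_exc_guard_behavior` call. I would write the first string as `"WARNING: task_set_exc_guard_behavior returned %d (%s), "`, and change the `WARN:` line in the sanitizer_symbolizer_posix_libcdep.cpp hunks the same way. A short comment above the `if (res != KERN_SUCCESS)` check would also help, for example `// Non-fatal: the guard behavior is left unchanged, so we only warn and continue.` The start of `DisableMmapExcGuardExceptions` is outside the hunk, so the declared return type of `set_behavior` cannot be checked from here.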
>From 76548b0f335feab26da4367d544430a9ae0bc2ae Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt at apple.com>
Date: Fri, 31 Oct 2025 23:33:09 -0700
Subject: [PATCH 2/4] Warn when no external symbolizers are found.
---
.../sanitizer_symbolizer_posix_libcdep.cpp | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
index f8d821e125b7a..d005f712d68b9 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
@@ -505,6 +505,13 @@ static void ChooseSymbolizerTools(IntrusiveList<SymbolizerTool> *list,
}
# if SANITIZER_APPLE
+ if (list.size() == 0) {
+ Report(
+ "WARN: No external symbolizers found. Symbols will be missing or "
+ "unreliable.\n");
+ Report(
+ "HINT: Is PATH set? Does sandbox allow file-read of /usr/bin/atos?\n");
+ }
VReport(2, "Using dladdr symbolizer.\n");
list->push_back(new (*allocator) DlAddrSymbolizer());
# endif // SANITIZER_APPLE
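Review bot: The emptiness check fires whenever no tool was pushed before this point, which presumably includes the case where the user deliberately disabled the external symbolizer with an empty `external_symbolizer_path`. In that case the `HINT:` about PATH and sandbox file-read of /usr/bin/atos would be misleading. The earlier part of `ChooseSymbolizerTools` is outside the hunk, so this needs confirming against the full function. If it holds, guard the warning on the flag, e.g. `const char *p = common_flags()->external_symbolizer_path;` followed by `if (list->empty() && !(p && p[0] == '\0')) {`. The same condition appears in the PATCH 3/4 and 4/4 hunks for this file. The hint could also say that the sandbox allowance is meant for the sanitizer-instrumented build, so nobody copies it into a production profile.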
>From f0cd4337d637cadb6bfd26b3faf14b2745eac233 Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt at apple.com>
Date: Sat, 1 Nov 2025 11:43:20 -0700
Subject: [PATCH 3/4] nits
---
compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp | 3 +--
.../sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp | 4 ++--
2 files changed, 3 insertions(+), 4 deletions(-)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
index b3c2ede4f6fb4..90c0b66f81b5b 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
@@ -966,11 +966,10 @@ static void DisableMmapExcGuardExceptions() {
"WARN: task_set_exc_guard_behavior returned %d (%s), "
"mmap may fail unexpectedly.\n",
res, mach_error_string(res));
- if (res == KERN_DENIED) {
+ if (res == KERN_DENIED)
Report(
"HINT: Check that task_set_exc_guard_behavior is allowed by "
"sandbox.\n");
- }
}
}
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
index d005f712d68b9..4e891cfdaf31b 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
@@ -505,9 +505,9 @@ static void ChooseSymbolizerTools(IntrusiveList<SymbolizerTool> *list,
}
# if SANITIZER_APPLE
- if (list.size() == 0) {
+ if (list.empty()) {
Report(
- "WARN: No external symbolizers found. Symbols will be missing or "
+ "WARN: No external symbolizers found. Symbols may be missing or "
"unreliable.\n");
Report(
"HINT: Is PATH set? Does sandbox allow file-read of /usr/bin/atos?\n");
>From 0cc143769c33d45d008fd2267a71c7e569806308 Mon Sep 17 00:00:00 2001
From: Andrew Haberlandt <ahaberlandt at apple.com>
Date: Sat, 1 Nov 2025 12:49:44 -0700
Subject: [PATCH 4/4] fix nits
---
.../lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
index 4e891cfdaf31b..7eb0c9756d64a 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
@@ -505,7 +505,7 @@ static void ChooseSymbolizerTools(IntrusiveList<SymbolizerTool> *list,
}
# if SANITIZER_APPLE
- if (list.empty()) {
+ if (list->empty()) {
Report(
"WARN: No external symbolizers found. Symbols may be missing or "
"unreliable.\n");