[LLVMdev] LLVM-based address sanity checker

Kostya Serebryany kcc at google.com
Fri Jun 17 05:34:02 PDT 2011


On Fri, Jun 17, 2011 at 12:42 PM, Renato Golin <rengolin at systemcall.org>wrote:

> On 17 June 2011 09:14, Kostya Serebryany <kcc at google.com> wrote:
>
>> Maybe the fallback code should just use a function call. Much simpler for
>> documentation purposes.
>
>
> Sounds good.
>

I implemented the asm-free way to report warnings as an option to the llvm
instrumentation pass (uses a call to run-time).
It generates more code, it also creates prologue/epilogue in otherwise leaf
functions.
Such mode may still be useful if for whatever reason we can not use SIGILL.

Default (use ud2):
  402ed5:       48 89 d8                mov    %rbx,%rax  << move the
address to rax
  402ed8:       0f 0b                   ud2a              << crash
  402eda:       52                      push   %rdx       << encode is_write
and size in the opcode
(note: with a good disassembler and some work we can leave just ud2 or
equivalent)

-mllvm -asan-use-call
  402ed5:       48 89 df                mov    %rbx,%rdi  << address is the
paremeter to __asan_report_error_2
  402ed8:       e8 53 69 00 00          callq  409830
<__asan_report_error_2>  << is_write and size is encoded in the function
name


--kcc


>
>
> On 32-bit, the shadow region is:
>>  [0x28000000, 0x3fffffff] HighShadow [0x24000000, 0x27ffffff] ShadowGap [0x20000000,
>> 0x23ffffff] LowShadow
>>
>> This is 0.5G total. So, I mmap all these three shadow subregions and
>> 'mprotect' the ShadowGap.
>> This is done at startup. If the mmap fails, an assert will fire.
>>
>
>
> I see. On embedded platforms that won't work with all cases. Most
> implementations have fragmented memory, memory mapped I/O, secure zones,
> etc. Depending on what you're trying to do, mmap will work but writing to
> memory won't.
>
> On ARM world, SoC designers can come up with any number of configurations,
> which makes a generic implementation impossible. You'll need some kind of
> tablegen to define writeable regions and how to map between memory and
> shadow. Manufacturers generally provide this information when you buy the
> kit.
>
> But again, most OSes should take care of that for you, so that's only
> relevant for bare-metal applications.
>
>
>
>
>>
>> On 64-bit, the shadow looks like this:
>>  [0x0000140000000000, 0x00001fffffffffff] HighShadow [0x0000120000000000,
>> 0x000013ffffffffff] ShadowGap [0x0000100000000000, 0x000011ffffffffff]LowShadow
>>
>> This is quite a lot, I can not mmap/mprotect this thing.
>> So, I basically *hope* that it won't be used by anyone but the ASAN run
>> time (of course, there are asserts here and there to check it).
>> When some part of the shadow region is being written to (when we poison
>> memory), SEGV happens and the SEGV handler mmaps the required region.
>>
>
> Ok, if you allocate big enough regions you shouldn't need to SEGV that
> often.
>
>
> --
> cheers,
> --renato
>
> http://systemcall.org/
>
> Reclaim your digital rights, eliminate DRM, learn more at
> http://www.defectivebydesign.org/what_is_drm
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.llvm.org/pipermail/llvm-dev/attachments/20110617/84ede3fc/attachment.html>


More information about the llvm-dev mailing list