This is an archive of the discontinued LLVM Phabricator instance.

Differential D105178

[lldb][AArch64] Annotate synchronous tag faults
ClosedPublic

Authored by DavidSpickett on Jun 30 2021, 3:05 AM.

Details

Reviewers
omjavaid
pcc
Commits
rGd510b5f199d6: [lldb][AArch64] Annotate synchronous tag faults
Summary

In the latest Linux kernels synchronous tag faults
include the tag bits in their address.
This change adds logical and allocation tags to the
description of synchronous tag faults.
(asynchronous faults have no address)

Process 1626 stopped

  • thread #1, name = 'a.out', stop reason = signal SIGSEGV: sync tag check fault (fault address: 0x900fffff7ff9010 logical tag: 0x9 allocation tag: 0x0)

This extends the existing description and will
show as much as it can on the rare occasion something
fails.

This change supports AArch64 MTE only but other
architectures could be added by extending the
switch at the start of AnnotateSyncTagCheckFault.
The rest of the function is generic code.

Tests have been added for synchronous and asynchronous
MTE faults.

Diff Detail

Event Timeline

DavidSpickett created this revision.Jun 30 2021, 3:05 AM
Herald added subscribers: danielkiss, kristof.beyls. · View Herald TranscriptJun 30 2021, 3:05 AM
DavidSpickett requested review of this revision.Jun 30 2021, 3:05 AM
Herald added a project: Restricted Project. · View Herald TranscriptJun 30 2021, 3:05 AM
Herald added a subscriber: lldb-commits. · View Herald Transcript
DavidSpickett added reviewers: omjavaid, pcc.Jun 30 2021, 3:09 AM
DavidSpickett added a subscriber: pcc.

@pcc This makes use of the kernel changes you did, let me know if I have anything wrong.

Note that the situation where you can't read the allocation tag isn't testable, but the code will just show the logical tag in the event it did happen.

Herald added a subscriber: JDevlieghere. · View Herald TranscriptJun 30 2021, 3:09 AM
Harbormaster completed remote builds in B111714: Diff 355488.Jun 30 2021, 3:34 AM
tschuett added a subscriber: tschuett.Jun 30 2021, 3:54 AM
omjavaid accepted this revision.Jul 12 2021, 3:11 AM
omjavaid added inline comments.
lldb/test/API/linux/aarch64/mte_tag_faults/main.c
30

Can we add a bit more detail on what this and following mmap step is doing.?

This revision is now accepted and ready to land.Jul 12 2021, 3:11 AM
pcc added a comment.Jul 12 2021, 6:14 PM

Programs must enable the tagged address ABI to
receive these signals and are also opting into the
presence of these tag bits.

This is actually independent of the tagged address ABI. For siginfo data structures read via ptrace(PTRACE_GETSIGINFO) we will always have the tag in si_addr provided that the kernel is new enough. It's only the signal delivery via sigaction where the user program needs to opt in (via SA_EXPOSE_TAGBITS), and that is again independent of the tagged address ABI.

lldb/test/API/linux/aarch64/mte_tag_faults/main.c
39

This seems like a bit of a roundabout way to set the address tag to 10. Why not just set it directly? i.e.

char *tagged_buf = buf + (10ULL << 56);

Or wrap that in a function to make things more self documenting. Then you don't need to set the inclusion mask in the prctl call.

DavidSpickett updated this revision to Diff 358276.Jul 13 2021, 8:39 AM
  • Removed use of tagged address ABI
  • Set pointer tags with a function instead of generator intrinsic
  • Add a memory access to confirm mapping was done properly
  • Add a few more comments about mmap and others
DavidSpickett edited the summary of this revision. (Show Details)Jul 13 2021, 8:40 AM
DavidSpickett marked an inline comment as done.

This is actually independent of the tagged address ABI.

Thanks for the info, I keep thinking I need to enable it but never do. Updated the test case and commit msg.

DavidSpickett updated this revision to Diff 358277.Jul 13 2021, 8:42 AM

clang-format the test file.

DavidSpickett marked an inline comment as done.Jul 13 2021, 8:44 AM
Harbormaster completed remote builds in B113747: Diff 358277.Jul 13 2021, 9:20 AM
DavidSpickett added a child revision: D105630: [lldb][AArch64] Refactor memory tag range handling.Jul 14 2021, 2:00 AM
DavidSpickett removed a child revision: D105630: [lldb][AArch64] Refactor memory tag range handling.
DavidSpickett updated this revision to Diff 358972.Jul 15 2021, 8:16 AM

Rebase

Harbormaster completed remote builds in B114241: Diff 358972.Jul 15 2021, 8:51 AM
DavidSpickett updated this revision to Diff 359278.Jul 16 2021, 3:57 AM

Account for fault addresses not being granule aligned by asking
for fault_addr to fault_addr+1 which always gives you 1 tag back.
(same trick we do in "memory tag read" if we only have a start address)

DavidSpickett updated this revision to Diff 359279.Jul 16 2021, 3:59 AM

Correct potentitally -> potentially.

Harbormaster completed remote builds in B114469: Diff 359279.Jul 16 2021, 4:28 AM
This revision was landed with ongoing or failed builds.Jul 29 2021, 2:26 AM
Closed by commit rGd510b5f199d6: [lldb][AArch64] Annotate synchronous tag faults (authored by DavidSpickett). · Explain Why
This revision was automatically updated to reflect the committed changes.
DavidSpickett added a commit: rGd510b5f199d6: [lldb][AArch64] Annotate synchronous tag faults.

Revision Contents

PathSize
lldb/
source/
Plugins/
Process/
Linux/
5 lines
59 lines
test/
API/
linux/
aarch64/
mte_tag_faults/
4 lines
62 lines
59 lines

Diff 362685

lldb/source/Plugins/Process/Linux/NativeThreadLinux.h

Show First 20 LinesShow All 96 Lines▼ Show 20 Linesprivate:
Status RequestStop(); Status RequestStop();
// Private interface // Private interface
void MaybeLogStateChange(lldb::StateType new_state); void MaybeLogStateChange(lldb::StateType new_state);
void SetStopped(); void SetStopped();
/// Extend m_stop_description with logical and allocation tag values.
/// If there is an error along the way just add the information we were able
/// to get.
void AnnotateSyncTagCheckFault(const siginfo_t *info);
// Member Variables // Member Variables
lldb::StateType m_state; lldb::StateType m_state;
ThreadStopInfo m_stop_info; ThreadStopInfo m_stop_info;
std::unique_ptr<NativeRegisterContextLinux> m_reg_context_up; std::unique_ptr<NativeRegisterContextLinux> m_reg_context_up;
std::string m_stop_description; std::string m_stop_description;
using WatchpointIndexMap = std::map<lldb::addr_t, uint32_t>; using WatchpointIndexMap = std::map<lldb::addr_t, uint32_t>;
WatchpointIndexMap m_watchpoint_index_map; WatchpointIndexMap m_watchpoint_index_map;
WatchpointIndexMap m_hw_break_index_map; WatchpointIndexMap m_hw_break_index_map;
std::unique_ptr<SingleStepWorkaround> m_step_workaround; std::unique_ptr<SingleStepWorkaround> m_step_workaround;
}; };
} // namespace process_linux } // namespace process_linux
} // namespace lldb_private } // namespace lldb_private
#endif // #ifndef liblldb_NativeThreadLinux_H_ #endif // #ifndef liblldb_NativeThreadLinux_H_

lldb/source/Plugins/Process/Linux/NativeThreadLinux.cpp

Show All 20 Lines
#include "lldb/Utility/LLDBAssert.h" #include "lldb/Utility/LLDBAssert.h"
#include "lldb/Utility/Log.h" #include "lldb/Utility/Log.h"
#include "lldb/Utility/State.h" #include "lldb/Utility/State.h"
#include "lldb/lldb-enumerations.h" #include "lldb/lldb-enumerations.h"
#include "llvm/ADT/SmallString.h" #include "llvm/ADT/SmallString.h"
#include "Plugins/Process/POSIX/CrashReason.h" #include "Plugins/Process/POSIX/CrashReason.h"
#include "Plugins/Process/Utility/MemoryTagManagerAArch64MTE.h"
#include <sys/syscall.h> #include <sys/syscall.h>
// Try to define a macro to encapsulate the tgkill syscall // Try to define a macro to encapsulate the tgkill syscall
#define tgkill(pid, tid, sig) \ #define tgkill(pid, tid, sig) \
syscall(__NR_tgkill, static_cast<::pid_t>(pid), static_cast<::pid_t>(tid), \ syscall(__NR_tgkill, static_cast<::pid_t>(pid), static_cast<::pid_t>(tid), \
sig) sig)
using namespace lldb; using namespace lldb;
▲ Show 20 LinesShow All 257 Lines▼ Show 20 Lines if (info) {
case SIGILL: case SIGILL:
// In case of MIPS64 target, SI_KERNEL is generated for invalid 64bit // In case of MIPS64 target, SI_KERNEL is generated for invalid 64bit
// address. // address.
const auto reason = const auto reason =
(info->si_signo == SIGBUS && info->si_code == SI_KERNEL) (info->si_signo == SIGBUS && info->si_code == SI_KERNEL)
? CrashReason::eInvalidAddress ? CrashReason::eInvalidAddress
: GetCrashReason(*info); : GetCrashReason(*info);
m_stop_description = GetCrashReasonString(reason, *info); m_stop_description = GetCrashReasonString(reason, *info);
if (reason == CrashReason::eSyncTagCheckFault) {
AnnotateSyncTagCheckFault(info);
}
break; break;
} }
} }
} }
void NativeThreadLinux::AnnotateSyncTagCheckFault(const siginfo_t *info) {
int32_t allocation_tag_type = 0;
switch (GetProcess().GetArchitecture().GetMachine()) {
// aarch64_32 deliberately not here because there's no 32 bit MTE
case llvm::Triple::aarch64:
case llvm::Triple::aarch64_be:
allocation_tag_type = MemoryTagManagerAArch64MTE::eMTE_allocation;
break;
default:
return;
}
auto details =
GetRegisterContext().GetMemoryTaggingDetails(allocation_tag_type);
if (!details) {
llvm::consumeError(details.takeError());
return;
}
// We assume that the stop description is currently:
// signal SIGSEGV: sync tag check fault (fault address: <addr>)
// Remove the closing )
m_stop_description.pop_back();
std::stringstream ss;
lldb::addr_t fault_addr = reinterpret_cast<uintptr_t>(info->si_addr);
std::unique_ptr<MemoryTagManager> manager(std::move(details->manager));
ss << " logical tag: 0x" << std::hex << manager->GetLogicalTag(fault_addr);
std::vector<uint8_t> allocation_tag_data;
// The fault address may not be granule aligned. ReadMemoryTags will granule
// align any range you give it, potentially making it larger.
// To prevent this set len to 1. This always results in a range that is at
// most 1 granule in size and includes fault_addr.
Status status = GetProcess().ReadMemoryTags(allocation_tag_type, fault_addr,
1, allocation_tag_data);
if (status.Success()) {
llvm::Expected<std::vector<lldb::addr_t>> allocation_tag =
manager->UnpackTagsData(allocation_tag_data, 1);
if (allocation_tag) {
ss << " allocation tag: 0x" << std::hex << allocation_tag->front() << ")";
} else {
llvm::consumeError(allocation_tag.takeError());
ss << ")";
}
} else
ss << ")";
m_stop_description += ss.str();
}
bool NativeThreadLinux::IsStopped(int *signo) { bool NativeThreadLinux::IsStopped(int *signo) {
if (!StateIsStoppedState(m_state, false)) if (!StateIsStoppedState(m_state, false))
return false; return false;
// If we are stopped by a signal, return the signo. // If we are stopped by a signal, return the signo.
if (signo && m_state == StateType::eStateStopped && if (signo && m_state == StateType::eStateStopped &&
m_stop_info.reason == StopReason::eStopReasonSignal) { m_stop_info.reason == StopReason::eStopReasonSignal) {
*signo = m_stop_info.details.signal.signo; *signo = m_stop_info.details.signal.signo;
▲ Show 20 LinesShow All 165 LinesShow Last 20 Lines

lldb/test/API/linux/aarch64/mte_tag_faults/Makefile

  • This file was added.
C_SOURCES := main.c
CFLAGS_EXTRAS := -march=armv8.5-a+memtag
include Makefile.rules

lldb/test/API/linux/aarch64/mte_tag_faults/TestAArch64LinuxMTEMemoryTagFaults.py

  • This file was added.
"""
Test reporting of MTE tag access faults.
"""
import lldb
from lldbsuite.test.decorators import *
from lldbsuite.test.lldbtest import *
from lldbsuite.test import lldbutil
class AArch64LinuxMTEMemoryTagFaultsTestCase(TestBase):
mydir = TestBase.compute_mydir(__file__)
NO_DEBUG_INFO_TESTCASE = True
def setup_mte_test(self, fault_type):
if not self.isAArch64MTE():
self.skipTest('Target must support MTE.')
self.build()
self.runCmd("file " + self.getBuildArtifact("a.out"), CURRENT_EXECUTABLE_SET)
lldbutil.run_break_set_by_file_and_line(self, "main.c",
line_number('main.c', '// Breakpoint here'),
num_expected_locations=1)
self.runCmd("run {}".format(fault_type), RUN_SUCCEEDED)
if self.process().GetState() == lldb.eStateExited:
self.fail("Test program failed to run.")
self.expect("thread list", STOPPED_DUE_TO_BREAKPOINT,
substrs=['stopped',
'stop reason = breakpoint'])
@skipUnlessArch("aarch64")
@skipUnlessPlatform(["linux"])
@skipUnlessAArch64MTELinuxCompiler
def test_mte_tag_fault_sync(self):
self.setup_mte_test("sync")
# The logical tag should be included in the fault address
# and we know what the bottom byte should be.
# It will be 0x10 (to be in the 2nd granule), +1 to be 0x11.
# Which tests that lldb-server handles fault addresses that
# are not granule aligned.
self.expect("continue",
patterns=[
"\* thread #1, name = 'a.out', stop reason = signal SIGSEGV: "
"sync tag check fault \(fault address: 0x9[0-9A-Fa-f]+11\ "
"logical tag: 0x9 allocation tag: 0xa\)"])
@skipUnlessArch("aarch64")
@skipUnlessPlatform(["linux"])
@skipUnlessAArch64MTELinuxCompiler
def test_mte_tag_fault_async(self):
self.setup_mte_test("async")
self.expect("continue",
substrs=[
"* thread #1, name = 'a.out', stop reason = "
"signal SIGSEGV: async tag check fault"])

lldb/test/API/linux/aarch64/mte_tag_faults/main.c

  • This file was added.
#include <arm_acle.h>
#include <asm/hwcap.h>
#include <asm/mman.h>
#include <stdbool.h>
#include <string.h>
#include <sys/auxv.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>
// Set bits 59-56 to tag, removing any existing tag
static char *set_tag(char *ptr, size_t tag) {
return (char *)(((size_t)ptr & ~((size_t)0xf << 56)) | (tag << 56));
}
int main(int argc, char const *argv[]) {
// We assume that the test runner has checked we're on an MTE system
// Only expect to get the fault type
if (argc != 2)
return 1;
unsigned long prctl_arg2 = 0;
if (!strcmp(argv[1], "sync"))
prctl_arg2 = PR_MTE_TCF_SYNC;
else if (!strcmp(argv[1], "async"))
prctl_arg2 = PR_MTE_TCF_ASYNC;
else
return 1;
omjavaidUnsubmitted
Done
ReplyInline Actions

Can we add a bit more detail on what this and following mmap step is doing.?

omjavaid: Can we add a bit more detail on what this and following mmap step is doing.?
// Set fault type
if (prctl(PR_SET_TAGGED_ADDR_CTRL, prctl_arg2, 0, 0, 0))
return 1;
// Allocate some memory with tagging enabled that we
// can read/write if we use correct tags.
char *buf = mmap(0, sysconf(_SC_PAGESIZE), PROT_MTE | PROT_READ | PROT_WRITE,
MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
if (buf == MAP_FAILED)
pccUnsubmitted
Done
ReplyInline Actions

This seems like a bit of a roundabout way to set the address tag to 10. Why not just set it directly? i.e.

char *tagged_buf = buf + (10ULL << 56);

Or wrap that in a function to make things more self documenting. Then you don't need to set the inclusion mask in the prctl call.

pcc: This seems like a bit of a roundabout way to set the address tag to 10. Why not just set it…
return 1;
// Our pointer will have tag 9
char *tagged_buf = set_tag(buf, 9);
// Set allocation tags for the first 2 granules
__arm_mte_set_tag(set_tag(tagged_buf, 9));
__arm_mte_set_tag(set_tag(tagged_buf + 16, 10));
// Confirm that we can write when tags match
*tagged_buf = ' ';
// Breakpoint here
// Faults because tag 9 in the ptr != allocation tag of 10.
// + 16 puts us in the second granule and +1 makes the fault address
// misaligned relative to the granule size. This misalignment must
// be accounted for by lldb-server.
*(tagged_buf + 16 + 1) = '?';
return 0;
}