This is an archive of the discontinued LLVM Phabricator instance.

Differential D15642

[asan] Use private aliases for global variables (LLVM part).
ClosedPublic

Authored by m.ostapenko on Dec 18 2015, 8:11 AM.

Details

Reviewers
kcc
samsonov
eugenis
Commits
rGb1e3f60fb932: [asan] Introduce new hidden -asan-use-private-alias option.
rL260075: [asan] Introduce new hidden -asan-use-private-alias option.
Summary

As discussed in https://github.com/google/sanitizers/issues/398, with current implementation of poisoning globals we can have some CHECK failures or false positives in case of mixing instrumented and non-instrumented code due to ASan poisons innocent globals from non-sanitized binary/library. We can use private aliases to avoid such errors. In addition, to preserve ODR violation detection, we introduce new _asan_genXXX symbol for each instrumented global that indicates if this global was already registered. To detect ODR violation in runtime, we should only check the value of indicator and report an error if it's not equal to zero.

Diff Detail

Repository
rL LLVM

Event Timeline

m.ostapenko updated this revision to Diff 43228.Dec 18 2015, 8:11 AM
m.ostapenko retitled this revision from to [asan] Use private aliases for global variables (LLVM part)..
m.ostapenko updated this object.
m.ostapenko added reviewers: kcc, eugenis, samsonov.
m.ostapenko set the repository for this revision to rL LLVM.
m.ostapenko added subscribers: ygribov, llvm-commits.
kcc edited edge metadata.Dec 18 2015, 11:10 AM
kcc added subscribers: samsonov, eugenis.

The change in general makes sense, but is potentially very intrusive, and hard to test on the small set of unit tests.
We'll need to test it on a larger code base. Did you test it on something large?
I afraid Chromium tests are not an adequate test target for this functionality, but it would be a good start.

Alexey, WDYT?
One way I can see is to put this functionality under a combination of a compile-time and a run-time flags.
That'll bloat the code, but I can't see a better way to test it (other than applying the patch locally).
__asan_global will need to be changed unconditionally, but that's ok.

Also, please don't mention the bugs in the source -- it's enough to mention them in the commit message.

m.ostapenko added a comment.Dec 22 2015, 9:38 AM
In D15642#313943, @kcc wrote:

The change in general makes sense, but is potentially very intrusive, and hard to test on the small set of unit tests.
We'll need to test it on a larger code base. Did you test it on something large?
I afraid Chromium tests are not an adequate test target for this functionality, but it would be a good start.

Yeah, you are right, the change seems to be intrusive. I ran Chromium tests with the patch and hit on -fvisibililty=hidden stuff (we should not export _asan_genXXX symbols for hidden globals), so we should be very careful here. I'm updating the diff.

As for something really big, I thought Android would be a good candidate (AFAIK, Eugeni hit on ODR fiasco there), but I'm not sure I can build and run it without help (at least I don't have a target device). It would be nice if you could help me here somehow.

m.ostapenko updated this revision to Diff 43455.Dec 22 2015, 9:40 AM
m.ostapenko edited edge metadata.
m.ostapenko removed rL LLVM as the repository for this revision.

Updating the diff. Don't export _asan_genXXX symbols in -fvisibility=hidden case.

m.ostapenko updated this revision to Diff 43541.Dec 23 2015, 9:01 AM

Changing symbol linkage basing on visibility attribute is not intuitive and error prone. Instead, we should just copy attributes from NewGlobal to new indicator symbol. However, if we use asan_* pattern, we end up with indicator to be always exported because of --dynamic-list=/usr/local/bin/../lib/clang/3.8.0/lib/linux/libclang_rt.asan-x86_64.a.syms link option and this file contains asan_*. So, just add new __odr_gen* pattern and use it for ODR indicators.

m.ostapenko updated this revision to Diff 45279.Jan 19 2016, 10:09 AM
m.ostapenko set the repository for this revision to rL LLVM.

Back here. Hide using private aliases for globals behind -asan-use-private-alias compile option. Generate ODR indicator symbol if use aliases and pass it's address to Global structure, pass 0 otherwise. Tested on Chromium (build chrome itself, build and run unit tests).

ygribov added inline comments.Jan 19 2016, 12:51 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
1399 ↗(On Diff #45279)

Would it make sense to disable this on platforms that don't have aliases (Windows and maybe OSX)?

1408 ↗(On Diff #45279)

Perhaps just reuse ODRIndicator here?

m.ostapenko added inline comments.Jan 20 2016, 6:16 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
1399 ↗(On Diff #45279)

Yes, you are right, perhaps something like this:

bool CanUsePrivateAliases = TargetTriple.isOSBinFormatELF();
if (CanUsePrivateAliases && ClUsePrivateAliasForGlobals) {
  ...

?

1408 ↗(On Diff #45279)

I use ODRIndicatorSym->copyAttributesFrom() that would be inaccessible if use ODRIndicator (that is Constant *). Perhaps we can change it's type to support copyAttributesFrom() interface, but I failed to find reasonable default value for it. If use Constant *, we can just use zero.

m.ostapenko updated this revision to Diff 45405.Jan 20 2016, 10:06 AM

Updating according to Yura's feedback.

ygribov added inline comments.Jan 20 2016, 12:49 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
1399 ↗(On Diff #45405)

Yeah.

1402 ↗(On Diff #45405)

May also mention support for RTLD_DEEPBIND.

1408 ↗(On Diff #45405)

Got it.

ygribov added a comment.Jan 26 2016, 5:55 AM

Guys, what do you think? This is complex but we see no other way to robustly support globals.

m.ostapenko marked 2 inline comments as done.Feb 1 2016, 7:33 AM

Ping. Kostya, could you please take a look?

samsonov edited edge metadata.Feb 2 2016, 10:37 AM

Sorry for delayed response. Please add an LLVM test for this instrumentation.

lib/Transforms/Instrumentation/AddressSanitizer.cpp
104 ↗(On Diff #45405)

Consider naming this to __asan_odr_gen, so that we could know that these new globals are smth. added by ASan.

m.ostapenko added inline comments.Feb 2 2016, 11:40 AM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
104 ↗(On Diff #45405)

I'd like to, but I hit on this in Firefox: ASan explicitly exports all __asan_* symbols and if we compile our code with e.g -fvisibility=hidden, we can have false positive ODR violation errors.

samsonov added inline comments.Feb 2 2016, 2:23 PM
lib/Transforms/Instrumentation/AddressSanitizer.cpp
104 ↗(On Diff #45405)

Oh, I see... __odr_asan_gen_ ? :)

m.ostapenko updated this revision to Diff 47006.Feb 5 2016, 3:30 AM
m.ostapenko updated this object.
m.ostapenko edited edge metadata.

Updating according to Alexey's review.

I've also realized, that we should not copy all attributes from NewGlobal (e.g. we don't need it's alignment and section name) to ODR indicator symbol (thanks Yura for pointing to this!), we just need some of them (Visibility, DLLStorageClass and ThreadLocalMode). Full list of attributes available for copying is here:

LinkageType               (set in constructor)
VisibilityType
DLLStorageClassType
Section
Alignment
ThreadLocalMode      (set in constructor)
isExternallyInitialized  (set in constructor)

Does this look better now?

m.ostapenko marked 8 inline comments as done.Feb 5 2016, 3:31 AM
samsonov accepted this revision.Feb 5 2016, 2:26 PM
samsonov edited edge metadata.

LGTM

lib/Transforms/Instrumentation/AddressSanitizer.cpp
1412 ↗(On Diff #47006)

Side note: M.getName() might not be unique when you compile/link together a bunch of source files. It shouldn't be relevant here, as global has internal linkage.

test/Instrumentation/AddressSanitizer/local_alias.ll
26 ↗(On Diff #47006)

Do you actually need two functions in this test?

This revision is now accepted and ready to land.Feb 5 2016, 2:26 PM
m.ostapenko updated this revision to Diff 47163.Feb 8 2016, 12:24 AM
m.ostapenko edited edge metadata.

Alexey, thank you! Uploading the patch to be committed.

Closed by commit rL260075: [asan] Introduce new hidden -asan-use-private-alias option. (authored by chefmax). · Explain WhyFeb 8 2016, 12:35 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents

PathSize
llvm/
trunk/
lib/
Transforms/
Instrumentation/
50 lines
test/
Instrumentation/
AddressSanitizer/
23 lines

Diff 47165

llvm/trunk/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 90 Lines▼ Show 20 Lines
static const char *const kAsanReportErrorTemplate = "__asan_report_"; static const char *const kAsanReportErrorTemplate = "__asan_report_";
static const char *const kAsanRegisterGlobalsName = "__asan_register_globals"; static const char *const kAsanRegisterGlobalsName = "__asan_register_globals";
static const char *const kAsanUnregisterGlobalsName = static const char *const kAsanUnregisterGlobalsName =
"__asan_unregister_globals"; "__asan_unregister_globals";
static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init"; static const char *const kAsanPoisonGlobalsName = "__asan_before_dynamic_init";
static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init"; static const char *const kAsanUnpoisonGlobalsName = "__asan_after_dynamic_init";
static const char *const kAsanInitName = "__asan_init"; static const char *const kAsanInitName = "__asan_init";
static const char *const kAsanVersionCheckName = static const char *const kAsanVersionCheckName =
"__asan_version_mismatch_check_v6"; "__asan_version_mismatch_check_v7";
static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp"; static const char *const kAsanPtrCmp = "__sanitizer_ptr_cmp";
static const char *const kAsanPtrSub = "__sanitizer_ptr_sub"; static const char *const kAsanPtrSub = "__sanitizer_ptr_sub";
static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return"; static const char *const kAsanHandleNoReturnName = "__asan_handle_no_return";
static const int kMaxAsanStackMallocSizeClass = 10; static const int kMaxAsanStackMallocSizeClass = 10;
static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_"; static const char *const kAsanStackMallocNameTemplate = "__asan_stack_malloc_";
static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_"; static const char *const kAsanStackFreeNameTemplate = "__asan_stack_free_";
static const char *const kAsanGenPrefix = "__asan_gen_"; static const char *const kAsanGenPrefix = "__asan_gen_";
static const char *const kODRGenPrefix = "__odr_asan_gen_";
static const char *const kSanCovGenPrefix = "__sancov_gen_"; static const char *const kSanCovGenPrefix = "__sancov_gen_";
static const char *const kAsanPoisonStackMemoryName = static const char *const kAsanPoisonStackMemoryName =
"__asan_poison_stack_memory"; "__asan_poison_stack_memory";
static const char *const kAsanUnpoisonStackMemoryName = static const char *const kAsanUnpoisonStackMemoryName =
"__asan_unpoison_stack_memory"; "__asan_unpoison_stack_memory";
static const char *const kAsanOptionDetectUAR = static const char *const kAsanOptionDetectUAR =
"__asan_option_detect_stack_use_after_return"; "__asan_option_detect_stack_use_after_return";
▲ Show 20 LinesShow All 109 Lines▼ Show 20 Linesstatic cl::opt<bool> ClDynamicAllocaStack(
cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden, cl::desc("Use dynamic alloca to represent stack variables"), cl::Hidden,
cl::init(true)); cl::init(true));
static cl::opt<uint32_t> ClForceExperiment( static cl::opt<uint32_t> ClForceExperiment(
"asan-force-experiment", "asan-force-experiment",
cl::desc("Force optimization experiment (for testing)"), cl::Hidden, cl::desc("Force optimization experiment (for testing)"), cl::Hidden,
cl::init(0)); cl::init(0));
static cl::opt<bool>
ClUsePrivateAliasForGlobals("asan-use-private-alias",
cl::desc("Use private aliases for global"
" variables"),
cl::Hidden, cl::init(false));
// Debug flags. // Debug flags.
static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden, static cl::opt<int> ClDebug("asan-debug", cl::desc("debug"), cl::Hidden,
cl::init(0)); cl::init(0));
static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"), static cl::opt<int> ClDebugStack("asan-debug-stack", cl::desc("debug stack"),
cl::Hidden, cl::init(0)); cl::Hidden, cl::init(0));
static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden, static cl::opt<std::string> ClDebugFunc("asan-debug-func", cl::Hidden,
cl::desc("Debug func")); cl::desc("Debug func"));
static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"), static cl::opt<int> ClDebugMin("asan-debug-min", cl::desc("Debug min inst"),
▲ Show 20 LinesShow All 578 Lines▼ Show 20 Lines auto GV = new GlobalVariable(M, LocStruct->getType(), true,
GlobalValue::PrivateLinkage, LocStruct, GlobalValue::PrivateLinkage, LocStruct,
kAsanGenPrefix); kAsanGenPrefix);
GV->setUnnamedAddr(true); GV->setUnnamedAddr(true);
return GV; return GV;
} }
static bool GlobalWasGeneratedByAsan(GlobalVariable *G) { static bool GlobalWasGeneratedByAsan(GlobalVariable *G) {
return G->getName().find(kAsanGenPrefix) == 0 || return G->getName().find(kAsanGenPrefix) == 0 ||
G->getName().find(kSanCovGenPrefix) == 0; G->getName().find(kSanCovGenPrefix) == 0 ||
G->getName().find(kODRGenPrefix) == 0;
} }
Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) { Value *AddressSanitizer::memToShadow(Value *Shadow, IRBuilder<> &IRB) {
// Shadow >> scale // Shadow >> scale
Shadow = IRB.CreateLShr(Shadow, Mapping.Scale); Shadow = IRB.CreateLShr(Shadow, Mapping.Scale);
if (Mapping.Offset == 0) return Shadow; if (Mapping.Offset == 0) return Shadow;
// (Shadow >> scale) | offset // (Shadow >> scale) | offset
if (Mapping.OrShadowOffset) if (Mapping.OrShadowOffset)
▲ Show 20 LinesShow All 481 Lines▼ Show 20 Linesbool AddressSanitizerModule::InstrumentGlobals(IRBuilder<> &IRB, Module &M) {
// A global is described by a structure // A global is described by a structure
// size_t beg; // size_t beg;
// size_t size; // size_t size;
// size_t size_with_redzone; // size_t size_with_redzone;
// const char *name; // const char *name;
// const char *module_name; // const char *module_name;
// size_t has_dynamic_init; // size_t has_dynamic_init;
// void *source_location; // void *source_location;
// size_t odr_indicator;
// We initialize an array of such structures and pass it to a run-time call. // We initialize an array of such structures and pass it to a run-time call.
StructType *GlobalStructTy = StructType *GlobalStructTy =
StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy, StructType::get(IntptrTy, IntptrTy, IntptrTy, IntptrTy, IntptrTy,
IntptrTy, IntptrTy, nullptr); IntptrTy, IntptrTy, IntptrTy, nullptr);
SmallVector<Constant *, 16> Initializers(n); SmallVector<Constant *, 16> Initializers(n);
bool HasDynamicallyInitializedGlobals = false; bool HasDynamicallyInitializedGlobals = false;
// We shouldn't merge same module names, as this string serves as unique // We shouldn't merge same module names, as this string serves as unique
// module ID in runtime. // module ID in runtime.
GlobalVariable *ModuleName = createPrivateGlobalForString( GlobalVariable *ModuleName = createPrivateGlobalForString(
M, M.getModuleIdentifier(), /*AllowMerging*/ false); M, M.getModuleIdentifier(), /*AllowMerging*/ false);
auto &DL = M.getDataLayout(); auto &DL = M.getDataLayout();
for (size_t i = 0; i < n; i++) { for (size_t i = 0; i < n; i++) {
static const uint64_t kMaxGlobalRedzone = 1 << 18; static const uint64_t kMaxGlobalRedzone = 1 << 18;
GlobalVariable *G = GlobalsToChange[i]; GlobalVariable *G = GlobalsToChange[i];
auto MD = GlobalsMD.get(G); auto MD = GlobalsMD.get(G);
StringRef NameForGlobal = G->getName();
// Create string holding the global name (use global name from metadata // Create string holding the global name (use global name from metadata
// if it's available, otherwise just write the name of global variable). // if it's available, otherwise just write the name of global variable).
GlobalVariable *Name = createPrivateGlobalForString( GlobalVariable *Name = createPrivateGlobalForString(
M, MD.Name.empty() ? G->getName() : MD.Name, M, MD.Name.empty() ? NameForGlobal : MD.Name,
/*AllowMerging*/ true); /*AllowMerging*/ true);
Type *Ty = G->getValueType(); Type *Ty = G->getValueType();
uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); uint64_t SizeInBytes = DL.getTypeAllocSize(Ty);
uint64_t MinRZ = MinRedzoneSizeForGlobal(); uint64_t MinRZ = MinRedzoneSizeForGlobal();
// MinRZ <= RZ <= kMaxGlobalRedzone // MinRZ <= RZ <= kMaxGlobalRedzone
// and trying to make RZ to be ~ 1/4 of SizeInBytes. // and trying to make RZ to be ~ 1/4 of SizeInBytes.
uint64_t RZ = std::max( uint64_t RZ = std::max(
Show All 31 Lines for (size_t i = 0; i < n; i++) {
Constant *SourceLoc; Constant *SourceLoc;
if (!MD.SourceLoc.empty()) { if (!MD.SourceLoc.empty()) {
auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc); auto SourceLocGlobal = createPrivateGlobalForSourceLoc(M, MD.SourceLoc);
SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy); SourceLoc = ConstantExpr::getPointerCast(SourceLocGlobal, IntptrTy);
} else { } else {
SourceLoc = ConstantInt::get(IntptrTy, 0); SourceLoc = ConstantInt::get(IntptrTy, 0);
} }
Constant *ODRIndicator = ConstantExpr::getNullValue(IRB.getInt8PtrTy());
GlobalValue *InstrumentedGlobal = NewGlobal;
bool CanUsePrivateAliases = TargetTriple.isOSBinFormatELF();
if (CanUsePrivateAliases && ClUsePrivateAliasForGlobals) {
// Create local alias for NewGlobal to avoid crash on ODR between
// instrumented and non-instrumented libraries.
auto *GA = GlobalAlias::create(GlobalValue::InternalLinkage,
NameForGlobal + M.getName(), NewGlobal);
// With local aliases, we need to provide another externally visible
// symbol __odr_asan_XXX to detect ODR violation.
auto *ODRIndicatorSym =
new GlobalVariable(M, IRB.getInt8Ty(), false, Linkage,
Constant::getNullValue(IRB.getInt8Ty()),
kODRGenPrefix + NameForGlobal, nullptr,
NewGlobal->getThreadLocalMode());
// Set meaningful attributes for indicator symbol.
ODRIndicatorSym->setVisibility(NewGlobal->getVisibility());
ODRIndicatorSym->setDLLStorageClass(NewGlobal->getDLLStorageClass());
ODRIndicatorSym->setAlignment(1);
ODRIndicator = ODRIndicatorSym;
InstrumentedGlobal = GA;
}
Initializers[i] = ConstantStruct::get( Initializers[i] = ConstantStruct::get(
GlobalStructTy, ConstantExpr::getPointerCast(NewGlobal, IntptrTy), GlobalStructTy,
ConstantExpr::getPointerCast(InstrumentedGlobal, IntptrTy),
ConstantInt::get(IntptrTy, SizeInBytes), ConstantInt::get(IntptrTy, SizeInBytes),
ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize), ConstantInt::get(IntptrTy, SizeInBytes + RightRedzoneSize),
ConstantExpr::getPointerCast(Name, IntptrTy), ConstantExpr::getPointerCast(Name, IntptrTy),
ConstantExpr::getPointerCast(ModuleName, IntptrTy), ConstantExpr::getPointerCast(ModuleName, IntptrTy),
ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc, nullptr); ConstantInt::get(IntptrTy, MD.IsDynInit), SourceLoc,
ConstantExpr::getPointerCast(ODRIndicator, IntptrTy), nullptr);
if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true; if (ClInitializers && MD.IsDynInit) HasDynamicallyInitializedGlobals = true;
DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n"); DEBUG(dbgs() << "NEW GLOBAL: " << *NewGlobal << "\n");
} }
ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n); ArrayType *ArrayOfGlobalStructTy = ArrayType::get(GlobalStructTy, n);
GlobalVariable *AllGlobals = new GlobalVariable( GlobalVariable *AllGlobals = new GlobalVariable(
▲ Show 20 LinesShow All 762 LinesShow Last 20 Lines

llvm/trunk/test/Instrumentation/AddressSanitizer/local_alias.ll

; RUN: opt < %s -asan -asan-module -asan-use-private-alias=1 -S | FileCheck %s
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu"
@a = internal global [2 x i32] zeroinitializer, align 4
; Check that we generate internal alias and odr indicator symbols for global to be protected.
; CHECK: @__odr_asan_gen_a = internal global i8 0, align 1
; CHECK: @"a<stdin>" = internal alias { [2 x i32], [56 x i8] }, { [2 x i32], [56 x i8] }* @a
; Function Attrs: nounwind sanitize_address uwtable
define i32 @foo(i32 %M) #0 {
entry:
%M.addr = alloca i32, align 4
store i32 %M, i32* %M.addr, align 4
store volatile i32 6, i32* getelementptr inbounds ([2 x i32], [2 x i32]* @a, i64 2, i64 0), align 4
%0 = load i32, i32* %M.addr, align 4
%idxprom = sext i32 %0 to i64
%arrayidx = getelementptr inbounds [2 x i32], [2 x i32]* @a, i64 0, i64 %idxprom
%1 = load volatile i32, i32* %arrayidx, align 4
ret i32 %1
}