This is an archive of the discontinued LLVM Phabricator instance.

Differential D16844

[asan] Improved support for swapcontext()
Needs ReviewPublic

Authored by pdziepak on Feb 3 2016, 12:55 AM.

Details

Reviewers
kcc
Summary

These changess improve ASan support for swapcontext() and friends mainly
focusing on eliminating false positives caused by throwing and catching
exceptions when on a custom user stack.

This is achieved by:

  1. Making swapcontext() and getcontext() fill ucontext_t::uc_stack with proper

values.

  1. Adding ability to AsanThread to change current stack (in an async-safe way).

Some of the things that are still not fully supported:

  • swapcontext() and fake stacks
  • changing context from signal handlers
  • changing context using longjmp()
  • final context change via ucontext_t::uc_link

Diff Detail

Event Timeline

pdziepak updated this revision to Diff 46753.Feb 3 2016, 12:55 AM
pdziepak retitled this revision from to [asan] Improved support for swapcontext().
pdziepak updated this object.
pdziepak added a reviewer: kcc.
pdziepak added a subscriber: llvm-commits.
kcc edited edge metadata.Feb 3 2016, 6:30 PM

Thanks for this work, but, just curious, what is your motivation?
What kind of software are you trying to apply asan to?
I haven't heard about swapcontext for a loooong time.

The change in AsanThread is quite intrusive and potentially risky.
While I don't see what may go wrong, I'd like to have more tests, e.g. with threads, leaks, signals, etc.

Besides, I'd like to have another pair of eyes here. Anyone?

lib/asan/asan_interceptors.cc
350

initialize these just in case (with =0); same below.

351

do you know a situation where curr_thread is nullptr? same below

test/asan/TestCases/Linux/swapcontext_test.cc
32

shouldn't we call Func from Throw() or some such?

test/lsan/TestCases/swapcontext.cc
5

don't we still want to test the case with heap memory?

samsonov added a subscriber: samsonov.Feb 5 2016, 3:20 PM
samsonov added inline comments.
lib/asan/asan_interceptors.cc
351

Yeah, I believe this happens during thread destruction.

354

Won't these be overwritten anyway by real swapcontext(), when it will be copying ucp to oucp?

392

Why do you need this?

lib/asan/asan_thread.cc
204

Maybe, just add a constructor for StackDescriptor that would fill everything with zeroes?

lib/asan/asan_thread.h
170

Note: you can replace three pointers with a single "int current_stack_;", where
next_stack_ = &stacks_[current_stack_];
previous_stack_ = &stacks_[(current_stack_ + 1) % 3];
temp_stack_ = &stacks_[(current_stack_ + 2) % 3];

test/lsan/TestCases/swapcontext.cc
5

We definitely still want to run it. Can we predict if LSan will or won't report leak in this case?

pdziepak added a comment.Feb 8 2016, 2:36 AM

The main motivation is to avoid false positives we have been getting in SeaStar ( http://www.seastar-project.org/ ). It is a future/promise/continuation based framework that also implements coroutines using swapcontext() and friends, so that we get something similar to resumable functions (actually, it's using mostly longjmp() but that's more difficult to support properly in ASan). With these changes the false positives we've been seeing so far are gone.

lib/asan/asan_interceptors.cc
351

Every use of GetCurrentThread() I've seen in ASan code has guard against the function returning nullptr. I admit I haven't dug deeper but just wanted to be safe and followed what is done in the other places.

354

swapcontext() doesn't copy ucp to oucp. It saves the current context to oucp (so that when it is restored it behaves as if swapcontext() has returned 0) and switches to ucp.
However, glibc implementations of swapcontext() and getcontext() (at least their x86 versions) don't write anything to ucontext_t::uc_stack and that's why that WriteContextStack() is needed – to preserve stack information across setcontext/getcontext/swapcontext calls. If swapcontext() actually writes something to uc_stack it is ok as long it is valid data and not zeroes or some garbage.

392

Like I mentioned in earlier reply, getcontext() (or at least some its implementations) doesn't write anything to ucontext_t::uc_stack. Relying in setcontext() and swapcontext() on the fact that uc_stack contains valid information makes thing much easier so I decided to "fix" getcontext() and swapcontext().

lib/asan/asan_thread.h
170

Is it worth it? We save no more than 24 bytes per thread which usually will be much less than 1% percent of memory used by the thread stack, but make code both harder to read (another layer of indirection since logic needed to get stack pointer will have to be hidden in some function) and longer to execute (mod non-power-of-two).

test/asan/TestCases/Linux/swapcontext_test.cc
32

What these changes are trying to fix is mainly the false positive like this:

  1. An exception is thrown on custom stack.
  2. __asan_handle_no_return() is called but doesn't have correct stack information so just prints a warning and bails out, as a result stack shadow memory is not cleared
  3. Exception is handled, stack is unwind. Execution continues.
  4. Function called from exception handler or after exception was handled touches stack, but the shadow memory contains stale information (that was supposed to be cleared by __asan_handle_no_return()). Result: false positive.

So that's what I am testing here. Throw() has some data on stack, exception is thrown and handled and then another function touches the stack in places that Throw() has used before.

test/lsan/TestCases/swapcontext.cc
5

LSan will retain its original behaviour (i.e. not reporting leaks on custom stack). The solution would be to either add similar changes to LSan (or perhaps reduce code duplication between LSan and ASan) or write these testing directives so that different behaviour is expected from LSan than from ASan. I am not sure if the latter is possible.

Revision Contents

PathSize
lib/
asan/
42 lines
1 line
10 lines
4 lines
54 lines
21 lines
4 lines
test/
asan/
TestCases/
Linux/
15 lines
lsan/
TestCases/
4 lines

Diff 46753

lib/asan/asan_interceptors.cc

Show First 20 LinesShow All 340 Lines▼ Show 20 Lines Report("WARNING: ASan doesn't fully support makecontext/swapcontext "
"functions and may produce false positives in some cases!\n"); "functions and may produce false positives in some cases!\n");
reported_warning = true; reported_warning = true;
} }
// Clear shadow memory for new context (it may share stack // Clear shadow memory for new context (it may share stack
// with current context). // with current context).
uptr stack, ssize; uptr stack, ssize;
ReadContextStack(ucp, &stack, &ssize); ReadContextStack(ucp, &stack, &ssize);
ClearShadowMemoryForContextStack(stack, ssize); ClearShadowMemoryForContextStack(stack, ssize);
AsanThread *curr_thread = GetCurrentThread();
uptr old_stack, old_ssize;
kccUnsubmitted
Not Done
ReplyInline Actions

initialize these just in case (with =0); same below.

kcc: initialize these just in case (with =0); same below.
if (curr_thread) {
kccUnsubmitted
Not Done
ReplyInline Actions

do you know a situation where curr_thread is nullptr? same below

kcc: do you know a situation where curr_thread is nullptr? same below
samsonovUnsubmitted
Not Done
ReplyInline Actions

Yeah, I believe this happens during thread destruction.

samsonov: Yeah, I believe this happens during thread destruction.
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

Every use of GetCurrentThread() I've seen in ASan code has guard against the function returning nullptr. I admit I haven't dug deeper but just wanted to be safe and followed what is done in the other places.

pdziepak: Every use of GetCurrentThread() I've seen in ASan code has guard against the function returning…
old_stack = curr_thread->stack_bottom();
old_ssize = curr_thread->stack_size();
WriteContextStack(oucp, old_stack, old_ssize);
samsonovUnsubmitted
Not Done
ReplyInline Actions

Won't these be overwritten anyway by real swapcontext(), when it will be copying ucp to oucp?

samsonov: Won't these be overwritten anyway by real swapcontext(), when it will be copying ucp to oucp?
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

swapcontext() doesn't copy ucp to oucp. It saves the current context to oucp (so that when it is restored it behaves as if swapcontext() has returned 0) and switches to ucp.
However, glibc implementations of swapcontext() and getcontext() (at least their x86 versions) don't write anything to ucontext_t::uc_stack and that's why that WriteContextStack() is needed – to preserve stack information across setcontext/getcontext/swapcontext calls. If swapcontext() actually writes something to uc_stack it is ok as long it is valid data and not zeroes or some garbage.

pdziepak: swapcontext() doesn't copy ucp to oucp. It saves the current context to oucp (so that when it…
curr_thread->SetUserStack(stack, ssize);
}
int res = REAL(swapcontext)(oucp, ucp); int res = REAL(swapcontext)(oucp, ucp);
if (curr_thread) {
curr_thread->SetUserStack(old_stack, old_ssize);
}
// swapcontext technically does not return, but program may swap context to // swapcontext technically does not return, but program may swap context to
// "oucp" later, that would look as if swapcontext() returned 0. // "oucp" later, that would look as if swapcontext() returned 0.
// We need to clear shadow for ucp once again, as it may be in arbitrary // We need to clear shadow for ucp once again, as it may be in arbitrary
// state. // state.
ClearShadowMemoryForContextStack(stack, ssize); ClearShadowMemoryForContextStack(stack, ssize);
return res; return res;
} }
INTERCEPTOR(int, setcontext, struct ucontext_t *ucp) {
uptr stack, ssize;
ReadContextStack(ucp, &stack, &ssize);
ClearShadowMemoryForContextStack(stack, ssize);
AsanThread *curr_thread = GetCurrentThread();
uptr old_stack, old_ssize;
if (curr_thread) {
old_stack = curr_thread->stack_bottom();
old_ssize = curr_thread->stack_size();
curr_thread->SetUserStack(stack, ssize);
}
int res = REAL(setcontext)(ucp);
if (curr_thread) {
curr_thread->SetUserStack(old_stack, old_ssize);
}
return res;
}
INTERCEPTOR(int, getcontext, struct ucontext_t *ucp) {
int res = REAL(getcontext)(ucp);
AsanThread *curr_thread = GetCurrentThread();
if (!res && curr_thread) {
WriteContextStack(ucp, curr_thread->stack_bottom(),
samsonovUnsubmitted
Not Done
ReplyInline Actions

Why do you need this?

samsonov: Why do you need this?
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

Like I mentioned in earlier reply, getcontext() (or at least some its implementations) doesn't write anything to ucontext_t::uc_stack. Relying in setcontext() and swapcontext() on the fact that uc_stack contains valid information makes thing much easier so I decided to "fix" getcontext() and swapcontext().

pdziepak: Like I mentioned in earlier reply, getcontext() (or at least some its implementations) doesn't…
curr_thread->stack_size());
}
return res;
}
#endif // ASAN_INTERCEPT_SWAPCONTEXT #endif // ASAN_INTERCEPT_SWAPCONTEXT
INTERCEPTOR(void, longjmp, void *env, int val) { INTERCEPTOR(void, longjmp, void *env, int val) {
__asan_handle_no_return(); __asan_handle_no_return();
REAL(longjmp)(env, val); REAL(longjmp)(env, val);
} }
#if ASAN_INTERCEPT__LONGJMP #if ASAN_INTERCEPT__LONGJMP
▲ Show 20 LinesShow All 426 Lines▼ Show 20 Lines#if ASAN_INTERCEPT_SIGNAL_AND_SIGACTION
ASAN_INTERCEPT_FUNC(sigaction); ASAN_INTERCEPT_FUNC(sigaction);
#if SANITIZER_ANDROID #if SANITIZER_ANDROID
ASAN_INTERCEPT_FUNC(bsd_signal); ASAN_INTERCEPT_FUNC(bsd_signal);
#endif #endif
ASAN_INTERCEPT_FUNC(signal); ASAN_INTERCEPT_FUNC(signal);
#endif #endif
#if ASAN_INTERCEPT_SWAPCONTEXT #if ASAN_INTERCEPT_SWAPCONTEXT
ASAN_INTERCEPT_FUNC(swapcontext); ASAN_INTERCEPT_FUNC(swapcontext);
ASAN_INTERCEPT_FUNC(setcontext);
ASAN_INTERCEPT_FUNC(getcontext);
#endif #endif
#if ASAN_INTERCEPT__LONGJMP #if ASAN_INTERCEPT__LONGJMP
ASAN_INTERCEPT_FUNC(_longjmp); ASAN_INTERCEPT_FUNC(_longjmp);
#endif #endif
#if ASAN_INTERCEPT_SIGLONGJMP #if ASAN_INTERCEPT_SIGLONGJMP
ASAN_INTERCEPT_FUNC(siglongjmp); ASAN_INTERCEPT_FUNC(siglongjmp);
#endif #endif
Show All 30 Lines

lib/asan/asan_internal.h

Show First 20 LinesShow All 70 Lines▼ Show 20 Lines
// asan_linux.cc / asan_mac.cc / asan_win.cc // asan_linux.cc / asan_mac.cc / asan_win.cc
void *AsanDoesNotSupportStaticLinkage(); void *AsanDoesNotSupportStaticLinkage();
void AsanCheckDynamicRTPrereqs(); void AsanCheckDynamicRTPrereqs();
void AsanCheckIncompatibleRT(); void AsanCheckIncompatibleRT();
void AsanOnDeadlySignal(int, void *siginfo, void *context); void AsanOnDeadlySignal(int, void *siginfo, void *context);
void ReadContextStack(void *context, uptr *stack, uptr *ssize); void ReadContextStack(void *context, uptr *stack, uptr *ssize);
void WriteContextStack(void *context, uptr stack, uptr ssize);
void StopInitOrderChecking(); void StopInitOrderChecking();
// Wrapper for TLS/TSD. // Wrapper for TLS/TSD.
void AsanTSDInit(void (*destructor)(void *tsd)); void AsanTSDInit(void (*destructor)(void *tsd));
void *AsanTSDGet(); void *AsanTSDGet();
void AsanTSDSet(void *tsd); void AsanTSDSet(void *tsd);
void PlatformTSDDtor(void *tsd); void PlatformTSDDtor(void *tsd);
▲ Show 20 LinesShow All 55 LinesShow Last 20 Lines

lib/asan/asan_linux.cc

Show First 20 LinesShow All 150 Lines▼ Show 20 Lines
#endif // SANITIZER_ANDROID #endif // SANITIZER_ANDROID
#if !SANITIZER_ANDROID #if !SANITIZER_ANDROID
void ReadContextStack(void *context, uptr *stack, uptr *ssize) { void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
ucontext_t *ucp = (ucontext_t*)context; ucontext_t *ucp = (ucontext_t*)context;
*stack = (uptr)ucp->uc_stack.ss_sp; *stack = (uptr)ucp->uc_stack.ss_sp;
*ssize = ucp->uc_stack.ss_size; *ssize = ucp->uc_stack.ss_size;
} }
void WriteContextStack(void *context, uptr stack, uptr ssize) {
ucontext_t *ucp = (ucontext_t*)context;
ucp->uc_stack.ss_sp = (void*)stack;
ucp->uc_stack.ss_size = ssize;
}
#else #else
void ReadContextStack(void *context, uptr *stack, uptr *ssize) { void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
void WriteContextStack(void *context, uptr stack, uptr ssize) {
UNIMPLEMENTED();
}
#endif #endif
void *AsanDlSymNext(const char *sym) { void *AsanDlSymNext(const char *sym) {
return dlsym(RTLD_NEXT, sym); return dlsym(RTLD_NEXT, sym);
} }
} // namespace __asan } // namespace __asan
#endif // SANITIZER_FREEBSD || SANITIZER_LINUX #endif // SANITIZER_FREEBSD || SANITIZER_LINUX

lib/asan/asan_mac.cc

Show First 20 LinesShow All 64 Lines▼ Show 20 Lines
// No-op. Mac does not support static linkage anyway. // No-op. Mac does not support static linkage anyway.
void AsanCheckIncompatibleRT() {} void AsanCheckIncompatibleRT() {}
void ReadContextStack(void *context, uptr *stack, uptr *ssize) { void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
void WriteContextStack(void *context, uptr stack, uptr ssize) {
UNIMPLEMENTED();
}
// Support for the following functions from libdispatch on Mac OS: // Support for the following functions from libdispatch on Mac OS:
// dispatch_async_f() // dispatch_async_f()
// dispatch_async() // dispatch_async()
// dispatch_sync_f() // dispatch_sync_f()
// dispatch_sync() // dispatch_sync()
// dispatch_after_f() // dispatch_after_f()
// dispatch_after() // dispatch_after()
// dispatch_group_async_f() // dispatch_group_async_f()
▲ Show 20 LinesShow All 189 LinesShow Last 20 Lines

lib/asan/asan_thread.h

Show First 20 LinesShow All 60 Lines▼ Show 20 Lines static AsanThread *Create(thread_callback_t start_routine, void *arg,
u32 parent_tid, StackTrace *stack, bool detached); u32 parent_tid, StackTrace *stack, bool detached);
static void TSDDtor(void *tsd); static void TSDDtor(void *tsd);
void Destroy(); void Destroy();
void Init(); // Should be called from the thread itself. void Init(); // Should be called from the thread itself.
thread_return_t ThreadStart(uptr os_id, thread_return_t ThreadStart(uptr os_id,
atomic_uintptr_t *signal_thread_is_registered); atomic_uintptr_t *signal_thread_is_registered);
uptr stack_top() { return stack_top_; } struct StackDescriptor {
uptr stack_bottom() { return stack_bottom_; } uptr stack_top;
uptr stack_size() { return stack_size_; } uptr stack_bottom;
uptr stack_size;
};
uptr stack_top() { return CurrentStack()->stack_top; }
uptr stack_bottom() { return CurrentStack()->stack_bottom; }
uptr stack_size() { return CurrentStack()->stack_size; }
uptr tls_begin() { return tls_begin_; } uptr tls_begin() { return tls_begin_; }
uptr tls_end() { return tls_end_; } uptr tls_end() { return tls_end_; }
DTLS *dtls() { return dtls_; } DTLS *dtls() { return dtls_; }
u32 tid() { return context_->tid; } u32 tid() { return context_->tid; }
AsanThreadContext *context() { return context_; } AsanThreadContext *context() { return context_; }
void set_context(AsanThreadContext *context) { context_ = context; } void set_context(AsanThreadContext *context) { context_ = context; }
void SetUserStack(uptr base, uptr size) {
temp_stack_->stack_bottom = base;
temp_stack_->stack_top = base + size;
temp_stack_->stack_size = size;
StackDescriptor* oprev = previous_stack_;
previous_stack_ = next_stack_;
next_stack_ = temp_stack_;
temp_stack_ = oprev;
}
struct StackFrameAccess { struct StackFrameAccess {
uptr offset; uptr offset;
uptr frame_pc; uptr frame_pc;
const char *frame_descr; const char *frame_descr;
}; };
bool GetStackFrameAccessByAddr(uptr addr, StackFrameAccess *access); bool GetStackFrameAccessByAddr(uptr addr, StackFrameAccess *access);
bool AddrIsInStack(StackDescriptor *stack, uptr addr) {
return addr >= stack->stack_bottom && addr < stack->stack_top;
}
StackDescriptor *CurrentStack() {
int local;
if (AddrIsInStack(previous_stack_, (uptr)&local)) {
return previous_stack_;
} else {
return next_stack_;
}
}
bool AddrIsInStack(uptr addr) { bool AddrIsInStack(uptr addr) {
return addr >= stack_bottom_ && addr < stack_top_; return AddrIsInStack(CurrentStack(), addr);
} }
void DeleteFakeStack(int tid) { void DeleteFakeStack(int tid) {
if (!fake_stack_) return; if (!fake_stack_) return;
FakeStack *t = fake_stack_; FakeStack *t = fake_stack_;
fake_stack_ = nullptr; fake_stack_ = nullptr;
SetTLSFakeStack(nullptr); SetTLSFakeStack(nullptr);
t->Destroy(tid); t->Destroy(tid);
Show All 29 Lines private:
// via mmap() and *must* be valid in zero-initialized state. // via mmap() and *must* be valid in zero-initialized state.
void SetThreadStackAndTls(); void SetThreadStackAndTls();
void ClearShadowForThreadStackAndTLS(); void ClearShadowForThreadStackAndTLS();
FakeStack *AsyncSignalSafeLazyInitFakeStack(); FakeStack *AsyncSignalSafeLazyInitFakeStack();
AsanThreadContext *context_; AsanThreadContext *context_;
thread_callback_t start_routine_; thread_callback_t start_routine_;
void *arg_; void *arg_;
uptr stack_top_;
uptr stack_bottom_; // We have three stack descriptors for async-safe stack change. New stack
// stack_size_ == stack_top_ - stack_bottom_; // information is written to temp_stack_. Then previous_stack_ is made to
// It needs to be set in a async-signal-safe manner. // point to the same descriptor that next_stack_ does. Finally, temp_stack_
uptr stack_size_; // is assigned to next_stack_. The result is that at any time either
// previous_stack_ or next_stack_ contain the correct stack information.
StackDescriptor stacks_[3];
StackDescriptor* temp_stack_;
samsonovUnsubmitted
Not Done
ReplyInline Actions

Note: you can replace three pointers with a single "int current_stack_;", where
next_stack_ = &stacks_[current_stack_];
previous_stack_ = &stacks_[(current_stack_ + 1) % 3];
temp_stack_ = &stacks_[(current_stack_ + 2) % 3];

samsonov: Note: you can replace three pointers with a single "int current_stack_;", where next_stack_ =…
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

Is it worth it? We save no more than 24 bytes per thread which usually will be much less than 1% percent of memory used by the thread stack, but make code both harder to read (another layer of indirection since logic needed to get stack pointer will have to be hidden in some function) and longer to execute (mod non-power-of-two).

pdziepak: Is it worth it? We save no more than 24 bytes per thread which usually will be much less than…
StackDescriptor* next_stack_;
StackDescriptor* previous_stack_;
uptr tls_begin_; uptr tls_begin_;
uptr tls_end_; uptr tls_end_;
DTLS *dtls_; DTLS *dtls_;
FakeStack *fake_stack_; FakeStack *fake_stack_;
AsanThreadLocalMallocStorage malloc_storage_; AsanThreadLocalMallocStorage malloc_storage_;
AsanStats stats_; AsanStats stats_;
bool unwinding_; bool unwinding_;
▲ Show 20 LinesShow All 46 LinesShow Last 20 Lines

lib/asan/asan_thread.cc

Show First 20 LinesShow All 144 Lines▼ Show 20 Lines if (atomic_compare_exchange_strong(
fake_stack_ = FakeStack::Create(stack_size_log); fake_stack_ = FakeStack::Create(stack_size_log);
SetTLSFakeStack(fake_stack_); SetTLSFakeStack(fake_stack_);
return fake_stack_; return fake_stack_;
} }
return nullptr; return nullptr;
} }
void AsanThread::Init() { void AsanThread::Init() {
temp_stack_ = &stacks_[0];
next_stack_ = &stacks_[1];
previous_stack_ = &stacks_[2];
fake_stack_ = nullptr; // Will be initialized lazily if needed. fake_stack_ = nullptr; // Will be initialized lazily if needed.
CHECK_EQ(this->stack_size(), 0U); CHECK_EQ(this->stack_size(), 0U);
SetThreadStackAndTls(); SetThreadStackAndTls();
CHECK_GT(this->stack_size(), 0U); CHECK_GT(this->stack_size(), 0U);
CHECK(AddrIsInMem(stack_bottom_)); CHECK(AddrIsInMem(stack_bottom()));
CHECK(AddrIsInMem(stack_top_ - 1)); CHECK(AddrIsInMem(stack_top() - 1));
ClearShadowForThreadStackAndTLS(); ClearShadowForThreadStackAndTLS();
int local = 0; int local = 0;
VReport(1, "T%d: stack [%p,%p) size 0x%zx; local=%p\n", tid(), VReport(1, "T%d: stack [%p,%p) size 0x%zx; local=%p\n", tid(),
(void *)stack_bottom_, (void *)stack_top_, stack_top_ - stack_bottom_, (void *)stack_bottom(), (void *)stack_top(),
&local); stack_top() - stack_bottom(), &local);
} }
thread_return_t AsanThread::ThreadStart( thread_return_t AsanThread::ThreadStart(
uptr os_id, atomic_uintptr_t *signal_thread_is_registered) { uptr os_id, atomic_uintptr_t *signal_thread_is_registered) {
Init(); Init();
asanThreadRegistry().StartThread(tid(), os_id, nullptr); asanThreadRegistry().StartThread(tid(), os_id, nullptr);
if (signal_thread_is_registered) if (signal_thread_is_registered)
atomic_store(signal_thread_is_registered, 1, memory_order_release); atomic_store(signal_thread_is_registered, 1, memory_order_release);
Show All 18 Linesthread_return_t AsanThread::ThreadStart(
if (!SANITIZER_POSIX) if (!SANITIZER_POSIX)
this->Destroy(); this->Destroy();
return res; return res;
} }
void AsanThread::SetThreadStackAndTls() { void AsanThread::SetThreadStackAndTls() {
uptr tls_size = 0; uptr tls_size = 0;
GetThreadStackAndTls(tid() == 0, &stack_bottom_, &stack_size_, &tls_begin_, GetThreadStackAndTls(tid() == 0, &next_stack_->stack_bottom,
&tls_size); &next_stack_->stack_size, &tls_begin_, &tls_size);
stack_top_ = stack_bottom_ + stack_size_; next_stack_->stack_top = next_stack_->stack_bottom + next_stack_->stack_size;
previous_stack_->stack_top = previous_stack_->stack_bottom = 0;
samsonovUnsubmitted
Not Done
ReplyInline Actions

Maybe, just add a constructor for StackDescriptor that would fill everything with zeroes?

samsonov: Maybe, just add a constructor for StackDescriptor that would fill everything with zeroes?
previous_stack_->stack_size = 0;
tls_end_ = tls_begin_ + tls_size; tls_end_ = tls_begin_ + tls_size;
dtls_ = DTLS_Get(); dtls_ = DTLS_Get();
int local; int local;
CHECK(AddrIsInStack((uptr)&local)); CHECK(AddrIsInStack((uptr)&local));
} }
void AsanThread::ClearShadowForThreadStackAndTLS() { void AsanThread::ClearShadowForThreadStackAndTLS() {
PoisonShadow(stack_bottom_, stack_top_ - stack_bottom_, 0); PoisonShadow(stack_bottom(), stack_top() - stack_bottom(), 0);
if (tls_begin_ != tls_end_) if (tls_begin_ != tls_end_)
PoisonShadow(tls_begin_, tls_end_ - tls_begin_, 0); PoisonShadow(tls_begin_, tls_end_ - tls_begin_, 0);
} }
bool AsanThread::GetStackFrameAccessByAddr(uptr addr, bool AsanThread::GetStackFrameAccessByAddr(uptr addr,
StackFrameAccess *access) { StackFrameAccess *access) {
uptr bottom = 0; uptr bottom = 0;
if (AddrIsInStack(addr)) { if (AddrIsInStack(addr)) {
▲ Show 20 LinesShow All 142 LinesShow Last 20 Lines

lib/asan/asan_win.cc

Show First 20 LinesShow All 184 Lines▼ Show 20 Lines
void AsanCheckDynamicRTPrereqs() {} void AsanCheckDynamicRTPrereqs() {}
void AsanCheckIncompatibleRT() {} void AsanCheckIncompatibleRT() {}
void ReadContextStack(void *context, uptr *stack, uptr *ssize) { void ReadContextStack(void *context, uptr *stack, uptr *ssize) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
void WriteContextStack(void *context, uptr stack, uptr ssize) {
UNIMPLEMENTED();
}
void AsanOnDeadlySignal(int, void *siginfo, void *context) { void AsanOnDeadlySignal(int, void *siginfo, void *context) {
UNIMPLEMENTED(); UNIMPLEMENTED();
} }
static LPTOP_LEVEL_EXCEPTION_FILTER default_seh_handler; static LPTOP_LEVEL_EXCEPTION_FILTER default_seh_handler;
static long WINAPI SEHHandler(EXCEPTION_POINTERS *info) { static long WINAPI SEHHandler(EXCEPTION_POINTERS *info) {
EXCEPTION_RECORD *exception_record = info->ExceptionRecord; EXCEPTION_RECORD *exception_record = info->ExceptionRecord;
▲ Show 20 LinesShow All 54 LinesShow Last 20 Lines

test/asan/TestCases/Linux/swapcontext_test.cc

Show All 11 Lines
#include <ucontext.h> #include <ucontext.h>
#include <unistd.h> #include <unistd.h>
ucontext_t orig_context; ucontext_t orig_context;
ucontext_t child_context; ucontext_t child_context;
const int kStackSize = 1 << 20; const int kStackSize = 1 << 20;
volatile int force_write;
__attribute__((noinline)) __attribute__((noinline))
void Throw() { void Throw() {
char buf[1024];
for (int i = 0; i < 1024; i++) {
buf[i] = force_write;
}
throw 1; throw 1;
} }
__attribute__((noinline)) __attribute__((noinline))
void Func() {
kccUnsubmitted
Not Done
ReplyInline Actions

shouldn't we call Func from Throw() or some such?

kcc: shouldn't we call Func from Throw() or some such?
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

What these changes are trying to fix is mainly the false positive like this:

  1. An exception is thrown on custom stack.
  2. __asan_handle_no_return() is called but doesn't have correct stack information so just prints a warning and bails out, as a result stack shadow memory is not cleared
  3. Exception is handled, stack is unwind. Execution continues.
  4. Function called from exception handler or after exception was handled touches stack, but the shadow memory contains stale information (that was supposed to be cleared by __asan_handle_no_return()). Result: false positive.

So that's what I am testing here. Throw() has some data on stack, exception is thrown and handled and then another function touches the stack in places that Throw() has used before.

pdziepak: What these changes are trying to fix is mainly the false positive like this: 1. An exception is…
int buf[4 * 1024];
for (int i = 0; i < 4 * 1024; i++) {
buf[i] = force_write;
}
}
__attribute__((noinline))
void ThrowAndCatch() { void ThrowAndCatch() {
try { try {
Throw(); Throw();
} catch(int a) { } catch(int a) {
Func();
printf("ThrowAndCatch: %d\n", a); printf("ThrowAndCatch: %d\n", a);
} }
} }
void Child(int mode) { void Child(int mode) {
char x[32] = {0}; // Stack gets poisoned. char x[32] = {0}; // Stack gets poisoned.
printf("Child: %p\n", x); printf("Child: %p\n", x);
ThrowAndCatch(); // Simulate __asan_handle_no_return(). ThrowAndCatch(); // Simulate __asan_handle_no_return().
▲ Show 20 LinesShow All 53 LinesShow Last 20 Lines

test/lsan/TestCases/swapcontext.cc

// We can't unwind stack if we're running coroutines on heap-allocated
// memory. Make sure we don't report these leaks.
// RUN: %clangxx_lsan %s -o %t // RUN: %clangxx_lsan %s -o %t
// RUN: %run %t 2>&1
kccUnsubmitted
Not Done
ReplyInline Actions

don't we still want to test the case with heap memory?

kcc: don't we still want to test the case with heap memory?
samsonovUnsubmitted
Not Done
ReplyInline Actions

We definitely still want to run it. Can we predict if LSan will or won't report leak in this case?

samsonov: We definitely still want to run it. Can we predict if LSan will or won't report leak in this…
pdziepakAuthorUnsubmitted
Not Done
ReplyInline Actions

LSan will retain its original behaviour (i.e. not reporting leaks on custom stack). The solution would be to either add similar changes to LSan (or perhaps reduce code duplication between LSan and ASan) or write these testing directives so that different behaviour is expected from LSan than from ASan. I am not sure if the latter is possible.

pdziepak: LSan will retain its original behaviour (i.e. not reporting leaks on custom stack). The…
// RUN: not %run %t foo 2>&1 | FileCheck %s // RUN: not %run %t foo 2>&1 | FileCheck %s
#include <stdio.h> #include <stdio.h>
#if defined(__APPLE__) #if defined(__APPLE__)
// Note: ucontext.h is deprecated on OSX, so this test may stop working // Note: ucontext.h is deprecated on OSX, so this test may stop working
// someday. We define _XOPEN_SOURCE to keep using ucontext.h for now. // someday. We define _XOPEN_SOURCE to keep using ucontext.h for now.
#define _XOPEN_SOURCE 1 #define _XOPEN_SOURCE 1
#endif #endif
Show All 34 Lines