This is an archive of the discontinued LLVM Phabricator instance.

Differential D19495

[sanitizers] read/write page fault detection on mac.
ClosedPublic

Authored by aizatsky on Apr 25 2016, 1:55 PM.

Details

Reviewers
ochang
eugenis
Commits
rGf2bee298a069: [sanitizers] read/write page fault detection on mac.
rCRT267477: [sanitizers] read/write page fault detection on mac.
rL267477: [sanitizers] read/write page fault detection on mac.

Diff Detail

Repository
rL LLVM

Event Timeline

aizatsky updated this revision to Diff 54899.Apr 25 2016, 1:55 PM
aizatsky retitled this revision from to [sanitizers] read/write page fault detection on mac..
aizatsky updated this object.
Herald added a subscriber: kubamracek. · View Herald TranscriptApr 25 2016, 1:55 PM
aizatsky added reviewers: eugenis, ochang.Apr 25 2016, 2:07 PM
aizatsky added a subscriber: llvm-commits.
aizatsky updated this revision to Diff 54906.Apr 25 2016, 2:13 PM

nit

eugenis accepted this revision.Apr 25 2016, 2:36 PM
eugenis edited edge metadata.

LGTM

This revision is now accepted and ready to land.Apr 25 2016, 2:36 PM
Closed by commit rL267477: [sanitizers] read/write page fault detection on mac. (authored by aizatsky). · Explain WhyApr 25 2016, 2:50 PM
This revision was automatically updated to reflect the committed changes.
vsk added a subscriber: vsk.Apr 25 2016, 7:21 PM

Hi Mike, some of our internal bots are having an issue with this commit:

error: no member named '__err' in '__darwin_arm_exception_state'
  return ucontext->uc_mcontext->__es.__err & 2 /*T_PF_WRITE*/ ? WRITE : READ;

I'd really appreciate it if you could shed some light on this. I see two definitions of this structure in the OS, and neither contain '__err'. Can you share which OS you built this code against?

aizatsky added a subscriber: aizatsky.Apr 25 2016, 10:51 PM

Vedant,

I believe it is 10.11 on Intel. This could be CPU difference. I'll try to
add appropriate ifdefs tomorrow.

mehdi_amini added a subscriber: mehdi_amini.Apr 26 2016, 12:03 AM

I'll revert in the meantime. Feel free to reapply with the fix.

For reference from what I see here: http://opensource.apple.com//source/cctools/cctools-836/include/mach/arm/_structs.h this was hitting:

#define _STRUCT_ARM_EXCEPTION_STATE	struct __darwin_arm_exception_state
_STRUCT_ARM_EXCEPTION_STATE
{
	__uint32_t	__exception; /* number of arm exception taken */
	__uint32_t	__fsr; /* Fault status */
	__uint32_t	__far; /* Virtual Fault Address */
};
aizatsky added a comment.Apr 26 2016, 11:17 AM

Is there a kernel source as well for mac on aarch64? I'm trying to determine if illegal write or read has happened. Would be bad to leave aarch out of the implementation.

vsk added a comment.Apr 26 2016, 11:41 AM

Do the xnu sources here help? The latest publicly-available one appears to be xnu-3248.20.55 (http://opensource.apple.com/source/xnu/).

aizatsky added a comment.Apr 26 2016, 2:59 PM

New review with feature enabled only on intel: http://reviews.llvm.org/D19561

I can't find aarch64 support in published xnu sources.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
sanitizer_common/
3 lines
test/
asan/
TestCases/
Linux/
26 lines
Posix/
26 lines

Diff 54913

compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc

Show First 20 LinesShow All 494 Lines▼ Show 20 Lines#endif
BlockingMutexLock l(&syslog_lock); BlockingMutexLock l(&syslog_lock);
if (common_flags()->log_to_syslog) if (common_flags()->log_to_syslog)
WriteToSyslog(buffer); WriteToSyslog(buffer);
// The report is added to CrashLog as part of logging all of Printf output. // The report is added to CrashLog as part of logging all of Printf output.
} }
SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) { SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) {
return UNKNOWN; // FIXME: implement this. ucontext_t *ucontext = static_cast<ucontext_t*>(context);
return ucontext->uc_mcontext->__es.__err & 2 /*T_PF_WRITE*/ ? WRITE : READ;
} }
void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp) { void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp) {
ucontext_t *ucontext = (ucontext_t*)context; ucontext_t *ucontext = (ucontext_t*)context;
# if defined(__aarch64__) # if defined(__aarch64__)
*pc = ucontext->uc_mcontext->__ss.__pc; *pc = ucontext->uc_mcontext->__ss.__pc;
# if defined(__IPHONE_8_0) && __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_8_0 # if defined(__IPHONE_8_0) && __IPHONE_OS_VERSION_MAX_ALLOWED >= __IPHONE_8_0
*bp = ucontext->uc_mcontext->__ss.__fp; *bp = ucontext->uc_mcontext->__ss.__fp;
▲ Show 20 LinesShow All 213 LinesShow Last 20 Lines

compiler-rt/trunk/test/asan/TestCases/Linux/segv_read_write.c

// RUN: %clangxx_asan -std=c++11 -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: not %run %t write 2>&1 | FileCheck %s --check-prefix=WRITE
// UNSUPPORTED: powerpc64,mips
#include <sys/mman.h>
static volatile int sink;
__attribute__((noinline)) void Read(int *ptr) { sink = *ptr; }
__attribute__((noinline)) void Write(int *ptr) { *ptr = 0; }
int main(int argc, char **argv) {
// Writes to shadow are detected as reads from shadow gap (because of how the
// shadow mapping works). This is kinda hard to fix. Test a random address in
// the application part of the address space.
void *volatile p =
mmap(nullptr, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
munmap(p, 4096);
if (argc == 1)
Read((int *)p);
else
Write((int *)p);
}
// READ: AddressSanitizer: SEGV on unknown address
// READ: The signal is caused by a READ memory access.
// WRITE: AddressSanitizer: SEGV on unknown address
// WRITE: The signal is caused by a WRITE memory access.

compiler-rt/trunk/test/asan/TestCases/Posix/segv_read_write.c

// RUN: %clangxx_asan -std=c++11 -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: not %run %t write 2>&1 | FileCheck %s --check-prefix=WRITE
// UNSUPPORTED: powerpc64,mips
#include <sys/mman.h>
static volatile int sink;
__attribute__((noinline)) void Read(int *ptr) { sink = *ptr; }
__attribute__((noinline)) void Write(int *ptr) { *ptr = 0; }
int main(int argc, char **argv) {
// Writes to shadow are detected as reads from shadow gap (because of how the
// shadow mapping works). This is kinda hard to fix. Test a random address in
// the application part of the address space.
void *volatile p =
mmap(nullptr, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
munmap(p, 4096);
if (argc == 1)
Read((int *)p);
else
Write((int *)p);
}
// READ: AddressSanitizer: SEGV on unknown address
// READ: The signal is caused by a READ memory access.
// WRITE: AddressSanitizer: SEGV on unknown address
// WRITE: The signal is caused by a WRITE memory access.
compiler-rt/trunk/lib/sanitizer_common/sanitizer_mac.cc