This is an archive of the discontinued LLVM Phabricator instance.

call __asan_load_cxx_array_cookie when loading array cookie in asan mode.
ClosedPublic

Authored by kcc on Aug 28 2014, 3:42 PM.

Download Raw Diff

Details

Reviewers

Commits

rG4a9187a81054: call __asan_load_cxx_array_cookie when loading array cookie in asan mode.
rC216702: call __asan_load_cxx_array_cookie when loading array cookie in asan mode.
rL216702: call __asan_load_cxx_array_cookie when loading array cookie in asan mode.

Summary

The current implementation of asan cookie is incorrect:
we add nosanitize metadata to the cookie load, but the metadata may be lost
and we will instrument the load from poisoned memory.
This change replaces the load with a call to __asan_load_cxx_array_cookie (r216692)

Diff Detail

Event Timeline

kcc updated this revision to Diff 13060.Aug 28 2014, 3:42 PM

kcc retitled this revision from to call __asan_load_cxx_array_cookie when loading array cookie in asan mode..

kcc updated this object.

kcc edited the test plan for this revision. (Show Details)

kcc added a reviewer: rsmith.

kcc added a subscriber: Unknown Object (MLST).

rsmith added inline comments.Aug 28 2014, 5:31 PM

lib/CodeGen/ItaniumCXXABI.cpp
1513–1514	Please extend this comment to point out why we need to do this.
1516	I don't think we can support address spaces other than 0 like this (the ASan runtime function will only accept address space 0 pointers). How does ASan deal with non-zero address spaces?

Extend the comment and check that address space is 0 (otherwise asan doesn't want to handle the pointer)

PTAL

LGTM

This revision is now accepted and ready to land.Aug 28 2014, 6:05 PM

kcc closed this revision.Aug 28 2014, 6:10 PM

rsundahl mentioned this in D125195: [asan][ARMCXXABI] Added missing asan poison array cookie hooks..May 9 2022, 1:25 PM

Revision Contents

Path

Size

lib/

CodeGen/

ItaniumCXXABI.cpp

19 lines

test/

CodeGen/

address-sanitizer-and-array-cookie.cpp

3 lines

Diff 13067

lib/CodeGen/ItaniumCXXABI.cpp

Show First 20 Lines • Show All 1,470 Lines • ▼ Show 20 Lines	if (!CookieOffset.isZero())
CookiePtr = CGF.Builder.CreateConstInBoundsGEP1_64(CookiePtr,		CookiePtr = CGF.Builder.CreateConstInBoundsGEP1_64(CookiePtr,
CookieOffset.getQuantity());		CookieOffset.getQuantity());

// Write the number of elements into the appropriate slot.		// Write the number of elements into the appropriate slot.
llvm::Type *NumElementsTy = CGF.ConvertType(SizeTy)->getPointerTo(AS);		llvm::Type *NumElementsTy = CGF.ConvertType(SizeTy)->getPointerTo(AS);
llvm::Value *NumElementsPtr =		llvm::Value *NumElementsPtr =
CGF.Builder.CreateBitCast(CookiePtr, NumElementsTy);		CGF.Builder.CreateBitCast(CookiePtr, NumElementsTy);
llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);		llvm::Instruction *SI = CGF.Builder.CreateStore(NumElements, NumElementsPtr);
if (CGM.getLangOpts().Sanitize.Address &&		if (CGM.getLangOpts().Sanitize.Address && AS == 0 &&
expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {		expr->getOperatorNew()->isReplaceableGlobalAllocationFunction()) {
		// The store to the CookiePtr does not need to be instrumented.
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);		CGM.getSanitizerMetadata()->disableSanitizerForInstruction(SI);
llvm::FunctionType *FTy =		llvm::FunctionType *FTy =
llvm::FunctionType::get(CGM.VoidTy, NumElementsTy, false);		llvm::FunctionType::get(CGM.VoidTy, NumElementsTy, false);
llvm::Constant *F =		llvm::Constant *F =
CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");		CGM.CreateRuntimeFunction(FTy, "__asan_poison_cxx_array_cookie");
CGF.Builder.CreateCall(F, NumElementsPtr);		CGF.Builder.CreateCall(F, NumElementsPtr);
}		}

Show All 13 Lines	llvm::Value *ItaniumCXXABI::readArrayCookieImpl(CodeGenFunction &CGF,
if (!numElementsOffset.isZero())		if (!numElementsOffset.isZero())
numElementsPtr =		numElementsPtr =
CGF.Builder.CreateConstInBoundsGEP1_64(numElementsPtr,		CGF.Builder.CreateConstInBoundsGEP1_64(numElementsPtr,
numElementsOffset.getQuantity());		numElementsOffset.getQuantity());

unsigned AS = allocPtr->getType()->getPointerAddressSpace();		unsigned AS = allocPtr->getType()->getPointerAddressSpace();
numElementsPtr =		numElementsPtr =
CGF.Builder.CreateBitCast(numElementsPtr, CGF.SizeTy->getPointerTo(AS));		CGF.Builder.CreateBitCast(numElementsPtr, CGF.SizeTy->getPointerTo(AS));
llvm::Instruction *LI = CGF.Builder.CreateLoad(numElementsPtr);		if (!CGM.getLangOpts().Sanitize.Address \|\| AS != 0)
if (CGM.getLangOpts().Sanitize.Address)		return CGF.Builder.CreateLoad(numElementsPtr);
CGM.getSanitizerMetadata()->disableSanitizerForInstruction(LI);		// In asan mode emit a function call instead of a regular load and let the
return LI;		// run-time deal with it: if the shadow is properly poisoned return the
		rsmithUnsubmitted Not Done Reply Inline Actions Please extend this comment to point out why we need to do this. rsmith: Please extend this comment to point out why we need to do this.
		// cookie, otherwise return 0 to avoid an infinite loop calling DTORs.
		// We can't simply ignore this load using nosanitize metadata because
		rsmithUnsubmitted Not Done Reply Inline Actions I don't think we can support address spaces other than 0 like this (the ASan runtime function will only accept address space 0 pointers). How does ASan deal with non-zero address spaces? rsmith: I don't think we can support address spaces other than 0 like this (the ASan runtime function…
		// the metadata may be lost.
		llvm::FunctionType *FTy =
		llvm::FunctionType::get(CGF.SizeTy, CGF.SizeTy->getPointerTo(0), false);
		llvm::Constant *F =
		CGM.CreateRuntimeFunction(FTy, "__asan_load_cxx_array_cookie");
		return CGF.Builder.CreateCall(F, numElementsPtr);
}		}

CharUnits ARMCXXABI::getArrayCookieSizeImpl(QualType elementType) {		CharUnits ARMCXXABI::getArrayCookieSizeImpl(QualType elementType) {
// ARM says that the cookie is always:		// ARM says that the cookie is always:
// struct array_cookie {		// struct array_cookie {
// std::size_t element_size; // element_size != 0		// std::size_t element_size; // element_size != 0
// std::size_t element_count;		// std::size_t element_count;
// };		// };
▲ Show 20 Lines • Show All 1,480 Lines • Show Last 20 Lines

test/CodeGen/address-sanitizer-and-array-cookie.cpp

	Show All 37 Lines

	void CallDelete(C *c) {			void CallDelete(C *c) {
	delete [] c;			delete [] c;
	}			}

	// PLAIN-LABEL: CallDelete			// PLAIN-LABEL: CallDelete
	// PLAIN-NOT: nosanitize			// PLAIN-NOT: nosanitize
	// ASAN-LABEL: CallDelete			// ASAN-LABEL: CallDelete
	// ASAN: load{{.*}}!nosanitize			// ASAN-NOT: nosanitize
				// ASAN: call i64 @__asan_load_cxx_array_cookie
	// ASAN-NOT: nosanitize			// ASAN-NOT: nosanitize

	char Buffer[20];			char Buffer[20];
	C *CallPlacementNew() {			C *CallPlacementNew() {
	return new (Buffer) C[20];			return new (Buffer) C[20];
	}			}
	// ASAN-LABEL: CallPlacementNew			// ASAN-LABEL: CallPlacementNew
	// ASAN-NOT: __asan_poison_cxx_array_cookie			// ASAN-NOT: __asan_poison_cxx_array_cookie