This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
compiler-rt/lib/fuzzer/
-
lib/
-
fuzzer/
6/6
FuzzerUtilFuchsia.cpp

Differential D69579

[libFuzzer] Fix unwinding for Fuchsia
ClosedPublic

Authored by charco on Oct 29 2019, 12:05 PM.

Download Raw Diff

Details

Reviewers

mcgrathr
jakehehrlich
phosek
kcc
aarongreen

Commits

rG46c7fc22cfb1: [libFuzzer] Fix unwinding for Fuchsia

Summary

This commit fixes part of the issues with stack unwinding in fuchsia for
arm64 and x86_64. It consists of multiple fixes:

(1) The cfa_offset calculation was wrong, instead of pointing to the
previous stack pointer, it was pointing to the correct one. It worked in
most of the cases because the crashing functions already had a
prologue and had their cfa information relative to another register. The
fix consists on adding a constant that can be used to calculate the
crashing function's stack pointer, and base all the cfi information
relative to that offset.

(2) (arm64) Due to errors with the syntax for the dwarf information, most
of the OP_NUM macros were not working. The problem was that they were
referred to as r##NUM (like r14), when it should have been x##num
(like x14), or even without the x.

(3) (arm64) The link register was being considered a part of the main
registers (r30), when in the real struct it has its own field. Given
that the link register is in the same spot in the struct as r[30] would be,
and that C++ doesn't care about anything, the calculation was still correct.

(4) (x86_64) The stack doesn't need to be aligned to 16 bytes when we
jump to the trampoline function, but it needs to be before performing
call instructions. Encoding that logic in cfi information was tricky, so
we decided to make the cfa information relative to rbp and align rsp.
Note that this could have been done using another register directly,
but it seems cleaner to make a new fake stack frame.

There are some other minor changes like adding a brk 1 instruction in
arm64 to make sure that we never return to the crash trampoline (similar to
what we do in x86_64).

Sadly this commit does not fix unwinding for all use cases for arm64.
Crashing functions that do not add information related to the return column in
their cfi information will fail to unwind due to a bug in libunwinder.

Diff Detail

Repository: rG LLVM Github Monorepo

Event Timeline

charco created this revision.Oct 29 2019, 12:05 PM

Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptOct 29 2019, 12:05 PM

Herald added subscribers: llvm-commits, Restricted Project, kristof.beyls, aprantl. · View Herald Transcript

Harbormaster completed remote builds in B40215: Diff 226950.Oct 29 2019, 12:09 PM

phosek added inline comments.Nov 5 2019, 11:09 AM

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp
89	s/cfa_offset/CFAOffset/ to follow LLVM naming conventions.
91	Nit: s/arm64/aarch64/ for consistency.
147	Can you leave this here as well?
194	Nit: be consistent about the case for CFI and CFA in comments.

Make code consistent with llvm code style.

Harbormaster completed remote builds in B40550: Diff 227975.Nov 5 2019, 3:33 PM

Thanks for the comments, Petr!

LGTM

This revision is now accepted and ready to land.Nov 7 2019, 11:39 PM

@phosek would you land this change? I don't have land access

Just a small note on the writeup in the comments.

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp
80	Nit: sign error, SP + offset = SP_prev

Update comments & commit message.

Thanks for the comments!

@phosek can you land this change?

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp
80	Thanks for catching this!

Harbormaster completed remote builds in B41214: Diff 230181.Nov 19 2019, 6:05 PM

Closed by commit rG46c7fc22cfb1: [libFuzzer] Fix unwinding for Fuchsia (authored by charco). · Explain WhyNov 21 2019, 3:52 PM

This revision was automatically updated to reflect the committed changes.

Revision Contents

Path

Size

compiler-rt/

lib/

fuzzer/

FuzzerUtilFuchsia.cpp

64 lines

Diff 230555

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp

Show First 20 Lines • Show All 70 Lines • ▼ Show 20 Lines	void InterruptHandler() {
do {		do {
FD_ZERO(&readfds);		FD_ZERO(&readfds);
FD_SET(STDIN_FILENO, &readfds);		FD_SET(STDIN_FILENO, &readfds);
select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr);		select(STDIN_FILENO + 1, &readfds, nullptr, nullptr, nullptr);
} while(!FD_ISSET(STDIN_FILENO, &readfds) \|\| getchar() != 0x03);		} while(!FD_ISSET(STDIN_FILENO, &readfds) \|\| getchar() != 0x03);
Fuzzer::StaticInterruptCallback();		Fuzzer::StaticInterruptCallback();
}		}

		// CFAOffset is used to reference the stack pointer before entering the
		// trampoline (Stack Pointer + CFAOffset = prev Stack Pointer). Before jumping
		eepUnsubmitted Done Reply Inline Actions Nit: sign error, SP + offset = SP_prev eep: Nit: sign error, SP + offset = SP_prev
		charcoAuthorUnsubmitted Done Reply Inline Actions Thanks for catching this! charco: Thanks for catching this!
		// to the trampoline we copy all the registers onto the stack. We need to make
		// sure that the new stack has enough space to store all the registers.
		//
		// The trampoline holds CFI information regarding the registers stored in the
		// stack, which is then used by the unwinder to restore them.
		#if defined(__x86_64__)
		// In x86_64 the crashing function might also be using the red zone (128 bytes
		// on top of their rsp).
		constexpr size_t CFAOffset = 128 + sizeof(zx_thread_state_general_regs_t);
		phosekUnsubmitted Done Reply Inline Actions s/cfa_offset/CFAOffset/ to follow LLVM naming conventions. phosek: s/cfa_offset/CFAOffset/ to follow LLVM naming conventions.
		#elif defined(__aarch64__)
		// In aarch64 we need to always have the stack pointer aligned to 16 bytes, so we
		phosekUnsubmitted Done Reply Inline Actions Nit: s/arm64/aarch64/ for consistency. phosek: Nit: s/arm64/aarch64/ for consistency.
		// make sure that we are keeping that same alignment.
		constexpr size_t CFAOffset = (sizeof(zx_thread_state_general_regs_t) + 15) & -(uintptr_t)16;
		#endif

// For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback		// For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
// without POSIX signal handlers. To achieve this, we use an assembly function		// without POSIX signal handlers. To achieve this, we use an assembly function
// to add the necessary CFI unwinding information and a C function to bridge		// to add the necessary CFI unwinding information and a C function to bridge
// from that back into C++.		// from that back into C++.

// FIXME: This works as a short-term solution, but this code really shouldn't be		// FIXME: This works as a short-term solution, but this code really shouldn't be
// architecture dependent. A better long term solution is to implement remote		// architecture dependent. A better long term solution is to implement remote
// unwinding and expose the necessary APIs through sanitizer_common and/or ASAN		// unwinding and expose the necessary APIs through sanitizer_common and/or ASAN
▲ Show 20 Lines • Show All 48 Lines • ▼ Show 20 Lines	#define FOREACH_REGISTER(OP_REG, OP_NUM) \
OP_NUM(22) \		OP_NUM(22) \
OP_NUM(23) \		OP_NUM(23) \
OP_NUM(24) \		OP_NUM(24) \
OP_NUM(25) \		OP_NUM(25) \
OP_NUM(26) \		OP_NUM(26) \
OP_NUM(27) \		OP_NUM(27) \
OP_NUM(28) \		OP_NUM(28) \
OP_NUM(29) \		OP_NUM(29) \
OP_NUM(30) \
OP_REG(sp)		OP_REG(sp)

#else		#else
#error "Unsupported architecture for fuzzing on Fuchsia"		#error "Unsupported architecture for fuzzing on Fuchsia"
phosekUnsubmitted Done Reply Inline Actions Can you leave this here as well? phosek: Can you leave this here as well?
#endif		#endif

// Produces a CFI directive for the named or numbered register.		// Produces a CFI directive for the named or numbered register.
		// The value used refers to an assembler immediate operand with the same name
		// as the register (see ASM_OPERAND_REG).
#define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"		#define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
#define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(r##num)		#define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num)

// Produces an assembler input operand for the named or numbered register.		// Produces an assembler immediate operand for the named or numbered register.
		// This operand contains the offset of the register relative to the CFA.
#define ASM_OPERAND_REG(reg) \		#define ASM_OPERAND_REG(reg) \
[reg] "i"(offsetof(zx_thread_state_general_regs_t, reg)),		[reg] "i"(offsetof(zx_thread_state_general_regs_t, reg) - CFAOffset),
#define ASM_OPERAND_NUM(num) \		#define ASM_OPERAND_NUM(num) \
[r##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num])),		[x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num]) - CFAOffset),

// Trampoline to bridge from the assembly below to the static C++ crash		// Trampoline to bridge from the assembly below to the static C++ crash
// callback.		// callback.
__attribute__((noreturn))		__attribute__((noreturn))
static void StaticCrashHandler() {		static void StaticCrashHandler() {
Fuzzer::StaticCrashSignalCallback();		Fuzzer::StaticCrashSignalCallback();
for (;;) {		for (;;) {
_Exit(1);		_Exit(1);
}		}
}		}

// Creates the trampoline with the necessary CFI information to unwind through		// Creates the trampoline with the necessary CFI information to unwind through
// to the crashing call stack. The attribute is necessary because the function		// to the crashing call stack:
		// * Defining the CFA so that it points to the stack pointer at the point
		// of crash.
		// * Storing all registers at the point of crash in the stack and refer to them
		// via CFI information (relative to the CFA).
		phosekUnsubmitted Done Reply Inline Actions Nit: be consistent about the case for CFI and CFA in comments. phosek: Nit: be consistent about the case for CFI and CFA in comments.
		// * Setting the return column so the unwinder knows how to continue unwinding.
		// * (x86_64) making sure rsp is aligned before calling StaticCrashHandler.
		// * Calling StaticCrashHandler that will trigger the unwinder.
		//
		// The __attribute__((used)) is necessary because the function
// is never called; it's just a container around the assembly to allow it to		// is never called; it's just a container around the assembly to allow it to
// use operands for compile-time computed constants.		// use operands for compile-time computed constants.
__attribute__((used))		__attribute__((used))
void MakeTrampoline() {		void MakeTrampoline() {
__asm__(".cfi_endproc\n"		__asm__(".cfi_endproc\n"
".pushsection .text.CrashTrampolineAsm\n"		".pushsection .text.CrashTrampolineAsm\n"
".type CrashTrampolineAsm,STT_FUNC\n"		".type CrashTrampolineAsm,STT_FUNC\n"
"CrashTrampolineAsm:\n"		"CrashTrampolineAsm:\n"
".cfi_startproc simple\n"		".cfi_startproc simple\n"
".cfi_signal_frame\n"		".cfi_signal_frame\n"
#if defined(__x86_64__)		#if defined(__x86_64__)
".cfi_return_column rip\n"		".cfi_return_column rip\n"
".cfi_def_cfa rsp, 0\n"		".cfi_def_cfa rsp, %c[CFAOffset]\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)		FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
		"mov %%rsp, %%rbp\n"
		".cfi_def_cfa_register rbp\n"
		"andq $-16, %%rsp\n"
"call %c[StaticCrashHandler]\n"		"call %c[StaticCrashHandler]\n"
"ud2\n"		"ud2\n"
#elif defined(__aarch64__)		#elif defined(__aarch64__)
".cfi_return_column 33\n"		".cfi_return_column 33\n"
".cfi_def_cfa sp, 0\n"		".cfi_def_cfa sp, %c[CFAOffset]\n"
".cfi_offset 33, %c[pc]\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)		FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
"bl %[StaticCrashHandler]\n"		".cfi_offset 33, %c[pc]\n"
		".cfi_offset 30, %c[lr]\n"
		"bl %c[StaticCrashHandler]\n"
		"brk 1\n"
#else		#else
#error "Unsupported architecture for fuzzing on Fuchsia"		#error "Unsupported architecture for fuzzing on Fuchsia"
#endif		#endif
".cfi_endproc\n"		".cfi_endproc\n"
".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"		".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
".popsection\n"		".popsection\n"
".cfi_startproc\n"		".cfi_startproc\n"
: // No outputs		: // No outputs
: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)		: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
#if defined(__aarch64__)		#if defined(__aarch64__)
ASM_OPERAND_REG(pc)		ASM_OPERAND_REG(pc)
		ASM_OPERAND_REG(lr)
#endif		#endif
[StaticCrashHandler] "i" (StaticCrashHandler));		[StaticCrashHandler] "i" (StaticCrashHandler),
		[CFAOffset] "i" (CFAOffset));
}		}

void CrashHandler(zx_handle_t *Event) {		void CrashHandler(zx_handle_t *Event) {
// This structure is used to ensure we close handles to objects we create in		// This structure is used to ensure we close handles to objects we create in
// this handler.		// this handler.
struct ScopedHandle {		struct ScopedHandle {
~ScopedHandle() { _zx_handle_close(Handle); }		~ScopedHandle() { _zx_handle_close(Handle); }
zx_handle_t Handle = ZX_HANDLE_INVALID;		zx_handle_t Handle = ZX_HANDLE_INVALID;
▲ Show 20 Lines • Show All 49 Lines • ▼ Show 20 Lines	ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters,		&GeneralRegisters,
sizeof(GeneralRegisters)),		sizeof(GeneralRegisters)),
"_zx_thread_read_state");		"_zx_thread_read_state");

// To unwind properly, we need to push the crashing thread's register state		// To unwind properly, we need to push the crashing thread's register state
// onto the stack and jump into a trampoline with CFI instructions on how		// onto the stack and jump into a trampoline with CFI instructions on how
// to restore it.		// to restore it.
#if defined(__x86_64__)		#if defined(__x86_64__)
uintptr_t StackPtr =		uintptr_t StackPtr = GeneralRegisters.rsp - CFAOffset;
(GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) &
-(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,		__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters));		sizeof(GeneralRegisters));
GeneralRegisters.rsp = StackPtr;		GeneralRegisters.rsp = StackPtr;
GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);		GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);

#elif defined(__aarch64__)		#elif defined(__aarch64__)
uintptr_t StackPtr =		uintptr_t StackPtr = GeneralRegisters.sp - CFAOffset;
(GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,		__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters));		sizeof(GeneralRegisters));
GeneralRegisters.sp = StackPtr;		GeneralRegisters.sp = StackPtr;
GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);		GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);

#else		#else
#error "Unsupported architecture for fuzzing on Fuchsia"		#error "Unsupported architecture for fuzzing on Fuchsia"
#endif		#endif
▲ Show 20 Lines • Show All 212 Lines • Show Last 20 Lines