This is an archive of the discontinued LLVM Phabricator instance.

Differential D105261

[scudo] Untag BlockEnd in reallocate
ClosedPublic

Authored by vitalybuka on Jun 30 2021, 8:33 PM.

Details

Reviewers
pcc
Commits
rGfe30963600ea: [scudo] Untag BlockEnd in reallocate
Summary

If we get here from reallocate, BlockEnd is tagged. Then we
will storeTag(UntaggedEnd) into the header of the next chunk.

Luckily header tag is 0 so unpatched code still works.

Diff Detail

Event Timeline

vitalybuka requested review of this revision.Jun 30 2021, 8:33 PM
vitalybuka created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJun 30 2021, 8:33 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka edited the summary of this revision. (Show Details)Jun 30 2021, 8:39 PM
Harbormaster completed remote builds in B111903: Diff 355760.Jun 30 2021, 9:11 PM
vitalybuka edited the summary of this revision. (Show Details)Jul 1 2021, 11:58 AM
pcc added a comment.Jul 1 2021, 12:04 PM

Can we untag BlockEnd in reallocate instead?

vitalybuka added a comment.Jul 1 2021, 12:08 PM
In D105261#2853702, @pcc wrote:

Can we untag BlockEnd in reallocate instead?

Yes, but it looks a little bit inconsistent when untag End here

vitalybuka added a comment.Jul 1 2021, 12:10 PM
In D105261#2853736, @vitalybuka wrote:
In D105261#2853702, @pcc wrote:

Can we untag BlockEnd in reallocate instead?

Yes, but it looks a little bit inconsistent when untag End here

I can change to make both arguments of storeEndMarker must be untagged

pcc added a comment.Jul 1 2021, 12:15 PM
In D105261#2853749, @vitalybuka wrote:
In D105261#2853736, @vitalybuka wrote:
In D105261#2853702, @pcc wrote:

Can we untag BlockEnd in reallocate instead?

Yes, but it looks a little bit inconsistent when untag End here

That's because they are different pointers. End refers to chunks (tagged) and BlockEnd refers to blocks (untagged).

I can change to make both arguments of storeEndMarker must be untagged

That's not going to work, we may need to store the original tag in this function.

vitalybuka added a comment.Jul 1 2021, 12:22 PM
In D105261#2853767, @pcc wrote:
In D105261#2853749, @vitalybuka wrote:
In D105261#2853736, @vitalybuka wrote:
In D105261#2853702, @pcc wrote:

Can we untag BlockEnd in reallocate instead?

Yes, but it looks a little bit inconsistent when untag End here

That's because they are different pointers. End refers to chunks (tagged) and BlockEnd refers to blocks (untagged).

Sure, if it does not bother you, I'll update this way.

I can change to make both arguments of storeEndMarker must be untagged

That's not going to work, we may need to store the original tag in this function.

Oh, I see.

vitalybuka updated this revision to Diff 355975.Jul 1 2021, 12:29 PM

untag in reallocate

vitalybuka retitled this revision from [scudo] Untag BlockEnd in storeEndMarker to [scudo] Untag BlockEnd in reallocate.Jul 1 2021, 12:29 PM
pcc added inline comments.Jul 1 2021, 12:36 PM
compiler-rt/lib/scudo/standalone/combined.h
1156–1157

No need to rename, we don't have both kinds of pointers in this function so no need for a long name to distinguish. The DCHECK you added below is documentation enough.

vitalybuka updated this revision to Diff 355985.Jul 1 2021, 12:51 PM
vitalybuka marked an inline comment as done.

no rename

pcc accepted this revision.Jul 1 2021, 12:55 PM

LGTM

This revision is now accepted and ready to land.Jul 1 2021, 12:55 PM
This revision was landed with ongoing or failed builds.Jul 1 2021, 1:03 PM
Closed by commit rGfe30963600ea: [scudo] Untag BlockEnd in reallocate (authored by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rGfe30963600ea: [scudo] Untag BlockEnd in reallocate.
Harbormaster completed remote builds in B112065: Diff 355985.Jul 1 2021, 1:54 PM
pcc mentioned this in D114022: [scudo] Fix MTE crash in storeEndMarker..Nov 16 2021, 12:35 PM
eugenis mentioned this in rG913d78c40c37: [scudo] Regression test for the MTE crash in storeEndMarker..Nov 16 2021, 1:43 PM

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
3 lines

Diff 355994

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 633 Lines▼ Show 20 Lines if (reinterpret_cast<uptr>(OldTaggedPtr) + NewSize <= BlockEnd) {
: BlockEnd - : BlockEnd -
(reinterpret_cast<uptr>(OldTaggedPtr) + NewSize)) & (reinterpret_cast<uptr>(OldTaggedPtr) + NewSize)) &
Chunk::SizeOrUnusedBytesMask; Chunk::SizeOrUnusedBytesMask;
Chunk::compareExchangeHeader(Cookie, OldPtr, &NewHeader, &OldHeader); Chunk::compareExchangeHeader(Cookie, OldPtr, &NewHeader, &OldHeader);
if (UNLIKELY(useMemoryTagging<Params>(Options))) { if (UNLIKELY(useMemoryTagging<Params>(Options))) {
if (ClassId) { if (ClassId) {
resizeTaggedChunk(reinterpret_cast<uptr>(OldTaggedPtr) + OldSize, resizeTaggedChunk(reinterpret_cast<uptr>(OldTaggedPtr) + OldSize,
reinterpret_cast<uptr>(OldTaggedPtr) + NewSize, reinterpret_cast<uptr>(OldTaggedPtr) + NewSize,
NewSize, BlockEnd); NewSize, untagPointer(BlockEnd));
storePrimaryAllocationStackMaybe(Options, OldPtr); storePrimaryAllocationStackMaybe(Options, OldPtr);
} else { } else {
storeSecondaryAllocationStackMaybe(Options, OldPtr, NewSize); storeSecondaryAllocationStackMaybe(Options, OldPtr, NewSize);
} }
} }
return OldTaggedPtr; return OldTaggedPtr;
} }
} }
▲ Show 20 LinesShow All 497 Lines▼ Show 20 Lines#endif
// block and our block is at the end of a mapping. The tag of the next block's // block and our block is at the end of a mapping. The tag of the next block's
// header granule will be set to 0, so it will serve the purpose of catching // header granule will be set to 0, so it will serve the purpose of catching
// linear overflows in this case. // linear overflows in this case.
// //
// For allocations of size 0 we do not end up storing the address tag to the // For allocations of size 0 we do not end up storing the address tag to the
// memory tag space, which getInlineErrorInfo() normally relies on to match // memory tag space, which getInlineErrorInfo() normally relies on to match
// address tags against chunks. To allow matching in this case we store the // address tags against chunks. To allow matching in this case we store the
// address tag in the first byte of the chunk. // address tag in the first byte of the chunk.
void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) { void storeEndMarker(uptr End, uptr Size, uptr BlockEnd) {
DCHECK_EQ(BlockEnd, untagPointer(BlockEnd));
pccUnsubmitted
Done
ReplyInline Actions

No need to rename, we don't have both kinds of pointers in this function so no need for a long name to distinguish. The DCHECK you added below is documentation enough.

pcc: No need to rename, we don't have both kinds of pointers in this function so no need for a long…
uptr UntaggedEnd = untagPointer(End); uptr UntaggedEnd = untagPointer(End);
if (UntaggedEnd != BlockEnd) { if (UntaggedEnd != BlockEnd) {
storeTag(UntaggedEnd); storeTag(UntaggedEnd);
if (Size == 0) if (Size == 0)
*reinterpret_cast<u8 *>(UntaggedEnd) = extractTag(End); *reinterpret_cast<u8 *>(UntaggedEnd) = extractTag(End);
} }
} }
▲ Show 20 LinesShow All 265 LinesShow Last 20 Lines