This is an archive of the discontinued LLVM Phabricator instance.

Differential D106725

[libFuzzer] Fix CFI Directives for fuchsia
ClosedPublic

Authored by charco on Jul 23 2021, 4:36 PM.

Details

Reviewers
mcgrathr
phosek
Commits
rGa9c515983dc2: [libFuzzer] Fix CFI Directives for fuchsia
Summary

This commit fixes the CFI directives in the crash trampoline so
libunwind can get a backtrace during a crash.

In order to get a backtrace from a libfuzzer crash in fuchsia, we
resume execution in the crashed thread, forcing it to call the
StaticCrashHandler. We do this by setting a "crash trampoline" that has
all the necessary cfi directives for an unwinder to get full backtrace
for that thread.

Due to a bug in libunwind, it was not possible to restore the RSP
pointer, as it was always set to the call frame address (CFA). The
previous version worked around this issue by setting the CFA to the
value of the stack pointer at the point of the crash.

The bug in libunwind is now fixed[0], so I am correcting the CFI
annotations so that the CFA correctly points to the beginning of the
trampoline's call frame.

[0]: https://reviews.llvm.org/D106626

Diff Detail

Event Timeline

charco requested review of this revision.Jul 23 2021, 4:36 PM
charco created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptJul 23 2021, 4:36 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
charco updated this revision to Diff 361382.Jul 23 2021, 4:41 PM

correct clang-format as it has no idea what it's doing.

Harbormaster completed remote builds in B115975: Diff 361382.Jul 23 2021, 5:12 PM
mcgrathr accepted this revision.Jul 27 2021, 4:38 PM

lgtm

This revision is now accepted and ready to land.Jul 27 2021, 4:38 PM
This revision was landed with ongoing or failed builds.Jul 28 2021, 5:59 PM
Closed by commit rGa9c515983dc2: [libFuzzer] Fix CFI Directives for fuchsia (authored by charco). · Explain Why
This revision was automatically updated to reflect the committed changes.
charco added a commit: rGa9c515983dc2: [libFuzzer] Fix CFI Directives for fuchsia.

Revision Contents

PathSize
compiler-rt/
lib/
fuzzer/
105 lines

Diff 362592

compiler-rt/lib/fuzzer/FuzzerUtilFuchsia.cpp

Show First 20 LinesShow All 62 Lines▼ Show 20 Lines
void AlarmHandler(int Seconds) { void AlarmHandler(int Seconds) {
while (true) { while (true) {
SleepSeconds(Seconds); SleepSeconds(Seconds);
Fuzzer::StaticAlarmCallback(); Fuzzer::StaticAlarmCallback();
} }
} }
// CFAOffset is used to reference the stack pointer before entering the
// trampoline (Stack Pointer + CFAOffset = prev Stack Pointer). Before jumping
// to the trampoline we copy all the registers onto the stack. We need to make
// sure that the new stack has enough space to store all the registers.
//
// The trampoline holds CFI information regarding the registers stored in the
// stack, which is then used by the unwinder to restore them.
#if defined(__x86_64__)
// In x86_64 the crashing function might also be using the red zone (128 bytes
// on top of their rsp).
constexpr size_t CFAOffset = 128 + sizeof(zx_thread_state_general_regs_t);
#elif defined(__aarch64__)
// In aarch64 we need to always have the stack pointer aligned to 16 bytes, so we
// make sure that we are keeping that same alignment.
constexpr size_t CFAOffset = (sizeof(zx_thread_state_general_regs_t) + 15) & -(uintptr_t)16;
#endif
// For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback // For the crash handler, we need to call Fuzzer::StaticCrashSignalCallback
// without POSIX signal handlers. To achieve this, we use an assembly function // without POSIX signal handlers. To achieve this, we use an assembly function
// to add the necessary CFI unwinding information and a C function to bridge // to add the necessary CFI unwinding information and a C function to bridge
// from that back into C++. // from that back into C++.
// FIXME: This works as a short-term solution, but this code really shouldn't be // FIXME: This works as a short-term solution, but this code really shouldn't be
// architecture dependent. A better long term solution is to implement remote // architecture dependent. A better long term solution is to implement remote
// unwinding and expose the necessary APIs through sanitizer_common and/or ASAN // unwinding and expose the necessary APIs through sanitizer_common and/or ASAN
▲ Show 20 LinesShow All 62 Lines▼ Show 20 Lines
// Produces a CFI directive for the named or numbered register. // Produces a CFI directive for the named or numbered register.
// The value used refers to an assembler immediate operand with the same name // The value used refers to an assembler immediate operand with the same name
// as the register (see ASM_OPERAND_REG). // as the register (see ASM_OPERAND_REG).
#define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n" #define CFI_OFFSET_REG(reg) ".cfi_offset " #reg ", %c[" #reg "]\n"
#define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num) #define CFI_OFFSET_NUM(num) CFI_OFFSET_REG(x##num)
// Produces an assembler immediate operand for the named or numbered register. // Produces an assembler immediate operand for the named or numbered register.
// This operand contains the offset of the register relative to the CFA. // This operand contains the offset of the register relative to the CFA.
#define ASM_OPERAND_REG(reg) \ #define ASM_OPERAND_REG(reg) \
[reg] "i"(offsetof(zx_thread_state_general_regs_t, reg) - CFAOffset), [reg] "i"(offsetof(zx_thread_state_general_regs_t, reg)),
#define ASM_OPERAND_NUM(num) \ #define ASM_OPERAND_NUM(num) \
[x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num]) - CFAOffset), [x##num] "i"(offsetof(zx_thread_state_general_regs_t, r[num])),
// Trampoline to bridge from the assembly below to the static C++ crash // Trampoline to bridge from the assembly below to the static C++ crash
// callback. // callback.
__attribute__((noreturn)) __attribute__((noreturn))
static void StaticCrashHandler() { static void StaticCrashHandler() {
Fuzzer::StaticCrashSignalCallback(); Fuzzer::StaticCrashSignalCallback();
for (;;) { for (;;) {
_Exit(1); _Exit(1);
} }
} }
// Creates the trampoline with the necessary CFI information to unwind through // This trampoline function has the necessary CFI information to unwind
// to the crashing call stack: // and get a backtrace:
// * Defining the CFA so that it points to the stack pointer at the point // * The stack contains a copy of all the registers at the point of crash,
// of crash. // the code has CFI directives specifying how to restore them.
// * Storing all registers at the point of crash in the stack and refer to them // * A call to StaticCrashHandler, which will print the stacktrace and exit
// via CFI information (relative to the CFA). // the fuzzer, generating a crash artifact.
// * Setting the return column so the unwinder knows how to continue unwinding.
// * (x86_64) making sure rsp is aligned before calling StaticCrashHandler.
// * Calling StaticCrashHandler that will trigger the unwinder.
// //
// The __attribute__((used)) is necessary because the function // The __attribute__((used)) is necessary because the function
// is never called; it's just a container around the assembly to allow it to // is never called; it's just a container around the assembly to allow it to
// use operands for compile-time computed constants. // use operands for compile-time computed constants.
__attribute__((used)) __attribute__((used))
void MakeTrampoline() { void MakeTrampoline() {
__asm__(".cfi_endproc\n" __asm__(
".cfi_endproc\n"
".pushsection .text.CrashTrampolineAsm\n" ".pushsection .text.CrashTrampolineAsm\n"
".type CrashTrampolineAsm,STT_FUNC\n" ".type CrashTrampolineAsm,STT_FUNC\n"
"CrashTrampolineAsm:\n" "CrashTrampolineAsm:\n"
".cfi_startproc simple\n" ".cfi_startproc simple\n"
".cfi_signal_frame\n" ".cfi_signal_frame\n"
#if defined(__x86_64__) #if defined(__x86_64__)
".cfi_return_column rip\n" ".cfi_return_column rip\n"
".cfi_def_cfa rsp, %c[CFAOffset]\n" ".cfi_def_cfa rsp, 0\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM) FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
"mov %%rsp, %%rbp\n"
".cfi_def_cfa_register rbp\n"
"andq $-16, %%rsp\n"
"call %c[StaticCrashHandler]\n" "call %c[StaticCrashHandler]\n"
"ud2\n" "ud2\n"
#elif defined(__aarch64__) #elif defined(__aarch64__)
".cfi_return_column 33\n" ".cfi_return_column 33\n"
".cfi_def_cfa sp, %c[CFAOffset]\n" ".cfi_def_cfa sp, 0\n"
FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM) FOREACH_REGISTER(CFI_OFFSET_REG, CFI_OFFSET_NUM)
".cfi_offset 33, %c[pc]\n" ".cfi_offset 33, %c[pc]\n"
".cfi_offset 30, %c[lr]\n" ".cfi_offset 30, %c[lr]\n"
"bl %c[StaticCrashHandler]\n" "bl %c[StaticCrashHandler]\n"
"brk 1\n" "brk 1\n"
#else #else
#error "Unsupported architecture for fuzzing on Fuchsia" #error "Unsupported architecture for fuzzing on Fuchsia"
#endif #endif
".cfi_endproc\n" ".cfi_endproc\n"
".size CrashTrampolineAsm, . - CrashTrampolineAsm\n" ".size CrashTrampolineAsm, . - CrashTrampolineAsm\n"
".popsection\n" ".popsection\n"
".cfi_startproc\n" ".cfi_startproc\n"
: // No outputs : // No outputs
: FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM) : FOREACH_REGISTER(ASM_OPERAND_REG, ASM_OPERAND_NUM)
#if defined(__aarch64__) #if defined(__aarch64__)
ASM_OPERAND_REG(pc) ASM_OPERAND_REG(pc) ASM_OPERAND_REG(lr)
ASM_OPERAND_REG(lr)
#endif #endif
[StaticCrashHandler] "i" (StaticCrashHandler), [StaticCrashHandler] "i"(StaticCrashHandler));
[CFAOffset] "i" (CFAOffset));
} }
void CrashHandler(zx_handle_t *Event) { void CrashHandler(zx_handle_t *Event) {
// This structure is used to ensure we close handles to objects we create in // This structure is used to ensure we close handles to objects we create in
// this handler. // this handler.
struct ScopedHandle { struct ScopedHandle {
~ScopedHandle() { _zx_handle_close(Handle); } ~ScopedHandle() { _zx_handle_close(Handle); }
zx_handle_t Handle = ZX_HANDLE_INVALID; zx_handle_t Handle = ZX_HANDLE_INVALID;
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines ExitOnErr(_zx_thread_read_state(Thread.Handle, ZX_THREAD_STATE_GENERAL_REGS,
&GeneralRegisters, &GeneralRegisters,
sizeof(GeneralRegisters)), sizeof(GeneralRegisters)),
"_zx_thread_read_state"); "_zx_thread_read_state");
// To unwind properly, we need to push the crashing thread's register state // To unwind properly, we need to push the crashing thread's register state
// onto the stack and jump into a trampoline with CFI instructions on how // onto the stack and jump into a trampoline with CFI instructions on how
// to restore it. // to restore it.
#if defined(__x86_64__) #if defined(__x86_64__)
uintptr_t StackPtr = GeneralRegisters.rsp - CFAOffset; uintptr_t StackPtr =
(GeneralRegisters.rsp - (128 + sizeof(GeneralRegisters))) &
-(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters, __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters)); sizeof(GeneralRegisters));
GeneralRegisters.rsp = StackPtr; GeneralRegisters.rsp = StackPtr;
GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm); GeneralRegisters.rip = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#elif defined(__aarch64__) #elif defined(__aarch64__)
uintptr_t StackPtr = GeneralRegisters.sp - CFAOffset; uintptr_t StackPtr =
(GeneralRegisters.sp - sizeof(GeneralRegisters)) & -(uintptr_t)16;
__unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters, __unsanitized_memcpy(reinterpret_cast<void *>(StackPtr), &GeneralRegisters,
sizeof(GeneralRegisters)); sizeof(GeneralRegisters));
GeneralRegisters.sp = StackPtr; GeneralRegisters.sp = StackPtr;
GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm); GeneralRegisters.pc = reinterpret_cast<zx_vaddr_t>(CrashTrampolineAsm);
#else #else
#error "Unsupported architecture for fuzzing on Fuchsia" #error "Unsupported architecture for fuzzing on Fuchsia"
#endif #endif
▲ Show 20 LinesShow All 236 LinesShow Last 20 Lines