This is an archive of the discontinued LLVM Phabricator instance.

Differential D108457

[hwasan] Do not instrument accesses to uninteresting allocas.
ClosedPublic

Authored by fmayer on Aug 20 2021, 5:03 AM.

Details

Reviewers
eugenis
Commits
rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas.
Summary

This leads to a statistically significant improvement when using -hwasan-instrument-stack=0: https://bit.ly/3AZUIKI.
When enabling stack instrumentation, the data appears gets better but not statistically significantly so. This is consistent
with the very moderate improvements I have seen for stack safety otherwise, so I expect it to improve when the underlying
issue of that is resolved.

Diff Detail

Unit TestsFailed

TimeTest
4,030 msx64 debian > libFuzzer.libFuzzer::fuzzer-leak.test

Event Timeline

fmayer created this revision.Aug 20 2021, 5:03 AM
Herald added a subscriber: hiraditya. · View Herald TranscriptAug 20 2021, 5:03 AM
fmayer retitled this revision from [hwasan] Do not instrument accesses to safe allocas. to [hwasan] Do not instrument accesses to uninteresting allocas..Aug 20 2021, 5:04 AM
Harbormaster completed remote builds in B120533: Diff 367761.Aug 20 2021, 5:42 AM
fmayer updated this revision to Diff 367778.Aug 20 2021, 6:31 AM

better test.

Harbormaster completed remote builds in B120545: Diff 367778.Aug 20 2021, 7:11 AM
fmayer updated this revision to Diff 367790.Aug 20 2021, 7:28 AM

ignore all alloca access if stack not instrumented

Harbormaster completed remote builds in B120554: Diff 367790.Aug 20 2021, 8:03 AM
fmayer edited the summary of this revision. (Show Details)Aug 20 2021, 9:25 AM
fmayer edited the summary of this revision. (Show Details)Aug 20 2021, 11:26 AM
fmayer updated this revision to Diff 367842.Aug 20 2021, 11:29 AM

better variable naming.

Harbormaster completed remote builds in B120587: Diff 367842.Aug 20 2021, 12:10 PM
fmayer updated this revision to Diff 368055.Aug 23 2021, 3:22 AM

add test

Harbormaster completed remote builds in B120751: Diff 368055.Aug 23 2021, 3:56 AM
fmayer updated this revision to Diff 368113.Aug 23 2021, 8:10 AM

allow to control strictness of alloc matching

fmayer updated this revision to Diff 368116.Aug 23 2021, 8:20 AM

format

fmayer updated this revision to Diff 368118.Aug 23 2021, 8:21 AM

remove comment

fmayer published this revision for review.Aug 23 2021, 8:23 AM
fmayer added a reviewer: eugenis.
Herald added a project: Restricted Project. · View Herald TranscriptAug 23 2021, 8:23 AM
Herald added a subscriber: llvm-commits. · View Herald Transcript
fmayer updated this revision to Diff 368120.Aug 23 2021, 8:40 AM

simplify code

Harbormaster completed remote builds in B120800: Diff 368120.Aug 23 2021, 9:21 AM
eugenis added a comment.Aug 24 2021, 3:01 PM

I don't like the new flag. If we want this as a mitigation, IMHO it's a bad idea to allow overflows from stack. Even constant sized ones. Well, maybe reasonably small constant overflows are ok.

Consider adopting AddressSanitizer::isSafeAccess instead.

eugenis added a comment.Aug 24 2021, 3:03 PM

In face, isSafeAccess seems pretty limited. Surely ScalarEvolution (similar to how it is used in StackSafetyAnalysis) can capture more cases, including a non-constant offset that can be proven to be within range?

fmayer updated this revision to Diff 370554.Sep 3 2021, 5:23 AM

rework to address comment

fmayer added a comment.Sep 3 2021, 5:24 AM
In D108457#2963679, @eugenis wrote:

In face, isSafeAccess seems pretty limited. Surely ScalarEvolution (similar to how it is used in StackSafetyAnalysis) can capture more cases, including a non-constant offset that can be proven to be within range?

Done. PTAL.

What I do right now is not emit any checks when we can we disable stack instrumentation and we can trace back an operation to an alloca. While we could potentially overflow towards other regions, I think it is not unexpected that we do not catch this if stack instrumentation is disabled. What do you think?

Harbormaster completed remote builds in B122497: Diff 370554.Sep 3 2021, 6:00 AM
fmayer added a child revision: D109233: [hwasan] Respect returns attribute when tracking values..Sep 3 2021, 6:28 AM
eugenis added a comment.Sep 3 2021, 2:41 PM

This is pretty cool, I thought it would be more complicated.

This change needs comprehensive tests in llvm/test/Analysis/StackSafetyAnalysis. Update the print() method to show safe/unsafe instructions (or maybe only list known safe instruction).

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

fmayer updated this revision to Diff 370869.Sep 6 2021, 2:38 AM

handle stores that might or might not use an alloca

fmayer added a comment.Sep 6 2021, 2:38 AM
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

fmayer updated this revision to Diff 370870.Sep 6 2021, 2:43 AM

don't use argument in select test

Harbormaster completed remote builds in B122731: Diff 370870.Sep 6 2021, 3:21 AM
fmayer added a comment.EditedSep 6 2021, 5:56 AM
In D108457#2984855, @fmayer wrote:
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

Thinking again I remembered why I removed the explicit case for this during the refactoring: in this case, SCEV will not be able to calculate an in-range offset between the operant of the store and the alloca, so it will not be judged a safe access

fmayer updated this revision to Diff 370948.Sep 6 2021, 11:51 AM

add tests for stack safety analysis

Harbormaster completed remote builds in B122788: Diff 370948.Sep 6 2021, 12:22 PM
fmayer updated this revision to Diff 370961.Sep 6 2021, 12:39 PM

format

Harbormaster completed remote builds in B122799: Diff 370961.Sep 6 2021, 1:18 PM
fmayer added a comment.EditedSep 7 2021, 7:25 AM

EDIT: I ran pdfium benchmarks and had some results here, but I spoke too early and need to run some more.

eugenis added a subscriber: vitalybuka.Sep 7 2021, 3:41 PM

@vitalybuka

Ideas for more analysis tests:

  • unsafe alloca with a mix of safe and unsafe accesses
  • memcpy that is safe on one side and unsafe on the other. Either between two allocas, or within the same (memmove?). Or between alloca and non-stack memory.
In D108457#2985198, @fmayer wrote:
In D108457#2984855, @fmayer wrote:
In D108457#2983236, @eugenis wrote:

What if an instruction may access either stack or heap?

i32 *p = flag ? p_heap_i16 : &stack_i32;
*p = 42;

The analysis will say "safe" because it is only scanning from the stack roots.
This should probably be fixed in hwasan by tracking the underlying alloca.

Ah yes, I did handle this but then accidentally lost that when I refactored around some stuff. Put that back and added an IR test.

Thinking again I remembered why I removed the explicit case for this during the refactoring: in this case, SCEV will not be able to calculate an in-range offset between the operant of the store and the alloca, so it will not be judged a safe access

Right, of course. Any reachable instruction we would require to be *always* within the alloca range.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
836 ↗(On Diff #370961)

This affect compilation time and memory. Ideally we would not do it if the client can not use this info (ex. MTE).

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
778

if (findAllocaForValue(Ptr)) return true;

fmayer updated this revision to Diff 371276.Sep 8 2021, 1:45 AM

address comment

fmayer updated this revision to Diff 371279.Sep 8 2021, 1:55 AM
fmayer marked an inline comment as done.

remove unnecessary check

Harbormaster completed remote builds in B123012: Diff 371279.Sep 8 2021, 2:35 AM
fmayer updated this revision to Diff 371342.Sep 8 2021, 8:17 AM

only calculate address information when needed.

fmayer marked an inline comment as done.Sep 8 2021, 8:17 AM
fmayer updated this revision to Diff 371347.Sep 8 2021, 8:31 AM

revert unneeded change

Harbormaster completed remote builds in B123057: Diff 371347.Sep 8 2021, 9:24 AM
fmayer updated this revision to Diff 371382.Sep 8 2021, 10:03 AM

clang format

Harbormaster completed remote builds in B123079: Diff 371382.Sep 8 2021, 10:47 AM
eugenis added a comment.Sep 8 2021, 1:05 PM

still missing test cases for combinations of mixed safe/unsafe accesses

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
69 ↗(On Diff #371382)

you want either DenseMap or SmallPtrSet here. std::map is unnecessarily ordered, logarithmic, and wastes memory

vitalybuka added inline comments.Sep 8 2021, 1:59 PM
llvm/include/llvm/Analysis/StackSafetyAnalysis.h
67 ↗(On Diff #371382)

why do we need bool if missing instruction is equivalent to false?
std::set?

67 ↗(On Diff #371382)

just std::map<const Instruction *, bool>Accesses;

InfoTy in unique_ptr to avoid exposing it into the header.

69 ↗(On Diff #371382)

std set/map seems fine
class is movable, DenseMap or SmallPtrSet don't support efficient move.

69 ↗(On Diff #371382)

I don't see value in ::getAccesses when accessIsSafe can access the field.

llvm/lib/Analysis/StackSafetyAnalysis.cpp
136–139 ↗(On Diff #371382)

Less boilerplate this way:
auto Ins = Accesses.emplace(I, R);
Then use Ins.first and Ins.second where needed.

141–143 ↗(On Diff #371382)

the point of <it, bool> result that you can update if insert failed and avoid the second lookup

455 ↗(On Diff #371382)

may I ask you to extract two NFC patches which you can land without review:

  1. break -> return !US.Range.isFullSet(); I assume no tests need updates.
  2. Wrap updateRange into trivial:
void addRange(I, R) {
   // the rest you will add in D108457
   updateRange(R);
 }

I assume also not tests should be affected.

813 ↗(On Diff #371382)

this is a separate NFC patch

826 ↗(On Diff #371382)

so we lazily construct this on the request
if so I am pretty sure we can have sorted std::vector<Instruction*> Accesses for free;
and accessIsSafe can use std::binary_search and it will be faster then map/set lookups.

836 ↗(On Diff #370961)

I am a little bit skeptical that we can measure a difference. I'd rather keep it simple.

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
283

HWAsan and related tests should be in a separate patch

fmayer mentioned this in rG6e12c73316b7: [NFC] [stack-safety] add placeholder addRange..Sep 9 2021, 5:13 AM
fmayer updated this revision to Diff 371581.Sep 9 2021, 6:48 AM
fmayer marked 9 inline comments as done.

split change

fmayer added a comment.Sep 9 2021, 6:49 AM

I split the stack safety change to D109503 and added more tests to that.

llvm/include/llvm/Analysis/StackSafetyAnalysis.h
67 ↗(On Diff #371382)

While I build this up, there are two cases:

the instruction hadn't been considered yet
the instruction was considered but wasn't safe.
This allows to conveniently keep them apart.

67 ↗(On Diff #371382)

I reverted to calculating this in getInfo and putting it into the InfoTy.

@eugenis is that okay?

llvm/lib/Analysis/StackSafetyAnalysis.cpp
141–143 ↗(On Diff #371382)

That doesn't work, because it's not move constructible (I think, I don't fully remember what exactly it complained about when I did that).

455 ↗(On Diff #371382)

Actually no one looks at the return value, so I just made it void.

836 ↗(On Diff #370961)

I reverted it to what it was before for simplicity. We can change it again later if it becomes a problem.

fmayer added a parent revision: D109503: [stack-safety] Allow to determine safe accesses..Sep 9 2021, 6:51 AM
Harbormaster completed remote builds in B123211: Diff 371581.Sep 9 2021, 7:01 AM
fmayer updated this revision to Diff 371583.Sep 9 2021, 7:06 AM

remove unnecessary check (again)

fmayer updated this revision to Diff 371585.Sep 9 2021, 7:09 AM

style

Harbormaster completed remote builds in B123215: Diff 371585.Sep 9 2021, 7:49 AM
eugenis accepted this revision.Sep 9 2021, 1:27 PM

LGTM

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp
777

I'm still on the fence about this. A stack pointer can be used to access heap if the offset is attacker controlled, but that sounds a bit exotic.

But let's land it like this for now.

One thing I'd like to explore is applying the same SCEV computation as in StackSafetyAnalysis and excluding instrumentation for anything with offset provably within 32 bits or less - that should be reasonably common (indices are often int, not long) and safe (heap is unlikely to be within 4Gb from stack on 64-bit).

This revision is now accepted and ready to land.Sep 9 2021, 1:27 PM
fmayer updated this revision to Diff 371924.Sep 10 2021, 8:00 AM

rebase

fmayer marked an inline comment as done.Sep 10 2021, 8:12 AM
Harbormaster completed remote builds in B123448: Diff 371924.Sep 10 2021, 8:39 AM
Closed by commit rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas. (authored by fmayer). · Explain WhySep 10 2021, 11:29 AM
This revision was automatically updated to reflect the committed changes.
fmayer added a commit: rG09391e7e507f: [hwasan] Do not instrument accesses to uninteresting allocas..
fmayer removed a child revision: D109233: [hwasan] Respect returns attribute when tracking values..Sep 13 2021, 2:04 AM

Revision Contents

PathSize
llvm/
lib/
Transforms/
Instrumentation/
3 lines
test/
Instrumentation/
HWAddressSanitizer/
10 lines

Diff 367778

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 274 Lines▼ Show 20 Linespublic:
void untagPointerOperand(Instruction *I, Value *Addr); void untagPointerOperand(Instruction *I, Value *Addr);
Value *memToShadow(Value *Shadow, IRBuilder<> &IRB); Value *memToShadow(Value *Shadow, IRBuilder<> &IRB);
void instrumentMemAccessInline(Value *Ptr, bool IsWrite, void instrumentMemAccessInline(Value *Ptr, bool IsWrite,
unsigned AccessSizeIndex, unsigned AccessSizeIndex,
Instruction *InsertBefore); Instruction *InsertBefore);
void instrumentMemIntrinsic(MemIntrinsic *MI); void instrumentMemIntrinsic(MemIntrinsic *MI);
bool instrumentMemAccess(InterestingMemoryOperand &O); bool instrumentMemAccess(InterestingMemoryOperand &O);
bool ignoreAccess(Value *Ptr); bool ignoreAccess(Value *Ptr);
vitalybukaUnsubmitted
Done
ReplyInline Actions

HWAsan and related tests should be in a separate patch

vitalybuka: HWAsan and related tests should be in a separate patch
void getInterestingMemoryOperands( void getInterestingMemoryOperands(
Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting); Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting);
bool isInterestingAlloca(const AllocaInst &AI); bool isInterestingAlloca(const AllocaInst &AI);
void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size);
Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag);
Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong);
bool instrumentStack( bool instrumentStack(
▲ Show 20 LinesShow All 476 Lines▼ Show 20 Linesbool HWAddressSanitizer::ignoreAccess(Value *Ptr) {
// Ignore swifterror addresses. // Ignore swifterror addresses.
// swifterror memory addresses are mem2reg promoted by instruction // swifterror memory addresses are mem2reg promoted by instruction
// selection. As such they cannot have regular uses like an instrumentation // selection. As such they cannot have regular uses like an instrumentation
// function and it makes no sense to track them as memory. // function and it makes no sense to track them as memory.
if (Ptr->isSwiftError()) if (Ptr->isSwiftError())
return true; return true;
auto *MaybeAlloca = findAllocaForValue(Ptr);
if (MaybeAlloca && !isInterestingAlloca(*MaybeAlloca))
eugenisUnsubmitted
Done
ReplyInline Actions

I'm still on the fence about this. A stack pointer can be used to access heap if the offset is attacker controlled, but that sounds a bit exotic.

But let's land it like this for now.

One thing I'd like to explore is applying the same SCEV computation as in StackSafetyAnalysis and excluding instrumentation for anything with offset provably within 32 bits or less - that should be reasonably common (indices are often int, not long) and safe (heap is unlikely to be within 4Gb from stack on 64-bit).

eugenis: I'm still on the fence about this. A stack pointer can be used to access heap if the offset is…
return true;
eugenisUnsubmitted
Done
ReplyInline Actions

if (findAllocaForValue(Ptr)) return true;

eugenis: `if (findAllocaForValue(Ptr)) return true;`
return false; return false;
} }
void HWAddressSanitizer::getInterestingMemoryOperands( void HWAddressSanitizer::getInterestingMemoryOperands(
Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) { Instruction *I, SmallVectorImpl<InterestingMemoryOperand> &Interesting) {
// Skip memory accesses inserted by another instrumentation. // Skip memory accesses inserted by another instrumentation.
if (I->hasMetadata("nosanitize")) if (I->hasMetadata("nosanitize"))
return; return;
▲ Show 20 LinesShow All 1,019 LinesShow Last 20 Lines

llvm/test/Instrumentation/HWAddressSanitizer/stack-safety-analysis.ll

; RUN: opt -hwasan -hwasan-use-stack-safety=1 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-use-stack-safety=1 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY
; RUN: opt -hwasan -hwasan-use-stack-safety=0 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=NOSAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-use-stack-safety=0 -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=NOSAFETY
; RUN: opt -hwasan -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY ; RUN: opt -hwasan -hwasan-instrument-with-calls -hwasan-generate-tags-with-calls -S < %s | FileCheck %s --check-prefixes=SAFETY
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128" target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-linux-gnu" target triple = "aarch64-unknown-linux-gnu"
; Check a safe alloca to ensure it does not get a tag. ; Check a safe alloca to ensure it does not get a tag.
define i32 @test_load(i32* %a) sanitize_hwaddress { define i32 @test_load(i32* %a) sanitize_hwaddress {
entry: entry:
; NOSAFETY: call {{.*}}__hwasan_generate_tag ; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY-NOT: call {{.*}}__hwasan_generate_tag ; SAFETY-NOT: call {{.*}}__hwasan_generate_tag
; SAFETY-NOT: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca i8, align 4 %buf.sroa.0 = alloca i8, align 4
call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0)
store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8 store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0)
ret i32 0 ret i32 0
} }
; Check a non-safe alloca to ensure it gets a tag. ; Check a non-safe alloca to ensure it gets a tag.
define i32 @test_use(i32* %a) sanitize_hwaddress { define i32 @test_use(i32* %a) sanitize_hwaddress {
entry: entry:
; NOSAFETY: call {{.*}}__hwasan_generate_tag ; NOSAFETY: call {{.*}}__hwasan_generate_tag
; NOSAFETY: call {{.*}}__hwasan_store
; SAFETY: call {{.*}}__hwasan_generate_tag ; SAFETY: call {{.*}}__hwasan_generate_tag
; SAFETY: call {{.*}}__hwasan_store
%buf.sroa.0 = alloca i8, align 4 %buf.sroa.0 = alloca i8, align 4
call void @use(i8* nonnull %buf.sroa.0) call void @use(i8* nonnull %buf.sroa.0)
call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.start.p0i8(i64 1, i8* nonnull %buf.sroa.0)
store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8 store volatile i8 0, i8* %buf.sroa.0, align 4, !tbaa !8
call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0) call void @llvm.lifetime.end.p0i8(i64 1, i8* nonnull %buf.sroa.0)
ret i32 0 ret i32 0
} }
Show All 11 Lines