This is an archive of the discontinued LLVM Phabricator instance.

Differential D118647

[hwasan] work around lifetime issue with setjmp.
ClosedPublic

Authored by fmayer on Jan 31 2022, 1:29 PM.

Details

Reviewers
eugenis
Commits
rGaefb2e134dd7: [hwasan] work around lifetime issue with setjmp.
Summary

setjmp can return twice, but PostDominatorTree is unaware of this. as
such, it overestimates postdominance, leaving some cases (see attached
compiler-rt) where memory does not get untagged on return. this causes
false positives later in the program execution.

this is a crude workaround to unblock use-after-scope for now, in the
longer term PostDominatorTree should bemade aware of returns_twice
function, as this may cause problems elsewhere.

Diff Detail

Event Timeline

fmayer created this revision.Jan 31 2022, 1:29 PM
Herald added a subscriber: hiraditya. · View Herald TranscriptJan 31 2022, 1:29 PM
fmayer requested review of this revision.Jan 31 2022, 1:29 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptJan 31 2022, 1:29 PM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
fmayer updated this revision to Diff 404708.Jan 31 2022, 1:30 PM

missing newline at eof

fmayer updated this revision to Diff 404709.Jan 31 2022, 1:31 PM

comment

fmayer updated this revision to Diff 404713.Jan 31 2022, 1:33 PM

even more comments

fmayer updated this revision to Diff 404716.Jan 31 2022, 1:36 PM

cosmetic changes

fmayer updated this revision to Diff 404718.Jan 31 2022, 1:37 PM

more cosmetic changes

eugenis added subscribers: pcc, eugenis.Jan 31 2022, 1:53 PM

This is a great find. @pcc
It seems like it would affect AArch64StackTagging, and some of the sanitizers as well (ASan in particular).
Also I don't see anything in CodeGen/StackColoring.cpp to avoid this case - is it possible for it to cause erroneous stack slot reuse?

llvm/test/Instrumentation/HWAddressSanitizer/use-after-scope-setjmp.ll
27

so the callee of this may longjmp, bypassing the lifetime.end. Effectively, this adds a DT edge from any call site in this function to immediately after the setjmp call.

Please add some comments here explaining this.

eugenis added inline comments.Jan 31 2022, 1:54 PM
llvm/test/Instrumentation/HWAddressSanitizer/use-after-scope-setjmp.ll
27

I meant to say "call graph edge".

fmayer updated this revision to Diff 404742.Jan 31 2022, 2:49 PM
fmayer marked an inline comment as done.

cosmetic changes

fmayer marked an inline comment as done.Jan 31 2022, 2:50 PM
In D118647#3285567, @eugenis wrote:

This is a great find. @pcc
It seems like it would affect AArch64StackTagging, and some of the sanitizers as well (ASan in particular).
Also I don't see anything in CodeGen/StackColoring.cpp to avoid this case - is it possible for it to cause erroneous stack slot reuse?

yep, as explained in the commit message i sent this CL to unblock the use-after-scope rollout while we figure out how to deal with the potentially bigger problem.

fmayer added a reviewer: eugenis.Jan 31 2022, 3:04 PM
Harbormaster completed remote builds in B146782: Diff 404742.Jan 31 2022, 6:04 PM
fmayer updated this revision to Diff 404801.Jan 31 2022, 8:18 PM

stylistic change

Harbormaster completed remote builds in B146816: Diff 404801.Jan 31 2022, 8:50 PM
eugenis added a comment.Feb 1 2022, 11:11 AM

Did you forget to include a file?

eugenis added a comment.Feb 1 2022, 11:13 AM

Oh I get it you are shadowing a class member. Let's not do that, it's confusing.

fmayer updated this revision to Diff 405015.Feb 1 2022, 11:21 AM

naming

fmayer added a comment.Feb 1 2022, 11:22 AM
In D118647#3288135, @eugenis wrote:

Oh I get it you are shadowing a class member. Let's not do that, it's confusing.

Fixed.

eugenis accepted this revision.Feb 1 2022, 11:30 AM

LGTM

compiler-rt/test/hwasan/TestCases/use-after-scope-setjmp.cpp
5

I don't see any reason to limit the test to aarch64.

This revision is now accepted and ready to land.Feb 1 2022, 11:30 AM
fmayer marked an inline comment as done.Feb 1 2022, 12:13 PM
fmayer added inline comments.
compiler-rt/test/hwasan/TestCases/use-after-scope-setjmp.cpp
5

I'll leave this for now for consistency with the other hwasan compiler-rt tests. We can bulk remove them after.

This revision was landed with ongoing or failed builds.Feb 1 2022, 12:14 PM
Closed by commit rGaefb2e134dd7: [hwasan] work around lifetime issue with setjmp. (authored by fmayer). · Explain Why
This revision was automatically updated to reflect the committed changes.
fmayer marked an inline comment as done.
fmayer added a commit: rGaefb2e134dd7: [hwasan] work around lifetime issue with setjmp..
Harbormaster completed remote builds in B146961: Diff 405015.Feb 1 2022, 1:21 PM
fmayer mentioned this in D118749: [mte] work around lifetime issue with setjmp..Feb 1 2022, 5:15 PM
fmayer mentioned this in rG8680d6db1e45: [mte] work around lifetime issue with setjmp..Feb 2 2022, 1:55 PM

Revision Contents

PathSize
compiler-rt/
test/
hwasan/
TestCases/
59 lines
llvm/
lib/
Transforms/
Instrumentation/
17 lines
test/
Instrumentation/
HWAddressSanitizer/
43 lines

Diff 405043

compiler-rt/test/hwasan/TestCases/use-after-scope-setjmp.cpp

  • This file was added.
// RUN: %clangxx_hwasan -mllvm -hwasan-use-stack-safety=0 -mllvm -hwasan-use-after-scope -O2 %s -o %t && \
// RUN: %run %t 2>&1
// REQUIRES: aarch64-target-arch
// REQUIRES: stable-runtime
eugenisUnsubmitted
Done
ReplyInline Actions

I don't see any reason to limit the test to aarch64.

eugenis: I don't see any reason to limit the test to aarch64.
fmayerAuthorUnsubmitted
Done
ReplyInline Actions

I'll leave this for now for consistency with the other hwasan compiler-rt tests. We can bulk remove them after.

fmayer: I'll leave this for now for consistency with the other hwasan compiler-rt tests. We can bulk…
#include <sanitizer/hwasan_interface.h>
#include <setjmp.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
volatile const char *stackbuf = nullptr;
jmp_buf jbuf;
__attribute__((noinline)) bool jump() {
// Fool the compiler so it cannot deduce noreturn.
if (getpid() != 0) {
longjmp(jbuf, 1);
return true;
}
return false;
}
bool target() {
switch (setjmp(jbuf)) {
case 1:
return false;
default:
break;
}
while (true) {
char buf[4096];
stackbuf = buf;
if (!jump()) {
break;
};
}
return true;
}
int main() {
target();
void *untagged = __hwasan_tag_pointer(stackbuf, 0);
if (stackbuf == untagged) {
// The buffer wasn't tagged in the first place, so the test will not work
// as expected.
return 2;
}
if (__hwasan_test_shadow(untagged, 4096) != -1) {
return 1;
}
return 0;
}

llvm/lib/Transforms/Instrumentation/HWAddressSanitizer.cpp

Show First 20 LinesShow All 298 Lines▼ Show 20 Linespublic:
bool isInterestingAlloca(const AllocaInst &AI); bool isInterestingAlloca(const AllocaInst &AI);
void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size); void tagAlloca(IRBuilder<> &IRB, AllocaInst *AI, Value *Tag, size_t Size);
Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag); Value *tagPointer(IRBuilder<> &IRB, Type *Ty, Value *PtrLong, Value *Tag);
Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong); Value *untagPointer(IRBuilder<> &IRB, Value *PtrLong);
static bool isStandardLifetime(const AllocaInfo &AllocaInfo, static bool isStandardLifetime(const AllocaInfo &AllocaInfo,
const DominatorTree &DT); const DominatorTree &DT);
bool instrumentStack( bool instrumentStack(
bool ShouldDetectUseAfterScope,
MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument, MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument,
SmallVector<Instruction *, 4> &UnrecognizedLifetimes, SmallVector<Instruction *, 4> &UnrecognizedLifetimes,
DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap,
SmallVectorImpl<Instruction *> &RetVec, Value *StackTag, SmallVectorImpl<Instruction *> &RetVec, Value *StackTag,
llvm::function_ref<const DominatorTree &()> GetDT, llvm::function_ref<const DominatorTree &()> GetDT,
llvm::function_ref<const PostDominatorTree &()> GetPDT); llvm::function_ref<const PostDominatorTree &()> GetPDT);
Value *readRegister(IRBuilder<> &IRB, StringRef Name); Value *readRegister(IRBuilder<> &IRB, StringRef Name);
bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec); bool instrumentLandingPads(SmallVectorImpl<Instruction *> &RetVec);
▲ Show 20 LinesShow All 1,039 Lines▼ Show 20 Linesbool HWAddressSanitizer::isStandardLifetime(const AllocaInfo &AllocaInfo,
// at most one of them is actually used for each execution of the function. // at most one of them is actually used for each execution of the function.
return AllocaInfo.LifetimeStart.size() == 1 && return AllocaInfo.LifetimeStart.size() == 1 &&
(AllocaInfo.LifetimeEnd.size() == 1 || (AllocaInfo.LifetimeEnd.size() == 1 ||
(AllocaInfo.LifetimeEnd.size() > 0 && (AllocaInfo.LifetimeEnd.size() > 0 &&
!maybeReachableFromEachOther(AllocaInfo.LifetimeEnd, DT))); !maybeReachableFromEachOther(AllocaInfo.LifetimeEnd, DT)));
} }
bool HWAddressSanitizer::instrumentStack( bool HWAddressSanitizer::instrumentStack(
bool ShouldDetectUseAfterScope,
MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument, MapVector<AllocaInst *, AllocaInfo> &AllocasToInstrument,
SmallVector<Instruction *, 4> &UnrecognizedLifetimes, SmallVector<Instruction *, 4> &UnrecognizedLifetimes,
DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap, DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> &AllocaDbgMap,
SmallVectorImpl<Instruction *> &RetVec, Value *StackTag, SmallVectorImpl<Instruction *> &RetVec, Value *StackTag,
llvm::function_ref<const DominatorTree &()> GetDT, llvm::function_ref<const DominatorTree &()> GetDT,
llvm::function_ref<const PostDominatorTree &()> GetPDT) { llvm::function_ref<const PostDominatorTree &()> GetPDT) {
// Ideally, we want to calculate tagged stack base pointer, and rewrite all // Ideally, we want to calculate tagged stack base pointer, and rewrite all
// alloca addresses using that. Unfortunately, offsets are not known yet // alloca addresses using that. Unfortunately, offsets are not known yet
Show All 35 Lines for (auto &KV : AllocasToInstrument) {
size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment()); size_t AlignedSize = alignTo(Size, Mapping.getObjectAlignment());
auto TagEnd = [&](Instruction *Node) { auto TagEnd = [&](Instruction *Node) {
IRB.SetInsertPoint(Node); IRB.SetInsertPoint(Node);
Value *UARTag = getUARTag(IRB, StackTag); Value *UARTag = getUARTag(IRB, StackTag);
tagAlloca(IRB, AI, UARTag, AlignedSize); tagAlloca(IRB, AI, UARTag, AlignedSize);
}; };
bool StandardLifetime = bool StandardLifetime =
UnrecognizedLifetimes.empty() && isStandardLifetime(Info, GetDT()); UnrecognizedLifetimes.empty() && isStandardLifetime(Info, GetDT());
if (DetectUseAfterScope && StandardLifetime) { if (ShouldDetectUseAfterScope && StandardLifetime) {
IntrinsicInst *Start = Info.LifetimeStart[0]; IntrinsicInst *Start = Info.LifetimeStart[0];
IRB.SetInsertPoint(Start->getNextNode()); IRB.SetInsertPoint(Start->getNextNode());
tagAlloca(IRB, AI, Tag, Size); tagAlloca(IRB, AI, Tag, Size);
if (!forAllReachableExits(GetDT(), GetPDT(), Start, Info.LifetimeEnd, if (!forAllReachableExits(GetDT(), GetPDT(), Start, Info.LifetimeEnd,
RetVec, TagEnd)) { RetVec, TagEnd)) {
for (auto *End : Info.LifetimeEnd) for (auto *End : Info.LifetimeEnd)
End->eraseFromParent(); End->eraseFromParent();
} }
▲ Show 20 LinesShow All 78 Lines▼ Show 20 Linesbool HWAddressSanitizer::sanitizeFunction(
SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument; SmallVector<InterestingMemoryOperand, 16> OperandsToInstrument;
SmallVector<MemIntrinsic *, 16> IntrinToInstrument; SmallVector<MemIntrinsic *, 16> IntrinToInstrument;
MapVector<AllocaInst *, AllocaInfo> AllocasToInstrument; MapVector<AllocaInst *, AllocaInfo> AllocasToInstrument;
SmallVector<Instruction *, 8> RetVec; SmallVector<Instruction *, 8> RetVec;
SmallVector<Instruction *, 8> LandingPadVec; SmallVector<Instruction *, 8> LandingPadVec;
SmallVector<Instruction *, 4> UnrecognizedLifetimes; SmallVector<Instruction *, 4> UnrecognizedLifetimes;
DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> AllocaDbgMap; DenseMap<AllocaInst *, std::vector<DbgVariableIntrinsic *>> AllocaDbgMap;
bool CallsReturnTwice = false;
for (auto &BB : F) { for (auto &BB : F) {
for (auto &Inst : BB) { for (auto &Inst : BB) {
if (CallInst *CI = dyn_cast<CallInst>(&Inst)) {
if (CI->canReturnTwice()) {
CallsReturnTwice = true;
}
}
if (InstrumentStack) { if (InstrumentStack) {
if (AllocaInst *AI = dyn_cast<AllocaInst>(&Inst)) { if (AllocaInst *AI = dyn_cast<AllocaInst>(&Inst)) {
if (isInterestingAlloca(*AI)) if (isInterestingAlloca(*AI))
AllocasToInstrument.insert({AI, {}}); AllocasToInstrument.insert({AI, {}});
continue; continue;
} }
auto *II = dyn_cast<IntrinsicInst>(&Inst); auto *II = dyn_cast<IntrinsicInst>(&Inst);
if (II && (II->getIntrinsicID() == Intrinsic::lifetime_start || if (II && (II->getIntrinsicID() == Intrinsic::lifetime_start ||
▲ Show 20 LinesShow All 67 Lines▼ Show 20 Linesbool HWAddressSanitizer::sanitizeFunction(
IRBuilder<> EntryIRB(InsertPt); IRBuilder<> EntryIRB(InsertPt);
emitPrologue(EntryIRB, emitPrologue(EntryIRB,
/*WithFrameRecord*/ ClRecordStackHistory && /*WithFrameRecord*/ ClRecordStackHistory &&
Mapping.WithFrameRecord && !AllocasToInstrument.empty()); Mapping.WithFrameRecord && !AllocasToInstrument.empty());
if (!AllocasToInstrument.empty()) { if (!AllocasToInstrument.empty()) {
Value *StackTag = Value *StackTag =
ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB); ClGenerateTagsWithCalls ? nullptr : getStackBaseTag(EntryIRB);
instrumentStack(AllocasToInstrument, UnrecognizedLifetimes, AllocaDbgMap, // Calls to functions that may return twice (e.g. setjmp) confuse the
// postdominator analysis, and will leave us to keep memory tagged after
// function return. Work around this by always untagging at every return
// statement if return_twice functions are called.
instrumentStack(DetectUseAfterScope && !CallsReturnTwice,
AllocasToInstrument, UnrecognizedLifetimes, AllocaDbgMap,
RetVec, StackTag, GetDT, GetPDT); RetVec, StackTag, GetDT, GetPDT);
} }
// Pad and align each of the allocas that we instrumented to stop small // Pad and align each of the allocas that we instrumented to stop small
// uninteresting allocas from hiding in instrumented alloca's padding and so // uninteresting allocas from hiding in instrumented alloca's padding and so
// that we have enough space to store real tags for short granules. // that we have enough space to store real tags for short granules.
DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap = DenseMap<AllocaInst *, AllocaInst *> AllocaToPaddedAllocaMap =
padInterestingAllocas(AllocasToInstrument); padInterestingAllocas(AllocasToInstrument);
▲ Show 20 LinesShow All 285 LinesShow Last 20 Lines

llvm/test/Instrumentation/HWAddressSanitizer/use-after-scope-setjmp.ll

  • This file was added.
; RUN: opt -passes=hwasan -hwasan-use-stack-safety=0 -hwasan-use-after-scope -S < %s | FileCheck %s
target datalayout = "e-m:e-i8:8:32-i16:16:32-i64:64-i128:128-n32:64-S128"
target triple = "aarch64-unknown-linux-android29"
@stackbuf = dso_local local_unnamed_addr global i8* null, align 8
@jbuf = dso_local global [32 x i64] zeroinitializer, align 8
declare void @may_jump()
define dso_local noundef i1 @_Z6targetv() sanitize_hwaddress {
entry:
%buf = alloca [4096 x i8], align 1
%call = call i32 @setjmp(i64* noundef getelementptr inbounds ([32 x i64], [32 x i64]* @jbuf, i64 0, i64 0))
switch i32 %call, label %while.body [
i32 1, label %return
i32 2, label %sw.bb1
]
sw.bb1: ; preds = %entry
br label %return
while.body: ; preds = %entry
%0 = getelementptr inbounds [4096 x i8], [4096 x i8]* %buf, i64 0, i64 0
call void @llvm.lifetime.start.p0i8(i64 4096, i8* nonnull %0) #10
store i8* %0, i8** @stackbuf, align 8
; may_jump may call longjmp, going back to the switch (and then the return),
; bypassing the lifetime.end. This is why we need to untag on the return,
eugenisUnsubmitted
Done
ReplyInline Actions

so the callee of this may longjmp, bypassing the lifetime.end. Effectively, this adds a DT edge from any call site in this function to immediately after the setjmp call.

Please add some comments here explaining this.

eugenis: so the callee of this may longjmp, bypassing the lifetime.end. Effectively, this adds a DT edge…
eugenisUnsubmitted
Done
ReplyInline Actions

I meant to say "call graph edge".

eugenis: I meant to say "call graph edge".
; rather than the lifetime.end.
call void @may_jump()
call void @llvm.lifetime.end.p0i8(i64 4096, i8* nonnull %0) #10
br label %return
; CHECK-LABEL: return:
; CHECK: void @llvm.memset.p0i8.i64({{.*}}, i8 0, i64 256, i1 false)
return: ; preds = %entry, %while.body, %sw.bb1
%retval.0 = phi i1 [ true, %while.body ], [ true, %sw.bb1 ], [ false, %entry ]
ret i1 %retval.0
}
declare i32 @setjmp(i64* noundef) returns_twice
declare void @llvm.lifetime.start.p0i8(i64 immarg, i8* nocapture)
declare void @llvm.lifetime.end.p0i8(i64 immarg, i8* nocapture)