This is an archive of the discontinued LLVM Phabricator instance.

Differential D129219

[libasan] Remove 4Mb stack limit for swapcontext unpoisoning
ClosedPublic

Authored by itrofimow on Jul 6 2022, 10:18 AM.

Details

Reviewers
vitalybuka
eugenis
Commits
rG15e9b1d0c0be: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning
rGd0751c9725aa: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning

Diff Detail

Event Timeline

itrofimow created this revision.Jul 6 2022, 10:18 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 6 2022, 10:18 AM
Herald added a subscriber: Enna1. · View Herald Transcript
itrofimow requested review of this revision.Jul 6 2022, 10:18 AM
Herald added a project: Restricted Project. · View Herald TranscriptJul 6 2022, 10:18 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
itrofimow added a comment.Jul 6 2022, 10:21 AM

Based on https://github.com/google/sanitizers/issues/1494

kMaxSaneContextStackSize was introduced 9 years ago, and with increasing popularity of coroutines in c++ world (be that std or boost coroutines) this limitation seems a bit off.
After all, is >4Mb coroutine stack actually insane in 2022?

vitalybuka added a subscriber: vitalybuka.Jul 6 2022, 10:35 AM

Could you please add a test?

compiler-rt/lib/asan/asan_interceptors.cpp
251

It should probably a CHECK
e.g. CHECK_LE(ssize, 1<<28)

vitalybuka added a reviewer: vitalybuka.Jul 6 2022, 10:35 AM
Harbormaster completed remote builds in B173938: Diff 442624.Jul 6 2022, 10:36 AM
eugenis accepted this revision.Jul 6 2022, 10:41 AM
eugenis added a subscriber: eugenis.

LGTM

This revision is now accepted and ready to land.Jul 6 2022, 10:41 AM
eugenis added a comment.Jul 6 2022, 10:42 AM

I guess some sanity check would be good, but since we get are not guessing this value but getting it directly from the OS, it's fine either way?

itrofimow added a comment.Jul 6 2022, 11:10 AM
In D129219#3633411, @eugenis wrote:

I guess some sanity check would be good, but since we get are not guessing this value but getting it directly from the OS, it's fine either way?

In boost::Coroutine2 stack size might be user-provided and i am not sure if there is a limitation at all.

In D129219#3633402, @vitalybuka wrote:

Could you please add a test?

Sure, but could you please suggest an appropriate place for that and where to look for references? - i'm not familiar with the codebase

vitalybuka added a comment.Jul 6 2022, 11:20 AM
In D129219#3633460, @itrofimow wrote:
In D129219#3633411, @eugenis wrote:

I guess some sanity check would be good, but since we get are not guessing this value but getting it directly from the OS, it's fine either way?

In boost::Coroutine2 stack size might be user-provided and i am not sure if there is a limitation at all.

In D129219#3633402, @vitalybuka wrote:

Could you please add a test?

Sure, but could you please suggest an appropriate place for that and where to look for references? - i'm not familiar with the codebase

Take a look at:
compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp
compiler-rt/test/asan/TestCases/Linux/swapcontext_annotation.cpp

You may consider to modify them, or just fork and throw away unneeded stuff.
I expect new test is just simplest piece of code which use this function and fails without patch and passes with the patch.

eugenis added a comment.Jul 6 2022, 11:20 AM
In D129219#3633460, @itrofimow wrote:
In D129219#3633411, @eugenis wrote:

I guess some sanity check would be good, but since we get are not guessing this value but getting it directly from the OS, it's fine either way?

In boost::Coroutine2 stack size might be user-provided and i am not sure if there is a limitation at all.

Right, same as ex. the size argument in memset. If it's wrong, we crash, but that's the user's fault. As opposed to some heuristic to detect stack limits, or that thing where we peek at glibc internals to parse the thread header which keeps changing between versions...

itrofimow updated this revision to Diff 443535.Jul 10 2022, 5:58 PM

making sure this test breaks on trunk

Harbormaster completed remote builds in B174588: Diff 443535.Jul 10 2022, 6:15 PM
itrofimow updated this revision to Diff 443537.Jul 10 2022, 6:45 PM

now checking the test with a patch

Harbormaster completed remote builds in B174590: Diff 443537.Jul 10 2022, 7:04 PM
itrofimow updated this revision to Diff 443539.Jul 10 2022, 7:16 PM

+ clang-format

Harbormaster completed remote builds in B174592: Diff 443539.Jul 10 2022, 7:34 PM
itrofimow added a comment.Jul 11 2022, 5:05 AM
In D129219#3633478, @vitalybuka wrote:
In D129219#3633460, @itrofimow wrote:
In D129219#3633411, @eugenis wrote:

I guess some sanity check would be good, but since we get are not guessing this value but getting it directly from the OS, it's fine either way?

In boost::Coroutine2 stack size might be user-provided and i am not sure if there is a limitation at all.

In D129219#3633402, @vitalybuka wrote:

Could you please add a test?

Sure, but could you please suggest an appropriate place for that and where to look for references? - i'm not familiar with the codebase

Take a look at:
compiler-rt/test/asan/TestCases/Linux/swapcontext_test.cpp
compiler-rt/test/asan/TestCases/Linux/swapcontext_annotation.cpp

You may consider to modify them, or just fork and throw away unneeded stuff.
I expect new test is just simplest piece of code which use this function and fails without patch and passes with the patch.

Added a test, could you please have a look?
It's not exactly the simplest piece of code unfortunately, but i guess it's not that bad:
it resembles pretty close to what boost.Coroutine2 does, and fixing that was the motivation for the patch.

P.S. I did check that it fails without the patch, that could be seen in builds history

vitalybuka mentioned this in rGf20a3cbefd81: [NFC][asan] Clang-format a test.Jul 11 2022, 10:12 AM
vitalybuka updated this revision to Diff 443683.Jul 11 2022, 10:26 AM

rebase

vitalybuka accepted this revision.Jul 11 2022, 10:28 AM

Thanks, LGTM.

compiler-rt/test/asan/TestCases/Linux/swapcontext_annotation.cpp
68

I moved formatting into a separate patch

This revision was landed with ongoing or failed builds.Jul 11 2022, 10:32 AM
Closed by commit rGd0751c9725aa: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning (authored by itrofimow, committed by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rGd0751c9725aa: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning.
Harbormaster completed remote builds in B174700: Diff 443683.Jul 11 2022, 10:44 AM
vitalybuka added a reverting change: rG868e1ee1d02c: Revert "[libasan] Remove 4Mb stack limit for swapcontext unpoisoning".Jul 19 2022, 9:40 PM
vitalybuka reopened this revision.Jul 19 2022, 9:41 PM
This revision is now accepted and ready to land.Jul 19 2022, 9:41 PM
vitalybuka updated this revision to Diff 446334.Jul 20 2022, 7:18 PM

rebase

Harbormaster completed remote builds in B176645: Diff 446334.Jul 20 2022, 7:18 PM
vitalybuka added a parent revision: D130218: [asan] Reset stack bounds of context.Jul 20 2022, 7:18 PM
itrofimow added a comment.Jul 21 2022, 8:38 AM
In D129219#3667281, @vitalybuka wrote:

rebase

Hi! I see this got reverted, can i help with landing it once again?

vitalybuka added a comment.Jul 21 2022, 11:03 AM
In D129219#3669035, @itrofimow wrote:
In D129219#3667281, @vitalybuka wrote:

rebase

Hi! I see this got reverted, can i help with landing it once again?

I uploaded it with slight modifications here. Hopefully it will work with D130218. Maybe you can check both, or even test in your environment.
It's not perfect, but better then we had before.

vitalybuka updated this revision to Diff 446968.Jul 22 2022, 1:42 PM

rebase

Harbormaster completed remote builds in B177104: Diff 446968.Jul 22 2022, 2:01 PM
Closed by commit rG15e9b1d0c0be: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning (authored by itrofimow, committed by vitalybuka). · Explain WhyJul 22 2022, 5:37 PM
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG15e9b1d0c0be: [libasan] Remove 4Mb stack limit for swapcontext unpoisoning.
itrofimow mentioned this in D137654: [runtimes][asan] Fix swapcontext interception.Nov 10 2022, 8:22 AM

Revision Contents

PathSize
compiler-rt/
lib/
asan/
10 lines
test/
asan/
TestCases/
Linux/
53 lines

Diff 447014

compiler-rt/lib/asan/asan_interceptors.cpp

Show First 20 LinesShow All 237 Lines▼ Show 20 LinesINTERCEPTOR(int, pthread_join, void *t, void **arg) {
return real_pthread_join(t, arg); return real_pthread_join(t, arg);
} }
DEFINE_REAL_PTHREAD_FUNCTIONS DEFINE_REAL_PTHREAD_FUNCTIONS
#endif // ASAN_INTERCEPT_PTHREAD_CREATE #endif // ASAN_INTERCEPT_PTHREAD_CREATE
#if ASAN_INTERCEPT_SWAPCONTEXT #if ASAN_INTERCEPT_SWAPCONTEXT
static void ClearShadowMemoryForContextStack(uptr stack, uptr ssize) { static void ClearShadowMemoryForContextStack(uptr stack, uptr ssize) {
// Only clear if we know the stack. This should be true only for contexts
// created with makecontext().
if (!ssize)
return;
// Align to page size. // Align to page size.
uptr PageSize = GetPageSizeCached(); uptr PageSize = GetPageSizeCached();
uptr bottom = RoundDownTo(stack, PageSize); uptr bottom = RoundDownTo(stack, PageSize);
if (!AddrIsInMem(bottom))
return;
ssize += stack - bottom; ssize += stack - bottom;
ssize = RoundUpTo(ssize, PageSize); ssize = RoundUpTo(ssize, PageSize);
static const uptr kMaxSaneContextStackSize = 1 << 22; // 4 Mb
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

It should probably a CHECK
e.g. CHECK_LE(ssize, 1<<28)

vitalybuka: It should probably a CHECK e.g. CHECK_LE(ssize, 1<<28)
if (AddrIsInMem(bottom) && ssize && ssize <= kMaxSaneContextStackSize)
PoisonShadow(bottom, ssize, 0); PoisonShadow(bottom, ssize, 0);
} }
INTERCEPTOR(int, getcontext, struct ucontext_t *ucp) { INTERCEPTOR(int, getcontext, struct ucontext_t *ucp) {
// API does not requires to have ucp clean, and sets only part of fields. We // API does not requires to have ucp clean, and sets only part of fields. We
// use ucp->uc_stack to unpoison new stack. We prefer to have zeroes then // use ucp->uc_stack to unpoison new stack. We prefer to have zeroes then
// uninitialized bytes. // uninitialized bytes.
ResetContextStack(ucp); ResetContextStack(ucp);
return REAL(getcontext)(ucp); return REAL(getcontext)(ucp);
▲ Show 20 LinesShow All 461 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Linux/swapcontext_annotation.cpp

Show First 20 LinesShow All 59 Lines▼ Show 20 Linesvoid NextChild() {
printf("NextChild from: %p %zu\n", from_stack, from_stacksize); printf("NextChild from: %p %zu\n", from_stack, from_stacksize);
char x[32] = {0}; // Stack gets poisoned. char x[32] = {0}; // Stack gets poisoned.
printf("NextChild: %p\n", x); printf("NextChild: %p\n", x);
CallNoReturn(); CallNoReturn();
__sanitizer_start_switch_fiber(nullptr, main_thread_stack, __sanitizer_start_switch_fiber(nullptr, main_thread_stack,
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I moved formatting into a separate patch

vitalybuka: I moved formatting into a separate patch
main_thread_stacksize); main_thread_stacksize);
CallNoReturn(); CallNoReturn();
if (swapcontext(&next_child_context, &orig_context) < 0) { if (swapcontext(&next_child_context, &orig_context) < 0) {
perror("swapcontext"); perror("swapcontext");
_exit(1); _exit(1);
} }
} }
▲ Show 20 LinesShow All 64 Lines▼ Show 20 Linesint Run(int arg, int mode, char *child_stack) {
// Touch childs's stack to make sure it's unpoisoned. // Touch childs's stack to make sure it's unpoisoned.
for (int i = 0; i < kStackSize; i++) { for (int i = 0; i < kStackSize; i++) {
child_stack[i] = i; child_stack[i] = i;
} }
return child_stack[arg]; return child_stack[arg];
} }
ucontext_t orig_huge_stack_context;
ucontext_t child_huge_stack_context;
// There used to be a limitation for stack unpoisoning (size <= 4Mb), check that it's gone.
const int kHugeStackSize = 1 << 23;
void ChildHugeStack() {
__sanitizer_finish_switch_fiber(nullptr, &main_thread_stack,
&main_thread_stacksize);
char x[32] = {0}; // Stack gets poisoned.
__sanitizer_start_switch_fiber(nullptr, main_thread_stack,
main_thread_stacksize);
if (swapcontext(&child_huge_stack_context, &orig_huge_stack_context) < 0) {
perror("swapcontext");
_exit(1);
}
}
void DoRunHugeStack(char *child_stack) {
getcontext(&child_huge_stack_context);
child_huge_stack_context.uc_stack.ss_sp = child_stack;
child_huge_stack_context.uc_stack.ss_size = kHugeStackSize;
makecontext(&child_huge_stack_context, (void (*)())ChildHugeStack, 0);
void *fake_stack_save;
__sanitizer_start_switch_fiber(&fake_stack_save,
child_huge_stack_context.uc_stack.ss_sp,
child_huge_stack_context.uc_stack.ss_size);
if (swapcontext(&orig_huge_stack_context, &child_huge_stack_context) < 0) {
perror("swapcontext");
_exit(1);
}
__sanitizer_finish_switch_fiber(
fake_stack_save, (const void **)&child_huge_stack_context.uc_stack.ss_sp,
&child_huge_stack_context.uc_stack.ss_size);
for (int i = 0; i < kHugeStackSize; ++i) {
child_stack[i] = i;
}
}
void RunHugeStack() {
const int run_offset = 1 << 14;
char *heap = new char[kHugeStackSize + run_offset + 1];
DoRunHugeStack(heap);
DoRunHugeStack(heap + run_offset);
DoRunHugeStack(heap);
delete[] heap;
}
void handler(int sig) { CallNoReturn(); } void handler(int sig) { CallNoReturn(); }
int main(int argc, char **argv) { int main(int argc, char **argv) {
// CHECK: WARNING: ASan doesn't fully support makecontext/swapcontext
// CHECK-NOT: ASan is ignoring requested __asan_handle_no_return
RunHugeStack();
// set up a signal that will spam and trigger __asan_handle_no_return at // set up a signal that will spam and trigger __asan_handle_no_return at
// tricky moments // tricky moments
struct sigaction act = {}; struct sigaction act = {};
act.sa_handler = &handler; act.sa_handler = &handler;
if (sigaction(SIGPROF, &act, 0)) { if (sigaction(SIGPROF, &act, 0)) {
perror("sigaction"); perror("sigaction");
_exit(1); _exit(1);
} }
itimerval t; itimerval t;
t.it_interval.tv_sec = 0; t.it_interval.tv_sec = 0;
t.it_interval.tv_usec = 10; t.it_interval.tv_usec = 10;
t.it_value = t.it_interval; t.it_value = t.it_interval;
if (setitimer(ITIMER_PROF, &t, 0)) { if (setitimer(ITIMER_PROF, &t, 0)) {
perror("setitimer"); perror("setitimer");
_exit(1); _exit(1);
} }
char *heap = new char[kStackSize + 1]; char *heap = new char[kStackSize + 1];
next_child_stack = new char[kStackSize + 1]; next_child_stack = new char[kStackSize + 1];
char stack[kStackSize + 1]; char stack[kStackSize + 1];
// CHECK: WARNING: ASan doesn't fully support makecontext/swapcontext
int ret = 0; int ret = 0;
// CHECK-NOT: ASan is ignoring requested __asan_handle_no_return // CHECK-NOT: ASan is ignoring requested __asan_handle_no_return
for (unsigned int i = 0; i < 30; ++i) { for (unsigned int i = 0; i < 30; ++i) {
ret += Run(argc - 1, 0, stack); ret += Run(argc - 1, 0, stack);
// LOOPCHECK: Child stack: [[CHILD_STACK:0x[0-9a-f]*]] // LOOPCHECK: Child stack: [[CHILD_STACK:0x[0-9a-f]*]]
// LOOPCHECK: Main context from: [[CHILD_STACK]] 524288 // LOOPCHECK: Main context from: [[CHILD_STACK]] 524288
ret += Run(argc - 1, 1, stack); ret += Run(argc - 1, 1, stack);
// LOOPCHECK: Child stack: [[CHILD_STACK:0x[0-9a-f]*]] // LOOPCHECK: Child stack: [[CHILD_STACK:0x[0-9a-f]*]]
Show All 20 Lines