Isn't this redundant? __annotate_short_string_check() already checks this.

The indentation is wrong.

I think the annotations in __grow_by are wrong. Since __grow_by doesn't change the size of the string, it should annotate the memory to be __old_sz large, not that all the memory is available. That should fix the inconsistency here. Then you can just call __null_terminate_at before traits_type::assign and everything should be working properly. This would then also catch problems in a user-defined traits_type::assign.

All these checks are libc++-specific, so we should mark them that way.

But for long strings it also has to be checked, as every string is long during constant evaluation.

bool __is_long() const _NOEXCEPT {
    if (__libcpp_is_constant_evaluated())
        return true;

It has to be checked here and we cannot wait until the check in __annotate_contiguous_container, because during constant evaluation, next line would rise cannot perform pointer arithmetic on null pointer.

I don't want to remove it from __annotate_short_string_check(), because then returned values won't be correct.
And I don't want to remove it from __annotate_contiguous_container to make sure it can be simply called.
It also has no impact on performance.

Possibly it may be changed to __annotate_short_string_check() || (!__libcpp_is_constant_evaluated() && __is_long()), but I have a strong preference for current version, as that would suggest possibility of poisoning short string during constant evaluation.

Ugh... my original comment was correct, please ignore my previous response. Sorry for confusion.

Since __grow_by doesn't change the size of the string, it should annotate the memory to be __old_sz large, not that all the memory is available.

I agree, it makes more sense. I changed it. Now it works like that.

Btw. previous implementation didn't just unpoison whole memory. as __grow_by knows how many elements will be added, it unpoisoned exact number of bytes, so the buffer were ready.

The problem is with size value. In original implementation, __grow_by does not call __set_long_size, therefore if it's called in a short string, size value is no longer correct.

• I added a call to __set_long_size inside __grow_by.
• Fixed how it annotates buffers (1).
• I made minimal changes to functions using __grow_by (now diff with master is much smaller).

The real problem was later in __annotate_increace(n) called by __null_terminate_at, which requires a correct size value.

I see that my last patch failed, but it should be easy to fix, I had to make a mistake with updating some value.
Somewhere inside ::assign(size_type __n, value_type __c).

$ "/usr/bin/python3.10" "/home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/libcxx/test/../utils/run.py" "--execdir" "/home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/test/std/strings/basic.string/string.modifiers/string_assign/Output/size_char.pass.cpp.dir" "--" "/home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/test/std/strings/basic.string/string.modifiers/string_assign/Output/size_char.pass.cpp.dir/t.tmp.exe"
# command stderr:
AddressSanitizer: CHECK failed: asan_poisoning.cpp:454 "((*(u8 *)MemToShadow(a))) == ((0))" (0x2, 0x0) (tid=354701)
    #0 0x5651a5546f51 in __asan::CheckUnwind() asan_rtl.cpp.o
    #1 0x5651a555ea32 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) (/home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/test/std/strings/basic.string/string.modifiers/string_assign/Output/size_char.pass.cpp.dir/t.tmp.exe+0xdaa32) (BuildId: 05ded1d03f29cb11827d1b47b24d2ce97422315a)
    #2 0x5651a55402ca in __sanitizer_annotate_contiguous_container (/home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/test/std/strings/basic.string/string.modifiers/string_assign/Output/size_char.pass.cpp.dir/t.tmp.exe+0xbc2ca) (BuildId: 05ded1d03f29cb11827d1b47b24d2ce97422315a)
    #3 0x5651a557cfbb in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__annotate_contiguous_container[abi:v170000](void const*, void const*, void const*, void const*) const /home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/include/c++/v1/string:1841:11
    #4 0x5651a557f60a in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__annotate_shrink[abi:v170000](unsigned long) const /home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/include/c++/v1/string:1874:9
    #5 0x5651a557c32d in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::__null_terminate_at[abi:v170000](char*, unsigned long) /home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/include/c++/v1/string:2050:9
    #6 0x5651a557b48f in std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>::assign(unsigned long, char) /home/libcxx-builder/.buildkite-agent/builds/356fcbab9cbd-1/llvm-project/libcxx-ci/build/generic-asan/include/c++/v1/string:2608:12

In general, ASan does accept false positives in situation when part of the program is compiled without ASan. That may happen with std::vector annotations already. But minimizing the risk of it is a good course of action.
I agree that a separate built is the goal solution. I think, it may work as a temporary solution and then be changed into a separate library built. What do you think?

But I understand if you disagree, just I'm also not sure what has to be changed here to add an ASan library build to llvm. What has to be done? Where should I look to learn it?
Please, let me know.

It's not necessary, I added it after discussion about problems ChromeOS had as another way to turn off annotations more granularly. However, I believe that D145628 already answers that problem. Removed it.

I believe this means that -fsanitize=address would have to cause a different libc++.dylib to be linked. So for example, the driver would add e.g. -l c++asan instead of -l c++, and we would have to produce libc++asan.dylib in addition to libc++.dylib. That's not a small change though, since it seems like this might be the first time a sanitizer has an effect on the version of libc++ we have to link against. But it might be the right way to go (probably the only way to go, really). In practice, disabling extern templates like this is only going to give users the impression that things work and then they will run into issues.

CC @vitalybuka

Would __annotate_short_string_check be better called something like __short_string_is_annotated()?

Isn't that a pre-existing problem that should be fixed in its own patch?

I feel like this function would be a lot simpler if we instead called __annotate_contiguous_container directly, no?

This whole set of changes feels kind of clunky. Why don't we annotate delete and then annotate new instead? Wouldn't that get rid of the special this check?

I created a separate revision with that change: D148693
I will remove it from this patch in the next update.

I changed it to __asan_short_string_is_annotated, but I don't fully like those names. I added asan so it is clear what kind of annotations are [not] there.

I do not think so, and I don't like the idea of calling __annotate_contiguous_container directly, but I did improve the function a lot. Hope it's ok now.

No, it wouldn't. Here we are working on __str and not *this. We cannot __annotate_delete __str, if it's long because we would have to annotate whole string every time (big performance hit and stil check).

We also shouldn't call __annotate_delete on *this and __str if those are the same objects.

So, the check would be just earlier. Or maybe I don't see something here?

@vitalybuka do you have any suggestion how to implement it?

Btw. a separate dylib may help with issue described here: https://github.com/llvm/llvm-project/issues/62431 (not sure, tho).

Hey @ldionne,
could you tell me where I should look to modify it? I don't really know how to start working on that change and I believe, it's the only missing part after landing D148693. I would appreciate letting me know at what files I should look first.

Btw. it won't affect the issue mentioned above.

I think we would want to start with a RFC on Discourse. This would be the first time that we introduce another shared library for libc++ and there are a few things to coordinate:

1. We need to build this new version of the library (do we do that with multiple CMake invocations or do we do like compiler-rt and allow building multiple libraries from a single invocation?)
2. We need to ship this library as part of the LLVM release and vendors need to also start shipping it with their own releases if they want -fsanitize=address to work
3. Do we need to also provide a -fsanitize=address version of other components in the LLVM stack? For example, if we ship another library that uses libc++ and we want it to work with -fsanitize=address, we would likely need to provide a sanitized version of it or else if e.g. a std::string is created inside that component and passed to another component that was compiled with -fsanitize=address, then you'd get a mismatch.

So this is unfortunately kind of involved, but I think knowing how to do this would benefit us since we have similar needs for other efforts. For example, it would be conceivable to ship an unstable-ABI version of the library, and a hardened version as well, and doing that would follow the exact same steps.

I believe this means that -fsanitize=address would have to cause a different libc++.dylib to be linked. So for example, the driver would add e.g. -l c++asan instead of -l c++, and we would have to produce libc++asan.dylib in addition to libc++.dylib. That's not a small change though, since it seems like this might be the first time a sanitizer has an effect on the version of libc++ we have to link against. But it might be the right way to go (probably the only way to go, really). In practice, disabling extern templates like this is only going to give users the impression that things work and then they will run into issues.

For msan, tsan, instrumented libc++ was requirement all the time.
For asan, hwasan it's highly recommended.

For all use-case I work, we do that on build system level.
Our sanitizer*bootstrap build bots do that as well.

It would be nice if libc++ is shipped with each version. Sometimes additional flags may affect behavior of sanitizer, but even version instrumented with default flags will be useful.

CC @vitalybuka

@vitalybuka do you have any suggestion how to implement it?

I don't have specific thoughts on how to implemented.
I guess libc++ could install all sanitized versions with some prefixes: asan/msan/tsan/hwasan
Then the driver will pick one to link.

Btw. a separate dylib may help with issue described here: https://github.com/llvm/llvm-project/issues/62431 (not sure, tho).

I believe this means that -fsanitize=address would have to cause a different libc++.dylib to be linked. So for example, the driver would add e.g. -l c++asan instead of -l c++, and we would have to produce libc++asan.dylib in addition to libc++.dylib. That's not a small change though, since it seems like this might be the first time a sanitizer has an effect on the version of libc++ we have to link against. But it might be the right way to go (probably the only way to go, really). In practice, disabling extern templates like this is only going to give users the impression that things work and then they will run into issues.

CC @vitalybuka

I think we would want to start with a RFC on Discourse. This would be the first time that we introduce another shared library for libc++ and there are a few things to coordinate:

1. We need to build this new version of the library (do we do that with multiple CMake invocations or do we do like compiler-rt and allow building multiple libraries from a single invocation?)

Single invocation would be nice, as it's better scale on other sanitizers.

2. We need to ship this library as part of the LLVM release and vendors need to also start shipping it with their own releases if they want -fsanitize=address to work

please include msan/hwasan/tsan versions into the plan

lsan/ubsan do not needed special libc++.
dfsan is close to msan, but it's very specific tool, so we can skip for now.

Created a RFC: https://discourse.llvm.org/t/rfc-instrumented-versions-of-libc-for-different-sanitizers/71653

Who can I/should I ping there? Who can I ping from vendors?

The issue described above is addressed in D148693 and solved by rG6a9c41fdd4ca834a46fd866278c90a35f2375333. This revision has to be updated. Now the size is correct after __grow_by_without_replace.