This is an archive of the discontinued LLVM Phabricator instance.

Differential D138095

[asan] Keep Itanium mangled names in global metadata
ClosedPublic

Authored by MaskRay on Nov 15 2022, 11:22 PM.

Details

Reviewers
hctim
kstoimenov
vitalybuka
Group Reviewers
Restricted Project
Commits
rG00be3578e084: [asan] Keep Itanium mangled names in global metadata
Summary

The runtime calls MaybeDemangleGlobalName for error reporting and
__cxxabiv1::__cxa_demangle is called if available, so demanging Itanium
mangled names in global metadata is unnecessary and wastes data size.

Add MaybeDemangleGlobalName in ODR violation detection to support demangled
names in a suppressions file. MaybeDemangleGlobalName may call
DemangleCXXABI and leak memory. Use an internal allocation to prevent lsan
leak (in case there is no fatal asan error).

The debug feature report_globals=2 prints information for all instrumented
global variables. MaybeDemangleGlobalName would be slow, so don't do that.
The output looks like Added Global[0x56448f092d60]: beg=0x56448fa66d60 size=4/32 name=_ZL13test_global_2
and I think the mangled name is fine.

Other mangled schemes e.g. Windows (see win-string-literal.ll) remain the
current behavior.

Diff Detail

Event Timeline

MaskRay created this revision.Nov 15 2022, 11:22 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 15 2022, 11:22 PM
Herald added subscribers: Enna1, StephenFan, hiraditya. · View Herald Transcript
MaskRay requested review of this revision.Nov 15 2022, 11:22 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptNov 15 2022, 11:22 PM
Herald added a subscriber: llvm-commits. · View Herald Transcript
Harbormaster completed remote builds in B197911: Diff 475695.Nov 16 2022, 12:19 AM
MaskRay updated this revision to Diff 475711.Nov 16 2022, 12:32 AM

always keep original name for __odr_gen_asan_

Harbormaster completed remote builds in B197926: Diff 475711.Nov 16 2022, 1:35 AM
hctim accepted this revision as: hctim.Nov 16 2022, 10:37 AM

couple nits, otherwise lgtm

compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
49–62

Can you maybe update this entire fixme?

Looks like all the current callers would be tolerant to a function-local static buffer, but this feels like a gunfoot, so I guess we'll continue to leak the memory, unless you also want to go ahead and create an InternalAlloc-RAII-wrapper class and patch up the callers.

FIXME: This pointer currently leaks in the callers, but we specifically copy the demangled contents into an InternalAlloc so that LSan doesn't see a leak from the malloc() done by cxa_demangle.

55

nit: if you're here, can you change these parameters to nullptr?

This revision is now accepted and ready to land.Nov 16 2022, 10:37 AM
MaskRay updated this revision to Diff 475882.Nov 16 2022, 11:22 AM
MaskRay marked 2 inline comments as done.

address comments

Thanks for the comment suggestion!

dblaikie added a subscriber: dblaikie.Nov 16 2022, 11:30 AM

Huh, fascinating - so we used the unmangled name as a symbol name, punctuation, spaces, and all?

(interesting to know that sanitizers end up with their own copies of mangled names too - another thing we could consider deduplicating/maybe sharing with some debug info/symbol table reductions at some point (I guess if we just simplify mangled names enough - use hashes, etc, this'd fall out naturally for the sanitizers (though all demanglers would need to have access to some side table of hash->mangled name table, which I guess sanitizers need at runtime, so couldn't be dropped during linking (previously had considered this strategy since the linker would need to produce good diagnostics - but I guess runtime symbolizers need useful symbol names too, etc)))

Harbormaster completed remote builds in B198042: Diff 475882.Nov 16 2022, 12:06 PM
hctim added a comment.Nov 16 2022, 12:25 PM
In D138095#3931484, @dblaikie wrote:

Huh, fascinating - so we used the unmangled name as a symbol name, punctuation, spaces, and all?

(interesting to know that sanitizers end up with their own copies of mangled names too - another thing we could consider deduplicating/maybe sharing with some debug info/symbol table reductions at some point (I guess if we just simplify mangled names enough - use hashes, etc, this'd fall out naturally for the sanitizers (though all demanglers would need to have access to some side table of hash->mangled name table, which I guess sanitizers need at runtime, so couldn't be dropped during linking (previously had considered this strategy since the linker would need to produce good diagnostics - but I guess runtime symbolizers need useful symbol names too, etc)))

nice triple-nested parenthetical thought!

yes - this is a room for opportunity :). i think the major thing that would need to happen is for llvm-symbolizer to be able to symbolize an address half way through a GV (although it may be possible to find the start pointer using the sanitizer metadata).

MaskRay added a comment.EditedNov 16 2022, 12:34 PM
In D138095#3931582, @hctim wrote:
In D138095#3931484, @dblaikie wrote:

Huh, fascinating - so we used the unmangled name as a symbol name, punctuation, spaces, and all?

(interesting to know that sanitizers end up with their own copies of mangled names too - another thing we could consider deduplicating/maybe sharing with some debug info/symbol table reductions at some point (I guess if we just simplify mangled names enough - use hashes, etc, this'd fall out naturally for the sanitizers (though all demanglers would need to have access to some side table of hash->mangled name table, which I guess sanitizers need at runtime, so couldn't be dropped during linking (previously had considered this strategy since the linker would need to produce good diagnostics - but I guess runtime symbolizers need useful symbol names too, etc)))

nice triple-nested parenthetical thought!

yes - this is a room for opportunity :). i think the major thing that would need to happen is for llvm-symbolizer to be able to symbolize an address half way through a GV (although it may be possible to find the start pointer using the sanitizer metadata).

Yes, definitely room for improvement. The instrumentation - runtime protocol is more private than DWARF debug information (which has more consumers and therefore has more restriction on things like string table usage.)
In some operating systems that adopt .ctf, I think .ctf just reuses the ELF symbol table .symtab and .strtab, resulting in some saving. (This is some work going on in binutils, but I don't actively keep an eye on it.)

The compression+hash idea has been deployed elsewhere in llvm-project.
In instrumentaiton-based PGO, __llvm_prf_nm uses compressed content with hashes indexing into it. If asan is happy with requiring a non-SHF_ALLOC section for symbolization: we can use a generalized --compress-debug-sections= : https://sourceware.org/bugzilla/show_bug.cgi?id=27452

This revision was landed with ongoing or failed builds.Nov 18 2022, 5:06 PM
Closed by commit rG00be3578e084: [asan] Keep Itanium mangled names in global metadata (authored by MaskRay). · Explain Why
This revision was automatically updated to reflect the committed changes.
MaskRay added a commit: rG00be3578e084: [asan] Keep Itanium mangled names in global metadata.
gulfem added a subscriber: gulfem.Nov 21 2022, 11:00 AM

We started seeing the following test failures.

Failed Tests (8):
  AddressSanitizer-x86_64-linux :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location.cpp

https://luci-milo.appspot.com/ui/p/fuchsia/builders/toolchain.ci/clang-linux-x64/b8797107374001425041/overview

The error is message from global-demangle.cpp is as the following:

FAIL: AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp (560 of 12394)
******************** TEST 'AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';      /b/s/w/ir/x/w/staging/llvm_build/./bin/clang  --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -O0 /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp -o /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp && not  /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp 2>&1 | FileCheck /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp
--
Exit Code: 1

Command Output (stderr):
--
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:15:12: error: CHECK: expected string not found in input
 // CHECK: '{{.*}}XXX::YYY::ZZZ{{.*}}' {{.*}} of size 4
           ^
<stdin>:8:56: note: scanning from here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                       ^
<stdin>:8:165: note: possible intended match here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                                                                                                                                    ^

Input file: <stdin>
Check file: /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp

-dump-input=help explains the following input dump.

Input was:
<<<<<<
            1: ================================================================= 
            2: ==315196==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561bdea237e6 at pc 0x561bdea15d7e bp 0x7ffda4270b00 sp 0x7ffda4270af8 
            3: READ of size 1 at 0x561bdea237e6 thread T0 
            4:  #0 0x561bdea15d7d in main /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 
            5:  #1 0x7fe9bc8a1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: 814ca45fb917d1b757796ff5f456237c263711c7) 
            6:  #2 0x561bde940339 in _start (/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp+0x59339) (BuildId: 4e75c435413f2362) 
            7:  
            8: 0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4 
check:15'0                                                            X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
check:15'1                                                                                                                                                                         ?                                   possible intended match
            9:  '_ZN3XXX3YYY3ZZZE' is ascii string 'abc' 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           10: SUMMARY: AddressSanitizer: global-buffer-overflow /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 in main 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           11: Shadow bytes around the buggy address: 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           12:  0x561bdea23500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           13:  0x561bdea23580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            .
            .
            .
>>>>>>
MaskRay added a comment.EditedNov 21 2022, 11:52 AM
In D138095#3941776, @gulfem wrote:

We started seeing the following test failures.

Failed Tests (8):
  AddressSanitizer-x86_64-linux :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location.cpp

https://luci-milo.appspot.com/ui/p/fuchsia/builders/toolchain.ci/clang-linux-x64/b8797107374001425041/overview

The error is message from global-demangle.cpp is as the following:

FAIL: AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp (560 of 12394)
******************** TEST 'AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';      /b/s/w/ir/x/w/staging/llvm_build/./bin/clang  --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -O0 /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp -o /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp && not  /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp 2>&1 | FileCheck /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp
--
Exit Code: 1

Command Output (stderr):
--
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:15:12: error: CHECK: expected string not found in input
 // CHECK: '{{.*}}XXX::YYY::ZZZ{{.*}}' {{.*}} of size 4
           ^
<stdin>:8:56: note: scanning from here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                       ^
<stdin>:8:165: note: possible intended match here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                                                                                                                                    ^

Input file: <stdin>
Check file: /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp

-dump-input=help explains the following input dump.

Input was:
<<<<<<
            1: ================================================================= 
            2: ==315196==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561bdea237e6 at pc 0x561bdea15d7e bp 0x7ffda4270b00 sp 0x7ffda4270af8 
            3: READ of size 1 at 0x561bdea237e6 thread T0 
            4:  #0 0x561bdea15d7d in main /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 
            5:  #1 0x7fe9bc8a1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: 814ca45fb917d1b757796ff5f456237c263711c7) 
            6:  #2 0x561bde940339 in _start (/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp+0x59339) (BuildId: 4e75c435413f2362) 
            7:  
            8: 0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4 
check:15'0                                                            X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
check:15'1                                                                                                                                                                         ?                                   possible intended match
            9:  '_ZN3XXX3YYY3ZZZE' is ascii string 'abc' 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           10: SUMMARY: AddressSanitizer: global-buffer-overflow /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 in main 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           11: Shadow bytes around the buggy address: 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           12:  0x561bdea23500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           13:  0x561bdea23580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            .
            .
            .
>>>>>>

I'll appreciate some debugging since other sanitizer bots seem fine? Does your build bot not link asan tests with libc++abi or libstdc++ which provides __cxa_demangle? Then a mangled name is expected.
I vaguely remember that Fuchsia does things somewhat differently.

MaskRay added a comment.Nov 21 2022, 12:07 PM

Perhaps you use -static-libstdc++ for both %dynamiclib and the main executable? Then there is no defined __cxa_demangle in the process.
I wonder whether a demangled name in odr-violation diagnostics is useful... Personally whether it is mangled/demangled doesn't concern me.

hctim added a comment.Nov 21 2022, 12:21 PM
In D138095#3941942, @MaskRay wrote:

I wonder whether a demangled name in odr-violation diagnostics is useful... Personally whether it is mangled/demangled doesn't concern me.

Given the amount of "what does this use-after-free report mean, stop bothering me" we get, I'm appreciate a demangled name because it likely reduces the amount of bug reports assigned to me ;).

MaskRay added a comment.Nov 21 2022, 12:24 PM
In D138095#3941961, @hctim wrote:
In D138095#3941942, @MaskRay wrote:

I wonder whether a demangled name in odr-violation diagnostics is useful... Personally whether it is mangled/demangled doesn't concern me.

Given the amount of "what does this use-after-free report mean, stop bothering me" we get, I'm appreciate a demangled name because it likely reduces the amount of bug reports assigned to me ;).

Thanks for the quick reply! Then I'll probably revert this patch and not consider reinstating it.

compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp uses an undefined weak __cxa_demangle which does not pull in an archive definition.
So a -static-libstdc++ mostly-statically executable won't get demangled names.

MaskRay mentioned this in rGdb7c82231c32: Restore global descriptor demangling after D138095 "[asan] Keep Itanium mangled….Nov 21 2022, 12:52 PM
zequanwu added a subscriber: zequanwu.EditedNov 22 2022, 3:08 PM

Hi, this causes two tests failure on mac.

Failed Tests (2):
   SanitizerCommon-tsan-x86_64-Darwin :: Darwin/symbolizer-function-offset-dladdr.cpp
   ThreadSanitizer-x86_64 :: Darwin/symbolizer-dladdr.cpp

https://reviews.llvm.org/rGdb7c82231c32074440d5426870051228435c6bce doesn't seem to fix the test because our cron job picks 57fd7ffe which includes it and failed on 3 tests:

Failed Tests (3):
   AddressSanitizer-x86_64-darwin :: TestCases/Darwin/interface_symbols_darwin.cpp
   SanitizerCommon-tsan-x86_64-Darwin :: Darwin/symbolizer-function-offset-dladdr.cpp
   ThreadSanitizer-x86_64 :: Darwin/symbolizer-dladdr.cpp

See https://bugs.chromium.org/p/chromium/issues/detail?id=1392533 for details. Please revert those two commits if it takes a while to fix.

MaskRay added a comment.Nov 22 2022, 3:19 PM
In D138095#3945190, @zequanwu wrote:

Hi, this causes two tests failure on mac.

Failed Tests (2):
   SanitizerCommon-tsan-x86_64-Darwin :: Darwin/symbolizer-function-offset-dladdr.cpp
   ThreadSanitizer-x86_64 :: Darwin/symbolizer-dladdr.cpp

https://reviews.llvm.org/rGdb7c82231c32074440d5426870051228435c6bce doesn't seem to fix the test because our cron job picks 57fd7ffe which includes it and failed on 3 tests:

Failed Tests (3):
   AddressSanitizer-x86_64-darwin :: TestCases/Darwin/interface_symbols_darwin.cpp
   SanitizerCommon-tsan-x86_64-Darwin :: Darwin/symbolizer-function-offset-dladdr.cpp
   ThreadSanitizer-x86_64 :: Darwin/symbolizer-dladdr.cpp

See https://bugs.chromium.org/p/chromium/issues/detail?id=1392533 for details. Please revert those two commits if it takes a while to fix.

I don't have a macOS to check issues but don't think the combination of 00be3578e0841dd9abe408e5b4946180de0bf46b+db7c82231c32074440d5426870051228435c6bce (which just changed a __cxa_demangle call site and the ODR indicator symbol name) can suppress a tsan failure).

compiler-rt/test/asan/TestCases/Darwin/interface_symbols_darwin.cpp looks like a test which is nearly impossible to investigate without a macOS though I don't think it has connection with this patch.

MaskRay added a comment.Nov 22 2022, 3:23 PM

The reverse of the combined commits is the following. Any chance you found the wrong culprit?

diff --git a/compiler-rt/lib/asan/asan_globals.cpp b/compiler-rt/lib/asan/asan_globals.cpp
index 2b4a9e01c8a3..b780128c9adb 100644
--- a/compiler-rt/lib/asan/asan_globals.cpp
+++ b/compiler-rt/lib/asan/asan_globals.cpp
@@ -151,4 +151,4 @@ static void CheckODRViolationViaIndicator(const Global *g) {
         !IsODRViolationSuppressed(g->name))
-      ReportODRViolation(g, FindRegistrationSite(g), l->g,
-                         FindRegistrationSite(l->g));
+      ReportODRViolation(g, FindRegistrationSite(g),
+                         l->g, FindRegistrationSite(l->g));
   }
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
index d505d96bd653..b223f6cd01e3 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
@@ -51,13 +51,8 @@ const char *DemangleCXXABI(const char *name) {
   // own demangler (libc++abi's implementation could be adapted so that
-  // it does not allocate). For now, we just call it anyway, and use
-  // InternalAlloc to prevent lsan error.
-  if (&__cxxabiv1::__cxa_demangle) {
-    if (char *demangled_name = __cxxabiv1::__cxa_demangle(name, 0, 0, 0)) {
-      size_t size = internal_strlen(demangled_name) + 1;
-      char *buf = (char *)InternalAlloc(size);
-      internal_memcpy(buf, demangled_name, size);
-      free(demangled_name);
-      return buf;
-    }
-  }
+  // it does not allocate). For now, we just call it anyway, and we leak
+  // the returned value.
+  if (&__cxxabiv1::__cxa_demangle)
+    if (const char *demangled_name =
+          __cxxabiv1::__cxa_demangle(name, 0, 0, 0))
+      return demangled_name;
 
diff --git a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
index a4d4cc73c482..ff05454aa920 100644
--- a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -2266,8 +2266,7 @@ bool ModuleAddressSanitizer::InstrumentGlobals(IRBuilder<> &IRB, Module &M,
 
-    // The runtime library tries demangling symbol names in the descriptor but
-    // functionality like __cxa_demangle may be unavailable (e.g.
-    // -static-libstdc++). So we demangle the symbol names here.
-    std::string NameForGlobal = G->getName().str();
+    // TODO: Symbol names in the descriptor can be demangled by the runtime
+    // library. This could save ~0.4% of VM size for a private large binary.
+    std::string NameForGlobal = llvm::demangle(G->getName().str());
     GlobalVariable *Name =
-        createPrivateGlobalForString(M, llvm::demangle(NameForGlobal),
+        createPrivateGlobalForString(M, NameForGlobal,
                                      /*AllowMerging*/ true, kAsanGenPrefix);
gulfem added a comment.Nov 22 2022, 3:53 PM
In D138095#3941913, @MaskRay wrote:
In D138095#3941776, @gulfem wrote:

We started seeing the following test failures.

Failed Tests (8):
  AddressSanitizer-x86_64-linux :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location.cpp

https://luci-milo.appspot.com/ui/p/fuchsia/builders/toolchain.ci/clang-linux-x64/b8797107374001425041/overview

The error is message from global-demangle.cpp is as the following:

FAIL: AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp (560 of 12394)
******************** TEST 'AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';      /b/s/w/ir/x/w/staging/llvm_build/./bin/clang  --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -O0 /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp -o /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp && not  /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp 2>&1 | FileCheck /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp
--
Exit Code: 1

Command Output (stderr):
--
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:15:12: error: CHECK: expected string not found in input
 // CHECK: '{{.*}}XXX::YYY::ZZZ{{.*}}' {{.*}} of size 4
           ^
<stdin>:8:56: note: scanning from here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                       ^
<stdin>:8:165: note: possible intended match here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                                                                                                                                    ^

Input file: <stdin>
Check file: /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp

-dump-input=help explains the following input dump.

Input was:
<<<<<<
            1: ================================================================= 
            2: ==315196==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561bdea237e6 at pc 0x561bdea15d7e bp 0x7ffda4270b00 sp 0x7ffda4270af8 
            3: READ of size 1 at 0x561bdea237e6 thread T0 
            4:  #0 0x561bdea15d7d in main /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 
            5:  #1 0x7fe9bc8a1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: 814ca45fb917d1b757796ff5f456237c263711c7) 
            6:  #2 0x561bde940339 in _start (/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp+0x59339) (BuildId: 4e75c435413f2362) 
            7:  
            8: 0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4 
check:15'0                                                            X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
check:15'1                                                                                                                                                                         ?                                   possible intended match
            9:  '_ZN3XXX3YYY3ZZZE' is ascii string 'abc' 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           10: SUMMARY: AddressSanitizer: global-buffer-overflow /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 in main 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           11: Shadow bytes around the buggy address: 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           12:  0x561bdea23500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           13:  0x561bdea23580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            .
            .
            .
>>>>>>

I'll appreciate some debugging since other sanitizer bots seem fine? Does your build bot not link asan tests with libc++abi or libstdc++ which provides __cxa_demangle? Then a mangled name is expected.
I vaguely remember that Fuchsia does things somewhat differently.

After https://reviews.llvm.org/rGdb7c82231c32074440d5426870051228435c6bce, we do not see the test asan test failures anymore.
Are you planning to reland this patch or did you abandon it? We encountered the issue while building the Fuchsia toolchain for the host (Linux), and these tests failed on Linux, not Fuchsia.

zequanwu added a comment.Nov 22 2022, 3:55 PM
In D138095#3945215, @MaskRay wrote:

The reverse of the combined commits is the following. Any chance you found the wrong culprit?

diff --git a/compiler-rt/lib/asan/asan_globals.cpp b/compiler-rt/lib/asan/asan_globals.cpp
index 2b4a9e01c8a3..b780128c9adb 100644
--- a/compiler-rt/lib/asan/asan_globals.cpp
+++ b/compiler-rt/lib/asan/asan_globals.cpp
@@ -151,4 +151,4 @@ static void CheckODRViolationViaIndicator(const Global *g) {
         !IsODRViolationSuppressed(g->name))
-      ReportODRViolation(g, FindRegistrationSite(g), l->g,
-                         FindRegistrationSite(l->g));
+      ReportODRViolation(g, FindRegistrationSite(g),
+                         l->g, FindRegistrationSite(l->g));
   }
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
index d505d96bd653..b223f6cd01e3 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp
@@ -51,13 +51,8 @@ const char *DemangleCXXABI(const char *name) {
   // own demangler (libc++abi's implementation could be adapted so that
-  // it does not allocate). For now, we just call it anyway, and use
-  // InternalAlloc to prevent lsan error.
-  if (&__cxxabiv1::__cxa_demangle) {
-    if (char *demangled_name = __cxxabiv1::__cxa_demangle(name, 0, 0, 0)) {
-      size_t size = internal_strlen(demangled_name) + 1;
-      char *buf = (char *)InternalAlloc(size);
-      internal_memcpy(buf, demangled_name, size);
-      free(demangled_name);
-      return buf;
-    }
-  }
+  // it does not allocate). For now, we just call it anyway, and we leak
+  // the returned value.
+  if (&__cxxabiv1::__cxa_demangle)
+    if (const char *demangled_name =
+          __cxxabiv1::__cxa_demangle(name, 0, 0, 0))
+      return demangled_name;
 
diff --git a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
index a4d4cc73c482..ff05454aa920 100644
--- a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -2266,8 +2266,7 @@ bool ModuleAddressSanitizer::InstrumentGlobals(IRBuilder<> &IRB, Module &M,
 
-    // The runtime library tries demangling symbol names in the descriptor but
-    // functionality like __cxa_demangle may be unavailable (e.g.
-    // -static-libstdc++). So we demangle the symbol names here.
-    std::string NameForGlobal = G->getName().str();
+    // TODO: Symbol names in the descriptor can be demangled by the runtime
+    // library. This could save ~0.4% of VM size for a private large binary.
+    std::string NameForGlobal = llvm::demangle(G->getName().str());
     GlobalVariable *Name =
-        createPrivateGlobalForString(M, llvm::demangle(NameForGlobal),
+        createPrivateGlobalForString(M, NameForGlobal,
                                      /*AllowMerging*/ true, kAsanGenPrefix);

I just manually double checked. At least this change causes these two tests(symbolizer-function-offset-dladdr.cpp and symbolizer-dladdr.cpp) to fail, not sure about interface_symbols_darwin.cpp.
I have a macbook and can help with debugging the tests.

MaskRay added a comment.Nov 22 2022, 3:56 PM
In D138095#3945279, @gulfem wrote:
In D138095#3941913, @MaskRay wrote:
In D138095#3941776, @gulfem wrote:

We started seeing the following test failures.

Failed Tests (8):
  AddressSanitizer-x86_64-linux :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux :: TestCases/global-location.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/Linux/odr-violation.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-demangle.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location-nodebug.cpp
  AddressSanitizer-x86_64-linux-dynamic :: TestCases/global-location.cpp

https://luci-milo.appspot.com/ui/p/fuchsia/builders/toolchain.ci/clang-linux-x64/b8797107374001425041/overview

The error is message from global-demangle.cpp is as the following:

FAIL: AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp (560 of 12394)
******************** TEST 'AddressSanitizer-x86_64-linux :: TestCases/global-demangle.cpp' FAILED ********************
Script:
--
: 'RUN: at line 1';      /b/s/w/ir/x/w/staging/llvm_build/./bin/clang  --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only   -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta   -O0 /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp -o /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp && not  /b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp 2>&1 | FileCheck /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp
--
Exit Code: 1

Command Output (stderr):
--
/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:15:12: error: CHECK: expected string not found in input
 // CHECK: '{{.*}}XXX::YYY::ZZZ{{.*}}' {{.*}} of size 4
           ^
<stdin>:8:56: note: scanning from here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                       ^
<stdin>:8:165: note: possible intended match here
0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4
                                                                                                                                                                    ^

Input file: <stdin>
Check file: /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp

-dump-input=help explains the following input dump.

Input was:
<<<<<<
            1: ================================================================= 
            2: ==315196==ERROR: AddressSanitizer: global-buffer-overflow on address 0x561bdea237e6 at pc 0x561bdea15d7e bp 0x7ffda4270b00 sp 0x7ffda4270af8 
            3: READ of size 1 at 0x561bdea237e6 thread T0 
            4:  #0 0x561bdea15d7d in main /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 
            5:  #1 0x7fe9bc8a1d09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x23d09) (BuildId: 814ca45fb917d1b757796ff5f456237c263711c7) 
            6:  #2 0x561bde940339 in _start (/b/s/w/ir/x/w/staging/llvm_build/runtimes/runtimes-x86_64-unknown-linux-gnu-bins/compiler-rt/test/asan/X86_64LinuxConfig/TestCases/Output/global-demangle.cpp.tmp+0x59339) (BuildId: 4e75c435413f2362) 
            7:  
            8: 0x561bdea237e6 is located 2 bytes after global variable '_ZN3XXX3YYY3ZZZE' defined in '/b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp' (0x561bdea237e0) of size 4 
check:15'0                                                            X~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ error: no match found
check:15'1                                                                                                                                                                         ?                                   possible intended match
            9:  '_ZN3XXX3YYY3ZZZE' is ascii string 'abc' 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           10: SUMMARY: AddressSanitizer: global-buffer-overflow /b/s/w/ir/x/w/llvm-llvm-project/compiler-rt/test/asan/TestCases/global-demangle.cpp:12:15 in main 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           11: Shadow bytes around the buggy address: 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           12:  0x561bdea23500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
           13:  0x561bdea23580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
check:15'0     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
            .
            .
            .
>>>>>>

I'll appreciate some debugging since other sanitizer bots seem fine? Does your build bot not link asan tests with libc++abi or libstdc++ which provides __cxa_demangle? Then a mangled name is expected.
I vaguely remember that Fuchsia does things somewhat differently.

After https://reviews.llvm.org/rGdb7c82231c32074440d5426870051228435c6bce, we do not see the test asan test failures anymore.
Are you planning to reland this patch or did you abandon it? We encountered the issue while building the Fuchsia toolchain for the host (Linux), and these tests failed on Linux, not Fuchsia.

Thanks for checking. db7c82231c32074440d5426870051228435c6bce restored the original behavior and I do not plan to reland the demangling part of the patch (infeasible since -fsanitize=address user may not link in libc++abi/libstdc++).

MaskRay added a reverting change: rG06c74b5e7367: Revert D138095 Use InernalAlloc in DemangleCXXABI.Nov 22 2022, 4:29 PM
MaskRay added a comment.Nov 22 2022, 4:33 PM

Reverted it for now. Debugged a bit using @zequanwu's macOS, running a test under lldb said that free(demangled_name) in compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp segfaulted.
This is really puzzling. It's a standard practice to call free on __cxxabiv1::__cxa_demangle allocated string (realloc under the hood). Both realloc/free are intercepted by sanitizers.

MaskRay mentioned this in rG297a1830228a: [asan] Don't demangle __odr_asan_gen_* symbols.Nov 22 2022, 4:47 PM
MaskRay added a comment.Nov 22 2022, 4:51 PM

Will appreciate some help why macOS doesn't like free(demangled_name) in compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp ... This doesn't feel like a code issue to me.

Revision Contents

PathSize
compiler-rt/
lib/
asan/
8 lines
sanitizer_common/
17 lines
test/
asan/
TestCases/
Linux/
4 lines
llvm/
lib/
Transforms/
Instrumentation/
8 lines
test/
Instrumentation/
AddressSanitizer/
7 lines

Diff 476638

compiler-rt/lib/asan/asan_globals.cpp

Show First 20 LinesShow All 142 Lines▼ Show 20 Lines if (*odr_indicator == UNREGISTERED) {
*odr_indicator = REGISTERED; *odr_indicator = REGISTERED;
return; return;
} }
// If *odr_indicator is DEFINED, some module have already registered // If *odr_indicator is DEFINED, some module have already registered
// externally visible symbol with the same name. This is an ODR violation. // externally visible symbol with the same name. This is an ODR violation.
for (ListOfGlobals *l = list_of_all_globals; l; l = l->next) { for (ListOfGlobals *l = list_of_all_globals; l; l = l->next) {
if (g->odr_indicator == l->g->odr_indicator && if (g->odr_indicator == l->g->odr_indicator &&
(flags()->detect_odr_violation >= 2 || g->size != l->g->size) && (flags()->detect_odr_violation >= 2 || g->size != l->g->size) &&
!IsODRViolationSuppressed(g->name)) !IsODRViolationSuppressed(MaybeDemangleGlobalName(g->name)))
ReportODRViolation(g, FindRegistrationSite(g), ReportODRViolation(g, FindRegistrationSite(g), l->g,
l->g, FindRegistrationSite(l->g)); FindRegistrationSite(l->g));
} }
} }
// Check ODR violation for given global G by checking if it's already poisoned. // Check ODR violation for given global G by checking if it's already poisoned.
// We use this method in case compiler doesn't use private aliases for global // We use this method in case compiler doesn't use private aliases for global
// variables. // variables.
static void CheckODRViolationViaPoisoning(const Global *g) { static void CheckODRViolationViaPoisoning(const Global *g) {
if (__asan_region_is_poisoned(g->beg, g->size_with_redzone)) { if (__asan_region_is_poisoned(g->beg, g->size_with_redzone)) {
// This check may not be enough: if the first global is much larger // This check may not be enough: if the first global is much larger
// the entire redzone of the second global may be within the first global. // the entire redzone of the second global may be within the first global.
for (ListOfGlobals *l = list_of_all_globals; l; l = l->next) { for (ListOfGlobals *l = list_of_all_globals; l; l = l->next) {
if (g->beg == l->g->beg && if (g->beg == l->g->beg &&
(flags()->detect_odr_violation >= 2 || g->size != l->g->size) && (flags()->detect_odr_violation >= 2 || g->size != l->g->size) &&
!IsODRViolationSuppressed(g->name)) !IsODRViolationSuppressed(MaybeDemangleGlobalName(g->name)))
ReportODRViolation(g, FindRegistrationSite(g), ReportODRViolation(g, FindRegistrationSite(g),
l->g, FindRegistrationSite(l->g)); l->g, FindRegistrationSite(l->g));
} }
} }
} }
// Clang provides two different ways for global variables protection: // Clang provides two different ways for global variables protection:
// it can poison the global itself or its private alias. In former // it can poison the global itself or its private alias. In former
▲ Show 20 LinesShow All 285 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_symbolizer_posix_libcdep.cpp

Show All 40 Linesnamespace __cxxabiv1 {
char *__cxa_demangle(const char *mangled, char *buffer, char *__cxa_demangle(const char *mangled, char *buffer,
size_t *length, int *status); size_t *length, int *status);
} }
namespace __sanitizer { namespace __sanitizer {
// Attempts to demangle the name via __cxa_demangle from __cxxabiv1. // Attempts to demangle the name via __cxa_demangle from __cxxabiv1.
const char *DemangleCXXABI(const char *name) { const char *DemangleCXXABI(const char *name) {
// FIXME: __cxa_demangle aggressively insists on allocating memory. // FIXME: __cxa_demangle aggressively insists on allocating memory.
// There's not much we can do about that, short of providing our // There's not much we can do about that, short of providing our
// own demangler (libc++abi's implementation could be adapted so that // own demangler (libc++abi's implementation could be adapted so that
// it does not allocate). For now, we just call it anyway, and we leak // it does not allocate). For now, we just call it anyway, and use
// the returned value. // InternalAlloc to prevent lsan error.
if (&__cxxabiv1::__cxa_demangle) if (&__cxxabiv1::__cxa_demangle) {
if (const char *demangled_name = if (char *demangled_name = __cxxabiv1::__cxa_demangle(name, 0, 0, 0)) {
hctimUnsubmitted
Done
ReplyInline Actions

nit: if you're here, can you change these parameters to nullptr?

hctim: nit: if you're here, can you change these parameters to `nullptr`?
__cxxabiv1::__cxa_demangle(name, 0, 0, 0)) size_t size = internal_strlen(demangled_name) + 1;
return demangled_name; char *buf = (char *)InternalAlloc(size);
internal_memcpy(buf, demangled_name, size);
free(demangled_name);
return buf;
}
}
hctimUnsubmitted
Done
ReplyInline Actions

Can you maybe update this entire fixme?

Looks like all the current callers would be tolerant to a function-local static buffer, but this feels like a gunfoot, so I guess we'll continue to leak the memory, unless you also want to go ahead and create an InternalAlloc-RAII-wrapper class and patch up the callers.

FIXME: This pointer currently leaks in the callers, but we specifically copy the demangled contents into an InternalAlloc so that LSan doesn't see a leak from the malloc() done by cxa_demangle.

hctim: Can you maybe update this entire fixme? Looks like all the current callers would be tolerant…
return name; return name;
} }
// As of now, there are no headers for the Swift runtime. Once they are // As of now, there are no headers for the Swift runtime. Once they are
// present, we will weakly link since we do not require Swift runtime to be // present, we will weakly link since we do not require Swift runtime to be
// linked. // linked.
typedef char *(*swift_demangle_ft)(const char *mangledName, typedef char *(*swift_demangle_ft)(const char *mangledName,
▲ Show 20 LinesShow All 445 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Linux/odr_indicators.cpp

// RUN: %clangxx_asan -fno-sanitize-address-use-odr-indicator -fPIC %s -o %t // RUN: %clangxx_asan -fno-sanitize-address-use-odr-indicator -fPIC %s -o %t
// RUN: %env_asan_opts=report_globals=2 %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK,INDICATOR0 // RUN: %env_asan_opts=report_globals=2 %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK,INDICATOR0
// RUN: %clangxx_asan -fsanitize-address-use-odr-indicator -fPIC %s -o %t // RUN: %clangxx_asan -fsanitize-address-use-odr-indicator -fPIC %s -o %t
// RUN: %env_asan_opts=report_globals=2 %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK,INDICATOR1 // RUN: %env_asan_opts=report_globals=2 %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK,INDICATOR1
#include <stdio.h> #include <stdio.h>
int test_global_1; int test_global_1;
// INDICATOR0-DAG: Added Global{{.*}} name=test_global_1{{.*}} odr_indicator={{0x0+$}} // INDICATOR0-DAG: Added Global{{.*}} name=test_global_1{{.*}} odr_indicator={{0x0+$}}
// INDICATOR1-DAG: Added Global{{.*}} name=test_global_1{{.*}} odr_indicator={{0x0*[^0]+.*$}} // INDICATOR1-DAG: Added Global{{.*}} name=test_global_1{{.*}} odr_indicator={{0x0*[^0]+.*$}}
static int test_global_2; static int test_global_2;
// CHECK-DAG: Added Global{{.*}} name=test_global_2{{.*}} odr_indicator={{0xf+$}} // CHECK-DAG: Added Global{{.*}} name=_ZL13test_global_2 {{.*}} odr_indicator={{0xf+$}}
namespace { namespace {
static int test_global_3; static int test_global_3;
// CHECK-DAG: Added Global{{.*}} name={{.*}}::test_global_3{{.*}} odr_indicator={{0xf+$}} // CHECK-DAG: Added Global{{.*}} name=_ZN12_GLOBAL__N_113test_global_3E {{.*}} odr_indicator={{0xf+$}}
} // namespace } // namespace
int main() { int main() {
const char f[] = "%d %d %d\n"; const char f[] = "%d %d %d\n";
// CHECK-DAG: Added Global{{.*}} name=__const.main.f{{.*}} odr_indicator={{0xf+$}} // CHECK-DAG: Added Global{{.*}} name=__const.main.f{{.*}} odr_indicator={{0xf+$}}
printf(f, test_global_1, test_global_2, test_global_3); printf(f, test_global_1, test_global_2, test_global_3);
return 0; return 0;
} }

llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp

Show First 20 LinesShow All 2,258 Lines▼ Show 20 Linesbool ModuleAddressSanitizer::InstrumentGlobals(IRBuilder<> &IRB, Module &M,
for (size_t i = 0; i < n; i++) { for (size_t i = 0; i < n; i++) {
GlobalVariable *G = GlobalsToChange[i]; GlobalVariable *G = GlobalsToChange[i];
GlobalValue::SanitizerMetadata MD; GlobalValue::SanitizerMetadata MD;
if (G->hasSanitizerMetadata()) if (G->hasSanitizerMetadata())
MD = G->getSanitizerMetadata(); MD = G->getSanitizerMetadata();
// TODO: Symbol names in the descriptor can be demangled by the runtime // ASan runtime demangles Itanium mangled names, so keep the original name
// library. This could save ~0.4% of VM size for a private large binary. // to prevent unneeded size increase of the string table.
std::string NameForGlobal = llvm::demangle(G->getName().str()); std::string NameForGlobal = G->getName().str();
if (!StringRef(NameForGlobal).startswith("_Z"))
NameForGlobal = llvm::demangle(NameForGlobal);
GlobalVariable *Name = GlobalVariable *Name =
createPrivateGlobalForString(M, NameForGlobal, createPrivateGlobalForString(M, NameForGlobal,
/*AllowMerging*/ true, kAsanGenPrefix); /*AllowMerging*/ true, kAsanGenPrefix);
Type *Ty = G->getValueType(); Type *Ty = G->getValueType();
const uint64_t SizeInBytes = DL.getTypeAllocSize(Ty); const uint64_t SizeInBytes = DL.getTypeAllocSize(Ty);
const uint64_t RightRedzoneSize = getRedzoneSizeForGlobal(SizeInBytes); const uint64_t RightRedzoneSize = getRedzoneSizeForGlobal(SizeInBytes);
Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize); Type *RightRedZoneTy = ArrayType::get(IRB.getInt8Ty(), RightRedzoneSize);
▲ Show 20 LinesShow All 1,187 LinesShow Last 20 Lines

llvm/test/Instrumentation/AddressSanitizer/local_alias.ll

; Defaults ; Defaults
; RUN: opt < %s -passes=asan -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-INDICATOR ; RUN: opt < %s -passes=asan -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-INDICATOR
; {newPM,legacyPM} x {alias0,alias1} x {odr0,odr1} ; {newPM,legacyPM} x {alias0,alias1} x {odr0,odr1}
; RUN: opt < %s -passes=asan -asan-use-private-alias=0 -asan-use-odr-indicator=0 -S | FileCheck %s --check-prefixes=CHECK-NOALIAS,CHECK-NOINDICATOR ; RUN: opt < %s -passes=asan -asan-use-private-alias=0 -asan-use-odr-indicator=0 -S | FileCheck %s --check-prefixes=CHECK-NOALIAS,CHECK-NOINDICATOR
; RUN: opt < %s -passes=asan -asan-use-private-alias=1 -asan-use-odr-indicator=0 -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-NOINDICATOR ; RUN: opt < %s -passes=asan -asan-use-private-alias=1 -asan-use-odr-indicator=0 -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-NOINDICATOR
; RUN: opt < %s -passes=asan -asan-use-private-alias=0 -asan-use-odr-indicator=1 -S | FileCheck %s --check-prefixes=CHECK-NOALIAS,CHECK-INDICATOR ; RUN: opt < %s -passes=asan -asan-use-private-alias=0 -asan-use-odr-indicator=1 -S | FileCheck %s --check-prefixes=CHECK-NOALIAS,CHECK-INDICATOR
; RUN: opt < %s -passes=asan -asan-use-private-alias=1 -asan-use-odr-indicator=1 -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-INDICATOR ; RUN: opt < %s -passes=asan -asan-use-private-alias=1 -asan-use-odr-indicator=1 -S | FileCheck %s --check-prefixes=CHECK-ALIAS,CHECK-INDICATOR
target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128" target datalayout = "e-m:e-i64:64-f80:128-n8:16:32:64-S128"
target triple = "x86_64-unknown-linux-gnu" target triple = "x86_64-unknown-linux-gnu"
@a = dso_local global [2 x i32] zeroinitializer, align 4 @a = dso_local global [2 x i32] zeroinitializer, align 4
@b = private global [2 x i32] zeroinitializer, align 4 @b = private global [2 x i32] zeroinitializer, align 4
@c = internal global [2 x i32] zeroinitializer, align 4 @c = internal global [2 x i32] zeroinitializer, align 4
@d = unnamed_addr global [2 x i32] zeroinitializer, align 4 @_ZL1d = unnamed_addr global [2 x i32] zeroinitializer, align 4
; Check that we generate internal alias and odr indicator symbols for global to be protected. ; Check that we generate internal alias and odr indicator symbols for global to be protected.
; CHECK-NOINDICATOR-NOT: __odr_asan_gen_a ; CHECK-NOINDICATOR-NOT: __odr_asan_gen_a
; CHECK-NOALIAS-NOT: private alias ; CHECK-NOALIAS-NOT: private alias
; CHECK-INDICATOR: @___asan_gen_.1 = private unnamed_addr constant [2 x i8] c"a\00", align 1
; CHECK-INDICATOR: @__odr_asan_gen_a = global i8 0, align 1 ; CHECK-INDICATOR: @__odr_asan_gen_a = global i8 0, align 1
; CHECK-INDICATOR: @___asan_gen_.4 = private unnamed_addr constant [6 x i8] c"_ZL1d\00", align 1
; CHECK-INDICATOR: @__odr_asan_gen__ZL1d = global i8 0, align 1
; CHECK-ALIAS: @0 = private alias { [2 x i32], [24 x i8] }, ptr @a ; CHECK-ALIAS: @0 = private alias { [2 x i32], [24 x i8] }, ptr @a
; CHECK-ALIAS: @1 = private alias { [2 x i32], [24 x i8] }, ptr @b ; CHECK-ALIAS: @1 = private alias { [2 x i32], [24 x i8] }, ptr @b
; CHECK-ALIAS: @2 = private alias { [2 x i32], [24 x i8] }, ptr @c ; CHECK-ALIAS: @2 = private alias { [2 x i32], [24 x i8] }, ptr @c
; CHECK-ALIAS: @3 = private alias { [2 x i32], [24 x i8] }, ptr @d ; CHECK-ALIAS: @3 = private alias { [2 x i32], [24 x i8] }, ptr @_ZL1d
; Function Attrs: nounwind sanitize_address uwtable ; Function Attrs: nounwind sanitize_address uwtable
define i32 @foo(i32 %M) #0 { define i32 @foo(i32 %M) #0 {
entry: entry:
%M.addr = alloca i32, align 4 %M.addr = alloca i32, align 4
store i32 %M, ptr %M.addr, align 4 store i32 %M, ptr %M.addr, align 4
store volatile i32 6, ptr getelementptr inbounds ([2 x i32], ptr @a, i64 2, i64 0), align 4 store volatile i32 6, ptr getelementptr inbounds ([2 x i32], ptr @a, i64 2, i64 0), align 4
%0 = load i32, ptr %M.addr, align 4 %0 = load i32, ptr %M.addr, align 4
%idxprom = sext i32 %0 to i64 %idxprom = sext i32 %0 to i64
%arrayidx = getelementptr inbounds [2 x i32], ptr @a, i64 0, i64 %idxprom %arrayidx = getelementptr inbounds [2 x i32], ptr @a, i64 0, i64 %idxprom
%1 = load volatile i32, ptr %arrayidx, align 4 %1 = load volatile i32, ptr %arrayidx, align 4
ret i32 %1 ret i32 %1
} }