This is an archive of the discontinued LLVM Phabricator instance.

Differential D149252

[hwasan] fix false positive when hwasan-match-all-tag flag is enabled and short granules are used
ClosedPublic

Authored by Enna1 on Apr 26 2023, 5:11 AM.

Details

Reviewers
vitalybuka
eugenis
pcc
Commits
rGd961f66b28c5: [hwasan] fix false positive when hwasan-match-all-tag flag is enabled and short…
Summary

When hwasan-match-all-tag flag is enabled and short granules are used, at the point checking if this is a short tag case, the tag from pointer is stored in X16 register,
which breaks the assumption that tag from shadow memory is stored in X16 register, this will cause a false positive.

Diff Detail

Event Timeline

Enna1 created this revision.Apr 26 2023, 5:11 AM
Herald added a project: Restricted Project. · View Herald TranscriptApr 26 2023, 5:11 AM
Herald added a subscriber: hiraditya. · View Herald Transcript
Enna1 updated this revision to Diff 517131.Apr 26 2023, 5:15 AM

update

Enna1 edited the summary of this revision. (Show Details)Apr 26 2023, 5:32 AM
Enna1 added reviewers: vitalybuka, eugenis, pcc.
Enna1 added a subscriber: MTC.
Enna1 updated this revision to Diff 517133.Apr 26 2023, 5:35 AM

update

Enna1 published this revision for review.Apr 26 2023, 5:36 AM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 26 2023, 5:36 AM
Herald added subscribers: llvm-commits, Restricted Project. · View Herald Transcript
Enna1 updated this revision to Diff 517136.Apr 26 2023, 5:51 AM

update

vitalybuka added inline comments.Apr 26 2023, 7:26 PM
compiler-rt/test/hwasan/TestCases/short-granule-and-match-all-tag.cpp
1–18

exit 0 is enough for this test

llvm/test/CodeGen/AArch64/hwasan-check-memaccess.ll
115

can you please precommit this test with the current state of HWASAN, so we can see a difference here

Enna1 updated this revision to Diff 517442.Apr 26 2023, 8:41 PM
  • only test
Harbormaster completed remote builds in B228479: Diff 517442.Apr 27 2023, 12:14 AM
Enna1 added a comment.Apr 27 2023, 12:54 AM

UNSUPPORTED: HWAddressSanitizer-x86_64 :: TestCases/short-granule-and-match-all-tag.cpp (19669 of 70430)

Pre-merge checks buildbot does not support HWASAN test, so we can not see this test failure in premerge checks .
Do you mean I create another differential only containing this testcase, commit it to llvm trunk and check if sanitizer-aarch64-linux-bootstrap-hwasan(https://lab.llvm.org/buildbot/#/builders/236) will fail?

vitalybuka added a comment.Apr 27 2023, 4:43 PM
In D149252#4301314, @Enna1 wrote:

UNSUPPORTED: HWAddressSanitizer-x86_64 :: TestCases/short-granule-and-match-all-tag.cpp (19669 of 70430)

Pre-merge checks buildbot does not support HWASAN test, so we can not see this test failure in premerge checks .
Do you mean I create another differential only containing this testcase, commit it to llvm trunk and check if sanitizer-aarch64-linux-bootstrap-hwasan(https://lab.llvm.org/buildbot/#/builders/236) will fail?

Sorry, I was asking to precommit hwasan-check-accessible with checks generated for that current state of LLVM
short-granule-and-match-all-tag.cpp should stay in the main patch

Enna1 updated this revision to Diff 517771.Apr 27 2023, 7:05 PM

update

Harbormaster completed remote builds in B228712: Diff 517771.Apr 27 2023, 7:06 PM
Enna1 updated this revision to Diff 517772.Apr 27 2023, 7:06 PM

update

Harbormaster completed remote builds in B228713: Diff 517772.Apr 27 2023, 7:06 PM
Enna1 added a parent revision: D149399: [hwasan][test] add test for hwasan-check-memaccess when hwasan-match-all-tag flag and short granules both used.Apr 27 2023, 7:06 PM
vitalybuka accepted this revision.Apr 27 2023, 10:20 PM
This revision is now accepted and ready to land.Apr 27 2023, 10:20 PM
Closed by commit rGd961f66b28c5: [hwasan] fix false positive when hwasan-match-all-tag flag is enabled and short… (authored by Enna1). · Explain WhyApr 28 2023, 2:01 AM
This revision was automatically updated to reflect the committed changes.
Enna1 added a commit: rGd961f66b28c5: [hwasan] fix false positive when hwasan-match-all-tag flag is enabled and short….

Revision Contents

PathSize
compiler-rt/
test/
hwasan/
TestCases/
18 lines
llvm/
lib/
Target/
AArch64/
4 lines
test/
CodeGen/
AArch64/
39 lines

Diff 517136

compiler-rt/test/hwasan/TestCases/short-granule-and-match-all-tag.cpp

  • This file was added.
// RUN: %clang_hwasan -mllvm -hwasan-match-all-tag=0 %s -o %t && %run %t 2>&1 | FileCheck %s
#include <sanitizer/hwasan_interface.h>
#include <stdio.h>
#include <stdlib.h>
int main() {
__hwasan_enable_allocator_tagging();
fprintf(stderr, "main\n");
char *x = (char *)malloc(40);
char volatile z = *x;
free(x);
return 0;
}
// CHECK: main
// CHECK-NOT: ERROR: HWAddressSanitizer: tag-mismatch on address {{.*}} at pc {{[0x]+}}
// CHECK-NOT: WRITE of size 1 {{.*}} in thread T0
vitalybukaUnsubmitted
Not Done
ReplyInline Actions
- // RUN: %clang_hwasan -mllvm -hwasan-match-all-tag=0 %s -o %t && %run %t 2>&1 | FileCheck %s
+ // RUN: %clang_hwasan -mllvm -hwasan-match-all-tag=0 %s -o %t && %run %t
#include <sanitizer/hwasan_interface.h>
- #include <stdio.h>
#include <stdlib.h>
int main() {
__hwasan_enable_allocator_tagging();
- fprintf(stderr, "main\n");
char *x = (char *)malloc(40);
char volatile z = *x;
free(x);
return 0;
}
-
- // CHECK: main
- // CHECK-NOT: ERROR: HWAddressSanitizer: tag-mismatch on address {{.*}} at pc {{[0x]+}}
- // CHECK-NOT: WRITE of size 1 {{.*}} in thread T0

exit 0 is enough for this test

vitalybuka: exit 0 is enough for this test

llvm/lib/Target/AArch64/AArch64AsmPrinter.cpp

Show First 20 LinesShow All 525 Lines▼ Show 20 Lines for (auto &P : HwasanMemaccessSymbols) {
MCSymbol *ReturnSym = OutContext.createTempSymbol(); MCSymbol *ReturnSym = OutContext.createTempSymbol();
OutStreamer->emitLabel(ReturnSym); OutStreamer->emitLabel(ReturnSym);
OutStreamer->emitInstruction( OutStreamer->emitInstruction(
MCInstBuilder(AArch64::RET).addReg(AArch64::LR), *STI); MCInstBuilder(AArch64::RET).addReg(AArch64::LR), *STI);
OutStreamer->emitLabel(HandleMismatchOrPartialSym); OutStreamer->emitLabel(HandleMismatchOrPartialSym);
if (HasMatchAllTag) { if (HasMatchAllTag) {
OutStreamer->emitInstruction(MCInstBuilder(AArch64::UBFMXri) OutStreamer->emitInstruction(MCInstBuilder(AArch64::UBFMXri)
.addReg(AArch64::X16) .addReg(AArch64::X17)
.addReg(Reg) .addReg(Reg)
.addImm(56) .addImm(56)
.addImm(63), .addImm(63),
*STI); *STI);
OutStreamer->emitInstruction(MCInstBuilder(AArch64::SUBSXri) OutStreamer->emitInstruction(MCInstBuilder(AArch64::SUBSXri)
.addReg(AArch64::XZR) .addReg(AArch64::XZR)
.addReg(AArch64::X16) .addReg(AArch64::X17)
.addImm(MatchAllTag) .addImm(MatchAllTag)
.addImm(0), .addImm(0),
*STI); *STI);
OutStreamer->emitInstruction( OutStreamer->emitInstruction(
MCInstBuilder(AArch64::Bcc) MCInstBuilder(AArch64::Bcc)
.addImm(AArch64CC::EQ) .addImm(AArch64CC::EQ)
.addExpr(MCSymbolRefExpr::create(ReturnSym, OutContext)), .addExpr(MCSymbolRefExpr::create(ReturnSym, OutContext)),
*STI); *STI);
▲ Show 20 LinesShow All 1,136 LinesShow Last 20 Lines

llvm/test/CodeGen/AArch64/hwasan-check-memaccess.ll

Show All 30 Lines
} }
define void @f3(ptr %x0, ptr %x1) { define void @f3(ptr %x0, ptr %x1) {
; 0x3ff0000 (kernel, match-all = 0xff) ; 0x3ff0000 (kernel, match-all = 0xff)
call void @llvm.hwasan.check.memaccess(ptr %x0, ptr %x1, i32 67043328) call void @llvm.hwasan.check.memaccess(ptr %x0, ptr %x1, i32 67043328)
ret void ret void
} }
define void @f4(ptr %x0, ptr %x1) {
; 0x1000010 (access-size-index = 0, is-write = 1, match-all = 0x0)
call void @llvm.hwasan.check.memaccess.shortgranules(ptr %x0, ptr %x1, i32 16777232)
ret void
}
declare void @llvm.hwasan.check.memaccess(ptr, ptr, i32) declare void @llvm.hwasan.check.memaccess(ptr, ptr, i32)
declare void @llvm.hwasan.check.memaccess.shortgranules(ptr, ptr, i32) declare void @llvm.hwasan.check.memaccess.shortgranules(ptr, ptr, i32)
; CHECK: .section .text.hot,"axG",@progbits,__hwasan_check_x0_2_short_v2,comdat ; CHECK: .section .text.hot,"axG",@progbits,__hwasan_check_x0_2_short_v2,comdat
; CHECK-NEXT: .type __hwasan_check_x0_2_short_v2,@function ; CHECK-NEXT: .type __hwasan_check_x0_2_short_v2,@function
; CHECK-NEXT: .weak __hwasan_check_x0_2_short_v2 ; CHECK-NEXT: .weak __hwasan_check_x0_2_short_v2
; CHECK-NEXT: .hidden __hwasan_check_x0_2_short_v2 ; CHECK-NEXT: .hidden __hwasan_check_x0_2_short_v2
; CHECK-NEXT: __hwasan_check_x0_2_short_v2: ; CHECK-NEXT: __hwasan_check_x0_2_short_v2:
▲ Show 20 LinesShow All 46 Lines▼ Show 20 Lines
; CHECK: __hwasan_check_x1_67043328: ; CHECK: __hwasan_check_x1_67043328:
; CHECK-NEXT: sbfx x16, x1, #4, #52 ; CHECK-NEXT: sbfx x16, x1, #4, #52
; CHECK-NEXT: ldrb w16, [x9, x16] ; CHECK-NEXT: ldrb w16, [x9, x16]
; CHECK-NEXT: cmp x16, x1, lsr #56 ; CHECK-NEXT: cmp x16, x1, lsr #56
; CHECK-NEXT: b.ne .Ltmp5 ; CHECK-NEXT: b.ne .Ltmp5
; CHECK-NEXT: .Ltmp6: ; CHECK-NEXT: .Ltmp6:
; CHECK-NEXT: ret ; CHECK-NEXT: ret
; CHECK-NEXT: .Ltmp5: ; CHECK-NEXT: .Ltmp5:
; CHECK-NEXT: lsr x16, x1, #56 ; CHECK-NEXT: lsr x17, x1, #56
; CHECK-NEXT: cmp x16, #255 ; CHECK-NEXT: cmp x17, #255
; CHECK-NEXT: b.eq .Ltmp6 ; CHECK-NEXT: b.eq .Ltmp6
; CHECK-NEXT: stp x0, x1, [sp, #-256]! ; CHECK-NEXT: stp x0, x1, [sp, #-256]!
; CHECK-NEXT: stp x29, x30, [sp, #232] ; CHECK-NEXT: stp x29, x30, [sp, #232]
; CHECK-NEXT: mov x0, x1 ; CHECK-NEXT: mov x0, x1
; CHECK-NEXT: mov x1, #0 ; CHECK-NEXT: mov x1, #0
; CHECK-NEXT: b __hwasan_tag_mismatch ; CHECK-NEXT: b __hwasan_tag_mismatch
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

can you please precommit this test with the current state of HWASAN, so we can see a difference here

vitalybuka: can you please precommit this test with the current state of HWASAN, so we can see a difference…
; CHECK: __hwasan_check_x1_16777232_short_v2:
; CHECK-NEXT: sbfx x16, x1, #4, #52
; CHECK-NEXT: ldrb w16, [x20, x16]
; CHECK-NEXT: cmp x16, x1, lsr #56
; CHECK-NEXT: b.ne .Ltmp7
; CHECK-NEXT: .Ltmp8:
; CHECK-NEXT: ret
; CHECK-NEXT: .Ltmp7:
; CHECK-NEXT: lsr x17, x1, #56
; CHECK-NEXT: cmp x17, #0
; CHECK-NEXT: b.eq .Ltmp8
; CHECK-NEXT: cmp w16, #15
; CHECK-NEXT: b.hi .Ltmp9
; CHECK-NEXT: and x17, x1, #0xf
; CHECK-NEXT: cmp w16, w17
; CHECK-NEXT: b.ls .Ltmp9
; CHECK-NEXT: orr x16, x1, #0xf
; CHECK-NEXT: ldrb w16, [x16]
; CHECK-NEXT: cmp x16, x1, lsr #56
; CHECK-NEXT: b.eq .Ltmp8
; CHECK-NEXT: .Ltmp9:
; CHECK-NEXT: stp x0, x1, [sp, #-256]!
; CHECK-NEXT: stp x29, x30, [sp, #232]
; CHECK-NEXT: mov x0, x1
; CHECK-NEXT: mov x1, #16
; CHECK-NEXT: adrp x16, :got:__hwasan_tag_mismatch_v2
; CHECK-NEXT: ldr x16, [x16, :got_lo12:__hwasan_tag_mismatch_v2]
; CHECK-NEXT: br x16