This is an archive of the discontinued LLVM Phabricator instance.

Differential D149769

[sanitizer][asan][win][msvc] Correct interception of strdup on windows, additionally correclty intercept memmove/memcpy on i386 windows.
Needs RevisionPublic

Authored by barcharcraz on May 3 2023, 10:01 AM.

Details

Reviewers
vitalybuka
alvinhochun
mstorsjo
strega-nil
Summary

We (Microsoft) have a bunch of changes on top of LLVM-14 to enable asan to work on windows with msvc. We'd like to start working in the open, on LLVM main, but our branch has diverged somewhat. We've thrown some changesets over the wall previously and I'm going to be resuming the effort.

In any event this is a very self-contained set of fixes to interception. It intercepts _strdup on windows instead of strdup and changes the way memcpy is intercepted on I386 windows. For strdup windows does not define an actual strdup function, only _strdup (because strdup is in POSIX, not C, until C23). Note that _strdup_dbg ends up calling _strdup. For memcpy the behavior is changed on I386 windows to intercept with asan's version of memmove. On I386 windows memcpy and memmove are actually separate functions, even though they have identical implementations, thus memcpy needs to be intercepted with asan's memmove to avoid having asan check for overlapping ranges, which could break programs relying on this behavior (this is a bit of a judgement call though, we think preserving the memmoving behavior of memcpy makes asan more useful for catching real bugs, but our memcpy isn't actually documented as being memmove on all architectures.)

[asan][win][msvc] Intercept memcpy in addition to memmove on i386 windows.

[asan][win][test] Add tests ensuring memcpy and memmove are properly intercepted on windows

Diff Detail

Event Timeline

barcharcraz created this revision.May 3 2023, 10:01 AM
Herald added a project: Restricted Project. · View Herald TranscriptMay 3 2023, 10:01 AM
Herald added a subscriber: Enna1. · View Herald Transcript
barcharcraz retitled this revision from [asan][win][msvc] Correct interception of strdup on windows, additionally correclty intercept memmove/memcpy on i386 windows. to [sanitizer][asan][win][msvc] Correct interception of strdup on windows, additionally correclty intercept memmove/memcpy on i386 windows..May 3 2023, 10:10 AM
barcharcraz added a project: Restricted Project.
Harbormaster completed remote builds in B229733: Diff 519142.May 3 2023, 10:26 AM
barcharcraz edited the summary of this revision. (Show Details)May 3 2023, 11:53 AM
barcharcraz added a reviewer: vitalybuka.
barcharcraz updated this revision to Diff 519198.May 3 2023, 11:59 AM
  • clang-format
barcharcraz published this revision for review.May 3 2023, 12:05 PM
Herald added a subscriber: Restricted Project. · View Herald TranscriptMay 3 2023, 12:05 PM
Harbormaster completed remote builds in B229774: Diff 519198.May 3 2023, 12:18 PM
vitalybuka added a comment.May 3 2023, 4:18 PM

Please split patches, changes are unrelated.

compiler-rt/lib/asan/asan_interceptors.cpp
466 ↗(On Diff #519198)

please use:
#if WIndows
#define strdup _strdup
#endif

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
907

isn't this constant for the platform?

barcharcraz updated this revision to Diff 519569.May 4 2023, 10:59 AM

remove the changes to strdup from this diff.

barcharcraz added inline comments.May 4 2023, 11:10 AM
compiler-rt/lib/asan/asan_interceptors.cpp
466 ↗(On Diff #519198)

This is a little dangerous if <string.h> ends up getting included in this file, since we define strdup to _strdup_dbg or _strdup there (and in asan we want to intercept _strdup even in debug mode).

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
907

I'm not 100% sure for armv7. I think it's not the case for IA64, but .... it's IA64, we don't really support it anymore.

Harbormaster completed remote builds in B230038: Diff 519569.May 4 2023, 11:19 AM
barcharcraz added inline comments.May 8 2023, 10:12 AM
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
907

are you saying that you'd prefer to have the preprocessor logic on lines 202-210 inlined here (and at other usages)

vitalybuka added a comment.May 9 2023, 10:58 AM

memmove and strdup should be two different patches

compiler-rt/lib/asan/asan_interceptors.cpp
466 ↗(On Diff #519198)

Is this even would compile if you include string.h here?

We are doing this for other platforms, and I would like consistency.
and i don't like repeating this code 3 times

alternative approach:
in a separate patch extract common code from 2 functions
in this patch use the code for the third one

470–481 ↗(On Diff #519198)

Move GET_STACK_TRACE_MALLOC and extract this
You need REAL(memcpy) as parameters

485 ↗(On Diff #519198)

Please introduce ASAN_INTERCEPT_STRDUP and ASAN_INTERCEPT__STRDUP and use instead of SANITIZER_WINDOWS

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
906–907

I am asking to remove selected condition condition

barcharcraz updated this revision to Diff 521384.May 11 2023, 11:22 AM
  • revert changes to INIT_MEMCPY as they are redundant
  • clang format
barcharcraz added inline comments.May 11 2023, 11:23 AM
compiler-rt/lib/asan/asan_interceptors.cpp
466 ↗(On Diff #519198)

I ended up using push/pop macro, and those changes appear in https://reviews.llvm.org/D149876 (which contains only the strdup changes, as requested).

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
906–907

Ah I see, it's redundant with the code already in the memcpy interceptor. I've reverted the changes to INIT_MEMCPY.

Harbormaster completed remote builds in B231397: Diff 521384.May 11 2023, 11:53 AM
vitalybuka added a reviewer: alvinhochun.May 11 2023, 1:31 PM
vitalybuka accepted this revision.May 11 2023, 1:34 PM
This revision is now accepted and ready to land.May 11 2023, 1:34 PM
alvinhochun added a reviewer: mstorsjo.May 12 2023, 2:24 AM

Thanks for adding me in the loop. The change itself looks fine, though I haven't tried it on MinGW-w64 target yet. Some comments on the tests:

  • It seems the two tests memcpy_sanity.cpp and memmove_sanity.cpp does the same thing for the most part. Can they be merged into one single test file and switch between testing memmove and memcpy by checking argc/argv?
  • These tests will not work on MinGW-w64 as is because of the use of clang-cl command line flags. I have been fixing the asan tests to work on MinGW-w64 targets (see for example D150269) and there are now nightly builds that run asan tests. Please add // UNSUPPORTED: target={{.*-windows-gnu}} to disable the new tests for now. (It would be nice if you can make the test compatible with MinGW-w64, but that might be asking for too much.)
barcharcraz added a comment.May 12 2023, 4:16 PM
In D149769#4337197, @alvinhochun wrote:

Thanks for adding me in the loop. The change itself looks fine, though I haven't tried it on MinGW-w64 target yet. Some comments on the tests:

  • It seems the two tests memcpy_sanity.cpp and memmove_sanity.cpp does the same thing for the most part. Can they be merged into one single test file and switch between testing memmove and memcpy by checking argc/argv?
  • These tests will not work on MinGW-w64 as is because of the use of clang-cl command line flags. I have been fixing the asan tests to work on MinGW-w64 targets (see for example D150269) and there are now nightly builds that run asan tests. Please add // UNSUPPORTED: target={{.*-windows-gnu}} to disable the new tests for now. (It would be nice if you can make the test compatible with MinGW-w64, but that might be asking for too much.)

Honestly I do want to make them work with mingw, but there's an additional complication ....

Our internal test harness treats "%clang_cl_asan" as "real" cl.exe, so clang style flags won't actually work at all (although in this case I had to add the no-builtin flags anyway). In the end I'll probably add some kind of conditional macro in lit to allow specifying separate cl and clang style flags. For now, I agree that just making them unsupported on -gnu would be easiest.

Also, on mingw could lit make clang_cl_asan work by just telling it to build for the gnu target instead of the msvc one? I'm not sure how well this is supported.

barcharcraz updated this revision to Diff 522686.May 16 2023, 10:11 AM
  • Make memcpy and memmove tests unsupported on mingw
Harbormaster completed remote builds in B232363: Diff 522686.May 16 2023, 10:30 AM
barcharcraz updated this revision to Diff 522783.May 16 2023, 2:06 PM
  • merge the memcpy and memmove tests
  • clang-format
Harbormaster completed remote builds in B232431: Diff 522783.May 16 2023, 2:09 PM
alvinhochun added inline comments.May 19 2023, 4:36 AM
compiler-rt/test/asan/TestCases/Windows/memcpy_memmove_sanity.cpp
1–13

This will allow the test to run on mingw-w64. @vitalybuka how do you feel about this?

strega-nil requested changes to this revision.May 25 2023, 10:22 AM
strega-nil added a subscriber: strega-nil.
strega-nil added inline comments.
compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc
204

In line with our conversation yesterday, we'd prefer to not lose the memcpy/memmove distinction when it comes to diagnostics; we still want to diagnose:

cxx
int main() {
  char buf[] = "Hello!";
  memcpy(&buf[1], &buf[0], (sizeof buf) - 1);
}
This revision now requires changes to proceed.May 25 2023, 10:22 AM
strega-nil added a comment.May 25 2023, 10:23 AM

Probably good to rename the title as well.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
29 lines
test/
asan/
TestCases/
Windows/
36 lines

Diff 522783

compiler-rt/lib/sanitizer_common/sanitizer_common_interceptors.inc

  • This file is larger than 256 KB, so syntax highlighting is disabled by default.
Show First 20 LinesShow All 193 Lines▼ Show 20 Lines
#define utimensat __utimensat_time64 #define utimensat __utimensat_time64
#define utimes __utimes_time64 #define utimes __utimes_time64
#define utime __utime64 #define utime __utime64
#define wait3 __wait3_time64 #define wait3 __wait3_time64
#define wait4 __wait4_time64 #define wait4 __wait4_time64
#endif #endif
// Platform-specific options. // Platform-specific options.
#if SANITIZER_APPLE #if SANITIZER_APPLE || (SANITIZER_WINDOWS && SANITIZER_X64)
#define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 0
#elif SANITIZER_WINDOWS64
#define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 0 # define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 0
# define PLATFORM_MEMCPY_MEMMOVE_CAN_BE_FOLDED 0
strega-nilUnsubmitted
Not Done
ReplyInline Actions

In line with our conversation yesterday, we'd prefer to not lose the memcpy/memmove distinction when it comes to diagnostics; we still want to diagnose:

cxx
int main() {
  char buf[] = "Hello!";
  memcpy(&buf[1], &buf[0], (sizeof buf) - 1);
}
strega-nil: In line with our conversation yesterday, we'd prefer to not lose the `memcpy`/`memmove`…
#elif SANITIZER_WINDOWS && SANITIZER_I386
# define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 1
# define PLATFORM_MEMCPY_MEMMOVE_CAN_BE_FOLDED 1
#else #else
#define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 1 #define PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE 1
# define PLATFORM_MEMCPY_MEMMOVE_CAN_BE_FOLDED 0
#endif // SANITIZER_APPLE #endif // SANITIZER_APPLE
#ifndef COMMON_INTERCEPTOR_INITIALIZE_RANGE #ifndef COMMON_INTERCEPTOR_INITIALIZE_RANGE
#define COMMON_INTERCEPTOR_INITIALIZE_RANGE(p, size) {} #define COMMON_INTERCEPTOR_INITIALIZE_RANGE(p, size) {}
#endif #endif
#ifndef COMMON_INTERCEPTOR_UNPOISON_PARAM #ifndef COMMON_INTERCEPTOR_UNPOISON_PARAM
#define COMMON_INTERCEPTOR_UNPOISON_PARAM(count) {} #define COMMON_INTERCEPTOR_UNPOISON_PARAM(count) {}
▲ Show 20 LinesShow All 650 Lines▼ Show 20 Lines
#if SANITIZER_INTERCEPT_MEMCPY #if SANITIZER_INTERCEPT_MEMCPY
INTERCEPTOR(void *, memcpy, void *dst, const void *src, uptr size) { INTERCEPTOR(void *, memcpy, void *dst, const void *src, uptr size) {
// On OS X, calling internal_memcpy here will cause memory corruptions, // On OS X, calling internal_memcpy here will cause memory corruptions,
// because memcpy and memmove are actually aliases of the same // because memcpy and memmove are actually aliases of the same
// implementation. We need to use internal_memmove here. // implementation. We need to use internal_memmove here.
// N.B.: If we switch this to internal_ we'll have to use internal_memmove // N.B.: If we switch this to internal_ we'll have to use internal_memmove
// due to memcpy being an alias of memmove on OS X. // due to memcpy being an alias of memmove on OS X.
void *ctx; void *ctx;
#if PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE # ifndef PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE
# error "Undefined"
# endif
# ifndef PLATFORM_MEMCPY_MEMMOVE_CAN_BE_FOLDED
# error "Undefined"
# endif
# if PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE && \
!PLATFORM_MEMCPY_MEMMOVE_CAN_BE_FOLDED
COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, dst, src, size); COMMON_INTERCEPTOR_MEMCPY_IMPL(ctx, dst, src, size);
#else # else
COMMON_INTERCEPTOR_MEMMOVE_IMPL(ctx, dst, src, size); COMMON_INTERCEPTOR_MEMMOVE_IMPL(ctx, dst, src, size);
#endif # endif
} }
#define INIT_MEMCPY \ #define INIT_MEMCPY \
do { \ do { \
if (PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE) { \ if (PLATFORM_HAS_DIFFERENT_MEMCPY_AND_MEMMOVE) { \
COMMON_INTERCEPT_FUNCTION(memcpy); \ COMMON_INTERCEPT_FUNCTION(memcpy); \
} else { \ } else { \
ASSIGN_REAL(memcpy, memmove); \ ASSIGN_REAL(memcpy, memmove); \
} \ } \
CHECK(REAL(memcpy)); \ CHECK(REAL(memcpy)); \
} while (false) } while (false)
#else #else
#define INIT_MEMCPY #define INIT_MEMCPY
#endif #endif
#if SANITIZER_INTERCEPT_MEMCMP #if SANITIZER_INTERCEPT_MEMCMP
DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_memcmp, uptr called_pc, DECLARE_WEAK_INTERCEPTOR_HOOK(__sanitizer_weak_hook_memcmp, uptr called_pc,
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

isn't this constant for the platform?

vitalybuka: isn't this constant for the platform?
barcharcrazAuthorUnsubmitted
Done
ReplyInline Actions

I'm not 100% sure for armv7. I think it's not the case for IA64, but .... it's IA64, we don't really support it anymore.

barcharcraz: I'm not 100% sure for armv7. I think it's not the case for IA64, but .... it's IA64, we don't…
barcharcrazAuthorUnsubmitted
Done
ReplyInline Actions

are you saying that you'd prefer to have the preprocessor logic on lines 202-210 inlined here (and at other usages)

barcharcraz: are you saying that you'd prefer to have the preprocessor logic on lines 202-210 inlined here…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I am asking to remove selected condition condition

vitalybuka: I am asking to remove selected condition condition
barcharcrazAuthorUnsubmitted
Done
ReplyInline Actions

Ah I see, it's redundant with the code already in the memcpy interceptor. I've reverted the changes to INIT_MEMCPY.

barcharcraz: Ah I see, it's redundant with the code already in the memcpy interceptor. I've reverted the…
const void *s1, const void *s2, uptr n, const void *s1, const void *s2, uptr n,
int result) int result)
// Common code for `memcmp` and `bcmp`. // Common code for `memcmp` and `bcmp`.
int MemcmpInterceptorCommon(void *ctx, int MemcmpInterceptorCommon(void *ctx,
int (*real_fn)(const void *, const void *, uptr), int (*real_fn)(const void *, const void *, uptr),
const void *a1, const void *a2, uptr size) { const void *a1, const void *a2, uptr size) {
if (common_flags()->intercept_memcmp) { if (common_flags()->intercept_memcmp) {
▲ Show 20 LinesShow All 9,774 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Windows/memcpy_memmove_sanity.cpp

  • This file was added.
// RUN: %clang_cl_asan %s -Fe%t.icf.ref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:ICF /OPT:REF
// RUN: %clang_cl_asan %s -Fe%t.noicf.ref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:NOICF /OPT:REF
// RUN: %clang_cl_asan %s -Fe%t.icf.noref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:ICF /OPT:NOREF
// RUN: %clang_cl_asan %s -Fe%t.noicf.noref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:NOICF /OPT:NOREF
// RUN: not %run %t.icf.ref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.ref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.icf.noref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.noref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.icf.ref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.ref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.icf.noref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.noref memmove 2>&1 | FileCheck %s
// UNSUPPORTED: target={{.*-windows-gnu}}
alvinhochunUnsubmitted
Not Done
ReplyInline Actions
- // RUN: %clang_cl_asan %s -Fe%t.icf.ref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:ICF /OPT:REF
- // RUN: %clang_cl_asan %s -Fe%t.noicf.ref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:NOICF /OPT:REF
- // RUN: %clang_cl_asan %s -Fe%t.icf.noref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:ICF /OPT:NOREF
- // RUN: %clang_cl_asan %s -Fe%t.noicf.noref /clang:-fno-builtin-memcpy /clang:-fno-builtin-memmove /link /OPT:NOICF /OPT:NOREF
+ // RUN: %clang_cl_asan %s %Fe%t.icf.ref -fno-builtin-memcpy -fno-builtin-memmove \
+ // RUN: %if target={{.*-windows-gnu}} %{ -Wl,--icf=all,--gc-sections %} \
+ // RUN: %else %{ -link -opt:icf -opt:ref %}
+ // RUN: %clang_cl_asan %s %Fe%t.noicf.ref -fno-builtin-memcpy -fno-builtin-memmove \
+ // RUN: %if target={{.*-windows-gnu}} %{ -Wl,--icf=none,--gc-sections %} \
+ // RUN: %else %{ -link -opt:noicf -opt:ref %}
+ // RUN: %clang_cl_asan %s %Fe%t.icf.noref -fno-builtin-memcpy -fno-builtin-memmove \
+ // RUN: %if target={{.*-windows-gnu}} %{ -Wl,--icf=all,--no-gc-sections %} \
+ // RUN: %else %{ -link -opt:icf -opt:noref %}
+ // RUN: %clang_cl_asan %s %Fe%t.noicf.noref -fno-builtin-memcpy -fno-builtin-memmove \
+ // RUN: %if target={{.*-windows-gnu}} %{ -Wl,--icf=none,--no-gc-sections %} \
+ // RUN: %else %{ -link -opt:noicf -opt:noref %}
// RUN: not %run %t.icf.ref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.ref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.icf.noref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.noref memcpy 2>&1 | FileCheck %s
// RUN: not %run %t.icf.ref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.ref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.icf.noref memmove 2>&1 | FileCheck %s
// RUN: not %run %t.noicf.noref memmove 2>&1 | FileCheck %s
- // UNSUPPORTED: target={{.*-windows-gnu}}
#include <stdlib.h>

This will allow the test to run on mingw-w64. @vitalybuka how do you feel about this?

alvinhochun: This will allow the test to run on mingw-w64. @vitalybuka how do you feel about this?
#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
int *buf = new int[4];
memmove(buf + 1, buf, 3 * sizeof(int));
memcpy(buf + 1, buf, 3 * sizeof(int));
delete[] buf;
if (argc != 2) {
abort();
}
if (strcmp(argv[1], "memcpy") == 0) {
memcpy(buf + 1, buf, 3 * sizeof(int));
} else if (strcmp(argv[1], "memmove") == 0) {
memmove(buf + 1, buf, 3 * sizeof(int));
}
// CHECK: AddressSanitizer: heap-use-after-free
return 0;
}