This is an archive of the discontinued LLVM Phabricator instance.

Differential D155338

[HWASAN][LSAN] Fix false positive memory leak reports on X86_64
ClosedPublic

Authored by kstoimenov on Jul 14 2023, 1:54 PM.

Details

Reviewers
vitalybuka
Commits
rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64
Summary

Before this patch when running HWASAN on x86_64 with memory tagging support we got a bunch of false memory leak reports. The reason for that is that the heuristic used to detect if an 8 bytes could be a user pointer was not valid when memory tagging is used as the top byte could contain non-zero information.

Diff Detail

Event Timeline

kstoimenov created this revision.Jul 14 2023, 1:54 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 14 2023, 1:54 PM
Herald added a subscriber: Enna1. · View Herald Transcript
kstoimenov requested review of this revision.Jul 14 2023, 1:54 PM
Herald added a project: Restricted Project. · View Herald TranscriptJul 14 2023, 1:54 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B245487: Diff 540557.Jul 14 2023, 2:19 PM
vitalybuka added a subscriber: vitalybuka.Jul 14 2023, 2:21 PM
vitalybuka added inline comments.
compiler-rt/lib/lsan/lsan_common.cpp
279

we should query this from kernel, like in CanUseTaggingAbi

kstoimenov added a reviewer: vitalybuka.Jul 14 2023, 2:26 PM
vitalybuka added inline comments.Jul 14 2023, 2:28 PM
compiler-rt/lib/lsan/lsan_common.cpp
271–273

I am confused.
This one masking out 55:48, not the top byte?

279

Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/

vitalybuka added inline comments.Jul 17 2023, 11:48 AM
compiler-rt/lib/lsan/lsan_common.cpp
271–273

Never mind, the point to distinguish user space, so we check top bits AFTER top byte.

279

I measured "return true" and on average it's 1.5% regressions.

So it's measureable, current 17 bit vs 8 bit, I can't measure a difference, but still think it's safe to keep as much as possible bits, 11 should work for us.

Please drop TODO that we will need to refactore this code for LAM48, or 5 level page tables.

kstoimenov updated this revision to Diff 541251.Jul 17 2023, 3:20 PM

Added a test.

kstoimenov updated this revision to Diff 541253.Jul 17 2023, 3:23 PM

Updated comment.

kstoimenov updated this revision to Diff 541254.Jul 17 2023, 3:23 PM

Removed include.

vitalybuka added inline comments.Jul 17 2023, 3:28 PM
compiler-rt/lib/lsan/lsan_common.cpp
279

not done?

compiler-rt/test/lsan/TestCases/user_pointer.cpp
10–18

Maybe something more stronger

Harbormaster completed remote builds in B246015: Diff 541254.Jul 17 2023, 4:30 PM
kstoimenov updated this revision to Diff 541283.Jul 17 2023, 5:23 PM

Addressed comments.

kstoimenov marked 2 inline comments as done.Jul 17 2023, 5:23 PM
kstoimenov added inline comments.
compiler-rt/test/lsan/TestCases/user_pointer.cpp
10–18

This code actually generates memory leaks because the allocated memory is not referenced by any pointer. I had a version where there are 2 arrays: one with the pointer and the other one with & ' p & (255ULL << 48)', but I am not sure how with would help. Probably the best is just to leave with one

Harbormaster completed remote builds in B246038: Diff 541283.Jul 17 2023, 5:41 PM
vitalybuka accepted this revision.Jul 18 2023, 11:03 AM
vitalybuka added inline comments.
compiler-rt/test/lsan/TestCases/user_pointer.cpp
15

I see. So if we set masked bits, it will still fail other LSAN checks

so the test as is is not very useful, but not easy way change that.

This revision is now accepted and ready to land.Jul 18 2023, 11:03 AM
kstoimenov retitled this revision from [HWASAN][LSAN] Fix false positive memeory leak reports on X86 to [HWASAN][LSAN] Fix false positive memory leak reports on X86.Jul 18 2023, 11:24 AM
kstoimenov retitled this revision from [HWASAN][LSAN] Fix false positive memory leak reports on X86 to [HWASAN][LSAN] Fix false positive memory leak reports on X86_64.Jul 18 2023, 11:28 AM
kstoimenov edited the summary of this revision. (Show Details)
Herald added a subscriber: pengfei. · View Herald TranscriptJul 18 2023, 11:28 AM
kstoimenov added inline comments.Jul 18 2023, 11:30 AM
compiler-rt/test/lsan/TestCases/user_pointer.cpp
15

I will catch false positives. This test failed with HWASAN on x86 without my fix. Granted a bunch of other tests would have also failed, but it is good to have an explicit one.

Closed by commit rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64 (authored by kstoimenov). · Explain WhyJul 18 2023, 12:04 PM
This revision was automatically updated to reflect the committed changes.
kstoimenov added a commit: rG0365ccd2a1b3: [HWASAN][LSAN] Fix false positive memory leak reports on X86_64.
kstoimenov edited the summary of this revision. (Show Details)Jul 18 2023, 2:16 PM

Revision Contents

PathSize
compiler-rt/
lib/
lsan/
11 lines
test/
lsan/
TestCases/
17 lines

Diff 541664

compiler-rt/lib/lsan/lsan_common.cpp

Show First 20 LinesShow All 254 Lines▼ Show 20 Lines
static inline bool MaybeUserPointer(uptr p) { static inline bool MaybeUserPointer(uptr p) {
// Since our heap is located in mmap-ed memory, we can assume a sensible lower // Since our heap is located in mmap-ed memory, we can assume a sensible lower
// bound on heap addresses. // bound on heap addresses.
const uptr kMinAddress = 4 * 4096; const uptr kMinAddress = 4 * 4096;
if (p < kMinAddress) if (p < kMinAddress)
return false; return false;
# if defined(__x86_64__) # if defined(__x86_64__)
// TODO: add logic similar to ARM when Intel LAM is available. // TODO: support LAM48 and 5 level page tables.
// Accept only canonical form user-space addresses. // LAM_U57 mask format
return ((p >> 47) == 0); // * top byte: 0x81 because the format is: [0] [6-bit tag] [0]
// * top-1 byte: 0xff because it should be 0
// * top-2 byte: 0x80 because Linux uses 128 TB VMA ending at 0x7fffffffffff
constexpr uptr kLAM_U57Mask = 0x81ff80;
constexpr uptr kPointerMask = kLAM_U57Mask << 40;
return ((p & kPointerMask) == 0);
# elif defined(__mips64) # elif defined(__mips64)
return ((p >> 40) == 0); return ((p >> 40) == 0);
# elif defined(__aarch64__) # elif defined(__aarch64__)
// TBI (Top Byte Ignore) feature of AArch64: bits [63:56] are ignored in // TBI (Top Byte Ignore) feature of AArch64: bits [63:56] are ignored in
// address translation and can be used to store a tag. // address translation and can be used to store a tag.
constexpr uptr kPointerMask = 255ULL << 48; constexpr uptr kPointerMask = 255ULL << 48;
// Accept up to 48 bit VMA. // Accept up to 48 bit VMA.
return ((p & kPointerMask) == 0); return ((p & kPointerMask) == 0);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I am confused.
This one masking out 55:48, not the top byte?

vitalybuka: I am confused. This one masking out 55:48, not the top byte?
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Never mind, the point to distinguish user space, so we check top bits AFTER top byte.

vitalybuka: Never mind, the point to distinguish user space, so we check top bits AFTER top byte.
# elif defined(__loongarch_lp64) # elif defined(__loongarch_lp64)
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

we should query this from kernel, like in CanUseTaggingAbi

vitalybuka: we should query this from kernel, like in CanUseTaggingAbi
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/

vitalybuka: Maybe it's fine keep it simple and handle the worst case https://lwn.net/Articles/902094/
vitalybukaUnsubmitted
Done
ReplyInline Actions

I measured "return true" and on average it's 1.5% regressions.

So it's measureable, current 17 bit vs 8 bit, I can't measure a difference, but still think it's safe to keep as much as possible bits, 11 should work for us.

Please drop TODO that we will need to refactore this code for LAM48, or 5 level page tables.

vitalybuka: I measured "return true" and on average it's 1.5% regressions. So it's measureable, current 17…
vitalybukaUnsubmitted
Done
ReplyInline Actions

not done?

vitalybuka: not done?
// Allow 47-bit user-space VMA at current. // Allow 47-bit user-space VMA at current.
return ((p >> 47) == 0); return ((p >> 47) == 0);
# else # else
return true; return true;
# endif # endif
} }
// Scans the memory range, looking for byte patterns that point into allocator // Scans the memory range, looking for byte patterns that point into allocator
▲ Show 20 LinesShow All 816 LinesShow Last 20 Lines

compiler-rt/test/lsan/TestCases/user_pointer.cpp

  • This file was added.
// Checks if a user pointer is found by the leak sanitizer.
// RUN: %clang_lsan %s -o %t
// RUN: %run %t 2>&1
#include <cstdint>
#include <stdio.h>
#include <stdlib.h>
uintptr_t glob[1024];
int main() {
for (int i = 0; i < 1024; ++i) {
// Check that the pointers will not be falsely reported as leaks.
glob[i] = (uintptr_t)malloc(sizeof(int *));
}
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I see. So if we set masked bits, it will still fail other LSAN checks

so the test as is is not very useful, but not easy way change that.

vitalybuka: I see. So if we set masked bits, it will still fail other LSAN checks so the test as is is not…
kstoimenovAuthorUnsubmitted
Done
ReplyInline Actions

I will catch false positives. This test failed with HWASAN on x86 without my fix. Granted a bunch of other tests would have also failed, but it is good to have an explicit one.

kstoimenov: I will catch false positives. This test failed with HWASAN on x86 without my fix. Granted a…
return 0;
}