This is an archive of the discontinued LLVM Phabricator instance.

Differential D157552

[asan] Fix GC of FakeFrames
ClosedPublic

Authored by vitalybuka on Aug 9 2023, 2:58 PM.

Details

Reviewers
kstoimenov
thurston
fmayer
Commits
rG9be8892908d4: [asan] Fix GC of FakeFrames
Summary

When FakeStack GC from altstack, it may see default stack on lower
addressed and incorectly disard all frames.

Fixes bug exposed by D153536.

Diff Detail

Event Timeline

vitalybuka created this revision.Aug 9 2023, 2:58 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 9 2023, 2:58 PM
Herald added a subscriber: Enna1. · View Herald Transcript
vitalybuka requested review of this revision.Aug 9 2023, 2:58 PM
Herald added a project: Restricted Project. · View Herald TranscriptAug 9 2023, 2:58 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
vitalybuka added a reviewer: fmayer.Aug 9 2023, 3:02 PM
fmayer added inline comments.Aug 9 2023, 3:05 PM
compiler-rt/lib/asan/asan_fake_stack.cpp
138

just confirming (not that familiar with ASan) that this leads to false negatives, correct?

vitalybuka added inline comments.Aug 9 2023, 3:12 PM
compiler-rt/lib/asan/asan_fake_stack.cpp
138

No, nested stacks may still cause false positives, if we discard frame, which is actually alive.

vitalybuka updated this revision to Diff 548781.Aug 9 2023, 3:15 PM

update comment

Harbormaster completed remote builds in B251496: Diff 548777.Aug 9 2023, 3:15 PM
vitalybuka updated this revision to Diff 548784.Aug 9 2023, 3:17 PM

comment

Harbormaster completed remote builds in B251502: Diff 548784.Aug 9 2023, 3:31 PM
vitalybuka updated this revision to Diff 548792.Aug 9 2023, 3:37 PM

-pthread

Harbormaster completed remote builds in B251507: Diff 548792.Aug 9 2023, 3:55 PM
kstoimenov accepted this revision.Aug 9 2023, 3:58 PM
kstoimenov added inline comments.
compiler-rt/lib/asan/asan_fake_stack.cpp
167–168

Add a comment what is the intent of this code.

This revision is now accepted and ready to land.Aug 9 2023, 3:58 PM
vitalybuka updated this revision to Diff 548868.Aug 9 2023, 8:46 PM

comment

vitalybuka marked an inline comment as done.Aug 9 2023, 8:46 PM
This revision was landed with ongoing or failed builds.Aug 9 2023, 8:47 PM
Closed by commit rG9be8892908d4: [asan] Fix GC of FakeFrames (authored by vitalybuka). · Explain Why
This revision was automatically updated to reflect the committed changes.
vitalybuka added a commit: rG9be8892908d4: [asan] Fix GC of FakeFrames.
Harbormaster completed remote builds in B251569: Diff 548868.Aug 9 2023, 9:18 PM
vitalybuka mentioned this in rG6b7b45c213d4: [test][asan] Disable new test from D157552 on Android.Aug 9 2023, 11:02 PM
ro added a subscriber: ro.Aug 10 2023, 12:18 AM

The new test SEGVs on Solaris/amd64. I haven't started investigating yet.

ro added a comment.Aug 10 2023, 1:38 AM
In D157552#4575681, @ro wrote:

The new test SEGVs on Solaris/amd64. I haven't started investigating yet.

I've digged some more: here's the stacktrace from the SEGV:

Thread 3 received signal SIGSEGV, Segmentation fault.
0x08158265 in Fn<715u> ()
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:23
23	template <size_t N> void Fn() {
1: x/i $pc
=> 0x8158265 <_Z2FnILj715EEvv+101>:	movl   $0x41b58ab3,(%eax)
(gdb) bt
#0  0x08158265 in Fn<715u> ()
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:23
#1  0x08158187 in Fn<716u> ()
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:27
[...]
#285 0x0813e067 in Fn<1000u> ()
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:27
#286 0x0813d848 in Handler (signo=6)
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:36
#287 <signal handler called>
#288 0xfe15e145 in __lwp_sigqueue () from /lib/libc.so.1
#289 0xfe155eaf in thr_kill () from /lib/libc.so.1
#290 0xfe08d9c2 in raise () from /lib/libc.so.1
#291 0xfe05b094 in abort () from /lib/libc.so.1
#292 0x0813d7f8 in Thread (arg=0xfdafe800)
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp:64
#293 0x0810315c in asan_thread_start ()
    at /opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/llvm/compiler-rt/lib/asan/asan_interceptors.cpp:234
#294 0xfe158a9b in _thrp_setup () from /lib/libc.so.1
#295 0xfe158dd0 in ?? () from /lib/libc.so.1
#296 0x00000000 in ?? ()

At that point, %eax is 0xfdafc6c0. If you look at the process mappings with pmap -x, you get:

4093:	/opt/llvm-buildbot/home/solaris11-amd64/clang-solaris11-amd64/stage1/p
 Address Kbytes  RSS Anon Lock Mode     Mapped File
08050000   1332  836    -    - r-x----  [ text ] fake_stack_gc.cpp.tmp
081AC000    188  188   16    - rwx----  [ data ] fake_stack_gc.cpp.tmp
081DB000   9160  232  232    - rwx----  [ data ] fake_stack_gc.cpp.tmp
08ACD000      4    4    4    - rwx----  [ heap ]
21010000      4    4    4    - rw--R-E  [ anon ]
[...]
FD9FA000   1032   20   20    - rw-----  [ anon ]
FDAFD000   1032 1032 1032    - rw-----  [ anon ]
FDC00000   2184    -    -    - rw-----  [ anon ]

The mapping at 0xFD9FA000 is from FD9FA000 to FDAFC000. So %eax points to unmapped memory, thus a stack overflow. It seems the test assumes larger stacks somehow.

vitalybuka mentioned this in D153536: [Clang] Implement P2169 A nice placeholder with no name.Aug 10 2023, 8:37 AM
steven_wu added a subscriber: steven_wu.EditedAug 10 2023, 8:56 AM

This breaks macOS bot: https://green.lab.llvm.org/green/job/clang-stage1-RA/35236/

arphaman added a subscriber: arphaman.Aug 10 2023, 11:43 AM
arphaman added a comment.Aug 10 2023, 4:48 PM

@vitalybuka could you please take a look at the failure on the macOS bot that Steven highlighted above?

arphaman mentioned this in rGa52c6a877a48: [compiler-rt][test] mark asan/TestCases/Posix/fake_stack_gc.cpp as unsupported….Aug 11 2023, 12:31 PM
arphaman added a comment.Aug 11 2023, 12:32 PM

I marked it as Unsupported on Darwin for now while it's being investigated. Please let me know if you can resolve it.

GitHub <noreply@github.com> mentioned this in rGbeae31523831: [test][asan] Reduce recursion to avoid stack overflow.Aug 11 2023, 2:25 PM
vitalybuka added a comment.Aug 11 2023, 2:29 PM

Thanks for feedback. Probably fixed and reenabled on Darwin.
Recursion stack usage was expected to be least 2Mb (more with redzones), but I allocated only 1Mb. Strange that it consistently passed on Linux x86_64, aarch64 bots.

vitalybuka mentioned this in rG368a0acea56e: Revert part of "[test][asan] Disable new test from D157552 on Android".Aug 11 2023, 3:08 PM
ro added a comment.Aug 12 2023, 1:57 AM
In D157552#4581365, @vitalybuka wrote:

Recursion stack usage was expected to be least 2Mb (more with redzones), but I allocated only 1Mb. Strange that it consistently passed on Linux x86_64, aarch64 bots.

That patch also fixed the Solaris/amd64 buildbot. Thanks.

arphaman added a comment.Aug 14 2023, 3:09 PM

Thanks for feedback. Probably fixed and reenabled on Darwin.

Unfortunately it looks like it still fails on Darwin even after that change:

<stdin>:1:1: note: scanning from here
Assertion failed: (pthread_attr_setstack(&attr, main_stack, kStackSize) == 0), function main, file /Users/buildslave/jenkins/workspace/clang-stage1-RA/llvm-project/compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp, line 79.
^

https://green.lab.llvm.org/green/job/clang-stage1-RA/35285/testReport/junit/AddressSanitizer-x86_64-darwin/TestCases_Posix/fake_stack_gc_cpp/

Could you please take another look?

arphaman mentioned this in rG3e068f2fd7da: [compiler-rt][test] recommit: mark asan/TestCases/Posix/fake_stack_gc.cpp as….Aug 14 2023, 3:16 PM
vitalybuka added a reverting change: rG515c435e378b: [asan] Fix stack pointers comparison in FakeStack.Aug 18 2023, 12:28 AM

Revision Contents

PathSize
compiler-rt/
lib/
asan/
20 lines
test/
asan/
TestCases/
Posix/
92 lines

Diff 548868

compiler-rt/lib/asan/asan_fake_stack.cpp

Show First 20 LinesShow All 127 Lines▼ Show 20 Linesuptr FakeStack::AddrIsInFakeStack(uptr ptr, uptr *frame_beg, uptr *frame_end) {
*frame_beg = res + sizeof(FakeFrame); *frame_beg = res + sizeof(FakeFrame);
return res; return res;
} }
void FakeStack::HandleNoReturn() { void FakeStack::HandleNoReturn() {
needs_gc_ = true; needs_gc_ = true;
} }
// Hack: The statement below is not true if we take into account sigaltstack or
// makecontext. It should be possible to make GC to discard wrong stack frame if
// we use these tools. For now, let's support the simplest case and allow GC to
fmayerUnsubmitted
Not Done
ReplyInline Actions

just confirming (not that familiar with ASan) that this leads to false negatives, correct?

fmayer: just confirming (not that familiar with ASan) that this leads to false negatives, correct?
vitalybukaAuthorUnsubmitted
Done
ReplyInline Actions

No, nested stacks may still cause false positives, if we discard frame, which is actually alive.

vitalybuka: No, nested stacks may still cause false positives, if we discard frame, which is actually alive.
// discard only frames from the default stack, assuming there is no buffer on
// the stack which is used for makecontext or sigaltstack.
//
// When throw, longjmp or some such happens we don't call OnFree() and // When throw, longjmp or some such happens we don't call OnFree() and
// as the result may leak one or more fake frames, but the good news is that // as the result may leak one or more fake frames, but the good news is that
// we are notified about all such events by HandleNoReturn(). // we are notified about all such events by HandleNoReturn().
// If we recently had such no-return event we need to collect garbage frames. // If we recently had such no-return event we need to collect garbage frames.
// We do it based on their 'real_stack' values -- everything that is lower // We do it based on their 'real_stack' values -- everything that is lower
// than the current real_stack is garbage. // than the current real_stack is garbage.
NOINLINE void FakeStack::GC(uptr real_stack) { NOINLINE void FakeStack::GC(uptr real_stack) {
AsanThread *curr_thread = GetCurrentThread();
if (!curr_thread)
return; // Try again when we have a thread.
auto top = curr_thread->stack_top();
auto bottom = curr_thread->stack_bottom();
if (real_stack < top || real_stack > bottom)
return; // Not the default stack.
for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) { for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) {
u8 *flags = GetFlags(stack_size_log(), class_id); u8 *flags = GetFlags(stack_size_log(), class_id);
for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n; for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n;
i++) { i++) {
if (flags[i] == 0) continue; // not allocated. if (flags[i] == 0) continue; // not allocated.
FakeFrame *ff = reinterpret_cast<FakeFrame *>( FakeFrame *ff = reinterpret_cast<FakeFrame *>(
GetFrame(stack_size_log(), class_id, i)); GetFrame(stack_size_log(), class_id, i));
if (ff->real_stack < real_stack) { // GC only on the default stack.
if (ff->real_stack < real_stack && ff->real_stack >= top) {
flags[i] = 0; flags[i] = 0;
// Poison the frame, so the any access will be reported as UAR.
SetShadow(reinterpret_cast<uptr>(ff), BytesInSizeClass(class_id),
kstoimenovUnsubmitted
Done
ReplyInline Actions

Add a comment what is the intent of this code.

kstoimenov: Add a comment what is the intent of this code.
class_id, kMagic8);
} }
} }
} }
needs_gc_ = false; needs_gc_ = false;
} }
void FakeStack::ForEachFakeFrame(RangeIteratorCallback callback, void *arg) { void FakeStack::ForEachFakeFrame(RangeIteratorCallback callback, void *arg) {
for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) { for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) {
▲ Show 20 LinesShow All 151 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Posix/fake_stack_gc.cpp

  • This file was added.
// RUN: %clangxx_asan -O0 -pthread %s -o %t && %env_asan_opts=use_sigaltstack=0 %run not --crash %t 2>&1 | FileCheck %s
// Check that fake stack does not discard frames on the main stack, when GC is
// triggered from high alt stack.
#include <algorithm>
#include <assert.h>
#include <csignal>
#include <cstdint>
#include <pthread.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
const size_t kStackSize = 0x100000;
int *on_thread;
int *p;
template <size_t N> void Fn() {
int t[N];
p = t;
if constexpr (N > 1)
Fn<N - 1>();
}
static void Handler(int signo) {
fprintf(stderr, "Handler Frame:%p\n", __builtin_frame_address(0));
// Trigger GC and create a lot of frame to reuse "Thread" frame if it was
// discarded.
for (int i = 0; i < 1000; ++i)
Fn<1000>();
// If we discarder and reused "Thread" frame, the next line will crash with
// false report.
*on_thread = 10;
fprintf(stderr, "SUCCESS\n");
// CHECK: SUCCESS
}
void *Thread(void *arg) {
fprintf(stderr, "Thread Frame:%p\n", __builtin_frame_address(0));
stack_t stack = {
.ss_sp = arg,
.ss_flags = 0,
.ss_size = kStackSize,
};
assert(sigaltstack(&stack, nullptr) == 0);
struct sigaction sa = {};
sa.sa_handler = Handler;
sa.sa_flags = SA_ONSTACK;
sigaction(SIGABRT, &sa, nullptr);
// Store pointer to the local var, so we can access this frame from the signal
// handler when the frame is still alive.
int n;
on_thread = &n;
// Abort should schedule FakeStack GC and call handler on alt stack.
abort();
}
int main(void) {
// Allocate main and alt stack for future thread.
void *main_stack = malloc(kStackSize);
void *alt_stack = malloc(kStackSize);
// Pick the lower stack as the main stack, as we want to trigger GC in
// FakeStack from alt stack in a such way that main stack is allocated below.
if ((uintptr_t)main_stack > (uintptr_t)alt_stack)
std::swap(alt_stack, main_stack);
pthread_attr_t attr;
assert(pthread_attr_init(&attr) == 0);
assert(pthread_attr_setstack(&attr, main_stack, kStackSize) == 0);
fprintf(stderr, "main_stack: %p-%p\n", main_stack,
(char *)main_stack + kStackSize);
fprintf(stderr, "alt_stack: %p-%p\n", alt_stack,
(char *)alt_stack + kStackSize);
pthread_t tid;
assert(pthread_create(&tid, &attr, Thread, alt_stack) == 0);
pthread_join(tid, nullptr);
free(main_stack);
free(alt_stack);
return 0;
}