This is an archive of the discontinued LLVM Phabricator instance.

Differential D23018

[sanitizer] Implement a __asan_default_options() equivalent for Scudo
ClosedPublic

Authored by cryptoad on Aug 1 2016, 9:16 AM.

Details

Reviewers
kcc
llvm-commits
Commits
rG707894b09270: [sanitizer] Implement a __asan_default_options() equivalent for Scudo
rCRT277536: [sanitizer] Implement a __asan_default_options() equivalent for Scudo
rL277536: [sanitizer] Implement a __asan_default_options() equivalent for Scudo
Summary

Currently, the Scudo Hardened Allocator only gets its flags via the SCUDO_OPTIONS environment variable.
With this patch, we offer the opportunity for programs to define their own options via scudo_default_options() which behaves like asan_default_options() (weak symbol).
A relevant test has been added as well, and the documentation updated accordingly.
I also used this patch as an opportunity to rename a few variables to comply with the LLVM naming scheme, and replaced a use of Report with dieWithMessage for consistency (and to avoid a callback).

Diff Detail

Event Timeline

cryptoad updated this revision to Diff 66331.Aug 1 2016, 9:16 AM
cryptoad retitled this revision from to [sanitizer] Implement a __asan_default_options() equivalent for Scudo.
cryptoad updated this object.
cryptoad added reviewers: kcc, llvm-commits.
kcc edited edge metadata.Aug 2 2016, 11:54 AM

Is your choice of the name (getScudoDefaultOptions, w/o "") deliberate?
With you are guaranteed that no user code will have such a name since __ names are reserved for the implementation.
With getScudoDefaultOptions you don't have such guarantee.

Otherwise LG

cryptoad added a comment.Aug 2 2016, 12:27 PM
In D23018#503660, @kcc wrote:

Is your choice of the name (getScudoDefaultOptions, w/o "") deliberate?
With you are guaranteed that no user code will have such a name since __ names are reserved for the implementation.
With getScudoDefaultOptions you don't have such guarantee.

Otherwise LG

I couldn't find anything in the coding standards (http://llvm.org/docs/CodingStandards.html) that was covering this case, so I went with the default naming for a function.
If that's acceptable to prefix with __, then I am all for it!

kcc added a comment.Aug 2 2016, 2:25 PM

I think it *has* to be prefixed with __ to avoid clashing with user code (according to the C++ standard, afiact, user functions can not start with )
For consistency with asan's asan_default_options, I would call it __scudo_default_options.

(We already broke the consistency a bit by using CamelCase in the names of options)

cryptoad updated this revision to Diff 66567.Aug 2 2016, 3:24 PM
cryptoad updated this object.
cryptoad edited edge metadata.
cryptoad added a comment.Aug 2 2016, 3:27 PM

Diff updated with changes to the documentation. __scudo_default_options is now the name of the weak symbol used for options.
Additionally, using this as a vehicle to remove a use of Report in CheckFailed that was inconsistent with the rest, for the preferred dieWithMessage (this will be needed for the new Printf).

kcc accepted this revision.Aug 2 2016, 3:30 PM
kcc edited edge metadata.

LGTM, let me land it.

This revision is now accepted and ready to land.Aug 2 2016, 3:30 PM
kcc closed this revision.Aug 2 2016, 3:33 PM
eugenis added a subscriber: eugenis.Aug 2 2016, 4:24 PM

/code/llvm/projects/compiler-rt/lib/scudo/scudo_termination.cpp:40:1: error: function declared 'noreturn' should not return [-Werror,-Winvalid-noreturn]
}
^
1 error generated.

Please test with LLVM_ENABLE_WERROR.

Revision Contents

PathSize
docs/
29 lines
projects/
compiler-rt/
lib/
scudo/
2 lines
24 lines
17 lines
2 lines
test/
scudo/
25 lines

Diff 66567

docs/ScudoHardenedAllocator.rst

Show First 20 LinesShow All 83 Lines▼ Show 20 Lines
"whole-archive" linker flag (or equivalent), depending on your linker. "whole-archive" linker flag (or equivalent), depending on your linker.
Additional flags might also be necessary. Additional flags might also be necessary.
Your linked binary should now make use of the Scudo allocation and deallocation Your linked binary should now make use of the Scudo allocation and deallocation
functions. functions.
Options Options
------- -------
Several aspects of the allocator can be configured through environment options, Several aspects of the allocator can be configured through the following ways:
following the usual ASan options syntax, through the variable SCUDO_OPTIONS.
- by defining a __scudo_default_options function in one's program that returns
the options string to be parsed. Said function must have the following
prototype: ``extern "C" const char* __scudo_default_options()``.
- through the environment variable SCUDO_OPTIONS, containing the options string
to be parsed. Options defined this way will override any definition made
through __scudo_default_options;
The options string follows a syntax similar to ASan, where distinct options
can be assigned in the same string, separated by colons.
For example, using the environment variable:
.. code::
SCUDO_OPTIONS="DeleteSizeMismatch=1:QuarantineSizeMb=16" ./a.out
Or using the function:
.. code::
extern "C" const char *__scudo_default_options() {
return "DeleteSizeMismatch=1:QuarantineSizeMb=16";
}
For example: SCUDO_OPTIONS="DeleteSizeMismatch=1:QuarantineSizeMb=16".
The following options are available: The following options are available:
- QuarantineSizeMb (integer, defaults to 64): the size (in Mb) of quarantine - QuarantineSizeMb (integer, defaults to 64): the size (in Mb) of quarantine
used to delay the actual deallocation of chunks. Lower value may reduce used to delay the actual deallocation of chunks. Lower value may reduce
memory usage but decrease the effectiveness of the mitigation; a negative memory usage but decrease the effectiveness of the mitigation; a negative
value will fallback to a default of 64Mb; value will fallback to a default of 64Mb;
Show All 14 Lines

projects/compiler-rt/lib/scudo/scudo_allocator.cpp

Show First 20 LinesShow All 70 Lines▼ Show 20 Linesstruct UnpackedHeader {
u64 RequestedSize : 40; // Needed for reallocation purposes. u64 RequestedSize : 40; // Needed for reallocation purposes.
u8 State : 2; // available, allocated, or quarantined u8 State : 2; // available, allocated, or quarantined
u8 AllocType : 2; // malloc, new, new[], or memalign u8 AllocType : 2; // malloc, new, new[], or memalign
u8 Unused_0_ : 4; u8 Unused_0_ : 4;
// 2nd 8 bytes // 2nd 8 bytes
u64 Offset : 20; // Offset from the beginning of the backend u64 Offset : 20; // Offset from the beginning of the backend
// allocation to the beginning chunk itself, in // allocation to the beginning chunk itself, in
// multiples of MinAlignment. See comment about its // multiples of MinAlignment. See comment about its
// maximum value and test in Initialize. // maximum value and test in init().
u64 Unused_1_ : 28; u64 Unused_1_ : 28;
u16 Salt : 16; u16 Salt : 16;
}; };
COMPILER_CHECK(sizeof(UnpackedHeader) == sizeof(PackedHeader)); COMPILER_CHECK(sizeof(UnpackedHeader) == sizeof(PackedHeader));
const uptr ChunkHeaderSize = sizeof(PackedHeader); const uptr ChunkHeaderSize = sizeof(PackedHeader);
▲ Show 20 LinesShow All 548 LinesShow Last 20 Lines

projects/compiler-rt/lib/scudo/scudo_flags.cpp

Show All 11 Lines
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_flags.h" #include "scudo_flags.h"
#include "scudo_utils.h" #include "scudo_utils.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flag_parser.h"
extern "C" SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE
const char* __scudo_default_options();
namespace __scudo { namespace __scudo {
Flags scudo_flags_dont_use_directly; // use via flags(). Flags ScudoFlags; // Use via getFlags().
void Flags::setDefaults() { void Flags::setDefaults() {
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) Name = DefaultValue; #define SCUDO_FLAG(Type, Name, DefaultValue, Description) Name = DefaultValue;
#include "scudo_flags.inc" #include "scudo_flags.inc"
#undef SCUDO_FLAG #undef SCUDO_FLAG
} }
static void RegisterScudoFlags(FlagParser *parser, Flags *f) { static void RegisterScudoFlags(FlagParser *parser, Flags *f) {
#define SCUDO_FLAG(Type, Name, DefaultValue, Description) \ #define SCUDO_FLAG(Type, Name, DefaultValue, Description) \
RegisterFlag(parser, #Name, Description, &f->Name); RegisterFlag(parser, #Name, Description, &f->Name);
#include "scudo_flags.inc" #include "scudo_flags.inc"
#undef SCUDO_FLAG #undef SCUDO_FLAG
} }
static const char *callGetScudoDefaultOptions() {
return (&__scudo_default_options) ? __scudo_default_options() : "";
}
void initFlags() { void initFlags() {
SetCommonFlagsDefaults(); SetCommonFlagsDefaults();
{ {
CommonFlags cf; CommonFlags cf;
cf.CopyFrom(*common_flags()); cf.CopyFrom(*common_flags());
cf.exitcode = 1; cf.exitcode = 1;
OverrideCommonFlags(cf); OverrideCommonFlags(cf);
} }
Flags *f = getFlags(); Flags *f = getFlags();
f->setDefaults(); f->setDefaults();
FlagParser scudo_parser; FlagParser ScudoParser;
RegisterScudoFlags(&scudo_parser, f); RegisterScudoFlags(&ScudoParser, f);
RegisterCommonFlags(&scudo_parser); RegisterCommonFlags(&ScudoParser);
// Override from user-specified string.
const char *ScudoDefaultOptions = callGetScudoDefaultOptions();
ScudoParser.ParseString(ScudoDefaultOptions);
scudo_parser.ParseString(GetEnv("SCUDO_OPTIONS")); // Override from environment.
ScudoParser.ParseString(GetEnv("SCUDO_OPTIONS"));
InitializeCommonFlags(); InitializeCommonFlags();
// Sanity checks and default settings for the Quarantine parameters. // Sanity checks and default settings for the Quarantine parameters.
if (f->QuarantineSizeMb < 0) { if (f->QuarantineSizeMb < 0) {
const int DefaultQuarantineSizeMb = 64; const int DefaultQuarantineSizeMb = 64;
f->QuarantineSizeMb = DefaultQuarantineSizeMb; f->QuarantineSizeMb = DefaultQuarantineSizeMb;
Show All 9 Linesvoid initFlags() {
// And an upper limit of 128Mb for the thread quarantine cache. // And an upper limit of 128Mb for the thread quarantine cache.
if (f->ThreadLocalQuarantineSizeKb > (128 * 1024)) { if (f->ThreadLocalQuarantineSizeKb > (128 * 1024)) {
dieWithMessage("ERROR: the per thread quarantine cache size is too " dieWithMessage("ERROR: the per thread quarantine cache size is too "
"large\n"); "large\n");
} }
} }
Flags *getFlags() { Flags *getFlags() {
return &scudo_flags_dont_use_directly; return &ScudoFlags;
} }
} }

projects/compiler-rt/lib/scudo/scudo_termination.cpp

//===-- scudo_termination.cpp -----------------------------------*- C++ -*-===// //===-- scudo_termination.cpp -----------------------------------*- C++ -*-===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
/// ///
/// This file contains bare-bones termination functions to replace the /// This file contains bare-bones termination functions to replace the
/// __sanitizer ones, in order to avoid any potential abuse of the callbacks /// __sanitizer ones, in order to avoid any potential abuse of the callbacks
/// functionality. /// functionality.
/// ///
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "scudo_utils.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
namespace __sanitizer { namespace __sanitizer {
bool AddDieCallback(DieCallbackType callback) { return true; } bool AddDieCallback(DieCallbackType Callback) { return true; }
bool RemoveDieCallback(DieCallbackType callback) { return true; } bool RemoveDieCallback(DieCallbackType Callback) { return true; }
void SetUserDieCallback(DieCallbackType callback) {} void SetUserDieCallback(DieCallbackType Callback) {}
void NORETURN Die() { void NORETURN Die() {
if (common_flags()->abort_on_error) if (common_flags()->abort_on_error)
Abort(); Abort();
internal__exit(common_flags()->exitcode); internal__exit(common_flags()->exitcode);
} }
void SetCheckFailedCallback(CheckFailedCallbackType callback) {} void SetCheckFailedCallback(CheckFailedCallbackType callback) {}
void NORETURN CheckFailed(const char *file, int line, const char *cond, void NORETURN CheckFailed(const char *File, int Line, const char *Condition,
u64 v1, u64 v2) { u64 Value1, u64 Value2) {
Report("Sanitizer CHECK failed: %s:%d %s (%lld, %lld)\n", file, line, cond, __scudo::dieWithMessage("Scudo CHECK failed: %s:%d %s (%lld, %lld)\n",
v1, v2); File, Line, Condition, Value1, Value2);
Die();
} }
} // namespace __sanitizer } // namespace __sanitizer

projects/compiler-rt/lib/scudo/scudo_utils.cpp

Show All 27 Lines
extern int VSNPrintf(char *buff, int buff_length, const char *format, extern int VSNPrintf(char *buff, int buff_length, const char *format,
va_list args); va_list args);
} // namespace __sanitizer } // namespace __sanitizer
namespace __scudo { namespace __scudo {
FORMAT(1, 2) FORMAT(1, 2)
void dieWithMessage(const char *Format, ...) { void NORETURN dieWithMessage(const char *Format, ...) {
// Our messages are tiny, 128 characters is more than enough. // Our messages are tiny, 128 characters is more than enough.
char Message[128]; char Message[128];
va_list Args; va_list Args;
va_start(Args, Format); va_start(Args, Format);
__sanitizer::VSNPrintf(Message, sizeof(Message), Format, Args); __sanitizer::VSNPrintf(Message, sizeof(Message), Format, Args);
va_end(Args); va_end(Args);
RawWrite(Message); RawWrite(Message);
Die(); Die();
▲ Show 20 LinesShow All 89 LinesShow Last 20 Lines

projects/compiler-rt/test/scudo/options.cpp

// RUN: %clang_scudo %s -o %t
// RUN: %run %t 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=0 %run %t 2>&1
// RUN: SCUDO_OPTIONS=DeallocationTypeMismatch=1 not %run %t 2>&1 | FileCheck %s
// Tests that the options can be passed using getScudoDefaultOptions, and that
// the environment ones take precedence over them.
#include <stdlib.h>
#include <malloc.h>
extern "C" const char* __scudo_default_options() {
return "DeallocationTypeMismatch=0"; // Defaults to true in scudo_flags.inc.
}
int main(int argc, char **argv)
{
int *p = (int *)malloc(16);
if (!p)
return 1;
delete p;
return 0;
}
// CHECK: ERROR: allocation type mismatch on address