This is an archive of the discontinued LLVM Phabricator instance.

Add red zones to BumpPtrAllocator under ASan
ClosedPublic

Authored by jordan_rose on Mar 7 2017, 3:50 PM.

Download Raw Diff

Details

Reviewers

pete
kubamracek

Summary

To help catch buffer overruns, this patch changes BumpPtrAllocator to insert an extra unused byte between allocations when building with ASan. SpecificBumpPtrAllocator opts out of this behavior, since it needs to destroy its items later by walking the allocated memory.

I wrote this up while trying to catch a bug. It didn't actually catch anything new, but I didn't want it to go to waste. Do people think it's generally useful?

Diff Detail

Repository: rL LLVM

Event Timeline

jordan_rose created this revision.Mar 7 2017, 3:50 PM

Very cool. Justin and I looked at ASan on BumpPtrAllocator a while ago and I think this would have been useful then too. I think the reason you didn't find issues is that he fixed many of them already.

I think we could support SpecificBumpPtrAllocator but it would require walking the objects by 'sizeof(T) + RedZoneSize'. RedZoneSize itself would also have to be set to make sure we continue to have appropriate alignment. Not something you need to do now, but could be interesting in future.

So LGTM. Thanks!

This revision is now accepted and ready to land.Mar 8 2017, 11:34 AM

Thanks, Pete! Will land soon, then.

I think we could support SpecificBumpPtrAllocator but it would require walking the objects by 'sizeof(T) + RedZoneSize'. RedZoneSize itself would also have to be set to make sure we continue to have appropriate alignment. Not something you need to do now, but could be interesting in future.

FWIW, this doesn't work as is because SpecificBumpPtrAllocator lets you allocate *arrays* of objects as well as single objects, and the arrays obviously can't have red zones between elements.

In D30723#695798, @jordan_rose wrote:

Thanks, Pete! Will land soon, then.

I think we could support SpecificBumpPtrAllocator but it would require walking the objects by 'sizeof(T) + RedZoneSize'. RedZoneSize itself would also have to be set to make sure we continue to have appropriate alignment. Not something you need to do now, but could be interesting in future.

FWIW, this doesn't work as is because SpecificBumpPtrAllocator lets you allocate *arrays* of objects as well as single objects, and the arrays obviously can't have red zones between elements.

Good point. Never thought of that. Wouldn't be surprised if there's a whole bunch of users who never use arrays and could benefit, but still something to think about more.

Committed in rL297310.

Revision Contents

Path

Size

include/

llvm/

Support/

Allocator.h

33 lines

Diff 90956

include/llvm/Support/Allocator.h

Show First 20 Lines • Show All 150 Lines • ▼ Show 20 Lines	BumpPtrAllocatorImpl(T &&Allocator)
: CurPtr(nullptr), End(nullptr), BytesAllocated(0),		: CurPtr(nullptr), End(nullptr), BytesAllocated(0),
Allocator(std::forward<T &&>(Allocator)) {}		Allocator(std::forward<T &&>(Allocator)) {}

// Manually implement a move constructor as we must clear the old allocator's		// Manually implement a move constructor as we must clear the old allocator's
// slabs as a matter of correctness.		// slabs as a matter of correctness.
BumpPtrAllocatorImpl(BumpPtrAllocatorImpl &&Old)		BumpPtrAllocatorImpl(BumpPtrAllocatorImpl &&Old)
: CurPtr(Old.CurPtr), End(Old.End), Slabs(std::move(Old.Slabs)),		: CurPtr(Old.CurPtr), End(Old.End), Slabs(std::move(Old.Slabs)),
CustomSizedSlabs(std::move(Old.CustomSizedSlabs)),		CustomSizedSlabs(std::move(Old.CustomSizedSlabs)),
BytesAllocated(Old.BytesAllocated),		BytesAllocated(Old.BytesAllocated), RedZoneSize(Old.RedZoneSize),
Allocator(std::move(Old.Allocator)) {		Allocator(std::move(Old.Allocator)) {
Old.CurPtr = Old.End = nullptr;		Old.CurPtr = Old.End = nullptr;
Old.BytesAllocated = 0;		Old.BytesAllocated = 0;
Old.Slabs.clear();		Old.Slabs.clear();
Old.CustomSizedSlabs.clear();		Old.CustomSizedSlabs.clear();
}		}

~BumpPtrAllocatorImpl() {		~BumpPtrAllocatorImpl() {
DeallocateSlabs(Slabs.begin(), Slabs.end());		DeallocateSlabs(Slabs.begin(), Slabs.end());
DeallocateCustomSizedSlabs();		DeallocateCustomSizedSlabs();
}		}

BumpPtrAllocatorImpl &operator=(BumpPtrAllocatorImpl &&RHS) {		BumpPtrAllocatorImpl &operator=(BumpPtrAllocatorImpl &&RHS) {
DeallocateSlabs(Slabs.begin(), Slabs.end());		DeallocateSlabs(Slabs.begin(), Slabs.end());
DeallocateCustomSizedSlabs();		DeallocateCustomSizedSlabs();

CurPtr = RHS.CurPtr;		CurPtr = RHS.CurPtr;
End = RHS.End;		End = RHS.End;
BytesAllocated = RHS.BytesAllocated;		BytesAllocated = RHS.BytesAllocated;
		RedZoneSize = RHS.RedZoneSize;
Slabs = std::move(RHS.Slabs);		Slabs = std::move(RHS.Slabs);
CustomSizedSlabs = std::move(RHS.CustomSizedSlabs);		CustomSizedSlabs = std::move(RHS.CustomSizedSlabs);
Allocator = std::move(RHS.Allocator);		Allocator = std::move(RHS.Allocator);

RHS.CurPtr = RHS.End = nullptr;		RHS.CurPtr = RHS.End = nullptr;
RHS.BytesAllocated = 0;		RHS.BytesAllocated = 0;
RHS.Slabs.clear();		RHS.Slabs.clear();
RHS.CustomSizedSlabs.clear();		RHS.CustomSizedSlabs.clear();
Show All 26 Lines	Allocate(size_t Size, size_t Alignment) {
assert(Alignment > 0 && "0-byte alignnment is not allowed. Use 1 instead.");		assert(Alignment > 0 && "0-byte alignnment is not allowed. Use 1 instead.");

// Keep track of how many bytes we've allocated.		// Keep track of how many bytes we've allocated.
BytesAllocated += Size;		BytesAllocated += Size;

size_t Adjustment = alignmentAdjustment(CurPtr, Alignment);		size_t Adjustment = alignmentAdjustment(CurPtr, Alignment);
assert(Adjustment + Size >= Size && "Adjustment + Size must not overflow");		assert(Adjustment + Size >= Size && "Adjustment + Size must not overflow");

		size_t SizeToAllocate = Size;
		#if LLVM_ADDRESS_SANITIZER_BUILD
		// Add a trailing byte as a "red zone" under ASan.
		SizeToAllocate += RedZoneSize;
		#endif

// Check if we have enough space.		// Check if we have enough space.
if (Adjustment + Size <= size_t(End - CurPtr)) {		if (Adjustment + SizeToAllocate <= size_t(End - CurPtr)) {
char *AlignedPtr = CurPtr + Adjustment;		char *AlignedPtr = CurPtr + Adjustment;
CurPtr = AlignedPtr + Size;		CurPtr = AlignedPtr + SizeToAllocate;
// Update the allocation point of this memory block in MemorySanitizer.		// Update the allocation point of this memory block in MemorySanitizer.
// Without this, MemorySanitizer messages for values originated from here		// Without this, MemorySanitizer messages for values originated from here
// will point to the allocation of the entire slab.		// will point to the allocation of the entire slab.
__msan_allocated_memory(AlignedPtr, Size);		__msan_allocated_memory(AlignedPtr, Size);
// Similarly, tell ASan about this space.		// Similarly, tell ASan about this space.
__asan_unpoison_memory_region(AlignedPtr, Size);		__asan_unpoison_memory_region(AlignedPtr, Size);
return AlignedPtr;		return AlignedPtr;
}		}

// If Size is really big, allocate a separate slab for it.		// If Size is really big, allocate a separate slab for it.
size_t PaddedSize = Size + Alignment - 1;		size_t PaddedSize = SizeToAllocate + Alignment - 1;
if (PaddedSize > SizeThreshold) {		if (PaddedSize > SizeThreshold) {
void *NewSlab = Allocator.Allocate(PaddedSize, 0);		void *NewSlab = Allocator.Allocate(PaddedSize, 0);
// We own the new slab and don't want anyone reading anyting other than		// We own the new slab and don't want anyone reading anyting other than
// pieces returned from this method. So poison the whole slab.		// pieces returned from this method. So poison the whole slab.
__asan_poison_memory_region(NewSlab, PaddedSize);		__asan_poison_memory_region(NewSlab, PaddedSize);
CustomSizedSlabs.push_back(std::make_pair(NewSlab, PaddedSize));		CustomSizedSlabs.push_back(std::make_pair(NewSlab, PaddedSize));

uintptr_t AlignedAddr = alignAddr(NewSlab, Alignment);		uintptr_t AlignedAddr = alignAddr(NewSlab, Alignment);
assert(AlignedAddr + Size <= (uintptr_t)NewSlab + PaddedSize);		assert(AlignedAddr + Size <= (uintptr_t)NewSlab + PaddedSize);
char AlignedPtr = (char)AlignedAddr;		char AlignedPtr = (char)AlignedAddr;
__msan_allocated_memory(AlignedPtr, Size);		__msan_allocated_memory(AlignedPtr, Size);
__asan_unpoison_memory_region(AlignedPtr, Size);		__asan_unpoison_memory_region(AlignedPtr, Size);
return AlignedPtr;		return AlignedPtr;
}		}

// Otherwise, start a new slab and try again.		// Otherwise, start a new slab and try again.
StartNewSlab();		StartNewSlab();
uintptr_t AlignedAddr = alignAddr(CurPtr, Alignment);		uintptr_t AlignedAddr = alignAddr(CurPtr, Alignment);
assert(AlignedAddr + Size <= (uintptr_t)End &&		assert(AlignedAddr + SizeToAllocate <= (uintptr_t)End &&
"Unable to allocate memory!");		"Unable to allocate memory!");
char AlignedPtr = (char)AlignedAddr;		char AlignedPtr = (char)AlignedAddr;
CurPtr = AlignedPtr + Size;		CurPtr = AlignedPtr + SizeToAllocate;
__msan_allocated_memory(AlignedPtr, Size);		__msan_allocated_memory(AlignedPtr, Size);
__asan_unpoison_memory_region(AlignedPtr, Size);		__asan_unpoison_memory_region(AlignedPtr, Size);
return AlignedPtr;		return AlignedPtr;
}		}

// Pull in base class overloads.		// Pull in base class overloads.
using AllocatorBase<BumpPtrAllocatorImpl>::Allocate;		using AllocatorBase<BumpPtrAllocatorImpl>::Allocate;

Show All 12 Lines	for (auto I = Slabs.begin(), E = Slabs.end(); I != E; ++I)
TotalMemory += computeSlabSize(std::distance(Slabs.begin(), I));		TotalMemory += computeSlabSize(std::distance(Slabs.begin(), I));
for (auto &PtrAndSize : CustomSizedSlabs)		for (auto &PtrAndSize : CustomSizedSlabs)
TotalMemory += PtrAndSize.second;		TotalMemory += PtrAndSize.second;
return TotalMemory;		return TotalMemory;
}		}

size_t getBytesAllocated() const { return BytesAllocated; }		size_t getBytesAllocated() const { return BytesAllocated; }

		void setRedZoneSize(size_t NewSize) {
		RedZoneSize = NewSize;
		}

void PrintStats() const {		void PrintStats() const {
detail::printBumpPtrAllocatorStats(Slabs.size(), BytesAllocated,		detail::printBumpPtrAllocatorStats(Slabs.size(), BytesAllocated,
getTotalMemory());		getTotalMemory());
}		}

private:		private:
/// \brief The current pointer into the current slab.		/// \brief The current pointer into the current slab.
///		///
Show All 9 Lines	private:
/// \brief Custom-sized slabs allocated for too-large allocation requests.		/// \brief Custom-sized slabs allocated for too-large allocation requests.
SmallVector<std::pair<void *, size_t>, 0> CustomSizedSlabs;		SmallVector<std::pair<void *, size_t>, 0> CustomSizedSlabs;

/// \brief How many bytes we've allocated.		/// \brief How many bytes we've allocated.
///		///
/// Used so that we can compute how much space was wasted.		/// Used so that we can compute how much space was wasted.
size_t BytesAllocated;		size_t BytesAllocated;

		/// \brief The number of bytes to put between allocations when running under
		/// a sanitizer.
		size_t RedZoneSize = 1;

/// \brief The allocator instance we use to get slabs of memory.		/// \brief The allocator instance we use to get slabs of memory.
AllocatorT Allocator;		AllocatorT Allocator;

static size_t computeSlabSize(unsigned SlabIdx) {		static size_t computeSlabSize(unsigned SlabIdx) {
// Scale the actual allocated slab size based on the number of slabs		// Scale the actual allocated slab size based on the number of slabs
// allocated. Every 128 slabs allocated, we double the allocated size to		// allocated. Every 128 slabs allocated, we double the allocated size to
// reduce allocation frequency, but saturate at multiplying the slab size by		// reduce allocation frequency, but saturate at multiplying the slab size by
// 2^30.		// 2^30.
▲ Show 20 Lines • Show All 45 Lines • ▼ Show 20 Lines
/// allocated.		/// allocated.
///		///
/// This allows calling the destructor in DestroyAll() and when the allocator is		/// This allows calling the destructor in DestroyAll() and when the allocator is
/// destroyed.		/// destroyed.
template <typename T> class SpecificBumpPtrAllocator {		template <typename T> class SpecificBumpPtrAllocator {
BumpPtrAllocator Allocator;		BumpPtrAllocator Allocator;

public:		public:
SpecificBumpPtrAllocator() = default;		SpecificBumpPtrAllocator() {
		// Because SpecificBumpPtrAllocator walks the memory to call destructors,
		// it can't have red zones between allocations.
		Allocator.setRedZoneSize(0);
		}
SpecificBumpPtrAllocator(SpecificBumpPtrAllocator &&Old)		SpecificBumpPtrAllocator(SpecificBumpPtrAllocator &&Old)
: Allocator(std::move(Old.Allocator)) {}		: Allocator(std::move(Old.Allocator)) {}
~SpecificBumpPtrAllocator() { DestroyAll(); }		~SpecificBumpPtrAllocator() { DestroyAll(); }

SpecificBumpPtrAllocator &operator=(SpecificBumpPtrAllocator &&RHS) {		SpecificBumpPtrAllocator &operator=(SpecificBumpPtrAllocator &&RHS) {
Allocator = std::move(RHS.Allocator);		Allocator = std::move(RHS.Allocator);
return *this;		return *this;
}		}
▲ Show 20 Lines • Show All 60 Lines • Show Last 20 Lines