This is an archive of the discontinued LLVM Phabricator instance.

Differential D35704

added reset feature to dfsan
Needs ReviewPublic

Authored by farahhariri on Jul 20 2017, 3:47 PM.

Details

Reviewers
kcc
pcc
Summary

Adding reset feature to dfsan. This is especially needed in the context of fuzzing. Otherwise, we would run out of labels very fast.

Diff Detail

Event Timeline

farahhariri created this revision.Jul 20 2017, 3:47 PM
kcc edited edge metadata.Jul 24 2017, 11:42 AM

also, would like to hear from @pcc

include/sanitizer/dfsan_interface.h
55

Explain thread-[un]safety
I assume this function is *not* thread safe and thus the comment must be clear on this topic.
Add '.' at the end

lib/dfsan/dfsan.cc
180

Add some code to check-fail in case __dfsan_last_label has changed (i.e. to check that no other threads are messing around)

Then, add a test with threads that will trigger that check-fail.

pcc added inline comments.Jul 24 2017, 2:49 PM
include/sanitizer/dfsan_interface.h
55

Please also document that there should also be no active stack frames which may be processing values with non-zero labels.

test/dfsan/reset.cc
19

Is this safe, given the constraint I mentioned above? I'd prefer to move the code that creates labels into a separate function.

farahhariri added inline comments.Jul 26 2017, 3:27 PM
lib/dfsan/dfsan.cc
180

Then, add a test with threads that will trigger that check-fail.

That means I will have to add a flaky test that sometimes passes and sometimes fails.
I cannot guarantee that the scheduler will switch context between the atomic store and
the check-fail to another thread, and then switch back to the check-fail. That's the only
way to guarantee it will fail..

kcc added inline comments.Jul 26 2017, 3:33 PM
lib/dfsan/dfsan.cc
180

You can create a test that runs a very long loop in a thread and thus guarantee that the test will crash 9999999999999999 our of 100000000000000 times.

farahhariri updated this revision to Diff 108683.Jul 28 2017, 11:18 AM

addressed concerns related to multithreaded code

Harbormaster completed remote builds in B8699: Diff 108683.Jul 28 2017, 11:18 AM
farahhariri marked 3 inline comments as done.Jul 28 2017, 11:22 AM
farahhariri added inline comments.
lib/dfsan/dfsan.cc
180

I tried that and let it run for 12+ hours and could not trigger the assertion after the atomic store to fail. But what I did is control the thread scheduling from the test and make an assertion in that test fail (check the update).

pcc added inline comments.Jul 31 2017, 5:04 PM
lib/dfsan/dfsan.cc
175

Is this part necessary? I believe that the mmap call above will also reset the union table to zero.

test/dfsan/reset_multithread.cc
21

Is this really testing for the property that Kostya mentioned? It seems like it is trying to reproduce the scenario where the labels are created in the other thread *after* (i.e. not parallel with) the reset. You might have better luck reproducing if you change the dfsan_reset function to do this:

void dfsan_reset() {
  atomic store to dfsan_last_label;
  mmap;
  assert(atomic load from dfan_last_label == 0);
}
farahhariri updated this revision to Diff 109186.Aug 1 2017, 12:56 PM

removed unecessary reset, and fixed multithreaded test.

farahhariri marked 2 inline comments as done.Aug 1 2017, 12:59 PM
farahhariri added inline comments.
lib/dfsan/dfsan.cc
175

You're right it's not. Thanks!

farahhariri updated this revision to Diff 110231.Aug 8 2017, 10:44 AM
farahhariri marked 6 inline comments as done.
This comment was removed by farahhariri.
Harbormaster completed remote builds in B9143: Diff 110231.Aug 8 2017, 10:44 AM
pcc edited edge metadata.Aug 8 2017, 10:51 AM

Please add the other hooks in a separate patch.

test/dfsan/reset_multithread.cc
20

Is this assert necessary? It's basically testing for the same thing as the assert in dfsan_reset, isn't it?

farahhariri updated this revision to Diff 110232.Aug 8 2017, 10:51 AM
This comment was removed by farahhariri.
Harbormaster completed remote builds in B9144: Diff 110232.Aug 8 2017, 10:53 AM
farahhariri added a child revision: D36476: (1) bring back support of dfsan into libFuzzer (2) introduce more dfsan hooks (3) introduce a bias in mutations towards locations found by dfsan (4) add support for taking input from static analyzer abouts hints to potentially buggy locations and....Aug 8 2017, 10:59 AM

Revision Contents

PathSize
include/
sanitizer/
7 lines
lib/
dfsan/
1 line
15 lines
2 lines
test/
dfsan/
26 lines
30 lines

Diff 110232

include/sanitizer/dfsan_interface.h

Show First 20 LinesShow All 46 Lines▼ Show 20 Lines
dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2); dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2);
/// Creates and returns a base label with the given description and user data. /// Creates and returns a base label with the given description and user data.
dfsan_label dfsan_create_label(const char *desc, void *userdata); dfsan_label dfsan_create_label(const char *desc, void *userdata);
/// Sets the label for each address in [addr,addr+size) to \c label. /// Sets the label for each address in [addr,addr+size) to \c label.
void dfsan_set_label(dfsan_label label, void *addr, size_t size); void dfsan_set_label(dfsan_label label, void *addr, size_t size);
// Reset labels and shadow memory for dfsan to restart from clean.
kccUnsubmitted
Done
ReplyInline Actions

Explain thread-[un]safety
I assume this function is *not* thread safe and thus the comment must be clear on this topic.
Add '.' at the end

kcc: Explain thread-[un]safety I assume this function is *not* thread safe and thus the comment must…
pccUnsubmitted
Done
ReplyInline Actions

Please also document that there should also be no active stack frames which may be processing values with non-zero labels.

pcc: Please also document that there should also be no active stack frames which may be processing…
// This is intended to work in a single threaded setting (main use
// case is to avoid running out of labels in fuzzing).
// This function is not safe to use in multithreaded code or when
// there are active stack frames processing non-zero labels.
void dfsan_reset(void);
/// Sets the label for each address in [addr,addr+size) to the union of the /// Sets the label for each address in [addr,addr+size) to the union of the
/// current label for that address and \c label. /// current label for that address and \c label.
void dfsan_add_label(dfsan_label label, void *addr, size_t size); void dfsan_add_label(dfsan_label label, void *addr, size_t size);
/// Retrieves the label associated with the given data. /// Retrieves the label associated with the given data.
/// ///
/// The type of 'data' is arbitrary. The function accepts a value of any type, /// The type of 'data' is arbitrary. The function accepts a value of any type,
/// which can be truncated or extended (implicitly or explicitly) as necessary. /// which can be truncated or extended (implicitly or explicitly) as necessary.
▲ Show 20 LinesShow All 54 LinesShow Last 20 Lines

lib/dfsan/dfsan.h

Show All 28 Linesstruct dfsan_label_info {
dfsan_label l2; dfsan_label l2;
const char *desc; const char *desc;
void *userdata; void *userdata;
}; };
extern "C" { extern "C" {
void dfsan_add_label(dfsan_label label, void *addr, uptr size); void dfsan_add_label(dfsan_label label, void *addr, uptr size);
void dfsan_set_label(dfsan_label label, void *addr, uptr size); void dfsan_set_label(dfsan_label label, void *addr, uptr size);
void dfsan_reset(void);
dfsan_label dfsan_read_label(const void *addr, uptr size); dfsan_label dfsan_read_label(const void *addr, uptr size);
dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2); dfsan_label dfsan_union(dfsan_label l1, dfsan_label l2);
} // extern "C" } // extern "C"
template <typename T> template <typename T>
void dfsan_set_label(dfsan_label label, T &data) { // NOLINT void dfsan_set_label(dfsan_label label, T &data) { // NOLINT
dfsan_set_label(label, (void *)&data, sizeof(T)); dfsan_set_label(label, (void *)&data, sizeof(T));
} }
Show All 29 Lines

lib/dfsan/dfsan.cc

Show All 20 Lines
#include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flag_parser.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "dfsan/dfsan.h" #include "dfsan/dfsan.h"
#include <assert.h>
using namespace __dfsan; using namespace __dfsan;
typedef atomic_uint16_t atomic_dfsan_label; typedef atomic_uint16_t atomic_dfsan_label;
static const dfsan_label kInitializingLabel = -1; static const dfsan_label kInitializingLabel = -1;
static const uptr kNumLabels = 1 << (sizeof(dfsan_label) * 8); static const uptr kNumLabels = 1 << (sizeof(dfsan_label) * 8);
▲ Show 20 LinesShow All 116 Lines▼ Show 20 Lines
// Checks we do not run out of labels. // Checks we do not run out of labels.
static void dfsan_check_label(dfsan_label label) { static void dfsan_check_label(dfsan_label label) {
if (label == kInitializingLabel) { if (label == kInitializingLabel) {
Report("FATAL: DataFlowSanitizer: out of labels\n"); Report("FATAL: DataFlowSanitizer: out of labels\n");
Die(); Die();
} }
} }
// Reset labels and shadow memory for dfsan to restart from clean.
// This is intended to work in a single threaded setting (to avoid
// running out of labels in fuzzing).
// This function is not safe to use in multithreaded code or when
// there are active stack frames processing non-zero labels.
extern "C" SANITIZER_INTERFACE_ATTRIBUTE
void dfsan_reset(void) {
// reset label count
atomic_store(&__dfsan_last_label, 0, memory_order_relaxed);
// reset shadow memory
MmapFixedNoReserve(ShadowAddr(), UnusedAddr() - ShadowAddr());
assert(atomic_load(&__dfsan_last_label, memory_order_relaxed) == 0);
}
pccUnsubmitted
Done
ReplyInline Actions

Is this part necessary? I believe that the mmap call above will also reset the union table to zero.

pcc: Is this part necessary? I believe that the mmap call above will also reset the union table to…
farahhaririAuthorUnsubmitted
Done
ReplyInline Actions

You're right it's not. Thanks!

farahhariri: You're right it's not. Thanks!
// Resolves the union of two unequal labels. Nonequality is a precondition for // Resolves the union of two unequal labels. Nonequality is a precondition for
// this function (the instrumentation pass inlines the equality test). // this function (the instrumentation pass inlines the equality test).
extern "C" SANITIZER_INTERFACE_ATTRIBUTE extern "C" SANITIZER_INTERFACE_ATTRIBUTE
dfsan_label __dfsan_union(dfsan_label l1, dfsan_label l2) { dfsan_label __dfsan_union(dfsan_label l1, dfsan_label l2) {
DCHECK_NE(l1, l2); DCHECK_NE(l1, l2);
kccUnsubmitted
Done
ReplyInline Actions

Add some code to check-fail in case __dfsan_last_label has changed (i.e. to check that no other threads are messing around)

Then, add a test with threads that will trigger that check-fail.

kcc: Add some code to check-fail in case __dfsan_last_label has changed (i.e. to check that no other…
farahhaririAuthorUnsubmitted
Done
ReplyInline Actions

Then, add a test with threads that will trigger that check-fail.

That means I will have to add a flaky test that sometimes passes and sometimes fails.
I cannot guarantee that the scheduler will switch context between the atomic store and
the check-fail to another thread, and then switch back to the check-fail. That's the only
way to guarantee it will fail..

farahhariri: > Then, add a test with threads that will trigger that check-fail. That means I will have to…
kccUnsubmitted
Done
ReplyInline Actions

You can create a test that runs a very long loop in a thread and thus guarantee that the test will crash 9999999999999999 our of 100000000000000 times.

kcc: You can create a test that runs a very long loop in a thread and thus guarantee that the test…
farahhaririAuthorUnsubmitted
Done
ReplyInline Actions

I tried that and let it run for 12+ hours and could not trigger the assertion after the atomic store to fail. But what I did is control the thread scheduling from the test and make an assertion in that test fail (check the update).

farahhariri: I tried that and let it run for 12+ hours and could not trigger the assertion after the atomic…
if (l1 == 0) if (l1 == 0)
return l2; return l2;
if (l2 == 0) if (l2 == 0)
return l1; return l1;
if (l1 > l2) if (l1 > l2)
Swap(l1, l2); Swap(l1, l2);
▲ Show 20 LinesShow All 278 LinesShow Last 20 Lines

lib/dfsan/done_abilist.txt

fun:main=uninstrumented fun:main=uninstrumented
fun:main=discard fun:main=discard
############################################################################### ###############################################################################
# DFSan interface functions # DFSan interface functions
############################################################################### ###############################################################################
fun:dfsan_union=uninstrumented fun:dfsan_union=uninstrumented
fun:dfsan_union=discard fun:dfsan_union=discard
fun:dfsan_reset=uninstrumented
fun:dfsan_reset=discard
fun:dfsan_create_label=uninstrumented fun:dfsan_create_label=uninstrumented
fun:dfsan_create_label=discard fun:dfsan_create_label=discard
fun:dfsan_set_label=uninstrumented fun:dfsan_set_label=uninstrumented
fun:dfsan_set_label=discard fun:dfsan_set_label=discard
fun:dfsan_add_label=uninstrumented fun:dfsan_add_label=uninstrumented
fun:dfsan_add_label=discard fun:dfsan_add_label=discard
fun:dfsan_get_label=uninstrumented fun:dfsan_get_label=uninstrumented
fun:dfsan_get_label=custom fun:dfsan_get_label=custom
▲ Show 20 LinesShow All 282 LinesShow Last 20 Lines

test/dfsan/reset.cc

  • This file was added.
// RUN: %clang_dfsan %s -o %t && %run %t
// RUN: %clang_dfsan -mllvm -dfsan-args-abi %s -o %t && %run %t
// Tests that dfsan is reset correctly in single threaded code.
#include <sanitizer/dfsan_interface.h>
#include <assert.h>
void foo() {
int i = 1;
int j = 1;
dfsan_label i_label = dfsan_create_label("i", 0);
dfsan_set_label(i_label, &i, sizeof(i));
dfsan_label j_label = dfsan_create_label("j", 0);
dfsan_add_label(j_label, &j, sizeof(j));
}
int main(void) {
pccUnsubmitted
Done
ReplyInline Actions

Is this safe, given the constraint I mentioned above? I'd prefer to move the code that creates labels into a separate function.

pcc: Is this safe, given the constraint I mentioned above? I'd prefer to move the code that creates…
foo();
assert(dfsan_get_label_count() == 2);
dfsan_reset();
assert(dfsan_get_label_count() == 0);
return 0;
}

test/dfsan/reset_multithread.cc

  • This file was added.
// RUN: %clang_dfsan %s -o %t && %run %t
// RUN: %clang_dfsan -mllvm -dfsan-args-abi %s -o %t && %run %t
// XFAIL: *
// Tests that dfsan runtime is reset can be violated in multithreaded settings.
#include <sanitizer/dfsan_interface.h>
#include <assert.h>
#include <pthread.h>
void *baz(void* unused) {
for(int i = 0; i < 1000000000; i++) {
for(int k = 0; k < 100; k++) {
int j = 1;
dfsan_label j_label = dfsan_create_label("j", 0);
dfsan_set_label(j_label, &j, sizeof(j));
}
dfsan_reset();
assert(dfsan_get_label_count() == 0);
}
pccUnsubmitted
Not Done
ReplyInline Actions

Is this assert necessary? It's basically testing for the same thing as the assert in dfsan_reset, isn't it?

pcc: Is this assert necessary? It's basically testing for the same thing as the assert in…
}
pccUnsubmitted
Done
ReplyInline Actions

Is this really testing for the property that Kostya mentioned? It seems like it is trying to reproduce the scenario where the labels are created in the other thread *after* (i.e. not parallel with) the reset. You might have better luck reproducing if you change the dfsan_reset function to do this:

void dfsan_reset() {
  atomic store to dfsan_last_label;
  mmap;
  assert(atomic load from dfan_last_label == 0);
}
pcc: Is this really testing for the property that Kostya mentioned? It seems like it is trying to…
int main(void) {
pthread_t t1, t2;
pthread_create(&t1, NULL, baz, NULL);
pthread_create(&t2, NULL, baz, NULL);
pthread_join(t1, NULL);
pthread_join(t2, NULL);
return 0;
}