This is an archive of the discontinued LLVM Phabricator instance.

Differential D39072

Introduce ReservedAddressRange to sanitizer_common.
ClosedPublic

Authored by flowerhack on Oct 18 2017, 2:48 PM.

Details

Reviewers
alekseyshl
cryptoad
phosek
Commits
rG96da9fa4ca74: Introduce ReservedAddressRange to sanitizer_common.
rCRT316934: Introduce ReservedAddressRange to sanitizer_common.
rL316934: Introduce ReservedAddressRange to sanitizer_common.
Summary

Fixed version of https://reviews.llvm.org/D38437 (fixes Win/Fuchsia failures).

Creating a new revision, since the old one was getting a bit old/crowded.

In Fuchsia, MmapNoAccess/MmapFixedOrDie are implemented using a global
VMAR, which means that MmapNoAccess can only be called once. This works
for the sanitizer allocator but *not* for the Scudo allocator.

Hence, this changeset introduces a new ReservedAddressRange object to
serve as the new API for these calls. In this changeset, the object
still calls into the old Mmap implementations.

The next changeset two changesets will convert the sanitizer and scudo
allocators to use the new APIs, respectively. (ReservedAddressRange will
replace the SecondaryHeader in Scudo.)

Finally, a last changeset will update the Fuchsia implementation.

Diff Detail

Event Timeline

flowerhack created this revision.Oct 18 2017, 2:48 PM
Herald added a subscriber: kubamracek. · View Herald TranscriptOct 18 2017, 2:48 PM
flowerhack updated this revision to Diff 119537.Oct 18 2017, 4:59 PM
flowerhack added reviewers: alekseyshl, cryptoad, phosek.

@phosek ; if you could run this on Windows for me i'd much appreciate it!

cryptoad added inline comments.Oct 20 2017, 4:19 PM
lib/sanitizer_common/sanitizer_win.cc
252

To avoid any further problem with Windows, it might be worth enforcing addr == base_ and size == size_ in just this one.

lib/sanitizer_common/tests/sanitizer_common_test.cc
14

I don't think this is going to work for Windows.

flowerhack updated this revision to Diff 119983.Oct 23 2017, 6:14 PM
flowerhack marked 2 inline comments as done.
flowerhack added inline comments.
lib/sanitizer_common/tests/sanitizer_common_test.cc
14

gotcha, updated it to work with win APIs.

still don't have a test environment, alas-- phosek@, can you run it on your box? thanks!

cryptoad edited edge metadata.Oct 25 2017, 10:50 AM

I am gonna test with the current version of the patch minus the inline comment and let you know what's up (on Linux & Android).

lib/sanitizer_common/sanitizer_common.h
136

This one and the next should be void *blah() const {blah;} (as we did before, I am not sure why it came back again that way).

flowerhack updated this revision to Diff 120298.Oct 25 2017, 1:06 PM
flowerhack marked an inline comment as done.
flowerhack added inline comments.
lib/sanitizer_common/sanitizer_common.h
136

oh weird. fixed!

cryptoad added a comment.Oct 25 2017, 1:18 PM

So it looks good/works on Linux/Android in my local testing environment.
I'll let someone else comment further.
The only thing that I can see being somewhat off is the use of msync/FlushViewOfFile. I think those tests shouldn't rely on a platform specific function like this. What was the reason for it?

flowerhack updated this revision to Diff 120310.Oct 25 2017, 2:15 PM

chatted w/ cryptoad@ a bit offline; decided the msync checks were unnecessary & removed them

flowerhack updated this revision to Diff 120311.Oct 25 2017, 2:17 PM
flowerhack updated this revision to Diff 120314.
cryptoad added inline comments.Oct 27 2017, 8:37 AM
lib/sanitizer_common/tests/sanitizer_common_test.cc
350

memcpy(buffer, reinterpret_cast<void *>(res), init_size);

flowerhack updated this revision to Diff 120626.Oct 27 2017, 9:07 AM
flowerhack marked an inline comment as done.
cryptoad added inline comments.Oct 27 2017, 9:30 AM
lib/sanitizer_common/sanitizer_fuchsia.cc
258

Same: CHECK_EQ(..., true) -> CHECK()

261

Here you actually want CHECK_LE(size, size_).
If addr_as_void == base_ then CHECK_LE(size, (base_as_uptr + size_) - addr) -> CHECK_LE(size, size_)
If addr + size == base_as_uptr + size_ then that CHECK_LE is true anyway, but with size <= size_ you ensure there is no overflow.
And remove the comment on the line before.

lib/sanitizer_common/sanitizer_posix_libcdep.cc
365

Same: CHECK_EQ(..., true) -> CHECK()

368

Same CHECK_LE(size, size_) (comment on the previous line becomes extraneous).

lib/sanitizer_common/sanitizer_win.cc
252

Use CHECK((addr_as_void == base_) && (size == size_)) rather than CHECK_EQ(..., true)

254

Unneeded for Windows since size == size_ and base_ == addr.

flowerhack updated this revision to Diff 120671.Oct 27 2017, 12:05 PM
flowerhack marked 5 inline comments as done.
cryptoad accepted this revision.Oct 27 2017, 12:20 PM

Linux/Android tests pass in my local environment.
Might want another LGTM from someone else though.

This revision is now accepted and ready to land.Oct 27 2017, 12:20 PM
flowerhack added a comment.Oct 27 2017, 12:52 PM

kindly ping @alekseyshl , if you wouldn't mind? :)

alekseyshl accepted this revision.Oct 30 2017, 10:46 AM
cryptoad closed this revision.Oct 30 2017, 10:56 AM
cryptoad mentioned this in D39426: [sanitizer] Fixing an error introduced in D39072.Oct 30 2017, 11:14 AM
cryptoad mentioned this in rL316937: [sanitizer] Fixing an error introduced in D39072.Oct 30 2017, 11:16 AM
cryptoad mentioned this in rL316943: Fix warning + death test + failing test on Windows (D39072)..Oct 30 2017, 12:07 PM

Revision Contents

PathSize
lib/
sanitizer_common/
14 lines
24 lines
30 lines
30 lines
tests/
67 lines

Diff 120671

lib/sanitizer_common/sanitizer_common.h

Show First 20 LinesShow All 122 Lines▼ Show 20 Lines
uptr GetRSS(); uptr GetRSS();
void NoHugePagesInRegion(uptr addr, uptr length); void NoHugePagesInRegion(uptr addr, uptr length);
void DontDumpShadowMemory(uptr addr, uptr length); void DontDumpShadowMemory(uptr addr, uptr length);
// Check if the built VMA size matches the runtime one. // Check if the built VMA size matches the runtime one.
void CheckVMASize(); void CheckVMASize();
void RunMallocHooks(const void *ptr, uptr size); void RunMallocHooks(const void *ptr, uptr size);
void RunFreeHooks(const void *ptr); void RunFreeHooks(const void *ptr);
class ReservedAddressRange {
public:
uptr Init(uptr size, const char *name = nullptr, uptr fixed_addr = 0);
uptr Map(uptr fixed_addr, uptr size, bool tolerate_enomem = false);
void Unmap(uptr addr, uptr size);
void *base() const { return base_; }
cryptoadUnsubmitted
Done
ReplyInline Actions

This one and the next should be void *blah() const {blah;} (as we did before, I am not sure why it came back again that way).

cryptoad: This one and the next should be void *blah() const {blah;} (as we did before, I am not sure why…
flowerhackAuthorUnsubmitted
Not Done
ReplyInline Actions

oh weird. fixed!

flowerhack: oh weird. fixed!
uptr size() const { return size_; }
private:
void* base_;
uptr size_;
const char* name_;
};
typedef void (*fill_profile_f)(uptr start, uptr rss, bool file, typedef void (*fill_profile_f)(uptr start, uptr rss, bool file,
/*out*/uptr *stats, uptr stats_size); /*out*/uptr *stats, uptr stats_size);
// Parse the contents of /proc/self/smaps and generate a memory profile. // Parse the contents of /proc/self/smaps and generate a memory profile.
// |cb| is a tool-specific callback that fills the |stats| array containing // |cb| is a tool-specific callback that fills the |stats| array containing
// |stats_size| elements. // |stats_size| elements.
void GetMemoryProfile(fill_profile_f cb, uptr *stats, uptr stats_size); void GetMemoryProfile(fill_profile_f cb, uptr *stats, uptr stats_size);
▲ Show 20 LinesShow All 790 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_fuchsia.cc

Show First 20 LinesShow All 230 Lines▼ Show 20 Lines
void *MmapNoReserveOrDie(uptr size, const char *mem_type) { void *MmapNoReserveOrDie(uptr size, const char *mem_type) {
return MmapOrDie(size, mem_type); return MmapOrDie(size, mem_type);
} }
void *MmapOrDieOnFatalError(uptr size, const char *mem_type) { void *MmapOrDieOnFatalError(uptr size, const char *mem_type) {
return DoAnonymousMmapOrDie(size, mem_type, false, false); return DoAnonymousMmapOrDie(size, mem_type, false, false);
} }
uptr ReservedAddressRange::Init(uptr init_size, const char* name,
uptr fixed_addr) {
base_ = MmapNoAccess(init_size);
size_ = init_size;
name_ = name;
return reinterpret_cast<uptr>(base_);
}
// Uses fixed_addr for now.
// Will use offset instead once we've implemented this function for real.
uptr ReservedAddressRange::Map(uptr fixed_addr, uptr map_size,
bool tolerate_enomem) {
return reinterpret_cast<uptr>(MmapFixedOrDie(fixed_addr, map_size));
}
void ReservedAddressRange::Unmap(uptr addr, uptr size) {
void* addr_as_void = reinterpret_cast<void*>(addr);
uptr base_as_uptr = reinterpret_cast<uptr>(base_);
// Only unmap at the beginning or end of the range.
CHECK((addr_as_void == base_) || (addr + size == base_as_uptr + size_))
cryptoadUnsubmitted
Not Done
ReplyInline Actions

Same: CHECK_EQ(..., true) -> CHECK()

cryptoad: Same: CHECK_EQ(..., true) -> CHECK()
CHECK_LE(size, size_);
UnmapOrDie(reinterpret_cast<void*>(addr), size);
}
cryptoadUnsubmitted
Done
ReplyInline Actions

Here you actually want CHECK_LE(size, size_).
If addr_as_void == base_ then CHECK_LE(size, (base_as_uptr + size_) - addr) -> CHECK_LE(size, size_)
If addr + size == base_as_uptr + size_ then that CHECK_LE is true anyway, but with size <= size_ you ensure there is no overflow.
And remove the comment on the line before.

cryptoad: Here you actually want CHECK_LE(size, size_). If addr_as_void == base_ then CHECK_LE(size…
// MmapNoAccess and MmapFixedOrDie are used only by sanitizer_allocator. // MmapNoAccess and MmapFixedOrDie are used only by sanitizer_allocator.
// Instead of doing exactly what they say, we make MmapNoAccess actually // Instead of doing exactly what they say, we make MmapNoAccess actually
// just allocate a VMAR to reserve the address space. Then MmapFixedOrDie // just allocate a VMAR to reserve the address space. Then MmapFixedOrDie
// uses that VMAR instead of the root. // uses that VMAR instead of the root.
zx_handle_t allocator_vmar = ZX_HANDLE_INVALID; zx_handle_t allocator_vmar = ZX_HANDLE_INVALID;
uintptr_t allocator_vmar_base; uintptr_t allocator_vmar_base;
size_t allocator_vmar_size; size_t allocator_vmar_size;
▲ Show 20 LinesShow All 273 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_posix_libcdep.cc

Show First 20 LinesShow All 331 Lines▼ Show 20 Linesvoid *MmapFixedNoReserve(uptr fixed_addr, uptr size, const char *name) {
if (internal_iserror(p, &reserrno)) if (internal_iserror(p, &reserrno))
Report("ERROR: %s failed to " Report("ERROR: %s failed to "
"allocate 0x%zx (%zd) bytes at address %zx (errno: %d)\n", "allocate 0x%zx (%zd) bytes at address %zx (errno: %d)\n",
SanitizerToolName, size, size, fixed_addr, reserrno); SanitizerToolName, size, size, fixed_addr, reserrno);
IncreaseTotalMmap(size); IncreaseTotalMmap(size);
return (void *)p; return (void *)p;
} }
uptr ReservedAddressRange::Init(uptr size, const char *name, uptr fixed_addr) {
if (fixed_addr) {
base_ = MmapFixedNoAccess(fixed_addr, size, name);
} else {
base_ = MmapNoAccess(size);
}
size_ = size;
name_ = name;
return reinterpret_cast<uptr>(base_);
}
// Uses fixed_addr for now.
// Will use offset instead once we've implemented this function for real.
uptr ReservedAddressRange::Map(uptr fixed_addr, uptr size,
bool tolerate_enomem) {
if (tolerate_enomem) {
return reinterpret_cast<uptr>(MmapFixedOrDieOnFatalError(fixed_addr, size));
}
return reinterpret_cast<uptr>(MmapFixedOrDie(fixed_addr, size));
}
void ReservedAddressRange::Unmap(uptr addr, uptr size) {
void* addr_as_void = reinterpret_cast<void*>(addr);
uptr base_as_uptr = reinterpret_cast<uptr>(base_);
// Only unmap at the beginning or end of the range.
CHECK((addr_as_void == base_) || (addr + size == base_as_uptr + size_));
cryptoadUnsubmitted
Done
ReplyInline Actions

Same: CHECK_EQ(..., true) -> CHECK()

cryptoad: Same: CHECK_EQ(..., true) -> CHECK()
CHECK_LE(size, size_);
UnmapOrDie(reinterpret_cast<void*>(addr), size);
}
cryptoadUnsubmitted
Done
ReplyInline Actions

Same CHECK_LE(size, size_) (comment on the previous line becomes extraneous).

cryptoad: Same CHECK_LE(size, size_) (comment on the previous line becomes extraneous).
void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name) { void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name) {
int fd = name ? GetNamedMappingFd(name, size) : -1; int fd = name ? GetNamedMappingFd(name, size) : -1;
unsigned flags = MAP_PRIVATE | MAP_FIXED | MAP_NORESERVE; unsigned flags = MAP_PRIVATE | MAP_FIXED | MAP_NORESERVE;
if (fd == -1) flags |= MAP_ANON; if (fd == -1) flags |= MAP_ANON;
return (void *)internal_mmap((void *)fixed_addr, size, PROT_NONE, flags, fd, return (void *)internal_mmap((void *)fixed_addr, size, PROT_NONE, flags, fd,
0); 0);
} }
▲ Show 20 LinesShow All 128 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_win.cc

Show First 20 LinesShow All 229 Lines▼ Show 20 Lines if (p == 0) {
char mem_type[30]; char mem_type[30];
internal_snprintf(mem_type, sizeof(mem_type), "memory at address 0x%zx", internal_snprintf(mem_type, sizeof(mem_type), "memory at address 0x%zx",
fixed_addr); fixed_addr);
ReportMmapFailureAndDie(size, mem_type, "allocate", GetLastError()); ReportMmapFailureAndDie(size, mem_type, "allocate", GetLastError());
} }
return p; return p;
} }
// Uses fixed_addr for now.
// Will use offset instead once we've implemented this function for real.
uptr ReservedAddressRange::Map(uptr fixed_addr, uptr size,
bool tolerate_enomem) {
if (tolerate_enomem) {
return reinterpret_cast<uptr>(MmapFixedOrDieOnFatalError(fixed_addr, size));
}
return reinterpret_cast<uptr>(MmapFixedOrDie(uptr fixed_addr, uptr size));
}
void ReservedAddressRange::Unmap(uptr addr, uptr size) {
void* addr_as_void = reinterpret_cast<void*>(addr);
uptr base_as_uptr = reinterpret_cast<uptr>(base_);
// Only unmap if it covers the entire range.
CHECK((addr_as_void == base_) && (size == size_));
cryptoadUnsubmitted
Done
ReplyInline Actions

To avoid any further problem with Windows, it might be worth enforcing addr == base_ and size == size_ in just this one.

cryptoad: To avoid any further problem with Windows, it might be worth enforcing addr == base_ and size…
cryptoadUnsubmitted
Done
ReplyInline Actions

Use CHECK((addr_as_void == base_) && (size == size_)) rather than CHECK_EQ(..., true)

cryptoad: Use CHECK((addr_as_void == base_) && (size == size_)) rather than CHECK_EQ(..., true)
UnmapOrDie(reinterpret_cast<void*>(addr), size);
}
cryptoadUnsubmitted
Done
ReplyInline Actions

Unneeded for Windows since size == size_ and base_ == addr.

cryptoad: Unneeded for Windows since size == size_ and base_ == addr.
void *MmapFixedOrDieOnFatalError(uptr fixed_addr, uptr size) { void *MmapFixedOrDieOnFatalError(uptr fixed_addr, uptr size) {
void *p = VirtualAlloc((LPVOID)fixed_addr, size, void *p = VirtualAlloc((LPVOID)fixed_addr, size,
MEM_COMMIT, PAGE_READWRITE); MEM_COMMIT, PAGE_READWRITE);
if (p == 0) { if (p == 0) {
char mem_type[30]; char mem_type[30];
internal_snprintf(mem_type, sizeof(mem_type), "memory at address 0x%zx", internal_snprintf(mem_type, sizeof(mem_type), "memory at address 0x%zx",
fixed_addr); fixed_addr);
return ReturnNullptrOnOOMOrDie(size, mem_type, "allocate"); return ReturnNullptrOnOOMOrDie(size, mem_type, "allocate");
} }
return p; return p;
} }
void *MmapNoReserveOrDie(uptr size, const char *mem_type) { void *MmapNoReserveOrDie(uptr size, const char *mem_type) {
// FIXME: make this really NoReserve? // FIXME: make this really NoReserve?
return MmapOrDie(size, mem_type); return MmapOrDie(size, mem_type);
} }
uptr ReservedAddressRange::Init(uptr size, const char *name, uptr fixed_addr) {
if (fixed_addr) {
base_ = MmapFixedNoAccess(fixed_addr, size, name);
} else {
base_ = MmapNoAccess(size);
}
size_ = size;
name_ = name;
return reinterpret_cast<uptr>(base_);
}
void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name) { void *MmapFixedNoAccess(uptr fixed_addr, uptr size, const char *name) {
(void)name; // unsupported (void)name; // unsupported
void *res = VirtualAlloc((LPVOID)fixed_addr, size, void *res = VirtualAlloc((LPVOID)fixed_addr, size,
MEM_RESERVE, PAGE_NOACCESS); MEM_RESERVE, PAGE_NOACCESS);
if (res == 0) if (res == 0)
Report("WARNING: %s failed to " Report("WARNING: %s failed to "
"mprotect %p (%zd) bytes at %p (error code: %d)\n", "mprotect %p (%zd) bytes at %p (error code: %d)\n",
SanitizerToolName, size, size, fixed_addr, GetLastError()); SanitizerToolName, size, size, fixed_addr, GetLastError());
▲ Show 20 LinesShow All 806 LinesShow Last 20 Lines

lib/sanitizer_common/tests/sanitizer_common_test.cc

//===-- sanitizer_common_test.cc ------------------------------------------===// //===-- sanitizer_common_test.cc ------------------------------------------===//
// //
// The LLVM Compiler Infrastructure // The LLVM Compiler Infrastructure
// //
// This file is distributed under the University of Illinois Open Source // This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details. // License. See LICENSE.TXT for details.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of ThreadSanitizer/AddressSanitizer runtime. // This file is a part of ThreadSanitizer/AddressSanitizer runtime.
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include <algorithm> #include <algorithm>
cryptoadUnsubmitted
Done
ReplyInline Actions

I don't think this is going to work for Windows.

cryptoad: I don't think this is going to work for Windows.
flowerhackAuthorUnsubmitted
Not Done
ReplyInline Actions

gotcha, updated it to work with win APIs.

still don't have a test environment, alas-- phosek@, can you run it on your box? thanks!

flowerhack: gotcha, updated it to work with win APIs. still don't have a test environment, alas-- phosek@…
#include "sanitizer_common/sanitizer_allocator_internal.h" #include "sanitizer_common/sanitizer_allocator_internal.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_file.h" #include "sanitizer_common/sanitizer_file.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#include "sanitizer_pthread_wrappers.h" #include "sanitizer_pthread_wrappers.h"
▲ Show 20 LinesShow All 292 Lines▼ Show 20 Lines for (uptr size = 4; size <= ARRAY_SIZE(buffer_1); size += 4) {
EXPECT_TRUE(GetRandom(buffer_2, size, blocking)); EXPECT_TRUE(GetRandom(buffer_2, size, blocking));
EXPECT_NE(internal_memcmp(buffer_1, buffer_2, size), 0); EXPECT_NE(internal_memcmp(buffer_1, buffer_2, size), 0);
} }
} }
} }
} }
#endif #endif
TEST(SanitizerCommon, ReservedAddressRangeInit) {
uptr init_size = 0xffff;
ReservedAddressRange address_range;
uptr res = address_range.Init(init_size);
CHECK_NE(res, (void*)-1);
UnmapOrDie((void*)res, init_size);
// Should be able to map into the same space now.
ReservedAddressRange address_range2;
uptr res2 = address_range2.Init(init_size, nullptr, res);
CHECK_EQ(res, res2);
// TODO(flowerhack): Once this is switched to the "real" implementation
// (rather than passing through to MmapNoAccess*), enforce and test "no
// double initializations allowed"
}
TEST(SanitizerCommon, ReservedAddressRangeMap) {
constexpr uptr init_size = 0xffff;
ReservedAddressRange address_range;
uptr res = address_range.Init(init_size);
CHECK_NE(res, (void*) -1);
// Valid mappings should succeed.
CHECK_EQ(res, address_range.Map(res, init_size));
// Valid mappings should be readable.
unsigned char buffer[init_size];
memcpy(buffer, reinterpret_cast<void *>(res), init_size);
cryptoadUnsubmitted
Done
ReplyInline Actions

memcpy(buffer, reinterpret_cast<void *>(res), init_size);

cryptoad: memcpy(buffer, reinterpret_cast<void *>(res), init_size);
// Invalid mappings should fail.
EXPECT_DEATH(address_range.Map(res, 0), ".*");
// TODO(flowerhack): Once this is switched to the "real" implementation, make
// sure you can only mmap into offsets in the Init range.
}
TEST(SanitizerCommon, ReservedAddressRangeUnmap) {
uptr PageSize = GetPageSizeCached();
uptr init_size = PageSize * 4;
ReservedAddressRange address_range;
uptr base_addr = address_range.Init(init_size);
CHECK_NE(base_addr, (void*)-1);
CHECK_EQ(base_addr, address_range.Map(base_addr, init_size));
// Unmapping the entire range should succeed.
address_range.Unmap(base_addr, PageSize * 4);
// Remap that range in.
CHECK_EQ(base_addr, address_range.Map(base_addr, init_size));
// Windows doesn't allow partial unmappings.
#if !SANITIZER_WINDOWS
// Unmapping at the beginning should succeed.
address_range.Unmap(base_addr, PageSize);
// Unmapping at the end should succeed.
uptr new_start = reinterpret_cast<uptr>(address_range.base()) +
address_range.size() - PageSize;
address_range.Unmap(new_start, PageSize);
#endif
// Unmapping in the middle of the ReservedAddressRange should fail.
EXPECT_DEATH(address_range.Unmap(base_addr + 0xf, 0xff), ".*");
}
} // namespace __sanitizer } // namespace __sanitizer