Index: compiler-rt/lib/asan/CMakeLists.txt =================================================================== --- compiler-rt/lib/asan/CMakeLists.txt +++ compiler-rt/lib/asan/CMakeLists.txt @@ -21,6 +21,7 @@ asan_memory_profile.cc asan_poisoning.cc asan_posix.cc + asan_premap_shadow.cc asan_report.cc asan_rtl.cc asan_shadow_setup.cc Index: compiler-rt/lib/asan/asan_linux.cc =================================================================== --- compiler-rt/lib/asan/asan_linux.cc +++ compiler-rt/lib/asan/asan_linux.cc @@ -17,6 +17,7 @@ #include "asan_interceptors.h" #include "asan_internal.h" +#include "asan_premap_shadow.h" #include "asan_thread.h" #include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_freebsd.h" @@ -81,10 +82,38 @@ return &_DYNAMIC; // defined in link.h } +#if ASAN_PREMAP_SHADOW uptr FindDynamicShadowStart() { - UNREACHABLE("FindDynamicShadowStart is not available"); - return 0; + uptr granularity = GetMmapGranularity(); + uptr shadow_start = reinterpret_cast(&__asan_shadow); + uptr shadow_size = PremapShadowSize(); + UnmapOrDie((void *)(shadow_start - granularity), shadow_size + granularity); + // MmapNoAccess does not touch TotalMmap, but UnmapOrDie decreases it. + // Compensate. + IncreaseTotalMmap(shadow_size + granularity); + Printf("shadow_start: %zx\n", shadow_start); + return shadow_start; } +#else +uptr FindDynamicShadowStart() { + uptr granularity = GetMmapGranularity(); + uptr alignment = granularity * 8; + uptr left_padding = granularity; + uptr shadow_size = kHighShadowEnd + left_padding; + uptr map_size = shadow_size + alignment; + + uptr map_start = (uptr)MmapNoAccess(map_size); + CHECK_NE(map_start, ~(uptr)0); + + uptr shadow_start = RoundUpTo(map_start, alignment); + UnmapOrDie((void *)map_start, map_size); + // MmapNoAccess does not touch TotalMmap, but UnmapOrDie decreases it. + // Compensate. + IncreaseTotalMmap(map_size); + + return shadow_start; +} +#endif void AsanApplyToGlobals(globals_op_fptr op, const void *needle) { UNIMPLEMENTED(); Index: compiler-rt/lib/asan/asan_mapping.h =================================================================== --- compiler-rt/lib/asan/asan_mapping.h +++ compiler-rt/lib/asan/asan_mapping.h @@ -156,7 +156,7 @@ # define SHADOW_OFFSET (0) #elif SANITIZER_WORDSIZE == 32 # if SANITIZER_ANDROID -# define SHADOW_OFFSET (0) +# define SHADOW_OFFSET __asan_shadow_memory_dynamic_address # elif defined(__mips__) # define SHADOW_OFFSET kMIPS32_ShadowOffset32 # elif SANITIZER_FREEBSD @@ -200,6 +200,12 @@ # endif #endif +#if SANITIZER_ANDROID && defined(__arm__) +# define ASAN_PREMAP_SHADOW 1 +#else +# define ASAN_PREMAP_SHADOW 0 +#endif + #define SHADOW_GRANULARITY (1ULL << SHADOW_SCALE) #define MEM_TO_SHADOW(mem) (((mem) >> SHADOW_SCALE) + (SHADOW_OFFSET)) Index: compiler-rt/lib/asan/asan_premap_shadow.h =================================================================== --- /dev/null +++ compiler-rt/lib/asan/asan_premap_shadow.h @@ -0,0 +1,28 @@ +//===-- asan_mapping.h ------------------------------------------*- C++ -*-===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file is a part of AddressSanitizer, an address sanity checker. +// +// Premap shadow range with an ifunc resolver. +//===----------------------------------------------------------------------===// + + +#ifndef ASAN_PREMAP_SHADOW_H +#define ASAN_PREMAP_SHADOW_H + +#if ASAN_PREMAP_SHADOW +namespace __asan { +// Conservative upper limit. +uptr PremapShadowSize(); +} +#endif + +extern "C" INTERFACE_ATTRIBUTE void __asan_shadow(); + +#endif // ASAN_PREMAP_SHADOW_H Index: compiler-rt/lib/asan/asan_premap_shadow.cc =================================================================== --- /dev/null +++ compiler-rt/lib/asan/asan_premap_shadow.cc @@ -0,0 +1,69 @@ +//===-- asan_premap_shadow.cc ---------------------------------------------===// +// +// The LLVM Compiler Infrastructure +// +// This file is distributed under the University of Illinois Open Source +// License. See LICENSE.TXT for details. +// +//===----------------------------------------------------------------------===// +// +// This file is a part of AddressSanitizer, an address sanity checker. +// +// Reserve shadow memory with an ifunc resolver. +//===----------------------------------------------------------------------===// + +#include "asan_mapping.h" + +#if ASAN_PREMAP_SHADOW + +#include "asan_premap_shadow.h" +#include "sanitizer_common/sanitizer_posix.h" + +namespace __asan { + +// The code in this file needs to run in an unrelocated binary. It may not +// access any external symbol, including its own non-hidden globals. + +// Conservative upper limit. +uptr PremapShadowSize() { + return GetMaxVirtualAddress(true /*ifunc_safe*/) >> SHADOW_SCALE; +} + +// Returns an address aligned to 8 pages, such that one page on the left and +// PremapShadowSize() bytes on the right of it are mapped r/o. +uptr PremapShadow() { + uptr granularity = GetMmapGranularity(); + uptr alignment = granularity * 8; + uptr left_padding = granularity; + uptr shadow_size = PremapShadowSize(); + uptr map_size = shadow_size + left_padding + alignment; + + uptr map_start = (uptr)MmapNoAccess(map_size); + CHECK_NE(map_start, ~(uptr)0); + + uptr shadow_start = RoundUpTo(map_start + left_padding, alignment); + uptr shadow_end = shadow_start + shadow_size; + internal_munmap(reinterpret_cast(map_start), + shadow_start - left_padding - map_start); + internal_munmap(reinterpret_cast(shadow_end), + map_start + map_size - shadow_end); + return shadow_start; +} + +} // namespace __asan + +extern "C" { +decltype(__asan_shadow)* __asan_premap_shadow() { + // The resolver may be called multiple times. Map the shadow just once. + static uptr premapped_shadow = 0; + if (!premapped_shadow) premapped_shadow = __asan::PremapShadow(); + return reinterpret_cast(premapped_shadow); +} + +// __asan_shadow is a "function" that has the same address as the first byte of +// the shadow mapping. +INTERFACE_ATTRIBUTE __attribute__((ifunc("__asan_premap_shadow"))) void +__asan_shadow(); +} + +#endif // ASAN_PREMAP_SHADOW Index: compiler-rt/lib/sanitizer_common/sanitizer_common.h =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_common.h +++ compiler-rt/lib/sanitizer_common/sanitizer_common.h @@ -73,7 +73,7 @@ return PageSizeCached; } uptr GetMmapGranularity(); -uptr GetMaxVirtualAddress(); +uptr GetMaxVirtualAddress(bool ifunc_safe = false); // Threads tid_t GetTid(); uptr GetThreadSelf(); Index: compiler-rt/lib/sanitizer_common/sanitizer_flags.h =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_flags.h +++ compiler-rt/lib/sanitizer_common/sanitizer_flags.h @@ -34,7 +34,8 @@ }; // Functions to get/set global CommonFlags shared by all sanitizer runtimes: -extern CommonFlags common_flags_dont_use; +// FIXME: hidden needed for asan_premap_shadow. Consider building with -fvisibility=hidden. +extern CommonFlags common_flags_dont_use __attribute__((visibility("hidden"))); inline const CommonFlags *common_flags() { return &common_flags_dont_use; } Index: compiler-rt/lib/sanitizer_common/sanitizer_fuchsia.cc =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_fuchsia.cc +++ compiler-rt/lib/sanitizer_common/sanitizer_fuchsia.cc @@ -186,7 +186,7 @@ sanitizer_shadow_bounds_t ShadowBounds; -uptr GetMaxVirtualAddress() { +uptr GetMaxVirtualAddress(bool ifunc_safe) { ShadowBounds = __sanitizer_shadow_bounds(); return ShadowBounds.memory_limit - 1; } Index: compiler-rt/lib/sanitizer_common/sanitizer_linux.cc =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_linux.cc +++ compiler-rt/lib/sanitizer_common/sanitizer_linux.cc @@ -967,7 +967,7 @@ } #endif // SANITIZER_WORDSIZE == 32 -uptr GetMaxVirtualAddress() { +uptr GetMaxVirtualAddress(bool ifunc_safe) { #if SANITIZER_NETBSD && defined(__x86_64__) return 0x7f7ffffff000ULL; // (0x00007f8000000000 - PAGE_SIZE) #elif SANITIZER_WORDSIZE == 64 @@ -992,7 +992,7 @@ return (1ULL << 31) - 1; // 0x7fffffff; # else uptr res = (1ULL << 32) - 1; // 0xffffffff; - if (!common_flags()->full_address_space) + if (!ifunc_safe && !common_flags()->full_address_space) res -= GetKernelAreaSize(); CHECK_LT(reinterpret_cast(&res), res); return res; Index: compiler-rt/lib/sanitizer_common/sanitizer_mac.cc =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_mac.cc +++ compiler-rt/lib/sanitizer_common/sanitizer_mac.cc @@ -849,7 +849,8 @@ } #endif -uptr GetMaxVirtualAddress() { +uptr GetMaxVirtualAddress(bool ifunc_safe) { + CHECK_EQ(ifunc_safe, false); #if SANITIZER_WORDSIZE == 64 # if defined(__aarch64__) && SANITIZER_IOS && !SANITIZER_IOSSIM // Get the maximum VM address Index: compiler-rt/lib/sanitizer_common/sanitizer_win.cc =================================================================== --- compiler-rt/lib/sanitizer_common/sanitizer_win.cc +++ compiler-rt/lib/sanitizer_common/sanitizer_win.cc @@ -64,7 +64,8 @@ return si.dwAllocationGranularity; } -uptr GetMaxVirtualAddress() { +uptr GetMaxVirtualAddress(bool ifunc_safe) { + CHECK_EQ(ifunc_safe, false); SYSTEM_INFO si; GetSystemInfo(&si); return (uptr)si.lpMaximumApplicationAddress; Index: llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp =================================================================== --- llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp +++ llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp @@ -447,10 +447,14 @@ /// This struct defines the shadow mapping using the rule: /// shadow = (mem >> Scale) ADD-or-OR Offset. +/// If InGlobal is true, then +/// extern char __asan_shadow[]; +/// shadow = (mem >> Scale) + &__asan_shadow struct ShadowMapping { int Scale; uint64_t Offset; bool OrShadowOffset; + bool InGlobal; }; } // end anonymous namespace @@ -472,6 +476,7 @@ TargetTriple.getArch() == Triple::mipsel; bool IsMIPS64 = TargetTriple.getArch() == Triple::mips64 || TargetTriple.getArch() == Triple::mips64el; + bool IsArmOrThumb = TargetTriple.isARM() || TargetTriple.isThumb(); bool IsAArch64 = TargetTriple.getArch() == Triple::aarch64; bool IsWindows = TargetTriple.isOSWindows(); bool IsFuchsia = TargetTriple.isOSFuchsia(); @@ -479,10 +484,8 @@ ShadowMapping Mapping; if (LongSize == 32) { - // Android is always PIE, which means that the beginning of the address - // space is always available. if (IsAndroid) - Mapping.Offset = 0; + Mapping.Offset = kDynamicShadowSentinel; else if (IsMIPS32) Mapping.Offset = kMIPS32_ShadowOffset32; else if (IsFreeBSD) @@ -550,6 +553,7 @@ Mapping.OrShadowOffset = !IsAArch64 && !IsPPC64 && !IsSystemZ && !IsPS4CPU && !(Mapping.Offset & (Mapping.Offset - 1)) && Mapping.Offset != kDynamicShadowSentinel; + Mapping.InGlobal = IsAndroid && IsArmOrThumb; return Mapping; } @@ -672,6 +676,7 @@ DominatorTree *DT; Function *AsanHandleNoReturnFunc; Function *AsanPtrCmpFunction, *AsanPtrSubFunction; + Constant *AsanShadowGlobal; // These arrays is indexed by AccessIsWrite, Experiment and log2(AccessSize). Function *AsanErrorCallback[2][2][kNumberOfAccessSizes]; @@ -1109,6 +1114,11 @@ if (Mapping.Offset == 0) return Shadow; // (Shadow >> scale) | offset Value *ShadowBase; + if (Mapping.InGlobal) + return IRB.CreatePtrToInt( + IRB.CreateGEP(AsanShadowGlobal, + {ConstantInt::get(IntptrTy, 0), Shadow}), + IntptrTy); if (LocalDynamicShadow) ShadowBase = LocalDynamicShadow; else @@ -2270,6 +2280,9 @@ EmptyAsm = InlineAsm::get(FunctionType::get(IRB.getVoidTy(), false), StringRef(""), StringRef(""), /*hasSideEffects=*/true); + if (Mapping.InGlobal) + AsanShadowGlobal = M.getOrInsertGlobal("__asan_shadow", + ArrayType::get(IRB.getInt8Ty(), 0)); } // virtual