This is an archive of the discontinued LLVM Phabricator instance.

Differential D45509

[asan] Reduce flakiness in stack-overflow detection
ClosedPublic

Authored by kubamracek on Apr 10 2018, 7:47 PM.

Details

Reviewers
eugenis
filcab
vitalybuka
kcc
george.karpenkov
delcypher
Summary

IsStackOverflow only treats accesses within 512 bytes of SP as stack-overflow. This should really be the size of a page instead.

The scariness_score_test.cc triggers stack overflow with frames that are even larger than a page, which can also trigger a fault that will not be recognized as stack-overflow. Let's just use smaller frames.

Diff Detail

Event Timeline

kubamracek created this revision.Apr 10 2018, 7:47 PM
Herald added a subscriber: Restricted Project. · View Herald TranscriptApr 10 2018, 7:47 PM
george.karpenkov accepted this revision.Apr 11 2018, 10:43 AM

LGTM, but probably someone else would need to check this as well.

This revision is now accepted and ready to land.Apr 11 2018, 10:43 AM
eugenis accepted this revision.Apr 11 2018, 11:19 AM

Out of curiosity, how does access that far below SP happen in that test? Redzone? But that's not a leaf function.

kubamracek added a comment.Apr 11 2018, 11:42 AM
In D45509#1064637, @eugenis wrote:

Out of curiosity, how does access that far below SP happen in that test? Redzone? But that's not a leaf function.

This is related to stack protectors and stack probing, see https://reviews.llvm.org/D40856. When stack probing is enabled, we make an access to the end of the frame before SP is updated.

eugenis added a comment.Apr 11 2018, 12:41 PM

LGTM, please add a comment though

kubamracek closed this revision.Apr 12 2018, 6:09 PM

Landed in r329980.

Revision Contents

PathSize
lib/
sanitizer_common/
2 lines
test/
asan/
TestCases/
2 lines

Diff 141943

lib/sanitizer_common/sanitizer_posix_libcdep.cc

Show First 20 LinesShow All 224 Lines▼ Show 20 Linesbool SignalContext::IsStackOverflow() const {
// for x86_64 or PowerPC redzone, ARM push of multiple registers, etc) is // for x86_64 or PowerPC redzone, ARM push of multiple registers, etc) is
// probably a stack overflow. // probably a stack overflow.
#ifdef __s390__ #ifdef __s390__
// On s390, the fault address in siginfo points to start of the page, not // On s390, the fault address in siginfo points to start of the page, not
// to the precise word that was accessed. Mask off the low bits of sp to // to the precise word that was accessed. Mask off the low bits of sp to
// take it into account. // take it into account.
bool IsStackAccess = addr >= (sp & ~0xFFF) && addr < sp + 0xFFFF; bool IsStackAccess = addr >= (sp & ~0xFFF) && addr < sp + 0xFFFF;
#else #else
bool IsStackAccess = addr + 512 > sp && addr < sp + 0xFFFF; bool IsStackAccess = addr + GetPageSizeCached() > sp && addr < sp + 0xFFFF;
#endif #endif
#if __powerpc__ #if __powerpc__
// Large stack frames can be allocated with e.g. // Large stack frames can be allocated with e.g.
// lis r0,-10000 // lis r0,-10000
// stdux r1,r1,r0 # store sp to [sp-10000] and update sp by -10000 // stdux r1,r1,r0 # store sp to [sp-10000] and update sp by -10000
// If the store faults then sp will not have been updated, so test above // If the store faults then sp will not have been updated, so test above
// will not work, because the fault address will be more than just "slightly" // will not work, because the fault address will be more than just "slightly"
▲ Show 20 LinesShow All 275 LinesShow Last 20 Lines

test/asan/TestCases/scariness_score_test.cc

Show First 20 LinesShow All 109 Lines▼ Show 20 Lines
void DoubleFree() { void DoubleFree() {
int *x = new int; int *x = new int;
static volatile int two = 2; static volatile int two = 2;
for (int i = 0; i < two; i++) for (int i = 0; i < two; i++)
delete x; delete x;
} }
void StackOverflow(int Idx) { void StackOverflow(int Idx) {
int some_stack[10000]; int some_stack[256];
static volatile int *x; static volatile int *x;
x = &some_stack[0]; x = &some_stack[0];
if (Idx > 0) if (Idx > 0)
StackOverflow(Idx - 1); StackOverflow(Idx - 1);
} }
void UseAfterPoison() { void UseAfterPoison() {
int buf[100]; int buf[100];
▲ Show 20 LinesShow All 86 LinesShow Last 20 Lines