Index: lib/hwasan/hwasan_checks.h =================================================================== --- lib/hwasan/hwasan_checks.h +++ lib/hwasan/hwasan_checks.h @@ -15,6 +15,7 @@ #define HWASAN_CHECKS_H #include "hwasan_mapping.h" +#include "sanitizer_common/sanitizer_common.h" namespace __hwasan { template @@ -23,8 +24,8 @@ (void)p; // 0x900 is added to do not interfere with the kernel use of lower values of // brk immediate. - // FIXME: Add a constraint to put the pointer into x0, the same as x86 branch. - asm("brk %0\n\t" ::"n"(0x900 + X)); + register uptr x0 asm("x0") = p; + asm("brk %0\n\t" ::"r"(x0), "n"(0x900 + X)); #elif defined(__x86_64__) // INT3 + NOP DWORD ptr [EAX + X] to pass X to our signal handler, 5 bytes // total. The pointer is passed via rdi. @@ -42,6 +43,25 @@ // __builtin_unreachable(); } +// Version with access size which is not power of 2 +template +__attribute__((always_inline)) static void SigTrap(uptr p, uptr size) { +#if defined(__aarch64__) + register uptr x0 asm("x0") = p; + register uptr x1 asm("x1") = size; + asm("brk %0\n\t" ::"r"(x0), "r"(x1), "n"(0x900 + X)); +#elif defined(__x86_64__) + // Size is stored in rsi. + asm volatile( + "int3\n" + "nopl %c0(%%rax)\n" ::"n"(0x40 + X), + "D"(p), "S"(size)); +#else + __builtin_trap(); +#endif + // __builtin_unreachable(); +} + enum class ErrorAction { Abort, Recover }; enum class AccessType { Load, Store }; @@ -70,9 +90,9 @@ for (tag_t *t = shadow_first; t <= shadow_last; ++t) if (UNLIKELY(ptr_tag != *t)) { SigTrap<0x20 * (EA == ErrorAction::Recover) + - 0x10 * (AT == AccessType::Store) + 0xf>(p); - if (EA == ErrorAction::Abort) - __builtin_unreachable(); + 0x10 * (AT == AccessType::Store) + 0xf>(p, sz); + if (EA == ErrorAction::Abort) + __builtin_unreachable(); } } } // end namespace __hwasan Index: lib/hwasan/hwasan_report.cc =================================================================== --- lib/hwasan/hwasan_report.cc +++ lib/hwasan/hwasan_report.cc @@ -400,13 +400,26 @@ Thread *t = GetCurrentThread(); - tag_t ptr_tag = GetTagFromPointer(tagged_addr); + tag_t ptr_tag = GetTagFromPointer(tagged_addr); tag_t *tag_ptr = reinterpret_cast(MemToShadow(untagged_addr)); + + // For accesses spanned over granule boundary tag_ptr may not point to + // correct tag + uptr granule = untagged_addr; + for (; *tag_ptr == ptr_tag; + ++tag_ptr, granule = RoundUpTo(granule + 1, 1 << kShadowScale)) { + } + CHECK(granule - untagged_addr < access_size); tag_t mem_tag = *tag_ptr; + Printf("%s", d.Access()); Printf("%s of size %zu at %p tags: %02x/%02x (ptr/mem) in thread T%zd\n", is_store ? "WRITE" : "READ", access_size, untagged_addr, ptr_tag, mem_tag, t->unique_id()); + Printf("Offset to first bad byte is in range [%zu, %zu)\n", + granule - untagged_addr, + Min(access_size, + RoundUpTo(granule + 1, 1 << kShadowScale) - untagged_addr)); Printf("%s", d.Default()); stack->Print(); Index: test/hwasan/TestCases/mem-intrinsics.c =================================================================== --- test/hwasan/TestCases/mem-intrinsics.c +++ test/hwasan/TestCases/mem-intrinsics.c @@ -21,15 +21,17 @@ #endif write(STDOUT_FILENO, "recovered\n", 10); // WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address - // WRITE: WRITE {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) + // WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) + // WRITE: Offset to first bad byte is in range [16, 32) // WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes): - // WRITE: =>{{.*}}[[MEM_TAG]] + // WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]] // WRITE-NOT: recovered // READ: ERROR: HWAddressSanitizer: tag-mismatch on address - // READ: READ {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) + // READ: READ of size 16 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) + // READ: Offset to first bad byte is in range [0, 16) // READ: Memory tags around the buggy address (one tag corresponds to 16 bytes): - // READ: =>{{.*}}[[MEM_TAG]] + // READ: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]] // READ-NOT: recovered // RECOVER: recovered Index: test/hwasan/TestCases/rich-stack.c =================================================================== --- test/hwasan/TestCases/rich-stack.c +++ test/hwasan/TestCases/rich-stack.c @@ -60,6 +60,7 @@ // R321: HWAddressSanitizer: tag-mismatch // R321-NEXT: WRITE of size 8 +// R321-NEXT: Offset to first bad byte is in range [0, 8) // R321-NEXT: in BAR // R321-NEXT: in FOO // R321-NEXT: in main