This is an archive of the discontinued LLVM Phabricator instance.

Differential D60593

[GwpAsan] Introduce GWP-ASan.
AbandonedPublic

Authored by hctim on Apr 11 2019, 5:33 PM.

Details

Reviewers
vlad.tsyrklevich
morehouse
eugenis
cryptoad
jfb
vitalybuka
Summary

This patch introduces GWP-ASan, a sampled allocator framework that assists in finding use-after-free and heap-buffer-overflows bugs in production environments.

GWP-ASan supplements a traditional allocator (e.g. Scudo), and chooses random allocations to 'sample'. These sampled allocations are placed into a special guarded pool, which is based upon the traditional 'Electric Fence Malloc Debugger'. We surround the allocation with inaccessible pages, such that buffer under/overflows trap on the page fault. We also mark the allocation's page as inaccessible on free, meaning that any use-after-free bugs also cause a page fault trap, which we capture. For more implementation details, please see docs/GWPASan.rst.

Please note that this patch is quite large. The patchset contains the basic functionality of GWP-ASan (stack trace dumping and other debug information will be added shortly), the unit tests, and allocator shims into Scudo. This allows any code compiled with -fsanitize=scudo to have GWP-ASan enabled-by-default (including the unit tests). I've tried to slice out as much as possible for follow up patches but there isn't much left here to carve off.

Diff Detail

Event Timeline

There are a very large number of changes, so older changes are hidden. Show Older Changes
hctim added inline comments.Apr 26 2019, 3:32 PM
compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
63

Shouldn't be allowed - the default flag parser has the check:

if (o->Enabled && o->SampleRate < 1) {
    __sanitizer::Printf("GWP-ASan ERROR: SampleRate must be >= 1 when "
                        "GWP-ASan is enabled.\n");
    exit(EXIT_FAILURE);
  }

... but allocators can implement their own flag parser. I've added an explicit check in init() to consider SampleRate == 0 as being the same as Enabled == false.

77

Fixed by thread-hostile requirements described above.

91

That's an awesome catch! Thanks!

156

Yep, this is intended, but one of the deallocate() was using this incorrectly (where they wanted slot address instead of page address). I've updated the callee.

169

Furthermore, this also had an issue where (if it worked correctly in the first place), it lead to more deterministic left/right alignment, as the alignment choice was made based on the slot number.

I've fixed this and will add some more tests before submitting. Leaving this comment open to remind me to do this at a later date, but focus right now is getting this out for another round of comments.

183

FYI - I have adjusted this to be purely PRNG based as if NumGuardedSlots is odd, it will give us a higher probability of left-alignment. If NumGuardedSlots == 1, we want to still do random left/right alignment.

207

At this point, we don't have access to a printf() library.

Also, I'm not sure whether this is actually reachable. SingletonPtr is always initialised in this TU before the signal handlers are installed. Have changed this to an assert.

263

I didn't know this, thanks!

299

Could this be useful for UaF where there is a nonzero offset? Have elided for zero offsets only, as I figure it's better to keep the information when it may be of use.

339

Have changed to simply echo "Segmentation fault" and exit.

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
68

It wont on x64 as AFAIK the static predictors can't be primed (and doesn't appear to change the optimiser), but have as it may affect other other platforms.

75

So upon further reading, looks like the only way to ensure atomic-correctness here is to establish a dependency between GPP and GPPEnd, which require sequentially consistent loads and stores (which would hurt performance a trememdous amount).

We currently do what Matt suggests, so I've updated the documentation to reflect that the entire class is thread-hostile until init() is called.

114

They may access GPA::Printf on failure. Would you prefer them to be static w/ passing Printf as an argument?

163

For future expansion, we will want to populate a slot index and a separate metadata index. I've reworded up the comment but left the implementation as-is for now. WDYT?

172

I had a good think about the best way to do this adjustment. Does the rework LGTY?

237

AFAICT it is required:

<snip>/llvm/compiler-rt/lib/scudo/../gwp_asan/guarded_pool_allocator.h:237:3: error: 'thread_local' is only allowed on variable declarations
  TLS_INITIAL_EXEC uint64_t NextSampleCounter;
compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
72

Can you PTAL and see if it LGTY?

compiler-rt/lib/gwp_asan/options.inc
25

Added a test for this.

compiler-rt/lib/scudo/scudo_allocator.cpp
305

See attached image in description.

compiler-rt/test/gwp_asan/alignment_power_of_two.cpp
19

Updated w/ comment in the test. We have no direct influence on left/right alignment any more, so we just run it multiple times.

llvm/docs/GWPASan.rst
114 ↗(On Diff #195942)

I think "transient" actually suits this better.

Harbormaster completed remote builds in B31050: Diff 196920.Apr 26 2019, 3:33 PM
vitalybuka added a reviewer: vitalybuka.Apr 26 2019, 7:43 PM
hctim updated this revision to Diff 197148.Apr 29 2019, 11:17 AM
hctim marked 15 inline comments as done.
  • Updated from Matt's comments.
Harbormaster completed remote builds in B31109: Diff 197148.Apr 29 2019, 11:19 AM
hctim updated this revision to Diff 197198.Apr 29 2019, 3:17 PM
hctim marked an inline comment as done.
  • Added a thread contention test. Creates allocations using multiple threads and checks to see that a guarded slot is never allocated twice. Also tests against the random slot selection.
compiler-rt/lib/gwp_asan/optional/runtime_env_flag_parser.cpp
27

fn is removed.

49

Removed them without an unnamed namespace. This okay?

59

Nope, removed.

100

I could have sworn that this failed to build without it, but it appears to be a non-issue now. Removed.

compiler-rt/lib/gwp_asan/options.h
28

Yep, fixed the init-order-fiasco with moving to on-demand instantiation inside of getOptions().

Harbormaster completed remote builds in B31119: Diff 197198.Apr 29 2019, 3:20 PM
hctim updated this revision to Diff 197200.Apr 29 2019, 3:21 PM
  • Removed the changed sanitizer_common from this changelist. No longer required, and the dependent change is abandoned.
Harbormaster completed remote builds in B31120: Diff 197200.Apr 29 2019, 3:26 PM
vlad.tsyrklevich added a comment.Apr 30 2019, 1:26 PM
In D60593#1483183, @hctim wrote:
  • Added a thread contention test. Creates allocations using multiple threads and checks to see that a guarded slot is never allocated twice. Also tests against the random slot selection.

There's no way to access the allocator directly in the tests? I ask because you could test stronger conditions if you had things like PointerIsMine in the tests.

compiler-rt/lib/gwp_asan/options.inc
29

Feels like this should still be uint64/ULL (2^63 comment is otherwise not right on 32-bit platforms.)

compiler-rt/test/gwp_asan/alignment_power_of_two.cpp
39

Lets make this 2**-40 so it can never flake.

51

Seems redundant to the check above (if you assume that page size is always a power of two.)

compiler-rt/test/gwp_asan/num_usable_slots.cpp
13

Add a negative test or two (e.g. do we actually fail when invoked with 8 slots but we iterate 9 times? Do we fail when we have 8 slots but iterate 7 times?)

64

There's UB in the 129 case (SampleAllocs OOB access), replace with i<NumSlots and maybe just make SampledAllocs a stack-allocated VLA?

compiler-rt/test/gwp_asan/page_size.h
12

Delete, currently unused.

llvm/docs/GwpAsan.rst
178

s/NumUsableGuardedSlots/MaxSimultaneousAllocations/ ? It would also make the description a little clearer to explain it that way.

vlad.tsyrklevich added inline comments.Apr 30 2019, 1:45 PM
compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
115

getPageAddr()

compiler-rt/test/gwp_asan/thread_contention.cpp
1 ↗(On Diff #197200)

This tests races in the allocation code but not in the deallocation (and reallocation) code.

9 ↗(On Diff #197200)

I don't think the runtime configuration adds much here anyway. I think you could get rid of both options and just have it allocate a fixed amount (lets say 1024 times) twice (first w/o random eviction and second run with.) It simplifies the test.

If we had access to the underlying allocator we could be cuter and also verify that every available slot was used, but I wouldn't bother otherwise.

30 ↗(On Diff #197200)

Nit: Why not left to right?

hctim added a parent revision: D61342: [sanitizer_common] Added 64-bit signed flag parser..Apr 30 2019, 2:19 PM
hctim updated this revision to Diff 197443.Apr 30 2019, 2:22 PM
hctim marked 2 inline comments as done.
  • Updated sample rate to guarantee 64-bit values.
compiler-rt/lib/gwp_asan/options.inc
29

Was trying to work out a solution around the fact that the sanitizer flag parser doesn't support uint64_t. I've created a patch to support long long in sanitizer_common which we can then truncate if > 64bits.

Signed-ness of this doesn't really matter as we multiply by two in init() anyway. We can't directly convert to an unsigned 64-bit value as internal_strtoll doesn't support unsigned 64-bit values (they internally use s64 and typedef it to long long).

Harbormaster completed remote builds in B31200: Diff 197443.Apr 30 2019, 2:24 PM
vitalybuka added a comment.Apr 30 2019, 3:40 PM

you should try to extract obvious parts into smaller patches

compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
52

sizeof(*Metadata)

57

sizeof(*FreeSlots)
this is not Google style, but advice is still relevant https://google.github.io/styleguide/cppguide.html#sizeof

87

...== false) -> if (!...

100

Meta->Init(Size, Ptr, .....)

125

can you move all metadata manipulation logic into AllocationMetadata:: methods?

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
40

can you hide this struct into cpp file and just keep forward declaration here?

51

can you please add kInvalidThreadID ?

79

why do you need this this line at all "~GuardedPoolAllocator() = default;"?

179

can you avoid output arg by:
std::size_t reserveSlot();

237

"static private:" are not very useful
you can hide them into unnamed namespace of cpp file

compiler-rt/lib/gwp_asan/mutex.h
43

explicit?

64

do you need yieldProcessor and lockSlow inline?
maybe move into cpp file to move this ifdefs from header?

compiler-rt/lib/gwp_asan/random.h
25

it's called on slow path when NextSampleCounter == 0
I don't thins ALWAYS_INLINE will help here.
just move it into cpp file?
Also http://quick-bench.com/Jbi9nGqIlAfRkFGHjpJzBVR58Bw

Can you explain why you need own random?

50

they don't need to be in the header

hctim marked 36 inline comments as done.May 1 2019, 2:08 PM
hctim added inline comments.
compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
115

Not equal if sizeof(Slot) != sizeof(Page). Happy to introduce a helper fn for this if you want, but it's used in a single place.

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
40

See https://reviews.llvm.org/D60593?id=195942#inline-541269. Happy to change.

79

It's simply an explicit note to the reader that we have a trivial destructor. If they want to add a d'tor, they'll come to this line and read the note above.

179

See https://reviews.llvm.org/D60593#inline-542081

237

NextSampleCounter are referenced in shouldSample(), which is implemented in the header for inlining reasons.
SingletonPtr has been moved.

compiler-rt/lib/gwp_asan/mutex.h
64

http://quick-bench.com/5oJNxyiBe-7KwZ0nMCRDGBaNa5s

Looks like with clang gets a slight perf improvement with inlining, which is extended (to 10% perf improvement) w/ libc++.

Also I'm hesitent to create small cpp files, as per https://reviews.llvm.org/D60593?id=195942#inline-542189.

Okay to leave as is?

compiler-rt/lib/gwp_asan/random.h
25

Can't use PRNG from libc++, as we have to be c-compatible.

Can't use PRNG from sanitizer_common, as we don't depend on sanitizer_common in the core code.

libc rand() is too slow.

read from /dev/ is too slow.

compiler-rt/test/gwp_asan/thread_contention.cpp
1 ↗(On Diff #197200)

I've also added a test that's pretty much ThreadedHighContention.

9 ↗(On Diff #197200)

The runtime configuration is mostly to avoid the overhead of recompilation. The compilation of this file for a debug build of clang takes 3.5-4s on my machine, and I desperately wanted to avoid that overhead multiple times.

The additional runs have been deleted.

hctim updated this revision to Diff 197637.May 1 2019, 2:08 PM
hctim marked 9 inline comments as done.
  • From Vlad and Vitaly's comments.
  • Merge branch 'master' into gwp-address with parent change completed.
Harbormaster completed remote builds in B31253: Diff 197637.May 1 2019, 2:08 PM
morehouse added inline comments.May 1 2019, 2:21 PM
compiler-rt/CMakeLists.txt
281

This option has to do specifically with Scudo. Therefore it should go in the Scudo cmake.

And Kostya K. needs to be OK with hooks being installed by default.

compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
183

I expect it doesn't matter in practice. GWP-ASan is already probabilistic, so who cares if we're x% more likely to detect underflow than overflow. You could even invert things so we get more right-aligned allocations since overflow is more common than underflow.

207

Ok, but the assert isn't enough. In release builds we could still null-deref.

264

Nit: else is unnecessary

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
26

Technically doesn't this make it "thread-compatible" until init(), then thread-safe?

40

GPA is the only user of AllocationMetadata, and the struct is relatively small. Do we really want an entire file for ~20 lines of code?

68

Regardless of branch prediction, the compiler may choose to make "other optimizations" to improve the hot path.

79

Not necessary, but I think it does make the intention clear.

163

I'd prefer simpler for now, with refactoring later. It could be a while until "future expansion", so let's keep the code simple in the meantime.

172

Looks better.

compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
69

These two checks are probably unnecessary.

72

I think we should avoid dying here so the previous signal handler can examine the SEGV too.

compiler-rt/lib/gwp_asan/options.inc
29

What happens if I set a negative value?

39

What happens if I set a negative sample rate?

morehouse added inline comments.May 1 2019, 2:21 PM
compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
77

There are also SIG_DFL and SIG_IGN cases. See https://critique.corp.google.com/#review/197822848/depot/google3/tcmalloc/guarded_page_allocator.cc for an example.

vlad.tsyrklevich added inline comments.May 2 2019, 12:24 PM
compiler-rt/test/gwp_asan/num_usable_slots.cpp
13

We test +1 case but not the -1 case.

61

I'm not sure what a better test is but this isn't always true (e.g. the allocator could actually take back that page if all the allocations on it are gone.) These tests could test stronger assertions and be simpler if there was a __gwp_asan_pointer_is_mine() or something like that.

compiler-rt/test/gwp_asan/thread_contention_with_release.cpp
32 ↗(On Diff #197637)

*Ptr may not be 0 if we fall through to regular malloc() (either here or on the realloc call below), perhaps we should risk running this test on normal malloc()/realloc() sometimes and have NumAllocsTotal fully deplete the free list instead?

72 ↗(On Diff #197637)

I'm not sure I understand this logic: 1) what std::set? (the std::vector<std::thread>?) 2) we should be able to consume more than the total number of guarded allocations if we wanted right since it would just fall back to normal malloc?

llvm/docs/GwpAsan.rst
153

Replace NumUsableGuardedPages

160

Ditto

hctim updated this revision to Diff 198048.May 3 2019, 10:55 AM
hctim marked 25 inline comments as done.
  • Updated with Vlad's and Matt's comments.
compiler-rt/CMakeLists.txt
281

I've changed this flag to not exist any more, as it's synonymous with COMPILER_RT_GWP_ASAN_ENABLED anyway.

@cryptoad and I have confirmed offline that always-built on supported platforms is okay :)

compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
183

I think the major reason for me is that it may be a use case to have a guarded pool with only a single slot for short-lived processes on memory-constrained devices. We're planning on process sampling as well for Android, and it may be useful to service short-lived processes with a single allocation instead of disabling it completely.

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
26

Yep, updated documentation to reflect this.

163

Gotcha. ssize_t is POSIX-only (see Windows docs) so I've made it return kInvalidSlotID instead.

compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
77

Done with some slight modifications. If the previous handler was SIG_IGN, we die as we'll constantly restart on the memory error and repeatedly spam GWP-ASan output. This also aligns with the exit behaviour of DOUBLE_FREE/INVALID_FREE and that of SIGSEGV-delivered errors.

We also don't explicitly handle SIG_DFL, as the fallthrough should call the default signal handler just fine.

compiler-rt/lib/gwp_asan/options.inc
29

The error checking is done in the flag parser, but I've also added explicit checking in init() as well.

compiler-rt/test/gwp_asan/num_usable_slots.cpp
13

I'm confused why we would need to test the -1 case (assuming that -1 means NumIterations == MaxSimultaneousAllocations - 1), given that NumIterations == MSA provide this coverage. Is my assumption correct?

61

Changed it to use the same mechanism from above to detect if it's in the pool.

I think the current assumption is strong enough, but may be broken if atoi() or alloca() changes to call malloc (unlikely), or if a shared library calls malloc() during dynamic loading. WDYT?

Edit: On further thought, this also will spuriously pass if the implementing allocator uses the page immediately after the allocation pool to back the allocation. I've added interface definitions and started a cleanup so that we can exercise the allocator internals directly.

Harbormaster completed remote builds in B31383: Diff 198048.May 3 2019, 10:56 AM
vlad.tsyrklevich added inline comments.May 3 2019, 12:04 PM
compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
427

nullptr

432

if (!gwp_asan::SingletonPtr) return; to match the other functions?

compiler-rt/test/gwp_asan/no_reuse_ahead_of_time.cpp
35 ↗(On Diff #198048)

Why does anything need to care about initializing the GPA ahead of time for anything other than allocate? The underlying methods should return the correct values. And even for allocate() we can get around this edge case by doing allocate(PageSize+1).

compiler-rt/test/gwp_asan/num_usable_slots.cpp
13

This looks fine as is.

61

If we want to be safe, because I can definitely see runtimes hitting malloc() before main()in normal code paths, we could make SampleRate high and use the GPA allocate directly for this test.

compiler-rt/test/gwp_asan/pattern_malloc_free.cpp
2

I would collapse the pattern_* tests into two tests:

  1. Test that malloc, calloc, realloc, new, new[] all satisfy pointerismine
  2. And then this test.

Less code and should have equal coverage.

compiler-rt/test/gwp_asan/reuse_quarantine.cpp
9

Maybe delete the 1/2 cases (will fail on runtimes that call malloc before main() and just call it with some other higher value that should always work like 32.

vlad.tsyrklevich added inline comments.May 3 2019, 12:09 PM
compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp
432

I suppose it could also be assert(gwp_asan::SingletonPtr) since it's never correct to reach this function with an uninitialized GPA.

hctim marked 10 inline comments as done.May 6 2019, 11:11 AM
hctim added inline comments.
compiler-rt/test/gwp_asan/no_reuse_ahead_of_time.cpp
35 ↗(On Diff #198048)

These helper funcs call through the singleton ptr, which is nullptr until init(). Calling pointerIsMine() (for example) would access (nullptr)->GuardedPagePool.

I like the maximumAllocSize() + 1. At the moment, GPA::maximumAllocSize()doesn't rely on any data members, but is still UB to call with a nullptr instance. I think I'll do this but with an arbritrarily large allocation and leave a note for me to update it when we support multipage slots.

compiler-rt/test/gwp_asan/reuse_quarantine.cpp
9

I've instead rewrote it so that it exercises the allocator directly with no sampling, so that we avoid this issue. LGTY?

hctim updated this revision to Diff 198313.May 6 2019, 11:11 AM
hctim marked 2 inline comments as done.
  • Updated from Vlad's comments.
Harbormaster completed remote builds in B31465: Diff 198313.May 6 2019, 11:12 AM
vlad.tsyrklevich accepted this revision.May 6 2019, 1:11 PM
vlad.tsyrklevich added inline comments.
compiler-rt/test/gwp_asan/no_reuse_ahead_of_time.cpp
35 ↗(On Diff #198048)

But that's not true, all of the __gwp_asan_* functions fail gracefully if initialization hasn't occurred (except for deallocate which is never valid to call when uninitialized), e.g. pointer_is_mine would just return false. We do need initialization for the allocate() case so it works as expected, and I'm fine with wrapping all of the gwp_asan_* functions for consistency with allocate(), but I think we should only call maybeInit in the allocate case to make it explicit that that is the only one that needs it (and if that changes we can get rid of it and use the underlying methods directly.)

compiler-rt/test/gwp_asan/reuse_quarantine.cpp
9

Looks good.

This revision is now accepted and ready to land.May 6 2019, 1:11 PM
morehouse added inline comments.May 6 2019, 6:22 PM
compiler-rt/include/sanitizer/gwp_asan_interface.h
1 ↗(On Diff #198313)

I think I missed something. What is the purpose of these functions?

compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
75

I'm not opposed to ignoring SIG_IGN, but this should be documented somewhere.

77

I am skeptical that calling SIG_DFL() will work.

SIG_DFL is not a function address.

https://en.cppreference.com/w/cpp/utility/program/SIG_strategies

compiler-rt/lib/gwp_asan/gwp_asan_interface_internal.h
1 ↗(On Diff #198313)

Why do we want this?

compiler-rt/lib/gwp_asan/random.cpp
18

Looks like initialization of these globals could happen after the first call to getRandom.

compiler-rt/lib/scudo/scudo_allocator.cpp
305

Could you just post the assembly? Preferably a before/after of this fastpath change.

The CFG is confusing for me to read.

hctim marked 15 inline comments as done.May 7 2019, 12:46 PM
hctim added inline comments.
compiler-rt/include/sanitizer/gwp_asan_interface.h
1 ↗(On Diff #198313)

See comment in compiler-rt/lib/gwp_asan/gwp_asan_interface_internal.h.

compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp
75

Documented in GwpAsan.rst and options.inc.

77

Surprisingly, it worked on my machine. Have changed to ensure this works everywhere.

compiler-rt/lib/gwp_asan/gwp_asan_interface_internal.h
1 ↗(On Diff #198313)

To allow us to exercise the allocator directly for testing. The comments in compiler-rt/test/gwp_asan/num_usable_slots.cpp has some more context, but the summary is:

  1. Allows us to be precise with exactly which allocations are sampled (important, for example, in tests/num_usable_slots.cpp where if a library calls malloc() during its init, we will break. Also, in the thread_contention* tests, we want to be certain that we are exercising the sampled allocator, rather than potentially falling back to the system allocator.
  2. Allows us to test directly against the interface whether something is sampled through __gwp_asan_pointer_is_mine(), avoiding relying on implementation specific assumptions. In tests/num_usable_slots.cpp, we were previously relying on left-to-right sequential usage of the sampled slots to determine whether an allocation was sampled. We then had no method to determine whether an allocation was not sampled, as the system allocator may place the unsampled allocation in the page directly after the guarded pool, leading us to spurious failure.
compiler-rt/lib/scudo/scudo_allocator.cpp
305

before, after the changes

compiler-rt/test/gwp_asan/no_reuse_ahead_of_time.cpp
35 ↗(On Diff #198048)

My mistake. They don't cause error, but they don't return correct values until init has taken place.

We also need init support for maximumAllocationSize() from interface_test.cpp and interface_test_failures.cpp with their current implementation. We could add explicit initialisation by caling a dummy __internal::allocate() / deallocate() in these specific tests. (And, I guess thread_contention_with_release.cpp as well if we can't make the strong guarantee that std::vector<std::thread>::emplace_back() always calls the system allocator.)

It seems to make the interface a lot less prone to test implementation errors. Happy to change if if you feel strongly about this, but apart from performance of the tests, I don't see what we gain (especially when scudo::allocate always does a once-init check as well through initThreadMaybe()).

hctim updated this revision to Diff 198512.May 7 2019, 12:46 PM
hctim marked 6 inline comments as done.
  • Matt's comments.
Harbormaster completed remote builds in B31551: Diff 198512.May 7 2019, 12:46 PM
hctim marked an inline comment as done.May 7 2019, 12:47 PM
hctim added inline comments.
compiler-rt/lib/scudo/scudo_allocator.cpp
305

@vlad.tsyrklevich

morehouse added inline comments.May 7 2019, 4:50 PM
compiler-rt/lib/gwp_asan/gwp_asan_interface_internal.h
1 ↗(On Diff #198313)

Can we just write unit tests, like we have in Google3 and Chrome GWP-ASans, Scudo, and every sanitizer? Then we don't need these interfaces.

morehouse added inline comments.May 8 2019, 9:07 AM
compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
98

The assembly you posted for this function looks way too slow. Is it actually optimized with -O2?

  • The fast path (counter > 1) has *two* branches that check if NextSampleCounter's TLS init function has run and one actual call to the TLS init function. Ouch! We shouldn't need these.
    • Maybe we need to make the counter function-local or use __thread instead of thread_local.
  • The counter decrement of NextSampleCounter requires 4 instructions? Load TLS offset from global, read TLS, increment, write TLS. Yikes. For reference, TCMalloc does this operation in 1 instruction.
  • The + 1 operation on the NextSampleCounter == 0 branch is done with a mov-add, rather than an lea.

Again, please triple-check that the binary you compiled is actually optimized. Make sure it is compiled with clang++ -O2 ....

vlad.tsyrklevich added a comment.May 8 2019, 9:36 AM

One thing I also just realized is that by explicitly setting TLS model to initial-exec we prevent dlopen() dynamic loading, I don't have a problem with that but just wanted to make sure @cryptoad was aware.

compiler-rt/lib/gwp_asan/gwp_asan_interface_internal.h
1 ↗(On Diff #198313)

That is the way to go, I suggested this approach at first forgetting that there are non-lit tests.

gribozavr added a subscriber: gribozavr.May 8 2019, 10:25 AM

What does GWP stand for?

hctim marked 4 inline comments as done.May 10 2019, 2:19 PM
hctim added inline comments.
compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
98

As per offline discussion, declaring NextSampleCounter with __thread instead of thread_local fixed this. Also added a note in definitions.h.

hctim updated this revision to Diff 199083.May 10 2019, 2:19 PM
hctim marked an inline comment as done.
  • Updated tests to use unittests rather than expose a public interface and exercise that. Minor perf improvements to shouldSample().
Herald added a project: Restricted Project. · View Herald TranscriptMay 10 2019, 2:19 PM
Herald added a subscriber: cfe-commits. · View Herald Transcript
Harbormaster completed remote builds in B31764: Diff 199083.May 10 2019, 2:19 PM
hctim added a comment.May 10 2019, 2:24 PM
In D60593#1495428, @gribozavr wrote:

What does GWP stand for?

Google Wide Profiling.

We use the name GWP-ASan, even though it's "technically neither GWP nor ASan", but because it describes well what the outcome is (sampled allocations with memory detection capabilities). It also mirrors the name used for the identical mechanism implemented in Chromium.

morehouse added a comment.May 10 2019, 3:58 PM

This diff is helpful to get an overall idea of how things fit together, but it is very difficult to review thoroughly. Let's start splicing off pieces for individual review.

I suggest:

  • Individual reviews for each prereq (mutex, random, etc.)
  • Review for base GPA + unit tests
  • Review for "optional" options parsing, etc.
  • Review for documentation
  • Review for Scudo integration + e2e tests

Submitting this in pieces (especially the Scudo integration) will also make things simpler if we need to revert something.

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h
98

What is the assembly now?

hctim mentioned this in D61867: [GWP-ASan] Initial build files, implementation of PRNG [1]..May 13 2019, 11:08 AM
hctim mentioned this in rL360710: [GWP-ASan] Initial build files, implementation of PRNG [1]..May 14 2019, 2:43 PM
hctim mentioned this in rGc9dd299736ad: [GWP-ASan] Initial build files, implementation of PRNG [1]..
hctim mentioned this in rCRT360710: [GWP-ASan] Initial build files, implementation of PRNG [1]..May 14 2019, 2:54 PM
hctim mentioned this in D61923: [GWP-ASan] Mutex implementation [2]..May 14 2019, 4:28 PM
jfb added a comment.May 14 2019, 4:54 PM
In D60593#1498622, @hctim wrote:
In D60593#1495428, @gribozavr wrote:

What does GWP stand for?

Google Wide Profiling.

We use the name GWP-ASan, even though it's "technically neither GWP nor ASan", but because it describes well what the outcome is (sampled allocations with memory detection capabilities). It also mirrors the name used for the identical mechanism implemented in Chromium.

Hello I'm here to bikeshed, and this is a terrible name for an LLVM project. Or super appropriate because LLVM itself is a terrible name? In any case, backronym it to something else, or rename it. Thanks!

eugenis added a comment.May 14 2019, 5:38 PM

Ha, I think it matches LLVM perfectly :)
G, of course, stands for "Galaxy".

hctim added a comment.May 14 2019, 6:20 PM
In D60593#1502266, @jfb wrote:

Hello I'm here to bikeshed, and this is a terrible name for an LLVM project. Or super appropriate because LLVM itself is a terrible name? In any case, backronym it to something else, or rename it. Thanks!

Also see GwpAsan.rst:

It informally is a recursive acronym, "GWP-ASan Will Provide Allocation SANity".

sidorovd mentioned this in rG2d3fa7b73eeb: [GWP-ASan] Initial build files, implementation of PRNG [1]..May 30 2019, 9:21 AM
sidorovd mentioned this in rGfca7884310ac: [GWP-ASan] Initial build files, implementation of PRNG [1]..May 30 2019, 10:21 AM
hctim mentioned this in rL362138: [GWP-ASan] Mutex implementation [2]..May 30 2019, 12:42 PM
hctim mentioned this in rG5f0f4e3ae03a: [GWP-ASan] Mutex implementation [2]..
hctim mentioned this in D62698: [GWP-ASan] Configuration options [3]..May 30 2019, 1:29 PM
hctim mentioned this in rG2133daf232c5: [GWP-ASan] Configuration options [3]..Jun 4 2019, 9:59 AM
hctim mentioned this in rL362527: [GWP-ASan] Configuration options [3]..
hctim mentioned this in D62872: [GWP-ASan] Core Guarded Pool Allocator [4]..Jun 4 2019, 12:46 PM
hctim mentioned this in D62875: [GWP-ASan] Add public-facing documentation [6]..Jun 4 2019, 1:19 PM
hctim mentioned this in rL362636: [GWP-ASan] Core Guarded Pool Allocator [4]..Jun 5 2019, 12:40 PM
hctim mentioned this in rGa95edb9dc1dd: [GWP-ASan] Core Guarded Pool Allocator [4]..
hctim mentioned this in D62929: [GWP-ASan] Integration with Scudo [5]..Jun 5 2019, 1:13 PM
hctim mentioned this in rL363584: [GWP-ASan] Integration with Scudo [5]..Jun 17 2019, 10:42 AM
hctim mentioned this in rG21184ec5c48c: [GWP-ASan] Integration with Scudo [5]..
hctim abandoned this revision.Jun 28 2019, 3:27 PM

Abandoned as this was merged in small chunks.

hctim mentioned this in rL369552: [GWP-ASan] Add public-facing documentation [6]..Aug 21 2019, 10:54 AM
hctim mentioned this in rGc776f3f3c26f: [GWP-ASan] Add public-facing documentation [6]..

Revision Contents

Diff 196920

compiler-rt/CMakeLists.txt

Show First 20 LinesShow All 271 Lines▼ Show 20 Lines
set(DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY OFF) set(DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY OFF)
if (FUCHSIA) if (FUCHSIA)
set(DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY ON) set(DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY ON)
endif() endif()
option(COMPILER_RT_USE_BUILTINS_LIBRARY option(COMPILER_RT_USE_BUILTINS_LIBRARY
"Use compiler-rt builtins instead of libgcc" ${DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY}) "Use compiler-rt builtins instead of libgcc" ${DEFAULT_COMPILER_RT_USE_BUILTINS_LIBRARY})
option(GWP_ASAN_SCUDO_HOOKS
"When building scudo, should we install GWP-ASan hooks?"
morehouseUnsubmitted
Done
ReplyInline Actions

I think the "(default=False)" is unnecessary since the default value is clearly "OFF".

Also, shouldn't this go in the Scudo cmake?

morehouse: I think the "(default=False)" is unnecessary since the default value is clearly "OFF". Also…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Done. Also turned this default to True for supported platforms.

Needs to be defined this high in the build as it's used by compiler-rt/test/lit.common.configured.

hctim: Done. Also turned this default to True for supported platforms. Needs to be defined this high…
morehouseUnsubmitted
Done
ReplyInline Actions

This option has to do specifically with Scudo. Therefore it should go in the Scudo cmake.

And Kostya K. needs to be OK with hooks being installed by default.

morehouse: This option has to do specifically with Scudo. Therefore it should go in the Scudo cmake. And…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I've changed this flag to not exist any more, as it's synonymous with COMPILER_RT_GWP_ASAN_ENABLED anyway.

@cryptoad and I have confirmed offline that always-built on supported platforms is okay :)

hctim: I've changed this flag to not exist any more, as it's synonymous with…
COMPILER_RT_HAS_GWP_ASAN)
pythonize_bool(GWP_ASAN_SCUDO_HOOKS)
include(config-ix) include(config-ix)
#================================ #================================
# Setup Compiler Flags # Setup Compiler Flags
#================================ #================================
if(MSVC) if(MSVC)
# Override any existing /W flags with /W4. This is what LLVM does. Failing to # Override any existing /W flags with /W4. This is what LLVM does. Failing to
▲ Show 20 LinesShow All 266 LinesShow Last 20 Lines

compiler-rt/cmake/config-ix.cmake

Show First 20 LinesShow All 226 Lines▼ Show 20 Lines
set(ALL_SANITIZER_COMMON_SUPPORTED_ARCH ${X86} ${X86_64} ${PPC64} set(ALL_SANITIZER_COMMON_SUPPORTED_ARCH ${X86} ${X86_64} ${PPC64}
${ARM32} ${ARM64} ${MIPS32} ${MIPS64} ${S390X}) ${ARM32} ${ARM64} ${MIPS32} ${MIPS64} ${S390X})
set(ALL_ASAN_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} set(ALL_ASAN_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64}
${MIPS32} ${MIPS64} ${PPC64} ${S390X}) ${MIPS32} ${MIPS64} ${PPC64} ${S390X})
set(ALL_DFSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64}) set(ALL_DFSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64})
set(ALL_FUZZER_SUPPORTED_ARCH ${X86_64} ${ARM64}) set(ALL_FUZZER_SUPPORTED_ARCH ${X86_64} ${ARM64})
set(ALL_GWP_ASAN_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM64} ${ARM32})
if(APPLE) if(APPLE)
set(ALL_LSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64} ${ARM64}) set(ALL_LSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64} ${ARM64})
else() else()
set(ALL_LSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64} ${ARM64} ${ARM32} ${PPC64}) set(ALL_LSAN_SUPPORTED_ARCH ${X86} ${X86_64} ${MIPS64} ${ARM64} ${ARM32} ${PPC64})
endif() endif()
set(ALL_MSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64} ${PPC64}) set(ALL_MSAN_SUPPORTED_ARCH ${X86_64} ${MIPS64} ${ARM64} ${PPC64})
set(ALL_HWASAN_SUPPORTED_ARCH ${X86_64} ${ARM64}) set(ALL_HWASAN_SUPPORTED_ARCH ${X86_64} ${ARM64})
set(ALL_PROFILE_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} ${PPC64} set(ALL_PROFILE_SUPPORTED_ARCH ${X86} ${X86_64} ${ARM32} ${ARM64} ${PPC64}
▲ Show 20 LinesShow All 183 Lines▼ Show 20 Linesif(APPLE)
set(LSAN_COMMON_SUPPORTED_ARCH ${SANITIZER_COMMON_SUPPORTED_ARCH}) set(LSAN_COMMON_SUPPORTED_ARCH ${SANITIZER_COMMON_SUPPORTED_ARCH})
set(UBSAN_COMMON_SUPPORTED_ARCH ${SANITIZER_COMMON_SUPPORTED_ARCH}) set(UBSAN_COMMON_SUPPORTED_ARCH ${SANITIZER_COMMON_SUPPORTED_ARCH})
list_intersect(ASAN_SUPPORTED_ARCH list_intersect(ASAN_SUPPORTED_ARCH
ALL_ASAN_SUPPORTED_ARCH ALL_ASAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(DFSAN_SUPPORTED_ARCH list_intersect(DFSAN_SUPPORTED_ARCH
ALL_DFSAN_SUPPORTED_ARCH ALL_DFSAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(GWP_ASAN_SUPPORTED_ARCH
ALL_GWP_ASAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(LSAN_SUPPORTED_ARCH list_intersect(LSAN_SUPPORTED_ARCH
ALL_LSAN_SUPPORTED_ARCH ALL_LSAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(MSAN_SUPPORTED_ARCH list_intersect(MSAN_SUPPORTED_ARCH
ALL_MSAN_SUPPORTED_ARCH ALL_MSAN_SUPPORTED_ARCH
SANITIZER_COMMON_SUPPORTED_ARCH) SANITIZER_COMMON_SUPPORTED_ARCH)
list_intersect(HWASAN_SUPPORTED_ARCH list_intersect(HWASAN_SUPPORTED_ARCH
ALL_HWASAN_SUPPORTED_ARCH ALL_HWASAN_SUPPORTED_ARCH
▲ Show 20 LinesShow All 51 Lines▼ Show 20 Lineselse()
filter_available_targets(SAFESTACK_SUPPORTED_ARCH filter_available_targets(SAFESTACK_SUPPORTED_ARCH
${ALL_SAFESTACK_SUPPORTED_ARCH}) ${ALL_SAFESTACK_SUPPORTED_ARCH})
filter_available_targets(CFI_SUPPORTED_ARCH ${ALL_CFI_SUPPORTED_ARCH}) filter_available_targets(CFI_SUPPORTED_ARCH ${ALL_CFI_SUPPORTED_ARCH})
filter_available_targets(SCUDO_SUPPORTED_ARCH ${ALL_SCUDO_SUPPORTED_ARCH}) filter_available_targets(SCUDO_SUPPORTED_ARCH ${ALL_SCUDO_SUPPORTED_ARCH})
filter_available_targets(SCUDO_STANDALONE_SUPPORTED_ARCH ${ALL_SCUDO_STANDALONE_SUPPORTED_ARCH}) filter_available_targets(SCUDO_STANDALONE_SUPPORTED_ARCH ${ALL_SCUDO_STANDALONE_SUPPORTED_ARCH})
filter_available_targets(XRAY_SUPPORTED_ARCH ${ALL_XRAY_SUPPORTED_ARCH}) filter_available_targets(XRAY_SUPPORTED_ARCH ${ALL_XRAY_SUPPORTED_ARCH})
filter_available_targets(SHADOWCALLSTACK_SUPPORTED_ARCH filter_available_targets(SHADOWCALLSTACK_SUPPORTED_ARCH
${ALL_SHADOWCALLSTACK_SUPPORTED_ARCH}) ${ALL_SHADOWCALLSTACK_SUPPORTED_ARCH})
filter_available_targets(GWP_ASAN_SUPPORTED_ARCH ${ALL_GWP_ASAN_SUPPORTED_ARCH})
endif() endif()
if (MSVC) if (MSVC)
# See if the DIA SDK is available and usable. # See if the DIA SDK is available and usable.
set(MSVC_DIA_SDK_DIR "$ENV{VSINSTALLDIR}DIA SDK") set(MSVC_DIA_SDK_DIR "$ENV{VSINSTALLDIR}DIA SDK")
if (IS_DIRECTORY ${MSVC_DIA_SDK_DIR}) if (IS_DIRECTORY ${MSVC_DIA_SDK_DIR})
set(CAN_SYMBOLIZE 1) set(CAN_SYMBOLIZE 1)
else() else()
Show All 11 Lines
message(STATUS "Compiler-RT supported architectures: ${COMPILER_RT_SUPPORTED_ARCH}") message(STATUS "Compiler-RT supported architectures: ${COMPILER_RT_SUPPORTED_ARCH}")
if(ANDROID) if(ANDROID)
set(OS_NAME "Android") set(OS_NAME "Android")
else() else()
set(OS_NAME "${CMAKE_SYSTEM_NAME}") set(OS_NAME "${CMAKE_SYSTEM_NAME}")
endif() endif()
set(ALL_SANITIZERS asan;dfsan;msan;hwasan;tsan;safestack;cfi;scudo;ubsan_minimal) set(ALL_SANITIZERS asan;dfsan;msan;hwasan;tsan;safestack;cfi;scudo;ubsan_minimal;gwp_asan)
set(COMPILER_RT_SANITIZERS_TO_BUILD all CACHE STRING set(COMPILER_RT_SANITIZERS_TO_BUILD all CACHE STRING
"sanitizers to build if supported on the target (all;${ALL_SANITIZERS})") "sanitizers to build if supported on the target (all;${ALL_SANITIZERS})")
list_replace(COMPILER_RT_SANITIZERS_TO_BUILD all "${ALL_SANITIZERS}") list_replace(COMPILER_RT_SANITIZERS_TO_BUILD all "${ALL_SANITIZERS}")
if (SANITIZER_COMMON_SUPPORTED_ARCH AND NOT LLVM_USE_SANITIZER AND if (SANITIZER_COMMON_SUPPORTED_ARCH AND NOT LLVM_USE_SANITIZER AND
(OS_NAME MATCHES "Android|Darwin|Linux|FreeBSD|NetBSD|OpenBSD|Fuchsia|SunOS" OR (OS_NAME MATCHES "Android|Darwin|Linux|FreeBSD|NetBSD|OpenBSD|Fuchsia|SunOS" OR
(OS_NAME MATCHES "Windows" AND NOT CYGWIN AND (OS_NAME MATCHES "Windows" AND NOT CYGWIN AND
(NOT MINGW OR CMAKE_CXX_COMPILER_ID MATCHES "Clang")))) (NOT MINGW OR CMAKE_CXX_COMPILER_ID MATCHES "Clang"))))
▲ Show 20 LinesShow All 121 Lines▼ Show 20 Lines
endif() endif()
if (COMPILER_RT_HAS_SANITIZER_COMMON AND SHADOWCALLSTACK_SUPPORTED_ARCH AND if (COMPILER_RT_HAS_SANITIZER_COMMON AND SHADOWCALLSTACK_SUPPORTED_ARCH AND
OS_NAME MATCHES "Linux|Android") OS_NAME MATCHES "Linux|Android")
set(COMPILER_RT_HAS_SHADOWCALLSTACK TRUE) set(COMPILER_RT_HAS_SHADOWCALLSTACK TRUE)
else() else()
set(COMPILER_RT_HAS_SHADOWCALLSTACK FALSE) set(COMPILER_RT_HAS_SHADOWCALLSTACK FALSE)
endif() endif()
# Note: Fuchsia and Windows are not currently supported by GWP-ASan. Support
# is planned for these platforms. Darwin is also not supported due to TLS
# calling malloc on first use.
morehouseUnsubmitted
Done
ReplyInline Actions

I think "TLS calling malloc on first-use" is clearer.

morehouse: I think "TLS calling malloc on first-use" is clearer.
if (GWP_ASAN_SUPPORTED_ARCH AND OS_NAME MATCHES "Android|Linux")
morehouseUnsubmitted
Done
ReplyInline Actions

Does this mean GWP-ASan requires sanitizer_common to be present?

morehouse: Does this mean GWP-ASan requires sanitizer_common to be present?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Thanks, fixed. Only for sanitizer-common backed default initialisation of gwp_asan::Options (which is not required if the implementing allocator creates the options themselves).

hctim: Thanks, fixed. Only for sanitizer-common backed default initialisation of `gwp_asan::Options`…
set(COMPILER_RT_HAS_GWP_ASAN TRUE)
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I would remove the BSDs and let them add it themselves, otherwise we risk breaking them without having tested it. (e.g. they may have system calls like gettid() with different names/APIs)

vlad.tsyrklevich: I would remove the BSDs and let them add it themselves, otherwise we risk breaking them without…
else()
set(COMPILER_RT_HAS_GWP_ASAN FALSE)
endif()

compiler-rt/lib/gwp_asan/CMakeLists.txt

  • This file was added.
add_compiler_rt_component(gwp_asan)
include_directories(..)
set(GWP_ASAN_SOURCES
guarded_pool_allocator.cpp
guarded_pool_allocator_posix.cpp
random.cpp
)
set(GWP_ASAN_HEADERS
guarded_pool_allocator.h
mutex.h
options.h
options.inc
random.h
)
# Runtime environment support is optional. GwpAsan is totally independent of
# sanitizer_common, the runtime env parser is not. This is an optional library
# that can be used by an allocator to automatically parse GwpAsan flags from the
# environment variable GWP_ASAN_FLAGS, but the allocator can choose to implement
# its own flag parsing and populate the Options struct itself.
set(GWP_ASAN_FLAG_PARSER_SOURCES
optional/runtime_env_flag_parser.cpp
)
morehouseUnsubmitted
Done
ReplyInline Actions

s/themselves/itself

morehouse: s/themselves/itself
set(GWP_ASAN_FLAG_PARSER_HEADERS
optional/runtime_env_flag_parser.h
)
# Disable RTTI and exception support, as we want these libraries to be
# C-compatible. Regular C source files can be linked against the generated
# GwpAsan libraries using the Clang C compiler.
set(GWP_ASAN_CFLAGS -fno-rtti -fno-exceptions)
set(GWP_ASAN_FLAG_PARSER_CFLAGS ${GWP_ASAN_CFLAGS} ${SANITIZER_COMMON_CFLAGS})
if (COMPILER_RT_HAS_GWP_ASAN)
foreach(arch ${GWP_ASAN_SUPPORTED_ARCH})
add_compiler_rt_runtime(
clang_rt.gwp_asan
STATIC
ARCHS ${arch}
SOURCES ${GWP_ASAN_SOURCES}
ADDITIONAL_HEADERS ${GWP_ASAN_HEADERS}
CFLAGS ${GWP_ASAN_CFLAGS}
PARENT_TARGET gwp_asan
)
endforeach()
cryptoadUnsubmitted
Done
ReplyInline Actions

GWP_ASAN_OBJECT_LIBS not defined?

cryptoad: GWP_ASAN_OBJECT_LIBS not defined?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Removed.

hctim: Removed.
add_compiler_rt_object_libraries(RTGwpAsan
ARCHS ${GWP_ASAN_SUPPORTED_ARCH}
SOURCES ${GWP_ASAN_SOURCES}
ADDITIONAL_HEADERS ${GWP_ASAN_HEADERS}
CFLAGS ${GWP_ASAN_CFLAGS})
# Note: If you choose to add this as an object library, ensure you also
# include the sanitizer_common flag parsing object lib
# 'RTSanitizerCommonNoTermination'.
add_compiler_rt_object_libraries(RTGwpAsanFlagParser
ARCHS ${GWP_ASAN_SUPPORTED_ARCH}
SOURCES ${GWP_ASAN_FLAG_PARSER_SOURCES}
morehouseUnsubmitted
Done
ReplyInline Actions

What does RTSanitizerCommonNoTermination do?

morehouse: What does RTSanitizerCommonNoTermination do?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Provides argument parsing and printf from sanitizer_common (and also will provide unwinding in the future). This is only for allocators to use if they don't want to populate the Options struct themselves, and are okay with depending on sanitizer_common.

hctim: Provides argument parsing and printf from sanitizer_common (and also will provide unwinding in…
ADDITIONAL_HEADERS ${GWP_ASAN_FLAG_PARSER_HEADERS}
CFLAGS ${GWP_ASAN_FLAG_PARSER_CFLAGS})
endif()

compiler-rt/lib/gwp_asan/definitions.h

  • This file was added.
//===-- gwp_asan_definitions.h ----------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_DEFINITIONS_H_
#define GWP_ASAN_DEFINITIONS_H_
#if defined(_WIN64)
// 64-bit Windows uses LLP64 data model.
typedef unsigned long long uptr; // NOLINT
typedef signed long long sptr; // NOLINT
#else
typedef unsigned long uptr; // NOLINT
typedef signed long sptr; // NOLINT
#endif // defined(_WIN64)
#define TLS_INITIAL_EXEC thread_local __attribute__((tls_model("initial-exec")))
#ifdef LIKELY
# undef LIKELY
#endif // defined(LIKELY)
#define LIKELY(X) __builtin_expect(!!(X), 1)
#ifdef UNLIKELY
# undef UNLIKELY
#endif // defined(UNLIKELY)
#define UNLIKELY(X) __builtin_expect(!!(X), 0)
#ifdef NORETURN
# undef NORETURN
#endif // defined(NORETURN)
#define NORETURN __attribute__((noreturn))
#ifdef ALWAYS_INLINE
# undef ALWAYS_INLINE
#endif // defined(ALWAYS_INLINE)
#define ALWAYS_INLINE inline __attribute__((always_inline))
#ifdef ALIGNED
# undef ALIGNED
#endif // defined(ALIGNED)
#define ALIGNED(X) __attribute__((aligned(X)))
#endif // GWP_ASAN_DEFINITIONS_H_

compiler-rt/lib/gwp_asan/guarded_pool_allocator.h

  • This file was added.
//===-- guarded_pool_allocator.h --------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_
#define GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_
#include "gwp_asan/definitions.h"
#include "gwp_asan/mutex.h"
#include "gwp_asan/options.h"
#include "gwp_asan/random.h"
#include <cstddef>
#include <cstdint>
#include <type_traits>
namespace gwp_asan {
// This class is the primary implementation of the allocator portion of GWP-
// ASan. It is the sole owner of the pool of sequentially allocated guarded
// slots. It should always be treated as a singleton.
// This class is **thread-hostile** until init() is completely finished. Any
// implementing allocator must ensure that init() is called in a thread-safe
morehouseUnsubmitted
Done
ReplyInline Actions

Technically doesn't this make it "thread-compatible" until init(), then thread-safe?

morehouse: Technically doesn't this make it "thread-compatible" until init(), then thread-safe?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep, updated documentation to reflect this.

hctim: Yep, updated documentation to reflect this.
// manner, before any calls to public methods are made.
morehouseUnsubmitted
Done
ReplyInline Actions

GwpAsan seems superfluous since we're either using this inside GuardedPoolAllocator, or we're fully-qualifying as GuardedPoolAllocator::GwpAsanError::*.

morehouse: `GwpAsan` seems superfluous since we're either using this inside `GuardedPoolAllocator`, or…
class GuardedPoolAllocator {
public:
enum class Error {
UNKNOWN,
USE_AFTER_FREE,
DOUBLE_FREE,
INVALID_FREE,
BUFFER_OVERFLOW,
BUFFER_UNDERFLOW
};
struct AllocationMetadata {
// Maximum number of stack trace frames to collect for allocations + frees.
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you hide this struct into cpp file and just keep forward declaration here?

vitalybuka: can you hide this struct into cpp file and just keep forward declaration here?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

See https://reviews.llvm.org/D60593?id=195942#inline-541269. Happy to change.

hctim: See https://reviews.llvm.org/D60593?id=195942#inline-541269. Happy to change.
morehouseUnsubmitted
Not Done
ReplyInline Actions

GPA is the only user of AllocationMetadata, and the struct is relatively small. Do we really want an entire file for ~20 lines of code?

morehouse: GPA is the only user of `AllocationMetadata`, and the struct is relatively small. Do we really…
// TODO(hctim): Implement stack frame compression, a-la Chromium.
// Currently the maximum stack frames is one, as we don't collect traces.
static constexpr std::size_t MaximumStackFrames = 1;
morehouseUnsubmitted
Done
ReplyInline Actions

Also delete operator=.

morehouse: Also delete `operator=`.
morehouseUnsubmitted
Done
ReplyInline Actions

We should have a static_assert to ensure a constexpr GuardedPoolAllocator can actually be instantiated.

morehouse: We should have a static_assert to ensure a constexpr GuardedPoolAllocator can actually be…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

This is also vestigal, we don't actually need a constexpr constructor. Zero-initialisation during dynamic loading is sufficient for us to not recursively malloc(), as shouldSample() and pointerIsMine() are designed to guard entry with zero-initialised members.

hctim: This is also vestigal, we don't actually need a constexpr constructor. Zero-initialisation…
struct CallSiteInfo {
// The backtrace to the allocation/deallocation. If the first value is
// zero, we did not collect a trace.
uintptr_t Trace[MaximumStackFrames] = {};
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Nit: Delete racy (I think it can cause plain ol' UAF depending on destructor ordering.)

vlad.tsyrklevich: Nit: Delete racy (I think it can cause plain ol' UAF depending on destructor ordering.)
// The thread ID for this trace, or UINT64_MAX if not available.
uint64_t ThreadID = UINT64_MAX;
};
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you please add kInvalidThreadID ?

vitalybuka: can you please add kInvalidThreadID ?
// The address of this allocation.
uintptr_t Addr = 0;
// Represents the actual size of the allocation.
std::size_t Size = 0;
morehouseUnsubmitted
Done
ReplyInline Actions

It would be nice to avoid this check on the fast path.

Perhaps we can do rand() % (SampleRate + 1) and then check SampleRate !=0 only just before we would return true.

morehouse: It would be nice to avoid this check on the fast path. Perhaps we can do `rand() % (SampleRate…
eugenisUnsubmitted
Done
ReplyInline Actions

Or it could be another special value of NextSampleCounter, which could also serve as a way to temporarily disable sampling in a thread.

eugenis: Or it could be another special value of NextSampleCounter, which could also serve as a way to…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yes and no. We would have to set SampleRate = Opts.SampleRate - 1 to get precise sampling behaviour, which would make a sample rate of always on ("1") be the same as uninitialised.

I've added another flag IsInitialised in order to counteract this.

hctim: Yes and no. We would have to set `SampleRate = Opts.SampleRate - 1` to get precise sampling…
morehouseUnsubmitted
Done
ReplyInline Actions

This doesn't seem any better. We're still checking for initialization on the fast path.

morehouse: This doesn't seem any better. We're still checking for initialization on the fast path.
morehouseUnsubmitted
Done
ReplyInline Actions

Sorry, disregard the last comment; it's actually not on the fast path. This looks like it will have better perf.

morehouse: Sorry, disregard the last comment; it's actually not on the fast path. This looks like it will…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Is it not still on the fast path? I thought we'd want the if (IsInitialized) check to be in if (UNLIKELY(counter ==0)) to get it out of there?

vlad.tsyrklevich: Is it not still on the fast path? I thought we'd want the if (IsInitialized) check to be in if…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Tying to the discussion in scudo_allocator:236, I think that we should scrap calling malloc() from within GwpAsan's init. This would allow us to not have an initialisation check entirely, with the strict requirement that GuardedPoolAllocator::init() is called before any malloc takes place. WDYT?

hctim: Tying to the discussion in `scudo_allocator:236`, I think that we should scrap calling `malloc…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I'm fine with getting rid of it. I do think it's much nicer to use the simple malloc primitives, but it's not the end of the world.

vlad.tsyrklevich: I'm fine with getting rid of it. I do think it's much nicer to use the simple malloc primitives…
morehouseUnsubmitted
Done
ReplyInline Actions

+1 to removing malloc inside init. The recursion seems subtle and potentially bug-prone. We're already mapping pages, so why not map some extra for internal structures?

morehouse: +1 to removing `malloc` inside init. The recursion seems subtle and potentially bug-prone.
CallSiteInfo AllocationTrace;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

The Chrome sampling code does this more simply by treating 0 as "sample again" and then returning whether the next SampleCounter is equal to 1 to indicate "sample now" https://github.com/chromium/chromium/blob/master/components/gwp_asan/client/sampling_allocator_shims.cc#L50

vlad.tsyrklevich: The Chrome sampling code does this more simply by treating 0 as "sample again" and then…
CallSiteInfo DeallocationTrace;
morehouseUnsubmitted
Done
ReplyInline Actions

How does the perf compare to a simple if (NextSampleCounter <= 1)?

morehouse: How does the perf compare to a simple `if (NextSampleCounter <= 1)`?
// Whether this allocation has been deallocated yet.
bool IsDeallocated = false;
};
// During program startup, we must ensure that memory allocations do not land
morehouseUnsubmitted
Done
ReplyInline Actions

This looks unnecessarily complex and slow compared to a counter decrement. Do you have benchmarks indicating this is faster?

morehouse: This looks unnecessarily complex and slow compared to a counter decrement. Do you have…
morehouseUnsubmitted
Done
ReplyInline Actions

Never mind, I spoke too soon. Counter decrement is below...

morehouse: Never mind, I spoke too soon. Counter decrement is below...
// in this allocation pool if the allocator decides to runtime-disable
// GWP-ASan. The constructor value-initialises the class such that if no
// further initialisation takes place, calls to shouldSample() and
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Random::getRandomUnsigned64() % SampleRate means we are sampling more often than the actual sampling rate. This should be % (SampleRate * 2), or, even better, sample from a geometric distribution

vlad.tsyrklevich: Random::getRandomUnsigned64() % SampleRate means we are sampling more often than the actual…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Woops, seems I made the same mistake in http://crrev.com/c/1400050

vlad.tsyrklevich: Woops, seems I made the same mistake in http://crrev.com/c/1400050
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Actually I take that back. After reading it again that code uses a complicated sampling mechanism that does sample 1/N, the reason I chose it is so that we did not undersample the first SampleRate allocations as this scheme will. If it's possible to use the standard library I'd just replace it with a geometric distribution from the beginning if you can.

vlad.tsyrklevich: Actually I take that back. After reading it again that code uses a complicated sampling…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Unfortunately I'm trying to stick to header-only c++stdlib, is it okay as currently implemented?

hctim: Unfortunately I'm trying to stick to header-only c++stdlib, is it okay as currently implemented?
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

You should still modulo by SampleRate*2, perhaps store AdjustedSampleRate = (ConfigurationSampleRate*2) + 1 and use that instead of SampleRate directly?

vlad.tsyrklevich: You should still modulo by SampleRate*2, perhaps store AdjustedSampleRate =…
morehouseUnsubmitted
Done
ReplyInline Actions

Can perf be improved by marking the == 1 branch as UNLIKELY?

morehouse: Can perf be improved by marking the `== 1` branch as `UNLIKELY`?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

It wont on x64 as AFAIK the static predictors can't be primed (and doesn't appear to change the optimiser), but have as it may affect other other platforms.

hctim: It wont on x64 as AFAIK the static predictors can't be primed (and doesn't appear to change the…
morehouseUnsubmitted
Done
ReplyInline Actions

Regardless of branch prediction, the compiler may choose to make "other optimizations" to improve the hot path.

morehouse: Regardless of branch prediction, the compiler may choose to make "other optimizations" to…
// pointerIsMine() will return false.
constexpr GuardedPoolAllocator(){};
GuardedPoolAllocator(const GuardedPoolAllocator &) = delete;
GuardedPoolAllocator &operator=(const GuardedPoolAllocator &) = delete;
// Note: This class is expected to be a singleton for the lifetime of the
// program. If this object is initialised, it will leak the guarded page pool
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

We've given GuardedPagePool/GuardedPagePoolEnd the atomic treatment but since we access them sequentially it's possible that we get the sequence:
T1 Load GuardedPagePool
T2 Lazy Init
T1 Load GuardedPagePoolEnd

and give a bad value if the pointer is between 0 and GuardedPagePoolEnd. It seems like these values should not be atomic but that instead we are forced to perform an IsInitialised check first instead.

vlad.tsyrklevich: We've given GuardedPagePool/GuardedPagePoolEnd the atomic treatment but since we access them…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Alternatively, we could set GuardedPagePool = UINTPTR_MAX in the constructor for value-initialisation, and not have the overhead of the check. Do you see any problems with this?

hctim: Alternatively, we could set `GuardedPagePool = UINTPTR_MAX` in the constructor for value…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I'm not familiar with the atomic orderings but it seems like technically that's still not correct because __ATOMIC_RELAXED doesn't guarantee ordering (though I suppose loading IsInitialized here wouldn't fix that either.) We might need to change the memory order of the writes (hopefully not the reads for optimality) and then we could make that scheme work. (Make sure to document it somewhere.)

vlad.tsyrklevich: I'm not familiar with the atomic orderings but it seems like technically that's still not…
morehouseUnsubmitted
Done
ReplyInline Actions

Perhaps we can require that GPA has been initialized prior to calling pointerIsMine.

Scudo has some code like

allocate() {
  initScudoIfNecessary();
  ...
}

If we ensure that GPA is initialized inside initScudo, we guarantee that PointerIsMine is only ever called after GPA::Init.

morehouse: Perhaps we can require that GPA has been initialized prior to calling `pointerIsMine`. Scudo…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

So upon further reading, looks like the only way to ensure atomic-correctness here is to establish a dependency between GPP and GPPEnd, which require sequentially consistent loads and stores (which would hurt performance a trememdous amount).

We currently do what Matt suggests, so I've updated the documentation to reflect that the entire class is thread-hostile until init() is called.

hctim: So upon further reading, looks like the only way to ensure atomic-correctness here is to…
// and metadata allocations during destruction. We can't clean up these areas
// as this may cause a use-after-free on shutdown.
~GuardedPoolAllocator() = default;
cryptoadUnsubmitted
Done
ReplyInline Actions

const uintptr_t P?

cryptoad: const uintptr_t P?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I don't think this is necessary, P is a copy of Ptr (just a casted version of Ptr) :)

hctim: I don't think this is necessary, P is a copy of `Ptr` (just a casted version of `Ptr`) :)
morehouseUnsubmitted
Done
ReplyInline Actions

Then why are we casting to const uintptr_t?

morehouse: Then why are we casting to `const uintptr_t`?
vitalybukaUnsubmitted
Done
ReplyInline Actions

why do you need this this line at all "~GuardedPoolAllocator() = default;"?

vitalybuka: why do you need this this line at all "~GuardedPoolAllocator() = default;"?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

It's simply an explicit note to the reader that we have a trivial destructor. If they want to add a d'tor, they'll come to this line and read the note above.

hctim: It's simply an explicit note to the reader that we have a trivial destructor. If they want to…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Not necessary, but I think it does make the intention clear.

morehouse: Not necessary, but I think it does make the intention clear.
// Initialise the rest of the members of this class. Create the allocation
// pool using the provided options. See options.inc for runtime configuration
// options.
void init(const options::Options &Opts);
// Return whether the allocation should be randomly chosen for sampling.
ALWAYS_INLINE bool shouldSample() {
// NextSampleCounter == 0 means we "should regenerate the counter".
// == 1 means we "should sample this allocation".
if (UNLIKELY(NextSampleCounter == 0))
NextSampleCounter =
(Random::getRandomUnsigned64() % AdjustedSampleRate) + 1;
// GuardedPagePool != 0 if GWP-ASan is enabled.
return UNLIKELY(NextSampleCounter-- == 1) && LIKELY(GuardedPagePool != 0);
}
// Returns whether the provided pointer is a current sampled allocation that
// is owned by this pool.
morehouseUnsubmitted
Done
ReplyInline Actions

The assembly you posted for this function looks way too slow. Is it actually optimized with -O2?

  • The fast path (counter > 1) has *two* branches that check if NextSampleCounter's TLS init function has run and one actual call to the TLS init function. Ouch! We shouldn't need these.
    • Maybe we need to make the counter function-local or use __thread instead of thread_local.
  • The counter decrement of NextSampleCounter requires 4 instructions? Load TLS offset from global, read TLS, increment, write TLS. Yikes. For reference, TCMalloc does this operation in 1 instruction.
  • The + 1 operation on the NextSampleCounter == 0 branch is done with a mov-add, rather than an lea.

Again, please triple-check that the binary you compiled is actually optimized. Make sure it is compiled with clang++ -O2 ....

morehouse: The assembly you posted for this function looks way too slow. Is it actually optimized with `…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

As per offline discussion, declaring NextSampleCounter with __thread instead of thread_local fixed this. Also added a note in definitions.h.

hctim: As per offline discussion, declaring `NextSampleCounter` with `__thread` instead of…
morehouseUnsubmitted
Not Done
ReplyInline Actions

What is the assembly now?

morehouse: What is the assembly now?
ALWAYS_INLINE bool pointerIsMine(const void *Ptr) const {
uintptr_t P = reinterpret_cast<uintptr_t>(Ptr);
return GuardedPagePool <= P && P < GuardedPagePoolEnd;
}
// Allocate memory in a guarded slot, and return a pointer to the new
// allocation. Returns nullptr if the pool is empty, the requested size is too
// large for this pool to handle, or the requested size is zero.
void *allocate(std::size_t Size);
// Deallocate memory in a guarded slot. The provided pointer must have been
// allocated using this pool. This will set the guarded slot as inaccessible.
void deallocate(void *Ptr);
morehouseUnsubmitted
Done
ReplyInline Actions

This is unused.

morehouse: This is unused.
// Returns the size of the allocation at Ptr.
std::size_t getSize(const void *Ptr) const;
morehouseUnsubmitted
Done
ReplyInline Actions

Can these be static?

morehouse: Can these be static?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

They may access GPA::Printf on failure. Would you prefer them to be static w/ passing Printf as an argument?

hctim: They may access `GPA::Printf` on failure. Would you prefer them to be static w/ passing…
// Returns the largest allocation that is supported by this pool. Any
eugenisUnsubmitted
Done
ReplyInline Actions

Why are these functions in the public interface?

eugenis: Why are these functions in the public interface?
// allocations larger than this should go to the regular system allocator.
std::size_t maximumAllocationSize() const;
// Dumps an error report (including allocation and deallocation stack traces)
// and exits the program. An optional error may be provided if the caller
eugenisUnsubmitted
Done
ReplyInline Actions

why protected and not private?

eugenis: why protected and not private?
// knows what the error is ahead of time. This is primarily a helper function
morehouseUnsubmitted
Done
ReplyInline Actions

static?

morehouse: static?
// to locate the static singleton pointer and call the internal version of
// this function. This helps solve the static initialisation order problem.
NORETURN static void reportErrorAndDie(uintptr_t AccessPtr,
Error Error = Error::UNKNOWN);
private:
// These functions anonymously map memory or change the permissions of mapped
// memory into this process in a platform- specific way. Pointer and size
// arguments are expected to be page-aligned. These functions will never
// return on error, instead electing to kill the calling process on failure.
// Note that memory is initially mapped inaccessible. In order for RW
// mappings, call mapMemory() followed by markReadWrite() on the returned
// pointer.
void *mapMemory(std::size_t Size) const;
void markReadWrite(void *Ptr, std::size_t Size) const;
void markInaccessible(void *Ptr, std::size_t Size) const;
// Get the current thread ID, or UINT64_MAX if failure. Note: This
// implementation is platform-specific.
static uint64_t getThreadID();
morehouseUnsubmitted
Done
ReplyInline Actions

s/a pointer to/the address of

Technically we're not returning a pointer.

morehouse: s/a pointer to/the address of Technically we're not returning a pointer.
// Get the page size from the platform-specific implementation. Only needs to
// be called once, and the result should be cached in PageSize in this class.
static std::size_t getPlatformPageSize();
// Install the SIGSEGV crash handler for printing use-after-free and heap-
// buffer-{under|over}flow exceptions. This is platform specific as even
// though POSIX and Windows both support registering handlers through
// signal(), we have to use platform-specific signal handlers to obtain the
// address that caused the SIGSEGV exception.
static void installSignalHandlers();
morehouseUnsubmitted
Done
ReplyInline Actions

s/the the/to the

morehouse: s/the the/to the
// Returns the index of the slot that this pointer resides in. If the pointer
// is not owned by this pool, the result is undefined.
std::size_t addrToSlot(uintptr_t Ptr) const;
// Returns the address of to the N-th guarded slot.
uintptr_t slotToAddr(std::size_t N) const;
// Returns a pointer to the metadata for the owned pointer. If the pointer is
// not owned by this pool, the result is undefined.
morehouseUnsubmitted
Done
ReplyInline Actions

ssize_t reserveSlot() seems cleaner to me. Also the function comment could be reworded clearer.

morehouse: `ssize_t reserveSlot()` seems cleaner to me. Also the function comment could be reworded…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I think this is because it's modeled on my implementation since with my design I reserve slots/metadata indices separately.

vlad.tsyrklevich: I think this is because it's modeled on my implementation since with my design I reserve…
morehouseUnsubmitted
Done
ReplyInline Actions

With ssize_t return value, we can still detect failure (-1) while not having to pass a return param. What's the benefit of the current setup?

morehouse: With `ssize_t` return value, we can still detect failure (-1) while not having to pass a return…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

For future expansion, we will want to populate a slot index and a separate metadata index. I've reworded up the comment but left the implementation as-is for now. WDYT?

hctim: For future expansion, we will want to populate a slot index and a separate metadata index. I've…
morehouseUnsubmitted
Done
ReplyInline Actions

I'd prefer simpler for now, with refactoring later. It could be a while until "future expansion", so let's keep the code simple in the meantime.

morehouse: I'd prefer simpler for now, with refactoring later. It could be a while until "future…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Gotcha. ssize_t is POSIX-only (see Windows docs) so I've made it return kInvalidSlotID instead.

hctim: Gotcha. `ssize_t` is POSIX-only (see [[ https://docs.microsoft.com/en-us/cpp/c-runtime…
AllocationMetadata *addrToMetadata(uintptr_t Ptr) const;
// Returns the address of the page that this pointer resides in.
uintptr_t getPageAddr(uintptr_t Ptr) const;
// Gets the nearest slot to the provided address.
std::size_t getNearestSlot(uintptr_t Ptr) const;
// Returns whether the provided pointer is a guard page or not. The pointer
morehouseUnsubmitted
Done
ReplyInline Actions

Confusing interface and comment. How about uintptr_t AlignAllocation(size_t SlotIdx, size_t Size)?

morehouse: Confusing interface and comment. How about `uintptr_t AlignAllocation(size_t SlotIdx, size_t…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I had a good think about the best way to do this adjustment. Does the rework LGTY?

hctim: I had a good think about the best way to do this adjustment. Does the rework LGTY?
morehouseUnsubmitted
Done
ReplyInline Actions

Looks better.

morehouse: Looks better.
// must be within memory owned by this pool, else the result is undefined.
bool isGuardPage(uintptr_t Ptr) const;
// Reserve a slot for a new guarded allocation, and place the slot number into
// *SlotIndex. Returns false if there are no remaining slots, true otherwise.
bool reserveSlot(std::size_t *SlotIndex);
morehouseUnsubmitted
Done
ReplyInline Actions

There's only one mutex, so maybe just do the try-lock inline.

morehouse: There's only one mutex, so maybe just do the try-lock inline.
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you avoid output arg by:
std::size_t reserveSlot();

vitalybuka: can you avoid output arg by: std::size_t reserveSlot();
hctimAuthorUnsubmitted
Done
ReplyInline Actions

See https://reviews.llvm.org/D60593#inline-542081

hctim: See https://reviews.llvm.org/D60593#inline-542081
// Unreserve the guarded slot.
void freeSlot(std::size_t SlotIndex);
// Returns the offset (in bytes) between the start of a guarded slot and where
// the start of the allocation should take place. Determined using the size of
morehouseUnsubmitted
Done
ReplyInline Actions

The name diagnoseUnknownError suggests that the error type is being returned. I'd suggest a signature like this:

GwpAsanError diagnoseError(uintptr_t AccessPtr, AllocationMetadata *ErrorMetadata)
morehouse: The name `diagnoseUnknownError` suggests that the error type is being returned. I'd suggest a…
// the allocation and the options provided at init-time.
uintptr_t allocationSlotOffset(std::size_t AllocationSize);
// Returns the diagnosis for an unknown error. If the diagnosis is not
// Error::INVALID_FREE or Error::UNKNOWN, the metadata for the slot
// responsible for the error is placed in *Meta.
morehouseUnsubmitted
Done
ReplyInline Actions

Unnecessary private.

morehouse: Unnecessary private.
Error diagnoseUnknownError(uintptr_t AccessPtr, AllocationMetadata **Meta);
eugenisUnsubmitted
Done
ReplyInline Actions

What's the distinction between slots and pages (as in FreePages below)?

eugenis: What's the distinction between slots and pages (as in FreePages below)?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

A slot can be multiple-pages in this implementation - but yes some the member names were vestigal to the previous implementation. Have updated this.

hctim: A slot can be multiple-pages in this implementation - but yes some the member names were…
NORETURN void reportErrorAndDieInternal(uintptr_t AccessPtr, Error Error);
// Cached page size for this system in bytes.
std::size_t PageSize = 0;
// A mutex to protect the guarded slot and metadata pool for this class.
Mutex PoolMutex;
// The number of guarded slots that this pool holds.
std::size_t NumGuardedSlots = 0;
// Record the number allocations that we've sampled. We store this amount so
// that we don't randomly choose to recycle a slot that previously had an
// allocation before all the slots have been utilised.
morehouseUnsubmitted
Done
ReplyInline Actions

nit: s/potentially//

morehouse: nit: s/potentially//
std::size_t NumSampledAllocations = 0;
// Pointer to the pool of guarded slots. Note that this points to the start of
// the pool (which is a guard page), not a pointer to the first guarded page.
uintptr_t GuardedPagePool = UINTPTR_MAX;
uintptr_t GuardedPagePoolEnd = 0;
// Pointer to the allocation metadata (allocation/deallocation stack traces),
// if any.
AllocationMetadata *Metadata = nullptr;
// Pointer to an array of free slot indexes.
std::size_t *FreeSlots = nullptr;
// The current length of the list of free slots.
std::size_t FreeSlotsLength = 0;
// See options.{h, inc} for more information.
bool PerfectlyRightAlign = false;
// Printf function supplied by the implementing allocator. We can't (in
// general) use printf() from the cstdlib as it may malloc(), causing infinite
// recursion.
options::Printf_t Printf = nullptr;
// The adjusted sample rate for allocation sampling. Default *must* be
// nonzero, as dynamic initialisation may call malloc (e.g. from libstdc++)
// before GPA::init() is called. This would cause an error in shouldSample(),
// where we would calculate modulo zero. This value is set UINT64_MAX, as when
// GWP-ASan is disabled, we wish to never spend wasted cycles recalculating
// the sample rate.
ALIGNED(8) uint64_t AdjustedSampleRate = UINT64_MAX;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: recalculating

vlad.tsyrklevich: nit: recalculating
// Thread-local decrementing counter that indicates that a given allocation
morehouseUnsubmitted
Done
ReplyInline Actions

Why not UINT64_MAX?

morehouse: Why not `UINT64_MAX`?
// should be sampled when it reaches zero.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

ALIGNED(8) seems unnecessary for a uint64_t?

vlad.tsyrklevich: ALIGNED(8) seems unnecessary for a uint64_t?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

On 32-bit platforms, 64-bit values aren't guaranteed to have 8 byte alignment (strangely enough).

hctim: On 32-bit platforms, 64-bit values aren't guaranteed to have 8 byte alignment (strangely…
static TLS_INITIAL_EXEC uint64_t NextSampleCounter;
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: static is unnecessary.

morehouse: Nit: static is unnecessary.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

AFAICT it is required:

<snip>/llvm/compiler-rt/lib/scudo/../gwp_asan/guarded_pool_allocator.h:237:3: error: 'thread_local' is only allowed on variable declarations
  TLS_INITIAL_EXEC uint64_t NextSampleCounter;
hctim: AFAICT it is required: ``` <snip>/llvm/compiler-rt/lib/scudo/../gwp_asan/guarded_pool_allocator.
vitalybukaUnsubmitted
Done
ReplyInline Actions

"static private:" are not very useful
you can hide them into unnamed namespace of cpp file

vitalybuka: "static private:" are not very useful you can hide them into unnamed namespace of cpp file
hctimAuthorUnsubmitted
Done
ReplyInline Actions

NextSampleCounter are referenced in shouldSample(), which is implemented in the header for inlining reasons.
SingletonPtr has been moved.

hctim: `NextSampleCounter` are referenced in `shouldSample()`, which is implemented in the header for…
// Pointer to the singleton version of this class. Automatically assigned
// during initialisation, this allows the signal handler to find this class
// in order to deduce the root cause of failures.
static GuardedPoolAllocator *SingletonPtr;
};
static_assert(std::is_trivially_destructible<GuardedPoolAllocator>::value,
"GuardedPoolAllocator must be trivially destructible.");
} // namespace gwp_asan
morehouseUnsubmitted
Done
ReplyInline Actions

Unnecessary semicolon.

morehouse: Unnecessary semicolon.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: unnecessary semi-colon

vlad.tsyrklevich: nit: unnecessary semi-colon
#endif // GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_

compiler-rt/lib/gwp_asan/guarded_pool_allocator.cpp

  • This file was added.
//===-- guarded_pool_allocator.cpp ------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "gwp_asan/guarded_pool_allocator.h"
#include "gwp_asan/options.h"
#include <cassert>
#include <cstdlib>
#include <cstring>
#include <ctime>
#include <new>
using AllocationMetadata = gwp_asan::GuardedPoolAllocator::AllocationMetadata;
using Error = gwp_asan::GuardedPoolAllocator::Error;
namespace gwp_asan {
void GuardedPoolAllocator::init(const options::Options &Opts) {
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Move below the Opts.Enabled check? Not sure if we need this if GWP-ASan isn't enabled.

vlad.tsyrklevich: Move below the Opts.Enabled check? Not sure if we need this if GWP-ASan isn't enabled.
// Note: We return from the constructor here if GWP-ASan is not available.
morehouseUnsubmitted
Done
ReplyInline Actions

This is going to cause racy use-after-dtors on thread exit.

We need a trivial dtor if we want a global GuardedPoolAllocator, or we need to avoid destruction.

morehouse: This is going to cause racy use-after-dtors on thread exit. We need a trivial dtor if we want…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Have removed the nontrivial d'tor and explained that the class leaks if destructed during the lifetime of a program.

hctim: Have removed the nontrivial d'tor and explained that the class leaks if destructed during the…
morehouseUnsubmitted
Done
ReplyInline Actions

I think we still need a static_assert to make sure the destructor is actually trivial. It would be pretty easy for someone to introduce a new member that precludes trivial dtor.

Or you need to tell the user to never construct as a global and have a code sample showing how to construct with placement new.

morehouse: I think we still need a `static_assert` to make sure the destructor is actually trivial. It…
morehouseUnsubmitted
Done
ReplyInline Actions

We should crash with an error if SingletonPtr is already set.

morehouse: We should crash with an error if SingletonPtr is already set.
// This will stop heap-allocation of class members, as well as mmap() of the
// guarded slots.
if (!Opts.Enabled || Opts.SampleRate == 0)
return;
// TODO(hctim): Add a death unit test for this.
if (SingletonPtr) {
(*SingletonPtr->Printf)(
"GWP-ASan Error: init() has already been called.\n");
exit(EXIT_FAILURE);
}
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Any reason to do this here and not until just before IsInitialised is set? If we're very unlucky and hit an exception on the next instruction the signal handler will fault on calling Printf, perhaps other such conditions will be introduced in the future as well.

vlad.tsyrklevich: Any reason to do this here and not until just before IsInitialised is set? If we're very…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Nope, have moved it.

hctim: Nope, have moved it.
SingletonPtr = this;
NumGuardedSlots = Opts.NumUsableGuardedSlots;
PageSize = getPlatformPageSize();
PerfectlyRightAlign = Opts.PerfectlyRightAlign;
Printf = Opts.Printf;
morehouseUnsubmitted
Done
ReplyInline Actions

This rounding is unnecessary unless we're actually using the extra memory. (Below as well)

morehouse: This rounding is unnecessary unless we're actually using the extra memory. (Below as well)
std::size_t PoolBytesRequired = PageSize * (1 + NumGuardedSlots) +
NumGuardedSlots * maximumAllocationSize();
void *GuardedPoolMemory = mapMemory(PoolBytesRequired);
// Round up memory mappings to the nearest page size.
std::size_t BytesRequired = NumGuardedSlots * sizeof(AllocationMetadata);
Metadata = reinterpret_cast<AllocationMetadata *>(mapMemory(BytesRequired));
vitalybukaUnsubmitted
Done
ReplyInline Actions

sizeof(*Metadata)

vitalybuka: sizeof(*Metadata)
markReadWrite(Metadata, BytesRequired);
cryptoadUnsubmitted
Done
ReplyInline Actions

GuardedPoolAllocator::init is called within the constructor of Allocator for Scudo, so malloc here doesn't sound like it would work?
Any heap related function should probably be avoided.

cryptoad: `GuardedPoolAllocator::init` is called within the constructor of `Allocator` for Scudo, so…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

So there's a neat little trick we're using here. SampleRate is initialised intentionally at the end of init(), so that any call to shouldSample() returns false. This means that the malloc() calls do not fall into the guarded pool before the GuardedPoolAllocator is completely initialised. This trick also allows us to have GWP-ASan disabled at runtime without creating the allocation pool (and thus reducing static memory overhead).

hctim: So there's a neat little trick we're using here. `SampleRate` is initialised intentionally at…
eugenisUnsubmitted
Done
ReplyInline Actions

Could full initialization be done lazily at the first sampled malloc?
At least, we should not allocate metadata array if the process is going to have sample rate of 0.

eugenis: Could full initialization be done lazily at the first sampled malloc? At least, we should not…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

We don't allocate if it's disabled (see the early return in init() on line 40. What benefits do we get from lazy-init?

hctim: We don't allocate if it's disabled (see the early return in `init()` on line 40. What benefits…
eugenisUnsubmitted
Done
ReplyInline Actions

lazy-init lets us use malloc.

user malloc -> gwp-asan-sample -> gwp-asan-malloc -> gwp-asan-init -> malloc -> (sampling disabled for recursive mallocs) -> scudo-malloc -> (possibly) scudo-init

eugenis: lazy-init lets us use malloc. user malloc -> gwp-asan-sample -> gwp-asan-malloc -> gwp-asan…
// Allocate memory and set up the free pages queue.
BytesRequired = NumGuardedSlots * sizeof(std::size_t);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Is std::size_t a scudo thing? Otherwise I'd just replace with just size_t?

vlad.tsyrklevich: Is std::size_t a scudo thing? Otherwise I'd just replace with just size_t?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

AFAIK, the official stddef for size_t in C++ is std::size_t. At the least, /s/std::size_t/size_t in guarded_pool_allocator.h will error when trying to find size_t.

hctim: AFAIK, the official stddef for size_t in C++ is `std::size_t`. At the least, `/s/std…
FreeSlots = reinterpret_cast<std::size_t *>(mapMemory(BytesRequired));
vitalybukaUnsubmitted
Done
ReplyInline Actions

sizeof(*FreeSlots)
this is not Google style, but advice is still relevant https://google.github.io/styleguide/cppguide.html#sizeof

vitalybuka: sizeof(*FreeSlots) this is not Google style, but advice is still relevant https://google.github.
markReadWrite(FreeSlots, BytesRequired);
// Multiply the sample rate by 2 to give a good, fast approximation for (1 /
// SampleRate) chance of sampling.
if (Opts.SampleRate != 1)
__atomic_store_n(&AdjustedSampleRate, Opts.SampleRate * 2,
morehouseUnsubmitted
Done
ReplyInline Actions

What if Opts.SampleRate == 0?

morehouse: What if `Opts.SampleRate == 0`?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Shouldn't be allowed - the default flag parser has the check:

if (o->Enabled && o->SampleRate < 1) {
    __sanitizer::Printf("GWP-ASan ERROR: SampleRate must be >= 1 when "
                        "GWP-ASan is enabled.\n");
    exit(EXIT_FAILURE);
  }

... but allocators can implement their own flag parser. I've added an explicit check in init() to consider SampleRate == 0 as being the same as Enabled == false.

hctim: Shouldn't be allowed - the default flag parser has the check: ``` if (o->Enabled && o…
__ATOMIC_RELAXED);
else
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: I'd move to just before the IsInitialised store (we do use GuardedPagePool in the signal handler though it's not likely to cause an error as it is now.)

vlad.tsyrklevich: nit: I'd move to just before the IsInitialised store (we do use GuardedPagePool in the signal…
__atomic_store_n(&AdjustedSampleRate, 1, __ATOMIC_RELAXED);
GuardedPagePool = reinterpret_cast<uintptr_t>(GuardedPoolMemory);
GuardedPagePoolEnd =
reinterpret_cast<uintptr_t>(GuardedPoolMemory) + PoolBytesRequired;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Is this true? It shouldn't be based on my reading of the sampling logic. I don't think this needs to be set here nor should it be as it's only for this current thread. I'm particularly careful abut this as we really want to avoid always sampling the first allocation on a given thread. I had this bug originally in Chrome thinking it didn't matter but it turns out the first allocation would be for something that had thread-lifetime and it led to very quick allocator depletion!

vlad.tsyrklevich: Is this true? It shouldn't be based on my reading of the sampling logic. I don't think this…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep - thanks!

hctim: Yep - thanks!
// Ensure that signal handlers are installed as late as possible, as the class
// is not thread-safe until init() is finished, and thus a SIGSEGV may cause a
// race to members if recieved during init().
if (Opts.InstallSignalHandlers)
installSignalHandlers();
}
morehouseUnsubmitted
Done
ReplyInline Actions

I think we need to hold PoolMutex during init. Otherwise we have no guarantees that everything else is initialized once IsInitialized = true (instructions may be executed out-of-order).

morehouse: I think we need to hold `PoolMutex` during `init`. Otherwise we have no guarantees that…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Fixed by thread-hostile requirements described above.

hctim: Fixed by thread-hostile requirements described above.
void *GuardedPoolAllocator::allocate(std::size_t Size) {
if (Size == 0 || Size > maximumAllocationSize())
return nullptr;
ScopedLock L(&PoolMutex);
size_t Index;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Wait, why do we subtract 1 here and then always add 1 later?

vlad.tsyrklevich: Wait, why do we subtract 1 here and then always add 1 later?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

NextSampleCounter in shouldSample() calculates PRNG % (SampleRate + 1) as SampleRate == 0 on thread-init, and would cause an arithmetic error if malloc() is called befire init() completes. If we can enfore that the allocator doesn't call malloc() before init() finishes, then we can remove this.

hctim: `NextSampleCounter` in `shouldSample()` calculates `PRNG % (SampleRate + 1)` as `SampleRate ==…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Removed as init() no longer calls malloc().

hctim: Removed as `init()` no longer calls `malloc()`.
if (reserveSlot(&Index) == false)
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

RequestedSize seems vestigial, the returned value of Size is no longer used so it could be removed and RequestedSize replaced with Size.

vlad.tsyrklevich: RequestedSize seems vestigial, the returned value of Size is no longer used so it could be…
return nullptr;
vitalybukaUnsubmitted
Done
ReplyInline Actions

...== false) -> if (!...

vitalybuka: ...== false) -> if (!...
uintptr_t Ptr = slotToAddr(Index);
Ptr += allocationSlotOffset(Size);
AllocationMetadata *Meta = addrToMetadata(Ptr);
morehouseUnsubmitted
Done
ReplyInline Actions

Suppose Size <= PageSize < maximumAllocationSize(). In this case, we can mprotect a single page rather than the whole slot to improve bug-detection.

morehouse: Suppose `Size <= PageSize < maximumAllocationSize()`. In this case, we can `mprotect` a single…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

That's an awesome catch! Thanks!

hctim: That's an awesome catch! Thanks!
// If a slot is multiple pages in size, and the allocation takes up a single
// page, we can improve overflow detection by leaving the unused pages as
// unmapped.
markReadWrite(reinterpret_cast<void *>(getPageAddr(Ptr)), Size);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: we can move this up above the Meta->Size store now.

vlad.tsyrklevich: nit: we can move this up above the Meta->Size store now.
Meta->Size = Size;
Meta->Addr = Ptr;
Meta->IsDeallocated = false;
vitalybukaUnsubmitted
Done
ReplyInline Actions

Meta->Init(Size, Ptr, .....)

vitalybuka: Meta->Init(Size, Ptr, .....)
Meta->AllocationTrace.ThreadID = getThreadID();
Meta->DeallocationTrace.ThreadID = UINT64_MAX;
// TODO(hctim): Implement stack trace collection.
Meta->AllocationTrace.Trace[0] = 0;
morehouseUnsubmitted
Done
ReplyInline Actions

lu is unnecessary.

morehouse: `lu` is unnecessary.
Meta->DeallocationTrace.Trace[0] = 0;
return reinterpret_cast<void *>(Ptr);
}
void GuardedPoolAllocator::deallocate(void *Ptr) {
assert(pointerIsMine(Ptr) && "Pointer is not mine!");
uintptr_t UPtr = reinterpret_cast<uintptr_t>(Ptr);
uintptr_t SlotStart = slotToAddr(addrToSlot(UPtr));
AllocationMetadata *Meta = addrToMetadata(UPtr);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

getPageAddr()

vlad.tsyrklevich: getPageAddr()
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Not equal if sizeof(Slot) != sizeof(Page). Happy to introduce a helper fn for this if you want, but it's used in a single place.

hctim: Not equal if `sizeof(Slot) != sizeof(Page)`. Happy to introduce a helper fn for this if you…
if (Meta->Addr != UPtr)
reportErrorAndDie(UPtr, Error::INVALID_FREE);
ScopedLock L(&PoolMutex);
if (Meta->IsDeallocated)
reportErrorAndDie(UPtr, Error::DOUBLE_FREE);
Meta->IsDeallocated = true;
Meta->DeallocationTrace.ThreadID = getThreadID();
vitalybukaUnsubmitted
Done
ReplyInline Actions

can you move all metadata manipulation logic into AllocationMetadata:: methods?

vitalybuka: can you move all metadata manipulation logic into AllocationMetadata:: methods?
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Call freeSlot after markInaccessible, otherwise you introduce a very unlikely race where the slot is freed, then another threads takes it and marks the page RW before it's marked RO below.

vlad.tsyrklevich: Call freeSlot after markInaccessible, otherwise you introduce a very unlikely race where the…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Nice catch, thanks!

hctim: Nice catch, thanks!
markInaccessible(reinterpret_cast<void *>(SlotStart),
maximumAllocationSize());
freeSlot(addrToSlot(UPtr));
}
std::size_t GuardedPoolAllocator::getSize(const void *Ptr) const {
assert(pointerIsMine(Ptr));
AllocationMetadata *Meta = addrToMetadata(reinterpret_cast<uintptr_t>(Ptr));
assert(Meta->Addr == reinterpret_cast<uintptr_t>(Ptr));
return Meta->Size;
}
std::size_t GuardedPoolAllocator::maximumAllocationSize() const {
return PageSize;
}
AllocationMetadata *GuardedPoolAllocator::addrToMetadata(uintptr_t Ptr) const {
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: I think return &Metadata[addrToSlot(Ptr)] is a little clearer.

morehouse: Nit: I think `return &Metadata[addrToSlot(Ptr)]` is a little clearer.
assert(pointerIsMine(reinterpret_cast<void *>(Ptr)));
return &Metadata[addrToSlot(Ptr)];
}
std::size_t GuardedPoolAllocator::addrToSlot(uintptr_t Ptr) const {
std::size_t ByteOffsetFromPoolStart = Ptr - GuardedPagePool;
return ByteOffsetFromPoolStart / (maximumAllocationSize() + PageSize);
}
uintptr_t GuardedPoolAllocator::slotToAddr(std::size_t N) const {
return GuardedPagePool + (PageSize * (1 + N)) + (maximumAllocationSize() * N);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Given that there is no page/metadata index distinction right now I'd make this just one parameter.

vlad.tsyrklevich: Given that there is no page/metadata index distinction right now I'd make this just one…
}
morehouseUnsubmitted
Done
ReplyInline Actions

This rounds down to page size, not slot size. So we will have unintended behavior when AllocSize < PageSize < SlotSize and the alloc is right-aligned.

morehouse: This rounds down to page size, not slot size. So we will have unintended behavior when…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep, this is intended, but one of the deallocate() was using this incorrectly (where they wanted slot address instead of page address). I've updated the callee.

hctim: Yep, this is intended, but one of the `deallocate()` was using this incorrectly (where they…
uintptr_t GuardedPoolAllocator::getPageAddr(uintptr_t Ptr) const {
return Ptr & ~(static_cast<uintptr_t>(PageSize) - 1);
}
morehouseUnsubmitted
Done
ReplyInline Actions

Only works if PageSize == SlotSize.

morehouse: Only works if `PageSize == SlotSize`.
bool GuardedPoolAllocator::isGuardPage(uintptr_t Ptr) const {
std::size_t PageOffsetFromPoolStart = (Ptr - GuardedPagePool) / PageSize;
std::size_t PagesPerSlot = maximumAllocationSize() / PageSize;
return (PageOffsetFromPoolStart % (PagesPerSlot + 1)) == 0;
}
bool GuardedPoolAllocator::reserveSlot(std::size_t *SlotIndex) {
// Avoid potential reuse of a slot before we have made at least a single
// allocation in each slot. Helps with our use-after-free detection.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This algorithm doesn't work, imagine NumGuardedSlots=4. Then you first start off with 0 1 2 3 + (The plus donates FreeSlotsLength.) Then after an allocation you have 3 1 2 + 3, after another allocation you have 3 2 + 2 3. Now your ReservedIndex reads past the end of FreeSlotsLength which is wrong. If you free the first pointer you get 3 2 0 + 3. Another allocation 3 2 + 0 3, then 3 + 2 0 2. Now you've hit NumUsedSlots == NumGuardedSlots and you'll allocate slot 3 (again.)

This highlights the importance of tests like AllocDeallocAllPages, ThreadedAllocCount, and ThreadedHighContention in https://github.com/chromium/chromium/blob/master/components/gwp_asan/client/guarded_page_allocator_unittest.cc

We need to add tests ensuring that in both single- and multi-threaded contexts we are never returning slots twice.

vlad.tsyrklevich: This algorithm doesn't work, imagine NumGuardedSlots=4. Then you first start off with 0 1 2 3 +…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Furthermore, this also had an issue where (if it worked correctly in the first place), it lead to more deterministic left/right alignment, as the alignment choice was made based on the slot number.

I've fixed this and will add some more tests before submitting. Leaving this comment open to remind me to do this at a later date, but focus right now is getting this out for another round of comments.

hctim: Furthermore, this also had an issue where (if it worked correctly in the first place), it lead…
if (NumSampledAllocations < NumGuardedSlots) {
*SlotIndex = NumSampledAllocations++;
return true;
}
if (FreeSlotsLength == 0)
return false;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This should really be blank (e.g. if Size==1 there's no reason to make off-by-ones not crash.)

vlad.tsyrklevich: This should really be blank (e.g. if Size==1 there's no reason to make off-by-ones not crash.)
std::size_t ReservedIndex = Random::getRandomUnsigned64() % FreeSlotsLength;
*SlotIndex = FreeSlots[ReservedIndex];
morehouseUnsubmitted
Done
ReplyInline Actions

Why do we need so many options? In general I think we need to enforce some minimal alignment, probably alignof(std::max_align_t). For smaller allocs than that, we might be able to do smaller alignments. So maybe keep POWER_OF_TWO case and remove all other options.

morehouse: Why do we need so many options? In general I think we need to enforce some minimal alignment…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Removed a whole bunch of logic here.

hctim: Removed a whole bunch of logic here.
FreeSlots[ReservedIndex] = FreeSlots[--FreeSlotsLength];
return true;
}
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

In Chrome we left- or right-align based on whether the (randomly chosen) slot is even/odd, that means an allocation will test for both under- and over-flows across different runs. However in this case we always left-/right-align based on the size which means a given type will only ever be tested one way (and I'd expect we have a lot more even allocations than odd allocations.)

vlad.tsyrklevich: In Chrome we left- or right-align based on whether the (randomly chosen) slot is even/odd, that…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Gotcha. In this case, we need a runtime option (like the previous AlignmentStrategy) to guarantee left && right alignment for testing, as we don't want flaky tests.

How would you prefer to go about this? Two runtime options, NoRandomAlignment and AlignRight?

hctim: Gotcha. In this case, we need a runtime option (like the previous `AlignmentStrategy`) to…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Why not just have the tests either 1) Use full-page allocations so that we know exactly where the bounds are or 2) a helper routine to get a left-/right-aligned allocation? Those are the two things I end up using in Chrome and they've been sufficient.

vlad.tsyrklevich: Why not just have the tests either 1) Use full-page allocations so that we know exactly where…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

FYI - I have adjusted this to be purely PRNG based as if NumGuardedSlots is odd, it will give us a higher probability of left-alignment. If NumGuardedSlots == 1, we want to still do random left/right alignment.

hctim: FYI - I have adjusted this to be purely PRNG based as if `NumGuardedSlots` is odd, it will give…
morehouseUnsubmitted
Done
ReplyInline Actions

I expect it doesn't matter in practice. GWP-ASan is already probabilistic, so who cares if we're x% more likely to detect underflow than overflow. You could even invert things so we get more right-aligned allocations since overflow is more common than underflow.

morehouse: I expect it doesn't matter in practice. GWP-ASan is already probabilistic, so who cares if…
hctimAuthorUnsubmitted
Not Done
ReplyInline Actions

I think the major reason for me is that it may be a use case to have a guarded pool with only a single slot for short-lived processes on memory-constrained devices. We're planning on process sampling as well for Android, and it may be useful to service short-lived processes with a single allocation instead of disabling it completely.

hctim: I think the major reason for me is that it may be a use case to have a guarded pool with only a…
void GuardedPoolAllocator::freeSlot(std::size_t SlotIndex) {
assert(FreeSlotsLength < NumGuardedSlots);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Size isn't read again by the caller so I'd change it to pass-by-value.

vlad.tsyrklevich: Size isn't read again by the caller so I'd change it to pass-by-value.
FreeSlots[FreeSlotsLength++] = SlotIndex;
}
uintptr_t GuardedPoolAllocator::allocationSlotOffset(std::size_t Size) {
assert(Size > 0);
bool ShouldRightAlign = Random::getRandomUnsigned64() % 2 == 0;
if (!ShouldRightAlign)
return 0;
uintptr_t Offset = maximumAllocationSize();
if (!PerfectlyRightAlign) {
morehouseUnsubmitted
Done
ReplyInline Actions

This logic would be clearer if we use % 16 instead of & 15.

morehouse: This logic would be clearer if we use `% 16` instead of `& 15`.
if (Size == 3)
Size = 4;
else if (Size > 4 && Size <= 8)
Size = 8;
else if (Size > 8 && (Size % 16) != 0)
Size += 16 - (Size % 16);
}
Offset -= Size;
return Offset;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

You can simplify this to just + PageSize if you wanted.

vlad.tsyrklevich: You can simplify this to just + PageSize if you wanted.
}
morehouseUnsubmitted
Done
ReplyInline Actions

We should have an error message so the user knows what happened.

morehouse: We should have an error message so the user knows what happened.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

At this point, we don't have access to a printf() library.

Also, I'm not sure whether this is actually reachable. SingletonPtr is always initialised in this TU before the signal handlers are installed. Have changed this to an assert.

hctim: At this point, we don't have access to a `printf()` library. Also, I'm not sure whether this…
morehouseUnsubmitted
Done
ReplyInline Actions

Ok, but the assert isn't enough. In release builds we could still null-deref.

morehouse: Ok, but the assert isn't enough. In release builds we could still null-deref.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Ditto the simplification and this should be - PageSize

vlad.tsyrklevich: Ditto the simplification and this should be - PageSize
NORETURN void GuardedPoolAllocator::reportErrorAndDie(uintptr_t AccessPtr,
Error Error) {
assert(SingletonPtr != nullptr);
SingletonPtr->reportErrorAndDieInternal(AccessPtr, Error);
}
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: else is unnecessary.

morehouse: Nit: else is unnecessary.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I believe it's required for the case when the OOB access happens in the second half of the last guard page.

vlad.tsyrklevich: I believe it's required for the case when the OOB access happens in the second half of the last…
morehouseUnsubmitted
Done
ReplyInline Actions

Right, the if seems necessary. What I meant was:

if (X) return;
else if(Y) doSomething();

is always equivalent to

if (X) return;
if (Y) doSomething();
morehouse: Right, the `if` seems necessary. What I meant was: ``` if (X) return; else if(Y) doSomething…
std::size_t GuardedPoolAllocator::getNearestSlot(uintptr_t Ptr) const {
if (Ptr <= GuardedPagePool + PageSize)
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This logic won't work for the first half of the very first guard page or the second half of the last guard page, they need to be special cased (this can be rolled into the GuardedPagePool/GuardedPagePoolEnd checks at the top.)

vlad.tsyrklevich: This logic won't work for the first half of the very first guard page or the second half of…
return 0;
if (Ptr > GuardedPagePoolEnd - PageSize)
return NumGuardedSlots - 1;
if (!isGuardPage(Ptr))
return addrToSlot(Ptr);
if (Ptr % PageSize <= PageSize / 2)
return addrToSlot(Ptr - PageSize); // Round down.
return addrToSlot(Ptr + PageSize); // Round up.
}
Error GuardedPoolAllocator::diagnoseUnknownError(uintptr_t AccessPtr,
AllocationMetadata **Meta) {
// Let's try and figure out what the source of this error is.
if (isGuardPage(AccessPtr)) {
std::size_t Slot = getNearestSlot(AccessPtr);
AllocationMetadata *SlotMeta = addrToMetadata(slotToAddr(Slot));
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

It should be an invalid free() if it actually crashed on free(). It doesn't seem possible to ever hit this routine for an INVALID_FREE since INVALID_FREE is always reported directly with an error type.

vlad.tsyrklevich: It should be an invalid free() if it actually crashed on free(). It doesn't seem possible to…
// Ensure that this slot was allocated once upon a time.
if (!SlotMeta->Addr)
return Error::UNKNOWN;
morehouseUnsubmitted
Done
ReplyInline Actions

Simpler: if (Meta->Addr < AccessPtr)

morehouse: Simpler: `if (Meta->Addr < AccessPtr)`
*Meta = SlotMeta;
if (SlotMeta->Addr < AccessPtr)
return Error::BUFFER_OVERFLOW;
else
return Error::BUFFER_UNDERFLOW;
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: else is unnecessary

morehouse: Nit: else is unnecessary
}
morehouseUnsubmitted
Done
ReplyInline Actions

What do we gain from so many "strategies"? Why not have even-left and odd-right and be done?

morehouse: What do we gain from so many "strategies"? Why not have even-left and odd-right and be done?
// Access wasn't a guard page, check for use-after-free.
AllocationMetadata *SlotMeta = addrToMetadata(AccessPtr);
if (SlotMeta->IsDeallocated) {
*Meta = SlotMeta;
return Error::USE_AFTER_FREE;
}
// If we have reached here, the error is still unknown. There is no metadata
// available.
return Error::UNKNOWN;
}
void printErrorTypeAndMaybeDie(Error Error, uintptr_t AccessPtr,
AllocationMetadata *Meta,
options::Printf_t Printf) {
switch (Error) {
case Error::UNKNOWN:
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: I think Printf(...) suffices.

morehouse: Nit: I think `Printf(...)` suffices.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I didn't know this, thanks!

hctim: I didn't know this, thanks!
Printf("GWP-ASan couldn't automatically determine the source of the "
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: else is unnecessary

morehouse: Nit: else is unnecessary
"memory error when accessing 0x%zx. It was likely caused by a wild "
"memory access into the GWP-ASan pool.\n",
AccessPtr);
exit(EXIT_FAILURE);
morehouseUnsubmitted
Done
ReplyInline Actions

This function is way too long.

morehouse: This function is way too long.
morehouseUnsubmitted
Done
ReplyInline Actions

Can we put some logic in helper functions?

morehouse: Can we put some logic in helper functions?
morehouseUnsubmitted
Done
ReplyInline Actions

This error message is verbose. The first two sentences say the same thing, and I don't think we need to mention the possibility of bugs in GWP-ASan.

morehouse: This error message is verbose. The first two sentences say the same thing, and I don't think…
case Error::USE_AFTER_FREE:
morehouseUnsubmitted
Done
ReplyInline Actions

The message might be a little confusing. What happened "when trying to access memory"?

Also, let's combine this with the previous printf.

morehouse: The message might be a little confusing. What happened "when trying to access memory"? Also…
Printf("Use after free occurred when accessing memory at: 0x%zx\n",
AccessPtr);
break;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: occurred here and below.

vlad.tsyrklevich: nit: occurred here and below.
case Error::DOUBLE_FREE:
Printf("Double free occurred when trying to free memory at: 0x%zx\n",
AccessPtr);
break;
case Error::INVALID_FREE:
Printf(
"Invalid (wild) free occurred when trying to free memory at: 0x%zx\n",
AccessPtr);
// It's possible for an invalid free to fall onto a slot that has never been
// allocated. If this is the case, there is no valid metadata.
if (Meta == nullptr)
exit(EXIT_FAILURE);
break;
case Error::BUFFER_OVERFLOW:
Printf("Buffer overflow occurred when accessing memory at: 0x%zx\n",
AccessPtr);
break;
case Error::BUFFER_UNDERFLOW:
Printf("Buffer underflow occurred when accessing memory at: 0x%zx\n",
AccessPtr);
break;
}
Printf("0x%zx is ", AccessPtr);
if (AccessPtr < Meta->Addr)
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Meta won't be nullptr in this case though right? You need to look into the metadata to check that it's never been allocated.

vlad.tsyrklevich: Meta won't be nullptr in this case though right? You need to look into the metadata to check…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Done some refactoring and resolved this.

hctim: Done some refactoring and resolved this.
Printf("located %zu bytes to the left of ", Meta->Addr - AccessPtr);
else if (AccessPtr > Meta->Addr)
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This will print "0 bytes to the right" on UAF at the address of the allocation. Perhaps elide the left/right calculation and just print the info for the allocation.

vlad.tsyrklevich: This will print "0 bytes to the right" on UAF at the address of the allocation. Perhaps elide…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Could this be useful for UaF where there is a nonzero offset? Have elided for zero offsets only, as I figure it's better to keep the information when it may be of use.

hctim: Could this be useful for UaF where there is a nonzero offset? Have elided for zero offsets only…
Printf("located %zu bytes to the right of ", AccessPtr - Meta->Addr);
Printf("a %zu-byte allocation located at 0x%zx\n", Meta->Size, Meta->Addr);
}
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I don't like this logic. If the allocation is size 4095 and left-aligned and overflows by two bytes it will be classified as an underflow to the next page. I'd use the same logic as Matt and I where we decide based on just whether it's left/right of the half way point of the guard page. (Also Left/RightMeta might not even be for valid allocations here.)

vlad.tsyrklevich: I don't like this logic. If the allocation is size 4095 and left-aligned and overflows by two…
void printThreadInformation(Error Error, uintptr_t AccessPtr,
AllocationMetadata *Meta,
options::Printf_t Printf) {
Printf("0x%zx was allocated by thread ", AccessPtr);
if (Meta->AllocationTrace.ThreadID == UINT64_MAX)
Printf("UNKNOWN.\n");
else
Printf("%zu.\n", Meta->AllocationTrace.ThreadID);
if (Error == Error::USE_AFTER_FREE || Error == Error::DOUBLE_FREE) {
Printf("0x%zx was freed by thread ", AccessPtr);
if (Meta->AllocationTrace.ThreadID == UINT64_MAX)
Printf("UNKNOWN.\n");
else
Printf("%zu.\n", Meta->AllocationTrace.ThreadID);
}
}
NORETURN void
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

The rest of this routine assumes Meta is valid but it may not be (e.g. a wild access to a page that's never been allocated yet.)

vlad.tsyrklevich: The rest of this routine assumes Meta is valid but it may not be (e.g. a wild access to a page…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

The invariant here is that the only time when Meta is invalid is with an UNKNOWN error. I've made the switch for UNKNOWN exit instead of fallthrough and added an assert() to clarify this invariant below.

A wild access should set Meta but keep ErrorType == UNKNOWN. Hopefully this helps.

hctim: The invariant here is that the only time when `Meta` is invalid is with an `UNKNOWN` error.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I should have mentioned the code path that got me here. It's possible to hit this with an invalid Meta for INVALID_FREE right now.

vlad.tsyrklevich: I should have mentioned the code path that got me here. It's possible to hit this with an…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Gotcha. I've fixed this up, as we have two different edge cases with INVALID_FREE. If the INVALID_FREE lands on a slot that's been allocated or a guard page, we dump the information. Otherwise, we tell the user about the invalid free and stop processing there to avoid using an invalid meta.

hctim: Gotcha. I've fixed this up, as we have two different edge cases with `INVALID_FREE`. If the…
GuardedPoolAllocator::reportErrorAndDieInternal(uintptr_t AccessPtr,
Error Error) {
if (!pointerIsMine(reinterpret_cast<void *>(AccessPtr))) {
Printf("Segmentation fault\n");
exit(EXIT_FAILURE);
}
// Attempt to prevent races to re-use the same slot that triggered this error.
// This does not guarantee that there are no races, because another thread can
// take the locks during the time that the signal handler is being called.
PoolMutex.tryLock();
Printf("*** GWP-ASan detected a memory error ***\n");
AllocationMetadata *Meta = nullptr;
if (Error == Error::UNKNOWN) {
morehouseUnsubmitted
Done
ReplyInline Actions

Hmm... So any segfault will trigger a GWP-ASan report, even if its very far from the guarded region?

morehouse: Hmm... So any segfault will trigger a GWP-ASan report, even if its very far from the guarded…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Have changed to simply echo "Segmentation fault" and exit.

hctim: Have changed to simply echo "Segmentation fault" and exit.
Error = diagnoseUnknownError(AccessPtr, &Meta);
} else {
std::size_t Slot = getNearestSlot(AccessPtr);
Meta = addrToMetadata(slotToAddr(Slot));
// Ensure that this slot has been previously allocated.
if (!Meta->Addr)
Meta = nullptr;
}
// Print the error information, and if there is no valid metadata, die here.
printErrorTypeAndMaybeDie(Error, AccessPtr, Meta, Printf);
// Ensure that we have a valid metadata pointer from this point forward.
if (Meta == nullptr) {
Printf("GWP-ASan internal unreachable error. Metadata is not null.\n");
exit(EXIT_FAILURE);
}
printThreadInformation(Error, AccessPtr, Meta, Printf);
// TODO(hctim): Implement stack unwinding here. Ask the caller to provide us
// with the base pointer, and we unwind the stack to give a stack trace for
// the access.
// TODO(hctim): Implement dumping here of allocation/deallocation traces.
exit(EXIT_FAILURE);
}
TLS_INITIAL_EXEC uint64_t GuardedPoolAllocator::NextSampleCounter = 0;
GuardedPoolAllocator *GuardedPoolAllocator::SingletonPtr = nullptr;
} // namespace gwp_asan
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nullptr

vlad.tsyrklevich: nullptr
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

if (!gwp_asan::SingletonPtr) return; to match the other functions?

vlad.tsyrklevich: if (!gwp_asan::SingletonPtr) return; to match the other functions?
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I suppose it could also be assert(gwp_asan::SingletonPtr) since it's never correct to reach this function with an uninitialized GPA.

vlad.tsyrklevich: I suppose it could also be assert(gwp_asan::SingletonPtr) since it's never correct to reach…

compiler-rt/lib/gwp_asan/guarded_pool_allocator_posix.cpp

  • This file was added.
//===-- guarded_pool_allocator_posix.cpp ------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "gwp_asan/guarded_pool_allocator.h"
#include <cstdlib>
#include <errno.h>
#include <signal.h>
#include <sys/mman.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <unistd.h>
namespace gwp_asan {
void *GuardedPoolAllocator::mapMemory(size_t Size) const {
void *Ptr =
mmap(nullptr, Size, PROT_NONE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
if (Ptr == MAP_FAILED) {
Printf("Failed to map guarded pool allocator memory, errno: %d\n", errno);
Printf(" mmap(nullptr, %zu, ...) failed.\n", Size);
exit(EXIT_FAILURE);
}
return Ptr;
}
void GuardedPoolAllocator::markReadWrite(void *Ptr, size_t Size) const {
if (mprotect(Ptr, Size, PROT_READ | PROT_WRITE) != 0) {
Printf("Failed to set guarded pool allocator memory at as RW, errno: %d\n",
errno);
Printf(" mprotect(%p, %zu, RW) failed.\n", Ptr, Size);
exit(EXIT_FAILURE);
}
}
void GuardedPoolAllocator::markInaccessible(void *Ptr, size_t Size) const {
// mmap() a PROT_NONE page over the address to release it to the system, if
// we used mprotect() here the system would count pages in the quarantine
// against the RSS.
if (mmap(Ptr, Size, PROT_NONE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1,
0) == MAP_FAILED) {
Printf("Failed to set guarded pool allocator memory as inaccessible, "
"errno: %d\n",
errno);
Printf(" mmap(%p, %zu, NONE, ...) failed.\n", Ptr, Size);
exit(EXIT_FAILURE);
}
}
std::size_t GuardedPoolAllocator::getPlatformPageSize() {
return sysconf(_SC_PAGESIZE);
}
morehouseUnsubmitted
Done
ReplyInline Actions

s/0/-1 to be safe

morehouse: s/0/-1 to be safe
void (*PreviousSignumHandler)(int) = nullptr;
void (*PreviousSigactionHandler)(int, siginfo_t *, void *) = nullptr;
static void sigSegvHandler(int sig, siginfo_t *info, void *ucontext) {
if (sig != SIGSEGV)
return;
if (info == nullptr)
return;
morehouseUnsubmitted
Done
ReplyInline Actions

These two checks are probably unnecessary.

morehouse: These two checks are probably unnecessary.
gwp_asan::GuardedPoolAllocator::reportErrorAndDie(
reinterpret_cast<uintptr_t>(info->si_addr));
morehouseUnsubmitted
Done
ReplyInline Actions

This should probably forward to the previous SEGV handler after printing any GWP-ASan related things.

Doing this correctly is tricky, but you can look at how the original Google3 implementation did it for reference.

morehouse: This should probably forward to the previous SEGV handler after printing any GWP-ASan related…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Can you PTAL and see if it LGTY?

hctim: Can you PTAL and see if it LGTY?
morehouseUnsubmitted
Done
ReplyInline Actions

I think we should avoid dying here so the previous signal handler can examine the SEGV too.

morehouse: I think we should avoid dying here so the previous signal handler can examine the SEGV too.
if (PreviousSignumHandler)
PreviousSignumHandler(sig);
if (PreviousSigactionHandler)
morehouseUnsubmitted
Done
ReplyInline Actions

I'm not opposed to ignoring SIG_IGN, but this should be documented somewhere.

morehouse: I'm not opposed to ignoring `SIG_IGN`, but this should be documented somewhere.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Documented in GwpAsan.rst and options.inc.

hctim: Documented in `GwpAsan.rst` and `options.inc`.
PreviousSigactionHandler(sig, info, ucontext);
}
morehouseUnsubmitted
Done
ReplyInline Actions

There are also SIG_DFL and SIG_IGN cases. See https://critique.corp.google.com/#review/197822848/depot/google3/tcmalloc/guarded_page_allocator.cc for an example.

morehouse: There are also `SIG_DFL` and `SIG_IGN` cases. See https://critique.corp.google.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Done with some slight modifications. If the previous handler was SIG_IGN, we die as we'll constantly restart on the memory error and repeatedly spam GWP-ASan output. This also aligns with the exit behaviour of DOUBLE_FREE/INVALID_FREE and that of SIGSEGV-delivered errors.

We also don't explicitly handle SIG_DFL, as the fallthrough should call the default signal handler just fine.

hctim: Done with some slight modifications. If the previous handler was `SIG_IGN`, we die as we'll…
morehouseUnsubmitted
Done
ReplyInline Actions

I am skeptical that calling SIG_DFL() will work.

SIG_DFL is not a function address.

https://en.cppreference.com/w/cpp/utility/program/SIG_strategies

morehouse: I am skeptical that calling `SIG_DFL()` will work. SIG_DFL is not a function address. https…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Surprisingly, it worked on my machine. Have changed to ensure this works everywhere.

hctim: Surprisingly, it worked on my machine. Have changed to ensure this works everywhere.
void GuardedPoolAllocator::installSignalHandlers() {
struct sigaction OldHandler;
if (sigaction(SIGSEGV, nullptr, &OldHandler) == 0) {
if (OldHandler.sa_flags & SA_SIGINFO)
PreviousSigactionHandler = OldHandler.sa_sigaction;
else
PreviousSignumHandler = OldHandler.sa_handler;
}
struct sigaction Action;
Action.sa_sigaction = sigSegvHandler;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

gettid()?

vlad.tsyrklevich: gettid()?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Unsupported until glibc 2.30, but have implemented the syscall w/ fallback to UINT64_MAX.

hctim: Unsupported until glibc 2.30, but have implemented the syscall w/ fallback to `UINT64_MAX`.
Action.sa_flags = SA_SIGINFO;
sigaction(SIGSEGV, &Action, nullptr);
}
uint64_t GuardedPoolAllocator::getThreadID() {
#ifdef SYS_gettid
return syscall(SYS_gettid);
#else
return UINT64_MAX;
#endif
}
} // namespace gwp_asan

compiler-rt/lib/gwp_asan/mutex.h

  • This file was added.
//===-- mutex.h -------------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
// TODO(hctim): Move this implementation and Scudo's implementation into a
// unified base implementation. We shouldn't need to have separate
// implementations for this.
morehouseUnsubmitted
Done
ReplyInline Actions

implementation

morehouse: implementation
#ifndef GWP_ASAN_MUTEX_H_
#define GWP_ASAN_MUTEX_H_
#include "gwp_asan/definitions.h"
#include <cstdint>
#ifdef __unix__
#include <sched.h>
#endif // defined(__unix__)
namespace gwp_asan {
class Mutex {
public:
void lock();
bool tryLock();
void unlock();
private:
void yieldProcessor(uint8_t Count);
void yieldPlatform();
morehouseUnsubmitted
Done
ReplyInline Actions

I don't normally think of a semaphore as a bool. Maybe just call it Locked?

morehouse: I don't normally think of a semaphore as a bool. Maybe just call it `Locked`?
void lockSlow();
cryptoadUnsubmitted
Done
ReplyInline Actions

Does using std::atomic bring in a libc++ (or equivalent) dependency?

cryptoad: Does using `std::atomic` bring in a libc++ (or equivalent) dependency?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

It brings in a libc++ dependency when building GWP-ASan, but no further than that (i.e. does not affect Scudo). std::atomic<bool> is header-only, and although we don't have any strong guarantess for this, I believe it to be a safe bet.

@pcc - can you confirm that this is a safe bet?

hctim: It brings in a libc++ dependency when building GWP-ASan, but no further than that (i.e. does…
pccUnsubmitted
Done
ReplyInline Actions

I don't believe that the "header-only" subset of the standard library is formally defined, so in theory there could be a library dependency here but it seems unlikely. If we want a guarantee of no library dependency, we could always just use the __atomic builtins here like scudo is doing.

pcc: I don't believe that the "header-only" subset of the standard library is formally defined, so…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Moved onto __atomic builtins instead.

hctim: Moved onto `__atomic` builtins instead.
bool Locked = false;
};
class ScopedLock {
public:
ScopedLock(Mutex *Mx) : Mu(Mx) { Mu->lock(); }
~ScopedLock() { Mu->unlock(); }
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

gcc doesn't like this being named identically.

vlad.tsyrklevich: gcc doesn't like this being named identically.
vitalybukaUnsubmitted
Done
ReplyInline Actions

explicit?

vitalybuka: explicit?
private:
Mutex *Mu;
};
ALWAYS_INLINE void Mutex::lock() {
if (tryLock())
return;
lockSlow();
}
morehouseUnsubmitted
Done
ReplyInline Actions

Nit: Since bools, we can do !__atomic_exchange_n(...) instead.

morehouse: Nit: Since bools, we can do `!__atomic_exchange_n(...)` instead.
ALWAYS_INLINE bool Mutex::tryLock() {
return !__atomic_exchange_n(&Locked, true, __ATOMIC_ACQUIRE);
}
ALWAYS_INLINE void Mutex::unlock() {
__atomic_store_n(&Locked, false, __ATOMIC_RELEASE);
}
ALWAYS_INLINE void Mutex::yieldProcessor(uint8_t Count) {
#if defined(__i386__) || defined(__x86_64__)
vitalybukaUnsubmitted
Done
ReplyInline Actions

do you need yieldProcessor and lockSlow inline?
maybe move into cpp file to move this ifdefs from header?

vitalybuka: do you need yieldProcessor and lockSlow inline? maybe move into cpp file to move this ifdefs…
hctimAuthorUnsubmitted
Not Done
ReplyInline Actions

http://quick-bench.com/5oJNxyiBe-7KwZ0nMCRDGBaNa5s

Looks like with clang gets a slight perf improvement with inlining, which is extended (to 10% perf improvement) w/ libc++.

Also I'm hesitent to create small cpp files, as per https://reviews.llvm.org/D60593?id=195942#inline-542189.

Okay to leave as is?

hctim: http://quick-bench.com/5oJNxyiBe-7KwZ0nMCRDGBaNa5s Looks like with clang gets a slight perf…
__asm__ __volatile__("" ::: "memory");
for (uint8_t i = 0; i < Count; ++i)
__asm__ __volatile__("pause");
#elif defined(__aarch64__) || defined(__arm__)
__asm__ __volatile__("" ::: "memory");
for (uint8_t i = 0; I < Count; ++i)
__asm__ __volatile__("yield");
#endif
__asm__ __volatile__("" ::: "memory");
}
ALWAYS_INLINE void Mutex::lockSlow() {
for (uint32_t i = 0;; ++i) {
if (i < 10)
yieldProcessor(10);
else
yieldPlatform();
if (!__atomic_load_n(&Locked, __ATOMIC_RELAXED) && tryLock())
return;
}
}
#ifdef __unix__
ALWAYS_INLINE void Mutex::yieldPlatform() { sched_yield(); }
#endif // defined(__unix__)
} // namespace gwp_asan
#endif // GWP_ASAN_MUTEX_H_

compiler-rt/lib/gwp_asan/optional/runtime_env_flag_parser.h

  • This file was added.
//===-- runtime_env_flag_parser.h -------------------------------*- C++ -*-===//
//
morehouseUnsubmitted
Done
ReplyInline Actions

Why is this file called runtime_env_flag_parser.h?

  1. We're also parsing compile-time flags.
  2. Looks like we're calling these "options" rather than flags.
morehouse: Why is this file called `runtime_env_flag_parser.h`? # We're also parsing compile-time…
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_OPTIONAL_RUNTIME_ENV_FLAG_PARSER_H_
#define GWP_ASAN_OPTIONAL_RUNTIME_ENV_FLAG_PARSER_H_
// Include sanitizer_common first as gwp_asan/options.h transiently includes
// definitions.h, which overwrites some of the definitions in sanitizer_common.
#include "sanitizer_common/sanitizer_common.h"
#include "gwp_asan/options.h"
namespace gwp_asan {
namespace options {
morehouseUnsubmitted
Done
ReplyInline Actions

Can we outsource all flag parsing and just have GuardedPoolAllocator configured during init?

morehouse: Can we outsource all flag parsing and just have GuardedPoolAllocator configured during init?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

We do. Sorry if this isn't clear in the design.

The optional directory (and build flags) basically are a set of features that an allocator can choose to use if they don't want to reimplement the functionality. In this case, the optional component is the runtime environment flag parser, which has a dependency on sanitizer_common.

When Scudo merges its own flag parsing, they can then parse GwpAsan flags by their own methodology, as the GwpAsan options are passed to the allocator in init(). The configuration of GwpAsan is orthogonal to how the options are parsed.

hctim: We do. Sorry if this isn't clear in the design. The `optional` directory (and build flags)…
// Parse the options from the GWP_ASAN_FLAGS environment variable.
morehouseUnsubmitted
Done
ReplyInline Actions

s/initFlags/initOptions

morehouse: s/initFlags/initOptions
void initOptions();
// Returns a pointer to the initialised options. Call initFlags() prior to
// calling this function.
Options *getOptions();
} // namespace options
} // namespace gwp_asan
extern "C" {
SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE const char *
__gwp_asan_default_options();
}
#endif // GWP_ASAN_OPTIONAL_RUNTIME_ENV_FLAG_PARSER_H_

compiler-rt/lib/gwp_asan/optional/runtime_env_flag_parser.cpp

  • This file was added.
//===-- runtime_env_flag_parser.cpp -----------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include <cstdarg>
#include <cstdlib>
#include <cstring>
#include "gwp_asan/optional/runtime_env_flag_parser.h"
#include "gwp_asan/options.h"
#include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_flag_parser.h"
#include "sanitizer_common/sanitizer_flags.h"
namespace gwp_asan {
namespace options {
static Options GwpAsanFlags; // Use via getOptions().
static void registerGwpAsanFlags(__sanitizer::FlagParser *parser, Options *o) {
#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
RegisterFlag(parser, #Name, Description, &o->Name);
#include "gwp_asan/options.inc"
#undef GWP_ASAN_OPTION
morehouseUnsubmitted
Done
ReplyInline Actions

May as well make this return void if we're always returning 0.

morehouse: May as well make this return `void` if we're always returning 0.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

fn is removed.

hctim: fn is removed.
}
static const char *getCompileDefinitionGwpAsanDefaultOptions() {
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Nit: GwpAsan or GWPASan are internally coherent capitalization-wise.

vlad.tsyrklevich: Nit: GwpAsan or GWPASan are internally coherent capitalization-wise.
morehouseUnsubmitted
Done
ReplyInline Actions

Can we make GWPAsanFlags a static inside getOptions?

morehouse: Can we make `GWPAsanFlags` a static inside `getOptions`?
#ifdef GWP_ASAN_DEFAULT_OPTIONS
return SANITIZER_STRINGIFY(GWP_ASAN_DEFAULT_OPTIONS);
#else
return "";
#endif
}
static const char *getGwpAsanDefaultOptions() {
return (&__gwp_asan_default_options) ? __gwp_asan_default_options() : "";
}
void initOptions() {
__sanitizer::SetCommonFlagsDefaults();
{
__sanitizer::CommonFlags cf;
cf.CopyFrom(*__sanitizer::common_flags());
cf.exitcode = 1;
OverrideCommonFlags(cf);
morehouseUnsubmitted
Done
ReplyInline Actions

I'm pretty sure & is unnecessary.

morehouse: I'm pretty sure `&` is unnecessary.
}
morehouseUnsubmitted
Done
ReplyInline Actions

Unnamed namespace would allow us to remove all these statics on variables and functions.

morehouse: Unnamed namespace would allow us to remove all these `statics` on variables and functions.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Removed them without an unnamed namespace. This okay?

hctim: Removed them without an unnamed namespace. This okay?
Options *o = getOptions();
o->setDefaults();
__sanitizer::FlagParser Parser;
registerGwpAsanFlags(&Parser, o);
RegisterCommonFlags(&Parser);
// Override from compile definition.
Parser.ParseString(getCompileDefinitionGwpAsanDefaultOptions());
morehouseUnsubmitted
Done
ReplyInline Actions

Do we care about any of the sanitizer_common flags?

morehouse: Do we care about any of the `sanitizer_common` flags?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Nope, removed.

hctim: Nope, removed.
// Override from user-specified string.
Parser.ParseString(getGwpAsanDefaultOptions());
// Override from environment.
Parser.ParseString(__sanitizer::GetEnv("GWP_ASAN_OPTIONS"));
__sanitizer::InitializeCommonFlags();
// Sanity checks and default settings for the parameters.
if (o->Enabled && o->NumUsableGuardedSlots <= 0) {
__sanitizer::Printf(
"GWP-ASan ERROR: NumUsableGuardedSlots must be >= 0 when "
"GWP-ASan is enabled.\n");
exit(EXIT_FAILURE);
}
if (o->Enabled && o->SampleRate < 1) {
__sanitizer::Printf("GWP-ASan ERROR: SampleRate must be >= 1 when "
"GWP-ASan is enabled.\n");
exit(EXIT_FAILURE);
}
o->Printf = __sanitizer::Printf;
}
Options *getOptions() { return &GwpAsanFlags; }
} // namespace options
} // namespace gwp_asan
#if !SANITIZER_SUPPORTS_WEAK_HOOKS
SANITIZER_INTERFACE_WEAK_DEF(const char *, __gwp_asan_default_options, void) {
return "";
}
#endif
morehouseUnsubmitted
Done
ReplyInline Actions

Why the #if?

morehouse: Why the `#if`?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I could have sworn that this failed to build without it, but it appears to be a non-issue now. Removed.

hctim: I could have sworn that this failed to build without it, but it appears to be a non-issue now.

compiler-rt/lib/gwp_asan/options.h

  • This file was added.
//===-- options.h -----------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_OPTIONS_H_
#define GWP_ASAN_OPTIONS_H_
#include "definitions.h"
namespace gwp_asan {
namespace options {
// The function pointer type for printf(). Follows the standard format from the
// sanitizers library. If the supported allocator exposes printing via a
// different function signature, please provide a wrapper which has this
// printf() signature, and pass the wrapper instead.
typedef void (*Printf_t)(const char *Format, ...);
struct Options {
Printf_t Printf = nullptr;
// Read the options from the included definitions file.
#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
Type Name = DefaultValue;
#include "gwp_asan/options.inc"
morehouseUnsubmitted
Done
ReplyInline Actions

Seems we have potential double-initialization of the global options:

  1. We call initOptions before the GwpAsanFlags constructor runs.
  2. GwpAsanFlags constructor runs and sets back to defaults.
morehouse: Seems we have potential double-initialization of the global options: # We call `initOptions`…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep, fixed the init-order-fiasco with moving to on-demand instantiation inside of getOptions().

hctim: Yep, fixed the init-order-fiasco with moving to on-demand instantiation inside of `getOptions…
#undef GWP_ASAN_OPTION
void setDefaults() {
#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
Name = DefaultValue;
#include "gwp_asan/options.inc"
#undef GWP_ASAN_OPTION
Printf = nullptr;
}
};
} // namespace options
} // namespace gwp_asan
#endif // GWP_ASAN_OPTIONS_H_

compiler-rt/lib/gwp_asan/options.inc

  • This file was added.
//===-- options.inc ---------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_OPTION
#error "Define GWP_ASAN_OPTION prior to including this file!"
#endif
#ifndef GWP_ASAN_DEFINITIONS_H_
#error "Include gwp_asan/definitions.h prior to including this file!"
#endif
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I personally would also eliminate this option, most users shouldn't have to think about the likelihood of overflow versus underflow.

vlad.tsyrklevich: I personally would also eliminate this option, most users shouldn't have to think about the…
GWP_ASAN_OPTION(bool, Enabled, true, "Is GWP-ASan enabled? Defaults to true.")
GWP_ASAN_OPTION(
bool, PerfectlyRightAlign, false,
"When allocations are right-aligned, should we perfectly align them up to "
"the page boundary? By default (false), we round up allocation size to the "
morehouseUnsubmitted
Done
ReplyInline Actions

malloc is required to return memory that is "suitably aligned". Won't perfect right alignment violate this?

E.g.,

uint8_t *buf = malloc(5);
// ... Copy some data into buf ...
uint32_t *word = (uint32_t *) buf;
*word += buf[4];

I think if malloc right-aligns, some processors would fail to load the 32-bit word on the last line.

morehouse: malloc is required to return memory that is "suitably aligned". Won't perfect right alignment…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I think it's a useful option on platforms that do support unaligned access (Intel, ARM >= v7). We've heard that this was useful with PageHeap for finding small OOB accesses, though obviously perf characteristics from using this option will vary significantly depending on the application.

vlad.tsyrklevich: I think it's a useful option on platforms that do support unaligned access (Intel, ARM >= v7).
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Yep, for safety reasons this is why it's disabled-by-default. I would personally prefer that users who understand the architectural configuration can enable it for themselves at the risk of performance degradation.

hctim: Yep, for safety reasons this is why it's disabled-by-default. I would personally prefer that…
morehouseUnsubmitted
Done
ReplyInline Actions

We should also mention that perfect-right-alignment will break on some architectures.

morehouse: We should also mention that perfect-right-alignment will break on some architectures.
"nearest power of two (2, 4, 8, 16) up to a maximum of 16-byte alignment "
"for performance reasons. Setting this to true can find single byte "
"buffer-overflows at the cost of performance, and may be incompatible with "
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

The documentation and tests use NumUsableGuardedPages but it's not directly tested anywhere so it's not caught that this is named differently here and doesn't work.

vlad.tsyrklevich: The documentation and tests use NumUsableGuardedPages but it's not directly tested anywhere so…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Added a test for this.

hctim: Added a test for this.
"some architectures.")
GWP_ASAN_OPTION(
int, NumUsableGuardedSlots, 16,
morehouseUnsubmitted
Done
ReplyInline Actions

I think this needs to be uint64 or unsigned long long.

morehouse: I think this needs to be `uint64` or `unsigned long long`.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Feels like this should still be uint64/ULL (2^63 comment is otherwise not right on 32-bit platforms.)

vlad.tsyrklevich: Feels like this should still be uint64/ULL (2^63 comment is otherwise not right on 32-bit…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Was trying to work out a solution around the fact that the sanitizer flag parser doesn't support uint64_t. I've created a patch to support long long in sanitizer_common which we can then truncate if > 64bits.

Signed-ness of this doesn't really matter as we multiply by two in init() anyway. We can't directly convert to an unsigned 64-bit value as internal_strtoll doesn't support unsigned 64-bit values (they internally use s64 and typedef it to long long).

hctim: Was trying to work out a solution around the fact that the sanitizer flag parser doesn't…
morehouseUnsubmitted
Done
ReplyInline Actions

What happens if I set a negative value?

morehouse: What happens if I set a negative value?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

The error checking is done in the flag parser, but I've also added explicit checking in init() as well.

hctim: The error checking is done in the flag parser, but I've also added explicit checking in `init…
"Number of usable guarded slots in the allocation pool. Defaults to 16.")
morehouseUnsubmitted
Done
ReplyInline Actions

Replace 1 / (2^63) with 2^63

morehouse: Replace 1 / (2^63) with 2^63
GWP_ASAN_OPTION(
uptr, SampleRate, 5000,
"The probability (1 / SampleRate) that an allocation is selected for "
"GWP-ASan sampling. Default is 5000. Sample rates up to 2^63 are "
"supported.")
morehouseUnsubmitted
Done
ReplyInline Actions

This option should describe interactions with the user's signal handlers.

morehouse: This option should describe interactions with the user's signal handlers.
GWP_ASAN_OPTION(bool, InstallSignalHandlers, true,
"Install GWP-ASan signal handlers for SIGSEGV. This allows "
morehouseUnsubmitted
Done
ReplyInline Actions

What happens if I set a negative sample rate?

morehouse: What happens if I set a negative sample rate?
"better error reports by providing stack traces for "
"allocation/deallocation when reporting a use-after-free.")

compiler-rt/lib/gwp_asan/random.h

  • This file was added.
//===-- random.h ------------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#ifndef GWP_ASAN_RANDOM_H_
#define GWP_ASAN_RANDOM_H_
#include <cstdint>
#include "gwp_asan/definitions.h"
namespace gwp_asan {
class Random {
public:
// TODO(hctim): This may have significant overhead for platforms where
// 64-bit arithmetic is emulated. Do we need less than a 2^32 chance of
// sampling?
// xorshift128+ (64-bit output). Avoids multiplication.
static ALWAYS_INLINE uint64_t getRandomUnsigned64() {
uint64_t A = RandomStateA;
vitalybukaUnsubmitted
Done
ReplyInline Actions

it's called on slow path when NextSampleCounter == 0
I don't thins ALWAYS_INLINE will help here.
just move it into cpp file?
Also http://quick-bench.com/Jbi9nGqIlAfRkFGHjpJzBVR58Bw

Can you explain why you need own random?

vitalybuka: it's called on slow path when NextSampleCounter == 0 I don't thins ALWAYS_INLINE will help here.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Can't use PRNG from libc++, as we have to be c-compatible.

Can't use PRNG from sanitizer_common, as we don't depend on sanitizer_common in the core code.

libc rand() is too slow.

read from /dev/ is too slow.

hctim: Can't use PRNG from libc++, as we have to be c-compatible. Can't use PRNG from…
const uint64_t B = RandomStateB;
RandomStateA = B;
A ^= A << 23;
A ^= A >> 17;
A ^= B ^ (B >> 26);
RandomStateB = A;
return A + B;
}
// xorshift* (64-bit output). This is primarily used to seed the xorshift128+
// generator.
static ALWAYS_INLINE uint64_t xorShiftStar64() {
uint64_t A = RandomStateA;
A ^= A >> 12;
A ^= A << 25;
A ^= A >> 27;
RandomStateA = A;
return A * 0x2545F4914F6CDD1D;
}
private:
static TLS_INITIAL_EXEC uint64_t RandomStateA;
static TLS_INITIAL_EXEC uint64_t RandomStateB;
vitalybukaUnsubmitted
Done
ReplyInline Actions

they don't need to be in the header

vitalybuka: they don't need to be in the header
};
} // namespace gwp_asan
#endif // GWP_ASAN_RANDOM_H_

compiler-rt/lib/gwp_asan/random.cpp

  • This file was added.
//===-- random.cpp ----------------------------------------------*- C++ -*-===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
#include "gwp_asan/random.h"
#include <ctime>
namespace gwp_asan {
TLS_INITIAL_EXEC uint64_t Random::RandomStateA =
static_cast<uint64_t>(time(nullptr));
TLS_INITIAL_EXEC uint64_t Random::RandomStateB = xorShiftStar64();
} // namespace gwp_asan
morehouseUnsubmitted
Done
ReplyInline Actions

Looks like initialization of these globals could happen after the first call to getRandom.

morehouse: Looks like initialization of these globals could happen after the first call to `getRandom`.

compiler-rt/lib/sanitizer_common/sanitizer_common.h

Show All 16 Lines
#include "sanitizer_flags.h" #include "sanitizer_flags.h"
#include "sanitizer_interface_internal.h" #include "sanitizer_interface_internal.h"
#include "sanitizer_internal_defs.h" #include "sanitizer_internal_defs.h"
#include "sanitizer_libc.h" #include "sanitizer_libc.h"
#include "sanitizer_list.h" #include "sanitizer_list.h"
#include "sanitizer_mutex.h" #include "sanitizer_mutex.h"
#include <stdarg.h>
#if defined(_MSC_VER) && !defined(__clang__) #if defined(_MSC_VER) && !defined(__clang__)
extern "C" void _ReadWriteBarrier(); extern "C" void _ReadWriteBarrier();
#pragma intrinsic(_ReadWriteBarrier) #pragma intrinsic(_ReadWriteBarrier)
#endif #endif
namespace __sanitizer { namespace __sanitizer {
struct AddressInfo; struct AddressInfo;
▲ Show 20 LinesShow All 148 Lines▼ Show 20 Lines
void SetLowLevelAllocateCallback(LowLevelAllocateCallback callback); void SetLowLevelAllocateCallback(LowLevelAllocateCallback callback);
// IO // IO
void CatastrophicErrorWrite(const char *buffer, uptr length); void CatastrophicErrorWrite(const char *buffer, uptr length);
void RawWrite(const char *buffer); void RawWrite(const char *buffer);
bool ColorizeReports(); bool ColorizeReports();
void RemoveANSIEscapeSequencesFromString(char *buffer); void RemoveANSIEscapeSequencesFromString(char *buffer);
void Printf(const char *format, ...); void Printf(const char *format, ...);
void VariadicPrintf(const char *format, va_list ap);
void Report(const char *format, ...); void Report(const char *format, ...);
void SetPrintfAndReportCallback(void (*callback)(const char *)); void SetPrintfAndReportCallback(void (*callback)(const char *));
#define VReport(level, ...) \ #define VReport(level, ...) \
do { \ do { \
if ((uptr)Verbosity() >= (level)) Report(__VA_ARGS__); \ if ((uptr)Verbosity() >= (level)) Report(__VA_ARGS__); \
} while (0) } while (0)
#define VPrintf(level, ...) \ #define VPrintf(level, ...) \
do { \ do { \
▲ Show 20 LinesShow All 782 LinesShow Last 20 Lines

compiler-rt/lib/sanitizer_common/sanitizer_printf.cc

Show First 20 LinesShow All 316 Lines▼ Show 20 Lines
FORMAT(1, 2) FORMAT(1, 2)
void Printf(const char *format, ...) { void Printf(const char *format, ...) {
va_list args; va_list args;
va_start(args, format); va_start(args, format);
SharedPrintfCode(false, format, args); SharedPrintfCode(false, format, args);
va_end(args); va_end(args);
} }
void VariadicPrintf(const char *format, va_list ap) {
SharedPrintfCode(false, format, ap);
}
// Like Printf, but prints the current PID before the output string. // Like Printf, but prints the current PID before the output string.
FORMAT(1, 2) FORMAT(1, 2)
void Report(const char *format, ...) { void Report(const char *format, ...) {
va_list args; va_list args;
va_start(args, format); va_start(args, format);
SharedPrintfCode(true, format, args); SharedPrintfCode(true, format, args);
va_end(args); va_end(args);
} }
Show All 26 Lines

compiler-rt/lib/scudo/CMakeLists.txt

Show All 24 Lines# android-changes-for-ndk-developers.md#changes-to-library-search-order
endif() endif()
endif() endif()
# The minimal Scudo runtime does not inlude the UBSan runtime. # The minimal Scudo runtime does not inlude the UBSan runtime.
set(SCUDO_MINIMAL_OBJECT_LIBS set(SCUDO_MINIMAL_OBJECT_LIBS
RTSanitizerCommonNoTermination RTSanitizerCommonNoTermination
RTSanitizerCommonLibc RTSanitizerCommonLibc
RTInterception) RTInterception)
if (GWP_ASAN_SCUDO_HOOKS)
# Currently, Scudo uses the GwpAsan flag parser. This backs onto the flag
# parsing mechanism of sanitizer_common. Once Scudo has its own flag parsing,
# and parses GwpAsan options, you can remove this dependency.
list(APPEND SCUDO_MINIMAL_OBJECT_LIBS RTGwpAsan RTGwpAsanFlagParser)
list(APPEND SCUDO_CFLAGS -DGWP_ASAN_HOOKS)
# TODO(hctim): Why do we require the atomics library here? When compiling i386
# versions of Scudo, the linker fails to find __atomic_load_8 (used by
# GPA::shouldSample() to atomically load GPA::AdjustedSampleRate).
list(APPEND SCUDO_DYNAMIC_LINK_FLAGS -latomic)
endif()
set(SCUDO_OBJECT_LIBS ${SCUDO_MINIMAL_OBJECT_LIBS}) set(SCUDO_OBJECT_LIBS ${SCUDO_MINIMAL_OBJECT_LIBS})
set(SCUDO_DYNAMIC_LIBS ${SCUDO_MINIMAL_DYNAMIC_LIBS}) set(SCUDO_DYNAMIC_LIBS ${SCUDO_MINIMAL_DYNAMIC_LIBS})
if (FUCHSIA) if (FUCHSIA)
list(APPEND SCUDO_CFLAGS -nostdinc++) list(APPEND SCUDO_CFLAGS -nostdinc++)
list(APPEND SCUDO_DYNAMIC_LINK_FLAGS -nostdlib++) list(APPEND SCUDO_DYNAMIC_LINK_FLAGS -nostdlib++)
else() else()
list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARIES}) list(APPEND SCUDO_DYNAMIC_LIBS ${SANITIZER_CXX_ABI_LIBRARIES})
▲ Show 20 LinesShow All 102 LinesShow Last 20 Lines

compiler-rt/lib/scudo/scudo_allocator.cpp

Show All 19 Lines
#include "scudo_interface_internal.h" #include "scudo_interface_internal.h"
#include "scudo_tsd.h" #include "scudo_tsd.h"
#include "scudo_utils.h" #include "scudo_utils.h"
#include "sanitizer_common/sanitizer_allocator_checks.h" #include "sanitizer_common/sanitizer_allocator_checks.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_quarantine.h" #include "sanitizer_common/sanitizer_quarantine.h"
#ifdef GWP_ASAN_HOOKS
# include "gwp_asan/guarded_pool_allocator.h"
# include "gwp_asan/optional/runtime_env_flag_parser.h"
#endif // GWP_ASAN_HOOKS
#include <errno.h> #include <errno.h>
#include <string.h> #include <string.h>
namespace __scudo { namespace __scudo {
// Global static cookie, initialized at start-up. // Global static cookie, initialized at start-up.
static u32 Cookie; static u32 Cookie;
▲ Show 20 LinesShow All 172 Lines▼ Show 20 Lines
typedef QuarantineT::Cache QuarantineCacheT; typedef QuarantineT::Cache QuarantineCacheT;
COMPILER_CHECK(sizeof(QuarantineCacheT) <= COMPILER_CHECK(sizeof(QuarantineCacheT) <=
sizeof(ScudoTSD::QuarantineCachePlaceHolder)); sizeof(ScudoTSD::QuarantineCachePlaceHolder));
QuarantineCacheT *getQuarantineCache(ScudoTSD *TSD) { QuarantineCacheT *getQuarantineCache(ScudoTSD *TSD) {
return reinterpret_cast<QuarantineCacheT *>(TSD->QuarantineCachePlaceHolder); return reinterpret_cast<QuarantineCacheT *>(TSD->QuarantineCachePlaceHolder);
} }
#ifdef GWP_ASAN_HOOKS
static gwp_asan::GuardedPoolAllocator GuardedAlloc;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

nit: spacing doesn't match surrounding code

vlad.tsyrklevich: nit: spacing doesn't match surrounding code
#endif // GWP_ASAN_HOOKS
struct Allocator { struct Allocator {
static const uptr MaxAllowedMallocSize = static const uptr MaxAllowedMallocSize =
FIRST_32_SECOND_64(2UL << 30, 1ULL << 40); FIRST_32_SECOND_64(2UL << 30, 1ULL << 40);
BackendT Backend; BackendT Backend;
QuarantineT Quarantine; QuarantineT Quarantine;
u32 QuarantineChunksUpToSize; u32 QuarantineChunksUpToSize;
bool DeallocationTypeMismatch; bool DeallocationTypeMismatch;
bool ZeroContents; bool ZeroContents;
bool DeleteSizeMismatch; bool DeleteSizeMismatch;
bool CheckRssLimit; bool CheckRssLimit;
uptr HardRssLimitMb; uptr HardRssLimitMb;
uptr SoftRssLimitMb; uptr SoftRssLimitMb;
atomic_uint8_t RssLimitExceeded; atomic_uint8_t RssLimitExceeded;
atomic_uint64_t RssLastCheckedAtNS; atomic_uint64_t RssLastCheckedAtNS;
explicit Allocator(LinkerInitialized) explicit Allocator(LinkerInitialized)
: Quarantine(LINKER_INITIALIZED) {} : Quarantine(LINKER_INITIALIZED) {}
cryptoadUnsubmitted
Done
ReplyInline Actions

We are avoiding any non-trivial initialization on static objects. Ideally those 2 would go in init.

cryptoad: We are avoiding any non-trivial initialization on static objects. Ideally those 2 would go in…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

So this kind of conflicts with my previous statement. If we move this initialisation into init(), we will recurse into init() -> Allocator::allocate() -> initThreadMaybe() -> init() and we deadlock on pthread_once.

We have two options here:

  1. Leave the GwpAsan initialisation in the c'tor, which forces the initialisation of Scudo at startup, rather than lazily initialising.
  2. We avoid malloc() and instead do our own memory management in GwpAsan's init().

@eugenis - What do you think is the right long-term support option for GwpAsan here?

hctim: So this kind of conflicts with my previous statement. If we move this initialisation into `init…
eugenisUnsubmitted
Done
ReplyInline Actions

how about

  1. Do "fast pass" initialization in init(), then do full initialization on first sampled malloc

"fast pass" initialization is just enough to do sampling, i.e. the inlined part of shouldSample().

Since init() can run in a secondary thread, the access to SampleRate can race and needs to be changed to an atomic.

eugenis: how about 3. Do "fast pass" initialization in init(), then do full initialization on first…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

So this would be a problem with lazy-init of GWP-ASan. For lazy-initialisation, we would require NextSampleCounter, SampleRate, GuardedPagePool, and GuardedPagePoolEnd to all be atomic (and at least one with . At the moment, init() is run before any allocations take place, so it shouldn't race. Changing these to atomics would incur a significant performace overhead to the allocator's fast path.

I'm leaning towards #2 here, and requiring the c'tor to initialise GwpAsan before any allocations take place.

hctim: So this would be a problem with lazy-init of GWP-ASan. For lazy-initialisation, we would…
eugenisUnsubmitted
Done
ReplyInline Actions

Relaxed atomic. We don't need any fancy memory ordering here, only atomicity of individual stores and loads. They will compile to the same code as non-atomic, or very similar.

#2 is also fine, but it limits us a little. Not a big deal, I guess, if we already are not allowed to use libc in common gwp-asan code because of fuchsia - is that correct?

eugenis: Relaxed atomic. We don't need any fancy memory ordering here, only atomicity of individual…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I think we've decided to do memory-mapped pages instead.

hctim: I think we've decided to do memory-mapped pages instead.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I've just remembered that I forgot to update the aforementioned values to atomics, working on it now. My initial experiments show that the relaxed atomics (on x86_64) compile down to the same bytecode, and should not create a performance issue.

Will run the synthetic tests as well.

hctim: I've just remembered that I forgot to update the aforementioned values to atomics, working on…
NOINLINE void performSanityChecks(); NOINLINE void performSanityChecks();
void init() { void init() {
SanitizerToolName = "Scudo"; SanitizerToolName = "Scudo";
PrimaryAllocatorName = "ScudoPrimary"; PrimaryAllocatorName = "ScudoPrimary";
SecondaryAllocatorName = "ScudoSecondary"; SecondaryAllocatorName = "ScudoSecondary";
initFlags(); initFlags();
Show All 40 Linesstruct Allocator {
} }
NOINLINE bool isRssLimitExceeded(); NOINLINE bool isRssLimitExceeded();
// Allocates a chunk. // Allocates a chunk.
void *allocate(uptr Size, uptr Alignment, AllocType Type, void *allocate(uptr Size, uptr Alignment, AllocType Type,
bool ForceZeroContents = false) { bool ForceZeroContents = false) {
initThreadMaybe(); initThreadMaybe();
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.shouldSample())) {
morehouseUnsubmitted
Done
ReplyInline Actions

What does the assembly for this look like on the fast path?

morehouse: What does the assembly for this look like on the fast path?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

See attached image in description.

hctim: See attached image in description.
morehouseUnsubmitted
Done
ReplyInline Actions

Could you just post the assembly? Preferably a before/after of this fastpath change.

The CFG is confusing for me to read.

morehouse: Could you just post the assembly? Preferably a before/after of this fastpath change. The CFG…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

before, after the changes

hctim: [[ https://pastebin.com/RNUyYBkC | before ]], [[ https://pastebin.com/XfyBtDsp | after ]] the…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

@vlad.tsyrklevich

hctim: @vlad.tsyrklevich
if (void *Ptr = GuardedAlloc.allocate(Size))
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Can collapse this into a single if (void *Ptr = GuardedAlloc.allocate(Size))

vlad.tsyrklevich: Can collapse this into a single if (void *Ptr = GuardedAlloc.allocate(Size))
return Ptr;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(Alignment > MaxAlignment)) { if (UNLIKELY(Alignment > MaxAlignment)) {
if (AllocatorMayReturnNull()) if (AllocatorMayReturnNull())
return nullptr; return nullptr;
reportAllocationAlignmentTooBig(Alignment, MaxAlignment); reportAllocationAlignmentTooBig(Alignment, MaxAlignment);
} }
if (UNLIKELY(Alignment < MinAlignment)) if (UNLIKELY(Alignment < MinAlignment))
Alignment = MinAlignment; Alignment = MinAlignment;
▲ Show 20 LinesShow All 127 Lines▼ Show 20 Lines void deallocate(void *Ptr, uptr DeleteSize, uptr DeleteAlignment,
// where the only heap operation performed in a thread would be a free past // where the only heap operation performed in a thread would be a free past
// the TLS destructors, ending up in initialized thread specific data never // the TLS destructors, ending up in initialized thread specific data never
// being destroyed properly. Any other heap operation will do a full init. // being destroyed properly. Any other heap operation will do a full init.
initThreadMaybe(/*MinimalInit=*/true); initThreadMaybe(/*MinimalInit=*/true);
if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook) if (SCUDO_CAN_USE_HOOKS && &__sanitizer_free_hook)
__sanitizer_free_hook(Ptr); __sanitizer_free_hook(Ptr);
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return; return;
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(Ptr))) {
GuardedAlloc.deallocate(Ptr);
return;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(!Chunk::isAligned(Ptr))) if (UNLIKELY(!Chunk::isAligned(Ptr)))
dieWithMessage("misaligned pointer when deallocating address %p\n", Ptr); dieWithMessage("misaligned pointer when deallocating address %p\n", Ptr);
UnpackedHeader Header; UnpackedHeader Header;
Chunk::loadHeader(Ptr, &Header); Chunk::loadHeader(Ptr, &Header);
if (UNLIKELY(Header.State != ChunkAllocated)) if (UNLIKELY(Header.State != ChunkAllocated))
dieWithMessage("invalid chunk state when deallocating address %p\n", Ptr); dieWithMessage("invalid chunk state when deallocating address %p\n", Ptr);
if (DeallocationTypeMismatch) { if (DeallocationTypeMismatch) {
// The deallocation type has to match the allocation one. // The deallocation type has to match the allocation one.
Show All 13 Lines#endif // GWP_ASAN_HOOKS
(void)DeleteAlignment; // TODO(kostyak): verify that the alignment matches. (void)DeleteAlignment; // TODO(kostyak): verify that the alignment matches.
quarantineOrDeallocateChunk(Ptr, &Header, Size); quarantineOrDeallocateChunk(Ptr, &Header, Size);
} }
// Reallocates a chunk. We can save on a new allocation if the new requested // Reallocates a chunk. We can save on a new allocation if the new requested
// size still fits in the chunk. // size still fits in the chunk.
void *reallocate(void *OldPtr, uptr NewSize) { void *reallocate(void *OldPtr, uptr NewSize) {
initThreadMaybe(); initThreadMaybe();
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(OldPtr))) {
size_t OldSize = GuardedAlloc.getSize(OldPtr);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

if (!NewPtr) then we never deallocate? Also is it possible that this will be reached with NewSize=0 like in the realloc() case or not? e.g. do we need to explicitly handle it here

vlad.tsyrklevich: if (!NewPtr) then we never deallocate? Also is it possible that this will be reached with…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Fixed. Also, if NewSize==0, then Scudo will provide the backing allocation through allocate, and we should proceed as normal (zero bytes will be copied and dealloc from GPA will take place).

hctim: Fixed. Also, if `NewSize==0`, then Scudo will provide the backing allocation through `allocate`…
void *NewPtr = allocate(NewSize, MinAlignment, FromMalloc);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Unlikely but there may be no metadata here for a bad realloc. If you implement the logic for checking the pointer as I mention below, you may be able to piggy back on that here and just called GPA.GetSize(ptr) here and get that check for free instead of accessing the metadata. (This gives the additional added advantage of being able to place addrToMetadata as a private member and hiding the metadata from upstream users.)

vlad.tsyrklevich: Unlikely but there may be no metadata here for a bad realloc. If you implement the logic for…
if (NewPtr)
memcpy(NewPtr, OldPtr, (NewSize < OldSize) ? NewSize : OldSize);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

std::min(Meta->Size, NewSize)

vlad.tsyrklevich: std::min(Meta->Size, NewSize)
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Done (but w/o std:: as Scudo doesn't want dependency on c++stdlib).

hctim: Done (but w/o `std::` as Scudo doesn't want dependency on `c++stdlib`).
GuardedAlloc.deallocate(OldPtr);
return NewPtr;
}
#endif // GWP_ASAN_HOOKS
if (UNLIKELY(!Chunk::isAligned(OldPtr))) if (UNLIKELY(!Chunk::isAligned(OldPtr)))
dieWithMessage("misaligned address when reallocating address %p\n", dieWithMessage("misaligned address when reallocating address %p\n",
OldPtr); OldPtr);
UnpackedHeader OldHeader; UnpackedHeader OldHeader;
Chunk::loadHeader(OldPtr, &OldHeader); Chunk::loadHeader(OldPtr, &OldHeader);
if (UNLIKELY(OldHeader.State != ChunkAllocated)) if (UNLIKELY(OldHeader.State != ChunkAllocated))
dieWithMessage("invalid chunk state when reallocating address %p\n", dieWithMessage("invalid chunk state when reallocating address %p\n",
OldPtr); OldPtr);
Show All 25 Lines#endif // GWP_ASAN_HOOKS
return NewPtr; return NewPtr;
} }
// Helper function that returns the actual usable size of a chunk. // Helper function that returns the actual usable size of a chunk.
uptr getUsableSize(const void *Ptr) { uptr getUsableSize(const void *Ptr) {
initThreadMaybe(); initThreadMaybe();
if (UNLIKELY(!Ptr)) if (UNLIKELY(!Ptr))
return 0; return 0;
#ifdef GWP_ASAN_HOOKS
if (UNLIKELY(GuardedAlloc.pointerIsMine(Ptr)))
return GuardedAlloc.getSize(Ptr);
#endif // GWP_ASAN_HOOKS
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I would return Size here, there is no reason for users of this API to see more than that. For one I'm not sure how other allocators handle the slack between Size and RealSize and things like reallocations.

vlad.tsyrklevich: I would return Size here, there is no reason for users of this API to see more than that. For…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I would check that ptr is allocated and matches the metadata here. (It turns out that e.g. on macOS the system libs can reach this with an incorrect pointer and on that platform they expect you to return 0. For now I'd just assert())

vlad.tsyrklevich: I would check that ptr is allocated and matches the metadata here. (It turns out that e.g. on…
UnpackedHeader Header; UnpackedHeader Header;
Chunk::loadHeader(Ptr, &Header); Chunk::loadHeader(Ptr, &Header);
// Getting the usable size of a chunk only makes sense if it's allocated. // Getting the usable size of a chunk only makes sense if it's allocated.
if (UNLIKELY(Header.State != ChunkAllocated)) if (UNLIKELY(Header.State != ChunkAllocated))
dieWithMessage("invalid chunk state when sizing address %p\n", Ptr); dieWithMessage("invalid chunk state when sizing address %p\n", Ptr);
return Chunk::getUsableSize(Ptr, &Header); return Chunk::getUsableSize(Ptr, &Header);
} }
▲ Show 20 LinesShow All 106 Lines▼ Show 20 Lines
static Allocator Instance(LINKER_INITIALIZED); static Allocator Instance(LINKER_INITIALIZED);
static BackendT &getBackend() { static BackendT &getBackend() {
return Instance.Backend; return Instance.Backend;
} }
void initScudo() { void initScudo() {
Instance.init(); Instance.init();
#ifdef GWP_ASAN_HOOKS
gwp_asan::options::initOptions();
GuardedAlloc.init(*gwp_asan::options::getOptions());
#endif // GWP_ASAN_HOOKS
} }
void ScudoTSD::init() { void ScudoTSD::init() {
getBackend().initCache(&Cache); getBackend().initCache(&Cache);
memset(QuarantineCachePlaceHolder, 0, sizeof(QuarantineCachePlaceHolder)); memset(QuarantineCachePlaceHolder, 0, sizeof(QuarantineCachePlaceHolder));
} }
void ScudoTSD::commitBack() { void ScudoTSD::commitBack() {
▲ Show 20 LinesShow All 133 LinesShow Last 20 Lines

compiler-rt/test/gwp_asan/CMakeLists.txt

  • This file was added.
set(GWP_ASAN_LIT_SOURCE_DIR ${CMAKE_CURRENT_SOURCE_DIR})
set(GWP_ASAN_LIT_BINARY_DIR ${CMAKE_CURRENT_BINARY_DIR})
set(GWP_ASAN_TESTSUITES)
set(GWP_ASAN_TEST_DEPS ${SANITIZER_COMMON_LIT_TEST_DEPS} gwp_asan scudo)
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/lit.site.cfg.in
${CMAKE_CURRENT_BINARY_DIR}/lit.site.cfg
)
set(GWP_ASAN_TEST_ARCH ${GWP_ASAN_SUPPORTED_ARCH})
foreach(arch ${GWP_ASAN_TEST_ARCH})
set(GWP_ASAN_TEST_TARGET_ARCH ${arch})
string(TOLOWER "-${arch}" GWP_ASAN_TEST_CONFIG_SUFFIX)
get_test_cc_for_arch(${arch} GWP_ASAN_TEST_TARGET_CC GWP_ASAN_TEST_TARGET_CFLAGS)
string(TOUPPER ${arch} ARCH_UPPER_CASE)
set(CONFIG_NAME ${ARCH_UPPER_CASE}${OS_NAME}Config)
configure_lit_site_cfg(
${CMAKE_CURRENT_SOURCE_DIR}/lit.site.cfg.in
${CMAKE_CURRENT_BINARY_DIR}/${CONFIG_NAME}/lit.site.cfg)
list(APPEND GWP_ASAN_TESTSUITES ${CMAKE_CURRENT_BINARY_DIR}/${CONFIG_NAME})
endforeach()
add_lit_testsuite(check-gwp_asan "Running the GWP-ASan tests"
${GWP_ASAN_TESTSUITES}
DEPENDS ${GWP_ASAN_TEST_DEPS})
set_target_properties(check-gwp_asan PROPERTIES FOLDER "Compiler-RT Misc")

compiler-rt/test/gwp_asan/alignment_power_of_two.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=1 %run %t
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <utility>
#include <vector>
// Note, statically defined in order to avoid calling malloc() to store this
// data. Consider this a map where element n => element n+1, and we are testing
// that an allocation of size [n] rounds up to the nearest [n+1]-byte boundary.
int AllocSizeToAlignment[] = {
1, 1,
2, 2,
3, 4,
4, 4,
5, 8,
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Do we need to ensure this allocation is right-aligned? Or do both left-/right-?

vlad.tsyrklevich: Do we need to ensure this allocation is right-aligned? Or do both left-/right-?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Updated w/ comment in the test. We have no direct influence on left/right alignment any more, so we just run it multiple times.

hctim: Updated w/ comment in the test. We have no direct influence on left/right alignment any more…
7, 8,
8, 8,
9, 16,
15, 16,
16, 16,
17, 16,
31, 16,
32, 16,
33, 16,
4095, 4096,
4096, 4096
};
int main() {
for (unsigned i = 0; i < sizeof(AllocSizeToAlignment) / sizeof(int); i += 2) {
// Each allocation has a 50/50 chance of being left/right aligned. As we
// want to test both instances, and have no way of directly controlling
// left/right alignment, we test each allocation multiple times. We have a
// 0.195% chance of all allocations being left or right aligned when we do
// 10 tests.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Lets make this 2**-40 so it can never flake.

vlad.tsyrklevich: Lets make this 2**-40 so it can never flake.
for (unsigned j = 0; j < 10; ++j) {
char *Ptr = reinterpret_cast<char *>(malloc(AllocSizeToAlignment[i]));
if (reinterpret_cast<uintptr_t>(Ptr) % AllocSizeToAlignment[i + 1] != 0) {
fprintf(stderr,
"Guarded pointer %p with size %i is not %i-byte aligned.\n",
Ptr, AllocSizeToAlignment[i], AllocSizeToAlignment[i + 1]);
exit(EXIT_FAILURE);
}
// Normally causes buffer overflow, but alignment should prevent this.
volatile char x = *(Ptr + AllocSizeToAlignment[i + 1] - 1);
free(Ptr);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Seems redundant to the check above (if you assume that page size is always a power of two.)

vlad.tsyrklevich: Seems redundant to the check above (if you assume that page size is always a power of two.)
}
}
return 0;
}

compiler-rt/test/gwp_asan/allocator_fallback.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=1 %run %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=2 %run %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=11 %run %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=12 %run %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=13 %run %t
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

We test both sides of the "cliff" here but the cliff is actually at 12 because max alloc size is 1<<12

vlad.tsyrklevich: We test both sides of the "cliff" here but the cliff is actually at 12 because max alloc size…
#include <cstdlib>
int main() {
void* Pointers[16];
for (unsigned i = 0; i < 16; ++i) {
char *Ptr = reinterpret_cast<char*>(malloc(1 << i));
Pointers[i] = Ptr;
*Ptr = 0;
Ptr[(1 << i) - 1] = 0;
}
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

j < (1 << i) ? Can probably just write Ptr[0] and Ptr[(1<<i )- 1]

vlad.tsyrklevich: j < (1 << i) ? Can probably just write Ptr[0] and Ptr[(1<<i )- 1]
for (unsigned i = 0; i < 16; ++i) {
free(Pointers[i]);
}
return 0;
}

compiler-rt/test/gwp_asan/double_delete.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
char *Ptr = new char;
delete Ptr;
delete Ptr;
return 0;
}

compiler-rt/test/gwp_asan/double_deletea.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
char *Ptr = new char[50];
delete[] Ptr;
delete[] Ptr;
return 0;
}

compiler-rt/test/gwp_asan/double_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Double free occurred when trying to free memory at:
#include <cstdlib>
int main() {
char *Ptr = reinterpret_cast<char*>(malloc(10));
free(Ptr);
free(Ptr);
return 0;
}

compiler-rt/test/gwp_asan/heap_buffer_overflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Buffer overflow occurred when accessing memory at:
// CHECK: is located {{[0-9]+}} bytes to the right
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr = reinterpret_cast<char *>(malloc(pageSize()));
volatile char x = *(Ptr + pageSize());
return 0;
}

compiler-rt/test/gwp_asan/heap_buffer_underflow.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Buffer underflow occurred when accessing memory at:
// CHECK: is located 1 bytes to the left
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr = reinterpret_cast<char*>(malloc(pageSize()));
volatile char x = *(Ptr - 1);
return 0;
}

compiler-rt/test/gwp_asan/invalid_free_left.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Invalid (wild) free occurred when trying to free memory at:
// CHECK: is located 1 bytes to the left of
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr = reinterpret_cast<char*>(malloc(pageSize()));
free(Ptr - 1);
return 0;
}

compiler-rt/test/gwp_asan/invalid_free_right.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Invalid (wild) free occurred when trying to free memory at:
// CHECK: is located {{[0-9]+}} bytes to the right
#include <cstdlib>
#include "page_size.h"
int main() {
char *Ptr = reinterpret_cast<char*>(malloc(pageSize()));
free(Ptr + pageSize());
return 0;
}

compiler-rt/test/gwp_asan/lit.cfg

  • This file was added.
# -*- Python -*-
import os
# Setup config name.
config.name = 'GWP-ASan' + config.name_suffix
# Setup source root.
config.test_source_root = os.path.dirname(__file__)
# Test suffixes.
config.suffixes = ['.c', '.cc', '.cpp', '.test']
# C & CXX flags.
c_flags = ([config.target_cflags])
# Android doesn't want -lrt.
#if not config.android:
# c_flags += ["-lrt"]
cxx_flags = (c_flags + config.cxx_mode_flags + ["-std=c++11"])
gwp_asan_flags = ["-fsanitize=scudo"]
def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " "
# Add substitutions.
config.substitutions.append(("%clang ", build_invocation(c_flags)))
config.substitutions.append(("%clang_gwp_asan ", build_invocation(c_flags + gwp_asan_flags)))
config.substitutions.append(("%clangxx_gwp_asan ", build_invocation(cxx_flags + gwp_asan_flags)))
# Platform-specific default GWP_ASAN for lit tests. Ensure that GWP-ASan is
# enabled and that it samples every allocation.
default_gwp_asan_options = 'Enabled=1:SampleRate=1'
config.environment['GWP_ASAN_OPTIONS'] = default_gwp_asan_options
default_gwp_asan_options += ':'
config.substitutions.append(('%env_gwp_asan_options=',
'env GWP_ASAN_OPTIONS=' + default_gwp_asan_options))
# GWP-ASan tests are currently supported on Linux only.
if config.host_os not in ['Linux']:
config.unsupported = True

compiler-rt/test/gwp_asan/lit.site.cfg.in

  • This file was added.
@LIT_SITE_CFG_IN_HEADER@
config.name_suffix = "@GWP_ASAN_TEST_CONFIG_SUFFIX@"
config.target_arch = "@GWP_ASAN_TEST_TARGET_ARCH@"
config.target_cflags = "@GWP_ASAN_TEST_TARGET_CFLAGS@"
# Load common config for all compiler-rt lit tests.
lit_config.load_config(config, "@COMPILER_RT_BINARY_DIR@/test/lit.common.configured")
# Load tool-specific config that would do the real work.
lit_config.load_config(config, "@GWP_ASAN_LIT_SOURCE_DIR@/lit.cfg")

compiler-rt/test/gwp_asan/num_usable_slots.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=1 %run %t 1 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=2 %run %t 2 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=3 %run %t 3 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=8 %run %t 8 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=16 %run %t 16 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=32 %run %t 32 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=64 %run %t 64 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=128 %run %t 128 2>&1
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=129 %run %t 129 2>&1
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Add a negative test or two (e.g. do we actually fail when invoked with 8 slots but we iterate 9 times? Do we fail when we have 8 slots but iterate 7 times?)

vlad.tsyrklevich: Add a negative test or two (e.g. do we actually fail when invoked with 8 slots but we iterate 9…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

We test +1 case but not the -1 case.

vlad.tsyrklevich: We test +1 case but not the -1 case.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I'm confused why we would need to test the -1 case (assuming that -1 means NumIterations == MaxSimultaneousAllocations - 1), given that NumIterations == MSA provide this coverage. Is my assumption correct?

hctim: I'm confused why we would need to test the -1 case (assuming that -1 means `NumIterations ==…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

This looks fine as is.

vlad.tsyrklevich: This looks fine as is.
// This test massages the GPA to reveal internal data that we test for. In
// particular, this test ensures that our allocations use all of the available
// slots. It relies on the fact that the 1st allocation -> ${NumGuardedSlots}th
// allocation are sequential, before PRNG selection of the guarded slots takes
// place.
// TODO(hctim): Update this test when the slot size is different to a single
// page.
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include "page_size.h"
char *SampledAllocs[129] = {};
int main(int argc, char** argv) {
int NumSlots = atoi(argv[1]);
uintptr_t PageSize = pageSize();
SampledAllocs[0] = reinterpret_cast<char*>(malloc(1));
char *FirstGuardedSlot = reinterpret_cast<char *>(
reinterpret_cast<uintptr_t>(SampledAllocs[0]) & ~(PageSize - 1));
for (unsigned i = 1; i < NumSlots; ++i) {
char *Ptr = reinterpret_cast<char*>(malloc(PageSize));
char *Slot = reinterpret_cast<char *>(reinterpret_cast<uintptr_t>(Ptr) &
~(PageSize - 1));
if (Slot != FirstGuardedSlot + (i * 2 * PageSize)) {
fprintf(
stderr,
"Allocation number %i (%p) was either not in the guarded pool, or it "
"is reusing a slot before all slots have been used once.\n",
i, Ptr);
exit(EXIT_FAILURE);
}
SampledAllocs[i] = Ptr;
}
// Now, we have exhausted the pool. Check to see that the next allocation goes
// to the system allocator.
char *Ptr = reinterpret_cast<char*>(malloc(PageSize));
// The system allocator doesn't have use-after-free READ detection. If this
// was a sampled allocation, this would be caught.
free(Ptr);
volatile char x = *Ptr;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I'm not sure what a better test is but this isn't always true (e.g. the allocator could actually take back that page if all the allocations on it are gone.) These tests could test stronger assertions and be simpler if there was a __gwp_asan_pointer_is_mine() or something like that.

vlad.tsyrklevich: I'm not sure what a better test is but this isn't always true (e.g. the allocator could…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Changed it to use the same mechanism from above to detect if it's in the pool.

I think the current assumption is strong enough, but may be broken if atoi() or alloca() changes to call malloc (unlikely), or if a shared library calls malloc() during dynamic loading. WDYT?

Edit: On further thought, this also will spuriously pass if the implementing allocator uses the page immediately after the allocation pool to back the allocation. I've added interface definitions and started a cleanup so that we can exercise the allocator internals directly.

hctim: Changed it to use the same mechanism from above to detect if it's in the pool. I think the…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

If we want to be safe, because I can definitely see runtimes hitting malloc() before main()in normal code paths, we could make SampleRate high and use the GPA allocate directly for this test.

vlad.tsyrklevich: If we want to be safe, because I can definitely see runtimes hitting malloc() before main()in…
// Clean up allocations.
for (unsigned i = 0; SampledAllocs[i] != nullptr; ++i) {
free(SampledAllocs[i]);
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

There's UB in the 129 case (SampleAllocs OOB access), replace with i<NumSlots and maybe just make SampledAllocs a stack-allocated VLA?

vlad.tsyrklevich: There's UB in the 129 case (SampleAllocs OOB access), replace with i<NumSlots and maybe just…
}
return 0;
}

compiler-rt/test/gwp_asan/page_size.h

  • This file was added.
#ifndef PAGE_SIZE_
#define PAGE_SIZE_
#if defined (__unix__) || (defined (__APPLE__) && defined (__MACH__))
# include <unistd.h>
unsigned pageSize() {
return sysconf(_SC_PAGESIZE);
}
#endif
#if defined (_WIN32)
# define WIN32_LEAN_AND_MEAN
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Delete, currently unused.

vlad.tsyrklevich: Delete, currently unused.
# include <windows.h>
unsigned pageSize() {
SYSTEM_INFO system_info;
GetSystemInfo(&system_info);
return system_info.dwPageSize;
}
#endif
#endif // PAGE_SIZE_

compiler-rt/test/gwp_asan/pattern_calloc_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %run %t
#include <cstdlib>
int main() {
for (unsigned i = 1; i < 0x100000; i <<= 1) {
char *Ptr = reinterpret_cast<char *>(calloc(i, sizeof(char)));
for (unsigned j = 0; j < i; ++j) {
*(Ptr + j) = 0x0;
}
free(Ptr);
}
return 0;
}

compiler-rt/test/gwp_asan/pattern_malloc_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

I would collapse the pattern_* tests into two tests:

  1. Test that malloc, calloc, realloc, new, new[] all satisfy pointerismine
  2. And then this test.

Less code and should have equal coverage.

vlad.tsyrklevich: I would collapse the pattern_* tests into two tests: 1) Test that malloc, calloc, realloc, new…
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %run %t
#include <cstdlib>
int main() {
for (unsigned i = 1; i < 0x100000; i <<= 1) {
char *Ptr = reinterpret_cast<char *>(malloc(i));
for (unsigned j = 0; j < i; ++j) {
*(Ptr + j) = 0x0;
}
free(Ptr);
}
return 0;
}

compiler-rt/test/gwp_asan/pattern_new_delete.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %run %t
int main() {
char *Ptr = new char;
*Ptr = 0x0;
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

These values are not used anywhere.

vlad.tsyrklevich: These values are not used anywhere.
delete Ptr;
return 0;
}

compiler-rt/test/gwp_asan/pattern_newa_deletea.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %run %t
int main() {
for (unsigned i = 1; i < 0x100000; i <<= 1) {
char *Ptr = new char[i];
for (unsigned j = 0; j < i; ++j) {
*(Ptr + j) = 0x0;
}
delete[] Ptr;
}
return 0;
}

compiler-rt/test/gwp_asan/pattern_realloc_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %run %t
#include <cstdlib>
int main() {
char *Ptr = reinterpret_cast<char *>(realloc(nullptr, 1));
for (unsigned i = 1; i < 0x100000; i <<= 1) {
Ptr = reinterpret_cast<char *>(realloc(Ptr, i));
for (unsigned j = 0; j < i; ++j) {
*(Ptr + j) = 0x0;
}
}
return 0;
}

compiler-rt/test/gwp_asan/reuse_quarantine.cpp

  • This file was added.
// REQUIRES: gwp_asan
// This test ensures that normal allocation/memory access/deallocation works
// as expected.
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=1 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=2 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=8 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=16 not %run %t 2>&1 | FileCheck %s
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Maybe delete the 1/2 cases (will fail on runtimes that call malloc before main() and just call it with some other higher value that should always work like 32.

vlad.tsyrklevich: Maybe delete the 1/2 cases (will fail on runtimes that call malloc before main() and just call…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I've instead rewrote it so that it exercises the allocator directly with no sampling, so that we avoid this issue. LGTY?

hctim: I've instead rewrote it so that it exercises the allocator directly with no sampling, so that…
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Looks good.

vlad.tsyrklevich: Looks good.
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=32 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=64 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=128 not %run %t 2>&1 | FileCheck %s
// RUN: %env_gwp_asan_options=NumUsableGuardedSlots=129 not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Buffer overflow occurred when accessing memory at:
// CHECK: is located {{[0-9]+}} bytes to the right of a
#include <cstdlib>
#include "page_size.h"
int main() {
unsigned PageSize = pageSize();
for (unsigned i = 0; i < 128; ++i) {
char *Ptr = reinterpret_cast<char*>(malloc(PageSize));
*Ptr = 0x0;
free(Ptr);
}
char *Ptr = reinterpret_cast<char*>(malloc(PageSize));
volatile char x = *(Ptr + PageSize);
return 0;
}

compiler-rt/test/gwp_asan/use_after_delete.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = new char;
*Ptr = 0x0;
delete Ptr;
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/gwp_asan/use_after_deletea.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = new char[10];
for (unsigned i = 0; i < 10; ++i) {
*(Ptr + i) = 0x0;
}
delete[] Ptr;
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/gwp_asan/use_after_free.cpp

  • This file was added.
// REQUIRES: gwp_asan
// RUN: %clangxx_gwp_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
// CHECK: GWP-ASan detected a memory error
// CHECK: Use after free occurred when accessing memory at:
#include <cstdlib>
int main() {
char *Ptr = reinterpret_cast<char*>(malloc(10));
for (unsigned i = 0; i < 10; ++i) {
*(Ptr + i) = 0x0;
}
free(Ptr);
volatile char x = *Ptr;
return 0;
}

compiler-rt/test/lit.common.cfg

Show First 20 LinesShow All 233 Lines▼ Show 20 Linesif config.has_lld:
config.available_features.add('lld-available') config.available_features.add('lld-available')
if config.use_lld: if config.use_lld:
config.available_features.add('lld') config.available_features.add('lld')
if config.can_symbolize: if config.can_symbolize:
config.available_features.add('can-symbolize') config.available_features.add('can-symbolize')
if config.gwp_asan_scudo_hooks:
config.available_features.add('gwp_asan')
lit.util.usePlatformSdkOnDarwin(config, lit_config) lit.util.usePlatformSdkOnDarwin(config, lit_config)
if config.host_os == 'Darwin': if config.host_os == 'Darwin':
osx_version = (10, 0, 0) osx_version = (10, 0, 0)
try: try:
osx_version = subprocess.check_output(["sw_vers", "-productVersion"]) osx_version = subprocess.check_output(["sw_vers", "-productVersion"])
osx_version = tuple(int(x) for x in osx_version.split('.')) osx_version = tuple(int(x) for x in osx_version.split('.'))
if len(osx_version) == 2: osx_version = (osx_version[0], osx_version[1], 0) if len(osx_version) == 2: osx_version = (osx_version[0], osx_version[1], 0)
▲ Show 20 LinesShow All 245 LinesShow Last 20 Lines

compiler-rt/test/lit.common.configured.in

Show All 35 Lines
set_default("use_thinlto", False) set_default("use_thinlto", False)
set_default("use_lto", config.use_thinlto) set_default("use_lto", config.use_thinlto)
set_default("use_newpm", False) set_default("use_newpm", False)
set_default("android", @ANDROID_PYBOOL@) set_default("android", @ANDROID_PYBOOL@)
set_default("android_ndk_version", @ANDROID_NDK_VERSION@) set_default("android_ndk_version", @ANDROID_NDK_VERSION@)
set_default("android_serial", "@ANDROID_SERIAL_FOR_TESTING@") set_default("android_serial", "@ANDROID_SERIAL_FOR_TESTING@")
set_default("android_files_to_push", []) set_default("android_files_to_push", [])
set_default("have_rpc_xdr_h", @HAVE_RPC_XDR_H@) set_default("have_rpc_xdr_h", @HAVE_RPC_XDR_H@)
set_default("gwp_asan_scudo_hooks", @GWP_ASAN_SCUDO_HOOKS_PYBOOL@)
config.available_features.add('target-is-%s' % config.target_arch) config.available_features.add('target-is-%s' % config.target_arch)
if config.enable_per_target_runtime_dir: if config.enable_per_target_runtime_dir:
set_default("target_suffix", "") set_default("target_suffix", "")
else: else:
set_default("target_suffix", "-%s" % config.target_arch) set_default("target_suffix", "-%s" % config.target_arch)
set_default("have_zlib", "@HAVE_LIBZ@") set_default("have_zlib", "@HAVE_LIBZ@")
Show All 16 Lines

compiler-rt/test/scudo/lit.cfg

Show First 20 LinesShow All 43 Lines▼ Show 20 Lines
config.substitutions.append(("%shared_minlibscudo", shared_minlibscudo)) config.substitutions.append(("%shared_minlibscudo", shared_minlibscudo))
# Platform-specific default SCUDO_OPTIONS for lit tests. # Platform-specific default SCUDO_OPTIONS for lit tests.
default_scudo_opts = '' default_scudo_opts = ''
if config.android: if config.android:
# Android defaults to abort_on_error=1, which doesn't work for us. # Android defaults to abort_on_error=1, which doesn't work for us.
default_scudo_opts = 'abort_on_error=0' default_scudo_opts = 'abort_on_error=0'
# Disable GWP-ASan for scudo internal tests.
gwp_asan_options = 'Enabled=0'
config.environment['GWP_ASAN_OPTIONS'] = gwp_asan_options
config.substitutions.append(('%env_gwp_asan_options=',
'env GWP_ASAN_OPTIONS=' + gwp_asan_options))
if default_scudo_opts: if default_scudo_opts:
config.environment['SCUDO_OPTIONS'] = default_scudo_opts config.environment['SCUDO_OPTIONS'] = default_scudo_opts
default_scudo_opts += ':' default_scudo_opts += ':'
config.substitutions.append(('%env_scudo_opts=', config.substitutions.append(('%env_scudo_opts=',
'env SCUDO_OPTIONS=' + default_scudo_opts)) 'env SCUDO_OPTIONS=' + default_scudo_opts))
# Hardened Allocator tests are currently supported on Linux only. # Hardened Allocator tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True

llvm/docs/GwpAsan.rst

  • This file was added.
========
GWP-ASan
========
.. contents::
:local:
:depth: 2
Introduction
============
GWP-ASan is a sampled allocator framework that assists in finding use-after-free
and heap-buffer-overflow bugs in production environments. It informally is a
recursive acronym, "**G**\WP-ASan **W**\ill **P**\rovide **A**\llocation
**SAN**\ity".
GWP-ASan is based on the classic
`Electric Fence Malloc Debugger <https://linux.die.net/man/3/efence>`_, with a
key adaptation. Notably, we only choose a very small percentage of allocations
to sample, and apply guard pages to these sampled allocations only. The sampling
is small enough to allow us to have very low performance overhead.
There is a small, tunable memory overhead that is fixed for the lifetime of the
process. This is approximately ~60KiB per process using the default settings,
depending on the average size of your allocations. Future improvements should
drastically reduce this amount.
GWP-ASan vs. ASan
=================
Unlike `AddressSanitizer <https://clang.llvm.org/docs/AddressSanitizer.html>`_,
GWP-ASan does not induce a significant performance overhead. ASan often requires
the use of dedicated canaries to be viable in production environments, and as
such is often impractical.
GWP-ASan is only capable of finding a subset of the memory issues detected by
ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic.
As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere
else that guaranteed error detection is more valuable than the 2x execution
slowdown/binary size bloat. For the majority of production environments, this
impact is too high, and GWP-ASan proves extremely useful.
Design
======
**Please note:** The implementation of GWP-ASan is largely in-flux, and these
details are subject to change. There are currently other implementations of
GWP-ASan, such as the implementation featured in
`Chromium <https://cs.chromium.org/chromium/src/components/gwp_asan/>`_. The
long-term support goal is to ensure feature-parity where reasonble, and to
support compiler-rt as the reference implementation.
Allocator Support
-----------------
GWP-ASan is not a replacement for a traditional allocator. Instead, it works by
inserting stubs into an existing allocator to redirect allocations when they're
chosen to be sampled. These stubs are generally implemented in the implementaion
of ``malloc()``, ``free()`` and ``realloc()``. The stubs are extremely small,
which makes using GWP-ASan in most allocators fairly trivial. The stubs follow
the same general pattern (example ``malloc()`` pseudocode below):
.. code:: cpp
#ifdef INSTALL_GWP_ASAN_STUBS
gwp_asan::GuardedPoolAllocator GWPASanAllocator;
#endif
void* YourAllocator::malloc(..) {
#ifdef INSTALL_GWP_ASAN_STUBS
if (GWPASanAllocator.shouldSample(..))
return GWPASanAllocator.allocate(..);
#endif
// ... the rest of your allocator code here.
}
Then, all the supported allocator needs to do is compile with
``-DINSTALL_GWP_ASAN_STUBS`` and link against the GWP-ASan library!
Guarded Allocation Pool
-----------------------
The core of GWP-ASan is the guarded allocation pool. Each individual sampled
allocation is backed using its own *guarded* slot, which may consist of one or
more accessible pages. Each guarded slot is surrounded by two *guard* pages,
which are mapped as inaccessible. We create a contiguous buffer of this
``guard_page | guarded_slot | guard_page`` pattern, which we call the *guarded
allocation pool*.
Buffer Underflow/Overflow Detection
-----------------------------------
We gain buffer-overflow and buffer-underflow through these guard pages. When a
memory access overruns the allocated buffer, it will touch the inaccessible
guard page, causing memory exception. This exception is caught and handled by
the internal crash handler. Because each allocation is recorded with metadata
about where (and by what thread) it was allocated and deallocated, we can
provide helpful information that will help identify the root cause of the bug.
In order to increase our detection of overflows, we randomly align half of the
allocations to the right hand side of the guarded slot.
Use after Free Detection
------------------------
The guarded allocation pool also provide use-after-free detection. Whenever a
sampled allocation is deallocated, we map the guard page as inaccessible. Any
memory accesses after deallocation will thus trigger the crash handler, and we
can provide useful information about the source of the error.
Please note that the use-after-free detection for a sampled allocation is
transient. We reuse inaccessible slots on-demand as we have a fixed number of
them, and wish to avoid starving the allocation pool to solely catch
use-after-frees. We choose the inaccessible slot to reuse at random to provide a
chance of detecting long-lived use-after-frees.
Usage
=====
Currently, the only allocator that supports GWP-ASan is the
`Scudo Hardened Allocator <https://llvm.org/docs/ScudoHardenedAllocator.html>`_.
Building compiler-rt will install GWP-ASan into your local version of Scudo, and
any binary built with Scudo will also have GWP-ASan enabled by default.
Instructions on using Scudo for your applications can be found on the Scudo wiki
page.
Options
-------
GWP-ASan is configured on a per-allocator basis. We provide a default
implementation of configuration that is used by Scudo. Several aspects of
GWP-ASan can be configured on a per process basis through the following ways:
- at compile time, by defining ``GWP_ASAN_DEFAULT_OPTIONS`` to the options
string you want set by default;
- by defining a ``__gwp_asan_default_options`` function in one's program that
returns the options string to be parsed. Said function must have the following
prototype: ``extern "C" const char* __gwp_asan_default_options(void)``, with a
default visibility. This will override the compile time define;
- through the environment variable ``GWP_ASAN_OPTIONS``, containing the options string
to be parsed. Options defined this way will override any definition made
through ``__gwp_asan_default_options``.
The options string follows a syntax similar to ASan, where distinct options
can be assigned in the same string, separated by colons.
For example, using the environment variable:
.. code:: console
GWP_ASAN_OPTIONS="NumUsableGuardedPages=16:SampleRate=5000" ./a.out
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Replace NumUsableGuardedPages

vlad.tsyrklevich: Replace NumUsableGuardedPages
Or using the function:
.. code:: cpp
extern "C" const char *__gwp_asan_default_options() {
return "NumUsableGuardedPages=16:SampleRate=5000";
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

Ditto

vlad.tsyrklevich: Ditto
}
The following options are available:
+------------------------+--------------------+---------------------------------------------------------------------------------+
| Option | Default | Description |
+------------------------+--------------------+---------------------------------------------------------------------------------+
| Enabled | true | Is GWP-ASan enabled? |
+------------------------+--------------------+---------------------------------------------------------------------------------+
| PerfectlyRightAlign | false | When allocations are right-aligned, should we perfectly align them up to the |
| | | page boundary? By default (false), we round up allocation size to the nearest |
| | | power of two (2, 4, 8, 16) up to a maximum of 16-byte alignment for |
| | | performance reasons. Setting this to true can find single byte |
| | | buffer-overflows at the cost of performance, and may be incompatible with |
| | | some architectures. |
+------------------------+--------------------+---------------------------------------------------------------------------------+
| NumUsableGuardedSlots | 16 | Number of usable guarded slots in the allocation pool. |
+------------------------+--------------------+---------------------------------------------------------------------------------+
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

s/NumUsableGuardedSlots/MaxSimultaneousAllocations/ ? It would also make the description a little clearer to explain it that way.

vlad.tsyrklevich: s/NumUsableGuardedSlots/MaxSimultaneousAllocations/ ? It would also make the description a…
| SampleRate | 5000 | The probability (1 / SampleRate) that a page is selected for GWP-ASan |
| | | sampling. Sample rates up to 2^63 are supported. | |
+------------------------+--------------------+---------------------------------------------------------------------------------+
| InstallSignalHandlers | true | Install GWP-ASan signal handlers for SIGSEGV. This allows better error reports |
| | | by providing stack traces for allocation/deallocation when reporting a |
| | | use-after-free. |
+------------------------+--------------------+---------------------------------------------------------------------------------+