This is an archive of the discontinued LLVM Phabricator instance.

Differential D60981

[TSan] Improve handling of stack pointer mangling in {set,long}jmp, pt.1
ClosedPublic

Authored by yln on Apr 22 2019, 2:46 PM.

Details

Reviewers
dvyukov
Commits
rCRT364662: [TSan] Improve handling of stack pointer mangling in {set,long}jmp, pt.1
rG5be69ebe121d: [TSan] Improve handling of stack pointer mangling in {set,long}jmp, pt.1
rL364662: [TSan] Improve handling of stack pointer mangling in {set,long}jmp, pt.1
Summary

TSan needs to infer which calls to setjmp/longjmp are corresponding
pairs. My understanding is, that we can't simply use the jmp_buf
address, since this buffer is just a plain data structure storing the
environment (registers) with no additional semantics, i.e., it can be
copied around and is still expected to work. So we use the stack pointer
(SP) instead.

The setjmp interceptor stores some metadata, which is then consumed in
the corresponding call to longjmp. We use the SP as an "index" (stable
identifier) into the metadata table. So far so good.

However, when mangling is used, the setjmp interceptor observes the
UNmangled SP, but the longjmp interceptor only knows the mangled value
for SP. To still correlate corresponding pairs of calls, TSan currently
derives the mangled representation in setjmp and uses it as the stable
identifer, so that longjmp can do it's lookup.

Currently, this works since "mangling" simply means XOR with a secret
value. However, in the future we want to use operations that do not
allow us to easily go from unmangled -> mangled (pointer
authentication). Going from mangled -> unmangled should still be
possible (for pointer authentication it means zeroing a few bits).

This patch is part 1 of changing set/longjmp interceptors to use the
unmangled SP for metadata lookup. Instead of deriving the mangled SP in
setjmp, we will derive the unmangled SP in longjmp. Since this change
involves difficult-to-test code, it will be done in (at least) 2 parts:
This patch only replicates the existing behavior and checks that the
newly computed value for SP matches with what we have been doing so far.
This should help me to fix issues on architectures I cannot test
directly. I tested this patch on x86-64 (Linux/Darwin) and arm64
(Darwin).

This patch will also address an orthogonal issue: there is a lot of code
duplication in the assembly files, because the
void __tsan_setjmp(uptr sp, uptr mangled_sp) already demands the
mangled SP. This means that the code for computing the mangled SP is
duplicated at every call site (in assembly).

Diff Detail

Repository
rL LLVM

Event Timeline

yln created this revision.Apr 22 2019, 2:46 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptApr 22 2019, 2:46 PM
Herald added subscribers: llvm-commits, Restricted Project, kristof.beyls and 3 others. · View Herald Transcript
Harbormaster completed remote builds in B30850: Diff 196136.Apr 22 2019, 2:47 PM
dvyukov accepted this revision.Apr 23 2019, 5:11 AM
dvyukov added a subscriber: dvyukov.

JmpBufGarbageCollect uses <= on sp values to detect bufs that are no longer active. But as far as I understand we still will able to do this, right?

It can make sense to combine the first part of LongJmp that extracts sp from context with UnmangleLongJmpSp in future changes, because they have effectively the same set of checks on OS/arch. E.g. GetSPFromContext that will both extract and demangle it.

This revision is now accepted and ready to land.Apr 23 2019, 5:11 AM
yln added a comment.Jun 28 2019, 10:24 AM

@dvyukov: I finally have a chance to continue working on this. I hope you are still onboard?
I plan to land this and let the bots (all the different architectures) churn on it over the weekend.

My next patch will be switching over the lookup to use the SP instead of the mangled SP, followed by some cleanup that is enabled by this.
I will make sure to put you as a reviewer for all of those.

In D60981#1475319, @dvyukov wrote:

JmpBufGarbageCollect uses <= on sp values to detect bufs that are no longer active. But as far as I understand we still will able to do this, right?

Yes.

It can make sense to combine the first part of LongJmp that extracts sp from context with UnmangleLongJmpSp in future changes, because they have effectively the same set of checks on OS/arch. E.g. GetSPFromContext that will both extract and demangle it.

I will do a round of cleanups and that sounds like a good candidate!

Closed by commit rL364662: [TSan] Improve handling of stack pointer mangling in {set,long}jmp, pt.1 (authored by yln). · Explain WhyJun 28 2019, 10:27 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptJun 28 2019, 10:27 AM
dvyukov added a comment.Jul 1 2019, 2:18 AM

@dvyukov: I finally have a chance to continue working on this. I hope you are still onboard?

To the degree I will find time to review changes...

It seems I already approved this, so as long as there are no significant changes I guess that approval still holds.

Revision Contents

PathSize
compiler-rt/
trunk/
lib/
tsan/
rtl/
3 lines
1 line
33 lines
4 lines

Diff 207093

compiler-rt/trunk/lib/tsan/rtl/tsan_interceptors.cc

Show First 20 LinesShow All 522 Lines▼ Show 20 Lines
# ifdef __aarch64__ # ifdef __aarch64__
uptr mangled_sp = env[13]; uptr mangled_sp = env[13];
# elif defined(__mips64) # elif defined(__mips64)
uptr mangled_sp = env[1]; uptr mangled_sp = env[1];
# else # else
uptr mangled_sp = env[6]; uptr mangled_sp = env[6];
# endif # endif
#endif #endif
uptr sp = UnmangleLongJmpSp(mangled_sp);
// Find the saved buf by mangled_sp. // Find the saved buf by mangled_sp.
for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) { for (uptr i = 0; i < thr->jmp_bufs.Size(); i++) {
JmpBuf *buf = &thr->jmp_bufs[i]; JmpBuf *buf = &thr->jmp_bufs[i];
if (buf->mangled_sp == mangled_sp) { if (buf->mangled_sp == mangled_sp) {
CHECK_EQ(buf->sp, sp);
// TODO(yln): Lookup via sp, remove mangled_sp from struct.
CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos); CHECK_GE(thr->shadow_stack_pos, buf->shadow_stack_pos);
// Unwind the stack. // Unwind the stack.
while (thr->shadow_stack_pos > buf->shadow_stack_pos) while (thr->shadow_stack_pos > buf->shadow_stack_pos)
FuncExit(thr); FuncExit(thr);
ThreadSignalContext *sctx = SigCtx(thr); ThreadSignalContext *sctx = SigCtx(thr);
if (sctx) { if (sctx) {
sctx->int_signal_send = buf->int_signal_send; sctx->int_signal_send = buf->int_signal_send;
atomic_store(&sctx->in_blocking_func, buf->in_blocking_func, atomic_store(&sctx->in_blocking_func, buf->in_blocking_func,
▲ Show 20 LinesShow All 2,335 LinesShow Last 20 Lines

compiler-rt/trunk/lib/tsan/rtl/tsan_platform.h

Show First 20 LinesShow All 1,005 Lines▼ Show 20 Lines
void InitializePlatform(); void InitializePlatform();
void InitializePlatformEarly(); void InitializePlatformEarly();
void CheckAndProtect(); void CheckAndProtect();
void InitializeShadowMemoryPlatform(); void InitializeShadowMemoryPlatform();
void FlushShadowMemory(); void FlushShadowMemory();
void WriteMemoryProfile(char *buf, uptr buf_size, uptr nthread, uptr nlive); void WriteMemoryProfile(char *buf, uptr buf_size, uptr nthread, uptr nlive);
int ExtractResolvFDs(void *state, int *fds, int nfd); int ExtractResolvFDs(void *state, int *fds, int nfd);
int ExtractRecvmsgFDs(void *msg, int *fds, int nfd); int ExtractRecvmsgFDs(void *msg, int *fds, int nfd);
uptr UnmangleLongJmpSp(uptr mangled_sp);
void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size); void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size);
int call_pthread_cancel_with_cleanup(int(*fn)(void *c, void *m, int call_pthread_cancel_with_cleanup(int(*fn)(void *c, void *m,
void *abstime), void *c, void *m, void *abstime, void *abstime), void *c, void *m, void *abstime,
void(*cleanup)(void *arg), void *arg); void(*cleanup)(void *arg), void *arg);
void DestroyThreadState(); void DestroyThreadState();
} // namespace __tsan } // namespace __tsan
#endif // TSAN_PLATFORM_H #endif // TSAN_PLATFORM_H

compiler-rt/trunk/lib/tsan/rtl/tsan_platform_linux.cc

Show First 20 LinesShow All 63 Lines▼ Show 20 Lines
#if SANITIZER_FREEBSD #if SANITIZER_FREEBSD
extern "C" void *__libc_stack_end; extern "C" void *__libc_stack_end;
void *__libc_stack_end = 0; void *__libc_stack_end = 0;
#endif #endif
#if SANITIZER_LINUX && defined(__aarch64__) #if SANITIZER_LINUX && defined(__aarch64__)
void InitializeGuardPtr() __attribute__((visibility("hidden"))); void InitializeGuardPtr() __attribute__((visibility("hidden")));
extern "C" uptr _tsan_pointer_chk_guard;
#endif #endif
namespace __tsan { namespace __tsan {
#ifdef TSAN_RUNTIME_VMA #ifdef TSAN_RUNTIME_VMA
// Runtime detected VMA size. // Runtime detected VMA size.
uptr vmaSize; uptr vmaSize;
#endif #endif
▲ Show 20 LinesShow All 249 Lines▼ Show 20 Lines for (int i = 0; i < n; i++) {
fds[res++] = ((int*)CMSG_DATA(cmsg))[i]; fds[res++] = ((int*)CMSG_DATA(cmsg))[i];
if (res == nfd) if (res == nfd)
return res; return res;
} }
} }
return res; return res;
} }
// Reverse operation of libc stack pointer mangling
uptr UnmangleLongJmpSp(uptr mangled_sp) {
#if defined(__x86_64__)
#if SANITIZER_FREEBSD || SANITIZER_NETBSD
return mangled_sp;
#else // Linux
// Reverse of:
// xor %fs:0x30, %rsi
// rol $0x11, %rsi
uptr sp;
asm("ror $0x11, %0 \n"
"xor %%fs:0x30, %0 \n"
: "=r" (sp)
: "0" (mangled_sp));
return sp;
#endif
#elif defined(__aarch64__)
return mangled_sp ^ _tsan_pointer_chk_guard;
#elif defined(__powerpc64__)
// Reverse of:
// ld r4, -28696(r13)
// xor r4, r3, r4
uptr xor_guard;
asm("ld %0, -28696(%%r13) \n" : "=r" (xor_guard));
return mangled_sp ^ xor_guard;
#elif defined(__mips__)
return mangled_sp;
#else
#error "Unknown platform"
#endif
}
void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) { void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {
// Check that the thr object is in tls; // Check that the thr object is in tls;
const uptr thr_beg = (uptr)thr; const uptr thr_beg = (uptr)thr;
const uptr thr_end = (uptr)thr + sizeof(*thr); const uptr thr_end = (uptr)thr + sizeof(*thr);
CHECK_GE(thr_beg, tls_addr); CHECK_GE(thr_beg, tls_addr);
CHECK_LE(thr_beg, tls_addr + tls_size); CHECK_LE(thr_beg, tls_addr + tls_size);
CHECK_GE(thr_end, tls_addr); CHECK_GE(thr_end, tls_addr);
CHECK_LE(thr_end, tls_addr + tls_size); CHECK_LE(thr_end, tls_addr + tls_size);
▲ Show 20 LinesShow All 81 LinesShow Last 20 Lines

compiler-rt/trunk/lib/tsan/rtl/tsan_platform_mac.cc

Show First 20 LinesShow All 253 Lines▼ Show 20 Lines
#endif #endif
if (GetMacosVersion() >= MACOS_VERSION_MOJAVE) { if (GetMacosVersion() >= MACOS_VERSION_MOJAVE) {
__tsan_darwin_setjmp_xor_key = __tsan_darwin_setjmp_xor_key =
(uptr)pthread_getspecific(kPthreadSetjmpXorKeySlot); (uptr)pthread_getspecific(kPthreadSetjmpXorKeySlot);
} }
} }
uptr UnmangleLongJmpSp(uptr mangled_sp) {
return mangled_sp ^ __tsan_darwin_setjmp_xor_key;
}
#if !SANITIZER_GO #if !SANITIZER_GO
void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) { void ImitateTlsWrite(ThreadState *thr, uptr tls_addr, uptr tls_size) {
// The pointer to the ThreadState object is stored in the shadow memory // The pointer to the ThreadState object is stored in the shadow memory
// of the tls. // of the tls.
uptr tls_end = tls_addr + tls_size; uptr tls_end = tls_addr + tls_size;
uptr thread_identity = (uptr)pthread_self(); uptr thread_identity = (uptr)pthread_self();
if (thread_identity == main_thread_identity) { if (thread_identity == main_thread_identity) {
MemoryRangeImitateWrite(thr, /*pc=*/2, tls_addr, tls_size); MemoryRangeImitateWrite(thr, /*pc=*/2, tls_addr, tls_size);
Show All 34 Lines