This is an archive of the discontinued LLVM Phabricator instance.

Differential D62875

[GWP-ASan] Add public-facing documentation [6].
ClosedPublic

Authored by hctim on Jun 4 2019, 1:19 PM.

Details

Reviewers
jfb
morehouse
vlad.tsyrklevich
Commits
rGc776f3f3c26f: [GWP-ASan] Add public-facing documentation [6].
rL369552: [GWP-ASan] Add public-facing documentation [6].
rCRT369552: [GWP-ASan] Add public-facing documentation [6].
Summary

Note: Do not submit this documentation until Scudo support is reviewed and submitted (should be #[5]).

See D60593 for further information.

This patch introduces the public-facing documentation for GWP-ASan, as well as updating the definition of one of the options, which wasn't properly merged. The document describes the design and features of GWP-ASan, as well as how to use GWP-ASan from both a user's standpoint, and development documentation for supporting allocators.

Diff Detail

Event Timeline

hctim created this revision.Jun 4 2019, 1:19 PM
Herald added a reviewer: jfb. · View Herald TranscriptJun 4 2019, 1:19 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald Transcript
Herald added subscribers: llvm-commits, Restricted Project, jfb and 2 others. · View Herald Transcript
Harbormaster completed remote builds in B32898: Diff 203007.Jun 4 2019, 1:20 PM
Herald added a subscriber: dexonsmith. · View Herald TranscriptJun 4 2019, 1:20 PM
hctim removed a reviewer: jfb.Jun 4 2019, 1:20 PM
Herald added a reviewer: jfb. · View Herald TranscriptJun 4 2019, 1:20 PM
vitalybuka edited reviewers, added: morehouse, vlad.tsyrklevich; removed: vitalybuka.Jul 9 2019, 2:07 PM
kcc added a subscriber: kcc.Jul 9 2019, 2:46 PM

Maybe add an example?
something like my favorite

#include <iostream>
#include <string>
#include <string_view>

int main() {
  std::string s = "Hellooooooooooooooo ";
  std::string_view sv = s + "World\n";
  std::cout << sv;
}


for((i=0;i<10000; i++)); do GWP_ASAN_OPTIONS=Enabled=1:SampleRate=500  ./a.out > /dev/null; done

Segmentation fault
*** GWP-ASan detected a memory error ***
Use after free at 0x7f43300df000 (0 bytes into a 41-byte allocation at 0x7f43300df000) by thread 26228 here:
#0 ./a.out(_ZN8gwp_asan20GuardedPoolAllocator19reportErrorInternalEmNS0_5ErrorE+0x25a) [0x56454249ecea]
#1 ./a.out(+0x1bede) [0x56454249dede]
#2 /lib/x86_64-linux-gnu/libpthread.so.0(+0x123a0) [0x7ffbb526f3a0]
#3 /lib/x86_64-linux-gnu/libc.so.6(+0x15c27e) [0x7ffbb49d627e]
#4 /lib/x86_64-linux-gnu/libc.so.6(_IO_default_xsputn+0xa8) [0x7ffbb48f7058]
#5 /lib/x86_64-linux-gnu/libc.so.6(_IO_file_xsputn+0x151) [0x7ffbb48f52b1]
#6 /lib/x86_64-linux-gnu/libc.so.6(fwrite+0xd8) [0x7ffbb48ea1f8]
#7 /lib/x86_64-linux-gnu/libstdc++.so.6(_ZSt16__ostream_insertIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_PKS3_l+0x124) [0x7ffbb590d3a4]
#8 ./a.out(_ZStlsIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_St17basic_string_viewIS3_S4_E+0x45) [0x5645424b3bc5]
#9 ./a.out(main+0x9f) [0x5645424b393f]

Also, please provide some guidance about symbolizing the reports.

kcc added a comment.Jul 9 2019, 2:47 PM

With a build command line, of course

clang++ -g -std=c++17 string-view-use-after-free.cc  -fsanitize=scudo
hctim updated this revision to Diff 211223.Jul 22 2019, 4:04 PM
  • Added GWP-ASan symbolization example and script.
Harbormaster completed remote builds in B35499: Diff 211223.Jul 22 2019, 4:07 PM
morehouse added inline comments.Jul 22 2019, 5:32 PM
compiler-rt/lib/gwp_asan/scripts/symbolize.sh
15

Can reduce indentation by putting a continue here and removing else below.

llvm/docs/GwpAsan.rst
89

I find this explanation confusing. Maybe we don't need to mention that it's a contiguous buffer, since that detail isn't key to the approach.

Example wording: The collection of all guarded slots make up the *guarded allocation pool*.

95

insert "detection"

100

"helpful" is redundant.

103

Increase versus what? Maybe this would be clearer if we say something like "allocations are randomly selected to be either left- or right-aligned to provide equal detection of both underflows and overflows".

108

provides

109

s/the guard page/its guarded slot

117

Above two sentences could be combined and made more succinct.

e.g,, "To keep memory overhead fixed while still detecting bugs, deallocated slots are randomly reused to guard future allocations".

122

It's a small difference, but I'd prefer a more positive (think advertising) wording here.

e.g.,

"GWP-ASan already ships by default in Scudo, so building with -fsanitize=scudo is the quickest and easiest way to try out GWP-ASan. For other allocators, using GWP-ASan is as easy as..."

134

I'm confused. Is this per-allocator or per-process?

137

Is this a CMake variable, a preprocessor macro, or something else?

197

ephemeral + temporary seems redundant

197

"inappropriately assigned" - Can we be more precise?

hctim marked 15 inline comments as done.Jul 22 2019, 6:27 PM
hctim added inline comments.
llvm/docs/GwpAsan.rst
122

I think the "for other allocators..." part is covered above in the "Allocator Support" section, but otherwise SGTM+done.

134

Hopefully the rewording adds some clarity.

hctim updated this revision to Diff 211239.Jul 22 2019, 6:27 PM
hctim marked 2 inline comments as done.
  • Updated from Matt's comments. Thanks Matt for taking a look on short notice :)
Harbormaster completed remote builds in B35504: Diff 211239.Jul 22 2019, 6:29 PM
morehouse accepted this revision.Jul 23 2019, 9:25 AM
morehouse added inline comments.
llvm/docs/GwpAsan.rst
137

This helps, but it's still not clear whether this is a cmake variable or a preprocessor variable.

Do I do this with:

cmake ... -DGWP_ASAN_DEFAULT_OPTIONS="..."

or

clang++ -fsanitize=scudo ... -DGWP_ASAN_DEFAULT_OPTIONS="..."
This revision is now accepted and ready to land.Jul 23 2019, 9:25 AM
vlad.tsyrklevich accepted this revision.Jul 23 2019, 4:53 PM
vlad.tsyrklevich added inline comments.
compiler-rt/lib/gwp_asan/scripts/symbolize.sh
4

s/looks/look/

llvm/docs/GwpAsan.rst
51

s/reasonble/reasonable/

hctim updated this revision to Diff 215512.Aug 15 2019, 5:08 PM
hctim marked 2 inline comments as done.
  • Addressed Matt's and Vlad's comments.
  • Updated memory overhead description in the docs.

Updated memory overhead description in the docs.

Assumes 8KiB for allocation/deallocation stack traces (256B compressed *
2 [alloc + dealloc] * 16 slots).
Assumes a full 4KiB of wasted memory (if we have 1-byte allocations) *
8 [half of the 16 possible slots].

Note that freed guarded allocations take no space, as the pages are
released back to the OS.

llvm/docs/GwpAsan.rst
137

Added some clarifying comments, let me know if they LGTY.

Harbormaster completed remote builds in B36870: Diff 215512.Aug 15 2019, 5:08 PM
hctim marked 2 inline comments as done.Aug 16 2019, 10:49 AM
morehouse added inline comments.Aug 19 2019, 9:06 AM
llvm/docs/GwpAsan.rst
134

Shouldn't this be -DGWP_ASAN_DEFAULT_OPTIONS?

135

What manual?

138

Do we expect/want-to-support building outside of compiler-rt? If we encourage this, we may end up with many forks of GWP-ASan.

hctim marked 4 inline comments as done.Aug 19 2019, 4:14 PM
hctim added inline comments.
llvm/docs/GwpAsan.rst
135

Was supposed to be the manual for the supporting allocator, but I've removed some words here to try and clarify.

138

I think that supporting out-of-RT builds is necessary. We've got an Android repository slice up and going that will definitely be out-of-tree builds.

My goal is basically to have the core **/*.h and **/*.cpp. If you want to use GWP-ASan, simply pull in the slice of the repository and add it to your build.

Maybe I should copybara slice this out of CRT and keep a makefile-independent (read: only cpp and header files) version so that it can be mirrored everywhere... WDYT?

hctim updated this revision to Diff 216019.Aug 19 2019, 4:14 PM
hctim marked 2 inline comments as done.
  • Update from Matt's comments.
Harbormaster completed remote builds in B36992: Diff 216019.Aug 19 2019, 4:14 PM
morehouse accepted this revision.Aug 19 2019, 4:53 PM
morehouse added inline comments.
llvm/docs/GwpAsan.rst
138

Not sure if we have a need/demand for this. I'm inclined to not do this unless we have a good reason.

hctim marked an inline comment as done.Aug 20 2019, 1:09 PM
hctim added inline comments.
llvm/docs/GwpAsan.rst
138

I forsee Chrome on Android using this configuration method to start-time disable platform GWP-ASan, as they'll use their own variant.

@vlad.tsyrklevich, do you have any thoughts?

vlad.tsyrklevich added inline comments.Aug 20 2019, 2:34 PM
llvm/docs/GwpAsan.rst
138

We probably do want to disable GWP-ASan for Android Chrome, though it doesn't have to be this method specifically.

hctim marked an inline comment as done.Aug 20 2019, 4:48 PM
hctim added inline comments.
llvm/docs/GwpAsan.rst
138

Ways to configure:

  • Compile time (for GWP-ASan) configuration options: Use -DGWP_ASAN_OPTIONS as described above.
  • Compile time (for application) configuration options: Use __gwp_asan_default_options here.
  • Program start time: Use GWP_ASAN_OPTIONS environment as per below.

We could possibly do detection of Chrome in the initialisation of platform GWP-ASan on Android - but I don't think this is generally suitable.

@morehouse are you okay with providing this config option? I think that #2 is probably the best way for applications to "always off" GWP-ASan, unless we have a better solution in mind.

morehouse added inline comments.Aug 20 2019, 6:02 PM
llvm/docs/GwpAsan.rst
138

These three options are fine with me.

Closed by commit rL369552: [GWP-ASan] Add public-facing documentation [6]. (authored by hctim). · Explain WhyAug 21 2019, 10:54 AM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptAug 21 2019, 10:54 AM
rupprecht added a subscriber: rupprecht.Aug 21 2019, 11:10 AM

The docs don't build and rL369554 doesn't fully fix it

$ ninja docs-llvm-html
[1/1] Generating html Sphinx documentation
FAILED: docs/CMakeFiles/docs-llvm-html

Warning, treated as error:
llvm/docs/GwpAsan.rst:document isn't included in any toctree
ninja: build stopped: subcommand failed.

Submitted rL369556 to temporarily make docs build again. However that basically suppresses the warning; you likely want to put it in a toctree instead of making it an orphan doc, e.g. https://reviews.llvm.org/D66183#change-D4KqPHFormwF

hctim added a comment.Aug 21 2019, 11:34 AM
In D62875#1639703, @rupprecht wrote:

The docs don't build and rL369554 doesn't fully fix it

$ ninja docs-llvm-html
[1/1] Generating html Sphinx documentation
FAILED: docs/CMakeFiles/docs-llvm-html

Warning, treated as error:
llvm/docs/GwpAsan.rst:document isn't included in any toctree
ninja: build stopped: subcommand failed.

Submitted rL369556 to temporarily make docs build again. However that basically suppresses the warning; you likely want to put it in a toctree instead of making it an orphan doc, e.g. https://reviews.llvm.org/D66183#change-D4KqPHFormwF

Solved in rL369560. Thanks!

Revision Contents

PathSize
compiler-rt/
lib/
gwp_asan/
6 lines
scripts/
55 lines
llvm/
docs/
280 lines

Diff 215512

compiler-rt/lib/gwp_asan/options.inc

Show All 15 LinesGWP_ASAN_OPTION(
bool, PerfectlyRightAlign, false, bool, PerfectlyRightAlign, false,
"When allocations are right-aligned, should we perfectly align them up to " "When allocations are right-aligned, should we perfectly align them up to "
"the page boundary? By default (false), we round up allocation size to the " "the page boundary? By default (false), we round up allocation size to the "
"nearest power of two (1, 2, 4, 8, 16) up to a maximum of 16-byte " "nearest power of two (1, 2, 4, 8, 16) up to a maximum of 16-byte "
"alignment for performance reasons. Setting this to true can find single " "alignment for performance reasons. Setting this to true can find single "
"byte buffer-overflows for multibyte allocations at the cost of " "byte buffer-overflows for multibyte allocations at the cost of "
"performance, and may be incompatible with some architectures.") "performance, and may be incompatible with some architectures.")
GWP_ASAN_OPTION( GWP_ASAN_OPTION(int, MaxSimultaneousAllocations, 16,
int, MaxSimultaneousAllocations, 16, "Number of simultaneously-guarded allocations available in the "
"Number of usable guarded slots in the allocation pool. Defaults to 16.") "pool. Defaults to 16.")
GWP_ASAN_OPTION(int, SampleRate, 5000, GWP_ASAN_OPTION(int, SampleRate, 5000,
"The probability (1 / SampleRate) that an allocation is " "The probability (1 / SampleRate) that an allocation is "
"selected for GWP-ASan sampling. Default is 5000. Sample rates " "selected for GWP-ASan sampling. Default is 5000. Sample rates "
"up to (2^31 - 1) are supported.") "up to (2^31 - 1) are supported.")
GWP_ASAN_OPTION( GWP_ASAN_OPTION(
bool, InstallSignalHandlers, true, bool, InstallSignalHandlers, true,
"Install GWP-ASan signal handlers for SIGSEGV during dynamic loading. This " "Install GWP-ASan signal handlers for SIGSEGV during dynamic loading. This "
"allows better error reports by providing stack traces for allocation and " "allows better error reports by providing stack traces for allocation and "
"deallocation when reporting a memory error. GWP-ASan's signal handler " "deallocation when reporting a memory error. GWP-ASan's signal handler "
"will forward the signal to any previously-installed handler, and user " "will forward the signal to any previously-installed handler, and user "
"programs that install further signal handlers should make sure they do " "programs that install further signal handlers should make sure they do "
"the same. Note, if the previously installed SIGSEGV handler is SIG_IGN, " "the same. Note, if the previously installed SIGSEGV handler is SIG_IGN, "
"we terminate the process after dumping the error report.") "we terminate the process after dumping the error report.")

compiler-rt/lib/gwp_asan/scripts/symbolize.sh

  • This file was added.
PropertyOld ValueNew Value
File Modenull100755
#!/bin/bash
# The lines that we're looking to symbolize look like this:
#0 ./a.out(_foo+0x3e6) [0x55a52e64c696]
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

s/looks/look/

vlad.tsyrklevich: s/looks/look/
# ... which come from the backtrace_symbols() symbolisation function used by
# default in Scudo's implementation of GWP-ASan.
while read -r line; do
# Check that this line needs symbolization.
should_symbolize="$(echo $line |\
grep -E '^[ ]*\#.*\(.*\+0x[0-9a-f]+\) \[0x[0-9a-f]+\]$')"
if [ -z "$should_symbolize" ]; then
echo "$line"
continue
morehouseUnsubmitted
Done
ReplyInline Actions

Can reduce indentation by putting a continue here and removing else below.

morehouse: Can reduce indentation by putting a continue here and removing else below.
fi
# Carve up the input line into sections.
binary_name="$(echo $line | grep -oE ' .*\(' | rev | cut -c2- | rev |\
cut -c2-)"
function_name="$(echo $line | grep -oE '\([^+]*' | cut -c2-)"
function_offset="$(echo $line | grep -oE '\(.*\)' | grep -oE '\+.*\)' |\
cut -c2- | rev | cut -c2- | rev)"
frame_number="$(echo $line | grep -oE '\#[0-9]+ ')"
if [ -z "$function_name" ]; then
# If the offset is binary-relative, just resolve that.
symbolized="$(echo $function_offset | addr2line -e $binary_name)"
else
# Otherwise, the offset is function-relative. Get the address of the
# function, and add it to the offset, then symbolize.
function_addr="0x$(echo $function_offset |\
nm --defined-only $binary_name 2> /dev/null |\
grep -E " $function_name$" | cut -d' ' -f1)"
# Check that we could get the function address from nm.
if [ -z "$function_addr" ]; then
echo "$line"
continue
fi
# Add the function address and offset to get the offset into the binary.
binary_offset="$(printf "0x%X" "$((function_addr+function_offset))")"
symbolized="$(echo $binary_offset | addr2line -e $binary_name)"
fi
# Check that it symbolized properly. If it didn't, output the old line.
echo $symbolized | grep -E ".*\?.*:" > /dev/null
if [ "$?" -eq "0" ]; then
echo "$line"
continue
else
echo "${frame_number}${symbolized}"
fi
done

llvm/docs/GwpAsan.rst

  • This file was added.
========
GWP-ASan
========
.. contents::
:local:
:depth: 2
Introduction
============
GWP-ASan is a sampled allocator framework that assists in finding use-after-free
and heap-buffer-overflow bugs in production environments. It informally is a
recursive acronym, "**G**\WP-ASan **W**\ill **P**\rovide **A**\llocation
**SAN**\ity".
GWP-ASan is based on the classic
`Electric Fence Malloc Debugger <https://linux.die.net/man/3/efence>`_, with a
key adaptation. Notably, we only choose a very small percentage of allocations
to sample, and apply guard pages to these sampled allocations only. The sampling
is small enough to allow us to have very low performance overhead.
There is a small, tunable memory overhead that is fixed for the lifetime of the
process. This is approximately ~40KiB per process using the default settings,
depending on the average size of your allocations.
GWP-ASan vs. ASan
=================
Unlike `AddressSanitizer <https://clang.llvm.org/docs/AddressSanitizer.html>`_,
GWP-ASan does not induce a significant performance overhead. ASan often requires
the use of dedicated canaries to be viable in production environments, and as
such is often impractical.
GWP-ASan is only capable of finding a subset of the memory issues detected by
ASan. Furthermore, GWP-ASan's bug detection capabilities are only probabilistic.
As such, we recommend using ASan over GWP-ASan in testing, as well as anywhere
else that guaranteed error detection is more valuable than the 2x execution
slowdown/binary size bloat. For the majority of production environments, this
impact is too high, and GWP-ASan proves extremely useful.
Design
======
**Please note:** The implementation of GWP-ASan is largely in-flux, and these
details are subject to change. There are currently other implementations of
GWP-ASan, such as the implementation featured in
`Chromium <https://cs.chromium.org/chromium/src/components/gwp_asan/>`_. The
long-term support goal is to ensure feature-parity where reasonable, and to
support compiler-rt as the reference implementation.
vlad.tsyrklevichUnsubmitted
Done
ReplyInline Actions

s/reasonble/reasonable/

vlad.tsyrklevich: s/reasonble/reasonable/
Allocator Support
-----------------
GWP-ASan is not a replacement for a traditional allocator. Instead, it works by
inserting stubs into a supporting allocator to redirect allocations to GWP-ASan
when they're chosen to be sampled. These stubs are generally implemented in the
implementaion of ``malloc()``, ``free()`` and ``realloc()``. The stubs are
extremely small, which makes using GWP-ASan in most allocators fairly trivial.
The stubs follow the same general pattern (example ``malloc()`` pseudocode
below):
.. code:: cpp
#ifdef INSTALL_GWP_ASAN_STUBS
gwp_asan::GuardedPoolAllocator GWPASanAllocator;
#endif
void* YourAllocator::malloc(..) {
#ifdef INSTALL_GWP_ASAN_STUBS
if (GWPASanAllocator.shouldSample(..))
return GWPASanAllocator.allocate(..);
#endif
// ... the rest of your allocator code here.
}
Then, all the supporting allocator needs to do is compile with
``-DINSTALL_GWP_ASAN_STUBS`` and link against the GWP-ASan library! For
performance reasons, we strongly recommend static linkage of the GWP-ASan
library.
Guarded Allocation Pool
-----------------------
The core of GWP-ASan is the guarded allocation pool. Each sampled allocation is
backed using its own *guarded* slot, which may consist of one or more accessible
pages. Each guarded slot is surrounded by two *guard* pages, which are mapped as
inaccessible. The collection of all guarded slots makes up the *guarded
allocation pool*.
morehouseUnsubmitted
Done
ReplyInline Actions

I find this explanation confusing. Maybe we don't need to mention that it's a contiguous buffer, since that detail isn't key to the approach.

Example wording: The collection of all guarded slots make up the *guarded allocation pool*.

morehouse: I find this explanation confusing. Maybe we don't need to mention that it's a contiguous…
Buffer Underflow/Overflow Detection
-----------------------------------
We gain buffer-overflow and buffer-underflow detection through these guard
pages. When a memory access overruns the allocated buffer, it will touch the
morehouseUnsubmitted
Done
ReplyInline Actions

insert "detection"

morehouse: insert "detection"
inaccessible guard page, causing memory exception. This exception is caught and
handled by the internal crash handler. Because each allocation is recorded with
metadata about where (and by what thread) it was allocated and deallocated, we
can provide information that will help identify the root cause of the bug.
morehouseUnsubmitted
Done
ReplyInline Actions

"helpful" is redundant.

morehouse: "helpful" is redundant.
Allocations are randomly selected to be either left- or right-aligned to provide
equal detection of both underflows and overflows.
morehouseUnsubmitted
Done
ReplyInline Actions

Increase versus what? Maybe this would be clearer if we say something like "allocations are randomly selected to be either left- or right-aligned to provide equal detection of both underflows and overflows".

morehouse: Increase versus what? Maybe this would be clearer if we say something like "allocations are…
Use after Free Detection
------------------------
The guarded allocation pool also provides use-after-free detection. Whenever a
sampled allocation is deallocated, we map its guarded slot as inaccessible. Any
morehouseUnsubmitted
Done
ReplyInline Actions

provides

morehouse: provides
memory accesses after deallocation will thus trigger the crash handler, and we
morehouseUnsubmitted
Done
ReplyInline Actions

s/the guard page/its guarded slot

morehouse: s/the guard page/its guarded slot
can provide useful information about the source of the error.
Please note that the use-after-free detection for a sampled allocation is
transient. To keep memory overhead fixed while still detecting bugs, deallocated
slots are randomly reused to guard future allocations.
Usage
=====
morehouseUnsubmitted
Done
ReplyInline Actions

Above two sentences could be combined and made more succinct.

e.g,, "To keep memory overhead fixed while still detecting bugs, deallocated slots are randomly reused to guard future allocations".

morehouse: Above two sentences could be combined and made more succinct. e.g,, "To keep memory overhead…
GWP-ASan already ships by default in the
`Scudo Hardened Allocator <https://llvm.org/docs/ScudoHardenedAllocator.html>`_,
so building with ``-fsanitize=scudo`` is the quickest and easiest way to try out
GWP-ASan.
morehouseUnsubmitted
Done
ReplyInline Actions

It's a small difference, but I'd prefer a more positive (think advertising) wording here.

e.g.,

"GWP-ASan already ships by default in Scudo, so building with -fsanitize=scudo is the quickest and easiest way to try out GWP-ASan. For other allocators, using GWP-ASan is as easy as..."

morehouse: It's a small difference, but I'd prefer a more positive (think advertising) wording here. e.g.
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I think the "for other allocators..." part is covered above in the "Allocator Support" section, but otherwise SGTM+done.

hctim: I think the "for other allocators..." part is covered above in the "Allocator Support" section…
Options
-------
GWP-ASan's configuration is managed by the supporting allocator. We provide a
generic configuration management library that is used by Scudo. It allows
several aspects of GWP-ASan to be configured through the following methods:
- When the GWP-ASan library is compiled, by setting
``-DGWP_ASAN_DEFAULT_OPTIONS`` to the options string you want set by default.
If you're building GWP-ASan as part of a compiler-rt/LLVM build, add it during
cmake configure time (e.g. ``cmake ... -GWP_ASAN_DEFAULT_OPTIONS="..."``). If
morehouseUnsubmitted
Done
ReplyInline Actions

I'm confused. Is this per-allocator or per-process?

morehouse: I'm confused. Is this per-allocator or per-process?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Hopefully the rewording adds some clarity.

hctim: Hopefully the rewording adds some clarity.
morehouseUnsubmitted
Done
ReplyInline Actions

Shouldn't this be -DGWP_ASAN_DEFAULT_OPTIONS?

morehouse: Shouldn't this be `-DGWP_ASAN_DEFAULT_OPTIONS`?
you're building GWP-ASan outside of compiler-rt, consult the manual for your
morehouseUnsubmitted
Done
ReplyInline Actions

What manual?

morehouse: What manual?
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Was supposed to be the manual for the supporting allocator, but I've removed some words here to try and clarify.

hctim: Was supposed to be the manual for the supporting allocator, but I've removed some words here to…
paticular instance (or just ensure that you specify
``-GWP_ASAN_DEFAULT_OPTIONS="..."`` when building
morehouseUnsubmitted
Done
ReplyInline Actions

Is this a CMake variable, a preprocessor macro, or something else?

morehouse: Is this a CMake variable, a preprocessor macro, or something else?
morehouseUnsubmitted
Done
ReplyInline Actions

This helps, but it's still not clear whether this is a cmake variable or a preprocessor variable.

Do I do this with:

cmake ... -DGWP_ASAN_DEFAULT_OPTIONS="..."

or

clang++ -fsanitize=scudo ... -DGWP_ASAN_DEFAULT_OPTIONS="..."
morehouse: This helps, but it's still not clear whether this is a cmake variable or a preprocessor…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Added some clarifying comments, let me know if they LGTY.

hctim: Added some clarifying comments, let me know if they LGTY.
``optional/options_parser.cpp``).
morehouseUnsubmitted
Done
ReplyInline Actions

Do we expect/want-to-support building outside of compiler-rt? If we encourage this, we may end up with many forks of GWP-ASan.

morehouse: Do we expect/want-to-support building outside of compiler-rt? If we encourage this, we may end…
hctimAuthorUnsubmitted
Not Done
ReplyInline Actions

I think that supporting out-of-RT builds is necessary. We've got an Android repository slice up and going that will definitely be out-of-tree builds.

My goal is basically to have the core **/*.h and **/*.cpp. If you want to use GWP-ASan, simply pull in the slice of the repository and add it to your build.

Maybe I should copybara slice this out of CRT and keep a makefile-independent (read: only cpp and header files) version so that it can be mirrored everywhere... WDYT?

hctim: I think that supporting out-of-RT builds is necessary. We've got an Android repository slice up…
morehouseUnsubmitted
Not Done
ReplyInline Actions

Not sure if we have a need/demand for this. I'm inclined to not do this unless we have a good reason.

morehouse: Not sure if we have a need/demand for this. I'm inclined to not do this unless we have a good…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

I forsee Chrome on Android using this configuration method to start-time disable platform GWP-ASan, as they'll use their own variant.

@vlad.tsyrklevich, do you have any thoughts?

hctim: I forsee Chrome on Android using this configuration method to start-time disable platform GWP…
vlad.tsyrklevichUnsubmitted
Not Done
ReplyInline Actions

We probably do want to disable GWP-ASan for Android Chrome, though it doesn't have to be this method specifically.

vlad.tsyrklevich: We probably do want to disable GWP-ASan for Android Chrome, though it doesn't have to be this…
hctimAuthorUnsubmitted
Done
ReplyInline Actions

Ways to configure:

  • Compile time (for GWP-ASan) configuration options: Use -DGWP_ASAN_OPTIONS as described above.
  • Compile time (for application) configuration options: Use __gwp_asan_default_options here.
  • Program start time: Use GWP_ASAN_OPTIONS environment as per below.

We could possibly do detection of Chrome in the initialisation of platform GWP-ASan on Android - but I don't think this is generally suitable.

@morehouse are you okay with providing this config option? I think that #2 is probably the best way for applications to "always off" GWP-ASan, unless we have a better solution in mind.

hctim: Ways to configure: - Compile time (for GWP-ASan) configuration options: Use `…
morehouseUnsubmitted
Not Done
ReplyInline Actions

These three options are fine with me.

morehouse: These three options are fine with me.
- By defining a ``__gwp_asan_default_options`` function in one's program that
returns the options string to be parsed. Said function must have the following
prototype: ``extern "C" const char* __gwp_asan_default_options(void)``, with a
default visibility. This will override the compile time define;
- Depending on allocator support (Scudo has support for this mechanism): Through
the environment variable ``GWP_ASAN_OPTIONS``, containing the options string
to be parsed. Options defined this way will override any definition made
through ``__gwp_asan_default_options``.
The options string follows a syntax similar to ASan, where distinct options
can be assigned in the same string, separated by colons.
For example, using the environment variable:
.. code:: console
GWP_ASAN_OPTIONS="MaxSimultaneousAllocations=16:SampleRate=5000" ./a.out
Or using the function:
.. code:: cpp
extern "C" const char *__gwp_asan_default_options() {
return "MaxSimultaneousAllocations=16:SampleRate=5000";
}
The following options are available:
+----------------------------+---------+--------------------------------------------------------------------------------+
| Option | Default | Description |
+----------------------------+---------+--------------------------------------------------------------------------------+
| Enabled | true | Is GWP-ASan enabled? |
+----------------------------+---------+--------------------------------------------------------------------------------+
| PerfectlyRightAlign | false | When allocations are right-aligned, should we perfectly align them up to the |
| | | page boundary? By default (false), we round up allocation size to the nearest |
| | | power of two (2, 4, 8, 16) up to a maximum of 16-byte alignment for |
| | | performance reasons. Setting this to true can find single byte |
| | | buffer-overflows at the cost of performance, and may be incompatible with |
| | | some architectures. |
+----------------------------+---------+--------------------------------------------------------------------------------+
| MaxSimultaneousAllocations | 16 | Number of simultaneously-guarded allocations available in the pool. |
+----------------------------+---------+--------------------------------------------------------------------------------+
| SampleRate | 5000 | The probability (1 / SampleRate) that a page is selected for GWP-ASan |
| | | sampling. Sample rates up to (2^31 - 1) are supported. |
+----------------------------+---------+--------------------------------------------------------------------------------+
| InstallSignalHandlers | true | Install GWP-ASan signal handlers for SIGSEGV during dynamic loading. This |
| | | allows better error reports by providing stack traces for allocation and |
| | | deallocation when reporting a memory error. GWP-ASan's signal handler will |
| | | forward the signal to any previously-installed handler, and user programs |
| | | that install further signal handlers should make sure they do the same. Note, |
| | | if the previously installed SIGSEGV handler is SIG_IGN, we terminate the |
| | | process after dumping the error report. |
+----------------------------+---------+--------------------------------------------------------------------------------+
Example
-------
morehouseUnsubmitted
Done
ReplyInline Actions

ephemeral + temporary seems redundant

morehouse: ephemeral + temporary seems redundant
morehouseUnsubmitted
Done
ReplyInline Actions

"inappropriately assigned" - Can we be more precise?

morehouse: "inappropriately assigned" - Can we be more precise?
The below code has a use-after-free bug, where the ``string_view`` is created as
a reference to the temporary result of the ``string+`` operator. The
use-after-free occurs when ``sv`` is dereferenced on line 8.
.. code:: cpp
1: #include <iostream>
2: #include <string>
3: #include <string_view>
4:
5: int main() {
6: std::string s = "Hellooooooooooooooo ";
7: std::string_view sv = s + "World\n";
8: std::cout << sv;
9: }
Compiling this code with Scudo+GWP-ASan will probabilistically catch this bug
and provide us a detailed error report:
.. code:: console
$ clang++ -fsanitize=scudo -std=c++17 -g buggy_code.cpp
$ for i in `seq 1 200`; do
GWP_ASAN_OPTIONS="SampleRate=100" ./a.out > /dev/null;
done
|
| *** GWP-ASan detected a memory error ***
| Use after free at 0x7feccab26000 (0 bytes into a 41-byte allocation at 0x7feccab26000) by thread 31027 here:
| ...
| #9 ./a.out(_ZStlsIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_St17basic_string_viewIS3_S4_E+0x45) [0x55585c0afa55]
| #10 ./a.out(main+0x9f) [0x55585c0af7cf]
| #11 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fecc966952b]
| #12 ./a.out(_start+0x2a) [0x55585c0867ba]
|
| 0x7feccab26000 was deallocated by thread 31027 here:
| ...
| #7 ./a.out(main+0x83) [0x55585c0af7b3]
| #8 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fecc966952b]
| #9 ./a.out(_start+0x2a) [0x55585c0867ba]
|
| 0x7feccab26000 was allocated by thread 31027 here:
| ...
| #12 ./a.out(main+0x57) [0x55585c0af787]
| #13 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fecc966952b]
| #14 ./a.out(_start+0x2a) [0x55585c0867ba]
|
| *** End GWP-ASan report ***
| Segmentation fault
To symbolize these stack traces, some care has to be taken. Scudo currently uses
GNU's ``backtrace_symbols()`` from ``<execinfo.h>`` to unwind. The unwinder
provides human-readable stack traces in ``function+offset`` form, rather than
the normal ``binary+offset`` form. In order to use addr2line or similar tools to
recover the exact line number, we must convert the ``function+offset`` to
``binary+offset``. A helper script is available at
``compiler-rt/lib/gwp_asan/scripts/symbolize.sh``. Using this script will
attempt to symbolize each possible line, falling back to the previous output if
anything fails. This results in the following output:
.. code:: console
$ cat my_gwp_asan_error.txt | symbolize.sh
|
| *** GWP-ASan detected a memory error ***
| Use after free at 0x7feccab26000 (0 bytes into a 41-byte allocation at 0x7feccab26000) by thread 31027 here:
| ...
| #9 /usr/lib/gcc/x86_64-linux-gnu/8.0.1/../../../../include/c++/8.0.1/string_view:547
| #10 /tmp/buggy_code.cpp:8
|
| 0x7feccab26000 was deallocated by thread 31027 here:
| ...
| #7 /tmp/buggy_code.cpp:8
| #8 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fecc966952b]
| #9 ./a.out(_start+0x2a) [0x55585c0867ba]
|
| 0x7feccab26000 was allocated by thread 31027 here:
| ...
| #12 /tmp/buggy_code.cpp:7
| #13 /lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xeb) [0x7fecc966952b]
| #14 ./a.out(_start+0x2a) [0x55585c0867ba]
|
| *** End GWP-ASan report ***
| Segmentation fault