This is an archive of the discontinued LLVM Phabricator instance.

Differential D65768

hwasan: Untag global variable addresses in tests.
ClosedPublic

Authored by pcc on Aug 5 2019, 12:38 PM.

Details

Reviewers
hctim
Commits
rGe757cadb0789: hwasan: Untag global variable addresses in tests.
rL367938: hwasan: Untag global variable addresses in tests.
rCRT367938: hwasan: Untag global variable addresses in tests.
Summary

Once we start instrumenting globals, all addresses including those of string literals
that we pass to the operating system will start being tagged. Since we can't rely
on the operating system to be able to cope with these addresses, we need to untag
them before passing them to the operating system. This change introduces a macro
that does so and uses it everywhere it is needed.

Diff Detail

Repository
rL LLVM

Event Timeline

pcc created this revision.Aug 5 2019, 12:38 PM
Herald added projects: Restricted Project, Restricted Project. · View Herald TranscriptAug 5 2019, 12:38 PM
Herald added subscribers: Restricted Project, kubamracek. · View Herald Transcript
pcc added a child revision: D65770: hwasan: Instrument globals..Aug 5 2019, 12:40 PM
Harbormaster completed remote builds in B36163: Diff 213432.Aug 5 2019, 12:42 PM
Herald added a subscriber: ormris. · View Herald TranscriptAug 5 2019, 12:42 PM
hctim added a comment.Aug 5 2019, 1:13 PM

Instead of putting UNTAG everywhere, could we change %clang_hwasan to instead have globals instrumentation disabled, then only use UNTAG in the hwasan_globals tests? WDYT?

pcc added a comment.Aug 5 2019, 1:22 PM

The reason why I did it this way was to make the tests as "realistic" as possible. The more we diverge from a "realistic" build the more likely it is that bugs slip through because we aren't testing what we ship.

hctim added a comment.Aug 5 2019, 1:37 PM

Understood. I'm not the biggest fan of putting macros all around the codebase - could we define our own ErrorPrintf()/Printf()/strcmp() and explicitly untag there? I think relying on explicit untagging everywhere may be error-prone, and it looks like we can reduce the mental overhead of remembering to explicitly untag.

pcc added a comment.Aug 5 2019, 1:45 PM
In D65768#1615607, @hctim wrote:

Understood. I'm not the biggest fan of putting macros all around the codebase - could we define our own ErrorPrintf()/Printf()/strcmp() and explicitly untag there? I think relying on explicit untagging everywhere may be error-prone, and it looks like we can reduce the mental overhead of remembering to explicitly untag.

If you forget to untag, your test will not pass once the global instrumentation change lands. So I'm personally not too concerned about this.

That said, adding the wrappers seems fine to me. I'll do that.

pcc updated this revision to Diff 213465.Aug 5 2019, 2:28 PM
  • Introduce wrappers
Harbormaster completed remote builds in B36179: Diff 213465.Aug 5 2019, 2:29 PM
hctim accepted this revision.Aug 5 2019, 2:33 PM

LGTM with nits.

compiler-rt/test/hwasan/TestCases/utils.h
10 ↗(On Diff #213465)

Nit: > 80char

18 ↗(On Diff #213465)

Nit: > 80char

This revision is now accepted and ready to land.Aug 5 2019, 2:33 PM
pcc marked an inline comment as done.Aug 5 2019, 2:45 PM
pcc added inline comments.
compiler-rt/test/hwasan/TestCases/utils.h
10 ↗(On Diff #213465)

No idea why clang-format isn't obeying <=80 cols here, oh well.

Closed by commit rL367938: hwasan: Untag global variable addresses in tests. (authored by pcc). · Explain WhyAug 5 2019, 2:45 PM
This revision was automatically updated to reflect the committed changes.
Herald added a subscriber: delcypher. · View Herald TranscriptAug 5 2019, 2:45 PM

Revision Contents

Diff 213469

compiler-rt/trunk/test/hwasan/TestCases/Linux/aligned_alloc-alignment.cpp

// RUN: %clangxx_hwasan -O0 %s -o %t // RUN: %clangxx_hwasan -O0 %s -o %t
// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t 2>&1 | FileCheck %s // RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t 2>&1 | FileCheck %s
// RUN: %env_hwasan_opts=allocator_may_return_null=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NULL // RUN: %env_hwasan_opts=allocator_may_return_null=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NULL
// UNSUPPORTED: android // UNSUPPORTED: android
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "../utils.h"
extern void *aligned_alloc(size_t alignment, size_t size); extern void *aligned_alloc(size_t alignment, size_t size);
int main() { int main() {
void *p = aligned_alloc(17, 100); void *p = aligned_alloc(17, 100);
// CHECK: ERROR: HWAddressSanitizer: invalid alignment requested in aligned_alloc: 17 // CHECK: ERROR: HWAddressSanitizer: invalid alignment requested in aligned_alloc: 17
// CHECK: {{#0 0x.* in .*}}{{aligned_alloc|memalign}} // CHECK: {{#0 0x.* in .*}}{{aligned_alloc|memalign}}
// CHECK: {{#1 0x.* in main .*aligned_alloc-alignment.cpp:}}[[@LINE-3]] // CHECK: {{#1 0x.* in main .*aligned_alloc-alignment.cpp:}}[[@LINE-3]]
// CHECK: SUMMARY: HWAddressSanitizer: invalid-aligned-alloc-alignment // CHECK: SUMMARY: HWAddressSanitizer: invalid-aligned-alloc-alignment
printf("pointer after failed aligned_alloc: %zd\n", (size_t)p); untag_printf("pointer after failed aligned_alloc: %zd\n", (size_t)p);
// CHECK-NULL: pointer after failed aligned_alloc: 0 // CHECK-NULL: pointer after failed aligned_alloc: 0
return 0; return 0;
} }

compiler-rt/trunk/test/hwasan/TestCases/Linux/decorate-proc-maps.c

Show All 19 Lines
#include <pthread.h> #include <pthread.h>
#include <stdio.h> #include <stdio.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
#include <pthread.h> #include <pthread.h>
#include <stdlib.h> #include <stdlib.h>
#include "../utils.h"
void CopyFdToFd(int in_fd, int out_fd) { void CopyFdToFd(int in_fd, int out_fd) {
const size_t kBufSize = 0x10000; const size_t kBufSize = 0x10000;
static char buf[kBufSize]; static char buf[kBufSize];
while (1) { while (1) {
ssize_t got = read(in_fd, buf, kBufSize); ssize_t got = read(in_fd, UNTAG(buf), kBufSize);
if (got > 0) { if (got > 0) {
write(out_fd, buf, got); write(out_fd, UNTAG(buf), got);
} else if (got == 0) { } else if (got == 0) {
break; break;
} else if (errno != EAGAIN || errno != EWOULDBLOCK || errno != EINTR) { } else if (errno != EAGAIN || errno != EWOULDBLOCK || errno != EINTR) {
fprintf(stderr, "error reading file, errno %d\n", errno); untag_fprintf(stderr, "error reading file, errno %d\n", errno);
abort(); abort();
} }
} }
} }
void *ThreadFn(void *arg) { void *ThreadFn(void *arg) {
(void)arg; (void)arg;
int fd = open("/proc/self/maps", O_RDONLY); int fd = open(UNTAG("/proc/self/maps"), O_RDONLY);
CopyFdToFd(fd, 2); CopyFdToFd(fd, 2);
close(fd); close(fd);
return NULL; return NULL;
} }
int main(void) { int main(void) {
pthread_t t; pthread_t t;
void * volatile res = malloc(100); void * volatile res = malloc(100);
void * volatile res2 = malloc(100000); void * volatile res2 = malloc(100000);
pthread_create(&t, 0, ThreadFn, 0); pthread_create(&t, 0, ThreadFn, 0);
pthread_join(t, 0); pthread_join(t, 0);
return (int)(size_t)res; return (int)(size_t)res;
} }

compiler-rt/trunk/test/hwasan/TestCases/Linux/pvalloc-overflow.cpp

Show All 12 Lines
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
#include <malloc.h> #include <malloc.h>
#include <stdint.h> #include <stdint.h>
#include <string.h> #include <string.h>
#include <unistd.h> #include <unistd.h>
#include "../utils.h"
int main(int argc, char *argv[]) { int main(int argc, char *argv[]) {
assert(argc == 2); assert(argc == 2);
const char *action = argv[1]; const char *action = argv[1];
const size_t page_size = sysconf(_SC_PAGESIZE); const size_t page_size = sysconf(_SC_PAGESIZE);
void *p = nullptr; void *p = nullptr;
if (!strcmp(action, "m1")) { if (!untag_strcmp(action, "m1")) {
p = pvalloc((uintptr_t)-1); p = pvalloc((uintptr_t)-1);
} else if (!strcmp(action, "psm1")) { } else if (!untag_strcmp(action, "psm1")) {
p = pvalloc((uintptr_t)-(page_size - 1)); p = pvalloc((uintptr_t)-(page_size - 1));
} else { } else {
assert(0); assert(0);
} }
fprintf(stderr, "errno: %d\n", errno); untag_fprintf(stderr, "errno: %d\n", errno);
return p != nullptr; return p != nullptr;
} }
// CHECK: {{ERROR: HWAddressSanitizer: pvalloc parameters overflow: size .* rounded up to system page size .* cannot be represented in type size_t}} // CHECK: {{ERROR: HWAddressSanitizer: pvalloc parameters overflow: size .* rounded up to system page size .* cannot be represented in type size_t}}
// CHECK: {{#0 0x.* in .*pvalloc}} // CHECK: {{#0 0x.* in .*pvalloc}}
// CHECK: {{#1 0x.* in main .*pvalloc-overflow.cpp:}} // CHECK: {{#1 0x.* in main .*pvalloc-overflow.cpp:}}
// CHECK: SUMMARY: HWAddressSanitizer: pvalloc-overflow // CHECK: SUMMARY: HWAddressSanitizer: pvalloc-overflow
// CHECK-NULL: errno: 12 // CHECK-NULL: errno: 12

compiler-rt/trunk/test/hwasan/TestCases/Linux/release-shadow.c

// Test that tagging a large region to 0 reduces RSS. // Test that tagging a large region to 0 reduces RSS.
// RUN: %clang_hwasan -mllvm -hwasan-instrument-stack=0 %s -o %t && %run %t 2>&1 // RUN: %clang_hwasan -mllvm -hwasan-instrument-stack=0 %s -o %t && %run %t 2>&1
#include <assert.h> #include <assert.h>
#include <fcntl.h> #include <fcntl.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <sys/mman.h> #include <sys/mman.h>
#include <sys/stat.h> #include <sys/stat.h>
#include <sys/types.h> #include <sys/types.h>
#include <unistd.h> #include <unistd.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "../utils.h"
const unsigned char kTag = 42; const unsigned char kTag = 42;
const size_t kNumShadowPages = 256; const size_t kNumShadowPages = 256;
const size_t kNumPages = 16 * kNumShadowPages; const size_t kNumPages = 16 * kNumShadowPages;
const size_t kPageSize = 4096; const size_t kPageSize = 4096;
const size_t kMapSize = kNumPages * kPageSize; const size_t kMapSize = kNumPages * kPageSize;
void sync_rss() { void sync_rss() {
char *page = (char *)mmap(0, kPageSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0); char *page = (char *)mmap(0, kPageSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
// Linux kernel updates RSS counters after a set number of page faults. // Linux kernel updates RSS counters after a set number of page faults.
for (int i = 0; i < 1000; ++i) { for (int i = 0; i < 1000; ++i) {
page[0] = 42; page[0] = 42;
madvise(page, kPageSize, MADV_DONTNEED); madvise(page, kPageSize, MADV_DONTNEED);
} }
munmap(page, kPageSize); munmap(page, kPageSize);
} }
size_t current_rss() { size_t current_rss() {
sync_rss(); sync_rss();
int statm_fd = open("/proc/self/statm", O_RDONLY); int statm_fd = open(UNTAG("/proc/self/statm"), O_RDONLY);
assert(statm_fd >= 0); assert(statm_fd >= 0);
char buf[100]; char buf[100];
assert(read(statm_fd, &buf, sizeof(buf)) > 0); assert(read(statm_fd, &buf, sizeof(buf)) > 0);
size_t size, rss; size_t size, rss;
assert(sscanf(buf, "%zu %zu", &size, &rss) == 2); assert(sscanf(buf, UNTAG("%zu %zu"), &size, &rss) == 2);
close(statm_fd); close(statm_fd);
return rss; return rss;
} }
void test_rss_difference(void *p) { void test_rss_difference(void *p) {
__hwasan_tag_memory(p, kTag, kMapSize); __hwasan_tag_memory(p, kTag, kMapSize);
size_t rss_before = current_rss(); size_t rss_before = current_rss();
__hwasan_tag_memory(p, 0, kMapSize); __hwasan_tag_memory(p, 0, kMapSize);
size_t rss_after = current_rss(); size_t rss_after = current_rss();
fprintf(stderr, "%zu -> %zu\n", rss_before, rss_after); untag_fprintf(stderr, "%zu -> %zu\n", rss_before, rss_after);
assert(rss_before > rss_after); assert(rss_before > rss_after);
size_t diff = rss_before - rss_after; size_t diff = rss_before - rss_after;
fprintf(stderr, "diff %zu\n", diff); untag_fprintf(stderr, "diff %zu\n", diff);
// Check that the difference is at least close to kNumShadowPages. // Check that the difference is at least close to kNumShadowPages.
assert(diff > kNumShadowPages / 4 * 3); assert(diff > kNumShadowPages / 4 * 3);
} }
int main() { int main() {
fprintf(stderr, "starting rss %zu\n", current_rss()); untag_fprintf(stderr, "starting rss %zu\n", current_rss());
fprintf(stderr, "shadow pages: %zu\n", kNumShadowPages); untag_fprintf(stderr, "shadow pages: %zu\n", kNumShadowPages);
void *p = mmap(0, kMapSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0); void *p = mmap(0, kMapSize, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0);
fprintf(stderr, "p = %p\n", p); untag_fprintf(stderr, "p = %p\n", p);
test_rss_difference(p); test_rss_difference(p);
test_rss_difference(p); test_rss_difference(p);
test_rss_difference(p); test_rss_difference(p);
return 0; return 0;
} }

compiler-rt/trunk/test/hwasan/TestCases/Posix/posix_memalign-alignment.cpp

// RUN: %clangxx_hwasan -O0 %s -o %t // RUN: %clangxx_hwasan -O0 %s -o %t
// RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t 2>&1 | FileCheck %s // RUN: %env_hwasan_opts=allocator_may_return_null=0 not %run %t 2>&1 | FileCheck %s
// RUN: %env_hwasan_opts=allocator_may_return_null=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NULL // RUN: %env_hwasan_opts=allocator_may_return_null=1 %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NULL
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include "../utils.h"
int main() { int main() {
void *p = reinterpret_cast<void*>(42); void *p = reinterpret_cast<void*>(42);
int res = posix_memalign(&p, 17, 100); int res = posix_memalign(&p, 17, 100);
// CHECK: ERROR: HWAddressSanitizer: invalid alignment requested in posix_memalign: 17 // CHECK: ERROR: HWAddressSanitizer: invalid alignment requested in posix_memalign: 17
// CHECK: {{#0 0x.* in .*posix_memalign}} // CHECK: {{#0 0x.* in .*posix_memalign}}
// CHECK: {{#1 0x.* in main .*posix_memalign-alignment.cpp:}}[[@LINE-3]] // CHECK: {{#1 0x.* in main .*posix_memalign-alignment.cpp:}}[[@LINE-3]]
// CHECK: SUMMARY: HWAddressSanitizer: invalid-posix-memalign-alignment // CHECK: SUMMARY: HWAddressSanitizer: invalid-posix-memalign-alignment
printf("pointer after failed posix_memalign: %zd\n", (size_t)p); untag_printf("pointer after failed posix_memalign: %zd\n", (size_t)p);
// CHECK-NULL: pointer after failed posix_memalign: 42 // CHECK-NULL: pointer after failed posix_memalign: 42
return 0; return 0;
} }

compiler-rt/trunk/test/hwasan/TestCases/allocator_returns_null.cpp

Show First 20 LinesShow All 42 Lines▼ Show 20 Lines
#include <assert.h> #include <assert.h>
#include <errno.h> #include <errno.h>
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <string.h> #include <string.h>
#include <limits> #include <limits>
#include <new> #include <new>
#include "utils.h"
int main(int argc, char **argv) { int main(int argc, char **argv) {
assert(argc == 2); assert(argc == 2);
const char *action = argv[1]; const char *action = argv[1];
fprintf(stderr, "%s:\n", action); untag_fprintf(stderr, "%s:\n", action);
static const size_t kMaxAllowedMallocSizePlusOne = (2UL << 30) + 1; static const size_t kMaxAllowedMallocSizePlusOne = (2UL << 30) + 1;
void *x = nullptr; void *x = nullptr;
if (!strcmp(action, "malloc")) { if (!untag_strcmp(action, "malloc")) {
x = malloc(kMaxAllowedMallocSizePlusOne); x = malloc(kMaxAllowedMallocSizePlusOne);
} else if (!strcmp(action, "calloc")) { } else if (!untag_strcmp(action, "calloc")) {
x = calloc((kMaxAllowedMallocSizePlusOne / 4) + 1, 4); x = calloc((kMaxAllowedMallocSizePlusOne / 4) + 1, 4);
} else if (!strcmp(action, "calloc-overflow")) { } else if (!untag_strcmp(action, "calloc-overflow")) {
volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max(); volatile size_t kMaxSizeT = std::numeric_limits<size_t>::max();
size_t kArraySize = 4096; size_t kArraySize = 4096;
volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10; volatile size_t kArraySize2 = kMaxSizeT / kArraySize + 10;
x = calloc(kArraySize, kArraySize2); x = calloc(kArraySize, kArraySize2);
} else if (!strcmp(action, "realloc")) { } else if (!untag_strcmp(action, "realloc")) {
x = realloc(0, kMaxAllowedMallocSizePlusOne); x = realloc(0, kMaxAllowedMallocSizePlusOne);
} else if (!strcmp(action, "realloc-after-malloc")) { } else if (!untag_strcmp(action, "realloc-after-malloc")) {
char *t = (char*)malloc(100); char *t = (char*)malloc(100);
*t = 42; *t = 42;
x = realloc(t, kMaxAllowedMallocSizePlusOne); x = realloc(t, kMaxAllowedMallocSizePlusOne);
assert(*t == 42); assert(*t == 42);
free(t); free(t);
} else if (!strcmp(action, "new")) { } else if (!untag_strcmp(action, "new")) {
x = operator new(kMaxAllowedMallocSizePlusOne); x = operator new(kMaxAllowedMallocSizePlusOne);
} else if (!strcmp(action, "new-nothrow")) { } else if (!untag_strcmp(action, "new-nothrow")) {
x = operator new(kMaxAllowedMallocSizePlusOne, std::nothrow); x = operator new(kMaxAllowedMallocSizePlusOne, std::nothrow);
} else { } else {
assert(0); assert(0);
} }
fprintf(stderr, "errno: %d\n", errno); untag_fprintf(stderr, "errno: %d\n", errno);
free(x); free(x);
return x != nullptr; return x != nullptr;
} }
// CHECK-mCRASH: malloc: // CHECK-mCRASH: malloc:
// CHECK-mCRASH: SUMMARY: HWAddressSanitizer: allocation-size-too-big // CHECK-mCRASH: SUMMARY: HWAddressSanitizer: allocation-size-too-big
Show All 26 Lines

compiler-rt/trunk/test/hwasan/TestCases/heap-buffer-overflow.c

Show All 9 Lines
// RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20 // RUN: not %run %t 30 20 2>&1 | FileCheck %s --check-prefix=CHECK20
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "utils.h"
static volatile char sink; static volatile char sink;
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
int offset = argc < 2 ? 40 : atoi(argv[1]); int offset = argc < 2 ? 40 : atoi(argv[1]);
int size = argc < 3 ? 30 : atoi(argv[2]); int size = argc < 3 ? 30 : atoi(argv[2]);
char * volatile x = (char*)malloc(size); char * volatile x = (char*)malloc(size);
fprintf(stderr, "base: %p access: %p\n", x, &x[offset]); untag_fprintf(stderr, "base: %p access: %p\n", x, &x[offset]);
sink = x[offset]; sink = x[offset];
// CHECK40: allocated heap chunk; size: 32 offset: 8 // CHECK40: allocated heap chunk; size: 32 offset: 8
// CHECK40: is located 10 bytes to the right of 30-byte region // CHECK40: is located 10 bytes to the right of 30-byte region
// //
// CHECK80: allocated heap chunk; size: 32 offset: 16 // CHECK80: allocated heap chunk; size: 32 offset: 16
// CHECK80: is located 50 bytes to the right of 30-byte region // CHECK80: is located 50 bytes to the right of 30-byte region
// //
Show All 18 Lines

compiler-rt/trunk/test/hwasan/TestCases/malloc_fill.cpp

// Check that we fill malloc-ed memory correctly. // Check that we fill malloc-ed memory correctly.
// RUN: %clangxx_hwasan %s -o %t // RUN: %clangxx_hwasan %s -o %t
// RUN: %run %t | FileCheck %s // RUN: %run %t | FileCheck %s
// RUN: %env_hwasan_opts=max_malloc_fill_size=10:malloc_fill_byte=8 %run %t | FileCheck %s --check-prefix=CHECK-10-8 // RUN: %env_hwasan_opts=max_malloc_fill_size=10:malloc_fill_byte=8 %run %t | FileCheck %s --check-prefix=CHECK-10-8
// RUN: %env_hwasan_opts=max_malloc_fill_size=20:malloc_fill_byte=171 %run %t | FileCheck %s --check-prefix=CHECK-20-ab // RUN: %env_hwasan_opts=max_malloc_fill_size=20:malloc_fill_byte=171 %run %t | FileCheck %s --check-prefix=CHECK-20-ab
#include <stdio.h> #include <stdio.h>
#include "utils.h"
int main(int argc, char **argv) { int main(int argc, char **argv) {
// With asan allocator this makes sure we get memory from mmap. // With asan allocator this makes sure we get memory from mmap.
static const int kSize = 1 << 25; static const int kSize = 1 << 25;
unsigned char *x = new unsigned char[kSize]; unsigned char *x = new unsigned char[kSize];
printf("-"); untag_printf("-");
for (int i = 0; i <= 32; i++) { for (int i = 0; i <= 32; i++) {
printf("%02x", x[i]); untag_printf("%02x", x[i]);
} }
printf("-\n"); untag_printf("-\n");
delete [] x; delete [] x;
} }
// CHECK: -bebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebe- // CHECK: -bebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebebe-
// CHECK-10-8: -080808080808080808080000000000000000000000000000000000000000000000- // CHECK-10-8: -080808080808080808080000000000000000000000000000000000000000000000-
// CHECK-20-ab: -abababababababababababababababababababab00000000000000000000000000- // CHECK-20-ab: -abababababababababababababababababababab00000000000000000000000000-

compiler-rt/trunk/test/hwasan/TestCases/many-threads-uaf.c

// RUN: %clang_hwasan %s -o %t && not %env_hwasan_opts=verbose_threads=1 %run %t 2>&1 | FileCheck %s // RUN: %clang_hwasan %s -o %t && not %env_hwasan_opts=verbose_threads=1 %run %t 2>&1 | FileCheck %s
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <pthread.h> #include <pthread.h>
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "utils.h"
void *BoringThread(void *arg) { void *BoringThread(void *arg) {
char * volatile x = (char*)malloc(10); char * volatile x = (char*)malloc(10);
x[5] = 0; x[5] = 0;
free(x); free(x);
return NULL; return NULL;
} }
// CHECK: Creating : T0 // CHECK: Creating : T0
// CHECK: Creating : T1 // CHECK: Creating : T1
// CHECK: Destroying: T1 // CHECK: Destroying: T1
// CHECK: Creating : T1100 // CHECK: Creating : T1100
// CHECK: Destroying: T1100 // CHECK: Destroying: T1100
// CHECK: Creating : T1101 // CHECK: Creating : T1101
void *UAFThread(void *arg) { void *UAFThread(void *arg) {
char * volatile x = (char*)malloc(10); char * volatile x = (char*)malloc(10);
fprintf(stderr, "ZZZ %p\n", x); untag_fprintf(stderr, "ZZZ %p\n", x);
free(x); free(x);
x[5] = 42; x[5] = 42;
// CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address
// CHECK: WRITE of size 1 // CHECK: WRITE of size 1
// CHECK: many-threads-uaf.c:[[@LINE-3]] // CHECK: many-threads-uaf.c:[[@LINE-3]]
// CHECK: Thread: T1101 // CHECK: Thread: T1101
return NULL; return NULL;
} }
Show All 11 Lines

compiler-rt/trunk/test/hwasan/TestCases/mem-intrinsics.c

// RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=1 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=READ
// RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE // RUN: %clang_hwasan %s -DTEST_NO=3 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %run %t 2>&1 | FileCheck %s --check-prefix=WRITE
// RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER // RUN: %clang_hwasan %s -DTEST_NO=2 -mllvm -hwasan-instrument-mem-intrinsics -o %t && not %env_hwasan_opts=halt_on_error=0 %run %t 2>&1 | FileCheck %s --check-prefix=RECOVER
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdio.h> #include <stdio.h>
#include <stdlib.h> #include <stdlib.h>
#include <unistd.h> #include <unistd.h>
#include "utils.h"
int main() { int main() {
char Q[16] __attribute__((aligned(256))); char Q[16] __attribute__((aligned(256)));
char P[16] __attribute__((aligned(256))); char P[16] __attribute__((aligned(256)));
#if TEST_NO == 1 #if TEST_NO == 1
memset(Q, 0, 32); memset(Q, 0, 32);
#elif TEST_NO == 2 #elif TEST_NO == 2
memmove(Q, Q + 16, 16); memmove(Q, Q + 16, 16);
#elif TEST_NO == 3 #elif TEST_NO == 3
memcpy(Q, P, 32); memcpy(Q, P, 32);
#endif #endif
write(STDOUT_FILENO, "recovered\n", 10); write(STDOUT_FILENO, UNTAG("recovered\n"), 10);
// WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address // WRITE: ERROR: HWAddressSanitizer: tag-mismatch on address
// WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) // WRITE: WRITE of size 32 at {{.*}} tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// WRITE: Invalid access starting at offset [16, 32) // WRITE: Invalid access starting at offset [16, 32)
// WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes): // WRITE: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]] // WRITE: =>{{.*}}[[PTR_TAG]]{{[[:space:]]\[}}[[MEM_TAG]]
// WRITE-NOT: recovered // WRITE-NOT: recovered
// READ: ERROR: HWAddressSanitizer: tag-mismatch on address // READ: ERROR: HWAddressSanitizer: tag-mismatch on address
Show All 9 Lines

compiler-rt/trunk/test/hwasan/TestCases/sizes.cpp

Show All 28 Lines
#include <string.h> #include <string.h>
#include <limits> #include <limits>
#include <new> #include <new>
#include <sanitizer/allocator_interface.h> #include <sanitizer/allocator_interface.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "utils.h"
int main(int argc, char **argv) { int main(int argc, char **argv) {
assert(argc <= 3); assert(argc <= 3);
bool test_size_max = argc == 3 && !strcmp(argv[2], "max"); bool test_size_max = argc == 3 && !untag_strcmp(argv[2], "max");
static const size_t kMaxAllowedMallocSize = 1ULL << 40; static const size_t kMaxAllowedMallocSize = 1ULL << 40;
static const size_t kChunkHeaderSize = 16; static const size_t kChunkHeaderSize = 16;
size_t MallocSize = test_size_max ? std::numeric_limits<size_t>::max() size_t MallocSize = test_size_max ? std::numeric_limits<size_t>::max()
: kMaxAllowedMallocSize; : kMaxAllowedMallocSize;
if (!strcmp(argv[1], "malloc")) { if (!untag_strcmp(argv[1], "malloc")) {
void *p = malloc(MallocSize); void *p = malloc(MallocSize);
assert(!p); assert(!p);
p = malloc(kMaxAllowedMallocSize - kChunkHeaderSize); p = malloc(kMaxAllowedMallocSize - kChunkHeaderSize);
assert(!p); assert(!p);
} else if (!strcmp(argv[1], "calloc")) { } else if (!untag_strcmp(argv[1], "calloc")) {
// Trigger an overflow in calloc. // Trigger an overflow in calloc.
size_t size = std::numeric_limits<size_t>::max(); size_t size = std::numeric_limits<size_t>::max();
void *p = calloc((size / 0x1000) + 1, 0x1000); void *p = calloc((size / 0x1000) + 1, 0x1000);
assert(!p); assert(!p);
} else if (!strcmp(argv[1], "reallocarray")) { } else if (!untag_strcmp(argv[1], "reallocarray")) {
// Trigger an overflow in reallocarray. // Trigger an overflow in reallocarray.
size_t size = std::numeric_limits<size_t>::max(); size_t size = std::numeric_limits<size_t>::max();
void *p = __sanitizer_reallocarray(nullptr, (size / 0x1000) + 1, 0x1000); void *p = __sanitizer_reallocarray(nullptr, (size / 0x1000) + 1, 0x1000);
assert(!p); assert(!p);
} else if (!strcmp(argv[1], "new")) { } else if (!untag_strcmp(argv[1], "new")) {
void *p = operator new(MallocSize); void *p = operator new(MallocSize);
assert(!p); assert(!p);
} else if (!strcmp(argv[1], "new-nothrow")) { } else if (!untag_strcmp(argv[1], "new-nothrow")) {
void *p = operator new(MallocSize, std::nothrow); void *p = operator new(MallocSize, std::nothrow);
assert(!p); assert(!p);
} else if (!strcmp(argv[1], "usable")) { } else if (!untag_strcmp(argv[1], "usable")) {
// Playing with the actual usable size of a chunk. // Playing with the actual usable size of a chunk.
void *p = malloc(1007); void *p = malloc(1007);
assert(p); assert(p);
size_t size = __sanitizer_get_allocated_size(p); size_t size = __sanitizer_get_allocated_size(p);
assert(size >= 1007); assert(size >= 1007);
memset(p, 'A', size); memset(p, 'A', size);
p = realloc(p, 2014); p = realloc(p, 2014);
assert(p); assert(p);
Show All 15 Lines

compiler-rt/trunk/test/hwasan/TestCases/tail-magic.c

// Tests free_checks_tail_magic=1. // Tests free_checks_tail_magic=1.
// RUN: %clang_hwasan %s -o %t // RUN: %clang_hwasan %s -o %t
// RUN: %env_hwasan_opts=free_checks_tail_magic=0 %run %t // RUN: %env_hwasan_opts=free_checks_tail_magic=0 %run %t
// RUN: %env_hwasan_opts=free_checks_tail_magic=1 not %run %t 2>&1 | FileCheck %s // RUN: %env_hwasan_opts=free_checks_tail_magic=1 not %run %t 2>&1 | FileCheck %s
// RUN: not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "utils.h"
static volatile char *sink; static volatile char *sink;
// Overwrite the tail in a non-hwasan function so that we don't detect the // Overwrite the tail in a non-hwasan function so that we don't detect the
// stores as OOB. // stores as OOB.
__attribute__((no_sanitize("hwaddress"))) void overwrite_tail() { __attribute__((no_sanitize("hwaddress"))) void overwrite_tail() {
sink[20] = 0x42; (*UNTAG(&sink))[20] = 0x42;
sink[24] = 0x66; (*UNTAG(&sink))[24] = 0x66;
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
char *p = (char*)malloc(20); char *p = (char*)malloc(20);
sink = (char *)((uintptr_t)(p) & 0xffffffffffffff); sink = UNTAG(p);
overwrite_tail(); overwrite_tail();
free(p); free(p);
// CHECK: ERROR: HWAddressSanitizer: alocation-tail-overwritten; heap object [{{.*}}) of size 20 // CHECK: ERROR: HWAddressSanitizer: alocation-tail-overwritten; heap object [{{.*}}) of size 20
// CHECK: in main {{.*}}tail-magic.c:[[@LINE-2]] // CHECK: in main {{.*}}tail-magic.c:[[@LINE-2]]
// CHECK: allocated here: // CHECK: allocated here:
// CHECK: in main {{.*}}tail-magic.c:[[@LINE-7]] // CHECK: in main {{.*}}tail-magic.c:[[@LINE-7]]
// CHECK: Tail contains: .. .. .. .. 42 {{.. .. ..}} 66 // CHECK: Tail contains: .. .. .. .. 42 {{.. .. ..}} 66
} }

compiler-rt/trunk/test/hwasan/TestCases/use-after-free.c

// RUN: %clang_hwasan -O0 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK // RUN: %clang_hwasan -O0 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK
// RUN: %clang_hwasan -O1 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK // RUN: %clang_hwasan -O1 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK
// RUN: %clang_hwasan -O2 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK // RUN: %clang_hwasan -O2 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK
// RUN: %clang_hwasan -O3 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK // RUN: %clang_hwasan -O3 -DISREAD=1 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK
// RUN: %clang_hwasan -O0 -DISREAD=0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK // RUN: %clang_hwasan -O0 -DISREAD=0 %s -o %t && not %run %t 2>&1 | FileCheck %s --check-prefixes=CHECK
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
#include <stdlib.h> #include <stdlib.h>
#include <stdio.h> #include <stdio.h>
#include <sanitizer/hwasan_interface.h> #include <sanitizer/hwasan_interface.h>
#include "utils.h"
int main() { int main() {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
char * volatile x = (char*)malloc(10); char * volatile x = (char*)malloc(10);
free(x); free(x);
__hwasan_disable_allocator_tagging(); __hwasan_disable_allocator_tagging();
fprintf(stderr, "Going to do a %s\n", ISREAD ? "READ" : "WRITE"); untag_fprintf(stderr, ISREAD ? "Going to do a READ\n" : "Going to do a WRITE\n");
// CHECK: Going to do a [[TYPE:[A-Z]*]] // CHECK: Going to do a [[TYPE:[A-Z]*]]
int r = 0; int r = 0;
if (ISREAD) r = x[5]; else x[5] = 42; // should be on the same line. if (ISREAD) r = x[5]; else x[5] = 42; // should be on the same line.
// CHECK: [[TYPE]] of size 1 at {{.*}} tags: [[PTR_TAG:[0-9a-f][0-9a-f]]]/[[MEM_TAG:[0-9a-f][0-9a-f]]] (ptr/mem) // CHECK: [[TYPE]] of size 1 at {{.*}} tags: [[PTR_TAG:[0-9a-f][0-9a-f]]]/[[MEM_TAG:[0-9a-f][0-9a-f]]] (ptr/mem)
// CHECK: #0 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-2]] // CHECK: #0 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-2]]
// Offset is 5 or 11 depending on left/right alignment. // Offset is 5 or 11 depending on left/right alignment.
// CHECK: is a small unallocated heap chunk; size: 32 offset: {{5|11}} // CHECK: is a small unallocated heap chunk; size: 32 offset: {{5|11}}
// CHECK: is located 5 bytes inside of 10-byte region // CHECK: is located 5 bytes inside of 10-byte region
Show All 13 Lines

compiler-rt/trunk/test/hwasan/TestCases/utils.h

#pragma once
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define UNTAG(x) (typeof((x) + 0))(((uintptr_t)(x)) & 0xffffffffffffff)
__attribute__((no_sanitize("hwaddress")))
int untag_printf(const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
int ret = vprintf(UNTAG(fmt), ap);
va_end(ap);
return ret;
}
__attribute__((no_sanitize("hwaddress")))
int untag_fprintf(FILE *stream, const char *fmt, ...) {
va_list ap;
va_start(ap, fmt);
int ret = vfprintf(stream, UNTAG(fmt), ap);
va_end(ap);
return ret;
}
int untag_strcmp(const char *s1, const char *s2) {
return strcmp(UNTAG(s1), UNTAG(s2));
}