This is an archive of the discontinued LLVM Phabricator instance.

Differential D92881

scudo: Fix quarantine allocation when MTE enabled.
ClosedPublic

Authored by pcc on Dec 8 2020, 12:52 PM.

Details

Reviewers
cryptoad
hctim
eugenis
Commits
rGe5a28e1261a0: scudo: Fix quarantine allocation when MTE enabled.
Summary

Quarantines have always been broken when MTE is enabled because the
quarantine batch allocator fails to reset tags that may have been
left behind by a user allocation.

This was only noticed when running the Scudo unit tests with Scudo
as the system allocator because quarantines are turned off by
default on Android and the test binary turns them on by defining
__scudo_default_options, which affects the system allocator as well.

Depends on D92880

Diff Detail

Event Timeline

pcc requested review of this revision.Dec 8 2020, 12:52 PM
pcc created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptDec 8 2020, 12:52 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B81517: Diff 310323.Dec 8 2020, 2:00 PM
hctim accepted this revision.Dec 9 2020, 9:39 AM
hctim added inline comments.
compiler-rt/lib/scudo/standalone/combined.h
103

Are we sticking UNLIKELY around any memtag branches at this point? I feel like this might be a pain to undo when we actually have production devices that ship with this branch. Does it provide us a significant benefit?

This revision is now accepted and ready to land.Dec 9 2020, 9:39 AM
pcc added inline comments.Dec 9 2020, 11:15 AM
compiler-rt/lib/scudo/standalone/combined.h
103

Yes, I'm just being consistent with the other places where we are doing this. I don't remember if we ever measured the perf impact of UNLIKELY on non-MTE devices so maybe if we don't see a significant perf impact we could just remove them now.

Closed by commit rGe5a28e1261a0: scudo: Fix quarantine allocation when MTE enabled. (authored by pcc). · Explain WhyDec 9 2020, 11:49 AM
This revision was automatically updated to reflect the committed changes.
pcc added a commit: rGe5a28e1261a0: scudo: Fix quarantine allocation when MTE enabled..

Revision Contents

PathSize
compiler-rt/
lib/
scudo/
standalone/
6 lines

Diff 310597

compiler-rt/lib/scudo/standalone/combined.h

Show First 20 LinesShow All 92 Lines▼ Show 20 Lines void *allocate(UNUSED uptr Size) {
Ptr = reinterpret_cast<void *>(reinterpret_cast<uptr>(Ptr) + Ptr = reinterpret_cast<void *>(reinterpret_cast<uptr>(Ptr) +
Chunk::getHeaderSize()); Chunk::getHeaderSize());
Chunk::UnpackedHeader Header = {}; Chunk::UnpackedHeader Header = {};
Header.ClassId = QuarantineClassId & Chunk::ClassIdMask; Header.ClassId = QuarantineClassId & Chunk::ClassIdMask;
Header.SizeOrUnusedBytes = sizeof(QuarantineBatch); Header.SizeOrUnusedBytes = sizeof(QuarantineBatch);
Header.State = Chunk::State::Allocated; Header.State = Chunk::State::Allocated;
Chunk::storeHeader(Allocator.Cookie, Ptr, &Header); Chunk::storeHeader(Allocator.Cookie, Ptr, &Header);
// Reset tag to 0 as this chunk may have been previously used for a tagged
// user allocation.
if (UNLIKELY(Allocator.useMemoryTagging()))
hctimUnsubmitted
Not Done
ReplyInline Actions

Are we sticking UNLIKELY around any memtag branches at this point? I feel like this might be a pain to undo when we actually have production devices that ship with this branch. Does it provide us a significant benefit?

hctim: Are we sticking `UNLIKELY` around any memtag branches at this point? I feel like this might be…
pccAuthorUnsubmitted
Done
ReplyInline Actions

Yes, I'm just being consistent with the other places where we are doing this. I don't remember if we ever measured the perf impact of UNLIKELY on non-MTE devices so maybe if we don't see a significant perf impact we could just remove them now.

pcc: Yes, I'm just being consistent with the other places where we are doing this. I don't remember…
storeTags(reinterpret_cast<uptr>(Ptr),
reinterpret_cast<uptr>(Ptr) + sizeof(QuarantineBatch));
return Ptr; return Ptr;
} }
void deallocate(void *Ptr) { void deallocate(void *Ptr) {
const uptr QuarantineClassId = SizeClassMap::getClassIdBySize( const uptr QuarantineClassId = SizeClassMap::getClassIdBySize(
sizeof(QuarantineBatch) + Chunk::getHeaderSize()); sizeof(QuarantineBatch) + Chunk::getHeaderSize());
Chunk::UnpackedHeader Header; Chunk::UnpackedHeader Header;
Chunk::loadHeader(Allocator.Cookie, Ptr, &Header); Chunk::loadHeader(Allocator.Cookie, Ptr, &Header);
▲ Show 20 LinesShow All 1,022 LinesShow Last 20 Lines