This is an archive of the discontinued LLVM Phabricator instance.

Differential D97962

[dfsan] Add utils to get and print origin paths and some test cases
ClosedPublic

Authored by stephan.yichao.zhao on Mar 4 2021, 8:57 AM.

Details

Reviewers
morehouse
gbalats
Commits
rGc20db7ea6a0b: [dfsan] Add utils to get and print origin paths and some test cases
Summary

This is a part of https://reviews.llvm.org/D95835.

Diff Detail

Event Timeline

stephan.yichao.zhao requested review of this revision.Mar 4 2021, 8:57 AM
stephan.yichao.zhao created this revision.
Herald added a project: Restricted Project. · View Herald TranscriptMar 4 2021, 8:57 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
gbalats added inline comments.Mar 4 2021, 11:49 AM
compiler-rt/include/sanitizer/dfsan_interface.h
121

Is this printed to stdout? Should we introduce an output stream argument instead to make it more versatile?

compiler-rt/lib/dfsan/dfsan.cpp
794

This is not very clear. It might be mistaken to mean that origin tracking is not supported. Also, it doesn't indicate to the user what they are doing wrong.

794

Should this be an error perhaps?

801
826–828

Is there a test for this code path?

845

If the loop is not entered at all, should the return value be 0 (now) or origin?

compiler-rt/test/dfsan/origin_ldst.c
32

Why not typedefs instead?

compiler-rt/test/dfsan/origin_limit.c
31

You can use CHECK-COUNT here to remove duplication.

stephan.yichao.zhao marked 3 inline comments as done.Mar 4 2021, 3:54 PM
stephan.yichao.zhao added inline comments.
compiler-rt/include/sanitizer/dfsan_interface.h
121

Agree that would be better.

dfsan_print_origin_trace eventually uses stack.Print() by sanitizer's Printf to print to stderr.
Printf is safe to use inside sanitizer code because high-level stream may not work.

If we assume this API is always called from customer code, I feel another stream can work if we can change stack.Print() works with a configurable output.
Other sanitizers print traces in the shared code path. so that needs a separate work.

I changed the comments to mention 'stderr'.

compiler-rt/lib/dfsan/dfsan.cpp
794

Since we print all the messages to stderr, changed to use colors (d.Warning()) for this kind of messages.

801

Also set the warning color.

826–828

Added a test case by using asm to bypass DFSan instrumentation.
Also added test to cover other corner cases.

845

That would be 0.
If along a chain, an invalid origin is found because of unknown issues: like somehow origin memory was overwritten, 0 also returns.
When a chain reaches to the very beginning, it also returns 0.
So we are able to distinguish the two cases. Maybe we can improve this later.

But the print out stack trace can tell which we get a valid chain, because a real very origin should be an stack about dfsan_set_label.

compiler-rt/test/dfsan/origin_ldst.c
32

Thank you.

stephan.yichao.zhao marked 3 inline comments as done.Mar 4 2021, 3:55 PM
stephan.yichao.zhao added inline comments.
compiler-rt/test/dfsan/origin_limit.c
31

Thank you.

stephan.yichao.zhao updated this revision to Diff 328330.Mar 4 2021, 3:55 PM
stephan.yichao.zhao marked an inline comment as done.

addressed comments

gbalats added inline comments.Mar 4 2021, 4:12 PM
compiler-rt/lib/dfsan/dfsan.cpp
851–858

Iiuc, raw_id is initialized to 0 so we could place origin_id var outside the loop so that we don't have to check the condition twice.

stephan.yichao.zhao updated this revision to Diff 328333.Mar 4 2021, 4:18 PM

simplified the loop in dfsan_get_init_origin

stephan.yichao.zhao marked an inline comment as done.Mar 4 2021, 4:18 PM
stephan.yichao.zhao added inline comments.
compiler-rt/lib/dfsan/dfsan.cpp
851–858

Thank you. This simplified the code.

gbalats accepted this revision.Mar 4 2021, 4:42 PM
This revision is now accepted and ready to land.Mar 4 2021, 4:42 PM
Harbormaster completed remote builds in B92093: Diff 328195.Mar 4 2021, 10:17 PM
Harbormaster completed remote builds in B92175: Diff 328330.Mar 5 2021, 9:04 AM
morehouse accepted this revision.Mar 5 2021, 9:23 AM
morehouse added inline comments.
compiler-rt/include/sanitizer/dfsan_interface.h
124

At some point we may want an API to traverse the origin chain. But this is fine for now.

compiler-rt/lib/dfsan/dfsan.cpp
711

Do we also need a dfsw wrapper?

802–803
810–811
813

For addr, do we need %p?

831–833
842–843
847–848
compiler-rt/test/dfsan/origin_add_label.c
20

Why do we need this cast?

Harbormaster completed remote builds in B92177: Diff 328333.Mar 5 2021, 9:31 AM
stephan.yichao.zhao updated this revision to Diff 328670.Mar 5 2021, 3:34 PM
stephan.yichao.zhao marked 10 inline comments as done.

addressed comments.

LLVM testing does not have debug info by default.
Added a dfsan config with debug info on to test stack traces with file/line information.

compiler-rt/lib/dfsan/dfsan.cpp
711

When origin_tracking is off, we do not generate wrappers with origin arguments.

813

yes. %p works perfectly than using 0x%x. Thank you.

compiler-rt/test/dfsan/origin_add_label.c
20

Thank you. we only need cast at the next line to shift 4 bytes. This one is not useful.

This revision was landed with ongoing or failed builds.Mar 5 2021, 4:12 PM
Closed by commit rGc20db7ea6a0b: [dfsan] Add utils to get and print origin paths and some test cases (authored by Jianzhou Zhao <jianzhouzh@google.com>). · Explain Why
This revision was automatically updated to reflect the committed changes.
Jianzhou Zhao <jianzhouzh@google.com> added a commit: rGc20db7ea6a0b: [dfsan] Add utils to get and print origin paths and some test cases.
Harbormaster completed remote builds in B92415: Diff 328670.Mar 6 2021, 11:35 AM

Revision Contents

PathSize
compiler-rt/
include/
sanitizer/
15 lines
lib/
dfsan/
88 lines
7 lines
test/
dfsan/
8 lines
35 lines
13 lines
18 lines
21 lines
87 lines
39 lines
46 lines
23 lines
34 lines
12 lines

Diff 328670

compiler-rt/include/sanitizer/dfsan_interface.h

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
/// Retrieves the label associated with the given data. /// Retrieves the label associated with the given data.
/// ///
/// The type of 'data' is arbitrary. The function accepts a value of any type, /// The type of 'data' is arbitrary. The function accepts a value of any type,
/// which can be truncated or extended (implicitly or explicitly) as necessary. /// which can be truncated or extended (implicitly or explicitly) as necessary.
/// The truncation/extension operations will preserve the label of the original /// The truncation/extension operations will preserve the label of the original
/// value. /// value.
dfsan_label dfsan_get_label(long data); dfsan_label dfsan_get_label(long data);
/// Retrieves the immediate origin associated with the given data. The returned
/// origin may point to another origin.
///
/// The type of 'data' is arbitrary.
dfsan_origin dfsan_get_origin(long data);
/// Retrieves the label associated with the data at the given address. /// Retrieves the label associated with the data at the given address.
dfsan_label dfsan_read_label(const void *addr, size_t size); dfsan_label dfsan_read_label(const void *addr, size_t size);
/// Retrieves a pointer to the dfsan_label_info struct for the given label. /// Retrieves a pointer to the dfsan_label_info struct for the given label.
const struct dfsan_label_info *dfsan_get_label_info(dfsan_label label); const struct dfsan_label_info *dfsan_get_label_info(dfsan_label label);
/// Returns whether the given label label contains the label elem. /// Returns whether the given label label contains the label elem.
int dfsan_has_label(dfsan_label label, dfsan_label elem); int dfsan_has_label(dfsan_label label, dfsan_label elem);
Show All 31 Lines
/// needs to see the parameters of the function and the labels. /// needs to see the parameters of the function and the labels.
/// FIXME: implement more hooks. /// FIXME: implement more hooks.
void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2, void dfsan_weak_hook_memcmp(void *caller_pc, const void *s1, const void *s2,
size_t n, dfsan_label s1_label, size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label); dfsan_label s2_label, dfsan_label n_label);
void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2, void dfsan_weak_hook_strncmp(void *caller_pc, const char *s1, const char *s2,
size_t n, dfsan_label s1_label, size_t n, dfsan_label s1_label,
dfsan_label s2_label, dfsan_label n_label); dfsan_label s2_label, dfsan_label n_label);
/// Prints the origin trace of the label at the address addr to stderr. It also
gbalatsUnsubmitted
Not Done
ReplyInline Actions

Is this printed to stdout? Should we introduce an output stream argument instead to make it more versatile?

gbalats: Is this printed to stdout? Should we introduce an output stream argument instead to make it…
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Agree that would be better.

dfsan_print_origin_trace eventually uses stack.Print() by sanitizer's Printf to print to stderr.
Printf is safe to use inside sanitizer code because high-level stream may not work.

If we assume this API is always called from customer code, I feel another stream can work if we can change stack.Print() works with a configurable output.
Other sanitizers print traces in the shared code path. so that needs a separate work.

I changed the comments to mention 'stderr'.

stephan.yichao.zhao: Agree that would be better. dfsan_print_origin_trace eventually uses stack.Print() by…
/// prints description at the beginning of the trace. If origin tracking is not
/// on, or the address is not labeled, it prints nothing.
void dfsan_print_origin_trace(const void *addr, const char *description);
morehouseUnsubmitted
Not Done
ReplyInline Actions

At some point we may want an API to traverse the origin chain. But this is fine for now.

morehouse: At some point we may want an API to traverse the origin chain. But this is fine for now.
/// Retrieves the very first origin associated with the data at the given
/// address.
dfsan_origin dfsan_get_init_origin(const void *addr);
#ifdef __cplusplus #ifdef __cplusplus
} // extern "C" } // extern "C"
template <typename T> template <typename T>
void dfsan_set_label(dfsan_label label, T &data) { // NOLINT void dfsan_set_label(dfsan_label label, T &data) { // NOLINT
dfsan_set_label(label, (void *)&data, sizeof(T)); dfsan_set_label(label, (void *)&data, sizeof(T));
} }
#endif #endif
#endif // DFSAN_INTERFACE_H #endif // DFSAN_INTERFACE_H

compiler-rt/lib/dfsan/dfsan.cpp

Show All 25 Lines
#include "dfsan/dfsan_thread.h" #include "dfsan/dfsan_thread.h"
#include "sanitizer_common/sanitizer_atomic.h" #include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_common.h" #include "sanitizer_common/sanitizer_common.h"
#include "sanitizer_common/sanitizer_file.h" #include "sanitizer_common/sanitizer_file.h"
#include "sanitizer_common/sanitizer_flag_parser.h" #include "sanitizer_common/sanitizer_flag_parser.h"
#include "sanitizer_common/sanitizer_flags.h" #include "sanitizer_common/sanitizer_flags.h"
#include "sanitizer_common/sanitizer_internal_defs.h" #include "sanitizer_common/sanitizer_internal_defs.h"
#include "sanitizer_common/sanitizer_libc.h" #include "sanitizer_common/sanitizer_libc.h"
#include "sanitizer_common/sanitizer_report_decorator.h"
#include "sanitizer_common/sanitizer_stacktrace.h" #include "sanitizer_common/sanitizer_stacktrace.h"
using namespace __dfsan; using namespace __dfsan;
typedef atomic_uint16_t atomic_dfsan_label; typedef atomic_uint16_t atomic_dfsan_label;
static const dfsan_label kInitializingLabel = -1; static const dfsan_label kInitializingLabel = -1;
static const uptr kNumLabels = 1 << (sizeof(dfsan_label) * 8); static const uptr kNumLabels = 1 << (sizeof(dfsan_label) * 8);
▲ Show 20 LinesShow All 652 Lines▼ Show 20 Lines
// custom function. // custom function.
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label
__dfsw_dfsan_get_label(long data, dfsan_label data_label, __dfsw_dfsan_get_label(long data, dfsan_label data_label,
dfsan_label *ret_label) { dfsan_label *ret_label) {
*ret_label = 0; *ret_label = 0;
return data_label; return data_label;
} }
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_label __dfso_dfsan_get_label(
long data, dfsan_label data_label, dfsan_label *ret_label,
dfsan_origin data_origin, dfsan_origin *ret_origin) {
*ret_label = 0;
*ret_origin = 0;
return data_label;
}
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin __dfso_dfsan_get_origin(
morehouseUnsubmitted
Done
ReplyInline Actions

Do we also need a dfsw wrapper?

morehouse: Do we also need a dfsw wrapper?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

When origin_tracking is off, we do not generate wrappers with origin arguments.

stephan.yichao.zhao: When origin_tracking is off, we do not generate wrappers with origin arguments.
long data, dfsan_label data_label, dfsan_label *ret_label,
dfsan_origin data_origin, dfsan_origin *ret_origin) {
*ret_label = 0;
*ret_origin = 0;
return data_origin;
}
SANITIZER_INTERFACE_ATTRIBUTE dfsan_label SANITIZER_INTERFACE_ATTRIBUTE dfsan_label
dfsan_read_label(const void *addr, uptr size) { dfsan_read_label(const void *addr, uptr size) {
if (size == 0) if (size == 0)
return 0; return 0;
return __dfsan_union_load(shadow_for(addr), size); return __dfsan_union_load(shadow_for(addr), size);
} }
SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin
▲ Show 20 LinesShow All 49 Lines▼ Show 20 Lines for (uptr l = 1; l <= last_label; ++l) {
if (__dfsan_label_info[l].l1 == 0 && __dfsan_label_info[l].desc) { if (__dfsan_label_info[l].l1 == 0 && __dfsan_label_info[l].desc) {
WriteToFile(fd, __dfsan_label_info[l].desc, WriteToFile(fd, __dfsan_label_info[l].desc,
internal_strlen(__dfsan_label_info[l].desc)); internal_strlen(__dfsan_label_info[l].desc));
} }
WriteToFile(fd, "\n", 1); WriteToFile(fd, "\n", 1);
} }
} }
class Decorator : public __sanitizer::SanitizerCommonDecorator {
public:
Decorator() : SanitizerCommonDecorator() {}
const char *Origin() const { return Magenta(); }
};
extern "C" SANITIZER_INTERFACE_ATTRIBUTE void dfsan_print_origin_trace(
const void *addr, const char *description) {
Decorator d;
if (!__dfsan_get_track_origins()) {
gbalatsUnsubmitted
Done
ReplyInline Actions
if (!__dfsan_get_track_origins()) {
- Printf(" DFSan does not track any origins\n");
+ Printf(" Origin tracking is not enabled. Did you specify the -dfsan-track-origins=1 option\n");
return;

This is not very clear. It might be mistaken to mean that origin tracking is not supported. Also, it doesn't indicate to the user what they are doing wrong.

gbalats: This is not very clear. It might be mistaken to mean that origin tracking is not supported.
gbalatsUnsubmitted
Not Done
ReplyInline Actions

Should this be an error perhaps?

gbalats: Should this be an error perhaps?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Since we print all the messages to stderr, changed to use colors (d.Warning()) for this kind of messages.

stephan.yichao.zhao: Since we print all the messages to stderr, changed to use colors (d.Warning()) for this kind of…
Printf(
" %sDFSan: origin tracking is not enabled. Did you specify the "
"-dfsan-track-origins=1 option?%s\n",
d.Warning(), d.Default());
return;
}
gbalatsUnsubmitted
Done
ReplyInline Actions
if (!label) {
- Printf(" DFSan does not find any taint value at %x\n", addr);
+ Printf(" DFSan: no tainted value at %x\n", addr);
return;
gbalats:
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Also set the warning color.

stephan.yichao.zhao: Also set the warning color.
const dfsan_label label = *__dfsan::shadow_for(addr);
if (!label) {
morehouseUnsubmitted
Done
ReplyInline Actions
return;
}
- const dfsan_label *shadow_addr = __dfsan::shadow_for(addr);
- const dfsan_label label = *shadow_addr;
+ const dfsan_label label = *__dfsan::shadow_for(addr);
if (!label) {
morehouse:
Printf(" %sDFSan: no tainted value at %x%s\n", d.Warning(), addr,
d.Default());
return;
}
const dfsan_origin origin = *__dfsan::origin_for(addr);
Printf(" %sTaint value 0x%x (at %p) origin tracking (%s)%s\n", d.Origin(),
morehouseUnsubmitted
Done
ReplyInline Actions
return;
}
- const dfsan_origin *origin_addr = __dfsan::origin_for(addr);
- const dfsan_origin origin = *origin_addr;
+ const dfsan_origin origin = *__dfsan::origin_for(addr);
Printf(" %sTaint value 0x%x (at 0x%x) origin tracking (%s)%s\n", d.Origin(),
morehouse:
label, addr, description ? description : "", d.Default());
Origin o = Origin::FromRawId(origin);
morehouseUnsubmitted
Done
ReplyInline Actions

For addr, do we need %p?

morehouse: For addr, do we need `%p`?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

yes. %p works perfectly than using 0x%x. Thank you.

stephan.yichao.zhao: yes. %p works perfectly than using 0x%x. Thank you.
bool found = false;
while (o.isChainedOrigin()) {
StackTrace stack;
dfsan_origin origin_id = o.raw_id();
o = o.getNextChainedOrigin(&stack);
if (o.isChainedOrigin())
Printf(" %sOrigin value: 0x%x, Taint value was stored to memory at%s\n",
d.Origin(), origin_id, d.Default());
else
Printf(" %sOrigin value: 0x%x, Taint value was created at%s\n",
d.Origin(), origin_id, d.Default());
stack.Print();
found = true;
}
if (!found)
gbalatsUnsubmitted
Done
ReplyInline Actions

Is there a test for this code path?

gbalats: Is there a test for this code path?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Added a test case by using asm to bypass DFSan instrumentation.
Also added test to cover other corner cases.

stephan.yichao.zhao: Added a test case by using asm to bypass DFSan instrumentation. Also added test to cover other…
Printf(
" %sTaint value 0x%x (at %p) has invalid origin tracking. This can "
"be a DFSan bug.%s\n",
d.Warning(), label, addr, d.Default());
}
morehouseUnsubmitted
Done
ReplyInline Actions
if (!found)
Printf(
- " %sTaint value 0x%x (at %x) has invalid origin tracking. This can "
- "be a bug of DFSan.%s\n",
+ " %sTaint value 0x%x (at %x) has invalid origin tracking. This may "
+ "be a DFSan bug.%s\n",
d.Warning(), label, addr, d.Default());
morehouse:
extern "C" SANITIZER_INTERFACE_ATTRIBUTE dfsan_origin
dfsan_get_init_origin(const void *addr) {
if (!__dfsan_get_track_origins())
return 0;
const dfsan_label label = *__dfsan::shadow_for(addr);
if (!label)
return 0;
morehouseUnsubmitted
Done
ReplyInline Actions
return 0;
- const dfsan_label *shadow_addr = __dfsan::shadow_for(addr);
- const dfsan_label label = *shadow_addr;
+ const dfsan_label label = *__dfsan::shadow_for(addr);
if (!label)
morehouse:
const dfsan_origin origin = *__dfsan::origin_for(addr);
gbalatsUnsubmitted
Not Done
ReplyInline Actions

If the loop is not entered at all, should the return value be 0 (now) or origin?

gbalats: If the loop is not entered at all, should the return value be 0 (now) or origin?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

That would be 0.
If along a chain, an invalid origin is found because of unknown issues: like somehow origin memory was overwritten, 0 also returns.
When a chain reaches to the very beginning, it also returns 0.
So we are able to distinguish the two cases. Maybe we can improve this later.

But the print out stack trace can tell which we get a valid chain, because a real very origin should be an stack about dfsan_set_label.

stephan.yichao.zhao: That would be 0. If along a chain, an invalid origin is found because of unknown issues: like…
Origin o = Origin::FromRawId(origin);
dfsan_origin origin_id = o.raw_id();
while (o.isChainedOrigin()) {
morehouseUnsubmitted
Done
ReplyInline Actions
return 0;
- const dfsan_origin *origin_addr = __dfsan::origin_for(addr);
- const dfsan_origin origin = *origin_addr;
+ const dfsan_origin origin = *__dfsan::origin_for(addr);
Origin o = Origin::FromRawId(origin);
morehouse:
StackTrace stack;
o = o.getNextChainedOrigin(&stack);
}
return origin_id;
}
#define GET_FATAL_STACK_TRACE_PC_BP(pc, bp) \ #define GET_FATAL_STACK_TRACE_PC_BP(pc, bp) \
BufferedStackTrace stack; \ BufferedStackTrace stack; \
stack.Unwind(pc, bp, nullptr, common_flags()->fast_unwind_on_fatal); stack.Unwind(pc, bp, nullptr, common_flags()->fast_unwind_on_fatal);
gbalatsUnsubmitted
Done
ReplyInline Actions
Origin o = Origin::FromRawId(origin);
+ dfsan_origin origin_id = o.raw_id();
while (o.isChainedOrigin()) {
StackTrace stack;
- dfsan_origin origin_id = o.raw_id();
o = o.getNextChainedOrigin(&stack);
- if (!o.isChainedOrigin())
- return origin_id;
}
- return 0;
+ return origin_id;
}
#define GET_FATAL_STACK_TRACE_PC_BP(pc, bp) \

Iiuc, raw_id is initialized to 0 so we could place origin_id var outside the loop so that we don't have to check the condition twice.

gbalats: Iiuc, `raw_id` is initialized to 0 so we could place `origin_id` var outside the loop so that…
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Thank you. This simplified the code.

stephan.yichao.zhao: Thank you. This simplified the code.
void __sanitizer::BufferedStackTrace::UnwindImpl(uptr pc, uptr bp, void __sanitizer::BufferedStackTrace::UnwindImpl(uptr pc, uptr bp,
void *context, void *context,
bool request_fast, bool request_fast,
u32 max_depth) { u32 max_depth) {
using namespace __dfsan; using namespace __dfsan;
DFsanThread *t = GetCurrentThread(); DFsanThread *t = GetCurrentThread();
if (!t || !StackTrace::WillUseFastUnwind(request_fast)) { if (!t || !StackTrace::WillUseFastUnwind(request_fast)) {
return Unwind(max_depth, pc, bp, context, 0, 0, false); return Unwind(max_depth, pc, bp, context, 0, 0, false);
▲ Show 20 LinesShow All 127 LinesShow Last 20 Lines

compiler-rt/lib/dfsan/done_abilist.txt

Show All 22 Lines
fun:dfsan_has_label=uninstrumented fun:dfsan_has_label=uninstrumented
fun:dfsan_has_label=discard fun:dfsan_has_label=discard
fun:dfsan_has_label_with_desc=uninstrumented fun:dfsan_has_label_with_desc=uninstrumented
fun:dfsan_has_label_with_desc=discard fun:dfsan_has_label_with_desc=discard
fun:dfsan_set_write_callback=uninstrumented fun:dfsan_set_write_callback=uninstrumented
fun:dfsan_set_write_callback=custom fun:dfsan_set_write_callback=custom
fun:dfsan_flush=uninstrumented fun:dfsan_flush=uninstrumented
fun:dfsan_flush=discard fun:dfsan_flush=discard
fun:dfsan_print_origin_trace=uninstrumented
fun:dfsan_print_origin_trace=discard
fun:dfsan_get_origin=uninstrumented
fun:dfsan_get_origin=custom
fun:dfsan_get_init_origin=uninstrumented
fun:dfsan_get_init_origin=discard
############################################################################### ###############################################################################
# glibc # glibc
############################################################################### ###############################################################################
fun:malloc=discard fun:malloc=discard
fun:free=discard fun:free=discard
# Functions that return a value that depends on the input, but the output might # Functions that return a value that depends on the input, but the output might
▲ Show 20 LinesShow All 356 LinesShow Last 20 Lines

compiler-rt/test/dfsan/lit.cfg.py

# -*- Python -*- # -*- Python -*-
import os import os
# Setup config name. # Setup config name.
config.name = 'DataFlowSanitizer' + config.name_suffix config.name = 'DataFlowSanitizer' + config.name_suffix
# Setup source root. # Setup source root.
config.test_source_root = os.path.dirname(__file__) config.test_source_root = os.path.dirname(__file__)
# Setup default compiler flags used with -fsanitize=dataflow option. # Setup default compiler flags used with -fsanitize=dataflow option.
clang_dfsan_cflags = ["-fsanitize=dataflow", config.target_cflags] clang_dfsan_cflags = (["-fsanitize=dataflow"] +
[config.target_cflags])
clang_dfsan_debug_cflags = (clang_dfsan_cflags +
config.debug_info_flags)
clang_dfsan_cxxflags = config.cxx_mode_flags + clang_dfsan_cflags clang_dfsan_cxxflags = config.cxx_mode_flags + clang_dfsan_cflags
def build_invocation(compile_flags): def build_invocation(compile_flags):
return " " + " ".join([config.clang] + compile_flags) + " " return " " + " ".join([config.clang] + compile_flags) + " "
config.substitutions.append( ("%clang_dfsan ", build_invocation(clang_dfsan_cflags)) ) config.substitutions.append( ("%clang_dfsan ", build_invocation(clang_dfsan_cflags)) )
config.substitutions.append( ("%clang_debug_dfsan ", build_invocation(clang_dfsan_debug_cflags)) )
config.substitutions.append( ("%clangxx_dfsan ", build_invocation(clang_dfsan_cxxflags)) ) config.substitutions.append( ("%clangxx_dfsan ", build_invocation(clang_dfsan_cxxflags)) )
# Default test suffixes. # Default test suffixes.
config.suffixes = ['.c', '.cpp'] config.suffixes = ['.c', '.cpp']
# DataFlowSanitizer tests are currently supported on Linux only. # DataFlowSanitizer tests are currently supported on Linux only.
if config.host_os not in ['Linux']: if config.host_os not in ['Linux']:
config.unsupported = True config.unsupported = True

compiler-rt/test/dfsan/origin_add_label.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true -mllvm -dfsan-instrument-with-call-threshold=0 %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
__attribute__((noinline)) uint64_t foo(uint64_t a, uint64_t b) { return a + b; }
int main(int argc, char *argv[]) {
uint64_t a = 10;
uint64_t b = 20;
dfsan_add_label(4, &a, sizeof(a));
dfsan_add_label(8, &a, sizeof(a));
uint64_t c = foo(a, b);
dfsan_print_origin_trace(&c, NULL);
dfsan_print_origin_trace((int*)&c + 1, NULL);
morehouseUnsubmitted
Done
ReplyInline Actions

Why do we need this cast?

morehouse: Why do we need this cast?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Thank you. we only need cast at the next line to shift 4 bytes. This one is not useful.

stephan.yichao.zhao: Thank you. we only need cast at the next line to shift 4 bytes. This one is not useful.
}
// CHECK: Taint value 0xc {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: #0 {{.*}} in main {{.*}}origin_add_label.c:[[@LINE-7]]
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_add_label.c:[[@LINE-11]]
// CHECK: Taint value 0xc {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: #0 {{.*}} in main {{.*}}origin_add_label.c:[[@LINE-14]]
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_add_label.c:[[@LINE-18]]

compiler-rt/test/dfsan/origin_disabled.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
int main(int argc, char *argv[]) {
uint64_t a = 10;
dfsan_set_label(8, &a, sizeof(a));
dfsan_print_origin_trace(&a, NULL);
}
// CHECK: DFSan: origin tracking is not enabled. Did you specify the -dfsan-track-origins=1 option?

compiler-rt/test/dfsan/origin_invalid.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-fast-16-labels=true -mllvm -dfsan-track-origins=1 %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
int main(int argc, char *argv[]) {
uint64_t a = 10;
dfsan_set_label(8, &a, sizeof(a));
size_t origin_addr =
(((size_t)&a & ~0x700000000000LL + 0x200000000000LL) & ~0x3UL);
asm("mov %0, %%rax": :"r"(origin_addr));
asm("movq $0, (%rax)");
dfsan_print_origin_trace(&a, "invalid");
}
// CHECK: Taint value 0x8 (at {{.*}}) origin tracking (invalid)
// CHECK: Taint value 0x8 (at {{.*}}) has invalid origin tracking. This can be a DFSan bug.

compiler-rt/test/dfsan/origin_ld_lost.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
//
// Test origin tracking can lost origins at 2-byte load with addr % 4 == 3.
#include <sanitizer/dfsan_interface.h>
__attribute__((noinline)) uint16_t foo(uint16_t a, uint16_t b) { return a + b; }
int main(int argc, char *argv[]) {
uint64_t a __attribute__((aligned(4))) = 1;
uint32_t b = 10;
dfsan_set_label(4, (uint8_t *)&a + 4, sizeof(uint8_t));
uint16_t c = foo(*(uint16_t *)((uint8_t *)&a + 3), b);
dfsan_print_origin_trace(&c, "foo");
}
// CHECK: Taint value 0x4 {{.*}} origin tracking (foo)
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_ld_lost.c:[[@LINE-6]]

compiler-rt/test/dfsan/origin_ldst.c

  • This file was added.
// RUN: %clang_debug_dfsan -DTEST64 -DALIGN=8 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK_DEBUG_INFO < %t.out
//
// RUN: %clang_debug_dfsan -DTEST32 -DALIGN=4 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK_DEBUG_INFO < %t.out
//
// RUN: %clang_debug_dfsan -DALIGN=2 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK_DEBUG_INFO < %t.out
//
// rUN: %clang_dfsan -DTEST64 -DALIGN=5 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// rUN: %run %t >%t.out 2>&1
// rUN: FileCheck %s --check-prefixes=CHECK,CHECK_NO_DEBUG_INFO < %t.out
//
// rUN: %clang_dfsan -DTEST32 -DALIGN=3 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// rUN: %run %t >%t.out 2>&1
// rUN: FileCheck %s --check-prefixes=CHECK,CHECK_NO_DEBUG_INFO < %t.out
//
// RUN: %clang_debug_dfsan -DALIGN=1 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK_DEBUG_INFO < %t.out
//
// RUN: %clang_dfsan -DALIGN=1 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefixes=CHECK,CHECK_NO_DEBUG_INFO < %t.out
//
// Test origin tracking is accurate in terms of partial store/load, and
// different aligments. Do not test alignments that are not power of 2.
// Compilers do not always allow this.
gbalatsUnsubmitted
Done
ReplyInline Actions

Why not typedefs instead?

gbalats: Why not typedefs instead?
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Thank you.

stephan.yichao.zhao: Thank you.
#include <sanitizer/dfsan_interface.h>
#ifdef TEST64
typedef uint64_t FULL_TYPE;
typedef uint32_t HALF_TYPE;
#elif defined(TEST32)
typedef uint32_t FULL_TYPE;
typedef uint16_t HALF_TYPE;
#else
typedef uint16_t FULL_TYPE;
typedef uint8_t HALF_TYPE;
#endif
__attribute__((noinline)) FULL_TYPE foo(FULL_TYPE a, FULL_TYPE b) { return a + b; }
int main(int argc, char *argv[]) {
char x __attribute__((aligned(ALIGN))) = 1, y = 2;
dfsan_set_label(8, &x, sizeof(x));
char z __attribute__((aligned(ALIGN))) = x + y;
dfsan_print_origin_trace(&z, NULL);
FULL_TYPE a __attribute__((aligned(ALIGN))) = 1;
FULL_TYPE b = 10;
dfsan_set_label(4, (HALF_TYPE *)&a + 1, sizeof(HALF_TYPE));
FULL_TYPE c __attribute__((aligned(ALIGN))) = foo(a, b);
dfsan_print_origin_trace(&c, NULL);
dfsan_print_origin_trace((HALF_TYPE *)&c + 1, NULL);
}
// CHECK: Taint value 0x8 {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-13]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-18]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}
// CHECK: Taint value 0x4 {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-16]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-21]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}
// CHECK: Taint value 0x4 {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-25]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK_DBEUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c:[[@LINE-30]]
// CHECK_NO_DEBUG_INFO: #0 {{.*}} in main {{.*}}origin_ldst.c{{.*}}

compiler-rt/test/dfsan/origin_limit.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t
//
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
//
// RUN: DFSAN_OPTIONS=origin_history_size=2 %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK2 < %t.out
//
// RUN: DFSAN_OPTIONS=origin_history_size=0 %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK0 < %t.out
#include <sanitizer/dfsan_interface.h>
#include <stdio.h>
__attribute__((noinline)) int foo(int a, int b) { return a + b; }
int main(int argc, char *argv[]) {
int a = 10;
dfsan_set_label(8, &a, sizeof(a));
int c = 0;
for (int i = 0; i < 17; ++i) {
c = foo(a, c);
printf("%lx", (unsigned long)&c);
}
dfsan_print_origin_trace(&c, NULL);
}
// CHECK: Taint value 0x8 {{.*}} origin tracking ()
// CHECK-COUNT 14: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: Origin value: {{.*}}, Taint value was created at
gbalatsUnsubmitted
Done
ReplyInline Actions

You can use CHECK-COUNT here to remove duplication.

gbalats: You can use CHECK-COUNT here to remove duplication.
stephan.yichao.zhaoAuthorUnsubmitted
Done
ReplyInline Actions

Thank you.

stephan.yichao.zhao: Thank you.
// CHECK2: Taint value 0x8 {{.*}} origin tracking ()
// CHECK2: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK2: Origin value: {{.*}}, Taint value was created at
// CHECK0: Taint value 0x8 {{.*}} origin tracking ()
// CHECK0-COUNT 16: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK0: Origin value: {{.*}}, Taint value was created at

compiler-rt/test/dfsan/origin_memset.c

  • This file was added.
// RUN: %clang_debug_dfsan -DOFFSET=0 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK0 < %t.out
// RUN: %clang_debug_dfsan -DOFFSET=10 -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK10 < %t.out
#include <sanitizer/dfsan_interface.h>
#include <string.h>
int xx[10000];
volatile int idx = 30;
__attribute__((noinline))
void fn_g(int a, int b) {
memset(&xx[idx], a, sizeof(a));
memset(&xx[idx + 10], b, sizeof(b));
}
__attribute__((noinline))
void fn_f(int a, int b) {
fn_g(a, b);
}
int main(int argc, char *argv[]) {
int volatile z1;
int volatile z2;
dfsan_set_label(8, (void *)&z1, sizeof(z1));
dfsan_set_label(16, (void *)&z2, sizeof(z2));
fn_f(z1, z2);
dfsan_print_origin_trace(&xx[idx + OFFSET], NULL);
return 0;
}
// CHECK0: Taint value 0x8 {{.*}} origin tracking ()
// CHECK0: Origin value: {{.*}}, Taint value was created at
// CHECK0: #0 {{.*}} in main {{.*}}origin_memset.c:[[@LINE-10]]
// CHECK10: Taint value 0x10 {{.*}} origin tracking ()
// CHECK10: Origin value: {{.*}}, Taint value was created at
// CHECK10: #0 {{.*}} in main {{.*}}origin_memset.c:[[@LINE-14]]

compiler-rt/test/dfsan/origin_overlapped.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
int main(int argc, char *argv[]) {
char volatile z1;
char volatile z2;
dfsan_set_label(8, (void *)&z1, sizeof(z1));
dfsan_set_label(16, (void *)&z2, sizeof(z2)); // overwritting the old origin.
char c = z1;
dfsan_print_origin_trace(&c, "bar");
return 0;
}
// CHECK: Taint value 0x8 {{.*}} origin tracking (bar)
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: #0 {{.*}} in main {{.*}}origin_overlapped.c:[[@LINE-7]]
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_overlapped.c:[[@LINE-12]]

compiler-rt/test/dfsan/origin_set_label.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
// RUN: %clang_debug_dfsan -mllvm -dfsan-track-origins=1 -mllvm -dfsan-fast-16-labels=true -mllvm -dfsan-instrument-with-call-threshold=0 %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
__attribute__((noinline)) uint64_t foo(uint64_t a, uint64_t b) { return a + b; }
int main(int argc, char *argv[]) {
uint64_t a = 10;
uint64_t b = 20;
dfsan_set_label(8, &a, sizeof(a));
uint64_t c = foo(a, b);
dfsan_print_origin_trace(&c, NULL);
dfsan_print_origin_trace((int*)(&c) + 1, NULL);
}
// CHECK: Taint value 0x8 {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: #0 {{.*}} in main {{.*}}origin_set_label.c:[[@LINE-7]]
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_set_label.c:[[@LINE-11]]
// CHECK: Taint value 0x8 {{.*}} origin tracking ()
// CHECK: Origin value: {{.*}}, Taint value was stored to memory at
// CHECK: #0 {{.*}} in main {{.*}}origin_set_label.c:[[@LINE-14]]
// CHECK: Origin value: {{.*}}, Taint value was created at
// CHECK: #0 {{.*}} in main {{.*}}origin_set_label.c:[[@LINE-18]]

compiler-rt/test/dfsan/origin_untainted.c

  • This file was added.
// RUN: %clang_debug_dfsan -mllvm -dfsan-fast-16-labels=true -mllvm -dfsan-track-origins=1 %s -o %t && \
// RUN: %run %t >%t.out 2>&1
// RUN: FileCheck %s --check-prefix=CHECK < %t.out
#include <sanitizer/dfsan_interface.h>
int main(int argc, char *argv[]) {
uint64_t a = 10;
dfsan_print_origin_trace(&a, NULL);
}
// CHECK: DFSan: no tainted value at {{.*}}