Commit Graph

279 Commits

Author SHA1 Message Date
Francis Ricci 0d920c4418 Only scan global sections containing data in LSan on darwin
Summary:
__DATA segments on Darwin contain a large number of separate sections,
many of which cannot actually contain pointers, and contain const values or
objc metadata. Not scanning sections which cannot contain pointers significantly
improves performance.

On a medium-sized (~4000 files) internal project, I saw a speedup of about 30%
in standalone LSan's execution time (30% improvement in the time spent running
LSan, not the total program time).

Reviewers: kcc, kubamracek, alekseyshl

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D35432

llvm-svn: 308999
2017-07-25 18:16:58 +00:00
Vitaly Buka d4abe9e7d3 [sanitizer_common] Move filesystem-related code out of sanitizer_common.cc
Summary:
This is a pure refactoring change.  It just moves code that is
related to filesystem operations from sanitizer_common.{cc,h} to
sanitizer_file.{cc,h}.  This makes it cleaner to disable the
filesystem-related code for a new port that doesn't want it.

Submitted on behalf of Roland McGrath.

Reviewers: kcc, eugenis, alekseyshl

Reviewed By: alekseyshl

Subscribers: vitalybuka, llvm-commits, kubamracek, mgorny, phosek

Tags: #sanitizers

Differential Revision: https://reviews.llvm.org/D35591

llvm-svn: 308819
2017-07-22 01:46:40 +00:00
Vitaly Buka 094684c155 Revert "[sanitizer_common] Move filesystem-related code out of sanitizer_common.cc"
Breaks Windows build.

This reverts commit r308640.

llvm-svn: 308648
2017-07-20 18:24:45 +00:00
Alex Shlyapnikov 89e85d1717 [sanitizer_common] Move filesystem-related code out of sanitizer_common.cc
This is a pure refactoring change. It just moves code that is
related to filesystem operations from sanitizer_common.{cc,h} to
sanitizer_file.{cc,h}. This makes it cleaner to disable the
filesystem-related code for a new port that doesn't want it.

Committing for mcgrathr.

Reviewers: alekseyshl

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D35591

llvm-svn: 308640
2017-07-20 17:48:42 +00:00
Francis Ricci 1b5f773859 Revert "Only scan global sections containing data in LSan on darwin"
This reverts commit 7e46d78d47832f03ce42adcf56417fbfd47cbaad.

llvm-svn: 308394
2017-07-18 23:51:44 +00:00
Francis Ricci 7096b08cd7 Only scan global sections containing data in LSan on darwin
Summary:
__DATA segments on Darwin contain a large number of separate sections,
most of which cannot actually contain pointers, and contain const values or
objc metadata. Only scanning sections which can contain pointers greatly improves
performance.

On a medium-sized (~4000 files) internal project, I saw a speedup of about 50%
in standalone LSan's execution time (50% improvement in the time spent running
LSan, not the total program time).

Reviewers: kcc, kubamracek, alekseyshl

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D35432

llvm-svn: 308231
2017-07-17 23:03:03 +00:00
Kuba Mracek c1e903be19 [asan] For iOS/AArch64, if the dynamic shadow doesn't fit, restrict the VM space
On iOS/AArch64, the address space is very limited and has a dynamic maximum address based on the configuration of the device. We're already using a dynamic shadow, and we find a large-enough "gap" in the VM where we place the shadow memory. In some cases and some device configurations, we might not be able to find a large-enough gap: E.g. if the main executable is linked against a large number of libraries that are not part of the system, these libraries can fragment the address space, and this happens before ASan starts initializing.

This patch has a solution, where we have a "backup plan" when we cannot find a large-enough gap: We will restrict the address space (via MmapFixedNoAccess) to a limit, for which the shadow limit will fit.

Differential Revision: https://reviews.llvm.org/D35098

llvm-svn: 307865
2017-07-12 23:29:21 +00:00
Alex Shlyapnikov 01676883cd [Sanitizers] 64 bit allocator respects allocator_may_return_null flag
Summary:
Make SizeClassAllocator64 return nullptr when it encounters OOM, which
allows the entire sanitizer's allocator to follow
allocator_may_return_null=1 policy
(LargeMmapAllocator: D34243, SizeClassAllocator64: D34433).

Reviewers: eugenis

Subscribers: srhines, kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D34540

llvm-svn: 306342
2017-06-26 22:54:10 +00:00
Evgeniy Stepanov 90e5c30836 [asan] Add support for Android debug message.
Add ASan report to the "debug message" field in Android tombstones.

llvm-svn: 306184
2017-06-23 23:38:20 +00:00
Alex Shlyapnikov f3cc7cc3d8 [Sanitizers] 32 bit allocator respects allocator_may_return_null flag
Summary:
Make SizeClassAllocator32 return nullptr when it encounters OOM, which
allows the entire sanitizer's allocator to follow allocator_may_return_null=1
policy, even for small allocations (LargeMmapAllocator is already fixed
by D34243).

Will add a test for OOM in primary allocator later, when
SizeClassAllocator64 can gracefully handle OOM too.

Reviewers: eugenis

Subscribers: kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D34433

llvm-svn: 305972
2017-06-22 00:02:37 +00:00
Kostya Kortchinsky 2b053b1c28 [sanitizer] Add a function to gather random bytes
Summary:
AFAICT compiler-rt doesn't have a function that would return 'good' random
bytes to seed a PRNG. Currently, the `SizeClassAllocator64` uses addresses
returned by `mmap` to seed its PRNG, which is not ideal, and
`SizeClassAllocator32` doesn't benefit from the entropy offered by its 64-bit
counterpart address space, so right now it has nothing. This function aims at
solving this, allowing the implementation of good 32-bit chunk randomization. Scudo also
has a function that does this for Cookie purposes, which would go away in a
later CL once this lands.

This function will try the `getrandom` syscall if available, and fallback to
`/dev/urandom` if not.

Unfortunately, I do not have a way to implement and test a Mac and Windows
version, so those are unimplemented as of now. Note that `kRandomShuffleChunks`
is only used on Linux for now.

Reviewers: alekseyshl

Reviewed By: alekseyshl

Subscribers: zturner, rnk, llvm-commits, kubamracek

Differential Revision: https://reviews.llvm.org/D34412

llvm-svn: 305922
2017-06-21 15:56:03 +00:00
Alex Shlyapnikov 9092fe6f4b [Sanitizers] Secondary allocator respects allocator_may_return_null=1.
Summary:
Context: https://github.com/google/sanitizers/issues/740.

Making the secondary allocator respect the allocator_may_return_null=1 flag
and return nullptr when "out of memory" happens.

More changes in primary allocator and operator new will follow.

Reviewers: eugenis

Subscribers: kubamracek, llvm-commits

Differential Revision: https://reviews.llvm.org/D34243

llvm-svn: 305569
2017-06-16 18:48:08 +00:00
Kostya Kortchinsky 77f30c9c31 [sanitizer] Reverting D34152
Summary:
This broke thread_local_quarantine_pthread_join.cc on some architectures, due
to the overhead of the stashed regions. Reverting while figuring out the best
way to deal with it.

Reviewers: alekseyshl

Reviewed By: alekseyshl

Subscribers: llvm-commits, kubamracek

Differential Revision: https://reviews.llvm.org/D34213

llvm-svn: 305404
2017-06-14 17:32:26 +00:00
Kostya Kortchinsky eca926ab3a [sanitizer] MmapAlignedOrDie changes to reduce fragmentation
Summary:
The reasoning behind this change is explained in D33454, which unfortunately
broke the Windows version (due to the platform not supporting partial unmapping
of a memory region).

This new approach changes `MmapAlignedOrDie` to allow for the specification of
a `padding_chunk`. If non-null, and the initial allocation is aligned, this
padding chunk will hold the address of the extra memory (of `alignment` bytes).
This allows `AllocateRegion` to get 2 regions if the memory is aligned
properly, and thus help reduce fragmentation (and saves on unmapping
operations). As with the initial D33454, we use a stash in the 32-bit Primary
to hold those extra regions and return them on the fast-path.

The Windows version of `MmapAlignedOrDie` will always return a 0
`padding_chunk` if one was requested.

Reviewers: alekseyshl, dvyukov, kcc

Reviewed By: alekseyshl

Subscribers: llvm-commits, kubamracek

Differential Revision: https://reviews.llvm.org/D34152

llvm-svn: 305391
2017-06-14 15:32:17 +00:00
Kostya Serebryany 1800814b41 [sanitizer-coverage] nuke more stale code
llvm-svn: 304504
2017-06-02 00:52:35 +00:00
Kostya Serebryany c1a56baa3e [sanitizer-coverage] nuke more stale code
llvm-svn: 304503
2017-06-02 00:17:54 +00:00
Vitaly Buka a05da1fca9 [compiler-rt] Replace allow_user_segv_handler=0 with kHandleSignalExclusive
Summary:
allow_user_segv_handler had a confusing name and did not allow controlling behavior for
signals separately.

Reviewers: eugenis, alekseyshl, kcc

Subscribers: llvm-commits, dberris, kubamracek

Differential Revision: https://reviews.llvm.org/D33371

llvm-svn: 303941
2017-05-25 23:42:33 +00:00
Francis Ricci dd592ff467 Use write instead of read permissions to check for global sections on mac
Summary:
The LINKEDIT section is very large and is read-only. Scanning this
section caused LSan on darwin to be very slow. When only writable sections
are scanned for global pointers, performance improved by a factor of about 25x.

Reviewers: alekseyshl, kubamracek

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D33322

llvm-svn: 303422
2017-05-19 13:34:02 +00:00
Kuba Mracek ceb30b0717 [sanitizer] Introduce tid_t as a typedef for OS-provided thread IDs
We seem to assume that OS-provided thread IDs are either uptr or int, neither of which is true on Darwin. This introduces a tid_t type, which holds an OS-provided thread ID (gettid on Linux, pthread_threadid_np on Darwin, pthread_self on FreeBSD).

Differential Revision: https://reviews.llvm.org/D31774

llvm-svn: 300473
2017-04-17 18:17:38 +00:00
Francis Ricci 7c6bf1cc9f Don't read non-readable address ranges during lsan pointer scanning
Summary: This specifically addresses the Mach-O zero page, which we cannot read from.

Reviewers: kubamracek, samsonov, alekseyshl

Subscribers: llvm-commits

Differential Revision: https://reviews.llvm.org/D32044

llvm-svn: 300456
2017-04-17 16:34:38 +00:00
Vedant Kumar 2b1eae0aa5 [ubsan] Use the correct tool name in diagnostics
When using ASan and UBSan together, the common sanitizer tool name is
set to "AddressSanitizer". That means that when a UBSan diagnostic is
printed out, it looks like this:

  SUMMARY: AddressSanitizer: ...

This can confuse users. Fix it so that we always use the correct tool
name when printing out UBSan diagnostics.

Differential Revision: https://reviews.llvm.org/D32066

llvm-svn: 300358
2017-04-14 18:24:35 +00:00
Maxim Ostapenko 76630d43f6 [sanitizer] Bail out with warning if user dlopens shared library with RTLD_DEEPBIND flag
People keep hitting on spurious failures in malloc/free routines when using sanitizers
with shared libraries dlopened with RTLD_DEEPBIND (see https://github.com/google/sanitizers/issues/611 for details).
Let's check for this flag and bail out with warning message instead of failing in random places.

Differential Revision: https://reviews.llvm.org/D30504

llvm-svn: 297370
2017-03-09 10:47:38 +00:00
Marcos Pividori fe9288a6a0 [sanitizer] Move DescribeSignalOrException to sanitizer_common.
Differential Revision: https://reviews.llvm.org/D29459

llvm-svn: 293956
2017-02-02 23:01:59 +00:00
Kuba Mracek 14cabdd2c3 Follow-up for r291277: Add a return to silence GCC's "control reaches end of non-void function" warning.
llvm-svn: 291639
2017-01-11 01:12:53 +00:00
Kuba Mracek b6c6eaf226 [sanitizer] Add a 'print_module_map' flag which prints modules with UUIDs on Darwin
This patch adds a new sanitizer flag, print_module_map, which enables printing a module map when the process exits, or after each report (for TSan). The output format is very similar to what Crash Reporter produces on Darwin (e.g. the format of module UUIDs). This enables users to use the existing symbol servers to offline symbolicate and aggregate reports.

Differential Revision: https://reviews.llvm.org/D27400

llvm-svn: 291277
2017-01-06 20:57:47 +00:00
Kuba Mracek 43d287e04e [sanitizer] Track which modules are instrumented in LoadedModule objects
This patch adds tracking which modules are instrumented and which are not. On macOS, instrumented modules link against the ASan/TSan/... dylib, so we can just check if such a load command exists or not.

Differential Revision: https://reviews.llvm.org/D28263

llvm-svn: 291268
2017-01-06 19:34:54 +00:00
Mike Aizatsky aaa637001a [sancov] __sanitizer_dump_coverage api
Subscribers: kubabrecka, mgorny

Differential Revision: https://reviews.llvm.org/D26758

llvm-svn: 289498
2016-12-12 23:45:38 +00:00
Kuba Mracek 3eb98a1318 [sanitizer] Track architecture and UUID of modules in LoadedModule
When we enumerate loaded modules, we only track the module name and base address, which then has several problems on macOS. Dylibs and executables often have several architecture slices and not storing which architecture/UUID is actually loaded creates problems with symbolication: A file path + offset isn't enough to correctly symbolicate, since the offset can be valid in multiple slices. This is especially common for Haswell+ X86_64 machines, where x86_64h slices are preferred, but if one is not available, a regular x86_64 is loaded instead. But the same issue exists for i386 vs. x86_64 as well.

This patch adds tracking of arch and UUID for each LoadedModule. At this point, this information isn't used in reports, but this is the first step. The goal is to correctly identify which slice is loaded in symbolication, and also to output this information in reports so that we can tell which exact slices were loaded in post-mortem analysis.

Differential Revision: https://reviews.llvm.org/D26632

llvm-svn: 288537
2016-12-02 21:27:14 +00:00
Evgeniy Stepanov e109ef854a Release memory to OS only when the requested range covers the entire page
Summary:
The current code was sometimes attempting to release huge chunks of
memory due to undesired RoundUp/RoundDown interaction when the requested
range is fully contained within one memory page.

Reviewers: eugenis

Subscribers: kubabrecka, llvm-commits

Patch by Aleksey Shlyapnikov.

Differential Revision: https://reviews.llvm.org/D27228

llvm-svn: 288271
2016-11-30 20:41:59 +00:00
Evgeniy Stepanov d3305afc75 Return memory to OS right after free (not in the async thread).
Summary:
In order to avoid starting a separate thread to return unused memory to
the system (the thread interferes with process startup on Android,
Zygote waits for all threads to exit before fork, but this thread never
exits), try to return it right after free.

Reviewers: eugenis

Subscribers: cryptoad, filcab, danalbert, kubabrecka, llvm-commits

Patch by Aleksey Shlyapnikov.

Differential Revision: https://reviews.llvm.org/D27003

llvm-svn: 288091
2016-11-29 00:22:50 +00:00
Kuba Mracek 073cea6128 [asan] Add a "dump_registers" flag to print out CPU registers after a SIGSEGV
This patch prints out all CPU registers after a SIGSEGV. These are available in the signal handler context. Only implemented for Darwin. Can be turned off with the dump_registers flag.

Differential Revision: https://reviews.llvm.org/D11365

llvm-svn: 287957
2016-11-26 00:50:08 +00:00
Mike Aizatsky 7594ec3355 rename InternalBinarySearch to InternalLowerBound
Summary: The new name better corresponds to its logic.

Reviewers: kcc

Subscribers: kubabrecka

Differential Revision: https://reviews.llvm.org/D26821

llvm-svn: 287377
2016-11-18 20:48:52 +00:00
Mike Aizatsky ff3bdbac35 fixing binary search for cases when element is not in array
Subscribers: kubabrecka

Differential Revision: https://reviews.llvm.org/D26707

llvm-svn: 287078
2016-11-16 04:03:27 +00:00
Etienne Bergeron c07e576968 [compiler-rt] Add support for the dynamic shadow allocation
Summary:
This patch is adding support for dynamic shadow allocation.

This is a merge and re-commit of the following patches.

```
[compiler-rt] Fix Asan build on Android
  https://reviews.llvm.org/D24768
[compiler-rt] Add support for the dynamic shadow allocation
  https://reviews.llvm.org/D23363
```

This patch needed to re-land at the same time:
```
[asan] Support dynamic shadow address instrumentation
  https://reviews.llvm.org/D23354
```

Reviewers: rnk, zaks.anna

Subscribers: tberghammer, danalbert, kubabrecka, dberris, chrisha, llvm-commits

Differential Revision: https://reviews.llvm.org/D25104

llvm-svn: 282882
2016-09-30 17:47:34 +00:00
Vedant Kumar ff17fcbc58 [sanitizer_common] Delete some copy/move methods in InternalScopedBuffer
Differential Revision: https://reviews.llvm.org/D24811

llvm-svn: 282548
2016-09-27 22:52:34 +00:00
Nico Weber b097c8fa2b revert 282085, 281909, they broke 32-bit dynamic ASan and the sanitizer-windows bot
llvm-svn: 282096
2016-09-21 18:22:43 +00:00
Etienne Bergeron 130a190bf0 [compiler-rt] Add support for the dynamic shadow allocation
Summary:
This patch is adding the needed code to compiler-rt to support
dynamic shadow.

This is to support this patch:
  https://reviews.llvm.org/D23354

It's adding support for using a shadow placed at a dynamic address determined
at runtime.

The dynamic shadow is required to work on windows 64-bits.

Reviewers: rnk, kcc, vitalybuka

Subscribers: kubabrecka, dberris, llvm-commits, chrisha

Differential Revision: https://reviews.llvm.org/D23363

llvm-svn: 281909
2016-09-19 15:59:01 +00:00
Anna Zaks 691644f3ca [compiler-rt] Do not introduce __sanitizer namespace globally
The definitions in sanitizer_common may conflict with definitions from system headers because:

The runtime includes the system headers after the project headers (as per LLVM coding guidelines).
lib/sanitizer_common/sanitizer_internal_defs.h pollutes the namespace of everything defined after it, which is all/most of the sanitizer .h and .cc files and the included system headers with: using namespace __sanitizer; // NOLINT
This patch solves the problem by introducing the namespace only within the sanitizer namespaces as proposed by Dmitry.

Differential Revision: https://reviews.llvm.org/D21947

llvm-svn: 281657
2016-09-15 21:02:18 +00:00
Kostya Serebryany 9a830b9433 [sanitizer] replace CHECK with CHECK_XY in two places for better diagnostics
llvm-svn: 281255
2016-09-12 20:39:13 +00:00
Filipe Cabecinhas 64150ea00d [asan] Cleanup: Move tid into ErrorBase, add const to BufferedStackTrace, be consistent in constructor arguments and member order.
Summary: As mentioned in D24394, I'm moving tid to ErrorBase, since basically all errors need it.
Also mentioned in the same review are other cleanups like adding const
to BufferedStackTrace and make sure constructor orders are consistent.

Reviewers: vitalybuka, kcc, eugenis

Subscribers: llvm-commits, kubabrecka

Differential Revision: https://reviews.llvm.org/D24455

llvm-svn: 281236
2016-09-12 17:10:44 +00:00
Kostya Serebryany b72479b84a [asan] first attempt at releasing free-d memory back to the system using madvise. Requires quite some tuning.
llvm-svn: 279887
2016-08-26 23:58:42 +00:00
Kuba Brecka 02478f4166 [sanitizer] Stop unwinding the stack when a close-to-zero PC is found
On OS X, we often get a stack trace in a report that ends with a 0x0 frame.  To get rid of it, let's trim the stack trace when we find a close-to-zero value, which is obviously not a valid PC.

Differential Revision: http://reviews.llvm.org/D14656

llvm-svn: 273886
2016-06-27 15:32:18 +00:00
Kostya Serebryany bf6a04fde8 [sanitizers] introduce yet another API function: __sanitizer_install_malloc_and_free_hooks
llvm-svn: 272943
2016-06-16 20:06:06 +00:00
Derek Bruening 909d32955b [esan] Add handling of large stack size rlimits
Summary:
Adds detection of large stack size rlimits (over 1 TB or unlimited), which
results in an mmap location that our shadow mapping does not support.  We
re-exec the application in this situation.  Adds a test of this behavior.

Adds general detection of mmap regions outside of our app regions.  In the
future we want to try to adaptively handle these but for now we abort.

Moves the existing Linux-specific mmap code into a platform-specific file
where the new rlimit code lives.

Reviewers: eugenis

Subscribers: vitalybuka, zhaoqin, kcc, aizatsky, llvm-commits, kubabrecka

Differential Revision: http://reviews.llvm.org/D20745

llvm-svn: 271079
2016-05-28 00:25:16 +00:00
Marcin Koscielnicki b7b5ac60c4 [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
In short, CVE-2016-2143 will crash the machine if a process uses both >4TB
virtual addresses and fork().  ASan, TSan, and MSan will, by necessity, map
a sizable chunk of virtual address space, which is much larger than 4TB.
Even worse, sanitizers will always use fork() for llvm-symbolizer when a bug
is detected.  Disable all three by aborting on process initialization if
the running kernel version is not known to contain a fix.

Unfortunately, there's no reliable way to detect the fix without crashing
the kernel.  So, we rely on whitelisting - I've included a list of upstream
kernel versions that will work.  In case someone uses a distribution kernel
or applied the fix themselves, an override switch is also included.

Differential Revision: http://reviews.llvm.org/D19576

llvm-svn: 267747
2016-04-27 17:42:00 +00:00
Kostya Serebryany 3884f1a5bd [sanitizer] add a function MmapNoAccess that mmaps a protected region *somewhere*; use MmapNoAccess in the Allocator when SpaceBeg is not a constant. In this mode the allocator will be a bit more hardened
llvm-svn: 267256
2016-04-23 00:05:24 +00:00
Kostya Serebryany 99ed605799 [sanitizer] rename MmapNoAccess to MmapFixedNoAccess; NFC
llvm-svn: 267253
2016-04-22 23:46:53 +00:00
Reid Kleckner a8e5c0c200 Fix a load of -Wunknown-pragma warnings from clang-cl
llvm-svn: 265152
2016-04-01 17:09:08 +00:00
Kuba Brecka 4c80867ecf [sanitizer] On OS X, verify that interceptors work and abort if not, take 2
On OS X 10.11+, we have "automatic interceptors", so we don't need to use DYLD_INSERT_LIBRARIES when launching instrumented programs. However, non-instrumented programs that load TSan late (e.g. via dlopen) are currently broken, as TSan will still try to initialize, but the program will crash/hang at random places (because the interceptors don't work). This patch adds an explicit check that interceptors are working, and if not, it aborts and prints out an error message suggesting to explicitly use DYLD_INSERT_LIBRARIES.

TSan unit tests run with a statically linked runtime, where interceptors don't work. To avoid aborting the process in this case, the patch replaces `DisableReexec()` with a weak `ReexecDisabled()` function which is defined to return true in unit tests.

Differential Revision: http://reviews.llvm.org/D18212

llvm-svn: 263695
2016-03-17 08:37:25 +00:00
Alexey Samsonov 07f9c0f558 [Sanitizer] Protect against compiler-inserted memcpy() in InternalMmapVector::push_back().
llvm-svn: 261909
2016-02-25 18:12:30 +00:00