Commit Graph

351 Commits

Author SHA1 Message Date
Etienne Bergeron 7a1bafd6ae This patch attempts to primitive support for Win64 asan
Some known issues are:

When "head" include instructions that involve branching, the "cut and paste" approach may break down in a way that function interception still work but calling back the original function does not work.
The jmp [rip -8] saves some bytes in the "head" but finding the safe zone of 0xCC is not implemented yet. So it may stomp on preceding codes.
The shadow offset is not working yet on Win64. More complexity maybe involved since there are some differences regarding virtual address space between Window 8 and Windows 8.1/10.

Patch by: Wang Wei

Differential Revision: http://reviews.llvm.org/D20884

llvm-svn: 271915
2016-06-06 18:09:54 +00:00
Kuba Brecka 4087675948 Revert r270038 ("Change preprocessor `#if` to regular `if` for CAN_SANITIZE_LEAKS")
llvm-svn: 270044
2016-05-19 11:21:34 +00:00
Kuba Brecka b5cb227b98 [asan] Change preprocessor `#if` to regular `if` for CAN_SANITIZE_LEAKS
llvm-svn: 270038
2016-05-19 10:43:51 +00:00
Kuba Brecka daac6a0083 [sanitizer] Fix a crash when demangling Swift symbols, take 3
The previous patch (r269291) was reverted (commented out) because the patch caused leaks that
were detected by LSan and they broke some lit tests.  The actual reason was that dlsym allocates
an error string buffer in TLS, and some LSan lit tests are intentionally not scanning TLS for
root pointers.  This patch simply makes LSan ignore the allocation from dlsym, because it's
not interesting anyway.

llvm-svn: 269917
2016-05-18 13:00:20 +00:00
Mike Aizatsky 599eef49e5 [sanitizers] disabling LateInitialize call to fix the build.
http://reviews.llvm.org/rL269291 introduced a memory leak.
Disabling offending call temprorary rather than rolling back the chain
of CLs.

llvm-svn: 269799
2016-05-17 18:44:21 +00:00
Kuba Brecka 5bdf86ec7c [sanitizer] Fix a crash when demangling Swift symbols, take 2
To invoke the Swift demangler, we use dlsym to locate swift_demangle. However, dlsym malloc's storage and stores it in thread-local storage. Since allocations from the symbolizer are done with the system allocator (at least in TSan, interceptors are skipped when inside the symbolizer), we will crash when we try to deallocate later using the sanitizer allocator again.

To fix this, let's just not call dlsym from the demangler, and call it during initialization. The dlsym function calls malloc, so it needs to be only used after our allocator is initialized. Adding a Symbolizer::LateInitialize call that is only invoked after all other initializations.

Differential Revision: http://reviews.llvm.org/D20015

llvm-svn: 269291
2016-05-12 13:11:03 +00:00
Marcin Koscielnicki b7b5ac60c4 [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
In short, CVE-2016-2143 will crash the machine if a process uses both >4TB
virtual addresses and fork().  ASan, TSan, and MSan will, by necessity, map
a sizable chunk of virtual address space, which is much larger than 4TB.
Even worse, sanitizers will always use fork() for llvm-symbolizer when a bug
is detected.  Disable all three by aborting on process initialization if
the running kernel version is not known to contain a fix.

Unfortunately, there's no reliable way to detect the fix without crashing
the kernel.  So, we rely on whitelisting - I've included a list of upstream
kernel versions that will work.  In case someone uses a distribution kernel
or applied the fix themselves, an override switch is also included.

Differential Revision: http://reviews.llvm.org/D19576

llvm-svn: 267747
2016-04-27 17:42:00 +00:00
Kostya Serebryany 99ed605799 [sanitizer] rename MmapNoAccess to MmapFixedNoAccess; NFC
llvm-svn: 267253
2016-04-22 23:46:53 +00:00
Marcin Koscielnicki 0a91cf8a84 Revert "[sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143."
This reverts commit r266297.

llvm-svn: 266470
2016-04-15 20:00:12 +00:00
Marcin Koscielnicki c8dda336bb [sanitizer] [SystemZ] Abort if the kernel might be vulnerable to CVE-2016-2143.
In short, CVE-2016-2143 will crash the machine if a process uses both >4TB
virtual addresses and fork().  ASan, TSan, and MSan will, by necessity, map
a sizable chunk of virtual address space, which is much larger than 4TB.
Even worse, sanitizers will always use fork() for llvm-symbolizer when a bug
is detected.  Disable all three by aborting on process initialization if
the running kernel version is not known to contain a fix.

Unfortunately, there's no reliable way to detect the fix without crashing
the kernel.  So, we rely on whitelisting - I've included a list of upstream
kernel versions that will work.  In case someone uses a distribution kernel
or applied the fix themselves, an override switch is also included.

Differential Revision: http://reviews.llvm.org/D18915

llvm-svn: 266297
2016-04-14 12:56:24 +00:00
Reid Kleckner 0765fbc332 [WinASan] Fix page size and mmap granularity confusion
We were erroneously reporting 16K as the page size on Windows because
the code that does the shadow mapping was using page size instead of
allocation granularity. After fixing that, we can resolve the FIXMEs in
the Windows implementations of GetPageSize and GetMmapGranularity by
calling GetSystemInfo instead of returning hard-coded, incorrect
answers.

llvm-svn: 261233
2016-02-18 17:58:22 +00:00
Alexander Potapenko 00bddf6406 [ASan] Fix the links to bugs and wikipages.
llvm-svn: 254735
2015-12-04 17:37:40 +00:00
Kostya Serebryany fb484cedb4 [asan] add an experimental flag protect_shadow_gap. If set to false, the shadow gap will not be mprotect-ed and all hell may break loose. But this makes CUDA's cuInit() pass.
llvm-svn: 253108
2015-11-14 00:50:23 +00:00
Yury Gribov 468d955b98 [ASan] Enable optional ASan recovery.
Differential Revision: http://reviews.llvm.org/D12318

llvm-svn: 252723
2015-11-11 11:59:38 +00:00
Adhemerval Zanella 18b2258c92 [compiler-rt] [asan] Use same shadow offset for aarch64
This patch makes ASAN for aarch64 use the same shadow offset for all
currently supported VMAs (39 and 42 bits).  The shadow offset is the
same for 39-bit (36).

llvm-svn: 252497
2015-11-09 18:05:24 +00:00
Vedant Kumar 59ba7b8cd1 [compiler-rt] Apply modernize-use-nullptr fixes in sanitizers
- Trim spaces.
- Use nullptr in place of 0 for pointer variables.
- Use '!p' in place of 'p == 0' for null pointer checks.
- Add blank lines to separate function definitions.
- Add 'extern "C"' or 'namespace foo' comments after the appropriate
  closing brackets

This is a continuation of work from 409b7b82. The focus here is on the
various sanitizers (not sanitizer_common, as before).

Patch by Eugene Zelenko!

Differential Revision: http://reviews.llvm.org/D13225

llvm-svn: 248966
2015-10-01 00:22:21 +00:00
Adhemerval Zanella 172cc32ef3 [sanitizer] Move CheckVMASize after flag initialization
llvm-svn: 247684
2015-09-15 13:22:54 +00:00
Adhemerval Zanella 0563686a1c [compiler-rt] [sanitizers] Add VMA size check at runtime
This patch adds a runtime check for asan, dfsan, msan, and tsan for
architectures that support multiple VMA size (like aarch64).  Currently
the check only prints a warning indicating which is the VMA built and
expected against the one detected at runtime.

llvm-svn: 247413
2015-09-11 13:55:00 +00:00
Alexey Samsonov 53b8750e7d [Sanitizers] Make abort_on_error common flag.
Summary:
Teach all sanitizers to call abort() instead of _exit() after printing
an error report, if requested. This behavior is the default on Mac OS.

Reviewers: kcc, kubabrecka

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12332

llvm-svn: 246205
2015-08-27 20:40:24 +00:00
Alexey Samsonov ab229c13a6 [Sanitizer] Dump coverage if we're killing the program with __sanitizer::Die().
Previously we had to call __sanitizer_cov_dump() from tool-specific
callbacks - instead, let sanitizer_common library handle this in a
single place.

This is a re-application of r245770, with slightly different approach
taken.

llvm-svn: 245890
2015-08-24 22:21:47 +00:00
Alexey Samsonov b92aa0fc3f [Sanitizers] Allow to install several internal Die callbacks.
This is required to properly re-apply r245770:
1) We should be able to dump coverage in __sanitizer::Die() if coverage
   collection is turned on.
2) We don't want to explicitly do this in every single
   sanitizer that supports it.
3) We don't want to link in coverage (and therefore symbolization) bits
   into small sanitizers that don't support it (safestack).

The solution is to make InitializeCoverage() register its own Die()
callback that would call __sanitizer_cov_dump(). This callback should be
executed in addition to another tool-specific die callbacks (if there
are any).

llvm-svn: 245889
2015-08-24 22:21:44 +00:00
Alexey Samsonov 4369a3f4ad Revert r245770 and r245777.
These changes break both autoconf Mac OS X buildbot (linker errors
due to wrong Makefiles) and CMake buildbot (safestack test failures).

llvm-svn: 245784
2015-08-22 05:15:55 +00:00
Alexey Samsonov 8e38c71cb7 [Sanitizer] Dump coverage if we're killing the program with __sanitizer::Die().
Previously we had to call __sanitizer_cov_dump() from tool-specific
callbacks - instead, let sanitizer_common library handle this in a single place.

llvm-svn: 245770
2015-08-22 00:28:12 +00:00
Alexey Samsonov bb79b06f4e [Sanitizers] Unify the semantics and usage of "exitcode" runtime flag across all sanitizers.
Summary:
Merge "exitcode" flag from ASan, LSan, TSan and "exit_code" from MSan
into one entity. Additionally, make sure sanitizer_common now uses the
value of common_flags()->exitcode when dying on error, so that this
flag will automatically work for other sanitizers (UBSan and DFSan) as
well.

User-visible changes:
* "exit_code" MSan runtime flag is now deprecated. If explicitly
  specified, this flag will take precedence over "exitcode".
  The users are encouraged to migrate to the new version.
* __asan_set_error_exit_code() and __msan_set_exit_code() functions
  are removed. With few exceptions, we don't support changing runtime
  flags during program execution - we can't make them thread-safe.
  The users should use __sanitizer_set_death_callback()
  that would call _exit() with proper exit code instead.
* Plugin tools (LSan and UBSan) now inherit the exit code of the parent
  tool. In particular, this means that ASan would now crash the program
  with exit code "1" instead of "23" if it detects leaks.

Reviewers: kcc, eugenis

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D12120

llvm-svn: 245734
2015-08-21 20:49:37 +00:00
Evgeniy Stepanov aa91588b6c [asan] Try different values of the shadow gap start.
The number of unaccessible pages at the beginning of the address
space can differ between processes on the same machine. Try different
values at runtime to protect as much memory as possible.

llvm-svn: 244364
2015-08-07 22:38:44 +00:00
Kostya Serebryany cc9fd3cbe9 [sanitizer] 2-nd attempt. Add the flag handle_sigfpe that is default true to handle SIGFPE crashes same as SIGSEV crashes, patch by Karl Skomski. This time the test is enabled only on x86-64 (it broke on ARM)
llvm-svn: 244234
2015-08-06 17:52:54 +00:00
Renato Golin 4ae2e1f575 Revert "[sanitizer] Add the flag handle_sigfpe that is default true to handle SIGFPE crashes same as SIGSEV crashes, patch by Karl Skomski"
This reverts commit r244136, it was breaking the ARM bots for too long. We should investigate it offline.

llvm-svn: 244210
2015-08-06 12:42:46 +00:00
Kostya Serebryany ce1799a83f [sanitizer] Add the flag handle_sigfpe that is default true to handle SIGFPE crashes same as SIGSEV crashes, patch by Karl Skomski
llvm-svn: 244136
2015-08-05 21:19:11 +00:00
Kuba Brecka a11cfb990a [asan] Rename the ABI versioning symbol to '__asan_version_mismatch_check' instead of abusing '__asan_init'
We currently version `__asan_init` and when the ABI version doesn't match, the linker gives a `undefined reference to '__asan_init_v5'` message. From this, it might not be obvious that it's actually a version mismatch error. This patch makes the error message much clearer by changing the name of the undefined symbol to be `__asan_version_mismatch_check_xxx` (followed by the version string). We obviously don't want the initializer to be named like that, so it's a separate symbol that is used only for the purpose of version checking.

Reviewed at http://reviews.llvm.org/D11004

llvm-svn: 243004
2015-07-23 10:55:13 +00:00
Reid Kleckner 33b9cd2191 [asan] Make __asan_handle_no_return tolerate unregistered threads
Summary:
On Windows, thread injection by the kernel or other running processes is
a fairly common occurrence, so ASan should be resilient to it.  The
comments on GetCurrentThread() say that it can return null, so we
shouldn't be CHECK failing if it does.

Sending control-C is one way to get the kernel to inject a thread into
your process, so I wrote a test around it.

Reviewers: llvm-commits

Subscribers: samsonov

Differential Revision: http://reviews.llvm.org/D11426

llvm-svn: 242948
2015-07-22 21:58:31 +00:00
Evgeniy Stepanov df9ed542b5 [sanitizer] Implement include_if_exists with process name substitution.
include_if_exists=/path/to/sanitizer/options reads flags from the
file if it is present. "%b" in the include file path (for both
variants of the flag) is replaced with the basename of the main
executable.

llvm-svn: 242853
2015-07-21 23:03:13 +00:00
Yury Gribov c019a57099 [ASan] Make binary name reader cross-platform.
Differential Revision: http://reviews.llvm.org/D10213

llvm-svn: 239020
2015-06-04 07:29:43 +00:00
Yury Gribov c5243f0c6a [ASan] Move ASan runtime library self-checks to a more appropriate place.
llvm-svn: 239018
2015-06-04 07:23:09 +00:00
Evgeniy Stepanov 8e9c70be7f Add descriptive names to sanitizer entries in /proc/self/maps. Helps debugging.
This is done by creating a named shared memory region, unlinking it
and setting up a private (i.e. copy-on-write) mapping of that instead
of a regular anonymous mapping. I've experimented with regular
(sparse) files, but they can not be scaled to the size of MSan shadow
mapping, at least on Linux/X86_64 and ext3 fs.

Controlled by a common flag, decorate_proc_maps, disabled by default.

This patch has a few shortcomings:
* not all mappings are annotated, especially in TSan.
* our handling of memset() of shadow via mmap() puts small anonymous
  mappings inside larger named mappings, which looks ugly and can, in
  theory, hit the mapping number limit.

llvm-svn: 238621
2015-05-29 22:31:28 +00:00
Daniel Sanders 0568283e69 [asan] Print SHADOW_SCALE and SHADOW_GRANULARITY as decimal values.
Summary:
During the review of http://reviews.llvm.org/D9199 where I had originally
changed the debug_mapping.cc test to accept hexadecimal values, we realized
that SHADOW_SCALE and SHADOW_GRANULARITY ought to be printed as decimal values.
This patch makes that change.

This patch also adds a '0x' prefix to the SHADOW_OFFSET to make it clear that
it is hexadecimal while the other two are decimal.

Reviewers: kcc, timurrrr, samsonov

Reviewed By: timurrrr, samsonov

Subscribers: samsonov, llvm-commits, sagar

Differential Revision: http://reviews.llvm.org/D9224

llvm-svn: 235798
2015-04-25 10:57:35 +00:00
Timur Iskhodzhanov bd989e78f1 [ASan] Use a better name for a function parameter
llvm-svn: 234604
2015-04-10 15:31:16 +00:00
Timur Iskhodzhanov ea1f332b79 Split Mprotect into MmapNoAccess and MprotectNoAccess to be more portable
On Windows, we have to know if a memory to be protected is mapped or not.
On POSIX, Mprotect was semantically different from mprotect most people know.

llvm-svn: 234602
2015-04-10 15:02:19 +00:00
Alexey Samsonov 09dce3b7e5 [UBSan] Embed UBSan into ASan runtime (compiler-rt part).
Summary:
Change the way we use ASan and UBSan together. Instead of keeping two
separate runtimes (libclang_rt.asan and libclang_rt.ubsan), embed UBSan
into ASan and get rid of libclang_rt.ubsan. If UBSan is not supported on
a platform, all UBSan sources are just compiled into dummy empty object
files. UBSan initialization code (e.g. flag parsing) is directly called
from ASan initialization, so we are able to enforce correct
initialization order.

This mirrors the approach we already use for ASan+LSan. This change
doesn't modify the way we use standalone UBSan.

Test Plan: regression test suite

Reviewers: kubabrecka, zaks.anna, rsmith, kcc

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D8646

llvm-svn: 233861
2015-04-01 22:42:36 +00:00
Dmitry Vyukov 6bd917a31f asan: optimization experiments
The experiments can be used to evaluate potential optimizations that remove
instrumentation (assess false negatives). Instead of completely removing
some instrumentation, you set Exp to a non-zero value (mask of optimization
experiments that want to remove instrumentation of this instruction).
If Exp is non-zero, this pass will emit special calls into runtime
(e.g. __asan_report_exp_load1 instead of __asan_report_load1). These calls
make runtime terminate the program in a special way (with a different
exit status). Then you run the new compiler on a buggy corpus, collect
the special terminations (ideally, you don't see them at all -- no false
negatives) and make the decision on the optimization.

The exact reaction to experiments in runtime is not implemented in this patch.
It will be defined and implemented in a subsequent patch.

http://reviews.llvm.org/D8198

llvm-svn: 232501
2015-03-17 16:59:11 +00:00
Alexey Samsonov 79df187034 [LSan] Make parent tool responsible for initializing LSan flags.
Summary:
LSan can be combined with a parent tool (for now it's only ASan).
Also, we allow LSAN_OPTIONS to override certain common flags. It means
we have to parse LSAN_OPTIONS early enough, before the rest of the
parent tool (including chunks of sanitizer_common) is initialized.

In future, we can use the same approach for UBSan, after we embed it
into ASan runtime in a similar way.

Test Plan: regression test suite

Reviewers: earthdok, eugenis

Subscribers: llvm-commits

Differential Revision: http://reviews.llvm.org/D7577

llvm-svn: 229519
2015-02-17 18:50:30 +00:00
Alexey Samsonov 1225816a2d [Sanitizer] Change InitializeFlags() signatures. NFC.
These functions are always used to initialize singleton flags(), as
well as other global data (common_flags()).

llvm-svn: 228894
2015-02-12 00:36:42 +00:00
Yury Gribov 8f848ff5ed [ASan] Add use_madv_dontdump flag.
Differential Revision: http://reviews.llvm.org/D7294

llvm-svn: 227959
2015-02-03 10:15:15 +00:00
Timur Iskhodzhanov e5935ef0c4 [ASan/Win] Add some diagnostics to help investigate Mprotect failures
llvm-svn: 227803
2015-02-02 15:04:23 +00:00
Timur Iskhodzhanov 841572e90a [ASan] Print out the shadow memory range on shadow mapping failures
llvm-svn: 226807
2015-01-22 12:05:27 +00:00
Kostya Serebryany c6338ac943 [asan] use MADV_NOHUGEPAGE for shadow to reduce the actual memory usage
llvm-svn: 226636
2015-01-21 02:05:31 +00:00
Evgeniy Stepanov f074b3c2de [asan] Allow changing verbosity in activation flags.
This change removes some debug output in asan_flags.cc that
was reading the verbosity level before all the flags were parsed.

llvm-svn: 226566
2015-01-20 13:21:20 +00:00
Kostya Serebryany 7ad02fca09 [asan] add flag quarantine_size_mb, deprecate quarantine_size
llvm-svn: 225337
2015-01-07 02:37:52 +00:00
Kostya Serebryany 7e85a9216e [asan] add a flag soft_rss_limit_mb
llvm-svn: 225323
2015-01-06 23:53:32 +00:00
Evgeniy Stepanov 05dc4be0dc [asan] Allow enabling coverage at activation.
This is a re-commit of r224838 + r224839, previously reverted in r224850.
Test failures were likely (still can not reproduce) caused by two lit tests
using the same name for an intermediate build target.

llvm-svn: 224853
2014-12-26 12:32:32 +00:00
Evgeniy Stepanov f8c7e25560 Revert r224838, r224839.
Flaky failures on the build bots.

llvm-svn: 224850
2014-12-26 10:19:56 +00:00