Summary:
Add the ability to suppress UBSan reports for files/functions/modules
at runtime. The user can now pass UBSAN_OPTIONS=suppressions=supp.txt
with the contents of the form:
signed-integer-overflow:file-with-known-overflow.cpp
alignment:function_doing_unaligned_access
vptr:shared_object_with_vptr_failures.so
Suppression categories match the arguments passed to -fsanitize=
flag (although, see below). There is no overhead if suppressions are
not provided. Otherwise there is extra overhead for symbolization.
Limitations:
1) sometimes suppressions need debug info / symbol table to function
properly (although sometimes frontend generates enough info to
do the match).
2) it's only possible to suppress recoverable UB kinds - if you've
built the code with -fno-sanitize-recover=undefined, suppressions
will not work.
3) categories are fine-grained check kinds, not groups like "undefined"
or "integer", so you can't write "undefined:file_with_ub.cc".
Reviewers: rsmith, kcc
Subscribers: cfe-commits
Differential Revision: http://reviews.llvm.org/D15363
llvm-svn: 256018
Interceptors using ScopedInteceptor should never call into user's code before the ScopedInterceptor is out of scope (and its destructor is called). Let's add a DCHECK to enforce that.
Differential Revision: http://reviews.llvm.org/D15381
llvm-svn: 255996
Some interceptors in tsan_libdispatch_mac.cc currently wrongly use TSAN_SCOPED_INTERCEPTOR/ScopedInterceptor. Its constructor can start ignoring memory accesses, and the destructor the stops this -- however, e.g. dispatch_sync can call user's code, so the ignoring will extend to user's code as well. This is not expected and we should only limit the scope of ScopedInterceptor to TSan code. This patch introduces annotations that mark the beginning and ending of a callback into user's code.
Differential Revision: http://reviews.llvm.org/D15419
llvm-svn: 255995
This is an initial version of the runtime cross-DSO CFI support
library.
It contains a number of FIXMEs, ex. it does not support the
diagnostic mode nor dlopen/dlclose, but it works and can be tested.
Diagnostic mode, in particular, would require some refactoring (we'd
like to gather all CFI hooks in the UBSan library into one function
so that we could easier pass the diagnostic information down to
__cfi_check). It will be implemented later.
Once the diagnostic mode is in, I plan to create a second test
configuration to run all existing tests in both modes. For now, this
patch includes only a few new cross-DSO tests.
llvm-svn: 255695
Patch by: Johan Engelen
On windows, opening in text mode will result in
line ending chars to be appended leading to
profile corruption.
llvm-svn: 255684
Now with variadic support for msan on aarch6 there is no need for
XFAIL signal_stress_test anymore. Also to garantee aligned stores
for the FP/SIMD arguments enforce the '__msan_va_arg_tls' alignment
to sizeof the SIMD register (16).
llvm-svn: 255496
We're using the dispatch group itself to synchronize (to call Release() and Acquire() on it), but in dispatch group notifications, the group can already be disposed/deallocated. This causes a later assertion failure at `DCHECK_EQ(*meta, 0);` in `MetaMap::AllocBlock` when the same memory is reused (note that the failure only happens in debug builds).
Fixing this by retaining the group and releasing it in the notification. Adding a stress test case that reproduces this.
Differential Revision: http://reviews.llvm.org/D15380
llvm-svn: 255494
This patch enables the safestack for aarch64. The frontend already have
it enabled on all supported architectures and no adjustment is required
in llvm.
The compiler-rt adjustments are basically add on the cmake configuration
to enable the tests and fix the pagesize debug check by getting its
value at runtime (since aarch64 has multiple pagesize depending of
kernel configuration).
llvm-svn: 255345
Value profile runtime depends on libc which breaks
buffer API implemenation with current file organization.
Test case is also updated to check more symbols.
llvm-svn: 255294
check_memcpy test added in r254959 fails on some configurations due to
memcpy() calls inserted by Clang. Try harder to avoid them by using
internal_memcpy() where applicable.
llvm-svn: 255287
InstrProfiling.h file declares profile runtime public APIs.
It has become a dumping place for many different things, which
needs cleanups. In this change, core type declarations and
portability macros are moved to a new file InstrProfilingPort.h.
llvm-svn: 255270
Some targets (e.g. Mips) don't have 64-bit atomics, so using atomic_uint64_t
leads to build failures. Use atomic_uintptr_t to avoid such errors.
Patch by Max Ostapenko.
llvm-svn: 255242
This allows the profile runtime to pick the right impl
for cmp&swap for a given target.
Differential Revision: http://reviews.llvm.org/D15248
llvm-svn: 255173
Summary:
Rather than having to add new "experimental" options each time someone wants to work on bringing a sanitizer to a new platform, this patch makes options for all of them.
The default values for the options are set by the platform checks that would have enabled them, but they can be overridden on or off.
Reviewers: kubabrecka, samsonov
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D14846
llvm-svn: 255170
Summary:
Android doesn't have __libc_malloc and related allocation
functions. As its dynamic linker doesn't use malloc, so
we can use REAL(malloc) to replace __libc_malloc safely.
Reviewers: kcc, eugenis, dvyukov
Subscribers: llvm-commits, tberghammer, danalbert, srhines
Differential Revision: http://reviews.llvm.org/D15297
llvm-svn: 255167
MSVC apparently makes atexit available even without including stdlib.h,
but clang-cl does not. This makes the file build also with clang-cl.
llvm-svn: 255160
check_memcpy test added in r254959 fails on some configurations due to
memset() calls inserted by Clang. Try harder to avoid them:
* Explicitly use internal_memset() instead of empty braced-initializer.
* Replace "new T()" with "new T", as the former generates zero-initialization
for structs in C++11.
llvm-svn: 255136
Let unrecoverable handlers be responsbile for killing the
program with Die(), and let functions which print the error
report know if it's going to happen. Re-write the comments to
describe the situation.
llvm-svn: 255081
Currently, this is an NFC. However, knowing out the kind of error
report before we bring up all the reporting machinery (implemented in
ScopedReport class) is important once we teach UBSan runtime
suppressions.
llvm-svn: 255074
This patch provides the assembly support for setjmp/longjmp for use
with the thread sanitizer. This is a big more complicated than for
aarch64, because sibcalls are only legal under our ABIs if the TOC
pointer is unchanged. Since the true setjmp function trashes the TOC
pointer, and we have to leave the stack in a correct state, we emulate
the setjmp function rather than branching to it.
We also need to materialize the TOC for cases where the _setjmp code
is called from libc. This is done differently under the ELFv1 and
ELFv2 ABIs.
llvm-svn: 255059
This patch is by Simone Atzeni with portions by Adhemerval Zanella.
This contains the LLVM patches to enable the thread sanitizer for
PPC64, both big- and little-endian. Two different virtual memory
sizes are supported: Old kernels use a 44-bit address space, while
newer kernels require a 46-bit address space.
There are two companion patches that will be added shortly. There is
a Clang patch to actually turn on the use of the thread sanitizer for
PPC64. There is also a patch that I wrote to provide interceptor
support for setjmp/longjmp on PPC64.
Patch discussion at reviews.llvm.org/D12841.
llvm-svn: 255057
Summary:
It was barely supported for a several years for now, somewhat
rotten and doesn't correspond to the way we build/test TSan runtime
in Clang anymore.
CMake build has proper compile flags, library layout, build
dependencies etc.
Shell scripts that depended on the output of Makefile.old are
either obsolete now (check_cmake.sh), or moved to lit tests
(check_memcpy.sh), or kept as a standalone scripts not suitable
for generic test suite, but invoked on bots (check_analyze.sh).
It is not used on bots anymore: all "interesting" configurations
(gcc/clang as a host compiler; debug/release build types) are now
tested via CMake.
Reviewers: dvyukov, kcc
Subscribers: llvm-commits
Differential Revision: http://reviews.llvm.org/D15316
llvm-svn: 255032
Another attempt at fixing tsan_invisible_barrier.
Current implementation causes:
https://llvm.org/bugs/show_bug.cgi?id=25643
There were several unsuccessful iterations for this functionality:
Initially it was implemented in user code using REAL(pthread_barrier_wait). But pthread_barrier_wait is not supported on MacOS. Futexes are linux-specific for this matter.
Then we switched to atomics+usleep(10). But usleep produced parasitic "as-if synchronized via sleep" messages in reports which failed some output tests.
Then we switched to atomics+sched_yield. But this produced tons of tsan- visible events, which lead to "failed to restore stack trace" failures.
Move implementation into runtime and use internal_sched_yield in the wait loop.
This way tsan should see no events from the barrier, so not trace overflows and
no "as-if synchronized via sleep" messages.
llvm-svn: 255030
This patch adds release and acquire semantics for dispatch groups, plus a test case.
Differential Revision: http://reviews.llvm.org/D15048
llvm-svn: 255020
The memcmp interceptor checks COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED only after it calls COMMON_INTERCEPTOR_ENTER, which causes an early process launch crash when running TSan in iOS simulator. Let's fix this by checking COMMON_INTERCEPTOR_NOTHING_IS_INITIALIZED as the very first thing in the interceptor.
Differential Revision: http://reviews.llvm.org/D15287
llvm-svn: 255019
Check that TSan runtime doesn't contain compiler-inserted calls
to memset/memmove functions.
In future, we may consider moving this test to test/sanitizer_common,
as we don't want to have compiler-inserted memcpy/memmove calls in
any sanitizer runtime.
llvm-svn: 254955
De-hardcode path to TSan-ified executable: pass it as an input to
the scripts. Fix them so that they don't write to the current
directory. Remove their invocation from Makefile.old: they are
broken there anyway, as check_analyze.sh now matches trunk Clang.
llvm-svn: 254936
This script is superseded by lit test suite integrated into CMake
for quite a while now. It doesn't support many tests, and require
custom hacks for a few other.
llvm-svn: 254932
This option builds TSan runtime with extra debug printfs
and stats collection. This build configuration is developer-only
and should rarely be used, but we need to keep it to make sure
it doesn't bitrot.
llvm-svn: 254818
System properties are not accessible through NDK (we've been using
hacks to get to them) and they are unavailable during ASan
initialization in .preinit_array. Use environment variables and
files instead (ex. ASAN_OPTIONS=include_if_exists=/path).
No test changes. This feature was not tested because the properties
are system-wide and would conflict with the parallel test runner. Yet
another reason to get rid of it.
llvm-svn: 254783
mac_ignore_invalid_free was helpful when ASan runtime used to intercept
CFAllocator and sometimes corrupted its memory. This behavior had been long
gone, and the flag was unused.
This patch also deletes ReportMacCfReallocUnknown(), which was used by the
CFAllocator realloc() wrapper.
llvm-svn: 254722
cmp&swap is not well supported -- the new test
case triggers some assembler error.
This is a partial fix to the general problem (lack
of atomics operation support for certain targets).
llvm-svn: 254701
With the latest refactoring and code sharing patches landed,
it is possible to unify the value profile implementation between
raw and indexed profile. This is part in prfofile runtime.
Differential Revision: http://reviews.llvm.org/D15057
llvm-svn: 254678
`MaybeReexec` contains a 1024-byte long local array, which produces a warning about frame size:
.../lib/sanitizer_common/sanitizer_mac.cc:548:6: warning: stack frame size of 1132 bytes in function '__sanitizer::MaybeReexec' [-Wframe-larger-than=]
Let's replace it with InternalScopedString.
Differential Revision: http://reviews.llvm.org/D15181
llvm-svn: 254619
On OS X, there are other-than-pthread locking APIs that are used quite extensively - OSSpinLock and os_lock_lock. Let's add interceptors for those.
Differential Revision: http://reviews.llvm.org/D14987
llvm-svn: 254611
In AddressSanitizer, we have the MaybeReexec method to detect when we're running without DYLD_INSERT_LIBRARIES (in which case interceptors don't work) and re-execute with the environment variable set. On OS X 10.11+, this is no longer necessary, but to have ThreadSanitizer supported on older versions of OS X, let's use the same method as well. This patch moves the implementation from `asan/` into `sanitizer_common/`.
Differential Revision: http://reviews.llvm.org/D15123
llvm-svn: 254600
si_int is already defined in sysroot's siginfo.h
emutls.c includes pthread.h which includes asm/siginfo.h which
in turn includes asm-generic/siginfo.h and that defines si_int.
si_int is also defined in builtin's int_types.h and this leads to
errors. This patch fixes the issue by undefining the si_int in int_types.h
Differential Revision: http://reviews.llvm.org/D15086
llvm-svn: 254472
This patch adds release and acquire semantics for libdispatch semaphores and a test case.
Differential Revision: http://reviews.llvm.org/D14992
llvm-svn: 254412
Calloc interceptor initially allocates memory from temp buffer (to serve dlsyms called during asan_init). There is a chance that some non-instrumented library (or executable) has allocated memory with calloc before asan_init and got pointer from the same temporary buffer which later caused problems with free.
Inspired by https://github.com/google/sanitizers/issues/626
Differential Revision: http://reviews.llvm.org/D14979
llvm-svn: 254395
This patch complete removed SANITIZER_AARCH64_VMA definition and usage.
AArch64 ports now supports runtime VMA detection and instrumentation
for 39 and 42-bit VMA.
It also Rewrite print_address to take a variadic argument list
(the addresses to print) and adjust the tests which uses it to the new
signature.
llvm-svn: 254319
On OS X, in AtosSymbolizer, if the answer from atos doesn't contain module name, let's bail and return false. There are some cases where this is beneficial, because we'll try DlAddrSymbolizer next (it's next in the symbolizer chain), which might be able to symbolize something that atos couldn't.
Differential Revision: http://reviews.llvm.org/D15071
llvm-svn: 254301
1) There's a few wrongly defined things in tsan_interceptors.cc,
2) a typo in tsan_rtl_amd64.S which calls setjmp instead of sigsetjmp in the interceptor, and
3) on OS X, accessing an mprotected page results in a SIGBUS (and not SIGSEGV).
Differential Revision: http://reviews.llvm.org/D15052
llvm-svn: 254299
On OS X, for weak function (that user can override by providing their own implementation in the main binary), we need extern `"C" SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE NOINLINE`.
Fixes a broken test case on OS X, java_symbolization.cc, which uses a weak function __tsan_symbolize_external.
Differential Revision: http://reviews.llvm.org/D14907
llvm-svn: 254298
build errors on ARM. Define it internally to avoid such errors.
Patch by Max Ostapenko.
Differential Revision: http://reviews.llvm.org/D14921
llvm-svn: 254292
Serial queues need extra happens-before between individual tasks executed in the same queue. This patch adds `Acquire(queue)` before the executed task and `Release(queue)` just after it (for serial queues only). Added a test case.
Differential Revision: http://reviews.llvm.org/D15011
llvm-svn: 254229
This patch ports the assembly file tsan_rtl_amd64.S to OS X, where we need several changes:
* Some assembler directives are not available on OS X (.hidden, .type, .size)
* Symbol names need to start with an underscore (added a ASM_TSAN_SYMBOL macro for that).
* To make the interceptors work, we ween to name the function "_wrap_setjmp" (added ASM_TSAN_SYMBOL_INTERCEPTOR for that).
* Calling the original setjmp is done with a simple "jmp _setjmp".
* __sigsetjmp doesn't exist on OS X.
Differential Revision: http://reviews.llvm.org/D14947
llvm-svn: 254228
When a race on file descriptors is detected, `FindThreadByUidLocked()` is called to retrieve ThreadContext with a specific unique_id. However, this ThreadContext might not exist in the thread registry anymore (it may have been recycled), in which case `FindThreadByUidLocked` will cause an assertion failure in `GetThreadLocked`. Adding a test case that reproduces this, producing:
FATAL: ThreadSanitizer CHECK failed: sanitizer_common/sanitizer_thread_registry.h:92 "((tid)) < ((n_contexts_))" (0x34, 0x34)
This patch fixes this by replacing the loop with `FindThreadContextLocked`.
Differential Revision: http://reviews.llvm.org/D14984
llvm-svn: 254223
This patch reorganize the platform specific mapping information to
export the application mask on a external variable. This exported
variable will be used by intrumentation phase to create code to be
used on architecture with multiple VMA range.
The patch creates a new header, dfsan_platform.h, and move all the
mapping information and also create function accessors to the
mapping value.
Also for aarch64 it initialize application exported mask to the
value based on runtime VMA detection.
llvm-svn: 254197
This patch unify the 39 and 42-bit support for AArch64 by using an external
memory read to check the runtime detected VMA and select the better mapping
and transformation. Although slower, this leads to same instrumented binary
to be independent of the kernel.
Along with this change this patch also fix some 42-bit failures with
ALSR disable by increasing the upper high app memory threshold and also
the 42-bit madvise value for non large page set.
llvm-svn: 254151
Summary:
In r251553, I added a warning that proved to be super noisy,
especially in case of MSan. Removing it for now, and I will
probably add some additional diagnostics for symbolizer, when
I better understand how to make it properly.
Reviewers: eugenis
Differential Revision: http://reviews.llvm.org/D14998
llvm-svn: 254102
This patch adds some fixes for MSAN with libc++ for aarch64:
1. Adds the libmsan_loadable name for aarch64.
2. Fixes some pthread_attr_setstacksize for aarch64, since glibc sets
the mininum stack size to be higher than the x86_64 default (16KB
vs 128KB).
3. Fixes a swprintf null char constant definition.
llvm-svn: 254015
We need to intercept libdispatch APIs (dispatch_sync, dispatch_async, etc.) to add synchronization between the code that submits the task and the code that gets executed (possibly on a different thread). This patch adds release+acquire semantics for dispatch_sync, and dispatch_async (plus their "_f" and barrier variants). The synchronization is done on malloc'd contexts (separate for each submitted block/callback). Added tests to show usage of dispatch_sync and dispatch_async, for cases where we expect no warnings and for cases where TSan finds races.
Differential Revision: http://reviews.llvm.org/D14745
llvm-svn: 253982
Xinliang David Li