[ASan] New approach to dynamic allocas unpoisoning. Patch by Max Osta…

…penko!

Differential Revision: http://reviews.llvm.org/D7098

llvm-svn: 238401

compiler-rt/lib/asan/asan_fake_stack.cc

@@ -22,6 +22,9 @@ static const u64 kMagic2 = (kMagic1 << 8) | kMagic1;
 static const u64 kMagic4 = (kMagic2 << 16) | kMagic2;
 static const u64 kMagic8 = (kMagic4 << 32) | kMagic4;
 
+static const u64 kAllocaRedzoneSize = 32UL;
+static const u64 kAllocaRedzoneMask = 31UL;
+
 // For small size classes inline PoisonShadow for better performance.
 ALWAYS_INLINE void SetShadow(uptr ptr, uptr size, uptr class_id, u64 magic) {
   CHECK_EQ(SHADOW_SCALE, 3);  // This code expects SHADOW_SCALE=3.
@@ -253,4 +256,24 @@ void *__asan_addr_is_in_fake_stack(void *fake_stack, void *addr, void **beg,
   if (end) *end = reinterpret_cast<void*>(frame_end);
   return reinterpret_cast<void*>(frame->real_stack);
 }
+
+SANITIZER_INTERFACE_ATTRIBUTE
+void __asan_alloca_poison(uptr addr, uptr size) {
+  uptr LeftRedzoneAddr = addr - kAllocaRedzoneSize;
+  uptr PartialRzAddr = addr + size;
+  uptr RightRzAddr = (PartialRzAddr + kAllocaRedzoneMask) & ~kAllocaRedzoneMask;
+  uptr PartialRzAligned = PartialRzAddr & ~(SHADOW_GRANULARITY - 1);
+  FastPoisonShadow(LeftRedzoneAddr, kAllocaRedzoneSize, kAsanAllocaLeftMagic);
+  FastPoisonShadowPartialRightRedzone(
+      PartialRzAligned, PartialRzAddr % SHADOW_GRANULARITY,
+      RightRzAddr - PartialRzAligned, kAsanAllocaRightMagic);
+  FastPoisonShadow(RightRzAddr, kAllocaRedzoneSize, kAsanAllocaRightMagic);
+}
+
+SANITIZER_INTERFACE_ATTRIBUTE
+void __asan_allocas_unpoison(uptr top, uptr bottom) {
+  if ((!top) || (top > bottom)) return;
+  REAL(memset)(reinterpret_cast<void*>(MemToShadow(top)), 0,
+               (bottom - top) / SHADOW_GRANULARITY);
+}
 }  // extern "C"

compiler-rt/lib/asan/asan_interface_internal.h

@@ -195,6 +195,10 @@ extern "C" {
   void __asan_poison_intra_object_redzone(uptr p, uptr size);
   SANITIZER_INTERFACE_ATTRIBUTE
   void __asan_unpoison_intra_object_redzone(uptr p, uptr size);
+  SANITIZER_INTERFACE_ATTRIBUTE
+  void __asan_alloca_poison(uptr addr, uptr size);
+  SANITIZER_INTERFACE_ATTRIBUTE
+  void __asan_allocas_unpoison(uptr top, uptr bottom);
 }  // extern "C"
 
 #endif  // ASAN_INTERFACE_INTERNAL_H

compiler-rt/test/asan/TestCases/Linux/interface_symbols_linux.c

@@ -38,6 +38,8 @@
 // RUN: echo __asan_report_exp_store_n >> %t.interface
 // RUN: echo __asan_get_current_fake_stack >> %t.interface
 // RUN: echo __asan_addr_is_in_fake_stack >> %t.interface
+// RUN: echo __asan_alloca_poison >> %t.interface
+// RUN: echo __asan_allocas_unpoison >> %t.interface
 // RUN: cat %t.interface | sort -u | diff %t.symbols -
 
 // FIXME: nm -D on powerpc somewhy shows ASan interface symbols residing

compiler-rt/test/asan/TestCases/alloca_loop_unpoisoning.cc

@@ -0,0 +1,32 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: %run %t 2>&1
+//
+
+// This testcase checks that allocas and VLAs inside loop are correctly unpoisoned.
+
+#include <assert.h>
+#include <alloca.h>
+#include <stdint.h>
+#include "sanitizer/asan_interface.h"
+
+void *top, *bot;
+
+__attribute__((noinline)) void foo(int len) {
+  char x;
+  top = &x;
+  char array[len];  // NOLINT
+  assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+  alloca(len);
+  for (int i = 0; i < 32; ++i) {
+    char array[i];  // NOLINT
+    bot = alloca(i);
+    assert(!(reinterpret_cast<uintptr_t>(bot) & 31L));
+  }
+}
+
+int main(int argc, char **argv) {
+  foo(32);
+  void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot);
+  assert(!q);
+  return 0;
+}

compiler-rt/test/asan/TestCases/alloca_vla_interact.cc

@@ -0,0 +1,39 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: %run %t 2>&1
+//
+
+// This testcase checks correct interaction between VLAs and allocas.
+
+#include <assert.h>
+#include <alloca.h>
+#include <stdint.h>
+#include "sanitizer/asan_interface.h"
+
+#define RZ 32
+
+__attribute__((noinline)) void foo(int len) {
+  char *top, *bot;
+  // This alloca call should live until the end of foo.
+  char *alloca1 = (char *)alloca(len);
+  assert(!(reinterpret_cast<uintptr_t>(alloca1) & 31L));
+  // This should be first poisoned address after loop.
+  top = alloca1 - RZ;
+  for (int i = 0; i < 32; ++i) {
+    // Check that previous alloca was unpoisoned at the end of iteration.
+    if (i) assert(!__asan_region_is_poisoned(bot, 96));
+    // VLA is unpoisoned at the end of iteration.
+    volatile char array[i];
+    assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+    // Alloca is unpoisoned at the end of iteration,
+    // because dominated by VLA.
+    bot = (char *)alloca(i) - RZ;
+  }
+  // Check that all allocas from loop were unpoisoned correctly.
+  void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot + 1);
+  assert(q == top);
+}
+
+int main(int argc, char **argv) {
+  foo(32);
+  return 0;
+}

compiler-rt/test/asan/TestCases/vla_chrome_testcase.cc

@@ -0,0 +1,30 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+// This is reduced testcase based on Chromium code.
+// See http://reviews.llvm.org/D6055?vs=on&id=15616&whitespace=ignore-all#toc.
+
+#include <stdint.h>
+#include <assert.h>
+
+int a = 7;
+int b;
+int c;
+int *p;
+
+__attribute__((noinline)) void fn3(int *first, int second) {
+}
+
+int main() {
+  int d = b && c;
+  int e[a]; // NOLINT
+  assert(!(reinterpret_cast<uintptr_t>(e) & 31L));
+  int f;
+  if (d)
+    fn3(&f, sizeof 0 * (&c - e));
+  e[a] = 0;
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 4 at [[ADDR]] thread T0
+  return 0;
+}

compiler-rt/test/asan/TestCases/vla_condition_overflow.cc

@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+#include <stdint.h>
+
+__attribute__((noinline)) void foo(int index, int len) {
+  if (index > len) {
+    char str[len]; //NOLINT
+    assert(!(reinterpret_cast<uintptr_t>(str) & 31L));
+    str[index] = '1'; // BOOM
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+  }
+}
+
+int main(int argc, char **argv) {
+  foo(33, 10);
+  return 0;
+}

compiler-rt/test/asan/TestCases/vla_loop_overfow.cc

@@ -0,0 +1,21 @@
+// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-allocas %s -o %t
+// RUN: not %run %t 2>&1 | FileCheck %s
+//
+
+#include <assert.h>
+#include <stdint.h>
+
+void foo(int index, int len) {
+  for (int i = 1; i < len; ++i) {
+    char array[len]; // NOLINT
+    assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
+    array[index + i] = 0;
+// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
+// CHECK: WRITE of size 1 at [[ADDR]] thread T0
+  }
+}
+
+int main(int argc, char **argv) {
+  foo(9, 21);
+  return 0;
+}