src/IceASanInstrumentation.cpp - Issue 2079723002: Instrumented malloc and free with dummy functions.

Side by Side Diff: src/IceASanInstrumentation.cpp

Issue 2079723002: Instrumented malloc and free with dummy functions. (Closed) Base URL: https://chromium.googlesource.com/native_client/pnacl-subzero.git@master

Patch Set: Created 4 years, 6 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
1 //===- subzero/src/IceASanInstrumentation.cpp - ASan ------------- C++ --===//	1 //===- subzero/src/IceASanInstrumentation.cpp - ASan ------------- C++ --===//

2 //	2 //

3 // The Subzero Code Generator	3 // The Subzero Code Generator

4 //	4 //

5 // This file is distributed under the University of Illinois Open Source	5 // This file is distributed under the University of Illinois Open Source

6 // License. See LICENSE.TXT for details.	6 // License. See LICENSE.TXT for details.

7 //	7 //

8 //===----------------------------------------------------------------------===//	8 //===----------------------------------------------------------------------===//

9 ///	9 ///

10 /// \file	10 /// \file

11 /// \brief Implements the AddressSanitizer instrumentation class.	11 /// \brief Implements the AddressSanitizer instrumentation class.

12 ///	12 ///

13 //===----------------------------------------------------------------------===//	13 //===----------------------------------------------------------------------===//

14	14

15 #include "IceASanInstrumentation.h"	15 #include "IceASanInstrumentation.h"

16	16

17 #include "IceBuildDefs.h"	17 #include "IceBuildDefs.h"

18 #include "IceCfgNode.h"	18 #include "IceCfgNode.h"

19 #include "IceGlobalInits.h"	19 #include "IceGlobalInits.h"

20 #include "IceInst.h"	20 #include "IceInst.h"

21 #include "IceTargetLowering.h"	21 #include "IceTargetLowering.h"

22 #include "IceTypes.h"	22 #include "IceTypes.h"

23	23

24 #include <sstream>	24 #include <sstream>

	25 #include <unordered_map>

25	26

26 namespace Ice {	27 namespace Ice {

27	28

28 namespace {	29 namespace {

29 constexpr SizeT RzSize = 32;	30 constexpr SizeT RzSize = 32;

30 const std::string RzPrefix = "__$rz";	31 const std::string RzPrefix = "__$rz";

31 const llvm::NaClBitcodeRecord::RecordVector RzContents =	32 const llvm::NaClBitcodeRecord::RecordVector RzContents =

32 llvm::NaClBitcodeRecord::RecordVector(RzSize, 'R');	33 llvm::NaClBitcodeRecord::RecordVector(RzSize, 'R');

	34

	35 // TODO(tlively): Handle all allocation functions

	36 using string_map = std::unordered_map<std::string, std::string>;

	37 const string_map FuncSubstitutions = {{"malloc", "__asan_malloc"},
	Jim Stichnoth 2016/06/17 15:43:05 I'm wondering if you've fully considered how this I'm wondering if you've fully considered how this would actually work in practice. Normally, the developer runs pnacl-clang or pnacl-clang++, which produces a statically linked pexe containing the full newlib malloc/free implementation complete with all supporting functions. Then the developer runs pnacl-finalize which, as a side effect, strips all the symbol names except for _start. So when you enable asan, it won't be possible to identify calls to malloc or free, at least not by name. The developer can suppress symbol stripping by running "pnacl-finalize --no-strip-syms", and then Subzero will succeed in finding malloc/free calls. This should be documented, both in the code and in whatever developer documentation is eventually provided. I'm also concerned about calls to auxiliary functions that might affect the malloc heap state, like how Subzero calls mallopt() in main.cpp, but I suppose that is a general asan issue and one not unique to Subzero. Karl 2016/06/17 16:06:02 Thomas and I have discussed this issue. Because th Show quoted text On 2016/06/17 15:43:05, stichnot wrote: > I'm wondering if you've fully considered how this would actually work in > practice. > > Normally, the developer runs pnacl-clang or pnacl-clang++, which produces a > statically linked pexe containing the full newlib malloc/free implementation > complete with all supporting functions. Then the developer runs pnacl-finalize > which, as a side effect, strips all the symbol names except for _start. > > So when you enable asan, it won't be possible to identify calls to malloc or > free, at least not by name. > > The developer can suppress symbol stripping by running "pnacl-finalize > --no-strip-syms", and then Subzero will succeed in finding malloc/free calls. > This should be documented, both in the code and in whatever developer > documentation is eventually provided. > > I'm also concerned about calls to auxiliary functions that might affect the > malloc heap state, like how Subzero calls mallopt() in main.cpp, but I suppose > that is a general asan issue and one not unique to Subzero. Thomas and I have discussed this issue. Because the ASAN sanitizer must change how malloc works, but malloc has already been statically added to the pexe, there was a problem. This forced the need to not strip symbols, so that we can find the malloc function in the pexe. However, I agree with Jim that what is being done should be well documented. I also agree that these assumptions should be well documented. I think you should be creating external documentation, like ASAN.rst (similar to the DESIGN.ast) that clarifies what needs to be done, and what assumptions are being made. tlively 2016/06/17 21:39:40 Done. Show quoted text On 2016/06/17 16:06:02, Karl wrote: > On 2016/06/17 15:43:05, stichnot wrote: > > I'm wondering if you've fully considered how this would actually work in > > practice. > > > > Normally, the developer runs pnacl-clang or pnacl-clang++, which produces a > > statically linked pexe containing the full newlib malloc/free implementation > > complete with all supporting functions. Then the developer runs > pnacl-finalize > > which, as a side effect, strips all the symbol names except for _start. > > > > So when you enable asan, it won't be possible to identify calls to malloc or > > free, at least not by name. > > > > The developer can suppress symbol stripping by running "pnacl-finalize > > --no-strip-syms", and then Subzero will succeed in finding malloc/free calls. > > This should be documented, both in the code and in whatever developer > > documentation is eventually provided. > > > > I'm also concerned about calls to auxiliary functions that might affect the > > malloc heap state, like how Subzero calls mallopt() in main.cpp, but I suppose > > that is a general asan issue and one not unique to Subzero. > > Thomas and I have discussed this issue. Because the ASAN sanitizer must change > how malloc works, but malloc has already been statically added to the pexe, > there was a problem. This forced the need to not > strip symbols, so that we can find the malloc function in the pexe. > > However, I agree with Jim that what is being done should be well documented. > > I also agree that these assumptions should be well documented. > > I think you should be creating external documentation, like ASAN.rst (similar to > the DESIGN.ast) that clarifies what needs to be done, and what assumptions are > being made. Done.
	38 {"free", "__asan_free"}};

	39

33 } // end of anonymous namespace	40 } // end of anonymous namespace

34	41

35 // Create redzones around all global variables, ensuring that the initializer	42 // Create redzones around all global variables, ensuring that the initializer

36 // types of the redzones and their associated globals match so that they are	43 // types of the redzones and their associated globals match so that they are

37 // laid out together in memory.	44 // laid out together in memory.

38 void ASanInstrumentation::instrumentGlobals(VariableDeclarationList &Globals) {	45 void ASanInstrumentation::instrumentGlobals(VariableDeclarationList &Globals) {

39 if (DidInsertRedZones)	46 if (DidInsertRedZones)

40 return;	47 return;

41	48

42 VariableDeclarationList NewGlobals;	49 VariableDeclarationList NewGlobals;

(...skipping 63 matching lines...) Expand 10 before \| Expand all \| Expand 10 after Loading...
106 Rz->addInitializer(	113 Rz->addInitializer(

107 VariableDeclaration::ZeroInitializer::create(List, RzSize));	114 VariableDeclaration::ZeroInitializer::create(List, RzSize));

108 }	115 }

109 Rz->setIsConstant(Global->getIsConstant());	116 Rz->setIsConstant(Global->getIsConstant());

110 RzArray->addInitializer(VariableDeclaration::RelocInitializer::create(	117 RzArray->addInitializer(VariableDeclaration::RelocInitializer::create(

111 List, Rz, RelocOffsetArray(0)));	118 List, Rz, RelocOffsetArray(0)));

112 ++RzArraySize;	119 ++RzArraySize;

113 return Rz;	120 return Rz;

114 }	121 }

115	122

	123 void ASanInstrumentation::instrumentCall(LoweringContext &Context,

	124 InstCall *Inst) {
	Jim Stichnoth 2016/06/17 15:43:05 Name the arg Instr, not Inst, since Inst is the na Name the arg Instr, not Inst, since Inst is the name of a type and this could lead to compile errors down the road. tlively 2016/06/17 21:39:40 Done. Show quoted text On 2016/06/17 15:43:05, stichnot wrote: > Name the arg Instr, not Inst, since Inst is the name of a type and this could > lead to compile errors down the road. Done.
	125 if (Inst->getCallTarget()->getKind() != Operand::kConstRelocatable)
	Jim Stichnoth 2016/06/17 15:43:05 I would do something like this: auto CallTarget I would do something like this: auto CallTarget = llvm::dyn_cast<ConstantRelocatable>(Inst->getCallTarget()); if (CallTarget == nullptr) return; tlively 2016/06/17 21:39:40 Done. Show quoted text On 2016/06/17 15:43:05, stichnot wrote: > I would do something like this: > > auto *CallTarget = > llvm::dyn_cast<ConstantRelocatable>(Inst->getCallTarget()); > if (CallTarget == nullptr) > return; Done.
	126 return;

	127

	128 ConstantRelocatable *CallTarget =

	129 static_cast<ConstantRelocatable *>(Inst->getCallTarget());

	130 std::string TargetName = CallTarget->getName().toStringOrEmpty();

	131 if (FuncSubstitutions.find(TargetName) == FuncSubstitutions.end())
	Jim Stichnoth 2016/06/17 15:43:05 Would be nice to do something like auto Subst = Would be nice to do something like auto Subst = FuncSubstitutions.find(TargetName); if (Subst == FuncSubstitutions.end()) return; std::string SubName = Subst->second; in order to call find() just once. tlively 2016/06/17 21:39:40 Done. Show quoted text On 2016/06/17 15:43:05, stichnot wrote: > Would be nice to do something like > > auto Subst = FuncSubstitutions.find(TargetName); > if (Subst == FuncSubstitutions.end()) > return; > std::string SubName = Subst->second; > > in order to call find() just once. Done.
	132 return;

	133

	134 std::string SubName = FuncSubstitutions.find(TargetName)->second;

	135 Constant *Substitution =

	136 Ctx->getConstantExternSym(Ctx->getGlobalString(SubName));

	137 auto *NewCall =

	138 InstCall::create(Context.getNode()->getCfg(), Inst->getNumArgs(),

	139 Inst->getDest(), Substitution, Inst->isTailcall());

	140 for (SizeT I = 0, Args = Inst->getNumArgs(); I < Args; ++I)

	141 NewCall->addArg(Inst->getArg(I));

	142 Context.insert(NewCall);

	143 Inst->setDeleted();

	144 }

	145

116 void ASanInstrumentation::instrumentLoad(LoweringContext &Context,	146 void ASanInstrumentation::instrumentLoad(LoweringContext &Context,

117 const InstLoad *Inst) {	147 InstLoad *Inst) {

118 instrumentAccess(Context, Inst->getSourceAddress(),	148 instrumentAccess(Context, Inst->getSourceAddress(),

119 typeWidthInBytes(Inst->getDest()->getType()));	149 typeWidthInBytes(Inst->getDest()->getType()));

120 }	150 }

121	151

122 void ASanInstrumentation::instrumentStore(LoweringContext &Context,	152 void ASanInstrumentation::instrumentStore(LoweringContext &Context,

123 const InstStore *Inst) {	153 InstStore *Inst) {

124 instrumentAccess(Context, Inst->getAddr(),	154 instrumentAccess(Context, Inst->getAddr(),

125 typeWidthInBytes(Inst->getData()->getType()));	155 typeWidthInBytes(Inst->getData()->getType()));

126 }	156 }

127	157

128 // TODO(tlively): Take size of access into account as well	158 // TODO(tlively): Take size of access into account as well

129 void ASanInstrumentation::instrumentAccess(LoweringContext &Context,	159 void ASanInstrumentation::instrumentAccess(LoweringContext &Context,

130 Operand *Op, SizeT Size) {	160 Operand *Op, SizeT Size) {

131 Constant *AccessCheck =	161 Constant *AccessCheck =

132 Ctx->getConstantExternSym(Ctx->getGlobalString("__asan_check"));	162 Ctx->getConstantExternSym(Ctx->getGlobalString("__asan_check"));

133 constexpr SizeT NumArgs = 2;	163 constexpr SizeT NumArgs = 2;

(...skipping 14 matching lines...) Expand all Loading...
148 Constant *ShadowMemInit =	178 Constant *ShadowMemInit =

149 Ctx->getConstantExternSym(Ctx->getGlobalString("__asan_init"));	179 Ctx->getConstantExternSym(Ctx->getGlobalString("__asan_init"));

150 constexpr SizeT NumArgs = 0;	180 constexpr SizeT NumArgs = 0;

151 constexpr Variable *Void = nullptr;	181 constexpr Variable *Void = nullptr;

152 constexpr bool NoTailCall = false;	182 constexpr bool NoTailCall = false;

153 auto *Call = InstCall::create(Func, NumArgs, Void, ShadowMemInit, NoTailCall);	183 auto *Call = InstCall::create(Func, NumArgs, Void, ShadowMemInit, NoTailCall);

154 Func->getEntryNode()->getInsts().push_front(Call);	184 Func->getEntryNode()->getInsts().push_front(Call);

155 }	185 }

156	186

157 } // end of namespace Ice	187 } // end of namespace Ice

OLD	NEW

« no previous file with comments | « src/IceASanInstrumentation.h ('k') | src/IceInstrumentation.h » ('j') | no next file with comments »