asan_fake_stack.cc revision 0f2283742e1d37ebf0c5ac034dab704a7d9af099
1//===-- asan_fake_stack.cc ------------------------------------------------===// 2// 3// The LLVM Compiler Infrastructure 4// 5// This file is distributed under the University of Illinois Open Source 6// License. See LICENSE.TXT for details. 7// 8//===----------------------------------------------------------------------===// 9// 10// This file is a part of AddressSanitizer, an address sanity checker. 11// 12// FakeStack is used to detect use-after-return bugs. 13//===----------------------------------------------------------------------===// 14#include "asan_allocator.h" 15#include "asan_poisoning.h" 16#include "asan_thread.h" 17 18namespace __asan { 19 20static const u64 kMagic1 = kAsanStackAfterReturnMagic; 21static const u64 kMagic2 = (kMagic1 << 8) | kMagic1; 22static const u64 kMagic4 = (kMagic2 << 16) | kMagic2; 23static const u64 kMagic8 = (kMagic4 << 32) | kMagic4; 24 25// For small size classes inline PoisonShadow for better performance. 26ALWAYS_INLINE void SetShadow(uptr ptr, uptr size, uptr class_id, u64 magic) { 27 CHECK_EQ(SHADOW_SCALE, 3); // This code expects SHADOW_SCALE=3. 28 u64 *shadow = reinterpret_cast<u64*>(MemToShadow(ptr)); 29 if (class_id <= 6) { 30 for (uptr i = 0; i < (1U << class_id); i++) 31 shadow[i] = magic; 32 } else { 33 // The size class is too big, it's cheaper to poison only size bytes. 34 PoisonShadow(ptr, size, static_cast<u8>(magic)); 35 } 36} 37 38void FakeStack::PoisonAll(u8 magic) { 39 PoisonShadow(reinterpret_cast<uptr>(this), RequiredSize(stack_size_log()), 40 magic); 41} 42 43ALWAYS_INLINE USED 44FakeFrame *FakeStack::Allocate(uptr stack_size_log, uptr class_id, 45 uptr real_stack) { 46 CHECK_LT(class_id, kNumberOfSizeClasses); 47 if (needs_gc_) 48 GC(real_stack); 49 uptr &hint_position = hint_position_[class_id]; 50 const int num_iter = NumberOfFrames(stack_size_log, class_id); 51 u8 *flags = GetFlags(stack_size_log, class_id); 52 for (int i = 0; i < num_iter; i++) { 53 uptr pos = ModuloNumberOfFrames(stack_size_log, class_id, hint_position++); 54 // This part is tricky. On one hand, checking and setting flags[pos] 55 // should be atomic to ensure async-signal safety. But on the other hand, 56 // if the signal arrives between checking and setting flags[pos], the 57 // signal handler's fake stack will start from a different hint_position 58 // and so will not touch this particular byte. So, it is safe to do this 59 // with regular non-atimic load and store (at least I was not able to make 60 // this code crash). 61 if (flags[pos]) continue; 62 flags[pos] = 1; 63 FakeFrame *res = reinterpret_cast<FakeFrame *>( 64 GetFrame(stack_size_log, class_id, pos)); 65 res->real_stack = real_stack; 66 return res; 67 } 68 CHECK(0 && "Failed to allocate a fake stack frame"); 69 return 0; 70} 71 72ALWAYS_INLINE USED 73void FakeStack::Deallocate(FakeFrame *ff, uptr stack_size_log, uptr class_id, 74 uptr real_stack) { 75 u8 *base = GetFrame(stack_size_log, class_id, 0); 76 u8 *cur = reinterpret_cast<u8 *>(ff); 77 CHECK_LE(base, cur); 78 CHECK_LT(cur, base + (1UL << stack_size_log)); 79 uptr pos = (cur - base) >> (kMinStackFrameSizeLog + class_id); 80 u8 *flags = GetFlags(stack_size_log, class_id); 81 CHECK_EQ(flags[pos], 1); 82 flags[pos] = 0; 83} 84 85uptr FakeStack::AddrIsInFakeStack(uptr ptr) { 86 uptr stack_size_log = this->stack_size_log(); 87 uptr beg = reinterpret_cast<uptr>(GetFrame(stack_size_log, 0, 0)); 88 uptr end = reinterpret_cast<uptr>(this) + RequiredSize(stack_size_log); 89 if (ptr < beg || ptr >= end) return 0; 90 uptr class_id = (ptr - beg) >> stack_size_log; 91 uptr base = beg + (class_id << stack_size_log); 92 CHECK_LE(base, ptr); 93 CHECK_LT(ptr, base + (1UL << stack_size_log)); 94 uptr pos = (ptr - base) >> (kMinStackFrameSizeLog + class_id); 95 return base + pos * BytesInSizeClass(class_id); 96} 97 98void FakeStack::HandleNoReturn() { 99 needs_gc_ = true; 100} 101 102// When throw, longjmp or some such happens we don't call OnFree() and 103// as the result may leak one or more fake frames, but the good news is that 104// we are notified about all such events by HandleNoReturn(). 105// If we recently had such no-return event we need to collect garbage frames. 106// We do it based on their 'real_stack' values -- everything that is lower 107// than the current real_stack is garbage. 108NOINLINE void FakeStack::GC(uptr real_stack) { 109 uptr collected = 0; 110 for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) { 111 u8 *flags = GetFlags(stack_size_log(), class_id); 112 for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n; 113 i++) { 114 if (flags[i] == 0) continue; // not allocated. 115 FakeFrame *ff = reinterpret_cast<FakeFrame *>( 116 GetFrame(stack_size_log(), class_id, i)); 117 if (ff->real_stack < real_stack) { 118 flags[i] = 0; 119 collected++; 120 } 121 } 122 } 123 needs_gc_ = false; 124} 125 126#if SANITIZER_LINUX 127static THREADLOCAL FakeStack *fake_stack_tls; 128 129FakeStack *GetTLSFakeStack() { 130 return fake_stack_tls; 131} 132void SetTLSFakeStack(FakeStack *fs) { 133 fake_stack_tls = fs; 134} 135#else 136FakeStack *GetTLSFakeStack() { return 0; } 137void SetTLSFakeStack(FakeStack *fs) { } 138#endif // SANITIZER_LINUX 139 140static FakeStack *GetFakeStack() { 141 AsanThread *t = GetCurrentThread(); 142 if (!t) return 0; 143 return t->fake_stack(); 144} 145 146static FakeStack *GetFakeStackFast() { 147 if (FakeStack *fs = GetTLSFakeStack()) 148 return fs; 149 return GetFakeStack(); 150} 151 152ALWAYS_INLINE uptr OnMalloc(uptr class_id, uptr size, uptr real_stack) { 153 FakeStack *fs = GetFakeStackFast(); 154 if (!fs) return real_stack; 155 FakeFrame *ff = fs->Allocate(fs->stack_size_log(), class_id, real_stack); 156 uptr ptr = reinterpret_cast<uptr>(ff); 157 SetShadow(ptr, size, class_id, 0); 158 return ptr; 159} 160 161ALWAYS_INLINE void OnFree(uptr ptr, uptr class_id, uptr size, uptr real_stack) { 162 if (ptr == real_stack) 163 return; 164 FakeStack *fs = GetFakeStackFast(); // Must not be 0. 165 FakeFrame *ff = reinterpret_cast<FakeFrame *>(ptr); 166 fs->Deallocate(ff, fs->stack_size_log(), class_id, real_stack); 167 SetShadow(ptr, size, class_id, kMagic8); 168} 169 170} // namespace __asan 171 172// ---------------------- Interface ---------------- {{{1 173#define DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(class_id) \ 174 extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr \ 175 __asan_stack_malloc_##class_id(uptr size, uptr real_stack) { \ 176 return __asan::OnMalloc(class_id, size, real_stack); \ 177 } \ 178 extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __asan_stack_free_##class_id( \ 179 uptr ptr, uptr size, uptr real_stack) { \ 180 __asan::OnFree(ptr, class_id, size, real_stack); \ 181 } 182 183DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(0) 184DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(1) 185DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(2) 186DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(3) 187DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(4) 188DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(5) 189DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(6) 190DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(7) 191DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(8) 192DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(9) 193DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(10) 194