asan_fake_stack.cc revision 0f2283742e1d37ebf0c5ac034dab704a7d9af099 
1//===-- asan_fake_stack.cc ------------------------------------------------===//
2//
3//                     The LLVM Compiler Infrastructure
4//
5// This file is distributed under the University of Illinois Open Source
6// License. See LICENSE.TXT for details.
7//
8//===----------------------------------------------------------------------===//
9//
10// This file is a part of AddressSanitizer, an address sanity checker.
11//
12// FakeStack is used to detect use-after-return bugs.
13//===----------------------------------------------------------------------===//
14#include "asan_allocator.h"
15#include "asan_poisoning.h"
16#include "asan_thread.h"
17
18namespace __asan {
19
20static const u64 kMagic1 = kAsanStackAfterReturnMagic;
21static const u64 kMagic2 = (kMagic1 << 8) | kMagic1;
22static const u64 kMagic4 = (kMagic2 << 16) | kMagic2;
23static const u64 kMagic8 = (kMagic4 << 32) | kMagic4;
24
25// For small size classes inline PoisonShadow for better performance.
26ALWAYS_INLINE void SetShadow(uptr ptr, uptr size, uptr class_id, u64 magic) {
27  CHECK_EQ(SHADOW_SCALE, 3);  // This code expects SHADOW_SCALE=3.
28  u64 *shadow = reinterpret_cast<u64*>(MemToShadow(ptr));
29  if (class_id <= 6) {
30    for (uptr i = 0; i < (1U << class_id); i++)
31      shadow[i] = magic;
32  } else {
33    // The size class is too big, it's cheaper to poison only size bytes.
34    PoisonShadow(ptr, size, static_cast<u8>(magic));
35  }
36}
37
38void FakeStack::PoisonAll(u8 magic) {
39  PoisonShadow(reinterpret_cast<uptr>(this), RequiredSize(stack_size_log()),
40               magic);
41}
42
43ALWAYS_INLINE USED
44FakeFrame *FakeStack::Allocate(uptr stack_size_log, uptr class_id,
45                               uptr real_stack) {
46  CHECK_LT(class_id, kNumberOfSizeClasses);
47  if (needs_gc_)
48    GC(real_stack);
49  uptr &hint_position = hint_position_[class_id];
50  const int num_iter = NumberOfFrames(stack_size_log, class_id);
51  u8 *flags = GetFlags(stack_size_log, class_id);
52  for (int i = 0; i < num_iter; i++) {
53    uptr pos = ModuloNumberOfFrames(stack_size_log, class_id, hint_position++);
54    // This part is tricky. On one hand, checking and setting flags[pos]
55    // should be atomic to ensure async-signal safety. But on the other hand,
56    // if the signal arrives between checking and setting flags[pos], the
57    // signal handler's fake stack will start from a different hint_position
58    // and so will not touch this particular byte. So, it is safe to do this
59    // with regular non-atimic load and store (at least I was not able to make
60    // this code crash).
61    if (flags[pos]) continue;
62    flags[pos] = 1;
63    FakeFrame *res = reinterpret_cast<FakeFrame *>(
64        GetFrame(stack_size_log, class_id, pos));
65    res->real_stack = real_stack;
66    return res;
67  }
68  CHECK(0 && "Failed to allocate a fake stack frame");
69  return 0;
70}
71
72ALWAYS_INLINE USED
73void FakeStack::Deallocate(FakeFrame *ff, uptr stack_size_log, uptr class_id,
74                           uptr real_stack) {
75  u8 *base = GetFrame(stack_size_log, class_id, 0);
76  u8 *cur = reinterpret_cast<u8 *>(ff);
77  CHECK_LE(base, cur);
78  CHECK_LT(cur, base + (1UL << stack_size_log));
79  uptr pos = (cur - base) >> (kMinStackFrameSizeLog + class_id);
80  u8 *flags = GetFlags(stack_size_log, class_id);
81  CHECK_EQ(flags[pos], 1);
82  flags[pos] = 0;
83}
84
85uptr FakeStack::AddrIsInFakeStack(uptr ptr) {
86  uptr stack_size_log = this->stack_size_log();
87  uptr beg = reinterpret_cast<uptr>(GetFrame(stack_size_log, 0, 0));
88  uptr end = reinterpret_cast<uptr>(this) + RequiredSize(stack_size_log);
89  if (ptr < beg || ptr >= end) return 0;
90  uptr class_id = (ptr - beg) >> stack_size_log;
91  uptr base = beg + (class_id << stack_size_log);
92  CHECK_LE(base, ptr);
93  CHECK_LT(ptr, base + (1UL << stack_size_log));
94  uptr pos = (ptr - base) >> (kMinStackFrameSizeLog + class_id);
95  return base + pos * BytesInSizeClass(class_id);
96}
97
98void FakeStack::HandleNoReturn() {
99  needs_gc_ = true;
100}
101
102// When throw, longjmp or some such happens we don't call OnFree() and
103// as the result may leak one or more fake frames, but the good news is that
104// we are notified about all such events by HandleNoReturn().
105// If we recently had such no-return event we need to collect garbage frames.
106// We do it based on their 'real_stack' values -- everything that is lower
107// than the current real_stack is garbage.
108NOINLINE void FakeStack::GC(uptr real_stack) {
109  uptr collected = 0;
110  for (uptr class_id = 0; class_id < kNumberOfSizeClasses; class_id++) {
111    u8 *flags = GetFlags(stack_size_log(), class_id);
112    for (uptr i = 0, n = NumberOfFrames(stack_size_log(), class_id); i < n;
113         i++) {
114      if (flags[i] == 0) continue;  // not allocated.
115      FakeFrame *ff = reinterpret_cast<FakeFrame *>(
116          GetFrame(stack_size_log(), class_id, i));
117      if (ff->real_stack < real_stack) {
118        flags[i] = 0;
119        collected++;
120      }
121    }
122  }
123  needs_gc_ = false;
124}
125
126#if SANITIZER_LINUX
127static THREADLOCAL FakeStack *fake_stack_tls;
128
129FakeStack *GetTLSFakeStack() {
130  return fake_stack_tls;
131}
132void SetTLSFakeStack(FakeStack *fs) {
133  fake_stack_tls = fs;
134}
135#else
136FakeStack *GetTLSFakeStack() { return 0; }
137void SetTLSFakeStack(FakeStack *fs) { }
138#endif  // SANITIZER_LINUX
139
140static FakeStack *GetFakeStack() {
141  AsanThread *t = GetCurrentThread();
142  if (!t) return 0;
143  return t->fake_stack();
144}
145
146static FakeStack *GetFakeStackFast() {
147  if (FakeStack *fs = GetTLSFakeStack())
148    return fs;
149  return GetFakeStack();
150}
151
152ALWAYS_INLINE uptr OnMalloc(uptr class_id, uptr size, uptr real_stack) {
153  FakeStack *fs = GetFakeStackFast();
154  if (!fs) return real_stack;
155  FakeFrame *ff = fs->Allocate(fs->stack_size_log(), class_id, real_stack);
156  uptr ptr = reinterpret_cast<uptr>(ff);
157  SetShadow(ptr, size, class_id, 0);
158  return ptr;
159}
160
161ALWAYS_INLINE void OnFree(uptr ptr, uptr class_id, uptr size, uptr real_stack) {
162  if (ptr == real_stack)
163    return;
164  FakeStack *fs = GetFakeStackFast();  // Must not be 0.
165  FakeFrame *ff = reinterpret_cast<FakeFrame *>(ptr);
166  fs->Deallocate(ff, fs->stack_size_log(), class_id, real_stack);
167  SetShadow(ptr, size, class_id, kMagic8);
168}
169
170}  // namespace __asan
171
172// ---------------------- Interface ---------------- {{{1
173#define DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(class_id)                       \
174  extern "C" SANITIZER_INTERFACE_ATTRIBUTE uptr                                \
175  __asan_stack_malloc_##class_id(uptr size, uptr real_stack) {                 \
176    return __asan::OnMalloc(class_id, size, real_stack);                       \
177  }                                                                            \
178  extern "C" SANITIZER_INTERFACE_ATTRIBUTE void __asan_stack_free_##class_id(  \
179      uptr ptr, uptr size, uptr real_stack) {                                  \
180    __asan::OnFree(ptr, class_id, size, real_stack);                           \
181  }
182
183DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(0)
184DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(1)
185DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(2)
186DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(3)
187DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(4)
188DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(5)
189DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(6)
190DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(7)
191DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(8)
192DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(9)
193DEFINE_STACK_MALLOC_FREE_WITH_CLASS_ID(10)
194