Author: eugenis Date: Mon Jul 15 13:02:23 2019 New Revision: 366123 URL: http://llvm.org/viewvc/llvm-project?rev=366123&view=rev Log: ARM MTE stack sanitizer.
Add "memtag" sanitizer that detects and mitigates stack memory issues using armv8.5 Memory Tagging Extension. It is similar in principle to HWASan, which is a software implementation of the same idea, but there are enough differencies to warrant a new sanitizer type IMHO. It is also expected to have very different performance properties. The new sanitizer does not have a runtime library (it may grow one later, along with a "debugging" mode). Similar to SafeStack and StackProtector, the instrumentation pass (in a follow up change) will be inserted in all cases, but will only affect functions marked with the new sanitize_memtag attribute. Reviewers: pcc, hctim, vitalybuka, ostannard Subscribers: srhines, mehdi_amini, javed.absar, kristof.beyls, hiraditya, cryptoad, steven_wu, dexonsmith, cfe-commits, llvm-commits Tags: #clang, #llvm Differential Revision: https://reviews.llvm.org/D64169 Added: cfe/trunk/test/CodeGen/memtag-attr.cpp cfe/trunk/test/Lexer/has_feature_memtag_sanitizer.cpp Modified: cfe/trunk/include/clang/Basic/Features.def cfe/trunk/include/clang/Basic/Sanitizers.def cfe/trunk/lib/CodeGen/CGDeclCXX.cpp cfe/trunk/lib/CodeGen/CodeGenFunction.cpp cfe/trunk/lib/CodeGen/CodeGenModule.cpp cfe/trunk/lib/CodeGen/SanitizerMetadata.cpp cfe/trunk/lib/Driver/SanitizerArgs.cpp cfe/trunk/lib/Driver/ToolChains/Linux.cpp cfe/trunk/test/Driver/fsanitize.c cfe/trunk/test/SemaCXX/attr-no-sanitize.cpp
Modified: cfe/trunk/include/clang/Basic/Features.def
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Basic/Features.def?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/include/clang/Basic/Features.def (original)
+++ cfe/trunk/include/clang/Basic/Features.def Mon Jul 15 13:02:23 2019
@@ -42,6 +42,7 @@ FEATURE(address_sanitizer,
 FEATURE(hwaddress_sanitizer,
 LangOpts.Sanitize.hasOneOf(SanitizerKind::HWAddress |
 SanitizerKind::KernelHWAddress))
+FEATURE(memtag_sanitizer, LangOpts.Sanitize.has(SanitizerKind::MemTag))
 FEATURE(xray_instrument, LangOpts.XRayInstrument)
 FEATURE(undefined_behavior_sanitizer,
 LangOpts.Sanitize.hasOneOf(SanitizerKind::Undefined))
Modified: cfe/trunk/include/clang/Basic/Sanitizers.def
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/include/clang/Basic/Sanitizers.def?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/include/clang/Basic/Sanitizers.def (original)
+++ cfe/trunk/include/clang/Basic/Sanitizers.def Mon Jul 15 13:02:23 2019
@@ -55,6 +55,9 @@ SANITIZER("hwaddress", HWAddress)
 
 // Kernel Hardware-assisted AddressSanitizer (KHWASan)
 SANITIZER("kernel-hwaddress", KernelHWAddress)
 
+// A variant of AddressSanitizer using AArch64 MTE extension.
+SANITIZER("memtag", MemTag)
+
 // MemorySanitizer
 SANITIZER("memory", Memory)
Modified: cfe/trunk/lib/CodeGen/CGDeclCXX.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CGDeclCXX.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/CodeGen/CGDeclCXX.cpp (original)
+++ cfe/trunk/lib/CodeGen/CGDeclCXX.cpp Mon Jul 15 13:02:23 2019
@@ -369,6 +369,10 @@ llvm::Function *CodeGenModule::CreateGlo
 !isInSanitizerBlacklist(SanitizerKind::KernelHWAddress, Fn, Loc))
 Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress);
 
+ if (getLangOpts().Sanitize.has(SanitizerKind::MemTag) &&
+ !isInSanitizerBlacklist(SanitizerKind::MemTag, Fn, Loc))
+ Fn->addFnAttr(llvm::Attribute::SanitizeMemTag);
+
 if (getLangOpts().Sanitize.has(SanitizerKind::Thread) &&
 !isInSanitizerBlacklist(SanitizerKind::Thread, Fn, Loc))
 Fn->addFnAttr(llvm::Attribute::SanitizeThread);
Modified: cfe/trunk/lib/CodeGen/CodeGenFunction.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CodeGenFunction.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/CodeGen/CodeGenFunction.cpp (original)
+++ cfe/trunk/lib/CodeGen/CodeGenFunction.cpp Mon Jul 15 13:02:23 2019
@@ -696,6 +696,8 @@ void CodeGenFunction::StartFunction(Glob
 Fn->addFnAttr(llvm::Attribute::SanitizeAddress);
 if (SanOpts.hasOneOf(SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress))
 Fn->addFnAttr(llvm::Attribute::SanitizeHWAddress);
+ if (SanOpts.has(SanitizerKind::MemTag))
+ Fn->addFnAttr(llvm::Attribute::SanitizeMemTag);
 if (SanOpts.has(SanitizerKind::Thread))
 Fn->addFnAttr(llvm::Attribute::SanitizeThread);
 if (SanOpts.hasOneOf(SanitizerKind::Memory | SanitizerKind::KernelMemory))
Modified: cfe/trunk/lib/CodeGen/CodeGenModule.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/CodeGenModule.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/CodeGen/CodeGenModule.cpp (original)
+++ cfe/trunk/lib/CodeGen/CodeGenModule.cpp Mon Jul 15 13:02:23 2019
@@ -2239,9 +2239,11 @@ bool CodeGenModule::isInSanitizerBlackli
 SourceLocation Loc, QualType Ty,
 StringRef Category) const {
 // For now globals can be blacklisted only in ASan and KASan.
- const SanitizerMask EnabledAsanMask = LangOpts.Sanitize.Mask &
+ const SanitizerMask EnabledAsanMask =
+ LangOpts.Sanitize.Mask &
 (SanitizerKind::Address | SanitizerKind::KernelAddress |
- SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress);
+ SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress |
+ SanitizerKind::MemTag);
 if (!EnabledAsanMask)
 return false;
 const auto &SanitizerBL = getContext().getSanitizerBlacklist();
Modified: cfe/trunk/lib/CodeGen/SanitizerMetadata.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/CodeGen/SanitizerMetadata.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/CodeGen/SanitizerMetadata.cpp (original)
+++ cfe/trunk/lib/CodeGen/SanitizerMetadata.cpp Mon Jul 15 13:02:23 2019
@@ -20,14 +20,17 @@ using namespace CodeGen;
 
 SanitizerMetadata::SanitizerMetadata(CodeGenModule &CGM) : CGM(CGM) {}
 
+static bool isAsanHwasanOrMemTag(const SanitizerSet& SS) {
+ return SS.hasOneOf(SanitizerKind::Address | SanitizerKind::KernelAddress |
+ SanitizerKind::HWAddress | SanitizerKind::KernelHWAddress |
+ SanitizerKind::MemTag);
+}
+
 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
 SourceLocation Loc, StringRef Name,
 QualType Ty, bool IsDynInit,
 bool IsBlacklisted) {
- if (!CGM.getLangOpts().Sanitize.hasOneOf(SanitizerKind::Address |
- SanitizerKind::KernelAddress |
- SanitizerKind::HWAddress |
- SanitizerKind::KernelHWAddress))
+ if (!isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
 return;
 IsDynInit &= !CGM.isInSanitizerBlacklist(GV, Loc, Ty, "init");
 IsBlacklisted |= CGM.isInSanitizerBlacklist(GV, Loc, Ty);
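Review bot: The comment `// For now globals can be blacklisted only in ASan and KASan.` above the mask in `CodeGenModule::isInSanitizerBlacklist` is now misleading: the mask directly under it already covered HWASan and KHWASan and this change adds MemTag, so a reader deciding whether `memtag` blacklist entries apply to globals gets the wrong answer. Suggest `// Globals can currently be blacklisted only for the ASan family: ASan, KASan, HWASan, KHWASan and MemTag.` The enclosing function starts before the hunk.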
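Review bot: The new helper `isAsanHwasanOrMemTag` carries no comment and binds its parameter as `const SanitizerSet& SS`, which does not match the surrounding LLVM style (compare `CodeGenModule &CGM` two lines above). Suggest `static bool isAsanHwasanOrMemTag(const SanitizerSet &SS) {` preceded by `// Sanitizers whose globals are reported through reportGlobalToASan: the ASan family, including MemTag.` The same five-kind mask is spelled out again inline in `CodeGenModule::isInSanitizerBlacklist` in the previous hunk; if the two are meant to stay in sync, a single named mask would stop the next sanitizer being added to one and not the other.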
@@ -58,10 +61,7 @@ void SanitizerMetadata::reportGlobalToAS
 
 void SanitizerMetadata::reportGlobalToASan(llvm::GlobalVariable *GV,
 const VarDecl &D, bool IsDynInit) {
- if (!CGM.getLangOpts().Sanitize.hasOneOf(SanitizerKind::Address |
- SanitizerKind::KernelAddress |
- SanitizerKind::HWAddress |
- SanitizerKind::KernelHWAddress))
+ if (!isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
 return;
 std::string QualName;
 llvm::raw_string_ostream OS(QualName);
@@ -78,10 +78,7 @@ void SanitizerMetadata::reportGlobalToAS
 
 void SanitizerMetadata::disableSanitizerForGlobal(llvm::GlobalVariable *GV) {
 // For now, just make sure the global is not modified by the ASan
 // instrumentation.
- if (CGM.getLangOpts().Sanitize.hasOneOf(SanitizerKind::Address |
- SanitizerKind::KernelAddress |
- SanitizerKind::HWAddress |
- SanitizerKind::KernelHWAddress))
+ if (isAsanHwasanOrMemTag(CGM.getLangOpts().Sanitize))
 reportGlobalToASan(GV, SourceLocation(), "", QualType(), false, true);
 }
Modified: cfe/trunk/lib/Driver/SanitizerArgs.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Driver/SanitizerArgs.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/Driver/SanitizerArgs.cpp (original)
+++ cfe/trunk/lib/Driver/SanitizerArgs.cpp Mon Jul 15 13:02:23 2019
@@ -40,7 +40,8 @@ static const SanitizerMask NeedsUnwindTa
 static const SanitizerMask SupportsCoverage =
 SanitizerKind::Address | SanitizerKind::HWAddress |
 SanitizerKind::KernelAddress | SanitizerKind::KernelHWAddress |
- SanitizerKind::Memory | SanitizerKind::KernelMemory | SanitizerKind::Leak |
+ SanitizerKind::MemTag | SanitizerKind::Memory |
+ SanitizerKind::KernelMemory | SanitizerKind::Leak |
 SanitizerKind::Undefined | SanitizerKind::Integer |
 SanitizerKind::ImplicitConversion | SanitizerKind::Nullability |
 SanitizerKind::DataFlow | SanitizerKind::Fuzzer |
@@ -122,6 +123,7 @@ static void addDefaultBlacklists(const D
 SanitizerMask Mask;
 } Blacklists[] = {{"asan_blacklist.txt", SanitizerKind::Address},
 {"hwasan_blacklist.txt", SanitizerKind::HWAddress},
+ {"memtag_blacklist.txt", SanitizerKind::MemTag},
 {"msan_blacklist.txt", SanitizerKind::Memory},
 {"tsan_blacklist.txt", SanitizerKind::Thread},
 {"dfsan_abilist.txt", SanitizerKind::DataFlow},
@@ -420,7 +422,11 @@ SanitizerArgs::SanitizerArgs(const ToolC
 SanitizerKind::Address | SanitizerKind::HWAddress |
 SanitizerKind::Leak | SanitizerKind::Thread |
 SanitizerKind::Memory | SanitizerKind::KernelAddress |
- SanitizerKind::Scudo | SanitizerKind::SafeStack)};
+ SanitizerKind::Scudo | SanitizerKind::SafeStack),
+ std::make_pair(SanitizerKind::MemTag,
+ SanitizerKind::Address | SanitizerKind::KernelAddress |
+ SanitizerKind::HWAddress |
+ SanitizerKind::KernelHWAddress)};
 
 // Enable toolchain specific default sanitizers if not explicitly disabled.
 SanitizerMask Default = TC.getDefaultSanitizers() & ~AllRemove;
Modified: cfe/trunk/lib/Driver/ToolChains/Linux.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/lib/Driver/ToolChains/Linux.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/lib/Driver/ToolChains/Linux.cpp (original)
+++ cfe/trunk/lib/Driver/ToolChains/Linux.cpp Mon Jul 15 13:02:23 2019
@@ -1026,6 +1026,8 @@ SanitizerMask Linux::getSupportedSanitiz
 Res |= SanitizerKind::HWAddress;
 Res |= SanitizerKind::KernelHWAddress;
 }
+ if (IsAArch64)
+ Res |= SanitizerKind::MemTag;
 return Res;
 }
 
Added: cfe/trunk/test/CodeGen/memtag-attr.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/CodeGen/memtag-attr.cpp?rev=366123&view=auto
==============================================================================
--- cfe/trunk/test/CodeGen/memtag-attr.cpp (added)
+++ cfe/trunk/test/CodeGen/memtag-attr.cpp Mon Jul 15 13:02:23 2019
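Review bot: The new `std::make_pair(SanitizerKind::MemTag, ...)` entry only rejects combining `memtag` with the ASan family; unlike the `Scudo` entry just above it, nothing here rules out `memtag` together with `SanitizerKind::Memory`, `SanitizerKind::Thread` or `SanitizerKind::SafeStack`, which also instrument or relocate stack state. Whether those combinations are actually unsupported cannot be told from this hunk, since the description defers the instrumentation pass to a follow-up, but the intended matrix should be fixed now and every rejected pair covered in fsanitize.c, which presently tests only `memtag,address` and `memtag,hwaddress`. The incompatible-groups initializer starts before the hunk.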
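Review bot: The new `if (IsAArch64) Res |= SanitizerKind::MemTag;` in `Linux::getSupportedSanitizers` immediately follows an `if (IsAArch64) { ... }` block that already gates HWAddress and KernelHWAddress, so the line belongs inside that block rather than behind a second test of the same condition. More importantly, this advertises `-fsanitize=memtag` for every AArch64 Linux target whether or not the target has the MTE feature; if the later instrumentation pass needs `+memtag`, the driver should diagnose its absence here or in SanitizerArgs instead of letting users hit a backend failure. Whether such a feature check exists elsewhere is not visible from this hunk.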
@@ -0,0 +1,19 @@
+// Make sure the sanitize_memtag attribute is emitted when using MemTag sanitizer.
+// Make sure __attribute__((no_sanitize("memtag")) disables instrumentation.
+
+// RUN: %clang_cc1 -triple aarch64-unknown-linux -disable-O0-optnone \
+// RUN: -emit-llvm -o - %s | FileCheck -check-prefix=CHECK-NO %s
+
+// RUN: %clang_cc1 -triple aarch64-unknown-linux -fsanitize=memtag \
+// RUN: -disable-O0-optnone -emit-llvm -o - %s | \
+// RUN: FileCheck -check-prefix=CHECK-MEMTAG %s
+
+int HasSanitizeMemTag() { return 1; }
+// CHECK-NO: {{Function Attrs: noinline nounwind$}}
+// CHECK-MEMTAG: Function Attrs: noinline nounwind sanitize_memtag
+
+__attribute__((no_sanitize("memtag"))) int NoSanitizeQuoteAddress() {
+ return 0;
+}
+// CHECK-NO: {{Function Attrs: noinline nounwind$}}
+// CHECK-MEMTAG: {{Function Attrs: noinline nounwind$}}
Modified: cfe/trunk/test/Driver/fsanitize.c
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Driver/fsanitize.c?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/test/Driver/fsanitize.c (original)
+++ cfe/trunk/test/Driver/fsanitize.c Mon Jul 15 13:02:23 2019
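Review bot: The second function in the new test is named `NoSanitizeQuoteAddress`, a leftover from the HWASan test this file mirrors; `NoSanitizeQuoteMemTag` would name what it actually exercises. The header comment also drops a closing parenthesis and should read `// Make sure __attribute__((no_sanitize("memtag"))) disables instrumentation.` Neither affects the FileCheck lines, which match the attribute list rather than the function names.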
@@ -181,6 +181,16 @@
 // RUN: %clang -target x86_64-linux-gnu -fsanitize=hwaddress,address -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANHA-SANA
 // CHECK-SANHA-SANA: '-fsanitize=hwaddress' not allowed with '-fsanitize=address'
 
+// RUN: %clang -target aarch64-linux-android -fsanitize=memtag,address -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANMT-SANA
+// CHECK-SANMT-SANA: '-fsanitize=memtag' not allowed with '-fsanitize=address'
+
+// RUN: %clang -target aarch64-linux-android -fsanitize=memtag,hwaddress -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANMT-SANHA
+// CHECK-SANMT-SANHA: '-fsanitize=memtag' not allowed with '-fsanitize=hwaddress'
+
+// RUN: %clang -target i386-linux-android -fsanitize=memtag -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANMT-BAD-ARCH
+// RUN: %clang -target x86_64-linux-android -fsanitize=memtag -fno-rtti %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANMT-BAD-ARCH
+// CHECK-SANMT-BAD-ARCH: unsupported option '-fsanitize=memtag' for target
+
 // RUN: %clang -target x86_64-linux-gnu -fsanitize=address -fsanitize-address-use-after-scope %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-USE-AFTER-SCOPE
 // RUN: %clang_cl --target=x86_64-windows -fsanitize=address -fsanitize-address-use-after-scope -### -- %s 2>&1 | FileCheck %s --check-prefix=CHECK-USE-AFTER-SCOPE
 // CHECK-USE-AFTER-SCOPE: -cc1{{.*}}-fsanitize-address-use-after-scope
Added: cfe/trunk/test/Lexer/has_feature_memtag_sanitizer.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/Lexer/has_feature_memtag_sanitizer.cpp?rev=366123&view=auto
==============================================================================
--- cfe/trunk/test/Lexer/has_feature_memtag_sanitizer.cpp (added)
+++ cfe/trunk/test/Lexer/has_feature_memtag_sanitizer.cpp Mon Jul 15 13:02:23 2019
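Review bot: Only rejected spellings are covered by the new RUN lines; there is no positive case asserting that `-target aarch64-linux-android -fsanitize=memtag` is accepted and forwarded to cc1, so the Linux.cpp enablement is exercised only indirectly through the two conflict checks. Adding `// RUN: %clang -target aarch64-linux-android -fsanitize=memtag %s -### 2>&1 | FileCheck %s --check-prefix=CHECK-SANMT` with `// CHECK-SANMT: "-fsanitize=memtag"` would lock the accepted case in alongside the BAD-ARCH rejection.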
@@ -0,0 +1,11 @@
+// RUN: %clang_cc1 -E -fsanitize=memtag %s -o - | FileCheck --check-prefix=CHECK-MEMTAG %s
+// RUN: %clang_cc1 -E %s -o - | FileCheck --check-prefix=CHECK-NO-MEMTAG %s
+
+#if __has_feature(memtag_sanitizer)
+int MemTagSanitizerEnabled();
+#else
+int MemTagSanitizerDisabled();
+#endif
+
+// CHECK-MEMTAG: MemTagSanitizerEnabled
+// CHECK-NO-MEMTAG: MemTagSanitizerDisabled
Modified: cfe/trunk/test/SemaCXX/attr-no-sanitize.cpp
URL: http://llvm.org/viewvc/llvm-project/cfe/trunk/test/SemaCXX/attr-no-sanitize.cpp?rev=366123&r1=366122&r2=366123&view=diff
==============================================================================
--- cfe/trunk/test/SemaCXX/attr-no-sanitize.cpp (original)
+++ cfe/trunk/test/SemaCXX/attr-no-sanitize.cpp Mon Jul 15 13:02:23 2019
@@ -30,3 +30,8 @@ int f5() __attribute__((no_sanitize("add
 // DUMP: NoSanitizeAttr {{.*}} unknown
 // PRINT: int f6() __attribute__((no_sanitize("unknown")))
 int f6() __attribute__((no_sanitize("unknown"))); // expected-warning{{unknown sanitizer 'unknown' ignored}}
+
+// DUMP-LABEL: FunctionDecl {{.*}} f7
+// DUMP: NoSanitizeAttr {{.*}} memtag
+// PRINT: int f7() {{\[\[}}clang::no_sanitize("memtag")]]
+[[clang::no_sanitize("memtag")]] int f7();
_______________________________________________ cfe-commits mailing list cfe-commits@lists.llvm.org https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits