Author: Peter Collingbourne
Date: 2020-02-06T17:44:43-08:00
New Revision: 7931e8eee3dafe64101dcc1aaaae88276ba81071

URL: 
https://github.com/llvm/llvm-project/commit/7931e8eee3dafe64101dcc1aaaae88276ba81071
DIFF: 
https://github.com/llvm/llvm-project/commit/7931e8eee3dafe64101dcc1aaaae88276ba81071.diff

LOG: Update hwasan docs to cover outlined checks and globals.

Differential Revision: https://reviews.llvm.org/D74150

Added: 
    

Modified: 
    clang/docs/HardwareAssistedAddressSanitizerDesign.rst

Removed: 
    


################################################################################
diff  --git a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst 
b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
index d02dc00057fe..0e6c6902cfb3 100644
--- a/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
+++ b/clang/docs/HardwareAssistedAddressSanitizerDesign.rst
@@ -67,43 +67,59 @@ Instrumentation
 
 Memory Accesses
 ---------------
-All memory accesses are prefixed with an inline instruction sequence that
-verifies the tags. Currently, the following sequence is used:
+In the majority of cases, memory accesses are prefixed with a call to
+an outlined instruction sequence that verifies the tags. The code size
+and performance overhead of the call is reduced by using a custom calling
+convention that
+
+* preserves most registers, and
+* is specialized to the register containing the address, and the type and
+  size of the memory access.
+
+Currently, the following sequence is used:
 
 .. code-block:: none
 
   // int foo(int *a) { return *a; }
-  // clang -O2 --target=aarch64-linux -fsanitize=hwaddress 
-fsanitize-recover=hwaddress -c load.c
+  // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - 
load.c
+  [...]
   foo:
-       0:      90000008        adrp    x8, 0 <__hwasan_shadow>
-       4:      f9400108        ldr     x8, [x8]         // shadow base (to be 
resolved by the loader)
-       8:      d344dc09        ubfx    x9, x0, #4, #52  // shadow offset
-       c:      38696909        ldrb    w9, [x8, x9]     // load shadow tag
-      10:      d378fc08        lsr     x8, x0, #56      // extract address tag
-      14:      6b09011f        cmp     w8, w9           // compare tags
-      18:      54000061        b.ne    24 <foo+0x24>    // jump to short tag 
handler on mismatch
-      1c:      b9400000        ldr     w0, [x0]         // original load
-      20:      d65f03c0        ret
-      24:      7100413f        cmp     w9, #0x10        // is this a short tag?
-      28:      54000142        b.cs    50 <foo+0x50>    // if not, trap
-      2c:      12000c0a        and     w10, w0, #0xf    // find the address's 
position in the short granule
-      30:      11000d4a        add     w10, w10, #0x3   // adjust to the 
position of the last byte loaded
-      34:      6b09015f        cmp     w10, w9          // check that position 
is in bounds
-      38:      540000c2        b.cs    50 <foo+0x50>    // if not, trap
-      3c:      9240dc09        and     x9, x0, #0xffffffffffffff
-      40:      b2400d29        orr     x9, x9, #0xf     // compute address of 
last byte of granule
-      44:      39400129        ldrb    w9, [x9]         // load tag from it
-      48:      6b09011f        cmp     w8, w9           // compare with 
pointer tag
-      4c:      54fffe80        b.eq    1c <foo+0x1c>    // if so, continue
-      50:      d4212440        brk     #0x922           // otherwise trap
-      54:      b9400000        ldr     w0, [x0]         // tail duplicated 
original load (to handle recovery)
-      58:      d65f03c0        ret
-
-Alternatively, memory accesses are prefixed with a function call.
-On AArch64, a function call is used by default in trapping mode. The code size
-and performance overhead of the call is reduced by using a custom calling
-convention that preserves most registers and is specialized to the register
-containing the address and the type and size of the memory access.
+        str     x30, [sp, #-16]!
+        adrp    x9, :got:__hwasan_shadow                // load shadow address 
from GOT into x9
+        ldr     x9, [x9, :got_lo12:__hwasan_shadow]
+        bl      __hwasan_check_x0_2_short               // call outlined tag 
check
+                                                        // (arguments: x0 = 
address, x9 = shadow base;
+                                                        // "2" encodes the 
access type and size)
+        ldr     w0, [x0]                                // inline load
+        ldr     x30, [sp], #16
+        ret
+
+  [...]
+  __hwasan_check_x0_2_short:
+        ubfx    x16, x0, #4, #52                        // shadow offset
+        ldrb    w16, [x9, x16]                          // load shadow tag
+        cmp     x16, x0, lsr #56                        // extract address 
tag, compare with shadow tag
+        b.ne    .Ltmp0                                  // jump to short tag 
handler on mismatch
+  .Ltmp1:
+        ret
+  .Ltmp0:
+        cmp     w16, #15                                // is this a short tag?
+        b.hi    .Ltmp2                                  // if not, error
+        and     x17, x0, #0xf                           // find the address's 
position in the short granule
+        add     x17, x17, #3                            // adjust to the 
position of the last byte loaded
+        cmp     w16, w17                                // check that position 
is in bounds
+        b.ls    .Ltmp2                                  // if not, error
+        orr     x16, x0, #0xf                           // compute address of 
last byte of granule
+        ldrb    w16, [x16]                              // load tag from it
+        cmp     x16, x0, lsr #56                        // compare with 
pointer tag
+        b.eq    .Ltmp1                                  // if matches, continue
+  .Ltmp2:
+        stp     x0, x1, [sp, #-256]!                    // save original x0, 
x1 on stack (they will be overwritten)
+        stp     x29, x30, [sp, #232]                    // create frame record
+        mov     x1, #2                                  // set x1 to a 
constant indicating the type of failure
+        adrp    x16, :got:__hwasan_tag_mismatch_v2      // call runtime 
function to save remaining registers and report error
+        ldr     x16, [x16, :got_lo12:__hwasan_tag_mismatch_v2] // (load 
address from GOT to avoid potential register clobbers in delay load handler)
+        br      x16
 
 Heap
 ----
@@ -131,7 +147,67 @@ but could be optional.
 Globals
 -------
 
-TODO: details.
+Most globals in HWASAN instrumented code are tagged. This is accomplished
+using the following mechanisms:
+
+  * The address of each global has a static tag associated with it. The first
+    defined global in a translation unit has a pseudorandom tag associated
+    with it, based on the hash of the file path. Subsequent global tags are
+    incremental from the previously-assigned tag.
+
+  * The global's tag is added to its symbol address in the object file's symbol
+    table. This causes the global's address to be tagged when its address is
+    taken.
+
+  * When the address of a global is taken directly (i.e. not via the GOT), a 
special
+    instruction sequence needs to be used to add the tag to the address,
+    because the tag would otherwise take the address outside of the small code
+    model (4GB on AArch64). No changes are required when the address is taken
+    via the GOT because the address stored in the GOT will contain the tag.
+
+  * An associated ``hwasan_globals`` section is emitted for each tagged global,
+    which indicates the address of the global, its size and its tag.  These
+    sections are concatenated by the linker into a single ``hwasan_globals``
+    section that is enumerated by the runtime (via an ELF note) when a binary
+    is loaded and the memory is tagged accordingly.
+
+A complete example is given below:
+
+.. code-block:: none
+
+  // int x = 1; int *f() { return &x; }
+  // clang -O2 --target=aarch64-linux-android30 -fsanitize=hwaddress -S -o - 
global.c
+
+  [...]
+  f:
+        adrp    x0, :pg_hi21_nc:x            // set bits 12-63 to upper bits 
of untagged address
+        movk    x0, #:prel_g3:x+0x100000000  // set bits 48-63 to tag
+        add     x0, x0, :lo12:x              // set bits 0-11 to lower bits of 
address
+        ret
+
+  [...]
+        .data
+  .Lx.hwasan:
+        .word   1
+
+        .globl  x
+        .set x, .Lx.hwasan+0x2d00000000000000
+
+  [...]
+        .section        
.note.hwasan.globals,"aG",@note,hwasan.module_ctor,comdat
+  .Lhwasan.note:
+        .word   8                            // namesz
+        .word   8                            // descsz
+        .word   3                            // NT_LLVM_HWASAN_GLOBALS
+        .asciz  "LLVM\000\000\000"
+        .word   __start_hwasan_globals-.Lhwasan.note
+        .word   __stop_hwasan_globals-.Lhwasan.note
+
+  [...]
+        .section        hwasan_globals,"ao",@progbits,.Lx.hwasan,unique,2
+  .Lx.hwasan.descriptor:
+        .word   .Lx.hwasan-.Lx.hwasan.descriptor
+        .word   0x2d000004                   // tag = 0x2d, size = 4
 
 Error reporting
 ---------------


        
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
https://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits

Reply via email to