Author: kcc
Date: Mon Dec 18 13:40:07 2017
New Revision: 321027
URL: http://llvm.org/viewvc/llvm-project?rev=321027&view=rev
Log:
[hwasan] update the design doc
Modified:
cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst
Modified: cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst
URL:
http://llvm.org/viewvc/llvm-project/cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst?rev=321027&r1=321026&r2=321027&view=diff
==============================================================================
--- cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst (original)
+++ cfe/trunk/docs/HardwareAssistedAddressSanitizerDesign.rst Mon Dec 18
13:40:07 2017
@@ -21,7 +21,7 @@ The redzones, the quarantine, and, to a
sources of AddressSanitizer's memory overhead.
See the `AddressSanitizer paper`_ for details.
-AArch64 has the `Address Tagging`_, a hardware feature that allows
+AArch64 has the `Address Tagging`_ (or top-byte-ignore, TBI), a hardware
feature that allows
software to use 8 most significant bits of a 64-bit pointer as
a tag. HWASAN uses `Address Tagging`_
to implement a memory safety tool, similar to :doc:`AddressSanitizer`,
@@ -31,7 +31,7 @@ accuracy guarantees.
Algorithm
=========
* Every heap/stack/global memory object is forcibly aligned by `N` bytes
- (`N` is e.g. 16 or 64)
+ (`N` is e.g. 16 or 64). We call `N` the **granularity** of tagging.
* For every such object a random `K`-bit tag `T` is chosen (`K` is e.g. 4 or 8)
* The pointer to the object is tagged with `T`.
* The memory for the object is also tagged with `T`
@@ -44,19 +44,35 @@ Instrumentation
Memory Accesses
---------------
-All memory accesses are prefixed with a call to a run-time function.
-The function encodes the type and the size of access in its name;
-it receives the address as a parameter, e.g. `__hwasan_load4(void *ptr)`;
-it loads the memory tag, compares it with the
-pointer tag, and executes `__builtin_trap` (or calls
`__hwasan_error_load4(void *ptr)`) on mismatch.
+All memory accesses are prefixed with an inline instruction sequence that
+verifies the tags. Currently, the following sequence is used:
-It's possible to inline this callback too.
+
+.. code-block:: asm
+
+ // int foo(int *a) { return *a; }
+ // clang -O2 --target=aarch64-linux -fsanitize=hwaddress -c load.c
+ foo:
+ 0: 08 dc 44 d3 ubfx x8, x0, #4, #52 // shadow address
+ 4: 08 01 40 39 ldrb w8, [x8] // load shadow
+ 8: 09 fc 78 d3 lsr x9, x0, #56 // address tag
+ c: 3f 01 08 6b cmp w9, w8 // compare tags
+ 10: 61 00 00 54 b.ne #12 // jump on mismatch
+ 14: 00 00 40 b9 ldr w0, [x0] // original load
+ 18: c0 03 5f d6 ret
+ 1c: 40 20 40 d4 hlt #0x102 // halt
+ 20: 00 00 40 b9 ldr w0, [x0] // original load
+ 24: c0 03 5f d6 ret
+
+
+Alternatively, memory accesses are prefixed with a function call.
Heap
----
Tagging the heap memory/pointers is done by `malloc`.
This can be based on any malloc that forces all objects to be N-aligned.
+`free` tags the memory with a different tag.
Stack
-----
@@ -75,7 +91,7 @@ TODO: details.
Error reporting
---------------
-Errors are generated by `__builtin_trap` and are handled by a signal handler.
+Errors are generated by the `HLT` instruction and are handled by a signal
handler.
Attribute
---------
_______________________________________________
cfe-commits mailing list
cfe-commits@lists.llvm.org
http://lists.llvm.org/cgi-bin/mailman/listinfo/cfe-commits
