[ASan] Do not instrument catch block parameters on Windows #159618
Conversation
llvmbot
added
compiler-rt
compiler-rt:asan
|
@llvm/pr-subscribers-llvm-transforms Author: David Justo (davidmrdavid) ChangesMitigation for: google/sanitizers#749 Disclosure: I'm not an ASan compiler expert yet (I'm trying to learn!), I primarily work in the runtime. Some of this PR was developed with the help of AI tools (primarily as a "fuzzy All text in the PR and in this description is written by me. Context: The msvc ASan team (👋 ) has received an internal request to improve clang's exception handling under ASan for Windows. Namely, we're interested in mitigating this bug: google/sanitizers#749 To summarize, today, clang + ASan produces a false-positive error for this program: #include <cstdio>
#include <exception>
int main()
{
try {
throw std::exception("test");
}catch (const std::exception& ex){
puts(ex.what());
}
return 0;
}The error reads as such: The root of the issue appears to be that ASan's instrumentation is incompatible with Window's assumptions for instantiating The nitty gritty details are lost on me, but I understand that to make this work without loss of ASan coverage, a "serious" refactoring is needed. In the meantime, users risk false positive errors when pairing ASan + catch-block parameters on Windows. To mitigate this I think we should avoid instrumenting catch-block parameters on Windows. It appears to me this is as "simple" as marking catch block parameters as "uninteresting" in I believe this is strictly better than today's status quo, where the runtime generates false positives. Although we're now explicitly choosing to instrument less, the benefit is that now more programs can run with ASan without funky macros that disable ASan on exception blocks. This PR: implements the mitigation above, and creates a simple new test for it. Thanks! Full diff: https://github.com/llvm/llvm-project/pull/159618.diff 2 Files Affected:
diff --git a/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp b/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp
new file mode 100644
index 0000000000000..94ca4b9bf2df0
--- /dev/null
+++ b/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp
@@ -0,0 +1,36 @@
+// RUN: %clangxx_asan %s -o %t
+// RUN: %run %t | FileCheck %s
+
+// This test tests that declaring a parameter in a catch-block does not produce a false positive
+// ASan error on Windows.
+
+// This code is based on the repro in https://github.com/google/sanitizers/issues/749
+#include <cstdio>
+#include <exception>
+
+void throwInFunction(){
+ throw std::exception("test2");
+}
+
+int main()
+{
+ // case 1: direct throw
+ try {
+ throw std::exception("test1");
+ } catch (const std::exception& ex){
+ puts(ex.what());
+ // CHECK: test1
+ }
+
+ // case 2: throw in function
+ try {
+ throwInFunction();
+ } catch (const std::exception& ex){
+ puts(ex.what());
+ // CHECK: test2
+ }
+
+ printf("Success!\n");
+ // CHECK: Success!
+ return 0;
+}
\ No newline at end of file
diff --git a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
index 42c3d4a4f4c46..986d3c2861af0 100644
--- a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -1397,6 +1397,16 @@ void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI,
MI->eraseFromParent();
}
+// Check if an alloca is a catch block parameter
+static bool isCatchParameter(const AllocaInst &AI) {
+ for (const Use &U : AI.uses()) {
+ if (isa<CatchPadInst>(U.getUser())) {
+ return true;
+ }
+ }
+ return false;
+}
+
/// Check if we want (and can) handle this alloca.
bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
auto [It, Inserted] = ProcessedAllocas.try_emplace(&AI);
@@ -1417,7 +1427,11 @@ bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
// swifterror allocas are register promoted by ISel
!AI.isSwiftError() &&
// safe allocas are not interesting
- !(SSGI && SSGI->isSafe(AI)));
+ !(SSGI && SSGI->isSafe(AI)) &&
+ // Mitigation for https://github.com/google/sanitizers/issues/749
+ // We don't instrument Windows catch-block parameters to avoid
+ // interfering with exception handling assumptions.
+ !(TargetTriple.isOSWindows() && isCatchParameter(AI)));
It->second = IsInteresting;
return IsInteresting;
|
|
@llvm/pr-subscribers-compiler-rt-sanitizer Author: David Justo (davidmrdavid) ChangesMitigation for: google/sanitizers#749 Disclosure: I'm not an ASan compiler expert yet (I'm trying to learn!), I primarily work in the runtime. Some of this PR was developed with the help of AI tools (primarily as a "fuzzy All text in the PR and in this description is written by me. Context: The msvc ASan team (👋 ) has received an internal request to improve clang's exception handling under ASan for Windows. Namely, we're interested in mitigating this bug: google/sanitizers#749 To summarize, today, clang + ASan produces a false-positive error for this program: #include <cstdio>
#include <exception>
int main()
{
try {
throw std::exception("test");
}catch (const std::exception& ex){
puts(ex.what());
}
return 0;
}The error reads as such: The root of the issue appears to be that ASan's instrumentation is incompatible with Window's assumptions for instantiating The nitty gritty details are lost on me, but I understand that to make this work without loss of ASan coverage, a "serious" refactoring is needed. In the meantime, users risk false positive errors when pairing ASan + catch-block parameters on Windows. To mitigate this I think we should avoid instrumenting catch-block parameters on Windows. It appears to me this is as "simple" as marking catch block parameters as "uninteresting" in I believe this is strictly better than today's status quo, where the runtime generates false positives. Although we're now explicitly choosing to instrument less, the benefit is that now more programs can run with ASan without funky macros that disable ASan on exception blocks. This PR: implements the mitigation above, and creates a simple new test for it. Thanks! Full diff: https://github.com/llvm/llvm-project/pull/159618.diff 2 Files Affected:
diff --git a/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp b/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp
new file mode 100644
index 0000000000000..94ca4b9bf2df0
--- /dev/null
+++ b/compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp
@@ -0,0 +1,36 @@
+// RUN: %clangxx_asan %s -o %t
+// RUN: %run %t | FileCheck %s
+
+// This test tests that declaring a parameter in a catch-block does not produce a false positive
+// ASan error on Windows.
+
+// This code is based on the repro in https://github.com/google/sanitizers/issues/749
+#include <cstdio>
+#include <exception>
+
+void throwInFunction(){
+ throw std::exception("test2");
+}
+
+int main()
+{
+ // case 1: direct throw
+ try {
+ throw std::exception("test1");
+ } catch (const std::exception& ex){
+ puts(ex.what());
+ // CHECK: test1
+ }
+
+ // case 2: throw in function
+ try {
+ throwInFunction();
+ } catch (const std::exception& ex){
+ puts(ex.what());
+ // CHECK: test2
+ }
+
+ printf("Success!\n");
+ // CHECK: Success!
+ return 0;
+}
\ No newline at end of file
diff --git a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
index 42c3d4a4f4c46..986d3c2861af0 100644
--- a/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
+++ b/llvm/lib/Transforms/Instrumentation/AddressSanitizer.cpp
@@ -1397,6 +1397,16 @@ void AddressSanitizer::instrumentMemIntrinsic(MemIntrinsic *MI,
MI->eraseFromParent();
}
+// Check if an alloca is a catch block parameter
+static bool isCatchParameter(const AllocaInst &AI) {
+ for (const Use &U : AI.uses()) {
+ if (isa<CatchPadInst>(U.getUser())) {
+ return true;
+ }
+ }
+ return false;
+}
+
/// Check if we want (and can) handle this alloca.
bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
auto [It, Inserted] = ProcessedAllocas.try_emplace(&AI);
@@ -1417,7 +1427,11 @@ bool AddressSanitizer::isInterestingAlloca(const AllocaInst &AI) {
// swifterror allocas are register promoted by ISel
!AI.isSwiftError() &&
// safe allocas are not interesting
- !(SSGI && SSGI->isSafe(AI)));
+ !(SSGI && SSGI->isSafe(AI)) &&
+ // Mitigation for https://github.com/google/sanitizers/issues/749
+ // We don't instrument Windows catch-block parameters to avoid
+ // interfering with exception handling assumptions.
+ !(TargetTriple.isOSWindows() && isCatchParameter(AI)));
It->second = IsInteresting;
return IsInteresting;
|
|
✅ With the latest revision this PR passed the C/C++ code formatter. |
…exception_handling.cpp`
|
FYI @rnk - since you contributed to the discussion of the bug I'm trying to mitigate. Would appreciate your thoughts on this PR. Thanks! |
| // Mitigation for https://github.com/google/sanitizers/issues/749 | ||
| // We don't instrument Windows catch-block parameters to avoid | ||
| // interfering with exception handling assumptions. | ||
| !(TargetTriple.isOSWindows() && isCatchParameter(AI))); |
There was a problem hiding this comment.
Please do a simple up-front pass over all basic blocks looking for catchpads and build up a set of catchpad parameters, and make this O(1) by testing for set membership.
Allocas may have a very high number of uses, so this seems worth optimizing.
There was a problem hiding this comment.
I notice above that isAllocaPromotable is also O(#uses), and that seems bad, honestly :(
…ss over function basic blocks
|
Following up to this request: #159618 (comment) I could use a bit of assistance, I think I'm doing something wrong. So, I tried producing the I suspect I'm doing something wrong when generating these For debugging, this is the class MyClass {};
#include <exception>
#include <cstdio>
int main() {
try {
throw 1;
} catch (const int ex) {
printf("%d\n", ex);
return -1;
}
return 0;
}(please ignore the dead code of To obtain the To obtain the Below, I'm attaching my This doesn't seem right, does it? Am I doing something obviously wrong? Thanks! |
|
@davidmrdavid Shot in the dark: is opt.exe out of date? At least on Linux, it's common for clang to be rebuilt without building opt (or vice-versa), and then they can become out of sync. For example:
|
|
@thurstond - thanks for the tip, but I've been fully deleting my build directory between builds ( If it helps, this is how I'm building llvm: :: Create and enter build directory (`build.runtimes`)
mkdir %LLVM_ROOT%\build.runtimes
cd %LLVM_ROOT%\build.runtimes
:: Configure the build
cmake -GNinja -DCMAKE_BUILD_TYPE=Debug -DLLVM_ENABLE_PROJECTS=clang -DLLVM_ENABLE_RUNTIMES=compiler-rt ..\llvm\
:: Build LLVM
ninjaSomething weird is that, when running my local clang, I do see my own ad-hoc debug messages in I think I'm going to have to dive deeper, and try to attach a debugger on |
|
edit: please ignore, I noticed it's already in your .ll davidmrdavid@ Ah, try adding this to the top of your .ll file: (or similar; I stole this snippet from opt is designed to be portable so it doesn't know or care that you're running on Windows, unless you tell it to act as if it is Windows. |
|
@davidmrdavid Third-time lucky? :-) |
|
Thanks, yes - that seems to have worked, thanks a lot :-) . I should be able to push a test sometime next week, but I've confirmed locally that adding the missing |
…tps://github.com/davidmrdavid/llvm-project into dev/dajusto/dont-asanize-catch-params-on-windows
|
My latest diff should contain a working unit test, thanks to the suggestions here ^. |
llvm/test/Instrumentation/AddressSanitizer/asan-win-dont-instrument-catchpad.ll
Outdated
Show resolved
Hide resolved
llvm/test/Instrumentation/AddressSanitizer/asan-win-dont-instrument-catchpad.ll
Outdated
Show resolved
Hide resolved
…tps://github.com/davidmrdavid/llvm-project into dev/dajusto/dont-asanize-catch-params-on-windows
compiler-rt/test/asan/TestCases/Windows/basic_exception_handling.cpp
Outdated
Show resolved
Hide resolved
llvm/test/Instrumentation/AddressSanitizer/asan-win-dont-instrument-catchpad.ll
Outdated
Show resolved
Hide resolved
llvm/test/Instrumentation/AddressSanitizer/asan-win-dont-instrument-catchpad.ll
Outdated
Show resolved
Hide resolved
…ument-catchpad.ll Co-authored-by: Antonio Frighetto <[email protected]>
Co-authored-by: Antonio Frighetto <[email protected]>
|
Thanks for the approval @antoniofrighetto. I incorporated your last feedback, could I get a final re-approval? Then I can merge myself, thanks a lot for your help here! |
llvm/test/Instrumentation/AddressSanitizer/asan-win-dont-instrument-catchpad.ll
Outdated
Show resolved
Hide resolved
…ument-catchpad.ll Co-authored-by: Antonio Frighetto <[email protected]>
|
Thanks again for the re-approval :) . As I mentioned in my last comment - I'll take that re-approval as an 'ok' to merge. I incorporated the final suggestion as-is, so I'm assuming I'm good to go. If the right etiquette is to wait for yet another re-approval, please let me know and I'll be cognizant of that next time. My apologies if this was the wrong move, just trying to be cognizant of the reviewer burden after 2 approvals now. Thanks a lot everyone for your time, I'm excited to merge my first codegen contribution, and hope to make many more :-) . Merging now! |
davidmrdavid
deleted the
dev/dajusto/dont-asanize-catch-params-on-windows
branch
|
This testcase fails to compile in mingw environments, with libc++ as a C++ standard library - https://github.com/mstorsjo/llvm-mingw/actions/runs/18608410056/job/53074081871: Looking at https://en.cppreference.com/w/cpp/error/exception/exception.html, I don't see any |
|
Thanks for letting me know, @mstorsjo. I see from your link the following note:
from: https://en.cppreference.com/w/cpp/error/exception/exception.html I must have been implicitly relying on that MSVC behavior, as I was working on an "x64 Visual Studio native tools" shell for my testing. My apologies. Question: does the LLVM CI not use mingw (or clang's libc)? , I'm just trying to understand why this didn't get caught in the PR CI. I could use some guidance understanding that better, to avoid this in the future. Anyways, on Monday morning (traveling at the moment) I can submit a PR to remediate the situation. Either by relying on If anyone wants to remediate this sooner that Monday morning PDT: removing the |
|
Ah, I found enough time to whip up a quick fix PR. Here it goes: #164137 (comment) I still would like to understand why this we didn't catch in the PR's CI. I'd love to help improve that, for stability :). I'll have to investigate deeper later, but if anyone knows the answer, that'd be helpful to me. Thanks! |
…/TestCases/Windows/basic_exception_handling.cpp` (#164137) **Follow up to:** #159618 **Context** The linked PR ^ introduced a new test to ensure that ASan on Windows no longer instruments catch-parameters. This test used a non-standard constructor of `std::exception`,one that accepted strings as their input, which _somehow_ passed the PR CI but would fail to compile on mingw with libc++. This was originally reported by @mstorsjo, in this comment: ``` This testcase fails to compile in mingw environments, with libc++ as a C++ standard library - https://github.com/mstorsjo/llvm-mingw/actions/runs/18608410056/job/53074081871: D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\basic_exception_handling.cpp:11:32: error: no matching conversion for functional-style cast from 'const char[6]' to 'std::exception' 11 | void throwInFunction() { throw std::exception("test2"); } | ^~~~~~~~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:75:25: note: candidate constructor not viable: no known conversion from 'const char[6]' to 'const exception' for 1st argument 75 | _LIBCPP_HIDE_FROM_ABI exception(const exception&) _NOEXCEPT = default; | ^ ~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:74:25: note: candidate constructor not viable: requires 0 arguments, but 1 was provided 74 | _LIBCPP_HIDE_FROM_ABI exception() _NOEXCEPT {} | ^ D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\basic_exception_handling.cpp:16:11: error: no matching conversion for functional-style cast from 'const char[6]' to 'std::exception' 16 | throw std::exception("test1"); | ^~~~~~~~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:75:25: note: candidate constructor not viable: no known conversion from 'const char[6]' to 'const exception' for 1st argument 75 | _LIBCPP_HIDE_FROM_ABI exception(const exception&) _NOEXCEPT = default; | ^ ~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:74:25: note: candidate constructor not viable: requires 0 arguments, but 1 was provided 74 | _LIBCPP_HIDE_FROM_ABI exception() _NOEXCEPT {} | ^ 2 errors generated. Looking at https://en.cppreference.com/w/cpp/error/exception/exception.html, I don't see any std::exception constructor taking a const char* parameter. ``` _from:_ #159618 (comment) **This PR** adjusts the faulty test case to rely on `std::runtime_error`, which contains a standard constructor accepting a string. This should suffice to make the test pass on mingw. I tested this on godbolt: https://godbolt.org/z/M4hPv5Wvx
…t/test/asan/TestCases/Windows/basic_exception_handling.cpp` (#164137) **Follow up to:** #159618 **Context** The linked PR ^ introduced a new test to ensure that ASan on Windows no longer instruments catch-parameters. This test used a non-standard constructor of `std::exception`,one that accepted strings as their input, which _somehow_ passed the PR CI but would fail to compile on mingw with libc++. This was originally reported by @mstorsjo, in this comment: ``` This testcase fails to compile in mingw environments, with libc++ as a C++ standard library - https://github.com/mstorsjo/llvm-mingw/actions/runs/18608410056/job/53074081871: D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\basic_exception_handling.cpp:11:32: error: no matching conversion for functional-style cast from 'const char[6]' to 'std::exception' 11 | void throwInFunction() { throw std::exception("test2"); } | ^~~~~~~~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:75:25: note: candidate constructor not viable: no known conversion from 'const char[6]' to 'const exception' for 1st argument 75 | _LIBCPP_HIDE_FROM_ABI exception(const exception&) _NOEXCEPT = default; | ^ ~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:74:25: note: candidate constructor not viable: requires 0 arguments, but 1 was provided 74 | _LIBCPP_HIDE_FROM_ABI exception() _NOEXCEPT {} | ^ D:\a\llvm-mingw\llvm-mingw\llvm-project\compiler-rt\test\asan\TestCases\Windows\basic_exception_handling.cpp:16:11: error: no matching conversion for functional-style cast from 'const char[6]' to 'std::exception' 16 | throw std::exception("test1"); | ^~~~~~~~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:75:25: note: candidate constructor not viable: no known conversion from 'const char[6]' to 'const exception' for 1st argument 75 | _LIBCPP_HIDE_FROM_ABI exception(const exception&) _NOEXCEPT = default; | ^ ~~~~~~~~~~~~~~~~ C:/llvm-mingw/include/c++/v1/__exception/exception.h:74:25: note: candidate constructor not viable: requires 0 arguments, but 1 was provided 74 | _LIBCPP_HIDE_FROM_ABI exception() _NOEXCEPT {} | ^ 2 errors generated. Looking at https://en.cppreference.com/w/cpp/error/exception/exception.html, I don't see any std::exception constructor taking a const char* parameter. ``` _from:_ llvm/llvm-project#159618 (comment) **This PR** adjusts the faulty test case to rely on `std::runtime_error`, which contains a standard constructor accepting a string. This should suffice to make the test pass on mingw. I tested this on godbolt: https://godbolt.org/z/M4hPv5Wvx
|
Thanks for the prompt fix! Btw, as a small side note - while it's good with backreferences to who reported what, having an
The LLVM premerge CI only tests 2 configurations, a plain linux and plain windows configuration. I'm not even sure if compiler-rt tests are ran in that config at all, or if they are ran in both configurations. (If you did hit CI errors in earlier incarnations of the patch - we'd know that it does get ran in some form at least :-) ) As LLVM supports targeting many dozens of different targets (both architectures, OSes and environments within those OSes), we don't have test coverage for all of them in the premerge CI (which needs to be quick) - most of the other targets are covered in various buildbots. For mingw, I don't have any HW of my own (as an individual volunteer contributor) that I could set up for such a buildbot, but I run nightly test runs on github actions, where I catch some breakage later on at least. But if it is relevant to test things more widely, it's somewhat easy to do through github actions. See mstorsjo@gha-mingw-compiler-rt - there I have a commit which adds an extra test job, which gets executed on push to a branch (it doesn't even need to be part of an opened PR, you can just push it to a branch in your fork - although you may need to enable github actions for your fork). See https://github.com/mstorsjo/llvm-project/actions/runs/18630556946 for a recent test run. That runs tests for both i686, x86_64 and aarch64. Note that this configuration just uses the latest successful nightly llvm-mingw build, it doesn't test building a new compiler, so it might not work perfectly if the compiler-rt test changes require a matchingly updated compiler though. (Building a new compiler from scratch takes 2-3 hours, while this test in this form runs in ~10-15 minutes.) |
Thanks for letting me know, and my apologies for the spam. I'll reply on that Discourse thread to see if we can introduce automate checks to protect against this.
Thanks for the pointers, this is great I'll look to set up something similar for future pushes. Thanks! |
6 participants
Mitigation for: google/sanitizers#749
Disclosure: I'm not an ASan compiler expert yet (I'm trying to learn!), I primarily work in the runtime. Some of this PR was developed with the help of AI tools (primarily as a "fuzzy
grepengine"), but I've manually refined and tested the output, and can speak for every line. In general, I used it only to orient myself and for "rubberducking".Context:
The msvc ASan team (👋 ) has received an internal request to improve clang's exception handling under ASan for Windows. Namely, we're interested in mitigating this bug: google/sanitizers#749
To summarize, today, clang + ASan produces a false-positive error for this program:
The error reads as such:
The root of the issue appears to be that ASan's instrumentation is incompatible with Window's assumptions for instantiating
catch-block's parameters (exin the snippet above).The nitty gritty details are lost on me, but I understand that to make this work without loss of ASan coverage, a "serious" refactoring is needed. In the meantime, users risk false positive errors when pairing ASan + catch-block parameters on Windows.
To mitigate this I think we should avoid instrumenting catch-block parameters on Windows. It appears to me this is as "simple" as marking catch block parameters as "uninteresting" in
AddressSanitizer::isInterestingAlloca. My manual tests seem to confirm this.I believe this is strictly better than today's status quo, where the runtime generates false positives. Although we're now explicitly choosing to instrument less, the benefit is that now more programs can run with ASan without funky macros that disable ASan on exception blocks.
This PR: implements the mitigation above, and creates a simple new test for it.
Thanks!