Single poison value

Author: thurstond

compiler-rt/lib/asan/asan_descriptions.h

@@ -15,7 +15,6 @@
 #define ASAN_DESCRIPTIONS_H
 
 #include "asan_allocator.h"
-#include "asan_poisoning.h"
 #include "asan_thread.h"
 #include "sanitizer_common/sanitizer_common.h"
 #include "sanitizer_common/sanitizer_report_decorator.h"
@@ -47,9 +46,6 @@ class Decorator : public __sanitizer::SanitizerCommonDecorator {
   const char *Allocation() { return Magenta(); }
 
   const char *ShadowByte(u8 byte) {
-    if (IsPoisonTrackingMagic(byte))
-      return Blue();
-
     switch (byte) {
       case kAsanHeapLeftRedzoneMagic:
       case kAsanArrayCookieMagic:

compiler-rt/lib/asan/asan_errors.cpp

@@ -508,18 +508,6 @@ ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
           break;
       }
 
-      if (flags()->track_poison > 0 && IsPoisonTrackingMagic(shadow_val)) {
-        if (internal_strcmp(bug_descr, "unknown-crash") != 0) {
-          Printf(
-              "ERROR: use-after-poison tracking magic values overlap with "
-              "other constants.\n");
-          Printf("Please file a bug.\n");
-        } else {
-          bug_descr = "use-after-poison";
-          bug_type_score = 20;
-        }
-      }
-
       scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
       if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
     }
@@ -565,12 +553,8 @@ static void PrintLegend(InternalScopedString *str) {
   PrintShadowByte(str, "  Global redzone:          ", kAsanGlobalRedzoneMagic);
   PrintShadowByte(str, "  Global init order:       ",
                   kAsanInitializationOrderMagic);
-  // TODO: sync description with PoisonTrackingMagicValues
-  PrintShadowByte(
-      str, "  Poisoned by user:        ", kAsanUserPoisonedMemoryMagic,
-      flags()->track_poison > 0 ? " with detailed tracking using {0x80-0x8F, "
-                                  "0x90-0x9F, 0xD0-0xDF, 0xE0-0xEF}\n"
-                                : "\n");
+  PrintShadowByte(str, "  Poisoned by user:        ",
+                  kAsanUserPoisonedMemoryMagic);
   PrintShadowByte(str, "  Container overflow:      ",
                   kAsanContiguousContainerOOBMagic);
   PrintShadowByte(str, "  Array cookie:            ",
@@ -624,13 +608,11 @@ static void CheckPoisonRecords(uptr addr) {
     return;
   uptr shadow_addr = MemToShadow(addr);
   unsigned char poison_magic = *(reinterpret_cast<u8 *>(shadow_addr));
-  int poison_index = PoisonTrackingMagicToIndex[poison_magic];
 
-  if (poison_index < 0 || poison_index >= NumPoisonTrackingMagicValues)
+  if (poison_magic != kAsanUserPoisonedMemoryMagic)
     return;
 
-  PoisonRecordRingBuffer *PoisonRecord =
-      reinterpret_cast<PoisonRecordRingBuffer *>(PoisonRecords[poison_index]);
+  PoisonRecordRingBuffer *PoisonRecord = GetPoisonRecord();
   if (PoisonRecord) {
     bool FoundMatch = false;
 

compiler-rt/lib/asan/asan_poisoning.cpp

@@ -26,40 +26,17 @@ namespace __asan {
 
 static atomic_uint8_t can_poison_memory;
 
-PoisonRecordRingBuffer *PoisonRecords[NumPoisonTrackingMagicValues] = {0};
-int PoisonTrackingMagicToIndex[256] = {-1};
+static PoisonRecordRingBuffer *PoisonRecords = nullptr;
 
 void InitializePoisonTracking() {
   if (flags()->track_poison <= 0)
     return;
 
-  for (unsigned int i = 0; i < sizeof(PoisonTrackingMagicToIndex) / sizeof(int);
-       i++) {
-    PoisonTrackingMagicToIndex[i] = -1;
-  }
-
-  for (unsigned int i = 0; i < NumPoisonTrackingMagicValues; i++) {
-    int magic = PoisonTrackingIndexToMagic[i];
-    CHECK(magic > 0);
-    CHECK((unsigned int)magic <
-          sizeof(PoisonTrackingMagicToIndex) / sizeof(int));
-
-    // Necessary for AddressIsPoisoned calculations
-    CHECK((char)magic < 0);
-
-    PoisonTrackingMagicToIndex[magic] = i;
-
-    PoisonRecords[i] = PoisonRecordRingBuffer::New(flags()->track_poison);
-  }
+  PoisonRecords = PoisonRecordRingBuffer::New(flags()->track_poison);
 }
 
-bool IsPoisonTrackingMagic(int byte) {
-  return (byte >= 0 &&
-          (unsigned long)byte <
-              (sizeof(PoisonTrackingMagicToIndex) / sizeof(int)) &&
-          PoisonTrackingMagicToIndex[byte] >= 0 &&
-          PoisonTrackingMagicToIndex[byte] < NumPoisonTrackingMagicValues &&
-          PoisonTrackingIndexToMagic[PoisonTrackingMagicToIndex[byte]] == byte);
+PoisonRecordRingBuffer* GetPoisonRecord() {
+  return PoisonRecords;
 }
 
 void SetCanPoisonMemory(bool value) {
@@ -149,23 +126,18 @@ void __asan_poison_memory_region(void const volatile *addr, uptr size) {
 
   if (flags()->track_poison > 0) {
     GET_STACK_TRACE(/*max_size=*/ 16, /*fast=*/ false);
+    u32 current_tid = GetCurrentTidOrInvalid();
+
     // TODO: garbage collect stacks once they fall off the ring buffer?
     // StackDepot doesn't currently have a way to delete stacks.
     u32 stack_id = StackDepotPut(stack);
 
-    u32 current_tid = GetCurrentTidOrInvalid();
-    u32 poison_index = ((stack_id * 151157) ^ (current_tid * 733123)) %
-                       NumPoisonTrackingMagicValues;
-    poison_magic = PoisonTrackingIndexToMagic[poison_index];
     PoisonRecord record{.stack_id = stack_id,
                         .thread_id = current_tid,
                         .begin = beg_addr,
                         .end = end_addr};
-    // This is a data race: with concurrent writes, some records may be lost,
-    // but it's a sacrifice I am willing to make for speed.
-    // The sharding across PoisonRecords reduces the likelihood of
-    // concurrent writes.
-    PoisonRecords[poison_index]->push(record);
+    // TODO: mutex
+    GetPoisonRecord()->push(record);
   }
 
   ShadowSegmentEndpoint beg(beg_addr);

compiler-rt/lib/asan/asan_poisoning.h

@@ -25,36 +25,19 @@
 
 namespace __asan {
 
-// These need to be negative chars (i.e., in the range [0x80 .. 0xff]) for
-// AddressIsPoisoned calculations.
-static const int PoisonTrackingIndexToMagic[] = {
-    0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a,
-    0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95,
-    0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f, 0xd0,
-    0xd1, 0xd2, 0xd3, 0xd4, 0xd5, 0xd6, 0xd7, 0xd8, 0xd9, 0xda, 0xdb,
-    0xdc, 0xdd, 0xde, 0xdf, 0xe0, 0xe1, 0xe2, 0xe3, 0xe4, 0xe5, 0xe6,
-    0xe7, 0xe8, 0xe9, 0xea, 0xeb, 0xec, 0xed, 0xee, 0xef,
-};
-static const int NumPoisonTrackingMagicValues =
-    sizeof(PoisonTrackingIndexToMagic) / sizeof(int);
-
-extern int PoisonTrackingMagicToIndex[256];
-
 struct PoisonRecord {
   unsigned int stack_id;
   unsigned int thread_id;
   uptr begin;
   uptr end;
 };
 
-typedef RingBuffer<struct PoisonRecord> PoisonRecordRingBuffer;
-extern PoisonRecordRingBuffer* PoisonRecords[NumPoisonTrackingMagicValues];
+using PoisonRecordRingBuffer = RingBuffer<struct PoisonRecord>;
 
 // Set up data structures for track_poison.
 void InitializePoisonTracking();
 
-// Is this number a magic value used for poison tracking?
-bool IsPoisonTrackingMagic(int byte);
+PoisonRecordRingBuffer* GetPoisonRecord();
 
 // Enable/disable memory poisoning.
 void SetCanPoisonMemory(bool value);