asan global instrumentation broken for interposed global variables

[Quuxplusone]

Bugzilla Link	PR37545
Status	NEW
Importance	P normal
Reported by	Richard Smith (richard-llvm@metafoo.co.uk)
Reported on	2018-05-21 13:05:51 -0700
Last modified on	2018-06-11 17:56:03 -0700
Version	unspecified
Hardware	PC Linux
CC	kcc@google.com, llvm-bugs@lists.llvm.org, rnk@google.com, vitalybuka@google.com
Fixed by commit(s)
Attachments
Blocks
Blocked by
See also

Situation:

main binary contains a weak definition of global symbol foo
foo.so contains a strong definition of global symbol foo

ASan instruments the strong definition but not the weak one:

https://github.com/llvm-mirror/llvm/blob/master/lib/Transforms/Instrumentation/AddressSanitizer.cpp#L1661

Now, after dynamic linking, the program has only one definition of foo (the one
from the main binary) but still has the global registration code from foo.so,
which tries to register that global symbol.

In my test case, the registration fails because the weak definition is
underaligned for a sanitized global, and ASan reports a bogus ODR violation
error. If the alignment happens to match, ASan would presumably instead mark a
bogus region of the address space as being global redzone.

As of r332028, Clang creates the above situation for entirely valid code:

// main.cc
#include <typeinfo>
struct A;
auto &x = typeid(A*);
void use_foo();
int main() { use_foo(); }

// foo.cc
struct A {
  virtual void f();
};
void A::f() {}
void use_foo() {}

$ clang++ foo.cc -shared -o /tmp/foo.so -fsanitize=address
$ clang++ /tmp/foo.so main.cc -o /tmp/main -fsanitize=address
$ /tmp/main
==211158==The following global variable is not properly aligned.
==211158==This may happen if another global with the same name
==211158==resides in another non-instrumented module.
==211158==Or the global comes from a C file built w/o -fno-common.
==211158==In either case this is likely an ODR violation bug,
==211158==but AddressSanitizer can not provide more details.
=================================================================
==211158==ERROR: AddressSanitizer: odr-violation (0x00000050a1d6):
  [1] size=3 'typeinfo name for A' -
  [2] size=3 'typeinfo name for A' -
These globals were registered at these points:
  [1]:
    #0 0x42dcfe in __asan_register_globals[...]/compiler-rt/lib/asan/asan_globals.cc:358:3
    #1 0x7f32dfe18a70 in asan.module_ctor (/tmp/foo.so+0xa70)

  [2]:
    #0 0x42dcfe in __asan_register_globals [...]/compiler-rt/lib/asan/asan_globals.cc:358:3
    #1 0x7f32dfe18a70 in asan.module_ctor (/tmp/foo.so+0xa70)

==211158==HINT: if you don't care about these errors you may set
ASAN_OPTIONS=detect_odr_violation=0
SUMMARY: AddressSanitizer: odr-violation: global 'typeinfo name for A' at -
==211158==ABORTING

[Quuxplusone]

I've reverted r332028 for now, in r332879. Note that this undoes a change that fixes a conformance bug.

[Quuxplusone]

Not sure what to do here.
We can't instrument weak definitions...

We can just avoid instrumenting typeinfo globals as a workaround...

[Quuxplusone]

If the global registration data referred to the copy of the symbol from that DSO rather than the one selected by the dynamic linker, I think that would resolve this problem. (I don't know for sure, but I think it may be possible to get that effect by changing the global to an internal symbol with a new name, and adding an external-linkage alias to it with the original name, then using the non-alias name only for the ASan registration data.)

[Quuxplusone]

The alias trick would work, I guess. Instrumented IR transform would look like:

@foo = global i32 42
->
@foo = global alias i32* (getelementptr {i32, [60 x i8]}* @__asan_rz_foo, i32
0, 0)
@__asan_rz_foo = internal global {i32, [60 x i8]} { i32 42, [60 x i8]
zeroinitializer }
@__asan_global_foo = ; ... same, using @__asan_rz_foo

Or, we could try to leverage dso_local information to avoid instrumenting
interposable globals. If the user sets -fPIE or doesn't explicitly set -fPIC,
we can assume that we'll be linked into an executable, and if so, everything
with a definition is dso_local, and everything should be instrumented.