Re: RFC Asan instrumentation control

[OndÅej BÃlka <neleai at seznam dot cz>]

On Fri, Dec 06, 2013 at 04:16:04PM +0100, Jakub Jelinek wrote:
> On Fri, Dec 06, 2013 at 04:10:31PM +0100, OndÅej BÃlka wrote:
> > Currently this code with sanitize=address gets expanded
> > 
> > int foo(char *x, char *y, int i)
> > {
> >   x[i] = y[i];
> > }
> > 
> > to 
> > 
> > snip
> > 	movq    %rsi, %rax
> >         movq    %rsi, %rdx
> >         shrq    $3, %rax
> >         andl    $7, %edx
> >         movzbl  2147450880(%rax), %eax
> >         cmpb    %dl, %al
> >         jle     .L18
> > .L2:
> > 
> > snip 
> > 
> > .L18:
> >         .cfi_restore_state
> >         testb   %al, %al
> >         je      .L2
> >         movq    %rsi, %rdi
> >         call    __asan_report_load1
> > 
> > There is nothing imposible about disabling these checks. You just fill a
> > page to make this check pass and use mmap to make entire shadow memory point
> > to that page.
> 
> I don't think I understand you.  __asan_report_* is a fatal error, the
> program is terminated there.  What is costly on the asan instrumentation is
> exactly the >>, memory loads, extra comparisons, in non-buggy programs
> you never enter the __asan_report_* calls.
>
This thread started on disabling features to decrease memory
consumption. This makes checks always pass because they read always read
from shared page that is set to do it. It should also be bit faster due
of better cache locality that causes .L18 path never be reached.


Also as you mentioned that __asan_report_load1 do not return if this is
dropped you could implement runtime equivalent of blacklists by
LD_PRELOADing a interceptor like this one

void *blacklisted[] = {foo, bar, baz, NULL};

void
__asan_report_load1 ()
{
  void *bt[2];
  backtrace (&bt, 1);
  for (i = 0; i < blacklisted[i]; i++)
  if (bt[0] != blacklisted[i])
    dlsym(RTLD_NEXT, "__asan_report_load1") ();
  return;
}