[vm] Fix running under HWASAN

HWASAN tags stack regions (and stack pointers) with 0,
but also selectively tags some stack allocations with
non-zero tags. These tags need to be cleared when
allocation goes out of scope so that stack can be
later safely reused - otherwise stale tags confuse
HWASAN instrumentation later.

This CL teaches Exceptions::JumpToFrame to do that.

CL also adds basic build changes to support building
with HWASAN, though I don't wire it into CI for now
as it can only really run on Android ARM64

TEST=manually on Android phone and on internal tests

Bug: b/374433249
Change-Id: I678443dc1de693c999a226bee0d71a6f3582d4f9
Reviewed-on: https://dart-review.googlesource.com/c/sdk/+/421180
Commit-Queue: Ryan Macnak <[email protected]>
Reviewed-by: Ryan Macnak <[email protected]>
Auto-Submit: Slava Egorov <[email protected]>

Author: mraleph

build/config/BUILDCONFIG.gn

@@ -122,6 +122,10 @@ declare_args() {
   # Compile for Address Sanitizer to find memory bugs.
   is_asan = false
 
+  # Compile with HWAddress Sanitizer to find memory bugs.
+  # Requires ARM64 hardware
+  is_hwasan = false
+
   # Compile for Leak Sanitizer to find leaks.
   is_lsan = false
 

build/config/compiler/BUILD.gn

@@ -39,7 +39,8 @@ config("default_include_dirs") {
 }
 
 if (!is_win) {
-  using_sanitizer = is_asan || is_lsan || is_msan || is_tsan || is_ubsan
+  using_sanitizer =
+      is_asan || is_hwasan || is_lsan || is_msan || is_tsan || is_ubsan
 }
 
 # compiler ---------------------------------------------------------------------
@@ -117,6 +118,10 @@ config("compiler") {
       cflags += [ "-fsanitize=address" ]
       ldflags += [ "-fsanitize=address" ]
     }
+    if (is_hwasan && is_android && current_cpu == "arm64") {
+      cflags += [ "-fsanitize=hwaddress" ]
+      ldflags += [ "-fsanitize=hwaddress" ]
+    }
     if (is_lsan) {
       cflags += [ "-fsanitize=leak" ]
       ldflags += [ "-fsanitize=leak" ]

build/config/sanitizers/BUILD.gn

@@ -9,7 +9,7 @@ import("//build/config/sanitizers/sanitizers.gni")
 # |is_asan|, |is_lsan|, |is_tsan|, |is_msan| and |use_custom_libcxx| are false.
 group("deps") {
   deps = [ "//third_party/instrumented_libraries:deps" ]
-  if (is_asan || is_lsan || is_msan || is_tsan || is_ubsan) {
+  if (is_asan || is_hwasan || is_lsan || is_msan || is_tsan || is_ubsan) {
     public_configs = [ ":sanitizer_options_link_helper" ]
     deps += [ ":options_sources" ]
   }
@@ -23,6 +23,9 @@ config("sanitizer_options_link_helper") {
   if (is_asan) {
     ldflags += [ "-fsanitize=address" ]
   }
+  if (is_hwasan && is_android && current_cpu == "arm64") {
+    ldflags += [ "-fsanitize=hwaddress" ]
+  }
   if (is_lsan) {
     ldflags += [ "-fsanitize=leak" ]
   }

pkg/smith/lib/configuration.dart

@@ -962,6 +962,7 @@ class Mode extends NamedEnum {
 class Sanitizer extends NamedEnum {
   static const none = Sanitizer._('none');
   static const asan = Sanitizer._('asan');
+  static const hwasan = Sanitizer._('hwasan');
   static const lsan = Sanitizer._('lsan');
   static const msan = Sanitizer._('msan');
   static const tsan = Sanitizer._('tsan');
@@ -970,7 +971,7 @@ class Sanitizer extends NamedEnum {
   static final List<String> names = _all.keys.toList();
 
   static final _all = Map<String, Sanitizer>.fromIterable(
-      [none, asan, lsan, msan, tsan, ubsan],
+      [none, asan, hwasan, lsan, msan, tsan, ubsan],
       key: (mode) => (mode as Sanitizer).name);
 
   static Sanitizer find(String name) {

runtime/bin/BUILD.gn

@@ -36,7 +36,8 @@ config("libdart_builtin_config") {
 config("export_api_symbols") {
   if (is_win) {
     ldflags = [ "/EXPORT:Dart_True" ]
-  } else if (is_asan || is_lsan || is_msan || is_tsan || is_ubsan) {
+  } else if (is_asan || is_hwasan || is_lsan || is_msan || is_tsan ||
+             is_ubsan) {
     # Export everything so the sanitizers can intercept whatever they want.
     ldflags = [ "-rdynamic" ]
   } else if (is_mac || is_ios) {

runtime/platform/memory_sanitizer.h

@@ -13,6 +13,18 @@
 #if __has_feature(memory_sanitizer)
 #define USING_MEMORY_SANITIZER
 #endif
+#if __has_feature(hwaddress_sanitizer)
+#define USING_HWADDRESS_SANITIZER
+#endif
+#endif
+
+#if defined(USING_HWADDRESS_SANITIZER)
+extern "C" void __hwasan_handle_longjmp(const void* sp_dst);
+#define HWASAN_HANDLE_LONGJMP(sp_dst) __hwasan_handle_longjmp(sp_dst)
+#else
+#define HWASAN_HANDLE_LONGJMP(sp_dst)                                          \
+  do {                                                                         \
+  } while (false && (sp_dst) == nullptr)
 #endif
 
 #if defined(USING_MEMORY_SANITIZER)

runtime/vm/exceptions.cc

@@ -632,6 +632,14 @@ NO_SANITIZE_SAFE_STACK  // This function manipulates the safestack pointer.
                                     frame_pointer, thread);
 #else
 
+  // Zero out HWASAN tags from the current stack pointer to the destination.
+  //
+  // Stack region is by default tagged with 0 (including SP and all pointers
+  // derived from it via arithmetic), however HWASAN also selectively tags
+  // some stack allocations - which means these tags need to be zeroed out
+  // when the stack is unwound so that it could be safely reused later.
+  HWASAN_HANDLE_LONGJMP(reinterpret_cast<void*>(stack_pointer));
+
   // Unpoison the stack before we tear it down in the generated stub code.
   uword current_sp = OSThread::GetCurrentStackPointer() - 1024;
   ASAN_UNPOISON(reinterpret_cast<void*>(current_sp),

tools/gn.py

@@ -266,6 +266,7 @@ def ToGnArgs(args, mode, arch, target_os, sanitizer, verify_sdk_hash,
     gn_args['is_msan'] = sanitizer == 'msan'
     gn_args['is_tsan'] = sanitizer == 'tsan'
     gn_args['is_ubsan'] = sanitizer == 'ubsan'
+    gn_args['is_hwasan'] = sanitizer == 'hwasan'
     gn_args['is_qemu'] = args.use_qemu
 
     if not args.platform_sdk:
@@ -569,7 +570,7 @@ def AddCommonConfigurationArgs(parser):
     parser.add_argument('--sanitizer',
                         type=str,
                         help='Build variants (comma-separated).',
-                        metavar='[all,none,asan,lsan,msan,tsan,ubsan]',
+                        metavar='[all,none,asan,hwasan,lsan,msan,tsan,ubsan]',
                         default='none')
 
 

tools/utils.py

@@ -50,6 +50,7 @@
     None: '',
     'none': '',
     'asan': 'ASAN',
+    'hwasan': 'HWASAN',
     'lsan': 'LSAN',
     'msan': 'MSAN',
     'tsan': 'TSAN',