545 lines · c
1//===-- sanitizer/common_interface_defs.h -----------------------*- C++ -*-===//2//3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.4// See https://llvm.org/LICENSE.txt for license information.5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception6//7//===----------------------------------------------------------------------===//8//9// Common part of the public sanitizer interface.10//===----------------------------------------------------------------------===//11 12#ifndef SANITIZER_COMMON_INTERFACE_DEFS_H13#define SANITIZER_COMMON_INTERFACE_DEFS_H14 15#include <stddef.h>16#include <stdint.h>17 18// Windows allows a user to set their default calling convention, but we always19// use __cdecl20#ifdef _WIN3221#define SANITIZER_CDECL __cdecl22#else23#define SANITIZER_CDECL24#endif25 26#ifdef __cplusplus27extern "C" {28#endif29// Arguments for __sanitizer_sandbox_on_notify() below.30typedef struct {31 // Enable sandbox support in sanitizer coverage.32 int coverage_sandboxed;33 // File descriptor to write coverage data to. If -1 is passed, a file will34 // be pre-opened by __sanitizer_sandbox_on_notify(). This field has no35 // effect if coverage_sandboxed == 0.36 intptr_t coverage_fd;37 // If non-zero, split the coverage data into well-formed blocks. This is38 // useful when coverage_fd is a socket descriptor. Each block will contain39 // a header, allowing data from multiple processes to be sent over the same40 // socket.41 unsigned int coverage_max_block_size;42} __sanitizer_sandbox_arguments;43 44// Tell the tools to write their reports to "path.<pid>" instead of stderr.45void SANITIZER_CDECL __sanitizer_set_report_path(const char *path);46// Tell the tools to write their reports to the provided file descriptor47// (casted to void *).48void SANITIZER_CDECL __sanitizer_set_report_fd(void *fd);49// Get the current full report file path, if a path was specified by50// an earlier call to __sanitizer_set_report_path. Returns null otherwise.51const char *SANITIZER_CDECL __sanitizer_get_report_path();52 53// Notify the tools that the sandbox is going to be turned on. The reserved54// parameter will be used in the future to hold a structure with functions55// that the tools may call to bypass the sandbox.56void SANITIZER_CDECL57__sanitizer_sandbox_on_notify(__sanitizer_sandbox_arguments *args);58 59// This function is called by the tool when it has just finished reporting60// an error. 'error_summary' is a one-line string that summarizes61// the error message. This function can be overridden by the client.62void SANITIZER_CDECL63__sanitizer_report_error_summary(const char *error_summary);64 65// Some of the sanitizers (for example ASan/TSan) could miss bugs that happen66// in unaligned loads/stores. To find such bugs reliably, you need to replace67// plain unaligned loads/stores with these calls.68 69/// Loads a 16-bit unaligned value.70//71/// \param p Pointer to unaligned memory.72///73/// \returns Loaded value.74uint16_t SANITIZER_CDECL __sanitizer_unaligned_load16(const void *p);75 76/// Loads a 32-bit unaligned value.77///78/// \param p Pointer to unaligned memory.79///80/// \returns Loaded value.81uint32_t SANITIZER_CDECL __sanitizer_unaligned_load32(const void *p);82 83/// Loads a 64-bit unaligned value.84///85/// \param p Pointer to unaligned memory.86///87/// \returns Loaded value.88uint64_t SANITIZER_CDECL __sanitizer_unaligned_load64(const void *p);89 90/// Stores a 16-bit unaligned value.91///92/// \param p Pointer to unaligned memory.93/// \param x 16-bit value to store.94void SANITIZER_CDECL __sanitizer_unaligned_store16(void *p, uint16_t x);95 96/// Stores a 32-bit unaligned value.97///98/// \param p Pointer to unaligned memory.99/// \param x 32-bit value to store.100void SANITIZER_CDECL __sanitizer_unaligned_store32(void *p, uint32_t x);101 102/// Stores a 64-bit unaligned value.103///104/// \param p Pointer to unaligned memory.105/// \param x 64-bit value to store.106void SANITIZER_CDECL __sanitizer_unaligned_store64(void *p, uint64_t x);107 108// Returns 1 on the first call, then returns 0 thereafter. Called by the tool109// to ensure only one report is printed when multiple errors occur110// simultaneously.111int SANITIZER_CDECL __sanitizer_acquire_crash_state();112 113/// Annotates the current state of a contiguous container, such as114/// <c>std::vector</c>, <c>std::string</c>, or similar.115///116/// A contiguous container is a container that keeps all of its elements117/// in a contiguous region of memory. The container owns the region of memory118/// <c>[beg, end)</c>; the memory <c>[beg, mid)</c> is used to store the119/// current elements, and the memory <c>[mid, end)</c> is reserved for future120/// elements (<c>beg <= mid <= end</c>). For example, in121/// <c>std::vector<> v</c>:122///123/// \code124/// beg = &v[0];125/// end = beg + v.capacity() * sizeof(v[0]);126/// mid = beg + v.size() * sizeof(v[0]);127/// \endcode128///129/// This annotation tells the Sanitizer tool about the current state of the130/// container so that the tool can report errors when memory from131/// <c>[mid, end)</c> is accessed. Insert this annotation into methods like132/// <c>push_back()</c> or <c>pop_back()</c>. Supply the old and new values of133/// <c>mid</c>(<c><i>old_mid</i></c> and <c><i>new_mid</i></c>). In the initial134/// state <c>mid == end</c>, so that should be the final state when the135/// container is destroyed or when the container reallocates the storage.136///137/// For ASan, <c><i>beg</i></c> no longer needs to be 8-aligned,138/// first and last granule may be shared with other objects139/// and therefore the function can be used for any allocator.140///141/// The following example shows how to use the function:142///143/// \code144/// int32_t x[3]; // 12 bytes145/// char *beg = (char*)&x[0];146/// char *end = beg + 12;147/// __sanitizer_annotate_contiguous_container(beg, end, beg, end);148/// \endcode149///150/// \note Use this function with caution and do not use for anything other151/// than vector-like classes.152/// \note Unaligned <c><i>beg</i></c> or <c><i>end</i></c> may miss bugs in153/// these granules.154///155/// \param beg Beginning of memory region.156/// \param end End of memory region.157/// \param old_mid Old middle of memory region.158/// \param new_mid New middle of memory region.159#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__160__attribute__((__internal_linkage__)) inline void SANITIZER_CDECL161__sanitizer_annotate_contiguous_container(const void *beg, const void *end,162 const void *old_mid,163 const void *new_mid) {}164#else165void SANITIZER_CDECL __sanitizer_annotate_contiguous_container(166 const void *beg, const void *end, const void *old_mid, const void *new_mid);167#endif168 169/// Similar to <c>__sanitizer_annotate_contiguous_container</c>.170///171/// Annotates the current state of a contiguous container memory,172/// such as <c>std::deque</c>'s single chunk, when the boundries are moved.173///174/// A contiguous chunk is a chunk that keeps all of its elements175/// in a contiguous region of memory. The container owns the region of memory176/// <c>[storage_beg, storage_end)</c>; the memory <c>[container_beg,177/// container_end)</c> is used to store the current elements, and the memory178/// <c>[storage_beg, container_beg), [container_end, storage_end)</c> is179/// reserved for future elements (<c>storage_beg <= container_beg <=180/// container_end <= storage_end</c>). For example, in <c> std::deque </c>:181/// - chunk with a frist deques element will have container_beg equal to address182/// of the first element.183/// - in every next chunk with elements, true is <c> container_beg ==184/// storage_beg </c>.185///186/// Argument requirements:187/// During unpoisoning memory of empty container (before first element is188/// added):189/// - old_container_beg_p == old_container_end_p190/// During poisoning after last element was removed:191/// - new_container_beg_p == new_container_end_p192/// \param storage_beg Beginning of memory region.193/// \param storage_end End of memory region.194/// \param old_container_beg Old beginning of used region.195/// \param old_container_end End of used region.196/// \param new_container_beg New beginning of used region.197/// \param new_container_end New end of used region.198#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__199__attribute__((__internal_linkage__)) inline void200 SANITIZER_CDECL __sanitizer_annotate_double_ended_contiguous_container(201 const void *storage_beg, const void *storage_end,202 const void *old_container_beg, const void *old_container_end,203 const void *new_container_beg, const void *new_container_end) {}204#else205void SANITIZER_CDECL __sanitizer_annotate_double_ended_contiguous_container(206 const void *storage_beg, const void *storage_end,207 const void *old_container_beg, const void *old_container_end,208 const void *new_container_beg, const void *new_container_end);209#endif210 211/// Copies memory annotations from a source storage region to a destination212/// storage region. After the operation, the destination region has the same213/// memory annotations as the source region, as long as sanitizer limitations214/// allow it (more bytes may be unpoisoned than in the source region, resulting215/// in more false negatives, but never false positives). If the source and216/// destination regions overlap, only the minimal required changes are made to217/// preserve the correct annotations. Old storage bytes that are not in the new218/// storage should have the same annotations, as long as sanitizer limitations219/// allow it.220///221/// This function is primarily designed to be used when moving trivially222/// relocatable objects that may have poisoned memory, making direct copying223/// problematic under sanitizer. However, this function does not move memory224/// content itself, only annotations.225///226/// A contiguous container is a container that keeps all of its elements in a227/// contiguous region of memory. The container owns the region of memory228/// <c>[src_begin, src_end)</c> and <c>[dst_begin, dst_end)</c>. The memory229/// within these regions may be alternately poisoned and non-poisoned, with230/// possibly smaller poisoned and unpoisoned regions.231///232/// If this function fully poisons a granule, it is marked as "container233/// overflow".234///235/// Argument requirements: The destination container must have the same size as236/// the source container, which is inferred from the beginning and end of the237/// source region. Addresses may be granule-unaligned, but this may affect238/// performance.239///240/// \param src_begin Begin of the source container region.241/// \param src_end End of the source container region.242/// \param dst_begin Begin of the destination container region.243/// \param dst_end End of the destination container region.244#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__245__attribute__((__internal_linkage__)) inline void SANITIZER_CDECL246__sanitizer_copy_contiguous_container_annotations(const void *src_begin,247 const void *src_end,248 const void *dst_begin,249 const void *dst_end) {}250#else251void SANITIZER_CDECL __sanitizer_copy_contiguous_container_annotations(252 const void *src_begin, const void *src_end, const void *dst_begin,253 const void *dst_end);254#endif255 256/// Returns true if the contiguous container <c>[beg, end)</c> is properly257/// poisoned.258///259/// Proper poisoning could occur, for example, with260/// <c>__sanitizer_annotate_contiguous_container</c>), that is, if261/// <c>[beg, mid)</c> is addressable and <c>[mid, end)</c> is unaddressable.262/// Full verification requires O (<c>end - beg</c>) time; this function tries263/// to avoid such complexity by touching only parts of the container around264/// <c><i>beg</i></c>, <c><i>mid</i></c>, and <c><i>end</i></c>.265///266/// \param beg Beginning of memory region.267/// \param mid Middle of memory region.268/// \param end Old end of memory region.269///270/// \returns True if the contiguous container <c>[beg, end)</c> is properly271/// poisoned.272#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__273__attribute__((__internal_linkage__)) inline int274 SANITIZER_CDECL __sanitizer_verify_contiguous_container(const void *beg,275 const void *mid,276 const void *end) {}277#else278int SANITIZER_CDECL __sanitizer_verify_contiguous_container(const void *beg,279 const void *mid,280 const void *end);281#endif282 283/// Returns true if the double ended contiguous284/// container <c>[storage_beg, storage_end)</c> is properly poisoned.285///286/// Proper poisoning could occur, for example, with287/// <c>__sanitizer_annotate_double_ended_contiguous_container</c>), that is, if288/// <c>[storage_beg, container_beg)</c> is not addressable, <c>[container_beg,289/// container_end)</c> is addressable and <c>[container_end, end)</c> is290/// unaddressable. Full verification requires O (<c>storage_end -291/// storage_beg</c>) time; this function tries to avoid such complexity by292/// touching only parts of the container around <c><i>storage_beg</i></c>,293/// <c><i>container_beg</i></c>, <c><i>container_end</i></c>, and294/// <c><i>storage_end</i></c>.295///296/// \param storage_beg Beginning of memory region.297/// \param container_beg Beginning of used region.298/// \param container_end End of used region.299/// \param storage_end End of memory region.300///301/// \returns True if the double-ended contiguous container <c>[storage_beg,302/// container_beg, container_end, end)</c> is properly poisoned - only303/// [container_beg; container_end) is addressable.304#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__305__attribute__((__internal_linkage__)) inline int SANITIZER_CDECL306__sanitizer_verify_double_ended_contiguous_container(const void *storage_beg,307 const void *container_beg,308 const void *container_end,309 const void *storage_end) {}310#else311int SANITIZER_CDECL __sanitizer_verify_double_ended_contiguous_container(312 const void *storage_beg, const void *container_beg,313 const void *container_end, const void *storage_end);314#endif315 316/// Similar to <c>__sanitizer_verify_contiguous_container()</c> but also317/// returns the address of the first improperly poisoned byte.318///319/// Returns NULL if the area is poisoned properly.320///321/// \param beg Beginning of memory region.322/// \param mid Middle of memory region.323/// \param end Old end of memory region.324///325/// \returns The bad address or NULL.326#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__327__attribute__((__internal_linkage__)) inline const void *SANITIZER_CDECL328__sanitizer_contiguous_container_find_bad_address(const void *beg,329 const void *mid,330 const void *end) {}331#else332const void *SANITIZER_CDECL __sanitizer_contiguous_container_find_bad_address(333 const void *beg, const void *mid, const void *end);334#endif335 336/// returns the address of the first improperly poisoned byte.337///338/// Returns NULL if the area is poisoned properly.339///340/// \param storage_beg Beginning of memory region.341/// \param container_beg Beginning of used region.342/// \param container_end End of used region.343/// \param storage_end End of memory region.344///345/// \returns The bad address or NULL.346#ifdef __SANITIZER_DISABLE_CONTAINER_OVERFLOW__347__attribute__((__internal_linkage__)) inline const void *SANITIZER_CDECL348__sanitizer_double_ended_contiguous_container_find_bad_address(349 const void *storage_beg, const void *container_beg,350 const void *container_end, const void *storage_end) {}351#else352const void *SANITIZER_CDECL353__sanitizer_double_ended_contiguous_container_find_bad_address(354 const void *storage_beg, const void *container_beg,355 const void *container_end, const void *storage_end);356#endif357 358/// Prints the stack trace leading to this call (useful for calling from the359/// debugger).360void SANITIZER_CDECL __sanitizer_print_stack_trace(void);361 362// Symbolizes the supplied 'pc' using the format string 'fmt'.363// Outputs at most 'out_buf_size' bytes into 'out_buf'.364// If 'out_buf' is not empty then output is zero or more non empty C strings365// followed by single empty C string. Multiple strings can be returned if PC366// corresponds to inlined function. Inlined frames are printed in the order367// from "most-inlined" to the "least-inlined", so the last frame should be the368// not inlined function.369// Inlined frames can be removed with 'symbolize_inline_frames=0'.370// The format syntax is described in371// lib/sanitizer_common/sanitizer_stacktrace_printer.h.372void SANITIZER_CDECL __sanitizer_symbolize_pc(void *pc, const char *fmt,373 char *out_buf,374 size_t out_buf_size);375// Same as __sanitizer_symbolize_pc, but for data section (i.e. globals).376void SANITIZER_CDECL __sanitizer_symbolize_global(void *data_ptr,377 const char *fmt,378 char *out_buf,379 size_t out_buf_size);380// Determine the return address.381#if !defined(_MSC_VER) || defined(__clang__)382#define __sanitizer_return_address() \383 __builtin_extract_return_addr(__builtin_return_address(0))384#else385void *_ReturnAddress(void);386#pragma intrinsic(_ReturnAddress)387#define __sanitizer_return_address() _ReturnAddress()388#endif389 390/// Sets the callback to be called immediately before death on error.391///392/// Passing 0 will unset the callback.393///394/// \param callback User-provided callback.395void SANITIZER_CDECL __sanitizer_set_death_callback(void (*callback)(void));396 397// Interceptor hooks.398// Whenever a libc function interceptor is called, it checks if the399// corresponding weak hook is defined, and calls it if it is indeed defined.400// The primary use-case is data-flow-guided fuzzing, where the fuzzer needs401// to know what is being passed to libc functions (for example memcmp).402// FIXME: implement more hooks.403 404/// Interceptor hook for <c>memcmp()</c>.405///406/// \param called_pc PC (program counter) address of the original call.407/// \param s1 Pointer to block of memory.408/// \param s2 Pointer to block of memory.409/// \param n Number of bytes to compare.410/// \param result Value returned by the intercepted function.411void SANITIZER_CDECL __sanitizer_weak_hook_memcmp(void *called_pc,412 const void *s1,413 const void *s2, size_t n,414 int result);415 416/// Interceptor hook for <c>strncmp()</c>.417///418/// \param called_pc PC (program counter) address of the original call.419/// \param s1 Pointer to block of memory.420/// \param s2 Pointer to block of memory.421/// \param n Number of bytes to compare.422/// \param result Value returned by the intercepted function.423void SANITIZER_CDECL __sanitizer_weak_hook_strncmp(void *called_pc,424 const char *s1,425 const char *s2, size_t n,426 int result);427 428/// Interceptor hook for <c>strncasecmp()</c>.429///430/// \param called_pc PC (program counter) address of the original call.431/// \param s1 Pointer to block of memory.432/// \param s2 Pointer to block of memory.433/// \param n Number of bytes to compare.434/// \param result Value returned by the intercepted function.435void SANITIZER_CDECL __sanitizer_weak_hook_strncasecmp(void *called_pc,436 const char *s1,437 const char *s2, size_t n,438 int result);439 440/// Interceptor hook for <c>strcmp()</c>.441///442/// \param called_pc PC (program counter) address of the original call.443/// \param s1 Pointer to block of memory.444/// \param s2 Pointer to block of memory.445/// \param result Value returned by the intercepted function.446void SANITIZER_CDECL __sanitizer_weak_hook_strcmp(void *called_pc,447 const char *s1,448 const char *s2, int result);449 450/// Interceptor hook for <c>strcasecmp()</c>.451///452/// \param called_pc PC (program counter) address of the original call.453/// \param s1 Pointer to block of memory.454/// \param s2 Pointer to block of memory.455/// \param result Value returned by the intercepted function.456void SANITIZER_CDECL __sanitizer_weak_hook_strcasecmp(void *called_pc,457 const char *s1,458 const char *s2,459 int result);460 461/// Interceptor hook for <c>strstr()</c>.462///463/// \param called_pc PC (program counter) address of the original call.464/// \param s1 Pointer to block of memory.465/// \param s2 Pointer to block of memory.466/// \param result Value returned by the intercepted function.467void SANITIZER_CDECL __sanitizer_weak_hook_strstr(void *called_pc,468 const char *s1,469 const char *s2, char *result);470 471void SANITIZER_CDECL __sanitizer_weak_hook_strcasestr(void *called_pc,472 const char *s1,473 const char *s2,474 char *result);475 476void SANITIZER_CDECL __sanitizer_weak_hook_memmem(void *called_pc,477 const void *s1, size_t len1,478 const void *s2, size_t len2,479 void *result);480 481// Prints stack traces for all live heap allocations ordered by total482// allocation size until top_percent of total live heap is shown. top_percent483// should be between 1 and 100. At most max_number_of_contexts contexts484// (stack traces) are printed.485// Experimental feature currently available only with ASan on Linux/x86_64.486void SANITIZER_CDECL __sanitizer_print_memory_profile(487 size_t top_percent, size_t max_number_of_contexts);488 489/// Notify ASan that a fiber switch has started (required only if implementing490/// your own fiber library).491///492/// Before switching to a different stack, you must call493/// <c>__sanitizer_start_switch_fiber()</c> with a pointer to the bottom of the494/// destination stack and with its size. When code starts running on the new495/// stack, it must call <c>__sanitizer_finish_switch_fiber()</c> to finalize496/// the switch. The <c>__sanitizer_start_switch_fiber()</c> function takes a497/// <c>void**</c> pointer argument to store the current fake stack if there is498/// one (it is necessary when the runtime option499/// <c>detect_stack_use_after_return</c> is enabled).500///501/// When restoring a stack, this <c>void**</c> pointer must be given to the502/// <c>__sanitizer_finish_switch_fiber()</c> function. In most cases, this503/// pointer can be stored on the stack immediately before switching. When504/// leaving a fiber definitely, NULL must be passed as the first argument to505/// the <c>__sanitizer_start_switch_fiber()</c> function so that the fake stack506/// is destroyed. If your program does not need stack use-after-return507/// detection, you can always pass NULL to these two functions.508///509/// \note The fake stack mechanism is disabled during fiber switch, so if a510/// signal callback runs during the switch, it will not benefit from stack511/// use-after-return detection.512///513/// \param[out] fake_stack_save Fake stack save location.514/// \param bottom Bottom address of stack.515/// \param size Size of stack in bytes.516void SANITIZER_CDECL __sanitizer_start_switch_fiber(void **fake_stack_save,517 const void *bottom,518 size_t size);519 520/// Notify ASan that a fiber switch has completed (required only if521/// implementing your own fiber library).522///523/// When code starts running on the new stack, it must call524/// <c>__sanitizer_finish_switch_fiber()</c> to finalize525/// the switch. For usage details, see the description of526/// <c>__sanitizer_start_switch_fiber()</c>.527///528/// \param fake_stack_save Fake stack save location.529/// \param[out] bottom_old Bottom address of old stack.530/// \param[out] size_old Size of old stack in bytes.531void SANITIZER_CDECL __sanitizer_finish_switch_fiber(void *fake_stack_save,532 const void **bottom_old,533 size_t *size_old);534 535// Get full module name and calculate pc offset within it.536// Returns 1 if pc belongs to some module, 0 if module was not found.537int SANITIZER_CDECL __sanitizer_get_module_and_offset_for_pc(538 void *pc, char *module_path, size_t module_path_len, void **pc_offset);539 540#ifdef __cplusplus541} // extern "C"542#endif543 544#endif // SANITIZER_COMMON_INTERFACE_DEFS_H545