Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp5593071pxb; Mon, 28 Mar 2022 14:41:34 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxxZzbP7RvBGogjbYXDeHBGZffHVuErpJsAepaR88NOhUSkizLWm+q54LIbFDUnsH07t5Ez X-Received: by 2002:a05:6102:34d8:b0:325:539c:f7f6 with SMTP id a24-20020a05610234d800b00325539cf7f6mr12827105vst.86.1648503694103; Mon, 28 Mar 2022 14:41:34 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1648503694; cv=none; d=google.com; s=arc-20160816; b=tA9B3JgeR0LkNxSkBvdp50tfeztNYZzJ5/A74DjlDuef4hPa0yIKFZNqLFQN+iLBte wyihhvXGcYLCWMHNSTtPWKrCPFBYIIFsufE+rvYXN5FzqOzw0QEBTcJfjJZEevAMEVBB p8PRmIbhn2fRKj6wuwxNwD4PmGGnVQyeBRcONaOdUAi2XrQ/8j5Vo7niwx5UJRlo6hkv f9NpSiDY7ZcpqDGANkJ1KLcHI+1+xWkt3mnRNsZUWvGgvlSsQr30VXgLgXMgLYkg6v2L 4AxBAILhcw7XVxikQVKqSnK4fWY28PXCKzUaqUZGMhDCBiPsL85/zaQjSrM2012vdJlx gTMw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=5Qa/akwwLnl1jbi3ZBLNGBoSUijJ6JEU7O/T7bwLesw=; b=i9kr6j2fleNZUViJj1d8wtM2yIvFAWnfv/FS7IoAlfXD90AZzdySK3I1iEV+tbeCVi TtSVjcCY7tjRjzaKO7pnzuP8L+Hvt+X9sCEUghsswqKu1GaLxLHe3nyTHLzyRajWHi6s PL5oh7zyron9GDKaS+Eqbb4sWro7ZuTBW9Mp4bmcumJga0tEWVRIwBcpPO2yJ92G7EmP y9lXlbiZ68zT+ZmQpghaaho4gsaXv+MZbDq5/HSoMc9pVdj93f1MW0SDsnWPmLYBhFox 9TRTW+cGGz7ye7aKG92Rb8R5iDPIJnhoeHsBc8LyCkl1Vdva+0GeEMqxKXWf2wlcFF2z T8pA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [2620:137:e000::1:18]) by mx.google.com with ESMTPS id n128-20020a1f7286000000b0033f56f66687si3095333vkc.142.2022.03.28.14.41.33 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 28 Mar 2022 14:41:34 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) client-ip=2620:137:e000::1:18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 62958A66EA; Mon, 28 Mar 2022 14:18:02 -0700 (PDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S243806AbiC1O2k (ORCPT + 99 others); Mon, 28 Mar 2022 10:28:40 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53076 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243801AbiC1O2i (ORCPT ); Mon, 28 Mar 2022 10:28:38 -0400 Received: from gate.crashing.org (gate.crashing.org [63.228.1.57]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 3744B46B1A; Mon, 28 Mar 2022 07:26:58 -0700 (PDT) Received: from gate.crashing.org (localhost.localdomain [127.0.0.1]) by gate.crashing.org (8.14.1/8.14.1) with ESMTP id 22SEMLX6009684; Mon, 28 Mar 2022 09:22:21 -0500 Received: (from segher@localhost) by gate.crashing.org (8.14.1/8.14.1/Submit) id 22SEMKu7009683; Mon, 28 Mar 2022 09:22:20 -0500 X-Authentication-Warning: gate.crashing.org: segher set sender to segher@kernel.crashing.org using -f Date: Mon, 28 Mar 2022 09:22:20 -0500 From: Segher Boessenkool To: Mark Rutland Cc: Peter Zijlstra , Nick Desaulniers , Borislav Petkov , Nathan Chancellor , x86-ml , lkml , llvm@lists.linux.dev, Josh Poimboeuf , linux-toolchains@vger.kernel.org Subject: Re: clang memcpy calls Message-ID: <20220328142220.GI614@gate.crashing.org> References: <20220325151238.GB614@gate.crashing.org> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.4.2.3i X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,RDNS_NONE, SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE autolearn=no autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi! On Mon, Mar 28, 2022 at 10:52:54AM +0100, Mark Rutland wrote: > On Fri, Mar 25, 2022 at 10:12:38AM -0500, Segher Boessenkool wrote: > > The compiler isn't assuming anything about asan. The compiler generates > > its code without any consideration of what asan will or will not do. > > The burden of making things work is on asan. > > I think we're talking past each other here, so let me be more precise. :) > > The key thing is that when the user passes `-fsantize=address`, instrumentation > is added by (a part of) the compiler. That instrumentation is added under some > assumptions as to how the compiler as a whole will behave. > > With that in mind, the question is how is __attribute__((no_sanitize_address)) > intended to work when considering all the usual expectations around how the > compiler can play with memcpy and similar? The attribute is about how the *current* function is instrumented, not about anything called by this function. This is clearly documented: 'no_sanitize_address' 'no_address_safety_analysis' The 'no_sanitize_address' attribute on functions is used to inform the compiler that it should not instrument memory accesses in the function when compiling with the '-fsanitize=address' option. The 'no_address_safety_analysis' is a deprecated alias of the 'no_sanitize_address' attribute, new code should use 'no_sanitize_address'. > > The compiler should not do anything differently here if it uses asan. > > The address sanitizer and the memcpy function implementation perhaps > > have to cooperate somehow, or asan needs more smarts. This needs to > > happen no matter what, to support other things calling memcpy, say, > > assembler code. > > I appreciate where you're coming from here, but I think you're approaching the > problem sideways. I am stating facts, I am not trying to solve your problem there. It seemed to me (and still does) that you didn't grasp all facts here. > We need to define *what the semantics are* so that we can actually solve the > problem, e.g. is a memcpy implementation expected to be instrumented or not? That is up to the memcpy implementation itself, of course. > > GCC *requires* memcpy to be the standard memcpy always (i.e. to have the > > standard-specified semantics). This means that it will have the same > > semantics as __builtin_memcpy always, and either or not be a call to an > > external function. It can also create calls to it out of thin air. > > I understand all of that. And still you want us to do something that is impossible under those existing constraints :-( If you want the external memcpy called by modules A, B, C to not be instrumented, you have to link A, B, and C against an uninstrumented memcpy. This is something the kernel will have to do, the compiler has no say in how the kernel is linked together. Segher