Open Menu / src / instrumentation.h
Loading...
  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
#if CONFIG_MTE

#ifndef __MEMTAG_H__
#define __MEMTAG_H__

// Make sure we have +memtag when including this file.
#if !defined(__ARM_FEATURE_MEMORY_TAGGING)
#error "This file requires __ARM_FEATURE_MEMORY_TAGGING"
#endif

#include <arm_acle.h>

__ptrcheck_abi_assume_unsafe_indexable();

#define MEMTAG_TAG_MAX 0xf

#define memtag_p2roundup(x, align) (-(-(x) & -(align)))
#define memtag_p2align(x, align) ((uintptr_t)(x) & -(align))

union memtag_ptr {
	uint64_t value;

	struct {
		uint64_t ptr_bits : 56; // address part
		uint64_t ptr_tag : 4;   // logical tag
		uint64_t ptr_upper : 4;
	};
};

// Add the logical tag contained in `tagged_addr` to the mask
// specified by `excluded`, and return the updated mask.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint64_t
_memtag_update_mask(uint8_t *tagged_addr, uint64_t excluded)
{
	return __arm_mte_exclude_tag(tagged_addr, excluded);
}

// Return a pointer whose address part comes from `addr`, and whose logical tag
// is the allocation tag loaded from the memory pointed to by `addr`.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
_memtag_load_tag(uint8_t *addr)
{
	return __arm_mte_get_tag(addr);
}

// Load the allocation tag associated to the memory pointed to
// by `addr`, add it to the mask specified by `excluded`, and
// return the updated mask.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint64_t
_memtag_exclude_tag(uint8_t *addr, uint64_t excluded)
{
	return _memtag_update_mask(_memtag_load_tag(addr), excluded);
}

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
_memtag_create_random_tag(uint8_t *addr, uint64_t mask)
{
	return __arm_mte_create_random_tag(addr, mask);
}

#pragma mark Exposed interfaces

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_strip_address(uint8_t *tagged_addr)
{
	union memtag_ptr p = {
		.value = (uint64_t)tagged_addr,
	};
	p.ptr_tag = 0;
	return (uint8_t *)p.value;
}

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t
memtag_extract_tag(uint8_t *tagged_addr)
{
	union memtag_ptr p = {
		.value = (uint64_t)tagged_addr,
	};
	return (uint8_t)p.ptr_tag;
}

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_mix_tag(uint8_t *canonical_addr, uint8_t tag)
{
	MALLOC_DEBUG_ASSERT(tag <= MEMTAG_TAG_MAX);
	union memtag_ptr p = {
		.value = (uintptr_t)canonical_addr,
	};
	p.ptr_tag = tag;
	return (uint8_t *)p.value;
}

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static bool
memtag_tags_match(const void *p,
	const void *q)
{
	union memtag_ptr pmtp = { .value = (uintptr_t)p };
	union memtag_ptr qmtp = { .value = (uintptr_t)q };
	return pmtp.ptr_tag == qmtp.ptr_tag;
}

MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_fixup_ptr(uint8_t *ptr)
{
	return _memtag_load_tag(ptr);
}

// Return a pointer whose address part comes from `addr`, and whose logical tag
// is the canonical one (0).
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_assign_canonical_tag(uint8_t *address)
{
	// Assigning a canonical tag equates to stripping the logical tag included
	// in the address, if any is present.
	return memtag_strip_address(address);
}

// Disable tag checking (i.e. enable Tag Checking Override).
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static void
memtag_disable_checking(void)
{
	__asm__ __volatile__ ("msr TCO, #1");
}

// Enable tag checking (i.e. disable Tag Checking Override).
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static void
memtag_enable_checking(void)
{
	__asm__ __volatile__ ("msr TCO, #0");
}

// Set tags for a block with arbitrary 16B alignment
MALLOC_INLINE MALLOC_ALWAYS_INLINE
static void
memtag_set_tag_unaligned(uint8_t *start, size_t size)
{
	MALLOC_DEBUG_ASSERT(!(size % 16));
	MALLOC_DEBUG_ASSERT(!((uintptr_t)start % 16));
	uint8_t *addr = start;
	uint8_t *end  = start + size;

	// NB: For xzone-malloc, the stg and st2g operations can be further
	// conditioned on block sizes that can possibly be 64B-misaligned. This
	// optimization is measurably faster (on the order of 5 cycles per block),
	// but does not work for the early-allocator, for which all block sizes
	// may have arbitrary 16B-alignment.

	// Unconditionally tag the first and last 16B granule
	__asm__ __volatile__ ("stg %0, [%0]" : : "r"(addr) : "memory");
	__asm__ __volatile__ ("stg %0, [%0, #-16]" : : "r"(end) : "memory");

	if (os_likely(size > 32)) {
		// Round up/down to the nearest 32B boundary
		addr = (uint8_t *)((uintptr_t)(start + 31) & -32);
		end  = (uint8_t *)((uintptr_t)(start + size) & -32);

		// Tag the first and last 32B granule.
		__asm__ __volatile__ ("st2g %0, [%0]" : : "r"(addr) : "memory");
		__asm__ __volatile__ ("st2g %0, [%0, #-32]" : : "r"(end) : "memory");
	}

	// Round up/down to the nearest 64B boundary
	addr = (uint8_t *)((uintptr_t)(start + 63) & -64);
	end  = (uint8_t *)((uintptr_t)(start + size) & -64);

	// At this point, any non-64B-aligned portion of the block has been tagged.
	// Tag the remaining 64B granules
	while (addr < end) {
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr) : "memory");
		addr += 64;
	}
}

// Set tags for blocks with at least 512B alignment
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static void
memtag_set_tag_aligned_512(uint8_t *addr, vm_size_t size)
{
	MALLOC_DEBUG_ASSERT(!((uintptr_t)addr % 512));
	MALLOC_DEBUG_ASSERT(!(size % 512));
	uint8_t *end = addr + size;
	while (addr < end) {
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 64) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 128) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 192) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 256) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 320) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 384) : "memory");
		__asm__ __volatile__ ("dc gva, %0" : : "r"(addr + 448) : "memory");
		addr += 512;
	}
}

// Set tags for blocks served from a fixed block-size slab.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static void
memtag_set_tag(uint8_t *addr, size_t size)
{
	if (!!(size & 511)) {
		memtag_set_tag_unaligned(addr, size);
	} else {
		memtag_set_tag_aligned_512(addr, size);
	}
}

// Return a pointer whose address part comes from `address`, adding a
// random logical tag which is chosen based on the following criteria:
// - It should not be the canonical tag (0)
// - It should not match the allocation tag associated with the granule
//   pointed to by `address`
// - It should not match the allocation tag associated with the granule
//   that that precedes `address`
// - It should not match the allocation tag associated with the granule
//   that that follows the block pointed to by `address`
//   (i.e. the one associated with `address + size`)
MALLOC_NOEXPORT
uint8_t *
memtag_assign_tag(uint8_t *address, size_t size);

// Initialize the allocation tags for the chunk of memory pointed to
// by `chunk_start`, by setting a different tags for all the blocks
// of size `block_size` up to `chunk_size`.
MALLOC_NOEXPORT
uint8_t *
memtag_init_chunk(uint8_t *chunk_start, size_t chunk_size, uint64_t block_size);

// Given a pointer, try to load the tag associated to the physical memory it
// points to, and compare it against its logical tag. If the tags do not match,
// dereference the pointer (carrying the invalid logical tag) to raise a fatal
// exception that cannot be caught by the process.
//
// A result of true indicates that there _was_ a tag mismatch, which was
// handled.  A caller that observes this result should treat it as an indication
// that we're in soft mode and allow control to return to the client.
//
// A result of false indicates that the problem was not just a tag mismatch, so
// we should abort() in the traditional manner for invalid pointers.
MALLOC_NOEXPORT
bool
memtag_handle_mismatch(void *ptr);

// Retag a block.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_retag(uint8_t *address, size_t size)
{
	uint8_t *tagged_addr = memtag_assign_tag(address, size);
	memtag_set_tag(tagged_addr, size);
	return tagged_addr;
}

// Canonically tag a block.
MALLOC_ALWAYS_INLINE MALLOC_INLINE
static uint8_t *
memtag_tag_canonical(uint8_t *address, size_t size)
{
	uint8_t *canonical_addr = memtag_assign_canonical_tag(address);
	memtag_set_tag_unaligned(canonical_addr, size);
	return canonical_addr;
}

#endif // __MEMTAG_H__

#endif // CONFIG_MTE