authorDerek Bruening <bruening@google.com>2016-05-20 19:19:06 +0000
committerDerek Bruening <bruening@google.com>2016-05-20 19:19:06 +0000
commitc7f4922524e262162a38179adea7cfc0096dcd55 (patch)
tree8f2456cd753462d393a6582940a2ded56b2f4079 /compiler-rt/lib
parent259d786065880a2bdad7dee756182a220e14cfe5 (diff)
[esan] Extend shadow mapping to cover low libraries
Summary: Adds support for app libraries starting slightly below 0x7f00'00000000 (the mmap ASLR range extends down to 0x7efb'f8000000 for reasonable stack limits) by switching to a shadow mapping offset of 0x1300'00000000. Reviewers: aizatsky Subscribers: vitalybuka, zhaoqin, kcc, eugenis, llvm-commits, kubabrecka Differential Revision: http://reviews.llvm.org/D20479 llvm-svn: 270255
Diffstat (limited to 'compiler-rt/lib')
-rw-r--r--compiler-rt/lib/esan/esan.cpp20
-rw-r--r--compiler-rt/lib/esan/esan_shadow.h37
2 files changed, 37 insertions, 20 deletions
diff --git a/compiler-rt/lib/esan/esan.cpp b/compiler-rt/lib/esan/esan.cpp
index e9a362a9e67..e16eea716d4 100644
--- a/compiler-rt/lib/esan/esan.cpp
+++ b/compiler-rt/lib/esan/esan.cpp
@@ -64,9 +64,27 @@ void processRangeAccess(uptr PC, uptr Addr, int Size, bool IsWrite) {
#if SANITIZER_DEBUG
static bool verifyShadowScheme() {
// Sanity checks for our shadow mapping scheme.
+ uptr AppStart, AppEnd;
+ if (Verbosity() >= 3) {
+ for (int i = 0; getAppRegion(i, &AppStart, &AppEnd); ++i) {
+ VPrintf(3, "App #%d: [%zx-%zx) (%zuGB)\n", i, AppStart, AppEnd,
+ (AppEnd - AppStart) >> 30);
+ }
+ }
for (int Scale = 0; Scale < 8; ++Scale) {
Mapping.initialize(Scale);
- uptr AppStart, AppEnd;
+ if (Verbosity() >= 3) {
+ VPrintf(3, "\nChecking scale %d\n", Scale);
+ uptr ShadowStart, ShadowEnd;
+ for (int i = 0; getShadowRegion(i, &ShadowStart, &ShadowEnd); ++i) {
+ VPrintf(3, "Shadow #%d: [%zx-%zx) (%zuGB)\n", i, ShadowStart,
+ ShadowEnd, (ShadowEnd - ShadowStart) >> 30);
+ }
+ for (int i = 0; getShadowRegion(i, &ShadowStart, &ShadowEnd); ++i) {
+ VPrintf(3, "Shadow(Shadow) #%d: [%zx-%zx)\n", i,
+ appToShadow(ShadowStart), appToShadow(ShadowEnd - 1)+1);
+ }
+ }
for (int i = 0; getAppRegion(i, &AppStart, &AppEnd); ++i) {
DCHECK(isAppMem(AppStart));
DCHECK(!isAppMem(AppStart - 1));
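Review bot: The two loops over getShadowRegion, at the `Shadow #%d` print and the `Shadow(Shadow) #%d` print, walk exactly the same regions and could be folded into one loop emitting both lines, which also keeps each region's shadow and double-shadow output adjacent in the verbose log. In the same block, `appToShadow(ShadowEnd - 1)+1` should be spaced `appToShadow(ShadowEnd - 1) + 1` to match the surrounding code. The outer `if (Verbosity() >= 3)` guards appear to only save the region walks, since VPrintf takes the level itself; that is fine for debug-only code but a one-line comment such as `// Dump the layout only at high verbosity to keep debug startup quiet.` would make the intent clear. The body of verifyShadowScheme continues past the end of this hunk, so the DCHECKs that follow are not reviewed here.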
diff --git a/compiler-rt/lib/esan/esan_shadow.h b/compiler-rt/lib/esan/esan_shadow.h
index d69d4e666cc..4507c3d14b5 100644
--- a/compiler-rt/lib/esan/esan_shadow.h
+++ b/compiler-rt/lib/esan/esan_shadow.h
@@ -31,7 +31,7 @@ namespace __esan {
//
// [0x00000000'00000000, 0x00000100'00000000) non-PIE + heap
// [0x00005500'00000000, 0x00005700'00000000) PIE
-// [0x00007f00'00000000, 0x00007fff'ff600000) libraries + stack, part 1
+// [0x00007e00'00000000, 0x00007fff'ff600000) libraries + stack, part 1
// [0x00007fff'ff601000, 0x00008000'00000000) libraries + stack, part 2
// [0xffffffff'ff600000, 0xffffffff'ff601000) vsyscall
//
@@ -39,7 +39,6 @@ namespace __esan {
// references there (other sanitizers ignore it), we enforce a gap inside the
// library region to distinguish the vsyscall's shadow, considering this gap to
// be an invalid app region.
-//
// We disallow application memory outside of those 5 regions.
//
// Our shadow memory is scaled from a 1:1 mapping and supports a scale
@@ -57,34 +56,34 @@ namespace __esan {
//
// shadow(app) = ((app & 0x00000fff'ffffffff) + offset) >> scale
//
-// Where the offset for 1:1 is 0x00001200'00000000. For other scales, the
+// Where the offset for 1:1 is 0x00001300'00000000. For other scales, the
// offset is shifted left by the scale, except for scales of 1 and 2 where
// it must be tweaked in order to pass the double-shadow test
// (see the "shadow(shadow)" comments below):
-// scale == 0: 0x0000120'000000000
-// scale == 1: 0x0000220'000000000
-// scale == 2: 0x0000440'000000000
-// scale >= 3: (0x0000120'000000000 << scale)
+// scale == 0: 0x00001300'000000000
+// scale == 1: 0x00002200'000000000
+// scale == 2: 0x00004400'000000000
+// scale >= 3: (0x00001300'000000000 << scale)
//
// Do not pass in the open-ended end value to the formula as it will fail.
//
// The resulting shadow memory regions for a 0 scaling are:
//
-// [0x00001200'00000000, 0x00001300'00000000)
-// [0x00001700'00000000, 0x00001900'00000000)
-// [0x00002100'00000000, 0x000021ff'ff600000)
-// [0x000021ff'ff601000, 0x00002200'00000000)
-// [0x000021ff'ff600000, 0x000021ff'ff601000]
+// [0x00001300'00000000, 0x00001400'00000000)
+// [0x00001800'00000000, 0x00001a00'00000000)
+// [0x00002100'00000000, 0x000022ff'ff600000)
+// [0x000022ff'ff601000, 0x00002300'00000000)
+// [0x000022ff'ff600000, 0x000022ff'ff601000]
//
// We also want to ensure that a wild access by the application into the shadow
// regions will not corrupt our own shadow memory. shadow(shadow) ends up
// disjoint from shadow(app):
//
-// [0x00001400'00000000, 0x00001500'00000000)
-// [0x00001900'00000000, 0x00001b00'00000000)
-// [0x00001300'00000000, 0x000013ff'ff600000]
-// [0x000013ff'ff601000, 0x00001400'00000000]
-// [0x000013ff'ff600000, 0x000013ff'ff601000]
+// [0x00001600'00000000, 0x00001700'00000000)
+// [0x00001b00'00000000, 0x00001d00'00000000)
+// [0x00001400'00000000, 0x000015ff'ff600000]
+// [0x000015ff'ff601000, 0x00001600'00000000]
+// [0x000015ff'ff600000, 0x000015ff'ff601000]
struct ApplicationRegion {
uptr Start;
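Review bot: The per-scale offset table carries one hex digit too many: `0x00001300'000000000` on the `scale == 0` line has nine zeros after the apostrophe (17 digits, more than 64 bits), while the `0x00001300'00000000` line just above it and the OffsetArray initializer in this same file use eight; the `scale == 1`, `scale == 2` and `scale >= 3` lines have the same extra digit. Since this table is what a reader will cross-check against OffsetArray, the four lines should be rewritten with eight digits in the low half, e.g. `// scale == 0: 0x00001300'00000000` and `// scale >= 3: (0x00001300'00000000 << scale)`. Minor and pre-existing in form: the last three entries of the shadow(shadow) table and the vsyscall entry of the shadow(app) table close with `]` where every other interval here is written half-open with `)`; using `)` throughout would avoid suggesting a different boundary convention.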
@@ -98,7 +97,7 @@ static const struct ApplicationRegion AppRegions[] = {
// We make one shadow mapping to hold the shadow regions for all 3 of these
// app regions, as the mappings interleave, and the gap between the 3rd and
// 4th scales down below a page.
- {0x00007f0000000000u, 0x00007fffff600000u, false},
+ {0x00007e0000000000u, 0x00007fffff600000u, false},
{0x00007fffff601000u, 0x0000800000000000u, true},
{0xffffffffff600000u, 0xffffffffff601000u, true},
};
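Review bot: The new lower bound `0x00007e0000000000u` is a bare literal with no explanation of where it comes from, while the reasoning (the mmap ASLR base reaching down to about 0x7efb'f8000000 under a reasonable stack rlimit) lives only in the commit message. A short comment on that line, such as `// ASLR can place the mmap base slightly below 0x7f00'00000000 (about 0x7efb'f8000000 with a reasonable stack rlimit), so start this region at 0x7e00'00000000.`, would let a future reader judge whether the margin is still sufficient. It is not visible in this hunk whether a library mapped below this bound (for example under an unusually large stack rlimit) is detected at initialization or simply falls outside every app region; if the latter, that limitation is worth stating in the same comment.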
@@ -112,7 +111,7 @@ public:
uptr Offset;
void initialize(uptr ShadowScale) {
static const uptr OffsetArray[3] = {
- 0x0000120000000000u,
+ 0x0000130000000000u,
0x0000220000000000u,
0x0000440000000000u,
};