ping

On 7/10/25 2:01 PM, claudiu.zissulescu-iancule...@oracle.com wrote:
> From: Claudiu Zissulescu <claudiu.zissulescu-iancule...@oracle.com>
>
> Hi,
>
> Please find a new series of patches that implements stack sanitizer
> using AArch64 MTE instructions. This new series is based on Indu's
> previous patch series.
>
> What is new:
> - Introduces a new target instruction tag_memory.
> - Introduces a new target hook to deal with tag computation
>   (TARGET_MEMTAG_COMPOSE_OFFSET_TAG).
> - Simplify the stg/st2g instruction patterns to accept POST/PRE
>   modify type of addresses.
> - Minimize asan.cc modification.
> - Add execution tests.
> - Improve and fix emitting stg/st2g instructions.
> - Various text improvements.
>
> Thank you,
> Claudiu
>
> ======================================
> MTE on AArch64 and Memory Tagging
>
> Memory Tagging Extension (MTE) is an AArch64 extension. This
> extension allows coloring of 16-byte memory granules with 4-bit tag
> values. The extension provides additional instructions in ISA and a
> new memory type, Normal Tagged Memory, added to the Arm Architecture.
> This hardware-assisted mechanism can be used to detect memory bugs
> like buffer overrun or use-after-free. The detection is
> probabilistic.
>
> Under the hood, the MTE extension introduces two types of tags:
> - Address Tags, and,
> - Allocation Tags (a.k.a., Memory Tags)
>
> Address Tag: which acts as the key. This adds four bits to the top of
> a virtual address. It is built on AArch64 'top-byte-ignore' (TBI)
> feature.
>
> Allocation Tag: which acts as the lock. Allocation tags also consist
> of four bits, linked with every aligned 16-byte region in the physical
> memory space. Arm refers to these 16-byte regions as tag granules.
> The way Allocation tags are stored is a hardware implementation
> detail.
>
> A subset of the MTE instructions which are relevant in the current
> context are:
>
> [Xn, Xd are registers containing addresses].
>
> - irg Xd, Xn
>   Copy Xn into Xd, insert a random 4-bit Address Tag into Xd.
> - addg Xd, Xn, #<immA>, #<immB>
>   Xd = Xn + immA, with Address Tag modified by #immB. Similarly, there
>   exists a subg.
> - stg Xd, [Xn]
>   (Store Allocation Tag) updates Allocation Tag for [Xn, Xn + 16) to the
>   Address Tag of Xd.
>
> Additionally, note that load and store instructions with SP base
> register do not check tags.
>
> MEMTAG sanitizer for stack
> Use MTE instructions to instrument stack accesses to detect memory safety
> issues.
>
> Detecting stack-related memory bugs requires the compiler to:
> - ensure that each object on the stack is allocated in its own 16-byte
>   granule.
> - Tag/Color: put tags into each stack variable pointer.
> - Untag: the function epilogue will untag the (stack) memory.
> Above should work with dynamic stack allocation as well.
>
> GCC has HWASAN machinery for coloring stack variables. Extend the
> machinery to emit MTE instructions when MEMTAG sanitizer is in effect.
>
> Deploying and running user space programs built with -fsanitizer=memtag will
> need following additional pieces in place. If there is any existing work /
> ideas on any of the following, please send comments to help define the work.
>
> Additional necessary pieces
>
> * MTE aware exception handling and unwinding routines
>   The additional stack coloring must work with C++ exceptions and C
>   setjmp/longjmp.
>
> * When unwinding the stack for handling C++ exceptions, the unwinder
>   additionally also needs to untag the stack frame. As per the
>   AADWARF64 document: "The character 'G' indicates that associated
>   frames may modify MTE tags on the stack space they use."
>
> * When restoring the context in longjmp, we need to additionally untag the
>   stack.
>
> Claudiu Zissulescu (4):
>   target-insns.def: (tag_memory) New pattern.
>   targhooks: add TARGET_MEMTAG_COMPOSE_OFFSET_TAG
>   asan: memtag-stack add support for MTE instructions
>   aarch64: Add support for memtag-stack sanitizer using MTE insns
>
> Indu Bhagat (5):
>   targhooks: i386: rename TAG_SIZE to TAG_BITSIZE
>   opts: use uint64_t for sanitizer flags
>   aarch64: add new constants for MTE insns
>   asan: add new memtag sanitizer
>   aarch64: Add memtag-stack tests
>
>  gcc/asan.cc                                        | 214 +++++++---
>  gcc/asan.h                                         |  17 +-
>  gcc/builtins.def                                   |   1 +
>  gcc/c-family/c-attribs.cc                          |  16 +-
>  gcc/c-family/c-common.h                            |   2 +-
>  gcc/c/c-parser.cc                                  |   4 +-
>  gcc/cfgexpand.cc                                   |  29 +-
>  gcc/common.opt                                     |   6 +-
>  gcc/config/aarch64/aarch64-builtins.cc             |   7 +-
>  gcc/config/aarch64/aarch64-linux.h                 |   4 +-
>  gcc/config/aarch64/aarch64-protos.h                |   4 +
>  gcc/config/aarch64/aarch64.cc                      | 370 +++++++++++++++++-
>  gcc/config/aarch64/aarch64.md                      |  78 ++--
>  gcc/config/aarch64/constraints.md                  |  26 ++
>  gcc/config/aarch64/predicates.md                   |  13 +-
>  gcc/config/i386/i386.cc                            |   8 +-
>  gcc/cp/typeck.cc                                   |   2 +-
>  gcc/d/d-attribs.cc                                 |   8 +-
>  gcc/doc/invoke.texi                                |  19 +-
>  gcc/doc/md.texi                                    |   5 +
>  gcc/doc/tm.texi                                    |   8 +-
>  gcc/doc/tm.texi.in                                 |   4 +-
>  gcc/dwarf2asm.cc                                   |   2 +-
>  gcc/flag-types.h                                   |   4 +
>  gcc/gcc.cc                                         |   2 +
>  gcc/gimplify.cc                                    |   5 +-
>  gcc/internal-fn.cc                                 |  68 +++-
>  gcc/internal-fn.def                                |   1 +
>  gcc/opts.cc                                        |  47 ++-
>  gcc/opts.h                                         |   8 +-
>  gcc/params.opt                                     |   8 +
>  gcc/sanopt.cc                                      |   2 +-
>  gcc/target-insns.def                               |   1 +
>  gcc/target.def                                     |  11 +-
>  gcc/targhooks.cc                                   |   9 +-
>  gcc/targhooks.h                                    |   4 +-
>  .../gcc.target/aarch64/acle/memtag_1.c             |   2 +-
>  .../gcc.target/aarch64/memtag/alloca-1.c           |  14 +
>  .../gcc.target/aarch64/memtag/alloca-3.c           |  27 ++
>  .../gcc.target/aarch64/memtag/arguments-1.c        |   3 +
>  .../gcc.target/aarch64/memtag/arguments-2.c        |   3 +
>  .../gcc.target/aarch64/memtag/arguments-3.c        |   3 +
>  .../gcc.target/aarch64/memtag/arguments-4.c        |  16 +
>  .../gcc.target/aarch64/memtag/arguments.c          |   3 +
>  .../gcc.target/aarch64/memtag/basic-1.c            |  15 +
>  .../gcc.target/aarch64/memtag/basic-3.c            |  21 +
>  .../gcc.target/aarch64/memtag/basic-struct.c       |  22 ++
>  .../aarch64/memtag/cfi-mte-memtag-frame-1.c        |  11 +
>  .../gcc.target/aarch64/memtag/large-array.c        |  24 ++
>  .../aarch64/memtag/local-no-escape.c               |  20 +
>  .../gcc.target/aarch64/memtag/memtag.exp           |  64 +++
>  .../gcc.target/aarch64/memtag/mte-sig.h            |  15 +
>  .../aarch64/memtag/no-sanitize-attribute.c         |  17 +
>  .../gcc.target/aarch64/memtag/texec-1.c            |  27 ++
>  .../gcc.target/aarch64/memtag/texec-2.c            |  22 ++
>  .../gcc.target/aarch64/memtag/value-init.c         |  14 +
>  .../aarch64/memtag/vararray-gimple.c               |  17 +
>  .../gcc.target/aarch64/memtag/vararray.c           |  14 +
>  .../gcc.target/aarch64/memtag/vla-1.c              |  39 ++
>  .../gcc.target/aarch64/memtag/vla-2.c              |  48 +++
>  .../gcc.target/aarch64/memtag/zero-init.c          |  14 +
>  gcc/testsuite/lib/target-supports.exp              |  12 +
>  gcc/tree-cfg.cc                                    |   2 +-
>  63 files changed, 1344 insertions(+), 162 deletions(-)
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/alloca-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/alloca-3.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-2.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-3.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments-4.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/arguments.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-3.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/basic-struct.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/cfi-mte-memtag-frame-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/large-array.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/local-no-escape.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/memtag.exp
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/mte-sig.h
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/no-sanitize-attribute.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/texec-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/texec-2.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/value-init.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vararray-gimple.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vararray.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vla-1.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/vla-2.c
>  create mode 100644 gcc/testsuite/gcc.target/aarch64/memtag/zero-init.c
>
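The cover letter above describes MTE as a lock-and-key scheme: irg puts a 4-bit key in the top byte of a pointer, stg writes the matching lock into a 16-byte granule, and the prologue colors each stack object in its own granule while the epilogue untags the frame. The following software model is an added example written for this page; it is not code from the patch series or from GCC. It replaces real addresses with offsets into a byte array, keeps one allocation tag per granule in a side table, and uses constructed tag values (3 and 4) where hardware irg would pick a random tag. It shows why a one-byte overrun from one local into the next, and a use of a stack pointer after the frame has been untagged, both trip the tag check.

```c
/* Software model of the MTE lock-and-key check.  Added example, not part
   of the GCC patch series.  An "address" is an offset into sim_stack with
   a 4-bit address tag in bits 59:56 (the TBI byte); one allocation tag is
   kept per 16-byte granule.  Tag values used below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GRANULE     16
#define TAG_SHIFT   56
#define TAG_MASK    0xFULL
#define STACK_BYTES 256

typedef uint64_t taddr;                            /* tagged address     */
static uint8_t sim_stack[STACK_BYTES];             /* modelled stack     */
static uint8_t alloc_tags[STACK_BYTES / GRANULE];  /* lock per granule   */

static uint64_t addr_tag(taddr a) { return (a >> TAG_SHIFT) & TAG_MASK; }
static uint64_t addr_off(taddr a) { return a & ((1ULL << TAG_SHIFT) - 1); }

/* irg Xd, Xn: copy the address and insert an address tag (the key).
   Hardware picks the tag at random; the caller supplies it here. */
static taddr sim_irg(taddr xn, unsigned tag)
{
  return addr_off(xn) | ((uint64_t)(tag & TAG_MASK) << TAG_SHIFT);
}

/* addg Xd, Xn, #immA, #immB: Xd = Xn + immA, tag advanced by immB mod 16. */
static taddr sim_addg(taddr xn, unsigned imm_a, unsigned imm_b)
{
  uint64_t tag = (addr_tag(xn) + imm_b) & TAG_MASK;
  return (addr_off(xn) + imm_a) | (tag << TAG_SHIFT);
}

/* Plain pointer arithmetic: the offset changes, the tag is carried along. */
static taddr sim_add(taddr a, uint64_t n)
{
  return (addr_off(a) + n) | (addr_tag(a) << TAG_SHIFT);
}

/* stg Xd, [Xn]: set the allocation tag (the lock) of the granule at Xn to
   the address tag of Xd.  Returns -1 if Xn is not granule aligned. */
static int sim_stg(taddr xd, taddr xn)
{
  uint64_t off = addr_off(xn);
  if (off % GRANULE != 0 || off >= STACK_BYTES)
    return -1;
  alloc_tags[off / GRANULE] = (uint8_t)addr_tag(xd);
  return 0;
}

/* Tag-checked byte load: 0 on key/lock match, -1 on a tag check fault
   (in synchronous mode the kernel delivers SIGSEGV for this). */
static int sim_ldrb(taddr a, uint8_t *out)
{
  uint64_t off = addr_off(a);
  if (off >= STACK_BYTES || alloc_tags[off / GRANULE] != addr_tag(a))
    return -1;
  *out = sim_stack[off];
  return 0;
}

/* Prologue coloring for "char a[16]; char b[16];", one granule each.
   Returns the tagged pointer to a and stores b's pointer in *b_out. */
static taddr color_two_locals(taddr frame_base, taddr *b_out)
{
  taddr a = sim_irg(frame_base, 3);      /* constructed tag 3        */
  sim_stg(a, a);                         /* lock a's granule         */
  taddr b = sim_addg(a, GRANULE, 1);     /* next granule, tag 4      */
  sim_stg(b, b);                         /* lock b's granule         */
  *b_out = b;
  return a;
}

/* Epilogue untagging: reset every allocation tag of the frame to 0. */
static void untag_frame(taddr frame_base, size_t bytes)
{
  taddr zero = sim_irg(frame_base, 0);
  for (size_t off = 0; off < bytes; off += GRANULE)
    sim_stg(zero, sim_add(zero, off));
}

/* a[15] is in bounds; a[16] lands in b's granule with a's key and faults. */
static int overflow_detected(void)
{
  memset(alloc_tags, 0, sizeof alloc_tags);
  taddr b, a = color_two_locals(0, &b);
  uint8_t v;
  if (sim_ldrb(sim_add(a, 15), &v) != 0 || sim_ldrb(b, &v) != 0)
    return 0;                            /* in-bounds loads must pass */
  return sim_ldrb(sim_add(a, 16), &v) == -1;
}

/* Once the epilogue has untagged the frame, a stale tagged pointer faults. */
static int use_after_return_detected(void)
{
  memset(alloc_tags, 0, sizeof alloc_tags);
  taddr b, a = color_two_locals(0, &b);
  untag_frame(0, 2 * GRANULE);
  uint8_t v;
  return sim_ldrb(a, &v) == -1 && sim_ldrb(b, &v) == -1;
}

int main(void)
{
  printf("overflow detected: %d\n", overflow_detected());
  printf("use-after-return detected: %d\n", use_after_return_detected());
  return 0;
}
```

The model deliberately omits the cover letter's note that SP-based loads and stores skip the check, and it does not model the probabilistic miss (a 1-in-16 chance that two adjacent objects draw the same random tag); both are worth keeping in mind when reading a sanitizer report.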
Re: [PATCH v3 0/9] Add memtag-stack sanitizer using MTE instructions.
Claudiu Zissulescu-Ianculescu Wed, 30 Jul 2025 04:29:09 -0700