[RFC,00/11] Add Memory Sanitizer support

Message ID 20230206222513.1773039-1-iii@linux.ibm.com

Ilya Leoshkevich Feb. 6, 2023, 10:25 p.m. UTC
  Hi,

This series adds minimalistic support for Memory Sanitizer (MSan) [1].
MSan is compiler instrumentation for detecting accesses to
uninitialized memory.

The motivation behind this is to be able to link elfutils into projects
instrumented with MSan, since it essentially requires all the code
running in a process to be instrumented.

The goal is to provide a setup where elfutils is linked only with zlib
and most tests pass. Here is the description of the setup that I'm
using:

- LLVM with argp_parse() instrumentation [2].

- zlib-ng instrumented with MSan:

  git clone git@github.com:zlib-ng/zlib-ng.git
  cmake -DWITH_SANITIZER=Memory -DZLIB_COMPAT=ON -DWITH_GTEST=OFF \
        -DCMAKE_C_COMPILER=clang -DCMAKE_INSTALL_PREFIX=/tmp/zlib-ng
  make install
  export CPATH=/tmp/zlib-ng/include
  export LIBRARY_PATH=/tmp/zlib-ng/lib

- Hack: zlib is used by a lot of system utilities, so adding
  MSan-instrumented zlib to LD_LIBRARY_PATH causes a lot of grief.
  Let the elfutils test infrastructure add it there only for running
  tests:

  ln -s /tmp/zlib-ng/lib/libz.so.1 libelf/

- elfutils uses printf("%n"), so tweak MSan to unpoison the respective
  arguments. Also disable fast unwinding to get better backtraces:

  export MSAN_OPTIONS=check_printf=1,fast_unwind_on_malloc=0

- Minimal configuration of elfutils instrumented with MSan:

  autoreconf -i
  CC=clang ./configure --enable-maintainer-mode \
                       --enable-sanitize-memory --without-bzlib \
                       --without-lzma --without-zstd \
                       --disable-debuginfod --disable-libdebuginfod \
                       --disable-demangler

Results:

  ============================================================================
  Testsuite summary for elfutils 0.188
  ============================================================================
  # TOTAL: 235
  # PASS:  221
  # SKIP:  14
  # XFAIL: 0
  # FAIL:  0
  # XPASS: 0
  # ERROR: 0
  ============================================================================

The patches take care of the following:

- Fixing clang build.
- Adding small tweaks to get rid of false positives (no real issues
  were found, most likely because elfutils is already tested with
  valgrind).
- Dealing with "-self" tests, which now see MSan runtime compiled
  into elfutils binaries.
- MSan enablement itself.

[1] https://clang.llvm.org/docs/MemorySanitizer.html
[2] https://reviews.llvm.org/D143330

Best regards,
Ilya

Ilya Leoshkevich (11):
  libdwfl: Fix debuginfod_client redefinition
  libasm: Fix xdefault_pattern initialization
  printversion: Fix unused variable
  readelf: Fix set but not used parameter
  readelf: Fix set but not used variable
  Initialize reglocs for VMCOREINFO
  addr2line: Do not test demangling in run-addr2line-i-test.sh
  x86_64_return_value_location: Support lvalue and rvalue references
  configure: Use -fno-addrsig if possible
  configure: Add --disable-demangle
  configure: Add --enable-sanitize-memory

 backends/linux-core-note.c    |  1 +
 backends/x86_64_retval.c      |  2 ++
 configure.ac                  | 40 ++++++++++++++++++++++++++++++++++-
 debuginfod/Makefile.am        |  3 ++-
 lib/printversion.h            |  3 ++-
 libasm/Makefile.am            |  3 ++-
 libasm/asm_newscn.c           |  5 ++---
 libdw/Makefile.am             |  3 ++-
 libdwfl/debuginfod-client.c   |  2 +-
 libdwfl/libdwfl.h             |  5 +----
 libdwfl/libdwflP.h            |  4 ++--
 libelf/Makefile.am            |  3 ++-
 src/readelf.c                 |  3 +--
 tests/Makefile.am             | 10 ++++++++-
 tests/run-addr2line-i-test.sh | 14 ++++++------
 tests/run-readelf-self.sh     |  5 +++++
 tests/run-strip-reloc.sh      |  5 +++++
 tests/run-varlocs-self.sh     |  5 +++++
 18 files changed, 90 insertions(+), 26 deletions(-)
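The cover letter above mentions that elfutils uses printf("%n") and therefore runs the testsuite with MSAN_OPTIONS=check_printf=1. The following is an added example, not code from this series or from elfutils, that shows the "%n" pattern in isolation: the count is stored by the C library rather than by instrumented code, which is why MSan has to be told to treat the "%n" target as initialized. The function names (column_after_label, format_aligned) and the readelf-style sample label and values are constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* Record, via the printf "%n" conversion, the column reached after
   writing LABEL followed by ':' into OUT.  "%n" stores the number of
   characters written so far into the int it points at.  That store is
   performed inside the C library, not by instrumented code, so MSan
   needs its printf interceptor (check_printf=1, as in the cover letter's
   MSAN_OPTIONS) to mark `col` initialized before it is read below.
   Returns the column, or -1 when OUT cannot hold label, ':' and NUL. */
int column_after_label(const char *label, char *out, size_t outsz)
{
    int col = -1;
    if (strlen(label) + 2 > outsz)
        return -1;
    snprintf(out, outsz, "%s:%n", label, &col);
    return col;
}

/* Write LABEL once, then NVALUES values one per line, later lines padded
   so they line up under the first value.  Returns the column reported by
   "%n", or -1 if OUT is too small. */
int format_aligned(const char *label, const char *const *values,
                   size_t nvalues, char *out, size_t outsz)
{
    int col = column_after_label(label, out, outsz);
    if (col < 0)
        return -1;
    size_t used = (size_t)col;
    for (size_t i = 0; i < nvalues; i++) {
        /* Width 0 for the first value prints no padding; later values
           get `col` spaces so they start in the same column. */
        int n = snprintf(out + used, outsz - used, "%*s %s\n",
                         i == 0 ? 0 : col, "", values[i]);
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;
        used += (size_t)n;
    }
    return col;
}

int main(void)
{
    /* Constructed sample: a readelf-style header line with two values. */
    static const char *const values[] = { "0x401000", "(ELF64)" };
    char out[128];
    int col = format_aligned("Entry point address", values, 2,
                             out, sizeof out);
    printf("column %d\n%s", col, out);
    return col < 0;
}
```

Running the binary under a plain compiler prints the aligned lines; built with clang -fsanitize=memory and without check_printf, the read of `col` in column_after_label is the kind of access the sanitizer reports, even though the value is well defined.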
  

Comments

Mark Wielaard Feb. 7, 2023, 7:05 p.m. UTC | #1
Hi Ilya,

On Mon, Feb 06, 2023 at 11:25:02PM +0100, Ilya Leoshkevich via Elfutils-devel wrote:
> This series adds minimalistic support for Memory Sanitizer (MSan) [1].
> MSan is compiler instrumentation for detecting accesses to
> uninitialized memory.
> 
> The motivation behind this is to be able to link elfutils into projects
> instrumented with MSan, since it essentially requires all the code
> running in a process to be instrumented.

Interesting. For regular CI testing we do use ubsan, valgrind and/or
asan. So msan might not find many new issues in the elfutils code
itself. But being able to link the elfutils libraries instrumented with
msan against other projects built with msan might be very useful.

> The goal is to provide a setup where elfutils is linked only with zlib
> and most tests pass. Here is the description of the setup that I'm
> using:
> 
> - LLVM with argp_parse() instrumentation [2].
> 
> - zlib-ng instrumented with MSan:
> 
>   git clone git@github.com:zlib-ng/zlib-ng.git
>   cmake -DWITH_SANITIZER=Memory -DZLIB_COMPAT=ON -DWITH_GTEST=OFF \
>         -DCMAKE_C_COMPILER=clang -DCMAKE_INSTALL_PREFIX=/tmp/zlib-ng
>   make install
>   export CPATH=/tmp/zlib-ng/include
>   export LIBRARY_PATH=/tmp/zlib-ng/lib
> 
> - Hack: zlib is used by a lot of system utilities, so adding
>   MSan-instrumented zlib to LD_LIBRARY_PATH causes a lot of grief.
>   Let elfutils test infrastructure add it there only for running
>   tests:
> 
>   ln -s /tmp/zlib-ng/lib/libz.so.1 libelf/
> 
> - elfutils uses printf("%n"), so tweak MSan to unpoison the respective
>   arguments. Also disable fast unwinding to get better backtraces:
> 
>   export MSAN_OPTIONS=check_printf=1,fast_unwind_on_malloc=0
> 
> - Minimal configuration of elfutils instrumented with MSan:
> 
>   autoreconf -i
>   CC=clang ./configure --enable-maintainer-mode \
>                        --enable-sanitize-memory --without-bzlib \
>                        --without-lzma --without-zstd \
>                        --disable-debuginfod --disable-libdebuginfod \
>                        --disable-demangler

Aren't there instrumented versions of bzip2, lzma/xz and/or zstd?

Can't debuginfod and libdebuginfod be instrumented?

Is the demangler disabled because you don't link against (an
instrumented) libstdc++?

> Results:
> 
>   ============================================================================
>   Testsuite summary for elfutils 0.188
>   ============================================================================
>   # TOTAL: 235
>   # PASS:  221
>   # SKIP:  14
>   # XFAIL: 0
>   # FAIL:  0
>   # XPASS: 0
>   # ERROR: 0
>   ============================================================================

Very good.

> The patches take care of the following:
> 
> - Fixing clang build.

Yeah, it is a pity msan hasn't been integrated with gcc, we often find
issues with clang.

> - Adding small tweaks to get rid of false positives (no real issues
>   were found, most likely because elfutils is already tested with
>   valgrind).
> - Dealing with "-self" tests, which now see MSan runtime compiled
>   into elfutils binaries.
> - MSan enablement itself.
> 
> Ilya Leoshkevich (11):
>   libdwfl: Fix debuginfod_client redefinition
>   libasm: Fix xdefault_pattern initialization
>   printversion: Fix unused variable
>   readelf: Fix set but not used parameter
>   readelf: Fix set but not used variable
>   Initialize reglocs for VMCOREINFO
>   addr2line: Do not test demangling in run-addr2line-i-test.sh
>   x86_64_return_value_location: Support lvalue and rvalue references
>   configure: Use -fno-addrsig if possible
>   configure: Add --disable-demangle
>   configure: Add --enable-sanitize-memory

Thanks for splitting things out so nicely in separate patches.

Cheers,

Mark
  
Ilya Leoshkevich Feb. 7, 2023, 7:46 p.m. UTC | #2
On Tue, 2023-02-07 at 20:05 +0100, Mark Wielaard wrote:
> Hi Ilya,
> 
> On Mon, Feb 06, 2023 at 11:25:02PM +0100, Ilya Leoshkevich via
> Elfutils-devel wrote:
> > This series adds minimalistic support for Memory Sanitizer (MSan)
> > [1].
> > MSan is compiler instrumentation for detecting accesses to
> > uninitialized memory.

[...]

> > - Minimal configuration of elfutils instrumented with MSan:
> > 
> >   autoreconf -i
> >   CC=clang ./configure --enable-maintainer-mode \
> >                        --enable-sanitize-memory --without-bzlib \
> >                        --without-lzma --without-zstd \
> >                        --disable-debuginfod --disable-libdebuginfod
> > \
> >                        --disable-demangler
> 
> Aren't there instrumented versions of bzip2, lzma/xz and/or zstd?
> 
> Can't debuginfod and libdebuginfod be instrumented?
> 
> Is the demangler disabled because you don't link against (an
> instrumented) libstdc++?

I think with some effort instrumenting the dependencies is possible.
bzlib and lzma are not particularly large, and zstd should support
this out of the box. Regarding C++, an instrumented LLVM's libc++
should also just work. With all this, it should be possible to test
elfutils with MSan without disabling the extra functionality.

But since you already test with valgrind, I figured it would be highly
unlikely that I find new bugs, and decided to limit the scope here.
For my current purposes - linking elfutils into libbpf - this proved
to be enough.

[...]

Best regards,
Ilya