dead2 / stabilizer Goto Github PK

This is a list of suggested improvements that anyone can contribute to, I will try to keep it updated as we add/remove items.
Please try not to clutter this thread with replies related to the below. If need be you can open a new issue dedicated to discussing one of the points below.

Wanted improvements:

• Fix for SZ_STACK related crashes.
• Fix for SZ_CODE related crashes.
• Port to ARM/Aarch64.
• Port to S390.
• Port to Windows.
• More and better comments, especially useful in llvm-pass code that may be hard to follow and debug for beginners.
• Investigate whether pass/IntrinsicLibcalls.h needs additional Intrinsics added due to new ones having been added in later llvm versions. [1]
• Improved tests [2].
• Github Actions CI testing, preferably also running the tests on all supported platforms and architectures.

1: There is very little info about why these intrinsics are on the list and others are not, if you know the details then please create a PR with
improved comments to document this feature.

2: The current tests are not able to detect the Stack and Code crashes, and it is hard to determine whether the current tests actually passed or failed due to an abundance of hard-to-understand output.
An option to improve test understanding would be to change the project from hand-written makefiles to CMake and then utilize CTest.

It's great that you've decided to maintain this tool ❤️

I am interested in doing all the memory layout randomization from within an LLVM compiled application of my own. I write in Julia (a programming language compiled using LLVM), and we're discussing how we can make our benchmarking tools handle memory layout issues better. My idea is to call a function that does the randomization, between benchmark evaluations.

Is the randomization functionality nicely encapsulated within a single C++ function? If so, which one? If not, is it possible to make it so? Perhaps only some of the randomization is possible this way? Perhaps it isn't possible to shuffle code about while it's running?

Many thanks 🙏

Tested using:
Clang 12.0.1 (Fedora 12.0.1-1.fc34)
Built zlib-ng from develop branch and ran the resulting example (basic self-tests) binary.

export SZ_CODE=1 SZ_LINK=0 SZ_HEAP=0 SZ_STACK=0 SZ_CLEAN=1
cmake -DCMAKE_VERBOSE_MAKEFILE=ON -DWITH_BENCHMARKS=OFF -DWITH_GTEST=OFF -DWITH_OPTIM=OFF -DWITH_NEW_STRATEGIES=OFF -DCMAKE_C_COMPILER=/home/hansr/github/stabilizer/szcc -DCMAKE_C_FLAGS="-Wall -Wpedantic -g3 -ggdb -O0" .`

gdb ./example

Program received signal SIGSEGV, Segmentation fault.
main (argc=1, argv=0x7fffffffde58) at /home/hansr/github/zlib/zlib-ng/test/example.c:960
960         if (zVersion()[0] != myVersion[0]) {
=> 0x00000000004040e4 <main+20>:        ff 15 56 03 70 15       call   *0x15700356(%rip)        # 0x15b04440

This is the first line of actual code in main(), after variable definitions.

Did a little experiment to see whether adding a line above that with __asm__("nop"); would do anything at all.

#0  main (argc=1, argv=0x7fffffffde58) at /home/hansr/github/zlib/zlib-ng/test/example.c:962
962         if (zVersion()[0] != myVersion[0]) {
=> 0x00000000004040e5 <main+21>:        ff 15 55 00 3a a0       call   *-0x5fc5ffab(%rip)        # 0xffffffffa07a4140

Not much changed, but the call address seems to be very random, unless there is a bit pattern I am not seeing.

Seems to me like something is still quite wrong somewhere in the Stabilizer plugin pass when it comes to patching the call addresses.

Reproduceable using Clang 14.0.5 and zlib-ng develop snapshot (probably the same with any version of zlib-ng really).

export SZ_CODE=0 SZ_LINK=0 SZ_HEAP=0 SZ_STACK=1 SZ_CLEAN=1
cmake -DCMAKE_VERBOSE_MAKEFILE=ON -DWITH_BENCHMARKS=OFF -DCMAKE_C_COMPILER=/home/hansr/github/stabilizer/szcc -DCMAKE_CXX_COMPILER=/home/hansr/github/stabilizer/szcc++ -DCMAKE_C_FLAGS="-g" .

Can be reproduced about 80% of the time by running this:
ctest . -j 10 --exclude-regex "benchmark.*" --progress --output-on-failure

There are two tests that typically fail, sometimes only one of them and sometimes neither.

[  FAILED  ] 2 tests, listed below:
[  FAILED  ] deflate.concurrency
[  FAILED  ] deflate_quick.bi_valid

Not much details available:

[ RUN      ] deflate.concurrency
/home/hansr/github/zlib/zlib-ng/test/test_deflate_concurrency.cc:146: Failure
Expected equality of these values:
  0
  err
    Which is: -3
invalid stored block lengths
[  FAILED  ] deflate.concurrency (476 ms)
[----------] 11 tests from deflate (481 ms total)

[----------] 2 tests from deflate_quick
[ RUN      ] deflate_quick.bi_valid
/home/hansr/github/zlib/zlib-ng/test/test_deflate_quick_bi_valid.cc:76: Failure
Expected equality of these values:
  err
    Which is: 0
  1
/home/hansr/github/zlib/zlib-ng/test/test_deflate_quick_bi_valid.cc:79: Failure
Expected equality of these values:
  err
    Which is: -3
  0
[  FAILED  ] deflate_quick.bi_valid (0 ms)

Interesting that only these two tests repeatedly fails when we compile with -g, but none of the other 61 tests fail.
minigzip also fails, but less often, around 5-10% chance it seems like, at least on quite big files.

Note: SZ_CODE also fails 53/63 tests if enabled, but that seems to be an unrelated bug. I need to look at how to narrow that down to a cause.

I have no MRE, but example binary from zlib-ng crushes because of that.

It turns out in some cases access to a TLS variable can generate an IP relative call on the backend, which of course breaks if the function was relocated at runtime. Since it happens on the compiler backend I don't know how to distinguish cases when stabilizer should keep access to a TLS variable intact and when to replace it.

As always we can replace all accesses to TLS variables with a call to a non-relocatable helper function.

This thread is for tracking information related to the crash on application-startup when SZ_CODE is enabled.

If anyone wants to have a go at fixing this bug, please contribute any additional information that can be useful in fixing this bug.

I suspect that this bug is somewhere in pass/Stabilizer.cpp, where the related llvm pass integration is.

Hi, I saw this fork from the original stabilizer repo and is very interested in it. I wanted to know how much a difference does this make for modern hardware with much larger cache size, more associative ways and better hardware prefetcher. Putting some figures in the readme can help others know that whether this is still important nowadays and attract others to contribute.

I checked ldconfig sources and I see no way to register LLVMStabilizer.so as a system library. In my opinion it is desirable to do so and get rid of the absolute path in opt -load command.

Right now the absolute path defined here: https://github.com/magras/stabilizer/blob/115c2f78288df717411e1fff641d1d5fb8edcdfb/szcc#L272

This is another step towards packaging stabilizer.

Code randomization breaks exception handling:

int main() {
    try { throw 42; }
    catch (int) {}
}

$ SZ_CODE=1 SZ_LOWER=1 szcc++ exception.cpp

...
LandingPadInst not the first non-PHI instruction in the block.
  %7 = landingpad { i8*, i32 }
          catch i8* %.indirect1
in function stabilizer_main
LLVM ERROR: Broken function found, compilation aborted!
...

I don't think that it is a good idea to check existence of clang at the same path. It makes impossible to install szcc to a system dir.

Stabilizer's relocation table consists of constants, so it should be possible to reuse values loaded from it. And in an ideal world duplicate calls to pure functions (readnone) should be merged too. This should reduce the impact of stabilizer on performance.

This thread is for tracking information related to the random crashes occuring when SZ_STACK is enabled.
If anyone wants to have a go at fixing this bug, please contribute any additional information that can be useful in fixing this bug.

I suspect that this bug is somewhere in pass/Stabilizer.cpp, where the related llvm pass integration is.