aboutsummaryrefslogtreecommitdiffstats
path: root/lib/gwp_asan
diff options
context:
space:
mode:
Diffstat (limited to 'lib/gwp_asan')
-rw-r--r--lib/gwp_asan/definitions.h29
-rw-r--r--lib/gwp_asan/guarded_pool_allocator.cpp510
-rw-r--r--lib/gwp_asan/guarded_pool_allocator.h265
-rw-r--r--lib/gwp_asan/mutex.h50
-rw-r--r--lib/gwp_asan/optional/backtrace.h23
-rw-r--r--lib/gwp_asan/optional/backtrace_linux_libc.cpp64
-rw-r--r--lib/gwp_asan/optional/backtrace_sanitizer_common.cpp69
-rw-r--r--lib/gwp_asan/optional/options_parser.cpp93
-rw-r--r--lib/gwp_asan/optional/options_parser.h31
-rw-r--r--lib/gwp_asan/options.h59
-rw-r--r--lib/gwp_asan/options.inc41
-rw-r--r--lib/gwp_asan/platform_specific/guarded_pool_allocator_posix.cpp96
-rw-r--r--lib/gwp_asan/platform_specific/mutex_posix.cpp30
-rw-r--r--lib/gwp_asan/random.cpp23
-rw-r--r--lib/gwp_asan/random.h20
15 files changed, 1403 insertions, 0 deletions
diff --git a/lib/gwp_asan/definitions.h b/lib/gwp_asan/definitions.h
new file mode 100644
index 000000000000..1190adbd4f4f
--- /dev/null
+++ b/lib/gwp_asan/definitions.h
@@ -0,0 +1,29 @@
+//===-- gwp_asan_definitions.h ----------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_DEFINITIONS_H_
+#define GWP_ASAN_DEFINITIONS_H_
+
+#define TLS_INITIAL_EXEC __thread __attribute__((tls_model("initial-exec")))
+
+#ifdef LIKELY
+# undef LIKELY
+#endif // defined(LIKELY)
+#define LIKELY(X) __builtin_expect(!!(X), 1)
+
+#ifdef UNLIKELY
+# undef UNLIKELY
+#endif // defined(UNLIKELY)
+#define UNLIKELY(X) __builtin_expect(!!(X), 0)
+
+#ifdef ALWAYS_INLINE
+# undef ALWAYS_INLINE
+#endif // defined(ALWAYS_INLINE)
+#define ALWAYS_INLINE inline __attribute__((always_inline))
+
+#endif // GWP_ASAN_DEFINITIONS_H_
diff --git a/lib/gwp_asan/guarded_pool_allocator.cpp b/lib/gwp_asan/guarded_pool_allocator.cpp
new file mode 100644
index 000000000000..7e3628eba6ff
--- /dev/null
+++ b/lib/gwp_asan/guarded_pool_allocator.cpp
@@ -0,0 +1,510 @@
+//===-- guarded_pool_allocator.cpp ------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "gwp_asan/guarded_pool_allocator.h"
+
+#include "gwp_asan/options.h"
+
+// RHEL creates the PRIu64 format macro (for printing uint64_t's) only when this
+// macro is defined before including <inttypes.h>.
+#ifndef __STDC_FORMAT_MACROS
+ #define __STDC_FORMAT_MACROS 1
+#endif
+
+#include <assert.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <time.h>
+
+using AllocationMetadata = gwp_asan::GuardedPoolAllocator::AllocationMetadata;
+using Error = gwp_asan::GuardedPoolAllocator::Error;
+
+namespace gwp_asan {
+namespace {
+// Forward declare the pointer to the singleton version of this class.
+// Instantiated during initialisation, this allows the signal handler
+// to find this class in order to deduce the root cause of failures. Must not be
+// referenced by users outside this translation unit, in order to avoid
+// init-order-fiasco.
+GuardedPoolAllocator *SingletonPtr = nullptr;
+
+class ScopedBoolean {
+public:
+ ScopedBoolean(bool &B) : Bool(B) { Bool = true; }
+ ~ScopedBoolean() { Bool = false; }
+
+private:
+ bool &Bool;
+};
+
+void defaultPrintStackTrace(uintptr_t *Trace, options::Printf_t Printf) {
+ if (Trace[0] == 0)
+ Printf(" <unknown (does your allocator support backtracing?)>\n");
+
+ for (size_t i = 0; Trace[i] != 0; ++i) {
+ Printf(" #%zu 0x%zx in <unknown>\n", i, Trace[i]);
+ }
+ Printf("\n");
+}
+} // anonymous namespace
+
+// Gets the singleton implementation of this class. Thread-compatible until
+// init() is called, thread-safe afterwards.
+GuardedPoolAllocator *getSingleton() { return SingletonPtr; }
+
+void GuardedPoolAllocator::AllocationMetadata::RecordAllocation(
+ uintptr_t AllocAddr, size_t AllocSize, options::Backtrace_t Backtrace) {
+ Addr = AllocAddr;
+ Size = AllocSize;
+ IsDeallocated = false;
+
+ // TODO(hctim): Ask the caller to provide the thread ID, so we don't waste
+ // other thread's time getting the thread ID under lock.
+ AllocationTrace.ThreadID = getThreadID();
+ DeallocationTrace.ThreadID = kInvalidThreadID;
+ if (Backtrace)
+ Backtrace(AllocationTrace.Trace, kMaximumStackFrames);
+ else
+ AllocationTrace.Trace[0] = 0;
+ DeallocationTrace.Trace[0] = 0;
+}
+
+void GuardedPoolAllocator::AllocationMetadata::RecordDeallocation(
+ options::Backtrace_t Backtrace) {
+ IsDeallocated = true;
+ // Ensure that the unwinder is not called if the recursive flag is set,
+ // otherwise non-reentrant unwinders may deadlock.
+ if (Backtrace && !ThreadLocals.RecursiveGuard) {
+ ScopedBoolean B(ThreadLocals.RecursiveGuard);
+ Backtrace(DeallocationTrace.Trace, kMaximumStackFrames);
+ } else {
+ DeallocationTrace.Trace[0] = 0;
+ }
+ DeallocationTrace.ThreadID = getThreadID();
+}
+
+void GuardedPoolAllocator::init(const options::Options &Opts) {
+ // Note: We return from the constructor here if GWP-ASan is not available.
+ // This will stop heap-allocation of class members, as well as mmap() of the
+ // guarded slots.
+ if (!Opts.Enabled || Opts.SampleRate == 0 ||
+ Opts.MaxSimultaneousAllocations == 0)
+ return;
+
+ // TODO(hctim): Add a death unit test for this.
+ if (SingletonPtr) {
+ (*SingletonPtr->Printf)(
+ "GWP-ASan Error: init() has already been called.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (Opts.SampleRate < 0) {
+ Opts.Printf("GWP-ASan Error: SampleRate is < 0.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (Opts.SampleRate > INT32_MAX) {
+ Opts.Printf("GWP-ASan Error: SampleRate is > 2^31.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (Opts.MaxSimultaneousAllocations < 0) {
+ Opts.Printf("GWP-ASan Error: MaxSimultaneousAllocations is < 0.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ SingletonPtr = this;
+
+ MaxSimultaneousAllocations = Opts.MaxSimultaneousAllocations;
+
+ PageSize = getPlatformPageSize();
+
+ PerfectlyRightAlign = Opts.PerfectlyRightAlign;
+ Printf = Opts.Printf;
+ Backtrace = Opts.Backtrace;
+ if (Opts.PrintBacktrace)
+ PrintBacktrace = Opts.PrintBacktrace;
+ else
+ PrintBacktrace = defaultPrintStackTrace;
+
+ size_t PoolBytesRequired =
+ PageSize * (1 + MaxSimultaneousAllocations) +
+ MaxSimultaneousAllocations * maximumAllocationSize();
+ void *GuardedPoolMemory = mapMemory(PoolBytesRequired);
+
+ size_t BytesRequired = MaxSimultaneousAllocations * sizeof(*Metadata);
+ Metadata = reinterpret_cast<AllocationMetadata *>(mapMemory(BytesRequired));
+ markReadWrite(Metadata, BytesRequired);
+
+ // Allocate memory and set up the free pages queue.
+ BytesRequired = MaxSimultaneousAllocations * sizeof(*FreeSlots);
+ FreeSlots = reinterpret_cast<size_t *>(mapMemory(BytesRequired));
+ markReadWrite(FreeSlots, BytesRequired);
+
+ // Multiply the sample rate by 2 to give a good, fast approximation for (1 /
+ // SampleRate) chance of sampling.
+ if (Opts.SampleRate != 1)
+ AdjustedSampleRate = static_cast<uint32_t>(Opts.SampleRate) * 2;
+ else
+ AdjustedSampleRate = 1;
+
+ GuardedPagePool = reinterpret_cast<uintptr_t>(GuardedPoolMemory);
+ GuardedPagePoolEnd =
+ reinterpret_cast<uintptr_t>(GuardedPoolMemory) + PoolBytesRequired;
+
+ // Ensure that signal handlers are installed as late as possible, as the class
+ // is not thread-safe until init() is finished, and thus a SIGSEGV may cause a
+ // race to members if recieved during init().
+ if (Opts.InstallSignalHandlers)
+ installSignalHandlers();
+}
+
+void *GuardedPoolAllocator::allocate(size_t Size) {
+ // GuardedPagePoolEnd == 0 when GWP-ASan is disabled. If we are disabled, fall
+ // back to the supporting allocator.
+ if (GuardedPagePoolEnd == 0)
+ return nullptr;
+
+ // Protect against recursivity.
+ if (ThreadLocals.RecursiveGuard)
+ return nullptr;
+ ScopedBoolean SB(ThreadLocals.RecursiveGuard);
+
+ if (Size == 0 || Size > maximumAllocationSize())
+ return nullptr;
+
+ size_t Index;
+ {
+ ScopedLock L(PoolMutex);
+ Index = reserveSlot();
+ }
+
+ if (Index == kInvalidSlotID)
+ return nullptr;
+
+ uintptr_t Ptr = slotToAddr(Index);
+ Ptr += allocationSlotOffset(Size);
+ AllocationMetadata *Meta = addrToMetadata(Ptr);
+
+ // If a slot is multiple pages in size, and the allocation takes up a single
+ // page, we can improve overflow detection by leaving the unused pages as
+ // unmapped.
+ markReadWrite(reinterpret_cast<void *>(getPageAddr(Ptr)), Size);
+
+ Meta->RecordAllocation(Ptr, Size, Backtrace);
+
+ return reinterpret_cast<void *>(Ptr);
+}
+
+void GuardedPoolAllocator::deallocate(void *Ptr) {
+ assert(pointerIsMine(Ptr) && "Pointer is not mine!");
+ uintptr_t UPtr = reinterpret_cast<uintptr_t>(Ptr);
+ uintptr_t SlotStart = slotToAddr(addrToSlot(UPtr));
+ AllocationMetadata *Meta = addrToMetadata(UPtr);
+ if (Meta->Addr != UPtr) {
+ reportError(UPtr, Error::INVALID_FREE);
+ exit(EXIT_FAILURE);
+ }
+
+ // Intentionally scope the mutex here, so that other threads can access the
+ // pool during the expensive markInaccessible() call.
+ {
+ ScopedLock L(PoolMutex);
+ if (Meta->IsDeallocated) {
+ reportError(UPtr, Error::DOUBLE_FREE);
+ exit(EXIT_FAILURE);
+ }
+
+ // Ensure that the deallocation is recorded before marking the page as
+ // inaccessible. Otherwise, a racy use-after-free will have inconsistent
+ // metadata.
+ Meta->RecordDeallocation(Backtrace);
+ }
+
+ markInaccessible(reinterpret_cast<void *>(SlotStart),
+ maximumAllocationSize());
+
+ // And finally, lock again to release the slot back into the pool.
+ ScopedLock L(PoolMutex);
+ freeSlot(addrToSlot(UPtr));
+}
+
+size_t GuardedPoolAllocator::getSize(const void *Ptr) {
+ assert(pointerIsMine(Ptr));
+ ScopedLock L(PoolMutex);
+ AllocationMetadata *Meta = addrToMetadata(reinterpret_cast<uintptr_t>(Ptr));
+ assert(Meta->Addr == reinterpret_cast<uintptr_t>(Ptr));
+ return Meta->Size;
+}
+
+size_t GuardedPoolAllocator::maximumAllocationSize() const { return PageSize; }
+
+AllocationMetadata *GuardedPoolAllocator::addrToMetadata(uintptr_t Ptr) const {
+ return &Metadata[addrToSlot(Ptr)];
+}
+
+size_t GuardedPoolAllocator::addrToSlot(uintptr_t Ptr) const {
+ assert(pointerIsMine(reinterpret_cast<void *>(Ptr)));
+ size_t ByteOffsetFromPoolStart = Ptr - GuardedPagePool;
+ return ByteOffsetFromPoolStart / (maximumAllocationSize() + PageSize);
+}
+
+uintptr_t GuardedPoolAllocator::slotToAddr(size_t N) const {
+ return GuardedPagePool + (PageSize * (1 + N)) + (maximumAllocationSize() * N);
+}
+
+uintptr_t GuardedPoolAllocator::getPageAddr(uintptr_t Ptr) const {
+ assert(pointerIsMine(reinterpret_cast<void *>(Ptr)));
+ return Ptr & ~(static_cast<uintptr_t>(PageSize) - 1);
+}
+
+bool GuardedPoolAllocator::isGuardPage(uintptr_t Ptr) const {
+ assert(pointerIsMine(reinterpret_cast<void *>(Ptr)));
+ size_t PageOffsetFromPoolStart = (Ptr - GuardedPagePool) / PageSize;
+ size_t PagesPerSlot = maximumAllocationSize() / PageSize;
+ return (PageOffsetFromPoolStart % (PagesPerSlot + 1)) == 0;
+}
+
+size_t GuardedPoolAllocator::reserveSlot() {
+ // Avoid potential reuse of a slot before we have made at least a single
+ // allocation in each slot. Helps with our use-after-free detection.
+ if (NumSampledAllocations < MaxSimultaneousAllocations)
+ return NumSampledAllocations++;
+
+ if (FreeSlotsLength == 0)
+ return kInvalidSlotID;
+
+ size_t ReservedIndex = getRandomUnsigned32() % FreeSlotsLength;
+ size_t SlotIndex = FreeSlots[ReservedIndex];
+ FreeSlots[ReservedIndex] = FreeSlots[--FreeSlotsLength];
+ return SlotIndex;
+}
+
+void GuardedPoolAllocator::freeSlot(size_t SlotIndex) {
+ assert(FreeSlotsLength < MaxSimultaneousAllocations);
+ FreeSlots[FreeSlotsLength++] = SlotIndex;
+}
+
+uintptr_t GuardedPoolAllocator::allocationSlotOffset(size_t Size) const {
+ assert(Size > 0);
+
+ bool ShouldRightAlign = getRandomUnsigned32() % 2 == 0;
+ if (!ShouldRightAlign)
+ return 0;
+
+ uintptr_t Offset = maximumAllocationSize();
+ if (!PerfectlyRightAlign) {
+ if (Size == 3)
+ Size = 4;
+ else if (Size > 4 && Size <= 8)
+ Size = 8;
+ else if (Size > 8 && (Size % 16) != 0)
+ Size += 16 - (Size % 16);
+ }
+ Offset -= Size;
+ return Offset;
+}
+
+void GuardedPoolAllocator::reportError(uintptr_t AccessPtr, Error E) {
+ if (SingletonPtr)
+ SingletonPtr->reportErrorInternal(AccessPtr, E);
+}
+
+size_t GuardedPoolAllocator::getNearestSlot(uintptr_t Ptr) const {
+ if (Ptr <= GuardedPagePool + PageSize)
+ return 0;
+ if (Ptr > GuardedPagePoolEnd - PageSize)
+ return MaxSimultaneousAllocations - 1;
+
+ if (!isGuardPage(Ptr))
+ return addrToSlot(Ptr);
+
+ if (Ptr % PageSize <= PageSize / 2)
+ return addrToSlot(Ptr - PageSize); // Round down.
+ return addrToSlot(Ptr + PageSize); // Round up.
+}
+
+Error GuardedPoolAllocator::diagnoseUnknownError(uintptr_t AccessPtr,
+ AllocationMetadata **Meta) {
+ // Let's try and figure out what the source of this error is.
+ if (isGuardPage(AccessPtr)) {
+ size_t Slot = getNearestSlot(AccessPtr);
+ AllocationMetadata *SlotMeta = addrToMetadata(slotToAddr(Slot));
+
+ // Ensure that this slot was allocated once upon a time.
+ if (!SlotMeta->Addr)
+ return Error::UNKNOWN;
+ *Meta = SlotMeta;
+
+ if (SlotMeta->Addr < AccessPtr)
+ return Error::BUFFER_OVERFLOW;
+ return Error::BUFFER_UNDERFLOW;
+ }
+
+ // Access wasn't a guard page, check for use-after-free.
+ AllocationMetadata *SlotMeta = addrToMetadata(AccessPtr);
+ if (SlotMeta->IsDeallocated) {
+ *Meta = SlotMeta;
+ return Error::USE_AFTER_FREE;
+ }
+
+ // If we have reached here, the error is still unknown. There is no metadata
+ // available.
+ *Meta = nullptr;
+ return Error::UNKNOWN;
+}
+
+namespace {
+// Prints the provided error and metadata information.
+void printErrorType(Error E, uintptr_t AccessPtr, AllocationMetadata *Meta,
+ options::Printf_t Printf, uint64_t ThreadID) {
+ // Print using intermediate strings. Platforms like Android don't like when
+ // you print multiple times to the same line, as there may be a newline
+ // appended to a log file automatically per Printf() call.
+ const char *ErrorString;
+ switch (E) {
+ case Error::UNKNOWN:
+ ErrorString = "GWP-ASan couldn't automatically determine the source of "
+ "the memory error. It was likely caused by a wild memory "
+ "access into the GWP-ASan pool. The error occured";
+ break;
+ case Error::USE_AFTER_FREE:
+ ErrorString = "Use after free";
+ break;
+ case Error::DOUBLE_FREE:
+ ErrorString = "Double free";
+ break;
+ case Error::INVALID_FREE:
+ ErrorString = "Invalid (wild) free";
+ break;
+ case Error::BUFFER_OVERFLOW:
+ ErrorString = "Buffer overflow";
+ break;
+ case Error::BUFFER_UNDERFLOW:
+ ErrorString = "Buffer underflow";
+ break;
+ }
+
+ constexpr size_t kDescriptionBufferLen = 128;
+ char DescriptionBuffer[kDescriptionBufferLen];
+ if (Meta) {
+ if (E == Error::USE_AFTER_FREE) {
+ snprintf(DescriptionBuffer, kDescriptionBufferLen,
+ "(%zu byte%s into a %zu-byte allocation at 0x%zx)",
+ AccessPtr - Meta->Addr, (AccessPtr - Meta->Addr == 1) ? "" : "s",
+ Meta->Size, Meta->Addr);
+ } else if (AccessPtr < Meta->Addr) {
+ snprintf(DescriptionBuffer, kDescriptionBufferLen,
+ "(%zu byte%s to the left of a %zu-byte allocation at 0x%zx)",
+ Meta->Addr - AccessPtr, (Meta->Addr - AccessPtr == 1) ? "" : "s",
+ Meta->Size, Meta->Addr);
+ } else if (AccessPtr > Meta->Addr) {
+ snprintf(DescriptionBuffer, kDescriptionBufferLen,
+ "(%zu byte%s to the right of a %zu-byte allocation at 0x%zx)",
+ AccessPtr - Meta->Addr, (AccessPtr - Meta->Addr == 1) ? "" : "s",
+ Meta->Size, Meta->Addr);
+ } else {
+ snprintf(DescriptionBuffer, kDescriptionBufferLen,
+ "(a %zu-byte allocation)", Meta->Size);
+ }
+ }
+
+ // Possible number of digits of a 64-bit number: ceil(log10(2^64)) == 20. Add
+ // a null terminator, and round to the nearest 8-byte boundary.
+ constexpr size_t kThreadBufferLen = 24;
+ char ThreadBuffer[kThreadBufferLen];
+ if (ThreadID == GuardedPoolAllocator::kInvalidThreadID)
+ snprintf(ThreadBuffer, kThreadBufferLen, "<unknown>");
+ else
+ snprintf(ThreadBuffer, kThreadBufferLen, "%" PRIu64, ThreadID);
+
+ Printf("%s at 0x%zx %s by thread %s here:\n", ErrorString, AccessPtr,
+ DescriptionBuffer, ThreadBuffer);
+}
+
+void printAllocDeallocTraces(uintptr_t AccessPtr, AllocationMetadata *Meta,
+ options::Printf_t Printf,
+ options::PrintBacktrace_t PrintBacktrace) {
+ assert(Meta != nullptr && "Metadata is non-null for printAllocDeallocTraces");
+
+ if (Meta->IsDeallocated) {
+ if (Meta->DeallocationTrace.ThreadID ==
+ GuardedPoolAllocator::kInvalidThreadID)
+ Printf("0x%zx was deallocated by thread <unknown> here:\n", AccessPtr);
+ else
+ Printf("0x%zx was deallocated by thread %zu here:\n", AccessPtr,
+ Meta->DeallocationTrace.ThreadID);
+
+ PrintBacktrace(Meta->DeallocationTrace.Trace, Printf);
+ }
+
+ if (Meta->AllocationTrace.ThreadID == GuardedPoolAllocator::kInvalidThreadID)
+ Printf("0x%zx was allocated by thread <unknown> here:\n", Meta->Addr);
+ else
+ Printf("0x%zx was allocated by thread %zu here:\n", Meta->Addr,
+ Meta->AllocationTrace.ThreadID);
+
+ PrintBacktrace(Meta->AllocationTrace.Trace, Printf);
+}
+
+struct ScopedEndOfReportDecorator {
+ ScopedEndOfReportDecorator(options::Printf_t Printf) : Printf(Printf) {}
+ ~ScopedEndOfReportDecorator() { Printf("*** End GWP-ASan report ***\n"); }
+ options::Printf_t Printf;
+};
+} // anonymous namespace
+
+void GuardedPoolAllocator::reportErrorInternal(uintptr_t AccessPtr, Error E) {
+ if (!pointerIsMine(reinterpret_cast<void *>(AccessPtr))) {
+ return;
+ }
+
+ // Attempt to prevent races to re-use the same slot that triggered this error.
+ // This does not guarantee that there are no races, because another thread can
+ // take the locks during the time that the signal handler is being called.
+ PoolMutex.tryLock();
+ ThreadLocals.RecursiveGuard = true;
+
+ Printf("*** GWP-ASan detected a memory error ***\n");
+ ScopedEndOfReportDecorator Decorator(Printf);
+
+ AllocationMetadata *Meta = nullptr;
+
+ if (E == Error::UNKNOWN) {
+ E = diagnoseUnknownError(AccessPtr, &Meta);
+ } else {
+ size_t Slot = getNearestSlot(AccessPtr);
+ Meta = addrToMetadata(slotToAddr(Slot));
+ // Ensure that this slot has been previously allocated.
+ if (!Meta->Addr)
+ Meta = nullptr;
+ }
+
+ // Print the error information.
+ uint64_t ThreadID = getThreadID();
+ printErrorType(E, AccessPtr, Meta, Printf, ThreadID);
+ if (Backtrace) {
+ static constexpr unsigned kMaximumStackFramesForCrashTrace = 128;
+ uintptr_t Trace[kMaximumStackFramesForCrashTrace];
+ Backtrace(Trace, kMaximumStackFramesForCrashTrace);
+
+ PrintBacktrace(Trace, Printf);
+ } else {
+ Printf(" <unknown (does your allocator support backtracing?)>\n\n");
+ }
+
+ if (Meta)
+ printAllocDeallocTraces(AccessPtr, Meta, Printf, PrintBacktrace);
+}
+
+TLS_INITIAL_EXEC
+GuardedPoolAllocator::ThreadLocalPackedVariables
+ GuardedPoolAllocator::ThreadLocals;
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/guarded_pool_allocator.h b/lib/gwp_asan/guarded_pool_allocator.h
new file mode 100644
index 000000000000..28a41110faed
--- /dev/null
+++ b/lib/gwp_asan/guarded_pool_allocator.h
@@ -0,0 +1,265 @@
+//===-- guarded_pool_allocator.h --------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_
+#define GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_
+
+#include "gwp_asan/definitions.h"
+#include "gwp_asan/mutex.h"
+#include "gwp_asan/options.h"
+#include "gwp_asan/random.h"
+
+#include <stddef.h>
+#include <stdint.h>
+
+namespace gwp_asan {
+// This class is the primary implementation of the allocator portion of GWP-
+// ASan. It is the sole owner of the pool of sequentially allocated guarded
+// slots. It should always be treated as a singleton.
+
+// Functions in the public interface of this class are thread-compatible until
+// init() is called, at which point they become thread-safe (unless specified
+// otherwise).
+class GuardedPoolAllocator {
+public:
+ static constexpr uint64_t kInvalidThreadID = UINT64_MAX;
+
+ enum class Error {
+ UNKNOWN,
+ USE_AFTER_FREE,
+ DOUBLE_FREE,
+ INVALID_FREE,
+ BUFFER_OVERFLOW,
+ BUFFER_UNDERFLOW
+ };
+
+ struct AllocationMetadata {
+ // Maximum number of stack trace frames to collect for allocations + frees.
+ // TODO(hctim): Implement stack frame compression, a-la Chromium.
+ static constexpr size_t kMaximumStackFrames = 64;
+
+ // Records the given allocation metadata into this struct.
+ void RecordAllocation(uintptr_t Addr, size_t Size,
+ options::Backtrace_t Backtrace);
+
+ // Record that this allocation is now deallocated.
+ void RecordDeallocation(options::Backtrace_t Backtrace);
+
+ struct CallSiteInfo {
+ // The backtrace to the allocation/deallocation. If the first value is
+ // zero, we did not collect a trace.
+ uintptr_t Trace[kMaximumStackFrames] = {};
+ // The thread ID for this trace, or kInvalidThreadID if not available.
+ uint64_t ThreadID = kInvalidThreadID;
+ };
+
+ // The address of this allocation.
+ uintptr_t Addr = 0;
+ // Represents the actual size of the allocation.
+ size_t Size = 0;
+
+ CallSiteInfo AllocationTrace;
+ CallSiteInfo DeallocationTrace;
+
+ // Whether this allocation has been deallocated yet.
+ bool IsDeallocated = false;
+ };
+
+ // During program startup, we must ensure that memory allocations do not land
+ // in this allocation pool if the allocator decides to runtime-disable
+ // GWP-ASan. The constructor value-initialises the class such that if no
+ // further initialisation takes place, calls to shouldSample() and
+ // pointerIsMine() will return false.
+ constexpr GuardedPoolAllocator(){};
+ GuardedPoolAllocator(const GuardedPoolAllocator &) = delete;
+ GuardedPoolAllocator &operator=(const GuardedPoolAllocator &) = delete;
+
+ // Note: This class is expected to be a singleton for the lifetime of the
+ // program. If this object is initialised, it will leak the guarded page pool
+ // and metadata allocations during destruction. We can't clean up these areas
+ // as this may cause a use-after-free on shutdown.
+ ~GuardedPoolAllocator() = default;
+
+ // Initialise the rest of the members of this class. Create the allocation
+ // pool using the provided options. See options.inc for runtime configuration
+ // options.
+ void init(const options::Options &Opts);
+
+ // Return whether the allocation should be randomly chosen for sampling.
+ ALWAYS_INLINE bool shouldSample() {
+ // NextSampleCounter == 0 means we "should regenerate the counter".
+ // == 1 means we "should sample this allocation".
+ if (UNLIKELY(ThreadLocals.NextSampleCounter == 0))
+ ThreadLocals.NextSampleCounter =
+ (getRandomUnsigned32() % AdjustedSampleRate) + 1;
+
+ return UNLIKELY(--ThreadLocals.NextSampleCounter == 0);
+ }
+
+ // Returns whether the provided pointer is a current sampled allocation that
+ // is owned by this pool.
+ ALWAYS_INLINE bool pointerIsMine(const void *Ptr) const {
+ uintptr_t P = reinterpret_cast<uintptr_t>(Ptr);
+ return GuardedPagePool <= P && P < GuardedPagePoolEnd;
+ }
+
+ // Allocate memory in a guarded slot, and return a pointer to the new
+ // allocation. Returns nullptr if the pool is empty, the requested size is too
+ // large for this pool to handle, or the requested size is zero.
+ void *allocate(size_t Size);
+
+ // Deallocate memory in a guarded slot. The provided pointer must have been
+ // allocated using this pool. This will set the guarded slot as inaccessible.
+ void deallocate(void *Ptr);
+
+ // Returns the size of the allocation at Ptr.
+ size_t getSize(const void *Ptr);
+
+ // Returns the largest allocation that is supported by this pool. Any
+ // allocations larger than this should go to the regular system allocator.
+ size_t maximumAllocationSize() const;
+
+ // Dumps an error report (including allocation and deallocation stack traces).
+ // An optional error may be provided if the caller knows what the error is
+ // ahead of time. This is primarily a helper function to locate the static
+ // singleton pointer and call the internal version of this function. This
+ // method is never thread safe, and should only be called when fatal errors
+ // occur.
+ static void reportError(uintptr_t AccessPtr, Error E = Error::UNKNOWN);
+
+ // Get the current thread ID, or kInvalidThreadID if failure. Note: This
+ // implementation is platform-specific.
+ static uint64_t getThreadID();
+
+private:
+ static constexpr size_t kInvalidSlotID = SIZE_MAX;
+
+ // These functions anonymously map memory or change the permissions of mapped
+ // memory into this process in a platform-specific way. Pointer and size
+ // arguments are expected to be page-aligned. These functions will never
+ // return on error, instead electing to kill the calling process on failure.
+ // Note that memory is initially mapped inaccessible. In order for RW
+ // mappings, call mapMemory() followed by markReadWrite() on the returned
+ // pointer.
+ void *mapMemory(size_t Size) const;
+ void markReadWrite(void *Ptr, size_t Size) const;
+ void markInaccessible(void *Ptr, size_t Size) const;
+
+ // Get the page size from the platform-specific implementation. Only needs to
+ // be called once, and the result should be cached in PageSize in this class.
+ static size_t getPlatformPageSize();
+
+ // Install the SIGSEGV crash handler for printing use-after-free and heap-
+ // buffer-{under|over}flow exceptions. This is platform specific as even
+ // though POSIX and Windows both support registering handlers through
+ // signal(), we have to use platform-specific signal handlers to obtain the
+ // address that caused the SIGSEGV exception.
+ static void installSignalHandlers();
+
+ // Returns the index of the slot that this pointer resides in. If the pointer
+ // is not owned by this pool, the result is undefined.
+ size_t addrToSlot(uintptr_t Ptr) const;
+
+ // Returns the address of the N-th guarded slot.
+ uintptr_t slotToAddr(size_t N) const;
+
+ // Returns a pointer to the metadata for the owned pointer. If the pointer is
+ // not owned by this pool, the result is undefined.
+ AllocationMetadata *addrToMetadata(uintptr_t Ptr) const;
+
+ // Returns the address of the page that this pointer resides in.
+ uintptr_t getPageAddr(uintptr_t Ptr) const;
+
+ // Gets the nearest slot to the provided address.
+ size_t getNearestSlot(uintptr_t Ptr) const;
+
+ // Returns whether the provided pointer is a guard page or not. The pointer
+ // must be within memory owned by this pool, else the result is undefined.
+ bool isGuardPage(uintptr_t Ptr) const;
+
+ // Reserve a slot for a new guarded allocation. Returns kInvalidSlotID if no
+ // slot is available to be reserved.
+ size_t reserveSlot();
+
+ // Unreserve the guarded slot.
+ void freeSlot(size_t SlotIndex);
+
+ // Returns the offset (in bytes) between the start of a guarded slot and where
+ // the start of the allocation should take place. Determined using the size of
+ // the allocation and the options provided at init-time.
+ uintptr_t allocationSlotOffset(size_t AllocationSize) const;
+
+ // Returns the diagnosis for an unknown error. If the diagnosis is not
+ // Error::INVALID_FREE or Error::UNKNOWN, the metadata for the slot
+ // responsible for the error is placed in *Meta.
+ Error diagnoseUnknownError(uintptr_t AccessPtr, AllocationMetadata **Meta);
+
+ void reportErrorInternal(uintptr_t AccessPtr, Error E);
+
+ // Cached page size for this system in bytes.
+ size_t PageSize = 0;
+
+ // A mutex to protect the guarded slot and metadata pool for this class.
+ Mutex PoolMutex;
+ // The number of guarded slots that this pool holds.
+ size_t MaxSimultaneousAllocations = 0;
+ // Record the number allocations that we've sampled. We store this amount so
+ // that we don't randomly choose to recycle a slot that previously had an
+ // allocation before all the slots have been utilised.
+ size_t NumSampledAllocations = 0;
+ // Pointer to the pool of guarded slots. Note that this points to the start of
+ // the pool (which is a guard page), not a pointer to the first guarded page.
+ uintptr_t GuardedPagePool = UINTPTR_MAX;
+ uintptr_t GuardedPagePoolEnd = 0;
+ // Pointer to the allocation metadata (allocation/deallocation stack traces),
+ // if any.
+ AllocationMetadata *Metadata = nullptr;
+
+ // Pointer to an array of free slot indexes.
+ size_t *FreeSlots = nullptr;
+ // The current length of the list of free slots.
+ size_t FreeSlotsLength = 0;
+
+ // See options.{h, inc} for more information.
+ bool PerfectlyRightAlign = false;
+
+ // Printf function supplied by the implementing allocator. We can't (in
+ // general) use printf() from the cstdlib as it may malloc(), causing infinite
+ // recursion.
+ options::Printf_t Printf = nullptr;
+ options::Backtrace_t Backtrace = nullptr;
+ options::PrintBacktrace_t PrintBacktrace = nullptr;
+
+ // The adjusted sample rate for allocation sampling. Default *must* be
+ // nonzero, as dynamic initialisation may call malloc (e.g. from libstdc++)
+ // before GPA::init() is called. This would cause an error in shouldSample(),
+ // where we would calculate modulo zero. This value is set UINT32_MAX, as when
+ // GWP-ASan is disabled, we wish to never spend wasted cycles recalculating
+ // the sample rate.
+ uint32_t AdjustedSampleRate = UINT32_MAX;
+
+ // Pack the thread local variables into a struct to ensure that they're in
+ // the same cache line for performance reasons. These are the most touched
+ // variables in GWP-ASan.
+ struct alignas(8) ThreadLocalPackedVariables {
+ constexpr ThreadLocalPackedVariables() {}
+ // Thread-local decrementing counter that indicates that a given allocation
+ // should be sampled when it reaches zero.
+ uint32_t NextSampleCounter = 0;
+ // Guard against recursivity. Unwinders often contain complex behaviour that
+ // may not be safe for the allocator (i.e. the unwinder calls dlopen(),
+ // which calls malloc()). When recursive behaviour is detected, we will
+ // automatically fall back to the supporting allocator to supply the
+ // allocation.
+ bool RecursiveGuard = false;
+ };
+ static TLS_INITIAL_EXEC ThreadLocalPackedVariables ThreadLocals;
+};
+} // namespace gwp_asan
+
+#endif // GWP_ASAN_GUARDED_POOL_ALLOCATOR_H_
diff --git a/lib/gwp_asan/mutex.h b/lib/gwp_asan/mutex.h
new file mode 100644
index 000000000000..c29df4cde164
--- /dev/null
+++ b/lib/gwp_asan/mutex.h
@@ -0,0 +1,50 @@
+//===-- mutex.h -------------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_MUTEX_H_
+#define GWP_ASAN_MUTEX_H_
+
+#ifdef __unix__
+#include <pthread.h>
+#else
+#error "GWP-ASan is not supported on this platform."
+#endif
+
+namespace gwp_asan {
+class Mutex {
+public:
+ constexpr Mutex() = default;
+ ~Mutex() = default;
+ Mutex(const Mutex &) = delete;
+ Mutex &operator=(const Mutex &) = delete;
+ // Lock the mutex.
+ void lock();
+ // Nonblocking trylock of the mutex. Returns true if the lock was acquired.
+ bool tryLock();
+ // Unlock the mutex.
+ void unlock();
+
+private:
+#ifdef __unix__
+ pthread_mutex_t Mu = PTHREAD_MUTEX_INITIALIZER;
+#endif // defined(__unix__)
+};
+
+class ScopedLock {
+public:
+ explicit ScopedLock(Mutex &Mx) : Mu(Mx) { Mu.lock(); }
+ ~ScopedLock() { Mu.unlock(); }
+ ScopedLock(const ScopedLock &) = delete;
+ ScopedLock &operator=(const ScopedLock &) = delete;
+
+private:
+ Mutex &Mu;
+};
+} // namespace gwp_asan
+
+#endif // GWP_ASAN_MUTEX_H_
diff --git a/lib/gwp_asan/optional/backtrace.h b/lib/gwp_asan/optional/backtrace.h
new file mode 100644
index 000000000000..2700970e5e8e
--- /dev/null
+++ b/lib/gwp_asan/optional/backtrace.h
@@ -0,0 +1,23 @@
+//===-- backtrace.h ---------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_OPTIONAL_BACKTRACE_H_
+#define GWP_ASAN_OPTIONAL_BACKTRACE_H_
+
+#include "gwp_asan/options.h"
+
+namespace gwp_asan {
+namespace options {
+// Functions to get the platform-specific and implementation-specific backtrace
+// and backtrace printing functions.
+Backtrace_t getBacktraceFunction();
+PrintBacktrace_t getPrintBacktraceFunction();
+} // namespace options
+} // namespace gwp_asan
+
+#endif // GWP_ASAN_OPTIONAL_BACKTRACE_H_
diff --git a/lib/gwp_asan/optional/backtrace_linux_libc.cpp b/lib/gwp_asan/optional/backtrace_linux_libc.cpp
new file mode 100644
index 000000000000..f20a3100927e
--- /dev/null
+++ b/lib/gwp_asan/optional/backtrace_linux_libc.cpp
@@ -0,0 +1,64 @@
+//===-- backtrace_linux_libc.cpp --------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include <assert.h>
+#include <execinfo.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "gwp_asan/optional/backtrace.h"
+#include "gwp_asan/options.h"
+
+namespace {
+void Backtrace(uintptr_t *TraceBuffer, size_t Size) {
+ // Grab (what seems to be) one more trace than we need. TraceBuffer needs to
+ // be null-terminated, but we wish to remove the frame of this function call.
+ static_assert(sizeof(uintptr_t) == sizeof(void *), "uintptr_t is not void*");
+ int NumTraces =
+ backtrace(reinterpret_cast<void **>(TraceBuffer), Size);
+
+ // Now shift the entire trace one place to the left and null-terminate.
+ memmove(TraceBuffer, TraceBuffer + 1, NumTraces * sizeof(void *));
+ TraceBuffer[NumTraces - 1] = 0;
+}
+
+static void PrintBacktrace(uintptr_t *Trace,
+ gwp_asan::options::Printf_t Printf) {
+ size_t NumTraces = 0;
+ for (; Trace[NumTraces] != 0; ++NumTraces) {
+ }
+
+ if (NumTraces == 0) {
+ Printf(" <not found (does your allocator support backtracing?)>\n\n");
+ return;
+ }
+
+ char **BacktraceSymbols =
+ backtrace_symbols(reinterpret_cast<void **>(Trace), NumTraces);
+
+ for (size_t i = 0; i < NumTraces; ++i) {
+ if (!BacktraceSymbols)
+ Printf(" #%zu %p\n", i, Trace[i]);
+ else
+ Printf(" #%zu %s\n", i, BacktraceSymbols[i]);
+ }
+
+ Printf("\n");
+ if (BacktraceSymbols)
+ free(BacktraceSymbols);
+}
+} // anonymous namespace
+
+namespace gwp_asan {
+namespace options {
+Backtrace_t getBacktraceFunction() { return Backtrace; }
+PrintBacktrace_t getPrintBacktraceFunction() { return PrintBacktrace; }
+} // namespace options
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/optional/backtrace_sanitizer_common.cpp b/lib/gwp_asan/optional/backtrace_sanitizer_common.cpp
new file mode 100644
index 000000000000..7d17eec0da2f
--- /dev/null
+++ b/lib/gwp_asan/optional/backtrace_sanitizer_common.cpp
@@ -0,0 +1,69 @@
+//===-- backtrace_sanitizer_common.cpp --------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include <assert.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <string.h>
+
+#include "gwp_asan/optional/backtrace.h"
+#include "gwp_asan/options.h"
+#include "sanitizer_common/sanitizer_stacktrace.h"
+
+void __sanitizer::BufferedStackTrace::UnwindImpl(uptr pc, uptr bp,
+ void *context,
+ bool request_fast,
+ u32 max_depth) {
+ if (!StackTrace::WillUseFastUnwind(request_fast)) {
+ return Unwind(max_depth, pc, bp, context, 0, 0, request_fast);
+ }
+ Unwind(max_depth, pc, 0, context, 0, 0, false);
+}
+
+namespace {
+void Backtrace(uintptr_t *TraceBuffer, size_t Size) {
+ __sanitizer::BufferedStackTrace Trace;
+ Trace.Reset();
+ if (Size > __sanitizer::kStackTraceMax)
+ Size = __sanitizer::kStackTraceMax;
+
+ Trace.Unwind((__sanitizer::uptr)__builtin_return_address(0),
+ (__sanitizer::uptr)__builtin_frame_address(0),
+ /* ucontext */ nullptr,
+ /* fast unwind */ true, Size - 1);
+
+ memcpy(TraceBuffer, Trace.trace, Trace.size * sizeof(uintptr_t));
+ TraceBuffer[Trace.size] = 0;
+}
+
+static void PrintBacktrace(uintptr_t *Trace,
+ gwp_asan::options::Printf_t Printf) {
+ __sanitizer::StackTrace StackTrace;
+ StackTrace.trace = reinterpret_cast<__sanitizer::uptr *>(Trace);
+
+ for (StackTrace.size = 0; StackTrace.size < __sanitizer::kStackTraceMax;
+ ++StackTrace.size) {
+ if (Trace[StackTrace.size] == 0)
+ break;
+ }
+
+ if (StackTrace.size == 0) {
+ Printf(" <unknown (does your allocator support backtracing?)>\n\n");
+ return;
+ }
+
+ StackTrace.Print();
+}
+} // anonymous namespace
+
+namespace gwp_asan {
+namespace options {
+Backtrace_t getBacktraceFunction() { return Backtrace; }
+PrintBacktrace_t getPrintBacktraceFunction() { return PrintBacktrace; }
+} // namespace options
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/optional/options_parser.cpp b/lib/gwp_asan/optional/options_parser.cpp
new file mode 100644
index 000000000000..6c2167288d6c
--- /dev/null
+++ b/lib/gwp_asan/optional/options_parser.cpp
@@ -0,0 +1,93 @@
+//===-- options_parser.cpp --------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "gwp_asan/optional/options_parser.h"
+
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "gwp_asan/options.h"
+#include "sanitizer_common/sanitizer_common.h"
+#include "sanitizer_common/sanitizer_flag_parser.h"
+#include "sanitizer_common/sanitizer_flags.h"
+
+namespace gwp_asan {
+namespace options {
+namespace {
+void registerGwpAsanFlags(__sanitizer::FlagParser *parser, Options *o) {
+#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
+ RegisterFlag(parser, #Name, Description, &o->Name);
+#include "gwp_asan/options.inc"
+#undef GWP_ASAN_OPTION
+}
+
+const char *getCompileDefinitionGwpAsanDefaultOptions() {
+#ifdef GWP_ASAN_DEFAULT_OPTIONS
+ return SANITIZER_STRINGIFY(GWP_ASAN_DEFAULT_OPTIONS);
+#else
+ return "";
+#endif
+}
+
+const char *getGwpAsanDefaultOptions() {
+ return (__gwp_asan_default_options) ? __gwp_asan_default_options() : "";
+}
+
+Options *getOptionsInternal() {
+ static Options GwpAsanFlags;
+ return &GwpAsanFlags;
+}
+} // anonymous namespace
+
+void initOptions() {
+ __sanitizer::SetCommonFlagsDefaults();
+
+ Options *o = getOptionsInternal();
+ o->setDefaults();
+
+ __sanitizer::FlagParser Parser;
+ registerGwpAsanFlags(&Parser, o);
+
+ // Override from compile definition.
+ Parser.ParseString(getCompileDefinitionGwpAsanDefaultOptions());
+
+ // Override from user-specified string.
+ Parser.ParseString(getGwpAsanDefaultOptions());
+
+ // Override from environment.
+ Parser.ParseString(__sanitizer::GetEnv("GWP_ASAN_OPTIONS"));
+
+ __sanitizer::InitializeCommonFlags();
+ if (__sanitizer::Verbosity())
+ __sanitizer::ReportUnrecognizedFlags();
+
+ if (!o->Enabled)
+ return;
+
+ // Sanity checks for the parameters.
+ if (o->MaxSimultaneousAllocations <= 0) {
+ __sanitizer::Printf("GWP-ASan ERROR: MaxSimultaneousAllocations must be > "
+ "0 when GWP-ASan is enabled.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ if (o->SampleRate < 1) {
+ __sanitizer::Printf(
+ "GWP-ASan ERROR: SampleRate must be > 0 when GWP-ASan is enabled.\n");
+ exit(EXIT_FAILURE);
+ }
+
+ o->Printf = __sanitizer::Printf;
+}
+
+Options &getOptions() { return *getOptionsInternal(); }
+
+} // namespace options
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/optional/options_parser.h b/lib/gwp_asan/optional/options_parser.h
new file mode 100644
index 000000000000..7a6bfaf0ce3e
--- /dev/null
+++ b/lib/gwp_asan/optional/options_parser.h
@@ -0,0 +1,31 @@
+//===-- options_parser.h ----------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_OPTIONAL_OPTIONS_PARSER_H_
+#define GWP_ASAN_OPTIONAL_OPTIONS_PARSER_H_
+
+#include "gwp_asan/optional/backtrace.h"
+#include "gwp_asan/options.h"
+#include "sanitizer_common/sanitizer_common.h"
+
+namespace gwp_asan {
+namespace options {
+// Parse the options from the GWP_ASAN_FLAGS environment variable.
+void initOptions();
+// Returns the initialised options. Call initOptions() prior to calling this
+// function.
+Options &getOptions();
+} // namespace options
+} // namespace gwp_asan
+
+extern "C" {
+SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE const char *
+__gwp_asan_default_options();
+}
+
+#endif // GWP_ASAN_OPTIONAL_OPTIONS_PARSER_H_
diff --git a/lib/gwp_asan/options.h b/lib/gwp_asan/options.h
new file mode 100644
index 000000000000..6423e16526f4
--- /dev/null
+++ b/lib/gwp_asan/options.h
@@ -0,0 +1,59 @@
+//===-- options.h -----------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_OPTIONS_H_
+#define GWP_ASAN_OPTIONS_H_
+
+#include <stddef.h>
+#include <stdint.h>
+
+namespace gwp_asan {
+namespace options {
+// The function pointer type for printf(). Follows the standard format from the
+// sanitizers library. If the supported allocator exposes printing via a
+// different function signature, please provide a wrapper which has this
+// printf() signature, and pass the wrapper instead.
+typedef void (*Printf_t)(const char *Format, ...);
+
+// The function pointer type for backtrace information. Required to be
+// implemented by the supporting allocator. The callee should elide itself and
+// all frames below itself from TraceBuffer, i.e. the caller's frame should be
+// in TraceBuffer[0], and subsequent frames 1..n into TraceBuffer[1..n], where a
+// maximum of `MaximumDepth - 1` frames are stored. TraceBuffer should be
+// nullptr-terminated (i.e. if there are 5 frames; TraceBuffer[5] == nullptr).
+// If the allocator cannot supply backtrace information, it should set
+// TraceBuffer[0] == nullptr.
+typedef void (*Backtrace_t)(uintptr_t *TraceBuffer, size_t Size);
+typedef void (*PrintBacktrace_t)(uintptr_t *TraceBuffer, Printf_t Print);
+
+struct Options {
+ Printf_t Printf = nullptr;
+ Backtrace_t Backtrace = nullptr;
+ PrintBacktrace_t PrintBacktrace = nullptr;
+
+ // Read the options from the included definitions file.
+#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
+ Type Name = DefaultValue;
+#include "gwp_asan/options.inc"
+#undef GWP_ASAN_OPTION
+
+ void setDefaults() {
+#define GWP_ASAN_OPTION(Type, Name, DefaultValue, Description) \
+ Name = DefaultValue;
+#include "gwp_asan/options.inc"
+#undef GWP_ASAN_OPTION
+
+ Printf = nullptr;
+ Backtrace = nullptr;
+ PrintBacktrace = nullptr;
+ }
+};
+} // namespace options
+} // namespace gwp_asan
+
+#endif // GWP_ASAN_OPTIONS_H_
diff --git a/lib/gwp_asan/options.inc b/lib/gwp_asan/options.inc
new file mode 100644
index 000000000000..9042b11895ae
--- /dev/null
+++ b/lib/gwp_asan/options.inc
@@ -0,0 +1,41 @@
+//===-- options.inc ---------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_OPTION
+#error "Define GWP_ASAN_OPTION prior to including this file!"
+#endif
+
+GWP_ASAN_OPTION(bool, Enabled, true, "Is GWP-ASan enabled? Defaults to true.")
+
+GWP_ASAN_OPTION(
+ bool, PerfectlyRightAlign, false,
+ "When allocations are right-aligned, should we perfectly align them up to "
+ "the page boundary? By default (false), we round up allocation size to the "
+ "nearest power of two (1, 2, 4, 8, 16) up to a maximum of 16-byte "
+ "alignment for performance reasons. Setting this to true can find single "
+ "byte buffer-overflows for multibyte allocations at the cost of "
+ "performance, and may be incompatible with some architectures.")
+
+GWP_ASAN_OPTION(
+ int, MaxSimultaneousAllocations, 16,
+ "Number of usable guarded slots in the allocation pool. Defaults to 16.")
+
+GWP_ASAN_OPTION(int, SampleRate, 5000,
+ "The probability (1 / SampleRate) that an allocation is "
+ "selected for GWP-ASan sampling. Default is 5000. Sample rates "
+ "up to (2^31 - 1) are supported.")
+
+GWP_ASAN_OPTION(
+ bool, InstallSignalHandlers, true,
+ "Install GWP-ASan signal handlers for SIGSEGV during dynamic loading. This "
+ "allows better error reports by providing stack traces for allocation and "
+ "deallocation when reporting a memory error. GWP-ASan's signal handler "
+ "will forward the signal to any previously-installed handler, and user "
+ "programs that install further signal handlers should make sure they do "
+ "the same. Note, if the previously installed SIGSEGV handler is SIG_IGN, "
+ "we terminate the process after dumping the error report.")
diff --git a/lib/gwp_asan/platform_specific/guarded_pool_allocator_posix.cpp b/lib/gwp_asan/platform_specific/guarded_pool_allocator_posix.cpp
new file mode 100644
index 000000000000..8bc0aefeec44
--- /dev/null
+++ b/lib/gwp_asan/platform_specific/guarded_pool_allocator_posix.cpp
@@ -0,0 +1,96 @@
+//===-- guarded_pool_allocator_posix.cpp ------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "gwp_asan/guarded_pool_allocator.h"
+
+#include <stdlib.h>
+#include <errno.h>
+#include <signal.h>
+#include <sys/mman.h>
+#include <sys/syscall.h>
+#include <sys/types.h>
+#include <unistd.h>
+
+namespace gwp_asan {
+
+void *GuardedPoolAllocator::mapMemory(size_t Size) const {
+ void *Ptr =
+ mmap(nullptr, Size, PROT_NONE, MAP_ANONYMOUS | MAP_PRIVATE, -1, 0);
+
+ if (Ptr == MAP_FAILED) {
+ Printf("Failed to map guarded pool allocator memory, errno: %d\n", errno);
+ Printf(" mmap(nullptr, %zu, ...) failed.\n", Size);
+ exit(EXIT_FAILURE);
+ }
+ return Ptr;
+}
+
+void GuardedPoolAllocator::markReadWrite(void *Ptr, size_t Size) const {
+ if (mprotect(Ptr, Size, PROT_READ | PROT_WRITE) != 0) {
+ Printf("Failed to set guarded pool allocator memory at as RW, errno: %d\n",
+ errno);
+ Printf(" mprotect(%p, %zu, RW) failed.\n", Ptr, Size);
+ exit(EXIT_FAILURE);
+ }
+}
+
+void GuardedPoolAllocator::markInaccessible(void *Ptr, size_t Size) const {
+ // mmap() a PROT_NONE page over the address to release it to the system, if
+ // we used mprotect() here the system would count pages in the quarantine
+ // against the RSS.
+ if (mmap(Ptr, Size, PROT_NONE, MAP_FIXED | MAP_ANONYMOUS | MAP_PRIVATE, -1,
+ 0) == MAP_FAILED) {
+ Printf("Failed to set guarded pool allocator memory as inaccessible, "
+ "errno: %d\n",
+ errno);
+ Printf(" mmap(%p, %zu, NONE, ...) failed.\n", Ptr, Size);
+ exit(EXIT_FAILURE);
+ }
+}
+
+size_t GuardedPoolAllocator::getPlatformPageSize() {
+ return sysconf(_SC_PAGESIZE);
+}
+
+struct sigaction PreviousHandler;
+
+static void sigSegvHandler(int sig, siginfo_t *info, void *ucontext) {
+ gwp_asan::GuardedPoolAllocator::reportError(
+ reinterpret_cast<uintptr_t>(info->si_addr));
+
+ // Process any previous handlers.
+ if (PreviousHandler.sa_flags & SA_SIGINFO) {
+ PreviousHandler.sa_sigaction(sig, info, ucontext);
+ } else if (PreviousHandler.sa_handler == SIG_IGN ||
+ PreviousHandler.sa_handler == SIG_DFL) {
+ // If the previous handler was the default handler, or was ignoring this
+ // signal, install the default handler and re-raise the signal in order to
+ // get a core dump and terminate this process.
+ signal(SIGSEGV, SIG_DFL);
+ raise(SIGSEGV);
+ } else {
+ PreviousHandler.sa_handler(sig);
+ }
+}
+
+void GuardedPoolAllocator::installSignalHandlers() {
+ struct sigaction Action;
+ Action.sa_sigaction = sigSegvHandler;
+ Action.sa_flags = SA_SIGINFO;
+ sigaction(SIGSEGV, &Action, &PreviousHandler);
+}
+
+uint64_t GuardedPoolAllocator::getThreadID() {
+#ifdef SYS_gettid
+ return syscall(SYS_gettid);
+#else
+ return kInvalidThreadID;
+#endif
+}
+
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/platform_specific/mutex_posix.cpp b/lib/gwp_asan/platform_specific/mutex_posix.cpp
new file mode 100644
index 000000000000..8bd405e1074c
--- /dev/null
+++ b/lib/gwp_asan/platform_specific/mutex_posix.cpp
@@ -0,0 +1,30 @@
+//===-- mutex_posix.cpp -----------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "gwp_asan/mutex.h"
+
+#include <assert.h>
+#include <pthread.h>
+
+namespace gwp_asan {
+void Mutex::lock() {
+ int Status = pthread_mutex_lock(&Mu);
+ assert(Status == 0);
+ // Remove warning for non-debug builds.
+ (void)Status;
+}
+
+bool Mutex::tryLock() { return pthread_mutex_trylock(&Mu) == 0; }
+
+void Mutex::unlock() {
+ int Status = pthread_mutex_unlock(&Mu);
+ assert(Status == 0);
+ // Remove warning for non-debug builds.
+ (void)Status;
+}
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/random.cpp b/lib/gwp_asan/random.cpp
new file mode 100644
index 000000000000..90493da7e038
--- /dev/null
+++ b/lib/gwp_asan/random.cpp
@@ -0,0 +1,23 @@
+//===-- random.cpp ----------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#include "gwp_asan/random.h"
+#include "gwp_asan/guarded_pool_allocator.h"
+
+#include <time.h>
+
+namespace gwp_asan {
+uint32_t getRandomUnsigned32() {
+ thread_local uint32_t RandomState =
+ time(nullptr) + GuardedPoolAllocator::getThreadID();
+ RandomState ^= RandomState << 13;
+ RandomState ^= RandomState >> 17;
+ RandomState ^= RandomState << 5;
+ return RandomState;
+}
+} // namespace gwp_asan
diff --git a/lib/gwp_asan/random.h b/lib/gwp_asan/random.h
new file mode 100644
index 000000000000..5fcf30d557ee
--- /dev/null
+++ b/lib/gwp_asan/random.h
@@ -0,0 +1,20 @@
+//===-- random.h ------------------------------------------------*- C++ -*-===//
+//
+// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
+// See https://llvm.org/LICENSE.txt for license information.
+// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef GWP_ASAN_RANDOM_H_
+#define GWP_ASAN_RANDOM_H_
+
+#include <stdint.h>
+
+namespace gwp_asan {
+// xorshift (32-bit output), extremely fast PRNG that uses arithmetic operations
+// only. Seeded using walltime.
+uint32_t getRandomUnsigned32();
+} // namespace gwp_asan
+
+#endif // GWP_ASAN_RANDOM_H_