[msan] Better use-after-free reports.

By attaching an extra integer tag to heap origins, we are able
to distinguish between uninits
 - created by heap allocation,
 - created by heap deallocation (i.e. use-after-free),
 - created by __msan_allocated_memory call,
 - etc.

See https://code.google.com/p/memory-sanitizer/issues/detail?id=35.



git-svn-id: https://llvm.org/svn/llvm-project/compiler-rt/trunk@226821 91177308-0d34-0410-b5e6-96231b3b80d8

1 files changed, 6 insertions, 3 deletions

diff --git a/lib/sanitizer_common/sanitizer_stackdepot.cc b/lib/sanitizer_common/sanitizer_stackdepot.cc
index f10f1f973..59b53f4dc 100644
--- a/lib/sanitizer_common/sanitizer_stackdepot.cc
+++ b/lib/sanitizer_common/sanitizer_stackdepot.cc
@@ -22,7 +22,8 @@ struct StackDepotNode {
   StackDepotNode *link;
   u32 id;
   atomic_uint32_t hash_and_use_count; // hash_bits : 12; use_count : 20;
-  uptr size;
+  u32 size;
+  u32 tag;
   uptr stack[1];  // [size]
 
   static const u32 kTabSizeLog = 20;
@@ -37,7 +38,8 @@ struct StackDepotNode {
   bool eq(u32 hash, const args_type &args) const {
     u32 hash_bits =
         atomic_load(&hash_and_use_count, memory_order_relaxed) & kHashMask;
-    if ((hash & kHashMask) != hash_bits || args.size != size) return false;
+    if ((hash & kHashMask) != hash_bits || args.size != size || args.tag != tag)
+      return false;
     uptr i = 0;
     for (; i < size; i++) {
       if (stack[i] != args.trace[i]) return false;
@@ -72,10 +74,11 @@ struct StackDepotNode {
   void store(const args_type &args, u32 hash) {
     atomic_store(&hash_and_use_count, hash & kHashMask, memory_order_relaxed);
     size = args.size;
+    tag = args.tag;
     internal_memcpy(stack, args.trace, size * sizeof(uptr));
   }
   args_type load() const {
-    return args_type(&stack[0], size);
+    return args_type(&stack[0], size, tag);
   }
   StackDepotHandle get_handle() { return StackDepotHandle(this); }