Skip to content

[sanitizer-common] [Darwin] Provide warnings for common sandbox issues #165907

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
Nov 3, 2025
Merged

[sanitizer-common] [Darwin] Provide warnings for common sandbox issues #165907

merged 4 commits into from
Nov 3, 2025

Conversation

@ndrewh
Copy link
Contributor

@ndrewh ndrewh commented Oct 31, 2025
edited
Loading

We currently do not handle errors in task_set_exc_guard_behavior. If this fails, mmap can unexpectedly crash.
We also do not currently provide a clear warning if no external symbolizers are found.

rdar://163798535

@ndrewh ndrewh changed the title [sanitizer-common] Provide warning if task_set_exc_guard_behavior errors [sanitizer-common] [Darwin] Provide warning if task_set_exc_guard_behavior errors Oct 31, 2025
@llvmbot
Copy link
Member

llvmbot commented Oct 31, 2025

@llvm/pr-subscribers-compiler-rt-sanitizer

Author: Andrew Haberlandt (ndrewh)

Changes

We currently do not handle errors in task_set_exc_guard_behavior. If this fails, mmap can unexpectedly crash.

Here, we add a warning to notify users when this occurs.

Full diff: https://github.com/llvm/llvm-project/pull/165907.diff

1 Files Affected:

  • (modified) compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp (+12-1)
diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
index b0a29db908639..a118f7da2c856 100644
--- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
+++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cpp
@@ -960,7 +960,18 @@ static void DisableMmapExcGuardExceptions() {
       RTLD_DEFAULT, "task_set_exc_guard_behavior");
   if (set_behavior == nullptr) return;
   const task_exc_guard_behavior_t task_exc_guard_none = 0;
-  set_behavior(mach_task_self(), task_exc_guard_none);
+  kern_return_t res = set_behavior(mach_task_self(), task_exc_guard_none);
+  if (res != KERN_SUCCESS) {
+    Report(
+        "WARN: AddressSanitizer: task_set_exc_guard_behavior returned %d (%s), "
+        "mmap may fail unexpectedly.\n",
+        res, mach_error_string(res));
+    if (res == KERN_DENIED) {
+      Report(
+          "HINT: Check that task_set_exc_guard_behavior is allowed by "
+          "sandbox.\n");
+    }
+  }
 }
 
 static void VerifyInterceptorsWorking();

@ndrewh ndrewh force-pushed the task_set_exc_guard_behavior-checkret branch from 407b2c6 to d41ba61 Compare October 31, 2025 19:11
@ndrewh ndrewh changed the title [sanitizer-common] [Darwin] Provide warning if task_set_exc_guard_behavior errors [sanitizer-common] [Darwin] Provide warnings for common sandbox issues Nov 1, 2025
DanBlackwell
DanBlackwell approved these changes Nov 1, 2025
View reviewed changes
Copy link
Contributor

@DanBlackwell DanBlackwell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for this, looks good. Possibly could have been better to split across 2 separate PRs.

@ndrewh ndrewh merged commit 148a42b into llvm:main Nov 3, 2025
10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@DanBlackwell DanBlackwell DanBlackwell approved these changes

@wrotki wrotki Awaiting requested review from wrotki

@thetruestblue thetruestblue Awaiting requested review from thetruestblue

Assignees

No one assigned

Labels

compiler-rt:sanitizer compiler-rt

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@ndrewh @llvmbot @DanBlackwell