ee7d41d179
For an odr-violation error due to a source file linked into two DSOs, or
one DSO and the main executable, it can be difficult to identify the DSO
name. Let's print the module name in the error report.
```
echo 'extern long var; int main() { return var; }' > a.cc
echo 'long var;' > b.cc
clang++ -fpic -fsanitize=address -shared b.cc -o b.so
clang++ -fsanitize=address a.cc b.cc ./b.so -o a
```
w/o this patch:
```
==1375386==ERROR: AddressSanitizer: odr-violation (0x56067cb06240):
[1] size=8 'var' b.cc
[2] size=8 'var' b.cc
...
```
w/ this patch:
```
==1375386==ERROR: AddressSanitizer: odr-violation (0x56067cb06240):
[1] size=8 'var' b.cc in /tmp/c/a
[2] size=8 'var' b.cc in ./b.so
```
In addition, update the `report_globals=2` message to include the module
name
```
==1451005==Added Global[0x7fcfe59ae040]: beg=0x7fcfe59ae140 size=8/32 name=var source=b.cc module=./b.so dyn_init=0 odr_indicator=0x55754f939260
```
621 lines
23 KiB
C++
621 lines
23 KiB
C++
//===-- asan_errors.cpp -----------------------------------------*- C++ -*-===//
|
|
//
|
|
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
|
|
// See https://llvm.org/LICENSE.txt for license information.
|
|
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
|
|
//
|
|
//===----------------------------------------------------------------------===//
|
|
//
|
|
// This file is a part of AddressSanitizer, an address sanity checker.
|
|
//
|
|
// ASan implementation for error structures.
|
|
//===----------------------------------------------------------------------===//
|
|
|
|
#include "asan_errors.h"
|
|
#include "asan_descriptions.h"
|
|
#include "asan_mapping.h"
|
|
#include "asan_report.h"
|
|
#include "asan_stack.h"
|
|
#include "sanitizer_common/sanitizer_stackdepot.h"
|
|
|
|
namespace __asan {
|
|
|
|
static void OnStackUnwind(const SignalContext &sig,
|
|
const void *callback_context,
|
|
BufferedStackTrace *stack) {
|
|
bool fast = common_flags()->fast_unwind_on_fatal;
|
|
#if SANITIZER_FREEBSD || SANITIZER_NETBSD
|
|
// On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
|
|
// yields the call stack of the signal's handler and not of the code
|
|
// that raised the signal (as it does on Linux).
|
|
fast = true;
|
|
#endif
|
|
// Tests and maybe some users expect that scariness is going to be printed
|
|
// just before the stack. As only asan has scariness score we have no
|
|
// corresponding code in the sanitizer_common and we use this callback to
|
|
// print it.
|
|
static_cast<const ScarinessScoreBase *>(callback_context)->Print();
|
|
stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context,
|
|
fast);
|
|
}
|
|
|
|
void ErrorDeadlySignal::Print() {
|
|
ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness);
|
|
}
|
|
|
|
void ErrorDoubleFree::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
|
|
second_free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorNewDeleteTypeMismatch::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s on %p in thread %s:\n",
|
|
scariness.GetDescription(), (void *)addr_description.addr,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s object passed to delete has wrong type:\n", d.Default());
|
|
if (delete_size != 0) {
|
|
Printf(
|
|
" size of the allocated type: %zd bytes;\n"
|
|
" size of the deallocated type: %zd bytes.\n",
|
|
addr_description.chunk_access.chunk_size, delete_size);
|
|
}
|
|
const uptr user_alignment =
|
|
addr_description.chunk_access.user_requested_alignment;
|
|
if (delete_alignment != user_alignment) {
|
|
char user_alignment_str[32];
|
|
char delete_alignment_str[32];
|
|
internal_snprintf(user_alignment_str, sizeof(user_alignment_str),
|
|
"%zd bytes", user_alignment);
|
|
internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str),
|
|
"%zd bytes", delete_alignment);
|
|
static const char *kDefaultAlignment = "default-aligned";
|
|
Printf(
|
|
" alignment of the allocated type: %s;\n"
|
|
" alignment of the deallocated type: %s.\n",
|
|
user_alignment > 0 ? user_alignment_str : kDefaultAlignment,
|
|
delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment);
|
|
}
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=new_delete_type_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorFreeNotMalloced::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting free on address "
|
|
"which was not malloc()-ed: %p in thread %s\n",
|
|
(void *)addr_description.Address(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(free_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
void ErrorAllocTypeMismatch::Print() {
|
|
static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
|
|
"operator new []"};
|
|
static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
|
|
"operator delete []"};
|
|
CHECK_NE(alloc_type, dealloc_type);
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
|
|
scariness.GetDescription(), alloc_names[alloc_type],
|
|
dealloc_names[dealloc_type], (void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
CHECK_GT(dealloc_stack->size, 0);
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
|
|
stack.Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
|
|
}
|
|
|
|
void ErrorMallocUsableSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
|
|
"pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: attempting to call "
|
|
"__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
|
|
(void *)addr_description.Address());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorCallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: calloc parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorReallocArrayOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: reallocarray parameters overflow: count * size "
|
|
"(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
|
|
count, size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorPvallocOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx "
|
|
"rounded up to system page size 0x%zx cannot be represented in type "
|
|
"size_t (thread %s)\n",
|
|
size, GetPageSizeCached(), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAllocationAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid allocation alignment: %zd, "
|
|
"alignment must be a power of two (thread %s)\n",
|
|
alignment, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidAlignedAllocAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
#if SANITIZER_POSIX
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, alignment must be a power of two and the "
|
|
"requested size 0x%zx must be a multiple of alignment "
|
|
"(thread %s)\n", alignment, size, AsanThreadIdAndName(tid).c_str());
|
|
#else
|
|
Report("ERROR: AddressSanitizer: invalid alignment requested in "
|
|
"aligned_alloc: %zd, the requested size 0x%zx must be a multiple of "
|
|
"alignment (thread %s)\n", alignment, size,
|
|
AsanThreadIdAndName(tid).c_str());
|
|
#endif
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorInvalidPosixMemalignAlignment::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: "
|
|
"%zd, alignment must be a power of two and a multiple of sizeof(void*) "
|
|
"== %zd (thread %s)\n",
|
|
alignment, sizeof(void *), AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorAllocationSizeTooBig::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after "
|
|
"adjustments for alignment, red zones etc.) exceeds maximum supported "
|
|
"size of 0x%zx (thread %s)\n",
|
|
user_size, total_size, max_size, AsanThreadIdAndName(tid).c_str());
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorRssLimitExceeded::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to "
|
|
"soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorOutOfMemory::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
ERROR_OOM("allocator is trying to allocate 0x%zx bytes\n", requested_size);
|
|
Printf("%s", d.Default());
|
|
stack->Print();
|
|
PrintHintAllocatorCannotReturnNull();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorStringFunctionMemoryRangesOverlap::Print() {
|
|
Decorator d;
|
|
char bug_type[100];
|
|
internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
|
|
Printf("%s", d.Error());
|
|
Report(
|
|
"ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
|
|
"overlap\n",
|
|
bug_type, (void *)addr1_description.Address(),
|
|
(void *)(addr1_description.Address() + length1),
|
|
(void *)addr2_description.Address(),
|
|
(void *)(addr2_description.Address() + length2));
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(bug_type, stack);
|
|
}
|
|
|
|
void ErrorStringFunctionSizeOverflow::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
|
|
scariness.GetDescription(), size);
|
|
Printf("%s", d.Default());
|
|
scariness.Print();
|
|
stack->Print();
|
|
addr_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_contiguous_container:\n"
|
|
" beg : %p\n"
|
|
" end : %p\n"
|
|
" old_mid : %p\n"
|
|
" new_mid : %p\n",
|
|
(void *)beg, (void *)end, (void *)old_mid, (void *)new_mid);
|
|
uptr granularity = ASAN_SHADOW_GRANULARITY;
|
|
if (!IsAligned(beg, granularity))
|
|
Report("ERROR: beg is not aligned by %zu\n", granularity);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorBadParamsToAnnotateDoubleEndedContiguousContainer::Print() {
|
|
Report(
|
|
"ERROR: AddressSanitizer: bad parameters to "
|
|
"__sanitizer_annotate_double_ended_contiguous_container:\n"
|
|
" storage_beg : %p\n"
|
|
" storage_end : %p\n"
|
|
" old_container_beg : %p\n"
|
|
" old_container_end : %p\n"
|
|
" new_container_beg : %p\n"
|
|
" new_container_end : %p\n",
|
|
(void *)storage_beg, (void *)storage_end, (void *)old_container_beg,
|
|
(void *)old_container_end, (void *)new_container_beg,
|
|
(void *)new_container_end);
|
|
uptr granularity = ASAN_SHADOW_GRANULARITY;
|
|
if (!IsAligned(storage_beg, granularity))
|
|
Report("ERROR: storage_beg is not aligned by %zu\n", granularity);
|
|
stack->Print();
|
|
ReportErrorSummary(scariness.GetDescription(), stack);
|
|
}
|
|
|
|
void ErrorODRViolation::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(),
|
|
(void *)global1.beg);
|
|
Printf("%s", d.Default());
|
|
InternalScopedString g1_loc;
|
|
InternalScopedString g2_loc;
|
|
PrintGlobalLocation(&g1_loc, global1, /*print_module_name=*/true);
|
|
PrintGlobalLocation(&g2_loc, global2, /*print_module_name=*/true);
|
|
Printf(" [1] size=%zd '%s' %s\n", global1.size,
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
Printf(" [2] size=%zd '%s' %s\n", global2.size,
|
|
MaybeDemangleGlobalName(global2.name), g2_loc.data());
|
|
if (stack_id1 && stack_id2) {
|
|
Printf("These globals were registered at these points:\n");
|
|
Printf(" [1]:\n");
|
|
StackDepotGet(stack_id1).Print();
|
|
Printf(" [2]:\n");
|
|
StackDepotGet(stack_id2).Print();
|
|
}
|
|
Report(
|
|
"HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_odr_violation=0\n");
|
|
InternalScopedString error_msg;
|
|
error_msg.AppendF("%s: global '%s' at %s", scariness.GetDescription(),
|
|
MaybeDemangleGlobalName(global1.name), g1_loc.data());
|
|
ReportErrorSummary(error_msg.data());
|
|
}
|
|
|
|
void ErrorInvalidPointerPair::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(),
|
|
(void *)addr1_description.Address(),
|
|
(void *)addr2_description.Address());
|
|
Printf("%s", d.Default());
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
addr1_description.Print();
|
|
addr2_description.Print();
|
|
ReportErrorSummary(scariness.GetDescription(), &stack);
|
|
}
|
|
|
|
static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
|
|
return s[-1] > 127 && s[1] > 127;
|
|
}
|
|
|
|
ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
|
|
bool is_write_, uptr access_size_)
|
|
: ErrorBase(tid),
|
|
addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
|
|
pc(pc_),
|
|
bp(bp_),
|
|
sp(sp_),
|
|
access_size(access_size_),
|
|
is_write(is_write_),
|
|
shadow_val(0) {
|
|
scariness.Clear();
|
|
if (access_size) {
|
|
if (access_size <= 9) {
|
|
char desr[] = "?-byte";
|
|
desr[0] = '0' + access_size;
|
|
scariness.Scare(access_size + access_size / 2, desr);
|
|
} else if (access_size >= 10) {
|
|
scariness.Scare(15, "multi-byte");
|
|
}
|
|
is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
|
|
|
|
// Determine the error type.
|
|
bug_descr = "unknown-crash";
|
|
if (AddrIsInMem(addr)) {
|
|
u8 *shadow_addr = (u8 *)MemToShadow(addr);
|
|
// If we are accessing 16 bytes, look at the second shadow byte.
|
|
if (*shadow_addr == 0 && access_size > ASAN_SHADOW_GRANULARITY)
|
|
shadow_addr++;
|
|
// If we are in the partial right redzone, look at the next shadow byte.
|
|
if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
|
|
bool far_from_bounds = false;
|
|
shadow_val = *shadow_addr;
|
|
int bug_type_score = 0;
|
|
// For use-after-frees reads are almost as bad as writes.
|
|
int read_after_free_bonus = 0;
|
|
switch (shadow_val) {
|
|
case kAsanHeapLeftRedzoneMagic:
|
|
case kAsanArrayCookieMagic:
|
|
bug_descr = "heap-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanHeapFreeMagic:
|
|
bug_descr = "heap-use-after-free";
|
|
bug_type_score = 20;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanStackLeftRedzoneMagic:
|
|
bug_descr = "stack-buffer-underflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanInitializationOrderMagic:
|
|
bug_descr = "initialization-order-fiasco";
|
|
bug_type_score = 1;
|
|
break;
|
|
case kAsanStackMidRedzoneMagic:
|
|
case kAsanStackRightRedzoneMagic:
|
|
bug_descr = "stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanStackAfterReturnMagic:
|
|
bug_descr = "stack-use-after-return";
|
|
bug_type_score = 30;
|
|
if (!is_write) read_after_free_bonus = 18;
|
|
break;
|
|
case kAsanUserPoisonedMemoryMagic:
|
|
bug_descr = "use-after-poison";
|
|
bug_type_score = 20;
|
|
break;
|
|
case kAsanContiguousContainerOOBMagic:
|
|
bug_descr = "container-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanStackUseAfterScopeMagic:
|
|
bug_descr = "stack-use-after-scope";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanGlobalRedzoneMagic:
|
|
bug_descr = "global-buffer-overflow";
|
|
bug_type_score = 10;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
case kAsanIntraObjectRedzone:
|
|
bug_descr = "intra-object-overflow";
|
|
bug_type_score = 10;
|
|
break;
|
|
case kAsanAllocaLeftMagic:
|
|
case kAsanAllocaRightMagic:
|
|
bug_descr = "dynamic-stack-buffer-overflow";
|
|
bug_type_score = 25;
|
|
far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
|
|
break;
|
|
}
|
|
scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
|
|
if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
|
|
}
|
|
}
|
|
}
|
|
|
|
static void PrintContainerOverflowHint() {
|
|
Printf("HINT: if you don't care about these errors you may set "
|
|
"ASAN_OPTIONS=detect_container_overflow=0.\n"
|
|
"If you suspect a false positive see also: "
|
|
"https://github.com/google/sanitizers/wiki/"
|
|
"AddressSanitizerContainerOverflow.\n");
|
|
}
|
|
|
|
static void PrintShadowByte(InternalScopedString *str, const char *before,
|
|
u8 byte, const char *after = "\n") {
|
|
PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
|
|
}
|
|
|
|
static void PrintLegend(InternalScopedString *str) {
|
|
str->AppendF(
|
|
"Shadow byte legend (one shadow byte represents %d "
|
|
"application bytes):\n",
|
|
(int)ASAN_SHADOW_GRANULARITY);
|
|
PrintShadowByte(str, " Addressable: ", 0);
|
|
str->AppendF(" Partially addressable: ");
|
|
for (u8 i = 1; i < ASAN_SHADOW_GRANULARITY; i++)
|
|
PrintShadowByte(str, "", i, " ");
|
|
str->AppendF("\n");
|
|
PrintShadowByte(str, " Heap left redzone: ",
|
|
kAsanHeapLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
|
|
PrintShadowByte(str, " Stack left redzone: ",
|
|
kAsanStackLeftRedzoneMagic);
|
|
PrintShadowByte(str, " Stack mid redzone: ",
|
|
kAsanStackMidRedzoneMagic);
|
|
PrintShadowByte(str, " Stack right redzone: ",
|
|
kAsanStackRightRedzoneMagic);
|
|
PrintShadowByte(str, " Stack after return: ",
|
|
kAsanStackAfterReturnMagic);
|
|
PrintShadowByte(str, " Stack use after scope: ",
|
|
kAsanStackUseAfterScopeMagic);
|
|
PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
|
|
PrintShadowByte(str, " Global init order: ",
|
|
kAsanInitializationOrderMagic);
|
|
PrintShadowByte(str, " Poisoned by user: ",
|
|
kAsanUserPoisonedMemoryMagic);
|
|
PrintShadowByte(str, " Container overflow: ",
|
|
kAsanContiguousContainerOOBMagic);
|
|
PrintShadowByte(str, " Array cookie: ",
|
|
kAsanArrayCookieMagic);
|
|
PrintShadowByte(str, " Intra object redzone: ",
|
|
kAsanIntraObjectRedzone);
|
|
PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
|
|
PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
|
|
PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
|
|
}
|
|
|
|
static void PrintShadowBytes(InternalScopedString *str, const char *before,
|
|
u8 *bytes, u8 *guilty, uptr n) {
|
|
Decorator d;
|
|
if (before)
|
|
str->AppendF("%s%p:", before,
|
|
(void *)ShadowToMem(reinterpret_cast<uptr>(bytes)));
|
|
for (uptr i = 0; i < n; i++) {
|
|
u8 *p = bytes + i;
|
|
const char *before =
|
|
p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
|
|
const char *after = p == guilty ? "]" : "";
|
|
PrintShadowByte(str, before, *p, after);
|
|
}
|
|
str->AppendF("\n");
|
|
}
|
|
|
|
static void PrintShadowMemoryForAddress(uptr addr) {
|
|
if (!AddrIsInMem(addr)) return;
|
|
uptr shadow_addr = MemToShadow(addr);
|
|
const uptr n_bytes_per_row = 16;
|
|
uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
|
|
InternalScopedString str;
|
|
str.AppendF("Shadow bytes around the buggy address:\n");
|
|
for (int i = -5; i <= 5; i++) {
|
|
uptr row_shadow_addr = aligned_shadow + i * n_bytes_per_row;
|
|
// Skip rows that would be outside the shadow range. This can happen when
|
|
// the user address is near the bottom, top, or shadow gap of the address
|
|
// space.
|
|
if (!AddrIsInShadow(row_shadow_addr)) continue;
|
|
const char *prefix = (i == 0) ? "=>" : " ";
|
|
PrintShadowBytes(&str, prefix, (u8 *)row_shadow_addr, (u8 *)shadow_addr,
|
|
n_bytes_per_row);
|
|
}
|
|
if (flags()->print_legend) PrintLegend(&str);
|
|
Printf("%s", str.data());
|
|
}
|
|
|
|
void ErrorGeneric::Print() {
|
|
Decorator d;
|
|
Printf("%s", d.Error());
|
|
uptr addr = addr_description.Address();
|
|
Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
|
|
bug_descr, (void *)addr, (void *)pc, (void *)bp, (void *)sp);
|
|
Printf("%s", d.Default());
|
|
|
|
Printf("%s%s of size %zu at %p thread %s%s\n", d.Access(),
|
|
access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
|
|
(void *)addr, AsanThreadIdAndName(tid).c_str(), d.Default());
|
|
|
|
scariness.Print();
|
|
GET_STACK_TRACE_FATAL(pc, bp);
|
|
stack.Print();
|
|
|
|
// Pass bug_descr because we have a special case for
|
|
// initialization-order-fiasco
|
|
addr_description.Print(bug_descr);
|
|
if (shadow_val == kAsanContiguousContainerOOBMagic)
|
|
PrintContainerOverflowHint();
|
|
ReportErrorSummary(bug_descr, &stack);
|
|
PrintShadowMemoryForAddress(addr);
|
|
}
|
|
|
|
} // namespace __asan
|