This is an archive of the discontinued LLVM Phabricator instance.

Differential D123643

[ASan] Fixed a reporting bug in (load|store)N functions which would print unknown-crash instead of the proper error message when a the data access is unaligned.
ClosedPublic

Authored by kstoimenov on Apr 12 2022, 4:18 PM.

Details

Reviewers
kda
eugenis
Commits
rG64c929ec0937: [ASan] Fixed a reporting bug in (load|store)N functions which would print…
rGd81d317999b3: [ASan] Fixed a reporting bug in (load|store)N functions which would print…

Diff Detail

Event Timeline

kstoimenov created this revision.Apr 12 2022, 4:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 12 2022, 4:18 PM
kstoimenov requested review of this revision.Apr 12 2022, 4:18 PM
Herald added a project: Restricted Project. · View Herald TranscriptApr 12 2022, 4:18 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
kstoimenov added a reviewer: kda.Apr 12 2022, 4:19 PM
kda accepted this revision.Apr 12 2022, 4:26 PM

A couple of nits.

compiler-rt/test/asan/TestCases/load_and_store_n.cpp
34–35

nit: maybe move below include

59

prepend 'res = ' ?

This revision is now accepted and ready to land.Apr 12 2022, 4:26 PM
Harbormaster completed remote builds in B159344: Diff 422361.Apr 12 2022, 4:38 PM
kstoimenov updated this revision to Diff 422368.Apr 12 2022, 4:52 PM
kstoimenov marked an inline comment as done.

Moved vars below include.

kstoimenov added inline comments.Apr 12 2022, 4:54 PM
compiler-rt/test/asan/TestCases/load_and_store_n.cpp
59

Store is a void function.

Harbormaster completed remote builds in B159351: Diff 422368.Apr 12 2022, 5:13 PM
eugenis added a subscriber: eugenis.Apr 13 2022, 5:23 PM
eugenis added inline comments.
compiler-rt/test/asan/TestCases/load_and_store_n.cpp
30

Could you tighten this check a little? Ex. you could print the expected "bad access" address in the test code, and then verify that it matches the address printed by asan.

Also an interesting edge case to test would be when the access is entirely outside of the global (ex. (char*)&G + 9).

kstoimenov updated this revision to Diff 423467.Apr 18 2022, 1:53 PM

Addressed comments.

kstoimenov marked an inline comment as done.Apr 18 2022, 1:54 PM
Harbormaster completed remote builds in B160113: Diff 423467.Apr 18 2022, 2:32 PM
eugenis accepted this revision.Apr 18 2022, 3:22 PM

LGTM w/ nits

compiler-rt/test/asan/TestCases/load_and_store_n.cpp
37

Could you also extend this check? I imagine this would say "0 bytes to the right" vs "1 bytes to the right" depending on the case.

kstoimenov updated this revision to Diff 423480.Apr 18 2022, 3:29 PM

Extended checks to 0 and 1 cases.

This revision was landed with ongoing or failed builds.Apr 18 2022, 3:47 PM
Closed by commit rGd81d317999b3: [ASan] Fixed a reporting bug in (load|store)N functions which would print… (authored by kstoimenov). · Explain Why
This revision was automatically updated to reflect the committed changes.
kstoimenov added a commit: rGd81d317999b3: [ASan] Fixed a reporting bug in (load|store)N functions which would print….
Harbormaster completed remote builds in B160125: Diff 423480.Apr 18 2022, 4:13 PM
kstoimenov added a reverting change: D123966: Revert "[ASan] Fixed a reporting bug in (load|store)N functions which would print unknown-crash instead of the proper error message when a the data access is unaligned.".Apr 18 2022, 4:32 PM
kstoimenov added a reverting change: rG70f13bd752f0: Revert "[ASan] Fixed a reporting bug in (load|store)N functions which would….Apr 18 2022, 4:33 PM
kstoimenov reopened this revision.Apr 18 2022, 4:35 PM
This revision is now accepted and ready to land.Apr 18 2022, 4:35 PM
kstoimenov updated this revision to Diff 423518.Apr 18 2022, 9:00 PM

Tests are against the IR instead of assembly.

kstoimenov updated this revision to Diff 423522.Apr 18 2022, 9:04 PM

Tests are against the IR instead of assembly - for real.

kstoimenov updated this revision to Diff 423529.Apr 18 2022, 9:13 PM

Fixed tests.

Harbormaster completed remote builds in B160166: Diff 423529.Apr 18 2022, 9:30 PM
Closed by commit rG64c929ec0937: [ASan] Fixed a reporting bug in (load|store)N functions which would print… (authored by kstoimenov). · Explain WhyApr 19 2022, 8:07 AM
This revision was automatically updated to reflect the committed changes.
kstoimenov added a commit: rG64c929ec0937: [ASan] Fixed a reporting bug in (load|store)N functions which would print….
eugenis added a comment.Apr 19 2022, 11:55 AM

android_compile script is confused by -emit-llvm it looks like. I'd just remove the IR checks from the test.

+ /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm-project/compiler-rt/test/sanitizer_common/android_commands/android_compile.py /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm_build64/bin/clang --driver-mode=g++ -fsanitize=address -mno-omit-leaf-frame-pointer -fno-omit-frame-pointer -fno-optimize-sibling-calls -gline-tables-only --target=aarch64-linux-android24 --sysroot=/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/android_ndk/toolchains/llvm/prebuilt/linux-x86_64/sysroot --gcc-toolchain=/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/android_ndk/toolchains/llvm/prebuilt/linux-x86_64 -B/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/android_ndk/toolchains/llvm/prebuilt/linux-x86_64 -Wthread-safety -Wthread-safety-reference -Wthread-safety-beta -stdlib=libc++ -fuse-ld=lld -shared-libasan -O2 -fsanitize-address-outline-instrumentation /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm-project/compiler-rt/test/asan/TestCases/load_and_store_n.cpp -o - -S -emit-llvm
+ FileCheck /var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm-project/compiler-rt/test/asan/TestCases/load_and_store_n.cpp --check-prefix=CHECK_REGULAR_LOAD_STORE
clang-15: warning: argument unused during compilation: '-fuse-ld=lld' [-Wunused-command-line-argument]
Traceback (most recent call last):
  File "/var/lib/buildbot/sanitizer-buildbot6/sanitizer-x86_64-linux-android/build/llvm-project/compiler-rt/test/sanitizer_common/android_commands/android_compile.py", line 35, in <module>
    os.rename(output, output + '.real')
OSError: [Errno 2] No such file or directory
kstoimenov added a comment.Apr 19 2022, 12:03 PM

Sent D124030 to remove the checks.

vitalybuka added a subscriber: vitalybuka.Apr 19 2022, 1:19 PM
vitalybuka added inline comments.
compiler-rt/test/asan/TestCases/load_and_store_n.cpp
30

Should we have IR test on the clang side?
GCC uses compiler-rt as well

Enna1 added a subscriber: Enna1.EditedApr 23 2022, 2:03 AM

Can we do this on the ASan error report side (i.e. compiler-rt/lib/asan/asan_errors.cpp) .

diff --git a/compiler-rt/lib/asan/asan_errors.cpp b/compiler-rt/lib/asan/asan_errors.cpp
index a22bf130d823..2cdd13df6c2a 100644
--- a/compiler-rt/lib/asan/asan_errors.cpp
+++ b/compiler-rt/lib/asan/asan_errors.cpp
@@ -409,8 +409,10 @@ ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
     bug_descr = "unknown-crash";
     if (AddrIsInMem(addr)) {
       u8 *shadow_addr = (u8 *)MemToShadow(addr);
-      // If we are accessing 16 bytes, look at the second shadow byte.
-      if (*shadow_addr == 0 && access_size > ASAN_SHADOW_GRANULARITY)
+      // If we are accessing 16 bytes or in unaligned accesses, look at the
+      // second shadow byte.
+      if (*shadow_addr == 0 && (access_size > ASAN_SHADOW_GRANULARITY ||
+                                (addr & (ASAN_SHADOW_GRANULARITY - 1)) != 0))
         shadow_addr++;
       // If we are in the partial right redzone, look at the next shadow byte.
       if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;

In this way, the error report of the test load_and_store_n.cpp (e.g. %run %t A) will like:

==2884775==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000545bc7 at pc 0x00000050bf95 bp 0x7ffcdcbcb350 sp 0x7ffcdcbcb338
READ of size 2 at 0x000000545bc7 thread T0
...
0x000000545bc8 is located 0 bytes to the right of global variable 'mem' defined in 'load_and_store_n.cpp:46:16' (0x545bc0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow ./load_and_store_n.cpp:51:3 in UNALIGNED_LOAD(void const*)
Shadow bytes around the buggy address:
  0x0000800a0b20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0b30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0b40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000800a0b70: 00 00 00 00 00 f9 f9 f9[00]f9 f9 f9 f9 f9 f9 f9
  0x0000800a0b80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000800a0b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0bb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000800a0bc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

This way the access start address (0x000000545bc7) in this report is more readable.

Revision Contents

PathSize
compiler-rt/
lib/
asan/
12 lines
test/
asan/
TestCases/
78 lines

Diff 423625

compiler-rt/lib/asan/asan_rtl.cpp

Show First 20 LinesShow All 181 Lines▼ Show 20 Lines
ASAN_MEMORY_ACCESS_CALLBACK(store, true, 2) ASAN_MEMORY_ACCESS_CALLBACK(store, true, 2)
ASAN_MEMORY_ACCESS_CALLBACK(store, true, 4) ASAN_MEMORY_ACCESS_CALLBACK(store, true, 4)
ASAN_MEMORY_ACCESS_CALLBACK(store, true, 8) ASAN_MEMORY_ACCESS_CALLBACK(store, true, 8)
ASAN_MEMORY_ACCESS_CALLBACK(store, true, 16) ASAN_MEMORY_ACCESS_CALLBACK(store, true, 16)
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_loadN(uptr addr, uptr size) { void __asan_loadN(uptr addr, uptr size) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, false, size, 0, true); ReportGenericError(pc, bp, sp, addr, false, size, 0, true);
} }
} }
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_exp_loadN(uptr addr, uptr size, u32 exp) { void __asan_exp_loadN(uptr addr, uptr size, u32 exp) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, false, size, exp, true); ReportGenericError(pc, bp, sp, addr, false, size, exp, true);
} }
} }
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_loadN_noabort(uptr addr, uptr size) { void __asan_loadN_noabort(uptr addr, uptr size) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, false, size, 0, false); ReportGenericError(pc, bp, sp, addr, false, size, 0, false);
} }
} }
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_storeN(uptr addr, uptr size) { void __asan_storeN(uptr addr, uptr size) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, true, size, 0, true); ReportGenericError(pc, bp, sp, addr, true, size, 0, true);
} }
} }
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_exp_storeN(uptr addr, uptr size, u32 exp) { void __asan_exp_storeN(uptr addr, uptr size, u32 exp) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, true, size, exp, true); ReportGenericError(pc, bp, sp, addr, true, size, exp, true);
} }
} }
extern "C" extern "C"
NOINLINE INTERFACE_ATTRIBUTE NOINLINE INTERFACE_ATTRIBUTE
void __asan_storeN_noabort(uptr addr, uptr size) { void __asan_storeN_noabort(uptr addr, uptr size) {
if (__asan_region_is_poisoned(addr, size)) { if ((addr = __asan_region_is_poisoned(addr, size))) {
GET_CALLER_PC_BP_SP; GET_CALLER_PC_BP_SP;
ReportGenericError(pc, bp, sp, addr, true, size, 0, false); ReportGenericError(pc, bp, sp, addr, true, size, 0, false);
} }
} }
// Force the linker to keep the symbols for various ASan interface functions. // Force the linker to keep the symbols for various ASan interface functions.
// We want to keep those in the executable in order to let the instrumented // We want to keep those in the executable in order to let the instrumented
// dynamic libraries access the symbol even if it is not used by the executable // dynamic libraries access the symbol even if it is not used by the executable
▲ Show 20 LinesShow All 374 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/load_and_store_n.cpp

  • This file was added.
// CHECK_REGULAR_LOAD_STORE: call void @__asan_loadN
// CHECK_REGULAR_LOAD_STORE: call void @__asan_storeN
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o %t
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o - -S \
// RUN: -emit-llvm | FileCheck %s --check-prefix=CHECK_REGULAR_LOAD_STORE
// RUN: not %run %t A 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
// RUN: not %run %t B 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
// RUN: not %run %t C 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// RUN: not %run %t D 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// CHECK_NOABORT_LOAD_STORE: call void @__asan_loadN_noabort
// CHECK_NOABORT_LOAD_STORE: call void @__asan_storeN_noabort
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o %t \
// RUN: -mllvm -asan-recover=1
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o - -S \
// RUN: -mllvm -asan-recover=1 -emit-llvm \
// RUN: | FileCheck %s --check-prefix=CHECK_NOABORT_LOAD_STORE
// RUN: not %run %t A 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
// RUN: not %run %t B 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
// RUN: not %run %t C 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// RUN: not %run %t D 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// CHECK_EXP_LOAD_STORE: call void @__asan_exp_loadN
// CHECK_EXP_LOAD_STORE: call void @__asan_exp_storeN
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o %t \
// RUN: -mllvm -asan-force-experiment=42
// RUN: %clangxx_asan -O2 -fsanitize-address-outline-instrumentation %s -o - -S \
// RUN: -mllvm -asan-force-experiment=42 -emit-llvm \
// RUN: | FileCheck %s --check-prefix=CHECK_EXP_LOAD_STORE
// RUN: not %run %t A 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
eugenisUnsubmitted
Done
ReplyInline Actions

Could you tighten this check a little? Ex. you could print the expected "bad access" address in the test code, and then verify that it matches the address printed by asan.

Also an interesting edge case to test would be when the access is entirely outside of the global (ex. (char*)&G + 9).

eugenis: Could you tighten this check a little? Ex. you could print the expected "bad access" address in…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Should we have IR test on the clang side?
GCC uses compiler-rt as well

vitalybuka: Should we have IR test on the clang side? GCC uses compiler-rt as well
// RUN: not %run %t B 2>&1 | FileCheck %s --check-prefix=CHECK_0_BYTES
// RUN: not %run %t C 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// RUN: not %run %t D 2>&1 | FileCheck %s --check-prefix=CHECK_1_BYTES
// CHECK_0_BYTES: ERROR: AddressSanitizer: global-buffer-overflow on address [[ADDR:.*]] at
kdaUnsubmitted
Done
ReplyInline Actions

nit: maybe move below include

kda: nit: maybe move below include
// CHECK_0_BYTES: [[ADDR]] is located 0 bytes to the right
eugenisUnsubmitted
Not Done
ReplyInline Actions

Could you also extend this check? I imagine this would say "0 bytes to the right" vs "1 bytes to the right" depending on the case.

eugenis: Could you also extend this check? I imagine this would say "0 bytes to the right" vs "1 bytes…
// CHECK_1_BYTES: ERROR: AddressSanitizer: global-buffer-overflow on address [[ADDR:.*]] at
// CHECK_1_BYTES: [[ADDR]] is located 1 bytes to the right
#include <sanitizer/asan_interface.h>
#include <stdlib.h>
#include <string.h>
static int64_t mem = -1;
static int64_t *volatile G = &mem;
inline uint16_t UNALIGNED_LOAD(const void *p) {
uint16_t data;
memcpy(&data, p, sizeof data);
return data;
}
inline void UNALIGNED_STORE(uint16_t data, void *p) {
memcpy(p, &data, sizeof data);
}
int main(int argc, char **argv) {
kdaUnsubmitted
Not Done
ReplyInline Actions

prepend 'res = ' ?

kda: prepend 'res = ' ?
kstoimenovAuthorUnsubmitted
Done
ReplyInline Actions

Store is a void function.

kstoimenov: Store is a void function.
if (argc != 2)
return 1;
int res = 1;
switch (argv[1][0]) {
case 'A':
res = UNALIGNED_LOAD(reinterpret_cast<char *>(G) + 7);
break;
case 'B':
UNALIGNED_STORE(0, reinterpret_cast<char *>(G) + 7);
break;
case 'C':
res = UNALIGNED_LOAD(reinterpret_cast<char *>(G) + 9);
break;
case 'D':
UNALIGNED_STORE(0, reinterpret_cast<char *>(G) + 9);
break;
}
return res;
}