This is an archive of the discontinued LLVM Phabricator instance.

Differential D147215

[hwasan] Record allocation thread id in HeapAllocationRecord
ClosedPublic

Authored by Enna1 on Mar 30 2023, 4:04 AM.

Details

Reviewers
kcc
eugenis
vitalybuka
Commits
rGdc7498eb027b: [hwasan] Record allocation thread id in HeapAllocationRecord
Summary

Extend HeapAllocationRecord to record allocation thread id, print thread id in memory allocation stack trace.

Diff Detail

Event Timeline

Enna1 created this revision.Mar 30 2023, 4:04 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 30 2023, 4:04 AM
Enna1 published this revision for review.Mar 30 2023, 4:07 AM
Enna1 added reviewers: kcc, eugenis, vitalybuka.
Enna1 added a subscriber: MTC.
Herald added a project: Restricted Project. · View Herald TranscriptMar 30 2023, 4:07 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B222698: Diff 509606.Mar 30 2023, 4:12 AM
Enna1 updated this revision to Diff 509613.Mar 30 2023, 4:38 AM

update

Harbormaster completed remote builds in B222704: Diff 509613.Mar 30 2023, 4:57 AM
Enna1 updated this revision to Diff 509638.Mar 30 2023, 6:05 AM

clang-format

Harbormaster completed remote builds in B222724: Diff 509638.Mar 30 2023, 6:22 AM
vitalybuka requested changes to this revision.Mar 31 2023, 8:30 PM
vitalybuka added inline comments.
compiler-rt/lib/hwasan/hwasan_allocator.h
122

thread id is part of alloc_context_id
why do we need another field?

This revision now requires changes to proceed.Mar 31 2023, 8:30 PM
Enna1 added inline comments.Mar 31 2023, 8:49 PM
compiler-rt/lib/hwasan/hwasan_allocator.h
122

Yes, thread id is part of alloc_context_id stored as atomic_uint64_t alloc_context_id in Metadata, u32 alloc_context_id stored in HeapAllocationRecord is without thread id.
What do you think add a function named inline u64 GetAllocContextId() const; and directly store u64 alloc_context_id in HeapAllocationRecord?

vitalybuka accepted this revision.Mar 31 2023, 9:47 PM
vitalybuka added inline comments.
compiler-rt/lib/hwasan/hwasan_allocator.cpp
359

@eugenis Unrelated to the patch but seems Deallocate must be called after ha->push

compiler-rt/lib/hwasan/hwasan_allocator.h
118–119

I guess you just resolved TODO, so please remove

122

missaligned, please clang-format

122

Yes, thread id is part of alloc_context_id stored as atomic_uint64_t alloc_context_id in Metadata, u32 alloc_context_id stored in HeapAllocationRecord is without thread id.
What do you think add a function named inline u64 GetAllocContextId() const; and directly store u64 alloc_context_id in HeapAllocationRecord?

thanks for pointing to this, I didn't noticed that first time

compiler-rt/lib/hwasan/hwasan_report.cpp
334

u32 should be %u

476
481
This revision is now accepted and ready to land.Mar 31 2023, 9:47 PM
Enna1 updated this revision to Diff 510177.Mar 31 2023, 10:07 PM

address review comments

Enna1 marked 4 inline comments as done.Mar 31 2023, 10:09 PM
Enna1 added inline comments.
compiler-rt/lib/hwasan/hwasan_allocator.h
122

clang-format complained about keeping this aligned

Harbormaster completed remote builds in B223114: Diff 510177.Mar 31 2023, 10:28 PM
Enna1 updated this revision to Diff 510195.Apr 1 2023, 12:49 AM

format

Harbormaster completed remote builds in B223128: Diff 510195.Apr 1 2023, 1:12 AM
Closed by commit rGdc7498eb027b: [hwasan] Record allocation thread id in HeapAllocationRecord (authored by Enna1). · Explain WhyApr 3 2023, 8:26 PM
This revision was automatically updated to reflect the committed changes.
Enna1 added a commit: rGdc7498eb027b: [hwasan] Record allocation thread id in HeapAllocationRecord.

Revision Contents

PathSize
compiler-rt/
lib/
hwasan/
7 lines
16 lines
5 lines
test/
hwasan/
TestCases/
2 lines
2 lines
12 lines
4 lines
4 lines
2 lines
2 lines

Diff 509638

compiler-rt/lib/hwasan/hwasan_allocator.h

Show All 40 Lines
public: public:
inline void SetAllocated(u32 stack, u64 size); inline void SetAllocated(u32 stack, u64 size);
inline void SetUnallocated(); inline void SetUnallocated();
inline bool IsAllocated() const; inline bool IsAllocated() const;
inline u64 GetRequestedSize() const; inline u64 GetRequestedSize() const;
inline u32 GetAllocStackId() const; inline u32 GetAllocStackId() const;
inline u32 GetAllocThreadId() const;
inline void SetLsanTag(__lsan::ChunkTag tag); inline void SetLsanTag(__lsan::ChunkTag tag);
inline __lsan::ChunkTag GetLsanTag() const; inline __lsan::ChunkTag GetLsanTag() const;
}; };
static_assert(sizeof(Metadata) == 16); static_assert(sizeof(Metadata) == 16);
struct HwasanMapUnmapCallback { struct HwasanMapUnmapCallback {
void OnMap(uptr p, uptr size) const { UpdateMemoryUsage(); } void OnMap(uptr p, uptr size) const { UpdateMemoryUsage(); }
void OnUnmap(uptr p, uptr size) const { void OnUnmap(uptr p, uptr size) const {
Show All 38 Lines public:
HwasanChunkView(uptr block, Metadata *metadata) HwasanChunkView(uptr block, Metadata *metadata)
: block_(block), metadata_(metadata) {} : block_(block), metadata_(metadata) {}
bool IsAllocated() const; // Checks if the memory is currently allocated bool IsAllocated() const; // Checks if the memory is currently allocated
uptr Beg() const; // First byte of user memory uptr Beg() const; // First byte of user memory
uptr End() const; // Last byte of user memory uptr End() const; // Last byte of user memory
uptr UsedSize() const; // Size requested by the user uptr UsedSize() const; // Size requested by the user
uptr ActualSize() const; // Size allocated by the allocator. uptr ActualSize() const; // Size allocated by the allocator.
u32 GetAllocStackId() const; u32 GetAllocStackId() const;
u32 GetAllocThreadId() const;
bool FromSmallHeap() const; bool FromSmallHeap() const;
bool AddrIsInside(uptr addr) const; bool AddrIsInside(uptr addr) const;
private: private:
friend class __lsan::LsanMetadata; friend class __lsan::LsanMetadata;
uptr block_; uptr block_;
Metadata *const metadata_; Metadata *const metadata_;
}; };
HwasanChunkView FindHeapChunkByAddress(uptr address); HwasanChunkView FindHeapChunkByAddress(uptr address);
// Information about one (de)allocation that happened in the past. // Information about one (de)allocation that happened in the past.
// These are recorded in a thread-local ring buffer. // These are recorded in a thread-local ring buffer.
// TODO: this is currently 24 bytes (20 bytes + alignment). // TODO: this is currently 24 bytes.
// Compress it to 16 bytes or extend it to be more useful. // Compress it or extend it to be more useful.
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

I guess you just resolved TODO, so please remove

vitalybuka: I guess you just resolved TODO, so please remove
struct HeapAllocationRecord { struct HeapAllocationRecord {
uptr tagged_addr; uptr tagged_addr;
u32 alloc_thread_id;
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

thread id is part of alloc_context_id
why do we need another field?

vitalybuka: thread id is part of alloc_context_id why do we need another field?
Enna1AuthorUnsubmitted
Done
ReplyInline Actions

Yes, thread id is part of alloc_context_id stored as atomic_uint64_t alloc_context_id in Metadata, u32 alloc_context_id stored in HeapAllocationRecord is without thread id.
What do you think add a function named inline u64 GetAllocContextId() const; and directly store u64 alloc_context_id in HeapAllocationRecord?

Enna1: Yes, thread id is part of alloc_context_id stored as `atomic_uint64_t alloc_context_id` in…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

Yes, thread id is part of alloc_context_id stored as atomic_uint64_t alloc_context_id in Metadata, u32 alloc_context_id stored in HeapAllocationRecord is without thread id.
What do you think add a function named inline u64 GetAllocContextId() const; and directly store u64 alloc_context_id in HeapAllocationRecord?

thanks for pointing to this, I didn't noticed that first time

vitalybuka: > Yes, thread id is part of alloc_context_id stored as `atomic_uint64_t alloc_context_id` in…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

missaligned, please clang-format

vitalybuka: missaligned, please clang-format
Enna1AuthorUnsubmitted
Not Done
ReplyInline Actions

clang-format complained about keeping this aligned

Enna1: clang-format complained about keeping this aligned
u32 alloc_context_id; u32 alloc_context_id;
u32 free_context_id; u32 free_context_id;
u32 requested_size; u32 requested_size;
}; };
typedef RingBuffer<HeapAllocationRecord> HeapAllocationsRingBuffer; typedef RingBuffer<HeapAllocationRecord> HeapAllocationsRingBuffer;
void GetAllocatorStats(AllocatorStatCounters s); void GetAllocatorStats(AllocatorStatCounters s);
Show All 14 Lines

compiler-rt/lib/hwasan/hwasan_allocator.cpp

Show First 20 LinesShow All 58 Lines▼ Show 20 Lines
} }
uptr HwasanChunkView::UsedSize() const { uptr HwasanChunkView::UsedSize() const {
return metadata_->GetRequestedSize(); return metadata_->GetRequestedSize();
} }
u32 HwasanChunkView::GetAllocStackId() const { u32 HwasanChunkView::GetAllocStackId() const {
return metadata_->GetAllocStackId(); return metadata_->GetAllocStackId();
} }
u32 HwasanChunkView::GetAllocThreadId() const {
return metadata_->GetAllocThreadId();
}
uptr HwasanChunkView::ActualSize() const { uptr HwasanChunkView::ActualSize() const {
return allocator.GetActuallyAllocatedSize(reinterpret_cast<void *>(block_)); return allocator.GetActuallyAllocatedSize(reinterpret_cast<void *>(block_));
} }
bool HwasanChunkView::FromSmallHeap() const { bool HwasanChunkView::FromSmallHeap() const {
return allocator.FromPrimary(reinterpret_cast<void *>(block_)); return allocator.FromPrimary(reinterpret_cast<void *>(block_));
} }
Show All 26 Lines
inline u64 Metadata::GetRequestedSize() const { inline u64 Metadata::GetRequestedSize() const {
return (static_cast<u64>(requested_size_high) << 32) + requested_size_low; return (static_cast<u64>(requested_size_high) << 32) + requested_size_low;
} }
inline u32 Metadata::GetAllocStackId() const { inline u32 Metadata::GetAllocStackId() const {
return atomic_load(&alloc_context_id, memory_order_relaxed); return atomic_load(&alloc_context_id, memory_order_relaxed);
} }
inline u32 Metadata::GetAllocThreadId() const {
u64 context = atomic_load(&alloc_context_id, memory_order_relaxed);
u32 tid = context >> 32;
return tid;
}
void GetAllocatorStats(AllocatorStatCounters s) { void GetAllocatorStats(AllocatorStatCounters s) {
allocator.GetStats(s); allocator.GetStats(s);
} }
inline void Metadata::SetLsanTag(__lsan::ChunkTag tag) { inline void Metadata::SetLsanTag(__lsan::ChunkTag tag) {
lsan_tag = tag; lsan_tag = tag;
} }
▲ Show 20 LinesShow All 174 Lines▼ Show 20 Lines Metadata *meta =
reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr)); reinterpret_cast<Metadata *>(allocator.GetMetaData(aligned_ptr));
if (!meta) { if (!meta) {
ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr)); ReportInvalidFree(stack, reinterpret_cast<uptr>(tagged_ptr));
return; return;
} }
uptr orig_size = meta->GetRequestedSize(); uptr orig_size = meta->GetRequestedSize();
u32 free_context_id = StackDepotPut(*stack); u32 free_context_id = StackDepotPut(*stack);
u32 alloc_context_id = meta->GetAllocStackId(); u32 alloc_context_id = meta->GetAllocStackId();
u32 alloc_thread_id = meta->GetAllocThreadId();
// Check tail magic. // Check tail magic.
uptr tagged_size = TaggedSize(orig_size); uptr tagged_size = TaggedSize(orig_size);
if (flags()->free_checks_tail_magic && orig_size && if (flags()->free_checks_tail_magic && orig_size &&
tagged_size != orig_size) { tagged_size != orig_size) {
uptr tail_size = tagged_size - orig_size - 1; uptr tail_size = tagged_size - orig_size - 1;
CHECK_LT(tail_size, kShadowAlignment); CHECK_LT(tail_size, kShadowAlignment);
void *tail_beg = reinterpret_cast<void *>( void *tail_beg = reinterpret_cast<void *>(
Show All 33 Lines if (t) {
static_assert(kFallbackFreeTag >= kShadowAlignment, static_assert(kFallbackFreeTag >= kShadowAlignment,
"fallback tag must not be a short granule tag."); "fallback tag must not be a short granule tag.");
tag = kFallbackFreeTag; tag = kFallbackFreeTag;
} }
TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size), TagMemoryAligned(reinterpret_cast<uptr>(aligned_ptr), TaggedSize(orig_size),
tag); tag);
} }
if (t) { if (t) {
allocator.Deallocate(t->allocator_cache(), aligned_ptr); allocator.Deallocate(t->allocator_cache(), aligned_ptr);
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

@eugenis Unrelated to the patch but seems Deallocate must be called after ha->push

vitalybuka: @eugenis Unrelated to the patch but seems Deallocate must be called after ha->push
if (auto *ha = t->heap_allocations()) if (auto *ha = t->heap_allocations())
ha->push({reinterpret_cast<uptr>(tagged_ptr), alloc_context_id, ha->push({reinterpret_cast<uptr>(tagged_ptr), alloc_thread_id,
free_context_id, static_cast<u32>(orig_size)}); alloc_context_id, free_context_id,
static_cast<u32>(orig_size)});
} else { } else {
SpinMutexLock l(&fallback_mutex); SpinMutexLock l(&fallback_mutex);
AllocatorCache *cache = &fallback_allocator_cache; AllocatorCache *cache = &fallback_allocator_cache;
allocator.Deallocate(cache, aligned_ptr); allocator.Deallocate(cache, aligned_ptr);
} }
} }
static void *HwasanReallocate(StackTrace *stack, void *tagged_ptr_old, static void *HwasanReallocate(StackTrace *stack, void *tagged_ptr_old,
▲ Show 20 LinesShow All 285 LinesShow Last 20 Lines

compiler-rt/lib/hwasan/hwasan_report.cpp

Show First 20 LinesShow All 325 Lines▼ Show 20 Lines if (chunk.IsAllocated()) {
Printf("%s", d.Error()); Printf("%s", d.Error());
Printf("\nCause: heap-buffer-overflow\n"); Printf("\nCause: heap-buffer-overflow\n");
Printf("%s", d.Default()); Printf("%s", d.Default());
Printf("%s", d.Location()); Printf("%s", d.Location());
Printf("%p is located %zd bytes %s a %zd-byte region [%p,%p)\n", Printf("%p is located %zd bytes %s a %zd-byte region [%p,%p)\n",
untagged_addr, offset, whence, chunk.UsedSize(), chunk.Beg(), untagged_addr, offset, whence, chunk.UsedSize(), chunk.Beg(),
chunk.End()); chunk.End());
Printf("%s", d.Allocation()); Printf("%s", d.Allocation());
Printf("allocated here:\n"); Printf("allocated by thread T%zd here:\n", chunk.GetAllocThreadId());
vitalybukaUnsubmitted
Done
ReplyInline Actions
Printf("%s", d.Allocation());
- Printf("allocated by thread T%zd here:\n", chunk.GetAllocThreadId());
+ Printf("allocated by thread T%u here:\n", chunk.GetAllocThreadId());
Printf("%s", d.Default());

u32 should be %u

vitalybuka: u32 should be %u
Printf("%s", d.Default()); Printf("%s", d.Default());
GetStackTraceFromId(chunk.GetAllocStackId()).Print(); GetStackTraceFromId(chunk.GetAllocStackId()).Print();
return; return;
} }
// Check whether the address points into a loaded library. If so, this is // Check whether the address points into a loaded library. If so, this is
// most likely a global variable. // most likely a global variable.
const char *module_name; const char *module_name;
uptr module_address; uptr module_address;
▲ Show 20 LinesShow All 125 Lines▼ Show 20 Lines if (FindHeapAllocation(t->heap_allocations(), tagged_addr, &har,
Printf("%s", d.Error()); Printf("%s", d.Error());
Printf("\nCause: use-after-free\n"); Printf("\nCause: use-after-free\n");
Printf("%s", d.Location()); Printf("%s", d.Location());
Printf("%p is located %zd bytes inside a %zd-byte region [%p,%p)\n", Printf("%p is located %zd bytes inside a %zd-byte region [%p,%p)\n",
untagged_addr, untagged_addr - UntagAddr(har.tagged_addr), untagged_addr, untagged_addr - UntagAddr(har.tagged_addr),
har.requested_size, UntagAddr(har.tagged_addr), har.requested_size, UntagAddr(har.tagged_addr),
UntagAddr(har.tagged_addr) + har.requested_size); UntagAddr(har.tagged_addr) + har.requested_size);
Printf("%s", d.Allocation()); Printf("%s", d.Allocation());
Printf("freed by thread T%zd here:\n", t->unique_id()); Printf("freed by thread T%zd here:\n", t->unique_id());
vitalybukaUnsubmitted
Done
ReplyInline Actions
Printf("%s", d.Allocation());
- Printf("freed by thread T%zd here:\n", t->unique_id());
+ Printf("freed by thread T%u here:\n", t->unique_id());
Printf("%s", d.Default());
vitalybuka:
Printf("%s", d.Default()); Printf("%s", d.Default());
GetStackTraceFromId(har.free_context_id).Print(); GetStackTraceFromId(har.free_context_id).Print();
Printf("%s", d.Allocation()); Printf("%s", d.Allocation());
Printf("previously allocated here:\n", t); Printf("previously allocated by thread T%zd here:\n",
vitalybukaUnsubmitted
Done
ReplyInline Actions
Printf("%s", d.Allocation());
- Printf("previously allocated by thread T%zd here:\n",
+ Printf("previously allocated by thread T%u here:\n",
har.alloc_thread_id);
vitalybuka:
har.alloc_thread_id);
Printf("%s", d.Default()); Printf("%s", d.Default());
GetStackTraceFromId(har.alloc_context_id).Print(); GetStackTraceFromId(har.alloc_context_id).Print();
// Print a developer note: the index of this heap object // Print a developer note: the index of this heap object
// in the thread's deallocation ring buffer. // in the thread's deallocation ring buffer.
Printf("hwasan_dev_note_heap_rb_distance: %zd %zd\n", ring_index + 1, Printf("hwasan_dev_note_heap_rb_distance: %zd %zd\n", ring_index + 1,
flags()->heap_history_size); flags()->heap_history_size);
Printf("hwasan_dev_note_num_matching_addrs: %zd\n", num_matching_addrs); Printf("hwasan_dev_note_num_matching_addrs: %zd\n", num_matching_addrs);
▲ Show 20 LinesShow All 315 LinesShow Last 20 Lines

compiler-rt/test/hwasan/TestCases/double-free.c

Show All 12 Linesint main() {
free(x); free(x);
// CHECK: ERROR: HWAddressSanitizer: invalid-free on address {{.*}} at pc {{[0x]+}}[[PC:.*]] on thread T{{[0-9]+}} // CHECK: ERROR: HWAddressSanitizer: invalid-free on address {{.*}} at pc {{[0x]+}}[[PC:.*]] on thread T{{[0-9]+}}
// CHECK: tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) // CHECK: tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// CHECK: #0 {{[0x]+}}{{.*}}[[PC]] // CHECK: #0 {{[0x]+}}{{.*}}[[PC]]
// If we instrument using calls (default on x86), free is not the top frame // If we instrument using calls (default on x86), free is not the top frame
// of the fault. With TCO the free frame can be replaced with the interceptor. // of the fault. With TCO the free frame can be replaced with the interceptor.
// CHECK: in {{.*}}free // CHECK: in {{.*}}free
// CHECK: freed by thread {{.*}} here: // CHECK: freed by thread {{.*}} here:
// CHECK: previously allocated here: // CHECK: previously allocated by thread {{.*}} here:
// CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes): // CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// CHECK: =>{{.*}}[[MEM_TAG]] // CHECK: =>{{.*}}[[MEM_TAG]]
fprintf(stderr, "DONE\n"); fprintf(stderr, "DONE\n");
__hwasan_disable_allocator_tagging(); __hwasan_disable_allocator_tagging();
// CHECK-NOT: DONE // CHECK-NOT: DONE
} }

compiler-rt/test/hwasan/TestCases/hwasan_symbolize.cpp

Show All 12 Lines
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
char *volatile x = (char *)malloc(10); char *volatile x = (char *)malloc(10);
sink = x[100]; sink = x[100];
// LINKIFY: <a href="http://test.invalid/hwasan_symbolize.cpp:[[@LINE-1]]"> // LINKIFY: <a href="http://test.invalid/hwasan_symbolize.cpp:[[@LINE-1]]">
// CHECK: hwasan_symbolize.cpp:[[@LINE-2]] // CHECK: hwasan_symbolize.cpp:[[@LINE-2]]
// CHECK: Cause: heap-buffer-overflow // CHECK: Cause: heap-buffer-overflow
// CHECK: allocated here: // CHECK: allocated by thread {{.*}} here:
// LINKIFY: <a href="http://test.invalid/hwasan_symbolize.cpp:[[@LINE-6]]"> // LINKIFY: <a href="http://test.invalid/hwasan_symbolize.cpp:[[@LINE-6]]">
// CHECK: hwasan_symbolize.cpp:[[@LINE-7]] // CHECK: hwasan_symbolize.cpp:[[@LINE-7]]
return 0; return 0;
} }

compiler-rt/test/hwasan/TestCases/realloc-after-free.c

Show All 10 Lines
int main(int argc, char **argv) { int main(int argc, char **argv) {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
if (argc != 2) return 0; if (argc != 2) return 0;
int realloc_size = atoi(argv[1]); int realloc_size = atoi(argv[1]);
char * volatile x = (char*)malloc(40); char * volatile x = (char*)malloc(40);
free(x); free(x);
x = realloc(x, realloc_size); x = realloc(x, realloc_size);
// CHECK: ERROR: HWAddressSanitizer: invalid-free on address // CHECK: ERROR: HWAddressSanitizer: invalid-free on address
// CHECK: tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem) // CHECK: tags: [[PTR_TAG:..]]/[[MEM_TAG:..]] (ptr/mem)
// CHECK: freed by thread {{.*}} here: // CHECK: freed by thread {{.*}} here:
// CHECK: previously allocated here: // CHECK: previously allocated by thread {{.*}} here:
// CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes): // CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// CHECK: =>{{.*}}[[MEM_TAG]] // CHECK: =>{{.*}}[[MEM_TAG]]
fprintf(stderr, "DONE\n"); fprintf(stderr, "DONE\n");
__hwasan_disable_allocator_tagging(); __hwasan_disable_allocator_tagging();
// CHECK-NOT: DONE // CHECK-NOT: DONE
} }

compiler-rt/test/hwasan/TestCases/set-error-report-callback.cpp

Show All 11 Lines
int main() { int main() {
__hwasan_enable_allocator_tagging(); __hwasan_enable_allocator_tagging();
__hwasan_set_error_report_callback(&callback); __hwasan_set_error_report_callback(&callback);
char *volatile p = (char *)malloc(16); char *volatile p = (char *)malloc(16);
p[16] = 1; p[16] = 1;
free(p); free(p);
// CHECK: ERROR: HWAddressSanitizer: // CHECK: ERROR: HWAddressSanitizer:
// CHECK: WRITE of size 1 at // CHECK: WRITE of size 1 at
// CHECK: allocated here: // CHECK: allocated by thread {{.*}} here:
// CHECK: Memory tags around the buggy address // CHECK: Memory tags around the buggy address
// CHECK: == error start // CHECK: == error start
// CHECK: ERROR: HWAddressSanitizer: // CHECK: ERROR: HWAddressSanitizer:
// CHECK: WRITE of size 1 at // CHECK: WRITE of size 1 at
// CHECK: allocated here: // CHECK: allocated by thread {{.*}} here:
// CHECK: Memory tags around the buggy address // CHECK: Memory tags around the buggy address
// CHECK: == error end // CHECK: == error end
} }

compiler-rt/test/hwasan/TestCases/tag_in_free.c

Show All 27 Lines for (int i = 0; i < 100; ++i) {
char * volatile p = (char*)malloc(10); char * volatile p = (char*)malloc(10);
free(p); free(p);
} }
char * volatile p = (char*)malloc(10); char * volatile p = (char*)malloc(10);
#ifdef MALLOC #ifdef MALLOC
// MALLOC: READ of size 1 at // MALLOC: READ of size 1 at
// MALLOC: is located 6 bytes after a 10-byte region // MALLOC: is located 6 bytes after a 10-byte region
// MALLOC: allocated here: // MALLOC: allocated by thread T0 here:
char volatile x = p[16]; char volatile x = p[16];
#endif #endif
free(p); free(p);
#ifdef FREE #ifdef FREE
// FREE: READ of size 1 at // FREE: READ of size 1 at
// FREE: is located 0 bytes inside a 10-byte region // FREE: is located 0 bytes inside a 10-byte region
// FREE: freed by thread T0 here: // FREE: freed by thread T0 here:
// FREE: previously allocated here: // FREE: previously allocated by thread T0 here:
char volatile y = p[0]; char volatile y = p[0];
#endif #endif
__hwasan_disable_allocator_tagging(); __hwasan_disable_allocator_tagging();
return 0; return 0;
} }

compiler-rt/test/hwasan/TestCases/thread-uaf.c

Show All 27 Lines
void *Use(void *arg) { void *Use(void *arg) {
x[5] = 42; x[5] = 42;
// CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address // CHECK: ERROR: HWAddressSanitizer: tag-mismatch on address
// CHECK: WRITE of size 1 {{.*}} in thread T3 // CHECK: WRITE of size 1 {{.*}} in thread T3
// CHECK: thread-uaf.c:[[@LINE-3]] // CHECK: thread-uaf.c:[[@LINE-3]]
// CHECK: Cause: use-after-free // CHECK: Cause: use-after-free
// CHECK: freed by thread T2 here // CHECK: freed by thread T2 here
// CHECK: in Deallocate // CHECK: in Deallocate
// CHECK: previously allocated here: // CHECK: previously allocated by thread T1 here:
// CHECK: in Allocate // CHECK: in Allocate
// CHECK-DAG: Thread: T2 0x // CHECK-DAG: Thread: T2 0x
// CHECK-DAG: Thread: T3 0x // CHECK-DAG: Thread: T3 0x
// CHECK-DAG: Thread: T0 0x // CHECK-DAG: Thread: T0 0x
// CHECK-DAG: Thread: T1 0x // CHECK-DAG: Thread: T1 0x
__sync_fetch_and_add(&state, 1); __sync_fetch_and_add(&state, 1);
return NULL; return NULL;
} }
Show All 15 Lines

compiler-rt/test/hwasan/TestCases/use-after-free.c

Show All 29 Linesint main() {
// CHECK: is a small unallocated heap chunk; size: {{16|32}} offset: {{5|11}} // CHECK: is a small unallocated heap chunk; size: {{16|32}} offset: {{5|11}}
// CHECK: Cause: use-after-free // CHECK: Cause: use-after-free
// CHECK: is located 5 bytes inside a 10-byte region // CHECK: is located 5 bytes inside a 10-byte region
// //
// CHECK: freed by thread {{.*}} here: // CHECK: freed by thread {{.*}} here:
// CHECK: #0 {{.*}} in {{.*}}free{{.*}} {{.*}}hwasan_allocation_functions.cpp // CHECK: #0 {{.*}} in {{.*}}free{{.*}} {{.*}}hwasan_allocation_functions.cpp
// CHECK: #1 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-19]] // CHECK: #1 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-19]]
// CHECK: previously allocated here: // CHECK: previously allocated by thread {{.*}} here:
// CHECK: #0 {{.*}} in {{.*}}malloc{{.*}} {{.*}}hwasan_allocation_functions.cpp // CHECK: #0 {{.*}} in {{.*}}malloc{{.*}} {{.*}}hwasan_allocation_functions.cpp
// CHECK: #1 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-24]] // CHECK: #1 {{.*}} in main {{.*}}use-after-free.c:[[@LINE-24]]
// CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes): // CHECK: Memory tags around the buggy address (one tag corresponds to 16 bytes):
// CHECK: =>{{.*}}[[MEM_TAG]] // CHECK: =>{{.*}}[[MEM_TAG]]
// CHECK: SUMMARY: HWAddressSanitizer: tag-mismatch // CHECK: SUMMARY: HWAddressSanitizer: tag-mismatch
return r; return r;
} }