This is an archive of the discontinued LLVM Phabricator instance.

Paths

Table of Contentst

-
lib/asan/
-
asan/
4/5
asan_descriptions.h
12/12
asan_descriptions.cc
12/14
asan_report.cc
2/3
asan_thread.h
3/4
asan_thread.cc
-
test/asan/TestCases/
-
asan/
-
TestCases/
2
invalid-pointer-pairs-compare-errors.cc
-
invalid-pointer-pairs-compare-success.cc
1
invalid-pointer-pairs-subtract-errors.cc
1
invalid-pointer-pairs-subtract-success.cc
2
invalid-pointer-pairs-threads.cc

Differential D38971

Enhance libsanitizer support for invalid-pointer-pair.
AbandonedPublic

Authored by marxin on Oct 16 2017, 1:36 PM.

Download Raw Diff

Details

Reviewers

kcc
llvm-commits

Summary

Hi.

Following patch adds support of all memory origins in CheckForInvalidPointerPair function.
For small difference of pointers, it's directly done in shadow memory (the limit was set to 2048B).
Then we search for origin of first pointer and verify that the second one has the same origin. If so,
we verify that it points either to a same variable (in case of stack memory or a global variable), or to
a same heap segment.

Diff Detail

Event Timeline

marxin created this revision.Oct 16 2017, 1:36 PM

Herald added a subscriber: kubamracek. · View Herald TranscriptOct 16 2017, 1:36 PM

There's link to GCC tests I created:

https://github.com/marxin/gcc/blob/asan-pointer-comparison-v4/gcc/testsuite/c-c++-common/asan/pointer-compare-1.c
https://github.com/marxin/gcc/blob/asan-pointer-comparison-v4/gcc/testsuite/c-c++-common/asan/pointer-compare-2.c
https://github.com/marxin/gcc/blob/asan-pointer-comparison-v4/gcc/testsuite/c-c++-common/asan/pointer-subtract-1.c
https://github.com/marxin/gcc/blob/asan-pointer-comparison-v4/gcc/testsuite/c-c++-common/asan/pointer-subtract-2.c

Thanks for the patch, but...

please follow the coding style (some comments inline)
please add tests

lib/asan/asan_descriptions.cc
227	the idiom used in this code is if (T *x = getX()) { use(x) }
353	We don't use 'unsigned' in this code for this purpose.
361	Please make sure to format all the code.

kcc added inline comments.Oct 16 2017, 1:41 PM

lib/asan/asan_report.cc
329	No goto please.

Thanks, I'll add some tests. May I please ask you how to run a single test-case (I guess using llvm-lit) ?

Besides the patch, we'd like to coordinate on options enabling this in the compilers.
From what I can see, in clang it is currently an experimental asan-detect-invalid-pointer-pair param,
what Martin has implemented is handle it as another kind of sanitization (separate kinds for pointer compare and pointer subtract),
-fsanitize=pointer-subtract or -fsanitize=pointer-compare. One can then do:
-fsanitize=address,pointer-subtract,pointer-compare etc., if address is not specified but one of these is, then
right now we error out. I could imagine pointer-subtract or pointer-compare to be supported even without address
sanitization, where we'd link against libasan and add poisoning/unpoisoning/global variable registration etc., but not
memory dereference checks, the problem is that the compiler then doesn't know if it should do the registration etc.
in kernel-address or user address style.

I've updated patch where I fixed:

various coding style issues (as reported by make check-asan)
goto has been removed, not that due to ThreadRegistryLock, there are some extra scopes that guarantee that we don't reach a dead lock
new tests have been aded

Shouldn't detect_invalid_pointer_pairs=1 be the default? I mean, the user already makes the decision to enable it through a compiler option/parameter and the generated code adds non-zero amount of .text space and some runtime cost, and there is no extra runtime costs for this if code isn't instrumented, so detect_invalid_pointer_pairs=0 by default only causes false assumption that code is error clean.

In D38971#899679, @jakubjelinek wrote:

Shouldn't detect_invalid_pointer_pairs=1 be the default? I mean, the user already makes the decision to enable it through a compiler option/parameter and the generated code adds non-zero amount of .text space and some runtime cost, and there is no extra runtime costs for this if code isn't instrumented, so detect_invalid_pointer_pairs=0 by default only causes false assumption that code is error clean.

Works for me. I'll update the patch.

So I've got patch for both default value of the option and type of the option. Currently it's int, but we don't use any levels different from 0/1.
Are both changes desired?

In D38971#899407, @marxin wrote:

Thanks, I'll add some tests. May I please ask you how to run a single test-case (I guess using llvm-lit) ?

Frankly, dunno. The entire ninja check-llvm takes 40 seconds for me
Doesn't this work?

llvm-lit <test path>

[disclaimer: this is the week of the LLVM developer conference, please expect delayed replies]

In D38971#899422, @jakubjelinek wrote:

Besides the patch, we'd like to coordinate on options enabling this in the compilers.
From what I can see, in clang it is currently an experimental asan-detect-invalid-pointer-pair param,
what Martin has implemented is handle it as another kind of sanitization (separate kinds for pointer compare and pointer subtract),
-fsanitize=pointer-subtract or -fsanitize=pointer-compare. One can then do:
-fsanitize=address,pointer-subtract,pointer-compare etc., if address is not specified but one of these is, then
right now we error out.

Yes, something like this sounds good.

I've prototyped this feature quite a while ago and tried it on a large code base and got a lot of false positives (or things that looked like false positives).
One problem is that C++'s std::less explicitly allows comparing two unrelated pointers and this is used in std::set and such.
I suspect that proper implementation in LLVM will need to have the instrumentation done in Clang, not in LLVM
See also https://bugs.llvm.org/show_bug.cgi?id=18989

Unfortunately, my team is unlikely to have time for this work in Q4 -- but we will gladly review patches.

I could imagine pointer-subtract or pointer-compare to be supported even without address
sanitization, where we'd link against libasan and add poisoning/unpoisoning/global variable registration etc., but not
memory dereference checks, the problem is that the compiler then doesn't know if it should do the registration etc.
in kernel-address or user address style.

We may do it in future but I wouldn't bother about pointer checks w/o asan for now -- not until we see how this feature works.

In D38971#899679, @jakubjelinek wrote:

Shouldn't detect_invalid_pointer_pairs=1 be the default? I mean, the user already makes the decision to enable it through a compiler option/parameter and the generated code adds non-zero amount of .text space and some runtime cost, and there is no extra runtime costs for this if code isn't instrumented, so detect_invalid_pointer_pairs=0 by default only causes false assumption that code is error clean.

Maybe later.
The reason for these two-stage flags is that first we need to ensure that the instrumentation itself does not introduce any trouble (excessive code size, too frequent callbacks, etc).
Only then, we want to enable the run-time feature and we can do it selectively at process startup vi __asan_default_options or ASAN_OPTIONS

Please use the arc tool to submit the patch or otherwise paste the patch with full context.
Please always CC llvm-commits for changes in compiler-rt (phabricator doesn't do it automatically)

(My next response is likely to be on the next week)

lib/asan/asan_descriptions.cc
225	You can simplify the interface and the implementation if you return shadow_addr or nullptr if it's not found.
229	no else after return
347	indentation doesn't look right. If in doubt, use clang-format
353	int is even worse. In proper C++ the only good type for iteration is size_t. asan is not a proper C++ sadly, so we use uptr.
lib/asan/asan_descriptions.h
150	Returns true
152	naming nit pick: points inside the same var or points inside a same var ? Not native speaker myself, but I think the is right.
lib/asan/asan_report.cc
300	a macro is better than a goto, but still bad. Can this be expressed in just C++? (e.g. wrap the main logic into a separate function and return from it on error).
329	ouch. We have a lock in a function that is called on every pointer cmp? This is bad. We need to avoid the lock. Probably by relaxing the check a bit (e.g. never compare pointers from other thread's stacks). Also, your tests don't seem to have threads, so this code is probably untested.
lib/asan/asan_thread.cc
357	Please use RoundUpTo() or some such
364	no need for {}
test/asan/TestCases/invalid-pointer-pairs-compare-1.cc
1 ↗	(On Diff #119294)	What does the file name mean (-1.cc vs -2.cc)? If these are positive vs negtive, either express this in the name or (better) put everything into one file. E.g. put all positives in the beginning and use CHECK-NOT to ensure we don't report anything there
test/asan/TestCases/invalid-pointer-pairs-subtract-1.cc
1 ↗	(On Diff #119294)	same here.

(just saw this by accident)

@marxin @kcc

May I please ask you how to run a single test-case (I guess using llvm-lit) ?

I've added LIT_FILTER environment variable for such cases. So the command line becomes e.g. env LIT_FILTER=mytestcase.cc ninja check-clang

In D38971#900253, @kcc wrote:
In D38971#899407, @marxin wrote:

Thanks, I'll add some tests. May I please ask you how to run a single test-case (I guess using llvm-lit) ?

Frankly, dunno. The entire ninja check-llvm takes 40 seconds for me
Doesn't this work?
llvm-lit <test path>

Agree that make check-sanitizer is really fast.

lib/asan/asan_descriptions.cc
225	Good point!
353	I basically copied what's done in GlobalAddressDescription::Print: for (int i = 0; i < size; i++) { I'm changing that to uptr.
lib/asan/asan_descriptions.h
152	Agree, your name is better.
lib/asan/asan_report.cc
329	Unfortunately yes. Do you mean to call FindThreadByStackAddress (which currently needs lock as it calls FindThreadContextLocked)? Then comparing the variables if threads do match? I can come up with a test-case for that.

In D38971#900315, @kcc wrote:

Please use the arc tool to submit the patch or otherwise paste the patch with full context.
Please always CC llvm-commits for changes in compiler-rt (phabricator doesn't do it automatically)

Done that with new version of the patch.

(My next response is likely to be on the next week)

Works for me.

Fixed most of notes spotted by @kcc.

Analyzing errors spotted on GCC itself, I would suggest to have 3 values for detect_invalid_pointer_pairs:

0 = disabled
1 = all except comparison with zero (0x0)
2 = all

Thoughts?

In D38971#901428, @marxin wrote:

Analyzing errors spotted on GCC itself, I would suggest to have 3 values for detect_invalid_pointer_pairs:

0 = disabled

1 = all except comparison with zero (0x0)

2 = all

Thoughts?

What does the standard say about comparisons with zero and subtracting zero from a pointer?

lib/asan/asan_report.cc
308	isn't this the same as return __asan_region_is_poisoned(left, offset);
329	We should not call anything that grabs a lock here. Let's start from simply ignoring any pointers from threads other than the current.

What does the standard say about comparisons with zero and subtracting zero from a pointer?

I summarize that for both languages C and C++

Relational operators: §6.5.8 - point 5 - there's described that it's defined basically for same objects; last sentence says:

In all other cases, the behavior is undefined.

Additive operators - §6.5.6 - point 9 - it basically says that it's defined if it's representative in ptrdiff_t type

C++:

Relational operators: §5.9.3 - it defined explicitly which situations are defined - comparison of pointers to a different object

and also comparison with null pointer is not listed. Thus I consider it as invalid.

Additive operators: §5.7.6 - quite clear:

Unless both pointers point to elements of the same array object, or

one past the last element of the array object, the behavior is undefined.

That said, we should probably skip instrumentation of additive operators in C. What do you think @kcc and @jakubjelinek
about 3 levels of detect_invalid_pointer_pairs ?

I summarize that for both languages C and C++

Ok, it might be worth having a separate flag.
But please do it in a separate patch.

I'll do it in a separate patch.
Can you please @kcc explain me how should I use the lock for stack access in order to have it less locking?
I'm planning also to come up with a multi-threaded test-case.

In D38971#907748, @marxin wrote:

I'll do it in a separate patch.
Can you please @kcc explain me how should I use the lock for stack access in order to have it less locking?
I'm planning also to come up with a multi-threaded test-case.

Please just don't do it in this patch -- no locking, no checking of other thread's stacks.

In D38971#908129, @kcc wrote:

In D38971#907748, @marxin wrote:

I'll do it in a separate patch.
Can you please @kcc explain me how should I use the lock for stack access in order to have it less locking?
I'm planning also to come up with a multi-threaded test-case.

Please just don't do it in this patch -- no locking, no checking of other thread's stacks.

Ok, so now we check pointers in shadow memory for size <= 2048. If we don't want to grab the lock, FindThreadByStackAddress can't be used.
And thus AddrIsInStack can't be used. So do you prefer not to use it and stay with the shadow memory iteration?

We can still use the stack bounds for the *current* thread, right?
(maybe will need some extra plumbing for this)

Updated version where we do not grab thread registry lock. New threads test added.

marxin marked 5 inline comments as done.Nov 1 2017, 6:11 AM

Hello. I would like to gently ping the review. Hope we're close to be accepted?

[sorry, I've been swamped]
Alexey, please make your round of reviews.

lib/asan/asan_descriptions.cc
344	I can't read this. Please refactor in a more readable way. I suggest to do a = globals[i] b = globals[j] and implement lambda(s) to compute recurring subexpression(s)
lib/asan/asan_report.cc
307	define a const uptr kMaxOffset = 2048; // Explain why 2048

Updated version, as we mix __asan_globals and GlobalAddressDescription in GlobalAddressDescription::PointsInsideTheSameVariable, I decided not to use lambdas.
Even though, hope it's readable.

marxin marked 2 inline comments as done.Nov 7 2017, 11:05 PM

Add couple more comments, sorry for delay.
Alexey, your turn now.

lib/asan/asan_report.cc
316	Ouch. Please don't do this. uptr a; if((a = foo())) ... It's easy to misinterpret such code. Instead, do if (uptr a = foo()) ...
317	here and below instead of if (a && b) return true; else return false; prefer return a && b;

Notes fixed in the new version.

marxin marked an inline comment as done.Nov 14 2017, 12:51 AM

Very sorry for the delay!

lib/asan/asan_descriptions.cc
344	Move it to the outer loop
345	const __asan_global &b and the same for a
lib/asan/asan_descriptions.h
149	this description points inside the same
lib/asan/asan_report.cc
307	uptr offset = right - left;
319	What are we trying to save here? Why not just being explicit: if (uptr shadow_offset_left = t->GetStackFrameVariableBeginning(left)) { uptr shadow_offset_right = t->GetStackFrameVariableBeginning(right); return shadow_offset_right == 0 \|\| shadow_offset_left != shadow_offset_right; }
332	I wonder why "right - 1"?
lib/asan/asan_thread.cc
369	It returns a pointer to one of the redzones, not to the variable beginning (as the function name suggests), right?
lib/asan/asan_thread.h
93	Returns a pointer to the start of the stack variable's shadow memory.
94	GetStackVariableShadowStart

Updated according to provided review.
Unfortunately I'm leaving for holidays tomorrow. @jakubjelinek will fix notes if there will be any.

marxin marked 8 inline comments as done.Nov 21 2017, 2:37 AM

marxin marked an inline comment as done.Nov 21 2017, 2:39 AM

marxin added inline comments.

lib/asan/asan_report.cc
332	Because it's possible to have a valid pointer comparison of a pointer that points right after a valid location. In case of global variables, for a pointer pointing right after a variable, I want to have it listed in GlobalAddressDescription. I added test-case for that: + bar(&global[0], &global[10000]);

alekseyshl added inline comments.Nov 21 2017, 2:01 PM

lib/asan/asan_report.cc
340	Change it to // style comment.
lib/asan/asan_thread.cc
369	That was a question, actually. This function does not what its name suggests. At least, acknowledge it in the comment and explain why it is ok.
lib/asan/asan_thread.h
93	It's marked as done, but I do not see the change.
test/asan/TestCases/invalid-pointer-pairs-compare-errors.cc
18	int main() {
101	free(heap1);
test/asan/TestCases/invalid-pointer-pairs-subtract-errors.cc
45	free(heap1); free(heap2);
test/asan/TestCases/invalid-pointer-pairs-subtract-success.cc
28	In all the tests, change /* */ comments to //
test/asan/TestCases/invalid-pointer-pairs-threads.cc
8	This test should be in test/asan/TestCases/Posix/
34	This and sleep in threads, use synchronization instead (for example, two barriers of count 3, barrier_assign and barrier_check, wait for _assign here and wait for _check after the pointer check). That will be less flaky, not racy and much faster than 1 second.

Phabriactor doesn't allow me to update this patch, so I've uploaded it to D40600 instead. If you have a way to update the diff here, please do.

lib/asan/asan_descriptions.h
152	The comment also has a "inside a same" when it should be "inside the same".

D40600 is committed, I guess, we can abandon this one now.

alekseyshl removed a reviewer: alekseyshl.Dec 5 2017, 12:00 PM

marxin abandoned this revision.Mar 14 2018, 1:49 AM

marxin marked an inline comment as done.

Revision Contents

Path

Size

lib/

asan/

4 lines

17 lines

62 lines

3 lines

25 lines

test/

asan/

TestCases/

invalid-pointer-pairs-compare-errors.cc

102 lines

invalid-pointer-pairs-compare-success.cc

75 lines

invalid-pointer-pairs-subtract-errors.cc

46 lines

invalid-pointer-pairs-subtract-success.cc

33 lines

invalid-pointer-pairs-threads.cc

51 lines

Diff 121121

lib/asan/asan_descriptions.h

Show First 20 Lines • Show All 139 Lines • ▼ Show 20 Lines	struct GlobalAddressDescription {
// Assume address is close to at most four globals.		// Assume address is close to at most four globals.
static const int kMaxGlobals = 4;		static const int kMaxGlobals = 4;
__asan_global globals[kMaxGlobals];		__asan_global globals[kMaxGlobals];
u32 reg_sites[kMaxGlobals];		u32 reg_sites[kMaxGlobals];
uptr access_size;		uptr access_size;
u8 size;		u8 size;

void Print(const char *bug_type = "") const;		void Print(const char *bug_type = "") const;

		// Returns true when this descriptions points inside a same global variable
		alekseyshlUnsubmitted Done Reply Inline Actions this description points inside the same alekseyshl: this description points inside the same
		// as other. Descriptions can have different address within the variable
		kccUnsubmitted Done Reply Inline Actions Returns true kcc: Returns true
		bool PointsInsideTheSameVariable(const GlobalAddressDescription &other) const;
};		};
		kccUnsubmitted Done Reply Inline Actions naming nit pick: points inside the same var or points inside a same var ? Not native speaker myself, but I think the is right. kcc: naming nit pick: points inside the same var or points inside a same var ? Not native…
		marxinAuthorUnsubmitted Done Reply Inline Actions Agree, your name is better. marxin: Agree, your name is better.
		jakubjelinekUnsubmitted Not Done Reply Inline Actions The comment also has a "inside a same" when it should be "inside the same". jakubjelinek: The comment also has a "inside a same" when it should be "inside the same".

bool GetGlobalAddressInformation(uptr addr, uptr access_size,		bool GetGlobalAddressInformation(uptr addr, uptr access_size,
GlobalAddressDescription *descr);		GlobalAddressDescription *descr);
bool DescribeAddressIfGlobal(uptr addr, uptr access_size, const char *bug_type);		bool DescribeAddressIfGlobal(uptr addr, uptr access_size, const char *bug_type);

// General function to describe an address. Will try to describe the address as		// General function to describe an address. Will try to describe the address as
// a shadow, global (variable), stack, or heap address.		// a shadow, global (variable), stack, or heap address.
// bug_type is optional and is used for checking if we're reporting an		// bug_type is optional and is used for checking if we're reporting an
▲ Show 20 Lines • Show All 91 Lines • Show Last 20 Lines

lib/asan/asan_descriptions.cc

Show First 20 Lines • Show All 216 Lines • ▼ Show 20 Lines	#if SANITIZER_PPC64V1
// the address of the function's code.		// the address of the function's code.
descr->frame_pc = reinterpret_cast<uptr >(descr->frame_pc);		descr->frame_pc = reinterpret_cast<uptr >(descr->frame_pc);
#endif		#endif
descr->frame_pc += 16;		descr->frame_pc += 16;

return true;		return true;
}		}

static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,		static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,
		kccUnsubmitted Done Reply Inline Actions You can simplify the interface and the implementation if you return shadow_addr or nullptr if it's not found. kcc: You can simplify the interface and the implementation if you return shadow_addr or nullptr if…
		marxinAuthorUnsubmitted Done Reply Inline Actions Good point! marxin: Good point!
uptr access_size, uptr prev_var_end,		uptr access_size, uptr prev_var_end,
uptr next_var_beg) {		uptr next_var_beg) {
		kccUnsubmitted Done Reply Inline Actions the idiom used in this code is if (T x = getX()) { use(x) } kcc:* the idiom used in this code is if (T *x = getX()) { use(x) }
uptr var_end = var.beg + var.size;		uptr var_end = var.beg + var.size;
uptr addr_end = addr + access_size;		uptr addr_end = addr + access_size;
		kccUnsubmitted Done Reply Inline Actions no else after return kcc: no else after return
const char *pos_descr = nullptr;		const char *pos_descr = nullptr;
// If the variable [var.beg, var_end) is the nearest variable to the		// If the variable [var.beg, var_end) is the nearest variable to the
// current memory access, indicate it in the log.		// current memory access, indicate it in the log.
if (addr >= var.beg) {		if (addr >= var.beg) {
if (addr_end <= var_end)		if (addr_end <= var_end)
pos_descr = "is inside"; // May happen if this is a use-after-return.		pos_descr = "is inside"; // May happen if this is a use-after-return.
else if (addr < var_end)		else if (addr < var_end)
pos_descr = "partially overflows";		pos_descr = "partially overflows";
▲ Show 20 Lines • Show All 92 Lines • ▼ Show 20 Lines	if (bug_type &&
0 == internal_strcmp(bug_type, "initialization-order-fiasco") &&		0 == internal_strcmp(bug_type, "initialization-order-fiasco") &&
reg_sites[i]) {		reg_sites[i]) {
Printf(" registered at:\n");		Printf(" registered at:\n");
StackDepotGet(reg_sites[i]).Print();		StackDepotGet(reg_sites[i]).Print();
}		}
}		}
}		}

		bool GlobalAddressDescription::PointsInsideTheSameVariable(
		const GlobalAddressDescription &other) const {
		if (size == 0 \|\| other.size == 0) return false;

		for (uptr i = 0; i < size; i++)
		for (uptr j = 0; j < other.size; j++) {
		if (globals[i].beg == other.globals[j].beg && globals[i].beg <= addr &&
		kccUnsubmitted Done Reply Inline Actions I can't read this. Please refactor in a more readable way. I suggest to do a = globals[i] b = globals[j] and implement lambda(s) to compute recurring subexpression(s) kcc: I can't read this. Please refactor in a more readable way. I suggest to do a = globals[i]…
		alekseyshlUnsubmitted Done Reply Inline Actions Move it to the outer loop alekseyshl: Move it to the outer loop
		other.globals[j].beg <= other.addr &&
		alekseyshlUnsubmitted Done Reply Inline Actions const __asan_global &b and the same for a alekseyshl: const __asan_global &b and the same for a
		(addr + access_size) < (globals[i].beg + globals[i].size) &&
		((other.addr + other.access_size) <
		kccUnsubmitted Done Reply Inline Actions indentation doesn't look right. If in doubt, use clang-format kcc: indentation doesn't look right. If in doubt, use clang-format
		(other.globals[j].beg + other.globals[j].size)))
		return true;
		}

		return false;
		}
		kccUnsubmitted Done Reply Inline Actions We don't use 'unsigned' in this code for this purpose. kcc: We don't use 'unsigned' in this code for this purpose.
		kccUnsubmitted Done Reply Inline Actions int is even worse. In proper C++ the only good type for iteration is size_t. asan is not a proper C++ sadly, so we use uptr. kcc: int is even worse. In proper C++ the only good type for iteration is size_t. asan is not a…
		marxinAuthorUnsubmitted Done Reply Inline Actions I basically copied what's done in GlobalAddressDescription::Print: for (int i = 0; i < size; i++) { I'm changing that to uptr. marxin: I basically copied what's done in GlobalAddressDescription::Print: for (int i = 0; i < size…

void StackAddressDescription::Print() const {		void StackAddressDescription::Print() const {
Decorator d;		Decorator d;
char tname[128];		char tname[128];
Printf("%s", d.Location());		Printf("%s", d.Location());
Printf("Address %p is located in stack of thread T%d%s", addr, tid,		Printf("Address %p is located in stack of thread T%d%s", addr, tid,
ThreadNameWithParenthesis(tid, tname, sizeof(tname)));		ThreadNameWithParenthesis(tid, tname, sizeof(tname)));

		kccUnsubmitted Done Reply Inline Actions Please make sure to format all the code. kcc: Please make sure to format all the code.
if (!frame_descr) {		if (!frame_descr) {
Printf("%s\n", d.Default());		Printf("%s\n", d.Default());
return;		return;
}		}
Printf(" at offset %zu in frame%s\n", offset, d.Default());		Printf(" at offset %zu in frame%s\n", offset, d.Default());

// Now we print the frame where the alloca has happened.		// Now we print the frame where the alloca has happened.
// We print this frame as a stack trace with one element.		// We print this frame as a stack trace with one element.
▲ Show 20 Lines • Show All 137 Lines • Show Last 20 Lines

lib/asan/asan_report.cc

	Show First 20 Lines • Show All 291 Lines • ▼ Show 20 Lines
	// ----------------------- CheckForInvalidPointerPair ----------- {{{1			// ----------------------- CheckForInvalidPointerPair ----------- {{{1
	static NOINLINE void ReportInvalidPointerPair(uptr pc, uptr bp, uptr sp,			static NOINLINE void ReportInvalidPointerPair(uptr pc, uptr bp, uptr sp,
	uptr a1, uptr a2) {			uptr a1, uptr a2) {
	ScopedInErrorReport in_report;			ScopedInErrorReport in_report;
	ErrorInvalidPointerPair error(GetCurrentTidOrInvalid(), pc, bp, sp, a1, a2);			ErrorInvalidPointerPair error(GetCurrentTidOrInvalid(), pc, bp, sp, a1, a2);
	in_report.ReportError(error);			in_report.ReportError(error);
	}			}

				static bool IsInvalidPointerPair(uptr a1, uptr a2) {
				kccUnsubmitted Done Reply Inline Actions a macro is better than a goto, but still bad. Can this be expressed in just C++? (e.g. wrap the main logic into a separate function and return from it on error). kcc: a macro is better than a goto, but still bad. Can this be expressed in just C++? (e.g. wrap…
				if (a1 == a2)
				return false;

				uptr offset = a1 < a2 ? a2 - a1 : a1 - a2;
				uptr left = a1 < a2 ? a1 : a2;
				uptr right = a1 < a2 ? a2 : a1;
				if (offset <= 2048)
				kccUnsubmitted Done Reply Inline Actions define a const uptr kMaxOffset = 2048; // Explain why 2048 kcc: define a const uptr kMaxOffset = 2048; // Explain why 2048
				alekseyshlUnsubmitted Done Reply Inline Actions uptr offset = right - left; alekseyshl: uptr offset = right - left;
				return __asan_region_is_poisoned(left, offset);
				kccUnsubmitted Done Reply Inline Actions isn't this the same as return __asan_region_is_poisoned(left, offset); kcc: isn't this the same as return __asan_region_is_poisoned(left, offset);

				AsanThread *t = GetCurrentThread();

				// check whether left is a stack memory pointer
				uptr shadow_offset1, shadow_offset2;
				if ((shadow_offset1 = t->GetStackFrameVariableBeginning(left))) {
				if ((shadow_offset2 = t->GetStackFrameVariableBeginning(right))
				&& shadow_offset1 == shadow_offset2)
				kccUnsubmitted Done Reply Inline Actions Ouch. Please don't do this. uptr a; if((a = foo())) ... It's easy to misinterpret such code. Instead, do if (uptr a = foo()) ... kcc: Ouch. Please don't do this. uptr a; if((a = foo())) ... It's easy to misinterpret such…
				return false;
				kccUnsubmitted Done Reply Inline Actions here and below instead of if (a && b) return true; else return false; prefer return a && b; kcc: here and below instead of if (a && b) return true; else return false; prefer return a &&…
				else
				return true;
				alekseyshlUnsubmitted Done Reply Inline Actions What are we trying to save here? Why not just being explicit: if (uptr shadow_offset_left = t->GetStackFrameVariableBeginning(left)) { uptr shadow_offset_right = t->GetStackFrameVariableBeginning(right); return shadow_offset_right == 0 \|\| shadow_offset_left != shadow_offset_right; } alekseyshl: What are we trying to save here? Why not just being explicit: if (uptr shadow_offset_left = t…
				}

				// check whether left is a heap memory address
				HeapAddressDescription hdesc1, hdesc2;
				if (GetHeapAddressInformation(left, 0, &hdesc1) &&
				hdesc1.chunk_access.access_type == kAccessTypeInside) {
				if (GetHeapAddressInformation(right, 0, &hdesc2) &&
				hdesc2.chunk_access.access_type == kAccessTypeInside &&
				(hdesc1.chunk_access.chunk_begin
				== hdesc2.chunk_access.chunk_begin))
				kccUnsubmitted Done Reply Inline Actions No goto please. kcc: No goto please.
				kccUnsubmitted Done Reply Inline Actions ouch. We have a lock in a function that is called on every pointer cmp? This is bad. We need to avoid the lock. Probably by relaxing the check a bit (e.g. never compare pointers from other thread's stacks). Also, your tests don't seem to have threads, so this code is probably untested. kcc: ouch. We have a lock in a function that is called on every pointer cmp? This is bad. We need…
				marxinAuthorUnsubmitted Done Reply Inline Actions Unfortunately yes. Do you mean to call FindThreadByStackAddress (which currently needs lock as it calls FindThreadContextLocked)? Then comparing the variables if threads do match? I can come up with a test-case for that. marxin: Unfortunately yes. Do you mean to call FindThreadByStackAddress (which currently needs lock as…
				kccUnsubmitted Done Reply Inline Actions We should not call anything that grabs a lock here. Let's start from simply ignoring any pointers from threads other than the current. kcc: We should not call anything that grabs a lock here. Let's start from simply ignoring any…
				return false;
				else
				return true;
				alekseyshlUnsubmitted Done Reply Inline Actions I wonder why "right - 1"? alekseyshl: I wonder why "right - 1"?
				marxinAuthorUnsubmitted Not Done Reply Inline Actions Because it's possible to have a valid pointer comparison of a pointer that points right after a valid location. In case of global variables, for a pointer pointing right after a variable, I want to have it listed in GlobalAddressDescription. I added test-case for that: + bar(&global[0], &global[10000]); marxin: Because it's possible to have a valid pointer comparison of a pointer that points right after a…
				}
				// check whether left is an address of a global variable
				GlobalAddressDescription gdesc1, gdesc2;
				if (GetGlobalAddressInformation(left, 0, &gdesc1)) {
				if (GetGlobalAddressInformation(right - 1, 0, &gdesc2) &&
				gdesc1.PointsInsideTheSameVariable(gdesc2))
				return false;
				else
				alekseyshlUnsubmitted Not Done Reply Inline Actions Change it to // style comment. alekseyshl: Change it to // style comment.
				return true;
				}

				if (t->GetStackFrameVariableBeginning(right) \|\|
				GetHeapAddressInformation(right, 0, &hdesc2) \|\|
				GetGlobalAddressInformation(right - 1, 0, &gdesc2))
				return true;

				/* At this point we know nothing about both a1 and a2 addresses. */
				return false;
				}

	static INLINE void CheckForInvalidPointerPair(void p1, void p2) {			static INLINE void CheckForInvalidPointerPair(void p1, void p2) {
	if (!flags()->detect_invalid_pointer_pairs) return;			if (!flags()->detect_invalid_pointer_pairs) return;
	uptr a1 = reinterpret_cast<uptr>(p1);			uptr a1 = reinterpret_cast<uptr>(p1);
	uptr a2 = reinterpret_cast<uptr>(p2);			uptr a2 = reinterpret_cast<uptr>(p2);
	AsanChunkView chunk1 = FindHeapChunkByAddress(a1);
	AsanChunkView chunk2 = FindHeapChunkByAddress(a2);			if (IsInvalidPointerPair(a1, a2)) {
	bool valid1 = chunk1.IsAllocated();
	bool valid2 = chunk2.IsAllocated();
	if (!valid1 \|\| !valid2 \|\| !chunk1.Eq(chunk2)) {
	GET_CALLER_PC_BP_SP;			GET_CALLER_PC_BP_SP;
	return ReportInvalidPointerPair(pc, bp, sp, a1, a2);			ReportInvalidPointerPair(pc, bp, sp, a1, a2);
	}			}
	}			}
	// ----------------------- Mac-specific reports ----------------- {{{1			// ----------------------- Mac-specific reports ----------------- {{{1

	void ReportMacMzReallocUnknown(uptr addr, uptr zone_ptr, const char *zone_name,			void ReportMacMzReallocUnknown(uptr addr, uptr zone_ptr, const char *zone_name,
	BufferedStackTrace *stack) {			BufferedStackTrace *stack) {
	ScopedInErrorReport in_report;			ScopedInErrorReport in_report;
	Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"			Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"
	▲ Show 20 Lines • Show All 128 Lines • Show Last 20 Lines

lib/asan/asan_thread.h

Show First 20 Lines • Show All 84 Lines • ▼ Show 20 Lines	public:

struct StackFrameAccess {		struct StackFrameAccess {
uptr offset;		uptr offset;
uptr frame_pc;		uptr frame_pc;
const char *frame_descr;		const char *frame_descr;
};		};
bool GetStackFrameAccessByAddr(uptr addr, StackFrameAccess *access);		bool GetStackFrameAccessByAddr(uptr addr, StackFrameAccess *access);

		// Return beginning of a stack variable in shadow memory
		alekseyshlUnsubmitted Done Reply Inline Actions Returns a pointer to the start of the stack variable's shadow memory. alekseyshl: Returns a pointer to the start of the stack variable's shadow memory.
		alekseyshlUnsubmitted Not Done Reply Inline Actions It's marked as done, but I do not see the change. alekseyshl: It's marked as done, but I do not see the change.
		uptr GetStackFrameVariableBeginning(uptr addr);
		alekseyshlUnsubmitted Done Reply Inline Actions GetStackVariableShadowStart alekseyshl: GetStackVariableShadowStart

bool AddrIsInStack(uptr addr);		bool AddrIsInStack(uptr addr);

void DeleteFakeStack(int tid) {		void DeleteFakeStack(int tid) {
if (!fake_stack_) return;		if (!fake_stack_) return;
FakeStack *t = fake_stack_;		FakeStack *t = fake_stack_;
fake_stack_ = nullptr;		fake_stack_ = nullptr;
SetTLSFakeStack(nullptr);		SetTLSFakeStack(nullptr);
t->Destroy(tid);		t->Destroy(tid);
▲ Show 20 Lines • Show All 96 Lines • Show Last 20 Lines

lib/asan/asan_thread.cc

Show First 20 Lines • Show All 311 Lines • ▼ Show 20 Lines	bool AsanThread::GetStackFrameAccessByAddr(uptr addr,
} else if (has_fake_stack()) {		} else if (has_fake_stack()) {
bottom = fake_stack()->AddrIsInFakeStack(addr);		bottom = fake_stack()->AddrIsInFakeStack(addr);
CHECK(bottom);		CHECK(bottom);
access->offset = addr - bottom;		access->offset = addr - bottom;
access->frame_pc = ((uptr*)bottom)[2];		access->frame_pc = ((uptr*)bottom)[2];
access->frame_descr = (const char )((uptr)bottom)[1];		access->frame_descr = (const char )((uptr)bottom)[1];
return true;		return true;
}		}
uptr aligned_addr = addr & ~(SANITIZER_WORDSIZE/8 - 1); // align addr.		uptr aligned_addr = RoundDownTo(addr, SANITIZER_WORDSIZE / 8); // align addr.
uptr mem_ptr = RoundDownTo(aligned_addr, SHADOW_GRANULARITY);		uptr mem_ptr = RoundDownTo(aligned_addr, SHADOW_GRANULARITY);
u8 shadow_ptr = (u8)MemToShadow(aligned_addr);		u8 shadow_ptr = (u8)MemToShadow(aligned_addr);
u8 shadow_bottom = (u8)MemToShadow(bottom);		u8 shadow_bottom = (u8)MemToShadow(bottom);

while (shadow_ptr >= shadow_bottom &&		while (shadow_ptr >= shadow_bottom &&
*shadow_ptr != kAsanStackLeftRedzoneMagic) {		*shadow_ptr != kAsanStackLeftRedzoneMagic) {
shadow_ptr--;		shadow_ptr--;
mem_ptr -= SHADOW_GRANULARITY;		mem_ptr -= SHADOW_GRANULARITY;
Show All 12 Lines	bool AsanThread::GetStackFrameAccessByAddr(uptr addr,
uptr* ptr = (uptr*)(mem_ptr + SHADOW_GRANULARITY);		uptr* ptr = (uptr*)(mem_ptr + SHADOW_GRANULARITY);
CHECK(ptr[0] == kCurrentStackFrameMagic);		CHECK(ptr[0] == kCurrentStackFrameMagic);
access->offset = addr - (uptr)ptr;		access->offset = addr - (uptr)ptr;
access->frame_pc = ptr[2];		access->frame_pc = ptr[2];
access->frame_descr = (const char*)ptr[1];		access->frame_descr = (const char*)ptr[1];
return true;		return true;
}		}

		uptr AsanThread::GetStackFrameVariableBeginning(uptr addr) {
		uptr bottom = 0;
		if (AddrIsInStack(addr)) {
		bottom = stack_bottom();
		} else if (has_fake_stack()) {
		bottom = fake_stack()->AddrIsInFakeStack(addr);
		CHECK(bottom);
		} else
		return 0;
		kccUnsubmitted Done Reply Inline Actions Please use RoundUpTo() or some such kcc: Please use RoundUpTo() or some such

		uptr aligned_addr = RoundDownTo(addr, SANITIZER_WORDSIZE / 8); // align addr.
		u8 shadow_ptr = (u8)MemToShadow(aligned_addr);
		u8 shadow_bottom = (u8)MemToShadow(bottom);

		while (shadow_ptr >= shadow_bottom &&
		(*shadow_ptr != kAsanStackLeftRedzoneMagic &&
		kccUnsubmitted Done Reply Inline Actions no need for {} kcc: no need for {}
		*shadow_ptr != kAsanStackMidRedzoneMagic &&
		*shadow_ptr != kAsanStackRightRedzoneMagic))
		shadow_ptr--;

		return (uptr)shadow_ptr;
		alekseyshlUnsubmitted Done Reply Inline Actions It returns a pointer to one of the redzones, not to the variable beginning (as the function name suggests), right? alekseyshl: It returns a pointer to one of the redzones, not to the variable beginning (as the function…
		alekseyshlUnsubmitted Not Done Reply Inline Actions That was a question, actually. This function does not what its name suggests. At least, acknowledge it in the comment and explain why it is ok. alekseyshl: That was a question, actually. This function does not what its name suggests. At least…
		}

bool AsanThread::AddrIsInStack(uptr addr) {		bool AsanThread::AddrIsInStack(uptr addr) {
const auto bounds = GetStackBounds();		const auto bounds = GetStackBounds();
return addr >= bounds.bottom && addr < bounds.top;		return addr >= bounds.bottom && addr < bounds.top;
}		}

static bool ThreadStackContainsAddress(ThreadContextBase *tctx_base,		static bool ThreadStackContainsAddress(ThreadContextBase *tctx_base,
void *addr) {		void *addr) {
AsanThreadContext tctx = static_cast<AsanThreadContext>(tctx_base);		AsanThreadContext tctx = static_cast<AsanThreadContext>(tctx_base);
▲ Show 20 Lines • Show All 134 Lines • Show Last 20 Lines

test/asan/TestCases/invalid-pointer-pairs-compare-errors.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t -mllvm -asan-detect-invalid-pointer-pair

				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1:halt_on_error=0 %run %t 2>&1 \| FileCheck %s

				#include <assert.h>
				#include <stdlib.h>

				int foo(char p, char q) {
				return p > q;
				}

				char global1[100] = {}, global2[100] = {};
				char small_global[7] = {};
				char large_global[5000] = {};

				int
				main() {
				/* Heap allocated memory. */
				alekseyshlUnsubmitted Not Done Reply Inline Actions int main() { alekseyshl: int main() {
				char heap1 = (char )malloc(42);
				char heap2 = (char )malloc(42);

				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1, heap2);
				free(heap1);
				free(heap2);

				heap1 = (char *)malloc(1024);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1, heap1 + 1025);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1 + 1024, heap1 + 1025);
				free(heap1);

				heap1 = (char *)malloc(4096);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1, heap1 + 4097);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1, 0);

				/* Global variables. */
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(&global1[0], &global2[10]);

				char *p = &small_global[0];
				foo(p, p); // OK
				foo(p, p + 7); // OK
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, p + 8);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p - 1, p);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, p - 1);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p - 1, p + 8);

				p = &large_global[0];
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p - 1, p);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, p - 1);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, &global1[0]);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, &small_global[0]);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(p, 0);

				/* Stack variables. */
				char stack1, stack2;
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(&stack1, &stack2);

				/* Mixtures. */
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(heap1, &stack1);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				foo(heap1, &global1[0]);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				foo(&stack1, &global1[0]);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-compare-errors.cc:[[@LINE+1]]
				foo(&stack1, 0);

				return 0;
				alekseyshlUnsubmitted Not Done Reply Inline Actions free(heap1); alekseyshl: free(heap1);
				}

test/asan/TestCases/invalid-pointer-pairs-compare-success.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t -mllvm -asan-detect-invalid-pointer-pair

				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1 %run %t

				#include <assert.h>
				#include <stdlib.h>

				int foo(char *p) {
				char *p2 = p + 20;
				return p > p2;
				}

				int bar(char p, char q) {
				return p <= q;
				}

				int baz(char p, char q) {
				return p != 0 && p < q;
				}

				char global[8192] = {};
				char small_global[7] = {};

				int
				main() {
				/* Heap allocated memory. */
				char p = (char )malloc(42);
				int r = foo(p);
				free(p);

				p = (char *)malloc(1024);
				bar(p, p + 1024);
				bar(p + 1024, p + 1023);
				bar(p + 1, p + 1023);
				free(p);

				p = (char *)malloc(4096);
				bar(p, p + 4096);
				bar(p + 10, p + 100);
				bar(p + 1024, p + 4096);
				bar(p + 4095, p + 4096);
				bar(p + 4095, p + 4094);
				bar(p + 100, p + 4096);
				bar(p + 100, p + 4094);
				free(p);

				/* Global variable. */
				bar(&global[0], &global[1]);
				bar(&global[1], &global[2]);
				bar(&global[2], &global[1]);
				bar(&global[0], &global[100]);
				bar(&global[1000], &global[7000]);
				bar(&global[500], &global[10]);
				p = &global[0];
				bar(p, p + 8192);
				p = &global[8000];
				bar(p, p + 192);

				p = &small_global[0];
				bar(p, p + 1);
				bar(p, p + 7);
				bar(p + 7, p + 1);
				bar(p + 6, p + 7);
				bar(p + 7, p + 7);

				/* Stack variable. */
				char stack[10000];
				bar(&stack[0], &stack[100]);
				bar(&stack[1000], &stack[9000]);
				bar(&stack[500], &stack[10]);

				baz(0, &stack[10]);

				return 0;
				}

test/asan/TestCases/invalid-pointer-pairs-subtract-errors.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t -mllvm -asan-detect-invalid-pointer-pair

				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1:halt_on_error=0 %run %t 2>&1 \| FileCheck %s

				#include <assert.h>
				#include <stdlib.h>

				int foo(char p, char q) {
				return p - q;
				}

				char global1[100] = {}, global2[100] = {};

				int
				main() {
				/* Heap allocated memory. */
				char heap1 = (char )malloc(42);
				char heap2 = (char )malloc(42);

				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(heap1, heap2);

				/* Global variables. */
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(&global1[0], &global2[10]);

				/* Stack variables. */
				char stack1, stack2;
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(&stack1, &stack2);

				/* Mixtures. */
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(heap1, &stack1);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(heap1, &global1[0]);
				// CHECK: ERROR: AddressSanitizer: invalid-pointer-pair
				// CHECK: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-subtract-errors.cc:[[@LINE+1]]
				foo(&stack1, &global1[0]);
				return 0;
				alekseyshlUnsubmitted Not Done Reply Inline Actions free(heap1); free(heap2); alekseyshl: free(heap1); free(heap2);
				}

test/asan/TestCases/invalid-pointer-pairs-subtract-success.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t -mllvm -asan-detect-invalid-pointer-pair

				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1 %run %t

				#include <assert.h>
				#include <stdlib.h>

				int bar(char p, char q) {
				return p <= q;
				}

				char global[10000] = {};

				int
				main() {
				/* Heap allocated memory. */
				char p = (char )malloc(42);
				int r = bar(p, p + 20);
				free(p);

				/* Global variable. */
				bar(&global[0], &global[100]);
				bar(&global[1000], &global[9000]);
				bar(&global[500], &global[10]);

				/* Stack variable. */
				char stack[10000];
				bar(&stack[0], &stack[100]);
				alekseyshlUnsubmitted Not Done Reply Inline Actions In all the tests, change /* / comments to // alekseyshl:* In all the tests, change /* */ comments to //
				bar(&stack[1000], &stack[9000]);
				bar(&stack[500], &stack[10]);

				return 0;
				}

test/asan/TestCases/invalid-pointer-pairs-threads.cc

This file was added.

				// RUN: %clangxx_asan -O0 %s -o %t -mllvm -asan-detect-invalid-pointer-pair

				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1 %run %t a 2>&1 \| FileCheck %s -check-prefix=OK -allow-empty
				// RUN: %env_asan_opts=detect_invalid_pointer_pairs=1 not %run %t b 2>&1 \| FileCheck %s -check-prefix=B

				#include <assert.h>
				#include <pthread.h>
				#include <stdlib.h>
				alekseyshlUnsubmitted Not Done Reply Inline Actions This test should be in test/asan/TestCases/Posix/ alekseyshl: This test should be in test/asan/TestCases/Posix/
				#include <unistd.h>

				char *pointers[2];

				void thread_main(void n) {
				char local;

				unsigned long id = (unsigned long)n;
				pointers[id] = &local;
				sleep(1);

				return NULL;
				}

				int main(int argc, char **argv) {
				assert(argc >= 2);

				char t = argv[1][0];

				pthread_t threads[2];
				pthread_create(&threads[0], 0, thread_main, (void *)0);
				pthread_create(&threads[1], 0, thread_main, (void *)1);

				do {
				} while (pointers[0] == NULL \|\| pointers[1] == NULL);

				alekseyshlUnsubmitted Not Done Reply Inline Actions This and sleep in threads, use synchronization instead (for example, two barriers of count 3, barrier_assign and barrier_check, wait for _assign here and wait for _check after the pointer check). That will be less flaky, not racy and much faster than 1 second. alekseyshl: This and sleep in threads, use synchronization instead (for example, two barriers of count 3…
				if (t == 'a') {
				// OK-NOT: not handled yet
				unsigned r = pointers[0] - pointers[1];
				} else {
				char local;
				char *parent_pointer = &local;

				// B: ERROR: AddressSanitizer: invalid-pointer-pair
				// B: #{{[0-9]+ .}} in main {{.}}invalid-pointer-pairs-threads.cc:[[@LINE+1]]
				unsigned r = parent_pointer - pointers[0];
				}

				pthread_join(threads[0], 0);
				pthread_join(threads[1], 0);

				return 0;
				}