This is an archive of the discontinued LLVM Phabricator instance.

Differential D5167

[ASan] Introduce the dump_instruction_bytes flag to print the faulting instruction upon SIGSEGV
ClosedPublic

Authored by glider on Sep 3 2014, 5:24 AM.

Details

Reviewers
kcc
samsonov
eugenis
Summary

When dump_instruction_bytes=1 and the instruction pointer doesn't point to the zero page, ASan prints 16 bytes starting at the instruction point.
When the instruction pointer points to the zero page, print a warning about that.
Also allow deadly signals to be received in signal handlers (previously ASan would just crash upon the second SEGV)

Diff Detail

Event Timeline

glider updated this revision to Diff 13201.Sep 3 2014, 5:24 AM
glider retitled this revision from to [ASan] Introduce the dump_instruction_bytes flag to print the faulting instruction upon SIGSEGV.
glider updated this object.
glider edited the test plan for this revision. (Show Details)
glider added reviewers: kcc, eugenis.
glider added a subscriber: Unknown Object (MLST).
samsonov added a subscriber: samsonov.Sep 3 2014, 5:35 PM

What if instruction pc points to is not in the zero page, but is inaccessible? It would be sad to crash the program while printing ASan error report in this case.

lib/asan/asan_report.cc
162

You may check that pc < GetPageSizeCached() here.

656

We print pc above... do you really need this?

lib/asan/asan_rtl.cc
234

Wait, where is the default value for this flag?

lib/sanitizer_common/sanitizer_posix_libcdep.cc
151

Can this go as a separate change?

samsonov added a reviewer: samsonov.Sep 3 2014, 5:36 PM

What if instruction pc points to is not in the zero page, but is inaccessible? It would be sad to crash the program while printing ASan error report in this case.

glider added a comment.Sep 4 2014, 2:53 AM

What if instruction pc points to is not in the zero page, but is inaccessible? It would be sad to crash the program while printing ASan error report in this case.

If pc points to inaccessible page, then we're in a SEGV handler caused by this. We can't print anything meaningful besides the stack, and _Unwind_Backtrace() will crash on this pc right away.

lib/asan/asan_report.cc
162

Done.

656

Many people do not understand that this is just a SEGV handler, so they keep asking whether this crash is a false positive and why ASan doesn't print more info about it.
I'm not insisting on this piece, however.

lib/asan/asan_rtl.cc
234

Done.

lib/sanitizer_common/sanitizer_posix_libcdep.cc
151

Done.

glider updated this revision to Diff 13242.Sep 4 2014, 2:58 AM

Addressed Alexey's comments

samsonov accepted this revision.Sep 4 2014, 12:00 PM
samsonov edited edge metadata.

Alright, let's do this if you feel it would improve user experience in certain cases.

This revision is now accepted and ready to land.Sep 4 2014, 12:00 PM
glider added a comment.Sep 4 2014, 11:16 PM

I take back my argument about crashes in _Unwind_Backtrace.
Apparently at least on OSX unwinding the stack from the unmapped page doesn't necessarily crash the unwinder. Thus we probably need to unprotect the faulting page before trying to dump instruction bytes.

glider added a comment.Sep 4 2014, 11:18 PM

Meanwhile I'll land the "zero page" hint separately.

glider updated this revision to Diff 13872.Sep 19 2014, 8:07 AM
glider edited edge metadata.

Call IsAccessibleMemoryRange() to make sure we don't step on unaccessible memory.
Disable the test on ARM.

samsonov added a comment.Sep 19 2014, 4:52 PM

LGTM

lib/asan/asan_report.cc
168

s/char/u8 ?

glider closed this revision.Sep 22 2014, 5:08 AM

r218243, thanks!

Revision Contents

PathSize
lib/
asan/
1 line
35 lines
3 lines
sanitizer_common/
4 lines
test/
asan/
TestCases/
22 lines
11 lines

Diff 13201

lib/asan/asan_flags.h

Show First 20 LinesShow All 59 Lines▼ Show 20 Linesstruct Flags {
bool alloc_dealloc_mismatch; bool alloc_dealloc_mismatch;
bool new_delete_type_mismatch; bool new_delete_type_mismatch;
bool strict_memcmp; bool strict_memcmp;
bool strict_init_order; bool strict_init_order;
bool start_deactivated; bool start_deactivated;
int detect_invalid_pointer_pairs; int detect_invalid_pointer_pairs;
bool detect_container_overflow; bool detect_container_overflow;
int detect_odr_violation; int detect_odr_violation;
bool dump_instruction_bytes;
}; };
extern Flags asan_flags_dont_use_directly; extern Flags asan_flags_dont_use_directly;
inline Flags *flags() { inline Flags *flags() {
return &asan_flags_dont_use_directly; return &asan_flags_dont_use_directly;
} }
void InitializeFlags(Flags *f, const char *env); void InitializeFlags(Flags *f, const char *env);
} // namespace __asan } // namespace __asan
#endif // ASAN_FLAGS_H #endif // ASAN_FLAGS_H

lib/asan/asan_report.cc

Show First 20 LinesShow All 80 Lines▼ Show 20 Lines switch (byte) {
return Red(); return Red();
case kAsanInternalHeapMagic: case kAsanInternalHeapMagic:
return Yellow(); return Yellow();
default: default:
return Default(); return Default();
} }
} }
const char *EndShadowByte() { return Default(); } const char *EndShadowByte() { return Default(); }
const char *MemoryByte() { return Magenta(); }
const char *EndMemoryByte() { return Default(); }
}; };
// ---------------------- Helper functions ----------------------- {{{1 // ---------------------- Helper functions ----------------------- {{{1
static void PrintMemoryByte(InternalScopedString *str, const char *before,
u8 byte, bool in_shadow, const char *after = "\n") {
Decorator d;
str->append("%s%s%x%x%s%s", before,
in_shadow ? d.ShadowByte(byte) : d.MemoryByte(),
byte >> 4, byte & 15,
in_shadow ? d.EndShadowByte() : d.EndMemoryByte(), after);
}
static void PrintShadowByte(InternalScopedString *str, const char *before, static void PrintShadowByte(InternalScopedString *str, const char *before,
u8 byte, const char *after = "\n") { u8 byte, const char *after = "\n") {
Decorator d; PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
str->append("%s%s%x%x%s%s", before, d.ShadowByte(byte), byte >> 4, byte & 15,
d.EndShadowByte(), after);
} }
static void PrintShadowBytes(InternalScopedString *str, const char *before, static void PrintShadowBytes(InternalScopedString *str, const char *before,
u8 *bytes, u8 *guilty, uptr n) { u8 *bytes, u8 *guilty, uptr n) {
Decorator d; Decorator d;
if (before) str->append("%s%p:", before, bytes); if (before) str->append("%s%p:", before, bytes);
for (uptr i = 0; i < n; i++) { for (uptr i = 0; i < n; i++) {
u8 *p = bytes + i; u8 *p = bytes + i;
Show All 38 Lines PrintShadowByte(str, " Poisoned by user: ",
kAsanUserPoisonedMemoryMagic); kAsanUserPoisonedMemoryMagic);
PrintShadowByte(str, " Container overflow: ", PrintShadowByte(str, " Container overflow: ",
kAsanContiguousContainerOOBMagic); kAsanContiguousContainerOOBMagic);
PrintShadowByte(str, " Array cookie: ", PrintShadowByte(str, " Array cookie: ",
kAsanArrayCookieMagic); kAsanArrayCookieMagic);
PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic); PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
} }
void MaybeDumpInstructionBytes(uptr pc) {
if (!flags()->dump_instruction_bytes)
samsonovUnsubmitted
Not Done
ReplyInline Actions

You may check that pc < GetPageSizeCached() here.

samsonov: You may check that pc < GetPageSizeCached() here.
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

glider: Done.
return;
InternalScopedString str(1024);
if (pc >= GetPageSizeCached()) {
str.append("First 16 instruction bytes at pc: ");
for (int i = 0; i < 16; ++i) {
PrintMemoryByte(&str, "", ((char *)pc)[i], /*in_shadow*/false, " ");
samsonovUnsubmitted
Not Done
ReplyInline Actions

s/char/u8 ?

samsonov: s/char/u8 ?
}
str.append("\n");
Report("%s", str.data());
}
}
static void PrintShadowMemoryForAddress(uptr addr) { static void PrintShadowMemoryForAddress(uptr addr) {
if (!AddrIsInMem(addr)) return; if (!AddrIsInMem(addr)) return;
uptr shadow_addr = MemToShadow(addr); uptr shadow_addr = MemToShadow(addr);
const uptr n_bytes_per_row = 16; const uptr n_bytes_per_row = 16;
uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1); uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
InternalScopedString str(4096 * 8); InternalScopedString str(4096 * 8);
str.append("Shadow bytes around the buggy address:\n"); str.append("Shadow bytes around the buggy address:\n");
for (int i = -5; i <= 5; i++) { for (int i = -5; i <= 5; i++) {
▲ Show 20 LinesShow All 465 Lines▼ Show 20 Linesvoid ReportSIGSEGV(const char *description, uptr pc, uptr sp, uptr bp,
ScopedInErrorReport in_report; ScopedInErrorReport in_report;
Decorator d; Decorator d;
Printf("%s", d.Warning()); Printf("%s", d.Warning());
Report( Report(
"ERROR: AddressSanitizer: %s on unknown address %p" "ERROR: AddressSanitizer: %s on unknown address %p"
" (pc %p bp %p sp %p T%d)\n", " (pc %p bp %p sp %p T%d)\n",
description, (void *)addr, (void *)pc, (void *)bp, (void *)sp, description, (void *)addr, (void *)pc, (void *)bp, (void *)sp,
GetCurrentTidOrInvalid()); GetCurrentTidOrInvalid());
if (pc < GetPageSizeCached()) {
samsonovUnsubmitted
Not Done
ReplyInline Actions

We print pc above... do you really need this?

samsonov: We print pc above... do you really need this?
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Many people do not understand that this is just a SEGV handler, so they keep asking whether this crash is a false positive and why ASan doesn't print more info about it.
I'm not insisting on this piece, however.

glider: Many people do not understand that this is just a SEGV handler, so they keep asking whether…
Report("Hint: pc points to the zero page.\n");
}
Printf("%s", d.EndWarning()); Printf("%s", d.EndWarning());
GET_STACK_TRACE_SIGNAL(pc, bp, context); GET_STACK_TRACE_SIGNAL(pc, bp, context);
stack.Print(); stack.Print();
MaybeDumpInstructionBytes(pc);
Printf("AddressSanitizer can not provide additional info.\n"); Printf("AddressSanitizer can not provide additional info.\n");
ReportErrorSummary("SEGV", &stack); ReportErrorSummary("SEGV", &stack);
} }
void ReportDoubleFree(uptr addr, StackTrace *free_stack) { void ReportDoubleFree(uptr addr, StackTrace *free_stack) {
ScopedInErrorReport in_report; ScopedInErrorReport in_report;
Decorator d; Decorator d;
Printf("%s", d.Warning()); Printf("%s", d.Warning());
▲ Show 20 LinesShow All 359 LinesShow Last 20 Lines

lib/asan/asan_rtl.cc

Show First 20 LinesShow All 224 Lines▼ Show 20 Lines ParseFlag(str, &f->detect_container_overflow,
"detect_container_overflow", "detect_container_overflow",
"If true, honor the container overflow annotations. " "If true, honor the container overflow annotations. "
"See https://code.google.com/p/address-sanitizer/wiki/ContainerOverflow"); "See https://code.google.com/p/address-sanitizer/wiki/ContainerOverflow");
ParseFlag(str, &f->detect_odr_violation, "detect_odr_violation", ParseFlag(str, &f->detect_odr_violation, "detect_odr_violation",
"If >=2, detect violation of One-Definition-Rule (ODR); " "If >=2, detect violation of One-Definition-Rule (ODR); "
"If ==1, detect ODR-violation only if the two variables " "If ==1, detect ODR-violation only if the two variables "
"have different sizes"); "have different sizes");
ParseFlag(str, &f->dump_instruction_bytes, "dump_instruction_bytes",
samsonovUnsubmitted
Not Done
ReplyInline Actions

Wait, where is the default value for this flag?

samsonov: Wait, where is the default value for this flag?
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

glider: Done.
"If true, dump 16 bytes starting at the instruction that caused SEGV");
} }
void InitializeFlags(Flags *f, const char *env) { void InitializeFlags(Flags *f, const char *env) {
CommonFlags *cf = common_flags(); CommonFlags *cf = common_flags();
SetCommonFlagsDefaults(cf); SetCommonFlagsDefaults(cf);
cf->detect_leaks = CAN_SANITIZE_LEAKS; cf->detect_leaks = CAN_SANITIZE_LEAKS;
cf->external_symbolizer_path = GetEnv("ASAN_SYMBOLIZER_PATH"); cf->external_symbolizer_path = GetEnv("ASAN_SYMBOLIZER_PATH");
cf->malloc_context_size = kDefaultMallocContextSize; cf->malloc_context_size = kDefaultMallocContextSize;
▲ Show 20 LinesShow All 529 LinesShow Last 20 Lines

lib/sanitizer_common/sanitizer_posix_libcdep.cc

Show First 20 LinesShow All 142 Lines▼ Show 20 Lines
typedef void (*sa_sigaction_t)(int, siginfo_t *, void *); typedef void (*sa_sigaction_t)(int, siginfo_t *, void *);
static void MaybeInstallSigaction(int signum, static void MaybeInstallSigaction(int signum,
SignalHandlerType handler) { SignalHandlerType handler) {
if (!IsDeadlySignal(signum)) if (!IsDeadlySignal(signum))
return; return;
struct sigaction sigact; struct sigaction sigact;
internal_memset(&sigact, 0, sizeof(sigact)); internal_memset(&sigact, 0, sizeof(sigact));
sigact.sa_sigaction = (sa_sigaction_t)handler; sigact.sa_sigaction = (sa_sigaction_t)handler;
sigact.sa_flags = SA_SIGINFO; // Do not block the signal from being received in that signal's handler.
samsonovUnsubmitted
Not Done
ReplyInline Actions

Can this go as a separate change?

samsonov: Can this go as a separate change?
gliderAuthorUnsubmitted
Not Done
ReplyInline Actions

Done.

glider: Done.
// Clients are responsible for handling this correctly.
sigact.sa_flags = SA_SIGINFO | SA_NODEFER;
if (common_flags()->use_sigaltstack) sigact.sa_flags |= SA_ONSTACK; if (common_flags()->use_sigaltstack) sigact.sa_flags |= SA_ONSTACK;
CHECK_EQ(0, internal_sigaction(signum, &sigact, 0)); CHECK_EQ(0, internal_sigaction(signum, &sigact, 0));
VReport(1, "Installed the sigaction for signal %d\n", signum); VReport(1, "Installed the sigaction for signal %d\n", signum);
} }
void InstallDeadlySignalHandlers(SignalHandlerType handler) { void InstallDeadlySignalHandlers(SignalHandlerType handler) {
// Set the alternate signal stack for the main thread. // Set the alternate signal stack for the main thread.
// This will cause SetAlternateSignalStack to be called twice, but the stack // This will cause SetAlternateSignalStack to be called twice, but the stack
Show All 10 Lines

test/asan/TestCases/dump_instruction_bytes.cc

// Check that ASan prints the faulting instruction bytes on
// dump_instruction_bytes=1
// RUN: %clangxx_asan %s -o %t
// RUN: env ASAN_OPTIONS=dump_instruction_bytes=1 not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-DUMP
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK-NODUMP
int main() {
#if defined(__x86_64__)
asm("movq $0, %rax");
asm("movl $0xcafebabe, 0x0(%rax)");
#elif defined(i386)
asm("movl $0, %eax");
asm("movl $0xcafebabe, 0x0(%eax)");
#elif defined(__arm__)
asm("mov %r0, $0xcafebabe");
asm("mov %r1, $0x0");
asm("str %r0, [%r1]");
#endif
// CHECK-DUMP: First 16 instruction bytes at pc: c7 00 be ba fe ca
// CHECK-NODUMP-NOT: First 16 instruction bytes
return 0;
}

test/asan/TestCases/zero_page_pc.cc

// Check that ASan correctly detects SEGV on the zero page.
// RUN: %clangxx_asan %s -o %t && not %run %t 2>&1 | FileCheck %s
typedef void void_f();
int main() {
void_f *func = (void_f *)0x7;
func();
// CHECK: {{AddressSanitizer: SEGV.*(pc.*0007)}}
// CHECK: Hint: pc points to the zero page.
return 0;
}