This is an archive of the discontinued LLVM Phabricator instance.

Differential D92344

[WinASan] Improve exception reporting accuracy
ClosedPublic

Authored by rnk on Nov 30 2020, 12:58 PM.

Details

Reviewers
vitalybuka
mcgov
Commits
rGb5af5787b367: [WinASan] Improve exception reporting accuracy
Summary

Previously, ASan would produce reports like this:
ERROR: AddressSanitizer: breakpoint on unknown address 0x000000000000 (pc 0x7fffdd7c5e86 ...)

This is unhelpful, because the developer may think this is a null
pointer dereference, and not a breakpoint exception on some PC.

The cause was that SignalContext::GetAddress would read the
ExceptionInformation array to retreive an address for any kind of
exception. That data is only available for access violation exceptions.
This changes it to be conditional on the exception type, and to use the
PC otherwise.

I added a variety of tests for common exception types:

  • int div zero
  • breakpoint
  • ud2a / illegal instruction
  • SSE misalignment

I also tightened up IsMemoryAccess and GetWriteFlag to check the
ExceptionCode rather than looking at ExceptionInformation[1] directly.

Diff Detail

Event Timeline

rnk created this revision.Nov 30 2020, 12:58 PM
Herald added a project: Restricted Project. · View Herald TranscriptNov 30 2020, 12:58 PM
Herald added a subscriber: Restricted Project. · View Herald Transcript
rnk requested review of this revision.Nov 30 2020, 12:58 PM
Harbormaster completed remote builds in B80576: Diff 308464.Nov 30 2020, 1:43 PM
mcgov added a comment.Nov 30 2020, 3:29 PM

lgtm

mcgov accepted this revision.Nov 30 2020, 3:29 PM
This revision is now accepted and ready to land.Nov 30 2020, 3:29 PM
rnk added a comment.Nov 30 2020, 4:41 PM

Thanks!

Closed by commit rGb5af5787b367: [WinASan] Improve exception reporting accuracy (authored by rnk). · Explain WhyNov 30 2020, 4:41 PM
This revision was automatically updated to reflect the committed changes.
rnk added a commit: rGb5af5787b367: [WinASan] Improve exception reporting accuracy.

Revision Contents

PathSize
compiler-rt/
lib/
sanitizer_common/
19 lines
test/
asan/
TestCases/
Windows/
18 lines
17 lines
18 lines
28 lines

Diff 308502

compiler-rt/lib/sanitizer_common/sanitizer_win.cpp

Show First 20 LinesShow All 950 Lines▼ Show 20 Lines
#else #else
bp = (uptr)context_record->Ebp; bp = (uptr)context_record->Ebp;
sp = (uptr)context_record->Esp; sp = (uptr)context_record->Esp;
#endif #endif
} }
uptr SignalContext::GetAddress() const { uptr SignalContext::GetAddress() const {
EXCEPTION_RECORD *exception_record = (EXCEPTION_RECORD *)siginfo; EXCEPTION_RECORD *exception_record = (EXCEPTION_RECORD *)siginfo;
if (exception_record->ExceptionCode == EXCEPTION_ACCESS_VIOLATION)
return exception_record->ExceptionInformation[1]; return exception_record->ExceptionInformation[1];
return (uptr)exception_record->ExceptionAddress;
} }
bool SignalContext::IsMemoryAccess() const { bool SignalContext::IsMemoryAccess() const {
return GetWriteFlag() != SignalContext::UNKNOWN; return ((EXCEPTION_RECORD *)siginfo)->ExceptionCode ==
EXCEPTION_ACCESS_VIOLATION;
} }
bool SignalContext::IsTrueFaultingAddress() const { bool SignalContext::IsTrueFaultingAddress() const { return true; }
// FIXME: Provide real implementation for this. See Linux and Mac variants.
return IsMemoryAccess();
}
SignalContext::WriteFlag SignalContext::GetWriteFlag() const { SignalContext::WriteFlag SignalContext::GetWriteFlag() const {
EXCEPTION_RECORD *exception_record = (EXCEPTION_RECORD *)siginfo; EXCEPTION_RECORD *exception_record = (EXCEPTION_RECORD *)siginfo;
// The write flag is only available for access violation exceptions.
if (exception_record->ExceptionCode != EXCEPTION_ACCESS_VIOLATION)
return SignalContext::UNKNOWN;
// The contents of this array are documented at // The contents of this array are documented at
// https://msdn.microsoft.com/en-us/library/windows/desktop/aa363082(v=vs.85).aspx // https://docs.microsoft.com/en-us/windows/win32/api/winnt/ns-winnt-exception_record
// The first element indicates read as 0, write as 1, or execute as 8. The // The first element indicates read as 0, write as 1, or execute as 8. The
// second element is the faulting address. // second element is the faulting address.
switch (exception_record->ExceptionInformation[0]) { switch (exception_record->ExceptionInformation[0]) {
case 0: case 0:
return SignalContext::READ; return SignalContext::READ;
case 1: case 1:
return SignalContext::WRITE; return SignalContext::WRITE;
case 8: case 8:
▲ Show 20 LinesShow All 163 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Windows/breakpoint.cpp

  • This file was added.
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=handle_sigill=1 not %run %t 2>&1 | FileCheck %s
// Test the error output from a breakpoint. Assertion-like macros often end in
// int3 on Windows.
#include <stdio.h>
int main() {
puts("before breakpoint");
fflush(stdout);
__debugbreak();
return 0;
}
// CHECK: before breakpoint
// CHECK: ERROR: AddressSanitizer: breakpoint on unknown address [[ADDR:0x[^ ]*]]
// CHECK-SAME: (pc [[ADDR]] {{.*}})
// CHECK-NEXT: #0 {{.*}} in main {{.*}}breakpoint.cpp:{{.*}}

compiler-rt/test/asan/TestCases/Windows/illegal_instruction.cpp

  • This file was added.
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=handle_sigill=1 not %run %t 2>&1 | FileCheck %s
// Test the error output from an illegal instruction.
#include <stdio.h>
int main() {
puts("before ud2a");
fflush(stdout);
__builtin_trap();
return 0;
}
// CHECK: before ud2a
// CHECK: ERROR: AddressSanitizer: illegal-instruction on unknown address [[ADDR:0x[^ ]*]]
// CHECK-SAME: (pc [[ADDR]] {{.*}})
// CHECK-NEXT: #0 {{.*}} in main {{.*}}illegal_instruction.cpp:{{.*}}

compiler-rt/test/asan/TestCases/Windows/integer_divide_by_zero.cpp

  • This file was added.
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=handle_sigfpe=1 not %run %t 2>&1 | FileCheck %s
// Test the error output from dividing by zero.
#include <stdio.h>
int main() {
puts("before ud2a");
fflush(stdout);
volatile int numerator = 1;
volatile int divisor = 0;
return numerator / divisor;
}
// CHECK: before ud2a
// CHECK: ERROR: AddressSanitizer: int-divide-by-zero on unknown address [[ADDR:0x[^ ]*]]
// CHECK-SAME: (pc [[ADDR]] {{.*}})
// CHECK-NEXT: #0 {{.*}} in main {{.*}}integer_divide_by_zero.cpp:{{.*}}

compiler-rt/test/asan/TestCases/Windows/sse_misalignment.cpp

  • This file was added.
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=handle_sigfpe=1 not %run %t 2>&1 | FileCheck %s
// Test the error output from misaligned SSE2 memory access. This is a READ
// memory access. Windows appears to always provide an address of -1 for these
// types of faults, and there doesn't seem to be a way to distinguish them from
// other types of access violations without disassembling.
#include <emmintrin.h>
#include <stdio.h>
__m128i test() {
char buffer[17] = {};
__m128i a = _mm_load_si128((__m128i *)buffer);
__m128i b = _mm_load_si128((__m128i *)(&buffer[0] + 1));
return _mm_or_si128(a, b);
}
int main() {
puts("before alignment fault");
fflush(stdout);
volatile __m128i v = test();
return 0;
}
// CHECK: before alignment fault
// CHECK: ERROR: AddressSanitizer: access-violation on unknown address {{0x[fF]*}}
// CHECK-NEXT: The signal is caused by a READ memory access.
// CHECK-NEXT: #0 {{.*}} in test(void) {{.*}}misalignment.cpp:{{.*}}