This is an archive of the discontinued LLVM Phabricator instance.

Differential D97781

Hook Rtl* allocation functions directly on Windows
AbandonedPublic

Authored by cbezault on Mar 2 2021, 9:56 AM.

Details

Reviewers
None
Summary

This is the first of several planned PRs to upstream the changes to the ASan runtime which have been completed internally by Microsoft.We are shipping this and several other changes built on top of LLVM 9 in the Visual Studio toolset.et. Our intention is to upstream our changes,
and then move our development of ASan for Windows to LLVM latest/trunk.

This PR consists of three major changes.

  1. Drop the hook_rtl_allocators flag. All the Heap* functions are just thin wrappers for their Rtl* counterparts and directly hooking them makes everything more robust.
  2. Keep track of all the ASan allocated memory associated with each heap so that on RtlDestroyHeap We can free the memory appropriately.
  3. Heaps with flags we do not currently support with the ASan allocator get passed through to the real Rtl* functions. This is required for applications which require special heaps such as the CLR runtime which requires an executable memory heap. This is an area for future improvement.

Diff Detail

Event Timeline

cbezault created this revision.Mar 2 2021, 9:56 AM
Herald added subscribers: jfb, yaxunl. · View Herald TranscriptMar 2 2021, 9:56 AM
cbezault requested review of this revision.Mar 2 2021, 9:56 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 2 2021, 9:56 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
cbezault retitled this revision from Summary: This is the first of several planned PRs to upstream the changes to the ASan runtime which have been completed internally by Microsoft. We are shipping this and several other changes built on top of LLVM 9 in the Visual Studio toolset. to Move Heap* hooks to just hooking the Rtl* functions directly on Windows.Mar 2 2021, 10:01 AM
cbezault edited the summary of this revision. (Show Details)
cbezault edited the summary of this revision. (Show Details)Mar 2 2021, 10:03 AM
cbezault retitled this revision from Move Heap* hooks to just hooking the Rtl* functions directly on Windows to Hook Rtl* allocation functions directly on Windows.
cbezault planned changes to this revision.Mar 2 2021, 10:11 AM
Harbormaster completed remote builds in B91605: Diff 327500.Mar 2 2021, 11:48 AM
cbezault updated this revision to Diff 327642.Mar 2 2021, 6:05 PM

Fixups

cbezault updated this revision to Diff 327644.Mar 2 2021, 6:19 PM

Fixup headers.

Harbormaster completed remote builds in B91709: Diff 327642.Mar 2 2021, 10:38 PM
Harbormaster completed remote builds in B91711: Diff 327644.Mar 2 2021, 10:53 PM
cbezault planned changes to this revision.Mar 12 2021, 10:59 AM
jblazquez added a subscriber: jblazquez.EditedJul 19 2021, 12:29 PM

@cbezault , I think these changes can cause hangs on shutdown when linking against the static runtime.

You may want to check our discussion here: https://developercommunity.visualstudio.com/t/ASAN-hang-on-exit-in-__sanitizer::proc/1453688

cbezault added a comment.Jul 19 2021, 2:33 PM

Hi Javier,

This changeset is not what is currently being shipped with VS but I did fix
a deadlock a few weeks back that could be causing the hang you observe.
Try out the latest version of VS and let me know if your issue is still
present. I'm hoping to come back to this differential in the next couple of
weeks, so you can take a look at the code then.

Curtis

jblazquez added a comment.Jul 19 2021, 3:08 PM

Hi Curtis, thanks for the quick reply.

I just rebuilt one of our apps with the latest MSVC toolset (14.30.30401, from VS2022 Preview 2.0), and the issue still occurs. Here's a callstack I just got:

MyApp.exe!__sanitizer::internal_sched_yield() Line 887
MyApp.exe!__sanitizer::StaticSpinMutex::LockSlow() Line 56
[Inline Frame] MyApp.exe!__sanitizer::StaticSpinMutex::Lock() Line 31
[Inline Frame] MyApp.exe!RecursiveScopedLock::{ctor}(__sanitizer::SpinMutex &) Line 31
[Inline Frame] MyApp.exe!AsanHeapHandle::{ctor}(AsanHeap & heap, void *) Line 602
MyApp.exe!GetAsanHeapHandle(void * heap, void * memory) Line 631
MyApp.exe!__asan_wrap_RtlFreeHeap(void * HeapHandle, unsigned long Flags, void * BaseAddress) Line 772
bcryptprimitives.dll!_TearDownRNGStatesCommon@0
bcryptprimitives.dll!_TearDownRNGStates@0
bcryptprimitives.dll!_MsProviderStop@0
bcryptprimitives.dll!_DllMain@12
ntdll.dll!_LdrxCallInitRoutine@16
ntdll.dll!LdrpCallInitRoutine()
ntdll.dll!_LdrShutdownProcess@0
ntdll.dll!RtlExitUserProcess()
kernel32.dll!_ExitProcessImplementation@4
MyApp.exe!exit_or_terminate_process(const unsigned int return_code) Line 143
MyApp.exe!common_exit(const int return_code, const _crt_exit_cleanup_mode cleanup_mode, const _crt_exit_return_mode return_mode) Line 280
MyApp.exe!exit(int return_code) Line 293
MyApp.exe!__scrt_common_main_seh() Line 310
kernel32.dll!@BaseThreadInitThunk@12
ntdll.dll!___RtlUserThreadStart@8
ntdll.dll!__RtlUserThreadStart@8

I have this issue in the debugger right now, and I could potentially share a full memory dump with you or assist in other ways in order to dig into the problem.

Please let me know how you'd like to proceed, and whether there's a better venue than reviews.llvm.org for this discussion.

cbezault added a comment.Jul 19 2021, 4:27 PM

Hi Javier,

A full memory dump could be useful, even more useful would be the
application which is suffering from the hang.
If you could open a new devcom ticket and just send me the link so I can
get it triaged more quickly that would probably be best.

jblazquez added a comment.Jul 19 2021, 4:42 PM

Hi Curtis, I created a new ticket and attached a full memory dump + PDB for you: https://developercommunity.visualstudio.com/t/AddressSanitizer:-Hang-on-exit-inside-AS/1479116

jblazquez added a comment.Jul 19 2021, 5:05 PM

I noticed a Lock call in RtlDestroyHeap that doesn't have a corresponding Unlock. Could that be it?

compiler-rt/lib/asan/asan_malloc_win.cpp
421

There is no Unlock call here. Could this be the cause of the hang?

cbezault added subscribers: aizatsky, browneee, aralisza and 24 others.Jul 19 2021, 8:43 PM

Looks like I found the problem. It's pretty dumb :( . The issue is that at
the top of RtlDestroyHeap I destroy the instance of the AsanHeap associated
with the HeapHandle but anywhere that calls GetAsanHeap will just recreate
it, leading to the race condition. This is a pretty easy fix but I'm kind
of backlogged and won't be able to get something in for the next couple of
weeks.

jblazquez added a comment.Jul 19 2021, 9:21 PM

I’m glad we found the problem.

We’re not blocked by this issue, since we have recently switched to linking against the upstream compiler-rt instead of using the MSVC-provided libraries, as a temporary workaround.

Looking forward to seeing the latest MSFT changes upstreamed.

danieljennings added a subscriber: danieljennings.Sep 10 2021, 10:58 AM

Hi friends,

We've also run into this problem after upgrading our compilers and attempting to run our servers with ASan enabled. I was wondering if there was any update about the fix mentioned here? We're willing to upgrade to VS2022 Preview if it's been fixed there, but I assume that it wasn't fixed as part of the Preview 3 release.

We’re not blocked by this issue, since we have recently switched to linking against the upstream compiler-rt instead of using the MSVC-provided libraries, as a temporary workaround.

I was excited to hear this workaround is possible! Are you able to share information with me about how you accomplished this?
I'm able to compile the LLVM ASan binaries fine, and can swap out the MSVC-shipped libs for a local version at link-time, but my DLLs don't link cleanly when I do that. I think there must be some fundamental piece of this puzzle that I'm missing, as I get the same linker errors when I swap out the MSVC-shipped clang/vcasan libs from 14.29.30133 for the older copy MSVC ships with 14.28.29910. The linker errors all involve the asan_new_delete OBJ if that's any clue...

Thanks for anything either of you may be able to share, and thanks above all for the work on bringing ASan to Windows/MSVC. :)

danieljennings added a comment.Sep 13 2021, 3:17 PM

Sorry for the spam, but I wanted to follow-up on my previous message since I've discovered what I was doing wrong. For anyone else who may run into this problem, I was trying to use /libpath with link.exe to have it skip the default libs and use the custom set I had built. For whatever reason, that doesn't work. The correct change to make, which does link correctly, was to use /inferasanlibs:no and then manually /wholearchive the ASAN libs as described on this page I hadn't discovered before: https://docs.microsoft.com/en-us/cpp/sanitizers/asan-building?view=msvc-160

Thanks again to everyone for your work on MSVC ASan :)

cbezault added subscribers: MTC, Enna1.Sep 14 2021, 5:24 AM

Hi Daniel,

The fix for the race condition is in PR review internally right now. We
should be moving to getting all our changes out in the open soon™.
For your second problem it sounds like you're running into an issue with
the way asan replaces the new and delete operators. If your program
provides user-defined new/delete operators in a header as opposed to in
their own standalone obj file you may run into the issue of multiple
defined symbols.

Curtis

rnk added a subscriber: rnk.Sep 17 2021, 3:47 PM

Hey, I just found this review today. Let me see what I can do to help get this review going.

I found my way here because I was looking at a different winasan patch: D109941

cbezault added a comment.Sep 17 2021, 5:48 PM

Hi Reid,

This DR isn't actually ready yet. We've made some extensive changes on our
side that we're getting ready to start breaking into digestible pieces for
review.

cerg2010cerg2010 added a subscriber: cerg2010cerg2010.Nov 17 2021, 12:30 AM
cbezault abandoned this revision.Jan 25 2022, 1:25 PM
jblazquez added a comment.Jan 26 2022, 2:06 PM

Hi @cbezault, I see this review was abandoned. Is a new one coming? We're still hoping to go back to Microsoft's official ASan libraries as soon as possible, once the hang on exit issue is solved.

cbezault added subscribers: melver, fares96311, jkorous and 2 others.Jan 26 2022, 3:17 PM

Hi Javier,

There is a fix in the pipeline for the hang on teardown issue.

poljak181 added a subscriber: poljak181.Mar 31 2022, 2:16 PM
Herald added a project: Restricted Project. · View Herald TranscriptMar 31 2022, 2:16 PM
poljak181 added a comment.Mar 31 2022, 2:19 PM
In D97781#3274006, @cbezault wrote:

Hi Javier,

There is a fix in the pipeline for the hang on teardown issue.

Hi @cbezault, is there any information about the studio version that will include this fix?

cbezault added a subscriber: stwish_msft.Apr 1 2022, 9:57 AM

@poljak181 I'm no longer on the ASan team at Microsoft so I can't really comment on where things stand. The last thing I saw was that we were still running into issues where Rtl* functions were getting called during process teardown. The RAII lock destructors wouldn't get called before teardown so locks would be held by threads that no longer existed and then we would deadlock. Windows gets around this with the Heap locks by walking through all existing heaps on teardown and essentially unlocking all of the locks before proceeding to call Rtl* functions. I had proposed hooking the function that does that in order to effectively do the same thing with the ASan internal locks but I don't know if it was ever implemented. @stwish_msft

stwish_msft added a comment.Apr 1 2022, 10:46 AM

The process teardown issue (as well as a bunch of other deadlock issues resulting from this change) are going to be included in Visual Studio 17.2 Preview 3. We have plans to backport this to 16.11 as well. This is our feedback issue tracking this on DevCommunity: https://developercommunity.visualstudio.com/t/ASAN-hang-on-exit-in-__sanitizer::proc/1453688

jblazquez added a comment.Apr 1 2022, 11:17 AM

Thanks for the update, Steve! Looking forward to switching back to MSFT's ASan libraries.

Revision Contents

Diff 327644

compiler-rt/lib/asan/asan_flags.inc

Show First 20 LinesShow All 152 Lines▼ Show 20 LinesASAN_FLAG(bool, halt_on_error, true,
"(WARNING: USE AT YOUR OWN RISK!)") "(WARNING: USE AT YOUR OWN RISK!)")
ASAN_FLAG(bool, allocator_frees_and_returns_null_on_realloc_zero, true, ASAN_FLAG(bool, allocator_frees_and_returns_null_on_realloc_zero, true,
"realloc(p, 0) is equivalent to free(p) by default (Same as the " "realloc(p, 0) is equivalent to free(p) by default (Same as the "
"POSIX standard). If set to false, realloc(p, 0) will return a " "POSIX standard). If set to false, realloc(p, 0) will return a "
"pointer to an allocated space which can not be used.") "pointer to an allocated space which can not be used.")
ASAN_FLAG(bool, verify_asan_link_order, true, ASAN_FLAG(bool, verify_asan_link_order, true,
"Check position of ASan runtime in library list (needs to be disabled" "Check position of ASan runtime in library list (needs to be disabled"
" when other library has to be preloaded system-wide)") " when other library has to be preloaded system-wide)")
ASAN_FLAG(
bool, windows_hook_rtl_allocators, false,
"(Windows only) enable hooking of Rtl(Allocate|Free|Size|ReAllocate)Heap.")

compiler-rt/lib/asan/asan_malloc_win.cpp

//===-- asan_malloc_win.cpp -----------------------------------------------===// //===-- asan_malloc_win.cpp -----------------------------------------------===//
// //
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information. // See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
// //
// This file is a part of AddressSanitizer, an address sanity checker. // This file is a part of AddressSanitizer, an address sanity checker.
// //
// Windows-specific malloc interception. // Windows-specific malloc interception.
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_addrhashmap.h"
#include "sanitizer_common/sanitizer_allocator_interface.h" #include "sanitizer_common/sanitizer_allocator_interface.h"
#include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_mutex.h"
#include "sanitizer_common/sanitizer_platform.h" #include "sanitizer_common/sanitizer_platform.h"
#if SANITIZER_WINDOWS #if SANITIZER_WINDOWS
#include <stddef.h>
#include "asan_allocator.h" #include "asan_allocator.h"
#include "asan_interceptors.h" #include "asan_interceptors.h"
#include "asan_internal.h" #include "asan_internal.h"
#include "asan_stack.h" #include "asan_stack.h"
#include "asan_win_immortalize.h"
#include "asan_win_scoped_lock.h"
#include "interception/interception.h" #include "interception/interception.h"
#include <stddef.h>
// Intentionally not including windows.h here, to avoid the risk of // Intentionally not including windows.h here, to avoid the risk of
// pulling in conflicting declarations of these functions. (With mingw-w64, // pulling in conflicting declarations of these functions. (With mingw-w64,
// there's a risk of windows.h pulling in stdint.h.) // there's a risk of windows.h pulling in stdint.h.)
typedef int BOOL; typedef void *HANDLE, *LPVOID, *PHANDLE, *HGLOBAL, *HLOCAL, *HWND;
typedef void *HANDLE;
typedef const void *LPCVOID; typedef const void *LPCVOID;
typedef void *LPVOID; typedef int BOOL;
typedef unsigned int UINT;
typedef unsigned long DWORD, LOGICAL;
struct _RTL_HEAP_PARAMETERS;
typedef _RTL_HEAP_PARAMETERS *PRTL_HEAP_PARAMETERS;
using __sanitizer::uptr;
typedef unsigned long DWORD; constexpr unsigned long HEAP_NO_SERIALIZE = 0x00000001;
constexpr unsigned long HEAP_GENERATE_EXCEPTIONS = 0x00000004;
constexpr unsigned long HEAP_ZERO_MEMORY = 0x00000008; constexpr unsigned long HEAP_ZERO_MEMORY = 0x00000008;
constexpr unsigned long HEAP_REALLOC_IN_PLACE_ONLY = 0x00000010; constexpr unsigned long HEAP_REALLOC_IN_PLACE_ONLY = 0x00000010;
constexpr unsigned long HEAP_ALLOCATE_SUPPORTED_FLAGS = (HEAP_ZERO_MEMORY); constexpr unsigned long HEAP_CREATE_ENABLE_EXECUTE = 0x00040000;
constexpr unsigned long HEAP_ALLOCATE_SUPPORTED_FLAGS =
(HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY);
constexpr unsigned long HEAP_ALLOCATE_UNSUPPORTED_FLAGS = constexpr unsigned long HEAP_ALLOCATE_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS); (~HEAP_ALLOCATE_SUPPORTED_FLAGS);
constexpr unsigned long HEAP_FREE_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS);
constexpr unsigned long HEAP_REALLOC_UNSUPPORTED_FLAGS =
(~HEAP_ALLOCATE_SUPPORTED_FLAGS);
constexpr unsigned long HEAP_REALLOC_SUPPORTED_FLAGS =
(HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY);
constexpr unsigned long HEAP_REALLOC_UNSUPPORTED_FLAGS =
(~HEAP_REALLOC_SUPPORTED_FLAGS);
extern "C" { extern "C" {
LPVOID WINAPI HeapAlloc(HANDLE hHeap, DWORD dwFlags, size_t dwBytes); HANDLE WINAPI GetProcessHeap();
LPVOID WINAPI HeapReAlloc(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, BOOL WINAPI HeapValidate(HANDLE, DWORD, void *);
size_t dwBytes);
BOOL WINAPI HeapFree(HANDLE hHeap, DWORD dwFlags, LPVOID lpMem);
size_t WINAPI HeapSize(HANDLE hHeap, DWORD dwFlags, LPCVOID lpMem);
BOOL WINAPI HeapValidate(HANDLE hHeap, DWORD dwFlags, LPCVOID lpMem); DWORD WINAPI GetCurrentThreadId();
} }
using namespace __asan; using namespace __asan;
// MT: Simply defining functions with the same signature in *.obj // MT: Simply defining functions with the same signature in *.obj
// files overrides the standard functions in the CRT. // files overrides the standard functions in the CRT.
// MD: Memory allocation functions are defined in the CRT .dll, // MD: Memory allocation functions are defined in the CRT .dll,
// so we have to intercept them before they are called for the first time. // so we have to intercept them before they are called for the first time.
▲ Show 20 LinesShow All 134 Lines▼ Show 20 Lines
int _CrtDbgReportW(int reportType, const wchar_t*, int, int _CrtDbgReportW(int reportType, const wchar_t*, int,
const wchar_t*, const wchar_t*, ...) { const wchar_t*, const wchar_t*, ...) {
ShowStatsAndAbort(); ShowStatsAndAbort();
} }
int _CrtSetReportMode(int, int) { int _CrtSetReportMode(int, int) {
return 0; return 0;
} }
} // extern "C" } // extern "C"
#define OWNED_BY_RTL(heap, memory) \ struct AsanHeapMemoryNode {
(!__sanitizer_get_ownership(memory) && HeapValidate(heap, 0, memory)) static void *operator new(size_t size) { return InternalAlloc(size); }
static void operator delete(void *p) { InternalFree(p); }
AsanHeapMemoryNode(void *_memory) : memory(_memory) {}
void *memory;
AsanHeapMemoryNode *next;
};
typedef __sanitizer::IntrusiveList<AsanHeapMemoryNode> AsanMemoryList;
typedef __sanitizer::AddrHashMap<AsanHeapMemoryNode *, 4099> AsanMemoryMap;
struct AsanHeap {
// This data structure is undocumented and is subject to change.
struct HEAP {
#if SANITIZER_WORDSIZE == 64
unsigned long padding[28];
#elif SANITIZER_WORDSIZE == 32
unsigned long padding[16];
#else
#error "Platform not supported"
#endif
unsigned long flags;
unsigned long forceFlags;
};
static void *operator new(size_t size) { return InternalAlloc(size); }
static void *operator new(size_t, void *p) { return p; }
static void operator delete(void *p) { InternalFree(p); }
INTERCEPTOR_WINAPI(size_t, HeapSize, HANDLE hHeap, DWORD dwFlags, explicit AsanHeap(HANDLE _heap) : heap(*((HEAP *)_heap)) {
LPCVOID lpMem) { constexpr unsigned long HEAP_PROCESS_CLASS = 0x00000000;
// If the RTL allocators are hooked we need to check whether the ASAN constexpr unsigned long HEAP_PRIVATE_CLASS = 0x00001000;
// allocator owns the pointer we're about to use. Allocations occur before constexpr unsigned long HEAP_CLASS_MASK = 0x0000F000;
// interception takes place, so if it is not owned by the RTL heap we can
// pass it to the ASAN heap for inspection.
if (flags()->windows_hook_rtl_allocators) {
if (!asan_inited || OWNED_BY_RTL(hHeap, lpMem))
return REAL(HeapSize)(hHeap, dwFlags, lpMem);
} else {
CHECK(dwFlags == 0 && "unsupported heap flags");
}
GET_CURRENT_PC_BP_SP;
(void)sp;
return asan_malloc_usable_size(lpMem, pc, bp);
}
INTERCEPTOR_WINAPI(LPVOID, HeapAlloc, HANDLE hHeap, DWORD dwFlags, constexpr unsigned long HEAP_SUPPORTED_CLASSES[] = {HEAP_PROCESS_CLASS,
size_t dwBytes) { HEAP_PRIVATE_CLASS};
// If the ASAN runtime is not initialized, or we encounter an unsupported
// flag, fall back to the original allocator. const unsigned long heapClass =
if (flags()->windows_hook_rtl_allocators) { (heap.flags | heap.forceFlags) & HEAP_CLASS_MASK;
if (UNLIKELY(!asan_inited ||
(dwFlags & HEAP_ALLOCATE_UNSUPPORTED_FLAGS) != 0)) { bool heapClassSupported = false;
return REAL(HeapAlloc)(hHeap, dwFlags, dwBytes); for (const auto &heapClassType : HEAP_SUPPORTED_CLASSES) {
if (heapClass == heapClassType) {
heapClassSupported = true;
break;
} }
} else {
// In the case that we don't hook the rtl allocators,
// this becomes an assert since there is no failover to the original
// allocator.
CHECK((HEAP_ALLOCATE_UNSUPPORTED_FLAGS & dwFlags) != 0 &&
"unsupported flags");
} }
GET_STACK_TRACE_MALLOC;
void *p = asan_malloc(dwBytes, &stack); if (!heapClassSupported) {
// Reading MSDN suggests that the *entire* usable allocation is zeroed out. is_supported = false;
// Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY. return;
// https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083
if (p && (dwFlags & HEAP_ZERO_MEMORY)) {
GET_CURRENT_PC_BP_SP;
(void)sp;
auto usable_size = asan_malloc_usable_size(p, pc, bp);
internal_memset(p, 0, usable_size);
}
return p;
} }
INTERCEPTOR_WINAPI(BOOL, HeapFree, HANDLE hHeap, DWORD dwFlags, LPVOID lpMem) { constexpr unsigned long HEAP_UNSUPPORTED_FLAGS =
// Heap allocations happen before this function is hooked, so we must fall (HEAP_GENERATE_EXCEPTIONS | HEAP_REALLOC_IN_PLACE_ONLY |
// back to the original function if the pointer is not from the ASAN heap, HEAP_CREATE_ENABLE_EXECUTE);
// or unsupported flags are provided.
if (flags()->windows_hook_rtl_allocators) { if ((heap.flags | heap.forceFlags) & HEAP_UNSUPPORTED_FLAGS) {
if (OWNED_BY_RTL(hHeap, lpMem)) is_supported = false;
return REAL(HeapFree)(hHeap, dwFlags, lpMem); return;
} else {
CHECK((HEAP_FREE_UNSUPPORTED_FLAGS & dwFlags) != 0 && "unsupported flags");
} }
GET_STACK_TRACE_FREE;
asan_free(lpMem, &stack, FROM_MALLOC); is_supported = true;
return true;
} }
namespace __asan { [[nodiscard]] unsigned long GetFlags() const {
using AllocFunction = LPVOID(WINAPI *)(HANDLE, DWORD, size_t); constexpr unsigned long HEAP_EXAMINED_FLAGS =
using ReAllocFunction = LPVOID(WINAPI *)(HANDLE, DWORD, LPVOID, size_t); (HEAP_NO_SERIALIZE | HEAP_ZERO_MEMORY | HEAP_REALLOC_IN_PLACE_ONLY);
using SizeFunction = size_t(WINAPI *)(HANDLE, DWORD, LPVOID);
using FreeFunction = BOOL(WINAPI *)(HANDLE, DWORD, LPVOID);
void *SharedReAlloc(ReAllocFunction reallocFunc, SizeFunction heapSizeFunc,
FreeFunction freeFunc, AllocFunction allocFunc,
HANDLE hHeap, DWORD dwFlags, LPVOID lpMem, size_t dwBytes) {
CHECK(reallocFunc && heapSizeFunc && freeFunc && allocFunc);
GET_STACK_TRACE_MALLOC;
GET_CURRENT_PC_BP_SP;
(void)sp;
if (flags()->windows_hook_rtl_allocators) {
enum AllocationOwnership { NEITHER = 0, ASAN = 1, RTL = 2 };
AllocationOwnership ownershipState;
bool owned_rtlalloc = false;
bool owned_asan = __sanitizer_get_ownership(lpMem);
if (!owned_asan)
owned_rtlalloc = HeapValidate(hHeap, 0, lpMem);
if (owned_asan && !owned_rtlalloc)
ownershipState = ASAN;
else if (!owned_asan && owned_rtlalloc)
ownershipState = RTL;
else if (!owned_asan && !owned_rtlalloc)
ownershipState = NEITHER;
// If this heap block which was allocated before the ASAN return (heap.flags | heap.forceFlags) & HEAP_EXAMINED_FLAGS;
// runtime came up, use the real HeapFree function.
if (UNLIKELY(!asan_inited)) {
return reallocFunc(hHeap, dwFlags, lpMem, dwBytes);
} }
bool only_asan_supported_flags =
(HEAP_REALLOC_UNSUPPORTED_FLAGS & dwFlags) == 0;
if (ownershipState == RTL || // A reference to some members of the opaque HEAP data structure.
(ownershipState == NEITHER && !only_asan_supported_flags)) { const HEAP &heap;
if (only_asan_supported_flags) {
// if this is a conversion to ASAN upported flags, transfer this // A lock to keep the accesses to the map and the list atomic.
// allocation to the ASAN allocator __sanitizer::SpinMutex lock = {};
void *replacement_alloc;
if (dwFlags & HEAP_ZERO_MEMORY) // We need to keep track of which thread holds the lock if any.
replacement_alloc = asan_calloc(1, dwBytes, &stack); __sanitizer::atomic_uint32_t thread_id = {};
else
replacement_alloc = asan_malloc(dwBytes, &stack); // A list of memory managed by asan associated with this heap to enable
if (replacement_alloc) { // freeing all memory when a heap is destroyed.
size_t old_size = heapSizeFunc(hHeap, dwFlags, lpMem); AsanMemoryList asan_memory = {};
if (old_size == ((size_t)0) - 1) {
asan_free(replacement_alloc, &stack, FROM_MALLOC); // A mapping of asan managed pointers to the node before them in the list to
return nullptr; // allow for efficient removal when freed.
} AsanMemoryMap memory_map;
REAL(memcpy)(replacement_alloc, lpMem, old_size);
freeFunc(hHeap, dwFlags, lpMem); bool is_supported;
};
struct AsanHeapMap : public __sanitizer::AddrHashMap<AsanHeap *, 37> {
using __sanitizer::AddrHashMap<AsanHeap *, 37>::Handle;
static void *operator new(size_t, void *p) { return p; }
};
AsanHeapMap *GetAsanHeapMap() { return &immortalize<AsanHeapMap>(); }
AsanHeap *GetDefaultHeap() {
return &immortalize<AsanHeap, void *>(GetProcessHeap());
} }
return replacement_alloc;
AsanHeap *GetAsanHeap(void *heap) {
AsanHeap *asan_heap;
if (heap == GetProcessHeap()) {
asan_heap = GetDefaultHeap();
} else { } else {
// owned by rtl or neither with unsupported ASAN flags, AsanHeapMap::Handle h_find_or_create(
// just pass back to original allocator GetAsanHeapMap(), reinterpret_cast<uptr>(heap), false, true);
CHECK(ownershipState == RTL || ownershipState == NEITHER);
CHECK(!only_asan_supported_flags); if (h_find_or_create.created()) {
return reallocFunc(hHeap, dwFlags, lpMem, dwBytes); asan_heap = new AsanHeap(heap);
*h_find_or_create = asan_heap;
} else {
asan_heap = *h_find_or_create;
} }
} }
if (ownershipState == ASAN && !only_asan_supported_flags) { return asan_heap;
// Conversion to unsupported flags allocation,
// transfer this allocation back to the original allocator.
void *replacement_alloc = allocFunc(hHeap, dwFlags, dwBytes);
size_t old_usable_size = 0;
if (replacement_alloc) {
old_usable_size = asan_malloc_usable_size(lpMem, pc, bp);
REAL(memcpy)(replacement_alloc, lpMem,
Min<size_t>(dwBytes, old_usable_size));
asan_free(lpMem, &stack, FROM_MALLOC);
}
return replacement_alloc;
} }
CHECK((ownershipState == ASAN || ownershipState == NEITHER) && struct AllocationOwnership {
only_asan_supported_flags); enum { NEITHER = 0, ASAN = 1, RTL = 2 };
// At this point we should either be ASAN owned with ASAN supported flags const int ownership;
// or we owned by neither and have supported flags.
// Pass through even when it's neither since this could be a null realloc or AllocationOwnership(void *heap, void *memory)
// UAF that ASAN needs to catch. : ownership(get_ownership(heap, memory)) {}
} else {
CHECK((HEAP_REALLOC_UNSUPPORTED_FLAGS & dwFlags) != 0 && private:
"unsupported flags"); int get_ownership(void *heap, void *memory) {
if (__sanitizer_get_ownership(memory)) {
return ASAN;
} else if (HeapValidate(heap, 0, memory)) {
return RTL;
} }
// asan_realloc will never reallocate in place, so for now this flag is
// unsupported until we figure out a way to fake this.
if (dwFlags & HEAP_REALLOC_IN_PLACE_ONLY)
return nullptr;
// HeapReAlloc and HeapAlloc both happily accept 0 sized allocations. return NEITHER;
// passing a 0 size into asan_realloc will free the allocation. }
// To avoid this and keep behavior consistent, fudge the size if 0.
// (asan_malloc already does this)
if (dwBytes == 0)
dwBytes = 1;
size_t old_size; friend bool operator==(const AllocationOwnership &l,
if (dwFlags & HEAP_ZERO_MEMORY) const AllocationOwnership &r) {
old_size = asan_malloc_usable_size(lpMem, pc, bp); return l.ownership == r.ownership;
}
void *ptr = asan_realloc(lpMem, dwBytes, &stack); friend bool operator==(const AllocationOwnership &l, const int &r) {
if (ptr == nullptr) return l.ownership == r;
return nullptr; }
if (dwFlags & HEAP_ZERO_MEMORY) { friend bool operator==(const int &l, const AllocationOwnership &r) {
size_t new_size = asan_malloc_usable_size(ptr, pc, bp); return l == r.ownership;
if (old_size < new_size)
REAL(memset)(((u8 *)ptr) + old_size, 0, new_size - old_size);
} }
return ptr; template <class Other>
friend bool operator!=(const AllocationOwnership &l, const Other &r) {
return !(l == r);
} }
} // namespace __asan
INTERCEPTOR_WINAPI(LPVOID, HeapReAlloc, HANDLE hHeap, DWORD dwFlags, template <class Other>
LPVOID lpMem, size_t dwBytes) { friend bool operator!=(const Other &l, const AllocationOwnership &r) {
return SharedReAlloc(REAL(HeapReAlloc), (SizeFunction)REAL(HeapSize), return !(l == r);
REAL(HeapFree), REAL(HeapAlloc), hHeap, dwFlags, lpMem,
dwBytes);
} }
};
// The following functions are undocumented and subject to change. // The following functions are undocumented and subject to change.
// However, hooking them is necessary to hook Windows heap // However, hooking them is necessary to hook Windows heap
// allocations with detours and their definitions are unlikely to change. // allocations with detours and their definitions are unlikely to change.
// Comments in /minkernel/ntos/rtl/heappublic.c indicate that these functions // Comments in /minkernel/ntos/rtl/heappublic.c indicate that these functions
// are part of the heap's public interface. // are part of the heap's public interface.
typedef unsigned long LOGICAL;
// This function is documented as part of the Driver Development Kit but *not* // This function is documented as part of the Driver Development Kit but *not*
// the Windows Development Kit. // the Windows Development Kit.
LOGICAL RtlFreeHeap(void* HeapHandle, DWORD Flags, void *RtlDestroyHeap(void *HeapHandle);
void* BaseAddress);
// This function is documented as part of the Driver Development Kit but *not*
// the Windows Development Kit.
LOGICAL RtlFreeHeap(void *HeapHandle, DWORD Flags, void *BaseAddress);
// This function is documented as part of the Driver Development Kit but *not* // This function is documented as part of the Driver Development Kit but *not*
// the Windows Development Kit. // the Windows Development Kit.
void* RtlAllocateHeap(void* HeapHandle, DWORD Flags, size_t Size); void *RtlAllocateHeap(void *HeapHandle, DWORD Flags, size_t Size);
// This function is completely undocumented. // This function is completely undocumented.
void* void *RtlReAllocateHeap(void *HeapHandle, DWORD Flags, void *BaseAddress,
RtlReAllocateHeap(void* HeapHandle, DWORD Flags, void* BaseAddress,
size_t Size); size_t Size);
// This function is completely undocumented. // This function is completely undocumented.
size_t RtlSizeHeap(void* HeapHandle, DWORD Flags, void* BaseAddress); size_t RtlSizeHeap(void *HeapHandle, DWORD Flags, void *BaseAddress);
// TODO: This doesn't gracefully handle the situation that one thread is trying
// to use this heap while it is being destroyed.
INTERCEPTOR_WINAPI(void *, RtlDestroyHeap, void *HeapHandle) {
AsanHeapMap::Handle h_delete(GetAsanHeapMap(),
reinterpret_cast<uptr>(HeapHandle), true, false);
if (UNLIKELY(!h_delete.exists() && HeapHandle != GetProcessHeap())) {
return REAL(RtlDestroyHeap)(HeapHandle);
}
AsanHeap *asan_heap = GetAsanHeap(HeapHandle);
GET_STACK_TRACE_FREE;
asan_heap->lock.Lock();
jblazquezUnsubmitted
Not Done
ReplyInline Actions

There is no Unlock call here. Could this be the cause of the hang?

jblazquez: There is no `Unlock` call here. Could this be the cause of the hang?
// Free all memory managed by asan and associated with this heap.
while (!asan_heap->asan_memory.empty()) {
asan_free(asan_heap->asan_memory.front()->memory, &stack, FROM_MALLOC);
delete asan_heap->asan_memory.front();
asan_heap->asan_memory.pop_front();
}
if (HeapHandle != GetProcessHeap()) {
delete asan_heap;
}
return REAL(RtlDestroyHeap)(HeapHandle);
}
INTERCEPTOR_WINAPI(size_t, RtlSizeHeap, HANDLE HeapHandle, DWORD Flags, INTERCEPTOR_WINAPI(size_t, RtlSizeHeap, HANDLE HeapHandle, DWORD Flags,
void* BaseAddress) { void *BaseAddress) {
if (!flags()->windows_hook_rtl_allocators || if (UNLIKELY(!asan_inited || !BaseAddress)) {
UNLIKELY(!asan_inited || OWNED_BY_RTL(HeapHandle, BaseAddress))) {
return REAL(RtlSizeHeap)(HeapHandle, Flags, BaseAddress); return REAL(RtlSizeHeap)(HeapHandle, Flags, BaseAddress);
} }
AllocationOwnership owner(HeapHandle, BaseAddress);
if (UNLIKELY(owner != AllocationOwnership::ASAN)) {
return REAL(RtlSizeHeap)(HeapHandle, Flags, BaseAddress);
}
// We could check to make sure the BaseAddress belongs to the heap that
// was passed in here but it is not strictly necessary.
GET_CURRENT_PC_BP_SP; GET_CURRENT_PC_BP_SP;
(void)sp; (void)sp;
return asan_malloc_usable_size(BaseAddress, pc, bp); return asan_malloc_usable_size(BaseAddress, pc, bp);
} }
INTERCEPTOR_WINAPI(BOOL, RtlFreeHeap, HANDLE HeapHandle, DWORD Flags, INTERCEPTOR_WINAPI(void *, RtlAllocateHeap, HANDLE HeapHandle, DWORD Flags,
void* BaseAddress) { size_t Size) {
// Heap allocations happen before this function is hooked, so we must fall if (UNLIKELY(!asan_inited)) {
// back to the original function if the pointer is not from the ASAN heap, or return REAL(RtlAllocateHeap)(HeapHandle, Flags, Size);
// unsupported flags are provided.
if (!flags()->windows_hook_rtl_allocators ||
UNLIKELY((HEAP_FREE_UNSUPPORTED_FLAGS & Flags) != 0 ||
OWNED_BY_RTL(HeapHandle, BaseAddress))) {
return REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
} }
GET_STACK_TRACE_FREE;
asan_free(BaseAddress, &stack, FROM_MALLOC); AsanHeap *asan_heap = GetAsanHeap(HeapHandle);
return true; if (UNLIKELY(!asan_heap->is_supported)) {
return REAL(RtlAllocateHeap)(HeapHandle, Flags, Size);
} }
INTERCEPTOR_WINAPI(void*, RtlAllocateHeap, HANDLE HeapHandle, DWORD Flags, const DWORD all_flags = Flags | asan_heap->GetFlags();
size_t Size) { const DWORD unsupported_flags = all_flags & HEAP_ALLOCATE_UNSUPPORTED_FLAGS;
// If the ASAN runtime is not initialized, or we encounter an unsupported
// flag, fall back to the original allocator. if (UNLIKELY(unsupported_flags)) {
if (!flags()->windows_hook_rtl_allocators ||
UNLIKELY(!asan_inited ||
(Flags & HEAP_ALLOCATE_UNSUPPORTED_FLAGS) != 0)) {
return REAL(RtlAllocateHeap)(HeapHandle, Flags, Size); return REAL(RtlAllocateHeap)(HeapHandle, Flags, Size);
} }
// Take the lock in the AsanHeap
RecursiveScopedLock raii_lock(asan_heap->lock, asan_heap->thread_id);
GET_STACK_TRACE_MALLOC; GET_STACK_TRACE_MALLOC;
void *p; void *p = asan_malloc(Size, &stack);
// Reading MSDN suggests that the *entire* usable allocation is zeroed out. // Reading MSDN suggests that the *entire* usable allocation is zeroed out.
// Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY. // Otherwise it is difficult to HeapReAlloc with HEAP_ZERO_MEMORY.
// https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083 // https://blogs.msdn.microsoft.com/oldnewthing/20120316-00/?p=8083
if (Flags & HEAP_ZERO_MEMORY) { if (p && (Flags & HEAP_ZERO_MEMORY)) {
p = asan_calloc(Size, 1, &stack); GET_CURRENT_PC_BP_SP;
} else { (void)sp;
p = asan_malloc(Size, &stack); auto usable_size = asan_malloc_usable_size(p, pc, bp);
internal_memset(p, 0, usable_size);
}
AsanHeapMemoryNode *mem_node = new AsanHeapMemoryNode(p);
AsanHeapMemoryNode *prev_tail = asan_heap->asan_memory.back();
asan_heap->asan_memory.push_back(mem_node);
{
AsanMemoryMap::Handle h(&(asan_heap->memory_map), reinterpret_cast<uptr>(p),
false, true);
*h = prev_tail;
} }
return p; return p;
} }
INTERCEPTOR_WINAPI(LOGICAL, RtlFreeHeap, void *HeapHandle, DWORD Flags,
void *BaseAddress) {
if (UNLIKELY(!asan_inited || !BaseAddress)) {
return REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
AllocationOwnership owner(HeapHandle, BaseAddress);
if (UNLIKELY(owner == AllocationOwnership::RTL)) {
return REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
if (owner == AllocationOwnership::NEITHER) {
GET_STACK_TRACE_FREE;
// This should either return double-free or wild pointer errors
asan_free(BaseAddress, &stack, FROM_MALLOC);
return false;
}
// ASAN owns the memory
AsanHeap *asan_heap = GetAsanHeap(HeapHandle);
// Take the lock in the AsanHeap
RecursiveScopedLock raii_lock(asan_heap->lock, asan_heap->thread_id);
AsanHeapMemoryNode *found;
{
AsanMemoryMap::Handle h_delete(&(asan_heap->memory_map),
reinterpret_cast<uptr>(BaseAddress), true,
false);
// If the pointer is not in the heap's allocated memory map one of
// two things could be happening:
// 1. The memory passed into RtlFreeHeap was allocated with malloc or new.
// 2. ASAN owns the memory but the wrong heap was passed into RtlFreeHeap
// and we should emulate RtlFreeHeap's behavior.
if (!h_delete.exists()) {
if (HeapHandle == GetProcessHeap()) {
GET_STACK_TRACE_FREE;
asan_free(BaseAddress, &stack, FROM_MALLOC);
return true;
} else {
return REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
}
found = *h_delete;
}
AsanHeapMemoryNode *remove;
AsanHeapMemoryNode *update;
if (found) {
remove = found->next;
asan_heap->asan_memory.extract(found, found->next);
update = found->next;
} else {
remove = asan_heap->asan_memory.front();
asan_heap->asan_memory.pop_front();
update = asan_heap->asan_memory.front();
}
CHECK(remove->memory == BaseAddress &&
"Memory list is inconsistent with map. "
"This is a bug, please report it.");
if (update) {
{
AsanMemoryMap::Handle h_update(&(asan_heap->memory_map),
reinterpret_cast<uptr>(update->memory),
true, false);
}
{
AsanMemoryMap::Handle h_update(&(asan_heap->memory_map),
reinterpret_cast<uptr>(update->memory),
false, true);
*h_update = found;
}
}
delete remove;
GET_STACK_TRACE_FREE;
asan_free(BaseAddress, &stack, FROM_MALLOC);
return true;
}
INTERCEPTOR_WINAPI(void*, RtlReAllocateHeap, HANDLE HeapHandle, DWORD Flags, INTERCEPTOR_WINAPI(void *, RtlReAllocateHeap, HANDLE HeapHandle, DWORD Flags,
void* BaseAddress, size_t Size) { void *BaseAddress, size_t Size) {
// If it's actually a heap block which was allocated before the ASAN runtime if (UNLIKELY(!asan_inited)) {
// came up, use the real RtlFreeHeap function.
if (!flags()->windows_hook_rtl_allocators)
return REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size); return REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size);
}
return SharedReAlloc(REAL(RtlReAllocateHeap), REAL(RtlSizeHeap), if (UNLIKELY(!BaseAddress)) {
REAL(RtlFreeHeap), REAL(RtlAllocateHeap), HeapHandle, return WRAP(RtlAllocateHeap)(HeapHandle, Flags, Size);
Flags, BaseAddress, Size); }
AllocationOwnership owner(HeapHandle, BaseAddress);
AsanHeap *asan_heap = GetAsanHeap(HeapHandle);
if (UNLIKELY(!asan_heap->is_supported)) {
return REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size);
}
const DWORD all_flags = Flags | asan_heap->GetFlags();
const DWORD asan_unsupported_flags =
(HEAP_REALLOC_UNSUPPORTED_FLAGS & all_flags);
// Take the lock in the AsanHeap
RecursiveScopedLock raii_lock(asan_heap->lock, asan_heap->thread_id);
GET_STACK_TRACE_MALLOC;
GET_CURRENT_PC_BP_SP;
(void)sp;
void *replacement_alloc = nullptr;
size_t old_size;
if (owner == AllocationOwnership::NEITHER) {
// This should cause a use-after-free or wild pointer error. If it is a
// wild pointer error the pointer was either nonsense or came from
// another heap.
replacement_alloc = asan_realloc(BaseAddress, Size, &stack);
CHECK((all_flags & HEAP_ZERO_MEMORY) == 0 &&
"We cannot zero the memory as we do not know the previous size of "
"the memory. This error should only occur if ASAN errors are "
"non-fatal.");
if (replacement_alloc) {
AsanHeapMemoryNode *mem_node = new AsanHeapMemoryNode(replacement_alloc);
AsanHeapMemoryNode *prev_tail = asan_heap->asan_memory.back();
asan_heap->asan_memory.push_back(mem_node);
{
AsanMemoryMap::Handle h(&(asan_heap->memory_map),
reinterpret_cast<uptr>(replacement_alloc),
false, true);
*h = prev_tail;
}
}
} else if (!asan_unsupported_flags && owner == AllocationOwnership::ASAN) {
// HeapReAlloc and HeapAlloc both happily accept 0 sized allocations.
// passing a 0 size into asan_realloc will free the allocation.
// To avoid this and keep behavior consistent, fudge the size if 0.
// (asan_malloc already does this)
if (Size == 0) {
Size = 1;
}
if (all_flags & HEAP_ZERO_MEMORY) {
old_size = asan_malloc_usable_size(BaseAddress, pc, bp);
}
AsanHeapMemoryNode *found;
bool new_malloc_rtl_mismatch = false;
{
AsanMemoryMap::Handle h_delete(&(asan_heap->memory_map),
reinterpret_cast<uptr>(BaseAddress), true,
false);
// If the pointer is not in the heap's allocated memory map one of
// two things could be happening:
// 1. The memory passed into RtlReAllocateHeap was allocated with malloc
// or new.
// 2. ASAN owns the memory but the wrong heap was passed into
// RtlReAllocateHeap and we should emulate RtlReAllocateHeap's behavior.
if (!h_delete.exists()) {
if (HeapHandle == GetProcessHeap()) {
new_malloc_rtl_mismatch = true;
} else {
return REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size);
}
}
found = *h_delete;
}
replacement_alloc = asan_realloc(BaseAddress, Size, &stack);
if (replacement_alloc == nullptr) {
return nullptr;
}
if (all_flags & HEAP_ZERO_MEMORY) {
size_t new_size = asan_malloc_usable_size(replacement_alloc, pc, bp);
if (old_size < new_size) {
REAL(memset)
(((u8 *)replacement_alloc) + old_size, 0, new_size - old_size);
}
}
// We need to remove the old pointer from both the heap list and the heap
// map and then add the new pointer.
if (replacement_alloc != BaseAddress) {
if (!new_malloc_rtl_mismatch) {
if (found) {
found->next->memory = replacement_alloc;
} else {
asan_heap->asan_memory.front()->memory = replacement_alloc;
}
} else {
// If the function which created this allocation was not an Rtl
// function we just add the new memory onto the end of the linked
// list.
AsanHeapMemoryNode *mem_node =
new AsanHeapMemoryNode(replacement_alloc);
found = asan_heap->asan_memory.back();
asan_heap->asan_memory.push_back(mem_node);
}
AsanMemoryMap::Handle h_new(&(asan_heap->memory_map),
reinterpret_cast<uptr>(replacement_alloc),
false, true);
*h_new = found;
}
} else if (UNLIKELY(!asan_unsupported_flags &&
owner == AllocationOwnership::RTL)) {
old_size = REAL(RtlSizeHeap)(HeapHandle, Flags, BaseAddress);
if (old_size != ~size_t{0}) {
replacement_alloc = WRAP(RtlAllocateHeap)(HeapHandle, Flags, Size);
if (replacement_alloc == nullptr) {
return nullptr;
} else {
REAL(memcpy)
(replacement_alloc, BaseAddress, Min<size_t>(Size, old_size));
REAL(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
} else {
return nullptr;
}
} else if (UNLIKELY(asan_unsupported_flags &&
owner == AllocationOwnership::ASAN)) {
// Conversion to unsupported flags allocation,
// transfer this allocation to the original allocator.
replacement_alloc = REAL(RtlAllocateHeap)(HeapHandle, Flags, Size);
if (replacement_alloc) {
old_size = asan_malloc_usable_size(BaseAddress, pc, bp);
REAL(memcpy)(replacement_alloc, BaseAddress, Min<size_t>(Size, old_size));
WRAP(RtlFreeHeap)(HeapHandle, Flags, BaseAddress);
}
} else if (UNLIKELY(asan_unsupported_flags &&
owner == AllocationOwnership::RTL)) {
// Currently owned by rtl using unsupported ASAN flags,
// just pass back to original allocator.
replacement_alloc =
REAL(RtlReAllocateHeap)(HeapHandle, Flags, BaseAddress, Size);
}
return replacement_alloc;
} }
namespace __asan { namespace __asan {
static void TryToOverrideFunction(const char *fname, uptr new_func) { static void TryToOverrideFunction(const char *fname, uptr new_func) {
// Failure here is not fatal. The CRT may not be present, and different CRT // Failure here is not fatal. The CRT may not be present, and different CRT
// versions use different symbols. // versions use different symbols.
if (!__interception::OverrideFunction(fname, new_func)) if (!__interception::OverrideFunction(fname, new_func))
Show All 16 Lines#if defined(ASAN_DYNAMIC)
TryToOverrideFunction("_recalloc", (uptr)_recalloc); TryToOverrideFunction("_recalloc", (uptr)_recalloc);
TryToOverrideFunction("_recalloc_base", (uptr)_recalloc); TryToOverrideFunction("_recalloc_base", (uptr)_recalloc);
TryToOverrideFunction("_recalloc_crt", (uptr)_recalloc); TryToOverrideFunction("_recalloc_crt", (uptr)_recalloc);
TryToOverrideFunction("_msize", (uptr)_msize); TryToOverrideFunction("_msize", (uptr)_msize);
TryToOverrideFunction("_msize_base", (uptr)_msize); TryToOverrideFunction("_msize_base", (uptr)_msize);
TryToOverrideFunction("_expand", (uptr)_expand); TryToOverrideFunction("_expand", (uptr)_expand);
TryToOverrideFunction("_expand_base", (uptr)_expand); TryToOverrideFunction("_expand_base", (uptr)_expand);
if (flags()->windows_hook_rtl_allocators) {
INTERCEPT_FUNCTION(HeapSize);
INTERCEPT_FUNCTION(HeapFree);
INTERCEPT_FUNCTION(HeapReAlloc);
INTERCEPT_FUNCTION(HeapAlloc);
// Undocumented functions must be intercepted by name, not by symbol. // Undocumented functions must be intercepted by name, not by symbol.
__interception::OverrideFunction("RtlSizeHeap", (uptr)WRAP(RtlSizeHeap), __interception::OverrideFunction("RtlSizeHeap", (uptr)WRAP(RtlSizeHeap),
(uptr *)&REAL(RtlSizeHeap)); (uptr *)&REAL(RtlSizeHeap));
__interception::OverrideFunction("RtlFreeHeap", (uptr)WRAP(RtlFreeHeap), __interception::OverrideFunction("RtlFreeHeap", (uptr)WRAP(RtlFreeHeap),
(uptr *)&REAL(RtlFreeHeap)); (uptr *)&REAL(RtlFreeHeap));
__interception::OverrideFunction("RtlReAllocateHeap", __interception::OverrideFunction("RtlReAllocateHeap",
(uptr)WRAP(RtlReAllocateHeap), (uptr)WRAP(RtlReAllocateHeap),
(uptr *)&REAL(RtlReAllocateHeap)); (uptr *)&REAL(RtlReAllocateHeap));
__interception::OverrideFunction("RtlAllocateHeap", __interception::OverrideFunction("RtlAllocateHeap",
(uptr)WRAP(RtlAllocateHeap), (uptr)WRAP(RtlAllocateHeap),
(uptr *)&REAL(RtlAllocateHeap)); (uptr *)&REAL(RtlAllocateHeap));
} else { __interception::OverrideFunction("RtlDestroyHeap", (uptr)WRAP(RtlDestroyHeap),
#define INTERCEPT_UCRT_FUNCTION(func) \ (uptr *)&REAL(RtlDestroyHeap));
if (!INTERCEPT_FUNCTION_DLLIMPORT( \
"ucrtbase.dll", "api-ms-win-core-heap-l1-1-0.dll", func)) { \
VPrintf(2, "Failed to intercept ucrtbase.dll import %s\n", #func); \
}
INTERCEPT_UCRT_FUNCTION(HeapAlloc);
INTERCEPT_UCRT_FUNCTION(HeapFree);
INTERCEPT_UCRT_FUNCTION(HeapReAlloc);
INTERCEPT_UCRT_FUNCTION(HeapSize);
#undef INTERCEPT_UCRT_FUNCTION
}
// Recent versions of ucrtbase.dll appear to be built with PGO and LTCG, which
// enable cross-module inlining. This means our _malloc_base hook won't catch
// all CRT allocations. This code here patches the import table of
// ucrtbase.dll so that all attempts to use the lower-level win32 heap
// allocation API will be directed to ASan's heap. We don't currently
// intercept all calls to HeapAlloc. If we did, we would have to check on
// HeapFree whether the pointer came from ASan of from the system.
#endif // defined(ASAN_DYNAMIC) #endif // defined(ASAN_DYNAMIC)
} }
} // namespace __asan } // namespace __asan
#endif // _WIN32 #endif // _WIN32

compiler-rt/lib/asan/asan_win_dynamic_runtime_thunk.cpp

Show All 16 Lines
// - forwarding the detect_stack_use_after_return runtime option // - forwarding the detect_stack_use_after_return runtime option
// - working around deficiencies of the MD runtime // - working around deficiencies of the MD runtime
// - installing a custom SEH handler // - installing a custom SEH handler
// //
//===----------------------------------------------------------------------===// //===----------------------------------------------------------------------===//
#ifdef SANITIZER_DYNAMIC_RUNTIME_THUNK #ifdef SANITIZER_DYNAMIC_RUNTIME_THUNK
#define SANITIZER_IMPORT_INTERFACE 1 #define SANITIZER_IMPORT_INTERFACE 1
#include "sanitizer_common/sanitizer_win_defs.h"
#define WIN32_LEAN_AND_MEAN #define WIN32_LEAN_AND_MEAN
#include <windows.h> #include <windows.h>
#include "sanitizer_common/sanitizer_win_defs.h"
// Define weak alias for all weak functions imported from asan dll. // Define weak alias for all weak functions imported from asan dll.
#define INTERFACE_FUNCTION(Name) #define INTERFACE_FUNCTION(Name)
#define INTERFACE_WEAK_FUNCTION(Name) WIN_WEAK_IMPORT_DEF(Name) #define INTERFACE_WEAK_FUNCTION(Name) WIN_WEAK_IMPORT_DEF(Name)
#include "asan_interface.inc" #include "asan_interface.inc"
// First, declare CRT sections we'll be using in this file // First, declare CRT sections we'll be using in this file
#pragma section(".CRT$XIB", long, read) #pragma section(".CRT$XIB", long, read)
#pragma section(".CRT$XID", long, read) #pragma section(".CRT$XID", long, read)
▲ Show 20 LinesShow All 94 LinesShow Last 20 Lines

compiler-rt/lib/asan/asan_win_immortalize.h

  • This file was added.
//===-- asan_win_immortalize.h --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
//
// Windows-specific thread-safe and pre-CRT global initialization safe
// infrastructure to create an object whose destructor is never called.
//===----------------------------------------------------------------------===//
#include "sanitizer_common/sanitizer_win_defs.h"
// These types are required to satisfy XFG which requires that the names of the
// types for indirect calls to be correct as well as the name of the original
// type for any typedefs.
typedef union _RTL_RUN_ONCE* PINIT_ONCE;
typedef void* PVOID;
typedef int BOOL;
extern "C" {
__declspec(dllimport) int WINAPI
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: 'declspec' attributes are not enabled; use '-fdeclspec' or '-fms-extensions' to enable support for declspec attributes [clang-diagnostic-error]
not useful
clang-tidy: error: expected ';' after top level declarator [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: '__declspec' attributes are not enabled; use '-fdeclspec' or '-fms…
InitOnceExecuteOnce(void**, BOOL(WINAPI*)(PINIT_ONCE, PVOID, PVOID*), void*,
void*);
}
template <class Ty>
BOOL WINAPI immortalize_impl(PINIT_ONCE, PVOID storage_ptr, PVOID*) noexcept {
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: redefinition of 'WINAPI' as different kind of symbol [clang-diagnostic-error]
not useful
clang-tidy: error: expected ';' at end of declaration [clang-diagnostic-error]
not useful
clang-tidy: error: C++ requires a type specifier for all declarations [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: redefinition of 'WINAPI' as different kind of symbol [clang-diagnostic…
// Ty must provide a placement new operator
new (storage_ptr) Ty();
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: unknown type name 'Ty' [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: unknown type name 'Ty' [clang-diagnostic-error] [[https://github.
return 1;
}
template <class Ty, typename Arg>
BOOL WINAPI immortalize_impl(PINIT_ONCE, PVOID storage_ptr,
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: redefinition of 'WINAPI' as different kind of symbol [clang-diagnostic-error]
not useful
clang-tidy: error: expected ';' at end of declaration [clang-diagnostic-error]
not useful
clang-tidy: error: C++ requires a type specifier for all declarations [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: redefinition of 'WINAPI' as different kind of symbol [clang-diagnostic…
PVOID* param) noexcept {
// Ty must provide a placement new operator
new (storage_ptr) Ty(*((Arg*)param));
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: unknown type name 'Ty' [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: unknown type name 'Ty' [clang-diagnostic-error] [[https://github.
return 1;
}
template <class Ty>
Ty& immortalize() { // return a reference to an object that will live forever
static void* flag;
alignas(Ty) static unsigned char storage[sizeof(Ty)];
InitOnceExecuteOnce(&flag, immortalize_impl<Ty>, &storage, nullptr);
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: 'Ty' does not refer to a value [clang-diagnostic-error]
not useful
clang-tidy: error: expected expression [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: 'Ty' does not refer to a value [clang-diagnostic-error] [[https://github.
return reinterpret_cast<Ty&>(storage);
}
template <class Ty, typename Arg>
Ty& immortalize(
Arg arg) { // return a reference to an object that will live forever
static void* flag;
alignas(Ty) static unsigned char storage[sizeof(Ty)];
InitOnceExecuteOnce(&flag, immortalize_impl<Ty, Arg>, &storage, &arg);
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: 'Ty' does not refer to a value [clang-diagnostic-error]
not useful
clang-tidy: error: 'Arg' does not refer to a value [clang-diagnostic-error]
not useful
clang-tidy: error: expected expression [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: 'Ty' does not refer to a value [clang-diagnostic-error] [[https://github.
return reinterpret_cast<Ty&>(storage);
}

compiler-rt/lib/asan/asan_win_scoped_lock.h

  • This file was added.
//===-- asan_win_scoped_lock.h --------------------------------------------===//
//
// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
// See https://llvm.org/LICENSE.txt for license information.
// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
//
// raii lock used exclusively by Windows-specific parts of ASan
//===----------------------------------------------------------------------===//
#pragma once
#include "sanitizer_common/sanitizer_atomic.h"
#include "sanitizer_common/sanitizer_mutex.h"
extern "C" unsigned long _stdcall GetCurrentThreadId();
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: expected ';' after top level declarator [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: expected ';' after top level declarator [clang-diagnostic-error] [[https…
class RecursiveScopedLock {
public:
explicit RecursiveScopedLock(__sanitizer::SpinMutex &_lock,
__sanitizer::atomic_uint32_t &_thread_id)
: lock(_lock), thread_id(_thread_id), serialized(false) {
if (atomic_load_relaxed(&thread_id) != GetCurrentThreadId()) {
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: use of undeclared identifier 'GetCurrentThreadId' [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: use of undeclared identifier 'GetCurrentThreadId' [clang-diagnostic-error]…
lock.Lock();
atomic_store_relaxed(&thread_id, GetCurrentThreadId());
Lint: Pre-merge checks
Inline Actions

clang-tidy: error: use of undeclared identifier 'GetCurrentThreadId' [clang-diagnostic-error]
not useful

Lint: Pre-merge checks: clang-tidy: error: use of undeclared identifier 'GetCurrentThreadId' [clang-diagnostic-error]…
serialized = true;
}
}
~RecursiveScopedLock() {
if (serialized) {
atomic_store_relaxed(&thread_id, 0);
lock.Unlock();
}
}
private:
__sanitizer::SpinMutex &lock;
__sanitizer::atomic_uint32_t &thread_id;
bool serialized;
};

compiler-rt/lib/interception/interception_win.cpp

Show First 20 LinesShow All 417 Lines▼ Show 20 Lines switch (*(u8*)address) {
case 0x56: // push esi / rsi case 0x56: // push esi / rsi
case 0x57: // push edi / rdi case 0x57: // push edi / rdi
case 0x5D: // pop ebp / rbp case 0x5D: // pop ebp / rbp
return 1; return 1;
case 0x6A: // 6A XX = push XX case 0x6A: // 6A XX = push XX
return 2; return 2;
// This instruction can be encoded with a 16-bit immediate but that is
// incredibly unlikely.
case 0x68: // 68 XX XX XX XX : push imm32
return 5;
case 0xb8: // b8 XX XX XX XX : mov eax, XX XX XX XX case 0xb8: // b8 XX XX XX XX : mov eax, XX XX XX XX
case 0xB9: // b9 XX XX XX XX : mov ecx, XX XX XX XX case 0xB9: // b9 XX XX XX XX : mov ecx, XX XX XX XX
return 5; return 5;
// Cannot overwrite control-instruction. Return 0 to indicate failure. // Cannot overwrite control-instruction. Return 0 to indicate failure.
case 0xE9: // E9 XX XX XX XX : jmp <label> case 0xE9: // E9 XX XX XX XX : jmp <label>
case 0xE8: // E8 XX XX XX XX : call <func> case 0xE8: // E8 XX XX XX XX : call <func>
case 0xC3: // C3 : ret case 0xC3: // C3 : ret
Show All 19 Linesstatic size_t GetInstructionSize(uptr address, size_t* rel_offset = nullptr) {
switch (*(u16*)(address)) { switch (*(u16*)(address)) {
case 0x018A: // 8A 01 : mov al, byte ptr [ecx] case 0x018A: // 8A 01 : mov al, byte ptr [ecx]
case 0xFF8B: // 8B FF : mov edi, edi case 0xFF8B: // 8B FF : mov edi, edi
case 0xEC8B: // 8B EC : mov ebp, esp case 0xEC8B: // 8B EC : mov ebp, esp
case 0xc889: // 89 C8 : mov eax, ecx case 0xc889: // 89 C8 : mov eax, ecx
case 0xC18B: // 8B C1 : mov eax, ecx case 0xC18B: // 8B C1 : mov eax, ecx
case 0xC033: // 33 C0 : xor eax, eax case 0xC033: // 33 C0 : xor eax, eax
case 0x8bec: // EC 8B : mov ebp, esp
case 0xC933: // 33 C9 : xor ecx, ecx case 0xC933: // 33 C9 : xor ecx, ecx
case 0xD233: // 33 D2 : xor edx, edx case 0xD233: // 33 D2 : xor edx, edx
case 0xc084: // 84 c0 : test al,al
case 0xdb84: // 84 db : test bl,bl
case 0xc984: // 84 c9 : test cl,cl
case 0xd284: // 84 d2 : test dl,dl
return 2; return 2;
// Cannot overwrite control-instruction. Return 0 to indicate failure. // Cannot overwrite control-instruction. Return 0 to indicate failure.
case 0x25FF: // FF 25 XX XX XX XX : jmp [XXXXXXXX] case 0x25FF: // FF 25 XX XX XX XX : jmp [XXXXXXXX]
return 0; return 0;
} }
switch (0x00FFFFFF & *(u32*)address) { switch (0x00FFFFFF & *(u32*)address) {
case 0x83e4f8: // F8 E4 83 : and esp, 0xFFFFFFF8
case 0x83ec64: // 64 EC 83 : sub esp, 64h
return 3;
case 0x24A48D: // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX] case 0x24A48D: // 8D A4 24 XX XX XX XX : lea esp, [esp + XX XX XX XX]
return 7; return 7;
} }
#if SANITIZER_WINDOWS64 #if SANITIZER_WINDOWS64
switch (*(u8*)address) { switch (*(u8*)address) {
case 0xA1: // A1 XX XX XX XX XX XX XX XX : case 0xA1: // A1 XX XX XX XX XX XX XX XX :
// movabs eax, dword ptr ds:[XXXXXXXX] // movabs eax, dword ptr ds:[XXXXXXXX]
return 9; return 9;
case 0xf2:
switch (*(u32 *)(address + 1)) {
case 0x2444110f: // f2 0f 11 44 24 XX movsd mmword ptr [rsp + XX],
// xmm0
case 0x244c110f: // f2 0f 11 4c 24 XX movsd QWORD PTR
// [rsp+0x8],xmm1
case 0x2454110f: // f2 0f 11 54 24 XX movsd QWORD PTR
// [rsp+0x8],xmm2
case 0x245c110f: // f2 0f 11 5c 24 XX movsd QWORD PTR
// [rsp+0x8],xmm3
case 0x2464110f: // f2 0f 11 64 24 XX movsd QWORD PTR
// [rsp+0x8],xmm4
return 6;
}
} }
switch (*(u16*)address) { switch (*(u16*)address) {
case 0x5040: // push rax case 0x5040: // push rax
case 0x5140: // push rcx case 0x5140: // push rcx
case 0x5240: // push rdx case 0x5240: // push rdx
case 0x5340: // push rbx case 0x5340: // push rbx
case 0x5440: // push rsp case 0x5440: // push rsp
case 0x5540: // push rbp case 0x5540: // push rbp
case 0x5640: // push rsi case 0x5640: // push rsi
case 0x5740: // push rdi case 0x5740: // push rdi
case 0x5441: // push r12 case 0x5441: // push r12
case 0x5541: // push r13 case 0x5541: // push r13
case 0x5641: // push r14 case 0x5641: // push r14
case 0x5741: // push r15 case 0x5741: // push r15
case 0x9066: // Two-byte NOP case 0x9066: // Two-byte NOP
return 2; return 2;
case 0x7e80: // 80 7e YY XX cmp BYTE PTR [rsi+YY], XX
case 0x7d80: // 80 7d YY XX cmp BYTE PTR [rdx+YY], XX
case 0x7a80: // 80 7a YY XX cmp BYTE PTR [rdx+YY], XX
case 0x7880: // 80 78 YY XX cmp BYTE PTR [rax+YY], XX
case 0x7b80: // 80 7b YY XX cmp BYTE PTR [rbx+YY], XX
case 0x7980: // 80 79 YY XX cmp BYTE ptr [rcx+YY], XX
return 4;
case 0x058B: // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX] case 0x058B: // 8B 05 XX XX XX XX : mov eax, dword ptr [XX XX XX XX]
if (rel_offset) if (rel_offset)
*rel_offset = 2; *rel_offset = 2;
return 6; return 6;
case 0x7e81: // 81 7e YY XX XX XX XX cmp DWORD PTR [rsi+YY], XX XX XX XX
case 0x7d81: // 81 7d YY XX XX XX XX cmp DWORD PTR [rdx+YY], XX XX XX XX
case 0x7a81: // 81 7a YY XX XX XX XX cmp DWORD PTR [rdx+YY], XX XX XX XX
case 0x7881: // 81 78 YY XX XX XX XX cmp DWORD PTR [rax+YY], XX XX XX XX
case 0x7b81: // 81 78 YY XX XX XX XX cmp DWORD PTR [rbx+YY], XX XX XX XX
case 0x7981: // 81 79 YY XX XX XX XX cmp dword ptr [rcx+YY], XX XX XX XX
return 7;
} }
switch (0x00FFFFFF & *(u32*)address) { switch (0x00FFFFFF & *(u32*)address) {
case 0xe58948: // 48 8b c4 : mov rbp, rsp case 0xe58948: // 48 8b c4 : mov rbp, rsp
case 0xc18b48: // 48 8b c1 : mov rax, rcx case 0xc18b48: // 48 8b c1 : mov rax, rcx
case 0xc48b48: // 48 8b c4 : mov rax, rsp case 0xc48b48: // 48 8b c4 : mov rax, rsp
case 0xd9f748: // 48 f7 d9 : neg rcx case 0xd9f748: // 48 f7 d9 : neg rcx
case 0xd12b48: // 48 2b d1 : sub rdx, rcx case 0xd12b48: // 48 2b d1 : sub rdx, rcx
case 0x07c1f6: // f6 c1 07 : test cl, 0x7 case 0x07c1f6: // f6 c1 07 : test cl, 0x7
case 0xc98548: // 48 85 C9 : test rcx, rcx case 0xc98548: // 48 85 C9 : test rcx, rcx
case 0xc0854d: // 4d 85 c0 : test r8, r8 case 0xc0854d: // 4d 85 c0 : test r8, r8
case 0xdb8548: // 48 85 db : test rbx,rbx
case 0xd28548: // 48 85 d2 : test rdx,rdx
case 0xc9854d: // 4d 85 c9 : test r9,r9
case 0xd2854d: // 4d 85 d2 : test r10,r10
case 0xdb854d: // 4d 85 db : test r11,r11
case 0xe4854d: // 4d 85 e4 : test r12,r12
case 0xed854d: // 4d 85 ed : test r13,r13
case 0xf6854d: // 4d 85 f6 : test r14,r14
case 0xff854d: // 4d 85 ff : test r15,r15
case 0xed8548: // 48 85 ed : test rbp,rbp
case 0xe48548: // 48 85 e4 : test rsp,rsp
case 0xc2b60f: // 0f b6 c2 : movzx eax, dl case 0xc2b60f: // 0f b6 c2 : movzx eax, dl
case 0xc03345: // 45 33 c0 : xor r8d, r8d case 0xc03345: // 45 33 c0 : xor r8d, r8d
case 0xc93345: // 45 33 c9 : xor r9d, r9d case 0xc93345: // 45 33 c9 : xor r9d, r9d
case 0xdb3345: // 45 33 DB : xor r11d, r11d case 0xdb3345: // 45 33 DB : xor r11d, r11d
case 0xd98b4c: // 4c 8b d9 : mov r11, rcx case 0xd98b4c: // 4c 8b d9 : mov r11, rcx
case 0xd28b4c: // 4c 8b d2 : mov r10, rdx case 0xd28b4c: // 4c 8b d2 : mov r10, rdx
case 0xc98b4c: // 4C 8B C9 : mov r9, rcx case 0xc98b4c: // 4C 8B C9 : mov r9, rcx
case 0xc18b4c: // 4C 8B C1 : mov r8, rcx case 0xc18b4c: // 4C 8B C1 : mov r8, rcx
case 0xd2b60f: // 0f b6 d2 : movzx edx, dl case 0xd2b60f: // 0f b6 d2 : movzx edx, dl
case 0xca2b48: // 48 2b ca : sub rcx, rdx case 0xca2b48: // 48 2b ca : sub rcx, rdx
case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax] case 0x10b70f: // 0f b7 10 : movzx edx, WORD PTR [rax]
case 0xc00b4d: // 3d 0b c0 : or r8, r8 case 0xc00b4d: // 3d 0b c0 : or r8, r8
case 0xd18b48: // 48 8b d1 : mov rdx, rcx case 0xd18b48: // 48 8b d1 : mov rdx, rcx
case 0xdc8b4c: // 4c 8b dc : mov r11, rsp case 0xdc8b4c: // 4c 8b dc : mov r11, rsp
case 0xd18b4c: // 4c 8b d1 : mov r10, rcx case 0xd18b4c: // 4c 8b d1 : mov r10, rcx
case 0xE0E483: // 83 E4 E0 : and esp, 0xFFFFFFE0 case 0xE0E483: // 83 E4 E0 : and esp, 0xFFFFFFE0
case 0xc1ff48: // 48 ff c1 : inc rcx
case 0xc0ff48: // 48 ff c0 : inc rax
case 0xc3ff48: // 48 ff c3 : inc rbx
case 0xc2ff48: // 48 ff c2 : inc rdx
case 0xc0ff49: // 49 ff c0 : inc r8
case 0xc1ff49: // 49 ff c1 : inc r9
case 0xc2ff49: // 49 ff c2 : inc r10
case 0xc3ff49: // 49 ff c3 : inc r11
case 0xc4ff49: // 49 ff c4 : inc r12
case 0xc5ff49: // 49 ff c5 : inc r13
case 0xc6ff49: // 49 ff c6 : inc r14
case 0xc7ff49: // 49 ff c7 : inc r15
case 0xc6ff48: // 48 ff c6 : inc rsi
case 0xc7ff48: // 48 ff c7 : inc rdi
case 0xc08b41: // 41 8b c0 : mov eax,r8d
case 0xc18b41: // 41 8b c1 : mov eax,r9d
case 0xc28b41: // 41 8b c2 : mov eax,r10d
case 0xc38b41: // 41 8b c3 : mov eax,r11d
case 0xc48b41: // 41 8b c4 : mov eax,r12d
return 3; return 3;
case 0xec8348: // 48 83 ec XX : sub rsp, XX case 0xec8348: // 48 83 ec XX : sub rsp, XX
case 0xf88349: // 49 83 f8 XX : cmp r8, XX case 0xf88349: // 49 83 f8 XX : cmp r8, XX
case 0x588948: // 48 89 58 XX : mov QWORD PTR[rax + XX], rbx case 0x588948: // 48 89 58 XX : mov QWORD PTR[rax + XX], rbx
case 0x245489: // 89 54 24 XX : mov DWORD PTR[rsp + XX], edx
return 4; return 4;
case 0x246483: // 83 64 24 00 00 : and DWORD PTR [rsp+xx],0x0
return 5;
case 0x7e8166: // 66 81 7e YY XX XX cmp WORD PTR [rsi+0xYY], XX XX
case 0x7f8166: // 66 81 7f YY XX XX cmp WORD PTR [rdi+0xYY], XX XX
case 0x788166: // 66 81 78 YY XX XX cmp WORD PTR [rax+0xYY], XX XX
case 0x7b8166: // 66 81 7b YY XX XX cmp WORD PTR [rbx+0xYY], XX XX
case 0x798166: // 66 81 79 YY XX XX cmp WORD PTR [rcx+0xYY], XX XX
case 0x7a8166: // 66 81 7a YY XX XX cmp WORD PTR [rdx+0xYY], XX XX
return 6;
case 0xec8148: // 48 81 EC XX XX XX XX : sub rsp, XXXXXXXX case 0xec8148: // 48 81 EC XX XX XX XX : sub rsp, XXXXXXXX
return 7; return 7;
case 0x788141: // 41 81 78 YY XX XX XX XX cmp DWORD PTR [r8+YY], XX XX XX
// XX
case 0x798141: // r9
case 0x7a8141: // r10
case 0x7b8141: // r11
case 0x7c8141: // r12
case 0x7d8141: // r13
case 0x7e8141: // r14
case 0x7f8141: // 41 81 78 YY XX XX XX XX cmp DWORD P [r15+YY], XX XX XX XX
case 0x247c81: // 81 7c 24 YY XX XX XX XX cmp DWORD P [rsp+YY], XX XX XX XX
return 8;
case 0x058b48: // 48 8b 05 XX XX XX XX : case 0x058b48: // 48 8b 05 XX XX XX XX :
// mov rax, QWORD PTR [rip + XXXXXXXX] // mov rax, QWORD PTR [rip + XXXXXXXX]
case 0x25ff48: // 48 ff 25 XX XX XX XX : case 0x25ff48: // 48 ff 25 XX XX XX XX :
// rex.W jmp QWORD PTR [rip + XXXXXXXX] // rex.W jmp QWORD PTR [rip + XXXXXXXX]
// Instructions having offset relative to 'rip' need offset adjustment. // Instructions having offset relative to 'rip' need offset adjustment.
if (rel_offset) if (rel_offset)
*rel_offset = 3; *rel_offset = 3;
return 7; return 7;
case 0x2444c7: // C7 44 24 XX YY YY YY YY case 0x2444c7: // C7 44 24 XX YY YY YY YY
// mov dword ptr [rsp + XX], YYYYYYYY // mov dword ptr [rsp + XX], YYYYYYYY
return 8; return 8;
} }
switch (*(u32*)(address)) { switch (*(u32*)(address)) {
case 0x24448b48: // 48 8b 44 24 XX : mov rax, QWORD ptr [rsp + XX] case 0x24448b48: // 48 8b 44 24 XX : mov rax, QWORD ptr [rsp + XX]
case 0x246c8948: // 48 89 6C 24 XX : mov QWORD ptr [rsp + XX], rbp case 0x246c8948: // 48 89 6C 24 XX : mov QWORD ptr [rsp + XX], rbp
case 0x245c8948: // 48 89 5c 24 XX : mov QWORD PTR [rsp + XX], rbx case 0x245c8948: // 48 89 5c 24 XX : mov QWORD PTR [rsp + XX], rbx
case 0x24748948: // 48 89 74 24 XX : mov QWORD PTR [rsp + XX], rsi case 0x24748948: // 48 89 74 24 XX : mov QWORD PTR [rsp + XX], rsi
case 0x244C8948: // 48 89 4C 24 XX : mov QWORD PTR [rsp + XX], rcx case 0x244C8948: // 48 89 4C 24 XX : mov QWORD PTR [rsp + XX], rcx
case 0x24548948: // 48 89 54 24 XX : mov QWORD PTR [rsp + XX], rdx case 0x24548948: // 48 89 54 24 XX : mov QWORD PTR [rsp + XX], rdx
case 0x244c894c: // 4c 89 4c 24 XX : mov QWORD PTR [rsp + XX], r9 case 0x244c894c: // 4c 89 4c 24 XX : mov QWORD PTR [rsp + XX], r9
case 0x2444894c: // 4c 89 44 24 XX : mov QWORD PTR [rsp + XX], r8 case 0x2444894c: // 4c 89 44 24 XX : mov QWORD PTR [rsp + XX], r8
case 0x244c8944: // 44 89 4c 24 XX mov DWORD PTR [rsp + XX], r9d
case 0x24448944: // 44 89 44 24 XX mov DWORD PTR [rsp + XX], r8d
case 0x247c8948: // 48 89 7c 24 XX mov QWORD ptr [rsp + XX], rdi
case 0x246c8d48: // 48 8d 6c 24 XX : lea rbp, [rsp + XX]
return 5; return 5;
case 0x24648348: // 48 83 64 24 XX : and QWORD PTR [rsp + XX], YY case 0x24648348: // 48 83 64 24 XX : and QWORD PTR [rsp + XX], YY
return 6; return 6;
} }
#else #else
switch (*(u8*)address) { switch (*(u8*)address) {
▲ Show 20 LinesShow All 452 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Windows/dll_host.cpp

Show All 18 Lines
// [BEWARE: be really careful with the sed commands, as this test can be run // [BEWARE: be really careful with the sed commands, as this test can be run
// from different environemnts with different shells and seds] // from different environemnts with different shells and seds]
// RUN: grep INTERCEPT_LIBRARY_FUNCTION %p/../../../../lib/asan/asan_win_dll_thunk.cpp \ // RUN: grep INTERCEPT_LIBRARY_FUNCTION %p/../../../../lib/asan/asan_win_dll_thunk.cpp \
// RUN: | grep -v define | sed -e s/.*(/__asan_wrap_/ -e s/).*// \ // RUN: | grep -v define | sed -e s/.*(/__asan_wrap_/ -e s/).*// \
// RUN: > %t.imports1 // RUN: > %t.imports1
// //
// Add functions interecepted in asan_malloc.win.cpp and asan_win.cpp. // Add functions interecepted in asan_malloc.win.cpp and asan_win.cpp.
// RUN: grep '[I]MPORT:' %s | sed -e 's/.*[I]MPORT: //' > %t.imports2 // RUN: grep '[I]MPORT:' %s | sed -e 's/.*[I]MPORT: //' > %t.imports2
// IMPORT: __asan_wrap_HeapAlloc
// IMPORT: __asan_wrap_HeapFree
// IMPORT: __asan_wrap_HeapReAlloc
// IMPORT: __asan_wrap_HeapSize
// IMPORT: __asan_wrap_CreateThread // IMPORT: __asan_wrap_CreateThread
// IMPORT: __asan_wrap_RaiseException // IMPORT: __asan_wrap_RaiseException
// IMPORT: __asan_wrap_RtlRaiseException // IMPORT: __asan_wrap_RtlRaiseException
// IMPORT: __asan_wrap_SetUnhandledExceptionFilter // IMPORT: __asan_wrap_SetUnhandledExceptionFilter
// IMPORT: __asan_wrap_RtlSizeHeap // IMPORT: __asan_wrap_RtlSizeHeap
// IMPORT: __asan_wrap_RtlAllocateHeap // IMPORT: __asan_wrap_RtlAllocateHeap
// IMPORT: __asan_wrap_RtlDestroyHeap
// IMPORT: __asan_wrap_RtlReAllocateHeap // IMPORT: __asan_wrap_RtlReAllocateHeap
// IMPORT: __asan_wrap_RtlFreeHeap // IMPORT: __asan_wrap_RtlFreeHeap
// //
// RUN: cat %t.imports1 %t.imports2 | sort | uniq > %t.imports-sorted // RUN: cat %t.imports1 %t.imports2 | sort | uniq > %t.imports-sorted
// RUN: cat %t.exports1 %t.exports2 | sort | uniq > %t.exports-sorted // RUN: cat %t.exports1 %t.exports2 | sort | uniq > %t.exports-sorted
// //
// Now make sure the DLL thunk imports everything: // Now make sure the DLL thunk imports everything:
// RUN: echo // RUN: echo
Show All 35 Lines

compiler-rt/test/asan/TestCases/Windows/dll_unload.cpp

#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll // RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe // RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s // RUN: not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime // REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits // REQUIRES: asan-32-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
extern "C" { extern "C" {
#if defined(EXE) #if defined(EXE)
Show All 37 Lines

compiler-rt/test/asan/TestCases/Windows/heapalloc.cpp

// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
#include <windows.h> #include <windows.h>
int main() { int main() {
char *buffer; char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32), buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32),
buffer[33] = 'a'; buffer[33] = 'a';
// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] // CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0 // CHECK: WRITE of size 1 at [[ADDR]] thread T0
} }

compiler-rt/test/asan/TestCases/Windows/heapalloc_dll_double_free.cpp

#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll // RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe // RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s // RUN: not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime // REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits // REQUIRES: asan-32-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
extern "C" { extern "C" {
#if defined(EXE) #if defined(EXE)
Show All 26 Lines

compiler-rt/test/asan/TestCases/Windows/heapalloc_dll_unload_realloc_uaf.cpp

#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll // RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe // RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s // RUN: not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime // REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits // REQUIRES: asan-32-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
extern "C" { extern "C" {
#if defined(EXE) #if defined(EXE)
Show All 26 Lines

compiler-rt/test/asan/TestCases/Windows/heapalloc_doublefree.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <cassert> #include <cassert>
#include <windows.h> #include <windows.h>
int main() { int main() {
void *allocation = HeapAlloc(GetProcessHeap(), 0, 10); void *allocation = HeapAlloc(GetProcessHeap(), 0, 10);
assert(allocation != 0); assert(allocation != 0);
assert(HeapFree(GetProcessHeap(), 0, allocation)); assert(HeapFree(GetProcessHeap(), 0, allocation));
HeapFree(GetProcessHeap(), 0, allocation); //will dump HeapFree(GetProcessHeap(), 0, allocation); //will dump
assert(0 && "HeapFree double free should produce an ASAN dump\n"); assert(0 && "HeapFree double free should produce an ASAN dump\n");
return 0; return 0;
} }
// CHECK: AddressSanitizer: attempting double-free on [[addr:0x[0-9a-fA-F]+]] in thread T0: // CHECK: AddressSanitizer: attempting double-free on [[addr:0x[0-9a-fA-F]+]] in thread T0:

compiler-rt/test/asan/TestCases/Windows/heapalloc_flags_fallback.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
extern "C" int extern "C" int
__sanitizer_get_ownership(const volatile void *p); __sanitizer_get_ownership(const volatile void *p);
Show All 9 Lines

compiler-rt/test/asan/TestCases/Windows/heapalloc_huge.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=allocator_may_return_null=true %run %t // RUN: %env_asan_opts=allocator_may_return_null=true %run %t
// RUN: %env_asan_opts=allocator_may_return_null=true:windows_hook_rtl_allocators=true %run %t // RUN: %env_asan_opts=allocator_may_return_null=true %run %t
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <windows.h> #include <windows.h>
int main() { int main() {
void *nope = HeapAlloc(GetProcessHeap(), 0, ((size_t)0) - 1); void *nope = HeapAlloc(GetProcessHeap(), 0, ((size_t)0) - 1);
return (nope == nullptr) ? 0 : 1; return (nope == nullptr) ? 0 : 1;
} }

compiler-rt/test/asan/TestCases/Windows/heapalloc_rtl_transfer.cpp

#include "sanitizer\allocator_interface.h" #include "sanitizer\allocator_interface.h"
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
// RUN: %clang_cl_asan %s -o%t // RUN: %clang_cl_asan %s -o%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T); using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using ReAllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID, SIZE_T); using ReAllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID); using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
int main() { int main() {
▲ Show 20 LinesShow All 75 Lines▼ Show 20 Linesint main() {
} }
printf("Success\n"); printf("Success\n");
} }
// CHECK-NOT: Assertion failed: // CHECK-NOT: Assertion failed:
// CHECK-NOT: AddressSanitizer // CHECK-NOT: AddressSanitizer
// CHECK: Success // CHECK: Success
No newline at end of file No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_transfer.cpp

#include "sanitizer\allocator_interface.h" #include "sanitizer\allocator_interface.h"
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
// RUN: %clang_cl_asan %s -o%t // RUN: %clang_cl_asan %s -o%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
int main() { int main() {
//owned by rtl //owned by rtl
void *alloc = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, 100); void *alloc = HeapAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, 100);
assert(alloc); assert(alloc);
// still owned by rtl // still owned by rtl
alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, alloc, 100); alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, alloc, 100);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc)); assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
//convert to asan owned //convert to asan owned
void *realloc = HeapReAlloc(GetProcessHeap(), 0, alloc, 500); void *realloc = HeapReAlloc(GetProcessHeap(), 0, alloc, 500);
alloc = nullptr; alloc = nullptr;
assert(realloc && __sanitizer_get_ownership(realloc)); assert(realloc && __sanitizer_get_ownership(realloc));
//convert back to rtl owned; //convert back to rtl owned;
alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, realloc, 100); alloc = HeapReAlloc(GetProcessHeap(), HEAP_GENERATE_EXCEPTIONS, realloc, 100);
assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc)); assert(alloc && !__sanitizer_get_ownership(alloc) && HeapValidate(GetProcessHeap(), 0, alloc));
printf("Success\n"); printf("Success\n");
} }
// CHECK-NOT: assert // CHECK-NOT: assert
// CHECK-NOT: AddressSanitizer // CHECK-NOT: AddressSanitizer
// CHECK: Success // CHECK: Success
No newline at end of file No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapalloc_uaf.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <windows.h> #include <windows.h>
int main() { int main() {
char *buffer; char *buffer;
buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32), buffer = (char *)HeapAlloc(GetProcessHeap(), 0, 32),
HeapFree(GetProcessHeap(), 0, buffer); HeapFree(GetProcessHeap(), 0, buffer);
buffer[0] = 'a'; buffer[0] = 'a';
// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]] // CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0 // CHECK: WRITE of size 1 at [[ADDR]] thread T0
} }

compiler-rt/test/asan/TestCases/Windows/heapalloc_zero_size.cpp

// RUN: %clang_cl_asan /Od -o %t %s // RUN: %clang_cl_asan /Od -o %t %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=false %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// RUN: %clang_cl /Od -o %t %s // RUN: %clang_cl /Od -o %t %s
// RUN: %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
int main() { int main() {
Show All 12 Lines

compiler-rt/test/asan/TestCases/Windows/heapcreate.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 1000, 5000);
void *newAlloc = HeapAlloc(newHeap, 0, 100);
if (__sanitizer_get_ownership(newAlloc)) {
printf("success\n");
return 0;
}
printf("fail\n");
return 1;
}
// CHECK: success
// CHECK-NOT: fail

compiler-rt/test/asan/TestCases/Windows/heapcreate_double_free.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: not %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 0, 0);
void *newAlloc = HeapAlloc(newHeap, 0, 100);
HeapFree(newHeap, 0, newAlloc);
HeapFree(newHeap, 0, newAlloc);
printf("failure\n");
return 1;
}
// CHECK: AddressSanitizer: double-free
// CHECK-NOT: failure;
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heapcreate_executable.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(HEAP_CREATE_ENABLE_EXECUTE, 0, 0);
void *newAlloc = HeapAlloc(newHeap, 0, 100);
if (!__sanitizer_get_ownership(newAlloc)) {
printf("success\n");
return 0;
}
printf("fail\n");
return 1;
}
// CHECK: success
// CHECK-NOT: fail

compiler-rt/test/asan/TestCases/Windows/heapcreate_free_after_destroy.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: not %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 0, 0);
void *newAlloc = HeapAlloc(newHeap, 0, 100);
HeapDestroy(newHeap);
HeapFree(newHeap, 0, newAlloc);
printf("failure\n");
return 1;
}
// We need to add an address sanitizer error for using a heap after it has
// been destroyed. For now we get an access-violation error.
// CHECK: AddressSanitizer:
// CHECK-NOT: failure;

compiler-rt/test/asan/TestCases/Windows/heapcreate_sanity.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 1000, 5000); // make a new heap with accepted flags for the asan interceptors
char *newAlloc = (char *)HeapAlloc(newHeap, 0, 100); // Allocate, this should belong to the sanitizer runtime
// check that we've created a new heap and that the allocation belongs where we think it should
if (newHeap != GetProcessHeap() && __sanitizer_get_ownership(newAlloc)) {
//touch the allocations and make sure nothing unexpected happens.
newAlloc[0] = 0xff;
newAlloc[99] = 0xff;
printf("success\n");
return 0;
}
printf("fail\n");
return 1;
}
// CHECK: success
// CHECK-NOT: fail
// CHECK-NOT: AddressSanitizer

compiler-rt/test/asan/TestCases/Windows/heapdestroy_report.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: not %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 0, 0);
char *newAlloc = (char *)HeapAlloc(newHeap, 0, 100);
HeapDestroy(newHeap);
newAlloc[0] = 0xff;
return 1;
}
// CHECK: AddressSanitizer: heap-use-after-free on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0

compiler-rt/test/asan/TestCases/Windows/heapdestroy_sanity.cpp

  • This file was added.
#include "sanitizer\allocator_interface.h"
#include <Windows.h>
#include <stdio.h>
// RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %run %t 2>&1 | FileCheck %s
int main() {
void *newHeap = HeapCreate(0, 0, 0);
void *newAlloc = HeapAlloc(newHeap, 0, 100);
HeapDestroy(newHeap);
printf("success\n");
return 0;
}
// CHECK-NOT: AddressSanitizer
// CHECK: success

compiler-rt/test/asan/TestCases/Windows/heaprealloc.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t // RUN: %clang_cl_asan -Od %s -Fe%t
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
int main() { int main() {
char *oldbuf; char *oldbuf;
size_t sz = 8; size_t sz = 8;
HANDLE procHeap = GetProcessHeap(); HANDLE procHeap = GetProcessHeap();
Show All 13 Lines

compiler-rt/test/asan/TestCases/Windows/heaprealloc_alloc_zero.cpp

// RUN: %clang_cl_asan /Od /MT -o %t %s // RUN: %clang_cl_asan /Od /MT -o %t %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <cassert> #include <cassert>
#include <iostream> #include <iostream>
#include <windows.h> #include <windows.h>
int main() { int main() {
void *ptr = malloc(0); void *ptr = malloc(0);
if (ptr) if (ptr)
Show All 40 Linesint main() {
HeapFree(GetProcessHeap(), 0, ptr3); HeapFree(GetProcessHeap(), 0, ptr3);
return 0; return 0;
} }
// CHECK: allocated! // CHECK: allocated!
// CHECK-NOT: heap-buffer-overflow // CHECK-NOT: heap-buffer-overflow
// CHECK-NOT: AddressSanitizer // CHECK-NOT: AddressSanitizer
// CHECK-NOT: HeapAlloc size failure! // CHECK-NOT: HeapAlloc size failure!
No newline at end of file No newline at end of file

compiler-rt/test/asan/TestCases/Windows/heaprealloc_zero_size.cpp

// RUN: %clang_cl_asan /Od -o %t %s // RUN: %clang_cl_asan /Od -o %t %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// RUN: %env_asan_opts=windows_hook_rtl_allocators=false %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// RUN: %clang_cl /Od -o %t %s // RUN: %clang_cl /Od -o %t %s
// RUN: %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include<windows.h> #include<windows.h>
int main() { int main() {
HANDLE heap = HeapCreate(0, 0, 0); HANDLE heap = HeapCreate(0, 0, 0);
void *ptr = HeapAlloc(heap, 0, 4); void *ptr = HeapAlloc(heap, 0, 4);
assert(ptr); assert(ptr);
void *ptr2 = HeapReAlloc(heap, 0, ptr, 0); void *ptr2 = HeapReAlloc(heap, 0, ptr, 0);
assert(ptr2); assert(ptr2);
HeapFree(heap, 0, ptr2); HeapFree(heap, 0, ptr2);
fprintf(stderr, "passed!\n"); fprintf(stderr, "passed!\n");
} }
// CHECK-NOT: double-free // CHECK-NOT: double-free
// CHECK-NOT: AddressSanitizer // CHECK-NOT: AddressSanitizer
// CHECK: passed! // CHECK: passed!
No newline at end of file

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t /MD // RUN: %clang_cl_asan -Od %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
// REQUIRES: asan-rtl-heap-interception // REQUIRES: asan-rtl-heap-interception
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T); using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID); using FreeFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, PVOID);
Show All 20 Lines

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_dll_unload_double_free.cpp

// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll // RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe // RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s // RUN: not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime // REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits // REQUIRES: asan-32-bits
// REQUIRES: asan-rtl-heap-interception // REQUIRES: asan-rtl-heap-interception
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
▲ Show 20 LinesShow All 61 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_dll_unload_realloc.cpp

// RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll // RUN: %clang_cl_asan -LD /Od -DDLL %s -Fe%t.dll
// RUN: %clang_cl /Od -DEXE %s -Fe%te.exe // RUN: %clang_cl /Od -DEXE %s -Fe%te.exe
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %te.exe %t.dll 2>&1 | FileCheck %s // RUN: not %run %te.exe %t.dll 2>&1 | FileCheck %s
// REQUIRES: asan-dynamic-runtime // REQUIRES: asan-dynamic-runtime
// REQUIRES: asan-32-bits // REQUIRES: asan-32-bits
// REQUIRES: asan-rtl-heap-interception // REQUIRES: asan-rtl-heap-interception
#include <cassert> #include <cassert>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
▲ Show 20 LinesShow All 65 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_flags_fallback.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t /MD // RUN: %clang_cl_asan -Od %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true %run %t 2>&1 | FileCheck %s // RUN: %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
// REQUIRES: asan-rtl-heap-interception // REQUIRES: asan-rtl-heap-interception
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
extern "C" int __sanitizer_get_ownership(const volatile void *p); extern "C" int __sanitizer_get_ownership(const volatile void *p);
Show All 35 Lines

compiler-rt/test/asan/TestCases/Windows/rtlallocateheap_zero.cpp

// RUN: %clang_cl_asan -Od %s -Fe%t /MD // RUN: %clang_cl_asan -Od %s -Fe%t /MD
// RUN: %env_asan_opts=windows_hook_rtl_allocators=true not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// UNSUPPORTED: asan-64-bits // UNSUPPORTED: asan-64-bits
// REQUIRES: asan-rtl-heap-interception // REQUIRES: asan-rtl-heap-interception
#include <assert.h> #include <assert.h>
#include <stdio.h> #include <stdio.h>
#include <windows.h> #include <windows.h>
using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T); using AllocateFunctionPtr = PVOID(__stdcall *)(PVOID, ULONG, SIZE_T);
▲ Show 20 LinesShow All 58 LinesShow Last 20 Lines

compiler-rt/test/asan/TestCases/alloca_detect_custom_size_.cpp

// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-dynamic-allocas %s -o %t // RUN: %clangxx_asan -O0 -mllvm -asan-instrument-dynamic-allocas %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s // RUN: not %run %t 2>&1 | FileCheck %s
// //
#include "defines.h"
#include <assert.h> #include <assert.h>
#include <cstdint>
struct A { struct A {
char a[3]; char a[3];
int b[3]; int b[3];
}; };
__attribute__((noinline)) void foo(int index, int len) { ATTRIBUTE_NOINLINE void foo(int index, int len) {
volatile struct A str[len] __attribute__((aligned(32))); ATTRIBUTE_ALIGNED(32)
assert(!(reinterpret_cast<long>(str) & 31L)); #ifdef MSVC
volatile struct A *str = (volatile struct A *)_alloca(len * sizeof(struct A));
#else
volatile struct A str[len];
#endif
assert(!(reinterpret_cast<uintptr_t>(str) & 31L));
str[index].a[0] = '1'; // BOOM str[index].a[0] = '1'; // BOOM
// CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]] // CHECK: ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address [[ADDR:0x[0-9a-f]+]]
// CHECK: WRITE of size 1 at [[ADDR]] thread T0 // CHECK: WRITE of size 1 at [[ADDR]] thread T0
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
foo(10, 10); foo(10, 10);
return 0; return 0;
} }

compiler-rt/test/asan/TestCases/alloca_loop_unpoisoning.cpp

// RUN: %clangxx_asan -O0 -mllvm -asan-instrument-dynamic-allocas %s -o %t // RUN: %clangxx_asan -O0 -mllvm -asan-instrument-dynamic-allocas %s -o %t
// RUN: %run %t 2>&1 // RUN: %run %t 2>&1
// //
// REQUIRES: stable-runtime // REQUIRES: stable-runtime
// This testcase checks that allocas and VLAs inside loop are correctly unpoisoned. // This testcase checks that allocas and VLAs inside loop are correctly unpoisoned.
#include "defines.h"
#include "sanitizer/asan_interface.h"
#include <assert.h> #include <assert.h>
#include <stdint.h> #include <stdint.h>
#include <stdlib.h> #include <stdlib.h>
#include "sanitizer/asan_interface.h"
// MSVC provides _alloca instead of alloca. // MSVC provides _alloca instead of alloca.
#if defined(_MSC_VER) && !defined(alloca) #if defined(_MSC_VER) && !defined(alloca)
# define alloca _alloca # define alloca _alloca
#endif #endif
#if defined(__sun__) && defined(__svr4__) #if defined(__sun__) && defined(__svr4__)
#include <alloca.h> #include <alloca.h>
#endif #endif
void *top, *bot; void *top, *bot;
__attribute__((noinline)) void foo(int len) { ATTRIBUTE_NOINLINE void foo(int len) {
char x; char x;
top = &x; top = &x;
ATTRIBUTE_ALIGNED(32)
#ifdef MSVC
char *array = (char *)alloca(len);
#else
char array[len]; char array[len];
#endif
assert(!(reinterpret_cast<uintptr_t>(array) & 31L)); assert(!(reinterpret_cast<uintptr_t>(array) & 31L));
alloca(len); alloca(len);
for (int i = 0; i < 32; ++i) { for (int i = 0; i < 32; ++i) {
char array[i]; ATTRIBUTE_ALIGNED(32)
#ifdef MSVC
char *array = (char *)alloca(i);
#else
char array[i]; // NOLINT
#endif
bot = alloca(i); bot = alloca(i);
assert(!(reinterpret_cast<uintptr_t>(bot) & 31L)); assert(!(reinterpret_cast<uintptr_t>(bot) & 31L));
} }
} }
int main(int argc, char **argv) { int main(int argc, char **argv) {
foo(32); foo(32);
void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot); void *q = __asan_region_is_poisoned(bot, (char *)top - (char *)bot);
assert(!q); assert(!q);
return 0; return 0;
} }

compiler-rt/test/asan/TestCases/defines.h

  • This file was added.
#pragma once
#if defined(MSVC)
#include <intrin.h>
#define ATTRIBUTE_NOINLINE __declspec(noinline)
#define ATTRIBUTE_ALIGNED(x) __declspec(align(x))
#define ATTRIBUTE_NO_SANITIZE_ADDRESS __declspec(no_sanitize_address)
#define ATTRIBUTE_USED /* FIXME: Is there a __declspec used? */
#define ATTRIBUTE_ALWAYS_INLINE __forceinline
#define VOLATILE volatile
#define EXTRACT_RETURN_ADDRESS _ReturnAddress()
#define ASM_CAUSE_SIDE_EFFECT(dest) __asm { mov eax, dest}
#define MULTIPLE_ATTRIBUTE_DECL(a, b) __declspec(a b)
#ifdef _DEBUG
// _DEBUG tests are compiled with NDEBUG to turn off CRT debug assertions
// that will throw before we can get to the asan report.
#undef assert
#define assert(x) \
if (!(x)) \
return 1;
#endif // _DEBUG
#else
#define ATTRIBUTE_NOINLINE __attribute__((noinline))
#define ATTRIBUTE_ALIGNED(x) __attribute__((aligned(x)))
#define ATTRIBUTE_NO_SANITIZE_ADDRESS __attribute__((no_sanitize_address))
#define ATTRIBUTE_USED __attribute__((used))
#define ATTRIBUTE_ALWAYS_INLINE __attribute__((always_inline))
#define INLINE_ASM(x) __asm__(x)
#define VOLATILE __volatile__
#define EXTRACT_RETURN_ADDRESS __builtin_extract_return_addr(__builtin_return_address(0))
#define ASM_CAUSE_SIDE_EFFECT(dest) __asm__ __volatile__("" \
: \
: "r"(dest) \
: "memory");
#define MULTIPLE_ATTRIBUTE_DECL(a, b) __attribute__((a, b))
#endif // _MSC_VER