This is an archive of the discontinued LLVM Phabricator instance.

Differential D98280

[compiler-rt][asan] Make wild-pointer crash error more useful
ClosedPublic

Authored by oontvoo on Mar 9 2021, 11:56 AM.

Details

Reviewers
eugenis
vitalybuka
Commits
rGab08c3865b37: Revert "Revert "[compiler-rt][asan] Make wild-pointer crash error more useful""
rGf65e1aee4004: [compiler-rt][asan] Make wild-pointer crash error more useful
Summary

Right now, when you have an invalid memory address, asan would just crash and does not offer much useful info.
This patch attempted to give a bit more detail on the access.

Diff Detail

Event Timeline

oontvoo created this revision.Mar 9 2021, 11:56 AM
Herald added a subscriber: dberris. · View Herald TranscriptMar 9 2021, 11:56 AM
oontvoo requested review of this revision.Mar 9 2021, 11:56 AM
Herald added a project: Restricted Project. · View Herald TranscriptMar 9 2021, 11:56 AM
Herald added a subscriber: Restricted Project. · View Herald Transcript
Harbormaster completed remote builds in B92932: Diff 329428.Mar 9 2021, 11:55 PM
oontvoo updated this revision to Diff 329725.Mar 10 2021, 12:01 PM

diff

Herald added subscribers: s.egerton, simoncook. · View Herald TranscriptMar 10 2021, 12:01 PM
Harbormaster completed remote builds in B93139: Diff 329725.Mar 10 2021, 11:09 PM
vitalybuka added a reviewer: vitalybuka.Mar 10 2021, 11:17 PM
vitalybuka added a subscriber: vitalybuka.
vitalybuka added inline comments.
compiler-rt/lib/asan/asan_descriptions.cpp
473

I guess this math is confusing and applies only to
__asan_region_is_poisoned
if (!AddrIsInMem(end)) return end;

Even __asan_region_is_poisoned can return a different offset from the range, not sure what is going to happen with other callers.

e.g. if we change change the test to
memmove(dest + 0x4567890123456789, p + 0x4567890123456789, 0x4567890123456789);
Address 0x4567e92123456799 is a wild pointer - originating from address 0x602000000010, offset = 0x4567890123456789
which is not true any more

We can't get access begin from this addr/size in general.
I propose just to print only bad address and access size to avoid confusion.

oontvoo marked an inline comment as done.Mar 11 2021, 9:16 AM
oontvoo added inline comments.
compiler-rt/lib/asan/asan_descriptions.cpp
473

Good point. Thanks!

oontvoo updated this revision to Diff 329987.Mar 11 2021, 9:16 AM
oontvoo marked an inline comment as done.

updated diff

vitalybuka added inline comments.Mar 11 2021, 11:40 AM
compiler-rt/lib/asan/asan_descriptions.cpp
470–472

maybe

oontvoo added inline comments.Mar 11 2021, 12:36 PM
compiler-rt/test/asan/TestCases/wild_pointer.cpp
12

@vitalybuka : btw, do you know why this inclusion doesn't work here? (ie., if I uncomment it, it'd cause "file not found" error)
Am I missing something obvious? Other tests (eg., lsan/TestCases/use_registers.cpp) use this helper just fine.

vitalybuka added inline comments.Mar 11 2021, 1:21 PM
compiler-rt/test/asan/TestCases/wild_pointer.cpp
12

lsan probably somehow adds include dir
but I don't see why we need it here? (and in lsan as well)

Why not just printf("Expected bad addr: %p", p+offset)

Harbormaster completed remote builds in B93324: Diff 329987.Mar 11 2021, 3:27 PM
oontvoo updated this revision to Diff 330111.Mar 11 2021, 5:17 PM
oontvoo marked an inline comment as done.

updated diff

vitalybuka accepted this revision.Mar 11 2021, 6:11 PM
vitalybuka added inline comments.
compiler-rt/test/asan/TestCases/wild_pointer.cpp
1–3

-m64 is not enough it tests are being executed on 32bit platform

This revision is now accepted and ready to land.Mar 11 2021, 6:11 PM
oontvoo updated this revision to Diff 330124.Mar 11 2021, 6:48 PM
oontvoo marked an inline comment as done.

updated diff

compiler-rt/test/asan/TestCases/wild_pointer.cpp
1–3

Cool! I didn't know asan-64-bits was a thing!

This revision was landed with ongoing or failed builds.Mar 11 2021, 6:49 PM
Closed by commit rGf65e1aee4004: [compiler-rt][asan] Make wild-pointer crash error more useful (authored by oontvoo). · Explain Why
This revision was automatically updated to reflect the committed changes.
oontvoo added a commit: rGf65e1aee4004: [compiler-rt][asan] Make wild-pointer crash error more useful.
thakis added a subscriber: thakis.Mar 11 2021, 7:00 PM

This makes clang crash when building the adam runtime O_o: http://45.33.8.238/linux/41534/step_4.txt

That's a clang bug, but it als

thakis added a comment.Mar 11 2021, 7:00 PM

o breaks the build. So I'm afraid you'll have to revert this until that clang crash is fixed :/

oontvoo added a comment.Mar 11 2021, 7:12 PM
In D98280#2621150, @thakis wrote:

o breaks the build. So I'm afraid you'll have to revert this until that clang crash is fixed :/

Thanks. I've reverted it. Will wait and reland later

oontvoo added a reverting change: rGc578508b5bb2: Revert "[compiler-rt][asan] Make wild-pointer crash error more useful".Mar 11 2021, 7:14 PM
oontvoo reopened this revision.Mar 11 2021, 7:15 PM
This revision is now accepted and ready to land.Mar 11 2021, 7:15 PM
Harbormaster completed remote builds in B93404: Diff 330111.Mar 11 2021, 11:55 PM
Harbormaster completed remote builds in B93414: Diff 330124.Mar 12 2021, 12:54 AM
oontvoo closed this revision.Mar 12 2021, 8:38 AM
oontvoo added a commit: rGab08c3865b37: Revert "Revert "[compiler-rt][asan] Make wild-pointer crash error more useful"".
morehouse added a subscriber: morehouse.Mar 12 2021, 3:40 PM

Broke the test on Windows: https://lab.llvm.org/buildbot/#/builders/127/builds/7495

C:\b\slave\sanitizer-windows\llvm-project\compiler-rt\test\asan\TestCases\wild_pointer.cpp:20:11: error: CHECK: expected string not found in input
// CHECK: Expected bad addr: [[ADDR:0x[0-9,a-f]+]]
          ^
<stdin>:1:1: note: scanning from here
Expected bad addr: 4567998FA7CF6839

I guess Windows has a different printf format.

Please fix.

oontvoo added a comment.Mar 12 2021, 6:03 PM
In D98280#2623697, @morehouse wrote:

Broke the test on Windows: https://lab.llvm.org/buildbot/#/builders/127/builds/7495

C:\b\slave\sanitizer-windows\llvm-project\compiler-rt\test\asan\TestCases\wild_pointer.cpp:20:11: error: CHECK: expected string not found in input
// CHECK: Expected bad addr: [[ADDR:0x[0-9,a-f]+]]
          ^
<stdin>:1:1: note: scanning from here
Expected bad addr: 4567998FA7CF6839

I guess Windows has a different printf format.

Please fix.

I've sent https://reviews.llvm.org/D98570

(Dont have a windows to test it, but I *think* it should work. PTAL Thanks!)

Revision Contents

PathSize
compiler-rt/
lib/
asan/
13 lines
9 lines
test/
asan/
TestCases/
22 lines

Diff 330111

compiler-rt/lib/asan/asan_descriptions.h

Show First 20 LinesShow All 140 Lines▼ Show 20 Linesstruct StackAddressDescription {
const char *frame_descr; const char *frame_descr;
void Print() const; void Print() const;
}; };
bool GetStackAddressInformation(uptr addr, uptr access_size, bool GetStackAddressInformation(uptr addr, uptr access_size,
StackAddressDescription *descr); StackAddressDescription *descr);
struct WildAddressDescription {
uptr addr;
uptr access_size;
void Print() const;
};
struct GlobalAddressDescription { struct GlobalAddressDescription {
uptr addr; uptr addr;
// Assume address is close to at most four globals. // Assume address is close to at most four globals.
static const int kMaxGlobals = 4; static const int kMaxGlobals = 4;
__asan_global globals[kMaxGlobals]; __asan_global globals[kMaxGlobals];
u32 reg_sites[kMaxGlobals]; u32 reg_sites[kMaxGlobals];
uptr access_size; uptr access_size;
u8 size; u8 size;
Show All 31 Lines
class AddressDescription { class AddressDescription {
struct AddressDescriptionData { struct AddressDescriptionData {
AddressKind kind; AddressKind kind;
union { union {
ShadowAddressDescription shadow; ShadowAddressDescription shadow;
HeapAddressDescription heap; HeapAddressDescription heap;
StackAddressDescription stack; StackAddressDescription stack;
GlobalAddressDescription global; GlobalAddressDescription global;
uptr addr; WildAddressDescription wild;
}; };
}; };
AddressDescriptionData data; AddressDescriptionData data;
public: public:
AddressDescription() = default; AddressDescription() = default;
// shouldLockThreadRegistry allows us to skip locking if we're sure we already // shouldLockThreadRegistry allows us to skip locking if we're sure we already
// have done it. // have done it.
explicit AddressDescription(uptr addr, bool shouldLockThreadRegistry = true) explicit AddressDescription(uptr addr, bool shouldLockThreadRegistry = true)
: AddressDescription(addr, 1, shouldLockThreadRegistry) {} : AddressDescription(addr, 1, shouldLockThreadRegistry) {}
AddressDescription(uptr addr, uptr access_size, AddressDescription(uptr addr, uptr access_size,
bool shouldLockThreadRegistry = true); bool shouldLockThreadRegistry = true);
uptr Address() const { uptr Address() const {
switch (data.kind) { switch (data.kind) {
case kAddressKindWild: case kAddressKindWild:
return data.addr; return data.wild.addr;
case kAddressKindShadow: case kAddressKindShadow:
return data.shadow.addr; return data.shadow.addr;
case kAddressKindHeap: case kAddressKindHeap:
return data.heap.addr; return data.heap.addr;
case kAddressKindStack: case kAddressKindStack:
return data.stack.addr; return data.stack.addr;
case kAddressKindGlobal: case kAddressKindGlobal:
return data.global.addr; return data.global.addr;
} }
UNREACHABLE("AddressInformation kind is invalid"); UNREACHABLE("AddressInformation kind is invalid");
} }
void Print(const char *bug_descr = nullptr) const { void Print(const char *bug_descr = nullptr) const {
switch (data.kind) { switch (data.kind) {
case kAddressKindWild: case kAddressKindWild:
Printf("Address %p is a wild pointer.\n", data.addr); data.wild.Print();
return; return;
case kAddressKindShadow: case kAddressKindShadow:
return data.shadow.Print(); return data.shadow.Print();
case kAddressKindHeap: case kAddressKindHeap:
return data.heap.Print(); return data.heap.Print();
case kAddressKindStack: case kAddressKindStack:
return data.stack.Print(); return data.stack.Print();
case kAddressKindGlobal: case kAddressKindGlobal:
Show All 25 Lines

compiler-rt/lib/asan/asan_descriptions.cpp

Show First 20 LinesShow All 71 Lines▼ Show 20 Linesstatic bool GetShadowKind(uptr addr, ShadowKind *shadow_kind) {
CHECK(!AddrIsInMem(addr)); CHECK(!AddrIsInMem(addr));
if (AddrIsInShadowGap(addr)) { if (AddrIsInShadowGap(addr)) {
*shadow_kind = kShadowKindGap; *shadow_kind = kShadowKindGap;
} else if (AddrIsInHighShadow(addr)) { } else if (AddrIsInHighShadow(addr)) {
*shadow_kind = kShadowKindHigh; *shadow_kind = kShadowKindHigh;
} else if (AddrIsInLowShadow(addr)) { } else if (AddrIsInLowShadow(addr)) {
*shadow_kind = kShadowKindLow; *shadow_kind = kShadowKindLow;
} else { } else {
CHECK(0 && "Address is not in memory and not in shadow?");
return false; return false;
} }
return true; return true;
} }
bool DescribeAddressIfShadow(uptr addr) { bool DescribeAddressIfShadow(uptr addr) {
ShadowAddressDescription descr; ShadowAddressDescription descr;
if (!GetShadowAddressInformation(addr, &descr)) return false; if (!GetShadowAddressInformation(addr, &descr)) return false;
▲ Show 20 LinesShow All 370 Lines▼ Show 20 Lines if (isStackMemory) {
return; return;
} }
if (GetGlobalAddressInformation(addr, access_size, &data.global)) { if (GetGlobalAddressInformation(addr, access_size, &data.global)) {
data.kind = kAddressKindGlobal; data.kind = kAddressKindGlobal;
return; return;
} }
data.kind = kAddressKindWild; data.kind = kAddressKindWild;
addr = 0; data.wild.addr = addr;
data.wild.access_size = access_size;
}
void WildAddressDescription::Print() const {
Printf("Address %p is a wild pointer inside of access range of size %p.\n",
addr, access_size);
vitalybukaUnsubmitted
Done
ReplyInline Actions
data.wild.access_size = access_size;
}
void WildAddressDescription::Print() const {
- Printf("Address %p is a wild pointer - associated offset/access-size = %p.\n",
+ Printf("Address %p is a wild pointer inside of access range of size %p.\n",
addr, access_size);
}
void PrintAddressDescription(uptr addr, uptr access_size,

maybe

vitalybuka: maybe
} }
vitalybukaUnsubmitted
Done
ReplyInline Actions

I guess this math is confusing and applies only to
__asan_region_is_poisoned
if (!AddrIsInMem(end)) return end;

Even __asan_region_is_poisoned can return a different offset from the range, not sure what is going to happen with other callers.

e.g. if we change change the test to
memmove(dest + 0x4567890123456789, p + 0x4567890123456789, 0x4567890123456789);
Address 0x4567e92123456799 is a wild pointer - originating from address 0x602000000010, offset = 0x4567890123456789
which is not true any more

We can't get access begin from this addr/size in general.
I propose just to print only bad address and access size to avoid confusion.

vitalybuka: I guess this math is confusing and applies only to __asan_region_is_poisoned if (!AddrIsInMem…
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

Good point. Thanks!

oontvoo: Good point. Thanks!
void PrintAddressDescription(uptr addr, uptr access_size, void PrintAddressDescription(uptr addr, uptr access_size,
const char *bug_type) { const char *bug_type) {
ShadowAddressDescription shadow_descr; ShadowAddressDescription shadow_descr;
if (GetShadowAddressInformation(addr, &shadow_descr)) { if (GetShadowAddressInformation(addr, &shadow_descr)) {
shadow_descr.Print(); shadow_descr.Print();
return; return;
} }
Show All 25 Lines

compiler-rt/test/asan/TestCases/wild_pointer.cpp

  • This file was added.
// Needs -m64 because the tested address is too large for m32
// RUN: %clangxx_asan %s -o %t -m64
// RUN: not %run %t 2>&1 | FileCheck %s
vitalybukaUnsubmitted
Done
ReplyInline Actions
- // Needs -m64 because the tested address is too large for m32
- // RUN: %clangxx_asan %s -o %t -m64
+ // RUN: %clangxx_asan %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s
+ // REQUIRES: asan-64-bits
#include <stdarg.h>

-m64 is not enough it tests are being executed on 32bit platform

vitalybuka: -m64 is not enough it tests are being executed on 32bit platform
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

Cool! I didn't know asan-64-bits was a thing!

oontvoo: Cool! I didn't know asan-64-bits was a thing!
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
int main() {
char *p = new char;
char *dest = new char;
const size_t offset = 0x4567890123456789;
oontvooAuthorUnsubmitted
Done
ReplyInline Actions

@vitalybuka : btw, do you know why this inclusion doesn't work here? (ie., if I uncomment it, it'd cause "file not found" error)
Am I missing something obvious? Other tests (eg., lsan/TestCases/use_registers.cpp) use this helper just fine.

oontvoo: @vitalybuka : btw, do you know why this inclusion doesn't work here? (ie., if I uncomment it…
vitalybukaUnsubmitted
Not Done
ReplyInline Actions

lsan probably somehow adds include dir
but I don't see why we need it here? (and in lsan as well)

Why not just printf("Expected bad addr: %p", p+offset)

vitalybuka: lsan probably somehow adds include dir but I don't see why we need it here? (and in lsan as…
// Flush it so the output came out before the asan report.
fprintf(stderr, "Expected bad addr: %p\n", p + offset);
fflush(stderr);
memmove(dest, p, offset);
return 0;
}
// CHECK: Expected bad addr: [[ADDR:0x[0-9,a-f]+]]
// CHECK: AddressSanitizer: unknown-crash on address [[ADDR]]
// CHECK: Address [[ADDR]] is a wild pointer inside of access range of size 0x4567890123456789