• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 //===-- asan_report.cc ----------------------------------------------------===//
2 //
3 //                     The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // This file contains error reporting code.
13 //===----------------------------------------------------------------------===//
14 
15 #include "asan_flags.h"
16 #include "asan_internal.h"
17 #include "asan_mapping.h"
18 #include "asan_report.h"
19 #include "asan_scariness_score.h"
20 #include "asan_stack.h"
21 #include "asan_thread.h"
22 #include "sanitizer_common/sanitizer_common.h"
23 #include "sanitizer_common/sanitizer_flags.h"
24 #include "sanitizer_common/sanitizer_report_decorator.h"
25 #include "sanitizer_common/sanitizer_stackdepot.h"
26 #include "sanitizer_common/sanitizer_symbolizer.h"
27 
28 namespace __asan {
29 
30 // -------------------- User-specified callbacks ----------------- {{{1
31 static void (*error_report_callback)(const char*);
32 static char *error_message_buffer = nullptr;
33 static uptr error_message_buffer_pos = 0;
34 static BlockingMutex error_message_buf_mutex(LINKER_INITIALIZED);
35 static const unsigned kAsanBuggyPcPoolSize = 25;
36 static __sanitizer::atomic_uintptr_t AsanBuggyPcPool[kAsanBuggyPcPoolSize];
37 
38 struct ReportData {
39   uptr pc;
40   uptr sp;
41   uptr bp;
42   uptr addr;
43   bool is_write;
44   uptr access_size;
45   const char *description;
46 };
47 
48 static bool report_happened = false;
49 static ReportData report_data = {};
50 
AppendToErrorMessageBuffer(const char * buffer)51 void AppendToErrorMessageBuffer(const char *buffer) {
52   BlockingMutexLock l(&error_message_buf_mutex);
53   if (!error_message_buffer) {
54     error_message_buffer =
55       (char*)MmapOrDieQuietly(kErrorMessageBufferSize, __func__);
56     error_message_buffer_pos = 0;
57   }
58   uptr length = internal_strlen(buffer);
59   RAW_CHECK(kErrorMessageBufferSize >= error_message_buffer_pos);
60   uptr remaining = kErrorMessageBufferSize - error_message_buffer_pos;
61   internal_strncpy(error_message_buffer + error_message_buffer_pos,
62                    buffer, remaining);
63   error_message_buffer[kErrorMessageBufferSize - 1] = '\0';
64   // FIXME: reallocate the buffer instead of truncating the message.
65   error_message_buffer_pos += Min(remaining, length);
66 }
67 
68 // ---------------------- Decorator ------------------------------ {{{1
69 class Decorator: public __sanitizer::SanitizerCommonDecorator {
70  public:
Decorator()71   Decorator() : SanitizerCommonDecorator() { }
Access()72   const char *Access()     { return Blue(); }
EndAccess()73   const char *EndAccess()  { return Default(); }
Location()74   const char *Location()   { return Green(); }
EndLocation()75   const char *EndLocation() { return Default(); }
Allocation()76   const char *Allocation()  { return Magenta(); }
EndAllocation()77   const char *EndAllocation()  { return Default(); }
78 
ShadowByte(u8 byte)79   const char *ShadowByte(u8 byte) {
80     switch (byte) {
81       case kAsanHeapLeftRedzoneMagic:
82       case kAsanHeapRightRedzoneMagic:
83       case kAsanArrayCookieMagic:
84         return Red();
85       case kAsanHeapFreeMagic:
86         return Magenta();
87       case kAsanStackLeftRedzoneMagic:
88       case kAsanStackMidRedzoneMagic:
89       case kAsanStackRightRedzoneMagic:
90       case kAsanStackPartialRedzoneMagic:
91         return Red();
92       case kAsanStackAfterReturnMagic:
93         return Magenta();
94       case kAsanInitializationOrderMagic:
95         return Cyan();
96       case kAsanUserPoisonedMemoryMagic:
97       case kAsanContiguousContainerOOBMagic:
98       case kAsanAllocaLeftMagic:
99       case kAsanAllocaRightMagic:
100         return Blue();
101       case kAsanStackUseAfterScopeMagic:
102         return Magenta();
103       case kAsanGlobalRedzoneMagic:
104         return Red();
105       case kAsanInternalHeapMagic:
106         return Yellow();
107       case kAsanIntraObjectRedzone:
108         return Yellow();
109       default:
110         return Default();
111     }
112   }
EndShadowByte()113   const char *EndShadowByte() { return Default(); }
MemoryByte()114   const char *MemoryByte() { return Magenta(); }
EndMemoryByte()115   const char *EndMemoryByte() { return Default(); }
116 };
117 
118 // ---------------------- Helper functions ----------------------- {{{1
119 
PrintMemoryByte(InternalScopedString * str,const char * before,u8 byte,bool in_shadow,const char * after="\\n")120 static void PrintMemoryByte(InternalScopedString *str, const char *before,
121     u8 byte, bool in_shadow, const char *after = "\n") {
122   Decorator d;
123   str->append("%s%s%x%x%s%s", before,
124               in_shadow ? d.ShadowByte(byte) : d.MemoryByte(),
125               byte >> 4, byte & 15,
126               in_shadow ? d.EndShadowByte() : d.EndMemoryByte(), after);
127 }
128 
PrintShadowByte(InternalScopedString * str,const char * before,u8 byte,const char * after="\\n")129 static void PrintShadowByte(InternalScopedString *str, const char *before,
130     u8 byte, const char *after = "\n") {
131   PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
132 }
133 
PrintShadowBytes(InternalScopedString * str,const char * before,u8 * bytes,u8 * guilty,uptr n)134 static void PrintShadowBytes(InternalScopedString *str, const char *before,
135                              u8 *bytes, u8 *guilty, uptr n) {
136   Decorator d;
137   if (before) str->append("%s%p:", before, bytes);
138   for (uptr i = 0; i < n; i++) {
139     u8 *p = bytes + i;
140     const char *before =
141         p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
142     const char *after = p == guilty ? "]" : "";
143     PrintShadowByte(str, before, *p, after);
144   }
145   str->append("\n");
146 }
147 
PrintLegend(InternalScopedString * str)148 static void PrintLegend(InternalScopedString *str) {
149   str->append(
150       "Shadow byte legend (one shadow byte represents %d "
151       "application bytes):\n",
152       (int)SHADOW_GRANULARITY);
153   PrintShadowByte(str, "  Addressable:           ", 0);
154   str->append("  Partially addressable: ");
155   for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
156   str->append("\n");
157   PrintShadowByte(str, "  Heap left redzone:       ",
158                   kAsanHeapLeftRedzoneMagic);
159   PrintShadowByte(str, "  Heap right redzone:      ",
160                   kAsanHeapRightRedzoneMagic);
161   PrintShadowByte(str, "  Freed heap region:       ", kAsanHeapFreeMagic);
162   PrintShadowByte(str, "  Stack left redzone:      ",
163                   kAsanStackLeftRedzoneMagic);
164   PrintShadowByte(str, "  Stack mid redzone:       ",
165                   kAsanStackMidRedzoneMagic);
166   PrintShadowByte(str, "  Stack right redzone:     ",
167                   kAsanStackRightRedzoneMagic);
168   PrintShadowByte(str, "  Stack partial redzone:   ",
169                   kAsanStackPartialRedzoneMagic);
170   PrintShadowByte(str, "  Stack after return:      ",
171                   kAsanStackAfterReturnMagic);
172   PrintShadowByte(str, "  Stack use after scope:   ",
173                   kAsanStackUseAfterScopeMagic);
174   PrintShadowByte(str, "  Global redzone:          ", kAsanGlobalRedzoneMagic);
175   PrintShadowByte(str, "  Global init order:       ",
176                   kAsanInitializationOrderMagic);
177   PrintShadowByte(str, "  Poisoned by user:        ",
178                   kAsanUserPoisonedMemoryMagic);
179   PrintShadowByte(str, "  Container overflow:      ",
180                   kAsanContiguousContainerOOBMagic);
181   PrintShadowByte(str, "  Array cookie:            ",
182                   kAsanArrayCookieMagic);
183   PrintShadowByte(str, "  Intra object redzone:    ",
184                   kAsanIntraObjectRedzone);
185   PrintShadowByte(str, "  ASan internal:           ", kAsanInternalHeapMagic);
186   PrintShadowByte(str, "  Left alloca redzone:     ", kAsanAllocaLeftMagic);
187   PrintShadowByte(str, "  Right alloca redzone:    ", kAsanAllocaRightMagic);
188 }
189 
MaybeDumpInstructionBytes(uptr pc)190 void MaybeDumpInstructionBytes(uptr pc) {
191   if (!flags()->dump_instruction_bytes || (pc < GetPageSizeCached()))
192     return;
193   InternalScopedString str(1024);
194   str.append("First 16 instruction bytes at pc: ");
195   if (IsAccessibleMemoryRange(pc, 16)) {
196     for (int i = 0; i < 16; ++i) {
197       PrintMemoryByte(&str, "", ((u8 *)pc)[i], /*in_shadow*/false, " ");
198     }
199     str.append("\n");
200   } else {
201     str.append("unaccessible\n");
202   }
203   Report("%s", str.data());
204 }
205 
PrintShadowMemoryForAddress(uptr addr)206 static void PrintShadowMemoryForAddress(uptr addr) {
207   if (!AddrIsInMem(addr)) return;
208   uptr shadow_addr = MemToShadow(addr);
209   const uptr n_bytes_per_row = 16;
210   uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
211   InternalScopedString str(4096 * 8);
212   str.append("Shadow bytes around the buggy address:\n");
213   for (int i = -5; i <= 5; i++) {
214     const char *prefix = (i == 0) ? "=>" : "  ";
215     PrintShadowBytes(&str, prefix, (u8 *)(aligned_shadow + i * n_bytes_per_row),
216                      (u8 *)shadow_addr, n_bytes_per_row);
217   }
218   if (flags()->print_legend) PrintLegend(&str);
219   Printf("%s", str.data());
220 }
221 
PrintZoneForPointer(uptr ptr,uptr zone_ptr,const char * zone_name)222 static void PrintZoneForPointer(uptr ptr, uptr zone_ptr,
223                                 const char *zone_name) {
224   if (zone_ptr) {
225     if (zone_name) {
226       Printf("malloc_zone_from_ptr(%p) = %p, which is %s\n",
227                  ptr, zone_ptr, zone_name);
228     } else {
229       Printf("malloc_zone_from_ptr(%p) = %p, which doesn't have a name\n",
230                  ptr, zone_ptr);
231     }
232   } else {
233     Printf("malloc_zone_from_ptr(%p) = 0\n", ptr);
234   }
235 }
236 
DescribeThread(AsanThread * t)237 static void DescribeThread(AsanThread *t) {
238   if (t)
239     DescribeThread(t->context());
240 }
241 
242 // ---------------------- Address Descriptions ------------------- {{{1
243 
IsASCII(unsigned char c)244 static bool IsASCII(unsigned char c) {
245   return /*0x00 <= c &&*/ c <= 0x7F;
246 }
247 
MaybeDemangleGlobalName(const char * name)248 static const char *MaybeDemangleGlobalName(const char *name) {
249   // We can spoil names of globals with C linkage, so use an heuristic
250   // approach to check if the name should be demangled.
251   bool should_demangle = false;
252   if (name[0] == '_' && name[1] == 'Z')
253     should_demangle = true;
254   else if (SANITIZER_WINDOWS && name[0] == '\01' && name[1] == '?')
255     should_demangle = true;
256 
257   return should_demangle ? Symbolizer::GetOrInit()->Demangle(name) : name;
258 }
259 
260 // Check if the global is a zero-terminated ASCII string. If so, print it.
PrintGlobalNameIfASCII(InternalScopedString * str,const __asan_global & g)261 static void PrintGlobalNameIfASCII(InternalScopedString *str,
262                                    const __asan_global &g) {
263   for (uptr p = g.beg; p < g.beg + g.size - 1; p++) {
264     unsigned char c = *(unsigned char*)p;
265     if (c == '\0' || !IsASCII(c)) return;
266   }
267   if (*(char*)(g.beg + g.size - 1) != '\0') return;
268   str->append("  '%s' is ascii string '%s'\n", MaybeDemangleGlobalName(g.name),
269               (char *)g.beg);
270 }
271 
GlobalFilename(const __asan_global & g)272 static const char *GlobalFilename(const __asan_global &g) {
273   const char *res = g.module_name;
274   // Prefer the filename from source location, if is available.
275   if (g.location)
276     res = g.location->filename;
277   CHECK(res);
278   return res;
279 }
280 
PrintGlobalLocation(InternalScopedString * str,const __asan_global & g)281 static void PrintGlobalLocation(InternalScopedString *str,
282                                 const __asan_global &g) {
283   str->append("%s", GlobalFilename(g));
284   if (!g.location)
285     return;
286   if (g.location->line_no)
287     str->append(":%d", g.location->line_no);
288   if (g.location->column_no)
289     str->append(":%d", g.location->column_no);
290 }
291 
DescribeAddressRelativeToGlobal(uptr addr,uptr size,const __asan_global & g)292 static void DescribeAddressRelativeToGlobal(uptr addr, uptr size,
293                                             const __asan_global &g) {
294   InternalScopedString str(4096);
295   Decorator d;
296   str.append("%s", d.Location());
297   if (addr < g.beg) {
298     str.append("%p is located %zd bytes to the left", (void *)addr,
299                g.beg - addr);
300   } else if (addr + size > g.beg + g.size) {
301     if (addr < g.beg + g.size)
302       addr = g.beg + g.size;
303     str.append("%p is located %zd bytes to the right", (void *)addr,
304                addr - (g.beg + g.size));
305   } else {
306     // Can it happen?
307     str.append("%p is located %zd bytes inside", (void *)addr, addr - g.beg);
308   }
309   str.append(" of global variable '%s' defined in '",
310              MaybeDemangleGlobalName(g.name));
311   PrintGlobalLocation(&str, g);
312   str.append("' (0x%zx) of size %zu\n", g.beg, g.size);
313   str.append("%s", d.EndLocation());
314   PrintGlobalNameIfASCII(&str, g);
315   Printf("%s", str.data());
316 }
317 
DescribeAddressIfGlobal(uptr addr,uptr size,const char * bug_type)318 static bool DescribeAddressIfGlobal(uptr addr, uptr size,
319                                     const char *bug_type) {
320   // Assume address is close to at most four globals.
321   const int kMaxGlobalsInReport = 4;
322   __asan_global globals[kMaxGlobalsInReport];
323   u32 reg_sites[kMaxGlobalsInReport];
324   int globals_num =
325       GetGlobalsForAddress(addr, globals, reg_sites, ARRAY_SIZE(globals));
326   if (globals_num == 0)
327     return false;
328   for (int i = 0; i < globals_num; i++) {
329     DescribeAddressRelativeToGlobal(addr, size, globals[i]);
330     if (0 == internal_strcmp(bug_type, "initialization-order-fiasco") &&
331         reg_sites[i]) {
332       Printf("  registered at:\n");
333       StackDepotGet(reg_sites[i]).Print();
334     }
335   }
336   return true;
337 }
338 
DescribeAddressIfShadow(uptr addr,AddressDescription * descr,bool print)339 bool DescribeAddressIfShadow(uptr addr, AddressDescription *descr, bool print) {
340   if (AddrIsInMem(addr))
341     return false;
342   const char *area_type = nullptr;
343   if (AddrIsInShadowGap(addr)) area_type = "shadow gap";
344   else if (AddrIsInHighShadow(addr)) area_type = "high shadow";
345   else if (AddrIsInLowShadow(addr)) area_type = "low shadow";
346   if (area_type != nullptr) {
347     if (print) {
348       Printf("Address %p is located in the %s area.\n", addr, area_type);
349     } else {
350       CHECK(descr);
351       descr->region_kind = area_type;
352     }
353     return true;
354   }
355   CHECK(0 && "Address is not in memory and not in shadow?");
356   return false;
357 }
358 
359 // Return " (thread_name) " or an empty string if the name is empty.
ThreadNameWithParenthesis(AsanThreadContext * t,char buff[],uptr buff_len)360 const char *ThreadNameWithParenthesis(AsanThreadContext *t, char buff[],
361                                       uptr buff_len) {
362   const char *name = t->name;
363   if (name[0] == '\0') return "";
364   buff[0] = 0;
365   internal_strncat(buff, " (", 3);
366   internal_strncat(buff, name, buff_len - 4);
367   internal_strncat(buff, ")", 2);
368   return buff;
369 }
370 
ThreadNameWithParenthesis(u32 tid,char buff[],uptr buff_len)371 const char *ThreadNameWithParenthesis(u32 tid, char buff[],
372                                       uptr buff_len) {
373   if (tid == kInvalidTid) return "";
374   asanThreadRegistry().CheckLocked();
375   AsanThreadContext *t = GetThreadContextByTidLocked(tid);
376   return ThreadNameWithParenthesis(t, buff, buff_len);
377 }
378 
PrintAccessAndVarIntersection(const StackVarDescr & var,uptr addr,uptr access_size,uptr prev_var_end,uptr next_var_beg)379 static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,
380                                           uptr access_size, uptr prev_var_end,
381                                           uptr next_var_beg) {
382   uptr var_end = var.beg + var.size;
383   uptr addr_end = addr + access_size;
384   const char *pos_descr = nullptr;
385   // If the variable [var.beg, var_end) is the nearest variable to the
386   // current memory access, indicate it in the log.
387   if (addr >= var.beg) {
388     if (addr_end <= var_end)
389       pos_descr = "is inside";  // May happen if this is a use-after-return.
390     else if (addr < var_end)
391       pos_descr = "partially overflows";
392     else if (addr_end <= next_var_beg &&
393              next_var_beg - addr_end >= addr - var_end)
394       pos_descr = "overflows";
395   } else {
396     if (addr_end > var.beg)
397       pos_descr = "partially underflows";
398     else if (addr >= prev_var_end &&
399              addr - prev_var_end >= var.beg - addr_end)
400       pos_descr = "underflows";
401   }
402   InternalScopedString str(1024);
403   str.append("    [%zd, %zd)", var.beg, var_end);
404   // Render variable name.
405   str.append(" '");
406   for (uptr i = 0; i < var.name_len; ++i) {
407     str.append("%c", var.name_pos[i]);
408   }
409   str.append("'");
410   if (pos_descr) {
411     Decorator d;
412     // FIXME: we may want to also print the size of the access here,
413     // but in case of accesses generated by memset it may be confusing.
414     str.append("%s <== Memory access at offset %zd %s this variable%s\n",
415                d.Location(), addr, pos_descr, d.EndLocation());
416   } else {
417     str.append("\n");
418   }
419   Printf("%s", str.data());
420 }
421 
ParseFrameDescription(const char * frame_descr,InternalMmapVector<StackVarDescr> * vars)422 bool ParseFrameDescription(const char *frame_descr,
423                            InternalMmapVector<StackVarDescr> *vars) {
424   CHECK(frame_descr);
425   char *p;
426   // This string is created by the compiler and has the following form:
427   // "n alloc_1 alloc_2 ... alloc_n"
428   // where alloc_i looks like "offset size len ObjectName".
429   uptr n_objects = (uptr)internal_simple_strtoll(frame_descr, &p, 10);
430   if (n_objects == 0)
431     return false;
432 
433   for (uptr i = 0; i < n_objects; i++) {
434     uptr beg  = (uptr)internal_simple_strtoll(p, &p, 10);
435     uptr size = (uptr)internal_simple_strtoll(p, &p, 10);
436     uptr len  = (uptr)internal_simple_strtoll(p, &p, 10);
437     if (beg == 0 || size == 0 || *p != ' ') {
438       return false;
439     }
440     p++;
441     StackVarDescr var = {beg, size, p, len};
442     vars->push_back(var);
443     p += len;
444   }
445 
446   return true;
447 }
448 
DescribeAddressIfStack(uptr addr,uptr access_size)449 bool DescribeAddressIfStack(uptr addr, uptr access_size) {
450   AsanThread *t = FindThreadByStackAddress(addr);
451   if (!t) return false;
452 
453   Decorator d;
454   char tname[128];
455   Printf("%s", d.Location());
456   Printf("Address %p is located in stack of thread T%d%s", addr, t->tid(),
457          ThreadNameWithParenthesis(t->tid(), tname, sizeof(tname)));
458 
459   // Try to fetch precise stack frame for this access.
460   AsanThread::StackFrameAccess access;
461   if (!t->GetStackFrameAccessByAddr(addr, &access)) {
462     Printf("%s\n", d.EndLocation());
463     return true;
464   }
465   Printf(" at offset %zu in frame%s\n", access.offset, d.EndLocation());
466 
467   // Now we print the frame where the alloca has happened.
468   // We print this frame as a stack trace with one element.
469   // The symbolizer may print more than one frame if inlining was involved.
470   // The frame numbers may be different than those in the stack trace printed
471   // previously. That's unfortunate, but I have no better solution,
472   // especially given that the alloca may be from entirely different place
473   // (e.g. use-after-scope, or different thread's stack).
474 #if SANITIZER_PPC64V1
475   // On PowerPC64 ELFv1, the address of a function actually points to a
476   // three-doubleword data structure with the first field containing
477   // the address of the function's code.
478   access.frame_pc = *reinterpret_cast<uptr *>(access.frame_pc);
479 #endif
480   access.frame_pc += 16;
481   Printf("%s", d.EndLocation());
482   StackTrace alloca_stack(&access.frame_pc, 1);
483   alloca_stack.Print();
484 
485   InternalMmapVector<StackVarDescr> vars(16);
486   if (!ParseFrameDescription(access.frame_descr, &vars)) {
487     Printf("AddressSanitizer can't parse the stack frame "
488            "descriptor: |%s|\n", access.frame_descr);
489     // 'addr' is a stack address, so return true even if we can't parse frame
490     return true;
491   }
492   uptr n_objects = vars.size();
493   // Report the number of stack objects.
494   Printf("  This frame has %zu object(s):\n", n_objects);
495 
496   // Report all objects in this frame.
497   for (uptr i = 0; i < n_objects; i++) {
498     uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
499     uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL);
500     PrintAccessAndVarIntersection(vars[i], access.offset, access_size,
501                                   prev_var_end, next_var_beg);
502   }
503   Printf("HINT: this may be a false positive if your program uses "
504          "some custom stack unwind mechanism or swapcontext\n");
505   if (SANITIZER_WINDOWS)
506     Printf("      (longjmp, SEH and C++ exceptions *are* supported)\n");
507   else
508     Printf("      (longjmp and C++ exceptions *are* supported)\n");
509 
510   DescribeThread(t);
511   return true;
512 }
513 
DescribeAccessToHeapChunk(AsanChunkView chunk,uptr addr,uptr access_size)514 static void DescribeAccessToHeapChunk(AsanChunkView chunk, uptr addr,
515                                       uptr access_size) {
516   sptr offset;
517   Decorator d;
518   InternalScopedString str(4096);
519   str.append("%s", d.Location());
520   if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {
521     str.append("%p is located %zd bytes to the left of", (void *)addr, offset);
522   } else if (chunk.AddrIsAtRight(addr, access_size, &offset)) {
523     if (offset < 0) {
524       addr -= offset;
525       offset = 0;
526     }
527     str.append("%p is located %zd bytes to the right of", (void *)addr, offset);
528   } else if (chunk.AddrIsInside(addr, access_size, &offset)) {
529     str.append("%p is located %zd bytes inside of", (void*)addr, offset);
530   } else {
531     str.append("%p is located somewhere around (this is AddressSanitizer bug!)",
532                (void *)addr);
533   }
534   str.append(" %zu-byte region [%p,%p)\n", chunk.UsedSize(),
535              (void *)(chunk.Beg()), (void *)(chunk.End()));
536   str.append("%s", d.EndLocation());
537   Printf("%s", str.data());
538 }
539 
DescribeHeapAddress(uptr addr,uptr access_size)540 void DescribeHeapAddress(uptr addr, uptr access_size) {
541   AsanChunkView chunk = FindHeapChunkByAddress(addr);
542   if (!chunk.IsValid()) {
543     Printf("AddressSanitizer can not describe address in more detail "
544            "(wild memory access suspected).\n");
545     return;
546   }
547   DescribeAccessToHeapChunk(chunk, addr, access_size);
548   CHECK(chunk.AllocTid() != kInvalidTid);
549   asanThreadRegistry().CheckLocked();
550   AsanThreadContext *alloc_thread =
551       GetThreadContextByTidLocked(chunk.AllocTid());
552   StackTrace alloc_stack = chunk.GetAllocStack();
553   char tname[128];
554   Decorator d;
555   AsanThreadContext *free_thread = nullptr;
556   if (chunk.FreeTid() != kInvalidTid) {
557     free_thread = GetThreadContextByTidLocked(chunk.FreeTid());
558     Printf("%sfreed by thread T%d%s here:%s\n", d.Allocation(),
559            free_thread->tid,
560            ThreadNameWithParenthesis(free_thread, tname, sizeof(tname)),
561            d.EndAllocation());
562     StackTrace free_stack = chunk.GetFreeStack();
563     free_stack.Print();
564     Printf("%spreviously allocated by thread T%d%s here:%s\n",
565            d.Allocation(), alloc_thread->tid,
566            ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
567            d.EndAllocation());
568   } else {
569     Printf("%sallocated by thread T%d%s here:%s\n", d.Allocation(),
570            alloc_thread->tid,
571            ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
572            d.EndAllocation());
573   }
574   alloc_stack.Print();
575   DescribeThread(GetCurrentThread());
576   if (free_thread)
577     DescribeThread(free_thread);
578   DescribeThread(alloc_thread);
579 }
580 
DescribeAddress(uptr addr,uptr access_size,const char * bug_type)581 static void DescribeAddress(uptr addr, uptr access_size, const char *bug_type) {
582   // Check if this is shadow or shadow gap.
583   if (DescribeAddressIfShadow(addr))
584     return;
585   CHECK(AddrIsInMem(addr));
586   if (DescribeAddressIfGlobal(addr, access_size, bug_type))
587     return;
588   if (DescribeAddressIfStack(addr, access_size))
589     return;
590   // Assume it is a heap address.
591   DescribeHeapAddress(addr, access_size);
592 }
593 
594 // ------------------- Thread description -------------------- {{{1
595 
DescribeThread(AsanThreadContext * context)596 void DescribeThread(AsanThreadContext *context) {
597   CHECK(context);
598   asanThreadRegistry().CheckLocked();
599   // No need to announce the main thread.
600   if (context->tid == 0 || context->announced) {
601     return;
602   }
603   context->announced = true;
604   char tname[128];
605   InternalScopedString str(1024);
606   str.append("Thread T%d%s", context->tid,
607              ThreadNameWithParenthesis(context->tid, tname, sizeof(tname)));
608   if (context->parent_tid == kInvalidTid) {
609     str.append(" created by unknown thread\n");
610     Printf("%s", str.data());
611     return;
612   }
613   str.append(
614       " created by T%d%s here:\n", context->parent_tid,
615       ThreadNameWithParenthesis(context->parent_tid, tname, sizeof(tname)));
616   Printf("%s", str.data());
617   StackDepotGet(context->stack_id).Print();
618   // Recursively described parent thread if needed.
619   if (flags()->print_full_thread_history) {
620     AsanThreadContext *parent_context =
621         GetThreadContextByTidLocked(context->parent_tid);
622     DescribeThread(parent_context);
623   }
624 }
625 
626 // -------------------- Different kinds of reports ----------------- {{{1
627 
628 // Use ScopedInErrorReport to run common actions just before and
629 // immediately after printing error report.
630 class ScopedInErrorReport {
631  public:
ScopedInErrorReport(ReportData * report=nullptr,bool fatal=false)632   explicit ScopedInErrorReport(ReportData *report = nullptr,
633                                bool fatal = false) {
634     halt_on_error_ = fatal || flags()->halt_on_error;
635 
636     if (lock_.TryLock()) {
637       StartReporting(report);
638       return;
639     }
640 
641     // ASan found two bugs in different threads simultaneously.
642 
643     u32 current_tid = GetCurrentTidOrInvalid();
644     if (reporting_thread_tid_ == current_tid ||
645         reporting_thread_tid_ == kInvalidTid) {
646       // This is either asynch signal or nested error during error reporting.
647       // Fail simple to avoid deadlocks in Report().
648 
649       // Can't use Report() here because of potential deadlocks
650       // in nested signal handlers.
651       const char msg[] = "AddressSanitizer: nested bug in the same thread, "
652                          "aborting.\n";
653       WriteToFile(kStderrFd, msg, sizeof(msg));
654 
655       internal__exit(common_flags()->exitcode);
656     }
657 
658     if (halt_on_error_) {
659       // Do not print more than one report, otherwise they will mix up.
660       // Error reporting functions shouldn't return at this situation, as
661       // they are effectively no-returns.
662 
663       Report("AddressSanitizer: while reporting a bug found another one. "
664              "Ignoring.\n");
665 
666       // Sleep long enough to make sure that the thread which started
667       // to print an error report will finish doing it.
668       SleepForSeconds(Max(100, flags()->sleep_before_dying + 1));
669 
670       // If we're still not dead for some reason, use raw _exit() instead of
671       // Die() to bypass any additional checks.
672       internal__exit(common_flags()->exitcode);
673     } else {
674       // The other thread will eventually finish reporting
675       // so it's safe to wait
676       lock_.Lock();
677     }
678 
679     StartReporting(report);
680   }
681 
~ScopedInErrorReport()682   ~ScopedInErrorReport() {
683     // Make sure the current thread is announced.
684     DescribeThread(GetCurrentThread());
685     // We may want to grab this lock again when printing stats.
686     asanThreadRegistry().Unlock();
687     // Print memory stats.
688     if (flags()->print_stats)
689       __asan_print_accumulated_stats();
690 
691     if (common_flags()->print_cmdline)
692       PrintCmdline();
693 
694     // Copy the message buffer so that we could start logging without holding a
695     // lock that gets aquired during printing.
696     InternalScopedBuffer<char> buffer_copy(kErrorMessageBufferSize);
697     {
698       BlockingMutexLock l(&error_message_buf_mutex);
699       internal_memcpy(buffer_copy.data(),
700                       error_message_buffer, kErrorMessageBufferSize);
701     }
702 
703     LogFullErrorReport(buffer_copy.data());
704 
705     if (error_report_callback) {
706       error_report_callback(buffer_copy.data());
707     }
708     CommonSanitizerReportMutex.Unlock();
709     reporting_thread_tid_ = kInvalidTid;
710     lock_.Unlock();
711     if (halt_on_error_) {
712       Report("ABORTING\n");
713       Die();
714     }
715   }
716 
717  private:
StartReporting(ReportData * report)718   void StartReporting(ReportData *report) {
719     if (report) report_data = *report;
720     report_happened = true;
721     ASAN_ON_ERROR();
722     // Make sure the registry and sanitizer report mutexes are locked while
723     // we're printing an error report.
724     // We can lock them only here to avoid self-deadlock in case of
725     // recursive reports.
726     asanThreadRegistry().Lock();
727     CommonSanitizerReportMutex.Lock();
728     reporting_thread_tid_ = GetCurrentTidOrInvalid();
729     Printf("===================================================="
730            "=============\n");
731   }
732 
733   static StaticSpinMutex lock_;
734   static u32 reporting_thread_tid_;
735   bool halt_on_error_;
736 };
737 
738 StaticSpinMutex ScopedInErrorReport::lock_;
739 u32 ScopedInErrorReport::reporting_thread_tid_ = kInvalidTid;
740 
ReportStackOverflow(const SignalContext & sig)741 void ReportStackOverflow(const SignalContext &sig) {
742   ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true);
743   Decorator d;
744   Printf("%s", d.Warning());
745   Report(
746       "ERROR: AddressSanitizer: stack-overflow on address %p"
747       " (pc %p bp %p sp %p T%d)\n",
748       (void *)sig.addr, (void *)sig.pc, (void *)sig.bp, (void *)sig.sp,
749       GetCurrentTidOrInvalid());
750   Printf("%s", d.EndWarning());
751   ScarinessScore::PrintSimple(10, "stack-overflow");
752   GET_STACK_TRACE_SIGNAL(sig);
753   stack.Print();
754   ReportErrorSummary("stack-overflow", &stack);
755 }
756 
ReportDeadlySignal(const char * description,const SignalContext & sig)757 void ReportDeadlySignal(const char *description, const SignalContext &sig) {
758   ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true);
759   Decorator d;
760   Printf("%s", d.Warning());
761   Report(
762       "ERROR: AddressSanitizer: %s on unknown address %p"
763       " (pc %p bp %p sp %p T%d)\n",
764       description, (void *)sig.addr, (void *)sig.pc, (void *)sig.bp,
765       (void *)sig.sp, GetCurrentTidOrInvalid());
766   Printf("%s", d.EndWarning());
767   ScarinessScore SS;
768   if (sig.pc < GetPageSizeCached())
769     Report("Hint: pc points to the zero page.\n");
770   if (sig.is_memory_access) {
771     const char *access_type =
772         sig.write_flag == SignalContext::WRITE
773             ? "WRITE"
774             : (sig.write_flag == SignalContext::READ ? "READ" : "UNKNOWN");
775     Report("The signal is caused by a %s memory access.\n", access_type);
776     if (sig.addr < GetPageSizeCached()) {
777       Report("Hint: address points to the zero page.\n");
778       SS.Scare(10, "null-deref");
779     } else if (sig.addr == sig.pc) {
780       SS.Scare(60, "wild-jump");
781     } else if (sig.write_flag == SignalContext::WRITE) {
782       SS.Scare(30, "wild-addr-write");
783     } else if (sig.write_flag == SignalContext::READ) {
784       SS.Scare(20, "wild-addr-read");
785     } else {
786       SS.Scare(25, "wild-addr");
787     }
788   } else {
789     SS.Scare(10, "signal");
790   }
791   SS.Print();
792   GET_STACK_TRACE_SIGNAL(sig);
793   stack.Print();
794   MaybeDumpInstructionBytes(sig.pc);
795   Printf("AddressSanitizer can not provide additional info.\n");
796   ReportErrorSummary(description, &stack);
797 }
798 
ReportDoubleFree(uptr addr,BufferedStackTrace * free_stack)799 void ReportDoubleFree(uptr addr, BufferedStackTrace *free_stack) {
800   ScopedInErrorReport in_report;
801   Decorator d;
802   Printf("%s", d.Warning());
803   char tname[128];
804   u32 curr_tid = GetCurrentTidOrInvalid();
805   Report("ERROR: AddressSanitizer: attempting double-free on %p in "
806          "thread T%d%s:\n",
807          addr, curr_tid,
808          ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
809   Printf("%s", d.EndWarning());
810   CHECK_GT(free_stack->size, 0);
811   ScarinessScore::PrintSimple(42, "double-free");
812   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
813   stack.Print();
814   DescribeHeapAddress(addr, 1);
815   ReportErrorSummary("double-free", &stack);
816 }
817 
ReportNewDeleteSizeMismatch(uptr addr,uptr alloc_size,uptr delete_size,BufferedStackTrace * free_stack)818 void ReportNewDeleteSizeMismatch(uptr addr, uptr alloc_size, uptr delete_size,
819                                  BufferedStackTrace *free_stack) {
820   ScopedInErrorReport in_report;
821   Decorator d;
822   Printf("%s", d.Warning());
823   char tname[128];
824   u32 curr_tid = GetCurrentTidOrInvalid();
825   Report("ERROR: AddressSanitizer: new-delete-type-mismatch on %p in "
826          "thread T%d%s:\n",
827          addr, curr_tid,
828          ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
829   Printf("%s  object passed to delete has wrong type:\n", d.EndWarning());
830   Printf("  size of the allocated type:   %zd bytes;\n"
831          "  size of the deallocated type: %zd bytes.\n",
832          alloc_size, delete_size);
833   CHECK_GT(free_stack->size, 0);
834   ScarinessScore::PrintSimple(10, "new-delete-type-mismatch");
835   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
836   stack.Print();
837   DescribeHeapAddress(addr, 1);
838   ReportErrorSummary("new-delete-type-mismatch", &stack);
839   Report("HINT: if you don't care about these errors you may set "
840          "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
841 }
842 
ReportFreeNotMalloced(uptr addr,BufferedStackTrace * free_stack)843 void ReportFreeNotMalloced(uptr addr, BufferedStackTrace *free_stack) {
844   ScopedInErrorReport in_report;
845   Decorator d;
846   Printf("%s", d.Warning());
847   char tname[128];
848   u32 curr_tid = GetCurrentTidOrInvalid();
849   Report("ERROR: AddressSanitizer: attempting free on address "
850              "which was not malloc()-ed: %p in thread T%d%s\n", addr,
851          curr_tid, ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
852   Printf("%s", d.EndWarning());
853   CHECK_GT(free_stack->size, 0);
854   ScarinessScore::PrintSimple(40, "bad-free");
855   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
856   stack.Print();
857   DescribeHeapAddress(addr, 1);
858   ReportErrorSummary("bad-free", &stack);
859 }
860 
ReportAllocTypeMismatch(uptr addr,BufferedStackTrace * free_stack,AllocType alloc_type,AllocType dealloc_type)861 void ReportAllocTypeMismatch(uptr addr, BufferedStackTrace *free_stack,
862                              AllocType alloc_type,
863                              AllocType dealloc_type) {
864   static const char *alloc_names[] =
865     {"INVALID", "malloc", "operator new", "operator new []"};
866   static const char *dealloc_names[] =
867     {"INVALID", "free", "operator delete", "operator delete []"};
868   CHECK_NE(alloc_type, dealloc_type);
869   ScopedInErrorReport in_report;
870   Decorator d;
871   Printf("%s", d.Warning());
872   Report("ERROR: AddressSanitizer: alloc-dealloc-mismatch (%s vs %s) on %p\n",
873         alloc_names[alloc_type], dealloc_names[dealloc_type], addr);
874   Printf("%s", d.EndWarning());
875   CHECK_GT(free_stack->size, 0);
876   ScarinessScore::PrintSimple(10, "alloc-dealloc-mismatch");
877   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
878   stack.Print();
879   DescribeHeapAddress(addr, 1);
880   ReportErrorSummary("alloc-dealloc-mismatch", &stack);
881   Report("HINT: if you don't care about these errors you may set "
882          "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
883 }
884 
ReportMallocUsableSizeNotOwned(uptr addr,BufferedStackTrace * stack)885 void ReportMallocUsableSizeNotOwned(uptr addr, BufferedStackTrace *stack) {
886   ScopedInErrorReport in_report;
887   Decorator d;
888   Printf("%s", d.Warning());
889   Report("ERROR: AddressSanitizer: attempting to call "
890              "malloc_usable_size() for pointer which is "
891              "not owned: %p\n", addr);
892   Printf("%s", d.EndWarning());
893   stack->Print();
894   DescribeHeapAddress(addr, 1);
895   ReportErrorSummary("bad-malloc_usable_size", stack);
896 }
897 
ReportSanitizerGetAllocatedSizeNotOwned(uptr addr,BufferedStackTrace * stack)898 void ReportSanitizerGetAllocatedSizeNotOwned(uptr addr,
899                                              BufferedStackTrace *stack) {
900   ScopedInErrorReport in_report;
901   Decorator d;
902   Printf("%s", d.Warning());
903   Report("ERROR: AddressSanitizer: attempting to call "
904              "__sanitizer_get_allocated_size() for pointer which is "
905              "not owned: %p\n", addr);
906   Printf("%s", d.EndWarning());
907   stack->Print();
908   DescribeHeapAddress(addr, 1);
909   ReportErrorSummary("bad-__sanitizer_get_allocated_size", stack);
910 }
911 
ReportStringFunctionMemoryRangesOverlap(const char * function,const char * offset1,uptr length1,const char * offset2,uptr length2,BufferedStackTrace * stack)912 void ReportStringFunctionMemoryRangesOverlap(const char *function,
913                                              const char *offset1, uptr length1,
914                                              const char *offset2, uptr length2,
915                                              BufferedStackTrace *stack) {
916   ScopedInErrorReport in_report;
917   Decorator d;
918   char bug_type[100];
919   internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
920   Printf("%s", d.Warning());
921   Report("ERROR: AddressSanitizer: %s: "
922              "memory ranges [%p,%p) and [%p, %p) overlap\n", \
923              bug_type, offset1, offset1 + length1, offset2, offset2 + length2);
924   Printf("%s", d.EndWarning());
925   ScarinessScore::PrintSimple(10, bug_type);
926   stack->Print();
927   DescribeAddress((uptr)offset1, length1, bug_type);
928   DescribeAddress((uptr)offset2, length2, bug_type);
929   ReportErrorSummary(bug_type, stack);
930 }
931 
ReportStringFunctionSizeOverflow(uptr offset,uptr size,BufferedStackTrace * stack)932 void ReportStringFunctionSizeOverflow(uptr offset, uptr size,
933                                       BufferedStackTrace *stack) {
934   ScopedInErrorReport in_report;
935   Decorator d;
936   const char *bug_type = "negative-size-param";
937   Printf("%s", d.Warning());
938   Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
939   Printf("%s", d.EndWarning());
940   ScarinessScore::PrintSimple(10, bug_type);
941   stack->Print();
942   DescribeAddress(offset, size, bug_type);
943   ReportErrorSummary(bug_type, stack);
944 }
945 
ReportBadParamsToAnnotateContiguousContainer(uptr beg,uptr end,uptr old_mid,uptr new_mid,BufferedStackTrace * stack)946 void ReportBadParamsToAnnotateContiguousContainer(uptr beg, uptr end,
947                                                   uptr old_mid, uptr new_mid,
948                                                   BufferedStackTrace *stack) {
949   ScopedInErrorReport in_report;
950   Report("ERROR: AddressSanitizer: bad parameters to "
951          "__sanitizer_annotate_contiguous_container:\n"
952          "      beg     : %p\n"
953          "      end     : %p\n"
954          "      old_mid : %p\n"
955          "      new_mid : %p\n",
956          beg, end, old_mid, new_mid);
957   uptr granularity = SHADOW_GRANULARITY;
958   if (!IsAligned(beg, granularity))
959     Report("ERROR: beg is not aligned by %d\n", granularity);
960   stack->Print();
961   ReportErrorSummary("bad-__sanitizer_annotate_contiguous_container", stack);
962 }
963 
ReportODRViolation(const __asan_global * g1,u32 stack_id1,const __asan_global * g2,u32 stack_id2)964 void ReportODRViolation(const __asan_global *g1, u32 stack_id1,
965                         const __asan_global *g2, u32 stack_id2) {
966   ScopedInErrorReport in_report;
967   Decorator d;
968   Printf("%s", d.Warning());
969   Report("ERROR: AddressSanitizer: odr-violation (%p):\n", g1->beg);
970   Printf("%s", d.EndWarning());
971   InternalScopedString g1_loc(256), g2_loc(256);
972   PrintGlobalLocation(&g1_loc, *g1);
973   PrintGlobalLocation(&g2_loc, *g2);
974   Printf("  [1] size=%zd '%s' %s\n", g1->size,
975          MaybeDemangleGlobalName(g1->name), g1_loc.data());
976   Printf("  [2] size=%zd '%s' %s\n", g2->size,
977          MaybeDemangleGlobalName(g2->name), g2_loc.data());
978   if (stack_id1 && stack_id2) {
979     Printf("These globals were registered at these points:\n");
980     Printf("  [1]:\n");
981     StackDepotGet(stack_id1).Print();
982     Printf("  [2]:\n");
983     StackDepotGet(stack_id2).Print();
984   }
985   Report("HINT: if you don't care about these errors you may set "
986          "ASAN_OPTIONS=detect_odr_violation=0\n");
987   InternalScopedString error_msg(256);
988   error_msg.append("odr-violation: global '%s' at %s",
989                    MaybeDemangleGlobalName(g1->name), g1_loc.data());
990   ReportErrorSummary(error_msg.data());
991 }
992 
993 // ----------------------- CheckForInvalidPointerPair ----------- {{{1
994 static NOINLINE void
ReportInvalidPointerPair(uptr pc,uptr bp,uptr sp,uptr a1,uptr a2)995 ReportInvalidPointerPair(uptr pc, uptr bp, uptr sp, uptr a1, uptr a2) {
996   ScopedInErrorReport in_report;
997   const char *bug_type = "invalid-pointer-pair";
998   Decorator d;
999   Printf("%s", d.Warning());
1000   Report("ERROR: AddressSanitizer: invalid-pointer-pair: %p %p\n", a1, a2);
1001   Printf("%s", d.EndWarning());
1002   GET_STACK_TRACE_FATAL(pc, bp);
1003   stack.Print();
1004   DescribeAddress(a1, 1, bug_type);
1005   DescribeAddress(a2, 1, bug_type);
1006   ReportErrorSummary(bug_type, &stack);
1007 }
1008 
CheckForInvalidPointerPair(void * p1,void * p2)1009 static INLINE void CheckForInvalidPointerPair(void *p1, void *p2) {
1010   if (!flags()->detect_invalid_pointer_pairs) return;
1011   uptr a1 = reinterpret_cast<uptr>(p1);
1012   uptr a2 = reinterpret_cast<uptr>(p2);
1013   AsanChunkView chunk1 = FindHeapChunkByAddress(a1);
1014   AsanChunkView chunk2 = FindHeapChunkByAddress(a2);
1015   bool valid1 = chunk1.IsAllocated();
1016   bool valid2 = chunk2.IsAllocated();
1017   if (!valid1 || !valid2 || !chunk1.Eq(chunk2)) {
1018     GET_CALLER_PC_BP_SP;
1019     return ReportInvalidPointerPair(pc, bp, sp, a1, a2);
1020   }
1021 }
1022 // ----------------------- Mac-specific reports ----------------- {{{1
1023 
ReportMacMzReallocUnknown(uptr addr,uptr zone_ptr,const char * zone_name,BufferedStackTrace * stack)1024 void ReportMacMzReallocUnknown(uptr addr, uptr zone_ptr, const char *zone_name,
1025                                BufferedStackTrace *stack) {
1026   ScopedInErrorReport in_report;
1027   Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"
1028              "This is an unrecoverable problem, exiting now.\n",
1029              addr);
1030   PrintZoneForPointer(addr, zone_ptr, zone_name);
1031   stack->Print();
1032   DescribeHeapAddress(addr, 1);
1033 }
1034 
1035 // -------------- SuppressErrorReport -------------- {{{1
1036 // Avoid error reports duplicating for ASan recover mode.
SuppressErrorReport(uptr pc)1037 static bool SuppressErrorReport(uptr pc) {
1038   if (!common_flags()->suppress_equal_pcs) return false;
1039   for (unsigned i = 0; i < kAsanBuggyPcPoolSize; i++) {
1040     uptr cmp = atomic_load_relaxed(&AsanBuggyPcPool[i]);
1041     if (cmp == 0 && atomic_compare_exchange_strong(&AsanBuggyPcPool[i], &cmp,
1042                                                    pc, memory_order_relaxed))
1043       return false;
1044     if (cmp == pc) return true;
1045   }
1046   Die();
1047 }
1048 
PrintContainerOverflowHint()1049 static void PrintContainerOverflowHint() {
1050   Printf("HINT: if you don't care about these errors you may set "
1051          "ASAN_OPTIONS=detect_container_overflow=0.\n"
1052          "If you suspect a false positive see also: "
1053          "https://github.com/google/sanitizers/wiki/"
1054          "AddressSanitizerContainerOverflow.\n");
1055 }
1056 
AdjacentShadowValuesAreFullyPoisoned(u8 * s)1057 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
1058   return s[-1] > 127 && s[1] > 127;
1059 }
1060 
ReportGenericError(uptr pc,uptr bp,uptr sp,uptr addr,bool is_write,uptr access_size,u32 exp,bool fatal)1061 void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
1062                         uptr access_size, u32 exp, bool fatal) {
1063   if (!fatal && SuppressErrorReport(pc)) return;
1064   ENABLE_FRAME_POINTER;
1065   ScarinessScore SS;
1066 
1067   if (access_size) {
1068     if (access_size <= 9) {
1069       char desr[] = "?-byte";
1070       desr[0] = '0' + access_size;
1071       SS.Scare(access_size + access_size / 2, desr);
1072     } else if (access_size >= 10) {
1073       SS.Scare(15, "multi-byte");
1074     }
1075     is_write ? SS.Scare(20, "write") : SS.Scare(1, "read");
1076   }
1077 
1078   // Optimization experiments.
1079   // The experiments can be used to evaluate potential optimizations that remove
1080   // instrumentation (assess false negatives). Instead of completely removing
1081   // some instrumentation, compiler can emit special calls into runtime
1082   // (e.g. __asan_report_exp_load1 instead of __asan_report_load1) and pass
1083   // mask of experiments (exp).
1084   // The reaction to a non-zero value of exp is to be defined.
1085   (void)exp;
1086 
1087   // Determine the error type.
1088   const char *bug_descr = "unknown-crash";
1089   u8 shadow_val = 0;
1090   if (AddrIsInMem(addr)) {
1091     u8 *shadow_addr = (u8*)MemToShadow(addr);
1092     // If we are accessing 16 bytes, look at the second shadow byte.
1093     if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY)
1094       shadow_addr++;
1095     // If we are in the partial right redzone, look at the next shadow byte.
1096     if (*shadow_addr > 0 && *shadow_addr < 128)
1097       shadow_addr++;
1098     bool far_from_bounds = false;
1099     shadow_val = *shadow_addr;
1100     int bug_type_score = 0;
1101     // For use-after-frees reads are almost as bad as writes.
1102     int read_after_free_bonus = 0;
1103     switch (shadow_val) {
1104       case kAsanHeapLeftRedzoneMagic:
1105       case kAsanHeapRightRedzoneMagic:
1106       case kAsanArrayCookieMagic:
1107         bug_descr = "heap-buffer-overflow";
1108         bug_type_score = 10;
1109         far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1110         break;
1111       case kAsanHeapFreeMagic:
1112         bug_descr = "heap-use-after-free";
1113         bug_type_score = 20;
1114         if (!is_write) read_after_free_bonus = 18;
1115         break;
1116       case kAsanStackLeftRedzoneMagic:
1117         bug_descr = "stack-buffer-underflow";
1118         bug_type_score = 25;
1119         far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1120         break;
1121       case kAsanInitializationOrderMagic:
1122         bug_descr = "initialization-order-fiasco";
1123         bug_type_score = 1;
1124         break;
1125       case kAsanStackMidRedzoneMagic:
1126       case kAsanStackRightRedzoneMagic:
1127       case kAsanStackPartialRedzoneMagic:
1128         bug_descr = "stack-buffer-overflow";
1129         bug_type_score = 25;
1130         far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1131         break;
1132       case kAsanStackAfterReturnMagic:
1133         bug_descr = "stack-use-after-return";
1134         bug_type_score = 30;
1135         if (!is_write) read_after_free_bonus = 18;
1136         break;
1137       case kAsanUserPoisonedMemoryMagic:
1138         bug_descr = "use-after-poison";
1139         bug_type_score = 20;
1140         break;
1141       case kAsanContiguousContainerOOBMagic:
1142         bug_descr = "container-overflow";
1143         bug_type_score = 10;
1144         break;
1145       case kAsanStackUseAfterScopeMagic:
1146         bug_descr = "stack-use-after-scope";
1147         bug_type_score = 10;
1148         break;
1149       case kAsanGlobalRedzoneMagic:
1150         bug_descr = "global-buffer-overflow";
1151         bug_type_score = 10;
1152         far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1153         break;
1154       case kAsanIntraObjectRedzone:
1155         bug_descr = "intra-object-overflow";
1156         bug_type_score = 10;
1157         break;
1158       case kAsanAllocaLeftMagic:
1159       case kAsanAllocaRightMagic:
1160         bug_descr = "dynamic-stack-buffer-overflow";
1161         bug_type_score = 25;
1162         far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1163         break;
1164     }
1165     SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
1166     if (far_from_bounds)
1167       SS.Scare(10, "far-from-bounds");
1168   }
1169 
1170   ReportData report = { pc, sp, bp, addr, (bool)is_write, access_size,
1171                         bug_descr };
1172   ScopedInErrorReport in_report(&report, fatal);
1173 
1174   Decorator d;
1175   Printf("%s", d.Warning());
1176   Report("ERROR: AddressSanitizer: %s on address "
1177              "%p at pc %p bp %p sp %p\n",
1178              bug_descr, (void*)addr, pc, bp, sp);
1179   Printf("%s", d.EndWarning());
1180 
1181   u32 curr_tid = GetCurrentTidOrInvalid();
1182   char tname[128];
1183   Printf("%s%s of size %zu at %p thread T%d%s%s\n",
1184          d.Access(),
1185          access_size ? (is_write ? "WRITE" : "READ") : "ACCESS",
1186          access_size, (void*)addr, curr_tid,
1187          ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)),
1188          d.EndAccess());
1189 
1190   SS.Print();
1191   GET_STACK_TRACE_FATAL(pc, bp);
1192   stack.Print();
1193 
1194   DescribeAddress(addr, access_size, bug_descr);
1195   if (shadow_val == kAsanContiguousContainerOOBMagic)
1196     PrintContainerOverflowHint();
1197   ReportErrorSummary(bug_descr, &stack);
1198   PrintShadowMemoryForAddress(addr);
1199 }
1200 
1201 }  // namespace __asan
1202 
1203 // --------------------------- Interface --------------------- {{{1
1204 using namespace __asan;  // NOLINT
1205 
__asan_report_error(uptr pc,uptr bp,uptr sp,uptr addr,int is_write,uptr access_size,u32 exp)1206 void __asan_report_error(uptr pc, uptr bp, uptr sp, uptr addr, int is_write,
1207                          uptr access_size, u32 exp) {
1208   ENABLE_FRAME_POINTER;
1209   bool fatal = flags()->halt_on_error;
1210   ReportGenericError(pc, bp, sp, addr, is_write, access_size, exp, fatal);
1211 }
1212 
__asan_set_error_report_callback(void (* callback)(const char *))1213 void NOINLINE __asan_set_error_report_callback(void (*callback)(const char*)) {
1214   BlockingMutexLock l(&error_message_buf_mutex);
1215   error_report_callback = callback;
1216 }
1217 
__asan_describe_address(uptr addr)1218 void __asan_describe_address(uptr addr) {
1219   // Thread registry must be locked while we're describing an address.
1220   asanThreadRegistry().Lock();
1221   DescribeAddress(addr, 1, "");
1222   asanThreadRegistry().Unlock();
1223 }
1224 
__asan_report_present()1225 int __asan_report_present() {
1226   return report_happened ? 1 : 0;
1227 }
1228 
__asan_get_report_pc()1229 uptr __asan_get_report_pc() {
1230   return report_data.pc;
1231 }
1232 
__asan_get_report_bp()1233 uptr __asan_get_report_bp() {
1234   return report_data.bp;
1235 }
1236 
__asan_get_report_sp()1237 uptr __asan_get_report_sp() {
1238   return report_data.sp;
1239 }
1240 
__asan_get_report_address()1241 uptr __asan_get_report_address() {
1242   return report_data.addr;
1243 }
1244 
__asan_get_report_access_type()1245 int __asan_get_report_access_type() {
1246   return report_data.is_write ? 1 : 0;
1247 }
1248 
__asan_get_report_access_size()1249 uptr __asan_get_report_access_size() {
1250   return report_data.access_size;
1251 }
1252 
__asan_get_report_description()1253 const char *__asan_get_report_description() {
1254   return report_data.description;
1255 }
1256 
1257 extern "C" {
1258 SANITIZER_INTERFACE_ATTRIBUTE
__sanitizer_ptr_sub(void * a,void * b)1259 void __sanitizer_ptr_sub(void *a, void *b) {
1260   CheckForInvalidPointerPair(a, b);
1261 }
1262 SANITIZER_INTERFACE_ATTRIBUTE
__sanitizer_ptr_cmp(void * a,void * b)1263 void __sanitizer_ptr_cmp(void *a, void *b) {
1264   CheckForInvalidPointerPair(a, b);
1265 }
1266 } // extern "C"
1267 
1268 #if !SANITIZER_SUPPORTS_WEAK_HOOKS
1269 // Provide default implementation of __asan_on_error that does nothing
1270 // and may be overriden by user.
1271 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE NOINLINE
__asan_on_error()1272 void __asan_on_error() {}
1273 #endif
1274