1 //===-- asan_report.cc ----------------------------------------------------===//
2 //
3 // The LLVM Compiler Infrastructure
4 //
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
7 //
8 //===----------------------------------------------------------------------===//
9 //
10 // This file is a part of AddressSanitizer, an address sanity checker.
11 //
12 // This file contains error reporting code.
13 //===----------------------------------------------------------------------===//
14
15 #include "asan_flags.h"
16 #include "asan_internal.h"
17 #include "asan_mapping.h"
18 #include "asan_report.h"
19 #include "asan_scariness_score.h"
20 #include "asan_stack.h"
21 #include "asan_thread.h"
22 #include "sanitizer_common/sanitizer_common.h"
23 #include "sanitizer_common/sanitizer_flags.h"
24 #include "sanitizer_common/sanitizer_report_decorator.h"
25 #include "sanitizer_common/sanitizer_stackdepot.h"
26 #include "sanitizer_common/sanitizer_symbolizer.h"
27
28 namespace __asan {
29
30 // -------------------- User-specified callbacks ----------------- {{{1
31 static void (*error_report_callback)(const char*);
32 static char *error_message_buffer = nullptr;
33 static uptr error_message_buffer_pos = 0;
34 static BlockingMutex error_message_buf_mutex(LINKER_INITIALIZED);
35 static const unsigned kAsanBuggyPcPoolSize = 25;
36 static __sanitizer::atomic_uintptr_t AsanBuggyPcPool[kAsanBuggyPcPoolSize];
37
38 struct ReportData {
39 uptr pc;
40 uptr sp;
41 uptr bp;
42 uptr addr;
43 bool is_write;
44 uptr access_size;
45 const char *description;
46 };
47
48 static bool report_happened = false;
49 static ReportData report_data = {};
50
AppendToErrorMessageBuffer(const char * buffer)51 void AppendToErrorMessageBuffer(const char *buffer) {
52 BlockingMutexLock l(&error_message_buf_mutex);
53 if (!error_message_buffer) {
54 error_message_buffer =
55 (char*)MmapOrDieQuietly(kErrorMessageBufferSize, __func__);
56 error_message_buffer_pos = 0;
57 }
58 uptr length = internal_strlen(buffer);
59 RAW_CHECK(kErrorMessageBufferSize >= error_message_buffer_pos);
60 uptr remaining = kErrorMessageBufferSize - error_message_buffer_pos;
61 internal_strncpy(error_message_buffer + error_message_buffer_pos,
62 buffer, remaining);
63 error_message_buffer[kErrorMessageBufferSize - 1] = '\0';
64 // FIXME: reallocate the buffer instead of truncating the message.
65 error_message_buffer_pos += Min(remaining, length);
66 }
67
68 // ---------------------- Decorator ------------------------------ {{{1
69 class Decorator: public __sanitizer::SanitizerCommonDecorator {
70 public:
Decorator()71 Decorator() : SanitizerCommonDecorator() { }
Access()72 const char *Access() { return Blue(); }
EndAccess()73 const char *EndAccess() { return Default(); }
Location()74 const char *Location() { return Green(); }
EndLocation()75 const char *EndLocation() { return Default(); }
Allocation()76 const char *Allocation() { return Magenta(); }
EndAllocation()77 const char *EndAllocation() { return Default(); }
78
ShadowByte(u8 byte)79 const char *ShadowByte(u8 byte) {
80 switch (byte) {
81 case kAsanHeapLeftRedzoneMagic:
82 case kAsanHeapRightRedzoneMagic:
83 case kAsanArrayCookieMagic:
84 return Red();
85 case kAsanHeapFreeMagic:
86 return Magenta();
87 case kAsanStackLeftRedzoneMagic:
88 case kAsanStackMidRedzoneMagic:
89 case kAsanStackRightRedzoneMagic:
90 case kAsanStackPartialRedzoneMagic:
91 return Red();
92 case kAsanStackAfterReturnMagic:
93 return Magenta();
94 case kAsanInitializationOrderMagic:
95 return Cyan();
96 case kAsanUserPoisonedMemoryMagic:
97 case kAsanContiguousContainerOOBMagic:
98 case kAsanAllocaLeftMagic:
99 case kAsanAllocaRightMagic:
100 return Blue();
101 case kAsanStackUseAfterScopeMagic:
102 return Magenta();
103 case kAsanGlobalRedzoneMagic:
104 return Red();
105 case kAsanInternalHeapMagic:
106 return Yellow();
107 case kAsanIntraObjectRedzone:
108 return Yellow();
109 default:
110 return Default();
111 }
112 }
EndShadowByte()113 const char *EndShadowByte() { return Default(); }
MemoryByte()114 const char *MemoryByte() { return Magenta(); }
EndMemoryByte()115 const char *EndMemoryByte() { return Default(); }
116 };
117
118 // ---------------------- Helper functions ----------------------- {{{1
119
PrintMemoryByte(InternalScopedString * str,const char * before,u8 byte,bool in_shadow,const char * after="\\n")120 static void PrintMemoryByte(InternalScopedString *str, const char *before,
121 u8 byte, bool in_shadow, const char *after = "\n") {
122 Decorator d;
123 str->append("%s%s%x%x%s%s", before,
124 in_shadow ? d.ShadowByte(byte) : d.MemoryByte(),
125 byte >> 4, byte & 15,
126 in_shadow ? d.EndShadowByte() : d.EndMemoryByte(), after);
127 }
128
PrintShadowByte(InternalScopedString * str,const char * before,u8 byte,const char * after="\\n")129 static void PrintShadowByte(InternalScopedString *str, const char *before,
130 u8 byte, const char *after = "\n") {
131 PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
132 }
133
PrintShadowBytes(InternalScopedString * str,const char * before,u8 * bytes,u8 * guilty,uptr n)134 static void PrintShadowBytes(InternalScopedString *str, const char *before,
135 u8 *bytes, u8 *guilty, uptr n) {
136 Decorator d;
137 if (before) str->append("%s%p:", before, bytes);
138 for (uptr i = 0; i < n; i++) {
139 u8 *p = bytes + i;
140 const char *before =
141 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
142 const char *after = p == guilty ? "]" : "";
143 PrintShadowByte(str, before, *p, after);
144 }
145 str->append("\n");
146 }
147
PrintLegend(InternalScopedString * str)148 static void PrintLegend(InternalScopedString *str) {
149 str->append(
150 "Shadow byte legend (one shadow byte represents %d "
151 "application bytes):\n",
152 (int)SHADOW_GRANULARITY);
153 PrintShadowByte(str, " Addressable: ", 0);
154 str->append(" Partially addressable: ");
155 for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
156 str->append("\n");
157 PrintShadowByte(str, " Heap left redzone: ",
158 kAsanHeapLeftRedzoneMagic);
159 PrintShadowByte(str, " Heap right redzone: ",
160 kAsanHeapRightRedzoneMagic);
161 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
162 PrintShadowByte(str, " Stack left redzone: ",
163 kAsanStackLeftRedzoneMagic);
164 PrintShadowByte(str, " Stack mid redzone: ",
165 kAsanStackMidRedzoneMagic);
166 PrintShadowByte(str, " Stack right redzone: ",
167 kAsanStackRightRedzoneMagic);
168 PrintShadowByte(str, " Stack partial redzone: ",
169 kAsanStackPartialRedzoneMagic);
170 PrintShadowByte(str, " Stack after return: ",
171 kAsanStackAfterReturnMagic);
172 PrintShadowByte(str, " Stack use after scope: ",
173 kAsanStackUseAfterScopeMagic);
174 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
175 PrintShadowByte(str, " Global init order: ",
176 kAsanInitializationOrderMagic);
177 PrintShadowByte(str, " Poisoned by user: ",
178 kAsanUserPoisonedMemoryMagic);
179 PrintShadowByte(str, " Container overflow: ",
180 kAsanContiguousContainerOOBMagic);
181 PrintShadowByte(str, " Array cookie: ",
182 kAsanArrayCookieMagic);
183 PrintShadowByte(str, " Intra object redzone: ",
184 kAsanIntraObjectRedzone);
185 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
186 PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
187 PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
188 }
189
MaybeDumpInstructionBytes(uptr pc)190 void MaybeDumpInstructionBytes(uptr pc) {
191 if (!flags()->dump_instruction_bytes || (pc < GetPageSizeCached()))
192 return;
193 InternalScopedString str(1024);
194 str.append("First 16 instruction bytes at pc: ");
195 if (IsAccessibleMemoryRange(pc, 16)) {
196 for (int i = 0; i < 16; ++i) {
197 PrintMemoryByte(&str, "", ((u8 *)pc)[i], /*in_shadow*/false, " ");
198 }
199 str.append("\n");
200 } else {
201 str.append("unaccessible\n");
202 }
203 Report("%s", str.data());
204 }
205
PrintShadowMemoryForAddress(uptr addr)206 static void PrintShadowMemoryForAddress(uptr addr) {
207 if (!AddrIsInMem(addr)) return;
208 uptr shadow_addr = MemToShadow(addr);
209 const uptr n_bytes_per_row = 16;
210 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
211 InternalScopedString str(4096 * 8);
212 str.append("Shadow bytes around the buggy address:\n");
213 for (int i = -5; i <= 5; i++) {
214 const char *prefix = (i == 0) ? "=>" : " ";
215 PrintShadowBytes(&str, prefix, (u8 *)(aligned_shadow + i * n_bytes_per_row),
216 (u8 *)shadow_addr, n_bytes_per_row);
217 }
218 if (flags()->print_legend) PrintLegend(&str);
219 Printf("%s", str.data());
220 }
221
PrintZoneForPointer(uptr ptr,uptr zone_ptr,const char * zone_name)222 static void PrintZoneForPointer(uptr ptr, uptr zone_ptr,
223 const char *zone_name) {
224 if (zone_ptr) {
225 if (zone_name) {
226 Printf("malloc_zone_from_ptr(%p) = %p, which is %s\n",
227 ptr, zone_ptr, zone_name);
228 } else {
229 Printf("malloc_zone_from_ptr(%p) = %p, which doesn't have a name\n",
230 ptr, zone_ptr);
231 }
232 } else {
233 Printf("malloc_zone_from_ptr(%p) = 0\n", ptr);
234 }
235 }
236
DescribeThread(AsanThread * t)237 static void DescribeThread(AsanThread *t) {
238 if (t)
239 DescribeThread(t->context());
240 }
241
242 // ---------------------- Address Descriptions ------------------- {{{1
243
IsASCII(unsigned char c)244 static bool IsASCII(unsigned char c) {
245 return /*0x00 <= c &&*/ c <= 0x7F;
246 }
247
MaybeDemangleGlobalName(const char * name)248 static const char *MaybeDemangleGlobalName(const char *name) {
249 // We can spoil names of globals with C linkage, so use an heuristic
250 // approach to check if the name should be demangled.
251 bool should_demangle = false;
252 if (name[0] == '_' && name[1] == 'Z')
253 should_demangle = true;
254 else if (SANITIZER_WINDOWS && name[0] == '\01' && name[1] == '?')
255 should_demangle = true;
256
257 return should_demangle ? Symbolizer::GetOrInit()->Demangle(name) : name;
258 }
259
260 // Check if the global is a zero-terminated ASCII string. If so, print it.
PrintGlobalNameIfASCII(InternalScopedString * str,const __asan_global & g)261 static void PrintGlobalNameIfASCII(InternalScopedString *str,
262 const __asan_global &g) {
263 for (uptr p = g.beg; p < g.beg + g.size - 1; p++) {
264 unsigned char c = *(unsigned char*)p;
265 if (c == '\0' || !IsASCII(c)) return;
266 }
267 if (*(char*)(g.beg + g.size - 1) != '\0') return;
268 str->append(" '%s' is ascii string '%s'\n", MaybeDemangleGlobalName(g.name),
269 (char *)g.beg);
270 }
271
GlobalFilename(const __asan_global & g)272 static const char *GlobalFilename(const __asan_global &g) {
273 const char *res = g.module_name;
274 // Prefer the filename from source location, if is available.
275 if (g.location)
276 res = g.location->filename;
277 CHECK(res);
278 return res;
279 }
280
PrintGlobalLocation(InternalScopedString * str,const __asan_global & g)281 static void PrintGlobalLocation(InternalScopedString *str,
282 const __asan_global &g) {
283 str->append("%s", GlobalFilename(g));
284 if (!g.location)
285 return;
286 if (g.location->line_no)
287 str->append(":%d", g.location->line_no);
288 if (g.location->column_no)
289 str->append(":%d", g.location->column_no);
290 }
291
DescribeAddressRelativeToGlobal(uptr addr,uptr size,const __asan_global & g)292 static void DescribeAddressRelativeToGlobal(uptr addr, uptr size,
293 const __asan_global &g) {
294 InternalScopedString str(4096);
295 Decorator d;
296 str.append("%s", d.Location());
297 if (addr < g.beg) {
298 str.append("%p is located %zd bytes to the left", (void *)addr,
299 g.beg - addr);
300 } else if (addr + size > g.beg + g.size) {
301 if (addr < g.beg + g.size)
302 addr = g.beg + g.size;
303 str.append("%p is located %zd bytes to the right", (void *)addr,
304 addr - (g.beg + g.size));
305 } else {
306 // Can it happen?
307 str.append("%p is located %zd bytes inside", (void *)addr, addr - g.beg);
308 }
309 str.append(" of global variable '%s' defined in '",
310 MaybeDemangleGlobalName(g.name));
311 PrintGlobalLocation(&str, g);
312 str.append("' (0x%zx) of size %zu\n", g.beg, g.size);
313 str.append("%s", d.EndLocation());
314 PrintGlobalNameIfASCII(&str, g);
315 Printf("%s", str.data());
316 }
317
DescribeAddressIfGlobal(uptr addr,uptr size,const char * bug_type)318 static bool DescribeAddressIfGlobal(uptr addr, uptr size,
319 const char *bug_type) {
320 // Assume address is close to at most four globals.
321 const int kMaxGlobalsInReport = 4;
322 __asan_global globals[kMaxGlobalsInReport];
323 u32 reg_sites[kMaxGlobalsInReport];
324 int globals_num =
325 GetGlobalsForAddress(addr, globals, reg_sites, ARRAY_SIZE(globals));
326 if (globals_num == 0)
327 return false;
328 for (int i = 0; i < globals_num; i++) {
329 DescribeAddressRelativeToGlobal(addr, size, globals[i]);
330 if (0 == internal_strcmp(bug_type, "initialization-order-fiasco") &&
331 reg_sites[i]) {
332 Printf(" registered at:\n");
333 StackDepotGet(reg_sites[i]).Print();
334 }
335 }
336 return true;
337 }
338
DescribeAddressIfShadow(uptr addr,AddressDescription * descr,bool print)339 bool DescribeAddressIfShadow(uptr addr, AddressDescription *descr, bool print) {
340 if (AddrIsInMem(addr))
341 return false;
342 const char *area_type = nullptr;
343 if (AddrIsInShadowGap(addr)) area_type = "shadow gap";
344 else if (AddrIsInHighShadow(addr)) area_type = "high shadow";
345 else if (AddrIsInLowShadow(addr)) area_type = "low shadow";
346 if (area_type != nullptr) {
347 if (print) {
348 Printf("Address %p is located in the %s area.\n", addr, area_type);
349 } else {
350 CHECK(descr);
351 descr->region_kind = area_type;
352 }
353 return true;
354 }
355 CHECK(0 && "Address is not in memory and not in shadow?");
356 return false;
357 }
358
359 // Return " (thread_name) " or an empty string if the name is empty.
ThreadNameWithParenthesis(AsanThreadContext * t,char buff[],uptr buff_len)360 const char *ThreadNameWithParenthesis(AsanThreadContext *t, char buff[],
361 uptr buff_len) {
362 const char *name = t->name;
363 if (name[0] == '\0') return "";
364 buff[0] = 0;
365 internal_strncat(buff, " (", 3);
366 internal_strncat(buff, name, buff_len - 4);
367 internal_strncat(buff, ")", 2);
368 return buff;
369 }
370
ThreadNameWithParenthesis(u32 tid,char buff[],uptr buff_len)371 const char *ThreadNameWithParenthesis(u32 tid, char buff[],
372 uptr buff_len) {
373 if (tid == kInvalidTid) return "";
374 asanThreadRegistry().CheckLocked();
375 AsanThreadContext *t = GetThreadContextByTidLocked(tid);
376 return ThreadNameWithParenthesis(t, buff, buff_len);
377 }
378
PrintAccessAndVarIntersection(const StackVarDescr & var,uptr addr,uptr access_size,uptr prev_var_end,uptr next_var_beg)379 static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,
380 uptr access_size, uptr prev_var_end,
381 uptr next_var_beg) {
382 uptr var_end = var.beg + var.size;
383 uptr addr_end = addr + access_size;
384 const char *pos_descr = nullptr;
385 // If the variable [var.beg, var_end) is the nearest variable to the
386 // current memory access, indicate it in the log.
387 if (addr >= var.beg) {
388 if (addr_end <= var_end)
389 pos_descr = "is inside"; // May happen if this is a use-after-return.
390 else if (addr < var_end)
391 pos_descr = "partially overflows";
392 else if (addr_end <= next_var_beg &&
393 next_var_beg - addr_end >= addr - var_end)
394 pos_descr = "overflows";
395 } else {
396 if (addr_end > var.beg)
397 pos_descr = "partially underflows";
398 else if (addr >= prev_var_end &&
399 addr - prev_var_end >= var.beg - addr_end)
400 pos_descr = "underflows";
401 }
402 InternalScopedString str(1024);
403 str.append(" [%zd, %zd)", var.beg, var_end);
404 // Render variable name.
405 str.append(" '");
406 for (uptr i = 0; i < var.name_len; ++i) {
407 str.append("%c", var.name_pos[i]);
408 }
409 str.append("'");
410 if (pos_descr) {
411 Decorator d;
412 // FIXME: we may want to also print the size of the access here,
413 // but in case of accesses generated by memset it may be confusing.
414 str.append("%s <== Memory access at offset %zd %s this variable%s\n",
415 d.Location(), addr, pos_descr, d.EndLocation());
416 } else {
417 str.append("\n");
418 }
419 Printf("%s", str.data());
420 }
421
ParseFrameDescription(const char * frame_descr,InternalMmapVector<StackVarDescr> * vars)422 bool ParseFrameDescription(const char *frame_descr,
423 InternalMmapVector<StackVarDescr> *vars) {
424 CHECK(frame_descr);
425 char *p;
426 // This string is created by the compiler and has the following form:
427 // "n alloc_1 alloc_2 ... alloc_n"
428 // where alloc_i looks like "offset size len ObjectName".
429 uptr n_objects = (uptr)internal_simple_strtoll(frame_descr, &p, 10);
430 if (n_objects == 0)
431 return false;
432
433 for (uptr i = 0; i < n_objects; i++) {
434 uptr beg = (uptr)internal_simple_strtoll(p, &p, 10);
435 uptr size = (uptr)internal_simple_strtoll(p, &p, 10);
436 uptr len = (uptr)internal_simple_strtoll(p, &p, 10);
437 if (beg == 0 || size == 0 || *p != ' ') {
438 return false;
439 }
440 p++;
441 StackVarDescr var = {beg, size, p, len};
442 vars->push_back(var);
443 p += len;
444 }
445
446 return true;
447 }
448
DescribeAddressIfStack(uptr addr,uptr access_size)449 bool DescribeAddressIfStack(uptr addr, uptr access_size) {
450 AsanThread *t = FindThreadByStackAddress(addr);
451 if (!t) return false;
452
453 Decorator d;
454 char tname[128];
455 Printf("%s", d.Location());
456 Printf("Address %p is located in stack of thread T%d%s", addr, t->tid(),
457 ThreadNameWithParenthesis(t->tid(), tname, sizeof(tname)));
458
459 // Try to fetch precise stack frame for this access.
460 AsanThread::StackFrameAccess access;
461 if (!t->GetStackFrameAccessByAddr(addr, &access)) {
462 Printf("%s\n", d.EndLocation());
463 return true;
464 }
465 Printf(" at offset %zu in frame%s\n", access.offset, d.EndLocation());
466
467 // Now we print the frame where the alloca has happened.
468 // We print this frame as a stack trace with one element.
469 // The symbolizer may print more than one frame if inlining was involved.
470 // The frame numbers may be different than those in the stack trace printed
471 // previously. That's unfortunate, but I have no better solution,
472 // especially given that the alloca may be from entirely different place
473 // (e.g. use-after-scope, or different thread's stack).
474 #if SANITIZER_PPC64V1
475 // On PowerPC64 ELFv1, the address of a function actually points to a
476 // three-doubleword data structure with the first field containing
477 // the address of the function's code.
478 access.frame_pc = *reinterpret_cast<uptr *>(access.frame_pc);
479 #endif
480 access.frame_pc += 16;
481 Printf("%s", d.EndLocation());
482 StackTrace alloca_stack(&access.frame_pc, 1);
483 alloca_stack.Print();
484
485 InternalMmapVector<StackVarDescr> vars(16);
486 if (!ParseFrameDescription(access.frame_descr, &vars)) {
487 Printf("AddressSanitizer can't parse the stack frame "
488 "descriptor: |%s|\n", access.frame_descr);
489 // 'addr' is a stack address, so return true even if we can't parse frame
490 return true;
491 }
492 uptr n_objects = vars.size();
493 // Report the number of stack objects.
494 Printf(" This frame has %zu object(s):\n", n_objects);
495
496 // Report all objects in this frame.
497 for (uptr i = 0; i < n_objects; i++) {
498 uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
499 uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL);
500 PrintAccessAndVarIntersection(vars[i], access.offset, access_size,
501 prev_var_end, next_var_beg);
502 }
503 Printf("HINT: this may be a false positive if your program uses "
504 "some custom stack unwind mechanism or swapcontext\n");
505 if (SANITIZER_WINDOWS)
506 Printf(" (longjmp, SEH and C++ exceptions *are* supported)\n");
507 else
508 Printf(" (longjmp and C++ exceptions *are* supported)\n");
509
510 DescribeThread(t);
511 return true;
512 }
513
DescribeAccessToHeapChunk(AsanChunkView chunk,uptr addr,uptr access_size)514 static void DescribeAccessToHeapChunk(AsanChunkView chunk, uptr addr,
515 uptr access_size) {
516 sptr offset;
517 Decorator d;
518 InternalScopedString str(4096);
519 str.append("%s", d.Location());
520 if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {
521 str.append("%p is located %zd bytes to the left of", (void *)addr, offset);
522 } else if (chunk.AddrIsAtRight(addr, access_size, &offset)) {
523 if (offset < 0) {
524 addr -= offset;
525 offset = 0;
526 }
527 str.append("%p is located %zd bytes to the right of", (void *)addr, offset);
528 } else if (chunk.AddrIsInside(addr, access_size, &offset)) {
529 str.append("%p is located %zd bytes inside of", (void*)addr, offset);
530 } else {
531 str.append("%p is located somewhere around (this is AddressSanitizer bug!)",
532 (void *)addr);
533 }
534 str.append(" %zu-byte region [%p,%p)\n", chunk.UsedSize(),
535 (void *)(chunk.Beg()), (void *)(chunk.End()));
536 str.append("%s", d.EndLocation());
537 Printf("%s", str.data());
538 }
539
DescribeHeapAddress(uptr addr,uptr access_size)540 void DescribeHeapAddress(uptr addr, uptr access_size) {
541 AsanChunkView chunk = FindHeapChunkByAddress(addr);
542 if (!chunk.IsValid()) {
543 Printf("AddressSanitizer can not describe address in more detail "
544 "(wild memory access suspected).\n");
545 return;
546 }
547 DescribeAccessToHeapChunk(chunk, addr, access_size);
548 CHECK(chunk.AllocTid() != kInvalidTid);
549 asanThreadRegistry().CheckLocked();
550 AsanThreadContext *alloc_thread =
551 GetThreadContextByTidLocked(chunk.AllocTid());
552 StackTrace alloc_stack = chunk.GetAllocStack();
553 char tname[128];
554 Decorator d;
555 AsanThreadContext *free_thread = nullptr;
556 if (chunk.FreeTid() != kInvalidTid) {
557 free_thread = GetThreadContextByTidLocked(chunk.FreeTid());
558 Printf("%sfreed by thread T%d%s here:%s\n", d.Allocation(),
559 free_thread->tid,
560 ThreadNameWithParenthesis(free_thread, tname, sizeof(tname)),
561 d.EndAllocation());
562 StackTrace free_stack = chunk.GetFreeStack();
563 free_stack.Print();
564 Printf("%spreviously allocated by thread T%d%s here:%s\n",
565 d.Allocation(), alloc_thread->tid,
566 ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
567 d.EndAllocation());
568 } else {
569 Printf("%sallocated by thread T%d%s here:%s\n", d.Allocation(),
570 alloc_thread->tid,
571 ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
572 d.EndAllocation());
573 }
574 alloc_stack.Print();
575 DescribeThread(GetCurrentThread());
576 if (free_thread)
577 DescribeThread(free_thread);
578 DescribeThread(alloc_thread);
579 }
580
DescribeAddress(uptr addr,uptr access_size,const char * bug_type)581 static void DescribeAddress(uptr addr, uptr access_size, const char *bug_type) {
582 // Check if this is shadow or shadow gap.
583 if (DescribeAddressIfShadow(addr))
584 return;
585 CHECK(AddrIsInMem(addr));
586 if (DescribeAddressIfGlobal(addr, access_size, bug_type))
587 return;
588 if (DescribeAddressIfStack(addr, access_size))
589 return;
590 // Assume it is a heap address.
591 DescribeHeapAddress(addr, access_size);
592 }
593
594 // ------------------- Thread description -------------------- {{{1
595
DescribeThread(AsanThreadContext * context)596 void DescribeThread(AsanThreadContext *context) {
597 CHECK(context);
598 asanThreadRegistry().CheckLocked();
599 // No need to announce the main thread.
600 if (context->tid == 0 || context->announced) {
601 return;
602 }
603 context->announced = true;
604 char tname[128];
605 InternalScopedString str(1024);
606 str.append("Thread T%d%s", context->tid,
607 ThreadNameWithParenthesis(context->tid, tname, sizeof(tname)));
608 if (context->parent_tid == kInvalidTid) {
609 str.append(" created by unknown thread\n");
610 Printf("%s", str.data());
611 return;
612 }
613 str.append(
614 " created by T%d%s here:\n", context->parent_tid,
615 ThreadNameWithParenthesis(context->parent_tid, tname, sizeof(tname)));
616 Printf("%s", str.data());
617 StackDepotGet(context->stack_id).Print();
618 // Recursively described parent thread if needed.
619 if (flags()->print_full_thread_history) {
620 AsanThreadContext *parent_context =
621 GetThreadContextByTidLocked(context->parent_tid);
622 DescribeThread(parent_context);
623 }
624 }
625
626 // -------------------- Different kinds of reports ----------------- {{{1
627
628 // Use ScopedInErrorReport to run common actions just before and
629 // immediately after printing error report.
630 class ScopedInErrorReport {
631 public:
ScopedInErrorReport(ReportData * report=nullptr,bool fatal=false)632 explicit ScopedInErrorReport(ReportData *report = nullptr,
633 bool fatal = false) {
634 halt_on_error_ = fatal || flags()->halt_on_error;
635
636 if (lock_.TryLock()) {
637 StartReporting(report);
638 return;
639 }
640
641 // ASan found two bugs in different threads simultaneously.
642
643 u32 current_tid = GetCurrentTidOrInvalid();
644 if (reporting_thread_tid_ == current_tid ||
645 reporting_thread_tid_ == kInvalidTid) {
646 // This is either asynch signal or nested error during error reporting.
647 // Fail simple to avoid deadlocks in Report().
648
649 // Can't use Report() here because of potential deadlocks
650 // in nested signal handlers.
651 const char msg[] = "AddressSanitizer: nested bug in the same thread, "
652 "aborting.\n";
653 WriteToFile(kStderrFd, msg, sizeof(msg));
654
655 internal__exit(common_flags()->exitcode);
656 }
657
658 if (halt_on_error_) {
659 // Do not print more than one report, otherwise they will mix up.
660 // Error reporting functions shouldn't return at this situation, as
661 // they are effectively no-returns.
662
663 Report("AddressSanitizer: while reporting a bug found another one. "
664 "Ignoring.\n");
665
666 // Sleep long enough to make sure that the thread which started
667 // to print an error report will finish doing it.
668 SleepForSeconds(Max(100, flags()->sleep_before_dying + 1));
669
670 // If we're still not dead for some reason, use raw _exit() instead of
671 // Die() to bypass any additional checks.
672 internal__exit(common_flags()->exitcode);
673 } else {
674 // The other thread will eventually finish reporting
675 // so it's safe to wait
676 lock_.Lock();
677 }
678
679 StartReporting(report);
680 }
681
~ScopedInErrorReport()682 ~ScopedInErrorReport() {
683 // Make sure the current thread is announced.
684 DescribeThread(GetCurrentThread());
685 // We may want to grab this lock again when printing stats.
686 asanThreadRegistry().Unlock();
687 // Print memory stats.
688 if (flags()->print_stats)
689 __asan_print_accumulated_stats();
690
691 if (common_flags()->print_cmdline)
692 PrintCmdline();
693
694 // Copy the message buffer so that we could start logging without holding a
695 // lock that gets aquired during printing.
696 InternalScopedBuffer<char> buffer_copy(kErrorMessageBufferSize);
697 {
698 BlockingMutexLock l(&error_message_buf_mutex);
699 internal_memcpy(buffer_copy.data(),
700 error_message_buffer, kErrorMessageBufferSize);
701 }
702
703 LogFullErrorReport(buffer_copy.data());
704
705 if (error_report_callback) {
706 error_report_callback(buffer_copy.data());
707 }
708 CommonSanitizerReportMutex.Unlock();
709 reporting_thread_tid_ = kInvalidTid;
710 lock_.Unlock();
711 if (halt_on_error_) {
712 Report("ABORTING\n");
713 Die();
714 }
715 }
716
717 private:
StartReporting(ReportData * report)718 void StartReporting(ReportData *report) {
719 if (report) report_data = *report;
720 report_happened = true;
721 ASAN_ON_ERROR();
722 // Make sure the registry and sanitizer report mutexes are locked while
723 // we're printing an error report.
724 // We can lock them only here to avoid self-deadlock in case of
725 // recursive reports.
726 asanThreadRegistry().Lock();
727 CommonSanitizerReportMutex.Lock();
728 reporting_thread_tid_ = GetCurrentTidOrInvalid();
729 Printf("===================================================="
730 "=============\n");
731 }
732
733 static StaticSpinMutex lock_;
734 static u32 reporting_thread_tid_;
735 bool halt_on_error_;
736 };
737
738 StaticSpinMutex ScopedInErrorReport::lock_;
739 u32 ScopedInErrorReport::reporting_thread_tid_ = kInvalidTid;
740
ReportStackOverflow(const SignalContext & sig)741 void ReportStackOverflow(const SignalContext &sig) {
742 ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true);
743 Decorator d;
744 Printf("%s", d.Warning());
745 Report(
746 "ERROR: AddressSanitizer: stack-overflow on address %p"
747 " (pc %p bp %p sp %p T%d)\n",
748 (void *)sig.addr, (void *)sig.pc, (void *)sig.bp, (void *)sig.sp,
749 GetCurrentTidOrInvalid());
750 Printf("%s", d.EndWarning());
751 ScarinessScore::PrintSimple(10, "stack-overflow");
752 GET_STACK_TRACE_SIGNAL(sig);
753 stack.Print();
754 ReportErrorSummary("stack-overflow", &stack);
755 }
756
ReportDeadlySignal(const char * description,const SignalContext & sig)757 void ReportDeadlySignal(const char *description, const SignalContext &sig) {
758 ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true);
759 Decorator d;
760 Printf("%s", d.Warning());
761 Report(
762 "ERROR: AddressSanitizer: %s on unknown address %p"
763 " (pc %p bp %p sp %p T%d)\n",
764 description, (void *)sig.addr, (void *)sig.pc, (void *)sig.bp,
765 (void *)sig.sp, GetCurrentTidOrInvalid());
766 Printf("%s", d.EndWarning());
767 ScarinessScore SS;
768 if (sig.pc < GetPageSizeCached())
769 Report("Hint: pc points to the zero page.\n");
770 if (sig.is_memory_access) {
771 const char *access_type =
772 sig.write_flag == SignalContext::WRITE
773 ? "WRITE"
774 : (sig.write_flag == SignalContext::READ ? "READ" : "UNKNOWN");
775 Report("The signal is caused by a %s memory access.\n", access_type);
776 if (sig.addr < GetPageSizeCached()) {
777 Report("Hint: address points to the zero page.\n");
778 SS.Scare(10, "null-deref");
779 } else if (sig.addr == sig.pc) {
780 SS.Scare(60, "wild-jump");
781 } else if (sig.write_flag == SignalContext::WRITE) {
782 SS.Scare(30, "wild-addr-write");
783 } else if (sig.write_flag == SignalContext::READ) {
784 SS.Scare(20, "wild-addr-read");
785 } else {
786 SS.Scare(25, "wild-addr");
787 }
788 } else {
789 SS.Scare(10, "signal");
790 }
791 SS.Print();
792 GET_STACK_TRACE_SIGNAL(sig);
793 stack.Print();
794 MaybeDumpInstructionBytes(sig.pc);
795 Printf("AddressSanitizer can not provide additional info.\n");
796 ReportErrorSummary(description, &stack);
797 }
798
ReportDoubleFree(uptr addr,BufferedStackTrace * free_stack)799 void ReportDoubleFree(uptr addr, BufferedStackTrace *free_stack) {
800 ScopedInErrorReport in_report;
801 Decorator d;
802 Printf("%s", d.Warning());
803 char tname[128];
804 u32 curr_tid = GetCurrentTidOrInvalid();
805 Report("ERROR: AddressSanitizer: attempting double-free on %p in "
806 "thread T%d%s:\n",
807 addr, curr_tid,
808 ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
809 Printf("%s", d.EndWarning());
810 CHECK_GT(free_stack->size, 0);
811 ScarinessScore::PrintSimple(42, "double-free");
812 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
813 stack.Print();
814 DescribeHeapAddress(addr, 1);
815 ReportErrorSummary("double-free", &stack);
816 }
817
ReportNewDeleteSizeMismatch(uptr addr,uptr alloc_size,uptr delete_size,BufferedStackTrace * free_stack)818 void ReportNewDeleteSizeMismatch(uptr addr, uptr alloc_size, uptr delete_size,
819 BufferedStackTrace *free_stack) {
820 ScopedInErrorReport in_report;
821 Decorator d;
822 Printf("%s", d.Warning());
823 char tname[128];
824 u32 curr_tid = GetCurrentTidOrInvalid();
825 Report("ERROR: AddressSanitizer: new-delete-type-mismatch on %p in "
826 "thread T%d%s:\n",
827 addr, curr_tid,
828 ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
829 Printf("%s object passed to delete has wrong type:\n", d.EndWarning());
830 Printf(" size of the allocated type: %zd bytes;\n"
831 " size of the deallocated type: %zd bytes.\n",
832 alloc_size, delete_size);
833 CHECK_GT(free_stack->size, 0);
834 ScarinessScore::PrintSimple(10, "new-delete-type-mismatch");
835 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
836 stack.Print();
837 DescribeHeapAddress(addr, 1);
838 ReportErrorSummary("new-delete-type-mismatch", &stack);
839 Report("HINT: if you don't care about these errors you may set "
840 "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
841 }
842
ReportFreeNotMalloced(uptr addr,BufferedStackTrace * free_stack)843 void ReportFreeNotMalloced(uptr addr, BufferedStackTrace *free_stack) {
844 ScopedInErrorReport in_report;
845 Decorator d;
846 Printf("%s", d.Warning());
847 char tname[128];
848 u32 curr_tid = GetCurrentTidOrInvalid();
849 Report("ERROR: AddressSanitizer: attempting free on address "
850 "which was not malloc()-ed: %p in thread T%d%s\n", addr,
851 curr_tid, ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
852 Printf("%s", d.EndWarning());
853 CHECK_GT(free_stack->size, 0);
854 ScarinessScore::PrintSimple(40, "bad-free");
855 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
856 stack.Print();
857 DescribeHeapAddress(addr, 1);
858 ReportErrorSummary("bad-free", &stack);
859 }
860
ReportAllocTypeMismatch(uptr addr,BufferedStackTrace * free_stack,AllocType alloc_type,AllocType dealloc_type)861 void ReportAllocTypeMismatch(uptr addr, BufferedStackTrace *free_stack,
862 AllocType alloc_type,
863 AllocType dealloc_type) {
864 static const char *alloc_names[] =
865 {"INVALID", "malloc", "operator new", "operator new []"};
866 static const char *dealloc_names[] =
867 {"INVALID", "free", "operator delete", "operator delete []"};
868 CHECK_NE(alloc_type, dealloc_type);
869 ScopedInErrorReport in_report;
870 Decorator d;
871 Printf("%s", d.Warning());
872 Report("ERROR: AddressSanitizer: alloc-dealloc-mismatch (%s vs %s) on %p\n",
873 alloc_names[alloc_type], dealloc_names[dealloc_type], addr);
874 Printf("%s", d.EndWarning());
875 CHECK_GT(free_stack->size, 0);
876 ScarinessScore::PrintSimple(10, "alloc-dealloc-mismatch");
877 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
878 stack.Print();
879 DescribeHeapAddress(addr, 1);
880 ReportErrorSummary("alloc-dealloc-mismatch", &stack);
881 Report("HINT: if you don't care about these errors you may set "
882 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
883 }
884
ReportMallocUsableSizeNotOwned(uptr addr,BufferedStackTrace * stack)885 void ReportMallocUsableSizeNotOwned(uptr addr, BufferedStackTrace *stack) {
886 ScopedInErrorReport in_report;
887 Decorator d;
888 Printf("%s", d.Warning());
889 Report("ERROR: AddressSanitizer: attempting to call "
890 "malloc_usable_size() for pointer which is "
891 "not owned: %p\n", addr);
892 Printf("%s", d.EndWarning());
893 stack->Print();
894 DescribeHeapAddress(addr, 1);
895 ReportErrorSummary("bad-malloc_usable_size", stack);
896 }
897
ReportSanitizerGetAllocatedSizeNotOwned(uptr addr,BufferedStackTrace * stack)898 void ReportSanitizerGetAllocatedSizeNotOwned(uptr addr,
899 BufferedStackTrace *stack) {
900 ScopedInErrorReport in_report;
901 Decorator d;
902 Printf("%s", d.Warning());
903 Report("ERROR: AddressSanitizer: attempting to call "
904 "__sanitizer_get_allocated_size() for pointer which is "
905 "not owned: %p\n", addr);
906 Printf("%s", d.EndWarning());
907 stack->Print();
908 DescribeHeapAddress(addr, 1);
909 ReportErrorSummary("bad-__sanitizer_get_allocated_size", stack);
910 }
911
ReportStringFunctionMemoryRangesOverlap(const char * function,const char * offset1,uptr length1,const char * offset2,uptr length2,BufferedStackTrace * stack)912 void ReportStringFunctionMemoryRangesOverlap(const char *function,
913 const char *offset1, uptr length1,
914 const char *offset2, uptr length2,
915 BufferedStackTrace *stack) {
916 ScopedInErrorReport in_report;
917 Decorator d;
918 char bug_type[100];
919 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
920 Printf("%s", d.Warning());
921 Report("ERROR: AddressSanitizer: %s: "
922 "memory ranges [%p,%p) and [%p, %p) overlap\n", \
923 bug_type, offset1, offset1 + length1, offset2, offset2 + length2);
924 Printf("%s", d.EndWarning());
925 ScarinessScore::PrintSimple(10, bug_type);
926 stack->Print();
927 DescribeAddress((uptr)offset1, length1, bug_type);
928 DescribeAddress((uptr)offset2, length2, bug_type);
929 ReportErrorSummary(bug_type, stack);
930 }
931
ReportStringFunctionSizeOverflow(uptr offset,uptr size,BufferedStackTrace * stack)932 void ReportStringFunctionSizeOverflow(uptr offset, uptr size,
933 BufferedStackTrace *stack) {
934 ScopedInErrorReport in_report;
935 Decorator d;
936 const char *bug_type = "negative-size-param";
937 Printf("%s", d.Warning());
938 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
939 Printf("%s", d.EndWarning());
940 ScarinessScore::PrintSimple(10, bug_type);
941 stack->Print();
942 DescribeAddress(offset, size, bug_type);
943 ReportErrorSummary(bug_type, stack);
944 }
945
ReportBadParamsToAnnotateContiguousContainer(uptr beg,uptr end,uptr old_mid,uptr new_mid,BufferedStackTrace * stack)946 void ReportBadParamsToAnnotateContiguousContainer(uptr beg, uptr end,
947 uptr old_mid, uptr new_mid,
948 BufferedStackTrace *stack) {
949 ScopedInErrorReport in_report;
950 Report("ERROR: AddressSanitizer: bad parameters to "
951 "__sanitizer_annotate_contiguous_container:\n"
952 " beg : %p\n"
953 " end : %p\n"
954 " old_mid : %p\n"
955 " new_mid : %p\n",
956 beg, end, old_mid, new_mid);
957 uptr granularity = SHADOW_GRANULARITY;
958 if (!IsAligned(beg, granularity))
959 Report("ERROR: beg is not aligned by %d\n", granularity);
960 stack->Print();
961 ReportErrorSummary("bad-__sanitizer_annotate_contiguous_container", stack);
962 }
963
ReportODRViolation(const __asan_global * g1,u32 stack_id1,const __asan_global * g2,u32 stack_id2)964 void ReportODRViolation(const __asan_global *g1, u32 stack_id1,
965 const __asan_global *g2, u32 stack_id2) {
966 ScopedInErrorReport in_report;
967 Decorator d;
968 Printf("%s", d.Warning());
969 Report("ERROR: AddressSanitizer: odr-violation (%p):\n", g1->beg);
970 Printf("%s", d.EndWarning());
971 InternalScopedString g1_loc(256), g2_loc(256);
972 PrintGlobalLocation(&g1_loc, *g1);
973 PrintGlobalLocation(&g2_loc, *g2);
974 Printf(" [1] size=%zd '%s' %s\n", g1->size,
975 MaybeDemangleGlobalName(g1->name), g1_loc.data());
976 Printf(" [2] size=%zd '%s' %s\n", g2->size,
977 MaybeDemangleGlobalName(g2->name), g2_loc.data());
978 if (stack_id1 && stack_id2) {
979 Printf("These globals were registered at these points:\n");
980 Printf(" [1]:\n");
981 StackDepotGet(stack_id1).Print();
982 Printf(" [2]:\n");
983 StackDepotGet(stack_id2).Print();
984 }
985 Report("HINT: if you don't care about these errors you may set "
986 "ASAN_OPTIONS=detect_odr_violation=0\n");
987 InternalScopedString error_msg(256);
988 error_msg.append("odr-violation: global '%s' at %s",
989 MaybeDemangleGlobalName(g1->name), g1_loc.data());
990 ReportErrorSummary(error_msg.data());
991 }
992
993 // ----------------------- CheckForInvalidPointerPair ----------- {{{1
994 static NOINLINE void
ReportInvalidPointerPair(uptr pc,uptr bp,uptr sp,uptr a1,uptr a2)995 ReportInvalidPointerPair(uptr pc, uptr bp, uptr sp, uptr a1, uptr a2) {
996 ScopedInErrorReport in_report;
997 const char *bug_type = "invalid-pointer-pair";
998 Decorator d;
999 Printf("%s", d.Warning());
1000 Report("ERROR: AddressSanitizer: invalid-pointer-pair: %p %p\n", a1, a2);
1001 Printf("%s", d.EndWarning());
1002 GET_STACK_TRACE_FATAL(pc, bp);
1003 stack.Print();
1004 DescribeAddress(a1, 1, bug_type);
1005 DescribeAddress(a2, 1, bug_type);
1006 ReportErrorSummary(bug_type, &stack);
1007 }
1008
CheckForInvalidPointerPair(void * p1,void * p2)1009 static INLINE void CheckForInvalidPointerPair(void *p1, void *p2) {
1010 if (!flags()->detect_invalid_pointer_pairs) return;
1011 uptr a1 = reinterpret_cast<uptr>(p1);
1012 uptr a2 = reinterpret_cast<uptr>(p2);
1013 AsanChunkView chunk1 = FindHeapChunkByAddress(a1);
1014 AsanChunkView chunk2 = FindHeapChunkByAddress(a2);
1015 bool valid1 = chunk1.IsAllocated();
1016 bool valid2 = chunk2.IsAllocated();
1017 if (!valid1 || !valid2 || !chunk1.Eq(chunk2)) {
1018 GET_CALLER_PC_BP_SP;
1019 return ReportInvalidPointerPair(pc, bp, sp, a1, a2);
1020 }
1021 }
1022 // ----------------------- Mac-specific reports ----------------- {{{1
1023
ReportMacMzReallocUnknown(uptr addr,uptr zone_ptr,const char * zone_name,BufferedStackTrace * stack)1024 void ReportMacMzReallocUnknown(uptr addr, uptr zone_ptr, const char *zone_name,
1025 BufferedStackTrace *stack) {
1026 ScopedInErrorReport in_report;
1027 Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"
1028 "This is an unrecoverable problem, exiting now.\n",
1029 addr);
1030 PrintZoneForPointer(addr, zone_ptr, zone_name);
1031 stack->Print();
1032 DescribeHeapAddress(addr, 1);
1033 }
1034
1035 // -------------- SuppressErrorReport -------------- {{{1
1036 // Avoid error reports duplicating for ASan recover mode.
SuppressErrorReport(uptr pc)1037 static bool SuppressErrorReport(uptr pc) {
1038 if (!common_flags()->suppress_equal_pcs) return false;
1039 for (unsigned i = 0; i < kAsanBuggyPcPoolSize; i++) {
1040 uptr cmp = atomic_load_relaxed(&AsanBuggyPcPool[i]);
1041 if (cmp == 0 && atomic_compare_exchange_strong(&AsanBuggyPcPool[i], &cmp,
1042 pc, memory_order_relaxed))
1043 return false;
1044 if (cmp == pc) return true;
1045 }
1046 Die();
1047 }
1048
PrintContainerOverflowHint()1049 static void PrintContainerOverflowHint() {
1050 Printf("HINT: if you don't care about these errors you may set "
1051 "ASAN_OPTIONS=detect_container_overflow=0.\n"
1052 "If you suspect a false positive see also: "
1053 "https://github.com/google/sanitizers/wiki/"
1054 "AddressSanitizerContainerOverflow.\n");
1055 }
1056
AdjacentShadowValuesAreFullyPoisoned(u8 * s)1057 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
1058 return s[-1] > 127 && s[1] > 127;
1059 }
1060
ReportGenericError(uptr pc,uptr bp,uptr sp,uptr addr,bool is_write,uptr access_size,u32 exp,bool fatal)1061 void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
1062 uptr access_size, u32 exp, bool fatal) {
1063 if (!fatal && SuppressErrorReport(pc)) return;
1064 ENABLE_FRAME_POINTER;
1065 ScarinessScore SS;
1066
1067 if (access_size) {
1068 if (access_size <= 9) {
1069 char desr[] = "?-byte";
1070 desr[0] = '0' + access_size;
1071 SS.Scare(access_size + access_size / 2, desr);
1072 } else if (access_size >= 10) {
1073 SS.Scare(15, "multi-byte");
1074 }
1075 is_write ? SS.Scare(20, "write") : SS.Scare(1, "read");
1076 }
1077
1078 // Optimization experiments.
1079 // The experiments can be used to evaluate potential optimizations that remove
1080 // instrumentation (assess false negatives). Instead of completely removing
1081 // some instrumentation, compiler can emit special calls into runtime
1082 // (e.g. __asan_report_exp_load1 instead of __asan_report_load1) and pass
1083 // mask of experiments (exp).
1084 // The reaction to a non-zero value of exp is to be defined.
1085 (void)exp;
1086
1087 // Determine the error type.
1088 const char *bug_descr = "unknown-crash";
1089 u8 shadow_val = 0;
1090 if (AddrIsInMem(addr)) {
1091 u8 *shadow_addr = (u8*)MemToShadow(addr);
1092 // If we are accessing 16 bytes, look at the second shadow byte.
1093 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY)
1094 shadow_addr++;
1095 // If we are in the partial right redzone, look at the next shadow byte.
1096 if (*shadow_addr > 0 && *shadow_addr < 128)
1097 shadow_addr++;
1098 bool far_from_bounds = false;
1099 shadow_val = *shadow_addr;
1100 int bug_type_score = 0;
1101 // For use-after-frees reads are almost as bad as writes.
1102 int read_after_free_bonus = 0;
1103 switch (shadow_val) {
1104 case kAsanHeapLeftRedzoneMagic:
1105 case kAsanHeapRightRedzoneMagic:
1106 case kAsanArrayCookieMagic:
1107 bug_descr = "heap-buffer-overflow";
1108 bug_type_score = 10;
1109 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1110 break;
1111 case kAsanHeapFreeMagic:
1112 bug_descr = "heap-use-after-free";
1113 bug_type_score = 20;
1114 if (!is_write) read_after_free_bonus = 18;
1115 break;
1116 case kAsanStackLeftRedzoneMagic:
1117 bug_descr = "stack-buffer-underflow";
1118 bug_type_score = 25;
1119 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1120 break;
1121 case kAsanInitializationOrderMagic:
1122 bug_descr = "initialization-order-fiasco";
1123 bug_type_score = 1;
1124 break;
1125 case kAsanStackMidRedzoneMagic:
1126 case kAsanStackRightRedzoneMagic:
1127 case kAsanStackPartialRedzoneMagic:
1128 bug_descr = "stack-buffer-overflow";
1129 bug_type_score = 25;
1130 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1131 break;
1132 case kAsanStackAfterReturnMagic:
1133 bug_descr = "stack-use-after-return";
1134 bug_type_score = 30;
1135 if (!is_write) read_after_free_bonus = 18;
1136 break;
1137 case kAsanUserPoisonedMemoryMagic:
1138 bug_descr = "use-after-poison";
1139 bug_type_score = 20;
1140 break;
1141 case kAsanContiguousContainerOOBMagic:
1142 bug_descr = "container-overflow";
1143 bug_type_score = 10;
1144 break;
1145 case kAsanStackUseAfterScopeMagic:
1146 bug_descr = "stack-use-after-scope";
1147 bug_type_score = 10;
1148 break;
1149 case kAsanGlobalRedzoneMagic:
1150 bug_descr = "global-buffer-overflow";
1151 bug_type_score = 10;
1152 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1153 break;
1154 case kAsanIntraObjectRedzone:
1155 bug_descr = "intra-object-overflow";
1156 bug_type_score = 10;
1157 break;
1158 case kAsanAllocaLeftMagic:
1159 case kAsanAllocaRightMagic:
1160 bug_descr = "dynamic-stack-buffer-overflow";
1161 bug_type_score = 25;
1162 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
1163 break;
1164 }
1165 SS.Scare(bug_type_score + read_after_free_bonus, bug_descr);
1166 if (far_from_bounds)
1167 SS.Scare(10, "far-from-bounds");
1168 }
1169
1170 ReportData report = { pc, sp, bp, addr, (bool)is_write, access_size,
1171 bug_descr };
1172 ScopedInErrorReport in_report(&report, fatal);
1173
1174 Decorator d;
1175 Printf("%s", d.Warning());
1176 Report("ERROR: AddressSanitizer: %s on address "
1177 "%p at pc %p bp %p sp %p\n",
1178 bug_descr, (void*)addr, pc, bp, sp);
1179 Printf("%s", d.EndWarning());
1180
1181 u32 curr_tid = GetCurrentTidOrInvalid();
1182 char tname[128];
1183 Printf("%s%s of size %zu at %p thread T%d%s%s\n",
1184 d.Access(),
1185 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS",
1186 access_size, (void*)addr, curr_tid,
1187 ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)),
1188 d.EndAccess());
1189
1190 SS.Print();
1191 GET_STACK_TRACE_FATAL(pc, bp);
1192 stack.Print();
1193
1194 DescribeAddress(addr, access_size, bug_descr);
1195 if (shadow_val == kAsanContiguousContainerOOBMagic)
1196 PrintContainerOverflowHint();
1197 ReportErrorSummary(bug_descr, &stack);
1198 PrintShadowMemoryForAddress(addr);
1199 }
1200
1201 } // namespace __asan
1202
1203 // --------------------------- Interface --------------------- {{{1
1204 using namespace __asan; // NOLINT
1205
__asan_report_error(uptr pc,uptr bp,uptr sp,uptr addr,int is_write,uptr access_size,u32 exp)1206 void __asan_report_error(uptr pc, uptr bp, uptr sp, uptr addr, int is_write,
1207 uptr access_size, u32 exp) {
1208 ENABLE_FRAME_POINTER;
1209 bool fatal = flags()->halt_on_error;
1210 ReportGenericError(pc, bp, sp, addr, is_write, access_size, exp, fatal);
1211 }
1212
__asan_set_error_report_callback(void (* callback)(const char *))1213 void NOINLINE __asan_set_error_report_callback(void (*callback)(const char*)) {
1214 BlockingMutexLock l(&error_message_buf_mutex);
1215 error_report_callback = callback;
1216 }
1217
__asan_describe_address(uptr addr)1218 void __asan_describe_address(uptr addr) {
1219 // Thread registry must be locked while we're describing an address.
1220 asanThreadRegistry().Lock();
1221 DescribeAddress(addr, 1, "");
1222 asanThreadRegistry().Unlock();
1223 }
1224
__asan_report_present()1225 int __asan_report_present() {
1226 return report_happened ? 1 : 0;
1227 }
1228
__asan_get_report_pc()1229 uptr __asan_get_report_pc() {
1230 return report_data.pc;
1231 }
1232
__asan_get_report_bp()1233 uptr __asan_get_report_bp() {
1234 return report_data.bp;
1235 }
1236
__asan_get_report_sp()1237 uptr __asan_get_report_sp() {
1238 return report_data.sp;
1239 }
1240
__asan_get_report_address()1241 uptr __asan_get_report_address() {
1242 return report_data.addr;
1243 }
1244
__asan_get_report_access_type()1245 int __asan_get_report_access_type() {
1246 return report_data.is_write ? 1 : 0;
1247 }
1248
__asan_get_report_access_size()1249 uptr __asan_get_report_access_size() {
1250 return report_data.access_size;
1251 }
1252
__asan_get_report_description()1253 const char *__asan_get_report_description() {
1254 return report_data.description;
1255 }
1256
1257 extern "C" {
1258 SANITIZER_INTERFACE_ATTRIBUTE
__sanitizer_ptr_sub(void * a,void * b)1259 void __sanitizer_ptr_sub(void *a, void *b) {
1260 CheckForInvalidPointerPair(a, b);
1261 }
1262 SANITIZER_INTERFACE_ATTRIBUTE
__sanitizer_ptr_cmp(void * a,void * b)1263 void __sanitizer_ptr_cmp(void *a, void *b) {
1264 CheckForInvalidPointerPair(a, b);
1265 }
1266 } // extern "C"
1267
1268 #if !SANITIZER_SUPPORTS_WEAK_HOOKS
1269 // Provide default implementation of __asan_on_error that does nothing
1270 // and may be overriden by user.
1271 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE NOINLINE
__asan_on_error()1272 void __asan_on_error() {}
1273 #endif
1274