[LLVMbugs] [Bug 23600] New: sanitizer stack trace pc off by 1

bugzilla-daemon at llvm.org bugzilla-daemon at llvm.org
Wed May 20 15:08:49 PDT 2015


https://llvm.org/bugs/show_bug.cgi?id=23600

            Bug ID: 23600
           Summary: sanitizer stack trace pc off by 1
           Product: compiler-rt
           Version: 3.6
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P
         Component: compiler-rt
          Assignee: unassignedbugs at nondot.org
          Reporter: msebor at gmail.com
                CC: llvmbugs at cs.uiuc.edu
    Classification: Unclassified

(This was originally reported in
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=65749)

The PC printed in sanitizer stack traces is consistently off by 1.  Either off
by 1 byte, or by 1 instruction, depending on the target.  Below is a test case
and the ASan backtrace for it on x86_64, followed by a backtrace printed by GDB
along with the disassembly for reference.  As the disassembly shows, the ASan
PCs point at the last byte of the previous instruction.

On RISC targets such as powerpc64 the ASan backtrace is off by 1 instruction.
Rather than pointing at either the faulting instruction in the active frame in
case of a trap or at the next instruction to be executed as GDB does, ASan
points at the instruction just before it.

$ cat -n asan.c && /build/llvm-3.6.0-install/bin/clang -O2
-fasynchronous-unwind-tables -fno-omit-frame-pointer -fsanitize=address -g
asan.c && ASAN_SYMBOLIZER_PATH=/build/llvm-3.6.0-install/bin/llvm-symbolizer
./a.out || gdb -batch -q -ex r -ex bt a.out -ex "disas foo" -ex "disas bar" -ex
"disas main"
     1    void __attribute ((weak)) foo (int *p) { *p = 0; }
     2    void __attribute__ ((weak)) bar (int *p) { foo (p); foo (p); }
     3    int main (void) { bar (0); }
ASAN:SIGSEGV
=================================================================
==20556==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc
0x0000004cdae5 bp 0x7fffe0befe80 sp 0x7fffe0befe80 T0)
    #0 0x4cdae4 in foo /build/tmp/asan.c:1:42
    #1 0x4cdb1d in bar /build/tmp/asan.c:2:44
    #2 0x4cdaba in main /build/tmp/asan.c:3:19
    #3 0x7f91b65dffdf in __libc_start_main (/lib64/libc.so.6+0x1ffdf)
    #4 0x416cd6 in _start (/home/msebor/build/tmp/a.out+0x416cd6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /build/tmp/asan.c:1 foo
==20556==ABORTING

Program received signal SIGSEGV, Segmentation fault.
0x00000000004cdae5 in foo (p=0x0) at asan.c:1
1    void __attribute ((weak)) foo (int *p) { *p = 0; }
#0  0x00000000004cdae5 in foo (p=0x0) at asan.c:1
#1  0x00000000004cdb1e in bar (p=0x0) at asan.c:2
#2  0x00000000004cdabb in main () at asan.c:3
Dump of assembler code for function foo:
   0x00000000004cdad0 <+0>:    push   %rbp
   0x00000000004cdad1 <+1>:    mov    %rsp,%rbp
   0x00000000004cdad4 <+4>:    mov    %rdi,%rax
   0x00000000004cdad7 <+7>:    shr    $0x3,%rax
   0x00000000004cdadb <+11>:    mov    0x7fff8000(%rax),%al
   0x00000000004cdae1 <+17>:    test   %al,%al
   0x00000000004cdae3 <+19>:    jne    0x4cdaed <foo+29>
=> 0x00000000004cdae5 <+21>:    movl   $0x0,(%rdi)
   0x00000000004cdaeb <+27>:    pop    %rbp
   0x00000000004cdaec <+28>:    retq   
   0x00000000004cdaed <+29>:    mov    %edi,%ecx
   0x00000000004cdaef <+31>:    and    $0x7,%ecx
   0x00000000004cdaf2 <+34>:    add    $0x3,%ecx
   0x00000000004cdaf5 <+37>:    movsbl %al,%eax
   0x00000000004cdaf8 <+40>:    cmp    %eax,%ecx
   0x00000000004cdafa <+42>:    jl     0x4cdae5 <foo+21>
   0x00000000004cdafc <+44>:    callq  0x4b1bc0
<__asan::__asan_report_store4(__sanitizer::uptr)>
End of assembler dump.
Dump of assembler code for function bar:
   0x00000000004cdb10 <+0>:    push   %rbp
   0x00000000004cdb11 <+1>:    mov    %rsp,%rbp
   0x00000000004cdb14 <+4>:    push   %rbx
   0x00000000004cdb15 <+5>:    push   %rax
   0x00000000004cdb16 <+6>:    mov    %rdi,%rbx
   0x00000000004cdb19 <+9>:    callq  0x4cdad0 <foo>
   0x00000000004cdb1e <+14>:    mov    %rbx,%rdi
   0x00000000004cdb21 <+17>:    add    $0x8,%rsp
   0x00000000004cdb25 <+21>:    pop    %rbx
   0x00000000004cdb26 <+22>:    pop    %rbp
   0x00000000004cdb27 <+23>:    jmpq   0x4cdad0 <foo>
End of assembler dump.
Dump of assembler code for function main:
   0x00000000004cdab0 <+0>:    push   %rbp
   0x00000000004cdab1 <+1>:    mov    %rsp,%rbp
   0x00000000004cdab4 <+4>:    xor    %edi,%edi
   0x00000000004cdab6 <+6>:    callq  0x4cdb10 <bar>
   0x00000000004cdabb <+11>:    xor    %eax,%eax
   0x00000000004cdabd <+13>:    pop    %rbp
   0x00000000004cdabe <+14>:    retq   
End of assembler dump.
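As an added example that is not from the report or from compiler-rt, this C snippet shows why frame #0 lands on the last byte of the previous instruction: a symbolizer subtracts 1 from return addresses so that they resolve to the call site, but the PC of a faulting instruction taken from the signal context must be left unadjusted. The instruction tables are copied from the disassembly above; the function end addresses and the insn_containing/symbolize_pc helpers are assumptions made here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Instruction starts copied from the GDB disassembly above, each list ending
   with the first byte past the function (the final callq/jmpq are 5-byte
   rel32 forms; that end address is an assumption from the encoding). */
static const uintptr_t foo_insns[] = {
    0x4cdad0, 0x4cdad1, 0x4cdad4, 0x4cdad7, 0x4cdadb, 0x4cdae1, 0x4cdae3,
    0x4cdae5, 0x4cdaeb, 0x4cdaec, 0x4cdaed, 0x4cdaef, 0x4cdaf2, 0x4cdaf5,
    0x4cdaf8, 0x4cdafa, 0x4cdafc, 0x4cdb01, 0 };
static const uintptr_t bar_insns[] = {
    0x4cdb10, 0x4cdb11, 0x4cdb14, 0x4cdb15, 0x4cdb16, 0x4cdb19, 0x4cdb1e,
    0x4cdb21, 0x4cdb25, 0x4cdb26, 0x4cdb27, 0x4cdb2c, 0 };
static const uintptr_t *const funcs[] = { foo_insns, bar_insns, NULL };

/* Start address of the instruction containing pc, or 0 if pc lies outside
   both listed functions (e.g. in the padding between them). */
uintptr_t insn_containing(uintptr_t pc) {
    for (size_t f = 0; funcs[f]; f++) {
        const uintptr_t *ins = funcs[f];
        for (size_t i = 0; ins[i + 1]; i++)
            if (pc >= ins[i] && pc < ins[i + 1])
                return ins[i];
    }
    return 0;
}

/* Address a symbolizer should look up for frame number `frame`.  Frames
   above 0 hold return addresses, so pc - 1 lands inside the call instruction
   and resolves to the call site.  Frame 0 taken from a signal context is the
   faulting instruction itself and must be left alone: applying pc - 1 there
   is exactly the off-by-one in the report (0x4cdae5 -> 0x4cdae4, which is
   the last byte of the preceding jne). */
uintptr_t symbolize_pc(uintptr_t pc, int frame, int frame0_is_fault_pc) {
    if (frame == 0 && frame0_is_fault_pc)
        return pc;
    return pc - 1;
}

int main(void) {
    const uintptr_t pcs[] = { 0x4cdae5, 0x4cdb1e };  /* fault PC, return addr */
    for (int i = 0; i < 2; i++) {
        uintptr_t adj = symbolize_pc(pcs[i], i, 1);
        printf("#%d pc 0x%lx -> lookup 0x%lx in insn at 0x%lx\n", i,
               (unsigned long)pcs[i], (unsigned long)adj,
               (unsigned long)insn_containing(adj));
    }
    return 0;
}
```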
