<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Issue</th>
<td>
<a href="https://github.com/llvm/llvm-project/issues/61860">61860</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>
Deadlock when using __asan_locate_address
</td>
</tr>
<tr>
<th>Labels</th>
<td>
</td>
</tr>
<tr>
<th>Assignees</th>
<td>
</td>
</tr>
<tr>
<th>Reporter</th>
<td>
SonicStark
</td>
</tr>
</table>
<pre>
We developed https://github.com/HexHive/Evocatio ([*Evocatio: Conjuring Bug Capabilities from a Single PoC*](https://doi.org/10.1145/3548606.3560575)) by leveraging the convenience of `__asan_*` public interfaces provided in `compiler-rt/include/sanitizer/asan_interface.h`. Capabilities of the bug which causes memory error are collected in a custom `__asan_on_error` (*implementation is [here](https://github.com/HexHive/Evocatio/blob/72bf2fc7e265015d756d461c1de14bf1682fcdd7/bug-severity-AFLplusplus/instrumentation/bug-severity-rt.o.c#L154)*).
However, DEADLOCK occurs when we call `__asan_locate_address` in `__asan_on_error` against memory errors that crash on a **stack** or **global** address.
We find that the deadlock occurs in this way:
---
### 1ST
`in_report` is created in `__asan::ReportGenericError` as an instance of `__asan::ScopedInErrorReport` for printing the report.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_report.cpp#L493-L496
### 2ND
The mutex is locked in `__asan::ScopedInErrorReport::ScopedInErrorReport`.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_report.cpp#L128-L134
### 3RD
`in_report` dies and `__asan::ScopedInErrorReport::~ScopedInErrorReport` is called. In this method `__asan_on_error` is called, at the point where the `ASAN_ON_ERROR` macro is placed.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_report.cpp#L137-L142
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_internal.h#L129-L131
### 4TH
`__asan_locate_address` is called in our custom `__asan_on_error`. It creates `descr` as an instance of `__asan::AddressDescription`, so `__asan::AddressDescription::AddressDescription` is called.
Obviously `shouldLockThreadRegistry` keeps its default value, i.e., `true`.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_debugging.cpp#L79-L83
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_descriptions.h#L213-L216
### 5TH
If `data.kind` is neither `kAddressKindShadow` nor `kAddressKindHeap`, the next check is whether it is `kAddressKindStack`.
Then the mutex is locked again. Here the DEADLOCK occurs.
Obviously if `data.kind` is `kAddressKindGlobal`, the deadlock would also be triggered, because that case is checked after `kAddressKindStack`.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_descriptions.cpp#L439-L465
---
So there are underlying timing dependencies in those public interfaces provided in `asan_interface.h`.
At least we can confirm that using `__asan_locate_address` or `__asan_describe_address` in certain situations will cause a deadlock.
https://github.com/llvm/llvm-project/blob/b5c862e15caf4d8aa34bbc6ee25af8da9a9405a4/compiler-rt/lib/asan/asan_report.cpp#L516-L521
This should be warned about in the docs. Or users should be allowed to manually control whether to lock the mutex, with a parameter like `shouldLockThreadRegistry` of `__asan::AddressDescription::AddressDescription`.
For example:
```c
void __asan_describe_address(void *addr, const char shouldLockThreadRegistry = 0);
const char *__asan_locate_address(void *addr, char *name, size_t name_size,
                                  void **region_address, size_t *region_size,
                                  const char shouldLockThreadRegistry = 0);
```
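As an added illustration (not the reporter's code and not compiler-rt's), the following C++ model reproduces the re-entrant lock acquisition of steps 1 to 5 and the effect of a caller-controlled lock flag like the one proposed above. Every name here is a stand-in for the ASan internal named in its comment; the single-threaded mutex model returns false instead of blocking so the deadlock is observable.

```cpp
// Constructed model of the call chain in this report (not compiler-rt code):
// ReportGenericError -> ScopedInErrorReport ctor locks the registry ->
// ~ScopedInErrorReport -> __asan_on_error -> __asan_locate_address ->
// AddressDescription(shouldLockThreadRegistry = true) -> lock taken again.
enum AddressKind { kShadow, kHeap, kStack, kGlobal };

// Single-threaded stand-in for the non-recursive asanThreadRegistry() mutex.
// A real Lock() by its current holder blocks forever; here lock() returns false.
struct RegistryMutex {
  bool held = false;
  bool lock() { if (held) return false; held = true; return true; }
  void unlock() { held = false; }
};
static RegistryMutex g_thread_registry;

// Stand-in for __asan::AddressDescription::AddressDescription. Shadow and heap
// addresses are classified before any locking; the stack check, which precedes
// the global check, takes the registry lock unless told not to.
// Returns false when the lock cannot be taken, i.e. where ASan would deadlock.
bool describe_address(AddressKind kind, bool should_lock_thread_registry) {
  if (kind == kShadow || kind == kHeap) return true;
  if (should_lock_thread_registry) {
    if (!g_thread_registry.lock()) return false;  // DEADLOCK in real ASan
    g_thread_registry.unlock();
  }
  return true;  // kStack or kGlobal classified without re-locking
}

// Two hook shapes for a user's __asan_on_error: the first mirrors a hook that
// calls __asan_locate_address (lock flag defaults to true); the second passes
// the same lock flag (false) that the report path itself uses.
bool hook_locate_address(AddressKind kind) { return describe_address(kind, true); }
bool hook_with_lock_flag(AddressKind kind) { return describe_address(kind, false); }

// Stand-in for __asan::ScopedInErrorReport: holds the registry lock for the
// report's lifetime and runs the hook from its destructor, lock still held.
struct ScopedInErrorReport {
  bool (*hook)(AddressKind); AddressKind kind; bool *result;
  ScopedInErrorReport(bool (*h)(AddressKind), AddressKind k, bool *r)
      : hook(h), kind(k), result(r) { (void)g_thread_registry.lock(); }
  ~ScopedInErrorReport() { *result = hook(kind); g_thread_registry.unlock(); }
};

// Models ReportGenericError for one faulting address kind: true if the hook
// completed, false if it would have deadlocked on the registry mutex.
bool report_generic_error(bool (*hook)(AddressKind), AddressKind kind) {
  bool ok = false;
  { ScopedInErrorReport in_report(hook, kind, &ok); }
  return ok;
}
```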
</pre>