<table border="1" cellspacing="0" cellpadding="8">
    <tr>
        <th>Issue</th>
        <td>
            <a href="https://github.com/llvm/llvm-project/issues/125694">125694</a>
        </td>
    </tr>

    <tr>
        <th>Summary</th>
        <td>
            [asan] ReportErrorSummary should symbolicate at the exception PC, not the previous instruction
        </td>
    </tr>

    <tr>
      <th>Labels</th>
      <td>
            new issue
      </td>
    </tr>

    <tr>
      <th>Assignees</th>
      <td>
      </td>
    </tr>

    <tr>
      <th>Reporter</th>
      <td>
          yjugl
      </td>
    </tr>
</table>

<pre>
Below is an example ASAN x64 report that sparked confusion [in a Mozilla bug entry](https://bugzilla.mozilla.org/show_bug.cgi?id=1945246):

```
==9540==ERROR: AddressSanitizer: breakpoint on unknown address 0x7ffa2a4c53b5 (pc 0x7ffa2a4c53b5 bp 0x00c5df9fcf70 sp 0x00c5df9fcee0 T0)
#0 0x7ffa2a4c53b4 in AnnotateMozCrashReason /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:55
#1 0x7ffa2a4c53b4 in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:336
#2 0x7ffa2a4c53b4 in mozilla::net::CheckForBrokenChromeURL(class nsILoadInfo *, class nsIURI *) /builds/worker/checkouts/gecko/netwerk/base/nsNetUtil.cpp:4105
#3 0x7ffa2b924414 in nsJARChannel::OnOpenLocalFileComplete(enum nsresult, bool) /builds/worker/checkouts/gecko/modules/libjar/nsJARChannel.cpp:460
#4 0x7ffa2aee9f6f in mozilla::detail::RunnableMethodArguments<unsigned int,bool>::apply<mozilla::net::HttpBackgroundChannelParent,bool (mozilla::net::HttpBackgroundChannelParent::*)(unsigned int, bool)>::<lambda_1>::operator() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085
....
```

In this example, the first 3 "stack" addresses (`0x7ffa2a4c53b4`) refer to the exception PC (minus 1), while the rest refer to the return addresses (minus 1) that were found on the stack. The symbols shown next to the addresses were obtained by symbolicating at the addresses printed (so -1 compared to the actual addresses found).

While it can make sense to symbolicate at -1 for the return addresses in order to symbolicate at the call site rather than the return site, I would argue that:
(a) it makes no sense to symbolicate at -1 for the exception PC, and it can get people confused about where the exception happened exactly (see linked Mozilla bug entry);
(b) it is confusing to print these -1 addresses in the output as they will typically point to invalid code; other tools would just print the actual exception PC and return addresses found.

This issue is mostly about (a) though. Below are some of the code paths that I think are involved.

In `lib/sanitizer_common/sanitizer_stacktrace.cpp` we don't distinguish the exception pc from a return address when we store it in `trace_buffer`:

```c++
void BufferedStackTrace::UnwindFast(uptr pc, uptr bp, uptr stack_top,
                                    uptr stack_bottom, u32 max_depth) {
  // ...
  trace_buffer[0] = pc;
  // ...
}
```

In `lib/sanitizer_common/sanitizer_symbolizer_report.cpp` we iterate over the stack and symbolicate the instruction at the previous PC for all entries, including those derived from the exception PC:

```c++
void ReportErrorSummary(const char *error_type, const StackTrace *stack,
                        const char *alt_tool_name) {
  // ...
    uptr pc = StackTrace::GetPreviousInstructionPc(stack->trace[i]);
    SymbolizedStackHolder symbolized_stack(
        Symbolizer::GetOrInit()->SymbolizePC(pc));
    if (const SymbolizedStack *frame = symbolized_stack.get()) {
      if (const SymbolizedStack *summary_frame = SkipInternalFrames(frame)) {
        ReportErrorSummary(error_type, summary_frame->info, alt_tool_name);
        return;
      }
    }
  }
  // ...
}
```


</pre>
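Added example (not code from the issue or from LLVM): a toy symbolizer over a constructed line table, showing that the -1 adjustment puts a return address back on its call site but attributes an exception PC to the code that precedes it. All addresses, file names and function names are hypothetical, and the -1 models the x86-64 case in the report.

```cpp
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Constructed line table: half-open address ranges [begin, end) -> source line.
struct LineRange { uint64_t begin, end; const char *where; };
static const std::vector<LineRange> kLineTable = {
    {0x1000, 0x1005, "caller.cpp:10"},    // 5-byte call instruction
    {0x1005, 0x1010, "caller.cpp:11"},    // code that runs after the call returns
    {0x2000, 0x2008, "helper.h:55"},      // inlined helper ending just before the trap
    {0x2008, 0x2009, "checker.cpp:120"},  // 1-byte trapping instruction
};

enum class FrameKind { FaultPc, ReturnAddress };

std::string Symbolize(uint64_t addr) {
  for (const LineRange &r : kLineTable)
    if (addr >= r.begin && addr < r.end) return r.where;
  return "??";
}

// Address handed to the symbolizer. A return address is moved back by one so
// it falls inside the call instruction; an exception PC is used unchanged,
// which is the distinction the issue asks for.
uint64_t LookupAddress(uint64_t pc, FrameKind kind) {
  return kind == FrameKind::ReturnAddress ? pc - 1 : pc;
}

std::string SymbolizeFrame(uint64_t pc, FrameKind kind) {
  return Symbolize(LookupAddress(pc, kind));
}

// Models the behaviour the issue describes: every entry gets the -1 adjustment.
std::string SymbolizeFrameUniform(uint64_t pc) { return Symbolize(pc - 1); }

int main() {
  std::printf("exception pc, uniform -1: %s\n", SymbolizeFrameUniform(0x2008).c_str());
  std::printf("exception pc, kind-aware: %s\n", SymbolizeFrame(0x2008, FrameKind::FaultPc).c_str());
  std::printf("return addr, unadjusted:  %s\n", Symbolize(0x1005).c_str());
  std::printf("return addr, kind-aware:  %s\n", SymbolizeFrame(0x1005, FrameKind::ReturnAddress).c_str());
  return 0;
}
```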