[PATCH] [PowerPC]Adapt fast stack unwinding to work for Power.

Evgeniy Stepanov eugenis at google.com
Mon May 18 10:45:06 PDT 2015


This is unexpected. Reading the code, operator new() does
GET_STACK_TRACE_MALLOC, which grabs the current PC (through
__builtin_return_address) and frame address (__builtin_frame_address)
and starts frame pointer-based unwind from there.

  #0 0x100ec5d4 in operator new(unsigned long) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
  #1 0x100ec668 in GetStackTraceWithPcBpAndContext /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_stack.h:50:7
  #2 0x100ec668 in operator new(unsigned long) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:62
  #3 0x100ef274 in main /home/seurer/test/stack/crash.cpp:60:8
  #4 0x3fffa9574cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
  #5 0x3fffa9574ef4 in __libc_start_main /build/buildd/eglibc-2.19/csu/../sysdeps/unix/sysv/linux/powerpc/libc-start.c:93

Here, it looks like frame #0 is the one we got from GetCurrentPc(),
and frames 1 and 2 (inlined) correspond to the return address of the
frame of operator new() (at the point of GET_STACK_TRACE_MALLOC). I'm
not sure why it is, again, operator new(). Also, if there is a real
extra stack frame there, this is not guaranteed to succeed, because we
build the ASan runtime library without -fno-omit-frame-pointer.

I wonder if there is a problem with __builtin_frame_address on
PowerPC, or if ALWAYS_INLINE on GetStackTraceWithPcBpAndContext did
not have any effect, or something like that?

On Fri, May 15, 2015 at 8:54 AM, Bill Seurer <seurer at linux.vnet.ibm.com> wrote:
> The stack popping makes the fast unwinding act closer to how slow unwinding works (though still not identical).  I don't know how this works on x86 so I can't comment on that.  I will move and rename the constants.
>
> Here is an example.  With slow unwinding:
>
> 68283==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a100000eff0 at pc 0x000010103af8 bp 0x3ffff7640400 sp 0x3ffff7640420
> --------------------------------------------------------------------------------------------------------------------------------------
>
> WRITE of size 4 at 0x0a100000eff0 thread T0
>
>   #0 0x10103af4 in Func6(int, int*) /home/seurer/test/stack/crash.cpp:19:7
>   #1 0x10103c9c in Func5(int, int*) /home/seurer/test/stack/crash.cpp:27:10
>   #2 0x10103f3c in Func4(int, int*) /home/seurer/test/stack/crash.cpp:34:10
>   #3 0x101041dc in Func3(int, int*) /home/seurer/test/stack/crash.cpp:41:10
>   #4 0x1010447c in Func2(int, int*) /home/seurer/test/stack/crash.cpp:48:10
>   #5 0x1010471c in Func1(int, int*) /home/seurer/test/stack/crash.cpp:55:10
>   #6 0x101049dc in main /home/seurer/test/stack/crash.cpp:64:10
>   #7 0x3fff9c134cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>
> 0x0a100000eff0 is located 0 bytes inside of 4-byte region [0x0a100000eff0,0x0a100000eff4)
> freed by thread T0 here:
>
>   #0 0x1010115c in operator delete(void*) /home/seurer/llvm/llvm-base/projects/compiler-rt/lib/asan/asan_new_delete.cc:94
>   #1 0x10104990 in main /home/seurer/test/stack/crash.cpp:62:3
>   #2 0x3fff9c134cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>
> previously allocated by thread T0 here:
>
>   #0 0x1010096c in operator new(unsigned long) /home/seurer/llvm/llvm-base/projects/compiler-rt/lib/asan/asan_new_delete.cc:62
>   #1 0x10104954 in main /home/seurer/test/stack/crash.cpp:60:8
>   #2 0x3fff9c134cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>
> With fast unwinding and no stack popping:
>
> 117763==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a100000eff0 at pc 0x0000100ee418 bp 0x3fffdcc66870 sp 0x3fffdcc668d8
> ---------------------------------------------------------------------------------------------------------------------------------------
>
> WRITE of size 4 at 0x0a100000eff0 thread T0
>
>   #0 0x100ee414 in Func6(int, int*) /home/seurer/test/stack/crash.cpp:19:7
>   #1 0x100ee5bc in Func5(int, int*) /home/seurer/test/stack/crash.cpp:27:10
>   #2 0x100ee85c in Func4(int, int*) /home/seurer/test/stack/crash.cpp:34:10
>   #3 0x100eeafc in Func3(int, int*) /home/seurer/test/stack/crash.cpp:41:10
>   #4 0x100eed9c in Func2(int, int*) /home/seurer/test/stack/crash.cpp:48:10
>   #5 0x100ef03c in Func1(int, int*) /home/seurer/test/stack/crash.cpp:55:10
>   #6 0x100ef2fc in main /home/seurer/test/stack/crash.cpp:64:10
>   #7 0x3fffa9574cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>
> 0x0a100000eff0 is located 0 bytes inside of 4-byte region [0x0a100000eff0,0x0a100000eff4)
> freed by thread T0 here:
>
>   #0 0x100ecd14 in operator delete(void*) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
>   #1 0x100ecda8 in GetStackTraceWithPcBpAndContext /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_stack.h:50:7
>   #2 0x100ecda8 in operator delete(void*) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:94
>   #3 0x100ef2b0 in main /home/seurer/test/stack/crash.cpp:62:3
>   #4 0x3fffa9574cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>   #5 0x3fffa9574ef4 in __libc_start_main /build/buildd/eglibc-2.19/csu/../sysdeps/unix/sysv/linux/powerpc/libc-start.c:93
>
> previously allocated by thread T0 here:
>
>   #0 0x100ec5d4 in operator new(unsigned long) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
>   #1 0x100ec668 in GetStackTraceWithPcBpAndContext /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_stack.h:50:7
>   #2 0x100ec668 in operator new(unsigned long) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:62
>   #3 0x100ef274 in main /home/seurer/test/stack/crash.cpp:60:8
>   #4 0x3fffa9574cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>   #5 0x3fffa9574ef4 in __libc_start_main /build/buildd/eglibc-2.19/csu/../sysdeps/unix/sysv/linux/powerpc/libc-start.c:93
>
> With fast unwinding and stack popping:
>
>
> 75053==ERROR: AddressSanitizer: heap-use-after-free on address 0x0a100000eff0 at pc 0x0000100ee518 bp 0x3fffed4849f0 sp 0x3fffed484a58
> --------------------------------------------------------------------------------------------------------------------------------------
>
> WRITE of size 4 at 0x0a100000eff0 thread T0
>
>   #0 0x100ee514 in Func6(int, int*) /home/seurer/test/stack/crash.cpp:19:7
>   #1 0x100ee6bc in Func5(int, int*) /home/seurer/test/stack/crash.cpp:27:10
>   #2 0x100ee95c in Func4(int, int*) /home/seurer/test/stack/crash.cpp:34:10
>   #3 0x100eebfc in Func3(int, int*) /home/seurer/test/stack/crash.cpp:41:10
>   #4 0x100eee9c in Func2(int, int*) /home/seurer/test/stack/crash.cpp:48:10
>   #5 0x100ef13c in Func1(int, int*) /home/seurer/test/stack/crash.cpp:55:10
>   #6 0x100ef3fc in main /home/seurer/test/stack/crash.cpp:64:10
>   #7 0x3fff9b9f4cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>
> 0x0a100000eff0 is located 0 bytes inside of 4-byte region [0x0a100000eff0,0x0a100000eff4)
> freed by thread T0 here:
>
>   #0 0x100ece14 in operator delete(void*) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:94:3
>   #1 0x100ef3b0 in main /home/seurer/test/stack/crash.cpp:62:3
>   #2 0x3fff9b9f4cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>   #3 0x3fff9b9f4ef4 in __libc_start_main /build/buildd/eglibc-2.19/csu/../sysdeps/unix/sysv/linux/powerpc/libc-start.c:93
>
> previously allocated by thread T0 here:
>
>   #0 0x100ec6d4 in operator new(unsigned long) /home/seurer/llvm/llvm-test/projects/compiler-rt/lib/asan/asan_new_delete.cc:62:35
>   #1 0x100ef374 in main /home/seurer/test/stack/crash.cpp:60:8
>   #2 0x3fff9b9f4cfc in generic_start_main /build/buildd/eglibc-2.19/csu/../csu/libc-start.c:287
>   #3 0x3fff9b9f4ef4 in __libc_start_main /build/buildd/eglibc-2.19/csu/../sysdeps/unix/sysv/linux/powerpc/libc-start.c:93
>
>
> http://reviews.llvm.org/D9259
>
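Added example, not part of either message in this thread and not compiler-rt code: a small C simulation of the frame-pointer walk that GET_STACK_TRACE_MALLOC starts from the pc/bp pair it reads. The frame layout (saved fp, then return address) and the code addresses are constructed assumptions, not the real PowerPC ABI. It plays out the three situations discussed above: the helper inlined into operator new(), the helper getting its own frame (operator new() shows up twice because only an exact repeat of the starting pc is dropped), and a frame built without a frame pointer (the walk is cut short by the bounds and monotonic checks rather than producing garbage).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uintptr_t uhwptr;

/* Assumed two-word frame layout for this simulation (not the real PowerPC
 * ABI, where the link register is saved in the caller's frame):
 *   frame[0] = saved frame pointer of the caller (the back chain)
 *   frame[1] = return address into the caller
 * The stack grows down, so every caller frame sits at a higher address. */
enum { FRAME_WORDS = 2, STACK_WORDS = 64, MAX_DEPTH = 16 };

/* Constructed code addresses standing in for real pcs: PC_OPERATOR_NEW is the
 * pc GET_STACK_TRACE_MALLOC reads, PC_OPERATOR_NEW_2 a return into operator new(). */
enum { PC_OPERATOR_NEW = 0x1000, PC_OPERATOR_NEW_2 = 0x1094, PC_MAIN = 0x2000,
       PC_START_MAIN = 0x3000, PC_LIBC_START = 0x4000 };

static int is_valid_frame(uhwptr fp, uhwptr stack_top, uhwptr stack_bottom) {
  return fp > stack_bottom && fp < stack_top - FRAME_WORDS * sizeof(uhwptr) &&
         fp % sizeof(uhwptr) == 0;
}

/* Walk the back chain from (pc, bp). `bottom` is raised to the frame just
 * visited, so a saved fp that points back down the stack (a spilled value in
 * a frame built without a frame pointer) ends the walk instead of looping. */
size_t fast_unwind(uhwptr pc, uhwptr bp, uhwptr stack_top, uhwptr stack_bottom,
                   uhwptr *trace, size_t max_depth) {
  size_t size = 0;
  uhwptr bottom = stack_bottom;
  uhwptr *frame = (uhwptr *)bp;
  trace[size++] = pc;
  while (size < max_depth && is_valid_frame((uhwptr)frame, stack_top, bottom)) {
    uhwptr pc1 = frame[1];
    if (pc1 != pc) /* only an exact repeat of the starting pc is dropped */
      trace[size++] = pc1;
    bottom = (uhwptr)frame;
    frame = (uhwptr *)frame[0];
  }
  return size;
}

/* Lay out a constructed stack: generic_start_main -> main -> operator new.
 * Returns the frame pointer of operator new()'s frame. */
static uhwptr build_stack(uhwptr *stack) {
  memset(stack, 0, STACK_WORDS * sizeof(uhwptr));
  stack[40] = 0;                  /* generic_start_main: chain ends here */
  stack[41] = PC_LIBC_START;
  stack[24] = (uhwptr)&stack[40]; /* main's back chain */
  stack[25] = PC_START_MAIN;
  stack[8]  = (uhwptr)&stack[24]; /* operator new's back chain */
  stack[9]  = PC_MAIN;
  return (uhwptr)&stack[8];
}

/* Case 1: the helper really was inlined, so bp is operator new()'s own
 * frame. 4 frames, operator new() once. */
size_t unwind_inlined(uhwptr *trace) {
  uhwptr stack[STACK_WORDS];
  uhwptr bp = build_stack(stack);
  return fast_unwind(PC_OPERATOR_NEW, bp, (uhwptr)&stack[STACK_WORDS],
                     (uhwptr)&stack[0], trace, MAX_DEPTH);
}

/* Case 2: the helper got its own frame (ALWAYS_INLINE had no effect), so bp
 * is the helper's frame and its return address lands back in operator new().
 * The two pcs differ, so operator new() is reported twice: 5 frames. */
size_t unwind_not_inlined(uhwptr *trace) {
  uhwptr stack[STACK_WORDS];
  uhwptr new_fp = build_stack(stack);
  stack[2] = new_fp;              /* helper's back chain -> operator new frame */
  stack[3] = PC_OPERATOR_NEW_2;
  return fast_unwind(PC_OPERATOR_NEW, (uhwptr)&stack[2], (uhwptr)&stack[STACK_WORDS],
                     (uhwptr)&stack[0], trace, MAX_DEPTH);
}

/* Case 3: one function in the chain (here main) was compiled without a frame
 * pointer, so the word where its back chain should be holds a spilled value
 * that happens to be a lower stack address. The monotonic check stops the
 * walk after main: 3 frames, truncated rather than garbage. */
size_t unwind_missing_fp(uhwptr *trace) {
  uhwptr stack[STACK_WORDS];
  uhwptr bp = build_stack(stack);
  stack[24] = (uhwptr)&stack[4];  /* garbage where main's back chain should be */
  return fast_unwind(PC_OPERATOR_NEW, bp, (uhwptr)&stack[STACK_WORDS],
                     (uhwptr)&stack[0], trace, MAX_DEPTH);
}

/* Frame i of a case's trace, or 0 when the trace is shorter than that. */
uhwptr frame_at(size_t (*unwind)(uhwptr *), size_t i) {
  uhwptr trace[MAX_DEPTH];
  size_t n = unwind(trace);
  return i < n ? trace[i] : 0;
}

int main(void) {
  uhwptr trace[MAX_DEPTH];
  size_t n = unwind_not_inlined(trace);
  for (size_t i = 0; i < n; i++)
    printf("  #%zu 0x%lx\n", i, (unsigned long)trace[i]);
  return 0;
}
```

The point of case 2 is that the unwinder has no way to know that 0x1000 and 0x1094 belong to the same function, which is why the reports above show operator new() at both #0 and #2; case 3 is the "not guaranteed to succeed" situation when a frame in the chain was built without -fno-omit-frame-pointer, where the checks keep the trace short instead of letting it wander.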
