<div dir="ltr"><br><div class="gmail_extra"><br><br><div class="gmail_quote">On Tue, Feb 5, 2013 at 6:32 PM, Evgeniy Stepanov <span dir="ltr"><<a href="mailto:eugeni.stepanov@gmail.com" target="_blank">eugeni.stepanov@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Author: eugenis<br>
Date: Tue Feb 5 08:32:03 2013<br>
New Revision: 174373<br>
<br>
URL: <a href="http://llvm.org/viewvc/llvm-project?rev=174373&view=rev" target="_blank">http://llvm.org/viewvc/llvm-project?rev=174373&view=rev</a><br>
Log:<br>
[asan] Fix nonsensical reports of partial right OOB.<br>
<br>
In case of partial right OOB, ASan was reporting<br>
X is located 0 bytes to the right of [A, B)<br>
where X was actually inside [A, B).<br>
<br>
With this change, ASan will report B as the error address in such a case.<br>
<br>
Added:<br>
compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc (with props)<br>
Modified:<br>
compiler-rt/trunk/lib/asan/asan_allocator.cc<br>
compiler-rt/trunk/lib/asan/asan_allocator.h<br>
compiler-rt/trunk/lib/asan/asan_allocator2.cc<br>
compiler-rt/trunk/lib/asan/asan_globals.cc<br>
compiler-rt/trunk/lib/asan/asan_interceptors.cc<br>
compiler-rt/trunk/lib/asan/asan_report.cc<br>
compiler-rt/trunk/lib/asan/asan_report.h<br>
compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc<br>
<br>
Modified: compiler-rt/trunk/lib/asan/asan_allocator.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_allocator.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_allocator.cc Tue Feb 5 08:32:03 2013<br>
@@ -369,7 +369,7 @@ class MallocInfo {<br>
left_chunk->chunk_state != CHUNK_AVAILABLE)<br>
return left_chunk;<br>
// Choose based on offset.<br>
- uptr l_offset = 0, r_offset = 0;<br>
+ sptr l_offset = 0, r_offset = 0;<br>
CHECK(AsanChunkView(left_chunk).AddrIsAtRight(addr, 1, &l_offset));<br>
CHECK(AsanChunkView(right_chunk).AddrIsAtLeft(addr, 1, &r_offset));<br>
if (l_offset < r_offset)<br>
@@ -389,7 +389,7 @@ class MallocInfo {<br>
CHECK(m->chunk_state == CHUNK_ALLOCATED ||<br>
m->chunk_state == CHUNK_AVAILABLE ||<br>
m->chunk_state == CHUNK_QUARANTINE);<br>
- uptr offset = 0;<br>
+ lptr offset = 0;<br></blockquote><div><br></div><div><br></div><div style>lptr? </div><div style>Does this even compile? </div><div> </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
AsanChunkView m_view(m);<br>
if (m_view.AddrIsInside(addr, 1, &offset))<br>
return m;<br>
<br>
Modified: compiler-rt/trunk/lib/asan/asan_allocator.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator.h?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator.h?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_allocator.h (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_allocator.h Tue Feb 5 08:32:03 2013<br>
@@ -55,14 +55,14 @@ class AsanChunkView {<br>
uptr FreeTid();<br>
void GetAllocStack(StackTrace *stack);<br>
void GetFreeStack(StackTrace *stack);<br>
- bool AddrIsInside(uptr addr, uptr access_size, uptr *offset) {<br>
+ bool AddrIsInside(uptr addr, uptr access_size, sptr *offset) {<br>
if (addr >= Beg() && (addr + access_size) <= End()) {<br>
*offset = addr - Beg();<br>
return true;<br>
}<br>
return false;<br>
}<br>
- bool AddrIsAtLeft(uptr addr, uptr access_size, uptr *offset) {<br>
+ bool AddrIsAtLeft(uptr addr, uptr access_size, sptr *offset) {<br>
(void)access_size;<br>
if (addr < Beg()) {<br>
*offset = Beg() - addr;<br>
@@ -70,12 +70,9 @@ class AsanChunkView {<br>
}<br>
return false;<br>
}<br>
- bool AddrIsAtRight(uptr addr, uptr access_size, uptr *offset) {<br>
+ bool AddrIsAtRight(uptr addr, uptr access_size, sptr *offset) {<br>
if (addr + access_size >= End()) {<br>
- if (addr <= End())<br>
- *offset = 0;<br>
- else<br>
- *offset = addr - End();<br>
+ *offset = addr - End();<br>
return true;<br>
}<br>
return false;<br>
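Review bot: `AddrIsAtRight` still tests `addr + access_size >= End()`, so an access that ends exactly at `End()` and lies wholly inside the chunk is classified as right-of-chunk with a negative `*offset`. DescribeAccessToHeapChunk in asan_report.cc now tries `AddrIsAtRight` before `AddrIsInside` and clamps negative offsets to 0, so such an access (for example a use-after-free of the last bytes of a chunk) would be described as `0 bytes to the right of` the region rather than inside it. The comparison should be strict: `if (addr + access_size > End()) {`. The function's closing brace lies outside this hunk.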
<br>
Modified: compiler-rt/trunk/lib/asan/asan_allocator2.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator2.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_allocator2.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_allocator2.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_allocator2.cc Tue Feb 5 08:32:03 2013<br>
@@ -547,7 +547,7 @@ AsanChunk *ChooseChunk(uptr addr,<br>
return right_chunk;<br>
}<br>
// Same chunk_state: choose based on offset.<br>
- uptr l_offset = 0, r_offset = 0;<br>
+ sptr l_offset = 0, r_offset = 0;<br>
CHECK(AsanChunkView(left_chunk).AddrIsAtRight(addr, 1, &l_offset));<br>
CHECK(AsanChunkView(right_chunk).AddrIsAtLeft(addr, 1, &r_offset));<br>
if (l_offset < r_offset)<br>
@@ -558,7 +558,7 @@ AsanChunk *ChooseChunk(uptr addr,<br>
AsanChunkView FindHeapChunkByAddress(uptr addr) {<br>
AsanChunk *m1 = GetAsanChunkByAddr(addr);<br>
if (!m1) return AsanChunkView(m1);<br>
- uptr offset = 0;<br>
+ sptr offset = 0;<br>
if (AsanChunkView(m1).AddrIsAtLeft(addr, 1, &offset)) {<br>
// The address is in the chunk's left redzone, so maybe it is actually<br>
// a right buffer overflow from the other chunk to the left.<br>
<br>
Modified: compiler-rt/trunk/lib/asan/asan_globals.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_globals.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_globals.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_globals.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_globals.cc Tue Feb 5 08:32:03 2013<br>
@@ -48,7 +48,7 @@ void PoisonRedZones(const Global &g) {<br>
}<br>
}<br>
<br>
-bool DescribeAddressIfGlobal(uptr addr) {<br>
+bool DescribeAddressIfGlobal(uptr addr, uptr size) {<br>
if (!flags()->report_globals) return false;<br>
BlockingMutexLock lock(&mu_for_globals);<br>
bool res = false;<br>
@@ -57,7 +57,7 @@ bool DescribeAddressIfGlobal(uptr addr)<br>
if (flags()->report_globals >= 2)<br>
Report("Search Global: beg=%p size=%zu name=%s\n",<br>
(void*)g.beg, g.size, (char*)<a href="http://g.name" target="_blank">g.name</a>);<br>
- res |= DescribeAddressRelativeToGlobal(addr, g);<br>
+ res |= DescribeAddressRelativeToGlobal(addr, size, g);<br>
}<br>
return res;<br>
}<br>
<br>
Modified: compiler-rt/trunk/lib/asan/asan_interceptors.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_interceptors.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_interceptors.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_interceptors.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_interceptors.cc Tue Feb 5 08:32:03 2013<br>
@@ -31,12 +31,14 @@ namespace __asan {<br>
// that no extra frames are created, and stack trace contains<br>
// relevant information only.<br>
// We check all shadow bytes.<br>
-#define ACCESS_MEMORY_RANGE(offset, size, isWrite) do { \<br>
- if (uptr __ptr = __asan_region_is_poisoned((uptr)(offset), size)) { \<br>
- GET_CURRENT_PC_BP_SP; \<br>
- __asan_report_error(pc, bp, sp, __ptr, isWrite, /* access_size */1); \<br>
- } \<br>
-} while (0)<br>
+#define ACCESS_MEMORY_RANGE(offset, size, isWrite) do { \<br>
+ uptr __offset = (uptr)(offset); \<br>
+ uptr __size = (uptr)(size); \<br>
+ if (__asan_region_is_poisoned(__offset, __size)) { \<br>
+ GET_CURRENT_PC_BP_SP; \<br>
+ __asan_report_error(pc, bp, sp, __offset, isWrite, __size); \<br>
+ } \<br>
+ } while (0)<br>
<br>
#define ASAN_READ_RANGE(offset, size) ACCESS_MEMORY_RANGE(offset, size, false)<br>
#define ASAN_WRITE_RANGE(offset, size) ACCESS_MEMORY_RANGE(offset, size, true);<br>
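Review bot: The address returned by `__asan_region_is_poisoned` is now discarded and `__asan_report_error` receives the start of the range, which for a long copy can be an addressable byte well before the first poisoned one. Any reporting code that classifies the error from the shadow at the reported address (not visible in this hunk) would then inspect a clean byte, so that path is worth confirming with a range longer than the chunk's redzone. At minimum the comment above the macro should record the new contract, for example `// Reports the start and full size of the range, not the first poisoned byte.`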
<br>
Modified: compiler-rt/trunk/lib/asan/asan_report.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_report.cc Tue Feb 5 08:32:03 2013<br>
@@ -190,19 +190,23 @@ static void PrintGlobalNameIfASCII(const<br>
Printf(" '%s' is ascii string '%s'\n", <a href="http://g.name" target="_blank">g.name</a>, (char*)g.beg);<br>
}<br>
<br>
-bool DescribeAddressRelativeToGlobal(uptr addr, const __asan_global &g) {<br>
+bool DescribeAddressRelativeToGlobal(uptr addr, uptr size,<br>
+ const __asan_global &g) {<br>
static const uptr kMinimalDistanceFromAnotherGlobal = 64;<br>
if (addr <= g.beg - kMinimalDistanceFromAnotherGlobal) return false;<br>
if (addr >= g.beg + g.size_with_redzone) return false;<br>
Decorator d;<br>
Printf("%s", d.Location());<br>
- Printf("%p is located ", (void*)addr);<br>
if (addr < g.beg) {<br>
- Printf("%zd bytes to the left", g.beg - addr);<br>
- } else if (addr >= g.beg + g.size) {<br>
- Printf("%zd bytes to the right", addr - (g.beg + g.size));<br>
+ Printf("%p is located %zd bytes to the left", (void*)addr, g.beg - addr);<br>
+ } else if (addr + size > g.beg + g.size) {<br>
+ if (addr < g.beg + g.size)<br>
+ addr = g.beg + g.size;<br>
+ Printf("%p is located %zd bytes to the right", (void*)addr,<br>
+ addr - (g.beg + g.size));<br>
} else {<br>
- Printf("%zd bytes inside", addr - g.beg); // Can it happen?<br>
+ // Can it happen?<br>
+ Printf("%p is located %zd bytes inside", (void*)addr, addr - g.beg);<br>
}<br>
Printf(" of global variable '%s' (0x%zx) of size %zu\n",<br>
<a href="http://g.name" target="_blank">g.name</a>, g.beg, g.size);<br>
@@ -288,18 +292,22 @@ bool DescribeAddressIfStack(uptr addr, u<br>
<br>
static void DescribeAccessToHeapChunk(AsanChunkView chunk, uptr addr,<br>
uptr access_size) {<br>
- uptr offset;<br>
+ sptr offset;<br>
Decorator d;<br>
Printf("%s", d.Location());<br>
- Printf("%p is located ", (void*)addr);<br>
- if (chunk.AddrIsInside(addr, access_size, &offset)) {<br>
- Printf("%zu bytes inside of", offset);<br>
- } else if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {<br>
- Printf("%zu bytes to the left of", offset);<br>
+ if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {<br>
+ Printf("%p is located %zd bytes to the left of", (void*)addr, offset);<br>
} else if (chunk.AddrIsAtRight(addr, access_size, &offset)) {<br>
- Printf("%zu bytes to the right of", offset);<br>
+ if (offset < 0) {<br>
+ addr -= offset;<br>
+ offset = 0;<br>
+ }<br>
+ Printf("%p is located %zd bytes to the right of", (void*)addr, offset);<br>
+ } else if (chunk.AddrIsInside(addr, access_size, &offset)) {<br>
+ Printf("%p is located %zd bytes inside of", (void*)addr, offset);<br>
} else {<br>
- Printf(" somewhere around (this is AddressSanitizer bug!)");<br>
+ Printf("%p is located somewhere around (this is AddressSanitizer bug!)",<br>
+ (void*)addr);<br>
}<br>
Printf(" %zu-byte region [%p,%p)\n", chunk.UsedSize(),<br>
(void*)(chunk.Beg()), (void*)(chunk.End()));<br>
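Review bot: In the `AddrIsAtRight` branch, `addr -= offset;` subtracts a negative `sptr` from a `uptr` and reaches the intended value only through unsigned wraparound of the converted operand. Since `offset` is `addr - End()` at that point, `addr = chunk.End();` states the intent directly and avoids the mixed-sign arithmetic. A short comment such as `// Partial right OOB: report the first byte past the chunk.` would also explain why the printed address differs from the faulting one.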
@@ -372,7 +380,7 @@ void DescribeAddress(uptr addr, uptr acc<br>
if (DescribeAddressIfShadow(addr))<br>
return;<br>
CHECK(AddrIsInMem(addr));<br>
- if (DescribeAddressIfGlobal(addr))<br>
+ if (DescribeAddressIfGlobal(addr, access_size))<br>
return;<br>
if (DescribeAddressIfStack(addr, access_size))<br>
return;<br>
<br>
Modified: compiler-rt/trunk/lib/asan/asan_report.h<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.h?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.h?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/asan_report.h (original)<br>
+++ compiler-rt/trunk/lib/asan/asan_report.h Tue Feb 5 08:32:03 2013<br>
@@ -21,8 +21,9 @@ namespace __asan {<br>
// The following functions prints address description depending<br>
// on the memory type (shadow/heap/stack/global).<br>
void DescribeHeapAddress(uptr addr, uptr access_size);<br>
-bool DescribeAddressIfGlobal(uptr addr);<br>
-bool DescribeAddressRelativeToGlobal(uptr addr, const __asan_global &g);<br>
+bool DescribeAddressIfGlobal(uptr addr, uptr access_size);<br>
+bool DescribeAddressRelativeToGlobal(uptr addr, uptr access_size,<br>
+ const __asan_global &g);<br>
bool DescribeAddressIfShadow(uptr addr);<br>
bool DescribeAddressIfStack(uptr addr, uptr access_size);<br>
// Determines memory type on its own.<br>
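Review bot: The new parameter is called `access_size` in these declarations but `size` in both definitions (`DescribeAddressIfGlobal` in asan_globals.cc and `DescribeAddressRelativeToGlobal` in asan_report.cc). Using `access_size` throughout would match `DescribeAddressIfStack` and `DescribeHeapAddress` declared alongside. The comment above the declarations could also note that for a partial right overflow the printed address is the end of the object, not the address passed in.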
<br>
Added: compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc?rev=174373&view=auto" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc?rev=174373&view=auto</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc (added)<br>
+++ compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc Tue Feb 5 08:32:03 2013<br>
@@ -0,0 +1,17 @@<br>
+// RUN: %clangxx_asan -m64 -O0 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m64 -O1 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m64 -O2 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m64 -O3 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m32 -O0 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m32 -O1 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m32 -O2 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+// RUN: %clangxx_asan -m32 -O3 %s -o %t && %t 2>&1 | %symbolize | FileCheck %s<br>
+<br>
+#include <stdlib.h><br>
+int main(int argc, char **argv) {<br>
+ volatile int *x = (int*)malloc(2*sizeof(int) + 2);<br>
+ int res = x[2]; // BOOOM<br>
+ // CHECK: {{READ of size 4 at 0x.* thread T0}}<br>
+ // CHECK: [[ADDR:0x[01-9a-fa-f]+]] is located 0 bytes to the right of {{.*}}-byte region [{{.*}},{{.*}}[[ADDR]])<br>
+ return res;<br>
+}<br>
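Review bot: The test pins only a heap read that straddles the end of the chunk. Nothing covers an access that ends exactly at the end of the region, which should still be reported as inside, and nothing covers the partial-right branch added to `DescribeAddressRelativeToGlobal` for globals. A second test with a global array and a straddling read would cover the latter. Separately, the character class `[01-9a-fa-f]` in the `ADDR` pattern repeats `a-f`; `[0-9a-f]` matches the same set.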
<br>
Propchange: compiler-rt/trunk/lib/asan/lit_tests/partial_right.cc<br>
------------------------------------------------------------------------------<br>
svn:eol-style = LF<br>
<br>
Modified: compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc<br>
URL: <a href="http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc?rev=174373&r1=174372&r2=174373&view=diff" target="_blank">http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc?rev=174373&r1=174372&r2=174373&view=diff</a><br>
==============================================================================<br>
--- compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc (original)<br>
+++ compiler-rt/trunk/lib/asan/lit_tests/strncpy-overflow.cc Tue Feb 5 08:32:03 2013<br>
@@ -22,7 +22,7 @@ int main(int argc, char **argv) {<br>
strcpy(hello, "hello");<br>
char *short_buffer = (char*)malloc(9);<br>
strncpy(short_buffer, hello, 10); // BOOM<br>
- // CHECK: {{WRITE of size 1 at 0x.* thread T0}}<br>
+ // CHECK: {{WRITE of size 10 at 0x.* thread T0}}<br>
// CHECK-Linux: {{ #0 0x.* in .*strncpy}}<br>
// CHECK-Darwin: {{ #0 0x.* in _?wrap_strncpy}}<br>
// CHECK: {{ #1 0x.* in _?main .*strncpy-overflow.cc:}}[[@LINE-4]]<br>
<br>
<br>
</blockquote></div><br></div></div>