[LLVMdev] Porting ASan to AArch64

Gideon Billings gideonhbillings at gmail.com
Tue Jun 3 16:46:35 PDT 2014


The mmap error is an issue with the qemu-aarch64 model I've been using. I
am not sure how to get a dump of /proc/self/maps, as the model is
configured as a non-interactive elf interpreter. I can successfully mmap a
smaller address range, and I tried configuring the environment using
setrlimit(), but I still get the error for the shadow memory range.  I may
try to debug the qemu model further, but for now, I have switched to using
a different interactive model, and the mmap now succeeds. However, I am
getting a different error. When I try to run a simple "Hello World" program
that prints using cout, I get this segfault error:

==69==Parsed ASAN_OPTIONS: verbosity=2
==69==AddressSanitizer: failed to intercept '__isoc99_printf'
==69==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==69==AddressSanitizer: libc interceptors initialized
|| `[0x002000000000, 0x007fffffffff]` || HighMem    ||
|| `[0x001400000000, 0x001fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0013ffffffff]` || ShadowGap  ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow  ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem     ||
MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x001280000000
0x0013ffffffff
redzone=16
max_redzone=2048
quarantine_size=256M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 1000000000
==69==Installed the sigaction for signal 11
==69==SetCurrentThread: 0x007fb7ff1000 for thread 0x007fb7ff6000
==69==T0: stack [0x007fff800000,0x008000000000) size 0x800000;
local=0x007ffffffbd8
==69==AddressSanitizer Init done
ASAN:SIGSEGV
=================================================================
==69==ERROR: AddressSanitizer: SEGV on unknown address 0x100fffffff6e (pc
0x0000004a37b4 sp 0x007ffffffb70 bp 0x007ffffffbe0 T0)
==69==AddressSanitizer CHECK failed:
/local/mnt/workspace/gideonb/projects/toolchains/open-draco/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace.cc:68
"((count)) < ((size))" (0x1, 0x1)
    <empty stack>

I switched to using printf, and the binary ran without any errors. I then
tried making a use-after-delete error, and when I ran the binary, it
reported a segfault error like above rather than the expected
heap-use-after-free. When I tried making a heap-buffer-overflow error,
there were no reported errors when I ran the binary. The message above
appears to report two errors. ASan seems to initialize ok, but then there
is a segfault error at some point. The second error occurs when
"SlowUnwindStackWithContext" is called from "GET_STACK_TRACE_SIGNAL" which
is called when the segfault error is detected. I am a bit mystified on
where the problem might be.


On Fri, May 30, 2014 at 8:58 PM, Alexey Samsonov <vonosmas at gmail.com> wrote:

> +Greg in case he's seen similar problems.
>
> Basically, ASan is unable to map the necessary shadow memory. You may want
> to dump the contents of /proc/self/maps and look if it conflicts
> with the range ASan is trying to use. errno 12 is ENOMEM. Are you sure you
> don't have constraints on the virtual memory your process can use?
>
>
> On Fri, May 30, 2014 at 2:29 PM, Gideon Billings <
> gideonhbillings at gmail.com> wrote:
>
>> Hello,
>>
>> I have been working on porting ASan to AArch64. I am building compiler-rt
>> in "standalone mode" targeting aarch64. My build is successful, but I get
>> the following runtime error when I run an ASan enabled executable through
>> qemu-aarch64:
>>
>>
>> ==29184==Parsed ASAN_OPTIONS: verbosity=1
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_printf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_sprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_snprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_fprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_vprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
>> ==29184==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
>> ==29184==AddressSanitizer: libc interceptors initialized
>> || `[0x002000000000, 0x007fffffffff]` || HighMem    ||
>> || `[0x001400000000, 0x001fffffffff]` || HighShadow ||
>> || `[0x001200000000, 0x0013ffffffff]` || ShadowGap  ||
>> || `[0x001000000000, 0x0011ffffffff]` || LowShadow  ||
>> || `[0x000000000000, 0x000fffffffff]` || LowMem     ||
>> MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x001280000000
>> 0x0013ffffffff
>> redzone=16
>> max_redzone=2048
>> quarantine_size=256M
>> malloc_context_size=30
>> SHADOW_SCALE: 3
>> SHADOW_GRANULARITY: 8
>> SHADOW_OFFSET: 1000000000
>> ==29184==ERROR: AddressSanitizer failed to allocate 0xc00000000
>> (51539607552) bytes at address 1400000000 (errno: 12)
>> ==29184==ReserveShadowMemoryRange failed while trying to map 0xc00000000
>> bytes. Perhaps you're using ulimit -v
>>
>> This appears to be the same issue discussed in this thread:
>>
>> https://code.google.com/p/address-sanitizer/issues/detail?id=246#makechanges
>>
>> I contacted Christophe Lyon, and he said he had successfully ported ASan
>> to aarch64 and had committed a patch to enable this to LLVM:
>>
>> https://github.com/llvm-mirror/compiler-rt/commit/33465467e7f8243933100bab3cf8f34b79a8f54c
>>
>> His changes from this patch still appear to be configured correctly in my
>> build, so I am not sure why I am getting this error. Is anyone able to shed
>> some light on this?
>>
>> Thanks,
>> -Gideon
>>
>> _______________________________________________
>> LLVM Developers mailing list
>> LLVMdev at cs.uiuc.edu         http://llvm.cs.uiuc.edu
>> http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev
>>
>>
>
>
> --
> Alexey Samsonov
> vonosmas at gmail.com
>
