<div style="font-family: arial, helvetica, sans-serif; font-size: 10pt">Just want to remind everyone that we plan to stop using mach_override in asanin favor of OSX's native function interposition.<div>So, we probably don't want to spend too much effort fixing mach_override. </div>
<div><br></div><div>--kcc <br><br><div class="gmail_quote">On Fri, Nov 30, 2012 at 4:46 AM, Alexander Potapenko <span dir="ltr"><<a href="mailto:glider@google.com" target="_blank">glider@google.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Looks like this happens on x86_64 because the position of __cxa_throw<br>
is too far from the allocated branch island (should be <2G). This can<br>
be solved by allocating the branch islands somewhere near the text<br>
segment (look for kIslandEnd in asan_mac.cc, this is currently<br>
0x7fffffdf0000) or by patching the function with a longer instruction<br>
sequence that stores the jump target in a register and jumps to that<br>
target (which is a bit more complex to implement).<br>
<br>
Once this problem is fixed, another one is going to arise. This is how<br>
the first bytes of __cxa_throw look like:<br>
<br>
0x0020c49ba5d916e0 <__cxa_throw+0>: lea 0xb4f01(%rip),%rax #<br>
0x20c49ba5e465e8 <_ZN10__cxxabiv120__unexpected_handlerE><br>
0x0020c49ba5d916e7 <__cxa_throw+7>: push %rbx<br>
0x0020c49ba5d916e8 <__cxa_throw+8>: lea -0x20(%rdi),%rbx<br>
<br>
If we move the relative LEA instruction somewhere, we must fix the<br>
constant in order to keep it pointing to the same address.<br>
mach_override already does this for relative CALL and JMP<br>
instructions, but not for LEA. This should be fairly simple to fix.<br>
<br>
Note that the 32-bit variant crashes on another invalid address:<br>
<br>
ASAN:SIGSEGV<br>
=================================================================<br>
==89768== ERROR: AddressSanitizer: SEGV on unknown address 0xcccccccc<br>
(pc 0x00061f8c sp 0xbffa8bd0 bp 0xbffa8cc8 T0)<br>
<div class="im">AddressSanitizer can not provide additional info.<br>
</div> #0 0x61f8b (/Users/glider/src/gcc-asan/inst/lib/i386/libstdc++.6.dylib+0x3f8b)<br>
#1 0x91391724 (/usr/lib/system/libdyld.dylib+0x2724)<br>
<div class="im"> #2 0x0<br>
Stats: 0M malloced (0M for red zones) by 3 calls<br>
Stats: 0M realloced by 0 calls<br>
Stats: 0M freed by 0 calls<br>
Stats: 0M really freed by 0 calls<br>
</div>Stats: 1M (256 full pages) mmaped in 2 calls<br>
<div class="im"> mmaps by size class: 7:4095; 8:2047;<br>
</div> mallocs by size class: 7:1; 8:2;<br>
<div class="im"> frees by size class:<br>
rfrees by size class:<br>
</div>Stats: malloc large: 0 small slow: 2<br>
==89768== ABORTING<br>
<br>
My guess is that this is caused by the following code being moved to a<br>
branch island:<br>
<br>
Dump of assembler code for function __cxa_throw:<br>
0x00008f60 <__cxa_throw+0>: push %esi<br>
0x00008f61 <__cxa_throw+1>: push %ebx<br>
0x00008f62 <__cxa_throw+2>: call 0x7a60 <__x86.get_pc_thunk.bx><br>
<br>
Perhaps this makes __x86.get_pc_thunk.bx return an incorrect value.<br>
<br>
Since libstdc++-v3 is built together with gcc, the two issues related<br>
to instructions being moved to another place can be solved by padding<br>
__cxa_throw() with five NOP instructions (enough to hold a JMP). I<br>
believe this should be acceptable, because the performance penalty for<br>
additional NOPs is negligible, and __cxa_throw() isn't a hot point.<br>
<div class="HOEnZb"><div class="h5"><br>
On Thu, Nov 29, 2012 at 1:01 PM, Nick Kledzik <<a href="mailto:kledzik@apple.com">kledzik@apple.com</a>> wrote:<br>
> I debugged this a bit and it seems the mach_override patching of __cxa_throw is bogus. The start of that function is patched to jump to garbage.<br>
><br>
> Breakpoint 1, 0x0000000100001c19 in main ()<br>
> (gdb) display/i $pc<br>
> 2: x/i $pc 0x100001c19 <main+318>: callq 0x100016386 <dyld_stub___cxa_throw><br>
> (gdb) si<br>
> 0x0000000100016386 in dyld_stub___cxa_throw ()<br>
> 2: x/i $pc 0x100016386 <dyld_stub___cxa_throw>: jmpq *0xae1c(%rip) # 0x1000211a8<br>
> (gdb)<br>
> 0x0000000102244870 in __cxa_throw ()<br>
> 2: x/i $pc 0x102244870 <__cxa_throw>: jmpq 0xffd27000<br>
> (gdb) # the above its __cxa_throw in gcc's libstdc++.6.dylib. The first instruction has been patch to jump to a garbage address.<br>
><br>
> (gdb) x/8i 0x102244870-8<br>
> 0x102244868 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+56>: std<br>
> 0x102244869 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+57>: (bad)<br>
> 0x10224486a <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+58>: decl (%rdi)<br>
> 0x10224486c <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+60>: (bad)<br>
> 0x10224486d <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+61>: add %r8b,(%rax)<br>
> 0x102244870 <__cxa_throw>: jmpq 0xffd27000<br>
> 0x102244875 <__cxa_throw+5>: or (%rax),%eax<br>
> 0x102244877 <__cxa_throw+7>: push %rbx<br>
> (gdb)<br>
> (gdb) watch *0x102244870<br>
> Hardware watchpoint 2: *4330899568<br>
> (gdb) r<br>
><br>
> Old value = -788165304<br>
> New value = -1373139991<br>
> 0x0000000100016203 in __asan_mach_override_ptr_custom ()<br>
> (gdb) bt<br>
> #0 0x0000000100016203 in __asan_mach_override_ptr_custom ()<br>
> #1 0x0000000100015a9e in __interception::OverrideFunction ()<br>
> #2 0x00007fff5fc13378 in ImageLoaderMachO::doModInitFunctions ()<br>
> #3 0x00007fff5fc13762 in ImageLoaderMachO::doInitialization ()<br>
> #4 0x00007fff5fc1006e in ImageLoader::recursiveInitialization ()<br>
> #5 0x00007fff5fc0feba in ImageLoader::runInitializers ()<br>
> #6 0x00007fff5fc01fc0 in dyld::initializeMainExecutable ()<br>
> #7 0x00007fff5fc05b04 in dyld::_main ()<br>
> #8 0x00007fff5fc01397 in dyldbootstrap::start ()<br>
> #9 0x00007fff5fc0105e in _dyld_start ()<br>
> (gdb) x/8i 0x102244870<br>
> 0x102244870 <__cxa_throw>: jmpq 0xffd27000<br>
> 0x102244875 <__cxa_throw+5>: or (%rax),%eax<br>
> 0x102244877 <__cxa_throw+7>: push %rbx<br>
> 0x102244878 <__cxa_throw+8>: lea -0x20(%rdi),%rbx<br>
> 0x10224487c <__cxa_throw+12>: mov %rsi,-0x70(%rdi)<br>
> # Here is where the patching is being done<br>
><br>
> -Nick<br>
><br>
> On Nov 29, 2012, at 11:07 AM, Alexander Potapenko wrote:<br>
>>> On Thu, Nov 29, 2012 at 9:55 PM, Jack Howarth <<a href="mailto:howarth@bromo.med.uc.edu">howarth@bromo.med.uc.edu</a>><br>
>>> wrote:<br>
>>>><br>
>>>> Nick,<br>
>>>> Can you take a quick look at the <a href="http://asan_eh_bug.tar.bz" target="_blank">asan_eh_bug.tar.bz</a> testcase<br>
>>>> I uploaded into the newly opened radr://12777299, "potential<br>
>>>> pthread/eh bug exposed by libsanitizer". The FSF gcc developers<br>
>>>> have ported <a href="http://llvm.org" target="_blank">llvm.org</a>'s asan code into FSF gcc (and are keeping<br>
>>>> it synced to the upstream <a href="http://llvm.org" target="_blank">llvm.org</a> code). I have been helping<br>
>>>> with the darwin build and testing -fsanitize=address against the<br>
>>>> complete FSF gcc testsuite. This seems to have exposed a potential<br>
>>>> bug in pthread or eh on darwin under libasan. Hundreds of test cases<br>
>>>> in the g++ and libstdc++ testsuites fail under -fsanitize=address<br>
>>>> in the following manner...<br>
>>>><br>
>>>> ASAN:SIGSEGV<br>
>>>> =================================================================<br>
>>>> ==2738== ERROR: AddressSanitizer: SEGV on unknown address 0x0000ffd27000<br>
>>>> (pc 0x0000ffd27000 sp 0x7fff55e40828 bp 0x7fff55e408f0 T0)<br>
>>>> AddressSanitizer can not provide additional info.<br>
>>>> #0 0xffd26fff (/Users/howarth/asan_eh_bug/./cond1_asan.exe+0xf5f67fff)<br>
>>>> #1 0x7fff8bd827e0 (/usr/lib/system/libdyld.dylib+0x27e0)<br>
>>>> #2 0x0<br>
>>>> Stats: 0M malloced (0M for red zones) by 3 calls<br>
>>>> Stats: 0M realloced by 0 calls<br>
>>>> Stats: 0M freed by 0 calls<br>
>>>> Stats: 0M really freed by 0 calls<br>
>>>> Stats: 1M (384 full pages) mmaped in 3 calls<br>
>>>> mmaps by size class: 7:4095; 8:2047; 9:1023;<br>
>>>> mallocs by size class: 7:1; 8:1; 9:1;<br>
>>>> frees by size class:<br>
>>>> rfrees by size class:<br>
>>>> Stats: malloc large: 0 small slow: 3<br>
>>>> ==2738== ABORTING<br>
>>>><br>
>>>> The failure of...<br>
>>>><br>
>>>> FAIL: g++.dg/eh/cond1.C -std=c++98 execution test<br>
>>>><br>
>>>> was used as the test case for the radar report and compiled with...<br>
>>>><br>
>>>> g++-fsf-4.8 -static-libasan -fsanitize=address -std=c++98 cond1.C -g -O0<br>
>>>> -o cond1_asan.exe<br>
>>>><br>
>>>> to produce the above failure. When compiled without libasan as...<br>
>>>><br>
>>>> g++-fsf-4.8 -std=c++98 cond1.C -g -O0 -o cond1_no_asan.exe<br>
>>>><br>
>>>> the resulting executable runs fine. Debugging this in gdb seems to show<br>
>>>> that the failure<br>
>>>> is occuring in the final call to dyld_stub_pthread_once (). The same test<br>
>>>> case<br>
>>>> compiles fine with -fsanitize=address under llvm 3.2 clang++ and produces<br>
>>>> no runtime errors<br>
>>>> but the code execution path is very different in that case (because of the<br>
>>>> different<br>
>>>> libstdc++).<br>
>>>> Can you take a quick peek at this and determine if this is a darwin<br>
>>>> pthread or unwinder<br>
>>>> bug or an issue with libasan that FSF gcc's compiler is exposing? Thanks<br>
>>>> in advance for<br>
>>>> any help on this.<br>
>>>> Jack<br>
>>>> _______________________________________________<br>
>>>> LLVM Developers mailing list<br>
>>>> <a href="mailto:LLVMdev@cs.uiuc.edu">LLVMdev@cs.uiuc.edu</a> <a href="http://llvm.cs.uiuc.edu" target="_blank">http://llvm.cs.uiuc.edu</a><br>
>>>> <a href="http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev" target="_blank">http://lists.cs.uiuc.edu/mailman/listinfo/llvmdev</a><br>
>>><br>
>>><br>
>><br>
>><br>
>><br>
>> --<br>
>> Alexander Potapenko<br>
>> Software Engineer<br>
>> Google Moscow<br>
><br>
<br>
<br>
<br>
--<br>
Alexander Potapenko<br>
Software Engineer<br>
Google Moscow<br>
</div></div></blockquote></div><br></div></div>