[compiler-rt] r260128 - [asan] re-commit r259961, this time making the test Linux-Only

Kostya Serebryany via llvm-commits llvm-commits at lists.llvm.org
Mon Feb 8 11:21:08 PST 2016


Author: kcc
Date: Mon Feb  8 13:21:08 2016
New Revision: 260128

URL: http://llvm.org/viewvc/llvm-project?rev=260128&view=rev
Log:
[asan] re-commit r259961, this time making the test Linux-Only

Added:
    compiler-rt/trunk/lib/asan/asan_scariness_score.h
    compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc
Modified:
    compiler-rt/trunk/lib/asan/asan_flags.inc
    compiler-rt/trunk/lib/asan/asan_report.cc

Modified: compiler-rt/trunk/lib/asan/asan_flags.inc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_flags.inc?rev=260128&r1=260127&r2=260128&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_flags.inc (original)
+++ compiler-rt/trunk/lib/asan/asan_flags.inc Mon Feb  8 13:21:08 2016
@@ -77,6 +77,8 @@ ASAN_FLAG(bool, print_stats, false,
           "Print various statistics after printing an error message or if "
           "atexit=1.")
 ASAN_FLAG(bool, print_legend, true, "Print the legend for the shadow bytes.")
+ASAN_FLAG(bool, print_scariness, false,
+          "Print the scariness score. Experimental.")
 ASAN_FLAG(bool, atexit, false,
           "If set, prints ASan exit stats even after program terminates "
           "successfully.")

Modified: compiler-rt/trunk/lib/asan/asan_report.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_report.cc?rev=260128&r1=260127&r2=260128&view=diff
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_report.cc (original)
+++ compiler-rt/trunk/lib/asan/asan_report.cc Mon Feb  8 13:21:08 2016
@@ -16,6 +16,7 @@
 #include "asan_internal.h"
 #include "asan_mapping.h"
 #include "asan_report.h"
+#include "asan_scariness_score.h"
 #include "asan_stack.h"
 #include "asan_thread.h"
 #include "sanitizer_common/sanitizer_common.h"
@@ -747,6 +748,7 @@ void ReportStackOverflow(const SignalCon
       (void *)sig.addr, (void *)sig.pc, (void *)sig.bp, (void *)sig.sp,
       GetCurrentTidOrInvalid());
   Printf("%s", d.EndWarning());
+  ScarinessScore::PrintSimple(15, "stack-overflow");
   GET_STACK_TRACE_SIGNAL(sig);
   stack.Print();
   ReportErrorSummary("stack-overflow", &stack);
@@ -762,14 +764,26 @@ void ReportDeadlySignal(const char *desc
       description, (void *)sig.addr, (void *)sig.pc, (void *)sig.bp,
       (void *)sig.sp, GetCurrentTidOrInvalid());
   Printf("%s", d.EndWarning());
+  ScarinessScore SS;
   if (sig.pc < GetPageSizeCached())
     Report("Hint: pc points to the zero page.\n");
   if (sig.is_memory_access) {
     Report("The signal is caused by a %s memory access.\n",
            sig.is_write ? "WRITE" : "READ");
-    if (sig.addr < GetPageSizeCached())
+    if (sig.addr < GetPageSizeCached()) {
       Report("Hint: address points to the zero page.\n");
+      SS.Scare(10, "null-deref");
+    } else if (sig.addr == sig.pc) {
+      SS.Scare(60, "wild-jump");
+    } else if (sig.is_write) {
+      SS.Scare(30, "wild-addr-write");
+    } else {
+      SS.Scare(20, "wild-addr-read");
+    }
+  } else {
+    SS.Scare(10, "signal");
   }
+  SS.Print();
   GET_STACK_TRACE_SIGNAL(sig);
   stack.Print();
   MaybeDumpInstructionBytes(sig.pc);
@@ -789,6 +803,7 @@ void ReportDoubleFree(uptr addr, Buffere
          ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
   Printf("%s", d.EndWarning());
   CHECK_GT(free_stack->size, 0);
+  ScarinessScore::PrintSimple(42, "double-free");
   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
   stack.Print();
   DescribeHeapAddress(addr, 1);
@@ -811,6 +826,7 @@ void ReportNewDeleteSizeMismatch(uptr ad
          "  size of the deallocated type: %zd bytes.\n",
          asan_mz_size(reinterpret_cast<void*>(addr)), delete_size);
   CHECK_GT(free_stack->size, 0);
+  ScarinessScore::PrintSimple(10, "new-delete-type-mismatch");
   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
   stack.Print();
   DescribeHeapAddress(addr, 1);
@@ -830,6 +846,7 @@ void ReportFreeNotMalloced(uptr addr, Bu
          curr_tid, ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
   Printf("%s", d.EndWarning());
   CHECK_GT(free_stack->size, 0);
+  ScarinessScore::PrintSimple(10, "bad-free");
   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
   stack.Print();
   DescribeHeapAddress(addr, 1);
@@ -851,6 +868,7 @@ void ReportAllocTypeMismatch(uptr addr,
         alloc_names[alloc_type], dealloc_names[dealloc_type], addr);
   Printf("%s", d.EndWarning());
   CHECK_GT(free_stack->size, 0);
+  ScarinessScore::PrintSimple(10, "alloc-dealloc-mismatch");
   GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
   stack.Print();
   DescribeHeapAddress(addr, 1);
@@ -899,6 +917,7 @@ void ReportStringFunctionMemoryRangesOve
              "memory ranges [%p,%p) and [%p, %p) overlap\n", \
              bug_type, offset1, offset1 + length1, offset2, offset2 + length2);
   Printf("%s", d.EndWarning());
+  ScarinessScore::PrintSimple(10, bug_type);
   stack->Print();
   DescribeAddress((uptr)offset1, length1, bug_type);
   DescribeAddress((uptr)offset2, length2, bug_type);
@@ -913,6 +932,7 @@ void ReportStringFunctionSizeOverflow(up
   Printf("%s", d.Warning());
   Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
   Printf("%s", d.EndWarning());
+  ScarinessScore::PrintSimple(10, bug_type);
   stack->Print();
   DescribeAddress(offset, size, bug_type);
   ReportErrorSummary(bug_type, stack);
@@ -1033,6 +1053,18 @@ void ReportGenericError(uptr pc, uptr bp
                         uptr access_size, u32 exp, bool fatal) {
   if (!fatal && SuppressErrorReport(pc)) return;
   ENABLE_FRAME_POINTER;
+  ScarinessScore SS;
+
+  if (access_size) {
+    if (access_size <= 9) {
+      char desr[] = "?-byte";
+      desr[0] = '0' + access_size;
+      SS.Scare(access_size + access_size / 2, desr);
+    } else if (access_size >= 10) {
+      SS.Scare(15, "multi-byte");
+    }
+    is_write ? SS.Scare(20, "write") : SS.Scare(1, "read");
+  }
 
   // Optimization experiments.
   // The experiments can be used to evaluate potential optimizations that remove
@@ -1054,50 +1086,72 @@ void ReportGenericError(uptr pc, uptr bp
     // If we are in the partial right redzone, look at the next shadow byte.
     if (*shadow_addr > 0 && *shadow_addr < 128)
       shadow_addr++;
+    bool far_from_bounds = false;
     shadow_val = *shadow_addr;
+    int bug_type_score = 0;
     switch (shadow_val) {
       case kAsanHeapLeftRedzoneMagic:
       case kAsanHeapRightRedzoneMagic:
       case kAsanArrayCookieMagic:
         bug_descr = "heap-buffer-overflow";
+        bug_type_score = 10;
+        far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
         break;
       case kAsanHeapFreeMagic:
         bug_descr = "heap-use-after-free";
+        bug_type_score = 20;
         break;
       case kAsanStackLeftRedzoneMagic:
         bug_descr = "stack-buffer-underflow";
+        bug_type_score = 25;
+        far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
         break;
       case kAsanInitializationOrderMagic:
         bug_descr = "initialization-order-fiasco";
+        bug_type_score = 1;
         break;
       case kAsanStackMidRedzoneMagic:
       case kAsanStackRightRedzoneMagic:
       case kAsanStackPartialRedzoneMagic:
         bug_descr = "stack-buffer-overflow";
+        bug_type_score = 25;
+        far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
         break;
       case kAsanStackAfterReturnMagic:
         bug_descr = "stack-use-after-return";
+        bug_type_score = 30;
         break;
       case kAsanUserPoisonedMemoryMagic:
         bug_descr = "use-after-poison";
+        bug_type_score = 10;
         break;
       case kAsanContiguousContainerOOBMagic:
         bug_descr = "container-overflow";
+        bug_type_score = 10;
         break;
       case kAsanStackUseAfterScopeMagic:
         bug_descr = "stack-use-after-scope";
+        bug_type_score = 10;
         break;
       case kAsanGlobalRedzoneMagic:
         bug_descr = "global-buffer-overflow";
+        bug_type_score = 10;
+        far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
         break;
       case kAsanIntraObjectRedzone:
         bug_descr = "intra-object-overflow";
+        bug_type_score = 10;
         break;
       case kAsanAllocaLeftMagic:
       case kAsanAllocaRightMagic:
         bug_descr = "dynamic-stack-buffer-overflow";
+        bug_type_score = 25;
+        far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
         break;
     }
+    SS.Scare(bug_type_score, bug_descr);
+    if (far_from_bounds)
+      SS.Scare(10, "far-from-bounds");
   }
 
   ReportData report = { pc, sp, bp, addr, (bool)is_write, access_size,
@@ -1120,6 +1174,7 @@ void ReportGenericError(uptr pc, uptr bp
          ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)),
          d.EndAccess());
 
+  SS.Print();
   GET_STACK_TRACE_FATAL(pc, bp);
   stack.Print();
 

Added: compiler-rt/trunk/lib/asan/asan_scariness_score.h
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/lib/asan/asan_scariness_score.h?rev=260128&view=auto
==============================================================================
--- compiler-rt/trunk/lib/asan/asan_scariness_score.h (added)
+++ compiler-rt/trunk/lib/asan/asan_scariness_score.h Mon Feb  8 13:21:08 2016
@@ -0,0 +1,65 @@
+//===-- asan_scariness_score.h ----------------------------------*- C++ -*-===//
+//
+//                     The LLVM Compiler Infrastructure
+//
+// This file is distributed under the University of Illinois Open Source
+// License. See LICENSE.TXT for details.
+//
+//===----------------------------------------------------------------------===//
+//
+// This file is a part of AddressSanitizer, an address sanity checker.
+//
+// Compute the level of scariness of the error message.
+// Don't expect any deep science here, just a set of heuristics that suggest
+// that e.g. 1-byte-read-global-buffer-overflow is less scary than
+// 8-byte-write-stack-use-after-return.
+//
+// Every error report has one or more features, such as memory access size,
+// type (read or write), type of accessed memory (e.g. free-d heap, or a global
+// redzone), etc. Every such feature has an int score and a string description.
+// The overall score is the sum of all feature scores and the description
+// is a concatenation of feature descriptions.
+// Examples:
+//  17 (4-byte-read-heap-buffer-overflow)
+//  65 (multi-byte-write-stack-use-after-return)
+//  10 (null-deref)
+//
+//===----------------------------------------------------------------------===//
+
+#ifndef ASAN_SCARINESS_SCORE_H
+#define ASAN_SCARINESS_SCORE_H
+
+#include "asan_flags.h"
+#include "sanitizer_common/sanitizer_common.h"
+#include "sanitizer_common/sanitizer_libc.h"
+
+namespace __asan {
+class ScarinessScore {
+ public:
+  ScarinessScore() {}
+  void Scare(int add_to_score, const char *reason) {
+    if (descr[0])
+      internal_strlcat(descr, "-", sizeof(descr));
+    internal_strlcat(descr, reason, sizeof(descr));
+    score += add_to_score;
+  };
+  int GetScore() const { return score; }
+  const char *GetDescription() const { return descr; }
+  void Print() {
+    if (score && flags()->print_scariness)
+      Printf("SCARINESS: %d (%s)\n", score, descr);
+  }
+  static void PrintSimple(int score, const char *descr) {
+    ScarinessScore SS;
+    SS.Scare(score, descr);
+    SS.Print();
+  }
+
+ private:
+  int score = 0;
+  char descr[1024] = {0};
+};
+
+}  // namespace __asan
+
+#endif  // ASAN_SCARINESS_SCORE_H

Added: compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc
URL: http://llvm.org/viewvc/llvm-project/compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc?rev=260128&view=auto
==============================================================================
--- compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc (added)
+++ compiler-rt/trunk/test/asan/TestCases/Linux/scariness_score_test.cc Mon Feb  8 13:21:08 2016
@@ -0,0 +1,178 @@
+// Test how we produce the scariness score.
+
+// RUN: %clangxx_asan -O0 %s -o %t
+// RUN: export %env_asan_opts=detect_stack_use_after_return=1:handle_abort=1:print_scariness=1
+// RUN: not %run %t  1 2>&1 | FileCheck %s --check-prefix=CHECK1
+// RUN: not %run %t  2 2>&1 | FileCheck %s --check-prefix=CHECK2
+// RUN: not %run %t  3 2>&1 | FileCheck %s --check-prefix=CHECK3
+// RUN: not %run %t  4 2>&1 | FileCheck %s --check-prefix=CHECK4
+// RUN: not %run %t  5 2>&1 | FileCheck %s --check-prefix=CHECK5
+// RUN: not %run %t  6 2>&1 | FileCheck %s --check-prefix=CHECK6
+// RUN: not %run %t  7 2>&1 | FileCheck %s --check-prefix=CHECK7
+// RUN: not %run %t  8 2>&1 | FileCheck %s --check-prefix=CHECK8
+// RUN: not %run %t  9 2>&1 | FileCheck %s --check-prefix=CHECK9
+// RUN: not %run %t 10 2>&1 | FileCheck %s --check-prefix=CHECK10
+// RUN: not %run %t 11 2>&1 | FileCheck %s --check-prefix=CHECK11
+// RUN: not %run %t 12 2>&1 | FileCheck %s --check-prefix=CHECK12
+// RUN: not %run %t 13 2>&1 | FileCheck %s --check-prefix=CHECK13
+// RUN: not %run %t 14 2>&1 | FileCheck %s --check-prefix=CHECK14
+// RUN: not %run %t 15 2>&1 | FileCheck %s --check-prefix=CHECK15
+// RUN: not %run %t 16 2>&1 | FileCheck %s --check-prefix=CHECK16
+// RUN: not %run %t 17 2>&1 | FileCheck %s --check-prefix=CHECK17
+// Stack overflow may not trigger under GNU make.
+// DISABLED: not %run %t 18 2>&1 | FileCheck %s --check-prefix=CHECK18
+// RUN: not %run %t 19 2>&1 | FileCheck %s --check-prefix=CHECK19
+// RUN: not %run %t 20 2>&1 | FileCheck %s --check-prefix=CHECK20
+// RUN: not %run %t 21 2>&1 | FileCheck %s --check-prefix=CHECK21
+// RUN: not %run %t 22 2>&1 | FileCheck %s --check-prefix=CHECK22
+// RUN: not %run %t 23 2>&1 | FileCheck %s --check-prefix=CHECK23
+// RUN: not %run %t 24 2>&1 | FileCheck %s --check-prefix=CHECK24
+// RUN: not %run %t 25 2>&1 | FileCheck %s --check-prefix=CHECK25
+// RUN: not %run %t 26 2>&1 | FileCheck %s --check-prefix=CHECK26
+// Parts of the test are too platform-specific:
+// REQUIRES: x86_64-supported-target
+#include <stdlib.h>
+#include <stdio.h>
+#include <string.h>
+
+enum ReadOrWrite { Read = 0, Write = 1 };
+
+struct S32 {
+  char x[32];
+};
+
+template<class T>
+void HeapBuferOverflow(int Idx, ReadOrWrite w) {
+  T *t = new T[100];
+  static T sink;
+  if (w)
+    t[100 + Idx] = T();
+  else
+    sink = t[100 + Idx];
+  delete [] t;
+}
+
+template<class T>
+void HeapUseAfterFree(int Idx, ReadOrWrite w) {
+  T *t = new T[100];
+  static T sink;
+  sink = t[0];
+  delete [] t;
+  if (w)
+    t[Idx] = T();
+  else
+    sink = t[Idx];
+}
+
+template<class T>
+void StackBufferOverflow(int Idx, ReadOrWrite w) {
+  T t[100];
+  static T sink;
+  sink = t[Idx];
+  if (w)
+    t[100 + Idx] = T();
+  else
+    sink = t[100 + Idx];
+}
+
+template<class T>
+T *LeakStack() {
+  T t[100];
+  static volatile T *x;
+  x = &t[0];
+  return (T*)x;
+}
+
+template<class T>
+void StackUseAfterReturn(int Idx, ReadOrWrite w) {
+  static T sink;
+  T *t = LeakStack<T>();
+  if (w)
+    t[100 + Idx] = T();
+  else
+    sink = t[100 + Idx];
+}
+
+char    g1[100];
+short   g2[100];
+int     g4[100];
+int64_t g8[100];
+S32     gm[100];
+
+void DoubleFree() {
+  int *x = new int;
+  static volatile int two = 2;
+  for (int i = 0; i < two; i++)
+    delete x;
+}
+
+void StackOverflow(int Idx) {
+  int some_stack[10000];
+  static volatile int *x;
+  x = &some_stack[0];
+  if (Idx > 0)
+    StackOverflow(Idx - 1);
+}
+
+int main(int argc, char **argv) {
+  char arr[100];
+  static volatile int zero = 0;
+  static volatile int *zero_ptr = 0;
+  static volatile int *wild_addr = (int*)0x10000000; // System-dependent.
+  if (argc != 2) return 1;
+  int kind = atoi(argv[1]);
+  switch (kind) {
+    case 1: HeapBuferOverflow<char>(0, Read); break;
+    case 2: HeapBuferOverflow<int>(0, Read); break;
+    case 3: HeapBuferOverflow<short>(0, Write); break;
+    case 4: HeapBuferOverflow<int64_t>(2, Write); break;
+    case 5: HeapBuferOverflow<S32>(4, Write); break;
+    case 6: HeapUseAfterFree<char>(0, Read); break;
+    case 7: HeapUseAfterFree<int>(0, Write); break;
+    case 8: HeapUseAfterFree<int64_t>(0, Read); break;
+    case 9: HeapUseAfterFree<S32>(0, Write); break;
+    case 10: StackBufferOverflow<char>(0, Write); break;
+    case 11: StackBufferOverflow<int64_t>(0, Read); break;
+    case 12: StackBufferOverflow<int>(4, Write); break;
+    case 13: StackUseAfterReturn<char>(0, Read); break;
+    case 14: StackUseAfterReturn<S32>(0, Write); break;
+    case 15: g1[zero + 100] = 0; break;
+    case 16: gm[0] = gm[zero + 100 + 1]; break;
+    case 17: DoubleFree(); break;
+    case 18: StackOverflow(1000000); break;
+    case 19: *zero_ptr = 0; break;
+    case 20: *wild_addr = 0; break;
+    case 21: zero = *wild_addr; break;
+    case 22: abort(); break;
+    case 23: ((void (*)(void))wild_addr)(); break;
+    case 24: delete (new int[10]); break;
+    case 25: free((char*)malloc(100) + 10); break;
+    case 26: memcpy(arr, arr+10, 20);  break;
+    // CHECK1: SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
+    // CHECK2: SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
+    // CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
+    // CHECK4: SCARINESS: 52 (8-byte-write-heap-buffer-overflow-far-from-bounds)
+    // CHECK5: SCARINESS: 55 (multi-byte-write-heap-buffer-overflow-far-from-bounds)
+    // CHECK6: SCARINESS: 22 (1-byte-read-heap-use-after-free)
+    // CHECK7: SCARINESS: 46 (4-byte-write-heap-use-after-free)
+    // CHECK8: SCARINESS: 33 (8-byte-read-heap-use-after-free)
+    // CHECK9: SCARINESS: 55 (multi-byte-write-heap-use-after-free)
+    // CHECK10: SCARINESS: 46 (1-byte-write-stack-buffer-overflow)
+    // CHECK11: SCARINESS: 38 (8-byte-read-stack-buffer-overflow)
+    // CHECK12: SCARINESS: 61 (4-byte-write-stack-buffer-overflow-far-from-bounds)
+    // CHECK13: SCARINESS: 32 (1-byte-read-stack-use-after-return)
+    // CHECK14: SCARINESS: 65 (multi-byte-write-stack-use-after-return)
+    // CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
+    // CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)
+    // CHECK17: SCARINESS: 42 (double-free)
+    // CHECK18: SCARINESS: 15 (stack-overflow)
+    // CHECK19: SCARINESS: 10 (null-deref)
+    // CHECK20: SCARINESS: 30 (wild-addr-write)
+    // CHECK21: SCARINESS: 20 (wild-addr-read)
+    // CHECK22: SCARINESS: 10 (signal)
+    // CHECK23: SCARINESS: 60 (wild-jump)
+    // CHECK24: SCARINESS: 10 (alloc-dealloc-mismatch)
+    // CHECK25: SCARINESS: 10 (bad-free)
+    // CHECK26: SCARINESS: 10 (memcpy-param-overlap)
+  }
+}




More information about the llvm-commits mailing list