[compiler-rt] [win/asan] Improve SharedReAlloc with HEAP_REALLOC_IN_PLACE_ONLY. (PR #132558)

via llvm-commits llvm-commits at lists.llvm.org
Wed May 28 11:34:44 PDT 2025 

bernhardu wrote:

> > > Currently it prints only a "use-after-poison" message, not a proper "heap-buffer-overflow" with a hint to a reallocation.
> > 
> > 
> > This will be confusing to users and could lead them on a wild good chase, looking for bugs in poisoning.
> 
> I will try to improve the message and try to avoid the bare "use-after-poison".

I made now a bigger modification, which still tries to leave the chunk in an allocated state. But to show the stack of the partially free needed disabling a few checks `IsQuarantined`.

<details>
  <summary>An example output of the test is here, would that be usable?</summary>

```  
Okay 6
Okay 14
=================================================================
==572==ERROR: AddressSanitizer: heap-use-after-free on address 0x7eb83cbe001f at pc 0x000140001663 bp 0x7ffffe1ffdd0 sp 0x7ffffe1ffe18
WRITE of size 1 at 0x7eb83cbe001f thread T0
    #0 0x000140001662 in main ...\compiler-rt\test\asan\TestCases\Windows\rtlallocateheap_realloc_in_place.cpp:63:14
    #1 0x000140001338 in __tmainCRTStartup .../crt\crtexe.c:259:15
    #2 0x000140001395 in .l_start .../crt\crtexe.c:179:9
    #3 0x6fffffc45aa0 in BaseThreadInitThunk .../wine/dlls/kernel32/thread.c:61:24
    #4 0x6fffffdcc896 in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x17004c896)

0x7eb83cbe001f is located 15 bytes inside of 23-byte region [0x7eb83cbe0010,0x7eb83cbe0027)
partially freed by thread T0 here:
    #0 0x6ffffba6c316 in __asan::SharedReAlloc(void* (*)(void*, unsigned long, void*, unsigned long long), unsigned long long (*)(void*, unsigned long, void*), int (*)(void*, unsigned long, void*), void* (*)(void*, unsigned long, unsigned long long), void*, unsigned long, void*, unsigned long long) C:/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan\asan_malloc_win.cpp:270:3
    #1 0x6ffffba6c76a in HeapReAlloc C:/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan\asan_malloc_win.cpp:404:10
    #2 0x0001400015b5 in main ...\compiler-rt\test\asan\TestCases\Windows\rtlallocateheap_realloc_in_place.cpp:53:9
    #3 0x000140001338 in __tmainCRTStartup .../crt\crtexe.c:259:15
    #4 0x000140001395 in .l_start .../crt\crtexe.c:179:9
    #5 0x6fffffc45aa0 in BaseThreadInitThunk .../wine/dlls/kernel32/thread.c:61:24
    #6 0x6fffffdcc896 in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x17004c896)

previously allocated by thread T0 here:
    #0 0x6ffffba6bff8 in HeapAlloc C:/llvm-mingw/llvm-mingw/llvm-project/compiler-rt/lib/asan\asan_malloc_win.cpp:231:3
    #1 0x0001400014f0 in main ...\compiler-rt\test\asan\TestCases\Windows\rtlallocateheap_realloc_in_place.cpp:41:20
    #2 0x000140001338 in __tmainCRTStartup .../crt\crtexe.c:259:15
    #3 0x000140001395 in .l_start .../crt\crtexe.c:179:9
    #4 0x6fffffc45aa0 in BaseThreadInitThunk .../wine/dlls/kernel32/thread.c:61:24
    #5 0x6fffffdcc896 in RtlUserThreadStart (C:\windows\system32\ntdll.dll+0x17004c896)

SUMMARY: AddressSanitizer: heap-use-after-free ...\compiler-rt\test\asan\TestCases\Windows\rtlallocateheap_realloc_in_place.cpp:63:14 in main
Shadow bytes around the buggy address:
  0x7eb83cbdfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7eb83cbdfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7eb83cbdfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7eb83cbdff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7eb83cbdff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7eb83cbe0000: fa fa 00[07]fd fd fa fa fa fa fa fa fa fa fa fa
  0x7eb83cbe0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eb83cbe0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eb83cbe0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eb83cbe0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x7eb83cbe0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==572==ABORTING
```
</details>


https://github.com/llvm/llvm-project/pull/132558

More information about the llvm-commits mailing list