[compiler-rt] [asan] Fix `unknown-crash` being reported for multi-byte errors, and incorrect memory access addresses being reported (PR #144480)
via llvm-commits
llvm-commits at lists.llvm.org
Tue Jul 29 00:06:32 PDT 2025
wxwern wrote:
After further testing, it seems changing it to `__asan_region_is_poisoned` has more side effects than expected on the original `wild_pointer.cpp` (tentatively renamed to `heap-overflow-large-read.cpp`).
Without this patch, it originally outputs something like:
```
ERROR: AddressSanitizer: unknown-crash on address 0x4568018703436799 at pc 0x5e95bdbf4263 bp 0x7ffc7bc601c0 sp 0x7ffc7bc5f980
READ of size 5001116549197948809 at 0x4568018703436799 thread T0
:
:
Address 0x4568018703436799 is a wild pointer inside of access range of size 0x4567890123456789.
```
The patch with the while-loop allows it to be reported as a `heap-buffer-overflow` (which is most appropriate).
It looks something like:
```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7921821e0010 at pc 0x55b05df80bfe bp 0x7ffedac15910 sp 0x7ffedac150d8
READ of size 5001116549197948809 at 0x7921821e0010 thread T0
:
:
Shadow bytes around the buggy address:
0x7921821dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7921821dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7921821dfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7921821dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7921821dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7921821e0000: fa fa[01]fa fa fa 01 fa fa fa fa fa fa fa fa fa
0x7921821e0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7921821e0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7921821e0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7921821e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x7921821e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
:
:
```
However, changing it to `__asan_region_is_poisoned` causes it to flag `unknown-crash`, as the start address is still on the heap, but `__asan_region_is_poisoned` does not output the heap shadow byte in this case [because it bails out early](https://github.com/llvm/llvm-project/blob/3ea3e334cc19cdd34416b546ac4b4a24b2018a28/compiler-rt/lib/asan/asan_poisoning.cpp#L245-L248). It also no longer outputs `Address ... is a wild pointer`, since with the `__bad` to `__offset` replacement the provided address (the start address) is no longer a wild pointer (technically it never was, but the code previously treated it as such).
It looks something like:
```
ERROR: AddressSanitizer: unknown-crash on address 0x772b749e0010 at pc 0x591728c2aafe bp 0x7ffcd48fad20 sp 0x7ffcd48fa4e8
READ of size 5001116549197948809 at 0x772b749e0010 thread T0
:
:
Shadow bytes around the buggy address:
0x772b749dfd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x772b749dfe00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x772b749dfe80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x772b749dff00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x772b749dff80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x772b749e0000: fa fa[01]fa fa fa 01 fa fa fa fa fa fa fa fa fa
0x772b749e0080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x772b749e0100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x772b749e0180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x772b749e0200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x772b749e0280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
:
:
```
I'm not really sure what to do in this case - should I leave it as the while-loop, remove the wild pointer test, or maybe something else?
https://github.com/llvm/llvm-project/pull/144480
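Added example, not compiler-rt code and not part of the PR or the message above: a small C model of what the two reports quoted in the message are doing when they pick the address and the bug name for a multi-byte access. It uses only the shadow encodings printed in every ASan report legend (one shadow byte per 8 application bytes; `00` fully addressable; `01`..`07` only the first k bytes addressable; `fa` heap left redzone; `fd` freed heap region). The shadow contents are constructed from two rows of the dump quoted above (the all-`00` row at `0x7921821dff80` and the `=>` row at `0x7921821e0000`). The function names, the granule-by-granule scan, the rule of consulting the following shadow byte for a partially addressable granule, and the clamp for sizes that wrap the address space are this example's own assumptions, not a description of how compiler-rt implements them; a 64-bit address space is assumed.

```c
/* Model of how an ASan-style report locates the first poisoned byte of a
 * multi-byte access and names the bug from shadow memory.
 * Added example; not compiler-rt code. Shadow contents are constructed from
 * the report dump quoted in the discussion above. Assumes 64-bit pointers. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

_Static_assert(sizeof(uintptr_t) == 8, "model assumes a 64-bit address space");

/* Shadow encodings as printed in the ASan report legend. */
#define SHADOW_HEAP_LEFT_REDZONE 0xfa
#define SHADOW_FREED_HEAP        0xfd

/* Constructed shadow: two 16-byte rows, each covering 128 application bytes,
 * copied from the dump: the all-00 row at 0x7921821dff80 and the "=>" row at
 * 0x7921821e0000 (fa fa 01 fa fa fa 01 fa fa ...). */
static const uintptr_t kModelBase = (uintptr_t)0x7921821dff80ULL;
static const uint8_t kShadow[32] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0xfa, 0xfa, 0x01, 0xfa, 0xfa, 0xfa, 0x01, 0xfa,
    0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa, 0xfa,
};

/* Shadow byte for an application address, or -1 when the address lies outside
 * the modelled shadow (the "wild pointer" situation from the first report). */
static int shadow_for(uintptr_t addr) {
    uintptr_t span = (uintptr_t)sizeof(kShadow) * 8;   /* application bytes covered */
    if (addr < kModelBase || addr - kModelBase >= span) return -1;
    return kShadow[(addr - kModelBase) >> 3];
}

typedef struct {
    int poisoned;     /* 1 if some byte of the access is poisoned */
    uintptr_t addr;   /* first poisoned application address when poisoned == 1 */
} ScanResult;

/* Scan [beg, beg+size) one 8-byte granule at a time and stop at the first
 * poisoned byte (the "while-loop" approach): the address reported is the first
 * bad byte, not the start of the access. Wild sizes that would wrap past the
 * end of the address space are clamped to UINTPTR_MAX. */
static ScanResult scan_access(uintptr_t beg, uintptr_t size) {
    ScanResult r = {0, 0};
    if (size == 0) return r;
    uintptr_t last = (size - 1 > UINTPTR_MAX - beg) ? UINTPTR_MAX : beg + (size - 1);
    uintptr_t a = beg;
    for (;;) {
        int s = shadow_for(a);
        if (s < 0) { r.poisoned = 1; r.addr = a; return r; }   /* no shadow: wild */
        if (s == 0) {                           /* whole granule addressable */
            uintptr_t next = (a | 7) + 1;       /* first byte of the next granule */
            if (next == 0 || next > last) return r;   /* next == 0: wrapped around */
            a = next;
            continue;
        }
        if (s <= 7) {                           /* only the first s bytes addressable */
            uintptr_t bad = (a & ~(uintptr_t)7) + (uintptr_t)s;
            if (a < bad && bad > last) return r;    /* access ends inside the prefix */
            r.poisoned = 1;
            r.addr = (a < bad) ? bad : a;
            return r;
        }
        r.poisoned = 1; r.addr = a;             /* redzone, freed, or other poison */
        return r;
    }
}

/* Name the bug the way the report header does. A partially addressable granule
 * (01..07) only says where the object ends, so this model consults the shadow
 * byte of the following granule to learn what kind of poison follows; for the
 * access in the report that byte is fa, hence heap-buffer-overflow. */
static const char *classify(uintptr_t bad) {
    int s = shadow_for(bad);
    if (s >= 1 && s <= 7) s = shadow_for((bad | 7) + 1);
    switch (s) {
    case SHADOW_HEAP_LEFT_REDZONE: return "heap-buffer-overflow";
    case SHADOW_FREED_HEAP:        return "heap-use-after-free";
    default:                       return "unknown-crash";   /* includes s < 0 */
    }
}

/* One string per access: "clean" or the bug name for its first poisoned byte. */
static const char *report_kind(uintptr_t beg, uintptr_t size) {
    ScanResult r = scan_access(beg, size);
    return r.poisoned ? classify(r.addr) : "clean";
}

int main(void) {
    /* Address and size from the "READ of size ..." line of the second report. */
    const uintptr_t beg = (uintptr_t)0x7921821e0010ULL;
    const uintptr_t size = (uintptr_t)5001116549197948809ULL;
    ScanResult r = scan_access(beg, size);
    printf("READ of size %" PRIuPTR " at 0x%" PRIxPTR ": %s", size, beg, report_kind(beg, size));
    if (r.poisoned) printf(" (first poisoned byte 0x%" PRIxPTR ")", r.addr);
    printf("\n");
    return 0;
}
```

Build with `cc -std=c11 -Wall model.c`. For the access quoted in the message the scan stops at `0x7921821e0011`, one byte past the single addressable byte of the `01` granule, and the following `fa` makes it a heap-buffer-overflow; an access whose start lies outside the modelled shadow (the `0x4568018703436799` address from the first report) has no shadow to classify and falls through to unknown-crash, and a 16-byte read starting at `0x7921821dfff8` is reported at `0x7921821e0000`, the first redzone byte, rather than at its start.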