asan_report.cc revision 031633bef8dff03f4e8943a12e34856bd66bbc78
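//===-- asan_report.cc ----------------------------------------------------===//
//
// The LLVM Compiler Infrastructure
//
// This file is distributed under the University of Illinois Open Source
// License. See LICENSE.TXT for details.
//
//===----------------------------------------------------------------------===//
//
// This file is a part of AddressSanitizer, an address sanity checker.
//
// This file contains error reporting code.
//===----------------------------------------------------------------------===//
#include "asan_flags.h"
#include "asan_internal.h"
#include "asan_mapping.h"
#include "asan_report.h"
#include "asan_stack.h"
#include "asan_thread.h"
#include "asan_thread_registry.h"

namespace __asan {

// -------------------- User-specified callbacks ----------------- {{{1
// Installed by __asan_set_error_report_callback(). While a callback is set,
// report text is also accumulated in error_message_buffer so the callback
// can receive the complete report in one piece (see ~ScopedInErrorReport).
static void (*error_report_callback)(const char*);
static char *error_message_buffer = 0;
static uptr error_message_buffer_pos = 0;
static uptr error_message_buffer_size = 0;

// Appends |buffer| to the error message buffer, if one is installed.
// Text beyond the end of the buffer is dropped; the buffer is always left
// NUL-terminated, so a truncated report is still a valid C string.
void AppendToErrorMessageBuffer(const char *buffer) {
  if (!error_message_buffer)
    return;
  uptr length = internal_strlen(buffer);
  CHECK_GE(error_message_buffer_size, error_message_buffer_pos);
  uptr remaining = error_message_buffer_size - error_message_buffer_pos;
  // internal_strncpy does not terminate on truncation, hence the explicit
  // terminator written at the last byte below.
  internal_strncpy(error_message_buffer + error_message_buffer_pos,
                   buffer, remaining);
  error_message_buffer[error_message_buffer_size - 1] = '\0';
  // FIXME: reallocate the buffer instead of truncating the message.
  error_message_buffer_pos += Min(length, remaining);
}

// ---------------------- Helper functions ----------------------- {{{1

// Prints one machine word starting at |a| as hex bytes, prefixed by |before|.
static void PrintBytes(const char *before, uptr *a) {
  u8 *bytes = (u8*)a;
  uptr byte_num = (__WORDSIZE) / 8;
  Printf("%s%p:", before, (void*)a);
  for (uptr i = 0; i < byte_num; i++) {
    Printf(" %x%x", bytes[i] >> 4, bytes[i] & 15);
  }
  Printf("\n");
}

// Dumps the shadow byte for |addr| plus the surrounding shadow words
// (4 words on each side). Does nothing for addresses outside app memory,
// since those have no shadow.
static void PrintShadowMemoryForAddress(uptr addr) {
  if (!AddrIsInMem(addr))
    return;
  uptr shadow_addr = MemToShadow(addr);
  Printf("Shadow byte and word:\n");
  Printf(" %p: %x\n", (void*)shadow_addr, *(unsigned char*)shadow_addr);
  uptr aligned_shadow = shadow_addr & ~(kWordSize - 1);
  PrintBytes(" ", (uptr*)(aligned_shadow));
  Printf("More shadow bytes:\n");
  for (int i = -4; i <= 4; i++) {
    const char *prefix = (i == 0) ? "=>" : " ";
    PrintBytes(prefix, (uptr*)(aligned_shadow + i * kWordSize));
  }
}

// Prints which malloc zone (Mac) |ptr| belongs to. |zone_ptr| == 0 means
// the pointer is not owned by any zone; |zone_name| may be null.
static void PrintZoneForPointer(uptr ptr, uptr zone_ptr,
                                const char *zone_name) {
  if (!zone_ptr) {
    Printf("malloc_zone_from_ptr(%p) = 0\n", ptr);
    return;
  }
  if (zone_name) {
    Printf("malloc_zone_from_ptr(%p) = %p, which is %s\n",
           ptr, zone_ptr, zone_name);
  } else {
    Printf("malloc_zone_from_ptr(%p) = %p, which doesn't have a name\n",
           ptr, zone_ptr);
  }
}

// ---------------------- Address Descriptions ------------------- {{{1

// Note: control characters (including NUL) count as ASCII here.
static bool IsASCII(unsigned char c) {
  return /*0x00 <= c &&*/ c <= 0x7F;
}

// Check if the global is a zero-terminated ASCII string. If so, print it.
static void PrintGlobalNameIfASCII(const __asan_global &g) {
  // An empty global has no last byte to inspect; without this guard the
  // `g.size - 1` below would read one byte before the global.
  if (g.size == 0) return;
  for (uptr p = g.beg; p < g.beg + g.size - 1; p++) {
    if (!IsASCII(*(unsigned char*)p)) return;
  }
  if (*(char*)(g.beg + g.size - 1) != 0) return;
  Printf(" '%s' is ascii string '%s'\n", g.name, (char*)g.beg);
}

// Describes |addr| in terms of global |g| if it falls inside the global or
// its redzones. Returns false (printing nothing) otherwise.
bool DescribeAddressRelativeToGlobal(uptr addr, const __asan_global &g) {
  if (addr < g.beg - kGlobalAndStackRedzone) return false;
  if (addr >= g.beg + g.size_with_redzone) return false;
  Printf("%p is located ", (void*)addr);
  if (addr < g.beg) {
    Printf("%zd bytes to the left", g.beg - addr);
  } else if (addr >= g.beg + g.size) {
    Printf("%zd bytes to the right", addr - (g.beg + g.size));
  } else {
    Printf("%zd bytes inside", addr - g.beg);  // Can it happen?
  }
  Printf(" of global variable '%s' (0x%zx) of size %zu\n",
         g.name, g.beg, g.size);
  PrintGlobalNameIfASCII(g);
  return true;
}

// Reports an address that lies in the shadow or the shadow gap.
// Returns false for ordinary application memory. Any address that is
// neither is an internal inconsistency and fails the CHECK.
bool DescribeAddressIfShadow(uptr addr) {
  if (AddrIsInMem(addr))
    return false;
  static const char kAddrInShadowReport[] =
      "Address %p is located in the %s.\n";
  if (AddrIsInShadowGap(addr)) {
    Printf(kAddrInShadowReport, addr, "shadow gap area");
    return true;
  }
  if (AddrIsInHighShadow(addr)) {
    Printf(kAddrInShadowReport, addr, "high shadow area");
    return true;
  }
  if (AddrIsInLowShadow(addr)) {
    Printf(kAddrInShadowReport, addr, "low shadow area");
    return true;
  }
  CHECK(0 && "Address is not in memory and not in shadow?");
  return false;
}

// Describes |addr| if it belongs to some thread's stack: prints the frame
// name, the offset within the frame and the frame's stack objects, parsed
// from the compiler-generated frame descriptor. Returns false otherwise.
bool DescribeAddressIfStack(uptr addr, uptr access_size) {
  AsanThread *t = asanThreadRegistry().FindThreadByStackAddress(addr);
  if (!t) return false;
  const sptr kBufSize = 4095;
  char buf[kBufSize];
  // internal_strncat(buf, src, n) writes up to n characters AND a NUL into
  // an empty buf, so the copy bound must leave one byte for the terminator.
  const sptr kMaxCopy = kBufSize - 1;
  uptr offset = 0;
  const char *frame_descr = t->GetFrameNameByAddr(addr, &offset);
  // This string is created by the compiler and has the following form:
  //   "FunctioName n alloc_1 alloc_2 ... alloc_n"
  // where alloc_i looks like "offset size len ObjectName ".
  // It is produced by instrumentation rather than by user data, but the
  // parser below still refuses to walk past its end.
  CHECK(frame_descr);
  // Report the function name and the offset.
  const char *name_end = internal_strchr(frame_descr, ' ');
  CHECK(name_end);
  buf[0] = 0;
  internal_strncat(buf, frame_descr,
                   Min(kMaxCopy,
                       static_cast<sptr>(name_end - frame_descr)));
  Printf("Address %p is located at offset %zu "
         "in frame <%s> of T%d's stack:\n",
         (void*)addr, offset, buf, t->tid());
  // Report the number of stack objects.
  char *p;
  uptr n_objects = internal_simple_strtoll(name_end, &p, 10);
  CHECK(n_objects > 0);
  Printf(" This frame has %zu object(s):\n", n_objects);
  // Report all objects in this frame.
  for (uptr i = 0; i < n_objects; i++) {
    uptr beg, size;
    sptr len;
    beg  = internal_simple_strtoll(p, &p, 10);
    size = internal_simple_strtoll(p, &p, 10);
    len  = internal_simple_strtoll(p, &p, 10);
    // beg and size are unsigned, so the "<= 0" checks reject only zero.
    if (beg <= 0 || size <= 0 || len < 0 || *p != ' ') {
      Printf("AddressSanitizer can't parse the stack frame "
             "descriptor: |%s|\n", frame_descr);
      break;
    }
    p++;
    // A name length larger than what remains of the descriptor would make
    // the `p += len` below step past the terminating NUL.
    if (static_cast<uptr>(len) > internal_strlen(p)) {
      Printf("AddressSanitizer can't parse the stack frame "
             "descriptor: |%s|\n", frame_descr);
      break;
    }
    buf[0] = 0;
    internal_strncat(buf, p, Min(kMaxCopy, len));
    p += len;
    Printf(" [%zu, %zu) '%s'\n", beg, beg + size, buf);
  }
  Printf("HINT: this may be a false positive if your program uses "
         "some custom stack unwind mechanism\n"
         " (longjmp and C++ exceptions *are* supported)\n");
  DescribeThread(t->summary());
  return true;
}

// Prints where |addr| (accessed with |access_size| bytes) lies relative to
// the heap chunk |chunk|: inside it, or to its left or right.
static void DescribeAccessToHeapChunk(AsanChunkView chunk, uptr addr,
                                      uptr access_size) {
  uptr offset;
  Printf("%p is located ", (void*)addr);
  if (chunk.AddrIsInside(addr, access_size, &offset)) {
    Printf("%zu bytes inside of", offset);
  } else if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {
    Printf("%zu bytes to the left of", offset);
  } else if (chunk.AddrIsAtRight(addr, access_size, &offset)) {
    Printf("%zu bytes to the right of", offset);
  } else {
    // None of the three predicates matched, which the chunk lookup should
    // have made impossible.
    Printf(" somewhere around (this is AddressSanitizer bug!)");
  }
  Printf(" %zu-byte region [%p,%p)\n", chunk.UsedSize(),
         (void*)(chunk.Beg()), (void*)(chunk.End()));
}

// Describes the heap chunk containing (or nearest to) |addr|, including the
// allocation stack and, for freed chunks, the free stack. Silently does
// nothing if no chunk is found for the address.
void DescribeHeapAddress(uptr addr, uptr access_size) {
  AsanChunkView chunk = FindHeapChunkByAddress(addr);
  if (!chunk.IsValid()) return;
  DescribeAccessToHeapChunk(chunk, addr, access_size);
  CHECK(chunk.AllocTid() != kInvalidTid);
  AsanThreadSummary *alloc_thread =
      asanThreadRegistry().FindByTid(chunk.AllocTid());
  // Fail loudly rather than dereferencing a null summary below.
  CHECK(alloc_thread);
  StackTrace alloc_stack;
  chunk.GetAllocStack(&alloc_stack);
  AsanThread *t = asanThreadRegistry().GetCurrent();
  CHECK(t);
  if (chunk.FreeTid() != kInvalidTid) {
    AsanThreadSummary *free_thread =
        asanThreadRegistry().FindByTid(chunk.FreeTid());
    CHECK(free_thread);
    Printf("freed by thread T%d here:\n", free_thread->tid());
    StackTrace free_stack;
    chunk.GetFreeStack(&free_stack);
    PrintStack(&free_stack);
    Printf("previously allocated by thread T%d here:\n", alloc_thread->tid());
    PrintStack(&alloc_stack);
    DescribeThread(t->summary());
    DescribeThread(free_thread);
    DescribeThread(alloc_thread);
  } else {
    Printf("allocated by thread T%d here:\n", alloc_thread->tid());
    PrintStack(&alloc_stack);
    DescribeThread(t->summary());
    DescribeThread(alloc_thread);
  }
}

// Describes |addr| by trying, in order: shadow/shadow gap, globals, stacks,
// and finally the heap (the fall-through assumption).
void DescribeAddress(uptr addr, uptr access_size) {
  // Check if this is shadow or shadow gap.
  if (DescribeAddressIfShadow(addr))
    return;
  CHECK(AddrIsInMem(addr));
  if (DescribeAddressIfGlobal(addr))
    return;
  if (DescribeAddressIfStack(addr, access_size))
    return;
  // Assume it is a heap address.
  DescribeHeapAddress(addr, access_size);
}

// ------------------- Thread description -------------------- {{{1

// Prints the creation stack of the thread described by |summary| once per
// report (the "announced" flag prevents repeats). The main thread (T0) is
// never announced. With print_full_thread_history the parent chain is
// announced recursively.
void DescribeThread(AsanThreadSummary *summary) {
  CHECK(summary);
  // No need to announce the main thread.
  if (summary->tid() == 0 || summary->announced()) {
    return;
  }
  summary->set_announced(true);
  Printf("Thread T%d created by T%d here:\n",
         summary->tid(), summary->parent_tid());
  PrintStack(summary->stack());
  // Recursively described parent thread if needed.
  if (flags()->print_full_thread_history) {
    AsanThreadSummary *parent_summary =
        asanThreadRegistry().FindByTid(summary->parent_tid());
    DescribeThread(parent_summary);
  }
}

// -------------------- Different kinds of reports ----------------- {{{1

// Use ScopedInErrorReport to run common actions just before and
// immediately after printing error report.
//
// Only one report is ever printed per process: the first thread to enter
// the constructor wins, any later entrant (another thread, or the same
// thread hitting a bug while reporting) is parked and then exits.
class ScopedInErrorReport {
 public:
  ScopedInErrorReport() {
    static atomic_uint32_t num_calls;
    // Tid of the thread that won the race to report. It starts out as
    // kInvalidTid so that a thread reading it before the winner has stored
    // its tid cannot mistake a stale 0 for "I am the reporting thread"
    // and exit before the winner has finished printing.
    static u32 reporting_thread_tid = kInvalidTid;
    if (atomic_fetch_add(&num_calls, 1, memory_order_relaxed) != 0) {
      // Do not print more than one report, otherwise they will mix up.
      // Error reporting functions shouldn't return at this situation, as
      // they are defined as no-return.
      Report("AddressSanitizer: while reporting a bug found another one. "
             "Ignoring.\n");
      u32 current_tid = asanThreadRegistry().GetCurrentTidOrInvalid();
      // NOTE(review): reporting_thread_tid is a plain u32 stored by the
      // winner only after its fetch_add above, so a different thread can
      // observe the initial value here. With the kInvalidTid initializer
      // that only costs an extra sleep; a thread that is itself
      // unregistered (kInvalidTid) could still skip the sleep.
      if (current_tid != reporting_thread_tid) {
        // ASan found two bugs in different threads simultaneously. Sleep
        // long enough to make sure that the thread which started to print
        // an error report will finish doing it.
        SleepForSeconds(Max(100, flags()->sleep_before_dying + 1));
      }
      // If we're still not dead for some reason, use raw Exit() instead of
      // Die() to bypass any additional checks.
      Exit(flags()->exitcode);
    }
    __asan_on_error();
    reporting_thread_tid = asanThreadRegistry().GetCurrentTidOrInvalid();
    Printf("===================================================="
           "=============\n");
    if (reporting_thread_tid != kInvalidTid) {
      // We started reporting an error message. Stop using the fake stack
      // in case we call an instrumented function from a symbolizer.
      AsanThread *curr_thread = asanThreadRegistry().GetCurrent();
      CHECK(curr_thread);
      curr_thread->fake_stack().StopUsingFakeStack();
    }
  }
  // Destructor is NORETURN, as functions that report errors are.
  NORETURN ~ScopedInErrorReport() {
    // Make sure the current thread is announced.
    AsanThread *curr_thread = asanThreadRegistry().GetCurrent();
    if (curr_thread) {
      DescribeThread(curr_thread->summary());
    }
    // Print memory stats.
    __asan_print_accumulated_stats();
    // Hand the accumulated report text to the user callback, if any.
    if (error_report_callback) {
      error_report_callback(error_message_buffer);
    }
    Report("ABORTING\n");
    Die();
  }
};

// Reports a SEGV on an address ASan knows nothing about; only the fault
// context and a stack trace from |pc|/|bp| are printed.
void ReportSIGSEGV(uptr pc, uptr sp, uptr bp, uptr addr) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: SEGV on unknown address %p"
         " (pc %p sp %p bp %p T%d)\n",
         (void*)addr, (void*)pc, (void*)sp, (void*)bp,
         asanThreadRegistry().GetCurrentTidOrInvalid());
  Printf("AddressSanitizer can not provide additional info.\n");
  GET_STACK_TRACE_WITH_PC_AND_BP(kStackTraceMax, pc, bp);
  PrintStack(&stack);
}

// Reports a second free() of |addr|; |stack| is the offending free's stack.
void ReportDoubleFree(uptr addr, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: attempting double-free on %p:\n", addr);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports free() of a pointer that did not come from malloc().
void ReportFreeNotMalloced(uptr addr, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: attempting free on address "
         "which was not malloc()-ed: %p\n", addr);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports malloc_usable_size() on a pointer ASan does not own.
void ReportMallocUsableSizeNotOwned(uptr addr, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: attempting to call "
         "malloc_usable_size() for pointer which is "
         "not owned: %p\n", addr);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports __asan_get_allocated_size() on a pointer ASan does not own.
void ReportAsanGetAllocatedSizeNotOwned(uptr addr, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: attempting to call "
         "__asan_get_allocated_size() for pointer which is "
         "not owned: %p\n", addr);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports overlapping source/destination ranges passed to a string
// function (|function| is its name, e.g. "memcpy"); both ranges are
// described.
void ReportStringFunctionMemoryRangesOverlap(
    const char *function, const char *offset1, uptr length1,
    const char *offset2, uptr length2, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Report("ERROR: AddressSanitizer: %s-param-overlap: "
         "memory ranges [%p,%p) and [%p, %p) overlap\n",
         function, offset1, offset1 + length1, offset2, offset2 + length2);
  PrintStack(stack);
  DescribeAddress((uptr)offset1, length1);
  DescribeAddress((uptr)offset2, length2);
}

// ----------------------- Mac-specific reports ----------------- {{{1

// Unlike the Report* functions this is a warning only: it does not take
// ScopedInErrorReport and returns to the caller.
void WarnMacFreeUnallocated(
    uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
  // Just print a warning here.
  Printf("free_common(%p) -- attempting to free unallocated memory.\n"
         "AddressSanitizer is ignoring this error on Mac OS now.\n",
         addr);
  PrintZoneForPointer(addr, zone_ptr, zone_name);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports mz_realloc() of memory ASan did not allocate (fatal).
void ReportMacMzReallocUnknown(
    uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"
         "This is an unrecoverable problem, exiting now.\n",
         addr);
  PrintZoneForPointer(addr, zone_ptr, zone_name);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

// Reports cf_realloc() of memory ASan did not allocate (fatal).
void ReportMacCfReallocUnknown(
    uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
  ScopedInErrorReport in_report;
  Printf("cf_realloc(%p) -- attempting to realloc unallocated memory.\n"
         "This is an unrecoverable problem, exiting now.\n",
         addr);
  PrintZoneForPointer(addr, zone_ptr, zone_name);
  PrintStack(stack);
  DescribeHeapAddress(addr, 1);
}

}  // namespace __asan

// --------------------------- Interface --------------------- {{{1
using namespace __asan;  // NOLINT

// Entry point for instrumented accesses: classifies the bug from the shadow
// byte at |addr|, prints the access, its stack, a description of the
// address and the surrounding shadow. Never returns (see
// ~ScopedInErrorReport).
void __asan_report_error(uptr pc, uptr bp, uptr sp,
                         uptr addr, bool is_write, uptr access_size) {
  ScopedInErrorReport in_report;

  // Determine the error type.
  const char *bug_descr = "unknown-crash";
  if (AddrIsInMem(addr)) {
    u8 *shadow_addr = (u8*)MemToShadow(addr);
    // If we are accessing 16 bytes, look at the second shadow byte.
    if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY)
      shadow_addr++;
    // If we are in the partial right redzone, look at the next shadow byte.
    if (*shadow_addr > 0 && *shadow_addr < 128)
      shadow_addr++;
    switch (*shadow_addr) {
      case kAsanHeapLeftRedzoneMagic:
      case kAsanHeapRightRedzoneMagic:
        bug_descr = "heap-buffer-overflow";
        break;
      case kAsanHeapFreeMagic:
        bug_descr = "heap-use-after-free";
        break;
      case kAsanStackLeftRedzoneMagic:
        bug_descr = "stack-buffer-underflow";
        break;
      case kAsanInitializationOrderMagic:
        bug_descr = "initialization-order-fiasco";
        break;
      case kAsanStackMidRedzoneMagic:
      case kAsanStackRightRedzoneMagic:
      case kAsanStackPartialRedzoneMagic:
        bug_descr = "stack-buffer-overflow";
        break;
      case kAsanStackAfterReturnMagic:
        bug_descr = "stack-use-after-return";
        break;
      case kAsanUserPoisonedMemoryMagic:
        bug_descr = "use-after-poison";
        break;
      case kAsanGlobalRedzoneMagic:
        bug_descr = "global-buffer-overflow";
        break;
      default:
        // Any other shadow value keeps the "unknown-crash" description.
        break;
    }
  }

  Report("ERROR: AddressSanitizer: %s on address "
         "%p at pc 0x%zx bp 0x%zx sp 0x%zx\n",
         bug_descr, (void*)addr, pc, bp, sp);

  u32 curr_tid = asanThreadRegistry().GetCurrentTidOrInvalid();
  Printf("%s of size %zu at %p thread T%d\n",
         access_size ? (is_write ? "WRITE" : "READ") : "ACCESS",
         access_size, (void*)addr, curr_tid);

  GET_STACK_TRACE_WITH_PC_AND_BP(kStackTraceMax, pc, bp);
  PrintStack(&stack);

  DescribeAddress(addr, access_size);

  PrintShadowMemoryForAddress(addr);
}

// Installs (or, with a null |callback|, removes) the user report callback.
// The 64 KiB message buffer is mapped on first installation and reused on
// later calls instead of being mapped again and leaked.
void NOINLINE __asan_set_error_report_callback(void (*callback)(const char*)) {
  error_report_callback = callback;
  if (callback) {
    if (!error_message_buffer) {
      error_message_buffer_size = 1 << 16;
      error_message_buffer =
          (char*)MmapOrDie(error_message_buffer_size, __FUNCTION__);
    }
    error_message_buffer_pos = 0;
  }
}

// Provide default implementation of __asan_on_error that does nothing
// and may be overriden by user.
SANITIZER_WEAK_ATTRIBUTE SANITIZER_INTERFACE_ATTRIBUTE NOINLINE
void __asan_on_error() {}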