1 //===-- asan_descriptions.cpp -----------------------------------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file is a part of AddressSanitizer, an address sanity checker. 10 // 11 // ASan functions for getting information about an address and/or printing it. 12 //===----------------------------------------------------------------------===// 13 14 #include "asan_descriptions.h" 15 #include "asan_mapping.h" 16 #include "asan_report.h" 17 #include "asan_stack.h" 18 #include "sanitizer_common/sanitizer_stackdepot.h" 19 20 namespace __asan { 21 22 AsanThreadIdAndName::AsanThreadIdAndName(AsanThreadContext *t) { 23 Init(t->tid, t->name); 24 } 25 26 AsanThreadIdAndName::AsanThreadIdAndName(u32 tid) { 27 if (tid == kInvalidTid) { 28 Init(tid, ""); 29 } else { 30 asanThreadRegistry().CheckLocked(); 31 AsanThreadContext *t = GetThreadContextByTidLocked(tid); 32 Init(tid, t->name); 33 } 34 } 35 36 void AsanThreadIdAndName::Init(u32 tid, const char *tname) { 37 int len = internal_snprintf(name, sizeof(name), "T%d", tid); 38 CHECK(((unsigned int)len) < sizeof(name)); 39 if (tname[0] != '\0') 40 internal_snprintf(&name[len], sizeof(name) - len, " (%s)", tname); 41 } 42 43 void DescribeThread(AsanThreadContext *context) { 44 CHECK(context); 45 asanThreadRegistry().CheckLocked(); 46 // No need to announce the main thread. 47 if (context->tid == 0 || context->announced) { 48 return; 49 } 50 context->announced = true; 51 InternalScopedString str(1024); 52 str.append("Thread %s", AsanThreadIdAndName(context).c_str()); 53 if (context->parent_tid == kInvalidTid) { 54 str.append(" created by unknown thread\n"); 55 Printf("%s", str.data()); 56 return; 57 } 58 str.append(" created by %s here:\n", 59 AsanThreadIdAndName(context->parent_tid).c_str()); 60 Printf("%s", str.data()); 61 StackDepotGet(context->stack_id).Print(); 62 // Recursively described parent thread if needed. 63 if (flags()->print_full_thread_history) { 64 AsanThreadContext *parent_context = 65 GetThreadContextByTidLocked(context->parent_tid); 66 DescribeThread(parent_context); 67 } 68 } 69 70 // Shadow descriptions 71 static bool GetShadowKind(uptr addr, ShadowKind *shadow_kind) { 72 CHECK(!AddrIsInMem(addr)); 73 if (AddrIsInShadowGap(addr)) { 74 *shadow_kind = kShadowKindGap; 75 } else if (AddrIsInHighShadow(addr)) { 76 *shadow_kind = kShadowKindHigh; 77 } else if (AddrIsInLowShadow(addr)) { 78 *shadow_kind = kShadowKindLow; 79 } else { 80 CHECK(0 && "Address is not in memory and not in shadow?"); 81 return false; 82 } 83 return true; 84 } 85 86 bool DescribeAddressIfShadow(uptr addr) { 87 ShadowAddressDescription descr; 88 if (!GetShadowAddressInformation(addr, &descr)) return false; 89 descr.Print(); 90 return true; 91 } 92 93 bool GetShadowAddressInformation(uptr addr, ShadowAddressDescription *descr) { 94 if (AddrIsInMem(addr)) return false; 95 ShadowKind shadow_kind; 96 if (!GetShadowKind(addr, &shadow_kind)) return false; 97 if (shadow_kind != kShadowKindGap) descr->shadow_byte = *(u8 *)addr; 98 descr->addr = addr; 99 descr->kind = shadow_kind; 100 return true; 101 } 102 103 // Heap descriptions 104 static void GetAccessToHeapChunkInformation(ChunkAccess *descr, 105 AsanChunkView chunk, uptr addr, 106 uptr access_size) { 107 descr->bad_addr = addr; 108 if (chunk.AddrIsAtLeft(addr, access_size, &descr->offset)) { 109 descr->access_type = kAccessTypeLeft; 110 } else if (chunk.AddrIsAtRight(addr, access_size, &descr->offset)) { 111 descr->access_type = kAccessTypeRight; 112 if (descr->offset < 0) { 113 descr->bad_addr -= descr->offset; 114 descr->offset = 0; 115 } 116 } else if (chunk.AddrIsInside(addr, access_size, &descr->offset)) { 117 descr->access_type = kAccessTypeInside; 118 } else { 119 descr->access_type = kAccessTypeUnknown; 120 } 121 descr->chunk_begin = chunk.Beg(); 122 descr->chunk_size = chunk.UsedSize(); 123 descr->user_requested_alignment = chunk.UserRequestedAlignment(); 124 descr->alloc_type = chunk.GetAllocType(); 125 } 126 127 static void PrintHeapChunkAccess(uptr addr, const ChunkAccess &descr) { 128 Decorator d; 129 InternalScopedString str(4096); 130 str.append("%s", d.Location()); 131 switch (descr.access_type) { 132 case kAccessTypeLeft: 133 str.append("%p is located %zd bytes to the left of", 134 (void *)descr.bad_addr, descr.offset); 135 break; 136 case kAccessTypeRight: 137 str.append("%p is located %zd bytes to the right of", 138 (void *)descr.bad_addr, descr.offset); 139 break; 140 case kAccessTypeInside: 141 str.append("%p is located %zd bytes inside of", (void *)descr.bad_addr, 142 descr.offset); 143 break; 144 case kAccessTypeUnknown: 145 str.append( 146 "%p is located somewhere around (this is AddressSanitizer bug!)", 147 (void *)descr.bad_addr); 148 } 149 str.append(" %zu-byte region [%p,%p)\n", descr.chunk_size, 150 (void *)descr.chunk_begin, 151 (void *)(descr.chunk_begin + descr.chunk_size)); 152 str.append("%s", d.Default()); 153 Printf("%s", str.data()); 154 } 155 156 bool GetHeapAddressInformation(uptr addr, uptr access_size, 157 HeapAddressDescription *descr) { 158 AsanChunkView chunk = FindHeapChunkByAddress(addr); 159 if (!chunk.IsValid()) { 160 return false; 161 } 162 descr->addr = addr; 163 GetAccessToHeapChunkInformation(&descr->chunk_access, chunk, addr, 164 access_size); 165 CHECK_NE(chunk.AllocTid(), kInvalidTid); 166 descr->alloc_tid = chunk.AllocTid(); 167 descr->alloc_stack_id = chunk.GetAllocStackId(); 168 descr->free_tid = chunk.FreeTid(); 169 if (descr->free_tid != kInvalidTid) 170 descr->free_stack_id = chunk.GetFreeStackId(); 171 return true; 172 } 173 174 static StackTrace GetStackTraceFromId(u32 id) { 175 CHECK(id); 176 StackTrace res = StackDepotGet(id); 177 CHECK(res.trace); 178 return res; 179 } 180 181 bool DescribeAddressIfHeap(uptr addr, uptr access_size) { 182 HeapAddressDescription descr; 183 if (!GetHeapAddressInformation(addr, access_size, &descr)) { 184 Printf( 185 "AddressSanitizer can not describe address in more detail " 186 "(wild memory access suspected).\n"); 187 return false; 188 } 189 descr.Print(); 190 return true; 191 } 192 193 // Stack descriptions 194 bool GetStackAddressInformation(uptr addr, uptr access_size, 195 StackAddressDescription *descr) { 196 AsanThread *t = FindThreadByStackAddress(addr); 197 if (!t) return false; 198 199 descr->addr = addr; 200 descr->tid = t->tid(); 201 // Try to fetch precise stack frame for this access. 202 AsanThread::StackFrameAccess access; 203 if (!t->GetStackFrameAccessByAddr(addr, &access)) { 204 descr->frame_descr = nullptr; 205 return true; 206 } 207 208 descr->offset = access.offset; 209 descr->access_size = access_size; 210 descr->frame_pc = access.frame_pc; 211 descr->frame_descr = access.frame_descr; 212 213 #if SANITIZER_PPC64V1 214 // On PowerPC64 ELFv1, the address of a function actually points to a 215 // three-doubleword data structure with the first field containing 216 // the address of the function's code. 217 descr->frame_pc = *reinterpret_cast<uptr *>(descr->frame_pc); 218 #endif 219 descr->frame_pc += 16; 220 221 return true; 222 } 223 224 static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr, 225 uptr access_size, uptr prev_var_end, 226 uptr next_var_beg) { 227 uptr var_end = var.beg + var.size; 228 uptr addr_end = addr + access_size; 229 const char *pos_descr = nullptr; 230 // If the variable [var.beg, var_end) is the nearest variable to the 231 // current memory access, indicate it in the log. 232 if (addr >= var.beg) { 233 if (addr_end <= var_end) 234 pos_descr = "is inside"; // May happen if this is a use-after-return. 235 else if (addr < var_end) 236 pos_descr = "partially overflows"; 237 else if (addr_end <= next_var_beg && 238 next_var_beg - addr_end >= addr - var_end) 239 pos_descr = "overflows"; 240 } else { 241 if (addr_end > var.beg) 242 pos_descr = "partially underflows"; 243 else if (addr >= prev_var_end && addr - prev_var_end >= var.beg - addr_end) 244 pos_descr = "underflows"; 245 } 246 InternalScopedString str(1024); 247 str.append(" [%zd, %zd)", var.beg, var_end); 248 // Render variable name. 249 str.append(" '"); 250 for (uptr i = 0; i < var.name_len; ++i) { 251 str.append("%c", var.name_pos[i]); 252 } 253 str.append("'"); 254 if (var.line > 0) { 255 str.append(" (line %d)", var.line); 256 } 257 if (pos_descr) { 258 Decorator d; 259 // FIXME: we may want to also print the size of the access here, 260 // but in case of accesses generated by memset it may be confusing. 261 str.append("%s <== Memory access at offset %zd %s this variable%s\n", 262 d.Location(), addr, pos_descr, d.Default()); 263 } else { 264 str.append("\n"); 265 } 266 Printf("%s", str.data()); 267 } 268 269 bool DescribeAddressIfStack(uptr addr, uptr access_size) { 270 StackAddressDescription descr; 271 if (!GetStackAddressInformation(addr, access_size, &descr)) return false; 272 descr.Print(); 273 return true; 274 } 275 276 // Global descriptions 277 static void DescribeAddressRelativeToGlobal(uptr addr, uptr access_size, 278 const __asan_global &g) { 279 InternalScopedString str(4096); 280 Decorator d; 281 str.append("%s", d.Location()); 282 if (addr < g.beg) { 283 str.append("%p is located %zd bytes to the left", (void *)addr, 284 g.beg - addr); 285 } else if (addr + access_size > g.beg + g.size) { 286 if (addr < g.beg + g.size) addr = g.beg + g.size; 287 str.append("%p is located %zd bytes to the right", (void *)addr, 288 addr - (g.beg + g.size)); 289 } else { 290 // Can it happen? 291 str.append("%p is located %zd bytes inside", (void *)addr, addr - g.beg); 292 } 293 str.append(" of global variable '%s' defined in '", 294 MaybeDemangleGlobalName(g.name)); 295 PrintGlobalLocation(&str, g); 296 str.append("' (0x%zx) of size %zu\n", g.beg, g.size); 297 str.append("%s", d.Default()); 298 PrintGlobalNameIfASCII(&str, g); 299 Printf("%s", str.data()); 300 } 301 302 bool GetGlobalAddressInformation(uptr addr, uptr access_size, 303 GlobalAddressDescription *descr) { 304 descr->addr = addr; 305 int globals_num = GetGlobalsForAddress(addr, descr->globals, descr->reg_sites, 306 ARRAY_SIZE(descr->globals)); 307 descr->size = globals_num; 308 descr->access_size = access_size; 309 return globals_num != 0; 310 } 311 312 bool DescribeAddressIfGlobal(uptr addr, uptr access_size, 313 const char *bug_type) { 314 GlobalAddressDescription descr; 315 if (!GetGlobalAddressInformation(addr, access_size, &descr)) return false; 316 317 descr.Print(bug_type); 318 return true; 319 } 320 321 void ShadowAddressDescription::Print() const { 322 Printf("Address %p is located in the %s area.\n", addr, ShadowNames[kind]); 323 } 324 325 void GlobalAddressDescription::Print(const char *bug_type) const { 326 for (int i = 0; i < size; i++) { 327 DescribeAddressRelativeToGlobal(addr, access_size, globals[i]); 328 if (bug_type && 329 0 == internal_strcmp(bug_type, "initialization-order-fiasco") && 330 reg_sites[i]) { 331 Printf(" registered at:\n"); 332 StackDepotGet(reg_sites[i]).Print(); 333 } 334 } 335 } 336 337 bool GlobalAddressDescription::PointsInsideTheSameVariable( 338 const GlobalAddressDescription &other) const { 339 if (size == 0 || other.size == 0) return false; 340 341 for (uptr i = 0; i < size; i++) { 342 const __asan_global &a = globals[i]; 343 for (uptr j = 0; j < other.size; j++) { 344 const __asan_global &b = other.globals[j]; 345 if (a.beg == b.beg && 346 a.beg <= addr && 347 b.beg <= other.addr && 348 (addr + access_size) < (a.beg + a.size) && 349 (other.addr + other.access_size) < (b.beg + b.size)) 350 return true; 351 } 352 } 353 354 return false; 355 } 356 357 void StackAddressDescription::Print() const { 358 Decorator d; 359 Printf("%s", d.Location()); 360 Printf("Address %p is located in stack of thread %s", addr, 361 AsanThreadIdAndName(tid).c_str()); 362 363 if (!frame_descr) { 364 Printf("%s\n", d.Default()); 365 return; 366 } 367 Printf(" at offset %zu in frame%s\n", offset, d.Default()); 368 369 // Now we print the frame where the alloca has happened. 370 // We print this frame as a stack trace with one element. 371 // The symbolizer may print more than one frame if inlining was involved. 372 // The frame numbers may be different than those in the stack trace printed 373 // previously. That's unfortunate, but I have no better solution, 374 // especially given that the alloca may be from entirely different place 375 // (e.g. use-after-scope, or different thread's stack). 376 Printf("%s", d.Default()); 377 StackTrace alloca_stack(&frame_pc, 1); 378 alloca_stack.Print(); 379 380 InternalMmapVector<StackVarDescr> vars; 381 vars.reserve(16); 382 if (!ParseFrameDescription(frame_descr, &vars)) { 383 Printf( 384 "AddressSanitizer can't parse the stack frame " 385 "descriptor: |%s|\n", 386 frame_descr); 387 // 'addr' is a stack address, so return true even if we can't parse frame 388 return; 389 } 390 uptr n_objects = vars.size(); 391 // Report the number of stack objects. 392 Printf(" This frame has %zu object(s):\n", n_objects); 393 394 // Report all objects in this frame. 395 for (uptr i = 0; i < n_objects; i++) { 396 uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0; 397 uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL); 398 PrintAccessAndVarIntersection(vars[i], offset, access_size, prev_var_end, 399 next_var_beg); 400 } 401 Printf( 402 "HINT: this may be a false positive if your program uses " 403 "some custom stack unwind mechanism, swapcontext or vfork\n"); 404 if (SANITIZER_WINDOWS) 405 Printf(" (longjmp, SEH and C++ exceptions *are* supported)\n"); 406 else 407 Printf(" (longjmp and C++ exceptions *are* supported)\n"); 408 409 DescribeThread(GetThreadContextByTidLocked(tid)); 410 } 411 412 void HeapAddressDescription::Print() const { 413 PrintHeapChunkAccess(addr, chunk_access); 414 415 asanThreadRegistry().CheckLocked(); 416 AsanThreadContext *alloc_thread = GetThreadContextByTidLocked(alloc_tid); 417 StackTrace alloc_stack = GetStackTraceFromId(alloc_stack_id); 418 419 Decorator d; 420 AsanThreadContext *free_thread = nullptr; 421 if (free_tid != kInvalidTid) { 422 free_thread = GetThreadContextByTidLocked(free_tid); 423 Printf("%sfreed by thread %s here:%s\n", d.Allocation(), 424 AsanThreadIdAndName(free_thread).c_str(), d.Default()); 425 StackTrace free_stack = GetStackTraceFromId(free_stack_id); 426 free_stack.Print(); 427 Printf("%spreviously allocated by thread %s here:%s\n", d.Allocation(), 428 AsanThreadIdAndName(alloc_thread).c_str(), d.Default()); 429 } else { 430 Printf("%sallocated by thread %s here:%s\n", d.Allocation(), 431 AsanThreadIdAndName(alloc_thread).c_str(), d.Default()); 432 } 433 alloc_stack.Print(); 434 DescribeThread(GetCurrentThread()); 435 if (free_thread) DescribeThread(free_thread); 436 DescribeThread(alloc_thread); 437 } 438 439 AddressDescription::AddressDescription(uptr addr, uptr access_size, 440 bool shouldLockThreadRegistry) { 441 if (GetShadowAddressInformation(addr, &data.shadow)) { 442 data.kind = kAddressKindShadow; 443 return; 444 } 445 if (GetHeapAddressInformation(addr, access_size, &data.heap)) { 446 data.kind = kAddressKindHeap; 447 return; 448 } 449 450 bool isStackMemory = false; 451 if (shouldLockThreadRegistry) { 452 ThreadRegistryLock l(&asanThreadRegistry()); 453 isStackMemory = GetStackAddressInformation(addr, access_size, &data.stack); 454 } else { 455 isStackMemory = GetStackAddressInformation(addr, access_size, &data.stack); 456 } 457 if (isStackMemory) { 458 data.kind = kAddressKindStack; 459 return; 460 } 461 462 if (GetGlobalAddressInformation(addr, access_size, &data.global)) { 463 data.kind = kAddressKindGlobal; 464 return; 465 } 466 data.kind = kAddressKindWild; 467 addr = 0; 468 } 469 470 void PrintAddressDescription(uptr addr, uptr access_size, 471 const char *bug_type) { 472 ShadowAddressDescription shadow_descr; 473 if (GetShadowAddressInformation(addr, &shadow_descr)) { 474 shadow_descr.Print(); 475 return; 476 } 477 478 GlobalAddressDescription global_descr; 479 if (GetGlobalAddressInformation(addr, access_size, &global_descr)) { 480 global_descr.Print(bug_type); 481 return; 482 } 483 484 StackAddressDescription stack_descr; 485 if (GetStackAddressInformation(addr, access_size, &stack_descr)) { 486 stack_descr.Print(); 487 return; 488 } 489 490 HeapAddressDescription heap_descr; 491 if (GetHeapAddressInformation(addr, access_size, &heap_descr)) { 492 heap_descr.Print(); 493 return; 494 } 495 496 // We exhausted our possibilities. Bail out. 497 Printf( 498 "AddressSanitizer can not describe address in more detail " 499 "(wild memory access suspected).\n"); 500 } 501 } // namespace __asan 502