xref: /freebsd/contrib/llvm-project/compiler-rt/lib/asan/asan_descriptions.cpp (revision cfd6422a5217410fbd66f7a7a8a64d9d85e61229)
1 //===-- asan_descriptions.cpp -----------------------------------*- C++ -*-===//
2 //
3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4 // See https://llvm.org/LICENSE.txt for license information.
5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6 //
7 //===----------------------------------------------------------------------===//
8 //
9 // This file is a part of AddressSanitizer, an address sanity checker.
10 //
11 // ASan functions for getting information about an address and/or printing it.
12 //===----------------------------------------------------------------------===//
13 
14 #include "asan_descriptions.h"
15 #include "asan_mapping.h"
16 #include "asan_report.h"
17 #include "asan_stack.h"
18 #include "sanitizer_common/sanitizer_stackdepot.h"
19 
20 namespace __asan {
21 
22 AsanThreadIdAndName::AsanThreadIdAndName(AsanThreadContext *t) {
23   Init(t->tid, t->name);
24 }
25 
26 AsanThreadIdAndName::AsanThreadIdAndName(u32 tid) {
27   if (tid == kInvalidTid) {
28     Init(tid, "");
29   } else {
30     asanThreadRegistry().CheckLocked();
31     AsanThreadContext *t = GetThreadContextByTidLocked(tid);
32     Init(tid, t->name);
33   }
34 }
35 
36 void AsanThreadIdAndName::Init(u32 tid, const char *tname) {
37   int len = internal_snprintf(name, sizeof(name), "T%d", tid);
38   CHECK(((unsigned int)len) < sizeof(name));
39   if (tname[0] != '\0')
40     internal_snprintf(&name[len], sizeof(name) - len, " (%s)", tname);
41 }
42 
43 void DescribeThread(AsanThreadContext *context) {
44   CHECK(context);
45   asanThreadRegistry().CheckLocked();
46   // No need to announce the main thread.
47   if (context->tid == 0 || context->announced) {
48     return;
49   }
50   context->announced = true;
51   InternalScopedString str(1024);
52   str.append("Thread %s", AsanThreadIdAndName(context).c_str());
53   if (context->parent_tid == kInvalidTid) {
54     str.append(" created by unknown thread\n");
55     Printf("%s", str.data());
56     return;
57   }
58   str.append(" created by %s here:\n",
59              AsanThreadIdAndName(context->parent_tid).c_str());
60   Printf("%s", str.data());
61   StackDepotGet(context->stack_id).Print();
62   // Recursively described parent thread if needed.
63   if (flags()->print_full_thread_history) {
64     AsanThreadContext *parent_context =
65         GetThreadContextByTidLocked(context->parent_tid);
66     DescribeThread(parent_context);
67   }
68 }
69 
70 // Shadow descriptions
71 static bool GetShadowKind(uptr addr, ShadowKind *shadow_kind) {
72   CHECK(!AddrIsInMem(addr));
73   if (AddrIsInShadowGap(addr)) {
74     *shadow_kind = kShadowKindGap;
75   } else if (AddrIsInHighShadow(addr)) {
76     *shadow_kind = kShadowKindHigh;
77   } else if (AddrIsInLowShadow(addr)) {
78     *shadow_kind = kShadowKindLow;
79   } else {
80     CHECK(0 && "Address is not in memory and not in shadow?");
81     return false;
82   }
83   return true;
84 }
85 
86 bool DescribeAddressIfShadow(uptr addr) {
87   ShadowAddressDescription descr;
88   if (!GetShadowAddressInformation(addr, &descr)) return false;
89   descr.Print();
90   return true;
91 }
92 
93 bool GetShadowAddressInformation(uptr addr, ShadowAddressDescription *descr) {
94   if (AddrIsInMem(addr)) return false;
95   ShadowKind shadow_kind;
96   if (!GetShadowKind(addr, &shadow_kind)) return false;
97   if (shadow_kind != kShadowKindGap) descr->shadow_byte = *(u8 *)addr;
98   descr->addr = addr;
99   descr->kind = shadow_kind;
100   return true;
101 }
102 
103 // Heap descriptions
104 static void GetAccessToHeapChunkInformation(ChunkAccess *descr,
105                                             AsanChunkView chunk, uptr addr,
106                                             uptr access_size) {
107   descr->bad_addr = addr;
108   if (chunk.AddrIsAtLeft(addr, access_size, &descr->offset)) {
109     descr->access_type = kAccessTypeLeft;
110   } else if (chunk.AddrIsAtRight(addr, access_size, &descr->offset)) {
111     descr->access_type = kAccessTypeRight;
112     if (descr->offset < 0) {
113       descr->bad_addr -= descr->offset;
114       descr->offset = 0;
115     }
116   } else if (chunk.AddrIsInside(addr, access_size, &descr->offset)) {
117     descr->access_type = kAccessTypeInside;
118   } else {
119     descr->access_type = kAccessTypeUnknown;
120   }
121   descr->chunk_begin = chunk.Beg();
122   descr->chunk_size = chunk.UsedSize();
123   descr->user_requested_alignment = chunk.UserRequestedAlignment();
124   descr->alloc_type = chunk.GetAllocType();
125 }
126 
127 static void PrintHeapChunkAccess(uptr addr, const ChunkAccess &descr) {
128   Decorator d;
129   InternalScopedString str(4096);
130   str.append("%s", d.Location());
131   switch (descr.access_type) {
132     case kAccessTypeLeft:
133       str.append("%p is located %zd bytes to the left of",
134                  (void *)descr.bad_addr, descr.offset);
135       break;
136     case kAccessTypeRight:
137       str.append("%p is located %zd bytes to the right of",
138                  (void *)descr.bad_addr, descr.offset);
139       break;
140     case kAccessTypeInside:
141       str.append("%p is located %zd bytes inside of", (void *)descr.bad_addr,
142                  descr.offset);
143       break;
144     case kAccessTypeUnknown:
145       str.append(
146           "%p is located somewhere around (this is AddressSanitizer bug!)",
147           (void *)descr.bad_addr);
148   }
149   str.append(" %zu-byte region [%p,%p)\n", descr.chunk_size,
150              (void *)descr.chunk_begin,
151              (void *)(descr.chunk_begin + descr.chunk_size));
152   str.append("%s", d.Default());
153   Printf("%s", str.data());
154 }
155 
156 bool GetHeapAddressInformation(uptr addr, uptr access_size,
157                                HeapAddressDescription *descr) {
158   AsanChunkView chunk = FindHeapChunkByAddress(addr);
159   if (!chunk.IsValid()) {
160     return false;
161   }
162   descr->addr = addr;
163   GetAccessToHeapChunkInformation(&descr->chunk_access, chunk, addr,
164                                   access_size);
165   CHECK_NE(chunk.AllocTid(), kInvalidTid);
166   descr->alloc_tid = chunk.AllocTid();
167   descr->alloc_stack_id = chunk.GetAllocStackId();
168   descr->free_tid = chunk.FreeTid();
169   if (descr->free_tid != kInvalidTid)
170     descr->free_stack_id = chunk.GetFreeStackId();
171   return true;
172 }
173 
174 static StackTrace GetStackTraceFromId(u32 id) {
175   CHECK(id);
176   StackTrace res = StackDepotGet(id);
177   CHECK(res.trace);
178   return res;
179 }
180 
181 bool DescribeAddressIfHeap(uptr addr, uptr access_size) {
182   HeapAddressDescription descr;
183   if (!GetHeapAddressInformation(addr, access_size, &descr)) {
184     Printf(
185         "AddressSanitizer can not describe address in more detail "
186         "(wild memory access suspected).\n");
187     return false;
188   }
189   descr.Print();
190   return true;
191 }
192 
193 // Stack descriptions
194 bool GetStackAddressInformation(uptr addr, uptr access_size,
195                                 StackAddressDescription *descr) {
196   AsanThread *t = FindThreadByStackAddress(addr);
197   if (!t) return false;
198 
199   descr->addr = addr;
200   descr->tid = t->tid();
201   // Try to fetch precise stack frame for this access.
202   AsanThread::StackFrameAccess access;
203   if (!t->GetStackFrameAccessByAddr(addr, &access)) {
204     descr->frame_descr = nullptr;
205     return true;
206   }
207 
208   descr->offset = access.offset;
209   descr->access_size = access_size;
210   descr->frame_pc = access.frame_pc;
211   descr->frame_descr = access.frame_descr;
212 
213 #if SANITIZER_PPC64V1
214   // On PowerPC64 ELFv1, the address of a function actually points to a
215   // three-doubleword data structure with the first field containing
216   // the address of the function's code.
217   descr->frame_pc = *reinterpret_cast<uptr *>(descr->frame_pc);
218 #endif
219   descr->frame_pc += 16;
220 
221   return true;
222 }
223 
224 static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,
225                                           uptr access_size, uptr prev_var_end,
226                                           uptr next_var_beg) {
227   uptr var_end = var.beg + var.size;
228   uptr addr_end = addr + access_size;
229   const char *pos_descr = nullptr;
230   // If the variable [var.beg, var_end) is the nearest variable to the
231   // current memory access, indicate it in the log.
232   if (addr >= var.beg) {
233     if (addr_end <= var_end)
234       pos_descr = "is inside";  // May happen if this is a use-after-return.
235     else if (addr < var_end)
236       pos_descr = "partially overflows";
237     else if (addr_end <= next_var_beg &&
238              next_var_beg - addr_end >= addr - var_end)
239       pos_descr = "overflows";
240   } else {
241     if (addr_end > var.beg)
242       pos_descr = "partially underflows";
243     else if (addr >= prev_var_end && addr - prev_var_end >= var.beg - addr_end)
244       pos_descr = "underflows";
245   }
246   InternalScopedString str(1024);
247   str.append("    [%zd, %zd)", var.beg, var_end);
248   // Render variable name.
249   str.append(" '");
250   for (uptr i = 0; i < var.name_len; ++i) {
251     str.append("%c", var.name_pos[i]);
252   }
253   str.append("'");
254   if (var.line > 0) {
255     str.append(" (line %d)", var.line);
256   }
257   if (pos_descr) {
258     Decorator d;
259     // FIXME: we may want to also print the size of the access here,
260     // but in case of accesses generated by memset it may be confusing.
261     str.append("%s <== Memory access at offset %zd %s this variable%s\n",
262                d.Location(), addr, pos_descr, d.Default());
263   } else {
264     str.append("\n");
265   }
266   Printf("%s", str.data());
267 }
268 
269 bool DescribeAddressIfStack(uptr addr, uptr access_size) {
270   StackAddressDescription descr;
271   if (!GetStackAddressInformation(addr, access_size, &descr)) return false;
272   descr.Print();
273   return true;
274 }
275 
276 // Global descriptions
277 static void DescribeAddressRelativeToGlobal(uptr addr, uptr access_size,
278                                             const __asan_global &g) {
279   InternalScopedString str(4096);
280   Decorator d;
281   str.append("%s", d.Location());
282   if (addr < g.beg) {
283     str.append("%p is located %zd bytes to the left", (void *)addr,
284                g.beg - addr);
285   } else if (addr + access_size > g.beg + g.size) {
286     if (addr < g.beg + g.size) addr = g.beg + g.size;
287     str.append("%p is located %zd bytes to the right", (void *)addr,
288                addr - (g.beg + g.size));
289   } else {
290     // Can it happen?
291     str.append("%p is located %zd bytes inside", (void *)addr, addr - g.beg);
292   }
293   str.append(" of global variable '%s' defined in '",
294              MaybeDemangleGlobalName(g.name));
295   PrintGlobalLocation(&str, g);
296   str.append("' (0x%zx) of size %zu\n", g.beg, g.size);
297   str.append("%s", d.Default());
298   PrintGlobalNameIfASCII(&str, g);
299   Printf("%s", str.data());
300 }
301 
302 bool GetGlobalAddressInformation(uptr addr, uptr access_size,
303                                  GlobalAddressDescription *descr) {
304   descr->addr = addr;
305   int globals_num = GetGlobalsForAddress(addr, descr->globals, descr->reg_sites,
306                                          ARRAY_SIZE(descr->globals));
307   descr->size = globals_num;
308   descr->access_size = access_size;
309   return globals_num != 0;
310 }
311 
312 bool DescribeAddressIfGlobal(uptr addr, uptr access_size,
313                              const char *bug_type) {
314   GlobalAddressDescription descr;
315   if (!GetGlobalAddressInformation(addr, access_size, &descr)) return false;
316 
317   descr.Print(bug_type);
318   return true;
319 }
320 
321 void ShadowAddressDescription::Print() const {
322   Printf("Address %p is located in the %s area.\n", addr, ShadowNames[kind]);
323 }
324 
325 void GlobalAddressDescription::Print(const char *bug_type) const {
326   for (int i = 0; i < size; i++) {
327     DescribeAddressRelativeToGlobal(addr, access_size, globals[i]);
328     if (bug_type &&
329         0 == internal_strcmp(bug_type, "initialization-order-fiasco") &&
330         reg_sites[i]) {
331       Printf("  registered at:\n");
332       StackDepotGet(reg_sites[i]).Print();
333     }
334   }
335 }
336 
337 bool GlobalAddressDescription::PointsInsideTheSameVariable(
338     const GlobalAddressDescription &other) const {
339   if (size == 0 || other.size == 0) return false;
340 
341   for (uptr i = 0; i < size; i++) {
342     const __asan_global &a = globals[i];
343     for (uptr j = 0; j < other.size; j++) {
344       const __asan_global &b = other.globals[j];
345       if (a.beg == b.beg &&
346           a.beg <= addr &&
347           b.beg <= other.addr &&
348           (addr + access_size) < (a.beg + a.size) &&
349           (other.addr + other.access_size) < (b.beg + b.size))
350         return true;
351     }
352   }
353 
354   return false;
355 }
356 
357 void StackAddressDescription::Print() const {
358   Decorator d;
359   Printf("%s", d.Location());
360   Printf("Address %p is located in stack of thread %s", addr,
361          AsanThreadIdAndName(tid).c_str());
362 
363   if (!frame_descr) {
364     Printf("%s\n", d.Default());
365     return;
366   }
367   Printf(" at offset %zu in frame%s\n", offset, d.Default());
368 
369   // Now we print the frame where the alloca has happened.
370   // We print this frame as a stack trace with one element.
371   // The symbolizer may print more than one frame if inlining was involved.
372   // The frame numbers may be different than those in the stack trace printed
373   // previously. That's unfortunate, but I have no better solution,
374   // especially given that the alloca may be from entirely different place
375   // (e.g. use-after-scope, or different thread's stack).
376   Printf("%s", d.Default());
377   StackTrace alloca_stack(&frame_pc, 1);
378   alloca_stack.Print();
379 
380   InternalMmapVector<StackVarDescr> vars;
381   vars.reserve(16);
382   if (!ParseFrameDescription(frame_descr, &vars)) {
383     Printf(
384         "AddressSanitizer can't parse the stack frame "
385         "descriptor: |%s|\n",
386         frame_descr);
387     // 'addr' is a stack address, so return true even if we can't parse frame
388     return;
389   }
390   uptr n_objects = vars.size();
391   // Report the number of stack objects.
392   Printf("  This frame has %zu object(s):\n", n_objects);
393 
394   // Report all objects in this frame.
395   for (uptr i = 0; i < n_objects; i++) {
396     uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
397     uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL);
398     PrintAccessAndVarIntersection(vars[i], offset, access_size, prev_var_end,
399                                   next_var_beg);
400   }
401   Printf(
402       "HINT: this may be a false positive if your program uses "
403       "some custom stack unwind mechanism, swapcontext or vfork\n");
404   if (SANITIZER_WINDOWS)
405     Printf("      (longjmp, SEH and C++ exceptions *are* supported)\n");
406   else
407     Printf("      (longjmp and C++ exceptions *are* supported)\n");
408 
409   DescribeThread(GetThreadContextByTidLocked(tid));
410 }
411 
412 void HeapAddressDescription::Print() const {
413   PrintHeapChunkAccess(addr, chunk_access);
414 
415   asanThreadRegistry().CheckLocked();
416   AsanThreadContext *alloc_thread = GetThreadContextByTidLocked(alloc_tid);
417   StackTrace alloc_stack = GetStackTraceFromId(alloc_stack_id);
418 
419   Decorator d;
420   AsanThreadContext *free_thread = nullptr;
421   if (free_tid != kInvalidTid) {
422     free_thread = GetThreadContextByTidLocked(free_tid);
423     Printf("%sfreed by thread %s here:%s\n", d.Allocation(),
424            AsanThreadIdAndName(free_thread).c_str(), d.Default());
425     StackTrace free_stack = GetStackTraceFromId(free_stack_id);
426     free_stack.Print();
427     Printf("%spreviously allocated by thread %s here:%s\n", d.Allocation(),
428            AsanThreadIdAndName(alloc_thread).c_str(), d.Default());
429   } else {
430     Printf("%sallocated by thread %s here:%s\n", d.Allocation(),
431            AsanThreadIdAndName(alloc_thread).c_str(), d.Default());
432   }
433   alloc_stack.Print();
434   DescribeThread(GetCurrentThread());
435   if (free_thread) DescribeThread(free_thread);
436   DescribeThread(alloc_thread);
437 }
438 
439 AddressDescription::AddressDescription(uptr addr, uptr access_size,
440                                        bool shouldLockThreadRegistry) {
441   if (GetShadowAddressInformation(addr, &data.shadow)) {
442     data.kind = kAddressKindShadow;
443     return;
444   }
445   if (GetHeapAddressInformation(addr, access_size, &data.heap)) {
446     data.kind = kAddressKindHeap;
447     return;
448   }
449 
450   bool isStackMemory = false;
451   if (shouldLockThreadRegistry) {
452     ThreadRegistryLock l(&asanThreadRegistry());
453     isStackMemory = GetStackAddressInformation(addr, access_size, &data.stack);
454   } else {
455     isStackMemory = GetStackAddressInformation(addr, access_size, &data.stack);
456   }
457   if (isStackMemory) {
458     data.kind = kAddressKindStack;
459     return;
460   }
461 
462   if (GetGlobalAddressInformation(addr, access_size, &data.global)) {
463     data.kind = kAddressKindGlobal;
464     return;
465   }
466   data.kind = kAddressKindWild;
467   addr = 0;
468 }
469 
470 void PrintAddressDescription(uptr addr, uptr access_size,
471                              const char *bug_type) {
472   ShadowAddressDescription shadow_descr;
473   if (GetShadowAddressInformation(addr, &shadow_descr)) {
474     shadow_descr.Print();
475     return;
476   }
477 
478   GlobalAddressDescription global_descr;
479   if (GetGlobalAddressInformation(addr, access_size, &global_descr)) {
480     global_descr.Print(bug_type);
481     return;
482   }
483 
484   StackAddressDescription stack_descr;
485   if (GetStackAddressInformation(addr, access_size, &stack_descr)) {
486     stack_descr.Print();
487     return;
488   }
489 
490   HeapAddressDescription heap_descr;
491   if (GetHeapAddressInformation(addr, access_size, &heap_descr)) {
492     heap_descr.Print();
493     return;
494   }
495 
496   // We exhausted our possibilities. Bail out.
497   Printf(
498       "AddressSanitizer can not describe address in more detail "
499       "(wild memory access suspected).\n");
500 }
501 }  // namespace __asan
502