search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
* function.c (dump_stack_clash_frame_info): New function.
[official-gcc.git] / libsanitizer / asan / asan_errors.cc
blob73c4cca843be02c4215a5ada2d2633161d827e6d
1 //===-- asan_errors.cc ------------------------------------------*- C++ -*-===//
2 //
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
5 //
6 //===----------------------------------------------------------------------===//
7 //
8 // This file is a part of AddressSanitizer, an address sanity checker.
9 //
10 // ASan implementation for error structures.
11 //===----------------------------------------------------------------------===//
12
13 #include "asan_errors.h"
14 #include <signal.h>
15 #include "asan_descriptions.h"
16 #include "asan_mapping.h"
17 #include "asan_report.h"
18 #include "asan_stack.h"
19 #include "sanitizer_common/sanitizer_stackdepot.h"
20
21 namespace __asan {
22
23 void ErrorStackOverflow::Print() {
24 Decorator d;
25 Printf("%s", d.Warning());
26 Report(
27 "ERROR: AddressSanitizer: stack-overflow on address %p"
28 " (pc %p bp %p sp %p T%d)\n",
29 (void *)addr, (void *)pc, (void *)bp, (void *)sp, tid);
30 Printf("%s", d.EndWarning());
31 scariness.Print();
32 BufferedStackTrace stack;
33 GetStackTraceWithPcBpAndContext(&stack, kStackTraceMax, pc, bp, context,
34 common_flags()->fast_unwind_on_fatal);
35 stack.Print();
36 ReportErrorSummary("stack-overflow", &stack);
37 }
38
39 static void MaybeDumpInstructionBytes(uptr pc) {
40 if (!flags()->dump_instruction_bytes || (pc < GetPageSizeCached())) return;
41 InternalScopedString str(1024);
42 str.append("First 16 instruction bytes at pc: ");
43 if (IsAccessibleMemoryRange(pc, 16)) {
44 for (int i = 0; i < 16; ++i) {
45 PrintMemoryByte(&str, "", ((u8 *)pc)[i], /*in_shadow*/ false, " ");
46 }
47 str.append("\n");
48 } else {
49 str.append("unaccessible\n");
50 }
51 Report("%s", str.data());
52 }
53
54 void ErrorDeadlySignal::Print() {
55 Decorator d;
56 Printf("%s", d.Warning());
57 const char *description = DescribeSignalOrException(signo);
58 Report(
59 "ERROR: AddressSanitizer: %s on unknown address %p (pc %p bp %p sp %p "
60 "T%d)\n",
61 description, (void *)addr, (void *)pc, (void *)bp, (void *)sp, tid);
62 Printf("%s", d.EndWarning());
63 if (pc < GetPageSizeCached()) Report("Hint: pc points to the zero page.\n");
64 if (is_memory_access) {
65 const char *access_type =
66 write_flag == SignalContext::WRITE
67 ? "WRITE"
68 : (write_flag == SignalContext::READ ? "READ" : "UNKNOWN");
69 Report("The signal is caused by a %s memory access.\n", access_type);
70 if (addr < GetPageSizeCached())
71 Report("Hint: address points to the zero page.\n");
72 }
73 scariness.Print();
74 BufferedStackTrace stack;
75 GetStackTraceWithPcBpAndContext(&stack, kStackTraceMax, pc, bp, context,
76 common_flags()->fast_unwind_on_fatal);
77 stack.Print();
78 MaybeDumpInstructionBytes(pc);
79 Printf("AddressSanitizer can not provide additional info.\n");
80 ReportErrorSummary(description, &stack);
81 }
82
83 void ErrorDoubleFree::Print() {
84 Decorator d;
85 Printf("%s", d.Warning());
86 char tname[128];
87 Report(
88 "ERROR: AddressSanitizer: attempting double-free on %p in "
89 "thread T%d%s:\n",
90 addr_description.addr, tid,
91 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
92 Printf("%s", d.EndWarning());
93 scariness.Print();
94 GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
95 second_free_stack->top_frame_bp);
96 stack.Print();
97 addr_description.Print();
98 ReportErrorSummary("double-free", &stack);
99 }
100
101 void ErrorNewDeleteSizeMismatch::Print() {
102 Decorator d;
103 Printf("%s", d.Warning());
104 char tname[128];
105 Report(
106 "ERROR: AddressSanitizer: new-delete-type-mismatch on %p in thread "
107 "T%d%s:\n",
108 addr_description.addr, tid,
109 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
110 Printf("%s object passed to delete has wrong type:\n", d.EndWarning());
111 Printf(
112 " size of the allocated type: %zd bytes;\n"
113 " size of the deallocated type: %zd bytes.\n",
114 addr_description.chunk_access.chunk_size, delete_size);
115 CHECK_GT(free_stack->size, 0);
116 scariness.Print();
117 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
118 stack.Print();
119 addr_description.Print();
120 ReportErrorSummary("new-delete-type-mismatch", &stack);
121 Report(
122 "HINT: if you don't care about these errors you may set "
123 "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
124 }
125
126 void ErrorFreeNotMalloced::Print() {
127 Decorator d;
128 Printf("%s", d.Warning());
129 char tname[128];
130 Report(
131 "ERROR: AddressSanitizer: attempting free on address "
132 "which was not malloc()-ed: %p in thread T%d%s\n",
133 addr_description.Address(), tid,
134 ThreadNameWithParenthesis(tid, tname, sizeof(tname)));
135 Printf("%s", d.EndWarning());
136 CHECK_GT(free_stack->size, 0);
137 scariness.Print();
138 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
139 stack.Print();
140 addr_description.Print();
141 ReportErrorSummary("bad-free", &stack);
142 }
143
144 void ErrorAllocTypeMismatch::Print() {
145 static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
146 "operator new []"};
147 static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
148 "operator delete []"};
149 CHECK_NE(alloc_type, dealloc_type);
150 Decorator d;
151 Printf("%s", d.Warning());
152 Report("ERROR: AddressSanitizer: alloc-dealloc-mismatch (%s vs %s) on %p\n",
153 alloc_names[alloc_type], dealloc_names[dealloc_type],
154 addr_description.addr);
155 Printf("%s", d.EndWarning());
156 CHECK_GT(dealloc_stack->size, 0);
157 scariness.Print();
158 GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
159 stack.Print();
160 addr_description.Print();
161 ReportErrorSummary("alloc-dealloc-mismatch", &stack);
162 Report(
163 "HINT: if you don't care about these errors you may set "
164 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
165 }
166
167 void ErrorMallocUsableSizeNotOwned::Print() {
168 Decorator d;
169 Printf("%s", d.Warning());
170 Report(
171 "ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
172 "pointer which is not owned: %p\n",
173 addr_description.Address());
174 Printf("%s", d.EndWarning());
175 stack->Print();
176 addr_description.Print();
177 ReportErrorSummary("bad-malloc_usable_size", stack);
178 }
179
180 void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
181 Decorator d;
182 Printf("%s", d.Warning());
183 Report(
184 "ERROR: AddressSanitizer: attempting to call "
185 "__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
186 addr_description.Address());
187 Printf("%s", d.EndWarning());
188 stack->Print();
189 addr_description.Print();
190 ReportErrorSummary("bad-__sanitizer_get_allocated_size", stack);
191 }
192
193 void ErrorStringFunctionMemoryRangesOverlap::Print() {
194 Decorator d;
195 char bug_type[100];
196 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
197 Printf("%s", d.Warning());
198 Report(
199 "ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
200 "overlap\n",
201 bug_type, addr1_description.Address(),
202 addr1_description.Address() + length1, addr2_description.Address(),
203 addr2_description.Address() + length2);
204 Printf("%s", d.EndWarning());
205 scariness.Print();
206 stack->Print();
207 addr1_description.Print();
208 addr2_description.Print();
209 ReportErrorSummary(bug_type, stack);
210 }
211
212 void ErrorStringFunctionSizeOverflow::Print() {
213 Decorator d;
214 Printf("%s", d.Warning());
215 const char *bug_type = "negative-size-param";
216 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
217 Printf("%s", d.EndWarning());
218 scariness.Print();
219 stack->Print();
220 addr_description.Print();
221 ReportErrorSummary(bug_type, stack);
222 }
223
224 void ErrorBadParamsToAnnotateContiguousContainer::Print() {
225 Report(
226 "ERROR: AddressSanitizer: bad parameters to "
227 "__sanitizer_annotate_contiguous_container:\n"
228 " beg : %p\n"
229 " end : %p\n"
230 " old_mid : %p\n"
231 " new_mid : %p\n",
232 beg, end, old_mid, new_mid);
233 uptr granularity = SHADOW_GRANULARITY;
234 if (!IsAligned(beg, granularity))
235 Report("ERROR: beg is not aligned by %d\n", granularity);
236 stack->Print();
237 ReportErrorSummary("bad-__sanitizer_annotate_contiguous_container", stack);
238 }
239
240 void ErrorODRViolation::Print() {
241 Decorator d;
242 Printf("%s", d.Warning());
243 Report("ERROR: AddressSanitizer: odr-violation (%p):\n", global1.beg);
244 Printf("%s", d.EndWarning());
245 InternalScopedString g1_loc(256), g2_loc(256);
246 PrintGlobalLocation(&g1_loc, global1);
247 PrintGlobalLocation(&g2_loc, global2);
248 Printf(" [1] size=%zd '%s' %s\n", global1.size,
249 MaybeDemangleGlobalName(global1.name), g1_loc.data());
250 Printf(" [2] size=%zd '%s' %s\n", global2.size,
251 MaybeDemangleGlobalName(global2.name), g2_loc.data());
252 if (stack_id1 && stack_id2) {
253 Printf("These globals were registered at these points:\n");
254 Printf(" [1]:\n");
255 StackDepotGet(stack_id1).Print();
256 Printf(" [2]:\n");
257 StackDepotGet(stack_id2).Print();
258 }
259 Report(
260 "HINT: if you don't care about these errors you may set "
261 "ASAN_OPTIONS=detect_odr_violation=0\n");
262 InternalScopedString error_msg(256);
263 error_msg.append("odr-violation: global '%s' at %s",
264 MaybeDemangleGlobalName(global1.name), g1_loc.data());
265 ReportErrorSummary(error_msg.data());
266 }
267
268 void ErrorInvalidPointerPair::Print() {
269 const char *bug_type = "invalid-pointer-pair";
270 Decorator d;
271 Printf("%s", d.Warning());
272 Report("ERROR: AddressSanitizer: invalid-pointer-pair: %p %p\n",
273 addr1_description.Address(), addr2_description.Address());
274 Printf("%s", d.EndWarning());
275 GET_STACK_TRACE_FATAL(pc, bp);
276 stack.Print();
277 addr1_description.Print();
278 addr2_description.Print();
279 ReportErrorSummary(bug_type, &stack);
280 }
281
282 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
283 return s[-1] > 127 && s[1] > 127;
284 }
285
286 ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
287 bool is_write_, uptr access_size_)
288 : ErrorBase(tid),
289 addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
290 pc(pc_),
291 bp(bp_),
292 sp(sp_),
293 access_size(access_size_),
294 is_write(is_write_),
295 shadow_val(0) {
296 scariness.Clear();
297 if (access_size) {
298 if (access_size <= 9) {
299 char desr[] = "?-byte";
300 desr[0] = '0' + access_size;
301 scariness.Scare(access_size + access_size / 2, desr);
302 } else if (access_size >= 10) {
303 scariness.Scare(15, "multi-byte");
304 }
305 is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
306
307 // Determine the error type.
308 bug_descr = "unknown-crash";
309 if (AddrIsInMem(addr)) {
310 u8 *shadow_addr = (u8 *)MemToShadow(addr);
311 // If we are accessing 16 bytes, look at the second shadow byte.
312 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY) shadow_addr++;
313 // If we are in the partial right redzone, look at the next shadow byte.
314 if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
315 bool far_from_bounds = false;
316 shadow_val = *shadow_addr;
317 int bug_type_score = 0;
318 // For use-after-frees reads are almost as bad as writes.
319 int read_after_free_bonus = 0;
320 switch (shadow_val) {
321 case kAsanHeapLeftRedzoneMagic:
322 case kAsanArrayCookieMagic:
323 bug_descr = "heap-buffer-overflow";
324 bug_type_score = 10;
325 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
326 break;
327 case kAsanHeapFreeMagic:
328 bug_descr = "heap-use-after-free";
329 bug_type_score = 20;
330 if (!is_write) read_after_free_bonus = 18;
331 break;
332 case kAsanStackLeftRedzoneMagic:
333 bug_descr = "stack-buffer-underflow";
334 bug_type_score = 25;
335 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
336 break;
337 case kAsanInitializationOrderMagic:
338 bug_descr = "initialization-order-fiasco";
339 bug_type_score = 1;
340 break;
341 case kAsanStackMidRedzoneMagic:
342 case kAsanStackRightRedzoneMagic:
343 bug_descr = "stack-buffer-overflow";
344 bug_type_score = 25;
345 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
346 break;
347 case kAsanStackAfterReturnMagic:
348 bug_descr = "stack-use-after-return";
349 bug_type_score = 30;
350 if (!is_write) read_after_free_bonus = 18;
351 break;
352 case kAsanUserPoisonedMemoryMagic:
353 bug_descr = "use-after-poison";
354 bug_type_score = 20;
355 break;
356 case kAsanContiguousContainerOOBMagic:
357 bug_descr = "container-overflow";
358 bug_type_score = 10;
359 break;
360 case kAsanStackUseAfterScopeMagic:
361 bug_descr = "stack-use-after-scope";
362 bug_type_score = 10;
363 break;
364 case kAsanGlobalRedzoneMagic:
365 bug_descr = "global-buffer-overflow";
366 bug_type_score = 10;
367 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
368 break;
369 case kAsanIntraObjectRedzone:
370 bug_descr = "intra-object-overflow";
371 bug_type_score = 10;
372 break;
373 case kAsanAllocaLeftMagic:
374 case kAsanAllocaRightMagic:
375 bug_descr = "dynamic-stack-buffer-overflow";
376 bug_type_score = 25;
377 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
378 break;
379 }
380 scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
381 if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
382 }
383 }
384 }
385
386 static void PrintContainerOverflowHint() {
387 Printf("HINT: if you don't care about these errors you may set "
388 "ASAN_OPTIONS=detect_container_overflow=0.\n"
389 "If you suspect a false positive see also: "
390 "https://github.com/google/sanitizers/wiki/"
391 "AddressSanitizerContainerOverflow.\n");
392 }
393
394 static void PrintShadowByte(InternalScopedString *str, const char *before,
395 u8 byte, const char *after = "\n") {
396 PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
397 }
398
399 static void PrintLegend(InternalScopedString *str) {
400 str->append(
401 "Shadow byte legend (one shadow byte represents %d "
402 "application bytes):\n",
403 (int)SHADOW_GRANULARITY);
404 PrintShadowByte(str, " Addressable: ", 0);
405 str->append(" Partially addressable: ");
406 for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
407 str->append("\n");
408 PrintShadowByte(str, " Heap left redzone: ",
409 kAsanHeapLeftRedzoneMagic);
410 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
411 PrintShadowByte(str, " Stack left redzone: ",
412 kAsanStackLeftRedzoneMagic);
413 PrintShadowByte(str, " Stack mid redzone: ",
414 kAsanStackMidRedzoneMagic);
415 PrintShadowByte(str, " Stack right redzone: ",
416 kAsanStackRightRedzoneMagic);
417 PrintShadowByte(str, " Stack after return: ",
418 kAsanStackAfterReturnMagic);
419 PrintShadowByte(str, " Stack use after scope: ",
420 kAsanStackUseAfterScopeMagic);
421 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
422 PrintShadowByte(str, " Global init order: ",
423 kAsanInitializationOrderMagic);
424 PrintShadowByte(str, " Poisoned by user: ",
425 kAsanUserPoisonedMemoryMagic);
426 PrintShadowByte(str, " Container overflow: ",
427 kAsanContiguousContainerOOBMagic);
428 PrintShadowByte(str, " Array cookie: ",
429 kAsanArrayCookieMagic);
430 PrintShadowByte(str, " Intra object redzone: ",
431 kAsanIntraObjectRedzone);
432 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
433 PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
434 PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
435 }
436
437 static void PrintShadowBytes(InternalScopedString *str, const char *before,
438 u8 *bytes, u8 *guilty, uptr n) {
439 Decorator d;
440 if (before) str->append("%s%p:", before, bytes);
441 for (uptr i = 0; i < n; i++) {
442 u8 *p = bytes + i;
443 const char *before =
444 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
445 const char *after = p == guilty ? "]" : "";
446 PrintShadowByte(str, before, *p, after);
447 }
448 str->append("\n");
449 }
450
451 static void PrintShadowMemoryForAddress(uptr addr) {
452 if (!AddrIsInMem(addr)) return;
453 uptr shadow_addr = MemToShadow(addr);
454 const uptr n_bytes_per_row = 16;
455 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
456 InternalScopedString str(4096 * 8);
457 str.append("Shadow bytes around the buggy address:\n");
458 for (int i = -5; i <= 5; i++) {
459 const char *prefix = (i == 0) ? "=>" : " ";
460 PrintShadowBytes(&str, prefix, (u8 *)(aligned_shadow + i * n_bytes_per_row),
461 (u8 *)shadow_addr, n_bytes_per_row);
462 }
463 if (flags()->print_legend) PrintLegend(&str);
464 Printf("%s", str.data());
465 }
466
467 void ErrorGeneric::Print() {
468 Decorator d;
469 Printf("%s", d.Warning());
470 uptr addr = addr_description.Address();
471 Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
472 bug_descr, (void *)addr, pc, bp, sp);
473 Printf("%s", d.EndWarning());
474
475 char tname[128];
476 Printf("%s%s of size %zu at %p thread T%d%s%s\n", d.Access(),
477 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
478 (void *)addr, tid,
479 ThreadNameWithParenthesis(tid, tname, sizeof(tname)), d.EndAccess());
480
481 scariness.Print();
482 GET_STACK_TRACE_FATAL(pc, bp);
483 stack.Print();
484
485 // Pass bug_descr because we have a special case for
486 // initialization-order-fiasco
487 addr_description.Print(bug_descr);
488 if (shadow_val == kAsanContiguousContainerOOBMagic)
489 PrintContainerOverflowHint();
490 ReportErrorSummary(bug_descr, &stack);
491 PrintShadowMemoryForAddress(addr);
492 }
493
494 } // namespace __asan
Mirror of the offical gcc git repository hosted at gcc.gnu.org