1 //===-- asan_errors.cc ------------------------------------------*- C++ -*-===//
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
6 //===----------------------------------------------------------------------===//
8 // This file is a part of AddressSanitizer, an address sanity checker.
10 // ASan implementation for error structures.
11 //===----------------------------------------------------------------------===//
13 #include "asan_errors.h"
14 #include "asan_descriptions.h"
15 #include "asan_mapping.h"
16 #include "asan_report.h"
17 #include "asan_stack.h"
18 #include "sanitizer_common/sanitizer_stackdepot.h"
22 static void OnStackUnwind(const SignalContext
&sig
,
23 const void *callback_context
,
24 BufferedStackTrace
*stack
) {
25 bool fast
= common_flags()->fast_unwind_on_fatal
;
26 #if SANITIZER_FREEBSD || SANITIZER_NETBSD
27 // On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
28 // yields the call stack of the signal's handler and not of the code
29 // that raised the signal (as it does on Linux).
32 // Tests and maybe some users expect that scariness is going to be printed
33 // just before the stack. As only asan has scariness score we have no
34 // corresponding code in the sanitizer_common and we use this callback to
36 static_cast<const ScarinessScoreBase
*>(callback_context
)->Print();
37 GetStackTrace(stack
, kStackTraceMax
, sig
.pc
, sig
.bp
, sig
.context
, fast
);
40 void ErrorDeadlySignal::Print() {
41 ReportDeadlySignal(signal
, tid
, &OnStackUnwind
, &scariness
);
44 void ErrorDoubleFree::Print() {
46 Printf("%s", d
.Error());
48 "ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n",
49 scariness
.GetDescription(), addr_description
.addr
,
50 AsanThreadIdAndName(tid
).c_str());
51 Printf("%s", d
.Default());
53 GET_STACK_TRACE_FATAL(second_free_stack
->trace
[0],
54 second_free_stack
->top_frame_bp
);
56 addr_description
.Print();
57 ReportErrorSummary(scariness
.GetDescription(), &stack
);
60 void ErrorNewDeleteTypeMismatch::Print() {
62 Printf("%s", d
.Error());
64 "ERROR: AddressSanitizer: %s on %p in thread %s:\n",
65 scariness
.GetDescription(), addr_description
.addr
,
66 AsanThreadIdAndName(tid
).c_str());
67 Printf("%s object passed to delete has wrong type:\n", d
.Default());
68 if (delete_size
!= 0) {
70 " size of the allocated type: %zd bytes;\n"
71 " size of the deallocated type: %zd bytes.\n",
72 addr_description
.chunk_access
.chunk_size
, delete_size
);
74 const uptr user_alignment
=
75 addr_description
.chunk_access
.user_requested_alignment
;
76 if (delete_alignment
!= user_alignment
) {
77 char user_alignment_str
[32];
78 char delete_alignment_str
[32];
79 internal_snprintf(user_alignment_str
, sizeof(user_alignment_str
),
80 "%zd bytes", user_alignment
);
81 internal_snprintf(delete_alignment_str
, sizeof(delete_alignment_str
),
82 "%zd bytes", delete_alignment
);
83 static const char *kDefaultAlignment
= "default-aligned";
85 " alignment of the allocated type: %s;\n"
86 " alignment of the deallocated type: %s.\n",
87 user_alignment
> 0 ? user_alignment_str
: kDefaultAlignment
,
88 delete_alignment
> 0 ? delete_alignment_str
: kDefaultAlignment
);
90 CHECK_GT(free_stack
->size
, 0);
92 GET_STACK_TRACE_FATAL(free_stack
->trace
[0], free_stack
->top_frame_bp
);
94 addr_description
.Print();
95 ReportErrorSummary(scariness
.GetDescription(), &stack
);
97 "HINT: if you don't care about these errors you may set "
98 "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
101 void ErrorFreeNotMalloced::Print() {
103 Printf("%s", d
.Error());
105 "ERROR: AddressSanitizer: attempting free on address "
106 "which was not malloc()-ed: %p in thread %s\n",
107 addr_description
.Address(), AsanThreadIdAndName(tid
).c_str());
108 Printf("%s", d
.Default());
109 CHECK_GT(free_stack
->size
, 0);
111 GET_STACK_TRACE_FATAL(free_stack
->trace
[0], free_stack
->top_frame_bp
);
113 addr_description
.Print();
114 ReportErrorSummary(scariness
.GetDescription(), &stack
);
117 void ErrorAllocTypeMismatch::Print() {
118 static const char *alloc_names
[] = {"INVALID", "malloc", "operator new",
120 static const char *dealloc_names
[] = {"INVALID", "free", "operator delete",
121 "operator delete []"};
122 CHECK_NE(alloc_type
, dealloc_type
);
124 Printf("%s", d
.Error());
125 Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
126 scariness
.GetDescription(),
127 alloc_names
[alloc_type
], dealloc_names
[dealloc_type
],
128 addr_description
.addr
);
129 Printf("%s", d
.Default());
130 CHECK_GT(dealloc_stack
->size
, 0);
132 GET_STACK_TRACE_FATAL(dealloc_stack
->trace
[0], dealloc_stack
->top_frame_bp
);
134 addr_description
.Print();
135 ReportErrorSummary(scariness
.GetDescription(), &stack
);
137 "HINT: if you don't care about these errors you may set "
138 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
141 void ErrorMallocUsableSizeNotOwned::Print() {
143 Printf("%s", d
.Error());
145 "ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
146 "pointer which is not owned: %p\n",
147 addr_description
.Address());
148 Printf("%s", d
.Default());
150 addr_description
.Print();
151 ReportErrorSummary(scariness
.GetDescription(), stack
);
154 void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
156 Printf("%s", d
.Error());
158 "ERROR: AddressSanitizer: attempting to call "
159 "__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
160 addr_description
.Address());
161 Printf("%s", d
.Default());
163 addr_description
.Print();
164 ReportErrorSummary(scariness
.GetDescription(), stack
);
167 void ErrorCallocOverflow::Print() {
169 Printf("%s", d
.Error());
171 "ERROR: AddressSanitizer: calloc parameters overflow: count * size "
172 "(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
173 count
, size
, AsanThreadIdAndName(tid
).c_str());
174 Printf("%s", d
.Default());
176 PrintHintAllocatorCannotReturnNull();
177 ReportErrorSummary(scariness
.GetDescription(), stack
);
180 void ErrorPvallocOverflow::Print() {
182 Printf("%s", d
.Error());
184 "ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx "
185 "rounded up to system page size 0x%zx cannot be represented in type "
186 "size_t (thread %s)\n",
187 size
, GetPageSizeCached(), AsanThreadIdAndName(tid
).c_str());
188 Printf("%s", d
.Default());
190 PrintHintAllocatorCannotReturnNull();
191 ReportErrorSummary(scariness
.GetDescription(), stack
);
194 void ErrorInvalidAllocationAlignment::Print() {
196 Printf("%s", d
.Error());
198 "ERROR: AddressSanitizer: invalid allocation alignment: %zd, "
199 "alignment must be a power of two (thread %s)\n",
200 alignment
, AsanThreadIdAndName(tid
).c_str());
201 Printf("%s", d
.Default());
203 PrintHintAllocatorCannotReturnNull();
204 ReportErrorSummary(scariness
.GetDescription(), stack
);
207 void ErrorInvalidAlignedAllocAlignment::Print() {
209 Printf("%s", d
.Error());
211 Report("ERROR: AddressSanitizer: invalid alignment requested in "
212 "aligned_alloc: %zd, alignment must be a power of two and the "
213 "requested size 0x%zx must be a multiple of alignment "
214 "(thread %s)\n", alignment
, size
, AsanThreadIdAndName(tid
).c_str());
216 Report("ERROR: AddressSanitizer: invalid alignment requested in "
217 "aligned_alloc: %zd, the requested size 0x%zx must be a multiple of "
218 "alignment (thread %s)\n", alignment
, size
,
219 AsanThreadIdAndName(tid
).c_str());
221 Printf("%s", d
.Default());
223 PrintHintAllocatorCannotReturnNull();
224 ReportErrorSummary(scariness
.GetDescription(), stack
);
227 void ErrorInvalidPosixMemalignAlignment::Print() {
229 Printf("%s", d
.Error());
231 "ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: "
232 "%zd, alignment must be a power of two and a multiple of sizeof(void*) "
233 "== %zd (thread %s)\n",
234 alignment
, sizeof(void*), AsanThreadIdAndName(tid
).c_str()); // NOLINT
235 Printf("%s", d
.Default());
237 PrintHintAllocatorCannotReturnNull();
238 ReportErrorSummary(scariness
.GetDescription(), stack
);
241 void ErrorAllocationSizeTooBig::Print() {
243 Printf("%s", d
.Error());
245 "ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after "
246 "adjustments for alignment, red zones etc.) exceeds maximum supported "
247 "size of 0x%zx (thread %s)\n",
248 user_size
, total_size
, max_size
, AsanThreadIdAndName(tid
).c_str());
249 Printf("%s", d
.Default());
251 PrintHintAllocatorCannotReturnNull();
252 ReportErrorSummary(scariness
.GetDescription(), stack
);
255 void ErrorRssLimitExceeded::Print() {
257 Printf("%s", d
.Error());
259 "ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to "
260 "soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb
);
261 Printf("%s", d
.Default());
263 PrintHintAllocatorCannotReturnNull();
264 ReportErrorSummary(scariness
.GetDescription(), stack
);
267 void ErrorOutOfMemory::Print() {
269 Printf("%s", d
.Error());
271 "ERROR: AddressSanitizer: allocator is out of memory trying to allocate "
272 "0x%zx bytes\n", requested_size
);
273 Printf("%s", d
.Default());
275 PrintHintAllocatorCannotReturnNull();
276 ReportErrorSummary(scariness
.GetDescription(), stack
);
279 void ErrorStringFunctionMemoryRangesOverlap::Print() {
282 internal_snprintf(bug_type
, sizeof(bug_type
), "%s-param-overlap", function
);
283 Printf("%s", d
.Error());
285 "ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
287 bug_type
, addr1_description
.Address(),
288 addr1_description
.Address() + length1
, addr2_description
.Address(),
289 addr2_description
.Address() + length2
);
290 Printf("%s", d
.Default());
293 addr1_description
.Print();
294 addr2_description
.Print();
295 ReportErrorSummary(bug_type
, stack
);
298 void ErrorStringFunctionSizeOverflow::Print() {
300 Printf("%s", d
.Error());
301 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
302 scariness
.GetDescription(), size
);
303 Printf("%s", d
.Default());
306 addr_description
.Print();
307 ReportErrorSummary(scariness
.GetDescription(), stack
);
310 void ErrorBadParamsToAnnotateContiguousContainer::Print() {
312 "ERROR: AddressSanitizer: bad parameters to "
313 "__sanitizer_annotate_contiguous_container:\n"
318 beg
, end
, old_mid
, new_mid
);
319 uptr granularity
= SHADOW_GRANULARITY
;
320 if (!IsAligned(beg
, granularity
))
321 Report("ERROR: beg is not aligned by %d\n", granularity
);
323 ReportErrorSummary(scariness
.GetDescription(), stack
);
326 void ErrorODRViolation::Print() {
328 Printf("%s", d
.Error());
329 Report("ERROR: AddressSanitizer: %s (%p):\n", scariness
.GetDescription(),
331 Printf("%s", d
.Default());
332 InternalScopedString
g1_loc(256), g2_loc(256);
333 PrintGlobalLocation(&g1_loc
, global1
);
334 PrintGlobalLocation(&g2_loc
, global2
);
335 Printf(" [1] size=%zd '%s' %s\n", global1
.size
,
336 MaybeDemangleGlobalName(global1
.name
), g1_loc
.data());
337 Printf(" [2] size=%zd '%s' %s\n", global2
.size
,
338 MaybeDemangleGlobalName(global2
.name
), g2_loc
.data());
339 if (stack_id1
&& stack_id2
) {
340 Printf("These globals were registered at these points:\n");
342 StackDepotGet(stack_id1
).Print();
344 StackDepotGet(stack_id2
).Print();
347 "HINT: if you don't care about these errors you may set "
348 "ASAN_OPTIONS=detect_odr_violation=0\n");
349 InternalScopedString
error_msg(256);
350 error_msg
.append("%s: global '%s' at %s", scariness
.GetDescription(),
351 MaybeDemangleGlobalName(global1
.name
), g1_loc
.data());
352 ReportErrorSummary(error_msg
.data());
355 void ErrorInvalidPointerPair::Print() {
357 Printf("%s", d
.Error());
358 Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness
.GetDescription(),
359 addr1_description
.Address(), addr2_description
.Address());
360 Printf("%s", d
.Default());
361 GET_STACK_TRACE_FATAL(pc
, bp
);
363 addr1_description
.Print();
364 addr2_description
.Print();
365 ReportErrorSummary(scariness
.GetDescription(), &stack
);
368 static bool AdjacentShadowValuesAreFullyPoisoned(u8
*s
) {
369 return s
[-1] > 127 && s
[1] > 127;
372 ErrorGeneric::ErrorGeneric(u32 tid
, uptr pc_
, uptr bp_
, uptr sp_
, uptr addr
,
373 bool is_write_
, uptr access_size_
)
375 addr_description(addr
, access_size_
, /*shouldLockThreadRegistry=*/false),
379 access_size(access_size_
),
384 if (access_size
<= 9) {
385 char desr
[] = "?-byte";
386 desr
[0] = '0' + access_size
;
387 scariness
.Scare(access_size
+ access_size
/ 2, desr
);
388 } else if (access_size
>= 10) {
389 scariness
.Scare(15, "multi-byte");
391 is_write
? scariness
.Scare(20, "write") : scariness
.Scare(1, "read");
393 // Determine the error type.
394 bug_descr
= "unknown-crash";
395 if (AddrIsInMem(addr
)) {
396 u8
*shadow_addr
= (u8
*)MemToShadow(addr
);
397 // If we are accessing 16 bytes, look at the second shadow byte.
398 if (*shadow_addr
== 0 && access_size
> SHADOW_GRANULARITY
) shadow_addr
++;
399 // If we are in the partial right redzone, look at the next shadow byte.
400 if (*shadow_addr
> 0 && *shadow_addr
< 128) shadow_addr
++;
401 bool far_from_bounds
= false;
402 shadow_val
= *shadow_addr
;
403 int bug_type_score
= 0;
404 // For use-after-frees reads are almost as bad as writes.
405 int read_after_free_bonus
= 0;
406 switch (shadow_val
) {
407 case kAsanHeapLeftRedzoneMagic
:
408 case kAsanArrayCookieMagic
:
409 bug_descr
= "heap-buffer-overflow";
411 far_from_bounds
= AdjacentShadowValuesAreFullyPoisoned(shadow_addr
);
413 case kAsanHeapFreeMagic
:
414 bug_descr
= "heap-use-after-free";
416 if (!is_write
) read_after_free_bonus
= 18;
418 case kAsanStackLeftRedzoneMagic
:
419 bug_descr
= "stack-buffer-underflow";
421 far_from_bounds
= AdjacentShadowValuesAreFullyPoisoned(shadow_addr
);
423 case kAsanInitializationOrderMagic
:
424 bug_descr
= "initialization-order-fiasco";
427 case kAsanStackMidRedzoneMagic
:
428 case kAsanStackRightRedzoneMagic
:
429 bug_descr
= "stack-buffer-overflow";
431 far_from_bounds
= AdjacentShadowValuesAreFullyPoisoned(shadow_addr
);
433 case kAsanStackAfterReturnMagic
:
434 bug_descr
= "stack-use-after-return";
436 if (!is_write
) read_after_free_bonus
= 18;
438 case kAsanUserPoisonedMemoryMagic
:
439 bug_descr
= "use-after-poison";
442 case kAsanContiguousContainerOOBMagic
:
443 bug_descr
= "container-overflow";
446 case kAsanStackUseAfterScopeMagic
:
447 bug_descr
= "stack-use-after-scope";
450 case kAsanGlobalRedzoneMagic
:
451 bug_descr
= "global-buffer-overflow";
453 far_from_bounds
= AdjacentShadowValuesAreFullyPoisoned(shadow_addr
);
455 case kAsanIntraObjectRedzone
:
456 bug_descr
= "intra-object-overflow";
459 case kAsanAllocaLeftMagic
:
460 case kAsanAllocaRightMagic
:
461 bug_descr
= "dynamic-stack-buffer-overflow";
463 far_from_bounds
= AdjacentShadowValuesAreFullyPoisoned(shadow_addr
);
466 scariness
.Scare(bug_type_score
+ read_after_free_bonus
, bug_descr
);
467 if (far_from_bounds
) scariness
.Scare(10, "far-from-bounds");
472 static void PrintContainerOverflowHint() {
473 Printf("HINT: if you don't care about these errors you may set "
474 "ASAN_OPTIONS=detect_container_overflow=0.\n"
475 "If you suspect a false positive see also: "
476 "https://github.com/google/sanitizers/wiki/"
477 "AddressSanitizerContainerOverflow.\n");
480 static void PrintShadowByte(InternalScopedString
*str
, const char *before
,
481 u8 byte
, const char *after
= "\n") {
482 PrintMemoryByte(str
, before
, byte
, /*in_shadow*/true, after
);
485 static void PrintLegend(InternalScopedString
*str
) {
487 "Shadow byte legend (one shadow byte represents %d "
488 "application bytes):\n",
489 (int)SHADOW_GRANULARITY
);
490 PrintShadowByte(str
, " Addressable: ", 0);
491 str
->append(" Partially addressable: ");
492 for (u8 i
= 1; i
< SHADOW_GRANULARITY
; i
++) PrintShadowByte(str
, "", i
, " ");
494 PrintShadowByte(str
, " Heap left redzone: ",
495 kAsanHeapLeftRedzoneMagic
);
496 PrintShadowByte(str
, " Freed heap region: ", kAsanHeapFreeMagic
);
497 PrintShadowByte(str
, " Stack left redzone: ",
498 kAsanStackLeftRedzoneMagic
);
499 PrintShadowByte(str
, " Stack mid redzone: ",
500 kAsanStackMidRedzoneMagic
);
501 PrintShadowByte(str
, " Stack right redzone: ",
502 kAsanStackRightRedzoneMagic
);
503 PrintShadowByte(str
, " Stack after return: ",
504 kAsanStackAfterReturnMagic
);
505 PrintShadowByte(str
, " Stack use after scope: ",
506 kAsanStackUseAfterScopeMagic
);
507 PrintShadowByte(str
, " Global redzone: ", kAsanGlobalRedzoneMagic
);
508 PrintShadowByte(str
, " Global init order: ",
509 kAsanInitializationOrderMagic
);
510 PrintShadowByte(str
, " Poisoned by user: ",
511 kAsanUserPoisonedMemoryMagic
);
512 PrintShadowByte(str
, " Container overflow: ",
513 kAsanContiguousContainerOOBMagic
);
514 PrintShadowByte(str
, " Array cookie: ",
515 kAsanArrayCookieMagic
);
516 PrintShadowByte(str
, " Intra object redzone: ",
517 kAsanIntraObjectRedzone
);
518 PrintShadowByte(str
, " ASan internal: ", kAsanInternalHeapMagic
);
519 PrintShadowByte(str
, " Left alloca redzone: ", kAsanAllocaLeftMagic
);
520 PrintShadowByte(str
, " Right alloca redzone: ", kAsanAllocaRightMagic
);
521 PrintShadowByte(str
, " Shadow gap: ", kAsanShadowGap
);
524 static void PrintShadowBytes(InternalScopedString
*str
, const char *before
,
525 u8
*bytes
, u8
*guilty
, uptr n
) {
527 if (before
) str
->append("%s%p:", before
, bytes
);
528 for (uptr i
= 0; i
< n
; i
++) {
531 p
== guilty
? "[" : (p
- 1 == guilty
&& i
!= 0) ? "" : " ";
532 const char *after
= p
== guilty
? "]" : "";
533 PrintShadowByte(str
, before
, *p
, after
);
538 static void PrintShadowMemoryForAddress(uptr addr
) {
539 if (!AddrIsInMem(addr
)) return;
540 uptr shadow_addr
= MemToShadow(addr
);
541 const uptr n_bytes_per_row
= 16;
542 uptr aligned_shadow
= shadow_addr
& ~(n_bytes_per_row
- 1);
543 InternalScopedString
str(4096 * 8);
544 str
.append("Shadow bytes around the buggy address:\n");
545 for (int i
= -5; i
<= 5; i
++) {
546 uptr row_shadow_addr
= aligned_shadow
+ i
* n_bytes_per_row
;
547 // Skip rows that would be outside the shadow range. This can happen when
548 // the user address is near the bottom, top, or shadow gap of the address
550 if (!AddrIsInShadow(row_shadow_addr
)) continue;
551 const char *prefix
= (i
== 0) ? "=>" : " ";
552 PrintShadowBytes(&str
, prefix
, (u8
*)row_shadow_addr
, (u8
*)shadow_addr
,
555 if (flags()->print_legend
) PrintLegend(&str
);
556 Printf("%s", str
.data());
559 void ErrorGeneric::Print() {
561 Printf("%s", d
.Error());
562 uptr addr
= addr_description
.Address();
563 Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
564 bug_descr
, (void *)addr
, pc
, bp
, sp
);
565 Printf("%s", d
.Default());
567 Printf("%s%s of size %zu at %p thread %s%s\n", d
.Access(),
568 access_size
? (is_write
? "WRITE" : "READ") : "ACCESS", access_size
,
569 (void *)addr
, AsanThreadIdAndName(tid
).c_str(), d
.Default());
572 GET_STACK_TRACE_FATAL(pc
, bp
);
575 // Pass bug_descr because we have a special case for
576 // initialization-order-fiasco
577 addr_description
.Print(bug_descr
);
578 if (shadow_val
== kAsanContiguousContainerOOBMagic
)
579 PrintContainerOverflowHint();
580 ReportErrorSummary(bug_descr
, &stack
);
581 PrintShadowMemoryForAddress(addr
);
584 } // namespace __asan