gcc/
[official-gcc.git] / libsanitizer / asan / asan_report.cc
blobd0a89b9677e0879fc69a91dd65c4b7f0343a8aa6
1 //===-- asan_report.cc ----------------------------------------------------===//
2 //
3 // This file is distributed under the University of Illinois Open Source
4 // License. See LICENSE.TXT for details.
5 //
6 //===----------------------------------------------------------------------===//
7 //
8 // This file is a part of AddressSanitizer, an address sanity checker.
9 //
10 // This file contains error reporting code.
11 //===----------------------------------------------------------------------===//
12 #include "asan_flags.h"
13 #include "asan_internal.h"
14 #include "asan_mapping.h"
15 #include "asan_report.h"
16 #include "asan_stack.h"
17 #include "asan_thread.h"
18 #include "sanitizer_common/sanitizer_common.h"
19 #include "sanitizer_common/sanitizer_flags.h"
20 #include "sanitizer_common/sanitizer_report_decorator.h"
21 #include "sanitizer_common/sanitizer_stackdepot.h"
22 #include "sanitizer_common/sanitizer_symbolizer.h"
24 namespace __asan {
26 // -------------------- User-specified callbacks ----------------- {{{1
27 static void (*error_report_callback)(const char*);
28 static char *error_message_buffer = 0;
29 static uptr error_message_buffer_pos = 0;
30 static uptr error_message_buffer_size = 0;
32 void AppendToErrorMessageBuffer(const char *buffer) {
33 if (error_message_buffer) {
34 uptr length = internal_strlen(buffer);
35 CHECK_GE(error_message_buffer_size, error_message_buffer_pos);
36 uptr remaining = error_message_buffer_size - error_message_buffer_pos;
37 internal_strncpy(error_message_buffer + error_message_buffer_pos,
38 buffer, remaining);
39 error_message_buffer[error_message_buffer_size - 1] = '\0';
40 // FIXME: reallocate the buffer instead of truncating the message.
41 error_message_buffer_pos += remaining > length ? length : remaining;
45 // ---------------------- Decorator ------------------------------ {{{1
46 class Decorator: public __sanitizer::SanitizerCommonDecorator {
47 public:
48 Decorator() : SanitizerCommonDecorator() { }
49 const char *Access() { return Blue(); }
50 const char *EndAccess() { return Default(); }
51 const char *Location() { return Green(); }
52 const char *EndLocation() { return Default(); }
53 const char *Allocation() { return Magenta(); }
54 const char *EndAllocation() { return Default(); }
56 const char *ShadowByte(u8 byte) {
57 switch (byte) {
58 case kAsanHeapLeftRedzoneMagic:
59 case kAsanHeapRightRedzoneMagic:
60 return Red();
61 case kAsanHeapFreeMagic:
62 return Magenta();
63 case kAsanStackLeftRedzoneMagic:
64 case kAsanStackMidRedzoneMagic:
65 case kAsanStackRightRedzoneMagic:
66 case kAsanStackPartialRedzoneMagic:
67 return Red();
68 case kAsanStackAfterReturnMagic:
69 return Magenta();
70 case kAsanInitializationOrderMagic:
71 return Cyan();
72 case kAsanUserPoisonedMemoryMagic:
73 case kAsanContiguousContainerOOBMagic:
74 return Blue();
75 case kAsanStackUseAfterScopeMagic:
76 return Magenta();
77 case kAsanGlobalRedzoneMagic:
78 return Red();
79 case kAsanInternalHeapMagic:
80 return Yellow();
81 default:
82 return Default();
85 const char *EndShadowByte() { return Default(); }
88 // ---------------------- Helper functions ----------------------- {{{1
90 static void PrintShadowByte(InternalScopedString *str, const char *before,
91 u8 byte, const char *after = "\n") {
92 Decorator d;
93 str->append("%s%s%x%x%s%s", before, d.ShadowByte(byte), byte >> 4, byte & 15,
94 d.EndShadowByte(), after);
97 static void PrintShadowBytes(InternalScopedString *str, const char *before,
98 u8 *bytes, u8 *guilty, uptr n) {
99 Decorator d;
100 if (before) str->append("%s%p:", before, bytes);
101 for (uptr i = 0; i < n; i++) {
102 u8 *p = bytes + i;
103 const char *before =
104 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
105 const char *after = p == guilty ? "]" : "";
106 PrintShadowByte(str, before, *p, after);
108 str->append("\n");
111 static void PrintLegend(InternalScopedString *str) {
112 str->append(
113 "Shadow byte legend (one shadow byte represents %d "
114 "application bytes):\n",
115 (int)SHADOW_GRANULARITY);
116 PrintShadowByte(str, " Addressable: ", 0);
117 str->append(" Partially addressable: ");
118 for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
119 str->append("\n");
120 PrintShadowByte(str, " Heap left redzone: ",
121 kAsanHeapLeftRedzoneMagic);
122 PrintShadowByte(str, " Heap right redzone: ",
123 kAsanHeapRightRedzoneMagic);
124 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
125 PrintShadowByte(str, " Stack left redzone: ",
126 kAsanStackLeftRedzoneMagic);
127 PrintShadowByte(str, " Stack mid redzone: ",
128 kAsanStackMidRedzoneMagic);
129 PrintShadowByte(str, " Stack right redzone: ",
130 kAsanStackRightRedzoneMagic);
131 PrintShadowByte(str, " Stack partial redzone: ",
132 kAsanStackPartialRedzoneMagic);
133 PrintShadowByte(str, " Stack after return: ",
134 kAsanStackAfterReturnMagic);
135 PrintShadowByte(str, " Stack use after scope: ",
136 kAsanStackUseAfterScopeMagic);
137 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
138 PrintShadowByte(str, " Global init order: ",
139 kAsanInitializationOrderMagic);
140 PrintShadowByte(str, " Poisoned by user: ",
141 kAsanUserPoisonedMemoryMagic);
142 PrintShadowByte(str, " Container overflow: ",
143 kAsanContiguousContainerOOBMagic);
144 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
147 static void PrintShadowMemoryForAddress(uptr addr) {
148 if (!AddrIsInMem(addr)) return;
149 uptr shadow_addr = MemToShadow(addr);
150 const uptr n_bytes_per_row = 16;
151 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
152 InternalScopedString str(4096 * 8);
153 str.append("Shadow bytes around the buggy address:\n");
154 for (int i = -5; i <= 5; i++) {
155 const char *prefix = (i == 0) ? "=>" : " ";
156 PrintShadowBytes(&str, prefix, (u8 *)(aligned_shadow + i * n_bytes_per_row),
157 (u8 *)shadow_addr, n_bytes_per_row);
159 if (flags()->print_legend) PrintLegend(&str);
160 Printf("%s", str.data());
163 static void PrintZoneForPointer(uptr ptr, uptr zone_ptr,
164 const char *zone_name) {
165 if (zone_ptr) {
166 if (zone_name) {
167 Printf("malloc_zone_from_ptr(%p) = %p, which is %s\n",
168 ptr, zone_ptr, zone_name);
169 } else {
170 Printf("malloc_zone_from_ptr(%p) = %p, which doesn't have a name\n",
171 ptr, zone_ptr);
173 } else {
174 Printf("malloc_zone_from_ptr(%p) = 0\n", ptr);
178 static void DescribeThread(AsanThread *t) {
179 if (t)
180 DescribeThread(t->context());
183 // ---------------------- Address Descriptions ------------------- {{{1
185 static bool IsASCII(unsigned char c) {
186 return /*0x00 <= c &&*/ c <= 0x7F;
189 static const char *MaybeDemangleGlobalName(const char *name) {
190 // We can spoil names of globals with C linkage, so use an heuristic
191 // approach to check if the name should be demangled.
192 bool should_demangle = false;
193 if (name[0] == '_' && name[1] == 'Z')
194 should_demangle = true;
195 else if (SANITIZER_WINDOWS && name[0] == '\01' && name[1] == '?')
196 should_demangle = true;
198 return should_demangle ? Symbolizer::Get()->Demangle(name) : name;
201 // Check if the global is a zero-terminated ASCII string. If so, print it.
202 static void PrintGlobalNameIfASCII(InternalScopedString *str,
203 const __asan_global &g) {
204 for (uptr p = g.beg; p < g.beg + g.size - 1; p++) {
205 unsigned char c = *(unsigned char*)p;
206 if (c == '\0' || !IsASCII(c)) return;
208 if (*(char*)(g.beg + g.size - 1) != '\0') return;
209 str->append(" '%s' is ascii string '%s'\n", MaybeDemangleGlobalName(g.name),
210 (char *)g.beg);
213 bool DescribeAddressRelativeToGlobal(uptr addr, uptr size,
214 const __asan_global &g) {
215 static const uptr kMinimalDistanceFromAnotherGlobal = 64;
216 if (addr <= g.beg - kMinimalDistanceFromAnotherGlobal) return false;
217 if (addr >= g.beg + g.size_with_redzone) return false;
218 InternalScopedString str(4096);
219 Decorator d;
220 str.append("%s", d.Location());
221 if (addr < g.beg) {
222 str.append("%p is located %zd bytes to the left", (void *)addr,
223 g.beg - addr);
224 } else if (addr + size > g.beg + g.size) {
225 if (addr < g.beg + g.size)
226 addr = g.beg + g.size;
227 str.append("%p is located %zd bytes to the right", (void *)addr,
228 addr - (g.beg + g.size));
229 } else {
230 // Can it happen?
231 str.append("%p is located %zd bytes inside", (void *)addr, addr - g.beg);
233 str.append(" of global variable '%s' from '%s' (0x%zx) of size %zu\n",
234 MaybeDemangleGlobalName(g.name), g.module_name, g.beg, g.size);
235 str.append("%s", d.EndLocation());
236 PrintGlobalNameIfASCII(&str, g);
237 Printf("%s", str.data());
238 return true;
241 bool DescribeAddressIfShadow(uptr addr) {
242 if (AddrIsInMem(addr))
243 return false;
244 static const char kAddrInShadowReport[] =
245 "Address %p is located in the %s.\n";
246 if (AddrIsInShadowGap(addr)) {
247 Printf(kAddrInShadowReport, addr, "shadow gap area");
248 return true;
250 if (AddrIsInHighShadow(addr)) {
251 Printf(kAddrInShadowReport, addr, "high shadow area");
252 return true;
254 if (AddrIsInLowShadow(addr)) {
255 Printf(kAddrInShadowReport, addr, "low shadow area");
256 return true;
258 CHECK(0 && "Address is not in memory and not in shadow?");
259 return false;
262 // Return " (thread_name) " or an empty string if the name is empty.
263 const char *ThreadNameWithParenthesis(AsanThreadContext *t, char buff[],
264 uptr buff_len) {
265 const char *name = t->name;
266 if (name[0] == '\0') return "";
267 buff[0] = 0;
268 internal_strncat(buff, " (", 3);
269 internal_strncat(buff, name, buff_len - 4);
270 internal_strncat(buff, ")", 2);
271 return buff;
274 const char *ThreadNameWithParenthesis(u32 tid, char buff[],
275 uptr buff_len) {
276 if (tid == kInvalidTid) return "";
277 asanThreadRegistry().CheckLocked();
278 AsanThreadContext *t = GetThreadContextByTidLocked(tid);
279 return ThreadNameWithParenthesis(t, buff, buff_len);
282 void PrintAccessAndVarIntersection(const char *var_name,
283 uptr var_beg, uptr var_size,
284 uptr addr, uptr access_size,
285 uptr prev_var_end, uptr next_var_beg) {
286 uptr var_end = var_beg + var_size;
287 uptr addr_end = addr + access_size;
288 const char *pos_descr = 0;
289 // If the variable [var_beg, var_end) is the nearest variable to the
290 // current memory access, indicate it in the log.
291 if (addr >= var_beg) {
292 if (addr_end <= var_end)
293 pos_descr = "is inside"; // May happen if this is a use-after-return.
294 else if (addr < var_end)
295 pos_descr = "partially overflows";
296 else if (addr_end <= next_var_beg &&
297 next_var_beg - addr_end >= addr - var_end)
298 pos_descr = "overflows";
299 } else {
300 if (addr_end > var_beg)
301 pos_descr = "partially underflows";
302 else if (addr >= prev_var_end &&
303 addr - prev_var_end >= var_beg - addr_end)
304 pos_descr = "underflows";
306 InternalScopedString str(1024);
307 str.append(" [%zd, %zd) '%s'", var_beg, var_beg + var_size, var_name);
308 if (pos_descr) {
309 Decorator d;
310 // FIXME: we may want to also print the size of the access here,
311 // but in case of accesses generated by memset it may be confusing.
312 str.append("%s <== Memory access at offset %zd %s this variable%s\n",
313 d.Location(), addr, pos_descr, d.EndLocation());
314 } else {
315 str.append("\n");
317 Printf("%s", str.data());
320 struct StackVarDescr {
321 uptr beg;
322 uptr size;
323 const char *name_pos;
324 uptr name_len;
327 bool DescribeAddressIfStack(uptr addr, uptr access_size) {
328 AsanThread *t = FindThreadByStackAddress(addr);
329 if (!t) return false;
330 const uptr kBufSize = 4095;
331 char buf[kBufSize];
332 uptr offset = 0;
333 uptr frame_pc = 0;
334 char tname[128];
335 const char *frame_descr = t->GetFrameNameByAddr(addr, &offset, &frame_pc);
337 #ifdef __powerpc64__
338 // On PowerPC64, the address of a function actually points to a
339 // three-doubleword data structure with the first field containing
340 // the address of the function's code.
341 frame_pc = *reinterpret_cast<uptr *>(frame_pc);
342 #endif
344 // This string is created by the compiler and has the following form:
345 // "n alloc_1 alloc_2 ... alloc_n"
346 // where alloc_i looks like "offset size len ObjectName ".
347 CHECK(frame_descr);
348 Decorator d;
349 Printf("%s", d.Location());
350 Printf("Address %p is located in stack of thread T%d%s "
351 "at offset %zu in frame\n",
352 addr, t->tid(),
353 ThreadNameWithParenthesis(t->tid(), tname, sizeof(tname)),
354 offset);
355 // Now we print the frame where the alloca has happened.
356 // We print this frame as a stack trace with one element.
357 // The symbolizer may print more than one frame if inlining was involved.
358 // The frame numbers may be different than those in the stack trace printed
359 // previously. That's unfortunate, but I have no better solution,
360 // especially given that the alloca may be from entirely different place
361 // (e.g. use-after-scope, or different thread's stack).
362 StackTrace alloca_stack;
363 alloca_stack.trace[0] = frame_pc + 16;
364 alloca_stack.size = 1;
365 Printf("%s", d.EndLocation());
366 alloca_stack.Print();
367 // Report the number of stack objects.
368 char *p;
369 uptr n_objects = (uptr)internal_simple_strtoll(frame_descr, &p, 10);
370 CHECK_GT(n_objects, 0);
371 Printf(" This frame has %zu object(s):\n", n_objects);
373 // Report all objects in this frame.
374 InternalScopedBuffer<StackVarDescr> vars(n_objects);
375 for (uptr i = 0; i < n_objects; i++) {
376 uptr beg, size;
377 uptr len;
378 beg = (uptr)internal_simple_strtoll(p, &p, 10);
379 size = (uptr)internal_simple_strtoll(p, &p, 10);
380 len = (uptr)internal_simple_strtoll(p, &p, 10);
381 if (beg == 0 || size == 0 || *p != ' ') {
382 Printf("AddressSanitizer can't parse the stack frame "
383 "descriptor: |%s|\n", frame_descr);
384 break;
386 p++;
387 vars[i].beg = beg;
388 vars[i].size = size;
389 vars[i].name_pos = p;
390 vars[i].name_len = len;
391 p += len;
393 for (uptr i = 0; i < n_objects; i++) {
394 buf[0] = 0;
395 internal_strncat(buf, vars[i].name_pos,
396 static_cast<uptr>(Min(kBufSize, vars[i].name_len)));
397 uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
398 uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL);
399 PrintAccessAndVarIntersection(buf, vars[i].beg, vars[i].size,
400 offset, access_size,
401 prev_var_end, next_var_beg);
403 Printf("HINT: this may be a false positive if your program uses "
404 "some custom stack unwind mechanism or swapcontext\n"
405 " (longjmp and C++ exceptions *are* supported)\n");
406 DescribeThread(t);
407 return true;
410 static void DescribeAccessToHeapChunk(AsanChunkView chunk, uptr addr,
411 uptr access_size) {
412 sptr offset;
413 Decorator d;
414 InternalScopedString str(4096);
415 str.append("%s", d.Location());
416 if (chunk.AddrIsAtLeft(addr, access_size, &offset)) {
417 str.append("%p is located %zd bytes to the left of", (void *)addr, offset);
418 } else if (chunk.AddrIsAtRight(addr, access_size, &offset)) {
419 if (offset < 0) {
420 addr -= offset;
421 offset = 0;
423 str.append("%p is located %zd bytes to the right of", (void *)addr, offset);
424 } else if (chunk.AddrIsInside(addr, access_size, &offset)) {
425 str.append("%p is located %zd bytes inside of", (void*)addr, offset);
426 } else {
427 str.append("%p is located somewhere around (this is AddressSanitizer bug!)",
428 (void *)addr);
430 str.append(" %zu-byte region [%p,%p)\n", chunk.UsedSize(),
431 (void *)(chunk.Beg()), (void *)(chunk.End()));
432 str.append("%s", d.EndLocation());
433 Printf("%s", str.data());
436 void DescribeHeapAddress(uptr addr, uptr access_size) {
437 AsanChunkView chunk = FindHeapChunkByAddress(addr);
438 if (!chunk.IsValid()) {
439 Printf("AddressSanitizer can not describe address in more detail "
440 "(wild memory access suspected).\n");
441 return;
443 DescribeAccessToHeapChunk(chunk, addr, access_size);
444 CHECK(chunk.AllocTid() != kInvalidTid);
445 asanThreadRegistry().CheckLocked();
446 AsanThreadContext *alloc_thread =
447 GetThreadContextByTidLocked(chunk.AllocTid());
448 StackTrace alloc_stack;
449 chunk.GetAllocStack(&alloc_stack);
450 char tname[128];
451 Decorator d;
452 AsanThreadContext *free_thread = 0;
453 if (chunk.FreeTid() != kInvalidTid) {
454 free_thread = GetThreadContextByTidLocked(chunk.FreeTid());
455 Printf("%sfreed by thread T%d%s here:%s\n", d.Allocation(),
456 free_thread->tid,
457 ThreadNameWithParenthesis(free_thread, tname, sizeof(tname)),
458 d.EndAllocation());
459 StackTrace free_stack;
460 chunk.GetFreeStack(&free_stack);
461 free_stack.Print();
462 Printf("%spreviously allocated by thread T%d%s here:%s\n",
463 d.Allocation(), alloc_thread->tid,
464 ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
465 d.EndAllocation());
466 } else {
467 Printf("%sallocated by thread T%d%s here:%s\n", d.Allocation(),
468 alloc_thread->tid,
469 ThreadNameWithParenthesis(alloc_thread, tname, sizeof(tname)),
470 d.EndAllocation());
472 alloc_stack.Print();
473 DescribeThread(GetCurrentThread());
474 if (free_thread)
475 DescribeThread(free_thread);
476 DescribeThread(alloc_thread);
479 void DescribeAddress(uptr addr, uptr access_size) {
480 // Check if this is shadow or shadow gap.
481 if (DescribeAddressIfShadow(addr))
482 return;
483 CHECK(AddrIsInMem(addr));
484 if (DescribeAddressIfGlobal(addr, access_size))
485 return;
486 if (DescribeAddressIfStack(addr, access_size))
487 return;
488 // Assume it is a heap address.
489 DescribeHeapAddress(addr, access_size);
492 // ------------------- Thread description -------------------- {{{1
494 void DescribeThread(AsanThreadContext *context) {
495 CHECK(context);
496 asanThreadRegistry().CheckLocked();
497 // No need to announce the main thread.
498 if (context->tid == 0 || context->announced) {
499 return;
501 context->announced = true;
502 char tname[128];
503 InternalScopedString str(1024);
504 str.append("Thread T%d%s", context->tid,
505 ThreadNameWithParenthesis(context->tid, tname, sizeof(tname)));
506 str.append(
507 " created by T%d%s here:\n", context->parent_tid,
508 ThreadNameWithParenthesis(context->parent_tid, tname, sizeof(tname)));
509 Printf("%s", str.data());
510 uptr stack_size;
511 const uptr *stack_trace = StackDepotGet(context->stack_id, &stack_size);
512 StackTrace::PrintStack(stack_trace, stack_size);
513 // Recursively described parent thread if needed.
514 if (flags()->print_full_thread_history) {
515 AsanThreadContext *parent_context =
516 GetThreadContextByTidLocked(context->parent_tid);
517 DescribeThread(parent_context);
521 // -------------------- Different kinds of reports ----------------- {{{1
523 // Use ScopedInErrorReport to run common actions just before and
524 // immediately after printing error report.
525 class ScopedInErrorReport {
526 public:
527 ScopedInErrorReport() {
528 static atomic_uint32_t num_calls;
529 static u32 reporting_thread_tid;
530 if (atomic_fetch_add(&num_calls, 1, memory_order_relaxed) != 0) {
531 // Do not print more than one report, otherwise they will mix up.
532 // Error reporting functions shouldn't return at this situation, as
533 // they are defined as no-return.
534 Report("AddressSanitizer: while reporting a bug found another one."
535 "Ignoring.\n");
536 u32 current_tid = GetCurrentTidOrInvalid();
537 if (current_tid != reporting_thread_tid) {
538 // ASan found two bugs in different threads simultaneously. Sleep
539 // long enough to make sure that the thread which started to print
540 // an error report will finish doing it.
541 SleepForSeconds(Max(100, flags()->sleep_before_dying + 1));
543 // If we're still not dead for some reason, use raw _exit() instead of
544 // Die() to bypass any additional checks.
545 internal__exit(flags()->exitcode);
547 ASAN_ON_ERROR();
548 // Make sure the registry and sanitizer report mutexes are locked while
549 // we're printing an error report.
550 // We can lock them only here to avoid self-deadlock in case of
551 // recursive reports.
552 asanThreadRegistry().Lock();
553 CommonSanitizerReportMutex.Lock();
554 reporting_thread_tid = GetCurrentTidOrInvalid();
555 Printf("===================================================="
556 "=============\n");
558 // Destructor is NORETURN, as functions that report errors are.
559 NORETURN ~ScopedInErrorReport() {
560 // Make sure the current thread is announced.
561 DescribeThread(GetCurrentThread());
562 // We may want to grab this lock again when printing stats.
563 asanThreadRegistry().Unlock();
564 // Print memory stats.
565 if (flags()->print_stats)
566 __asan_print_accumulated_stats();
567 if (error_report_callback) {
568 error_report_callback(error_message_buffer);
570 Report("ABORTING\n");
571 Die();
575 void ReportStackOverflow(uptr pc, uptr sp, uptr bp, void *context, uptr addr) {
576 ScopedInErrorReport in_report;
577 Decorator d;
578 Printf("%s", d.Warning());
579 Report(
580 "ERROR: AddressSanitizer: stack-overflow on address %p"
581 " (pc %p sp %p bp %p T%d)\n",
582 (void *)addr, (void *)pc, (void *)sp, (void *)bp,
583 GetCurrentTidOrInvalid());
584 Printf("%s", d.EndWarning());
585 GET_STACK_TRACE_SIGNAL(pc, bp, context);
586 stack.Print();
587 ReportErrorSummary("stack-overflow", &stack);
590 void ReportSIGSEGV(uptr pc, uptr sp, uptr bp, void *context, uptr addr) {
591 ScopedInErrorReport in_report;
592 Decorator d;
593 Printf("%s", d.Warning());
594 Report(
595 "ERROR: AddressSanitizer: SEGV on unknown address %p"
596 " (pc %p sp %p bp %p T%d)\n",
597 (void *)addr, (void *)pc, (void *)sp, (void *)bp,
598 GetCurrentTidOrInvalid());
599 Printf("%s", d.EndWarning());
600 GET_STACK_TRACE_SIGNAL(pc, bp, context);
601 stack.Print();
602 Printf("AddressSanitizer can not provide additional info.\n");
603 ReportErrorSummary("SEGV", &stack);
606 void ReportDoubleFree(uptr addr, StackTrace *free_stack) {
607 ScopedInErrorReport in_report;
608 Decorator d;
609 Printf("%s", d.Warning());
610 char tname[128];
611 u32 curr_tid = GetCurrentTidOrInvalid();
612 Report("ERROR: AddressSanitizer: attempting double-free on %p in "
613 "thread T%d%s:\n",
614 addr, curr_tid,
615 ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
616 Printf("%s", d.EndWarning());
617 CHECK_GT(free_stack->size, 0);
618 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
619 stack.Print();
620 DescribeHeapAddress(addr, 1);
621 ReportErrorSummary("double-free", &stack);
624 void ReportFreeNotMalloced(uptr addr, StackTrace *free_stack) {
625 ScopedInErrorReport in_report;
626 Decorator d;
627 Printf("%s", d.Warning());
628 char tname[128];
629 u32 curr_tid = GetCurrentTidOrInvalid();
630 Report("ERROR: AddressSanitizer: attempting free on address "
631 "which was not malloc()-ed: %p in thread T%d%s\n", addr,
632 curr_tid, ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
633 Printf("%s", d.EndWarning());
634 CHECK_GT(free_stack->size, 0);
635 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
636 stack.Print();
637 DescribeHeapAddress(addr, 1);
638 ReportErrorSummary("bad-free", &stack);
641 void ReportAllocTypeMismatch(uptr addr, StackTrace *free_stack,
642 AllocType alloc_type,
643 AllocType dealloc_type) {
644 static const char *alloc_names[] =
645 {"INVALID", "malloc", "operator new", "operator new []"};
646 static const char *dealloc_names[] =
647 {"INVALID", "free", "operator delete", "operator delete []"};
648 CHECK_NE(alloc_type, dealloc_type);
649 ScopedInErrorReport in_report;
650 Decorator d;
651 Printf("%s", d.Warning());
652 Report("ERROR: AddressSanitizer: alloc-dealloc-mismatch (%s vs %s) on %p\n",
653 alloc_names[alloc_type], dealloc_names[dealloc_type], addr);
654 Printf("%s", d.EndWarning());
655 CHECK_GT(free_stack->size, 0);
656 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
657 stack.Print();
658 DescribeHeapAddress(addr, 1);
659 ReportErrorSummary("alloc-dealloc-mismatch", &stack);
660 Report("HINT: if you don't care about these warnings you may set "
661 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
664 void ReportMallocUsableSizeNotOwned(uptr addr, StackTrace *stack) {
665 ScopedInErrorReport in_report;
666 Decorator d;
667 Printf("%s", d.Warning());
668 Report("ERROR: AddressSanitizer: attempting to call "
669 "malloc_usable_size() for pointer which is "
670 "not owned: %p\n", addr);
671 Printf("%s", d.EndWarning());
672 stack->Print();
673 DescribeHeapAddress(addr, 1);
674 ReportErrorSummary("bad-malloc_usable_size", stack);
677 void ReportAsanGetAllocatedSizeNotOwned(uptr addr, StackTrace *stack) {
678 ScopedInErrorReport in_report;
679 Decorator d;
680 Printf("%s", d.Warning());
681 Report("ERROR: AddressSanitizer: attempting to call "
682 "__asan_get_allocated_size() for pointer which is "
683 "not owned: %p\n", addr);
684 Printf("%s", d.EndWarning());
685 stack->Print();
686 DescribeHeapAddress(addr, 1);
687 ReportErrorSummary("bad-__asan_get_allocated_size", stack);
690 void ReportStringFunctionMemoryRangesOverlap(
691 const char *function, const char *offset1, uptr length1,
692 const char *offset2, uptr length2, StackTrace *stack) {
693 ScopedInErrorReport in_report;
694 Decorator d;
695 char bug_type[100];
696 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
697 Printf("%s", d.Warning());
698 Report("ERROR: AddressSanitizer: %s: "
699 "memory ranges [%p,%p) and [%p, %p) overlap\n", \
700 bug_type, offset1, offset1 + length1, offset2, offset2 + length2);
701 Printf("%s", d.EndWarning());
702 stack->Print();
703 DescribeAddress((uptr)offset1, length1);
704 DescribeAddress((uptr)offset2, length2);
705 ReportErrorSummary(bug_type, stack);
708 void ReportStringFunctionSizeOverflow(uptr offset, uptr size,
709 StackTrace *stack) {
710 ScopedInErrorReport in_report;
711 Decorator d;
712 const char *bug_type = "negative-size-param";
713 Printf("%s", d.Warning());
714 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", bug_type, size);
715 Printf("%s", d.EndWarning());
716 stack->Print();
717 DescribeAddress(offset, size);
718 ReportErrorSummary(bug_type, stack);
721 void ReportBadParamsToAnnotateContiguousContainer(uptr beg, uptr end,
722 uptr old_mid, uptr new_mid,
723 StackTrace *stack) {
724 ScopedInErrorReport in_report;
725 Report("ERROR: AddressSanitizer: bad parameters to "
726 "__sanitizer_annotate_contiguous_container:\n"
727 " beg : %p\n"
728 " end : %p\n"
729 " old_mid : %p\n"
730 " new_mid : %p\n",
731 beg, end, old_mid, new_mid);
732 stack->Print();
733 ReportErrorSummary("bad-__sanitizer_annotate_contiguous_container", stack);
736 void ReportODRViolation(const __asan_global *g1, const __asan_global *g2) {
737 ScopedInErrorReport in_report;
738 Decorator d;
739 Printf("%s", d.Warning());
740 Report("ERROR: AddressSanitizer: odr-violation (%p):\n", g1->beg);
741 Printf("%s", d.EndWarning());
742 Printf(" [1] size=%zd %s %s\n", g1->size, g1->name, g1->module_name);
743 Printf(" [2] size=%zd %s %s\n", g2->size, g2->name, g2->module_name);
744 Report("HINT: if you don't care about these warnings you may set "
745 "ASAN_OPTIONS=detect_odr_violation=0\n");
746 ReportErrorSummary("odr-violation", g1->module_name, 0, g1->name);
749 // ----------------------- CheckForInvalidPointerPair ----------- {{{1
750 static NOINLINE void
751 ReportInvalidPointerPair(uptr pc, uptr bp, uptr sp, uptr a1, uptr a2) {
752 ScopedInErrorReport in_report;
753 Decorator d;
754 Printf("%s", d.Warning());
755 Report("ERROR: AddressSanitizer: invalid-pointer-pair: %p %p\n", a1, a2);
756 Printf("%s", d.EndWarning());
757 GET_STACK_TRACE_FATAL(pc, bp);
758 stack.Print();
759 DescribeAddress(a1, 1);
760 DescribeAddress(a2, 1);
761 ReportErrorSummary("invalid-pointer-pair", &stack);
764 static INLINE void CheckForInvalidPointerPair(void *p1, void *p2) {
765 if (!flags()->detect_invalid_pointer_pairs) return;
766 uptr a1 = reinterpret_cast<uptr>(p1);
767 uptr a2 = reinterpret_cast<uptr>(p2);
768 AsanChunkView chunk1 = FindHeapChunkByAddress(a1);
769 AsanChunkView chunk2 = FindHeapChunkByAddress(a2);
770 bool valid1 = chunk1.IsValid();
771 bool valid2 = chunk2.IsValid();
772 if ((valid1 != valid2) || (valid1 && valid2 && !chunk1.Eq(chunk2))) {
773 GET_CALLER_PC_BP_SP; \
774 return ReportInvalidPointerPair(pc, bp, sp, a1, a2);
777 // ----------------------- Mac-specific reports ----------------- {{{1
779 void WarnMacFreeUnallocated(
780 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
781 // Just print a warning here.
782 Printf("free_common(%p) -- attempting to free unallocated memory.\n"
783 "AddressSanitizer is ignoring this error on Mac OS now.\n",
784 addr);
785 PrintZoneForPointer(addr, zone_ptr, zone_name);
786 stack->Print();
787 DescribeHeapAddress(addr, 1);
790 void ReportMacMzReallocUnknown(
791 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
792 ScopedInErrorReport in_report;
793 Printf("mz_realloc(%p) -- attempting to realloc unallocated memory.\n"
794 "This is an unrecoverable problem, exiting now.\n",
795 addr);
796 PrintZoneForPointer(addr, zone_ptr, zone_name);
797 stack->Print();
798 DescribeHeapAddress(addr, 1);
801 void ReportMacCfReallocUnknown(
802 uptr addr, uptr zone_ptr, const char *zone_name, StackTrace *stack) {
803 ScopedInErrorReport in_report;
804 Printf("cf_realloc(%p) -- attempting to realloc unallocated memory.\n"
805 "This is an unrecoverable problem, exiting now.\n",
806 addr);
807 PrintZoneForPointer(addr, zone_ptr, zone_name);
808 stack->Print();
809 DescribeHeapAddress(addr, 1);
812 } // namespace __asan
814 // --------------------------- Interface --------------------- {{{1
815 using namespace __asan; // NOLINT
817 void __asan_report_error(uptr pc, uptr bp, uptr sp, uptr addr, int is_write,
818 uptr access_size) {
819 ScopedInErrorReport in_report;
821 // Determine the error type.
822 const char *bug_descr = "unknown-crash";
823 if (AddrIsInMem(addr)) {
824 u8 *shadow_addr = (u8*)MemToShadow(addr);
825 // If we are accessing 16 bytes, look at the second shadow byte.
826 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY)
827 shadow_addr++;
828 // If we are in the partial right redzone, look at the next shadow byte.
829 if (*shadow_addr > 0 && *shadow_addr < 128)
830 shadow_addr++;
831 switch (*shadow_addr) {
832 case kAsanHeapLeftRedzoneMagic:
833 case kAsanHeapRightRedzoneMagic:
834 bug_descr = "heap-buffer-overflow";
835 break;
836 case kAsanHeapFreeMagic:
837 bug_descr = "heap-use-after-free";
838 break;
839 case kAsanStackLeftRedzoneMagic:
840 bug_descr = "stack-buffer-underflow";
841 break;
842 case kAsanInitializationOrderMagic:
843 bug_descr = "initialization-order-fiasco";
844 break;
845 case kAsanStackMidRedzoneMagic:
846 case kAsanStackRightRedzoneMagic:
847 case kAsanStackPartialRedzoneMagic:
848 bug_descr = "stack-buffer-overflow";
849 break;
850 case kAsanStackAfterReturnMagic:
851 bug_descr = "stack-use-after-return";
852 break;
853 case kAsanUserPoisonedMemoryMagic:
854 bug_descr = "use-after-poison";
855 break;
856 case kAsanContiguousContainerOOBMagic:
857 bug_descr = "container-overflow";
858 break;
859 case kAsanStackUseAfterScopeMagic:
860 bug_descr = "stack-use-after-scope";
861 break;
862 case kAsanGlobalRedzoneMagic:
863 bug_descr = "global-buffer-overflow";
864 break;
867 Decorator d;
868 Printf("%s", d.Warning());
869 Report("ERROR: AddressSanitizer: %s on address "
870 "%p at pc 0x%zx bp 0x%zx sp 0x%zx\n",
871 bug_descr, (void*)addr, pc, bp, sp);
872 Printf("%s", d.EndWarning());
874 u32 curr_tid = GetCurrentTidOrInvalid();
875 char tname[128];
876 Printf("%s%s of size %zu at %p thread T%d%s%s\n",
877 d.Access(),
878 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS",
879 access_size, (void*)addr, curr_tid,
880 ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)),
881 d.EndAccess());
883 GET_STACK_TRACE_FATAL(pc, bp);
884 stack.Print();
886 DescribeAddress(addr, access_size);
887 ReportErrorSummary(bug_descr, &stack);
888 PrintShadowMemoryForAddress(addr);
891 void NOINLINE __asan_set_error_report_callback(void (*callback)(const char*)) {
892 error_report_callback = callback;
893 if (callback) {
894 error_message_buffer_size = 1 << 16;
895 error_message_buffer =
896 (char*)MmapOrDie(error_message_buffer_size, __func__);
897 error_message_buffer_pos = 0;
901 void __asan_describe_address(uptr addr) {
902 DescribeAddress(addr, 1);
905 extern "C" {
906 SANITIZER_INTERFACE_ATTRIBUTE
907 void __sanitizer_ptr_sub(void *a, void *b) {
908 CheckForInvalidPointerPair(a, b);
910 SANITIZER_INTERFACE_ATTRIBUTE
911 void __sanitizer_ptr_cmp(void *a, void *b) {
912 CheckForInvalidPointerPair(a, b);
914 } // extern "C"
916 #if !SANITIZER_SUPPORTS_WEAK_HOOKS
917 // Provide default implementation of __asan_on_error that does nothing
918 // and may be overriden by user.
919 SANITIZER_INTERFACE_ATTRIBUTE SANITIZER_WEAK_ATTRIBUTE NOINLINE
920 void __asan_on_error() {}
921 #endif