1//===-- asan_descriptions.cpp -----------------------------------*- C++ -*-===//
2//
3// Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions.
4// See https://llvm.org/LICENSE.txt for license information.
5// SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception
6//
7//===----------------------------------------------------------------------===//
8//
9// This file is a part of AddressSanitizer, an address sanity checker.
10//
11// ASan functions for getting information about an address and/or printing it.
12//===----------------------------------------------------------------------===//
13
14#include "asan_descriptions.h"
15#include "asan_mapping.h"
16#include "asan_report.h"
17#include "asan_stack.h"
18#include "sanitizer_common/sanitizer_stackdepot.h"
19
20namespace __asan {
21
22AsanThreadIdAndName::AsanThreadIdAndName(AsanThreadContext *t) {
23 Init(tid: t->tid, tname: t->name);
24}
25
26AsanThreadIdAndName::AsanThreadIdAndName(u32 tid) {
27 if (tid == kInvalidTid) {
28 Init(tid, tname: "");
29 } else {
30 asanThreadRegistry().CheckLocked();
31 AsanThreadContext *t = GetThreadContextByTidLocked(tid);
32 Init(tid, tname: t->name);
33 }
34}
35
36void AsanThreadIdAndName::Init(u32 tid, const char *tname) {
37 int len = internal_snprintf(buffer: name, length: sizeof(name), format: "T%d", tid);
38 CHECK(((unsigned int)len) < sizeof(name));
39 if (tname[0] != '\0')
40 internal_snprintf(buffer: &name[len], length: sizeof(name) - len, format: " (%s)", tname);
41}
42
43void DescribeThread(AsanThreadContext *context) {
44 CHECK(context);
45 asanThreadRegistry().CheckLocked();
46 // No need to announce the main thread.
47 if (context->tid == kMainTid || context->announced) {
48 return;
49 }
50 context->announced = true;
51 InternalScopedString str;
52 str.AppendF(format: "Thread %s", AsanThreadIdAndName(context).c_str());
53 if (context->parent_tid == kInvalidTid) {
54 str.Append(str: " created by unknown thread\n");
55 Printf(format: "%s", str.data());
56 return;
57 }
58 str.AppendF(format: " created by %s here:\n",
59 AsanThreadIdAndName(context->parent_tid).c_str());
60 Printf(format: "%s", str.data());
61 StackDepotGet(id: context->stack_id).Print();
62 // Recursively described parent thread if needed.
63 if (flags()->print_full_thread_history) {
64 AsanThreadContext *parent_context =
65 GetThreadContextByTidLocked(tid: context->parent_tid);
66 DescribeThread(context: parent_context);
67 }
68}
69
70// Shadow descriptions
71static bool GetShadowKind(uptr addr, ShadowKind *shadow_kind) {
72 CHECK(!AddrIsInMem(addr));
73 if (AddrIsInShadowGap(a: addr)) {
74 *shadow_kind = kShadowKindGap;
75 } else if (AddrIsInHighShadow(a: addr)) {
76 *shadow_kind = kShadowKindHigh;
77 } else if (AddrIsInLowShadow(a: addr)) {
78 *shadow_kind = kShadowKindLow;
79 } else {
80 return false;
81 }
82 return true;
83}
84
85bool DescribeAddressIfShadow(uptr addr) {
86 ShadowAddressDescription descr;
87 if (!GetShadowAddressInformation(addr, descr: &descr)) return false;
88 descr.Print();
89 return true;
90}
91
92bool GetShadowAddressInformation(uptr addr, ShadowAddressDescription *descr) {
93 if (AddrIsInMem(a: addr)) return false;
94 ShadowKind shadow_kind;
95 if (!GetShadowKind(addr, shadow_kind: &shadow_kind)) return false;
96 if (shadow_kind != kShadowKindGap) descr->shadow_byte = *(u8 *)addr;
97 descr->addr = addr;
98 descr->kind = shadow_kind;
99 return true;
100}
101
102// Heap descriptions
103static void GetAccessToHeapChunkInformation(ChunkAccess *descr,
104 AsanChunkView chunk, uptr addr,
105 uptr access_size) {
106 descr->bad_addr = addr;
107 if (chunk.AddrIsAtLeft(addr, access_size, offset: &descr->offset)) {
108 descr->access_type = kAccessTypeLeft;
109 } else if (chunk.AddrIsAtRight(addr, access_size, offset: &descr->offset)) {
110 descr->access_type = kAccessTypeRight;
111 if (descr->offset < 0) {
112 descr->bad_addr -= descr->offset;
113 descr->offset = 0;
114 }
115 } else if (chunk.AddrIsInside(addr, access_size, offset: &descr->offset)) {
116 descr->access_type = kAccessTypeInside;
117 } else {
118 descr->access_type = kAccessTypeUnknown;
119 }
120 descr->chunk_begin = chunk.Beg();
121 descr->chunk_size = chunk.UsedSize();
122 descr->user_requested_alignment = chunk.UserRequestedAlignment();
123 descr->alloc_type = chunk.GetAllocType();
124}
125
126static void PrintHeapChunkAccess(uptr addr, const ChunkAccess &descr) {
127 Decorator d;
128 InternalScopedString str;
129 str.Append(str: d.Location());
130 switch (descr.access_type) {
131 case kAccessTypeLeft:
132 str.AppendF(format: "%p is located %zd bytes before", (void *)descr.bad_addr,
133 descr.offset);
134 break;
135 case kAccessTypeRight:
136 str.AppendF(format: "%p is located %zd bytes after", (void *)descr.bad_addr,
137 descr.offset);
138 break;
139 case kAccessTypeInside:
140 str.AppendF(format: "%p is located %zd bytes inside of", (void *)descr.bad_addr,
141 descr.offset);
142 break;
143 case kAccessTypeUnknown:
144 str.AppendF(
145 format: "%p is located somewhere around (this is AddressSanitizer bug!)",
146 (void *)descr.bad_addr);
147 }
148 str.AppendF(format: " %zu-byte region [%p,%p)\n", descr.chunk_size,
149 (void *)descr.chunk_begin,
150 (void *)(descr.chunk_begin + descr.chunk_size));
151 str.Append(str: d.Default());
152 Printf(format: "%s", str.data());
153}
154
155bool GetHeapAddressInformation(uptr addr, uptr access_size,
156 HeapAddressDescription *descr) {
157 AsanChunkView chunk = FindHeapChunkByAddress(address: addr);
158 if (!chunk.IsValid()) {
159 return false;
160 }
161 descr->addr = addr;
162 GetAccessToHeapChunkInformation(descr: &descr->chunk_access, chunk, addr,
163 access_size);
164 CHECK_NE(chunk.AllocTid(), kInvalidTid);
165 descr->alloc_tid = chunk.AllocTid();
166 descr->alloc_stack_id = chunk.GetAllocStackId();
167 descr->free_tid = chunk.FreeTid();
168 if (descr->free_tid != kInvalidTid)
169 descr->free_stack_id = chunk.GetFreeStackId();
170 return true;
171}
172
173static StackTrace GetStackTraceFromId(u32 id) {
174 CHECK(id);
175 StackTrace res = StackDepotGet(id);
176 CHECK(res.trace);
177 return res;
178}
179
180bool DescribeAddressIfHeap(uptr addr, uptr access_size) {
181 HeapAddressDescription descr;
182 if (!GetHeapAddressInformation(addr, access_size, descr: &descr)) {
183 Printf(
184 format: "AddressSanitizer can not describe address in more detail "
185 "(wild memory access suspected).\n");
186 return false;
187 }
188 descr.Print();
189 return true;
190}
191
192// Stack descriptions
193bool GetStackAddressInformation(uptr addr, uptr access_size,
194 StackAddressDescription *descr) {
195 AsanThread *t = FindThreadByStackAddress(addr);
196 if (!t) return false;
197
198 descr->addr = addr;
199 descr->tid = t->tid();
200 // Try to fetch precise stack frame for this access.
201 AsanThread::StackFrameAccess access;
202 if (!t->GetStackFrameAccessByAddr(addr, access: &access)) {
203 descr->frame_descr = nullptr;
204 return true;
205 }
206
207 descr->offset = access.offset;
208 descr->access_size = access_size;
209 descr->frame_pc = access.frame_pc;
210 descr->frame_descr = access.frame_descr;
211
212#if SANITIZER_PPC64V1
213 // On PowerPC64 ELFv1, the address of a function actually points to a
214 // three-doubleword data structure with the first field containing
215 // the address of the function's code.
216 descr->frame_pc = *reinterpret_cast<uptr *>(descr->frame_pc);
217#endif
218 descr->frame_pc += 16;
219
220 return true;
221}
222
223static void PrintAccessAndVarIntersection(const StackVarDescr &var, uptr addr,
224 uptr access_size, uptr prev_var_end,
225 uptr next_var_beg) {
226 uptr var_end = var.beg + var.size;
227 uptr addr_end = addr + access_size;
228 const char *pos_descr = nullptr;
229 // If the variable [var.beg, var_end) is the nearest variable to the
230 // current memory access, indicate it in the log.
231 if (addr >= var.beg) {
232 if (addr_end <= var_end)
233 pos_descr = "is inside"; // May happen if this is a use-after-return.
234 else if (addr < var_end)
235 pos_descr = "partially overflows";
236 else if (addr_end <= next_var_beg &&
237 next_var_beg - addr_end >= addr - var_end)
238 pos_descr = "overflows";
239 } else {
240 if (addr_end > var.beg)
241 pos_descr = "partially underflows";
242 else if (addr >= prev_var_end && addr - prev_var_end >= var.beg - addr_end)
243 pos_descr = "underflows";
244 }
245 InternalScopedString str;
246 str.AppendF(format: " [%zd, %zd)", var.beg, var_end);
247 // Render variable name.
248 str.Append(str: " '");
249 for (uptr i = 0; i < var.name_len; ++i) {
250 str.AppendF(format: "%c", var.name_pos[i]);
251 }
252 str.Append(str: "'");
253 if (var.line > 0) {
254 str.AppendF(format: " (line %zd)", var.line);
255 }
256 if (pos_descr) {
257 Decorator d;
258 // FIXME: we may want to also print the size of the access here,
259 // but in case of accesses generated by memset it may be confusing.
260 str.AppendF(format: "%s <== Memory access at offset %zd %s this variable%s\n",
261 d.Location(), addr, pos_descr, d.Default());
262 } else {
263 str.Append(str: "\n");
264 }
265 Printf(format: "%s", str.data());
266}
267
268bool DescribeAddressIfStack(uptr addr, uptr access_size) {
269 StackAddressDescription descr;
270 if (!GetStackAddressInformation(addr, access_size, descr: &descr)) return false;
271 descr.Print();
272 return true;
273}
274
275// Global descriptions
276static void DescribeAddressRelativeToGlobal(uptr addr, uptr access_size,
277 const __asan_global &g) {
278 InternalScopedString str;
279 Decorator d;
280 str.Append(str: d.Location());
281 if (addr < g.beg) {
282 str.AppendF(format: "%p is located %zd bytes before", (void *)addr, g.beg - addr);
283 } else if (addr + access_size > g.beg + g.size) {
284 if (addr < g.beg + g.size) addr = g.beg + g.size;
285 str.AppendF(format: "%p is located %zd bytes after", (void *)addr,
286 addr - (g.beg + g.size));
287 } else {
288 // Can it happen?
289 str.AppendF(format: "%p is located %zd bytes inside of", (void *)addr,
290 addr - g.beg);
291 }
292 str.AppendF(format: " global variable '%s' defined in '",
293 MaybeDemangleGlobalName(name: g.name));
294 PrintGlobalLocation(str: &str, g, /*print_module_name=*/false);
295 str.AppendF(format: "' (%p) of size %zu\n", (void *)g.beg, g.size);
296 str.Append(str: d.Default());
297 PrintGlobalNameIfASCII(str: &str, g);
298 Printf(format: "%s", str.data());
299}
300
301bool GetGlobalAddressInformation(uptr addr, uptr access_size,
302 GlobalAddressDescription *descr) {
303 descr->addr = addr;
304 int globals_num = GetGlobalsForAddress(addr, globals: descr->globals, reg_sites: descr->reg_sites,
305 ARRAY_SIZE(descr->globals));
306 descr->size = globals_num;
307 descr->access_size = access_size;
308 return globals_num != 0;
309}
310
311bool DescribeAddressIfGlobal(uptr addr, uptr access_size,
312 const char *bug_type) {
313 GlobalAddressDescription descr;
314 if (!GetGlobalAddressInformation(addr, access_size, descr: &descr)) return false;
315
316 descr.Print(bug_type);
317 return true;
318}
319
320void ShadowAddressDescription::Print() const {
321 Printf(format: "Address %p is located in the %s area.\n", (void *)addr,
322 ShadowNames[kind]);
323}
324
325void GlobalAddressDescription::Print(const char *bug_type) const {
326 for (int i = 0; i < size; i++) {
327 DescribeAddressRelativeToGlobal(addr, access_size, g: globals[i]);
328 if (bug_type &&
329 0 == internal_strcmp(s1: bug_type, s2: "initialization-order-fiasco") &&
330 reg_sites[i]) {
331 Printf(format: " registered at:\n");
332 StackDepotGet(id: reg_sites[i]).Print();
333 }
334 }
335}
336
337bool GlobalAddressDescription::PointsInsideTheSameVariable(
338 const GlobalAddressDescription &other) const {
339 if (size == 0 || other.size == 0) return false;
340
341 for (uptr i = 0; i < size; i++) {
342 const __asan_global &a = globals[i];
343 for (uptr j = 0; j < other.size; j++) {
344 const __asan_global &b = other.globals[j];
345 if (a.beg == b.beg &&
346 a.beg <= addr &&
347 b.beg <= other.addr &&
348 (addr + access_size) < (a.beg + a.size) &&
349 (other.addr + other.access_size) < (b.beg + b.size))
350 return true;
351 }
352 }
353
354 return false;
355}
356
357void StackAddressDescription::Print() const {
358 Decorator d;
359 Printf(format: "%s", d.Location());
360 Printf(format: "Address %p is located in stack of thread %s", (void *)addr,
361 AsanThreadIdAndName(tid).c_str());
362
363 if (!frame_descr) {
364 Printf(format: "%s\n", d.Default());
365 return;
366 }
367 Printf(format: " at offset %zu in frame%s\n", offset, d.Default());
368
369 // Now we print the frame where the alloca has happened.
370 // We print this frame as a stack trace with one element.
371 // The symbolizer may print more than one frame if inlining was involved.
372 // The frame numbers may be different than those in the stack trace printed
373 // previously. That's unfortunate, but I have no better solution,
374 // especially given that the alloca may be from entirely different place
375 // (e.g. use-after-scope, or different thread's stack).
376 Printf(format: "%s", d.Default());
377 StackTrace alloca_stack(&frame_pc, 1);
378 alloca_stack.Print();
379
380 InternalMmapVector<StackVarDescr> vars;
381 vars.reserve(new_size: 16);
382 if (!ParseFrameDescription(frame_descr, vars: &vars)) {
383 Printf(
384 format: "AddressSanitizer can't parse the stack frame "
385 "descriptor: |%s|\n",
386 frame_descr);
387 // 'addr' is a stack address, so return true even if we can't parse frame
388 return;
389 }
390 uptr n_objects = vars.size();
391 // Report the number of stack objects.
392 Printf(format: " This frame has %zu object(s):\n", n_objects);
393
394 // Report all objects in this frame.
395 for (uptr i = 0; i < n_objects; i++) {
396 uptr prev_var_end = i ? vars[i - 1].beg + vars[i - 1].size : 0;
397 uptr next_var_beg = i + 1 < n_objects ? vars[i + 1].beg : ~(0UL);
398 PrintAccessAndVarIntersection(var: vars[i], addr: offset, access_size, prev_var_end,
399 next_var_beg);
400 }
401 Printf(
402 format: "HINT: this may be a false positive if your program uses "
403 "some custom stack unwind mechanism, swapcontext or vfork\n");
404 if (SANITIZER_WINDOWS)
405 Printf(format: " (longjmp, SEH and C++ exceptions *are* supported)\n");
406 else
407 Printf(format: " (longjmp and C++ exceptions *are* supported)\n");
408
409 DescribeThread(context: GetThreadContextByTidLocked(tid));
410}
411
412void HeapAddressDescription::Print() const {
413 PrintHeapChunkAccess(addr, descr: chunk_access);
414
415 asanThreadRegistry().CheckLocked();
416 AsanThreadContext *alloc_thread = GetThreadContextByTidLocked(tid: alloc_tid);
417 StackTrace alloc_stack = GetStackTraceFromId(id: alloc_stack_id);
418
419 Decorator d;
420 AsanThreadContext *free_thread = nullptr;
421 if (free_tid != kInvalidTid) {
422 free_thread = GetThreadContextByTidLocked(tid: free_tid);
423 Printf(format: "%sfreed by thread %s here:%s\n", d.Allocation(),
424 AsanThreadIdAndName(free_thread).c_str(), d.Default());
425 StackTrace free_stack = GetStackTraceFromId(id: free_stack_id);
426 free_stack.Print();
427 Printf(format: "%spreviously allocated by thread %s here:%s\n", d.Allocation(),
428 AsanThreadIdAndName(alloc_thread).c_str(), d.Default());
429 } else {
430 Printf(format: "%sallocated by thread %s here:%s\n", d.Allocation(),
431 AsanThreadIdAndName(alloc_thread).c_str(), d.Default());
432 }
433 alloc_stack.Print();
434 DescribeThread(t: GetCurrentThread());
435 if (free_thread) DescribeThread(context: free_thread);
436 DescribeThread(context: alloc_thread);
437}
438
439AddressDescription::AddressDescription(uptr addr, uptr access_size,
440 bool shouldLockThreadRegistry) {
441 if (GetShadowAddressInformation(addr, descr: &data.shadow)) {
442 data.kind = kAddressKindShadow;
443 return;
444 }
445 if (GetHeapAddressInformation(addr, access_size, descr: &data.heap)) {
446 data.kind = kAddressKindHeap;
447 return;
448 }
449
450 bool isStackMemory = false;
451 if (shouldLockThreadRegistry) {
452 ThreadRegistryLock l(&asanThreadRegistry());
453 isStackMemory = GetStackAddressInformation(addr, access_size, descr: &data.stack);
454 } else {
455 isStackMemory = GetStackAddressInformation(addr, access_size, descr: &data.stack);
456 }
457 if (isStackMemory) {
458 data.kind = kAddressKindStack;
459 return;
460 }
461
462 if (GetGlobalAddressInformation(addr, access_size, descr: &data.global)) {
463 data.kind = kAddressKindGlobal;
464 return;
465 }
466 data.kind = kAddressKindWild;
467 data.wild.addr = addr;
468 data.wild.access_size = access_size;
469}
470
471void WildAddressDescription::Print() const {
472 Printf(format: "Address %p is a wild pointer inside of access range of size %p.\n",
473 (void *)addr, (void *)access_size);
474}
475
476void PrintAddressDescription(uptr addr, uptr access_size,
477 const char *bug_type) {
478 ShadowAddressDescription shadow_descr;
479 if (GetShadowAddressInformation(addr, descr: &shadow_descr)) {
480 shadow_descr.Print();
481 return;
482 }
483
484 GlobalAddressDescription global_descr;
485 if (GetGlobalAddressInformation(addr, access_size, descr: &global_descr)) {
486 global_descr.Print(bug_type);
487 return;
488 }
489
490 StackAddressDescription stack_descr;
491 if (GetStackAddressInformation(addr, access_size, descr: &stack_descr)) {
492 stack_descr.Print();
493 return;
494 }
495
496 HeapAddressDescription heap_descr;
497 if (GetHeapAddressInformation(addr, access_size, descr: &heap_descr)) {
498 heap_descr.Print();
499 return;
500 }
501
502 // We exhausted our possibilities. Bail out.
503 Printf(
504 format: "AddressSanitizer can not describe address in more detail "
505 "(wild memory access suspected).\n");
506}
507} // namespace __asan
508