1 //===-- asan_errors.cc ------------------------------------------*- C++ -*-===//
3 // The LLVM Compiler Infrastructure
5 // This file is distributed under the University of Illinois Open Source
6 // License. See LICENSE.TXT for details.
8 //===----------------------------------------------------------------------===//
10 // This file is a part of AddressSanitizer, an address sanity checker.
12 // ASan implementation for error structures.
13 //===----------------------------------------------------------------------===//
15 #include "asan_errors.h"
16 #include "asan_descriptions.h"
17 #include "asan_mapping.h"
18 #include "asan_report.h"
19 #include "asan_stack.h"
20 #include "sanitizer_common/sanitizer_stackdepot.h"
24 static void OnStackUnwind(const SignalContext &sig,
25 const void *callback_context,
26 BufferedStackTrace *stack) {
27 bool fast = common_flags()->fast_unwind_on_fatal;
28 #if SANITIZER_FREEBSD || SANITIZER_NETBSD
29 // On FreeBSD the slow unwinding that leverages _Unwind_Backtrace()
30 // yields the call stack of the signal's handler and not of the code
31 // that raised the signal (as it does on Linux).
34 // Tests and maybe some users expect that scariness is going to be printed
35 // just before the stack. As only asan has scariness score we have no
36 // corresponding code in the sanitizer_common and we use this callback to
38 static_cast<const ScarinessScoreBase *>(callback_context)->Print();
39 GetStackTrace(stack, kStackTraceMax, sig.pc, sig.bp, sig.context, fast);
42 void ErrorDeadlySignal::Print() {
43 ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness);
46 void ErrorDoubleFree::Print() {
48 Printf("%s", d.Error());
50 "ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n",
51 scariness.GetDescription(), addr_description.addr,
52 AsanThreadIdAndName(tid).c_str());
53 Printf("%s", d.Default());
55 GET_STACK_TRACE_FATAL(second_free_stack->trace[0],
56 second_free_stack->top_frame_bp);
58 addr_description.Print();
59 ReportErrorSummary(scariness.GetDescription(), &stack);
62 void ErrorNewDeleteTypeMismatch::Print() {
64 Printf("%s", d.Error());
66 "ERROR: AddressSanitizer: %s on %p in thread %s:\n",
67 scariness.GetDescription(), addr_description.addr,
68 AsanThreadIdAndName(tid).c_str());
69 Printf("%s object passed to delete has wrong type:\n", d.Default());
70 if (delete_size != 0) {
72 " size of the allocated type: %zd bytes;\n"
73 " size of the deallocated type: %zd bytes.\n",
74 addr_description.chunk_access.chunk_size, delete_size);
76 const uptr user_alignment =
77 addr_description.chunk_access.user_requested_alignment;
78 if (delete_alignment != user_alignment) {
79 char user_alignment_str[32];
80 char delete_alignment_str[32];
81 internal_snprintf(user_alignment_str, sizeof(user_alignment_str),
82 "%zd bytes", user_alignment);
83 internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str),
84 "%zd bytes", delete_alignment);
85 static const char *kDefaultAlignment = "default-aligned";
87 " alignment of the allocated type: %s;\n"
88 " alignment of the deallocated type: %s.\n",
89 user_alignment > 0 ? user_alignment_str : kDefaultAlignment,
90 delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment);
92 CHECK_GT(free_stack->size, 0);
94 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
96 addr_description.Print();
97 ReportErrorSummary(scariness.GetDescription(), &stack);
99 "HINT: if you don't care about these errors you may set "
100 "ASAN_OPTIONS=new_delete_type_mismatch=0\n");
103 void ErrorFreeNotMalloced::Print() {
105 Printf("%s", d.Error());
107 "ERROR: AddressSanitizer: attempting free on address "
108 "which was not malloc()-ed: %p in thread %s\n",
109 addr_description.Address(), AsanThreadIdAndName(tid).c_str());
110 Printf("%s", d.Default());
111 CHECK_GT(free_stack->size, 0);
113 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
115 addr_description.Print();
116 ReportErrorSummary(scariness.GetDescription(), &stack);
119 void ErrorAllocTypeMismatch::Print() {
120 static const char *alloc_names[] = {"INVALID", "malloc", "operator new",
122 static const char *dealloc_names[] = {"INVALID", "free", "operator delete",
123 "operator delete []"};
124 CHECK_NE(alloc_type, dealloc_type);
126 Printf("%s", d.Error());
127 Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n",
128 scariness.GetDescription(),
129 alloc_names[alloc_type], dealloc_names[dealloc_type],
130 addr_description.addr);
131 Printf("%s", d.Default());
132 CHECK_GT(dealloc_stack->size, 0);
134 GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp);
136 addr_description.Print();
137 ReportErrorSummary(scariness.GetDescription(), &stack);
139 "HINT: if you don't care about these errors you may set "
140 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n");
143 void ErrorMallocUsableSizeNotOwned::Print() {
145 Printf("%s", d.Error());
147 "ERROR: AddressSanitizer: attempting to call malloc_usable_size() for "
148 "pointer which is not owned: %p\n",
149 addr_description.Address());
150 Printf("%s", d.Default());
152 addr_description.Print();
153 ReportErrorSummary(scariness.GetDescription(), stack);
156 void ErrorSanitizerGetAllocatedSizeNotOwned::Print() {
158 Printf("%s", d.Error());
160 "ERROR: AddressSanitizer: attempting to call "
161 "__sanitizer_get_allocated_size() for pointer which is not owned: %p\n",
162 addr_description.Address());
163 Printf("%s", d.Default());
165 addr_description.Print();
166 ReportErrorSummary(scariness.GetDescription(), stack);
169 void ErrorCallocOverflow::Print() {
171 Printf("%s", d.Error());
173 "ERROR: AddressSanitizer: calloc parameters overflow: count * size "
174 "(%zd * %zd) cannot be represented in type size_t (thread %s)\n",
175 count, size, AsanThreadIdAndName(tid).c_str());
176 Printf("%s", d.Default());
178 PrintHintAllocatorCannotReturnNull();
179 ReportErrorSummary(scariness.GetDescription(), stack);
182 void ErrorPvallocOverflow::Print() {
184 Printf("%s", d.Error());
186 "ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx "
187 "rounded up to system page size 0x%zx cannot be represented in type "
188 "size_t (thread %s)\n",
189 size, GetPageSizeCached(), AsanThreadIdAndName(tid).c_str());
190 Printf("%s", d.Default());
192 PrintHintAllocatorCannotReturnNull();
193 ReportErrorSummary(scariness.GetDescription(), stack);
196 void ErrorInvalidAllocationAlignment::Print() {
198 Printf("%s", d.Error());
200 "ERROR: AddressSanitizer: invalid allocation alignment: %zd, "
201 "alignment must be a power of two (thread %s)\n",
202 alignment, AsanThreadIdAndName(tid).c_str());
203 Printf("%s", d.Default());
205 PrintHintAllocatorCannotReturnNull();
206 ReportErrorSummary(scariness.GetDescription(), stack);
209 void ErrorInvalidAlignedAllocAlignment::Print() {
211 Printf("%s", d.Error());
213 Report("ERROR: AddressSanitizer: invalid alignment requested in "
214 "aligned_alloc: %zd, alignment must be a power of two and the "
215 "requested size 0x%zx must be a multiple of alignment "
216 "(thread %s)\n", alignment, size, AsanThreadIdAndName(tid).c_str());
218 Report("ERROR: AddressSanitizer: invalid alignment requested in "
219 "aligned_alloc: %zd, the requested size 0x%zx must be a multiple of "
220 "alignment (thread %s)\n", alignment, size,
221 AsanThreadIdAndName(tid).c_str());
223 Printf("%s", d.Default());
225 PrintHintAllocatorCannotReturnNull();
226 ReportErrorSummary(scariness.GetDescription(), stack);
229 void ErrorInvalidPosixMemalignAlignment::Print() {
231 Printf("%s", d.Error());
233 "ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: "
234 "%zd, alignment must be a power of two and a multiple of sizeof(void*) "
235 "== %zd (thread %s)\n",
236 alignment, sizeof(void*), AsanThreadIdAndName(tid).c_str()); // NOLINT
237 Printf("%s", d.Default());
239 PrintHintAllocatorCannotReturnNull();
240 ReportErrorSummary(scariness.GetDescription(), stack);
243 void ErrorAllocationSizeTooBig::Print() {
245 Printf("%s", d.Error());
247 "ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after "
248 "adjustments for alignment, red zones etc.) exceeds maximum supported "
249 "size of 0x%zx (thread %s)\n",
250 user_size, total_size, max_size, AsanThreadIdAndName(tid).c_str());
251 Printf("%s", d.Default());
253 PrintHintAllocatorCannotReturnNull();
254 ReportErrorSummary(scariness.GetDescription(), stack);
257 void ErrorRssLimitExceeded::Print() {
259 Printf("%s", d.Error());
261 "ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to "
262 "soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb);
263 Printf("%s", d.Default());
265 PrintHintAllocatorCannotReturnNull();
266 ReportErrorSummary(scariness.GetDescription(), stack);
269 void ErrorOutOfMemory::Print() {
271 Printf("%s", d.Error());
273 "ERROR: AddressSanitizer: allocator is out of memory trying to allocate "
274 "0x%zx bytes\n", requested_size);
275 Printf("%s", d.Default());
277 PrintHintAllocatorCannotReturnNull();
278 ReportErrorSummary(scariness.GetDescription(), stack);
281 void ErrorStringFunctionMemoryRangesOverlap::Print() {
284 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function);
285 Printf("%s", d.Error());
287 "ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) "
289 bug_type, addr1_description.Address(),
290 addr1_description.Address() + length1, addr2_description.Address(),
291 addr2_description.Address() + length2);
292 Printf("%s", d.Default());
295 addr1_description.Print();
296 addr2_description.Print();
297 ReportErrorSummary(bug_type, stack);
300 void ErrorStringFunctionSizeOverflow::Print() {
302 Printf("%s", d.Error());
303 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n",
304 scariness.GetDescription(), size);
305 Printf("%s", d.Default());
308 addr_description.Print();
309 ReportErrorSummary(scariness.GetDescription(), stack);
312 void ErrorBadParamsToAnnotateContiguousContainer::Print() {
314 "ERROR: AddressSanitizer: bad parameters to "
315 "__sanitizer_annotate_contiguous_container:\n"
320 beg, end, old_mid, new_mid);
321 uptr granularity = SHADOW_GRANULARITY;
322 if (!IsAligned(beg, granularity))
323 Report("ERROR: beg is not aligned by %d\n", granularity);
325 ReportErrorSummary(scariness.GetDescription(), stack);
328 void ErrorODRViolation::Print() {
330 Printf("%s", d.Error());
331 Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(),
333 Printf("%s", d.Default());
334 InternalScopedString g1_loc(256), g2_loc(256);
335 PrintGlobalLocation(&g1_loc, global1);
336 PrintGlobalLocation(&g2_loc, global2);
337 Printf(" [1] size=%zd '%s' %s\n", global1.size,
338 MaybeDemangleGlobalName(global1.name), g1_loc.data());
339 Printf(" [2] size=%zd '%s' %s\n", global2.size,
340 MaybeDemangleGlobalName(global2.name), g2_loc.data());
341 if (stack_id1 && stack_id2) {
342 Printf("These globals were registered at these points:\n");
344 StackDepotGet(stack_id1).Print();
346 StackDepotGet(stack_id2).Print();
349 "HINT: if you don't care about these errors you may set "
350 "ASAN_OPTIONS=detect_odr_violation=0\n");
351 InternalScopedString error_msg(256);
352 error_msg.append("%s: global '%s' at %s", scariness.GetDescription(),
353 MaybeDemangleGlobalName(global1.name), g1_loc.data());
354 ReportErrorSummary(error_msg.data());
357 void ErrorInvalidPointerPair::Print() {
359 Printf("%s", d.Error());
360 Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(),
361 addr1_description.Address(), addr2_description.Address());
362 Printf("%s", d.Default());
363 GET_STACK_TRACE_FATAL(pc, bp);
365 addr1_description.Print();
366 addr2_description.Print();
367 ReportErrorSummary(scariness.GetDescription(), &stack);
370 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
371 return s[-1] > 127 && s[1] > 127;
374 ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr,
375 bool is_write_, uptr access_size_)
377 addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false),
381 access_size(access_size_),
386 if (access_size <= 9) {
387 char desr[] = "?-byte";
388 desr[0] = '0' + access_size;
389 scariness.Scare(access_size + access_size / 2, desr);
390 } else if (access_size >= 10) {
391 scariness.Scare(15, "multi-byte");
393 is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read");
395 // Determine the error type.
396 bug_descr = "unknown-crash";
397 if (AddrIsInMem(addr)) {
398 u8 *shadow_addr = (u8 *)MemToShadow(addr);
399 // If we are accessing 16 bytes, look at the second shadow byte.
400 if (*shadow_addr == 0 && access_size > SHADOW_GRANULARITY) shadow_addr++;
401 // If we are in the partial right redzone, look at the next shadow byte.
402 if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++;
403 bool far_from_bounds = false;
404 shadow_val = *shadow_addr;
405 int bug_type_score = 0;
406 // For use-after-frees reads are almost as bad as writes.
407 int read_after_free_bonus = 0;
408 switch (shadow_val) {
409 case kAsanHeapLeftRedzoneMagic:
410 case kAsanArrayCookieMagic:
411 bug_descr = "heap-buffer-overflow";
413 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
415 case kAsanHeapFreeMagic:
416 bug_descr = "heap-use-after-free";
418 if (!is_write) read_after_free_bonus = 18;
420 case kAsanStackLeftRedzoneMagic:
421 bug_descr = "stack-buffer-underflow";
423 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
425 case kAsanInitializationOrderMagic:
426 bug_descr = "initialization-order-fiasco";
429 case kAsanStackMidRedzoneMagic:
430 case kAsanStackRightRedzoneMagic:
431 bug_descr = "stack-buffer-overflow";
433 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
435 case kAsanStackAfterReturnMagic:
436 bug_descr = "stack-use-after-return";
438 if (!is_write) read_after_free_bonus = 18;
440 case kAsanUserPoisonedMemoryMagic:
441 bug_descr = "use-after-poison";
444 case kAsanContiguousContainerOOBMagic:
445 bug_descr = "container-overflow";
448 case kAsanStackUseAfterScopeMagic:
449 bug_descr = "stack-use-after-scope";
452 case kAsanGlobalRedzoneMagic:
453 bug_descr = "global-buffer-overflow";
455 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
457 case kAsanIntraObjectRedzone:
458 bug_descr = "intra-object-overflow";
461 case kAsanAllocaLeftMagic:
462 case kAsanAllocaRightMagic:
463 bug_descr = "dynamic-stack-buffer-overflow";
465 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
468 scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr);
469 if (far_from_bounds) scariness.Scare(10, "far-from-bounds");
474 static void PrintContainerOverflowHint() {
475 Printf("HINT: if you don't care about these errors you may set "
476 "ASAN_OPTIONS=detect_container_overflow=0.\n"
477 "If you suspect a false positive see also: "
478 "https://github.com/google/sanitizers/wiki/"
479 "AddressSanitizerContainerOverflow.\n");
482 static void PrintShadowByte(InternalScopedString *str, const char *before,
483 u8 byte, const char *after = "\n") {
484 PrintMemoryByte(str, before, byte, /*in_shadow*/true, after);
487 static void PrintLegend(InternalScopedString *str) {
489 "Shadow byte legend (one shadow byte represents %d "
490 "application bytes):\n",
491 (int)SHADOW_GRANULARITY);
492 PrintShadowByte(str, " Addressable: ", 0);
493 str->append(" Partially addressable: ");
494 for (u8 i = 1; i < SHADOW_GRANULARITY; i++) PrintShadowByte(str, "", i, " ");
496 PrintShadowByte(str, " Heap left redzone: ",
497 kAsanHeapLeftRedzoneMagic);
498 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic);
499 PrintShadowByte(str, " Stack left redzone: ",
500 kAsanStackLeftRedzoneMagic);
501 PrintShadowByte(str, " Stack mid redzone: ",
502 kAsanStackMidRedzoneMagic);
503 PrintShadowByte(str, " Stack right redzone: ",
504 kAsanStackRightRedzoneMagic);
505 PrintShadowByte(str, " Stack after return: ",
506 kAsanStackAfterReturnMagic);
507 PrintShadowByte(str, " Stack use after scope: ",
508 kAsanStackUseAfterScopeMagic);
509 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic);
510 PrintShadowByte(str, " Global init order: ",
511 kAsanInitializationOrderMagic);
512 PrintShadowByte(str, " Poisoned by user: ",
513 kAsanUserPoisonedMemoryMagic);
514 PrintShadowByte(str, " Container overflow: ",
515 kAsanContiguousContainerOOBMagic);
516 PrintShadowByte(str, " Array cookie: ",
517 kAsanArrayCookieMagic);
518 PrintShadowByte(str, " Intra object redzone: ",
519 kAsanIntraObjectRedzone);
520 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic);
521 PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic);
522 PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic);
523 PrintShadowByte(str, " Shadow gap: ", kAsanShadowGap);
526 static void PrintShadowBytes(InternalScopedString *str, const char *before,
527 u8 *bytes, u8 *guilty, uptr n) {
529 if (before) str->append("%s%p:", before, bytes);
530 for (uptr i = 0; i < n; i++) {
533 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " ";
534 const char *after = p == guilty ? "]" : "";
535 PrintShadowByte(str, before, *p, after);
540 static void PrintShadowMemoryForAddress(uptr addr) {
541 if (!AddrIsInMem(addr)) return;
542 uptr shadow_addr = MemToShadow(addr);
543 const uptr n_bytes_per_row = 16;
544 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1);
545 InternalScopedString str(4096 * 8);
546 str.append("Shadow bytes around the buggy address:\n");
547 for (int i = -5; i <= 5; i++) {
548 uptr row_shadow_addr = aligned_shadow + i * n_bytes_per_row;
549 // Skip rows that would be outside the shadow range. This can happen when
550 // the user address is near the bottom, top, or shadow gap of the address
552 if (!AddrIsInShadow(row_shadow_addr)) continue;
553 const char *prefix = (i == 0) ? "=>" : " ";
554 PrintShadowBytes(&str, prefix, (u8 *)row_shadow_addr, (u8 *)shadow_addr,
557 if (flags()->print_legend) PrintLegend(&str);
558 Printf("%s", str.data());
561 void ErrorGeneric::Print() {
563 Printf("%s", d.Error());
564 uptr addr = addr_description.Address();
565 Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n",
566 bug_descr, (void *)addr, pc, bp, sp);
567 Printf("%s", d.Default());
569 Printf("%s%s of size %zu at %p thread %s%s\n", d.Access(),
570 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size,
571 (void *)addr, AsanThreadIdAndName(tid).c_str(), d.Default());
574 GET_STACK_TRACE_FATAL(pc, bp);
577 // Pass bug_descr because we have a special case for
578 // initialization-order-fiasco
579 addr_description.Print(bug_descr);
580 if (shadow_val == kAsanContiguousContainerOOBMagic)
581 PrintContainerOverflowHint();
582 ReportErrorSummary(bug_descr, &stack);
583 PrintShadowMemoryForAddress(addr);
586 } // namespace __asan