diff options
| -rw-r--r-- | compiler-rt/lib/asan/asan_report.cc | 15 | ||||
| -rw-r--r-- | compiler-rt/lib/sanitizer_common/sanitizer_common.h | 19 | ||||
| -rw-r--r-- | compiler-rt/lib/sanitizer_common/sanitizer_linux.cc | 49 | ||||
| -rw-r--r-- | compiler-rt/lib/sanitizer_common/sanitizer_mac.cc | 4 | ||||
| -rw-r--r-- | compiler-rt/lib/sanitizer_common/sanitizer_posix.cc | 6 | ||||
| -rw-r--r-- | compiler-rt/test/asan/TestCases/Linux/segv_read_write.c | 16 |
6 files changed, 84 insertions, 25 deletions
diff --git a/compiler-rt/lib/asan/asan_report.cc b/compiler-rt/lib/asan/asan_report.cc index ad031b00dc7..f912336c21d 100644 --- a/compiler-rt/lib/asan/asan_report.cc +++ b/compiler-rt/lib/asan/asan_report.cc @@ -755,7 +755,7 @@ void ReportStackOverflow(const SignalContext &sig) { } void ReportDeadlySignal(const char *description, const SignalContext &sig) { - ScopedInErrorReport in_report(/*report*/nullptr, /*fatal*/true); + ScopedInErrorReport in_report(/*report*/ nullptr, /*fatal*/ true); Decorator d; Printf("%s", d.Warning()); Report( @@ -768,17 +768,22 @@ void ReportDeadlySignal(const char *description, const SignalContext &sig) { if (sig.pc < GetPageSizeCached()) Report("Hint: pc points to the zero page.\n"); if (sig.is_memory_access) { - Report("The signal is caused by a %s memory access.\n", - sig.is_write ? "WRITE" : "READ"); + const char *access_type = + sig.write_flag == SignalContext::WRITE + ? "WRITE" + : (sig.write_flag == SignalContext::READ ? "READ" : "UNKNOWN"); + Report("The signal is caused by a %s memory access.\n", access_type); if (sig.addr < GetPageSizeCached()) { Report("Hint: address points to the zero page.\n"); SS.Scare(10, "null-deref"); } else if (sig.addr == sig.pc) { SS.Scare(60, "wild-jump"); - } else if (sig.is_write) { + } else if (sig.write_flag == SignalContext::WRITE) { SS.Scare(30, "wild-addr-write"); - } else { + } else if (sig.write_flag == SignalContext::READ) { SS.Scare(20, "wild-addr-read"); + } else { + SS.Scare(25, "wild-addr"); } } else { SS.Scare(10, "signal"); diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_common.h b/compiler-rt/lib/sanitizer_common/sanitizer_common.h index 67ec76457a1..29e8372dc15 100644 --- a/compiler-rt/lib/sanitizer_common/sanitizer_common.h +++ b/compiler-rt/lib/sanitizer_common/sanitizer_common.h @@ -750,19 +750,26 @@ struct SignalContext { uptr sp; uptr bp; bool is_memory_access; - bool is_write; + + enum WriteFlag { UNKNOWN, READ, WRITE } write_flag; SignalContext(void *context, uptr addr, uptr pc, uptr sp, uptr bp, - bool is_memory_access, bool is_write) - : context(context), addr(addr), pc(pc), sp(sp), bp(bp), - is_memory_access(is_memory_access), is_write(is_write) {} + bool is_memory_access, WriteFlag write_flag) + : context(context), + addr(addr), + pc(pc), + sp(sp), + bp(bp), + is_memory_access(is_memory_access), + write_flag(write_flag) {} // Creates signal context in a platform-specific manner. static SignalContext Create(void *siginfo, void *context); + + // Returns true if the "context" indicates a memory write. + static WriteFlag GetWriteFlag(void *context); }; -// Returns true if the "context" indicates a memory write. -bool GetSigContextWriteFlag(void *context); void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp); void DisableReexec(); diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_linux.cc b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cc index f4c3c3cd62f..d054ed05e3f 100644 --- a/compiler-rt/lib/sanitizer_common/sanitizer_linux.cc +++ b/compiler-rt/lib/sanitizer_common/sanitizer_linux.cc @@ -1155,16 +1155,55 @@ void *internal_start_thread(void (*func)(void *), void *arg) { return 0; } void internal_join_thread(void *th) {} #endif -bool GetSigContextWriteFlag(void *context) { +#if defined(__aarch64__) +// Android headers in the older NDK releases miss this definition. +struct __sanitizer_esr_context { + struct _aarch64_ctx head; + uint64_t esr; +}; + +static bool Aarch64GetESR(ucontext_t *ucontext, u64 *esr) { + static const u32 kEsrMagic = 0x45535201; + u8 *aux = ucontext->uc_mcontext.__reserved; + while (true) { + _aarch64_ctx *ctx = (_aarch64_ctx *)aux; + if (ctx->size == 0) break; + Printf("ctx magic %x\n", ctx->magic); + if (ctx->magic == kEsrMagic) { + *esr = ((__sanitizer_esr_context *)ctx)->esr; + return true; + } + aux += ctx->size; + } + return false; +} +#endif + +SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) { + ucontext_t *ucontext = (ucontext_t *)context; #if defined(__x86_64__) || defined(__i386__) - ucontext_t *ucontext = (ucontext_t*)context; + static const uptr PF_WRITE = 1U << 1; #if SANITIZER_FREEBSD - return ucontext->uc_mcontext.mc_err & 2; + uptr err = ucontext->uc_mcontext.mc_err; #else - return ucontext->uc_mcontext.gregs[REG_ERR] & 2; + uptr err = ucontext->uc_mcontext.gregs[REG_ERR]; #endif + return err & PF_WRITE ? WRITE : READ; +#elif defined(__arm__) + static const uptr FSR_WRITE = 1U << 11; + uptr fsr = ucontext->uc_mcontext.error_code; + // FSR bits 5:0 describe the abort type, and are never 0 (or so it seems). + // Zero FSR indicates an older kernel that does not pass this information to + // the userspace. + if (fsr == 0) return UNKNOWN; + return fsr & FSR_WRITE ? WRITE : READ; +#elif defined(__aarch64__) + static const u64 ESR_ELx_WNR = 1U << 6; + u64 esr; + if (!Aarch64GetESR(ucontext, &esr)) return UNKNOWN; + return esr & ESR_ELx_WNR ? WRITE : READ; #else - return false; // FIXME: Implement. + return UNKNOWN; // FIXME: Implement. #endif } diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc index 632bc7b9373..becd831841f 100644 --- a/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc +++ b/compiler-rt/lib/sanitizer_common/sanitizer_mac.cc @@ -491,8 +491,8 @@ void LogFullErrorReport(const char *buffer) { // The report is added to CrashLog as part of logging all of Printf output. } -bool GetSigContextWriteFlag(void *context) { - return false; // FIXME: implement this. +SignalContext::WriteFlag SignalContext::GetWriteFlag(void *context) { + return UNKNOWN; // FIXME: implement this. } void GetPcSpBp(void *context, uptr *pc, uptr *sp, uptr *bp) { diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc b/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc index e8e9017033f..a383b215886 100644 --- a/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc +++ b/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc @@ -323,13 +323,13 @@ bool GetCodeRangeForFile(const char *module, uptr *start, uptr *end) { } SignalContext SignalContext::Create(void *siginfo, void *context) { - auto si = (siginfo_t*)siginfo; + auto si = (siginfo_t *)siginfo; uptr addr = (uptr)si->si_addr; uptr pc, sp, bp; GetPcSpBp(context, &pc, &sp, &bp); - bool is_write = GetSigContextWriteFlag(context); + WriteFlag write_flag = GetWriteFlag(context); bool is_memory_access = si->si_signo == SIGSEGV; - return SignalContext(context, addr, pc, sp, bp, is_memory_access, is_write); + return SignalContext(context, addr, pc, sp, bp, is_memory_access, write_flag); } } // namespace __sanitizer diff --git a/compiler-rt/test/asan/TestCases/Linux/segv_read_write.c b/compiler-rt/test/asan/TestCases/Linux/segv_read_write.c index db6726cd374..d5a62c66db3 100644 --- a/compiler-rt/test/asan/TestCases/Linux/segv_read_write.c +++ b/compiler-rt/test/asan/TestCases/Linux/segv_read_write.c @@ -1,16 +1,24 @@ -// RUN: %clangxx_asan -O0 %s -o %t +// RUN: %clangxx_asan -std=c++11 -O0 %s -o %t // RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=READ // RUN: not %run %t write 2>&1 | FileCheck %s --check-prefix=WRITE -// REQUIRES: x86_64-supported-target +// UNSUPPORTED: powerpc64,mips + +#include <sys/mman.h> static volatile int sink; __attribute__((noinline)) void Read(int *ptr) { sink = *ptr; } __attribute__((noinline)) void Write(int *ptr) { *ptr = 0; } int main(int argc, char **argv) { + // Writes to shadow are detected as reads from shadow gap (because of how the + // shadow mapping works). This is kinda hard to fix. Test a random address in + // the application part of the address space. + void *volatile p = + mmap(nullptr, 4096, PROT_READ, MAP_PRIVATE | MAP_ANONYMOUS, 0, 0); + munmap(p, 4096); if (argc == 1) - Read((int *)0); + Read((int *)p); else - Write((int *)0); + Write((int *)p); } // READ: AddressSanitizer: SEGV on unknown address // READ: The signal is caused by a READ memory access. |
