1 //===-- asan_errors.cpp -----------------------------------------*- C++ -*-===// 2 // 3 // Part of the LLVM Project, under the Apache License v2.0 with LLVM Exceptions. 4 // See https://llvm.org/LICENSE.txt for license information. 5 // SPDX-License-Identifier: Apache-2.0 WITH LLVM-exception 6 // 7 //===----------------------------------------------------------------------===// 8 // 9 // This file is a part of AddressSanitizer, an address sanity checker. 10 // 11 // ASan implementation for error structures. 12 //===----------------------------------------------------------------------===// 13 14 #include "asan_errors.h" 15 #include "asan_descriptions.h" 16 #include "asan_mapping.h" 17 #include "asan_report.h" 18 #include "asan_stack.h" 19 #include "sanitizer_common/sanitizer_stackdepot.h" 20 21 namespace __asan { 22 23 static void OnStackUnwind(const SignalContext &sig, 24 const void *callback_context, 25 BufferedStackTrace *stack) { 26 bool fast = common_flags()->fast_unwind_on_fatal; 27 #if SANITIZER_FREEBSD || SANITIZER_NETBSD 28 // On FreeBSD the slow unwinding that leverages _Unwind_Backtrace() 29 // yields the call stack of the signal's handler and not of the code 30 // that raised the signal (as it does on Linux). 31 fast = true; 32 #endif 33 // Tests and maybe some users expect that scariness is going to be printed 34 // just before the stack. As only asan has scariness score we have no 35 // corresponding code in the sanitizer_common and we use this callback to 36 // print it. 37 static_cast<const ScarinessScoreBase *>(callback_context)->Print(); 38 stack->Unwind(StackTrace::GetNextInstructionPc(sig.pc), sig.bp, sig.context, 39 fast); 40 } 41 42 void ErrorDeadlySignal::Print() { 43 ReportDeadlySignal(signal, tid, &OnStackUnwind, &scariness); 44 } 45 46 void ErrorDoubleFree::Print() { 47 Decorator d; 48 Printf("%s", d.Error()); 49 Report("ERROR: AddressSanitizer: attempting %s on %p in thread %s:\n", 50 scariness.GetDescription(), (void *)addr_description.addr, 51 AsanThreadIdAndName(tid).c_str()); 52 Printf("%s", d.Default()); 53 scariness.Print(); 54 GET_STACK_TRACE_FATAL(second_free_stack->trace[0], 55 second_free_stack->top_frame_bp); 56 stack.Print(); 57 addr_description.Print(); 58 ReportErrorSummary(scariness.GetDescription(), &stack); 59 } 60 61 void ErrorNewDeleteTypeMismatch::Print() { 62 Decorator d; 63 Printf("%s", d.Error()); 64 Report("ERROR: AddressSanitizer: %s on %p in thread %s:\n", 65 scariness.GetDescription(), (void *)addr_description.addr, 66 AsanThreadIdAndName(tid).c_str()); 67 Printf("%s object passed to delete has wrong type:\n", d.Default()); 68 if (delete_size != 0) { 69 Printf( 70 " size of the allocated type: %zd bytes;\n" 71 " size of the deallocated type: %zd bytes.\n", 72 addr_description.chunk_access.chunk_size, delete_size); 73 } 74 const uptr user_alignment = 75 addr_description.chunk_access.user_requested_alignment; 76 if (delete_alignment != user_alignment) { 77 char user_alignment_str[32]; 78 char delete_alignment_str[32]; 79 internal_snprintf(user_alignment_str, sizeof(user_alignment_str), 80 "%zd bytes", user_alignment); 81 internal_snprintf(delete_alignment_str, sizeof(delete_alignment_str), 82 "%zd bytes", delete_alignment); 83 static const char *kDefaultAlignment = "default-aligned"; 84 Printf( 85 " alignment of the allocated type: %s;\n" 86 " alignment of the deallocated type: %s.\n", 87 user_alignment > 0 ? user_alignment_str : kDefaultAlignment, 88 delete_alignment > 0 ? delete_alignment_str : kDefaultAlignment); 89 } 90 CHECK_GT(free_stack->size, 0); 91 scariness.Print(); 92 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp); 93 stack.Print(); 94 addr_description.Print(); 95 ReportErrorSummary(scariness.GetDescription(), &stack); 96 Report( 97 "HINT: if you don't care about these errors you may set " 98 "ASAN_OPTIONS=new_delete_type_mismatch=0\n"); 99 } 100 101 void ErrorFreeNotMalloced::Print() { 102 Decorator d; 103 Printf("%s", d.Error()); 104 Report( 105 "ERROR: AddressSanitizer: attempting free on address " 106 "which was not malloc()-ed: %p in thread %s\n", 107 (void *)addr_description.Address(), AsanThreadIdAndName(tid).c_str()); 108 Printf("%s", d.Default()); 109 CHECK_GT(free_stack->size, 0); 110 scariness.Print(); 111 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp); 112 stack.Print(); 113 addr_description.Print(); 114 ReportErrorSummary(scariness.GetDescription(), &stack); 115 } 116 117 void ErrorAllocTypeMismatch::Print() { 118 static const char *alloc_names[] = {"INVALID", "malloc", "operator new", 119 "operator new []"}; 120 static const char *dealloc_names[] = {"INVALID", "free", "operator delete", 121 "operator delete []"}; 122 CHECK_NE(alloc_type, dealloc_type); 123 Decorator d; 124 Printf("%s", d.Error()); 125 Report("ERROR: AddressSanitizer: %s (%s vs %s) on %p\n", 126 scariness.GetDescription(), alloc_names[alloc_type], 127 dealloc_names[dealloc_type], (void *)addr_description.Address()); 128 Printf("%s", d.Default()); 129 CHECK_GT(dealloc_stack->size, 0); 130 scariness.Print(); 131 GET_STACK_TRACE_FATAL(dealloc_stack->trace[0], dealloc_stack->top_frame_bp); 132 stack.Print(); 133 addr_description.Print(); 134 ReportErrorSummary(scariness.GetDescription(), &stack); 135 Report( 136 "HINT: if you don't care about these errors you may set " 137 "ASAN_OPTIONS=alloc_dealloc_mismatch=0\n"); 138 } 139 140 void ErrorMallocUsableSizeNotOwned::Print() { 141 Decorator d; 142 Printf("%s", d.Error()); 143 Report( 144 "ERROR: AddressSanitizer: attempting to call malloc_usable_size() for " 145 "pointer which is not owned: %p\n", 146 (void *)addr_description.Address()); 147 Printf("%s", d.Default()); 148 stack->Print(); 149 addr_description.Print(); 150 ReportErrorSummary(scariness.GetDescription(), stack); 151 } 152 153 void ErrorSanitizerGetAllocatedSizeNotOwned::Print() { 154 Decorator d; 155 Printf("%s", d.Error()); 156 Report( 157 "ERROR: AddressSanitizer: attempting to call " 158 "__sanitizer_get_allocated_size() for pointer which is not owned: %p\n", 159 (void *)addr_description.Address()); 160 Printf("%s", d.Default()); 161 stack->Print(); 162 addr_description.Print(); 163 ReportErrorSummary(scariness.GetDescription(), stack); 164 } 165 166 void ErrorCallocOverflow::Print() { 167 Decorator d; 168 Printf("%s", d.Error()); 169 Report( 170 "ERROR: AddressSanitizer: calloc parameters overflow: count * size " 171 "(%zd * %zd) cannot be represented in type size_t (thread %s)\n", 172 count, size, AsanThreadIdAndName(tid).c_str()); 173 Printf("%s", d.Default()); 174 stack->Print(); 175 PrintHintAllocatorCannotReturnNull(); 176 ReportErrorSummary(scariness.GetDescription(), stack); 177 } 178 179 void ErrorReallocArrayOverflow::Print() { 180 Decorator d; 181 Printf("%s", d.Error()); 182 Report( 183 "ERROR: AddressSanitizer: reallocarray parameters overflow: count * size " 184 "(%zd * %zd) cannot be represented in type size_t (thread %s)\n", 185 count, size, AsanThreadIdAndName(tid).c_str()); 186 Printf("%s", d.Default()); 187 stack->Print(); 188 PrintHintAllocatorCannotReturnNull(); 189 ReportErrorSummary(scariness.GetDescription(), stack); 190 } 191 192 void ErrorPvallocOverflow::Print() { 193 Decorator d; 194 Printf("%s", d.Error()); 195 Report( 196 "ERROR: AddressSanitizer: pvalloc parameters overflow: size 0x%zx " 197 "rounded up to system page size 0x%zx cannot be represented in type " 198 "size_t (thread %s)\n", 199 size, GetPageSizeCached(), AsanThreadIdAndName(tid).c_str()); 200 Printf("%s", d.Default()); 201 stack->Print(); 202 PrintHintAllocatorCannotReturnNull(); 203 ReportErrorSummary(scariness.GetDescription(), stack); 204 } 205 206 void ErrorInvalidAllocationAlignment::Print() { 207 Decorator d; 208 Printf("%s", d.Error()); 209 Report( 210 "ERROR: AddressSanitizer: invalid allocation alignment: %zd, " 211 "alignment must be a power of two (thread %s)\n", 212 alignment, AsanThreadIdAndName(tid).c_str()); 213 Printf("%s", d.Default()); 214 stack->Print(); 215 PrintHintAllocatorCannotReturnNull(); 216 ReportErrorSummary(scariness.GetDescription(), stack); 217 } 218 219 void ErrorInvalidAlignedAllocAlignment::Print() { 220 Decorator d; 221 Printf("%s", d.Error()); 222 #if SANITIZER_POSIX 223 Report("ERROR: AddressSanitizer: invalid alignment requested in " 224 "aligned_alloc: %zd, alignment must be a power of two and the " 225 "requested size 0x%zx must be a multiple of alignment " 226 "(thread %s)\n", alignment, size, AsanThreadIdAndName(tid).c_str()); 227 #else 228 Report("ERROR: AddressSanitizer: invalid alignment requested in " 229 "aligned_alloc: %zd, the requested size 0x%zx must be a multiple of " 230 "alignment (thread %s)\n", alignment, size, 231 AsanThreadIdAndName(tid).c_str()); 232 #endif 233 Printf("%s", d.Default()); 234 stack->Print(); 235 PrintHintAllocatorCannotReturnNull(); 236 ReportErrorSummary(scariness.GetDescription(), stack); 237 } 238 239 void ErrorInvalidPosixMemalignAlignment::Print() { 240 Decorator d; 241 Printf("%s", d.Error()); 242 Report( 243 "ERROR: AddressSanitizer: invalid alignment requested in posix_memalign: " 244 "%zd, alignment must be a power of two and a multiple of sizeof(void*) " 245 "== %zd (thread %s)\n", 246 alignment, sizeof(void *), AsanThreadIdAndName(tid).c_str()); 247 Printf("%s", d.Default()); 248 stack->Print(); 249 PrintHintAllocatorCannotReturnNull(); 250 ReportErrorSummary(scariness.GetDescription(), stack); 251 } 252 253 void ErrorAllocationSizeTooBig::Print() { 254 Decorator d; 255 Printf("%s", d.Error()); 256 Report( 257 "ERROR: AddressSanitizer: requested allocation size 0x%zx (0x%zx after " 258 "adjustments for alignment, red zones etc.) exceeds maximum supported " 259 "size of 0x%zx (thread %s)\n", 260 user_size, total_size, max_size, AsanThreadIdAndName(tid).c_str()); 261 Printf("%s", d.Default()); 262 stack->Print(); 263 PrintHintAllocatorCannotReturnNull(); 264 ReportErrorSummary(scariness.GetDescription(), stack); 265 } 266 267 void ErrorRssLimitExceeded::Print() { 268 Decorator d; 269 Printf("%s", d.Error()); 270 Report( 271 "ERROR: AddressSanitizer: specified RSS limit exceeded, currently set to " 272 "soft_rss_limit_mb=%zd\n", common_flags()->soft_rss_limit_mb); 273 Printf("%s", d.Default()); 274 stack->Print(); 275 PrintHintAllocatorCannotReturnNull(); 276 ReportErrorSummary(scariness.GetDescription(), stack); 277 } 278 279 void ErrorOutOfMemory::Print() { 280 Decorator d; 281 Printf("%s", d.Error()); 282 ERROR_OOM("allocator is trying to allocate 0x%zx bytes\n", requested_size); 283 Printf("%s", d.Default()); 284 stack->Print(); 285 PrintHintAllocatorCannotReturnNull(); 286 ReportErrorSummary(scariness.GetDescription(), stack); 287 } 288 289 void ErrorStringFunctionMemoryRangesOverlap::Print() { 290 Decorator d; 291 char bug_type[100]; 292 internal_snprintf(bug_type, sizeof(bug_type), "%s-param-overlap", function); 293 Printf("%s", d.Error()); 294 Report( 295 "ERROR: AddressSanitizer: %s: memory ranges [%p,%p) and [%p, %p) " 296 "overlap\n", 297 bug_type, (void *)addr1_description.Address(), 298 (void *)(addr1_description.Address() + length1), 299 (void *)addr2_description.Address(), 300 (void *)(addr2_description.Address() + length2)); 301 Printf("%s", d.Default()); 302 scariness.Print(); 303 stack->Print(); 304 addr1_description.Print(); 305 addr2_description.Print(); 306 ReportErrorSummary(bug_type, stack); 307 } 308 309 void ErrorStringFunctionSizeOverflow::Print() { 310 Decorator d; 311 Printf("%s", d.Error()); 312 Report("ERROR: AddressSanitizer: %s: (size=%zd)\n", 313 scariness.GetDescription(), size); 314 Printf("%s", d.Default()); 315 scariness.Print(); 316 stack->Print(); 317 addr_description.Print(); 318 ReportErrorSummary(scariness.GetDescription(), stack); 319 } 320 321 void ErrorBadParamsToAnnotateContiguousContainer::Print() { 322 Report( 323 "ERROR: AddressSanitizer: bad parameters to " 324 "__sanitizer_annotate_contiguous_container:\n" 325 " beg : %p\n" 326 " end : %p\n" 327 " old_mid : %p\n" 328 " new_mid : %p\n", 329 (void *)beg, (void *)end, (void *)old_mid, (void *)new_mid); 330 stack->Print(); 331 ReportErrorSummary(scariness.GetDescription(), stack); 332 } 333 334 void ErrorBadParamsToAnnotateDoubleEndedContiguousContainer::Print() { 335 Report( 336 "ERROR: AddressSanitizer: bad parameters to " 337 "__sanitizer_annotate_double_ended_contiguous_container:\n" 338 " storage_beg : %p\n" 339 " storage_end : %p\n" 340 " old_container_beg : %p\n" 341 " old_container_end : %p\n" 342 " new_container_beg : %p\n" 343 " new_container_end : %p\n", 344 (void *)storage_beg, (void *)storage_end, (void *)old_container_beg, 345 (void *)old_container_end, (void *)new_container_beg, 346 (void *)new_container_end); 347 stack->Print(); 348 ReportErrorSummary(scariness.GetDescription(), stack); 349 } 350 351 void ErrorBadParamsToCopyContiguousContainerAnnotations::Print() { 352 Report( 353 "ERROR: AddressSanitizer: bad parameters to " 354 "__sanitizer_copy_contiguous_container_annotations:\n" 355 " src_storage_beg : %p\n" 356 " src_storage_end : %p\n" 357 " dst_storage_beg : %p\n" 358 " new_storage_end : %p\n", 359 (void *)old_storage_beg, (void *)old_storage_end, (void *)new_storage_beg, 360 (void *)new_storage_end); 361 stack->Print(); 362 ReportErrorSummary(scariness.GetDescription(), stack); 363 } 364 365 void ErrorODRViolation::Print() { 366 Decorator d; 367 Printf("%s", d.Error()); 368 Report("ERROR: AddressSanitizer: %s (%p):\n", scariness.GetDescription(), 369 (void *)global1.beg); 370 Printf("%s", d.Default()); 371 InternalScopedString g1_loc; 372 InternalScopedString g2_loc; 373 PrintGlobalLocation(&g1_loc, global1, /*print_module_name=*/true); 374 PrintGlobalLocation(&g2_loc, global2, /*print_module_name=*/true); 375 Printf(" [1] size=%zd '%s' %s\n", global1.size, 376 MaybeDemangleGlobalName(global1.name), g1_loc.data()); 377 Printf(" [2] size=%zd '%s' %s\n", global2.size, 378 MaybeDemangleGlobalName(global2.name), g2_loc.data()); 379 if (stack_id1 && stack_id2) { 380 Printf("These globals were registered at these points:\n"); 381 Printf(" [1]:\n"); 382 StackDepotGet(stack_id1).Print(); 383 Printf(" [2]:\n"); 384 StackDepotGet(stack_id2).Print(); 385 } 386 Report( 387 "HINT: if you don't care about these errors you may set " 388 "ASAN_OPTIONS=detect_odr_violation=0\n"); 389 InternalScopedString error_msg; 390 error_msg.AppendF("%s: global '%s' at %s", scariness.GetDescription(), 391 MaybeDemangleGlobalName(global1.name), g1_loc.data()); 392 ReportErrorSummary(error_msg.data()); 393 } 394 395 void ErrorInvalidPointerPair::Print() { 396 Decorator d; 397 Printf("%s", d.Error()); 398 Report("ERROR: AddressSanitizer: %s: %p %p\n", scariness.GetDescription(), 399 (void *)addr1_description.Address(), 400 (void *)addr2_description.Address()); 401 Printf("%s", d.Default()); 402 GET_STACK_TRACE_FATAL(pc, bp); 403 stack.Print(); 404 addr1_description.Print(); 405 addr2_description.Print(); 406 ReportErrorSummary(scariness.GetDescription(), &stack); 407 } 408 409 static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) { 410 return s[-1] > 127 && s[1] > 127; 411 } 412 413 ErrorGeneric::ErrorGeneric(u32 tid, uptr pc_, uptr bp_, uptr sp_, uptr addr, 414 bool is_write_, uptr access_size_) 415 : ErrorBase(tid), 416 addr_description(addr, access_size_, /*shouldLockThreadRegistry=*/false), 417 pc(pc_), 418 bp(bp_), 419 sp(sp_), 420 access_size(access_size_), 421 is_write(is_write_), 422 shadow_val(0) { 423 scariness.Clear(); 424 if (access_size) { 425 if (access_size <= 9) { 426 char desr[] = "?-byte"; 427 desr[0] = '0' + access_size; 428 scariness.Scare(access_size + access_size / 2, desr); 429 } else if (access_size >= 10) { 430 scariness.Scare(15, "multi-byte"); 431 } 432 is_write ? scariness.Scare(20, "write") : scariness.Scare(1, "read"); 433 434 // Determine the error type. 435 bug_descr = "unknown-crash"; 436 if (AddrIsInMem(addr)) { 437 u8 *shadow_addr = (u8 *)MemToShadow(addr); 438 // If we are accessing 16 bytes, look at the second shadow byte. 439 if (*shadow_addr == 0 && access_size > ASAN_SHADOW_GRANULARITY) 440 shadow_addr++; 441 // If we are in the partial right redzone, look at the next shadow byte. 442 if (*shadow_addr > 0 && *shadow_addr < 128) shadow_addr++; 443 bool far_from_bounds = false; 444 shadow_val = *shadow_addr; 445 int bug_type_score = 0; 446 // For use-after-frees reads are almost as bad as writes. 447 int read_after_free_bonus = 0; 448 switch (shadow_val) { 449 case kAsanHeapLeftRedzoneMagic: 450 case kAsanArrayCookieMagic: 451 bug_descr = "heap-buffer-overflow"; 452 bug_type_score = 10; 453 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr); 454 break; 455 case kAsanHeapFreeMagic: 456 bug_descr = "heap-use-after-free"; 457 bug_type_score = 20; 458 if (!is_write) read_after_free_bonus = 18; 459 break; 460 case kAsanStackLeftRedzoneMagic: 461 bug_descr = "stack-buffer-underflow"; 462 bug_type_score = 25; 463 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr); 464 break; 465 case kAsanInitializationOrderMagic: 466 bug_descr = "initialization-order-fiasco"; 467 bug_type_score = 1; 468 break; 469 case kAsanStackMidRedzoneMagic: 470 case kAsanStackRightRedzoneMagic: 471 bug_descr = "stack-buffer-overflow"; 472 bug_type_score = 25; 473 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr); 474 break; 475 case kAsanStackAfterReturnMagic: 476 bug_descr = "stack-use-after-return"; 477 bug_type_score = 30; 478 if (!is_write) read_after_free_bonus = 18; 479 break; 480 case kAsanUserPoisonedMemoryMagic: 481 bug_descr = "use-after-poison"; 482 bug_type_score = 20; 483 break; 484 case kAsanContiguousContainerOOBMagic: 485 bug_descr = "container-overflow"; 486 bug_type_score = 10; 487 break; 488 case kAsanStackUseAfterScopeMagic: 489 bug_descr = "stack-use-after-scope"; 490 bug_type_score = 10; 491 break; 492 case kAsanGlobalRedzoneMagic: 493 bug_descr = "global-buffer-overflow"; 494 bug_type_score = 10; 495 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr); 496 break; 497 case kAsanIntraObjectRedzone: 498 bug_descr = "intra-object-overflow"; 499 bug_type_score = 10; 500 break; 501 case kAsanAllocaLeftMagic: 502 case kAsanAllocaRightMagic: 503 bug_descr = "dynamic-stack-buffer-overflow"; 504 bug_type_score = 25; 505 far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr); 506 break; 507 } 508 scariness.Scare(bug_type_score + read_after_free_bonus, bug_descr); 509 if (far_from_bounds) scariness.Scare(10, "far-from-bounds"); 510 } 511 } 512 } 513 514 static void PrintContainerOverflowHint() { 515 Printf("HINT: if you don't care about these errors you may set " 516 "ASAN_OPTIONS=detect_container_overflow=0.\n" 517 "If you suspect a false positive see also: " 518 "https://github.com/google/sanitizers/wiki/" 519 "AddressSanitizerContainerOverflow.\n"); 520 } 521 522 static void PrintShadowByte(InternalScopedString *str, const char *before, 523 u8 byte, const char *after = "\n") { 524 PrintMemoryByte(str, before, byte, /*in_shadow*/true, after); 525 } 526 527 static void PrintLegend(InternalScopedString *str) { 528 str->AppendF( 529 "Shadow byte legend (one shadow byte represents %d " 530 "application bytes):\n", 531 (int)ASAN_SHADOW_GRANULARITY); 532 PrintShadowByte(str, " Addressable: ", 0); 533 str->AppendF(" Partially addressable: "); 534 for (u8 i = 1; i < ASAN_SHADOW_GRANULARITY; i++) 535 PrintShadowByte(str, "", i, " "); 536 str->AppendF("\n"); 537 PrintShadowByte(str, " Heap left redzone: ", 538 kAsanHeapLeftRedzoneMagic); 539 PrintShadowByte(str, " Freed heap region: ", kAsanHeapFreeMagic); 540 PrintShadowByte(str, " Stack left redzone: ", 541 kAsanStackLeftRedzoneMagic); 542 PrintShadowByte(str, " Stack mid redzone: ", 543 kAsanStackMidRedzoneMagic); 544 PrintShadowByte(str, " Stack right redzone: ", 545 kAsanStackRightRedzoneMagic); 546 PrintShadowByte(str, " Stack after return: ", 547 kAsanStackAfterReturnMagic); 548 PrintShadowByte(str, " Stack use after scope: ", 549 kAsanStackUseAfterScopeMagic); 550 PrintShadowByte(str, " Global redzone: ", kAsanGlobalRedzoneMagic); 551 PrintShadowByte(str, " Global init order: ", 552 kAsanInitializationOrderMagic); 553 PrintShadowByte(str, " Poisoned by user: ", 554 kAsanUserPoisonedMemoryMagic); 555 PrintShadowByte(str, " Container overflow: ", 556 kAsanContiguousContainerOOBMagic); 557 PrintShadowByte(str, " Array cookie: ", 558 kAsanArrayCookieMagic); 559 PrintShadowByte(str, " Intra object redzone: ", 560 kAsanIntraObjectRedzone); 561 PrintShadowByte(str, " ASan internal: ", kAsanInternalHeapMagic); 562 PrintShadowByte(str, " Left alloca redzone: ", kAsanAllocaLeftMagic); 563 PrintShadowByte(str, " Right alloca redzone: ", kAsanAllocaRightMagic); 564 } 565 566 static void PrintShadowBytes(InternalScopedString *str, const char *before, 567 u8 *bytes, u8 *guilty, uptr n) { 568 Decorator d; 569 if (before) 570 str->AppendF("%s%p:", before, 571 (void *)ShadowToMem(reinterpret_cast<uptr>(bytes))); 572 for (uptr i = 0; i < n; i++) { 573 u8 *p = bytes + i; 574 const char *before = 575 p == guilty ? "[" : (p - 1 == guilty && i != 0) ? "" : " "; 576 const char *after = p == guilty ? "]" : ""; 577 PrintShadowByte(str, before, *p, after); 578 } 579 str->AppendF("\n"); 580 } 581 582 static void PrintShadowMemoryForAddress(uptr addr) { 583 if (!AddrIsInMem(addr)) return; 584 uptr shadow_addr = MemToShadow(addr); 585 const uptr n_bytes_per_row = 16; 586 uptr aligned_shadow = shadow_addr & ~(n_bytes_per_row - 1); 587 InternalScopedString str; 588 str.AppendF("Shadow bytes around the buggy address:\n"); 589 for (int i = -5; i <= 5; i++) { 590 uptr row_shadow_addr = aligned_shadow + i * n_bytes_per_row; 591 // Skip rows that would be outside the shadow range. This can happen when 592 // the user address is near the bottom, top, or shadow gap of the address 593 // space. 594 if (!AddrIsInShadow(row_shadow_addr)) continue; 595 const char *prefix = (i == 0) ? "=>" : " "; 596 PrintShadowBytes(&str, prefix, (u8 *)row_shadow_addr, (u8 *)shadow_addr, 597 n_bytes_per_row); 598 } 599 if (flags()->print_legend) PrintLegend(&str); 600 Printf("%s", str.data()); 601 } 602 603 void ErrorGeneric::Print() { 604 Decorator d; 605 Printf("%s", d.Error()); 606 uptr addr = addr_description.Address(); 607 Report("ERROR: AddressSanitizer: %s on address %p at pc %p bp %p sp %p\n", 608 bug_descr, (void *)addr, (void *)pc, (void *)bp, (void *)sp); 609 Printf("%s", d.Default()); 610 611 Printf("%s%s of size %zu at %p thread %s%s\n", d.Access(), 612 access_size ? (is_write ? "WRITE" : "READ") : "ACCESS", access_size, 613 (void *)addr, AsanThreadIdAndName(tid).c_str(), d.Default()); 614 615 scariness.Print(); 616 GET_STACK_TRACE_FATAL(pc, bp); 617 stack.Print(); 618 619 // Pass bug_descr because we have a special case for 620 // initialization-order-fiasco 621 addr_description.Print(bug_descr); 622 if (shadow_val == kAsanContiguousContainerOOBMagic) 623 PrintContainerOverflowHint(); 624 ReportErrorSummary(bug_descr, &stack); 625 PrintShadowMemoryForAddress(addr); 626 } 627 628 } // namespace __asan 629