ramosian-glider / sanitizers


AddressSanitizer CHECK failed: "((name_end)) != (0)" (0x0, 0x0) in the use-after-return mode. #127

Closed ramosian-glider closed 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 126

$ cat t.c
int *glob = 0;
void foo() {
  int local[10];
  glob = local;   /* address of a local escapes foo()'s frame */
}
int main() {
  foo();
  glob[0] = 0;    /* write through the dangling pointer: stack-use-after-return */
  return 0;
}
=========================================
$ clang -fsanitize=address -mllvm -asan-use-after-return=1 t.c 
$ ./a.out 
=================================================================
==17961== ERROR: AddressSanitizer: stack-use-after-return on address 0x7ff528542220
at pc 0x40958d bp 0x7fff789b7450 sp 0x7fff789b7448
WRITE of size 4 at 0x7ff528542220 thread T0
    #0 0x40958c (/tmp/a.out+0x40958c)
    #1 0x7ff528d60c4c (/lib/libc-2.11.1.so+0x1ec4c)
==17961== AddressSanitizer CHECK failed: /usr/local/google/chrome/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_report.cc:151
"((name_end)) != (0)" (0x0, 0x0)
    #0 0x412b0f (/tmp/a.out+0x412b0f)
    #1 0x414141 (/tmp/a.out+0x414141)
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 full pages) mmaped in 0 calls
  mmaps   by size class: 
  mallocs by size class: 
  frees   by size class: 
  rfrees  by size class: 
Stats: malloc large: 0 small slow: 0

Reported by ramosian.glider on 2012-11-15 12:19:49

ramosian-glider commented 9 years ago
This happens because the frame description returned by t->GetFrameNameByAddr(addr, &offset)
in DescribeAddressIfStack() is "UNKNOWN" and doesn't contain spaces.

Reported by ramosian.glider on 2012-11-15 12:29:22

ramosian-glider commented 9 years ago
Haha, watch the hands:

1. We enter foo(), local[10] is allocated on the fake stack and its shadow is filled
by the instrumentation code:
0x1ffffecd1040: 0xf1    0xf1    0xf1    0xf1    0x00    0x00    0x00    0x00
0x1ffffecd1048: 0x00    0xf4    0xf4    0xf4    0xf3    0xf3    0xf3    0xf3
2. We leave foo(), local[10] is deallocated and __asan_stack_free() fills the shadow
with kAsanStackAfterReturnMagic:
3. At error report time AsanThread::GetFrameNameByAddr looks for kAsanStackLeftRedzoneMagic
(0xf1), doesn't find it and returns "UNKNOWN".
4. The error reporting code crashes.

Reported by ramosian.glider on 2012-11-15 12:37:12
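A constructed model of the four steps above, added here as an example and not compiler-rt's code. It uses the shadow bytes exactly as dumped in the thread (0xf1 left redzone, 0x00 addressable, 0xf4 partial redzone, 0xf3 right redzone); the after-return value 0xf5, the extra "after-return delimiter" value 0xf6, the frame descriptor string "foo 32 40 local", and the function names are assumptions of this model. StackFreeWithDelimiter() models the direction eugenis proposes (a second after-return shadow value that still marks the frame start), not what r168040 actually changed; ParseFrameFunctionName() shows the report side tolerating the "UNKNOWN" fallback instead of failing a CHECK.

```cpp
#include <algorithm>
#include <cstdint>
#include <cstring>
#include <string>
#include <vector>

// Shadow values quoted in the thread's dump.
const uint8_t kStackLeftRedzoneMagic = 0xf1;
const uint8_t kStackPartialRedzoneMagic = 0xf4;
const uint8_t kStackRightRedzoneMagic = 0xf3;
// Assumed for this model: the value __asan_stack_free() writes, and a
// hypothetical second value that keeps the frame start distinguishable.
const uint8_t kStackAfterReturnMagic = 0xf5;
const uint8_t kStackAfterReturnLeftRedzone = 0xf6;

// Shadow of foo()'s frame as dumped above, one shadow byte per 8 stack bytes:
// 32-byte left redzone, int local[10] (40 bytes), partial and right redzones.
std::vector<uint8_t> FooFrameShadow() {
  return {kStackLeftRedzoneMagic, kStackLeftRedzoneMagic,
          kStackLeftRedzoneMagic, kStackLeftRedzoneMagic,
          0x00, 0x00, 0x00, 0x00, 0x00,
          kStackPartialRedzoneMagic, kStackPartialRedzoneMagic, kStackPartialRedzoneMagic,
          kStackRightRedzoneMagic, kStackRightRedzoneMagic,
          kStackRightRedzoneMagic, kStackRightRedzoneMagic};
}

// Step 2 as described: the whole frame, left redzone included, is overwritten,
// so nothing delimits the frame any more.
void StackFreeOriginal(std::vector<uint8_t>& shadow) {
  std::fill(shadow.begin(), shadow.end(), kStackAfterReturnMagic);
}

// Model of the proposed direction: poison the frame but map the left redzone
// to a dedicated after-return value so the frame lookup can still find it.
void StackFreeWithDelimiter(std::vector<uint8_t>& shadow) {
  for (uint8_t& b : shadow)
    b = (b == kStackLeftRedzoneMagic) ? kStackAfterReturnLeftRedzone
                                      : kStackAfterReturnMagic;
}

// Step 3: walk back from the faulting shadow byte until a frame delimiter is
// found; "UNKNOWN" otherwise. The descriptor returned is a constructed stand-in
// (function name, offset, size, variable name).
std::string FrameNameByShadow(const std::vector<uint8_t>& shadow, size_t idx) {
  for (size_t i = idx + 1; i-- > 0;) {
    if (shadow[i] == kStackLeftRedzoneMagic ||
        shadow[i] == kStackAfterReturnLeftRedzone)
      return "foo 32 40 local";
  }
  return "UNKNOWN";
}

// Step 4, made robust: the original reporter did CHECK(name_end != 0) after
// strchr(descr, ' ') and aborted on "UNKNOWN"; here a missing space is an
// ordinary failure result rather than a crash inside the error reporter.
bool ParseFrameFunctionName(const std::string& descr, std::string& fn_out) {
  const char* s = descr.c_str();
  const char* name_end = std::strchr(s, ' ');
  if (name_end == nullptr) return false;
  fn_out.assign(s, static_cast<size_t>(name_end - s));
  return true;
}

// Address description as the report would print it for shadow index idx.
std::string DescribeStackAddress(const std::vector<uint8_t>& shadow, size_t idx) {
  std::string fn;
  if (ParseFrameFunctionName(FrameNameByShadow(shadow, idx), fn))
    return "Address is in frame of " + fn;
  return "Address is on the stack, but its frame could not be identified";
}
```

Index 4 is the shadow byte covering local[0], i.e. the glob[0] write in t.c. With StackFreeOriginal() the lookup returns "UNKNOWN" and the describer degrades gracefully; with StackFreeWithDelimiter() the frame is still located after the return.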

ramosian-glider commented 9 years ago
Nice. Sounds like we need another kind of use-after-return shadow to delimit stack frames.

Reported by eugenis@google.com on 2012-11-15 12:41:35

ramosian-glider commented 9 years ago
Fixed in r168040.

Reported by ramosian.glider on 2012-11-15 14:00:03

ramosian-glider commented 9 years ago

Reported by ramosian.glider on 2012-11-15 14:00:24

ramosian-glider commented 9 years ago
Fixed for real in r168046.

Reported by ramosian.glider on 2012-11-15 16:22:34

ramosian-glider commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:13:40