viralcode / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

ASan incorrectly wraps memmove on OS X Lion #34

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
$ cat t.c
#include <stdio.h>
/* memmove() is declared by hand instead of via <string.h>, so the call
   below goes to the library symbol rather than a compiler builtin. */
extern void *memmove(void *dest, void *src, size_t n);
int main() {
  char a[] = "Hello World!\n";
  memmove(a+3, a, 5);   /* overlapping ranges: legal for memmove, not for memcpy */
  printf("%s\n", a);
  return 0;
}
=============================
$ gcc t.c -o t && ./t
HelHellorld!
=============================
$ clang t.c -o t -fno-builtin -O0 -faddress-sanitizer && ./t 2>&1 | scripts/asan_symbolize.py
==51112== ERROR: AddressSanitizer memcpy-param-overlap: memory ranges [0x7fff6904eb43,0x7fff6904eb48) and [0x7fff6904eb40, 0x7fff6904eb45) overlap
    #0 0x1094543b0 in wrap_memcpy (in t) + 128
    #1 0x109450127 in main (in t) + 471
    #2 0x10944ff44 in start (in t) + 52
    #3 0x1
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 full pages) mmaped in 0 calls
  mmaps   by size class:
  mallocs by size class:
  frees   by size class:
  rfrees  by size class:
Stats: malloc large: 0 small slow: 0

Original issue reported on code.google.com by ramosian.glider@gmail.com on 30 Jan 2012 at 1:03

GoogleCodeExporter commented 9 years ago
It appears that memcpy() and memmove() are aliases on Lion:

$ nm /usr/lib/system/libsystem_c.dylib | grep "memcpy\|memmove"
0000000000013830 T ___memcpy_chk
000000000001381c T ___memmove_chk
00000000000a1969 T _memcpy
0000000000027ebd t _memcpy$VARIANT$sse3x
0000000000027cbd t _memcpy$VARIANT$sse42
00000000000e0af0 d _memcpy_platfunc_descriptors
000000000009ea1a T _memmove
0000000000027ebd t _memmove$VARIANT$sse3x
0000000000027cbd t _memmove$VARIANT$sse42
00000000000e0ab0 d _memmove_platfunc_descriptors
00000000000e19f0 s _platfunc_memcpy$VARIANT$sse3x
00000000000e19c0 s _platfunc_memcpy$VARIANT$sse42
00000000000e1a00 s _platfunc_memmove$VARIANT$sse3x
00000000000e19d0 s _platfunc_memmove$VARIANT$sse42
00000000000295a5 T _wmemcpy
0000000000006793 T _wmemmove

Therefore we're wrapping the same function twice, so for both memcpy() and memmove() we're calling wrap_memcpy() => wrap_memmove() => original function.

To fix this we should just wrap memmove() and forget about memcpy-param-overlap errors.

See also https://bugzilla.mozilla.org/show_bug.cgi?id=715750 and http://code.google.com/p/valgrind-variant/issues/detail?id=5

Original comment by ramosian.glider@gmail.com on 31 Jan 2012 at 11:30
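The interceptor logic this thread turns on, as an added C example that is not part of the issue or of ASan's own source: `ranges_overlap` is the half-open interval test behind a memcpy-param-overlap report, `checked_memcpy` and `checked_memmove` model the two wrappers (the memcpy one diagnoses overlap, the memmove one does not), `memcpy_aliases_memmove` is a runtime form of the nm check above, and `replay_issue` reruns the t.c scenario. All function names and the `g_report` buffer are the example's own; reports are returned to the caller instead of aborting.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Half-open byte ranges [a, a+na) and [b, b+nb) overlap iff each one starts
 * before the other ends. Addresses are compared as integers so pointers into
 * different objects can be ordered without relying on unspecified pointer
 * comparison. Empty ranges never overlap. */
int ranges_overlap(const void *a, size_t na, const void *b, size_t nb) {
    uintptr_t a0 = (uintptr_t)a, a1 = a0 + na;
    uintptr_t b0 = (uintptr_t)b, b1 = b0 + nb;
    if (na == 0 || nb == 0)
        return 0;
    return a0 < b1 && b0 < a1;
}

/* Model of a memcpy interceptor: memcpy() is undefined on overlapping ranges,
 * so the overlap is diagnosed before any byte is copied. Unlike ASan it does
 * not abort: it writes a one-line report and returns 1; otherwise it copies
 * and returns 0. */
int checked_memcpy(void *dst, const void *src, size_t n,
                   char *report, size_t report_len) {
    if (ranges_overlap(dst, n, src, n)) {
        snprintf(report, report_len,
                 "memcpy-param-overlap: [%p,%p) and [%p,%p) overlap",
                 dst, (void *)((char *)dst + n),
                 (void *)src, (void *)((const char *)src + n));
        return 1;
    }
    memcpy(dst, src, n);
    return 0;
}

/* Model of a memmove interceptor: memmove() is defined for overlapping
 * ranges, so there is nothing to report. This is the wrapper the fix keeps:
 * where memcpy and memmove are the same symbol, a memcpy-style overlap check
 * would fire for perfectly legal memmove() calls. */
int checked_memmove(void *dst, const void *src, size_t n) {
    memmove(dst, src, n);
    return 0;
}

/* Runtime version of the nm check: do memcpy and memmove resolve to the same
 * code? The volatile pointers stop the compiler from assuming that two
 * distinct function names must have distinct addresses. */
int memcpy_aliases_memmove(void) {
    void *(*volatile p)(void *, const void *, size_t) = memcpy;
    void *(*volatile q)(void *, const void *, size_t) = memmove;
    return p == q;
}

/* Report buffer shared by replay_issue() and main(). */
char g_report[160];

/* Replays the issue's t.c: memmove(a+3, a, 5) on "Hello World!\n" is a
 * legitimate overlapping move that must produce "HelHellorld!\n", while the
 * same ranges handed to the memcpy wrapper must be reported, not copied.
 * Returns the number of violated expectations (0 means everything matched). */
int replay_issue(char *report, size_t report_len) {
    char a[] = "Hello World!\n";   /* constructed input, taken from the issue */
    int failures = 0;
    report[0] = '\0';
    if (checked_memmove(a + 3, a, 5) != 0) failures++;
    if (strcmp(a, "HelHellorld!\n") != 0) failures++;
    if (checked_memcpy(a + 3, a, 5, report, report_len) != 1) failures++;
    if (strncmp(report, "memcpy-param-overlap", 20) != 0) failures++;
    if (strcmp(a, "HelHellorld!\n") != 0) failures++;   /* nothing copied */
    return failures;
}

int main(void) {
    printf("memcpy aliases memmove on this platform: %s\n",
           memcpy_aliases_memmove() ? "yes" : "no");
    printf("replay failures: %d\n", replay_issue(g_report, sizeof g_report));
    if (g_report[0])
        printf("%s\n", g_report);
    return 0;
}
```

Where `memcpy_aliases_memmove()` answers yes, every memmove() call lands in whichever wrapper was registered for that one address, so an overlap diagnosis coming from the memcpy wrapper says nothing about the caller's intent; that is exactly why the fix keeps only the memmove wrapper.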

GoogleCodeExporter commented 9 years ago
Fixed in clang:r149492

Original comment by ramosian.glider@gmail.com on 1 Feb 2012 at 10:13
