-fsanitizer=address

-fsanitizer=address

Mike-6
hi all,

I've run "make test" under -fsanitize=address and got the same report for several failed tests:



Test: 05_array...
Test: 06_case...
Test: 07_function...
--- 07_function.expect 2019-06-12 18:25:10.882343396 +0300
+++ 07_function.output 2019-06-12 22:06:43.089702799 +0300
@@ -1,4 +1,54 @@
-9
-16
-a=1234
-qfunc()
+=================================================================
+==5953==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000000fc at pc 0x558ff5fe5616 bp 0x7ffcc0f968a0 sp 0x7ffcc0f96890
+READ of size 1 at 0x6150000000fc thread T0
+    #0 0x558ff5fe5615 in build_got_entries /home/mpech/tinycc/tccelf.c:1107
+    #1 0x558ff5ffb422 in tcc_relocate_ex /home/mpech/tinycc/tccrun.c:195
+    #2 0x558ff5ffb52f in tcc_relocate /home/mpech/tinycc/tccrun.c:67
+    #3 0x558ff5ffb7dc in tcc_relocate /home/mpech/tinycc/tccrun.c:64
+    #4 0x558ff5ffb7dc in tcc_run /home/mpech/tinycc/tccrun.c:123
+    #5 0x558ff5fa0439 in main /home/mpech/tinycc/tcc.c:353
+    #6 0x7f51fe50ace2 in __libc_start_main (/usr/lib/libc.so.6+0x23ce2)
+    #7 0x558ff5fa0b9d in _start (/home/mpech/tinycc/tcc+0x11b9d)
+
+0x6150000000fc is located 124 bytes inside of 512-byte region [0x615000000080,0x615000000280)
+freed by thread T0 here:
+    #0 0x7f51fe8e9801 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:105
+    #1 0x558ff5fa3b38 in tcc_realloc /home/mpech/tinycc/libtcc.c:224
+
+previously allocated by thread T0 here:
+    #0 0x7f51fe8e9801 in __interceptor_realloc /build/gcc/src/gcc/libsanitizer/asan/asan_malloc_linux.cc:105
+    #1 0x558ff5fa3b38 in tcc_realloc /home/mpech/tinycc/libtcc.c:224
+
+SUMMARY: AddressSanitizer: heap-use-after-free /home/mpech/tinycc/tccelf.c:1107 in build_got_entries
+Shadow bytes around the buggy address:
+  0x0c2a7fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c2a7fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c2a7fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c2a7fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+  0x0c2a7fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+=>0x0c2a7fff8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]
+  0x0c2a7fff8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c2a7fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c2a7fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
+  0x0c2a7fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
+  0x0c2a7fff8060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+Shadow byte legend (one shadow byte represents 8 application bytes):
+  Addressable:           00
+  Partially addressable: 01 02 03 04 05 06 07
+  Heap left redzone:       fa
+  Freed heap region:       fd
+  Stack left redzone:      f1
+  Stack mid redzone:       f2
+  Stack right redzone:     f3
+  Stack after return:      f5
+  Stack use after scope:   f8
+  Global redzone:          f9
+  Global init order:       f6
+  Poisoned by user:        f7
+  Container overflow:      fc
+  Array cookie:            ac
+  Intra object redzone:    bb
+  ASan internal:           fe
+  Left alloca redzone:     ca
+  Right alloca redzone:    cb
+==5953==ABORTING
make[3]: *** [Makefile:70: 07_function.test] Error 1
Test: 08_while...
Test: 09_do_while...
Test: 10_pointer...
...


P.S. The "leak" sanitizer passed; "undefined" failed with a huge number of errors and is the scope of another mail.


(mike)

_______________________________________________
Tinycc-devel mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/tinycc-devel
Re: -fsanitizer=address

Pascal Cuoq
Hello,

On 12 Jun 2019, at 21:21, Mike <[hidden email]> wrote:

I've run "make test" under -fsanitize=address and got the same report for several failed tests:

This appears to be caused by an offset into a dynamically allocated block being assigned to sym in build_got_entries at line 1041:

            sym = &((ElfW(Sym) *)symtab_section->data)[sym_index];

And this dynamically allocated block being realloc'ed as a result of calling build_got(s1) at line 1102:

                build_got(s1);

Bearing in mind that we keep using sym at line 1108:

            attr = put_got_entry(s1, reloc_type, sym->st_size, sym->st_info,
                                 sym_index);

I have no idea what I am doing, but I applied the following patch and it seems to have fixed the dangling pointer, according to the tool I use (not ASan).

diff --git a/tccelf.c b/tccelf.c
index e5f6c42..6ddfb9f 100644
--- a/tccelf.c
+++ b/tccelf.c
@@ -1098,8 +1098,10 @@ ST_FUNC void build_got_entries(TCCState *s1)
             } else
                 reloc_type = R_GLOB_DAT;

 

-            if (!s1->got)
+            if (!s1->got) {
                 build_got(s1);
+                sym = &((ElfW(Sym) *)symtab_section->data)[sym_index]; //attempt
+            }

 

             if (gotplt_entry == BUILD_GOT_ONLY)
                 continue;
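Review bot: the reload of sym right after build_got(s1) is the correct fix for this hunk, but the `//attempt` comment should state the invariant it protects, otherwise the next person to touch this loop has no reason not to drop the reassignment: build_got(s1) can realloc symtab_section->data, so the sym pointer taken from that buffer at line 1041 is stale after the call and must be recomputed from sym_index before put_got_entry reads sym->st_size and sym->st_info at line 1108. Something like `/* build_got may realloc symtab_section->data; refetch sym */` says it. A smaller change is also possible: put_got_entry already receives sym_index, so it can look up st_size and st_info itself, which removes the two parameters and the cached pointer entirely instead of keeping a pointer that is only valid while nothing grows the table. Either way, it is worth checking the same loop for any other pointer into section data that is held across build_got or put_got_entry, since those grow sections in the same way.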


Would a developer confirm this is a good idea?

Pascal


Attachments: dangling.patch (690 bytes), ATT00001.htm (546 bytes)

Re: -fsanitizer=address

Mike-6
>
> I have no idea what I am doing, but I applied the following patch and it seems to have fixed the
> dangling pointer, according to the tool I use (not ASan).


Now much better. BTW, what tool do you use?

(mike)


Re: -fsanitizer=address

Michael Matz-4
Hello Pascal,

On Thu, 13 Jun 2019, Pascal Cuoq wrote:

> This appears to be caused by an offset into a dynamically allocated block
> being assigned to sym in build_got_entries at line 1041:
>
>             sym = &((ElfW(Sym) *)symtab_section->data)[sym_index];
>
> And this dynamically allocated block being realloc'ed as a result of calling
> build_got(s1) at line 1102:
>
>                 build_got(s1);
>
> Bearing in mind that we keep using sym at line 1108:
>
>             attr = put_got_entry(s1, reloc_type, sym->st_size, sym->st_info,
>                                  sym_index);
>
> I have no idea what I am doing, but I applied the following patch and it
> seems to have fixed the dangling pointer, according to the tool I use (not
> ASan).
The analysis and fix are correct.  But there's an even better way: the
usage of sym is useless there; the function put_got_entry is recomputing
sym already anyway, so there's no need to pass stuff into it that's
readily available in a different way, removing two parameters and the
problematic use.  That's what is in mob now.


Ciao,
Michael.
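The bug pattern Pascal describes (a pointer into a growable buffer cached across a call that can realloc it) and both fixes discussed in the thread (reload the pointer after the call; pass the index and let the callee re-derive it), as an added C model that is not tcc's code. Sym, Section, State, put_sym, build_got, put_got_entry, the doubling growth policy and the sample symbol values (size 9, info 0x12) are constructed for illustration; the real build_got and put_got_entry do more than this.

```c
/* Model of the tccelf.c pattern: a symbol table in a growable buffer, a loop
 * that caches a pointer into it, and a callee that may append a symbol (and so
 * realloc the buffer) in between.  Hypothetical names; not tcc's own code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { unsigned st_size; unsigned char st_info; } Sym;

typedef struct {
    Sym *data;      /* like symtab_section->data */
    size_t nsyms;
    size_t cap;     /* doubles on growth, so every realloc here may move the block */
} Section;

typedef struct {
    Section symtab;
    int got_built;  /* like s1->got being non-NULL */
    unsigned got_bytes;
} State;

/* Append one symbol; may realloc data, invalidating any pointer into it. */
static size_t put_sym(Section *s, unsigned size, unsigned char info) {
    if (s->nsyms == s->cap) {
        s->cap = s->cap ? s->cap * 2 : 1;   /* tiny initial capacity: first appends move */
        s->data = realloc(s->data, s->cap * sizeof *s->data);
        if (!s->data) abort();
    }
    s->data[s->nsyms].st_size = size;
    s->data[s->nsyms].st_info = info;
    return s->nsyms++;
}

/* Like build_got(): creating the GOT adds a symbol, so the table may grow. */
static void build_got(State *st) {
    st->got_built = 1;
    put_sym(&st->symtab, 0, 0x10);
}

/* Like the fixed put_got_entry(): takes the index and re-derives sym itself. */
static unsigned put_got_entry(State *st, size_t sym_index) {
    Sym *sym = &st->symtab.data[sym_index];
    st->got_bytes += 8;
    return sym->st_size + sym->st_info;
}

/* BUGGY: sym is cached across build_got().  If build_got reallocs the table,
 * sym->st_size reads freed memory (ASan: heap-use-after-free). */
static unsigned build_got_entries_buggy(State *st, size_t sym_index) {
    Sym *sym = &st->symtab.data[sym_index];
    if (!st->got_built) build_got(st);
    return sym->st_size + sym->st_info;
}

/* Fix 1 (the posted patch): refetch the pointer after anything that can grow the table. */
static unsigned build_got_entries_reload(State *st, size_t sym_index) {
    Sym *sym = &st->symtab.data[sym_index];
    if (!st->got_built) {
        build_got(st);
        sym = &st->symtab.data[sym_index];  /* build_got may have moved data */
    }
    return sym->st_size + sym->st_info;
}

/* Fix 2 (what went into mob): hold no pointer at all; pass the index through. */
static unsigned build_got_entries_index(State *st, size_t sym_index) {
    if (!st->got_built) build_got(st);
    return put_got_entry(st, sym_index);
}

/* Constructed scenario: null symbol at index 0, then one function symbol
 * (size 9, info 0x12 = STB_GLOBAL<<4 | STT_FUNC); run one variant on it. */
static unsigned demo(unsigned (*fn)(State *, size_t)) {
    State st;
    memset(&st, 0, sizeof st);
    put_sym(&st.symtab, 0, 0);
    size_t qfunc = put_sym(&st.symtab, 9, 0x12);
    unsigned r = fn(&st, qfunc);   /* 9 + 0x12 = 27 for the correct variants */
    free(st.symtab.data);
    return r;
}

int main(int argc, char **argv) {
    printf("reload fix: %u\n", demo(build_got_entries_reload));
    printf("index fix:  %u\n", demo(build_got_entries_index));
    /* Only on request: "./a.out uaf" under -fsanitize=address reproduces the
     * heap-use-after-free report; without ASan it is silent undefined behaviour. */
    if (argc > 1 && strcmp(argv[1], "uaf") == 0)
        printf("buggy:      %u\n", demo(build_got_entries_buggy));
    return 0;
}
```

Build with `cc -g -fsanitize=address model.c && ./a.out uaf` to get a report of the same shape as the one at the top of the thread (a READ in the buggy function, freed by realloc, previously allocated by realloc). ASan's realloc always hands back a fresh block and poisons the old one, which is why the stale read is caught deterministically; with plain glibc, realloc may grow in place and the bug stays invisible, which is the reason such tests should run under the sanitizer.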