
AddressSanitizer CHECK failed: "((name_end)) != (0)" (0x0, 0x0) in the use-after-return mode. #126

Closed
ramosian-glider opened this issue Aug 31, 2015 · 7 comments

Comments

@ramosian-glider
Member

Originally reported on Google Code with ID 126

$ cat t.c
int *glob = 0;
void foo() {
  int local[10];
  glob = local;
}
int main() {
  foo();
  glob[0] = 0;
  return 0;
}
=========================================
$ clang -fsanitize=address -mllvm -asan-use-after-return=1 t.c 
$ ./a.out 
=================================================================
==17961== ERROR: AddressSanitizer: stack-use-after-return on address 0x7ff528542220
at pc 0x40958d bp 0x7fff789b7450 sp 0x7fff789b7448
WRITE of size 4 at 0x7ff528542220 thread T0
    #0 0x40958c (/tmp/a.out+0x40958c)
    #1 0x7ff528d60c4c (/lib/libc-2.11.1.so+0x1ec4c)
==17961== AddressSanitizer CHECK failed: /usr/local/google/chrome/src/third_party/llvm/projects/compiler-rt/lib/asan/asan_report.cc:151
"((name_end)) != (0)" (0x0, 0x0)
    #0 0x412b0f (/tmp/a.out+0x412b0f)
    #1 0x414141 (/tmp/a.out+0x414141)
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 full pages) mmaped in 0 calls
  mmaps   by size class: 
  mallocs by size class: 
  frees   by size class: 
  rfrees  by size class: 
Stats: malloc large: 0 small slow: 0

Reported by ramosian.glider on 2012-11-15 12:19:49

@ramosian-glider
Member Author

This happens because the frame description returned by t->GetFrameNameByAddr(addr, &offset)
in DescribeAddressIfStack() is "UNKNOWN" and doesn't contain spaces.

Reported by ramosian.glider on 2012-11-15 12:29:22

@ramosian-glider
Member Author

Haha, watch the hands:

1. We enter foo(); local[10] is allocated on the fake stack and its shadow is filled
by the instrumentation code:
0x1ffffecd1040: 0xf1    0xf1    0xf1    0xf1    0x00    0x00    0x00    0x00
0x1ffffecd1048: 0x00    0xf4    0xf4    0xf4    0xf3    0xf3    0xf3    0xf3
2. We leave foo(); local[10] is deallocated and __asan_stack_free() fills the shadow
with kAsanStackAfterReturnMagic:
3. At error report time AsanThread::GetFrameNameByAddr looks for kAsanStackLeftRedzoneMagic
(0xf1), doesn't find it and returns "UNKNOWN".
4. The error reporting code crashes.

Reported by ramosian.glider on 2012-11-15 12:37:12

@ramosian-glider
Member Author

Nice. Sounds like we need another kind of use-after-return shadow to delimit stack frames.

Reported by eugenis@google.com on 2012-11-15 12:41:35
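The two comments above describe the whole failure chain: the fake-stack free poisons every shadow byte of the frame (left redzone included), the backwards scan for 0xf1 therefore never finds the frame start and yields "UNKNOWN", and the reporter then CHECK-fails on a string that has no space in it. The following C model, added here as an illustration and not code from compiler-rt, replays that chain on a 16-byte shadow copied from the dump in the issue. The ASan magic names and values (0xf1, 0xf3, 0xf4, 0xf5) are real; the frame description string, the 8-byte granularity, `kModelFreedLeftRedzone` (0xe1) and the `fake_stack_free_delimited` variant that keeps a distinct marker on the left redzone are this example's own constructions, sketching the "another kind of shadow to delimit frames" idea rather than reproducing r168040. The second reporter shows the defensive alternative: a malformed description degrades the report instead of aborting inside the error path, which is the property a diagnostic tool's crash handler should have regardless of how frames are delimited.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stack shadow values as AddressSanitizer names them. kModelFreedLeftRedzone
   is hypothetical (this example's own, not an ASan constant): a distinct
   after-return value for the left redzone only. */
#define kAsanStackLeftRedzoneMagic    0xf1
#define kAsanStackRightRedzoneMagic   0xf3
#define kAsanStackPartialRedzoneMagic 0xf4
#define kAsanStackAfterReturnMagic    0xf5
#define kModelFreedLeftRedzone        0xe1   /* hypothetical */

#define SHADOW_BYTES 16
#define SHADOW_GRANULARITY 8   /* one shadow byte per 8 bytes of frame (assumed) */

typedef struct {
    uint8_t shadow[SHADOW_BYTES];
    const char *frame_descr;   /* what the lookup hands to the reporter */
} FakeFrameModel;

/* Shadow exactly as the issue's dump shows it for foo(): four left-redzone
   bytes, five addressable bytes for int local[10] (40 bytes), a partial
   redzone, a right redzone. The description string is a constructed sample
   in the old "<function> <nvars> <off> <len> <namelen> <name>" shape. */
static void fake_stack_alloc(FakeFrameModel *f) {
    static const uint8_t layout[SHADOW_BYTES] = {
        0xf1, 0xf1, 0xf1, 0xf1, 0x00, 0x00, 0x00, 0x00,
        0x00, 0xf4, 0xf4, 0xf4, 0xf3, 0xf3, 0xf3, 0xf3 };
    memcpy(f->shadow, layout, SHADOW_BYTES);
    f->frame_descr = "foo 1 32 40 5 local";
}

/* __asan_stack_free() as the issue describes it: every shadow byte of the
   frame, redzones included, becomes kAsanStackAfterReturnMagic. */
static void fake_stack_free(FakeFrameModel *f) {
    memset(f->shadow, kAsanStackAfterReturnMagic, SHADOW_BYTES);
}

/* Hypothetical delimited variant: the body is poisoned the same way, but the
   left redzone gets a marker of its own so the frame start stays findable. */
static void fake_stack_free_delimited(FakeFrameModel *f) {
    size_t i = 0;
    while (i < SHADOW_BYTES && f->shadow[i] == kAsanStackLeftRedzoneMagic)
        f->shadow[i++] = kModelFreedLeftRedzone;
    memset(f->shadow + i, kAsanStackAfterReturnMagic, SHADOW_BYTES - i);
}

/* Model of AsanThread::GetFrameNameByAddr: walk the shadow backwards from
   the faulting address until a left-redzone marker is found. */
static const char *get_frame_name_by_addr(const FakeFrameModel *f, size_t addr) {
    size_t idx = addr / SHADOW_GRANULARITY;
    if (idx >= SHADOW_BYTES) return "UNKNOWN";
    for (;;) {
        uint8_t s = f->shadow[idx];
        if (s == kAsanStackLeftRedzoneMagic || s == kModelFreedLeftRedzone)
            return f->frame_descr;
        if (idx == 0) return "UNKNOWN";
        idx--;
    }
}

/* Reporter as the issue describes it: the function name is assumed to end at
   a space, and CHECK(name_end != 0) fires otherwise. Returns -1 where the
   real reporter would have aborted, 0 on success. */
static int describe_frame_unchecked(const char *descr, char *out, size_t len) {
    const char *name_end = strchr(descr, ' ');
    if (name_end == 0) return -1;            /* the CHECK that fired */
    snprintf(out, len, "in frame '%.*s'", (int)(name_end - descr), descr);
    return 0;
}

/* Defensive reporter: an unexpected description degrades the report instead
   of killing the process inside its own error path. Returns 1 if degraded. */
static int describe_frame_checked(const char *descr, char *out, size_t len) {
    const char *name_end = strchr(descr, ' ');
    if (name_end == 0) {
        snprintf(out, len, "in frame <%s> (no frame description)", descr);
        return 1;
    }
    snprintf(out, len, "in frame '%.*s'", (int)(name_end - descr), descr);
    return 0;
}

/* The issue's scenario: foo() returns, then main() writes glob[0], which sits
   at frame offset 32, right after the 32-byte left redzone. */
static int report_after_return(int delimited, int defensive, char *out, size_t len) {
    FakeFrameModel f;
    fake_stack_alloc(&f);
    if (delimited) fake_stack_free_delimited(&f); else fake_stack_free(&f);
    const char *descr = get_frame_name_by_addr(&f, 32);
    return defensive ? describe_frame_checked(descr, out, len)
                     : describe_frame_unchecked(descr, out, len);
}

int main(void) {
    char buf[96];
    int rc = report_after_return(0, 0, buf, sizeof buf);
    printf("plain free, unchecked reporter: rc=%d (CHECK would fire)\n", rc);
    rc = report_after_return(0, 1, buf, sizeof buf);
    printf("plain free, checked reporter:   rc=%d %s\n", rc, buf);
    rc = report_after_return(1, 0, buf, sizeof buf);
    printf("delimited free, unchecked:      rc=%d %s\n", rc, buf);
    return 0;
}
```

Run as-is, the first line models the crash in the issue (rc=-1 stands in for the CHECK), the second shows the report surviving with "UNKNOWN" in it, and the third shows that once the freed frame's start is distinguishable from its body the original lookup finds the description again.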

@ramosian-glider
Member Author

Fixed in r168040.

Reported by ramosian.glider on 2012-11-15 14:00:03

@ramosian-glider
Member Author

Reported by ramosian.glider on 2012-11-15 14:00:24

  • Status changed: Fixed

@ramosian-glider
Member Author

Fixed for real in r168046.

Reported by ramosian.glider on 2012-11-15 16:22:34

@ramosian-glider
Member Author

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:13:40

  • Labels added: ProjectAddressSanitizer
