
Clang+ASan incorrectly handles exceptions. #13

Closed
ramosian-glider opened this issue Aug 31, 2015 · 4 comments

Comments

@ramosian-glider (Member)

Originally reported on Google Code with ID 13

What steps will reproduce the problem?
$ cat asan-exceptions-test.cc
#include <stdio.h>
#include <string>

class Action {
 public:
  Action() {}
  void PrintString(const std::string& msg) const {
    fprintf(stderr, "%s\n", msg.c_str());
  }
  void Throw(const char& arg) const {
    PrintString("PrintString called!"); // this line is important
    throw arg;
  }
};

int main() {
  const Action a;
  fprintf(stderr, "&a before = %p\n", &a);
  try {
    a.Throw('c');
  } catch (const char&) {
    fprintf(stderr, "&a in catch = %p\n", &a);
  }
  fprintf(stderr, "&a final = %p\n", &a);
  return 0;
}
$ ../my_clang++ -faddress-sanitizer -O2 asan-exceptions-test.cc 
$ ./a.out
&a before = 0x7fff1300e2c0
PrintString called!
&a in catch = 0x101010101010101
&a final = 0x101010101010101


Generated binary incorrectly handles exceptions: the address of local "const Action a" is stored in a register (r14 or r15) which is assumed to be callee-safe, but which is overwritten when the exception is caught.

Reported by samsonov@google.com on 2011-11-23 13:48:21

@ramosian-glider (Member, Author)

More investigation:

$ cat exception_test.cc 
#include <stdio.h>

void TouchR15AndThrow(const char& arg) {
  volatile int n __attribute__((aligned(32))) = 0;
  asm volatile ("nop" : : : "r15"); // force to save r15 on stack
  throw arg;
}

int main() {
  register int *a asm ("r15");
  fprintf(stderr, "before throw: %p\n", a);
  try {
    TouchR15AndThrow('c');
  } catch (const char&) { }
  fprintf(stderr, "after catch: %p\n", a);
  return 0;
}

$ ../my_clang++ -O2 exception_test.cc
$ ./a.out 
before throw: 0x7fff7a68fa18
after catch: 0xffffffffffffff70

When 32-byte alignment is required for stack variables (ASan does this), the compiler adds an instruction that aligns the stack pointer before the registers are saved on the stack. This change is not captured by DWARF. Later, when an exception is raised and we restore the context (and the values in registers), we try to read the registers from the wrong location in memory. See also:

$ ../my_clang++ -O2 exception_test.cc -o exception_test.o 
$ objdump -d exception_test.o
<...>
0000000000400870 <_Z16TouchR15AndThrowRKc>:
  400870:       55                      push   %rbp
  400871:       48 89 e5                mov    %rsp,%rbp
  400874:       48 81 e4 e0 ff ff ff    and    $0xffffffffffffffe0,%rsp #align rsp
  40087b:       41 57                   push   %r15                     #save r15
<...>
$ readelf --debug-dump=frames exception_test.o
<...>
00000018 0000001c 0000001c FDE cie=00000000 pc=00400870..004008aa
  DW_CFA_advance_loc: 1 to 00400871
  DW_CFA_def_cfa_offset: 16
  DW_CFA_offset: r6 (rbp) at cfa-16    
  DW_CFA_advance_loc: 3 to 00400874
  DW_CFA_def_cfa_register: r6 (rbp)
  DW_CFA_advance_loc: 14 to 00400882
  DW_CFA_offset: r3 (rbx) at cfa-32
  DW_CFA_offset: r15 (r15) at cfa-24   # r15 is supposed to be after r6(rbp).

$ ../my_clang++ -O2 exception_test.cc -S -o -
<...>
_Z16TouchR15AndThrowRKc:                # @_Z16TouchR15AndThrowRKc
.Ltmp3:
        .cfi_startproc
# BB#0:                                 # %entry
        pushq   %rbp
.Ltmp4:
        .cfi_def_cfa_offset 16
.Ltmp5:
        .cfi_offset %rbp, -16
        movq    %rsp, %rbp
.Ltmp6:
        .cfi_def_cfa_register %rbp
        andq    $-32, %rsp  <-- this is not used when calculating cfi_offset for %r15
        pushq   %r15
        pushq   %rbx
        subq    $48, %rsp
.Ltmp7:
        .cfi_offset %rbx, -32
.Ltmp8:
        .cfi_offset %r15, -24


Reported by samsonov@google.com on 2011-12-02 13:43:28
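To make the mismatch concrete, here is an added model (not code from the issue, from ASan or from LLVM) of the prologue quoted in the objdump and CFI output above: it replays `push %rbp; mov %rsp,%rbp; and $-32,%rsp; push %r15; push %rbx; sub $48,%rsp`, records where each register is really saved, and compares that with the slots the emitted `.cfi_offset` directives claim (rbp at cfa-16, r15 at cfa-24, rbx at cfa-32). The only assumption is that the CFA is 16-byte aligned at function entry, as the x86-64 ABI requires.

```python
# Added model of the prologue shown in the objdump/CFI dumps above (not code
# from the issue or from LLVM). It replays the frame setup and compares the
# real save slots of the callee-saved registers with the slots the CFI claims.

# Slots claimed by the emitted .cfi_offset directives, as offsets from the CFA.
CFI_OFFSETS = {"rbp": -16, "r15": -24, "rbx": -32}


def simulate_prologue(cfa):
    """Replay the prologue for a call frame whose CFA is `cfa`.

    The CFA is the value of %rsp just before the `call`; on entry %rsp is
    cfa - 8 because the return address has been pushed.  Returns the address
    at which each callee-saved register is actually stored.
    """
    rsp = cfa - 8
    saved = {}
    rsp -= 8; saved["rbp"] = rsp      # pushq %rbp   (CFI: cfa-16, correct)
    rsp &= ~31                        # andq $-32, %rsp (not described by CFI)
    rsp -= 8; saved["r15"] = rsp      # pushq %r15   (CFI claims cfa-24)
    rsp -= 8; saved["rbx"] = rsp      # pushq %rbx   (CFI claims cfa-32)
    rsp -= 48                         # subq $48, %rsp
    return saved


def unwinder_view(cfa):
    """Where a DWARF unwinder restoring this frame would read each register."""
    return {reg: cfa + off for reg, off in CFI_OFFSETS.items()}


def mismatched_registers(cfa):
    """Registers whose CFI slot differs from the real save slot for this CFA."""
    real, claimed = simulate_prologue(cfa), unwinder_view(cfa)
    return sorted(reg for reg in real if real[reg] != claimed[reg])


if __name__ == "__main__":
    # Constructed sample CFAs: both are 16-byte aligned as the ABI guarantees,
    # but only the first one leaves cfa-16 already 32-byte aligned, so only
    # the second frame has its r15/rbx slots moved by the andq.
    for cfa in (0x7fff1300e2f0, 0x7fff1300e2e0):
        print(hex(cfa), mismatched_registers(cfa))
```

For the second frame the unwinder reads r15 from cfa-24 while the register was pushed 16 bytes lower, which is exactly how the caller's r15 ends up holding garbage after the catch.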

@ramosian-glider (Member, Author)

Filed upstream: http://llvm.org/bugs/show_bug.cgi?id=11468

Reported by samsonov@google.com on 2011-12-02 19:36:40

@ramosian-glider (Member, Author)

This is likely fixed in r160248.

Reported by samsonov@google.com on 2012-07-30 08:57:43

  • Status changed: Fixed

@ramosian-glider (Member, Author)

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:58

  • Labels added: ProjectAddressSanitizer
