Hello,

I have been working on porting ASan to AArch64. I am building compiler-rt in "standalone mode" targeting aarch64. My build is successful, but I get the following runtime error when I run an ASan enabled executable through qemu-aarch64:

==29184==Parsed ASAN_OPTIONS: verbosity=1
==29184==AddressSanitizer: failed to intercept '__isoc99_printf'
==29184==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==29184==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==29184==AddressSanitizer: libc interceptors initialized
|| `[0x002000000000, 0x007fffffffff]` || HighMem ||
|| `[0x001400000000, 0x001fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0013ffffffff]` || ShadowGap ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem ||
MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x001280000000 0x0013ffffffff
redzone=16
max_redzone=2048
quarantine_size=256M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 1000000000
==29184==ERROR: AddressSanitizer failed to allocate 0xc00000000 (51539607552) bytes at address 1400000000 (errno: 12)
==29184==ReserveShadowMemoryRange failed while trying to map 0xc00000000 bytes. Perhaps you're using ulimit -v

This appears to be the same issue discussed in this thread:

https://code.google.com/p/address-sanitizer/issues/detail?id=246#makechanges

I contacted Christophe Lyon, and he said he had successfully ported ASan to aarch64 and had committed a patch to enable this to LLVM:

https://github.com/llvm-mirror/compiler-rt/commit/33465467e7f8243933100bab3cf8f34b79a8f54c

His changes from this patch still appear to be configured correctly in my build, so I am not sure why I am getting this error. Is anyone able to shed some light on this?

Thanks,
-Gideon

+Greg in case he's seen similar problems.

Basically, ASan is unable to map the necessary shadow memory. You may want to dump the contents of /proc/self/maps and look if it conflicts with the range ASan is trying to use. errno 12 is ENOMEM. Are you sure you don't have constraints on the virtual memory your process can use?

On Fri, May 30, 2014 at 2:29 PM, Gideon Billings <gideonhbillings at gmail.com> wrote:
> Hello,
>
> I have been working on porting ASan to AArch64. I am building compiler-rt
> in "standalone mode" targeting aarch64. My build is successful, but I get
> the following runtime error when I run an ASan enabled executable through
> qemu-aarch64:
>
> ==29184==Parsed ASAN_OPTIONS: verbosity=1
> ==29184==AddressSanitizer: failed to intercept '__isoc99_printf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_sprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_snprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_fprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_vprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
> ==29184==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
> ==29184==AddressSanitizer: libc interceptors initialized
> || `[0x002000000000, 0x007fffffffff]` || HighMem ||
> || `[0x001400000000, 0x001fffffffff]` || HighShadow ||
> || `[0x001200000000, 0x0013ffffffff]` || ShadowGap ||
> || `[0x001000000000, 0x0011ffffffff]` || LowShadow ||
> || `[0x000000000000, 0x000fffffffff]` || LowMem ||
> MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x001280000000 0x0013ffffffff
> redzone=16
> max_redzone=2048
> quarantine_size=256M
> malloc_context_size=30
> SHADOW_SCALE: 3
> SHADOW_GRANULARITY: 8
> SHADOW_OFFSET: 1000000000
> ==29184==ERROR: AddressSanitizer failed to allocate 0xc00000000 (51539607552) bytes at address 1400000000 (errno: 12)
> ==29184==ReserveShadowMemoryRange failed while trying to map 0xc00000000 bytes. Perhaps you're using ulimit -v
>
> This appears to be the same issue discussed in this thread:
>
> https://code.google.com/p/address-sanitizer/issues/detail?id=246#makechanges
>
> I contacted Christophe Lyon, and he said he had successfully ported ASan
> to aarch64 and had committed a patch to enable this to LLVM:
>
> https://github.com/llvm-mirror/compiler-rt/commit/33465467e7f8243933100bab3cf8f34b79a8f54c
>
> His changes from this patch still appear to be configured correctly in my
> build, so I am not sure why I am getting this error. Is anyone able to shed
> some light on this?
>
> Thanks,
> -Gideon

--
Alexey Samsonov
vonosmas at gmail.com

The mmap error is an issue with the qemu-aarch64 model I've been using. I
am not sure how to get a dump of /proc/self/maps, as the model is
configured as a non-interactive elf interpreter. I can successfully mmap a
smaller address range, and I tried configuring the environment using
setrlimit(), but I still get the error for the shadow memory range. I may
try to debug the qemu model further, but for now, I have switched to using
a different interactive model, and the mmap now succeeds. However, I am
getting a different error. When I try to run a simple "Hello World" program
that prints using cout, I get this segfault error:
==69==Parsed ASAN_OPTIONS: verbosity=2
==69==AddressSanitizer: failed to intercept '__isoc99_printf'
==69==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==69==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==69==AddressSanitizer: libc interceptors initialized
|| `[0x002000000000, 0x007fffffffff]` || HighMem ||
|| `[0x001400000000, 0x001fffffffff]` || HighShadow ||
|| `[0x001200000000, 0x0013ffffffff]` || ShadowGap ||
|| `[0x001000000000, 0x0011ffffffff]` || LowShadow ||
|| `[0x000000000000, 0x000fffffffff]` || LowMem ||
MemToShadow(shadow): 0x001200000000 0x00123fffffff 0x001280000000 0x0013ffffffff
redzone=16
max_redzone=2048
quarantine_size=256M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 1000000000
==69==Installed the sigaction for signal 11
==69==SetCurrentThread: 0x007fb7ff1000 for thread 0x007fb7ff6000
==69==T0: stack [0x007fff800000,0x008000000000) size 0x800000; local=0x007ffffffbd8
==69==AddressSanitizer Init done
ASAN:SIGSEGV
=================================================================
==69==ERROR: AddressSanitizer: SEGV on unknown address 0x100fffffff6e (pc 0x0000004a37b4 sp 0x007ffffffb70 bp 0x007ffffffbe0 T0)
==69==AddressSanitizer CHECK failed: /local/mnt/workspace/gideonb/projects/toolchains/open-draco/compiler-rt/lib/sanitizer_common/sanitizer_stacktrace.cc:68 "((count)) < ((size))" (0x1, 0x1)
<empty stack>
I switched to using printf, and the binary ran without any errors. I then
tried making a use-after-delete error, and when I ran the binary, it
reported a segfault error like above rather than the expected
heap-use-after-free. When I tried making a heap-buffer-overflow error,
there were no reported errors when I ran the binary. The message above
appears to report two errors. ASan seems to initialize ok, but then there
is a segfault error at some point. The second error occurs when
"SlowUnwindStackWithContext" is called from "GET_STACK_TRACE_SIGNAL" which
is called when the segfault error is detected. I am a bit mystified on
where the problem might be.
On Fri, May 30, 2014 at 8:58 PM, Alexey Samsonov <vonosmas at gmail.com>
wrote:
> +Greg in case he's seen similar problems.
>
> Basically, ASan is unable to map the necessary shadow memory. You may want
> to dump the contents of /proc/self/maps and look if it conflicts
> with the range ASan is trying to use. errno 12 is ENOMEM. Are you sure you
> don't have constraints on the virtual memory your process can use?
>
>
> Basically, ASan is unable to map the necessary shadow memory. You may want
> to dump the contents of /proc/self/maps and look if it conflicts
> with the range ASan is trying to use. errno 12 is ENOMEM. Are you sure you
> don't have constraints on the virtual memory your process can use?

Similar thread in GCC ML: https://gcc.gnu.org/ml/gcc/2014-06/msg00023.html .
It looks like QEMU-user does not yet support the NORESERVE flag.

-Y
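
The /proc/self/maps check and the NORESERVE point raised in the thread can be exercised with a small diagnostic; this is an added example, not code from the thread or from compiler-rt. The shadow constants are the ones printed in the quoted log, while `SAMPLE_MAPS` and the function names `mem_to_shadow`, `count_conflicts` and `probe_reserve` are constructed for illustration, and a 64-bit Linux target is assumed.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>

/* Values printed in the verbose ASan log quoted in the thread. */
#define SHADOW_SCALE  3
#define SHADOW_OFFSET 0x1000000000ULL
#define HIGHMEM_BEG   0x2000000000ULL
#define HIGHMEM_END   0x7fffffffffULL
/* Constructed sample in /proc/<pid>/maps format (not taken from the thread). */
const char SAMPLE_MAPS[] =
    "1400000000-1400001000 rw-p 00000000 00:00 0\n"
    "7fb7ff1000-7fb7ff6000 rw-p 00000000 00:00 0\n";

uint64_t mem_to_shadow(uint64_t a) { return (a >> SHADOW_SCALE) + SHADOW_OFFSET; }

/* Count mappings [lo, hi) in maps-formatted text that overlap [beg, end]. */
int count_conflicts(const char *maps, uint64_t beg, uint64_t end) {
    int n = 0;
    const char *p = maps;
    while (p && *p) {
        unsigned long long lo, hi;
        if (sscanf(p, "%llx-%llx", &lo, &hi) == 2 && lo <= end && hi > beg) n++;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return n;
}

/* Hint-only reservation (no MAP_FIXED, so nothing is replaced); 1 on success. */
int probe_reserve(uint64_t hint, uint64_t size, int extra_flags) {
    void *p = mmap((void *)(uintptr_t)hint, (size_t)size, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS | extra_flags, -1, 0);
    if (p != MAP_FAILED) munmap(p, (size_t)size);
    return p != MAP_FAILED;
}

int main(void) {
    static char buf[1 << 16];
    uint64_t beg = mem_to_shadow(HIGHMEM_BEG), end = mem_to_shadow(HIGHMEM_END);
    uint64_t size = end - beg + 1; /* 0xc00000000, the size in the error message */
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("HighShadow at %#llx: %d conflict(s), NORESERVE=%d, plain=%d\n",
           (unsigned long long)beg, count_conflicts(buf, beg, end),
           probe_reserve(beg, size, MAP_NORESERVE), probe_reserve(beg, size, 0));
    return 0;
}
```

Run under the same emulator as the failing binary: zero conflicts together with a failed `MAP_NORESERVE` probe points at the environment rather than at an address-space collision.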