
Commit 8c4b9ff

committed
[asan] update the scariness score: tweak a few weights and add tests
llvm-svn: 260327
1 parent 657f930 commit 8c4b9ff

2 files changed

+30
-12
lines changed


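--- a/compiler-rt/lib/asan/asan_report.cc
+++ b/compiler-rt/lib/asan/asan_report.cc
@@ -748,7 +748,7 @@ void ReportStackOverflow(const SignalContext &sig) {
 (void *)sig.addr, (void *)sig.pc, (void *)sig.bp, (void *)sig.sp,
 GetCurrentTidOrInvalid());
 Printf("%s", d.EndWarning());
-ScarinessScore::PrintSimple(15, "stack-overflow");
+ScarinessScore::PrintSimple(10, "stack-overflow");
 GET_STACK_TRACE_SIGNAL(sig);
 stack.Print();
 ReportErrorSummary("stack-overflow", &stack);
@@ -851,7 +851,7 @@ void ReportFreeNotMalloced(uptr addr, BufferedStackTrace *free_stack) {
 curr_tid, ThreadNameWithParenthesis(curr_tid, tname, sizeof(tname)));
 Printf("%s", d.EndWarning());
 CHECK_GT(free_stack->size, 0);
-ScarinessScore::PrintSimple(10, "bad-free");
+ScarinessScore::PrintSimple(40, "bad-free");
 GET_STACK_TRACE_FATAL(free_stack->trace[0], free_stack->top_frame_bp);
 stack.Print();
 DescribeHeapAddress(addr, 1);
@@ -1054,6 +1054,10 @@ static void PrintContainerOverflowHint() {
 "AddressSanitizerContainerOverflow.\n");
 }
 
+static bool AdjacentShadowValuesAreFullyPoisoned(u8 *s) {
+return s[-1] > 127 && s[1] > 127;
+}
+
 void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 uptr access_size, u32 exp, bool fatal) {
 if (!fatal && SuppressErrorReport(pc)) return;
@@ -1100,7 +1104,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanArrayCookieMagic:
 bug_descr = "heap-buffer-overflow";
 bug_type_score = 10;
-far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
+far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 case kAsanHeapFreeMagic:
 bug_descr = "heap-use-after-free";
@@ -1109,7 +1113,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanStackLeftRedzoneMagic:
 bug_descr = "stack-buffer-underflow";
 bug_type_score = 25;
-far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
+far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 case kAsanInitializationOrderMagic:
 bug_descr = "initialization-order-fiasco";
@@ -1120,15 +1124,15 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanStackPartialRedzoneMagic:
 bug_descr = "stack-buffer-overflow";
 bug_type_score = 25;
-far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
+far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 case kAsanStackAfterReturnMagic:
 bug_descr = "stack-use-after-return";
 bug_type_score = 30;
 break;
 case kAsanUserPoisonedMemoryMagic:
 bug_descr = "use-after-poison";
-bug_type_score = 10;
+bug_type_score = 20;
 break;
 case kAsanContiguousContainerOOBMagic:
 bug_descr = "container-overflow";
@@ -1141,7 +1145,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanGlobalRedzoneMagic:
 bug_descr = "global-buffer-overflow";
 bug_type_score = 10;
-far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
+far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 case kAsanIntraObjectRedzone:
 bug_descr = "intra-object-overflow";
@@ -1151,7 +1155,7 @@ void ReportGenericError(uptr pc, uptr bp, uptr sp, uptr addr, bool is_write,
 case kAsanAllocaRightMagic:
 bug_descr = "dynamic-stack-buffer-overflow";
 bug_type_score = 25;
-far_from_bounds = shadow_addr[-1] > 127 && shadow_addr[1] > 127;
+far_from_bounds = AdjacentShadowValuesAreFullyPoisoned(shadow_addr);
 break;
 }
 SS.Scare(bug_type_score, bug_descr);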

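--- a/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
+++ b/compiler-rt/test/asan/TestCases/Linux/scariness_score_test.cc
@@ -2,6 +2,8 @@
 
 // RUN: %clangxx_asan -O0 %s -o %t
 // RUN: export %env_asan_opts=detect_stack_use_after_return=1:handle_abort=1:print_scariness=1
+// Make sure the stack is limited (may not be the default under GNU make)
+// RUN: ulimit -s 4096
 // RUN: not %run %t 1 2>&1 | FileCheck %s --check-prefix=CHECK1
 // RUN: not %run %t 2 2>&1 | FileCheck %s --check-prefix=CHECK2
 // RUN: not %run %t 3 2>&1 | FileCheck %s --check-prefix=CHECK3
@@ -19,8 +21,7 @@
 // RUN: not %run %t 15 2>&1 | FileCheck %s --check-prefix=CHECK15
 // RUN: not %run %t 16 2>&1 | FileCheck %s --check-prefix=CHECK16
 // RUN: not %run %t 17 2>&1 | FileCheck %s --check-prefix=CHECK17
-// Stack overflow may not trigger under GNU make.
-// DISABLED: not %run %t 18 2>&1 | FileCheck %s --check-prefix=CHECK18
+// RUN: not %run %t 18 2>&1 | FileCheck %s --check-prefix=CHECK18
 // RUN: not %run %t 19 2>&1 | FileCheck %s --check-prefix=CHECK19
 // RUN: not %run %t 20 2>&1 | FileCheck %s --check-prefix=CHECK20
 // RUN: not %run %t 21 2>&1 | FileCheck %s --check-prefix=CHECK21
@@ -29,12 +30,16 @@
 // RUN: not %run %t 24 2>&1 | FileCheck %s --check-prefix=CHECK24
 // RUN: not %run %t 25 2>&1 | FileCheck %s --check-prefix=CHECK25
 // RUN: not %run %t 26 2>&1 | FileCheck %s --check-prefix=CHECK26
+// RUN: not %run %t 27 2>&1 | FileCheck %s --check-prefix=CHECK27
 // Parts of the test are too platform-specific:
 // REQUIRES: x86_64-supported-target
+// REQUIRES: shell
 #include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 
+#include <sanitizer/asan_interface.h>
+
 enum ReadOrWrite { Read = 0, Write = 1 };
 
 struct S32 {
@@ -114,6 +119,13 @@ void StackOverflow(int Idx) {
 StackOverflow(Idx - 1);
 }
 
+void UseAfterPoison() {
+int buf[100];
+__asan_poison_memory_region(buf, sizeof(buf));
+static volatile int sink;
+sink = buf[42];
+}
+
 int main(int argc, char **argv) {
 char arr[100];
 static volatile int zero = 0;
@@ -148,6 +160,7 @@ int main(int argc, char **argv) {
 case 24: delete (new int[10]); break;
 case 25: free((char*)malloc(100) + 10); break;
 case 26: memcpy(arr, arr+10, 20); break;
+case 27: UseAfterPoison(); break;
 // CHECK1: SCARINESS: 12 (1-byte-read-heap-buffer-overflow)
 // CHECK2: SCARINESS: 17 (4-byte-read-heap-buffer-overflow)
 // CHECK3: SCARINESS: 33 (2-byte-write-heap-buffer-overflow)
@@ -165,14 +178,15 @@ int main(int argc, char **argv) {
 // CHECK15: SCARINESS: 31 (1-byte-write-global-buffer-overflow)
 // CHECK16: SCARINESS: 36 (multi-byte-read-global-buffer-overflow-far-from-bounds)
 // CHECK17: SCARINESS: 42 (double-free)
-// CHECK18: SCARINESS: 15 (stack-overflow)
+// CHECK18: SCARINESS: 10 (stack-overflow)
 // CHECK19: SCARINESS: 10 (null-deref)
 // CHECK20: SCARINESS: 30 (wild-addr-write)
 // CHECK21: SCARINESS: 20 (wild-addr-read)
 // CHECK22: SCARINESS: 10 (signal)
 // CHECK23: SCARINESS: 60 (wild-jump)
 // CHECK24: SCARINESS: 10 (alloc-dealloc-mismatch)
-// CHECK25: SCARINESS: 10 (bad-free)
+// CHECK25: SCARINESS: 40 (bad-free)
 // CHECK26: SCARINESS: 10 (memcpy-param-overlap)
+// CHECK27: SCARINESS: 27 (4-byte-read-use-after-poison)
 }
 }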
