[Bug sanitizer/67286] New: asan doesn't work on Android (32-bit ARM)

zhouweiguo2008 at gmail dot com gcc-bugzilla@gcc.gnu.org
Thu Aug 20 06:09:00 GMT 2015


https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

            Bug ID: 67286
           Summary: asan doesn't work on Android (32-bit ARM)
           Product: gcc
           Version: 4.9.2
            Status: UNCONFIRMED
          Severity: critical
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zhouweiguo2008 at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

>> cat invalid-free.cc
// RUN: %clangxx_asan -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=MALLOC-CTX

// Also works if no malloc context is available.
// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
// XFAIL: arm-linux-gnueabi

#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
  char *x = (char*)malloc(10 * sizeof(char));
  memset(x, 0, 10);
  int res = x[argc];
  free(x + 5);  // BOOM
  // CHECK: AddressSanitizer: attempting free on address{{.*}}in thread T0
  // CHECK: invalid-free.cc:[[@LINE-2]]
  // CHECK: is located 5 bytes inside of 10-byte region
  // CHECK: allocated by thread T0 here:
  // MALLOC-CTX: invalid-free.cc:[[@LINE-8]]
  return res;
}

When running the above testcase (which can be found at
external/compiler-rt/test/asan/TestCases) on an Android 5.0 phone,

the testcase will SEGV as follows (in fact, all testcases SEGV on the
Android phone):


==3909==ERROR: AddressSanitizer: SEGV on unknown address 0x369a00fe (pc 0xb6f51662 bp 0xbeb58a1c sp 0xbeb589e0 T0)
    #0 0xb6f51661 in main TestCases/invalid-free.cc:14
    #1 0xb69c0e09  (/system/lib/libc.so+0x12e09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV TestCases/invalid-free.cc:14 main
==3909==ABORTING



The root cause is that when using ASan on a 32-bit ARM Android system, the shadow
offset should be zero, not 0x20000000 (1<<29).

This serious bug could be fixed according to the following steps:

modify the function

static unsigned HOST_WIDE_INT arm_asan_shadow_offset (void)

in gcc-4.9.2/config/arm/arm.c

from 

static unsigned HOST_WIDE_INT
arm_asan_shadow_offset (void)
{
  return (unsigned HOST_WIDE_INT) 1 << 29;
}

to

static unsigned HOST_WIDE_INT
arm_asan_shadow_offset (void)
{
#ifdef TARGET_ANDROID
  return 0;
#else
  return (unsigned HOST_WIDE_INT) 1 << 29;
#endif
}
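The following is an added illustration, not part of the bug report or of gcc/compiler-rt: a constructed model of the 32-bit ASan shadow mapping (shadow = (addr >> 3) + offset, with the runtime's high-memory split derived from that same offset) that reverses the SEGV address from the report. It shows that 0x369a00fe is exactly the shadow address the compiler emits for an application granule at 0xb4d007f0 when it uses 1<<29, and that this address falls outside the shadow range an offset-0 (Android) runtime reserves, whereas the offset-0 shadow address 0x169a00fe falls inside it. The layout formulas are a simplification covering only the high region; the application address is what the arithmetic implies, not a value taken from the report.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the ASan shadow mapping on 32-bit ARM (scale 3):
 *     shadow = (addr >> 3) + SHADOW_OFFSET
 * gcc bakes SHADOW_OFFSET into every instrumented access through
 * arm_asan_shadow_offset(); the runtime lays out its shadow region from
 * its own notion of the offset. The two constants are the values in the report. */
#define SHADOW_SCALE       3
#define OFFSET_ARM_LINUX   ((uint32_t)1 << 29)  /* what gcc 4.9.2 emits on arm */
#define OFFSET_ARM_ANDROID ((uint32_t)0)        /* what the Android runtime expects */
#define MEM_END_32         0xffffffffu

typedef struct {           /* high-memory part of a 32-bit layout, from one offset */
    uint32_t high_mem_beg; /* application addresses start here ...            */
    uint32_t high_shadow_beg, high_shadow_end; /* ... and their shadow lives here */
} layout_t;

static uint32_t mem_to_shadow(uint32_t addr, uint32_t off) {
    return (addr >> SHADOW_SCALE) + off;
}

/* Simplified runtime layout: high shadow ends at mem_to_shadow(0xffffffff)
 * and application (high) memory begins right after it. */
static layout_t layout_for(uint32_t off) {
    layout_t l;
    l.high_shadow_end = mem_to_shadow(MEM_END_32, off);
    l.high_mem_beg    = l.high_shadow_end + 1;
    l.high_shadow_beg = mem_to_shadow(l.high_mem_beg, off);
    return l;
}

/* Does a compiler-computed shadow address land inside the shadow region the
 * runtime reserved? If not, the instrumented load touches unmapped memory. */
static int shadow_in_runtime_range(uint32_t shadow, uint32_t runtime_off) {
    layout_t rt = layout_for(runtime_off);
    return shadow >= rt.high_shadow_beg && shadow <= rt.high_shadow_end;
}

/* Recover the 8-byte application granule behind a faulting shadow address. */
static uint32_t shadow_to_mem(uint32_t shadow, uint32_t compiler_off) {
    return (shadow - compiler_off) << SHADOW_SCALE;
}

int main(void) {
    uint32_t fault = 0x369a00feu;                 /* SEGV address from the report */
    uint32_t app   = shadow_to_mem(fault, OFFSET_ARM_LINUX);
    printf("%#x is the 1<<29 shadow of granule %#x; mapped by offset-0 runtime: %d\n",
           fault, app, shadow_in_runtime_range(fault, OFFSET_ARM_ANDROID));
    printf("offset-0 shadow %#x mapped: %d\n", mem_to_shadow(app, OFFSET_ARM_ANDROID),
           shadow_in_runtime_range(mem_to_shadow(app, OFFSET_ARM_ANDROID), OFFSET_ARM_ANDROID));
    return 0;
}
```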