Address Sanitizer fails due to odd system library mappings

Richard Sewards richard.sewards@exfo.com
Fri May 15 14:43:00 GMT 2015


Hi,
I've been building gcc 5.1.0 for a number of targets and one of them (an e500 powerpc linux target) is having difficulty running the address sanitizer.

With the default shadow configuration a trivial test program is unable to start because ASAN cannot map the shadow memory.  It quits, saying: "Shadow memory range interleaves with an existing memory mapping."  When I modify the location of the shadow offset to 0x40000000 (from 0x20000000) the trivial program works, but a real application starts successfully but then fails when it attempts to allocate (new or malloc) a large (~2meg) chunk of memory.

On another powerpc linux target (e500mc) I have, the sanitizer works fine, so I suspect there is something in the failing target's system libraries that is causing problems.  The e500mc target has a newer kernel and OS.

What I think is the culprit is the mapping of several system libraries (libm, libc, and libdl) to addresses around 0x30000000, and that this causes the initial failure with shadow offset 0x20000000 and causes a fragmentation problem for the ASAN's allocator when the shadow offset is 0x40000000.

When ASAN fails (with the default shadow offset 0x20000000), I see:

# ASAN_OPTIONS=verbosity=2 ./try 1 2 3
==1165==Parsed ASAN_OPTIONS: verbosity=2
==1165==AddressSanitizer: failed to intercept 'preadv'
==1165==AddressSanitizer: failed to intercept 'preadv64'
==1165==AddressSanitizer: failed to intercept 'pwritev'
==1165==AddressSanitizer: failed to intercept 'pwritev64'
==1165==AddressSanitizer: failed to intercept '__isoc99_scanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_sscanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_fscanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vscanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vsscanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vfscanf'
==1165==AddressSanitizer: failed to intercept '__isoc99_printf'
==1165==AddressSanitizer: failed to intercept '__isoc99_sprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_snprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_fprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vsprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vsnprintf'
==1165==AddressSanitizer: failed to intercept '__isoc99_vfprintf'
==1165==AddressSanitizer: failed to intercept 'accept4'
==1165==AddressSanitizer: failed to intercept 'pthread_mutexattr_getrobust'
==1165==AddressSanitizer: failed to intercept 'pthread_setname_np'
==1165==AddressSanitizer: failed to intercept 'timerfd_settime'
==1165==AddressSanitizer: failed to intercept 'timerfd_gettime'
==1165==AddressSanitizer: libc interceptors initialized
|| `[0x38000000, 0xbfffffff]` || HighMem    ||
|| `[0x27000000, 0x37ffffff]` || HighShadow ||
|| `[0x24000000, 0x26ffffff]` || ShadowGap  ||
|| `[0x20000000, 0x23ffffff]` || LowShadow  ||
|| `[0x00000000, 0x1fffffff]` || LowMem     ||
MemToShadow(shadow): 0x24000000 0x247fffff 0x24e00000 0x26ffffff
redzone=16
max_redzone=2048
quarantine_size=64M
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 20000000
==1165==Shadow memory range interleaves with an existing memory mapping. ASan cannot proceed correctly. ABORTING.
==1165==Process memory map follows:
        0x00100000-0x00102000   [vdso]
        0x0f7f0000-0x0f807000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f807000-0x0f816000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f816000-0x0f817000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f827000-0x0f9b6000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f9b6000-0x0f9c5000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f9c5000-0x0f9cc000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f9cc000-0x0f9ce000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f9ce000-0x0f9d0000   
        0x0f9e0000-0x0f9e7000   /lib/librt-2.5.so
        0x0f9e7000-0x0f9f7000   /lib/librt-2.5.so
        0x0f9f7000-0x0f9f8000   /lib/librt-2.5.so
        0x0f9f8000-0x0f9f9000   /lib/librt-2.5.so
        0x0fa09000-0x0fb11000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb11000-0x0fb21000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb21000-0x0fb27000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb27000-0x0ff80000   
        0x0ff90000-0x0ffaf000   /lib/ld-2.5.so
        0x0ffbf000-0x0ffc1000   /lib/ld-2.5.so
        0x0ffd0000-0x0ffe5000   /lib/libpthread-2.5.so
        0x0ffe5000-0x0fff4000   /lib/libpthread-2.5.so
        0x0fff4000-0x0fff5000   /lib/libpthread-2.5.so
        0x0fff5000-0x0fff6000   /lib/libpthread-2.5.so
        0x0fff6000-0x0fff8000   
        0x10000000-0x10002000   /export/navusr3/local/gnu/obj/5.1.0/try/try
        0x10011000-0x10012000   /export/navusr3/local/gnu/obj/5.1.0/try/try
        0x30000000-0x30001000   
        0x30001000-0x301b6000   /lib/libm-2.5.so
        0x301b6000-0x301c5000   /lib/libm-2.5.so
        0x301c5000-0x301c6000   /lib/libm-2.5.so
        0x301c6000-0x301cc000   /lib/libm-2.5.so
        0x301cc000-0x3032b000   /lib/libc-2.5.so
        0x3032b000-0x3033a000   /lib/libc-2.5.so
        0x3033a000-0x30340000   /lib/libc-2.5.so
        0x30340000-0x30342000   
        0x30342000-0x30343000   
        0x30343000-0x30346000   /lib/libdl-2.5.so
        0x30346000-0x30355000   /lib/libdl-2.5.so
        0x30355000-0x30356000   /lib/libdl-2.5.so
        0x30356000-0x30357000   /lib/libdl-2.5.so
        0x30357000-0x3035e000   
        0x30360000-0x3050b000   
        0x7ffa6000-0x7ffbb000   [stack]
==1165==End of process memory map.
#

With the shadow offset at 0x40000000, the sanitizer fails with:

==889==ERROR: AddressSanitizer failed to allocate 0x273000 (2568192) bytes of LargeMmapAllocator (errno: 12)
==889==Process memory map follows:
        0x00100000-0x00102000   [vdso]
        0x0f7c4000-0x0f7cf000   /lib/libnss_files-2.5.so
        0x0f7cf000-0x0f7de000   /lib/libnss_files-2.5.so
        0x0f7de000-0x0f7df000   /lib/libnss_files-2.5.so
        0x0f7df000-0x0f7e0000   /lib/libnss_files-2.5.so
        0x0f7f0000-0x0f97f000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f97f000-0x0f98e000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f98e000-0x0f995000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f995000-0x0f997000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libstdc++.so.6.0.21
        0x0f997000-0x0f999000   
        0x0f9a9000-0x0f9c0000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f9c0000-0x0f9cf000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f9cf000-0x0f9d0000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libgcc_s.so.1
        0x0f9e0000-0x0f9e7000   /lib/librt-2.5.so
        0x0f9e7000-0x0f9f7000   /lib/librt-2.5.so
        0x0f9f7000-0x0f9f8000   /lib/librt-2.5.so
        0x0f9f8000-0x0f9f9000   /lib/librt-2.5.so
        0x0fa09000-0x0fb11000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb11000-0x0fb21000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb21000-0x0fb27000   /export/navusr3/local/gnu/5.1.0/H-x86_64-unknown-linux-gnu/powerpc-wr2e500v2-linux-gnuspe/lib/libasan.so.2.0.0
        0x0fb27000-0x0ff80000   
        0x0ff90000-0x0ffaf000   /lib/ld-2.5.so
        0x0ffbf000-0x0ffc1000   /lib/ld-2.5.so
        0x0ffe0000-0x0ffe3000   /lib/libdl-2.5.so
        0x0ffe3000-0x0fff2000   /lib/libdl-2.5.so
        0x0fff2000-0x0fff3000   /lib/libdl-2.5.so
        0x0fff3000-0x0fff4000   /lib/libdl-2.5.so
        0x10000000-0x14d81000   /home/ricsew1/iw/r55--PeFlex/run-time/iut/appl/agent/bin.linux-e500-asan/gepeapp
        0x14d90000-0x15126000   /home/ricsew1/iw/r55--PeFlex/run-time/iut/appl/agent/bin.linux-e500-asan/gepeapp
        0x15126000-0x15422000   [heap]
        0x30000000-0x30001000   
        0x30001000-0x301b6000   /lib/libm-2.5.so
        0x301b6000-0x301c5000   /lib/libm-2.5.so
        0x301c5000-0x301c6000   /lib/libm-2.5.so
        0x301c6000-0x301cc000   /lib/libm-2.5.so
        0x301cc000-0x301cd000   
        0x301cd000-0x301e2000   /lib/libpthread-2.5.so
        0x301e2000-0x301f1000   /lib/libpthread-2.5.so
        0x301f1000-0x301f2000   /lib/libpthread-2.5.so
        0x301f2000-0x301f3000   /lib/libpthread-2.5.so
        0x301f3000-0x301f5000   
        0x301f5000-0x30354000   /lib/libc-2.5.so
        0x30354000-0x30363000   /lib/libc-2.5.so
        0x30363000-0x30369000   /lib/libc-2.5.so
        0x30369000-0x3036b000   
        0x3036b000-0x315fe000   
        0x31600000-0x32bfe000   
        0x32c00000-0x32d00000   
        0x32d00000-0x32d01000   
        0x32d01000-0x34e00000   
        0x34e00000-0x34e01000   
        0x34e01000-0x36ffb000   
        0x37000000-0x37603000   
        0x37603000-0x37604000   
        0x37604000-0x397fe000   
        0x39800000-0x3abfd000   
        0x3ac00000-0x3b200000   
        0x3b200000-0x3b201000   
        0x3b201000-0x3d400000   
        0x3d400000-0x3d401000   
        0x3d401000-0x3fafb000   
        0x3fb00000-0x3fffb000   
        0x3ffff000-0x48000000   
        0x48000000-0x4b000000   
        0x4b000000-0x58000000   
        0x58000000-0x58001000   
        0x58001000-0x5a000000   
        0x5a000000-0x5a001000   
        0x5a001000-0x5c200000   
        0x5c200000-0x5c201000   
        0x5c201000-0x5e200000   
        0x5e200000-0x5e201000   
        0x5e201000-0x60200000   
        0x60200000-0x60201000   
        0x60201000-0x62c8c000   
        0x62c8c000-0x62c8d000   
        0x62c8d000-0x64c8c000   
        0x64c8c000-0x64c8d000   
        0x64c8d000-0x66ef9000   
        0x66f00000-0x67000000   
        0x67000000-0x67001000   
        0x67001000-0x694fe000   
        0x69500000-0x69700000   
        0x69700000-0x69701000   
        0x69701000-0x6b700000   
        0x6b700000-0x6b701000   
        0x6b701000-0x6d700000   
        0x6d700000-0x6d701000   
        0x6d701000-0x6f700000   
        0x6f700000-0x6f701000   
        0x6f701000-0x717fe000   
        0x71800000-0x71900000   
        0x71900000-0x71901000   
        0x71901000-0x73900000   
        0x73900000-0x73901000   
        0x73901000-0x75d00000   
        0x75d00000-0x75d01000   
        0x75d01000-0x782ff000   
        0x78300000-0x7867f000   
        0x7867f000-0x78680000   
        0x78680000-0x7a6fe000   
        0x7a700000-0x7a8ee000   
        0x7a900000-0x7aa00000   
        0x7aa00000-0x7aa01000   
        0x7aa01000-0x7ca22000   
        0x7ca22000-0x7ca23000   
        0x7ca23000-0x7fb47000   
        0x7fc87000-0x7fc9c000   [stack]
        0x7fc9c000-0x7ff0f000   
==889==End of process memory map.
==889==AddressSanitizer CHECK failed: /usr/central.share/gnu/src/gcc-5.1.0/libsanitizer/sanitizer_common/sanitizer_posix.cc:121 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
ERROR: Failed to mmap

Interestingly, this time libpthread is mapped into the 0x30000000 region but it was not in the trivial program.

I realize this may not be the correct forum for asking questions about system libraries, but I have been unable to find any information about how libraries are mapped.  But since this affects the sanitizer, perhaps someone here has also seen this and can point me in the right direction.

Thanks in advance,
--
Richard Sewards
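
The shadow layout arithmetic behind the first failure above, as an added example that is not part of the original post or of libsanitizer: it rebuilds the five regions ASan prints from a shadow offset using shadow = (addr >> SHADOW_SCALE) + SHADOW_OFFSET, then checks mappings against the span ASan has to reserve. The struct and function names are hypothetical; the scale, the top of HighMem and the sample rows are copied from the log and the first memory map in the post.

```c
#include <stdint.h>
#include <stdio.h>

#define SHADOW_SCALE 3            /* from the log: SHADOW_SCALE: 3 */
#define HIGH_MEM_END 0xbfffffffu  /* from the log: top of HighMem */

struct range   { uint32_t beg, end; };                     /* inclusive bounds */
struct layout  { struct range low_mem, low_shadow, gap, high_shadow, high_mem; };
struct mapping { uint32_t beg, end; const char *name; };   /* end exclusive, as in the map */

static uint32_t mem_to_shadow(uint32_t a, uint32_t off) { return (a >> SHADOW_SCALE) + off; }

/* Derive the regions ASan prints at startup from the shadow offset alone. */
struct layout asan_layout(uint32_t off) {
    struct layout l;
    l.low_mem         = (struct range){ 0, off - 1 };
    l.low_shadow      = (struct range){ off, mem_to_shadow(off - 1, off) };
    l.high_shadow.end = mem_to_shadow(HIGH_MEM_END, off);
    l.high_mem        = (struct range){ l.high_shadow.end + 1, HIGH_MEM_END };
    l.high_shadow.beg = mem_to_shadow(l.high_mem.beg, off);
    l.gap             = (struct range){ l.low_shadow.end + 1, l.high_shadow.beg - 1 };
    return l;
}

/* Count mappings intersecting [LowShadow.beg, HighShadow.end], which must be free. */
int count_conflicts(const struct mapping *m, int n, uint32_t off, int verbose) {
    struct layout l = asan_layout(off);
    int hits = 0;
    for (int i = 0; i < n; i++) {
        if (m[i].beg > l.high_shadow.end || m[i].end - 1 < l.low_shadow.beg)
            continue;                       /* entirely outside the shadow span */
        hits++;
        if (verbose)
            printf("conflict: 0x%08x-0x%08x %s\n",
                   (unsigned)m[i].beg, (unsigned)m[i].end, m[i].name);
    }
    return hits;
}

/* One row per library, copied from the first memory map in the post. */
static const struct mapping SAMPLE[] = {
    { 0x0fa09000u, 0x0fb11000u, "libasan.so.2.0.0" },
    { 0x10000000u, 0x10002000u, "try" },
    { 0x30001000u, 0x301b6000u, "/lib/libm-2.5.so" },
    { 0x301cc000u, 0x3032b000u, "/lib/libc-2.5.so" },
    { 0x30343000u, 0x30346000u, "/lib/libdl-2.5.so" },
    { 0x7ffa6000u, 0x7ffbb000u, "[stack]" },
};
#define SAMPLE_N ((int)(sizeof SAMPLE / sizeof SAMPLE[0]))

int main(void) { return count_conflicts(SAMPLE, SAMPLE_N, 0x20000000u, 1) ? 1 : 0; }
```

With offset 0x40000000 the same rows produce no conflict, because the 0x30000000 libraries then fall inside LowMem; the computed regions match the 0x3ffff000-0x48000000, 0x48000000-0x4b000000 and 0x4b000000-0x58000000 entries in the second map.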



More information about the Gcc-help mailing list