On Mon, Nov 28, 2016 at 3:06 PM, steven shi <shijunj...@gmail.com> wrote:
> Hello,
> I'm porting the Asan RT lib to my firmware, and I've met an issue that blocks my
> shadow memory checking from working correctly. I have to update the Asan core logic
> macro to let it work on my side, and I hope some expert could help me
> understand the code below correctly.
>
> LLVM Asan uses the macro below to check whether the addr shadow memory is
> poisoned or not. My issue is about the line 166 condition: (size >=
> SHADOW_GRANULARITY || ...), and I have to update it as (s >=
> SHADOW_GRANULARITY || ...). I think the "size" is just from hard code
> INTERFACE function name definition (e.g. ASAN_MEMORY_ACCESS_CALLBACK(load,
> false, 16)), and its values are one of {1,2,4,8,16}. So, for __asan_load8
> and __asan_load16 with 8 granularity, the "size" will be 8 and 16, and
> (size >= SHADOW_GRANULARITY) will always be true, isn't it wrong? My understanding
> is we need to check the addr shadow memory value here to make sure the addr's
> shadow memory value is less than its covered SHADOW_GRANULARITY bound.
> Appreciate any clarification about this code.

> I think the "size" is just from hard code INTERFACE function name definition
> (e.g. ASAN_MEMORY_ACCESS_CALLBACK(load, false, 16)), and its values are one
> of {1,2,4,8,16}

That's true and correct.
If access size is 8 or 16, then we just compare shadow value s with 0.
If it's not zero, we report a bug.
For accesses of size 1, 2, 4 we need a more complex check:

    s != 0 && ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= (s8)s

> http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/asan/asan_rtl.cc
> line 161:
> #define ASAN_MEMORY_ACCESS_CALLBACK_BODY(type, is_write, size, exp_arg, fatal) \
>   uptr sp = MEM_TO_SHADOW(addr); \
>   uptr s = size <= SHADOW_GRANULARITY ? *reinterpret_cast<u8 *>(sp) \
>                                       : *reinterpret_cast<u16 *>(sp); \
>   if (UNLIKELY(s)) { \
>     if (UNLIKELY(size >= SHADOW_GRANULARITY || \
>                  ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= \
>                      (s8)s)) { \
>       if (__asan_test_only_reported_buggy_pointer) { \
>         *__asan_test_only_reported_buggy_pointer = addr; \
>       } else { \
>         GET_CALLER_PC_BP_SP; \
>         ReportGenericError(pc, bp, sp, addr, is_write, size, exp_arg, \
>                            fatal); \
>       } \
>     } \
>   }
>
> My updated version:
>
> #define ASAN_MEMORY_ACCESS_CALLBACK_BODY(type, is_write, size, exp_arg, fatal) \
>   uptr sp = MEM_TO_SHADOW(addr); \
>   uptr s = size <= SHADOW_GRANULARITY ? *reinterpret_cast<u8 *>(sp) \
>                                       : *reinterpret_cast<u16 *>(sp); \
>   if (UNLIKELY(s)) { \
>     if (UNLIKELY(s >= SHADOW_GRANULARITY || \
>                  ((s8)((addr & (SHADOW_GRANULARITY - 1)) + size - 1)) >= \
>                      (s8)s)) { \
>       if (__asan_test_only_reported_buggy_pointer) { \
>         *__asan_test_only_reported_buggy_pointer = addr; \
>       } else { \
>         GET_CALLER_PC_BP_SP; \
>         ReportGenericError(pc, bp, sp, addr, is_write, size, exp_arg, \
>                            fatal); \
>       } \
>     } \
>   }
>
> --
> You received this message because you are subscribed to the Google Groups
> "address-sanitizer" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to address-sanitizer+unsubscr...@googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
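
The check described in the reply above, modelled as a stand-alone C program. This is an added example, not code from compiler-rt or from either poster. The names toy_shadow and asan_check, the sample addresses, and the simplified mapping (shadow index = addr / 8, no shadow offset) are assumptions made for illustration; the shadow byte encoding is the usual ASan one for granularity 8.

```c
#include <stdint.h>
#include <stdio.h>

#define SHADOW_GRANULARITY 8u /* granularity used in the thread */

/* Constructed toy shadow for a 40-byte region at address 0, one byte per
 * 8-byte granule: 0 = all 8 bytes addressable, k in 1..7 = only the first
 * k bytes addressable, negative as s8 (0xfa here) = whole granule poisoned. */
static const uint8_t toy_shadow[5] = { 0x00, 0x00, 0x04, 0xfa, 0xfa };

/* Hypothetical helper mirroring the macro's condition.
 * Returns 1 if the access [addr, addr + size) would be reported. */
static int asan_check(uintptr_t addr, unsigned size) {
    const uint8_t *sp = &toy_shadow[addr / SHADOW_GRANULARITY];
    /* size <= 8 reads one shadow byte, size 16 reads two (the u16 load). */
    unsigned s = sp[0];
    if (size > SHADOW_GRANULARITY)
        s |= (unsigned)sp[1] << 8;
    if (s == 0)
        return 0; /* fast path: everything covered is addressable */
    if (size >= SHADOW_GRANULARITY)
        return 1; /* 8/16-byte access: any nonzero shadow is a bug */
    /* 1/2/4-byte access: the offset of the last byte touched inside the
     * granule must be below the count of addressable bytes; a poisoned
     * granule is negative as s8, so the comparison is always true for it. */
    return (int8_t)((addr & (SHADOW_GRANULARITY - 1)) + size - 1) >= (int8_t)s;
}

int main(void) {
    static const struct { uintptr_t addr; unsigned size; } cases[] = {
        { 0, 8 }, { 16, 4 }, { 18, 4 }, { 19, 1 }, { 20, 1 },
        { 16, 8 }, { 8, 16 }, { 24, 1 },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("addr=%2u size=%2u -> %s\n", (unsigned)cases[i].addr,
               cases[i].size,
               asan_check(cases[i].addr, cases[i].size) ? "report" : "ok");
    return 0;
}
```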