0x7fff8000(0xffffffffbc0) looks fine - it's the shadow address for a location near the top of the main thread's stack (r15 = rcx 0x7fffffffde00 >> 3, plus the 0x7fff8000 shadow offset). Perhaps the ASan runtime had not initialized yet when internal_malloc ran, so the shadow region was not mapped? What's the backtrace of the crash? Try a breakpoint on __asan_init. Try running with ASAN_OPTIONS=verbosity=2,debug=1; it should print the memory layout.
On Fri, Jan 15, 2021 at 11:48 AM Jeffrey Walton <[email protected]> wrote: > Hi Everyone, > > I'm testing an Asan instrumented build of Bash. Bash and all dependencies > have been instrumented. I'm working on Ubuntu 20.04 x86_64 fully patched. > It has gcc (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0. > > All of the executables and shared objects were built with CFLAGS/CXXFLAGS > of -fsanitize=address and -fno-omit-frame-pointer. LDFLAGS includes > -fno-lto. (I tried both with and without LTO). > > Bash is crashing in startup code. It looks like Asan is trying to setup a > red zone: > > shr $0x3,%r15 > ===> movl $0xf1f1f1f1,0x7fff8000(%r15) > movl $0xf3f3f304,0x7fff8004(%r15) > > r15 is 0xffffffffbc0. The effective address of 0x7fff8000(0xffffffffbc0) > does seem to be a bit sideways. > > Does anyone know where to go from here? > > ----- > > (gdb) r > ... > Program received signal SIGSEGV, Segmentation fault. > 0x000055555578cb83 in internal_malloc (n=n@entry=0x20, file=file@entry=0x0, > > line=line@entry=0x0, flags=<optimized out>) at malloc.c:820 > 820 in malloc.c > (gdb) disass > Dump of assembler code for function internal_malloc: > 0x000055555578cb20 <+0>: push %rbp > 0x000055555578cb21 <+1>: mov %rsp,%rbp > 0x000055555578cb24 <+4>: push %r15 > 0x000055555578cb26 <+6>: lea -0x90(%rbp),%rcx > 0x000055555578cb2d <+13>: push %r14 > 0x000055555578cb2f <+15>: mov %rsi,%r14 > 0x000055555578cb32 <+18>: push %r13 > 0x000055555578cb34 <+20>: mov %rdi,%r13 > 0x000055555578cb37 <+23>: push %r12 > 0x000055555578cb39 <+25>: push %rbx > 0x000055555578cb3a <+26>: sub $0xa8,%rsp > 0x000055555578cb41 <+33>: mov 0x6d2e8(%rip),%rax # > 0x5555557f9e30 > 0x000055555578cb48 <+40>: mov %edx,-0xa0(%rbp) > 0x000055555578cb4e <+46>: mov (%rax),%edx > 0x000055555578cb50 <+48>: mov %rcx,-0x98(%rbp) > 0x000055555578cb57 <+55>: test %edx,%edx > 0x000055555578cb59 <+57>: jne 0x55555578d7cf > <internal_malloc+3247> > 0x000055555578cb5f <+63>: lea 0x4856a(%rip),%rax # > 0x5555557d50d0 > 
0x000055555578cb66 <+70>: mov %rax,0x8(%rcx) > 0x000055555578cb6a <+74>: lea -0x51(%rip),%rax # > 0x55555578cb20 --Type <RET> for more, q to quit, c to continue without > paging-- > <internal_malloc> > 0x000055555578cb71 <+81>: movq $0x41b58ab3,(%rcx) > 0x000055555578cb78 <+88>: mov %rax,0x10(%rcx) > 0x000055555578cb7c <+92>: mov %rcx,%r15 > 0x000055555578cb7f <+95>: shr $0x3,%r15 > => 0x000055555578cb83 <+99>: movl $0xf1f1f1f1,0x7fff8000(%r15) > 0x000055555578cb8e <+110>: movl $0xf3f3f304,0x7fff8004(%r15) > 0x000055555578cb99 <+121>: mov 0xc6261(%rip),%ebx # > 0x555555852e00 <pagesz> > 0x000055555578cb9f <+127>: lea 0x60(%rcx),%r8 > 0x000055555578cba3 <+131>: mov %fs:0x28,%rax > 0x000055555578cbac <+140>: mov %rax,-0x38(%rbp) > 0x000055555578cbb0 <+144>: xor %eax,%eax > 0x000055555578cbb2 <+146>: test %ebx,%ebx > 0x000055555578cbb4 <+148>: je 0x55555578d3c0 > <internal_malloc+2208> > 0x000055555578cbba <+154>: lea 0x23(%r13),%rsi > 0x000055555578cbbe <+158>: sar %ebx > 0x000055555578cbc0 <+160>: and $0xfffffffffffffff0,%rsi > 0x000055555578cbc4 <+164>: movslq %ebx,%rbx > 0x000055555578cbc7 <+167>: cmp %rbx,%rsi > 0x000055555578cbca <+170>: jg 0x55555578d100 > <internal_malloc+1504> > 0x000055555578cbd0 <+176>: mov $0x10,%eax > 0x000055555578cbd5 <+181>: mov $0x1,%ebx > ... > > (gdb) info registers > rax 0x55555578cb20 0x55555578cb20 > rbx 0x0 0x0 > rcx 0x7fffffffde00 0x7fffffffde00 > rdx 0x0 0x0 > rsi 0x0 0x0 > rdi 0x20 0x20 > rbp 0x7fffffffde90 0x7fffffffde90 > rsp 0x7fffffffddc0 0x7fffffffddc0 > r8 0x0 0x0 > r9 0x1 0x1 > r10 0x7ffff7438b0f 0x7ffff7438b0f > r11 0x55555578e5e0 0x55555578e5e0 > r12 0x20 0x20 > r13 0x20 0x20 > r14 0x0 0x0 > r15 0xffffffffbc0 0xffffffffbc0 > rip 0x55555578cb83 0x55555578cb83 <internal_malloc+99> > eflags 0x10206 [ PF IF RF ] > cs 0x33 0x33 > ss 0x2b 0x2b > ds 0x0 0x0 > es 0x0 0x0 > fs 0x0 0x0 > > > > -- > You received this message because you are subscribed to the Google Groups > "address-sanitizer" group. 
