Building the same manner (tools etc) for RH7 and BSD10

* Works fine on linux
* BSD10.3 crashes the first time something tries to access what looks like the ShadowMemory
* g++ is a cross build (target bsd10, host rh7)
  o I had to specifically configure --enable-libsanitizer (so maybe it's generally not supported?)
  o currently have to keep using g++, not clang/llvm, here for a variety of reasons

BSD10 - Looks like the initialization is done before the access in question

  ==75072==AddressSanitizer: failed to intercept 'fgetpwent_r'
  ==75072==AddressSanitizer: failed to intercept 'fgetgrent_r'
  ==75072==AddressSanitizer: failed to intercept 'backtrace'
  ==75072==AddressSanitizer: failed to intercept 'backtrace_symbols'
  ==75072==AddressSanitizer: failed to intercept '__getdelim'
  ==75072==AddressSanitizer: libc interceptors initialized
  || `[0x500000000000, 0x7fffffffffff]` || HighMem    ||
  || `[0x4a0000000000, 0x4fffffffffff]` || HighShadow ||
  || `[0x480000000000, 0x49ffffffffff]` || ShadowGap  ||
  || `[0x400000000000, 0x47ffffffffff]` || LowShadow  ||
  || `[0x000000000000, 0x3fffffffffff]` || LowMem     ||
  MemToShadow(shadow): 0x480000000000 0x48ffffffffff 0x494000000000 0x49ffffffffff
  redzone=16
  max_redzone=2048
  quarantine_size_mb=256M
  malloc_context_size=30
  SHADOW_SCALE: 3
  SHADOW_GRANULARITY: 8
  SHADOW_OFFSET: 0x400000000000
  ==75072==Installed the sigaction for signal 11
  ==75072==Installed the sigaction for signal 10
  ==75072==Installed the sigaction for signal 8
  ==75072==T0: stack [0x7fffdffff000,0x7ffffffff000) size 0x20000000; local=0x7fffffffd9fc
  ==75072==AddressSanitizer Init done

But the code to access the shadow memory all looks like

  0x0000000000449412 <+98>:   movl $0xf1f1f1f1,0x7fff8000(%r12)
  0x000000000044941e <+110>:  movl $0xf4f40000,0x7fff8004(%r12)
  0x000000000044942a <+122>:  movl $0xf2f2f2f2,0x7fff8008(%r12)
  0x0000000000449436 <+134>:  movl $0xf4f40000,0x7fff800c(%r12)

(of course in linux the Shadow memory is located @ 0x7fff8000)

* And I can see that from its initialization verbosity (SHADOW_OFFSET: 0x7fff8000)

I would think the code above would have been (for BSD)

  0x0000000000449412 <+98>:   movl $0xf1f1f1f1, 0x400000000000 (%r12)

So trying to understand a bit as to how the shadow memory is used (seems fixed in asan_mapping.h). And gcc for i386.c has this (which does seem to always pick 0x7fff8000):

  static unsigned HOST_WIDE_INT
  ix86_asan_shadow_offset (void)
  {
    return TARGET_LP64 ? (TARGET_MACHO ? (HOST_WIDE_INT_1 << 44)
                                       : HOST_WIDE_INT_C (0x7fff8000))
                       : (HOST_WIDE_INT_1 << 29);
  }

So how for bsd would it pick up the shadow offset of 0x400000000000 when compiling the code? I'm missing something. But of course it's crashing on any access slightly above 0x7fff8000(%reg) since it's not the right region ...

Seems like somewhere there needs to be a freebsd_asan_shadow_offset()??
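As an added illustration (not part of the original message): the MemToShadow arithmetic from asan_mapping.h applied to the `local=` stack address and the region table in the FreeBSD output above, once with the 0x7fff8000 offset gcc compiles in and once with the 0x400000000000 offset the runtime reported. The region bounds are copied from that table; the helper names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* From the init output above: SHADOW_SCALE 3 and the FreeBSD runtime's
 * SHADOW_OFFSET, versus the Linux x86_64 offset hard-coded in gcc's
 * ix86_asan_shadow_offset(). */
#define SHADOW_SCALE        3
#define BSD_SHADOW_OFFSET   0x400000000000ULL
#define LINUX_SHADOW_OFFSET 0x7fff8000ULL
/* MemToShadow(addr) = (addr >> SHADOW_SCALE) + SHADOW_OFFSET (asan_mapping.h);
 * this is the address the compiled movl instructions actually touch. */
uint64_t mem_to_shadow(uint64_t addr, uint64_t shadow_offset)
{
    return (addr >> SHADOW_SCALE) + shadow_offset;
}

/* Address-space layout printed by the FreeBSD 10 runtime (table above). */
typedef struct { uint64_t lo, hi; const char *name; } region_t;
static const region_t bsd_regions[] = {
    { 0x000000000000ULL, 0x3fffffffffffULL, "LowMem"     },
    { 0x400000000000ULL, 0x47ffffffffffULL, "LowShadow"  },
    { 0x480000000000ULL, 0x49ffffffffffULL, "ShadowGap"  },
    { 0x4a0000000000ULL, 0x4fffffffffffULL, "HighShadow" },
    { 0x500000000000ULL, 0x7fffffffffffULL, "HighMem"    },
};

const char *bsd_region_of(uint64_t addr)
{
    for (size_t i = 0; i < sizeof bsd_regions / sizeof bsd_regions[0]; i++)
        if (addr >= bsd_regions[i].lo && addr <= bsd_regions[i].hi)
            return bsd_regions[i].name;
    return "outside layout";
}

/* 1 if the shadow byte for addr lands in a region the runtime reserved as
 * shadow (LowShadow/HighShadow); anything else is a stray access. */
int shadow_is_mapped(uint64_t addr, uint64_t shadow_offset)
{
    const char *r = bsd_region_of(mem_to_shadow(addr, shadow_offset));
    return strcmp(r, "LowShadow") == 0 || strcmp(r, "HighShadow") == 0;
}
int main(void)
{
    uint64_t local = 0x7fffffffd9fcULL;  /* 'local=' from the T0 line above */
    printf("gcc offset 0x7fff8000 -> %s\nruntime offset 0x400000000000 -> %s\n",
           bsd_region_of(mem_to_shadow(local, LINUX_SHADOW_OFFSET)),
           bsd_region_of(mem_to_shadow(local, BSD_SHADOW_OFFSET)));
    return 0;
}
```

With the gcc offset the shadow byte for the stack address computes to 0x10007fff7b3f, which on this layout is plain LowMem rather than shadow; with the runtime's offset it lands at 0x4ffffffffb3f inside HighShadow.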