[ASan/Win] Ignore allocations that occur before the dynamic runtime is initialized #30251
Comments
|
I'm pretty sure your example won't repro for me, but I'll check when I get into work. Ettiene has encountered the same crash stack when using newer dbghelp.dll versions. I want to do two things:
If 2 fails, then we can start trying to handle missed allocations, but I want to convince myself that we can't initialize earlier before going down that road. |
|
I agree that dealing with missed allocations is unfortunate, but I couldn't see any way around it. The allocation stack in comment 0 happens while the NT loader is traversing the dependency graph; ucrtbase.dll initializes before we even reach the entry point of clang_rt.asan_dynamic-i386.dll. To run code any earlier would require either: (1) removing clang_rt.asan_dynamic-i386.dll's dependency on ucrtbase.dll, or (2) adding some new DLL that loads before clang_rt.asan_dynamic-i386.dll. Neither of those seem particularly great. That said, if you can think of an option that I've overlooked, I'd be happy to hear it! |
|
My asan runtime doesn't depend on ucrtbase.dll directly: $ dumpbin -dependents lib/clang/4.0.0/lib/windows/clang_rt.asan_dynamic-x86_64.dll ... But if dbghelp.dll does, then we have a problem. That's what Etienne is running into. |
|
Ah, right. dbghelp depends on api-ms-win-crt-runtime-l1-1-0, which redirects to ucrtbase. With /delayload:dbghelp.dll, the error messages went away. |
|
I'm facing the exact same bug. Some allocations are done by ucrt before dynamic hooking (malloc/free interception). Which lead to an error when a free of an unknown object is done. This is a fix: |
|
Can you guys apply https://reviews.llvm.org/D26473 and test if that fixes your issues? I wonder if we need to worry the static ASan runtime, too. If we do, then I think we should use LoadLibrary so that users don't need to change their build to delay load dbghelp. Either that or maybe '#pragma comment(linker)' can solve it. |
Answering my own question, the test I added failed with the static CRT, so the patch is no good as is. |
|
With r286848 (and with my local patch reverted), I'm no longer getting any complaints from free(). Thanks for the fix! |
|
Great, fixed in r286848. We also discussed improving the "attempting free on address which was not malloc()-ed" report to indicate that the pointer comes from the system heap, and indicate that the user should try to debug why heap interception didn't work. |
|
It's fixing the first occurrence of the bug. I'm gonna dig to see which dependency is present. C:\src\chrome\src>ninja -C out\Asan64 chrome
|
Extended Description
$ echo "int main() { return 0; }" > test.cpp
$ clang-cl -MD -fsanitize=address test.cpp
$ test.exe
==9112==ERROR: AddressSanitizer: attempting free on address which was not malloc()-ed: 0x00bdaef0 in thread T0
#0 0x650f6cca in free d:\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:77
#1 0x74670ba1 in destroy_fls (C:\Windows\System32\ucrtbase.dll+0x10030ba1)
#2 0x772a9ec2 in RtlProcessFlsData (C:\Windows\SYSTEM32\ntdll.dll+0x4b2a9ec2)
#3 0x772aa142 in LdrShutdownProcess (C:\Windows\SYSTEM32\ntdll.dll+0x4b2aa142)
#4 0x772a9d85 in RtlExitUserProcess (C:\Windows\SYSTEM32\ntdll.dll+0x4b2a9d85)
#5 0x7702adc2 in ExitProcessImplementation (C:\Windows\System32\KERNEL32.DLL+0x6b82adc2)
#6 0x746796a4 in exit_or_terminate_process (C:\Windows\System32\ucrtbase.dll+0x100396a4)
#7 0x74679664 in common_exit (C:\Windows\System32\ucrtbase.dll+0x10039664)
#8 0x74679600 in exit (C:\Windows\System32\ucrtbase.dll+0x10039600)
#9 0xb01267 in _scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:260
#10 0x770162c3 in BaseThreadInitThunk (C:\Windows\System32\KERNEL32.DLL+0x6b8162c3)
#11 0x772e0718 in __RtlUserThreadStart (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e0718)
#12 0x772e06e3 in _RtlUserThreadStart (C:\Windows\SYSTEM32\ntdll.dll+0x4b2e06e3)
Address 0x00bdaef0 is a wild pointer.
SUMMARY: AddressSanitizer: bad-free d:\src\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:77 in free
==9112==ABORTING
That memory was allocated here, before the ASan runtime had an opportunity to set up interceptions:
ntdll!RtlAllocateHeap+0x32
ucrtbase!_calloc_base+0x37
ucrtbase!__acrt_initialize_ptd+0x5a
ucrtbase!__acrt_execute_initializers+0x5c
ucrtbase!DllMainProcessAttach+0x18
ucrtbase!DllMainDispatch+0x28b
ucrtbase!__acrt_DllMain+0x14
ntdll!LdrxCallInitRoutine+0x16
ntdll!LdrpCallInitRoutine+0x43
ntdll!LdrpInitializeNode+0x10e
ntdll!LdrpInitializeGraphRecurse+0x5d
ntdll!LdrpInitializeGraphRecurse+0x74
ntdll!LdrpInitializeGraphRecurse+0x74
ntdll!LdrpInitializeGraphRecurse+0x74
ntdll!LdrpInitializeProcess+0xc22
ntdll!_LdrpInitialize+0x178
ntdll!LdrInitializeThunk+0x10
I suspect that the only way to deal with these is to have free() ignore anything that belongs to the system heap.
The text was updated successfully, but these errors were encountered: