public inbox for gcc-bugs@sourceware.org
* [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM)
@ 2015-08-20  6:09 zhouweiguo2008 at gmail dot com
  2015-08-20  6:13 ` [Bug sanitizer/67286] " zhouweiguo2008 at gmail dot com
                   ` (11 more replies)
  0 siblings, 12 replies; 13+ messages in thread
From: zhouweiguo2008 at gmail dot com @ 2015-08-20  6:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

            Bug ID: 67286
           Summary: asan doen't work on Android(32bit ARM)
           Product: gcc
           Version: 4.9.2
            Status: UNCONFIRMED
          Severity: critical
          Priority: P3
         Component: sanitizer
          Assignee: unassigned at gcc dot gnu.org
          Reporter: zhouweiguo2008 at gmail dot com
                CC: dodji at gcc dot gnu.org, dvyukov at gcc dot gnu.org,
                    jakub at gcc dot gnu.org, kcc at gcc dot gnu.org
  Target Milestone: ---

>> cat invalid-free.cc   
// RUN: %clangxx_asan -O0 %s -o %t
// RUN: not %run %t 2>&1 | FileCheck %s --check-prefix=CHECK --check-prefix=MALLOC-CTX

// Also works if no malloc context is available.
// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=0 not %run %t 2>&1 | FileCheck %s
// RUN: env ASAN_OPTIONS=malloc_context_size=0:fast_unwind_on_malloc=1 not %run %t 2>&1 | FileCheck %s
// XFAIL: arm-linux-gnueabi

#include <stdlib.h>
#include <string.h>
int main(int argc, char **argv) {
  char *x = (char*)malloc(10 * sizeof(char));
  memset(x, 0, 10);
  int res = x[argc];
  free(x + 5);  // BOOM
  // CHECK: AddressSanitizer: attempting free on address{{.*}}in thread T0
  // CHECK: invalid-free.cc:[[@LINE-2]]
  // CHECK: is located 5 bytes inside of 10-byte region
  // CHECK: allocated by thread T0 here:
  // MALLOC-CTX: invalid-free.cc:[[@LINE-8]]
  return res;
}

When running the above testcase (which can be found at
external/compiler-rt/test/asan/TestCases) on an Android 5.0 phone,

the testcase will SEGV as follows (in fact, all testcases would SEGV on the
Android phone):


==3909==ERROR: AddressSanitizer: SEGV on unknown address 0x369a00fe (pc 0xb6f51662 bp 0xbeb58a1c sp 0xbeb589e0 T0)
    #0 0xb6f51661 in main TestCases/invalid-free.cc:14
    #1 0xb69c0e09  (/system/lib/libc.so+0x12e09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV TestCases/invalid-free.cc:14 main
==3909==ABORTING



The root cause is that when using ASan on a 32-bit ARM Android system, the shadow
offset should be zero, not 0x20000000 (1<<29).

This serious bug can be fixed with the following steps:

modify the function

static unsigned HOST_WIDE_INT arm_asan_shadow_offset(void)

in gcc-4.9.2/config/arm/arm.c

from

static unsigned HOST_WIDE_INT
arm_asan_shadow_offset (void)
{
  return (unsigned HOST_WIDE_INT) 1 << 29;
}

to

static unsigned HOST_WIDE_INT
arm_asan_shadow_offset (void)
{
#ifdef TARGET_ANDROID
  return 0;
#else
  return (unsigned HOST_WIDE_INT) 1 << 29;
#endif
}


^ permalink raw reply	[flat|nested] 13+ messages in thread
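
The fault address in the report above can be checked against the two shadow offsets it contrasts. This is an added example, not code from the bug report or from GCC; it assumes ASan's standard mapping shadow = (addr >> 3) + offset, and the function and macro names are made up here.

```c
/* Added example: not from the bug report or the GCC sources.
   Assumes ASan's standard mapping: shadow = (addr >> 3) + offset. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define SHADOW_SCALE 3 /* one shadow byte describes 8 application bytes */

/* The two offsets the report contrasts (macro names are hypothetical). */
#define OFFSET_ARM_DEFAULT (UINT64_C(1) << 29) /* arm_asan_shadow_offset() before the change */
#define OFFSET_ARM_ANDROID UINT64_C(0)         /* value the reporter says Android needs */

/* Shadow byte that instrumented code loads before touching addr. */
static uint64_t mem_to_shadow(uint32_t addr, uint64_t offset)
{
    return ((uint64_t)addr >> SHADOW_SCALE) + offset;
}

/* Inverse mapping: first application address described by shadow.
   Returns 0 when no 32-bit application address maps to it. */
static int shadow_to_mem(uint64_t shadow, uint64_t offset, uint32_t *mem)
{
    uint64_t base;

    if (shadow < offset)
        return 0;
    base = (shadow - offset) << SHADOW_SCALE;
    if (base > UINT32_MAX)
        return 0;
    *mem = (uint32_t)base;
    return 1;
}

int main(void)
{
    const uint64_t fault = 0x369a00fe; /* "SEGV on unknown address" in the report */
    const uint64_t offsets[] = { OFFSET_ARM_DEFAULT, OFFSET_ARM_ANDROID };
    uint32_t app;
    size_t i;

    for (i = 0; i < sizeof offsets / sizeof offsets[0]; i++) {
        if (shadow_to_mem(fault, offsets[i], &app))
            printf("offset 0x%08" PRIx64 ": shadow byte for app address 0x%08" PRIx32
                   ", which offset 0 would place at 0x%08" PRIx64 "\n",
                   offsets[i], app, mem_to_shadow(app, OFFSET_ARM_ANDROID));
        else
            printf("offset 0x%08" PRIx64 ": not the shadow of any 32-bit address\n",
                   offsets[i]);
    }
    return 0;
}
```

With offset 1<<29 the fault address is the shadow byte for application address 0xb4d007f0; with offset 0 it corresponds to no 32-bit address, which is consistent with the root cause given in the report.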

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
@ 2015-08-20  6:13 ` zhouweiguo2008 at gmail dot com
  2015-08-20  6:23 ` zhouweiguo2008 at gmail dot com
                   ` (10 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: zhouweiguo2008 at gmail dot com @ 2015-08-20  6:13 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #1 from zhouweiguo2008 at gmail dot com ---
This bug has been fixed and validated with gcc 4.9.2 and gcc 5.2.0,

and the testcases (from external/compiler-rt/test/asan/TestCases) can run
normally on the 32-bit Android 5.0 phone.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
  2015-08-20  6:13 ` [Bug sanitizer/67286] " zhouweiguo2008 at gmail dot com
@ 2015-08-20  6:23 ` zhouweiguo2008 at gmail dot com
  2015-08-20  7:13 ` y.gribov at samsung dot com
                   ` (9 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: zhouweiguo2008 at gmail dot com @ 2015-08-20  6:23 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

weiguo.zhou <zhouweiguo2008 at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from weiguo.zhou <zhouweiguo2008 at gmail dot com> ---
Validated with gcc 4.9.2 and gcc 5.2.0,

and the testcases (from external/compiler-rt/test/asan/TestCases) can run
normally on the 32-bit Android 5.0 phone.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
  2015-08-20  6:13 ` [Bug sanitizer/67286] " zhouweiguo2008 at gmail dot com
  2015-08-20  6:23 ` zhouweiguo2008 at gmail dot com
@ 2015-08-20  7:13 ` y.gribov at samsung dot com
  2015-08-20  8:53 ` dvyukov at google dot com
                   ` (8 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: y.gribov at samsung dot com @ 2015-08-20  7:13 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

Yury Gribov <y.gribov at samsung dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |y.gribov at samsung dot com

--- Comment #3 from Yury Gribov <y.gribov at samsung dot com> ---
Does GCC even support ASan on Android i.e. builds libasan.so? That's news to
me.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (2 preceding siblings ...)
  2015-08-20  7:13 ` y.gribov at samsung dot com
@ 2015-08-20  8:53 ` dvyukov at google dot com
  2015-08-20  8:58 ` y.gribov at samsung dot com
                   ` (7 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: dvyukov at google dot com @ 2015-08-20  8:53 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #4 from Dmitry Vyukov <dvyukov at google dot com> ---
Yes, asan should work on android/arm32. There is some ongoing work on arm64.
+eugeni can provide more details.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (3 preceding siblings ...)
  2015-08-20  8:53 ` dvyukov at google dot com
@ 2015-08-20  8:58 ` y.gribov at samsung dot com
  2015-08-20  9:09 ` weiguo.zhou at spreadtrum dot com
                   ` (6 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: y.gribov at samsung dot com @ 2015-08-20  8:58 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #5 from Yury Gribov <y.gribov at samsung dot com> ---
(In reply to Dmitry Vyukov from comment #4)
> +eugeni can provide more details.

Please! E.g. how do you build compiler and runtime?


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (4 preceding siblings ...)
  2015-08-20  8:58 ` y.gribov at samsung dot com
@ 2015-08-20  9:09 ` weiguo.zhou at spreadtrum dot com
  2015-08-20  9:14 ` y.gribov at samsung dot com
                   ` (5 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: weiguo.zhou at spreadtrum dot com @ 2015-08-20  9:09 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #6 from weiguo.zhou <weiguo.zhou at spreadtrum dot com> ---
(In reply to Dmitry Vyukov from comment #4)
> Yes, asan should work on android/arm32. There is some ongoing work on arm64.
> +eugeni can provide more details.

According to the official documents on Google's site:


https://code.google.com/p/address-sanitizer/wiki/Android

 Android   
How to use AddressSanitizer on Android 
Updated Jul 20, 2015 by euge...@google.com 
NOTE: this document is about running Android applications built with the NDK
under AddressSanitizer. For information about using AddressSanitizer on Android
platform components, see AndroidPlatform. 
NOTE: ASan is broken on Android L. Use a K* build. This will be fixed in one of
the future L updates (or the current AOSP master branch). 
NOTE: AddressSanitizer on Android requires a rooted device (either -eng or
-userdebug build, or any other setup that allows editing the contents of the
/system partition). 
Android NDK supports AddressSanitizer on arm, armv7 and x86 ABIs starting with
version r10d. 


It seems Google's official docs indicate that ASan is only supported on Android
with the LLVM-based clang toolchain. In fact, it should be supported "well" on
Android with a gcc-based toolchain.

The key points for getting ASan to run well with a gcc-based toolchain on Android are
as follows:

1) build a cross-compile toolchain for the ARM-32 Android system;
2) disable the -Os optimization options in the Android build system, because the ASan
pass must be called in GCC's internals to handle the GENERIC/GIMPLE transformation;
3) modify the code in gcc-4.9.2/config/arm/arm.c


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (5 preceding siblings ...)
  2015-08-20  9:09 ` weiguo.zhou at spreadtrum dot com
@ 2015-08-20  9:14 ` y.gribov at samsung dot com
  2015-08-20  9:17 ` weiguo.zhou at spreadtrum dot com
                   ` (4 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: y.gribov at samsung dot com @ 2015-08-20  9:14 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #7 from Yury Gribov <y.gribov at samsung dot com> ---
(In reply to weiguo.zhou from comment #6)
> It seems Google's official docs indicate that ASan is only supported on Android
> with the LLVM-based clang toolchain.

That was my impression as well.

> In fact, it should be supported "well"
> on Android with a gcc-based toolchain.

I'm not sure what you mean. Is ASan runtime (libasan.so) built when you build
Android cross-compiler? If it's not, then ASan is not supported by GCC on
Android.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (6 preceding siblings ...)
  2015-08-20  9:14 ` y.gribov at samsung dot com
@ 2015-08-20  9:17 ` weiguo.zhou at spreadtrum dot com
  2015-08-20  9:20 ` weiguo.zhou at spreadtrum dot com
                   ` (3 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: weiguo.zhou at spreadtrum dot com @ 2015-08-20  9:17 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #8 from weiguo.zhou <weiguo.zhou at spreadtrum dot com> ---
(In reply to Yury Gribov from comment #5)
> (In reply to Dmitry Vyukov from comment #4)
> > +eugeni can provide more details.
> 
> Please! E.g. how do you build compiler and runtime?


The key points for generating a gcc-based cross-compiler toolchain for android/arm32
are as follows:

1) generate a stage-1 cross-compile gcc toolchain with the existing native
gcc;
2) build the sysroot from scratch with the stage-1 cross-compile toolchain;
3) generate the final cross-compile gcc_toolchain with the corresponding
sysroot.


You can see the key point is that we should "create a right sysroot" for the
final cross-compile gcc-toolchain for android/arm32.


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (7 preceding siblings ...)
  2015-08-20  9:17 ` weiguo.zhou at spreadtrum dot com
@ 2015-08-20  9:20 ` weiguo.zhou at spreadtrum dot com
  2015-08-20  9:26 ` y.gribov at samsung dot com
                   ` (2 subsequent siblings)
  11 siblings, 0 replies; 13+ messages in thread
From: weiguo.zhou at spreadtrum dot com @ 2015-08-20  9:20 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #9 from weiguo.zhou <weiguo.zhou at spreadtrum dot com> ---
(In reply to Yury Gribov from comment #7)
> (In reply to weiguo.zhou from comment #6)
> > It seems Google's official docs indicate that ASan is only supported on Android
> > with the LLVM-based clang toolchain.
> 
> That was my impression as well.
> 
> > In fact, it should be supported "well"
> > on Android with a gcc-based toolchain.
> 
> I'm not sure what you mean. Is ASan runtime (libasan.so) built when you
> build Android cross-compiler? If it's not, then ASan is not supported by GCC
> on Android.


As I explained just now, after generating the final cross-compile toolchain for
android/arm32 successfully, the last step is to generate libasan.so.2

with the final cross-compile toolchain (because the ASan runtime detection
library should run on a real ARM32 board).


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (8 preceding siblings ...)
  2015-08-20  9:20 ` weiguo.zhou at spreadtrum dot com
@ 2015-08-20  9:26 ` y.gribov at samsung dot com
  2015-08-20  9:37 ` weiguo.zhou at spreadtrum dot com
  2015-08-20 10:24 ` weiguo.zhou at spreadtrum dot com
  11 siblings, 0 replies; 13+ messages in thread
From: y.gribov at samsung dot com @ 2015-08-20  9:26 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #10 from Yury Gribov <y.gribov at samsung dot com> ---
(In reply to weiguo.zhou from comment #9)
> As I explained just now, after generating the final cross-compile toolchain
> for android/arm32 successfully, the last step is to generate libasan.so.2

How do you generate libasan.so?


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (9 preceding siblings ...)
  2015-08-20  9:26 ` y.gribov at samsung dot com
@ 2015-08-20  9:37 ` weiguo.zhou at spreadtrum dot com
  2015-08-20 10:24 ` weiguo.zhou at spreadtrum dot com
  11 siblings, 0 replies; 13+ messages in thread
From: weiguo.zhou at spreadtrum dot com @ 2015-08-20  9:37 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #11 from weiguo.zhou <weiguo.zhou at spreadtrum dot com> ---

You can get the dynamic libasan.so.2 with the following step:

../gcc-4.9.2-sprd/libsanitizer/configure --host=arm-linux-androideabi \
    --prefix=/tmp/toolchain-build-linux-4.9.2/prefix --enable-shared \
    --disable-static


^ permalink raw reply	[flat|nested] 13+ messages in thread

* [Bug sanitizer/67286] asan doen't work on Android(32bit ARM)
  2015-08-20  6:09 [Bug sanitizer/67286] New: asan doen't work on Android(32bit ARM) zhouweiguo2008 at gmail dot com
                   ` (10 preceding siblings ...)
  2015-08-20  9:37 ` weiguo.zhou at spreadtrum dot com
@ 2015-08-20 10:24 ` weiguo.zhou at spreadtrum dot com
  11 siblings, 0 replies; 13+ messages in thread
From: weiguo.zhou at spreadtrum dot com @ 2015-08-20 10:24 UTC (permalink / raw)
  To: gcc-bugs

https://gcc.gnu.org/bugzilla/show_bug.cgi?id=67286

--- Comment #12 from weiguo.zhou <weiguo.zhou at spreadtrum dot com> ---
(In reply to weiguo.zhou from comment #8)
> (In reply to Yury Gribov from comment #5)
> > (In reply to Dmitry Vyukov from comment #4)
> > > +eugeni can provide more details.
> > 
> > Please! E.g. how do you build compiler and runtime?
> 
> 
> The key points for generating a gcc-based cross-compiler toolchain for
> android/arm32 are as follows:
> 
> 1) generate a stage-1 cross-compile gcc toolchain with the existing native
> gcc;
> 2) build the sysroot from scratch with the stage-1 cross-compile toolchain;
> 3) generate the final cross-compile gcc_toolchain with the corresponding
> sysroot.
> 
> 
> You can see the key point is that we should "create a right sysroot" for the
> final cross-compile gcc-toolchain for android/arm32.


1) generate a stage-1 cross-compile gcc toolchain with the existing native
 gcc;
2) build the sysroot from scratch with the stage-1 cross-compile toolchain;
3) generate the final cross-compile gcc_toolchain (with the --enable-libsanitizer
option) with the corresponding sysroot, so the final cross-compiler can
instrument the check code according to the excellent paper
<<address_sanity_checker.pdf>>;

4) reset the PATH environment variable, then generate libasan.so.2 with the
final cross-compile gcc-toolchain:
   mkdir libasan-for-android-build
   cd libasan-for-android-build
   ../gcc-source-tree/libsanitizer/configure --host=arm-linux-androideabi \
       --prefix=/tmp/toolchain-build-linux-4.9.2/prefix --enable-shared \
       --disable-static

Don't use any cross-tool-like utility here. We should "create anything we need
from scratch".

Thanks to the great Google, the powerful AddressSanitizer, and the excellent
creators of AddressSanitizer (kcc and the other great engineers at Google).


^ permalink raw reply	[flat|nested] 13+ messages in thread
