emacs-devel

building/using address-sanitizer-enabled emacs?


From: Jim Meyering
Subject: building/using address-sanitizer-enabled emacs?
Date: Sat, 06 May 2017 20:40:05 -0700

Has anyone managed to dump an ASAN-enabled emacs recently?
I can build and use an ASAN-enabled temacs, but it's too slow, of course.
When I build as follows (using the latest gcc built from today's git[*];
a very recent gcc is required for my use of the new
-fsanitize-address-use-after-scope), the temacs-to-emacs dump fails
with a global-buffer-overflow:

  san='-fsanitize-address-use-after-scope -fsanitize=address -static-libasan'
  ./configure --prefix=/p/p/emacs-asan --without-gpm --without-x \
    --with-x-toolkit=no --with-png=no --with-jpeg=no --with-sound=no \
    CFLAGS="-O0 -ggdb3 $san" LDFLAGS="$san" && make

I guess it's not too surprising -- given what dumping does -- that it
is not yet ASAN-aware, but there are so many traces of address sanitizer
work already in emacs that I'm hoping someone has already dealt with this.

------------------
Finding pointers to doc strings...
Finding pointers to doc strings...done
Dumping under the name emacs
=================================================================
==8192==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000001d561e1 at pc 0x000000463102 bp 0x7fffffffbca0 sp 0x7fffffffb450
READ of size 13643296 at 0x000001d561e1 thread T0
    #0 0x463101 in __interceptor_memcpy /h/j/gcc/libsanitizer/asan/asan_interceptors.cc:456
    #1 0x9896c0 in unexec /h/j/emacs/src/unexelf.c:407
    #2 0x74d8ad in Fdump_emacs /h/j/emacs/src/emacs.c:2191
    #3 0x8df69d in eval_sub /h/j/emacs/src/eval.c:2223
    #4 0x8d51c4 in Fprogn /h/j/emacs/src/eval.c:449
    #5 0x8deed5 in eval_sub /h/j/emacs/src/eval.c:2173
    #6 0x8d4d41 in Fif /h/j/emacs/src/eval.c:406
    #7 0x8deed5 in eval_sub /h/j/emacs/src/eval.c:2173
    #8 0x945a9c in readevalloop /h/j/emacs/src/lread.c:1947
    #9 0x942b1d in Fload /h/j/emacs/src/lread.c:1352
    #10 0x8df946 in eval_sub /h/j/emacs/src/eval.c:2234
    #11 0x8ddf54 in Feval /h/j/emacs/src/eval.c:2042
    #12 0x751a34 in top_level_2 /h/j/emacs/src/keyboard.c:1121
    #13 0x8da12d in internal_condition_case /h/j/emacs/src/eval.c:1326
    #14 0x751a97 in top_level_1 /h/j/emacs/src/keyboard.c:1129
    #15 0x8d8911 in internal_catch /h/j/emacs/src/eval.c:1091
    #16 0x751899 in command_loop /h/j/emacs/src/keyboard.c:1090
    #17 0x75033f in recursive_edit_1 /h/j/emacs/src/keyboard.c:697
    #18 0x7506dd in Frecursive_edit /h/j/emacs/src/keyboard.c:768
    #19 0x74bbb9 in main /h/j/emacs/src/emacs.c:1687
    #20 0x7ffff5b52400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #21 0x40d369 in _start (/h/j/emacs/src/temacs+0x40d369)

0x000001d561e1 is located 0 bytes to the right of global variable 'display_completed' defined in 'dispnew.c:100:6' (0x1d561e0) of size 1
  'display_completed' is ascii string ''
0x000001d561e1 is located 63 bytes to the left of global variable 'delayed_size_change' defined in 'dispnew.c:104:13' (0x1d56220) of size 1
SUMMARY: AddressSanitizer: global-buffer-overflow /h/j/gcc/libsanitizer/asan/asan_interceptors.cc:456 in __interceptor_memcpy
Shadow bytes around the buggy address:
  0x0000803a2be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a2bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a2c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a2c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000803a2c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000803a2c30: 00 00 00 00 00 00 00 00 00 00 00 00[01]f9 f9 f9
  0x0000803a2c40: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000803a2c50: 00 00 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000803a2c60: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000803a2c70: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0000803a2c80: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8192==ABORTING
Makefile:735: recipe for target 'bootstrap-emacs' failed
make[1]: *** [bootstrap-emacs] Error 1
make[1]: Leaving directory '/h/j/emacs/src'
Makefile:416: recipe for target 'src' failed
make: *** [src] Error 2

-------------------
[*] One caveat: to get past a gcc ICE (just reported as
https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80659), I had to apply this
kludgey patch:

diff --git a/src/process.c b/src/process.c
index 0edd092..8abd0d2 100644
--- a/src/process.c
+++ b/src/process.c
@@ -4724,10 +4725,13 @@ server_accept_connection (Lisp_Object server, int 
channel)
     case AF_LOCAL:
 #endif
     default:
+      abort ();
+#if 0
       caller = Fnumber_to_string (make_number (connect_counter));
       AUTO_STRING (space_less_than, " <");
       AUTO_STRING (greater_than, ">");
       caller = concat3 (space_less_than, caller, greater_than);
+#endif
       break;
     }
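Review bot: the `abort ();` placed at the top of the `default:` case changes runtime behaviour, not just compilation: because `case AF_LOCAL:` sits directly above `#endif` / `default:`, every accepted Unix-domain (and any other non-INET) client connection now aborts the process, and the `#if 0` / `#endif` pair leaves the four `caller` lines as dead code. As a stopgap for the GCC ICE that is fine, but a build carrying it must not be used to test anything that accepts local-socket connections, and the kludge should be keyed to a sanitizer-build macro or reverted once the compiler bug is fixed, with a comment naming the bugzilla entry (https://gcc.gnu.org/bugzilla/show_bug.cgi?id=80659) so it is not forgotten.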



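The report above can be decoded by hand, and doing so shows why the dump trips ASan at all. The following is an added example, not code from the message or from Emacs: it implements the x86_64 AddressSanitizer shadow mapping (Shadow = (Mem >> 3) + 0x7fff8000, the documented default; assumed here rather than taken from the page) and ASan's per-byte addressability rule, then runs them over the two shadow rows transcribed from the report. The memcpy in unexec reads 13643296 bytes starting at 0x1d561e1, one past the 1-byte global display_completed; that granule's shadow byte is 01, meaning only 1 of its 8 bytes is valid, so the very first byte of the copy is already in a global redzone (f9 follows). Because frame #0 is the libasan memcpy interceptor rather than compiler-inserted instrumentation, a no_sanitize attribute on unexec alone would not make this report go away; the raw range copy itself is what ASan objects to.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86_64 AddressSanitizer shadow mapping: Shadow = (Mem >> 3) + 0x7fff8000.
   One shadow byte covers 8 application bytes (as the report's legend says);
   a value k in 1..7 means only the first k of those 8 bytes are addressable.
   The offset is the documented x86_64 default, assumed here. */
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL

uintptr_t asan_shadow_addr(uintptr_t addr)
{
    return (addr >> 3) + ASAN_SHADOW_OFFSET;
}

/* Two shadow rows transcribed from the report (the "=>" row and the next).
   A live run reads shadow memory directly; this constructed table only lets
   the decoding be reproduced offline. */
struct shadow_row { uintptr_t base; uint8_t bytes[16]; };
static const struct shadow_row shadow_rows[] = {
    { 0x803a2c30, { 0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00,
                    0x00,0x00,0x00,0x00,0x01,0xf9,0xf9,0xf9 } },
    { 0x803a2c40, { 0xf9,0xf9,0xf9,0xf9,0x01,0xf9,0xf9,0xf9,
                    0xf9,0xf9,0xf9,0xf9,0x00,0x00,0x00,0x00 } },
};

/* Shadow byte for an application address, or -1 if not in the table. */
int asan_shadow_byte(uintptr_t addr)
{
    uintptr_t shadow = asan_shadow_addr(addr);
    for (size_t i = 0; i < sizeof shadow_rows / sizeof shadow_rows[0]; i++) {
        uintptr_t base = shadow_rows[i].base;
        if (shadow >= base && shadow < base + 16)
            return shadow_rows[i].bytes[shadow - base];
    }
    return -1;
}

/* The per-byte rule ASan applies: shadow 0 means all 8 bytes are valid;
   1..7 means bytes [0,k) of the granule are valid; anything else is poison. */
int asan_byte_addressable(uintptr_t addr, uint8_t shadow)
{
    if (shadow == 0)
        return 1;
    if (shadow < 8)
        return (addr & 7) < shadow;
    return 0;
}

/* Names for the shadow values that matter in this report. */
const char *asan_shadow_kind(uint8_t shadow)
{
    switch (shadow) {
    case 0x00: return "addressable";
    case 0xf9: return "global redzone";
    case 0xf8: return "stack use after scope";
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    default:   return shadow < 8 ? "partially addressable" : "other poison";
    }
}

/* Check [start, start+len) the way the memcpy interceptor does, stopping at
   the first poisoned byte.  Returns 0 if every byte is addressable, the first
   poisoned address otherwise, or (uintptr_t)-1 if the shadow is not in the
   table. */
uintptr_t asan_first_poisoned(uintptr_t start, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        uintptr_t addr = start + i;
        int s = asan_shadow_byte(addr);
        if (s < 0)
            return (uintptr_t)-1;
        if (!asan_byte_addressable(addr, (uint8_t)s))
            return addr;
    }
    return 0;
}

int main(void)
{
    /* Figures from the report: a 13643296-byte READ starting at 0x1d561e1,
       one past the 1-byte global display_completed at 0x1d561e0. */
    uintptr_t start = 0x1d561e1;
    int s = asan_shadow_byte(start);
    printf("shadow of %#lx is at %#lx: %02x (%s)\n", (unsigned long)start,
           (unsigned long)asan_shadow_addr(start), s, asan_shadow_kind((uint8_t)s));
    uintptr_t bad = asan_first_poisoned(start, 13643296);
    if (bad && bad != (uintptr_t)-1)
        printf("first poisoned byte of the copy: %#lx\n", (unsigned long)bad);
    return 0;
}
```

The same arithmetic reproduces the report's other figures: delayed_size_change at 0x1d56220 maps to shadow 0x803a2c44, the lone 01 in the second row, and 0x1d56220 - 0x1d561e1 is the 63 bytes "to the left of" that ASan prints.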