So I'm using the AddressSanitizer. But it uses some dense terms when describing the problem.
Shadow bytes around the buggy address:
0x0c067fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c067fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c067fff8000: fa fa 00 00 00 00[fa]fa 00 00 00 fa fa fa 00 00
0x0c067fff8010: 00 fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c067fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==7320==ABORTING
What does Heap left redzone
mean? (and the others but I'm mostly interested in the fa
as there is one [fa]
which indicates the problem probably?)
AddressSanitizer is a fast memory error detector. It consists of a compiler instrumentation module and a run-time library. The tool can detect the following types of bugs: Out-of-bounds accesses to heap, stack and globals.
The "-fsanitize=address" flag is used to tell the compiler to add AddressSanitizer. Additionally, due to some environmental configuration settings on OSC systems, we must also statically link against Asan. This is done using the "-static-libasan" flag. It's helpful to compile the code with debug symbols.
Starting in Visual Studio 2019 version 16.9, the Microsoft C/C++ compiler (MSVC) and IDE supports the AddressSanitizer. AddressSanitizer (ASan) is a compiler and runtime technology that exposes many hard-to-find bugs with zero false positives: Alloc/dealloc mismatches and new / delete type mismatches.
What does Heap left redzone mean?
When AddressSanitizer heap interposer allocates heap memory in response to something like:
char *p = malloc(5);
it allocates more memory than you asked for. Let's say it allocates 32 bytes at address q
. It then would mark the first 16 bytes (region [q, q+15]
) as inaccessible heap left red zone (fa
), the next 5 bytes as addressable (0
), and the next 11 bytes as heap right red zone (fb
).
Finally it would return the q+16
to the application (assigned to p
).
Now if the application attempts to read or write from p-1
, p-2
, ... p-15
, all such attempts would be detected because they will all land on the left red zone. This is heap underflow.
Similarly, attempts to access p+5
, p+6
, ... p+10
(heap overflow) would be detected because they will all land on the right red zone.
Why would an application ever have heap underflow? Consider this code:
int idx = get_valid_index(...); // return -1 on failure
...
if (p[idx] == ...) { // BUG: forgot to check idx!=-1
This actually happens more often that you'd think, and appears to have happened to you.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With