src: do not report speculative overflows within ASan RTL

OleksiiOleksenko · Feb 20, 2020 · 79637f6 · 79637f6
1 parent c296d73
commit 79637f6
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 1 deletion.
diff --git a/postprocessing/analyzer.py b/postprocessing/analyzer.py
@@ -499,7 +499,8 @@ def get_key(address):
             k = l[0]
 
         if "asan" in k or "sanitizer" in k:
-            raise RuntimeError("Detected an exception in ASan runtime library: " + k)
+            raise RuntimeError(
+                "Detected an exception in ASan runtime library: " + k + " at " + address)
 
         return k, l
 

diff --git a/src/specfuzz_init.c b/src/specfuzz_init.c
@@ -71,6 +71,11 @@ void specfuzz_handler(int signo, siginfo_t *siginfo, void *ucontext) {
 
     if (siginfo->si_signo == SIGFPE) {
         STAT_INCREMENT(stat_signal_misc);
+    } else if (context->uc_mcontext.gregs[REG_RSP] >= (long long) &asan_rtl_frame_bottom &&
+        context->uc_mcontext.gregs[REG_RSP] <= (long long) &asan_rtl_frame) {
+        // When we detect an overflow in ASan RTL, recovering the offending address is tricky
+        // For the time being, we ignore these cases
+        STAT_INCREMENT(stat_signal_overflow);
     } else {
 #if ENABLE_PRINT == 1
         // Print information about the signal

diff --git a/src/specfuzz_rtl.S b/src/specfuzz_rtl.S
@@ -140,6 +140,7 @@ specfuzz_rtl_frame:             .quad   0
 
 // A disjoint stack frame for ASan functions
 .globl asan_rtl_frame
+.globl asan_rtl_frame_bottom
 asan_rtl_frame_bottom:          .zero   4088
 asan_rtl_frame:                 .quad   0
 
@@ -729,6 +730,7 @@ specfuzz_check_code_pointer:
     jl specfuzz_check_code_pointer.ok
     cmpq $_end, %rdi  # bss and data
     jl specfuzz_check_code_pointer.corrupted
+
 specfuzz_check_code_pointer.unknown:
     // We are above BSS, which means we are about to either enter a dynamically linked
     // code (most likely uninstrumented) or to executes some random data
@@ -743,6 +745,7 @@ specfuzz_check_code_pointer.unknown:
 specfuzz_check_code_pointer.ok:
     popfq
     ret
+
 specfuzz_check_code_pointer.corrupted:
     STAT_INCREMENT stat_corrupted_code_pointer
     movq 8(%rsp), %rsi

diff --git a/src/specfuzz_rtl.h b/src/specfuzz_rtl.h
@@ -20,6 +20,9 @@ extern uint64_t branch_execution_count;
 extern uint64_t specfuzz_rtl_frame;
 extern uint64_t specfuzz_rtl_frame_bottom;
 
+extern uint64_t asan_rtl_frame;
+extern uint64_t asan_rtl_frame_bottom;
+
 extern uint64_t *checkpoint_sp;
 extern uint64_t checkpoint_stack;
 extern uint64_t checkpoint_stack_bottom;