- From: John Criswell <criswell AT illinois.edu>
- To: David Keaton <dmk AT dmk.com>
- Cc: "svadev AT cs.uiuc.edu" <svadev AT cs.uiuc.edu>
- Subject: Re: [svadev] question about SAFECode output
- Date: Mon, 23 Jan 2012 10:21:46 -0600
- List-archive: <http://lists.cs.uiuc.edu/pipermail/svadev>
- List-id: <svadev.cs.uiuc.edu>
- Organization: University of Illinois
On 1/19/12 1:22 PM, David Keaton wrote:
> Matt,
>
> Thanks for your help.

Hi David. I thought I'd add a few comments below to what Matt has already said.

> On 01/18/2012 06:35 PM, Matthew Wala wrote:
>> I'm pretty sure this is why the long error sequence occurs:
>> http://lists.cs.uiuc.edu/pipermail/svadev/2011-August/000104.html
>
> That explains a lot, thanks.
>
>> If you want to output only the first error message and then exit, use
>> the '-fmemsafety-terminate' option along with '-fmemsafety' when
>> compiling your code.
>
> Actually, I am looking for just the opposite. I would like to run
> a program to completion, and then afterward look at the list of buffer
> overflows that occurred.
>
> Many programs work in spite of their buffer overflows. For
> example, they may allocate 15 bytes, but use 16, and they get away with
> it because 16 bytes were reserved by the compiler or library for
> alignment purposes.
>
> Benchmarks are another category where run-to-completion is important.
>
> There are a couple of ways to implement this in a memory safety
> compiler/runtime system. One is to report the error and then let the
> program go on and do what it does. Another is to have the memory safety
> runtime system fake-extend each object to the maximum size that is
> actually accessed, as described in some of the papers on the subject.
>
> I thought SAFECode did the latter. Is it a special option that
> needs to be turned on explicitly, or is it not implemented?
First, SAFECode currently does not have an option to continue execution until the program terminates. Instead, it has a threshold of how many errors to report until it terminates the program. If you'd like an option to continue regardless of the kind of error, please file an enhancement request in Bugzilla, although at present I don't think such an option will be as useful as one would like because of a technique called pointer rewriting.
So, pointer rewriting is the reason that you're seeing an error with address 0xc0000001 over and over and over and over again. Whenever a SAFECode run-time check sees a pointer arithmetic operation go out of bounds, it replaces the out-of-bounds value with a unique pointer value that points into a special, unmapped memory region (on Linux, this memory region is currently 0xc0000000 - 0xffffffff, although this needs to be changed for 64-bit Linux systems). This value is called an OOB pointer.
When the SAFECode load/store checks see that the pointer is an OOB pointer, the check reports an error. However, the OOB pointer is not replaced with the actual, out-of-bounds value. The result is that the program tries to load or store through the OOB pointer, the processor detects a memory access violation, and the SAFECode signal handler reports an error. Since the SAFECode signal handler doesn't attempt to "fix up" the program counter or dereferenced pointer, the faulting load/store accesses the OOB pointer over and over and over again, and SAFECode keeps reporting it until it reaches its error report threshold.
To summarize:
o) A pointer arithmetic check generates an OOB pointer.
o) A load/store check reports the use of the OOB pointer and attempts to continue execution.
o) The load/store using the OOB pointer generates a segfault over and over again which SAFECode reports.
So, SAFECode is trying to continue execution of the program, but in some cases, it cannot due to its current design.
As an aside, if you're wondering why the special memory region is unmapped, it is so that SAFECode can remove load/store checks for type-safe pointers and still catch out-of-bounds pointer dereferences. We aren't using this optimization at present, but we plan to in the future to improve performance.
-- John T.
>> As to why the program counter is printed as 0x8, it looks like the
>> runtime was accessing the wrong register value on x86-64 Linux. This
>> should be fixed in revision 148458.
>
> Thanks for fixing this! The sample program from the SAFECode
> Users Guide now shows a reasonable-looking program counter for these
> faults. It also now terminates after 20 faults, rather than continuing
> to fault indefinitely. Is this a newly designed limit? If so, can it
> be turned off to achieve run-to-completion?
>
> I've appended the new output from the Users Guide sample program
> below.
>
> David
>
> -----
> $ ./overflow 10
> SAFECode:Violation Type 0x6 when accessing 0x6be989 at IP=0x402250
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Load/Store Error
> = CWE ID : 120
> = Faulting pointer : 0x6be989
> = Program counter : 0x402250
> = Fault PC Source : /home/dmk/com/llvm/sample/overflow.c:7
> =
> = Object allocated at PC : 0x4023e1
> = Allocated in Source File : /home/dmk/com/llvm/sample/overflow.c:17
> = Object allocation sequence number : 3
> = Object start : 0x6be980
> = Object length : 0x9
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> SAFECode: Fault!
> SAFECode:Violation Type 0x9 when accessing 0xc0000001 at IP=0x402254
> =======+++++++ SAFECODE RUNTIME ALERT +++++++=======
> = Error type : Uninitialized/NULL Pointer Error
> = CWE ID : 120
> = Faulting pointer : 0xc0000001
> = Program counter : 0x402254
> = Fault PC Source : <unknown>:0
> Aborted
_______________________________________________
svadev mailing list
svadev AT cs.uiuc.edu
http://lists.cs.uiuc.edu/mailman/listinfo/svadev
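The three-step sequence John summarises above (arithmetic check rewrites to an OOB pointer; load/store check reports it but leaves it in place; the same instruction then faults until the report threshold aborts the run) is easier to see in a small model. The following is an added illustration written for this archive page; it is not SAFECode's runtime and not code from anyone in the thread. It works on abstract addresses instead of real memory so it runs identically on any host. The OOB region bounds are the 32-bit Linux values John gives; the object table, the rewrite table that remembers the real address behind each OOB value, the threshold of 20 (chosen to match the 20 faults in David's output) and the addresses 0x6be980 and 0x402254 reused from that output are modelling assumptions.

```c
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of SAFECode-style pointer rewriting (illustration, not SAFECode's
 * code). Region bounds are the 32-bit Linux values from the thread; the
 * tables and the threshold below are modelling assumptions. */
#define OOB_BASE        0xc0000000u
#define OOB_END         0xffffffffu
#define ERROR_THRESHOLD 20          /* matches the 20 faults in David's output */

struct object { uintptr_t start; size_t len; };

static struct object objects[8];      /* assumed object table */
static size_t        nobjects;
static uintptr_t     oob_orig[64];    /* assumed rewrite table: OOB value -> real address */
static unsigned      noob;
static unsigned      errors_reported;

void model_reset(void) { nobjects = 0; noob = 0; errors_reported = 0; }

/* An instrumented allocator would register every object like this. */
void register_object(uintptr_t start, size_t len) {
    if (nobjects < sizeof objects / sizeof objects[0])
        objects[nobjects++] = (struct object){ start, len };
}

static const struct object *find_object(uintptr_t p) {
    for (size_t i = 0; i < nobjects; i++)
        if (p >= objects[i].start && p < objects[i].start + objects[i].len)
            return &objects[i];
    return NULL;
}

int is_oob_pointer(uintptr_t p) { return p >= OOB_BASE && p <= OOB_END; }

/* Real address recorded for an OOB value, or 0 if p is not an OOB pointer. */
uintptr_t oob_original(uintptr_t p) {
    return (is_oob_pointer(p) && p - OOB_BASE <= noob) ? oob_orig[p - OOB_BASE] : 0;
}

/* Pointer-arithmetic check: an in-bounds result passes through; an
 * out-of-bounds one is replaced by a unique value in the unmapped OOB
 * region (0xc0000001 for the first rewrite, as in David's output). */
uintptr_t gep_check(uintptr_t base, ptrdiff_t off) {
    const struct object *o = find_object(base);
    uintptr_t result = base + (uintptr_t)off;
    if (o && result >= o->start && result < o->start + o->len)
        return result;
    if (noob + 1 < sizeof oob_orig / sizeof oob_orig[0])
        noob++;                       /* table full: reuse the last slot (model only) */
    oob_orig[noob] = result;          /* keep the real address for the report */
    return OOB_BASE + noob;
}

/* Load/store check: reports an OOB pointer but does NOT put the real
 * address back, so a caller that proceeds will fault. Returns 1 on OOB. */
int ls_check(uintptr_t p, uintptr_t pc) {
    if (!is_oob_pointer(p))
        return 0;
    errors_reported++;
    printf("model: load/store through OOB pointer 0x%" PRIxPTR " (real 0x%" PRIxPTR
           ") at PC=0x%" PRIxPTR "\n", p, oob_original(p), pc);
    return 1;
}

/* The modelled signal handler only reports; it neither fixes the pointer
 * nor skips the instruction, which is why the same fault repeats. */
static void fault_handler(uintptr_t p, uintptr_t pc) {
    errors_reported++;
    printf("model: fault accessing 0x%" PRIxPTR " at PC=0x%" PRIxPTR "\n", p, pc);
}

/* A program that reads access_len bytes of an alloc_len-byte object at one
 * load instruction. Returns the number of reports; *aborted is set when the
 * threshold ended the run, like the "Aborted" at the end of David's output. */
unsigned run_model(size_t alloc_len, size_t access_len, int *aborted) {
    const uintptr_t buf = 0x6be980, pc = 0x402254;   /* values from David's output */
    model_reset();
    register_object(buf, alloc_len);
    *aborted = 0;
    for (size_t i = 0; i < access_len; i++) {
        uintptr_t p = gep_check(buf, (ptrdiff_t)i);
        if (!ls_check(p, pc))
            continue;                 /* in bounds: the load simply happens */
        while (errors_reported < ERROR_THRESHOLD)
            fault_handler(p, pc);     /* stuck re-executing the faulting load */
        *aborted = 1;
        break;
    }
    return errors_reported;
}

int main(void) {
    int aborted;
    unsigned n = run_model(9, 10, &aborted);   /* 9-byte object, 10 bytes read */
    printf("%u reports, %s\n", n, aborted ? "Aborted" : "ran to completion");
    return 0;
}
```

Reading 10 bytes of a 9-byte object gives one load/store report followed by 19 identical faults at the same PC and then the abort, which is the shape of David's transcript. The model also shows what a run-to-completion mode would have to change: either the load/store check restores the real address (so the program performs the very out-of-bounds access the tool exists to stop) or the handler advances past the faulting instruction, and neither is a small option on top of the current design.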
- [svadev] question about SAFECode output, David Keaton, 01/18/2012
- Re: [svadev] question about SAFECode output, Matthew Wala, 01/18/2012
- Re: [svadev] question about SAFECode output, David Keaton, 01/19/2012
- Re: [svadev] question about SAFECode output, Matthew Wala, 01/19/2012
- Re: [svadev] question about SAFECode output, David Keaton, 01/20/2012
- Re: [svadev] question about SAFECode output, John Criswell, 01/23/2012
- Re: [svadev] question about SAFECode output, Matthew Wala, 01/19/2012
- Re: [svadev] question about SAFECode output, David Keaton, 01/19/2012
- Re: [svadev] question about SAFECode output, Matthew Wala, 01/18/2012