From b34db9e88336d673c3b69a65d8ffc41491731668 Mon Sep 17 00:00:00 2001
From: Alexander Potapenko
Date: Thu, 15 Nov 2012 13:40:44 +0000
Subject: [PATCH] [ASan] Poison the leftmost shadow byte with a special value so that we can find the beginning of the fake frame when reporting an use-after-return error.
Fixes http://code.google.com/p/address-sanitizer/issues/detail?id=126
llvm-svn: 168040
---
 compiler-rt/lib/asan/asan_allocator.cc | 4 ++++
 compiler-rt/lib/asan/asan_internal.h | 1 +
 compiler-rt/lib/asan/asan_report.cc | 1 +
 compiler-rt/lib/asan/asan_thread.cc | 6 ++++--
 4 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/compiler-rt/lib/asan/asan_allocator.cc b/compiler-rt/lib/asan/asan_allocator.cc
index de37137..d864ea1 100644
--- a/compiler-rt/lib/asan/asan_allocator.cc
+++ b/compiler-rt/lib/asan/asan_allocator.cc
@@ -998,6 +998,10 @@ void FakeStack::OnFree(uptr ptr, uptr size, uptr real_stack) {
   CHECK(fake_frame->descr != 0);
   CHECK(fake_frame->size_minus_one == size - 1);
   PoisonShadow(ptr, size, kAsanStackAfterReturnMagic);
+  CHECK(size >= SHADOW_GRANULARITY);
+  // Poison the leftmost shadow byte with a special value so that we can find
+  // the beginning of the fake frame when reporting an error.
+  PoisonShadow(ptr, SHADOW_GRANULARITY, kAsanStackAfterReturnLeftMagic);
 }
 }  // namespace __asan
diff --git a/compiler-rt/lib/asan/asan_internal.h b/compiler-rt/lib/asan/asan_internal.h
index f9a6149..a473a04 100644
--- a/compiler-rt/lib/asan/asan_internal.h
+++ b/compiler-rt/lib/asan/asan_internal.h
@@ -160,6 +160,7 @@ const int kAsanStackPartialRedzoneMagic = 0xf4;
 const int kAsanStackAfterReturnMagic = 0xf5;
 const int kAsanInitializationOrderMagic = 0xf6;
 const int kAsanUserPoisonedMemoryMagic = 0xf7;
+const int kAsanStackAfterReturnLeftMagic = 0xf8;
 const int kAsanGlobalRedzoneMagic = 0xf9;
 const int kAsanInternalHeapMagic = 0xfe;
diff --git a/compiler-rt/lib/asan/asan_report.cc b/compiler-rt/lib/asan/asan_report.cc
index 2fbf8fd..86bb66c 100644
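Review bot: In the FakeStack::OnFree hunk the new `CHECK(size >= SHADOW_GRANULARITY);` runs only after `PoisonShadow(ptr, size, kAsanStackAfterReturnMagic);` has already rewritten the frame's shadow, so an undersized frame is rejected one step too late; place it next to the two existing CHECKs above the first PoisonShadow call so that a frame failing validation leaves the shadow untouched. The second PoisonShadow call also relies on `ptr` being SHADOW_GRANULARITY-aligned for the marker to land on exactly one shadow byte, which nothing in the hunk asserts; if that alignment is not guaranteed by the fake-frame layout, `CHECK((ptr & (SHADOW_GRANULARITY - 1)) == 0);` alongside the size check would make the assumption explicit. The body of OnFree begins before the hunk.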
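Review bot: `kAsanStackAfterReturnLeftMagic = 0xf8` is added to asan_internal.h without a comment, although this patch couples it to code in three other files: OnFree writes it, GetFrameNameByAddr scans for it in the same breath as kAsanStackLeftRedzoneMagic, and __asan_report_error maps it to the same bug description as kAsanStackAfterReturnMagic. A one-line note such as `// First shadow byte of a freed fake frame; GetFrameNameByAddr treats it like a left redzone marker.` would keep the value from being reused or changed without updating that scan. Since the value fills the gap between 0xf7 and 0xf9, a reader also cannot tell from the list that it is a stack-frame marker rather than a new memory category, which the comment would settle.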
--- a/compiler-rt/lib/asan/asan_report.cc
+++ b/compiler-rt/lib/asan/asan_report.cc
@@ -450,6 +450,7 @@ void __asan_report_error(uptr pc, uptr bp, uptr sp,
       bug_descr = "stack-buffer-overflow";
       break;
     case kAsanStackAfterReturnMagic:
+    case kAsanStackAfterReturnLeftMagic:
       bug_descr = "stack-use-after-return";
       break;
     case kAsanUserPoisonedMemoryMagic:
diff --git a/compiler-rt/lib/asan/asan_thread.cc b/compiler-rt/lib/asan/asan_thread.cc
index bdb5022..9ac3962 100644
--- a/compiler-rt/lib/asan/asan_thread.cc
+++ b/compiler-rt/lib/asan/asan_thread.cc
@@ -131,12 +131,14 @@ const char *AsanThread::GetFrameNameByAddr(uptr addr, uptr *offset) {
   u8 *shadow_bottom = (u8*)MemToShadow(bottom);
   while (shadow_ptr >= shadow_bottom &&
-      *shadow_ptr != kAsanStackLeftRedzoneMagic) {
+      *shadow_ptr != kAsanStackLeftRedzoneMagic &&
+      *shadow_ptr != kAsanStackAfterReturnLeftMagic) {
     shadow_ptr--;
   }
   while (shadow_ptr >= shadow_bottom &&
-      *shadow_ptr == kAsanStackLeftRedzoneMagic) {
+      (*shadow_ptr == kAsanStackLeftRedzoneMagic ||
+       *shadow_ptr == kAsanStackAfterReturnLeftMagic)) {
     shadow_ptr--;
   }
-- 
2.7.4
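Review bot: The two-constant test for a frame-start marker is now spelled out twice in GetFrameNameByAddr, once negated in the first loop and once affirmed in the second, so the marker set can silently drift between the two loops the next time a value is added. A file-local predicate such as `static bool IsFrameStartMagic(u8 v) { return v == kAsanStackLeftRedzoneMagic || v == kAsanStackAfterReturnLeftMagic; }` used as `!IsFrameStartMagic(*shadow_ptr)` in the first loop and `IsFrameStartMagic(*shadow_ptr)` in the second keeps the definition in one place and reads closer to the intent. Note that the second loop now also walks through any run that mixes both markers, so a freed frame's 0xf8 byte lying directly below a live frame's left redzone would be consumed together with it; whether fake frames can be laid out that closely depends on code outside this hunk. GetFrameNameByAddr starts before the hunk, and the use of shadow_ptr after the loops is outside it.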