[asan] Fix and report the mem access start addr instead of poisoned addr

ACCESS_MEMORY_RANGE defined in asan_interceptors_memintrinsics.h
reports the poisoned address (__bad), instead of the start address
(__offset) during a memory access to ReportGenericError.

We can determine that the latter (__offset) is the intended
interpretation, as most error descriptions are decided by treating
the given address as a start address (for example, see:
PrintAccessAndVarIntersection in asan_descriptions.cpp, which
decides whether a variable underflows or overflows depending
on the given addr and access_size).

GCC also uses the latter interpretation. For instance, in buffer
overflows, it appears to do its own processing, and will report
the start address of an overflowing read to ASan. This is in
contrast to Clang, which uses __asan_memcpy directly.

This patch fixes the above issue.

Existing tests previously assumed and check for the former incorrect
behaviour. The error descriptions in those tests have thus been
corrected.

Author: wxwern

compiler-rt/lib/asan/asan_interceptors_memintrinsics.h

@@ -74,7 +74,7 @@ struct AsanInterceptorContext {
       }                                                                   \
       if (!suppressed) {                                                  \
         GET_CURRENT_PC_BP_SP;                                             \
-        ReportGenericError(pc, bp, sp, __bad, isWrite, __size, 0, false); \
+        ReportGenericError(pc, bp, sp, __offset, isWrite, __size, 0, false); \
       }                                                                   \
     }                                                                     \
   } while (0)

compiler-rt/test/asan/TestCases/heap-overflow-large.cpp renamed to compiler-rt/test/asan/TestCases/heap-overflow-large-offset.cpp

@@ -11,22 +11,22 @@
 int main() {
   char *p = new char;
   char *dest = new char;
-  const size_t offset = 0x4567890123456789;
+  const size_t size = 0x4567890123456789;
 
   // The output here needs to match the output from the sanitizer runtime,
   // which includes 0x and prints hex in lower case.
   //
   // On Windows, %p omits %0x and prints hex characters in upper case,
   // so we use PRIxPTR instead of %p.
   fprintf(stderr, "Expected bad addr: %#" PRIxPTR "\n",
-          reinterpret_cast<uintptr_t>(p + offset));
+          reinterpret_cast<uintptr_t>(p));
   // Flush it so the output came out before the asan report.
   fflush(stderr);
 
-  memmove(dest, p, offset);
+  memmove(dest, p, size);
   return 0;
 }
 
 // CHECK: Expected bad addr: [[ADDR:0x[0-9,a-f]+]]
-// CHECK: AddressSanitizer: unknown-crash on address [[ADDR]]
-// CHECK: Address [[ADDR]] is a wild pointer inside of access range of size 0x4567890123456789
+// CHECK: AddressSanitizer: heap-buffer-overflow on address [[ADDR]]
+// CHECK: READ of size 5001116549197948809 at [[ADDR]] thread T0

compiler-rt/test/asan/TestCases/wild_pointer.cpp renamed to compiler-rt/test/asan/TestCases/heap-overflow-large-read.cpp

@@ -19,7 +19,7 @@ int main(int argc, char **argv) {
   char s1[4] = "abC";
   __asan_poison_memory_region ((char *)&s1[2], 2);
   r = strcasestr(s1, s2);
-  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == s1 + 2);
   return 0;
 }

compiler-rt/test/asan/TestCases/strcasestr-1.c

@@ -20,6 +20,6 @@ int main(int argc, char **argv) {
   __asan_poison_memory_region ((char *)&s2[2], 2);
   r = strcasestr(s1, s2);
   assert(r == 0);
-  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   return 0;
 }

compiler-rt/test/asan/TestCases/strcasestr-2.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s1[4] = "caB";
   __asan_poison_memory_region ((char *)&s1[2], 2);
   r = strcspn(s1, s2);
-  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == 1);
   return 0;
 }

compiler-rt/test/asan/TestCases/strcspn-1.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s2[4] = "abc";
   __asan_poison_memory_region ((char *)&s2[2], 2);
   r = strcspn(s1, s2);
-  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == 0);
   return 0;
 }

compiler-rt/test/asan/TestCases/strcspn-2.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s1[4] = "cab";
   __asan_poison_memory_region ((char *)&s1[2], 2);
   r = strpbrk(s1, s2);
-  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == s1 + 1);
   return 0;
 }

compiler-rt/test/asan/TestCases/strpbrk-1.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s2[4] = "bca";
   __asan_poison_memory_region ((char *)&s2[2], 2);
   r = strpbrk(s1, s2);
-  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == s1);
   return 0;
 }

compiler-rt/test/asan/TestCases/strpbrk-2.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s1[4] = "acb";
   __asan_poison_memory_region ((char *)&s1[2], 2);
   r = strspn(s1, s2);
-  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == 1);
   return 0;
 }

compiler-rt/test/asan/TestCases/strspn-1.c

@@ -14,7 +14,7 @@ int main(int argc, char **argv) {
   char s2[5] = "abcd";
   __asan_poison_memory_region ((char *)&s2[3], 2);
   r = strspn(s1, s2);
-  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r >= 2);
   return 0;
 }

compiler-rt/test/asan/TestCases/strspn-2.c

@@ -15,7 +15,7 @@ int main(int argc, char **argv) {
   char s1[4] = "acb";
   __asan_poison_memory_region ((char *)&s1[2], 2);
   r = strstr(s1, s2);
-  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} {{partially overflows this variable|is inside this variable}}
+  // CHECK:'s1'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == s1 + 1);
   return 0;
 }

compiler-rt/test/asan/TestCases/strstr-1.c

@@ -15,7 +15,7 @@ int main(int argc, char **argv) {
   char s2[4] = "cab";
   __asan_poison_memory_region ((char *)&s2[2], 2);
   r = strstr(s1, s2);
-  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK:'s2'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
   assert(r == 0);
   return 0;
 }

compiler-rt/test/asan/TestCases/strstr-2.c

@@ -35,7 +35,7 @@ void test1() {
   char token_delimiter[2] = "b";
   __asan_poison_memory_region ((char *)&token_delimiter[1], 2);
   token = strtok(s, token_delimiter);
-  // CHECK1: 'token_delimiter'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK1: 'token_delimiter'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
 }
 
 // Check that we find overflows in the delimiters on the second call (str == NULL)
@@ -48,7 +48,7 @@ void test2() {
   assert(strcmp(token, "a") == 0);
   __asan_poison_memory_region ((char *)&token_delimiter[1], 2);
   token = strtok(NULL, token_delimiter);
-  // CHECK2: 'token_delimiter'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK2: 'token_delimiter'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
 }
 
 // Check that we find overflows in the string (only on the first call) with strict_string_checks.
@@ -58,7 +58,7 @@ void test3() {
   char token_delimiter[2] = "b";
   __asan_poison_memory_region ((char *)&s[3], 2);
   token = strtok(s, token_delimiter);
-  // CHECK3: 's'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK3: 's'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
 }
 
 // Check that we do not crash when strtok returns NULL with strict_string_checks.
@@ -78,7 +78,7 @@ void test5() {
   __asan_poison_memory_region ((char *)&s[2], 2);
   __asan_poison_memory_region ((char *)&token_delimiter[1], 2);
   token = strtok(s, token_delimiter);
-  // CHECK5: 's'{{.*}} <== Memory access at offset {{[0-9]+}} partially overflows this variable
+  // CHECK5: 's'{{.*}} <== Memory access at offset {{[0-9]+}} is inside this variable
 }
 
 // Check that we find overflows in the delimiters (only on the first call) with !strict_string_checks.