Fix a bug in the shadow walker.

syzygy/agent/asan/shadow.cc

 // Copyright 2012 Google Inc. All Rights Reserved.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //     http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ skipping 15 matching lines @@
 
 namespace {
 
 #ifdef _WIN64
 // A lock under which the shadow instance is modified.
 base::Lock shadow_instance_lock;
 
 // The pointer for the exception handler to know what shadow object is
 // currently used. Under shadow_instance_lock.
 // TODO(loskutov): eliminate this by enforcing Shadow to be a singleton.
-const Shadow* shadow_instance;
+const Shadow* shadow_instance = nullptr;
 
 // The exception handler, intended to map the pages for shadow and page_bits
 // on demand. When a page fault happens, the operating systems calls
 // this handler, and if the page is inside shadow or page_bits, it gets
 // commited seamlessly for the caller, and then execution continues.
 // Otherwise, the OS keeps searching for an appropriate handler.
 LONG NTAPI ShadowExceptionHandler(PEXCEPTION_POINTERS exception_pointers) {
+  DCHECK_NE(static_cast<const Shadow*>(nullptr), shadow_instance);
   // Only handle access violations.
   if (exception_pointers->ExceptionRecord->ExceptionCode !=
       EXCEPTION_ACCESS_VIOLATION) {
     return EXCEPTION_CONTINUE_SEARCH;
   }
 
   // Only handle access violations that land within the shadow memory
   // or the page bits.
 
   void* addr = reinterpret_cast<void*>(
@@ skipping 154 matching lines @@
   }
 
   auto cursor = shadow_ + i;
   MEMORY_BASIC_INFORMATION info = {};
   while (i < length_) {
     auto next_cursor = cursor;
     while (cursor < shadow_ + length_) {
       auto ret = ::VirtualQuery(cursor, &info, sizeof(info));
       DCHECK_GT(ret, 0u);
       next_cursor = static_cast<uint8_t*>(info.BaseAddress) + info.RegionSize;
-      if (info.Type == MEM_COMMIT)
+      if (info.State == MEM_COMMIT)
         break;
       cursor = next_cursor;
     }
     i = cursor - shadow_;
     next_cursor = std::min(next_cursor, shadow_ + length_);
     auto next_i = next_cursor - shadow_;
     for (; i < next_i; ++i) {
       if ((i >= shadow_begin && i < shadow_end) ||
           (i >= page_bits_begin && i < page_bits_end) ||
           (i >= this_begin && i < this_end)) {
@@ skipping 48 matching lines @@
   Init(true, mem, length);
 }
 
 void Shadow::Init(bool own_memory, void* shadow, size_t length) {
 #ifdef _WIN64
   {
     base::AutoLock lock(shadow_instance_lock);
     shadow_instance = this;
   }
   exception_handler_ =
-      AddVectoredExceptionHandler(TRUE, ShadowExceptionHandler);
+      ::AddVectoredExceptionHandler(TRUE, ShadowExceptionHandler);
 #endif
 
   // Handle the case of a failed allocation.
   if (shadow == nullptr) {
     own_memory_ = false;
     shadow_ = nullptr;
     length = 0;
     return;
   }
 
@@ skipping 579 matching lines @@
 }
 
 bool Shadow::ScanLeftForBracketingBlockStart(
     size_t initial_nesting_depth, size_t cursor, size_t* location) const {
   DCHECK_NE(static_cast<size_t*>(NULL), location);
 
   static const size_t kLowerBound = kAddressLowerBound / kShadowRatio;
 
   size_t left = cursor;
   int nesting_depth = static_cast<int>(initial_nesting_depth);
+
+  MEMORY_BASIC_INFORMATION memory_info = {};
+  SIZE_T ret =
+      ::VirtualQuery(&shadow_[left], &memory_info, sizeof(memory_info));
+  DCHECK_GT(ret, 0u);
+  if (memory_info.State != MEM_COMMIT)
+    return false;
+
   if (ShadowMarkerHelper::IsBlockEnd(shadow_[left]))
     --nesting_depth;
   while (true) {
+    if (&shadow_[left] < static_cast<const uint8_t*>(memory_info.BaseAddress)) {
+      ret = ::VirtualQuery(&shadow_[left], &memory_info, sizeof(memory_info));
+      DCHECK_GT(ret, 0u);
+      if (memory_info.State != MEM_COMMIT)
+        return false;
+    }
     if (ShadowMarkerHelper::IsBlockStart(shadow_[left])) {
       if (nesting_depth == 0) {
         *location = left;
         return true;
       }
       // If this is not a nested block then there's no hope of finding a
       // block containing the original cursor.
       if (!ShadowMarkerHelper::IsNestedBlockStart(shadow_[left]))
         return false;
       --nesting_depth;
@@ skipping 200 matching lines @@
   // Get the bounds as shadow indices, being careful to deal with overflow
   // of |upper_bound|.
   lower_index_ = reinterpret_cast<uintptr_t>(lower_bound) >> kShadowRatioLog;
   upper_index_ = reinterpret_cast<size_t>(::common::AlignUp(
       reinterpret_cast<const uint8_t*>(upper_bound), kShadowRatio));
   upper_index_--;
   upper_index_ >>= kShadowRatioLog;
   upper_index_++;
 
   DCHECK_LE(lower_index_, upper_index_);
-  DCHECK_GE(shadow->length(), upper_index_);
+  DCHECK_GE(shadow->length(), upper_index_ - lower_index_);
 
   Reset();
 }
 
 void ShadowWalker::Reset() {
   nesting_depth_ = -1;
   shadow_cursor_ = shadow_->shadow() + lower_index_;
 }
 
 bool ShadowWalker::Next(BlockInfo* info) {
@@ skipping 13 matching lines @@
     auto end_of_region = start_of_region + memory_info.RegionSize;
 
     // If the region isn't committed and readable memory then skip it.
     if (memory_info.State != MEM_COMMIT) {
       // If the next region is beyond the part of the shadow being scanned
       // then bail early (be careful to handle overflow here).
       if (end_of_region > shadow_upper_bound || end_of_region == nullptr)
         return false;
 
       // Step to the beginning of the next region and try again.
-      shadow_cursor_ = start_of_region;
+      shadow_cursor_ = end_of_region;
       continue;
     }
 
     // Getting here then |start_of_region| and |end_of_region| are a part of
     // the shadow that should be scanned. Calculate where to stop for this
     // region, taking care to handle overflow.
     if (!end_of_region) {
       end_of_region = shadow_upper_bound;
     } else {
       end_of_region = std::min(shadow_upper_bound, end_of_region);
@@ skipping 51 matching lines @@
       // Advance the shadow cursor.
       ++shadow_cursor_;
     }  // while (shadow_cursor_ < end_of_region)
   }
 
   return false;
 }
 
 }  // namespace asan
 }  // namespace agent