Stack-use-after-return bug appears when a stack object is used afterthe function where this object is defined has returned.Example (see alsoAddressSanitizerExampleUseAfterReturn):

int *ptr;void FunctionThatEscapesLocalObject() {  int local[100];  ptr = &local[0];}// *ptr is used later

AddressSanitizer currently does not attempt to detect these bugs by default,only with an additional flag run-time: ASAN_OPTIONS=detect_stack_use_after_return=1

Detection of stack-use-after-return is similar to detection of heap-use-after-free,but thequarantine should be implemented in a different way.

Once a function has returned, its stack memory is reused by the next call instruction.So in order to implement quarantine for the stack memory we need to promote stack to heap.The current implementation does it like this:

Before:

void foo() {  int local;  escape_addr(&local);}

After:

void foo() {  char redzone1[32];  int local;  char redzone2[32+28];  char *fake_stack = __asan_stack_malloc(&local, 96);  poison_redzones(fake_stack);  // Done by the inlined instrumentation code.  escape_addr(fake_stack + 32);  __asan_stack_free(stack, &local, 96)}

__asan_stack_malloc(real_stack, frame_size) allocates afake frame(frame_size bytes) from a thread-local heap-like structure (fake stack).Every fake frame comes unpoisoned and then the redzones are poisoned in the instrumentedfunction code.

__asan_stack_free(fake_stack, real_stack, frame_size)poisons the entire fake frame and deallocates it.

TheFake Stack allocator uses a fixed amount of memory per each thread.The allocator has 11 size classes (from2**6 bytes to2**16 bytes),every size class has fixed amount of chunks.If the given size class is fully used, the allocator will return 0 and thus regular stack will be used(i.e. stack-use-after-return detection will not work for the given function call).The amount of memory given to every size class is proportional to the size of thread's real stack,but not more than2**max_uar_stack_size_log (by default,2**20)and not less than2**min_uar_stack_size_log (by default,2**16). See also:AddressSanitizerFlags.

So, with the default 8Mb stack size and defaultAddressSanitizerFlags each size class will get2**20 bytes and thus every thread will mmap ~11Mb for Fake Stack.

The bigger the Fake Stack the better your chances to catch a stack-use-after-return and get a correct report, but the greater is the memory consumption.

Detecting stack-use-after-return is expensive in both CPU and RAM:

• Allocating fake frames introduces two function calls per every function with non-empty frame.
• The entire fake frames should be unpoisoned on entry and poisoned on exit, as opposed to poisoning just the redzones in the default mode.

These are the performance numbers on SPEC 2006. We've compared pure asan against ASAN_OPTIONS=detect_stack_use_after_return=1 both with-fsanitize=address -O2.4 benchmarks get 30% extra slowdown and one gets almost 2x extra slowdown. Other 14 benchmarks are not affected at all.

We have an experimental API to support interoperability ofAddressSanitizer's fake stack with garbage collection.Seehttp://llvm.org/viewvc/llvm-project?view=revision&revision=200908 and stay tuned for more news.

The fake stack may be incompatible with some low-level code thatuses certain assumptions about the stack memory layout.

• Code that takes an address of a local variable and assumes the variable is localed on the real stack.
• Implementations of C++ garbage collection may require special attention. See above.

TODO