Vlad Tsyrklevich | 08bc0525 | 2018-12-04 06:58:54

# GWP-ASan

GWP-ASan is a debug tool intended to detect heap memory errors in the wild. It
samples allocations to a debug allocator, similar to ElectricFence or Page Heap,
in order to detect heap memory errors and report additional debugging context.

## Allocator

The GuardedPageAllocator returns allocations on pages buffered on both sides by
guard pages. Each allocation is either left- or right-aligned within its page so
that buffer underflows and overflows, respectively, touch a guard page. When an
allocation is freed, its page is marked inaccessible so that use-after-frees
cause an exception (until the page is reused for another allocation).

The allocator saves stack traces on every allocation and deallocation to
preserve debug context if that allocation results in a memory error.

The allocator implements a quarantine mechanism by reserving virtual memory for
more allocations than it will ever hand out at the same time. The difference
forms a rudimentary quarantine: since not all slots can be in use at once, a
freed slot stays inaccessible for a while before it is reused, and an access to
it in that window is still caught.

Allocations are sampled to the GuardedPageAllocator using an [allocator shim](/base/allocator/README.md).
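The following is an added example of the allocator behaviour described above (a left- or right-aligned buffer between guard pages, an inaccessible page after free, and a slot pool larger than the live limit). It is not Chromium's GuardedPageAllocator: the slot counts, the rotating slot cursor and the signal-based fault probe are choices made here for illustration, stack-trace capture is omitted, and it relies on POSIX `mmap`/`mprotect` and signals so the detections can be observed in-process instead of crashing.

```c
/* Toy guarded-page allocator in the style of the text above: added example,
 * not Chromium's GuardedPageAllocator. POSIX only (mmap, mprotect, signals);
 * stack-trace capture is omitted. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define TOTAL_SLOTS 8  /* slots reserved (illustrative): guard, slot, guard, ..., guard */
#define MAX_LIVE    4  /* live allocations allowed at once; the rest is quarantine */

static size_t page_size;
static uint8_t *region;             /* 2*TOTAL_SLOTS+1 pages, all PROT_NONE initially */
static int slot_live[TOTAL_SLOTS];
static int live_count;
static unsigned next_slot;          /* rotating cursor so freed slots age before reuse */

static uint8_t *slot_page(int i) { return region + page_size * (2 * (size_t)i + 1); }

int gpa_init(void) {
  if (region) return 0;
  page_size = (size_t)sysconf(_SC_PAGESIZE);
  void *p = mmap(NULL, page_size * (2 * TOTAL_SLOTS + 1), PROT_NONE,
                 MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
  if (p == MAP_FAILED) return -1;
  region = p;
  return 0;
}

/* NULL means "no slot available"; a real shim would fall back to the normal heap. */
void *gpa_alloc(size_t size, int right_align) {
  if (!region || size == 0 || size > page_size || live_count >= MAX_LIVE) return NULL;
  for (unsigned tries = 0; tries < TOTAL_SLOTS; tries++) {
    int i = (int)(next_slot++ % TOTAL_SLOTS);
    if (slot_live[i]) continue;
    uint8_t *page = slot_page(i);
    if (mprotect(page, page_size, PROT_READ | PROT_WRITE) != 0) return NULL;
    slot_live[i] = 1;
    live_count++;
    /* Right-aligned: the byte after the buffer is the right guard page.
     * Left-aligned: the byte before the buffer is the left guard page. */
    return right_align ? page + page_size - size : page;
  }
  return NULL;
}

/* -1 for anything that is not a live guarded allocation (wild or double free). */
int gpa_free(void *p) {
  if (!region) return -1;
  uintptr_t off = (uintptr_t)p - (uintptr_t)region;
  size_t page_idx = (size_t)(off / page_size);
  if ((uintptr_t)p < (uintptr_t)region || page_idx >= 2 * TOTAL_SLOTS || page_idx % 2 == 0)
    return -1;
  int i = (int)(page_idx / 2);      /* page 1 -> slot 0, page 3 -> slot 1, ... */
  if (!slot_live[i]) return -1;
  mprotect(slot_page(i), page_size, PROT_NONE);  /* any later access faults */
  slot_live[i] = 0;
  live_count--;
  return 0;
}

static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }

/* Writes one byte through p; returns 1 if that access faulted, 0 if it succeeded. */
int access_faults(volatile uint8_t *p) {
  struct sigaction sa, old_segv, old_bus;
  volatile int faulted = 1;
  memset(&sa, 0, sizeof sa);
  sa.sa_handler = on_fault;
  sigemptyset(&sa.sa_mask);
  sigaction(SIGSEGV, &sa, &old_segv);
  sigaction(SIGBUS, &sa, &old_bus);
  if (sigsetjmp(fault_jmp, 1) == 0) {
    *p = 0x41;
    faulted = 0;
  }
  sigaction(SIGSEGV, &old_segv, NULL);
  sigaction(SIGBUS, &old_bus, NULL);
  return faulted;
}

/* Exercises the detections; returns a bitmask, 0x1f when everything was caught. */
int gpa_demo(void) {
  int caught = 0;
  if (gpa_init() != 0) return -1;
  uint8_t *a = gpa_alloc(16, 1);  /* right-aligned: a[16] is on a guard page */
  uint8_t *b = gpa_alloc(16, 0);  /* left-aligned: b[-1] is on a guard page */
  if (!a || !b) return -1;
  if (!access_faults(a + 15) && !access_faults(b)) caught |= 0x01;  /* in-bounds OK */
  if (access_faults(a + 16)) caught |= 0x02;                         /* overflow */
  if (access_faults(b - 1)) caught |= 0x04;                          /* underflow */
  if (gpa_free(a) == 0 && access_faults(a)) caught |= 0x08;          /* use-after-free */
  uint8_t *c = gpa_alloc(16, 1);  /* quarantine: the freed slot is not reused yet */
  if (c && c != a && access_faults(a)) caught |= 0x10;
  gpa_free(b);
  gpa_free(c);
  return caught;
}

int main(void) {
  printf("detection mask: 0x%x (0x1f = all)\n", gpa_demo());
  return 0;
}
```

The quarantine falls out of `MAX_LIVE < TOTAL_SLOTS` plus the rotating cursor: after `a` is freed its page stays `PROT_NONE` while later allocations take other slots, which is why the last probe still faults. Catching the fault with `siglongjmp` is only for the demonstration; in the real system the exception propagates to the crash handler.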

## Crash handler

The allocator is designed so that memory errors on GWP-ASan allocations
intentionally trigger invalid access exceptions. A hook in the crashpad crash
handler process inspects crashes, determines whether they are GWP-ASan
exceptions, and if so adds additional debug information to the crash minidump.

The crash handler hook decides whether the exception is related to GWP-ASan by
reading the allocator internals out of the crashed process and checking whether
the exception address falls within the bounds of the allocator region. If it
does, the hook extracts debug information about that allocation, such as thread
IDs and stack traces for the allocation (and the deallocation, if relevant), and
writes it to the crash dump.

The crash handler runs with elevated privileges, so parsing information from a
lesser-privileged process is security sensitive: the allocator state it reads
may have been corrupted by the very bug that caused the crash, or deliberately
by an attacker. The GWP-ASan hook is therefore specially structured to minimize
the amount of allocator logic it relies on and to validate the allocator
internals before reasoning about them.
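As an added example of that validate-first structure (not the Crashpad hook or Chromium's actual allocator layout): the snapshot struct, per-slot record and verdict enum below are hypothetical, as is the fixed layout of one guard page between every two slots; the sample snapshot and fault addresses are constructed inline. Every field copied out of the crashed process is checked before it is used to derive an index or a pointer, and a snapshot that fails those checks is reported as untrustworthy rather than interpreted.

```c
/* Crash-handler-side classification of a fault. Added example, not Crashpad's
 * hook; the layouts are hypothetical. The snapshot came from the crashed
 * (less privileged) process and is treated as untrusted throughout. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS 4096u   /* hard cap chosen here, never taken from the snapshot */

struct slot_meta {        /* hypothetical per-slot record */
  uintptr_t alloc_ptr;    /* pointer handed out, 0 if the slot was never used */
  size_t    size;
  uint32_t  alloc_tid;
  uint32_t  free_tid;     /* 0 while live */
  int       freed;
};

struct gpa_snapshot {     /* hypothetical allocator internals, untrusted */
  uintptr_t region_start, region_end;  /* guard, slot, guard, ..., guard */
  size_t page_size, num_slots;
  const struct slot_meta *meta;        /* num_slots entries, also copied out */
};

enum gpa_verdict {
  GPA_NOT_GWP_ASAN = 0,   /* fault address outside the region: not our crash */
  GPA_INVALID_STATE,      /* internals inconsistent: do not reason about them */
  GPA_BUFFER_OVERFLOW,
  GPA_BUFFER_UNDERFLOW,
  GPA_USE_AFTER_FREE,
  GPA_UNKNOWN_ACCESS      /* inside the region but not explained by metadata */
};

struct gpa_report { enum gpa_verdict verdict; size_t slot; uint32_t alloc_tid, free_tid; };

static int snapshot_valid(const struct gpa_snapshot *s) {
  if (!s || !s->meta) return 0;
  if (s->page_size < 4096 || s->page_size > (1u << 16) ||
      (s->page_size & (s->page_size - 1)) != 0) return 0;
  if (s->num_slots == 0 || s->num_slots > MAX_SLOTS) return 0;
  if (s->region_start % s->page_size != 0) return 0;
  uintptr_t len = (uintptr_t)s->page_size * (2 * s->num_slots + 1);  /* capped: no overflow */
  if (s->region_start > UINTPTR_MAX - len) return 0;
  return s->region_end == s->region_start + len;
}

static uintptr_t slot_page(const struct gpa_snapshot *s, size_t slot) {
  return s->region_start + s->page_size * (2 * slot + 1);
}

/* -1: metadata inconsistent with its slot, 0: slot never used, 1: usable. */
static int meta_state(const struct gpa_snapshot *s, size_t slot) {
  const struct slot_meta *m = &s->meta[slot];
  uintptr_t page = slot_page(s, slot);
  if (m->alloc_ptr == 0) return 0;
  if (m->size == 0 || m->size > s->page_size) return -1;
  if (m->alloc_ptr < page || m->alloc_ptr - page > s->page_size - m->size) return -1;
  if (!m->freed && m->free_tid != 0) return -1;
  return 1;
}

static void fill(struct gpa_report *r, const struct gpa_snapshot *s, size_t slot) {
  r->slot = slot; r->alloc_tid = s->meta[slot].alloc_tid; r->free_tid = s->meta[slot].free_tid;
}

enum gpa_verdict gpa_classify(const struct gpa_snapshot *s, uintptr_t addr, struct gpa_report *r) {
  memset(r, 0, sizeof *r);
  if (!snapshot_valid(s)) return r->verdict = GPA_INVALID_STATE;
  if (addr < s->region_start || addr >= s->region_end) return r->verdict = GPA_NOT_GWP_ASAN;
  size_t page_idx = (size_t)((addr - s->region_start) / s->page_size);
  if (page_idx % 2 == 1) {                        /* slot page: only a freed slot faults */
    size_t slot = page_idx / 2;
    int st = meta_state(s, slot);
    if (st < 0) return r->verdict = GPA_INVALID_STATE;
    if (st == 0) return r->verdict = GPA_UNKNOWN_ACCESS;
    fill(r, s, slot);
    return r->verdict = s->meta[slot].freed ? GPA_USE_AFTER_FREE : GPA_UNKNOWN_ACCESS;
  }
  /* Guard page: the slot to its left overflowed or the slot to its right
   * underflowed; attribute the fault to whichever allocation edge is nearer. */
  int have_l = page_idx >= 2, have_r = page_idx < 2 * s->num_slots;
  size_t l = have_l ? page_idx / 2 - 1 : 0, rt = page_idx / 2;
  int st_l = have_l ? meta_state(s, l) : 0, st_r = have_r ? meta_state(s, rt) : 0;
  if (st_l < 0 || st_r < 0) return r->verdict = GPA_INVALID_STATE;
  uintptr_t dl = UINTPTR_MAX, dr = UINTPTR_MAX;
  if (st_l == 1) dl = addr - (s->meta[l].alloc_ptr + s->meta[l].size);
  if (st_r == 1) dr = s->meta[rt].alloc_ptr - addr;
  if (dl == UINTPTR_MAX && dr == UINTPTR_MAX) return r->verdict = GPA_UNKNOWN_ACCESS;
  fill(r, s, dl <= dr ? l : rt);
  return r->verdict = dl <= dr ? GPA_BUFFER_OVERFLOW : GPA_BUFFER_UNDERFLOW;
}

/* Constructed sample: 4 slots at a fake base. Slot 0 holds a live right-aligned
 * 16-byte allocation, slot 1 a freed left-aligned 32-byte one; slots 2-3 unused. */
#define BASE ((uintptr_t)0x10000000)
static struct slot_meta sample_meta[4] = {
  { BASE + 0x2000 - 16, 16, 11, 0, 0 },
  { BASE + 0x3000, 32, 12, 13, 1 },
};
static const struct gpa_snapshot sample = { BASE, BASE + 0x9000, 4096, 4, sample_meta };

int main(void) {
  struct gpa_report r;
  uintptr_t probes[] = { BASE + 0x2000, BASE + 0x2fff, BASE + 0x3008, BASE + 0x9000 };
  for (size_t i = 0; i < 4; i++) {
    gpa_classify(&sample, probes[i], &r);
    printf("%#lx -> verdict %d slot %zu alloc_tid %u free_tid %u\n",
           (unsigned long)probes[i], r.verdict, r.slot, r.alloc_tid, r.free_tid);
  }
  return 0;
}
```

Note what the hook does not do: it never follows a pointer out of the snapshot without first proving it lies inside the slot it belongs to, it caps `num_slots` independently of what the crashed process claims, and it treats any inconsistency as "do not trust this" rather than guessing. A forged `region_end` or a slot record pointing outside its page therefore yields `GPA_INVALID_STATE`, not a misattributed report or an out-of-bounds read in the privileged handler.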

## Status

GWP-ASan is currently only implemented for the system allocator (i.e. not
PartitionAlloc) on Windows. It is not currently enabled by default, but can be
enabled using the following command-line switches. The field-trial parameters
are adjustable: as their names indicate, TotalAllocations sizes the guarded
allocator, AllocationSamplingFrequency sets the 1-in-N allocation sampling rate
and ProcessSamplingProbability the chance that a given process enables it at
all:

```shell
chrome --enable-features="GwpAsanMalloc<Study" \
    --force-fieldtrials=Study/Group1 \
    --force-fieldtrial-params=Study.Group1:TotalAllocations/64/AllocationSamplingFrequency/200/ProcessSamplingProbability/1.0
```

## Testing

There is [not yet](https://crbug.com/910751) a way to intentionally trigger a
GWP-ASan exception.

There is [not yet](https://crbug.com/910749) a way to inspect GWP-ASan data in
the minidump (crash report).