
ASan output doesn't show symbols when built with clang 3.8 or 3.9 #1043

Closed
thinkycx opened this issue Jan 17, 2019 · 2 comments

Comments


thinkycx commented Jan 17, 2019

built with clang

As we can see in the output, (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x41b8d9) doesn't show which line of the source code it belongs to. Does anyone know why?

Env:

ubuntu 18.04
$ clang -v
clang version 3.9.1-19ubuntu1 (tags/RELEASE_391/rc2)
Target: x86_64-pc-linux-gnu
Thread model: posix
InstalledDir: /usr/bin
Found candidate GCC installation: /usr/bin/../lib/gcc/i686-linux-gnu/8
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0
Found candidate GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/i686-linux-gnu/8
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/7.3.0
Found candidate GCC installation: /usr/lib/gcc/x86_64-linux-gnu/8
Selected GCC installation: /usr/bin/../lib/gcc/x86_64-linux-gnu/7.3.0
Candidate multilib: .;@m64
Candidate multilib: 32;@m32
Candidate multilib: x32;@mx32
Selected multilib: .;@m64
Found CUDA installation: /usr/local/cuda, version unknown

compile:

 clang -fsanitize=address -O1 -fno-omit-frame-pointer -g   uaf.c

source code:

#include <stdlib.h>
int main() {
    char *x = (char*)malloc(10 * sizeof(char*));
    free(x);
    return x[5];
}

run:

./a.out
=================================================================
==5010==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000dfb5 at pc 0x00000050331b bp 0x7ffddeed5ad0 sp 0x7ffddeed5ac8
READ of size 1 at 0x60700000dfb5 thread T0
    #0 0x50331a  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x50331a)
    #1 0x7f2e41177b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x41b8d9  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x41b8d9)

0x60700000dfb5 is located 5 bytes inside of 80-byte region [0x60700000dfb0,0x60700000e000)
freed by thread T0 here:
    #0 0x4cacf8  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x4cacf8)
    #1 0x5032ea  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x5032ea)
    #2 0x7f2e41177b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x4caeb0  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x4caeb0)
    #1 0x5032df  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x5032df)
    #2 0x7f2e41177b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

SUMMARY: AddressSanitizer: heap-use-after-free (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x50331a)
Shadow bytes around the buggy address:
  0x0c0e7fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c0e7fff9bf0: fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd fd fd
  0x0c0e7fff9c00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0e7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4

built with gcc

When I build with gcc, it displays well.

$ gcc -v
Using built-in specs.
COLLECT_GCC=gcc
COLLECT_LTO_WRAPPER=/usr/lib/gcc/x86_64-linux-gnu/7/lto-wrapper
OFFLOAD_TARGET_NAMES=nvptx-none
OFFLOAD_TARGET_DEFAULT=1
Target: x86_64-linux-gnu
Configured with: ../src/configure -v --with-pkgversion='Ubuntu 7.3.0-27ubuntu1~18.04' --with-bugurl=file:///usr/share/doc/gcc-7/README.Bugs --enable-languages=c,ada,c++,go,brig,d,fortran,objc,obj-c++ --prefix=/usr --with-gcc-major-version-only --program-suffix=-7 --program-prefix=x86_64-linux-gnu- --enable-shared --enable-linker-build-id --libexecdir=/usr/lib --without-included-gettext --enable-threads=posix --libdir=/usr/lib --enable-nls --with-sysroot=/ --enable-clocale=gnu --enable-libstdcxx-debug --enable-libstdcxx-time=yes --with-default-libstdcxx-abi=new --enable-gnu-unique-object --disable-vtable-verify --enable-libmpx --enable-plugin --enable-default-pie --with-system-zlib --with-target-system-zlib --enable-objc-gc=auto --enable-multiarch --disable-werror --with-arch-32=i686 --with-abi=m64 --with-multilib-list=m32,m64,mx32 --enable-multilib --with-tune=generic --enable-offload-targets=nvptx-none --without-cuda-driver --enable-checking=release --build=x86_64-linux-gnu --host=x86_64-linux-gnu --target=x86_64-linux-gnu
Thread model: posix
gcc version 7.3.0 (Ubuntu 7.3.0-27ubuntu1~18.04)
$ gcc -fsanitize=address -g uaf.c
$ ./a.out
=================================================================
==5208==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000000095 at pc 0x5645302d58e8 bp 0x7ffc87890440 sp 0x7ffc87890430
READ of size 1 at 0x607000000095 thread T0
    #0 0x5645302d58e7 in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:5
    #1 0x7fa529b84b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x5645302d57a9 in _start (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x7a9)

0x607000000095 is located 5 bytes inside of 80-byte region [0x607000000090,0x6070000000e0)
freed by thread T0 here:
    #0 0x7fa52a0327b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x5645302d58ab in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:4
    #2 0x7fa529b84b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)

previously allocated by thread T0 here:
    #0 0x7fa52a032b50 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdeb50)
    #1 0x5645302d589b in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:3
    #2 0x7fa529b84b96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
@thinkycx thinkycx changed the title ASan output doesn't show symbols ASan output doesn't show symbols when built with clang 3.8 or 3.9 Jan 17, 2019
@thinkycx
Author

Solved.

After I looked into the principle of ASan in AddressSanitizerCallStack, I noticed that:

AddressSanitizer uses llvm-symbolizer binary from the Clang distribution to symbolize the stack traces (note that ideally the llvm-symbolizer version must match the version of ASan runtime library).

I ran sudo ln -s /usr/bin/llvm-symbolizer-3.9 /usr/bin/llvm-symbolizer to make sure that llvm-symbolizer can be used from the command line. Alternatively, we can set the ASAN_SYMBOLIZER_PATH environment variable.

More info here:
https://github.com/google/sanitizers/wiki/AddressSanitizerCallStack

After rebuilding with clang -fsanitize=address -O1 -fno-omit-frame-pointer -g uaf.c, the output is now:

$ ./a.out
=================================================================
==6096==ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000dfb5 at pc 0x00000050331b bp 0x7ffe6387f0c0 sp 0x7ffe6387f0b8
READ of size 1 at 0x60700000dfb5 thread T0
    #0 0x50331a in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:5:18
    #1 0x7f38c6f23b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #2 0x41b8d9 in _start (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x41b8d9)

0x60700000dfb5 is located 5 bytes inside of 80-byte region [0x60700000dfb0,0x60700000e000)
freed by thread T0 here:
    #0 0x4cacf8 in __interceptor_free.localalias.0 (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x4cacf8)
    #1 0x5032ea in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:4:9
    #2 0x7f38c6f23b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 here:
    #0 0x4caeb0 in malloc (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x4caeb0)
    #1 0x5032df in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:3:24
    #2 0x7f38c6f23b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

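A fuzzing or CI pipeline should notice when an ASan report comes out unsymbolized like the first one above, since a "module+offset" frame is useless for triage until llvm-symbolizer resolves it. The following is an added example (not code from the issue or from the sanitizers project) that parses the two frame formats shown in this thread, reports whether a symbolizer ran, extracts the (module, offset) pairs that llvm-symbolizer --obj=MODULE OFFSET would need, and mirrors the lookup order the comment describes (ASAN_SYMBOLIZER_PATH first, then llvm-symbolizer on PATH). The sample frame lines are constructed from the reports quoted in this issue.

```python
import os
import re
import shutil

# Constructed samples: frame lines taken from the clang-built (unsymbolized)
# and llvm-symbolizer-fixed (symbolized) reports in this issue.
UNSYMBOLIZED = """\
    #0 0x50331a  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x50331a)
    #1 0x7f2e41177b96  (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #2 0x41b8d9  (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x41b8d9)
"""
SYMBOLIZED = """\
    #0 0x50331a in main /home/thinkycx/Fuzz/fuzzer/ASan/uaf.c:5:18
    #1 0x7f38c6f23b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #2 0x41b8d9 in _start (/home/thinkycx/Fuzz/fuzzer/ASan/a.out+0x41b8d9)
"""

# "#N 0xPC in func file:line[:col]" -> symbol and source location resolved
SRC_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+in\s+(\S+)\s+(.+?):(\d+)(?::\d+)?\s*$")
# "#N 0xPC [in func] (module+0xOFF)" -> at best a symbol name, no source location
MOD_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+(?:in\s+(\S+)\s+)?\((.+)\+0x([0-9a-f]+)\)\s*$")

def parse_frames(report):
    """One dict per stack frame; 'func' is None when ASan could not symbolize it at all."""
    frames = []
    for line in report.splitlines():
        m = SRC_RE.match(line)
        if m:
            frames.append({"n": int(m[1]), "pc": int(m[2], 16), "func": m[3], "file": m[4],
                           "line": int(m[5]), "module": None, "offset": None})
            continue
        m = MOD_RE.match(line)
        if m:
            frames.append({"n": int(m[1]), "pc": int(m[2], 16), "func": m[3], "file": None,
                           "line": None, "module": m[4], "offset": int(m[5], 16)})
    return frames

def needs_symbolizer(frames):
    """True if any frame lacks even a function name, i.e. no symbolizer was found."""
    return any(f["func"] is None for f in frames)

def symbolizer_inputs(frames):
    """(module, offset) pairs for unsymbolized frames, the inputs llvm-symbolizer --obj= takes."""
    return [(f["module"], hex(f["offset"])) for f in frames if f["func"] is None]

def find_symbolizer(env=None):
    """Lookup order from the comment above: ASAN_SYMBOLIZER_PATH, then llvm-symbolizer on PATH."""
    env = os.environ if env is None else env
    return env.get("ASAN_SYMBOLIZER_PATH") or shutil.which("llvm-symbolizer", path=env.get("PATH", ""))
```

If find_symbolizer() returns None on the build host, the report will look like the first one in this issue regardless of the -g flag.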
@hxingpax

Wow, good job
