
_Unwind_Backtrace cannot unwind past wrap___cxa_throw on Mac #23

Closed ramosian-glider closed 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 23

This is best reproducible with pdfsqueeze from the Chromium tree (see http://dev.chromium.org/developers/testing/addresssanitizer
for the build instructions; the target name is pdfsqueeze)

# input.pdf must be a valid pdf, probably one of those in the Chromium tree.
$ out/Release/pdfsqueeze input.pdf output.pdf
terminate called after throwing an instance of 'CMMException'
Abort trap

$ gdb out/Release/pdfsqueeze
...
(gdb) break wrap___cxa_throw 
Breakpoint 1 at 0xcb9d
(gdb) r input.pdf output.pdf

Breakpoint 1, 0x0000cb9d in wrap___cxa_throw ()
(gdb) bt
#0  0x0000cb9d in wrap___cxa_throw ()
#1  0x90d0d292 in CMMThrowExceptionOnError ()
#2  0x90d131b7 in CMMCurveTag::CMMCurveTag ()
#3  0x90d15651 in CMMParaCurveTag::CMMParaCurveTag ()
#4  0x90d259f8 in CMMProfile::MakeTag ()
#5  0x90d25dbd in CMMProfile::GetTag ()
#6  0x90d28049 in CMMProfile::GetCurveTag ()
#7  0x90d2808e in CMMProfile::InnerGetMatrixTags ()
#8  0x90d28170 in CMMMatrixDisplayProfile::GetMatrixTags ()
#9  0x90d2d4a7 in ConversionManager::MakeConversionSequence ()
#10 0x90d2eecb in DoInitializeTransform ()
#11 0x90d2f5ec in AppleCMMInitializeTransform ()
#12 0x90d5ec24 in ColorSyncCMMInitializeTransform ()
#13 0x90cffec6 in ColorSyncTransformCreate ()
#14 0x94a5795b in create ()
#15 0x94a51019 in aquireColorWorldByAttributes ()
#16 0x94a50e46 in acquireColorWorld ()
#17 0x94a50d05 in CMSTransformConvertComponents ()
#18 0x99637c9d in CGCMSInterfaceTransformConvertColorComponents ()
#19 0x99636e31 in CGColorTransformConvertColorFloatComponents ()
#20 0x99636cde in CGColorTransformConvertColorComponents ()
#21 0x01728e5a in FilterGStateColor ()
#22 0x01729211 in FilterGState ()
#23 0x0172a155 in ctxftr_DrawPath ()
#24 0x996cd68f in CGContextDrawPath ()
#25 0x996e5c9b in CGPDFDrawingContextDrawPath ()
#26 0x996e7b47 in op_f ()
#27 0x996e4dcc in pdf_scanner_handle_xname ()
#28 0x996e3ed4 in CGPDFScannerScan ()
#29 0x996e1ff0 in CGPDFDrawingContextDrawPage ()
#30 0x996e1c8a in CGContextDrawPDFPageWithProgressCallback ()
#31 0x996e1c24 in CGContextDrawPDFPage ()
#32 0x94c25bf9 in -[PDFPage(PDFPagePrivate) drawWithBox:inContext:] ()
#33 0x94c1e82b in -[PDFPage drawWithBox:] ()
#34 0x94c1c931 in -[PDFDocument(PDFDocumentInternal) writeToConsumer:withOptions:] ()
#35 0x94c1be42 in -[PDFDocument writeToURL:withOptions:] ()
#36 0x0000a060 in main (argc=3, argv=<value temporarily unavailable, due to optimizations>)
at third_party/pdfsqueeze/pdfsqueeze.m:64

(gdb) disas
Dump of assembler code for function wrap___cxa_throw:
0x0000cb90 <wrap___cxa_throw+0>:    push   %ebp
0x0000cb91 <wrap___cxa_throw+1>:    push   %ebx
0x0000cb92 <wrap___cxa_throw+2>:    push   %edi
0x0000cb93 <wrap___cxa_throw+3>:    push   %esi
0x0000cb94 <wrap___cxa_throw+4>:    sub    $0x1c,%esp
0x0000cb97 <wrap___cxa_throw+7>:    call   0xcb9c <wrap___cxa_throw+12>
0x0000cb9c <wrap___cxa_throw+12>:   pop    %esi
0x0000cb9d <wrap___cxa_throw+13>:   call   0x8ae0 <_ZN6__asan18asanThreadRegistryEv>
0x0000cba2 <wrap___cxa_throw+18>:   mov    %eax,(%esp)
0x0000cba5 <wrap___cxa_throw+21>:   call   0x8c70 <_ZN6__asan18AsanThreadRegistry10GetCurrentEv>
0x0000cbaa <wrap___cxa_throw+26>:   test   %eax,%eax
0x0000cbac <wrap___cxa_throw+28>:   je     0xcbf9 <wrap___cxa_throw+105>
0x0000cbae <wrap___cxa_throw+30>:   mov    0x38(%esp),%edi
0x0000cbb2 <wrap___cxa_throw+34>:   mov    0x34(%esp),%ebx
0x0000cbb6 <wrap___cxa_throw+38>:   mov    0x30(%esp),%ebp
0x0000cbba <wrap___cxa_throw+42>:   lea    -0xfe8(%esp),%ecx
0x0000cbc1 <wrap___cxa_throw+49>:   and    $0xfffff000,%ecx
0x0000cbc7 <wrap___cxa_throw+55>:   mov    0xc(%eax),%eax
0x0000cbca <wrap___cxa_throw+58>:   sub    %ecx,%eax
0x0000cbcc <wrap___cxa_throw+60>:   mov    %eax,0x4(%esp)
0x0000cbd0 <wrap___cxa_throw+64>:   mov    %ecx,(%esp)
0x0000cbd3 <wrap___cxa_throw+67>:   movl   $0x0,0x8(%esp)
0x0000cbdb <wrap___cxa_throw+75>:   call   0x54f0 <_ZN6__asan12PoisonShadowEmmh>
0x0000cbe0 <wrap___cxa_throw+80>:   mov    %edi,0x8(%esp)
0x0000cbe4 <wrap___cxa_throw+84>:   mov    %ebx,0x4(%esp)
0x0000cbe8 <wrap___cxa_throw+88>:   mov    %ebp,(%esp)
0x0000cbeb <wrap___cxa_throw+91>:   call   *0x64e8(%esi)
0x0000cbf1 <wrap___cxa_throw+97>:   add    $0x1c,%esp
0x0000cbf4 <wrap___cxa_throw+100>:  pop    %esi
0x0000cbf5 <wrap___cxa_throw+101>:  pop    %edi
0x0000cbf6 <wrap___cxa_throw+102>:  pop    %ebx
0x0000cbf7 <wrap___cxa_throw+103>:  pop    %ebp
0x0000cbf8 <wrap___cxa_throw+104>:  ret    
0x0000cbf9 <wrap___cxa_throw+105>:  lea    0x2340(%esi),%eax
0x0000cbff <wrap___cxa_throw+111>:  mov    %eax,0x4(%esp)
0x0000cc03 <wrap___cxa_throw+115>:  lea    0x32d3(%esi),%eax
0x0000cc09 <wrap___cxa_throw+121>:  mov    %eax,(%esp)
0x0000cc0c <wrap___cxa_throw+124>:  movl   $0x1e6,0x8(%esp)
0x0000cc14 <wrap___cxa_throw+132>:  call   0x5f00 <_ZN6__asan11CheckFailedEPKcS1_i>
0x0000cc19 <wrap___cxa_throw+137>:  nopl   0x0(%eax)
End of assembler dump.

Let's stop before real___cxa_throw:
0x0000cbeb <wrap___cxa_throw+91>:   call   *0x64e8(%esi)

(gdb) break *0x0000cbeb
Breakpoint 4 at 0xcbeb
(gdb) c

(gdb) bt
#0  0x0000cbeb in wrap___cxa_throw ()
#1  0x90d0d292 in CMMThrowExceptionOnError ()
#2  0x90d131b7 in CMMCurveTag::CMMCurveTag ()
#3  0x90d15651 in CMMParaCurveTag::CMMParaCurveTag ()
#4  0x90d259f8 in CMMProfile::MakeTag ()
#5  0x90d25dbd in CMMProfile::GetTag ()
#6  0x90d28049 in CMMProfile::GetCurveTag ()
#7  0x90d2808e in CMMProfile::InnerGetMatrixTags ()
#8  0x90d28170 in CMMMatrixDisplayProfile::GetMatrixTags ()
#9  0x90d2d4a7 in ConversionManager::MakeConversionSequence ()
#10 0x90d2eecb in DoInitializeTransform ()
#11 0x90d2f5ec in AppleCMMInitializeTransform ()
#12 0x90d5ec24 in ColorSyncCMMInitializeTransform ()
#13 0x90cffec6 in ColorSyncTransformCreate ()
#14 0x94a5795b in create ()
#15 0x94a51019 in aquireColorWorldByAttributes ()
#16 0x94a50e46 in acquireColorWorld ()
#17 0x94a50d05 in CMSTransformConvertComponents ()
#18 0x99637c9d in CGCMSInterfaceTransformConvertColorComponents ()
#19 0x99636e31 in CGColorTransformConvertColorFloatComponents ()
#20 0x99636cde in CGColorTransformConvertColorComponents ()
#21 0x01728e5a in FilterGStateColor ()
#22 0x01729211 in FilterGState ()
#23 0x0172a155 in ctxftr_DrawPath ()
#24 0x996cd68f in CGContextDrawPath ()
#25 0x996e5c9b in CGPDFDrawingContextDrawPath ()
#26 0x996e7b47 in op_f ()
#27 0x996e4dcc in pdf_scanner_handle_xname ()
#28 0x996e3ed4 in CGPDFScannerScan ()
#29 0x996e1ff0 in CGPDFDrawingContextDrawPage ()
#30 0x996e1c8a in CGContextDrawPDFPageWithProgressCallback ()
#31 0x996e1c24 in CGContextDrawPDFPage ()
#32 0x94c25bf9 in -[PDFPage(PDFPagePrivate) drawWithBox:inContext:] ()
#33 0x94c1e82b in -[PDFPage drawWithBox:] ()
#34 0x94c1c931 in -[PDFDocument(PDFDocumentInternal) writeToConsumer:withOptions:] ()
#35 0x94c1be42 in -[PDFDocument writeToURL:withOptions:] ()
#36 0x0000a060 in main (argc=3, argv=<value temporarily unavailable, due to optimizations>)
at third_party/pdfsqueeze/pdfsqueeze.m:64

(gdb) stepi
0xffc23000 in ?? ()
(gdb) bt
#0  0xffc23000 in ?? ()
#1  0x0000cbf1 in wrap___cxa_throw ()

Note that unwinding already fails at the very first instruction of the branch island allocated
by mach_override_ptr: the backtrace stops at frame #1 (wrap___cxa_throw) instead of continuing into the caller frames shown above.

(gdb) disas 0xffc23000 0xffc23020
Dump of assembler code from 0xffc23000 to 0xffc23020:
0xffc23000: push   %ebp
0xffc23001: mov    %esp,%ebp
0xffc23003: push   %esi
0xffc23004: push   %ebx
0xffc23005: nop    
0xffc23006: nop    
0xffc23007: nop    
0xffc23008: nop    
0xffc23009: nop    
0xffc2300a: nop    
0xffc2300b: nop    
0xffc2300c: nop    
0xffc2300d: nop    
0xffc2300e: nop    
0xffc2300f: nop    
0xffc23010: jmp    0x91448250 <__cxa_throw+5>
0xffc23015: add    %al,(%eax)
0xffc23017: add    %al,(%ecx)
0xffc23019: add    %al,(%eax)
0xffc2301b: add    %al,(%eax)
0xffc2301d: add    %al,(%eax)
0xffc2301f: add    %al,(%eax)

(gdb) c
Continuing.
terminate called after throwing an instance of 'CMMException'

Program received signal SIGABRT, Aborted.
0x94abac5a in __kill ()

(gdb) bt
#0  0x94abac5a in __kill ()
#1  0x94abac4c in kill$UNIX2003 ()
#2  0x94b4d5a5 in raise ()
#3  0x94b636e4 in abort ()
#4  0x91449fda in __gnu_cxx::__verbose_terminate_handler ()
#5  0x9144817a in __cxxabiv1::__terminate ()
#6  0x914481ba in std::terminate ()
#7  0x914482b8 in __cxa_throw ()
#8  0x0000cbf1 in wrap___cxa_throw ()

I believe the failure to unwind the stack is what leads to the incorrect exception handling
(the unwinder cannot find a handler past wrap___cxa_throw, so std::terminate is called). If
so, any other wrapped function that may throw an exception (fortunately we don't have any
yet) would be affected in the same way.
If we don't wrap __cxa_throw(), the problem goes away.

Reported by ramosian.glider on 2011-12-28 13:11:16

ramosian-glider commented 9 years ago
Building the runtime library with -funwind-tables fixes the problem: the wrapper functions then get unwind-table entries of their own, so the unwinder can step through wrap___cxa_throw into the frames that own the exception handlers.

Reported by ramosian.glider on 2011-12-29 10:42:24

ramosian-glider commented 9 years ago

Reported by ramosian.glider on 2012-01-10 12:17:06

ramosian-glider commented 9 years ago

Reported by ramosian.glider on 2012-09-13 13:40:44

ramosian-glider commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:58