Closed ramosian-glider closed 9 years ago
after quite a few runs I've got this:
[ RUN ] AddressSanitizerInterface.GetAllocatedSizeAndOwnershipTest
tests/asan_noinst_test.cc:361: Failure
Death test: __asan_get_allocated_size(array + kArraySize / 2)
Result: died but not with expected error.
Expected: attempting to call __asan_get_allocated_size()
Actual msg: ASAN:SIGSEGV
==99711== ERROR: AddressSanitizer crashed on unknown address 0x000000000000
Reported by konstantin.s.serebryany
on 2012-07-04 08:05:55
$ cat t.cc
#include <stdio.h>
#include <assert.h>
#include <unistd.h>
extern "C"
bool __asan_get_ownership(void *ptr);
int main() {
const size_t kArraySize = 100;
char *array = (char*)malloc(kArraySize);
char *p = array + kArraySize / 2;
printf("__asan_get_ownership(%p): %d\n", p, __asan_get_ownership(p));
if (__asan_get_ownership(p)) {
fprintf(stderr, "pid: %d\n", getpid());
sleep(1000);
}
return 0;
}
$ rm log; while true; do ASAN_OPTIONS=sleep_before_dying=1000 ./t 2>&1 | tee -a log;
done
...
__asan_get_ownership(0x10c39bfb2): 0
__asan_get_ownership(0x110933fb2): 0
__asan_get_ownership(0x107db8fb2): 0
__asan_get_ownership(0x10ca1bfb2): 0
__asan_get_ownership(0x104195fb2): 0
__asan_get_ownership(0x111a9ffb2): 0
__asan_get_ownership(0x109095fb2): 0
__asan_get_ownership(0x105d8efb2): 0
__asan_get_ownership(0x10c121fb2): 0
ASAN:SIGSEGV
==10282== ERROR: AddressSanitizer crashed on unknown address 0xffffff0103249ea9 (pc
0x000100dd0ccb sp 0x7fff5ee32ab0 bp 0x000000000001 T0)
AddressSanitizer can not provide additional info. ABORTING
#0 0x100dd0ccb (/Users/glider/src/asan/llvm/projects/compiler-rt/lib/asan/./t+0x3ccb)
Stats: 0M malloced (0M for red zones) by 1 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
mmaps by size class: 8:16383;
mallocs by size class: 8:1;
frees by size class:
rfrees by size class:
Stats: malloc large: 0 small slow: 1
==10282== Sleeping for 1000 second(s)
Reported by ramosian.glider
on 2012-08-06 09:49:01
Started
ASan is unable to unwind past main() in ./t, but I'm getting the following stack from
gdb each time the crash occurs:
#0 0x00007fff87133386 in __semwait_signal ()
#1 0x00007fff89f29828 in nanosleep ()
#2 0x00007fff89f296b2 in sleep ()
#3 0x000000010edd3ee5 in __sanitizer::Die ()
#4 0x00007fff6e9d056e in __dyld__ZN4dyldL12registerDOFsERKNSt3__16vectorIN11ImageLoader7DOFInfoENS0_9allocatorIS3_EEEE
()
Looks like the crash in dyld::registerDOFs happens before the main().
Reported by ramosian.glider
on 2012-08-06 10:58:31
Apart from the above problem, for the same test __asan_get_ownership() sometimes incorrectly
returns 1 (this is the case described in comment #1).
This happens because the following function:
376 uptr AllocationSize(uptr ptr) {
377 if (!ptr) return 0;
378 ScopedLock lock(&mu_);
379
380 // first, check if this is our memory
381 PageGroup *g = FindPageGroupUnlocked(ptr);
382 if (!g) return 0;
383 AsanChunk *m = PtrToChunk(ptr);
384 if (m->chunk_state == CHUNK_ALLOCATED) {
385 return m->used_size;
386 } else {
387 return 0;
388 }
389 }
returns some random value as m->used_size.
I've inserted two CHECKs into the CHUNK_ALLOCATED branch:
CHECK(m->alloc_tid >= 0);
CHECK(m->free_tid == kInvalidTid);
, and the second one has started failing.
This means that for some reason AllocationSize() does not bail out after a call to
FindPageGroupUnlocked() for an invalid ptr. As a result, an invalid chunk pointer is
calculated, which accidentally has chunk_state==CHUNK_ALLOCATED, but other fields are
incorrect.
Reported by ramosian.glider
on 2012-08-06 11:13:15
After a discussion with Alexey we've decided to look up for the chunk containing |ptr|
and check whether |ptr| is actually the beginning of this chunk.
Clang r161320 should fix this issue.
Reported by ramosian.glider
on 2012-08-06 12:25:29
Reported by ramosian.glider
on 2012-08-06 12:25:38
Fixed
Reported by ramosian.glider
on 2012-09-13 13:43:12
Adding Project:AddressSanitizer as part of GitHub migration.
Reported by ramosian.glider
on 2015-07-30 09:12:59
Originally reported on Google Code with ID 86
Reported by
ramosian.glider
on 2012-07-03 14:53:22