ramosian-glider / sanitizer-issues


mz_free is called for non-allocated memory in Chromium tests #99

Closed ramosian-glider closed 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 99

$ out/Release/media_unittests --gtest_filter=VideoCaptureDeviceTest.OpenInvalidDevice 2>&1 | tee log | tools/valgrind/asan/asan_symbolize.py | c++filt
[ RUN      ] VideoCaptureDeviceTest.OpenInvalidDevice
==39177== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed:
0x0320acd0
    #0 0x12d935a in (anonymous namespace)::mz_free(_malloc_zone_t*, void*) (in media_unittests)
+ 58
    #1 0x99b3614c in -[__CFx606449CHT hashGrow] (in CoreFoundation) + 220
    #2 0x99ae1ee9 in -[__CFx606449CHT addObject:] (in CoreFoundation) + 137
    #3 0x99ad0613 in _CFBundleCreate (in CoreFoundation) + 867
    #4 0x99b49a16 in CFPlugInCreate (in CoreFoundation) + 38
    #5 0x92a30d13 in MIO::DAL::PlugInManagement::OpenPlugInsInDirectory(__CFString
const*, char const*) (in CoreMediaIOServices) + 357
    #6 0x92a310cc in MIO::DAL::PlugInManagement::RegisterPlugIns() (in CoreMediaIOServices)
+ 484
    #7 0x92a312b8 in MIO::DAL::PlugInManagement::Initialize() (in CoreMediaIOServices)
+ 348
    #8 0x92a2baec in MIO::DAL::System::InitializeDevices() (in CoreMediaIOServices)
+ 10
    #9 0x92a2c9d0 in MIO::DAL::System::CheckOutInstance() (in CoreMediaIOServices)
+ 376
    #10 0x92a261bd in TundraObjectGetPropertyDataSize (in CoreMediaIOServices) + 137
    #11 0x9a6a3b04 in +[QTCaptureDALDevice _refreshDevices] (in QTKit) + 233
    #12 0x9a6a0f4a in +[QTCaptureDALDevice devicesWithIOType:] (in QTKit) + 54
    #13 0x9a6a5012 in +[QTCaptureDevice devicesWithIOType:] (in QTKit) + 204
    #14 0x9a6a4b03 in +[QTCaptureDevice inputDevices] (in QTKit) + 41
    #15 0x9a6a4a49 in +[QTCaptureDevice inputDevicesWithMediaType:] (in QTKit) + 35
    #16 0xeaafbd in +[VideoCaptureDeviceQTKit deviceNames] (in media_unittests) + 141
    #17 0xea82b8 in media::VideoCaptureDevice::GetDeviceNames(std::list<media::VideoCaptureDevice::Name,
std::allocator<media::VideoCaptureDevice::Name> >*) (in media_unittests) + 680
    #18 0xea8ca0 in media::VideoCaptureDeviceMac::Init() (in media_unittests) + 512
    #19 0xea8977 in media::VideoCaptureDevice::Create(media::VideoCaptureDevice::Name
const&) (in media_unittests) + 327
    #20 0x7beff9 in media::VideoCaptureDeviceTest_OpenInvalidDevice_Test::TestBody()
(in media_unittests) + 409
    #21 0xf06d03 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in media_unittests)
+ 499
    #22 0xee8ec1 in testing::Test::Run() (in media_unittests) + 1489
    #23 0xeeaeb0 in testing::TestInfo::Run() (in media_unittests) + 1616
    #24 0xeebde9 in testing::TestCase::Run() (in media_unittests) + 1417
    #25 0xefde87 in testing::internal::UnitTestImpl::RunAllTests() (in media_unittests)
+ 3527
    #26 0xf08963 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in media_unittests) + 499
    #27 0xefd057 in testing::UnitTest::Run() (in media_unittests) + 311
    #28 0x88e346 in base::TestSuite::Run() (in media_unittests) + 726
    #29 0x3b30c7 in main (in media_unittests) + 167
Stats: 1M malloced (4M for red zones) by 18917 calls
Stats: 0M realloced by 242 calls
Stats: 0M freed by 14444 calls
Stats: 0M really freed by 0 calls
Stats: 36M (9220 full pages) mmaped in 9 calls
  mmaps   by size class: 8:32766; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256;
15:128;
  mallocs by size class: 8:17674; 9:504; 10:600; 11:80; 12:23; 13:32; 14:2; 15:2;
  frees   by size class: 8:13417; 9:347; 10:573; 11:74; 12:9; 13:24;
  rfrees  by size class:
Stats: malloc large: 2 small slow: 49

Reported by ramosian.glider on 2012-08-10 10:37:25

ramosian-glider commented 9 years ago

$ ASAN_OPTIONS="mac_ignore_invalid_free=1" out/Release/media_unittests --gtest_filter=VideoCaptureDeviceTest.OpenInvalidDevice 2>&1 | tee log | tools/valgrind/asan/asan_symbolize.py | c++filt
[ RUN      ] VideoCaptureDeviceTest.OpenInvalidDevice
free_common(0x0320acd0) -- attempting to free unallocated memory.
AddressSanitizer is ignoring this error on Mac OS now.
malloc_zone_from_ptr(0x0320acd0) = 0x03199000, which is DefaultPurgeableMallocZone
    #0 0x12d938f in (anonymous namespace)::mz_free(_malloc_zone_t*, void*) (in media_unittests)
+ 111
    #1 0x99b3614c in -[__CFx606449CHT hashGrow] (in CoreFoundation) + 220
    #2 0x99ae1ee9 in -[__CFx606449CHT addObject:] (in CoreFoundation) + 137
    #3 0x99ad0613 in _CFBundleCreate (in CoreFoundation) + 867
    #4 0x99b49a16 in CFPlugInCreate (in CoreFoundation) + 38
    #5 0x92a30d13 in MIO::DAL::PlugInManagement::OpenPlugInsInDirectory(__CFString
const*, char const*) (in CoreMediaIOServices) + 357
    #6 0x92a310cc in MIO::DAL::PlugInManagement::RegisterPlugIns() (in CoreMediaIOServices)
+ 484
    #7 0x92a312b8 in MIO::DAL::PlugInManagement::Initialize() (in CoreMediaIOServices)
+ 348
    #8 0x92a2baec in MIO::DAL::System::InitializeDevices() (in CoreMediaIOServices)
+ 10
    #9 0x92a2c9d0 in MIO::DAL::System::CheckOutInstance() (in CoreMediaIOServices)
+ 376
    #10 0x92a261bd in TundraObjectGetPropertyDataSize (in CoreMediaIOServices) + 137
    #11 0x9a6a3b04 in +[QTCaptureDALDevice _refreshDevices] (in QTKit) + 233
    #12 0x9a6a0f4a in +[QTCaptureDALDevice devicesWithIOType:] (in QTKit) + 54
    #13 0x9a6a5012 in +[QTCaptureDevice devicesWithIOType:] (in QTKit) + 204
    #14 0x9a6a4b03 in +[QTCaptureDevice inputDevices] (in QTKit) + 41
    #15 0x9a6a4a49 in +[QTCaptureDevice inputDevicesWithMediaType:] (in QTKit) + 35
    #16 0xeaafbd in +[VideoCaptureDeviceQTKit deviceNames] (in media_unittests) + 141
    #17 0xea82b8 in media::VideoCaptureDevice::GetDeviceNames(std::list<media::VideoCaptureDevice::Name,
std::allocator<media::VideoCaptureDevice::Name> >*) (in media_unittests) + 680
    #18 0xea8ca0 in media::VideoCaptureDeviceMac::Init() (in media_unittests) + 512
    #19 0xea8977 in media::VideoCaptureDevice::Create(media::VideoCaptureDevice::Name
const&) (in media_unittests) + 327
    #20 0x7beff9 in media::VideoCaptureDeviceTest_OpenInvalidDevice_Test::TestBody()
(in media_unittests) + 409
    #21 0xf06d03 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in media_unittests)
+ 499
    #22 0xee8ec1 in testing::Test::Run() (in media_unittests) + 1489
    #23 0xeeaeb0 in testing::TestInfo::Run() (in media_unittests) + 1616
    #24 0xeebde9 in testing::TestCase::Run() (in media_unittests) + 1417
    #25 0xefde87 in testing::internal::UnitTestImpl::RunAllTests() (in media_unittests)
+ 3527
    #26 0xf08963 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in media_unittests) + 499
    #27 0xefd057 in testing::UnitTest::Run() (in media_unittests) + 311
    #28 0x88e346 in base::TestSuite::Run() (in media_unittests) + 726
    #29 0x3b30c7 in main (in media_unittests) + 167
free_common(0x0320ae30) -- attempting to free unallocated memory.
AddressSanitizer is ignoring this error on Mac OS now.
malloc_zone_from_ptr(0x0320ae30) = 0x03199000, which is DefaultPurgeableMallocZone
    #0 0x12d938f in (anonymous namespace)::mz_free(_malloc_zone_t*, void*) (in media_unittests)
+ 111
    #1 0x99b3641b in -[__CFx606449CMT grow] (in CoreFoundation) + 683
    #2 0x99ae23f8 in -[__CFx606449CMT setObject:forKey:] (in CoreFoundation) + 168
    #3 0x99ad064a in _CFBundleCreate (in CoreFoundation) + 922
    #4 0x99b49a16 in CFPlugInCreate (in CoreFoundation) + 38
    #5 0x92a30d13 in MIO::DAL::PlugInManagement::OpenPlugInsInDirectory(__CFString
const*, char const*) (in CoreMediaIOServices) + 357
    #6 0x92a310cc in MIO::DAL::PlugInManagement::RegisterPlugIns() (in CoreMediaIOServices)
+ 484
    #7 0x92a312b8 in MIO::DAL::PlugInManagement::Initialize() (in CoreMediaIOServices)
+ 348
    #8 0x92a2baec in MIO::DAL::System::InitializeDevices() (in CoreMediaIOServices)
+ 10
    #9 0x92a2c9d0 in MIO::DAL::System::CheckOutInstance() (in CoreMediaIOServices)
+ 376
    #10 0x92a261bd in TundraObjectGetPropertyDataSize (in CoreMediaIOServices) + 137
    #11 0x9a6a3b04 in +[QTCaptureDALDevice _refreshDevices] (in QTKit) + 233
    #12 0x9a6a0f4a in +[QTCaptureDALDevice devicesWithIOType:] (in QTKit) + 54
    #13 0x9a6a5012 in +[QTCaptureDevice devicesWithIOType:] (in QTKit) + 204
    #14 0x9a6a4b03 in +[QTCaptureDevice inputDevices] (in QTKit) + 41
    #15 0x9a6a4a49 in +[QTCaptureDevice inputDevicesWithMediaType:] (in QTKit) + 35
    #16 0xeaafbd in +[VideoCaptureDeviceQTKit deviceNames] (in media_unittests) + 141
    #17 0xea82b8 in media::VideoCaptureDevice::GetDeviceNames(std::list<media::VideoCaptureDevice::Name,
std::allocator<media::VideoCaptureDevice::Name> >*) (in media_unittests) + 680
    #18 0xea8ca0 in media::VideoCaptureDeviceMac::Init() (in media_unittests) + 512
    #19 0xea8977 in media::VideoCaptureDevice::Create(media::VideoCaptureDevice::Name
const&) (in media_unittests) + 327
    #20 0x7beff9 in media::VideoCaptureDeviceTest_OpenInvalidDevice_Test::TestBody()
(in media_unittests) + 409
    #21 0xf06d03 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in media_unittests)
+ 499
    #22 0xee8ec1 in testing::Test::Run() (in media_unittests) + 1489
    #23 0xeeaeb0 in testing::TestInfo::Run() (in media_unittests) + 1616
    #24 0xeebde9 in testing::TestCase::Run() (in media_unittests) + 1417
    #25 0xefde87 in testing::internal::UnitTestImpl::RunAllTests() (in media_unittests)
+ 3527
    #26 0xf08963 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in media_unittests) + 499
    #27 0xefd057 in testing::UnitTest::Run() (in media_unittests) + 311
    #28 0x88e346 in base::TestSuite::Run() (in media_unittests) + 726
    #29 0x3b30c7 in main (in media_unittests) + 167
free_common(0x0320ae70) -- attempting to free unallocated memory.
AddressSanitizer is ignoring this error on Mac OS now.
malloc_zone_from_ptr(0x0320ae70) = 0x03199000, which is DefaultPurgeableMallocZone
    #0 0x12d938f in (anonymous namespace)::mz_free(_malloc_zone_t*, void*) (in media_unittests)
+ 111
    #1 0x99b36433 in -[__CFx606449CMT grow] (in CoreFoundation) + 707
    #2 0x99ae23f8 in -[__CFx606449CMT setObject:forKey:] (in CoreFoundation) + 168
    #3 0x99ad064a in _CFBundleCreate (in CoreFoundation) + 922
    #4 0x99b49a16 in CFPlugInCreate (in CoreFoundation) + 38
    #5 0x92a30d13 in MIO::DAL::PlugInManagement::OpenPlugInsInDirectory(__CFString
const*, char const*) (in CoreMediaIOServices) + 357
    #6 0x92a310cc in MIO::DAL::PlugInManagement::RegisterPlugIns() (in CoreMediaIOServices)
+ 484
    #7 0x92a312b8 in MIO::DAL::PlugInManagement::Initialize() (in CoreMediaIOServices)
+ 348
    #8 0x92a2baec in MIO::DAL::System::InitializeDevices() (in CoreMediaIOServices)
+ 10
    #9 0x92a2c9d0 in MIO::DAL::System::CheckOutInstance() (in CoreMediaIOServices)
+ 376
    #10 0x92a261bd in TundraObjectGetPropertyDataSize (in CoreMediaIOServices) + 137
    #11 0x9a6a3b04 in +[QTCaptureDALDevice _refreshDevices] (in QTKit) + 233
    #12 0x9a6a0f4a in +[QTCaptureDALDevice devicesWithIOType:] (in QTKit) + 54
    #13 0x9a6a5012 in +[QTCaptureDevice devicesWithIOType:] (in QTKit) + 204
    #14 0x9a6a4b03 in +[QTCaptureDevice inputDevices] (in QTKit) + 41
    #15 0x9a6a4a49 in +[QTCaptureDevice inputDevicesWithMediaType:] (in QTKit) + 35
    #16 0xeaafbd in +[VideoCaptureDeviceQTKit deviceNames] (in media_unittests) + 141
    #17 0xea82b8 in media::VideoCaptureDevice::GetDeviceNames(std::list<media::VideoCaptureDevice::Name,
std::allocator<media::VideoCaptureDevice::Name> >*) (in media_unittests) + 680
    #18 0xea8ca0 in media::VideoCaptureDeviceMac::Init() (in media_unittests) + 512
    #19 0xea8977 in media::VideoCaptureDevice::Create(media::VideoCaptureDevice::Name
const&) (in media_unittests) + 327
    #20 0x7beff9 in media::VideoCaptureDeviceTest_OpenInvalidDevice_Test::TestBody()
(in media_unittests) + 409
    #21 0xf06d03 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in media_unittests)
+ 499
    #22 0xee8ec1 in testing::Test::Run() (in media_unittests) + 1489
    #23 0xeeaeb0 in testing::TestInfo::Run() (in media_unittests) + 1616
    #24 0xeebde9 in testing::TestCase::Run() (in media_unittests) + 1417
    #25 0xefde87 in testing::internal::UnitTestImpl::RunAllTests() (in media_unittests)
+ 3527
    #26 0xf08963 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in media_unittests) + 499
    #27 0xefd057 in testing::UnitTest::Run() (in media_unittests) + 311
    #28 0x88e346 in base::TestSuite::Run() (in media_unittests) + 726
    #29 0x3b30c7 in main (in media_unittests) + 167
[39536:-1600703168:0810/143727:691277116511509:ERROR:video_capture_device_mac.mm(32)]
Could not initialize VideoCaptureDevice.
[       OK ] VideoCaptureDeviceTest.OpenInvalidDevice (277 ms)

Reported by ramosian.glider on 2012-08-10 10:38:39

ramosian-glider commented 9 years ago
Here's the output from malloc_history for the first address being freed:

$ malloc_history 47703 0x0320acd0
malloc_history Report Version:  2.0
Process:         media_unittests [47703]
Path:            /Users/glider/src/chrome-commit/src/out/Release/media_unittests
Load Address:    0x1000
Identifier:      media_unittests
Version:         ??? (???)
Code Type:       X86 (Native)
Parent Process:  bash [45289]

Date/Time:       2012-08-10 14:58:50.607 +0400
OS Version:      Mac OS X 10.6.8 (10K549)
Report Version:  7

ALLOC 0x320acd0-0x320ad0f [size=64]: thread_a0973540 |_dyld_start | dyldbootstrap::start(macho_header
const*, int, char const**, long) | dyld::_main(macho_header const*, unsigned long,
int, char const**, char const**, char const**) | dyld::initializeMainExecutable() |
ImageLoader::runInitializers(ImageLoader::LinkContext const&) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoader::recursiveInitialization(ImageLoader::LinkContext
const&, unsigned int) | ImageLoaderMachO::doInitialization(ImageLoader::LinkContext
const&) | ImageLoaderMachO::doImageInit(ImageLoader::LinkContext const&) | __CFInitialize
| _CFAppVersionCheckLessThan | cacheBundleInfo | CFBundleGetMainBundle | _CFBundleGetMainBundleAlreadyLocked
| _CFBundleCreate | -[__CFx606449CHT initWithOptions:capacity:] | allocateCollectableUnscannedStorage
| _CFAllocateCollectable | malloc_zone_malloc 
----
FREE  0x320acd0-0x320ad0f [size=64]: thread_a0973540 |0x27f5 | 0x3b30c7 | 0x88e347
| 0xefd058 | 0xf08964 | 0xefde88 | 0xeebdea | 0xeeaeb1 | 0xee8ec2 | 0xf06d04 | 0x7beffa
| 0xea8978 | 0xea8ca1 | 0xea82b9 | 0xeaafbe | +[QTCaptureDevice inputDevicesWithMediaType:]
| +[QTCaptureDevice inputDevices] | +[QTCaptureDevice devicesWithIOType:] | +[QTCaptureDALDevice
devicesWithIOType:] | +[QTCaptureDALDevice _refreshDevices] | TundraObjectGetPropertyDataSize
| MIO::DAL::System::CheckOutInstance() | MIO::DAL::System::InitializeDevices() | MIO::DAL::PlugInManagement::Initialize()
| MIO::DAL::PlugInManagement::RegisterPlugIns() | MIO::DAL::PlugInManagement::OpenPlugInsInDirectory(__CFString
const*, char const*) | CFPlugInCreate | _CFBundleCreate | -[__CFx606449CHT addObject:]
| -[__CFx606449CHT hashGrow] | malloc_zone_free 

Reported by ramosian.glider on 2012-08-10 11:00:45

ramosian-glider commented 9 years ago
My guess is that we're initializing ASan too late, so some memory is already allocated
via DefaultPurgeableMallocZone. I'm going to (at least temporarily) add a zone check
back to free_common().

Reported by ramosian.glider on 2012-08-10 11:13:49
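
The late-initialization scenario and the zone check proposed in the comment above, as a portable toy model (an added example, not AddressSanitizer's code and not part of the original thread). The two static zones, `zone_from_ptr()` as a stand-in for `malloc_zone_from_ptr()`, the `check_zone` switch and `scenario()` are assumptions made for illustration.

```c
#include <stdio.h>

/* Constructed model, not ASan source: each zone hands out a few fixed slots. */
#define SLOTS 4
typedef struct { unsigned char mem[SLOTS][64]; int used[SLOTS]; } zone_t;
static zone_t system_zone, tool_zone;
enum free_result { FREED_OWN, FORWARDED, INVALID_FREE };

static void *zone_malloc(zone_t *z) {
    for (int i = 0; i < SLOTS; i++)
        if (!z->used[i]) { z->used[i] = 1; return z->mem[i]; }
    return NULL;
}
/* Index of the live slot that starts at p, or -1 if z does not own p. */
static int zone_slot(zone_t *z, void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (z->used[i] && (void *)z->mem[i] == p) return i;
    return -1;
}
/* Stand-in for malloc_zone_from_ptr(): the zone in which p is live, if any. */
static zone_t *zone_from_ptr(void *p) {
    return zone_slot(&system_zone, p) >= 0 ? &system_zone
         : zone_slot(&tool_zone, p) >= 0 ? &tool_zone : NULL;
}
/* The tool's free hook; check_zone toggles the ownership lookup. */
static enum free_result free_common(void *p, int check_zone) {
    int i = zone_slot(&tool_zone, p);
    if (i >= 0) { tool_zone.used[i] = 0; return FREED_OWN; }
    zone_t *owner = check_zone ? zone_from_ptr(p) : NULL;
    if (owner) { owner->used[zone_slot(owner, p)] = 0; return FORWARDED; }
    return INVALID_FREE; /* reported as a free of non-malloc()-ed memory */
}
/* step 0: free the early block, 1: free the late block, 2: free early again. */
int scenario(int check_zone, int step) {
    enum free_result r[3];
    system_zone = tool_zone = (zone_t){0};
    void *early = zone_malloc(&system_zone); /* allocated before the tool's init */
    void *late = zone_malloc(&tool_zone);    /* allocated after it took over */
    r[0] = free_common(early, check_zone);
    r[1] = free_common(late, check_zone);
    r[2] = free_common(early, check_zone);
    return r[step];
}

int main(void) {
    for (int c = 0; c <= 1; c++)
        printf("zone check %d: early=%d late=%d again=%d\n",
               c, scenario(c, 0), scenario(c, 1), scenario(c, 2));
    return 0;
}
```

With the check enabled the early block is handed back to the zone that owns it, while the second free of the same block is still reported, so the check does not hide a genuine double free.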

ramosian-glider commented 9 years ago
A temporary fix has been landed in Clang r161661.

Reported by ramosian.glider on 2012-08-10 12:56:33

ramosian-glider commented 9 years ago
Marking as fixed.

Reported by ramosian.glider on 2012-09-17 11:16:56

ramosian-glider commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:59