ASan crashes in _CFRuntimeSetInstanceTypeID on Mac OS 10.8

[ramosian-glider]

Originally reported on Google Code with ID 122

To reproduce, build Chromium v8_shell with the latest Clang.

$ GYP_DEFINES="asan=1 dcheck_always_on=1 fastbuild=1 clang=1 component=static_library"
GYP_GENERATORS=ninja gclient runhooks
$ ninja -C out/Release v8_shell
$ $ out/Release/v8_shell
ASAN:SIGSEGV
=================================================================
==89012== ERROR: AddressSanitizer crashed on unknown address 0x00000000 (pc 0x996ea80f
sp 0xbff89f30 bp 0xbff89f58 T0)
AddressSanitizer can not provide additional info.
    #0 0x996ea80e (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xd80e)
    #1 0x99749066 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x6c066)
    #2 0x831af (/Users/glider/src/chrome-commit/src/out/Release/v8_shell+0xe1af)
    #3 0x8fe88cd9
    #4 0x8fe88fdd
    #5 0x8fe85267
    #6 0x8fe851cb
    #7 0x8fe850b9
    #8 0x8fe76e04
    #9 0x8fe7aada
    #10 0x8fe76375
    #11 0x8fe76076
    #12 0x0
Stats: 0M malloced (0M for red zones) by 1 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (128 full pages) mmaped in 1 calls
  mmaps   by size class: 8:2047; 
  mallocs by size class: 8:1; 
  frees   by size class: 
  rfrees  by size class: 
Stats: malloc large: 0 small slow: 1
==89012== ABORTING

$ gdb out/Release/v8_shell
(gdb) r
Starting program: /Users/glider/src/chrome-commit/src/out/Release/v8_shell 
Reading symbols for shared libraries .+++................................ done

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x996ea80f in _CFRuntimeSetInstanceTypeID ()
(gdb) bt
#0  0x996ea80f in _CFRuntimeSetInstanceTypeID ()
#1  0x99749067 in CFAllocatorCreate ()
#2  0x0000e1b0 in __asan::ReplaceCFAllocator ()
#3  0x8fe13cda in __dyld__ZN16ImageLoaderMachO18doModInitFunctionsERKN11ImageLoader11LinkContextE
()
#4  0x8fe13fde in __dyld__ZN16ImageLoaderMachO16doInitializationERKN11ImageLoader11LinkContextE
()
#5  0x8fe10268 in __dyld__ZN11ImageLoader23recursiveInitializationERKNS_11LinkContextEjRNS_21InitializerTimingListE
()
#6  0x8fe101cc in __dyld__ZN11ImageLoader23recursiveInitializationERKNS_11LinkContextEjRNS_21InitializerTimingListE
()
#7  0x8fe100ba in __dyld__ZN11ImageLoader15runInitializersERKNS_11LinkContextERNS_21InitializerTimingListE
()
#8  0x8fe01e05 in __dyld__ZN4dyld24initializeMainExecutableEv ()
#9  0x8fe05adb in __dyld__ZN4dyld5_mainEPK12macho_headermiPPKcS5_S5_Pm ()
#10 0x8fe01376 in __dyld__ZN13dyldbootstrap5startEPK12macho_headeriPPKclS2_Pm ()
#11 0x8fe01077 in __dyld__dyld_start ()

Reported by ramosian.glider on 2012-10-16 15:39:06

[ramosian-glider]

Reported by glider@chromium.org on 2012-10-16 15:46:49

• Blocking: #156005

[ramosian-glider]

Looks like issue 87 striking back.
Setting breakpoints in _CFInitialize and _CFAllocatorInitialize shows they aren't being
called before ReplaceCFAllocator.
In fact ReplaceCFAllocator is being called from AsanThread::Init() before any initialization
happens.

Reported by ramosian.glider on 2012-10-16 16:59:59

[ramosian-glider]

Committed a fix in r166029.

Reported by ramosian.glider on 2012-10-16 17:03:13

[ramosian-glider]

Reported by ramosian.glider on 2012-10-17 09:36:14

• Status changed: Fixed

[ramosian-glider]

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:13:40

• Labels added: ProjectAddressSanitizer