search

ramosian-glider / sanitizers

0 stars 0 forks source link

ASan doesn't play well with vmmap on OS X 10.7 #64

Closed ramosian-glider closed 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 63

$ cat t.c
#include <stdlib.h>
int main() {
  char *c = malloc(100);
  free(c);
  free(c);
  return 0;
}
=============================
$ clang t.c -faddress-sanitizer -o t
$ ASAN_OPTIONS=sleep_before_dying=100 ./t
==298== ERROR: AddressSanitizer attempting double-free on 0x000103fdff80:
    #0 0x1019d3ac1 (/Users/glider/src/asan/llvm/build/./t+0x8ac1)
    #1 0x1019cbb4f (/Users/glider/src/asan/llvm/build/./t+0xb4f)
    #2 0x1019cba04 (/Users/glider/src/asan/llvm/build/./t+0xa04)
    #3 0x1
0x000103fdff80 is located 0 bytes inside of 100-byte region [0x000103fdff80,0x000103fdffe4)
freed by thread T0 here:
    #0 0x1019d3fe7 (/Users/glider/src/asan/llvm/build/./t+0x8fe7)
    #1 0x1019d3ab0 (/Users/glider/src/asan/llvm/build/./t+0x8ab0)
    #2 0x1019cbb23 (/Users/glider/src/asan/llvm/build/./t+0xb23)
    #3 0x1019cba04 (/Users/glider/src/asan/llvm/build/./t+0xa04)
    #4 0x1
previously allocated by thread T0 here:
    #0 0x1019d3de4 (/Users/glider/src/asan/llvm/build/./t+0x8de4)
    #1 0x7fff873d73c8 (/usr/lib/system/libsystem_c.dylib+0xa03c8)
    #2 0x7fff873d81a4 (/usr/lib/system/libsystem_c.dylib+0xa11a4)
    #3 0x1019cbaec (/Users/glider/src/asan/llvm/build/./t+0xaec)
    #4 0x1019cba04 (/Users/glider/src/asan/llvm/build/./t+0xa04)
    #5 0x1
Stats: 0M malloced (0M for red zones) by 1 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 1 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
  mmaps   by size class: 8:16383; 
  mallocs by size class: 8:1; 
  frees   by size class: 8:1; 
  rfrees  by size class: 
Stats: malloc large: 0 small slow: 1
==298== Sleeping for 100 second(s)

[in another terminal]
$ vmmap 298 2>&1 |  /Users/glider/src/chrome-commit/src/tools/valgrind/asan/asan_symbolize.py

==567== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed:
0x7f8112036400
    #0 0x210f67422 in operator delete(void*) (in t) + 34
    #1 0x7fff827ba2c3 in CSSymbolicatorCreateWithSignatureAndNotification (in CoreSymbolication)
+ 1261
    #2 0x7fff827a022b in TDwarfSymbolAbbrev<Dwarf<Dwarf32, Pointer64, LittleEndian>
>::TDwarfSymbolAbbrev(unsigned int, unsigned char, std::vector<CSCppDwarfAttribute,
std::allocator<CSCppDwarfAttribute> >&, TDwarfAbbrevData<Dwarf<Dwarf32, Pointer64,
LittleEndian> >&) (in CoreSymbolication) + 625
    #3 0x7fff827a00c2 in TDwarfSymbolAbbrev<Dwarf<Dwarf32, Pointer64, LittleEndian>
>::TDwarfSymbolAbbrev(unsigned int, unsigned char, std::vector<CSCppDwarfAttribute,
std::allocator<CSCppDwarfAttribute> >&, TDwarfAbbrevData<Dwarf<Dwarf32, Pointer64,
LittleEndian> >&) (in CoreSymbolication) + 264
    #4 0x7fff8cefac86 in pidFromHint (in Symbolication) + 1133
    #5 0x7fff8ceec7f2 in -[VMUClassInfo _copyRemoteIvarAt:] (in Symbolication) + 6
    #6 0x10e41d44c in 0x10000244c
    #7 0x10e41cabc in 0x100001abc
    #8 0x2
Stats: 0M malloced (0M for red zones) by 0 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 0 calls
Stats: 0M really freed by 0 calls
Stats: 0M (0 full pages) mmaped in 0 calls
  mmaps   by size class:
  mallocs by size class:
  frees   by size class:
  rfrees  by size class:
Stats: malloc large: 0 small slow: 0

Reported by ramosian.glider on 2012-04-13 10:44:14

ramosian-glider commented 9 years ago

Reported by konstantin.s.serebryany on 2012-05-22 08:49:13

ramosian-glider commented 9 years ago 
Also confirmed on 10.8

Reported by ramosian.glider on 2012-10-29 14:10:36

ramosian-glider commented 9 years ago 
With the introduction of the dynamic library the vmmap output now looks as:

$ vmmap 39445
Virtual Memory Map of process 39445 (t)
Output report format:  2.2  -- 64-bit process

2013-02-06 19:39:09.678 vmmap[39511:707] *** Symbolication:  Couldn't load /Users/glider/src/asan-clean/llvm/llvm_cmake_build/lib/clang/3.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
to introspect target process's malloc zone named asan: dlopen(/Users/glider/src/asan-clean/llvm/llvm_cmake_build/lib/clang/3.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib,
261): Symbol not found: ___asan_mapping_offset
  Referenced from: /Users/glider/src/asan-clean/llvm/llvm_cmake_build/lib/clang/3.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
  Expected in: flat namespace
 in /Users/glider/src/asan-clean/llvm/llvm_cmake_build/lib/clang/3.3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib

==== Non-writable regions for process 39445
__TEXT                 000000010b564000-000000010b565000 [    4K] r-x/rwx SM=COW  ...s/glider/src/asan-clean/llvm/llvm_cmake_build/t
__LINKEDIT             000000010b566000-000000010b567000 [    4K] r--/rwx SM=COW  ...s/glider/src/asan-clean/llvm/llvm_cmake_build/t
MALLOC metadata        000000010b567000-000000010b568000 [    4K] r--/rwx SM=PRV  
__TEXT                 000000010b56c000-000000010b58a000 [  120K] r-x/rwx SM=COW  ...3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
__LINKEDIT             000000010ddd4000-000000010ddeb000 [   92K] r--/rwx SM=COW  ...3/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
VM_ALLOCATE            0000120000000000-0000140000000000 [  2.0T] ---/rwx SM=NUL  
...
[map follows]

I wonder if we can (or should) do something about the process not having __asan_mapping_offset.

Reported by ramosian.glider on 2013-02-06 15:42:10

ramosian-glider commented 9 years ago 
Marking this bug as WontFix with a FixLater label.
Feel free to reopen if you want to work on this.

Reported by ramosian.glider on 2013-12-26 15:08:54

ramosian-glider commented 9 years ago 
Even better, let it be a duplicate of issue 201, since having a fallback (or retiring
__asan_mapping_offset) is everything we need.

Reported by ramosian.glider on 2013-12-26 15:11:21

ramosian-glider commented 9 years ago 
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:59