[OSX] Sometimes malloc is replaced but free is not

[ramosian-glider]

Originally reported on Google Code with ID 70

Firefox with asan works just fine on Linux, but on OS X it crashes when starting up
with

firefox(32200,0x7fff77547960) malloc: *** error for object 0x11195b688: pointer being
freed was not allocated
*** set a breakpoint in malloc_error_break to debug

Program received signal SIGABRT, Aborted.
0x00007fff931b0ce2 in __pthread_kill ()
(gdb) bt
#0  0x00007fff931b0ce2 in __pthread_kill ()
#1  0x00007fff8c5447d2 in pthread_kill ()
#2  0x00007fff8c535a7a in abort ()
#3  0x00007fff8c59484c in free ()
#4  0x00007fff91ce1d53 in object_dispose ()
#5  0x00007fff8b4d6276 in -[NSObject dealloc] ()
#6  0x00007fff911e3d73 in -[NSURL(NSURL) initWithString:relativeToURL:] ()
#7  0x00007fff911e39d2 in -[NSURL(NSURLPathUtilities) URLByAppendingPathComponent:]
()
#8  0x00007fff8fe1c78a in persistentStateDirectoryURLForBundleID ()
#9  0x00007fff8fe1c64c in +[NSPersistentUIManager(NSCarbonMethods) copyPersistentCarbonWindowDictionariesForBundleID:]
()
#10 0x00007fff8e20516f in _HIPersistentUICopyPersistentCarbonWindowDictionariesForBundleID
()
#11 0x00007fff8e205112 in GetPersistenceDictionariesAtLaunch ()
#12 0x00007fff8e2050d6 in WindowStateInitFirstEventTime ()
#13 0x00007fff8e204a9b in _FirstEventTime ()
#14 0x00007fff8e1fd232 in RunCurrentEventLoopInMode ()
#15 0x00007fff8e20451b in ReceiveNextEventCommon ()
#16 0x00007fff8e204456 in BlockUntilNextEventMatchingListInMode ()
#17 0x00007fff8fe1af5d in _DPSNextEvent ()
#18 0x00007fff8fe1a861 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
()
#19 0x0000000105fc8587 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:]
(self=0x1032e6280, _cmd=0x7fff906b8098, mask=18446744073709551615, expiration=0x0,
mode=0x7fff773c9b20, flag=1 '\001') at /Users/espindola/mozilla-central/widget/cocoa/nsAppShell.mm:207
#20 0x0000000105fca403 in nsAppShell::ProcessNextNativeEvent (this=0x1032e4280, aMayWait=false)
at /Users/espindola/mozilla-central/widget/cocoa/nsAppShell.mm:674
#21 0x000000010602f6a9 in nsBaseAppShell::DoProcessNextNativeEvent (this=0x1032e4280,
mayWait=false) at /Users/espindola/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:171
#22 0x000000010602fb77 in nsBaseAppShell::OnProcessNextEvent (this=0x1032e4280, thr=0x1033f4480,
mayWait=true, recursionDepth=0) at /Users/espindola/mozilla-central/widget/xpwidgets/nsBaseAppShell.cpp:306
#23 0x0000000105fcac17 in nsAppShell::OnProcessNextEvent (this=0x1032e4280, aThread=0x1033f4480,
aMayWait=true, aRecursionDepth=0) at /Users/espindola/mozilla-central/widget/cocoa/nsAppShell.mm:882
#24 0x0000000105fcacc4 in non-virtual thunk to nsAppShell::OnProcessNextEvent(nsIThreadInternal*,
bool, unsigned int) () at /Users/espindola/mozilla-central/widget/cocoa/nsAppShell.mm:884
#25 0x00000001063cb4c9 in nsThread::ProcessNextEvent (this=0x1033f4480, mayWait=true,
result=0x7fff5fbfd51e) at /Users/espindola/mozilla-central/xpcom/threads/nsThread.cpp:618
#26 0x0000000106339e99 in NS_ProcessNextEvent_P (thread=0x1033f4480, mayWait=true)
at nsThreadUtils.cpp:245
#27 0x00000001063cb02a in nsThread::Shutdown (this=0x10336f680) at /Users/espindola/mozilla-central/xpcom/threads/nsThread.cpp:498
#28 0x00000001044ae55e in nsSocketTransportService::Shutdown (this=0x10336f080) at
/Users/espindola/mozilla-central/netwerk/base/src/nsSocketTransportService2.cpp:534
#29 0x000000010446b54a in nsIOService::SetOffline (this=0x10336c480, offline=true)
at /Users/espindola/mozilla-central/netwerk/base/src/nsIOService.cpp:812
#30 0x000000010446be23 in nsIOService::Observe (this=0x10336c480, subject=0x11195a280,
topic=0x10710fcaa "profile-change-net-teardown", data=0x107327ca0) at /Users/espindola/mozilla-central/netwerk/base/src/nsIOService.cpp:1001
#31 0x000000010446c0ef in non-virtual thunk to nsIOService::Observe(nsISupports*, char
const*, unsigned short const*) () at /Users/espindola/mozilla-central/netwerk/base/src/nsIOService.cpp:1040
#32 0x00000001063678b6 in nsObserverList::NotifyObservers (this=0x10bed44e8, aSubject=0x11195a280,
aTopic=0x10710fcaa "profile-change-net-teardown", someData=0x107327ca0) at /Users/espindola/mozilla-central/xpcom/ds/nsObserverList.cpp:130
#33 0x0000000106369c96 in nsObserverService::NotifyObservers (this=0x1024b3c80, aSubject=0x11195a280,
aTopic=0x10710fcaa "profile-change-net-teardown", someData=0x107327ca0) at /Users/espindola/mozilla-central/xpcom/ds/nsObserverService.cpp:182
#34 0x0000000104419c94 in nsXREDirProvider::DoShutdown (this=0x7fff5fbfdc38) at /Users/espindola/mozilla-central/toolkit/xre/nsXREDirProvider.cpp:837
#35 0x00000001043ff873 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0x102593980)
at /Users/espindola/mozilla-central/toolkit/xre/nsAppRunner.cpp:1125
#36 0x00000001043ff7a5 in ScopedXPCOMStartup::~ScopedXPCOMStartup (this=0x102593980)
at /Users/espindola/mozilla-central/toolkit/xre/nsAppRunner.cpp:1111
#37 0x000000010440832b in XREMain::XRE_main (this=0x7fff5fbfdc00, argc=1, argv=0x7fff5fbff9a8,
aAppData=0x10004a100) at /Users/espindola/mozilla-central/toolkit/xre/nsAppRunner.cpp:3879
#38 0x00000001044086bc in XRE_main (argc=1, argv=0x7fff5fbff9a8, aAppData=0x10004a100)
at /Users/espindola/mozilla-central/toolkit/xre/nsAppRunner.cpp:3933
#39 0x00000001000070a1 in do_main (argc=<value temporarily unavailable, due to optimizations>,
argv=<value temporarily unavailable, due to optimizations>) at /Users/espindola/mozilla-central/browser/app/nsBrowserApp.cpp:190
#40 0x000000010000500d in main (argc=<value temporarily unavailable, due to optimizations>,
argv=<value temporarily unavailable, due to optimizations>) at /Users/espindola/mozilla-central/browser/app/nsBrowserApp.cpp:277

It looks like asan managed to replace a call to malloc but failed to replace a call
to free.

Reported by rafael.espindola on 2012-05-01 12:57:42

[ramosian-glider]

Rafael,

on OS X several heap allocators may co-exist in the same process, and chances are that
some memory chunk has been allocated by one of them (e.g. our malloc()) and then mistakingly
passed to another one that we don't intercept (we do intercept the default malloc zone
and the default CFAllocator).

I'd love to reproduce this -- is there an instruction how to build Firefox on OS X
with ASan?

Reported by ramosian.glider on 2012-05-02 10:57:09

• Status changed: Accepted
• Labels added: OpSys-OSX

[ramosian-glider]

Hey :)

I can provide you both with a build manual and with 64 bit OSX debug builds that reproduce
the failure.

A current build that should reproduce the error is here: http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/decoder@own-hero.net-98a3e6c73a4a/try-macosx64-debug/firefox-15.0a1.en-US.mac64.dmg

A general manual how to build Firefox with ASAN is here: https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer

If you need any further information, feel free to contact me or Rafael. You can also
find us on irc.mozilla.org #security :)

Chris

Reported by decoder.oh on 2012-05-02 11:52:13

[ramosian-glider]

I've managed to build the nightly Firefox with -faddress-sanitizer and -O1, but it is
nearly unusable. Is there a web page I can navigate to to reproduce this report?
I'll also try your prebuilt .dmg, maybe it's a bit better

Reported by ramosian.glider on 2012-05-04 09:51:44

[ramosian-glider]

Regarding your first comment: How are you running Firefox when you built it? If you
run it from objdir/dist/bin/firefox, then it will not crash but the GUI events will
not work (this problem is not related to Firefox).

There should be a objdir/dist/NightlyDebug.app/Contents/MacOS/firefox or objdir/dist/NightlyDebug.app/Contents/MacOS/firefox
try starting it from there.

The .dmg will also reproduce this 100% of the time since there is no way to start it
like you probably did it with your own build.

The crash happens on startup.

Reported by decoder.oh on 2012-05-04 11:36:20

[ramosian-glider]

Yes objdir/dist/NightlyDebug.app/Contents/MacOS/firefox works for me, thanks!
But neither my build nor the nightly one crashed with the error message.
Is it OS X 10.7 you're running? (I've only tried it on 10.6 so far)

Reported by ramosian.glider on 2012-05-05 11:34:26

[ramosian-glider]

I think all the people that tried this have 10.7. Might be specific to that.

Reported by decoder.oh on 2012-05-05 11:55:43

[ramosian-glider]

Yes, this was on 10.7

Reported by rafael.espindola on 2012-05-06 14:00:39

[ramosian-glider]

@Ramosian: Did you manage to reproduce the problem or do you need more information from
our side? Thanks!

Reported by decoder.oh on 2012-05-14 21:20:50

[ramosian-glider]

Yes, I was able to reproduce it, but got distracted by other Mac stuff on 10.6. Sorry
for that.
I'm planning to get back to it next week, but not quite sure.

Reported by ramosian.glider on 2012-05-22 08:09:57

[ramosian-glider]

That would be great since this is a huge blocker for us. Running Firefox on OSX is with
ASan is practically impossible because of this issue and I'm sure others will run into
this as well.

Reported by decoder.oh on 2012-05-22 13:38:07

[ramosian-glider]

Here's a smaller replacement for the problem:

====================t.mm===============

#import <Foundation/Foundation.h>
#import <Cocoa/Cocoa.h>
int main() {
  NSURL *base = [[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];
  NSURL *u = [[NSURL alloc] initWithString:@"Saved Application State" relativeToURL:base];
  return 0;
}
===================================

 $ clang++ t.mm -o t -faddress-sanitizer -framework Foundation -g
 $ ./t | $SYMB
==22255== __asan_osx_free(0x00010d2e0788), zone=0x000000000000
==22255== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed:
0x00010d2e0788
got symbolicator for /Users/glider/src/chrome-commit/src/t, base address 100000000
    #0 0x10ac916b8 in __asan_osx_free (in t) + 120
    #1 0x7fff9375ed53 in object_dispose (in libobjc.A.dylib) + 57
    #2 0x7fff8e295086 in -[NSObject dealloc] (in CoreFoundation) + 102
    #3 0x7fff8e854d4f in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 197
got symbolicator for /Users/glider/src/chrome-commit/src/t, base address 100000000
    #4 0x10ac89422 in main t.mm:6
got symbolicator for /Users/glider/src/chrome-commit/src/t, base address 100000000
    #5 0x10ac89204 in start (in t) + 52
    #6 0x1
Stats: 0M malloced (0M for red zones) by 9 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 1 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
  mmaps   by size class: 8:16383;
  mallocs by size class: 8:9;
  frees   by size class: 8:1;
  rfrees  by size class:
Stats: malloc large: 0 small slow: 1

(I've hacked the runtime a bit: __asan_osx_free is a replacement for free() that looks
up the malloc zone for the pointer and prints it if the zone is NULL)

Reported by glider@chromium.org on 2012-06-19 16:33:11

[ramosian-glider]

==36663== AddressSanitizer: libc interceptors initialized
|| `[0x200000000000, 0x7fffffffffff]` || HighMem    ||
|| `[0x140000000000, 0x1fffffffffff]` || HighShadow ||
|| `[0x120000000000, 0x13ffffffffff]` || ShadowGap  ||
|| `[0x100000000000, 0x11ffffffffff]` || LowShadow  ||
|| `[0x000000000000, 0x0fffffffffff]` || LowMem     ||
MemToShadow(shadow): 0x120000000000 0x123fffffffff 0x128000000000 0x13ffffffffff
red_zone=128
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 100000000000
==36663== Installed the sigaction for signal 11
==36663== Installed the sigaction for signal 10
==36663== SetCurrent: 0x000102e51ec0 for thread 0x7fff7a703960
==36663== T0: stack [0x7fff601f4000,0x7fff609f4000) size 0x800000; local=0x7fff609f2fe0
==36663== AddressSanitizer Init done
Allocate align: 0 size: 128 class: 8 real: 256
==36663== Allocate(128): 0x0001033dff80
    #0 0x100dfd9ad in (anonymous namespace)::mz_malloc(_malloc_zone_t*, unsigned long)
(in t) + 45
    #1 0x7fff8f4e83c8 in malloc_zone_malloc (in libsystem_c.dylib) + 77
    #2 0x7fff8f4e91a4 in malloc (in libsystem_c.dylib) + 44
    #3 0x7fff9375ba57 in updateVtable(class_t*, signed char) (in libobjc.A.dylib) +
757
    #4 0x7fff9375d7a2 in _class_setInitialized (in libobjc.A.dylib) + 132
    #5 0x7fff9375d64c in _finishInitializing (in libobjc.A.dylib) + 98
    #6 0x7fff9375c6af in _class_initialize (in libobjc.A.dylib) + 397
    #7 0x7fff9375c517 in prepareForMethodLookup (in libobjc.A.dylib) + 237
    #8 0x7fff9375c2bb in lookUpMethod (in libobjc.A.dylib) + 63
    #9 0x7fff93759f3c in objc_msgSend (in libobjc.A.dylib) + 188
    #10 0x100df52c1 in main t.mm:3
    #11 0x100df5174 in start (in t) + 52
    #12 0x1
Allocate align: 0 size: 128 class: 8 real: 256
==36663== Allocate(128): 0x0001033e0080
    #0 0x100dfd9ad in (anonymous namespace)::mz_malloc(_malloc_zone_t*, unsigned long)
(in t) + 45
    #1 0x7fff8f4e83c8 in malloc_zone_malloc (in libsystem_c.dylib) + 77
    #2 0x7fff8f4e91a4 in malloc (in libsystem_c.dylib) + 44
    #3 0x7fff9375ba57 in updateVtable(class_t*, signed char) (in libobjc.A.dylib) +
757
    #4 0x7fff9375d7af in _class_setInitialized (in libobjc.A.dylib) + 145
    #5 0x7fff9375d64c in _finishInitializing (in libobjc.A.dylib) + 98
    #6 0x7fff9375c6af in _class_initialize (in libobjc.A.dylib) + 397
    #7 0x7fff9375c517 in prepareForMethodLookup (in libobjc.A.dylib) + 237
    #8 0x7fff9375c2bb in lookUpMethod (in libobjc.A.dylib) + 63
    #9 0x7fff93759f3c in objc_msgSend (in libobjc.A.dylib) + 188
    #10 0x100df52c1 in main t.mm:3
    #11 0x100df5174 in start (in t) + 52
    #12 0x1
Allocate align: 0 size: 80 class: 8 real: 256
==36663== Allocate(80): 0x0001033e0180
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e267cb0 in _CFRuntimeCreateInstance (in CoreFoundation) + 400
    #2 0x7fff8e287647 in _CFURLAlloc (in CoreFoundation) + 23
    #3 0x7fff8e854c46 in +[NSURL(NSURL) allocWithZone:] (in Foundation) + 78
    #4 0x7fff9375d035 in _objc_rootAlloc (in libobjc.A.dylib) + 21
    #5 0x100df52c1 in main t.mm:3
    #6 0x100df5174 in start (in t) + 52
    #7 0x1
Allocate align: 0 size: 64 class: 8 real: 256
==36663== Allocate(64): 0x0001033e0280
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e267cb0 in _CFRuntimeCreateInstance (in CoreFoundation) + 400
    #2 0x7fff8e270ccf in CFBasicHashCreate (in CoreFoundation) + 127
    #3 0x7fff8e270c28 in __CFDictionaryCreateGeneric (in CoreFoundation) + 1400
    #4 0x7fff8e270654 in CFDictionaryCreateMutable (in CoreFoundation) + 68
    #5 0x7fff8e26ee99 in __CFGetConverter (in CoreFoundation) + 1017
    #6 0x7fff8e26ea79 in CFStringEncodingIsValidEncoding (in CoreFoundation) + 9
    #7 0x7fff8e26e034 in __CFStringEncodeByteStream (in CoreFoundation) + 2404
    #8 0x7fff8e2866c0 in constructBuffers (in CoreFoundation) + 176
    #9 0x7fff8e285cb9 in _parseComponents (in CoreFoundation) + 137
    #10 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #11 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #12 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #13 0x100df52d5 in main t.mm:3
    #14 0x100df5174 in start (in t) + 52
    #15 0x1
Allocate align: 0 size: 24 class: 8 real: 256
==36663== Allocate(24): 0x0001033e0380
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e278d38 in __CFBasicHashRehash (in CoreFoundation) + 344
    #2 0x7fff8e2720e7 in __CFBasicHashAddValue (in CoreFoundation) + 71
    #3 0x7fff8e27142c in CFDictionarySetValue (in CoreFoundation) + 252
    #4 0x7fff8e26eead in __CFGetConverter (in CoreFoundation) + 1037
    #5 0x7fff8e26ea79 in CFStringEncodingIsValidEncoding (in CoreFoundation) + 9
    #6 0x7fff8e26e034 in __CFStringEncodeByteStream (in CoreFoundation) + 2404
    #7 0x7fff8e2866c0 in constructBuffers (in CoreFoundation) + 176
    #8 0x7fff8e285cb9 in _parseComponents (in CoreFoundation) + 137
    #9 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #10 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #11 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #12 0x100df52d5 in main t.mm:3
    #13 0x100df5174 in start (in t) + 52
    #14 0x1
Allocate align: 0 size: 24 class: 8 real: 256
==36663== Allocate(24): 0x0001033e0480
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e278e35 in __CFBasicHashRehash (in CoreFoundation) + 597
    #2 0x7fff8e2720e7 in __CFBasicHashAddValue (in CoreFoundation) + 71
    #3 0x7fff8e27142c in CFDictionarySetValue (in CoreFoundation) + 252
    #4 0x7fff8e26eead in __CFGetConverter (in CoreFoundation) + 1037
    #5 0x7fff8e26ea79 in CFStringEncodingIsValidEncoding (in CoreFoundation) + 9
    #6 0x7fff8e26e034 in __CFStringEncodeByteStream (in CoreFoundation) + 2404
    #7 0x7fff8e2866c0 in constructBuffers (in CoreFoundation) + 176
    #8 0x7fff8e285cb9 in _parseComponents (in CoreFoundation) + 137
    #9 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #10 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #11 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #12 0x100df52d5 in main t.mm:3
    #13 0x100df5174 in start (in t) + 52
    #14 0x1
Allocate align: 0 size: 38 class: 8 real: 256
==36663== Allocate(38): 0x0001033e0580
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e2866d3 in constructBuffers (in CoreFoundation) + 195
    #2 0x7fff8e285cb9 in _parseComponents (in CoreFoundation) + 137
    #3 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #4 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #5 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #6 0x100df52d5 in main t.mm:3
    #7 0x100df5174 in start (in t) + 52
    #8 0x1
==36663== Deallocate(0x0001033e0580)
    #0 0x100dfe0d8 in (anonymous namespace)::cf_free(void*, void*) (in t) + 72
    #1 0x7fff8e286570 in _parseComponents (in CoreFoundation) + 2368
    #2 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #3 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #4 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #5 0x100df52d5 in main t.mm:3
    #6 0x100df5174 in start (in t) + 52
    #7 0x1
Allocate align: 0 size: 48 class: 8 real: 256
==36663== Allocate(48): 0x0001033e0680
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e286593 in _parseComponents (in CoreFoundation) + 2403
    #2 0x7fff8e285b7e in _CFURLInitWithString (in CoreFoundation) + 142
    #3 0x7fff8e854d2b in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 161
    #4 0x7fff8e8d461e in -[NSURL(NSURL) initWithString:] (in Foundation) + 20
    #5 0x100df52d5 in main t.mm:3
    #6 0x100df5174 in start (in t) + 52
    #7 0x1
Allocate align: 0 size: 80 class: 8 real: 256
==36663== Allocate(80): 0x0001033e0780
    #0 0x100dfdedd in (anonymous namespace)::cf_malloc(long, unsigned long, void*)
(in t) + 45
    #1 0x7fff8e267cb0 in _CFRuntimeCreateInstance (in CoreFoundation) + 400
    #2 0x7fff8e287647 in _CFURLAlloc (in CoreFoundation) + 23
    #3 0x7fff8e854c46 in +[NSURL(NSURL) allocWithZone:] (in Foundation) + 78
    #4 0x7fff9375d035 in _objc_rootAlloc (in libobjc.A.dylib) + 21
    #5 0x100df5348 in main t.mm:4
    #6 0x100df5174 in start (in t) + 52
    #7 0x1
==36663== __asan_osx_free(0x0001033e0788), zone=0x000000000000
==36663== Deallocate(0x0001033e0788)
    #0 0x100dfd698 in __asan_osx_free (in t) + 120
    #1 0x7fff9375ed53 in object_dispose (in libobjc.A.dylib) + 57
    #2 0x7fff8e295086 in -[NSObject dealloc] (in CoreFoundation) + 102
    #3 0x7fff8e854d4f in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 197
    #4 0x100df5392 in main t.mm:4
    #5 0x100df5174 in start (in t) + 52
    #6 0x1
==36663== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed:
0x0001033e0788
    #0 0x100dfd698 in __asan_osx_free (in t) + 120
    #1 0x7fff9375ed53 in object_dispose (in libobjc.A.dylib) + 57
    #2 0x7fff8e295086 in -[NSObject dealloc] (in CoreFoundation) + 102
    #3 0x7fff8e854d4f in -[NSURL(NSURL) initWithString:relativeToURL:] (in Foundation)
+ 197
    #4 0x100df5392 in main t.mm:4
    #5 0x100df5174 in start (in t) + 52
    #6 0x1
Stats: 0M malloced (0M for red zones) by 9 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 1 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
  mmaps   by size class: 8:16383;
  mallocs by size class: 8:9;
  frees   by size class: 8:1;
  rfrees  by size class:
Stats: malloc large: 0 small slow: 1

CoreFoundation is trying to an off-by-8 pointer. Mark suggests there's some interaction
between the default malloc and CFURL

Reported by ramosian.glider on 2012-06-19 17:43:30

[ramosian-glider]

As usually, we can cause this program to fail even without ASan:

=============================t.mm========

$ cat t.mm
#import <Foundation/Foundation.h>
int main() {
#ifdef REPLACE
  CFAllocatorSetDefault(kCFAllocatorMallocZone);
#endif
  NSURL *base = [[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];
  NSURL *u = [[NSURL alloc] initWithString:@"Saved Application State" relativeToURL:base];
  return 0;
}
====================================

$ clang++ t.mm -o t -DREPLACE -framework Foundation -g && ./t
t(47457) malloc: *** error for object 0x10ba14348: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

This bug is reproducible on 10.6 as well (as opposed to the original Firefox problem,
I think)

Reported by glider@chromium.org on 2012-06-19 18:54:55

[ramosian-glider]

Does that mean it's a bug in Firefox? If so, how would we fix that? (not being a Mac
expert).

Reported by decoder.oh on 2012-06-19 18:58:28

[ramosian-glider]

I bet this is yet another bug in CFAllocator, which just does not manifest in Firefox
on 10.6.
Until I find out what we can do about it you can try ASAN_OPTIONS=replace_cfallocator=0.
I've just tried it and got much farther (in fact the browser hadn't crashed yet)

Reported by ramosian.glider on 2012-06-19 19:11:25

[ramosian-glider]

Thanks! I'll try that out tomorrow, that would be a great help already.

Reported by decoder.oh on 2012-06-19 19:13:04

[ramosian-glider]

I believe the bug has been fixed by Clang r158863, at least it doesn't manifest on Firefox
and Chrome.
You shouldn't need to set replace_cfallocator=0 anymore.
Please reopen if the bug is still reproducible for you.

Reported by ramosian.glider on 2012-06-20 23:52:19

• Status changed: Fixed

[ramosian-glider]

Christian,

did you have chance to try out the fix?

For the record, I've filed rdar://11748863 (http://openradar.appspot.com/radar?id=1796404)
to track the CFAllocatorSetDefault bug.

Reported by ramosian.glider on 2012-06-26 14:43:24

[ramosian-glider]

Sorry, I forgot to reply here :) A coworker of mine tried a build with the new Clang
revision and confirmed the fix. Once we upgraded our toolchain, we'll be handing out
Mac OSX builds for Firefox+ASan then :)

Thanks again!

Reported by decoder.oh on 2012-06-26 14:52:53

[ramosian-glider]

For the record, I've just hit a similar problem in Chromium net_unittests with a relatively
fresh Clang (https://code.google.com/p/chromium/issues/detail?id=145216):

[ RUN      ] CertVerifyProcTest.WithoutRevocationChecking
=================================================================
==81209== ERROR: AddressSanitizer attempting free on address which was not malloc()-ed:
0x0ff06a84
    #0 0x59df460 in (anonymous namespace)::cf_free(void*, void*) (in net_unittests)
+ 64
    #1 0x9a663aa9 in CFAllocatorDeallocate (in CoreFoundation) + 265
    #2 0x94682089 in Security::SecCFObject::operator delete(void*) (in Security) +
59
    #3 0x9465b9df in Security::CFClass::refCountForType(long, void const*) (in Security)
+ 141
    #4 0x9a6630f9 in CFRelease (in CoreFoundation) + 361
    #5 0x3fa8e4e in net::x509_util::CreateSSLServerPolicy(std::string const&, OpaqueSecPolicyRef**)
(in net_unittests) (x509_util_mac.cc:27)
    #6 0x3e57b1b in net::CertVerifyProcMac::VerifyInternal(net::X509Certificate*, std::string
const&, int, net::CRLSet*, net::CertVerifyResult*) (in net_unittests) (cert_verify_proc_mac.cc:150)
    #7 0x3e5684c in net::CertVerifyProc::Verify(net::X509Certificate*, std::string
const&, int, net::CRLSet*, net::CertVerifyResult*) (in net_unittests) (cert_verify_proc.cc:93)
    #8 0x65dbe in net::CertVerifyProcTest_WithoutRevocationChecking_Test::TestBody()
(in net_unittests) (cert_verify_proc_unittest.cc:58)
    #9 0x4c03023 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in net_unittests) (gtest.cc:2071)
    #10 0x4be6a11 in testing::Test::Run() (in net_unittests) (gtest.cc:2142)
    #11 0x4be8ea0 in testing::TestInfo::Run() (in net_unittests) (gtest.cc:2319)
    #12 0x4be9dd9 in testing::TestCase::Run() (in net_unittests) (gtest.cc:2426)
    #13 0x4bfbe77 in testing::internal::UnitTestImpl::RunAllTests() (in net_unittests)
(gtest.cc:4249)
    #14 0x4c04c83 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in net_unittests) (gtest.cc:2126)
    #15 0x4bfb047 in testing::UnitTest::Run() (in net_unittests) (gtest.cc:3882)
    #16 0x3d3f346 in base::TestSuite::Run() (in net_unittests) (test_suite.cc:199)
    #17 0x6aa38f in main (in net_unittests) (run_all_unittests.cc:43)
    #18 0x2264 in start (in net_unittests) + 52
    #19 0x1 in 0x00001001 (in net_unittests)
0x0ff06a84 is located 4 bytes inside of 112-byte region [0x0ff06a80,0x0ff06af0)
allocated by thread T0 here:
    #0 0x59df2ab in (anonymous namespace)::cf_malloc(long, unsigned long, void*) (in
net_unittests) + 43
    #1 0x9a65e1a3 in CFAllocatorAllocate (in CoreFoundation) + 355
    #2 0x9a65df00 in _CFRuntimeCreateInstance (in CoreFoundation) + 384
    #3 0x9465a9b8 in Security::SecCFObject::allocate(unsigned long, Security::CFClass
const&) (in Security) + 54
    #4 0x9468228e in Security::KeychainCore::PolicyCursor::operator new(unsigned long)
(in Security) + 30
    #5 0x94682185 in SecPolicySearchCreate (in Security) + 39
    #6 0x3fa8dfc in net::x509_util::CreateSSLServerPolicy(std::string const&, OpaqueSecPolicyRef**)
(in net_unittests) (x509_util_mac.cc:22)
    #7 0x3e57b1b in net::CertVerifyProcMac::VerifyInternal(net::X509Certificate*, std::string
const&, int, net::CRLSet*, net::CertVerifyResult*) (in net_unittests) (cert_verify_proc_mac.cc:150)
    #8 0x3e5684c in net::CertVerifyProc::Verify(net::X509Certificate*, std::string
const&, int, net::CRLSet*, net::CertVerifyResult*) (in net_unittests) (cert_verify_proc.cc:93)
    #9 0x65dbe in net::CertVerifyProcTest_WithoutRevocationChecking_Test::TestBody()
(in net_unittests) (cert_verify_proc_unittest.cc:58)
    #10 0x4c03023 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,
void>(testing::Test*, void (testing::Test::*)(), char const*) (in net_unittests) (gtest.cc:2071)
    #11 0x4be6a11 in testing::Test::Run() (in net_unittests) (gtest.cc:2142)
    #12 0x4be8ea0 in testing::TestInfo::Run() (in net_unittests) (gtest.cc:2319)
    #13 0x4be9dd9 in testing::TestCase::Run() (in net_unittests) (gtest.cc:2426)
    #14 0x4bfbe77 in testing::internal::UnitTestImpl::RunAllTests() (in net_unittests)
(gtest.cc:4249)
    #15 0x4c04c83 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl,
bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(),
char const*) (in net_unittests) (gtest.cc:2126)
    #16 0x4bfb047 in testing::UnitTest::Run() (in net_unittests) (gtest.cc:3882)
    #17 0x3d3f346 in base::TestSuite::Run() (in net_unittests) (test_suite.cc:199)
    #18 0x6aa38f in main (in net_unittests) (run_all_unittests.cc:43)
    #19 0x2264 in start (in net_unittests) + 52
    #20 0x1 in 0x00001001 (in net_unittests)
Stats: 6M malloced (17M for red zones) by 73087 calls
Stats: 0M realloced by 49 calls
Stats: 3M freed by 53515 calls
Stats: 0M really freed by 0 calls
Stats: 56M (14342 full pages) mmaped in 14 calls
  mmaps   by size class: 8:81915; 9:8191; 10:4095; 11:2047; 12:1024; 13:512; 14:256;
15:128; 17:32; 21:2;
  mallocs by size class: 8:67779; 9:1399; 10:3759; 11:66; 12:62; 13:10; 14:7; 15:2;
17:2; 21:1;
  frees   by size class: 8:48426; 9:1289; 10:3707; 11:32; 12:51; 13:8; 17:2;
  rfrees  by size class:
Stats: malloc large: 9 small slow: 180
==81209== ABORTING

The memory from _CFRuntimeCreateInstance() turns out to be freed via cf_free() as well
as free(). I'm going to fix this as well.

Reported by ramosian.glider on 2012-08-28 16:55:25

[ramosian-glider]

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:59

• Labels added: ProjectAddressSanitizer