ramosian-glider / sanitizers


A simple ObjC program crashes in objc_msgSend #89

Open ramosian-glider opened 9 years ago

ramosian-glider commented 9 years ago

Originally reported on Google Code with ID 88

A test case from Anna Zaks:

$ cat t.mm
#import <Foundation/Foundation.h>
int main() {
  NSString *number = [[NSString alloc] initWithFormat:@"5 %d", 5];
  [number release];                    // last reference dropped: the object is deallocated
  NSString *d = [number description];  // message sent to the freed object (use-after-free)
}
$ clang t.mm -o t-native -framework Foundation
$ ./t-native
$ clang t.mm -o t -framework Foundation -faddress-sanitizer

$ ./t 2>&1  | /Users/glider/src/asan/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py

ASAN:SIGSEGV
==44396== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fff8a6f1f0c sp 0x7fff5fbffa58 bp 0x7fff5fbffb90 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fff8a6f1f0b in objc_msgSend (in libobjc.A.dylib) + 40
    #1 0x100001254 in start (in t) + 52
atos cannot load symbols for the file /Users/glider/src/t for architecture i386.
    #2 0x1 in 
Stats: 0M malloced (0M for red zones) by 11 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 3 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
  mmaps   by size class: 8:16383;
  mallocs by size class: 8:11;
  frees   by size class: 8:3;
  rfrees  by size class:
Stats: malloc large: 0 small slow: 1

$ gdb t
(gdb) r
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00007fff8a6f1f0c in objc_msgSend ()
(gdb) bt
#0  0x00007fff8a6f1f0c in objc_msgSend ()
#1  0x0000000100001412 in main ()

Reported by ramosian.glider on 2012-07-11 07:19:25

ramosian-glider commented 9 years ago
This example is really a buggy program, but ASan should be more verbose about the problem.
For example, NSZombie detects the bug correctly:

$ NSZombieEnabled=YES ./t-native
2012-07-11 16:50:18.581 t-native[94386:903] *** -[CFString description]: message sent to deallocated instance 0x10010e080
Trace/BPT trap

even with ASan:

$ NSZombieEnabled=YES ./t
2012-07-11 16:53:27.968 t[94894:903] *** -[CFString description]: message sent to deallocated instance 0x16e0284
Trace/BPT trap

Reported by ramosian.glider on 2012-07-11 13:06:15
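The difference between the two tools comes down to where the freed receiver is first touched: objc_msgSend loads the object's isa pointer inside libobjc, which is not instrumented, so ASan only sees the resulting SIGSEGV, whereas NSZombie never frees the block and instead swaps its isa so the next message is reported. The following toy C model of that dispatch is an added illustration, not code from this thread or from the sanitizer project; every name in it (Object, Class, msg_send_description, string_with_format, object_release, zombies_enabled) is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Toy model of ObjC dispatch (hypothetical names, not the real libobjc).
 * Every object starts with an isa pointer, and message dispatch loads it
 * before anything else: that load is the first touch of a freed receiver. */
typedef struct Object Object;
typedef struct Class {
    const char *name;
    int is_zombie;                     /* set on the NSZombie-style stand-in class */
    int (*description)(Object *self, char *out, size_t n);
} Class;
struct Object { const Class *isa; int refcount; char text[32]; };

static int cfstring_description(Object *self, char *out, size_t n) {
    snprintf(out, n, "%s", self->text);
    return 0;
}
static const Class CFStringClass = { "CFString", 0, cfstring_description };
static const Class ZombieClass   = { "CFString", 1, NULL };
static int zombies_enabled = 1;        /* analogue of NSZombieEnabled=YES */

/* [[NSString alloc] initWithFormat:@"5 %d", 5] */
Object *string_with_format(const char *prefix, int v) {
    Object *o = calloc(1, sizeof *o);
    if (!o) return NULL;
    o->isa = &CFStringClass;
    o->refcount = 1;
    snprintf(o->text, sizeof o->text, "%s%d", prefix, v);
    return o;
}
/* [number release]. With zombies on, the block is kept and its isa swapped,
 * so a later message is reported instead of reading deallocated memory. */
void object_release(Object *o) {
    if (--o->refcount > 0) return;
    if (zombies_enabled) { o->isa = &ZombieClass; return; }
    free(o);   /* real dealloc: the caller now holds a dangling pointer */
}

/* objc_msgSend(o, @selector(description)): 0 with the result in out, or -1 with a diagnostic for a zombie. */
int msg_send_description(Object *o, char *out, size_t n) {
    const Class *cls = o->isa;         /* the first read dispatch makes of the receiver */
    if (cls->is_zombie) {
        snprintf(out, n, "*** -[%s description]: message sent to deallocated instance %p",
                 cls->name, (void *)o);
        return -1;
    }
    return cls->description(o, out, n);
}
```

With zombies_enabled set to 0 the release really frees the block and the next msg_send_description reads a dangling isa, which is the uninstrumented access the ASan run above could only report as a crash at an unknown address.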

ramosian-glider commented 9 years ago
Are we going to take any action here?

Reported by konstantin.s.serebryany on 2013-02-18 08:19:30

ramosian-glider commented 9 years ago
Yes, if we want to improve the coverage for ObjC.

Reported by ramosian.glider on 2013-02-18 09:36:28

ramosian-glider commented 9 years ago

Reported by ramosian.glider on 2015-07-30 09:05:30

ramosian-glider commented 9 years ago
Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:06:54