sm00th / bitlbee-discord

Bitlbee plugin for Discord (http://discordapp.com)
GNU General Public License v2.0

Memory issue on logout #97

Closed kensanata closed 7 years ago

kensanata commented 7 years ago

I'm developing some code of my own using Bitlbee and that's why I compile it using configure --debug=1 --asan=1. Using this, I've seen the following two or three times as bitlbee is about to disconnect (mostly because I've been spending too much time in the debugger):

=================================================================
==52955==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200006f310 at pc 0x0001006b6798 bp 0x7fff5fbfe660 sp 0x7fff5fbfddd0
READ of size 2 at 0x60200006f310 thread T0
    #0 0x1006b6797 in printf_common(void*, char const*, __va_list_tag*) (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1f797)
    #1 0x1006b745d in wrap_vasprintf (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x2045d)
    #2 0x1003f9025 in g_vasprintf (libglib-2.0.0.dylib:x86_64+0x67025)
    #3 0x1003d8513 in g_strdup_vprintf (libglib-2.0.0.dylib:x86_64+0x46513)
    #4 0x103c616ba in discord_debug (discord.so:x86_64+0x46ba)
    #5 0x103c61ff9 in discord_ws_send_payload (discord.so:x86_64+0x4ff9)
    #6 0x103c624fc in discord_ws_writable (discord.so:x86_64+0x54fc)
    #7 0x1000725fd in gaim_io_invoke (bitlbee:x86_64+0x1000725fd)
    #8 0x1003bf1bc in g_main_context_dispatch (libglib-2.0.0.dylib:x86_64+0x2d1bc)
    #9 0x1003bf4bb in g_main_context_iterate (libglib-2.0.0.dylib:x86_64+0x2d4bb)
    #10 0x1003bf710 in g_main_loop_run (libglib-2.0.0.dylib:x86_64+0x2d710)
    #11 0x10007232f in b_main_run (bitlbee:x86_64+0x10007232f)
    #12 0x1000682e2 in main unix.c:182
    #13 0x7fffc030d234 in start (libdyld.dylib:x86_64+0x5234)

0x60200006f310 is located 0 bytes inside of 16-byte region [0x60200006f310,0x60200006f320)
freed by thread T0 here:
    #0 0x1006ea1c6 in wrap_free (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x531c6)
    #1 0x103c618ed in free_discord_data (discord.so:x86_64+0x48ed)
    #2 0x103c5e28d in discord_logout (discord.so:x86_64+0x128d)
    #3 0x1000af8f2 in imc_logout (bitlbee:x86_64+0x1000af8f2)
    #4 0x103c6276b in discord_ws_in_cb (discord.so:x86_64+0x576b)
    #5 0x1000725fd in gaim_io_invoke (bitlbee:x86_64+0x1000725fd)
    #6 0x1003bf1bc in g_main_context_dispatch (libglib-2.0.0.dylib:x86_64+0x2d1bc)
    #7 0x1003bf4bb in g_main_context_iterate (libglib-2.0.0.dylib:x86_64+0x2d4bb)
    #8 0x1003bf710 in g_main_loop_run (libglib-2.0.0.dylib:x86_64+0x2d710)
    #9 0x10007232f in b_main_run (bitlbee:x86_64+0x10007232f)
    #10 0x1000682e2 in main unix.c:182
    #11 0x7fffc030d234 in start (libdyld.dylib:x86_64+0x5234)

previously allocated by thread T0 here:
    #0 0x1006ea390 in wrap_realloc (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x53390)
    #1 0x1003c42d8 in g_realloc (libglib-2.0.0.dylib:x86_64+0x322d8)
    #2 0x1003da778 in g_string_maybe_expand (libglib-2.0.0.dylib:x86_64+0x48778)
    #3 0x1003da72b in g_string_sized_new (libglib-2.0.0.dylib:x86_64+0x4872b)
    #4 0x1003cfdf6 in g_regex_replace_eval (libglib-2.0.0.dylib:x86_64+0x3ddf6)
    #5 0x1003cff9e in g_regex_replace_literal (libglib-2.0.0.dylib:x86_64+0x3df9e)
    #6 0x103c61d88 in discord_canonize_name (discord.so:x86_64+0x4d88)
    #7 0x103c5f77a in discord_parse_message (discord.so:x86_64+0x277a)
    #8 0x103c627e6 in discord_ws_in_cb (discord.so:x86_64+0x57e6)
    #9 0x1000725fd in gaim_io_invoke (bitlbee:x86_64+0x1000725fd)
    #10 0x1003bf1bc in g_main_context_dispatch (libglib-2.0.0.dylib:x86_64+0x2d1bc)
    #11 0x1003bf4bb in g_main_context_iterate (libglib-2.0.0.dylib:x86_64+0x2d4bb)
    #12 0x1003bf710 in g_main_loop_run (libglib-2.0.0.dylib:x86_64+0x2d710)
    #13 0x10007232f in b_main_run (bitlbee:x86_64+0x10007232f)
    #14 0x1000682e2 in main unix.c:182
    #15 0x7fffc030d234 in start (libdyld.dylib:x86_64+0x5234)

SUMMARY: AddressSanitizer: heap-use-after-free (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1f797) in printf_common(void*, char const*, __va_list_tag*)
Shadow bytes around the buggy address:
  0x1c040000de10: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x1c040000de20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x1c040000de30: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
  0x1c040000de40: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c040000de50: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
=>0x1c040000de60: fa fa[fd]fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x1c040000de70: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x1c040000de80: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa
  0x1c040000de90: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x1c040000dea0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fd
  0x1c040000deb0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==52955==ABORTING
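The trace above is read bottom-up: `discord_ws_in_cb` handles an incoming frame, ends up in `discord_logout` → `free_discord_data`, and on a later main-loop iteration the still-registered writable watch calls `discord_ws_send_payload` on the freed state. The code below is an added illustration of that ordering, not code from bitlbee-discord: it models the GLib/bitlbee watch mechanism with a small hand-written watch table, uses a quarantine flag in place of `free()` so the stale access is observable without undefined behaviour, and uses hypothetical names (`conn`, `watch_add`, `run_scenario`). The fix it demonstrates is the general one for this class of bug: detach every event source that still references the object before freeing it.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for the main-loop I/O watches (b_input_add / g_io_add_watch).
 * Assumed model for this example, not bitlbee's implementation. */
typedef int (*io_cb)(void *data);
struct watch { io_cb cb; void *data; int active; };
static struct watch watches[8];
static int n_watches;

static int watch_add(io_cb cb, void *data) {
    watches[n_watches] = (struct watch){cb, data, 1};
    return n_watches++;                  /* watch id, needed to remove it later */
}

static void watch_remove(int id) {
    if (id >= 0 && id < n_watches) watches[id].active = 0;
}

/* One loop iteration: every active watch fires once; a callback returning 0 is dropped. */
static int loop_dispatch(void) {
    int fired = 0;
    for (int i = 0; i < n_watches; i++) {
        if (!watches[i].active) continue;
        fired++;
        if (!watches[i].cb(watches[i].data)) watches[i].active = 0;
    }
    return fired;
}

/* Per-connection state. `freed` is a quarantine flag standing in for free(c):
 * it lets the example observe a stale access the way ASan's freed-region
 * shadow bytes (fd) would, without actually reading freed memory. */
struct conn {
    int writable_watch;                  /* watch that will call conn_writable() */
    char *payload;
    int freed;
};
static int stale_accesses;               /* callbacks that ran on freed state */

static int conn_writable(void *data) {
    struct conn *c = data;
    if (c->freed) {                      /* real code would read freed memory here */
        stale_accesses++;
        return 0;
    }
    printf("send: %s\n", c->payload);
    return 0;                            /* one-shot writable callback */
}

static struct conn *conn_new(const char *payload) {
    struct conn *c = calloc(1, sizeof *c);
    c->payload = strdup(payload);
    c->writable_watch = watch_add(conn_writable, c);
    return c;
}

/* Equivalent of free_discord_data(): releases the state the watch points at. */
static void conn_free(struct conn *c) {
    free(c->payload);
    c->payload = NULL;
    c->freed = 1;                        /* quarantine instead of free(c) */
}

/* Constructed scenario: the logout runs before the pending writable watch fires,
 * as in the ASan trace. Returns how many callbacks touched freed state. */
static int run_scenario(int detach_before_free) {
    n_watches = 0;
    stale_accesses = 0;
    struct conn *c = conn_new("{\"op\":1,\"d\":null}");   /* constructed payload */

    if (detach_before_free) {            /* the fix: cancel the source first */
        watch_remove(c->writable_watch);
        c->writable_watch = -1;
    }
    conn_free(c);                        /* buggy ordering when the watch is still live */
    loop_dispatch();

    int result = stale_accesses;
    free(c);                             /* release the quarantined object after the loop */
    return result;
}

int main(void) {
    printf("free with watch live:   %d stale access(es)\n", run_scenario(0));
    printf("detach then free:       %d stale access(es)\n", run_scenario(1));
    return 0;
}
```

The same discipline applies to every handle that can call back into the connection state: timers, read watches, write watches and DNS lookups all need to be removed or cancelled in the logout path before the struct they carry as `data` is freed, and ASan builds (`--asan=1`, as in the report) are the cheapest way to confirm none were missed.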
sm00th commented 7 years ago

Thank you for the report.