staticanalysis / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

A simple ObjC program crashes in objc_msgSend #88

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
A test case from Anna Zaks:

$ cat t.mm
#import <Foundation/Foundation.h>
int main() {
  NSString *number = [[NSString alloc] initWithFormat:@"5 %d", 5];
  [number release];                    // retain count drops to zero; the object is deallocated
  NSString *d = [number description];  // message sent to the deallocated instance (use-after-free)
}
$ clang t.mm -o t-native -framework Foundation
$ ./t-native
$ clang t.mm -o t -framework Foundation -faddress-sanitizer

$ ./t 2>&1 | /Users/glider/src/asan/llvm/projects/compiler-rt/lib/asan/scripts/asan_symbolize.py
ASAN:SIGSEGV
==44396== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7fff8a6f1f0c sp 0x7fff5fbffa58 bp 0x7fff5fbffb90 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fff8a6f1f0b in objc_msgSend (in libobjc.A.dylib) + 40
    #1 0x100001254 in start (in t) + 52
atos cannot load symbols for the file /Users/glider/src/t for architecture i386.
    #2 0x1 in 
Stats: 0M malloced (0M for red zones) by 11 calls
Stats: 0M realloced by 0 calls
Stats: 0M freed by 3 calls
Stats: 0M really freed by 0 calls
Stats: 4M (1024 full pages) mmaped in 1 calls
  mmaps   by size class: 8:16383;
  mallocs by size class: 8:11;
  frees   by size class: 8:3;
  rfrees  by size class:
Stats: malloc large: 0 small slow: 1

$ gdb t
(gdb) r
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: 13 at address: 0x0000000000000000
0x00007fff8a6f1f0c in objc_msgSend ()
(gdb) bt
#0  0x00007fff8a6f1f0c in objc_msgSend ()
#1  0x0000000100001412 in main ()

Original issue reported on code.google.com by ramosian.glider@gmail.com on 11 Jul 2012 at 7:19

GoogleCodeExporter commented 9 years ago
This example is really a buggy program, but ASan should be more verbose about the problem.
For example, NSZombie detects the bug correctly:

$ NSZombieEnabled=YES ./t-native
2012-07-11 16:50:18.581 t-native[94386:903] *** -[CFString description]: message sent to deallocated instance 0x10010e080
Trace/BPT trap

even with ASan:

$ NSZombieEnabled=YES ./t
2012-07-11 16:53:27.968 t[94894:903] *** -[CFString description]: message sent to deallocated instance 0x16e0284
Trace/BPT trap

Original comment by ramosian.glider@gmail.com on 11 Jul 2012 at 1:06

GoogleCodeExporter commented 9 years ago
Are we going to take any action here?

Original comment by konstant...@gmail.com on 18 Feb 2013 at 8:19

GoogleCodeExporter commented 9 years ago
Yes, if we want to improve the coverage for ObjC.

Original comment by ramosian.glider@gmail.com on 18 Feb 2013 at 9:36