viralcode / address-sanitizer

Automatically exported from code.google.com/p/address-sanitizer

double-free / invalid-free errors should use Report instead of Printf #18

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
There are two errors that are reported using Printf instead of Report, in 
asan_allocator.cc:

  AsanChunk *m = PtrToChunk((uintptr_t)ptr);
  if (m->chunk_state == CHUNK_QUARANTINE) {
    Printf("attempting double-free on %p:\n", ptr);
    stack->PrintStack();
    m->DescribeAddress((uintptr_t)ptr, 1);
    ShowStatsAndAbort();
  } else if (m->chunk_state != CHUNK_ALLOCATED) {
    Printf("attempting free on address which was not malloc()-ed: %p\n", ptr);
    stack->PrintStack();
    ShowStatsAndAbort();
  }

These two errors do not match the error reporting behavior of all other errors 
reported and are not easily recognizable by external tools. I suggest using 
the attached patch, which changes "Printf" to "Report" and adds "ERROR: 
AddressSanitizer" to the output, as is done for all other errors.

Using this small example for double-free (which is not in tests btw):

#include <stdlib.h>
int main() {
  char *x = (char*)malloc(10 * sizeof(char));
  free(x);
  free(x);  /* deliberate second free of the same block (double-free) */
  return 0;
}

I get the following error using the unpatched version:

attempting double-free on 0x7f784a9cb180:
    #0 0x7f784bb3d944 (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/bin_linux/libasan64.so+0x7944)
    #1 0x4008ae (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/tests/double-free+0x4008ae)
    #2 0x7f784b2a3c9d (/lib64/libc-2.12.so+0x1ec9d)

and with the patch:

==32367== ERROR: AddressSanitizer - attempting double-free on 0x7f784a9cb180:
    #0 0x7f784bb3d944 (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/bin_linux/libasan64.so+0x7944)
    #1 0x4008ae (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/tests/double-free+0x4008ae)
    #2 0x7f784b2a3c9d (/lib64/libc-2.12.so+0x1ec9d)

The other branch could be tested using this small program (I called it wild-free):

#include <stdlib.h>
int main() {
  char *x = (char*)malloc(10 * sizeof(char));
  x += 10;  /* now points one past the end of the block, not at a malloc()-ed address */
  free(x);  /* deliberate invalid free */
  return 0;
}

Original issue reported on code.google.com by decoder...@googlemail.com on 13 Dec 2011 at 1:43

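The point of the report above is that tooling around ASan (test harnesses, fuzzer triage scripts, CI log scanners) keys on the "==PID== ERROR: AddressSanitizer" header, so an error that bypasses Report() is silently missed. The parser below is an added example, not code from the issue or from the AddressSanitizer project: it recognises that header and the "#N 0xPC (module+0xOFFSET)" frame lines printed by PrintStack(), and shows that the unpatched double-free output yields no report while the patched output does. The two sample outputs are copied from the issue text above; the third, newer-style sample and the error-kind labels are this example's own construction.

```python
import re
from typing import Dict, List, Optional

# Header line emitted through ASan's Report() path. The 2011-era output quoted
# in this issue uses " - " after "AddressSanitizer"; later releases use ": ",
# so the separator is matched loosely.
HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==\s*ERROR: AddressSanitizer[\s:-]+(?P<message>.+?)\s*$"
)

# Stack frame line as printed by PrintStack(): "#N 0xPC (module+0xOFFSET)".
FRAME_RE = re.compile(
    r"^\s*#(?P<index>\d+)\s+(?P<pc>0x[0-9a-fA-F]+)\s+"
    r"\((?P<module>.+?)\+(?P<offset>0x[0-9a-fA-F]+)\)\s*$"
)

# Coarse error classes derived from the message text. The labels are this
# example's own triage vocabulary, not names used by ASan itself.
KIND_PATTERNS = [
    ("double-free", re.compile(r"double-free")),
    ("invalid-free", re.compile(r"not malloc\(\)-ed|bad-free")),
    ("use-after-free", re.compile(r"use-after-free")),
    ("buffer-overflow", re.compile(r"buffer-overflow")),
]


def classify(message: str) -> str:
    """Map a report message to a coarse kind for triage/deduplication."""
    for kind, pattern in KIND_PATTERNS:
        if pattern.search(message):
            return kind
    return "other"


def parse_asan_reports(text: str) -> List[Dict]:
    """Extract every ASan report (header + following stack frames) from a log."""
    reports: List[Dict] = []
    current: Optional[Dict] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = {
                "pid": int(header.group("pid")),
                "message": header.group("message").rstrip(":"),
                "kind": classify(header.group("message")),
                "frames": [],
            }
            reports.append(current)
            continue
        if current is None:
            # Lines outside a recognised report are ignored. This is exactly
            # what happens to the unpatched Printf() output: it has no header.
            continue
        frame = FRAME_RE.match(line)
        if frame:
            current["frames"].append({
                "index": int(frame.group("index")),
                "pc": int(frame.group("pc"), 16),
                "module": frame.group("module"),
                "offset": int(frame.group("offset"), 16),
            })
        elif not line.strip():
            current = None  # a blank line ends this report's stack trace
    return reports


def summarize(report: Dict) -> str:
    """One-line summary suitable for a CI log or bug title."""
    top = report["frames"][0] if report["frames"] else None
    where = f"{top['module']}+{top['offset']:#x}" if top else "no stack"
    return f"pid {report['pid']}: {report['kind']}: {report['message']} [{where}]"


# Sample 1: unpatched output, copied from the issue text (no ASan header).
UNPATCHED_OUTPUT = """\
attempting double-free on 0x7f784a9cb180:
    #0 0x7f784bb3d944 (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/bin_linux/libasan64.so+0x7944)
    #1 0x4008ae (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/tests/double-free+0x4008ae)
    #2 0x7f784b2a3c9d (/lib64/libc-2.12.so+0x1ec9d)
"""

# Sample 2: patched output, copied from the issue text (Report() header present).
PATCHED_OUTPUT = """\
==32367== ERROR: AddressSanitizer - attempting double-free on 0x7f784a9cb180:
    #0 0x7f784bb3d944 (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/bin_linux/libasan64.so+0x7944)
    #1 0x4008ae (/home/ownhero/homes/mozilla/repos/llvm/projects/compiler-rt/lib/asan/tests/double-free+0x4008ae)
    #2 0x7f784b2a3c9d (/lib64/libc-2.12.so+0x1ec9d)
"""

# Sample 3: constructed line in the newer "AddressSanitizer: ..." header style;
# pid, addresses and paths are made up for this example.
MODERN_OUTPUT = """\
==4242==ERROR: AddressSanitizer: attempting double-free on 0x602000000010 in thread T0:
    #0 0x7f0a1c2b3d44 (/usr/lib/x86_64-linux-gnu/libasan.so.6+0xb1d44)
    #1 0x4011a6 (/tmp/double-free+0x4011a6)
"""

if __name__ == "__main__":
    for label, text in (("unpatched", UNPATCHED_OUTPUT),
                        ("patched", PATCHED_OUTPUT),
                        ("modern", MODERN_OUTPUT)):
        found = parse_asan_reports(text)
        print(f"{label}: {len(found)} report(s)")
        for r in found:
            print("  " + summarize(r))
```

Running the script shows the practical consequence of the bug: the unpatched text produces zero reports, so a harness keyed on the header would treat the run as a plain crash rather than an ASan finding, while the patched and newer-style outputs are both recognised and classified.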
GoogleCodeExporter commented 9 years ago
r146501.
BTW, both cases were covered by tests (DoubleFreeTest and WrongFreeTest). 

Original comment by konstant...@gmail.com on 13 Dec 2011 at 7:20

GoogleCodeExporter commented 9 years ago
Must have been blind then :D (happens from time to time^_^) thx :)

Original comment by decoder...@googlemail.com on 13 Dec 2011 at 8:46