Comment #1 on issue 321 by [email protected]: CHECK failed: ... "((trace)) != (0)" (0x0, 0x0)
http://code.google.com/p/address-sanitizer/issues/detail?id=321
This happens because a call to REAL(time) overwrites the stack ID in the
freed memory region:

    INTERCEPTOR(unsigned long, time, unsigned long *t) {
      void *ctx;
      COMMON_INTERCEPTOR_ENTER(ctx, time, t);
      // The real function writes through t before the pointer is checked.
      unsigned long res = REAL(time)(t);
      if (t && res != (unsigned long)-1) {
        // The addressability check only happens after the write.
        COMMON_INTERCEPTOR_WRITE_RANGE(ctx, t, sizeof(*t));
      }
      return res;
    }
There are plenty of other places in sanitizer_common_interceptors.inc
where an interceptor calls the real function before checking the pointers
for being addressable.
Is it possible to store the stack ID somewhere else?
If not, we must fix all the interceptors that may write to heap-allocated
memory:
1. Upon INTERCEPTOR(fname) entry, copy the chunk header of every pointer
that fname() can potentially overwrite (most of the time there's only one
such pointer);
2. Call REAL(fname)(ptr);
3. Check the return value of the function to determine which pointers were
overwritten;
4. For each such pointer check whether it was addressable. If it was not,
restore the chunk header and bail out.
It's still theoretically possible that the memory passed to
INTERCEPTOR(fname) is unmapped already (although the ASan allocator doesn't do
that), and we get a SEGV before knowing that it's unaddressable.
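The ordering problem and the four-step fix proposed in the comment, as an added example that is not ASan's code: a constructed toy allocator keeps the free-stack ID in the first word of a freed (poisoned) chunk, `naive_intercept` follows the call-then-check order of the quoted interceptor, and `guarded_intercept` snapshots the header, calls the stand-in `real_time`, and restores the header before reporting. All names and the fixed clock value are made up for the demonstration.

```c
#include <stdbool.h>

/* Constructed toy model, not ASan's real allocator: once a chunk is freed
 * (poisoned) the allocator keeps the free-stack ID in the first word of the
 * user region, which is the field the report says REAL(time) clobbers. */
struct chunk {
    bool addressable;        /* false after free; stands in for shadow poisoning */
    unsigned long user[4];   /* user memory; user[0] holds the free-stack ID once freed */
};

static void toy_free(struct chunk *c, unsigned long free_stack_id) {
    c->addressable = false;
    c->user[0] = free_stack_id;
}

/* Stand-in for REAL(time): stores the result through t and returns it. */
static unsigned long real_time(unsigned long *t) {
    unsigned long now = 1700000000UL;   /* constructed fixed clock value */
    if (t) *t = now;
    return now;
}

/* Ordering of the quoted interceptor: call REAL first, check afterwards.
 * Returns true when the write is flagged, but by then the stack ID is gone. */
static bool naive_intercept(struct chunk *c) {
    real_time(&c->user[0]);
    return !c->addressable;
}

/* Proposed ordering: snapshot the header, call, use the return value to see
 * what was written, then check addressability and restore before bailing. */
static bool guarded_intercept(struct chunk *c) {
    unsigned long saved = c->user[0];                /* 1. copy chunk header */
    unsigned long res = real_time(&c->user[0]);      /* 2. call REAL(fname) */
    if (res == (unsigned long)-1) return false;      /* 3. nothing was written */
    if (!c->addressable) {                           /* 4. unaddressable: restore */
        c->user[0] = saved;
        return true;                                 /* ...and report */
    }
    return false;
}

/* Both orderings on a freed chunk: does the stack ID survive the call? */
static bool demo_naive_loses_id(void) {
    struct chunk c; toy_free(&c, 0xABCDUL);
    return naive_intercept(&c) && c.user[0] != 0xABCDUL;
}
static bool demo_guarded_keeps_id(void) {
    struct chunk c; toy_free(&c, 0xABCDUL);
    return guarded_intercept(&c) && c.user[0] == 0xABCDUL;
}
```

The naive path still detects the bad write but has already destroyed the free-stack ID the error report needs, which is the CHECK failure described above; the guarded path reports with the ID intact.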