Comment #1 on issue 323 by [email protected]: AddressSanitizer:
double-free with zero-length XHR, depending on behavior of realloc(p, 0)
http://code.google.com/p/address-sanitizer/issues/detail?id=323
More context :: (also fixed in syzyasan as
https://codereview.appspot.com/10374044).
Oho!
    #include <cstdlib>

    int main()
    {
        void* p = nullptr;
        p = realloc(p, 0);           // first call: returns a non-null pointer here
        if (!p)
            return 1;
        void* newp = realloc(p, 0);  // second call: returns nullptr under ASan
        if (!newp)
        {
            free(p);                 // ASan reports double-free: realloc already freed p
            return 1;
        }
        free(newp);
        return 0;
    }
With that, the first realloc returns a non-null pointer. The *second*
realloc returns nullptr. This would be okay if |p| were left alone. But
this apparently *also*, with the ASAN replacement, frees |p|! So we enter
the |!newp| block, and the |free(p)| triggers ASAN complaints about
double-free. I don't believe that's okay. Either realloc returns a
non-null pointer, possibly deallocating the one passed in (*always* doing
so with the special ASAN semantics), or it returns nullptr and leaves the
incoming memory alone.
Perhaps someone reimplemented realloc based on something like
http://linux.die.net/man/3/realloc which claims realloc(..., 0) will free
the pointer. But that flatly contradicts C99's *actual* specification for
realloc, which says only "If memory for the new object cannot be allocated,
the old object is not deallocated and its value is unchanged" and "The
realloc function returns a pointer to the new object (which may have the
same value as a pointer to the old object), or a null pointer if the new
object could not be allocated." If we observe a null pointer returned,
then the new object could not be allocated, and therefore "the old object
is not deallocated and its value is unchanged".
I'm not 100% sure this is functionally identical to the series of calls
being performed in our code. But this behavior looks like a clear ASAN bug
to me in any event.
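A defensive wrapper, added here as an illustration and not part of the original comment, ASan, or the reporter's code: it sidesteps the realloc(p, 0) ambiguity described above by never passing a zero size to realloc, so a NULL return can only mean allocation failure. The names resize, resize_result and zero_length_sequence are hypothetical helpers.

```c
#include <stdlib.h>
#include <string.h>

/* Result of a resize: on failure the old buffer is untouched and still owned
 * by the caller; after a resize to 0 the buffer has been freed and ptr is NULL. */
typedef struct {
    void *ptr;
    int ok;      /* 1 = request satisfied, 0 = out of memory, old ptr still valid */
} resize_result;

/* Hypothetical portable wrapper. realloc(p, 0) is implementation-defined:
 * the man page quoted in the comment says it frees p, other libcs return a
 * unique non-NULL pointer, and the ASan replacement frees p *and* returns
 * NULL. Never calling realloc with size 0 removes the ambiguity. */
resize_result resize(void *p, size_t new_size)
{
    resize_result r = { p, 1 };
    if (new_size == 0) {
        free(p);        /* explicit: the caller knows p is gone */
        r.ptr = NULL;
        return r;
    }
    void *np = realloc(p, new_size);
    if (np == NULL) {
        r.ok = 0;       /* C99: old object not deallocated, r.ptr == p still valid */
        return r;
    }
    r.ptr = np;
    return r;
}

/* The comment's sequence (zero-length request, then shrink to zero again)
 * rewritten on top of resize(): no path frees the same pointer twice.
 * Returns 0 on success, 1 on allocation failure or an inconsistent result. */
int zero_length_sequence(void)
{
    resize_result r = resize(NULL, 0);   /* zero-length "allocation": frees NULL, no-op */
    if (!r.ok || r.ptr != NULL)
        return 1;
    r = resize(r.ptr, 16);               /* grow to a real buffer */
    if (!r.ok)
        return 1;
    memset(r.ptr, 0, 16);
    r = resize(r.ptr, 0);                /* shrink to zero: freed, ptr becomes NULL */
    if (!r.ok || r.ptr != NULL)
        return 1;
    /* nothing left to free; free(r.ptr) here would be free(NULL), a no-op */
    return 0;
}
```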