Ji,

This happens when uninstrumented code calls glibc functions that are
intercepted by Asan (e.g. memset).

On Thu, Aug 7, 2014 at 2:39 PM, ji wang <[email protected]> wrote:
> There is one more question, kcc.
> According to my test result, ASan reports some errors in non-instrumented
> code, which means the stacks ASan reported lead to the non-instrumented
> code. Why did this happen?
>
>
> ==2415==ERROR: AddressSanitizer: attempting double-free on 0xb4c28b20 in
> thread T16777215:
> ==2415==AddressSanitizer CHECK failed:
> ../../../.././../gcc/gcc-4.9/libsanitizer/asan/asan_report.cc:586
> "((free_stack->size)) > ((0))" (0x0, 0x0)
>     #0 0xb67af94f (/system/lib/libasan.so.1+0x3f94f)
>     #1 0xb67b2f8b (/system/lib/libasan.so.1+0x42f8b)
>     #2 0xb67ae137 (/system/lib/libasan.so.1+0x3e137)
>     #3 0xb6785bff (/system/lib/libasan.so.1+0x15bff)
>     #4 0xb67aab63 (/system/lib/libasan.so.1+0x3ab63)
>     #5 0xb6ec0cbf (/system/lib/libc.so+0xdcbf)
>     #6 0xb6cf0369 (/system/lib/libbinder.so+0x20369)
>     #7 0xb6cf041b (/system/lib/libbinder.so+0x2041b)
>     #8 0xb6ced789 (/system/lib/libbinder.so+0x1d789)
>     #9 0xb6cedabd (/system/lib/libbinder.so+0x1dabd)
>     #10 0xb6cedb33 (/system/lib/libbinder.so+0x1db33)
>     #11 0xb6cf1983 (/system/lib/libbinder.so+0x21983)
>     #12 0xb6e00a11 (/system/lib/libutils.so+0xea11)
>     #13 0xb6e00543 (/system/lib/libutils.so+0xe543)
>     #14 0xb6ec0223 (/system/lib/libc.so+0xd223)
>     #15 0xb6ec03bb (/system/lib/libc.so+0xd3bb)
>
>
> On Wednesday, August 6, 2014 at 5:49:35 PM UTC+8, kcc wrote:
>>
>> On Wed, Aug 6, 2014 at 1:45 PM, ji wang <[email protected]> wrote:
>> >> (it is possible if e.g. you have
>> >> uninstrumented code).
>> > Do you mean that if we want to test a single process, we must recompile
>> > all the source code that the process uses? In my case, an executable uses
>> > lots of shared libs when it runs as a single process; do we need to
>> > recompile all those shared libs and the executable code?
>>
>>
>> There is no "must" here. But if the non-instrumented code has a bug
>> which leads to memory corruption asan will not report it
>> and may itself die due to that memory corruption.
>>
>> >
>> >
>> >>Hard to tell more w/o reproducer.
>> > I can reproduce those errors on the device I have at hand, but it may be
>> > difficult for anybody else to reproduce them.
>> >
>> > On Wednesday, August 6, 2014 at 4:52:29 PM UTC+8, kcc wrote:
>> >>
>> >> The first one (((free_stack->size)) > ((0))" (0x0, 0x0)) looks like
>> >> asan could not find the stack trace where the first free() happened.
>> >> The second one ("((id)) != (0)" (0x0, 0x0)) is something similar --
>> >> asan fails to find the allocation stack trace.
>> >> In either case this looks like some bug in asan, or maybe a memory
>> >> corruption that asan has missed (it is possible if e.g. you have
>> >> uninstrumented code).
>> >> Hard to tell more w/o reproducer.
>> >>
>> >> On Wed, Aug 6, 2014 at 12:40 PM, ji wang <[email protected]> wrote:
>> >> > Hi, kcc
>> >> > Thanks again, haha :)
>> >> > I just simply want to know what those errors mean, so I can correct
>> >> > them, as my GCC and asan runtime lib were compiled by myself based on
>> >> > GCC 4.9 source code, so maybe something went wrong. I think those
>> >> > incorrect prints may happen in a multi-threaded program? Or any other
>> >> > advice?
>> >> > And PS, those occur on my Android device. As I've mentioned in other
>> >> > posts, I'm using an asan-enabled GCC Android toolchain to test
>> >> > libstagefright.so on my Android device: I push this recompiled lib,
>> >> > then run monkey tests, and get errors like the above.
>> >> >
>> >> >
>> >> > On Wednesday, August 6, 2014 at 2:15:03 PM UTC+8, kcc wrote:
>> >> >>
>> >> >> Do you have a reproducer?
>> >> >>
>> >> >> On Wed, Aug 6, 2014 at 6:04 AM, ji wang <[email protected]> wrote:
>> >> >> > First: Double Free
>> >> >> > =================================================================
>> >> >> > ==2415==ERROR: AddressSanitizer: attempting double-free on 0xb4c28b20
>> >> >> > in thread T16777215:
>> >> >> > ==2415==AddressSanitizer CHECK failed:
>> >> >> > ../../../.././../gcc/gcc-4.9/libsanitizer/asan/asan_report.cc:586
>> >> >> > "((free_stack->size)) > ((0))" (0x0, 0x0)
>> >> >> >     #0 0xb67af94f (/system/lib/libasan.so.1+0x3f94f)
>> >> >> >     #1 0xb67b2f8b (/system/lib/libasan.so.1+0x42f8b)
>> >> >> >     #2 0xb67ae137 (/system/lib/libasan.so.1+0x3e137
>> >> >> >     ...
>> >> >> >     ... ...
>> >> >> >     According to the asan code, free_stack maybe should not be
>> >> >> > empty; it should print something like "freed by thread T0 here: ...
>> >> >> > previously allocated by thread T0 here: ...".
>> >> >> >     And of course it's important: for what reason might we lose this
>> >> >> > part of the log print, or did something go wrong in my asan?
>> >> >> >
>> >> >> > Second: UseAfterFree
>> >> >> > =================================================================
>> >> >> > ==4782==ERROR: AddressSanitizer: heap-use-after-free on address
>> >> >> > 0xadb64ff7 at pc 0xb5916e87 bp 0xb09ff8bc sp 0xb09ff8b4
>> >> >> > WRITE of size 1 at 0xadb64ff7 thread T16777215
>> >> >> >     #0 0xb5916e85 (/system/lib/libstagefright.so+0x12ce85)
>> >> >> >     #1 0xb59185b3 (/system/lib/libstagefright.so+0x12e5b3)
>> >> >> >    ...
>> >> >> >
>> >> >> > 0xadb64ff7 is located 7 bytes inside of 8-byte region
>> >> >> > [0xadb64ff0,0xadb64ff8)
>> >> >> > ==4782==AddressSanitizer CHECK failed:
>> >> >> >
>> >> >> > ../../../.././../gcc/gcc-4.9/libsanitizer/asan/asan_allocator2.cc:234
>> >> >> > "((id)) != (0)" (0x0, 0x0)
>> >> >> >     #0 0xb65cd94f (/system/lib/libasan.so.1+0x3f94f)
>> >> >> >     #1 0xb65d0f8b (/system/lib/libasan.so.1+0x42f8b)
>> >> >> >     #2 0xb65a2637 (/system/lib/libasan.so.1+0x14637)
>> >> >> >    ...
>> >> >> >     #6 0xb58ff04f (/system/lib/libstagefright.so+0x12c04f)
>> >> >> >     #7 0xb59273d3 (/system/lib/libstagefright.so+0x1543d3)
>> >> >> >     This one is the "CHECK(id);" error; what is this id for? And
>> >> >> > more, the stacks printed first and second, which I marked in red
>> >> >> > colour, are the same. This is weird, why?
>> >> >> >
>> >> >> > --
>> >> >> > You received this message because you are subscribed to the Google
>> >> >> > Groups
>> >> >> > "address-sanitizer" group.
>> >> >> > To unsubscribe from this group and stop receiving emails from it,
>> >> >> > send
>> >> >> > an
>> >> >> > email to [email protected].
>> >> >> > For more options, visit https://groups.google.com/d/optout.
>> >> >
>> >
>

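As an added example (not code from this thread or from the sanitizer project), a small Python triage script for the kind of unsymbolized Android ASan report quoted above: it parses the `#N 0x... (module+0xoff)` frames, skips libasan's own frames, and reports which library made the intercepted libc call and which modules in the trace were never rebuilt with ASan. The set of instrumented libraries is an assumption you supply, and the sample trace is a constructed, abridged copy of the double-free trace in the thread.

```python
import os
import re

# Frame format the unsymbolized ASan runtime prints on Android (as in the thread):
#     #5 0xb6ec0cbf (/system/lib/libc.so+0xdcbf)
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x([0-9a-f]+)\s+\((\S+?)\+0x([0-9a-f]+)\)")

# Constructed sample input: an abridged copy of the double-free CHECK trace quoted above.
SAMPLE_TRACE = """\
==2415==ERROR: AddressSanitizer: attempting double-free on 0xb4c28b20 in thread T16777215:
    #0 0xb67af94f (/system/lib/libasan.so.1+0x3f94f)
    #1 0xb67b2f8b (/system/lib/libasan.so.1+0x42f8b)
    #5 0xb6ec0cbf (/system/lib/libc.so+0xdcbf)
    #6 0xb6cf0369 (/system/lib/libbinder.so+0x20369)
    #7 0xb6cf041b (/system/lib/libbinder.so+0x2041b)
    #12 0xb6e00a11 (/system/lib/libutils.so+0xea11)
"""

def parse_frames(report):
    """Return (index, pc, module basename, offset) for each '#N 0x... (module+0x...)' line."""
    frames = []
    for line in report.splitlines():
        m = FRAME_RE.match(line)
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16),
                           os.path.basename(m.group(3)), int(m.group(4), 16)))
    return frames

def uninstrumented_modules(frames, instrumented, runtime="libasan"):
    """Modules in the trace (runtime excluded) that were not rebuilt with ASan, in trace order."""
    seen = []
    for _, _, name, _ in frames:
        if runtime not in name and name not in instrumented and name not in seen:
            seen.append(name)
    return seen

def triage(report, instrumented, runtime="libasan"):
    """Explain a report whose stack leads into code ASan never instrumented. `instrumented` is
    the set of library basenames you rebuilt with -fsanitize=address (assumption: you track it)."""
    frames = parse_frames(report)
    # Drop the runtime's own frames; the next frame is the intercepted libc call
    # (free/memset/...), and the frame after it is the code that made the call.
    user = [f for f in frames if runtime not in f[2]]
    entry, caller = (user[0] if user else None), (user[1] if len(user) > 1 else None)
    return {
        "intercepted_in": entry[2] if entry else None,
        "called_from": caller[2] if caller else None,
        "caller_instrumented": bool(caller) and caller[2] in instrumented,
        "uninstrumented": uninstrumented_modules(frames, instrumented, runtime),
    }
```

Raw module+offset frames can be symbolized afterwards against the unstripped build of each library with `addr2line -f -C -e <lib> <offset>`.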
