
CHECK failure on racy double-free #57

Closed
ramosian-glider opened this issue Aug 31, 2015 · 7 comments

Comments

@ramosian-glider (Member)

Originally reported on Google Code with ID 57

1. Insert SleepForSeconds(1) somewhere into __asan::Deallocate()
e.g. here (r153443): 

--- asan_allocator.cc   (revision 153443)
+++ asan_allocator.cc   (working copy)
@@ -718,6 +718,7 @@
   CHECK(m->chunk_state == CHUNK_ALLOCATED);
   CHECK(m->free_tid == AsanThread::kInvalidTid);
   CHECK(m->alloc_tid >= 0);
+  SleepForSeconds(1);
   AsanThread *t = asanThreadRegistry().GetCurrent();
   m->free_tid = t ? t->tid() : 0;
   AsanStackTrace::CompressStack(stack, m->compressed_free_stack(),
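Review bot: the inserted SleepForSeconds(1) only widens a window that already exists in this hunk: `CHECK(m->chunk_state == CHUNK_ALLOCATED)` and the later write to `m->free_tid` are separate, non-atomic steps, so two threads freeing the same pointer can both pass the CHECK before either one changes the chunk state, and both then continue through the rest of Deallocate() on the same chunk. Rather than relying on the CHECK, the state transition should be a single atomic exchange performed at the top of Deallocate(), with the double-free check applied to the old value that the exchange returns; the test in the report above reproduces exactly this interleaving.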

2. Run this: 
clang -faddress-sanitizer tests/asan_racy_double_free_test.cc && ./a.out 

==20576== CHECK failed: !last_->next at asan_allocator.cc:267


I don't see how it may happen in a correct program, so this is not a showstopper.
But on a rare occasion we may crash instead of properly reporting a racy double-free.

Reported by konstantin.s.serebryany on 2012-03-28 18:34:55

@ramosian-glider (Member, Author)

I guess we need to flip m->chunk_state with "LOCK XCHG" 
at the very beginning of __asan::Deallocate()
Dmitry, WDYT? 

Reported by konstantin.s.serebryany on 2012-03-28 18:43:01

@ramosian-glider (Member, Author)

Like this http://codereview.appspot.com/5944044/diff/1/asan_allocator.cc
Timur/Eugeni, please advise how to implement atomic exchange on Windows and Android.

Reported by konstantin.s.serebryany on 2012-03-28 20:59:54

@ramosian-glider (Member, Author)

It more depends on the compiler. LLVM should support __sync_xxx everywhere.
On windows it may support _InterlockedExchange as well.

Reported by dvyukov@google.com on 2012-03-29 03:54:45

@ramosian-glider (Member, Author)

__sync_xxx support depends on the runtime library. AFAIK, on Android it either does
not work, or did not work some time ago.

Reported by eugenis@google.com on 2012-03-29 12:29:13

@ramosian-glider (Member, Author)

__sync_val_compare_and_swap seems to be working

Reported by eugenis@google.com on 2012-03-29 12:39:12
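The following is an added illustration, not ASan's code, of the race discussed in this thread (the "LOCK XCHG at the beginning of Deallocate()" proposal and the `__sync_val_compare_and_swap` remark above). The chunk struct, the state values and the `DF_*` return codes are constructed for the example; the interleaving is replayed sequentially, the way the SleepForSeconds(1) in the report forces it.

```c
/* Constructed model of __asan::Deallocate(): a racy check-then-act
 * version beside the atomic compare-and-swap version. Not ASan's code. */
#include <stdio.h>

/* Constructed state values; the real allocator's constants may differ. */
enum { CHUNK_ALLOCATED = 2, CHUNK_QUARANTINE = 3 };
enum { DF_OK = 0, DF_DOUBLE_FREE = 1 };

typedef struct { volatile int chunk_state; int free_tid; } Chunk;

/* Racy version: the CHECK on chunk_state and the later state update are
 * two separate steps, so a second thread can slip in between them. */
static int racy_check(const Chunk *m) {
  return m->chunk_state == CHUNK_ALLOCATED ? DF_OK : DF_DOUBLE_FREE;
}
static void racy_commit(Chunk *m, int tid) {
  m->free_tid = tid;
  m->chunk_state = CHUNK_QUARANTINE;
}

/* Fixed version: one compare-and-swap both tests and flips the state, so
 * exactly one of two concurrent frees observes CHUNK_ALLOCATED.
 * __sync_val_compare_and_swap is the GCC/clang builtin named in the thread. */
static int atomic_deallocate(Chunk *m, int tid) {
  int old = __sync_val_compare_and_swap(&m->chunk_state,
                                        CHUNK_ALLOCATED, CHUNK_QUARANTINE);
  if (old != CHUNK_ALLOCATED) return DF_DOUBLE_FREE;
  m->free_tid = tid;
  return DF_OK;
}

/* Both threads run the check before either commits (the interleaving the
 * SleepForSeconds(1) in the report produces). Returns how many of the two
 * frees were reported as a double-free: 0 means the race went unnoticed. */
int racy_double_frees_detected(void) {
  Chunk m = { CHUNK_ALLOCATED, 0 };
  int r1 = racy_check(&m), r2 = racy_check(&m);  /* both pass the CHECK */
  if (r1 == DF_OK) racy_commit(&m, 1);
  if (r2 == DF_OK) racy_commit(&m, 2);           /* second free not caught */
  return (r1 == DF_DOUBLE_FREE) + (r2 == DF_DOUBLE_FREE);
}

int atomic_double_frees_detected(void) {
  Chunk m = { CHUNK_ALLOCATED, 0 };
  int r1 = atomic_deallocate(&m, 1), r2 = atomic_deallocate(&m, 2);
  return (r1 == DF_DOUBLE_FREE) + (r2 == DF_DOUBLE_FREE);
}

int main(void) {
  printf("racy: %d detected, atomic: %d detected\n",
         racy_double_frees_detected(), atomic_double_frees_detected());
  return 0;
}
```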

@ramosian-glider (Member, Author)

Should be fixed by LLVM r154097

Reported by konstantin.s.serebryany on 2012-04-05 15:57:10

  • Status changed: Fixed

@ramosian-glider (Member, Author)

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:58

  • Labels added: ProjectAddressSanitizer
