[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

trippels at gcc dot gnu.org Mon, 17 Mar 2014 01:16:27 -0700

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536


--- Comment #9 from Markus Trippelsdorf <trippels at gcc dot gnu.org> ---
(In reply to Kostya Serebryany from comment #6)
> > _Unwind_Find_FDE+0x000001D9 /home/markus/gcc/libgcc/unwind-dw2-fde-dip.c:462
> > /home/markus/gcc/libgcc/unwind-dw2.c:1182
> > _Unwind_Backtrace+0x0000004B /home/markus/gcc/libgcc/unwind.inc:291
> 
> Interesting. asan detects a bug and starts reporting it, then if crashes
> inside the slow unwinder. 
> Try the fast unwinder? 
> ASAN_OPTIONS=fast_unwind_on_fatal=1

Thanks, this works fine:

markus@x4 tmp % ASAN_OPTIONS=fast_unwind_on_fatal=1
/var/tmp/moz-build-dir/dist/bin/firefox 
=================================================================
==10632==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200001ec50
at pc 0x7f3e30645dbd bp 0x7fff6d3b2a60 sp 0x7fff6d3b2a38
READ of size 2 at 0x60200001ec50 thread T0
    #0 0x7f3e30645dbc in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3cdbc)
    #1 0x7f3e1d643400 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x20400)
    #2 0x7f3e1d637472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)

0x60200001ec50 is located 0 bytes inside of 12-byte region
[0x60200001ec50,0x60200001ec5c)
freed by thread T0 here:
    #0 0x7f3e30667d37 in __interceptor_free
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x5ed37)
    #1 0x7f3e2fc0b6c2 in setlocale (/lib/libc.so.6+0x2a6c2)
    #2 0x7f3e30645cdb in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3ccdb)
    #3 0x7f3e1d641dc2 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x1edc2)
    #4 0x7f3e1d637472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)

previously allocated by thread T0 here:
    #0 0x7f3e30667f6f in __interceptor_malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x5ef6f)
    #1 0x7f3e2fc64639 in __GI___strdup (/lib/libc.so.6+0x83639)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 setlocale
Shadow bytes around the buggy address:
  0x0c047fffbd30: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa 00 00
  0x0c047fffbd40: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
  0x0c047fffbd50: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 fa
  0x0c047fffbd60: fa fa 00 00 fa fa 06 fa fa fa 00 04 fa fa fd fd
  0x0c047fffbd70: fa fa 00 04 fa fa 00 04 fa fa fd fd fa fa 00 04
=>0x0c047fffbd80: fa fa 00 04 fa fa fd fd fa fa[fd]fd fa fa 00 04
  0x0c047fffbd90: fa fa fd fd fa fa 00 04 fa fa 00 04 fa fa fd fd
  0x0c047fffbda0: fa fa 00 04 fa fa 00 04 fa fa fd fd fa fa 00 04
  0x0c047fffbdb0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fffbdc0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x0c047fffbdd0: fa fa 00 fa fa fa 00 07 fa fa 00 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==10632==ABORTING

The strange thing is that I cannot reproduce the issue above anymore.
Without ASAN_OPTIONS=fast_unwind_on_fatal=1 I now get:
=================================================================
==10801==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200001ec50
at pc 0x7fc97d727dbd bp 0x7fff3cd0d460 sp 0x7fff3cd0d438
READ of size 2 at 0x60200001ec50 thread T0
    #0 0x7fc97d727dbc in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3cdbc)
    #1 0x7fc96a725400 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x20400)
    #2 0x7fc96a719472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)
    #3 0x7fc97040da17 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x31a17)
    #4 0x7fc9703f1562 in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15562)
    #5 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
    #6 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
    #7 0x7fc96a720afb in theme_create_rc_style
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x1bafb)
    #8 0x7fc96ffe6b1d in gtk_rc_parse_any
(/usr/lib/libgtk-x11-2.0.so.0+0x17cb1d)
    #9 0x7fc96ffe731c in gtk_rc_context_parse_one_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d31c)
    #10 0x7fc96ffe7584 in gtk_rc_context_parse_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d584)
    #11 0x7fc96ffe6246 in gtk_rc_parse_any
(/usr/lib/libgtk-x11-2.0.so.0+0x17c246)
    #12 0x7fc96ffe731c in gtk_rc_context_parse_one_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d31c)
    #13 0x7fc96ffe7584 in gtk_rc_context_parse_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d584)
    #14 0x7fc96ffe7dce in IA__gtk_rc_reparse_all_for_settings
(/usr/lib/libgtk-x11-2.0.so.0+0x17ddce)
    #15 0x7fc970004b51 in gtk_settings_get_for_screen
(/usr/lib/libgtk-x11-2.0.so.0+0x19ab51)
    #16 0x7fc970019e08 in gtk_style_init
(/usr/lib/libgtk-x11-2.0.so.0+0x1afe08)
    #17 0x7fc97040da17 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x31a17)
    #18 0x7fc9703f1562 in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15562)
    #19 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
    #20 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
    #21 0x7fc9700b1ff8 in IA__gtk_widget_get_default_style
(/usr/lib/libgtk-x11-2.0.so.0+0x247ff8)
    #22 0x7fc9700b20a3 in gtk_widget_init
(/usr/lib/libgtk-x11-2.0.so.0+0x2480a3)
    #23 0x7fc97040d9d6 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x319d6)
    #24 0x7fc9703f0f97 in g_object_constructor
(/usr/lib/libgobject-2.0.so.0+0x14f97)
    #25 0x7fc96ff895ad in gtk_invisible_constructor
(/usr/lib/libgtk-x11-2.0.so.0+0x11f5ad)
    #26 0x7fc9703f1eaa in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15eaa)
    #27 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
    #28 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
    #29 0x7fc974146d62 in nsLookAndFeel::Init()
/var/tmp/mozilla-central/widget/gtk/nsLookAndFeel.cpp:895
    #30 0x7fc974148ead in __base_ctor 
/var/tmp/mozilla-central/widget/gtk/nsLookAndFeel.cpp:47
    #31 0x7fc974148ead in GetInstance
/var/tmp/mozilla-central/widget/xpwidgets/nsXPLookAndFeel.cpp:252
    #32 0x7fc974148ead in
mozilla::LookAndFeel::GetInt(mozilla::LookAndFeel::IntID, int*)
/var/tmp/mozilla-central/widget/xpwidgets/nsXPLookAndFeel.cpp:716

and here the Firefox process keeps allocating memory until the OOM killer
terminates it.

[Bug sanitizer/60536] Backtrace corrupted on Firefox build with -fsanitize=address and -flto

Reply via email to