http://gcc.gnu.org/bugzilla/show_bug.cgi?id=60536
--- Comment #9 from Markus Trippelsdorf <trippels at gcc dot gnu.org> ---
(In reply to Kostya Serebryany from comment #6)
> > _Unwind_Find_FDE+0x000001D9 /home/markus/gcc/libgcc/unwind-dw2-fde-dip.c:462
> > /home/markus/gcc/libgcc/unwind-dw2.c:1182
> > _Unwind_Backtrace+0x0000004B /home/markus/gcc/libgcc/unwind.inc:291
>
> Interesting. asan detects a bug and starts reporting it, then if crashes
> inside the slow unwinder.
> Try the fast unwinder?
> ASAN_OPTIONS=fast_unwind_on_fatal=1
Thanks, this works fine:
markus@x4 tmp % ASAN_OPTIONS=fast_unwind_on_fatal=1
/var/tmp/moz-build-dir/dist/bin/firefox
=================================================================
==10632==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200001ec50
at pc 0x7f3e30645dbd bp 0x7fff6d3b2a60 sp 0x7fff6d3b2a38
READ of size 2 at 0x60200001ec50 thread T0
#0 0x7f3e30645dbc in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3cdbc)
#1 0x7f3e1d643400 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x20400)
#2 0x7f3e1d637472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)
0x60200001ec50 is located 0 bytes inside of 12-byte region
[0x60200001ec50,0x60200001ec5c)
freed by thread T0 here:
#0 0x7f3e30667d37 in __interceptor_free
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x5ed37)
#1 0x7f3e2fc0b6c2 in setlocale (/lib/libc.so.6+0x2a6c2)
#2 0x7f3e30645cdb in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3ccdb)
#3 0x7f3e1d641dc2 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x1edc2)
#4 0x7f3e1d637472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)
previously allocated by thread T0 here:
#0 0x7f3e30667f6f in __interceptor_malloc
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x5ef6f)
#1 0x7f3e2fc64639 in __GI___strdup (/lib/libc.so.6+0x83639)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 setlocale
Shadow bytes around the buggy address:
0x0c047fffbd30: fa fa 00 00 fa fa 00 00 fa fa fd fd fa fa 00 00
0x0c047fffbd40: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa fd fd
0x0c047fffbd50: fa fa 00 00 fa fa 00 00 fa fa 00 fa fa fa 00 fa
0x0c047fffbd60: fa fa 00 00 fa fa 06 fa fa fa 00 04 fa fa fd fd
0x0c047fffbd70: fa fa 00 04 fa fa 00 04 fa fa fd fd fa fa 00 04
=>0x0c047fffbd80: fa fa 00 04 fa fa fd fd fa fa[fd]fd fa fa 00 04
0x0c047fffbd90: fa fa fd fd fa fa 00 04 fa fa 00 04 fa fa fd fd
0x0c047fffbda0: fa fa 00 04 fa fa 00 04 fa fa fd fd fa fa 00 04
0x0c047fffbdb0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fffbdc0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
0x0c047fffbdd0: fa fa 00 fa fa fa 00 07 fa fa 00 fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Contiguous container OOB:fc
ASan internal: fe
==10632==ABORTING
The strange thing is that I cannot reproduce the issue above anymore.
Without ASAN_OPTIONS=fast_unwind_on_fatal=1 I now get:
=================================================================
==10801==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200001ec50
at pc 0x7fc97d727dbd bp 0x7fff3cd0d460 sp 0x7fff3cd0d438
READ of size 2 at 0x60200001ec50 thread T0
#0 0x7fc97d727dbc in setlocale
(/usr/lib/gcc/x86_64-pc-linux-gnu/4.9.0/libasan.so.1+0x3cdbc)
#1 0x7fc96a725400 in qtSettingsInit
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x20400)
#2 0x7fc96a719472 in qtcurve_rc_style_init
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x14472)
#3 0x7fc97040da17 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x31a17)
#4 0x7fc9703f1562 in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15562)
#5 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
#6 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
#7 0x7fc96a720afb in theme_create_rc_style
(/usr/lib64/gtk-2.0/2.10.0/engines/libqtcurve.so+0x1bafb)
#8 0x7fc96ffe6b1d in gtk_rc_parse_any
(/usr/lib/libgtk-x11-2.0.so.0+0x17cb1d)
#9 0x7fc96ffe731c in gtk_rc_context_parse_one_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d31c)
#10 0x7fc96ffe7584 in gtk_rc_context_parse_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d584)
#11 0x7fc96ffe6246 in gtk_rc_parse_any
(/usr/lib/libgtk-x11-2.0.so.0+0x17c246)
#12 0x7fc96ffe731c in gtk_rc_context_parse_one_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d31c)
#13 0x7fc96ffe7584 in gtk_rc_context_parse_file
(/usr/lib/libgtk-x11-2.0.so.0+0x17d584)
#14 0x7fc96ffe7dce in IA__gtk_rc_reparse_all_for_settings
(/usr/lib/libgtk-x11-2.0.so.0+0x17ddce)
#15 0x7fc970004b51 in gtk_settings_get_for_screen
(/usr/lib/libgtk-x11-2.0.so.0+0x19ab51)
#16 0x7fc970019e08 in gtk_style_init
(/usr/lib/libgtk-x11-2.0.so.0+0x1afe08)
#17 0x7fc97040da17 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x31a17)
#18 0x7fc9703f1562 in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15562)
#19 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
#20 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
#21 0x7fc9700b1ff8 in IA__gtk_widget_get_default_style
(/usr/lib/libgtk-x11-2.0.so.0+0x247ff8)
#22 0x7fc9700b20a3 in gtk_widget_init
(/usr/lib/libgtk-x11-2.0.so.0+0x2480a3)
#23 0x7fc97040d9d6 in g_type_create_instance
(/usr/lib/libgobject-2.0.so.0+0x319d6)
#24 0x7fc9703f0f97 in g_object_constructor
(/usr/lib/libgobject-2.0.so.0+0x14f97)
#25 0x7fc96ff895ad in gtk_invisible_constructor
(/usr/lib/libgtk-x11-2.0.so.0+0x11f5ad)
#26 0x7fc9703f1eaa in g_object_new_internal
(/usr/lib/libgobject-2.0.so.0+0x15eaa)
#27 0x7fc9703f327c in g_object_newv (/usr/lib/libgobject-2.0.so.0+0x1727c)
#28 0x7fc9703f3a0b in g_object_new (/usr/lib/libgobject-2.0.so.0+0x17a0b)
#29 0x7fc974146d62 in nsLookAndFeel::Init()
/var/tmp/mozilla-central/widget/gtk/nsLookAndFeel.cpp:895
#30 0x7fc974148ead in __base_ctor
/var/tmp/mozilla-central/widget/gtk/nsLookAndFeel.cpp:47
#31 0x7fc974148ead in GetInstance
/var/tmp/mozilla-central/widget/xpwidgets/nsXPLookAndFeel.cpp:252
#32 0x7fc974148ead in
mozilla::LookAndFeel::GetInt(mozilla::LookAndFeel::IntID, int*)
/var/tmp/mozilla-central/widget/xpwidgets/nsXPLookAndFeel.cpp:716
and here the Firefox process keeps allocating memory until the OOM killer
terminates it.
