ASAN hides issues with posix_memalign() and realloc() |
Issue description

As noted in issue 721872, the ffmpeg_regression_tests test Cr444539/FFmpegRegressionTest.BasicPlayback/0 crashes with:

    realloc/memalign mismatch at 0xa65df2fb7c0: non-NULL pointers passed to realloc must be obtained from malloc, calloc, or realloc
    Received signal 11 SEGV_MAPERR 000000000039
    #0 0x7ff5476a77fb base::debug::StackTrace::StackTrace()
    #1 0x7ff5476a64fc base::debug::StackTrace::StackTrace()
    #2 0x7ff5476a730f base::debug::(anonymous namespace)::StackDumpSignalHandler()
    #3 0x7ff5486ee330 <unknown>
    #4 0x7ff54797b628 tcmalloc::Abort()
    #5 0x7ff54798363a LogPrintf()
    #6 0x7ff5479834bb RAW_VLOG()
    #7 0x7ff5479d3d4a tc_realloc
    #8 0x7ff547969fb5 (anonymous namespace)::TCRealloc()
    #9 0x7ff547969be7 ShimRealloc
    #10 0x7ff5479695f1 realloc
    #11 0x7ff5448a1416 av_reallocp
    #12 0x7ff5449a4d8f mov_read_extradata
    #13 0x7ff544998da2 mov_read_default
    #14 0x7ff54499ed0a mov_read_moov
    #15 0x7ff544998da2 mov_read_default
    #16 0x7ff5449992d3 mov_read_header
    #17 0x7ff544863a6a avformat_open_input
    #18 0x7ff547e7851b media::FFmpegGlue::OpenContext()

FFmpeg as built for Chromium uses posix_memalign() when allocating the blocks, and calls realloc() to change the size. However, if I build it with ASAN enabled, no error is reported. This seems incorrect. Repro steps are in issue 721872.

Additional GN flags:

    is_asan = true
    enable_nacl = false
    is_debug = false
May 22 2017
This should be triaged by somebody on the memory team, so moving back to untriaged so that they can look at it.
Jun 7 2017
Dale@, who in the memory team can take a look at this bug?
Jun 7 2017
Issue 721872 tracked the problem with FFmpeg and getting it fixed (which is done now). This bug is that you get a memory error on a debug build that does not happen with ASAN enabled (and debug=false, as recommended when using ASAN). Removing Internals->Media as this needs to be looked at by somebody on the Memory team.
Sep 14 2017
The error is only caught by tcmalloc debug assertions in third_party/tcmalloc/chromium/src/debugallocation.cc, which seem to only work in debug builds without sanitizers.
Sep 14 2017
Looks like an ASAN bug / behavior. glider can you help triaging this?
Sep 14 2017
(Some context here: https://trac.ffmpeg.org/ticket/6403) Kostya, Evgenii, looks like the behavior of realloc(posix_memalign()) isn't really documented. Do you think we shall report such misuse? (Probably yes)
Sep 14 2017
I even think this shouldn't be that hard to fix: we already have

    enum AllocType {
      FROM_MALLOC = 1,  // Memory block came from malloc, calloc, realloc, etc.
      FROM_NEW = 2,     // Memory block came from operator new.
      FROM_NEW_BR = 3   // Memory block came from operator new[].
    };

so this should be a matter of adding FROM_POSIX_MEMALIGN and making sure it's allowed in free(), but not realloc().
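The following is an added example, not Chromium's or ASan's code, showing the rule sketched in this comment as a small allocator shim: each block is tagged with its origin, realloc() is refused for posix_memalign() memory, and free() accepts both. The names (tracked_*, FROM_POSIX_MEMALIGN = 4, the side table) are hypothetical; ASan itself stores such tags in chunk metadata.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdlib.h>
/* Hypothetical tags; FROM_POSIX_MEMALIGN is the addition proposed above. */
enum AllocType { FROM_MALLOC = 1, FROM_POSIX_MEMALIGN = 4 };
/* Side table of live blocks (ptr -> origin); a small fixed array is enough
 * to demonstrate the check, a real sanitizer keeps this in chunk metadata. */
#define MAX_TRACKED 64
static struct { void *ptr; int type; } table[MAX_TRACKED];
static int mismatches_reported = 0;
static void record(void *p, int t) {
  for (int i = 0; i < MAX_TRACKED; i++)
    if (!table[i].ptr) { table[i].ptr = p; table[i].type = t; return; }
}
static int origin_of(void *p) {          /* 0 if p is not a tracked block */
  for (int i = 0; i < MAX_TRACKED; i++)
    if (p && table[i].ptr == p) return table[i].type;
  return 0;
}
static void forget(void *p) {
  for (int i = 0; i < MAX_TRACKED; i++)
    if (p && table[i].ptr == p) table[i].ptr = NULL;
}
void *tracked_malloc(size_t n) {
  void *p = malloc(n); if (p) record(p, FROM_MALLOC); return p;
}
int tracked_posix_memalign(void **out, size_t align, size_t n) {
  int rc = posix_memalign(out, align, n);
  if (rc == 0) record(*out, FROM_POSIX_MEMALIGN);
  return rc;
}
/* The proposed rule: only FROM_MALLOC blocks may be passed to realloc();
 * anything else is counted as a "realloc/memalign mismatch" and refused. */
void *tracked_realloc(void *p, size_t n) {
  int t = origin_of(p);
  if (t && t != FROM_MALLOC) { mismatches_reported++; return NULL; }
  void *q = realloc(p, n);
  if (q) { forget(p); record(q, FROM_MALLOC); }
  return q;
}
/* free() stays permissive: posix_memalign() memory is legitimately freeable. */
void tracked_free(void *p) { forget(p); free(p); }
int mismatch_count(void) { return mismatches_reported; }
/* Exercises both paths; returns the number of mismatches flagged (expected 1). */
int run_scenario(void) {
  void *a = tracked_malloc(16), *m = NULL;
  void *b = tracked_realloc(a, 32);             /* legal: malloc -> realloc */
  if (!b || tracked_posix_memalign(&m, 64, 16) != 0) return -1;
  void *r = tracked_realloc(m, 32);             /* flagged: memalign -> realloc */
  tracked_free(b);
  tracked_free(m);                              /* legal: memalign -> free */
  return r == NULL ? mismatch_count() : -2;
}
```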
Sep 14 2017
Also see issue 765110 for a rare(r) case of the realloc issue.
Sep 15 2017
It might not be as simple due to lack of extra bits, but yes, sure, please file an issue at https://github.com/google/sanitizers/issues/, preferably with a tiny test case.
Aug 1
Comment 1 by yini...@chromium.org, May 15 2017