http://gcc.gnu.org/bugzilla/show_bug.cgi?id=55521
--- Comment #6 from Jack Howarth <howarth at nitro dot med.uc.edu> 2012-11-29 21:25:07 UTC ---

Opened radr://12777299 so that the darwin linker maintainer could look at this issue. His analysis of the failing test case so far is...

----------------------------------------------------------------------------------

I debugged this a bit and it seems the mach_override patching of __cxa_throw is bogus. The start of that function is patched to jump to garbage.

Breakpoint 1, 0x0000000100001c19 in main ()
(gdb) display/i $pc
2: x/i $pc
0x100001c19 <main+318>: callq 0x100016386 <dyld_stub___cxa_throw>
(gdb) si
0x0000000100016386 in dyld_stub___cxa_throw ()
2: x/i $pc
0x100016386 <dyld_stub___cxa_throw>: jmpq *0xae1c(%rip) # 0x1000211a8
(gdb)
0x0000000102244870 in __cxa_throw ()
2: x/i $pc
0x102244870 <__cxa_throw>: jmpq 0xffd27000
(gdb) # the above is __cxa_throw in gcc's libstdc++.6.dylib. The first instruction has been patched to jump to a garbage address.
(gdb) x/8i 0x102244870-8
0x102244868 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+56>: std
0x102244869 <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+57>: (bad)
0x10224486a <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+58>: decl (%rdi)
0x10224486c <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+60>: (bad)
0x10224486d <_ZL23__gxx_exception_cleanup19_Unwind_Reason_CodeP17_Unwind_Exception+61>: add %r8b,(%rax)
0x102244870 <__cxa_throw>: jmpq 0xffd27000
0x102244875 <__cxa_throw+5>: or (%rax),%eax
0x102244877 <__cxa_throw+7>: push %rbx
(gdb)
(gdb) watch *0x102244870
Hardware watchpoint 2: *4330899568
(gdb) r

Old value = -788165304
New value = -1373139991
0x0000000100016203 in __asan_mach_override_ptr_custom ()
(gdb) bt
#0 0x0000000100016203 in __asan_mach_override_ptr_custom ()
#1 0x0000000100015a9e in __interception::OverrideFunction ()
#2 0x00007fff5fc13378 in ImageLoaderMachO::doModInitFunctions ()
#3 0x00007fff5fc13762 in ImageLoaderMachO::doInitialization ()
#4 0x00007fff5fc1006e in ImageLoader::recursiveInitialization ()
#5 0x00007fff5fc0feba in ImageLoader::runInitializers ()
#6 0x00007fff5fc01fc0 in dyld::initializeMainExecutable ()
#7 0x00007fff5fc05b04 in dyld::_main ()
#8 0x00007fff5fc01397 in dyldbootstrap::start ()
#9 0x00007fff5fc0105e in _dyld_start ()
(gdb) x/8i 0x102244870
0x102244870 <__cxa_throw>: jmpq 0xffd27000
0x102244875 <__cxa_throw+5>: or (%rax),%eax
0x102244877 <__cxa_throw+7>: push %rbx
0x102244878 <__cxa_throw+8>: lea -0x20(%rdi),%rbx
0x10224487c <__cxa_throw+12>: mov %rsi,-0x70(%rdi)
# Here is where the patching is being done
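As an added example that is not part of the bug report, ASan or mach_override, the C below does the same arithmetic gdb did to print "jmpq 0xffd27000": it decodes an E9 rel32 jump planted at a function entry, sign-extends the displacement relative to the end of the 5-byte instruction, and flags a target that falls outside the address range the caller considers legitimate. The sample bytes are constructed from the watchpoint's new value (-1373139991 = 0xAE278BE9, little-endian E9 8B 27 AE) plus the high displacement byte 0xFD implied by the listed target; the old value 0xD1058D48 gives the unpatched 48 8D 05 D1 prologue, and the "legitimate" range is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What was found at the first instruction of a function. */
typedef struct {
    int is_jmp_rel32;   /* 1 if the first byte is E9 (jmp rel32) */
    uint64_t target;    /* absolute jump target, valid if is_jmp_rel32 */
} hook_info;

/* Decode a possible E9 rel32 patch at the start of a function located at
 * addr whose first bytes are in buf. The displacement is taken relative to
 * the end of the 5-byte instruction and sign-extended, as the CPU does. */
hook_info decode_jmp_rel32(uint64_t addr, const uint8_t *buf, size_t len) {
    hook_info hi = {0, 0};
    if (len < 1 || buf[0] != 0xE9 || len < 5) return hi;
    uint32_t raw = (uint32_t)buf[1] | ((uint32_t)buf[2] << 8) |
                   ((uint32_t)buf[3] << 16) | ((uint32_t)buf[4] << 24);
    int32_t disp = (int32_t)raw;
    hi.is_jmp_rel32 = 1;
    hi.target = addr + 5 + (uint64_t)(int64_t)disp;
    return hi;
}

/* 1 if the entry was patched and jumps outside [lo, hi), the range the
 * caller considers legitimate (loaded images, trampoline area). */
int jmp_target_is_suspicious(uint64_t addr, const uint8_t *buf, size_t len,
                             uint64_t lo, uint64_t hi) {
    hook_info h = decode_jmp_rel32(addr, buf, len);
    if (!h.is_jmp_rel32) return 0;
    return h.target < lo || h.target >= hi;
}

/* Constructed samples: bytes at __cxa_throw (0x102244870) after and before
 * the patch, reconstructed from the watchpoint values and the listing. */
static const uint64_t CXA_THROW_ADDR = 0x102244870ULL;
static const uint8_t CXA_THROW_PATCHED[8] = {0xE9, 0x8B, 0x27, 0xAE, 0xFD,
                                             0x0B, 0x00, 0x53};
static const uint8_t CXA_THROW_ORIG[4] = {0x48, 0x8D, 0x05, 0xD1};

int main(void) {
    hook_info h = decode_jmp_rel32(CXA_THROW_ADDR, CXA_THROW_PATCHED, 8);
    printf("jmp rel32: %d target: 0x%llx suspicious: %d\n", h.is_jmp_rel32,
           (unsigned long long)h.target,
           jmp_target_is_suspicious(CXA_THROW_ADDR, CXA_THROW_PATCHED, 8,
                                    0x100000000ULL, 0x200000000ULL));
    return 0;
}
```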