This is an archive of the discontinued LLVM Phabricator instance.

Differential D31978

Fix memory leaks in address sanitizer darwin tests
ClosedPublic

Authored by fjricci on Apr 12 2017, 7:31 AM.

Download Raw Diff

Details

Reviewers

kcc
glider
kubamracek
alekseyshl

Commits

rGe9438b35aad8: Fix memory leaks in address sanitizer darwin tests
rCRT300080: Fix memory leaks in address sanitizer darwin tests
rL300080: Fix memory leaks in address sanitizer darwin tests

Summary

These leaks are detected by leak sanitizer for darwin.

Diff Detail

Repository: rL LLVM

Event Timeline

fjricci created this revision.Apr 12 2017, 7:31 AM

alekseyshl accepted this revision.Apr 12 2017, 8:37 AM

alekseyshl added inline comments.

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Who's holding (and leaking) the buffer?

This revision is now accepted and ready to land.Apr 12 2017, 8:37 AM

fjricci added inline comments.Apr 12 2017, 8:44 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	From looking at the only malloc_set_zone_name source I could find (https://opensource.apple.com/source/Libc/Libc-320.1.3/gen/malloc.c), it looks like libc itself is holding a copy, which it frees whenever the name is overwritten. For some reason, malloc_destroy_zone doesn't free that buffer (I assume it should).

fjricci added inline comments.Apr 12 2017, 8:46 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Another alternative which would probably work would be calling 'free(malloc_get_zone_name(zone))`, but that seemed hackier.

alekseyshl added inline comments.Apr 12 2017, 9:36 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Looking at the code, it's not a leak. The zone name buffer is allocated within the zone itself, so destroying the zone effectively deallocates the name too.

kubamracek added inline comments.Apr 12 2017, 9:41 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	This leaks because we have an interceptor for malloc_destroy_zone, which doesn't really destroy the zone, nor does it free the name (see sanitizer_malloc_mac.inc). Could this be fixed in the interceptor instead?

alekseyshl added inline comments.Apr 12 2017, 10:00 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Right, what I meant to say, the actual malloc does not leak the name. Fixing it in the interceptor sounds like a better idea.

fjricci added inline comments.Apr 12 2017, 10:03 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Changing the interceptor to free the name does fix the leak, I'll pull that out into a separate patch.

kubamracek added inline comments.Apr 12 2017, 10:05 AM

test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc
52 ↗	(On Diff #94966)	Great, thanks!

Remove hack to clear malloc zone name

kubamracek accepted this revision.Apr 12 2017, 10:14 AM

Closed by commit rL300080: Fix memory leaks in address sanitizer darwin tests (authored by fjricci). · Explain WhyApr 12 2017, 10:44 AM

This revision was automatically updated to reflect the committed changes.

fjricci mentioned this in D32191: Enable lsan test suite for darwin x86-64.Apr 20 2017, 2:46 PM

Revision Contents

Path

Size

compiler-rt/

trunk/

lib/

asan/

tests/

asan_mac_test_helpers.mm

1 line

test/

asan/

TestCases/

Darwin/

malloc_set_zone_name-mprotect.cc

1 line

1 line

suppressions-darwin.cc

1 line

suppressions-sandbox.cc

1 line

Diff 94996

compiler-rt/trunk/lib/asan/tests/asan_mac_test_helpers.mm

	Show First 20 Lines • Show All 231 Lines • ▼ Show 20 Lines

	void TestNSURLDeallocation() {			void TestNSURLDeallocation() {
	NSURL *base =			NSURL *base =
	[[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];			[[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];
	volatile NSURL *u =			volatile NSURL *u =
	[[NSURL alloc] initWithString:@"Saved Application State"			[[NSURL alloc] initWithString:@"Saved Application State"
	relativeToURL:base];			relativeToURL:base];
	[u release];			[u release];
				[base release];
	}			}

compiler-rt/trunk/test/asan/TestCases/Darwin/malloc_set_zone_name-mprotect.cc

	Show First 20 Lines • Show All 41 Lines • ▼ Show 20 Lines		int main() {
	for (int i = 0; i < kNumIter; i++) {			for (int i = 0; i < kNumIter; i++) {
	mem[i + kNumIter] = (char)malloc(8 i);			mem[i + kNumIter] = (char)malloc(8 i);
	}			}
	// Access the allocated memory chunks and free them.			// Access the allocated memory chunks and free them.
	for (int i = 0; i < kNumIter * 2; i++) {			for (int i = 0; i < kNumIter * 2; i++) {
	memset(mem[i], 'a', 8 * (i % kNumIter));			memset(mem[i], 'a', 8 * (i % kNumIter));
	free(mem[i]);			free(mem[i]);
	}			}
				malloc_destroy_zone(zone);
	return 0;			return 0;
	}			}

compiler-rt/trunk/test/asan/TestCases/Darwin/scribble.cc

	Show First 20 Lines • Show All 48 Lines • ▼ Show 20 Lines		int main() {

	my_object->print_my_class_name();			my_object->print_my_class_name();
	// CHECK-NOSCRIBBLE: class name: MyClass			// CHECK-NOSCRIBBLE: class name: MyClass
	// CHECK-SCRIBBLE: isa = {{(0x)?}}{{5555555555555555\|55555555}}			// CHECK-SCRIBBLE: isa = {{(0x)?}}{{5555555555555555\|55555555}}

	fprintf(stderr, "okthxbai!\n");			fprintf(stderr, "okthxbai!\n");
	// CHECK-SCRIBBLE: okthxbai!			// CHECK-SCRIBBLE: okthxbai!
	// CHECK-NOSCRIBBLE: okthxbai!			// CHECK-NOSCRIBBLE: okthxbai!
				free(my_class_isa);
	}			}

compiler-rt/trunk/test/asan/TestCases/Darwin/suppressions-darwin.cc

	Show All 21 Lines
	int main() {			int main() {
	char a = (char )malloc(6);			char a = (char )malloc(6);
	strcpy(a, "hello");			strcpy(a, "hello");
	CFStringRef str =			CFStringRef str =
	CFStringCreateWithBytes(kCFAllocatorDefault, (unsigned char *)a, 10,			CFStringCreateWithBytes(kCFAllocatorDefault, (unsigned char *)a, 10,
	kCFStringEncodingUTF8, FALSE); // BOOM			kCFStringEncodingUTF8, FALSE); // BOOM
	fprintf(stderr, "Ignored.\n");			fprintf(stderr, "Ignored.\n");
	free(a);			free(a);
				CFRelease(str);
	}			}

	// CHECK-CRASH: AddressSanitizer: heap-buffer-overflow			// CHECK-CRASH: AddressSanitizer: heap-buffer-overflow
	// CHECK-CRASH-NOT: Ignored.			// CHECK-CRASH-NOT: Ignored.
	// CHECK-IGNORE-NOT: AddressSanitizer: heap-buffer-overflow			// CHECK-IGNORE-NOT: AddressSanitizer: heap-buffer-overflow
	// CHECK-IGNORE: Ignored.			// CHECK-IGNORE: Ignored.

compiler-rt/trunk/test/asan/TestCases/Darwin/suppressions-sandbox.cc

	Show All 12 Lines
	int main() {			int main() {
	char a = (char )malloc(6);			char a = (char )malloc(6);
	strcpy(a, "hello");			strcpy(a, "hello");
	CFStringRef str =			CFStringRef str =
	CFStringCreateWithBytes(kCFAllocatorDefault, (unsigned char *)a, 10,			CFStringCreateWithBytes(kCFAllocatorDefault, (unsigned char *)a, 10,
	kCFStringEncodingUTF8, FALSE); // BOOM			kCFStringEncodingUTF8, FALSE); // BOOM
	fprintf(stderr, "Ignored.\n");			fprintf(stderr, "Ignored.\n");
	free(a);			free(a);
				CFRelease(str);
	}			}

	// CHECK-CRASH: AddressSanitizer: heap-buffer-overflow			// CHECK-CRASH: AddressSanitizer: heap-buffer-overflow
	// CHECK-CRASH-NOT: Ignored.			// CHECK-CRASH-NOT: Ignored.
	// CHECK-IGNORE-NOT: AddressSanitizer: heap-buffer-overflow			// CHECK-IGNORE-NOT: AddressSanitizer: heap-buffer-overflow
	// CHECK-IGNORE: Ignored.			// CHECK-IGNORE: Ignored.