Description
Lately, when I use Xcode 13.0 to build a sanitizer version of my app, it crashes when the app starts:
```
(lldb) bt
* thread #1, stop reason = signal SIGABRT
  * frame #0: 0x00000001b92159c4 libsystem_kernel.dylib`__pthread_kill + 8
    frame #1: 0x00000001f2463434 libsystem_pthread.dylib`pthread_kill + 268
    frame #2: 0x000000018d722f64 libsystem_c.dylib`abort + 164
    frame #3: 0x0000000103e742f0 libclang_rt.asan_ios_dynamic.dylib`__sanitizer::Abort() at sanitizer_posix_libcdep.cpp:143:3
    frame #4: 0x0000000103e73d0c libclang_rt.asan_ios_dynamic.dylib`__sanitizer::ReserveShadowMemoryRange(beg=12270583808, end=12264275967, name="high shadow", madvise_shadow=true) at sanitizer_common_libcdep.cpp:157:5
    frame #5: 0x0000000103e56f24 libclang_rt.asan_ios_dynamic.dylib`__asan::InitializeShadowMemory() at asan_shadow_setup.cpp:93:5
    frame #6: 0x0000000103e560fc libclang_rt.asan_ios_dynamic.dylib`__asan::AsanInitInternal() at asan_rtl.cpp:450:3
    frame #7: 0x0000000103e55f74 libclang_rt.asan_ios_dynamic.dylib`__asan::AsanInitFromRtl() at asan_rtl.cpp:524:3
    frame #8: 0x0000000103e4a320 libclang_rt.asan_ios_dynamic.dylib`::wrap_malloc_default_zone() at sanitizer_malloc_mac.inc:86:3
    frame #9: 0x0000000194409314 libsystem_malloc.dylib`__malloc_init + 724
    frame #10: 0x00000001bc649900 libSystem.B.dylib`libSystem_initializer + 184
    frame #11: 0x0000000103814794 dyld`invocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
    frame #12: 0x0000000103848364 dyld`invocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340
    frame #13: 0x0000000103812490 dyld`invocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
    frame #14: 0x0000000103811698 dyld`dyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168
    frame #15: 0x00000001038109f8 dyld`dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
    frame #16: 0x000000010381debc dyld`dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516
    frame #17: 0x000000010381aa10 dyld`dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
    frame #18: 0x000000010383bc3c dyld`dyld4::APIs::runAllInitializersForMain() + 48
    frame #19: 0x00000001038273ac dyld`dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
    frame #20: 0x0000000103825a04 dyld`start + 488

==89472==ERROR: AddressSanitizer failed to allocate 0xffffffffff9fc000 (-6307840) bytes at address 2db624000 (errno: 22)
```
Here is the memory map list:
```
|| `[0x0002db020000, 0x0002d7ffffff]` || HighMem    ||
|| `[0x0002db624000, 0x0002db01ffff]` || HighShadow ||
|| `[0x0002d0024000, 0x0002db623fff]` || ShadowGap  ||
|| `[0x000280020000, 0x0002d0023fff]` || LowShadow  ||
|| `[0x000000000000, 0x00028001ffff]` || LowMem     ||
MemToShadow(shadow): 0x0002d0024000 0x0002da0247ff 0x0002db6e4800 0x0002db623fff
redzone=16
max_redzone=2048
quarantine_size_mb=16M
thread_local_quarantine_size_kb=64K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x280020000
```
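To see how the negative size in the error line comes out of this dump, the following script (an added example, not code from the bug report or from the LLVM project) recomputes the region table from the three printed parameters (SHADOW_SCALE, SHADOW_OFFSET and the HighMem end address) using the MEM_TO_SHADOW / kHighMemBeg / kHighShadowBeg definitions of compiler-rt's asan_mapping.h, applies the beg <= end boundary check that the runtime does not perform before calling ReserveShadowMemoryRange, and searches for the smallest kHighMemEnd at which this offset would give a consistent layout. The constants are taken from the dump above; the helper names are the script's own.

```python
# Added example: recompute the ASan memory layout from the values the dump
# prints and apply a boundary check. Not code from the bug report or LLVM.

SHADOW_SCALE = 3             # "SHADOW_SCALE: 3" in the dump
SHADOW_OFFSET = 0x280020000  # "SHADOW_OFFSET: 0x280020000" in the dump
HIGH_MEM_END = 0x2D7FFFFFF   # end of the HighMem row in the dump

MASK64 = (1 << 64) - 1


def mem_to_shadow(addr, scale=SHADOW_SCALE, offset=SHADOW_OFFSET):
    """asan_mapping.h: MEM_TO_SHADOW(mem) = ((mem) >> SHADOW_SCALE) + SHADOW_OFFSET."""
    return (addr >> scale) + offset


def compute_layout(high_mem_end, scale=SHADOW_SCALE, offset=SHADOW_OFFSET):
    """Derive the five regions exactly as the kLowMem*/kHighMem*/k*Shadow* constants do.

    Only kHighMemEnd, SHADOW_SCALE and SHADOW_OFFSET are inputs; everything else
    is a pure function of them, so a too-small kHighMemEnd silently yields
    regions whose end precedes their beginning.
    """
    low_mem_beg = 0
    low_mem_end = offset - 1 if offset else 0
    low_shadow_beg = offset
    low_shadow_end = mem_to_shadow(low_mem_end, scale, offset)
    high_mem_beg = mem_to_shadow(high_mem_end, scale, offset) + 1
    high_shadow_beg = mem_to_shadow(high_mem_beg, scale, offset)
    high_shadow_end = mem_to_shadow(high_mem_end, scale, offset)
    shadow_gap_beg = low_shadow_end + 1
    shadow_gap_end = high_shadow_beg - 1
    return {
        "HighMem": (high_mem_beg, high_mem_end),
        "HighShadow": (high_shadow_beg, high_shadow_end),
        "ShadowGap": (shadow_gap_beg, shadow_gap_end),
        "LowShadow": (low_shadow_beg, low_shadow_end),
        "LowMem": (low_mem_beg, low_mem_end),
    }


def region_size_u64(beg, end):
    """end - beg + 1 as the unsigned 64-bit uptr arithmetic in the runtime sees it."""
    return (end - beg + 1) & MASK64


def check_layout(layout):
    """The missing sanity check: return the names of regions with beg > end."""
    return [name for name, (beg, end) in layout.items() if beg > end]


def min_consistent_high_mem_end(scale=SHADOW_SCALE, offset=SHADOW_OFFSET):
    """Smallest kHighMemEnd for which kHighMemBeg <= kHighMemEnd holds.

    The predicate is monotone in kHighMemEnd, so a binary search suffices.
    """
    def consistent(end):
        return mem_to_shadow(end, scale, offset) + 1 <= end

    lo, hi = 0, 1 << 48
    while lo < hi:
        mid = (lo + hi) // 2
        if consistent(mid):
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    layout = compute_layout(HIGH_MEM_END)
    for name, (beg, end) in layout.items():
        print(f"{name:<10} [0x{beg:012x}, 0x{end:012x}]")
    beg, end = layout["HighShadow"]
    print(f"HighShadow size as uptr: 0x{region_size_u64(beg, end):x} "
          f"({end - beg + 1} signed)")
    print("inverted regions:", check_layout(layout))
    print(f"smallest consistent kHighMemEnd for this offset: "
          f"0x{min_consistent_high_mem_end():x}")
```

Running it reproduces the dump row for row and prints the HighShadow size as 0xffffffffff9fc000 (-6307840), i.e. the value in the ERROR line; the search shows the device's HighMem end of 0x2d7ffffff lies below the smallest end address this SHADOW_OFFSET can support, which is why the layout inverts before any mmap is attempted.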
It seems like the memory map macros in <asan_mapping.h> don't check the boundary, so kHighMemBeg exceeds kHighMemEnd and the shadow region ends up with a negative size:
I have modified some code to debug this problem, so the line numbers may not exactly match the upstream repository. After adding some sanity checks:
This time I failed with ENOMEM:
I'm not familiar with the iOS kernel, but the memory region seems to have plenty of free space to allocate 0xdfc000 bytes. I hope someone can give me some hints to fix this.