A bug in _CFRuntimeCreateInstance leads to invalid pointers being freed.
Originator: ramosian.glider
Number: rdar://11748863
Date Originated: 26-Jun-2012 06:37 PM
Status: Open
Resolved:
Product:
Product Version:
Classification:
Reproducible:
26-Jun-2012 06:37 PM Alexander Potapenko:

Summary:
After the default CFAllocator is replaced with any other (a legal operation described in the reference: https://developer.apple.com/library/mac/#documentation/CoreFOundation/Reference/CFAllocatorRef/Reference/reference.html) the standard malloc implementation starts to report invalid frees.

Steps to Reproduce:
$ cat t.mm
#import <Foundation/Foundation.h>

int main() {
#ifdef REPLACE
  CFAllocatorSetDefault(kCFAllocatorMallocZone);
#endif
  NSURL *base = [[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];
  NSURL *u = [[NSURL alloc] initWithString:@"Saved Application State" relativeToURL:base];
  return 0;
}
====================================
$ clang++ t.mm -o t -DREPLACE -framework Foundation -g && ./t
t(47457) malloc: *** error for object 0x10ba14348: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6

Expected Results:
No errors are reported (compare with the same program built with -UREPLACE)

Actual Results:
An invalid free is reported.

Regression:
N/A

Notes:
This happens because _CFRuntimeCreateInstance (which is called from CFURLAlloc) checks whether the supplied allocator is kCFAllocatorSystemDefault and, if it is not, stores the allocator reference at the beginning of the allocated memory and returns the pointer to the allocated memory plus sizeof(CFAllocatorRef). See http://www.opensource.apple.com/source/CF/CF-550/CFRuntime.c for the reference.

To the best of my knowledge, _CFRelease (see CFRuntime.c again) is the only function that checks for the presence of the allocator reference at the beginning of the memory block, but it isn't called while destroying the object.

26-Jun-2012 06:38 PM Alexander Potapenko:
http://code.google.com/p/address-sanitizer/issues/detail?id=70 contains some information about this bug manifesting under AddressSanitizer
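The allocator-header layout the report describes, rebuilt as an added, self-contained C example (this is not code from the report, from CF, or from Apple). A mock create_instance() mimics what the report says CF-550's _CFRuntimeCreateInstance does: when the allocator is not the system default it stores the allocator reference at the start of the block and hands back base plus sizeof(pointer). A tiny tracking zone records every base pointer it allocates and rejects frees of anything else, the way libmalloc reports "pointer being freed was not allocated". Two release paths are compared: release_aware() rebases like the _CFRelease path, release_naive() frees the object pointer directly. The allocator handles (kSystemDefault, kMallocZone), the zone, and all function names are hypothetical stand-ins, not CF API.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for CF allocator handles (not the real CF objects). */
typedef struct allocator { const char *name; } allocator_t;
static allocator_t kSystemDefault = { "kCFAllocatorSystemDefault (stand-in)" };
static allocator_t kMallocZone    = { "kCFAllocatorMallocZone (stand-in)" };

/* Tracking zone: remembers the base pointer of every live block so zone_free()
 * can tell a real base from a pointer into the middle of a block. */
#define MAX_LIVE 64
static void  *live[MAX_LIVE];
static size_t n_live;

static void *zone_alloc(size_t size) {
    if (n_live == MAX_LIVE) return NULL;
    void *p = malloc(size);
    if (p) live[n_live++] = p;
    return p;
}

/* 0 on success, -1 if p was never handed out by zone_alloc() (libmalloc's
 * "pointer being freed was not allocated" condition). */
static int zone_free(void *p) {
    for (size_t i = 0; i < n_live; i++) {
        if (live[i] == p) {
            live[i] = live[--n_live];
            free(p);
            return 0;
        }
    }
    return -1;
}

/* Mirrors the layout the report attributes to _CFRuntimeCreateInstance:
 * a non-default allocator gets a header holding the allocator reference, and
 * the object pointer is the block base plus sizeof(allocator_t *). */
static void *create_instance(allocator_t *alloc, size_t payload) {
    int    prefixed = (alloc != &kSystemDefault);
    size_t extra    = prefixed ? sizeof(allocator_t *) : 0;
    char  *base     = zone_alloc(extra + payload);
    if (!base) return NULL;
    if (prefixed) memcpy(base, &alloc, sizeof alloc);   /* store the ref */
    memset(base + extra, 0, payload);
    return base + extra;
}

/* Reads the allocator reference back out of a prefixed object's header. */
static allocator_t *stored_allocator(void *obj) {
    allocator_t *a;
    memcpy(&a, (char *)obj - sizeof(allocator_t *), sizeof a);
    return a;
}

/* The _CFRelease-style path: rebase to the block start when a header exists. */
static int release_aware(void *obj, allocator_t *alloc) {
    char *base = (char *)obj;
    if (alloc != &kSystemDefault) base -= sizeof(allocator_t *);
    return zone_free(base);
}

/* A deallocation path that forgets the header and frees the object pointer
 * itself; correct only when the allocator is the system default. */
static int release_naive(void *obj) {
    return zone_free(obj);
}

/* Creates one object with the given allocator and releases it via the chosen
 * path; returns the free result (0 ok, -1 invalid free). A failed naive free
 * is cleaned up with the aware path so the zone is left empty. */
static int run_scenario(allocator_t *alloc, int use_naive) {
    void *obj = create_instance(alloc, 32);
    if (!obj) return -2;
    int rc = use_naive ? release_naive(obj) : release_aware(obj, alloc);
    if (rc != 0) release_aware(obj, alloc);
    return rc;
}

int main(void) {
    printf("default allocator, naive free : %d\n", run_scenario(&kSystemDefault, 1));
    printf("malloc-zone allocator, naive  : %d\n", run_scenario(&kMallocZone, 1));
    printf("malloc-zone allocator, aware  : %d\n", run_scenario(&kMallocZone, 0));
    return 0;
}
```

The second line of output reproduces the report's failure mode in miniature: the object pointer is sizeof(CFAllocatorRef) past the block start, so a release path that does not know about the header hands the allocator a pointer it never returned. With the default allocator there is no header and the naive path happens to work, which is why the bug only surfaces after CFAllocatorSetDefault().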