A bug in _CFRuntimeCreateInstance leads to invalid pointers being freed.

Originator: ramosian.glider
Number: rdar://11748863
Date Originated: 26-Jun-2012 06:37 PM
Status: Open
Resolved:
Product:
Product Version:
Classification:
Reproducible:
 
26-Jun-2012 06:37 PM Alexander Potapenko:
Summary:
After the default CFAllocator is replaced with any other (a legal operation described in the reference: https://developer.apple.com/library/mac/#documentation/CoreFOundation/Reference/CFAllocatorRef/Reference/reference.html) the standard malloc implementation starts to report invalid frees.

Steps to Reproduce:

$ cat t.mm
#import <Foundation/Foundation.h>
int main() {
#ifdef REPLACE
  // Replace the default CFAllocator with the malloc-zone allocator; the
  // CFAllocatorRef reference documents this as a legal operation.
  CFAllocatorSetDefault(kCFAllocatorMallocZone);
#endif
  // Creating a relative NSURL goes through CFURLAlloc, and hence through
  // _CFRuntimeCreateInstance, with the replaced default allocator.
  NSURL *base = [[NSURL alloc] initWithString:@"file://localhost/Users/glider/Library/"];
  NSURL *u = [[NSURL alloc] initWithString:@"Saved Application State" relativeToURL:base];
  return 0;
}
====================================

$ clang++ t.mm -o t -DREPLACE -framework Foundation -g && ./t
t(47457) malloc: *** error for object 0x10ba14348: pointer being freed was not allocated
*** set a breakpoint in malloc_error_break to debug
Abort trap: 6



Expected Results:
No errors are reported (compare with the same program built with -UREPLACE)

Actual Results:
An invalid free is reported.

Regression:
N/A

Notes:

This happens because _CFRuntimeCreateInstance (which is called from
CFURLAlloc) checks whether the supplied allocator is
kCFAllocatorSystemDefault and, if it is not, stores the allocator
reference at the beginning of the allocated memory and returns the
pointer to the allocated memory plus sizeof(CFAllocatorRef). See
http://www.opensource.apple.com/source/CF/CF-550/CFRuntime.c for the
reference.


To the best of my knowledge, _CFRelease (see CFRuntime.c again) is the
only function that checks for the presence of the allocator reference
at the beginning of the memory block, but it isn't called while
destroying the object.


26-Jun-2012 06:38 PM Alexander Potapenko:
http://code.google.com/p/address-sanitizer/issues/detail?id=70 contains some information about this bug manifesting under AddressSanitizer
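The following is an added, stand-alone C model of the layout the notes above describe; it is not Apple's code and not the reporter's, and the type and function names (toy_allocator, create_instance, release_with_check, release_without_check, tracked_alloc) are stand-ins chosen for this illustration. It reserves room for an allocator reference in front of every object created with a non-default allocator and returns the address just past it, then compares a release path that steps back over that prefix (as _CFRelease does) with one that frees the object pointer directly. A small bookkeeping table plays the role of libmalloc's "pointer being freed was not allocated" check, so the invalid free is reported as a return value instead of an abort.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Toy model of the CF-550 _CFRuntimeCreateInstance / _CFRelease layout
   described in the report. Added example; not Apple's code and not the
   reporter's. All names below are stand-ins chosen here. */

typedef struct toy_allocator { const char *name; } toy_allocator;

/* Stand-ins for kCFAllocatorSystemDefault and for a replacement default
   allocator such as kCFAllocatorMallocZone. */
static toy_allocator system_default_alloc = { "system default" };
static toy_allocator replacement_alloc    = { "replacement" };

/* Bookkeeping that mirrors what libmalloc does when it reports
   "pointer being freed was not allocated": remember every base pointer
   handed out, and refuse to free any other address. */
#define MAX_LIVE 64
static void *live[MAX_LIVE];

static void *tracked_alloc(size_t n) {
    void *p = malloc(n);
    if (!p) return NULL;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = p; return p; }
    }
    free(p);
    return NULL;
}

/* 1 = p was a live base pointer and has been freed; 0 = invalid free. */
static int tracked_free(void *p) {
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == p) { live[i] = NULL; free(p); return 1; }
    }
    return 0;
}

/* Minimal stand-in for CFRuntimeBase: CF keeps a "uses the system default
   allocator" bit in the object header, and that bit is all the release
   path needs to decide where the real base pointer is. */
typedef struct toy_base {
    unsigned uses_system_default : 1;
    char payload[32];
} toy_base;

/* Model of _CFRuntimeCreateInstance: with a non-default allocator, reserve
   sizeof(allocator ref) in front of the object, store the ref there, and
   hand back the address just past it. */
static toy_base *create_instance(toy_allocator *allocator) {
    int uses_default = (allocator == NULL || allocator == &system_default_alloc);
    size_t size = sizeof(toy_base) + (uses_default ? 0 : sizeof(toy_allocator *));
    char *mem = tracked_alloc(size);
    if (!mem) return NULL;
    if (!uses_default) {
        *(toy_allocator **)mem = allocator;   /* ref lives before the object */
        mem += sizeof(toy_allocator *);       /* caller never sees the prefix */
    }
    toy_base *obj = (toy_base *)mem;
    memset(obj, 0, sizeof *obj);
    obj->uses_system_default = uses_default ? 1 : 0;
    return obj;
}

/* Model of CFGetAllocator: read the ref stored in front of the object. */
static toy_allocator *allocator_of(toy_base *obj) {
    if (obj->uses_system_default) return &system_default_alloc;
    return *(toy_allocator **)((char *)obj - sizeof(toy_allocator *));
}

/* Model of the check in _CFRelease: step back over the prefix before freeing. */
static int release_with_check(toy_base *obj) {
    void *base = obj->uses_system_default
               ? (void *)obj
               : (void *)((char *)obj - sizeof(toy_allocator *));
    return tracked_free(base);
}

/* A destruction path that skips that check and frees the object pointer
   itself. Fine for the default allocator; with a replaced default allocator
   it hands an interior pointer to free, which is the report's symptom. */
static int release_without_check(toy_base *obj) {
    return tracked_free(obj);
}

int main(void) {
    toy_base *a = create_instance(&system_default_alloc);
    printf("default allocator, free(obj):                  %s\n",
           release_without_check(a) ? "ok" : "INVALID FREE");

    toy_base *b = create_instance(&replacement_alloc);
    printf("%s allocator, free(obj):              %s\n", allocator_of(b)->name,
           release_without_check(b) ? "ok" : "INVALID FREE");
    printf("%s allocator, _CFRelease-style free:  %s\n", allocator_of(b)->name,
           release_with_check(b) ? "ok" : "INVALID FREE");
    return 0;
}
```

The interesting case is the second object: freeing the pointer the caller holds is rejected because the allocation actually starts one pointer-size earlier, while the release path that knows about the prefix frees cleanly. Under AddressSanitizer the same mismatch shows up as a free on an address that was not the start of a malloc'ed block.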
