compile script:
#!/bin/bash
# Builds test/cctest/test-backing-store.cc against an existing V8 build
# (with AddressSanitizer enabled) and links it with the cctest harness
# objects from that build directory.
if [ "$1" != "" ]; then
out_dir="$1"
else
echo "Please specify a v8 build directory: $0 out/dir"
exit 2
fi
echo "V8 build directory: ${out_dir}"
# -fsanitize=address instruments the test itself; the V8 libraries in
# ${out_dir} must have been built with ASan as well for the report below.
g++ -fsanitize=address -Wall -g -O0 test/cctest/test-backing-store.cc \
-o backingstore_test \
${out_dir}/obj/test/cctest/cctest/cctest.o \
${out_dir}/obj/test/cctest/cctest_sources/print-extension.o \
${out_dir}/obj/test/cctest/cctest_sources/profiler-extension.o \
${out_dir}/obj/test/cctest/cctest_sources/trace-extension.o \
-std=c++14 -fno-exceptions -fno-rtti -Wcast-function-type \
-Wno-unused-variable -Wno-class-memaccess -Wno-comment \
-Wno-unused-but-set-variable -DV8_COMPRESS_POINTERS \
-DV8_INTL_SUPPORT -DDEBUG \
-I./include -I./ -I./third_party/icu/source/common/ \
-I./${out_dir}/gen -L./${out_dir} -lv8 -lv8_libplatform -lv8_libbase \
-lv8_for_testing -lv8_debug_helper -Wl,-L./${out_dir} \
-Wl,-rpath,./${out_dir} -Wl,-lstdc++ -Wl,-lpthread
echo "Run the test using the following command:"
echo -n "./backingstore_test --test "
echo "test-backing-store/BackingStoreWithDeleter"
Then compile test/cctest/test-backing-store.cc:
$ git co master
$ git show backingstore-asan:test/cctest/test-backing-store.cc > test/cctest/test-backing-store.cc
$ ./compile-backingstore-cctest.sh out/main_with_sanitizer/
V8 build directory: out/main_with_sanitizer/
Run the test using the following command:
./backingstore_test --test test-backing-store/BackingStoreWithDeleter
Run the test to produce the ASan error:
$ ./backingstore_test --test test-backing-store/BackingStoreWithDeleter
=================================================================
==851678==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x604000007b50 in thread T0:
object passed to delete has wrong type:
size of the allocated type: 48 bytes;
size of the deallocated type: 1 bytes.
#0 0x7f04b004c175 in operator delete(void*, unsigned long) (/lib64/libasan.so.5+0x111175)
#1 0x418754 in std::default_delete<v8::BackingStore>::operator()(v8::BackingStore*) const (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x418754)
#2 0x419a9c in std::_Sp_counted_deleter<v8::BackingStore*, std::default_delete<v8::BackingStore>, std::allocator<void>, (__gnu_cxx::_Lock_policy)2>::_M_dispose() (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x419a9c)
#3 0x417d96 in std::_Sp_counted_base<(__gnu_cxx::_Lock_policy)2>::_M_release() (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x417d96)
#4 0x41685f in std::__shared_count<(__gnu_cxx::_Lock_policy)2>::~__shared_count() (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x41685f)
#5 0x7f04aa685f1d in std::__shared_ptr<v8::internal::BackingStore, (__gnu_cxx::_Lock_policy)2>::~__shared_ptr() (out/main_with_sanitizer/libv8.so+0x3cf5f1d)
#6 0x7f04aa591ed7 in std::shared_ptr<v8::internal::BackingStore>::~shared_ptr() (out/main_with_sanitizer/libv8.so+0x3c01ed7)
#7 0x7f04ac25e494 in v8::internal::JSArrayBuffer::Detach(bool) (out/main_with_sanitizer/libv8.so+0x58ce494)
#8 0x7f04aa4fd53f in v8::ArrayBuffer::Detach() (out/main_with_sanitizer/libv8.so+0x3b6d53f)
#9 0x413d4e in TestBackingStoreWithDeleter test/cctest/test-backing-store.cc:106
#10 0x41a4ae in CcTest::Run() (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x41a4ae)
#11 0x41e8b9 in main (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x41e8b9)
#12 0x7f04986fd1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
#13 0x412bdd in _start (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x412bdd)
0x604000007b50 is located 0 bytes inside of 48-byte region [0x604000007b50,0x604000007b80)
allocated by thread T0 here:
#0 0x7f04b004aa97 in operator new(unsigned long) (/lib64/libasan.so.5+0x10fa97)
#1 0x7f04abdd1b4a in v8::internal::BackingStore::WrapAllocation(void*, unsigned long, void (*)(void*, unsigned long, void*), void*, v8::internal::SharedFlag) (out/main_with_sanitizer/libv8.so+0x5441b4a)
#2 0x7f04aa4ff6f3 in v8::ArrayBuffer::NewBackingStore(void*, unsigned long, void (*)(void*, unsigned long, void*), void*) (out/main_with_sanitizer/libv8.so+0x3b6f6f3)
#3 0x413c7f in TestBackingStoreWithDeleter test/cctest/test-backing-store.cc:103
#4 0x41a4ae in CcTest::Run() (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x41a4ae)
#5 0x41e8b9 in main (/home/danielbevenius/work/google/v8_src/v8/backingstore_test+0x41e8b9)
#6 0x7f04986fd1a2 in __libc_start_main (/lib64/libc.so.6+0x271a2)
SUMMARY: AddressSanitizer: new-delete-type-mismatch (/lib64/libasan.so.5+0x111175) in operator delete(void*, unsigned long)
==851678==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
==851678==ABORTING
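The report says the object was allocated as a 48-byte type (v8::internal::BackingStore, in WrapAllocation) but deleted through std::default_delete<v8::BackingStore>, whose type is 1 byte. The following is an added example, not V8 code: a minimal model of that pattern, with a hypothetical empty public handle type (PublicStore) standing in for v8::BackingStore and a hypothetical internal::Store standing in for v8::internal::BackingStore. It shows the mismatched delete that ASan flags, and the fix of owning the object as its complete type and sharing the control block with the public view through shared_ptr's aliasing constructor.

```cpp
#include <cassert>
#include <cstddef>
#include <cstdio>
#include <memory>

// Hypothetical stand-in for the opaque public handle (v8::BackingStore):
// an empty class, so sizeof(PublicStore) == 1 and its destructor is trivial.
class PublicStore {};

namespace internal {
// Hypothetical stand-in for the real object (v8::internal::BackingStore),
// which owns resources and is much larger than the public handle.
class Store {
 public:
  explicit Store(std::size_t len) : buffer_(new unsigned char[len]()), length_(len) {}
  ~Store() {
    delete[] buffer_;
    ++destructed_count;
  }
  std::size_t length() const { return length_; }
  static int destructed_count;  // lets callers observe that the real destructor ran
 private:
  unsigned char* buffer_;
  std::size_t length_;
};
int Store::destructed_count = 0;
}  // namespace internal

// The public handle is just a reinterpreted view of the internal object.
static PublicStore* ToPublic(internal::Store* s) {
  return reinterpret_cast<PublicStore*>(s);
}

std::size_t AllocatedTypeSize() { return sizeof(internal::Store); }
std::size_t DeallocatedTypeSizeInBuggyPath() { return sizeof(PublicStore); }

// Buggy: a shared_ptr<PublicStore> built from a raw pointer records
// std::default_delete<PublicStore> in its control block, so `delete` sees a
// 1-byte type with a trivial destructor. ~internal::Store never runs (buffer_
// leaks) and sized operator delete receives sizeof(PublicStore), which is
// exactly the new-delete-type-mismatch ASan reports above. Without ASan this
// is undefined behaviour that usually goes unnoticed.
void BuggyRelease() {
  std::shared_ptr<PublicStore> handle(ToPublic(new internal::Store(16)));
  handle.reset();
}

// Correct: own the object as its complete type, then hand out a public view
// that shares the same control block (aliasing constructor). The recorded
// deleter is default_delete<internal::Store>, so the right destructor runs
// and the right size reaches operator delete. Returns the number of
// internal destructors that ran, which should be exactly 1.
int SafeRelease() {
  int before = internal::Store::destructed_count;
  std::shared_ptr<internal::Store> owner(new internal::Store(16));
  std::shared_ptr<PublicStore> handle(owner, ToPublic(owner.get()));
  owner.reset();   // the public handle keeps the object alive
  handle.reset();  // last reference: ~internal::Store runs once
  return internal::Store::destructed_count - before;
}

int main() {
  std::printf("allocated type: %zu bytes, type deleted in buggy path: %zu bytes\n",
              AllocatedTypeSize(), DeallocatedTypeSizeInBuggyPath());
  std::printf("safe release ran %d internal destructor(s)\n", SafeRelease());
  std::printf("triggering the mismatch (ASan aborts here when enabled)\n");
  BuggyRelease();
  return 0;
}
```

Compile with `g++ -std=c++14 -fsanitize=address -g` to see the same new-delete-type-mismatch report as above, with "size of the deallocated type: 1 bytes" coming from sizeof(PublicStore); the safe path passes through silently because the control block was created with the complete type.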
Running the above via lldb will also produce the following message:
(lldb) AddressSanitizer report breakpoint hit. Use 'thread info -s' to get extended information about the report.
Process 852238 stopped
* thread #1, name = 'backingstore_te', stop reason = Deallocation size different from allocation size
frame #0: 0x00007ffff768ce70 libasan.so.5`__asan::AsanDie()
libasan.so.5`__asan::AsanDie:
-> 0x7ffff768ce70 <+0>: endbr64
0x7ffff768ce74 <+4>: mov eax, 0x1
0x7ffff768ce79 <+9>: lock
0x7ffff768ce7a <+10>: xadd dword ptr [rip + 0x883b7], eax ; __asan::AsanDie()::num_calls