ASSERT: common\alloc.c:1197: is_entirely_in_heap_region(start, end) (heap data struct inconsistency)

[derekbruening]

From [email protected] on August 12, 2010 08:42:01

1. Download base_unittests.exe attached to https://code.google.com/p/dynamorio/issues/detail?id=251 2) drmemory.exe -- base_unittests
   -> asserts right away.
   Looks like it doesn't support something done during googletest startup.

This happens on both r35 and v1.2.1 downloaded from here.

I'll continue using r33 until this is fixed.

Original issue: http://code.google.com/p/drmemory/issues/detail?id=23

[derekbruening]

From [email protected] on August 13, 2010 05:00:36

Smaller repro with source code:
(from Cygwin which is run from VS command prompt):
svn checkout http://data-race-test.googlecode.com/svn/trunk/ data-race-test
cd data-race-test/unittest
make
-> will produce data-race-test/unittest/bin/memory_unittest-windows-x86-O0.exe
drmemory.exe -- data-race-test\unittest\bin\memory_unittest-windows-x86-O0.exe
...
ASSERT ...(...): ...\common\alloc.c:1082: is_entirely_in_heap_region(start, end) (heap data struct inconsistency)

[derekbruening]

From [email protected] on August 13, 2010 05:51:37

The attached binary shows "_BLOCK_TYPE_IS_VALID(pHead->nBlockUse)" Abort/Retry/Ignore window under Dr.Memory (v1.2.1 downloaded from here) on Win XP 32-bit.
The binary is built using the steps described in comment #1 with all tests except "NonGtestTests.All" deleted from memory_unittests.cc

The binary passes if run natively or under r33 .

[derekbruening]

From [email protected] on August 13, 2010 06:14:15

<attached again - last time it has failed for unknown reason>
Also added a couple of debug-printfs.
The first "AAA" printf is located at the beginning of main().

Attachment: memory_unittest.zip

[derekbruening]

From [email protected] on August 13, 2010 07:35:27

A similar crash is reproducible on a simlple googletest unittest, see issue #26 .

Probably, it's worth fixing issue #26 as a first step.

Labels: -Priority-Critical Priority-High

[derekbruening]

From [email protected] on August 23, 2010 05:49:33

This has gone away with the issue #26 fix.
Thank you!

Status: Duplicate
Mergedinto: 26

[derekbruening]

From [email protected] on August 23, 2010 06:23:11

Sorry, my mistake - the assert is still present on the old base_unittests binary (from dr issue #251 )

Status: Accepted
Mergedinto: -26

[derekbruening]

From [email protected] on August 23, 2010 08:12:18

I've been running the issue #251 binary on XPSP2 and have not seen this. Per your initial comment this happens right up front?

can you run with "-verbose 2 -pause_at_assert", attach windbg at the assert, point it at the symbols (since drmemorylib.dll isn't on the loader list), get the address of the malloc in question, and then look in the logfile for "adding heap region" and "removing heap region" entries and figure out where the malloc sits in relation to the heap regions known to DrMem?

to set symbols in windbg:
.sympath c:\my\drmemory\dir\bin\debug
.reload drmemory.dll=10000000

[derekbruening]

From [email protected] on August 23, 2010 08:56:33

Now it passes the initial phase but then fails inside tests (example: MessageLoopTest.RecursiveDenial1)

For the record, my XP is SP3.

I'll try these flags and windbg now.

Summary: ASSERT: common\alloc.c:1197: is_entirely_in_heap_region(start, end) (heap data struct inconsistency)

[derekbruening]

From [email protected] on August 23, 2010 10:11:16

I'm not familiar with windbg yet, so I've just patched the sources locally to print 'start' and 'end':
(also I've removed "??:0" lines from the output)

inside heap routine: adding nop-if-mem-unaddr checks
in event_basic_block(tag=0x5ad8bf83)
inside heap routine: adding nop-if-mem-unaddr checks
exiting heap routine: NOT adding nop-if-mem-unaddr checks
leaving alloc routine 0x77c2c407 malloc
malloc-post 0x00f717f8-0x00f71878 = 0x80 (really 0x00f717f0-0x00f71888 0x98)
malloc-post changing from 0x00f717f0 to 0x00f717f8
@@@ unique callstack #10920
WARNING: unable to load symbols for C:\Windows\system32\uxtheme.dll
0x5ad8bf83 <UxTheme.dll+0x1bf83> UxTheme.dll!GetThemeTextMetrics
0x5ad7165e <UxTheme.dll+0x165e> UxTheme.dll!?
0x7c90118a <ntdll.dll+0x118a> ntdll.dll!LdrInitializeThunk
0x7c91c4fa <ntdll.dll+0x1c4fa> ntdll.dll!LdrFindResourceDirectory_U
0x7c916371 <ntdll.dll+0x16371> ntdll.dll!RtlValidateUnicodeString
0x7c9164d3 <ntdll.dll+0x164d3> ntdll.dll!LdrLoadDll
0x7c801bbd <KERNEL32.dll+0x1bbd> KERNEL32.dll!LoadLibraryExW
0x7e428055 <USER32.dll+0x18055> USER32.dll!GetGUIThreadInfo
0x7c90e473 <ntdll.dll+0xe473> ntdll.dll!KiUserCallbackDispatcher
0x7e42e442 <USER32.dll+0x1e442> USER32.dll!GetScrollInfo
0x7e42d0d6 <USER32.dll+0x1d0d6> USER32.dll!CreateWindowExW
0x007361aa <base_unittests.exe+0x3361aa> base_unittests.exe!base::MessagePumpForUI::InitMessageWnd
c:\users\timurrrr\desktop\chromium\src\base\message_pump_win.cc:249
...
is_entirely_in_heap_region(start=0x00f717f8, end=0x00f71878) failed!

[derekbruening]

From [email protected] on August 23, 2010 10:14:23

$ grep "heap region" <global.log>
adding heap region 0x00160000-0x00260000 arena
adding heap region 0x00160000-0x00260000
set heap region 0x00160000-0x00260000 Heap to 0x00160000
adding heap region 0x00260000-0x00270000 arena
adding heap region 0x00260000-0x00270000
set heap region 0x00260000-0x00270000 Heap to 0x00260000
adding heap region 0x00270000-0x00280000 arena
adding heap region 0x00270000-0x00280000
set heap region 0x00270000-0x00280000 Heap to 0x00270000
adding heap region 0x00350000-0x00360000 arena
adding heap region 0x00350000-0x00360000
set heap region 0x00350000-0x00360000 Heap to 0x00350000
adding heap region 0x00380000-0x00390000 arena
adding heap region 0x00380000-0x00390000
set heap region 0x00380000-0x00390000 Heap to 0x00380000
adding heap region 0x003e0000-0x003f0000 arena
adding heap region 0x003e0000-0x003f0000
set heap region 0x003e0000-0x003f0000 Heap to 0x003e0000
adding heap region 0x011f0000-0x01200000 arena
adding heap region 0x011f0000-0x01200000
set heap region 0x011f0000-0x01200000 Heap to 0x011f0000
adding heap region 0x01220000-0x01230000 arena
adding heap region 0x01220000-0x01230000
set heap region 0x01220000-0x01230000 Heap to 0x01220000
adding heap region 0x01500000-0x01600000 arena
adding heap region 0x01500000-0x01600000
set heap region 0x01500000-0x01600000 Heap to 0x01500000
adding heap region 0x01f00000-0x01f10000 arena
adding heap region 0x01f00000-0x01f10000
set heap region 0x01f00000-0x01f10000 Heap to 0x01f00000
adding heap region 0x02ee0000-0x02fe0000 arena
adding heap region 0x02ee0000-0x02fe0000

[derekbruening]

From [email protected] on August 23, 2010 10:29:05

can you attach the global.*.log (compress it to save space)

[derekbruening]

From [email protected] on August 23, 2010 11:36:04

Sure.

Attachment: 23.zip

[derekbruening]

From [email protected] on August 23, 2010 13:59:45

intercepting malloc @0x77c2c407 size_func=0x77c2bf6c in module msvcrt.dll

grep 0x00f global.6868.log
initial unknown committed region 0x00f70000-0x00f78000
set range 0x00f70000-0x00f78000 => 0x0
replacing shadow special 0x25dc0200 block for write @0x00f70000 0
malloc-post 0x00f717f8-0x00f71878 = 0x80 (really 0x00f717f0-0x00f71888 0x98)
malloc-post changing from 0x00f717f0 to 0x00f717f8
start=0x00f717f8, end=0x00f71878

grep -E '^entering|^leaving|^ASSERT' global.6868.log | tail
entering alloc routine 0x7c9100c4 RtlAllocateHeap direct pre-retaddr
leaving alloc routine 0x7c9100c4 RtlAllocateHeap
entering alloc routine 0x7c90ff2d RtlFreeHeap direct pre-retaddr
leaving alloc routine 0x7c90ff2d RtlFreeHeap
entering alloc routine 0x7c9100c4 RtlAllocateHeap direct pre-retaddr
leaving alloc routine 0x7c9100c4 RtlAllocateHeap
entering alloc routine 0x77c2c407 malloc indirect pre-retaddr
entering heap routine: adding nop-if-mem-unaddr checks
leaving alloc routine 0x77c2c407 malloc
ASSERT FAILURE (thread 7600): Z:\drmemory\GIT_SVN\common\alloc.c:1200: should_be_true (heap data struct inconsistency)

grep '^walking heap' global.6868.log
walking heap 0 0x00160000
walking heap 1 0x00260000
walking heap 2 0x00270000
walking heap 3 0x00350000
walking heap 4 0x00380000
walking heap 5 0x003e0000
walking heap 6 0x011f0000
walking heap 7 0x01220000
walking heap 8 0x01500000

grep '^initial unk' global.6868.log
initial unknown committed region 0x00150000-0x00151000
initial unknown committed region 0x00360000-0x00361000
initial unknown committed region 0x00370000-0x00371000
initial unknown committed region 0x00f70000-0x00f78000
initial unknown committed region 0x01170000-0x01171000
initial unknown committed region 0x01260000-0x01261000
initial unknown committed region 0x01270000-0x01271000
initial unknown committed region 0x01280000-0x01281000
initial unknown committed region 0x01290000-0x01291000
initial unknown committed region 0x012a0000-0x012a1000
initial unknown committed region 0x01600000-0x01700000
initial unknown committed region 0x01700000-0x01900000
initial unknown committed region 0x01900000-0x01987000
initial unknown committed region 0x01990000-0x01a10000
initial unknown committed region 0x01a20000-0x01b49000
initial unknown committed region 0x01b4a000-0x01b51000
initial unknown committed region 0x01b52000-0x01b8c000
initial unknown committed region 0x01b8d000-0x01e20000
initial unknown committed region 0x01e20000-0x01ef8000
initial unknown committed region 0x01f10000-0x02010000
initial unknown committed region 0x02010000-0x02092000
initial unknown committed region 0x020a0000-0x026e0000
initial unknown committed region 0x026e0000-0x02ee0000
initial unknown committed region 0x03120000-0x03287000
initial unknown committed region 0x03288000-0x03302000
initial unknown committed region 0x03305000-0x0330b000
initial unknown committed region 0x04120000-0x04306000
initial unknown committed region 0x04320000-0x043b4000
initial unknown committed region 0x04650000-0x0482a000
initial unknown committed region 0x04830000-0x04b2e000
initial unknown committed region 0x04b30000-0x04efb000
initial unknown committed region 0x04f30000-0x0506e000

PROBLEMS:

1. what are all these unknown regions: and how many are heaps?
   they didn't show up in the Rtl heap iteration.
   w/ early injection what would their allocs look like?
   w/o early injection how can drmem find them?
2. this malloc came straight from msvcrt w/ no call to Rtl...have we seen
   that before (other than cygwin)?
   the call is a plain libc malloc call. what makes it decide to use its
   private heap rather than call into Rtl?

[derekbruening]

From [email protected] on August 24, 2010 05:35:13

(How) Can I provide some additional info/logs?

[derekbruening]

From [email protected] on August 24, 2010 08:41:45

my testing has all been on 64-bit XPSP2. let me find a 32-bit XPSP3 (I assume yours is 32-bit? there is no 64-bit XPSP3 I don't think) and try to repro. this is big enough I would like to have it in front of me.

[derekbruening]

From [email protected] on August 24, 2010 13:02:11

Yes, my XP SP3 is 32-bit running inside VMware player.
Looking forward for the results!

[derekbruening]

From [email protected] on August 25, 2010 22:00:35

I still can't reproduce the assert. I have an XPSP3 VM (Version 5.1.2600 Service Pack 3 Build 2600). When I run the full test list I hit this assert which I will file separately:

[----------] 4 tests from WMIUtilTest
[ RUN ] WMIUtilTest.TestLocalConnectionSecurityBlanket
:::Dr.Memory::: ASSERT FAILURE (thread 134248): E:/derek/dr/win32/oss-clients/drmemory/drmemory/readwrite.c:2564: addr + sz > addr (address overflow)

After fixing that, the full test list aborts at:
Now ends with:
[----------] 3 tests from FileVersionInfoTest
[ RUN ] FileVersionInfoTest.HardCodedProperties
Assertion failed: ptr_ != NULL, file c:\Users\timurrrr\Desktop\chromium\src\base/scoped_ptr.h, line 93
Is "--gtest_catch_exceptions" how you continue beyond asserts?)

If I explicitly run MessageLoopTest*, they all succeed

[derekbruening]

From [email protected] on August 26, 2010 02:54:13

Can you please publish the fix for WMIUtilTest.TestLocalConnectionSecurityBlanket ?

You can skip FileVersion tests by using --gtest_filter="-FileVersion*" as they fail when run natively as well

[derekbruening]

From [email protected] on August 26, 2010 03:24:07

On my machine, the base_unittests from dr issue #251 pass WITHOUT Dr.Memory with
--gtest_filter="-FileVersion*:ProcessUtilTest.GetAppOutput:ReadOnlyFileUtilTest.ContentsEqual:ReadOnlyFileUtilTest.TextContentsEqual:DataPackTest.Load"

[derekbruening]

From [email protected] on August 26, 2010 07:58:17

I still can't reproduce the assert.
Could this because of AV software installed on my machine?
I think I've disabled it but you know you can't be 100% sure on Windows :)

[derekbruening]

From [email protected] on August 26, 2010 18:07:37

Can you please publish the fix for WMIUtilTest.TestLocalConnectionSecurityBlanket ?

Still working on generalizing it since I hit it in another form. Filed as issue #35 .
Are you seeing it too?

Could this because of AV software installed on my machine?
I think I've disabled it but you know you can't be 100% sure on Windows :)

It is present:
module load event: "sophos_detoured.dll" 0x6fa00000-0x6fa3e000

First let's see whether our msvcrt.dll versions are different.

Here's mine, from windbg:
0:001> lm vm msvcrt
start end module name
77c10000 77c68000 msvcrt (deferred)
Image path: C:\WINDOWS\system32\msvcrt.dll
Image name: msvcrt.dll
Timestamp: Sun Apr 13 17:12:56 2008 (4802A188)
CheckSum: 00057341
ImageSize: 00058000
File version: 7.0.2600.5512
Product version: 6.1.8638.5512
File flags: 0 (Mask 3F)
File OS: 40004 NT Win32
File type: 1.0 App
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
InternalName: msvcrt.dll
OriginalFilename: msvcrt.dll
ProductVersion: 7.0.2600.5512
FileVersion: 7.0.2600.5512 (xpsp.080413-2111)
FileDescription: Windows NT CRT DLL
LegalCopyright: © Microsoft Corporation. All rights reserved.

What version do you have?

[derekbruening]

From [email protected] on August 27, 2010 03:16:55

I got exactly the same results for "lm vm msvcrt".

[derekbruening]

From [email protected] on August 27, 2010 05:32:20

I've reproduced the original assert on the Chromium bot (without AV) on media tests:

$ drmemory.exe media_unittests --gtest_filter="*NoStreams"
...
[==========] Running 2 tests from 2 test cases.
[----------] Global test environment set-up.
[----------] 1 test from PipelineImplTest
[ RUN ] PipelineImplTest.NoStreams
05:27:49 common.py [INFO] process ended, did not time out
...
05:27:49 common.py [ERROR] C:\b\slave\chromium-dbg-win-drmemory\build\src\tools\valgrind....\third_party\drmemory\unpacked\exports32\bin\drmemory.exe exited with non-zero result code -1
...
05:27:49 drmemory_analyze.py [ERROR]
ASSERT FAILURE (thread 5064): C:\DELETEME\drmemory\common\alloc.c:1197: is_entirely_in_heap_region(start, end) (heap data struct inconsistency)

The media_unittests binary takes 13Mb in .zip so I'll send it to you via e-mail

[derekbruening]

From [email protected] on August 29, 2010 12:03:30

hmmm it works for me, with or without icudt42.dll in the dir:

C:\derek\media\build\Debug>c:\derek\DrMemory-Windows-1.2.1-1\bin\drmemory.exe -pause_at_assert -- media_unittests.exe --gtest_filter="*NoStreams"
:::Dr.Memory::: Dr. Memory version 1.2.2
:::Dr.Memory::: options are "-pause_at_assert -logdir c:\derek\DrMemory-Windows-1.2.1-1/drmemory/logs -resfile_out "
:::Dr.Memory::: log dir is c:\derek\DrMemory-Windows-1.2.1-1/drmemory/logs/DrMemory-media_unittests.exe.131504.000
Note: Google Test filter = *NoStreams
[==========] Running 2 tests from 2 test cases.
[----------] Global test environment set-up.
[----------] 1 test from PipelineImplTest
[ RUN ] PipelineImplTest.NoStreams
[ OK ] PipelineImplTest.NoStreams (4344 ms)
[----------] 1 test from PipelineImplTest (4375 ms total)

[----------] 1 test from FFmpegDemuxerTest
[ RUN ] FFmpegDemuxerTest.Initialize_NoStreams
[ OK ] FFmpegDemuxerTest.Initialize_NoStreams (3578 ms)
[----------] 1 test from FFmpegDemuxerTest (3578 ms total)

[----------] Global test environment tear-down
[==========] 2 tests from 2 test cases ran. (8250 ms total)
[ PASSED ] 2 tests.

YOU HAVE 1 DISABLED TEST

:::Dr.Memory::: ERRORS FOUND:
:::Dr.Memory::: 0 unique, 0 total unaddressable access(es)
:::Dr.Memory::: 96 unique, 644 total uninitialized access(es)
:::Dr.Memory::: 0 unique, 0 total invalid heap argument(s)
:::Dr.Memory::: 0 unique, 0 total warning(s)
:::Dr.Memory::: 1 total, 748 byte(s) of leak(s)
:::Dr.Memory::: (re-run with "-check_leaks" for details)
:::Dr.Memory::: 0 total, 0 byte(s) of possible leak(s)
:::Dr.Memory::: (re-run with "-check_leaks -possible_leaks" for details)
:::Dr.Memory::: ERRORS IGNORED:
:::Dr.Memory::: 0 suppressed error(s)
:::Dr.Memory::: 0 suppressed leak(s)
:::Dr.Memory::: 338 ignored assumed-innocuous system leak(s)
:::Dr.Memory::: 267 still-reachable allocation(s)
:::Dr.Memory::: (re-run with "-check_leaks -show_reachable" for details)
:::Dr.Memory::: 0 error(s) beyond -report_max
:::Dr.Memory::: 0 leak(s) beyond -report_leak_max
:::Dr.Memory::: Details: c:\derek\DrMemory-Windows-1.2.1-1/drmemory/logs/DrMemory-media_unittests.exe.131504.000/results.txt