AddressSanitizer failed to allocate on iOS devices

[kdbghelp]

Lately when I use Xcode 13.0 to build a sanitizer version of my app, it will crash when the app start:

(lldb) bt
thread #1, stop reason = signal SIGABRT
frame #0: 0x00000001b92159c4 libsystem_kernel.dylib__pthread_kill + 8 frame #1: 0x00000001f2463434 libsystem_pthread.dylibpthread_kill + 268
frame #2: 0x000000018d722f64 libsystem_c.dylibabort + 164 frame #3: 0x0000000103e742f0 libclang_rt.asan_ios_dynamic.dylib__sanitizer::Abort() at sanitizer_posix_libcdep.cpp:143:3
frame #4: 0x0000000103e73d0c libclang_rt.asan_ios_dynamic.dylib__sanitizer::ReserveShadowMemoryRange(beg=12270583808, end=12264275967, name="high shadow", madvise_shadow=true) at sanitizer_common_libcdep.cpp:157:5 frame #5: 0x0000000103e56f24 libclang_rt.asan_ios_dynamic.dylib__asan::InitializeShadowMemory() at asan_shadow_setup.cpp:93:5
frame #6: 0x0000000103e560fc libclang_rt.asan_ios_dynamic.dylib__asan::AsanInitInternal() at asan_rtl.cpp:450:3 frame #7: 0x0000000103e55f74 libclang_rt.asan_ios_dynamic.dylib__asan::AsanInitFromRtl() at asan_rtl.cpp:524:3
frame #8: 0x0000000103e4a320 libclang_rt.asan_ios_dynamic.dylib::wrap_malloc_default_zone() at sanitizer_malloc_mac.inc:86:3 frame #9: 0x0000000194409314 libsystem_malloc.dylib__malloc_init + 724
frame #10: 0x00000001bc649900 libSystem.B.dyliblibSystem_initializer + 184 frame #11: 0x0000000103814794 dyldinvocation function for block in dyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 164
frame #12: 0x0000000103848364 dyldinvocation function for block in dyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 340 frame #13: 0x0000000103812490 dyldinvocation function for block in dyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 532
frame #14: 0x0000000103811698 dylddyld3::MachOFile::forEachLoadCommand(Diagnostics&, void (load_command const*, bool&) block_pointer) const + 168 frame #15: 0x00000001038109f8 dylddyld3::MachOFile::forEachSection(void (dyld3::MachOFile::SectionInfo const&, bool, bool&) block_pointer) const + 192
frame #16: 0x000000010381debc dylddyld3::MachOAnalyzer::forEachInitializer(Diagnostics&, dyld3::MachOAnalyzer::VMAddrConverter const&, void (unsigned int) block_pointer, void const*) const + 516 frame #17: 0x000000010381aa10 dylddyld4::Loader::findAndRunAllInitializers(dyld4::RuntimeState&) const + 172
frame #18: 0x000000010383bc3c dylddyld4::APIs::runAllInitializersForMain() + 48 frame #19: 0x00000001038273ac dylddyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 2820
frame #20: 0x0000000103825a04 dyld`start + 488
==89472==ERROR: AddressSanitizer failed to allocate 0xffffffffff9fc000 (-6307840) bytes at address 2db624000 (errno: 22)

Here is the memory map list:

|| [0x0002db020000, 0x0002d7ffffff] || HighMem ||
|| [0x0002db624000, 0x0002db01ffff] || HighShadow ||
|| [0x0002d0024000, 0x0002db623fff] || ShadowGap ||
|| [0x000280020000, 0x0002d0023fff] || LowShadow ||
|| [0x000000000000, 0x00028001ffff] || LowMem ||
MemToShadow(shadow): 0x0002d0024000 0x0002da0247ff 0x0002db6e4800 0x0002db623fff
redzone=16
max_redzone=2048
quarantine_size_mb=16M
thread_local_quarantine_size_kb=64K
malloc_context_size=30
SHADOW_SCALE: 3
SHADOW_GRANULARITY: 8
SHADOW_OFFSET: 0x280020000

It seems like the memory map macro in <asan_mapping.h> hadn't check the boundary so kHighMemBeg exceed kHighMemEnd and lead the shadow region to be a negative value:

I have modified some code to debug this problem so the line number may not exactly match the upstream repository. After add some sanity check:

This time I failed with ENOMEM:

I'm not familiar with the iOS kernel, but the memory region seems have plenty free space to allocate 0xdfc000 bytes. Hope someone can give me some hints to fix this.

[kdbghelp]

I am using an iPhone XR iOS 15.0 and memory information about this phone is:

(lldb) p vm_info
(__sanitizer::__sanitizer_task_vm_info) $0 = {
virtual_size = 418017918976
region_count = 101
page_size = 16384
resident_size = 31555584
resident_size_peak = 31555584
device = 0
device_peak = 0
internal = 29491200
internal_peak = 29491200
external = 2064384
external_peak = 0
reusable = 0
reusable_peak = 0
purgeable_volatile_pmap = 0
purgeable_volatile_resident = 0
purgeable_volatile_virtual = 0
compressed = 0
compressed_peak = 32768
compressed_lifetime = 32768
phys_footprint = 29819744
min_address = 4333289472
max_address = 12213813248
}

[kdbghelp]

Ok I figured it out that the ENOMEM error is caused by fixed allocate address passed to mmap exceed the max virtual address. After more sanity check:

And now I can successful finish the ASAN init process, but I still can not run my app. Looks like stack overflow happened in the main thread:

Current stack looks like corrupted:
(lldb) memory read -fA $sp-1000 $sp
0x16bbdaba8: 0x0000000000000000
0x16bbdabb0: 0x0000000000000000
0x16bbdabb8: 0x0000000000000000
0x16bbdabc0: 0x0000000000000000
0x16bbdabc8: 0x0000000000000000
0x16bbdabd0: 0x0000000000000000
0x16bbdabd8: 0x0000000000000000
0x16bbdabe0: 0x0000000000000000
0x16bbdabe8: 0x0000000000000000
0x16bbdabf0: 0x0000000000000000
0x16bbdabf8: 0x0000000000000000
0x16bbdac00: 0x0000000000000000
0x16bbdac08: 0x0000000000000000
0x16bbdac10: 0x0000000000000000
0x16bbdac18: 0x0000000000000000
0x16bbdac20: 0x0000000000000000
0x16bbdac28: 0x0000000000000000
0x16bbdac30: 0x0000000000000000
0x16bbdac38: 0x0000000000000000
0x16bbdac40: 0x0000000000000000
0x16bbdac48: 0x0000000000000000
0x16bbdac50: 0x0000000000000000
0x16bbdac58: 0x0000000000000000
0x16bbdac60: 0x0000000000000000
0x16bbdac68: 0x0000000000000000
0x16bbdac70: 0x0000000000000000
0x16bbdac78: 0x0000000000000000
0x16bbdac80: 0x0000000000000000
0x16bbdac88: 0x0000000000000000
0x16bbdac90: 0x0000000000000000
0x16bbdac98: 0x0000000000000000
0x16bbdaca0: 0x0000000000000000
0x16bbdaca8: 0x0000000000000000
0x16bbdacb0: 0x0000000000000000
0x16bbdacb8: 0x0000000000000000
0x16bbdacc0: 0x0000000000000000
0x16bbdacc8: 0x0000000000000000
0x16bbdacd0: 0x0000000000000000
0x16bbdacd8: 0x0000000000000000
0x16bbdace0: 0x0000000000000000
0x16bbdace8: 0x0000000000000000
0x16bbdacf0: 0x0000000000000000
0x16bbdacf8: 0x0000000000000000
0x16bbdad00: 0x0000000000000000
0x16bbdad08: 0x0000000000000000
0x16bbdad10: 0x000000019441e8b0 "MallocExperiment="
0x16bbdad18: 0x000000019441e8a1 "malloc_entropy"
0x16bbdad20: 0x0000000000000000
0x16bbdad28: 0x000000016bbdade8
0x16bbdad30: 0x000000016bbdaee0
0x16bbdad38: 0x60562f81052d484c
0x16bbdad40: 0x0000000000000000
0x16bbdad48: 0x0000000000000000
0x16bbdad50: 0x0000000000000000
0x16bbdad58: 0x0000000000000000
0x16bbdad60: 0x0000000000000000
0x16bbdad68: 0x0000000000000000
0x16bbdad70: 0x0000000000000000
0x16bbdad78: 0x0000000000000000
0x16bbdad80: 0x0000000000000000
0x16bbdad88: 0x0000000000000000
0x16bbdad90: 0x0000000000000000
0x16bbdad98: 0x0000000000000000
0x16bbdada0: 0x0000000000000000
0x16bbdada8: 0x0000000000000000
0x16bbdadb0: 0x0000000000000000
0x16bbdadb8: 0x0000000000000000
0x16bbdadc0: 0x0000000000000000
0x16bbdadc8: 0x0000000000000000
0x16bbdadd0: 0x0000000000000000
0x16bbdadd8: 0x0000000000000000
0x16bbdade0: 0x0000000000000000
0x16bbdade8: 0x0000000000000000
0x16bbdadf0: 0x930a63f100000000
0x16bbdadf8: 0x00000001fb737994
0x16bbdae00: 0x00000001fb737960
0x16bbdae08: 0x0000000082f2daf8
0x16bbdae10: 0x00000c5700000000
0x16bbdae18: 0x00000001d089084c
0x16bbdae20: 0x00000c5700000000
0x16bbdae28: 0x00000001d0890848
0x16bbdae30: 0x73e6378d00000000
0x16bbdae38: 0x0000000196810790 ""
0x16bbdae40: 0x0000000196810774 "PLPTPLegacyConversionSupport"
0x16bbdae48: 0x000000005a335b80
0x16bbdae50: 0x0002000000000001
0x16bbdae58: 0x00000001d0790848
0x16bbdae60: 0x00000001d0710848
0x16bbdae68: 0x00000001d06f0848
0x16bbdae70: 0x0000000106920000
0x16bbdae78: 0x0000000000020000
0x16bbdae80: 0x00000001d06e0428
0x16bbdae88: 0x000000019ae5c260 libobjc.A.dylib_objc_opt_data 0x16bbdae90: 0x000000019ae5c260 libobjc.A.dylib_objc_opt_data
0x16bbdae98: 0x000000019ae5c260 libobjc.A.dylib_objc_opt_data 0x16bbdaea0: 0x0001de3f00000000 0x16bbdaea8: 0x0018000000000000 0x16bbdaeb0: 0x00000001052d8040 0x16bbdaeb8: 0x0000000106920000 0x16bbdaec0: 0x0000000182548000 0x16bbdaec8: 0x000000019ae5c260 libobjc.A.dylib_objc_opt_data
0x16bbdaed0: 0x0000000000000000
0x16bbdaed8: 0x0000000000000002
0x16bbdaee0: 0x000000016bbdaf00
0x16bbdaee8: 0x00000001052c03e4
0x16bbdaef0: 0x00000001052d8080
0x16bbdaef8: 0x00000001052d8080
0x16bbdaf00: 0x0000000000000000
0x16bbdaf08: 0x000000010439e938 `main at AppDelegate.swift
0x16bbdaf10: 0x0000000000000000
0x16bbdaf18: 0x0000000000000000
0x16bbdaf20: 0x0000000000000000
0x16bbdaf28: 0x0000000000000000
0x16bbdaf30: 0x0000000000000000
0x16bbdaf38: 0x0000000000000000
0x16bbdaf40: 0x0000000000000000
0x16bbdaf48: 0x0000000159190000
0x16bbdaf50: 0x0000000000000000
0x16bbdaf58: 0x0000000000000000
0x16bbdaf60: 0x0000000000000000
0x16bbdaf68: 0x0000000000000000
0x16bbdaf70: 0x0000000000000000
0x16bbdaf78: 0x0000000159190000
0x16bbdaf80: 0x0000000000000000
0x16bbdaf88: 0x0000000000000000

[xilin]

I meet similar error. Have you found the root cause?

[mintmy9527]

遇到相同问题，排查下来原因是内存限制因素，解决方法有两种
1.需要开发者证书，开启com.apple.developer.kernel.increased-memory-limit和com.apple.developer.kernel.extended-virtual-addressing
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_kernel_extended-virtual-addressing
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_developer_kernel_increased-memory-limit
我当时测试时使用ipad mini5，3GB内存，开启前会异常，开启后异常消失，问题解决
2.需要大内存机器，比如6GB内存的iphone12 pro，不用开启上面的entitlement问题也不会有问题