Fix use of uninitialized memory.
When creating an UnwindMapLocal fails in the Build() function call,
the destructor for UnwindMap is called. Unfortunately, the map_cursor_
member variable has not been initialized, so the call to destroy it
winds up operating on garbage data.
Part of this is a result of a bad class hierarchy, so this refactors
the classes slightly, and properly initializes the map_cursor_ member
variable in the base class.
Bug: 26931578
Change-Id: I885596bf65e4ef63559cee2c56cd41576d5ecc1b
diff --git a/libbacktrace/UnwindMap.cpp b/libbacktrace/UnwindMap.cpp
index 879fea5..34d79f9 100644
--- a/libbacktrace/UnwindMap.cpp
+++ b/libbacktrace/UnwindMap.cpp
@@ -33,14 +33,18 @@
// of maps using the same map cursor.
//-------------------------------------------------------------------------
UnwindMap::UnwindMap(pid_t pid) : BacktraceMap(pid) {
+ unw_map_cursor_clear(&map_cursor_);
}
-UnwindMap::~UnwindMap() {
+UnwindMapRemote::UnwindMapRemote(pid_t pid) : UnwindMap(pid) {
+}
+
+UnwindMapRemote::~UnwindMapRemote() {
unw_map_cursor_destroy(&map_cursor_);
unw_map_cursor_clear(&map_cursor_);
}
-bool UnwindMap::GenerateMap() {
+bool UnwindMapRemote::GenerateMap() {
// Use the map_cursor information to construct the BacktraceMap data
// rather than reparsing /proc/self/maps.
unw_map_cursor_reset(&map_cursor_);
@@ -63,7 +67,7 @@
return true;
}
-bool UnwindMap::Build() {
+bool UnwindMapRemote::Build() {
return (unw_map_cursor_create(&map_cursor_, pid_) == 0) && GenerateMap();
}
@@ -84,6 +88,7 @@
for (int i = 0; i < 3; i++) {
maps_.clear();
+ // Save the map data retrieved so we can tell if it changes.
unw_map_local_cursor_get(&map_cursor_);
unw_map_t unw_map;
@@ -142,7 +147,7 @@
} else if (pid == getpid()) {
map = new UnwindMapLocal();
} else {
- map = new UnwindMap(pid);
+ map = new UnwindMapRemote(pid);
}
if (!map->Build()) {
delete map;