
Issue 599694

Starred by 2 users

Issue metadata

Status: Archived
Owner: ----
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 3
Type: Bug




webkit GC inspects potentially uninitialized memory allocations

Project Member Reported by r...@chromium.org, Mar 31 2016

Issue description

I saw this report while attempting to roll clang:
https://build.chromium.org/p/tryserver.chromium.linux/builders/linux_chromium_msan_rel_ng/builds/307/steps/browser_tests%20%28without%20patch%29%20on%20Ubuntu-12.04/logs/ThreatDOMDetailsTest.Everything

[ RUN      ] ThreatDOMDetailsTest.Everything
==350==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xb052d8f in addToFreeList third_party/WebKit/Source/platform/heap/HeapPage.cpp:917:13
    #1 0xb05489a in sweep third_party/WebKit/Source/platform/heap/HeapPage.cpp:1153:9
    #2 0xb0475a0 in sweepUnsweptPage third_party/WebKit/Source/platform/heap/HeapPage.cpp:299:9
...

  Uninitialized value was stored to memory at
    #0 0x70efd7 in __msan_memcpy ??:0
    #1 0x10f63f4f in RuleData third_party/WebKit/Source/core/css/RuleSet.h:72:19
    #2 0x10f63f4f in Node third_party/WebKit/Source/platform/heap/HeapLinkedStack.h:76:0
    #3 0x10f63f4f in push third_party/WebKit/Source/platform/heap/HeapLinkedStack.h:90:0
    #4 0x10f648a2 in findBestRuleSetAndAdd third_party/WebKit/Source/core/css/RuleSet.cpp:174:9
...

  Uninitialized value was created by an allocation of 'ruleData' in the stack frame of function '_ZN5blink7RuleSet7addRuleEPNS_9StyleRuleEjNS_12AddRuleFlagsE'
    #0 0x10f66880 in addRule third_party/WebKit/Source/core/css/RuleSet.cpp:219:0

So, basically some object was allocated on the stack, partially initialized, and then copied to the heap with memcpy. Totally kosher. Then WebKit's heap code tries to inspect the values in the heap allocation for poison bytes or something and does a UMR:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/platform/heap/HeapPage.cpp&sq=package:chromium&l=917
#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)
    // The following logic delays reusing free lists for (at least) one GC
    // cycle or coalescing. This is helpful to detect use-after-free errors
    // that could be caused by lazy sweeping etc.
    size_t allowedCount = 0;
    size_t forbiddenCount = 0;
    for (size_t i = sizeof(FreeListEntry); i < size; i++) {
        if (address[i] == reuseAllowedZapValue) {
            allowedCount++;
        } else if (address[i] == reuseForbiddenZapValue) {
            forbiddenCount++;
        } else {

We should probably just unpoison the allocation under an MSan ifdef before this loop.
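
Worked example, added here and not code from this bug or from Blink, covering the analysis in the description above and the later question of whether Oilpan part objects must be fully initialized. It reproduces the pattern in miniature: a constructor leaves bytes of an object unwritten, memcpy carries them to a heap block (MSan only propagates shadow through memcpy, so it stays silent), and a byte-wise zap scan of the dead block at sweep time reads them, which is a real use and is what MSan reports. It then shows both remedies discussed on the bug: unpoisoning the range under an MSan ifdef right before the scan, and constructing the object so that no byte, padding included, is ever undefined. The zap values and every struct and function name below are assumptions for the example, not Blink's.

```cpp
// Added example, not code from this bug or from Blink. Zap values and all
// names below are assumptions for the example.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <new>
#include <vector>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define EXAMPLE_HAS_MSAN 1
#  endif
#endif

// Stand-ins for reuseAllowedZapValue / reuseForbiddenZapValue.
constexpr uint8_t kReuseAllowedZap = 0xAA;
constexpr uint8_t kReuseForbiddenZap = 0xBB;

// A "part object" with holes: padding after `tag`, plus array slots the
// constructor never writes (compare RuleData's identifier-hash array).
struct RuleLike {
  uint8_t tag;
  uint32_t hashes[4];
  explicit RuleLike(uint8_t t) : tag(t) { hashes[0] = 7; }  // hashes[1..3] untouched
};

struct ZapCounts { size_t allowed = 0, forbidden = 0, other = 0; };

// Same shape as the loop flagged at HeapPage.cpp:917: every byte of the
// freed range is read and compared, so every byte has to be initialized.
ZapCounts scanZapBytes(const uint8_t* address, size_t size) {
  ZapCounts c;
  for (size_t i = 0; i < size; i++) {
    if (address[i] == kReuseAllowedZap) c.allowed++;
    else if (address[i] == kReuseForbiddenZap) c.forbidden++;
    else c.other++;
  }
  return c;
}

// Remedy 1 (the reporter's suggestion): tell MSan the range is defined,
// right before the scan and only under MSan. Byte values are unchanged; the
// checker is told that the collector, not the program, is inspecting them.
ZapCounts scanZapBytesMsanSafe(const uint8_t* address, size_t size) {
#if defined(EXAMPLE_HAS_MSAN)
  __msan_unpoison(address, size);
#endif
  return scanZapBytes(address, size);
}

// The path in the report: construct on the stack, memcpy to the heap (as
// HeapLinkedStack::push copies a RuleData). Valid C++, holes included.
std::vector<uint8_t> copyToHeapAsIs(uint8_t tag) {
  RuleLike local(tag);
  std::vector<uint8_t> heap(sizeof(RuleLike));
  std::memcpy(heap.data(), &local, sizeof(RuleLike));
  return heap;
}

// Remedy 2 (the GC maintainer's preference): leave no byte undefined before
// the copy. Zero-filling the storage and constructing into it with placement
// new covers padding too, which member initializers alone do not guarantee.
std::vector<uint8_t> copyToHeapFullyInitialized(uint8_t tag) {
  alignas(RuleLike) uint8_t storage[sizeof(RuleLike)];
  std::memset(storage, 0, sizeof(storage));     // every byte defined
  RuleLike* obj = new (storage) RuleLike(tag);  // then the real ctor runs
  std::vector<uint8_t> heap(sizeof(RuleLike));
  std::memcpy(heap.data(), obj, sizeof(RuleLike));
  obj->~RuleLike();
  return heap;
}

// Sweep: inspect the dead object's bytes as addToFreeList does, then zap
// the block. Returns what the inspection saw.
ZapCounts sweepBlock(std::vector<uint8_t>& block) {
  ZapCounts seen = scanZapBytesMsanSafe(block.data(), block.size());
  std::memset(block.data(), kReuseForbiddenZap, block.size());
  return seen;
}

// True when a fully initialized copy sweeps with no surprises: no zap bytes
// before the sweep, only forbidden-zap bytes after it.
bool fullyInitializedCopySweepsClean() {
  std::vector<uint8_t> block = copyToHeapFullyInitialized(0x11);
  ZapCounts before = sweepBlock(block);
  ZapCounts after = scanZapBytes(block.data(), block.size());
  return before.allowed == 0 && before.forbidden == 0 &&
         before.other == block.size() && after.forbidden == block.size();
}

int main() {
  std::vector<uint8_t> raw = copyToHeapAsIs(0x11);
  ZapCounts seen = sweepBlock(raw);  // under MSan, use scanZapBytes here to see the report
  std::printf("as-is copy: %zu allowed, %zu forbidden, %zu other bytes\n",
              seen.allowed, seen.forbidden, seen.other);
  std::printf("fully initialized copy sweeps clean: %s\n",
              fullyInitializedCopySweepsClean() ? "yes" : "no");
  return 0;
}
```

Build it normally with `clang++ -std=c++11` and the sanitizer guard compiles to nothing; build with `-fsanitize=memory` and call `scanZapBytes` directly on the `copyToHeapAsIs` block to get a use-of-uninitialized-value report whose origin is the stack `RuleLike`, the same shape as the report in this issue. Note that `__msan_unpoison` only silences the checker; it is the right fix when the scanned bytes are legitimately allowed to be undefined (the collector's own freelist bookkeeping), not a substitute for initializing object fields the program later reads.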
 

Comment 1 by r...@chromium.org, Mar 31 2016

Labels: Stability-Memory-MemorySanitizer
Components: Blink>JavaScript>GC
Components: -Blink>JavaScript>GC Blink>MemoryAllocator>GarbageCollection

Comment 4 by euge...@google.com, Apr 4 2016

I cannot reproduce this locally. Tried the exact clang revision and GYP flags - the test passes.
Reproduced locally:

$ export GYP_DEFINES='chromeos=1 msan=1 msan_track_origins=2 use_prebuilt_instrumented_libraries=1 component=static_library fastbuild=1 dcheck_always_on=1'
$ gclient runhooks
$ ninja -C out/Release browser_tests
$ ./out/Release/browser_tests --gtest_filter=PasswordGenerationAgentTest.EditingTest
...
[ RUN      ] PasswordGenerationAgentTest.EditingTest
==101452==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xe6215de in blink::FreeList::addToFreeList(unsigned char*, unsigned long) third_party/WebKit/Source/platform/heap/HeapPage.cpp:917:13
    #1 0xe62305c in blink::NormalPage::sweep() third_party/WebKit/Source/platform/heap/HeapPage.cpp:1139:13
    #2 0xe615b10 in blink::BaseArena::sweepUnsweptPage() third_party/WebKit/Source/platform/heap/HeapPage.cpp:299:9
    #3 0xe6162b0 in blink::BaseArena::completeSweep() third_party/WebKit/Source/platform/heap/HeapPage.cpp:340:9
    #4 0xe636b54 in blink::ThreadState::completeSweep() third_party/WebKit/Source/platform/heap/ThreadState.cpp:1072:13
    #5 0xe6017c4 in ~SafePointScope third_party/WebKit/Source/platform/heap/SafePoint.h:29:13
    #6 0xe6017c4 in blink::ThreadHeap::collectGarbage(blink::BlinkGC::StackState, blink::BlinkGC::GCType, blink::BlinkGC::GCReason) third_party/WebKit/Source/platform/heap/Heap.cpp:566
    #7 0x16933fdb in blink::V8GCController::gcEpilogue(v8::Isolate*, v8::GCType, v8::GCCallbackFlags) third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:363:9
    #8 0xf6d4876 in CallGCEpilogueCallbacks v8/src/heap/heap.cc:1404:9
    #9 0xf6d4876 in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::GCCallbackFlags) v8/src/heap/heap.cc:1360
    #10 0xf6ce65e in v8::internal::Heap::CollectGarbage(v8::internal::GarbageCollector, char const*, char const*, v8::GCCallbackFlags) v8/src/heap/heap.cc:1010:11
    #11 0xf6c9760 in CollectGarbage v8/src/heap/heap-inl.h:559:10
    #12 0xf6c9760 in v8::internal::Heap::CollectAllGarbage(int, char const*, v8::GCCallbackFlags) v8/src/heap/heap.cc:873
    #13 0xea56355 in v8::Isolate::RequestGarbageCollectionForTesting(v8::Isolate::GarbageCollectionType) v8/src/api.cc:7289:5
    #14 0x16935457 in blink::V8GCController::collectAllGarbageForTesting(v8::Isolate*) third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:400:9
    #15 0x2177a728 in blink::(anonymous namespace)::WebLeakDetectorImpl::collectGarbageAndReport() third_party/WebKit/Source/web/WebLeakDetector.cpp:113:5
    #16 0x1dd2567e in content::RenderViewTest::TearDown() content/public/test/render_view_test.cc:409:3
    #17 0x3339e19 in ChromeRenderViewTest::TearDown() chrome/test/base/chrome_render_view_test.cc:125:3
    #18 0x734dc49 in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:5
    #19 0x734f47b in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:5
    #20 0x736cd41 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:11
    #21 0x736bd41 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #22 0x736bd41 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255
    #23 0x60e9854 in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:10
    #24 0x60e9854 in base::TestSuite::Run() base/test/test_suite.cc:230
    #25 0x5b64da1 in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:59:10
    #26 0x1dd3e0ff in content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:517:12
    #27 0x342315c in main chrome/test/base/browser_tests_main.cc:25:10
    #28 0x7f836c5cbec4 in __libc_start_main /build/eglibc-3GlaMS/eglibc-2.19/csu/libc-start.c:287
    #29 0x7588c7 in _start (/usr/local/google/home/krasin/chr25/src/out/Release/browser_tests+0x7588c7)

  Uninitialized value was stored to memory at
    #0 0x776627 in __msan_memcpy (/usr/local/google/home/krasin/chr25/src/out/Release/browser_tests+0x776627)
    #1 0x13f9858e in blink::ResourceResponse::operator=(blink::ResourceResponse const&) third_party/WebKit/Source/platform/network/ResourceResponse.h:47:23
    #2 0x1528e9f3 in blink::DocumentLoader::responseReceived(blink::Resource*, blink::ResourceResponse const&, WTF::PassOwnPtr<blink::WebDataConsumerHandle>) third_party/WebKit/Source/core/loader/DocumentLoader.cpp:408:16
    #3 0x14ca290a in blink::RawResource::responseReceived(blink::ResourceResponse const&, WTF::PassOwnPtr<blink::WebDataConsumerHandle>) third_party/WebKit/Source/core/fetch/RawResource.cpp:153:9
    #4 0x14d1798c in blink::ResourceLoader::didReceiveResponse(blink::WebURLLoader*, blink::WebURLResponse const&, blink::WebDataConsumerHandle*) third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:280:5
    #5 0x21ff83d8 in content::WebURLLoaderImpl::Context::OnReceivedResponse(content::ResourceResponseInfo const&) content/child/web_url_loader_impl.cc:700:5
    #6 0x21ffc3a6 in content::WebURLLoaderImpl::Context::HandleDataURL() content/child/web_url_loader_impl.cc:878:5
    #7 0x220c55b5 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
    #8 0x220c55b5 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:321
    #9 0x220c55b5 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #10 0x6080bc0 in Run base/callback.h:397:12
    #11 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #12 0x220f4439 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) components/scheduler/base/task_queue_manager.cc:289:3
    #13 0x220ed9ea in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) components/scheduler/base/task_queue_manager.cc:201:13
    #14 0x220f8d24 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
    #15 0x220f8d24 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:334
    #16 0x220f8d24 in base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #17 0x6080bc0 in Run base/callback.h:397:12
    #18 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #19 0x5e63ede in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
    #20 0x5e658e7 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
    #21 0x5e672b7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
    #22 0x5e757f8 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:21
    #23 0x5e627bf in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:448:3
    #24 0x5efdbbf in base::RunLoop::Run() base/run_loop.cc:35:3
    #25 0x1dd21024 in content::RenderViewTest::LoadHTML(char const*) content/public/test/render_view_test.cc:253:3

  Uninitialized value was stored to memory at
    #0 0x776627 in __msan_memcpy (/usr/local/google/home/krasin/chr25/src/out/Release/browser_tests+0x776627)
    #1 0x13f9858e in blink::ResourceResponse::operator=(blink::ResourceResponse const&) third_party/WebKit/Source/platform/network/ResourceResponse.h:47:23
    #2 0x14cb5a8e in setResponse third_party/WebKit/Source/core/fetch/Resource.h:187:69
    #3 0x14cb5a8e in blink::Resource::responseReceived(blink::ResourceResponse const&, WTF::PassOwnPtr<blink::WebDataConsumerHandle>) third_party/WebKit/Source/core/fetch/Resource.cpp:500
    #4 0x14ca261a in blink::RawResource::responseReceived(blink::ResourceResponse const&, WTF::PassOwnPtr<blink::WebDataConsumerHandle>) third_party/WebKit/Source/core/fetch/RawResource.cpp:146:5
    #5 0x14d1798c in blink::ResourceLoader::didReceiveResponse(blink::WebURLLoader*, blink::WebURLResponse const&, blink::WebDataConsumerHandle*) third_party/WebKit/Source/core/fetch/ResourceLoader.cpp:280:5
    #6 0x21ff83d8 in content::WebURLLoaderImpl::Context::OnReceivedResponse(content::ResourceResponseInfo const&) content/child/web_url_loader_impl.cc:700:5
    #7 0x21ffc3a6 in content::WebURLLoaderImpl::Context::HandleDataURL() content/child/web_url_loader_impl.cc:878:5
    #8 0x220c55b5 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
    #9 0x220c55b5 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:321
    #10 0x220c55b5 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #11 0x6080bc0 in Run base/callback.h:397:12
    #12 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #13 0x220f4439 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) components/scheduler/base/task_queue_manager.cc:289:3
    #14 0x220ed9ea in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) components/scheduler/base/task_queue_manager.cc:201:13
    #15 0x220f8d24 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
    #16 0x220f8d24 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:334
    #17 0x220f8d24 in base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #18 0x6080bc0 in Run base/callback.h:397:12
    #19 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #20 0x5e63ede in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
    #21 0x5e658e7 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
    #22 0x5e672b7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
    #23 0x5e757f8 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:21
    #24 0x5e627bf in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:448:3
    #25 0x5efdbbf in base::RunLoop::Run() base/run_loop.cc:35:3
    #26 0x1dd21024 in content::RenderViewTest::LoadHTML(char const*) content/public/test/render_view_test.cc:253:3

  Uninitialized value was created by a heap allocation
    #0 0x77d562 in __interceptor_malloc (/usr/local/google/home/krasin/chr25/src/out/Release/browser_tests+0x77d562)
    #1 0xe4ea443 in partitionAllocGenericFlags third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:736:20
    #2 0xe4ea443 in partitionAllocGeneric third_party/WebKit/Source/wtf/allocator/PartitionAlloc.h:763
    #3 0xe4ea443 in WTF::Partitions::fastMalloc(unsigned long, char const*) third_party/WebKit/Source/wtf/allocator/Partitions.h:110
    #4 0xe519f1d in operator new third_party/WebKit/Source/platform/exported/WebURLResponse.cpp:70:5
    #5 0xe519f1d in blink::WebURLResponse::initialize() third_party/WebKit/Source/platform/exported/WebURLResponse.cpp:93
    #6 0x21ff7416 in content::WebURLLoaderImpl::Context::OnReceivedResponse(content::ResourceResponseInfo const&) content/child/web_url_loader_impl.cc:648:3
    #7 0x21ffc3a6 in content::WebURLLoaderImpl::Context::HandleDataURL() content/child/web_url_loader_impl.cc:878:5
    #8 0x220c55b5 in Run<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:159:12
    #9 0x220c55b5 in MakeItSo<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > base/bind_internal.h:321
    #10 0x220c55b5 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)>, void (std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >), base::internal::PassedWrapper<std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> > > >, base::internal::InvokeHelper<false, void, base::internal::RunnableAdapter<void (*)(std::__1::unique_ptr<blink::WebTaskRunner::Task, std::__1::default_delete<blink::WebTaskRunner::Task> >)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #11 0x6080bc0 in Run base/callback.h:397:12
    #12 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #13 0x220f4439 in scheduler::TaskQueueManager::ProcessTaskFromWorkQueue(scheduler::internal::WorkQueue*, scheduler::internal::TaskQueueImpl::Task*) components/scheduler/base/task_queue_manager.cc:289:3
    #14 0x220ed9ea in scheduler::TaskQueueManager::DoWork(base::TimeTicks, bool) components/scheduler/base/task_queue_manager.cc:201:13
    #15 0x220f8d24 in Run<const base::TimeTicks &, const bool &> base/bind_internal.h:181:12
    #16 0x220f8d24 in MakeItSo<base::WeakPtr<scheduler::TaskQueueManager>, const base::TimeTicks &, const bool &> base/bind_internal.h:334
    #17 0x220f8d24 in base::internal::Invoker<base::IndexSequence<0ul, 1ul, 2ul>, base::internal::BindState<base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)>, void (scheduler::TaskQueueManager*, base::TimeTicks, bool), base::WeakPtr<scheduler::TaskQueueManager>, base::TimeTicks, bool>, base::internal::InvokeHelper<true, void, base::internal::RunnableAdapter<void (scheduler::TaskQueueManager::*)(base::TimeTicks, bool)> >, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:372
    #18 0x6080bc0 in Run base/callback.h:397:12
    #19 0x6080bc0 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
    #20 0x5e63ede in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:3
    #21 0x5e658e7 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:493:5
    #22 0x5e672b7 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:610:13
    #23 0x5e757f8 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_default.cc:33:21
    #24 0x5e627bf in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:448:3
    #25 0x5efdbbf in base::RunLoop::Run() base/run_loop.cc:35:3
    #26 0x1dd21024 in content::RenderViewTest::LoadHTML(char const*) content/public/test/render_view_test.cc:253:3
    #27 0x329dffc in autofill::PasswordGenerationAgentTest::TearDown() chrome/renderer/autofill/password_generation_agent_browsertest.cc:39:5
    #28 0x734dc49 in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:5

SUMMARY: MemorySanitizer: use-of-uninitialized-value third_party/WebKit/Source/platform/heap/HeapPage.cpp:917:13 in blink::FreeList::addToFreeList(unsigned char*, unsigned long)

I used Clang toolchain 268373, see https://codereview.chromium.org/1944713002/
Note that the code failing is behind the following ifdef:

#if ENABLE(ASSERT) || defined(LEAK_SANITIZER) || defined(ADDRESS_SANITIZER)

It means that dcheck_always_on=1 in GYP_FLAGS is important.
Cc: oilpan-reviews@chromium.org sigbjo...@opera.com
Thanks for reporting this!

> So, basically some object was allocated on the stack, partially initialized, and then copied to the heap with memcpy.

Hmm, I'm not sure how this happens. When a GC is triggered, all objects must have been fully initialized.

HeapLinkedStack is not widely used -- maybe the implementation has some bug (although I cannot find it for now).

This looks like a loader issue, Oilpan GC is just the messenger, copying in an uninit'ed ResourceResponse (from a WebURLResponse) into a Resource heap object, which the GC then touches when performing leak detection at the end.
That's referring to #5, for the one in the description isn't the problem that the RuleData constructor,

 https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/core/css/RuleSet.cpp&q=RuleData&sq=package:chromium&l=109

doesn't fully initialize m_descendantSelectorIdentifierHashes[] (by way of SelectorFilter::collectIdentifierHashes()) ?
If we don't want to insist on part objects being fully initialized when being on the Oilpan heap, then https://codereview.chromium.org/1950603003/ does what rnk@ suggests, disabling freelist zap filling&checking with MSan enabled.
Thanks for pointing it out -- IMHO I'd prefer explicitly initializing all part objects.

Then you need to separately address the two reported here, probably not too many others hiding.

I couldn't make out what's being flagged as uninitialized in #5, all fields of ResourceResponse are initialized by its ctors. I'm assuming MSan quietly ignores internal "slop" due to alignment around bitfields, which ResourceResponse's got a bunch of.
Status: Untriaged (was: Unconfirmed)
Cc: keishi@chromium.org
Status: Available (was: Untriaged)
keishi@: Could you triage this?
Owner: ----

Project Member Comment 17 by sheriffbot@chromium.org, Sep 1 2017

Labels: Hotlist-Recharge-Cold
Status: Untriaged (was: Available)
This issue has been Available for over a year. If it's no longer important or seems unlikely to be fixed, please consider closing it out. If it is important, please re-triage the issue.

Sorry for the inconvenience if the bug really should have been left as Available. If you change it back, also remove the "Hotlist-Recharge-Cold" label.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Status: Archived (was: Untriaged)
