This ugly patch fixes the problem: https://codereview.chromium.org/1861543003/

I am not sure that my original explanation was correct. In fact, I was very surprised to see the test passing.

I hope that helps.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/59dd5d45f05cab02ef9410b505cbae3dfd5d4ed4

commit 59dd5d45f05cab02ef9410b505cbae3dfd5d4ed4
Author: rouslan <rouslan@chromium.org>
Date: Wed Apr 06 16:43:04 2016

Fix CFI: Invalid cast in PaymentRequestTest

Do not reset PaymentDetails.items and PaymentDetails.shippingOptions to
avoid double-deletion. Avoid setting these properties instead. This
affects only unit tests.

BUG= 600808 

Review URL: https://codereview.chromium.org/1860303002

Cr-Commit-Position: refs/heads/master@{#385478}

[modify] https://crrev.com/59dd5d45f05cab02ef9410b505cbae3dfd5d4ed4/third_party/WebKit/Source/modules/payments/PaymentDetailsTestHelper.cpp
[modify] https://crrev.com/59dd5d45f05cab02ef9410b505cbae3dfd5d4ed4/third_party/WebKit/Source/modules/payments/PaymentDetailsTestHelper.h
[modify] https://crrev.com/59dd5d45f05cab02ef9410b505cbae3dfd5d4ed4/third_party/WebKit/Source/modules/payments/PaymentRequestTest.cpp

Marking this bug as fixed. Will reference it when I file a bug against the GC.

Filed 601193 against the garbage collector.

Thank you, Rouslan!

This seem to have regressed with https://codereview.chromium.org/2406713002:
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/581

Rouslan, can you please take a look on Monday?

Issue 601193 against GC is still not fixed. Probably this line is triggering the alert:

options = HeapVector<PaymentShippingOption>();

https://cs.chromium.org/chromium/src/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp?rcl=0&l=236

I am not able to reproduce using these steps. Did the steps to reproduce change?


=====================================================================
$ gn gen out/gn-cfi '--args=is_debug=false is_cfi=true use_cfi_diag=true enable_profiling=true' --check
......
$ build/download_gold_plugin.py
......
$ ninja -Cout/gn-cfi webkit_unit_tests
......
$ gdb -ex 'b __ubsan::__ubsan_handle_cfi_check_fail' -ex r --args ./out/gn-cfi/webkit_unit_tests --single_process --gtest_filter=PaymentRequestTest.ShouldResolveWithEmptyShippingOptionsIfIDsOfShippingOptionsAreDuplicated
GNU gdb (GDB) 7.9-gg19
Copyright (C) 2015 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-grtev4-linux-gnu".
Type "show configuration" for configuration details.

<http://go/gdb-home FAQ: http://go/gdb-faq Email: c-toolchain-team IRC: gdb>
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
Reading symbols from ./out/gn-cfi/webkit_unit_tests...done.

WARNING: no debugging symbols found in ./out/gn-cfi/webkit_unit_tests.
Either the binary was compiled without debugging information
or the debugging information was removed (e.g., with strip or strip -g).
Debugger capabilities will be very limited.
For further information: http://go/gdb#No_debugging_symbols_found

Unable to determine compiler version.
Skipping loading of libstdc++ pretty-printers for now.
Function "__ubsan::__ubsan_handle_cfi_check_fail" not defined.
Make breakpoint pending on future shared library load? (y or [n]) y
Breakpoint 1 (__ubsan::__ubsan_handle_cfi_check_fail) pending.
Starting program: /home/rouslan/chrome/src/out/gn-cfi/webkit_unit_tests --single_process --gtest_filter=PaymentRequestTest.ShouldResolveWithEmptyShippingOptionsIfIDsOfShippingOptionsAreDuplicated
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/grte/v4/lib64/libthread_db.so.1".
Debugger detected, switching to single process mode.
Pass --test-launcher-debug-launcher to debug the launcher itself.
Detected presence of a debugger, running without test timeouts.
Note: Test filter = PaymentRequestTest.ShouldResolveWithEmptyShippingOptionsIfIDsOfShippingOptionsAreDuplicated
[==========] Running 1 test from 1 test case.
[----------] Global test environment set-up.
[----------] 1 test from PaymentRequestTest
[ RUN      ] PaymentRequestTest.ShouldResolveWithEmptyShippingOptionsIfIDsOfShippingOptionsAreDuplicated
[       OK ] PaymentRequestTest.ShouldResolveWithEmptyShippingOptionsIfIDsOfShippingOptionsAreDuplicated (24 ms)
[----------] 1 test from PaymentRequestTest (25 ms total)

[----------] Global test environment tear-down
[==========] 1 test from 1 test case ran. (25 ms total)
[  PASSED  ] 1 test.
PROFILE: interrupts/evictions/bytes = 3/0/1024
[Inferior 1 (process 2498) exited normally]
(gdb) quit
=====================================================================

Oh, sorry, slightly. I have moved the bad-cast check out of is_cfi by default. Please, use this gn command (notice, use_cfi_cast=true):

gn gen out/gn-cfi '--args=is_debug=false is_cfi=true use_cfi_cast=true use_cfi_diag=true enable_profiling=true' --check

This change was due to the fact that we didn't feel we can put the cast check into the official Chrome without having a trybot; and we could not have a trybot until ThinLTO (which is much faster than the regular LTO) is deployed. 

Fixed in http://crrev.com/2427633004, which is pointing to issue 600080 by mistake.

Thank you, Rouslan!

webkit_unit_tests are now green under CFI:
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20ToT/builds/4677/steps/webkit_unit_tests

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/e177f658f2b6ab19fac1885586f2b25bf9975aa8

commit e177f658f2b6ab19fac1885586f2b25bf9975aa8
Author: rouslan <rouslan@chromium.org>
Date: Mon Oct 24 23:49:05 2016

Overwrite the HeapVector of ShippingOptions for more clear code.

BUG= 600808 

Review-Url: https://codereview.chromium.org/2444493002
Cr-Commit-Position: refs/heads/master@{#427181}

[modify] https://crrev.com/e177f658f2b6ab19fac1885586f2b25bf9975aa8/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp

Sadly, I think this has broken the bots:
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/668/steps/webkit_unit_tests

To reproduce:

$ gn gen out/cfi-diag '--args=is_debug=false is_cfi=true use_cfi_diag=true use_cfi_cast=true symbol_level=1' --check
$ build/download_gold_plugin.py
$ ninja -C out/cfi-diag webkit_unit_tests # Will take around 40 minutes
$ gdb  -ex 'b __ubsan_handle_cfi_check_fail' -ex r --args ./out/cfi-diag/webkit_unit_tests --gtest_filter=CompleteTest.CannotCallCompleteTwice --single_process

Error message:
../../third_party/WebKit/Source/platform/heap/HeapAllocator.h:302:15: runtime error: control flow integrity check for type 'blink::PaymentShippingOption' failed during cast to unrelated type (vtable address 0x000000000000)
0x000000000000: note: invalid vtable

Stack trace:
#0  0x0000000002fc6434 in __ubsan_handle_cfi_check_fail ()
#1  0x0000000000bec4bf in blink::HeapVectorBacking<blink::PaymentShippingOption, WTF::VectorTraits<blink::PaymentShippingOption> >::finalize(void*) () at ../../third_party/WebKit/Source/platform/heap/HeapAllocator.h:302
#2  0x00000000014a061f in blink::NormalPage::sweep() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:1216
#3  0x000000000149ebde in blink::BaseArena::sweepUnsweptPage() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:296
#4  0x000000000149eeb8 in blink::BaseArena::completeSweep() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:349
#5  0x00000000014a2cc9 in blink::ThreadState::completeSweep() () at ../../third_party/WebKit/Source/platform/heap/ThreadState.cpp:1202
#6  0x00000000014a5049 in collectGarbage () at ../../third_party/WebKit/Source/platform/heap/ThreadState.cpp:1776
#7  0x0000000001a2cac2 in blink::V8GCController::gcEpilogue(v8::Isolate*, v8::GCType, v8::GCCallbackFlags) () at ../../third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:416
#8  0x0000000001354e00 in v8::internal::Heap::CallGCEpilogueCallbacks(v8::GCType, v8::GCCallbackFlags) () at ../../v8/src/heap/heap.cc:1417
#9  0x0000000001355ce8 in PerformGarbageCollection () at ../../v8/src/heap/heap.cc:1373
#10 0x0000000001355435 in CollectGarbage () at ../../v8/src/heap/heap.cc:998
#11 0x0000000000d5f548 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) () at ../../v8/src/heap/heap-inl.h:678
#12 0x000000000135467b in v8::internal::Heap::CollectAllGarbage(int, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) () at ../../v8/src/heap/heap.cc:847
#13 0x0000000001a2cfda in blink::V8GCController::collectAllGarbageForTesting(v8::Isolate*) () at ../../third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:461
#14 0x0000000000548d55 in (anonymous namespace)::runHelper(base::TestSuite*) () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:60
#15 0x0000000000548f1e in int base::internal::Invoker<base::internal::BindState<int (*)(base::TestSuite*), base::internal::UnretainedWrapper<base::TestSuite> >, int ()>::RunImpl<int (* const&)(base::TestSuite*), std::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, 0ul>(int (* const&)(base::TestSuite*), std::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, base::IndexSequence<0ul>) () at ../../base/bind_internal.h:361
#16 0x000000000161cddf in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:210
#17 0x000000000161cc52 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:452
#18 0x0000000000548c4c in main () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:73

haraken@ fixed the GC in Blink in issue 601193, which is why I landed http://crrev.com/2444493002. A different CFI test is failing now. Are we sure that this is the same problem?

Quite possibly that I have confused things. Sorry, if that's the case.

GC fix by haraken@: http://crrev.com/2436123002

Thank you!

I will move the discussion about the current failures there.

Actually, it's definitely not related to the CL by haraken@. The bot became broken on Oct 24 (see the webkit_unit_tests failure):
https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/658

Currently, I suspect https://codereview.chromium.org/2444493002 and will try to revert it locally to confirm it. In any case, I will file a separate issue. This one is fixed.

Filed https://bugs.chromium.org/p/chromium/issues/detail?id=659885

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/38c1be9dce77296f2336d8dd64f7e0e1809f2dfa

commit 38c1be9dce77296f2336d8dd64f7e0e1809f2dfa
Author: rouslan <rouslan@chromium.org>
Date: Thu Oct 27 13:14:00 2016

Revert of Overwrite the HeapVector of ShippingOptions for more clear code. (patchset #2 id:20001 of https://codereview.chromium.org/2444493002/ )

Reason for revert:
Breaks CFI.
https://bugs.chromium.org/p/chromium/issues/detail?id=659885

Original issue's description:
> Overwrite the HeapVector of ShippingOptions for more clear code.
>
> BUG= 600808 
>
> Committed: https://crrev.com/e177f658f2b6ab19fac1885586f2b25bf9975aa8
> Cr-Commit-Position: refs/heads/master@{#427181}

TBR=haraken@chromium.org
# Not skipping CQ checks because original CL landed more than 1 days ago.
BUG= 600808 

Review-Url: https://codereview.chromium.org/2456783004
Cr-Commit-Position: refs/heads/master@{#428008}

[modify] https://crrev.com/38c1be9dce77296f2336d8dd64f7e0e1809f2dfa/third_party/WebKit/Source/modules/payments/PaymentRequest.cpp