Enable -fsanitize=null on UBSan Vptr bots |
||
Issue descriptionSometimes, UBSan Vptr would fail with no good diagnostics which could lead to a significant debug time penalty. See for example: https://crbug.com/616268 . The issue there turned out to be a null pointer access (and not a corrupted vptable as it felt initially). With UBSan null sanitizer the message becomes significantly easier to understand: ../../base/trace_event/heap_profiler_heap_dump_writer.cc:205:53: runtime error: member call on null pointer of type 'base::trace_event::StackFrameDeduplicator' #0 0x14273bd in base::trace_event::internal::HeapDumpWriter::AddEntryForBucket(base::trace_event::internal::(anonymous namespace)::Bucket const&) out/gn-vptr/../../base/trace_event/heap_profiler_heap_dump_writer.cc:205:53 #1 0x14270d4 in base::trace_event::internal::HeapDumpWriter::Summarize(std::unordered_map<base::trace_event::AllocationContext, base::trace_event::AllocationMetrics, base_hash::hash<base::trace_event::AllocationContext>, std::equal_to<base::trace_event::AllocationContext>, std::allocator<std::pair<base::trace_event::AllocationContext const, base::trace_event::AllocationMetrics> > > const&) out/gn-vptr/../../base/trace_event/heap_profiler_heap_dump_writer.cc:259:3 #2 0x1427be3 in base::trace_event::ExportHeapDump(std::unordered_map<base::trace_event::AllocationContext, base::trace_event::AllocationMetrics, base_hash::hash<base::trace_event::AllocationContext>, std::equal_to<base::trace_event::AllocationContext>, std::allocator<std::pair<base::trace_event::AllocationContext const, base::trace_event::AllocationMetrics> > > const&, base::trace_event::MemoryDumpSessionState const&) out/gn-vptr/../../base/trace_event/heap_profiler_heap_dump_writer.cc:319:27 #3 0x1436383 in base::trace_event::ProcessMemoryDump::DumpHeapUsage(std::unordered_map<base::trace_event::AllocationContext, base::trace_event::AllocationMetrics, base_hash::hash<base::trace_event::AllocationContext>, std::equal_to<base::trace_event::AllocationContext>, std::allocator<std::pair<base::trace_event::AllocationContext const, base::trace_event::AllocationMetrics> > > const&, base::trace_event::TraceEventMemoryOverhead&, char const*) out/gn-vptr/../../base/trace_event/process_memory_dump.cc:229:46 #4 0xd97cbc in base::trace_event::ProcessMemoryDumpTest_TakeAllDumpsFrom_Test::TestBody() out/gn-vptr/../../base/trace_event/process_memory_dump_unittest.cc:92:9 The first step would be to add support for ubsan_null into GN: https://codereview.chromium.org/2028383006/ Then I expect some cleanup to be required (hopefully, real bugs to be fixed) and then we can enable this check on UBSan Vptr buildbots. That will provide better diagnostics in more cases and we'll see fewer obscure segfaults. Thoughts?
,
Jun 2 2016
I've explored this a bit. There're multiple places to cleanup, but all of them look shady enough to be worth it. An issue from mesa: https://code.google.com/p/chromium/codesearch#chromium/src/third_party/mesa/src/src/mesa/swrast_setup/ss_context.c&sq=package:chromium&type=cs&l=93&rcl=1464880652 /** * Helper macros for setup_vertex_format() */ #define SWZ ((SWvertex *)0) #define SWOffset(MEMBER) (((char *)&(SWZ->MEMBER)) - ((char *)SWZ)) #define EMIT_ATTR( ATTR, STYLE, MEMBER ) \ do { \ map[e].attrib = (ATTR); \ map[e].format = (STYLE); \ map[e].offset = SWOffset(MEMBER); \ e++; \ } while (0) They intentionally access a null pointer. This looks a bigger task than I originally thought. While I still would like to introduce is_ubsan_null into GN configs, enabling it on bots might not happen before CFI launch.
,
Jun 2 2016
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e commit 2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e Author: krasin <krasin@google.com> Date: Thu Jun 02 23:10:28 2016 Add GN configs for -fsanitizer=null. This allows to sanitize null pointer accesses and could increase readability of the messages from UBSan Vptr bot (once enabled there). BUG= 616268 , 616870 Review-Url: https://codereview.chromium.org/2028383006 Cr-Commit-Position: refs/heads/master@{#397538} [modify] https://crrev.com/2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e/build/config/BUILD.gn [modify] https://crrev.com/2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e/build/config/sanitizers/BUILD.gn [modify] https://crrev.com/2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e/build/config/sanitizers/sanitizers.gni [modify] https://crrev.com/2ec1834c98f0fd1caf86983f31d0d1a122e0ad1e/build/toolchain/gcc_toolchain.gni
,
Jun 2 2016
My plan is to start fixing the failures on https://build.chromium.org/p/chromium.fyi/builders/UBSanVptr%20Linux using is_ubsan_null. Once I feel that there're no widespread issues (like the mesa one), I will enable is_ubsan_null on the buildbot (and will likely get some new failures). Then I will fix the failures, and then I will merge is_ubsan_null with is_ubsan_vptr (or some other ubsan config; we'll see)
,
Jun 6 2016
WontFix / NotFeasible due to V8 team saying so: https://crbug.com/617227 |
||
►
Sign in to add a comment |
||
Comment 1 by krasin@chromium.org
, Jun 2 2016