ubsan: invalid cast during SocketsTcpApiTest.SocketTcpExtensionTLS
Issue description

Version: tip
OS: Linux x86-64

UBSanVptr bot shows a recent regression in extensions_browsertests:
https://build.chromium.org/p/chromium.fyi/builders/UBSanVptr%20Linux/builds/401/steps/extensions_browsertests/logs/stdio

SocketsTcpApiTest.SocketTcpExtensionTLS
...
../../extensions/browser/api/sockets_tcp/tcp_socket_event_dispatcher.cc:171:15: runtime error: member call on address 0x1b0d744061c0 which does not point to an object of type 'extensions::ResumableTCPSocket'
0x1b0d744061c0: note: object is of type 'extensions::TCPSocket'
00 00 00 00 b8 a4 ef 09 00 00 00 00 d8 a7 28 74 0d 1b 00 00 98 31 4c 74 0d 1b 00 00 00 6f 63 6b
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'extensions::TCPSocket'

Trying to reproduce.
Jun 3 2016
Comment 1 by krasin@chromium.org, Jun 3 2016
Reproduced locally:
gn gen //out/gn-vptr '--args=is_ubsan_vptr=true is_ubsan_no_recover=true is_debug=false is_component_build=false symbol_level=1 dcheck_always_on=true' --check
ninja -C out/gn-vptr extensions_browsertests
./out/gn-vptr/extensions_browsertests --gtest_filter=SocketsTcpApiTest.SocketTcpExtensionTLS
...
../../extensions/browser/api/sockets_tcp/tcp_socket_event_dispatcher.cc:171:15: runtime error: member call on address 0x26ffea96c540 which does not point to an object of type 'extensions::ResumableTCPSocket'
0x26ffea96c540: note: object is of type 'extensions::TCPSocket'
00 00 00 00 48 d5 80 0b 00 00 00 00 58 e0 87 ea ff 26 00 00 c8 dd 9a ea ff 26 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'extensions::TCPSocket'
#0 0x875348d in extensions::api::TCPSocketEventDispatcher::ReadCallback(extensions::api::TCPSocketEventDispatcher::ReadParams const&, int, scoped_refptr<net::IOBuffer>) out/gn-vptr/../../extensions/browser/api/sockets_tcp/tcp_socket_event_dispatcher.cc:171:15
#1 0x8753c15 in Run<const extensions::api::TCPSocketEventDispatcher::ReadParams &, int, scoped_refptr<net::IOBuffer> > out/gn-vptr/../../base/bind_internal.h:160:12
#2 0x8753c15 in MakeItSo<base::internal::RunnableAdapter<void (*)(const extensions::api::TCPSocketEventDispatcher::ReadParams &, int, scoped_refptr<net::IOBuffer>)> &, const extensions::api::TCPSocketEventDispatcher::ReadParams &, int, scoped_refptr<net::IOBuffer> > out/gn-vptr/../../base/bind_internal.h:312
#3 0x8753c15 in base::internal::Invoker<base::IndexSequence<0ul>, base::internal::BindState<base::internal::RunnableAdapter<void (*)(extensions::api::TCPSocketEventDispatcher::ReadParams const&, int, scoped_refptr<net::IOBuffer>)>, void (extensions::api::TCPSocketEventDispatcher::ReadParams const&, int, scoped_refptr<net::IOBuffer>), extensions::api::TCPSocketEventDispatcher::ReadParams const&>, false, void (int, scoped_refptr<net::IOBuffer>)>::Run(base::internal::BindStateBase*, int&&, scoped_refptr<net::IOBuffer>&&) out/gn-vptr/../../base/bind_internal.h:364
#4 0x87322b6 in Run out/gn-vptr/../../base/callback.h:397:12
#5 0x87322b6 in extensions::TCPSocket::Disconnect() out/gn-vptr/../../extensions/browser/api/socket/tcp_socket.cc:122
#6 0x87312f2 in extensions::TCPSocket::~TCPSocket() out/gn-vptr/../../extensions/browser/api/socket/tcp_socket.cc:81:27
#7 0x87355e3 in ~ResumableTCPSocket out/gn-vptr/../../extensions/browser/api/socket/tcp_socket.h:110:7
#8 0x87355e3 in extensions::ResumableTCPSocket::~ResumableTCPSocket() out/gn-vptr/../../extensions/browser/api/socket/tcp_socket.h:110
#9 0x8736528 in depart out/gn-vptr/../../base/memory/linked_ptr.h:144:25
#10 0x8736528 in ~linked_ptr out/gn-vptr/../../base/memory/linked_ptr.h:82
#11 0x8736528 in ~pair out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_pair.h:87
#12 0x8736528 in ~_Rb_tree_node out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:130
#13 0x8736528 in destroy out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/ext/new_allocator.h:118
#14 0x8736528 in _M_destroy_node out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:419
#15 0x8736528 in std::_Rb_tree<int, std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> >, std::_Select1st<std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> > >, std::less<int>, std::allocator<std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> > > >::_M_erase(std::_Rb_tree_node<std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> > >*) out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:1076
#16 0x8737e04 in clear out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:809:9
#17 0x8737e04 in _M_erase_aux out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:1501
#18 0x8737e04 in erase out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:791
#19 0x8737e04 in std::_Rb_tree<int, std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> >, std::_Select1st<std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> > >, std::less<int>, std::allocator<std::pair<int const, linked_ptr<extensions::ResumableTCPSocket> > > >::erase(int const&) out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_tree.h:1515
#20 0x87506df in erase out/gn-vptr/../../build/linux/debian_wheezy_amd64-sysroot/usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_map.h:649:21
#21 0x87506df in extensions::ApiResourceManager<extensions::ResumableTCPSocket, extensions::NamedThreadTraits<extensions::ResumableTCPSocket> >::ApiResourceData::Remove(std::string const&, int) out/gn-vptr/../../extensions/browser/api/api_resource_manager.h:215
#22 0x874e870 in extensions::api::SocketsTcpSecureFunction::TlsConnectDone(std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >, int) out/gn-vptr/../../extensions/browser/api/sockets_tcp/sockets_tcp_api.cc:539:5
#23 0x875163b in void base::internal::RunnableAdapter<void (extensions::api::SocketsTcpSecureFunction::*)(std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >, int)>::Run<scoped_refptr<extensions::api::SocketsTcpSecureFunction> const&, std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >, int>(scoped_refptr<extensions::api::SocketsTcpSecureFunction> const&, std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >&&, int&&) out/gn-vptr/../../base/bind_internal.h:187:12
#24 0x873deb4 in Run out/gn-vptr/../../base/callback.h:397:12
#25 0x873deb4 in (anonymous namespace)::TlsConnectDone(std::unique_ptr<net::SSLClientSocket, std::default_delete<net::SSLClientSocket> >, std::string const&, base::Callback<void (std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >, int), (base::internal::CopyMode)1> const&, int) out/gn-vptr/../../extensions/browser/api/socket/tls_socket.cc:50
#26 0x873cc51 in extensions::TLSSocket::UpgradeSocketToTLS(extensions::Socket*, scoped_refptr<net::SSLConfigService>, net::CertVerifier*, net::TransportSecurityState*, std::string const&, extensions::api::socket::SecureOptions*, base::Callback<void (std::unique_ptr<extensions::TLSSocket, std::default_delete<extensions::TLSSocket> >, int), (base::internal::CopyMode)1> const&) out/gn-vptr/../../extensions/browser/api/socket/tls_socket.cc:201:5
#27 0x874db75 in extensions::api::SocketsTcpSecureFunction::AsyncWorkStart() out/gn-vptr/../../extensions/browser/api/sockets_tcp/sockets_tcp_api.cc:519:3
#28 0x85f2b7d in extensions::AsyncApiFunction::WorkOnWorkThread() out/gn-vptr/../../extensions/browser/api/async_api_function.cc:60:3
#29 0x8b42f2d in Run out/gn-vptr/../../base/callback.h:397:12
#30 0x8b42f2d in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) out/gn-vptr/../../base/debug/task_annotator.cc:51
#31 0x8b6df97 in base::MessageLoop::RunTask(base::PendingTask const&) out/gn-vptr/../../base/message_loop/message_loop.cc:475:19
#32 0x8b6e7e8 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) out/gn-vptr/../../base/message_loop/message_loop.cc:484:5
#33 0x8b6f213 in base::MessageLoop::DoWork() out/gn-vptr/../../base/message_loop/message_loop.cc:601:13
#34 0x8b771f5 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) out/gn-vptr/../../base/message_loop/message_pump_libevent.cc:217:31
#35 0x8b6d510 in base::MessageLoop::RunHandler() out/gn-vptr/../../base/message_loop/message_loop.cc:439:10
#36 0x8bb5c88 in base::RunLoop::Run() out/gn-vptr/../../base/run_loop.cc:35:10
#37 0x8b6beb8 in base::MessageLoop::Run() out/gn-vptr/../../base/message_loop/message_loop.cc:294:12
#38 0x274ea08 in content::BrowserThreadImpl::IOThreadRun(base::MessageLoop*) out/gn-vptr/../../content/browser/browser_thread_impl.cc:215:11
#39 0x274ef76 in content::BrowserThreadImpl::Run(base::MessageLoop*) out/gn-vptr/../../content/browser/browser_thread_impl.cc:251:14
#40 0x8be532e in base::Thread::ThreadMain() out/gn-vptr/../../base/threading/thread.cc:256:3
#41 0x8bdad66 in base::(anonymous namespace)::ThreadFunc(void*) out/gn-vptr/../../base/threading/platform_thread_posix.cc:70:13
#42 0x7fdb43e91183 in start_thread /build/eglibc-oGUzwX/eglibc-2.19/nptl/pthread_create.c:312
#43 0x7fdb4346b37c in clone /build/eglibc-oGUzwX/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111
[1/1] SocketsTcpApiTest.SocketTcpExtensionTLS (2096 ms)
1 test failed:
SocketsTcpApiTest.SocketTcpExtensionTLS (../../extensions/browser/api/sockets_tcp/sockets_tcp_apitest.cc:103)
Jun 3 2016
What happens here is that the call to TCPSocket::Disconnect happens during ~TCPSocket, after ~ResumableTCPSocket has already completed. And then a callback calls a member method of ResumableTCPSocket, which is already illegal to do. The proposed fix is to also call Disconnect from ~ResumableTCPSocket, so that the callback is fired (and cleared) while ResumableTCPSocket is still alive: https://codereview.chromium.org/2034233002/
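Added example (not Chromium's code, and not part of this bug report): a stripped-down base/derived pair that models the destruction order described in the comment above. It stands in for extensions::TCPSocket and extensions::ResumableTCPSocket, swaps base::Callback for std::function, and records the order of events in an external log so the test can show the buggy ordering without the callback ever touching the already-destroyed derived object. Class and function names are stand-ins chosen for this example.

```cpp
// Added example, not Chromium code. Models the ordering bug: a base-class
// destructor fires a callback after the derived part of the object is gone.
#include <functional>
#include <iostream>
#include <string>
#include <utility>
#include <vector>

using EventLog = std::vector<std::string>;

// Stand-in for extensions::TCPSocket: owns a read callback and, like the real
// class, fires it from Disconnect(), which its destructor calls.
class TCPSocket {
 public:
  virtual ~TCPSocket() { Disconnect(); }

  void SetReadCallback(std::function<void()> cb) { read_callback_ = std::move(cb); }

  // Fires a pending read callback (reporting the disconnect) and clears it,
  // so a second Disconnect() is a no-op.
  void Disconnect() {
    if (read_callback_) {
      std::function<void()> cb = std::move(read_callback_);
      read_callback_ = nullptr;
      cb();
    }
  }

 private:
  std::function<void()> read_callback_;
};

// Buggy pattern: the derived destructor leaves the callback alone, so it fires
// from ~TCPSocket after the derived part has finished destroying.
class BuggyResumableTCPSocket : public TCPSocket {
 public:
  explicit BuggyResumableTCPSocket(EventLog* log) : log_(log) {}
  ~BuggyResumableTCPSocket() override { log_->push_back("~Resumable done"); }

 private:
  EventLog* log_;
};

// Fixed pattern (what the commit on this bug does): the derived destructor
// calls Disconnect() itself, so the callback runs and is cleared while the
// derived members are still alive; the later call from ~TCPSocket does nothing.
class FixedResumableTCPSocket : public TCPSocket {
 public:
  explicit FixedResumableTCPSocket(EventLog* log) : log_(log) {}
  ~FixedResumableTCPSocket() override {
    Disconnect();
    log_->push_back("~Resumable done");
  }

 private:
  EventLog* log_;
};

// Installs a callback that only records when it ran (it deliberately does not
// dereference the socket, so the buggy ordering is observable without UB),
// destroys the socket, and returns the recorded event order.
template <typename SocketT>
EventLog DestroyAndRecord() {
  EventLog log;
  {
    SocketT socket(&log);
    socket.SetReadCallback([&log] { log.push_back("callback fired"); });
  }
  return log;
}

// True when the callback ran before the derived destructor finished, i.e. when
// it could still have used derived-class members safely.
bool CallbackFiredWhileDerivedAlive(const EventLog& log) {
  for (const std::string& e : log) {
    if (e == "callback fired") return true;
    if (e == "~Resumable done") return false;
  }
  return false;
}

int main() {
  for (const std::string& e : DestroyAndRecord<BuggyResumableTCPSocket>())
    std::cout << "buggy: " << e << "\n";
  for (const std::string& e : DestroyAndRecord<FixedResumableTCPSocket>())
    std::cout << "fixed: " << e << "\n";
  return 0;
}
```

In the buggy variant the log reads "~Resumable done" then "callback fired"; in the real code that second event is where TCPSocketEventDispatcher::ReadCallback touched a ResumableTCPSocket whose dynamic type had already reverted to TCPSocket, which is exactly the type mismatch UBSan's vptr check reported. The fixed variant logs "callback fired" first, and the base destructor's own Disconnect() finds the callback already cleared.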
Jun 3 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/feeee3ad3750286671cf2ca5e90400fa745a13d6

commit feeee3ad3750286671cf2ca5e90400fa745a13d6
Author: krasin <krasin@google.com>
Date: Fri Jun 03 22:48:09 2016

Fix ResumableTCPSocket destruction.

ResumableTCPSocket sets a read_callback_ that points to TCPSocketEventDispatcher::ReadCallback. This callback gets called from ~TCPSocket, when ~ResumableTCPSocket already completed, and it calls ResumableTCPSocket methods (which are already illegal to call). The fix just calls Disconnect from ~ResumableTCPSocket which clears the callback and all the state that relies on ResumableTCPSocket members.

This fixes a bug found with UBSan Vptr.

BUG=617199
Review-Url: https://codereview.chromium.org/2034233002
Cr-Commit-Position: refs/heads/master@{#397829}

[modify] https://crrev.com/feeee3ad3750286671cf2ca5e90400fa745a13d6/extensions/browser/api/socket/tcp_socket.cc
[modify] https://crrev.com/feeee3ad3750286671cf2ca5e90400fa745a13d6/extensions/browser/api/socket/tcp_socket.h
Jun 3 2016
Jun 6 2016