See https://build.chromium.org/p/chromium.memory/builders/Linux%20ASan%20LSan%20Tests%20%281%29/builds/26857/steps/content_browsertests%20on%20Ubuntu-12.04/logs/stdio:
[ RUN ] DevToolsProtocolTest.ReloadBlankPage
[8247:8247:0608/025607:4106840956:ERROR:browser_main_loop.cc(225)] Running without the SUID sandbox! See https://chromium.googlesource.com/chromium/src/+/master/docs/linux_suid_sandbox_development.md for more information on developing with the sandbox on.
[8247:8247:0608/025607:4106991515:WARNING:audio_manager.cc(297)] Multiple instances of AudioManager detected
[8247:8247:0608/025607:4106991609:WARNING:audio_manager.cc(271)] Multiple instances of AudioManager detected
Xlib: extension "RANDR" missing on display ":9".
[8301:8301:0608/025607:4107136781:ERROR:broker_posix.cc(41)] Invalid node channel message
=================================================================
==8301==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61d00000e670 at pc 0x0000027cafad bp 0x7f6dcc86e250 sp 0x7f6dcc86e248
READ of size 8 at 0x61d00000e670 thread T1 (Chrome_ChildIOT)
#0 0x27cafac in epoll_add base/third_party/libevent/epoll.c:283:12
#1 0x27c4e66 in event_add base/third_party/libevent/event.c:725:9
#2 0xd3ccf76 in base::MessagePumpLibevent::WatchFileDescriptor(int, bool, int, base::MessagePumpLibevent::FileDescriptorWatcher*, base::MessagePumpLibevent::Watcher*) base/message_loop/message_pump_libevent.cc:184:7
#3 0x13f775c in mojo::edk::(anonymous namespace)::ChannelPosix::StartOnIOThread() mojo/edk/system/channel_posix.cc:210:40
#4 0x13f3fb9 in mojo::edk::(anonymous namespace)::ChannelPosix::Start() mojo/edk/system/channel_posix.cc:106:7
#5 0x1420e16 in mojo::edk::NodeChannel::Start() mojo/edk/system/node_channel.cc:184:15
#6 0x142b910 in mojo::edk::NodeController::ConnectToParentOnIOThread(mojo::edk::ScopedPlatformHandle) mojo/edk/system/node_controller.cc:360:30
#7 0x1436763 in Run<mojo::edk::NodeController *, mojo::edk::ScopedPlatformHandle> base/bind_internal.h:187:12
#8 0x1436763 in MakeItSo<base::internal::RunnableAdapter<void (mojo::edk::NodeController::*)(mojo::edk::ScopedPlatformHandle)> &, mojo::edk::NodeController *, mojo::edk::ScopedPlatformHandle> base/bind_internal.h:312
#9 0x1436763 in base::internal::Invoker<base::IndexSequence<0ul, 1ul>, base::internal::BindState<base::internal::RunnableAdapter<void (mojo::edk::NodeController::*)(mojo::edk::ScopedPlatformHandle)>, void (mojo::edk::NodeController*, mojo::edk::ScopedPlatformHandle), base::internal::UnretainedWrapper<mojo::edk::NodeController>, base::internal::PassedWrapper<mojo::edk::ScopedPlatformHandle> >, false, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:364
#10 0xd37c404 in Run base/callback.h:397:12
#11 0xd37c404 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask const&) base/debug/task_annotator.cc:51
#12 0xd3c328c in base::MessageLoop::RunTask(base::PendingTask const&) base/message_loop/message_loop.cc:475:19
#13 0xd3c3b95 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask const&) base/message_loop/message_loop.cc:484:5
#14 0xd3c4afc in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:601:13
#15 0xd3cdcd0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:217:31
#16 0xd418f28 in base::RunLoop::Run() base/run_loop.cc:35:10
#17 0xd3c1d5e in base::MessageLoop::Run() base/message_loop/message_loop.cc:294:12
#18 0xd473cc0 in base::Thread::ThreadMain() base/threading/thread.cc:256:3
#19 0xd467e94 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:70:13
#20 0x7f6dd5a2ce99 in start_thread /build/eglibc-oqps9y/eglibc-2.15/nptl/pthread_create.c:308
0x61d00000e670 is located 16 bytes to the left of 2048-byte region [0x61d00000e680,0x61d00000ee80)
allocated by thread T1 (Chrome_ChildIOT) here:
#0 0x55c78e in __interceptor_realloc (/tmp/runL7CF4N/out/Release/content_browsertests+0x55c78e)
#1 0x27cabf7 in epoll_recalc base/third_party/libevent/epoll.c:167:9
#2 0x27cabf7 in epoll_add base/third_party/libevent/epoll.c:277
#3 0x27c4e66 in event_add base/third_party/libevent/event.c:725:9
#4 0xd3ccc03 in base::MessagePumpLibevent::Init() base/message_loop/message_pump_libevent.cc:313:7
#5 0xd3c166e in base::MessageLoop::CreateMessagePumpForType(base::MessageLoop::Type) base/message_loop/message_loop.cc:245:45
#6 0xd3c064f in base::MessageLoop::BindToCurrentThread() base/message_loop/message_loop.cc:408:13
#7 0xd473b56 in base::Thread::ThreadMain() base/threading/thread.cc:233:18
#8 0xd467e94 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:70:13
#9 0x7f6dd5a2ce99 in start_thread /build/eglibc-oqps9y/eglibc-2.15/nptl/pthread_create.c:308
Thread T1 (Chrome_ChildIOT) created by T0 (content_browser) here:
#0 0x544e56 in __interceptor_pthread_create (/tmp/runL7CF4N/out/Release/content_browsertests+0x544e56)
#1 0xd46782a in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) base/threading/platform_thread_posix.cc:109:13
#2 0xd4733b9 in base::Thread::StartWithOptions(base::Thread::Options const&) base/threading/thread.cc:118:10
#3 0xbf4db4d in content::ChildProcess::ChildProcess(base::ThreadPriority) content/child/child_process.cc:57:3
#4 0xc2ea2ec in RenderProcess content/renderer/render_process.h:22:3
#5 0xc2ea2ec in content::RenderProcessImpl::RenderProcessImpl() content/renderer/render_process_impl.cc:56
#6 0xc38918b in content::RendererMain(content::MainFunctionParams const&) content/renderer/renderer_main.cc:186:23
#7 0xc751805 in content::RunZygote(content::MainFunctionParams const&, content::ContentMainDelegate*) content/app/content_main_runner.cc:345:14
#8 0xc75463d in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:787:12
#9 0xc750a8a in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
#10 0x10a5564 in content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:523:12
#11 0xef4ad8 in main content/test/content_test_launcher.cc:131:10
#12 0x7f6dd52397ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226
SUMMARY: AddressSanitizer: heap-buffer-overflow base/third_party/libevent/epoll.c:283:12 in epoll_add
Shadow bytes around the buggy address:
==8301==ABORTING
-----------------------------------------------------
Suppressions used:
count bytes template
9 736 libfontconfig
-----------------------------------------------------
[ OK ] DevToolsProtocolTest.ReloadBlankPage (1034 ms)
This is also reproducible on ClusterFuzz, see https://cluster-fuzz.appspot.com/testcase?key=4505202551422976
Comment 1 by roc...@chromium.org, Jun 17 2016
Status: Duplicate (was: Assigned)