Dr. Memory reports UAF errors in WebRtcMediaRecorderTest.MediaRecorderStartWithTimeSlice/2
Issue description

See https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Content%20Browser%20%28DrMemory%20full%29%20%282%29/builds/3857/steps/memory%20test%3A%20content_browsertests/logs/stdio

19:58:59 drmemory_analyze.py [INFO] Report #2
### BEGIN MEMORY TOOL REPORT (error hash=#03B8A1DDC79D9B8D#)
UNADDRESSABLE ACCESS of freed memory: reading 0x035ba930-0x035ba934 4 byte(s)
# 0 cc.dll!cc::ScrollTree::MaxScrollOffset [cc\trees\property_tree.cc:1684]
# 1 cc.dll!cc::LayerImpl::MaxScrollOffset [cc\layers\layer_impl.cc:1106]
# 2 cc.dll!cc::LayerTreeImpl::TotalMaxScrollOffset [cc\trees\layer_tree_impl.cc:303]
# 3 cc.dll!cc::LayerTreeHostImpl::UpdateRootLayerStateForSynchronousInputHandler [cc\trees\layer_tree_host_impl.cc:3827]
# 4 cc.dll!cc::LayerTreeHostImpl::AnimateInternal [cc\trees\layer_tree_host_impl.cc:474]
# 5 cc.dll!cc::LayerTreeHostImpl::Animate [cc\trees\layer_tree_host_impl.cc:437]
# 6 cc.dll!cc::ProxyImpl::WillBeginImplFrame [cc\trees\proxy_impl.cc:497]
# 7 cc.dll!cc::Scheduler::BeginImplFrame [cc\scheduler\scheduler.cc:519]
# 8 cc.dll!cc::Scheduler::BeginImplFrameWithDeadline [cc\scheduler\scheduler.cc:476]
# 9 cc.dll!cc::Scheduler::OnBeginFrameDerivedImpl [cc\scheduler\scheduler.cc:321]
#10 cc.dll!cc::BeginFrameObserverBase::OnBeginFrame [cc\scheduler\begin_frame_source.cc:43]
#11 cc.dll!cc::SyntheticBeginFrameSource::OnTimerTick [cc\scheduler\begin_frame_source.cc:231]
#12 cc.dll!cc::DelayBasedTimeSource::OnTimerTick [cc\scheduler\delay_based_time_source.cc:78]
#13 cc.dll!base::internal::Invoker<>::Run [base\bind_internal.h:364]
#14 cc.dll!base::CancelableCallback<>::Forward [base\cancelable_callback.h:107]
#15 base.dll!base::debug::TaskAnnotator::RunTask [base\debug\task_annotator.cc:51]
#16 base.dll!base::MessageLoop::RunTask [base\message_loop\message_loop.cc:475]
#17 base.dll!base::MessageLoop::DeferOrRunPendingTask [base\message_loop\message_loop.cc:484]
#18 base.dll!base::MessageLoop::DoDelayedWork [base\message_loop\message_loop.cc:639]
#19 base.dll!base::MessagePumpDefault::Run [base\message_loop\message_pump_default.cc:37]
#20 base.dll!base::MessageLoop::RunHandler [base\message_loop\message_loop.cc:439]
#21 base.dll!base::MessageLoop::Run [base\message_loop\message_loop.cc:294]
#22 base.dll!base::Thread::Run [base\threading\thread.cc:204]
#23 base.dll!base::Thread::ThreadMain [base\threading\thread.cc:256]
#24 base.dll!base::`anonymous namespace'::ThreadFunc [base\threading\platform_thread_win.cc:84]
#25 KERNEL32.dll!BaseThreadInitThunk +0x11 (0x770f337a <KERNEL32.dll+0x1337a>)
Note: @0:02:23.684 in thread 2388
Note: next higher malloc: 0x035bad98-0x035badac
Note: prev lower malloc: 0x035ba828-0x035ba860
Note: 0x035ba930-0x035ba934 overlaps memory 0x035ba880-0x035ba9e8 that was freed here:
Note: # 0 replace_operator_delete_array [d:\drmemory_package\common\alloc_replace.c:2998]
Note: # 1 media.dll!mkvmuxer::Frame::~Frame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:181]
Note: # 2 media.dll!mkvmuxer::Segment::MakeNewCluster [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3574]
Note: # 3 media.dll!mkvmuxer::Segment::DoNewClusterProcessing [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3640]
Note: # 4 media.dll!mkvmuxer::Segment::AddGenericFrame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3257]
Note: # 5 media.dll!mkvmuxer::Segment::AddFrame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3173]
Note: instruction: movd 0x20(%edi) -> %xmm0
The report came from the `WebRtcMediaRecorderTest.MediaRecorderStartWithTimeSlice/2` test.
Suppression (error hash=#03B8A1DDC79D9B8D#):
For more info on using suppressions see http://dev.chromium.org/developers/how-tos/using-drmemory#TOC-Suppressing-error-reports-from-the-
{
UNADDRESSABLE ACCESS
name=<insert_a_suppression_name_here>
cc.dll!cc::ScrollTree::MaxScrollOffset
cc.dll!cc::LayerImpl::MaxScrollOffset
cc.dll!cc::LayerTreeImpl::TotalMaxScrollOffset
cc.dll!cc::LayerTreeHostImpl::UpdateRootLayerStateForSynchronousInputHandler
cc.dll!cc::LayerTreeHostImpl::AnimateInternal
cc.dll!cc::LayerTreeHostImpl::Animate
cc.dll!cc::ProxyImpl::WillBeginImplFrame
cc.dll!cc::Scheduler::BeginImplFrame
cc.dll!cc::Scheduler::BeginImplFrameWithDeadline
cc.dll!cc::Scheduler::OnBeginFrameDerivedImpl
cc.dll!cc::BeginFrameObserverBase::OnBeginFrame
cc.dll!cc::SyntheticBeginFrameSource::OnTimerTick
cc.dll!cc::DelayBasedTimeSource::OnTimerTick
cc.dll!base::internal::Invoker<>::Run
cc.dll!base::CancelableCallback<>::Forward
base.dll!base::debug::TaskAnnotator::RunTask
base.dll!base::MessageLoop::RunTask
base.dll!base::MessageLoop::DeferOrRunPendingTask
base.dll!base::MessageLoop::DoDelayedWork
base.dll!base::MessagePumpDefault::Run
base.dll!base::MessageLoop::RunHandler
base.dll!base::MessageLoop::Run
base.dll!base::Thread::Run
base.dll!base::Thread::ThreadMain
base.dll!base::`anonymous namespace'::ThreadFunc
KERNEL32.dll!BaseThreadInitThunk
}
### END MEMORY TOOL REPORT (error hash=#03B8A1DDC79D9B8D#)

19:58:59 drmemory_analyze.py [INFO] Report #3
### BEGIN MEMORY TOOL REPORT (error hash=#9D3F184C37AB8C7B#)
UNADDRESSABLE ACCESS of freed memory: reading 0x035ba928-0x035ba92c 4 byte(s)
# 0 cc.dll!cc::ScrollTree::scroll_clip_layer_bounds [cc\trees\property_tree.cc:1719]
# 1 cc.dll!cc::ScrollTree::MaxScrollOffset [cc\trees\property_tree.cc:1705]
# 2 cc.dll!cc::LayerImpl::MaxScrollOffset [cc\layers\layer_impl.cc:1106]
# 3 cc.dll!cc::LayerTreeImpl::TotalMaxScrollOffset [cc\trees\layer_tree_impl.cc:303]
# 4 cc.dll!cc::LayerTreeHostImpl::UpdateRootLayerStateForSynchronousInputHandler [cc\trees\layer_tree_host_impl.cc:3827]
# 5 cc.dll!cc::LayerTreeHostImpl::AnimateInternal [cc\trees\layer_tree_host_impl.cc:474]
# 6 cc.dll!cc::LayerTreeHostImpl::Animate [cc\trees\layer_tree_host_impl.cc:437]
# 7 cc.dll!cc::ProxyImpl::WillBeginImplFrame [cc\trees\proxy_impl.cc:497]
# 8 cc.dll!cc::Scheduler::BeginImplFrame [cc\scheduler\scheduler.cc:519]
# 9 cc.dll!cc::Scheduler::BeginImplFrameWithDeadline [cc\scheduler\scheduler.cc:476]
#10 cc.dll!cc::Scheduler::OnBeginFrameDerivedImpl [cc\scheduler\scheduler.cc:321]
#11 cc.dll!cc::BeginFrameObserverBase::OnBeginFrame [cc\scheduler\begin_frame_source.cc:43]
#12 cc.dll!cc::SyntheticBeginFrameSource::OnTimerTick [cc\scheduler\begin_frame_source.cc:231]
#13 cc.dll!cc::DelayBasedTimeSource::OnTimerTick [cc\scheduler\delay_based_time_source.cc:78]
#14 cc.dll!base::internal::Invoker<>::Run [base\bind_internal.h:364]
#15 cc.dll!base::CancelableCallback<>::Forward [base\cancelable_callback.h:107]
#16 base.dll!base::debug::TaskAnnotator::RunTask [base\debug\task_annotator.cc:51]
#17 base.dll!base::MessageLoop::RunTask [base\message_loop\message_loop.cc:475]
#18 base.dll!base::MessageLoop::DeferOrRunPendingTask [base\message_loop\message_loop.cc:484]
#19 base.dll!base::MessageLoop::DoDelayedWork [base\message_loop\message_loop.cc:639]
#20 base.dll!base::MessagePumpDefault::Run [base\message_loop\message_pump_default.cc:37]
#21 base.dll!base::MessageLoop::RunHandler [base\message_loop\message_loop.cc:439]
#22 base.dll!base::MessageLoop::Run [base\message_loop\message_loop.cc:294]
#23 base.dll!base::Thread::Run [base\threading\thread.cc:204]
#24 base.dll!base::Thread::ThreadMain [base\threading\thread.cc:256]
#25 base.dll!base::`anonymous namespace'::ThreadFunc [base\threading\platform_thread_win.cc:84]
#26 KERNEL32.dll!BaseThreadInitThunk +0x11 (0x770f337a <KERNEL32.dll+0x1337a>)
Note: @0:02:23.754 in thread 2388
Note: next higher malloc: 0x035bad98-0x035badac
Note: prev lower malloc: 0x035ba828-0x035ba860
Note: 0x035ba928-0x035ba92c overlaps memory 0x035ba880-0x035ba9e8 that was freed here:
Note: # 0 replace_operator_delete_array [d:\drmemory_package\common\alloc_replace.c:2998]
Note: # 1 media.dll!mkvmuxer::Frame::~Frame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:181]
Note: # 2 media.dll!mkvmuxer::Segment::MakeNewCluster [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3574]
Note: # 3 media.dll!mkvmuxer::Segment::DoNewClusterProcessing [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3640]
Note: # 4 media.dll!mkvmuxer::Segment::AddGenericFrame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3257]
Note: # 5 media.dll!mkvmuxer::Segment::AddFrame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3173]
Note: instruction: mov 0x18(%eax) -> %edx
The report came from the `WebRtcMediaRecorderTest.MediaRecorderStartWithTimeSlice/2` test.
Suppression (error hash=#9D3F184C37AB8C7B#):
For more info on using suppressions see http://dev.chromium.org/developers/how-tos/using-drmemory#TOC-Suppressing-error-reports-from-the-
{
UNADDRESSABLE ACCESS
name=<insert_a_suppression_name_here>
cc.dll!cc::ScrollTree::scroll_clip_layer_bounds
cc.dll!cc::ScrollTree::MaxScrollOffset
cc.dll!cc::LayerImpl::MaxScrollOffset
cc.dll!cc::LayerTreeImpl::TotalMaxScrollOffset
cc.dll!cc::LayerTreeHostImpl::UpdateRootLayerStateForSynchronousInputHandler
cc.dll!cc::LayerTreeHostImpl::AnimateInternal
cc.dll!cc::LayerTreeHostImpl::Animate
cc.dll!cc::ProxyImpl::WillBeginImplFrame
cc.dll!cc::Scheduler::BeginImplFrame
cc.dll!cc::Scheduler::BeginImplFrameWithDeadline
cc.dll!cc::Scheduler::OnBeginFrameDerivedImpl
cc.dll!cc::BeginFrameObserverBase::OnBeginFrame
cc.dll!cc::SyntheticBeginFrameSource::OnTimerTick
cc.dll!cc::DelayBasedTimeSource::OnTimerTick
cc.dll!base::internal::Invoker<>::Run
cc.dll!base::CancelableCallback<>::Forward
base.dll!base::debug::TaskAnnotator::RunTask
base.dll!base::MessageLoop::RunTask
base.dll!base::MessageLoop::DeferOrRunPendingTask
base.dll!base::MessageLoop::DoDelayedWork
base.dll!base::MessagePumpDefault::Run
base.dll!base::MessageLoop::RunHandler
base.dll!base::MessageLoop::Run
base.dll!base::Thread::Run
base.dll!base::Thread::ThreadMain
base.dll!base::`anonymous namespace'::ThreadFunc
KERNEL32.dll!BaseThreadInitThunk
}
### END MEMORY TOOL REPORT (error hash=#9D3F184C37AB8C7B#)
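Added example (editor's code, not part of the bug or of Chromium's drmemory_analyze.py): a small Python triage helper that parses a Dr. Memory UNADDRESSABLE ACCESS report of the shape quoted above, separates the access stack from the "freed here" stack, reports how far into the freed chunk the read landed, flags when the reading module differs from the module that last freed the chunk, and renders a suppression entry in the form the analyzer prints. Both reports in the description read from the same 0x168-byte chunk (0x035ba880-0x035ba9e8) that was last freed by mkvmuxer::Frame::~Frame in media.dll while the reader is cc::ScrollTree in cc.dll; since the tool attributes a chunk to its most recent free, that mismatch suggests the compositor's object was freed earlier and the slot was recycled before the stale read, which is consistent with the report being hard to reproduce locally. The embedded sample is the first quoted report with most frames elided; the cross-module heuristic and the list of allocator-shim prefixes are assumptions made here, not Dr. Memory's.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
# Constructed sample: the first report quoted in this bug, with most frames elided.
SAMPLE_REPORT = r"""### BEGIN MEMORY TOOL REPORT (error hash=#03B8A1DDC79D9B8D#)
UNADDRESSABLE ACCESS of freed memory: reading 0x035ba930-0x035ba934 4 byte(s)
# 0 cc.dll!cc::ScrollTree::MaxScrollOffset [cc\trees\property_tree.cc:1684]
# 1 cc.dll!cc::LayerImpl::MaxScrollOffset [cc\layers\layer_impl.cc:1106]
#24 base.dll!base::`anonymous namespace'::ThreadFunc [base\threading\platform_thread_win.cc:84]
#25 KERNEL32.dll!BaseThreadInitThunk +0x11 (0x770f337a <KERNEL32.dll+0x1337a>)
Note: 0x035ba930-0x035ba934 overlaps memory 0x035ba880-0x035ba9e8 that was freed here:
Note: # 0 replace_operator_delete_array [d:\drmemory_package\common\alloc_replace.c:2998]
Note: # 1 media.dll!mkvmuxer::Frame::~Frame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:181]
Note: # 2 media.dll!mkvmuxer::Segment::AddFrame [third_party\libwebm\source\mkvmuxer\mkvmuxer.cc:3173]
Note: instruction: movd 0x20(%edi) -> %xmm0
### END MEMORY TOOL REPORT (error hash=#03B8A1DDC79D9B8D#)
"""

HEADER_RE = re.compile(r"^(UNADDRESSABLE ACCESS)\b.*?:\s+(reading|writing)\s+0x([0-9a-f]+)-0x([0-9a-f]+)\s+\d+ byte")
# "# 0 mod!sym [file:line]" or "#25 mod!sym +0x11 (...)", optionally behind "Note: ".
FRAME_RE = re.compile(r"^(?:Note: )?#\s*\d+\s+(.+?)(?:\s+\[([^\]]+)\]|\s+\+0x\S+.*)?$")
FREED_RE = re.compile(r"^Note: 0x[0-9a-f]+-0x[0-9a-f]+ overlaps memory 0x([0-9a-f]+)-0x([0-9a-f]+) that was freed here:")
# Dr. Memory's allocator shims, skipped when asking "who freed this?" (editor's assumption).
ALLOCATOR_PREFIXES = ("replace_operator_", "replace_free", "replace_realloc")

@dataclass
class Frame:
    module: str    # "cc.dll"; empty when the frame has no module!symbol prefix
    symbol: str    # "cc::ScrollTree::MaxScrollOffset"
    location: str  # "cc\trees\property_tree.cc:1684"; empty when only an offset was given

@dataclass
class Report:
    kind: str
    access: str  # "reading" or "writing"
    lo: int
    hi: int
    access_stack: list[Frame] = field(default_factory=list)
    freed_lo: int | None = None
    freed_hi: int | None = None
    free_stack: list[Frame] = field(default_factory=list)

def parse_report(text: str) -> Report:
    """Split one report into its header, access stack and 'freed here' stack."""
    report: Report | None = None
    in_free_stack = False
    for line in (raw.strip() for raw in text.splitlines()):
        if report is None:
            hd = HEADER_RE.match(line)
            if hd:
                report = Report(hd.group(1), hd.group(2), int(hd.group(3), 16), int(hd.group(4), 16))
            continue
        fm = FREED_RE.match(line)
        if fm:  # frames after this note describe the free, not the access
            report.freed_lo, report.freed_hi = int(fm.group(1), 16), int(fm.group(2), 16)
            in_free_stack = True
        elif line.startswith(("Note: instruction:", "### END")):
            in_free_stack = False
        else:
            m = FRAME_RE.match(line)
            if m:
                module, bang, symbol = m.group(1).partition("!")
                if not bang:  # e.g. replace_operator_delete_array carries no module prefix
                    module, symbol = "", module
                stack = report.free_stack if in_free_stack else report.access_stack
                stack.append(Frame(module, symbol, m.group(2) or ""))
    if report is None:
        raise ValueError("no UNADDRESSABLE ACCESS header found")
    return report

def offset_into_freed_block(report: Report) -> int:
    """Distance from the start of the freed chunk to the bad access (a field-offset hint)."""
    if report.freed_lo is None:
        raise ValueError("report carries no 'freed here' note")
    return report.lo - report.freed_lo

def freeing_component(report: Report) -> str:
    """Module of the first free-stack frame that is not an allocator shim."""
    for f in report.free_stack:
        if not f.symbol.startswith(ALLOCATOR_PREFIXES):
            return f.module
    return ""

def is_cross_component(report: Report) -> bool:
    """Editor's heuristic: the tool blames the chunk's most recent free, so a module
    mismatch suggests the slot was recycled by unrelated code before the stale read."""
    return bool(report.access_stack) and report.access_stack[0].module != freeing_component(report)

def suppression(report: Report, name: str) -> str:
    """Render the access stack in the suppression form the analyzer prints above."""
    frames = [f"{f.module}!{f.symbol}" if f.module else f.symbol for f in report.access_stack]
    return "\n".join(["{", report.kind, f"name={name}", *frames, "}"])

if __name__ == "__main__":
    r = parse_report(SAMPLE_REPORT)
    print(f"{r.access} +0x{offset_into_freed_block(r):x} into a chunk last freed by "
          f"{freeing_component(r)}; cross-component: {is_cross_component(r)}")
    print(suppression(r, "bug_618265"))
```

Run directly, it prints the summary and suppression for the embedded sample; to triage a whole stdio log, split it on the BEGIN/END markers and feed one report at a time to parse_report. The suppression deliberately drops file:line and the +0x offset, since those are not part of the frame pattern the analyzer emits.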
Jun 8 2016
Looking at it. But it's weird that the bot went green again before the suppression CL.
Jun 9 2016
Hi glider@, it seems I cannot reproduce the unaddressable access without the suppression on my local Windows machine. Could it be a problem that the bot ran out of memory and the address for ScrollTree data got wiped out? Can you undo the suppression and see if it's breaking again?
Jun 9 2016
I've checked all builds after https://build.chromium.org/p/chromium.memory.fyi/builders/Windows%20Content%20Browser%20%28DrMemory%20full%29%20%282%29/builds/3857/steps/memory%20test%3A%20content_browsertests/logs/stdio, and the new suppression indeed never fired. I'll try to remove the suppression now.
Jun 9 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ffcc052fa43942e31cc0b7c9c3beda112dfe2e06

commit ffcc052fa43942e31cc0b7c9c3beda112dfe2e06
Author: glider <glider@chromium.org>
Date: Thu Jun 09 14:51:03 2016

Try to remove Dr.Memory suppression for issue 618265.

BUG=618265
NOTRY=true
TBR=sunxd@chromium.org

Review-Url: https://codereview.chromium.org/2052633003
Cr-Commit-Position: refs/heads/master@{#398878}

[modify] https://crrev.com/ffcc052fa43942e31cc0b7c9c3beda112dfe2e06/tools/valgrind/drmemory/suppressions_full.txt
Jun 15 2016
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/ffcc052fa43942e31cc0b7c9c3beda112dfe2e06

commit ffcc052fa43942e31cc0b7c9c3beda112dfe2e06
Author: glider <glider@chromium.org>
Date: Thu Jun 09 14:51:03 2016

Try to remove Dr.Memory suppression for issue 618265.

BUG=618265
NOTRY=true
TBR=sunxd@chromium.org

Review-Url: https://codereview.chromium.org/2052633003
Cr-Commit-Position: refs/heads/master@{#398878}

[modify] https://crrev.com/ffcc052fa43942e31cc0b7c9c3beda112dfe2e06/tools/valgrind/drmemory/suppressions_full.txt
Jun 20 2016
I think the bug did not reproduce again and can be closed.