XPCMessageServerTest.RejectMessageSimpleRoutine flakily fails on mac asan clang tot bot |
|
Issue descriptionIt failed in 30 of the last 200 builds: https://build.chromium.org/p/chromium.fyi/builders/ClangToTMacASan%20tester?numbuilds=200 Recent example: https://build.chromium.org/p/chromium.fyi/builders/ClangToTMacASan%20tester/builds/2335/steps/sandbox_mac_unittests%20on%20Mac-10.9/logs/XPCMessageServerTest.RejectMessageSimpleRoutine XPCMessageServerTest.RejectMessageSimpleRoutine (run #1): [ RUN ] XPCMessageServerTest.RejectMessageSimpleRoutine ================================================================= ==51847==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000001be0 at pc 0x00010216397b bp 0x0001065e64e0 sp 0x0001065e64d8 READ of size 8 at 0x604000001be0 thread T1 2016-06-09 11:51:08.381 atos[51849:282f] Metadata.framework [Error]: couldn't get the client port #0 0x10216397a in sandbox::BlockDemuxer::DemuxMessage(sandbox::IPCMessage) (sandbox_mac_unittests+0x10002d97a) #1 0x102171326 in sandbox::XPCMessageServer::ReceiveMessage() (sandbox_mac_unittests+0x10003b326) #2 0x10261e8f3 in __wrap_dispatch_source_set_event_handler_block_invoke (libclang_rt.asan_osx_dynamic.dylib+0x4a8f3) #3 0x7fff936bf28c in _dispatch_client_callout (libdispatch.dylib+0x128c) #4 0x7fff936c1884 in _dispatch_source_invoke (libdispatch.dylib+0x3884) #5 0x7fff936c1616 in _dispatch_queue_drain (libdispatch.dylib+0x3616) #6 0x7fff936c29c0 in _dispatch_queue_invoke (libdispatch.dylib+0x49c0) #7 0x7fff936c0f86 in _dispatch_root_queue_drain (libdispatch.dylib+0x2f86) #8 0x7fff936c2176 in _dispatch_worker_thread2 (libdispatch.dylib+0x4176) #9 0x7fff8cddcef7 in _pthread_wqthread (libsystem_pthread.dylib+0x2ef7) #10 0x7fff8cddffb8 in start_wqthread (libsystem_pthread.dylib+0x5fb8) 0x604000001be0 is located 16 bytes inside of 40-byte region [0x604000001bd0,0x604000001bf8) freed by thread T0 here: #0 0x10261f069 in wrap_free (libclang_rt.asan_osx_dynamic.dylib+0x4b069) #1 0x10215f347 in sandbox::XPCMessageServerTest_RejectMessageSimpleRoutine_Test::TestBody() (sandbox_mac_unittests+0x100029347) #2 0x10227c31d in testing::Test::Run() (sandbox_mac_unittests+0x10014631d) #3 0x10227d52c in testing::TestInfo::Run() (sandbox_mac_unittests+0x10014752c) #4 0x10227e804 in testing::TestCase::Run() (sandbox_mac_unittests+0x100148804) #5 0x10229015e in testing::internal::UnitTestImpl::RunAllTests() (sandbox_mac_unittests+0x10015a15e) #6 0x10228f7c9 in testing::UnitTest::Run() (sandbox_mac_unittests+0x1001597c9) #7 0x1022d5c56 in base::TestSuite::Run() (sandbox_mac_unittests+0x10019fc56) #8 0x1022cd194 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1> const&) (sandbox_mac_unittests+0x100197194) #9 0x1022cce20 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1> const&) (sandbox_mac_unittests+0x100196e20) #10 0x10225a6fa in main (sandbox_mac_unittests+0x1001246fa) #11 0x102138163 in start (sandbox_mac_unittests+0x100002163) #12 0x5 (<unknown module>) previously allocated by thread T0 here: #0 0x10261eea0 in wrap_malloc (libclang_rt.asan_osx_dynamic.dylib+0x4aea0) #1 0x7fff8dbc1537 in _Block_copy_internal (libsystem_blocks.dylib+0x1537) #2 0x10215d594 in sandbox::BlockDemuxer::Initialize(void (sandbox::IPCMessage) block_pointer) (sandbox_mac_unittests+0x100027594) #3 0x10215ee38 in sandbox::XPCMessageServerTest_RejectMessageSimpleRoutine_Test::TestBody() (sandbox_mac_unittests+0x100028e38) #4 0x10227c31d in testing::Test::Run() (sandbox_mac_unittests+0x10014631d) #5 0x10227d52c in testing::TestInfo::Run() (sandbox_mac_unittests+0x10014752c) #6 0x10227e804 in testing::TestCase::Run() (sandbox_mac_unittests+0x100148804) #7 0x10229015e in testing::internal::UnitTestImpl::RunAllTests() (sandbox_mac_unittests+0x10015a15e) #8 0x10228f7c9 in testing::UnitTest::Run() (sandbox_mac_unittests+0x1001597c9) #9 0x1022d5c56 in base::TestSuite::Run() (sandbox_mac_unittests+0x10019fc56) #10 0x1022cd194 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1> const&) (sandbox_mac_unittests+0x100197194) #11 0x1022cce20 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1> const&) (sandbox_mac_unittests+0x100196e20) #12 0x10225a6fa in main (sandbox_mac_unittests+0x1001246fa) #13 0x102138163 in start (sandbox_mac_unittests+0x100002163) #14 0x5 (<unknown module>) Thread T1 created by T0 here: <empty stack> SUMMARY: AddressSanitizer: heap-use-after-free (sandbox_mac_unittests+0x10002d97a) in sandbox::BlockDemuxer::DemuxMessage(sandbox::IPCMessage) Shadow bytes around the buggy address: 0x1c0800000320: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0800000330: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0800000340: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0800000350: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c0800000360: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x1c0800000370: fa fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fa 0x1c0800000380: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 04 0x1c0800000390: fa fa 00 00 00 00 00 fa fa fa 00 00 00 00 00 04 0x1c08000003a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x1c08000003b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa 0x1c08000003c0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==51847==ABORTING Received signal 6 [0x00010218a929] [0x7fff969625aa] [0x000102636afd] [0x7fff93eefb1a] [0x00010263f2c6] [0x000102627246] [0x00010216397b] [0x000102171327] [0x00010261e8f4] [0x7fff936bf28d] [0x7fff936c1885] [0x7fff936c1617] [0x7fff936c29c1] [0x7fff936c0f87] [0x7fff936c2177] [0x7fff8cddcef8] [0x7fff8cddffb9] [end of stack trace] XPCMessageServerTest.Rejec
,
Oct 13 2016
Seen again: https://build.chromium.org/p/chromium.fyi/builders/ClangToTMacASan%20tester/builds/3187/steps/sandbox_mac_unittests%20on%20Mac-10.9/logs/XPCMessageServerTest.RejectMessageSimpleRoutine XPCMessageServerTest.RejectMessageSimpleRoutine (run #1): [ RUN ] XPCMessageServerTest.RejectMessageSimpleRoutine ================================================================= ==41003==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400000cca0 at pc 0x00010abb8b8b bp 0x00010f480320 sp 0x00010f480318 READ of size 8 at 0x60400000cca0 thread T1 #0 0x10abb8b8a in sandbox::BlockDemuxer::DemuxMessage(sandbox::IPCMessage) (in sandbox_mac_unittests) + 74 #1 0x10abc60e8 in sandbox::XPCMessageServer::ReceiveMessage() (in sandbox_mac_unittests) + 440 #2 0x10b1d9133 in __wrap_dispatch_source_set_event_handler_block_invoke (in libclang_rt.asan_osx_dynamic.dylib) + 275 #3 0x7fff998ab28c in _dispatch_client_callout (in libdispatch.dylib) + 7 #4 0x7fff998ad884 in _dispatch_source_invoke (in libdispatch.dylib) + 412 #5 0x7fff998ad616 in _dispatch_queue_drain (in libdispatch.dylib) + 358 #6 0x7fff998ae9c0 in _dispatch_queue_invoke (in libdispatch.dylib) + 109 #7 0x7fff998acf86 in _dispatch_root_queue_drain (in libdispatch.dylib) + 74 #8 0x7fff998ae176 in _dispatch_worker_thread2 (in libdispatch.dylib) + 39 #9 0x7fff91c62ef7 in _pthread_wqthread (in libsystem_pthread.dylib) + 313 #10 0x7fff91c65fb8 in start_wqthread (in libsystem_pthread.dylib) + 12 0x60400000cca0 is located 16 bytes inside of 40-byte region [0x60400000cc90,0x60400000ccb8) freed by thread T0 here: #0 0x10b1d98e9 in wrap_free (in libclang_rt.asan_osx_dynamic.dylib) + 201 #1 0x10abb46a0 in sandbox::XPCMessageServerTest_RejectMessageSimpleRoutine_Test::TestBody() (in sandbox_mac_unittests) + 1920 #2 0x10acdd30d in testing::Test::Run() (in sandbox_mac_unittests) + 765 #3 0x10acde9a2 in testing::TestInfo::Run() (in sandbox_mac_unittests) + 1074 #4 0x10acdfe76 in testing::TestCase::Run() (in sandbox_mac_unittests) + 1286 #5 0x10acf23d6 in testing::internal::UnitTestImpl::RunAllTests() (in sandbox_mac_unittests) + 2310 #6 0x10acf1a1c in testing::UnitTest::Run() (in sandbox_mac_unittests) + 412 #7 0x10ad144ba in base::TestSuite::Run() (in sandbox_mac_unittests) + 490 #8 0x10ad39a86 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback\u003Cint (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback\u003Cvoid (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) (in sandbox_mac_unittests) + 678 #9 0x10ad39743 in base::LaunchUnitTests(int, char**, base::Callback\u003Cint (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) (in sandbox_mac_unittests) + 403 #10 0x10acba672 in main (in sandbox_mac_unittests) + 338 #11 0x10ab8aff3 in start (in sandbox_mac_unittests) + 51 previously allocated by thread T0 here: #0 0x10b1d970f in wrap_malloc (in libclang_rt.asan_osx_dynamic.dylib) + 191 #1 0x7fff8c2fa537 in _Block_copy_internal (in libsystem_blocks.dylib) + 235 #2 0x10abb29b4 in sandbox::BlockDemuxer::Initialize(void (sandbox::IPCMessage) block_pointer) (in sandbox_mac_unittests) + 244 #3 0x10abb4198 in sandbox::XPCMessageServerTest_RejectMessageSimpleRoutine_Test::TestBody() (in sandbox_mac_unittests) + 632 #4 0x10acdd30d in testing::Test::Run() (in sandbox_mac_unittests) + 765 #5 0x10acde9a2 in testing::TestInfo::Run() (in sandbox_mac_unittests) + 1074 #6 0x10acdfe76 in testing::TestCase::Run() (in sandbox_mac_unittests) + 1286 #7 0x10acf23d6 in testing::internal::UnitTestImpl::RunAllTests() (in sandbox_mac_unittests) + 2310 #8 0x10acf1a1c in testing::UnitTest::Run() (in sandbox_mac_unittests) + 412 #9 0x10ad144ba in base::TestSuite::Run() (in sandbox_mac_unittests) + 490 #10 0x10ad39a86 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback\u003Cint (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback\u003Cvoid (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) (in sandbox_mac_unittests) + 678 #11 0x10ad39743 in base::LaunchUnitTests(int, char**, base::Callback\u003Cint (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) (in sandbox_mac_unittests) + 403 #12 0x10acba672 in main (in sandbox_mac_unittests) + 338 #13 0x10ab8aff3 in start (in sandbox_mac_unittests) + 51 How come we don't have line info? Are we building with -gline-tables-only on MacASan? The stacks show that TestBody is freeing the memory allocated by BlockDemuxer::Initialize and Block_copy. I think they only way that can happen is if we're running ~BlockDemuxer while returning from TestBody without blocking until the message source thread stops.
,
Oct 17 2017
|
|
►
Sign in to add a comment |
|
Comment 1 by rsesek@chromium.org
, Jun 14 2016Status: Assigned (was: Untriaged)