Issue 619631

Issue metadata

Status: Fixed
Owner:
Closed: Jun 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Android
Pri: 1
Type: Bug

ASAN build with WebMediaPlayerMSTest.HiddenPlayerTests is failing

Project Member Reported by mariakho...@chromium.org, Jun 13 2016

Issue description

Suspecting https://codereview.chromium.org/2053133003/ as the cause.

From https://uberchromegw.corp.google.com/i/internal.client.clank/builders/asan-clang-phone/builds/408/steps/content_unittests/logs/stdio:

C  246.186s Main  [UNKNOWN] WebMediaPlayerMSTest.HiddenPlayerTests:
C  246.186s Main  [ RUN      ] WebMediaPlayerMSTest.HiddenPlayerTests
C  246.186s Main  =================================================================
C  246.186s Main  ==19992==ERROR: AddressSanitizer: heap-use-after-free on address 0x8d04bf8c at pc 0x8902f127 bp 0xbeb7fb18 sp 0xbeb7fb14
C  246.186s Main  READ of size 4 at 0x8d04bf8c thread T0 (st:test_process)
C  246.186s Main      #0 0x8902f125  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x44b125)
C  246.186s Main      #1 0x8a743869  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1b5f869)
C  246.186s Main      #2 0x7a30cbcd  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0xa7bcd)
C  246.186s Main      #3 0x7a36956d  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x10456d)
C  246.186s Main      #4 0x7a369edb  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x104edb)
C  246.186s Main      #5 0x7a36a72f  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x10572f)
C  246.186s Main      #6 0x7a3726e5  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x10d6e5)
C  246.186s Main      #7 0x7a368d6d  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x103d6d)
C  246.186s Main      #8 0x7a3cfb73  (/data/app-lib/org.chromium.native_test-1/libbase.cr.so+0x16ab73)
C  246.186s Main      #9 0x8a74e523  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1b6a523)
C  246.186s Main      #10 0x8a74e7bf  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1b6a7bf)
C  246.186s Main      #11 0x8be3c699  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x3258699)
C  246.186s Main      #12 0x8be3d4ef  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x32594ef)
C  246.186s Main      #13 0x8be4a127  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x3266127)
C  246.187s Main      #14 0x8be49915  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x3265915)
C  246.187s Main      #15 0x8aade505  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1efa505)
C  246.187s Main      #16 0x8ab0d449  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1f29449)
C  246.187s Main      #17 0x8a7c6037  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x1be2037)
C  246.187s Main      #18 0x8bd171cf  (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x31331cf)
C  246.187s Main      #19 0x42c58bcf  (/system/lib/libdvm.so+0x1dbcf)
C  246.187s Main      #20 0x42c89125  (/system/lib/libdvm.so+0x4e125)
C  246.187s Main      #21 0x42c61fe3  (/system/lib/libdvm.so+0x26fe3)
C  246.187s Main      #22 0x42c68fa3  (/system/lib/libdvm.so+0x2dfa3)
C  246.187s Main      #23 0x42c6663b  (/system/lib/libdvm.so+0x2b63b)
C  246.187s Main      #24 0x42c9b863  (/system/lib/libdvm.so+0x60863)
C  246.187s Main      #25 0x42ca37c5  (/system/lib/libdvm.so+0x687c5)
C  246.187s Main      #26 0x42c61fe3  (/system/lib/libdvm.so+0x26fe3)
C  246.187s Main      #27 0x42c68fa3  (/system/lib/libdvm.so+0x2dfa3)
C  246.187s Main      #28 0x42c6663b  (/system/lib/libdvm.so+0x2b63b)
C  246.187s Main      #29 0x42c9b57f  (/system/lib/libdvm.so+0x6057f)
C  246.187s Main      #30 0x42c84d0d  (/system/lib/libdvm.so+0x49d0d)
C  246.187s Main      #31 0x406d02b3  (/system/lib/libandroid_runtime.so+0x4d2b3)
C  246.187s Main      #32 0x406d0fd9  (/system/lib/libandroid_runtime.so+0x4dfd9)
C  246.187s Main      #33 0x4003205d  (/system/bin/app_process32+0x105d)
C  246.187s Main      #34 0x405ba34b  (/system/lib/libc.so+0xe34b)
C  246.187s Main  
C  246.187s Main  0x8d04bf8c is located 12 bytes inside of 72-byte region [0x8d04bf80,0x8d04bfc8)
C  246.187s Main  freed by thread T0 (st:test_process) here:
C  246.187s Main      #0 0x400f522b  (/system/lib/libclang_rt.asan-arm-android.so+0xaa22b)
C  246.187s Main  
C  246.187s Main  previously allocated by thread T0 (st:test_process) here:
C  246.187s Main      #0 0x400f4c8b  (/system/lib/libclang_rt.asan-arm-android.so+0xa9c8b)
C  246.187s Main  
C  246.187s Main  SUMMARY: AddressSanitizer: heap-use-after-free (/data/app-lib/org.chromium.native_test-1/lib_content_unittests__library.cr.so+0x44b125) 
C  246.188s Main  ==19992==ABORTING


Cc: dalecur...@chromium.org mariakho...@chromium.org

mariakhomenko@: is there a way I can run this trybot?

I don't think there is a trybot for this. You could enable asan locally in your client.

https://sites.google.com/a/google.com/clank/engineering/sdk-build/addresssanitizer

I figured out the reason:

1. For WebMediaPlayerMSTest.HiddenPlayerTest, it does not actually run the frames.
2. But in player_->load(), we actually started the frame injection at [1].
3. In the destructor ~WebMediaPlayerMSTest, we finally run message_loop_.RunUntilIdle(), which actually calls InjectFrame() [2].
4. But at this time, player_ is already invalid.

A possible solution is to run those tasks (and add possible EXPECT_CALLs) before entering the destructor.

[1]https://cs.chromium.org/chromium/src/content/renderer/media/webmediaplayer_ms_unittest.cc?q=webmediaplayermstest&sq=package:chromium&l=169

[2]https://cs.chromium.org/chromium/src/content/renderer/media/webmediaplayer_ms_unittest.cc?q=webmediaplayermstest&sq=package:chromium&l=262
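
The teardown ordering described in the comment above, as an added C++ example (not code from the Chromium tree or from the commenters). `ToyLoop`, `ToyPlayer` and `RunFixture` are hypothetical stand-ins, and a `std::weak_ptr` replaces the raw `player_` pointer so the late access is counted instead of being a real heap-use-after-free.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <utility>

// Toy stand-in for a message loop: posted tasks run only when drained.
struct ToyLoop {
  std::queue<std::function<void()>> tasks;
  void Post(std::function<void()> t) { tasks.push(std::move(t)); }
  void RunUntilIdle() {
    while (!tasks.empty()) {
      auto t = std::move(tasks.front());
      tasks.pop();
      t();
    }
  }
};

struct ToyPlayer { int frames = 0; };

struct Result { int injected = 0; int stale = 0; };

// drain_first == false: order from the report (player destroyed, then loop drained).
// drain_first == true:  suggested fix (run pending tasks while the player is alive).
Result RunFixture(bool drain_first) {
  Result r;
  ToyLoop loop;
  auto player = std::make_shared<ToyPlayer>();
  std::weak_ptr<ToyPlayer> weak = player;
  // "load()" posts the frame injection; the test body never runs the loop.
  loop.Post([weak, &r] {
    if (auto p = weak.lock()) { ++p->frames; ++r.injected; }
    else { ++r.stale; }  // with a raw pointer, this is the read ASan flagged
  });
  if (drain_first) loop.RunUntilIdle();  // tasks complete against a live player
  player.reset();                        // player is destroyed
  loop.RunUntilIdle();                   // destructor-time drain
  return r;
}

int main() {
  Result bad = RunFixture(false), good = RunFixture(true);
  return (bad.stale == 1 && good.injected == 1 && good.stale == 0) ? 0 : 1;
}
```
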
Project Member

Comment 4 by bugdroid1@chromium.org, Jun 14 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bc252541d581eeca9086fe4fb2265b229c20bdb0

commit bc252541d581eeca9086fe4fb2265b229c20bdb0
Author: qiangchen <qiangchen@chromium.org>
Date: Tue Jun 14 20:14:05 2016

WebMediaPlayerMSTest Fix

In ASAN build, the HiddenPlayerTests would fail, because some
posted tasks get run after the player is destroyed.

We fix that issue in this CL.

BUG= 619631 

Review-Url: https://codereview.chromium.org/2066483006
Cr-Commit-Position: refs/heads/master@{#399771}

[modify] https://crrev.com/bc252541d581eeca9086fe4fb2265b229c20bdb0/content/renderer/media/webmediaplayer_ms_unittest.cc

Status: Fixed (was: Assigned)
Keep an eye on the ASAN build on Android.

I do not have an Android device to run the test on the Android platform.

My test strategy was to remove the "#if defined(OS_ANDROID)" in WebMediaPlayerMS to force the test to run, and I verified my fix worked.
Project Member

Comment 6 by bugdroid1@chromium.org, Jun 15 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/bc252541d581eeca9086fe4fb2265b229c20bdb0

commit bc252541d581eeca9086fe4fb2265b229c20bdb0
Author: qiangchen <qiangchen@chromium.org>
Date: Tue Jun 14 20:14:05 2016

WebMediaPlayerMSTest Fix

In ASAN build, the HiddenPlayerTests would fail, because some
posted tasks get run after the player is destroyed.

We fix that issue in this CL.

BUG= 619631 

Review-Url: https://codereview.chromium.org/2066483006
Cr-Commit-Position: refs/heads/master@{#399771}

[modify] https://crrev.com/bc252541d581eeca9086fe4fb2265b229c20bdb0/content/renderer/media/webmediaplayer_ms_unittest.cc