
Issue 634960 link

Starred by 2 users

Issue metadata

Status: Verified
Owner:
Closed: Aug 2016
Cc:
EstimatedDays: ----
NextAction: ----
OS: Windows
Pri: 3
Type: Bug




WinASan reports OOB read in WidgetTest.WindowMouseModalityTest, looks like clang bug

Project Member Reported by r...@chromium.org, Aug 5 2016

Issue description

[ RUN      ] WidgetTest.WindowMouseModalityTest
=================================================================
==1776==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x07e0ce30 at pc 0x025e039e bp 0xdeadbeef sp 0x0021de20
READ of size 4 at 0x07e0ce30 thread T0
...
    #0 0x25e039d in views::ImageView::GetHorizontalAlignment C:\c\CrWinAsan\src\ui\views\controls\image_view.cc:176
    #1 0x24cd4bc in views::DialogDelegate::GetDialogWidgetInitParams C:\c\CrWinAsan\src\ui\views\window\dialog_delegate.cc:86
    #2 0x24cd263 in views::DialogDelegate::CreateDialogWidget C:\c\CrWinAsan\src\ui\views\window\dialog_delegate.cc:43
    #3 0x155bfa0 in views::test::WidgetTest_WindowMouseModalityTest_Test::TestBody+0xa0a (e:\swarm_slave\w\irt2ubhf\out\Release\views_unittests.exe+0xa0bfa0)
...

0x07e0ce30 is located 0 bytes to the right of 240-byte region [0x07e0cd40,0x07e0ce30)
allocated by thread T0 here:
    #0 0x42f1b08 in malloc c:\c\crwinasan\src\third_party\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:65
    #1 0x430d3c5 in operator new f:\dd\vctools\crt\vcstartup\src\heap\new_scalar.cpp:19
    #2 0x155beb1 in views::test::WidgetTest_WindowMouseModalityTest_Test::TestBody C:\c\CrWinAsan\src\ui\views\widget\desktop_aura\desktop_native_widget_aura_unittest.cc:562
    #3 0x22cf67f in testing::internal::HandleExceptionsInMethodIfSupported<testing::Test,void> C:\c\CrWinAsan\src\testing\gtest\src\gtest.cc:2458
    #4 0x22cf267 in testing::Test::Run C:\c\CrWinAsan\src\testing\gtest\src\gtest.cc:2474
...

I think this is a clang bug because dialog_delegate.cc:86 is calling DialogDelegate::GetModalType(), not ImageView::GetHorizontalAlignment().
 

Comment 1 by r...@chromium.org, Aug 5 2016

Labels: Stability-Memory-AddressSanitizer

Comment 2 by r...@chromium.org, Aug 5 2016

It's not a clang bug, it's an ODR violation. There are two implementations of ModalDialogDelegate in two different tests, and the ASan build is picking up the wrong one I guess:
https://cs.chromium.org/chromium/src/ui/views/widget/widget_unittest.cc?rcl=0&l=3640
https://cs.chromium.org/chromium/src/ui/views/widget/desktop_aura/desktop_native_widget_aura_unittest.cc?rcl=0&l=513

Comment 3 by bugdroid1@chromium.org, Aug 5 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3716c0f10365f0f7c1dd225ebc95a5c6aff419f4

commit 3716c0f10365f0f7c1dd225ebc95a5c6aff419f4
Author: rnk <rnk@chromium.org>
Date: Fri Aug 05 18:04:57 2016

Fix an ODR violation for ModalDialogDelegate found by ASan

Move these classes into anonymous namespaces so the names of their
vtables and virtual methods don't collide at link time.

R=thakis@chromium.org
BUG= 634960 

Review-Url: https://codereview.chromium.org/2217233002
Cr-Commit-Position: refs/heads/master@{#410109}

[modify] https://crrev.com/3716c0f10365f0f7c1dd225ebc95a5c6aff419f4/ui/views/widget/desktop_aura/desktop_native_widget_aura_unittest.cc
[modify] https://crrev.com/3716c0f10365f0f7c1dd225ebc95a5c6aff419f4/ui/views/widget/widget_unittest.cc

Labels: TE-NeedsTriageHelp

Comment 5 by r...@chromium.org, Aug 10 2016

Status: Verified (was: Unconfirmed)
Fixed, views_unittests is green here: https://build.chromium.org/p/chromium.fyi/builders/CrWinAsan%20tester/builds/1147
