New issue
Advanced search Search tips

Issue 635599 link

Starred by 1 user
Status: Fixed
Owner:
shimazu@chromium.org
Closed: Aug 2016
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Chrome
Pri: 3
Type: Bug



Sign in to add a comment

Use of uninitialized value in ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection

Project Member Reported by reillyg@chromium.org, Aug 8 2016 
In ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection a ConsoleListener is registered with the embedded worker but WaitForConsoleMessages() is not called to set the number of messages it should expect to receive. This leads to an uninitialized read when OnReportConsoleMessageToUI() is called.

The test will be disabled as this makes it flaky and fail under MSan. I am unsure what the correct initial value of expected_message_count_ should be.

ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection (run #1):
[ RUN      ] ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection
[12893:12893:0808/102117:6437682639:WARNING:audio_manager.cc(317)] Multiple instances of AudioManager detected
[12893:12893:0808/102117:6437682828:WARNING:audio_manager.cc(278)] Multiple instances of AudioManager detected
Xlib:  extension "RANDR" missing on display ":9".
==12893==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0xff5cb0 in OnReportConsoleMessageOnUI content/browser/service_worker/service_worker_browsertest.cc:414:9
    #1 0x810b78f in Run base/callback.h:389:12
    #2 0x810b78f in RunTask base/debug/task_annotator.cc:51:0
    #3 0x817cc41 in RunTask base/message_loop/message_loop.cc:496:19
    #4 0x817dff7 in DeferOrRunPendingTask base/message_loop/message_loop.cc:505:5
    #5 0x817fb98 in DoWork base/message_loop/message_loop.cc:629:13
    #6 0x818d569 in HandleDispatch base/message_loop/message_pump_glib.cc:267:25
    #7 0x818d569 in WorkSourceDispatch base/message_loop/message_pump_glib.cc:109:0
    #8 0x7fa04e016803 in g_main_dispatch /mnt/b/chromium/src/out-msan-chained-origins-precise/Release/obj/third_party/instrumented_libraries/msan-libglib2.0-0.gen/libglib2.0-0/glib2.0-2.32.4/glib/gmain.c:2539:21
    #9 0x7fa04e016803 in g_main_context_dispatch /mnt/b/chromium/src/out-msan-chained-origins-precise/Release/obj/third_party/instrumented_libraries/msan-libglib2.0-0.gen/libglib2.0-0/glib2.0-2.32.4/glib/gmain.c:3075:0
    #10 0x7fa04e017bc9 in g_main_context_iterate /mnt/b/chromium/src/out-msan-chained-origins-precise/Release/obj/third_party/instrumented_libraries/msan-libglib2.0-0.gen/libglib2.0-0/glib2.0-2.32.4/glib/gmain.c:3146:5
    #11 0x7fa04e017f61 in g_main_context_iteration /mnt/b/chromium/src/out-msan-chained-origins-precise/Release/obj/third_party/instrumented_libraries/msan-libglib2.0-0.gen/libglib2.0-0/glib2.0-2.32.4/glib/gmain.c:3207:12
    #12 0x818cb43 in ?? base/message_loop/message_pump_glib.cc:309:30
    #13 0x8208abc in Run base/run_loop.cc:35:10
    #14 0xfca2ec in FetchOnRegisteredWorker content/browser/service_worker/service_worker_browsertest.cc:491:20
    #15 0xfcb8fc in RunTestOnMainThread content/browser/service_worker/service_worker_browsertest.cc:1133:3
    #16 0x73be080 in RunTestOnMainThreadLoop content/public/test/content_browser_test.cc:136:3
    #17 0x73d4b38 in ProxyRunTestOnMainThreadLoop content/public/test/browser_test_base.cc:334:3
    #18 0x75dcfbb in Run base/callback.h:389:12
    #19 0x75dcfbb in PreMainMessageLoopRun content/shell/browser/shell_browser_main_parts.cc:197:0
    #20 0x5e1f694 in PreMainMessageLoopRun content/browser/browser_main_loop.cc:943:13
    #21 0x6d18701 in Run base/callback.h:389:12
    #22 0x6d18701 in RunAllTasksNow content/browser/startup_task_runner.cc:45:0
    #23 0x5e17aae in CreateStartupTasks content/browser/browser_main_loop.cc:833:25
    #24 0x5e2e3da in Initialize content/browser/browser_main_runner.cc:140:17
    #25 0x756b870 in ShellBrowserMain content/shell/browser/shell_browser_main.cc:23:32
    #26 0x75427ac in RunProcess content/shell/app/shell_main_delegate.cc:295:16
    #27 0x5b519dc in RunNamedProcessTypeMain content/app/content_main_runner.cc:405:35
    #28 0x5b550b1 in Run content/app/content_main_runner.cc:785:12
    #29 0x5b341e0 in ContentMain content/app/content_main.cc:20:28
    #30 0x73d3bdc in SetUp content/public/test/browser_test_base.cc:307:3
    #31 0x73bdc70 in SetUp content/public/test/content_browser_test.cc:93:20
    #32 0x7a041f6 in HandleExceptionsInMethodIfSupported\u003Ctesting::Test, void> testing/gtest/src/gtest.cc:2458:12
    #33 0x7a041f6 in Run testing/gtest/src/gtest.cc:2470:0
    #34 0x7a076f7 in Run testing/gtest/src/gtest.cc:2656:11
    #35 0x7a08f0b in Run testing/gtest/src/gtest.cc:2774:28
    #36 0x7a26621 in RunAllTests testing/gtest/src/gtest.cc:4647:43
    #37 0x7a2562a in HandleExceptionsInMethodIfSupported\u003Ctesting::internal::UnitTestImpl, bool> testing/gtest/src/gtest.cc:2458:12
    #38 0x7a2562a in Run testing/gtest/src/gtest.cc:4255:0
    #39 0x7462710 in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #40 0x7462710 in Run base/test/test_suite.cc:245:0
    #41 0x73d1b8a in RunTestSuite content/test/content_test_launcher.cc:105:48
    #42 0x7423fa7 in LaunchTests content/public/test/test_launcher.cc:517:31
    #43 0x73d1a20 in main content/test/content_test_launcher.cc:131:10
    #44 0x7fa046b8f7ec in __libc_start_main /build/eglibc-oqps9y/eglibc-2.15/csu/libc-start.c:226:0
    #45 0x5178a8 in _start ??:0

  Uninitialized value was created by an allocation of 'console_listener' in the stack frame of function '_ZN7content68ServiceWorkerVersionBrowserTest_FetchEvent_respondWithRejection_Test19RunTestOnMainThreadEv'
    #0 0xfcaf80 in RunTestOnMainThread content/browser/service_worker/service_worker_browsertest.cc:1119:0

SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/swarming/w/irlUhBC1/out/Release/content_browsertests+0xff5cb0)
Exiting
Project Member

Comment 1 by bugdroid1@chromium.org, Aug 8 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cacee1a387b54563d9aecaf54eed3a781288d9fa

commit cacee1a387b54563d9aecaf54eed3a781288d9fa
Author: reillyg <reillyg@chromium.org>
Date: Mon Aug 08 18:37:03 2016

Disable ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection.

This test hits a use-of-uninitialized-value under MSan which will cause
it to be flaky on all bots.

BUG= 635599 
TBR=nhiroki@chromium.org
NOTRY=True

Review-Url: https://codereview.chromium.org/2224033002
Cr-Commit-Position: refs/heads/master@{#410402}

[modify] https://crrev.com/cacee1a387b54563d9aecaf54eed3a781288d9fa/content/browser/service_worker/service_worker_browsertest.cc
Project Member

Comment 2 by bugdroid1@chromium.org, Aug 9 2016 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/4d4c3711a48ca7006ecf7e0a860994eaa8fd006e

commit 4d4c3711a48ca7006ecf7e0a860994eaa8fd006e
Author: shimazu <shimazu@chromium.org>
Date: Tue Aug 09 05:26:11 2016

ServiceWorker: Re-enable FetchEvent_respondWithRejection

Memory sanitizer shows an error of uninitialized read in
service_worker_browsertest.cc. This patch adds a check if
WaitForConsoleMessages has been already called, so the variable will be read
only after WaitForConsoleMessages initializes it.

BUG= 635599 
TEST=./out/msan/content_browsertests --no-sandbox --gtest_filter="ServiceWorkerVersionBrowserTest.FetchEvent_respondWithRejection"

Review-Url: https://codereview.chromium.org/2229693002
Cr-Commit-Position: refs/heads/master@{#410584}

[modify] https://crrev.com/4d4c3711a48ca7006ecf7e0a860994eaa8fd006e/content/browser/service_worker/service_worker_browsertest.cc

Comment 3 by shimazu@chromium.org, Aug 10 2016

Status: Fixed (was: Assigned)

Sign in to add a comment