ASAN: container-overflow on address reported on startup on iOS
Issue description
When building Chrome on iOS with ASAN, I get the following report from ASAN. Reproducible at 100% (10 times out of 10), with just changes in the pointer values.
=================================================================
==63808==ERROR: AddressSanitizer: container-overflow on address 0x60200002d1b0 at pc 0x00010c728bc8 bp 0x7000003a34d0 sp 0x7000003a34c8
==63808==AddressSanitizer: while reporting a bug found another one. Ignoring.
READ of size 1 at 0x60200002d1b0 thread T9
#0 0x10c728bc7 in net::IPAddress::IsZero() const ip_address.cc:198
#1 0x10d091abe in net::internal::ConvertResStateToDnsConfig(__res_9_state const&, net::DnsConfig*) dns_config_service_posix.cc:557
#2 0x10d0939e6 in net::internal::(anonymous namespace)::ReadDnsConfig(net::DnsConfig*) dns_config_service_posix.cc:134
#3 0x10d092989 in net::internal::DnsConfigServicePosix::ConfigReader::DoWork() dns_config_service_posix.cc:287
#4 0x10d159c6d in net::SerialWorker::DoWorkJob() serial_worker.cc:61
#5 0x10d15b1da in void base::internal::FunctorTraits<void (net::SerialWorker::*)(), void>::Invoke<scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:214
#6 0x10d15aec1 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (net::SerialWorker::* const&)(), scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::* const&&&)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:285
#7 0x10d15acb7 in void base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::RunImpl<void (net::SerialWorker::* const&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&, 0ul>(void (net::SerialWorker::* const&&&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&&&, base::IndexSequence<0ul>) bind_internal.h:361
#8 0x10d15ac0b in base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:339
#9 0x106e3e9fa in base::internal::RunMixin<base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> >::Run() const callback.h:64
#10 0x10a7679b2 in base::(anonymous namespace)::WorkerThread::ThreadMain() worker_pool_posix.cc:93
#11 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
#12 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
#13 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
#14 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)
0x60200002d1b0 is located 0 bytes inside of 16-byte region [0x60200002d1b0,0x60200002d1c0)
allocated by thread T9 here:
#0 0x120acdd7b (libclang_rt.asan_iossim_dynamic.dylib+0x5cd7b)
#1 0x106fb6a19 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::allocate(unsigned long) new:171
#2 0x11382b006 in std::__1::enable_if<(__is_forward_iterator<unsigned char*>::value) && (is_constructible<unsigned char, std::__1::iterator_traits<unsigned char*>::reference>::value), void>::type std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::assign<unsigned char*>(unsigned char*, unsigned char*) (Chromium+0x10cb22006)
#3 0x10d7624b4 in net::IPAddress::operator=(net::IPAddress const&) vector:1348
#4 0x10c7368fc in net::IPEndPoint::IPEndPoint(net::IPEndPoint const&) ip_endpoint.cc:91
#5 0x10c7369dc in net::IPEndPoint::IPEndPoint(net::IPEndPoint const&) ip_endpoint.cc:90
#6 0x10c70833b in std::__1::vector<net::IPEndPoint, std::__1::allocator<net::IPEndPoint> >::__swap_out_circular_buffer(std::__1::__split_buffer<net::IPEndPoint, std::__1::allocator<net::IPEndPoint>&>&) memory:1783
#7 0x10c707e80 in void std::__1::vector<net::IPEndPoint, std::__1::allocator<net::IPEndPoint> >::__push_back_slow_path<net::IPEndPoint const&>(net::IPEndPoint const&&&) vector:1569
#8 0x10d09049c in net::internal::ConvertResStateToDnsConfig(__res_9_state const&, net::DnsConfig*) vector:1586
#9 0x10d0939e6 in net::internal::(anonymous namespace)::ReadDnsConfig(net::DnsConfig*) dns_config_service_posix.cc:134
#10 0x10d092989 in net::internal::DnsConfigServicePosix::ConfigReader::DoWork() dns_config_service_posix.cc:287
#11 0x10d159c6d in net::SerialWorker::DoWorkJob() serial_worker.cc:61
#12 0x10d15b1da in void base::internal::FunctorTraits<void (net::SerialWorker::*)(), void>::Invoke<scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:214
#13 0x10d15aec1 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (net::SerialWorker::* const&)(), scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::* const&&&)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:285
#14 0x10d15acb7 in void base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::RunImpl<void (net::SerialWorker::* const&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&, 0ul>(void (net::SerialWorker::* const&&&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&&&, base::IndexSequence<0ul>) bind_internal.h:361
#15 0x10d15ac0b in base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:339
#16 0x106e3e9fa in base::internal::RunMixin<base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> >::Run() const callback.h:64
#17 0x10a7679b2 in base::(anonymous namespace)::WorkerThread::ThreadMain() worker_pool_posix.cc:93
#18 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
#19 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
#20 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
#21 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)
Thread T9 created by T8 here:
#0 0x120aba276 (libclang_rt.asan_iossim_dynamic.dylib+0x49276)
#1 0x10a6e3982 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:110
#2 0x10a6e3feb in base::PlatformThread::CreateNonJoinableWithPriority(unsigned long, base::PlatformThread::Delegate*, base::ThreadPriority) platform_thread_posix.cc:207
#3 0x10a6e3ed1 in base::PlatformThread::CreateNonJoinable(unsigned long, base::PlatformThread::Delegate*) platform_thread_posix.cc:197
#4 0x10a764849 in base::PosixDynamicThreadPool::AddTask(base::PendingTask*) worker_pool_posix.cc:162
#5 0x10a764397 in base::PosixDynamicThreadPool::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) worker_pool_posix.cc:145
#6 0x10a7630a3 in base::(anonymous namespace)::WorkerPoolImpl::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, bool) worker_pool_posix.cc:57
#7 0x10a762fc1 in base::WorkerPool::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, bool) worker_pool_posix.cc:110
#8 0x10d159794 in net::SerialWorker::WorkNow() serial_worker.cc:24
#9 0x10d08da50 in net::internal::DnsConfigServicePosix::ReadNow() dns_config_service_posix.cc:394
#10 0x10d082b5a in net::DnsConfigService::WatchConfig(base::Callback<void (net::DnsConfig const&), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) dns_config_service.cc:112
#11 0x10e2a5c9b in net::NetworkChangeNotifierMac::DnsConfigServiceThread::Init() network_change_notifier_mac.cc:51
#12 0x10a73df24 in base::Thread::ThreadMain() thread.cc:308
#13 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
#14 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
#15 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
#16 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)
Thread T8 created by T0 here:
#0 0x120aba276 (libclang_rt.asan_iossim_dynamic.dylib+0x49276)
#1 0x10a6e3982 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:110
#2 0x10a6e3012 in base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:191
#3 0x10a739e2d in base::Thread::StartWithOptions(base::Thread::Options const&) thread.cc:108
#4 0x10e2a2113 in net::NetworkChangeNotifierMac::NetworkChangeNotifierMac() network_change_notifier_mac.cc:72
#5 0x10e2a26c4 in net::NetworkChangeNotifierMac::NetworkChangeNotifierMac() network_change_notifier_mac.cc:68
#6 0x10cadc10d in net::NetworkChangeNotifier::Create() network_change_notifier.cc:534
#7 0x1082bf195 in web::WebMainLoop::MainMessageLoopStart() web_main_loop.mm:79
#8 0x1082c6160 in web::WebMainRunnerImpl::Initialize(web::WebMainParams const&) web_main_runner.mm:68
#9 0x1082f2020 in IOSChromeMain::IOSChromeMain() ios_chrome_main.mm:40
#10 0x1082f21f4 in IOSChromeMain::IOSChromeMain() ios_chrome_main.mm:21
#11 0x1082ffddc in -[MainController startChromeMain] main_controller.mm:1151
#12 0x1082f9946 in -[MainController startUpBrowserBackgroundInitialization] main_controller.mm:775
#13 0x1082f8c2d in -[MainController startUpBrowserToStage:] main_controller.mm:734
#14 0x1082cfed5 in -[AppState initializeUI] app_state.mm:455
#15 0x1082cf078 in -[AppState requiresHandlingAfterLaunchWithOptions:stateBackground:] app_state.mm:408
#16 0x1082f4651 in -[MainApplicationDelegate application:didFinishLaunchingWithOptions:] main_application_delegate.mm:97
#17 0x11a81768d in -[UIApplication _handleDelegateCallbacksWithOptions:isSuspended:restoreState:] (UIKit+0x1e68d)
#18 0x11a819012 in -[UIApplication _callInitializationDelegatesForMainScene:transitionContext:] (UIKit+0x20012)
#19 0x11a81f3b8 in -[UIApplication _runWithMainScene:transitionContext:completion:] (UIKit+0x263b8)
#20 0x11a81c538 in -[UIApplication workspaceDidEndTransaction:] (UIKit+0x23538)
#21 0x121e9076a in __FBSSERIALQUEUE_IS_CALLING_OUT_TO_A_BLOCK__ (FrontBoardServices+0x3b76a)
#22 0x121e905e3 in -[FBSSerialQueue _performNext] (FrontBoardServices+0x3b5e3)
#23 0x121e9096c in -[FBSSerialQueue _performNextFromRunLoopSource] (FrontBoardServices+0x3b96c)
#24 0x11c105310 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation+0x9c310)
#25 0x11c0ea59b in __CFRunLoopDoSources0 (CoreFoundation+0x8159b)
#26 0x11c0e9a85 in __CFRunLoopRun (CoreFoundation+0x80a85)
#27 0x11c0e9493 in CFRunLoopRunSpecific (CoreFoundation+0x80493)
#28 0x11a81adb5 in -[UIApplication _run] (UIKit+0x21db5)
#29 0x11a820f33 in UIApplicationMain (UIKit+0x27f33)
#30 0x106d0c07f in main chrome_exe_main.mm:70
#31 0x124b8168c in start (libdyld.dylib+0x468c)
HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow ip_address.cc:198 in net::IPAddress::IsZero() const
Shadow bytes around the buggy address:
0x1c04000059e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c04000059f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400005a00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x1c0400005a10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
0x1c0400005a20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fc fc
=>0x1c0400005a30: fa fa fc fc fa fa[fc]fc fa fa fa fa fa fa fa fa
0x1c0400005a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400005a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400005a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400005a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c0400005a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==63808==ABORTING
The error is flagged on the "dns_config->nameservers[i].address().IsZero()" line in the following code:
  // If any name server is 0.0.0.0, assume the configuration is invalid.
  // TODO(szym): Measure how often this happens. http://crbug.com/125599
  for (unsigned i = 0; i < dns_config->nameservers.size(); ++i) {
    if (dns_config->nameservers[i].address().IsZero())
      return CONFIG_PARSE_POSIX_NULL_ADDRESS;
  }
  return CONFIG_PARSE_POSIX_OK;
}
The error happens when accessing the ip_address_ field of the address() instance.
mmenke@: can you triage?
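What the report above is keying on is the container-overflow annotation that an instrumented libc++ puts on std::vector storage: the bytes between size() and capacity() are poisoned (shadow byte fc, the value shown at the flagged address), so a read that starts at data() but ignores size() is reported even though the allocation itself is valid. The wiki page cited in the report notes that the check produces false positives when code that is not built with ASAN also manipulates the same containers, since that code never updates the annotations; which of the two this issue is remains unsettled here. The following is an added example, not code from this issue or from Chromium: a minimal fixed-capacity byte container (named AddressBytes, an assumed name) that maintains its own annotations through construction, copy-assignment and destruction, the same operations that appear in the allocation trace above, plus a size-respecting IsZero and the unchecked read pattern ASAN objects to. Treating an empty address as zero is an assumption made for the example.

```cpp
// Added example, not Chromium code: a fixed-capacity byte container that
// tells AddressSanitizer which part of its storage is live, the way an
// instrumented libc++ std::vector does. With -fsanitize=address, a read in
// [size(), capacity()) is reported as container-overflow (shadow byte fc).
// Without ASAN the annotation macro expands to nothing.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

#if defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN 1
#  endif
#endif

#ifdef EXAMPLE_ASAN
#  include <sanitizer/common_interface_defs.h>
// Before the call [beg, old_mid) is live and [old_mid, end) poisoned;
// afterwards [beg, new_mid) is live and [new_mid, end) poisoned.
#  define ANNOTATE_LIVE(beg, end, old_mid, new_mid) \
     __sanitizer_annotate_contiguous_container(beg, end, old_mid, new_mid)
#else
#  define ANNOTATE_LIVE(beg, end, old_mid, new_mid) ((void)0)
#endif

class AddressBytes {
 public:
  static constexpr size_t kCapacity = 16;  // enough for an IPv6 address

  AddressBytes() : size_(0) {
    std::memset(storage_, 0, kCapacity);
    // Nothing is live yet: poison the whole backing store.
    ANNOTATE_LIVE(storage_, storage_ + kCapacity, storage_ + kCapacity, storage_);
  }
  AddressBytes(const AddressBytes& other) : AddressBytes() {
    Assign(other.data(), other.size());
  }
  AddressBytes& operator=(const AddressBytes& other) {
    if (this != &other) Assign(other.data(), other.size());
    return *this;
  }
  ~AddressBytes() {
    // Unpoison before the object goes away so the memory can be reused.
    ANNOTATE_LIVE(storage_, storage_ + kCapacity, storage_ + size_, storage_ + kCapacity);
  }

  // Replaces the contents; rejects input that does not fit.
  bool Assign(const uint8_t* bytes, size_t n) {
    if (n > kCapacity) return false;
    // Grow the live range first so the memcpy below is not itself a report.
    if (n > size_) ANNOTATE_LIVE(storage_, storage_ + kCapacity, storage_ + size_, storage_ + n);
    std::memcpy(storage_, bytes, n);
    // Shrink afterwards, once the discarded bytes are no longer needed.
    if (n < size_) ANNOTATE_LIVE(storage_, storage_ + kCapacity, storage_ + size_, storage_ + n);
    size_ = n;
    return true;
  }

  size_t size() const { return size_; }
  const uint8_t* data() const { return storage_; }

 private:
  alignas(8) uint8_t storage_[kCapacity];  // ASAN needs the start 8-byte aligned
  size_t size_;
};

// The check from the report, restricted to live bytes. An empty address
// counts as zero (assumption made for this example).
bool IsZero(const AddressBytes& a) {
  return std::all_of(a.data(), a.data() + a.size(),
                     [](uint8_t b) { return b == 0; });
}

// The pattern ASAN complains about: a read that ignores size(). On an empty
// container this touches poisoned storage and, under ASAN, yields
// "container-overflow ... READ of size 1" like the trace in this issue.
uint8_t FirstByteIgnoringSize(const AddressBytes& a) {
  return a.data()[0];
}

int main(int argc, char**) {
  // Constructed sample input: 0.0.0.0 and a documentation-range IPv6 address.
  const uint8_t zero4[4] = {0, 0, 0, 0};
  const uint8_t doc6[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
                            0, 0, 0, 0, 0, 0, 0, 1};
  AddressBytes a;
  a.Assign(zero4, 4);
  std::printf("0.0.0.0 IsZero: %d\n", IsZero(a));
  a.Assign(doc6, 16);
  AddressBytes copy(a);
  std::printf("2001:db8::1 copy IsZero: %d\n", IsZero(copy));

  // Pass any argument to reproduce the report class under -fsanitize=address.
  if (argc > 1) {
    AddressBytes empty;
    std::printf("%d\n", FirstByteIgnoringSize(empty));
  }
  return 0;
}
```

Build with `clang++ -std=c++11 -fsanitize=address example.cc && ./a.out trigger` to see the container-overflow report from the gated read; built without ASAN, or run with `ASAN_OPTIONS=detect_container_overflow=0` as the report's HINT line suggests, the same program runs silently. The point of the explicit annotations in the copy constructor and assignment operator is the caveat behind the false-positive wiki link: every piece of code that moves a container's size boundary has to update the annotation, so a container copied by uninstrumented code carries stale poison into otherwise correct reads.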
Sep 28 2016
I was thinking of a threading issue too, but to me that would mean some race condition. I would expect such a race condition to cause the error to happen only some of the time. Here the call stack is exactly the same every time I reproduced the issue (and, as I said, I had a 10/10 repro rate).
Comment 1 by mmenke@chromium.org, Sep 28 2016
Components: -Internals>Network Internals>Network>DNS
Owner: juliatut...@chromium.org