
Issue 650980

Issue metadata

Status: Available
Owner: ----
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: iOS
Pri: 2
Type: Bug


ASAN: container-overflow on address reported on startup on iOS

Reported by sdefresne@chromium.org (Project Member), Sep 28 2016

Issue description

When building Chrome on iOS with ASAN, I get the following report from ASAN. Reproducible 100% of the time (10 out of 10 runs); only the pointer values change between runs.

=================================================================
==63808==ERROR: AddressSanitizer: container-overflow on address 0x60200002d1b0 at pc 0x00010c728bc8 bp 0x7000003a34d0 sp 0x7000003a34c8
==63808==AddressSanitizer: while reporting a bug found another one. Ignoring.
READ of size 1 at 0x60200002d1b0 thread T9
    #0 0x10c728bc7 in net::IPAddress::IsZero() const ip_address.cc:198
    #1 0x10d091abe in net::internal::ConvertResStateToDnsConfig(__res_9_state const&, net::DnsConfig*) dns_config_service_posix.cc:557
    #2 0x10d0939e6 in net::internal::(anonymous namespace)::ReadDnsConfig(net::DnsConfig*) dns_config_service_posix.cc:134
    #3 0x10d092989 in net::internal::DnsConfigServicePosix::ConfigReader::DoWork() dns_config_service_posix.cc:287
    #4 0x10d159c6d in net::SerialWorker::DoWorkJob() serial_worker.cc:61
    #5 0x10d15b1da in void base::internal::FunctorTraits<void (net::SerialWorker::*)(), void>::Invoke<scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:214
    #6 0x10d15aec1 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (net::SerialWorker::* const&)(), scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::* const&&&)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:285
    #7 0x10d15acb7 in void base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::RunImpl<void (net::SerialWorker::* const&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&, 0ul>(void (net::SerialWorker::* const&&&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&&&, base::IndexSequence<0ul>) bind_internal.h:361
    #8 0x10d15ac0b in base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:339
    #9 0x106e3e9fa in base::internal::RunMixin<base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> >::Run() const callback.h:64
    #10 0x10a7679b2 in base::(anonymous namespace)::WorkerThread::ThreadMain() worker_pool_posix.cc:93
    #11 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
    #12 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #13 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #14 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)

0x60200002d1b0 is located 0 bytes inside of 16-byte region [0x60200002d1b0,0x60200002d1c0)
allocated by thread T9 here:
    #0 0x120acdd7b  (libclang_rt.asan_iossim_dynamic.dylib+0x5cd7b)
    #1 0x106fb6a19 in std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::allocate(unsigned long) new:171
    #2 0x11382b006 in std::__1::enable_if<(__is_forward_iterator<unsigned char*>::value) && (is_constructible<unsigned char, std::__1::iterator_traits<unsigned char*>::reference>::value), void>::type std::__1::vector<unsigned char, std::__1::allocator<unsigned char> >::assign<unsigned char*>(unsigned char*, unsigned char*) (Chromium+0x10cb22006)
    #3 0x10d7624b4 in net::IPAddress::operator=(net::IPAddress const&) vector:1348
    #4 0x10c7368fc in net::IPEndPoint::IPEndPoint(net::IPEndPoint const&) ip_endpoint.cc:91
    #5 0x10c7369dc in net::IPEndPoint::IPEndPoint(net::IPEndPoint const&) ip_endpoint.cc:90
    #6 0x10c70833b in std::__1::vector<net::IPEndPoint, std::__1::allocator<net::IPEndPoint> >::__swap_out_circular_buffer(std::__1::__split_buffer<net::IPEndPoint, std::__1::allocator<net::IPEndPoint>&>&) memory:1783
    #7 0x10c707e80 in void std::__1::vector<net::IPEndPoint, std::__1::allocator<net::IPEndPoint> >::__push_back_slow_path<net::IPEndPoint const&>(net::IPEndPoint const&&&) vector:1569
    #8 0x10d09049c in net::internal::ConvertResStateToDnsConfig(__res_9_state const&, net::DnsConfig*) vector:1586
    #9 0x10d0939e6 in net::internal::(anonymous namespace)::ReadDnsConfig(net::DnsConfig*) dns_config_service_posix.cc:134
    #10 0x10d092989 in net::internal::DnsConfigServicePosix::ConfigReader::DoWork() dns_config_service_posix.cc:287
    #11 0x10d159c6d in net::SerialWorker::DoWorkJob() serial_worker.cc:61
    #12 0x10d15b1da in void base::internal::FunctorTraits<void (net::SerialWorker::*)(), void>::Invoke<scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:214
    #13 0x10d15aec1 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (net::SerialWorker::* const&)(), scoped_refptr<net::SerialWorker> const&>(void (net::SerialWorker::* const&&&)(), scoped_refptr<net::SerialWorker> const&&&) bind_internal.h:285
    #14 0x10d15acb7 in void base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::RunImpl<void (net::SerialWorker::* const&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&, 0ul>(void (net::SerialWorker::* const&&&)(), std::__1::tuple<scoped_refptr<net::SerialWorker> > const&&&, base::IndexSequence<0ul>) bind_internal.h:361
    #15 0x10d15ac0b in base::internal::Invoker<base::internal::BindState<void (net::SerialWorker::*)(), scoped_refptr<net::SerialWorker> >, void ()>::Run(base::internal::BindStateBase*) bind_internal.h:339
    #16 0x106e3e9fa in base::internal::RunMixin<base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> >::Run() const callback.h:64
    #17 0x10a7679b2 in base::(anonymous namespace)::WorkerThread::ThreadMain() worker_pool_posix.cc:93
    #18 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
    #19 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #20 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #21 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)

Thread T9 created by T8 here:
    #0 0x120aba276  (libclang_rt.asan_iossim_dynamic.dylib+0x49276)
    #1 0x10a6e3982 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:110
    #2 0x10a6e3feb in base::PlatformThread::CreateNonJoinableWithPriority(unsigned long, base::PlatformThread::Delegate*, base::ThreadPriority) platform_thread_posix.cc:207
    #3 0x10a6e3ed1 in base::PlatformThread::CreateNonJoinable(unsigned long, base::PlatformThread::Delegate*) platform_thread_posix.cc:197
    #4 0x10a764849 in base::PosixDynamicThreadPool::AddTask(base::PendingTask*) worker_pool_posix.cc:162
    #5 0x10a764397 in base::PosixDynamicThreadPool::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) worker_pool_posix.cc:145
    #6 0x10a7630a3 in base::(anonymous namespace)::WorkerPoolImpl::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, bool) worker_pool_posix.cc:57
    #7 0x10a762fc1 in base::WorkerPool::PostTask(tracked_objects::Location const&, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, bool) worker_pool_posix.cc:110
    #8 0x10d159794 in net::SerialWorker::WorkNow() serial_worker.cc:24
    #9 0x10d08da50 in net::internal::DnsConfigServicePosix::ReadNow() dns_config_service_posix.cc:394
    #10 0x10d082b5a in net::DnsConfigService::WatchConfig(base::Callback<void (net::DnsConfig const&), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) dns_config_service.cc:112
    #11 0x10e2a5c9b in net::NetworkChangeNotifierMac::DnsConfigServiceThread::Init() network_change_notifier_mac.cc:51
    #12 0x10a73df24 in base::Thread::ThreadMain() thread.cc:308
    #13 0x10a6e4eb2 in base::(anonymous namespace)::ThreadFunc(void*) platform_thread_posix.cc:71
    #14 0x124ede99c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #15 0x124ede919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #16 0x124edc350 in thread_start (libsystem_pthread.dylib+0x1350)

Thread T8 created by T0 here:
    #0 0x120aba276  (libclang_rt.asan_iossim_dynamic.dylib+0x49276)
    #1 0x10a6e3982 in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:110
    #2 0x10a6e3012 in base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) platform_thread_posix.cc:191
    #3 0x10a739e2d in base::Thread::StartWithOptions(base::Thread::Options const&) thread.cc:108
    #4 0x10e2a2113 in net::NetworkChangeNotifierMac::NetworkChangeNotifierMac() network_change_notifier_mac.cc:72
    #5 0x10e2a26c4 in net::NetworkChangeNotifierMac::NetworkChangeNotifierMac() network_change_notifier_mac.cc:68
    #6 0x10cadc10d in net::NetworkChangeNotifier::Create() network_change_notifier.cc:534
    #7 0x1082bf195 in web::WebMainLoop::MainMessageLoopStart() web_main_loop.mm:79
    #8 0x1082c6160 in web::WebMainRunnerImpl::Initialize(web::WebMainParams const&) web_main_runner.mm:68
    #9 0x1082f2020 in IOSChromeMain::IOSChromeMain() ios_chrome_main.mm:40
    #10 0x1082f21f4 in IOSChromeMain::IOSChromeMain() ios_chrome_main.mm:21
    #11 0x1082ffddc in -[MainController startChromeMain] main_controller.mm:1151
    #12 0x1082f9946 in -[MainController startUpBrowserBackgroundInitialization] main_controller.mm:775
    #13 0x1082f8c2d in -[MainController startUpBrowserToStage:] main_controller.mm:734
    #14 0x1082cfed5 in -[AppState initializeUI] app_state.mm:455
    #15 0x1082cf078 in -[AppState requiresHandlingAfterLaunchWithOptions:stateBackground:] app_state.mm:408
    #16 0x1082f4651 in -[MainApplicationDelegate application:didFinishLaunchingWithOptions:] main_application_delegate.mm:97
    #17 0x11a81768d in -[UIApplication _handleDelegateCallbacksWithOptions:isSuspended:restoreState:] (UIKit+0x1e68d)
    #18 0x11a819012 in -[UIApplication _callInitializationDelegatesForMainScene:transitionContext:] (UIKit+0x20012)
    #19 0x11a81f3b8 in -[UIApplication _runWithMainScene:transitionContext:completion:] (UIKit+0x263b8)
    #20 0x11a81c538 in -[UIApplication workspaceDidEndTransaction:] (UIKit+0x23538)
    #21 0x121e9076a in __FBSSERIALQUEUE_IS_CALLING_OUT_TO_A_BLOCK__ (FrontBoardServices+0x3b76a)
    #22 0x121e905e3 in -[FBSSerialQueue _performNext] (FrontBoardServices+0x3b5e3)
    #23 0x121e9096c in -[FBSSerialQueue _performNextFromRunLoopSource] (FrontBoardServices+0x3b96c)
    #24 0x11c105310 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (CoreFoundation+0x9c310)
    #25 0x11c0ea59b in __CFRunLoopDoSources0 (CoreFoundation+0x8159b)
    #26 0x11c0e9a85 in __CFRunLoopRun (CoreFoundation+0x80a85)
    #27 0x11c0e9493 in CFRunLoopRunSpecific (CoreFoundation+0x80493)
    #28 0x11a81adb5 in -[UIApplication _run] (UIKit+0x21db5)
    #29 0x11a820f33 in UIApplicationMain (UIKit+0x27f33)
    #30 0x106d0c07f in main chrome_exe_main.mm:70
    #31 0x124b8168c in start (libdyld.dylib+0x468c)

HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
SUMMARY: AddressSanitizer: container-overflow ip_address.cc:198 in net::IPAddress::IsZero() const
Shadow bytes around the buggy address:
  0x1c04000059e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c04000059f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400005a00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400005a10: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x1c0400005a20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fc fc
=>0x1c0400005a30: fa fa fc fc fa fa[fc]fc fa fa fa fa fa fa fa fa
  0x1c0400005a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400005a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400005a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400005a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c0400005a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==63808==ABORTING

The error is flagged on the "dns_config->nameservers[i].address().IsZero()" line in the following code:

  // If any name server is 0.0.0.0, assume the configuration is invalid.
  // TODO(szym): Measure how often this happens.  http://crbug.com/125599 
  for (unsigned i = 0; i < dns_config->nameservers.size(); ++i) {
    if (dns_config->nameservers[i].address().IsZero())
      return CONFIG_PARSE_POSIX_NULL_ADDRESS;
  }
  return CONFIG_PARSE_POSIX_OK;
}

The error happens when accessing the ip_address_ field of the address() instance.

mmenke@: can you triage?
 
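
The following is an added example, not code from this report or from Chromium. It rebuilds the shape of the two stacks above (a list of endpoints grown by push_back, so earlier elements and their inner byte vectors get copy-constructed into the new buffer, then an IsZero-style walk over each address) and adds the check a practitioner wants when ASan flags a byte that the C++ container itself considers in range: ask the ASan runtime whether its container annotation for that vector agrees with the vector's own size() and capacity(). Endpoint, is_zero, first_zero_nameserver, build_nameservers and the resolver list are stand-ins I constructed; the two __sanitizer_* functions are the real ASan runtime interface from sanitizer/common_interface_defs.h, declared weak here so the file also builds and runs without -fsanitize=address.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

extern "C" {
// Exported by the ASan runtime (sanitizer/common_interface_defs.h). Declared
// weak so the program links and runs in a plain, un-sanitized build as well.
int __sanitizer_verify_contiguous_container(const void* beg, const void* mid,
                                            const void* end) __attribute__((weak));
const void* __sanitizer_contiguous_container_find_bad_address(
    const void* beg, const void* mid, const void* end) __attribute__((weak));
}

// Stand-in for net::IPEndPoint (constructed for this example): a byte vector
// (4 bytes for IPv4, 16 for IPv6) plus a port. Copying it copies the inner
// vector, which is the allocation path in the report's second stack.
struct Endpoint {
  std::vector<unsigned char> address;
  unsigned short port;
};

// Same loop shape as net::IPAddress::IsZero(): touches only [begin, end).
bool is_zero(const std::vector<unsigned char>& bytes) {
  for (unsigned char b : bytes)
    if (b != 0) return false;
  return true;
}

// The ConvertResStateToDnsConfig check: index of the first all-zero
// nameserver, or -1 if every nameserver has a non-zero address.
int first_zero_nameserver(const std::vector<Endpoint>& nameservers) {
  for (std::size_t i = 0; i < nameservers.size(); ++i)
    if (is_zero(nameservers[i].address)) return static_cast<int>(i);
  return -1;
}

// True when ASan's shadow for the vector matches the vector's bookkeeping:
// [data, data+size) addressable, [data+size, data+capacity) poisoned as 'fc'.
// Returns true when no ASan runtime is linked or nothing is allocated.
bool annotations_consistent(const std::vector<unsigned char>& bytes) {
  if (__sanitizer_verify_contiguous_container == nullptr) return true;
  if (bytes.capacity() == 0) return true;
  const unsigned char* beg = bytes.data();
  return __sanitizer_verify_contiguous_container(beg, beg + bytes.size(),
                                                 beg + bytes.capacity()) != 0;
}

// Offset of the first byte whose annotation disagrees with the vector, or -1.
// A result of 0 on a non-empty vector is the report's symptom: the very first
// byte of the region is poisoned although size() says it is in range, which
// points at a stale annotation rather than at a real out-of-bounds read.
long first_bad_offset(const std::vector<unsigned char>& bytes) {
  if (__sanitizer_contiguous_container_find_bad_address == nullptr ||
      bytes.capacity() == 0)
    return -1;
  const unsigned char* beg = bytes.data();
  const void* bad = __sanitizer_contiguous_container_find_bad_address(
      beg, beg + bytes.size(), beg + bytes.capacity());
  return bad == nullptr ? -1 : static_cast<const unsigned char*>(bad) - beg;
}

bool all_annotations_consistent(const std::vector<Endpoint>& list) {
  for (const Endpoint& ep : list)
    if (!annotations_consistent(ep.address) || first_bad_offset(ep.address) != -1)
      return false;
  return true;
}

// Grows the list the way the report's allocation stack does: push_back without
// reserve(), so each reallocation copy-constructs the earlier Endpoints (and
// their inner vectors) into the new buffer.
std::vector<Endpoint> build_nameservers(const std::vector<Endpoint>& parsed) {
  std::vector<Endpoint> out;
  for (const Endpoint& ep : parsed) out.push_back(ep);
  return out;
}

// Constructed input: two real-looking resolvers followed by 0.0.0.0.
std::vector<Endpoint> sample_nameservers() {
  return {
      {{8, 8, 8, 8}, 53},
      {{0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1}, 53},  // ::1
      {{0, 0, 0, 0}, 53},
  };
}

int main() {
  std::vector<Endpoint> ns = build_nameservers(sample_nameservers());
  std::printf("first all-zero nameserver: %d\n", first_zero_nameserver(ns));
  for (std::size_t i = 0; i < ns.size(); ++i)
    std::printf("nameserver %zu: size=%zu capacity=%zu annotation_ok=%d first_bad_offset=%ld\n",
                i, ns[i].address.size(), ns[i].address.capacity(),
                annotations_consistent(ns[i].address) ? 1 : 0,
                first_bad_offset(ns[i].address));
  return 0;
}
```

Build with clang++ -fsanitize=address -stdlib=libc++ to get libc++'s std::vector annotations (libstdc++ only annotates std::vector when _GLIBCXX_SANITIZE_VECTOR is defined). In a sanitized build, first_bad_offset on a vector that the C++ code considers in range should be -1; a 0 means the runtime's annotation, not the read, is wrong, which is the situation the wiki page in the HINT line describes, typically caused by code that resizes or assigns the vector while compiled without ASan. In the allocation stack above, the vector::assign frame is the one with no source location, so that is the frame worth checking for an un-instrumented translation unit.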

Comment 1 by mmenke@chromium.org, Sep 28 2016

Cc: mmenke@chromium.org
Components: Internals>Network>DNS (was: Internals>Network)
Owner: juliatut...@chromium.org
There are two loops over all objects in a container, both seem to be looping over objects correctly, that does still leave space for cross-thread bugs.  Looks to me like we're correctly limiting the method to be called once at a time, though.  Hrm...

[+juliatuttle]:  Julia, mind investigating?

I was thinking of a threading issue too, but to me that would mean some race condition. I would expect such a race condition to cause the error to happen only some of the time. Here the call stack is exactly the same every time I reproduced the issue (and, as I said, I had a 10/10 repro rate).

Owner: ----
Status: Available (was: Assigned)
Owner: mge...@chromium.org
Status: Assigned (was: Available)

Comment 7 by mge...@chromium.org, Mar 23 2018

Owner: ----
Status: Available (was: Assigned)
