CFI: invalid cast during blink::PaymentShippingOption destruction |
||||||
Issue descriptionVersion: tip OS: Linux x86-64 What steps will reproduce the problem? (1) Build webkit_unit_tests with CFI: $ gn gen out/cfi-diag '--args=is_debug=false is_cfi=true use_cfi_diag=true use_cfi_cast=true symbol_level=1' --check $ build/download_gold_plugin.py $ ninja -C out/cfi-diag webkit_unit_tests # Will take around 40 minutes $ gdb -ex 'b __ubsan_handle_cfi_check_fail' -ex r --args ./out/cfi-diag/webkit_unit_tests --gtest_filter=CompleteTest.CannotCallCompleteTwice --single_process (2) Observe the error message: ../../third_party/WebKit/Source/platform/heap/HeapAllocator.h:302:15: runtime error: control flow integrity check for type 'blink::PaymentShippingOption' failed during cast to unrelated type (vtable address 0x000000000000) 0x000000000000: note: invalid vtable Stack trace: #0 0x0000000002fc6434 in __ubsan_handle_cfi_check_fail () #1 0x0000000000bec4bf in blink::HeapVectorBacking<blink::PaymentShippingOption, WTF::VectorTraits<blink::PaymentShippingOption> >::finalize(void*) () at ../../third_party/WebKit/Source/platform/heap/HeapAllocator.h:302 #2 0x00000000014a061f in blink::NormalPage::sweep() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:1216 #3 0x000000000149ebde in blink::BaseArena::sweepUnsweptPage() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:296 #4 0x000000000149eeb8 in blink::BaseArena::completeSweep() () at ../../third_party/WebKit/Source/platform/heap/HeapPage.cpp:349 #5 0x00000000014a2cc9 in blink::ThreadState::completeSweep() () at ../../third_party/WebKit/Source/platform/heap/ThreadState.cpp:1202 #6 0x00000000014a5049 in collectGarbage () at ../../third_party/WebKit/Source/platform/heap/ThreadState.cpp:1776 #7 0x0000000001a2cac2 in blink::V8GCController::gcEpilogue(v8::Isolate*, v8::GCType, v8::GCCallbackFlags) () at ../../third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:416 #8 0x0000000001354e00 in v8::internal::Heap::CallGCEpilogueCallbacks(v8::GCType, v8::GCCallbackFlags) () at ../../v8/src/heap/heap.cc:1417 #9 0x0000000001355ce8 in PerformGarbageCollection () at ../../v8/src/heap/heap.cc:1373 #10 0x0000000001355435 in CollectGarbage () at ../../v8/src/heap/heap.cc:998 #11 0x0000000000d5f548 in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) () at ../../v8/src/heap/heap-inl.h:678 #12 0x000000000135467b in v8::internal::Heap::CollectAllGarbage(int, v8::internal::GarbageCollectionReason, v8::GCCallbackFlags) () at ../../v8/src/heap/heap.cc:847 #13 0x0000000001a2cfda in blink::V8GCController::collectAllGarbageForTesting(v8::Isolate*) () at ../../third_party/WebKit/Source/bindings/core/v8/V8GCController.cpp:461 #14 0x0000000000548d55 in (anonymous namespace)::runHelper(base::TestSuite*) () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:60 #15 0x0000000000548f1e in int base::internal::Invoker<base::internal::BindState<int (*)(base::TestSuite*), base::internal::UnretainedWrapper<base::TestSuite> >, int ()>::RunImpl<int (* const&)(base::TestSuite*), std::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, 0ul>(int (* const&)(base::TestSuite*), std::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, base::IndexSequence<0ul>) () at ../../base/bind_internal.h:361 #16 0x000000000161cddf in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:210 #17 0x000000000161cc52 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:452 #18 0x0000000000548c4c in main () at ../../third_party/WebKit/Source/web/tests/RunAllTests.cpp:73 This failure has broken a couple of bots (CFI Linux ToT and CFI Linux Full). The bots became broken on Oct 24 (see the webkit_unit_tests failure): https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/658 After reverting https://codereview.chromium.org/2444493002 everything becomes green. Sorry, we will eventually have a try bot, after we moved to ThinLTO (http://blog.llvm.org/2016/06/thinlto-scalable-and-incremental-lto.html), which should dramatically reduce the linking time. Before that, such eventual regressions are unfortunately expected. :(
,
Oct 27 2016
,
Oct 27 2016
Thank you, Rouslan! That made the bot green: https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/673
,
Nov 21 2016
Not sure which component to use, so using all of them :-)
,
Dec 19 2016
There is an owner on this bug, but the status was not "Assigned" or "Started". Fixing. If you do not own this bug, please remove yourself as the owner and make the status "Available".
,
Feb 5 2017
,
Apr 6 2017
I don't think there's more to do here post-revert; marking as fixed per #3. |
||||||
►
Sign in to add a comment |
||||||
Comment 1 by rouslan@chromium.org
, Oct 27 2016