
Issue 660174

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Last visit > 30 days ago
Closed: Nov 2016
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug

Blocking:
issue 607996

ubsan: invalid cast to SocketAcceptor in UnixDomainSocketUtil.Connect

Project Member Reported by krasin@chromium.org, Oct 27 2016

Issue description

Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
(1) Build ipc_tests with UBSan:

$ gn gen out/ubsan '--args=is_debug=false is_ubsan_no_recover=true is_ubsan_vptr=true symbol_level=2 ' --check
$ ninja -C out/ubsan ipc_tests

(2) Run ipc_tests / UnixDomainSocketUtil.Connect:

$ ./out/ubsan/ipc_tests --gtest_filter=UnixDomainSocketUtil.Connect 
...
[ RUN      ] UnixDomainSocketUtil.Connect
../../base/bind_internal.h:214:12: runtime error: member call on address 0x0f0197a96cc0 which does not point to an object of type '(anonymous namespace)::SocketAcceptor'
0x0f0197a96cc0: note: object has a possibly invalid vptr: abs(offset to top) too big
 00 00 00 00  10 d0 77 00 00 00 00 00  e1 cf 77 00 00 00 00 00  d5 00 00 00 01 0f 00 00  92 b0 57 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              possibly invalid vptr
    #0 0x4d310d in Invoke<(anonymous namespace)::SocketAcceptor *, base::MessagePumpLibevent::FileDescriptorWatcher *const &> base/bind_internal.h:214:12
    #1 0x4d310d in MakeItSo<void ((anonymous namespace)::SocketAcceptor::*const &)(base::MessagePumpLibevent::FileDescriptorWatcher *), (anonymous namespace)::SocketAcceptor *, base::MessagePumpLibevent::FileDescriptorWatcher *const &> base/bind_internal.h:285
    #2 0x4d310d in RunImpl<void ((anonymous namespace)::SocketAcceptor::*const &)(base::MessagePumpLibevent::FileDescriptorWatcher *), const std::tuple<base::internal::UnretainedWrapper<(anonymous namespace)::SocketAcceptor>, base::MessagePumpLibevent::FileDescriptorWatcher *> &, 0, 1> base/bind_internal.h:361
    #3 0x4d310d in base::internal::Invoker<base::internal::BindState<void ((anonymous namespace)::SocketAcceptor::*)(base::MessagePumpLibevent::FileDescriptorWatcher*), base::internal::UnretainedWrapper<(anonymous namespace)::SocketAcceptor>, base::MessagePumpLibevent::FileDescriptorWatcher*>, void ()>::Run(base::internal::BindStateBase*) base/bind_internal.h:339
    #4 0x59eeca in Run base/callback.h:47:12
    #5 0x59eeca in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) base/debug/task_annotator.cc:52
    #6 0x5527ef in base::MessageLoop::RunTask(base::PendingTask*) base/message_loop/message_loop.cc:413:19
    #7 0x552c98 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) base/message_loop/message_loop.cc:422:5
    #8 0x5535d2 in base::MessageLoop::DoWork() base/message_loop/message_loop.cc:515:13
    #9 0x55a035 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:218:31
    #10 0x5520ac in base::MessageLoop::RunHandler() base/message_loop/message_loop.cc:378:10
    #11 0x5624e8 in base::RunLoop::Run() base/run_loop.cc:35:10
    #12 0x57b830 in base::Thread::ThreadMain() base/threading/thread.cc:333:3
    #13 0x573b5a in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:71:13
    #14 0x7f8715fa2183 in start_thread /build/eglibc-oGUzwX/eglibc-2.19/nptl/pthread_create.c:312
    #15 0x7f8715ab937c in clone /build/eglibc-oGUzwX/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

[1/1] UnixDomainSocketUtil.Connect (CRASHED)
1 test crashed:
    UnixDomainSocketUtil.Connect (../../ipc/unix_domain_socket_util_unittest.cc:157)

The code:
https://cs.chromium.org/chromium/src/ipc/unix_domain_socket_util_unittest.cc?q=unix_domain_socket_util_unittest.cc:157&sq=package:chromium&l=157

TEST(UnixDomainSocketUtil, Connect) {
  TestUnixSocketConnection connection;
  ASSERT_TRUE(connection.CreateServerSocket());
  ASSERT_TRUE(connection.CreateClientSocket());
}

Comment 1 by krasin@chromium.org, Oct 31 2016

The fix is under review: https://codereview.chromium.org/2468593002/

Comment 2 by bugdroid1@chromium.org, Nov 1 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/49c519ecea2ee0d83d0faf76b5f7c4cc2a92b0e0

commit 49c519ecea2ee0d83d0faf76b5f7c4cc2a92b0e0
Author: krasin <krasin@chromium.org>
Date: Tue Nov 01 20:15:22 2016

Fix undefined behavior in UnixDomainSocketUtil.Connect test.

After SocketAcceptor is destructed, the thread might still have been
attached to it, and an invalid cast on the already destructed object
was performed.

This bug was found under UBSan.

BUG= 660174 

Review-Url: https://codereview.chromium.org/2468593002
Cr-Commit-Position: refs/heads/master@{#429085}

[modify] https://crrev.com/49c519ecea2ee0d83d0faf76b5f7c4cc2a92b0e0/ipc/unix_domain_socket_util_unittest.cc
[modify] https://crrev.com/49c519ecea2ee0d83d0faf76b5f7c4cc2a92b0e0/testing/buildbot/chromium.fyi.json

Status: Fixed (was: Untriaged)
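Added illustration of the teardown ordering the commit message describes; this is not Chromium code and not the reviewed fix. The hypothetical Watcher stands in for the IO thread's FileDescriptorWatcher, the cut-down SocketAcceptor binds a member callback to |this| with no lifetime guard (what base::Unretained gives), and the Detach()/late_calls() liveness flag exists only so the wrong order can be observed without performing the undefined member call UBSan reported; RunTeardown() compares destroying the acceptor with and without stopping the watcher thread first.

```cpp
#include <atomic>
#include <chrono>
#include <functional>
#include <mutex>
#include <thread>
// Hypothetical stand-in for the IO thread's FileDescriptorWatcher: it keeps
// delivering "socket readable" events to the bound callback until stopped.
class Watcher {
 public:
  void StartWatching(std::function<void()> cb) {
    thread_ = std::thread([this, cb] {
      while (!stop_) {
        std::unique_lock<std::mutex> lk(mu_);
        // The real watcher calls cb() unconditionally (the member call UBSan
        // flagged); the flag only makes the broken ordering observable here.
        if (alive_) cb(); else ++late_calls_;
        lk.unlock();
        std::this_thread::sleep_for(std::chrono::milliseconds(1));
      }
    });
  }
  void Detach() { std::lock_guard<std::mutex> g(mu_); alive_ = false; }
  // Returns only once the thread can no longer invoke cb.
  void StopWatching() { stop_ = true; if (thread_.joinable()) thread_.join(); }
  ~Watcher() { StopWatching(); }
  int late_calls() const { return late_calls_; }
 private:
  std::mutex mu_; bool alive_ = true; std::thread thread_;
  std::atomic<bool> stop_{false}; std::atomic<int> late_calls_{0};
};
// Modeled on the test's SocketAcceptor: a member function bound to |this| with
// no lifetime guard, which is what base::Bind with base::Unretained(this) gives.
class SocketAcceptor {
 public:
  SocketAcceptor(Watcher* w, bool stop_first) : watcher_(w), stop_first_(stop_first) {
    watcher_->StartWatching([this] { ++accepted_; });  // OnFileCanReadWithoutBlocking
  }
  // The fix is the StopWatching() call: quiesce the thread before |this| dies.
  ~SocketAcceptor() { if (stop_first_) watcher_->StopWatching(); watcher_->Detach(); }
 private:
  Watcher* watcher_; bool stop_first_; int accepted_ = 0;
};
// Returns how many events reached the acceptor after it was destroyed.
int RunTeardown(bool stop_first) {
  Watcher watcher;
  { SocketAcceptor acceptor(&watcher, stop_first); }  // destroyed on the main thread
  if (!stop_first) while (watcher.late_calls() == 0) std::this_thread::yield();
  watcher.StopWatching();
  return watcher.late_calls();  // 0 with the fix, at least 1 without it
}
```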