New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 661209 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Nov 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 1
Type: Bug

Blocked on:
issue 665063

Blocking:
issue 649483



Sign in to add a comment

Win Clang ASAN does not detect null ptr crashes.

Project Member Reported by infe...@chromium.org, Nov 1 2016

Issue description

See https://cluster-fuzz.appspot.com/v2/testcase-detail/6634625733754880, ASAN exception handler does not kick it again, just like what happened before - https://bugs.chromium.org/p/chromium/issues/detail?id=626373.

Reid, can you please take a look.
 
Cc: och...@chromium.org
I don't see any security crashes at all as well in last 7 days - https://cluster-fuzz.appspot.com/crashstats?fuzzer_name=All&job_type=windows_asan_chrome&security_flag=Both&date_start=2016-10-24&date_end=2016-11-01. So, it could be Win Clang ASAN is completely broken. 

Comment 4 by r...@chromium.org, Nov 3 2016

I can look into this next Monday after the LLVM dev meeting.

Comment 5 by aarya@google.com, Nov 4 2016

Cc: tanin@chromium.org
Thanks Reid.

Comment 6 by r...@chromium.org, Nov 7 2016

There's a bunch of low-hanging issues on the asan coverage bot that I'm going to look into first:
https://build.chromium.org/p/chromium.fyi/builders/CrWinAsanCov%20tester/builds/696

Essentially, that bot is red because dynamic-tools-team makes changes to sanitizer coverage and I don't have the bandwidth to keep it green by myself.

Comment 7 by r...@chromium.org, Nov 7 2016

 Issue 637048  has been merged into this issue.

Comment 8 by rnk@google.com, Nov 11 2016

A (probably unrelated) bug was making it really hard to debug this. I fixed that in LLVM r286290. I'd recommend building chromium with that version of the asan runtime if anyone else is trying to debug this.

Comment 9 by rnk@google.com, Nov 11 2016

LLVM r286615 should fix a crash on startup in osmesa.dll. That should fix a lot of the test failures on the CrWinAsanCov bot.

Comment 10 by rnk@google.com, Nov 11 2016

I'm seeing a crash on startup in chrome.dll here:
  static void WriteJumpInstruction(uptr from, uptr target) {
    if (!DistanceIsWithin2Gig(from + kJumpInstructionLength, target))
      InterceptionFailed(__LINE__);
    ptrdiff_t offset = target - from - kJumpInstructionLength;
    *(u8*)from = 0xE9;
    *(u32*)(from + 1) = offset;
  }

Chrome is getting loaded at 0x7FFF0000, and the code we are patching is way up around 0x9780e7e6, and chrome.exe and the asan runtime is down at 0x00330000-0x010d8000.

chrome.dll itself is about 468MB. It's possible this is just too much code to work in a 32-bit address space.

Comment 11 by r...@chromium.org, Nov 14 2016

The osmesa bug fix significantly cleaned up the waterfall:
https://build.chromium.org/p/chromium.fyi/builders/CrWinAsanCov%20tester/builds/714

Now there's only one remaining chrome_elf test failure, which is not coverage related, and is already filed here: https://bugs.chromium.org/p/chromium/issues/detail?id=646414

Waterfall aside, the actual chrome crash on startup still needs investigation.

Comment 12 by aarya@google.com, Nov 14 2016

Latest result from today's uploads.

1) Chrome's exception handler is kicking in first, so we dont get sanitizer stack - https://cluster-fuzz.appspot.com/v2/testcase-detail/5963159136632832.
2) Content shell job type is working fine - https://cluster-fuzz.appspot.com/v2/testcase-detail/5633286237061120
Haven't verified with a use-after-free or buffer overflow testcase. Don't even know why we are not crashing on startup on CF for Chrome.

Comment 13 by r...@chromium.org, Nov 15 2016

Cc: chrisha@chromium.org scottmg@chromium.org mark@chromium.org rsesek@chromium.org
Components: Internals>CrashReporting
This looks like it's because of crashpad. There's 3 calls to SetUnhandledExceptionFilter on process startup now:
1. CRT
2. ASan
3. crashpad

Crashpad's exception filter signals the crashpad process to take a crash dump and then waits indefinitely. It does not delegate the ASan's exception handler like the //base stack dumper does.

What should happen here? The easy thing to fix CF would be to disable crashpad in LLVM ASan builds. However, if we ship LLVM ASan to users, we need to wire the crash report through crashpad the way SyzyASan does.
Normally, Crashpad tries to avoid subsequent callers here: https://cs.chromium.org/chromium/src/chrome_elf/chrome_elf_main.cc?rcl=0&l=35. But it's not doing that at the moment due to https://bugs.chromium.org/p/chromium/issues/detail?id=655788, so I unfortunately can't say confidently who gets to last SetUEF, depending on what revision we're talking about. (I'm also not sure where asan tries to SetUEF.)

For dev builds using the ADDRESS_SANITIZER #define seems like the simplest way. I'm not sure about shipping to users. I feel like chrome_elf DllMain() is probably where that decision should happen though.


Comment 15 by aarya@google.com, Nov 15 2016

We are not shipping ASAN builds to users yet. Till we decide how to properly solve this, can we please disable this for ASAN builds to unblock fuzz testing on windows.

Comment 16 by r...@chromium.org, Nov 15 2016

Maybe we should arrange for crashpad's exception filter to call ASan's crash handler. Then we can remove that ifdef I added in https://codereview.chromium.org/2220583002/.

Comment 17 by r...@chromium.org, Nov 15 2016

I wanted to add a test this time around. I can see lots of examples of how to write a test that crashes a renderer by searching for kChromeUICrashURL, but I don't see any examples of capturing renderer logs. Are there any tools I should use to capture the renderer's stderr?
Maybe something like this one? https://cs.chromium.org/chromium/src/content/test/content_browser_test_test.cc?q=MANUAL_RendererCrash&sq=package:chromium&l=61

It's disabled for some silly reason, Dr. Memory bots or something (? I forget), but basically just a test that re-runs a MANUAL_ test capturing output.

John added base::GetAppOutputAndError to do that one; you might need a slight modification if you only want stderr.

Comment 19 by r...@chromium.org, Nov 15 2016

It looks like content_browsertests doesn't use crashpad, so this wouldn't test the fix. Maybe just a unit test in crashpad would be enough. The crashpad multiprocess testing code looks nice, but I don't see an existing way to capture stderr, which is where the asan report is going to come from. Should I go ahead and add that functionality?

Comment 20 by r...@chromium.org, Nov 15 2016

Well, anyway, this fixes the issue, but it could use a real test:
https://codereview.chromium.org/2504773002/

Comment 21 by r...@chromium.org, Nov 21 2016

Blockedon: 665063
Also needs a clang roll, which is  bug 665063 .
Project Member

Comment 22 by bugdroid1@chromium.org, Nov 30 2016

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c9175dab5210cb05151ee27dc3e9bd54439650e2

commit c9175dab5210cb05151ee27dc3e9bd54439650e2
Author: rnk <rnk@chromium.org>
Date: Wed Nov 30 07:57:26 2016

Have crashpad call ASan's crash handler if present

This ensures that ClusterFuzz will see an ASan report for null
dereferences.

We can also remove chrome_elf's ifdefs after this change, since
we don't need ASan's call to SetUnhandledExceptionFilter to succeed.

R=mark@chromium.org
TBR=pennymac@chromium.org
BUG= 661209 
CQ_INCLUDE_TRYBOTS=master.tryserver.chromium.win:win10_chromium_x64_rel_ng

Review-Url: https://codereview.chromium.org/2504773002
Cr-Commit-Position: refs/heads/master@{#435147}

[modify] https://crrev.com/c9175dab5210cb05151ee27dc3e9bd54439650e2/chrome_elf/chrome_elf_main.cc
[modify] https://crrev.com/c9175dab5210cb05151ee27dc3e9bd54439650e2/third_party/crashpad/README.chromium
[modify] https://crrev.com/c9175dab5210cb05151ee27dc3e9bd54439650e2/third_party/crashpad/crashpad/client/crashpad_client_win.cc

Comment 23 by aarya@google.com, Nov 30 2016

Status: Fixed (was: Assigned)

Sign in to add a comment