
Issue 662238

Issue metadata

Status: Archived
Owner: ----
Closed: Jan 10
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug



Undefined behavior in PersistentMemoryAllocator constructor

Project Member Reported by krasin@chromium.org, Nov 4 2016

Issue description

Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
(1) Add a line into tools/ubsan/vptr_blacklist.txt:

src:*/v8/*

(2) Build browser_tests with UBSan:
gn gen out/ubsan '--args=is_debug=false is_ubsan_no_recover=true is_ubsan_vptr=true is_ubsan_null=true symbol_level=2' --check

(3) Run MediaRouterElementsBrowserTest.MediaRouterContainerSearch test:

$ ./out/ubsan/browser_tests --gtest_filter=MediaRouterElementsBrowserTest.MediaRouterContainerSearch 
...
[ RUN      ] MediaRouterElementsBrowserTest.MediaRouterContainerSearch
../../base/metrics/persistent_memory_allocator.cc:310:3: runtime error: member access within null pointer of type 'base::PersistentMemoryAllocator::SharedMetadata'
    #0 0x457dcd9 in base::PersistentMemoryAllocator::PersistentMemoryAllocator(base::PersistentMemoryAllocator::Memory, unsigned long, unsigned long, unsigned long, base::BasicStringPiece<std::string>, bool) base/metrics/persistent_memory_allocator.cc:310:3
    #1 0x458021e in base::LocalPersistentMemoryAllocator::LocalPersistentMemoryAllocator(unsigned long, unsigned long, base::BasicStringPiece<std::string>) base/metrics/persistent_memory_allocator.cc:772:7
    #2 0x457bb12 in MakeUnique<base::LocalPersistentMemoryAllocator, unsigned long &, unsigned long &, base::BasicStringPiece<std::string> &> base/memory/ptr_util.h:56:33
    #3 0x457bb12 in base::GlobalHistogramAllocator::CreateWithLocalMemory(unsigned long, unsigned long, base::BasicStringPiece<std::string>) base/metrics/persistent_histogram_allocator.cc:701
    #4 0x4ec0d98 in InstantiatePersistentHistograms chrome/browser/chrome_browser_field_trials.cc:86:5
    #5 0x4ec0d98 in ChromeBrowserFieldTrials::InstantiateDynamicTrials() chrome/browser/chrome_browser_field_trials.cc:156
    #6 0x4ec0c42 in ChromeBrowserFieldTrials::SetupFieldTrials() chrome/browser/chrome_browser_field_trials.cc:139:3
    #7 0x4c98925 in ChromeBrowserMainParts::SetupFieldTrials() chrome/browser/chrome_browser_main.cc:765:25
    #8 0x4c9d5c0 in ChromeBrowserMainParts::PreCreateThreadsImpl() chrome/browser/chrome_browser_main.cc:1230:3
    #9 0x4c9afcb in ChromeBrowserMainParts::PreCreateThreads() chrome/browser/chrome_browser_main.cc:952:18
    #10 0x3491c39 in content::BrowserMainLoop::PreCreateThreads() content/browser/browser_main_loop.cc:742:28
    #11 0x3bad5e7 in Run base/callback.h:64:12
    #12 0x3bad5e7 in content::StartupTaskRunner::RunAllTasksNow() content/browser/startup_task_runner.cc:45
    #13 0x3492aae in content::BrowserMainLoop::CreateStartupTasks() content/browser/browser_main_loop.cc:850:25
    #14 0x349bff5 in content::BrowserMainRunnerImpl::Initialize(content::MainFunctionParams const&) content/browser/browser_main_runner.cc:140:17
    #15 0x348d438 in content::BrowserMain(content::MainFunctionParams const&) content/browser/browser_main.cc:42:32
    #16 0x4501fdc in content::ContentMainRunnerImpl::Run() content/app/content_main_runner.cc:776:12
    #17 0x44fee0e in content::ContentMain(content::ContentMainParams const&) content/app/content_main.cc:20:28
    #18 0x554bd45 in content::BrowserTestBase::SetUp() content/public/test/browser_test_base.cc:308:3
    #19 0x4664528 in InProcessBrowserTest::SetUp() chrome/test/base/in_process_browser_test.cc:251:20
    #20 0x648973d in testing::Test::Run() testing/gtest/src/gtest.cc:2470:3
    #21 0x648afce in testing::TestInfo::Run() testing/gtest/src/gtest.cc:2656:11
    #22 0x648c147 in testing::TestCase::Run() testing/gtest/src/gtest.cc:2774:28
    #23 0x64996e7 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/src/gtest.cc:4647:43
    #24 0x6498899 in testing::UnitTest::Run() testing/gtest/src/gtest.cc:4255:10
    #25 0x467d3ea in RUN_ALL_TESTS testing/gtest/include/gtest/gtest.h:2237:46
    #26 0x467d3ea in base::TestSuite::Run() base/test/test_suite.cc:246
    #27 0x45168ab in ChromeTestSuiteRunner::RunTestSuite(int, char**) chrome/test/base/chrome_test_launcher.cc:58:38
    #28 0x55e9a46 in content::LaunchTests(content::TestLauncherDelegate*, int, int, char**) content/public/test/test_launcher.cc:520:31
    #29 0x4516693 in main chrome/test/base/browser_tests_main.cc:15:10
    #30 0x7f5d69a5ef44 in __libc_start_main /build/eglibc-oGUzwX/eglibc-2.19/csu/libc-start.c:287
    #31 0x70f560 in _start (/usr/local/google/home/krasin/chr31/src/out/ubsan/browser_tests+0x70f560)

This is due to the following code:
https://cs.chromium.org/chromium/src/base/metrics/persistent_memory_allocator.cc?q=base/metrics/persistent_memory_allocator.cc&sq=package:chromium&dr&l=308

  // These atomics operate inter-process and so must be lock-free. The local
  // casts are to make sure it can be evaluated at compile time to a constant.
  CHECK(((SharedMetadata*)0)->freeptr.is_lock_free());
  CHECK(((SharedMetadata*)0)->flags.is_lock_free());
  CHECK(((BlockHeader*)0)->next.is_lock_free());

Looks bogus, but probably harmless. Filing this to add a line in the ubsan vptr blacklist.
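
The pattern quoted above dereferences a null `SharedMetadata*`/`BlockHeader*` only to reach a member whose `is_lock_free()` result is a property of the atomic type, not of any object, which is exactly what UBSan flags. The following is an added example, not Chromium's code, showing the well-defined ways to perform the same check: a compile-time `static_assert` on `std::atomic<T>::is_always_lock_free` (C++17, guarded by its feature-test macro) and a runtime check on a real, constructed object. The stand-in structs mirror the field names from the report; the `uint32_t` field types are an assumption.

```cpp
// Added example (not Chromium code): lock-freedom checks without the
// null-pointer member access reported by UBSan.
#include <atomic>
#include <cstdint>
#include <cstdio>

// Stand-ins for the fields named in the report. Field types are assumed.
struct SharedMetadata {
  std::atomic<uint32_t> freeptr;
  std::atomic<uint32_t> flags;
};

struct BlockHeader {
  std::atomic<uint32_t> next;
};

// Compile-time form (C++17): is_always_lock_free is a static constexpr member
// of the atomic type, so it needs no object at all. A failing check becomes a
// build error rather than a runtime CHECK, which is what the original comment
// ("evaluated at compile time to a constant") was reaching for.
#if defined(__cpp_lib_atomic_is_always_lock_free)
static_assert(decltype(SharedMetadata::freeptr)::is_always_lock_free,
              "SharedMetadata::freeptr must be lock-free for inter-process use");
static_assert(decltype(SharedMetadata::flags)::is_always_lock_free,
              "SharedMetadata::flags must be lock-free for inter-process use");
static_assert(decltype(BlockHeader::next)::is_always_lock_free,
              "BlockHeader::next must be lock-free for inter-process use");
#endif

// Runtime form, valid in C++11 onward: query is_lock_free() on a real object.
// Value-initialised locals are cheap and there is no null dereference.
bool SharedMetadataIsLockFree() {
  SharedMetadata meta{};
  return meta.freeptr.is_lock_free() && meta.flags.is_lock_free();
}

bool BlockHeaderIsLockFree() {
  BlockHeader header{};
  return header.next.is_lock_free();
}

// Combined check in the shape a constructor could CHECK() on.
bool PersistentAllocatorAtomicsAreLockFree() {
  return SharedMetadataIsLockFree() && BlockHeaderIsLockFree();
}

int main() {
  std::printf("SharedMetadata lock-free: %s\n",
              SharedMetadataIsLockFree() ? "yes" : "no");
  std::printf("BlockHeader lock-free:    %s\n",
              BlockHeaderIsLockFree() ? "yes" : "no");
  return PersistentAllocatorAtomicsAreLockFree() ? 0 : 1;
}
```

On the x86-64 Linux build named in the report, 32-bit atomics are lock-free, so both the `static_assert`s pass and the runtime functions return true; the difference from the original code is only that UBSan's null-check no longer has anything to report.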
 
Labels: M-54
Status: Archived (was: Untriaged)
Archiving P3s older than 1 year with no owner or component.