Issue 688518 link

Starred by 2 users

Issue metadata

Status: Fixed
Owner:
Closed: Feb 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




CFI: invalid cast in DeclarativeChromeContentRulesRegistryTest.ActiveRulesDoesntGrow

Project Member Reported by krasin@chromium.org, Feb 3 2017

Issue description

Chrome Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
(1) Build unit_tests with Control Flow Integrity:

$ GYP_DEFINES='buildtype=Official' gclient sync
$ gn gen out/cfi-diag '--args=is_debug=false is_cfi=true use_cfi_diag=true use_cfi_cast=true symbol_level=1 dcheck_always_on=true' --check
$ ninja -C out/cfi-diag unit_tests

See more details at https://www.chromium.org/developers/testing/control-flow-integrity

(2) Run DeclarativeChromeContentRulesRegistryTest.ActiveRulesDoesntGrow test case:

./out/cfi-diag/unit_tests --gtest_filter=DeclarativeChromeContentRulesRegistryTest.ActiveRulesDoesntGrow

Failure:

../../content/test/test_web_contents.cc:53:10: runtime error: control flow integrity check for type 'content::TestRenderFrameHost' failed during base-to-derived cast (vtable address 0x00000a65fca0)
0x00000a65fca0: note: vtable is of type 'content::RenderFrameHostImpl'
 00 00 00 00  50 3c eb 01 00 00 00 00  10 e0 0e 09 00 00 00 00  10 e0 0e 09 00 00 00 00  10 e0 0e 09

This is very similar to https://crbug.com/516528.
The issue was first detected by the 'CFI Linux ToT' bot in https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20ToT/builds/5693 and the 'CFI Linux Full' bot in https://build.chromium.org/p/chromium.fyi/builders/CFI%20Linux%20Full/builds/1334, but none of the commits from the intersection look relevant.
 
Stack trace:

Breakpoint 1, content::TestWebContents::GetMainFrame() () at ../../content/test/test_web_contents.cc:53
53        return static_cast<TestRenderFrameHost*>(WebContentsImpl::GetMainFrame());
(gdb) bt
#0  content::TestWebContents::GetMainFrame() () at ../../content/test/test_web_contents.cc:53
#1  0x0000000000d4f3a8 in extensions::DeclarativeChromeContentRulesRegistryTest_ActiveRulesDoesntGrow_Test::TestBody() () at ../../chrome/browser/extensions/api/declarative_content/chrome_content_rules_registry_unittest.cc:155
#2  0x000000000377fdc1 in testing::Test::Run() () at ../../testing/gtest/src/gtest.cc:2474
#3  0x00000000037818a4 in testing::TestInfo::Run() () at ../../testing/gtest/src/gtest.cc:2656
#4  0x0000000003781bb2 in testing::TestCase::Run() () at ../../testing/gtest/src/gtest.cc:2774
#5  0x00000000037848f2 in testing::internal::UnitTestImpl::RunAllTests() () at ../../testing/gtest/src/gtest.cc:4647
#6  0x000000000378449d in testing::UnitTest::Run() () at ../../testing/gtest/src/gtest.cc:4255
#7  0x00000000032c5021 in base::TestSuite::Run() () at ../../base/test/test_suite.cc:271
#8  0x00000000032bd30e in int base::internal::Invoker<base::internal::BindState<int (content::UnitTestTestSuite::*)(), base::internal::UnretainedWrapper<content::UnitTestTestSuite> >, int ()>::RunImpl<int (content::UnitTestTestSuite::* const&)(), std::tuple<base::internal::UnretainedWrapper<content::UnitTestTestSuite> > const&, 0ul>(int (content::UnitTestTestSuite::* const&)(), std::tuple<base::internal::UnretainedWrapper<content::UnitTestTestSuite> > const&, base::IndexSequence<0ul>) () at ../../base/bind_internal.h:361
#9  0x00000000032c75af in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:211
#10 0x00000000032c7422 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) () at ../../base/test/launcher/unit_test_launcher.cc:453
#11 0x00000000032bd041 in main () at ../../chrome/test/base/run_all_unittests.cc:21
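Added illustration, not Chromium code: the class names are borrowed from the report, but the bodies, the factory hook and the helper names are constructed. It models why the static_cast at test_web_contents.cc:53 is only valid when the fixture has installed the test double, which is what the fix below does, and shows a checked variant that surfaces the mismatch without CFI.

```cpp
// Constructed model of the cast that CFI flagged (not Chromium's real code).
// TestRenderFrameHost derives from the production RenderFrameHostImpl; a
// downcast to the test type is only valid if the fixture created that type.
#include <memory>

struct RenderFrameHostImpl {
  virtual ~RenderFrameHostImpl() = default;  // polymorphic, has a vtable
};

struct TestRenderFrameHost : RenderFrameHostImpl {
  int test_only_counter = 0;  // test-only state absent from the base type
};

// Stand-in for the factory a fixture must override in SetUp() (hypothetical).
using FrameHostFactory = std::unique_ptr<RenderFrameHostImpl> (*)();

std::unique_ptr<RenderFrameHostImpl> MakeProductionFrameHost() {
  return std::make_unique<RenderFrameHostImpl>();  // what a bare test gets
}
std::unique_ptr<RenderFrameHostImpl> MakeTestFrameHost() {
  return std::make_unique<TestRenderFrameHost>();  // what the fix installs
}

struct TestWebContents {
  explicit TestWebContents(FrameHostFactory factory) : main_frame_(factory()) {}

  // Same shape as the flagged line: an unchecked base-to-derived cast.
  // Under -fsanitize=cfi-derived-cast this aborts when main_frame_ is really
  // a RenderFrameHostImpl; without CFI it is silent undefined behaviour.
  // Only call after DowncastIsValid() has confirmed the dynamic type.
  TestRenderFrameHost* GetMainFrameUnchecked() {
    return static_cast<TestRenderFrameHost*>(main_frame_.get());
  }

  // Checked variant: nullptr when the dynamic type is not the test type.
  TestRenderFrameHost* GetMainFrameChecked() {
    return dynamic_cast<TestRenderFrameHost*>(main_frame_.get());
  }

 private:
  std::unique_ptr<RenderFrameHostImpl> main_frame_;
};

// True when the factory produced an object for which the downcast is valid.
bool DowncastIsValid(FrameHostFactory factory) {
  TestWebContents contents(factory);
  return contents.GetMainFrameChecked() != nullptr;
}
```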
Cc: jam@chromium.org
Fix posted: https://codereview.chromium.org/2678563002/
Project Member Comment 3 by bugdroid1@chromium.org, Feb 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/17c45669733a9c6acc7f3a0d095a92f118eb0e2a

commit 17c45669733a9c6acc7f3a0d095a92f118eb0e2a
Author: krasin <krasin@chromium.org>
Date: Mon Feb 06 20:19:22 2017

Properly set up TestRenderFrameHost in DeclarativeChromeContentRulesRegistryTest.

This fixes an invalid cast detected by Control Flow Integrity
check.

BUG= 688518 

Review-Url: https://codereview.chromium.org/2678563002
Cr-Commit-Position: refs/heads/master@{#448370}

[modify] https://crrev.com/17c45669733a9c6acc7f3a0d095a92f118eb0e2a/chrome/browser/extensions/api/declarative_content/chrome_content_rules_registry_unittest.cc

Status: Fixed (was: Assigned)
