Use-of-uninitialized-value in GpuImageDecodeCacheTest |
||||||||||
Issue descriptionhttps://build.chromium.org/p/chromium.memory.full/builders/Linux%20MSan%20Tests/builds/6967 Started with r462371: [ RUN ] GpuImageDecodeCacheTest.AtRasterUsedDirectlyIfSpaceAllows ==29354==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x527ba44 in downsample_2_2_srgb(void*, void const*, unsigned long, int) third_party/skia/src/core/SkMipMap.cpp:320:26 #1 0x527daef in SkMipMap::Build(SkPixmap const&, SkDestinationSurfaceColorMode, SkDiscardableMemory* (*)(unsigned long)) third_party/skia/src/core/SkMipMap.cpp:564:13 #2 0x529e238 in SkMipMap::Build(SkBitmap const&, SkDestinationSurfaceColorMode, SkDiscardableMemory* (*)(unsigned long)) third_party/skia/src/core/SkMipMap.cpp:693:12 #3 0x513345e in SkMipMapCache::AddAndRef(SkBitmap const&, SkDestinationSurfaceColorMode, SkResourceCache*) third_party/skia/src/core/SkBitmapCache.cpp:250:24 #4 0x51360f9 in SkDefaultBitmapControllerState::processMediumRequest(SkBitmapProvider const&) third_party/skia/src/core/SkBitmapController.cpp:187:28 #5 0x5136734 in SkDefaultBitmapControllerState::SkDefaultBitmapControllerState(SkBitmapProvider const&, SkMatrix const&, SkFilterQuality, bool) third_party/skia/src/core/SkBitmapController.cpp:223:64 #6 0x5136aab in SkInPlaceNewCheck<SkDefaultBitmapControllerState, SkBitmapProvider, SkMatrix, SkFilterQuality, bool> third_party/skia/include/private/SkTemplates.h:443:72 #7 0x5136aab in SkDefaultBitmapController::onRequestBitmap(SkBitmapProvider const&, SkMatrix const&, SkFilterQuality, void*, unsigned long) third_party/skia/src/core/SkBitmapController.cpp:244:0 #8 0x5133ef8 in SkBitmapController::requestBitmap(SkBitmapProvider const&, SkMatrix const&, SkFilterQuality, void*, unsigned long) third_party/skia/src/core/SkBitmapController.cpp:24:26 #9 0x4ae7703 in requestBitmap third_party/skia/src/core/SkBitmapController.h:46:22 #10 0x4ae7703 in SkImageShader::onAppendStages(SkRasterPipeline*, SkColorSpace*, SkArenaAlloc*, SkMatrix const&, SkPaint const&, SkMatrix const*) const third_party/skia/src/image/SkImageShader.cpp:229:0 #11 0x4a85f91 in SkShader::appendStages(SkRasterPipeline*, SkColorSpace*, SkArenaAlloc*, SkMatrix const&, SkPaint const&) const third_party/skia/src/core/SkShader.cpp:260:18 #12 0x52dec9e in SkRasterPipelineBlitter::Create(SkPixmap const&, SkPaint const&, SkMatrix const&, SkArenaAlloc*) third_party/skia/src/core/SkRasterPipelineBlitter.cpp:114:22 #13 0x51540b4 in SkBlitter::Choose(SkPixmap const&, SkMatrix const&, SkPaint const&, SkArenaAlloc*, bool) third_party/skia/src/core/SkBlitter.cpp:850:30 #14 0x48726a7 in SkAutoBlitterChoose third_party/skia/src/core/SkDraw.cpp:60:20 #15 0x48726a7 in SkDraw::drawRect(SkRect const&, SkPaint const&, SkMatrix const*, SkRect const*) const third_party/skia/src/core/SkDraw.cpp:835:0 #16 0x4878b5b in SkDraw::drawBitmap(SkBitmap const&, SkMatrix const&, SkRect const*, SkPaint const&) const third_party/skia/src/core/SkDraw.h:0:15 #17 0x513b727 in SkBitmapDevice::drawBitmapRect(SkBitmap const&, SkRect const*, SkRect const&, SkPaint const&, SkCanvas::SrcRectConstraint) third_party/skia/src/core/SkBitmapDevice.cpp:330:26 #18 0x4694250 in SkCanvas::internalDrawBitmapRect(SkBitmap const&, SkRect const*, SkRect const&, SkPaint const*, SkCanvas::SrcRectConstraint) third_party/skia/src/core/SkCanvas.cpp:2403:23 #19 0x4694bc1 in SkCanvas::onDrawBitmapRect(SkBitmap const&, SkRect const*, SkRect const&, SkPaint const*, SkCanvas::SrcRectConstraint) third_party/skia/src/core/SkCanvas.cpp:2413:11 #20 0x46809ca in drawBitmapRect third_party/skia/src/core/SkCanvas.cpp:1905:11 #21 0x46809ca in SkCanvas::drawBitmapRect(SkBitmap const&, SkRect const&, SkPaint const*, SkCanvas::SrcRectConstraint) third_party/skia/src/core/SkCanvas.cpp:1915:0 #22 0x49cec2f in SkPixmap::scalePixels(SkPixmap const&, SkFilterQuality) const third_party/skia/src/core/SkPixmap.cpp:259:27 #23 0x4ad27d8 in SkImage::scalePixels(SkPixmap const&, SkFilterQuality, SkImage::CachingHint) const third_party/skia/src/image/SkImage.cpp:76:45 #24 0x5012be1 in SkImage::getDeferredTextureImageData(GrContextThreadSafeProxy const&, SkImage::DeferredTextureImageUsageParams const*, int, void*, SkColorSpace*) const third_party/skia/src/image/SkImage_Gpu.cpp:641:28 #25 0x3c19335 in cc::GpuImageDecodeCache::DecodeImageIfNecessary(cc::DrawImage const&, cc::GpuImageDecodeCache::ImageData*) cc/tiles/gpu_image_decode_cache.cc:1120:34 #26 0x3c17436 in cc::GpuImageDecodeCache::GetDecodedImageForDraw(cc::DrawImage const&) cc/tiles/gpu_image_decode_cache.cc:531:3 #27 0x212954d in cc::(anonymous namespace)::GpuImageDecodeCacheTest_AtRasterUsedDirectlyIfSpaceAllows_Test::TestBody() cc/tiles/gpu_image_decode_cache_unittest.cc:914:13 Uninitialized value was stored to memory at #0 0x63678b in __msan_memcpy ??:0:0 #1 0x485f8da in SkData::PrivateNewWithCopy(void const*, unsigned long) third_party/skia/src/core/SkData.cpp:75:9 #2 0x485ff3d in SkData::MakeWithCopy(void const*, unsigned long) third_party/skia/src/core/SkData.cpp:103:12 #3 0x4add9bb in SkImage::MakeRasterCopy(SkPixmap const&) third_party/skia/src/image/SkImage_Raster.cpp:277:24 #4 0x4adf604 in SkMakeImageFromRasterBitmap(SkBitmap const&, SkCopyPixelsMode) third_party/skia/src/image/SkImage_Raster.cpp:327:20 #5 0x4ad47b1 in SkImage::MakeFromBitmap(SkBitmap const&) third_party/skia/src/image/SkImage.cpp:229:12 #6 0x20e44d3 in cc::(anonymous namespace)::CreateImage(int, int) cc/tiles/gpu_image_decode_cache_unittest.cc:35:10 #7 0x2128ace in cc::(anonymous namespace)::GpuImageDecodeCacheTest_AtRasterUsedDirectlyIfSpaceAllows_Test::TestBody() cc/tiles/gpu_image_decode_cache_unittest.cc:898:26 Uninitialized value was created by a heap allocation #0 0x63d8dd in __interceptor_malloc ??:0:0 #1 0x44a5b79 in base::UncheckedMalloc(unsigned long, void**) base/process/memory_linux.cc:203:13 #2 0x460d916 in sk_malloc_nothrow skia/ext/SkMemory_new_handler.cpp:75:19 #3 0x460d916 in sk_malloc_flags(unsigned long, unsigned int) skia/ext/SkMemory_new_handler.cpp:87:0 #4 0x48bc16d in operator() third_party/skia/src/core/SkMallocPixelRef.cpp:95:55 #5 0x48bc16d in __invoke third_party/skia/src/core/SkMallocPixelRef.cpp:95:0 #6 0x48bc16d in MakeUsing third_party/skia/src/core/SkMallocPixelRef.cpp:83:0 #7 0x48bc16d in SkMallocPixelRef::MakeAllocate(SkImageInfo const&, unsigned long, sk_sp<SkColorTable>) third_party/skia/src/core/SkMallocPixelRef.cpp:96:0 #8 0x46201b6 in SkBitmap::tryAllocPixels(SkImageInfo const&, unsigned long) third_party/skia/src/core/SkBitmap.cpp:336:28 #9 0x20e42d9 in allocPixels third_party/skia/include/core/SkBitmap.h:269:20 #10 0x20e42d9 in allocPixels third_party/skia/include/core/SkBitmap.h:279:0 #11 0x20e42d9 in cc::(anonymous namespace)::CreateImage(int, int) cc/tiles/gpu_image_decode_cache_unittest.cc:33:0 #12 0x2128ace in cc::(anonymous namespace)::GpuImageDecodeCacheTest_AtRasterUsedDirectlyIfSpaceAllows_Test::TestBody() cc/tiles/gpu_image_decode_cache_unittest.cc:898:26
,
Apr 11 2017
The patch in https://codereview.chromium.org/2801413002 is likely to change this path to avoid the issue. We'll likely need to re-investigate for linear blending in the future.
,
Apr 11 2017
,
Apr 11 2017
Issue 710484 has been merged into this issue.
,
Apr 11 2017
,
Apr 13 2017
https://codereview.chromium.org/2817443004/ disabled these tests on msan. But it's a real bug, so please reenable them once you think they should work.
,
Apr 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/995002514a6d75ab8065ff7e995ea9e9a1a93951 commit 995002514a6d75ab8065ff7e995ea9e9a1a93951 Author: jdoerrie <jdoerrie@chromium.org> Date: Thu Apr 13 16:04:17 2017 Disable another test failing on Linux MSAN tests on chromium.memory As a follow up to r464367 this conditionally disables GpuImageDecodeCacheTest.GetTaskForImageCanceledGetsNewTask TBR=thakis@chromium.org, danakj@chromium.org, fsamuel@chromium.org, dalecurtis@chromium.org BUG= 697171 , 709341 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Review-Url: https://codereview.chromium.org/2813213003 Cr-Commit-Position: refs/heads/master@{#464425} [modify] https://crrev.com/995002514a6d75ab8065ff7e995ea9e9a1a93951/cc/tiles/gpu_image_decode_cache_unittest.cc
,
Apr 13 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/7cefc60264ab620406f71fdb27e817b406465e94 commit 7cefc60264ab620406f71fdb27e817b406465e94 Author: thakis <thakis@chromium.org> Date: Thu Apr 13 17:56:05 2017 Update bug numbers of disabled MSan tests. https://codereview.chromium.org/2817443004/ used a tracking bug as TODO for various tests failing on MSan. Used one targeted bug per failing test instead. BUG= 697171 , 711318 , 709341 ,710486 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel TBR=danakj,dalecurtis Review-Url: https://codereview.chromium.org/2818763002 Cr-Commit-Position: refs/heads/master@{#464463} [modify] https://crrev.com/7cefc60264ab620406f71fdb27e817b406465e94/cc/tiles/gpu_image_decode_cache_unittest.cc [modify] https://crrev.com/7cefc60264ab620406f71fdb27e817b406465e94/chrome/browser/apps/guest_view/web_view_browsertest.cc [modify] https://crrev.com/7cefc60264ab620406f71fdb27e817b406465e94/media/renderers/video_renderer_impl_unittest.cc
,
Apr 13 2017
ccameron@, do you know why we're seeing this now? Feels like a bad bug if we're reading from uninitialized... is this because we're now hitting a Skia path we missed before due to color profiles (is this a Skia bug?).
,
Apr 14 2017
There are a handful of issues with the path which should be fixed by r464581 and r464458. I have a re-enable in https://codereview.chromium.org/2816173002 -- if we still see something in the tryjobs there, then it's worth talking with skia about the issue.
,
Apr 14 2017
Oop, the bug is still there. Matt, do you know the right person to route this to? ToT crash is at: https://luci-logdog.appspot.com/v/?s=chromium%2Fbb%2Ftryserver.chromium.linux%2Flinux_chromium_msan_rel_ng%2F611%2F%2B%2Frecipes%2Fsteps%2Fcc_unittests__with_patch_%2F0%2Flogs%2FGpuImageDecodeCacheTest.ShouldAggressivelyFreeResources%2F0 ==24299==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x52dc71b in downsample_2_2_srgb(void*, void const*, unsigned long, int) third_party/skia/src/core/SkMipMap.cpp:332:26 #1 0x52e1580 in SkMipMap::Build(SkPixmap const&, SkDestinationSurfaceColorMode, SkDiscardableMemory* (*)(unsigned long)) third_party/skia/src/core/SkMipMap.cpp:662:13 #2 0x53007e8 in SkMipMap::Build(SkBitmap const&, SkDestinationSurfaceColorMode, SkDiscardableMemory* (*)(unsigned long)) third_party/skia/src/core/SkMipMap.cpp:791:12 #3 0x51926b8 in SkMipMapCache::AddAndRef(SkBitmap const&, SkDestinationSurfaceColorMode, SkResourceCache*) third_party/skia/src/core/SkBitmapCache.cpp:412:24 #4 0x5196a69 in SkDefaultBitmapControllerState::processMediumRequest(SkBitmapProvider const&) third_party/skia/src/core/SkBitmapController.cpp:202:28 #5 0x51970a4 in SkDefaultBitmapControllerState::SkDefaultBitmapControllerState(SkBitmapProvider const&, SkMatrix const&, SkFilterQuality, bool) third_party/skia/src/core/SkBitmapController.cpp:238:64
,
Apr 14 2017
Hmm, on first look, I see two bugs... (1) We should not be using sRGB-correct mip-mapping (looks like this is somehow triggered by software scaling). (2) sRGB-correct mip-mapping should not be reading from uninitialized. I'm the right person to take a look.
,
Apr 14 2017
,
Apr 14 2017
The main waterfall is broken because of this too, see purple cc_unittests on https://build.chromium.org/p/chromium.memory/builders/Linux%20MSan%20Tests?numbuilds=200 If there's something you can revert (like the test enablement) to green things up until a real fix arrives, please do.
,
Apr 14 2017
As an update, I have a Skia change in flight to fix (1) from #12. But I don't think that is going to fix the MSAN failures (I'm having issues with local MSAN, so I'm not sure). Looking closer at the stack trace in #11, I think this is actually a new bug that may have been caused by some recent bitmap caching changes in Skia. Will keep digging.
,
Apr 14 2017
I can disable SoftwareImageDecodeCacheTest.GetTaskForImageDifferentColorSpace across the board -- it's testing functionality which isn't shipping (yet).
,
Apr 14 2017
(doing that in https://codereview.chromium.org/2818173002)
,
Apr 14 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/466bc2de9d83036de88b0eb612dbeae603fd547a commit 466bc2de9d83036de88b0eb612dbeae603fd547a Author: ccameron <ccameron@chromium.org> Date: Fri Apr 14 19:06:19 2017 Disable GetTaskForImageDifferentColorSpace on MSAN TBR=thakis BUG= 709341 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Review-Url: https://codereview.chromium.org/2818173002 Cr-Commit-Position: refs/heads/master@{#464769} [modify] https://crrev.com/466bc2de9d83036de88b0eb612dbeae603fd547a/cc/tiles/software_image_decode_cache_unittest.cc
,
Apr 14 2017
The following revision refers to this bug: https://skia.googlesource.com/skia/+/ade76e9236788120d8a1a4a7a252d8f66b8b9b02 commit ade76e9236788120d8a1a4a7a252d8f66b8b9b02 Author: Matt Sarett <msarett@google.com> Date: Fri Apr 14 20:29:12 2017 getDeferredTextureImageData(): use legacy scaling in legacy mode Bug:709341 Change-Id: I0dc1dcc3874f9741e0303e376a0ad4a68cd8b03e Reviewed-on: https://skia-review.googlesource.com/13500 Reviewed-by: Brian Osman <brianosman@google.com> Commit-Queue: Matt Sarett <msarett@google.com> [modify] https://crrev.com/ade76e9236788120d8a1a4a7a252d8f66b8b9b02/src/image/SkImage_Gpu.cpp
,
Apr 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/1b89b8d1e13e00b2ec19fcbce8056fd204cb1a0b commit 1b89b8d1e13e00b2ec19fcbce8056fd204cb1a0b Author: msarett <msarett@google.com> Date: Mon Apr 17 19:17:36 2017 GpuImageDecodeCache: Use legacy scaling We don't want to use sRGB correct mips in legacy mode. This is also a speculative fix for MSAN issues. BUG= 709341 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Review-Url: https://codereview.chromium.org/2823973002 Cr-Commit-Position: refs/heads/master@{#464969} [modify] https://crrev.com/1b89b8d1e13e00b2ec19fcbce8056fd204cb1a0b/cc/tiles/gpu_image_decode_cache.cc
,
Apr 17 2017
I can't remember for sure, but I think this repros locally on Linux. One could just set up MSAN and test it rather than speculatively make changes.
,
Apr 17 2017
I'm getting a MSAN error (and crash) in OSMesa during the test set-up (before the test actually runs). IIUC, to repro I would need to recompile the OSMesa on my machine with MSAN as well as any other test dependencies. I imagine that this is how the bot works. This seems really hard - so I'm just using the bot. Please let me know if I'm missing something and there is an easier way to get up and running! Typically I just run locally with Valgrind - but for some reason it isn't catching this particular error.
,
Apr 17 2017
We have prebuilt osmesa and whatnot libraries. https://www.chromium.org/developers/testing/memorysanitizer documents how to download them.
,
Apr 17 2017
@ #21, #23: That's great to know, thanks! Reassigning to Chris, I think he should be able to reenable the tests now.
,
Apr 17 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/ba774d82258e8090c70077ee34fd32cf888c33e8 commit ba774d82258e8090c70077ee34fd32cf888c33e8 Author: msarett <msarett@google.com> Date: Mon Apr 17 21:27:58 2017 Initialize SkImage memory in gpu_image_decode_cache_unittest Skia legacy mips only load-do math-store, so they don't care if the SkImage is uninitialized. Skia srgb-correct mips may use a table lookup, so MSAN compains that the memory is uninitialized. The original MSAN bug was fixed by using the legacy mips (since that was what we wanted anyway), but let's initialize the SkImage in the test anyway. This makes logical sense and will avoid a future bug in the case that we actually want the srgb-correct mips. BUG= 709341 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Review-Url: https://codereview.chromium.org/2824013002 Cr-Commit-Position: refs/heads/master@{#465025} [modify] https://crrev.com/ba774d82258e8090c70077ee34fd32cf888c33e8/cc/tiles/gpu_image_decode_cache_unittest.cc
,
Apr 27 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/e9fd73b521485674c0039982eecf6adf52520d9e commit e9fd73b521485674c0039982eecf6adf52520d9e Author: ccameron <ccameron@chromium.org> Date: Thu Apr 27 20:39:12 2017 Re-enable GpuImageDecodeCache test under MSAN TBR=thakis BUG= 709341 CQ_INCLUDE_TRYBOTS=master.tryserver.blink:linux_trusty_blink_rel Review-Url: https://codereview.chromium.org/2816173002 Cr-Commit-Position: refs/heads/master@{#467774} [modify] https://crrev.com/e9fd73b521485674c0039982eecf6adf52520d9e/cc/tiles/gpu_image_decode_cache_unittest.cc
,
Nov 20 2017
|
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by thestig@chromium.org
, Apr 11 2017