unit_tests, ASAN, mac. ConfirmBubbleControllerTest
Reported by dyaros...@yandex-team.ru, Jun 16 2017
Issue description
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3071.86 YaBrowser/17.7.0.1004 Yowser/2.5 Safari/537.36
Steps to reproduce the problem:
Run unit_tests on mac with address sanitizer.
What is the expected behavior?
What went wrong?
==41601==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000112d78 at pc 0x00010b4c90d9 bp 0x7fff59012eb0 sp 0x7fff59012ea8
WRITE of size 1 at 0x608000112d78 thread T0
#0 0x10b4c90d8 in (anonymous namespace)::TestConfirmBubbleModel::~TestConfirmBubbleModel() confirm_bubble_controller_unittest.mm:57
#1 0x7fffd699bbb3 in object_cxxDestructFromClass(objc_object*, objc_class*) (libobjc.A.dylib:x86_64h+0x10bb3)
#2 0x7fffd69945f5 in objc_destructInstance (libobjc.A.dylib:x86_64h+0x95f5)
#3 0x115a26aba in (anonymous namespace)::ZombieDealloc(objc_object*, objc_selector*) objc_zombie.mm:117
#4 0x7fffbf5f965a in -[NSResponder dealloc] (AppKit:x86_64+0x3a65a)
#5 0x7fffbf8c6c0d in -[NSViewController dealloc] (AppKit:x86_64+0x307c0d)
#6 0x7fffbf64ca98 in -[NSViewController release] (AppKit:x86_64+0x8da98)
#7 0x7fffd72b9951 in _Block_release (libsystem_blocks.dylib:x86_64+0x951)
#8 0x7fffd72b9951 in _Block_release (libsystem_blocks.dylib:x86_64+0x951)
#9 0x7fffd724f8fb in _dispatch_client_callout (libdispatch.dylib:x86_64+0x18fb)
#10 0x7fffd725caab in _dispatch_main_queue_callback_4CF (libdispatch.dylib:x86_64+0xeaab)
#11 0x7fffc1b4abc8 in __CFRUNLOOP_IS_SERVICING_THE_MAIN_DISPATCH_QUEUE__ (CoreFoundation:x86_64h+0xc6bc8)
#12 0x7fffc1b0bc0c in __CFRunLoopRun (CoreFoundation:x86_64h+0x87c0c)
#13 0x7fffc1b0b113 in CFRunLoopRunSpecific (CoreFoundation:x86_64h+0x87113)
#14 0x7fffc106cebb in RunCurrentEventLoopInMode (HIToolbox:x86_64+0x30ebb)
#15 0x7fffc106cbf8 in ReceiveNextEventCommon (HIToolbox:x86_64+0x30bf8)
#16 0x7fffc106cb25 in _BlockUntilNextEventMatchingListInModeWithFilter (HIToolbox:x86_64+0x30b25)
#17 0x7fffbf605a53 in _DPSNextEvent (AppKit:x86_64+0x46a53)
#18 0x7fffbfd817ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (AppKit:x86_64+0x7c27ed)
#19 0x113e24a0b in __71-[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:]_block_invoke chrome_browser_application_mac.mm:187
#20 0x11357fd19 in base::mac::CallWithEHFrame(void () block_pointer) (unit_tests:x86_64+0x10c996d19)
#21 0x113e245ea in -[BrowserCrApplication nextEventMatchingMask:untilDate:inMode:dequeue:] chrome_browser_application_mac.mm:186
#22 0x112e9dc71 in ui::CocoaTest::TearDown() ui_cocoa_test_helper.mm:171
#23 0x10bf85bc3 in testing::TestInfo::Run() gtest.cc:2653
#24 0x10bf86f16 in testing::TestCase::Run() gtest.cc:2771
#25 0x10bf9a466 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4648
#26 0x10bf99a18 in testing::UnitTest::Run() gtest.cc:4256
#27 0x11112504e in base::TestSuite::Run() test_suite.cc:271
#28 0x111151f77 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) callback.h:80
#29 0x111151c03 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) unit_test_launcher.cc:458
#30 0x111101da1 in main run_all_unittests.cc:30
#31 0x7fffd7285234 in start (libdyld.dylib:x86_64+0x5234)
0x608000112d78 is located 88 bytes inside of 96-byte region [0x608000112d20,0x608000112d80)
freed by thread T0 here:
#0 0x12f8b49c2 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x619c2)
#1 0x10bf85ce3 in testing::TestInfo::Run() gtest.h:453
#2 0x10bf86f16 in testing::TestCase::Run() gtest.cc:2771
#3 0x10bf9a466 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4648
#4 0x10bf99a18 in testing::UnitTest::Run() gtest.cc:4256
#5 0x11112504e in base::TestSuite::Run() test_suite.cc:271
#6 0x111151f77 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) callback.h:80
#7 0x111151c03 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) unit_test_launcher.cc:458
#8 0x111101da1 in main run_all_unittests.cc:30
#9 0x7fffd7285234 in start (libdyld.dylib:x86_64+0x5234)
previously allocated by thread T0 here:
#0 0x12f8b43c2 (libclang_rt.asan_osx_dynamic.dylib:x86_64+0x613c2)
#1 0x10b4c8870 in testing::internal::TestFactoryImpl<ConfirmBubbleControllerTest_ClickOk_Test>::CreateTest() gtest-internal.h:484
#2 0x10bf85aee in testing::TestInfo::Run() gtest.cc:2644
#3 0x10bf86f16 in testing::TestCase::Run() gtest.cc:2771
#4 0x10bf9a466 in testing::internal::UnitTestImpl::RunAllTests() gtest.cc:4648
#5 0x10bf99a18 in testing::UnitTest::Run() gtest.cc:4256
#6 0x11112504e in base::TestSuite::Run() test_suite.cc:271
#7 0x111151f77 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) callback.h:80
#8 0x111151c03 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) unit_test_launcher.cc:458
#9 0x111101da1 in main run_all_unittests.cc:30
#10 0x7fffd7285234 in start (libdyld.dylib:x86_64+0x5234)
SUMMARY: AddressSanitizer: heap-use-after-free confirm_bubble_controller_unittest.mm:57 in (anonymous namespace)::TestConfirmBubbleModel::~TestConfirmBubbleModel()
Shadow bytes around the buggy address:
0x1c1000022550: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000022560: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000022570: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000022580: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c1000022590: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c10000225a0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd[fd]
0x1c10000225b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c10000225c0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c10000225d0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c10000225e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x1c10000225f0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==41601==ABORTING
Received signal 6
[0x00011351c57c]
[0x00011351c2d5]
[0x7fffd7494b3a]
[0x000000000003]
[0x7fffd7319420]
[0x00012f8c8866]
[0x00012f8c7894]
[0x00012f8adfb7]
[0x00012f8ada12]
[0x00012f8ae9ee]
[0x00010b4c90d9]
[0x7fffd699bbb4]
[0x7fffd69945f6]
[0x000115a26abb]
[0x7fffbf5f965b]
[0x7fffbf8c6c0e]
[0x7fffbf64ca99]
[0x7fffd72b9952]
[0x7fffd72b9952]
[0x7fffd724f8fc]
[0x7fffd725caac]
[0x7fffc1b4abc9]
[0x7fffc1b0bc0d]
[0x7fffc1b0b114]
[0x7fffc106cebc]
[0x7fffc106cbf9]
[0x7fffc106cb26]
[0x7fffbf605a54]
[0x7fffbfd817ee]
[0x000113e24a0c]
[0x00011357fd1a]
[0x000113e245eb]
[0x000112e9dc72]
[0x00010bf85bc4]
[0x00010bf86f17]
[0x00010bf9a467]
[0x00010bf99a19]
[0x00011112504f]
[0x000111151f78]
[0x000111151c04]
[0x000111101da2]
[0x7fffd7285235]
[end of stack trace]
Crashed report ID:
How much crashed? Just one tab
Is it a problem with a plugin? No
Did this work before? N/A
Chrome version: master Channel: n/a
OS Version: OS X 10.12.5
Flash Version: Shockwave Flash 26.0 r0
Jun 19 2017
Jul 6 2017
Sep 20 2017
Sep 20 2017
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/0005a85ef2170612825800393186a4b4a506509f

commit 0005a85ef2170612825800393186a4b4a506509f
Author: Jayson Adams <shrike@chromium.org>
Date: Wed Sep 20 22:21:23 2017

[Mac] Fix ASAN failure in ConfirmBubbleControllerTest unit test.

ConfirmBubbleControllerTest contains a TestConfirmBubbleModel ivar and several bool ivars. When ConfirmBubbleControllerTest creates the TestConfirmBubbleModel it passes pointers to its bool ivars. Ordinarily it should always be safe for TestConfirmBubbleModel to use the bool pointers because its lifetime cannot extend beyond theirs (the ConfirmBubbleControllerTest owns the bools and the TestConfirmBubbleModel). However, after ConfirmBubbleControllerTest creates the TestConfirmBubbleModel it passes ownership of that object to the ConfirmBubbleController via the std::unique_ptr / std::move pattern. Because the ConfirmBubbleControllerTest no longer owns the TestConfirmBubbleModel, no assumptions can be made about the relative lifetimes of the two objects.

The ASAN bug is a heap access after free where the TestConfirmBubbleModel attempts to write to one of the bools after the ConfirmBubbleControllerTest has been freed. The bool in question tracked when the model was deleted, but no part of the test code actually checked the state of that bool. Removing the bool fixes the ASAN problem and does not alter the correctness of the test.

R=mark@chromium.org

Bug: 734019
Change-Id: Iffb034db91443c5663ebe74be603a5bfaee061ce
Reviewed-on: https://chromium-review.googlesource.com/676136
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Jayson Adams <shrike@chromium.org>
Cr-Commit-Position: refs/heads/master@{#503268}

[modify] https://crrev.com/0005a85ef2170612825800393186a4b4a506509f/chrome/browser/ui/cocoa/confirm_bubble_controller_unittest.mm
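The commit message above describes a lifetime hazard that is easy to reproduce outside Chromium: a fixture hands raw pointers to its own members into a model, then gives the model away via std::unique_ptr / std::move, so the model can outlive the fixture and its destructor writes into freed memory. The following is an added example, not Chromium code and not the fix the commit applied (the commit simply removed the unused bool). All names here (TestFlags, Model, Controller, Fixture, g_skipped_writes) are constructed stand-ins for the classes in the commit message. Instead of raw bool pointers, the model observes the fixture's flags through a std::weak_ptr, so both destruction orders are safe and testable: when the fixture dies first, the destructor's lock() fails and nothing is written.

```cpp
// Added example (not Chromium code): ownership handoff from the commit
// message, with a lifetime-safe observer instead of raw bool pointers.
#include <cstdio>
#include <memory>
#include <utility>

// Stand-in for the bool ivars of the test fixture (constructed names).
struct TestFlags {
  bool accepted = false;
  bool model_deleted = false;
};

// Counts destructor writes that were suppressed because the owner was gone.
// With raw bool* each of these would have been a heap-use-after-free write.
int g_skipped_writes = 0;

// Stand-in for TestConfirmBubbleModel. It holds a weak_ptr, not a raw pointer,
// so it can tell whether the fixture that created it still exists.
class Model {
 public:
  explicit Model(std::weak_ptr<TestFlags> flags) : flags_(std::move(flags)) {}
  ~Model() {
    if (auto f = flags_.lock()) {
      f->model_deleted = true;   // fixture alive: safe to record the deletion
    } else {
      ++g_skipped_writes;        // fixture already freed: do not touch it
    }
  }
  void Accept() {
    if (auto f = flags_.lock()) f->accepted = true;
  }
 private:
  std::weak_ptr<TestFlags> flags_;
};

// Stand-in for ConfirmBubbleController: takes ownership of the model through
// unique_ptr, the std::move handoff the commit message describes.
class Controller {
 public:
  explicit Controller(std::unique_ptr<Model> model) : model_(std::move(model)) {}
  void ClickOk() { model_->Accept(); }
 private:
  std::unique_ptr<Model> model_;
};

// Stand-in for the test fixture. Its flags live behind a shared_ptr that only
// the fixture owns; the model gets a weak reference, never shared ownership.
class Fixture {
 public:
  Fixture() : flags_(std::make_shared<TestFlags>()) {}
  std::unique_ptr<Model> MakeModel() { return std::make_unique<Model>(flags_); }
  const TestFlags& flags() const { return *flags_; }
  std::weak_ptr<TestFlags> Observe() const { return flags_; }
 private:
  std::shared_ptr<TestFlags> flags_;
};

// Order 1: controller (and model) destroyed before the fixture. The deletion
// flag is observable by the fixture. Returns true when both flags were set.
bool ControllerDiesFirst() {
  Fixture fixture;
  {
    Controller controller(fixture.MakeModel());
    controller.ClickOk();
  }  // ~Controller -> ~Model -> flag written while the fixture is still alive
  return fixture.flags().accepted && fixture.flags().model_deleted;
}

// Order 2: fixture destroyed first, the order ASan reported (the controller's
// release ran from the run loop after the fixture was gone). Returns true when
// the flags block was really freed and the model's destructor skipped its write.
bool FixtureDiesFirst() {
  const int before = g_skipped_writes;
  std::unique_ptr<Controller> controller;
  std::weak_ptr<TestFlags> probe;
  {
    Fixture fixture;
    controller = std::make_unique<Controller>(fixture.MakeModel());
    controller->ClickOk();
    probe = fixture.Observe();
  }  // ~Fixture: the only shared_ptr is gone, so TestFlags is freed here
  const bool fixture_gone = probe.expired();
  controller.reset();  // ~Controller -> ~Model; lock() fails, no write to freed memory
  return fixture_gone && g_skipped_writes == before + 1;
}

int main() {
  std::printf("controller dies first: %s\n", ControllerDiesFirst() ? "ok" : "FAIL");
  std::printf("fixture dies first:    %s\n", FixtureDiesFirst() ? "ok" : "FAIL");
  return 0;
}
```

The same program built with the weak_ptr replaced by a raw `bool*` is what ASan flagged: the second ordering becomes a 1-byte WRITE into a freed region from the model's destructor, exactly as in the report above. Running the raw-pointer variant under `-fsanitize=address` is the quickest regression check for this class of bug once an object's ownership is transferred out of the object that supplied its pointers.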
Sep 20 2017
Comment 1 by rsesek@chromium.org, Jun 17 2017