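While repeatedly running base_unittests from a Linux ASan build to reproduce bug 735701, I hit this failure once.
It is not very reproducible, though.
In the report below, ASan flags a 1-byte read by thread T5 (created in MessagePumpLibeventTest::SetUp) inside WriteFDWrapper. The address belongs to `buf`, a stack local of the QuitWatcher test body on thread T0, and ASan classifies the access as stack-use-after-return.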
[ RUN ] MessagePumpLibeventTest.QuitWatcher
=================================================================
==20684==ERROR: AddressSanitizer: stack-use-after-return on address 0x7f88bd36fc80 at pc 0x000000640310 bp 0x7f88bbe730c0 sp 0x7f88bbe72870
READ of size 1 at 0x7f88bd36fc80 thread T5 (MessagePumpLibe)
#0 0x64030f in __interceptor_write ??:0:0
#1 0x7f88c34c50d3 in base::WriteFileDescriptor(int, char const*, int) /work/cr/src/out/Debug/../../base/files/file_util_posix.cc:776:9
#2 0x2a24ca4 in base::(anonymous namespace)::WriteFDWrapper(int, char const*, int, base::WaitableEvent*) /work/cr/src/out/Debug/../../base/message_loop/message_pump_libevent_unittest.cc:236:3
#3 0x2a293b6 in void base::internal::FunctorTraits<void (*)(int, char const*, int, base::WaitableEvent*), void>::Invoke<int, char const*, int, base::WaitableEvent*>(void (*)(int, char const*, int, base::WaitableEvent*), int&&, char const*&&, int&&, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:164:12
#4 0x2a29254 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (*)(int, char const*, int, base::WaitableEvent*), int, char const*, int, base::WaitableEvent*>(void (*&&)(int, char const*, int, base::WaitableEvent*), int&&, char const*&&, int&&, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:275:12
#5 0x2a291b8 in void base::internal::Invoker<base::internal::BindState<void (*)(int, char const*, int, base::WaitableEvent*), int, char const*, int>, void (base::WaitableEvent*)>::RunImpl<void (*)(int, char const*, int, base::WaitableEvent*), std::__1::tuple<int, char const*, int>, 0ul, 1ul, 2ul>(void (*&&)(int, char const*, int, base::WaitableEvent*), std::__1::tuple<int, char const*, int>&&, base::IndexSequence<0ul, 1ul, 2ul>, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:351:12
#6 0x2a29078 in base::internal::Invoker<base::internal::BindState<void (*)(int, char const*, int, base::WaitableEvent*), int, char const*, int>, void (base::WaitableEvent*)>::RunOnce(base::internal::BindStateBase*, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:316:12
#7 0x7f88c394250e in base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run(base::WaitableEvent*) && /work/cr/src/out/Debug/../../base/callback.h:91:12
#8 0x7f88c3940a42 in base::AsyncCallbackHelper(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*) /work/cr/src/out/Debug/../../base/synchronization/waitable_event_watcher_posix.cc:105:25
#9 0x7f88c3943b7a in void base::internal::FunctorTraits<void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), void>::Invoke<base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>(void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), base::Flag*&&, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>&&, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:164:12
#10 0x7f88c3943914 in void base::internal::InvokeHelper<false, void>::MakeItSo<void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>(void (*&&)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), base::Flag*&&, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>&&, base::WaitableEvent*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:275:12
#11 0x7f88c394382b in void base::internal::Invoker<base::internal::BindState<void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), base::internal::RetainedRefWrapper<base::Flag>, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>, void ()>::RunImpl<void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), std::__1::tuple<base::internal::RetainedRefWrapper<base::Flag>, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>, 0ul, 1ul, 2ul>(void (*&&)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), std::__1::tuple<base::internal::RetainedRefWrapper<base::Flag>, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>&&, base::IndexSequence<0ul, 1ul, 2ul>) /work/cr/src/out/Debug/../../base/bind_internal.h:351:12
#12 0x7f88c39435d8 in base::internal::Invoker<base::internal::BindState<void (*)(base::Flag*, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*), base::internal::RetainedRefWrapper<base::Flag>, base::Callback<void (base::WaitableEvent*), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>, base::WaitableEvent*>, void ()>::RunOnce(base::internal::BindStateBase*) /work/cr/src/out/Debug/../../base/bind_internal.h:316:12
#13 0x7f88c32cf54e in base::Callback<void (), (base::internal::CopyMode)0, (base::internal::RepeatMode)0>::Run() && /work/cr/src/out/Debug/../../base/callback.h:91:12
#14 0x7f88c33cf1a6 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /work/cr/src/out/Debug/../../base/debug/task_annotator.cc:59:33
#15 0x7f88c35de1fc in base::MessageLoop::RunTask(base::PendingTask*) /work/cr/src/out/Debug/../../base/message_loop/message_loop.cc:422:19
#16 0x7f88c35dea22 in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /work/cr/src/out/Debug/../../base/message_loop/message_loop.cc:433:5
#17 0x7f88c35e12a6 in base::MessageLoop::DoWork() /work/cr/src/out/Debug/../../base/message_loop/message_loop.cc:540:13
#18 0x7f88c360f793 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /work/cr/src/out/Debug/../../base/message_loop/message_pump_libevent.cc:219:31
#19 0x7f88c35dcea0 in base::MessageLoop::Run() /work/cr/src/out/Debug/../../base/message_loop/message_loop.cc:369:10
#20 0x7f88c3816888 in base::RunLoop::Run() /work/cr/src/out/Debug/../../base/run_loop.cc:111:14
#21 0x7f88c3a9147a in base::Thread::Run(base::RunLoop*) /work/cr/src/out/Debug/../../base/threading/thread.cc:255:13
#22 0x7f88c3a93370 in base::Thread::ThreadMain() /work/cr/src/out/Debug/../../base/threading/thread.cc:338:3
#23 0x7f88c3a2b138 in base::(anonymous namespace)::ThreadFunc(void*) /work/cr/src/out/Debug/../../base/threading/platform_thread_posix.cc:71:13
#24 0x7f88c1bb96b9 in start_thread ??:0:0
Address 0x7f88bd36fc80 is located in stack of thread T0 at offset 1152 in frame
#0 0x2a230ff in base::(anonymous namespace)::MessagePumpLibeventTest_QuitWatcher_Test::TestBody() /work/cr/src/out/Debug/../../base/message_loop/message_pump_libevent_unittest.cc:241:0
This frame has 30 object(s):
[32, 40) '__p.addr.i91'
[64, 72) 'ref.tmp.i'
[96, 608) 'loop' (line 246)
[672, 680) 'agg.tmp'
[704, 712) 'ref.tmp' (line 246)
[736, 832) 'run_loop' (line 247)
[864, 928) 'controller' (line 248)
[960, 992) 'ref.tmp2' (line 248)
[1024, 1048) 'delegate' (line 249)
[1088, 1096) 'event' (line 250)
[1120, 1128) 'watcher' (line 252)
[1152, 1153) 'buf' (line 259) <== Memory access at offset 1152 is inside this variable
[1168, 1176) 'write_fd_task' (line 260)
[1200, 1208) 'ref.tmp6' (line 261)
[1232, 1240) 'ref.tmp9' (line 261)
[1264, 1268) 'ref.tmp10' (line 261)
[1280, 1312) 'ref.tmp14' (line 262)
[1344, 1352) 'agg.tmp16'
[1376, 1392) 'ref.tmp17' (line 262)
[1408, 1424) 'coerce'
[1440, 1448) 'ref.tmp19' (line 262)
[1472, 1480) 'ref.tmp23' (line 262)
[1504, 1536) 'ref.tmp28' (line 268)
[1568, 1576) 'agg.tmp30'
[1600, 1616) 'ref.tmp31' (line 268)
[1632, 1640) 'ref.tmp32' (line 268)
[1664, 1696) 'ref.tmp39' (line 275)
[1728, 1736) 'agg.tmp41'
[1760, 1776) 'ref.tmp42' (line 275)
[1792, 1800) 'ref.tmp43' (line 275)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-return (/work/cr/src/out/Debug/base_unittests+0x64030f)
Shadow bytes around the buggy address:
0x0ff197a65f40: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65f50: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65f60: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65f70: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65f80: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
=>0x0ff197a65f90:[f5]f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65fa0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65fb0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65fc0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65fd0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
0x0ff197a65fe0: f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5 f5
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Thread T5 (MessagePumpLibe) created by T0 here:
#0 0x6ab7bd in __interceptor_pthread_create ??:0:0
#1 0x7f88c3a294bf in base::(anonymous namespace)::CreateThread(unsigned long, bool, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /work/cr/src/out/Debug/../../base/threading/platform_thread_posix.cc:110:13
#2 0x7f88c3a28cf2 in base::PlatformThread::CreateWithPriority(unsigned long, base::PlatformThread::Delegate*, base::PlatformThreadHandle*, base::ThreadPriority) /work/cr/src/out/Debug/../../base/threading/platform_thread_posix.cc:193:10
#3 0x7f88c3a8e651 in base::Thread::StartWithOptions(base::Thread::Options const&) /work/cr/src/out/Debug/../../base/threading/thread.cc:112:15
#4 0x2a2621c in base::MessagePumpLibeventTest::SetUp() /work/cr/src/out/Debug/../../base/message_loop/message_pump_libevent_unittest.cc:40:5
#5 0x2b5033b in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2399:10
#6 0x2b21bf1 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2452:12
#7 0x2aee68b in testing::Test::Run() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2467:3
#8 0x2af0072 in testing::TestInfo::Run() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2653:11
#9 0x2af1adc in testing::TestCase::Run() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2771:28
#10 0x2b0b4d1 in testing::internal::UnitTestImpl::RunAllTests() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:4648:43
#11 0x2b5a546 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2399:10
#12 0x2b269c8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:2452:12
#13 0x2b0a8fa in testing::UnitTest::Run() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/src/gtest.cc:4256:10
#14 0x2c210d0 in RUN_ALL_TESTS() /work/cr/src/out/Debug/../../third_party/googletest/src/googletest/include/gtest/gtest.h:2237:46
#15 0x2c1c242 in base::TestSuite::Run() /work/cr/src/out/Debug/../../base/test/test_suite.cc:271:16
#16 0x2ba1ccc in int base::internal::FunctorTraits<int (base::TestSuite::*)(), void>::Invoke<base::TestSuite*>(int (base::TestSuite::*)(), base::TestSuite*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:209:12
#17 0x2ba19dd in int base::internal::InvokeHelper<false, int>::MakeItSo<int (base::TestSuite::* const&)(), base::TestSuite*>(int (base::TestSuite::* const&)(), base::TestSuite*&&) /work/cr/src/out/Debug/../../base/bind_internal.h:275:12
#18 0x2ba177f in int base::internal::Invoker<base::internal::BindState<int (base::TestSuite::*)(), base::internal::UnretainedWrapper<base::TestSuite> >, int ()>::RunImpl<int (base::TestSuite::* const&)(), std::__1::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, 0ul>(int (base::TestSuite::* const&)(), std::__1::tuple<base::internal::UnretainedWrapper<base::TestSuite> > const&, base::IndexSequence<0ul>) /work/cr/src/out/Debug/../../base/bind_internal.h:351:12
#19 0x2ba15ab in base::internal::Invoker<base::internal::BindState<int (base::TestSuite::*)(), base::internal::UnretainedWrapper<base::TestSuite> >, int ()>::Run(base::internal::BindStateBase*) /work/cr/src/out/Debug/../../base/bind_internal.h:329:12
#20 0x7f7f4c in base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1>::Run() const & /work/cr/src/out/Debug/../../base/callback.h:80:12
#21 0x2c8584e in base::(anonymous namespace)::LaunchUnitTestsInternal(base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&, int, int, bool, base::Callback<void (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) /work/cr/src/out/Debug/../../base/test/launcher/unit_test_launcher.cc:216:27
#22 0x2c852d8 in base::LaunchUnitTests(int, char**, base::Callback<int (), (base::internal::CopyMode)1, (base::internal::RepeatMode)1> const&) /work/cr/src/out/Debug/../../base/test/launcher/unit_test_launcher.cc:458:10
#23 0x2ba11ba in main /work/cr/src/out/Debug/../../base/test/run_all_base_unittests.cc:22:10
#24 0x7f88c0c9682f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291:0
==20684==ABORTING
Comment 1 by scottmg@chromium.org, Jun 27 2017