Issue 739361

Issue metadata

Status: Fixed
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

MSan: uninitialized read in mojo::edk::DataPipeConsumerDispatcher::UpdateSignalsStateNoLock

Project Member Reported by ellyjo...@chromium.org, Jul 5 2017

Issue description

MSan output from https://luci-logdog.appspot.com/v/?s=chromium%2Fbb%2Fchromium.webkit%2FWebKit_Linux_Trusty_MSAN%2F1769%2F%2B%2Frecipes%2Fsteps%2Fwebkit_layout_tests%2F0%2Fstdout:

05:24:39.261 9155   ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
05:24:39.261 9155       #0 0xb302a52 in mojo::edk::DataPipeConsumerDispatcher::UpdateSignalsStateNoLock() mojo/edk/system/data_pipe_consumer_dispatcher.cc:581:7
05:24:39.261 9155       #1 0xb303e7c in OnPortStatusChanged mojo/edk/system/data_pipe_consumer_dispatcher.cc:521:3
05:24:39.261 9155       #2 0xb303e7c in mojo::edk::DataPipeConsumerDispatcher::PortObserverThunk::OnPortStatusChanged() mojo/edk/system/data_pipe_consumer_dispatcher.cc:67:0
05:24:39.261 9155       #3 0xb32da12 in mojo::edk::NodeController::PortStatusChanged(mojo::edk::ports::PortRef const&) mojo/edk/system/node_controller.cc:745:15
05:24:39.261 9155       #4 0x1310a1b in mojo::edk::ports::Node::OnObserveClosure(std::__1::unique_ptr<mojo::edk::ports::ObserveClosureEvent, std::__1::default_delete<mojo::edk::ports::ObserveClosureEvent> >) mojo/edk/system/ports/node.cc:698:16
05:24:39.261 9155       #5 0x130dec5 in mojo::edk::ports::Node::AcceptEvent(std::__1::unique_ptr<mojo::edk::ports::Event, std::__1::default_delete<mojo::edk::ports::Event> >) mojo/edk/system/ports/node.cc:344:14
05:24:39.261 9155       #6 0xb3336e9 in mojo::edk::NodeController::OnEventMessage(mojo::edk::ports::NodeName const&, std::__1::unique_ptr<mojo::edk::Channel::Message, std::__1::default_delete<mojo::edk::Channel::Message> >) mojo/edk/system/node_controller.cc:1000:10
05:24:39.261 9155       #7 0xb38b741 in mojo::edk::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::unique_ptr<std::__1::vector<mojo::edk::PlatformHandle, std::__1::allocator<mojo::edk::PlatformHandle> >, mojo::edk::PlatformHandleVectorDeleter>) mojo/edk/system/node_channel.cc:616:18
05:24:39.261 9155       #8 0xb372e1a in mojo::edk::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/edk/system/channel.cc:662:18
05:24:39.261 9155       #9 0xb37b3b3 in mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/edk/system/channel_posix.cc:318:14
05:24:39.261 9155       #10 0x69a18f7 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc:0:13
05:24:39.261 9155       #11 0x6c3c4ca in event_process_active base/third_party/libevent/event.c:381:4
05:24:39.261 9155       #12 0x6c3c4ca in event_base_loop base/third_party/libevent/event.c:521:0
05:24:39.261 9155       #13 0x69a2818 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:246:7
05:24:39.261 9155       #14 0x6a2fe58 in base::RunLoop::Run() base/run_loop.cc:111:14
05:24:39.261 9155       #15 0x6ae4733 in base::Thread::ThreadMain() base/threading/thread.cc:338:3
05:24:39.261 9155       #16 0x6ac98e5 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:71:13
05:24:39.261 9155       #17 0x7fc8f9645183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312:0
05:24:39.261 9155       #18 0x7fc8f7285bec in clone /build/eglibc-MjiXCM/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111:0
05:24:39.261 9155   
05:24:39.261 9155     Uninitialized value was stored to memory at
05:24:39.261 9155       #0 0xb302808 in mojo::edk::DataPipeConsumerDispatcher::UpdateSignalsStateNoLock() mojo/edk/system/data_pipe_consumer_dispatcher.cc:533:16
05:24:39.261 9155       #1 0xb303e7c in OnPortStatusChanged mojo/edk/system/data_pipe_consumer_dispatcher.cc:521:3
05:24:39.262 9155       #2 0xb303e7c in mojo::edk::DataPipeConsumerDispatcher::PortObserverThunk::OnPortStatusChanged() mojo/edk/system/data_pipe_consumer_dispatcher.cc:67:0
05:24:39.262 9155       #3 0xb32da12 in mojo::edk::NodeController::PortStatusChanged(mojo::edk::ports::PortRef const&) mojo/edk/system/node_controller.cc:745:15
05:24:39.262 9155       #4 0x1310a1b in mojo::edk::ports::Node::OnObserveClosure(std::__1::unique_ptr<mojo::edk::ports::ObserveClosureEvent, std::__1::default_delete<mojo::edk::ports::ObserveClosureEvent> >) mojo/edk/system/ports/node.cc:698:16
05:24:39.262 9155       #5 0x130dec5 in mojo::edk::ports::Node::AcceptEvent(std::__1::unique_ptr<mojo::edk::ports::Event, std::__1::default_delete<mojo::edk::ports::Event> >) mojo/edk/system/ports/node.cc:344:14
05:24:39.262 9155       #6 0xb3336e9 in mojo::edk::NodeController::OnEventMessage(mojo::edk::ports::NodeName const&, std::__1::unique_ptr<mojo::edk::Channel::Message, std::__1::default_delete<mojo::edk::Channel::Message> >) mojo/edk/system/node_controller.cc:1000:10
05:24:39.262 9155       #7 0xb38b741 in mojo::edk::NodeChannel::OnChannelMessage(void const*, unsigned long, std::__1::unique_ptr<std::__1::vector<mojo::edk::PlatformHandle, std::__1::allocator<mojo::edk::PlatformHandle> >, mojo::edk::PlatformHandleVectorDeleter>) mojo/edk/system/node_channel.cc:616:18
05:24:39.262 9155       #8 0xb372e1a in mojo::edk::Channel::OnReadComplete(unsigned long, unsigned long*) mojo/edk/system/channel.cc:662:18
05:24:39.262 9155       #9 0xb37b3b3 in mojo::edk::(anonymous namespace)::ChannelPosix::OnFileCanReadWithoutBlocking(int) mojo/edk/system/channel_posix.cc:318:14
05:24:39.262 9155       #10 0x69a18f7 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) base/message_loop/message_pump_libevent.cc:0:13
05:24:39.262 9155       #11 0x6c3c4ca in event_process_active base/third_party/libevent/event.c:381:4
05:24:39.262 9155       #12 0x6c3c4ca in event_base_loop base/third_party/libevent/event.c:521:0
05:24:39.262 9155       #13 0x69a2818 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) base/message_loop/message_pump_libevent.cc:246:7
05:24:39.262 9155       #14 0x6a2fe58 in base::RunLoop::Run() base/run_loop.cc:111:14
05:24:39.262 9155       #15 0x6ae4733 in base::Thread::ThreadMain() base/threading/thread.cc:338:3
05:24:39.262 9155       #16 0x6ac98e5 in base::(anonymous namespace)::ThreadFunc(void*) base/threading/platform_thread_posix.cc:71:13
05:24:39.262 9155       #17 0x7fc8f9645183 in start_thread /build/eglibc-MjiXCM/eglibc-2.19/nptl/pthread_create.c:312:0
05:24:39.262 9155   
05:24:39.262 9155     Uninitialized value was created by an allocation of 'port_status' in the stack frame of function '_ZN4mojo3edk26DataPipeConsumerDispatcher24UpdateSignalsStateNoLockEv'
05:24:39.262 9155       #0 0xb301f30 in mojo::edk::DataPipeConsumerDispatcher::UpdateSignalsStateNoLock() mojo/edk/system/data_pipe_consumer_dispatcher.cc:524:0
05:24:39.262 9155   
05:24:39.262 9155   SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xb302a52)
05:24:39.262 9155   Exiting

This resembles issue 608434 so assigning to rockot@.
Here's what's going on:

DataPipeConsumerDispatcher::UpdateSignalsStateNoLock() allocates |port_status| and attempts to initialize it at line 532.
Apparently node_controller_->node()->GetStatus() returns ERROR_PORT_STATE_UNEXPECTED and leaves port_status.peer_remote uninitialized, so |peer_remote_| is also uninitialized.
At line 581 |peer_remote_| is used in a condition, which triggers the error report.
Thanks for looking. I'll upload a fix.
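The analysis above describes a classic out-parameter bug: GetStatus() returns a status code and only writes the struct on success, but the caller consumes the struct regardless, so on the ERROR_PORT_STATE_UNEXPECTED path a stack-resident PortStatus flows into peer_remote_ and then into a branch. The following is an added example, not Chromium code: ports::Node, ports::PortStatus, the error codes and the dispatcher types are hypothetical stand-ins modelled on the names in the report, showing the buggy shape beside a hardened form that both value-initializes the struct and checks the return value.

```cpp
// Added example (not Chromium code): models the bug pattern from this report
// with hypothetical stand-ins for ports::Node::GetStatus() and ports::PortStatus.
#include <cstdint>
#include <cstdio>
#include <map>

enum Result { OK = 0, ERROR_PORT_UNKNOWN = 1, ERROR_PORT_STATE_UNEXPECTED = 2 };

// Stand-in for ports::PortStatus. Only peer_remote is taken from the report;
// the other fields are assumed for illustration.
struct PortStatus {
  bool has_messages;
  bool peer_closed;
  bool peer_remote;
};

enum class PortState { kReceiving, kProxying, kClosed };

// Stand-in for ports::Node. As the report describes, GetStatus() writes
// *status only when it returns OK; on any error the out-param is left
// exactly as the caller passed it.
class Node {
 public:
  void AddPort(uint64_t name, PortState state, bool peer_remote, bool has_messages) {
    ports_[name] = Port{state, peer_remote, has_messages};
  }

  Result GetStatus(uint64_t name, PortStatus* status) const {
    auto it = ports_.find(name);
    if (it == ports_.end()) return ERROR_PORT_UNKNOWN;
    if (it->second.state != PortState::kReceiving)
      return ERROR_PORT_STATE_UNEXPECTED;  // *status deliberately untouched
    status->has_messages = it->second.has_messages;
    status->peer_closed = false;
    status->peer_remote = it->second.peer_remote;
    return OK;
  }

 private:
  struct Port { PortState state; bool peer_remote; bool has_messages; };
  std::map<uint64_t, Port> ports_;  // Port must be declared before this member
};

// The shape of the bug: the struct has no initializer and the return value of
// GetStatus() is ignored, so on the error path peer_remote_ receives whatever
// was on the stack. MSan reports the later branch on peer_remote_; a release
// build silently misreports the signal. Kept for contrast only; calling it on
// a non-receiving port is undefined behaviour.
struct BuggyDispatcher {
  bool peer_remote_ = false;
  void UpdateSignalsStateNoLock(const Node& node, uint64_t port) {
    PortStatus port_status;              // indeterminate contents
    node.GetStatus(port, &port_status);  // result discarded
    peer_remote_ = port_status.peer_remote;
  }
};

// Hardened form: (1) value-initialize the struct so every field is a known
// false even if the callee never writes it, and (2) consume the struct only
// when the callee reports that it filled it in. Returns true when the
// peer-remote signal changed, so a caller knows whether to wake watchers.
struct FixedDispatcher {
  bool peer_remote_ = false;
  bool UpdateSignalsStateNoLock(const Node& node, uint64_t port) {
    const bool was_remote = peer_remote_;
    PortStatus port_status{};
    if (node.GetStatus(port, &port_status) == OK)
      peer_remote_ = port_status.peer_remote;
    // On ERROR_PORT_UNKNOWN / ERROR_PORT_STATE_UNEXPECTED the previous value
    // is kept; nothing is derived from a struct the callee did not fill.
    return peer_remote_ != was_remote;
  }
};

int main() {
  Node node;  // constructed sample: one receiving port, one proxying port
  node.AddPort(1, PortState::kReceiving, /*peer_remote=*/true, /*has_messages=*/false);
  node.AddPort(2, PortState::kProxying, /*peer_remote=*/true, /*has_messages=*/false);

  FixedDispatcher d;
  const bool changed1 = d.UpdateSignalsStateNoLock(node, 1);
  std::printf("receiving port: changed=%d peer_remote=%d\n", changed1, d.peer_remote_);

  FixedDispatcher e;
  const bool changed2 = e.UpdateSignalsStateNoLock(node, 2);
  std::printf("proxying port:  changed=%d peer_remote=%d\n", changed2, e.peer_remote_);
  return 0;
}
```

Building the example with clang and `-fsanitize=memory -fsanitize-memory-track-origins -g`, then driving BuggyDispatcher at port 2, produces a report of the same shape as the one in the description, including the "Uninitialized value was created by an allocation of 'port_status'" origin line; FixedDispatcher on the same input runs clean. Value-initialization alone makes the read deterministic, but only checking the return code stops a stale or default struct from being treated as real port state.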
Project Member

Comment 3 by bugdroid1@chromium.org, Jul 6 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/b5ac971cfbf3afa2230534369912bffccefb0fc1

commit b5ac971cfbf3afa2230534369912bffccefb0fc1
Author: Ken Rockot <rockot@chromium.org>
Date: Thu Jul 06 19:30:42 2017

Fix uninitialized read in data pipe peer remoteness

It's possible (albeit innocuous) for an uninitialized PortStatus to be
read when updating a data pipe handle's peer-remoteness signal. This
fixes that.

BUG=739361

Change-Id: I73383949a8f7d657cd384f645d348a1223724e61
Reviewed-on: https://chromium-review.googlesource.com/561971
Reviewed-by: Jay Civelli <jcivelli@chromium.org>
Commit-Queue: Ken Rockot <rockot@chromium.org>
Cr-Commit-Position: refs/heads/master@{#484710}
[modify] https://crrev.com/b5ac971cfbf3afa2230534369912bffccefb0fc1/mojo/edk/system/data_pipe_consumer_dispatcher.cc
[modify] https://crrev.com/b5ac971cfbf3afa2230534369912bffccefb0fc1/mojo/edk/system/data_pipe_producer_dispatcher.cc

Status: Fixed (was: Assigned)
Cc: tzik@chromium.org yhirano@chromium.org hirosh...@chromium.org
Issue 736802 has been merged into this issue.