
Issue 742440


Issue metadata

Status: Verified
Owner:
Closed: Jul 2017
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug-Regression

Blocked on:
issue 742004
issue 743094

Blocking:
issue 736117




Mac GPU ASAN bot failing with buffer overflow in gpu::gles2::Program::Update()

Project Member Reported by kbr@chromium.org, Jul 13 2017

Issue description

The Mac ASAN bot on the chromium.gpu.fyi waterfall has been red for a while. It's building again after the fixes in Issue 742004 and earlier bugs and is catching a real bug now in gles2_conform_test. Full excerpt from one of the failures follows. Investigating.

==3600==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff580d186d at pc 0x00010905a24e bp 0x7fff580ce7f0 sp 0x7fff580ce7e8
READ of size 1 at 0x7fff580d186d thread T0
    #0 0x10905a24d in gpu::gles2::Program::Update() ??:0:0
    #1 0x109067e56 in gpu::gles2::Program::Link(gpu::gles2::ShaderManager*, gpu::gles2::Program::VaryingsPackingOption, gpu::gles2::GLES2DecoderClient*) ??:0:0
    #2 0x108f56ae6 in gpu::gles2::GLES2DecoderImpl::DoLinkProgram(unsigned int) ??:0:0
    #3 0x108ed0bf8 in gpu::gles2::GLES2DecoderImpl::HandleLinkProgram(unsigned int, void const volatile*) ??:0:0
    #4 0x108f37928 in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) ??:0:0
    #5 0x108e29a78 in gpu::CommandBufferService::Flush(int, gpu::AsyncAPIInterface*) ??:0:0
    #6 0x108e282a4 in gpu::CommandBufferDirect::Flush(int) ??:0:0
    #7 0x107d996db in gpu::CommandBufferHelper::Flush() ??:0:0
    #8 0x107d9a17e in gpu::CommandBufferHelper::Finish() ??:0:0
    #9 0x107f934dd in gpu::gles2::GLES2Implementation::WaitForCmd() ??:0:0
    #10 0x107feb267 in gpu::gles2::GLES2Implementation::IsShader(unsigned int) ??:0:0
    #11 0x107d780dc in GTFLinkProgram_2_0 ??:0:0
    #12 0x107d38430 in GTFTestBuildGLApply ??:0:0
    #13 0x107d552fb in GTFRunTest ??:0:0
    #14 0x107d50464 in GTFRunTestDriver ??:0:0
    #15 0x107d23d0f in GTFRun ??:0:0
    #16 0x107d189b3 in GTFInitEGL ??:0:0
    #17 0x107d22939 in GTFMain ??:0:0
    #18 0x107d8dfa8 in main ??:0:0
    #19 0x7fff9475d234 in start ??:0:0
Address 0x7fff580d186d is located in stack of thread T0 at offset 301 in frame
    #0 0x107d53fbf in GTFRunTest ??:0:0
  This frame has 9 object(s):
    [32, 40) 'mode'
    [64, 72) 'pattern'
    [96, 104) 'root'
    [128, 132) 'err_line'
    [144, 160) 'dir'
    [176, 192) 'name'
    [208, 224) 'ext'
    [240, 256) 'group_name'
    [272, 288) 'err_msg' <== Memory access at offset 301 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/b/s/w/ir/out/Release/gles2_conform_test_windowless:x86_64+0x10152d24d)
Shadow bytes around the buggy address:
  0x1fffeb01a2b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffeb01a2c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffeb01a2d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffeb01a2e0: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x1fffeb01a2f0: 00 f2 f2 f2 00 f2 f2 f2 04 f2 00 00 f2 f2 00 00
=>0x1fffeb01a300: f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f3[f3]f3 f3
  0x1fffeb01a310: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffeb01a320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1fffeb01a330: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
  0x1fffeb01a340: 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2 00 00 f2 f2
  0x1fffeb01a350: 00 00 f2 f2 00 f2 f2 f2 04 f2 00 00 00 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3600==ABORTING
gen/gpu/gles2_conform_support/gles2_conform_test_autogen.cc:566: Failure
Value of: RunGLES2ConformTest("GL2Tests/validate_program/input.run")
  Actual: false
Expected: true
[  FAILED  ] GLES2ConformTest.GL2Tests_validate_program_input_run (262 ms)


Comment 1 by kbr@chromium.org, Jul 13 2017

Status: Started (was: Assigned)
Incredibly, it's this dereference:

==32404==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fff5d2e490d at pc 0x000104bd611e bp 0x7fff5d2e1670 sp 0x7fff5d2e1668
READ of size 1 at 0x7fff5d2e490d thread T0
    #0 0x104bd611d in gpu::gles2::Program::Update() program_manager.cc:770
    #1 0x104be3ff6 in gpu::gles2::Program::Link(gpu::gles2::ShaderManager*, gpu::gles2::Program::VaryingsPackingOption, gpu::gles2::GLES2DecoderClient*) program_manager.cc:1430
    #2 0x104ac4bd6 in gpu::gles2::GLES2DecoderImpl::DoLinkProgram(unsigned int) gles2_cmd_decoder.cc:8786
    #3 0x104a38538 in gpu::gles2::GLES2DecoderImpl::HandleLinkProgram(unsigned int, void const volatile*) gles2_cmd_decoder_autogen.h:2400
    #4 0x104aa3698 in gpu::error::Error gpu::gles2::GLES2DecoderImpl::DoCommandsImpl<false>(unsigned int, void const volatile*, int, int*) gles2_cmd_decoder.cc:5285

which is:

>>if (manager_->gpu_preferences_.enable_gpu_service_logging_gpu) {
    DVLOG(1) << "----: attribs for service_id: " << service_id();
    for (size_t ii = 0; ii < attrib_infos_.size(); ++ii) {

The gpu_preferences_ reference appears to have gone stale. Certainly manually removing this dereference fixes the ASAN error.

Comment 2 by kbr@chromium.org, Jul 13 2017

The bug's caused specifically by this test harness. Fix in https://chromium-review.googlesource.com/570675/ .

Project Member Comment 3 by bugdroid1@chromium.org, Jul 14 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d72b8780344f261a3b29b13f9af757d635ac1144

commit d72b8780344f261a3b29b13f9af757d635ac1144
Author: Kenneth Russell <kbr@chromium.org>
Date: Fri Jul 14 02:05:01 2017

Fixed ASAN error in gles2_conform_test.

Make a copy of the GpuPreferences inside the ContextGroup to make it
easier for all callers -- including test harnesses -- to be correct.

BUG= 742440 

Change-Id: I839866e24ec6ebe7b88e7012b7165ac5f9e10bc0
Reviewed-on: https://chromium-review.googlesource.com/570675
Reviewed-by: Zhenyao Mo <zmo@chromium.org>
Reviewed-by: Antoine Labour <piman@chromium.org>
Commit-Queue: Kenneth Russell <kbr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#486630}
[modify] https://crrev.com/d72b8780344f261a3b29b13f9af757d635ac1144/gpu/command_buffer/service/context_group.h
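The stale-reference pattern diagnosed in comment 1 and the copy-based fix described in the commit above, as an added illustration that is not Chromium code: ContextGroupByRef, ContextGroupByValue and GpuPreferences here are hypothetical stand-ins for the real ContextGroup and GpuPreferences types, reduced to the one field the crashing line read.

```cpp
// Added example, not Chromium code. Shows why a reference member to
// preferences owned by the caller (the test harness) can dangle, and why
// holding a private copy makes every caller correct by construction.
#include <memory>

struct GpuPreferences {
  bool enable_gpu_service_logging_gpu = false;  // the field read at program_manager.cc:770
};

// Before: the group merely refers to preferences it does not own. This is
// only valid while the referent outlives the group, which a harness that
// builds its preferences in a local scope does not guarantee.
class ContextGroupByRef {
 public:
  explicit ContextGroupByRef(const GpuPreferences& prefs) : prefs_(prefs) {}
  explicit ContextGroupByRef(GpuPreferences&&) = delete;  // reject binding to a temporary
  bool logging_enabled() const { return prefs_.enable_gpu_service_logging_gpu; }
 private:
  const GpuPreferences& prefs_;  // dangles once the referent is destroyed
};

// After: the group owns a copy, so the caller's object may die freely.
class ContextGroupByValue {
 public:
  explicit ContextGroupByValue(const GpuPreferences& prefs) : prefs_(prefs) {}
  bool logging_enabled() const { return prefs_.enable_gpu_service_logging_gpu; }
 private:
  GpuPreferences prefs_;  // private copy, independent of the caller's lifetime
};

// Mimics the harness: preferences live in a local that is already gone when
// the group is handed back. Safe only because the group stores a copy; with
// ContextGroupByRef this is the stack-buffer-overflow ASan reported above.
std::unique_ptr<ContextGroupByValue> MakeGroupFromLocalPrefs(bool logging) {
  GpuPreferences local;  // destroyed when this function returns
  local.enable_gpu_service_logging_gpu = logging;
  return std::make_unique<ContextGroupByValue>(local);
}

// The reference-holding variant is fine when the owner outlives every use.
bool RefGroupReadsLiveOwner() {
  GpuPreferences owner;  // alive for the whole lifetime of `group`
  owner.enable_gpu_service_logging_gpu = true;
  ContextGroupByRef group(owner);
  return group.logging_enabled();
}
```

Under ASan, the by-reference variant fed a dead local produces the same stack-buffer-overflow read in logging_enabled() that the report above shows for Program::Update().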

Comment 4 by kbr@chromium.org, Jul 14 2017

Blockedon: 743094

Comment 5 by kbr@chromium.org, Jul 15 2017

Status: Verified (was: Started)
This bot's finally green again as of https://luci-milo.appspot.com/buildbot/chromium.gpu.fyi/Mac%20GPU%20ASAN%20Release/5060 .

Comment 6 by kbr@chromium.org, Oct 14 2017

Blocking: 736117
