
Issue 751385


Issue metadata

Status: Verified
Owner:
Closed: Aug 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Linux
Pri: 2
Type: Bug

Blocking:
issue 750434




CFI: libc++ unrelated cast in skia

Reported by vtsyrklevich@chromium.org (Project Member), Aug 2 2017

Issue description

Chrome Version: tip
OS: linux-x86_64

What steps will reproduce the problem?
(1) Remove libc++ symbols from the CFI blacklist, e.g. apply https://reviews.llvm.org/D35855 to third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/cfi_blacklist.txt
(2) Build browser_tests with is_cfi=true use_cfi_diag=true and run it with ./browser_tests --gtest_filter=NetInternalsTest.netInternalsTimelineViewScrollbar *

*To enable use_cfi_diag=true and get pretty-printed error messages, the build needs to be performed with a version of clang that includes https://reviews.llvm.org/D36013, which hasn't been rolled in yet.

You will get a failure like the following:
[ RUN      ] NetInternalsTest.netInternalsTimelineViewScrollbar
[61834:61834:0801/201918.868918:INFO:CONSOLE(1220)] "Running TestCase NetInternalsTest.netInternalsTimelineViewScrollbar", source: test_api.js (1220)
../../buildtools/third_party/libc++/trunk/include/memory:1786:16: runtime error: control flow integrity check for type 'std::__1::__function::__func<(lambda at ../../third_party/skia/src/gpu/GrDrawOpAtlas.cpp:218:13), std::__1::allocator<(lambda at ../../third_party/skia/src/gpu/GrDrawOpAtlas.cpp:218:13)>, void (std::__1::function<bool (GrSurface *, int, int, int, int, GrPixelConfig, const void *, unsigned long)> &)>' failed during cast to unrelated type (vtable address 0x000000000018)
0x000000000018: note: invalid vtable
 
Blocking: 750434
Labels: OS-Linux
Just tracked this bug down: it's because that particular allocator symbol mangling uses a 'compression' mechanism [0] that bypasses the current CFI blacklist. In particular, the CFI blacklist [1] includes a regular expression for '*8allocateEmPKv', but the symbol here resolves to '...8allocateEmSF_', where the 'SF_' is a stand-in for 'PKv'. The correct solution to this might be to normalize out such 'compressed' entries in clang.

[0] https://itanium-cxx-abi.github.io/cxx-abi/abi.html#mangling-compression
[1] third_party/llvm-build/Release+Asserts/lib/clang/6.0.0/cfi_blacklist.txt
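As an added illustration of the substitution mechanism the comment above points at (this is not clang's mangler, not the Chromium blacklist code, and not part of the bug page), the following Python models a small subset of the Itanium C++ ABI mangling with substitutions and shows why a blacklist glob written against the spelled-out 'PKv' misses a later occurrence that the ABI compresses to 'S<seq-id>_'. It also shows the normalization idea from the comment: replay the candidate table and expand every seq-id back to the encoding it stands for before matching. The function names, the use of fnmatch to stand in for the blacklist glob matcher, and the sample signature are assumptions for illustration; real symbols also substitute nested-name prefixes and template arguments, which is why the symbol in the bug has already reached seq-id F (SF_) when its second 'const void *' is emitted.

```python
"""Toy model of Itanium C++ ABI substitution ("compression") in mangled names.

Added example, not clang's mangler and not the Chromium CFI blacklist code.
Subset only: builtin types, P = pointer, K = const, one unqualified function.
Types are builtin name strings or ("P", t) / ("K", t) tuples.
"""
import fnmatch
import string

# Builtin codes used here (subset). Builtins are never substitution
# candidates, so 'm' (unsigned long) and 'v' (void) are always spelled out.
BUILTINS = {"void": "v", "bool": "b", "int": "i", "unsigned long": "m"}
DIGITS36 = string.digits + string.ascii_uppercase


def seq_id(n):
    """<seq-id> of the n-th candidate: S_, S0_, ..., S9_, SA_, ..., SZ_, S10_, ..."""
    if n == 0:
        return "S_"
    n -= 1
    body = ""
    while True:
        body = DIGITS36[n % 36] + body
        n //= 36
        if n == 0:
            return "S" + body + "_"


def seq_index(sid):
    """Inverse of seq_id: 'S_' -> 0, 'S0_' -> 1, 'SF_' -> 16."""
    body = sid[1:-1]
    if body == "":
        return 0
    n = 0
    for ch in body:
        n = n * 36 + DIGITS36.index(ch)
    return n + 1


def canonical(t):
    """Uncompressed encoding of a type; the key in the substitution table."""
    if isinstance(t, str):
        return BUILTINS[t]
    kind, inner = t
    return kind + canonical(inner)


def mangle_type(t, subs):
    """Emit one type. A non-builtin type becomes a candidate once it has been
    emitted in full (innermost first); later uses emit its <seq-id> instead."""
    if isinstance(t, str):
        return BUILTINS[t]
    key = canonical(t)
    if key in subs:
        return seq_id(subs.index(key))
    kind, inner = t
    encoded = kind + mangle_type(inner, subs)
    subs.append(key)
    return encoded


def mangle_function(name, params):
    """_Z<len><name><params> for a free function (toy subset)."""
    subs = []
    return "_Z%d%s%s" % (len(name), name, "".join(mangle_type(p, subs) for p in params))


def expand_substitutions(mangled):
    """Replay the candidate table and replace every S<seq-id>_ with the encoding
    it stands for. The result is no longer a valid mangling (the ABI requires
    compression) but is the spelling a glob such as '*PKv' expects to see."""
    assert mangled.startswith("_Z")
    pos = 2
    while mangled[pos].isdigit():
        pos += 1
    header = mangled[:pos + int(mangled[2:pos])]  # "_Z<len><name>"
    pos, subs = len(header), []

    def parse_type():
        nonlocal pos
        c = mangled[pos]
        if c == "S":                              # back-reference to a candidate
            end = mangled.index("_", pos)
            sid, pos = mangled[pos:end + 1], end + 1
            return subs[seq_index(sid)]
        pos += 1
        if c in "PK":                             # P/K types are candidates
            full = c + parse_type()
            subs.append(full)
            return full
        return c                                  # builtin, never a candidate

    out = []
    while pos < len(mangled):
        out.append(parse_type())
    return header + "".join(out)


def blacklist_matches(pattern, symbol):
    """Anchored glob match, the shape of a 'fun:' blacklist entry
    (assumption: fnmatch semantics stand in for LLVM's glob handling)."""
    return fnmatch.fnmatchcase(symbol, pattern)


def demo():
    # Constructed signature: 'const void *' already appeared before the
    # parameter the entry names, so its second occurrence is compressed to S0_.
    params = [("P", ("K", "void")), "unsigned long", ("P", ("K", "void"))]
    sym = mangle_function("allocate", params)     # _Z8allocatePKvmS0_
    entry = "*mPKv"                               # analogue of '*8allocateEmPKv'
    return sym, blacklist_matches(entry, sym), blacklist_matches(entry, expand_substitutions(sym))


if __name__ == "__main__":
    print(demo())
```

The mangled form produced for the constructed signature, `_Z8allocatePKvmS0_`, is the same spelling a real compiler gives `allocate(const void *, unsigned long, const void *)`: `Kv` is candidate S_, `PKv` is S0_, and the second `const void *` is emitted as `S0_`, so an entry that ends in `PKv` only matches after expansion.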
Status: Verified (was: Assigned)
Fixed by https://reviews.llvm.org/D36294
Comment 4 by bugdroid1@chromium.org (Project Member), Oct 5 2017

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/3069a573fce8c2f9eb1d0b6a20811f1e662afa3b

commit 3069a573fce8c2f9eb1d0b6a20811f1e662afa3b
Author: Vlad Tsyrklevich <vtsyrklevich@chromium.org>
Date: Thu Oct 05 00:33:04 2017

[CFI] Delete outdated STL blacklist entry

This blacklist entry was required to work around a symbol compression
mangling bug in clang after the libstdc++ blacklist entries were
deleted. That bug was fixed in r310132.

Bug:  751385 
Change-Id: I90b856bd1b8e1d9e9680a530010c79d276fcb1f2
Reviewed-on: https://chromium-review.googlesource.com/691213
Reviewed-by: Peter Collingbourne <pcc@chromium.org>
Commit-Queue: Peter Collingbourne <pcc@chromium.org>
Cr-Commit-Position: refs/heads/master@{#506585}
[modify] https://crrev.com/3069a573fce8c2f9eb1d0b6a20811f1e662afa3b/tools/cfi/blacklist.txt
