
Issue 783148

Issue metadata

Status: Untriaged
Owner: ----
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




Second test in NetworkServiceTest suite crashes on OS X 10.12.6

Project Member Reported by mpichlin...@opera.com, Nov 9 2017

Issue description

Chrome Version: 64.0.3251.0

What steps will reproduce the problem?
Run content_unittests --gtest_filter="NetworkServiceTest*" on OS X 10.12.6

What is the expected result?
All tests pass.

What happens instead?
The second test crashes at the call to notify_register_file_descriptor in NotifyWatcherMac::Watch.

On OS X 10.13.1 all tests pass. Moreover, on OS X 10.12.6, if each test is run separately the crash does not occur.
 
Example of crash stack:
[ RUN      ] SimpleURLLoaderTest.BasicRequest/1
services_unittests(63481,0x70000917d000) malloc: *** error for object 0x7f8457d421e0: pointer being realloc'd was not allocated
*** set a breakpoint in malloc_error_break to debug
Received signal 6
0   libbase.dylib                       0x0000000110766c0c base::debug::StackTrace::StackTrace(unsigned long) + 28
1   libbase.dylib                       0x0000000110766a31 base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 2401
2   libsystem_platform.dylib            0x00007fffb1bfeb3a _sigtramp + 26
3   ???                                 0x0000000000000000 0x0 + 0
4   libsystem_c.dylib                   0x00007fffb1a83420 abort + 129
5   libsystem_malloc.dylib              0x00007fffb1b740ad realloc + 413
6   libsystem_c.dylib                   0x00007fffb1a889ed reallocf + 21
7   libsystem_notify.dylib              0x00007fffb1bf962f notify_retain_file_descriptor + 160
8   libsystem_notify.dylib              0x00007fffb1bf94c3 notify_register_file_descriptor + 1091
9   libnet.dylib                        0x0000000111832021 net::NotifyWatcherMac::Watch(char const*, base::RepeatingCallback<void (bool)> const&) + 241
10  libnet.dylib                        0x0000000111835990 net::internal::DnsConfigServicePosix::Watcher::Watch() + 112
11  libnet.dylib                        0x000000011181084a net::DnsConfigService::WatchConfig(base::RepeatingCallback<void (net::DnsConfig const&)> const&) + 266
12  libnet.dylib                        0x0000000111472afb net::NetworkChangeNotifierMac::DnsConfigServiceThread::Init() + 171
13  libbase.dylib                       0x00000001107287df base::Thread::ThreadMain() + 687
14  libbase.dylib                       0x00000001107775ff base::(anonymous namespace)::ThreadFunc(void*) + 95
15  libsystem_pthread.dylib             0x00007fffb1c0893b _pthread_body + 180
16  libsystem_pthread.dylib             0x00007fffb1c08887 _pthread_body + 0
17  libsystem_pthread.dylib             0x00007fffb1c0808d thread_start + 13
Comment 2 by bugdroid1@chromium.org (Project Member), Aug 13

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/2f74c00ee75348fc74946a3717f3fa23c49068f6

commit 2f74c00ee75348fc74946a3717f3fa23c49068f6
Author: Konstantin Ganenko <ganenkokb@yandex-team.ru>
Date: Mon Aug 13 16:45:23 2018

Fix net services unittests on macOS earlier than 10.13

The short crash stack:
6   libsystem_c.dylib                   0x00007fffb1a889ed reallocf + 21
7   libsystem_notify.dylib              0x00007fffb1bf962f notify_retain_file_descriptor + 160
8   libsystem_notify.dylib              0x00007fffb1bf94c3 notify_register_file_descriptor + 1091
9   libnet.dylib                        0x0000000111832021 net::NotifyWatcherMac::Watch(char const*, base::RepeatingCallback<void (bool)> const&) + 241

The crash happens on OS X 10.12.X.
The failure occurs in the libnotify library.
For macOS 10.12.X, libnotify library version 165 is used.
https://opensource.apple.com/release/macos-1012.html
From the source code:
https://opensource.apple.com/source/Libnotify/Libnotify-165/notify_client.c.auto.html
the failure occurs in

globals->fd_clnt = (int *)reallocf(globals->fd_clnt, globals->fd_count * sizeof(int));

or the same with fd_srv and fd_refcount.
Global pointers to the file descriptor tables are reset only when globals is initialized and nowhere else.
On releasing the last file descriptor, free is called for these pointers without zeroing them (see notify_release_file_descriptor in the same file).
Accordingly, creating one file descriptor (notify_register_file_descriptor) and subsequently destroying it (notify_cancel) means that creating the next one will lead to a crash: realloc on a freed pointer.
A simple approach to repairing the issue is introduced here. We need to hold one stub file descriptor to avoid freeing globals in libnotify.
For earlier implementations of the library (checked 10.11.X, library version 149) the problem is also there.

A more detailed crash stack is included in the issue.

R=agl@chromium.org

Bug: 783148
Change-Id: I23396372bf6fdff78c70bf6a53a4183795677b02
Reviewed-on: https://chromium-review.googlesource.com/1168490
Commit-Queue: Adam Langley <agl@chromium.org>
Reviewed-by: Adam Langley <agl@chromium.org>
Cr-Commit-Position: refs/heads/master@{#582612}
[modify] https://crrev.com/2f74c00ee75348fc74946a3717f3fa23c49068f6/net/dns/notify_watcher_mac.cc
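The failure mode described in the commit message, modelled in C as an added illustration (not code from the Chromium change or from Apple's Libnotify): a reallocf-grown descriptor table whose pointers are freed but not zeroed on the last release, beside the zeroing fix and the stub-registration workaround the change adopts. The struct, the function names, the -1 stub value and xreallocf (a portable stand-in for BSD reallocf) are all constructed for this example.

```c
#include <stdbool.h>
#include <stdlib.h>
/* Portable stand-in for BSD reallocf(): frees the old block if realloc fails. */
static void *xreallocf(void *p, size_t n) {
    void *q = realloc(p, n);
    if (q == NULL) free(p);
    return q;
}
typedef struct {  /* constructed model of libnotify's per-process fd tables */
    int *fd_clnt, *fd_srv, *fd_refcount, fd_count;  /* parallel arrays + count */
} fd_globals;
/* Growing is only safe while the tables are live or were zeroed after free. */
static bool fd_can_register(const fd_globals *g) {
    return g->fd_count > 0 || g->fd_clnt == NULL;
}
/* Like notify_register_file_descriptor: retain an existing slot or append one. */
static int fd_register(fd_globals *g, int clnt, int srv) {
    for (int i = 0; i < g->fd_count; i++)
        if (g->fd_clnt[i] == clnt) { g->fd_refcount[i]++; return i; }
    if (!fd_can_register(g)) return -1;  /* Libnotify-165 reallocs a freed pointer here */
    size_t n = (size_t)g->fd_count + 1;
    g->fd_clnt = xreallocf(g->fd_clnt, n * sizeof(int));
    g->fd_srv = xreallocf(g->fd_srv, n * sizeof(int));
    g->fd_refcount = xreallocf(g->fd_refcount, n * sizeof(int));
    if (!g->fd_clnt || !g->fd_srv || !g->fd_refcount) abort();
    g->fd_clnt[g->fd_count] = clnt;
    g->fd_srv[g->fd_count] = srv;
    g->fd_refcount[g->fd_count] = 1;
    return g->fd_count++;
}
/* Like notify_release_file_descriptor. zero_on_free == false reproduces the bug:
 * the last release frees the tables but leaves the dangling pointers in globals. */
static bool fd_release(fd_globals *g, int clnt, bool zero_on_free) {
    int i = 0;
    while (i < g->fd_count && g->fd_clnt[i] != clnt) i++;
    if (i == g->fd_count) return false;
    if (--g->fd_refcount[i] > 0) return true;
    for (int j = i + 1; j < g->fd_count; j++) {  /* close the gap at slot i */
        g->fd_clnt[j - 1] = g->fd_clnt[j];
        g->fd_srv[j - 1] = g->fd_srv[j];
        g->fd_refcount[j - 1] = g->fd_refcount[j];
    }
    if (--g->fd_count == 0) {
        free(g->fd_clnt); free(g->fd_srv); free(g->fd_refcount);
        if (zero_on_free) g->fd_clnt = g->fd_srv = g->fd_refcount = NULL;
    }
    return true;
}
/* Chromium's workaround: a stub slot (-1 is a constructed placeholder) keeps fd_count above zero, so the tables are never freed. */
static int fd_hold_stub(fd_globals *g) { return fd_register(g, -1, -1); }
```

The guard in fd_register stands in for the realloc-on-freed-pointer abort seen in the crash stack; in the real library there is no such check, which is why the second test in the suite dies.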
