Issue 807731

Issue metadata

Status: Verified
Closed: Feb 2018
OS: Chrome
Pri: 2
Type: Bug
Build-Toolchain

libchromeos-ui fails asan tests

Project Member Reported by manojgupta@chromium.org, Jan 31 2018

Issue description

https://build.chromium.org/p/chromiumos/builders/amd64-generic-asan/builds/23151

libchromeos-ui-0.0.1-r1454: 
libchromeos-ui-0.0.1-r1454:  * ASAN error detected:
libchromeos-ui-0.0.1-r1454:  * =================================================================
libchromeos-ui-0.0.1-r1454:  * ==17==ERROR: AddressSanitizer: container-overflow on address 0x6080000003e9 at pc 0x7fee8f942e26 bp 0x7fff48ef9f40 sp 0x7fff48ef96e0
libchromeos-ui-0.0.1-r1454:  * WRITE of size 3 at 0x6080000003e9 thread T0
libchromeos-ui-0.0.1-r1454:  *     #0 0x7fee8f942e25 in __interceptor_memcpy ??:0:0
libchromeos-ui-0.0.1-r1454:  *     #1 0x7fee8f3c75c7 in base::FilePath::GetComponents(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >*) const ??:0:0
libchromeos-ui-0.0.1-r1454:  * 
libchromeos-ui-0.0.1-r1454:  * 0x6080000003e9 is located 73 bytes inside of 96-byte region [0x6080000003a0,0x608000000400)
libchromeos-ui-0.0.1-r1454:  * allocated by thread T0 here:
libchromeos-ui-0.0.1-r1454:  *     #0 0x7fee8f9f5622 in operator new(unsigned long) ??:0:0
libchromeos-ui-0.0.1-r1454:  *     #1 0x7fee8f89fd4b in std::__1::__allocate(unsigned long) /usr/bin/../include/c++/v1/new:227:10
libchromeos-ui-0.0.1-r1454:  *     #2 0x7fee8f89fd4b in std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >::allocate(unsigned long, void const*) /usr/bin/../include/c++/v1/memory:1771:0
libchromeos-ui-0.0.1-r1454:  *     #3 0x7fee8f89fd4b in std::__1::allocator_traits<std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >::allocate(std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&, unsigned long) /usr/bin/../include/c++/v1/memory:1526:0
libchromeos-ui-0.0.1-r1454:  *     #4 0x7fee8f89fd4b in std::__1::__split_buffer<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&>::__split_buffer(unsigned long, unsigned long, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > >&) /usr/bin/../include/c++/v1/__split_buffer:311:0
libchromeos-ui-0.0.1-r1454:  *     #5 0x7fee8f89f829 in void std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >::__push_back_slow_path<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&>(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&&&) /usr/bin/../include/c++/v1/vector:1570:49
libchromeos-ui-0.0.1-r1454:  *     #6 0x7fee8f3c7562 in base::FilePath::GetComponents(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, std::__1::allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > >*) const ??:0:0
libchromeos-ui-0.0.1-r1454:  *     #7 0x7fee8f3ca2f5 in base::FilePath::ReferencesParent() const ??:0:0
libchromeos-ui-0.0.1-r1454:  *     #8 0x7fee8f3d3556 in base::ReadFileToStringWithMaxSize(base::FilePath const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, unsigned long) ??:0:0
libchromeos-ui-0.0.1-r1454:  *     #9 0x7fee8f871c8c in chromeos::ui::ChromiumCommandBuilder::Init() /build/amd64-generic/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/../../../../../../../tmp/portage/chromeos-base/libchromeos-ui-0.0.1-r1454/work/libchromeos-ui-0.0.1/platform2/libchromeos-ui/chromeos/ui/chromium_command_builder.cc:146:8
libchromeos-ui-0.0.1-r1454:  *     #10 0x7fee8fa14293 in chromeos::ui::ChromiumCommandBuilderTest::Init() /build/amd64-generic/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/../../../../../../../tmp/portage/chromeos-base/libchromeos-ui-0.0.1-r1454/work/libchromeos-ui-0.0.1/platform2/libchromeos-ui/chromeos/ui/chromium_command_builder_unittest.cc:45:21
libchromeos-ui-0.0.1-r1454:  *     #11 0x7fee8f9f8540 in chromeos::ui::ChromiumCommandBuilderTest_MissingUseFlagsFile_Test::TestBody() /build/amd64-generic/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/../../../../../../../tmp/portage/chromeos-base/libchromeos-ui-0.0.1-r1454/work/libchromeos-ui-0.0.1/platform2/libchromeos-ui/chromeos/ui/chromium_command_builder_unittest.cc:98:3
libchromeos-ui-0.0.1-r1454:  *     #12 0x7fee8f827678 in void testing::internal::HandleSehExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2402:10
libchromeos-ui-0.0.1-r1454:  *     #13 0x7fee8f827678 in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2438:0
libchromeos-ui-0.0.1-r1454:  *     #14 0x7fee8f80bcf8 in testing::Test::Run() /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2474:5
libchromeos-ui-0.0.1-r1454:  *     #15 0x7fee8f80cffc in testing::TestInfo::Run() /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2656:11
libchromeos-ui-0.0.1-r1454:  *     #16 0x7fee8f80d896 in testing::TestCase::Run() /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2774:28
libchromeos-ui-0.0.1-r1454:  *     #17 0x7fee8f816aa6 in testing::internal::UnitTestImpl::RunAllTests() /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:4649:43
libchromeos-ui-0.0.1-r1454:  *     #18 0x7fee8f8283e8 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2402:10
libchromeos-ui-0.0.1-r1454:  *     #19 0x7fee8f8283e8 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:2438:0
libchromeos-ui-0.0.1-r1454:  *     #20 0x7fee8f81673e in testing::UnitTest::Run() /build/amd64-generic/tmp/portage/dev-cpp/gtest-1.8.0-r1/work/googletest-release-1.8.0/googletest-abi_x86_64.amd64/./src/gtest.cc:4257:10
libchromeos-ui-0.0.1-r1454:  *     #21 0x7fee8fa3d2a7 in RUN_ALL_TESTS() /build/amd64-generic/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/../../../../../../../usr/include/gtest/gtest.h:2233:46
libchromeos-ui-0.0.1-r1454:  *     #22 0x7fee8fa3d2a7 in main /build/amd64-generic/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/../../../../../../../tmp/portage/chromeos-base/libchromeos-ui-0.0.1-r1454/work/libchromeos-ui-0.0.1/platform2/common-mk/testrunner.cc:16:0
libchromeos-ui-0.0.1-r1454:  *     #23 0x7fee8e7ba735 in __libc_start_main /var/tmp/portage/cross-x86_64-cros-linux-gnu/glibc-2.23-r15/work/glibc-2.23/csu/../csu/libc-start.c:289:0
libchromeos-ui-0.0.1-r1454:  *     #24 0x7fee8f9283d8 in _start ??:0:0
libchromeos-ui-0.0.1-r1454:  * 
libchromeos-ui-0.0.1-r1454:  * HINT: if you don't care about these errors you may set ASAN_OPTIONS=detect_container_overflow=0.
libchromeos-ui-0.0.1-r1454:  * If you suspect a false positive see also: https://github.com/google/sanitizers/wiki/AddressSanitizerContainerOverflow.
libchromeos-ui-0.0.1-r1454:  * SUMMARY: AddressSanitizer: container-overflow (/var/cache/portage/chromeos-base/libchromeos-ui/out/Default/libchromeos-ui-test+0x52e25)
libchromeos-ui-0.0.1-r1454:  * Shadow bytes around the buggy address:
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8020: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8030: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8040: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8050: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8060: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
libchromeos-ui-0.0.1-r1454:  * =>0x0c107fff8070: fa fa fa fa 00 00 00 00 00 00 00 00 00[fc]fc fc
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff8090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff80a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff80b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
libchromeos-ui-0.0.1-r1454:  *   0x0c107fff80c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
libchromeos-ui-0.0.1-r1454:  * Shadow byte legend (one shadow byte represents 8 application bytes):
libchromeos-ui-0.0.1-r1454:  *   Addressable:           00
libchromeos-ui-0.0.1-r1454:  *   Partially addressable: 01 02 03 04 05 06 07
libchromeos-ui-0.0.1-r1454:  *   Heap left redzone:       fa
libchromeos-ui-0.0.1-r1454:  *   Freed heap region:       fd
libchromeos-ui-0.0.1-r1454:  *   Stack left redzone:      f1
libchromeos-ui-0.0.1-r1454:  *   Stack mid redzone:       f2
libchromeos-ui-0.0.1-r1454:  *   Stack right redzone:     f3
libchromeos-ui-0.0.1-r1454:  *   Stack after return:      f5
libchromeos-ui-0.0.1-r1454:  *   Stack use after scope:   f8
libchromeos-ui-0.0.1-r1454:  *   Global redzone:          f9
libchromeos-ui-0.0.1-r1454:  *   Global init order:       f6
libchromeos-ui-0.0.1-r1454:  *   Poisoned by user:        f7
libchromeos-ui-0.0.1-r1454:  *   Container overflow:      fc
libchromeos-ui-0.0.1-r1454:  *   Array cookie:            ac
libchromeos-ui-0.0.1-r1454:  *   Intra object redzone:    bb
libchromeos-ui-0.0.1-r1454:  *   ASan internal:           fe
libchromeos-ui-0.0.1-r1454:  *   Left alloca redzone:     ca
libchromeos-ui-0.0.1-r1454:  *   Right alloca redzone:    cb
libchromeos-ui-0.0.1-r1454:  * ==17==ABORTING


void FilePath::GetComponents(std::vector<StringType>* components) const {
  DCHECK(components);
  if (!components)
    return;
  components->clear();
  if (value().empty())
    return;

  std::vector<StringType> ret_val;
  FilePath current = *this;
  FilePath base;

  // Capture path components.
  while (current != current.DirName()) {
    base = current.BaseName();
    if (!AreAllSeparators(base.value()))
      ret_val.push_back(base.value());  // <-- Failing here.
    current = current.DirName();
  }
Cc: euge...@chromium.org
Evgenii, can you help me understand why asan is complaining?

https://cs.chromium.org/chromium/src/base/files/file_path.cc?l=237

ret_val.push_back(base.value()); <-- Failing here.

ret_val is a vector<std::string> and base.value() returns a reference to a string.
const StringType& value() const { return path_; }

Debugging shows that at the time of the complaint, the path_ string contents are:

(gdb) p value()
$2 = (const base::FilePath::StringType &) @0x7fffffffb628: {<std::__1::__basic_string_common<true>> = {<No data fields>}, 
  __r_ = {<std::__1::__libcpp_compressed_pair_imp<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >::__rep, std::__1::allocator<char>, 2>> = {<std::__1::allocator<char>> = {<No data fields>}, __first_ = {{__l = {__cap_ = 49, __size_ = 3, 
            __data_ = 0x604000001390 "tmp"}, __s = {{__size_ = 49 '1', __lx = 49 '1'}, 
            __data_ = "\000\000\000\000\000\000\000\003\000\000\000\000\000\000\000\220\023\000\000@`\000"}, __r = {__words = {49, 3, 
              105827994178448}}}}}, <No data fields>}, static npos = 18446744073709551615}

So the path_ string is using the short string (stack allocation) optimization; I'm not sure whether that is causing asan to complain.
Cc: derat@chromium.org
I hate container-overflow :(

It has a failure mode where a mix of asan and non-asan libraries in one process can cause false positive reports. This happens because container memory is poisoned and unpoisoned with annotations in the methods of std::vector, in libc++ headers. If a library that uses std::vector is built without asan, it may export some of those methods w/o the annotations, and they can get called by the library built with asan, and then they fail to update container state.

Could you check which libraries the std::vector methods called with this==ret_val belong to?
Thanks Evgenii, I think this explains the problem.

The std::vector usage is coming from libchrome which is not built with asan.
How can I get around this problem?
If you cannot guarantee that all C++ code loaded in a process is built with ASan, this kind of problem is unavoidable. We normally disable container overflow detection in such cases with ASAN_OPTIONS=detect_container_overflow=0.

The rest of ASan checks do not have issues with mixing ASan and non-ASan libraries.
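
The failure mode Evgenii describes, as an added model that is not ASan, libc++ or project code: it keeps a per-byte shadow for one vector's heap block (real ASan uses one shadow byte per 8 application bytes), an annotate hook standing in for __sanitizer_annotate_contiguous_container, and a write check standing in for what an instrumented store or the memcpy interceptor does first. The capacity, element counts and 16-byte redzone are constructed values.

```cpp
// Added illustration (not ASan or libc++ code): a per-byte shadow model of one
// vector's heap block, the annotate hook an ASan-built std::vector calls when its
// size changes, and the check an instrumented access or interceptor makes first.
#include <cstddef>
#include <string>
#include <vector>

enum ShadowByte : unsigned char { kOk = 0x00, kContainerOverflow = 0xfc, kHeapRedzone = 0xfa };

struct ShadowModel {
  bool detect_container_overflow = true;  // models ASAN_OPTIONS=detect_container_overflow
  size_t capacity;
  std::vector<unsigned char> shadow;      // container bytes followed by a 16-byte redzone
  explicit ShadowModel(size_t cap) : capacity(cap), shadow(cap + 16, kHeapRedzone) {}

  // Models __sanitizer_annotate_contiguous_container: [0, live) is addressable,
  // [live, capacity) is poisoned with 0xfc ("container overflow").
  void annotate(size_t live) {
    for (size_t i = 0; i < capacity; ++i) shadow[i] = i < live ? kOk : kContainerOverflow;
  }
  // Returns "" when the write is allowed, otherwise the report kind ASan would print.
  std::string check_write(size_t off, size_t n) const {
    for (size_t i = off; i < off + n; ++i) {
      unsigned char s = i < shadow.size() ? shadow[i] : kHeapRedzone;
      if (s == kHeapRedzone) return "heap-buffer-overflow";
      if (s == kContainerOverflow && detect_container_overflow) return "container-overflow";
    }
    return "";
  }
};

// An ASan-built copy of the vector code allocates a block with 3 live bytes out of
// capacity 4 and annotates it. The 4th in-capacity push_back comes either from an
// ASan-built copy (which re-annotates) or from a non-ASan copy (which only bumps the
// size); the element is then stored through the always-instrumented memcpy
// interceptor. Returns the report kind, "" for none.
std::string mixed_build_scenario(bool push_back_from_non_asan_lib, bool detect) {
  ShadowModel sh(4);
  sh.detect_container_overflow = detect;
  size_t size = 3;
  sh.annotate(size);
  if (!push_back_from_non_asan_lib) sh.annotate(size + 1);
  ++size;
  return sh.check_write(size - 1, 1);
}
// A genuine write one past capacity hits the heap redzone and is reported
// whether or not container-overflow detection is on.
std::string write_past_capacity(bool detect) {
  ShadowModel sh(4);
  sh.detect_container_overflow = detect;
  sh.annotate(4);
  return sh.check_write(4, 1);
}
```

With the annotation skipped, the next instrumented write to the new element reports container-overflow although nothing overflowed, which is what detect_container_overflow=0 silences; a write into the redzone past capacity is still reported either way.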

Cc: newcomer@chromium.org xiy...@chromium.org lgcheng@google.com manojgupta@chromium.org
Issue 809092 has been merged into this issue.
Comment 7 by bugdroid1@chromium.org (Project Member), Feb 6 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/e22ae2685dc8de789764f6506a3cbcef276569aa

commit e22ae2685dc8de789764f6506a3cbcef276569aa
Author: Manoj Gupta <manojgupta@google.com>
Date: Tue Feb 06 12:55:42 2018

ASAN: Disable container overflow checks.

Container overflow checks require that all library code is also
built with -fsanitize=address. Since there is a mix of libraries
built with/without sanitizers in Chrome OS, this check gets
triggered even when there is no overflow.
Disable this check on eugenis@ recommendation.

BUG=chromium:807731
TEST=cros_run_unit_tests succeeds on amd64-generic-asan.

Change-Id: I0439134933be71d1b98bdd2d06009b5fdd0ddbb6
Reviewed-on: https://chromium-review.googlesource.com/900685
Commit-Ready: Manoj Gupta <manojgupta@chromium.org>
Tested-by: Manoj Gupta <manojgupta@chromium.org>
Reviewed-by: Luis Lozano <llozano@chromium.org>

[modify] https://crrev.com/e22ae2685dc8de789764f6506a3cbcef276569aa/profiles/base/profile.bashrc

Status: Verified (was: Untriaged)
All asan unit tests passed at https://build.chromium.org/p/chromiumos/builders/amd64-generic-asan/builds/23262