
Issue 818167


Issue metadata

Status: Fixed
Owner:
Closed: Jun 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Mac
Pri: 2
Type: ----


ClipboardMacTest.ReadImageRetina and ClipboardMacTest.ReadImageNonRetina failing after 10.13 flip

Reported by sheriff-...@appspot.gserviceaccount.com, Mar 2 2018

Issue description

Filed by sheriff-o-matic@appspot.gserviceaccount.com on behalf of grt@chromium.org

ClipboardMacTest.ReadImageNonRetina and 1 other(s) in ui_base_unittests failing on chromium.memory/Mac ASan 64 Tests (1)

Builders failed on: 
- Mac ASan 64 Tests (1): 
  https://build.chromium.org/p/chromium.memory/builders/Mac%20ASan%2064%20Tests%20%281%29

They passed on 10.9: https://chromium-swarm.appspot.com/task?id=3bfd5f2a3dd90310&refresh=10&show_raw=1
and fail on 10.13: https://chromium-swarm.appspot.com/task?id=3bfd9675c0084210&refresh=10&show_raw=1

[ RUN      ] ClipboardMacTest.ReadImageRetina
=================================================================
==26120==ERROR: AddressSanitizer: heap-use-after-free on address 0x000110ace800 at pc 0x00010ce2d039 bp 0x7ffee4fe7ba0 sp 0x7ffee4fe7340
READ of size 792 at 0x000110ace800 thread T0
    #0 0x10ce2d038 in __sanitizer_weak_hook_memmem ??:0:0
    #1 0x7fff3e669c4f in CGAccessSessionGetBytes ??:0:0
    #2 0x7fff40b33134 in alphaProviderGetBytes(void*, void*, unsigned long) ??:0:0
    #3 0x7fff40bd727a in IIOImagePixelDataProvider::getBytesFromAccessSession(void*, unsigned long) ??:0:0
    #4 0x7fff40bd732b in IIOImagePixelDataProvider::getBytesCGAccessSessionNoConvert(void*, unsigned long) ??:0:0
    #5 0x7fff40b4046e in TIFFWritePlugin::writeOne(tiff*, void*, IIOImagePixelDataProvider*, IIODictionary*) ??:0:0
    #6 0x7fff40b40b83 in TIFFWritePlugin::writeAll() ??:0:0
    #7 0x7fff40b40bf1 in TIFFWritePlugin::WriteProc(void*, void*, void*, void*) ??:0:0
    #8 0x7fff40b88f95 in IIOImageDestination::finalize() ??:0:0
    #9 0x7fff3bb3d725 in +[NSBitmapImageRep(NSBitmapImageFileTypeExtensions) representationOfImageRepsInArray:usingType:properties:] ??:0:0
    #10 0x7fff3bb3c7e2 in -[NSImage TIFFRepresentationUsingCompression:factor:] ??:0:0
    #11 0x7fff3be1b0b8 in -[NSImage pasteboardPropertyListForType:] ??:0:0
    #12 0x7fff3ba9548d in -[NSPasteboard writeObjects:] ??:0:0
    #13 0x10ac2364f in ui::ClipboardMacTest_ReadImageRetina_Test::TestBody() ??:0:0
    #14 0x10af060a0 in testing::Test::Run() ??:0:0
    #15 0x10af07f93 in testing::TestInfo::Run() ??:0:0
    #16 0x10af092d6 in testing::TestCase::Run() ??:0:0
    #17 0x10af20ac6 in testing::internal::UnitTestImpl::RunAllTests() ??:0:0
    #18 0x10af20049 in testing::UnitTest::Run() ??:0:0
    #19 0x10b837ec8 in base::TestSuite::Run() ??:0:0
    #20 0x10b8615b5 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) ??:0:0
    #21 0x10b8611e2 in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) ??:0:0
    #22 0x10ad22eb4 in main ??:0:0
    #23 0x7fff65bfb114 in start ??:0:0

0x000110ace800 is located 0 bytes inside of 159984-byte region [0x000110ace800,0x000110af58f0)
freed by thread T0 here:
    #0 0x10ce68e7d in __asan_memmove ??:0:0
    #1 0x10ac24473 in ui::ClipboardMacTest::CreateImage(int, int, bool) ??:0:0
    #2 0x10ac23589 in ui::ClipboardMacTest_ReadImageRetina_Test::TestBody() ??:0:0
    #3 0x10af060a0 in testing::Test::Run() ??:0:0
    #4 0x10af07f93 in testing::TestInfo::Run() ??:0:0
    #5 0x10af092d6 in testing::TestCase::Run() ??:0:0
    #6 0x10af20ac6 in testing::internal::UnitTestImpl::RunAllTests() ??:0:0
    #7 0x10af20049 in testing::UnitTest::Run() ??:0:0
    #8 0x10b837ec8 in base::TestSuite::Run() ??:0:0
    #9 0x10b8615b5 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) ??:0:0
    #10 0x10b8611e2 in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) ??:0:0
    #11 0x10ad22eb4 in main ??:0:0
    #12 0x7fff65bfb114 in start ??:0:0

previously allocated by thread T0 here:
    #0 0x10ce69207 in __asan_memmove ??:0:0
    #1 0x10ac24312 in ui::ClipboardMacTest::CreateImage(int, int, bool) ??:0:0
    #2 0x10ac23589 in ui::ClipboardMacTest_ReadImageRetina_Test::TestBody() ??:0:0
    #3 0x10af060a0 in testing::Test::Run() ??:0:0
    #4 0x10af07f93 in testing::TestInfo::Run() ??:0:0
    #5 0x10af092d6 in testing::TestCase::Run() ??:0:0
    #6 0x10af20ac6 in testing::internal::UnitTestImpl::RunAllTests() ??:0:0
    #7 0x10af20049 in testing::UnitTest::Run() ??:0:0
    #8 0x10b837ec8 in base::TestSuite::Run() ??:0:0
    #9 0x10b8615b5 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) ??:0:0
    #10 0x10b8611e2 in base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) ??:0:0
    #11 0x10ad22eb4 in main ??:0:0
    #12 0x7fff65bfb114 in start ??:0:0

SUMMARY: AddressSanitizer: heap-use-after-free (/b/s/w/ir/out/Release/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x1a038)
Shadow bytes around the buggy address:
  0x100022159cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100022159cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100022159cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100022159ce0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100022159cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x100022159d00:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100022159d10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100022159d20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100022159d30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100022159d40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x100022159d50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==26120==ABORTING
Received signal 6
0   ui_base_unittests                   0x000000010b6c3c8c base::debug::StackTrace::StackTrace(unsigned long) + 28
1   ui_base_unittests                   0x000000010b6c39a5 base::debug::(anonymous namespace)::StackDumpSignalHandler(int, __siginfo*, void*) + 4069
2   libsystem_platform.dylib            0x00007fff65e7cf5a _sigtramp + 26
3   ???                                 0x0000000110b4b780 0x0 + 4575246208
4   libsystem_c.dylib                   0x00007fff65ca7312 abort + 127
5   libclang_rt.asan_osx_dynamic.dylib  0x000000010ce8a666 __sanitizer_cov_pcs_init + 1558
6   libclang_rt.asan_osx_dynamic.dylib  0x000000010ce88d44 OnPrint + 23652
7   libclang_rt.asan_osx_dynamic.dylib  0x000000010ce6ef86 __asan_on_error + 886
8   libclang_rt.asan_osx_dynamic.dylib  0x000000010ce6e803 __asan_unpoison_intra_object_redzone + 6307
9   libclang_rt.asan_osx_dynamic.dylib  0x000000010ce2d059 __sanitizer_weak_hook_memmem + 9145
10  CoreGraphics                        0x00007fff3e669c50 CGAccessSessionGetBytes + 112
11  ImageIO                             0x00007fff40b33135 alphaProviderGetBytes(void*, void*, unsigned long) + 1037
12  ImageIO                             0x00007fff40bd727b IIOImagePixelDataProvider::getBytesFromAccessSession(void*, unsigned long) + 47
13  ImageIO                             0x00007fff40bd732c IIOImagePixelDataProvider::getBytesCGAccessSessionNoConvert(void*, unsigned long) + 98
14  ImageIO                             0x00007fff40b4046f TIFFWritePlugin::writeOne(tiff*, void*, IIOImagePixelDataProvider*, IIODictionary*) + 5267
15  ImageIO                             0x00007fff40b40b84 TIFFWritePlugin::writeAll() + 276
16  ImageIO                             0x00007fff40b40bf2 TIFFWritePlugin::WriteProc(void*, void*, void*, void*) + 58
17  ImageIO                             0x00007fff40b88f96 IIOImageDestination::finalize() + 1542
18  AppKit                              0x00007fff3bb3d726 +[NSBitmapImageRep(NSBitmapImageFileTypeExtensions) representationOfImageRepsInArray:usingType:properties:] + 2170
19  AppKit                              0x00007fff3bb3c7e3 -[NSImage TIFFRepresentationUsingCompression:factor:] + 388
20  AppKit                              0x00007fff3be1b0b9 -[NSImage pasteboardPropertyListForType:] + 58
21  AppKit                              0x00007fff3ba9548e -[NSPasteboard writeObjects:] + 1316
22  ui_base_unittests                   0x000000010ac23650 ui::ClipboardMacTest_ReadImageRetina_Test::TestBody() + 512
23  ui_base_unittests                   0x000000010af060a1 testing::Test::Run() + 641
24  ui_base_unittests                   0x000000010af07f94 testing::TestInfo::Run() + 900
25  ui_base_unittests                   0x000000010af092d7 testing::TestCase::Run() + 967
26  ui_base_unittests                   0x000000010af20ac7 testing::internal::UnitTestImpl::RunAllTests() + 2503
27  ui_base_unittests                   0x000000010af2004a testing::UnitTest::Run() + 298
28  ui_base_unittests                   0x000000010b837ec9 base::TestSuite::Run() + 505
29  ui_base_unittests                   0x000000010b8615b6 base::(anonymous namespace)::LaunchUnitTestsInternal(base::RepeatingCallback<int ()> const&, unsigned long, int, bool, base::RepeatingCallback<void ()> const&) + 822
30  ui_base_unittests                   0x000000010b8611e3 base::LaunchUnitTests(int, char**, base::RepeatingCallback<int ()> const&) + 419
31  ui_base_unittests                   0x000000010ad22eb5 main + 373
32  libdyld.dylib                       0x00007fff65bfb115 start + 1
33  ???                                 0x0000000000000009 0x0 + 9
[end of stack trace]
[3/309] ClipboardMacTest.ReadImageRetina (CRASHED)

Comment 1 by grt@chromium.org, Mar 2 2018

Cc: -erikc...@chromium.org
Components: Blink>DataTransfer UI>HighDPI
Labels: OS-Mac
Owner: erikc...@chromium.org
Status: Assigned (was: Available)

Comment 2 by grt@chromium.org, Mar 2 2018

Cc: -grt@chromium.org d...@chromium.org shenghua...@chromium.org
Components: Infra>Client>Chrome
Labels: Hotlist-HighSierra
Owner: ----
Status: Untriaged (was: Assigned)

Comment 4 by bugdroid1@chromium.org, Mar 2 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/8d95669c02840164077081876f46fcb95fc32888

commit 8d95669c02840164077081876f46fcb95fc32888
Author: Greg Thompson <grt@chromium.org>
Date: Fri Mar 02 13:26:39 2018

Disable ClipboardMacTest.ReadImage{,Non}Retina under MSAN.

BUG= 818167 
TBR=grt@chromium.org

Change-Id: I568d03c8c644030b248cfa23e837bb4ea59814ee
Reviewed-on: https://chromium-review.googlesource.com/946189
Reviewed-by: Greg Thompson <grt@chromium.org>
Commit-Queue: Greg Thompson <grt@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540508}
[modify] https://crrev.com/8d95669c02840164077081876f46fcb95fc32888/ui/base/clipboard/clipboard_mac_unittest.mm


Comment 5 by bugdroid1@chromium.org, Mar 5 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c3e8abab7cfc2bc6c347a8a2db4b8aee9ee583e2

commit c3e8abab7cfc2bc6c347a8a2db4b8aee9ee583e2
Author: Yutaka Hirano <yhirano@chromium.org>
Date: Mon Mar 05 08:59:52 2018

Disable ClipboardMacTest.ReadImage{,Non}Retina under ASAN

TBR=grt@chromium.org

Bug:  818167 
Change-Id: I2b32ad5308e51f4da39947d1f3b631587b2fe2d3
Reviewed-on: https://chromium-review.googlesource.com/948402
Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Yutaka Hirano <yhirano@chromium.org>
Cr-Commit-Position: refs/heads/master@{#540795}
[modify] https://crrev.com/c3e8abab7cfc2bc6c347a8a2db4b8aee9ee583e2/ui/base/clipboard/clipboard_mac_unittest.mm

Cc: mek@chromium.org pwnall@chromium.org
Status: Assigned (was: Untriaged)
mek@, was this possibly fixed from the clipboard blob ownership changes?
Status: Untriaged (was: Assigned)

Comment 8 by mek@chromium.org, Mar 5 2018

re #6, I don't see how? If I'm reading the code/stack traces right, this is crashing in the test setup code, i.e. where it tries to write an image to the native clipboard. So this looks very mac specific at least, and unrelated to any clipboard blob code.
Components: -Infra>Client>Chrome
Removing Infra>Client>Chrome component; this appears to just be a test failure.
Labels: -Sheriff-Chromium
Owner: pwnall@chromium.org
Status: Started (was: Untriaged)
Cc: -shenghua...@chromium.org

Comment 13 by bugdroid1@chromium.org, Jun 20 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a395067192442fdb60a1cc2d9b6d1f95d176a75e

commit a395067192442fdb60a1cc2d9b6d1f95d176a75e
Author: Victor Costan <pwnall@chromium.org>
Date: Wed Jun 20 22:05:10 2018

Clipboard: Fix ASAN failures in ClipboardMacTest.

MSAN/ASAN correctly identified a use-after-free in
ClipboardMacTest::CreateImage(). Specifically, when using
CGDataProviderCreateWithData(), the caller is responsible for keeping the
data buffer referenced by the CGDataProvider alive as long as necessary.
ClipboardMacTest::CreateImage() incorrectly assumes that the buffer does
not need to be kept alive after the CGDataProvider is used to create
an NSImage.

This CL implements a CGDataProviderReleaseDataCallback and passes it to
CGDataProviderReleaseDataCallback(), so the data buffer is only freed
after the CGDataProvider stops using it. This fixes the use-after-free.

Bug:  818167 
Cq-Include-Trybots: master.tryserver.chromium.mac:mac_chromium_asan_rel_ng
Change-Id: Iafdc7a4b2448fd2d31bcd6f3078af69b8062c06b
Reviewed-on: https://chromium-review.googlesource.com/1108550
Commit-Queue: Victor Costan <pwnall@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569041}
[modify] https://crrev.com/a395067192442fdb60a1cc2d9b6d1f95d176a75e/ui/base/clipboard/clipboard_mac_unittest.mm

Status: Fixed (was: Started)
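The ownership rule the fix commit describes, shown as an added Objective-C example rather than the page's own clipboard_mac_unittest.mm code: CGDataProviderCreateWithData() only records a pointer to the caller's pixel buffer, so the buffer must outlive every CGImage and NSImage built on the provider, and the way to guarantee that is the CGDataProviderReleaseDataCallback passed as its last argument. The function names, the pixel layout and the transfer_ownership switch are my own, not the test's.

```objc
#import <AppKit/AppKit.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

// Called by Core Graphics when the last reference to the CGDataProvider goes
// away. That is the only point at which a buffer handed to
// CGDataProviderCreateWithData() may be freed. |info| is the user pointer given
// at creation time (unused here).
static void ReleasePixelBuffer(void* info, const void* data, size_t size) {
  (void)info;
  (void)size;
  free((void*)data);
}

// Builds a width x height RGBA test image. With transfer_ownership == false it
// reproduces the defective pattern from the bug: the buffer is freed while the
// NSImage still references it, and ASan reports heap-use-after-free as soon as
// the image is encoded (for example by -[NSPasteboard writeObjects:], which is
// where the trace above fires). With transfer_ownership == true the buffer is
// freed by ReleasePixelBuffer() only after Core Graphics drops the provider.
static NSImage* MakeTestImage(int width, int height, bool transfer_ownership) {
  const size_t bytes_per_row = (size_t)width * 4;
  const size_t size = bytes_per_row * (size_t)height;
  unsigned char* pixels = (unsigned char*)malloc(size);
  memset(pixels, 0x80, size);  // constructed content: 50% alpha, premultiplied

  CGDataProviderRef provider = CGDataProviderCreateWithData(
      NULL, pixels, size, transfer_ownership ? ReleasePixelBuffer : NULL);
  CGColorSpaceRef color_space = CGColorSpaceCreateDeviceRGB();
  CGImageRef cg_image = CGImageCreate(
      width, height, 8, 32, bytes_per_row, color_space,
      (CGBitmapInfo)kCGImageAlphaPremultipliedLast, provider, NULL, false,
      kCGRenderingIntentDefault);
  CGColorSpaceRelease(color_space);
  // Dropping our reference is correct: the CGImage retains the provider, and
  // the provider keeps pointing at |pixels| for as long as it lives.
  CGDataProviderRelease(provider);

  NSImage* image = [[NSImage alloc] initWithCGImage:cg_image
                                               size:NSMakeSize(width, height)];
  CGImageRelease(cg_image);

  if (!transfer_ownership)
    free(pixels);  // BUG: the provider held by |image| still points here.
  return image;
}
```

Under ASan the defective path only trips when something reads the pixels, so a test that creates the image but never encodes it can stay green on one OS version and crash on another, which matches the 10.9 pass / 10.13 failure reported above.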
