
Issue 818525


Issue metadata

Status: Fixed
Owner:
Closed: Mar 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug




GN crash with heap-use-after-free

Project Member Reported by mcgrathr@chromium.org, Mar 4 2018

Issue description

ToT GN build with use_asan=true.  The ASan report is attached.  Perhaps the backtraces alone will be meaningful to someone.

I don't have an isolated way to reproduce this.
It hits in the Fuchsia build with some GN changes I'm trying, and the GN magic involved is pretty deep.

To reproduce this, start with a current jiri checkout of fuchsia.
Then check out //build at https://fuchsia-review.googlesource.com/c/build/+/128959/5 and try 'fx set x86'.  You'll just get a silent failure with stock GN that crashes silently.  I hacked the //buildtools/gn script locally to point to my asan build of gn from my chromium checkout.

It might well be that this crash only arises due to some bug in my GN code, but I can't figure it out when GN doesn't give me any feedback.  This is blocking some build cleanup work we want done in Fuchsia.
 
gn-asan-log.txt
29.5 KB

Comment 2 by brettw@chromium.org, Mar 12 2018

Owner: brettw@chromium.org
Status: Started (was: Untriaged)

Comment 3 by bugdroid1@chromium.org, Mar 19 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/dcba727e7e8b00cb26c4d797d956d48d2e98371f

commit dcba727e7e8b00cb26c4d797d956d48d2e98371f
Author: Brett Wilson <brettw@chromium.org>
Date: Mon Mar 19 23:36:09 2018

GN: Don't crash when mutating the list in a foreach.

Avoid a crash caused by mutation of the list being iterated over from inside
the foreach loop. This does a full copy of the iterated list since the
code inside can't mutate the array via the loop variable anyway. Although
theoretically slower, this doesn't seem to have a measurable performance
regression in practice (we generally iterate over few large lists).

Adds documentation and tests for iteration while mutating the underlying list
variable.

Bug:  818525 
Change-Id: I221fa230685b8998f5874154cad8d5c655b8006c
Reviewed-on: https://chromium-review.googlesource.com/959228
Commit-Queue: Brett Wilson <brettw@chromium.org>
Reviewed-by: Roland McGrath <mcgrathr@chromium.org>
Cr-Commit-Position: refs/heads/master@{#544209}
[modify] https://crrev.com/dcba727e7e8b00cb26c4d797d956d48d2e98371f/tools/gn/function_foreach.cc
[modify] https://crrev.com/dcba727e7e8b00cb26c4d797d956d48d2e98371f/tools/gn/function_foreach_unittest.cc
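
The bug class and the copy-before-iterate fix described in the commit message above, as an added example that is not GN's source code and not part of the original thread. It is a constructed C++ model; `Scope`, `ForeachAliased`, `ForeachSnapshot` and `RunMutatingLoop` are hypothetical names.

```cpp
// Added example: constructed model of the bug class, not GN source code.
#include <cstddef>
#include <functional>
#include <map>
#include <string>
#include <vector>

using List = std::vector<std::string>;
using Scope = std::map<std::string, List>;  // hypothetical stand-in for an interpreter scope
using Body = std::function<void(Scope&, const std::string& item)>;

// Before: iterates the live list. If the body appends to scope[list_name], the
// vector may reallocate and `item` plus the loop iterators dangle, which ASan
// reports as heap-use-after-free. Shown for contrast; never call it with a mutating body.
void ForeachAliased(Scope& scope, const std::string& list_name, const Body& body) {
  for (const std::string& item : scope[list_name])
    body(scope, item);
}

// After: iterate a snapshot. The body may grow, replace or erase the variable;
// the loop only ever touches its own copy, taken when the loop started.
std::size_t ForeachSnapshot(Scope& scope, const std::string& list_name, const Body& body) {
  const List snapshot = scope[list_name];  // full copy of the iterated list
  std::size_t iterations = 0;
  for (const std::string& item : snapshot) {
    body(scope, item);
    ++iterations;
  }
  return iterations;
}

// Constructed scenario: the loop body appends to the list being iterated.
// Returns the iteration count; the final list is left in scope["srcs"].
std::size_t RunMutatingLoop(Scope& scope) {
  scope["srcs"] = {"a.cc", "b.cc", "c.cc"};
  return ForeachSnapshot(scope, "srcs", [](Scope& s, const std::string& item) {
    s["srcs"].push_back(item + ".o");  // would invalidate iterators in ForeachAliased
  });
}

int main() {
  Scope scope;
  return RunMutatingLoop(scope) == 3 ? 0 : 1;
}
```

Building the aliased variant with `-fsanitize=address` and a mutating body is a quick way to confirm that a regression test for this pattern actually exercises the reallocation path.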

Comment 4 by brettw@chromium.org, Mar 20 2018

Status: Fixed (was: Started)
