MediaEngagementServiceTest.HistoryExpirationIsNoOp failing on ubsan bot
Issue description
https://logs.chromium.org/v/?s=chromium%2Fbb%2Fchromium.clang%2FToTLinuxUBSanVptr%2F2253%2F%2B%2Frecipes%2Fsteps%2Funit_tests%2F0%2Flogs%2FMediaEngagementServiceTest.HistoryExpirationIsNoOp%2F0

[ RUN ] MediaEngagementServiceTest.HistoryExpirationIsNoOp
../../base/bind_internal.h:447:12: runtime error: member call on address 0x1305e5d4c320 which does not point to an object of type 'MediaEngagementService'
0x1305e5d4c320: note: object has invalid vptr
00 00 00 00 c4 0c 2b 1a fa ec ff ff c4 f3 2a 1a fa ec ff ff 00 00 00 00 00 00 00 00 00 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
invalid vptr
#0 0xe710ded (/b/s/w/ir/out/Release/unit_tests+0xe710ded)
#1 0x11b81514 (/b/s/w/ir/out/Release/unit_tests+0x11b81514)
#2 0x11b81679 (/b/s/w/ir/out/Release/unit_tests+0x11b81679)
#3 0xde34162 (/b/s/w/ir/out/Release/unit_tests+0xde34162)
#4 0xdd1a271 (/b/s/w/ir/out/Release/unit_tests+0xdd1a271)
#5 0xdd5f3ee (/b/s/w/ir/out/Release/unit_tests+0xdd5f3ee)
#6 0xdd5fe46 (/b/s/w/ir/out/Release/unit_tests+0xdd5fe46)
#7 0xdd6066a (/b/s/w/ir/out/Release/unit_tests+0xdd6066a)
#8 0xdd6a81c (/b/s/w/ir/out/Release/unit_tests+0xdd6a81c)
#9 0xddd333f (/b/s/w/ir/out/Release/unit_tests+0xddd333f)
#10 0xc3fda3f (/b/s/w/ir/out/Release/unit_tests+0xc3fda3f)
#11 0xc403c98 (/b/s/w/ir/out/Release/unit_tests+0xc403c98)
#12 0x7a122fb (/b/s/w/ir/out/Release/unit_tests+0x7a122fb)
#13 0x7a13c62 (/b/s/w/ir/out/Release/unit_tests+0x7a13c62)
#14 0x7a2b357 (/b/s/w/ir/out/Release/unit_tests+0x7a2b357)
#15 0x7a2a27b (/b/s/w/ir/out/Release/unit_tests+0x7a2a27b)
#16 0xc15e019 (/b/s/w/ir/out/Release/unit_tests+0xc15e019)
#17 0xc163b31 (/b/s/w/ir/out/Release/unit_tests+0xc163b31)
#18 0xc16395e (/b/s/w/ir/out/Release/unit_tests+0xc16395e)
#19 0xc14c728 (/b/s/w/ir/out/Release/unit_tests+0xc14c728)
#20 0x7f5e2f940f44 (/lib/x86_64-linux-gnu/libc.so.6+0x21f44)
#21 0x3214029 (/b/s/w/ir/out/Release/unit_tests+0x3214029)
Mar 30 2018
Apr 17 2018
This is a use-after-free in TearDown. There's a simple fix, destroy service_ later:
$ git diff
diff --git a/chrome/browser/media/media_engagement_service_unittest.cc b/chrome/browser/media/media_engagement_service_unittest.cc
index f1dbd0285991..9d93c06c3063 100644
--- a/chrome/browser/media/media_engagement_service_unittest.cc
+++ b/chrome/browser/media/media_engagement_service_unittest.cc
@@ -151,8 +151,8 @@ class MediaEngagementServiceTest : public ChromeRenderViewHostTestHarness {
void TearDown() override {
service_->Shutdown();
- service_.reset();
ChromeRenderViewHostTestHarness::TearDown();
+ service_.reset();
}
void AdvanceClock() {
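Review bot: The moved service_.reset() line in TearDown() has no comment saying why it must come after ChromeRenderViewHostTestHarness::TearDown(), so a later cleanup could move it back and reintroduce the use-after-free. Suggest a one-line comment above it stating that the harness teardown can still call into the service, so the object has to outlive it. It is also worth confirming that a call arriving after service_->Shutdown() is safe, since Shutdown() still runs before the harness teardown.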
ASan doesn't catch this (but UBSan does accidentally) because RemoveOriginsWithNoVisits doesn't ever access memory through |this|.
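The teardown ordering in the diff above, modelled as a standalone added example (not code from the Chromium tree or from the commenter). `TaskQueue`, `Service` and `RunTeardown` are hypothetical stand-ins, and the model assumes the harness teardown runs a pending task that calls into the service; the task holds a `std::weak_ptr` so the stale call is counted instead of executed.

```cpp
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for a test harness that runs pending tasks in TearDown().
class TaskQueue {
 public:
  void Post(std::function<void()> task) { tasks_.push_back(std::move(task)); }
  void Drain() {
    for (auto& task : tasks_) task();
    tasks_.clear();
  }

 private:
  std::vector<std::function<void()>> tasks_;
};

// Hypothetical service with a virtual method, so the object carries a vptr.
struct Service {
  int calls = 0;
  virtual ~Service() = default;
  virtual void RemoveOrigins() { ++calls; }
};

struct Outcome {
  int ran;       // queued calls that reached a live Service
  int dangling;  // queued calls whose target was already destroyed
};

// Models both orderings of TearDown(): reset-then-drain (before the fix)
// and drain-then-reset (after the fix).
Outcome RunTeardown(bool reset_before_drain) {
  TaskQueue queue;
  auto service = std::make_shared<Service>();
  Outcome out{0, 0};
  std::weak_ptr<Service> weak = service;
  // With a raw pointer this call would be the use-after-free; the weak
  // reference turns it into a detectable, countable event.
  queue.Post([weak, &out] {
    if (auto live = weak.lock()) {
      live->RemoveOrigins();
      ++out.ran;
    } else {
      ++out.dangling;
    }
  });
  if (reset_before_drain) {
    service.reset();
    queue.Drain();
  } else {
    queue.Drain();
    service.reset();
  }
  return out;
}
```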
Apr 17 2018
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/81f52968191da689a9ed51aadd5737cdb1e4488a

commit 81f52968191da689a9ed51aadd5737cdb1e4488a
Author: Reid Kleckner <rnk@google.com>
Date: Tue Apr 17 22:11:31 2018

Fix teardown use-after-free in MediaEngagementServiceTest

Destroy the MediaEngagementService object later. Should fix the
ToTLinuxUBSanVptr bot on the clang ToT waterfall.

R=beccahughes@chromium.org,mlamouri@chromium.org
BUG= chromium:827609
Change-Id: I9570279416a39d1018f714762d3df871cf2ce07a
Reviewed-on: https://chromium-review.googlesource.com/1015770
Reviewed-by: Becca Hughes <beccahughes@chromium.org>
Commit-Queue: Reid Kleckner <rnk@chromium.org>
Cr-Commit-Position: refs/heads/master@{#551497}

[modify] https://crrev.com/81f52968191da689a9ed51aadd5737cdb1e4488a/chrome/browser/media/media_engagement_service_unittest.cc
Apr 18 2018
The bot cycled green: https://ci.chromium.org/buildbot/chromium.clang/ToTLinuxUBSanVptr/2462
Comment 1 by thakis@chromium.org, Mar 30 2018