Issue 841768

Issue metadata

Status: Fixed
Owner:
Closed: May 2018
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug




ash: uninitialized read in ResolutionNotificationControllerTest.*

Reported by ellyjo...@chromium.org, May 10 2018

Issue description

All of these tests fail on msan bots like this:

[ RUN      ] ResolutionNotificationControllerTest.Close
==7328==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x48e434e in ash::Shelf::IsHorizontalAlignment() const ./../../ash/shelf/shelf.cc:128:11
    #1 0x4a0b7c5 in ash::WebNotificationItem::AnimationProgressed(gfx::Animation const*) ./../../ash/system/message_center/notification_tray.cc:193:25
    #2 0x7a01851 in gfx::LinearAnimation::Step(base::TimeTicks) ./../../ui/gfx/animation/linear_animation.cc:78:17
    #3 0x79fda6d in gfx::AnimationContainer::Run() ./../../ui/gfx/animation/animation_container.cc:91:13
    #4 0x50ae81d in Run ./../../base/callback.h:125:12
    #5 0x50ae81d in base::Timer::RunScheduledTask() ./../../base/timer/timer.cc:263:0
    #6 0x5189521 in Run ./../../base/callback.h:96:12
    #7 0x5189521 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:101:0
    #8 0x4fa9c04 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:319:25
    #9 0x4fac99a in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:329:5
    #10 0x4fac99a in base::MessageLoop::DoDelayedWork(base::TimeTicks*) ./../../base/message_loop/message_loop.cc:413:0
    #11 0x5173826 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_libevent.cc:220:27
    #12 0x500fb6d in Run ./../../base/run_loop.cc:131:14
    #13 0x500fb6d in base::RunLoop::RunUntilIdle() ./../../base/run_loop.cc:144:0
    #14 0x8ee1cf5 in RunAllPendingInMessageLoop ./../../ash/test/ash_test_helper.cc:268:12
    #15 0x8ee1cf5 in ash::AshTestHelper::TearDown() ./../../ash/test/ash_test_helper.cc:223:0
    #16 0x8ed7871 in ash::AshTestBase::TearDown() ./../../ash/test/ash_test_base.cc:186:21
    #17 0x44abf0b in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2667:11
    #18 0x44ad989 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2785:28
    #19 0x44e4244 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5047:43
    #20 0x44e2b32 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
    #21 0x520d4d6 in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2329:46
    #22 0x520d4d6 in base::TestSuite::Run() ./../../base/test/test_suite.cc:275:0
    #23 0x521558e in Run ./../../base/callback.h:96:12
    #24 0x521558e in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) ./../../base/test/launcher/unit_test_launcher.cc:225:0
    #25 0x5214d9e in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) ./../../base/test/launcher/unit_test_launcher.cc:576:10
    #26 0x2017e82 in main ./../../ash/test/ash_unittests.cc:14:10
    #27 0x7fa09b4baf44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287:0
    #28 0x6175f9 in _start ??:0:0
  Uninitialized value was created by a heap deallocation
    #0 0x689e69 in operator delete(void*) /b/build/slave/linux_upload_clang/build/src/third_party/llvm/compiler-rt/lib/msan/msan_new_delete.cc:74:44
    #1 0x4aedbef in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2321:5
    #2 0x4aedbef in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2634:0
    #3 0x4aedbef in ash::StatusAreaWidget::~StatusAreaWidget() ./../../ash/system/status_area_widget.cc:128:0
    #4 0x4aeed0c in ash::StatusAreaWidget::~StatusAreaWidget() ./../../ash/system/status_area_widget.cc:125:39
    #5 0x495ca8b in operator() ./../../buildtools/third_party/libc++/trunk/include/memory:2321:5
    #6 0x495ca8b in reset ./../../buildtools/third_party/libc++/trunk/include/memory:2634:0
    #7 0x495ca8b in ash::ShelfWidget::Shutdown() ./../../ash/shelf/shelf_widget.cc:239:0
    #8 0x489521f in ash::RootWindowController::CloseChildWindows() ./../../ash/root_window_controller.cc:489:11
    #9 0x4989b9a in ash::Shell::CloseAllRootWindowChildWindows() ./../../ash/shell.cc:1398:19
    #10 0x497ff7c in ash::Shell::~Shell() ./../../ash/shell.cc:823:3
    #11 0x4989f2c in ash::Shell::~Shell() ./../../ash/shell.cc:719:17
    #12 0x8ee1cbd in ash::AshTestHelper::TearDown() ./../../ash/test/ash_test_helper.cc:219:5
    #13 0x8ed7871 in ash::AshTestBase::TearDown() ./../../ash/test/ash_test_base.cc:186:21
    #14 0x44abf0b in testing::TestInfo::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2667:11
    #15 0x44ad989 in testing::TestCase::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:2785:28
    #16 0x44e4244 in testing::internal::UnitTestImpl::RunAllTests() ./../../third_party/googletest/src/googletest/src/gtest.cc:5047:43
    #17 0x44e2b32 in testing::UnitTest::Run() ./../../third_party/googletest/src/googletest/src/gtest.cc:0:0
    #18 0x520d4d6 in RUN_ALL_TESTS ./../../third_party/googletest/src/googletest/include/gtest/gtest.h:2329:46
    #19 0x520d4d6 in base::TestSuite::Run() ./../../base/test/test_suite.cc:275:0
    #20 0x521558e in Run ./../../base/callback.h:96:12
    #21 0x521558e in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) ./../../base/test/launcher/unit_test_launcher.cc:225:0
    #22 0x5214d9e in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) ./../../base/test/launcher/unit_test_launcher.cc:576:10
    #23 0x2017e82 in main ./../../ash/test/ash_unittests.cc:14:10
    #24 0x7fa09b4baf44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287:0
SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/ash_unittests+0x48e434e)
Exiting
 
Cc: tetsui@chromium.org
Owner: est...@chromium.org
Ah, no, I bet this was f57e1c35076dedd3a90ab55adae20772404b6702.

From linux-chromeos-rel:

[ RUN      ] ResolutionNotificationControllerTest.Timeout
Received signal 11 <unknown> 000000000000
#0 0x7f0d9a8f2d6d base::debug::StackTrace::StackTrace()
#1 0x7f0d9a623fdc base::debug::StackTrace::StackTrace()
#2 0x7f0d9a8f27f8 base::debug::(anonymous namespace)::StackDumpSignalHandler()
#3 0x7f0d9e199330 <unknown>
#4 0x7f0d9c6adf33 ash::Shelf::IsHorizontalAlignment()
#5 0x7f0d9c78ae5c ash::WebNotificationItem::AnimationProgressed()
#6 0x7f0d93e6f4ab gfx::LinearAnimation::Step()
#7 0x7f0d93e6a736 gfx::AnimationContainer::Run()
#8 0x7f0d93e6ec3d _ZN4base8internal13FunctorTraitsIMN3gfx18AnimationContainerEFvvEvE6InvokeIS5_PS3_JEEEvT_OT0_DpOT1_
#9 0x7f0d93e6eb84 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMN3gfx18AnimationContainerEFvvEJPS5_EEEvOT_DpOT0_
#10 0x7f0d93e6eb35 _ZN4base8internal7InvokerINS0_9BindStateIMN3gfx18AnimationContainerEFvvEJNS0_17UnretainedWrapperIS4_EEEEEFvvEE7RunImplIRKS6_RKNSt3__15tupleIJS8_EEEJLm0EEEEvOT_OT0_NSF_16integer_sequenceImJXspT1_EEEE
#11 0x7f0d93e6ea4c _ZN4base8internal7InvokerINS0_9BindStateIMN3gfx18AnimationContainerEFvvEJNS0_17UnretainedWrapperIS4_EEEEEFvvEE3RunEPNS0_13BindStateBaseE
#12 0x7f0d9a5d0c5d _ZNKR4base17RepeatingCallbackIFvvEE3RunEv
#13 0x7f0d9a8229f8 base::Timer::RunScheduledTask()
#14 0x7f0d9a822b19 base::BaseTimerTaskInternal::Run()
#15 0x7f0d9a66b89d _ZN4base8internal13FunctorTraitsIMNS_19ImportantFileWriterEFvvEvE6InvokeIS4_PS2_JEEEvT_OT0_DpOT1_
#16 0x7f0d9a66b7e4 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIRKMNS_19ImportantFileWriterEFvvEJPS4_EEEvOT_DpOT0_
#17 0x7f0d9a822c75 _ZN4base8internal7InvokerINS0_9BindStateIMNS_21BaseTimerTaskInternalEFvvEJNS0_12OwnedWrapperIS3_EEEEEFvvEE7RunImplIS5_NSt3__15tupleIJS7_EEEJLm0EEEEvOT_OT0_NSC_16integer_sequenceImJXspT1_EEEE
#18 0x7f0d9a822bc9 _ZN4base8internal7InvokerINS0_9BindStateIMNS_21BaseTimerTaskInternalEFvvEJNS0_12OwnedWrapperIS3_EEEEEFvvEE7RunOnceEPNS0_13BindStateBaseE
#19 0x7f0d9a5d530e _ZNO4base12OnceCallbackIFvvEE3RunEv
#20 0x7f0d9a6253ca base::debug::TaskAnnotator::RunTask()
#21 0x7f0d9a6b15aa base::internal::IncomingTaskQueue::RunTask()
#22 0x7f0d9a6b9bcb base::MessageLoop::RunTask()
#23 0x7f0d9a6b9e15 base::MessageLoop::DeferOrRunPendingTask()
#24 0x7f0d9a6ba3c3 base::MessageLoop::DoDelayedWork()
#25 0x7f0d9a929ba2 base::MessagePumpLibevent::Run()
#26 0x7f0d9a6b94be base::MessageLoop::Run()
#27 0x7f0d9a762652 base::RunLoop::Run()
#28 0x7f0d9a76327e base::RunLoop::RunUntilIdle()
#29 0x000001c6bd90 ash::AshTestHelper::RunAllPendingInMessageLoop()
#30 0x000001c6b6f8 ash::AshTestHelper::TearDown()
#31 0x000001c63e90 ash::AshTestBase::TearDown()
#32 0x0000012baefe testing::internal::HandleSehExceptionsInMethodIfSupported<>()
#33 0x0000012af052 testing::internal::HandleExceptionsInMethodIfSupported<>()
#34 0x000001292e6b testing::Test::Run()
#35 0x000001293810 testing::TestInfo::Run()
#36 0x0000012942bf testing::TestCase::Run()
#37 0x0000012a6468 testing::internal::UnitTestImpl::RunAllTests()
#38 0x0000012baf8e testing::internal::HandleSehExceptionsInMethodIfSupported<>()
#39 0x0000012b07a2 testing::internal::HandleExceptionsInMethodIfSupported<>()
#40 0x0000012a60c7 testing::UnitTest::Run()
#41 0x000001b92171 RUN_ALL_TESTS()
#42 0x000001b8ebcb base::TestSuite::Run()
#43 0x0000008292dd _ZN4base8internal13FunctorTraitsIMN3ash36ResolutionNotificationControllerTestEFvvEvE6InvokeIS5_PS3_JEEEvT_OT0_DpOT1_
#44 0x000000829224 _ZN4base8internal12InvokeHelperILb0EvE8MakeItSoIMN3ash36ResolutionNotificationControllerTestEFvvEJPS5_EEEvOT_DpOT0_
#45 0x000000d2a315 _ZN4base8internal7InvokerINS0_9BindStateIMNS_9TestSuiteEFivEJNS0_17UnretainedWrapperIN3ash12AshTestSuiteEEEEEEFivEE7RunImplIRKS5_RKNSt3__15tupleIJS9_EEEJLm0EEEEiOT_OT0_NSG_16integer_sequenceImJXspT1_EEEE
#46 0x000000d2a25c _ZN4base8internal7InvokerINS0_9BindStateIMNS_9TestSuiteEFivEJNS0_17UnretainedWrapperIN3ash12AshTestSuiteEEEEEEFivEE3RunEPNS0_13BindStateBaseE
#47 0x000001ba129e _ZNO4base12OnceCallbackIFivEE3RunEv
#48 0x000001b9a1b0 base::(anonymous namespace)::LaunchUnitTestsInternal()
#49 0x000001b9a025 base::LaunchUnitTests()
#50 0x000000d2a0fa main
#51 0x7f0d8dbd8f45 __libc_start_main
#52 0x0000005de2aa _start
  r8: 00007fff5e793ab8  r9: 0000000000000000 r10: 0000000034818b1d r11: 0000000000000003
 r12: 00000000005de280 r13: 00007fff5e7967a0 r14: 0000000000000000 r15: 0000000000000000
  di: 3636363636363636  si: 00000222305c1520  bp: 00007fff5e793a80  bx: 0000000000000000
  dx: 0000000000000040  ax: 3636363636363636  cx: 0000000000000000  sp: 00007fff5e793930
  ip: 00007f0d9c6adf33 efl: 0000000000010206 cgf: 0000000000000033 erf: 0000000000000000
 trp: 000000000000000d msk: 0000000000000000 cr2: 0000000000000000
[end of stack trace]

Comment 2 by est...@chromium.org, May 10 2018

I don't think my change caused this as I pretty much just swapped one image for another. WebNotificationItem::HideAndDelete looks pretty suspect to me since it means the item can outlive |tray_|; not sure why this would have just started failing though.
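The lifetime hazard the comment points at (a hidden tray item whose animation timer keeps firing after the tray, and with it the shelf pointer, has been torn down) can be modelled without any Chromium code. The example below is added here and is not from the bug, the commit, or the Chromium tree: `Shelf`, `Tray`, `HidingItem` and `PendingTasks` are constructed stand-ins for the classes in the stack traces, and the weak-reference check on every animation tick is one possible mitigation chosen for illustration, not a description of what the actual fix in the linked commit does. It reproduces the teardown ordering shown in both traces (tray destroyed, then `RunUntilIdle()` drains the pending animation ticks) and counts the ticks that are skipped instead of reading through a dangling pointer.

```cpp
#include <cassert>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Constructed stand-in for ash::Shelf: the field that IsHorizontalAlignment()
// reads in the MSan report.
struct Shelf {
  bool horizontal_alignment = true;
};

// Constructed stand-in for the tray (status-area widget) that holds the Shelf
// pointer. Items must only reach the shelf through a live tray.
struct Tray {
  Shelf* shelf;  // non-owning; valid only while the tray is alive
  explicit Tray(Shelf* s) : shelf(s) {}
};

// A tray item whose hide animation may finish after the tray is gone (the
// "item can outlive the tray" situation named in the comment). Hypothetical
// hardened form: it keeps only a weak reference to the tray and re-checks it
// on every animation tick instead of dereferencing a raw pointer.
class HidingItem {
 public:
  explicit HidingItem(std::weak_ptr<Tray> tray) : tray_(std::move(tray)) {}

  // Returns true if the tick read the shelf, false if it was skipped because
  // the tray (and therefore the shelf) no longer exists.
  bool AnimationProgressed(double progress) {
    std::shared_ptr<Tray> tray = tray_.lock();
    if (!tray) {
      ++skipped_ticks_;
      return false;
    }
    // Equivalent of the Shelf::IsHorizontalAlignment() read in the report.
    last_horizontal_ = tray->shelf->horizontal_alignment;
    last_progress_ = progress;
    return true;
  }

  int skipped_ticks() const { return skipped_ticks_; }
  bool last_horizontal() const { return last_horizontal_; }
  double last_progress() const { return last_progress_; }

 private:
  std::weak_ptr<Tray> tray_;
  int skipped_ticks_ = 0;
  bool last_horizontal_ = false;
  double last_progress_ = 0.0;
};

// Minimal stand-in for the message loop: animation-timer tasks that
// RunUntilIdle() drains during TearDown(), i.e. after the Shell and tray are
// already destroyed.
struct PendingTasks {
  std::vector<std::function<void()>> tasks;
  void RunUntilIdle() {
    for (auto& task : tasks) task();
    tasks.clear();
  }
};

// Replays the ordering from the stack traces: one tick while the tray is
// alive, then the tray is destroyed, then the queued ticks run. Returns how
// many ticks were skipped rather than touching the dead tray.
int TeardownThenTick() {
  Shelf shelf;  // stack-owned so the example itself has no undefined behaviour
  auto tray = std::make_shared<Tray>(&shelf);
  // Item detached from the tray for its hide animation; it outlives |tray|.
  auto item = std::make_unique<HidingItem>(tray);
  HidingItem* raw_item = item.get();

  PendingTasks loop;
  loop.tasks.push_back([raw_item] { raw_item->AnimationProgressed(0.5); });
  loop.tasks.push_back([raw_item] { raw_item->AnimationProgressed(1.0); });

  assert(item->AnimationProgressed(0.0));  // tray alive: shelf read is fine
  tray.reset();        // ~StatusAreaWidget / ~Shell: tray goes away first
  loop.RunUntilIdle(); // AshTestHelper::TearDown drains the loop afterwards
  return item->skipped_ticks();
}
```

With a raw `Tray*` in place of the weak reference, the two queued ticks would be exactly the `use-of-uninitialized-value` / SIGSEGV in `Shelf::IsHorizontalAlignment()` above; with the check, both ticks are no-ops and the item can be deleted at the end of its animation regardless of which object dies first. The same reasoning applies whichever mechanism a real project uses to express "the owner may be gone" (an observer that cancels the animation in the owner's destructor would work equally well); the essential property is that the callback never reaches the shelf except through something that is known to be alive at the moment of the tick.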

Comment 3 by est...@chromium.org, May 10 2018

Labels: -OS-Linux OS-Chrome

Comment 4 by bugdroid1@chromium.org, May 10 2018

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/d8f72fd2090cb340d5151f985955c73734353ba3

commit d8f72fd2090cb340d5151f985955c73734353ba3
Author: Evan Stade <estade@chromium.org>
Date: Thu May 10 18:31:33 2018

cros - Fix use-after-free in notification tray item

Bug: 841768
Change-Id: I7b2d23223f270c129a6c38510ba51cb0eca5f287
Reviewed-on: https://chromium-review.googlesource.com/1054212
Reviewed-by: Xiyuan Xia <xiyuan@chromium.org>
Commit-Queue: Evan Stade <estade@chromium.org>
Cr-Commit-Position: refs/heads/master@{#557596}
[modify] https://crrev.com/d8f72fd2090cb340d5151f985955c73734353ba3/ash/system/message_center/notification_tray.cc

Comment 5 by est...@chromium.org, May 10 2018

Cc: est...@chromium.org dmu...@chromium.org
Issue 841889 has been merged into this issue.

Comment 6 by est...@chromium.org, May 10 2018

Status: Fixed (was: Assigned)
