Use of uninitialized value in media::AudioBus
Reported by
sabbaku...@yandex-team.ru,
Jun 26 2018
Issue description
UserAgent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.87 YaBrowser/18.7.0.1428 (beta) Yowser/2.5 Safari/537.36
Steps to reproduce the problem:
Running services_unittests.OutputControllerTest.DivertPlayPausePlayRevertClose under MSAN, one encounters a use of an uninitialized value in AudioBus aligned memory.
What is the expected behavior?
What went wrong?
==177525==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7e9cd11 in media::AudioPowerMonitor::Scan(media::AudioBus const&, int) /src/media/audio/audio_power_monitor.cc:54:9
#1 0x8907073 in audio::OutputController::OnMoreData(base::TimeDelta, base::TimeTicks, int, media::AudioBus*) /src/services/audio/output_controller.cc:348:20
#2 0x1f3f4d8 in audio::(anonymous namespace)::MockAudioOutputStream::OnMoreData(base::TimeDelta, base::TimeTicks, int, media::AudioBus*) /src/services/audio/output_controller_unittest.cc:200:26
#3 0x1f40e86 in audio::(anonymous namespace)::MockAudioOutputStream::RunDataLoop(scoped_refptr<base::SingleThreadTaskRunner>) /src/services/audio/output_controller_unittest.cc:188:5
#4 0x1f41a95 in Invoke<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:447:12
#5 0x1f41a95 in MakeItSo<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:547:0
#6 0x1f41a95 in RunImpl<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), std::__1::tuple<base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, 0, 1> /src/base/bind_internal.h:621:0
#7 0x1f41a95 in base::internal::Invoker<base::internal::BindState<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, void ()>::RunOnce(base::internal::BindStateBase*) /src/base/bind_internal.h:589:0
#8 0xa3e1461 in Run /src/base/callback.h:96:12
#9 0xa3e1461 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /src/base/debug/task_annotator.cc:101:0
#10 0xa469d7b in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /src/base/message_loop/incoming_task_queue.cc:124:19
#11 0x312c509 in base::MessageLoop::RunTask(base::PendingTask*) /src/base/message_loop/message_loop.cc:330:25
#12 0x312e89d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /src/base/message_loop/message_loop.cc:340:5
#13 0x313004d in base::MessageLoop::DoDelayedWork(base::TimeTicks*) /src/base/message_loop/message_loop.cc:424:10
#14 0xa47849d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/base/message_loop/message_pump_default.cc:41:27
#15 0x312aa9e in base::MessageLoop::Run(bool) /src/base/message_loop/message_loop.cc:272:12
#16 0x313772b in base::RunLoop::Run() /src/base/run_loop.cc:131:14
#17 0xa5d24b4 in base::Thread::Run(base::RunLoop*) /src/base/threading/thread.cc:255:13
#18 0xa5d367e in base::Thread::ThreadMain() /src/base/threading/thread.cc:337:3
#19 0xa73b774 in base::(anonymous namespace)::ThreadFunc(void*) /src/base/threading/platform_thread_posix.cc:76:13
#20 0x7fde424c0183 in start_thread /src/??:0:0
#21 0x7fde3b5fa03c in clone /src/??:0:0
Uninitialized value was stored to memory at
#0 0xfa32a95 in pair<float &, float, false> /src/buildtools/third_party/libc++/trunk/include/utility:437:11
#1 0xfa32a95 in EWMAAndMaxPower_SSE /src/media/base/vector_math.cc:184:0
#2 0xfa32a95 in media::vector_math::EWMAAndMaxPower(float, float const*, int, float) /src/media/base/vector_math.cc:77:0
#3 0x7e9c888 in media::AudioPowerMonitor::Scan(media::AudioBus const&, int) /src/media/audio/audio_power_monitor.cc:51:50
#4 0x8907073 in audio::OutputController::OnMoreData(base::TimeDelta, base::TimeTicks, int, media::AudioBus*) /src/services/audio/output_controller.cc:348:20
#5 0x1f3f4d8 in audio::(anonymous namespace)::MockAudioOutputStream::OnMoreData(base::TimeDelta, base::TimeTicks, int, media::AudioBus*) /src/services/audio/output_controller_unittest.cc:200:26
#6 0x1f40e86 in audio::(anonymous namespace)::MockAudioOutputStream::RunDataLoop(scoped_refptr<base::SingleThreadTaskRunner>) /src/services/audio/output_controller_unittest.cc:188:5
#7 0x1f41a95 in Invoke<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:447:12
#8 0x1f41a95 in MakeItSo<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:547:0
#9 0x1f41a95 in RunImpl<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), std::__1::tuple<base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, 0, 1> /src/base/bind_internal.h:621:0
#10 0x1f41a95 in base::internal::Invoker<base::internal::BindState<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, void ()>::RunOnce(base::internal::BindStateBase*) /src/base/bind_internal.h:589:0
#11 0xa3e1461 in Run /src/base/callback.h:96:12
#12 0xa3e1461 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /src/base/debug/task_annotator.cc:101:0
#13 0xa469d7b in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /src/base/message_loop/incoming_task_queue.cc:124:19
#14 0x312c509 in base::MessageLoop::RunTask(base::PendingTask*) /src/base/message_loop/message_loop.cc:330:25
#15 0x312e89d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /src/base/message_loop/message_loop.cc:340:5
#16 0x313004d in base::MessageLoop::DoDelayedWork(base::TimeTicks*) /src/base/message_loop/message_loop.cc:424:10
#17 0xa47849d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/base/message_loop/message_pump_default.cc:41:27
#18 0x312aa9e in base::MessageLoop::Run(bool) /src/base/message_loop/message_loop.cc:272:12
#19 0x313772b in base::RunLoop::Run() /src/base/run_loop.cc:131:14
#20 0xa5d24b4 in base::Thread::Run(base::RunLoop*) /src/base/threading/thread.cc:255:13
#21 0xa5d367e in base::Thread::ThreadMain() /src/base/threading/thread.cc:337:3
#22 0xa73b774 in base::(anonymous namespace)::ThreadFunc(void*) /src/base/threading/platform_thread_posix.cc:76:13
#23 0x7fde424c0183 in start_thread /src/??:0:0
Uninitialized value was created by a heap allocation
#0 0x1510513 in __interceptor_posix_memalign /src/third_party/llvm/compiler-rt/lib/msan/msan_interceptors.cc:165:3
#1 0xa45acf4 in base::AlignedAlloc(unsigned long, unsigned long) /src/base/memory/aligned_memory.cc:31:7
#2 0xfa231f6 in media::AudioBus::AudioBus(int, int) /src/media/base/audio_bus.cc:72:35
#3 0xfa2544e in media::AudioBus::Create(media::AudioParameters const&) /src/media/base/audio_bus.cc:120:11
#4 0x1f40dad in audio::(anonymous namespace)::MockAudioOutputStream::RunDataLoop(scoped_refptr<base::SingleThreadTaskRunner>) /src/services/audio/output_controller_unittest.cc:187:16
#5 0x1f41a95 in Invoke<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:447:12
#6 0x1f41a95 in MakeItSo<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), audio::(anonymous namespace)::MockAudioOutputStream *, scoped_refptr<base::SingleThreadTaskRunner> > /src/base/bind_internal.h:547:0
#7 0x1f41a95 in RunImpl<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), std::__1::tuple<base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, 0, 1> /src/base/bind_internal.h:621:0
#8 0x1f41a95 in base::internal::Invoker<base::internal::BindState<void (audio::(anonymous namespace)::MockAudioOutputStream::*)(scoped_refptr<base::SingleThreadTaskRunner>), base::internal::UnretainedWrapper<audio::(anonymous namespace)::MockAudioOutputStream>, scoped_refptr<base::SingleThreadTaskRunner> >, void ()>::RunOnce(base::internal::BindStateBase*) /src/base/bind_internal.h:589:0
#9 0xa3e1461 in Run /src/base/callback.h:96:12
#10 0xa3e1461 in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) /src/base/debug/task_annotator.cc:101:0
#11 0xa469d7b in base::internal::IncomingTaskQueue::RunTask(base::PendingTask*) /src/base/message_loop/incoming_task_queue.cc:124:19
#12 0x312c509 in base::MessageLoop::RunTask(base::PendingTask*) /src/base/message_loop/message_loop.cc:330:25
#13 0x312e89d in base::MessageLoop::DeferOrRunPendingTask(base::PendingTask) /src/base/message_loop/message_loop.cc:340:5
#14 0x313004d in base::MessageLoop::DoDelayedWork(base::TimeTicks*) /src/base/message_loop/message_loop.cc:424:10
#15 0xa47849d in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /src/base/message_loop/message_pump_default.cc:41:27
#16 0x312aa9e in base::MessageLoop::Run(bool) /src/base/message_loop/message_loop.cc:272:12
#17 0x313772b in base::RunLoop::Run() /src/base/run_loop.cc:131:14
#18 0xa5d24b4 in base::Thread::Run(base::RunLoop*) /src/base/threading/thread.cc:255:13
#19 0xa5d367e in base::Thread::ThreadMain() /src/base/threading/thread.cc:337:3
#20 0xa73b774 in base::(anonymous namespace)::ThreadFunc(void*) /src/base/threading/platform_thread_posix.cc:76:13
#21 0x7fde424c0183 in start_thread /src/??:0:0
Did this work before? N/A
Chrome version: 67.0.3396.87 Channel: n/a
OS Version: 10.0
Flash Version: Shockwave Flash 30.0 r0
Jun 26 2018
I've reverted the above change. We don't want to always zero these objects, for performance reasons; you need to call Zero() before reading if the memory may be uninitialized prior to the read.
Jun 26 2018
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8ae42a33c7e91b2d7fd09fecc700ca089ff4bf92 commit 8ae42a33c7e91b2d7fd09fecc700ca089ff4bf92 Author: Dale Curtis <dalecurtis@chromium.org> Date: Tue Jun 26 17:14:30 2018 Revert "Zero AudioBus internal aligned memory" This reverts commit 4cd9a6046bdff7e97d7cc541fa65632f7f10512c. Reason for revert: Not correct. AudioBus must be zeroed by the code using it. It's intentionally left uninitialized since AudioBus objects may be quite large and frequently created only to be copied into. Zero'ing always adds unnecessary overhead. Original change's description: > Zero AudioBus internal aligned memory > > This prevents from reading uninitialized memory according to MSAN > reports. > > Change-Id: Ifccecf69e6df67ab1d2226155a20455ca5c6e293 > > BUG= 856537 > > Change-Id: Ifccecf69e6df67ab1d2226155a20455ca5c6e293 > Reviewed-on: https://chromium-review.googlesource.com/1113935 > Reviewed-by: Max Morin <maxmorin@chromium.org> > Commit-Queue: Max Morin <maxmorin@chromium.org> > Cr-Commit-Position: refs/heads/master@{#570367} TBR=sabbakumov@yandex-team.ru,maxmorin@chromium.org Change-Id: I87734786f9bbe2513f972572c65c9fc52a1aa114 No-Presubmit: true No-Tree-Checks: true No-Try: true Bug: 856537 Reviewed-on: https://chromium-review.googlesource.com/1115298 Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#570437} [modify] https://crrev.com/8ae42a33c7e91b2d7fd09fecc700ca089ff4bf92/media/base/audio_bus.cc [modify] https://crrev.com/8ae42a33c7e91b2d7fd09fecc700ca089ff4bf92/media/base/audio_bus_unittest.cc
Jun 27 2018
Jul 2
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/069977bae615885e9b55c88d875a78dbf9e1b8af commit 069977bae615885e9b55c88d875a78dbf9e1b8af Author: Sergey Abbakumov <sabbakumov@yandex-team.ru> Date: Mon Jul 02 17:26:33 2018 Zero AudioBus internal aligned memory This prevents from reading uninitialized memory according to MSAN reports. Bug: 856537 Change-Id: I750447942c3c0a41f49375cd1335068c4e5e34ce Reviewed-on: https://chromium-review.googlesource.com/1116220 Commit-Queue: Dale Curtis <dalecurtis@chromium.org> Reviewed-by: Dale Curtis <dalecurtis@chromium.org> Cr-Commit-Position: refs/heads/master@{#571932} [modify] https://crrev.com/069977bae615885e9b55c88d875a78dbf9e1b8af/services/audio/output_controller_unittest.cc
Jul 4
@Sergey Abbakumov: It seems that the fix has landed; if there isn't much more to be done here, can it be marked as fixed? Thanks!
Jul 4
Yes, it can be marked as fixed. Could you mark it? I don't have permission to change the issue.
Jul 4
Thank you for providing more feedback. Adding the requester to the cc list. For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Jul 5
As per the confirmation given in comment #7, marking the issue as Fixed. Thanks!
Comment 1 by bugdroid1@chromium.org
, Jun 26 2018