New issue
Advanced search Search tips
Note: Color blocks (like or ) mean that a user may not be available. Tooltip shows the reason.

Issue 862750 link

Starred by 1 user
Status: Fixed
Owner:
alph@chromium.org
Closed: Dec 11
Cc:
picksi@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 3
Type: Bug
Hotlist-MemoryInfra



Sign in to add a comment

Sampling heap profiler tests fail on MSAN when base::debug::TraceStackFramePointers is used

Project Member Reported by alph@chromium.org, Jul 11 
https://ci.chromium.org/buildbot/chromium.webkit/WebKit%20Linux%20Trusty%20MSAN/8817

18:06:04.603 5168 worker/1 inspector-protocol/memory/sampling-native-profile-blink-gc.js crashed, (stderr lines):
18:06:04.603 5168   ==1==WARNING: MemorySanitizer: use-of-uninitialized-value
18:06:04.603 5168       #0 0xa90ee80 in IsStackFrameValid ./../../base/debug/stack_trace.cc:60:7
18:06:04.603 5168       #1 0xa90ee80 in base::debug::TraceStackFramePointers(void const**, unsigned long, unsigned long) ./../../base/debug/stack_trace.cc:245:0
18:06:04.603 5168       #2 0xaa55981 in RecordStackTrace ./../../base/sampling_heap_profiler/sampling_heap_profiler.cc:336:24
18:06:04.603 5168       #3 0xaa55981 in base::SamplingHeapProfiler::DoRecordAlloc(unsigned long, unsigned long, void*, unsigned int) ./../../base/sampling_heap_profiler/sampling_heap_profiler.cc:363:0
18:06:04.604 5168       #4 0x14b5e232 in AllocationHookIfEnabled ./../../third_party/blink/renderer/platform/heap/heap.h:103:7
18:06:04.604 5168       #5 0x14b5e232 in AllocateOnArenaIndex ./../../third_party/blink/renderer/platform/heap/heap.h:612:0
18:06:04.604 5168       #6 0x14b5e232 in AllocateObject ./../../third_party/blink/renderer/core/dom/node.h:165:0
18:06:04.604 5168       #7 0x14b5e232 in operator new ./../../third_party/blink/renderer/core/dom/node.h:160:0
18:06:04.604 5168       #8 0x14b5e232 in blink::HTMLDivElement::Create(blink::Document&) ./../../third_party/blink/renderer/core/html/html_div_element.cc:36:0
18:06:04.604 5168       #9 0x136a9787 in blink::HTMLElementFactory::Create(WTF::AtomicString const&, blink::Document&, CreateElementFlags) ./gen/third_party/blink/renderer/core/html_element_factory.cc:973:12
18:06:04.604 5168       #10 0x135ac8d1 in blink::Document::CreateElementForBinding(WTF::AtomicString const&, blink::ExceptionState&) ./../../third_party/blink/renderer/core/dom/document.cc:931:25
18:06:04.604 5168       #11 0x117f9363 in createElement1MethodForMainWorld ./gen/third_party/blink/renderer/bindings/core/v8/v8_document.cc:3434:27
18:06:04.604 5168       #12 0x117f9363 in createElementMethodForMainWorld ./gen/third_party/blink/renderer/bindings/core/v8/v8_document.cc:4416:0
18:06:04.604 5168       #13 0x117f9363 in blink::V8Document::createElementMethodCallbackForMainWorld(v8::FunctionCallbackInfo<v8::Value> const&) ./gen/third_party/blink/renderer/bindings/core/v8/v8_document.cc:7032:0
18:06:04.604 5168       #14 0x47ab8b1 in v8::internal::FunctionCallbackArguments::Call(v8::internal::CallHandlerInfo*) ./../../v8/src/api-arguments-inl.h:95:3
18:06:04.604 5168       #15 0x47a7231 in v8::internal::MaybeHandle<v8::internal::Object> v8::internal::(anonymous namespace)::HandleApiCallHelper<false>(v8::internal::Isolate*, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::HeapObject>, v8::internal::Handle<v8::internal::FunctionTemplateInfo>, v8::internal::Handle<v8::internal::Object>, v8::internal::BuiltinArguments) ./../../v8/src/builtins/builtins-api.cc:110:36
18:06:04.604 5168       #16 0x47a33ee in v8::internal::Builtin_Impl_HandleApiCall(v8::internal::BuiltinArguments, v8::internal::Isolate*) ./../../v8/src/builtins/builtins-api.cc:140:5
18:06:04.604 5168       #17 0x6c40e37 in v8::internal::Simulator::DoRuntimeCall(v8::internal::Instruction*) ./../../v8/src/arm64/simulator-arm64.cc:490:11
18:06:04.604 5168       #18 0x6c4053b in v8::internal::Simulator::ExecuteInstruction() ./../../v8/src/arm64/simulator-arm64.h:779:5
18:06:04.604 5168       #19 0x6c4030e in v8::internal::Simulator::Run() ./../../v8/src/arm64/simulator-arm64.cc:390:5
18:06:04.604 5168       #20 0x6c3d785 in CheckPCSComplianceAndRun ./../../v8/src/arm64/simulator-arm64.cc:188:3
18:06:04.604 5168       #21 0x6c3d785 in v8::internal::Simulator::CallImpl(unsigned long, v8::internal::Simulator::CallArgument*) ./../../v8/src/arm64/simulator-arm64.cc:157:0
18:06:04.604 5168       #22 0x56c6178 in Call<v8::internal::Object *, v8::internal::Object *, v8::internal::Object *, v8::internal::Object *, int, v8::internal::Object ***> ./../../v8/src/arm64/simulator-arm64.h:725:5
18:06:04.604 5168       #23 0x56c6178 in Call ./../../v8/src/simulator.h:107:0
18:06:04.604 5168       #24 0x56c6178 in v8::internal::(anonymous namespace)::Invoke(v8::internal::Isolate*, bool, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*, v8::internal::Handle<v8::internal::Object>, v8::internal::Execution::MessageHandling, v8::internal::Execution::Target) ./../../v8/src/execution.cc:155:0
18:06:04.604 5168       #25 0x56c5033 in CallInternal ./../../v8/src/execution.cc:191:10
18:06:04.604 5168       #26 0x56c5033 in v8::internal::Execution::Call(v8::internal::Isolate*, v8::internal::Handle<v8::internal::Object>, v8::internal::Handle<v8::internal::Object>, int, v8::internal::Handle<v8::internal::Object>*) ./../../v8/src/execution.cc:202:0
18:06:04.604 5168       #27 0x5426a61 in v8::internal::DebugEvaluate::Global(v8::internal::Isolate*, v8::internal::Handle<v8::internal::String>, bool) ./../../v8/src/debug/debug-evaluate.cc:46:32
18:06:04.604 5168       #28 0x45fdbde in v8::debug::EvaluateGlobal(v8::Isolate*, v8::Local<v8::String>, bool) ./../../v8/src/api.cc:9826:7
18:06:04.604 5168       #29 0x7149e9d in v8_inspector::V8RuntimeAgentImpl::evaluate(v8_inspector::String16 const&, v8_inspector::protocol::Maybe<v8_inspector::String16>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<int>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<bool>, v8_inspector::protocol::Maybe<double>, std::__1::unique_ptr<v8_inspector::protocol::Runtime::Backend::EvaluateCallback, std::__1::default_delete<v8_inspector::protocol::Runtime::Backend::EvaluateCallback> >) ./../../v8/src/inspector/v8-runtime-agent-impl.cc:274:24
18:06:04.604 5168       #30 0x6f7ff36 in v8_inspector::protocol::Runtime::DispatcherImpl::evaluate(int, std::__1::unique_ptr<v8_inspector::protocol::DictionaryValue, std::__1::default_delete<v8_inspector::protocol::DictionaryValue> >, v8_inspector::protocol::ErrorSupport*) ./gen/v8/src/inspector/protocol/Runtime.cpp:1717:16
18:06:04.604 5168       #31 0x6f73fea in v8_inspector::protocol::Runtime::DispatcherImpl::dispatch(int, v8_inspector::String16 const&, std::__1::unique_ptr<v8_inspector::protocol::DictionaryValue, std::__1::default_delete<v8_inspector::protocol::DictionaryValue> >) ./gen/v8/src/inspector/protocol/Runtime.cpp:1372:12
18:06:04.604 5168       #32 0x6e9b186 in v8_inspector::protocol::UberDispatcher::dispatch(std::__1::unique_ptr<v8_inspector::protocol::Value, std::__1::default_delete<v8_inspector::protocol::Value> >, int*, v8_inspector::String16*) ./gen/v8/src/inspector/protocol/Protocol.cpp:822:24
18:06:04.604 5168       #33 0x711d662 in v8_inspector::V8InspectorSessionImpl::dispatchProtocolMessage(v8_inspector::StringView const&) ./../../v8/src/inspector/v8-inspector-session-impl.cc:316:16
18:06:04.604 5168       #34 0x152e700c in blink::InspectorSession::DispatchProtocolMessage(WTF::String const&, WTF::String const&) ./../../third_party/blink/renderer/core/inspector/inspector_session.cc:80:18
18:06:04.604 5168       #35 0x4432656 in blink::mojom::blink::DevToolsSessionStubDispatch::Accept(blink::mojom::blink::DevToolsSession*, mojo::Message*) ./gen/third_party/blink/public/web/devtools_agent.mojom-blink.cc:409:13
18:06:04.604 5168       #36 0x13fa0776 in blink::mojom::blink::DevToolsSessionStub<mojo::RawPtrImplRefTraits<blink::mojom::blink::DevToolsSession> >::Accept(mojo::Message*) ./gen/third_party/blink/public/web/devtools_agent.mojom-blink.h:343:12
18:06:04.604 5168       #37 0xad0b8dd in mojo::InterfaceEndpointClient::HandleValidatedMessage(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:419:32
18:06:04.604 5168       #38 0xad095aa in mojo::FilterChain::Accept(mojo::Message*) ./../../mojo/public/cpp/bindings/lib/filter_chain.cc:40:17
18:06:04.605 5168       #39 0xa8e6d4d in IPC::(anonymous namespace)::ChannelAssociatedGroupController::AcceptOnProxyThread(mojo::Message) ./../../ipc/ipc_mojo_bootstrap.cc:847:24
18:06:04.605 5168       #40 0xa8df0f7 in Invoke<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), const scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> &, mojo::Message> ./../../base/bind_internal.h:507:12
18:06:04.605 5168       #41 0xa8df0f7 in MakeItSo<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*const &)(mojo::Message), const scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController> &, mojo::Message> ./../../base/bind_internal.h:607:0
18:06:04.605 5168       #42 0xa8df0f7 in RunImpl<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*const &)(mojo::Message), const std::__1::tuple<scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> > &, 0, 1> ./../../base/bind_internal.h:680:0
18:06:04.605 5168       #43 0xa8df0f7 in base::internal::Invoker<base::internal::BindState<void (IPC::(anonymous namespace)::ChannelAssociatedGroupController::*)(mojo::Message), scoped_refptr<IPC::(anonymous namespace)::ChannelAssociatedGroupController>, base::internal::PassedWrapper<mojo::Message> >, void ()>::Run(base::internal::BindStateBase*) ./../../base/bind_internal.h:662:0
18:06:04.605 5168       #44 0xa9b13bd in Run ./../../base/callback.h:99:12
18:06:04.605 5168       #45 0xa9b13bd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:101:0
18:06:04.605 5168       #46 0xaaf6b11 in base::sequence_manager::internal::ThreadControllerImpl::DoWork(base::sequence_manager::internal::ThreadControllerImpl::WorkType) ./../../base/task/sequence_manager/thread_controller_impl.cc:166:21
18:06:04.605 5168       #47 0xa9b13bd in Run ./../../base/callback.h:99:12
18:06:04.605 5168       #48 0xa9b13bd in base::debug::TaskAnnotator::RunTask(char const*, base::PendingTask*) ./../../base/debug/task_annotator.cc:101:0
18:06:04.605 5168       #49 0xa9a1a04 in base::MessageLoop::RunTask(base::PendingTask*) ./../../base/message_loop/message_loop.cc:357:25
18:06:04.605 5168       #50 0xa9a41d3 in DeferOrRunPendingTask ./../../base/message_loop/message_loop.cc:367:5
18:06:04.605 5168       #51 0xa9a41d3 in base::MessageLoop::DoWork() ./../../base/message_loop/message_loop.cc:425:0
18:06:04.605 5168       #52 0xa9b5163 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) ./../../base/message_loop/message_pump_default.cc:37:31
18:06:04.605 5168       #53 0xaa4cf4f in base::RunLoop::Run() ./../../base/run_loop.cc:102:14
18:06:04.605 5168       #54 0x1b71e0cd in content::RendererMain(content::MainFunctionParams const&) ./../../content/renderer/renderer_main.cc:200:23
18:06:04.605 5168       #55 0x7a2d1f6 in content::RunZygote(content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:553:14
18:06:04.605 5168       #56 0x7a307a5 in content::RunOtherNamedProcessTypeMain(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, content::MainFunctionParams const&, content::ContentMainDelegate*) ./../../content/app/content_main_runner_impl.cc:635:12
18:06:04.605 5168       #57 0x7a33e13 in content::ContentMainRunnerImpl::Run() ./../../content/app/content_main_runner_impl.cc:952:10
18:06:04.605 5168       #58 0x1114d3fb in service_manager::Main(service_manager::MainParams const&) ./../../services/service_manager/embedder/main.cc:459:29
18:06:04.605 5168       #59 0x42c8cc7 in content::ContentMain(content::ContentMainParams const&) ./../../content/app/content_main.cc:19:10
18:06:04.605 5168       #60 0x1962685 in main ./../../content/shell/app/shell_main.cc:39:10
18:06:04.605 5168       #61 0x7f05e70e4f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287:0
18:06:04.605 5168       #62 0x18ee029 in _start ??:0:0
18:06:04.605 5168   
18:06:04.605 5168     Uninitialized value was created by an allocation of 'ref.tmp.i.i.i.i' in the stack frame of function '_ZN3WTF14ThreadSpecificINS_13WTFThreadDataEEcvPS1_Ev'
18:06:04.605 5168       #0 0x75559d0 in WTF::ThreadSpecific<WTF::WTFThreadData>::operator WTF::WTFThreadData*() ./../../third_party/blink/renderer/platform/wtf/thread_specific.h:107:0
18:06:04.605 5168   
18:06:04.605 5168   SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_shell+0xa90ee80)
18:06:04.605 5168   Exiting
Project Member

Comment 1 by bugdroid1@chromium.org, Jul 11 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/c4149316c00d643eeddbe3418e8ccf0bb8649973

commit c4149316c00d643eeddbe3418e8ccf0bb8649973
Author: Alexei Filippov <alph@chromium.org>
Date: Wed Jul 11 21:08:32 2018

Mark sampling-heap-profiler* tests as flaky on MSAN

TBR=dgozman@chromium.org,dpranke@chromium.org
NOTRY=true
BUG= 862750 

Change-Id: I715c03f9f1b62bf53d501df35699ad5918ef0d67
Reviewed-on: https://chromium-review.googlesource.com/1134188
Reviewed-by: Alexei Filippov <alph@chromium.org>
Commit-Queue: Alexei Filippov <alph@chromium.org>
Cr-Commit-Position: refs/heads/master@{#574334}
[modify] https://crrev.com/c4149316c00d643eeddbe3418e8ccf0bb8649973/third_party/WebKit/LayoutTests/MSANExpectations

Comment 2 by primiano@chromium.org, Jul 11 

I think some code in that TU should be excluded from MSAN.
That scrapes the stack looking for pointers, and the fact that hits uninitialized memory is IMO wai.

Can't tell why MSAN is barking at that specific line though, that line does:
 if (fp <= prev_fp) return false;
and both variables come from the caller.
Perhaps is propagating the undefined-ness of next-fp that comes from:

-----
uintptr_t GetNextStackFrame(uintptr_t fp) {
  return reinterpret_cast<const uintptr_t*>(fp)[0] - kStackFrameAdjustment;
}
-----
which reads a raw value from the stack that MSAN doesn't like.

Comment 3 by alph@chromium.org, Jul 11 

I had a similar problem in v8 sampling cpu profiler. I plan to just mark those reads just like here https://cs.chromium.org/chromium/src/v8/src/profiler/tick-sample.cc?type=cs&q=f:v8/src/profiler+msan&sq=package:chromium&g=0&l=173

Comment 4 by alph@chromium.org, Dec 11

Components: -Platform>DevTools>Memory

Comment 5 by alph@chromium.org, Dec 11

Status: Fixed (was: Assigned)
Fixed by:

https://chromium-review.googlesource.com/c/chromium/src/+/1215054/

Sign in to add a comment