ToTLinuxMSan finds unintialized read in content_unittest's CrossSiteDocumentResourceHandlerTest |
||||
Issue descriptionStarted here: https://ci.chromium.org/buildbot/chromium.clang/ToTLinuxMSan/3496 CrossSiteDocumentResourceHandlerTest.OnWillReadDefer/29 CrossSiteDocumentResourceHandlerTest.ResponseBlocking/29 CrossSiteDocumentResourceHandlerTest.MimeSnifferInterop/29 [ RUN ] CrossSiteDocumentResourceHandlerTest.OnWillReadDefer/29 ==19565==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x14334017 in net::HttpUtil::ParseContentType(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > const&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*, bool*, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >*) net/http/http_util.cc:195:29 #1 0x3c3ce57 in content::CrossSiteDocumentResourceHandlerTest::CreateResponse(char const*, bool, bool, content::(anonymous namespace)::AccessControlAllowOriginHeader, char const*) content/browser/loader/cross_site_document_resource_handler_unittest.cc:1216:5 #2 0x3c44542 in content::CrossSiteDocumentResourceHandlerTest_OnWillReadDefer_Test::TestBody() content/browser/loader/cross_site_document_resource_handler_unittest.cc:1623:55 #3 0xa3cc024 in HandleExceptionsInMethodIfSupported<testing::Test, void> third_party/googletest/src/googletest/src/gtest.cc:0:0 #4 0xa3cc024 in testing::Test::Run() third_party/googletest/src/googletest/src/gtest.cc:2522:0 #5 0xa3cf8d6 in testing::TestInfo::Run() third_party/googletest/src/googletest/src/gtest.cc:2698:11 #6 0xa3d1389 in testing::TestCase::Run() third_party/googletest/src/googletest/src/gtest.cc:2816:28 #7 0xa40aff4 in testing::internal::UnitTestImpl::RunAllTests() third_party/googletest/src/googletest/src/gtest.cc:5182:43 #8 0xa4098a7 in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> third_party/googletest/src/googletest/src/gtest.cc:0:0 #9 0xa4098a7 in testing::UnitTest::Run() third_party/googletest/src/googletest/src/gtest.cc:4791:0 #10 0x10ffe0a0 in RUN_ALL_TESTS third_party/googletest/src/googletest/include/gtest/gtest.h:2333:46 #11 0x10ffe0a0 in base::TestSuite::Run() base/test/test_suite.cc:295:0 #12 0x1101fe20 in Run base/callback.h:99:12 #13 0x1101fe20 in base::(anonymous namespace)::LaunchUnitTestsInternal(base::OnceCallback<int ()>, unsigned long, int, bool, base::OnceCallback<void ()>) base/test/launcher/unit_test_launcher.cc:224:0 #14 0x1101f597 in base::LaunchUnitTests(int, char**, base::OnceCallback<int ()>) base/test/launcher/unit_test_launcher.cc:575:10 #15 0x10d84a2e in main content/test/run_all_unittests.cc:20:10 #16 0x7fa1cea68f44 in __libc_start_main /build/eglibc-ripdx6/eglibc-2.19/csu/libc-start.c:287:0 #17 0x1bc4029 in _start ??:0:0 Uninitialized value was created by an allocation of 'had_charset' in the stack frame of function '_ZN7content36CrossSiteDocumentResourceHandlerTest14CreateResponseEPKcbbNS_12_GLOBAL__N_130AccessControlAllowOriginHeaderES2_' #0 0x3c3c530 in content::CrossSiteDocumentResourceHandlerTest::CreateResponse(char const*, bool, bool, content::(anonymous namespace)::AccessControlAllowOriginHeader, char const*) content/browser/loader/cross_site_document_resource_handler_unittest.cc:1202:0 SUMMARY: MemorySanitizer: use-of-uninitialized-value (/b/s/w/ir/out/Release/content_unittests+0x14334017) Doesn't happen on the main memory waterfall msan bot (https://ci.chromium.org/p/chromium/builders/luci.chromium.ci/Linux%20MSan%20Tests) Either msan got better on trunk, or it broke.
,
Sep 19
,
Sep 19
...or maybe the test just needs to initialize had_charset. I don't understand the intent of that check in ParseContentType.
,
Sep 19
https://chromiumcodereview.appspot.com/10834190 suggests that the bool just needs to be initialized and that this is a confusing API. Every caller passes in false as initial value as far as I can tell, so maybe the first part of the conditional can just be removed?
,
Sep 19
The only thing that looks at the output value is the test. However, for this loop removing the read would be a change in behavior: https://cs.chromium.org/chromium/src/net/http/http_response_headers.cc?l=857 bool had_charset = false; size_t iter = 0; while (EnumerateHeader(&iter, name, &value)) HttpUtil::ParseContentType(value, mime_type, charset, &had_charset, NULL); So the code probably has to stay as-is (but its header comment should point out that *had_charset is always read and must be initialized, and the cc comments should be clearer on what's happening there since I didn't understand it) -- bnc, want to do this part? And the value needs to be initialized in the test. lukasza, I'll send you a CL for that.
,
Sep 19
Yes I'll do the //net part. As for CrossSiteDocumentResourceHandlerTest, I propose https://crrev.com/c/1233814 instead.
,
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/8f2ce189b1622824fc2ec7c83df01443b495f65a commit 8f2ce189b1622824fc2ec7c83df01443b495f65a Author: Nico Weber <thakis@chromium.org> Date: Wed Sep 19 14:41:37 2018 Fix an uninitialized read in a test found by MSan. A different fix is under discussion at https://chromium-review.googlesource.com/c/chromium/src/+/1233814 but since there's some disagreement on the approach, let's land this while the review over there is ongoing, to heal the bot. Bug: 886629 Change-Id: I80c64f6bf969b5b1edf108d2a46155f2f4252595 Reviewed-on: https://chromium-review.googlesource.com/1232591 Reviewed-by: Matt Menke <mmenke@chromium.org> Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Commit-Queue: Nico Weber <thakis@chromium.org> Cr-Commit-Position: refs/heads/master@{#592393} [modify] https://crrev.com/8f2ce189b1622824fc2ec7c83df01443b495f65a/content/browser/loader/cross_site_document_resource_handler_unittest.cc
,
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/579a4f9ae5c3337c2f8d2605f669d6719efb4e97 commit 579a4f9ae5c3337c2f8d2605f669d6719efb4e97 Author: Bence Béky <bnc@chromium.org> Date: Wed Sep 19 15:34:52 2018 Fix Content-Type issues in CrossSiteDocumentResourceHandlerTest. 1. Remove |response->head.mime_type| assignment before ParseContentType call. 2. Rename Content-Type test parameter to response_content_type. 3. Initialize |had_charset| to false to address MSAN bug; this will be removed from this CL as soon as https://crrev.com/c/1232591 lands and I rebase. Bug: 886629 Change-Id: I32fbe9d5c1fa6a0ba735bfd335923f0e1a723b04 Reviewed-on: https://chromium-review.googlesource.com/1233814 Reviewed-by: Łukasz Anforowicz <lukasza@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Commit-Queue: Bence Béky <bnc@chromium.org> Cr-Commit-Position: refs/heads/master@{#592410} [modify] https://crrev.com/579a4f9ae5c3337c2f8d2605f669d6719efb4e97/content/browser/loader/cross_site_document_resource_handler_unittest.cc
,
Sep 19
The following revision refers to this bug: https://chromium.googlesource.com/chromium/src.git/+/45844e36bdaa5664ea63467bbe300989798e14af commit 45844e36bdaa5664ea63467bbe300989798e14af Author: Bence Béky <bnc@chromium.org> Date: Wed Sep 19 18:53:37 2018 Fix HttpUtil::ParseContentType() API comment. Bug: 886629 Change-Id: Ie0f096552bec89f57041caebcf248da76f3a468d Reviewed-on: https://chromium-review.googlesource.com/1233936 Commit-Queue: Bence Béky <bnc@chromium.org> Reviewed-by: Matt Menke <mmenke@chromium.org> Cr-Commit-Position: refs/heads/master@{#592496} [modify] https://crrev.com/45844e36bdaa5664ea63467bbe300989798e14af/net/http/http_util.h
,
Sep 19
https://ci.chromium.org/buildbot/chromium.clang/ToTLinuxMSan/ will hopefully cycle green. Thanks! |
||||
►
Sign in to add a comment |
||||
Comment 1 by thakis@chromium.org
, Sep 19Labels: -OS-Mac
chromium//src/content/browser/loader/cross_site_document_resource_handler_unittest.cc // Content-Type header. std::string charset; bool had_charset; std::string boundary; response_headers->AddHeader(std::string("Content-Type: ") + response_mime_type); response->head.mime_type = response_mime_type; net::HttpUtil::ParseContentType(response_mime_type, &response->head.mime_type, &charset, &had_charset, &boundary); Added in https://chromium.googlesource.com/chromium/src/+/0753a97df25d497e872e2945848907ca9a6661bf chromium//src/net/http/http_util.cc if ((!eq && *had_charset) || type_has_charset) { *had_charset = true; *charset = base::ToLowerASCII(charset_value); } Touched in https://chromium.googlesource.com/chromium/src/+/c0399701530ae196c656e644d19646e88cfa58af but has been around since initial.commit. That should probably read if ((!eq && had_charset) || type_has_charset) { *had_charset = true; *charset = base::ToLowerASCII(charset_value); } So it's a true positive and I guess msan progressed to find it (?) bnc, you probably know that code -- want to fix?