Issue 568891 in chromium: CFI: invalid cast in HeapTest.VectorDestructorsWithVtable

chro...@googlecode.com

Dec 10, 2015, 11:12:55 PM
to chromi...@chromium.org
Status: Untriaged
Owner: ----
CC: kra...@chromium.org, k...@chromium.org, p...@chromium.org,
tha...@chromium.org, tk...@chromium.org, har...@chromium.org
Labels: Type-Bug Pri-2 OS-Linux

New issue 568891 by kra...@chromium.org: CFI: invalid cast in
HeapTest.VectorDestructorsWithVtable
https://code.google.com/p/chromium/issues/detail?id=568891

Version: tip
OS: Linux x86-64

What steps will reproduce the problem?
1. Build blink_heap_unittests with Control Flow Integrity enabled
(GYP_DEFINES='cfi_vptr=1 cfi_diag=1'):
https://www.chromium.org/developers/testing/control-flow-integrity

2. Run under gdb:
xvfb-run -s "-screen 0 1024x768x24" gdb -ex 'b HandleCFIBadType' -ex r --args ./out/Release/blink_heap_unittests --single_process

3. Observe the report:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff39b7153 in __dynamic_cast () from
/usr/lib/x86_64-linux-gnu/libstdc++.so.6

Stack trace:
Breakpoint 1, HandleCFIBadType (Data=0x4152af0, Vtable=10929616807656,
Opts=...) at
/usr/local/google/home/krasin/src/llvm.org/llvm/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:90
90 ReportOptions Opts) {
(gdb) bt
#0 HandleCFIBadType (Data=0x4152af0, Vtable=10929616807656, Opts=...) at
/usr/local/google/home/krasin/src/llvm.org/llvm/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:90
#1 0x0000000000439e63 in __ubsan::__ubsan_handle_cfi_bad_type
(Data=<optimized out>, Vtable=<optimized out>) at
/usr/local/google/home/krasin/src/llvm.org/llvm/projects/compiler-rt/lib/ubsan/ubsan_handlers_cxx.cc:120
#2 0x000000000046f6d9 in inlineBuffer ()
at ../../third_party/WebKit/Source/wtf/Vector.h:609
#3 VectorBuffer () at ../../third_party/WebKit/Source/wtf/Vector.h:464
#4 Vector () at ../../third_party/WebKit/Source/wtf/Vector.h:632
#5 HeapVector ()
at ../../third_party/WebKit/Source/platform/heap/HeapAllocator.h:348
#6 TestBody ()
at ../../third_party/WebKit/Source/platform/heap/HeapTest.cpp:4286
#7 0x0000000000569240 in Run () at ../../testing/gtest/src/gtest.cc:2474
#8 0x0000000000569d15 in Run () at ../../testing/gtest/src/gtest.cc:2656
#9 0x0000000000569ff5 in Run () at ../../testing/gtest/src/gtest.cc:2774
#10 0x000000000056aa65 in RunAllTests ()
at ../../testing/gtest/src/gtest.cc:4647
#11 0x000000000056a668 in
HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>
() at ../../testing/gtest/src/gtest.cc:2458
#12 Run () at ../../testing/gtest/src/gtest.cc:4255
#13 0x00000000004a81c4 in RUN_ALL_TESTS ()
at ../../testing/gtest/include/gtest/gtest.h:2237
#14 Run () at ../../base/test/test_suite.cc:236
#15 0x000000000043b19e in runHelper ()
at ../../third_party/WebKit/Source/platform/heap/RunAllTests.cpp:59
#16 0x00000000004a6b53 in Run () at ../../base/callback.h:396
#17 LaunchUnitTestsInternal ()
at ../../base/test/launcher/unit_test_launcher.cc:204
#18 0x00000000004a6a10 in LaunchUnitTests ()
at ../../base/test/launcher/unit_test_launcher.cc:443
#19 0x000000000043b23a in main ()
at ../../third_party/WebKit/Source/platform/heap/RunAllTests.cpp:67


Code line:
https://code.google.com/p/chromium/codesearch#chromium/src/third_party/WebKit/Source/wtf/Vector.h&q=wtf/Vector.h:609&sq=package:chromium&l=609

It most likely does a reinterpret_cast on garbage data before calling
new. There have been similar cases in skia, most of which were fixed and a
couple of which were blacklisted and will be fixed in the future.

--
You received this message because this project is configured to send all
issue notifications to this address.
You may adjust your notification preferences at:
https://code.google.com/hosting/settings

chro...@googlecode.com

Dec 11, 2015, 1:34:07 AM
to chromi...@chromium.org

Comment #2 on issue 568891 by bugd...@chromium.org: CFI: invalid cast in
HeapTest.VectorDestructorsWithVtable
https://code.google.com/p/chromium/issues/detail?id=568891#c2

The following revision refers to this bug:

https://chromium.googlesource.com/chromium/src.git/+/2db5d15849e6d7a0dcfb01f3b7aa10ecbeea6bee

commit 2db5d15849e6d7a0dcfb01f3b7aa10ecbeea6bee
Author: krasin <kra...@google.com>
Date: Fri Dec 11 06:12:58 2015

CFI: blacklist wtf::Vector that sometimes casts garbage data.

BUG=568891

Review URL: https://codereview.chromium.org/1504333012

Cr-Commit-Position: refs/heads/master@{#364625}

[modify]
http://crrev.com/2db5d15849e6d7a0dcfb01f3b7aa10ecbeea6bee/tools/cfi/blacklist.txt

chro...@googlecode.com

Dec 11, 2015, 1:45:04 AM
to chromi...@chromium.org
Updates:
Owner: kra...@chromium.org

Comment #3 on issue 568891 by kra...@chromium.org: CFI: invalid cast in
HeapTest.VectorDestructorsWithVtable
https://code.google.com/p/chromium/issues/detail?id=568891

The committed CL only suppresses the issue, but does not fix it. This is
left for later.