
Asan crashes when loading an applet #15

Closed
ramosian-glider opened this issue Aug 31, 2015 · 5 comments

@ramosian-glider

Originally reported on Google Code with ID 15

What steps will reproduce the problem?
1. Copy HelloWorld.html and two HelloWorld.class files to the same folder.
2. Open HelloWorld.html in a Chrome web browser built with ASan.
3. If the applet is blocked due to lack of permission, click on the "Run this time" button.
The applet will not load and ASan displays this error message.

==2022== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fe0eb6acaae at pc 0x7fe1040ab9d9 bp 0x7fffd07c76a0 sp 0x7fffd07c7660
READ of size 1 at 0x7fe0eb6acaae thread T0
    #0 0x7fe1040ab9d9 in strlen /usr/local/google/asan/address-sanitizer/asan/asan_interceptors.cc:270
    #1 0x7fe0fae82112 in IA__g_strdup /build/buildd/glib2.0-2.24.1/glib/gstrfuncs.c:101
    #2 0x7fe0fae83cff in IA__g_strsplit /build/buildd/glib2.0-2.24.1/glib/gstrfuncs.c:2431
    #3 0x7fe0eb174eea in ?? ??:0
    #4 0x7fe0eb17524d in ?? ??:0
    #5 0x7fe1028b5c55 in _ZN6webkit5npapi14PluginInstance7NPP_NewEtsPPcS3_ /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/webkit/plugins/npapi/plugin_instance.cc:222
    #6 0x7fe1028b58b4 in _ZN6webkit5npapi14PluginInstance5StartERK4GURLPPcS6_ib /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/webkit/plugins/npapi/plugin_instance.cc:157
    #7 0x7fe103e02610 in _ZN6webkit5npapi21WebPluginDelegateImpl10InitializeERK4GURLRKSt6vectorISsSaISsEES9_PNS0_9WebPluginEb /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/webkit/plugins/npapi/webplugin_delegate_impl.cc:90
    #8 0x7fe1033fce36 in _ZN21WebPluginDelegateStub6OnInitERK21PluginMsg_Init_ParamsPb /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/plugin/webplugin_delegate_stub.cc:194
    #9 0x7fe103400360 in _ZN3IPC11ParamTraitsIbE5WriteEPNS_7MessageERKb /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/./ipc/ipc_message_utils.h:187
    #10 0x7fe1033fa611 in ~Tuple1 /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/./base/tuple.h:79
    #11 0x7fe0fffd3738 in _ZN13MessageRouter12RouteMessageERKN3IPC7MessageE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/common/message_router.cc:46
    #12 0x7fe1039b8621 in _ZN13NPChannelBase17OnMessageReceivedERKN3IPC7MessageE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/common/np_channel_base.cc:169
    #13 0x7fe1033f2bb5 in _ZN13PluginChannel17OnMessageReceivedERKN3IPC7MessageE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/plugin/plugin_channel.cc:202
    #14 0x7fe10004baa9 in _ZN3IPC12ChannelProxy7Context17OnDispatchMessageERKNS_7MessageE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/ipc/ipc_channel_proxy.cc:263
    #15 0x7fe1000558c4 in _ZN3IPC11SyncChannel20ReceivedSyncMsgQueue16DispatchMessagesEPNS0_11SyncContextE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/ipc/ipc_sync_channel.cc:110
    #16 0x7fe100058c76 in _ZN3IPC11SyncChannel23OnWaitableEventSignaledEPN4base13WaitableEventE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/ipc/ipc_sync_channel.cc:516
    #17 0x7fe0fe8e86bf in _ZNK4base8CallbackIFvvEE3RunEv /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/./base/callback.h:274
    #18 0x7fe0fe8e8f56 in _ZN11MessageLoop21DeferOrRunPendingTaskERKN4base11PendingTaskE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_loop.cc:512
    #19 0x7fe0fe8ea25f in _ZN11MessageLoop6DoWorkEv /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_loop.cc:702
    #20 0x7fe0fe986fff in _ZN4base15MessagePumpGlib14HandleDispatchEv /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_pump_glib.cc:278
    #21 0x7fe0fae618c2 in g_main_dispatch /build/buildd/glib2.0-2.24.1/glib/gmain.c:1960
    #22 0x7fe0fae65748 in g_main_context_iterate /build/buildd/glib2.0-2.24.1/glib/gmain.c:2591
    #23 0x7fe0fae658fc in IA__g_main_context_iteration /build/buildd/glib2.0-2.24.1/glib/gmain.c:2654
    #24 0x7fe0fe98a001 in _ZN4base14MessagePumpGtk7RunOnceEP13_GMainContextb /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_pump_gtk.cc:41
    #25 0x7fe0fe987ab5 in _ZN4base15MessagePumpGlib17RunWithDispatcherEPNS_11MessagePump8DelegateEPNS_21MessagePumpDispatcherE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_pump_glib.cc:209
    #26 0x7fe0fe8e727e in _ZN11MessageLoop11RunInternalEv /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_loop.cc:460
    #27 0x7fe0fe8e55cf in ~AutoRunState /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/base/message_loop.cc:774
    #28 0x7fe1033ef9ac in _Z10PluginMainRKN7content18MainFunctionParamsE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/plugin/plugin_main.cc:164
    #29 0x7fe0fe83c91c in _ZN12_GLOBAL__N_123RunNamedProcessTypeMainERKSsRKN7content18MainFunctionParamsEPNS2_19ContentMainDelegateE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/app/content_main.cc:263
    #30 0x7fe0fe83c0b2 in _ZN7content11ContentMainEiPPKcPNS_19ContentMainDelegateE /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/app/content_main.cc:454
    #31 0x7fe0fd054fc7 in ChromeMain /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/chrome/app/chrome_main.cc:32
    #32 0x7fe0fd054eeb in main /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/chrome/app/chrome_exe_main_gtk.cc:18
    #33 0x7fe0f65f7c4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
    #34 0x7fe0fd054e09 in _start ??:0
0x7fe0eb6acaae is located 0 bytes to the right of 46-byte region [0x7fe0eb6aca80,0x7fe0eb6acaae)
allocated by thread T0 here:
    #0 0x7fe1040b0177 in malloc /usr/local/google/asan/address-sanitizer/asan/asan_malloc_linux.cc:49
    #1 0x7fe1039cf6c4 in _Z15CreateNPVariantRK15NPVariant_ParamP13NPChannelBaseP10_NPVariantlRK4GURL /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/common/npobject_util.cc:245
    #2 0x7fe1039c2451 in _ZN13NPObjectProxy13NPGetPropertyEP8NPObjectPvP10_NPVariant /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/common/npobject_proxy.cc:289
    #3 0x7fe1039cfd42 in _ZN12_GLOBAL__N_1L20NPN_GetPropertyPatchEP4_NPPP8NPObjectPvP10_NPVariant /home/chamal/chrome/home/chrome-svn/tarball/chromium/src/content/common/npobject_util.cc:62
    #4 0x7fe0eb174ed4 in ?? ??:0
==2022== ABORTING
Shadow byte and word:
  0x1ffc1d6d5955: 6
  0x1ffc1d6d5950: 00 00 00 00 00 06 fb fb
More shadow bytes:
  0x1ffc1d6d5930: fd fd fd fd fd fd fd fd
  0x1ffc1d6d5938: fd fd fd fd fd fd fd fd
  0x1ffc1d6d5940: fa fa fa fa fa fa fa fa
  0x1ffc1d6d5948: fa fa fa fa fa fa fa fa
=>0x1ffc1d6d5950: 00 00 00 00 00 06 fb fb
  0x1ffc1d6d5958: fb fb fb fb fb fb fb fb
  0x1ffc1d6d5960: fa fa fa fa fa fa fa fa
  0x1ffc1d6d5968: fa fa fa fa fa fa fa fa
  0x1ffc1d6d5970: 06 fb fb fb fb fb fb fb


What is the expected output? What do you see instead?

Applet should load without error.


What version of the product are you using? On what operating system?
Chrome: 18.0.966.0 (Developer Build 113593 Linux)
Java Plugin: OpenJDK Runtime Environment (IcedTea6 1.9.10)
OS: Ubuntu 10.04 64-bit.

Please provide any additional information below.


Reported by chamal.desilva on 2011-12-09 14:46:41
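The report above says a lot in a few lines: strlen() (via g_strdup/g_strsplit) read one byte at the very end of a 46-byte heap region that CreateNPVariant allocated, and the shadow byte for that address is 06, meaning only the first six bytes of that 8-byte granule are addressable. That is the signature of a string stored without its NUL terminator being handed to a function that expects one. The following C program is an added example, not code from this issue, from Chromium or from AddressSanitizer: it models the bug class with a buggy and a fixed producer, shows the consumer-side defence of never scanning past a known capacity, and decodes the report's shadow bytes. The SAMPLE string is constructed (46 bytes, the same size as the region in the report); the shadow offset of 1 << 44 is an assumption, chosen because it is what the two addresses printed in the report imply (0x7fe0eb6acaae >> 3 plus 1 << 44 gives 0x1ffc1d6d5955).

```c
/* Added example (not from the issue, Chromium or ASan): models the report's bug
 * class and decodes its shadow bytes. Build with -fsanitize=address -g to see
 * the same kind of heap-buffer-overflow report on the last step of main(). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed 46-byte value, the same length as the region in the report. */
static const char SAMPLE[] = "HelloWorld applet parameter, forty-six bytes!!";

/* Buggy producer (models the report): copies len bytes and no NUL terminator.
 * Any later strlen()/g_strdup() on the result reads one byte past the region. */
char *copy_unterminated(const char *src, size_t len) {
    char *buf = malloc(len);
    if (buf) memcpy(buf, src, len);
    return buf;
}

/* Fixed producer: allocates len + 1 bytes and terminates the string. */
char *copy_terminated(const char *src, size_t len) {
    char *buf = malloc(len + 1);
    if (!buf) return NULL;
    memcpy(buf, src, len);
    buf[len] = '\0';
    return buf;
}

/* Consumer-side defence (strnlen-style): never scan past the known capacity,
 * so an unterminated buffer is still handled without an out-of-bounds read. */
size_t bounded_length(const char *buf, size_t cap) {
    size_t n = 0;
    while (n < cap && buf[n] != '\0') n++;
    return n;
}

/* ASan keeps one shadow byte per 8-byte granule: shadow = (addr >> 3) + offset.
 * The offset is passed in; 1 << 44 is what this report's addresses imply. */
uint64_t shadow_address(uint64_t addr, uint64_t shadow_offset) {
    return (addr >> 3) + shadow_offset;
}

/* Shadow byte meaning: 0 = all 8 bytes addressable, 1..7 = only the first k
 * bytes, high bit set (fa, fb, fd, ...) = none (redzone or freed memory). */
int byte_addressable(unsigned char shadow, uint64_t addr) {
    unsigned int off = (unsigned int)(addr & 7);
    if (shadow == 0) return 1;
    if (shadow >= 0x80) return 0;
    return off < shadow;
}

int main(void) {
    char *ok = copy_terminated(SAMPLE, 46);
    printf("terminated copy: strlen = %zu\n", strlen(ok));
    free(ok);

    char *raw = copy_unterminated(SAMPLE, 46);
    printf("bounded_length on unterminated copy: %zu\n", bounded_length(raw, 46));

    /* The report's region [..a80, ..aae) is 5 full granules plus 6 bytes, hence
     * shadow value 06; the faulting address has low bits 6, so it is not addressable. */
    uint64_t bad = 0x7fe0eb6acaaeULL;
    printf("shadow of 0x%llx = 0x%llx (report: 0x1ffc1d6d5955, value 06)\n",
           (unsigned long long)bad,
           (unsigned long long)shadow_address(bad, 1ULL << 44));
    printf("byte 0x%llx addressable? %d\n",
           (unsigned long long)bad, byte_addressable(0x06, bad));

    /* Buggy path last: under ASan this is the report's READ of size 1 in strlen,
     * 0 bytes to the right of a 46-byte region. */
    printf("strlen on unterminated copy: %zu\n", strlen(raw));
    free(raw);
    return 0;
}
```

Without ASan the last strlen() usually returns 46 by luck, because the byte after the region happens to be zero or a redzone-free allocator header; that is exactly why the sanitizer build in the report caught what an ordinary build would have let through. The triage lesson that matches the thread's outcome is also visible here: the detector is right, and the fix belongs to the producer that dropped the terminator, not to ASan.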

@ramosian-glider

Looks like you've chosen an incorrect bug tracker for this. Could you please try crbug.com or somehow elaborate why this is an ASan bug?

Reported by ramosian.glider on 2011-12-09 14:51:25

@ramosian-glider

This is a legitimate bug report. Let's continue the discussion in crbug.

Reported by konstantin.s.serebryany on 2011-12-09 17:59:02

  • Status changed: WontFix

@ramosian-glider

I thought the error happens because of ASan and not because of Chrome. I am sorry for my misjudgement.

Reported by chamal.desilva on 2011-12-09 21:55:21

@ramosian-glider

Changed the labels. Kudos to eugenis@ for finding this.

Reported by ramosian.glider on 2012-04-04 08:42:23

  • Labels added: Restrict-View-Commit

@ramosian-glider

Adding Project:AddressSanitizer as part of GitHub migration.

Reported by ramosian.glider on 2015-07-30 09:12:58

  • Labels added: ProjectAddressSanitizer
