12761446: AddressSanitizer reports a heap buffer overflow in OpenCL #14258

openradar-mirror opened this issue Apr 18, 2016 · 0 comments
Description

28-Nov-2012 02:39 AM Alexander Potapenko:
Summary: for a Chromium built with AddressSanitizer (clang.llvm.org/docs/AddressSanitizer.html; see http://dev.chromium.org/developers/testing/addresssanitizer for instructions on building Chrome with ASan), the following report is printed just as the browser starts:

$ out/Release/Chromium.app/Contents/MacOS/Chromium 2>&1 | tools/valgrind/asan/asan_symbolize.py

==26382== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x198e044f at pc 0x20f60 bp 0xbffdca68 sp 0xbffdca54
WRITE of size 1 at 0x198e044f thread T0
#0 0x20f5f in wrap_memmove (in Chromium) + 255
#1 0x922f3a42 in 0x0001ca42 (in OpenCL) + 520
#2 0x922f3b77 in 0x0001cb77 (in OpenCL) + 101
#3 0x922f1ee5 in clEnqueueNDRangeKernel (in OpenCL) + 181
#4 0x985298be in -[FEOpenCLContext quad:](in CoreImage) + 3776
#5 0x9863870b in -[FEContext(Drawing) quad:kernel:](in CoreImage) + 105
#6 0x985662d4 in FEApplyTreeNode::render1(FETreeContext*, FEShape const&, fe_kernel_target_struct*, int, float*, FETreeTexture*) (in CoreImage) + 2176
#7 0x98566af2 in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 1620
#8 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#9 0x98563f22 in FETreeNode::renderTexture(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 68
#10 0x9855e702 in FETexture::retainTextureObject(FETextureCache*, FEContext*, unsigned int, void*, void (*)(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*), CGRect const*, bool, fe_texture_object_struct**) (in CoreImage) + 748
#11 0x9855f081 in FETexture::newTexture(FEContext*, fe_texture_params_struct const*, void*, void (*)(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*), fe_texture_object_struct**) (in CoreImage) + 995
#12 0x985642b6 in FETreeNode::createTexture(FETreeContext*, unsigned int, unsigned int, bool, bool, FETreeTexture*, unsigned int) (in CoreImage) + 884
#13 0x9856676c in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 718
#14 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#15 0x9856776e in FETreeNode::render(FETreeContext*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 96
#16 0x98567707 in FETreeContext::render(FETreeNode*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 51
#17 0x9856ae56 in FETreeContext::renderTree(FETreeNode*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 184
#18 0x9856b1a6 in FETreeContext::renderImage_(FEImage*, CGRect, FEShape const*, CGAffineTransform, CGColorSpace*, FEFormat, bool, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 784
#19 0x9856b4ef in FETreeContext::renderImage(FEImage*, CGRect, FEShape const*, CGAffineTransform, CGColorSpace*, FEFormat, bool, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 355
#20 0x985411ab in -[FEImage(Internal) renderWithContext:bounds:transform:colorSpace:format:premultiplied:setupCallback:finishCallback:callbackData:](in CoreImage) + 267
#21 0x98540a4f in -[FEImage getBitmap:withContext:origin:transform:colorSpace:](in CoreImage) + 1441
#22 0x984f2176 in -[CIContextImpl render:toBitmap:rowBytes:bounds:format:colorSpace:](in CoreImage) + 352
#23 0x984f106a in -[CIContext render:toBitmap:rowBytes:bounds:format:colorSpace:](in CoreImage) + 92
#24 0x970278d5 in CUICreateImageByApplyingEffectsToImageViaCI(long, CUIDescriptor const, CFArray const, CGImage, float, unsigned char) (in CoreUI) + 17850
#25 0x97020e38 in CUIArtFileRenderer::DrawImage(CGRect, long, CUIDescriptor const*) (in CoreUI) + 7848
#26 0x97010845 in CUIArtFileRenderer::Draw(CUIDescriptor const*, CGAffineTransform, CUIReturnInfo&) (in CoreUI) + 1855
#27 0x96fefd3e in CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, __CFDictionary const*) (in CoreUI) + 3518
#28 0x9701688b in CUIDraw (in CoreUI) + 175
#29 0x94df3425 in -[NSCoreUIImageRep draw](in AppKit) + 288
#30 0x94df32a3 in -[NSImageRep drawInRect:](in AppKit) + 371
#31 0x951909ae in _block_global_0 (in AppKit) + 58
#32 0x94df2fc3 in NSGraphicsContextPushContextWithFlippedMetadata_drawWithBlock (in AppKit) + 381
#33 0x94df2c7f in 74-[NSImageRep drawInRect:fromRect:operation:fraction:respectFlipped:hints:]block_invoke_0 (in AppKit) + 1640
#34 0x94df255f in NSUsingGraphicsStateForHints_drawWithBlock (in AppKit) + 66
#35 0x94df23c1 in -[NSImageRep drawInRect:fromRect:operation:fraction:respectFlipped:hints:](in AppKit) + 892
#36 0x94df07a9 in -[NSImage drawMappingAlignmentRectToRect:withState:backgroundStyle:operation:fraction:flip:hints:](in AppKit) + 2429
#37 0x94cfaf85 in -[NSThemeFullScreenButtonCell drawImage:withFrame:inView:](in AppKit) + 120
#38 0x94e090bd in -[NSButtonCell configureAndDrawImageWithRect:cellFrame:controlView:](in AppKit) + 705
#39 0x94e07d4b in -[NSButtonCell drawInteriorWithFrame:inView:](in AppKit) + 1720
#40 0x94e0762f in -[NSButtonCell drawWithFrame:inView:](in AppKit) + 501
#41 0x94de9f52 in -[NSControl drawRect:](in AppKit) + 378
#42 0x94ddd35d in -[NSView drawRect:clip:](in AppKit) + 3491
#43 0x94ddbd73 in -[NSView recursiveDisplayAllDirtyWithLockFocus:visRect:](in AppKit) + 1315
#44 0x94ddc0a9 in -[NSView recursiveDisplayAllDirtyWithLockFocus:visRect:](in AppKit) + 2137
#45 0x94ddb671 in -[NSView recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:](in AppKit) + 5444
#46 0x94dd9f1e in -[NSThemeFrame recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:](in AppKit) + 289
#47 0x94dd5c82 in -[NSView displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:](in AppKit) + 4424
#48 0x94d9e480 in -[NSView displayIfNeeded](in AppKit) + 1467
#49 0x94d9de3c in -[NSWindow displayIfNeeded](in AppKit) + 305
#50 0x94e56718 in -[NSWindow reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:](in AppKit) + 1366
#51 0x94e561b5 in -[NSWindow doOrderWindowWithoutAnimation:relativeTo:findKey:forCounter:force:isModal:](in AppKit) + 78
#52 0x94e55ccc in -[NSWindow doOrderWindow:relativeTo:findKey:forCounter:force:isModal:](in AppKit) + 1051
#53 0x94e55833 in -[NSWindow orderWindow:relativeTo:](in AppKit) + 126
#54 0x94e4e437 in -[NSWindow makeKeyAndOrderFront:](in AppKit) + 68
#55 0x39df4fd in BrowserWindowCocoa::Show browser_window_cocoa.mm:124
#56 0x3cedce4 in StartupBrowserCreatorImpl::OpenTabsInBrowser startup_browser_creator_impl.cc:884
#57 0x3cec8ac in StartupBrowserCreatorImpl::OpenURLsInBrowser startup_browser_creator_impl.cc:792
#58 0x3ce60e2 in StartupBrowserCreatorImpl::ProcessLaunchURLs startup_browser_creator_impl.cc:636
#59 0x3ce2541 in StartupBrowserCreatorImpl::Launch startup_browser_creator_impl.cc:394
#60 0x3cda46c in StartupBrowserCreator::LaunchBrowser startup_browser_creator.cc:201
#61 0x3cde1b4 in StartupBrowserCreator::ProcessCmdLineImpl startup_browser_creator.cc:518
#62 0x7b5a0c3 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl startup_browser_creator.h:46
#63 0x7b5681b in ChromeBrowserMainParts::PreMainMessageLoopRun chrome_browser_main.cc:937
#64 0x71ee0e1 in content::BrowserMainLoop::CreateThreads browser_main_loop.cc:464
#65 0x71f0faf in content::BrowserMainRunnerImpl::Initialize browser_main_runner.cc:105
#66 0x71eac2d in content::BrowserMain browser_main.cc:18
#67 0x9b0441f in content::RunNamedProcessTypeMain content_main_runner.cc:448
#68 0x9b066a0 in content::ContentMainRunnerImpl::Run content_main_runner.cc:741
#69 0x9b038c5 in content::ContentMain content_main.cc:35
#70 0x1145f69 in ChromeMain chrome_main.cc:32
#71 0x1c138 in main chrome_exe_main_mac.cc:16
#72 0x1c114 in start (in Chromium) + 52
#73 0x0
0x198e044f is located 7 bytes to the right of 8-byte region [0x198e0440,0x198e0448)
allocated by thread T0 here:
#0 0x25a1b in (anonymous namespace)::mz_malloc(malloc_zone_t*, unsigned long) (in Chromium) + 43
#1 0x9129b54a in malloc_zone_malloc (in libsystem_c.dylib) + 74
#2 0x9129c044 in realloc (in libsystem_c.dylib) + 79
#3 0x922f0df1 in 0x00019df1 (in OpenCL) + 1041
#4 0x922f09dd in clSetKernelArg (in OpenCL) + 122
#5 0x9852942a in -[FEOpenCLContext quad:](in CoreImage) + 2604
#6 0x9863870b in -[FEContext(Drawing) quad:kernel:](in CoreImage) + 105
#7 0x985662d4 in FEApplyTreeNode::render1(FETreeContext*, FEShape const&, fe_kernel_target_struct*, int, float*, FETreeTexture*) (in CoreImage) + 2176
#8 0x98566af2 in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 1620
#9 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#10 0x98563f22 in FETreeNode::renderTexture(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 68
Shadow byte and word:
0x2331c089: fb
0x2331c088: 00 fb fb fb
More shadow bytes:
0x2331c078: 00 00 fb fb
0x2331c07c: fb fb fb fb
0x2331c080: fa fa fa fa
0x2331c084: fa fa fa fa
=>0x2331c088: 00 fb fb fb
0x2331c08c: fb fb fb fb
0x2331c090: fa fa fa fa
0x2331c094: fa fa fa fa
0x2331c098: 00 00 fb fb
Stats: 18M malloced (24M for red zones) by 175894 calls
Stats: 2M realloced by 704 calls
Stats: 12M freed by 89071 calls
Stats: 0M really freed by 0 calls
Stats: 49M (12578 full pages) mmaped in 93 calls
mmaps by size class: 7:167895; 8:12282; 9:4092; 10:2044; 11:1020; 12:384; 13:384; 14:160; 15:128; 16:24; 17:12; 18:4; 19:1; 20:2; 21:1;
mallocs by size class: 7:162831; 8:8397; 9:2077; 10:1033; 11:654; 12:266; 13:347; 14:124; 15:125; 16:22; 17:10; 18:4; 19:1; 20:2; 21:1;
frees by size class: 7:80770; 8:5009; 9:1319; 10:696; 11:543; 12:216; 13:292; 14:83; 15:112; 16:17; 17:8; 18:3; 19:1; 20:1; 21:1;
rfrees by size class:
Stats: malloc large: 190 small slow: 1082
==26382== ABORTING

Steps to Reproduce:
Get the Google Chromium source (http://dev.chromium.org/developers/how-tos/get-the-code) and build Chrome with AddressSanitizer (http://dev.chromium.org/developers/testing/addresssanitizer).
Otherwise, download the Chromium build from http://commondatastorage.googleapis.com/chromium-browser-asan/index.html?path=mac-release/

Expected Results: the browser works fine

Actual Results: an error report is printed

Notes: see also http://crbug.com/162461

Product Version:
Created: 2012-11-27T22:40:35.218805
Originated: 2012-11-28T02:39:00
Open Radar Link: http://www.openradar.me/12761446
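The shape of the report above is a 1-byte write by memmove (reached from clEnqueueNDRangeKernel) landing 7 bytes to the right of an 8-byte heap region that was realloc'd from clSetKernelArg: an argument region sized for 8 bytes is later copied as if it were larger. The following is an added example, not code from this issue, from OpenCL or from CoreImage; the argument table, the `set_arg` and `marshal_arg` functions and the launch-buffer layout are all hypothetical stand-ins written to show the size check that prevents this class of bug, and what AddressSanitizer would otherwise catch at the memmove.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-argument slot (constructed for this example; not OpenCL's
 * real internals). 'data' is a heap region of exactly 'size' bytes. */
struct arg_slot {
    size_t size;
    void  *data;
};

struct arg_table {
    size_t           count;
    struct arg_slot *slots;
};

/* Store an argument. The table grows on demand and the slot's region is
 * realloc'd to exactly 'size' bytes, the same pattern as the report's
 * "allocated by" stack (clSetKernelArg -> realloc of an 8-byte region). */
int set_arg(struct arg_table *t, size_t index, size_t size, const void *value)
{
    if (size == 0 || value == NULL) return -1;
    if (index >= t->count) {
        struct arg_slot *grown = realloc(t->slots, (index + 1) * sizeof *grown);
        if (!grown) return -1;
        memset(grown + t->count, 0, (index + 1 - t->count) * sizeof *grown);
        t->slots = grown;
        t->count = index + 1;
    }
    void *region = realloc(t->slots[index].data, size);
    if (!region) return -1;
    memcpy(region, value, size);
    t->slots[index].data = region;
    t->slots[index].size = size;
    return 0;
}

/* Copy one argument into the launch buffer, 'expected' being the byte count the
 * kernel signature calls for. Returns bytes written, or -1 when either side is
 * too small. Without the first check, a kernel expecting 16 bytes for a slot
 * that was set with 8 makes memmove touch bytes past the 8-byte region: the
 * out-of-bounds access ASan flags as heap-buffer-overflow in the report. */
long marshal_arg(const struct arg_table *t, size_t index, size_t expected,
                 void *dst, size_t dst_cap)
{
    if (index >= t->count || t->slots[index].data == NULL) return -1;
    if (t->slots[index].size < expected) return -1;   /* would over-read the slot   */
    if (expected > dst_cap) return -1;                /* would over-write the dst   */
    memmove(dst, t->slots[index].data, expected);
    return (long)expected;
}

void free_table(struct arg_table *t)
{
    for (size_t i = 0; i < t->count; i++) free(t->slots[i].data);
    free(t->slots);
    t->slots = NULL;
    t->count = 0;
}

/* Walks the two cases: an in-bounds 8-byte marshal and a rejected 16-byte one.
 * Returns 0 when both behave as intended. */
int demo(void)
{
    struct arg_table t = { 0, NULL };
    uint64_t v = 0x1122334455667788ULL;          /* constructed 8-byte argument */
    unsigned char launch[32] = { 0 };
    if (set_arg(&t, 0, sizeof v, &v) != 0) return -1;
    long ok  = marshal_arg(&t, 0, 8,  launch, sizeof launch);   /* 8  */
    long bad = marshal_arg(&t, 0, 16, launch, sizeof launch);   /* -1: slot is 8 bytes */
    int same = memcmp(launch, &v, sizeof v) == 0;
    free_table(&t);
    return (ok == 8 && bad == -1 && same) ? 0 : -2;
}

int main(void)
{
    printf("demo: %d\n", demo());
    return 0;
}
```

Build it with `-fsanitize=address` and drop the `size < expected` check to see the same "located N bytes to the right of M-byte region" diagnostic the issue quotes, with the allocating realloc in the "allocated by" stack.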
