AddressSanitizer reports a heap buffer overflow in OpenCL
| Field | Value | Field | Value |
|---|---|---|---|
| Originator | ramosian.glider | | |
| Number | rdar://12761446 | Date Originated | 28-Nov-2012 02:39 AM |
| Status | Open | Resolved | |
| Product | Mac OS X | Product Version | |
| Classification | Serious bug | Reproducible | Always |
28-Nov-2012 02:39 AM Alexander Potapenko:
Summary: for a Chromium built with AddressSanitizer (clang.llvm.org/docs/AddressSanitizer.html; see http://dev.chromium.org/developers/testing/addresssanitizer for instructions on building Chrome with ASan), the following report is printed just as the browser starts:
$ out/Release/Chromium.app/Contents/MacOS/Chromium 2>&1 | tools/valgrind/asan/asan_symbolize.py
=================================================================
==26382== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x198e044f at pc 0x20f60 bp 0xbffdca68 sp 0xbffdca54
WRITE of size 1 at 0x198e044f thread T0
#0 0x20f5f in wrap_memmove (in Chromium) + 255
#1 0x922f3a42 in 0x0001ca42 (in OpenCL) + 520
#2 0x922f3b77 in 0x0001cb77 (in OpenCL) + 101
#3 0x922f1ee5 in clEnqueueNDRangeKernel (in OpenCL) + 181
#4 0x985298be in -[FEOpenCLContext _quad:] (in CoreImage) + 3776
#5 0x9863870b in -[FEContext(Drawing) quad:kernel:] (in CoreImage) + 105
#6 0x985662d4 in FEApplyTreeNode::render1(FETreeContext*, FEShape const&, fe_kernel_target_struct*, int, float*, FETreeTexture*) (in CoreImage) + 2176
#7 0x98566af2 in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 1620
#8 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#9 0x98563f22 in FETreeNode::renderTexture(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 68
#10 0x9855e702 in FETexture::retainTextureObject(FETextureCache*, FEContext*, unsigned int, void*, void (*)(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*), CGRect const*, bool, fe_texture_object_struct**) (in CoreImage) + 748
#11 0x9855f081 in FETexture::newTexture(FEContext*, fe_texture_params_struct const*, void*, void (*)(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*), fe_texture_object_struct**) (in CoreImage) + 995
#12 0x985642b6 in FETreeNode::createTexture(FETreeContext*, unsigned int, unsigned int, bool, bool, FETreeTexture*, unsigned int) (in CoreImage) + 884
#13 0x9856676c in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 718
#14 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#15 0x9856776e in FETreeNode::render(FETreeContext*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 96
#16 0x98567707 in FETreeContext::render(FETreeNode*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 51
#17 0x9856ae56 in FETreeContext::renderTree(FETreeNode*, FEShape const&, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 184
#18 0x9856b1a6 in FETreeContext::renderImage_(FEImage*, CGRect, FEShape const*, CGAffineTransform, CGColorSpace*, FEFormat, bool, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 784
#19 0x9856b4ef in FETreeContext::renderImage(FEImage*, CGRect, FEShape const*, CGAffineTransform, CGColorSpace*, FEFormat, bool, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 355
#20 0x985411ab in -[FEImage(Internal) _renderWithContext:bounds:transform:colorSpace:format:premultiplied:setupCallback:finishCallback:callbackData:] (in CoreImage) + 267
#21 0x98540a4f in -[FEImage getBitmap:withContext:origin:transform:colorSpace:] (in CoreImage) + 1441
#22 0x984f2176 in -[CIContextImpl render:toBitmap:rowBytes:bounds:format:colorSpace:] (in CoreImage) + 352
#23 0x984f106a in -[CIContext render:toBitmap:rowBytes:bounds:format:colorSpace:] (in CoreImage) + 92
#24 0x970278d5 in _CUICreateImageByApplyingEffectsToImageViaCI(long, CUIDescriptor const*, __CFArray const*, CGImage*, float, unsigned char) (in CoreUI) + 17850
#25 0x97020e38 in CUIArtFileRenderer::DrawImage(CGRect, long, CUIDescriptor const*) (in CoreUI) + 7848
#26 0x97010845 in CUIArtFileRenderer::Draw(CUIDescriptor const*, CGAffineTransform, CUIReturnInfo&) (in CoreUI) + 1855
#27 0x96fefd3e in CUIRenderer::Draw(CGRect, CGContext*, __CFDictionary const*, __CFDictionary const**) (in CoreUI) + 3518
#28 0x9701688b in CUIDraw (in CoreUI) + 175
#29 0x94df3425 in -[NSCoreUIImageRep draw] (in AppKit) + 288
#30 0x94df32a3 in -[NSImageRep drawInRect:] (in AppKit) + 371
#31 0x951909ae in __block_global_0 (in AppKit) + 58
#32 0x94df2fc3 in NSGraphicsContextPushContextWithFlippedMetadata_drawWithBlock_ (in AppKit) + 381
#33 0x94df2c7f in __74-[NSImageRep drawInRect:fromRect:operation:fraction:respectFlipped:hints:]_block_invoke_0 (in AppKit) + 1640
#34 0x94df255f in NSUsingGraphicsStateForHints_drawWithBlock_ (in AppKit) + 66
#35 0x94df23c1 in -[NSImageRep drawInRect:fromRect:operation:fraction:respectFlipped:hints:] (in AppKit) + 892
#36 0x94df07a9 in -[NSImage _drawMappingAlignmentRectToRect:withState:backgroundStyle:operation:fraction:flip:hints:] (in AppKit) + 2429
#37 0x94cfaf85 in -[_NSThemeFullScreenButtonCell drawImage:withFrame:inView:] (in AppKit) + 120
#38 0x94e090bd in -[NSButtonCell _configureAndDrawImageWithRect:cellFrame:controlView:] (in AppKit) + 705
#39 0x94e07d4b in -[NSButtonCell drawInteriorWithFrame:inView:] (in AppKit) + 1720
#40 0x94e0762f in -[NSButtonCell drawWithFrame:inView:] (in AppKit) + 501
#41 0x94de9f52 in -[NSControl drawRect:] (in AppKit) + 378
#42 0x94ddd35d in -[NSView _drawRect:clip:] (in AppKit) + 3491
#43 0x94ddbd73 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] (in AppKit) + 1315
#44 0x94ddc0a9 in -[NSView _recursiveDisplayAllDirtyWithLockFocus:visRect:] (in AppKit) + 2137
#45 0x94ddb671 in -[NSView _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] (in AppKit) + 5444
#46 0x94dd9f1e in -[NSThemeFrame _recursiveDisplayRectIfNeededIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:topView:] (in AppKit) + 289
#47 0x94dd5c82 in -[NSView _displayRectIgnoringOpacity:isVisibleRect:rectIsVisibleRectForView:] (in AppKit) + 4424
#48 0x94d9e480 in -[NSView displayIfNeeded] (in AppKit) + 1467
#49 0x94d9de3c in -[NSWindow displayIfNeeded] (in AppKit) + 305
#50 0x94e56718 in -[NSWindow _reallyDoOrderWindow:relativeTo:findKey:forCounter:force:isModal:] (in AppKit) + 1366
#51 0x94e561b5 in -[NSWindow _doOrderWindowWithoutAnimation:relativeTo:findKey:forCounter:force:isModal:] (in AppKit) + 78
#52 0x94e55ccc in -[NSWindow _doOrderWindow:relativeTo:findKey:forCounter:force:isModal:] (in AppKit) + 1051
#53 0x94e55833 in -[NSWindow orderWindow:relativeTo:] (in AppKit) + 126
#54 0x94e4e437 in -[NSWindow makeKeyAndOrderFront:] (in AppKit) + 68
#55 0x39df4fd in BrowserWindowCocoa::Show browser_window_cocoa.mm:124
#56 0x3cedce4 in StartupBrowserCreatorImpl::OpenTabsInBrowser startup_browser_creator_impl.cc:884
#57 0x3cec8ac in StartupBrowserCreatorImpl::OpenURLsInBrowser startup_browser_creator_impl.cc:792
#58 0x3ce60e2 in StartupBrowserCreatorImpl::ProcessLaunchURLs startup_browser_creator_impl.cc:636
#59 0x3ce2541 in StartupBrowserCreatorImpl::Launch startup_browser_creator_impl.cc:394
#60 0x3cda46c in StartupBrowserCreator::LaunchBrowser startup_browser_creator.cc:201
#61 0x3cde1b4 in StartupBrowserCreator::ProcessCmdLineImpl startup_browser_creator.cc:518
#62 0x7b5a0c3 in ChromeBrowserMainParts::PreMainMessageLoopRunImpl startup_browser_creator.h:46
#63 0x7b5681b in ChromeBrowserMainParts::PreMainMessageLoopRun chrome_browser_main.cc:937
#64 0x71ee0e1 in content::BrowserMainLoop::CreateThreads browser_main_loop.cc:464
#65 0x71f0faf in content::BrowserMainRunnerImpl::Initialize browser_main_runner.cc:105
#66 0x71eac2d in content::BrowserMain browser_main.cc:18
#67 0x9b0441f in content::RunNamedProcessTypeMain content_main_runner.cc:448
#68 0x9b066a0 in content::ContentMainRunnerImpl::Run content_main_runner.cc:741
#69 0x9b038c5 in content::ContentMain content_main.cc:35
#70 0x1145f69 in ChromeMain chrome_main.cc:32
#71 0x1c138 in main chrome_exe_main_mac.cc:16
#72 0x1c114 in start (in Chromium) + 52
#73 0x0
0x198e044f is located 7 bytes to the right of 8-byte region [0x198e0440,0x198e0448)
allocated by thread T0 here:
#0 0x25a1b in (anonymous namespace)::mz_malloc(_malloc_zone_t*, unsigned long) (in Chromium) + 43
#1 0x9129b54a in malloc_zone_malloc (in libsystem_c.dylib) + 74
#2 0x9129c044 in realloc (in libsystem_c.dylib) + 79
#3 0x922f0df1 in 0x00019df1 (in OpenCL) + 1041
#4 0x922f09dd in clSetKernelArg (in OpenCL) + 122
#5 0x9852942a in -[FEOpenCLContext _quad:] (in CoreImage) + 2604
#6 0x9863870b in -[FEContext(Drawing) quad:kernel:] (in CoreImage) + 105
#7 0x985662d4 in FEApplyTreeNode::render1(FETreeContext*, FEShape const&, fe_kernel_target_struct*, int, float*, FETreeTexture*) (in CoreImage) + 2176
#8 0x98566af2 in FEApplyTreeNode::render2(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 1620
#9 0x98563d5a in FETreeNode::render_(FETreeContext*, FEShape const*, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 150
#10 0x98563f22 in FETreeNode::renderTexture(void*, CGRect, FEFormat, void (*)(FEContext*, void*, FEFormat), void (*)(FEContext*, void*), void*) (in CoreImage) + 68
Shadow byte and word:
0x2331c089: fb
0x2331c088: 00 fb fb fb
More shadow bytes:
0x2331c078: 00 00 fb fb
0x2331c07c: fb fb fb fb
0x2331c080: fa fa fa fa
0x2331c084: fa fa fa fa
=>0x2331c088: 00 fb fb fb
0x2331c08c: fb fb fb fb
0x2331c090: fa fa fa fa
0x2331c094: fa fa fa fa
0x2331c098: 00 00 fb fb
Stats: 18M malloced (24M for red zones) by 175894 calls
Stats: 2M realloced by 704 calls
Stats: 12M freed by 89071 calls
Stats: 0M really freed by 0 calls
Stats: 49M (12578 full pages) mmaped in 93 calls
mmaps by size class: 7:167895; 8:12282; 9:4092; 10:2044; 11:1020; 12:384; 13:384; 14:160; 15:128; 16:24; 17:12; 18:4; 19:1; 20:2; 21:1;
mallocs by size class: 7:162831; 8:8397; 9:2077; 10:1033; 11:654; 12:266; 13:347; 14:124; 15:125; 16:22; 17:10; 18:4; 19:1; 20:2; 21:1;
frees by size class: 7:80770; 8:5009; 9:1319; 10:696; 11:543; 12:216; 13:292; 14:83; 15:112; 16:17; 17:8; 18:3; 19:1; 20:1; 21:1;
rfrees by size class:
Stats: malloc large: 190 small slow: 1082
==26382== ABORTING
Steps to Reproduce:
Get the Google Chromium source (http://dev.chromium.org/developers/how-tos/get-the-code) and build Chrome with AddressSanitizer (http://dev.chromium.org/developers/testing/addresssanitizer).
Alternatively, download the Chromium build from http://commondatastorage.googleapis.com/chromium-browser-asan/index.html?path=mac-release/
Expected Results: the browser works fine
Actual Results: an error report is printed
Notes: see also http://crbug.com/162461
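The report above states three facts that can be cross-checked against each other: the faulting address sits 7 bytes past an 8-byte region, and the shadow byte at 0x2331c089 is `fb` (heap right redzone). The script below, an added example that is not part of the original radar, parses those lines and recomputes them, assuming the 32-bit x86 ASan shadow mapping shadow = (addr >> 3) + 0x20000000, which the report's 32-bit addresses are consistent with.

```python
import re
# Constructed input: the relevant lines copied from the report in this radar.
REPORT = """\
==26382== ERROR: AddressSanitizer: heap-buffer-overflow on address 0x198e044f at pc 0x20f60 bp 0xbffdca68 sp 0xbffdca54
WRITE of size 1 at 0x198e044f thread T0
0x198e044f is located 7 bytes to the right of 8-byte region [0x198e0440,0x198e0448)
Shadow byte and word:
0x2331c089: fb
"""

SHADOW_OFFSET_I386 = 0x20000000  # assumption: 32-bit x86 ASan shadow offset
SHADOW_KINDS = {0x00: "addressable", 0xfa: "heap left redzone",
                0xfb: "heap right redzone", 0xfd: "freed heap region"}

def shadow_address(addr, offset=SHADOW_OFFSET_I386):
    return (addr >> 3) + offset  # one shadow byte per 8-byte application granule

def parse_asan_report(text):
    """Pull error kind, access, region bounds and the reported shadow byte out of the text."""
    hdr = re.search(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", text)
    acc = re.search(r"(READ|WRITE) of size (\d+)", text)
    reg = re.search(r"is located (\d+) bytes to the (left|right) of (\d+)-byte "
                    r"region \[0x([0-9a-f]+),0x([0-9a-f]+)\)", text)
    shd = re.search(r"Shadow byte and word:\s*0x([0-9a-f]+): ([0-9a-f]{2})", text)
    if not (hdr and acc and reg and shd):
        raise ValueError("not a complete ASan heap report")
    return {"kind": hdr.group(1), "addr": int(hdr.group(2), 16),
            "access": acc.group(1), "size": int(acc.group(2)),
            "claimed_distance": int(reg.group(1)), "side": reg.group(2),
            "claimed_region_size": int(reg.group(3)),
            "region_lo": int(reg.group(4), 16), "region_hi": int(reg.group(5), 16),
            "shadow_addr": int(shd.group(1), 16), "shadow_val": int(shd.group(2), 16)}

def analyze(text):
    """Recompute the distances and shadow address the report states and flag any disagreement."""
    r = parse_asan_report(text)
    distance = (r["addr"] - r["region_hi"] if r["side"] == "right"
                else r["region_lo"] - r["addr"])
    r["distance_ok"] = distance == r["claimed_distance"]
    r["region_size_ok"] = r["region_hi"] - r["region_lo"] == r["claimed_region_size"]
    r["shadow_addr_ok"] = shadow_address(r["addr"]) == r["shadow_addr"]
    r["shadow_kind"] = SHADOW_KINDS.get(r["shadow_val"], "other/partially addressable")
    r["consistent"] = r["distance_ok"] and r["region_size_ok"] and r["shadow_addr_ok"]
    return r

if __name__ == "__main__":
    res = analyze(REPORT)
    print(f"{res['access']} of {res['size']} byte(s) at {res['addr']:#x} hits {res['shadow_kind']}"
          f" (shadow {res['shadow_addr']:#x} = {res['shadow_val']:#04x}); consistent: {res['consistent']}")
```

The same parser works on any ASan heap report with a "Shadow byte and word" section; the shadow offset is the only platform-specific constant.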