staticanalysis / memory-sanitizer

Automatically exported from code.google.com/p/memory-sanitizer

real uninit on stack walk in visitStack but need suppress #47

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago

16:28|zhaoqin@zhaoqin01:~/Workspace/Chrome/chromium.git/tests
> time ~/Workspace/LLVM/dr/exports/bin64/drrun   -msgbox_mask  0x0  
-no_vm_base_near_app -no_private_loader -no_mangle_app_seg -native_exec_list 
content_shell\;libfreetype.so.6\;libffmpegsumo.so\;libTestNetscapePlugIn.so\;lib
osmesa.so -native_exec_retakeover -native_exec_opt -disable_traces -c 
/usr/local/google/home/zhaoqin/Workspace/LLVM/llvm/build/lib/clang/3.5/lib/linux
/libclang_rt.msandr-x86_64.so -- 
../src/out/Release.msandr.02.03.2014/content_shell --no-sandbox 
--dump-render-tree ./CF/fuzz-2.html 
WARNING: cannot find 
/home/zhaoqin/Workspace/LLVM/dr/exports/bin64/../lib32/debug/libdrpreload.so: 
is this an incomplete installation?
WARNING: cannot find 
/home/zhaoqin/Workspace/LLVM/dr/exports/bin64/../lib32/debug/libdynamorio.so: 
is this an incomplete installation?
WARNING: cannot find 
/home/zhaoqin/Workspace/LLVM/dr/exports/bin64/../lib32/release/libdrpreload.so: 
is this an incomplete installation?
WARNING: cannot find 
/home/zhaoqin/Workspace/LLVM/dr/exports/bin64/../lib32/release/libdynamorio.so: 
is this an incomplete installation?
WARNING: /home/zhaoqin/Workspace/LLVM/dr/exports/bin64/.. does not appear to be 
a valid DynamoRIO root
#READY
[21868:21868:0203/162915:21445036688:ERROR:renderer_main.cc(223)] Running 
without renderer sandbox
CONSOLE ERROR: line 8030: Error: Invalid value for <svg> attribute width="red"
CONSOLE ERROR: line 8031: Error: Invalid value for <feSpotLight> attribute 
z="text"
CONSOLE ERROR: line 8031: Error: Invalid value for <feSpotLight> attribute 
specularExponent="text"
==21868== WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x7f20f70e51b3 in address /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/Heap.h:512
    #1 0x7f20f70e51b3 in WebCore::HeapContainsCache::lookup(unsigned char*, WebCore::BaseHeapPage**) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/Heap.cpp:1100
    #2 0x7f20f70eb0a0 in heapPageFromAddress /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/ThreadState.cpp:454
    #3 0x7f20f70eb0a0 in WebCore::ThreadState::checkAndMarkPointer(WebCore::Visitor*, unsigned char*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/ThreadState.cpp:338
    #4 0x7f20f70e5aa6 in WebCore::Heap::checkAndMarkPointer(WebCore::Visitor*, unsigned char*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/Heap.cpp:1274
    #5 0x7f20f70eac1b in visitStack /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/ThreadState.cpp:315
    #6 0x7f20f70eac1b in WebCore::ThreadState::trace(WebCore::Visitor*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/ThreadState.cpp:332
    #7 0x7f20f70ea92e in WebCore::ThreadState::visitRoots(WebCore::Visitor*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/ThreadState.cpp:307
    #8 0x7f20f70e0012 in WebCore::Heap::collectGarbage(WebCore::ThreadState::StackState, WebCore::Heap::GCType) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/heap/Heap.cpp:1324
    #9 0x7f20fc8fa4d0 in WebCore::V8GCController::gcEpilogue(v8::GCType, v8::GCCallbackFlags) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../third_party/WebKit/Source/bindings/v8/V8GCController.cpp:380
    #10 0x7f20f7aa2fc3 in CallGCEpilogueCallbacks /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/heap.cc:1210
    #11 0x7f20f7aa2fc3 in v8::internal::Heap::PerformGarbageCollection(v8::internal::GarbageCollector, v8::internal::GCTracer*, v8::GCCallbackFlags) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/heap.cc:1172
    #12 0x7f20f7a9f9ec in v8::internal::Heap::CollectGarbage(v8::internal::AllocationSpace, v8::internal::GarbageCollector, char const*, char const*, v8::GCCallbackFlags) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/heap.cc:813
    #13 0x7f20f7a9ee9d in CollectGarbage /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/heap-inl.h:552
    #14 0x7f20f7a9ee9d in v8::internal::Heap::CollectAllGarbage(int, char const*, v8::GCCallbackFlags) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/heap.cc:714
    #15 0x7f20f766cdd4 in v8::Isolate::RequestGarbageCollectionForTesting(v8::Isolate::GarbageCollectionType) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/api.cc:6384
    #16 0x7f20f78ac960 in v8::internal::GCExtension::GC(v8::FunctionCallbackInfo<v8::Value> const&) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/extensions/gc-extension.cc:43
    #17 0x7f20f88396dc in v8::internal::FunctionCallbackArguments::Call(void (*)(v8::FunctionCallbackInfo<v8::Value> const&)) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/arguments.cc:56
    #18 0x7f20f771f907 in HandleApiCallHelper<false> /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/builtins.cc:1215
    #19 0x7f20f771f907 in Builtin_implHandleApiCall /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/builtins.cc:1232
    #20 0x7f20f771f907 in v8::internal::Builtin_HandleApiCall(int, v8::internal::Object**, v8::internal::Isolate*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../v8/src/builtins.cc:1231

  Uninitialized value was created by an allocation of 'temp.lvalue' in the stack frame of function 'base::debug::TraceLog::GetCategoryGroupEnabled(char const*)'
    #0 0x7f20f4453b20 in base::debug::TraceLog::GetCategoryGroupEnabled(char const*) /usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../../base/debug/trace_event_impl.cc:1182

SUMMARY: MemorySanitizer: use-of-uninitialized-value 
/usr/local/google/home/zhaoqin/Workspace/Chrome/chromium.git/src/out/Release/../
../third_party/WebKit/Source/heap/Heap.h:512 address
Exiting
#CRASHED - renderer (pid 21868)
Content-Type: text/plain
#CRASHED - renderer (pid 21868)
#EOF
#EOF
#EOF

real    0m23.654s
user    0m5.850s
sys 0m0.440s

The actual uninit happens at third_party/WebKit/Source/heap/ThreadState.cpp:315

NO_SANITIZE_ADDRESS
void ThreadState::visitStack(Visitor* visitor)
{
    Address* end = reinterpret_cast<Address*>(m_startOfStack);
    for (Address* current = reinterpret_cast<Address*>(m_endOfStack); current < end; ++current) {
        Heap::checkAndMarkPointer(visitor, *current);
    }
    ...
}

When visiting the stack, *current could be uninitialized. However, the error is 
reported much later, when a significant use happens.

(gdb) bt 8
#0  __msan_warning_noreturn () at 
/usr/local/google/home/zhaoqin/Workspace/LLVM/llvm/projects/compiler-rt/lib/msan
/msan.cc:253
#1  0x00007f1a181721b4 in address () at 
../../third_party/WebKit/Source/heap/Heap.h:512
#2  lookup () at ../../third_party/WebKit/Source/heap/Heap.cpp:1100
#3  0x00007f1a181780a1 in heapPageFromAddress () at 
../../third_party/WebKit/Source/heap/ThreadState.cpp:454
#4  checkAndMarkPointer () at 
../../third_party/WebKit/Source/heap/ThreadState.cpp:338
#5  0x00007f1a18172aa7 in checkAndMarkPointer () at 
../../third_party/WebKit/Source/heap/Heap.cpp:1274
#6  0x00007f1a18177c1c in visitStack () at 
../../third_party/WebKit/Source/heap/ThreadState.cpp:315
#7  trace () at ../../third_party/WebKit/Source/heap/ThreadState.cpp:332

at third_party/WebKit/Source/heap/Heap.cpp:1100
bool HeapContainsCache::lookup(Address address, BaseHeapPage** page)
{
    ASSERT(page);
    size_t index = hash(address);
    ASSERT(!(index & 1));
    Address cachePage = roundToBlinkPageStart(address);
    if (m_entries[index].address() == cachePage) {

The line number in the report is a bit off: it is the index that is uninitialized, 
because address is not initialized.
It looks like the uninit is unavoidable and should be suppressed.

Original issue reported on code.google.com by zhao...@google.com on 3 Feb 2014 at 9:32
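The mechanism described in the report, as an added example (this is not Blink or MemorySanitizer code, and the cache layout, page size and every name in it are hypothetical stand-ins for HeapContainsCache, visitStack and checkAndMarkPointer): a conservative stack scan loads words that were never written, the loaded garbage flows through hash() into an index, and MSan only fires at the first branch that depends on that index, several frames below the scan. The block also shows the usual way to tell MSan such a read is intentional: __msan_unpoison the scanned range before loading from it, under an __has_feature(memory_sanitizer) guard so the same source builds without MSan. Build with clang -g -fsanitize=memory -fsanitize-memory-track-origins to see the report and its origin frame; the plain build runs cleanly.

```c
/* Added example, not project code: a miniature conservative stack scan in the
 * shape of ThreadState::visitStack -> checkAndMarkPointer -> HeapContainsCache::lookup. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__has_feature)
#  if __has_feature(memory_sanitizer)
#    include <sanitizer/msan_interface.h>
#    define UNPOISON(p, n) __msan_unpoison((p), (n))   /* real MSan entry point */
#  endif
#endif
#ifndef UNPOISON
#  define UNPOISON(p, n) ((void)(p), (void)(n))         /* no-op outside MSan builds */
#endif

/* Assumptions: 4 KiB "Blink pages" and an 8-entry direct-mapped cache. */
#define PAGE_SIZE 4096u
#define CACHE_ENTRIES 8u
typedef uintptr_t Address;

typedef struct { Address page; } CacheEntry;
static CacheEntry g_cache[CACHE_ENTRIES];            /* stand-in for HeapContainsCache */
static _Alignas(PAGE_SIZE) unsigned char g_page[PAGE_SIZE]; /* one managed heap page */

static Address round_to_page_start(Address a) { return a & ~(Address)(PAGE_SIZE - 1); }
static size_t hash_addr(Address a) { return (size_t)((a / PAGE_SIZE) % CACHE_ENTRIES); }

/* Mirrors lookup(): if 'addr' is garbage then 'index' is garbage, and MSan
 * reports on the comparison below, the first branch that depends on it. That
 * is why the report names the lookup frame rather than the stack loop. */
static int cache_lookup(Address addr) {
    size_t index = hash_addr(addr);
    return g_cache[index].page != 0 && g_cache[index].page == round_to_page_start(addr);
}

/* Stand-in for checkAndMarkPointer: the word is a root if it points into a known page. */
static int check_and_mark(Address candidate) { return cache_lookup(candidate) ? 1 : 0; }

/* Mirrors visitStack: every word in [lo, hi) is treated as a potential pointer,
 * including slots that were never written (dead temporaries, padding). With
 * unpoison != 0 the range is marked initialized for MSan before it is read,
 * because a conservative scan can at worst keep an object alive; it never
 * lets garbage decide anything beyond "is this word a root". */
static int visit_stack(const Address *lo, const Address *hi, int unpoison) {
    int roots = 0;
    if (unpoison) UNPOISON(lo, (size_t)(hi - lo) * sizeof(Address));
    for (const Address *cur = lo; cur < hi; ++cur)
        roots += check_and_mark(*cur);
    return roots;
}

static void register_page(Address any_addr_in_page) {
    Address page = round_to_page_start(any_addr_in_page);
    g_cache[hash_addr(page)].page = page;
}

/* Deterministic scenario with a constructed four-word "stack": exactly one
 * word is an interior pointer into the registered page, so the result is 1. */
static int demo_scan(void) {
    memset(g_cache, 0, sizeof g_cache);
    register_page((Address)g_page);
    Address words[4] = {
        0,                              /* null slot */
        (Address)0xdeadbeef,            /* integer that only looks like a pointer */
        (Address)g_page + 128,          /* interior pointer into the page: a root */
        (Address)g_page + PAGE_SIZE,    /* one past the page: not a root */
    };
    return visit_stack(words, words + 4, 1);
}

int main(void) {
    printf("constructed window: %d root(s)\n", demo_scan());

    /* A real uninitialized window: only one slot of this frame is ever written,
     * like the 'temp.lvalue' slot the report traces the origin to. */
    Address frame[8];
    frame[3] = (Address)g_page + 64;
    /* Under -fsanitize=memory the next line reports use-of-uninitialized-value
     * inside cache_lookup; with the range unpoisoned first, it does not. */
    /* printf("%d\n", visit_stack(frame, frame + 8, 0)); */
    printf("uninitialized window (unpoisoned): %d root(s)\n", visit_stack(frame, frame + 8, 1));
    return 0;
}
```

The unpoison has to cover the whole range before the loads; unpoisoning inside check_and_mark would be too late, since the garbage has already been copied into an argument whose shadow MSan tracks. Whether Blink chose this, an attribute on the scanner, or an ignorelist entry is not recorded on this page; the issue was moved to crbug.com/340752.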

GoogleCodeExporter commented 9 years ago
Please file Chromium issues on the Chromium bug tracker.

Original comment by earth...@chromium.org on 4 Feb 2014 at 3:27

GoogleCodeExporter commented 9 years ago
filed as crbug.com/340752

Original comment by zhao...@google.com on 6 Feb 2014 at 4:55

GoogleCodeExporter commented 9 years ago

Original comment by earth...@google.com on 6 Feb 2014 at 5:42