watery01 / libyuv

Automatically exported from code.google.com/p/libyuv

Address Sanitizer (Asan) failure #81

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
tools/valgrind/chrome_tests.sh --tool asan -t cmdline out/Release/libyuv_unittest
[ RUN      ] libyuvTest.TestInterpolate
=================================================================
==20252== ERROR: AddressSanitizer stack-buffer-overflow on address 0x7fff1ce7acc0 at pc 0x4c28b4 bp 0x7fff1ce79fa0 sp 0x7fff1ce79f98
READ of size 16 at 0x7fff1ce7acc0 thread T0
    #0 0x4c28b4 in ARGBInterpolate /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../source/planar_functions.cc:1188
    #1 0x46a559 in libyuv::libyuvTest_TestInterpolate_Test::TestBody() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../unit_test/planar_test.cc:924
    #2 0x495242 in testing::Test::Run() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:2169
    #3 0x495d7b in testing::TestInfo::Run() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:2343
    #4 0x496b32 in testing::TestCase::Run() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:2445
    #5 0x49d493 in testing::internal::UnitTestImpl::RunAllTests() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:4268
    #6 0x4a4db2 in bool testing::internal::HandleSehExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:2091
    #7 0x49ced2 in bool testing::internal::HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool>(testing::internal::UnitTestImpl*, bool (testing::internal::UnitTestImpl::*)(), char const*) /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:2143
    #8 0x49ce3d in testing::UnitTest::Run() /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../testing/gtest/src/gtest.cc:3902
    #9 0x48f6f0 in main /usr/local/google/users/kjellander/dev/libyuv/trunk/out/Release/../../unit_test/unit_test.cc:26
    #10 0x7ffad4dbcc4d in __libc_start_main /build/buildd/eglibc-2.11.1/csu/libc-start.c:258
Address 0x7fff1ce7acc0 is located at offset 3168 in frame <libyuv::libyuvTest_TestInterpolate_Test::TestBody()> of T0's stack:
  This frame has 94 object(s):
    [32, 1056) 'orig_pixels_0'
    [1088, 2112) 'orig_pixels_1'
    [2144, 3168) 'interpolate_pixels'
...
    [8960, 8968) 'ref.tmp708'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism
      (longjmp and C++ exceptions *are* supported)
==20252== ABORTING
Shadow byte and word:
  0x1fffe39cf598: f2
  0x1fffe39cf598: f2 f2 f2 f2 00 00 f4 f4
More shadow bytes:
  0x1fffe39cf578: 00 00 00 00 00 00 00 00
  0x1fffe39cf580: 00 00 00 00 00 00 00 00
  0x1fffe39cf588: 00 00 00 00 00 00 00 00
  0x1fffe39cf590: 00 00 00 00 00 00 00 00
=>0x1fffe39cf598: f2 f2 f2 f2 00 00 f4 f4
  0x1fffe39cf5a0: f2 f2 f2 f2 04 f4 f4 f4
  0x1fffe39cf5a8: f2 f2 f2 f2 00 f4 f4 f4
  0x1fffe39cf5b0: f2 f2 f2 f2 00 f4 f4 f4
  0x1fffe39cf5b8: f2 f2 f2 f2 00 00 f4 f4
16:43:58 common.py [INFO] process ended, did not time out
16:43:58 common.py [INFO] flushing stdout
16:43:58 common.py [INFO] collecting result code
16:43:58 valgrind_test.py [INFO] Test execution completed successfully.
16:43:58 valgrind_test.py [INFO] Analysis completed successfully.
16:43:58 valgrind_test.py [INFO] elapsed time: 00:00:14

Original issue reported on code.google.com by fbarch...@google.com on 10 Sep 2012 at 7:24

GoogleCodeExporter commented 9 years ago
r341 disables this test.  But the root cause of failure is not fixed.

Original comment by fbarch...@google.com on 10 Sep 2012 at 8:53

GoogleCodeExporter commented 9 years ago
In planar_test.cc you're passing interpolate_pixels[256][4] to ARGBInterpolate(), which does the following:

  memcpy(last16, dst_argb + width * 4, 16);  // Save last 16 beyond end.

It looks like |dst_argb| always has the size of |width|*4 (at least it has in this case), so this memcpy isn't legitimate.

Original comment by gli...@chromium.org on 13 Sep 2012 at 9:36

GoogleCodeExporter commented 9 years ago
r349 fixes this - interpolate unittest did not allocate the required pad bytes in the destination.

Original comment by fbarch...@google.com on 13 Sep 2012 at 11:44
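The save-beyond-end pattern from the second comment and the padded-destination fix from the last one, as an added illustration that is not libyuv's code: a constructed 16-byte-chunk row kernel, the save/restore of the 16 bytes past the row, and a helper that tells callers how much to allocate. The pad size, the kernel and all function names are assumptions for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* A 16-byte-wide kernel may store up to 15 bytes past width*4, so the
 * caller must provide this much slack. Assumed value for this example,
 * chosen to match the "last 16 beyond end" memcpy quoted above. */
#define TAIL_PAD 16

/* Bytes a caller must allocate for one ARGB row of `width` pixels. */
size_t argb_row_alloc_bytes(int width) {
  return (size_t)width * 4 + TAIL_PAD;
}

/* Constructed stand-in for a SIMD row kernel: blends whole 16-byte chunks,
 * so when width*4 is not a multiple of 16 it writes past the end of the row.
 * All three buffers must therefore be argb_row_alloc_bytes(width) long. */
static void blend_chunks(const uint8_t* a, const uint8_t* b, uint8_t* dst,
                         int width, int frac) {
  int bytes = width * 4;
  int chunked = (bytes + 15) & ~15;  /* round up to whole 16-byte chunks */
  for (int i = 0; i < chunked; ++i)
    dst[i] = (uint8_t)((a[i] * (256 - frac) + b[i] * frac) >> 8);
}

/* Save/restore of the 16 bytes after the row, as the thread describes.
 * The first memcpy is only in bounds because the caller padded `dst`;
 * with an exact-size buffer it is the stack-buffer-overflow ASan reported. */
void argb_interpolate_padded(const uint8_t* a, const uint8_t* b, uint8_t* dst,
                             int width, int frac) {
  uint8_t last16[TAIL_PAD];
  memcpy(last16, dst + width * 4, TAIL_PAD);  /* save caller's pad bytes */
  blend_chunks(a, b, dst, width, frac);       /* may clobber the pad */
  memcpy(dst + width * 4, last16, TAIL_PAD);  /* put them back */
}

/* Test helper: returns 1 if the TAIL_PAD bytes after the row still hold
 * `canary`, i.e. the kernel's overrun was fully undone. */
int pad_intact(const uint8_t* buf, int width, uint8_t canary) {
  for (int i = 0; i < TAIL_PAD; ++i)
    if (buf[width * 4 + i] != canary) return 0;
  return 1;
}
```

Run under ASan, the same call with a buffer of exactly width*4 bytes reproduces the report above; with the padded size it is clean and the canary check shows the bytes past the row are preserved.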