gcc sanitizer throws double free error


Postby Zabrimus » Wed Feb 24, 2021 10:57 am

Hi,

Is it generally possible to use the gcc sanitizer with CEF applications? I've added the compile/linker flags "-ggdb -fsanitize=address -fsanitize=leak -fno-omit-frame-pointer" and cefsimple throws these stack traces:

With branch 4389:
(gdb) run
Starting program: /home/xxx/client/Release/cefsimple
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe18c0700 (LWP 1417712)]
[Detaching after fork from child process 1417713]
[Detaching after fork from child process 1417714]
[New Thread 0x7fffe10bf700 (LWP 1417715)]
[New Thread 0x7fffe08be700 (LWP 1417716)]
[New Thread 0x7fffd3fff700 (LWP 1417717)]
[New Thread 0x7fffd37fe700 (LWP 1417718)]
[New Thread 0x7fffd2ffd700 (LWP 1417719)]
double free or corruption (out)

Thread 1 "cefsimple" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0x00007fffeac087bb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fffeabf3535 in __GI_abort () at abort.c:79
#2  0x00007fffeac4a508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fffead5528d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fffeac50c1a in malloc_printerr (str=str@entry=0x7fffead56ff8 "double free or corruption (out)") at malloc.c:5341
#4  0x00007fffeac52730 in _int_free (av=0x7fffead8cc40 <main_arena>, p=0x603000001a40, have_lock=<optimized out>) at malloc.c:4306
#5  0x00007ffff0118b24 in FcEndElement () at ../../third_party/fontconfig/src/src/fcxml.c:2091
#6  0x00007ffff013d9c5 in xmlParseEndTag1 () at ../../third_party/libxml/src/parser.c:8652
#7  0x00007ffff0144adc in xmlParseTryOrFinish () at ../../third_party/libxml/src/parser.c:11559
#8  0x00007ffff014302b in xmlParseChunk () at ../../third_party/libxml/src/parser.c:12129
#9  0x00007ffff01153ad in FcConfigParseAndLoadFromMemoryInternal () at ../../third_party/fontconfig/src/src/fcxml.c:3477
#10 0x00007ffff0114ead in _FcConfigParse () at ../../third_party/fontconfig/src/src/fcxml.c:3626
#11 0x00007ffff010923b in FcInitLoadOwnConfig () at ../../third_party/fontconfig/src/src/fcinit.c:88
#12 0x00007ffff01094d1 in FcInitLoadOwnConfigAndFonts () at ../../third_party/fontconfig/src/src/fcinit.c:169
#13 0x00007ffff01094d1 in IA__FcInitLoadConfigAndFonts () at ../../third_party/fontconfig/src/src/fcinit.c:183
#14 0x00007ffff00fd032 in FcConfigEnsure () at ../../third_party/fontconfig/src/src/fccfg.c:88
#15 0x00007ffff00fd032 in FcConfigInit () at ../../third_party/fontconfig/src/src/fccfg.c:114
#16 0x00007ffff019edb7 in GlobalFontConfig () at ../../ui/gfx/linux/fontconfig_util.cc:30
#17 0x00007ffff019edb7 in NoDestructor<> () at ../../base/no_destructor.h:54
#18 0x00007ffff019edb7 in GetInstance () at ../../ui/gfx/linux/fontconfig_util.cc:60
#19 0x00007ffff019edb7 in GetGlobalFontConfig() () at ../../ui/gfx/linux/fontconfig_util.cc:132
#20 0x00007fffedd7cb25 in Initialize() () at ../../content/browser/browser_main_runner_impl.cc:95
#21 0x00007fffef88d30c in RunMainProcess() () at ../../cef/libcef/browser/main_runner.cc:444
#22 0x00007fffef80e4ae in RunBrowserProcessMain () at ../../content/app/content_main_runner_impl.cc:554
#23 0x00007fffef80e4ae in RunBrowser() () at ../../content/app/content_main_runner_impl.cc:1069
#24 0x00007fffef80e0e8 in Run() () at ../../content/app/content_main_runner_impl.cc:936
#25 0x00007fffef80bfcb in ContentMainRun() () at ../../content/app/content_main.cc:372
#26 0x00007fffef88ca36 in ContentMainRun() () at ../../cef/libcef/browser/main_runner.cc:414
#27 0x00007fffef88c7a0 in Initialize() () at ../../cef/libcef/browser/main_runner.cc:242
#28 0x00007fffef867310 in Initialize() () at ../../cef/libcef/browser/context.cc:356
#29 0x00007fffef86701a in CefInitialize() () at ../../cef/libcef/browser/context.cc:214
#30 0x00007fffecdfaf47 in cef_initialize() () at ../../cef/libcef_dll/libcef_dll.cc:112
#31 0x00005555555c835b in CefInitialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, scoped_refptr<CefApp>, void*) ()
#32 0x000055555559495e in main(int, char**) (argc=1, argv=0x7fffffffe078) at thirdparty/cefsimple/cefsimple_linux.cpp:72


and with branch 4324:
(gdb) run
Starting program: /home/xxx/client/Release/cefsimple
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[New Thread 0x7fffe1ecf700 (LWP 1423050)]
[Detaching after fork from child process 1423051]
[Detaching after fork from child process 1423052]
[New Thread 0x7fffe16ce700 (LWP 1423053)]
[New Thread 0x7fffe0ecd700 (LWP 1423054)]
[New Thread 0x7fffd37fe700 (LWP 1423055)]
[New Thread 0x7fffd3fff700 (LWP 1423056)]
double free or corruption (out)

Thread 1 "cefsimple" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50      ../sysdeps/unix/sysv/linux/raise.c: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0x00007fffeb0167bb in __GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
#1  0x00007fffeb001535 in __GI_abort () at abort.c:79
#2  0x00007fffeb058508 in __libc_message (action=action@entry=do_abort, fmt=fmt@entry=0x7fffeb16328d "%s\n") at ../sysdeps/posix/libc_fatal.c:181
#3  0x00007fffeb05ec1a in malloc_printerr (str=str@entry=0x7fffeb164ff8 "double free or corruption (out)") at malloc.c:5341
#4  0x00007fffeb060730 in _int_free (av=0x7fffeb19ac40 <main_arena>, p=0x610000000330, have_lock=<optimized out>) at malloc.c:4306
#5  0x00007fffee691408 in operator() () at ../../buildtools/third_party/libc++/trunk/include/memory:2378
#6  0x00007fffee691408 in reset () at ../../buildtools/third_party/libc++/trunk/include/memory:2633
#7  0x00007fffee691408 in ~unique_ptr () at ../../buildtools/third_party/libc++/trunk/include/memory:2587
#8  0x00007fffee691408 in CreateOrExtendSerializedEventMessage() () at ../../mojo/core/user_message_impl.cc:268
#9  0x00007fffee691948 in CommitSize() () at ../../mojo/core/user_message_impl.cc:539
#10 0x00007fffee677d62 in AppendMessageData() () at ../../mojo/core/core.cc:395
#11 0x00007fffee67f545 in MojoAppendMessageDataImpl () at ../../mojo/core/entrypoints.cc:92
#12 0x00007ffff004eca6 in Seal() () at ../../mojo/public/cpp/bindings/lib/buffer.cc:121
#13 0x00007ffff004fba6 in TakeMojoMessage() () at ../../mojo/public/cpp/bindings/lib/message.cc:437
#14 0x00007ffff003fc44 in Accept() () at ../../mojo/public/cpp/bindings/lib/connector.cc:314
#15 0x00007ffff0042ceb in SendMessage () at ../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:276
#16 0x00007ffff0042ceb in Accept() () at ../../mojo/public/cpp/bindings/lib/interface_endpoint_client.cc:241
#17 0x00007ffff0f4dff3 in Clone() () at gen/services/service_manager/public/mojom/connector.mojom.cc:555
#18 0x00007ffff0f49cef in Clone() () at ../../services/service_manager/public/cpp/connector.cc:88
#19 0x00007fffee436d8a in ServiceManagerContext() () at ../../content/browser/service_manager/service_manager_context.cc:366
#20 0x00007fffefac6f27 in make_unique<content::ServiceManagerContext, scoped_refptr<base::SingleThreadTaskRunner> > () at ../../buildtools/third_party/libc++/trunk/include/memory:3043
#21 0x00007fffefac6f27 in ServiceManagerEnvironment() () at ../../content/app/service_manager_environment.cc:40
#22 0x00007fffefac8efa in make_unique<content::ServiceManagerEnvironment, std::__1::unique_ptr<content::BrowserProcessSubThread, std::__1::default_delete<content::BrowserProcessSubThread> > > ()
    at ../../buildtools/third_party/libc++/trunk/include/memory:3043
#23 0x00007fffefac8efa in RunServiceManager() () at ../../content/app/content_main_runner_impl.cc:970
#24 0x00007fffefac8d08 in Run() () at ../../content/app/content_main_runner_impl.cc:884
#25 0x00007fffefac6b9b in ContentMainRun() () at ../../content/app/content_main.cc:367
#26 0x00007fffefb54a86 in ContentMainRun() () at ../../cef/libcef/browser/main_runner.cc:414
#27 0x00007fffefb547f0 in Initialize() () at ../../cef/libcef/browser/main_runner.cc:242
#28 0x00007fffefb300d6 in Initialize() () at ../../cef/libcef/browser/context.cc:356
#29 0x00007fffefb2fb8f in CefInitialize() () at ../../cef/libcef/browser/context.cc:214
#30 0x00007fffed1bb9f7 in cef_initialize() () at ../../cef/libcef_dll/libcef_dll.cc:112
#31 0x00005555555c835b in CefInitialize(CefMainArgs const&, CefStructBase<CefSettingsTraits> const&, scoped_refptr<CefApp>, void*) ()
#32 0x000055555559495e in main(int, char**) (argc=1, argv=0x7fffffffe078) at thirdparty/cefsimple/cefsimple_linux.cpp:72


The trace of branch 4389 is exactly the same as the one that occurs with my main program. I assume that I have a buffer overflow somewhere which I have not been able to find yet, and I wanted to use the sanitizer to check whether it can give me a hint.


Regards
Zabrimus

Re: gcc sanitizer throws double free error

Postby magreenblatt » Wed Feb 24, 2021 11:09 am

It's likely not possible without making a special Chromium build. See here for ASan instructions, as an example.

Re: gcc sanitizer throws double free error

Postby Zabrimus » Fri Feb 26, 2021 6:55 am

The wiki page is a little bit outdated, but I was able to compile CEF with ASan:
GN_DEFINES="is_asan=true dcheck_always_on=true" and remove "is_official_build=true".

For my project I had to use clang and link libc++abi.a statically. is_msan is more difficult, because some asserts fail: MSan is only possible on the x64 architecture, but although --x64-build is used, the directories Debug_GN_x86 and Release_GN_x86 are to be created, and this fails because of the checks in config/sanitizers/sanitizers.gni
E.g.
assert(!is_msan || ((is_linux || is_chromeos) && current_cpu == "x64"),
"MSan currently only works on 64-bit Linux and ChromeOS builds.")

But I solved my heap problem.

Zabrimus
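As magreenblatt's reply implies, linking cefsimple with -fsanitize=address does not instrument the prebuilt libcef.so, which is why the fault above surfaces as glibc's "double free or corruption (out)" abort rather than an ASan report. The script below is an added example, not from this thread or the CEF project: it lists which ELF objects in a binary's link set actually reference the ASan runtime, so you can confirm that libcef.so was built with is_asan=true before expecting sanitizer output. It assumes ldd and grep are available; the cefsimple path is the one from the post.

```shell
#!/bin/sh
# Added example (not from the thread): report which ELF objects reference the
# AddressSanitizer runtime. A host app built with -fsanitize=address does not
# instrument a prebuilt libcef.so, so check what was really built with ASan.

# Returns 0 if the file carries an ASan runtime reference: a DT_NEEDED entry
# for gcc's libasan.so, clang's libclang_rt.asan, or the __asan_init symbol.
asan_instrumented() {
    grep -q -e 'libasan\.so' -e 'libclang_rt\.asan' -e '__asan_init' "$1"
}

# Prints "<status> <path>" for the binary and every shared object that ldd
# resolves for it (ldd is assumed to exist; lines without "=> /" are skipped).
report_link_set() {
    bin=$1
    for f in "$bin" $(ldd "$bin" 2>/dev/null | awk '/=> \// {print $3}'); do
        if asan_instrumented "$f"; then
            echo "asan    $f"
        else
            echo "plain   $f"
        fi
    done
}

# Usage: ./check_asan.sh /home/xxx/client/Release/cefsimple
# An uninstrumented libcef.so shows up as "plain" even when cefsimple is "asan".
if [ $# -ge 1 ]; then
    report_link_set "$1"
fi
```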

