Test flakiness on "Check "result" failed"
emaxx-google opened this issue · 3 comments
The full error:
```
[INFO] [PC/SC from aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (id 1234)] SCardGetStatusChange#1702(hContext=0x79EA809A, dwTimeout=4294967295, rgReaderStates=0xCE3854C0[{szReader="Dell Dell Smart Card Reader Keyboard 00 00", pvUserData=NULL, dwCurrentState=SCARD_STATE_EMPTY}]): called...
[INFO] 00622395 ../../src/src/ifdhandler.c:1247:IFDHPowerICC() action: PowerDown, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] 00004802 ../../src/src/ifdhandler.c:1247:IFDHPowerICC() action: PowerUp, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] [PC/SC from aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (id 1234)] SCardGetStatusChange#1702: returning 0x00000000 ["Command successful."], rgReaderStates=0xCE3854C0[{szReader="Dell Dell Smart Card Reader Keyboard 00 00", pvUserData=NULL, dwCurrentState=SCARD_STATE_EMPTY, dwEventState=SCARD_STATE_CHANGED|SCARD_STATE_PRESENT with eventCount=123, cbAtr=22, rgbAtr=<0x3B 0xDB 0x96 0x00 0x80 0xB1 0xFE 0x45 0x1F 0x83 0x00 0x31 0xC0 0x64 0xC7 0xFC 0x10 0x00 0x01 0x90 0x00 0x74>}]
[INFO] 00403639 ../../src/src/ifdhandler.c:1247:IFDHPowerICC() action: PowerDown, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] [PC/SC from aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (id 1234)] SCardConnect#1703(hContext=0x79EA809A, szReader="Dell Dell Smart Card Reader Keyboard 00 00", dwShareMode=SCARD_SHARE_SHARED, dwPreferredProtocols=SCARD_PROTOCOL_T0|SCARD_PROTOCOL_T1): called...
[INFO] 00269583 ../../src/src/ifdhandler.c:1247:IFDHPowerICC() action: PowerUp, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] 00001345 ../../src/src/ifdhandler.c:744:IFDHSetProtocolParameters() protocol T=1, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] [PC/SC from aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (id 1234)] SCardConnect#1703: returning 0x00000000 ["Command successful."], hCard=0x3FB854DF, dwActiveProtocol=SCARD_PROTOCOL_T1
[INFO] [PC/SC from aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa (id 1234)] SCardDisconnect#1704(hCard=0x3FB854DF, dwDisposition=SCARD_LEAVE_CARD): called...
[INFO] 00135930 ../../src/src/ifdhandler.c:390:IFDHGetCapabilities() tag: 0xFB2, usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[INFO] 00000077 ../../src/src/ifdhandler.c:355:IFDHStopPolling() usb:413c/2101:libusb-1.0:1:123:1 (lun: 0)
[FATAL] Check "result" failed. File "../src/libusb_js_proxy.cc", line 126, function "GetLibusbTransferContextChecked"
```
It's happening in a new (not landed yet) test that simulates the insert+connect+disconnect+remove sequence in a loop.
The crash is triggered by this assertion:
Another stress run found an ASan use-after-free report in the same function, which is likely reporting the same problem:
```
ERROR: AddressSanitizer: heap-use-after-free on address 0xcbfe5910 at pc 0x56acf314 bp 0xd1abdb08 sp 0xd1abdb00
READ of size 4 at 0xcbfe5910 thread T2000
#0 0x56acf313 in google_smart_card::(anonymous namespace)::GetLibusbTransferContext(libusb_transfer const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:115:57
#1 0x56acf313 in google_smart_card::(anonymous namespace)::GetLibusbTransferContextChecked(libusb_transfer const*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:125:34
#2 0x56ad1e94 in google_smart_card::LibusbJsProxy::LibusbCancelTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:891:35
#3 0x56ab4ae6 in libusb_cancel_transfer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:166:27
#4 0x56a8534c in InterruptStop /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1603:9
#5 0x56a59c05 in IFDHStopPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:357:8
#6 0x56a212c5 in SCardDisconnectServer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/winscard.c:1027:4
#7 0x56a121e9 in ContextThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/winscard_svc.c:556:16
#8 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#9 0x56714d0e in asan_thread_start(void*) asan_interceptors.cpp.o
#10 0xf788791c (/lib/i386-linux-gnu/libc.so.6+0x8791c) (BuildId: a098c9624e774a2b27e7cc84a9bb6290f93d26c4)
#11 0xf79211c7 (/lib/i386-linux-gnu/libc.so.6+0x1211c7) (BuildId: a098c9624e774a2b27e7cc84a9bb6290f93d26c4)
0xcbfe5910 is located 0 bytes inside of 40-byte region [0xcbfe5910,0xcbfe5938)
freed by thread T1997 here:
#0 0x5676a0d7 in operator delete(void*) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x1bc0d7) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0x56ad244c in google_smart_card::LibusbJsProxy::LibusbFreeTransfer(libusb_transfer*) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:901:3
#2 0x56ab4b66 in libusb_free_transfer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:170:20
#3 0x56a84a83 in InterruptRead /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1551:2
#4 0x56a59a91 in IFDHPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:321:9
#5 0x56a0dce6 in EHStatusHandlerThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:467:10
#6 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
previously allocated by thread T1997 here:
#0 0x56769859 in operator new(unsigned int) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x1bb859) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0x56ac64cc in google_smart_card::LibusbJsProxy::LibusbAllocTransfer(int) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:591:35
#2 0x56ab49e6 in libusb_alloc_transfer /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/public/libusb_web_port_service.cc:158:27
#3 0x56a846f0 in InterruptRead /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ccid_usb.c:1501:13
#4 0x56a59a91 in IFDHPolling /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/ccid/webport/build/../../src/src/ifdhandler.c:321:9
#5 0x56a0dce6 in EHStatusHandlerThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:467:10
#6 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
Thread T2000 created by T1998 here:
#0 0x56714c3c in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x166c3c) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0x56a16c79 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
#2 0x56a1015a in CreateContextThread /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/winscard_svc.c:237:7
#3 0x569ef26c in google_smart_card::(anonymous namespace)::PcscLiteServerDaemonThreadMain() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/public/pcsc_lite_server_web_port_service.cc:141:5
#4 0x569faf87 in void std::__invoke_impl<void, void (*)()>(std::__invoke_other, void (*&&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:61:14
#5 0x569faf87 in std::__invoke_result<void (*)()>::type std::__invoke<void (*)()>(void (*&&)()) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
#6 0x569faf87 in void std::thread::_Invoker<std::tuple<void (*)()> >::_M_invoke<0u>(std::_Index_tuple<0u>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13
#7 0x569faf87 in std::thread::_Invoker<std::tuple<void (*)()> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11
#8 0x569faf87 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (*)()> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13
#9 0xf7cc008c (/lib/i386-linux-gnu/libstdc++.so.6+0xc008c) (BuildId: 05b5343f4d239e42fe172576ef952a7d1a34439f)
#10 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
Thread T1998 created by T1995 here:
#0 0x56714c3c in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x166c3c) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0xf7cc02a7 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/i386-linux-gnu/libstdc++.so.6+0xc02a7) (BuildId: 05b5343f4d239e42fe172576ef952a7d1a34439f)
#2 0x56954d2a in google_smart_card::Application::InitializeServicesOnBackgroundThread() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:69:39
#3 0x56955b16 in void std::__invoke_impl<void, void (google_smart_card::Application::*)(), google_smart_card::Application*>(std::__invoke_memfun_deref, void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:74:14
#4 0x56955b16 in std::__invoke_result<void (google_smart_card::Application::*)(), google_smart_card::Application*>::type std::__invoke<void (google_smart_card::Application::*)(), google_smart_card::Application*>(void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
#5 0x56955b16 in void std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::_M_invoke<0u, 1u>(std::_Index_tuple<0u, 1u>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13
#6 0x56955b16 in std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11
#7 0x56955b16 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13
#8 0xf7cc008c (/lib/i386-linux-gnu/libstdc++.so.6+0xc008c) (BuildId: 05b5343f4d239e42fe172576ef952a7d1a34439f)
#9 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
Thread T1995 created by T0 here:
#0 0x56714c3c in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x166c3c) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0xf7cc02a7 in std::thread::_M_start_thread(std::unique_ptr<std::thread::_State, std::default_delete<std::thread::_State> >, void (*)()) (/lib/i386-linux-gnu/libstdc++.so.6+0xc02a7) (BuildId: 05b5343f4d239e42fe172576ef952a7d1a34439f)
#2 0x569541fa in google_smart_card::Application::Application(google_smart_card::GlobalContext*, google_smart_card::TypedMessageRouter*, std::function<void ()>) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:47:3
#3 0x5681417f in std::unique_ptr<google_smart_card::Application, std::default_delete<google_smart_card::Application> > google_smart_card::MakeUnique<google_smart_card::Application, google_smart_card::TestingGlobalContext*, google_smart_card::TypedMessageRouter*, std::function<void ()> >(google_smart_card::TestingGlobalContext*&&, google_smart_card::TypedMessageRouter*&&, std::function<void ()>&&) /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../../common/cpp/src/public/unique_ptr_utils.h:26:33
#4 0x5681417f in google_smart_card::SmartCardConnectorApplicationTest::StartApplication() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../src/application_unittest.cc:258:20
#5 0x567cd7e0 in google_smart_card::SmartCardConnectorApplicationReaderWithoutBuiltinCardCompatibilityTest_Emaxx_Test::TestBody() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/../../../src/application_unittest.cc:2103:3
#6 0x56c23f4b in void testing::internal::HandleExceptionsInMethodIfSupported<testing::Test, void>(testing::Test*, void (testing::Test::*)(), char const*) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x675f4b) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
Thread T1997 created by T1996 here:
#0 0x56714c3c in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x166c3c) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0x56a16c79 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
#2 0x56a0d1a7 in EHSpawnEventHandler /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/eventhandler.c:233:7
#3 0x56a03833 in RFAddReaderOriginal /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/readerfactory.c:397:8
#4 0x56a1cf3b in RFAddReader /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/readerfactory_webport.cc:52:22
#5 0x56a1acd4 in HPAddHotPluggable /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:736:8
#6 0x56a1acd4 in HPRescanUsbBus /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:431:5
#7 0x56a18eba in HPEstablishUSBNotifications /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:468:2
#8 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
Thread T1996 created by T1995 here:
#0 0x56714c3c in __interceptor_pthread_create (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x166c3c) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
#1 0x56a16c79 in ThreadCreate /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/utils.c:184:8
#2 0x56a18aa8 in HPSearchHotPluggables /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../../../../../third_party/pcsc-lite/src/src/hotplug_libusb.c:575:3
#3 0x569edb58 in google_smart_card::PcscLiteServerWebPortService::InitializeAndRunDaemonThread() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/pcsc-lite/naclport/server/build/../src/public/pcsc_lite_server_web_port_service.cc:247:17
#4 0x56954d2a in google_smart_card::Application::InitializeServicesOnBackgroundThread() /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/cpp_lib/../../../smart_card_connector_app/src/application.cc:69:39
#5 0x56955b16 in void std::__invoke_impl<void, void (google_smart_card::Application::*)(), google_smart_card::Application*>(std::__invoke_memfun_deref, void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:74:14
#6 0x56955b16 in std::__invoke_result<void (google_smart_card::Application::*)(), google_smart_card::Application*>::type std::__invoke<void (google_smart_card::Application::*)(), google_smart_card::Application*>(void (google_smart_card::Application::*&&)(), google_smart_card::Application*&&) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/invoke.h:96:14
#7 0x56955b16 in void std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::_M_invoke<0u, 1u>(std::_Index_tuple<0u, 1u>) /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:292:13
#8 0x56955b16 in std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> >::operator()() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:299:11
#9 0x56955b16 in std::thread::_State_impl<std::thread::_Invoker<std::tuple<void (google_smart_card::Application::*)(), google_smart_card::Application*> > >::_M_run() /usr/bin/../lib/gcc/x86_64-linux-gnu/13/../../../../include/c++/13/bits/std_thread.h:244:13
#10 0xf7cc008c (/lib/i386-linux-gnu/libstdc++.so.6+0xc008c) (BuildId: 05b5343f4d239e42fe172576ef952a7d1a34439f)
#11 0x56738229 in __asan::AsanThread::ThreadStart(unsigned long long) (/usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/smart_card_connector_app/build/executable_module/cpp_unittests/out/cpp_unit_test_runner/cpp_unit_test_runner+0x18a229) (BuildId: 626ea752d772fd794f0ee4aab75731afc2c6c770)
SUMMARY: AddressSanitizer: heap-use-after-free /usr/local/google/home/emaxx/smartcard/chromeos_smart_card_connector/third_party/libusb/webport/build/../src/libusb_js_proxy.cc:115:57 in google_smart_card::(anonymous namespace)::GetLibusbTransferContext(libusb_transfer const*)
Shadow bytes around the buggy address:
0x397fcad0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
0x397fcae0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x397fcaf0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x397fcb00: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x397fcb10: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
=>0x397fcb20: fa fa[fd]fd fd fd fd fa fa fa fd fd fd fd fd fd
0x397fcb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x397fcb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x397fcb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x397fcb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x397fcb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3402761==ABORTING
```
Seems like another reincarnation of the unsafe multi-threaded handling of `polling_transfer` by CCID, around the same code that we already discovered to be problematic in #1078...

Basically, one thread is doing this (`InterruptStop()` from `ccid_usb.c`):

```c
transfer = atomic_load(&usbDevice[reader_index].polling_transfer);
if (transfer)
{
    int ret;
    ret = libusb_cancel_transfer(transfer);
```

meanwhile the other thread is doing (`InterruptRead()` from `ccid_usb.c`):

```c
atomic_store(&usbDevice[reader_index].polling_transfer, NULL);
libusb_free_transfer(transfer);
```

So it's possible that by the time `libusb_cancel_transfer()` is called, the `transfer` pointer has already been deallocated by the other thread. The `polling_transfer` being an atomic variable doesn't really help, because this doesn't guarantee that the value that was read from it remains valid while it's passed to other libusb functions.
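The race described in the comment above, as an added example (this is not code from the CCID project, pcsc-lite, libusb or this issue): two pthreads stand in for `InterruptStop()` and `InterruptRead()` and share one `polling_transfer` atomic. The unsafe pair forces exactly the interleaving from the comment (load the pointer, then the other thread clears the atomic and frees, then the stale pointer is used); the hardened pair holds one mutex across load+cancel and across store+free, so the pointer read under the lock stays valid until the lock is released. The transfer lives in a static slot whose "free" only marks it, so the use-after-free is counted deterministically instead of relying on ASan to catch it. `struct device`, `cancel_transfer()`, `free_transfer()` and the flag-based handoff are illustrative stand-ins, not the real libusb or CCID APIs.

```c
/* Added example: model of the polling_transfer race and a locked variant.
 * Not project code; names below are illustrative stand-ins. */
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>

enum transfer_state { TRANSFER_LIVE = 1, TRANSFER_CANCELLED = 2, TRANSFER_FREED = 3 };

struct transfer { int state; };

/* Simulated heap: a single slot whose "free" only marks it, so inspecting a
 * freed object stays well-defined and the use-after-free can be counted. */
static struct transfer slot;

static struct transfer *alloc_transfer(void) { slot.state = TRANSFER_LIVE; return &slot; }
static void free_transfer(struct transfer *t) { t->state = TRANSFER_FREED; }

/* Stand-in for libusb_cancel_transfer(): returns 1 if it touched a freed object. */
static int cancel_transfer(struct transfer *t) {
    if (t->state == TRANSFER_FREED) return 1;
    t->state = TRANSFER_CANCELLED;
    return 0;
}

struct device {
    _Atomic(struct transfer *) polling_transfer; /* like usbDevice[i].polling_transfer */
    pthread_mutex_t lock;                        /* used by the hardened variant only */
    atomic_int stop_loaded, read_freed;          /* force the bad interleaving below */
    int uaf_count;                               /* written by the stop thread only */
};

static void spin_until(atomic_int *flag) { while (!atomic_load(flag)) { } }

/* Unsafe stop: atomic load, then use of the pointer outside any lock. */
static void *stop_unsafe(void *arg) {
    struct device *dev = arg;
    struct transfer *t = atomic_load(&dev->polling_transfer);
    atomic_store(&dev->stop_loaded, 1);
    spin_until(&dev->read_freed);      /* reader clears and frees in between */
    if (t) dev->uaf_count += cancel_transfer(t);
    return NULL;
}

/* Unsafe read: clear the atomic, then free, with no ordering against the stop. */
static void *read_unsafe(void *arg) {
    struct device *dev = arg;
    spin_until(&dev->stop_loaded);
    struct transfer *t = atomic_load(&dev->polling_transfer);
    atomic_store(&dev->polling_transfer, NULL);
    if (t) free_transfer(t);
    atomic_store(&dev->read_freed, 1);
    return NULL;
}

/* Hardened stop: the lock covers both the read of the pointer and its use. */
static void *stop_safe(void *arg) {
    struct device *dev = arg;
    pthread_mutex_lock(&dev->lock);
    struct transfer *t = atomic_load(&dev->polling_transfer);
    if (t) dev->uaf_count += cancel_transfer(t);
    pthread_mutex_unlock(&dev->lock);
    return NULL;
}

/* Hardened read: clearing the atomic and freeing happen under the same lock. */
static void *read_safe(void *arg) {
    struct device *dev = arg;
    pthread_mutex_lock(&dev->lock);
    struct transfer *t = atomic_load(&dev->polling_transfer);
    atomic_store(&dev->polling_transfer, NULL);
    if (t) free_transfer(t);
    pthread_mutex_unlock(&dev->lock);
    return NULL;
}

/* Runs one stop thread against one read thread; returns the number of
 * cancel calls that reached a freed transfer. */
static int run_pair(void *(*stop)(void *), void *(*reader)(void *)) {
    struct device dev;
    atomic_init(&dev.polling_transfer, alloc_transfer());
    pthread_mutex_init(&dev.lock, NULL);
    atomic_init(&dev.stop_loaded, 0);
    atomic_init(&dev.read_freed, 0);
    dev.uaf_count = 0;
    pthread_t a, b;
    pthread_create(&a, NULL, stop, &dev);
    pthread_create(&b, NULL, reader, &dev);
    pthread_join(a, NULL);
    pthread_join(b, NULL);
    pthread_mutex_destroy(&dev.lock);
    return dev.uaf_count;
}

int unsafe_race_hits_freed_transfer(void) { return run_pair(stop_unsafe, read_unsafe); }

int safe_race_hits_freed_transfer(int iterations) {
    int total = 0;
    for (int i = 0; i < iterations; i++) total += run_pair(stop_safe, read_safe);
    return total;
}

int main(void) {
    printf("unsafe: cancel reached a freed transfer %d time(s)\n", unsafe_race_hits_freed_transfer());
    printf("locked: cancel reached a freed transfer %d time(s) over 1000 runs\n", safe_race_hits_freed_transfer(1000));
    return 0;
}
```

Build with `cc -std=c11 -pthread race.c`. The unsafe pair reports one hit every time because the handoff flags pin the interleaving the comment describes; the locked pair reports zero over any number of runs, which is the property the atomic alone cannot provide: atomicity of the load says nothing about how long the loaded value stays valid.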