symcache file has wrong entries resulting in app crash

[derekbruening]

From bruen...@google.com on August 22, 2013 11:47:27

http://build.chromium.org/p/client.drmemory/builders/win7-cr/builds/2990 printing:
INVALID HEAP ARGUMENT to free 0x02979468
#0 replace_operator_delete [e:\b\build\slave\win-builder\drmemory\common\alloc_replace.c:2495]
#1 SHELL32.dll!Ordinal764 +0xfe (0x7580de8c <SHELL32.dll+0x9de8c>)
#2 SHELL32.dll!Ordinal764 +0x222 (0x7580dfb0 <SHELL32.dll+0x9dfb0>)
#3 SHELL32.dll!SHGetItemFromDataObject +0x3c35 (0x757c248a <SHELL32.dll+0x5248a>)
#4 SHELL32.dll!SHGetItemFromDataObject +0x142d (0x757bfc82 <SHELL32.dll+0x4fc82>)
#5 SHELL32.dll!SHGetItemFromDataObject +0x13c4 (0x757bfc19 <SHELL32.dll+0x4fc19>)
#6 SHELL32.dll!Ordinal764 +0x6a5 (0x7580e433 <SHELL32.dll+0x9e433>)
#7 SHELL32.dll!SHGetItemFromDataObject +0x2fbd (0x757c1812 <SHELL32.dll+0x51812>)
#8 SHELL32.dll!SHGetItemFromDataObject +0x31e6 (0x757c1a3b <SHELL32.dll+0x51a3b>)
#9 SHELL32.dll!SHGetItemFromDataObject +0x3e3f (0x757c2694 <SHELL32.dll+0x52694>)
#10 SHELL32.dll!ILFindLastID +0xd78 (0x75813b55 <SHELL32.dll+0xa3b55>)
#11 SHELL32.dll!InternalExtractIconListA +0x1a1 (0x757f71cf <SHELL32.dll+0x871cf>)
#12 SHELL32.dll!Ordinal201 +0x99c (0x757792dd <SHELL32.dll+0x92dd>)
#13 SHELL32.dll!Ordinal201 +0x2258 (0x7577ab99 <SHELL32.dll+0xab99>)
#14 SHELL32.dll!IsUserAnAdmin +0x967 (0x757c4de5 <SHELL32.dll+0x54de5>)
#15 SHELL32.dll!SHFileOperationW +0xe6 (0x757c97ef <SHELL32.dll+0x597ef>)
#16 SHELL32.dll!SHFileOperationW +0xe (0x757c9717 <SHELL32.dll+0x59717>)
#17 base.dll!base::DeleteFileW [base\file_util_win.cc:122]
#18 base.dll!base::ScopedTempDir::Delete [base\files\scoped_temp_dir.cc:66]
#19 base.dll!base::ScopedTempDir::~ScopedTempDir [base\files\scoped_temp_dir.cc:16]
#20 printing::EmfTest_FileBackedEmf_Test::TestBody [printing\emf_win_unittest.cc:203]
#21 testing::internal::HandleExceptionsInMethodIfSupportedtesting::Test,void [testing\gtest\src\gtest.cc:2051]
Note: @0:00:01.092 in thread 3520

sql:
INVALID HEAP ARGUMENT to free 0x0270b370
#0 replace_operator_delete [e:\b\build\slave\win-builder\drmemory\common\alloc_replace.c:2495]
#1 SHELL32.dll!Ordinal764 +0xfe (0x7580de8c <SHELL32.dll+0x9de8c>)
#2 SHELL32.dll!Ordinal764 +0x222 (0x7580dfb0 <SHELL32.dll+0x9dfb0>)
#3 SHELL32.dll!SHGetItemFromDataObject +0x3c35 (0x757c248a <SHELL32.dll+0x5248a>)
#4 SHELL32.dll!SHGetItemFromDataObject +0x142d (0x757bfc82 <SHELL32.dll+0x4fc82>)
#5 SHELL32.dll!SHGetItemFromDataObject +0x13c4 (0x757bfc19 <SHELL32.dll+0x4fc19>)
#6 SHELL32.dll!Ordinal764 +0x6a5 (0x7580e433 <SHELL32.dll+0x9e433>)
#7 SHELL32.dll!SHGetItemFromDataObject +0x2fbd (0x757c1812 <SHELL32.dll+0x51812>)
#8 SHELL32.dll!SHGetItemFromDataObject +0x31e6 (0x757c1a3b <SHELL32.dll+0x51a3b>)
#9 SHELL32.dll!SHGetItemFromDataObject +0x3e3f (0x757c2694 <SHELL32.dll+0x52694>)
#10 SHELL32.dll!ILFindLastID +0xd78 (0x75813b55 <SHELL32.dll+0xa3b55>)
#11 SHELL32.dll!InternalExtractIconListA +0x1a1 (0x757f71cf <SHELL32.dll+0x871cf>)
#12 SHELL32.dll!Ordinal201 +0x99c (0x757792dd <SHELL32.dll+0x92dd>)
#13 SHELL32.dll!Ordinal201 +0x2258 (0x7577ab99 <SHELL32.dll+0xab99>)
#14 SHELL32.dll!IsUserAnAdmin +0x967 (0x757c4de5 <SHELL32.dll+0x54de5>)
#15 SHELL32.dll!SHFileOperationW +0xe6 (0x757c97ef <SHELL32.dll+0x597ef>)
#16 SHELL32.dll!SHFileOperationW +0xe (0x757c9717 <SHELL32.dll+0x59717>)
#17 base.dll!base::DeleteFileW [base\file_util_win.cc:122]
#18 base.dll!base::ScopedTempDir::Delete [base\files\scoped_temp_dir.cc:66]
#19 base.dll!base::ScopedTempDir::~ScopedTempDir [base\files\scoped_temp_dir.cc:16]
#20 anonymous namespace'::SQLStatementTest::~SQLStatementTest \#21 SQLStatementTest_Assign_Test::~SQLStatementTest_Assign_Test \#22 SQLStatementTest_Assign_Test::scalar deleting destructor'
#23 testing::Test::DeleteSelf_ [testing\gtest\include\gtest\gtest.h:438]
#24 testing::internal::HandleExceptionsInMethodIfSupportedtesting::Test,void [testing\gtest\src\gtest.cc:2051]
Note: @0:00:01.155 in thread 3684

remoting_, base_, net_, and unit_ have similar callstacks

Original issue: http://code.google.com/p/drmemory/issues/detail?id=1313

[derekbruening]

From bruen...@google.com on August 22, 2013 10:06:14

The tests seem to crash at the error report point: so either the invalid
arg causes the crash or it's on the crash path. I can't repro it locally
nor on the bot itself. For printing_ it dies on this test:
EmfTest.FileBackedEmf

cmdline w/ forward slashes:
unpacked/bin/drmemory.exe -suppress E:/b/build/slave/win7-cr-builder/build/src/tools/valgrind/drmemory/suppressions.txt -dr_ops -stderr_mask -dr_ops 12 -logdir C:/Users/chrome-bot/AppData/LocalLow/drmemory.logs -symcache_dir C:/Users/chrome-bot/AppData/LocalLow/drmemory.symcache -batch -no_summary -callstack_max_frames 40 -callstack_srcfile_prefix build/src,chromium/src,crt_build/self_x86 -callstack_modname_hide drmemory,chrome.dll -callstack_truncate_below testing::Test::Run,testing::TestInfo::Run,testing::internal::Handle_ExceptionsInMethodIfSupported_,MessageLoop::Run,MessageLoop::RunTask,RunnableMethod_,DispatchToMethod_,base::internal::Invoker_::DoInvoke_,base::internal::RunnableAdapter_::Run_,start_thread,main,BaseThreadInitThunk -light -no_callstack_use_top_fp_selectively -- E:/b/build/slave/win7-cr-builder/build/src/build/Debug/printing_unittests.exe --gtest_print_time --gtest_filter=-PrintingContextTest.FAILS_PrintAll:PrintingContextTest.FAILS_Base:PrintingContextTest.Base:PrintingContextTest.FLAKY_PrintAll:PrintingContextTest.FLAKY_Base:PrintingContextTest.PrintAll --test-tiny-timeout=1000, timeout 10000 sec

On the bot I can repro only when I point at that symcache dir.

It's SHELL32.dll.txt.

$ ls -l SHELL32.dll.txt
-rwx------+ 1 Administrators Domain Users 400 Jun 27 14:14 SHELL32.dll.txt

If I recreate the symcache file it has no operator new or delete:

$ cat SHELL32.dll.txt
Dr. Memory symbol cache version 11
392,12873728,2139568001799028737,2139568001799028737,12906023,1339216345,12886016
0
operator delete,0x0
std::_DebugHeapDelete<>,0x0
Concurrency::details::Security::EncodePointer,0x0
operator delete[] nothrow,0x0
operator delete[],0x0
operator delete nothrow,0x0
operator new nothrow,0x0
operator new,0x0
operator new[] nothrow,0x0
operator new[],0x0

But the old one does:
$ diff SAVE-SHELL32.dll.txt SHELL32.dll.txt
2c2
< 400,12873728,2139568001799028737,2139568001799028737,12906023,1339216345,12886016

   392,12873728,2139568001799028737,2139568001799028737,12906023,1339216345,12886016

4c4
< operator delete,0x9dd2c

operator delete,0x0
11c11
< operator new,0x9dd32

---

operator new,0x0

$ unpacked/bin/winsyms.exe -e c:/windows/syswow64/shell32.dll -v -s 'operator new'
loaded c:/windows/syswow64/shell32.dll at 0x73800000
Only export symbols found
SymFromName error 126 operator new
$ echo 'c:/windows/syswow64/shell32.dll;0x9dd32' | unpacked/bin/winsyms.exe -f -v
loaded c:/windows/syswow64/shell32.dll at 0x11000000
Only export symbols found
SHFree+0x1a41
Symbol 0x1109dd32 => SHFree+0x1a41 (0x1109c2f100000000-0x1109dd8d00000000)
SymGetLineFromAddr64 error 487

windbg on bot:
0:003> U shell32+9dd32
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\syswow64\SHELL32.dll -
SHELL32!SHFree+0x1a41:
7583dd32 90 nop
7583dd33 8bff mov edi,edi
7583dd35 55 push ebp
0:003> .symfix e:\b\build\symbols
Symbol search path is: SRV_e:\b\build\symbols_ http://msdl.microsoft.com/download/symbols 0:003> .reload
Reloading current modules
.............................
0:003> U shell32+9dd32
SHELL32!CAssocShellElement::QueryInterface+0xb:
7583dd32 90 nop
SHELL32!CAssocShellElement::QueryInterface:
7583dd33 8bff mov edi,edi

So it's not at all clear where these entries came from.

Labels: -Bug-FalsePositive Bug-AppCrash

[derekbruening]

From bruen...@google.com on August 22, 2013 10:06:49

Summary: symcache file has wrong entries resulting in app crash (was: invalid heap arg reported from SHELL32.dll!SHFileOperationW on several chrome tests)
Owner: bruen...@google.com