[Pkg-chromium-maint] Bug#660187: #660187 chromium-browser: Entry #3 in data pack points off end of file. Was the file corrupted?

Timo Juhani Lindfors timo.lindfors at iki.fi
Fri Jun 1 09:41:45 UTC 2012


Hi,

src/ui/base/resource/data_pack.cc


bool DataPack::Load(const FilePath& path) {
  mmap_.reset(new file_util::MemoryMappedFile);
  if (!mmap_->Initialize(path)) {
    DLOG(ERROR) << "Failed to mmap datapack";
    UMA_HISTOGRAM_ENUMERATION("DataPack.Load", INIT_FAILED,
                              LOAD_ERRORS_COUNT);
    mmap_.reset();
    return false;
  }

  // Sanity check the header of the file.
  if (kHeaderLength > mmap_->length()) {
    DLOG(ERROR) << "Data pack file corruption: incomplete file header.";
    UMA_HISTOGRAM_ENUMERATION("DataPack.Load", HEADER_TRUNCATED,
                              LOAD_ERRORS_COUNT);
    mmap_.reset();
    return false;
  }

  // Parse the header of the file.
  // First uint32: version; second: resource count;
  const uint32* ptr = reinterpret_cast<const uint32*>(mmap_->data());
  uint32 version = ptr[0];
  if (version != kFileFormatVersion) {
    LOG(ERROR) << "Bad data pack version: got " << version << ", expected "
               << kFileFormatVersion;
    UMA_HISTOGRAM_ENUMERATION("DataPack.Load", BAD_VERSION,
                              LOAD_ERRORS_COUNT);
    mmap_.reset();
    return false;
  }
  resource_count_ = ptr[1];

  // third: text encoding.
  const uint8* ptr_encoding = reinterpret_cast<const uint8*>(ptr + 2);
  text_encoding_type_ = static_cast<TextEncodingType>(*ptr_encoding);
  if (text_encoding_type_ != UTF8 && text_encoding_type_ != UTF16 &&
      text_encoding_type_ != BINARY) {
    LOG(ERROR) << "Bad data pack text encoding: got " << text_encoding_type_
               << ", expected between " << BINARY << " and " << UTF16;
    UMA_HISTOGRAM_ENUMERATION("DataPack.Load", WRONG_ENCODING,
                              LOAD_ERRORS_COUNT);
    mmap_.reset();
    return false;
  }

  // Sanity check the file.
  // 1) Check we have enough entries.
  if (kHeaderLength + resource_count_ * sizeof(DataPackEntry) >
      mmap_->length()) {
    LOG(ERROR) << "Data pack file corruption: too short for number of "
                  "entries specified.";
    UMA_HISTOGRAM_ENUMERATION("DataPack.Load", INDEX_TRUNCATED,
                              LOAD_ERRORS_COUNT);
    mmap_.reset();
    return false;
  }
  // 2) Verify the entries are within the appropriate bounds. There's an extra
  // entry after the last item which gives us the length of the last item.
  for (size_t i = 0; i < resource_count_ + 1; ++i) {
    const DataPackEntry* entry = reinterpret_cast<const DataPackEntry*>(
        mmap_->data() + kHeaderLength + (i * sizeof(DataPackEntry)));
    if (entry->file_offset > mmap_->length()) {
      LOG(ERROR) << "Entry #" << i << " in data pack points off end of file. "
                 << "Was the file corrupted?";
      UMA_HISTOGRAM_ENUMERATION("DataPack.Load", ENTRY_NOT_FOUND,
                                LOAD_ERRORS_COUNT);
      mmap_.reset();
      return false;
    }
  }

  return true;
}

$ chromium --debug --no-sandbox
(gdb) break ui::DataPack::Load(FilePath const&)
(gdb) run
(gdb) bt
#0  ui::DataPack::Load (this=0x2d38cbd8, path=...) at ui/base/resource/data_pack.cc:70
#1  0x2ad09e98 in ui::ResourceBundle::LoadResourcesDataPak (path=...) at ui/base/resource/resource_bundle.cc:72
#2  0x2ad0c078 in ui::ResourceBundle::LoadCommonResources (this=0x2d38ca60) at ui/base/resource/resource_bundle_posix.cc:55
#3  0x2ad0ab00 in ui::ResourceBundle::InitSharedInstanceWithLocale (pref_locale=...) at ui/base/resource/resource_bundle.cc:57
#4  0x2a934688 in ChromeBrowserMainParts::PreCreateThreadsImpl (this=0x2d351788) at chrome/browser/chrome_browser_main.cc:1191
#5  0x2a9354b8 in ChromeBrowserMainParts::PreCreateThreads (this=0x2d351788) at chrome/browser/chrome_browser_main.cc:1118
#6  0x2be1922c in content::BrowserMainLoop::RunMainMessageLoopParts (this=<optimized out>, completed_main_message_loop=0x2d342158) at content/browser/browser_main_loop.cc:321
#7  0x2be177f0 in BrowserMain (parameters=...) at content/browser/browser_main.cc:100
#8  0x2ab2ef9c in RunNamedProcessTypeMain (delegate=<optimized out>, main_function_params=..., process_type=...) at content/app/content_main.cc:264
#9  content::ContentMain (argc=29927, argv=0xbeb93214, delegate=0xbeb93094) at content/app/content_main.cc:457
#10 0x2a1bb974 in ChromeMain (argc=3, argv=0xbeb93214) at chrome/app/chrome_main.cc:32
#11 0x2a1baba8 in main (argc=<optimized out>, argv=<optimized out>) at chrome/app/chrome_exe_main_gtk.cc:18
(gdb) p path
$1 = (const FilePath &) @0xbeb921b8: {static kSeparators = 0x2c5c1f1c "/", static kCurrentDirectory = <same as static member of an already seen type>, 
  static kParentDirectory = <same as static member of an already seen type>, static kExtensionSeparator = 46 '.', path_ = {static npos = <optimized out>, 
    _M_dataplus = {<std::allocator<char>> = {<__gnu_cxx::new_allocator<char>> = {<No data fields>}, <No data fields>}, _M_p = 0x2d38cb9c "/usr/lib/chromium/chrome.pak"}}}

# The file /usr/lib/chromium/chrome.pak is identical (md5sum
# 74e9a2d34aaeb9c096c9c7a382b9b3d5) on amd64 and armel so it should not
# be corrupted specifically on armel (chromium 18.0.1025.168~r134367-1).


This looks like a classic unaligned word access to me. If I 

sudo sh -c 'echo 3 > /proc/cpu/alignment'

the error does not occur and kernel logs a lot of warnings:

Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5d1 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5d3 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5d7 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5d9 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5dd FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5df FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5e3 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5e5 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5e9 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5eb FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5ef FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5f1 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5f5 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5f7 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb5fb FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb5fd FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb601 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb603 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb607 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb609 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb60d FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb60f FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb613 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb615 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb619 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb61b FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb61f FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb621 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb625 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb627 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb62b FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb62d FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb631 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb633 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb637 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb639 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb63d FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb63f FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb643 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d4c Instr=0xe1d310b4 Address=0x43ceb645 FSR 0x001
Jun  1 11:42:59 mv78100 kernel: Alignment trap: chromium (29999) PC=0x2ad08d48 Instr=0xe1d320b2 Address=0x43ceb649 FSR 0x001


After a while I get a screen that says "Welcome to Chromium"! o/

Tested a few sites (still under debugger and with --no-sandbox):

1) debian.org loads, clicking a few links works

2) www.openstreetmap.org loads, zooming and panning the map works.

3) www.reittiopas.fi loads and can search for routes. The maps are shown
too so this closes #595680!

4) facebook.com loads, didn't try to login.

5) sunspider javascript benchmark loads. Results in the end of 

http://lindi.iki.fi/lindi/chromium/benchmark/results.txt

We are bit slower than 11.0.696.71~r86024-1 (7674.2ms vs. 10658.4ms)

I repeated sunspider without debugger and --no-sandbox, got 10115.9 ms.


I tested the above also on openmoko. Still waiting for sunspider to complete..

-Timo






More information about the Pkg-chromium-maint mailing list