Closed Bug 965314 Opened 11 years ago Closed 9 years ago

Intermittent ASAN use-after-poison in CERT_DestroyCertificate during test_bug514732.html

Categories

(Core :: Security: PSM, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox29 --- affected
firefox30 - affected

People

(Reporter: RyanVM, Unassigned)

Assuming this is s-s. Feel free to unset if it isn't.

https://tbpl.mozilla.org/php/getParsedLog.php?id=33742057&tree=Mozilla-Inbound

Ubuntu ASAN VM 12.04 x64 mozilla-inbound opt test mochitest-5 on 2014-01-29 06:03:22 PST for push c605fcc341a7
slave: tst-linux64-spot-476

06:11:54     INFO -  2276 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Received expected inner contraction event
06:11:54     INFO -  2277 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Contraction event x is 0
06:11:54     INFO -  2278 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Contraction event y is 0
06:11:54     INFO -  2279 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Inner contraction event width matches body width
06:11:54     INFO -  2280 INFO TEST-PASS | /tests/layout/generic/test/test_bug514732.html | Inner contraction event height matches body height
06:11:55     INFO -  =================================================================
06:11:55     INFO -  ==3003==ERROR: AddressSanitizer: use-after-poison on address 0x61d000569338 at pc 0x7fec2bb41fe8 bp 0x7fec12664170 sp 0x7fec12664168
06:11:55     INFO -  READ of size 8 at 0x61d000569338 thread T5 (Socket Thread)
06:11:55     INFO -      #0 0x7fec2bb41fe7 in CERT_DestroyCertificate /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/certdb/stanpcertdb.c:791
06:11:55     INFO -      #1 0x7fec2d103a68 in ssl3_CleanupPeerCerts /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssl3con.c:9658
06:11:55     INFO -      #2 0x7fec2d103a68 in ssl3_DestroySSL3Info /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssl3con.c:12015
06:11:55     INFO -      #3 0x7fec2d139fbe in ssl_DestroySocketContents /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/sslsock.c:337
06:11:55     INFO -      #4 0x7fec2d139d17 in ssl_FreeSocket /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/sslsock.c:400
06:11:55     INFO -      #5 0x7fec2d11e0d9 in ssl_DefClose /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/ssl/ssldef.c:205
06:11:56     INFO -      #6 0x7fec25015a58 in nsNSSSocketInfo::CloseSocketAndDestroy(nsNSSShutDownPreventionLock const&) /builds/slave/m-in-l64-asan-0000000000000000/build/security/manager/ssl/src/nsNSSIOLayer.cpp:865
06:11:56     INFO -      #7 0x7fec250179f6 in nsSSLIOLayerClose(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/security/manager/ssl/src/nsNSSIOLayer.cpp:842
06:11:56     INFO -      #8 0x7fec1f9a6252 in nsSocketTransport::ReleaseFD_Locked(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransport2.cpp:1604
06:11:56     INFO -      #9 0x7fec1f9b206e in nsSocketTransport::OnSocketDetached(PRFileDesc*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransport2.cpp:1867
06:11:56     INFO -      #10 0x7fec1f9b80ef in nsSocketTransportService::DetachSocket(nsSocketTransportService::SocketContext*, nsSocketTransportService::SocketContext*) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:181
06:11:56     INFO -      #11 0x7fec1f9bc1ad in nsSocketTransportService::DoPollIteration(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:782
06:11:56     INFO -      #12 0x7fec1f9bbc2f in nsSocketTransportService::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:684
06:11:56     INFO -      #13 0x7fec1f9bd419 in non-virtual thunk to nsSocketTransportService::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/netwerk/base/src/nsSocketTransportService2.cpp:728
06:11:56     INFO -      #14 0x7fec1f8d6915 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:637
06:11:56     INFO -      #15 0x7fec1f7aaba1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:263
06:11:56     INFO -      #16 0x7fec20108e0f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:303
06:11:56     INFO -      #17 0x7fec2007d013 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
06:11:56     INFO -      #18 0x7fec2007d013 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:219
06:11:56     INFO -      #19 0x7fec2007d013 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:193
06:11:56     INFO -      #20 0x7fec1f8d35f2 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:258
06:11:56     INFO -      #21 0x7fec2dcbad59 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:205
06:11:56     INFO -      #22 0x44cf03 in __asan::AsanThread::ThreadStart(unsigned long) /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_thread.cc:138
06:11:56     INFO -      #23 0x7fec311d4e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
06:11:56     INFO -      #24 0x7fec302e5dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
06:11:56     INFO -  0x61d000569338 is located 696 bytes inside of 2048-byte region [0x61d000569080,0x61d000569880)
06:11:56     INFO -  allocated by thread T5 (Socket Thread) here:
06:11:56     INFO -      #0 0x446395 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
06:11:56     INFO -      #1 0x7fec2d83ed8d in PL_ArenaAllocate /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/lib/ds/plarena.c:203
06:11:56     INFO -  Thread T5 (Socket Thread) created by T0 here:
06:11:56     INFO -      #0 0x437801 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:155
06:11:56     INFO -      #1 0x7fec2dcb6cb5 in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:445
06:11:56     INFO -      #2 0x7fec2dcb6807 in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:528
06:11:56     INFO -  SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-in-l64-asan-0000000000000000/build/security/nss/lib/certdb/stanpcertdb.c:791 CERT_DestroyCertificate
06:11:56     INFO -  Shadow bytes around the buggy address:
06:11:56     INFO -    0x0c3a800a5210: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5220: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5230: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5240: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5250: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -  =>0x0c3a800a5260: f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5270: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5280: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a5290: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a52a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -    0x0c3a800a52b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
06:11:56     INFO -  Shadow byte legend (one shadow byte represents 8 application bytes):
06:11:56     INFO -    Addressable:           00
06:11:56     INFO -    Partially addressable: 01 02 03 04 05 06 07
06:11:56     INFO -    Heap left redzone:     fa
06:11:56     INFO -    Heap right redzone:    fb
06:11:56     INFO -    Freed heap region:     fd
06:11:56     INFO -    Stack left redzone:    f1
06:11:56     INFO -    Stack mid redzone:     f2
06:11:56     INFO -    Stack right redzone:   f3
06:11:56     INFO -    Stack partial redzone: f4
06:11:56     INFO -    Stack after return:    f5
06:11:56     INFO -    Stack use after scope: f8
06:11:56     INFO -    Global redzone:        f9
06:11:56     INFO -    Global init order:     f6
06:11:56     INFO -    Poisoned by user:      f7
06:11:56     INFO -    ASan internal:         fe
06:11:56     INFO -  ==3003==ABORTING
06:11:56  WARNING -  TEST-UNEXPECTED-FAIL | /tests/layout/generic/test/test_bug514732.html | application terminated with exit code 1
06:11:56     INFO -  INFO | runtests.py | Application ran for: 0:00:58.106187
06:11:56     INFO -  INFO | zombiecheck | Reading PID log: /tmp/tmpxIXBNWpidlog
06:11:56     INFO -  WARNING | leakcheck | refcount logging is off, so leaks can't be detected!
06:11:56     INFO -  runtests.py | Running tests: end.
06:11:56    ERROR - Return code: 1

Looks like bug 963150 to me.
Assignee: nobody → nobody
Component: Security → Libraries
Depends on: CVE-2014-1544
Product: Core → NSS
Version: Trunk → trunk

Almost definitely a problem with PSM or Necko. Thanks for reporting this.
Assignee: nobody → nobody
Component: Libraries → Security: PSM
Product: NSS → Core
Version: trunk → Trunk

Changing rating until we can reproduce it since we don't know what's really going on.
Keywords: sec-critical → sec-other

(In reply to Al Billings [:abillings] from comment #3)
> Changing rating until we can reproduce it since we don't know what's really
> going on.

Based on that comment, we also don't need to track this since there's nothing to go on yet.

Inactive; closing (see bug 1180138).
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
Group: core-security