Bug 1677194 Comment 8 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

|this| is a valid pointer as far as weakFrame.IsAlive() check is concerned, I think. 
Yet, pointer to (((char*)this) + 0x134) [ = 0x625001200e44.] points at an area already poisoned.

Wait. 0x134 (hex) = 308.
308 / 8 = 38.

According to the memory block status reported by ASAN (each byte signifies 8 bytes of user memory.),
we count back 38 bytes from the problematic location ([f7]).
|this| points to already poisoned area.
weakFrame returns IsAlive().

Something is amiss here, isn't it?

```

 1:51.06 GECKO(518898) Shadow bytes around the buggy address:
 1:51.06 GECKO(518898)   0x0c4a80238170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7  <--- |this| seems to point at somewhere here.
..............................................................................................xxx
 1:51.06 GECKO(518898)   0x0c4a802381b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) =>0x0c4a802381c0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7  <=== invalid read
 1:51.06 GECKO(518898)   0x0c4a802381d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) Shadow byte legend (one shadow byte represents 8 application bytes):
```
|this| is a valid pointer as far as weakFrame.IsAlive() check is concerned, I think. 
Yet, pointer to (((char*)this) + 0x134) [ = 0x625001200e44.] points at an area already poisoned.

Wait. 0x134 (hex) = 308.
308 / 8 = 38.

According to the memory block status reported by ASAN (each byte signifies 8 bytes of user memory.),
we count back 38 bytes from the problematic location ([f7]).
From the status info, we find that |this| points at an already poisoned area.
weakFrame returns true |IsAlive()|.

Something is amiss here, isn't it?

```

 1:51.06 GECKO(518898) Shadow bytes around the buggy address:
 1:51.06 GECKO(518898)   0x0c4a80238170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7  <--- |this| seems to point at somewhere here.
..............................................................................................xxx
 1:51.06 GECKO(518898)   0x0c4a802381b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) =>0x0c4a802381c0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7  <=== invalid read
 1:51.06 GECKO(518898)   0x0c4a802381d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) Shadow byte legend (one shadow byte represents 8 application bytes):
```
|this| is a valid pointer as far as weakFrame.IsAlive() check is concerned, I think. 
Yet, pointer to (((char*)this) + 0x134) [ = 0x625001200e44.] points at an area already poisoned.

Wait. 0x134 (hex) = 308.
308 / 8 = 38.

According to the memory block status reported by ASAN (each byte signifies 8 bytes of user memory.),
we count back 38 bytes from the problematic location ([f7]).
From the status info, we find that |this| points at an already poisoned area.
weakFrame returns true |IsAlive()|.

Something is amiss here, isn't it?

```

 1:51.06 GECKO(518898) Shadow bytes around the buggy address:
 1:51.06 GECKO(518898)   0x0c4a80238170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7  <--- |this| seems to point at somewhere here.
................................................xxx
 1:51.06 GECKO(518898)   0x0c4a802381b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) =>0x0c4a802381c0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7  <=== invalid read
 1:51.06 GECKO(518898)   0x0c4a802381d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) Shadow byte legend (one shadow byte represents 8 application bytes):
```
|this| is a valid pointer as far as weakFrame.IsAlive() check is concerned, I think. 
Yet, pointer to (((char*)this) + 0x134) [ = 0x625001200e44.] points at an area already poisoned.

Wait. 0x134 (hex) = 308.
308 / 8 = 38.

According to the memory block status reported by ASAN (each byte signifies 8 bytes of user memory.),
we count back 38 bytes from the problematic location ([f7]).
From the status info, we find that |this| points at an already poisoned area.
weakFrame returns true |IsAlive()|.

Something is amiss here, isn't it?

```

 1:51.06 GECKO(518898) Shadow bytes around the buggy address:
 1:51.06 GECKO(518898)   0x0c4a80238170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7  <--- |this| seems to point at somewhere here.
...............................................................xxx
 1:51.06 GECKO(518898)   0x0c4a802381b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) =>0x0c4a802381c0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7  <=== invalid read
 1:51.06 GECKO(518898)   0x0c4a802381d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) Shadow byte legend (one shadow byte represents 8 application bytes):
```
|this| is a valid pointer as far as weakFrame.IsAlive() check is concerned, I think. 
Yet, pointer to (((char*)this) + 0x134) [ = 0x625001200e44.] points at an area already poisoned.

Wait. 0x134 (hex) = 308.
308 / 8 = 38.

According to the memory block status reported by ASAN (each byte signifies 8 bytes of user memory.),
we count back 38 bytes from the problematic location ([f7]).
From the status info, we find that |this| points at an already poisoned area.
weakFrame returns true |IsAlive()|.

Something is amiss here, isn't it?

```

 1:51.06 GECKO(518898) Shadow bytes around the buggy address:
 1:51.06 GECKO(518898)   0x0c4a80238170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238180: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238190: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7  <--- |this| seems to point at somewhere here.
...............................................................xxx
 1:51.06 GECKO(518898)   0x0c4a802381b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) =>0x0c4a802381c0: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7  <=== invalid read
 1:51.06 GECKO(518898)   0x0c4a802381d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a802381f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238200: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898)   0x0c4a80238210: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
 1:51.06 GECKO(518898) Shadow byte legend (one shadow byte represents 8 application bytes):
```
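A worked check of the shadow-byte arithmetic in the comment above, added here as an example; it is not code from the bug report or from Gecko. It assumes ASan's default x86_64 Linux shadow mapping, Shadow = (Mem >> 3) + 0x7fff8000 (the shadow addresses in the quoted report are consistent with it), and takes the meaning of shadow byte 0xf7 from ASan's standard legend. The only inputs are the two addresses the comment gives: the bad read at 0x625001200e44 and the offset 0x134 back to |this|.

```c
/* Added example: map application addresses to ASan shadow bytes and
 * locate them in a "Shadow bytes around the buggy address" dump.
 * Assumption: default x86_64 Linux mapping, Shadow = (Mem >> 3) + 0x7fff8000. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ASAN_SHADOW_SCALE  3              /* one shadow byte per 8 application bytes */
#define ASAN_SHADOW_OFFSET 0x7fff8000ULL  /* x86_64 Linux default (assumed) */

/* Application address -> address of the shadow byte that describes it. */
uint64_t asan_shadow_addr(uint64_t app)
{
    return (app >> ASAN_SHADOW_SCALE) + ASAN_SHADOW_OFFSET;
}

/* Which of the 8 bytes of its granule an address lands on (0..7). */
unsigned asan_granule_offset(uint64_t app)
{
    return (unsigned)(app & ((1u << ASAN_SHADOW_SCALE) - 1));
}

/* Number of shadow bytes from one application address to another. */
int64_t asan_shadow_distance(uint64_t from, uint64_t to)
{
    return (int64_t)(asan_shadow_addr(to) - asan_shadow_addr(from));
}

/* The dump prints 16 shadow bytes per row; find the row label and column. */
uint64_t asan_dump_row(uint64_t app)
{
    return asan_shadow_addr(app) & ~0xfULL;
}

unsigned asan_dump_column(uint64_t app)
{
    return (unsigned)(asan_shadow_addr(app) & 0xf);
}

/* Meaning of a shadow byte value, per the legend ASan prints under the dump. */
const char *asan_shadow_meaning(uint8_t b)
{
    if (b == 0x00) return "addressable";
    if (b >= 0x01 && b <= 0x07) return "partially addressable";
    switch (b) {
    case 0xfa: return "heap left redzone";
    case 0xfd: return "freed heap region";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf5: return "stack after return";
    case 0xf8: return "stack use after scope";
    case 0xf9: return "global redzone";
    case 0xf7: return "poisoned by user";
    default:   return "other/unknown";
    }
}

int main(void)
{
    /* Addresses taken from the ASan report quoted in the comment. */
    const uint64_t bad_read = 0x625001200e44ULL;  /* (char*)this + 0x134 */
    const uint64_t this_ptr = bad_read - 0x134;   /* 0x625001200d10 */

    printf("bad read %#" PRIx64 " -> shadow %#" PRIx64 " (row %#" PRIx64 ", column %u, byte %u of its granule)\n",
           bad_read, asan_shadow_addr(bad_read), asan_dump_row(bad_read),
           asan_dump_column(bad_read), asan_granule_offset(bad_read));
    printf("|this|   %#" PRIx64 " -> shadow %#" PRIx64 " (row %#" PRIx64 ", column %u)\n",
           this_ptr, asan_shadow_addr(this_ptr), asan_dump_row(this_ptr),
           asan_dump_column(this_ptr));
    printf("shadow bytes from |this| to the fault: %" PRId64 " (0x134 = 38*8 + %u)\n",
           asan_shadow_distance(this_ptr, bad_read), asan_granule_offset(bad_read));
    printf("shadow byte 0xf7 means: %s\n", asan_shadow_meaning(0xf7));
    return 0;
}
```

The bad read lands in the row labelled 0x0c4a802381c0 at column 8, which is exactly where the dump brackets [f7]; counting 38 shadow bytes back puts |this| at column 2 of the 0x0c4a802381a0 row, the row the comment's arrow points at. The remainder (0x134 is 38 granules plus 4 bytes) is why the division in the comment is integer division and does not change which shadow byte is meant. Since 0xf7 is the "poisoned by user" value, every byte in the dump was poisoned explicitly by the allocator rather than freed through malloc/free, which is the distinction a reader of the report needs when deciding whether IsAlive() can be trusted.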
