Closed
Bug 1150619
Opened 9 years ago
Closed 9 years ago
Intermittent ASAN heap-use-after-free test_webvtt_disabled.html | application terminated with exit code 1, when OMT animations enabled
Categories
(Core :: IPC, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: RyanVM, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf)
I'm sure this is completely unrelated to the pile of OnChannelErrorFromLink crashes we've got in bug 1142693 and others as well. 10:39:41 INFO - 3326 INFO TEST-START | dom/media/test/test_webvtt_disabled.html 10:39:41 INFO - 3327 INFO TEST-OK | dom/media/test/test_webvtt_disabled.html | took 438ms 10:39:41 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost 10:39:42 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost 10:39:43 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost 10:39:43 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost 10:39:43 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost 10:39:43 INFO - ================================================================= 10:39:43 INFO - ==1901==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400009ff78 at pc 0x7f40253bd577 bp 0x7f401c99f410 sp 0x7f401c99f408 10:39:43 INFO - READ of size 8 at 0x61400009ff78 thread T4 (Gecko_IOThread) 10:39:45 INFO - #0 0x7f40253bd576 in push_back /tools/gcc-4.7.3-0moz1/lib/gcc/x86_64-unknown-linux-gnu/4.7.3/../../../../include/c++/4.7.3/bits/stl_deque.h:1373 10:39:45 INFO - #1 0x7f40253bd576 in push /tools/gcc-4.7.3-0moz1/lib/gcc/x86_64-unknown-linux-gnu/4.7.3/../../../../include/c++/4.7.3/bits/stl_queue.h:212 10:39:45 INFO - #2 0x7f40253bd576 in MessageLoop::PostTask_Helper(tracked_objects::Location const&, Task*, int, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:324 10:39:45 INFO - #3 0x7f402542629b in PostErrorNotifyTask /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1678 10:39:45 INFO - #4 0x7f402542629b in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageChannel.cpp:1616 10:39:45 INFO - #5 0x7f4025429ec0 in OnChannelError /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/glue/MessageLink.cpp:405 10:39:45 INFO - #6 0x7f4025429ec0 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/slave/m-in-l64-asan-0000000000000000/build/src/obj-firefox/ipc/glue/Unified_cpp_ipc_glue0.cpp:406 10:39:45 INFO - #7 0x7f402539b212 in event_process_active_single_queue /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350 10:39:45 INFO - #8 0x7f402539b212 in event_process_active /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420 10:39:45 INFO - #9 0x7f402539b212 in event_base_loop /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621 10:39:45 INFO - #10 0x7f40253c2261 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:357 10:39:45 INFO - #11 0x7f40253bcbdc in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 10:39:45 INFO - #12 0x7f40253bcbdc in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 10:39:45 INFO - #13 0x7f40253bcbdc in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 10:39:45 INFO - #14 0x7f40253d5243 in base::Thread::ThreadMain() /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/thread.cc:170 10:39:45 INFO - #15 0x7f40253d675c in ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:39 10:39:45 INFO - #16 0x7f404007de99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99) 10:39:45 INFO - #17 0x7f403f18d2ec (/lib/x86_64-linux-gnu/libc.so.6+0xf42ec) 10:39:45 INFO - ASAN:SIGSEGV 10:39:45 INFO - ==1901==AddressSanitizer: while reporting a bug found another one.Ignoring. 10:39:45 INFO - TEST-INFO | Main app process: killed by SIGHUP 10:39:45 INFO - 3328 INFO TEST-START | Shutdown 10:39:45 INFO - 3329 INFO Passed: 159735 10:39:45 INFO - 3330 INFO Failed: 0 10:39:45 INFO - 3331 INFO Todo: 14136 10:39:45 INFO - 3332 INFO Slowest: 100532ms - /tests/dom/media/test/test_played.html 10:39:45 INFO - 3333 INFO SimpleTest FINISHED 10:39:45 INFO - 3334 INFO TEST-INFO | Ran 1 Loops 10:39:45 INFO - 3335 INFO SimpleTest FINISHED 10:39:45 WARNING - TEST-UNEXPECTED-FAIL | dom/media/test/test_webvtt_disabled.html | application terminated with exit code 1
Flags: needinfo?
|
Reporter | |
Updated•9 years ago
|
Flags: needinfo? → needinfo?(jmathies)
|
|
Reporter | |
Comment 1•9 years ago
|
||
https://treeherder.mozilla.org/logviewer.html#?job_id=8411650&repo=mozilla-inbound Second instance since dbaron enabled OMTA seems suspicious.
|
|
Reporter | |
Comment 2•9 years ago
|
||
https://treeherder.mozilla.org/logviewer.html#?job_id=8413927&repo=mozilla-inbound
|
||
Comment 3•9 years ago
|
||
I'm reminded of bug 1111079, but the timing looks wrong for that to be the cause — bug 1142693 predates its landing, and this bug is much newer.
|
|
||
Comment 5•9 years ago
|
||
I think the other bugs mentioning OnChannelErrorFromLink aren't directly related — if "Aborting on channel error." appears, then we're deliberately killing the child process in response to an IPC error. If we're seeing segfaults under OnChannelError that *aren't* accompanied by that kind of assertion message, then they might be this bug.
|
||
Comment 6•9 years ago
|
||
Yeah those spurious "..[Parent][OnMaybeDequeueOne].." are passive errors. The error message we see in bug 1142693 is far more severe.
Flags: needinfo?(jmathies)
Blocks: enable-omt-animations
Group: core-security
Backed out bug 980770, again.
| Comment hidden (Legacy TBPL/Treeherder Robot) |
| Comment hidden (Legacy TBPL/Treeherder Robot) |
|
||
Updated•9 years ago
|
Keywords: csectype-uaf
I relanded bug 980770, except disabled on Linux. Still an issue based on: https://treeherder.mozilla.org/#/jobs?repo=try&revision=130e5b485b0b
|
||
Updated•9 years ago
|
Blocks: e10s-tests
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0d6567e7dcb4 makes it look like this has now gone away
|
||
Updated•9 years ago
|
And I think https://treeherder.mozilla.org/#/jobs?repo=try&revision=c3227cdb0bad confirms that none of the other patches in the previous push were needed.
Summary: Intermittent ASAN heap-use-after-free test_webvtt_disabled.html | application terminated with exit code 1 → Intermittent ASAN heap-use-after-free test_webvtt_disabled.html | application terminated with exit code 1, when OMT animations enabled
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → WORKSFORME
|
||
Updated•9 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•