608822 - Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte

Status: RESOLVED INCOMPLETE

(Core :: IPC, defect)

Description

[Doug Turner (:dougt)]

While closing tabs, valgrind found:

[TabChild] RESIZE to (w,h)= (800d, 500d)
==22492== Thread 2:
==22492== Syscall param socketcall.sendmsg(msg.msg_iov[i]) points to uninitialised byte(s)
==22492==    at 0x4E3BF2D: ??? (syscall-template.S:82)
==22492==    by 0x6CED0EF: IPC::Channel::ChannelImpl::ProcessOutgoingMessages() (ipc_channel_posix.cc:623)
==22492==    by 0x6CEDCAF: IPC::Channel::ChannelImpl::Send(IPC::Message*) (ipc_channel_posix.cc:679)
==22492==    by 0x6CCB5F9: MessageLoop::RunTask(Task*) (message_loop.cc:343)
==22492==    by 0x6CCBA2B: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:351)
==22492==    by 0x6CCBCC8: MessageLoop::DoWork() (message_loop.cc:451)
==22492==    by 0x6CE6C96: base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (message_pump_libevent.cc:309)
==22492==    by 0x6CCB7D1: MessageLoop::Run() (message_loop.cc:202)
==22492==    by 0x6CD717B: base::Thread::ThreadMain() (thread.cc:156)
==22492==    by 0x6CE73D5: ThreadFunc(void*) (platform_thread_posix.cc:26)
==22492==    by 0x4E339C9: start_thread (pthread_create.c:300)
==22492==    by 0x833270C: clone (clone.S:112)
==22492==  Address 0x19def858 is 40 bytes inside a block of size 64 alloc'd
==22492==    at 0x4C274A8: malloc (vg_replace_malloc.c:236)
==22492==    by 0x4C27522: realloc (vg_replace_malloc.c:525)
==22492==    by 0x6CCFD3C: Pickle::Resize(unsigned int) (pickle.cc:519)
==22492==    by 0x6CCFE3C: Pickle::Pickle(int) (pickle.cc:46)
==22492==    by 0x6CDFB31: IPC::Message::Message(int, unsigned int, IPC::Message::PriorityValue, char const*) (ipc_message.cc:36)
==22492==    by 0x6BDF068: mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&, IPC::Message*&) (PBrowser.h:382)
==22492==    by 0x6BE2FBB: mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&, IPC::Message*&) (PContentParent.cpp:915)
==22492==    by 0x6BCFBAD: mozilla::ipc::SyncChannel::OnDispatchMessage(IPC::Message const&) (SyncChannel.cpp:169)
==22492==    by 0x6BCD933: mozilla::ipc::RPCChannel::OnMaybeDequeueOne() (RPCChannel.cpp:436)
==22492==    by 0x6CCB5F9: MessageLoop::RunTask(Task*) (message_loop.cc:343)
==22492==    by 0x6CCBA2B: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:351)
==22492==    by 0x6CCBCC8: MessageLoop::DoWork() (message_loop.cc:451)
==22492==

Comment 1

[Chris Jones [:cjones] inactive; ni?/f?/r? if you need me]

This looks like a serializer writing uninit values.

Comment 2

[Doug Turner (:dougt)]

cjones, how serious is this?

Comment 3

[mitchwharper]

Running Fx 37 trunk, currently running in valgrind as I type this. Copy-pasting complaint from terminal output:

==16799== Syscall param sendmsg(msg.msg_iov[0]) points to uninitialised byte(s)
==16799==    at 0x4E469BD: ??? (syscall-template.S:81)
==16799==    by 0x801A6F3: IPC::Channel::ChannelImpl::ProcessOutgoingMessages() (ipc_channel_posix.cc:720)
==16799==    by 0x801B204: IPC::Channel::ChannelImpl::Send(IPC::Message*) (ipc_channel_posix.cc:796)
==16799==    by 0x801B214: IPC::Channel::Send(IPC::Message*) (ipc_channel_posix.cc:1001)
==16799==    by 0x804C99F: RunnableMethod<IPC::Channel, bool (IPC::Channel::*)(IPC::Message*), Tuple1<IPC::Message*> >::Run() (tuple.h:393)
==16799==    by 0x802373D: MessageLoop::RunTask(Task*) (message_loop.cc:361)
==16799==    by 0x8026E65: MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) (message_loop.cc:369)
==16799==    by 0x8027D4F: MessageLoop::DoWork() (message_loop.cc:447)
==16799==    by 0x80137BC: base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) (message_pump_libevent.cc:311)
==16799==    by 0x802366C: MessageLoop::RunInternal() (message_loop.cc:233)
==16799==    by 0x80238EB: MessageLoop::Run() (message_loop.cc:226)
==16799==    by 0x803376E: base::Thread::ThreadMain() (thread.cc:170)
==16799==  Address 0x3bf71518 is 200 bytes inside a block of size 256 alloc'd
==16799==    at 0x4C2CE8E: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==16799==    by 0x802438C: Pickle::Resize(unsigned int) (pickle.cc:635)
==16799==    by 0x8024558: Pickle::BeginWrite(unsigned int, unsigned int) (pickle.cc:513)
==16799==    by 0x80245E6: Pickle::WriteBytes(void const*, int, unsigned int) (pickle.cc:558)
==16799==    by 0x80C70F9: mozilla::dom::PBrowserParent::SendMouseWheelEvent(mozilla::WidgetWheelEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) (pickle.h:133)
==16799==    by 0x929B5FC: mozilla::dom::TabParent::SendMouseWheelEvent(mozilla::WidgetWheelEvent&) (TabParent.cpp:1000)
==16799==    by 0x8F525B0: mozilla::EventStateManager::DispatchCrossProcessEvent(mozilla::WidgetEvent*, nsFrameLoader*, nsEventStatus*) (EventStateManager.cpp:1103)
==16799==    by 0x8F5A7ED: mozilla::EventStateManager::HandleCrossProcessEvent(mozilla::WidgetEvent*, nsEventStatus*) (EventStateManager.cpp:1270)
==16799==    by 0x8F5BC3A: mozilla::EventStateManager::PostHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsEventStatus*) (EventStateManager.cpp:2685)
==16799==    by 0x9622D83: PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*) (nsPresShell.cpp:8264)
==16799==    by 0x9623974: PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) (nsPresShell.cpp:7958)
==16799==    by 0x96258FD: PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) (nsPresShell.cpp:7758)

Run with command `G_SLICE=always-malloc valgrind --tool=memcheck --vex-iropt-register-updates=allregs-at-mem-access --smc-check=all-non-file ./firefox` on valgrind 3.10.0.SVN compiled from valgrind trunk, with mozconfig for Fx trunk build:

mk_add_options MOZ_OBJDIR=@TOPSRCDIR@/ff-opt
ac_add_options --disable-tests
ac_add_options --enable-optimize="-g -O -freorder-blocks"
ac_add_options --disable-jemalloc
ac_add_options --enable-valgrind

Comment 4

[mitchwharper]

^ Also found while closing tabs

Comment 5

[Jed Davis [:jld] ⟨⏰|UTC-7⟩ ⟦he/him⟧]

These valgrind reports don't seem to tell us which field was uninitialized (which would allow sending the bug to the right component and seeing whether it's been fixed already), just the last time the buffer was realloc'ed.