Closed
Bug 1064713
Opened 10 years ago
Closed 10 years ago
Intermittent ASan heap-use-after-free in mochitest-1 tests/content/media/webaudio/test/test_mediaDecoding.html reading a freed MediaStreamGraphImpl's GraphDriver
Categories
(Core :: Audio/Video, defect)
RESOLVED
DUPLICATE
of bug 1064117
People
(Reporter: cpeterson, Unassigned)
Details
(Keywords: crash)
I saw this ASan heap-use-after-free once in an unrelated push to TBPL:
https://tbpl.mozilla.org/php/getParsedLog.php?id=47658465&tree=Mozilla-Inbound&full=1

Could this be a regression from bug 1062293? It looks like ThreadedDriver::RunThread() is reading a freed MediaStreamGraphImpl's GraphDriver.

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017 get

2206 ERROR TEST-UNEXPECTED-FAIL | /tests/content/media/webaudio/test/test_mediaDecoding.html | application terminated with exit code 1

23:17:03 INFO - 2117 INFO TEST-START | /tests/content/media/webaudio/test/test_mediaDecoding.html
23:17:06 INFO - =================================================================
23:17:06 INFO - ==1793==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000128380 at pc 0x7f04a2e817d0 bp 0x7f044968e630 sp 0x7f044968e628
23:17:06 INFO - READ of size 8 at 0x60b000128380 thread T3094 (MediaStreamGrph)
23:17:07 INFO - #0 0x7f04a2e817cf in get /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017
23:17:07 INFO - #1 0x7f04a2e817cf in operator mozilla::GraphDriver * /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1030
23:17:07 INFO - #2 0x7f04a2e817cf in mozilla::ThreadedDriver::RunThread() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:297
23:17:07 INFO - #3 0x7f04a2e9c442 in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:214
23:17:07 INFO - #4 0x7f049ec5bf31 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:823
23:17:07 INFO - #5 0x7f049ecb926a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
23:17:07 INFO - #6 0x7f049f4ad957 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:326
23:17:07 INFO - #7 0x7f049f45d0b0 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:229
23:17:08 INFO - #8 0x7f049f45d0b0 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:222
23:17:08 INFO - #9 0x7f049f45d0b0 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:196
23:17:08 INFO - #10 0x7f049ec58c75 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:350
23:17:08 INFO - #11 0x7f04b5095405 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212
23:17:08 INFO - #12 0x7f04b87d2e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
23:17:08 INFO - #13 0x7f04b78e3dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
23:17:08 INFO - 0x60b000128380 is located 80 bytes inside of 104-byte region [0x60b000128330,0x60b000128398)
23:17:08 INFO - freed by thread T0 here:
23:17:08 INFO - #0 0x470d21 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
23:17:08 INFO - #1 0x7f04a2ee6a8e in Release /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.h:77
23:17:08 INFO - #2 0x7f04a2ee6a8e in ~nsRefPtr /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:852
23:17:08 INFO - #3 0x7f04a2ee6a8e in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:74
23:17:08 INFO - #4 0x7f04a2ee7aad in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:69
23:17:08 INFO - #5 0x7f04a2f002fc in mozilla::MediaStreamGraphImpl::Release() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2822
23:17:08 INFO - #6 0x7f04a2f22c37 in ~nsRefPtr /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:852
23:17:08 INFO - #7 0x7f04a2f22c37 in ~MediaStreamGraphShutDownRunnable /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1471
23:17:08 INFO - #8 0x7f04a2f22c37 in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::~MediaStreamGraphShutDownRunnable() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1471
23:17:08 INFO - previously allocated by thread T0 here:
23:17:08 INFO - #0 0x470f21 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
23:17:08 INFO - #1 0x7f04b1631bed in moz_xmalloc /builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp:52
23:17:08 INFO - #2 0x7f04a2effb0b in operator new /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/mozilla/mozalloc.h:201
23:17:08 INFO - #3 0x7f04a2effb0b in mozilla::MediaStreamGraphImpl::MediaStreamGraphImpl(bool, int, unsigned char, mozilla::dom::AudioChannel) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2735
23:17:08 INFO - #4 0x7f04a2efff2b in mozilla::MediaStreamGraph::CreateNonRealtimeInstance(int) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2798
23:17:08 INFO - #5 0x7f04a2febc7f in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, mozilla::dom::AudioChannel, unsigned int, unsigned int, float) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/webaudio/AudioDestinationNode.cpp:324
23:17:08 INFO - Thread T3094 (MediaStreamGrph) created by T0 here:
23:17:08 INFO - #0 0x45d795 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
23:17:08 INFO - #1 0x7f04b5091d8d in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453
23:17:08 INFO - #2 0x7f04b509190a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544
23:17:08 INFO - #3 0x7f049ec5a18b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:455
23:17:08 INFO - #4 0x7f049ec5f67c in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThreadManager.cpp:269
23:17:08 INFO - #5 0x7f049ecb899c in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:68
23:17:08 INFO - #6 0x7f04a2e80584 in NS_NewNamedThread<16> /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsThreadUtils.h:74
23:17:08 INFO - #7 0x7f04a2e80584 in mozilla::ThreadedDriver::Start() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:226
23:17:08 INFO - #8 0x7f04a2ef8618 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1673
23:17:08 INFO - #9 0x7f04a2f226fb in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1527
23:17:08 INFO - #10 0x7f04a27a206e in assign_assuming_AddRef /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/../../dist/include/nsCOMPtr.h:467
23:17:08 INFO - #11 0x7f04a27a206e in forget /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/../../dist/include/nsCOMPtr.h:701
23:17:08 INFO - #12 0x7f04a27a206e in Forget /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h:108
23:17:08 INFO - #13 0x7f04a27a206e in nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:375
23:17:08 INFO - #14 0x7f04a27a29fd in RunSyncSections /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h:93
23:17:08 INFO - #15 0x7f04a27a29fd in AfterProcessNextEvent /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:427
23:17:08 INFO - #16 0x7f04a27a29fd in non-virtual thunk to nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/Unified_cpp_widget_xpwidgets0.cpp:429
23:17:08 INFO - #17 0x7f049ec5c412 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:837
23:17:08 INFO - #18 0x7f049ecb926a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
23:17:08 INFO - #19 0x7f049f4ac968 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:140
23:17:08 INFO - #20 0x7f049f45d0b0 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:229
23:17:08 INFO - #21 0x7f049f45d0b0 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:222
23:17:08 INFO - #22 0x7f049f45d0b0 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:196
23:17:08 INFO - #23 0x7f04a27a0917 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:164
23:17:08 INFO - #24 0x7f04a4c4d4a8 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp:280
23:17:08 INFO - #25 0x7f04a4d2c46a in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4098
23:17:08 INFO - #26 0x7f04a4d2d346 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4169
23:17:08 INFO - #27 0x7f04a4d2e19d in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4383
23:17:08 INFO - #28 0x4894a7 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp:282
23:17:08 INFO - #29 0x4894a7 in main /builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp:643
23:17:08 INFO - #30 0x7f04b781176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
23:17:08 INFO - SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017 get
23:17:08 INFO - ==1793==ABORTING
23:17:08 INFO - TEST-INFO | Main app process: killed by SIGHUP
Flags: needinfo?(paul)
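The reading of the report in the description above (which thread touched the freed object, which thread freed it, and where it was allocated) can be scripted for triage. This is an added example, not part of the bug report or of Mozilla's tooling; the sample log is a constructed excerpt in the shape of the report with shortened paths, and the `NOISE` list of wrapper frames to skip is an assumption.

```python
import re

# Constructed excerpt in the shape of the report above (paths shortened).
SAMPLE = """\
23:17:06 INFO - ==1793==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000128380 at pc 0x7f04a2e817d0 bp 0x7f044968e630 sp 0x7f044968e628
23:17:06 INFO - READ of size 8 at 0x60b000128380 thread T3094 (MediaStreamGrph)
23:17:07 INFO - #0 0x7f04a2e817cf in get /build/dist/include/nsAutoPtr.h:1017
23:17:07 INFO - #2 0x7f04a2e817cf in mozilla::ThreadedDriver::RunThread() /build/content/media/GraphDriver.cpp:297
23:17:08 INFO - freed by thread T0 here:
23:17:08 INFO - #0 0x470d21 in __interceptor_free /src/asan_malloc_linux.cc:64
23:17:08 INFO - #3 0x7f04a2ee6a8e in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() /build/content/media/MediaStreamGraph.cpp:74
23:17:08 INFO - previously allocated by thread T0 here:
23:17:08 INFO - #0 0x470f21 in malloc /src/asan_malloc_linux.cc:74
23:17:08 INFO - #4 0x7f04a2efff2b in mozilla::MediaStreamGraph::CreateNonRealtimeInstance(int) /build/content/media/MediaStreamGraph.cpp:2798
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\s+INFO\s+-\s+")  # test-harness timestamp
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
SECTION = re.compile(r"^(freed|previously allocated) by thread (T\d+) here:")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+?) (/\S+:\d+)$")
# Assumed list of allocator / smart-pointer wrapper frames to skip past.
NOISE = re.compile(r"^(__interceptor_|malloc\b|moz_xmalloc\b|operator\b|get$|Release$|~nsRefPtr$)")

def triage(log):
    """Return the access, free and alloc stacks' thread and first meaningful frame."""
    stacks, current = {}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ACCESS.match(line):
            current = "access"
            stacks[current] = {"op": m[1], "size": int(m[2]), "thread": m[3], "frame": None}
        elif m := SECTION.match(line):
            current = "free" if m[1] == "freed" else "alloc"
            stacks[current] = {"thread": m[2], "frame": None}
        elif line.startswith("Thread T"):
            current = None  # thread-creation stacks are not part of the verdict
        elif (m := FRAME.match(line)) and current and stacks[current]["frame"] is None:
            if not NOISE.match(m[1]):
                stacks[current]["frame"] = (m[1], m[2])
    # A free on one thread and a later access on another points at a lifetime race.
    stacks["cross_thread"] = stacks["access"]["thread"] != stacks["free"]["thread"]
    return stacks

if __name__ == "__main__":
    for name, info in triage(SAMPLE).items():
        print(name, info)
```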
Reporter
Updated•10 years ago
Summary: Intermittent ASan heap-use-after-free in mochitest-1 → Intermittent ASan heap-use-after-free in mochitest-1 tests/content/media/webaudio/test/test_mediaDecoding.html reading a freed MediaStreamGraphImpl's GraphDriver
Updated•10 years ago
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(paul)
Resolution: --- → DUPLICATE
Comment 2•10 years ago
Thanks for the heads up, Chris, this is taken care of elsewhere.