Closed Bug 1064713 Opened 10 years ago Closed 10 years ago

Intermittent ASan heap-use-after-free in mochitest-1 tests/content/media/webaudio/test/test_mediaDecoding.html reading a freed MediaStreamGraphImpl's GraphDriver

Categories

(Core :: Audio/Video, defect)

x86_64
Linux
defect
Not set
normal

RESOLVED DUPLICATE of bug 1064117

People

(Reporter: cpeterson, Unassigned)

Details

(Keywords: crash)

I saw this ASan heap-use-after-free once in an unrelated push to TBPL:

https://tbpl.mozilla.org/php/getParsedLog.php?id=47658465&tree=Mozilla-Inbound&full=1

Could this be a regression from bug 1062293? It looks like ThreadedDriver::RunThread() is reading a freed MediaStreamGraphImpl's GraphDriver.


SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017 get
2206 ERROR TEST-UNEXPECTED-FAIL | /tests/content/media/webaudio/test/test_mediaDecoding.html | application terminated with exit code 1


23:17:03     INFO -  2117 INFO TEST-START | /tests/content/media/webaudio/test/test_mediaDecoding.html
23:17:06     INFO -  =================================================================
23:17:06     INFO -  ==1793==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000128380 at pc 0x7f04a2e817d0 bp 0x7f044968e630 sp 0x7f044968e628
23:17:06     INFO -  READ of size 8 at 0x60b000128380 thread T3094 (MediaStreamGrph)
23:17:07     INFO -      #0 0x7f04a2e817cf in get /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017
23:17:07     INFO -      #1 0x7f04a2e817cf in operator mozilla::GraphDriver * /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1030
23:17:07     INFO -      #2 0x7f04a2e817cf in mozilla::ThreadedDriver::RunThread() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:297
23:17:07     INFO -      #3 0x7f04a2e9c442 in mozilla::MediaStreamGraphInitThreadRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:214
23:17:07     INFO -      #4 0x7f049ec5bf31 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:823
23:17:07     INFO -      #5 0x7f049ecb926a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
23:17:07     INFO -      #6 0x7f049f4ad957 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:326
23:17:07     INFO -      #7 0x7f049f45d0b0 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:229
23:17:08     INFO -      #8 0x7f049f45d0b0 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:222
23:17:08     INFO -      #9 0x7f049f45d0b0 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:196
23:17:08     INFO -      #10 0x7f049ec58c75 in nsThread::ThreadFunc(void*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:350
23:17:08     INFO -      #11 0x7f04b5095405 in _pt_root /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212
23:17:08     INFO -      #12 0x7f04b87d2e99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
23:17:08     INFO -      #13 0x7f04b78e3dbc (/lib/x86_64-linux-gnu/libc.so.6+0xf3dbc)
23:17:08     INFO -  0x60b000128380 is located 80 bytes inside of 104-byte region [0x60b000128330,0x60b000128398)
23:17:08     INFO -  freed by thread T0 here:
23:17:08     INFO -      #0 0x470d21 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
23:17:08     INFO -      #1 0x7f04a2ee6a8e in Release /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.h:77
23:17:08     INFO -      #2 0x7f04a2ee6a8e in ~nsRefPtr /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:852
23:17:08     INFO -      #3 0x7f04a2ee6a8e in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:74
23:17:08     INFO -      #4 0x7f04a2ee7aad in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:69
23:17:08     INFO -      #5 0x7f04a2f002fc in mozilla::MediaStreamGraphImpl::Release() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2822
23:17:08     INFO -      #6 0x7f04a2f22c37 in ~nsRefPtr /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:852
23:17:08     INFO -      #7 0x7f04a2f22c37 in ~MediaStreamGraphShutDownRunnable /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1471
23:17:08     INFO -      #8 0x7f04a2f22c37 in mozilla::(anonymous namespace)::MediaStreamGraphShutDownRunnable::~MediaStreamGraphShutDownRunnable() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1471
23:17:08     INFO -  previously allocated by thread T0 here:
23:17:08     INFO -      #0 0x470f21 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
23:17:08     INFO -      #1 0x7f04b1631bed in moz_xmalloc /builds/slave/m-in-l64-asan-0000000000000000/build/memory/mozalloc/mozalloc.cpp:52
23:17:08     INFO -      #2 0x7f04a2effb0b in operator new /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/mozilla/mozalloc.h:201
23:17:08     INFO -      #3 0x7f04a2effb0b in mozilla::MediaStreamGraphImpl::MediaStreamGraphImpl(bool, int, unsigned char, mozilla::dom::AudioChannel) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2735
23:17:08     INFO -      #4 0x7f04a2efff2b in mozilla::MediaStreamGraph::CreateNonRealtimeInstance(int) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:2798
23:17:08     INFO -      #5 0x7f04a2febc7f in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, mozilla::dom::AudioChannel, unsigned int, unsigned int, float) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/webaudio/AudioDestinationNode.cpp:324
23:17:08     INFO -  Thread T3094 (MediaStreamGrph) created by T0 here:
23:17:08     INFO -      #0 0x45d795 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
23:17:08     INFO -      #1 0x7f04b5091d8d in _PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453
23:17:08     INFO -      #2 0x7f04b509190a in PR_CreateThread /builds/slave/m-in-l64-asan-0000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544
23:17:08     INFO -      #3 0x7f049ec5a18b in nsThread::Init() /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:455
23:17:08     INFO -      #4 0x7f049ec5f67c in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThreadManager.cpp:269
23:17:08     INFO -      #5 0x7f049ecb899c in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:68
23:17:08     INFO -      #6 0x7f04a2e80584 in NS_NewNamedThread<16> /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsThreadUtils.h:74
23:17:08     INFO -      #7 0x7f04a2e80584 in mozilla::ThreadedDriver::Start() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/GraphDriver.cpp:226
23:17:08     INFO -      #8 0x7f04a2ef8618 in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1673
23:17:08     INFO -      #9 0x7f04a2f226fb in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/content/media/MediaStreamGraph.cpp:1527
23:17:08     INFO -      #10 0x7f04a27a206e in assign_assuming_AddRef /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/../../dist/include/nsCOMPtr.h:467
23:17:08     INFO -      #11 0x7f04a27a206e in forget /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/../../dist/include/nsCOMPtr.h:701
23:17:08     INFO -      #12 0x7f04a27a206e in Forget /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h:108
23:17:08     INFO -      #13 0x7f04a27a206e in nsBaseAppShell::RunSyncSectionsInternal(bool, unsigned int) /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:375
23:17:08     INFO -      #14 0x7f04a27a29fd in RunSyncSections /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.h:93
23:17:08     INFO -      #15 0x7f04a27a29fd in AfterProcessNextEvent /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:427
23:17:08     INFO -      #16 0x7f04a27a29fd in non-virtual thunk to nsBaseAppShell::AfterProcessNextEvent(nsIThreadInternal*, unsigned int, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/widget/xpwidgets/Unified_cpp_widget_xpwidgets0.cpp:429
23:17:08     INFO -      #17 0x7f049ec5c412 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/threads/nsThread.cpp:837
23:17:08     INFO -      #18 0x7f049ecb926a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-in-l64-asan-0000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
23:17:08     INFO -      #19 0x7f049f4ac968 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/glue/MessagePump.cpp:140
23:17:08     INFO -      #20 0x7f049f45d0b0 in RunInternal /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:229
23:17:08     INFO -      #21 0x7f049f45d0b0 in RunHandler /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:222
23:17:08     INFO -      #22 0x7f049f45d0b0 in MessageLoop::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/ipc/chromium/src/base/message_loop.cc:196
23:17:08     INFO -      #23 0x7f04a27a0917 in nsBaseAppShell::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:164
23:17:08     INFO -      #24 0x7f04a4c4d4a8 in nsAppStartup::Run() /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/components/startup/nsAppStartup.cpp:280
23:17:08     INFO -      #25 0x7f04a4d2c46a in XREMain::XRE_mainRun() /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4098
23:17:08     INFO -      #26 0x7f04a4d2d346 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4169
23:17:08     INFO -      #27 0x7f04a4d2e19d in XRE_main /builds/slave/m-in-l64-asan-0000000000000000/build/toolkit/xre/nsAppRunner.cpp:4383
23:17:08     INFO -      #28 0x4894a7 in do_main /builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp:282
23:17:08     INFO -      #29 0x4894a7 in main /builds/slave/m-in-l64-asan-0000000000000000/build/browser/app/nsBrowserApp.cpp:643
23:17:08     INFO -      #30 0x7f04b781176c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c)
23:17:08     INFO -  SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-in-l64-asan-0000000000000000/build/obj-firefox/content/media/../../dist/include/nsAutoPtr.h:1017 get
23:17:08     INFO -  ==1793==ABORTING
23:17:08     INFO -  TEST-INFO | Main app process: killed by SIGHUP
Flags: needinfo?(paul)
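
A triage sketch for reports like the one above, added here as an example and not part of the bug or of Mozilla's tooling: it strips the test-harness timestamp prefix, splits the ASan report into its access, free and allocation stacks, and checks whether the access and the free ran on different threads. The function name `triage`, the `WRAPPERS` skip list and the abridged sample (frames trimmed, build paths shortened) are assumptions made for illustration.

```python
import re

# Abridged from the report above: frames trimmed and build paths shortened for this example.
SAMPLE = """\
23:17:06     INFO -  ==1793==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b000128380 at pc 0x7f04a2e817d0
23:17:06     INFO -  READ of size 8 at 0x60b000128380 thread T3094 (MediaStreamGrph)
23:17:07     INFO -      #0 0x7f04a2e817cf in get dist/include/nsAutoPtr.h:1017
23:17:07     INFO -      #2 0x7f04a2e817cf in mozilla::ThreadedDriver::RunThread() content/media/GraphDriver.cpp:297
23:17:08     INFO -  freed by thread T0 here:
23:17:08     INFO -      #0 0x470d21 in __interceptor_free asan/asan_malloc_linux.cc:64
23:17:08     INFO -      #1 0x7f04a2ee6a8e in Release content/media/GraphDriver.h:77
23:17:08     INFO -      #3 0x7f04a2ee6a8e in mozilla::MediaStreamGraphImpl::~MediaStreamGraphImpl() content/media/MediaStreamGraph.cpp:74
23:17:08     INFO -  previously allocated by thread T0 here:
23:17:08     INFO -      #0 0x470f21 in malloc asan/asan_malloc_linux.cc:74
23:17:08     INFO -      #3 0x7f04a2effb0b in mozilla::MediaStreamGraphImpl::MediaStreamGraphImpl(bool, int, unsigned char, mozilla::dom::AudioChannel) content/media/MediaStreamGraph.cpp:2735
"""

PREFIX = re.compile(r"^\d\d:\d\d:\d\d\s+INFO -\s+")   # harness timestamp prefix
ERROR = re.compile(r"ERROR: AddressSanitizer: (\S+) on address")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at \S+ thread (T\d+)")
SECTION = re.compile(r"^(freed|previously allocated) by thread (T\d+)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+) (\S+):(\d+)$")
WRAPPERS = ("asan_", "nsAutoPtr.h", "mozalloc")       # allocator / smart-pointer plumbing (assumed list)

def triage(log):
    """Split an ASan report into access/freed/allocated stacks and summarise it."""
    out, section = {"kind": None, "threads": {}, "stacks": {}}, None
    for raw in log.splitlines():
        line = PREFIX.sub("", raw).strip()
        if m := ERROR.search(line):
            out["kind"] = m.group(1)
        elif m := ACCESS.match(line):
            section = "access"
            out["op"], out["size"] = m.group(1), int(m.group(2))
            out["threads"][section] = m.group(3)
        elif m := SECTION.match(line):
            section = m.group(1).split()[-1]          # "freed" or "allocated"
            out["threads"][section] = m.group(2)
        elif (m := FRAME.match(line)) and section:
            out["stacks"].setdefault(section, []).append((m.group(1), m.group(2), int(m.group(3))))
        elif not line.startswith("#"):
            section = None                            # e.g. "Thread ... created by", "SUMMARY:"
    # First frame of each stack that is not allocator or smart-pointer plumbing.
    out["culprit"] = {s: next((f for f in fr if not any(w in f[1] for w in WRAPPERS)), None)
                      for s, fr in out["stacks"].items()}
    t = out["threads"]
    out["cross_thread"] = "freed" in t and t.get("access") != t["freed"]
    return out
```

A `cross_thread` result of true, as here (read on T3094, free on T0), points the investigation at object lifetime across threads rather than at a single-threaded dangling pointer.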
Summary: Intermittent ASan heap-use-after-free in mochitest-1 → Intermittent ASan heap-use-after-free in mochitest-1 tests/content/media/webaudio/test/test_mediaDecoding.html reading a freed MediaStreamGraphImpl's GraphDriver
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(paul)
Resolution: --- → DUPLICATE
Thanks for the heads up, Chris, this is taken care of elsewhere.