Intermittent ASAN test_zmedia_cleanup.html | application terminated with exit code 1 after AddressSanitizer: heap-use-after-free

RESOLVED INCOMPLETE

Status


Core
IPC
3 years ago
2 years ago

People

(Reporter: RyanVM, Unassigned)

Tracking

(4 keywords)

Trunk
x86_64
Linux
crash, csectype-uaf, intermittent-failure, sec-high

Firefox Tracking Flags

(e10s+, firefox40 affected)

Details

(Reporter)

Description

3 years ago
https://treeherder.mozilla.org/logviewer.html#?job_id=1793852&repo=b2g-inbound

04:59:35 INFO - 3480 INFO TEST-START | dom/media/tests/mochitest/test_zmedia_cleanup.html
04:59:35 INFO - MEMORY STAT vsize after test: 21991799074816
04:59:35 INFO - MEMORY STAT residentFast after test: 1509470208
04:59:35 INFO - 3481 INFO TEST-OK | dom/media/tests/mochitest/test_zmedia_cleanup.html | took 244ms
04:59:36 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
04:59:37 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
04:59:37 INFO - 1429876777275 Browser.Experiments.Experiments TRACE Experiments #0::uninit: started
04:59:37 INFO - 1429876777281 Browser.Experiments.Experiments TRACE Experiments #0::uninit: finished with _loadTask
04:59:37 INFO - 1429876777282 Browser.Experiments.Experiments TRACE Experiments #0::uninit: no previous shutdown
04:59:37 INFO - 1429876777283 Browser.Experiments.Experiments TRACE Experiments #0::Unregistering instance with Addon Manager.
04:59:37 INFO - 1429876777288 Browser.Experiments.Experiments TRACE Experiments #0::Removing install listener from add-on manager.
04:59:37 INFO - 1429876777289 Browser.Experiments.Experiments TRACE Experiments #0::Removing addon listener from add-on manager.
04:59:37 INFO - 1429876777294 Browser.Experiments.Experiments TRACE Experiments #0::Finished unregistering with addon manager.
04:59:37 INFO - 1429876777297 Browser.Experiments.Experiments TRACE Experiments #0::Unregistering previous experiment add-on provider.
04:59:37 INFO - 1429876777302 Browser.Experiments.Experiments INFO Experiments #0::Completed uninitialization.
04:59:37 INFO - 1429876777322 Browser.Experiments.Experiments TRACE PreviousExperimentProvider #0::shutdown()
04:59:37 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
04:59:37 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
04:59:37 INFO - ###!!! [Parent][OnMaybeDequeueOne] Error: Channel closing: too late to send/recv, messages will be lost
04:59:37 INFO - =================================================================
04:59:37 INFO - ==4172==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400009ff78 at pc 0x7f7aef300957 bp 0x7f7ae652c410 sp 0x7f7ae652c408
04:59:37 INFO - READ of size 8 at 0x61400009ff78 thread T4 (Gecko_IOThread)
04:59:39 INFO - #0 0x7f7aef300956 in push_back /tools/gcc-4.7.3-0moz1/lib/gcc/x86_64-unknown-linux-gnu/4.7.3/../../../../include/c++/4.7.3/bits/stl_deque.h:1373
04:59:39 INFO - #1 0x7f7aef300956 in push /tools/gcc-4.7.3-0moz1/lib/gcc/x86_64-unknown-linux-gnu/4.7.3/../../../../include/c++/4.7.3/bits/stl_queue.h:212
04:59:39 INFO - #2 0x7f7aef300956 in MessageLoop::PostTask_Helper(tracked_objects::Location const&, Task*, int, bool) /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/message_loop.cc:324
04:59:39 INFO - #3 0x7f7aef36d953 in PostErrorNotifyTask /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/glue/MessageChannel.cpp:1698
04:59:39 INFO - #4 0x7f7aef36d953 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/glue/MessageChannel.cpp:1636
04:59:39 INFO - #5 0x7f7aef372250 in OnChannelError /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/glue/MessageLink.cpp:405
04:59:39 INFO - #6 0x7f7aef372250 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/slave/b2g-in-l64-asan-00000000000000/build/src/obj-firefox/ipc/glue/Unified_cpp_ipc_glue0.cpp:406
04:59:39 INFO - #7 0x7f7aef2de7d2 in event_process_active_single_queue /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350
04:59:39 INFO - #8 0x7f7aef2de7d2 in event_process_active /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
04:59:39 INFO - #9 0x7f7aef2de7d2 in event_base_loop /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
04:59:39 INFO - #10 0x7f7aef305521 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:357
04:59:39 INFO - #11 0x7f7aef2fffbc in RunInternal /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
04:59:39 INFO - #12 0x7f7aef2fffbc in RunHandler /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
04:59:39 INFO - #13 0x7f7aef2fffbc in MessageLoop::Run() /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
04:59:39 INFO - #14 0x7f7aef318693 in base::Thread::ThreadMain() /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/thread.cc:170
04:59:39 INFO - #15 0x7f7aef319f4c in ThreadFunc(void*) /builds/slave/b2g-in-l64-asan-00000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:39
04:59:39 INFO - #16 0x7f7b09a3ee99 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x7e99)
04:59:39 INFO - #17 0x7f7b08b4e2ec (/lib/x86_64-linux-gnu/libc.so.6+0xf42ec)
04:59:39 INFO - ASAN:SIGSEGV
04:59:39 INFO - ==4172==AddressSanitizer: while reporting a bug found another one.Ignoring.
04:59:40 INFO - TEST-INFO | Main app process: killed by SIGHUP
04:59:40 INFO - 3482 INFO TEST-START | Shutdown
04:59:40 INFO - 3483 INFO Passed: 180423
04:59:40 INFO - 3484 INFO Failed: 0
04:59:40 INFO - 3485 INFO Todo: 12766
04:59:40 INFO - 3486 INFO Slowest: 99694ms - /tests/dom/media/test/test_played.html
04:59:40 INFO - 3487 INFO SimpleTest FINISHED
04:59:40 INFO - 3488 INFO TEST-INFO | Ran 1 Loops
04:59:40 INFO - 3489 INFO SimpleTest FINISHED
04:59:40 WARNING - TEST-UNEXPECTED-FAIL | dom/media/tests/mochitest/test_zmedia_cleanup.html | application terminated with exit code 1
This is a duplicate... of the other PostErrorNotifyTask bug... that I can't seem to find...
(Reporter)

Comment 2

3 years ago
I could have sworn I filed it before too, also couldn't find it :)
(In reply to Ben Turner [:bent] (use the needinfo flag!) from comment #1)
> This is a duplicate... of the other PostErrorNotifyTask bug... that I can't
> seem to find...

My browser history suggests bug 1150619.
Bug 1151711 might also be related?  See in particular bug 1151711 comment #106.

Updated

3 years ago
tracking-e10s: ? → +
Bug 1158418 looks like the same stack.
Ah hah, here's the other bug.
(Reporter)

Comment 7

3 years ago
We can dupe, but I'm afraid we'll just end up filing more then. FWIW, frequency appears to have picked up recently with the shift to test_waveShaperZeroLengthCurve.html.
This is a use-after-free, but I'm guessing it is some kind of shutdown issue, and some chunking change or additional test made it shift. It is still happening, in the other open bug. It'll be hard to address due to how generic the signature is and the fact that ASan crashes while reporting it.
Keywords: csectype-uaf, sec-high
Duplicate of this bug: 1155385
(Reporter)

Comment 10

3 years ago
https://treeherder.mozilla.org/logviewer.html#?job_id=1629429&repo=mozilla-central hit on m-c today. Looks maybe-related, but has a lot more gfx on the stack. Should we spin this off to a new bug?
Flags: needinfo?(continuation)
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10)
> https://treeherder.mozilla.org/logviewer.html#?job_id=1629429&repo=mozilla-central
> hit on m-c today. Looks maybe-related, but has a lot more gfx on the stack.
> Should we spin this off to a new bug?

Sure.
Flags: needinfo?(continuation)
(Reporter)

Comment 12

3 years ago
Comment 10 spun off to bug 1173216.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → INCOMPLETE
(Reporter)

Comment 13

3 years ago
(Noting that bug 1158418 is still very much alive and well)

Updated

3 years ago
Group: core-security → core-security-release
Group: core-security-release
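
A triage example for reports like the one in the description, added here and not part of the bug or of Mozilla's tooling: it pulls the ASan block out of the harness log, skips the inlined libstdc++ frames to build a signature for duplicate matching, and flags a report that has no free stack because ASan faulted while reporting. The function names and the two-frame signature depth are assumptions; the sample log is abridged from the description.

```python
import re

# Abridged from the log in the description; build-path prefixes shortened.
SAMPLE_LOG = """\
04:59:37 INFO - ==4172==ERROR: AddressSanitizer: heap-use-after-free on address 0x61400009ff78 at pc 0x7f7aef300957 bp 0x7f7ae652c410 sp 0x7f7ae652c408
04:59:37 INFO - READ of size 8 at 0x61400009ff78 thread T4 (Gecko_IOThread)
04:59:39 INFO - #0 0x7f7aef300956 in push_back /tools/gcc-4.7.3-0moz1/include/c++/4.7.3/bits/stl_deque.h:1373
04:59:39 INFO - #1 0x7f7aef300956 in push /tools/gcc-4.7.3-0moz1/include/c++/4.7.3/bits/stl_queue.h:212
04:59:39 INFO - #2 0x7f7aef300956 in MessageLoop::PostTask_Helper(tracked_objects::Location const&, Task*, int, bool) src/ipc/chromium/src/base/message_loop.cc:324
04:59:39 INFO - #3 0x7f7aef36d953 in PostErrorNotifyTask src/ipc/glue/MessageChannel.cpp:1698
04:59:39 INFO - #4 0x7f7aef36d953 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() src/ipc/glue/MessageChannel.cpp:1636
04:59:39 INFO - ASAN:SIGSEGV
04:59:39 INFO - ==4172==AddressSanitizer: while reporting a bug found another one.Ignoring.
"""

ERROR_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size \d+ at 0x[0-9a-f]+ thread (T\d+)(?: \((.+?)\))?")
FRAME_RE = re.compile(r"#\d+ 0x[0-9a-f]+ in (.+?) (\S+):\d+$")

def triage(log):
    """Summarise the first ASan report found in a test-harness log."""
    r = {"kind": None, "access": None, "thread": None, "frames": [],
         "has_free_stack": False, "nested_fault": False}
    in_access_stack = True  # only the faulting-access stack feeds the signature
    for line in map(str.strip, log.splitlines()):
        if m := ERROR_RE.search(line):
            r["kind"] = m.group(1)
        elif m := ACCESS_RE.search(line):
            r["access"], r["thread"] = m.group(1), m.group(3) or m.group(2)
        elif "freed by thread" in line:
            r["has_free_stack"], in_access_stack = True, False
        elif "previously allocated by thread" in line:
            in_access_stack = False
        elif "while reporting a bug found another one" in line:
            r["nested_fault"] = True  # ASan faulted mid-report; later stacks are lost
        elif in_access_stack and (m := FRAME_RE.search(line)):
            r["frames"].append((m.group(1), m.group(2)))
    return r

def signature(report, depth=2):
    """Report kind plus the first `depth` frames outside libstdc++ headers."""
    own = [func.split("(")[0] for func, path in report["frames"]
           if "/include/c++/" not in path]
    return " | ".join([report["kind"] or "unknown", *own[:depth]])

if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(signature(r))
    print("free stack:", r["has_free_stack"], "| nested fault:", r["nested_fault"])
```

Frames without a `file:line` suffix (the libpthread and libc frames at the bottom of the full trace) are ignored by `FRAME_RE`, which does not affect a signature built from the top of the stack.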