Closed Bug 1161062 Opened 9 years ago Closed 3 years ago

asan crash: Append nsTSubstring

Categories

(Core :: XML, defect)

defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: kjozwiak, Unassigned)

Attachments

(2 files)

Attached file memoryMapError.txt
Found the following asan crash while going through bug # 1140537. Filing a separate bug as per bug # 1140537 comment # 26 & bug # 1140537 comment # 28.

STR: (using m-c changeset: 1ad65cbeb2f4)

- download the python script from comment # 3
- sudo python testcase.py in a terminal/cmd prompt
- wait till you receive "Serving Requests."
- visit http://localhost:80 from the browser while using e10s
- wait about 5 minutes and disable e10s via the preferences (this will take a while after selecting "OK" on the prompt)
- wait anywhere between 5-10 minutes until the browser restarts itself in normal mode (no e10s)
- wait another 5 minutes or so and the browser will eventually crash

==42524==AddressSanitizer CHECK failed: /home/kjozwiak/code/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x46738d in AsanCheckFailed _asan_rtl_
    #1 0x46bfe3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) sanitizer_common.cc:76
    #2 0x470220 in __sanitizer::MmapOrDie(unsigned long, char const*) sanitizer_posix.cc:68
    #3 0x41f035 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) sanitizer_allocator.h:1011
    #4 0x41fbd5 in Reallocate asan_allocator2.cc:518
    #5 0x461046 in __interceptor_realloc _asan_rtl_
    #6 0x7f431981db01 in Realloc nsSubstring.cpp:246
    #7 0x7f431982504e in ReplacePrepInternal nsTSubstring.cpp:169
    #8 0x7f43198280ab in ReplacePrep nsTSubstring.h:1010
    #9 0x7f431b52f335 in Append nsTSubstring.h:524
    #10 0x7f431b5326a6 in ConsumeToken nsExpatDriver.cpp:1184
    #11 0x7f431b542429 in Tokenize nsParser.cpp:1943
    #12 0x7f431b53dc5d in ResumeParse nsParser.cpp:1464
    #13 0x7f431b5439ba in OnDataAvailable nsParser.cpp:1841
    #14 0x7f4319c5ae11 in do_OnDataAvailable nsHTTPCompressConv.cpp:356
    #15 0x7f4319f3e525 in OnDataAvailable nsHttpChannel.cpp:5785
    #16 0x7f4319b0c967 in OnStateTransfer nsInputStreamPump.cpp:607
    #17 0x7f4319b0b727 in OnInputStreamReady nsInputStreamPump.cpp:436
    #18 0x7f4319924109 in Run nsStreamUtils.cpp:91
    #19 0x7f43199602c4 in ProcessNextEvent nsThread.cpp:868
    #20 0x7f43199bdaea in NS_ProcessNextEvent nsThreadUtils.cpp:265
    #21 0x7f431a338a59 in Run MessagePump.cpp:95
    #22 0x7f431a289c6c in RunInternal message_loop.cc:233
    #23 0x7f431f61cce7 in Run nsBaseAppShell.cpp:165
    #24 0x7f43212a7468 in Run nsAppStartup.cpp:280
    #25 0x7f43213a8b2c in XRE_mainRun nsAppRunner.cpp:4071
    #26 0x7f43213a9b4c in XRE_main nsAppRunner.cpp:4151
    #27 0x7f43213aa9c5 in XRE_main nsAppRunner.cpp:4240
    #28 0x47b07a in do_main nsBrowserApp.cpp:214
    #29 0x7f432a8faec4 in __libc_start_main libc-start.c:287
    #30 0x47a54a in _start ??:?
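Added triage helper (not code from this bug or the Mozilla tree): it parses an ASan report in the format above, separates an allocator CHECK failure on mmap (resource exhaustion, which is how this bug was rated) from a real `ERROR: AddressSanitizer: <class>` memory-safety finding, and picks out the first frame outside the sanitizer runtime so the offending code path stands out. SAMPLE_REPORT is an abridged copy of the trace above; the heap-buffer-overflow input used for contrast in the test is constructed.

```python
import re
from dataclasses import dataclass

# Abridged copy of the ASan output attached to this bug (some frames elided).
SAMPLE_REPORT = """==42524==AddressSanitizer CHECK failed: /home/kjozwiak/code/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
    #0 0x46738d in AsanCheckFailed _asan_rtl_
    #2 0x470220 in __sanitizer::MmapOrDie(unsigned long, char const*) sanitizer_posix.cc:68
    #4 0x41fbd5 in Reallocate asan_allocator2.cc:518
    #5 0x461046 in __interceptor_realloc _asan_rtl_
    #6 0x7f431981db01 in Realloc nsSubstring.cpp:246
    #9 0x7f431b52f335 in Append nsTSubstring.h:524
    #10 0x7f431b5326a6 in ConsumeToken nsExpatDriver.cpp:1184
"""

FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.+?)\s+(\S+)$")
CHECK_RE = re.compile(r'^==\d+==AddressSanitizer CHECK failed: \S+ "(.*)"')
ERROR_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (.+?)(?: on | at |:|$)")
RUNTIME_FUNCS = ("__sanitizer::", "__asan", "__interceptor_", "AsanCheckFailed")
RUNTIME_FILES = ("_asan_rtl_", "asan_", "sanitizer_")
OOM_MARKERS = ("unable to mmap", "out of memory", "requested allocation size")

@dataclass
class Triage:
    kind: str             # "oom", "runtime-check", "memory-safety" or "unknown"
    detail: str           # failed CHECK expression or ASan error class
    first_app_frame: str  # first frame outside the sanitizer runtime, if any

def _kind(detail: str, fallback: str) -> str:
    # An mmap/allocation failure is resource exhaustion, not a bad memory access.
    return "oom" if any(k in detail for k in OOM_MARKERS) else fallback

def triage_asan(report: str) -> Triage:
    """Classify one ASan report and locate the first non-runtime frame.
    CHECK failures come from the sanitizer itself; ERROR lines are findings."""
    kind, detail, frame = "unknown", "", ""
    for line in report.splitlines():
        if m := CHECK_RE.match(line):
            detail, kind = m.group(1), _kind(m.group(1), "runtime-check")
        elif m := ERROR_RE.match(line):
            detail, kind = m.group(1), _kind(m.group(1), "memory-safety")
        elif (m := FRAME_RE.match(line)) and not frame:
            func, loc = m.group(1), m.group(2)
            # Skip the sanitizer's own frames (runtime symbols and source files).
            if not func.startswith(RUNTIME_FUNCS) and not loc.startswith(RUNTIME_FILES):
                frame = f"{func} {loc}"
    return Triage(kind, detail, frame)

if __name__ == "__main__":
    print(triage_asan(SAMPLE_REPORT))
```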
Attached image crash.png
While I was trying to verify bug # 1140537 with fx38, the browser eventually crashed after loading the poc several times in the same session. Unfortunately when the crash occurs, it doesn't create a crash report :/ (see image attached)

When doing the same thing with an asan build [fx38 changeset b91226cec861], I got the same crash that's mentioned above. So I'm assuming that the crash that's occurring in the regular build is related to this.

Used the following build:
- https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.0-candidates/build2/linux-x86_64/en-US/
This sounds like it is just an OOM crash of some sort, so I think we can leave this as sec-other.
Keywords: sec-other
Group: core-security → dom-core-security

This was an OOM encountered while running the test case for a sec bug. I think we can close this now.

Group: dom-core-security
Status: NEW → RESOLVED
Closed: 3 years ago
Keywords: sec-other
Resolution: --- → INCOMPLETE