Bug 1161062: asan crash: Append nsTSubstring
Status: RESOLVED INCOMPLETE (Opened 9 years ago, Closed 3 years ago)
Categories: Core :: XML, defect
People: Reporter: kjozwiak, Unassigned
Attachments: 2 files
Found the following asan crash while going through bug # 1140537. Filing a separate bug as per bug # 1140537 comment # 26 & bug # 1140537 comment # 28.

STR: (using m-c changeset: 1ad65cbeb2f4)
- download the python script from comment # 3
- sudo python testcase.py in a terminal/cmd prompt
- wait till you receive "Serving Requests."
- visit http://localhost:80 from the browser while using e10s
- wait about 5 minutes and disable e10s via the preferences (this will take a while after selecting "OK" on the prompt)
- wait anywhere between 5-10 minutes until the browser restarts itself in normal mode (no e10s)
- wait another 5 minutes or so and the browser will eventually crash

==42524==AddressSanitizer CHECK failed: /home/kjozwiak/code/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#0 0x46738d in AsanCheckFailed _asan_rtl_
#1 0x46bfe3 in __sanitizer::CheckFailed(char const*, int, char const*, unsigned long long, unsigned long long) sanitizer_common.cc:76
#2 0x470220 in __sanitizer::MmapOrDie(unsigned long, char const*) sanitizer_posix.cc:68
#3 0x41f035 in __sanitizer::LargeMmapAllocator<__asan::AsanMapUnmapCallback>::Allocate(__sanitizer::AllocatorStats*, unsigned long, unsigned long) sanitizer_allocator.h:1011
#4 0x41fbd5 in Reallocate asan_allocator2.cc:518
#5 0x461046 in __interceptor_realloc _asan_rtl_
#6 0x7f431981db01 in Realloc nsSubstring.cpp:246
#7 0x7f431982504e in ReplacePrepInternal nsTSubstring.cpp:169
#8 0x7f43198280ab in ReplacePrep nsTSubstring.h:1010
#9 0x7f431b52f335 in Append nsTSubstring.h:524
#10 0x7f431b5326a6 in ConsumeToken nsExpatDriver.cpp:1184
#11 0x7f431b542429 in Tokenize nsParser.cpp:1943
#12 0x7f431b53dc5d in ResumeParse nsParser.cpp:1464
#13 0x7f431b5439ba in OnDataAvailable nsParser.cpp:1841
#14 0x7f4319c5ae11 in do_OnDataAvailable nsHTTPCompressConv.cpp:356
#15 0x7f4319f3e525 in OnDataAvailable nsHttpChannel.cpp:5785
#16 0x7f4319b0c967 in OnStateTransfer nsInputStreamPump.cpp:607
#17 0x7f4319b0b727 in OnInputStreamReady nsInputStreamPump.cpp:436
#18 0x7f4319924109 in Run nsStreamUtils.cpp:91
#19 0x7f43199602c4 in ProcessNextEvent nsThread.cpp:868
#20 0x7f43199bdaea in NS_ProcessNextEvent nsThreadUtils.cpp:265
#21 0x7f431a338a59 in Run MessagePump.cpp:95
#22 0x7f431a289c6c in RunInternal message_loop.cc:233
#23 0x7f431f61cce7 in Run nsBaseAppShell.cpp:165
#24 0x7f43212a7468 in Run nsAppStartup.cpp:280
#25 0x7f43213a8b2c in XRE_mainRun nsAppRunner.cpp:4071
#26 0x7f43213a9b4c in XRE_main nsAppRunner.cpp:4151
#27 0x7f43213aa9c5 in XRE_main nsAppRunner.cpp:4240
#28 0x47b07a in do_main nsBrowserApp.cpp:214
#29 0x7f432a8faec4 in __libc_start_main libc-start.c:287
#30 0x47a54a in _start ??:?
Comment 1 (Reporter)•9 years ago
While I was trying to verify bug # 1140537 with fx38, the browser eventually crashed after loading the poc several times in the same session. Unfortunately, when the crash occurs, it doesn't create a crash report :/ (see image attached).

When doing the same thing with an asan build [fx38 changeset b91226cec861], I got the same crash that's mentioned above. So I'm assuming that the crash that's occurring in the regular build is related to this.

Used the following build:
- https://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/38.0-candidates/build2/linux-x86_64/en-US/
Comment 2•9 years ago
This sounds like it is just an OOM crash of some sort, so I think we can leave this as sec-other.
Keywords: sec-other
Updated•9 years ago
Group: core-security → dom-core-security
Comment 3•3 years ago
This was an OOM encountered while running the test case for a sec bug. I think we can close this now.
Group: dom-core-security
Status: NEW → RESOLVED
Closed: 3 years ago
Keywords: sec-other
Resolution: --- → INCOMPLETE
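
The triage call made in comments 2 and 3 (an ASan CHECK failure on "unable to mmap" is an out-of-memory abort, not a memory-safety report) can be checked mechanically. The following is an added example, not part of the original bug or of Mozilla's tooling; the function names, the `kind` labels and the runtime-frame prefixes are assumptions chosen for illustration, and it goes slightly beyond this report by also labelling ordinary `ERROR: AddressSanitizer:` reports.

```python
import re

# Excerpt of the ASan output in the description above: header plus frames #4-#10.
SAMPLE = '''\
==42524==AddressSanitizer CHECK failed: /home/kjozwiak/code/llvm/projects/compiler-rt/lib/sanitizer_common/sanitizer_posix.cc:68 "(("unable to mmap" && 0)) != (0)" (0x0, 0x0)
#4 0x41fbd5 in Reallocate asan_allocator2.cc:518
#5 0x461046 in __interceptor_realloc _asan_rtl_
#6 0x7f431981db01 in Realloc nsSubstring.cpp:246
#7 0x7f431982504e in ReplacePrepInternal nsTSubstring.cpp:169
#8 0x7f43198280ab in ReplacePrep nsTSubstring.h:1010
#9 0x7f431b52f335 in Append nsTSubstring.h:524
#10 0x7f431b5326a6 in ConsumeToken nsExpatDriver.cpp:1184
'''

HEADER = re.compile(r'==\d+==(?:ERROR: )?AddressSanitizer( CHECK failed)?: (.*)')
FRAME = re.compile(r'#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$')
# Assumption: prefixes that mark sanitizer-runtime frames, taken from this trace.
RUNTIME_FUNCS = ('__sanitizer::', '__asan::', '__interceptor_', 'AsanCheckFailed')
RUNTIME_FILES = ('asan_', 'sanitizer_', '_asan_rtl_')
OOM_MARKERS = ('unable to mmap',)  # the CHECK text seen in this report

def is_runtime(func, where):
    """True for frames inside the sanitizer runtime rather than the application."""
    return func.startswith(RUNTIME_FUNCS) or where.startswith(RUNTIME_FILES)

def triage(log):
    """Return (kind, headline, app_frames) for one ASan report."""
    header, frames = None, []
    for line in map(str.strip, log.splitlines()):
        if header is None and (m := HEADER.match(line)):
            header = m
        elif m := FRAME.match(line):
            frames.append(m.groups())
    if header is None:
        return 'not-asan', None, []
    is_check, headline = header.group(1) is not None, header.group(2)
    if any(marker in headline for marker in OOM_MARKERS):
        kind = 'oom'            # the runtime could not obtain memory
    elif is_check:
        kind = 'runtime-check'  # some other internal CHECK in the runtime
    else:
        kind = 'memory-error'   # e.g. heap-use-after-free: needs security review
    app = [(fn, where) for _, fn, where in frames if not is_runtime(fn, where)]
    return kind, headline, app

if __name__ == '__main__':
    kind, _, app = triage(SAMPLE)
    print(kind, app[0], app[-1])
```

The first application frame it reports is the allocation site (`Realloc` in nsSubstring.cpp), and the last frame in this excerpt, `ConsumeToken` in nsExpatDriver.cpp, is the caller whose `Append` triggered the allocation.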