Closed Bug 1173216 Opened 9 years ago Closed 9 years ago

Intermittent test_getUserMedia_gumWithinGum.html | application terminated with exit code 1 after "AddressSanitizer: heap-use-after-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:366 memcpy"

Categories

(Core :: Graphics: Layers, defect)

Product:
Core
Component:
Graphics: Layers
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INCOMPLETE
Tracking Flags:
Tracking Status
firefox41 --- affected

People

(Reporter: RyanVM, Unassigned)

References

Details

(4 keywords)

Spun off from bug 1158155/bug 1158418 since this looks different enough stackwise to be another issue. https://treeherder.mozilla.org/logviewer.html#?job_id=1629429&repo=mozilla-central 17:02:39 INFO - 1792 INFO TEST-START | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html 17:02:39 INFO - TEST DEVICES: Using media devices: 17:02:39 INFO - audio: Sine source at 440 Hz 17:02:39 INFO - video: Dummy video device 17:02:40 INFO - ================================================================= 17:02:40 INFO - ==4558==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000455f20 at pc 0x45f5b7 bp 0x7fff501b63b0 sp 0x7fff501b5b70 17:02:40 INFO - READ of size 16 at 0x603000455f20 thread T0 17:02:41 INFO - #0 0x45f5b6 in memcpy /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:366 17:02:41 INFO - #1 0x7fe600a32898 (/usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0+0x33898) 17:02:41 INFO - #2 0x7fe600a4546b (/usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0+0x4646b) 17:02:42 INFO - #3 0x7fe5f7a225db in nsWindow::NativeResize(int, int, int, int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/gtk/nsWindow.cpp:3941 17:02:42 INFO - #4 0x7fe5f7a2386b in nsWindow::Resize(double, double, double, double, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/gtk/nsWindow.cpp:1108 17:02:42 INFO - #5 0x7fe5f81c21ed in nsDocumentViewer::SetBounds(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:1939 17:02:42 INFO - #6 0x7fe5f8e0a209 in SetPositionAndSize /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:5937 17:02:42 INFO - #7 0x7fe5f8e0a209 in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/docshell/base/Unified_cpp_docshell_base0.cpp:5941 17:02:42 INFO - #8 0x7fe5f8f3fc8a in WindowResized /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsWebShellWindow.cpp:282 17:02:42 INFO - #9 0x7fe5f8f3fc8a in non-virtual thunk to nsWebShellWindow::WindowResized(nsIWidget*, int, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/xpfe/appshell/Unified_cpp_xpfe_appshell0.cpp:289 17:02:42 INFO - #10 0x7fe5f7a23209 in DispatchResized /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/gtk/nsWindow.cpp:446 17:02:42 INFO - #11 0x7fe5f7a23209 in nsWindow::Resize(double, double, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/gtk/nsWindow.cpp:1072 17:02:42 INFO - #12 0x7fe5f8f518e2 in nsXULWindow::SetSize(int, int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsXULWindow.cpp:565 17:02:42 INFO - #13 0x7fe5f8f5bd61 in nsXULWindow::SizeShellTo(nsIDocShellTreeItem*, int, int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsXULWindow.cpp:1694 17:02:42 INFO - #14 0x7fe5f44ba7e6 in nsGlobalWindow::SizeToContent(mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:7276 17:02:42 INFO - #15 0x7fe5f44ba68e in nsGlobalWindow::SizeToContent(mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:7233 17:02:42 INFO - #16 0x7fe5f5a243aa in mozilla::dom::WindowBinding::sizeToContent(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WindowBinding.cpp:4450 17:02:42 INFO - #17 0x7fe5f5a19390 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WindowBinding.cpp:13050 17:02:42 INFO - #18 0x7fe5fae5281e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235 17:02:42 INFO - #19 0x7fe5fae5281e in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:703 17:02:42 INFO - #20 0x7fe5fae918b8 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2954 17:02:43 INFO - #21 0x7fe5fae71bd4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:652 17:02:43 INFO - #22 0x7fe5fae52da9 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:723 17:02:43 INFO - #23 0x7fe5fae008c3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:760 17:02:43 INFO - #24 0x7fe5fbb4c2fb in call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/DirectProxyHandler.cpp:77 17:02:43 INFO - #25 0x7fe5fbb4c2fb in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:289 17:02:43 INFO - #26 0x7fe5fbb5dedf in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/Proxy.cpp:391 17:02:43 INFO - #27 0x7fe5fbb60b52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/proxy/Proxy.cpp:697 17:02:43 INFO - #28 0x7fe5fae52b7f in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235 17:02:43 INFO - #29 0x7fe5fae52b7f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:696 17:02:43 INFO - #30 0x7fe5fae918b8 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2954 17:02:43 INFO - #31 0x7fe5fae71bd4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:652 17:02:43 INFO - #32 0x7fe5fae52da9 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:723 17:02:43 INFO - #33 0x7fe5fae008c3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:760 17:02:43 INFO - #34 0x7fe5fb91bdd8 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4418 17:02:43 INFO - #35 0x7fe5f44592f6 in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::OwningSerializedStructuredCloneBuffer>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFrameMessageManager.cpp:1253 17:02:43 INFO - #36 0x7fe5f445a2c7 in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsAString_internal const&, bool, mozilla::dom::StructuredCloneData const*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::OwningSerializedStructuredCloneBuffer>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFrameMessageManager.cpp:1281 17:02:43 INFO - #37 0x7fe5f4462c44 in ReceiveMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFrameMessageManager.cpp:1070 17:02:43 INFO - #38 0x7fe5f4462c44 in nsSameProcessAsyncMessageBase::ReceiveMessage(nsISupports*, nsIFrameLoader*, nsFrameMessageManager*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFrameMessageManager.cpp:2230 17:02:43 INFO - #39 0x7fe5f44655e8 in nsAsyncMessageToSameProcessParent::HandleMessage() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFrameMessageManager.cpp:2053 17:02:43 INFO - #40 0x7fe5f2519a57 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:846 17:02:43 INFO - #41 0x7fe5f25931ba in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265 17:02:43 INFO - #42 0x7fe5f2de74b9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95 17:02:43 INFO - #43 0x7fe5f2d747ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233 17:02:43 INFO - #44 0x7fe5f2d747ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226 17:02:43 INFO - #45 0x7fe5f2d747ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200 17:02:43 INFO - #46 0x7fe5f79c5347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165 17:02:43 INFO - #47 0x7fe5f969d928 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:280 17:02:43 INFO - #48 0x7fe5f97a9d27 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4258 17:02:43 INFO - #49 0x7fe5f97aad3c in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4342 17:02:43 INFO - #50 0x7fe5f97abbb5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4431 17:02:43 INFO - #51 0x48a70a in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:214 17:02:43 INFO - #52 0x48a70a in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:478 17:02:43 INFO - #53 0x7fe60c69c76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c) 17:02:43 INFO - #54 0x489b6c in _start (/builds/slave/test/build/application/firefox/firefox+0x489b6c) 17:02:43 INFO - 0x603000455f20 is located 0 bytes inside of 32-byte region [0x603000455f20,0x603000455f40) 17:02:43 INFO - freed by thread T29 (Compositor) here: 17:02:43 INFO - #0 0x471f81 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64 17:02:43 INFO - #1 0x7fe600a32a2a (/usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0+0x33a2a) 17:02:43 INFO - previously allocated by thread T0 here: 17:02:43 INFO - #0 0x472181 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74 17:02:43 INFO - #1 0x7fe602b09a38 (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4da38) 17:02:43 INFO - Thread T29 (Compositor) created by T0 here: 17:02:43 INFO - #0 0x45e9f5 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175 17:02:43 INFO - #1 0x7fe5f2d8caa4 in CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:144 17:02:43 INFO - #2 0x7fe5f2d8caa4 in Create /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:155 17:02:43 INFO - #3 0x7fe5f2d8caa4 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:92 17:02:43 INFO - #4 0x7fe5f40dea20 in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/layers/ipc/CompositorParent.cpp:191 17:02:43 INFO - #5 0x7fe5f40e28b0 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/layers/ipc/CompositorParent.cpp:143 17:02:43 INFO - #6 0x7fe5f40e28b0 in mozilla::layers::CompositorParent::StartUp() /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/layers/ipc/CompositorParent.cpp:587 17:02:43 INFO - #7 0x7fe5f41ce32e in gfxPlatform::InitLayersIPC() /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:719 17:02:43 INFO - #8 0x7fe5f41cc37b in gfxPlatform::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:548 17:02:43 INFO - #9 0x7fe5f41cacf4 in gfxPlatform::GetPlatform() /builds/slave/m-cen-l64-asan-000000000000000/build/src/gfx/thebes/gfxPlatform.cpp:462 17:02:43 INFO - #10 0x7fe5f7fd8864 in CreateVsyncRefreshTimer /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:863 17:02:43 INFO - #11 0x7fe5f7fd8864 in nsRefreshDriver::ChooseTimer() const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1006 17:02:43 INFO - #12 0x7fe5f7fdb77b in nsRefreshDriver::EnsureTimerStarted(nsRefreshDriver::EnsureTimerStartedFlags) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1216 17:02:43 INFO - #13 0x7fe5f7fdbbcf in nsRefreshDriver::MostRecentRefresh() const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1105 17:02:43 INFO - #14 0x7fe5f824d9bd in nsPresContext::Init(nsDeviceContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresContext.cpp:1034 17:02:43 INFO - #15 0x7fe5f81b283e in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:808 17:02:43 INFO - #16 0x7fe5f81b19f7 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:620 17:02:43 INFO - #17 0x7fe5f8e151cc in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:9281 17:02:43 INFO - #18 0x7fe5f8e13ac7 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7188 17:02:43 INFO - #19 0x7fe5f8e213e8 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:8001 17:02:43 INFO - #20 0x7fe5f8f2343d in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, nsWidgetInitData&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsWebShellWindow.cpp:216 17:02:43 INFO - #21 0x7fe5f8f1dd76 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, nsWebShellWindow**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsAppShellService.cpp:615 17:02:43 INFO - #22 0x7fe5f8f1d0ec in nsAppShellService::CreateHiddenWindowHelper(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpfe/appshell/nsAppShellService.cpp:136 17:02:43 INFO - #23 0x7fe5f969d5c2 in nsAppStartup::CreateHiddenWindow() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:244 17:02:43 INFO - #24 0x7fe5f97a9860 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4187 17:02:43 INFO - #25 0x7fe5f97aad3c in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4342 17:02:43 INFO - #26 0x7fe5f97abbb5 in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4431 17:02:43 INFO - #27 0x48a70a in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:214 17:02:43 INFO - #28 0x48a70a in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:478 17:02:43 INFO - #29 0x7fe60c69c76c (/lib/x86_64-linux-gnu/libc.so.6+0x2176c) 17:02:43 INFO - SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:366 memcpy 17:02:43 INFO - Shadow bytes around the buggy address: 17:02:43 INFO - 0x0c0680082b90: 00 00 00 00 fa fa fd fd fd fd fa fa 00 00 00 00 17:02:43 INFO - 0x0c0680082ba0: fa fa fd fd fd fa fa fa 00 00 00 00 fa fa 00 00 17:02:43 INFO - 0x0c0680082bb0: 00 00 fa fa fd fd fd fa fa fa fd fd fd fd fa fa 17:02:43 INFO - 0x0c0680082bc0: fd fd fd fa fa fa 00 00 04 fa fa fa 00 00 00 00 17:02:43 INFO - 0x0c0680082bd0: fa fa fa fa fa fa fa fa fd fd fd fa fa fa 00 00 17:02:43 INFO - =>0x0c0680082be0: 00 00 fa fa[fd]fd fd fd fa fa 00 00 00 00 fa fa 17:02:43 INFO - 0x0c0680082bf0: 00 00 00 07 fa fa fd fd fd fa fa fa fa fa fa fa 17:02:43 INFO - 0x0c0680082c00: fa fa 00 00 00 02 fa fa 00 00 00 fa fa fa 00 00 17:02:43 INFO - 0x0c0680082c10: 00 02 fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 17:02:43 INFO - 0x0c0680082c20: 00 00 00 fa fa fa 00 00 00 02 fa fa 00 00 00 fa 17:02:43 INFO - 0x0c0680082c30: fa fa 00 00 00 fa fa fa 00 00 00 02 fa fa 00 00 17:02:43 INFO - Shadow byte legend (one shadow byte represents 8 application bytes): 17:02:43 INFO - Addressable: 00 17:02:43 INFO - Partially addressable: 01 02 03 04 05 06 07 17:02:43 INFO - Heap left redzone: fa 17:02:43 INFO - Heap right redzone: fb 17:02:43 INFO - Freed heap region: fd 17:02:43 INFO - Stack left redzone: f1 17:02:43 INFO - Stack mid redzone: f2 17:02:43 INFO - Stack right redzone: f3 17:02:43 INFO - Stack partial redzone: f4 17:02:43 INFO - Stack after return: f5 17:02:43 INFO - Stack use after scope: f8 17:02:43 INFO - Global redzone: f9 17:02:43 INFO - Global init order: f6 17:02:43 INFO - Poisoned by user: f7 17:02:43 INFO - Contiguous container OOB:fc 17:02:43 INFO - ASan internal: fe 17:02:43 INFO - ==4558==ABORTING 17:02:43 INFO - TEST-INFO | Main app process: killed by SIGHUP 17:02:43 INFO - 1793 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | A valid string reason is expected 17:02:43 INFO - 1794 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Reason cannot be empty 17:02:43 INFO - 1795 INFO Call getUserMedia for {"video":true} 17:02:43 INFO - 1796 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Stream should be a LocalMediaStream 17:02:43 INFO - 1797 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Before starting the media element, currentTime = 0 17:02:43 INFO - 1798 INFO TEST-FAIL | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | The author of the test has indicated that flaky timeouts are expected. Reason: WebRTC inherently depends on timeouts 17:02:43 INFO - 1799 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Media element should be playing 17:02:43 INFO - 1800 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Duration should be infinity 17:02:43 INFO - 1801 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Ready state shall be HAVE_ENOUGH_DATA or HAVE_CURRENT_DATA 17:02:43 INFO - 1802 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Seekable length shall be zero 17:02:43 INFO - 1803 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Buffered length shall be zero 17:02:43 INFO - 1804 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | MediaElement is not seekable with MediaStream 17:02:43 INFO - 1805 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Start offset time shall not be a number 17:02:43 INFO - 1806 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Loop shall be false 17:02:43 INFO - 1807 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Preload should not exist 17:02:43 INFO - 1808 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | No src should be defined 17:02:43 INFO - 1809 INFO TEST-PASS | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | Current src should still be an empty string 17:02:43 INFO - 1810 INFO TEST-FAIL | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | The author of the test has indicated that flaky timeouts are expected. Reason: WebRTC inherently depends on timeouts 17:02:43 INFO - 1811 INFO Call getUserMedia for {"audio":true} 17:02:43 WARNING - TEST-UNEXPECTED-FAIL | dom/media/tests/mochitest/test_getUserMedia_gumWithinGum.html | application terminated with exit code 1
Component: Graphics → Graphics: Layers
Keywords: csectype-uaf, sec-high
Assignee: nobody → lsalzman
I did manage to at least dissect the place it is triggering the use-after-free, though I have not isolated a definitive cause. In the gtk window code, it is doing gdk_region_copy(window->clip_region) in all cases where this seems to get triggered. This is slightly puzzling as this is the window's internal clip_region, which we don't theoretically have access to, and the window does not appear to be marked as destroyed nor triggering use-after-free warnings on its own memory that would indicate it was actually destroyed. So, somehow, window->clip_region is being destroyed, without the window being destroyed, and none of the stack traces go beyond telling us gdk_region_destroy was used to destroy it. Still looking for possible causes at the moment...
After some more hunting, I still found nothing conclusive. Because our build and test machines are using stripped versions of glib/gtk rather than the debug versions, the stack traces here aren't very helpful either. So at least one way to move this particular bug forward might be to get debug versions of glib/gtk deployed on our Linux test machines so that when this problem, or very many others that happen to fail in gtk for entirely different reasons, then we can more easily identify the points of failure. How to proceed there?
Flags: needinfo?(ryanvm)
I have no idea. Maybe glandium has an idea of how feasible that is?
Flags: needinfo?(ryanvm) → needinfo?(mh+mozilla)
As answered on irc: The first thing to know is whether having the debug symbols installed on the machines would make them used by whatever is printing out the traces. I think they would, but I'm not 100% sure. Ted probably knows. Then assuming that would work, just ask releng to install specific debug packages.
Flags: needinfo?(mh+mozilla) → needinfo?(ted)
That's llvm-symbolizer doing the symbolication. I don't know if installing debug packages would make it do the right thing, but it does use native symbols and not Breakpad symbols like our stacks from normal crashes.
Flags: needinfo?(ted)
Yeah, I've installed debug packages before locally and ASan produced some better results.
addr2line -if -e can be used on files from dbg packages to get more information from the stack. It would be helpful to identify exactly exactly which versions of the package are providing libgdk-x11-2.0.so.0. Do these tests run on CentOS or Ubuntu precise. If CentOS, which version?
AFAIK those tests run on Ubuntu 12.04.
I was talking to someone about a different ASAN failure, and I wrote a little Python script to look up functions from the dynsym section, which might give usable results without having debug packages installed: https://gist.github.com/luser/6533bc82f5efc23c4954 If someone gets a slave loan of the type matching one of these logs you could take the bad frames like: 17:02:41 INFO - #1 0x7fe600a32898 (/usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0+0x33898) and run `python dynsym_lookup.py /usr/lib/x86_64-linux-gnu/libgdk-x11-2.0.so.0 0x33898`, and the script will spit out the nearest public symbol.
Group: core-security → gfx-core-security
Should we just close this? It sounds like you did some investigating and couldn't figure anything out, and this problems seems to have no recurred.
Flags: needinfo?(lsalzman)
(In reply to Andrew McCreight [:mccr8] from comment #12) > Should we just close this? It sounds like you did some investigating and > couldn't figure anything out, and this problems seems to have no recurred. I have nothing more insightful on this to add than what I already discovered in earlier comments, so really I don't know. But if it hasn't recurred since, then maybe worth just closing out, and reopening again later if it does turn up again.
Assignee: lsalzman → nobody
Flags: needinfo?(lsalzman)
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Group: gfx-core-security
You need to log in before you can comment on or make changes to this bug.