Created attachment 8646709 [details] try-linux64-asan-bm79-try1-build698.txt.gz https://treeherder.mozilla.org/#/jobs?repo=try&revision=3749f1987ea7 In this try-run totally unrelated to images, I observed the following failure: https://treeherder.mozilla.org/logviewer.html#?job_id=10292855&repo=try "SUMMARY: AddressSanitizer: heap-use-after-free image/test/gtest/../../../dist/include/mozilla/RefPtr.h:125 Release" (Full log attached) From what I can interpret: 1. An nsRefPtr<SourceSurface> is created in Go() in TestDecodeToSurface.cpp:54, ASAN thinks it is the creation point of the contentious memory block. 2. The SourceSurface is passed as a raw pointer 'aSurface' to IsSolidColor in Common.cpp:78 (so it shouldn't possibly be deleted in this function). 3. Inside IsSolidColor, an nsRefPtr<DataSourceSurface> is created from aSurface->GetDataSurface(). 4. At the return point in IsSolidColor, ASAN thinks the contentious memory block is deleted here while deleting an nsRefPtr, probably the one created at step 3. 5. Back in Go(), at the implicit return point, ASAN thinks the contentious memory block is accessed again while deleting an nsRefPtr, probably the one created at step 1. If I'm correct (and ASAN as well), this would mean a SourceSurface (not sure of the exact derived type, the test is decoding a GIF) and a SourceSurface->GetDataSurface() both think they exclusively own one thing that they in fact share. Or something like that.
Note: Re-running the same test in the same try-run didn't show the issue. And at a quick glance I couldn't see it happening in recent inbound try-runs. Good luck reproducing it!
Another instance: https://treeherder.mozilla.org/logviewer.html#?job_id=10790014&repo=try
Pretty sure this was resolved by the patch in bug 1191347.
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Depends on: 1191347
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.