Closed Bug 1279096 Opened 8 years ago Closed 8 years ago

AddressSanitizer: dynamic-stack-buffer-overflow /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:3191:3 in js::ctypes::ConvertToJS(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, void*, bool, bool, JS::MutableHandl

Categories: Core :: js-ctypes, defect
defect
Not set
normal

Tracking: RESOLVED FIXED, mozilla50
Tracking Status: firefox50 --- fixed

People: Reporter: glandium, Assigned: glandium

References: Blocks 1 open bug

Attachments: 1 file

Same as bug 1252072, but for libffi.

=================================================================
==20970==ERROR: AddressSanitizer: dynamic-stack-buffer-overflow on address 0x7fff9cf8ba60 at pc 0x7f6ccacdbeb5 bp 0x7fff9cf8a4d0 sp 0x7fff9cf8a4c8
READ of size 4 at 0x7fff9cf8ba60 thread T0
    #0 0x7f6ccacdbeb4 in js::ctypes::ConvertToJS(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, void*, bool, bool, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:3191:3
    #1 0x7f6ccacf5bf4 in js::ctypes::CClosure::ArgClosure::operator()(JSContext*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:7469:10
    #2 0x7f6cc0f80196 in mozilla::CycleCollectedJSRuntime::EnvironmentPreparer::invoke(JS::Handle<JSObject*>, js::ScriptEnvironmentPreparer::Closure&) /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1660:24
    #3 0x7f6ccacf507f in js::ctypes::CClosure::ClosureStub(ffi_cif*, void*, void**, void*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:7411:3
    #4 0x7f6ccc0b0aa0 in ffi_closure_unix64_inner (/builds/slave/test/build/application/firefox/libxul.so+0xceb8aa0)
    #5 0x7f6ccc0b2e0b in ffi_closure_unix64 (/builds/slave/test/build/application/firefox/libxul.so+0xcebae0b)
    #6 0x7f6ccc0b2ca3 in ffi_call_unix64 (/builds/slave/test/build/application/firefox/libxul.so+0xcebaca3)
    #7 0x7f6ccc0af535 in ffi_call (/builds/slave/test/build/application/firefox/libxul.so+0xceb7535)
    #8 0x7f6ccad62bf0 in js::ctypes::FunctionType::Call(JSContext*, unsigned int, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:7132:3
    #9 0x7f6ccba2e1b2 in CallJSNative /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #10 0x7f6ccba2e1b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:440
    #11 0x7f6ccb9ddd21 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:516:10
    #12 0x7f6ccb82d50b in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/proxy/Wrapper.cpp:165:12
    #13 0x7f6ccb7fa967 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:309:14
    #14 0x7f6ccb808f5b in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/proxy/Proxy.cpp:401:12
    #15 0x7f6ccb80baac in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/proxy/Proxy.cpp:693:12
    #16 0x7f6ccba2e1b2 in CallJSNative /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #17 0x7f6ccba2e1b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:440
    #18 0x7f6ccba14dcc in CallFromStack /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:503:12
    #19 0x7f6ccba14dcc in Interpret(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #20 0x7f6ccb9fae8a in js::RunScript(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:398:12
    #21 0x7f6ccba30670 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:676:15
    #22 0x7f6ccba30d9e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:708:12
    #23 0x7f6ccb5afdfa in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4461:19
    #24 0x7f6ccb5b0ea1 in Evaluate /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4498:10
    #25 0x7f6ccb5b0ea1 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jsapi.cpp:4556
    #26 0x7f6cc29b5b71 in xpc::EvalInSandbox(JSContext*, JS::Handle<JSObject*>, nsAString_internal const&, nsACString_internal const&, int, JSVersion, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/Sandbox.cpp:1782:14
    #27 0x7f6cc298d7d5 in nsXPCComponents_Utils::EvalInSandbox(nsAString_internal const&, JS::Handle<JS::Value>, JS::Handle<JS::Value>, nsACString_internal const&, int, JSContext*, unsigned char, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/XPCComponents.cpp:2438:12
    #28 0x7f6cc10d6fd6 in NS_InvokeByIndex /builds/slave/try-l64-asan-00000000000000000/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
    #29 0x7f6cc2a63ed2 in Invoke /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2083:12
    #30 0x7f6cc2a63ed2 in Call /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1400
    #31 0x7f6cc2a63ed2 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1367
    #32 0x7f6cc2a6b1b6 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-l64-asan-00000000000000000/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1128:12
    #33 0x7f6ccba2dc90 in CallJSNative /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jscntxtinlines.h:235:15
    #34 0x7f6ccba2dc90 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:452
    #35 0x7f6ccba14dcc in CallFromStack /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:503:12
    #36 0x7f6ccba14dcc in Interpret(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:2873
    #37 0x7f6ccb9fae8a in js::RunScript(JSContext*, js::RunState&) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:398:12
    #38 0x7f6ccba2e358 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/vm/Interpreter.cpp:470:15
    #39 0x7f6ccae4b6dd in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/jit/BaselineIC.cpp:5979:14
    #40 0x7f6cab51188f (<unknown module>)

Address 0x7fff9cf8ba60 is located in stack of thread T0 at offset 928 in frame
    #0 0x7f6ccc0af9ef in ffi_closure_unix64_inner (/builds/slave/test/build/application/firefox/libxul.so+0xceb79ef)

  This frame has 4 object(s):
    [32, 36) 'ngpr'
    [48, 52) 'nsse'
    [64, 80) 'classes'
    [96, 112) 'classes1' <== Memory access at offset 928 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: dynamic-stack-buffer-overflow /builds/slave/try-l64-asan-00000000000000000/build/src/js/src/ctypes/CTypes.cpp:3191:3 in js::ctypes::ConvertToJS(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, void*, bool, bool, JS::MutableHandle<JS::Value>)
Shadow bytes around the buggy address:
  0x1000739e96f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9720: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x1000739e9740: 00 00 00 00 00 00 00 00 00 00 00 00[ca]ca ca ca
  0x1000739e9750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9760: 00 00 00 00 00 00 00 00 00 00 cb cb cb cb cb cb
  0x1000739e9770: f1 f1 f1 f1 00 00 f2 f2 04 f2 04 f3 00 00 00 00
  0x1000739e9780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000739e9790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==20970==ABORTING
Comment on attachment 8761430 [details] Bug 1279096 - Exclude ffi_call from ASAN. Except GCC doesn't like it like that.
Attachment #8761430 - Flags: review?(choller)
Comment on attachment 8761430 [details] Bug 1279096 - Exclude ffi_call from ASAN. Review request updated; see interdiff: https://reviewboard.mozilla.org/r/58628/diff/1-2/
Attachment #8761430 - Flags: review?(choller)
Comment on attachment 8761430 [details] Bug 1279096 - Exclude ffi_call from ASAN. https://reviewboard.mozilla.org/r/58628/#review55620 Looks good to me. It would still be good if upstream fixed/rewrote the method to work properly with ASan. If there is a bug somewhere in this (and we had random intermittent ASan failures in FFI before, even without dynamic stack instrumentation), then we're covering it now. :/
Attachment #8761430 - Flags: review?(choller) → review+
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Depends on: 1422254
See Also: → 1709459