Closed Bug 1318165 Opened 4 years ago Closed 4 years ago

ASAN: about:memory->measure triggers a crash: attempting to call malloc_usable_size() for pointer which is not owned

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla53
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- fixed
firefox53 --- fixed

People

(Reporter: geeknik, Assigned: baku)

References

Details

(Keywords: crash, csectype-wildptr, sec-low)

Attachments

(2 files)

ASAN Nightly Build ID 20161115140229

STR:
Visit about:memory
Click Measure under `Show memory reports`
Crash.

Note: The `Measure and save...` option under `Save memory reports` does NOT trigger a crash. Also, non-ASAN Nightly builds don't crash.

==40607==ERROR: AddressSanitizer: attempting to call malloc_usable_size() for pointer which is not owned: 0x6070006ae748
    #0 0x4b2ddd in malloc_usable_size /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:100:3
    #1 0x7f620751bf62 in nsACString_internal::SizeOfIncludingThisIfUnshared(unsigned long (*)(void const*)) const /home/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:1068:10
    #2 0x7f6207623ed4 in nsStringInputStream::SizeOfIncludingThis(unsigned long (*)(void const*)) /home/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:201:8
    #3 0x7f620a11dc11 in mozilla::dom::BlobImplStream::CollectReports(nsIMemoryReporterCallback*, nsISupports*, bool) /home/worker/workspace/build/src/dom/base/File.cpp:1354:3
    #4 0x7f620a11de3e in non-virtual thunk to mozilla::dom::BlobImplStream::CollectReports(nsIMemoryReporterCallback*, nsISupports*, bool) /home/worker/workspace/build/src/dom/base/File.cpp:1345:17
    #5 0x7f620758daf9 in operator() /home/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:1756:7
    #6 0x7f620758daf9 in mozilla::detail::RunnableFunction<nsMemoryReporterManager::DispatchReporter(nsIMemoryReporter*, bool, nsIMemoryReporterCallback*, nsISupports*, bool)::$_0>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:324
    #7 0x7f6207672acb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #8 0x7f62076f5b0c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #9 0x7f620849089f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #10 0x7f6208400678 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #11 0x7f6208400678 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #12 0x7f6208400678 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #13 0x7f620dab155f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #14 0x7f620faf7991 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #15 0x7f620fc79d8e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4467:10
    #16 0x7f620fc7b2a2 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4600:8
    #17 0x7f620fc7c15c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4691:16
    #18 0x4df8ca in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #19 0x4df8ca in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
    #20 0x7f6221181b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287
    #21 0x41ba38 in _start (/home/geeknik/firefox/firefox+0x41ba38)

0x6070006ae748 is located 56 bytes inside of 80-byte region [0x6070006ae710,0x6070006ae760)
allocated by thread T0 here:
    #0 0x4b24ab in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e0d9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f6207625c7a in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f6207625c7a in nsStringInputStreamConstructor(nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/io/nsStringStream.cpp:450
    #4 0x7f620763f60a in nsComponentManagerImpl::CreateInstance(nsID const&, nsISupports*, nsID const&, void**) /home/worker/workspace/build/src/xpcom/components/nsComponentManager.cpp:1087:10
    #5 0x7f62076df01d in CallCreateInstance /home/worker/workspace/build/src/xpcom/glue/nsComponentManagerUtils.cpp:135:10
    #6 0x7f62076df01d in nsCreateInstanceByCID::operator()(nsID const&, void**) const /home/worker/workspace/build/src/xpcom/glue/nsComponentManagerUtils.cpp:183
    #7 0x7f62076d5bd5 in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /home/worker/workspace/build/src/xpcom/glue/nsCOMPtr.cpp:117:7
    #8 0x7f620846c7ba in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:674:5
    #9 0x7f620846c7ba in mozilla::ipc::DeserializeInputStream(mozilla::ipc::InputStreamParams const&, nsTArray<mozilla::ipc::FileDescriptor> const&) /home/worker/workspace/build/src/ipc/glue/InputStreamUtils.cpp:85
    #10 0x7f620846baf4 in mozilla::ipc::DeserializeIPCStream(mozilla::ipc::IPCStream const&) /home/worker/workspace/build/src/ipc/glue/IPCStreamUtils.cpp:309:10
    #11 0x7f620d38dd34 in CreateBlobImpl /home/worker/workspace/build/src/dom/ipc/Blob.cpp:743:42
    #12 0x7f620d38dd34 in mozilla::dom::(anonymous namespace)::CreateBlobImplFromBlobData(mozilla::dom::BlobData const&, mozilla::dom::(anonymous namespace)::CreateBlobImplMetadata&) /home/worker/workspace/build/src/dom/ipc/Blob.cpp:798
    #13 0x7f620d38dccc in CreateBlobImpl /home/worker/workspace/build/src/dom/ipc/Blob.cpp:825:7
    #14 0x7f620d38dccc in mozilla::dom::(anonymous namespace)::CreateBlobImplFromBlobData(mozilla::dom::BlobData const&, mozilla::dom::(anonymous namespace)::CreateBlobImplMetadata&) /home/worker/workspace/build/src/dom/ipc/Blob.cpp:803
    #15 0x7f620d38d5aa in mozilla::dom::(anonymous namespace)::CreateBlobImpl(mozilla::dom::ParentBlobConstructorParams const&, mozilla::dom::BlobData const&, bool) /home/worker/workspace/build/src/dom/ipc/Blob.cpp:931:5
    #16 0x7f620d37cbf8 in mozilla::dom::BlobParent* mozilla::dom::BlobParent::CreateFromParams<mozilla::dom::nsIContentParent>(mozilla::dom::nsIContentParent*, mozilla::dom::ParentBlobConstructorParams const&) /home/worker/workspace/build/src/dom/ipc/Blob.cpp:4108:9
    #17 0x7f6208c4b8df in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3240:21
    #18 0x7f6208488ed5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1743:14
    #19 0x7f62084850cc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1681:17
    #20 0x7f62084877f4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1572:5
    #21 0x7f6208487eae in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1597:5
    #22 0x7f6207672acb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #23 0x7f62076f5b0c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #24 0x7f620849089f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #25 0x7f6208400678 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #26 0x7f6208400678 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #27 0x7f6208400678 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #28 0x7f620dab155f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #29 0x7f620faf7991 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #30 0x7f620fc79d8e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4467:10
    #31 0x7f620fc7b2a2 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4600:8
    #32 0x7f620fc7c15c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4691:16
    #33 0x4df8ca in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
    #34 0x4df8ca in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
    #35 0x7f6221181b44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: bad-malloc_usable_size /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:100:3 in malloc_usable_size
==40607==ABORTING
[Child 40645] ###!!! ABORT: Aborting on channel error.: file /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp, line 2143
[Child 40645] ###!!! ABORT: Aborting on channel error.: file /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp, line 2143
ASAN:DEADLYSIGNAL
=================================================================
==40645==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x0000004e114b bp 0x7f506332a090 sp 0x7f506332a080 T2)
geeknik@plex-test:~/firefox$ Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=26.2849)
    #0 0x4e114a in mozalloc_abort(char const*) /home/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5
    #1 0x7f5065f21535 in Abort(char const*) /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:449:3
    #2 0x7f5065f212dc in NS_DebugBreak /home/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:405:7
    #3 0x7f5066e86faf in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2143:13
    #4 0x7f5066e8c253 in OnChannelError /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:367:5
    #5 0x7f5066e8c253 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:359
    #6 0x7f5066e42d7b in event_process_active_single_queue /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1350:4
    #7 0x7f5066e42d7b in event_process_active /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #8 0x7f5066e42d7b in event_base_loop /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #9 0x7f5066e02211 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:364:7
    #10 0x7f5066dfc678 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #11 0x7f5066dfc678 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #12 0x7f5066dfc678 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #13 0x7f5066e1c821 in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:180:3
    #14 0x7f5066e1d37c in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #15 0x7f5080b3d0a3 in start_thread /build/glibc-daoqzt/glibc-2.19/nptl/pthread_create.c:309
    #16 0x7f507fc4462c in clone /build/glibc-daoqzt/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/memory/mozalloc/mozalloc_abort.cpp:33:5 in mozalloc_abort(char const*)
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49a869 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f5066e1c43b in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7f5066e1c43b in Create /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7f5066e1c43b in base::Thread::StartWithOptions(base::Thread::Options const&) /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98
    #4 0x7f5066e8e437 in mozilla::ipc::ProcessChild::ProcessChild(int) /home/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #5 0x7f506e67c889 in ContentProcess /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #6 0x7f506e67c889 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:619
    #7 0x4dfb5b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #8 0x4dfb5b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
    #9 0x7f507fb7db44 in __libc_start_main /build/glibc-daoqzt/glibc-2.19/csu/libc-start.c:287

==40645==ABORTING
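The bad-malloc_usable_size report above comes down to a memory reporter asking the allocator for the size of a pointer that is not the start of a heap block: the string data sits 56 bytes inside the 80-byte nsStringInputStream allocation. The C below is an added example, not Mozilla code: a small block registry stands in for ASAN's ownership check, and a toy StringStream shows the unconditional reporter beside one that only measures a buffer it owns as a separate heap block (all names are hypothetical).

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

typedef size_t (*MallocSizeOf)(const void *);
/* Registry of live heap blocks, standing in for the allocator's bookkeeping. */
#define MAX_BLOCKS 16
static const void *g_block[MAX_BLOCKS];
static size_t g_size[MAX_BLOCKS];
static int g_nblocks, g_bad_calls; /* g_bad_calls: "pointer not owned" reports */

static void *tracked_malloc(size_t n) {
    void *p = malloc(n);
    if (p && g_nblocks < MAX_BLOCKS) { g_block[g_nblocks] = p; g_size[g_nblocks++] = n; }
    return p;
}

/* Like ASAN's malloc_usable_size: only the exact start of a live block is
 * "owned"; an interior or foreign pointer is flagged (ASAN aborts instead). */
static size_t checked_size_of(const void *p) {
    for (int i = 0; i < g_nblocks; i++)
        if (g_block[i] == p) return g_size[i];
    g_bad_calls++;
    return 0;
}

/* Stream whose string data lives either inside the object itself (short
 * strings) or in a separate heap block the stream owns (long strings). */
typedef struct {
    const char *data;
    bool owns_heap_buf;
    char inline_buf[24];
} StringStream;

static StringStream *stream_from_string(const char *src) {
    StringStream *s = tracked_malloc(sizeof *s);
    size_t n = strlen(src);
    s->owns_heap_buf = n >= sizeof s->inline_buf;
    char *dst = s->owns_heap_buf ? tracked_malloc(n + 1) : s->inline_buf;
    memcpy(dst, src, n + 1);
    s->data = dst;
    return s;
}

/* Buggy reporter: passes the data pointer to mso() unconditionally; for inline
 * data that is an interior pointer into the stream object, as in the crash. */
static size_t size_of_buggy(const StringStream *s, MallocSizeOf mso) {
    return mso(s) + mso(s->data);
}

/* Fixed reporter: measure the buffer only when it is a heap block the stream
 * owns; inline data is already counted by mso(s). */
static size_t size_of_fixed(const StringStream *s, MallocSizeOf mso) {
    return mso(s) + (s->owns_heap_buf ? mso(s->data) : 0);
}
```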
baku, this is likely related to bug 1313859.
Blocks: 1313859
Priority: -- → P2
Group: toolkit-core-security → core-security
Component: about:memory → DOM
Priority: P2 → --
Product: Toolkit → Core
Group: core-security → dom-core-security
Flags: needinfo?(amarchesini)
Brian, Tyson was unable to reproduce. Did you have some web pages open?

This doesn't seem very bad, because I think it is a read, and the result is not going to be exposed to content.
Flags: needinfo?(geeknik)
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Upon further testing, this only seems to happen after you have browsed a few sites (opened and closed some tabs) and increase Nightly's memory footprint. Launching the browser and just clicking measure only seems to crash it about 5% of the time.
Flags: needinfo?(geeknik)
Flags: sec-bounty?
Presumably you need to navigate to a site that uses Blobs in the right way.
(In reply to Brian Carpenter [:geeknik] from comment #3)
> Upon further testing, this only seems to happen after you have browsed a few
> sites (opened and closed some tabs) and increase Nightly's memory footprint.
> Launching the browser and just clicking measure only seems to crash it about
> 5% of the time.

Brian, is it possible to get a specific list of sites?
Flags: needinfo?(geeknik)
I had the browser idle for 1749 minutes, clicked Measure and received the same crash. But then I loaded up the following tabs: www.cnn.com, www.yahoo.com, www.msnbc.com, news.google.com, drudgereport.com and a new tab. After they loaded completely, I clicked each tab to bring them to the foreground, then loaded about:memory in the new tab and clicked measure and 90 seconds after launching Nightly, it crashed.
Flags: needinfo?(geeknik)
I can reproduce the crash following comment 6. Thanks.
Attached file browser_baku.js
This test reproduces the crash.
Of course, ASAN build only.
Attached patch asan2.patch
Attachment #8814063 - Flags: review?(n.nethercote)
Attachment #8814063 - Flags: review?(n.nethercote) → review+
https://hg.mozilla.org/mozilla-central/rev/0b6635a4c87d
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Group: dom-core-security → core-security-release
Flags: sec-bounty? → sec-bounty-
BTW, I should have suggested using DMD to check the new reporters before landing, because it's built to find exactly this kind of problem: https://developer.mozilla.org/en-US/docs/Mozilla/Performance/DMD
Seems like we should uplift this to 52 as well?
Flags: needinfo?(amarchesini)
Comment on attachment 8814063
asan2.patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 1313859.
[User impact if declined]: wrong memory report.
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: Yes, see the description of the bug.
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: We just changed how the string size is reported in nsStringInputStream.
[String changes made/needed]: none
Flags: needinfo?(amarchesini)
Attachment #8814063 - Flags: approval-mozilla-aurora?
Attachment #8814063 - Flags: approval-mozilla-aurora? → approval-mozilla-beta?
Comment on attachment 8814063
asan2.patch

fix crash with asan, beta52+
Attachment #8814063 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flagging this for verification, instructions in Comment 0.
Flags: qe-verify+
Reproduced the issue on an affected build (ASAN 53.0a1, 20161115140229) using the STR from Comment 6 on Ubuntu 16.04 x64.

This is verified fixed on a recent ASAN build (54.0a1, 20170222230118), using Ubuntu 16.04 x64. I was unable to reproduce the crash after several tries with these same steps.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release
Component: DOM → DOM: Core & HTML