Closed Bug 1344085 Opened 3 years ago Closed 3 months ago

asan builds report heap-use-after-free inside libpref

Categories

(Core :: Preferences: Backend, defect)

Type: defect
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla75
Tracking Status: firefox75 --- fixed

People

(Reporter: markh, Assigned: decoder)

Attachments

(2 files)

Attached file asan crash report
Landing bug 1317223 exposed a heap-use-after-free ASan error inside libpref. That bug is a JS-only patch, so it shouldn't be able to cause such an error; my assumption is that the patch is triggering an existing edge case. The crash happens when calling nsIPrefBranch::resetBranch().

It reports the use after free at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/prefapi.cpp#1009 while the free is at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/nsPrefBranch.cpp#847

Bug 1317223 is landing with xpcshell tests disabled in asan builds, so to reproduce this, you will need to remove the "skip-if = asan" in services/sync/tests/unit/xpcshell.ini and push to try. Note that using artifact builds on try apparently *does not* trigger the crash, but a full build does.

Attached is one such asan report.

I just "discovered" this bug report while I was looking for slow-running tests in TSan. If there is a use-after-free in our codebase indicated by ASan, it should be fixed and the tests re-enabled. I guess the first step is to figure out if this still happens; I'll make a try push.

I did a try push and also retriggered the relevant chunk several times - no failures. I suggest we re-enable these tests to find out if this bug is still present. If it is, it is likely something we want to be aware of and fix; if it is gone, so much the better.

Assignee: nobody → choller
Status: NEW → ASSIGNED
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/95b189516d65
Re-enable sync services tests under ASan. r=markh
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75