Bug 1391500 - ASan reports new-delete-type-mismatch for nsCSSShadowArray
Status: RESOLVED FIXED (closed)
Product / Component: Core :: Layout, defect
Opened 7 years ago; closed 7 years ago
Target milestone: mozilla57

Tracking | Status
---|---
firefox57 | fixed

People: Reporter: ting, Assigned: ting
Attachments: 1 file
Description

Spin off from bug 1373562. ASan r310419 reports the following error:

```
==8404==ERROR: AddressSanitizer: new-delete-type-mismatch on 0x122972e2c4e0 in thread T0:
  object passed to delete has wrong type:
  size of the allocated type:   64 bytes;
  size of the deallocated type: 40 bytes.
    #0 0x7fffaad1c82b in operator delete+0xcb (C:\w\fx\mc\obj-asan\dist\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003c82b)
    #1 0x7fffa606ba0e in RefPtr<nsCSSShadowArray>::~RefPtr<nsCSSShadowArray> c:\w\fx\mc\obj-asan\dist\include\mozilla\refptr.h:78
    #2 0x7fffa0526344 in nsStyleEffects::~nsStyleEffects c:\w\fx\mc\layout\style\nsStyleStruct.cpp:4555
    #3 0x7fffa02b1f2a in nsStyleEffects::Destroy c:\w\fx\mc\layout\style\nsStyleStruct.h:3768
    #4 0x7fffa052531f in nsConditionalResetStyleData::Destroy c:\w\fx\mc\obj-asan\layout\style\nsStyleStructList.h:155
    #5 0x7fffa045971a in nsCachedStyleData::Destroy c:\w\fx\mc\layout\style\nsRuleNode.h:344
    #6 0x7fffa0458a16 in nsRuleNode::~nsRuleNode c:\w\fx\mc\layout\style\nsRuleNode.cpp:1875
    #7 0x7fffa04588ec in nsRuleNode::Destroy c:\w\fx\mc\layout\style\nsRuleNode.cpp:1818
    #8 0x7fffa04e4431 in nsStyleSet::GCRuleTrees c:\w\fx\mc\layout\style\nsStyleSet.cpp:2455
    #9 0x7fffa0284356 in mozilla::GeckoStyleContext::~GeckoStyleContext c:\w\fx\mc\layout\style\GeckoStyleContext.cpp:137
    #10 0x7fffa02840fe in mozilla::GeckoStyleContext::Destroy c:\w\fx\mc\layout\style\GeckoStyleContext.cpp:94
    #11 0x7fffa06b5022 in mozilla::UndisplayedNode::~UndisplayedNode c:\w\fx\mc\layout\base\nsFrameManager.h:45
    #12 0x7fffa06b5ba0 in nsFrameManagerBase::UndisplayedMap::Clear c:\w\fx\mc\layout\base\nsFrameManager.cpp:711
    #13 0x7fffa067603e in nsFrameManager::Destroy c:\w\fx\mc\layout\base\nsFrameManager.cpp:131
    #14 0x7fffa0675c52 in nsCSSFrameConstructor::WillDestroyFrameTree c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:9200
    #15 0x7fffa05a7034 in mozilla::PresShell::Destroy c:\w\fx\mc\layout\base\PresShell.cpp:1387
    #16 0x7fffa06a1b07 in nsDocumentViewer::DestroyPresShell c:\w\fx\mc\layout\base\nsDocumentViewer.cpp:4724
    #17 0x7fffa0690501 in nsDocumentViewer::Destroy c:\w\fx\mc\layout\base\nsDocumentViewer.cpp:1768
    #18 0x7fffa06a3aba in nsDocumentViewer::Show c:\w\fx\mc\layout\base\nsDocumentViewer.cpp:2105
    #19 0x7fffa072e6d7 in nsPresContext::EnsureVisible c:\w\fx\mc\layout\base\nsPresContext.cpp:2240
    #20 0x7fffa05c215e in mozilla::PresShell::UnsuppressAndInvalidate c:\w\fx\mc\layout\base\PresShell.cpp:3904
    #21 0x7fffa06a1d45 in nsDocumentViewer::Stop c:\w\fx\mc\layout\base\nsDocumentViewer.cpp:1831
    #22 0x7fffa2de994f in nsDocShell::Stop c:\w\fx\mc\docshell\base\nsDocShell.cpp:5599
    #23 0x7fffa2e0cccd in nsDocShell::InternalLoad c:\w\fx\mc\docshell\base\nsDocShell.cpp:10718
    #24 0x7fffa2e02d49 in nsDocShell::LoadURI c:\w\fx\mc\docshell\base\nsDocShell.cpp:1598
    #25 0x7fff9bccb0a7 in mozilla::dom::Location::SetURI c:\w\fx\mc\dom\base\Location.cpp:255
    #26 0x7fff9bcce65a in mozilla::dom::Location::SetHrefWithBase c:\w\fx\mc\dom\base\Location.cpp:532
    #27 0x7fff9bccdf72 in mozilla::dom::Location::SetHrefWithContext c:\w\fx\mc\dom\base\Location.cpp:485
    #28 0x7fff9bccdacc in mozilla::dom::Location::SetHref c:\w\fx\mc\dom\base\Location.cpp:450
    #29 0x7fff9c477681 in mozilla::dom::LocationBinding::set_href c:\w\fx\mc\obj-asan\dom\bindings\LocationBinding.cpp:96
    #30 0x7fff9c47661a in mozilla::dom::LocationBinding::genericCrossOriginSetter c:\w\fx\mc\obj-asan\dom\bindings\LocationBinding.cpp:970
    #31 0x7fffa4d4fc01 in js::InternalCallOrConstruct c:\w\fx\mc\js\src\vm\Interpreter.cpp:434
    #32 0x7fffa4d524b0 in js::CallSetter c:\w\fx\mc\js\src\vm\Interpreter.cpp:653
    #33 0x7fffa47d86e7 in js::SetPropertyIgnoringNamedGetter c:\w\fx\mc\js\src\proxy\BaseProxyHandler.cpp:245
    #34 0x7fff9dae7448 in mozilla::dom::DOMProxyHandler::set c:\w\fx\mc\dom\bindings\DOMJSProxyHandler.cpp:225
    #35 0x7fffa48a2e31 in js::Proxy::set c:\w\fx\mc\js\src\proxy\Proxy.cpp:384
    #36 0x7fffa42a7168 in JSObject::nonNativeSetProperty c:\w\fx\mc\js\src\jsobj.cpp:1047
    #37 0x7fffa3c72e11 in JS_SetProperty c:\w\fx\mc\js\src\jsapi.cpp:2703
    #38 0x7fff9d22ee06 in mozilla::dom::WindowBinding::set_location c:\w\fx\mc\obj-asan\dom\bindings\WindowBinding.cpp:1383
    #39 0x7fff9d22ca52 in mozilla::dom::WindowBinding::genericCrossOriginSetter c:\w\fx\mc\obj-asan\dom\bindings\WindowBinding.cpp:15800
    #40 0x7fffa4d4fc01 in js::InternalCallOrConstruct c:\w\fx\mc\js\src\vm\Interpreter.cpp:434
    #41 0x7fffa4d524b0 in js::CallSetter c:\w\fx\mc\js\src\vm\Interpreter.cpp:653
    #42 0x7fffa423b3f0 in js::NativeSetProperty c:\w\fx\mc\js\src\vm\NativeObject.cpp:2825
    #43 0x7fffa48cbdcb in js::Wrapper::set c:\w\fx\mc\js\src\proxy\Wrapper.cpp:153
    #44 0x7fff9bb2d993 in nsOuterWindowProxy::set c:\w\fx\mc\dom\base\nsGlobalWindow.cpp:1418
    #45 0x7fffa48a2e31 in js::Proxy::set c:\w\fx\mc\js\src\proxy\Proxy.cpp:384
    #46 0x7fffa42a7168 in JSObject::nonNativeSetProperty c:\w\fx\mc\js\src\jsobj.cpp:1047
    #47 0x7fffa4d38975 in Interpret c:\w\fx\mc\js\src\vm\Interpreter.cpp:2944
    #48 0x7fffa4d17010 in js::RunScript c:\w\fx\mc\js\src\vm\Interpreter.cpp:409
    #49 0x7fffa4d52dee in js::ExecuteKernel c:\w\fx\mc\js\src\vm\Interpreter.cpp:698
    #50 0x7fffa4d53717 in js::Execute c:\w\fx\mc\js\src\vm\Interpreter.cpp:730
    #51 0x7fffa3c913ca in ExecuteScript c:\w\fx\mc\js\src\jsapi.cpp:4651
    #52 0x7fff9bf8d61f in nsJSUtils::ExecutionContext::CompileAndExec c:\w\fx\mc\dom\base\nsJSUtils.cpp:265
    #53 0x7fff9f5efe88 in mozilla::dom::ScriptLoader::EvaluateScript c:\w\fx\mc\dom\script\ScriptLoader.cpp:2144
    #54 0x7fff9f5eb67d in mozilla::dom::ScriptLoader::ProcessRequest c:\w\fx\mc\dom\script\ScriptLoader.cpp:1802
    #55 0x7fff9f5d2d6b in mozilla::dom::ScriptLoader::ProcessScriptElement c:\w\fx\mc\dom\script\ScriptLoader.cpp:1499
    #56 0x7fff9f5cf9a6 in mozilla::dom::ScriptElement::MaybeProcessScript c:\w\fx\mc\dom\script\ScriptElement.cpp:149
    #57 0x7fff9aed48e0 in nsHtml5TreeOpExecutor::RunScript c:\w\fx\mc\parser\html\nsHtml5TreeOpExecutor.cpp:698
    #58 0x7fff9aece445 in nsHtml5TreeOpExecutor::RunFlushLoop c:\w\fx\mc\parser\html\nsHtml5TreeOpExecutor.cpp:506
    #59 0x7fff9aed939e in nsHtml5ExecutorFlusher::Run c:\w\fx\mc\parser\html\nsHtml5StreamParser.cpp:128
    #60 0x7fff993679db in mozilla::SchedulerGroup::Runnable::Run c:\w\fx\mc\xpcom\threads\SchedulerGroup.cpp:387
    #61 0x7fff99398a72 in nsThread::ProcessNextEvent c:\w\fx\mc\xpcom\threads\nsThread.cpp:1569
    #62 0x7fff9939e6e9 in NS_ProcessNextEvent c:\w\fx\mc\xpcom\threads\nsThreadUtils.cpp:521
    #63 0x7fff9a0ef994 in mozilla::ipc::MessagePump::Run c:\w\fx\mc\ipc\glue\MessagePump.cpp:97
    #64 0x7fff9a08043e in MessageLoop::RunHandler c:\w\fx\mc\ipc\chromium\src\base\message_loop.cc:312
    #65 0x7fff9a0801db in MessageLoop::Run c:\w\fx\mc\ipc\chromium\src\base\message_loop.cc:299
    #66 0x7fff9f75debc in nsBaseAppShell::Run c:\w\fx\mc\widget\nsBaseAppShell.cpp:158
    #67 0x7fff9f8a45cb in nsAppShell::Run c:\w\fx\mc\widget\windows\nsAppShell.cpp:210
    #68 0x7fffa392b881 in XRE_RunAppShell c:\w\fx\mc\toolkit\xre\nsEmbedFunctions.cpp:882
    #69 0x7fff9a08043e in MessageLoop::RunHandler c:\w\fx\mc\ipc\chromium\src\base\message_loop.cc:312
    #70 0x7fff9a0801db in MessageLoop::Run c:\w\fx\mc\ipc\chromium\src\base\message_loop.cc:299
    #71 0x7fffa392ae42 in XRE_InitChildProcess c:\w\fx\mc\toolkit\xre\nsEmbedFunctions.cpp:699
    #72 0x7ff715692363 in content_process_main c:\w\fx\mc\ipc\contentproc\plugin-container.cpp:64
    #73 0x7ff715691641 in NS_internal_main c:\w\fx\mc\browser\app\nsBrowserApp.cpp:285
    #74 0x7ff7156912d8 in wmain c:\w\fx\mc\toolkit\xre\nsWindowsWMain.cpp:115
    #75 0x7ff7157202a0 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:253
    #76 0x7fffda782773 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180012773)
    #77 0x7fffdc2e0d50 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180070d50)

0x122972e2c4e0 is located 0 bytes inside of 64-byte region [0x122972e2c4e0,0x122972e2c520)
allocated by thread T0 here:
    #0 0x7fffaad10d91 in _asan_memmove+0x3d1 (C:\w\fx\mc\obj-asan\dist\bin\clang_rt.asan_dynamic-x86_64.dll+0x180030d91)
    #1 0x7fffaba3aed1 in moz_xmalloc c:\w\fx\mc\memory\mozalloc\mozalloc.cpp:83
    #2 0x7fffa04b30de in GetShadowData c:\w\fx\mc\layout\style\nsRuleNode.cpp:4461
    #3 0x7fffa049e73a in nsRuleNode::ComputeEffectsData c:\w\fx\mc\layout\style\nsRuleNode.cpp:10342
    #4 0x7fffa045b8b9 in nsRuleNode::WalkRuleTree c:\w\fx\mc\layout\style\nsRuleNode.cpp:2832
    #5 0x7fff9dc31d2c in nsRuleNode::GetStyleEffects<1> c:\w\fx\mc\obj-asan\dist\include\nsStyleStructList.h:155
    #6 0x7fff9e25cfc4 in nsStyleDisplay::HasFixedPosContainingBlockStyleInternal<nsStyleContext> c:\w\fx\mc\layout\style\nsStyleStructInlines.h:163
    #7 0x7fffa06534ea in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5056
    #8 0x7fffa0658d32 in nsCSSFrameConstructor::ConstructScrollableBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5020
    #9 0x7fffa0655401 in nsCSSFrameConstructor::ConstructFrameFromItemInternal c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:4017
    #10 0x7fffa065eed4 in nsCSSFrameConstructor::ConstructFramesFromItem c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:6409
    #11 0x7fffa0641d3c in nsCSSFrameConstructor::ProcessChildren c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:11279
    #12 0x7fffa064a7dd in nsCSSFrameConstructor::ConstructBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:12499
    #13 0x7fffa0652ea0 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5108
    #14 0x7fffa0658d58 in nsCSSFrameConstructor::ConstructNonScrollableBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5072
    #15 0x7fffa0655401 in nsCSSFrameConstructor::ConstructFrameFromItemInternal c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:4017
    #16 0x7fffa065eed4 in nsCSSFrameConstructor::ConstructFramesFromItem c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:6409
    #17 0x7fffa0641d3c in nsCSSFrameConstructor::ProcessChildren c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:11279
    #18 0x7fffa0655f9a in nsCSSFrameConstructor::ConstructFrameFromItemInternal c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:4201
    #19 0x7fffa065eed4 in nsCSSFrameConstructor::ConstructFramesFromItem c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:6409
    #20 0x7fffa0641d3c in nsCSSFrameConstructor::ProcessChildren c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:11279
    #21 0x7fffa064a7dd in nsCSSFrameConstructor::ConstructBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:12499
    #22 0x7fffa0652ea0 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5108
    #23 0x7fffa0658d58 in nsCSSFrameConstructor::ConstructNonScrollableBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5072
    #24 0x7fffa0655401 in nsCSSFrameConstructor::ConstructFrameFromItemInternal c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:4017
    #25 0x7fffa065eed4 in nsCSSFrameConstructor::ConstructFramesFromItem c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:6409
    #26 0x7fffa0641d3c in nsCSSFrameConstructor::ProcessChildren c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:11279
    #27 0x7fffa064a7dd in nsCSSFrameConstructor::ConstructBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:12499
    #28 0x7fffa0653641 in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5053
    #29 0x7fffa0658d32 in nsCSSFrameConstructor::ConstructScrollableBlock c:\w\fx\mc\layout\base\nsCSSFrameConstructor.cpp:5020

SUMMARY: AddressSanitizer: new-delete-type-mismatch (C:\w\fx\mc\obj-asan\dist\bin\clang_rt.asan_dynamic-x86_64.dll+0x18003c82b) in operator delete+0xcb
==8404==HINT: if you don't care about these errors you may set ASAN_OPTIONS=new_delete_type_mismatch=0
==8404==ABORTING
```

nsCSSValue has a similar implementation but is not reported as an error; it has operator delete defined, though.
Comment 2 • 7 years ago (mozreview-review)

Comment on attachment 8898597 [details]
Bug 1391500 - Fix the new-delete-type-mismatch error that ASan reports.
https://reviewboard.mozilla.org/r/169984/#review176468

Attachment #8898597 - Flags: review?(ehsan) → review+
Comment 3 • 7 years ago

Botond, I was wondering if you know why this works by any chance?

Flags: needinfo?(botond)
Comment 4 • 7 years ago

(In reply to :Ehsan Akhgari (needinfo please, extremely long backlog, Away 8/23) from comment #3)
> Botond, I was wondering if you know why this works by any chance?

Do you mean why the patch fixes the ASan warning? I guess ASan doesn't like it when you overload "operator new" for a class without also overloading "operator delete". In this case, omitting the "operator delete" overload is fine, because the overloaded "operator new" just calls the global "operator new" with a larger size, and "operator delete" doesn't need to be passed the size, but you could imagine a different implementation of an overloaded "operator new" which needed a matching implementation of "operator delete", and ASan wants to make sure you didn't forget it.

Flags: needinfo?(botond)
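The pattern comment 4 describes, as an added, constructed example that is not Firefox code and not the patch that landed: a header object with a trailing inline array, allocated by a class-scope "operator new" that asks the global allocator for more than sizeof(the class). The names (ShadowItem, ShadowArrayBefore, ShadowArray, ArrayAllocSize, MismatchFor, RoundTrip) are all invented for the example. What ASan's new-delete-type-mismatch check actually compares is the size recorded when the block was allocated against the size argument that a sized "operator delete" receives; when a class overloads "operator new" but not "operator delete" and the build uses C++14 sized deallocation (MSVC turns it on by default, which matches the Windows build in the report), `delete p` lowers to `::operator delete(p, sizeof(T))` and the two sizes disagree. Adding the unsized class-scope "operator delete", as the fix here does, makes `delete p` call that function instead, so no size is passed and nothing can disagree:

```cpp
#include <cstddef>
#include <cstdint>
#include <new>

// Constructed stand-in for the item type stored in the trailing array.
struct ShadowItem {
  int32_t mXOffset;
  int32_t mYOffset;
  int32_t mRadius;
};

// Bytes needed for a block holding `count` items: the first item lives
// inside the object, the remaining count-1 items trail it in the same block.
static size_t ArrayAllocSize(size_t baseSize, uint32_t count) {
  return baseSize + (count > 0 ? (count - 1) * sizeof(ShadowItem) : 0);
}

// "Before": operator new is overloaded, operator delete is not. Under sized
// deallocation `delete p` becomes ::operator delete(p, sizeof(ShadowArrayBefore)),
// and ASan compares that size with the larger allocation it recorded.
class ShadowArrayBefore {
public:
  void* operator new(size_t aBaseSize, uint32_t aCount) {
    return ::operator new(ArrayAllocSize(aBaseSize, aCount));
  }
  explicit ShadowArrayBefore(uint32_t aCount) : mLength(aCount) {}
  uint32_t mLength;
  ShadowItem mArray[1];
};

// "After": the class-scope unsized operator delete is the shape of the fix.
// Deallocation-function lookup for `delete p` now stops at this function,
// which forwards to the unsized global delete, so no size is ever compared.
class ShadowArray {
public:
  void* operator new(size_t aBaseSize, uint32_t aCount) {
    return ::operator new(ArrayAllocSize(aBaseSize, aCount));
  }
  void operator delete(void* aPtr) { ::operator delete(aPtr); }

  explicit ShadowArray(uint32_t aCount) : mLength(aCount) {}
  uint32_t Length() const { return mLength; }
  ShadowItem& ItemAt(uint32_t i) { return mArray[i]; }

private:
  uint32_t mLength;
  ShadowItem mArray[1];  // items 1..mLength-1 follow in the same block
};

// The two sizes ASan would compare for the unfixed class: the allocated
// block versus the sized-delete argument. They differ for any count > 1.
struct SizePair {
  size_t allocated;
  size_t deallocated;
};
static SizePair MismatchFor(uint32_t count) {
  return {ArrayAllocSize(sizeof(ShadowArrayBefore), count), sizeof(ShadowArrayBefore)};
}

// Allocate, fill and free a fixed array; returns the sum of the radii so the
// round trip can be checked. `delete arr` resolves to ShadowArray::operator
// delete(void*), which is why an ASan build stays quiet here.
static int32_t RoundTrip(uint32_t count) {
  ShadowArray* arr = new (count) ShadowArray(count);
  for (uint32_t i = 0; i < count; ++i) {
    arr->ItemAt(i) = {int32_t(i), int32_t(2 * i), int32_t(3 * i)};
  }
  int32_t sum = 0;
  for (uint32_t i = 0; i < arr->Length(); ++i) {
    sum += arr->ItemAt(i).mRadius;
  }
  delete arr;
  return sum;
}

int main() { return RoundTrip(4) == 18 ? 0 : 1; }
```

Without a sanitizer both classes run identically, because the global unsized and sized deletes free the same block; the disagreement only becomes visible when the program is built with -fsanitize=address and sized deallocation is in effect, which is exactly the configuration of the report above. The placement-new syntax `new (count) ShadowArray(count)` is what routes the item count into the class-scope operator new.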
Comment 5 • 7 years ago

Yes, thanks, makes sense.
Updated • 7 years ago

Assignee: nobody → janus926
Pushed by tchou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/22a45764afa4 Fix the new-delete-type-mismatch error that ASan reports. r=Ehsan
Comment 7 • 7 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/22a45764afa4
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla57