Closed Bug 1404226 Opened 3 years ago Closed 3 years ago

fsanitize=enum (ubsan) runtime errors for mozilla::ipc::Transport::Mode

Categories

(Core :: IPC, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: arthur, Assigned: arthur)

References

(Blocks 1 open bug)

Details

(Whiteboard: [tor])

Attachments

(1 file)

Running automated tests with fsanitize=enum produces errors like:

> [task 2017-09-25T00:24:29.687Z] 00:24:29     INFO - GECKO(1097) | /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:626:22: runtime error: load of value 32616, which is not a valid value for type 'Mode'

(In reply to Arthur Edelstein (Tor Browser dev) [:arthuredelstein] from comment #0)
> Running automated tests with fsanitize=enum produces errors like:

Can you give a specific example of a test that produces that error?

What is on line 626 of ProtocolUtils.h in the version you are building against? On trunk, that doesn't appear to involve an enum. There are a few assignments to Endpoint::mMode around there.

Do you have a stack?
Flags: needinfo?(arthuredelstein)

My guess would be that what is happening is that Endpoint() does not initialize mMode, and then we're copying it before it is initialized. We've had similar issues in IPDL code before.

Hi Andrew,

Here's an example stack trace. This happened pretty soon after startup (no sites visited). You were right -- looks like the line has moved slightly when I pulled in the latest code. (The path says "/home/arthur/tor-browser" but it's on the latest mozilla-central branch.)

/home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/dist/include/mozilla/ipc/ProtocolUtils.h:632:35: runtime error: load of value 32585, which is not a valid value for type 'Mode'
    #0 0x7f4995c088f2 in mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>::Endpoint(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/dist/include/mozilla/ipc/ProtocolUtils.h:632
    #1 0x7f4995c0862d in mozilla::detail::TupleImpl<0ul, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild> >::TupleImpl<mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>, , void>(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/dist/include/mozilla/Tuple.h:142
    #2 0x7f4995c0811b in mozilla::Tuple<mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild> >::Tuple<mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>, , void>(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/dist/include/mozilla/Tuple.h:228
    #3 0x7f4995c076a7 in mozilla::Tuple<mozilla::Decay<mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild> >::Type> mozilla::MakeTuple<mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild> >(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/dist/include/mozilla/Tuple.h:436
    #4 0x7f4995c05fc6 in already_AddRefed<mozilla::Runnable> NewRunnableFunction<void (*)(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&), mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild> >(void (*)(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&), mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/ipc/chromium/src/base/task.h:379
    #5 0x7f4995c00a32 in mozilla::dom::VideoDecoderManagerChild::InitForContent(mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&) /home/arthur/tor-browser/dom/media/ipc/VideoDecoderManagerChild.cpp:55
    #6 0x7f4996821ff4 in mozilla::dom::ContentChild::RecvInitRendering(mozilla::ipc::Endpoint<mozilla::layers::PCompositorManagerChild>&&, mozilla::ipc::Endpoint<mozilla::layers::PImageBridgeChild>&&, mozilla::ipc::Endpoint<mozilla::gfx::PVRManagerChild>&&, mozilla::ipc::Endpoint<mozilla::dom::PVideoDecoderManagerChild>&&, nsTArray<unsigned int>&&) /home/arthur/tor-browser/dom/ipc/ContentChild.cpp:1358
    #7 0x7f4990ca7303 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /home/arthur/tor-browser/obj-x86_64-pc-linux-gnu/ipc/ipdl/PContentChild.cpp:5330
    #8 0x7f4996830fcf in mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) /home/arthur/tor-browser/dom/ipc/ContentChild.cpp:3713
    #9 0x7f498fd85a3c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/arthur/tor-browser/ipc/glue/MessageChannel.cpp:2119
...etc

There are also thousands of occurrences when I built with -fsanitize=enum and ran the automated tests on try servers.
Flags: needinfo?(arthuredelstein)
Blocks: 1404547
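The pattern Andrew describes (a default constructor that leaves mMode indeterminate, followed by a move that loads it) reduced to a stand-alone illustration. This is added example code, not Mozilla's Endpoint or the patch attached to this bug; the enum values, the class bodies and the IsValidMode helper are constructed here.

```cpp
// Added illustration of the uninitialized-enum pattern described in this bug.
// Names (Mode, Endpoint, mMode, mValid) mirror the report; the enum values
// and the class bodies are constructed here, not copied from Mozilla's tree.
#include <cstdint>
#include <utility>

namespace demo {

// Hypothetical stand-in for mozilla::ipc::Transport::Mode.
enum Mode : int32_t { MODE_SERVER = 0, MODE_CLIENT = 1 };

// Mirrors what -fsanitize=enum checks at each load: is the stored bit
// pattern one of the enumerators?
inline bool IsValidMode(int32_t raw) {
  return raw == MODE_SERVER || raw == MODE_CLIENT;
}

// BUGGY shape: the default constructor leaves mMode indeterminate, so a
// later move (Endpoint(Endpoint&&)) loads an arbitrary value such as the
// 32585 seen in the report. Kept only for comparison; never instantiated.
struct EndpointBuggy {
  bool mValid;
  Mode mMode;
  EndpointBuggy() : mValid(false) {}                 // mMode not set
  EndpointBuggy(EndpointBuggy&& o) : mValid(o.mValid), mMode(o.mMode) {}
};

// FIXED shape: every constructor gives mMode a real enumerator, so the
// move constructor only ever loads a valid value.
struct EndpointFixed {
  bool mValid;
  Mode mMode;
  EndpointFixed() : mValid(false), mMode(MODE_SERVER) {}
  explicit EndpointFixed(Mode aMode) : mValid(true), mMode(aMode) {}
  EndpointFixed(EndpointFixed&& o) : mValid(o.mValid), mMode(o.mMode) {
    o.mValid = false;
  }
};

// Default-construct, then move, as the stack trace does via MakeTuple /
// NewRunnableFunction. Returns the raw value the move constructor loaded.
inline int32_t ModeAfterMove() {
  EndpointFixed src;
  EndpointFixed dst(std::move(src));
  return static_cast<int32_t>(dst.mMode);
}

}  // namespace demo
```

Building the buggy shape with -fsanitize=enum and moving a default-constructed instance is what produces the "load of value N, which is not a valid value for type 'Mode'" report; the fixed shape never loads anything outside the enumerator set.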

Here's a patch that blocks these errors.

try server: https://treeherder.mozilla.org/#/jobs?repo=try&revision=46c95a91f89f
(third patch from top)
Assignee: nobody → arthuredelstein
Attachment #8914245 - Flags: review?(wmccloskey)
Attachment #8914245 - Flags: review?(wmccloskey) → review+

Thanks for the review, Bill.
Keywords: checkin-needed

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/04b99fcf7234
Fix ubsan runtime error for mozilla::ipc::Transport::Mode enum. r=billm
Keywords: checkin-needed

https://hg.mozilla.org/mozilla-central/rev/04b99fcf7234
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58