Closed Bug 1414038 Opened 8 years ago Closed 8 years ago

Use-after-free 8 byte READ running tests under ASAN on macOS

Categories

(Core :: Graphics: CanvasWebGL, defect)

defect
Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1414725
Tracking Status
firefox58 --- affected

People

(Reporter: Alex_Gaynor, Unassigned)

Details

STR, tested on macOS only:

1) Build nightly (3502694e2053) with ASAN
2) ./mach mochitest dom/canvas/test/webgl-mochitest/
3) Observe

GECKO(18669) | ==18670==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300055e9b0 at pc 0x00012397b53a bp 0x7ffee2124c30 sp 0x7ffee2124c28
GECKO(18669) | READ of size 8 at 0x60300055e9b0 thread T0
GECKO(18669) | ==18670==WARNING: invalid path to external symbolizer!
GECKO(18669) | ==18670==WARNING: Failed to use and restart external symbolizer!
GECKO(18669) | #0 0x12397b539 in std::__1::__hash_iterator<std::__1::__hash_node<mozilla::detail::CacheMapUntypedEntry const*, void*>*> std::__1::__hash_table<mozilla::detail::CacheMapUntypedEntry const*, std::__1::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__1::equal_to<mozilla::detail::CacheMapUntypedEntry const*>, std::__1::allocator<mozilla::detail::CacheMapUntypedEntry const*> >::find<mozilla::detail::CacheMapUntypedEntry const*>(mozilla::detail::CacheMapUntypedEntry const* const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b9a539)
GECKO(18669) | #1 0x123889c34 in mozilla::CacheMapInvalidator::InvalidateCaches() const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6aa8c34)
GECKO(18669) | #2 0x1239a020f in mozilla::WebGLBuffer::Delete() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bbf20f)
GECKO(18669) | #3 0x1239a973d in mozilla::WebGLContext::DestroyResourcesAndContext() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bc873d)
GECKO(18669) | #4 0x1239ac1d0 in mozilla::WebGLContext::ForceLoseContext(bool) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bcb1d0)
GECKO(18669) | #5 0x1239b78ad in mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bd68ad)
GECKO(18669) | #6 0x1239b2f04 in mozilla::WebGLContext::SetDimensions(int, int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bd1f04)
GECKO(18669) | #7 0x1238e1e54 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b00e54)
GECKO(18669) | #8 0x1238e14fa in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b004fa)
GECKO(18669) | #9 0x123f6af00 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7189f00)
GECKO(18669) | #10 0x1232b546a in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x64d446a)
GECKO(18669) | #11 0x12377f073 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x699e073)
GECKO(18669) | #12 0x200000311a82 (<unknown module>)
GECKO(18669) | #13 0x6210015e1597 (<unknown module>)
GECKO(18669) | #14 0x2000002f6e7d (<unknown module>)
GECKO(18669) | #15 0x6210015f473f (<unknown module>)
GECKO(18669) | #16 0x200000010dbe (<unknown module>)
GECKO(18669) | #17 0x12bcb2b35 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeed1b35)
GECKO(18669) | #18 0x12b952db8 in Interpret(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb71db8)
GECKO(18669) | #19 0x12b9254d3 in js::RunScript(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb444d3)
GECKO(18669) | #20 0x12b96cde6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8bde6)
GECKO(18669) | #21 0x12b96db2e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8cb2e)
GECKO(18669) | #22 0x12c86c59a in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8b59a)
GECKO(18669) | #23 0x12c86d30c in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8c30c)
GECKO(18669) | #24 0x1210dd879 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x42fc879)
GECKO(18669) | #25 0x125d71a4e in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f90a4e)
GECKO(18669) | #26 0x125d6bc3a in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f8ac3a)
GECKO(18669) | #27 0x125d46edd in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f65edd)
GECKO(18669) | #28 0x125d42368 in mozilla::dom::ScriptElement::MaybeProcessScript() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f61368)
GECKO(18669) | #29 0x11faf7b6e in nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d16b6e)
GECKO(18669) | #30 0x11faf0e20 in nsHtml5TreeOpExecutor::RunFlushLoop() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d0fe20)
GECKO(18669) | #31 0x11fb00b1f in nsHtml5ExecutorReflusher::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d1fb1f)
GECKO(18669) | #32 0x11d134aaa in mozilla::SchedulerGroup::Runnable::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x353aaa)
GECKO(18669) | #33 0x11d1732a2 in nsThread::ProcessNextEvent(bool, bool*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3922a2)
GECKO(18669) | #34 0x11d19c805 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3bb805)
GECKO(18669) | #35 0x125f73872 in nsBaseAppShell::NativeEventCallback() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9192872)
GECKO(18669) | #36 0x1260946a9 in nsAppShell::ProcessGeckoEvents(void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x92b36a9)
GECKO(18669) | #37 0x7fff354e0820 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3820)
GECKO(18669) | #38 0x7fff3559a4cb in __CFRunLoopDoSource0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x15d4cb)
GECKO(18669) | #39 0x7fff354c32bf in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x862bf)
GECKO(18669) | #40 0x7fff354c273c in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x8573c)
GECKO(18669) | #41 0x7fff354c1fa2 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0x84fa2)
GECKO(18669) | #42 0x7fff347e1865 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f865)
GECKO(18669) | #43 0x7fff347e15d5 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f5d5)
GECKO(18669) | #44 0x7fff347e1353 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x2f353)
GECKO(18669) | #45 0x7fff32adea22 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x41a22)
GECKO(18669) | #46 0x7fff33273e6b in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7d6e6b)
GECKO(18669) | #47 0x126092492 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x92b1492)
GECKO(18669) | #48 0x7fff32ad3830 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x36830)
GECKO(18669) | #49 0x1260959e8 in nsAppShell::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x92b49e8)
GECKO(18669) | #50 0x12b4c5e7f in XRE_RunAppShell() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xe6e4e7f)
GECKO(18669) | #51 0x11e300eba in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x151feba)
GECKO(18669) | #52 0x11e20b7d9 in MessageLoop::RunInternal() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x142a7d9)
GECKO(18669) | #53 0x11e20b41c in MessageLoop::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x142a41c)
GECKO(18669) | #54 0x12b4c50fc in XRE_InitChildProcess(int, char**, XREChildData const*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xe6e40fc)
GECKO(18669) | #55 0x10dad260e in main (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x10000160e)
GECKO(18669) | #56 0x10dad2453 in start (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100001453)
GECKO(18669) | 0x60300055e9b0 is located 16 bytes inside of 24-byte region [0x60300055e9a0,0x60300055e9b8)
GECKO(18669) | freed by thread T0 here:
GECKO(18669) | #0 0x10e573106 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x59106)
GECKO(18669) | #1 0x12388a76c in mozilla::detail::CacheMapUntypedEntry::~CacheMapUntypedEntry() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6aa976c)
GECKO(18669) | #2 0x123b0e08f in unsigned long std::__1::__tree<std::__1::__value_type<mozilla::WebGLVertexArray const* const*, mozilla::UniquePtr<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const, mozilla::DefaultDelete<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const> > >, std::__1::__map_value_compare<mozilla::WebGLVertexArray const* const*, std::__1::__value_type<mozilla::WebGLVertexArray const* const*, mozilla::UniquePtr<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const, mozilla::DefaultDelete<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const> > >, mozilla::detail::DerefLess<mozilla::WebGLVertexArray const*>, false>, std::__1::allocator<std::__1::__value_type<mozilla::WebGLVertexArray const* const*, mozilla::UniquePtr<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const, mozilla::DefaultDelete<mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry const> > > > >::__erase_unique<mozilla::WebGLVertexArray const* const*>(mozilla::WebGLVertexArray const* const* const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6d2d08f)
GECKO(18669) | #3 0x123b0dd35 in mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Entry::Invalidate() const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6d2cd35)
GECKO(18669) | #4 0x123889c29 in mozilla::CacheMapInvalidator::InvalidateCaches() const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6aa8c29)
GECKO(18669) | #5 0x1239a020f in mozilla::WebGLBuffer::Delete() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bbf20f)
GECKO(18669) | #6 0x1239a973d in mozilla::WebGLContext::DestroyResourcesAndContext() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bc873d)
GECKO(18669) | #7 0x1239ac1d0 in mozilla::WebGLContext::ForceLoseContext(bool) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bcb1d0)
GECKO(18669) | #8 0x1239b78ad in mozilla::WebGLContext::LoseOldestWebGLContextIfLimitExceeded() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bd68ad)
GECKO(18669) | #9 0x1239b2f04 in mozilla::WebGLContext::SetDimensions(int, int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bd1f04)
GECKO(18669) | #10 0x1238e1e54 in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b00e54)
GECKO(18669) | #11 0x1238e14fa in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b004fa)
GECKO(18669) | #12 0x123f6af00 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x7189f00)
GECKO(18669) | #13 0x1232b546a in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x64d446a)
GECKO(18669) | #14 0x12377f073 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x699e073)
GECKO(18669) | #15 0x200000311a82 (<unknown module>)
GECKO(18669) | #16 0x6210015e1597 (<unknown module>)
GECKO(18669) | #17 0x2000002f6e7d (<unknown module>)
GECKO(18669) | #18 0x6210015f473f (<unknown module>)
GECKO(18669) | #19 0x200000010dbe (<unknown module>)
GECKO(18669) | #20 0x12bcb2b35 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeed1b35)
GECKO(18669) | #21 0x12b952db8 in Interpret(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb71db8)
GECKO(18669) | #22 0x12b9254d3 in js::RunScript(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb444d3)
GECKO(18669) | #23 0x12b96cde6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8bde6)
GECKO(18669) | #24 0x12b96db2e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8cb2e)
GECKO(18669) | #25 0x12c86c59a in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8b59a)
GECKO(18669) | #26 0x12c86d30c in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8c30c)
GECKO(18669) | #27 0x1210dd879 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x42fc879)
GECKO(18669) | #28 0x125d71a4e in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f90a4e)
GECKO(18669) | #29 0x125d6bc3a in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f8ac3a)
GECKO(18669) | previously allocated by thread T0 here:
GECKO(18669) | #0 0x10e572f3c in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/9.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x58f3c)
GECKO(18669) | #1 0x10e45580d in moz_xmalloc (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/libmozglue.dylib:x86_64+0x180d)
GECKO(18669) | #2 0x12388a087 in mozilla::detail::CacheMapUntypedEntry::CacheMapUntypedEntry(std::__1::vector<mozilla::CacheMapInvalidator const*, std::__1::allocator<mozilla::CacheMapInvalidator const*> >&&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6aa9087)
GECKO(18669) | #3 0x123a6112f in mozilla::CacheMap<mozilla::WebGLVertexArray const*, mozilla::webgl::CachedDrawFetchLimits>::Insert(mozilla::WebGLVertexArray const*&&, mozilla::webgl::CachedDrawFetchLimits&&, std::__1::vector<mozilla::CacheMapInvalidator const*, std::__1::allocator<mozilla::CacheMapInvalidator const*> >&&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6c8012f)
GECKO(18669) | #4 0x123a6087c in mozilla::webgl::LinkedProgramInfo::GetDrawFetchLimits(char const*) const (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6c7f87c)
GECKO(18669) | #5 0x123a194a2 in mozilla::ScopedDrawHelper::ScopedDrawHelper(mozilla::WebGLContext*, char const*, unsigned int, mozilla::Maybe<unsigned int> const&, unsigned int, bool*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6c384a2)
GECKO(18669) | #6 0x1239d57db in mozilla::WebGLContext::DrawArrays(unsigned int, int, int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6bf47db)
GECKO(18669) | #7 0x122af428f in mozilla::dom::WebGLRenderingContextBinding::drawArrays(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLContext*, JSJitMethodCallArgs const&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x5d1328f)
GECKO(18669) | #8 0x12377f073 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x699e073)
GECKO(18669) | #9 0x12b9675d5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb865d5)
GECKO(18669) | #10 0x12b94a405 in Interpret(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb69405)
GECKO(18669) | #11 0x12b9254d3 in js::RunScript(JSContext*, js::RunState&) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb444d3)
GECKO(18669) | #12 0x12b96cde6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8bde6)
GECKO(18669) | #13 0x12b96db2e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xeb8cb2e)
GECKO(18669) | #14 0x12c86c59a in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8b59a)
GECKO(18669) | #15 0x12c86d30c in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0xfa8c30c)
GECKO(18669) | #16 0x1210dd879 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x42fc879)
GECKO(18669) | #17 0x125d71a4e in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f90a4e)
GECKO(18669) | #18 0x125d6bc3a in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f8ac3a)
GECKO(18669) | #19 0x125d46edd in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f65edd)
GECKO(18669) | #20 0x125d42368 in mozilla::dom::ScriptElement::MaybeProcessScript() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x8f61368)
GECKO(18669) | #21 0x11faf7b6e in nsHtml5TreeOpExecutor::RunScript(nsIContent*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d16b6e)
GECKO(18669) | #22 0x11faf0e20 in nsHtml5TreeOpExecutor::RunFlushLoop() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d0fe20)
GECKO(18669) | #23 0x11fb00b1f in nsHtml5ExecutorReflusher::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x2d1fb1f)
GECKO(18669) | #24 0x11d134aaa in mozilla::SchedulerGroup::Runnable::Run() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x353aaa)
GECKO(18669) | #25 0x11d1732a2 in nsThread::ProcessNextEvent(bool, bool*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3922a2)
GECKO(18669) | #26 0x11d19c805 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x3bb805)
GECKO(18669) | #27 0x125f73872 in nsBaseAppShell::NativeEventCallback() (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x9192872)
GECKO(18669) | #28 0x1260946a9 in nsAppShell::ProcessGeckoEvents(void*) (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x92b36a9)
GECKO(18669) | #29 0x7fff354e0820 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64h+0xa3820)
GECKO(18669) | SUMMARY: AddressSanitizer: heap-use-after-free (/Users/agaynor/projects/mozilla-central/obj-x86_64-apple-darwin17.2.0/dist/NightlyDebug.app/Contents/MacOS/XUL:x86_64+0x6b9a539) in
std::__1::__hash_iterator<std::__1::__hash_node<mozilla::detail::CacheMapUntypedEntry const*, void*>*> std::__1::__hash_table<mozilla::detail::CacheMapUntypedEntry const*, std::__1::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__1::equal_to<mozilla::detail::CacheMapUntypedEntry const*>, std::__1::allocator<mozilla::detail::CacheMapUntypedEntry const*> >::find<mozilla::detail::CacheMapUntypedEntry const*>(mozilla::detail::CacheMapUntypedEntry const* const&)
Group: core-security → gfx-core-security
This is an error in `CacheMapInvalidator::InvalidateCaches()`; I'll add notes in bug 1414725.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security