1414725 - AddressSanitizer: heap-use-after-free (Web Content) in std::__detail::_Hash_code_base<...>::::_M_hash_code<...>

Status: RESOLVED DUPLICATE of bug 1417312

(Core :: Graphics: CanvasWebGL, defect)

Description

[Bob Clary [:bc] (inactive)]

Attachment: Linux Debug Asan Log

[Tracking Requested - why for this release]: I think this is a recent regression.

1. http://www.bild.de/regional/hamburg/hamburg-regional/home-16344102.bild.html

2. 
==22106==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020002de778 at pc 0x7fbe09d83d97 bp 0x7ffc39495250 sp 0x7ffc39495248
READ of size 8 at 0x6020002de778 thread T0 (Web Content)
    #0 0x7fbe09d83d96 in std::__detail::_Hash_code_base<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::__detail::_Identity, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, false>::_M_hash_code(mozilla::detail::CacheMapUntypedEntry const* const&) const /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable_policy.h:1175:24
    #1 0x7fbe09d83c8c in std::_Hashtable<mozilla::detail::CacheMapUntypedEntry const*, mozilla::detail::CacheMapUntypedEntry const*, std::allocator<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Identity, std::equal_to<mozilla::detail::CacheMapUntypedEntry const*>, std::hash<mozilla::detail::CacheMapUntypedEntry const*>, std::__detail::_Mod_range_hashing, std::__detail::_Default_ranged_hash, std::__detail::_Prime_rehash_policy, std::__detail::_Hashtable_traits<false, true, true> >::find(mozilla::detail::CacheMapUntypedEntry const* const&) /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/hashtable.h:1302:34
    #2 0x7fbe09cf9a85 in mozilla::CacheMapInvalidator::InvalidateCaches() const /builds/worker/workspace/build/src/dom/canvas/CacheMap.cpp:17:9
    #3 0x7fbe09da5741 in mozilla::WebGLBuffer::Delete() /builds/worker/workspace/build/src/dom/canvas/WebGLBuffer.cpp:64:23
    #4 0x7fbe09d98bea in mozilla::WebGLRefCountedObject<mozilla::WebGLBuffer>::DeleteOnce() /builds/worker/workspace/build/src/dom/canvas/WebGLObjectModel.h:185:42
    #5 0x7fbe09daaef0 in void mozilla::ClearLinkedList<mozilla::WebGLBuffer>(mozilla::LinkedList<mozilla::WebGLBuffer>&) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:204:25

Beta/57, Nightly/58 debug asan

This is pretty recent but is now very very common with hundreds of urls reproducing. I was able to reproduce with a saved version though it may still depend

Comment 1

[Julien Cristau [:jcristau] (back April 22)]

ni jgilbert to have a look since this seems to involve WebGL

Comment 3

[Eric Rahm [:erahm]]

This is a bug in `CacheMapInvalidator::InvalidateCaches` [1]. It's invalidating an entry (which erases it from the map, or a map, it's pretty convoluted) and then reusing a ref to it (not a copy) in an assert.

>        const auto& entry = *(mCacheEntries.begin());
>        entry->Invalidate();                                          // removes the entry, now the above ref is bad
>        MOZ_ASSERT(mCacheEntries.find(entry) == mCacheEntries.end()); // uses the bad ref

`Invalidate` [2] itself asserts it was removed, we should probably just remove the assertion in `InvalidateCaches`, but whoever understands this what's going on here should make that call.

Also AFAICT this is only in debug builds, so maybe not sec-high?

[1] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.cpp#12-19
[2] http://searchfox.org/mozilla-central/rev/c99d035f00dd894feff38e4ad28a73fb679c63a6/dom/canvas/CacheMap.h#76-78

Comment 4

[Julien Cristau [:jcristau] (back April 22)]

Too late for 57.

Comment 5

[Kelsey Gilbert [:jgilbert]]

Non-sec issue.