ERROR: AddressSanitizer: stack-use-after-scope in ~Movable from TestTArray.cpp

RESOLVED FIXED in Firefox 58

Product: Core
Component: XPCOM
Reporter: glandium, Assignee: JamesCheng

Version: unspecified
Target Milestone: mozilla58

Tracking flags: firefox58 fixed

Attachments: 1 (attachment 8925841)

Description (Reporter, 13 days ago)
From an ASAN build with clang 5 (with the patch from bug 1409267 applied):

[task 2017-11-07T08:18:06.854Z] 08:18:06    ERROR -  ==965==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffca38c28b0 at pc 0x7f26bd8cd3de bp 0x7ffca38c27c0 sp 0x7ffca38c27b8
READ of size 4 at 0x7ffca38c28b0 thread T0
    #0 0x7f26bd8cd3dd in ~Movable /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:44:29
    #1 0x7f26bd8cd3dd in Destruct /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:562
    #2 0x7f26bd8cd3dd in DestructRange /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2026
    #3 0x7f26bd8cd3dd in nsTArray_Impl<TestTArray::Movable, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2079
    #4 0x7f26bd8cc090 in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1752:18
    #5 0x7f26bd8cc090 in ~nsTArray_Impl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:885
    #6 0x7f26bd8cc090 in TestTArray::TArray_CopyOverlappingForwards_Test::TestBody() /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:169
    #7 0x7f26be173b5c in HandleExceptionsInMethodIfSupported<testing::Test, void> /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2460:12
    #8 0x7f26be173b5c in testing::Test::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2476
    #9 0x7f26be176074 in testing::TestInfo::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2658:11
    #10 0x7f26be1770c6 in testing::TestCase::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2776:28
    #11 0x7f26be18e076 in testing::internal::UnitTestImpl::RunAllTests() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4651:43
    #12 0x7f26be18d5fa in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2460:12
    #13 0x7f26be18d5fa in testing::UnitTest::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4259
    #14 0x7f26be1bece9 in RUN_ALL_TESTS /builds/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
    #15 0x7f26be1bece9 in mozilla::RunGTestFunc(int*, char**) /builds/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
    #16 0x7f26bd159dcd in XREMain::XRE_mainStartup(bool*) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3879:16
    #17 0x7f26bd168702 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4822:12
    #18 0x7f26bd169f35 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
    #19 0x4ed92b in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #20 0x4ed92b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #21 0x7f26d278c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x41e528 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e528)
Address 0x7ffca38c28b0 is located in stack of thread T0 at offset 112 in frame
    #0 0x7f26bd8cb16f in TestTArray::TArray_CopyOverlappingForwards_Test::TestBody() /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:146
  This frame has 12 object(s):
    [32, 33) 'ref.tmp.i.i.i.i87'
    [48, 49) 'ref.tmp.i.i.i.i'
    [64, 72) 'array' (line 147)
    [96, 160) 'destructionCounters' (line 152) <== Memory access at offset 112 is inside this variable
    [192, 208) 'gtest_ar' (line 164)
    [224, 228) 'ref.tmp' (line 164)
    [240, 248) 'ref.tmp16' (line 164)
    [272, 280) 'temp.lvalue'
    [304, 320) 'gtest_ar23' (line 167)
    [336, 340) 'ref.tmp26' (line 167)
    [352, 360) 'ref.tmp28' (line 167)
    [384, 392) 'temp.lvalue29'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:44:29 in ~Movable
Shadow bytes around the buggy address:
  0x1000147104c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000147104d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000147104e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000147104f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100014710500: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f2
=>0x100014710510: 00 f2 f2 f2 f8 f8[f8]f8 f8 f8 f8 f8 f2 f2 f2 f2
  0x100014710520: f8 f8 f2 f2 f8 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f8
  0x100014710530: f2 f2 f8 f2 f8 f2 f2 f2 00 f3 f3 f3 00 00 00 00
  0x100014710540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100014710550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100014710560: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f2 f2
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==965==ABORTING

Comment 1 (Reporter, 13 days ago)
https://treeherder.mozilla.org/logviewer.html#?job_id=142661100&repo=try&lineNumber=3548

Comment 2 (Assignee, 13 days ago)
I think it can be fixed by simply rearranging the declaration of the objects.
Assignee: nobody → jacheng
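
The frame dump in the description already pins the defect down: `array` is declared at TestTArray.cpp line 147 and `destructionCounters` at line 152, and the bad 4-byte read happens inside `~nsTArray_Impl` at line 169, the end of the test body. C++ destroys locals in reverse declaration order, so `destructionCounters` has already gone out of scope by the time `array`'s destructor runs `~Movable`, which still writes through its pointer into the counter array. Clang 5 turned on ASan's use-after-scope detection by default, which poisons a stack slot at the end of its scope; that is why the same test passed with older compilers and now reports stack-use-after-scope. The following is an added example in standard C++ and is not Mozilla's TestTArray.cpp or nsTArray code: `std::vector` stands in for `nsTArray`, the member name `mDestructionCounter` and the counter type are assumptions modelled on the dump, and the two functions show the declaration order that trips ASan next to the order the fix moves to.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Added example, not code from Mozilla's TestTArray.cpp. The shape follows
// the ASan frame dump: an element type whose destructor touches a counter
// array that lives in the *caller's* stack frame. The member name is an
// assumption modelled on that dump.
struct Movable {
  int* mDestructionCounter = nullptr;

  Movable() = default;
  explicit Movable(int* aCounter) : mDestructionCounter(aCounter) {}

  // Only the live value owns the counter: a moved-from object must not
  // count when it is destroyed, or every relocation would inflate the tally.
  Movable(Movable&& aOther) noexcept
      : mDestructionCounter(aOther.mDestructionCounter) {
    aOther.mDestructionCounter = nullptr;
  }
  Movable& operator=(Movable&& aOther) noexcept {
    mDestructionCounter = aOther.mDestructionCounter;
    aOther.mDestructionCounter = nullptr;
    return *this;
  }
  Movable(const Movable&) = delete;
  Movable& operator=(const Movable&) = delete;

  ~Movable() {
    if (mDestructionCounter) {
      ++*mDestructionCounter;  // the 4-byte access ASan attributed to ~Movable
    }
  }
};

// 16 counters of 4 bytes: the same 64-byte span the dump shows for
// 'destructionCounters' at [96, 160).
constexpr std::size_t kLength = 16;

// Wrong order (the shape the bug had): `array` is declared before `counters`.
// Locals die in reverse declaration order, so at the closing brace `counters`
// goes out of scope first and ~vector then runs ~Movable, which writes into
// the dead `counters` slots. Build with `clang++ -g -fsanitize=address` and
// call this from main() to get a stack-use-after-scope report. It is not
// exercised by the checks on the fixed version because it is undefined behaviour.
void DestroyInWrongOrder() {
  std::vector<Movable> array;
  int counters[kLength] = {};
  array.reserve(kLength);
  for (std::size_t i = 0; i < kLength; ++i) {
    array.emplace_back(&counters[i]);
  }
}  // lifetime of `counters` ends, then `array` is destroyed: use-after-scope

struct DestructionReport {
  std::size_t destroyedAfterShrink;  // counters equal to 1 after removing four elements
  std::size_t destroyedAfterScope;   // counters equal to 1 after the container is gone
};

// Right order (what the landed patch does): declare `counters` first so it
// outlives `array`. Every ~Movable, whether triggered by removing elements or
// by the container's own destructor, then writes into live stack memory.
DestructionReport DestroyInRightOrder() {
  int counters[kLength] = {};
  DestructionReport report{0, 0};
  {
    std::vector<Movable> array;
    array.reserve(kLength);  // no reallocation, so no intermediate moves
    for (std::size_t i = 0; i < kLength; ++i) {
      array.emplace_back(&counters[i]);
    }
    // Drop the last four elements: their destructors run now, while
    // `counters` is alive, and only their counters should read 1.
    array.resize(kLength - 4);
    for (int c : counters) {
      if (c == 1) ++report.destroyedAfterShrink;
    }
  }  // ~array destroys the remaining twelve; `counters` is still in scope
  for (int c : counters) {
    if (c == 1) ++report.destroyedAfterScope;
  }
  return report;
}

int main() {
  DestructionReport r = DestroyInRightOrder();
  std::printf("after shrink: %zu, after scope: %zu (expect 4 and %zu)\n",
              r.destroyedAfterShrink, r.destroyedAfterScope, kLength);
  DestroyInWrongOrder();  // reported by ASan, silent in a plain build
  return 0;
}
```

Without a sanitizer both functions appear to work, because the dead stack slot is still physically there; that is exactly why the test was green before the toolchain change. The fix is cheap precisely because it is only an ordering constraint: anything a destructor reaches for must be declared before the object whose destructor reaches for it, or live in an enclosing scope.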
Comment hidden (mozreview-request)
Updated (Assignee, 13 days ago)
Attachment #8925841 - Flags: review?(nfroyd)

Comment 4 (Reporter, 13 days ago)
Can you do a try push for a linux64-asan gtest with the patches from bug 1409267 and the taskcluster/ci/toolchain/linux.yml part of bug 1409265?

Comment 5 (Assignee, 13 days ago)
Sure,

https://treeherder.mozilla.org/#/jobs?repo=try&revision=ee8d47ec6d099f9c2834d93a92a8ffdf35253d53

I applied the patches from bug 1409267 and bug 1409265 with try syntax only selecting gtest.

try: -b do -p linux64-asan -u gtest -t none

Hope it is what you want!

Thanks.

Comment 6 (Assignee, 13 days ago)
Try looks fixed.

Comment 7 (Reporter, 13 days ago)
Unfortunately, you took the full patch for bug 1409265, not just the taskcluster/ci/toolchain/linux.yml part. The full patch doesn't make asan builds use clang 5.

Comment 8 (Assignee, 13 days ago)
Oops, I'll redo it again. Thanks.

Comment 9 (Assignee, 13 days ago)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ca6e89a1ebccabb705fa09f5e5fee704a7b4261

with only the taskcluster/ci/toolchain/linux.yml part:

https://hg.mozilla.org/try/rev/0ee1b81d73e5695f01fb913d271102fa23064483

Hope it's correct!

Comment 10 (Assignee, 13 days ago)
Seems like the patch works in try.
Blocks: 1409267
No longer blocks: 1409267
Depends on: 1409267

Comment 11
Comment on attachment 8925841 [details]
Bug 1415083 - Rearrange the declaration of objects to avoid stack-use-after-scope.

https://reviewboard.mozilla.org/r/197042/#review202294

Thank you!
Attachment #8925841 - Flags: review?(nfroyd) → review+


Comment 12 (12 days ago)
Pushed by jacheng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1528ff0ed838
Rearrange the declaration of objects to avoid stack-use-after-scope. r=froydnj


Comment 13 (bugherder, 12 days ago)
https://hg.mozilla.org/mozilla-central/rev/1528ff0ed838
Status: NEW → RESOLVED
Last Resolved: 12 days ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58