Closed Bug 1415085 Opened 7 years ago Closed 7 years ago

AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37 in AreaOfIntSize

Categories

(Core :: Graphics: ImageLib, defect, P3)

defect

Tracking

()

RESOLVED FIXED
mozilla58
Tracking Status
firefox58 --- fixed

People

(Reporter: glandium, Assigned: aosmond)

References

(Blocks 1 open bug)

Details

(Whiteboard: [gfx-noted])

Attachments

(1 file)

From an ASAN build with clang 5 (with the patch from bug 1409267 applied):

[task 2017-11-07T08:19:03.393Z] 08:19:03    ERROR - ==1056==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd4c977fb0 at pc 0x7f4916885685 bp 0x7ffd4c977d90 sp 0x7ffd4c977d88
[task 2017-11-07T08:19:03.394Z] 08:19:03     INFO - READ of size 4 at 0x7ffd4c977fb0 thread T0 (Web Content)
[task 2017-11-07T08:19:04.371Z] 08:19:04     INFO -     #0 0x7f4916885684 in AreaOfIntSize /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37
[task 2017-11-07T08:19:04.371Z] 08:19:04     INFO -     #1 0x7f4916885684 in CompareArea /builds/worker/workspace/build/src/image/SurfaceCache.cpp:593
[task 2017-11-07T08:19:04.372Z] 08:19:04     INFO -     #2 0x7f4916885684 in mozilla::image::ImageSurfaceCache::SuggestedSize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/image/SurfaceCache.cpp:570
[task 2017-11-07T08:19:04.373Z] 08:19:04     INFO -     #3 0x7f4916889fe1 in void mozilla::image::ImageSurfaceCache::CollectSizeOfSurfaces<mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}>(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}&&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:640:32
[task 2017-11-07T08:19:04.373Z] 08:19:04     INFO -     #4 0x7f491681bc7e in mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:1204:12
[task 2017-11-07T08:19:04.374Z] 08:19:04     INFO -     #5 0x7f4916805440 in mozilla::image::SurfaceCache::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*)) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:1629:16
[task 2017-11-07T08:19:04.374Z] 08:19:04     INFO -     #6 0x7f4916805287 in mozilla::image::RasterImage::CollectSizeOfSurfaces(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*)) const /builds/worker/workspace/build/src/image/RasterImage.cpp:758:3
[task 2017-11-07T08:19:04.382Z] 08:19:04     INFO -     #7 0x7f49167e230f in mozilla::image::ImageMemoryCounter::ImageMemoryCounter(mozilla::image::Image*, mozilla::SizeOfState&, bool) /builds/worker/workspace/build/src/image/Image.cpp:40:11
[task 2017-11-07T08:19:04.384Z] 08:19:04     INFO -     #8 0x7f49168380fc in imgMemoryReporter::ImagesContentUsedUncompressedDistinguishedAmount() /builds/worker/workspace/build/src/image/imgLoader.cpp:144:28
[task 2017-11-07T08:19:04.386Z] 08:19:04     INFO -     #9 0x7f4913c06d4a in GetInfallibleAmount /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:2437:16
[task 2017-11-07T08:19:04.387Z] 08:19:04     INFO -     #10 0x7f4913c06d4a in nsMemoryReporterManager::GetImagesContentUsedUncompressed(long*) /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:2473
[task 2017-11-07T08:19:04.391Z] 08:19:04     INFO -     #11 0x7f4913d74ed1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
[task 2017-11-07T08:19:04.415Z] 08:19:04     INFO -     #12 0x7f491568b089 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
[task 2017-11-07T08:19:04.416Z] 08:19:04     INFO -     #13 0x7f491568b089 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
[task 2017-11-07T08:19:04.417Z] 08:19:04     INFO -     #14 0x7f491568b089 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
[task 2017-11-07T08:19:04.418Z] 08:19:04     INFO -     #15 0x7f4915692837 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679:17
[task 2017-11-07T08:19:04.419Z] 08:19:04     INFO -     #16 0x7f4915692837 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
[task 2017-11-07T08:19:04.436Z] 08:19:04     INFO -     #17 0x7f491f6a6e60 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
[task 2017-11-07T08:19:04.437Z] 08:19:04     INFO -     #18 0x7f491f6a6e60 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
[task 2017-11-07T08:19:04.438Z] 08:19:04     INFO -     #19 0x7f491f6a8d91 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
[task 2017-11-07T08:19:04.439Z] 08:19:04     INFO -     #20 0x7f491f6a8d91 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
[task 2017-11-07T08:19:04.440Z] 08:19:04     INFO -     #21 0x7f491f6a8d91 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:655
[task 2017-11-07T08:19:04.465Z] 08:19:04     INFO -     #22 0x7f492072e9ce in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2119:16
[task 2017-11-07T08:19:04.466Z] 08:19:04     INFO -     #23 0x7f492072e9ce in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2172
[task 2017-11-07T08:19:04.466Z] 08:19:04     INFO -     #24 0x7f492072e9ce in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2375
[task 2017-11-07T08:19:04.467Z] 08:19:04     INFO -     #25 0x7f492072e9ce in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2411
[task 2017-11-07T08:19:04.512Z] 08:19:04     INFO -     #26 0x7f491f8d9901 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1604:12
[task 2017-11-07T08:19:04.512Z] 08:19:04     INFO -     #27 0x7f491f8d9901 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:523
[task 2017-11-07T08:19:04.513Z] 08:19:04     INFO -     #28 0x7f491f8d9901 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:629
[task 2017-11-07T08:19:04.514Z] 08:19:04     INFO -     #29 0x7f491f8d9901 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:798
[task 2017-11-07T08:19:04.519Z] 08:19:04     INFO -     #30 0x14785d52dac6  (<unknown module>)
[task 2017-11-07T08:19:04.519Z] 08:19:04     INFO - Address 0x7ffd4c977fb0 is located in stack of thread T0 (Web Content) at offset 208 in frame
[task 2017-11-07T08:19:04.520Z] 08:19:04     INFO -     #0 0x7f491688975f in void mozilla::image::ImageSurfaceCache::CollectSizeOfSurfaces<mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}>(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}&&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:618
[task 2017-11-07T08:19:04.521Z] 08:19:04     INFO -   This frame has 4 object(s):
[task 2017-11-07T08:19:04.523Z] 08:19:04     INFO -     [32, 48) 'report' (line 619)
[task 2017-11-07T08:19:04.527Z] 08:19:04     INFO -     [64, 112) 'iter' (line 620)
[task 2017-11-07T08:19:04.527Z] 08:19:04     INFO -     [144, 176) 'ref.tmp' (line 629)
[task 2017-11-07T08:19:04.528Z] 08:19:04     INFO -     [208, 256) 'ref.tmp10' (line 637) <== Memory access at offset 208 is inside this variable
[task 2017-11-07T08:19:04.530Z] 08:19:04     INFO - HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[task 2017-11-07T08:19:04.533Z] 08:19:04     INFO -       (longjmp and C++ exceptions *are* supported)
[task 2017-11-07T08:19:04.534Z] 08:19:04     INFO - SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37 in AreaOfIntSize
[task 2017-11-07T08:19:04.534Z] 08:19:04     INFO - Shadow bytes around the buggy address:
[task 2017-11-07T08:19:04.534Z] 08:19:04     INFO -   0x100029926fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.534Z] 08:19:04     INFO -   0x100029926fb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 f2 f2
[task 2017-11-07T08:19:04.535Z] 08:19:04     INFO -   0x100029926fc0: f2 f2 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.536Z] 08:19:04     INFO -   0x100029926fd0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[task 2017-11-07T08:19:04.537Z] 08:19:04     INFO -   0x100029926fe0: 00 00 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 f8 f8
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO - =>0x100029926ff0: f8 f8 f2 f2 f2 f2[f8]f8 f8 f8 f8 f8 f3 f3 f3 f3
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   0x100029927000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   0x100029927010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   0x100029927020: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   0x100029927030: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   0x100029927040: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   Addressable:           00
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-07T08:19:04.541Z] 08:19:04     INFO -   Heap left redzone:       fa
[task 2017-11-07T08:19:04.542Z] 08:19:04     INFO -   Freed heap region:       fd
[task 2017-11-07T08:19:04.543Z] 08:19:04     INFO -   Stack left redzone:      f1
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Stack mid redzone:       f2
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Stack right redzone:     f3
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Stack after return:      f5
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Stack use after scope:   f8
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Global redzone:          f9
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Global init order:       f6
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Poisoned by user:        f7
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Container overflow:      fc
[task 2017-11-07T08:19:04.547Z] 08:19:04     INFO -   Array cookie:            ac
[task 2017-11-07T08:19:04.548Z] 08:19:04     INFO -   Intra object redzone:    bb
[task 2017-11-07T08:19:04.549Z] 08:19:04     INFO -   ASan internal:           fe
[task 2017-11-07T08:19:04.551Z] 08:19:04     INFO -   Left alloca redzone:     ca
[task 2017-11-07T08:19:04.552Z] 08:19:04     INFO -   Right alloca redzone:    cb
[task 2017-11-07T08:19:04.553Z] 08:19:04     INFO - ==1056==ABORTING
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [gfx-noted]
Comment on attachment 8925889 [details] [diff] [review]
0001-Bug-1415085-Make-CachedSurface-GetSurfaceKey-return-.patch

Great find! I spent quite a bit looking at this error as well and didn't see it until you pointed it out. :D
Attachment #8925889 - Flags: review?(choller) → review+
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7dbef7d88601
Make CachedSurface::GetSurfaceKey return a reference instead of a copy. r=decoder
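The 'ref.tmp10' object in the ASan frame listing above is a temporary produced by a by-value GetSurfaceKey() call; a reference bound to a member of that temporary outlives it, and AreaOfIntSize then reads the dead stack slot. The following is an added illustration, not Firefox code: IntSize, SurfaceKey and CachedSurface are stand-ins with assumed field and method names, the sample cache is constructed, and the three Largest* functions are hypothetical callers showing the buggy shape, the same shape once the getter returns a reference (as the landed patch does), and a copying alternative.

```cpp
// Added illustration (not Firefox code): the dangling-temporary pattern behind
// the stack-use-after-scope above, and the fix of returning a reference.
#include <algorithm>
#include <cassert>
#include <cstdint>
#include <vector>

// Stand-ins for the IntSize / SurfaceKey / CachedSurface types named in the
// trace. Field and method names here are assumptions, not mozilla's definitions.
struct IntSize {
  int32_t width;
  int32_t height;
};

// Plays the role of AreaOfIntSize in frame #0: it reads the size through a
// reference, which is why the stale read is attributed to it.
int64_t AreaOfIntSize(const IntSize& aSize) {
  return int64_t(aSize.width) * int64_t(aSize.height);
}

struct SurfaceKey {
  IntSize mSize;
  const IntSize& Size() const { return mSize; }  // reference into *this
};

// "Before": GetSurfaceKey returns a copy. Each call materialises a temporary
// SurfaceKey on the caller's stack, i.e. the 'ref.tmp' objects in the ASan frame.
struct CachedSurfaceByValue {
  SurfaceKey mKey;
  SurfaceKey GetSurfaceKey() const { return mKey; }
};

// "After" (what the landed patch does): GetSurfaceKey returns a reference, so
// Size() now refers into the long-lived CachedSurface rather than a temporary.
struct CachedSurfaceByRef {
  SurfaceKey mKey;
  const SurfaceKey& GetSurfaceKey() const { return mKey; }
};

// Buggy shape: 'size' is bound to a member of the temporary returned by
// GetSurfaceKey(). That temporary is destroyed at the ';', so the later
// AreaOfIntSize(size) reads a dead stack slot. Defined only for contrast; it is
// never called here, and under -fsanitize=address it is what gets flagged.
int64_t LargestAreaDangling(const std::vector<CachedSurfaceByValue>& aSurfaces) {
  int64_t best = 0;
  for (const CachedSurfaceByValue& surface : aSurfaces) {
    const IntSize& size = surface.GetSurfaceKey().Size();  // dangles after this line
    best = std::max(best, AreaOfIntSize(size));            // stack-use-after-scope
  }
  return best;
}

// Fixed shape: identical caller code, but no temporary exists, so 'size'
// refers into the surface stored in the vector for the whole loop body.
int64_t LargestAreaFixed(const std::vector<CachedSurfaceByRef>& aSurfaces) {
  int64_t best = 0;
  for (const CachedSurfaceByRef& surface : aSurfaces) {
    const IntSize& size = surface.GetSurfaceKey().Size();
    best = std::max(best, AreaOfIntSize(size));
  }
  return best;
}

// Alternative defence when a getter must keep returning by value: copy the
// IntSize out of the temporary instead of holding a reference into it.
int64_t LargestAreaCopied(const std::vector<CachedSurfaceByValue>& aSurfaces) {
  int64_t best = 0;
  for (const CachedSurfaceByValue& surface : aSurfaces) {
    IntSize size = surface.GetSurfaceKey().Size();  // copy outlives the temporary
    best = std::max(best, AreaOfIntSize(size));
  }
  return best;
}

// Constructed sample cache: three surfaces, the largest being 640x480.
template <typename Surface>
std::vector<Surface> SampleSurfaces() {
  return {Surface{SurfaceKey{IntSize{100, 50}}},
          Surface{SurfaceKey{IntSize{640, 480}}},
          Surface{SurfaceKey{IntSize{32, 32}}}};
}

int main() {
  assert(LargestAreaFixed(SampleSurfaces<CachedSurfaceByRef>()) == 640 * 480);
  assert(LargestAreaCopied(SampleSurfaces<CachedSurfaceByValue>()) == 640 * 480);
  return 0;
}
```

Building the same file with clang -fsanitize=address and calling LargestAreaDangling reproduces a report of this shape, with the temporary listed as a 'ref.tmp' object in the caller's frame; returning a reference from the getter removes the temporary entirely, which is why the patch fixes every caller at once rather than each binding site.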
Depends on: 1409267
No longer depends on: 1409267
Blocks: 1370412
https://hg.mozilla.org/mozilla-central/rev/7dbef7d88601
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58