Closed Bug 1415086 Opened 8 years ago Closed 8 years ago

AddressSanitizer: stack-use-after-scope /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5 in __interceptor_strlen

Categories: (Core :: DOM: Workers, defect)
defect / Not set / normal
Status: RESOLVED FIXED
Target Milestone: mozilla58
Tracking Status: firefox58 --- fixed
People: (Reporter: glandium, Assigned: baku)
References: (Blocks 1 open bug)
Attachments: (1 file)
From an ASAN build with clang 5 (with the patch from bug 1409267 applied):
[task 2017-11-07T08:23:41.694Z] 08:23:41 ERROR - GECKO(3645) | ==3696==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd44f348e4 at pc 0x000000431a64 bp 0x7ffd44f32cf0 sp 0x7ffd44f32498
[task 2017-11-07T08:23:41.694Z] 08:23:41 INFO - GECKO(3645) | READ of size 24 at 0x7ffd44f348e4 thread T0 (Web Content)
[task 2017-11-07T08:23:41.757Z] 08:23:41 INFO - GECKO(3645) | #0 0x431a63 in __interceptor_strlen /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5
[task 2017-11-07T08:23:42.243Z] 08:23:42 INFO - GECKO(3645) | #1 0x7f0b1914a1de in js::DuplicateString(JSContext*, char const*) /builds/worker/workspace/build/src/js/src/jsstr.cpp:3849:16
[task 2017-11-07T08:23:42.285Z] 08:23:42 INFO - GECKO(3645) | #2 0x7f0b190c8115 in setFilename /builds/worker/workspace/build/src/js/src/jsscript.cpp:2373:17
[task 2017-11-07T08:23:42.286Z] 08:23:42 INFO - GECKO(3645) | #3 0x7f0b190c8115 in js::ScriptSource::initFromOptions(JSContext*, JS::ReadOnlyCompileOptions const&, mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/jsscript.cpp:2356
[task 2017-11-07T08:23:42.313Z] 08:23:42 INFO - GECKO(3645) | #4 0x7f0b191e5a65 in js::frontend::CreateScriptSourceObject(JSContext*, JS::ReadOnlyCompileOptions const&, mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:527:14
[task 2017-11-07T08:23:42.315Z] 08:23:42 INFO - GECKO(3645) | #5 0x7f0b191e563a in BytecodeCompiler::createScriptSource(mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:204:20
[task 2017-11-07T08:23:42.315Z] 08:23:42 INFO - GECKO(3645) | #6 0x7f0b191e73c8 in createSourceAndParser /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:259:12
[task 2017-11-07T08:23:42.316Z] 08:23:42 INFO - GECKO(3645) | #7 0x7f0b191e73c8 in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:333
[task 2017-11-07T08:23:42.317Z] 08:23:42 INFO - GECKO(3645) | #8 0x7f0b191edf3b in compileGlobalScript /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:394:12
[task 2017-11-07T08:23:42.318Z] 08:23:42 INFO - GECKO(3645) | #9 0x7f0b191edf3b in js::frontend::CompileGlobalScript(JSContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::ScriptSourceObject**) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:592
[task 2017-11-07T08:23:42.355Z] 08:23:42 INFO - GECKO(3645) | #10 0x7f0b18eee22c in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4798:29
[task 2017-11-07T08:23:42.356Z] 08:23:42 INFO - GECKO(3645) | #11 0x7f0b18eeebc4 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4870:12
[task 2017-11-07T08:23:42.358Z] 08:23:42 INFO - GECKO(3645) | #12 0x7f0b13937915 in mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:214:10
[task 2017-11-07T08:23:42.374Z] 08:23:42 INFO - GECKO(3645) | #13 0x7f0b0cd19105 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsStreamLoader.cpp:108:30
[task 2017-11-07T08:23:42.392Z] 08:23:42 INFO - GECKO(3645) | #14 0x7f0b0cc53251 in nsInputStreamPump::OnStateStop() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:704:20
[task 2017-11-07T08:23:42.392Z] 08:23:42 INFO - GECKO(3645) | #15 0x7f0b0cc515b6 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:428:25
[task 2017-11-07T08:23:42.396Z] 08:23:42 INFO - GECKO(3645) | #16 0x7f0b0ca2b682 in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
[task 2017-11-07T08:23:42.412Z] 08:23:42 INFO - GECKO(3645) | #17 0x7f0b0ca97474 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
[task 2017-11-07T08:23:42.414Z] 08:23:42 INFO - GECKO(3645) | #18 0x7f0b0cab2a30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
[task 2017-11-07T08:23:42.431Z] 08:23:42 INFO - GECKO(3645) | #19 0x7f0b0d8f91aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
[task 2017-11-07T08:23:42.432Z] 08:23:42 INFO - GECKO(3645) | #20 0x7f0b0d854b38 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
[task 2017-11-07T08:23:42.433Z] 08:23:42 INFO - GECKO(3645) | #21 0x7f0b0d854b38 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
[task 2017-11-07T08:23:42.433Z] 08:23:42 INFO - GECKO(3645) | #22 0x7f0b0d854b38 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
[task 2017-11-07T08:23:42.450Z] 08:23:42 INFO - GECKO(3645) | #23 0x7f0b13ad459a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
[task 2017-11-07T08:23:42.452Z] 08:23:42 INFO - GECKO(3645) | #24 0x7f0b181241db in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
[task 2017-11-07T08:23:42.453Z] 08:23:42 INFO - GECKO(3645) | #25 0x7f0b0d854b38 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
[task 2017-11-07T08:23:42.454Z] 08:23:42 INFO - GECKO(3645) | #26 0x7f0b0d854b38 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
[task 2017-11-07T08:23:42.455Z] 08:23:42 INFO - GECKO(3645) | #27 0x7f0b0d854b38 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
[task 2017-11-07T08:23:42.457Z] 08:23:42 INFO - GECKO(3645) | #28 0x7f0b18123be3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
[task 2017-11-07T08:23:42.459Z] 08:23:42 INFO - GECKO(3645) | #29 0x4edb11 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
[task 2017-11-07T08:23:42.461Z] 08:23:42 INFO - GECKO(3645) | #30 0x4edb11 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
[task 2017-11-07T08:23:42.532Z] 08:23:42 INFO - GECKO(3645) | #31 0x7f0b2bee482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-11-07T08:23:42.533Z] 08:23:42 INFO - GECKO(3645) | #32 0x41e528 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e528)
[task 2017-11-07T08:23:42.536Z] 08:23:42 INFO - GECKO(3645) | Address 0x7ffd44f348e4 is located in stack of thread T0 (Web Content) at offset 868 in frame
[task 2017-11-07T08:23:42.542Z] 08:23:42 INFO - GECKO(3645) | #0 0x7f0b139370af in mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:167
[task 2017-11-07T08:23:42.544Z] 08:23:42 INFO - GECKO(3645) | This frame has 12 object(s):
[task 2017-11-07T08:23:42.552Z] 08:23:42 INFO - GECKO(3645) | [32, 40) 'scriptTextBuf' (line 175)
[task 2017-11-07T08:23:42.553Z] 08:23:42 INFO - GECKO(3645) | [64, 72) 'scriptTextLength' (line 176)
[task 2017-11-07T08:23:42.553Z] 08:23:42 INFO - GECKO(3645) | [96, 112) 'ref.tmp' (line 178)
[task 2017-11-07T08:23:42.553Z] 08:23:42 INFO - GECKO(3645) | [128, 152) 'buffer' (line 187)
[task 2017-11-07T08:23:42.554Z] 08:23:42 INFO - GECKO(3645) | [192, 288) 'jsapi' (line 190)
[task 2017-11-07T08:23:42.555Z] 08:23:42 INFO - GECKO(3645) | [320, 472) 'aes' (line 197)
[task 2017-11-07T08:23:42.555Z] 08:23:42 INFO - GECKO(3645) | [544, 568) 'globalObj' (line 200)
[task 2017-11-07T08:23:42.555Z] 08:23:42 INFO - GECKO(3645) | [608, 784) 'compileOptions' (line 204)
[task 2017-11-07T08:23:42.556Z] 08:23:42 INFO - GECKO(3645) | [848, 936) 'ref.tmp24' (line 206) <== Memory access at offset 868 is inside this variable
[task 2017-11-07T08:23:42.557Z] 08:23:42 INFO - GECKO(3645) | [976, 992) 'comp' (line 211)
[task 2017-11-07T08:23:42.557Z] 08:23:42 INFO - GECKO(3645) | [1008, 1032) 'unused' (line 213)
[task 2017-11-07T08:23:42.557Z] 08:23:42 INFO - GECKO(3645) | [1072, 1088) 'error' (line 215)
[task 2017-11-07T08:23:42.558Z] 08:23:42 INFO - GECKO(3645) | HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[task 2017-11-07T08:23:42.558Z] 08:23:42 INFO - GECKO(3645) | (longjmp and C++ exceptions *are* supported)
[task 2017-11-07T08:23:42.559Z] 08:23:42 INFO - GECKO(3645) | SUMMARY: AddressSanitizer: stack-use-after-scope /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5 in __interceptor_strlen
[task 2017-11-07T08:23:42.560Z] 08:23:42 INFO - GECKO(3645) | Shadow bytes around the buggy address:
[task 2017-11-07T08:23:42.566Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de8c0: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.567Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de8d0: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.567Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de8e0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
[task 2017-11-07T08:23:42.569Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de8f0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
[task 2017-11-07T08:23:42.573Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.574Z] 08:23:42 INFO - GECKO(3645) | =>0x1000289de910: 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8[f8]f8 f8 f8
[task 2017-11-07T08:23:42.575Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de920: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 f2 f2 00 00
[task 2017-11-07T08:23:42.579Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de930: 00 f2 f2 f2 f2 f2 f8 f8 f3 f3 f3 f3 00 00 00 00
[task 2017-11-07T08:23:42.580Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.580Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.581Z] 08:23:42 INFO - GECKO(3645) | 0x1000289de960: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.581Z] 08:23:42 INFO - GECKO(3645) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-07T08:23:42.582Z] 08:23:42 INFO - GECKO(3645) | Addressable: 00
[task 2017-11-07T08:23:42.582Z] 08:23:42 INFO - GECKO(3645) | Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-07T08:23:42.583Z] 08:23:42 INFO - GECKO(3645) | Heap left redzone: fa
[task 2017-11-07T08:23:42.584Z] 08:23:42 INFO - GECKO(3645) | Freed heap region: fd
[task 2017-11-07T08:23:42.585Z] 08:23:42 INFO - GECKO(3645) | Stack left redzone: f1
[task 2017-11-07T08:23:42.586Z] 08:23:42 INFO - GECKO(3645) | Stack mid redzone: f2
[task 2017-11-07T08:23:42.587Z] 08:23:42 INFO - GECKO(3645) | Stack right redzone: f3
[task 2017-11-07T08:23:42.587Z] 08:23:42 INFO - GECKO(3645) | Stack after return: f5
[task 2017-11-07T08:23:42.591Z] 08:23:42 INFO - GECKO(3645) | Stack use after scope: f8
[task 2017-11-07T08:23:42.592Z] 08:23:42 INFO - GECKO(3645) | Global redzone: f9
[task 2017-11-07T08:23:42.594Z] 08:23:42 INFO - GECKO(3645) | Global init order: f6
[task 2017-11-07T08:23:42.595Z] 08:23:42 INFO - GECKO(3645) | Poisoned by user: f7
[task 2017-11-07T08:23:42.597Z] 08:23:42 INFO - GECKO(3645) | Container overflow: fc
[task 2017-11-07T08:23:42.598Z] 08:23:42 INFO - GECKO(3645) | Array cookie: ac
[task 2017-11-07T08:23:42.598Z] 08:23:42 INFO - GECKO(3645) | Intra object redzone: bb
[task 2017-11-07T08:23:42.599Z] 08:23:42 INFO - GECKO(3645) | ASan internal: fe
[task 2017-11-07T08:23:42.599Z] 08:23:42 INFO - GECKO(3645) | Left alloca redzone: ca
[task 2017-11-07T08:23:42.600Z] 08:23:42 INFO - GECKO(3645) | Right alloca redzone: cb
[task 2017-11-07T08:23:42.604Z] 08:23:42 INFO - GECKO(3645) | ==3696==ABORTING
https://treeherder.mozilla.org/logviewer.html#?job_id=142661171&repo=try&lineNumber=5949
The problem is probably this line: http://searchfox.org/mozilla-central/rev/7e090b227f7a0ec44d4ded604823d48823158c51/dom/worklet/Worklet.cpp#206
My guess is that NS_ConvertUTF16toUTF8 is temporarily constructed and get() returns a reference to the result string that is technically no longer in scope when being used. :baku, could you look into this, since you landed this code? This would greatly help us get Clang 5 into production. Thanks!
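The lifetime mistake described in the comment above, as an added C++ example that is not code from this bug, its patch, or mozilla-central. `Utf16ToUtf8` and `CompileOptions` are simplified stand-ins for `NS_ConvertUTF16toUTF8` and `JS::CompileOptions` (the ASan trace shows the filename being copied only later, in `ScriptSource::setFilename`, so the options object is assumed to store the raw pointer without copying it). The live-buffer registry is an assumed substitute for ASan's shadow bytes: it answers "is this pointer still backed by a live buffer?" by comparing addresses, so the dangling case is reported without reading memory whose lifetime has ended.

```cpp
#include <cassert>
#include <cstdint>
#include <cstdio>
#include <set>
#include <string>

// Constructed stand-in for ASan's shadow memory: every converter registers its
// buffer address while alive and removes it on destruction.
static std::set<std::uintptr_t> gLiveBuffers;

static std::uintptr_t Key(const char* aPtr) {
    return reinterpret_cast<std::uintptr_t>(aPtr);
}

// Hypothetical stand-in for NS_ConvertUTF16toUTF8: owns the UTF-8 copy and
// hands out a raw pointer through get(), as the real converter does.
class Utf16ToUtf8 {
public:
    explicit Utf16ToUtf8(const std::u16string& aInput) {
        // Constructed narrowing (ASCII only), sufficient for the demonstration.
        for (char16_t c : aInput) {
            mData.push_back(static_cast<char>(c));
        }
        gLiveBuffers.insert(Key(mData.c_str()));
    }
    ~Utf16ToUtf8() { gLiveBuffers.erase(Key(mData.c_str())); }
    Utf16ToUtf8(const Utf16ToUtf8&) = delete;
    Utf16ToUtf8& operator=(const Utf16ToUtf8&) = delete;

    const char* get() const { return mData.c_str(); }

private:
    std::string mData;
};

// Hypothetical stand-in for JS::CompileOptions. Assumption: the filename
// pointer is stored as-is and only copied later by the script source.
struct CompileOptions {
    const char* filename = nullptr;
    unsigned line = 0;

    void setFileAndLine(const char* aFile, unsigned aLine) {
        filename = aFile;
        line = aLine;
    }

    // What the strlen() inside DuplicateString would need: the stored
    // pointer must still be backed by a live buffer.
    bool filenameIsLive() const {
        return gLiveBuffers.count(Key(filename)) != 0;
    }
};

// The pattern the report points at: the converter is a temporary whose
// lifetime ends with the full expression, so compileOptions keeps a pointer
// into an object that no longer exists ('ref.tmp24' in the frame listing).
bool buggyPattern(const std::u16string& aURL) {
    CompileOptions compileOptions;
    compileOptions.setFileAndLine(Utf16ToUtf8(aURL).get(), 0);
    return compileOptions.filenameIsLive();  // false: already out of scope
}

// The fix: declare the conversion as a named local so its lifetime covers
// every later use of the pointer. Note the `Type name(arg);` form; the
// backed-out first attempt wrote `Type(arg) name;`, which does not parse.
bool fixedPattern(const std::u16string& aURL) {
    CompileOptions compileOptions;
    Utf16ToUtf8 url(aURL);
    compileOptions.setFileAndLine(url.get(), 0);
    return compileOptions.filenameIsLive();  // true: url outlives the use
}

int main() {
    // Constructed sample input.
    const std::u16string url = u"https://example.test/worklet.js";
    std::printf("temporary converter: %s\n",
                buggyPattern(url) ? "live" : "use-after-scope");
    std::printf("named local:         %s\n",
                fixedPattern(url) ? "live" : "use-after-scope");
    return 0;
}
```

The registry only makes the outcome deterministic for a stand-alone run; in a real build the same pattern is caught by `-fsanitize=address` at the first dereference of the stored pointer, which is the strlen call at frame #0 of the report above.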
Component: JavaScript Engine → DOM: Workers
Flags: needinfo?(amarchesini)
Attached patch worker.patch
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attachment #8926023 - Flags: review?(kyle)
Attachment #8926023 - Flags: review?(kyle) → review+
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/1c6eac3c74d5 Fixing an out-of-scope issue for a string in Worklet code, r=qdot
Backed out for build bustage at dom/worklet/Worklet.cpp:204: https://hg.mozilla.org/integration/mozilla-inbound/rev/67f24343cff8f8befb8b03119346761a14808f41
Push with bustage: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=1c6eac3c74d516b2e76ebee8b07a663341133fda&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=usercancel&filter-resultStatus=runnable&filter-resultStatus=retry
Build log: https://treeherder.mozilla.org/logviewer.html#?job_id=142792623&repo=mozilla-inbound
[task 2017-11-07T19:28:50.843Z] 19:28:50 INFO - In file included from /builds/worker/workspace/build/src/obj-firefox/dom/worklet/Unified_cpp_dom_worklet0.cpp:20:0:
[task 2017-11-07T19:28:50.843Z] 19:28:50 INFO - /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp: In member function 'virtual nsresult mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, uint32_t, const uint8_t*)':
[task 2017-11-07T19:28:50.843Z] 19:28:50 INFO - /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:204:33: error: expected ';' before 'url'
[task 2017-11-07T19:28:50.843Z] 19:28:50 INFO - NS_ConvertUTF16toUTF8(mURL) url;
[task 2017-11-07T19:28:50.843Z] 19:28:50 INFO - ^~~
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:208:35: error: 'url' was not declared in this scope
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - compileOptions.setFileAndLine(url, 0);
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - ^~~
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - /builds/worker/workspace/build/src/config/rules.mk:1038: recipe for target 'Unified_cpp_dom_worklet0.o' failed
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - gmake[5]: *** [Unified_cpp_dom_worklet0.o] Error 1
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - gmake[5]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/worklet'
[task 2017-11-07T19:28:50.844Z] 19:28:50 INFO - /builds/worker/workspace/build/src/config/recurse.mk:73: recipe for target 'dom/worklet/target' failed
[task 2017-11-07T19:28:50.845Z] 19:28:50 INFO - gmake[4]: *** [dom/worklet/target] Error 2
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/90a7bc300af3 Fixing an out-of-scope issue for a string in Worklet code, r=qdot
Flags: needinfo?(amarchesini)
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58