Closed Bug 1415086 Opened 4 years ago Closed 4 years ago

AddressSanitizer: stack-use-after-scope /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5 in __interceptor_strlen

Categories

(Core :: DOM: Workers, defect)

Product:
Core
Component:
DOM: Workers
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla58
Tracking Flags:
Tracking Status
firefox58 --- fixed

People

(Reporter: glandium, Assigned: baku)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

worker.patch
1.98 KB, patch
qdot
: review+
Details | Diff | Splinter Review 
From an ASAN build with clang 5 (with the patch from bug 1409267 applied):

[task 2017-11-07T08:23:41.694Z] 08:23:41    ERROR - GECKO(3645) | ==3696==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd44f348e4 at pc 0x000000431a64 bp 0x7ffd44f32cf0 sp 0x7ffd44f32498
[task 2017-11-07T08:23:41.694Z] 08:23:41     INFO - GECKO(3645) | READ of size 24 at 0x7ffd44f348e4 thread T0 (Web Content)
[task 2017-11-07T08:23:41.757Z] 08:23:41     INFO - GECKO(3645) |     #0 0x431a63 in __interceptor_strlen /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5
[task 2017-11-07T08:23:42.243Z] 08:23:42     INFO - GECKO(3645) |     #1 0x7f0b1914a1de in js::DuplicateString(JSContext*, char const*) /builds/worker/workspace/build/src/js/src/jsstr.cpp:3849:16
[task 2017-11-07T08:23:42.285Z] 08:23:42     INFO - GECKO(3645) |     #2 0x7f0b190c8115 in setFilename /builds/worker/workspace/build/src/js/src/jsscript.cpp:2373:17
[task 2017-11-07T08:23:42.286Z] 08:23:42     INFO - GECKO(3645) |     #3 0x7f0b190c8115 in js::ScriptSource::initFromOptions(JSContext*, JS::ReadOnlyCompileOptions const&, mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/jsscript.cpp:2356
[task 2017-11-07T08:23:42.313Z] 08:23:42     INFO - GECKO(3645) |     #4 0x7f0b191e5a65 in js::frontend::CreateScriptSourceObject(JSContext*, JS::ReadOnlyCompileOptions const&, mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:527:14
[task 2017-11-07T08:23:42.315Z] 08:23:42     INFO - GECKO(3645) |     #5 0x7f0b191e563a in BytecodeCompiler::createScriptSource(mozilla::Maybe<unsigned int> const&) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:204:20
[task 2017-11-07T08:23:42.315Z] 08:23:42     INFO - GECKO(3645) |     #6 0x7f0b191e73c8 in createSourceAndParser /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:259:12
[task 2017-11-07T08:23:42.316Z] 08:23:42     INFO - GECKO(3645) |     #7 0x7f0b191e73c8 in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:333
[task 2017-11-07T08:23:42.317Z] 08:23:42     INFO - GECKO(3645) |     #8 0x7f0b191edf3b in compileGlobalScript /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:394:12
[task 2017-11-07T08:23:42.318Z] 08:23:42     INFO - GECKO(3645) |     #9 0x7f0b191edf3b in js::frontend::CompileGlobalScript(JSContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::ScriptSourceObject**) /builds/worker/workspace/build/src/js/src/frontend/BytecodeCompiler.cpp:592
[task 2017-11-07T08:23:42.355Z] 08:23:42     INFO - GECKO(3645) |     #10 0x7f0b18eee22c in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4798:29
[task 2017-11-07T08:23:42.356Z] 08:23:42     INFO - GECKO(3645) |     #11 0x7f0b18eeebc4 in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4870:12
[task 2017-11-07T08:23:42.358Z] 08:23:42     INFO - GECKO(3645) |     #12 0x7f0b13937915 in mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:214:10
[task 2017-11-07T08:23:42.374Z] 08:23:42     INFO - GECKO(3645) |     #13 0x7f0b0cd19105 in mozilla::net::nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsStreamLoader.cpp:108:30
[task 2017-11-07T08:23:42.392Z] 08:23:42     INFO - GECKO(3645) |     #14 0x7f0b0cc53251 in nsInputStreamPump::OnStateStop() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:704:20
[task 2017-11-07T08:23:42.392Z] 08:23:42     INFO - GECKO(3645) |     #15 0x7f0b0cc515b6 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:428:25
[task 2017-11-07T08:23:42.396Z] 08:23:42     INFO - GECKO(3645) |     #16 0x7f0b0ca2b682 in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
[task 2017-11-07T08:23:42.412Z] 08:23:42     INFO - GECKO(3645) |     #17 0x7f0b0ca97474 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
[task 2017-11-07T08:23:42.414Z] 08:23:42     INFO - GECKO(3645) |     #18 0x7f0b0cab2a30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
[task 2017-11-07T08:23:42.431Z] 08:23:42     INFO - GECKO(3645) |     #19 0x7f0b0d8f91aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
[task 2017-11-07T08:23:42.432Z] 08:23:42     INFO - GECKO(3645) |     #20 0x7f0b0d854b38 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
[task 2017-11-07T08:23:42.433Z] 08:23:42     INFO - GECKO(3645) |     #21 0x7f0b0d854b38 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
[task 2017-11-07T08:23:42.433Z] 08:23:42     INFO - GECKO(3645) |     #22 0x7f0b0d854b38 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
[task 2017-11-07T08:23:42.450Z] 08:23:42     INFO - GECKO(3645) |     #23 0x7f0b13ad459a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
[task 2017-11-07T08:23:42.452Z] 08:23:42     INFO - GECKO(3645) |     #24 0x7f0b181241db in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
[task 2017-11-07T08:23:42.453Z] 08:23:42     INFO - GECKO(3645) |     #25 0x7f0b0d854b38 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
[task 2017-11-07T08:23:42.454Z] 08:23:42     INFO - GECKO(3645) |     #26 0x7f0b0d854b38 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
[task 2017-11-07T08:23:42.455Z] 08:23:42     INFO - GECKO(3645) |     #27 0x7f0b0d854b38 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
[task 2017-11-07T08:23:42.457Z] 08:23:42     INFO - GECKO(3645) |     #28 0x7f0b18123be3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
[task 2017-11-07T08:23:42.459Z] 08:23:42     INFO - GECKO(3645) |     #29 0x4edb11 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
[task 2017-11-07T08:23:42.461Z] 08:23:42     INFO - GECKO(3645) |     #30 0x4edb11 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
[task 2017-11-07T08:23:42.532Z] 08:23:42     INFO - GECKO(3645) |     #31 0x7f0b2bee482f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-11-07T08:23:42.533Z] 08:23:42     INFO - GECKO(3645) |     #32 0x41e528 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e528)
[task 2017-11-07T08:23:42.536Z] 08:23:42     INFO - GECKO(3645) | Address 0x7ffd44f348e4 is located in stack of thread T0 (Web Content) at offset 868 in frame
[task 2017-11-07T08:23:42.542Z] 08:23:42     INFO - GECKO(3645) |     #0 0x7f0b139370af in mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:167
[task 2017-11-07T08:23:42.544Z] 08:23:42     INFO - GECKO(3645) |   This frame has 12 object(s):
[task 2017-11-07T08:23:42.552Z] 08:23:42     INFO - GECKO(3645) |     [32, 40) 'scriptTextBuf' (line 175)
[task 2017-11-07T08:23:42.553Z] 08:23:42     INFO - GECKO(3645) |     [64, 72) 'scriptTextLength' (line 176)
[task 2017-11-07T08:23:42.553Z] 08:23:42     INFO - GECKO(3645) |     [96, 112) 'ref.tmp' (line 178)
[task 2017-11-07T08:23:42.553Z] 08:23:42     INFO - GECKO(3645) |     [128, 152) 'buffer' (line 187)
[task 2017-11-07T08:23:42.554Z] 08:23:42     INFO - GECKO(3645) |     [192, 288) 'jsapi' (line 190)
[task 2017-11-07T08:23:42.555Z] 08:23:42     INFO - GECKO(3645) |     [320, 472) 'aes' (line 197)
[task 2017-11-07T08:23:42.555Z] 08:23:42     INFO - GECKO(3645) |     [544, 568) 'globalObj' (line 200)
[task 2017-11-07T08:23:42.555Z] 08:23:42     INFO - GECKO(3645) |     [608, 784) 'compileOptions' (line 204)
[task 2017-11-07T08:23:42.556Z] 08:23:42     INFO - GECKO(3645) |     [848, 936) 'ref.tmp24' (line 206) <== Memory access at offset 868 is inside this variable
[task 2017-11-07T08:23:42.557Z] 08:23:42     INFO - GECKO(3645) |     [976, 992) 'comp' (line 211)
[task 2017-11-07T08:23:42.557Z] 08:23:42     INFO - GECKO(3645) |     [1008, 1032) 'unused' (line 213)
[task 2017-11-07T08:23:42.557Z] 08:23:42     INFO - GECKO(3645) |     [1072, 1088) 'error' (line 215)
[task 2017-11-07T08:23:42.558Z] 08:23:42     INFO - GECKO(3645) | HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[task 2017-11-07T08:23:42.558Z] 08:23:42     INFO - GECKO(3645) |       (longjmp and C++ exceptions *are* supported)
[task 2017-11-07T08:23:42.559Z] 08:23:42     INFO - GECKO(3645) | SUMMARY: AddressSanitizer: stack-use-after-scope /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:302:5 in __interceptor_strlen
[task 2017-11-07T08:23:42.560Z] 08:23:42     INFO - GECKO(3645) | Shadow bytes around the buggy address:
[task 2017-11-07T08:23:42.566Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de8c0: 00 00 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.567Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de8d0: 00 00 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.567Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de8e0: 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2 f2
[task 2017-11-07T08:23:42.569Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de8f0: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 00 00 00 00
[task 2017-11-07T08:23:42.573Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.574Z] 08:23:42     INFO - GECKO(3645) | =>0x1000289de910: 00 00 f2 f2 f2 f2 f2 f2 f2 f2 f8 f8[f8]f8 f8 f8
[task 2017-11-07T08:23:42.575Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de920: f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 00 00 f2 f2 00 00
[task 2017-11-07T08:23:42.579Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de930: 00 f2 f2 f2 f2 f2 f8 f8 f3 f3 f3 f3 00 00 00 00
[task 2017-11-07T08:23:42.580Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.580Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.581Z] 08:23:42     INFO - GECKO(3645) |   0x1000289de960: f1 f1 f1 f1 00 f3 f3 f3 00 00 00 00 00 00 00 00
[task 2017-11-07T08:23:42.581Z] 08:23:42     INFO - GECKO(3645) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-07T08:23:42.582Z] 08:23:42     INFO - GECKO(3645) |   Addressable:           00
[task 2017-11-07T08:23:42.582Z] 08:23:42     INFO - GECKO(3645) |   Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-07T08:23:42.583Z] 08:23:42     INFO - GECKO(3645) |   Heap left redzone:       fa
[task 2017-11-07T08:23:42.584Z] 08:23:42     INFO - GECKO(3645) |   Freed heap region:       fd
[task 2017-11-07T08:23:42.585Z] 08:23:42     INFO - GECKO(3645) |   Stack left redzone:      f1
[task 2017-11-07T08:23:42.586Z] 08:23:42     INFO - GECKO(3645) |   Stack mid redzone:       f2
[task 2017-11-07T08:23:42.587Z] 08:23:42     INFO - GECKO(3645) |   Stack right redzone:     f3
[task 2017-11-07T08:23:42.587Z] 08:23:42     INFO - GECKO(3645) |   Stack after return:      f5
[task 2017-11-07T08:23:42.591Z] 08:23:42     INFO - GECKO(3645) |   Stack use after scope:   f8
[task 2017-11-07T08:23:42.592Z] 08:23:42     INFO - GECKO(3645) |   Global redzone:          f9
[task 2017-11-07T08:23:42.594Z] 08:23:42     INFO - GECKO(3645) |   Global init order:       f6
[task 2017-11-07T08:23:42.595Z] 08:23:42     INFO - GECKO(3645) |   Poisoned by user:        f7
[task 2017-11-07T08:23:42.597Z] 08:23:42     INFO - GECKO(3645) |   Container overflow:      fc
[task 2017-11-07T08:23:42.598Z] 08:23:42     INFO - GECKO(3645) |   Array cookie:            ac
[task 2017-11-07T08:23:42.598Z] 08:23:42     INFO - GECKO(3645) |   Intra object redzone:    bb
[task 2017-11-07T08:23:42.599Z] 08:23:42     INFO - GECKO(3645) |   ASan internal:           fe
[task 2017-11-07T08:23:42.599Z] 08:23:42     INFO - GECKO(3645) |   Left alloca redzone:     ca
[task 2017-11-07T08:23:42.600Z] 08:23:42     INFO - GECKO(3645) |   Right alloca redzone:    cb
[task 2017-11-07T08:23:42.604Z] 08:23:42     INFO - GECKO(3645) | ==3696==ABORTING

https://treeherder.mozilla.org/logviewer.html#?job_id=142661171&repo=try&lineNumber=5949
The problem is probably this line:

http://searchfox.org/mozilla-central/rev/7e090b227f7a0ec44d4ded604823d48823158c51/dom/worklet/Worklet.cpp#206

My guess is that NS_ConvertUTF16toUTF8 is temporarily constructed and get returns a reference to the result string that is technically no longer in scope when being used.

:baku, could you look into this, since you landed this code? This would greatly help us getting Clang 5 into production. Thanks!
Component: JavaScript Engine → DOM: Workers
Flags: needinfo?(amarchesini)
Attached patch worker.patchSplinter Review
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attachment #8926023 - Flags: review?(kyle)
Attachment #8926023 - Flags: review?(kyle) → review+
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1c6eac3c74d5
Fixing a out-of-scope issue for a string in Worklet code, r=qdot
Backed out for build bustage at dom/worklet/Worklet.cpp:204:

https://hg.mozilla.org/integration/mozilla-inbound/rev/67f24343cff8f8befb8b03119346761a14808f41

Push with bustage: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=1c6eac3c74d516b2e76ebee8b07a663341133fda&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=usercancel&filter-resultStatus=runnable&filter-resultStatus=retry
Build log: https://treeherder.mozilla.org/logviewer.html#?job_id=142792623&repo=mozilla-inbound

[task 2017-11-07T19:28:50.843Z] 19:28:50     INFO -  In file included from /builds/worker/workspace/build/src/obj-firefox/dom/worklet/Unified_cpp_dom_worklet0.cpp:20:0:
[task 2017-11-07T19:28:50.843Z] 19:28:50     INFO -  /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp: In member function 'virtual nsresult mozilla::dom::WorkletFetchHandler::OnStreamComplete(nsIStreamLoader*, nsISupports*, nsresult, uint32_t, const uint8_t*)':
[task 2017-11-07T19:28:50.843Z] 19:28:50     INFO -  /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:204:33: error: expected ';' before 'url'
[task 2017-11-07T19:28:50.843Z] 19:28:50     INFO -       NS_ConvertUTF16toUTF8(mURL) url;
[task 2017-11-07T19:28:50.843Z] 19:28:50     INFO -                                   ^~~
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -  /builds/worker/workspace/build/src/dom/worklet/Worklet.cpp:208:35: error: 'url' was not declared in this scope
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -       compileOptions.setFileAndLine(url, 0);
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -                                     ^~~
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -  /builds/worker/workspace/build/src/config/rules.mk:1038: recipe for target 'Unified_cpp_dom_worklet0.o' failed
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -  gmake[5]: *** [Unified_cpp_dom_worklet0.o] Error 1
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -  gmake[5]: Leaving directory '/builds/worker/workspace/build/src/obj-firefox/dom/worklet'
[task 2017-11-07T19:28:50.844Z] 19:28:50     INFO -  /builds/worker/workspace/build/src/config/recurse.mk:73: recipe for target 'dom/worklet/target' failed
[task 2017-11-07T19:28:50.845Z] 19:28:50     INFO -  gmake[4]: *** [dom/worklet/target] Error 2
Flags: needinfo?(amarchesini)
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/90a7bc300af3
Fixing a out-of-scope issue for a string in Worklet code, r=qdot
Flags: needinfo?(amarchesini)
https://hg.mozilla.org/mozilla-central/rev/90a7bc300af3
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
You need to log in before you can comment on or make changes to this bug.