Closed Bug 1418125 Opened 8 years ago Closed 7 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free under mozilla::dom::PContentChild::SendBHRThreadHang while testing oop-extensions

Categories: Core :: XPCOM, defect
Priority: Not set
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 1424766
People: Reporter: aryx, Unassigned
Keywords: csectype-uaf, intermittent-failure, sec-moderate
Attachments: 1 file

https://treeherder.mozilla.org/logviewer.html#?job_id=145390200&repo=mozilla-inbound

[task 2017-11-16T19:56:11.784Z] 19:56:11 INFO - TEST-START | browser/components/extensions/test/browser/test-oop-extensions/browser_ext_windows_create_params.js
[task 2017-11-16T19:56:13.963Z] 19:56:13 INFO - GECKO(1131) | MEMORY STAT | vsize 20975550MB | residentFast 2502MB
[task 2017-11-16T19:56:13.966Z] 19:56:13 INFO - TEST-OK | browser/components/extensions/test/browser/test-oop-extensions/browser_ext_windows_create_params.js | took 2212ms
[task 2017-11-16T19:56:14.151Z] 19:56:14 INFO - checking window state
[task 2017-11-16T19:56:14.791Z] 19:56:14 INFO - TEST-START | browser/components/extensions/test/browser/test-oop-extensions/browser_ext_windows_create_tabId.js
[task 2017-11-16T19:56:28.217Z] 19:56:28 INFO - GECKO(1131) | IPDL protocol error: Handler returned error code!
[task 2017-11-16T19:56:28.221Z] 19:56:28 INFO - GECKO(1131) | ###!!! [Parent][DispatchAsyncMessage] Error: PLayerTransaction::Msg_ReleaseLayer Processing error: message was deserialized, but the handler returned false (indicating failure)
[task 2017-11-16T19:56:28.222Z] 19:56:28 INFO - GECKO(1131) | IPDL protocol error: Handler returned error code!
[task 2017-11-16T19:56:28.222Z] 19:56:28 INFO - GECKO(1131) | ###!!! [Parent][DispatchAsyncMessage] Error: PLayerTransaction::Msg_ReleaseLayer Processing error: message was deserialized, but the handler returned false (indicating failure)
[task 2017-11-16T19:56:28.223Z] 19:56:28 INFO - GECKO(1131) | IPDL protocol error: Handler returned error code!
[task 2017-11-16T19:56:28.223Z] 19:56:28 INFO - GECKO(1131) | ###!!! [Parent][DispatchAsyncMessage] Error: PLayerTransaction::Msg_ReleaseLayer Processing error: message was deserialized, but the handler returned false (indicating failure)
[task 2017-11-16T19:56:28.223Z] 19:56:28 INFO - GECKO(1131) | IPDL protocol error: Handler returned error code!
[task 2017-11-16T19:56:28.224Z] 19:56:28 INFO - GECKO(1131) | ###!!! [Parent][DispatchAsyncMessage] Error: PLayerTransaction::Msg_ReleaseLayer Processing error: message was deserialized, but the handler returned false (indicating failure)
[task 2017-11-16T19:56:28.224Z] 19:56:28 INFO - GECKO(1131) | IPDL protocol error: Handler returned error code!
[task 2017-11-16T19:56:28.225Z] 19:56:28 INFO - GECKO(1131) | ###!!! [Parent][DispatchAsyncMessage] Error: PLayerTransaction::Msg_ReleaseLayer Processing error: message was deserialized, but the handler returned false (indicating failure)
[task 2017-11-16T19:56:45.721Z] 19:56:45 INFO - GECKO(1131) | =================================================================
[task 2017-11-16T19:56:45.750Z] 19:56:45 ERROR - GECKO(1131) | ==1182==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000e3b00 at pc 0x00000042822f bp 0x7ffe05d93090 sp 0x7ffe05d92838
[task 2017-11-16T19:56:45.750Z] 19:56:45 INFO - GECKO(1131) | READ of size 2 at 0x6150000e3b00 thread T0 (Web Content)
[task 2017-11-16T19:56:45.798Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: failed to fork (errno 12)
[task 2017-11-16T19:56:45.800Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: failed to fork (errno 12)
[task 2017-11-16T19:56:45.805Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: failed to fork (errno 12)
[task 2017-11-16T19:56:45.914Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: failed to fork (errno 12)
[task 2017-11-16T19:56:45.919Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: failed to fork (errno 12)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: Failed to use and restart external symbolizer!
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #0 0x42822e (/builds/worker/workspace/build/application/firefox/firefox+0x42822e)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #1 0x7f4c18fde558 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e8558)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #2 0x7f4c18fdb934 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e5934)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #3 0x7f4c0fef5a8b (/builds/worker/workspace/build/application/firefox/libxul.so+0x36ffa8b)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #4 0x7f4c18fe12ae (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7eb2ae)
[task 2017-11-16T19:56:45.921Z] 19:56:45 INFO - GECKO(1131) |     #5 0x7f4c0e927ae1 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2131ae1)
[task 2017-11-16T19:56:45.924Z] 19:56:45 INFO - GECKO(1131) |     #6 0x7f4c0e94d416 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2157416)
[task 2017-11-16T19:56:45.927Z] 19:56:45 INFO - GECKO(1131) |     #7 0x7f4c0e967d98 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2171d98)
[task 2017-11-16T19:56:45.929Z] 19:56:45 INFO - GECKO(1131) |     #8 0x7f4c0f741131 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2f4b131)
[task 2017-11-16T19:56:45.934Z] 19:56:45 INFO - GECKO(1131) |     #9 0x7f4c0f6a18ab (/builds/worker/workspace/build/application/firefox/libxul.so+0x2eab8ab)
[task 2017-11-16T19:56:45.934Z] 19:56:45 INFO - GECKO(1131) |     #10 0x7f4c151a46df (/builds/worker/workspace/build/application/firefox/libxul.so+0x89ae6df)
[task 2017-11-16T19:56:45.934Z] 19:56:45 INFO - GECKO(1131) |     #11 0x7f4c194d9557 (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce3557)
[task 2017-11-16T19:56:45.936Z] 19:56:45 INFO - GECKO(1131) |     #12 0x7f4c0f6a18ab (/builds/worker/workspace/build/application/firefox/libxul.so+0x2eab8ab)
[task 2017-11-16T19:56:45.939Z] 19:56:45 INFO - GECKO(1131) |     #13 0x7f4c194d8f0a (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce2f0a)
[task 2017-11-16T19:56:45.939Z] 19:56:45 INFO - GECKO(1131) |     #14 0x4ebb0e (/builds/worker/workspace/build/application/firefox/firefox+0x4ebb0e)
[task 2017-11-16T19:56:45.941Z] 19:56:45 INFO - GECKO(1131) |     #15 0x7f4c2ced682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
[task 2017-11-16T19:56:45.942Z] 19:56:45 INFO - GECKO(1131) |     #16 0x41d3f8 (/builds/worker/workspace/build/application/firefox/firefox+0x41d3f8)
[task 2017-11-16T19:56:45.943Z] 19:56:45 INFO - GECKO(1131) | 0x6150000e3b00 is located 0 bytes inside of 512-byte region [0x6150000e3b00,0x6150000e3d00)
[task 2017-11-16T19:56:45.943Z] 19:56:45 INFO - GECKO(1131) | freed by thread T0 (Web Content) here:
[task 2017-11-16T19:56:45.944Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4bb92b (/builds/worker/workspace/build/application/firefox/firefox+0x4bb92b)
[task 2017-11-16T19:56:45.945Z] 19:56:45 INFO - GECKO(1131) |     #1 0x7f4c0f8e2c69 (/builds/worker/workspace/build/application/firefox/libxul.so+0x30ecc69)
[task 2017-11-16T19:56:45.946Z] 19:56:45 INFO - GECKO(1131) |     #2 0x7f4c18fe0bdb (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7eabdb)
[task 2017-11-16T19:56:45.947Z] 19:56:45 INFO - GECKO(1131) |     #3 0x7f4c18fda0bb (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e40bb)
[task 2017-11-16T19:56:45.948Z] 19:56:45 INFO - GECKO(1131) |     #4 0x7f4c18fe155e (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7eb55e)
[task 2017-11-16T19:56:45.949Z] 19:56:45 INFO - GECKO(1131) |     #5 0x7f4c0e96445b (/builds/worker/workspace/build/application/firefox/libxul.so+0x216e45b)
[task 2017-11-16T19:56:45.950Z] 19:56:45 INFO - GECKO(1131) |     #6 0x7f4c0e927cf1 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2131cf1)
[task 2017-11-16T19:56:45.951Z] 19:56:45 INFO - GECKO(1131) |     #7 0x7f4c0e94d416 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2157416)
[task 2017-11-16T19:56:45.951Z] 19:56:45 INFO - GECKO(1131) |     #8 0x7f4c0e967d98 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2171d98)
[task 2017-11-16T19:56:45.952Z] 19:56:45 INFO - GECKO(1131) |     #9 0x7f4c0f741131 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2f4b131)
[task 2017-11-16T19:56:45.953Z] 19:56:45 INFO - GECKO(1131) |     #10 0x7f4c0f6a18ab (/builds/worker/workspace/build/application/firefox/libxul.so+0x2eab8ab)
[task 2017-11-16T19:56:45.954Z] 19:56:45 INFO - GECKO(1131) |     #11 0x7f4c151a46df (/builds/worker/workspace/build/application/firefox/libxul.so+0x89ae6df)
[task 2017-11-16T19:56:45.955Z] 19:56:45 INFO - GECKO(1131) |     #12 0x7f4c194d9557 (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce3557)
[task 2017-11-16T19:56:45.956Z] 19:56:45 INFO - GECKO(1131) |     #13 0x7f4c0f6a18ab (/builds/worker/workspace/build/application/firefox/libxul.so+0x2eab8ab)
[task 2017-11-16T19:56:45.957Z] 19:56:45 INFO - GECKO(1131) |     #14 0x7f4c194d8f0a (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce2f0a)
[task 2017-11-16T19:56:45.958Z] 19:56:45 INFO - GECKO(1131) |     #15 0x4ebb0e (/builds/worker/workspace/build/application/firefox/firefox+0x4ebb0e)
[task 2017-11-16T19:56:45.958Z] 19:56:45 INFO - GECKO(1131) |     #16 0x7f4c2ced682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
[task 2017-11-16T19:56:45.959Z] 19:56:45 INFO - GECKO(1131) | previously allocated by thread T12 (BgHangManager) here:
[task 2017-11-16T19:56:45.960Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4bbc7c (/builds/worker/workspace/build/application/firefox/firefox+0x4bbc7c)
[task 2017-11-16T19:56:45.961Z] 19:56:45 INFO - GECKO(1131) |     #1 0x7f4c110846f5 (/builds/worker/workspace/build/application/firefox/libxul.so+0x488e6f5)
[task 2017-11-16T19:56:45.962Z] 19:56:45 INFO - GECKO(1131) |     #2 0x7f4c18fdf695 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e9695)
[task 2017-11-16T19:56:45.963Z] 19:56:45 INFO - GECKO(1131) |     #3 0x7f4c18fd49e3 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7de9e3)
[task 2017-11-16T19:56:45.963Z] 19:56:45 INFO - GECKO(1131) |     #4 0x7f4c18fd435f (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7de35f)
[task 2017-11-16T19:56:45.964Z] 19:56:45 INFO - GECKO(1131) |     #5 0x7f4c18fd3b49 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7ddb49)
[task 2017-11-16T19:56:45.965Z] 19:56:45 INFO - GECKO(1131) |     #6 0x7f4c29bd7513 (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x7a513)
[task 2017-11-16T19:56:45.966Z] 19:56:45 INFO - GECKO(1131) |     #7 0x7f4c2df346b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2017-11-16T19:56:45.966Z] 19:56:45 INFO - GECKO(1131) | Thread T12 (BgHangManager) created by T0 (Web Content) here:
[task 2017-11-16T19:56:45.967Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4a4056 (/builds/worker/workspace/build/application/firefox/firefox+0x4a4056)
[task 2017-11-16T19:56:45.968Z] 19:56:45 INFO - GECKO(1131) |     #1 0x7f4c29bd42b9 (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x772b9)
[task 2017-11-16T19:56:45.969Z] 19:56:45 INFO - GECKO(1131) |     #2 0x7f4c29bd3ece (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x76ece)
[task 2017-11-16T19:56:45.970Z] 19:56:45 INFO - GECKO(1131) |     #3 0x7f4c18fd704e (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e104e)
[task 2017-11-16T19:56:45.970Z] 19:56:45 INFO - GECKO(1131) |     #4 0x7f4c0e9a3771 (/builds/worker/workspace/build/application/firefox/libxul.so+0x21ad771)
[task 2017-11-16T19:56:45.971Z] 19:56:45 INFO - GECKO(1131) |     #5 0x7f4c194d84be (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce24be)
[task 2017-11-16T19:56:45.972Z] 19:56:45 INFO - GECKO(1131) |     #6 0x7f4c0f74bad4 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2f55ad4)
[task 2017-11-16T19:56:45.973Z] 19:56:45 INFO - GECKO(1131) |     #7 0x7f4c149f3cac (/builds/worker/workspace/build/application/firefox/libxul.so+0x81fdcac)
[task 2017-11-16T19:56:45.974Z] 19:56:45 INFO - GECKO(1131) |     #8 0x7f4c194d8ef8 (/builds/worker/workspace/build/application/firefox/libxul.so+0xcce2ef8)
[task 2017-11-16T19:56:45.975Z] 19:56:45 INFO - GECKO(1131) |     #9 0x4ebb0e (/builds/worker/workspace/build/application/firefox/firefox+0x4ebb0e)
[task 2017-11-16T19:56:45.976Z] 19:56:45 INFO - GECKO(1131) |     #10 0x7f4c2ced682f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
[task 2017-11-16T19:56:45.976Z] 19:56:45 INFO - GECKO(1131) | SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/firefox+0x42822e)
[task 2017-11-16T19:56:45.978Z] 19:56:45 INFO - GECKO(1131) | Shadow bytes around the buggy address:
[task 2017-11-16T19:56:45.978Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.979Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.979Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.980Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.980Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-11-16T19:56:45.981Z] 19:56:45 INFO - GECKO(1131) | =>0x0c2a80014760:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.981Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.982Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.982Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a80014790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.983Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a800147a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-11-16T19:56:45.983Z] 19:56:45 INFO - GECKO(1131) |   0x0c2a800147b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-11-16T19:56:45.983Z] 19:56:45 INFO - GECKO(1131) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-16T19:56:45.984Z] 19:56:45 INFO - GECKO(1131) |   Addressable:           00
[task 2017-11-16T19:56:45.984Z] 19:56:45 INFO - GECKO(1131) |   Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-16T19:56:45.985Z] 19:56:45 INFO - GECKO(1131) |   Heap left redzone:       fa
[task 2017-11-16T19:56:45.985Z] 19:56:45 INFO - GECKO(1131) |   Heap right redzone:      fb
[task 2017-11-16T19:56:45.986Z] 19:56:45 INFO - GECKO(1131) |   Freed heap region:       fd
[task 2017-11-16T19:56:45.986Z] 19:56:45 INFO - GECKO(1131) |   Stack left redzone:      f1
[task 2017-11-16T19:56:45.986Z] 19:56:45 INFO - GECKO(1131) |   Stack mid redzone:       f2
[task 2017-11-16T19:56:45.987Z] 19:56:45 INFO - GECKO(1131) |   Stack right redzone:     f3
[task 2017-11-16T19:56:45.988Z] 19:56:45 INFO - GECKO(1131) |   Stack partial redzone:   f4
[task 2017-11-16T19:56:45.988Z] 19:56:45 INFO - GECKO(1131) |   Stack after return:      f5
[task 2017-11-16T19:56:45.988Z] 19:56:45 INFO - GECKO(1131) |   Stack use after scope:   f8
[task 2017-11-16T19:56:45.989Z] 19:56:45 INFO - GECKO(1131) |   Global redzone:          f9
[task 2017-11-16T19:56:45.989Z] 19:56:45 INFO - GECKO(1131) |   Global init order:       f6
[task 2017-11-16T19:56:45.989Z] 19:56:45 INFO - GECKO(1131) |   Poisoned by user:        f7
[task 2017-11-16T19:56:45.990Z] 19:56:45 INFO - GECKO(1131) |   Container overflow:      fc
[task 2017-11-16T19:56:45.990Z] 19:56:45 INFO - GECKO(1131) |   Array cookie:            ac
[task 2017-11-16T19:56:45.991Z] 19:56:45 INFO - GECKO(1131) |   Intra object redzone:    bb
[task 2017-11-16T19:56:45.991Z] 19:56:45 INFO - GECKO(1131) |   ASan internal:           fe
[task 2017-11-16T19:56:45.992Z] 19:56:45 INFO - GECKO(1131) |   Left alloca redzone:     ca
[task 2017-11-16T19:56:45.992Z] 19:56:45 INFO - GECKO(1131) |   Right alloca redzone:    cb
[task 2017-11-16T19:56:45.993Z] 19:56:45 INFO - GECKO(1131) | ==1182==ABORTING
Is there any way to get a symbolized stack for these? Intermittent ASAN crashes without a testcase are hard enough to make progress on.
Flags: needinfo?(aryx.bugmail)
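The question above, turning the unsymbolized report into something a symbolizer can work on, is the first step on any intermittent ASan failure like this one. What follows is an added example, not code from this bug, from the reporter, or from Firefox: a small parser that strips the `[task ...] ... GECKO(pid) |` CI prefix, recovers the access, freed-by and previously-allocated-by stacks as (object, offset) pairs, emits them in the one-address-per-line form llvm-symbolizer reads on stdin, and pulls out the two facts the later triage comments turn on (whether the read lies inside the freed block, and whether the block was allocated on a different thread from the one that freed and re-read it). The sample log is constructed from a handful of lines of the report above; the llvm-symbolizer run itself needs the unstripped binaries of the same build and is left to the reader.

```python
"""Parse an unsymbolized AddressSanitizer report out of a CI log and prepare it
for offline symbolization.  Added example; not code from the bug or Firefox."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a few lines in the shape of the report above, CI prefix included.
SAMPLE_LOG = """\
[task 2017-11-16T19:56:45.750Z] 19:56:45 ERROR - GECKO(1131) | ==1182==ERROR: AddressSanitizer: heap-use-after-free on address 0x6150000e3b00 at pc 0x00000042822f bp 0x7ffe05d93090 sp 0x7ffe05d92838
[task 2017-11-16T19:56:45.750Z] 19:56:45 INFO - GECKO(1131) | READ of size 2 at 0x6150000e3b00 thread T0 (Web Content)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) | ==1182==WARNING: Failed to use and restart external symbolizer!
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #0 0x42822e (/builds/worker/workspace/build/application/firefox/firefox+0x42822e)
[task 2017-11-16T19:56:45.920Z] 19:56:45 INFO - GECKO(1131) |     #1 0x7f4c18fde558 (/builds/worker/workspace/build/application/firefox/libxul.so+0xc7e8558)
[task 2017-11-16T19:56:45.943Z] 19:56:45 INFO - GECKO(1131) | 0x6150000e3b00 is located 0 bytes inside of 512-byte region [0x6150000e3b00,0x6150000e3d00)
[task 2017-11-16T19:56:45.943Z] 19:56:45 INFO - GECKO(1131) | freed by thread T0 (Web Content) here:
[task 2017-11-16T19:56:45.944Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4bb92b (/builds/worker/workspace/build/application/firefox/firefox+0x4bb92b)
[task 2017-11-16T19:56:45.959Z] 19:56:45 INFO - GECKO(1131) | previously allocated by thread T12 (BgHangManager) here:
[task 2017-11-16T19:56:45.960Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4bbc7c (/builds/worker/workspace/build/application/firefox/firefox+0x4bbc7c)
[task 2017-11-16T19:56:45.966Z] 19:56:45 INFO - GECKO(1131) | Thread T12 (BgHangManager) created by T0 (Web Content) here:
[task 2017-11-16T19:56:45.967Z] 19:56:45 INFO - GECKO(1131) |     #0 0x4a4056 (/builds/worker/workspace/build/application/firefox/firefox+0x4a4056)
[task 2017-11-16T19:56:45.976Z] 19:56:45 INFO - GECKO(1131) | SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/firefox+0x42822e)
"""

_PREFIX = re.compile(r"^\[task [^\]]+\] \S+ +\S+ +- GECKO\(\d+\) \| ?")  # CI wrapper
_HEADER = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address 0x([0-9a-f]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+) thread (T\d+) \(([^)]*)\)")
_FRAME = re.compile(r"^#(\d+) 0x[0-9a-f]+ \((\S+?)\+0x([0-9a-f]+)\)$")  # unsymbolized frame
_REGION = re.compile(r"is located (\d+) bytes (inside|to the left|to the right) of (\d+)-byte region \[0x([0-9a-f]+),")
_FREED = re.compile(r"^freed by thread (T\d+) \(([^)]*)\) here:")
_ALLOC = re.compile(r"^previously allocated by thread (T\d+) \(([^)]*)\) here:")


@dataclass
class Frame:
    module: str   # object the pc fell in, exactly as ASan printed it
    offset: int   # offset inside that object (the "+0x..." part)


@dataclass
class Stack:
    thread: str                                   # e.g. "T0"
    thread_name: str                              # e.g. "Web Content"
    frames: List[Frame] = field(default_factory=list)


@dataclass
class Report:
    bug_type: str = ""
    address: int = 0
    op: str = ""
    size: int = 0
    region_offset: int = 0   # distance of the bad address from the region
    region_side: str = ""    # "inside", "to the left" or "to the right"
    region_size: int = 0
    region_start: int = 0
    stacks: Dict[str, Stack] = field(default_factory=dict)  # access / freed / allocated


def parse_asan(log: str) -> Report:
    """Single pass; a frame belongs to whichever stack header was seen last."""
    rep = Report()
    current: Optional[Stack] = None
    for raw in log.splitlines():
        line = _PREFIX.sub("", raw).strip()
        if m := _HEADER.search(line):
            rep.bug_type, rep.address = m.group(1), int(m.group(2), 16)
        elif m := _ACCESS.match(line):
            rep.op, rep.size = m.group(1), int(m.group(2))
            current = rep.stacks["access"] = Stack(m.group(4), m.group(5))
        elif m := _FREED.match(line):
            current = rep.stacks["freed"] = Stack(m.group(1), m.group(2))
        elif m := _ALLOC.match(line):
            current = rep.stacks["allocated"] = Stack(m.group(1), m.group(2))
        elif m := _REGION.search(line):
            rep.region_offset, rep.region_side = int(m.group(1)), m.group(2)
            rep.region_size, rep.region_start = int(m.group(3)), int(m.group(4), 16)
            current = None
        elif line.endswith("here:"):
            current = None   # e.g. "Thread T12 ... created by T0 here:" is not a lifetime stack
        elif (m := _FRAME.match(line)) and current is not None:
            current.frames.append(Frame(m.group(2), int(m.group(3), 16)))
    return rep


def symbolizer_input(rep: Report) -> List[str]:
    """One '"<object>" 0x<offset>' line per frame, the per-line form llvm-symbolizer
    reads on stdin; run it against the unstripped build that produced the report."""
    out: List[str] = []
    for name in ("access", "freed", "allocated"):
        for f in rep.stacks.get(name, Stack("", "")).frames:
            out.append(f'"{f.module}" 0x{f.offset:x}')
    return out


def triage(rep: Report) -> Dict[str, object]:
    """What a triager wants before any symbols: is the access wholly inside the
    freed block, and was the block allocated on a thread other than the one
    that freed and re-read it (a lifetime handed across threads)."""
    threads = {name: s.thread for name, s in rep.stacks.items()}
    inside = rep.region_side == "inside" and rep.region_offset + rep.size <= rep.region_size
    alloc = threads.get("allocated")
    return {
        "bug": rep.bug_type,
        "access": f"{rep.op} of {rep.size} at 0x{rep.address:x}",
        "access_inside_freed_block": inside,
        "threads": threads,
        "allocated_on_other_thread": alloc is not None and alloc != threads.get("access"),
    }


if __name__ == "__main__":
    report = parse_asan(SAMPLE_LOG)
    print(triage(report))
    print("\n".join(symbolizer_input(report)))
```

The parser deliberately drops the "Thread T12 ... created by T0 here:" frames: they describe how the allocating thread came to exist, not the lifetime of the freed block, and feeding them to the symbolizer alongside the three real stacks is a common way to misread a report. The fork failures (errno 12, ENOMEM) that preceded "Failed to use and restart external symbolizer!" in the log above are exactly the case this offline path covers.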
That log is all I got. Maybe jseward has information on how to get a symbolized version of that stack.
Flags: needinfo?(aryx.bugmail) → needinfo?(jseward)
I don't know, but Decoder probably does know.
Flags: needinfo?(jseward) → needinfo?(choller)
Attached file Symbolized ASan trace
Flags: needinfo?(choller)
Looks pretty interesting because it involves BgHangManager. Might be very relevant for stability.
Component: General → WebExtensions: General
Keywords: sec-moderate
Product: Core → Toolkit
Summary: Intermittent SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/firefox+0x42822e) → Intermittent SUMMARY: AddressSanitizer: heap-use-after-free under mozilla::dom::PContentChild::SendBHRThreadHang while testing oop-extensions
Group: core-security → toolkit-core-security
It was suggested in our triage that although the WebExtensions code is tripping this, the real bug is in BgHangManager; for that reason I'm moving it to what is hopefully a more relevant component.
Group: toolkit-core-security → core-security
Component: WebExtensions: General → XPCOM
Product: Toolkit → Core
This could be a dupe of bug 1424766 that Nika has a fix for. It is at least in the ball park.
Depends on: 1424766
Yeah, this looks like a dupe of bug 1424766, given that it's an out of bounds read on data allocated on the BHR thread. We don't allocate too much data there.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
(In reply to Nika Layzell [:mystor] from comment #9)
> Yeah, this looks like a dupe of bug 1424766, given that it's an out of bounds
> read on data allocated on the BHR thread. We don't allocate too much data
> there.

Yup, looks even more like a dup once I noticed the symbolicated stack. The change should fix it :-).
No longer depends on: 1424766
Group: core-security