Closed Bug 1419608 Opened 7 years ago Closed 7 years ago

AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32 in isSome

Categories: Core :: Graphics: ImageLib
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical

Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla59
Tracking Status: firefox59 --- fixed

People
Reporter: decoder, Assigned: tnikkel

References
Blocks 1 open bug

Attachments
1 file

I got the following failure in multiple places when I tried to land Clang 6 for ASan:

REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/dom/media/test/crashtests/1411322.html | 590 / 3491 (16%)
=================================================================
==1050==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffff57d5950 at pc 0x7fcd9fca8f11 bp 0x7ffff57d5890 sp 0x7ffff57d5888
READ of size 1 at 0x7ffff57d5950 thread T0 (Web Content)
    #0 0x7fcd9fca8f10 in isSome /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32
    #1 0x7fcd9fca8f10 in operator bool /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:223
    #2 0x7fcd9fca8f10 in imgMemoryReporter::ReportSurfaces(nsIHandleReportCallback*, nsISupports*, nsTSubstring<char> const&, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:320
    #3 0x7fcd9fca6020 in imgMemoryReporter::ReportImage(nsIHandleReportCallback*, nsISupports*, char const*, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:272:5
    #4 0x7fcd9fca568d in imgMemoryReporter::ReportCounterArray(nsIHandleReportCallback*, nsISupports*, nsTArray<mozilla::image::ImageMemoryCounter>&, char const*, bool) /builds/worker/workspace/build/src/image/imgLoader.cpp:232:9
    #5 0x7fcd9fc81c12 in imgMemoryReporter::CollectReports(nsIHandleReportCallback*, nsISupports*, bool) /builds/worker/workspace/build/src/image/imgLoader.cpp:109:5
    #6 0x7fcd9cfe5419 in operator() /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:1777:17
    #7 0x7fcd9cfe5419 in mozilla::detail::RunnableFunction<nsMemoryReporterManager::DispatchReporter(nsIMemoryReporter*, bool, nsIHandleReportCallback*, nsISupports*, bool)::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:529
    #8 0x7fcd9d117cd4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #9 0x7fcd9d133850 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #10 0x7fcd9df911ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #11 0x7fcd9deedbd9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #12 0x7fcd9deedbd9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #13 0x7fcd9deedbd9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #14 0x7fcda42ab91a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #15 0x7fcda89c0acb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #16 0x7fcd9deedbd9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #17 0x7fcd9deedbd9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #18 0x7fcd9deedbd9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #19 0x7fcda89c04d7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #20 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #21 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #22 0x7fcdbba3582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #23 0x41e078 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e078)
Address 0x7ffff57d5950 is located in stack of thread T0 (Web Content) at offset 176 in frame
    #0 0x7fcd9fca729f in imgMemoryReporter::ReportSurfaces(nsIHandleReportCallback*, nsISupports*, nsTSubstring<char> const&, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:281
  This frame has 3 object(s):
    [32, 120) 'surfacePathPrefix' (line 283)
    [160, 192) 'ref.tmp' (line 318) <== Memory access at offset 176 is inside this variable
    [224, 376) 'aspect' (line 329)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32 in isSome
Shadow bytes around the buggy address:
  0x10007eaf2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2b10: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x10007eaf2b20: 00 00 00 f2 f2 f2 f2 f2 f8 f8[f8]f8 f2 f2 f2 f2
  0x10007eaf2b30: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x10007eaf2b40: f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
  0x10007eaf2b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007eaf2b70: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1050==ABORTING
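An added example, not part of the bug report: the arithmetic ASan did to produce the shadow dump above, carried out by hand so the frame layout and the highlighted `[f8]` byte can be cross-checked. The bad address, the "offset 176 in frame" note, the three frame objects and the four shadow rows around the access are copied from the report; the mapping constants are ASan's defaults on x86-64 Linux (shadow = (addr >> 3) + 0x7fff8000, one shadow byte per eight application bytes). Function names are this example's own.

```cpp
// Added example (not from the bug report or Gecko): decoding the ASan report
// above by hand.  Addresses, frame layout and shadow rows are copied from the
// report; the mapping constants are ASan's defaults on x86-64 Linux.
#include <cstdint>
#include <cstdio>
#include <cstring>

// Default x86-64 Linux mapping: Shadow = (Addr >> 3) + 0x7fff8000.
constexpr uintptr_t kShadowShift = 3;
constexpr uintptr_t kShadowOffset = 0x7fff8000;

constexpr uintptr_t ShadowAddress(uintptr_t aAddr) {
  return (aAddr >> kShadowShift) + kShadowOffset;
}

// Values from the report.
constexpr uintptr_t kBadAddress = 0x7ffff57d5950;
constexpr unsigned kBadFrameOffset = 176;

// Shadow rows printed in the report that bracket the bad address.
struct ShadowRow { uintptr_t base; uint8_t bytes[16]; };
static const ShadowRow kShadowRows[] = {
  {0x10007eaf2b10, {0x00,0x00,0x00,0x00,0xf1,0xf1,0xf1,0xf1,
                    0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00}},
  {0x10007eaf2b20, {0x00,0x00,0x00,0xf2,0xf2,0xf2,0xf2,0xf2,
                    0xf8,0xf8,0xf8,0xf8,0xf2,0xf2,0xf2,0xf2}},
  {0x10007eaf2b30, {0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,
                    0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8,0xf8}},
  {0x10007eaf2b40, {0xf8,0xf8,0xf8,0xf3,0xf3,0xf3,0xf3,0xf3,
                    0xf3,0xf3,0xf3,0xf3,0x00,0x00,0x00,0x00}},
};

// Frame objects as listed under "This frame has 3 object(s)".
struct FrameObject { const char* name; unsigned begin; unsigned end; };
static const FrameObject kFrameObjects[] = {
  {"surfacePathPrefix", 32, 120},
  {"ref.tmp", 160, 192},
  {"aspect", 224, 376},
};

// Shadow byte for an application address, or -1 if it is outside the dump.
int ShadowByteFor(uintptr_t aAddr) {
  uintptr_t shadow = ShadowAddress(aAddr);
  for (const ShadowRow& row : kShadowRows) {
    if (shadow >= row.base && shadow < row.base + 16) {
      return row.bytes[shadow - row.base];
    }
  }
  return -1;
}

// The check ASan's instrumentation performs before a one-byte access:
// 0 means the whole 8-byte granule is addressable, 1..7 means only the first
// k bytes of it are, anything else is a poison code.
bool IsPoisonedByte(uintptr_t aAddr) {
  int k = ShadowByteFor(aAddr);
  if (k <= 0) return false;
  if (k < 8) return (aAddr & 7) >= static_cast<uintptr_t>(k);
  return true;
}

const char* DescribeShadow(int aByte) {
  switch (aByte) {
    case 0x00: return "addressable";
    case 0xf1: return "stack left redzone";
    case 0xf2: return "stack mid redzone";
    case 0xf3: return "stack right redzone";
    case 0xf8: return "stack use after scope";
    default:   return "other";
  }
}

// Start of the ReportSurfaces frame, recovered from "offset 176 in frame".
constexpr uintptr_t FrameBase() { return kBadAddress - kBadFrameOffset; }

// Name of the frame object containing a frame offset, or nullptr.
const char* ObjectAtFrameOffset(unsigned aOffset) {
  for (const FrameObject& obj : kFrameObjects) {
    if (aOffset >= obj.begin && aOffset < obj.end) return obj.name;
  }
  return nullptr;
}

// True if every shadow byte covering the named frame object equals aExpected.
// Object bounds are multiples of 8, so each granule belongs to one object.
bool ObjectShadowIs(const char* aName, int aExpected) {
  for (const FrameObject& obj : kFrameObjects) {
    if (std::strcmp(obj.name, aName) != 0) continue;
    for (unsigned off = obj.begin; off < obj.end; off += 8) {
      if (ShadowByteFor(FrameBase() + off) != aExpected) return false;
    }
    return true;
  }
  return false;
}

int main() {
  int k = ShadowByteFor(kBadAddress);
  std::printf("shadow of %#lx is %#lx -> %#x (%s), access %s\n",
              (unsigned long)kBadAddress, (unsigned long)ShadowAddress(kBadAddress),
              k, DescribeShadow(k), IsPoisonedByte(kBadAddress) ? "poisoned" : "ok");
  std::printf("offset %u lies in '%s'\n", kBadFrameOffset,
              ObjectAtFrameOffset(kBadFrameOffset));
  return 0;
}
```

Two things fall out of the check that the report text alone does not make obvious: the four `f8` bytes between the `f2` runs cover exactly the 32-byte `ref.tmp` slot, so the access at offset 176 is the third granule of the dead temporary; and `aspect` (declared later, at line 329) is also `f8`, because ASan marks a slot as use-after-scope both before its variable's constructor runs and after its destructor runs. A read of `aspect` before line 329 would be reported with the same label.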
Attached patch refcopysvg
Assignee: nobody → tnikkel
Attachment #8930765 - Flags: review?(choller)
Attachment #8930765 - Flags: review?(choller) → review+
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/41717d086ca1
Make SurfaceKey::SVGContext return a reference instead of a copy. r=decoder
Note to future me: always make sure the things that should be refs are actually refs. Thanks for taking care of this!
https://hg.mozilla.org/mozilla-central/rev/41717d086ca1
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
No longer blocks: asan-nightly-project
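An added example, not Gecko code, of the pattern the fix addresses. The report names a temporary (`ref.tmp`, line 318) that is dead by the time `isSome` runs at line 320, and the patch changes `SurfaceKey::SVGContext` to return a reference instead of a copy. The stand-ins below (`Maybe`, `SVGImageContext`, `SurfaceKey`) are minimal and the getter names `SVGContextByValue`/`SVGContextByRef` are hypothetical, chosen to show the before and after shapes side by side. Rather than reading through a dangling reference (undefined behaviour, and the very thing ASan flagged), each scenario counts how many `Maybe` objects were destroyed between binding the reference and using it.

```cpp
// Added example (not Gecko code): the dangling-reference pattern behind
// "return a reference instead of a copy".  Maybe, SVGImageContext and
// SurfaceKey are minimal stand-ins; SVGContextByValue/SVGContextByRef are
// hypothetical names for the getter's before/after shapes.
#include <cstdio>

// Counts Maybe destructions so each scenario can report, without reading
// through a possibly dangling reference, whether a temporary has died.
static int g_maybeDestructions = 0;

// Stand-in for mozilla::Maybe<T>: a value slot and an "engaged" flag.
template <typename T>
class Maybe {
 public:
  explicit Maybe(const T& aValue) : mStorage(aValue), mIsSome(true) {}
  Maybe(const Maybe& aOther) = default;
  ~Maybe() { ++g_maybeDestructions; }

  bool isSome() const { return mIsSome; }
  explicit operator bool() const { return isSome(); }
  // Hands out a reference INTO this object; valid only while it lives.
  const T& ref() const { return mStorage; }

 private:
  T mStorage;
  bool mIsSome;
};

struct CSSIntSize { int width; int height; };

// Stand-in for SVGImageContext.
struct SVGImageContext {
  CSSIntSize mViewportSize;
  const CSSIntSize& GetViewportSize() const { return mViewportSize; }
};

// Stand-in for SurfaceKey with the getter in both shapes side by side.
class SurfaceKey {
 public:
  explicit SurfaceKey(const Maybe<SVGImageContext>& aContext)
    : mSVGContext(aContext) {}

  // Before the fix: returns a copy, i.e. a temporary that is destroyed at
  // the end of the full-expression it appears in.
  Maybe<SVGImageContext> SVGContextByValue() const { return mSVGContext; }

  // After the fix: a reference to the member, alive as long as the key is.
  const Maybe<SVGImageContext>& SVGContextByRef() const { return mSVGContext; }

 private:
  Maybe<SVGImageContext> mSVGContext;
};

static SurfaceKey MakeKey() {
  SVGImageContext context{CSSIntSize{16, 16}};
  return SurfaceKey(Maybe<SVGImageContext>(context));
}

// Each scenario returns how many Maybe objects were destroyed between binding
// `context` and the point where code would use it.  Non-zero means `context`
// already refers into a dead temporary, which is what ASan reported at
// imgLoader.cpp:320 for the 'ref.tmp' created at line 318.

int DiedBeforeUse_CopyThenRef() {
  SurfaceKey key = MakeKey();
  int before = g_maybeDestructions;
  // ref() is a member call returning a reference, so reference lifetime
  // extension does NOT apply to the temporary Maybe: it dies at the semicolon.
  const SVGImageContext& context = key.SVGContextByValue().ref();
  int died = g_maybeDestructions - before;
  (void)context;  // deliberately not read: that read is the use-after-scope
  return died;
}

int DiedBeforeUse_RefGetter() {
  SurfaceKey key = MakeKey();
  int before = g_maybeDestructions;
  // No temporary at all: `context` refers into `key`'s own member.
  const SVGImageContext& context = key.SVGContextByRef().ref();
  int died = g_maybeDestructions - before;
  (void)context;
  return died;
}

// If a getter must stay by-value, bind the whole temporary to a const
// reference: binding directly to the prvalue extends its lifetime to that
// of the reference.  Chaining .ref() onto it is what breaks the extension.
int DiedBeforeUse_BindWholeTemporary() {
  SurfaceKey key = MakeKey();
  int before = g_maybeDestructions;
  const Maybe<SVGImageContext>& context = key.SVGContextByValue();
  int died = g_maybeDestructions - before;
  (void)context;
  return died;
}

// The post-fix shape used for real: read through the reference.
int ViewportWidthViaRefGetter() {
  SurfaceKey key = MakeKey();
  const Maybe<SVGImageContext>& context = key.SVGContextByRef();
  return context ? context.ref().GetViewportSize().width : -1;
}

int main() {
  std::printf("copy getter + ref(): %d temporary died before use\n",
              DiedBeforeUse_CopyThenRef());
  std::printf("ref getter: %d\n", DiedBeforeUse_RefGetter());
  std::printf("bind whole temporary: %d\n", DiedBeforeUse_BindWholeTemporary());
  std::printf("viewport width via ref getter: %d\n", ViewportWidthViaRefGetter());
  return 0;
}
```

Build with `-fsanitize=address -fsanitize-address-use-after-scope` (on by default in recent Clang, which is why the report surfaced when Clang 6 landed) and add a read through `context` in the first scenario to reproduce a report of the same shape as the one above. The rule of thumb from the fix applies beyond `Maybe`: any accessor that returns by value and is then dereferenced through `.ref()`, `.get()`, `operator*` or `operator->` in the same expression yields a reference into an object that is gone before the next line.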