1440533 - UBSan: member access within address which does not point to an object of type 'mozilla::dom::IDBRequest' dom/indexedDB/IDBRequest.cpp

Status: RESOLVED INCOMPLETE

(Core :: Storage: IndexedDB, defect, P2)

Description

[Tyson Smith [:tsmith]]

This is triggered with regular browsing when built with -fsanitize=vptr

Found with mozilla-central changeset: 404902:169b1ba48437

src/dom/indexedDB/IDBRequest.cpp:395:3: runtime error: member access within address 0x610000359640 which does not point to an object of type 'mozilla::dom::IDBRequest'
0x610000359640: note: object is of type 'mozilla::dom::IDBWrapperCache'
 59 03 80 3a  70 a4 ac ac 65 7f 00 00  98 a5 ac ac 65 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for 'mozilla::dom::IDBWrapperCache'
    #0 0x7f65a0020daa in mozilla::dom::IDBRequest::cycleCollection::Trace(void*, TraceCallbacks const&, void*) src/dom/indexedDB/IDBRequest.cpp:395:3
    #1 0x7f6595e2fb69 in mozilla::CycleCollectedJSRuntime::RemoveJSHolder(void*) src/xpcom/base/CycleCollectedJSRuntime.cpp:1137:20
    #2 0x7f659ffbcb4c in Drop src/objdir-ff-vptr/dist/include/mozilla/HoldDropJSObjects.h:52:5
    #3 0x7f659ffbcb4c in DropJSObjects<mozilla::dom::IDBWrapperCache> src/objdir-ff-vptr/dist/include/mozilla/HoldDropJSObjects.h:68
    #4 0x7f659ffbcb4c in mozilla::dom::IDBWrapperCache::~IDBWrapperCache() src/dom/indexedDB/IDBWrapperCache.cpp:56
    #5 0x7f65a001d776 in mozilla::dom::IDBRequest::~IDBRequest() src/dom/indexedDB/IDBRequest.cpp:77:1
    #6 0x7f65a001d84d in mozilla::dom::IDBRequest::~IDBRequest() src/dom/indexedDB/IDBRequest.cpp:75:1
    #7 0x7f6595e8b5ed in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25
    #8 0x7f6595e5d925 in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2917:3
    #9 0x7f65991fec39 in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:126:34
    #10 0x7f65960ba955 in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:343:22
    #11 0x7f659606db9a in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1040:14
    #12 0x7f65960af71e in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:517:10
    #13 0x7f65979d0168 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7f6597857a7d in RunHandler src/ipc/chromium/src/base/message_loop.cc:319:3
    #15 0x7f6597857a7d in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #16 0x7f65a0c36d46 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #17 0x7f65a6ac0344 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #18 0x7f65a6dafa2f in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4679:22
    #19 0x7f65a6db398a in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4814:8
    #20 0x7f65a6db51d5 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4906:21
    #21 0x51685a in do_main src/browser/app/nsBrowserApp.cpp:231:22
    #22 0x51685a in main src/browser/app/nsBrowserApp.cpp:304
    #23 0x7f65bd1e11c0 in __libc_start_main /build/glibc-itYbWN/glibc-2.26/csu/../csu/libc-start.c:308
    #24 0x41eef9 in _start (firefox+0x41eef9)

Comment 1

[Marion Daly [:mdaly]]

:janv can you take a look at this please?

Comment 2

[Marion Daly [:mdaly]]

removing old NI and adding to backlog

Comment 3

[Jens Stutte [:jstutte]]

The code in question is no longer in the trunk since quite a while (before 68). This does not guarantee that there is no other underlying cause, but it can be neither reproduced nor investigated through the old trace.