Closed Bug 1440903 Opened 2 years ago Closed 1 year ago

AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0) DON'T USE FOR CLASSIFICATION

Categories: Core :: General, defect, P3
52 Branch
Status: RESOLVED WORKSFORME
People: Reporter: rforbes, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, Whiteboard: [stockwell unknown]
Attachments: 1 file (11.04 KB, application/x-javascript)
found while fuzzing REV 8ea19594df71

==95655==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0)
    #0 0x7f7adab76a73 in mozilla::gfx::SurfaceToPackedBGRA(mozilla::gfx::DataSourceSurface*) /home/worker/workspace/build/src/gfx/2d/DataSurfaceHelpers.cpp:173:26
    #1 0x7f7add572f43 in mozilla::dom::ImageBitmapRenderingContext::GetImageBuffer(int*) /home/worker/workspace/build/src/dom/canvas/ImageBitmapRenderingContext.cpp:153:10
    #2 0x7f7add573402 in mozilla::dom::ImageBitmapRenderingContext::GetInputStream(char const*, char16_t const*, nsIInputStream**) /home/worker/workspace/build/src/dom/canvas/ImageBitmapRenderingContext.cpp:169:38
    #3 0x7f7adb754d8b in mozilla::dom::ImageEncoder::ExtractDataInternal(nsAString_internal const&, nsAString_internal const&, unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, mozilla::layers::Image*, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**, imgIEncoder*) /home/worker/workspace/build/src/dom/base/ImageEncoder.cpp:386:10
    #4 0x7f7adb753edf in mozilla::dom::ImageEncoder::ExtractData(nsAString_internal&, nsAString_internal const&, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits>, nsICanvasRenderingContextInternal*, mozilla::layers::AsyncCanvasRenderer*, nsIInputStream**) /home/worker/workspace/build/src/dom/base/ImageEncoder.cpp:258:10
    #5 0x7f7add9e82e4 in ExtractData /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:754:10
    #6 0x7f7add9e82e4 in mozilla::dom::HTMLCanvasElement::ToDataURLImpl(JSContext*, nsAString_internal const&, JS::Value const&, nsAString_internal&) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:786
    #7 0x7f7add088592 in ToDataURL /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElement.h:181:11
    #8 0x7f7add088592 in mozilla::dom::HTMLCanvasElementBinding::toDataURL(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:290
    #9 0x7f7add4366a9 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2904:13
    #10 0x7f7ae37c6085 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
    #11 0x7f7ae37c6085 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
    #12 0x7f7ae37a648f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
    #13 0x7f7ae37a648f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #14 0x7f7ae378b64d in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
    #15 0x7f7ae37c8572 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:686:15
    #16 0x7f7ae37c8e0b in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:718:12
    #17 0x7f7ae32aa3e4 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4439:19
    #18 0x7f7ae32ab13b in Evaluate /home/worker/workspace/build/src/js/src/jsapi.cpp:4466:12
    #19 0x7f7ae32ab13b in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:4524
    #20 0x7f7adba27c40 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:207:12
    #21 0x7f7adba28d59 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /home/worker/workspace/build/src/dom/base/nsJSUtils.cpp:274:10
    #22 0x7f7adbabf891 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:2193:14
    #23 0x7f7adbabc79e in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1979:10
    #24 0x7f7adbaa3af5 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /home/worker/workspace/build/src/dom/base/nsScriptLoader.cpp:1712:10
    #25 0x7f7adbaa0461 in nsScriptElement::MaybeProcessScript() /home/worker/workspace/build/src/dom/base/nsScriptElement.cpp:149:10
    #26 0x7f7adab0f8f3 in AttemptToExecute /home/worker/workspace/build/src/dom/base/nsIScriptElement.h:222:18
    #27 0x7f7adab0f8f3 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #28 0x7f7adab0e075 in nsHtml5TreeOpExecutor::RunFlushLoop() /home/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:489:7
    #29 0x7f7adab12ceb in nsHtml5ExecutorFlusher::Run() /home/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:9
    #30 0x7f7ad8ca352b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
    #31 0x7f7ad8d2566c in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #32 0x7f7ad9ade5d4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:124:5
    #33 0x7f7ad9a50138 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #34 0x7f7ad9a50138 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #35 0x7f7ad9a50138 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #36 0x7f7adf0ef82f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #37 0x7f7ae130e997 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:12
    #38 0x7f7ad9a50138 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #39 0x7f7ad9a50138 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #40 0x7f7ad9a50138 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #41 0x7f7ae130dfa2 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:698:7
    #42 0x4e037b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #43 0x4e037b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
    #44 0x7f7af4abe82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #45 0x41c258 in _start (/home/rforbes/fuzzing/builds/esr-asan/firefox+0x41c258)
Attached file prefs.js
In the last 7 days, there are 41 failures.

They occur on linux64 (asan).

Recent failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=195038046&repo=mozilla-inbound&lineNumber=5583

:davidb, Hi, could you please have a look at this?
Flags: needinfo?(dbolter)
Lee might have a hunch here.
Flags: needinfo?(dbolter) → needinfo?(lsalzman)
Most of these failures appear to be in RuntimeService::CrashIfHanging. The clang build is just mutilating the stack trace, so this just shows up as a null pointer dereference, but it is really just an assertion being triggered (which does the null pointer dereference to force a crash). Those failures don't have anything to do with the stack trace in the original post. Looks like that was implemented by Andrea Marchesini in bug 1405290, though it is not letting me need-info them right now.

That said, aside from that one source, I am not sure how useful a bug this is going to be since we're not even getting useful stack traces out of the builds, everything just getting lumped into the null pointer dereference signature. So while it is possible to manually symbolize the traces it gives in each case by downloading the bins and such, it is tedious and makes bug categorization untenable for this.
Flags: needinfo?(lsalzman) → needinfo?(dmajor)
Linux Asan -> 302 decoder
Flags: needinfo?(dmajor) → needinfo?(choller)
418 I'm a teapot.
I do not understand the part about the stack being mutilated. The fact that the assertion (MOZ_CRASH here), shows up as a null dereference is normal behavior and expected for ASan builds. That doesn't explain though why the stacks would be broken.

Looking at some of the treeherder links, it rather looks like the symbolizing is not working in these cases, most likely due to the machine being out-of-memory (errno 12 indicating that). Is that what you meant with broken stacks?

Is this always the same test failing? If so, maybe that test is broken or needs to be disabled under ASan if it really consumes nearly all memory. If this happens randomly, then we need to revisit ASan settings for tests and tune them to use less memory.

I don't see though how this is related to comment 0.
Flags: needinfo?(choller) → needinfo?(lsalzman)
Categorizing this as a general bug, since pretty much any assert will show up with this signature. The trace in comment 0 is a red herring, as the recent signatures are a mixture of a bunch of stuff asserting in a variety of places. The majority of these seem to be hangs on mochitest-devtools (i.e. see comment 8), though, with associated OOM situation preventing the stack trace from showing up, as noted above.
Component: Graphics → General
Flags: needinfo?(lsalzman) → needinfo?(nchevobbe)
Summary: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0) → AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0) DON'T USE FOR CLASSIFICATION
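The two problems raised above, a MOZ_CRASH showing up as a generic "SEGV on unknown address 0x0" header and reports whose frames were never symbolized because the symbolizer ran out of memory, are exactly what a crash-bucketing script has to guard against before it assigns a signature. The following added example (it is not code from this bug, from the Firefox tree or from the intermittent-failure tooling) parses an ASan report, flags the null-address header as non-distinguishing, counts how many frames carry a symbol, and only builds a bucket key from the top symbolized function names. The first sample report reuses the header and the first three frames from comment 0; the second is a constructed report with placeholder module offsets, in the `(module+0xoffset)` form ASan prints when symbolization fails. The regexes, the `Frame`/`Report` types and the bucket depth of 3 are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input: ASan header plus the first three frames copied from comment 0 of this bug
# (a fully symbolized report).
SYMBOLIZED_REPORT = """\
==95655==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0)
    #0 0x7f7adab76a73 in mozilla::gfx::SurfaceToPackedBGRA(mozilla::gfx::DataSourceSurface*) /home/worker/workspace/build/src/gfx/2d/DataSurfaceHelpers.cpp:173:26
    #1 0x7f7add572f43 in mozilla::dom::ImageBitmapRenderingContext::GetImageBuffer(int*) /home/worker/workspace/build/src/dom/canvas/ImageBitmapRenderingContext.cpp:153:10
    #2 0x7f7add573402 in mozilla::dom::ImageBitmapRenderingContext::GetInputStream(char const*, char16_t const*, nsIInputStream**) /home/worker/workspace/build/src/dom/canvas/ImageBitmapRenderingContext.cpp:169:38
"""

# Constructed sample: the same header, but the frames were never symbolized (the shape ASan
# emits when llvm-symbolizer is missing or fails, e.g. on an OOM'd test machine).
# Module path and offsets are placeholders, not values from this bug.
UNSYMBOLIZED_REPORT = """\
==95655==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f7adab76a74 bp 0x7ffe85d0dd50 sp 0x7ffe85d0dc40 T0)
    #0 0x7f7adab76a73  (/placeholder/build/libxul.so+0x3e1aa73)
    #1 0x7f7add572f43  (/placeholder/build/libxul.so+0x68e6f43)
    #2 0x7f7add573402  (/placeholder/build/libxul.so+0x68e7402)
"""

# Assumed report shapes: "ERROR: AddressSanitizer: <kind> on [unknown ]address 0x<hex>" and
# frames that are either "#N 0xADDR in FUNC SOURCE:LINE:COL" or "#N 0xADDR (MODULE+0xOFF)".
HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[A-Za-z-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+)\s+0x[0-9a-fA-F]+\s+(?:in\s+(?P<func>.+?)\s+)?(?P<loc>\S+)\s*$"
)


@dataclass
class Frame:
    index: int
    func: Optional[str]  # None when the symbolizer produced no function name
    loc: str             # "path:line:col" when symbolized, "(module+0xoffset)" otherwise


@dataclass
class Report:
    kind: str
    address: int
    frames: List[Frame]


def parse_report(text: str) -> Report:
    """Extract the error kind, faulting address and stack frames from an ASan report."""
    header = None
    frames: List[Frame] = []
    for line in text.splitlines():
        if header is None:
            header = HEADER_RE.search(line)
            continue  # frames only follow the header line
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["func"], m["loc"]))
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    return Report(header["kind"], int(header["addr"], 16), frames)


def is_generic_null_deref(report: Report) -> bool:
    """A SEGV at address 0 is what a deliberate MOZ_CRASH looks like under ASan, so the
    header line alone cannot tell an assertion apart from a real null dereference."""
    return report.kind == "SEGV" and report.address == 0


def strip_args(func: str) -> str:
    """'ns::Class::Method(int*)' -> 'ns::Class::Method', so the bucket key does not churn
    when only an argument list changes."""
    return func.split("(", 1)[0]


def signature(report: Report, depth: int = 3) -> Optional[str]:
    """Bucket key from the top `depth` symbolized frames; None when the report does not
    have enough symbolized frames to be classified at all (do not file it on a signature)."""
    names = [strip_args(f.func) for f in report.frames if f.func]
    if len(names) < depth:
        return None
    return "|".join(names[:depth])


def classify(text: str) -> dict:
    r = parse_report(text)
    return {
        "kind": r.kind,
        "null_address": is_generic_null_deref(r),
        "symbolized_frames": sum(1 for f in r.frames if f.func),
        "total_frames": len(r.frames),
        "signature": signature(r),
    }


if __name__ == "__main__":
    for label, text in (("symbolized", SYMBOLIZED_REPORT), ("unsymbolized", UNSYMBOLIZED_REPORT)):
        print(label, classify(text))
```

Run stand-alone, the first report yields a three-frame signature rooted at `mozilla::gfx::SurfaceToPackedBGRA`, while the second yields `signature: None` with zero symbolized frames; a triage job would route the latter to a "symbolization failed" bucket (and check the machine for the errno 12 condition mentioned above) rather than lumping it under the null-address header.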

Is this still relevant? I don't see any Intermittent Failures Robot comments for 2 months.

Flags: needinfo?(nchevobbe)

If the failures still occur, they should be in different bugs with a stable signature.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → WORKSFORME