Open Bug 1477844 Opened 7 years ago Updated 2 years ago

leaks in native fuzzing interface with ASAN_OPTIONS=detect_leaks=1

Categories: Core :: Fuzzing, defect, P2
Status: UNCONFIRMED
People: Reporter: u473386; Assignee: Unassigned

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36

Steps to reproduce:

Some targets cause many leaks. I've observed it with Image and ContentSecurityPolicyParser (WIP). Other targets like StunParser or Qcms work fine. A (significantly trimmed) example leak from Image:

==5021==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 26264 byte(s) in 414 object(s) allocated from:
    #0 0x32e773 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f1dc0306e9a in js_pod_arena_malloc<char> mozilla-central/obj-fuzz/dist/include/js/Utility.h:585:26
    #2 0x7f1dc0306e9a in js_pod_malloc<char> mozilla-central/obj-fuzz/dist/include/js/Utility.h:592
    #3 0x7f1dc0306e9a in char* js::MallocProvider<JSContext>::maybe_pod_malloc<char>(unsigned long) mozilla-central/js/src/vm/MallocProvider.h:54
    #4 0x7f1dc02f68f6 in char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long) mozilla-central/js/src/vm/MallocProvider.h:87:16
    #5 0x7f1dc1099bf0 in mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > CopyScopeData<js::FunctionScope>(JSContext*, JS::Handle<js::FunctionScope::Data*>) mozilla-central/js/src/vm/Scope.cpp:159:23
    #6 0x7f1dc10998db in js::FunctionScope::create(JSContext*, JS::Handle<js::FunctionScope::Data*>, bool, bool, JS::Handle<JSFunction*>, JS::Handle<js::Scope*>) mozilla-central/js/src/vm/Scope.cpp:638:48
    #7 0x7f1dc14bb64c in js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::$_23::operator()(JSContext*, JS::Handle<js::Scope*>) const mozilla-central/js/src/frontend/EmitterScope.cpp:628:16
    #8 0x7f1dc14bb27f in bool js::frontend::EmitterScope::internScope<js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::$_23>(js::frontend::BytecodeEmitter*, js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*)::$_23) mozilla-central/js/src/frontend/EmitterScope.cpp:340:20
    #9 0x7f1dc14a3721 in js::frontend::EmitterScope::enterFunction(js::frontend::BytecodeEmitter*, js::frontend::FunctionBox*) mozilla-central/js/src/frontend/EmitterScope.cpp:633:10
    #10 0x7f1dc14a22bb in js::frontend::BytecodeEmitter::emitFunctionFormalParametersAndBody(js::frontend::ParseNode*) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:7792:23
    #11 0x7f1dc1484868 in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8308:14
    #12 0x7f1dc1477669 in js::frontend::BytecodeEmitter::emitFunctionScript(js::frontend::ParseNode*, js::frontend::BytecodeEmitter::TopLevelFunction) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:2683:10
    #13 0x7f1dc1497a84 in js::frontend::BytecodeEmitter::emitFunction(js::frontend::ParseNode*, bool) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:5497:23
    #14 0x7f1dc148446c in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8303:14
    #15 0x7f1dc149c366 in js::frontend::BytecodeEmitter::emitStatementList(js::frontend::ParseNode*) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:6368:14
    #16 0x7f1dc148456e in js::frontend::BytecodeEmitter::emitTree(js::frontend::ParseNode*, js::frontend::ValueUsage, js::frontend::BytecodeEmitter::EmitLineNumberNote) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:8406:14
    #17 0x7f1dc1475a33 in js::frontend::BytecodeEmitter::emitScript(js::frontend::ParseNode*) mozilla-central/js/src/frontend/BytecodeEmitter.cpp:2618:14
    #18 0x7f1dc1475591 in BytecodeCompiler::compileScript(JS::Handle<JSObject*>, js::frontend::SharedContext*) mozilla-central/js/src/frontend/BytecodeCompiler.cpp:347:27
    #19 0x7f1dc1475f69 in BytecodeCompiler::compileGlobalScript(js::ScopeKind) mozilla-central/js/src/frontend/BytecodeCompiler.cpp:377:12
    #20 0x7f1dc1477afe in js::frontend::CompileGlobalScript(JSContext*, js::LifoAlloc&, js::ScopeKind, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, js::ScriptSourceObject**) mozilla-central/js/src/frontend/BytecodeCompiler.cpp:607:33
    #21 0x7f1dc0cd97c2 in Evaluate(JSContext*, js::ScopeKind, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jsapi.cpp:4753:29
    #22 0x7f1dc0cd947e in JS::Evaluate(JSContext*, JS::ReadOnlyCompileOptions const&, char const*, unsigned long, JS::MutableHandle<JS::Value>) mozilla-central/js/src/jsapi.cpp:4798:15
    #23 0x7f1dc10a37a7 in JSRuntime::initSelfHosting(JSContext*) mozilla-central/js/src/vm/SelfHosting.cpp:2966:10
    #24 0x7f1dc0cb6109 in JS::InitSelfHostedCode(JSContext*) mozilla-central/js/src/jsapi.cpp:599:14
    #25 0x7f1db6df5617 in nsXPConnect::InitStatics() mozilla-central/js/xpconnect/src/nsXPConnect.cpp:149:10
    #26 0x7f1db6d89500 in xpcModuleCtor() mozilla-central/js/xpconnect/src/XPCModule.cpp:13:5
    #27 0x7f1dbc98810d in Initialize() mozilla-central/layout/build/nsLayoutModule.cpp:268:8
    #28 0x7f1db539b2d1 in nsComponentManagerImpl::KnownModule::Load() mozilla-central/xpcom/components/nsComponentManager.cpp:794:21
    #29 0x7f1db539becb in nsFactoryEntry::GetFactory() mozilla-central/xpcom/components/nsComponentManager.cpp:1815:19
    #30 0x7f1db539cde7 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) mozilla-central/xpcom/components/nsComponentManager.cpp:1114:41
    #31 0x7f1db5397e46 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) mozilla-central/xpcom/components/nsComponentManager.cpp:1477:10
    ...

SUMMARY: AddressSanitizer: 98183 byte(s) leaked in 1446 allocation(s).

Now there are a few interesting parts here. The leak is always the same (regardless of target), with the same bytes and allocations. Also, it does not happen when -detect_leaks=1 is set on the cmd line, only as ASAN_OPTIONS (as used by oss-fuzz). That left me wondering. My explanation is that with ASAN_OPTIONS, the option is set immediately, whereas on the cmd line the option is probably parsed (and set) later, after the initialization, and then the affected code has already run. Note that a leak also happens when no target is run:

$ ASAN_OPTIONS=detect_leaks=1 ./mach gtest buildbutdonttrun
...
Running GTest tests...
Note: Google Test filter = buildbutdonttrun
[==========] Running 0 tests from 0 test cases.
[==========] 0 tests from 0 test cases ran. (1 ms total)
[  PASSED  ] 0 tests.
Finished running GTest tests.
=================================================================
==15160==ERROR: LeakSanitizer: detected memory leaks
...
Direct leak of 1760 byte(s) in 55 object(s) allocated from:
    #0 0x332773 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x36497d in moz_xmalloc mozilla-central/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f92b25a0e93 in operator new mozilla-central/obj-fuzz/dist/include/mozilla/mozalloc.h:136:12
    #3 0x7f92b25a0e93 in nsComponentManagerImpl::RegisterCIDEntryLocked(mozilla::Module::CIDEntry const*, nsComponentManagerImpl::KnownModule*)::$_0::operator()() const mozilla-central/xpcom/components/nsComponentManager.cpp:557
    #4 0x7f92b259a0ac in nsFactoryEntry* nsBaseHashtable<nsIDHashKey, nsFactoryEntry*, nsFactoryEntry*>::EntryPtr::OrInsert<nsComponentManagerImpl::RegisterCIDEntryLocked(mozilla::Module::CIDEntry const*, nsComponentManagerImpl::KnownModule*)::$_0>(nsComponentManagerImpl::RegisterCIDEntryLocked(mozilla::Module::CIDEntry const*, nsComponentManagerImpl::KnownModule*)::$_0) mozilla-central/xpcom/ds/nsBaseHashtable.h:308:25
    #5 0x7f92b2599aef in nsComponentManagerImpl::RegisterCIDEntryLocked(mozilla::Module::CIDEntry const*, nsComponentManagerImpl::KnownModule*) mozilla-central/xpcom/components/nsComponentManager.cpp:557:11
    #6 0x7f92b25990ed in nsComponentManagerImpl::RegisterModule(mozilla::Module const*, mozilla::FileLocation*) mozilla-central/xpcom/components/nsComponentManager.cpp:505:9
    #7 0x7f92b2598556 in nsComponentManagerImpl::Init() mozilla-central/xpcom/components/nsComponentManager.cpp:363:3
    #8 0x7f92b2670c59 in NS_InitXPCOM2 mozilla-central/xpcom/build/XPCOMInit.cpp:691:51
    #9 0x7f92bcb8f800 in ScopedXPCOM::ScopedXPCOM(char const*, nsIDirectoryServiceProvider*) mozilla-central/obj-fuzz/dist/include/testing/TestHarness.h:90:21
    #10 0x7f92bcb8f205 in mozilla::RunGTestFunc(int*, char**) mozilla-central/testing/gtest/mozilla/GTestRunner.cpp:87:15
    #11 0x7f92bc031f07 in XREMain::XRE_mainStartup(bool*) mozilla-central/toolkit/xre/nsAppRunner.cpp:3947:16
    #12 0x7f92bc03d9db in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4891:12
    #13 0x7f92bc03e876 in XRE_main(int, char**, mozilla::BootstrapConfig const&) mozilla-central/toolkit/xre/nsAppRunner.cpp:4998:21
    #14 0x362e3b in do_main(int, char**, char**) mozilla-central/browser/app/nsBrowserApp.cpp:233:22
    #15 0x3626ba in main mozilla-central/browser/app/nsBrowserApp.cpp:311:16
    #16 0x7f92ce7a982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 15520 byte(s) leaked in 485 allocation(s).

The leak itself seems harmless, but it does block reporting of other leaks, of course.
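Added example, not code from the bug or from the Firefox tree: a small triage script for LeakSanitizer reports of the form quoted above. It parses each leak record, picks out the allocation site below the allocator wrappers, flags leaks whose stack runs through the startup frames seen in the two traces (JSRuntime::initSelfHosting and nsComponentManagerImpl::Init), and emits an LSan suppressions file for those so that the known startup leak stops hiding leaks from a target. The sample report is constructed from trimmed copies of the bug's traces plus a hypothetical ExampleTarget::Run leak; which frames count as startup noise, and the suppression approach itself, are assumptions of this example, not something the bug proposes.

```python
"""Triage a LeakSanitizer report: parse leak records, find each leak's
allocation site, separate leaks that run through known one-time startup code
from the rest, and emit an LSan suppressions file for the former.
Added example, not Firefox code; KNOWN_INIT_FRAMES and SAMPLE_REPORT are
assumptions made for this example (the sample is constructed)."""
import re
from dataclasses import dataclass, field

# Startup frames both traces in the bug pass through; treating leaks through
# them as init noise is this example's assumption, not a finding of the bug.
KNOWN_INIT_FRAMES = ("JSRuntime::initSelfHosting", "nsComponentManagerImpl::Init")
# Allocator wrappers skipped when looking for the frame that actually leaked.
ALLOCATOR_WRAPPERS = ("__interceptor_", "malloc", "calloc", "realloc", "operator new", "js_pod_")
LEAK_HEADER = re.compile(r"^(Direct|Indirect) leak of (\d+) byte\(s\) in (\d+) object\(s\)")
SUMMARY = re.compile(r"^SUMMARY: AddressSanitizer: (\d+) byte\(s\) leaked in (\d+) allocation")


@dataclass
class Leak:
    kind: str        # "Direct" or "Indirect"
    nbytes: int
    nobjects: int
    frames: list = field(default_factory=list)   # (demangled function, location)


def parse_lsan_report(text):
    """Return (leaks, (total_bytes, total_allocations)) for one LSan report."""
    leaks, summary, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := LEAK_HEADER.match(line):
            current = Leak(m.group(1), int(m.group(2)), int(m.group(3)))
            leaks.append(current)
        elif current is not None and line.startswith("#") and " in " in line:
            # "#N 0xADDR in <function> <file:line:col or (module+offset)>":
            # the demangled function may contain spaces, the location never does.
            func, _, loc = line.split(" in ", 1)[1].rpartition(" ")
            current.frames.append((func, loc) if func else (loc, ""))
        elif m := SUMMARY.match(line):
            summary, current = (int(m.group(1)), int(m.group(2))), None
        elif not line:
            current = None
    return leaks, summary


def plain_name(func):
    """'char* js::MallocProvider<JSContext>::pod_malloc<char>(unsigned long)'
    -> 'js::MallocProvider::pod_malloc' (drop templates, params, return type)."""
    depth, out = 0, []
    for ch in func:
        depth += (ch == "<") - (ch == ">")
        if depth == 0 and ch == "(":
            break
        if depth == 0 and ch not in "<>":
            out.append(ch)
    name = "".join(out).strip()
    return name if name.startswith("operator") or not name else name.split()[-1]


def allocation_site(leak):
    """Plain name of the first frame below the allocator wrappers."""
    for func, _ in leak.frames:
        name = plain_name(func)
        if not any(w in name for w in ALLOCATOR_WRAPPERS):
            return name
    return None


def known_init_frame(leak):
    """The KNOWN_INIT_FRAMES entry this leak's stack passes through, if any."""
    names = [plain_name(f) for f, _ in leak.frames]
    return next((m for m in KNOWN_INIT_FRAMES if m in names), None)


def triage(text):
    """Split a report into init noise and leaks that deserve a look."""
    leaks, summary = parse_lsan_report(text)
    return {"init": [l for l in leaks if known_init_frame(l)],
            "other": [l for l in leaks if known_init_frame(l) is None],
            "summary": summary}


def suppression_file(leaks):
    """LSan matches each 'leak:<substring>' line against every frame of a
    leak's stack, so naming the init frame silences only leaks through it."""
    return "".join(f"leak:{m}\n" for m in sorted({known_init_frame(l) for l in leaks} - {None}))


# Constructed sample in the report format quoted in the bug: two startup leaks
# (frames trimmed) plus one from a hypothetical target, ExampleTarget::Run.
SAMPLE_REPORT = """\
==5021==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 26264 byte(s) in 414 object(s) allocated from:
    #0 0x32e773 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f1dc1099bf0 in mozilla::UniquePtr<js::FunctionScope::Data, JS::DeletePolicy<js::FunctionScope::Data> > CopyScopeData<js::FunctionScope>(JSContext*, JS::Handle<js::FunctionScope::Data*>) mozilla-central/js/src/vm/Scope.cpp:159:23
    #2 0x7f1dc10a37a7 in JSRuntime::initSelfHosting(JSContext*) mozilla-central/js/src/vm/SelfHosting.cpp:2966:10

Direct leak of 1760 byte(s) in 55 object(s) allocated from:
    #0 0x332773 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f92b25a0e93 in operator new mozilla-central/obj-fuzz/dist/include/mozilla/mozalloc.h:136:12
    #2 0x7f92b2599aef in nsComponentManagerImpl::RegisterCIDEntryLocked(mozilla::Module::CIDEntry const*, nsComponentManagerImpl::KnownModule*) mozilla-central/xpcom/components/nsComponentManager.cpp:557:11
    #3 0x7f92b2598556 in nsComponentManagerImpl::Init() mozilla-central/xpcom/components/nsComponentManager.cpp:363:3

Direct leak of 64 byte(s) in 1 object(s) allocated from:
    #0 0x32e773 in __interceptor_malloc /tmp/final/llvm.src/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x401234 in ExampleTarget::Run(unsigned char const*, unsigned long) example_target.cpp:42:7
    #2 0x7f92ce7a982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: 28088 byte(s) leaked in 470 allocation(s).
"""

if __name__ == "__main__":
    result = triage(SAMPLE_REPORT)
    for tag, group in (("init noise ", result["init"]), ("INVESTIGATE", result["other"])):
        for leak in group:
            print(f"{tag}: {leak.nbytes} byte(s) in {leak.nobjects} object(s) at {allocation_site(leak)}")
    print(suppression_file(result["init"]), end="")   # contents for an LSan suppressions file
```

The printed `leak:` lines go into a file passed as `LSAN_OPTIONS=suppressions=/path/to/lsan.supp` alongside `ASAN_OPTIONS=detect_leaks=1`. A suppression only hides the leak rather than fixing it, and a pattern as broad as a startup frame will also hide a genuine leak that happens to pass through that frame, so keep the list short and review it when the init leak changes.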
Component: Untriaged → Platform Fuzzing Team
Product: Firefox → Core
Priority: -- → P2
Severity: normal → S3