1530663 - Intermittent SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\xpcom\ds\PLDHashTable.cpp:717 in PLDHashTable::Iterator::Iterator(class PLDHashTable *)

Status: RESOLVED FIXED

(Core :: WebVR, defect)

Description

[Treeherder Bug Filer]

#[markdown(off)]
Filed by: nbeleuzu [at] mozilla.com

https://treeherder.mozilla.org/logviewer.html#?job_id=230505649&repo=autoland

https://queue.taskcluster.net/v1/task/dG0_Zon0TKS_2Betbi5-SA/runs/0/artifacts/public/logs/live_backing.log

https://hg.mozilla.org/mozilla-central/raw-file/tip/layout/tools/reftest/reftest-analyzer.xhtml#logurl=https://queue.taskcluster.net/v1/task/dG0_Zon0TKS_2Betbi5-SA/runs/0/artifacts/public/logs/live_backing.log&only_show_unexpected=1

11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Parent 7128, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Parent 7128, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Child 6256, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Child 6256, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - JavaScript error: resource://reftest/reftest.jsm, line 1558: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPropertyBag2.getPropertyAsAString]
11:08:19 INFO - [Parent 7128, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chrom
11:08:19 INFO - ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
11:08:19 INFO - ium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Parent 7128, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - 1551179299828 Marionette TRACE Received observer notification xpcom-will-shutdown
11:08:19 INFO - 1551179299829 Marionette INFO Stopped listening on port 2828
11:08:19 INFO - 1551179299829 Marionette DEBUG Remote service is inactive
11:08:19 INFO - [VR 1456, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - =================================================================
11:08:19 ERROR - ==12060==ERROR: AddressSanitizer: heap-use-after-free on address 0x124da9715f20 at pc 0x7ffc9685ff81 bp 0x00bf817feac0 sp 0x00bf817feb08
11:08:19 INFO - READ of size 4 at 0x124da9715f20 thread T2
11:08:19 INFO - ###!!! [Child][MessageChannel] Error: (msgtype=0x9A0002,name=PVRGPU::Msg_StopVRService) Closed channel: cannot send/recv
11:08:19 INFO - [GPU 12060, Chrome_ChildThre
11:08:19 INFO - ###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
11:08:19 INFO - ad] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [Parent 7128, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:19 INFO - [GPU 12060, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
11:08:20 INFO - #0 0x7ffc9685ff80 in PLDHashTable::Iterator::Iterator(class PLDHashTable *) z:\build\build\src\xpcom\ds\PLDHashTable.cpp:717
11:08:20 INFO - #1 0x7ffc99f1983b in mozilla::gfx::VRManager::Run1msTasks(double) z:\build\build\src\gfx\vr\VRManager.cpp:308
11:08:20 INFO - #2 0x7ffc99f194a9 in mozilla::gfx::VRManager::RunTasks(void) z:\build\build\src\gfx\vr\VRManager.cpp:258
11:08:20 INFO - #3 0x7ffc969ecf84 in nsTimerImpl::Fire(int) z:\build\build\src\xpcom\threads\nsTimerImpl.cpp:559
11:08:20 INFO - #4 0x7ffc969ec515 in nsTimerEvent::Run(void) z:\build\build\src\xpcom\threads\TimerThread.cpp:260
11:08:20 INFO - #5 0x7ffc97a1cdd3 in ?DeferOrRunPendingTask@MessageLoop@@IEAA_N$$QEAUPendingTask@1@@Z z:\build\build\src\ipc\chromium\src\base\message_loop.cc:450
11:08:20 INFO - #6 0x7ffc97a1e7ce in MessageLoop::DoWork(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:523
11:08:20 INFO - #7 0x7ffc979eedb1 in base::MessagePumpForUI::DoRunLoop(void) z:\build\build\src\ipc\chromium\src\base\message_pump_win.cc:203
11:08:20 INFO - #8 0x7ffc979f13d9 in base::MessagePumpWin::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\chromium\src\base\message_pump_win.h:79
11:08:20 INFO - #9 0x7ffc97a1bb4e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:308
11:08:20 INFO - #10 0x7ffc97a2d9d2 in base::Thread::ThreadMain(void) z:\build\build\src\ipc\chromium\src\base\thread.cc:192
11:08:20 INFO - #11 0x7ffc979f2bef in `anonymous namespace'::ThreadFunc z:\build\build\src\ipc\chromium\src\base\platform_thread_win.cc:19
11:08:20 INFO - #12 0x7ffcddece888 in __asan::AsanThread::ThreadStart(unsigned __int64,struct __sanitizer::atomic_uintptr_t *) Z:\task_1550315254\build\src\build\build-clang\build-clang\src\llvm\projects\compiler-rt\lib\asan\asan_thread.cc:264
11:08:20 INFO - #13 0x7ffcf1fb3033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
11:08:20 INFO - #14 0x7ffceb7adf21 in patched_BaseThreadInitThunk z:\build\build\src\mozglue\build\WindowsDllBlocklist.cpp:735
11:08:20 INFO - #15 0x7ffcf2111460 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)

Comment 1

[Nathan Froyd [:froydnj]]

Intermittent UAFs do not seem like a good thing.

Comment 2

[:kip (Kearwood Gilbert)]

I suspect this may be related to Bug 1530489, a recent regression.

I'll take this bug and keep it open until we can confirm that Daosheng's fix for Bug 1530489 corrects this also.

Comment 3

[Daosheng Mu[:daoshengmu]]

I believe it is caused by Bug 1523923 because of [1]. Please try to cancel the previous TaskTimerCallback when we call VRManager::StopTasks();

[1] https://searchfox.org/mozilla-central/rev/dbddac86aadf1d4871fb350bbe66db43728a9f81/gfx/vr/ipc/VRGPUChild.cpp#53

Comment 4

[Daosheng Mu[:daoshengmu]]

We also can try to check if (mInitialized==true) in VRManager::RunTasks, and it has been already a atomic. (edited)

Comment 5

[:kip (Kearwood Gilbert)]

Attachment: Bug 1530663 - Avoid running remaining VRManager tasks after mTaskTimer has been stopped

Comment 6

[:kip (Kearwood Gilbert)]

Attachment: Bug 1530663 - Avoid running remaining VRManager tasks after mTaskTimer has been stopped

Comment 7

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/641501728149842df11bc6353b629bad83b8f204
https://hg.mozilla.org/mozilla-central/rev/641501728149

Comment 8

[:kip (Kearwood Gilbert)]

If this is uplifted, please also uplift Bug 1534390 to avoid regressions to WebVR.

Comment 9

[Liz Henry (:lizzard)]

That would mean uplifting work from bug 1523923 and bug 1530489 as well and I'm not willing to do that when we're releasing next Tuesday.