Closed Bug 1562378 Opened 4 months ago Closed 4 months ago

LeakSanitizer: [@ mozilla::SprintfState]

Categories

(Core :: Javascript: WebAssembly, defect, critical)

Hardware: ARM64
OS: Linux
Type: defect
Priority: Not set
Severity: critical

Tracking

VERIFIED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- fixed

People

(Reporter: gkw, Assigned: bbouvier)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 2 obsolete files)

The following testcase crashes on mozilla-central revision 900a0b127043 (build with --enable-debug --enable-more-deterministic --enable-address-sanitizer, run with --fuzzing-safe --no-threads --no-baseline --no-ion w2-out.wrapper w2-out.wasm):

See attachment.

Backtrace:

Direct leak of 640 byte(s) in 20 object(s) allocated from:

    #0 0xaaaae9692d33 in malloc (/home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/js-dbg-64-dm-asan-linux-aarch64-900a0b127043+0xb39d33)
    #1 0xaaaae9b49813 in js_arena_malloc(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/js/Utility.h:393:10
    #2 0xaaaae9b49813 in char* js_pod_arena_malloc<char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/js/Utility.h:601
    #3 0xaaaae9b49813 in char* js::AllocPolicyBase::maybe_pod_arena_malloc<char>(unsigned long, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/js/AllocPolicy.h:31
    #4 0xaaaae9b49813 in char* js::AllocPolicyBase::maybe_pod_malloc<char>(unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/js/AllocPolicy.h:58
    #5 0xaaaae9b49813 in mozilla::SprintfState<js::SystemAllocPolicy>::append(char const*, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/mozilla/Printf.h:176
    #6 0xaaaae97c10db in mozilla::PrintfTarget::emit(char const*, unsigned long) /home/ubuntu/shell-cache/js-dbg-64-dm-asan-linux-aarch64-900a0b127043/objdir-js/dist/include/mozilla/Printf.h:108:12
    #7 0xaaaae97c10db in mozilla::PrintfTarget::vprint(char const*, std::__va_list) mozglue/misc/Printf.cpp:633
/snip

For detailed crash information, see attachment.

Attached file Testcase (obsolete) —

I think this is only on aarch64 Linux builds, not on x86-64 and not on x86-64 ARM64 builds either.

Type: -- → defect
Hardware: x86_64 → ARM64

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/de9bc20a8ed5
user: Benjamin Bouvier
date: Thu Jan 31 15:42:44 2019 +0100
summary: Bug 1523993: Spew debug information for wasm calls; r=luke

Benjamin, is bug 1523993 a likely regressor?

Flags: needinfo?(bbouvier)
Regressed by: 1523993

Uhh yes. This is embarrassing: there's a comment saying that we leak the string when we use the debugging strings, but we actually leak them all the time.

Flags: needinfo?(bbouvier)
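Added illustration, not SpiderMonkey code and not part of this bug's attachments: a minimal C++ model of the leak pattern described in the comment above, with the regressed shape next to the fixed shape. The names (formatCallSpew as a stand-in for the printf-style allocation in frame #5 of the backtrace, emitCallBuggy, emitCallFixed, OwnedChars as a stand-in for an owning char pointer, and the counting allocator) are all hypothetical and exist only to make the leak observable without LeakSanitizer.

```cpp
// Added example modelling the leak in this bug. Not SpiderMonkey code; every
// name below is hypothetical and chosen for illustration only.
#include <algorithm>
#include <cstdarg>
#include <cstdio>
#include <cstdlib>
#include <memory>
#include <vector>

// Bookkeeping allocator: every block handed out and not yet freed is recorded,
// so a leak shows up as a nonzero live count instead of only in an LSan report.
static std::vector<char*> gLive;

static char* countedMalloc(size_t n) {
  char* p = static_cast<char*>(std::malloc(n));
  gLive.push_back(p);
  return p;
}

static void countedFree(char* p) {
  if (!p) return;
  gLive.erase(std::find(gLive.begin(), gLive.end(), p));
  std::free(p);
}

static int liveBlocks() { return static_cast<int>(gLive.size()); }

// Release whatever is still outstanding so consecutive runs start from zero.
static void reclaimLeaked() {
  while (!gLive.empty()) countedFree(gLive.back());
}

// RAII owner for a heap string (stand-in for an owning char pointer type):
// frees exactly once when it goes out of scope.
struct CountedFreeDeleter {
  void operator()(char* p) const { countedFree(p); }
};
using OwnedChars = std::unique_ptr<char, CountedFreeDeleter>;

// Stand-in for a printf-style helper that returns a heap-allocated string the
// *caller* owns (the allocation seen under SprintfState::append above).
static char* formatCallSpew(const char* fmt, ...) {
  va_list ap;
  va_start(ap, fmt);
  va_list ap2;
  va_copy(ap2, ap);
  int len = std::vsnprintf(nullptr, 0, fmt, ap);
  va_end(ap);
  if (len < 0) {
    va_end(ap2);
    return nullptr;
  }
  char* buf = countedMalloc(static_cast<size_t>(len) + 1);
  std::vsnprintf(buf, static_cast<size_t>(len) + 1, fmt, ap2);
  va_end(ap2);
  return buf;
}

// Regressed shape: the description is formatted on every call, whether or not
// spew is enabled, and nothing ever frees it. One string leaks per call.
static void emitCallBuggy(bool wasmSpewEnabled, const char* callee, unsigned funcIndex) {
  char* desc = formatCallSpew("call %s (func %u)", callee, funcIndex);
  if (wasmSpewEnabled) {
    std::fprintf(stderr, "[wasm] %s\n", desc);
  }
  // `desc` goes out of scope here without a free.
}

// Fixed shape: only build the string when spew is on, and let an owning
// pointer release it at the end of the scope.
static void emitCallFixed(bool wasmSpewEnabled, const char* callee, unsigned funcIndex) {
  if (!wasmSpewEnabled) return;
  OwnedChars desc(formatCallSpew("call %s (func %u)", callee, funcIndex));
  if (desc) std::fprintf(stderr, "[wasm] %s\n", desc.get());
}

// Run one variant `calls` times and return how many heap blocks were still live
// afterwards; `callee` is a constructed sample name.
static int leakedBlocksAfter(void (*emit)(bool, const char*, unsigned), bool spew, int calls) {
  reclaimLeaked();
  for (int i = 0; i < calls; ++i) emit(spew, "imported", static_cast<unsigned>(i));
  int live = liveBlocks();
  reclaimLeaked();
  return live;
}

int main() {
  std::printf("buggy, spew off: %d live blocks\n", leakedBlocksAfter(emitCallBuggy, false, 20));
  std::printf("fixed, spew off: %d live blocks\n", leakedBlocksAfter(emitCallFixed, false, 20));
  std::printf("fixed, spew on:  %d live blocks\n", leakedBlocksAfter(emitCallFixed, true, 20));
  return 0;
}
```

Twenty calls through the buggy variant leave twenty live blocks regardless of the spew flag, which is the shape of the "20 object(s)" LeakSanitizer reports above; the fixed variant leaves none in either mode because ownership is explicit and scoped.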

Gary, I couldn't reproduce the problem locally, even on an arm64 asan debug build. Can you try the patch I just posted and see if it fixes the issue you were seeing, please? Thanks!

Flags: needinfo?(nth10sd)
Assignee: nobody → bbouvier
Status: NEW → ASSIGNED
Pushed by bbouvier@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/83c5f5a8dc41
Don't leak debugging strings when not using wasm spew; r=luke
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

autobisectjs shows this is probably related to the following changeset:

The first good revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/83c5f5a8dc41
user: Benjamin Bouvier
date: Mon Jul 01 16:52:55 2019 +0000
summary: Bug 1562378: Don't leak debugging strings when not using wasm spew; r=luke

Yes, it's fixed by this patch, thanks!

Status: RESOLVED → VERIFIED
Flags: needinfo?(nth10sd)
Attached file 2.tar.xz (obsolete) —

Compile with --enable-debug --enable-more-deterministic --enable-address-sanitizer and run with --fuzzing-safe --no-threads --no-baseline --no-ion w2-out.wrapper w2-out.wasm on m-c rev 6db28048fd8a.

Reduced with wasm-reduce on the .wasm file and lithium on the .wrapper file.

Attachment #9074946 - Attachment is obsolete: true

new WebAssembly.Module(wasmTextToBinary('(module(import""""))'));

is the ultimate smallest testcase I can finally come up with, after trying out various reduction strategies. Run with --fuzzing-safe --no-threads --no-baseline --no-ion testcase.js

Attachment #9080483 - Attachment is obsolete: true