Closed Bug 1587173 Opened 5 years ago Closed 4 years ago

Call to function through pointer to incorrect function type in dist/include/js/RootingAPI.h:843

Categories

(Core :: JavaScript: GC, defect, P2)

defect

Tracking

RESOLVED DUPLICATE of bug 1634459
Tracking Status
firefox71 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-undefined)

This is triggered with a UBSan build. To enable this check, add the following to your mozconfig:

ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="function"
ac_add_options --disable-jemalloc

This issue can be triggered by running gtests.

[----------] 1 test from GCPostBarriers
[ RUN      ] GCPostBarriers.nsTArray
objdir-ff-ubsan/dist/include/js/RootingAPI.h:843:5: runtime error: call to function JS::StructGCPolicy<JS::GCVector<JSObject*, 0ul, js::SystemAllocPolicy> >::trace(JSTracer*, JS::GCVector<JSObject*, 0ul, js::SystemAllocPolicy>*, char const*) through pointer to incorrect function type 'void (*)(JSTracer *, ConcreteTraceable *, const char *)'
objdir-ff-ubsan/dist/include/js/GCPolicyAPI.h:78: note: JS::StructGCPolicy<JS::GCVector<JSObject*, 0ul, js::SystemAllocPolicy> >::trace(JSTracer*, JS::GCVector<JSObject*, 0ul, js::SystemAllocPolicy>*, char const*) defined here
    #0 0x7fb1192329ab in js::DispatchWrapper<ConcreteTraceable>::TraceWrapped(JSTracer*, ConcreteTraceable*, char const*) objdir-ff-ubsan/dist/include/js/RootingAPI.h:843:5
    #1 0x7fb1192329ab in void TraceStackOrPersistentRoot<ConcreteTraceable>(JSTracer*, ConcreteTraceable*, char const*) js/src/gc/RootMarking.cpp:61
    #2 0x7fb1192329ab in void TracePersistentRootedList<ConcreteTraceable>(JSTracer*, mozilla::LinkedList<JS::PersistentRooted<void*> >&, char const*) js/src/gc/RootMarking.cpp:106
    #3 0x7fb119234997 in TracePersistentRooted(JSRuntime*, JSTracer*) js/src/gc/RootMarking.cpp:130:7
    #4 0x7fb119234997 in js::gc::GCRuntime::traceRuntimeCommon(JSTracer*, js::gc::GCRuntime::TraceOrMarkRuntime) js/src/gc/RootMarking.cpp:372
    #5 0x7fb119233f2a in js::gc::GCRuntime::traceRuntimeForMajorGC(JSTracer*, js::gc::AutoGCSession&) js/src/gc/RootMarking.cpp:288:3
    #6 0x7fb119166718 in js::gc::GCRuntime::beginMarkPhase(JS::GCReason, js::gc::AutoGCSession&) js/src/gc/GC.cpp:4036:5
    #7 0x7fb11917d28b in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason, js::gc::AutoGCSession&) js/src/gc/GC.cpp:6671:12
    #8 0x7fb119180c1c in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) js/src/gc/GC.cpp:7157:3
    #9 0x7fb119183c13 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) js/src/gc/GC.cpp:7343:9
    #10 0x7fb119144a3e in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) js/src/gc/GC.cpp:7425:3
    #11 0x7fb109c731f8 in void RunTest<nsTArray<JS::Heap<JSObject*> > >(JSContext*, nsTArray<JS::Heap<JSObject*> >*) xpcom/tests/gtest/TestGCPostBarriers.cpp:41:3
    #12 0x7fb109be7317 in CreateGlobalAndRunTest(JSContext*) xpcom/tests/gtest/TestGCPostBarriers.cpp:96:5
    #13 0x7fb109be6b3e in GCPostBarriers_nsTArray_Test::TestBody() xpcom/tests/gtest/TestGCPostBarriers.cpp:122:3
    #14 0x7fb10a69a6b5 in testing::Test::Run() testing/gtest/gtest/src/gtest.cc:2519:5
    #15 0x7fb10a69c043 in testing::TestInfo::Run() testing/gtest/gtest/src/gtest.cc:2695:11
    #16 0x7fb10a69d1f7 in testing::TestCase::Run() testing/gtest/gtest/src/gtest.cc:2813:28
    #17 0x7fb10a6b2877 in testing::internal::UnitTestImpl::RunAllTests() testing/gtest/gtest/src/gtest.cc:5179:43
    #18 0x7fb10a6b1ef7 in testing::UnitTest::Run() testing/gtest/gtest/src/gtest.cc:4788:10
    #19 0x7fb10a6e70d2 in RUN_ALL_TESTS() objdir-ff-ubsan/dist/include/gtest/gtest.h:2342:46
    #20 0x7fb10a6e70d2 in mozilla::RunGTestFunc(int*, char**) testing/gtest/mozilla/GTestRunner.cpp:158
    #21 0x7fb117d5f85d in XREMain::XRE_mainStartup(bool*) toolkit/xre/nsAppRunner.cpp:3788:16
    #22 0x7fb117d6e511 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4722:12
    #23 0x7fb117d6fdbb in XRE_main(int, char**, mozilla::BootstrapConfig const&) toolkit/xre/nsAppRunner.cpp:4816:21
    #24 0x56296a057145 in do_main(int, char**, char**) browser/app/nsBrowserApp.cpp:218:22
    #25 0x56296a0563ff in main browser/app/nsBrowserApp.cpp:300:16

This report is certainly true; we do this because when we trace stack rooted structures we don't know the actual type involved.

What we do is to call a function pointer of type | void(*)(JSTracer*, T*, const char* name) | with the wrong T (we use a dummy struct called ConcreteTraceable), so this effectively casts ConcreteTraceable* to T*.

I expect this part of tracing is not performance sensitive enough to worry about adding another layer of indirection. Perhaps we can do this with virtual dispatch, which would also simplify DispatchWrapper.

Priority: -- → P2
Summary: call to function through pointer to incorrect function type in dist/include/js/RootingAPI.h:843 → Call to function through pointer to incorrect function type in dist/include/js/RootingAPI.h:843
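Added example, not SpiderMonkey code and not part of this bug's comments: a minimal C++ model of the dispatch described in the comment above. The names Tracer, GCPolicy, TraceThunk, RootList, TraceableRoot and the two payload types are invented for illustration. It shows the mismatched-function-pointer pattern only as a commented-out call (executing it is undefined behaviour, which is what -fsanitize=function reports), and then two ways to keep the same type erasure without ever calling through a pointer whose type differs from the callee: a void*-typed thunk instantiated per T, and the virtual-dispatch variant the comment proposes.

```cpp
#include <string>
#include <vector>

// Stand-in for JSTracer: records what was traced (hypothetical type).
struct Tracer {
  std::vector<std::string> visited;
};

// Two unrelated payload types, each with its own trace policy
// (analogue of JS::GCPolicy<T>::trace; names are invented).
struct ObjectVector {
  std::vector<int> ids;
};
struct StringHandle {
  std::string s;
};

template <typename T>
struct GCPolicy;

template <>
struct GCPolicy<ObjectVector> {
  static void trace(Tracer* trc, ObjectVector* v, const char* name) {
    for (int id : v->ids) {
      trc->visited.push_back(std::string(name) + "#" + std::to_string(id));
    }
  }
};

template <>
struct GCPolicy<StringHandle> {
  static void trace(Tracer* trc, StringHandle* h, const char* name) {
    trc->visited.push_back(std::string(name) + ":" + h->s);
  }
};

// The pattern the bug report describes, shown but never executed: one
// function-pointer type over a dummy struct, with each entry's real trace
// function cast into it. The call is undefined behaviour because the callee
// really has type void(Tracer*, ObjectVector*, const char*); that mismatch
// is what -fsanitize=function flags.
struct ConcreteTraceableDummy;
using MismatchedTraceFn = void (*)(Tracer*, ConcreteTraceableDummy*, const char*);
// MismatchedTraceFn bad = reinterpret_cast<MismatchedTraceFn>(&GCPolicy<ObjectVector>::trace);
// bad(&trc, reinterpret_cast<ConcreteTraceableDummy*>(&vec), "objs");  // UB

// Fix 1: erase through void* at a function of ONE fixed type. The cast back
// to T* happens inside TraceThunk<T>, whose type matches the pointer it is
// called through, so no mismatched call ever occurs.
using TraceFn = void (*)(Tracer*, void*, const char*);

template <typename T>
void TraceThunk(Tracer* trc, void* payload, const char* name) {
  GCPolicy<T>::trace(trc, static_cast<T*>(payload), name);
}

struct RootEntry {
  void* payload;
  TraceFn trace;
  const char* name;
};

struct RootList {
  std::vector<RootEntry> roots;

  template <typename T>
  void add(T* payload, const char* name) {
    roots.push_back(RootEntry{payload, &TraceThunk<T>, name});
  }

  void traceAll(Tracer* trc) const {
    for (const RootEntry& r : roots) {
      r.trace(trc, r.payload, r.name);  // pointer type == callee type
    }
  }
};

// Fix 2: the virtual-dispatch variant; the vtable replaces the hand-rolled
// function pointer entirely, at the cost of one indirect call per root.
struct TraceableRoot {
  virtual ~TraceableRoot() = default;
  virtual void trace(Tracer* trc) = 0;
};

template <typename T>
struct TypedRoot : TraceableRoot {
  T* payload;
  const char* name;
  TypedRoot(T* p, const char* n) : payload(p), name(n) {}
  void trace(Tracer* trc) override { GCPolicy<T>::trace(trc, payload, name); }
};

// Traces the same two roots through both mechanisms and returns what the
// tracer saw: {"objs#1","objs#2","str:hi","objs#1","objs#2","str:hi"}.
std::vector<std::string> RunDemo() {
  ObjectVector vec{{1, 2}};
  StringHandle str{"hi"};
  Tracer trc;

  RootList list;
  list.add(&vec, "objs");
  list.add(&str, "str");
  list.traceAll(&trc);

  TypedRoot<ObjectVector> r1(&vec, "objs");
  TypedRoot<StringHandle> r2(&str, "str");
  std::vector<TraceableRoot*> vroots{&r1, &r2};
  for (TraceableRoot* r : vroots) r->trace(&trc);

  return trc.visited;
}
```

Building this with clang and -fsanitize=function, the two implemented paths run without a report; uncommenting the two marked lines should reproduce the "call to function ... through pointer to incorrect function type" diagnostic from the report above.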

Oh, bug 1285057 is about this problem.

See Also: → 1285057

This should have been fixed by the changes in bug 1634459.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE