Closed Bug 1647007 Opened 5 years ago Closed 5 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.h:820:69 in runtimeMatches

Categories: Core :: JavaScript Engine, defect, P5

Status: RESOLVED DUPLICATE of bug 1647115

People: Reporter: intermittent-bug-filer, Unassigned

Keywords: csectype-race, intermittent-failure, sec-high

Filed by: nbeleuzu [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=306922535&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/T8TevJO4T7-gPYTXb2Ky0A/runs/0/artifacts/public/logs/live_backing.log


[task 2020-06-19T19:11:47.580Z] 19:11:47 INFO - TEST-START | /css/css-grid/alignment/grid-alignment-implies-size-change-004.html
[task 2020-06-19T19:11:47.584Z] 19:11:47 INFO - Closing window 56
[task 2020-06-19T19:11:47.754Z] 19:11:47 INFO - PID 1847 | Thread T7 (JS Helper) created by T0 (Web Content) here:
[task 2020-06-19T19:11:47.756Z] 19:11:47 INFO - PID 1847 | #0 0x560a7dab0b2a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
[task 2020-06-19T19:11:47.757Z] 19:11:47 INFO - PID 1847 | #1 0x7f060c2d5f21 in js::Thread::create(void* ()(void), void*) /builds/worker/checkouts/gecko/js/src/threading/posix/PosixThread.cpp:52:7
[task 2020-06-19T19:11:47.757Z] 19:11:47 INFO - PID 1847 | #2 0x7f060c3ed444 in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:90:12
[task 2020-06-19T19:11:47.757Z] 19:11:47 INFO - PID 1847 | #3 0x7f060c3e5b32 in js::GlobalHelperThreadState::ensureInitialized() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1109:27
[task 2020-06-19T19:11:47.758Z] 19:11:47 INFO - PID 1847 | #4 0x7f060c688eec in JSRuntime::init(JSContext*, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:200:32
[task 2020-06-19T19:11:47.758Z] 19:11:47 INFO - PID 1847 | #5 0x7f060c50a1ec in js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:182:17
[task 2020-06-19T19:11:47.759Z] 19:11:47 INFO - PID 1847 | #6 0x7f0601264352 in mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:123:16
[task 2020-06-19T19:11:47.780Z] 19:11:47 INFO - PID 1847 | #7 0x7f0602e0371f in XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1136:32
[task 2020-06-19T19:11:47.781Z] 19:11:47 INFO - PID 1847 | #8 0x7f0602e04fb2 in XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1332:23
[task 2020-06-19T19:11:47.796Z] 19:11:47 INFO - PID 1847 | #9 0x7f0602e94e48 in nsXPConnect::InitJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:80:25
[task 2020-06-19T19:11:47.797Z] 19:11:47 INFO - PID 1847 | #10 0x7f06014e6f77 in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:491:5
[task 2020-06-19T19:11:47.797Z] 19:11:47 INFO - PID 1847 | #11 0x7f060be6e5fa in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:197:8
[task 2020-06-19T19:11:47.800Z] 19:11:47 INFO - PID 1847 | #12 0x7f060259b263 in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp
[task 2020-06-19T19:11:47.805Z] 19:11:47 INFO - PID 1847 | #13 0x7f0607e90aea in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:181:13
[task 2020-06-19T19:11:47.806Z] 19:11:47 INFO - PID 1847 | #14 0x7f060be6f5a4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:710:21
[task 2020-06-19T19:11:47.806Z] 19:11:47 INFO - PID 1847 | #15 0x560a7daf903b in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
[task 2020-06-19T19:11:47.807Z] 19:11:47 INFO - PID 1847 | #16 0x560a7daf903b in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
[task 2020-06-19T19:11:47.807Z] 19:11:47 INFO - PID 1847 | #17 0x7f062161ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
[task 2020-06-19T19:11:47.810Z] 19:11:47 INFO - PID 1847 | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.h:820:69 in runtimeMatches
[task 2020-06-19T19:11:47.810Z] 19:11:47 INFO - PID 1847 | Shadow bytes around the buggy address:
[task 2020-06-19T19:11:47.811Z] 19:11:47 INFO - PID 1847 | 0x0c0c80037060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.811Z] 19:11:47 INFO - PID 1847 | 0x0c0c80037070: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.811Z] 19:11:47 INFO - PID 1847 | 0x0c0c80037080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.811Z] 19:11:47 INFO - PID 1847 | 0x0c0c80037090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.812Z] 19:11:47 INFO - PID 1847 | 0x0c0c800370a0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.812Z] 19:11:47 INFO - PID 1847 | =>0x0c0c800370b0: fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd fd fa
[task 2020-06-19T19:11:47.812Z] 19:11:47 INFO - PID 1847 | 0x0c0c800370c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.813Z] 19:11:47 INFO - PID 1847 | 0x0c0c800370d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.813Z] 19:11:47 INFO - PID 1847 | 0x0c0c800370e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.813Z] 19:11:47 INFO - PID 1847 | 0x0c0c800370f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-06-19T19:11:47.814Z] 19:11:47 INFO - PID 1847 | 0x0c0c80037100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa

The failure in comment 1 happened while running /workers/dedicated-worker-from-blob-url.window.html, it looks like.

The top of the use stack is:
#0 0x7f060c3f8856 in runtimeMatches /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.h:820:69
#1 0x7f060c3f8856 in js::CancelOffThreadCompressions(JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2277:25
#2 0x7f060c68981c in JSRuntime::destroyRuntime() /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:272:5
#3 0x7f060c50a62e in js::DestroyContext(JSContext*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:213:7
#4 0x7f06012625ec in mozilla::CycleCollectedJSContext::~CycleCollectedJSContext() /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:104:3
#5 0x7f0607f58b1f in ~WorkerJSContext /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:893:3
#6 0x7f0607f58b1f in mozilla::dom::WorkerJSContext::~WorkerJSContext() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:877:50

The free stack includes js::AttachFinishedCompression().

This looks like the same crash as bug 1647115.
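The two stacks above describe a lifetime race: the main thread walks the off-thread compression task list during JSRuntime::destroyRuntime and calls runtimeMatches on a task that AttachFinishedCompression has already freed. The model below is a constructed illustration of the ownership rule that such a walk depends on, added here as an example; it is not SpiderMonkey's code, and HelperState, CompressionTask, cancelOffThreadCompressions, attachFinished and the single-worker layout are hypothetical stand-ins. Every task is owned by exactly one place at a time (pending list, the worker's in-flight slot, or finished list), ownership only moves under one lock, and cancellation waits for an in-flight task to land in the finished list before freeing it, so no list can hold a pointer to a task another thread is freeing.

```cpp
// Added illustration, not SpiderMonkey code: all names below are hypothetical.
#include <algorithm>
#include <condition_variable>
#include <memory>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

struct Runtime { int id; };

struct CompressionTask {
    Runtime* runtime;
    bool done = false;
    explicit CompressionTask(Runtime* rt) : runtime(rt) {}
    bool runtimeMatches(Runtime* rt) const { return runtime == rt; }
};

class HelperState {
public:
    void enqueue(Runtime* rt) {
        std::lock_guard<std::mutex> g(lock_);
        pending_.push_back(std::make_unique<CompressionTask>(rt));
        cv_.notify_all();
    }

    // Helper thread body: drain pending tasks, exit when shutdown and idle.
    void workerLoop() {
        for (;;) {
            std::unique_ptr<CompressionTask> task;
            {
                std::unique_lock<std::mutex> g(lock_);
                cv_.wait(g, [&] { return !pending_.empty() || shutdown_; });
                if (pending_.empty()) return;
                task = std::move(pending_.back());
                pending_.pop_back();
                inFlight_ = task.get();   // published to cancel() under the lock
            }
            task->done = true;            // the "compression" work, unlocked
            {
                std::lock_guard<std::mutex> g(lock_);
                inFlight_ = nullptr;
                finished_.push_back(std::move(task));
                cv_.notify_all();
            }
        }
    }

    // Runtime teardown: when this returns, no task anywhere references rt.
    void cancelOffThreadCompressions(Runtime* rt) {
        std::unique_lock<std::mutex> g(lock_);
        eraseMatching(pending_, rt);
        // A claimed task belongs to the worker: wait for it to reach
        // finished_ rather than racing the worker for its lifetime.
        cv_.wait(g, [&] { return !(inFlight_ && inFlight_->runtimeMatches(rt)); });
        eraseMatching(finished_, rt);
    }

    // Main-thread consumer of finished work (the AttachFinishedCompression
    // role): frees finished tasks for rt and returns how many it consumed.
    size_t attachFinished(Runtime* rt) {
        std::lock_guard<std::mutex> g(lock_);
        return eraseMatching(finished_, rt);
    }

    void shutdown() {
        std::lock_guard<std::mutex> g(lock_);
        shutdown_ = true;
        cv_.notify_all();
    }

    // Diagnostic: live tasks in any list or in flight that reference rt.
    size_t liveTasksFor(Runtime* rt) {
        std::lock_guard<std::mutex> g(lock_);
        size_t n = 0;
        for (auto& t : pending_)  if (t->runtimeMatches(rt)) ++n;
        for (auto& t : finished_) if (t->runtimeMatches(rt)) ++n;
        if (inFlight_ && inFlight_->runtimeMatches(rt)) ++n;
        return n;
    }

private:
    using TaskList = std::vector<std::unique_ptr<CompressionTask>>;

    static size_t eraseMatching(TaskList& v, Runtime* rt) {
        size_t before = v.size();
        v.erase(std::remove_if(v.begin(), v.end(),
                    [&](const std::unique_ptr<CompressionTask>& t) {
                        return t->runtimeMatches(rt); }),
                v.end());
        return before - v.size();   // tasks are freed here, under lock_
    }

    std::mutex lock_;
    std::condition_variable cv_;
    TaskList pending_;
    TaskList finished_;
    CompressionTask* inFlight_ = nullptr;
    bool shutdown_ = false;
};

// Constructed scenario: rt1 is torn down while a worker is busy with a mixed
// queue. Returns {live rt1 tasks after cancel, rt2 tasks completed}.
std::pair<size_t, size_t> runScenario() {
    Runtime rt1{1}, rt2{2};
    HelperState hs;
    for (int i = 0; i < 3; ++i) hs.enqueue(&rt1);
    for (int i = 0; i < 2; ++i) hs.enqueue(&rt2);
    std::thread worker([&] { hs.workerLoop(); });
    hs.cancelOffThreadCompressions(&rt1);
    size_t leftover = hs.liveTasksFor(&rt1);
    hs.shutdown();
    worker.join();
    return {leftover, hs.attachFinished(&rt2)};
}
```

The scenario is deterministic regardless of thread interleaving: cancelOffThreadCompressions removes rt1's pending tasks and waits out any in-flight rt1 task under the same lock the worker uses for its hand-offs, so liveTasksFor(&rt1) is 0 whether the worker ran before, during or after the cancel, and both rt2 tasks are still completed and freed by attachFinished. The property to carry back to the real code is the one ASan flagged: a task must leave every list that can be walked by runtimeMatches before anything frees it.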

Flags: needinfo?(sphink)
See Also: → 1647115
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(sphink)
Group: javascript-core-security