Closed Bug 1699334 Opened 4 years ago Closed 4 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:558:34 in CellHasStoreBuffer

Categories: Core :: JavaScript: GC, defect
Version: Firefox 88
Status: RESOLVED DUPLICATE of bug 1699364
People: Reporter: bogdan_tara, Unassigned
Keywords: csectype-uaf, regression, sec-high
Attachments: 1 file

https://treeherder.mozilla.org/logviewer?job_id=333581408&repo=autoland&lineNumber=4710

https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/GAR9OwsySc67_au-RpDlAQ/runs/0/artifacts/public/logs/live_backing.log

[task 2021-03-18T01:48:53.732Z] 01:48:53     INFO - SimpleTest START
[task 2021-03-18T01:48:53.768Z] 01:48:53     INFO - TEST-START | dom/tests/mochitest/ajax/prototype/test_Prototype.html
[task 2021-03-18T01:48:55.639Z] 01:48:55     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:55.796Z] 01:48:55     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:56.100Z] 01:48:56     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:56.224Z] 01:48:56     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:56.448Z] 01:48:56     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:56.584Z] 01:48:56     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:57.979Z] 01:48:57     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:58.440Z] 01:48:58     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:48:59.806Z] 01:48:59     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:00.069Z] 01:49:00     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:00.412Z] 01:49:00     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:00.784Z] 01:49:00     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:05.375Z] 01:49:05     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:05.685Z] 01:49:05     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:05.944Z] 01:49:05     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:06.186Z] 01:49:06     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:06.510Z] 01:49:06     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:07.038Z] 01:49:07     INFO - GECKO(2901) | JavaScript warning: http://mochi.test:8888/tests/dom/tests/mochitest/ajax/prototype/test/lib/unittest.js, line 129: unreachable code after return statement
[task 2021-03-18T01:49:07.106Z] 01:49:07     INFO - GECKO(2901) | =================================================================
[task 2021-03-18T01:49:07.106Z] 01:49:07    ERROR - GECKO(2901) | ==2953==ERROR: AddressSanitizer: heap-use-after-free on address 0x629000600000 at pc 0x7ffae5056338 bp 0x7ffe69f4a3b0 sp 0x7ffe69f4a3a8
[task 2021-03-18T01:49:07.106Z] 01:49:07     INFO - GECKO(2901) | READ of size 8 at 0x629000600000 thread T0 (Web Content)
[task 2021-03-18T01:49:07.645Z] 01:49:07     INFO - GECKO(2901) |     #0 0x7ffae5056337 in CellHasStoreBuffer /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:558:34
[task 2021-03-18T01:49:07.645Z] 01:49:07     INFO - GECKO(2901) |     #1 0x7ffae5056337 in IsInsideNursery /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:567:10
[task 2021-03-18T01:49:07.646Z] 01:49:07     INFO - GECKO(2901) |     #2 0x7ffae5056337 in isTenured /builds/worker/checkouts/gecko/js/src/gc/Cell.h:157:54
[task 2021-03-18T01:49:07.646Z] 01:49:07     INFO - GECKO(2901) |     #3 0x7ffae5056337 in bool js::GCMarker::mark<JSString>(JSString*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1203:15
[task 2021-03-18T01:49:07.647Z] 01:49:07     INFO - GECKO(2901) |     #4 0x7ffae505d040 in js::GCMarker::eagerlyMarkChildren(JSRope*) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1373:37
[task 2021-03-18T01:49:07.647Z] 01:49:07     INFO - GECKO(2901) |     #5 0x7ffae5038deb in eagerlyMarkChildren /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1313:5
[task 2021-03-18T01:49:07.647Z] 01:49:07     INFO - GECKO(2901) |     #6 0x7ffae5038deb in scanChildren<JSString> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1066:3
[task 2021-03-18T01:49:07.648Z] 01:49:07     INFO - GECKO(2901) |     #7 0x7ffae5038deb in traverse<JSString> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:1071:3
[task 2021-03-18T01:49:07.648Z] 01:49:07     INFO - GECKO(2901) |     #8 0x7ffae5038deb in operator()<JSString *> /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4203:5
[task 2021-03-18T01:49:07.648Z] 01:49:07     INFO - GECKO(2901) |     #9 0x7ffae5038deb in MapGCThingTyped<(lambda at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4187:27) &> /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:450:5
[task 2021-03-18T01:49:07.649Z] 01:49:07     INFO - GECKO(2901) |     #10 0x7ffae5038deb in ApplyGCThingTyped<(lambda at /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4187:27)> /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:464:3
[task 2021-03-18T01:49:07.649Z] 01:49:07     INFO - GECKO(2901) |     #11 0x7ffae5038deb in js::GCMarker::traceBarrieredCell(JS::GCCellPtr) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4187:3
[task 2021-03-18T01:49:07.649Z] 01:49:07     INFO - GECKO(2901) |     #12 0x7ffae50293be in js::GCMarker::traceBarrieredCells(js::SliceBudget&) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4172:5
[task 2021-03-18T01:49:07.649Z] 01:49:07     INFO - GECKO(2901) |     #13 0x7ffae5038b01 in js::gc::BarrierTracer::handleBufferFull(JS::GCCellPtr) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4157:10
[task 2021-03-18T01:49:07.650Z] 01:49:07     INFO - GECKO(2901) |     #14 0x7ffae50269c1 in js::gc::BarrierTracer::performBarrier(JS::GCCellPtr) /builds/worker/checkouts/gecko/js/src/gc/Marking.cpp:4151:5
[task 2021-03-18T01:49:07.670Z] 01:49:07     INFO - GECKO(2901) |     #15 0x7ffae49fa437 in PreWriteBarrierImpl /builds/worker/checkouts/gecko/js/src/gc/Cell.h:542:3
[task 2021-03-18T01:49:07.671Z] 01:49:07     INFO - GECKO(2901) |     #16 0x7ffae49fa437 in PreWriteBarrierImpl /builds/worker/checkouts/gecko/js/src/gc/Cell.h:548:5
[task 2021-03-18T01:49:07.671Z] 01:49:07     INFO - GECKO(2901) |     #17 0x7ffae49fa437 in PreWriteBarrier<JSString> /builds/worker/checkouts/gecko/js/src/gc/Cell.h:558:5
[task 2021-03-18T01:49:07.671Z] 01:49:07     INFO - GECKO(2901) |     #18 0x7ffae49fa437 in JSLinearString* JSRope::flattenInternal<(JSRope::UsingBarrier)0, unsigned char>(JSContext*) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:765:5
[task 2021-03-18T01:49:07.671Z] 01:49:07     INFO - GECKO(2901) |     #19 0x7ffae49c0b9d in flattenInternal<JSRope::WithIncrementalBarrier> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:848:10
[task 2021-03-18T01:49:07.671Z] 01:49:07     INFO - GECKO(2901) |     #20 0x7ffae49c0b9d in JSRope::flatten(JSContext*) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:858:12
[task 2021-03-18T01:49:07.686Z] 01:49:07     INFO - GECKO(2901) |     #21 0x7ffae5907182 in ensureLinear /builds/worker/checkouts/gecko/js/src/vm/StringType.h:1826:46
[task 2021-03-18T01:49:07.687Z] 01:49:07     INFO - GECKO(2901) |     #22 0x7ffae5907182 in ExecuteRegExp(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::VectorMatchPairs*) /builds/worker/checkouts/gecko/js/src/builtin/RegExp.cpp:1068:40
[task 2021-03-18T01:49:07.687Z] 01:49:07     INFO - GECKO(2901) |     #23 0x7ffae5905605 in RegExpMatcherImpl(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/builtin/RegExp.cpp:1131:7
[task 2021-03-18T01:49:07.688Z] 01:49:07     INFO - GECKO(2901) |     #24 0x7ffae5905ae0 in js::RegExpMatcherRaw(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSString*>, int, js::MatchPairs*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/builtin/RegExp.cpp:1185:10
[task 2021-03-18T01:49:07.689Z] 01:49:07     INFO - GECKO(2901) |     #25 0x1af53a30d167  (<unknown module>)
[task 2021-03-18T01:49:07.690Z] 01:49:07     INFO - GECKO(2901) | 0x629000600000 is located 3584 bytes inside of 16384-byte region [0x6290005ff200,0x629000603200)
[task 2021-03-18T01:49:07.690Z] 01:49:07     INFO - GECKO(2901) | freed by thread T7 (JS Helper) here:
[task 2021-03-18T01:49:07.698Z] 01:49:07     INFO - GECKO(2901) |     #0 0x55f9ee63b64d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
[task 2021-03-18T01:49:07.700Z] 01:49:07     INFO - GECKO(2901) |     #1 0x7ffae50b422c in js_free /builds/worker/workspace/obj-build/dist/include/js/Utility.h:432:3
[task 2021-03-18T01:49:07.700Z] 01:49:07     INFO - GECKO(2901) |     #2 0x7ffae50b422c in free_<unsigned char> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:83:5
[task 2021-03-18T01:49:07.701Z] 01:49:07     INFO - GECKO(2901) |     #3 0x7ffae50b422c in ~Vector /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:903:11
[task 2021-03-18T01:49:07.701Z] 01:49:07     INFO - GECKO(2901) |     #4 0x7ffae50b422c in ~AssemblerBuffer /builds/worker/checkouts/gecko/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:116:7
[task 2021-03-18T01:49:07.702Z] 01:49:07     INFO - GECKO(2901) |     #5 0x7ffae50b422c in ~X86InstructionFormatter /builds/worker/checkouts/gecko/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:5175:9
[task 2021-03-18T01:49:07.702Z] 01:49:07     INFO - GECKO(2901) |     #6 0x7ffae50b422c in ~BaseAssembler /builds/worker/checkouts/gecko/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:49:7
[task 2021-03-18T01:49:07.703Z] 01:49:07     INFO - GECKO(2901) |     #7 0x7ffae50b422c in js::jit::AssemblerX86Shared::~AssemblerX86Shared() /builds/worker/checkouts/gecko/js/src/jit/x86-shared/Assembler-x86-shared.h:268:7
[task 2021-03-18T01:49:07.703Z] 01:49:07     INFO - GECKO(2901) |     #8 0x7ffae50b335f in js::jit::MacroAssemblerX86Shared::~MacroAssemblerX86Shared() /builds/worker/checkouts/gecko/js/src/jit/x86-shared/MacroAssembler-x86-shared.h:23:7
[task 2021-03-18T01:49:07.743Z] 01:49:07     INFO - GECKO(2901) |     #9 0x7ffae53e2bb2 in ~MaybeStorage /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:283:24
[task 2021-03-18T01:49:07.744Z] 01:49:07     INFO - GECKO(2901) |     #10 0x7ffae53e2bb2 in js::jit::CodeGeneratorShared::~CodeGeneratorShared() /builds/worker/checkouts/gecko/js/src/jit/shared/CodeGenerator-shared.h:40:7
[task 2021-03-18T01:49:07.751Z] 01:49:07     INFO - GECKO(2901) |     #11 0x7ffae550384d in js_delete<js::jit::CodeGenerator> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:573:9
[task 2021-03-18T01:49:07.752Z] 01:49:07     INFO - GECKO(2901) |     #12 0x7ffae550384d in js::jit::FreeIonCompileTask(js::jit::IonCompileTask*) /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:160:3
[task 2021-03-18T01:49:07.753Z] 01:49:07     INFO - GECKO(2901) |     #13 0x7ffae5503911 in js::jit::IonFreeTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:167:5
[task 2021-03-18T01:49:07.789Z] 01:49:07     INFO - GECKO(2901) |     #14 0x7ffae47464dc in js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2701:9
[task 2021-03-18T01:49:07.789Z] 01:49:07     INFO - GECKO(2901) |     #15 0x7ffae4744256 in js::HelperThread::threadLoop() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2673:25
[task 2021-03-18T01:49:07.790Z] 01:49:07     INFO - GECKO(2901) |     #16 0x7ffae4744015 in js::HelperThread::ThreadMain(void*) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2364:11
[task 2021-03-18T01:49:07.790Z] 01:49:07     INFO - GECKO(2901) |     #17 0x7ffae47c7e47 in callMain<0> /builds/worker/checkouts/gecko/js/src/threading/Thread.h:216:5
[task 2021-03-18T01:49:07.791Z] 01:49:07     INFO - GECKO(2901) |     #18 0x7ffae47c7e47 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:205:11
[task 2021-03-18T01:49:07.807Z] 01:49:07     INFO - GECKO(2901) |     #19 0x7ffafe5a86da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
[task 2021-03-18T01:49:07.807Z] 01:49:07     INFO - GECKO(2901) | previously allocated by thread T8 (JS Helper) here:
[task 2021-03-18T01:49:07.808Z] 01:49:07     INFO - GECKO(2901) |     #0 0x55f9ee63bbe9 in realloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:164:3
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #1 0x7ffae5178520 in js_arena_realloc /builds/worker/workspace/obj-build/dist/include/js/Utility.h:421:10
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #2 0x7ffae5178520 in js_pod_arena_realloc<unsigned char> /builds/worker/workspace/obj-build/dist/include/js/Utility.h:626:26
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #3 0x7ffae5178520 in maybe_pod_arena_realloc<unsigned char> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:40:12
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #4 0x7ffae5178520 in pod_arena_realloc<unsigned char> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:53:12
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #5 0x7ffae5178520 in pod_realloc<unsigned char> /builds/worker/workspace/obj-build/dist/include/js/AllocPolicy.h:78:12
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #6 0x7ffae5178520 in pod_realloc<unsigned char> /builds/worker/checkouts/gecko/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:102:31
[task 2021-03-18T01:49:07.828Z] 01:49:07     INFO - GECKO(2901) |     #7 0x7ffae5178520 in growTo /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:209:21
[task 2021-03-18T01:49:07.832Z] 01:49:07     INFO - GECKO(2901) |     #8 0x7ffae5178520 in mozilla::Vector<unsigned char, 256ul, js::jit::AssemblerBufferAllocPolicy>::growStorageBy(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1021:10
[task 2021-03-18T01:49:07.832Z] 01:49:07     INFO - GECKO(2901) |     #9 0x7ffae517afd6 in reserve /builds/worker/workspace/obj-build/dist/include/mozilla/Vector.h:1071:9
[task 2021-03-18T01:49:07.833Z] 01:49:07     INFO - GECKO(2901) |     #10 0x7ffae517afd6 in ensureSpace /builds/worker/checkouts/gecko/js/src/jit/x86-shared/AssemblerBuffer-x86-shared.h:137:9
[task 2021-03-18T01:49:07.833Z] 01:49:07     INFO - GECKO(2901) |     #11 0x7ffae517afd6 in js::jit::X86Encoding::BaseAssembler::X86InstructionFormatter::oneByteOp(js::jit::X86Encoding::OneByteOpcodeID) /builds/worker/checkouts/gecko/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:5220:16
[task 2021-03-18T01:49:07.834Z] 01:49:07     INFO - GECKO(2901) |     #12 0x7ffae5181bfc in jmp /builds/worker/checkouts/gecko/js/src/jit/x86-shared/BaseAssembler-x86-shared.h:2578:17
[task 2021-03-18T01:49:07.835Z] 01:49:07     INFO - GECKO(2901) |     #13 0x7ffae5181bfc in js::jit::AssemblerX86Shared::jmpSrc(js::jit::Label*) /builds/worker/checkouts/gecko/js/src/jit/x86-shared/Assembler-x86-shared.h:953:23
[task 2021-03-18T01:49:07.843Z] 01:49:07     INFO - GECKO(2901) |     #14 0x7ffae51ffed5 in js::jit::CodeGeneratorShared::generateOutOfLineCode() /builds/worker/checkouts/gecko/js/src/jit/shared/CodeGenerator-shared.cpp:188:24
[task 2021-03-18T01:49:07.858Z] 01:49:07     INFO - GECKO(2901) |     #15 0x7ffae52585d2 in js::jit::CodeGeneratorX86Shared::generateOutOfLineCode() /builds/worker/checkouts/gecko/js/src/jit/x86-shared/CodeGenerator-x86-shared.cpp:526:29
[task 2021-03-18T01:49:07.858Z] 01:49:07     INFO - GECKO(2901) |     #16 0x7ffae5470bf4 in js::jit::CodeGenerator::generate() /builds/worker/checkouts/gecko/js/src/jit/CodeGenerator.cpp:11476:8
[task 2021-03-18T01:49:07.879Z] 01:49:07     INFO - GECKO(2901) |     #17 0x7ffae54b90f6 in js::jit::GenerateCode(js::jit::MIRGenerator*, js::jit::LIRGraph*) /builds/worker/checkouts/gecko/js/src/jit/Ion.cpp:1553:17
[task 2021-03-18T01:49:07.880Z] 01:49:07     INFO - GECKO(2901) |     #18 0x7ffae54b9501 in js::jit::CompileBackEnd(js::jit::MIRGenerator*, js::jit::WarpSnapshot*) /builds/worker/checkouts/gecko/js/src/jit/Ion.cpp:1582:10
[task 2021-03-18T01:49:07.880Z] 01:49:07     INFO - GECKO(2901) |     #19 0x7ffae5502c0f in js::jit::IonCompileTask::runTask() /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:56:24
[task 2021-03-18T01:49:07.880Z] 01:49:07     INFO - GECKO(2901) |     #20 0x7ffae5502962 in js::jit::IonCompileTask::runHelperThreadTask(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/jit/IonCompileTask.cpp:30:5
[task 2021-03-18T01:49:07.881Z] 01:49:07     INFO - GECKO(2901) |     #21 0x7ffae47464dc in js::GlobalHelperThreadState::runTaskLocked(js::HelperThreadTask*, js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2701:9
[task 2021-03-18T01:49:07.881Z] 01:49:07     INFO - GECKO(2901) |     #22 0x7ffae4744256 in js::HelperThread::threadLoop() /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2673:25
[task 2021-03-18T01:49:07.883Z] 01:49:07     INFO - GECKO(2901) |     #23 0x7ffae4744015 in js::HelperThread::ThreadMain(void*) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2364:11
[task 2021-03-18T01:49:07.883Z] 01:49:07     INFO - GECKO(2901) |     #24 0x7ffae47c7e47 in callMain<0> /builds/worker/checkouts/gecko/js/src/threading/Thread.h:216:5
[task 2021-03-18T01:49:07.884Z] 01:49:07     INFO - GECKO(2901) |     #25 0x7ffae47c7e47 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:205:11
[task 2021-03-18T01:49:07.885Z] 01:49:07     INFO - GECKO(2901) |     #26 0x7ffafe5a86da in start_thread /build/glibc-2ORdQG/glibc-2.27/nptl/pthread_create.c:463
[task 2021-03-18T01:49:07.885Z] 01:49:07     INFO - GECKO(2901) | Thread T7 (JS Helper) created by T0 (Web Content) here:
[task 2021-03-18T01:49:07.892Z] 01:49:07     INFO - GECKO(2901) |     #0 0x55f9ee62633a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
[task 2021-03-18T01:49:07.892Z] 01:49:07     INFO - GECKO(2901) |     #1 0x7ffae4577a79 in js::Thread::create(void* (*)(void*), void*) /builds/worker/checkouts/gecko/js/src/threading/posix/PosixThread.cpp:54:7
[task 2021-03-18T01:49:07.893Z] 01:49:07     INFO - GECKO(2901) |     #2 0x7ffae4743efe in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:89:12
[task 2021-03-18T01:49:07.894Z] 01:49:07     INFO - GECKO(2901) |     #3 0x7ffae473b086 in init /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2318:17
[task 2021-03-18T01:49:07.894Z] 01:49:07     INFO - GECKO(2901) |     #4 0x7ffae473b086 in js::GlobalHelperThreadState::ensureThreadCount(unsigned long) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1331:29
[task 2021-03-18T01:49:07.910Z] 01:49:07     INFO - GECKO(2901) |     #5 0x7ffae48f2109 in JSRuntime::init(JSContext*, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:199:32
[task 2021-03-18T01:49:07.945Z] 01:49:07     INFO - GECKO(2901) |     #6 0x7ffae47cfcaf in js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:184:17
[task 2021-03-18T01:49:07.961Z] 01:49:07     INFO - GECKO(2901) |     #7 0x7ffad972d4f0 in mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:128:16
[task 2021-03-18T01:49:07.981Z] 01:49:07     INFO - GECKO(2901) |     #8 0x7ffadb3142cb in XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1195:32
[task 2021-03-18T01:49:07.982Z] 01:49:07     INFO - GECKO(2901) |     #9 0x7ffadb316472 in XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1397:23
[task 2021-03-18T01:49:07.997Z] 01:49:07     INFO - GECKO(2901) |     #10 0x7ffadb3a5948 in nsXPConnect::InitJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:84:25
[task 2021-03-18T01:49:07.997Z] 01:49:07     INFO - GECKO(2901) |     #11 0x7ffad99ae8c8 in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:489:5
[task 2021-03-18T01:49:08.000Z] 01:49:08     INFO - GECKO(2901) |     #12 0x7ffae419a637 in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:186:8
[task 2021-03-18T01:49:08.016Z] 01:49:08     INFO - GECKO(2901) |     #13 0x7ffadaa53fb2 in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp
[task 2021-03-18T01:49:08.057Z] 01:49:08     INFO - GECKO(2901) |     #14 0x7ffae01aabbb in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:183:13
[task 2021-03-18T01:49:08.058Z] 01:49:08     INFO - GECKO(2901) |     #15 0x7ffae419b1e6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:699:21
[task 2021-03-18T01:49:08.059Z] 01:49:08     INFO - GECKO(2901) |     #16 0x55f9ee66e08d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
[task 2021-03-18T01:49:08.059Z] 01:49:08     INFO - GECKO(2901) |     #17 0x55f9ee66e4b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
[task 2021-03-18T01:49:08.133Z] 01:49:08     INFO - GECKO(2901) |     #18 0x7ffafd486b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
[task 2021-03-18T01:49:08.133Z] 01:49:08     INFO - GECKO(2901) | Thread T8 (JS Helper) created by T0 (Web Content) here:
[task 2021-03-18T01:49:08.133Z] 01:49:08     INFO - GECKO(2901) |     #0 0x55f9ee62633a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
[task 2021-03-18T01:49:08.134Z] 01:49:08     INFO - GECKO(2901) |     #1 0x7ffae4577a79 in js::Thread::create(void* (*)(void*), void*) /builds/worker/checkouts/gecko/js/src/threading/posix/PosixThread.cpp:54:7
[task 2021-03-18T01:49:08.134Z] 01:49:08     INFO - GECKO(2901) |     #2 0x7ffae4743efe in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&)(void*), js::HelperThread*&&) /builds/worker/checkouts/gecko/js/src/threading/Thread.h:89:12
[task 2021-03-18T01:49:08.134Z] 01:49:08     INFO - GECKO(2901) |     #3 0x7ffae473b086 in init /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:2318:17
[task 2021-03-18T01:49:08.134Z] 01:49:08     INFO - GECKO(2901) |     #4 0x7ffae473b086 in js::GlobalHelperThreadState::ensureThreadCount(unsigned long) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1331:29
[task 2021-03-18T01:49:08.135Z] 01:49:08     INFO - GECKO(2901) |     #5 0x7ffae48f2109 in JSRuntime::init(JSContext*, unsigned int) /builds/worker/checkouts/gecko/js/src/vm/Runtime.cpp:199:32
[task 2021-03-18T01:49:08.136Z] 01:49:08     INFO - GECKO(2901) |     #6 0x7ffae47cfcaf in js::NewContext(unsigned int, JSRuntime*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:184:17
[task 2021-03-18T01:49:08.136Z] 01:49:08     INFO - GECKO(2901) |     #7 0x7ffad972d4f0 in mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /builds/worker/checkouts/gecko/xpcom/base/CycleCollectedJSContext.cpp:128:16
[task 2021-03-18T01:49:08.138Z] 01:49:08     INFO - GECKO(2901) |     #8 0x7ffadb3142cb in XPCJSContext::Initialize() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1195:32
[task 2021-03-18T01:49:08.139Z] 01:49:08     INFO - GECKO(2901) |     #9 0x7ffadb316472 in XPCJSContext::NewXPCJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1397:23
[task 2021-03-18T01:49:08.142Z] 01:49:08     INFO - GECKO(2901) |     #10 0x7ffadb3a5948 in nsXPConnect::InitJSContext() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:84:25
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #11 0x7ffad99ae8c8 in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:489:5
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #12 0x7ffae419a637 in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:186:8
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #13 0x7ffadaa53fb2 in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #14 0x7ffae01aabbb in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:183:13
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #15 0x7ffae419b1e6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:699:21
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #16 0x55f9ee66e08d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #17 0x55f9ee66e4b1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:309:18
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |     #18 0x7ffafd486b96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/js/HeapAPI.h:558:34 in CellHasStoreBuffer
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) | Shadow bytes around the buggy address:
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b7fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b7fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b7fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b7fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b7ff0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.145Z] 01:49:08     INFO - GECKO(2901) | =>0x0c52800b8000:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.146Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b8010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.147Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b8020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.147Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.147Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.149Z] 01:49:08     INFO - GECKO(2901) |   0x0c52800b8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2021-03-18T01:49:08.149Z] 01:49:08     INFO - GECKO(2901) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2021-03-18T01:49:08.149Z] 01:49:08     INFO - GECKO(2901) |   Addressable:           00
[task 2021-03-18T01:49:08.150Z] 01:49:08     INFO - GECKO(2901) |   Partially addressable: 01 02 03 04 05 06 07
[task 2021-03-18T01:49:08.150Z] 01:49:08     INFO - GECKO(2901) |   Heap left redzone:       fa
[task 2021-03-18T01:49:08.150Z] 01:49:08     INFO - GECKO(2901) |   Freed heap region:       fd
[task 2021-03-18T01:49:08.150Z] 01:49:08     INFO - GECKO(2901) |   Stack left redzone:      f1
[task 2021-03-18T01:49:08.151Z] 01:49:08     INFO - GECKO(2901) |   Stack mid redzone:       f2
[task 2021-03-18T01:49:08.152Z] 01:49:08     INFO - GECKO(2901) |   Stack right redzone:     f3
[task 2021-03-18T01:49:08.152Z] 01:49:08     INFO - GECKO(2901) |   Stack after return:      f5
[task 2021-03-18T01:49:08.152Z] 01:49:08     INFO - GECKO(2901) |   Stack use after scope:   f8
[task 2021-03-18T01:49:08.153Z] 01:49:08     INFO - GECKO(2901) |   Global redzone:          f9
[task 2021-03-18T01:49:08.153Z] 01:49:08     INFO - GECKO(2901) |   Global init order:       f6
[task 2021-03-18T01:49:08.154Z] 01:49:08     INFO - GECKO(2901) |   Poisoned by user:        f7
[task 2021-03-18T01:49:08.154Z] 01:49:08     INFO - GECKO(2901) |   Container overflow:      fc
[task 2021-03-18T01:49:08.154Z] 01:49:08     INFO - GECKO(2901) |   Array cookie:            ac
[task 2021-03-18T01:49:08.155Z] 01:49:08     INFO - GECKO(2901) |   Intra object redzone:    bb
[task 2021-03-18T01:49:08.155Z] 01:49:08     INFO - GECKO(2901) |   ASan internal:           fe
[task 2021-03-18T01:49:08.155Z] 01:49:08     INFO - GECKO(2901) |   Left alloca redzone:     ca
[task 2021-03-18T01:49:08.155Z] 01:49:08     INFO - GECKO(2901) |   Right alloca redzone:    cb
[task 2021-03-18T01:49:08.155Z] 01:49:08     INFO - GECKO(2901) |   Shadow gap:              cc
[task 2021-03-18T01:49:08.156Z] 01:49:08     INFO - GECKO(2901) | ==2953==ABORTING
[task 2021-03-18T01:49:08.287Z] 01:49:08    ERROR - GECKO(2901) | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2021-03-18T01:49:08.672Z] 01:49:08     INFO - GECKO(2901) | ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2021-03-18T01:49:08.793Z] 01:49:08     INFO - GECKO(2901) | ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2021-03-18T01:49:09.735Z] 01:49:09     INFO - GECKO(2901) | 1616032149727	Marionette	TRACE	Received observer notification xpcom-will-shutdown
[task 2021-03-18T01:49:09.735Z] 01:49:09     INFO - GECKO(2901) | 1616032149727	Marionette	INFO	Stopped listening on port 2828
[task 2021-03-18T01:49:09.735Z] 01:49:09     INFO - GECKO(2901) | 1616032149728	Marionette	DEBUG	Marionette stopped listening
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) | Suppressions used:
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) |   count      bytes template
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) |      14        448 nsComponentManagerImpl
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) |       2        288 libfontconfig.so
[task 2021-03-18T01:49:10.959Z] 01:49:10     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) | Suppressions used:
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) |   count      bytes template
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) |      14        448 nsComponentManagerImpl
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) |       2        288 libfontconfig.so
[task 2021-03-18T01:49:11.015Z] 01:49:11     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) | Suppressions used:
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) |   count      bytes template
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) |      14        448 nsComponentManagerImpl
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) |       2        288 libfontconfig.so
[task 2021-03-18T01:49:11.096Z] 01:49:11     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:12.384Z] 01:49:12     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:12.384Z] 01:49:12     INFO - GECKO(2901) | Suppressions used:
[task 2021-03-18T01:49:12.384Z] 01:49:12     INFO - GECKO(2901) |   count      bytes template
[task 2021-03-18T01:49:12.384Z] 01:49:12     INFO - GECKO(2901) |      14        432 nsComponentManagerImpl
[task 2021-03-18T01:49:12.386Z] 01:49:12     INFO - GECKO(2901) |     633      18083 libfontconfig.so
[task 2021-03-18T01:49:12.387Z] 01:49:12     INFO - GECKO(2901) |       3        624 mozJSComponentLoader
[task 2021-03-18T01:49:12.390Z] 01:49:12     INFO - GECKO(2901) | -----------------------------------------------------
[task 2021-03-18T01:49:12.469Z] 01:49:12     INFO - TEST-INFO | Main app process: exit 0
[task 2021-03-18T01:49:12.469Z] 01:49:12     INFO - runtests.py | Application ran for: 0:00:27.248567
Component: Mochitest → JavaScript: GC
Product: Testing → Core
Group: core-security-release → javascript-core-security

This also hit Try in https://treeherder.mozilla.org/logviewer?job_id=333563567&repo=try&lineNumber=4704 as heap-buffer-overflow and again in dom/tests/mochitest/ajax/prototype/test_Prototype.html

Attached file buffer overflow

Here's the buffer overflow from the log in the previous comment. The read looks similar, but the free stack looks different.

[Tracking Requested - why for this release]: possible sec-high regression

Jon, could you take a look? I'm not sure if there's anything actionable here or not, but it would be good to see if there is. Does this look similar to the other sec regressions you've been investigating recently? Thanks.

Flags: needinfo?(jcoppeard)

The stack looks a bit like bug 1699364, with the string stuff.

See Also: → 1699364
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE
Group: javascript-core-security