Closed Bug 1768099 Opened 2 years ago Closed 2 years ago

ERROR: AddressSanitizer: SEGV on unknown address 0x000000000760

Categories: Core :: JavaScript Engine, defect, P3
Tracking: RESOLVED FIXED, 102 Branch
Tracking Status: firefox102 --- fixed
People: Reporter: glandium, Assigned: glandium
References: Blocks 1 open bug
Attachments: 1 file

When using clang trunk, all Linux asan builds (spidermonkey and firefox) fail with something like:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==3512==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000760 (pc 0x555556d26478 bp 0x7fffffffcfc0 sp 0x7fffffffcf70 T0)
==3512==The signal is caused by a READ memory access.
==3512==Hint: address points to the zero page.
    #0 0x555556d26478 in JSString* js::AllocateStringImpl<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:227:45
    #1 0x5555563c44ee in AllocateString<JSFatInlineString, (js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/gc/Allocator.h:79:7
    #2 0x5555563c44ee in new_<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/StringType-inl.h:390:10
    #3 0x5555563c44ee in AllocateInlineString<(js::AllowGC)1, unsigned char> /builds/worker/checkouts/gecko/js/src/vm/StringType-inl.h:44:28
    #4 0x5555563c44ee in NewInlineString<(js::AllowGC)1, unsigned char> /builds/worker/checkouts/gecko/js/src/vm/StringType-inl.h:86:25
    #5 0x5555563c44ee in JSLinearString* js::NewStringCopyNDontDeflateNonStaticValidLength<(js::AllowGC)1, unsigned char>(JSContext*, unsigned char const*, unsigned long, js::gc::InitialHeap) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1651:12
    #6 0x5555563ce727 in NewStringCopyNDontDeflate<(js::AllowGC)1, unsigned char> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1685:10
    #7 0x5555563ce727 in NewStringCopyN<(js::AllowGC)1, unsigned char> /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1724:10
    #8 0x5555563ce727 in js::NewStringCopyUTF8N(JSContext*, JS::UTF8Chars, js::gc::InitialHeap) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1793:12
    #9 0x5555566d59ac in NewStringCopyUTF8Z /builds/worker/checkouts/gecko/js/src/vm/StringType.h:1454:10
    #10 0x5555566d59ac in JS_NewStringCopyUTF8Z /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2973:10
    #11 0x5555566d59ac in JSErrorBase::newMessageString(JSContext*) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:3798:10
    #12 0x5555566e9c2f in js::ErrorToException(JSContext*, JSErrorReport*, JSErrorFormatString const* (*)(void*, unsigned int), void*) /builds/worker/checkouts/gecko/js/src/jsexn.cpp:321:40
    #13 0x555555f91718 in ReportError /builds/worker/checkouts/gecko/js/src/vm/ErrorReporting.cpp:171:3
    #14 0x555555f91718 in js::ReportErrorNumberVA(JSContext*, js::IsWarning, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, js::ErrorArgumentsType, __va_list_tag*) /builds/worker/checkouts/gecko/js/src/vm/ErrorReporting.cpp:484:3
    #15 0x5555566a477a in JS_ReportErrorNumberASCIIVA /builds/worker/checkouts/gecko/js/src/jsapi.cpp:3550:3
    #16 0x5555566a477a in JS_ReportErrorNumberASCII(JSContext*, JSErrorFormatString const* (*)(void*, unsigned int), void*, unsigned int, ...) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:3540:3
    #17 0x55555596e51c in js::ReportOverRecursed(JSContext*) /builds/worker/checkouts/gecko/js/src/vm/JSContext.cpp:331:7
    #18 0x555556985037 in check /builds/worker/workspace/obj-spider/dist/include/js/friend/StackLimits.h:149:5
    #19 0x555556985037 in js::frontend::GeneralParser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::statementList(js::frontend::YieldHandling) /builds/worker/checkouts/gecko/js/src/frontend/Parser.cpp:4024:18
    #20 0x555556afd368 in js::frontend::Parser<js::frontend::FullParseHandler, mozilla::Utf8Unit>::globalBody(js::frontend::GlobalSharedContext*) /builds/worker/checkouts/gecko/js/src/frontend/Parser.cpp:1816:20
    #21 0x555556b94330 in ScriptCompiler<mozilla::Utf8Unit>::compile(JSContext*, js::frontend::SharedContext*) /builds/worker/checkouts/gecko/js/src/frontend/BytecodeCompiler.cpp:704:20
    #22 0x555556b9349e in bool CompileGlobalScriptToStencilAndMaybeInstantiate<mozilla::Utf8Unit>(JSContext*, js::frontend::CompilationInput&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind, mozilla::Variant<mozilla::UniquePtr<js::frontend::ExtensibleCompilationStencil, JS::DeletePolicy<js::frontend::ExtensibleCompilationStencil> >, RefPtr<js::frontend::CompilationStencil>, js::frontend::CompilationGCOutput*>&) /builds/worker/checkouts/gecko/js/src/frontend/BytecodeCompiler.cpp:279:17
    #23 0x555556b2559c in CompileGlobalScriptToStencilImpl<mozilla::Utf8Unit> /builds/worker/checkouts/gecko/js/src/frontend/BytecodeCompiler.cpp:326:8
    #24 0x555556b2559c in js::frontend::CompileGlobalScriptToStencil(JSContext*, js::frontend::CompilationInput&, JS::SourceText<mozilla::Utf8Unit>&, js::ScopeKind) /builds/worker/checkouts/gecko/js/src/frontend/BytecodeCompiler.cpp:342:10
    #25 0x555556335744 in JSRuntime::initSelfHostingStencil(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>, bool (*)(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>)) /builds/worker/checkouts/gecko/js/src/vm/SelfHosting.cpp:2832:7
    #26 0x555555fe126f in JS::InitSelfHostedCode(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>, bool (*)(JSContext*, mozilla::Span<unsigned char const, 18446744073709551615ul>)) /builds/worker/checkouts/gecko/js/src/vm/Initialization.cpp:232:12
    #27 0x555555a79ce7 in main /builds/worker/checkouts/gecko/js/src/shell/js.cpp:12628:8
    #28 0x7ffff79efd09 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x26d09) (BuildId: b72adf59ac0a673d1eeb261e662364507cfc8615)
    #29 0x5555559a1ed4 in _start (/builds/worker/workspace/obj-spider/dist/bin/js+0x44ded4) (BuildId: 84ee0c9d105f7902ef52c1653b38c41fe93efaa6)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:227:45 in JSString* js::AllocateStringImpl<(js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap)
==3512==ABORTING
Exit code: 1

This is reproducible with clang 14 by adding "detect_stack_use_after_return=1" to asan options (which is now enabled by default on linux in clang trunk).

Severity: -- → S3
Priority: -- → P3
Assignee: nobody → mh+mozilla
Status: NEW → ASSIGNED
Pushed by mh@glandium.org:
https://hg.mozilla.org/integration/autoland/rev/86ddb9dede42
Workaround ASan failures with clang-trunk. r=decoder
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 102 Branch
