call to function icu_73::initData(UErrorCode&) through pointer to incorrect function type 'void (*)(UErrorCode &)' (XUL:arm64+0x75f6228)
Categories: Firefox Build System :: Toolchains, defect, P3
Tracking: firefox123 wontfix, firefox124 wontfix, firefox125 wontfix, firefox126 wontfix, firefox127 fixed
People: Reporter: catherine, Assigned: truber
References: Blocks 1 open bug
Details: Whiteboard: [fuzzblocker]
Attachments: 1 file, 1 obsolete file
Comment 1 • 1 year ago (Reporter)
This is triggered with a UBSan build. To enable this check, add the following to your mozconfig:
ac_add_options --enable-address-sanitizer
ac_add_options --enable-undefined-sanitizer="function"
ac_add_options --disable-jemalloc
This issue can be triggered by running gtests.
mozilla-unified/intl/icu/source/common/umutex.h:171:9: runtime error: call to function icu_73::initData(UErrorCode&) through pointer to incorrect function type 'void (*)(UErrorCode &)'
(XUL:arm64+0x75f6228): note: icu_73::initData(UErrorCode&) defined here
#0 0x287479f84 in icu_73::umtx_initOnce(icu_73::UInitOnce&, void (*)(UErrorCode&), UErrorCode&)+0x160 (XUL:arm64+0x7479f84)
#1 0x2875f6210 in u_init_73+0x24 (XUL:arm64+0x75f6210)
#2 0x286c07940 in mozilla::intl::ICU4CLibrary::Initialize()+0x198 (XUL:arm64+0x6c07940)
#3 0x2a47ccbe8 in JS::detail::InitWithFailureDiagnostic(bool, JS::detail::FrontendOnly)+0x430 (XUL:arm64+0x247ccbe8)
#4 0x2867c10f8 in JS_InitWithFailureDiagnostic()+0x10 (XUL:arm64+0x67c10f8)
#5 0x2867a3664 in InitializeJS()+0x1c (XUL:arm64+0x67a3664)
#6 0x2867a27e4 in NS_InitXPCOM+0xfd4 (XUL:arm64+0x67a27e4)
#7 0x2a3cbd644 in (anonymous namespace)::ScopedXPCOM::ScopedXPCOM(char const*, nsIDirectoryServiceProvider*)+0x170 (XUL:arm64+0x23cbd644)
#8 0x2a3cbd4c0 in (anonymous namespace)::ScopedXPCOM::ScopedXPCOM(char const*, nsIDirectoryServiceProvider*)+0x28 (XUL:arm64+0x23cbd4c0)
#9 0x2a3cbd1fc in mozilla::_InitFuzzer::InitXPCOM()+0x48 (XUL:arm64+0x23cbd1fc)
#10 0x2a3cbcd58 in mozilla::FuzzerRunner::Run(int*, char***)+0x164 (XUL:arm64+0x23cbcd58)
#11 0x2a3b174c4 in XREMain::XRE_mainStartup(bool*)+0x508 (XUL:arm64+0x23b174c4)
#12 0x2a3b28218 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)+0x1418 (XUL:arm64+0x23b28218)
#13 0x2a3b28cc4 in XRE_main(int, char**, mozilla::BootstrapConfig const&)+0x184 (XUL:arm64+0x23b28cc4)
#14 0x2a3b5d1fc in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&)+0x28 (XUL:arm64+0x23b5d1fc)
#15 0x102852d34 in do_main(int, char**, char**)+0xef0 (firefox:arm64+0x100002d34)
#16 0x102850fb4 in main+0x498 (firefox:arm64+0x100000fb4)
#17 0x1863810dc (<unknown module>)
#18 0x2e42fffffffffffc (<unknown module>)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior
Comment 2 • 1 year ago
It looks like the stacks need to be symbolicated to get the line numbers.
Comment 3 • 1 year ago (Assignee)
Yes, bug 1470535 prevents source:line info. I ran dsymutil on firefox and XUL to get symbols:
/Users/truber/src/m/u/intl/icu/source/common/umutex.h:171:9: runtime error: call to function icu_73::initData(UErrorCode&) through pointer to incorrect function type 'void (*)(UErrorCode &)'
uinit.cpp:38: note: icu_73::initData(UErrorCode&) defined here
#0 0x2f613e6e4 in icu_73::umtx_initOnce(icu_73::UInitOnce&, void (*)(UErrorCode&), UErrorCode&) umutex.h:171
#1 0x2f62ba970 in u_init_73 uinit.cpp:72
#2 0x2f58c3890 in mozilla::intl::ICU4CLibrary::Initialize() ICU4CLibrary.cpp:23
#3 0x3134c2ee4 in JS::detail::InitWithFailureDiagnostic(bool, JS::detail::FrontendOnly) Initialization.cpp:190
#4 0x2f547d0e0 in JS_InitWithFailureDiagnostic() Initialization.h:85
#5 0x2f545f64c in InitializeJS() XPCOMInit.cpp:235
#6 0x2f545e7cc in NS_InitXPCOM XPCOMInit.cpp:434
#7 0x3129b397c in (anonymous namespace)::ScopedXPCOM::ScopedXPCOM(char const*, nsIDirectoryServiceProvider*) FuzzerTestHarness.h:70
#8 0x3129b37f8 in (anonymous namespace)::ScopedXPCOM::ScopedXPCOM(char const*, nsIDirectoryServiceProvider*) FuzzerTestHarness.h:66
#9 0x3129b3534 in mozilla::_InitFuzzer::InitXPCOM() FuzzerRunner.cpp:23
#10 0x3129b3090 in mozilla::FuzzerRunner::Run(int*, char***) FuzzerRunner.cpp:45
#11 0x31280e190 in XREMain::XRE_mainStartup(bool*) nsAppRunner.cpp:4684
#12 0x31281eee0 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:5940
#13 0x31281f98c in XRE_main(int, char**, mozilla::BootstrapConfig const&) nsAppRunner.cpp:6009
#14 0x312853ec4 in mozilla::BootstrapImpl::XRE_main(int, char**, mozilla::BootstrapConfig const&) Bootstrap.cpp:45
#15 0x102422d3c in do_main(int, char**, char**) nsBrowserApp.cpp:227
#16 0x102420fbc in main nsBrowserApp.cpp:445
#17 0x1ac75fe4c (<unknown module>)
#18 0x3d177ffffffffffc (<unknown module>)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /Users/truber/src/m/u/intl/icu/source/common/umutex.h:171:9 in
I don't see what the issue is; it looks the same as the pointer type given: uinit.cpp:37
Comment 4 • 1 year ago
The severity field is not set for this bug.
:m_kato, could you have a look please?
For more information, please visit BugBot documentation.
Comment 5 • 11 months ago (Assignee)
I made a try build adding suppression for umtx_initOnce (which covers both this and bug 1884255) and I get the same error in another place:
/builds/worker/checkouts/gecko/xpcom/ds/Tokenizer.cpp:155:8: runtime error: call to function bool mozilla::IsAsciiAlpha<char>(char) through pointer to incorrect function type 'bool (*)(char)'
(/Users/truber/builds/m-c-try-07ad771d3e-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:arm64+0xde2f6c): note: bool mozilla::IsAsciiAlpha<char>(char) defined here
#0 0x12cc54e74 in mozilla::TTokenizer<char>::CheckChar(bool (*)(char)) (in XUL) + 384
#1 0x12d07dce4 in net_ExtractURLScheme(nsTSubstring<char> const&, nsTSubstring<char>&) (in XUL) + 684
#2 0x12d2382a0 in mozilla::net::nsSimpleURI::SetSpecInternal(nsTSubstring<char> const&, bool) (in XUL) + 368
#3 0x12d29d328 in mozilla::net::nsSimpleURI::Mutator::SetSpec(nsTSubstring<char> const&, nsIURIMutator**) (in XUL) + 284
#4 0x12ed72574 in mozilla::NullPrincipal::CreateURI(nsIPrincipal*, nsID const*) (in XUL) + 856
#5 0x12ed72f8c in mozilla::NullPrincipal::Create(mozilla::OriginAttributes const&, nsIURI*) (in XUL) + 196
#6 0x12ed73494 in mozilla::NullPrincipal::CreateWithoutOriginAttributes() (in XUL) + 212
#7 0x1302f8124 in nsContentUtils::Init() (in XUL) + 516
#8 0x138704dc4 in nsLayoutStatics::Initialize() (in XUL) + 40
#9 0x138704b5c in nsLayoutModuleInitialize() (in XUL) + 56
#10 0x12cd66fe8 in nsComponentManagerImpl::Init() (in XUL) + 2580
#11 0x12ce52f28 in NS_InitXPCOM (in XUL) + 3904
#12 0x13af4ba84 in ScopedXPCOMStartup::Initialize(bool) (in XUL) + 104
#13 0x13af603cc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) (in XUL) + 3176
#14 0x13af61558 in XRE_main(int, char**, mozilla::BootstrapConfig const&) (in XUL) + 360
#15 0x1000ed3b4 in main (in firefox) + 2076
#16 0x1ac75fe4c (<unknown module>)
#17 0xa06afffffffffffc (<unknown module>)
I get the same error as bug 1884255 when launching the latest m-c fuzzing asan build on x86_64 Mac, so there's something wrong with the function check on macOS. Both cases look like a false positive to me.
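The two call shapes the sanitizer complained about in comment 1/3 (ICU's umtx_initOnce taking a void (*)(UErrorCode&)) and in comment 5 (the tokenizer's CheckChar taking a bool (*)(char), passed the instantiation IsAsciiAlpha<char>) are reconstructed below as an added example; this is not ICU or Mozilla code, and UErrorCode, UInitOnce, umtx_initOnce, initData, Tokenizer and IsAsciiAlpha are hypothetical stand-ins with the same signatures as the symbols in the stacks. In both cases the pointer type at the call site is identical to the callee's type, which is the condition -fsanitize=function verifies: clang records each function's type signature in prologue data ahead of the function and checks it before every indirect call, aborting with the "incorrect function type" message on a mismatch. A correct toolchain therefore reports nothing for this program, which is why the reports on the affected macOS builds are false positives.

```cpp
// Added example (not ICU/Mozilla code): the two indirect-call patterns from
// this bug, written with exactly matching function-pointer types.
// Build with the check enabled (assumed command line):
//   clang++ -std=c++17 -fsanitize=function ubsan_function_example.cpp
#include <cstddef>
#include <iostream>
#include <mutex>
#include <string>
#include <utility>

// Hypothetical stand-ins for ICU's UErrorCode, UInitOnce and umtx_initOnce.
enum UErrorCode : int { U_ZERO_ERROR = 0, U_MEMORY_ALLOCATION_ERROR = 7 };

struct UInitOnce {
    std::once_flag flag;
    UErrorCode status = U_ZERO_ERROR;
};

// Same shape as umtx_initOnce(UInitOnce&, void (*)(UErrorCode&), UErrorCode&).
// The call fn(once.status) is the indirect call that -fsanitize=function
// instruments; fn's static type is void (*)(UErrorCode&).
void umtx_initOnce(UInitOnce& once, void (*fn)(UErrorCode&), UErrorCode& errCode) {
    std::call_once(once.flag, [&] { fn(once.status); });
    if (once.status != U_ZERO_ERROR) errCode = once.status;
}

static int gInitCount = 0;
static UInitOnce gOnce;

// Stand-in for icu::initData: its type, void(UErrorCode&), matches the
// parameter type of umtx_initOnce exactly.
static void initData(UErrorCode& status) {
    ++gInitCount;
    status = U_ZERO_ERROR;
}

// Calls umtx_initOnce n times and returns how many times initData really ran
// (always 1 for n >= 1, since the initializer is run once).
int runInitOnce(int n) {
    UErrorCode ec = U_ZERO_ERROR;
    for (int i = 0; i < n; ++i) umtx_initOnce(gOnce, initData, ec);
    return gInitCount;
}

// Hypothetical stand-in for mozilla::IsAsciiAlpha<Char>. The instantiation
// IsAsciiAlpha<char> has type bool(char).
template <typename Char>
bool IsAsciiAlpha(Char c) {
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');
}

// Hypothetical stand-in for mozilla::TTokenizer<char>.
class Tokenizer {
public:
    explicit Tokenizer(std::string input) : mInput(std::move(input)) {}

    // Consumes one character if classifier(c) returns true. The parameter type
    // bool (*)(char) is identical to the type of IsAsciiAlpha<char>.
    bool CheckChar(bool (*classifier)(char)) {
        if (mPos >= mInput.size() || !classifier(mInput[mPos])) return false;
        ++mPos;
        return true;
    }

    std::size_t Position() const { return mPos; }

private:
    std::string mInput;
    std::size_t mPos = 0;
};

// Mirrors the first step of net_ExtractURLScheme: a scheme starts with ASCII
// letters. Returns how many leading ASCII letters were consumed.
std::size_t countLeadingAlpha(const std::string& s) {
    Tokenizer t(s);
    while (t.CheckChar(IsAsciiAlpha<char>)) {
    }
    return t.Position();
}

int main() {
    std::cout << "initData ran " << runInitOnce(3) << " time(s)\n";
    std::cout << "leading letters in \"https://example\": "
              << countLeadingAlpha("https://example") << "\n";
    return 0;
}
```

With -fsanitize=function enabled on a correct toolchain the program runs silently; deliberately passing a pointer of another type (for example casting a bool(int) function to bool (*)(char)) is what the check is designed to report.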
Comment 7 • 11 months ago
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:glandium, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Comment 8 • 10 months ago
Please note that the same crash happens when trying to run the ASAN builds as generated in CI:
https://treeherder.mozilla.org/jobs?repo=mozilla-central&searchStr=asan%20mac
Comment 9 • 10 months ago (Assignee)
Comment 10 • 10 months ago
It's actually fixed in clang trunk. I'm testing a backport of the fix.
Comment 11 • 10 months ago
Comment 12 • 10 months ago
Comment 13 • 10 months ago (bugherder)
Comment 14 • 10 months ago
Since nightly and release are affected, beta will likely be affected too.
For more information, please visit BugBot documentation.
Comment 15 • 10 months ago
The patch landed in nightly and beta is affected.
:truber, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox126 to wontfix.
For more information, please visit BugBot documentation.
Comment 16 • 10 months ago
S3 bug in the build component, setting all older versions as wontfix.
Keeping the NI open if there's any disagreement.