Closed Bug 1896637 Opened 1 year ago Closed 1 year ago

AddressSanitizer: ILL on unknown address 0x7f790d3e74d0 [@ elf_update]

Categories

(Core :: Graphics: WebGPU, defect)

x86_64
Linux
defect

Tracking

VERIFIED FIXED
128 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox126 --- disabled
firefox127 --- disabled
firefox128 --- fixed

People

(Reporter: jkratzer, Assigned: ErichDonGubler)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(3 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev 8f49349eeb0e (built with: --enable-debug --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch --build 8f49349eeb0e --debug --fuzzing  -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

The testcase produces the following signatures:

==27890==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x77597f8a6170 (pc 0x77597f8a6170 bp 0x775a269dd2b8 sp 0x775a269dc9d8 T27992)
==27890==The signal is caused by a READ memory access.
==27890==Hint: PC is at a non-executable region. Maybe a wild jump?

And...

AddressSanitizer: ILL on unknown address 0x7f790d3e74d0 [@ elf_update]

    =================================================================
    ==145795==ERROR: AddressSanitizer: ILL on unknown address 0x7f790d3e74d0 (pc 0x7f790d3e74d0 bp 0x51b0002c5938 sp 0x7f78ed51d2c8 T48)
        #0 0x7f790d3e74d0 in elf_update (/lib/x86_64-linux-gnu/libelf.so.1+0x144d0) (BuildId: 0eaf2d056fb292c3da2d99fa16c13d0ec798f121)
    
    AddressSanitizer can not provide additional info.
    SUMMARY: AddressSanitizer: ILL (/lib/x86_64-linux-gnu/libelf.so.1+0x144d0) (BuildId: 0eaf2d056fb292c3da2d99fa16c13d0ec798f121) in elf_update
    Thread T48 created by T0 here:
        #0 0x55725076453d in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:237:3
        #1 0x7f793d990844 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f793d97e43e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f79147a5029 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:620:20
        #4 0x7f79147b60ce in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:602:22
        #5 0x7f79147c3c34 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /gecko/xpcom/threads/nsThreadUtils.cpp:176:57
        #6 0x7f7917ce4b56 in NS_NewNamedThread<15UL> /gecko/xpcom/threads/nsThreadUtils.h:76:10
        #7 0x7f7917ce4b56 in mozilla::gfx::CanvasRenderThread::Start() /gecko/gfx/ipc/CanvasRenderThread.cpp:110:17
        #8 0x7f7917a76392 in gfxPlatform::Init() /gecko/gfx/thebes/gfxPlatform.cpp:975:3
        #9 0x7f7917a7e3e6 in GetPlatform /gecko/gfx/thebes/gfxPlatform.cpp:460:5
        #10 0x7f7917a7e3e6 in gfxPlatform::InitializeCMS() /gecko/gfx/thebes/gfxPlatform.cpp:2127:9
        #11 0x7f791ff96b7a in EnsureCMSInitialized /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:972:7
        #12 0x7f791ff96b7a in GetCMSMode /builds/worker/workspace/obj-build/dist/include/gfxPlatform.h:519:5
        #13 0x7f791ff96b7a in nsXPLookAndFeel::GetUncachedColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1020:9
        #14 0x7f791ff9602e in nsXPLookAndFeel::GetColorValue(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins, unsigned int&) /gecko/widget/nsXPLookAndFeel.cpp:1000:17
        #15 0x7f791ff9c236 in mozilla::LookAndFeel::GetColor(mozilla::StyleSystemColor, mozilla::ColorScheme, mozilla::LookAndFeel::UseStandins) /gecko/widget/nsXPLookAndFeel.cpp:1393:47
        #16 0x7f791fec0b2e in Color /builds/worker/workspace/obj-build/dist/include/mozilla/LookAndFeel.h:418:12
        #17 0x7f791fec0b2e in GetAccentColor /gecko/widget/ThemeColors.cpp:91:7
        #18 0x7f791fec0b2e in mozilla::widget::ThemeColors::RecomputeAccentColors() /gecko/widget/ThemeColors.cpp:203:20
        #19 0x7f791fec060d in mozilla::widget::Theme::LookAndFeelChanged() /gecko/widget/Theme.cpp:183:3
        #20 0x7f791ff93bbf in nsXPLookAndFeel::GetInstance() /gecko/widget/nsXPLookAndFeel.cpp:398:3
        #21 0x7f791ff9cd75 in mozilla::LookAndFeel::GetThemeInfo(nsTSubstring<char>&) /gecko/widget/nsXPLookAndFeel.cpp:1511:3
        #22 0x7f79145b46a9 in nsSystemInfo::Init() /gecko/xpcom/base/nsSystemInfo.cpp:1481:5
        #23 0x7f791470e096 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11899:7
        #24 0x7f7914736859 in CreateInstance /gecko/xpcom/components/nsComponentManager.cpp:189:46
        #25 0x7f7914736859 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::detail::BaseMonitorAutoLock<mozilla::Monitor>>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:987:17
        #26 0x7f7914737db3 in nsComponentManagerImpl::GetService(mozilla::xpcom::ModuleID, nsID const&, void**) /gecko/xpcom/components/nsComponentManager.cpp:1077:10
        #27 0x7f791471e5fd in mozilla::xpcom::GetServiceHelper::operator()(nsID const&, void**) const /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:13169:50
        #28 0x7f7916867715 in assign_from_helper /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:901:7
        #29 0x7f7916867715 in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:537:5
        #30 0x7f7916867715 in GetServiceImpl /gecko/js/xpconnect/src/JSServices.cpp:84:32
        #31 0x7f7916867715 in GetService /gecko/js/xpconnect/src/JSServices.cpp:131:8
        #32 0x7f7916867715 in xpc::Services_Resolve(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, bool*) /gecko/js/xpconnect/src/JSServices.cpp:158:25
        #33 0x7f7925805b25 in CallResolveOp /gecko/js/src/vm/NativeObject-inl.h:681:8
        #34 0x7f7925805b25 in NativeLookupOwnPropertyInline<(js::AllowGC)1, (js::LookupResolveMode)1> /gecko/js/src/vm/NativeObject-inl.h:793:14
        #35 0x7f7925805b25 in NativeGetPropertyInline<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2302:10
        #36 0x7f7925805b25 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2350:10
        #37 0x7f79253e909f in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:117:10
        #38 0x7f79253e909f in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:124:10
        #39 0x7f79253e909f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4515:10
        #40 0x7f79253aa3b8 in GetPropertyOperation /gecko/js/src/vm/Interpreter.cpp:246:10
        #41 0x7f79253aa3b8 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2726:12
        #42 0x7f792539cbc9 in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:394:10
        #43 0x7f792539cbc9 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:452:13
        #44 0x7f792539e08a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:606:13
        #45 0x7f79253a01b6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:641:10
        #46 0x7f79253a01b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:673:8
        #47 0x7f79253a2036 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:795:10
        #48 0x7f79258065bf in CallGetter /gecko/js/src/vm/NativeObject.cpp:2143:12
        #49 0x7f79258065bf in GetExistingProperty<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2171:12
        #50 0x7f79258065bf in NativeGetPropertyInline<(js::AllowGC)1> /gecko/js/src/vm/NativeObject.cpp:2319:14
        #51 0x7f79258065bf in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/NativeObject.cpp:2350:10
        #52 0x7f79253e909f in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:117:10
        #53 0x7f79253e909f in GetProperty /gecko/js/src/vm/ObjectOperations-inl.h:124:10
        #54 0x7f79253e909f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/Interpreter.cpp:4515:10
        #55 0x7f79253aa3b8 in GetPropertyOperation /gecko/js/src/vm/Interpreter.cpp:246:10
        #56 0x7f79253aa3b8 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2726:12
        #57 0x7f792539cbc9 in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:394:10
        #58 0x7f792539cbc9 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:452:13
        #59 0x7f792539e08a in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:606:13
        #60 0x7f79253a01b6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:641:10
        #61 0x7f79253a01b6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:673:8
        #62 0x7f79255647a2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:55:10
        #63 0x7f79168ac1cf in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #64 0x7f791480532a in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #65 0x7f79148040ca in SharedStub xptcstubs_x86_64_linux.cpp
        #66 0x7f791472f35f in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /gecko/xpcom/components/nsCategoryManager.cpp:680:19
        #67 0x7f7924f582c7 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:830:11
        #68 0x7f7924f33b95 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:5491:18
        #69 0x7f7924f3686d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5953:8
        #70 0x7f7924f37ac1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:6010:21
        #71 0x5572507be3d2 in do_main /gecko/browser/app/nsBrowserApp.cpp:230:22
        #72 0x5572507be3d2 in main /gecko/browser/app/nsBrowserApp.cpp:448:16
        #73 0x7f793dda8d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    ==145795==ABORTING
Attached file Testcase (obsolete)
Group: core-security → gfx-core-security

Not a ton of information here, but the crash looks scary so I'll mark it sec-high for now.

Keywords: pernosco-wanted
Attached file testcase.zip
Attachment #9401643 - Attachment is obsolete: true

Verified bug as reproducible on mozilla-central 20240514095049-d1f40cf63952.
The bug appears to have been introduced in the following build range:

Start: e79423791be9d0d63898d13dbeefe78b548b47ca (20240304151738)
End: 6c8dfd2a5bcafec953d7303c1fc35ec76d05f6ac (20240304163141)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=e79423791be9d0d63898d13dbeefe78b548b47ca&tochange=6c8dfd2a5bcafec953d7303c1fc35ec76d05f6ac

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]

Bug 1877488 looks like the obvious WebGPU change in that range, so I'm marking a regressor.

Regressed by: 1877488

A pernosco session for this bug can be found here.

Set release status flags based on info from the regressing bug 1877488

:ErichDonGubler, since you are the author of the regressor, bug 1877488, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(egubler)
Assignee: nobody → egubler
Status: NEW → ASSIGNED
Attached file wgpu-only test case

This is a test case that, when added to tests/tests/pipeline.rs, reproduces the crash without Firefox.

Confirmed with GDB that it is indeed the same stack.

wgpu#5715 has been filed upstream to fix this issue.

Filed bug 1897554 to smuggle this fix in, with a patch stack that's ready for review.

CC'ing :nika for awareness as a reviewer on bug 1897554.

Patches for bug 1897554 have landed in autoland, awaiting arrival in mozilla-central.

Patches for bug 1897554 have landed in central, and I now see the expected validation error message in Nightly. 🙌🏻 This should be resolved now!

Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED

Verified bug as fixed on rev mozilla-central 20240522091937-3eacabfd2f53.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon
Group: gfx-core-security → core-security-release
Depends on: 1897554
Target Milestone: --- → 128 Branch
Group: core-security-release