Closed Bug 787715 Opened 8 years ago Closed 7 years ago

ASAN: Crashtest content/xul/templates/src/crashtests/329335-1.xul triggers error

(Core :: XUL, defect, critical)

(Reporter: decoder, Unassigned)

(Blocks 1 open bug)

(Keywords: sec-moderate, testcase, Whiteboard: [asan][asan-test-failure])

(1 file)

This crashtest in content/xul/templates/src/crashtests/329335-1.xul fails with AddressSanitizer on mozilla-central revision c64a9f342156. This failure only reproduces on optimized builds with --disable-debug. Here is the ASan error trace:

REFTEST TEST-START | file:///srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/templates/src/crashtests/329335-1.xul | 405 / 2109 (19%)
==64384== ERROR: AddressSanitizer heap-use-after-free on address 0x2afcfe6474d8 at pc 0x2afcd3f87f7b bp 0x7fff516c5060 sp 0x7fff516c5058
READ of size 8 at 0x2afcfe6474d8 thread T0
    #0 0x2afcd3f87f7b in PL_DHashTableOperate /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64opt/xpcom/build/pldhash.cpp:631
    #1 0x2afcd2e804d4 in nsXULTemplateQueryProcessorRDF::OnAssert(nsIRDFDataSource*, nsIRDFResource*, nsIRDFResource*, nsIRDFNode*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/templates/src/nsXULTemplateQueryProcessorRDF.cpp:772
    #2 0x2afcd378ab04 in InMemoryDataSource::Assert(nsIRDFResource*, nsIRDFResource*, nsIRDFNode*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/rdf/base/src/nsInMemoryDataSource.cpp:1351
0x2afcfe6474d8 is located 88 bytes inside of 272-byte region [0x2afcfe647480,0x2afcfe647590)
freed by thread T0 here:
    #0 0x424931 in __interceptor_free ??:0
    #1 0x2afcd2e77994 in nsCycleCollectingAutoRefCnt::stabilizeForDeletion() /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../../../dist/include/mozilla/mozalloc.h:224
    #2 0x2afcd2e643e8 in nsCOMPtr<nsIXULTemplateResult>::operator=(nsIXULTemplateResult*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../../../dist/include/nsCOMPtr.h:622
previously allocated by thread T0 here:
    #0 0x4249f1 in __interceptor_malloc ??:0
    #1 0x2afcd0b842c8 in moz_xmalloc /srv/repos/browser/mozilla-central-decoder/mozilla-central/memory/mozalloc/mozalloc.cpp:57
    #2 0x2afcd2e66dab in nsXULTemplateBuilder::Init(nsIContent*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/templates/src/nsXULTemplateBuilder.cpp:438
    #3 0x2afcd26c862f in nsXULDocument::CreateTemplateBuilder(nsIContent*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/document/src/nsXULDocument.cpp:3815
    #4 0x2afcd26d6d30 in nsXULDocument::TemplateBuilderHookup::Resolve() /srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/document/src/nsXULDocument.cpp:4165
    #5 0x2afcd26c4fcd in nsXULDocument::ResolveForwardReferences() /srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/document/src/nsXULDocument.cpp:1195
==64384== ABORTING
Stats: 17517M malloced (1970M for red zones) by 3767939 calls
Stats: 113M realloced by 330009 calls
Stats: 17465M freed by 3454689 calls
Stats: 17330M really freed by 3274693 calls
Stats: 1316M (337061 full pages) mmaped in 234 calls
  mmaps   by size class: 8:507873; 9:90101; 10:28665; 11:40940; 12:5120; 13:6656; 14:3072; 15:384; 16:640; 17:448; 18:416; 19:520; 20:16; 21:22; 22:1; 32:1;
  mallocs by size class: 8:2554842; 9:606630; 10:164576; 11:319566; 12:32068; 13:38069; 14:11277; 15:2008; 16:4189; 17:1651; 18:1747; 19:31175; 20:37; 21:102; 22:1; 32:1;
  frees   by size class: 8:2278548; 9:581201; 10:159030; 11:316045; 12:30941; 13:37763; 14:10508; 15:1963; 16:4058; 17:1637; 18:1686; 19:31171; 20:34; 21:102; 22:1; 32:1;
  rfrees  by size class: 8:2161543; 9:552341; 10:150008; 11:296051; 12:28980; 13:35909; 14:9978; 15:1832; 16:3798; 17:1526; 18:1445; 19:31166; 20:32; 21:82; 22:1; 32:1;
Stats: malloc large: 34714 small slow: 21124
Shadow byte and word:
  0x155f9fcc8e9b: fd
  0x155f9fcc8e98: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x155f9fcc8e78: fa fa fa fa fa fa fa fa
  0x155f9fcc8e80: fa fa fa fa fa fa fa fa
  0x155f9fcc8e88: fa fa fa fa fa fa fa fa
  0x155f9fcc8e90: fd fd fd fd fd fd fd fd
=>0x155f9fcc8e98: fd fd fd fd fd fd fd fd
  0x155f9fcc8ea0: fd fd fd fd fd fd fd fd
  0x155f9fcc8ea8: fd fd fd fd fd fd fd fd
  0x155f9fcc8eb0: fd fd fd fd fd fd fd fd
  0x155f9fcc8eb8: fd fd fd fd fd fd fd fd
TEST-UNEXPECTED-FAIL | file:///srv/repos/browser/mozilla-central-decoder/mozilla-central/content/xul/templates/src/crashtests/329335-1.xul | Exited with code 1 during test run

Marking s-s until this has been triaged.
Blocks: 438871
No longer blocks: 438871
Whiteboard: [asan][asan-test-failure][orange] → [asan][asan-test-failure]
Crashtest content/xul/content/crashtests/252448-1.xul also hits this sometimes.
The valgrind errors (invalid reads and writes involving hash tables) running content/xul/templates/src/crashtests/330010-1.xul on OSX may be related to this.
Marking this moderate since XUL can't be used directly from content (as far as I know). Feel free to correct this if it's wrong.
Keywords: sec-moderate
Blocks: 797900
Blocks: asan-tests
Blocks: 874527
I took a look at this and couldn't figure it out. Looking at the stacks, the obvious cause of this bug would be that somebody isn't holding a strong reference to a template builder when they should be, but looking through all of the relevant code, I can't find a case for it. Even scarier is that this only hits sometimes, so this might actually be a case where code somewhere incorrectly releases an object.
Neil, could you look at this?
Flags: needinfo?(enndeakin)
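The ownership pattern the previous comment suspects (an observer registered by raw pointer, then freed when its only strong holder is reassigned, while the data source still notifies it) can be reproduced outside the tree. The following is an added example, not code from this bug or from mozilla-central; RefPtr, DataSource and QueryProcessor are simplified stand-ins for nsCOMPtr, nsIRDFDataSource and nsXULTemplateQueryProcessorRDF, and the live-address set is a constructed substitute for what ASan's shadow memory checks for real. Build with -fsanitize=address and call ds.Assert() after the unsafe drop to get the same heap-use-after-free report shape as above.

```cpp
#include <algorithm>
#include <set>
#include <vector>

// Intrusive refcount standing in for nsISupports (simplified; not Mozilla's code).
struct RefCounted {
  int mRefCnt = 0;
  virtual ~RefCounted() {}
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
};

// Owning smart pointer standing in for nsCOMPtr. Assigning a new value releases the
// old one, which is the nsCOMPtr::operator= frame in the "freed by" stack of the report.
template <class T>
class RefPtr {
  T* mPtr = nullptr;
 public:
  RefPtr() {}
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) {
    if (p) p->AddRef();
    T* old = mPtr;
    mPtr = p;
    if (old) old->Release();
    return *this;
  }
  RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
  T* get() const { return mPtr; }
};

// Addresses of observers that are currently alive (constructed for this example). It lets
// the code detect a stale list entry by comparing addresses only, never dereferencing.
static std::set<const void*> gLiveObservers;

struct Observer : RefCounted {
  virtual void OnAssert() = 0;
};

// A data source that keeps a weak (raw) observer list, as an RDF data source does.
struct DataSource {
  std::vector<Observer*> mObservers;
  void AddObserver(Observer* o) { mObservers.push_back(o); }
  void RemoveObserver(Observer* o) {
    mObservers.erase(std::remove(mObservers.begin(), mObservers.end(), o), mObservers.end());
  }
  // Registered observers whose object has already been destroyed.
  int CountDangling() const {
    int n = 0;
    for (Observer* o : mObservers) if (!gLiveObservers.count(o)) ++n;
    return n;
  }
  // Assert() notifies every observer; reaching a dangling entry here is the reported UAF.
  int Assert() {
    int notified = 0;
    for (Observer* o : mObservers) { o->OnAssert(); ++notified; }
    return notified;
  }
};

// Stand-in for the query processor: registers itself as an observer on construction.
struct QueryProcessor : Observer {
  DataSource* mDS;
  bool mUnregisterInDtor;
  QueryProcessor(DataSource* ds, bool unregisterInDtor)
      : mDS(ds), mUnregisterInDtor(unregisterInDtor) {
    gLiveObservers.insert(this);
    mDS->AddObserver(this);
  }
  ~QueryProcessor() override {
    gLiveObservers.erase(this);
    if (mUnregisterInDtor) mDS->RemoveObserver(this);  // the fix: leave no weak pointer behind
  }
  void OnAssert() override {}
};

// Drops the only strong reference, then reports how many stale entries the list still holds.
int DanglingAfterOwnerDrop(bool unregisterInDtor) {
  DataSource ds;
  RefPtr<QueryProcessor> owner = new QueryProcessor(&ds, unregisterInDtor);
  owner = nullptr;  // refcount hits zero: object freed while ds still points at it
  return ds.CountDangling();
}

// With the fix applied, a later Assert() reaches no observer at all instead of freed memory.
int NotificationsAfterSafeDrop() {
  DataSource ds;
  RefPtr<QueryProcessor> owner = new QueryProcessor(&ds, true);
  owner = nullptr;
  return ds.Assert();
}
```

DanglingAfterOwnerDrop(false) leaves one stale entry, which is exactly what PL_DHashTableOperate walks into in the trace; DanglingAfterOwnerDrop(true) leaves none. The alternative fix, having the data source hold strong references to its observers, trades the UAF for a possible reference cycle between builder and data source, which is why the unregister-in-destructor form is shown here.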
I haven't seen this on trunk anymore for quite a while now. Closing as WFM and I will reopen if this ever pops up again.
Closed: 7 years ago
Flags: needinfo?(enndeakin)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release