Closed Bug 899802 Opened 7 years ago Closed Last year

Heap-use-after-free in Mesa swrast_dri.so, in test_webgl_conformance_test_suite.html

Categories

(Core :: Canvas: WebGL, defect)

x86_64
All
defect
Not set

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox-esr17 --- fixed

People

(Reporter: karlt, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, intermittent-failure, Whiteboard: [asan][adv-main18+][adv-esr17+][asan-test-failure] webgl-driver)

+++ This bug was initially created as a clone of Bug #791905 +++

Cloning to keep tracking this as it is affecting mochitest-1 on Ubuntu VM 12.04, enabled through webgl.force-enabled.

Explicitly detected through ASAN at https://tbpl.mozilla.org/php/getParsedLog.php?id=25905735&full=1&branch=try#error0

04:37:02     INFO -  67670 INFO TEST-INFO | /tests/content/canvas/test/webgl/test_webgl_conformance_test_suite.html | [conformance/limits/gl-min-textures.html] (WebGL mochitest) Starting test page
04:37:02     INFO -  =================================================================
04:37:02     INFO -  ==2387==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000322540 at pc 0x41ec11 bp 0x7fff40c34810 sp 0x7fff40c33fd8
04:37:02     INFO -  READ of size 16 at 0x607000322540 thread T0
04:37:02     INFO -      #0 0x41ec10 (/builds/slave/test/build/application/firefox/firefox+0x41ec10)
04:37:02     INFO -      #1 0x7fe0bdd9d8e1 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x738e1)
04:37:02     INFO -      #2 0x7fe0bdd9dcd1 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x73cd1)
04:37:02     INFO -      #3 0x7fe0bdd9e317 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x74317)
04:37:02     INFO -      #4 0x7fe0bdd9e88a (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x7488a)
04:37:02     INFO -      #5 0x7fe0bdd97e29 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x6de29)
04:37:02     INFO -      #6 0x7fe0bd4358ba (/usr/lib/x86_64-linux-gnu/dri/libgallium.so+0x1218ba)
04:37:02     INFO -      #7 0x7fe0bdd5b6e3 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x316e3)
04:37:02     INFO -      #8 0x7fe0bdd586b4 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x2e6b4)
04:37:02     INFO -      #9 0x7fe0bfacb08c (/usr/lib/x86_64-linux-gnu/mesa/libGL.so.1.2+0x1f08c)
04:37:02     INFO -      #10 0x7fe0fb22524e (/builds/slave/test/build/application/firefox/libxul.so+0x546d24e)
04:37:02     INFO -      #11 0x7fe0fb2232ac (/builds/slave/test/build/application/firefox/libxul.so+0x546b2ac)
04:37:02     INFO -      #12 0x7fe0fb223e2a (/builds/slave/test/build/application/firefox/libxul.so+0x546be2a)
04:37:02     INFO -      #13 0x7fe0fb22352c (/builds/slave/test/build/application/firefox/libxul.so+0x546b52c)
04:37:02     INFO -      #14 0x7fe0f9366f6e (/builds/slave/test/build/application/firefox/libxul.so+0x35aef6e)
04:37:02     INFO -      #15 0x7fe0f94ef5b5 (/builds/slave/test/build/application/firefox/libxul.so+0x37375b5)
04:37:02     INFO -      #16 0x7fe0f94f4f72 (/builds/slave/test/build/application/firefox/libxul.so+0x373cf72)
04:37:02     INFO -      #17 0x7fe0f76e6527 (/builds/slave/test/build/application/firefox/libxul.so+0x192e527)
04:37:02     INFO -      #18 0x7fe0f76e421b (/builds/slave/test/build/application/firefox/libxul.so+0x192c21b)
04:37:02     INFO -      #19 0x7fe0fc456b43 (/builds/slave/test/build/application/firefox/libxul.so+0x669eb43)
04:37:02     INFO -      #20 0x7fe0fc447c04 (/builds/slave/test/build/application/firefox/libxul.so+0x668fc04)
04:37:02     INFO -      #21 0x7fe0fc437e47 (/builds/slave/test/build/application/firefox/libxul.so+0x667fe47)
04:37:02     INFO -      #22 0x7fe0fc458b31 (/builds/slave/test/build/application/firefox/libxul.so+0x66a0b31)
04:37:02     INFO -      #23 0x7fe0fc458e54 (/builds/slave/test/build/application/firefox/libxul.so+0x66a0e54)
04:37:02     INFO -      #24 0x7fe0fc61173b (/builds/slave/test/build/application/firefox/libxul.so+0x685973b)
04:37:02     INFO -      #25 0x7fe0f9cd0461 (/builds/slave/test/build/application/firefox/libxul.so+0x3f18461)
04:37:02     INFO -      #26 0x7fe0f92c940e (/builds/slave/test/build/application/firefox/libxul.so+0x351140e)
04:37:02     INFO -      #27 0x7fe0f92c8187 (/builds/slave/test/build/application/firefox/libxul.so+0x3510187)
04:37:02     INFO -      #28 0x7fe0f92c6896 (/builds/slave/test/build/application/firefox/libxul.so+0x350e896)
04:37:02     INFO -      #29 0x7fe0f92c051f (/builds/slave/test/build/application/firefox/libxul.so+0x350851f)
04:37:02     INFO -      #30 0x7fe0fa15e6aa (/builds/slave/test/build/application/firefox/libxul.so+0x43a66aa)
04:37:02     INFO -      #31 0x7fe0fa15c1b8 (/builds/slave/test/build/application/firefox/libxul.so+0x43a41b8)
04:37:02     INFO -      #32 0x7fe0fa16221c (/builds/slave/test/build/application/firefox/libxul.so+0x43aa21c)
04:37:02     INFO -      #33 0x7fe0f805aabd (/builds/slave/test/build/application/firefox/libxul.so+0x22a2abd)
04:37:02     INFO -      #34 0x7fe0f7f93306 (/builds/slave/test/build/application/firefox/libxul.so+0x21db306)
04:37:02     INFO -      #35 0x7fe0f7086cac (/builds/slave/test/build/application/firefox/libxul.so+0x12cecac)
04:37:02     INFO -      #36 0x7fe0f8109285 (/builds/slave/test/build/application/firefox/libxul.so+0x2351285)
04:37:02     INFO -      #37 0x7fe0fafad8fc (/builds/slave/test/build/application/firefox/libxul.so+0x51f58fc)
04:37:02     INFO -      #38 0x7fe0faa5a19a (/builds/slave/test/build/application/firefox/libxul.so+0x4ca219a)
04:37:02     INFO -      #39 0x7fe0f6d669ea (/builds/slave/test/build/application/firefox/libxul.so+0xfae9ea)
04:37:02     INFO -      #40 0x7fe0f6d6788f (/builds/slave/test/build/application/firefox/libxul.so+0xfaf88f)
04:37:02     INFO -      #41 0x7fe0f6d68765 (/builds/slave/test/build/application/firefox/libxul.so+0xfb0765)
04:37:02     INFO -      #42 0x43110e (/builds/slave/test/build/application/firefox/firefox+0x43110e)
04:37:02     INFO -      #43 0x7fe102c7976c (/lib/x86_64-linux-gnu/libc-2.15.so+0x2176c)
04:37:02     INFO -      #44 0x43037c (/builds/slave/test/build/application/firefox/firefox+0x43037c)
04:37:02     INFO -  0x607000322540 is located 0 bytes inside of 64-byte region [0x607000322540,0x607000322580)
04:37:02     INFO -  freed by thread T0 here:
04:37:02     INFO -      #0 0x422204 (/builds/slave/test/build/application/firefox/firefox+0x422204)
04:37:02     INFO -      #1 0x7fe0bda1e749 (/usr/lib/x86_64-linux-gnu/dri/libdricore.so+0x156749)
04:37:02     INFO -  previously allocated by thread T0 here:
04:37:02     INFO -      #0 0x42257c (/builds/slave/test/build/application/firefox/firefox+0x42257c)
04:37:02     INFO -      #1 0x7fe0bd953380 (/usr/lib/x86_64-linux-gnu/dri/libdricore.so+0x8b380)
04:37:02     INFO -  Shadow bytes around the buggy address:
04:37:02     INFO -    0x0c0e8005c450: fa fa fa fa fd fd fd fd fd fd fd fd fd fa fa fa
04:37:02     INFO -    0x0c0e8005c460: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
04:37:02     INFO -    0x0c0e8005c470: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fd fd
04:37:02     INFO -    0x0c0e8005c480: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
04:37:02     INFO -    0x0c0e8005c490: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
04:37:02     INFO -  =>0x0c0e8005c4a0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
04:37:02     INFO -    0x0c0e8005c4b0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fa fa
04:37:02     INFO -    0x0c0e8005c4c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
04:37:02     INFO -    0x0c0e8005c4d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
04:37:02     INFO -    0x0c0e8005c4e0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
04:37:02     INFO -    0x0c0e8005c4f0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
04:37:02     INFO -  Shadow byte legend (one shadow byte represents 8 application bytes):
04:37:02     INFO -    Addressable:           00
04:37:02     INFO -    Partially addressable: 01 02 03 04 05 06 07
04:37:02     INFO -    Heap left redzone:     fa
04:37:02     INFO -    Heap right redzone:    fb
04:37:02     INFO -    Freed heap region:     fd
04:37:02     INFO -    Stack left redzone:    f1
04:37:02     INFO -    Stack mid redzone:     f2
04:37:02     INFO -    Stack right redzone:   f3
04:37:02     INFO -    Stack partial redzone: f4
04:37:02     INFO -    Stack after return:    f5
04:37:02     INFO -    Stack use after scope: f8
04:37:02     INFO -    Global redzone:        f9
04:37:02     INFO -    Global init order:     f6
04:37:02     INFO -    Poisoned by user:      f7
04:37:02     INFO -    ASan internal:         fe
04:37:02     INFO -  ==2387==ABORTING
04:37:03  WARNING -  TEST-UNEXPECTED-FAIL | /tests/content/canvas/test/webgl/test_webgl_conformance_test_suite.html | Exited with code 1 during test run
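A triage sketch for the report above, added here as an example and not part of the original bug or of any Mozilla or Mesa tooling. It names the first shared-object frame in each of the three stacks and checks that the bracketed shadow byte really maps to the faulting address. The shadow offset 0x7fff8000 and all function names are assumptions of this example.

```python
import re

# Constructed input: lines copied from the report above, log timestamps stripped.
REPORT = """\
==2387==ERROR: AddressSanitizer: heap-use-after-free on address 0x607000322540 at pc 0x41ec11 bp 0x7fff40c34810 sp 0x7fff40c33fd8
READ of size 16 at 0x607000322540 thread T0
    #0 0x41ec10 (/builds/slave/test/build/application/firefox/firefox+0x41ec10)
    #1 0x7fe0bdd9d8e1 (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x738e1)
freed by thread T0 here:
    #0 0x422204 (/builds/slave/test/build/application/firefox/firefox+0x422204)
    #1 0x7fe0bda1e749 (/usr/lib/x86_64-linux-gnu/dri/libdricore.so+0x156749)
previously allocated by thread T0 here:
    #0 0x42257c (/builds/slave/test/build/application/firefox/firefox+0x42257c)
    #1 0x7fe0bd953380 (/usr/lib/x86_64-linux-gnu/dri/libdricore.so+0x8b380)
=>0x0c0e8005c4a0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
"""

SHADOW_OFFSET = 0x7FFF8000  # assumption: ASan's default offset on x86_64 Linux
FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ \((.+)\+0x[0-9a-f]+\)")
SECTIONS = (("READ of size", "access"), ("freed by", "free"), ("previously allocated", "alloc"))

def fault_address(report):
    return int(re.search(r"on address (0x[0-9a-f]+)", report).group(1), 16)

def shadow_address(addr):
    # One shadow byte describes 8 application bytes (see the legend in the report).
    return (addr >> 3) + SHADOW_OFFSET

def first_library_frames(report):
    """For each stack, the first frame inside a shared object (frame #0 is in the
    firefox executable, assumed here to be the linked-in ASan interceptor)."""
    out, section = {}, None
    for line in map(str.strip, report.splitlines()):
        for prefix, name in SECTIONS:
            if line.startswith(prefix):
                section = name
        m = FRAME.match(line)
        if m and section and section not in out and ".so" in m.group(1):
            out[section] = m.group(1).rsplit("/", 1)[-1]
    return out

def marked_shadow_byte(report):
    """(shadow address, value) of the byte ASan printed in [brackets]."""
    m = re.search(r"^=>(0x[0-9a-f]+):(.*)$", report, re.M)
    cells = re.findall(r"\[?[0-9a-f]{2}\]?", m.group(2))
    idx = next(i for i, c in enumerate(cells) if c.startswith("["))
    return int(m.group(1), 16) + idx, cells[idx].strip("[]")

if __name__ == "__main__":
    print(first_library_frames(REPORT), hex(shadow_address(fault_address(REPORT))))
```

The access lands in swrast_dri.so while both the free and the allocation come from libdricore.so, so every frame that touches the freed 64-byte region is inside Mesa rather than libxul.so.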
swrast is an antiquated driver. We should blacklist it. Are you sure / how do you know that we are using it on Ubuntu VMs? I thought that we were using llvmpipe (the modern Mesa software renderer) on Ubuntu VMs.
I don't know which Mesa driver is in use. The stack is the same as that in bug 791905, and other information in that bug led to the conclusion that the crash was llvmpipe specific.
:decoder tells me that llvmpipe is actually built into swrast_dri.so... whence the confusion, sorry.
OK, so Mesa developers said that (on that bug) this would be fixed in Mesa 9.1... but Ubuntu 12.04 LTS, which IIUC is what we're using here, only has Mesa 8.
Whiteboard: [asan][adv-main18+][adv-esr17+] → [asan][adv-main18+][adv-esr17+][asan-test-failure]
This bug has been a problem now for quite a while because it turns mochitest-1 orange. We either need to fix this, or disable the webgl tests in ASan builds.
Duplicate of this bug: 899542
No longer blocking asan-tests because we plan to disable this test for now.
No longer blocks: asan-tests
Whiteboard: [asan][adv-main18+][adv-esr17+][asan-test-failure] → [asan][adv-main18+][adv-esr17+][asan-test-failure] webgl-driver
Keywords: leave-open
See Also: → 1369706
The leave-open keyword is there and there is no activity for 6 months.
:jgilbert, maybe it's time to close this bug?
Flags: needinfo?(jgilbert)
Status: NEW → RESOLVED
Closed: Last year
Flags: needinfo?(jgilbert)
Resolution: --- → INCOMPLETE