Closed Bug 918041 Opened 11 years ago Closed 11 years ago

[webvtt] asan failure on test_bug895091

Core :: Audio/Video, defect
Platform: x86 macOS
Priority: Not set, Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla27
Reporter: rillian, Assigned: reyre

Inbound shows a failure with the asan build. The test runs under a pref which is false in current builds, but we still need to fix this asap to keep the tree green.
Unfortunately we don't get symbols from the buildbot run. I'm doing a local build to try to reproduce. Inbound log says:
12:43:19 INFO - 0x62d000c56400 is located 0 bytes to the right of 32768-byte region [0x62d000c4e400,0x62d000c56400)
12:43:19 INFO - allocated by thread T5 (Socket Thread) here:
12:43:19 INFO - #0 0x446155 (/builds/slave/test/build/application/firefox/firefox+0x446155)
12:43:19 INFO - #1 0x7f0e2f65b5c8 (/builds/slave/test/build/application/firefox/libmozalloc.so+0x15c8)
12:43:19 INFO - Thread T5 (Socket Thread) created by T0 here:
12:43:19 INFO - #0 0x4375c1 (/builds/slave/test/build/application/firefox/firefox+0x4375c1)
12:43:19 INFO - #1 0x7f0e3308fb35 (/builds/slave/test/build/application/firefox/libnspr4.so+0x6ab35)
12:43:19 INFO - #2 0x7f0e3308f687 (/builds/slave/test/build/application/firefox/libnspr4.so+0x6a687)
12:43:19 INFO - Shadow bytes around the buggy address:
12:43:19 INFO - 0x0c5a80182c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12:43:19 INFO - 0x0c5a80182c40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12:43:19 INFO - 0x0c5a80182c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12:43:19 INFO - 0x0c5a80182c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12:43:19 INFO - 0x0c5a80182c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
12:43:19 INFO - =>0x0c5a80182c80:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - 0x0c5a80182c90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - 0x0c5a80182ca0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - 0x0c5a80182cb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - 0x0c5a80182cc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - 0x0c5a80182cd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
12:43:19 INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
12:43:19 INFO - Addressable: 00
12:43:19 INFO - Partially addressable: 01 02 03 04 05 06 07
12:43:19 INFO - Heap left redzone: fa
12:43:19 INFO - Heap right redzone: fb
12:43:19 INFO - Freed heap region: fd
12:43:19 INFO - Stack left redzone: f1
12:43:19 INFO - Stack mid redzone: f2
12:43:19 INFO - Stack right redzone: f3
12:43:19 INFO - Stack partial redzone: f4
12:43:19 INFO - Stack after return: f5
12:43:19 INFO - Stack use after scope: f8
12:43:19 INFO - Global redzone: f9
12:43:19 INFO - Global init order: f6
12:43:19 INFO - Poisoned by user: f7
12:43:19 INFO - ASan internal: fe
12:43:19 INFO - ==2363==ABORTING
12:43:19 WARNING - TEST-UNEXPECTED-FAIL | /tests/content/media/test/test_bug895091.html | Exited with code 1 during test run
Blocks: 895091
Got a trace from my asan build. One needs 'export ASAN_SYMBOLIZER_PATH=$LLVM_HOME/bin/llvm-symbolizer '
0:07.74 WARNING: Need a principal to compare this to!: file /home/giles/mozilla/firefox/caps/src/nsPrincipal.cpp, line 264
0:08.00 =================================================================
0:08.00 ==11221==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62d001b9c400 at pc 0x414140 bp 0x7fffd69404f0 sp 0x7fffd69404c8
0:08.00 READ of size 24577 at 0x62d001b9c400 thread T0
0:08.01 #0 0x41413f in __interceptor_strlen (/home/giles/mozilla/firefox/obj-asan/dist/bin/firefox+0x41413f)
0:11.48 #1 0x7f3c44d9f837 in JS_NewStringCopyZ(JSContext*, char const*) /home/giles/mozilla/firefox/js/src/jsapi.cpp:5239
0:11.48 #2 0x7f3c414ad53f in XPCConvert::NativeData2JS(JS::Value*, void const*, nsXPTType const&, nsID const*, tag_nsresult*) /home/giles/mozilla/firefox/js/xpconnect/src/XPCConvert.cpp:229
0:11.48 #3 0x7f3c4152066f in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/giles/mozilla/firefox/js/xpconnect/src/XPCWrappedJSClass.cpp:1332
0:11.48 #4 0x7f3c41511bf7 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/giles/mozilla/firefox/js/xpconnect/src/XPCWrappedJS.cpp:588
0:11.48 #5 0x7f3c431fe3b1 in PrepareAndDispatch /home/giles/mozilla/firefox/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
0:11.48 #6 0x7f3c431fd3ca in SharedStub (/home/giles/mozilla/firefox/obj-asan/dist/bin/libxul.so+0x63de3ca)
0:11.49 0x62d001b9c400 is located 0 bytes to the right of 32768-byte region [0x62d001b94400,0x62d001b9c400)
0:11.49 allocated by thread T3 (Socket Thread) here:
0:11.50 #0 0x431325 in __interceptor_malloc (/home/giles/mozilla/firefox/obj-asan/dist/bin/firefox+0x431325)
0:11.50 #1 0x7f3c4d0657b2 in moz_xmalloc /home/giles/mozilla/firefox/memory/mozalloc/mozalloc.cpp:54
0:11.50 #2 0x7f3c431660cc in nsSegmentedBuffer::AppendNewSegment() /home/giles/mozilla/firefox/xpcom/io/nsSegmentedBuffer.cpp:71
0:11.50 #3 0x7f3c4315efbe in nsPipe::GetWriteSegment(char*&, unsigned int&) /home/giles/mozilla/firefox/xpcom/io/nsPipe3.cpp:463
0:11.50 #4 0x7f3c4316379a in nsPipeOutputStream::WriteSegments(tag_nsresult (*)(nsIOutputStream*, void*, char*, unsigned int, unsigned int, unsigned int*), void*, unsigned int, unsigned int*) /home/giles/mozilla/firefox/xpcom/io/nsPipe3.cpp:1084
0:11.50 #5 0x7f3c3f1a9094 in nsHttpTransaction::WriteSegments(nsAHttpSegmentWriter*, unsigned int, unsigned int*) /home/giles/mozilla/firefox/netwerk/protocol/http/nsHttpTransaction.cpp:669
0:11.50 #6 0x7f3c3f1535e0 in nsHttpConnection::OnSocketReadable() /home/giles/mozilla/firefox/netwerk/protocol/http/nsHttpConnection.cpp:1440
0:11.50 #7 0x7f3c3f153e3e in nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /home/giles/mozilla/firefox/netwerk/protocol/http/nsHttpConnection.cpp:1561
0:11.50 #8 0x7f3c3f154178 in non-virtual thunk to nsHttpConnection::OnInputStreamReady(nsIAsyncInputStream*) /home/giles/mozilla/firefox/netwerk/protocol/http/nsHttpConnection.cpp:1565
0:11.51 #9 0x7f3c3eef8a7d in nsSocketInputStream::OnSocketReady(tag_nsresult) /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransport2.cpp:292
0:11.51 #10 0x7f3c3ef03253 in nsSocketTransport::OnSocketReady(PRFileDesc*, short) /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransport2.cpp:1717
0:11.51 #11 0x7f3c3ef0f176 in nsSocketTransportService::DoPollIteration(bool) /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransportService2.cpp:819
0:11.51 #12 0x7f3c3ef0e4c4 in nsSocketTransportService::Run() /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransportService2.cpp:670
0:11.51 #13 0x7f3c3ef0f8f2 in non-virtual thunk to nsSocketTransportService::Run() /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransportService2.cpp:714
0:11.51 #14 0x7f3c431ab497 in nsThread::ProcessNextEvent(bool, bool*) /home/giles/mozilla/firefox/xpcom/threads/nsThread.cpp:622
0:11.51 #15 0x7f3c430c8bde in NS_ProcessNextEvent(nsIThread*, bool) /home/giles/mozilla/firefox/xpcom/glue/nsThreadUtils.cpp:238
0:11.51 #16 0x7f3c431a8b63 in nsThread::ThreadFunc(void*) /home/giles/mozilla/firefox/xpcom/threads/nsThread.cpp:250
0:11.51 #17 0x7f3c4dd6ebd5 in _pt_root /home/giles/mozilla/firefox/nsprpub/pr/src/pthreads/ptthread.c:204
0:11.51 #18 0x438af9 in __asan::AsanThread::ThreadStart(unsigned long) (/home/giles/mozilla/firefox/obj-asan/dist/bin/firefox+0x438af9)
0:11.51 Thread T3 (Socket Thread) created by T0 here:
0:11.52 #0 0x413cb1 in __interceptor_pthread_create (/home/giles/mozilla/firefox/obj-asan/dist/bin/firefox+0x413cb1)
0:11.52 #1 0x7f3c4dd6a3c0 in _PR_CreateThread /home/giles/mozilla/firefox/nsprpub/pr/src/pthreads/ptthread.c:444
0:11.52 #2 0x7f3c4dd69eba in PR_CreateThread /home/giles/mozilla/firefox/nsprpub/pr/src/pthreads/ptthread.c:527
0:11.52 #3 0x7f3c431a9b02 in nsThread::Init() /home/giles/mozilla/firefox/xpcom/threads/nsThread.cpp:316
0:11.52 #4 0x7f3c431aff20 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /home/giles/mozilla/firefox/xpcom/threads/nsThreadManager.cpp:214
0:11.52 #5 0x7f3c430c8396 in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /home/giles/mozilla/firefox/xpcom/glue/nsThreadUtils.cpp:67
0:11.52 #6 0x7f3c3ef0caf3 in nsSocketTransportService::Init() /home/giles/mozilla/firefox/netwerk/base/src/nsSocketTransportService2.cpp:450
0:11.53 #7 0x7f3c3ee38c55 in nsSocketTransportServiceConstructor(nsISupports*, nsID const&, void**) /home/giles/mozilla/firefox/netwerk/build/nsNetModule.cpp:73
0:11.53 #8 0x7f3c4318b405 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:1096
0:11.53 #9 0x7f3c43183e76 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:1452
0:11.53 #10 0x7f3c430c013f in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /home/giles/mozilla/firefox/xpcom/glue/nsComponentManagerUtils.cpp:256
0:11.54 #11 0x7f3c3eeabbff in nsCOMPtr<nsPISocketTransportService>::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /home/giles/mozilla/firefox/obj-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:1249
0:11.54 #12 0x7f3c3eea1d52 in nsCOMPtr<nsPISocketTransportService>::operator=(nsGetServiceByContractIDWithError const&) /home/giles/mozilla/firefox/obj-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:718
0:11.54 #13 0x7f3c3eea1d52 in nsIOService::InitializeSocketTransportService() /home/giles/mozilla/firefox/netwerk/base/src/nsIOService.cpp:232
0:11.54 #14 0x7f3c3eea29df in nsIOService::SetOffline(bool) /home/giles/mozilla/firefox/netwerk/base/src/nsIOService.cpp:730
0:11.54 #15 0x7f3c3eea19be in nsIOService::InitializeNetworkLinkService() /home/giles/mozilla/firefox/netwerk/base/src/nsIOService.cpp:280
0:11.54 #16 0x7f3c3eea0f51 in nsIOService::Init() /home/giles/mozilla/firefox/netwerk/base/src/nsIOService.cpp:215
0:11.54 #17 0x7f3c3eea2f70 in nsIOService::GetInstance() /home/giles/mozilla/firefox/netwerk/base/src/nsIOService.cpp:293
0:11.54 #18 0x7f3c3ee389b2 in nsIOServiceConstructor(nsISupports*, nsID const&, void**) /home/giles/mozilla/firefox/netwerk/build/nsNetModule.cpp:59
0:11.54 #19 0x7f3c4318b405 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:1096
0:11.54 #20 0x7f3c43183e76 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:1452
0:11.54 #21 0x7f3c430c00e5 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/giles/mozilla/firefox/xpcom/glue/nsComponentManagerUtils.cpp:246
0:11.54 #22 0x7f3c4094678f in nsCOMPtr<nsIIOService>::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/giles/mozilla/firefox/xpcom/build/../glue/nsCOMPtr.h:1239
0:11.54 #23 0x7f3c430d3fe7 in nsCOMPtr /home/giles/mozilla/firefox/xpcom/build/../glue/nsCOMPtr.h:620
0:11.54 #24 0x7f3c430d3fe7 in nsCOMPtr /home/giles/mozilla/firefox/xpcom/build/../glue/nsCOMPtr.h:621
0:11.54 #25 0x7f3c430d3fe7 in mozilla::services::GetIOService() /home/giles/mozilla/firefox/obj-asan/xpcom/build/../../dist/include/mozilla/ServiceList.h:13
0:11.54 #26 0x7f3c430eb8c5 in do_GetIOService(tag_nsresult*) /home/giles/mozilla/firefox/obj-asan/chrome/src/../../dist/include/nsNetUtil.h:96
0:11.54 #27 0x7f3c430eb8c5 in net_EnsureIOService(nsIIOService**, nsCOMPtr<nsIIOService>&) /home/giles/mozilla/firefox/obj-asan/chrome/src/../../dist/include/nsNetUtil.h:136
0:11.54 #28 0x7f3c430eb8c5 in nsGetterAddRefs<nsIURI> getter_AddRefs<nsIURI>(nsCOMPtr<nsIURI>&) /home/giles/mozilla/firefox/obj-asan/chrome/src/../../dist/include/nsNetUtil.h:151
0:11.54 #29 0x7f3c430eb8c5 in nsChromeRegistry::ManifestProcessingContext::GetManifestURI() /home/giles/mozilla/firefox/chrome/src/nsChromeRegistryChrome.cpp:779
0:11.54 #30 0x7f3c430ebad6 in nsChromeRegistry::ManifestProcessingContext::ResolveURI(char const*) /home/giles/mozilla/firefox/chrome/src/nsChromeRegistryChrome.cpp:796
0:11.54 #31 0x7f3c430ec1d9 in nsChromeRegistryChrome::ManifestLocale(nsChromeRegistry::ManifestProcessingContext&, int, char* const*, bool, bool) /home/giles/mozilla/firefox/chrome/src/nsChromeRegistryChrome.cpp:868
0:11.54 #32 0x7f3c43178faf in ParseManifest(NSLocationType, mozilla::FileLocation&, char*, bool) /home/giles/mozilla/firefox/xpcom/components/ManifestParser.cpp:634
0:11.54 #33 0x7f3c4318731c in nsComponentManagerImpl::RegisterManifest(NSLocationType, mozilla::FileLocation&, bool) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:559
0:11.54 #34 0x7f3c431875f9 in nsComponentManagerImpl::ManifestManifest(nsComponentManagerImpl::ManifestProcessingContext&, int, char* const*) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:572
0:11.54 #35 0x7f3c43178cc4 in ParseManifest(NSLocationType, mozilla::FileLocation&, char*, bool) /home/giles/mozilla/firefox/xpcom/components/ManifestParser.cpp:645
0:11.54 #36 0x7f3c4318731c in nsComponentManagerImpl::RegisterManifest(NSLocationType, mozilla::FileLocation&, bool) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:559
0:11.54 #37 0x7f3c43186827 in nsComponentManagerImpl::RereadChromeManifests(bool) /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:735
0:11.54 #38 0x7f3c43185796 in nsComponentManagerImpl::Init() /home/giles/mozilla/firefox/xpcom/components/nsComponentManager.cpp:410
0:11.55 #39 0x7f3c430d6f13 in NS_InitXPCOM2 /home/giles/mozilla/firefox/xpcom/build/nsXPComInit.cpp:541
0:11.55 #40 0x7f3c3ebf6e09 in ScopedXPCOMStartup::Initialize() /home/giles/mozilla/firefox/toolkit/xre/nsAppRunner.cpp:1191
0:11.55 #41 0x7f3c3ec06638 in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/giles/mozilla/firefox/toolkit/xre/nsAppRunner.cpp:3933
0:11.55 #42 0x7f3c3ec071dd in XRE_main /home/giles/mozilla/firefox/toolkit/xre/nsAppRunner.cpp:4139
0:11.55 #43 0x446e9b in main (/home/giles/mozilla/firefox/obj-asan/dist/bin/firefox+0x446e9b)
0:11.55 #44 0x3606821734 in __libc_start_main (/lib64/libc.so.6+0x3606821734)
0:11.55 SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __interceptor_strlen
0:11.55 Shadow bytes around the buggy address:
0:11.55 0x0c5a8036b830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0:11.55 0x0c5a8036b840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0:11.55 0x0c5a8036b850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0:11.55 0x0c5a8036b860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0:11.55 0x0c5a8036b870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0:11.55 =>0x0c5a8036b880:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 0x0c5a8036b890: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 0x0c5a8036b8a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 0x0c5a8036b8b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 0x0c5a8036b8c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 0x0c5a8036b8d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0:11.55 Shadow byte legend (one shadow byte represents 8 application bytes):
0:11.55 Addressable: 00
0:11.55 Partially addressable: 01 02 03 04 05 06 07
0:11.55 Heap left redzone: fa
0:11.55 Heap right redzone: fb
0:11.55 Freed heap region: fd
0:11.55 Stack left redzone: f1
0:11.55 Stack mid redzone: f2
0:11.55 Stack right redzone: f3
0:11.55 Stack partial redzone: f4
0:11.55 Stack after return: f5
0:11.55 Stack use after scope: f8
0:11.55 Global redzone: f9
0:11.55 Global init order: f6
0:11.55 Poisoned by user: f7
0:11.55 ASan internal: fe
0:11.55 ==11221==ABORTING
0:11.67 TEST-UNEXPECTED-FAIL | automation.py | Exited with code 1 during test run
Found the bug. Reason was that I was using the XPIDL 'string' type when passing the buffer (const char *) from the WebVTTLoadListener to the WebVTTParserWrapper. This calls JS_NewStringCopyZ, which tries to find the length of the char array by using strlen(). The char array is not null-terminated so it reads out of memory. Solution was to instead use the 'ACString' XPIDL type. On the C++ side we construct an ACString and pass that to JS, which calls JS_NewStringCopyN. This function knows the count of the char array so we don't have that problem. I'll update bug 895091 with the changes and run it on the try server again with the ASAN builds as well ;).
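The failure mode in rillian's trace and the shape of reyre's fix, as an added C example that is not code from this bug or from Mozilla: byte_slice, make_unterminated_segment, copy_as_c_string, copy_counted and the two helper functions are stand-ins I wrote for the XPIDL 'string' path (JS_NewStringCopyZ plus strlen) and the 'ACString' path (JS_NewStringCopyN with an explicit length). The 32768-byte segment is constructed to match the region size in the trace; nothing here is the actual WebVTT loader code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustration only (not Mozilla code): a counted byte range. The fix in
 * this bug has the same shape: ACString carries a length, so the JS side
 * can use JS_NewStringCopyN instead of scanning for a NUL. */
typedef struct {
    const char *data;
    size_t len;
} byte_slice;

/* Stand-in for a network pipe segment: a heap block filled end-to-end with
 * payload and no terminating NUL. The trace shows a 32768-byte segment
 * allocated by nsSegmentedBuffer on the socket thread; this mimics it. */
char *make_unterminated_segment(size_t len)
{
    char *seg = malloc(len);
    if (seg == NULL)
        return NULL;
    memset(seg, 'A', len);          /* all payload, no zero byte anywhere */
    return seg;
}

/* The bug's pattern: the XPIDL 'string' path ends in JS_NewStringCopyZ,
 * which measures the buffer with strlen(). On a segment like the one above
 * strlen() runs off the end of the allocation until it happens to hit a
 * zero byte, which is what ASan reported (READ of size 24577, 0 bytes to
 * the right of the region). Only safe to call on NUL-terminated input. */
char *copy_as_c_string(const char *buf)
{
    size_t n = strlen(buf);         /* over-reads if buf has no terminator */
    char *out = malloc(n + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, buf, n);
    out[n] = '\0';
    return out;
}

/* The fix's pattern: the length travels with the pointer (ACString /
 * JS_NewStringCopyN), so no byte beyond in.len is ever touched. */
char *copy_counted(byte_slice in)
{
    char *out = malloc(in.len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, in.data, in.len);
    out[in.len] = '\0';
    return out;
}

/* Builds an unterminated segment of seg_len bytes, copies it the counted
 * way and returns how many bytes the copy holds. Returned rather than
 * printed so the behaviour can be asserted on. */
size_t counted_copy_length(size_t seg_len)
{
    char *seg = make_unterminated_segment(seg_len);
    if (seg == NULL)
        return 0;
    byte_slice s = { seg, seg_len };
    char *out = copy_counted(s);
    /* out is NUL-terminated by copy_counted, so strlen is safe here */
    size_t got = (out != NULL) ? strlen(out) : 0;
    free(out);
    free(seg);
    return got;
}

/* Sanity check that the strlen-based path is fine when its precondition
 * (a NUL inside the allocation) actually holds. Returns 1 on a byte-exact
 * round trip, 0 otherwise. */
int c_string_copy_round_trips(const char *s)
{
    char *out = copy_as_c_string(s);
    if (out == NULL)
        return 0;
    int ok = (strcmp(out, s) == 0);
    free(out);
    return ok;
}

int main(void)
{
    printf("counted copy of a 32768-byte unterminated segment holds %zu bytes\n",
           counted_copy_length(32768));
    printf("terminated input round-trips through the strlen path: %d\n",
           c_string_copy_round_trips("WEBVTT\n\n00:00.000 --> 00:01.000\nhello\n"));
    /* To see the report the bug describes, build with -fsanitize=address and
     * pass a segment from make_unterminated_segment() to copy_as_c_string():
     * ASan flags the strlen() read as a heap-buffer-overflow at the
     * segment's right edge, just like the trace above. */
    return 0;
}
```

Build with `cc -fsanitize=address -g example.c` to get the same kind of symbolized report as the local trace; the point of the counted variant is that the length is a parameter of the interface, so there is no precondition for the receiving side to forget.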
ASan try push is green.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27