Closed Bug 961394 Opened 6 years ago Closed 6 years ago

MOZ_ASAN_BLACKLIST does not work with GCC ASAN

Categories

(Core :: MFBT, defect)

28 Branch
x86_64
Linux
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla29

People

(Reporter: techmeology.co.uk, Assigned: froydnj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [asan])

Attachments

(2 files)

Attached file asan.mozconfig
Note: I've marked this as a security issue as a precaution because it is a buffer overflow. I do not expect it to turn out to be a security vulnerability. (Please let me know if this precaution is unhelpful.)

Steps to reproduce:
[*] hg clone http://hg.mozilla.org/releases/mozilla-aurora/ aurora-src    (last update was roughly 18 hours ago)
[*] Build with GCC and address sanitizer (see asan.mozconfig)
[*] Start Firefox

Expected results: no address sanitizer output

Actual results (symbolized):
[-] ==24598== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0613de9da8 at pc 0x7f063682cde5 bp 0x7f0613de8900 sp 0x7f0613de88f8
[-] READ of size 8 at 0x7f0613de9da8 thread T15 (DOM Worker)
[+]     #0 0x7f063682cde4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f34de4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:264
[+]     #1 0x7f063682d38a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f3538a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:287
[+]     #2 0x7f063682fcea (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f37cea): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:680
[+]     #3 0x7f0636e17249 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x651f249): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:3090
[+]     #4 0x7f0636e2040b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x652840b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:4791
[+]     #5 0x7f0636e21bcc (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6529bcc): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:4929
[+]     #6 0x7f06340e26a0 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37ea6a0): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:5250
[+]     #7 0x7f06340e27c6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37ea7c6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:1580
[+]     #8 0x7f06340e1a04 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37e9a04): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:1880
[+]     #9 0x7f06340f0c28 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f8c28): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3850
[+]     #10 0x7f06340c0332 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37c8332): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/RuntimeService.cpp:959
[+]     #11 0x7f06322da771 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e2771): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:612
[+]     #12 0x7f06321eb745 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x18f3745): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/glue/nsThreadUtils.cpp:263
[+]     #13 0x7f06322dc218 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e4218): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:246
[+]     #14 0x7f063ef73f13 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6df13): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:205
[+]     #15 0x7f06401c0bb7 (/usr/lib/libasan.so.0.0.0+0x18bb7): ??:?
[+]     #16 0x7f063fd8f0a1 (/usr/lib/libpthread-2.18.so+0x80a1): pthread_create.c:?
[+]     #17 0x7f063f2a53dc (/usr/lib/libc-2.18.so+0xe53dc): ??:?
[-] Address 0x7f0613de9da8 is located at offset 312 in frame <GCCycle> of T15's stack:
[-]   This frame has 4 object(s):
[-]     [32, 40) 'safe'
[-]     [96, 112) 'zone'
[-]     [160, 176) 'zone'
[-]     [224, 272) 'gcsession'
[-] HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[-]       (longjmp and C++ exceptions *are* supported)
[-] Thread T15 (DOM Worker) created by T0 here:
[+]     #0 0x7f06401b2b6b (/usr/lib/libasan.so.0.0.0+0xab6b): ??:?
[+]     #1 0x7f063ef73247 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6d247): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:445
[+]     #2 0x7f063ef7526a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6f26a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:528
[+]     #3 0x7f06322dc6bc (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e46bc): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:317
[+]     #4 0x7f06322df2ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e72ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThreadManager.cpp:228
[+]     #5 0x7f06321ebf5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x18f3f5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/glue/nsThreadUtils.cpp:68
[+]     #6 0x7f06340c876a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37d076a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dom/workers/../../dist/include/nsThreadUtils.h:73
[+]     #7 0x7f06340c99d6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37d19d6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/RuntimeService.cpp:1309 (discriminator 1)
[+]     #8 0x7f06340ebe34 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f3e34): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3501
[+]     #9 0x7f06340ec020 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f4020): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3421
[+]     #10 0x7f063391b0ef (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x30230ef): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dom/bindings/WorkerBinding.cpp:69
[+]     #11 0x7f06371e2b41 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68eab41): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #12 0x7f06371a9e63 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b1e63): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:559
[+]     #13 0x7f06371b15f8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b95f8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2508
[+]     #14 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #15 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #16 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #17 0x7f06371de870 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e6870): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:590
[+]     #18 0x7f0636ed38dd (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x65db8dd): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Shape-inl.h:68
[+]     #19 0x7f0636ed66ed (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x65de6ed): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsobj.cpp:4271
[+]     #20 0x7f06371c219b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ca19b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsobj.h:1000
[+]     #21 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #22 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #23 0x7f0636dd74a4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x64df4a4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsfun.cpp:1046
[+]     #24 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #25 0x7f06371a8a4f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0a4f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:463
[+]     #26 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #27 0x7f0636f790ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x66810ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:467
[+]     #28 0x7f06370a61cb (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x67ae1cb): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jswrapper.cpp:455
[+]     #29 0x7f0636f7bb08 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683b08): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:2658
[+]     #30 0x7f0636f7be89 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683e89): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:3066
[+]     #31 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #32 0x7f06371a924f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b124f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:456
[+]     #33 0x7f06371b0af8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b8af8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2511
[+]     #34 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #35 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #36 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #37 0x7f0636f790ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x66810ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:467
[+]     #38 0x7f06370a61cb (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x67ae1cb): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jswrapper.cpp:455
[+]     #39 0x7f0636f7bb08 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683b08): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:2658
[+]     #40 0x7f0636f7be89 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683e89): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:3066
[+]     #41 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #42 0x7f06371a924f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b124f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:456
[+]     #43 0x7f06371b0af8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b8af8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2511
[+]     #44 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #45 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #46 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #47 0x7f0636d1586b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x641d86b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsapi.cpp:4983
[+]     #48 0x7f0633c6b645 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x3373645): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/xpconnect/src/XPCWrappedJSClass.cpp:1413
[+]     #49 0x7f06322eda1d (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19f5a1d): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
[+]     #50 0x7f06322ecc84 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19f4c84): xptcstubs_x86_64_linux.cpp:?
[+]     #51 0x7f06322594c6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19614c6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/ds/nsObserverList.cpp:96
[+]     #52 0x7f063225ad05 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x1962d05): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/ds/nsObserverService.cpp:302
[+]     #53 0x7f06359881ea (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x50901ea): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:3974
[+]     #54 0x7f0635988dfa (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5090dfa): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:4076
[+]     #55 0x7f06359893a5 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x50913a5): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:4316
[+]     #56 0x404445 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dist/bin/firefox+0x404445): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/browser/app/nsBrowserApp.cpp:280
[+]     #57 0x4036e0 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dist/bin/firefox+0x4036e0): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/browser/app/nsBrowserApp.cpp:648
[+]     #58 0x7f063f1e1b04 (/usr/lib/libc-2.18.so+0x21b04): ??:?
[-] Shadow bytes around the buggy address:
[-]   0x0fe1427b5360: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f4
[-]   0x0fe1427b5370: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b5380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[-]   0x0fe1427b5390: f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
[-]   0x0fe1427b53a0: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
[-] =>0x0fe1427b53b0: f4 f4 f3 f3 f3[f3]00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53e0: 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2 f2 00 00
[-]   0x0fe1427b53f0: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
[-]   0x0fe1427b5400: f4 f4 f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f3 f3
[-] Shadow byte legend (one shadow byte represents 8 application bytes):
[-]   Addressable:           00
[-]   Partially addressable: 01 02 03 04 05 06 07 
[-]   Heap left redzone:     fa
[-]   Heap righ redzone:     fb
[-]   Freed Heap region:     fd
[-]   Stack left redzone:    f1
[-]   Stack mid redzone:     f2
[-]   Stack right redzone:   f3
[-]   Stack partial redzone: f4
[-]   Stack after return:    f5
[-]   Stack use after scope: f8
[-]   Global redzone:        f9
[-]   Global init order:     f6
[-]   Poisoned by user:      f7
[-]   ASan internal:         fe
[-] ==24598== ABORTING
Version: unspecified → 28 Branch
Summary: address sanitizer aurora → AddressSanitizer: stack-buffer-overflow on recent Aurora build
The bug also appears in beta (pulled a few hours ago).
Summary: AddressSanitizer: stack-buffer-overflow on recent Aurora build → AddressSanitizer: stack-buffer-overflow on recent Aurora and Beta build
Whiteboard: [asan]
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Can you please provide symbolized traces? We are not seeing this issue on aurora and beta with Clang ASan. Either this is a bug/false positive in GCC's ASan or for some reason Clang ASan misses it.
Flags: needinfo?(techmeology.co.uk)
Hello

Lines beginning "[+]" show symbolized output (I've not been able to get GCC's Asan to produce symbolized output on its own, so I wrote a script to do this from the unsymbolized output).
E.g: "[+]     #0 0x7f063682cde4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f34de4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:264"

Note: the reason I'm using GCC's ASAN (I noted the blocks task) is because I had difficulty with building Firefox using Clang before. But I haven't investigated this much recently.

I hope this helps
Flags: needinfo?(techmeology.co.uk)
Okay, I was just confused by the missing function frames, but I see now that this is not a bug. The function frame in #0 points to this function:

MOZ_ASAN_BLACKLIST
static void
MarkRangeConservatively(JSTracer *trc, const uintptr_t *begin, const uintptr_t *end)
{
    JS_ASSERT(begin <= end);
    for (const uintptr_t *i = begin; i < end; ++i)
        MarkWordConservatively(trc, *i);
}


Note the MOZ_ASAN_BLACKLIST. That macro uses an annotation that tells Clang ASan to not instrument this function, because this function is allowed to touch invalid memory (it's part of the conservative stack scanner of the GC).

In order to properly use GCC ASan with Firefox, you need to tell GCC ASan to somehow ignore this and other functions annotated with MOZ_ASAN_BLACKLIST. I don't know if and what ways GCC ASan offers to do this. Best would be to check with their manual or the GCC devs.

If there is something we can do to our macros then, then I'll happily make those changes.
Group: core-security
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → MFBT
Ever confirmed: true
Summary: AddressSanitizer: stack-buffer-overflow on recent Aurora and Beta build → MOZ_ASAN_BLACKLIST does not work with GCC ASAN
(In reply to Christian Holler (:decoder) from comment #4)
> In order to properly use GCC ASan with Firefox, you need to tell GCC ASan to
> somehow ignore this and other functions annotated with MOZ_ASAN_BLACKLIST. I
> don't know if and what ways GCC ASan offers to do this. Best would be to
> check with their manual or the GCC devs.
> 
> If there is something we can do to our macros then, then I'll happily make
> those changes.

It looks like our macros don't really support ASan in GCC.  I'll have a quick look through the GCC sources to tell whether they support no_sanitize_address.  (Pretty sure they do; there was strong support for source code annotations rather than -blacklist command-line options.)
All right, so a bit of code spelunking later, and we have some GCC support for ASan.  Sadly, GCC's preprocessor doesn't let you know whether you're doing TSan or not; should probably submit a patch for that upstream.
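The annotation decoder describes in comment 4 and the GCC attribute support froydnj refers to, as an added example that is not Mozilla's code and not the patch attached to this bug: a hypothetical EXAMPLE_ASAN_BLACKLIST macro that detects AddressSanitizer under Clang (via __has_feature) and under GCC (via the predefined __SANITIZE_ADDRESS__) and expands to __attribute__((noinline, no_sanitize_address)); it is applied to a conservative word scanner in the style of MarkRangeConservatively, run over a constructed sample "stack". All EXAMPLE_ names, the 4 KiB "heap" range and the sample words are assumptions made for the example.

```c
/* Added example (not Mozilla's code): a portable "do not instrument this
 * function" annotation in the spirit of MOZ_ASAN_BLACKLIST, plus a
 * conservative word scanner that uses it. EXAMPLE_* names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* 1. Detect whether this translation unit is being built under ASan.
 *    Clang exposes __has_feature(address_sanitizer); GCC (4.8 and later)
 *    instead predefines __SANITIZE_ADDRESS__ when -fsanitize=address is on. */
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define EXAMPLE_ASAN 1
#  endif
#endif
#if !defined(EXAMPLE_ASAN) && defined(__SANITIZE_ADDRESS__)
#  define EXAMPLE_ASAN 1
#endif

/* 2. Both GCC and Clang honour __attribute__((no_sanitize_address)) on a
 *    function. The attribute covers only that function's body, so the
 *    function must also never be inlined into an instrumented caller;
 *    noinline is therefore part of the annotation. */
#if defined(EXAMPLE_ASAN)
#  define EXAMPLE_ASAN_BLACKLIST __attribute__((noinline, no_sanitize_address))
#else
#  define EXAMPLE_ASAN_BLACKLIST
#endif

/* Reports which expansion the macro took: 1 under ASan, 0 otherwise. */
int example_asan_enabled(void)
{
#if defined(EXAMPLE_ASAN)
    return 1;
#else
    return 0;
#endif
}

/* Conservative scanner: every machine word in [begin, end) is treated as a
 * potential pointer and counted if it falls inside the "heap" [lo, hi).
 * A real GC scanner walks the raw native stack, including bytes ASan has
 * poisoned as redzones, which is why its body must stay uninstrumented. */
EXAMPLE_ASAN_BLACKLIST
size_t example_scan_range_conservatively(const uintptr_t *begin,
                                         const uintptr_t *end,
                                         uintptr_t lo, uintptr_t hi)
{
    size_t hits = 0;
    for (const uintptr_t *i = begin; i < end; ++i) {
        uintptr_t word = *i;
        if (word >= lo && word < hi)
            ++hits;
    }
    return hits;
}

/* Constructed sample "stack": six words, two of which look like pointers
 * into a hypothetical 4 KiB heap region starting at `base`. Returns the
 * number of words the scanner treats as heap pointers (expected: 2). */
size_t example_demo(void)
{
    uintptr_t base = (uintptr_t)0x10000000u;
    uintptr_t words[6] = {
        0x1,              /* small integer, not a pointer            */
        base + 0x40,      /* inside the region                        */
        0xdeadbeef,       /* garbage                                  */
        base + 0xff0,     /* inside the region                        */
        base + 0x1000,    /* one past the end, so not inside          */
        0
    };
    return example_scan_range_conservatively(words, words + 6,
                                             base, base + 0x1000);
}

int main(void)
{
    printf("built with ASan: %d\n", example_asan_enabled());
    printf("conservative hits: %zu\n", example_demo());
    return 0;
}
```

Build it twice, once plainly and once with -fsanitize=address on either compiler, and example_asan_enabled() reports which expansion applied; the scanner body is left uninstrumented only in the sanitized build. The noinline part matters in practice: without it, an optimizing build can inline the scanner into an instrumented caller and the attribute silently stops protecting the loop, which is exactly the kind of report seen in comment 0.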
Comment on attachment 8363078 [details] [diff] [review]
update MOZ_ASAN_BLACKLIST to work with recent versions of GCC

I guess Waldo gets to review this, even though his queue is pretty long.

If somebody else wanted to review this and then Waldo could pick nits after the fact, we could do that too.
Attachment #8363078 - Flags: review?(jwalden+bmo)
Attachment #8363078 - Flags: review?(jwalden+bmo) → review+
Assignee: nobody → nfroyd
https://hg.mozilla.org/mozilla-central/rev/70629eef62c6
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29