961394 - MOZ_ASAN_BLACKLIST does not work with GCC ASAN

techmeology.co.uk

Reporter

Description

•

6 years ago

Attached file asan.mozconfig — Details

Note: I've marked this as a security issue as a precaution because it is a buffer overflow. I do not expect it to turn out to be a security vulnerability. (Please let me know if this precaution is unhelpful.)

Steps to reproduce:
[*] hg clone http://hg.mozilla.org/releases/mozilla-aurora/ aurora-src    (;ast update was roughly 18 hours ago)
[*] Build with GCC and address sanitizer (see asan.mozconfig)
[*] Start Firefox

Expected results: no address sanitizer output

Actual results (symbolized):
[-] ==24598== ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f0613de9da8 at pc 0x7f063682cde5 bp 0x7f0613de8900 sp 0x7f0613de88f8
[-] READ of size 8 at 0x7f0613de9da8 thread T15 (DOM Worker)
[+]     #0 0x7f063682cde4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f34de4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:264
[+]     #1 0x7f063682d38a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f3538a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:287
[+]     #2 0x7f063682fcea (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f37cea): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:680
[+]     #3 0x7f0636e17249 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x651f249): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:3090
[+]     #4 0x7f0636e2040b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x652840b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:4791
[+]     #5 0x7f0636e21bcc (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6529bcc): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsgc.cpp:4929
[+]     #6 0x7f06340e26a0 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37ea6a0): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:5250
[+]     #7 0x7f06340e27c6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37ea7c6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:1580
[+]     #8 0x7f06340e1a04 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37e9a04): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:1880
[+]     #9 0x7f06340f0c28 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f8c28): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3850
[+]     #10 0x7f06340c0332 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37c8332): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/RuntimeService.cpp:959
[+]     #11 0x7f06322da771 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e2771): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:612
[+]     #12 0x7f06321eb745 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x18f3745): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/glue/nsThreadUtils.cpp:263
[+]     #13 0x7f06322dc218 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e4218): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:246
[+]     #14 0x7f063ef73f13 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6df13): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:205
[+]     #15 0x7f06401c0bb7 (/usr/lib/libasan.so.0.0.0+0x18bb7): ??:?
[+]     #16 0x7f063fd8f0a1 (/usr/lib/libpthread-2.18.so+0x80a1): pthread_create.c:?
[+]     #17 0x7f063f2a53dc (/usr/lib/libc-2.18.so+0xe53dc): ??:?
[-] Address 0x7f0613de9da8 is located at offset 312 in frame <GCCycle> of T15's stack:
[-]   This frame has 4 object(s):
[-]     [32, 40) 'safe'
[-]     [96, 112) 'zone'
[-]     [160, 176) 'zone'
[-]     [224, 272) 'gcsession'
[-] HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[-]       (longjmp and C++ exceptions *are* supported)
[-] Thread T15 (DOM Worker) created by T0 here:
[+]     #0 0x7f06401b2b6b (/usr/lib/libasan.so.0.0.0+0xab6b): ??:?
[+]     #1 0x7f063ef73247 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6d247): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:445
[+]     #2 0x7f063ef7526a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/nsprpub/pr/src/libnspr4.so+0x6f26a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/nsprpub/pr/src/pthreads/ptthread.c:528
[+]     #3 0x7f06322dc6bc (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e46bc): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThread.cpp:317
[+]     #4 0x7f06322df2ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19e72ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/threads/nsThreadManager.cpp:228
[+]     #5 0x7f06321ebf5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x18f3f5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/glue/nsThreadUtils.cpp:68
[+]     #6 0x7f06340c876a (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37d076a): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dom/workers/../../dist/include/nsThreadUtils.h:73
[+]     #7 0x7f06340c99d6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37d19d6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/RuntimeService.cpp:1309 (discriminator 1)
[+]     #8 0x7f06340ebe34 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f3e34): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3501
[+]     #9 0x7f06340ec020 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x37f4020): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/dom/workers/WorkerPrivate.cpp:3421
[+]     #10 0x7f063391b0ef (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x30230ef): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dom/bindings/WorkerBinding.cpp:69
[+]     #11 0x7f06371e2b41 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68eab41): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #12 0x7f06371a9e63 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b1e63): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:559
[+]     #13 0x7f06371b15f8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b95f8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2508
[+]     #14 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #15 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #16 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #17 0x7f06371de870 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e6870): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:590
[+]     #18 0x7f0636ed38dd (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x65db8dd): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Shape-inl.h:68
[+]     #19 0x7f0636ed66ed (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x65de6ed): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsobj.cpp:4271
[+]     #20 0x7f06371c219b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ca19b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsobj.h:1000
[+]     #21 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #22 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #23 0x7f0636dd74a4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x64df4a4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsfun.cpp:1046
[+]     #24 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #25 0x7f06371a8a4f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0a4f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:463
[+]     #26 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #27 0x7f0636f790ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x66810ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:467
[+]     #28 0x7f06370a61cb (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x67ae1cb): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jswrapper.cpp:455
[+]     #29 0x7f0636f7bb08 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683b08): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:2658
[+]     #30 0x7f0636f7be89 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683e89): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:3066
[+]     #31 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #32 0x7f06371a924f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b124f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:456
[+]     #33 0x7f06371b0af8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b8af8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2511
[+]     #34 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #35 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #36 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #37 0x7f0636f790ec (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x66810ec): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:467
[+]     #38 0x7f06370a61cb (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x67ae1cb): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jswrapper.cpp:455
[+]     #39 0x7f0636f7bb08 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683b08): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:2658
[+]     #40 0x7f0636f7be89 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x6683e89): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsproxy.cpp:3066
[+]     #41 0x7f06371e204f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68ea04f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jscntxtinlines.h:220
[+]     #42 0x7f06371a924f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b124f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:456
[+]     #43 0x7f06371b0af8 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b8af8): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:2511
[+]     #44 0x7f06371da228 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e2228): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:420
[+]     #45 0x7f06371a8e5e (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68b0e5e): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:482
[+]     #46 0x7f06371dde5f (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x68e5e5f): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/vm/Interpreter.cpp:519
[+]     #47 0x7f0636d1586b (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x641d86b): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/jsapi.cpp:4983
[+]     #48 0x7f0633c6b645 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x3373645): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/xpconnect/src/XPCWrappedJSClass.cpp:1413
[+]     #49 0x7f06322eda1d (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19f5a1d): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
[+]     #50 0x7f06322ecc84 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19f4c84): xptcstubs_x86_64_linux.cpp:?
[+]     #51 0x7f06322594c6 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x19614c6): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/ds/nsObserverList.cpp:96
[+]     #52 0x7f063225ad05 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x1962d05): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/xpcom/ds/nsObserverService.cpp:302
[+]     #53 0x7f06359881ea (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x50901ea): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:3974
[+]     #54 0x7f0635988dfa (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5090dfa): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:4076
[+]     #55 0x7f06359893a5 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x50913a5): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/toolkit/xre/nsAppRunner.cpp:4316
[+]     #56 0x404445 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dist/bin/firefox+0x404445): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/browser/app/nsBrowserApp.cpp:280
[+]     #57 0x4036e0 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/dist/bin/firefox+0x4036e0): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/browser/app/nsBrowserApp.cpp:648
[+]     #58 0x7f063f1e1b04 (/usr/lib/libc-2.18.so+0x21b04): ??:?
[-] Shadow bytes around the buggy address:
[-]   0x0fe1427b5360: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 f4
[-]   0x0fe1427b5370: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b5380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
[-]   0x0fe1427b5390: f1 f1 00 f4 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
[-]   0x0fe1427b53a0: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 00 00 00 00
[-] =>0x0fe1427b53b0: f4 f4 f3 f3 f3[f3]00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[-]   0x0fe1427b53e0: 00 00 f1 f1 f1 f1 00 00 f4 f4 f2 f2 f2 f2 00 00
[-]   0x0fe1427b53f0: f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00
[-]   0x0fe1427b5400: f4 f4 f2 f2 f2 f2 00 00 00 00 00 f4 f4 f4 f3 f3
[-] Shadow byte legend (one shadow byte represents 8 application bytes):
[-]   Addressable:           00
[-]   Partially addressable: 01 02 03 04 05 06 07 
[-]   Heap left redzone:     fa
[-]   Heap righ redzone:     fb
[-]   Freed Heap region:     fd
[-]   Stack left redzone:    f1
[-]   Stack mid redzone:     f2
[-]   Stack right redzone:   f3
[-]   Stack partial redzone: f4
[-]   Stack after return:    f5
[-]   Stack use after scope: f8
[-]   Global redzone:        f9
[-]   Global init order:     f6
[-]   Poisoned by user:      f7
[-]   ASan internal:         fe
[-] ==24598== ABORTING

techmeology.co.uk

Reporter

Updated

•

6 years ago

Version: unspecified → 28 Branch

techmeology.co.uk

Reporter

Updated

•

6 years ago

Summary: address sanitizer aurora → AddressSanitizer: stack-buffer-overflow on recent Aurora build

techmeology.co.uk

Reporter

Comment 1

•

6 years ago

The bug also appears in beta (pulled a few hours ago).

Summary: AddressSanitizer: stack-buffer-overflow on recent Aurora build → AddressSanitizer: stack-buffer-overflow on recent Aurora and Beta build

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Whiteboard: [asan]

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Component: Untriaged → JavaScript Engine

Product: Firefox → Core

Christian Holler (:decoder)

Comment 2

•

6 years ago

Can you please provide symbolized traces? We are not seeing this issue on aurora and beta with Clang ASan. Either this is a bug/false positive in GCC's ASan or for some reason Clang ASan misses it.

Blocks: asan-maintenance

Flags: needinfo?(techmeology.co.uk)

techmeology.co.uk

Reporter

Comment 3

•

6 years ago

Hello

Lines beginning "[+]" show symbolized output (I've not been able to get GCC's Asan to produce symbolized output on its own, so I wrote a script to do this from the unsymbolized output).
E.g: "[+]     #0 0x7f063682cde4 (/mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/objdir-ff-asan/toolkit/library/libxul.so+0x5f34de4): /mnt/sdb1/home/sandbox/aurora/asan-firefox-build/mozilla-release/js/src/gc/RootMarking.cpp:264"

Note: the reason I'm using GCC's ASAN (I noted the blocks task) is because I had difficulty with building Firefox using Clang before. But I haven't investigated this much recently.

I hope this helps

Flags: needinfo?(techmeology.co.uk)

Christian Holler (:decoder)

Comment 4

•

6 years ago

Okay, I was just confused by the missing function frames, but I see now that this is not a bug. The function frame in #0 points to this function:

MOZ_ASAN_BLACKLIST
static void
MarkRangeConservatively(JSTracer *trc, const uintptr_t *begin, const uintptr_t *end)
{
    JS_ASSERT(begin <= end);
    for (const uintptr_t *i = begin; i < end; ++i)
        MarkWordConservatively(trc, *i);
}


Note the MOZ_ASAN_BLACKLIST. That macro uses an annotation that tells Clang ASan to not instrument this function, because this function is allowed to touch invalid memory (it's part of the conservative stack scanner of the GC).

In order to properly use GCC ASan with Firefox, you need to tell GCC ASan to someone ignore this and other functions annotated with MOZ_ASAN_BLACKLIST. I don't know if and what ways GCC ASan offers to do this. Best would be to check with their manual or the GCC devs.

If there is something we can do to our macros then, then I'll happily make those changes.

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Group: core-security

Status: UNCONFIRMED → NEW

Component: JavaScript Engine → MFBT

Ever confirmed: true

Summary: AddressSanitizer: stack-buffer-overflow on recent Aurora and Beta build → MOZ_ASAN_BLACKLIST does not work with GCC ASAN

Nathan Froyd [:froydnj]

Assignee

Comment 5

•

6 years ago

(In reply to Christian Holler (:decoder) from comment #4)
> In order to properly use GCC ASan with Firefox, you need to tell GCC ASan to
> someone ignore this and other functions annotated with MOZ_ASAN_BLACKLIST. I
> don't know if and what ways GCC ASan offers to do this. Best would be to
> check with their manual or the GCC devs.
> 
> If there is something we can do to our macros then, then I'll happily make
> those changes.

It looks like our macros don't really support ASan in GCC.  I'll have a quick look through the GCC sources to tell whether they support no_sanitize_address.  (Pretty sure they do; there was strong support for source code annotations rather than -blacklist command-line options.)

Nathan Froyd [:froydnj]

Assignee

Comment 6

•

6 years ago

Attached patch update MOZ_ASAN_BLACKLIST to work with recent versions of GCC — Details — Splinter Review

All right, so a bit of code spelunking later, and we have some GCC support for
ASan.  Sadly, GCC's preprocessor doesn't let you know whether you're doing
TSan or not; should probably submit a patch for that upstream.

Nathan Froyd [:froydnj]

Assignee

Comment 7

•

6 years ago

Comment on attachment 8363078 [details] [diff] [review]
update MOZ_ASAN_BLACKLIST to work with recent versions of GCC

I guess Waldo gets to review this, even though his queue is pretty long.

If somebody else wanted to review this and then Waldo could pick nits after the fact, we could do that too.

Attachment #8363078 - Flags: review?(jwalden+bmo)

:ehsan akhgari

Updated

•

6 years ago

Attachment #8363078 - Flags: review?(jwalden+bmo) → review+

Nathan Froyd [:froydnj]

Assignee

Comment 8

•

6 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/70629eef62c6

Flags: in-testsuite-

Nathan Froyd [:froydnj]

Assignee

Updated

•

6 years ago

Assignee: nobody → nfroyd

Ryan VanderMeulen [:RyanVM]

Comment 9

•

6 years ago

https://hg.mozilla.org/mozilla-central/rev/70629eef62c6

Status: NEW → RESOLVED

Closed: 6 years ago

Resolution: --- → FIXED

Target Milestone: --- → mozilla29

asan.mozconfig 6 years ago techmeology.co.uk 1.38 KB, text/plain		Details
update MOZ_ASAN_BLACKLIST to work with recent versions of GCC 6 years ago Nathan Froyd [:froydnj] 1.77 KB, patch	ehsan : review+	Details \| Diff \| Splinter Review

Bugzilla

MOZ_ASAN_BLACKLIST does not work with GCC ASAN

Categories

(Core :: MFBT, defect)

Tracking

()

People

(Reporter: techmeology.co.uk, Assigned: froydnj)

References

(Blocks 1 open bug)

Details

(Whiteboard: [asan])

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Updated

Updated

Comment 2

Comment 3

Comment 4

Updated

Comment 5

Comment 6

Comment 7

Updated

Comment 8

Updated

Comment 9