Closed
Bug 990230
Opened 10 years ago
Closed 10 years ago
Fix Heap use after free in nsDumpUtils
Categories
(Toolkit :: about:memory, defect)
Tracking
RESOLVED
FIXED
mozilla31
Flag | Tracking | Status |
---|---|---|
firefox29 | --- | unaffected |
firefox30 | --- | unaffected |
firefox31 | --- | fixed |
firefox-esr24 | --- | unaffected |
People
(Reporter: RyanVM, Assigned: dhylands)
References
Details
(Keywords: intermittent-failure, Whiteboard: [fxos:media])
Attachments
(1 file)
9.08 KB, patch | n.nethercote: review+
I have no idea what component this should be filed under, but I'm assuming it's related to the recent clang upgrade. Also, the lack of symbols here hurts.

https://tbpl.mozilla.org/php/getParsedLog.php?id=37011493&tree=Mozilla-Inbound
Linux x86-64 mozilla-inbound debug asan build on 2014-03-31 08:39:34 PDT for push c5acdb9a42d6
slave: bld-linux64-spot-438

make[1]: Entering directory `/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/testing/xpcshell'
......................F.....
======================================================================
FAIL: testRandomExecution (__main__.XPCShellTestsTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builds/slave/m-in-l64-asan-d-00000000000000/build/testing/xpcshell/selftest.py", line 588, in testRandomExecution
    self.assertTestResult(True, shuffle=True)
  File "/builds/slave/m-in-l64-asan-d-00000000000000/build/testing/xpcshell/selftest.py", line 242, in assertTestResult
    """ % ("passed" if expected else "failed", self.log.getvalue()))
AssertionError: Tests should have passed, log:
========
INFO | Running tests sequentially.
TEST-INFO | /tmp/tmpJ07QBf/test_pass_3.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_3.js | test passed (time: 365.627ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_1.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_1.js | test passed (time: 363.912ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_2.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_2.js | test passed (time: 365.180ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_9.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_9.js | test passed (time: 365.108ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_7.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_7.js | test passed (time: 364.693ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_0.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_0.js | test passed (time: 364.398ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_6.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_6.js | test passed (time: 365.307ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_5.js | running test ...
TEST-UNEXPECTED-FAIL | /tmp/tmpJ07QBf/test_pass_5.js | test failed (with xpcshell return code: 1), see following log:
>>>>>>>
=================================================================
==27754==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000031e70 at pc 0x7f30777d1888 bp 0x7f306abca140 sp 0x7f306abca138
READ of size 4 at 0x603000031e70 thread T1 (Gecko_IOThread)
    [unsymbolicated stack frames]
0x603000031e70 is located 0 bytes inside of 24-byte region [0x603000031e70,0x603000031e88)
freed by thread T0 here:
    [unsymbolicated stack frames]
previously allocated by thread T0 here:
    [unsymbolicated stack frames]
Thread T1 (Gecko_IOThread) created by T0 here:
    [unsymbolicated stack frames]
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
==27754==ABORTING
<<<<<<<
Reporter
Updated•10 years ago
Keywords: intermittent-failure
Reporter
Comment 1•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37010061&tree=Mozilla-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=37014588&tree=Fx-Team
Comment 8•10 years ago
comment 3 is an ASAN error while running xpcshell during stage-package. comment 7 is a crash in TestCookie. Whatever's going on here is pervasive but only hitting the build machines.
Comment 9•10 years ago
So for comment 7 the trace is again this (shortened it a bit):

==26437==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000032e90 at pc 0x7f3e399f796d bp 0x7f3e2d9e4370 sp 0x7f3e2d9e4368
READ of size 4 at 0x603000032e90 thread T1 (Gecko_IOThread)
    #0 0x7f3e399f796c in RegisterSignalHandler obj-firefox/xpcom/base/../../dist/include/nsTArray.h:368
    #1 0x7f3e399f6550 in StartWatching xpcom/base/nsDumpUtils.cpp:83
    #2 0x7f3e3a245454 in RunTask ipc/chromium/src/base/message_loop.cc:344
    #3 0x7f3e3a246507 in DoWork ipc/chromium/src/base/message_loop.cc:430
    #4 0x7f3e3a21793c in Run ipc/chromium/src/base/message_pump_libevent.cc:311
    #5 0x7f3e3a243ec0 in RunInternal ipc/chromium/src/base/message_loop.cc:226
    #6 0x7f3e3a25c3e1 in ThreadMain ipc/chromium/src/base/thread.cc:162
    #7 0x7f3e3a21890c in ThreadFunc ipc/chromium/src/base/platform_thread_posix.cc:39
0x603000032e90 is located 0 bytes inside of 24-byte region [0x603000032e90,0x603000032ea8)
freed by thread T0 here:
    #0 0x47201b (obj-firefox/netwerk/test/TestCookie+0x47201b)
    #1 0x7f3e38654e9d in moz_xrealloc memory/mozalloc/mozalloc.cpp:84
    #2 0x7f3e39994f4f in Realloc obj-firefox/netwerk/wifi/../../dist/include/nsTArray.h:208
    #3 0x7f3e399f6c98 in AppendElements<SignalInfo> obj-firefox/xpcom/base/../../dist/include/nsTArray.h:1236
    #4 0x7f3e399fc374 in Initialize xpcom/base/nsMemoryInfoDumper.cpp:194
    #5 0x7f3e39a02705 in Init xpcom/base/nsMemoryReporterManager.cpp:890
    #6 0x7f3e399b7333 in nsMemoryReporterManagerConstructor xpcom/build/nsXPComInit.cpp:217
    #7 0x7f3e39ac03de in CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1079
    #8 0x7f3e39ab7530 in GetServiceByContractID xpcom/components/nsComponentManager.cpp:1434
    #9 0x7f3e3998d367 in CallGetService xpcom/glue/nsComponentManagerUtils.cpp:62
    #10 0x7f3e399f0d4f in nsCOMPtr obj-firefox/xpcom/base/../../dist/include/nsCOMPtr.h:658
    #11 0x7f3e39d0c525 in Init netwerk/dns/nsDNSService2.cpp:555
    #12 0x7f3e39c2cf07 in SetOffline netwerk/base/src/nsIOService.cpp:720
    #13 0x7f3e39c2be18 in InitializeNetworkLinkService netwerk/base/src/nsIOService.cpp:273
    #14 0x7f3e39c2b287 in Init netwerk/base/src/nsIOService.cpp:208
    #15 0x7f3e39c2db01 in GetInstance netwerk/base/src/nsIOService.cpp:286
    #16 0x7f3e39b9a855 in nsIOServiceConstructor netwerk/build/nsNetModule.cpp:58
    #17 0x7f3e39ac03de in CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1079
    #18 0x7f3e39ab7530 in GetServiceByContractID xpcom/components/nsComponentManager.cpp:1434
    #19 0x7f3e3998d367 in CallGetService xpcom/glue/nsComponentManagerUtils.cpp:62
    #20 0x7f3e399af444 in nsCOMPtr xpcom/build/../glue/nsCOMPtr.h:658
    #21 0x7f3e39affb01 in do_GetIOService obj-firefox/chrome/src/../../dist/include/nsNetUtil.h:101
    #22 0x7f3e39affd07 in ResolveURI chrome/src/nsChromeRegistryChrome.cpp:787
    #23 0x7f3e39b00907 in ManifestLocale chrome/src/nsChromeRegistryChrome.cpp:859
    #24 0x7f3e39aadd79 in ParseManifest xpcom/components/ManifestParser.cpp:636
    #25 0x7f3e39abb615 in RegisterManifest xpcom/components/nsComponentManager.cpp:540
    #26 0x7f3e39abb988 in ManifestManifest xpcom/components/nsComponentManager.cpp:553
    #27 0x7f3e39aada26 in ParseManifest xpcom/components/ManifestParser.cpp:647
    #28 0x7f3e39abb615 in RegisterManifest xpcom/components/nsComponentManager.cpp:540
    #29 0x7f3e39ab9440 in RereadChromeManifests xpcom/components/nsComponentManager.cpp:716

Does that make any sense? Who could we ask about this failure?
Comment 10•10 years ago
Maybe Nick has some idea?
Component: General → about:memory
Flags: needinfo?(n.nethercote)
Product: Core → Toolkit
Comment 11•10 years ago
Bah, I duplicated that work, but my money is on a regression from bug 964636.
Comment 12•10 years ago
(I symbolicated the stacks from comment 6, FWIW, and they're identical.)
Assignee
Comment 13•10 years ago
I'll take a look at this today and see if I can find anything.
Assignee
Comment 14•10 years ago
This looks like a threading issue. One thread is Appending to the array, and another thread is trying to iterate through it at the same time. I'll work up a patch which causes all of the array accesses/manipulations to occur on the I/O thread. That should fix this.
Comment 15•10 years ago
So distressingly, as I mentioned on IRC, we only see this on the build machines because our AWS Linux test machines are all single-core, which means we won't hit the same threading issues on them that we would on multi-core systems like our build machines (or lots of our users).
Flags: needinfo?(n.nethercote)
Assignee
Comment 16•10 years ago
Makes all access to mSignalInfo and/or mFifoInfo occur on the I/O thread. Also a few minor cleanups (removing unnecessary SignalPipeWatcher:: prefixes).
Assignee
Updated•10 years ago
Assignee: nobody → dhylands
Assignee
Updated•10 years ago
Attachment #8400873 - Attachment is patch: true
Assignee
Comment 17•10 years ago
Comment on attachment 8400873
Fix heap use-after-free in nsDumpUtils

njn - I put you down as a reviewer since it looks like you reviewed the original code done by jlebar. Please reassign (or unassign yourself) if this isn't appropriate.

Thanks
Attachment #8400873 -
Flags: review?(n.nethercote)
Assignee
Updated•10 years ago
Whiteboard: [fxos:media]
Target Milestone: --- → 1.4 S5 (11apr)
Comment 19•10 years ago
(In reply to Dave Hylands [:dhylands] from comment #16)
> Created attachment 8400873
> Fix heap use-after-free in nsDumpUtils
>
> Makes all access to mSignalInfo and/or mFifoInfo occur on the I/O thread.
>
> Also a few minor cleanups (removing unnecessary SignalPipeWatcher::
> prefixes).

This patch can fix the problem that I didn't find out. Thanks a lot.
Comment 20•10 years ago
Comment on attachment 8400873
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873:
-----------------------------------------------------------------

I think glandium reviewed the relevant parts of the original patch that implemented this code.
Attachment #8400873 -
Flags: review?(n.nethercote) → review?(mh+mozilla)
Comment 29•10 years ago
Comment on attachment 8400873
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873:
-----------------------------------------------------------------

(In reply to Nicholas Nethercote [:njn] from comment #20)
> I think glandium reviewed the relevant parts of the original patch that
> implemented this code.

Unfortunately, I haven't. According to mercurial, dhylands did. He won't be reviewing his own patch, obviously. Alphan Chen wrote the original patch, I guess he could at least take a look at the patch to tell whether it makes sense to him or not.

Anyways, I won't have immediate time to review the patch. Re-flagging Nick, whom I trust will take the appropriate further actions from here.
Attachment #8400873 -
Flags: review?(mh+mozilla) → review?(n.nethercote)
Reporter
Comment 32•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37516043&tree=Mozilla-Inbound

njn, review ping? :)
Flags: needinfo?(n.nethercote)
Reporter
Comment 33•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37532207&tree=B2g-Inbound
Comment 36•10 years ago
Comment on attachment 8400873
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873:
-----------------------------------------------------------------

rs=me if it fixes the problem.
Attachment #8400873 -
Flags: review?(n.nethercote) → review+
Reporter
Comment 37•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37651157&tree=Mozilla-Central
Updated•10 years ago
Flags: needinfo?(n.nethercote)
Assignee
Comment 42•10 years ago
https://hg.mozilla.org/integration/b2g-inbound/rev/bd71f9da9d7d
Comment 43•10 years ago
Backed out for aborts during startup cache precompilation:
https://tbpl.mozilla.org/php/getParsedLog.php?id=37765493&tree=B2g-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=37764694&tree=B2g-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=37765028&tree=B2g-Inbound

eg:
Executing /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/xpcshell -g /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/ -a /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/ -f /builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/precompile_cache.js -e precompile_startupcache("resource://gre/");
[32063] ###!!! ABORT: file /builds/slave/b2g-in-l64-d-00000000000000000/build/ipc/chromium/src/base/message_loop.h, line 517
[unsymbolicated stack frames]
RegisterWeakMemoryReporter+0x0000001C [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00901F11]
[unsymbolicated stack frames]
NS_InitXPCOM2+0x00000545 [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008EC264]
XRE_XPCShellMain+0x00000635 [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0140E573]
__libc_start_main+0x000000FD [/lib64/libc.so.6 +0x0001ECDD]
[unsymbolicated stack frames]
[32063] ###!!! ABORT: file /builds/slave/b2g-in-l64-d-00000000000000000/build/ipc/chromium/src/base/message_loop.h, line 517
Hit MOZ_CRASH() at /builds/slave/b2g-in-l64-d-00000000000000000/build/memory/mozalloc/mozalloc_abort.cpp:30
Traceback (most recent call last):
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 401, in <module>
    main()
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 393, in main
    args.source, gre_path, base)
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 158, in precompile_cache
    errors.fatal('Error while running startup cache precompilation')
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/python/mozbuild/mozpack/errors.py", line 101, in fatal
    self._handle(self.FATAL, msg)
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/python/mozbuild/mozpack/errors.py", line 96, in _handle
    raise ErrorMessage(msg)
mozpack.errors.ErrorMessage: Error: Error while running startup cache precompilation
Reporter
Comment 44•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37768113&tree=Mozilla-Inbound
Reporter
Comment 46•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=37871019&tree=Mozilla-Inbound
Assignee
Comment 48•10 years ago
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #47)
> So, thoughts?

My next thoughts are to remove the punting to IOThread and just put in a mutex to lock access to the array. The array is only accessed at startup when clients are registering interest, and then when the signal fires to generate a memory report, so the contention points are quite small. It would also be possible to preallocate the array to some size and fail to register a client rather than resize the array (I tend to prefer using the mutex in this particular scenario).
Flags: needinfo?(dhylands)
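The race diagnosed in comment 14 and the mutex approach proposed in comment 48, as an added C++ sketch that is not part of this bug or of the landed patch. std::vector and std::mutex stand in for nsTArray and Gecko's mutex, and SignalRegistry, Dispatch, Size, CountReallocations, RunConcurrentDemo and kDumpSignal are hypothetical names.

```cpp
// Added illustration, not Mozilla code. Names other than mSignalInfo,
// SignalInfo and RegisterSignalHandler are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <functional>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

const int kDumpSignal = 1;  // constructed placeholder signal number

struct SignalInfo {
  int signal;
  std::function<void(int)> callback;
};

// Root cause: growing the array frees its old buffer. Counts how often
// appending n entries moves the storage (addresses are compared as
// integers; the stale buffer is never read).
std::size_t CountReallocations(std::size_t n) {
  std::vector<SignalInfo> v;
  std::size_t moves = 0;
  for (std::size_t i = 0; i < n; ++i) {
    const auto before = reinterpret_cast<std::uintptr_t>(v.data());
    v.push_back(SignalInfo{static_cast<int>(i), nullptr});
    if (before != 0 && reinterpret_cast<std::uintptr_t>(v.data()) != before) ++moves;
  }
  return moves;
}

class SignalRegistry {
 public:
  // Any thread (in the bug: the main thread during startup).
  void RegisterSignalHandler(int signal, std::function<void(int)> cb) {
    std::lock_guard<std::mutex> lock(mLock);
    mSignalInfo.push_back(SignalInfo{signal, std::move(cb)});  // may reallocate
  }

  // Watcher thread (in the bug: Gecko_IOThread). Returns callbacks invoked.
  std::size_t Dispatch(int signal) {
    std::vector<std::function<void(int)>> toRun;
    {
      std::lock_guard<std::mutex> lock(mLock);  // no append can free the buffer mid-walk
      for (const SignalInfo& info : mSignalInfo) {
        if (info.signal == signal) toRun.push_back(info.callback);
      }
    }
    // Callbacks run unlocked so one that registers a handler cannot deadlock.
    for (auto& cb : toRun) cb(signal);
    return toRun.size();
  }

  std::size_t Size() {
    std::lock_guard<std::mutex> lock(mLock);
    return mSignalInfo.size();
  }

 private:
  std::mutex mLock;
  std::vector<SignalInfo> mSignalInfo;
};

// One thread registers n handlers while another dispatches continuously, the
// interleaving that only multi-core machines hit. Returns how many callbacks
// a final dispatch runs once both threads have finished.
std::size_t RunConcurrentDemo(std::size_t n) {
  std::atomic<std::size_t> hits{0};
  std::atomic<bool> done{false};
  SignalRegistry registry;
  std::thread watcher([&] {
    while (!done.load()) registry.Dispatch(kDumpSignal);
  });
  std::thread registrar([&] {
    for (std::size_t i = 0; i < n; ++i) {
      registry.RegisterSignalHandler(kDumpSignal, [&hits](int) { ++hits; });
    }
    done.store(true);
  });
  registrar.join();
  watcher.join();
  hits = 0;
  registry.Dispatch(kDumpSignal);
  return hits.load();
}

int main() {
  std::printf("buffer moves while appending 64 entries: %zu\n", CountReallocations(64));
  std::printf("callbacks run after concurrent registration: %zu\n", RunConcurrentDemo(200));
  return 0;
}
```

Compile with -pthread; adding -fsanitize=thread lets ThreadSanitizer check that the two threads never touch mSignalInfo without the lock.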
Assignee
Comment 51•10 years ago
https://tbpl.mozilla.org/?tree=Try&rev=40b5a8866958
Reporter
Comment 56•10 years ago
https://tbpl.mozilla.org/php/getParsedLog.php?id=38036362&tree=Mozilla-Inbound
Assignee
Comment 58•10 years ago
Since the try run looks green, pushing this revised version:
https://hg.mozilla.org/integration/b2g-inbound/rev/e224847eaf96
Reporter
Comment 59•10 years ago
https://hg.mozilla.org/mozilla-central/rev/e224847eaf96
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: 1.4 S5 (11apr) → mozilla31
Reporter
Updated•10 years ago
status-firefox29: --- → unaffected
status-firefox30: --- → unaffected
status-firefox31: --- → fixed
status-firefox-esr24: --- → unaffected
Assignee
Comment 63•10 years ago
Renamed, so the TBPL robot will assign stuff to bug 1017068 instead (comments 60 thru 62 appear to be webgl related)
Summary: Intermittent ASAN "SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??" errors with unusable stacks → Fix Heap use after free in nsDumpUtils