Closed Bug 990230 Opened 10 years ago Closed 10 years ago

Fix Heap use after free in nsDumpUtils

Categories

(Toolkit :: about:memory, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla31
Tracking Status
firefox29 --- unaffected
firefox30 --- unaffected
firefox31 --- fixed
firefox-esr24 --- unaffected

People

(Reporter: RyanVM, Assigned: dhylands)

Details

(Keywords: intermittent-failure, Whiteboard: [fxos:media])

Attachments

(1 file)

I have no idea what component this should be filed under, but I'm assuming it's related to the recent clang upgrade. Also, the lack of symbols here hurts.

https://tbpl.mozilla.org/php/getParsedLog.php?id=37011493&tree=Mozilla-Inbound

Linux x86-64 mozilla-inbound debug asan build on 2014-03-31 08:39:34 PDT for push c5acdb9a42d6
slave: bld-linux64-spot-438

make[1]: Entering directory `/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/testing/xpcshell'
......................F.....
======================================================================
FAIL: testRandomExecution (__main__.XPCShellTestsTests)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/builds/slave/m-in-l64-asan-d-00000000000000/build/testing/xpcshell/selftest.py", line 588, in testRandomExecution
    self.assertTestResult(True, shuffle=True)
  File "/builds/slave/m-in-l64-asan-d-00000000000000/build/testing/xpcshell/selftest.py", line 242, in assertTestResult
    """ % ("passed" if expected else "failed", self.log.getvalue()))
AssertionError: Tests should have passed, log:
========
INFO | Running tests sequentially.
TEST-INFO | /tmp/tmpJ07QBf/test_pass_3.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_3.js | test passed (time: 365.627ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_1.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_1.js | test passed (time: 363.912ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_2.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_2.js | test passed (time: 365.180ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_9.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_9.js | test passed (time: 365.108ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_7.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_7.js | test passed (time: 364.693ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_0.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_0.js | test passed (time: 364.398ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_6.js | running test ...
TEST-PASS | /tmp/tmpJ07QBf/test_pass_6.js | test passed (time: 365.307ms)
TEST-INFO | /tmp/tmpJ07QBf/test_pass_5.js | running test ...
TEST-UNEXPECTED-FAIL | /tmp/tmpJ07QBf/test_pass_5.js | test failed (with xpcshell return code: 1), see following log:
>>>>>>>
=================================================================
==27754==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000031e70 at pc 0x7f30777d1888 bp 0x7f306abca140 sp 0x7f306abca138
READ of size 4 at 0x603000031e70 thread T1 (Gecko_IOThread)
    #0 0x7f30777d1887 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b3f887)
    #1 0x7f307785ac10 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bc8c10)
    #2 0x7f3077844199 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb2199)
    #3 0x7f3077844676 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb2676)
    #4 0x7f3077843769 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb1769)
    #5 0x7f3077fcdc51 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x233bc51)
    #6 0x7f3077fce5bf (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x233c5bf)
    #7 0x7f3077fceafa (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x233cafa)
    #8 0x7f3077f9b351 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x2309351)
    #9 0x7f3077fcd955 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x233b955)
    #10 0x7f3077fcd7f8 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x233b7f8)
    #11 0x7f3077ff539b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x236339b)
    #12 0x7f3077f9ca2c (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x230aa2c)
    #13 0x7f3081fc27f0 (/lib64/libpthread.so.0+0x77f0)
    #14 0x7f307456e92c (/lib64/libc.so.6+0xe592c)
0x603000031e70 is located 0 bytes inside of 24-byte region [0x603000031e70,0x603000031e88)
freed by thread T0 here:
    #0 0x47170b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/xpcshell+0x47170b)
    #1 0x7f3075a9073d (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libmozalloc.so+0x273d)
    #2 0x7f30777de0bc (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b4c0bc)
    #3 0x7f307785aa39 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bc8a39)
    #4 0x7f3077843f52 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb1f52)
    #5 0x7f307784854c (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb654c)
    #6 0x7f307784d36b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bbb36b)
    #7 0x7f30778080b3 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b760b3)
    #8 0x7f3077903a37 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c71a37)
    #9 0x7f30778fcf66 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c6af66)
    #10 0x7f30777d5f24 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b43f24)
    #11 0x7f3077859694 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bc7694)
    #12 0x7f307783eeed (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1baceed)
    #13 0x7f3077b1c79a (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1e8a79a)
    #14 0x7f3077a5c35c (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dca35c)
    #15 0x7f3077a5b02d (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dc902d)
    #16 0x7f3077a5a602 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dc8602)
    #17 0x7f3077a5ca26 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dcaa26)
    #18 0x7f30779d5f0e (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1d43f0e)
    #19 0x7f3077903a37 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c71a37)
    #20 0x7f30778fcf66 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c6af66)
    #21 0x7f30777d5f24 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b43f24)
    #22 0x7f30778013f4 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b6f3f4)
    #23 0x7f30777f8caa (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b66caa)
    #24 0x7f30777ceeb7 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b3ceb7)
    #25 0x7f30777ce61b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b3c61b)
    #26 0x7f3077907f31 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c75f31)
    #27 0x7f3077943761 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb1761)
    #28 0x7f3077943889 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb1889)
    #29 0x7f307794426a (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb226a)
previously allocated by thread T0 here:
    #0 0x471491 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/xpcshell+0x471491)
    #1 0x7f3075a9048d (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libmozalloc.so+0x248d)
    #2 0x7f30777ddf7e (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b4bf7e)
    #3 0x7f307785aa39 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bc8a39)
    #4 0x7f3077843f52 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb1f52)
    #5 0x7f3077848531 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bb6531)
    #6 0x7f307784d36b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bbb36b)
    #7 0x7f30778080b3 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b760b3)
    #8 0x7f3077903a37 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c71a37)
    #9 0x7f30778fcf66 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c6af66)
    #10 0x7f30777d5f24 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b43f24)
    #11 0x7f3077859694 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1bc7694)
    #12 0x7f307783eeed (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1baceed)
    #13 0x7f3077b1c79a (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1e8a79a)
    #14 0x7f3077a5c35c (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dca35c)
    #15 0x7f3077a5b02d (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dc902d)
    #16 0x7f3077a5a602 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dc8602)
    #17 0x7f3077a5ca26 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1dcaa26)
    #18 0x7f30779d5f0e (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1d43f0e)
    #19 0x7f3077903a37 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c71a37)
    #20 0x7f30778fcf66 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c6af66)
    #21 0x7f30777d5f24 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b43f24)
    #22 0x7f30778013f4 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b6f3f4)
    #23 0x7f30777f8caa (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b66caa)
    #24 0x7f30777ceeb7 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b3ceb7)
    #25 0x7f30777ce61b (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b3c61b)
    #26 0x7f3077907f31 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1c75f31)
    #27 0x7f3077943761 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb1761)
    #28 0x7f3077943889 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb1889)
    #29 0x7f307794426a (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1cb226a)
Thread T1 (Gecko_IOThread) created by T0 here:
    #0 0x45dd05 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/xpcshell+0x45dd05)
    #1 0x7f3077f9c987 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x230a987)
    #2 0x7f3077ff4eeb (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x2362eeb)
    #3 0x7f30777fbfc7 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x1b69fc7)
    #4 0x7f3079a7c739 (/builds/slave/m-in-l64-asan-d-00000000000000/build/obj-firefox/dist/bin/libxul.so+0x3dea739)
    #5 0x7f30744a7cdc (/lib64/libc.so.6+0x1ecdc)
SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c067fffe370: fa fa fa fa fa fa fa fa fa fa 00 00 00 00 fa fa
  0x0c067fffe380: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 fa
  0x0c067fffe390: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffe3a0: 05 fa fa fa 00 00 02 fa fa fa 00 00 00 fa fa fa
  0x0c067fffe3b0: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
=>0x0c067fffe3c0: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa[fd]fd
  0x0c067fffe3d0: fd fa fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa
  0x0c067fffe3e0: 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00 00 fa
  0x0c067fffe3f0: fa fa 00 00 00 fa fa fa 00 00 00 fa fa fa 00 00
  0x0c067fffe400: 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa
  0x0c067fffe410: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==27754==ABORTING
<<<<<<<
Depends on: 990266
Comment 3 is an ASAN error while running xpcshell during stage-package. Comment 7 is a crash in TestCookie. Whatever's going on here is pervasive but only hitting the build machines.
So for comment 7 the trace is again this (shortened it a bit):

==26437==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000032e90 at pc 0x7f3e399f796d bp 0x7f3e2d9e4370 sp 0x7f3e2d9e4368
READ of size 4 at 0x603000032e90 thread T1 (Gecko_IOThread)   
    #0 0x7f3e399f796c in RegisterSignalHandler obj-firefox/xpcom/base/../../dist/include/nsTArray.h:368
    #1 0x7f3e399f6550 in StartWatching xpcom/base/nsDumpUtils.cpp:83
    #2 0x7f3e3a245454 in RunTask ipc/chromium/src/base/message_loop.cc:344
    #3 0x7f3e3a246507 in DoWork ipc/chromium/src/base/message_loop.cc:430
    #4 0x7f3e3a21793c in Run ipc/chromium/src/base/message_pump_libevent.cc:311
    #5 0x7f3e3a243ec0 in RunInternal ipc/chromium/src/base/message_loop.cc:226
    #6 0x7f3e3a25c3e1 in ThreadMain ipc/chromium/src/base/thread.cc:162
    #7 0x7f3e3a21890c in ThreadFunc ipc/chromium/src/base/platform_thread_posix.cc:39

0x603000032e90 is located 0 bytes inside of 24-byte region [0x603000032e90,0x603000032ea8)
freed by thread T0 here:
    #0 0x47201b (obj-firefox/netwerk/test/TestCookie+0x47201b)
    #1 0x7f3e38654e9d in moz_xrealloc memory/mozalloc/mozalloc.cpp:84
    #2 0x7f3e39994f4f in Realloc obj-firefox/netwerk/wifi/../../dist/include/nsTArray.h:208
    #3 0x7f3e399f6c98 in AppendElements<SignalInfo> obj-firefox/xpcom/base/../../dist/include/nsTArray.h:1236
    #4 0x7f3e399fc374 in Initialize xpcom/base/nsMemoryInfoDumper.cpp:194
    #5 0x7f3e39a02705 in Init xpcom/base/nsMemoryReporterManager.cpp:890
    #6 0x7f3e399b7333 in nsMemoryReporterManagerConstructor xpcom/build/nsXPComInit.cpp:217
    #7 0x7f3e39ac03de in CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1079
    #8 0x7f3e39ab7530 in GetServiceByContractID xpcom/components/nsComponentManager.cpp:1434
    #9 0x7f3e3998d367 in CallGetService xpcom/glue/nsComponentManagerUtils.cpp:62
    #10 0x7f3e399f0d4f in nsCOMPtr obj-firefox/xpcom/base/../../dist/include/nsCOMPtr.h:658
    #11 0x7f3e39d0c525 in Init netwerk/dns/nsDNSService2.cpp:555
    #12 0x7f3e39c2cf07 in SetOffline netwerk/base/src/nsIOService.cpp:720
    #13 0x7f3e39c2be18 in InitializeNetworkLinkService netwerk/base/src/nsIOService.cpp:273
    #14 0x7f3e39c2b287 in Init netwerk/base/src/nsIOService.cpp:208
    #15 0x7f3e39c2db01 in GetInstance netwerk/base/src/nsIOService.cpp:286
    #16 0x7f3e39b9a855 in nsIOServiceConstructor netwerk/build/nsNetModule.cpp:58
    #17 0x7f3e39ac03de in CreateInstanceByContractID xpcom/components/nsComponentManager.cpp:1079
    #18 0x7f3e39ab7530 in GetServiceByContractID xpcom/components/nsComponentManager.cpp:1434
    #19 0x7f3e3998d367 in CallGetService xpcom/glue/nsComponentManagerUtils.cpp:62
    #20 0x7f3e399af444 in nsCOMPtr xpcom/build/../glue/nsCOMPtr.h:658
    #21 0x7f3e39affb01 in do_GetIOService obj-firefox/chrome/src/../../dist/include/nsNetUtil.h:101
    #22 0x7f3e39affd07 in ResolveURI chrome/src/nsChromeRegistryChrome.cpp:787
    #23 0x7f3e39b00907 in ManifestLocale chrome/src/nsChromeRegistryChrome.cpp:859
    #24 0x7f3e39aadd79 in ParseManifest xpcom/components/ManifestParser.cpp:636
    #25 0x7f3e39abb615 in RegisterManifest xpcom/components/nsComponentManager.cpp:540
    #26 0x7f3e39abb988 in ManifestManifest xpcom/components/nsComponentManager.cpp:553
    #27 0x7f3e39aada26 in ParseManifest xpcom/components/ManifestParser.cpp:647
    #28 0x7f3e39abb615 in RegisterManifest xpcom/components/nsComponentManager.cpp:540
    #29 0x7f3e39ab9440 in RereadChromeManifests xpcom/components/nsComponentManager.cpp:716
Does that make any sense? Who could we ask about this failure?
Maybe Nick has some idea?
Component: General → about:memory
Flags: needinfo?(n.nethercote)
Product: Core → Toolkit
Bah, I duplicated that work, but my money is on a regression from bug 964636.
(I symbolicated the stacks from comment 6, FWIW, and they're identical.)
I'll take a look at this today and see if I can find anything.
This looks like a threading issue.

One thread is Appending to the array, and another thread is trying to iterate through it at the same time.

I'll work up a patch which causes all of the array accesses/manipulations to occur on the I/O thread. That should fix this.
So distressingly, as I mentioned on IRC, we only see this on the build machines because our AWS Linux test machines are all single-core, which means we won't hit the same threading issues on them that we would on multi-core systems like our build machines (or lots of our users).
Flags: needinfo?(n.nethercote)
Makes all access to mSignalInfo and/or mFifoInfo occur on the I/O thread.

Also a few minor cleanups (removing unnecessary SignalPipeWatcher:: prefixes).
Assignee: nobody → dhylands
Attachment #8400873 - Attachment is patch: true
Comment on attachment 8400873 [details] [diff] [review]
Fix heap use-after-free in nsDumpUtils

njn - I put down you as a reviewer since it looks like you reviewed the original code done by jlebar.

Please reassign (or unassign yourself) if this isn't appropriate. Thanks.
Attachment #8400873 - Flags: review?(n.nethercote)
Whiteboard: [fxos:media]
Target Milestone: --- → 1.4 S5 (11apr)
(In reply to Dave Hylands [:dhylands] from comment #16)
> Created attachment 8400873 [details] [diff] [review]
> Fix heap use-after-free in nsDumpUtils
> 
> Makes all access to mSignalInfo and/or mFifoInfo occur on the I/O thread.
> 
> Also a few minor cleanups (removing unnecessary SignalPipeWatcher::
> prefixes).

This patch can fix the problem that I didn't find.
Thanks a lot.
Comment on attachment 8400873 [details] [diff] [review]
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873 [details] [diff] [review]:
-----------------------------------------------------------------

I think glandium reviewed the relevant parts of the original patch that implemented this code.
Attachment #8400873 - Flags: review?(n.nethercote) → review?(mh+mozilla)
Comment on attachment 8400873 [details] [diff] [review]
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873 [details] [diff] [review]:
-----------------------------------------------------------------

(In reply to Nicholas Nethercote [:njn] from comment #20)
> I think glandium reviewed the relevant parts of the original patch that
> implemented this code.

Unfortunately, I haven't. According to mercurial, dhylands did. He won't be reviewing his own patch, obviously. Alphan Chen wrote the original patch, I guess he could at least take a look at the patch to tell whether it makes sense to him or not. Anyways, I won't have immediate time to review the patch. Re-flagging Nick, whom I trust will take the appropriate further actions from here.
Attachment #8400873 - Flags: review?(mh+mozilla) → review?(n.nethercote)
https://tbpl.mozilla.org/php/getParsedLog.php?id=37516043&tree=Mozilla-Inbound

njn, review ping? :)
Flags: needinfo?(n.nethercote)
Comment on attachment 8400873 [details] [diff] [review]
Fix heap use-after-free in nsDumpUtils

Review of attachment 8400873 [details] [diff] [review]:
-----------------------------------------------------------------

rs=me if it fixes the problem.
Attachment #8400873 - Flags: review?(n.nethercote) → review+
Flags: needinfo?(n.nethercote)
Backed out for aborts during startup cache precompilation:
https://tbpl.mozilla.org/php/getParsedLog.php?id=37765493&tree=B2g-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=37764694&tree=B2g-Inbound
https://tbpl.mozilla.org/php/getParsedLog.php?id=37765028&tree=B2g-Inbound

eg:
Executing /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/xpcshell -g /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/ -a /builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/ -f /builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/precompile_cache.js -e precompile_startupcache("resource://gre/");
[32063] ###!!! ABORT: file /builds/slave/b2g-in-l64-d-00000000000000000/build/ipc/chromium/src/base/message_loop.h, line 517
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008FE003]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00907A19]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00907D2A]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00907FFD]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008E67B0]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00943473]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00943725]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008E0962]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00901DC3]
RegisterWeakMemoryReporter+0x0000001C [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00901F11]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009FF742]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009C0C3A]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009C0FA1]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009C431B]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009C5EC5]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0098C4F8]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00943473]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00943725]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008E0962]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008E9E22]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00956F26]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009571B4]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00957261]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0095729D]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009598A2]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0093CF9C]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009402F8]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009403E3]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0093D093]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x009402F8]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x00940398]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0094401A]
NS_InitXPCOM2+0x00000545 [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x008EC264]
XRE_XPCShellMain+0x00000635 [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/libxul.so +0x0140E573]
__libc_start_main+0x000000FD [/lib64/libc.so.6 +0x0001ECDD]
UNKNOWN [/builds/slave/b2g-in-l64-d-00000000000000000/build/obj-firefox/dist/bin/xpcshell +0x00002561]
[32063] ###!!! ABORT: file /builds/slave/b2g-in-l64-d-00000000000000000/build/ipc/chromium/src/base/message_loop.h, line 517
Hit MOZ_CRASH() at /builds/slave/b2g-in-l64-d-00000000000000000/build/memory/mozalloc/mozalloc_abort.cpp:30
Traceback (most recent call last):
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 401, in <module>
    main()
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 393, in main
    args.source, gre_path, base)
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/toolkit/mozapps/installer/packager.py", line 158, in precompile_cache
    errors.fatal('Error while running startup cache precompilation')
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/python/mozbuild/mozpack/errors.py", line 101, in fatal
    self._handle(self.FATAL, msg)
  File "/builds/slave/b2g-in-l64-d-00000000000000000/build/python/mozbuild/mozpack/errors.py", line 96, in _handle
    raise ErrorMessage(msg)
mozpack.errors.ErrorMessage: Error: Error while running startup cache precompilation
So, thoughts?
Flags: needinfo?(dhylands)
Blocks: 994326
(In reply to Ted Mielczarek [:ted.mielczarek] from comment #47)
> So, thoughts?

My next thoughts are to remove the punting to IOThread and just put in a mutex to lock access to the array.

The array is only accessed at startup when clients are registering interest, and then when the signal fires to generate a memory report, so the contention points are quite small.

It would also be possible to preallocate the array to some size and fail to register a client rather than resize the array (I tend to prefer using the mutex in this particular scenario).
Flags: needinfo?(dhylands)
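The race described in "This looks like a threading issue" above, and the two remedies proposed after the backout (a mutex around the array, or preallocating it and refusing to grow), as an added example in standard C++. This is not Mozilla code: `SignalInfo` here is a hypothetical stand-in for the entries in mSignalInfo, `std::vector` stands in for nsTArray, and the class and function names are the example's own.

```cpp
// Added example, not code from the Mozilla tree: two ways to make a
// registration array safe against the append/iterate race described here.
#include <atomic>
#include <cstddef>
#include <functional>
#include <mutex>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for the SignalInfo entries held in mSignalInfo.
struct SignalInfo {
    int signum;                         // signal the client is interested in
    std::function<void(int)> callback;  // run when that signal fires
};

// Option 1 (what the bug settled on): one mutex around every array access.
// push_back() may still reallocate and free the old buffer, as
// AppendElements<SignalInfo> did in the trace, but nobody can be walking the
// array while the lock is held, so the freed buffer is never read.
class LockedSignalRegistry {
public:
    void Register(int signum, std::function<void(int)> cb) {
        std::lock_guard<std::mutex> guard(mMutex);
        mInfos.push_back(SignalInfo{signum, std::move(cb)});
    }
    // Copy matching callbacks out under the lock and run them after releasing
    // it, so a callback that re-enters Register() cannot deadlock.
    size_t Dispatch(int signum) {
        std::vector<std::function<void(int)>> toRun;
        {
            std::lock_guard<std::mutex> guard(mMutex);
            for (const SignalInfo& info : mInfos)
                if (info.signum == signum) toRun.push_back(info.callback);
        }
        for (auto& cb : toRun) cb(signum);
        return toRun.size();
    }
    size_t Count() { std::lock_guard<std::mutex> g(mMutex); return mInfos.size(); }
private:
    std::mutex mMutex;
    std::vector<SignalInfo> mInfos;     // stands in for nsTArray<SignalInfo>
};

// Option 2 (the alternative floated in the same comment): preallocate and
// refuse to grow, so there is never a freed buffer to read. The count is
// published with a release store after the slot is written, so the reader
// never sees a half-built entry. Assumes a single registering thread, which
// matches the trace (every allocation and free happened on T0).
template <size_t kCapacity>
class FixedSignalRegistry {
public:
    bool Register(int signum, std::function<void(int)> cb) {
        size_t idx = mCount.load(std::memory_order_relaxed);
        if (idx >= kCapacity) return false;   // full: fail rather than resize
        mSlots[idx] = SignalInfo{signum, std::move(cb)};
        mCount.store(idx + 1, std::memory_order_release);
        return true;
    }
    size_t Dispatch(int signum) {
        size_t n = mCount.load(std::memory_order_acquire);
        size_t ran = 0;
        for (size_t i = 0; i < n; ++i)
            if (mSlots[i].signum == signum) { mSlots[i].callback(signum); ++ran; }
        return ran;
    }
    size_t Count() const { return mCount.load(std::memory_order_acquire); }
private:
    SignalInfo mSlots[kCapacity]{};
    std::atomic<size_t> mCount{0};
};

// Reproduce the shape of the race from the ASan report: one thread registers
// while another dispatches. Each returns true when every registration is
// accounted for afterwards; run under ASan or TSan to confirm it stays clean.
bool StressLocked(int registrations) {
    LockedSignalRegistry reg;
    std::atomic<int> fired{0};
    std::thread writer([&] {
        for (int i = 0; i < registrations; ++i)
            reg.Register(i % 2, [&](int) { fired.fetch_add(1); });
    });
    std::thread reader([&] { for (int i = 0; i < registrations; ++i) reg.Dispatch(i % 2); });
    writer.join();
    reader.join();
    // With an even count, signum 0 holds exactly half of the registrations.
    return reg.Count() == static_cast<size_t>(registrations) &&
           reg.Dispatch(0) == static_cast<size_t>(registrations / 2);
}

bool StressFixed(int registrations) {
    FixedSignalRegistry<64> reg;
    int accepted = 0;                   // only touched by the writer thread
    std::thread writer([&] {
        for (int i = 0; i < registrations; ++i)
            if (reg.Register(i % 2, [](int) {})) ++accepted;
    });
    std::thread reader([&] { for (int i = 0; i < registrations; ++i) reg.Dispatch(i % 2); });
    writer.join();
    reader.join();
    size_t expected = registrations < 64 ? static_cast<size_t>(registrations) : 64;
    return reg.Count() == expected && static_cast<size_t>(accepted) == expected;
}

int main() { return (StressLocked(200) && StressFixed(100)) ? 0 : 1; }
```

The symbolicated trace in this bug is exactly the shape these stress functions exercise: T0 grew the array in `AppendElements<SignalInfo>` (freeing the old buffer through `moz_xrealloc`) while T1 was reading it from `StartWatching`. The first patch avoided the race by moving every access onto the I/O thread, but that dispatch aborted in message_loop.h during startup cache precompilation, which is why the mutex version is the one that landed. Preallocation removes the reallocation, and with it the freed buffer, but on its own does not order publication of a new entry against the reader; the release/acquire pair on the count does that for the single-writer case.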
Since the try run looks green, pushing this revised version:

https://hg.mozilla.org/integration/b2g-inbound/rev/e224847eaf96
https://hg.mozilla.org/mozilla-central/rev/e224847eaf96
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: 1.4 S5 (11apr) → mozilla31
Renamed, so the TBPL robot will assign stuff to bug 1017068 instead (comments 60 thru 62 appear to be webgl related).
Summary: Intermittent ASAN "SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??" errors with unusable stacks → Fix Heap use after free in nsDumpUtils