Bug 1419608 - AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32 in isSome
Status: Closed (RESOLVED FIXED), target milestone mozilla59
Opened 7 years ago
Closed 7 years ago
Categories: Core :: Graphics: ImageLib, defect

Branch | Tracking | Status
---|---|---
firefox59 | --- | fixed

People: Reporter: decoder, Assigned: tnikkel
References: Blocks 1 open bug
Attachments (1 file): patch, 947 bytes, reviewed by decoder (review+)

Description
I got the following failure in multiple places when I tried to land Clang 6 for ASan:
REFTEST TEST-LOAD | file:///builds/worker/workspace/build/tests/reftest/tests/dom/media/test/crashtests/1411322.html | 590 / 3491 (16%)
=================================================================
==1050==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffff57d5950 at pc 0x7fcd9fca8f11 bp 0x7ffff57d5890 sp 0x7ffff57d5888
READ of size 1 at 0x7ffff57d5950 thread T0 (Web Content)
#0 0x7fcd9fca8f10 in isSome /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32
#1 0x7fcd9fca8f10 in operator bool /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:223
#2 0x7fcd9fca8f10 in imgMemoryReporter::ReportSurfaces(nsIHandleReportCallback*, nsISupports*, nsTSubstring<char> const&, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:320
#3 0x7fcd9fca6020 in imgMemoryReporter::ReportImage(nsIHandleReportCallback*, nsISupports*, char const*, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:272:5
#4 0x7fcd9fca568d in imgMemoryReporter::ReportCounterArray(nsIHandleReportCallback*, nsISupports*, nsTArray<mozilla::image::ImageMemoryCounter>&, char const*, bool) /builds/worker/workspace/build/src/image/imgLoader.cpp:232:9
#5 0x7fcd9fc81c12 in imgMemoryReporter::CollectReports(nsIHandleReportCallback*, nsISupports*, bool) /builds/worker/workspace/build/src/image/imgLoader.cpp:109:5
#6 0x7fcd9cfe5419 in operator() /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:1777:17
#7 0x7fcd9cfe5419 in mozilla::detail::RunnableFunction<nsMemoryReporterManager::DispatchReporter(nsIMemoryReporter*, bool, nsIHandleReportCallback*, nsISupports*, bool)::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:529
#8 0x7fcd9d117cd4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#9 0x7fcd9d133850 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#10 0x7fcd9df911ca in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#11 0x7fcd9deedbd9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#12 0x7fcd9deedbd9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#13 0x7fcd9deedbd9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#14 0x7fcda42ab91a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
#15 0x7fcda89c0acb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
#16 0x7fcd9deedbd9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#17 0x7fcd9deedbd9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#18 0x7fcd9deedbd9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#19 0x7fcda89c04d7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
#20 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#21 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#22 0x7fcdbba3582f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#23 0x41e078 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e078)
Address 0x7ffff57d5950 is located in stack of thread T0 (Web Content) at offset 176 in frame
#0 0x7fcd9fca729f in imgMemoryReporter::ReportSurfaces(nsIHandleReportCallback*, nsISupports*, nsTSubstring<char> const&, mozilla::image::ImageMemoryCounter const&) /builds/worker/workspace/build/src/image/imgLoader.cpp:281
This frame has 3 object(s):
[32, 120) 'surfacePathPrefix' (line 283)
[160, 192) 'ref.tmp' (line 318) <== Memory access at offset 176 is inside this variable
[224, 376) 'aspect' (line 329)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:224:32 in isSome
Shadow bytes around the buggy address:
0x10007eaf2ad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2ae0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2af0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2b10: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00
=>0x10007eaf2b20: 00 00 00 f2 f2 f2 f2 f2 f8 f8[f8]f8 f2 f2 f2 f2
0x10007eaf2b30: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x10007eaf2b40: f8 f8 f8 f3 f3 f3 f3 f3 f3 f3 f3 f3 00 00 00 00
0x10007eaf2b50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10007eaf2b70: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==1050==ABORTING
Comment 1 (assignee, 7 years ago)
Assignee: nobody → tnikkel
Attachment #8930765 - Flags: review?(choller)

Updated by reporter (7 years ago)
Attachment #8930765 - Flags: review?(choller) → review+
Pushed by choller@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/41717d086ca1
Make SurfaceKey::SVGContext return a reference instead of a copy. r=decoder
Note to future me: always make sure the things that should be refs are actually refs. Thanks for taking care of this!
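The lifetime rule behind this report, as an added illustration that is not code from the Mozilla tree: the frame info above shows a temporary `Maybe` (`ref.tmp`, line 318) whose `isSome` flag is read two lines later, and the fix changes the getter to return a reference instead of a copy. One call shape that produces exactly that is binding a `const SVGImageContext&` through `.ref()` on a `Maybe<SVGImageContext>` returned by value: C++ extends a temporary's lifetime only when the temporary itself is bound to a reference, not when a reference is taken to one of its sub-objects through an accessor, so the temporary dies at the end of the statement and the reference dangles. The `Maybe`, `SVGImageContext` and `SurfaceKey` types below are minimal hypothetical stand-ins, the getter names `SVGContextByValue`/`SVGContextByRef` are my own, and the example detects the dangling case by recording the address of the last destroyed object rather than reading through the stale reference (which would be undefined behaviour).

```cpp
#include <cstdio>
#include <new>

// Minimal stand-in for mozilla::Maybe<T> (hypothetical, added for this example).
template <typename T>
class Maybe {
  alignas(T) unsigned char mStorage[sizeof(T)];
  bool mIsSome = false;

 public:
  Maybe() = default;
  Maybe(const T& aValue) : mIsSome(true) { new (mStorage) T(aValue); }
  Maybe(const Maybe& aOther) : mIsSome(aOther.mIsSome) {
    if (mIsSome) new (mStorage) T(aOther.ref());
  }
  Maybe& operator=(const Maybe&) = delete;
  ~Maybe() { if (mIsSome) ref().~T(); }

  bool isSome() const { return mIsSome; }
  explicit operator bool() const { return isSome(); }
  const T& ref() const { return *reinterpret_cast<const T*>(mStorage); }
  T& ref() { return *reinterpret_cast<T*>(mStorage); }
};

// Stand-in for SVGImageContext. The destructor records which object just died,
// so a caller can tell whether a reference it holds now points at destroyed
// storage without ever reading through that reference.
struct SVGImageContext {
  static const void* sLastDestroyed;
  int mViewportWidth;
  explicit SVGImageContext(int aWidth) : mViewportWidth(aWidth) {}
  ~SVGImageContext() { sLastDestroyed = this; }
};
const void* SVGImageContext::sLastDestroyed = nullptr;

// Stand-in for SurfaceKey with both getter shapes side by side.
class SurfaceKey {
  Maybe<SVGImageContext> mSVGContext;

 public:
  explicit SurfaceKey(int aWidth) : mSVGContext(SVGImageContext(aWidth)) {}
  // Pre-fix shape: returns a copy, i.e. a temporary at the call site.
  Maybe<SVGImageContext> SVGContextByValue() const { return mSVGContext; }
  // Post-fix shape: returns a reference to the member; no temporary is created.
  const Maybe<SVGImageContext>& SVGContextByRef() const { return mSVGContext; }
};

// Reference bound through .ref() on a temporary: the temporary Maybe and its
// payload are destroyed at the ';', so `ctx` dangles from then on.
// Returns true when the referent is the object that was just destroyed.
bool RefIntoCopyDangles() {
  SurfaceKey key(100);
  SVGImageContext::sLastDestroyed = nullptr;
  const SVGImageContext& ctx = key.SVGContextByValue().ref();
  return SVGImageContext::sLastDestroyed == &ctx;  // true: already dead
}

// Same call shape against the reference-returning getter: `ctx` aliases the
// member inside `key`, and the binding destroys nothing.
bool RefIntoMemberDangles() {
  SurfaceKey key(100);
  SVGImageContext::sLastDestroyed = nullptr;
  const SVGImageContext& ctx = key.SVGContextByRef().ref();
  return SVGImageContext::sLastDestroyed == &ctx;  // false: still alive
}

// Binding the whole temporary Maybe to a const& is the one case where C++
// extends the temporary's lifetime to that of the reference; chaining .ref()
// (or any other accessor) on it first forfeits that extension.
bool WholeTemporaryBindingIsExtended() {
  SurfaceKey key(100);
  SVGImageContext::sLastDestroyed = nullptr;
  const Maybe<SVGImageContext>& whole = key.SVGContextByValue();
  return SVGImageContext::sLastDestroyed == nullptr && whole.isSome() &&
         whole.ref().mViewportWidth == 100;
}

int main() {
  std::printf("ref through copied Maybe dangles: %s\n",
              RefIntoCopyDangles() ? "yes" : "no");
  std::printf("ref through member Maybe dangles: %s\n",
              RefIntoMemberDangles() ? "yes" : "no");
  std::printf("whole temporary bound to const&:  %s\n",
              WholeTemporaryBindingIsExtended() ? "extended" : "dangles");
  return 0;
}
```

Building this with `-fsanitize=address -fsanitize-address-use-after-scope` and then reading a field through `ctx` in the first function reproduces the same `stack-use-after-scope` class of report as above; the example deliberately stops at comparing addresses so that it stays well-defined.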
Comment 4 (bugherder, 7 years ago)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59

Updated by reporter (6 years ago)
No longer blocks: asan-nightly-project

Updated (5 years ago)
Blocks: asan-maintenance