Closed
Bug 1415083
Opened 7 years ago
Closed 7 years ago
ERROR: AddressSanitizer: stack-use-after-scope in ~Movable from TestTArray.cpp
Categories
(Core :: XPCOM, defect)
RESOLVED
FIXED
mozilla58
Tracking | Status | |
---|---|---|
firefox58 | --- | fixed |
People
(Reporter: glandium, Assigned: JamesCheng)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
From an ASAN build with clang 5 (with the patch from bug 1409267 applied):
[task 2017-11-07T08:18:06.854Z] 08:18:06 ERROR - ==965==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffca38c28b0 at pc 0x7f26bd8cd3de bp 0x7ffca38c27c0 sp 0x7ffca38c27b8
[task 2017-11-07T08:18:06.855Z] 08:18:06 INFO - READ of size 4 at 0x7ffca38c28b0 thread T0
[task 2017-11-07T08:18:07.440Z] 08:18:07 INFO - #0 0x7f26bd8cd3dd in ~Movable /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:44:29
[task 2017-11-07T08:18:07.440Z] 08:18:07 INFO - #1 0x7f26bd8cd3dd in Destruct /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:562
[task 2017-11-07T08:18:07.440Z] 08:18:07 INFO - #2 0x7f26bd8cd3dd in DestructRange /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2026
[task 2017-11-07T08:18:07.441Z] 08:18:07 INFO - #3 0x7f26bd8cd3dd in nsTArray_Impl<TestTArray::Movable, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2079
[task 2017-11-07T08:18:07.441Z] 08:18:07 INFO - #4 0x7f26bd8cc090 in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1752:18
[task 2017-11-07T08:18:07.441Z] 08:18:07 INFO - #5 0x7f26bd8cc090 in ~nsTArray_Impl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:885
[task 2017-11-07T08:18:07.442Z] 08:18:07 INFO - #6 0x7f26bd8cc090 in TestTArray::TArray_CopyOverlappingForwards_Test::TestBody() /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:169
[task 2017-11-07T08:18:07.458Z] 08:18:07 INFO - #7 0x7f26be173b5c in HandleExceptionsInMethodIfSupported<testing::Test, void> /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2460:12
[task 2017-11-07T08:18:07.458Z] 08:18:07 INFO - #8 0x7f26be173b5c in testing::Test::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2476
[task 2017-11-07T08:18:07.459Z] 08:18:07 INFO - #9 0x7f26be176074 in testing::TestInfo::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2658:11
[task 2017-11-07T08:18:07.459Z] 08:18:07 INFO - #10 0x7f26be1770c6 in testing::TestCase::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2776:28
[task 2017-11-07T08:18:07.460Z] 08:18:07 INFO - #11 0x7f26be18e076 in testing::internal::UnitTestImpl::RunAllTests() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4651:43
[task 2017-11-07T08:18:07.460Z] 08:18:07 INFO - #12 0x7f26be18d5fa in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2460:12
[task 2017-11-07T08:18:07.460Z] 08:18:07 INFO - #13 0x7f26be18d5fa in testing::UnitTest::Run() /builds/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4259
[task 2017-11-07T08:18:07.461Z] 08:18:07 INFO - #14 0x7f26be1bece9 in RUN_ALL_TESTS /builds/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
[task 2017-11-07T08:18:07.461Z] 08:18:07 INFO - #15 0x7f26be1bece9 in mozilla::RunGTestFunc(int*, char**) /builds/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
[task 2017-11-07T08:18:07.462Z] 08:18:07 INFO - #16 0x7f26bd159dcd in XREMain::XRE_mainStartup(bool*) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3879:16
[task 2017-11-07T08:18:07.462Z] 08:18:07 INFO - #17 0x7f26bd168702 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4822:12
[task 2017-11-07T08:18:07.462Z] 08:18:07 INFO - #18 0x7f26bd169f35 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
[task 2017-11-07T08:18:07.478Z] 08:18:07 INFO - #19 0x4ed92b in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
[task 2017-11-07T08:18:07.479Z] 08:18:07 INFO - #20 0x4ed92b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
[task 2017-11-07T08:18:07.515Z] 08:18:07 INFO - #21 0x7f26d278c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-11-07T08:18:07.515Z] 08:18:07 INFO - #22 0x41e528 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41e528)
[task 2017-11-07T08:18:07.516Z] 08:18:07 INFO - Address 0x7ffca38c28b0 is located in stack of thread T0 at offset 112 in frame
[task 2017-11-07T08:18:07.516Z] 08:18:07 INFO - #0 0x7f26bd8cb16f in TestTArray::TArray_CopyOverlappingForwards_Test::TestBody() /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:146
[task 2017-11-07T08:18:07.518Z] 08:18:07 INFO - This frame has 12 object(s):
[task 2017-11-07T08:18:07.519Z] 08:18:07 INFO - [32, 33) 'ref.tmp.i.i.i.i87'
[task 2017-11-07T08:18:07.520Z] 08:18:07 INFO - [48, 49) 'ref.tmp.i.i.i.i'
[task 2017-11-07T08:18:07.520Z] 08:18:07 INFO - [64, 72) 'array' (line 147)
[task 2017-11-07T08:18:07.520Z] 08:18:07 INFO - [96, 160) 'destructionCounters' (line 152) <== Memory access at offset 112 is inside this variable
[task 2017-11-07T08:18:07.520Z] 08:18:07 INFO - [192, 208) 'gtest_ar' (line 164)
[task 2017-11-07T08:18:07.521Z] 08:18:07 INFO - [224, 228) 'ref.tmp' (line 164)
[task 2017-11-07T08:18:07.521Z] 08:18:07 INFO - [240, 248) 'ref.tmp16' (line 164)
[task 2017-11-07T08:18:07.521Z] 08:18:07 INFO - [272, 280) 'temp.lvalue'
[task 2017-11-07T08:18:07.522Z] 08:18:07 INFO - [304, 320) 'gtest_ar23' (line 167)
[task 2017-11-07T08:18:07.522Z] 08:18:07 INFO - [336, 340) 'ref.tmp26' (line 167)
[task 2017-11-07T08:18:07.522Z] 08:18:07 INFO - [352, 360) 'ref.tmp28' (line 167)
[task 2017-11-07T08:18:07.523Z] 08:18:07 INFO - [384, 392) 'temp.lvalue29'
[task 2017-11-07T08:18:07.523Z] 08:18:07 INFO - HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[task 2017-11-07T08:18:07.524Z] 08:18:07 INFO - (longjmp and C++ exceptions *are* supported)
[task 2017-11-07T08:18:07.524Z] 08:18:07 INFO - SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/xpcom/tests/gtest/TestTArray.cpp:44:29 in ~Movable
[task 2017-11-07T08:18:07.524Z] 08:18:07 INFO - Shadow bytes around the buggy address:
[task 2017-11-07T08:18:07.524Z] 08:18:07 INFO - 0x1000147104c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.524Z] 08:18:07 INFO - 0x1000147104d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.525Z] 08:18:07 INFO - 0x1000147104e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.525Z] 08:18:07 INFO - 0x1000147104f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.526Z] 08:18:07 INFO - 0x100014710500: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f2 f8 f2
[task 2017-11-07T08:18:07.526Z] 08:18:07 INFO - =>0x100014710510: 00 f2 f2 f2 f8 f8[f8]f8 f8 f8 f8 f8 f2 f2 f2 f2
[task 2017-11-07T08:18:07.526Z] 08:18:07 INFO - 0x100014710520: f8 f8 f2 f2 f8 f2 f8 f2 f2 f2 00 f2 f2 f2 f8 f8
[task 2017-11-07T08:18:07.527Z] 08:18:07 INFO - 0x100014710530: f2 f2 f8 f2 f8 f2 f2 f2 00 f3 f3 f3 00 00 00 00
[task 2017-11-07T08:18:07.527Z] 08:18:07 INFO - 0x100014710540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.528Z] 08:18:07 INFO - 0x100014710550: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:18:07.528Z] 08:18:07 INFO - 0x100014710560: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 f8 f8 f2 f2
[task 2017-11-07T08:18:07.529Z] 08:18:07 INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-07T08:18:07.529Z] 08:18:07 INFO - Addressable: 00
[task 2017-11-07T08:18:07.529Z] 08:18:07 INFO - Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-07T08:18:07.530Z] 08:18:07 INFO - Heap left redzone: fa
[task 2017-11-07T08:18:07.530Z] 08:18:07 INFO - Freed heap region: fd
[task 2017-11-07T08:18:07.530Z] 08:18:07 INFO - Stack left redzone: f1
[task 2017-11-07T08:18:07.531Z] 08:18:07 INFO - Stack mid redzone: f2
[task 2017-11-07T08:18:07.531Z] 08:18:07 INFO - Stack right redzone: f3
[task 2017-11-07T08:18:07.532Z] 08:18:07 INFO - Stack after return: f5
[task 2017-11-07T08:18:07.532Z] 08:18:07 INFO - Stack use after scope: f8
[task 2017-11-07T08:18:07.532Z] 08:18:07 INFO - Global redzone: f9
[task 2017-11-07T08:18:07.533Z] 08:18:07 INFO - Global init order: f6
[task 2017-11-07T08:18:07.533Z] 08:18:07 INFO - Poisoned by user: f7
[task 2017-11-07T08:18:07.534Z] 08:18:07 INFO - Container overflow: fc
[task 2017-11-07T08:18:07.534Z] 08:18:07 INFO - Array cookie: ac
[task 2017-11-07T08:18:07.534Z] 08:18:07 INFO - Intra object redzone: bb
[task 2017-11-07T08:18:07.535Z] 08:18:07 INFO - ASan internal: fe
[task 2017-11-07T08:18:07.535Z] 08:18:07 INFO - Left alloca redzone: ca
[task 2017-11-07T08:18:07.535Z] 08:18:07 INFO - Right alloca redzone: cb
[task 2017-11-07T08:18:07.536Z] 08:18:07 INFO - ==965==ABORTING
Comment 1 • 7 years ago (Reporter)
Comment 2 • 7 years ago (Assignee)
I think it can be fixed by simply rearranging the declaration of the objects.
Assignee: nobody → jacheng
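The destruction-order problem shown in the ASan report, and the reordering proposed in comment 2, as an added example that is not part of the bug or of the Mozilla patch. `std::vector` stands in for `nsTArray`, and `Tracked`, `kCount` and both function names are hypothetical.

```cpp
// Added illustration, not Mozilla code: std::vector stands in for nsTArray and
// Tracked is a hypothetical element type modeled on the Movable in the report.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

constexpr std::size_t kCount = 16;  // the report's array spans 64 bytes = 16 x 4

struct Tracked {
  uint32_t* counter;  // points into the caller's stack frame
  explicit Tracked(uint32_t* c) : counter(c) {}
  Tracked(Tracked&& o) noexcept : counter(o.counter) { o.counter = nullptr; }
  ~Tracked() { if (counter) ++*counter; }  // 4-byte access, like frame #0 (~Movable)
};

// BEFORE (never called here): the container is declared first, so it is
// destroyed last. At the closing brace the counters go out of scope first and
// ~vector then runs ~Tracked against that dead stack slot. An ASan build such
// as the clang 5 one in the report flags this as stack-use-after-scope.
void container_outlives_counters() {
  std::vector<Tracked> array;
  uint32_t counters[kCount] = {};
  array.reserve(kCount);
  for (uint32_t& c : counters) array.emplace_back(&c);
}

// AFTER: counters declared before the container, so they are still alive when
// the elements are destroyed. The inner braces exist only so this function can
// read the totals after destruction and return them.
uint32_t counters_outlive_container() {
  uint32_t counters[kCount] = {};
  {
    std::vector<Tracked> array;
    array.reserve(kCount);
    for (uint32_t& c : counters) array.emplace_back(&c);
  }  // ~vector -> ~Tracked x16, each write lands in live memory
  uint32_t total = 0;
  for (uint32_t c : counters) total += c;
  return total;
}

int main() {
  std::printf("destructions counted: %u\n", counters_outlive_container());
  return 0;
}
```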
Comment hidden (mozreview-request)
Updated • 7 years ago (Assignee)
Attachment #8925841 - Flags: review?(nfroyd)
Comment 4 • 7 years ago (Reporter)
Can you do a try push for a linux64-asan gtest with the patches from bug 1409267 and the taskcluster/ci/toolchain/linux.yml part of bug 1409265?
Comment 5 • 7 years ago (Assignee)
Sure,
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ee8d47ec6d099f9c2834d93a92a8ffdf35253d53
I applied the patches from bug 1409267 and bug 1409265 with try syntax only selecting gtest.
try: -b do -p linux64-asan -u gtest -t none
Hope it is what you want!
Thanks.
Comment 6 • 7 years ago (Assignee)
Try looks fixed.
Comment 7 • 7 years ago (Reporter)
Unfortunately, you took the full patch for bug 1409265, not just the taskcluster/ci/toolchain/linux.yml part. The full patch doesn't make asan builds use clang 5.
Comment 8 • 7 years ago (Assignee)
Oops, I'll redo it. Thanks.
Comment 9 • 7 years ago (Assignee)
https://treeherder.mozilla.org/#/jobs?repo=try&revision=1ca6e89a1ebccabb705fa09f5e5fee704a7b4261
with only taskcluster/ci/toolchain/linux.yml part
https://hg.mozilla.org/try/rev/0ee1b81d73e5695f01fb913d271102fa23064483
Hope it's correct!
Comment 10 • 7 years ago (Assignee)
Seems like the patch works in try
Comment 11 • 7 years ago (mozreview-review)
Comment on attachment 8925841
Bug 1415083 - Rearrange the declaration of objects to avoid stack-use-after-scope.
https://reviewboard.mozilla.org/r/197042/#review202294
Thank you!
Attachment #8925841 - Flags: review?(nfroyd) → review+
Comment 12 • 7 years ago
Pushed by jacheng@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1528ff0ed838
Rearrange the declaration of objects to avoid stack-use-after-scope. r=froydnj
Comment 13 • 7 years ago (bugherder)
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Updated • 5 years ago
Blocks: asan-maintenance