Bug 1415085 (Closed)
Opened 7 years ago, closed 7 years ago
AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37 in AreaOfIntSize
Categories: Core :: Graphics: ImageLib, defect, P3
Status: RESOLVED FIXED, target milestone mozilla58
Tracking: firefox58 (tracking ---, status fixed)
People: Reporter glandium, Assignee aosmond
References: Blocks 1 open bug
Details: Whiteboard [gfx-noted]
Attachments (1 file): patch (deleted), decoder: review+
From an ASAN build with clang 5 (with the patch from bug 1409267 applied):
[task 2017-11-07T08:19:03.393Z] 08:19:03 ERROR - ==1056==ERROR: AddressSanitizer: stack-use-after-scope on address 0x7ffd4c977fb0 at pc 0x7f4916885685 bp 0x7ffd4c977d90 sp 0x7ffd4c977d88
[task 2017-11-07T08:19:03.394Z] 08:19:03 INFO - READ of size 4 at 0x7ffd4c977fb0 thread T0 (Web Content)
[task 2017-11-07T08:19:04.371Z] 08:19:04 INFO - #0 0x7f4916885684 in AreaOfIntSize /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37
[task 2017-11-07T08:19:04.371Z] 08:19:04 INFO - #1 0x7f4916885684 in CompareArea /builds/worker/workspace/build/src/image/SurfaceCache.cpp:593
[task 2017-11-07T08:19:04.372Z] 08:19:04 INFO - #2 0x7f4916885684 in mozilla::image::ImageSurfaceCache::SuggestedSize(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&) const /builds/worker/workspace/build/src/image/SurfaceCache.cpp:570
[task 2017-11-07T08:19:04.373Z] 08:19:04 INFO - #3 0x7f4916889fe1 in void mozilla::image::ImageSurfaceCache::CollectSizeOfSurfaces<mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}>(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}&&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:640:32
[task 2017-11-07T08:19:04.373Z] 08:19:04 INFO - #4 0x7f491681bc7e in mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:1204:12
[task 2017-11-07T08:19:04.374Z] 08:19:04 INFO - #5 0x7f4916805440 in mozilla::image::SurfaceCache::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*)) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:1629:16
[task 2017-11-07T08:19:04.374Z] 08:19:04 INFO - #6 0x7f4916805287 in mozilla::image::RasterImage::CollectSizeOfSurfaces(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*)) const /builds/worker/workspace/build/src/image/RasterImage.cpp:758:3
[task 2017-11-07T08:19:04.382Z] 08:19:04 INFO - #7 0x7f49167e230f in mozilla::image::ImageMemoryCounter::ImageMemoryCounter(mozilla::image::Image*, mozilla::SizeOfState&, bool) /builds/worker/workspace/build/src/image/Image.cpp:40:11
[task 2017-11-07T08:19:04.384Z] 08:19:04 INFO - #8 0x7f49168380fc in imgMemoryReporter::ImagesContentUsedUncompressedDistinguishedAmount() /builds/worker/workspace/build/src/image/imgLoader.cpp:144:28
[task 2017-11-07T08:19:04.386Z] 08:19:04 INFO - #9 0x7f4913c06d4a in GetInfallibleAmount /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:2437:16
[task 2017-11-07T08:19:04.387Z] 08:19:04 INFO - #10 0x7f4913c06d4a in nsMemoryReporterManager::GetImagesContentUsedUncompressed(long*) /builds/worker/workspace/build/src/xpcom/base/nsMemoryReporterManager.cpp:2473
[task 2017-11-07T08:19:04.391Z] 08:19:04 INFO - #11 0x7f4913d74ed1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
[task 2017-11-07T08:19:04.415Z] 08:19:04 INFO - #12 0x7f491568b089 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
[task 2017-11-07T08:19:04.416Z] 08:19:04 INFO - #13 0x7f491568b089 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
[task 2017-11-07T08:19:04.417Z] 08:19:04 INFO - #14 0x7f491568b089 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
[task 2017-11-07T08:19:04.418Z] 08:19:04 INFO - #15 0x7f4915692837 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679:17
[task 2017-11-07T08:19:04.419Z] 08:19:04 INFO - #16 0x7f4915692837 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
[task 2017-11-07T08:19:04.436Z] 08:19:04 INFO - #17 0x7f491f6a6e60 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
[task 2017-11-07T08:19:04.437Z] 08:19:04 INFO - #18 0x7f491f6a6e60 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
[task 2017-11-07T08:19:04.438Z] 08:19:04 INFO - #19 0x7f491f6a8d91 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
[task 2017-11-07T08:19:04.439Z] 08:19:04 INFO - #20 0x7f491f6a8d91 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
[task 2017-11-07T08:19:04.440Z] 08:19:04 INFO - #21 0x7f491f6a8d91 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:655
[task 2017-11-07T08:19:04.465Z] 08:19:04 INFO - #22 0x7f492072e9ce in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2119:16
[task 2017-11-07T08:19:04.466Z] 08:19:04 INFO - #23 0x7f492072e9ce in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2172
[task 2017-11-07T08:19:04.466Z] 08:19:04 INFO - #24 0x7f492072e9ce in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2375
[task 2017-11-07T08:19:04.467Z] 08:19:04 INFO - #25 0x7f492072e9ce in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2411
[task 2017-11-07T08:19:04.512Z] 08:19:04 INFO - #26 0x7f491f8d9901 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1604:12
[task 2017-11-07T08:19:04.512Z] 08:19:04 INFO - #27 0x7f491f8d9901 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:523
[task 2017-11-07T08:19:04.513Z] 08:19:04 INFO - #28 0x7f491f8d9901 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:629
[task 2017-11-07T08:19:04.514Z] 08:19:04 INFO - #29 0x7f491f8d9901 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:798
[task 2017-11-07T08:19:04.519Z] 08:19:04 INFO - #30 0x14785d52dac6 (<unknown module>)
[task 2017-11-07T08:19:04.519Z] 08:19:04 INFO - Address 0x7ffd4c977fb0 is located in stack of thread T0 (Web Content) at offset 208 in frame
[task 2017-11-07T08:19:04.520Z] 08:19:04 INFO - #0 0x7f491688975f in void mozilla::image::ImageSurfaceCache::CollectSizeOfSurfaces<mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}>(nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::image::SurfaceCacheImpl::CollectSizeOfSurfaces(mozilla::image::Image*, nsTArray<mozilla::image::SurfaceMemoryCounter>&, unsigned long (*)(void const*), mozilla::BaseAutoLock<mozilla::StaticMutex> const&)::{lambda(mozilla::NotNull<mozilla::image::CachedSurface*>)#1}&&) /builds/worker/workspace/build/src/image/SurfaceCache.cpp:618
[task 2017-11-07T08:19:04.521Z] 08:19:04 INFO - This frame has 4 object(s):
[task 2017-11-07T08:19:04.523Z] 08:19:04 INFO - [32, 48) 'report' (line 619)
[task 2017-11-07T08:19:04.527Z] 08:19:04 INFO - [64, 112) 'iter' (line 620)
[task 2017-11-07T08:19:04.527Z] 08:19:04 INFO - [144, 176) 'ref.tmp' (line 629)
[task 2017-11-07T08:19:04.528Z] 08:19:04 INFO - [208, 256) 'ref.tmp10' (line 637) <== Memory access at offset 208 is inside this variable
[task 2017-11-07T08:19:04.530Z] 08:19:04 INFO - HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
[task 2017-11-07T08:19:04.533Z] 08:19:04 INFO - (longjmp and C++ exceptions *are* supported)
[task 2017-11-07T08:19:04.534Z] 08:19:04 INFO - SUMMARY: AddressSanitizer: stack-use-after-scope /builds/worker/workspace/build/src/image/SurfaceCache.cpp:228:37 in AreaOfIntSize
[task 2017-11-07T08:19:04.534Z] 08:19:04 INFO - Shadow bytes around the buggy address:
[task 2017-11-07T08:19:04.534Z] 08:19:04 INFO - 0x100029926fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.534Z] 08:19:04 INFO - 0x100029926fb0: 00 00 00 00 f1 f1 f1 f1 00 00 00 00 00 00 f2 f2
[task 2017-11-07T08:19:04.535Z] 08:19:04 INFO - 0x100029926fc0: f2 f2 00 f3 f3 f3 f3 f3 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.536Z] 08:19:04 INFO - 0x100029926fd0: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[task 2017-11-07T08:19:04.537Z] 08:19:04 INFO - 0x100029926fe0: 00 00 f2 f2 00 00 00 00 00 00 f2 f2 f2 f2 f8 f8
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - =>0x100029926ff0: f8 f8 f2 f2 f2 f2[f8]f8 f8 f8 f8 f8 f3 f3 f3 f3
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - 0x100029927000: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - 0x100029927010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - 0x100029927020: 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1 f1 f1
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - 0x100029927030: 00 00 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - 0x100029927040: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - Addressable: 00
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - Partially addressable: 01 02 03 04 05 06 07
[task 2017-11-07T08:19:04.541Z] 08:19:04 INFO - Heap left redzone: fa
[task 2017-11-07T08:19:04.542Z] 08:19:04 INFO - Freed heap region: fd
[task 2017-11-07T08:19:04.543Z] 08:19:04 INFO - Stack left redzone: f1
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Stack mid redzone: f2
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Stack right redzone: f3
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Stack after return: f5
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Stack use after scope: f8
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Global redzone: f9
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Global init order: f6
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Poisoned by user: f7
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Container overflow: fc
[task 2017-11-07T08:19:04.547Z] 08:19:04 INFO - Array cookie: ac
[task 2017-11-07T08:19:04.548Z] 08:19:04 INFO - Intra object redzone: bb
[task 2017-11-07T08:19:04.549Z] 08:19:04 INFO - ASan internal: fe
[task 2017-11-07T08:19:04.551Z] 08:19:04 INFO - Left alloca redzone: ca
[task 2017-11-07T08:19:04.552Z] 08:19:04 INFO - Right alloca redzone: cb
[task 2017-11-07T08:19:04.553Z] 08:19:04 INFO - ==1056==ABORTING
Comment 1•7 years ago (Reporter)
Updated•7 years ago (Assignee)
Assignee: nobody → aosmond
Status: NEW → ASSIGNED
Priority: -- → P3
Whiteboard: [gfx-noted]
Comment 2•7 years ago (Assignee)
Attachment #8925889 - Flags: review?(choller)
Comment 3•7 years ago
Comment on attachment 8925889 [details] [diff] [review]
0001-Bug-1415085-Make-CachedSurface-GetSurfaceKey-return-.patch
Great find! I spent quite a bit looking at this error as well and didn't see it until you pointed it out. :D
Attachment #8925889 - Flags: review?(choller) → review+
Pushed by aosmond@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/7dbef7d88601
Make CachedSurface::GetSurfaceKey return a reference instead of a copy. r=decoder
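The fix above makes GetSurfaceKey return a reference rather than a copy. As an added illustration that is not Gecko's code, the model below assumes cut-down IntSize/SurfaceKey/CachedSurface structs and a call site that binds a const reference to the key's size; it places the copy-returning getter beside the reference-returning one and checks, without reading freed stack, which object the reference actually points at.

```cpp
// Added example, not Gecko's code: a cut-down model of the bug in bug 1415085.
// Names mirror the ASan frames (AreaOfIntSize, CachedSurface::GetSurfaceKey);
// the struct layouts and call pattern are assumptions, not the real SurfaceCache.
#include <cstdint>

struct IntSize { int32_t width; int32_t height; };

// Mirrors AreaOfIntSize (SurfaceCache.cpp:228): the read ASan flagged happens here.
int64_t AreaOfIntSize(const IntSize& aSize) {
  return int64_t(aSize.width) * int64_t(aSize.height);
}

struct SurfaceKey {
  IntSize mSize;
  const IntSize& Size() const { return mSize; }  // reference into *this* key
};

// Before the fix: the key comes back as a copy, i.e. a temporary (ASan's 'ref.tmp10').
struct CachedSurfaceBefore {
  SurfaceKey mKey;
  SurfaceKey GetSurfaceKey() const { return mKey; }
};

// After the fix: a reference to the member, valid as long as the surface itself.
struct CachedSurfaceAfter {
  SurfaceKey mKey;
  const SurfaceKey& GetSurfaceKey() const { return mKey; }
};

// Buggy pattern. Lifetime extension only covers a reference bound directly to the
// temporary, not one returned by a member function of it, so 'size' dangles as soon
// as the full expression ends. Left uncalled: the read is undefined behaviour.
int64_t AreaBefore(const CachedSurfaceBefore& aSurface) {
  const IntSize& size = aSurface.GetSurfaceKey().Size();  // temporary dies here
  return AreaOfIntSize(size);                              // stack-use-after-scope
}

// Identical call site on the fixed getter: 'size' now refers into aSurface.mKey.
int64_t AreaAfter(const CachedSurfaceAfter& aSurface) {
  const IntSize& size = aSurface.GetSurfaceKey().Size();
  return AreaOfIntSize(size);
}

// Checkable without touching dead stack: does the reference obtained through
// GetSurfaceKey().Size() alias the surface's own member, or a temporary? Both
// comparisons run inside one full expression, so nothing has gone out of scope yet.
bool KeySizeAliasesMember(const CachedSurfaceBefore& s) { return &s.GetSurfaceKey().Size() == &s.mKey.mSize; }
bool KeySizeAliasesMember(const CachedSurfaceAfter& s) { return &s.GetSurfaceKey().Size() == &s.mKey.mSize; }
```

Under ASan the uncalled AreaBefore is exactly the pattern that produces the stack-use-after-scope report above; the aliasing check shows the same difference at the pointer level.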
Comment 5•7 years ago (bugherder)
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Updated•5 years ago
Blocks: asan-maintenance