Open
Bug 1438260
Opened 7 years ago
Updated 2 years ago
UBSan: downcast of address which does not point to an object of type 'MessageLoopForIO' /ipc/chromium/src/base/message_loop.h
Categories
(Core :: IPC, defect, P3)
Tracking
NEW
| | Tracking | Status |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-undefined)
This is triggered on launch.
Found in mozilla-central changeset: 403581:375d162649d2. Built with -fsanitize=vptr
/ipc/chromium/src/base/message_loop.h:528:12: runtime error: downcast of address 0x7f7457decca8 which does not point to an object of type 'MessageLoopForIO'
0x7f7457decca8: note: object is of type 'MessageLoop'
00 00 00 00 08 de f7 6e 74 7f 00 00 02 00 00 00 02 00 00 00 40 96 00 4c 74 7f 00 00 08 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'MessageLoop'
#0 0x7f7463fa81f1 in current /ipc/chromium/src/base/message_loop.h:528:12
#1 0x7f7463fa81f1 in FdWatcher::StartWatching() /xpcom/base/nsDumpUtils.cpp:96
#2 0x7f7463fbd9de in applyImpl<FdWatcher, void (FdWatcher::*)()> /objdir-ff-vptr/dist/include/nsThreadUtils.h:1149:12
#3 0x7f7463fbd9de in apply<FdWatcher, void (FdWatcher::*)()> /objdir-ff-vptr/dist/include/nsThreadUtils.h:1155
#4 0x7f7463fbd9de in mozilla::detail::RunnableMethodImpl<FdWatcher*, void (FdWatcher::*)(), true, (mozilla::RunnableKind)0>::Run() /objdir-ff-vptr/dist/include/nsThreadUtils.h:1200
#5 0x7f7464d5876c in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /ipc/chromium/src/base/message_loop.cc:452:9
#6 0x7f7464d59559 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /ipc/chromium/src/base/message_loop.cc:460:5
#7 0x7f7464d59b24 in MessageLoop::DoWork() /ipc/chromium/src/base/message_loop.cc:535:13
#8 0x7f7464d5c5ab in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /ipc/chromium/src/base/message_pump_libevent.cc:352:31
#9 0x7f7464d58196 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
#10 0x7f7464d58196 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
#11 0x7f7464d6b43d in base::Thread::ThreadMain() /ipc/chromium/src/base/thread.cc:181:16
#12 0x7f7464d60bfd in ThreadFunc(void*) /ipc/chromium/src/base/platform_thread_posix.cc:38:13
#13 0x7f747d1b07fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#14 0x7f747c1deb5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 1•7 years ago
This looks similar:
/xpcom/base/nsDumpUtils.cpp:96:32: runtime error: member call on address 0x7f7457decca8 which does not point to an object of type 'MessageLoopForIO'
0x7f7457decca8: note: object is of type 'MessageLoop'
00 00 00 00 08 de f7 6e 74 7f 00 00 02 00 00 00 02 00 00 00 40 96 00 4c 74 7f 00 00 08 00 00 00
^~~~~~~~~~~~~~~~~~~~~~~
vptr for 'MessageLoop'
#0 0x7f7463fa81a4 in FdWatcher::StartWatching() /xpcom/base/nsDumpUtils.cpp:96:32
#1 0x7f7463fbd9de in applyImpl<FdWatcher, void (FdWatcher::*)()> /objdir-ff-vptr/dist/include/nsThreadUtils.h:1149:12
#2 0x7f7463fbd9de in apply<FdWatcher, void (FdWatcher::*)()> /objdir-ff-vptr/dist/include/nsThreadUtils.h:1155
#3 0x7f7463fbd9de in mozilla::detail::RunnableMethodImpl<FdWatcher*, void (FdWatcher::*)(), true, (mozilla::RunnableKind)0>::Run() /objdir-ff-vptr/dist/include/nsThreadUtils.h:1200
#4 0x7f7464d5876c in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /ipc/chromium/src/base/message_loop.cc:452:9
#5 0x7f7464d59559 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /ipc/chromium/src/base/message_loop.cc:460:5
#6 0x7f7464d59b24 in MessageLoop::DoWork() /ipc/chromium/src/base/message_loop.cc:535:13
#7 0x7f7464d5c5ab in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /ipc/chromium/src/base/message_pump_libevent.cc:352:31
#8 0x7f7464d58196 in RunHandler /ipc/chromium/src/base/message_loop.cc:319:3
#9 0x7f7464d58196 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:299
#10 0x7f7464d6b43d in base::Thread::ThreadMain() /ipc/chromium/src/base/thread.cc:181:16
#11 0x7f7464d60bfd in ThreadFunc(void*) /ipc/chromium/src/base/platform_thread_posix.cc:38:13
#12 0x7f747d1b07fb in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x77fb)
#13 0x7f747c1deb5e in clone /build/glibc-itYbWN/glibc-2.26/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
Comment 2•7 years ago
message_loop.h does contain this:
// Do not add any member variables to MessageLoopForUI! This is important b/c
// MessageLoopForUI is often allocated via MessageLoop(TYPE_UI). Any extra
// data that you need should be stored on the MessageLoop's pump_ instance.
COMPILE_ASSERT(sizeof(MessageLoop) == sizeof(MessageLoopForUI),
MessageLoopForUI_should_not_have_extra_member_variables);
So yeahhhh. I'm not sure where this happens exactly, but that could be what is happening here.
Comment 3•7 years ago
I added some asserts, and it looks like this is happening at the MessageLoop created in Thread::ThreadMain().
Updated•7 years ago
OS: Unspecified → Linux
Priority: -- → P3
Yuck, this is a bad pattern, but also tedious to rewrite.
It looks like the IO loop class does the same thing.
// Do not add any member variables to MessageLoopForIO! This is important b/c
// MessageLoopForIO is often allocated via MessageLoop(TYPE_IO). Any extra
// data that you need should be stored on the MessageLoop's pump_ instance.
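As an added illustration (not Mozilla's code), the model below reproduces the pattern described in comments 2 and 4: the derived loop class adds no members, so a plain MessageLoop constructed with TYPE_IO has the same size and the unchecked static_cast in MessageLoopForIO::current() appears to work, but the object's dynamic type (its vptr) is still MessageLoop, which is what -fsanitize=vptr reports. The names ClassName, SetCurrent, CreateLoop and the DynamicTypeOf* helpers are assumed for the example; CreateLoop is a hypothetical remedy, not a fix taken from the project.

```cpp
#include <cstring>
#include <memory>

struct MessageLoop {
  enum Type { TYPE_DEFAULT, TYPE_UI, TYPE_IO };
  explicit MessageLoop(Type t = TYPE_DEFAULT) : type_(t) {}
  virtual ~MessageLoop() = default;
  virtual const char* ClassName() const { return "MessageLoop"; }
  Type type() const { return type_; }
  static MessageLoop* current() { return current_; }
  static void SetCurrent(MessageLoop* loop) { current_ = loop; }
 private:
  Type type_;
  static thread_local MessageLoop* current_;
};
thread_local MessageLoop* MessageLoop::current_ = nullptr;

// Like the real class: no data members, so a MessageLoop(TYPE_IO) has the same size.
struct MessageLoopForIO : MessageLoop {
  MessageLoopForIO() : MessageLoop(TYPE_IO) {}
  const char* ClassName() const override { return "MessageLoopForIO"; }
  // Mirrors message_loop.h:528: an unchecked static_cast of current(), well-defined
  // only if the current loop was actually constructed as a MessageLoopForIO.
  static MessageLoopForIO* current() {
    return static_cast<MessageLoopForIO*>(MessageLoop::current());
  }
};
static_assert(sizeof(MessageLoop) == sizeof(MessageLoopForIO),
              "MessageLoopForIO must not add member variables");

// The construction comment 3 points at: a base object merely tagged TYPE_IO.
// Its dynamic type (vptr) is MessageLoop, which is what UBSan printed above.
const char* DynamicTypeOfTypedBase() {
  MessageLoop loop(MessageLoop::TYPE_IO);
  return loop.ClassName();  // "MessageLoop"
}

// Hypothetical factory (not the project's fix): build the derived class when an
// IO loop is requested, so the downcast in MessageLoopForIO::current() is valid.
std::unique_ptr<MessageLoop> CreateLoop(MessageLoop::Type t) {
  if (t == MessageLoop::TYPE_IO) return std::make_unique<MessageLoopForIO>();
  return std::make_unique<MessageLoop>(t);
}
const char* DynamicTypeOfFactoryLoop() {
  auto loop = CreateLoop(MessageLoop::TYPE_IO);
  MessageLoop::SetCurrent(loop.get());
  const char* name = MessageLoopForIO::current()->ClassName();  // "MessageLoopForIO"
  MessageLoop::SetCurrent(nullptr);
  return name;
}
int main() { return std::strcmp(DynamicTypeOfFactoryLoop(), "MessageLoopForIO") != 0; }
```

Compiling the model with -fsanitize=vptr and casting the result of DynamicTypeOfTypedBase's construction through MessageLoopForIO::current() reproduces the "downcast of address ... does not point to an object of type 'MessageLoopForIO'" report; the factory-built loop does not.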
Updated•2 years ago
Severity: normal → S3