Bug 1387531 - stylo: AddressSanitizer: SEGV on unknown address 0x000000001460 | AddressSanitizer: heap-use-after-free on address 0x61a000a6f2a8
Status: RESOLVED DUPLICATE of bug 1384824
Product / Component: Core :: CSS Parsing and Computation
Type: defect
Priority: P1
Opened: 8 years ago
Closed: 8 years ago
Reporter: bc
Assignee: Unassigned
Attachments: 2 files
Seen on 3 URLs, listed from most frequent/reliable to least frequent/reliable:
http://m.cda.pl/video/p3
http://www.dailymotion.com/video/kAxSRBPLcZ179VkLOoh
http://www.dailymotion.com/video/x54vg5j
export STYLO_FORCE_ENABLED=1
1. Load URL in ASan build
2. Wait a bit... 60 seconds
3. Crash
Pretty reliably get:
==19256==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001460 (pc 0x7fe50f27acef bp 0x7ffd7d53cd70 sp 0x7ffd7d53cd30 T0)
==19256==The signal is caused by a READ memory access.
#0 0x7fe50f27acee in Get /home/worker/workspace/build/src/xpcom/ds/PLDHashTable.h:228:26
...
Comment 1 • 8 years ago (Reporter)
1. Install Spider
https://bclary.com/projects/spider/spider-0.1.0.5-an+fn+fx+sm+tb.xpi
2. firefox -spider -start -quit -url <url>
3. ==18403==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000a6f2a8 at pc 0x7fdba70815e0 bp 0x7ffc51a73d40 sp 0x7ffc51a73d38
READ of size 8 at 0x61a000a6f2a8 thread T0
#0 0x7fdba70815df in PresShell /home/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:171:12
This is less reliable. Often, the previous SEGV will be hit. I think setting export STYLO_THREADS=8 will help reproduce this.
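A reproduction-and-triage wrapper for the steps in the description and comment 1, added here as an example; it is not part of the bug report or of any Mozilla tooling. It assumes an ASan Firefox build with the Spider add-on installed is on PATH as "firefox" (so the -spider/-start/-quit/-url flags from comment 1 apply), that "timeout" and "mktemp" are available, and that the ASan report is written to stderr; the 90-second budget per attempt is a guess based on the "wait ~60 seconds" in the description. The two environment variables and the three URLs are the ones named in the bug.

```shell
#!/bin/sh
# Added example: reproduce the bug's steps under ASan and classify the report.
# Not from the bug report or Mozilla tooling. Assumptions: an ASan Firefox build
# with the Spider add-on is on PATH as "firefox"; "timeout" and "mktemp" exist;
# ASan writes its report to stderr; 90 s is a guessed budget (the bug says ~60 s).

# Summarize an ASan report read from stdin as "<error-kind>|<top-frame-function>",
# e.g. "SEGV|Get" or "heap-use-after-free|PresShell"; "none|" if no report is seen.
asan_summary() {
    awk '
        /==[0-9]+==ERROR: AddressSanitizer:/ && kind == "" {
            sub(/.*AddressSanitizer: /, "")   # leaves "SEGV on ..." or "heap-use-after-free on ..."
            kind = $1
        }
        /^[ \t]*#0 / && kind != "" && frame == "" {
            for (i = 1; i <= NF; i++) if ($i == "in") { frame = $(i + 1); break }
        }
        END { if (kind == "") print "none|"; else print kind "|" frame }
    '
}

# One attempt: force stylo on, use 8 style threads (the two variables named in the
# bug), kill the browser after $2 seconds, and summarize whatever ASan printed.
repro_once() {
    url=$1
    budget=${2:-90}
    log=$(mktemp)
    STYLO_FORCE_ENABLED=1 STYLO_THREADS=8 \
        timeout "$budget" firefox -spider -start -quit -url "$url" >/dev/null 2>"$log" || :
    asan_summary <"$log"
    rm -f "$log"
}

# The three URLs from the bug, most to least reliable.
REPRO_URLS='http://m.cda.pl/video/p3
http://www.dailymotion.com/video/kAxSRBPLcZ179VkLOoh
http://www.dailymotion.com/video/x54vg5j'

# Try every URL $1 times (default 3) and print one line per attempt.
repro_all() {
    rounds=${1:-3}
    i=0
    while [ "$i" -lt "$rounds" ]; do
        i=$((i + 1))
        printf '%s\n' "$REPRO_URLS" | while read -r u; do
            printf 'round %d %s -> %s\n' "$i" "$u" "$(repro_once "$u" 90)"
        done
    done
}

# Constructed sample reports (copied from the excerpts in the bug) so the
# classifier can be exercised without a browser.
sample_segv_report() {
    cat <<'EOF'
==19256==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001460 (pc 0x7fe50f27acef bp 0x7ffd7d53cd70 sp 0x7ffd7d53cd30 T0)
==19256==The signal is caused by a READ memory access.
    #0 0x7fe50f27acee in Get /home/worker/workspace/build/src/xpcom/ds/PLDHashTable.h:228:26
EOF
}

sample_uaf_report() {
    cat <<'EOF'
==18403==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000a6f2a8 at pc 0x7fdba70815e0 bp 0x7ffc51a73d40 sp 0x7ffc51a73d38
READ of size 8 at 0x61a000a6f2a8 thread T0
    #0 0x7fdba70815df in PresShell /home/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:171:12
EOF
}

# Usage: sh repro.sh run   (launches the browser; otherwise only the functions are defined)
if [ "${1:-}" = run ]; then
    repro_all 3
fi
```

Running it as "sh repro.sh run" prints one "round N URL -> kind|frame" line per attempt, which makes it easy to see whether a given page yields the SEGV in PLDHashTable::Get, the heap-use-after-free in PresShell, or nothing within the budget; the two sample_*_report functions only feed the classifier the excerpts already quoted in the bug.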
Updated • 8 years ago
Priority: -- → P1
Summary: [stylo] AddressSanitizer: SEGV on unknown address 0x000000001460 | AddressSanitizer: heap-use-after-free on address 0x61a000a6f2a8 → stylo: AddressSanitizer: SEGV on unknown address 0x000000001460 | AddressSanitizer: heap-use-after-free on address 0x61a000a6f2a8
Updated • 8 years ago
Group: core-security → layout-core-security
Comment 2 • 8 years ago
This is the arena refptr stuff... Manish and Cam could help faster than I, I guess...
Comment 3 • 8 years ago
This seems to be related to bug 1384824, might want to wait for those patches to get through.
Depends on: 1384824
Updated • 8 years ago
Component: General → CSS Parsing and Computation
Comment 4 • 8 years ago
Does this still reproduce now that bug 1384824 is fixed?
Flags: needinfo?(bob)
Comment 5 • 8 years ago (Reporter)
No. I submitted
http://m.cda.pl/video/p3
http://www.dailymotion.com/video/kAxSRBPLcZ179VkLOoh
http://www.dailymotion.com/video/x54vg5j
multiple times and did not reproduce at all.
WFM or FIXED?
Flags: needinfo?(bob)
Updated • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated • 5 years ago
Group: layout-core-security