Bug 161109

Summary:

REGRESSION(204854): ASan is unhappy

Product:

WebKit

Reporter:

Filip Pizlo <fpizlo>

Component:

JavaScriptCore

Assignee:

Filip Pizlo <fpizlo>

Status:

RESOLVED FIXED

Severity:

Normal

CC:

ap, ddkilzer, ryanhaddad

Priority:

Version:

WebKit Nightly Build

Hardware:

All

OS:

All

Bug Depends on:

Bug Blocks:

161117

Attachments:

Description	Flags
the patch	ggaren: review+

Filip Pizlo

Reported 2016-08-23 15:02:15 PDT

See here: https://build-safari.apple.com/results/Trunk%20El%20Capitan%20ASan%20Release%20WK2%20Tests/r204854_86469%20(1539)/results.html For example: ==28827==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000160260 at pc 0x000110f1fa4b bp 0x7fff52724740 sp 0x7fff52724738 READ of size 8 at 0x615000160260 thread T0 #0 0x110f1fa4a in JSC::WeakSet::vm() const (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x3fa4a) #1 0x11220f4a7 in JSC::constructRegExp(JSC::ExecState*, JSC::JSGlobalObject*, JSC::ArgList const&, JSC::JSObject*, JSC::JSValue) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x132f4a7) #2 0x112215dfc in JSC::callRegExpConstructor(JSC::ExecState*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1335dfc) #3 0x111f9ea08 in JSC::LLInt::handleHostCall(JSC::ExecState*, JSC::Instruction*, JSC::JSValue, JSC::CodeSpecializationKind) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10bea08) #4 0x111fa32aa in JSC::LLInt::setUpCall(JSC::ExecState*, JSC::Instruction*, JSC::CodeSpecializationKind, JSC::JSValue, JSC::LLIntCallLinkInfo*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10c32aa) #5 0x111fabf1f in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf1f) #6 0x111fabebb in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbebb) #7 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #8 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #9 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #10 0x111fac327 in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cc327) #11 0x111fac327 in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cc327) #12 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #13 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #14 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #15 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #16 0x111fabf2d in llint_entry (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10cbf2d) #17 0x111fa5b7a in vmEntryToJavaScript (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x10c5b7a) #18 0x111c4b0ed in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xd6b0ed) #19 0x111bb9865 in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0xcd9865) #20 0x111448e6e in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x568e6e) #21 0x1114490ae in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x5690ae) #22 0x1161e75a3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x1f805a3) #23 0x1161e385a in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x1f7c85a) #24 0x1161f4126 in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x1f8d126) #25 0x1161f1b58 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x1f8ab58) #26 0x114e0fb9f in WebCore::HTMLScriptRunner::runScript(WebCore::Element*, WTF::TextPosition const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xba8b9f) #27 0x114e0f8c5 in WebCore::HTMLScriptRunner::execute(WTF::PassRefPtr<WebCore::Element>, WTF::TextPosition const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xba88c5) #28 0x114d43742 in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadc742) #29 0x114d43d12 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadcd12) #30 0x114d42f77 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadbf77) #31 0x114d44bcd in WebCore::HTMLDocumentParser::resumeParsingAfterScriptExecution() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xaddbcd) #32 0x114d44e91 in WebCore::HTMLDocumentParser::notifyFinished(WebCore::CachedResource*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadde91) #33 0x1144ac9e7 in WebCore::CachedResource::checkNotify() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x2459e7) #34 0x1164d3298 in WebCore::SubresourceLoader::didFinishLoading(double) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x226c298) #35 0x10dd22785 in void IPC::handleMessage<Messages::WebResourceLoader::DidFinishResourceLoad, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(double)>(IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(double)) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit+0x835785) #36 0x10dd21d5d in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit+0x834d5d) #37 0x10d75f8da in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit+0x2728da) #38 0x10d595903 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit+0xa8903) #39 0x10d59bf74 in IPC::Connection::dispatchOneMessage() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/WebKit+0xaef74) #40 0x11242b55f in WTF::RunLoop::performWork() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x154b55f) #41 0x11242bcfe in WTF::RunLoop::performWork(void*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x154bcfe) #42 0x7fff8fbbe880 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0xaa880) #43 0x7fff8fb9dfbb in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x89fbb) #44 0x7fff8fb9d4de in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x894de) #45 0x7fff8fb9ced7 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation+0x88ed7) #46 0x7fff85d00934 in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x30934) #47 0x7fff85d0076e in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x3076e) #48 0x7fff85d005ae in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox+0x305ae) #49 0x7fff86442ef9 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48ef9) #50 0x7fff86442329 in -[NSApplication _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x48329) #51 0x7fff86436e83 in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x3ce83) #52 0x7fff8640046b in NSApplicationMain (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit+0x646b) #53 0x7fff96149193 in _xpc_objc_main (/usr/lib/system/libxpc.dylib+0x11193) #54 0x7fff96147bbd in xpc_main (/usr/lib/system/libxpc.dylib+0xfbbd) #55 0x10d4d5c3b in main (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.Development.xpc/Contents/MacOS/com.apple.WebKit.WebContent.Development+0x100001c3b) #56 0x7fff8e29d5ac in start (/usr/lib/system/libdyld.dylib+0x35ac) #57 0x0 (<unknown module>) 0x615000160260 is located 352 bytes inside of 512-byte region [0x615000160100,0x615000160300) freed by thread T0 here: #0 0x10f876109 in wrap_free (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x43109) #1 0x112477fa7 in bmalloc::Deallocator::deallocateSlowCase(void*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x1597fa7) #2 0x115602167 in WTF::Vector<WebCore::CSSParserValue, 4ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::CSSParserValue*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b167) #3 0x115602071 in void WTF::Vector<WebCore::CSSParserValue, 4ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<WebCore::CSSParserValue const&>(WebCore::CSSParserValue const&&&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b071) #4 0x114716d2c in cssyyparse(WebCore::CSSParser*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x4afd2c) #5 0x1166f4de2 in WebCore::CSSParser::parseSheet(WebCore::StyleSheetContents*, WTF::String const&, WTF::TextPosition const&, WTF::Vector<WTF::Ref<WebCore::CSSRuleSourceData>, 0ul, WTF::CrashOnOverflow, 16ul>*, bool) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x248dde2) #6 0x1164b8f24 in WebCore::StyleSheetContents::parseStringAtPosition(WTF::String const&, WTF::TextPosition const&, bool) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x2251f24) #7 0x1164b8dbf in WebCore::StyleSheetContents::parseString(WTF::String const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x2251dbf) #8 0x1146cbbc8 in WebCore::parseUASheet(WTF::String const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x464bc8) #9 0x1146cb6ca in WebCore::CSSDefaultStyleSheets::loadFullDefaultStyle() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x4646ca) #10 0x1146cbf56 in WebCore::CSSDefaultStyleSheets::ensureDefaultStyleSheetsForElement(WebCore::Element const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x464f56) #11 0x11648c41b in WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x222541b) #12 0x1149f2bd9 in WebCore::Element::resolveStyle(WebCore::RenderStyle const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x78bbd9) #13 0x114880bb6 in WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element&, WebCore::RenderStyle const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x619bb6) #14 0x1149fb572 in WebCore::Element::resolveComputedStyle() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x794572) #15 0x1149fb803 in WebCore::Element::computedStyle(WebCore::PseudoId) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x794803) #16 0x114e3cf10 in WebCore::HTMLTitleElement::computedTextWithDirection() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbd5f10) #17 0x114e3cddf in WebCore::HTMLTitleElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbd5ddf) #18 0x1145b319a in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x34c19a) #19 0x1145b231d in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x34b31d) #20 0x114d1eafc in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xab7afc) #21 0x114d1d82c in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xab682c) #22 0x114e59039 in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbf2039) #23 0x114e58021 in WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbf1021) #24 0x114e551de in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbee1de) #25 0x114d43f48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadcf48) #26 0x114d43cb2 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadccb2) #27 0x114d42f77 in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadbf77) #28 0x114d44668 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl>&&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadd668) #29 0x1148089aa in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, char const*, unsigned long) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x5a19aa) previously allocated by thread T0 here: #0 0x10f875f40 in wrap_malloc (/Applications/Xcode.app/Contents/Developer/Toolchains/OSX10.11.xctoolchain/usr/lib/clang/7.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib+0x42f40) #1 0x11246ce44 in bmalloc::Allocator::allocateSlowCase(unsigned long) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x158ce44) #2 0x11240f645 in bmalloc::Allocator::allocate(unsigned long) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/JavaScriptCore.framework/Versions/A/JavaScriptCore+0x152f645) #3 0x11560238f in WTF::VectorBufferBase<WebCore::CSSParserValue>::allocateBuffer(unsigned long) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b38f) #4 0x115602213 in WTF::Vector<WebCore::CSSParserValue, 4ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b213) #5 0x115602167 in WTF::Vector<WebCore::CSSParserValue, 4ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, WebCore::CSSParserValue*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b167) #6 0x115602071 in void WTF::Vector<WebCore::CSSParserValue, 4ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<WebCore::CSSParserValue const&>(WebCore::CSSParserValue const&&&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x139b071) #7 0x114716d14 in cssyyparse(WebCore::CSSParser*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x4afd14) #8 0x1166f4de2 in WebCore::CSSParser::parseSheet(WebCore::StyleSheetContents*, WTF::String const&, WTF::TextPosition const&, WTF::Vector<WTF::Ref<WebCore::CSSRuleSourceData>, 0ul, WTF::CrashOnOverflow, 16ul>*, bool) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x248dde2) #9 0x1164b8f24 in WebCore::StyleSheetContents::parseStringAtPosition(WTF::String const&, WTF::TextPosition const&, bool) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x2251f24) #10 0x1164b8dbf in WebCore::StyleSheetContents::parseString(WTF::String const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x2251dbf) #11 0x1146cbbc8 in WebCore::parseUASheet(WTF::String const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x464bc8) #12 0x1146cb6ca in WebCore::CSSDefaultStyleSheets::loadFullDefaultStyle() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x4646ca) #13 0x1146cbf56 in WebCore::CSSDefaultStyleSheets::ensureDefaultStyleSheetsForElement(WebCore::Element const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x464f56) #14 0x11648c41b in WebCore::StyleResolver::styleForElement(WebCore::Element const&, WebCore::RenderStyle const*, WebCore::RuleMatchingBehavior, WebCore::RenderRegion const*, WebCore::SelectorFilter const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x222541b) #15 0x1149f2bd9 in WebCore::Element::resolveStyle(WebCore::RenderStyle const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x78bbd9) #16 0x114880bb6 in WebCore::Document::styleForElementIgnoringPendingStylesheets(WebCore::Element&, WebCore::RenderStyle const*) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x619bb6) #17 0x1149fb572 in WebCore::Element::resolveComputedStyle() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x794572) #18 0x1149fb803 in WebCore::Element::computedStyle(WebCore::PseudoId) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x794803) #19 0x114e3cf10 in WebCore::HTMLTitleElement::computedTextWithDirection() (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbd5f10) #20 0x114e3cddf in WebCore::HTMLTitleElement::childrenChanged(WebCore::ContainerNode::ChildChange const&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbd5ddf) #21 0x1145b319a in WebCore::ContainerNode::notifyChildInserted(WebCore::Node&, WebCore::ContainerNode::ChildChangeSource) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x34c19a) #22 0x1145b231d in WebCore::ContainerNode::parserAppendChild(WebCore::Node&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0x34b31d) #23 0x114d1eafc in WebCore::executeInsertTask(WebCore::HTMLConstructionSiteTask&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xab7afc) #24 0x114d1d82c in WebCore::HTMLConstructionSite::insertTextNode(WTF::String const&, WebCore::WhitespaceMode) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xab682c) #25 0x114e59039 in WebCore::HTMLTreeBuilder::processCharacterBuffer(WebCore::HTMLTreeBuilder::ExternalCharacterTokenBuffer&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbf2039) #26 0x114e58021 in WebCore::HTMLTreeBuilder::processCharacter(WebCore::AtomicHTMLToken&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbf1021) #27 0x114e551de in WebCore::HTMLTreeBuilder::constructTree(WebCore::AtomicHTMLToken&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xbee1de) #28 0x114d43f48 in WebCore::HTMLDocumentParser::constructTreeFromHTMLToken(WebCore::HTMLTokenizer::TokenPtr&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadcf48) #29 0x114d43cb2 in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) (/Volumes/Data/slave/elcapitan-asan-release-wk2-tests/build/buildToTest/WebCore.framework/Versions/A/WebCore+0xadccb2) SUMMARY: AddressSanitizer: heap-use-after-free ??:0 JSC::WeakSet::vm() const Shadow bytes around the buggy address: 0x1c2a0002bff0: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 0x1c2a0002c000: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc 0x1c2a0002c010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c2a0002c020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c2a0002c030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x1c2a0002c040: fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd 0x1c2a0002c050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x1c2a0002c060: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x1c2a0002c070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1c2a0002c080: 00 00 00 00 fc fc fc fc fc fc fc fc fc fc fc fc 0x1c2a0002c090: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==28827==ABORTING

Attachments
the patch (8.41 KB, patch) 2016-08-23 16:09 PDT, Filip Pizlo	ggaren: review+	Details Formatted Diff Diff
View All Add attachment proposed patch, testcase, etc.

Filip Pizlo

Comment 1 2016-08-23 15:18:07 PDT

Looking at this now.

Filip Pizlo

Comment 2 2016-08-23 15:37:51 PDT

I think I found the issue. RegExpConstructor is a large allocation! I'm working on a fix.

Filip Pizlo

Comment 3 2016-08-23 16:09:26 PDT

Created attachment 286800 [details] the patch

Geoffrey Garen

Comment 4 2016-08-23 16:13:29 PDT

Comment on attachment 286800 [details] the patch r=me

Filip Pizlo

Comment 5 2016-08-23 16:21:49 PDT

Landed in http://trac.webkit.org/changeset/204866

Note You need to log in before you can comment on or make changes to this bug.