Bug 305680
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | [TestWebKitAPI] WTF_RunLoop.Create: AddressSanitizer detects heap-use-after-free | | |
| Product: | WebKit | Reporter: | Fujii Hironori <fujii.hironori> |
| Component: | Tools / Tests | Assignee: | Nobody <webkit-unassigned> |
| Status: | RESOLVED FIXED | | |
| Severity: | Normal | CC: | webkit-bug-importer |
| Priority: | P2 | Keywords: | InRadar |
| Version: | WebKit Nightly Build | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
Fujii Hironori
```text
$ ./WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF --gtest_filter=WTF_RunLoop.Create
=================================================================
==771454==ERROR: AddressSanitizer: heap-use-after-free on address 0x50d0000005f0 at pc 0x55cfa85323a0 bp 0x7ffe5a2a0040 sp 0x7ffe5a2a0038
READ of size 8 at 0x50d0000005f0 thread T0
    #0 0x55cfa853239f in bool WTF::ThreadSafeWeakHashSet<WTF::Thread>::contains<WTF::Thread>(WTF::Thread const&) const requires std::is_convertible_v<TL0_*, WTF::Thread*> RunLoop.cpp
    #1 0x55cfa85316a4 in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #2 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #3 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #4 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #5 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #6 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #7 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #8 0x55cfa8a1267f in main main.cpp
    #9 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #10 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #11 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

0x50d0000005f0 is located 0 bytes inside of 144-byte region [0x50d0000005f0,0x50d000000680)
freed by thread T1 (reateTestThread) here:
    #0 0x55cfa7b260fa in free (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x61e0fa) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daf6e0 in pas_system_heap_free (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a76e0) (BuildId: 50714896e1c60e4c)
    #2 0x55cfa8df1c89 in pas_try_deallocate_slow_no_cache (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18e9c89) (BuildId: 50714896e1c60e4c)
    #3 0x55cfa8a28709 in WTF::fastFree(void*) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1520709) (BuildId: 50714896e1c60e4c)
    #4 0x55cfa7d2cf0b in void WTF::ThreadSafeWeakPtrControlBlock::strongDeref<WTF::Thread, (WTF::DestructionThread)0>() const CompletionHandlerTests.cpp
    #5 0x55cfa8dab89d in WTF::Thread::destructTLS(void*) ThreadingPOSIX.cpp
    #6 0x7fee3756d33f in __GI___nptl_deallocate_tsd nptl/nptl_deallocate_tsd.c:73:29
    #7 0x7fee3756d33f in __GI___nptl_deallocate_tsd nptl/nptl_deallocate_tsd.c:22:1
    #8 0x7fee3757088f in start_thread nptl/pthread_create.c:455:3

previously allocated by thread T0 here:
    #0 0x55cfa7b26393 in malloc (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x61e393) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daf180 in pas_system_heap_malloc (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a7180) (BuildId: 50714896e1c60e4c)
    #2 0x55cfa8db1ac4 in pas_system_heap_allocate(unsigned long, unsigned long, pas_allocation_mode) bmalloc_heap.c
    #3 0x55cfa8db1874 in bmalloc_allocate_impl_casual_case(unsigned long, unsigned long, pas_allocation_mode) bmalloc_heap.c
    #4 0x55cfa8db1348 in bmalloc_allocate_casual (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x18a9348) (BuildId: 50714896e1c60e4c)
    #5 0x55cfa8a25efa in WTF::fastMalloc(unsigned long) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x151defa) (BuildId: 50714896e1c60e4c)
    #6 0x55cfa8cdb7a6 in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x17d37a6) (BuildId: 50714896e1c60e4c)
    #7 0x55cfa8a6a887 in WTF::RunLoop::create(WTF::ASCIILiteral, WTF::ThreadType, WTF::Thread::QOS) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1562887) (BuildId: 50714896e1c60e4c)
    #8 0x55cfa853119d in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #9 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #10 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #11 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #12 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #13 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #14 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #15 0x55cfa8a1267f in main main.cpp
    #16 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #17 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #18 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

Thread T1 (reateTestThread) created by T0 here:
    #0 0x55cfa7b0bd65 in pthread_create (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x603d65) (BuildId: 50714896e1c60e4c)
    #1 0x55cfa8daa70a in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext&, std::optional<unsigned long>, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) ThreadingPOSIX.cpp
    #2 0x55cfa8cdbc4c in WTF::Thread::create(WTF::ASCIILiteral, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS, WTF::Thread::SchedulingPolicy) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x17d3c4c) (BuildId: 50714896e1c60e4c)
    #3 0x55cfa8a6a887 in WTF::RunLoop::create(WTF::ASCIILiteral, WTF::ThreadType, WTF::Thread::QOS) (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x1562887) (BuildId: 50714896e1c60e4c)
    #4 0x55cfa853119d in TestWebKitAPI::WTF_RunLoop_Create_Test::TestBody() RunLoop.cpp
    #5 0x7fee3a105c21 in testing::Test::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x7ec21) (BuildId: b2adffd6359f821c)
    #6 0x7fee3a108532 in testing::TestInfo::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x81532) (BuildId: b2adffd6359f821c)
    #7 0x7fee3a10a601 in testing::TestSuite::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0x83601) (BuildId: b2adffd6359f821c)
    #8 0x7fee3a13096c in testing::internal::UnitTestImpl::RunAllTests() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa996c) (BuildId: b2adffd6359f821c)
    #9 0x7fee3a12efdc in testing::UnitTest::Run() (/sdk/webkit/WebKitBuild/GTK/Release/lib/libgtest.so+0xa7fdc) (BuildId: b2adffd6359f821c)
    #10 0x55cfa7b5d190 in TestWebKitAPI::TestsController::run(int, char**) TestsController.cpp
    #11 0x55cfa8a1267f in main main.cpp
    #12 0x7fee374fe1c9 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #13 0x7fee374fe28a in __libc_start_main csu/../csu/libc-start.c:360:3
    #14 0x55cfa7a8d334 in _start (/home/fujii/wf/WebKitBuild/GTK/Release/bin/TestWebKitAPI/TestWTF+0x585334) (BuildId: 50714896e1c60e4c)

SUMMARY: AddressSanitizer: heap-use-after-free RunLoop.cpp in bool WTF::ThreadSafeWeakHashSet<WTF::Thread>::contains<WTF::Thread>(WTF::Thread const&) const requires std::is_convertible_v<TL0_*, WTF::Thread*>
Shadow bytes around the buggy address:
  0x50d000000300: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x50d000000380: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000400: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
  0x50d000000480: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
  0x50d000000500: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
=>0x50d000000580: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa[fd]fd
  0x50d000000600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x50d000000700: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
  0x50d000000780: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x50d000000800: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==771454==ABORTING
```
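The three stacks in the report describe one ordering: the Thread is allocated on T0 inside RunLoop::create, its last strong reference is dropped on T1 by Thread::destructTLS when that thread exits, and T0 then passes the already freed object by reference to ThreadSafeWeakHashSet::contains, which reads eight bytes from it. The C++ below is an added model of that ownership pattern and is not code from this bug or from WebKit: the Thread, ThreadSafeWeakThreadSet, Outcome and runScenario names are assumptions chosen to echo the report, and the remedy it shows (the caller keeping its own strong reference across the check, or locking a weak handle before touching the object) is the generic one, not necessarily what PR #56750 landed.

```cpp
// Added example, not WebKit code: a model of the lifetime hazard in the
// ASan report above. Names (Thread, ThreadSafeWeakThreadSet, runScenario)
// are assumptions that echo the report, not WTF's real classes.
#include <cstdio>
#include <memory>
#include <mutex>
#include <set>
#include <string>
#include <thread>
#include <utility>

struct Thread : std::enable_shared_from_this<Thread> {
    std::string name;
    explicit Thread(std::string n) : name(std::move(n)) {}
};

// A set of weak handles. contains(const T&) answers by reading the control
// block reachable from the object itself, so the argument must be alive.
class ThreadSafeWeakThreadSet {
public:
    void add(const std::shared_ptr<Thread>& t) {
        std::lock_guard<std::mutex> lock(m_mutex);
        m_set.insert(t);
    }
    // Unsafe if `t` has already been destroyed: weak_from_this() reads the
    // object, which corresponds to the READ of size 8 ASan flagged.
    bool contains(const Thread& t) {
        std::lock_guard<std::mutex> lock(m_mutex);
        return m_set.count(t.weak_from_this()) != 0;
    }
    // Caller-side guard: promote a weak handle first; a dead object is
    // reported as "not contained" instead of being read after free.
    bool containsIfAlive(const std::weak_ptr<Thread>& handle) {
        if (auto strong = handle.lock())
            return contains(*strong);
        return false;
    }
    // Drop entries whose object is gone; returns how many were removed.
    size_t purgeExpired() {
        std::lock_guard<std::mutex> lock(m_mutex);
        size_t removed = 0;
        for (auto it = m_set.begin(); it != m_set.end();) {
            if (it->expired()) { it = m_set.erase(it); ++removed; }
            else ++it;
        }
        return removed;
    }
private:
    std::mutex m_mutex;
    std::set<std::weak_ptr<Thread>, std::owner_less<>> m_set;
};

struct Outcome {
    bool containedWhileHeld;     // check made while the caller still owns a ref
    bool aliveAfterRelease;      // weak handle lockable once all refs are gone
    bool containedViaWeakCheck;  // guarded check made after the object died
    size_t purged;               // stale entries removed from the set
};

// The worker thread owns a strong reference that it drops on exit, as
// destructTLS does in the report. The caller must keep its own reference
// across any contains() call instead of saving a raw pointer or reference.
Outcome runScenario() {
    ThreadSafeWeakThreadSet allThreads;
    std::weak_ptr<Thread> observer;
    Outcome out{};
    {
        auto thread = std::make_shared<Thread>("CreateTestThread");
        allThreads.add(thread);
        observer = thread;
        std::thread worker([owned = thread] {
            // Thread body; `owned` is released when the callable is destroyed
            // on thread exit, like the TLS destructor in the report.
            (void)owned;
        });
        worker.join();
        // Safe: `thread` (the caller's own strong ref) keeps the object alive.
        out.containedWhileHeld = allThreads.contains(*thread);
    }   // last strong reference dropped here; the Thread is freed
    out.aliveAfterRelease = static_cast<bool>(observer.lock());
    // A `Thread&` saved earlier would be dangling now; only the weak handle
    // can be consulted safely.
    out.containedViaWeakCheck = allThreads.containsIfAlive(observer);
    out.purged = allThreads.purgeExpired();
    return out;
}

int main() {
    Outcome o = runScenario();
    std::printf("held=%d alive=%d weakCheck=%d purged=%zu\n",
        o.containedWhileHeld, o.aliveAfterRelease, o.containedViaWeakCheck, o.purged);
    return 0;
}
```

Build with -std=c++17 (add -pthread on older toolchains). runScenario() reports the object as contained while the caller's reference is held, not lockable and not contained once that reference is gone, and purgeExpired() then removes the single stale entry. Compiling the same program with -fsanitize=address and replacing the guarded check by contains(*rawPointer) saved before the scope ends reproduces the report's shape: allocation on the main thread, free on the worker's exit path, read on the main thread.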
Fujii Hironori
Pull request: https://github.com/WebKit/WebKit/pull/56750
EWS
Committed 305821@main (f5aeb1861506): <https://commits.webkit.org/305821@main>
Reviewed commits have been landed. Closing PR #56750 and removing active labels.
Radar WebKit Bug Importer
<rdar://problem/168444749>