RESOLVED CONFIGURATION CHANGED 164880
ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
https://bugs.webkit.org/show_bug.cgi?id=164880
Alexey Proskuryakov
Reported 2016-11-17 11:34:59 PST
Seen on bots. False positive?

Application Specific Information:
=================================================================
==41956==ERROR: AddressSanitizer: container-overflow on address 0x60c0003d0ad8 at pc 0x00011254bb2f bp 0x7000003a4930 sp 0x7000003a4928
READ of size 8 at 0x60c0003d0ad8 thread T1579
    #0 0x11254bb2e in void JSC::HeapUtil::findGCObjectPointersForMarking<void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&)::'lambda'(void*)>(JSC::Heap&, unsigned int, JSC::TinyBloomFilter, void*, JSC::CompositeMarkHook const&) (JavaScriptCore+0x228b2e)
    #1 0x11254b3d8 in void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&) (JavaScriptCore+0x2283d8)
    #2 0x112549b17 in void JSC::ConservativeRoots::genericAddSpan<JSC::CompositeMarkHook>(void*, void*, JSC::CompositeMarkHook&) (JavaScriptCore+0x226b17)
    #3 0x1125499bd in JSC::ConservativeRoots::add(void*, void*, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0x2269bd)
    #4 0x112e72334 in JSC::MachineThreads::gatherConservativeRoots(JSC::ConservativeRoots&, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0xb4f334)
    #5 0x11297da70 in JSC::Heap::markToFixpoint(double) (JavaScriptCore+0x65aa70)
    #6 0x1129836a2 in JSC::Heap::collectInThread() (JavaScriptCore+0x6606a2)
    #7 0x112989ce8 in JSC::Heap::Thread::work() (JavaScriptCore+0x666ce8)
    #8 0x113304785 in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (JavaScriptCore+0xfe1785)
    #9 0x113313b7d in WTF::threadEntryPoint(void*) (JavaScriptCore+0xff0b7d)
    #10 0x11331425d in WTF::wtfThreadEntryPoint(void*) (JavaScriptCore+0xff125d)
    #11 0x10eea799c in _pthread_body (libsystem_pthread.dylib+0x399c)
    #12 0x10eea7919 in _pthread_start (libsystem_pthread.dylib+0x3919)
    #13 0x10eea5350 in thread_start (libsystem_pthread.dylib+0x1350)

0x60c0003d0ad8 is located 88 bytes inside of 128-byte region [0x60c0003d0a80,0x60c0003d0b00)
allocated by thread T0 here:
    #0 0x10c8860b0 in wrap_malloc (libclang_rt.asan_iossim_dynamic.dylib+0x490b0)
    #1 0x11332ae1e in bmalloc::Allocator::allocateSlowCase(unsigned long) (JavaScriptCore+0x1007e1e)
    #2 0x1132c7875 in bmalloc::Allocator::allocate(unsigned long) (JavaScriptCore+0xfa4875)
    #3 0x112eab160 in WTF::VectorBufferBase<JSC::LargeAllocation*>::allocateBuffer(unsigned long) (JavaScriptCore+0xb88160)
    #4 0x112eab0d3 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (JavaScriptCore+0xb880d3)
    #5 0x112eab033 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, JSC::LargeAllocation**) (JavaScriptCore+0xb88033)
    #6 0x112eaaf21 in void WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<JSC::LargeAllocation*&>(JSC::LargeAllocation*&&&) (JavaScriptCore+0xb87f21)
    #7 0x112ea3a44 in JSC::MarkedSpace::tryAllocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80a44)
    #8 0x112ea3598 in JSC::MarkedSpace::allocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80598)
    #9 0x11234e42a in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSCell*, unsigned long, unsigned long, bool, unsigned long) (JavaScriptCore+0x2b42a)
    #10 0x112cb53ae in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSCell*, JSC::Structure*, unsigned long, unsigned long) (JavaScriptCore+0x9923ae)
    #11 0x112379209 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int) const (JavaScriptCore+0x56209)
    #12 0x112379099 in int JSC::Structure::add<bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)>(JSC::VM&, JSC::PropertyName, unsigned int, bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int) const&) (JavaScriptCore+0x56099)
    #13 0x112377ca3 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (JavaScriptCore+0x54ca3)
    #14 0x112caa690 in JSC::JSObject::putDirectCustomAccessor(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (JavaScriptCore+0x987690)
    #15 0x112cb0b9d in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (JavaScriptCore+0x98db9d)
    #16 0x112cac884 in JSC::JSObject::reifyAllStaticProperties(JSC::ExecState*) (JavaScriptCore+0x989884)
    #17 0x112c9d8cd in JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x97a8cd)
    #18 0x112cf5bc3 in JSC::JSSymbolTableObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x9d2bc3)
    #19 0x115f7f031 in WebCore::JSDOMWindow::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (WebCore+0x1313031)
    #20 0x112e5141f in llint_slow_path_del_by_id (JavaScriptCore+0xb2e41f)
    #21 0x112e6d03b in llint_entry (JavaScriptCore+0xb4a03b)
    #22 0x112e673ea in vmEntryToJavaScript (JavaScriptCore+0xb443ea)
    #23 0x112b26c6d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (JavaScriptCore+0x803c6d)
    #24 0x112a9dadc in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (JavaScriptCore+0x77aadc)
    #25 0x112546e46 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x223e46)
    #26 0x11254704e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x22404e)
    #27 0x1170811b3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebCore+0x24151b3)
    #28 0x117080e54 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (WebCore+0x2414e54)
    #29 0x117093d0d in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (WebCore+0x2427d0d)
Alexey Proskuryakov
Comment 1 2016-11-17 15:14:49 PST
Filip says that this is likely a real bug.
Radar WebKit Bug Importer
Comment 2 2016-11-17 15:15:30 PST
Alexey Proskuryakov
Comment 3 2017-01-18 14:20:46 PST
Hasn't happened since 2016-12-09.