Bug 236001 - Workaround ASAN false positive stack-buffer-underflow bmalloc_allocate_impl_casual_case
Status: RESOLVED FIXED
Alias: None
Product: WebKit
Classification: Unclassified
Component: bmalloc
Version: Other
Hardware: Unspecified
OS: Unspecified
Importance: P2 Normal
Assignee: David Kilzer (:ddkilzer)
URL:
Keywords: InRadar
Depends on:
Blocks: 244560
Reported: 2022-02-01 21:59 PST by Kimmo Kinnunen
Modified: 2022-08-30 17:11 PDT (History)

See Also:


Attachments
Patch (1.58 KB, patch)
2022-02-01 22:11 PST, Kimmo Kinnunen
Patch (1.53 KB, patch)
2022-02-01 23:08 PST, Kimmo Kinnunen
Patch v2 (2.21 KB, patch)
2022-02-02 16:39 PST, David Kilzer (:ddkilzer)
Patch v3 (2.23 KB, patch)
2022-02-03 13:42 PST, David Kilzer (:ddkilzer)
Patch v4 (5.85 KB, patch)
2022-02-15 19:29 PST, David Kilzer (:ddkilzer)

Description Kimmo Kinnunen 2022-02-01 21:59:19 PST
ASAN false positive stack-buffer-underflow bmalloc_allocate_impl_casual_case
Comment 1 Radar WebKit Bug Importer 2022-02-01 21:59:52 PST
<rdar://problem/88364275>
Comment 2 Kimmo Kinnunen 2022-02-01 22:00:32 PST
see also <rdar://87613908>
Comment 3 Kimmo Kinnunen 2022-02-01 22:11:39 PST
Created attachment 450611 [details]
Patch
Comment 4 Kimmo Kinnunen 2022-02-01 23:08:52 PST
Created attachment 450613 [details]
Patch
Comment 5 David Kilzer (:ddkilzer) 2022-02-02 02:15:48 PST
Comment on attachment 450613 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450613&action=review

> Source/bmalloc/Configurations/bmalloc.xcconfig:36
> +BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS_YES = -fno-sanitize-address-use-after-scope;
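Review bot: Adding -fno-sanitize-address-use-after-scope to the project-wide BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS_YES switches off stack-use-after-scope detection for every translation unit in bmalloc, so a real use-after-scope bug anywhere in the project would go unreported, not just the false positive in bmalloc_allocate_impl_casual_case. Narrowing the flag to the affected source or function, and noting in the comment which compiler versions need it, would keep the rest of the project's ASan coverage and make the workaround easy to retire once the compiler bug is fixed.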

This will turn it off for all ASan builds on older clang versions, not just the affected versions of clang.

We should figure out how to only enable this on given versions of Xcode or the SDK.  Just need to find an example of how to do this in other xcconfig files.

(I’m not actually awake. :)
Comment 6 David Kilzer (:ddkilzer) 2022-02-02 15:33:21 PST
Comment on attachment 450613 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=450613&action=review

>> Source/bmalloc/Configurations/bmalloc.xcconfig:36
>> +BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS_YES = -fno-sanitize-address-use-after-scope;
> 
> This will turn it off for all ASan builds on older clang versions, not just the affected versions of clang.
> 
> We should figure out how to only enable this on given versions of Xcode or the SDK.  Just need to find an example of how to do this in other xcconfig files.
> 
> (I’m not actually awake. :)

Modeling this after the `WK_XCODE_SUPPORTS_LTO` variables in Source/bmalloc/Configurations/Base.xcconfig should work here.  Something like this:

OTHER_CFLAGS = $(inherited) $(BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS);

// Workaround a false positive <https://bugs.webkit.org/show_bug.cgi?id=236001>.
BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS = $(BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS_$(WK_WORKAROUND_ASAN_USE_AFTER_SCOPE));
BMALLOC_ADDRESS_SANITIZER_OTHER_CFLAGS_YES = -fno-sanitize-address-use-after-scope;

WK_WORKAROUND_ASAN_USE_AFTER_SCOPE = $(WK_NOT_$(WK_XCODE_VERSION_BEFORE_13_3_$(XCODE_VERSION_MAJOR)));

WK_XCODE_VERSION_BEFORE_13_3_0800 = YES;
WK_XCODE_VERSION_BEFORE_13_3_0900 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1000 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1100 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1200 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1300 = $(WK_XCODE_VERSION_BEFORE_13_3_1300_$(XCODE_VERSION_MINOR));
WK_XCODE_VERSION_BEFORE_13_3_1300_1300 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1300_1310 = YES;
WK_XCODE_VERSION_BEFORE_13_3_1300_1320 = YES;
Comment 7 David Kilzer (:ddkilzer) 2022-02-02 15:34:58 PST
When the bug is fixed, we'll have to add another clause for the fixed-in version.
Comment 8 David Kilzer (:ddkilzer) 2022-02-02 16:39:26 PST
Created attachment 450717 [details]
Patch v2
Comment 9 David Kilzer (:ddkilzer) 2022-02-03 08:52:10 PST
Confirmed that this only
Comment 10 David Kilzer (:ddkilzer) 2022-02-03 08:54:03 PST
(In reply to David Kilzer (:ddkilzer) from comment #9)
> Confirmed that this only

... adds -fno-sanitize-address-use-after-scope when compiling the bmalloc project.

Hmm... I probably need to only enable this for ASan builds, though.  "Patch v2" is enabling it for all builds.

Might also be able to move this to Tools/sanitizer/asan.xcconfig using the project name to enable it.
Comment 11 David Kilzer (:ddkilzer) 2022-02-03 13:42:43 PST
Created attachment 450812 [details]
Patch v3
Comment 12 David Kilzer (:ddkilzer) 2022-02-03 13:46:48 PST
(In reply to David Kilzer (:ddkilzer) from comment #11)
> Created attachment 450812 [details]
> Patch v3

Moved the workaround to Tools/sanitizer/asan.xcconfig so that it's only applied when building with ASan, and limited it to the bmalloc project via $(PRODUCT_NAME).
Comment 13 Darin Adler 2022-02-03 13:54:25 PST
(In reply to David Kilzer (:ddkilzer) from comment #12)
> limited it to the bmalloc project via $(PRODUCT_NAME).

Great! Just makes me wonder if we could easily make it just the one source file (kidding, kind of).
Comment 14 David Kilzer (:ddkilzer) 2022-02-03 17:15:44 PST
Comment on attachment 450812 [details]
Patch v3

Just tested this and the bug still reproduces with this change.  I think the change may need to include JavaScriptCore as well.

Doing more testing.
Comment 15 Kimmo Kinnunen 2022-02-14 03:16:57 PST
Comment on attachment 450812 [details]
Patch v3

View in context: https://bugs.webkit.org/attachment.cgi?id=450812&action=review

> Tools/sanitizer/asan.xcconfig:9
> +WK_ADDRESS_SANITIZER_OTHER_CPLUSPLUSFLAGS_YES = -U_LIBCPP_HAS_NO_ASAN $(WK_NEEDS_ASAN_USE_AFTER_SCOPE_WORKAROUND_FOR_$(PRODUCT_NAME)_$(WK_NEEDS_ASAN_USE_AFTER_SCOPE_WORKAROUND));
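Review bot: C sources in the bmalloc product (libpas, e.g. pas_simple_large_free_heap.c) do not receive this flag, because WK_ADDRESS_SANITIZER_OTHER_CPLUSPLUSFLAGS_YES only feeds C++ compilations; the $(WK_NEEDS_ASAN_USE_AFTER_SCOPE_WORKAROUND_FOR_$(PRODUCT_NAME)_...) expansion needs to go into the OTHER_CFLAGS counterpart (or both) for the workaround to reach the .c files where the report originates.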

I don't think CPLUSPLUSFLAGS applies for libpas, it's C code?
Maybe this is why it's still reproing for you.
Comment 16 David Kilzer (:ddkilzer) 2022-02-15 19:26:07 PST
Comment on attachment 450812 [details]
Patch v3

View in context: https://bugs.webkit.org/attachment.cgi?id=450812&action=review

>> Tools/sanitizer/asan.xcconfig:9
>> +WK_ADDRESS_SANITIZER_OTHER_CPLUSPLUSFLAGS_YES = -U_LIBCPP_HAS_NO_ASAN $(WK_NEEDS_ASAN_USE_AFTER_SCOPE_WORKAROUND_FOR_$(PRODUCT_NAME)_$(WK_NEEDS_ASAN_USE_AFTER_SCOPE_WORKAROUND));
> 
> I don't think CPLUSPLUSFLAGS applies for libpas, it's C code?
> Maybe this is why it's still reproing for you.

This is probably correct.  I have a more targeted workaround for "v4" now.
Comment 17 David Kilzer (:ddkilzer) 2022-02-15 19:29:25 PST
Created attachment 452125 [details]
Patch v4
Comment 18 David Kilzer (:ddkilzer) 2022-02-15 19:30:48 PST
(In reply to David Kilzer (:ddkilzer) from comment #17)
> Created attachment 452125 [details]
> Patch v4

This is the super-targeted fix for the specific function having the issue, and only with specific versions of Xcode.
Comment 19 David Kilzer (:ddkilzer) 2022-02-16 07:35:23 PST
Comment on attachment 452125 [details]
Patch v4

Adding cq+ since this doesn't change how the code is compiled unless ASan is enabled.
Comment 20 David Kilzer (:ddkilzer) 2022-02-16 07:37:56 PST
(In reply to David Kilzer (:ddkilzer) from comment #19)
> Comment on attachment 452125 [details]
> Patch v4
> 
> Adding cq+ since this doesn't change how the code is compiled unless ASan is
> enabled.

This change doesn't even impact the Windows build, so the win test failures are flaky tests.
Comment 21 EWS 2022-02-16 10:12:09 PST
Committed r289904 (247337@main): <https://commits.webkit.org/247337@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 452125 [details].
Comment 22 Kimmo Kinnunen 2022-03-03 07:26:26 PST
Still seeing this

==40555==ERROR: AddressSanitizer: stack-use-after-scope on address 0x700004b81480 at pc 0x0004a7527ae3 bp 0x700004b80c30 sp 0x700004b80c28
READ of size 72 at 0x700004b81480 thread T321
    #0 0x4a7527ae2 in try_allocate_without_fixing pas_simple_large_free_heap.c:396
    #1 0x4a7523b85 in pas_simple_large_free_heap_try_allocate pas_simple_large_free_heap.c:472
    #2 0x4a74e5374 in pas_large_heap_physical_page_sharing_cache_try_allocate_with_alignment pas_large_heap_physical_page_sharing_cache.c:188
    #3 0x4a74a2f64 in jit_aligned_allocator jit_heap_config.c:260
    #4 0x4a74e5089 in aligned_allocator pas_large_heap.c:69
    #5 0x4a74d4117 in pas_fast_large_free_heap_try_allocate pas_fast_large_free_heap.c:422
    #6 0x4a74e3717 in allocate_impl pas_large_heap.c:125
    #7 0x4a74e3ac6 in pas_large_heap_try_allocate pas_large_heap.c:174
    #8 0x4a74a903d in jit_heap_config_specialized_try_allocate_common_impl_slow jit_heap_config.c:375
    #9 0x4a749158c in jit_try_allocate_common_primitive_impl_impl_slow jit_heap.c:65
    #10 0x4a74912bd in jit_try_allocate_common_primitive_impl_casual_case jit_heap.c:65
    #11 0x4a7490239 in jit_heap_try_allocate jit_heap.c:81
    #12 0x4a9c224cf in JSC::ExecutableMemoryHandle::createImpl(unsigned long) ExecutableAllocator.cpp:1221
    #13 0x4a9c21bd1 in JSC::FixedVMPoolExecutableAllocator::allocate(unsigned long) ExecutableAllocator.cpp:489
    #14 0x4a9c21538 in JSC::ExecutableAllocator::allocate(unsigned long, JSC::JITCompilationEffort) ExecutableAllocator.cpp:1047
    #15 0x4a83f527c in JSC::LinkBuffer::allocate(JSC::MacroAssembler&, JSC::JITCompilationEffort) LinkBuffer.cpp:444
    #16 0x4a83f4da9 in JSC::LinkBuffer::linkCode(JSC::MacroAssembler&, JSC::JITCompilationEffort) LinkBuffer.cpp:399
    #17 0x4a84156a9 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort) LinkBuffer.h:126
    #18 0x4a8411e88 in JSC::LinkBuffer::LinkBuffer(JSC::MacroAssembler&, void*, JSC::LinkBuffer::Profile, JSC::JITCompilationEffort) LinkBuffer.h:124
    #19 0x4a9c56dda in JSC::JIT::compileAndLinkWithoutFinalizing(JSC::JITCompilationEffort) JIT.cpp:865
    #20 0x4a9c03f0e in JSC::BaselineJITPlan::compileInThreadImpl() BaselineJITPlan.cpp:48
    #21 0x4a9e79cb1 in JSC::JITPlan::compileInThread(JSC::JITWorklistThread*) JITPlan.cpp:170
    #22 0x4aa129dd1 in JSC::JITWorklistThread::work() JITWorklistThread.cpp:123
    #23 0x4a72357d0 in WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0::operator()() const AutomaticThread.cpp:229
    #24 0x4a72350fc in WTF::Detail::CallableWrapper<WTF::AutomaticThread::start(WTF::AbstractLocker const&)::$_0, void>::call() Function.h:53
    #25 0x4a725195a in WTF::Function<void ()>::operator()() const Function.h:82
    #26 0x4a73670b6 in WTF::Thread::entryPoint(WTF::Thread::NewThreadContext*) Threading.cpp:235
    #27 0x4a7372678 in WTF::wtfThreadEntryPoint(void*) ThreadingPOSIX.cpp:242
    #28 0x7fff71a094e0 in _pthread_start+0x7c (libsystem_pthread.dylib:x86_64+0x64e0)
    #29 0x7fff71a04f6a in thread_start+0xe (libsystem_pthread.dylib:x86_64+0x1f6a)

Address 0x700004b81480 is located in stack of thread T321 at offset 2112 in frame
    #0 0x4a7523bbf in try_allocate_without_fixing pas_simple_large_free_heap.c:393

  This frame has 26 object(s):
    [32, 56) 'left_free.i165' (line 292)
    [96, 168) 'tmp.i114'
    [208, 256) 'tmp8.i115'
    [288, 336) 'tmp24.i'
    [368, 416) 'tmp31.i'
    [448, 472) 'candidate.i5760113'
    [512, 584) 'candidate_result.i61'
    [624, 696) 'tmp.i'
    [736, 760) 'candidate.i5760'
    [800, 824) 'new_free.i600.i'
    [864, 888) 'new_free.i571.i'
    [928, 952) 'new_free.i.i'
    [992, 1064) 'tmp.i.i'
    [1104, 1152) 'tmp8.i.i'
    [1184, 1232) 'tmp24.i.i'
    [1264, 1312) 'tmp31.i.i'
    [1344, 1416) 'best.i'
    [1456, 1576) 'test_allocation_candidate_data.i'
    [1616, 1672) 'page_allocation.i'
    [1712, 1736) 'candidate.i'
    [1776, 1848) 'candidate_result.i'
    [1888, 1912) 'merged.i'
    [1952, 2008) 'tmp13.i'
    [2048, 2072) 'new_free.i'
    [2112, 2184) 'tmp66.i' <== Memory access at offset 2112 is inside this variable
    [2224, 2272) 'additions.i'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
Thread T321 created by T0 here:
    #0 0x47850cd9c in wrap_pthread_create+0x5c (libclang_rt.asan_iossim_dynamic.dylib:x86_64+0x3bd9c)
    #1 0x4a7372540 in WTF::Thread::establishHandle(WTF::Thread::NewThreadContext*, std::__1::optional<unsigned long>, WTF::Thread::QOS) ThreadingPOSIX.cpp:292
    #2 0x4a7367395 in WTF::Thread::create(char const*, WTF::Function<void ()>&&, WTF::ThreadType, WTF::Thread::QOS) Threading.cpp:251
    #3 0x4a7230788 in WTF::AutomaticThread::start(WTF::AbstractLocker const&) AutomaticThread.cpp:171
    #4 0x4a72303ba in WTF::AutomaticThreadCondition::notifyOne(WTF::AbstractLocker const&) AutomaticThread.cpp:60
    #5 0x4aa110377 in JSC::JITWorklist::enqueue(WTF::Ref<JSC::JITPlan, WTF::RawPtrTraits<JSC::JITPlan> >) JITWorklist.cpp:96
    #6 0x4a9412d08 in JSC::DFG::compileImpl(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc> > const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback> >&&) DFGDriver.cpp:90
    #7 0x4a94128a3 in JSC::DFG::compile(JSC::VM&, JSC::CodeBlock*, JSC::CodeBlock*, JSC::JITCompilationMode, JSC::BytecodeIndex, JSC::Operands<std::__1::optional<JSC::JSValue>, WTF::Vector<std::__1::optional<JSC::JSValue>, 0ul, WTF::UnsafeVectorOverflow, 16ul, WTF::FastMalloc> > const&, WTF::Ref<JSC::DeferredCompilationCallback, WTF::RawPtrTraits<JSC::DeferredCompilationCallback> >&&) DFGDriver.cpp:106
    #8 0x4a9db7be1 in operationOptimize JITOperations.cpp:2001
    #9 0x21a0e5a1c0f3  (<unknown module>)
    #10 0x21a0e5adbcd3  (<unknown module>)
    #11 0x21a0e5adbcd3  (<unknown module>)
    #12 0x21a0e5adbcd3  (<unknown module>)
    #13 0x21a0e5adbcd3  (<unknown module>)
    #14 0x21a0e5c080a1  (<unknown module>)
    #15 0x21a0e5bf7977  (<unknown module>)
    #16 0x4a81ef43b in llint_entry LowLevelInterpreter.asm:1171
    #17 0x4a81d21d8 in vmEntryToJavaScript LowLevelInterpreter64.asm:351
    #18 0x4a9bd9581 in JSC::Interpreter::executeProgram(JSC::SourceCode const&, JSC::JSGlobalObject*, JSC::JSObject*) Interpreter.cpp:977
    #19 0x4aa620572 in JSC::evaluate(JSC::JSGlobalObject*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:137
    #20 0x4aa62082b in JSC::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) Completion.cpp:152
    #21 0x4ce9bc9df in WebCore::JSExecState::profiledEvaluate(JSC::JSGlobalObject*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) JSExecState.h:104
    #22 0x4ce9bc17c in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) ScriptController.cpp:152
    #23 0x4ce9bbcf1 in WebCore::ScriptController::evaluateInWorldIgnoringException(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&) ScriptController.cpp:119
    #24 0x4ce9bcbbf in WebCore::ScriptController::evaluateIgnoringException(WebCore::ScriptSourceCode const&) ScriptController.cpp:171
    #25 0x4cf4ceba7 in WebCore::ScriptElement::executeClassicScript(WebCore::ScriptSourceCode const&) ScriptElement.cpp:400
    #26 0x4cf4cb3a2 in WebCore::ScriptElement::prepareScript(WTF::TextPosition const&, WebCore::ScriptElement::LegacyTypeSupport) ScriptElement.cpp:283
    #27 0x4cfbaee68 in WebCore::HTMLScriptRunner::runScript(WebCore::ScriptElement&, WTF::TextPosition const&) HTMLScriptRunner.cpp:250
    #28 0x4cfbaeb56 in WebCore::HTMLScriptRunner::execute(WTF::Ref<WebCore::ScriptElement, WTF::RawPtrTraits<WebCore::ScriptElement> >&&, WTF::TextPosition const&) HTMLScriptRunner.cpp:140
    #29 0x4cfb8937f in WebCore::HTMLDocumentParser::runScriptsForPausedTreeBuilder() HTMLDocumentParser.cpp:241
    #30 0x4cfb898ba in WebCore::HTMLDocumentParser::pumpTokenizerLoop(WebCore::HTMLDocumentParser::SynchronousMode, bool, WebCore::PumpSession&) HTMLDocumentParser.cpp:261
    #31 0x4cfb889df in WebCore::HTMLDocumentParser::pumpTokenizer(WebCore::HTMLDocumentParser::SynchronousMode) HTMLDocumentParser.cpp:306
    #32 0x4cfb88578 in WebCore::HTMLDocumentParser::pumpTokenizerIfPossible(WebCore::HTMLDocumentParser::SynchronousMode) HTMLDocumentParser.cpp:193
    #33 0x4cfb8a7d0 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&, WebCore::HTMLDocumentParser::SynchronousMode) HTMLDocumentParser.cpp:431
    #34 0x4cfb8a4d5 in WebCore::HTMLDocumentParser::append(WTF::RefPtr<WTF::StringImpl, WTF::RawPtrTraits<WTF::StringImpl>, WTF::DefaultRefDerefTraits<WTF::StringImpl> >&&) HTMLDocumentParser.cpp:391
    #35 0x4cf24874b in WebCore::DecodedDataDocumentParser::appendBytes(WebCore::DocumentWriter&, unsigned char const*, unsigned long) DecodedDataDocumentParser.cpp:50
    #36 0x4d01033af in WebCore::DocumentWriter::addData(WebCore::SharedBuffer const&) DocumentWriter.cpp:276
    #37 0x4d00f89aa in WebCore::DocumentLoader::commitData(WebCore::SharedBuffer const&) DocumentLoader.cpp:1314
    #38 0x48d5037a2 in WebKit::WebFrameLoaderClient::committedLoad(WebCore::DocumentLoader*, WebCore::SharedBuffer const&) WebFrameLoaderClient.cpp:1163
    #39 0x4d01016d7 in WebCore::DocumentLoader::commitLoad(WebCore::SharedBuffer const&) DocumentLoader.cpp:1178
    #40 0x4d0103511 in WebCore::DocumentLoader::dataReceived(WebCore::SharedBuffer const&) DocumentLoader.cpp:1346
    #41 0x4d010342b in WebCore::DocumentLoader::dataReceived(WebCore::CachedResource&, WebCore::SharedBuffer const&) DocumentLoader.cpp:1320
    #42 0x4d02e0772 in WebCore::CachedRawResource::notifyClientsDataWasReceived(WebCore::SharedBuffer const&) CachedRawResource.cpp:145
    #43 0x4d02e03c2 in WebCore::CachedRawResource::updateBuffer(WebCore::FragmentedSharedBuffer const&) CachedRawResource.cpp:81
    #44 0x4d0253b39 in WebCore::SubresourceLoader::didReceiveBuffer(WebCore::FragmentedSharedBuffer const&, long long, WebCore::DataPayloadType) SubresourceLoader.cpp:545
    #45 0x4d022b085 in WebCore::ResourceLoader::didReceiveData(WebCore::SharedBuffer const&, long long, WebCore::DataPayloadType) ResourceLoader.cpp:559
    #46 0x48d37693e in WebKit::WebResourceLoader::didReceiveData(IPC::SharedBufferCopy const&, long long) WebResourceLoader.cpp:238
    #47 0x48dd86acc in void IPC::callMemberFunctionImpl<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long), std::__1::tuple<IPC::SharedBufferCopy, long long>, 0ul, 1ul>(WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long), std::__1::tuple<IPC::SharedBufferCopy, long long>&&, std::__1::integer_sequence<unsigned long, 0ul, 1ul>) HandleMessage.h:125
    #48 0x48dd86a38 in void IPC::callMemberFunction<WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long), std::__1::tuple<IPC::SharedBufferCopy, long long>, std::__1::integer_sequence<unsigned long, 0ul, 1ul> >(std::__1::tuple<IPC::SharedBufferCopy, long long>&&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long)) HandleMessage.h:131
    #49 0x48dd81394 in void IPC::handleMessage<Messages::WebResourceLoader::DidReceiveData, WebKit::WebResourceLoader, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long)>(IPC::Connection&, IPC::Decoder&, WebKit::WebResourceLoader*, void (WebKit::WebResourceLoader::*)(IPC::SharedBufferCopy const&, long long)) HandleMessage.h:196
    #50 0x48dd80aec in WebKit::WebResourceLoader::didReceiveWebResourceLoaderMessage(IPC::Connection&, IPC::Decoder&) WebResourceLoaderMessageReceiver.cpp:74
    #51 0x48d35fbe6 in WebKit::NetworkProcessConnection::didReceiveMessage(IPC::Connection&, IPC::Decoder&) NetworkProcessConnection.cpp:102
    #52 0x48c20fcf7 in IPC::Connection::dispatchMessage(IPC::Decoder&) Connection.cpp:1092
    #53 0x48c210757 in IPC::Connection::dispatchMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >) Connection.cpp:1137
    #54 0x48c2112c5 in IPC::Connection::dispatchOneIncomingMessage() Connection.cpp:1206
    #55 0x48c22e275 in IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15::operator()() Connection.cpp:1056
    #56 0x48c22e1dc in WTF::Detail::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::__1::unique_ptr<IPC::Decoder, std::__1::default_delete<IPC::Decoder> >)::$_15, void>::call() Function.h:53
    #57 0x4a725195a in WTF::Function<void ()>::operator()() const Function.h:82
    #58 0x4a7311fd7 in WTF::RunLoop::performWork() RunLoop.cpp:133
    #59 0x4a7315589 in WTF::RunLoop::performWork(void*) RunLoopCF.cpp:46
    #60 0x7fff2037490e in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__+0x10 (CoreFoundation:x86_64+0x8290e)
    #61 0x7fff20374806 in __CFRunLoopDoSource0+0xb3 (CoreFoundation:x86_64+0x82806)
    #62 0x7fff20373cd3 in __CFRunLoopDoSources0+0xf1 (CoreFoundation:x86_64+0x81cd3)
    #63 0x7fff2036e3cf in __CFRunLoopRun+0x366 (CoreFoundation:x86_64+0x7c3cf)
    #64 0x7fff2036db6b in CFRunLoopRunSpecific+0x231 (CoreFoundation:x86_64+0x7bb6b)
    #65 0x7fff20828860 in -[NSRunLoop(NSRunLoop) runMode:beforeDate:]+0xd4 (Foundation:x86_64+0x123860)
    #66 0x7fff20828a7e in -[NSRunLoop(NSRunLoop) run]+0x4b (Foundation:x86_64+0x123a7e)
    #67 0x7fff2006afea in _xpc_objc_main+0x1b7 (libxpc.dylib:x86_64+0x12fea)
    #68 0x7fff2006cfd3 in xpc_main+0x79 (libxpc.dylib:x86_64+0x14fd3)
    #69 0x48b93f60f in WebKit::XPCServiceMain(int, char const**) XPCServiceMain.mm:223
    #70 0x48df69da8 in WKXPCServiceMain WKMain.mm:35
    #71 0x104465cc8 in main AuxiliaryProcessMain.cpp:30
    #72 0x47820bf20  (<unknown module>)
    #73 0x1141ec51d in start+0x1cd (dyld:x86_64+0x551d)

SUMMARY: AddressSanitizer: stack-use-after-scope pas_simple_large_free_heap.c:396 in try_allocate_without_fixing
Shadow bytes around the buggy address:
  0x0e04e6630240: 00 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2
  0x0e04e6630250: f2 f2 00 00 00 00 00 00 00 f2 f2 f2 f2 f2 00 00
  0x0e04e6630260: 00 f2 f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 f2
  0x0e04e6630270: f2 f2 f2 f2 00 00 00 f2 f2 f2 f2 f2 f8 f8 f8 f8
  0x0e04e6630280: f8 f8 f8 f2 f2 f2 f2 f2 f8 f8 f8 f2 f2 f2 f2 f2
=>0x0e04e6630290:[f8]f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f8 f8
  0x0e04e66302a0: f8 f8 f8 f8 f3 f3 f3 f3 00 00 00 00 00 00 00 00
  0x0e04e66302b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0e04e66302c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0e04e66302d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0e04e66302e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==40555==ABORTING
com.apple.WebKit.WebContent.Development terminated (pid 40555) because the process crashed
Comment 23 David Kilzer (:ddkilzer) 2022-08-30 17:11:34 PDT
This should cover remaining issues:

Bug 244560: Workaround ASAN false positive stack-buffer-underflow in pas_fast_large_free_heap_try_allocate