[Webkit-unassigned] [Bug 164880] New: ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
bugzilla-daemon at webkit.org
Thu Nov 17 11:34:59 PST 2016
https://bugs.webkit.org/show_bug.cgi?id=164880
Bug ID: 164880
Summary: ASan detects container-overflow in HeapUtil::findGCObjectPointersForMarking
Classification: Unclassified
Product: WebKit
Version: Other
Hardware: Unspecified
OS: Unspecified
Status: NEW
Severity: Normal
Priority: P2
Component: JavaScriptCore
Assignee: webkit-unassigned at lists.webkit.org
Reporter: ap at webkit.org
CC: fpizlo at apple.com, ryanhaddad at apple.com
Seen on bots. False positive?
Application Specific Information:
=================================================================
==41956==ERROR: AddressSanitizer: container-overflow on address 0x60c0003d0ad8 at pc 0x00011254bb2f bp 0x7000003a4930 sp 0x7000003a4928
READ of size 8 at 0x60c0003d0ad8 thread T1579
#0 0x11254bb2e in void JSC::HeapUtil::findGCObjectPointersForMarking<void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&)::'lambda'(void*)>(JSC::Heap&, unsigned int, JSC::TinyBloomFilter, void*, JSC::CompositeMarkHook const&) (JavaScriptCore+0x228b2e)
#1 0x11254b3d8 in void JSC::ConservativeRoots::genericAddPointer<JSC::CompositeMarkHook>(void*, unsigned int, JSC::TinyBloomFilter, JSC::CompositeMarkHook&) (JavaScriptCore+0x2283d8)
#2 0x112549b17 in void JSC::ConservativeRoots::genericAddSpan<JSC::CompositeMarkHook>(void*, void*, JSC::CompositeMarkHook&) (JavaScriptCore+0x226b17)
#3 0x1125499bd in JSC::ConservativeRoots::add(void*, void*, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0x2269bd)
#4 0x112e72334 in JSC::MachineThreads::gatherConservativeRoots(JSC::ConservativeRoots&, JSC::JITStubRoutineSet&, JSC::CodeBlockSet&) (JavaScriptCore+0xb4f334)
#5 0x11297da70 in JSC::Heap::markToFixpoint(double) (JavaScriptCore+0x65aa70)
#6 0x1129836a2 in JSC::Heap::collectInThread() (JavaScriptCore+0x6606a2)
#7 0x112989ce8 in JSC::Heap::Thread::work() (JavaScriptCore+0x666ce8)
#8 0x113304785 in WTF::AutomaticThread::start(WTF::Locker<WTF::LockBase> const&)::$_0::operator()() const (JavaScriptCore+0xfe1785)
#9 0x113313b7d in WTF::threadEntryPoint(void*) (JavaScriptCore+0xff0b7d)
#10 0x11331425d in WTF::wtfThreadEntryPoint(void*) (JavaScriptCore+0xff125d)
#11 0x10eea799c in _pthread_body (libsystem_pthread.dylib+0x399c)
#12 0x10eea7919 in _pthread_start (libsystem_pthread.dylib+0x3919)
#13 0x10eea5350 in thread_start (libsystem_pthread.dylib+0x1350)
0x60c0003d0ad8 is located 88 bytes inside of 128-byte region [0x60c0003d0a80,0x60c0003d0b00)
allocated by thread T0 here:
#0 0x10c8860b0 in wrap_malloc (libclang_rt.asan_iossim_dynamic.dylib+0x490b0)
#1 0x11332ae1e in bmalloc::Allocator::allocateSlowCase(unsigned long) (JavaScriptCore+0x1007e1e)
#2 0x1132c7875 in bmalloc::Allocator::allocate(unsigned long) (JavaScriptCore+0xfa4875)
#3 0x112eab160 in WTF::VectorBufferBase<JSC::LargeAllocation*>::allocateBuffer(unsigned long) (JavaScriptCore+0xb88160)
#4 0x112eab0d3 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::reserveCapacity(unsigned long) (JavaScriptCore+0xb880d3)
#5 0x112eab033 in WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::expandCapacity(unsigned long, JSC::LargeAllocation**) (JavaScriptCore+0xb88033)
#6 0x112eaaf21 in void WTF::Vector<JSC::LargeAllocation*, 0ul, WTF::CrashOnOverflow, 16ul>::appendSlowCase<JSC::LargeAllocation*&>(JSC::LargeAllocation*&&&) (JavaScriptCore+0xb87f21)
#7 0x112ea3a44 in JSC::MarkedSpace::tryAllocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80a44)
#8 0x112ea3598 in JSC::MarkedSpace::allocateLarge(JSC::MarkedSpace::Subspace&, JSC::GCDeferralContext*, unsigned long) (JavaScriptCore+0xb80598)
#9 0x11234e42a in JSC::Butterfly::createUninitialized(JSC::VM&, JSC::JSCell*, unsigned long, unsigned long, bool, unsigned long) (JavaScriptCore+0x2b42a)
#10 0x112cb53ae in JSC::Butterfly::createOrGrowPropertyStorage(JSC::Butterfly*, JSC::VM&, JSC::JSCell*, JSC::Structure*, unsigned long, unsigned long) (JavaScriptCore+0x9923ae)
#11 0x112379209 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)::operator()(JSC::GCSafeConcurrentJSLocker const&, int) const (JavaScriptCore+0x56209)
#12 0x112379099 in int JSC::Structure::add<bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int)>(JSC::VM&, JSC::PropertyName, unsigned int, bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&)::'lambda'(JSC::GCSafeConcurrentJSLocker const&, int) const&) (JavaScriptCore+0x56099)
#13 0x112377ca3 in bool JSC::JSObject::putDirectInternal<(JSC::JSObject::PutMode)1>(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int, JSC::PutPropertySlot&) (JavaScriptCore+0x54ca3)
#14 0x112caa690 in JSC::JSObject::putDirectCustomAccessor(JSC::VM&, JSC::PropertyName, JSC::JSValue, unsigned int) (JavaScriptCore+0x987690)
#15 0x112cb0b9d in JSC::reifyStaticProperty(JSC::VM&, JSC::PropertyName const&, JSC::HashTableValue const&, JSC::JSObject&) (JavaScriptCore+0x98db9d)
#16 0x112cac884 in JSC::JSObject::reifyAllStaticProperties(JSC::ExecState*) (JavaScriptCore+0x989884)
#17 0x112c9d8cd in JSC::JSObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x97a8cd)
#18 0x112cf5bc3 in JSC::JSSymbolTableObject::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (JavaScriptCore+0x9d2bc3)
#19 0x115f7f031 in WebCore::JSDOMWindow::deleteProperty(JSC::JSCell*, JSC::ExecState*, JSC::PropertyName) (WebCore+0x1313031)
#20 0x112e5141f in llint_slow_path_del_by_id (JavaScriptCore+0xb2e41f)
#21 0x112e6d03b in llint_entry (JavaScriptCore+0xb4a03b)
#22 0x112e673ea in vmEntryToJavaScript (JavaScriptCore+0xb443ea)
#23 0x112b26c6d in JSC::JITCode::execute(JSC::VM*, JSC::ProtoCallFrame*) (JavaScriptCore+0x803c6d)
#24 0x112a9dadc in JSC::Interpreter::execute(JSC::ProgramExecutable*, JSC::ExecState*, JSC::JSObject*) (JavaScriptCore+0x77aadc)
#25 0x112546e46 in JSC::evaluate(JSC::ExecState*, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x223e46)
#26 0x11254704e in JSC::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (JavaScriptCore+0x22404e)
#27 0x1170811b3 in WebCore::JSMainThreadExecState::profiledEvaluate(JSC::ExecState*, JSC::ProfilingReason, JSC::SourceCode const&, JSC::JSValue, WTF::NakedPtr<JSC::Exception>&) (WebCore+0x24151b3)
#28 0x117080e54 in WebCore::ScriptController::evaluateInWorld(WebCore::ScriptSourceCode const&, WebCore::DOMWrapperWorld&, WebCore::ExceptionDetails*) (WebCore+0x2414e54)
#29 0x117093d0d in WebCore::ScriptElement::executeScript(WebCore::ScriptSourceCode const&) (WebCore+0x2427d0d)