
[CrashManager] Mac ASan stacks are not parsed correctly

Status: Open. nth10sd opened this issue 6 years ago; 1 comment.

Process:               js-dbg-64-dm-asan-darwin-x86_64-b0124f065629 [67162]
Path:                  /Users/USER/*/js-dbg-64-dm-asan-darwin-x86_64-b0124f065629
Identifier:            js-dbg-64-dm-asan-darwin-x86_64-b0124f065629
Version:               0
Code Type:             X86-64 (Native)
Parent Process:        Python [88376]
Responsible:           js-dbg-64-dm-asan-darwin-x86_64-b0124f065629 [67162]
User ID:               501

Date/Time:             2019-07-31 21:47:33.335 -0700
OS Version:            Mac OS X 10.14.6 (18G84)
Report Version:        12
Bridge OS Version:     3.6 (16P6568)
Anonymous UUID:        739364E3-B0DE-78EC-9A45-120F92413713

Sleep/Wake UUID:       C4F544A8-8F8A-4B0E-A718-43DDD9A60A1A

Time Awake Since Boot: 50000 seconds
Time Since Wake:       19000 seconds

System Integrity Protection: enabled

Crashed Thread:        4  JS Helper

Exception Type:        EXC_BAD_ACCESS (SIGABRT)
Exception Codes:       KERN_INVALID_ADDRESS at 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

VM Regions Near 0:
-->
__TEXT                 000000010a80b000-000000010edc5000 [ 69.7M] r-x/rwx SM=COW  /Users/USER/*

Application Specific Information:
dyld2 mode
=================================================================
==67162==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010aed64e4 bp 0x70000c009970 sp 0x70000c0098a0 T5)
==67162==The signal is caused by a WRITE memory access.
==67162==Hint: address points to the zero page.
#0 0x10aed64e3 in js::GlobalHelperThreadState::getFirstUnusedContext(js::AutoLockHelperThreadState&) JSContext.h:197
#1 0x10aed5ccf in js::AutoSetHelperThreadContext::AutoSetHelperThreadContext() HelperThreads.cpp:475
#2 0x10d067a55 in js::jit::IonBuilder::runTask() IonBuilder.cpp:1146
#3 0x10aef77f7 in js::HelperThread::handleIonWorkload(js::AutoLockHelperThreadState&) HelperThreads.cpp:2180
#4 0x10aef5129 in js::HelperThread::threadLoop() HelperThreads.cpp:2563
#5 0x10aee192c in js::HelperThread::ThreadMain(void*) HelperThreads.cpp:2083
#6 0x10afa440a in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) Thread.h:239
#7 0x7fff7a3ab2ea in _pthread_body (libsystem_pthread.dylib:x86_64+0x32ea)
#8 0x7fff7a3ae248 in _pthread_start (libsystem_pthread.dylib:x86_64+0x6248)
#9 0x7fff7a3aa40c in thread_start (libsystem_pthread.dylib:x86_64+0x240c)

==67162==Register values:
rax = 0x0000100000000000  rbx = 0x000070000c0098e0  rcx = 0x000000010e6ce980  rdx = 0x0000000000000000
rdi = 0x000000011171d810  rsi = 0x000070000c009848  rbp = 0x000070000c009970  rsp = 0x000070000c0098a0
r8 = 0x00000001124668b0   r9 = 0x0000000112466890  r10 = 0x0000000112466870  r11 = 0x00007fffb0a4a040
r12 = 0x0000000000000000  r13 = 0x000061e000003e08  r14 = 0x0000100000000000  r15 = 0x00001c0c000010f5
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV JSContext.h:197 in js::GlobalHelperThreadState::getFirstUnusedContext(js::AutoLockHelperThreadState&)
Thread T5 created by T0 here:
#0 0x11162b02d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5402d)
#1 0x10bd0bc64 in js::Thread::create(void* (*)(void*), void*) Thread.cpp:97
#2 0x10aee16a3 in bool js::Thread::init<void (&)(void*), js::HelperThread*>(void (&&&)(void*), js::HelperThread*&&) Thread.h:124
#3 0x10aecf4dc in js::GlobalHelperThreadState::ensureInitialized() HelperThreads.cpp:1147
#4 0x10b294e8b in JSRuntime::init(JSContext*, unsigned int, unsigned int) Runtime.cpp:201
#5 0x10afbd973 in js::NewContext(unsigned int, unsigned int, JSRuntime*) JSContext.cpp:167
#6 0x10a81cf23 in main js.cpp:11265
#7 0x7fff7a1b73d4 in start (libdyld.dylib:x86_64+0x163d4)

==67162==ABORTING

abort() called

Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	0x00007fff7a2eef06 __psynch_mutexwait + 10
1   libsystem_pthread.dylib       	0x00007fff7a3abd52 _pthread_mutex_firstfit_lock_wait + 96
2   libsystem_pthread.dylib       	0x00007fff7a3a94cd _pthread_mutex_firstfit_lock_slow + 222
3   js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010a932e52 mozilla::detail::MutexImpl::lock() + 290 (Mutex_posix.cpp:125)
4   js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010bd0849f js::Mutex::lock() + 383 (Mutex.cpp:55)
5   js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010d022c89 js::jit::Compile(JSContext*, JS::Handle<JSScript*>, js::jit::BaselineFrame*, unsigned char*, bool) + 10569 (GuardObjects.h:104)
6   js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010d025e30 js::jit::IonCompileScriptForBaseline(JSContext*, js::jit::BaselineFrame*, unsigned char*) + 2528 (Ion.cpp:2301)
7   ???                           	0x000020000003dd49 0 + 35184372342089
8   ???                           	0x0000200000030a64 0 + 35184372288100
9   js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010d25cc12 js::jit::MaybeEnterJit(JSContext*, js::RunState&) + 4178 (Jit.cpp:109)
10  js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010a9dbcee js::RunScript(JSContext*, js::RunState&) + 1342 (Interpreter.cpp:411)
11  js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010aa25b64 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) + 1700 (Interpreter.cpp:568)
12  js-dbg-64-dm-asan-darwin-x86_64-b0124f065629	0x000000010c9e361f js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) + 5343 (BaselineIC.cpp:3208)
13  ???                           	0x00002000000393e3 0 + 35184372323299
14  ???                           	0x000062100028b640 0 + 107820861666880
15  ???                           	0x0000200000030a64 0 + 35184372288100
/snip

gets parsed to:

{
  "symptoms": [
    {
      "src": "stderr", 
      "type": "output", 
      "value": "/Hit MOZ_CRASH\\(Expected available JSContext\\) at ([a-zA-Z]:)?/.+/HelperThreads\\.cpp(:[0-9]+)+/"
    }, 
    {
      "type": "stackFrames", 
      "functionNames": [
        "__pthread_kill", 
        "pthread_kill", 
        "abort", 
        "__sanitizer::Abort", 
        "__sanitizer::Die", 
        "__asan::ScopedInErrorReport::~ScopedInErrorReport", 
        "__asan::ReportDeadlySignal", 
        "__asan::AsanOnDeadlySignal"
      ]
    }, 
    {
      "type": "crashAddress", 
      "address": "< 0x100"
    }
  ]
}

Instead, I feel it should be parsed under this stack:

Application Specific Information:
dyld2 mode
=================================================================
==67162==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010aed64e4 bp 0x70000c009970 sp 0x70000c0098a0 T5)
==67162==The signal is caused by a WRITE memory access.
==67162==Hint: address points to the zero page.
#0 0x10aed64e3 in js::GlobalHelperThreadState::getFirstUnusedContext(js::AutoLockHelperThreadState&) JSContext.h:197
#1 0x10aed5ccf in js::AutoSetHelperThreadContext::AutoSetHelperThreadContext() HelperThreads.cpp:475
#2 0x10d067a55 in js::jit::IonBuilder::runTask() IonBuilder.cpp:1146
#3 0x10aef77f7 in js::HelperThread::handleIonWorkload(js::AutoLockHelperThreadState&) HelperThreads.cpp:2180
/snip

mac-asan-full-log.txt

nth10sd, Aug 01 '19 20:08

To me this looks like multiple things (output from ASan and output from Mac Crash Handler?) are mixed together. ASan is outputting its trace in one piece on stderr; there should not be any other data in between.

choller, Aug 01 '19 20:08
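The following is an added example (not FuzzManager/CrashManager code, and not code from either participant) showing the extraction step the two comments describe: because ASan writes its report as one contiguous block delimited by `==PID==ERROR: AddressSanitizer:` and `==PID==ABORTING`, a parser can lift that block out of the surrounding macOS crash-handler text and take the first run of `#N 0x... in ...` frames as the crash stack, ignoring the crash handler's own `0   libsystem_kernel.dylib ...` frames and the secondary "Thread T5 created by T0 here:" stack. The sample input is a trimmed excerpt of the log in this issue; the `short_name` helper that strips parameter lists while keeping template arguments is an assumption about what a useful function-name symptom looks like, not CrashManager's actual rule.

```python
"""Pull the embedded AddressSanitizer report out of a macOS crash-report
text and parse its primary stack.  Added example for this issue; not
FuzzManager code."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ASAN_HEADER = re.compile(r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<what>.+)$")
ASAN_FOOTER = re.compile(r"^==(?P<pid>\d+)==ABORTING$")
# ASan frames: "#N 0xADDR in <symbol> <location>".  Mac crash-handler frames
# ("0   libsystem_kernel.dylib  0x... sym + 10") do not start with '#'.
FRAME = re.compile(r"^\s*#(?P<no>\d+)\s+0x[0-9a-fA-F]+\s+in\s+(?P<rest>.+)$")
# A trailing location is either "file.cpp:123" or "(module:arch+0xoff)".
LOCATION = re.compile(r"^(?:\S+:\d+|\(.+\))$")


@dataclass
class Frame:
    index: int
    function: str            # full signature as printed by ASan
    location: Optional[str]  # file:line or (module+offset), if present


@dataclass
class AsanReport:
    pid: int
    description: str
    frames: List[Frame] = field(default_factory=list)
    summary: Optional[str] = None
    frames_closed: bool = False  # set once the primary stack has ended


def short_name(signature: str) -> str:
    """Drop the parameter list but keep template arguments (assumed rule):
    track '<' depth so the '(' inside 'Foo<void (&)(void*)>::bar(...)'
    does not end the name early."""
    depth = 0
    for i, ch in enumerate(signature):
        if ch == "<":
            depth += 1
        elif ch == ">":
            depth -= 1
        elif ch == "(" and depth == 0:
            return signature[:i]
    return signature


def parse_frame(line: str) -> Optional[Frame]:
    """Parse one ASan frame line; returns None for anything else."""
    m = FRAME.match(line)
    if not m:
        return None
    rest = m.group("rest").rstrip()
    func, loc = rest, None
    head, sep, tail = rest.rpartition(" ")
    if sep and LOCATION.match(tail):   # last token looks like a location
        func, loc = head, tail
    return Frame(int(m.group("no")), func, loc)


def extract_asan_report(text: str) -> Optional[AsanReport]:
    """Return the first ASan report embedded anywhere in `text`, or None.
    Only the first contiguous run of frames after the header is kept as
    the crash stack; the 'Thread T5 created by T0 here:' stack is skipped."""
    report = None
    for line in text.splitlines():
        if report is None:
            m = ASAN_HEADER.match(line)
            if m:
                report = AsanReport(int(m.group("pid")), m.group("what"))
            continue
        m = ASAN_FOOTER.match(line)
        if m and int(m.group("pid")) == report.pid:
            return report
        if line.startswith("SUMMARY: AddressSanitizer:"):
            report.summary = line
            continue
        frame = parse_frame(line)
        if frame is not None and not report.frames_closed:
            report.frames.append(frame)
        elif report.frames:
            report.frames_closed = True  # first non-frame line ends the stack
    return report  # no footer (truncated log): return what was collected


def function_names(report: AsanReport) -> List[str]:
    """Stack-frame symptom candidates, in the spirit of CrashManager's
    functionNames list (assumed shape)."""
    return [short_name(f.function) for f in report.frames]


# Trimmed excerpt of the issue's log (constructed from the lines above).
SAMPLE_LOG = """\
Crashed Thread:        4  JS Helper

Application Specific Information:
dyld2 mode
=================================================================
==67162==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00010aed64e4 bp 0x70000c009970 sp 0x70000c0098a0 T5)
==67162==The signal is caused by a WRITE memory access.
==67162==Hint: address points to the zero page.
    #0 0x10aed64e3 in js::GlobalHelperThreadState::getFirstUnusedContext(js::AutoLockHelperThreadState&) JSContext.h:197
    #1 0x10aed5ccf in js::AutoSetHelperThreadContext::AutoSetHelperThreadContext() HelperThreads.cpp:475
    #2 0x10d067a55 in js::jit::IonBuilder::runTask() IonBuilder.cpp:1146
    #3 0x10aef77f7 in js::HelperThread::handleIonWorkload(js::AutoLockHelperThreadState&) HelperThreads.cpp:2180

==67162==Register values:
rax = 0x0000100000000000  rbx = 0x000070000c0098e0
SUMMARY: AddressSanitizer: SEGV JSContext.h:197 in js::GlobalHelperThreadState::getFirstUnusedContext(js::AutoLockHelperThreadState&)
Thread T5 created by T0 here:
    #0 0x11162b02d in wrap_pthread_create (libclang_rt.asan_osx_dynamic.dylib:x86_64h+0x5402d)
    #1 0x10bd0bc64 in js::Thread::create(void* (*)(void*), void*) Thread.cpp:97

==67162==ABORTING

abort() called

Thread 0:: Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib          0x00007fff7a2eef06 __psynch_mutexwait + 10
"""

if __name__ == "__main__":
    rep = extract_asan_report(SAMPLE_LOG)
    print(rep.pid, rep.description)
    for f in rep.frames:
        print(f"#{f.index} {short_name(f.function)} {f.location}")
```

Matching the footer's PID against the header's PID keeps a second process's ASan output (a forked child, for instance) from closing the wrong block, and returning a partial report when no footer is found means a log truncated by the crash handler still yields the frames that were captured.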