Closed
https://circleci.com/gh/harfbuzz/harfbuzz/37738
https://circleci.com/gh/harfbuzz/harfbuzz/37734
https://circleci.com/gh/harfbuzz/harfbuzz/37740
ASan gives a good clue, I guess.
Running tests in ./tests/MORX-34.tests
../../../../util/hb-shape fonts/TestMORXThirtyfour.ttf --shaper=ot --unicodes U+0068,U+0061
=================================================================
==49097==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000009d0 at pc 0x7fe8d03baea0 bp 0x7ffe2aa9f790 sp 0x7ffe2aa9f788
READ of size 4 at 0x6160000009d0 thread T0
#0 0x7fe8d03bae9f in void AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>::drive<AAT::InsertionSubtable::driver_context_t>(AAT::InsertionSubtable::driver_context_t*) /root/project/src/./hb-aat-layout-common.hh:559
#1 0x7fe8d03bae9f in ?? ??:0
#2 0x7fe8d03ba484 in AAT::InsertionSubtable::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:696
#3 0x7fe8d03ba484 in ?? ??:0
#4 0x7fe8d03b4f01 in AAT::hb_aat_apply_context_t::return_t AAT::ChainSubtable::dispatch<AAT::hb_aat_apply_context_t>(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:784
#5 0x7fe8d03b4f01 in ?? ??:0
#6 0x7fe8d03b4a60 in AAT::Chain::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:887
#7 0x7fe8d03b4a60 in ?? ??:0
#8 0x7fe8d03aef3a in AAT::morx::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:960
#9 0x7fe8d03aef3a in ?? ??:0
#10 0x7fe8d03ae67e in hb_aat_layout_substitute(hb_font_t*, hb_buffer_t*) /root/project/src/hb-aat-layout.cc:71
#11 0x7fe8d03ae67e in ?? ??:0
#12 0x7fe8d0428ccc in hb_ot_shape_internal(hb_ot_shape_context_t*) /root/project/src/hb-ot-shape.cc:917
#13 0x7fe8d0428ccc in ?? ??:0
#14 0x7fe8d042884c in _hb_ot_shape /root/project/src/hb-ot-shape.cc:945
#15 0x7fe8d042884c in ?? ??:0
#16 0x7fe8d03aa36a in hb_shape_plan_execute /root/project/src/./hb-shaper-list.hh:43
#17 0x7fe8d03aa36a in ?? ??:0
#18 0x7fe8d03a92a8 in hb_shape_full /root/project/src/hb-shape.cc:141
#19 0x7fe8d03a92a8 in ?? ??:0
#20 0x52eeec in shape_options_t::shape(hb_font_t*, hb_buffer_t*, char const**) /root/project/util/./options.hh:238
#21 0x52eeec in ?? ??:0
#22 0x52e27f in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:67
#23 0x52e27f in ?? ??:0
#24 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
#25 0x52cef6 in ?? ??:0
#26 0x52c7b5 in main /root/project/util/hb-shape.cc:164
#27 0x52c7b5 in ?? ??:0
#28 0x7fe8cfa5a09a in __libc_start_main ??:?
#29 0x7fe8cfa5a09a in ?? ??:0
#30 0x41d8c9 in _start ??:?
#31 0x41d8c9 in ?? ??:0
0x6160000009d0 is located 80 bytes inside of 640-byte region [0x616000000980,0x616000000c00)
freed by thread T0 here:
#0 0x4ed4d6 in realloc ??:?
#1 0x4ed4d6 in ?? ??:0
#2 0x7fe8d037bb26 in hb_buffer_t::enlarge(unsigned int) /root/project/src/hb-buffer.cc:138
#3 0x7fe8d037bb26 in ?? ??:0
#4 0x7fe8d037bdae in hb_buffer_t::make_room_for(unsigned int, unsigned int) /root/project/src/hb-buffer.cc:161
#5 0x7fe8d037bdae in ?? ??:0
#6 0x7fe8d03bb88b in hb_buffer_t::output_glyph(unsigned int) /root/project/src/./hb-buffer.hh:229
#7 0x7fe8d03bb88b in ?? ??:0
#8 0x7fe8d03bb592 in AAT::InsertionSubtable::driver_context_t::transition(AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>*, AAT::Entry<AAT::InsertionSubtable::EntryData> const*) /root/project/src/./hb-aat-layout-morx-table.hh:651
#9 0x7fe8d03bb592 in ?? ??:0
#10 0x7fe8d03baaad in void AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>::drive<AAT::InsertionSubtable::driver_context_t>(AAT::InsertionSubtable::driver_context_t*) /root/project/src/./hb-aat-layout-common.hh:585
#11 0x7fe8d03baaad in ?? ??:0
#12 0x7fe8d03ba484 in AAT::InsertionSubtable::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:696
#13 0x7fe8d03ba484 in ?? ??:0
#14 0x7fe8d03b4f01 in AAT::hb_aat_apply_context_t::return_t AAT::ChainSubtable::dispatch<AAT::hb_aat_apply_context_t>(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:784
#15 0x7fe8d03b4f01 in ?? ??:0
#16 0x7fe8d03b4a60 in AAT::Chain::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:887
#17 0x7fe8d03b4a60 in ?? ??:0
#18 0x7fe8d03aef3a in AAT::morx::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:960
#19 0x7fe8d03aef3a in ?? ??:0
#20 0x7fe8d03ae67e in hb_aat_layout_substitute(hb_font_t*, hb_buffer_t*) /root/project/src/hb-aat-layout.cc:71
#21 0x7fe8d03ae67e in ?? ??:0
#22 0x7fe8d0428ccc in hb_ot_shape_internal(hb_ot_shape_context_t*) /root/project/src/hb-ot-shape.cc:917
#23 0x7fe8d0428ccc in ?? ??:0
#24 0x7fe8d042884c in _hb_ot_shape /root/project/src/hb-ot-shape.cc:945
#25 0x7fe8d042884c in ?? ??:0
#26 0x7fe8d03aa36a in hb_shape_plan_execute /root/project/src/./hb-shaper-list.hh:43
#27 0x7fe8d03aa36a in ?? ??:0
#28 0x7fe8d03a92a8 in hb_shape_full /root/project/src/hb-shape.cc:141
#29 0x7fe8d03a92a8 in ?? ??:0
#30 0x52eeec in shape_options_t::shape(hb_font_t*, hb_buffer_t*, char const**) /root/project/util/./options.hh:238
#31 0x52eeec in ?? ??:0
#32 0x52e27f in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:67
#33 0x52e27f in ?? ??:0
#34 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
#35 0x52cef6 in ?? ??:0
#36 0x52c7b5 in main /root/project/util/hb-shape.cc:164
#37 0x52c7b5 in ?? ??:0
#38 0x7fe8cfa5a09a in __libc_start_main ??:?
#39 0x7fe8cfa5a09a in ?? ??:0
previously allocated by thread T0 here:
#0 0x4ed4d6 in realloc ??:?
#1 0x4ed4d6 in ?? ??:0
#2 0x7fe8d037bb02 in hb_buffer_t::enlarge(unsigned int) /root/project/src/hb-buffer.cc:137
#3 0x7fe8d037bb02 in ?? ??:0
#4 0x7fe8d037c6b2 in hb_buffer_t::add(unsigned int, unsigned int) /root/project/src/hb-buffer.cc:260
#5 0x7fe8d037c6b2 in ?? ??:0
#6 0x7fe8d0380363 in void hb_buffer_add_utf<hb_utf8_t>(hb_buffer_t*, hb_utf8_t::codepoint_t const*, int, unsigned int, int) /root/project/src/hb-buffer.cc:1522
#7 0x7fe8d0380363 in ?? ??:0
#8 0x52ec28 in shape_options_t::populate_buffer(hb_buffer_t*, char const*, int, char const*, char const*) /root/project/util/./options.hh:209
#9 0x52ec28 in ?? ??:0
#10 0x52e20b in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:64
#11 0x52e20b in ?? ??:0
#12 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
#13 0x52cef6 in ?? ??:0
#14 0x52c7b5 in main /root/project/util/hb-shape.cc:164
#15 0x52c7b5 in ?? ??:0
#16 0x7fe8cfa5a09a in __libc_start_main ??:?
#17 0x7fe8cfa5a09a in ?? ??:0
SUMMARY: AddressSanitizer: heap-use-after-free (/root/project/src/.libs/libharfbuzz.so.0+0x5ee9f)
Shadow bytes around the buggy address:
0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2c7fff8110: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c7fff8130: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
0x0c2c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==49097==ABORTING
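The two stacks above tell the story: the READ at hb-aat-layout-common.hh:559 inside StateTableDriver::drive() lands in a 640-byte region that hb_buffer_t::enlarge() had already realloc'd away, and that realloc happened during the transition() call at hb-aat-layout-morx-table.hh:651 (output_glyph -> make_room_for -> enlarge), which drive() itself invoked from line 585. In other words the driver keeps using a pointer into the buffer's glyph array across a transition that can grow the array. The C program below is an added example, not HarfBuzz code; it assumes, consistent with the trace but not shown on this page, that the driver caches the glyph array's base pointer before its loop. gbuf_t, drive(), entry_insert_count() and the three-glyph input are constructed for the illustration. drive(b, 0) models the cached-pointer pattern but stops and returns -1 at the exact point where the real code would read freed memory; drive(b, 1) re-reads the base pointer after every transition, which is the shape of fix this report calls for.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a growable glyph buffer (not hb_buffer_t itself). */
typedef struct {
    uint32_t *info;   /* glyph ids; moves on realloc, like hb_buffer_t::enlarge */
    size_t len, alloc;
    size_t idx;       /* cursor into info, like buffer->idx */
    unsigned gen;     /* bumped on every realloc: any cached base pointer is now stale */
} gbuf_t;

#define INSERTED 0xFFFFu  /* marker glyph written at inserted positions */

static int gbuf_init(gbuf_t *b, const uint32_t *glyphs, size_t n) {
    b->alloc = n ? n : 1;  /* tight allocation so the first insertion must grow */
    b->info = malloc(b->alloc * sizeof *b->info);
    if (!b->info) return 0;
    if (n) memcpy(b->info, glyphs, n * sizeof *glyphs);
    b->len = n; b->idx = 0; b->gen = 0;
    return 1;
}

static void gbuf_free(gbuf_t *b) { free(b->info); memset(b, 0, sizeof *b); }

/* Like make_room_for()/enlarge(): realloc when the array is full. */
static int gbuf_make_room(gbuf_t *b, size_t extra) {
    if (b->len + extra <= b->alloc) return 1;
    size_t n = 2 * (b->len + extra);
    uint32_t *p = realloc(b->info, n * sizeof *p);
    if (!p) return 0;
    b->info = p; b->alloc = n; b->gen++;  /* every old pointer into info is dangling now */
    return 1;
}

/* Insert `count` copies of `g` before the glyph at idx and advance idx past them. */
static int gbuf_insert_before(gbuf_t *b, size_t count, uint32_t g) {
    if (!gbuf_make_room(b, count)) return 0;
    memmove(b->info + b->idx + count, b->info + b->idx, (b->len - b->idx) * sizeof *b->info);
    for (size_t i = 0; i < count; i++) b->info[b->idx + i] = g;
    b->len += count; b->idx += count;
    return 1;
}

/* Toy "state table": glyph 0x61 asks for three insertions before it, others none. */
static size_t entry_insert_count(uint32_t glyph) { return glyph == 0x61 ? 3 : 0; }

/*
 * refetch == 0: cache b->info once before the loop (the hazardous pattern). Rather than
 *               dereference a dangling pointer, return -1 where the stale read would occur.
 * refetch == 1: re-read b->info after every transition (the fix). Returns 1 on success,
 *               0 on allocation failure.
 */
static int drive(gbuf_t *b, int refetch) {
    unsigned gen = b->gen;
    uint32_t *info = b->info;            /* cached base pointer */
    for (b->idx = 0; b->idx < b->len; ) {
        if (refetch) {
            info = b->info;              /* storage may have moved in the last transition */
        } else if (b->gen != gen) {
            return -1;                   /* info[] now points into freed memory */
        }
        uint32_t g = info[b->idx];       /* the read ASan flagged at :559 */
        size_t n = entry_insert_count(g);
        if (n && !gbuf_insert_before(b, n, INSERTED)) return 0;  /* transition; may realloc */
        b->idx++;
    }
    return 1;
}

/* Run the constructed input (glyphs 0x68, 0x61, 0x62) through drive(); copies the
 * resulting glyph array into out (up to 16 entries) when out and out_len are given. */
static int run_example(int refetch, uint32_t out[16], size_t *out_len) {
    static const uint32_t glyphs[] = { 0x68, 0x61, 0x62 };  /* constructed sample input */
    gbuf_t b;
    if (!gbuf_init(&b, glyphs, 3)) return 0;
    int r = drive(&b, refetch);
    if (out && out_len) {
        *out_len = b.len < 16 ? b.len : 16;
        memcpy(out, b.info, *out_len * sizeof *out);
    }
    gbuf_free(&b);
    return r;
}

int main(void) {
    uint32_t out[16]; size_t n = 0;
    printf("cached pointer: drive() returned %d (stale base pointer)\n", run_example(0, NULL, NULL));
    printf("refetch:        drive() returned %d, %zu glyphs:", run_example(1, out, &n), n);
    for (size_t i = 0; i < n; i++) printf(" %04x", out[i]);
    printf("\n");
    return 0;
}
```

The generation counter is only there to make the hazard observable without undefined behaviour; the real detector is ASan, as in the report. The point of the fix is structural: any pointer into the buffer's storage is valid only until the next call that can grow it, so it has to be re-derived from the buffer after each transition rather than hoisted out of the loop.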