asan/msan/tsan fails on morx tests #1225

Closed
ebraminio opened this issue Oct 4, 2018 · 0 comments

https://circleci.com/gh/harfbuzz/harfbuzz/37738
https://circleci.com/gh/harfbuzz/harfbuzz/37734
https://circleci.com/gh/harfbuzz/harfbuzz/37740

asan gives a good clue I guess.

Running tests in ./tests/MORX-34.tests
../../../../util/hb-shape fonts/TestMORXThirtyfour.ttf --shaper=ot  --unicodes U+0068,U+0061
=================================================================
==49097==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000009d0 at pc 0x7fe8d03baea0 bp 0x7ffe2aa9f790 sp 0x7ffe2aa9f788
READ of size 4 at 0x6160000009d0 thread T0
    #0 0x7fe8d03bae9f in void AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>::drive<AAT::InsertionSubtable::driver_context_t>(AAT::InsertionSubtable::driver_context_t*) /root/project/src/./hb-aat-layout-common.hh:559
    #1 0x7fe8d03bae9f in ?? ??:0
    #2 0x7fe8d03ba484 in AAT::InsertionSubtable::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:696
    #3 0x7fe8d03ba484 in ?? ??:0
    #4 0x7fe8d03b4f01 in AAT::hb_aat_apply_context_t::return_t AAT::ChainSubtable::dispatch<AAT::hb_aat_apply_context_t>(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:784
    #5 0x7fe8d03b4f01 in ?? ??:0
    #6 0x7fe8d03b4a60 in AAT::Chain::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:887
    #7 0x7fe8d03b4a60 in ?? ??:0
    #8 0x7fe8d03aef3a in AAT::morx::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:960
    #9 0x7fe8d03aef3a in ?? ??:0
    #10 0x7fe8d03ae67e in hb_aat_layout_substitute(hb_font_t*, hb_buffer_t*) /root/project/src/hb-aat-layout.cc:71
    #11 0x7fe8d03ae67e in ?? ??:0
    #12 0x7fe8d0428ccc in hb_ot_shape_internal(hb_ot_shape_context_t*) /root/project/src/hb-ot-shape.cc:917
    #13 0x7fe8d0428ccc in ?? ??:0
    #14 0x7fe8d042884c in _hb_ot_shape /root/project/src/hb-ot-shape.cc:945
    #15 0x7fe8d042884c in ?? ??:0
    #16 0x7fe8d03aa36a in hb_shape_plan_execute /root/project/src/./hb-shaper-list.hh:43
    #17 0x7fe8d03aa36a in ?? ??:0
    #18 0x7fe8d03a92a8 in hb_shape_full /root/project/src/hb-shape.cc:141
    #19 0x7fe8d03a92a8 in ?? ??:0
    #20 0x52eeec in shape_options_t::shape(hb_font_t*, hb_buffer_t*, char const**) /root/project/util/./options.hh:238
    #21 0x52eeec in ?? ??:0
    #22 0x52e27f in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:67
    #23 0x52e27f in ?? ??:0
    #24 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
    #25 0x52cef6 in ?? ??:0
    #26 0x52c7b5 in main /root/project/util/hb-shape.cc:164
    #27 0x52c7b5 in ?? ??:0
    #28 0x7fe8cfa5a09a in __libc_start_main ??:?
    #29 0x7fe8cfa5a09a in ?? ??:0
    #30 0x41d8c9 in _start ??:?
    #31 0x41d8c9 in ?? ??:0

0x6160000009d0 is located 80 bytes inside of 640-byte region [0x616000000980,0x616000000c00)
freed by thread T0 here:
    #0 0x4ed4d6 in realloc ??:?
    #1 0x4ed4d6 in ?? ??:0
    #2 0x7fe8d037bb26 in hb_buffer_t::enlarge(unsigned int) /root/project/src/hb-buffer.cc:138
    #3 0x7fe8d037bb26 in ?? ??:0
    #4 0x7fe8d037bdae in hb_buffer_t::make_room_for(unsigned int, unsigned int) /root/project/src/hb-buffer.cc:161
    #5 0x7fe8d037bdae in ?? ??:0
    #6 0x7fe8d03bb88b in hb_buffer_t::output_glyph(unsigned int) /root/project/src/./hb-buffer.hh:229
    #7 0x7fe8d03bb88b in ?? ??:0
    #8 0x7fe8d03bb592 in AAT::InsertionSubtable::driver_context_t::transition(AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>*, AAT::Entry<AAT::InsertionSubtable::EntryData> const*) /root/project/src/./hb-aat-layout-morx-table.hh:651
    #9 0x7fe8d03bb592 in ?? ??:0
    #10 0x7fe8d03baaad in void AAT::StateTableDriver<AAT::InsertionSubtable::EntryData>::drive<AAT::InsertionSubtable::driver_context_t>(AAT::InsertionSubtable::driver_context_t*) /root/project/src/./hb-aat-layout-common.hh:585
    #11 0x7fe8d03baaad in ?? ??:0
    #12 0x7fe8d03ba484 in AAT::InsertionSubtable::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:696
    #13 0x7fe8d03ba484 in ?? ??:0
    #14 0x7fe8d03b4f01 in AAT::hb_aat_apply_context_t::return_t AAT::ChainSubtable::dispatch<AAT::hb_aat_apply_context_t>(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:784
    #15 0x7fe8d03b4f01 in ?? ??:0
    #16 0x7fe8d03b4a60 in AAT::Chain::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:887
    #17 0x7fe8d03b4a60 in ?? ??:0
    #18 0x7fe8d03aef3a in AAT::morx::apply(AAT::hb_aat_apply_context_t*) const /root/project/src/./hb-aat-layout-morx-table.hh:960
    #19 0x7fe8d03aef3a in ?? ??:0
    #20 0x7fe8d03ae67e in hb_aat_layout_substitute(hb_font_t*, hb_buffer_t*) /root/project/src/hb-aat-layout.cc:71
    #21 0x7fe8d03ae67e in ?? ??:0
    #22 0x7fe8d0428ccc in hb_ot_shape_internal(hb_ot_shape_context_t*) /root/project/src/hb-ot-shape.cc:917
    #23 0x7fe8d0428ccc in ?? ??:0
    #24 0x7fe8d042884c in _hb_ot_shape /root/project/src/hb-ot-shape.cc:945
    #25 0x7fe8d042884c in ?? ??:0
    #26 0x7fe8d03aa36a in hb_shape_plan_execute /root/project/src/./hb-shaper-list.hh:43
    #27 0x7fe8d03aa36a in ?? ??:0
    #28 0x7fe8d03a92a8 in hb_shape_full /root/project/src/hb-shape.cc:141
    #29 0x7fe8d03a92a8 in ?? ??:0
    #30 0x52eeec in shape_options_t::shape(hb_font_t*, hb_buffer_t*, char const**) /root/project/util/./options.hh:238
    #31 0x52eeec in ?? ??:0
    #32 0x52e27f in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:67
    #33 0x52e27f in ?? ??:0
    #34 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
    #35 0x52cef6 in ?? ??:0
    #36 0x52c7b5 in main /root/project/util/hb-shape.cc:164
    #37 0x52c7b5 in ?? ??:0
    #38 0x7fe8cfa5a09a in __libc_start_main ??:?
    #39 0x7fe8cfa5a09a in ?? ??:0

previously allocated by thread T0 here:
    #0 0x4ed4d6 in realloc ??:?
    #1 0x4ed4d6 in ?? ??:0
    #2 0x7fe8d037bb02 in hb_buffer_t::enlarge(unsigned int) /root/project/src/hb-buffer.cc:137
    #3 0x7fe8d037bb02 in ?? ??:0
    #4 0x7fe8d037c6b2 in hb_buffer_t::add(unsigned int, unsigned int) /root/project/src/hb-buffer.cc:260
    #5 0x7fe8d037c6b2 in ?? ??:0
    #6 0x7fe8d0380363 in void hb_buffer_add_utf<hb_utf8_t>(hb_buffer_t*, hb_utf8_t::codepoint_t const*, int, unsigned int, int) /root/project/src/hb-buffer.cc:1522
    #7 0x7fe8d0380363 in ?? ??:0
    #8 0x52ec28 in shape_options_t::populate_buffer(hb_buffer_t*, char const*, int, char const*, char const*) /root/project/util/./options.hh:209
    #9 0x52ec28 in ?? ??:0
    #10 0x52e20b in shape_consumer_t<output_buffer_t>::consume_line(char const*, unsigned int, char const*, char const*) /root/project/util/./shape-consumer.hh:64
    #11 0x52e20b in ?? ??:0
    #12 0x52cef6 in main_font_text_t<shape_consumer_t<output_buffer_t>, 2147483647, 0>::main(int, char**) /root/project/util/./main-font-text.hh:81
    #13 0x52cef6 in ?? ??:0
    #14 0x52c7b5 in main /root/project/util/hb-shape.cc:164
    #15 0x52c7b5 in ?? ??:0
    #16 0x7fe8cfa5a09a in __libc_start_main ??:?
    #17 0x7fe8cfa5a09a in ?? ??:0

SUMMARY: AddressSanitizer: heap-use-after-free (/root/project/src/.libs/libharfbuzz.so.0+0x5ee9f)
Shadow bytes around the buggy address:
  0x0c2c7fff80e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff80f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c2c7fff8110: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2c7fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2c7fff8130: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
  0x0c2c7fff8140: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fff8150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fff8160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fff8170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2c7fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==49097==ABORTING
behdad closed this as completed in 4831e61 on Oct 5, 2018
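
The two stacks in the report show the READ in `StateTableDriver::drive` touching a block that `realloc` released inside `hb_buffer_t::enlarge`, which was reached from `transition` called by that same `drive`. A constructed C miniature of that pattern follows (an added example, not HarfBuzz code and not the change in 4831e61; all names are hypothetical), with the stale-pointer loop beside a loop that keeps only an index:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed miniature of a growable glyph buffer (hypothetical names). */
typedef struct { uint32_t *info; unsigned len, allocated; } buf_t;
/* Append one glyph; realloc may move the storage and release the old block. */
int buf_append(buf_t *b, uint32_t glyph) {
    if (b->len == b->allocated) {
        unsigned want = b->allocated ? b->allocated * 2 : 2;
        uint32_t *p = realloc(b->info, want * sizeof *p);
        if (!p) return 0;
        b->info = p; b->allocated = want;
    }
    b->info[b->len++] = glyph;
    return 1;
}
/* Stand-in for a state-machine transition: inserts a glyph after odd inputs. */
int transition(buf_t *b, uint32_t glyph) {
    return (glyph & 1) ? buf_append(b, glyph + 100) : 1;
}

/* BEFORE: caches b->info once; after a grow, info[i] reads the freed block. */
uint32_t drive_stale(buf_t *b) {
    uint32_t *info = b->info;
    uint32_t sum = 0;
    for (unsigned i = 0, n = b->len; i < n; i++) {
        if (!transition(b, info[i])) break;
        sum += info[i];               /* heap-use-after-free once realloc moved */
    }
    return sum;
}

/* AFTER: keeps only the index and re-reads b->info on every access. */
uint32_t drive_fresh(buf_t *b) {
    uint32_t sum = 0;
    for (unsigned i = 0, n = b->len; i < n; i++) {
        if (!transition(b, b->info[i])) break;
        sum += b->info[i];
    }
    return sum;
}

int main(void) {
    buf_t b = {0};
    for (uint32_t g = 1; g <= 4; g++) buf_append(&b, g);  /* constructed input */
    uint32_t sum = drive_fresh(&b);
    printf("sum=%u len=%u\n", (unsigned)sum, b.len);
    free(b.info);
}
```

Built with `-fsanitize=address`, swapping `drive_stale` into `main` produces the same class of report, with the free attributed to `realloc`.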