Bug 1527652 Comment 0 Edit History
I observed a use-after-free bug with Firefox ASAN builds. Unfortunately I don't have much more than a stack trace. The following 5 webpages were opened when it happened:

- onlybooks.org
- circle.page
- donsat.com.ua
- finkenbusch.de
- nfsplanet.com

But I was unable to reproduce the issue a second time.

Trying to make sense of the stack trace, the last part where the trace for the access matches the trace for the free is in:
https://hg.mozilla.org/mozilla-central/file/tip/dom/cache/StreamControl.cpp

and it points to these lines:

```
while (iter.HasMore()) {
  iter.GetNext()->CloseStream();
}
```

It doesn't look immediately suspicious.

Stack trace:

```
==23313==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080003a70e0 at pc 0x7fb253bd5a8f bp 0x7fb2396a5bf0 sp 0x7fb2396a5be8
READ of size 8 at 0x6080003a70e0 thread T30 (IPDL Background)
    #0 0x7fb253bd5a8e in Length /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:344:37
    #1 0x7fb253bd5a8e in Length /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTObserverArray.h:84
    #2 0x7fb253bd5a8e in HasMore /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTObserverArray.h:318
    #3 0x7fb253bd5a8e in mozilla::dom::cache::StreamControl::CloseAllReadStreams() /builds/worker/workspace/build/src/dom/cache/StreamControl.cpp:61
    #4 0x7fb253b7dd16 in NotifyCloseAll /builds/worker/workspace/build/src/dom/cache/CacheStreamControlParent.cpp:163:3
    #5 0x7fb253b7dd16 in mozilla::dom::cache::CacheStreamControlParent::CloseAll() /builds/worker/workspace/build/src/dom/cache/CacheStreamControlParent.cpp:143
    #6 0x7fb253b85861 in mozilla::dom::cache::Context::CancelAll() /builds/worker/workspace/build/src/dom/cache/Context.cpp:814:23
    #7 0x7fb253bcccc5 in mozilla::dom::cache::Manager::Shutdown() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:1906:14
    #8 0x7fb253bc2883 in mozilla::dom::cache::Manager::Factory::ShutdownAll() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:317:18
    #9 0x7fb253bc23da in mozilla::dom::cache::Manager::ShutdownAll() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:1524:3
    #10 0x7fb2552403e9 in mozilla::dom::quota::QuotaManager::Shutdown() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3265:22
    #11 0x7fb25524004b in mozilla::dom::quota::QuotaManager::ShutdownRunnable::Run() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:2473:19
    #12 0x7fb24dfb7836 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #13 0x7fb24dfbda58 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #14 0x7fb24ef6c19a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #15 0x7fb24eeb2d7f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #16 0x7fb24eeb2d7f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #17 0x7fb24eeb2d7f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #18 0x7fb24dfb19ea in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #19 0x7fb2660cb666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7fb2692be163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)
    #21 0x7fb268ea3dee in clone (/lib/x86_64-linux-gnu/libc.so.6+0x11adee)

0x6080003a70e0 is located 64 bytes inside of 96-byte region [0x6080003a70a0,0x6080003a7100)
freed by thread T30 (IPDL Background) here:
    #0 0x559b8dbba5d2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fb24ef0a80b in mozilla::ipc::BackgroundParentImpl::DeallocPCacheStreamControlParent(mozilla::dom::cache::PCacheStreamControlParent*) /builds/worker/workspace/build/src/ipc/glue/BackgroundParentImpl.cpp:904:3
    #2 0x7fb24f78c615 in mozilla::ipc::PBackgroundParent::RemoveManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp
    #3 0x7fb24f886cbf in mozilla::dom::cache::PCacheStreamControlParent::Send__delete__(mozilla::dom::cache::PCacheStreamControlParent*) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCacheStreamControlParent.cpp:117:12
    #4 0x7fb253bd2564 in NoteClosed /builds/worker/workspace/build/src/dom/cache/StreamControl.cpp:29:3
    #5 0x7fb253bd2564 in NoteClosedOnOwningThread /builds/worker/workspace/build/src/dom/cache/ReadStream.cpp:399
    #6 0x7fb253bd2564 in mozilla::dom::cache::ReadStream::Inner::NoteClosed() /builds/worker/workspace/build/src/dom/cache/ReadStream.cpp:363
    #7 0x7fb253bd5941 in mozilla::dom::cache::StreamControl::CloseAllReadStreams() /builds/worker/workspace/build/src/dom/cache/StreamControl.cpp:62:21
    #8 0x7fb253b7dd16 in NotifyCloseAll /builds/worker/workspace/build/src/dom/cache/CacheStreamControlParent.cpp:163:3
    #9 0x7fb253b7dd16 in mozilla::dom::cache::CacheStreamControlParent::CloseAll() /builds/worker/workspace/build/src/dom/cache/CacheStreamControlParent.cpp:143
    #10 0x7fb253b85861 in mozilla::dom::cache::Context::CancelAll() /builds/worker/workspace/build/src/dom/cache/Context.cpp:814:23
    #11 0x7fb253bcccc5 in mozilla::dom::cache::Manager::Shutdown() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:1906:14
    #12 0x7fb253bc2883 in mozilla::dom::cache::Manager::Factory::ShutdownAll() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:317:18
    #13 0x7fb253bc23da in mozilla::dom::cache::Manager::ShutdownAll() /builds/worker/workspace/build/src/dom/cache/Manager.cpp:1524:3
    #14 0x7fb2552403e9 in mozilla::dom::quota::QuotaManager::Shutdown() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3265:22
    #15 0x7fb25524004b in mozilla::dom::quota::QuotaManager::ShutdownRunnable::Run() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:2473:19
    #16 0x7fb24dfb7836 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #17 0x7fb24dfbda58 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #18 0x7fb24ef6c19a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #19 0x7fb24eeb2d7f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #20 0x7fb24eeb2d7f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #21 0x7fb24eeb2d7f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #22 0x7fb24dfb19ea in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #23 0x7fb2660cb666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #24 0x7fb2692be163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)

previously allocated by thread T30 (IPDL Background) here:
    #0 0x559b8dbba953 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x559b8dbef17d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7fb253b5f031 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7fb253b5f031 in mozilla::dom::cache::AutoParentOpResult::SerializeReadStream(nsID const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheReadStream*) /builds/worker/workspace/build/src/dom/cache/AutoUtils.cpp:501
    #4 0x7fb253b5da8c in mozilla::dom::cache::AutoParentOpResult::SerializeResponseBody(mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheResponse*) /builds/worker/workspace/build/src/dom/cache/AutoUtils.cpp:485:3
    #5 0x7fb253b70dc0 in mozilla::dom::cache::CacheOpParent::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, long, nsTArray<mozilla::dom::cache::SavedResponse> const&, nsTArray<mozilla::dom::cache::SavedRequest> const&, mozilla::dom::cache::StreamList*) /builds/worker/workspace/build/src/dom/cache/CacheOpParent.cpp:177:12
    #6 0x7fb253bc0f62 in mozilla::dom::cache::Manager::Listener::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*) /builds/worker/workspace/build/src/dom/cache/Manager.cpp:1489:3
    #7 0x7fb253be68b3 in mozilla::dom::cache::Manager::CacheMatchAction::Complete(mozilla::dom::cache::Manager::Listener*, mozilla::ErrorResult&&) /builds/worker/workspace/build/src/dom/cache/Manager.cpp:557:18
    #8 0x7fb253be5a58 in mozilla::dom::cache::Manager::BaseAction::CompleteOnInitiatingThread(nsresult) /builds/worker/workspace/build/src/dom/cache/Manager.cpp:436:7
    #9 0x7fb253b8304f in mozilla::dom::cache::Context::ActionRunnable::Run() /builds/worker/workspace/build/src/dom/cache/Context.cpp:645:16
    #10 0x7fb24dfb7836 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #11 0x7fb24dfbda58 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #12 0x7fb2556e7821 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16106:3)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #13 0x7fb2556e7821 in mozilla::dom::indexedDB::(anonymous namespace)::QuotaClient::ShutdownWorkThreads() /builds/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:16106
    #14 0x7fb2552403e9 in mozilla::dom::quota::QuotaManager::Shutdown() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:3265:22
    #15 0x7fb25524004b in mozilla::dom::quota::QuotaManager::ShutdownRunnable::Run() /builds/worker/workspace/build/src/dom/quota/ActorsParent.cpp:2473:19
    #16 0x7fb24dfb7836 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1162:14
    #17 0x7fb24dfbda58 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:474:10
    #18 0x7fb24ef6c19a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
    #19 0x7fb24eeb2d7f in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #20 0x7fb24eeb2d7f in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #21 0x7fb24eeb2d7f in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #22 0x7fb24dfb19ea in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:449:11
    #23 0x7fb2660cb666 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #24 0x7fb2692be163 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8163)

Thread T30 (IPDL Background) created by T0 here:
    #0 0x559b8dba326d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fb2660c8395 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7fb2660c7f7e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7fb24dfb3ce9 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:655:8
    #4 0x7fb24dfbcba0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:414:12
    #5 0x7fb24dfc0769 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:127:57
    #6 0x7fb24ef34e89 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7fb24ef34e89 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:944
    #8 0x7fb24ef0e867 in CreateActorForSameProcess /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:854:32
    #9 0x7fb24ef0e867 in GetOrCreateForCurrentThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1456
    #10 0x7fb24ef0e867 in mozilla::ipc::BackgroundChild::GetOrCreateForCurrentThread(nsIEventTarget*) /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:658
    #11 0x7fb2540da6a1 in mozilla::dom::ClientManager::ClientManager() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:51:7
    #12 0x7fb2540dce40 in mozilla::dom::ClientManager::GetOrCreateForCurrentThread() /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:205:14
    #13 0x7fb2540d227d in mozilla::dom::ClientManager::CreateSource(mozilla::dom::ClientType, nsISerialEventTarget*, nsIPrincipal*) /builds/worker/workspace/build/src/dom/clients/manager/ClientManager.cpp:261:31
    #14 0x7fb2598a5adf in nsDocShell::MaybeCreateInitialClientSource(nsIPrincipal*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:2435:26
    #15 0x7fb2598dfaf5 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7091:5
    #16 0x7fb259960d4a in nsWebShellWindow::Initialize(nsIXULWindow*, nsIXULWindow*, nsIURI*, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWidgetInitData&) /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:233:21
    #17 0x7fb25995b2e9 in nsAppShellService::JustCreateTopWindow(nsIXULWindow*, nsIURI*, unsigned int, int, int, bool, nsITabParent*, mozIDOMWindowProxy*, nsWebShellWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:667:25
    #18 0x7fb25995a5e4 in nsAppShellService::CreateHiddenWindowHelper(bool) /builds/worker/workspace/build/src/xpfe/appshell/nsAppShellService.cpp:130:7
    #19 0x7fb25a19a4bf in nsAppStartup::CreateHiddenWindow() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:238:27
    #20 0x7fb25a3f8140 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4592:22
    #21 0x7fb25a3fa6b4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4839:8
    #22 0x7fb25a3fc1e0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4923:21
    #23 0x559b8dbed1ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:214:22
    #24 0x559b8dbed1ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:293
    #25 0x7fb268dad09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:344:37 in Length
Shadow bytes around the buggy address:
  0x0c108006cdc0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108006cdd0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c108006cde0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c108006cdf0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108006ce00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
=>0x0c108006ce10: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c108006ce20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c108006ce30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c108006ce40: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108006ce50: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c108006ce60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==23313==ABORTING
```
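What the two stacks in the report line up to say is that the free happens from inside the loop's own callee: CloseAllReadStreams (StreamControl.cpp:62) calls into the stream, the stream's NoteClosed calls back into StreamControl::NoteClosed (StreamControl.cpp:29), and that reaches Send__delete__ and DeallocPCacheStreamControlParent, which frees the 96-byte parent object. Back in the loop, HasMore (StreamControl.cpp:61) then reads the observer array that lives inside the object just freed. The following C++ model is an added illustration of that shape, written for this page; it is not Mozilla code and not a confirmed diagnosis of this bug. All names (Registry, Owner, Stream, CloseAllUnsafe, CloseAllSafe, MakeOwner) are hypothetical: Registry stands in for the IPDL actor table holding the only strong reference to the parent actor, and Owner::NoteClosed for a StreamControl::NoteClosed that asks for its own teardown once its list is empty.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

// Constructed model (added example, not Mozilla code; all names hypothetical):
// an owner iterates its list of streams and closes each; closing the last stream
// re-enters the owner, which has itself deallocated from under the loop.

struct Owner;

struct Registry {
  std::vector<std::shared_ptr<Owner>> owners;
  void Dealloc(Owner* o);  // drops the registry's reference; may destroy *o
};

struct Stream {
  Owner* owner;
  bool closed = false;
  explicit Stream(Owner* o) : owner(o) {}
  void Close();
};

struct Owner {
  Registry* registry;
  std::vector<std::shared_ptr<Stream>> streams;
  explicit Owner(Registry* r) : registry(r) {}

  // Re-entered from inside the close loop: remove the stream, and if it was the
  // last one, request our own deallocation (Send__delete__ in the trace).
  void NoteClosed(Stream* s) {
    for (size_t i = 0; i < streams.size(); ++i) {
      if (streams[i].get() == s) {
        streams.erase(streams.begin() + i);
        break;
      }
    }
    if (streams.empty()) {
      registry->Dealloc(this);  // may destroy *this; no member access after this
    }
  }
};

void Registry::Dealloc(Owner* o) {
  for (size_t i = 0; i < owners.size(); ++i) {
    if (owners[i].get() == o) {
      owners.erase(owners.begin() + i);  // last strong ref gone: ~Owner runs here
      return;
    }
  }
}

void Stream::Close() {
  if (closed) return;
  closed = true;
  owner->NoteClosed(this);
}

// The loop shape from the trace: each iteration re-reads the owner's member list
// through a raw pointer, so once NoteClosed has deallocated the owner the loop
// condition itself reads freed memory (HasMore -> Length in the report). The
// weak_ptr check after each Close() plays ASan's role here: it reports the dead
// owner instead of dereferencing it.
std::string CloseAllUnsafe(std::weak_ptr<Owner> alive) {
  Owner* self = alive.lock().get();  // raw, non-owning pointer, like `this`
  if (!self) return "already gone";
  while (!self->streams.empty()) {
    std::shared_ptr<Stream> s = self->streams.front();  // keeps the stream alive
    s->Close();                                          // may destroy *self
    if (alive.expired()) {
      return "owner destroyed inside loop";  // next self->streams read would be a UAF
    }
  }
  return "ok";
}

// Fix shape: a local strong reference for the whole loop. Close() may still drop
// the registry's reference, but the owner now outlives the loop and is destroyed
// only when keepAlive goes out of scope, after the last member access.
std::string CloseAllSafe(std::weak_ptr<Owner> alive) {
  std::shared_ptr<Owner> keepAlive = alive.lock();
  if (!keepAlive) return "already gone";
  while (!keepAlive->streams.empty()) {
    std::shared_ptr<Stream> s = keepAlive->streams.front();
    s->Close();
  }
  return "ok";
}

// Builds one owner with n streams; the registry holds the only strong reference.
std::weak_ptr<Owner> MakeOwner(Registry& reg, int n) {
  std::shared_ptr<Owner> owner = std::make_shared<Owner>(&reg);
  for (int i = 0; i < n; ++i) {
    owner->streams.push_back(std::make_shared<Stream>(owner.get()));
  }
  reg.owners.push_back(owner);
  return owner;
}

int main() {
  Registry reg;
  std::weak_ptr<Owner> a = MakeOwner(reg, 2);
  std::printf("unsafe loop: %s\n", CloseAllUnsafe(a).c_str());
  std::weak_ptr<Owner> b = MakeOwner(reg, 2);
  std::printf("safe loop: %s, owner gone afterwards: %s\n", CloseAllSafe(b).c_str(),
              b.expired() ? "yes" : "no");
  return 0;
}
```

The model reproduces why the loop looks innocent: nothing in `while (iter.HasMore())` frees anything, the free is two calls down in the callee, and the member array being iterated is inside the freed object. The defensive pattern in CloseAllSafe is the one to look for in a fix: a strong reference held across any loop whose body can re-enter the owner (or, equivalently, moving the list out of the member before iterating it).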