Bug 1586879 Comment 0 Edit History
**Filed by:** dvarga [at] mozilla.com

**Parsed log:** https://treeherder.mozilla.org/logviewer.html#?job_id=270103846&repo=autoland

**Full log:** https://queue.taskcluster.net/v1/task/HnOezCR_TA29_BbChgPvzw/runs/0/artifacts/public/logs/live_backing.log

---

```
==19018==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000148170 at pc 0x7f93b3570ced bp 0x7fff884d8430 sp 0x7fff884d8428
READ of size 8 at 0x602000148170 thread T0 (Web Content)
    #0 0x7f93b3570cec in IPC::Channel::Unsound_IsClosed() const src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:963:10
    #1 0x7f93b3608682 in Unsound_IsClosed src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:305:27
    #2 0x7f93b3608682 in mozilla::ipc::MessageChannel::Clear() src/ipc/glue/MessageChannel.cpp:748
    #3 0x7f93b36074f8 in mozilla::ipc::MessageChannel::~MessageChannel() src/ipc/glue/MessageChannel.cpp:643:3
    #4 0x7f93b362fd88 in mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() src/ipc/glue/ProtocolUtils.cpp:593:1
    #5 0x7f93b971cfed in mozilla::gmp::GMPContentParent::~GMPContentParent() src/dom/media/gmp/GMPContentParent.cpp:35:39
    #6 0x7f93b23998bc in operator() src/xpcom/ds/PLDHashTable.cpp:304:7
    #7 0x7f93b23998bc in ForEachSlot<(lambda at src/xpcom/ds/PLDHashTable.cpp:302:51)> src/obj-firefox/dist/include/PLDHashTable.h:359
    #8 0x7f93b23998bc in ForEachSlot<(lambda at src/xpcom/ds/PLDHashTable.cpp:302:51)> src/obj-firefox/dist/include/PLDHashTable.h:349
    #9 0x7f93b23998bc in PLDHashTable::~PLDHashTable() src/xpcom/ds/PLDHashTable.cpp:302
    #10 0x7f93b976e48e in ~nsTHashtable src/obj-firefox/dist/include/nsTHashtable.h:384:43
    #11 0x7f93b976e48e in ~GMPServiceChild src/dom/media/gmp/GMPServiceChild.cpp:428
    #12 0x7f93b976e48e in mozilla::gmp::GMPServiceChild::~GMPServiceChild() src/dom/media/gmp/GMPServiceChild.cpp:428
    #13 0x7f93b976cb44 in operator() src/obj-firefox/dist/include/mozilla/UniquePtr.h:486:5
    #14 0x7f93b976cb44 in reset src/obj-firefox/dist/include/mozilla/UniquePtr.h:323
    #15 0x7f93b976cb44 in operator= src/obj-firefox/dist/include/mozilla/UniquePtr.h:296
    #16 0x7f93b976cb44 in mozilla::gmp::GeckoMediaPluginServiceChild::Observe(nsISupports*, char const*, char16_t const*) src/dom/media/gmp/GMPServiceChild.cpp:359
    #17 0x7f93b976cc2c in non-virtual thunk to mozilla::gmp::GeckoMediaPluginServiceChild::Observe(nsISupports*, char const*, char16_t const*) src/dom/media/gmp/GMPServiceChild.cpp
    #18 0x7f93b23bd9b1 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverList.cpp:66:19
    #19 0x7f93b23c3645 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverService.cpp:291:19
    #20 0x7f93b255aa6a in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:631:24
    #21 0x7f93beb9271c in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #22 0x7f93b3631b12 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
    #23 0x7f93beb9336a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:773:16
    #24 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #25 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #26 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #27 0x5622b0857dc8 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x46dc8)

0x602000148170 is located 0 bytes inside of 8-byte region [0x602000148170,0x602000148178)
freed by thread T2 (Chrome_~dThread) here:
    #0 0x5622b0903452 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f93b363f181 in operator delete src/obj-firefox/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f93b363f181 in DeleteTask<IPC::Channel>::Run() src/ipc/chromium/src/base/task.h:194
    #3 0x7f93b3542c05 in RunTask src/ipc/chromium/src/base/message_loop.cc:442:9
    #4 0x7f93b3542c05 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:450
    #5 0x7f93b3543d4b in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:523:13
    #6 0x7f93b3546fc0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_libevent.cc:321:31
    #7 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #8 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #9 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #10 0x7f93b355ebbf in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:192:16
    #11 0x7f93b3554e6c in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #12 0x7f93d4c6b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T26 (GMPThread) here:
    #0 0x5622b09037d3 in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5622b0938d9d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f93b36425fd in operator new src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f93b36425fd in MakeUnique<IPC::Channel, const int &, IPC::Channel::Mode &, nullptr_t> src/obj-firefox/dist/include/mozilla/UniquePtr.h:617
    #4 0x7f93b36425fd in mozilla::ipc::OpenDescriptor(mozilla::ipc::TransportDescriptor const&, IPC::Channel::Mode) src/ipc/glue/Transport_posix.cpp:60
    #5 0x7f93b972f806 in mozilla::ipc::Endpoint<mozilla::gmp::PGMPContentParent>::Bind(mozilla::gmp::PGMPContentParent*) src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:776:30
    #6 0x7f93b976e742 in mozilla::gmp::GMPServiceChild::GetBridgedGMPContentParent(int, mozilla::ipc::Endpoint<mozilla::gmp::PGMPContentParent>&&) src/dom/media/gmp/GMPServiceChild.cpp:443:33
    #7 0x7f93b97b8ca6 in mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_8::operator()(mozilla::gmp::GMPServiceChild*) const src/dom/media/gmp/GMPServiceChild.cpp:185:50
    #8 0x7f93b97b7803 in InvokeMethod<(lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7), void ((lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7)::*)(mozilla::gmp::GMPServiceChild *) const, mozilla::gmp::GMPServiceChild *> src/obj-firefox/dist/include/mozilla/MozPromise.h:512:12
    #9 0x7f93b97b7803 in InvokeCallbackMethod<false, (lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7), void ((lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7)::*)(mozilla::gmp::GMPServiceChild *) const, mozilla::gmp::GMPServiceChild *, RefPtr<mozilla::MozPromise<mozilla::gmp::GMPServiceChild *, mozilla::MediaResult, true>::Private> > src/obj-firefox/dist/include/mozilla/MozPromise.h:544
    #10 0x7f93b97b7803 in mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ThenValue<mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_8, mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_9>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ResolveOrRejectValue&) src/obj-firefox/dist/include/mozilla/MozPromise.h:726
    #11 0x7f93b97b6082 in mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() src/obj-firefox/dist/include/mozilla/MozPromise.h:402:21
    #12 0x7f93b24dd942 in mozilla::EventTargetWrapper::Runner::Run() src/xpcom/threads/AbstractThread.cpp:113:25
    #13 0x7f93b2504d39 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #14 0x7f93b250b9a8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f93b362579a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #16 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7f93b24fe5fa in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:458:11
    #20 0x7f93d0ed505d in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #21 0x7f93d4c6b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T2 (Chrome_~dThread) created by T0 (Web Content) here:
    #0 0x5622b08ebdad in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f93b355029c in CreateThread src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f93b355029c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134
    #3 0x7f93b355e2e3 in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f93b3625d17 in mozilla::ipc::ProcessChild::ProcessChild(int) src/ipc/glue/ProcessChild.cpp:24:7
    #5 0x7f93beb9320d in ContentProcess src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:29:51
    #6 0x7f93beb9320d in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:699
    #7 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #8 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #9 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

Thread T26 (GMPThread) created by T0 (Web Content) here:
    #0 0x5622b08ebdad in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f93d0ec7158 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:430:14
    #2 0x7f93d0eb0d3e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:503:12
    #3 0x7f93b2500b29 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:672:8
    #4 0x7f93b250aad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:515:12
    #5 0x7f93b250e8ea in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f93b9763e0c in NS_NewNamedThread<10> src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f93b9763e0c in mozilla::gmp::GeckoMediaPluginService::GetThread(nsIThread**) src/dom/media/gmp/GMPService.cpp:311
    #8 0x7f93b976222f in mozilla::gmp::GeckoMediaPluginService::Init() src/dom/media/gmp/GMPService.cpp:211:10
    #9 0x7f93b97a5931 in mozilla::gmp::GMPServiceCreateHelper::GetOrCreateOnMainThread() src/dom/media/gmp/GMPService.cpp:102:18
    #10 0x7f93b9760667 in mozilla::gmp::GMPServiceCreateHelper::GetOrCreate() src/dom/media/gmp/GMPService.cpp:65:17
    #11 0x7f93b24822ef in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) src/obj-firefox/xpcom/components/StaticComponents.cpp:9230:60
    #12 0x7f93b24b97c2 in CreateInstance src/xpcom/components/nsComponentManager.cpp:224:46
    #13 0x7f93b24b97c2 in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1383
    #14 0x7f93b24ae12b in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1570:10
    #15 0x7f93b24c27e9 in CallGetService src/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #16 0x7f93b24c27e9 in nsGetServiceByContractID::operator()(nsID const&, void**) const src/xpcom/components/nsComponentManagerUtils.cpp:243
    #17 0x7f93b2336ca0 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) src/xpcom/base/nsCOMPtr.cpp:82:7
    #18 0x7f93b9799805 in nsCOMPtr src/obj-firefox/dist/include/nsCOMPtr.h:607:5
    #19 0x7f93b9799805 in mozilla::HaveGMPFor(nsTString<char> const&, nsTArray<nsTString<char> >&&) src/dom/media/gmp/GMPUtils.cpp:179
    #20 0x7f93b9679ffe in mozilla::dom::HavePluginForKeySystem(nsTString<char> const&) src/dom/media/eme/MediaKeySystemAccess.cpp:91:21
    #21 0x7f93b965d1fc in EnsureCDMInstalled src/dom/media/eme/MediaKeySystemAccess.cpp:103:8
    #22 0x7f93b965d1fc in mozilla::dom::MediaKeySystemAccess::GetKeySystemStatus(nsTSubstring<char16_t> const&, nsTSubstring<char>&) src/dom/media/eme/MediaKeySystemAccess.cpp:118
    #23 0x7f93b966d283 in mozilla::dom::MediaKeySystemAccessManager::RequestCallback(bool, mozilla::dom::DetailedPromise*, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::dom::MediaKeySystemAccessManager::RequestType) src/dom/media/eme/MediaKeySystemAccessManager.cpp:169:7
    #24 0x7f93b966c7c1 in mozilla::dom::MediaKeySystemAccessManager::Request(mozilla::dom::DetailedPromise*, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::dom::MediaKeySystemAccessManager::RequestType) src/dom/media/eme/MediaKeySystemAccessManager.cpp:110:5
    #25 0x7f93b5db1a13 in mozilla::dom::Navigator::RequestMediaKeySystemAccess(nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::ErrorResult&) src/dom/base/Navigator.cpp:1801:33
    #26 0x7f93b691b0fb in requestMediaKeySystemAccess src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1897:60
    #27 0x7f93b691b0fb in mozilla::dom::Navigator_Binding::requestMediaKeySystemAccess_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Navigator*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1913
    #28 0x7f93b8643a83 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3250:13
    #29 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #30 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #31 0x7f93bee01350 in CallFromStack src/js/src/vm/Interpreter.cpp:622:10
    #32 0x7f93bee01350 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3111
    #33 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #34 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #35 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #36 0x7f93bf286f49 in js::fun_apply(JSContext*, unsigned int, JS::Value*) src/js/src/vm/JSFunction.cpp:1184:10
    #37 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #38 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #39 0x7f93bee01350 in CallFromStack src/js/src/vm/Interpreter.cpp:622:10
    #40 0x7f93bee01350 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3111
    #41 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #42 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #43 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #44 0x7f93bef5c487 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) src/js/src/builtin/Promise.cpp:2234:15
    #45 0x7f93befa4a5c in PromiseConstructor(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2155:7
    #46 0x7f93bee1d30b in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #47 0x7f93bee1d30b in CallJSNativeConstructor src/js/src/vm/Interpreter.cpp:473
    #48 0x7f93bee1d30b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:662
    #49 0x7f93bee0113d in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3102:16
    #50 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #51 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #52 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #53 0x7f93befb0a3e in Call src/js/src/vm/Interpreter.h:103:10
    #54 0x7f93befb0a3e in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:1701
    #55 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #56 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #57 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #58 0x7f93bf9bf20b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2722:10
    #59 0x7f93b6bcea16 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
    #60 0x7f93b2327f10 in Call src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #61 0x7f93b2327f10 in Call src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
    #62 0x7f93b2327f10 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:245
    #63 0x7f93b23015c1 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:667:17
    #64 0x7f93baa89da4 in LeaveMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:213:7
    #65 0x7f93baa89da4 in ~nsAutoMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:367
    #66 0x7f93baa89da4 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) src/dom/script/ScriptLoader.cpp:2871
    #67 0x7f93baa81ce8 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) src/dom/script/ScriptLoader.cpp:2315:10
    #68 0x7f93baa7e5e4 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) src/dom/script/ScriptLoader.cpp:1864:10
    #69 0x7f93baa56aee in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) src/dom/script/ScriptLoader.cpp:1587:10
    #70 0x7f93baa55dbe in mozilla::dom::ScriptElement::MaybeProcessScript() src/dom/script/ScriptElement.cpp:118:18
    #71 0x7f93b4a7108a in AttemptToExecute src/obj-firefox/dist/include/nsIScriptElement.h:224:18
    #72 0x7f93b4a7108a in nsHtml5TreeOpExecutor::RunScript(nsIContent*) src/parser/html/nsHtml5TreeOpExecutor.cpp:729
    #73 0x7f93b4a6a8d3 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
    #74 0x7f93b4a79b3f in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:70:16
    #75 0x7f93b24d37a1 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #76 0x7f93b2504d39 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #77 0x7f93b250b9a8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #78 0x7f93b362471a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #79 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #80 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #81 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #82 0x7f93bae66049 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #83 0x7f93beb93a9f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #84 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #85 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #86 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #87 0x7f93beb9333b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #88 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #89 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #90 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:963:10 in IPC::Channel::Unsound_IsClosed() const
Shadow bytes around the buggy address:
  0x0c0480020fd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480020fe0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480020ff0: fa fa fd fd fa fa 00 00 fa fa 00 06 fa fa 00 06
  0x0c0480021000: fa fa fd fd fa fa 00 02 fa fa 01 fa fa fa fd fa
  0x0c0480021010: fa fa fd fd fa fa fd fd fa fa 00 fa fa fa 00 00
=>0x0c0480021020: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa[fd]fa
  0x0c0480021030: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c0480021040: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c0480021050: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480021060: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480021070: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==19018==ABORTING
```