Bug 1620818 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter's name and original timestamp.

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36

Steps to reproduce:

I have been randomly obtaining this Use-After-Free at a specific website that I was investigating. I don't have a reproducer so far. Not sure if it's due to recent Firefox code changes or has really been triggered intentionally, since it was with a custom Firefox build and m-c-20200226162551-fuzzing-asan-opt.

Actual results:

```
=================================================================
==27386==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0001009c0 at pc 0x7f098a30d54a bp 0x7ffe5a8f3a60 sp 0x7ffe5a8f3a58
READ of size 8 at 0x60e0001009c0 thread T0 (Web Content)
    #0 0x7f098a30d549 in SynchronizeLayoutHistoryState /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3302:12
    #1 0x7f098a30d549 in non-virtual thunk to nsDocShell::SynchronizeLayoutHistoryState() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #2 0x7f09877e53f2 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1656:44
    #3 0x7f09877e487d in nsDocumentViewer::~nsDocumentViewer() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:627:5
    #4 0x7f09877e6ccd in nsDocumentViewer::~nsDocumentViewer() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:625:39
    #5 0x7f09877e4486 in nsDocumentViewer::Release() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:613:1
    #6 0x7f098a2e7cc7 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:7
    #7 0x7f098a2e7cc7 in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:450:1
    #8 0x7f098a2e937d in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:411:27
    #9 0x7f097edb2c88 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2460:9
    #10 0x7f097ed91876 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:942:23
    #11 0x7f097ed92135 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2625:14
    #12 0x7f09813d97dc in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:147:9
    #13 0x7f097ef6cea8 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:326:22
    #14 0x7f097ef48bd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #15 0x7f097ef53a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
    #16 0x7f09801a9fcf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #17 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #19 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #20 0x7f0987230cb8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #21 0x7f098ad63ca6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:20
    #22 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #23 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #24 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #25 0x7f098ad63269 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:779:34
    #26 0x55fdb83a2433 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #27 0x55fdb83a2433 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #28 0x7f099ad2c1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16
    #29 0x55fdb82f7ddc in _start (/home/fuzzer/dev/m-c-20200226162551-fuzzing-asan-opt/firefox+0x9bddc)

0x60e0001009c0 is located 0 bytes inside of 160-byte region [0x60e0001009c0,0x60e000100a60)
freed by thread T0 (Web Content) here:
    #0 0x55fdb836faad in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f098a3be096 in nsSHEntry::Release() /builds/worker/workspace/build/src/docshell/shistory/nsSHEntry.cpp:81:1
    #2 0x7f098a2e79a4 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:330:7
    #3 0x7f098a2e79a4 in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:450:1
    #4 0x7f098a2e937d in nsDocShell::~nsDocShell() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:411:27
    #5 0x7f097edb2c88 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2460:9
    #6 0x7f097ed91876 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:942:23
    #7 0x7f097ed92135 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2625:14
    #8 0x7f09813d97dc in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:147:9
    #9 0x7f097ef6cea8 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:326:22
    #10 0x7f097ef48bd8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #11 0x7f097ef53a3c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
    #12 0x7f09801a9fcf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #13 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #15 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #16 0x7f0987230cb8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #17 0x7f098ad63ca6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:20
    #18 0x7f098009d1f7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7f098009d1f7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #20 0x7f098009d1f7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #21 0x7f098ad63269 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:779:34
    #22 0x55fdb83a2433 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #23 0x55fdb83a2433 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #24 0x7f099ad2c1e2 in __libc_start_main /build/glibc-4WA41p/glibc-2.30/csu/../csu/libc-start.c:308:16

previously allocated by thread T0 (Web Content) here:
    #0 0x55fdb836fd2d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55fdb83a582d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f098a3ae651 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f098a3ae651 in mozilla::dom::CreateSHEntryForDocShell(nsISHistory*) /builds/worker/workspace/build/src/docshell/shistory/ChildSHistory.cpp:126:32
    #4 0x7f098a3525d4 in nsDocShell::AddToSessionHistory(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, nsIContentSecurityPolicy*, bool, nsISHEntry**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:11073:13
    #5 0x7f098a33efc3 in nsDocShell::OnNewURI(nsIURI*, nsIChannel*, nsIPrincipal*, nsIPrincipal*, nsIPrincipal*, unsigned int, nsIContentSecurityPolicy*, bool, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10540:13
    #6 0x7f098a33fbac in nsDocShell::OnLoadingSite(nsIChannel*, bool, bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:10602:10
    #7 0x7f098a2d9a8a in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7705:33
    #8 0x7f098a2d7c9c in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:168:20
    #9 0x7f098195227a in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:632:18
    #10 0x7f098194f84a in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:313:9
    #11 0x7f098194e211 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:191:8
    #12 0x7f097faa807c in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:707:20
    #13 0x7f097fab671c in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:557:3
    #14 0x7f097fb6d806 in operator() /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:411:15
    #15 0x7f097fb6d806 in std::_Function_handler<void (), mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&)::$_5>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #16 0x7f097f8e83ba in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:260:10
    #17 0x7f097fab47ff in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, bool const&, mozilla::net::ResourceTimingStructArgs const&, bool const&, mozilla::Maybe<unsigned int> const&, bool const&, nsILoadInfo::CrossOriginOpenerPolicy const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:401:12
    #18 0x7f098086677c in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:862:28
    #19 0x7f098057a777 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:8563:32
    #20 0x7f098019e122 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2214:25
    #21 0x7f098019932a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2136:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:3302:12 in SynchronizeLayoutHistoryState
Shadow bytes around the buggy address:
  0x0c1c800180e0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c800180f0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1c80018100: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1c80018110: fd fd fd fd fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1c80018120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
=>0x0c1c80018130: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c1c80018140: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c1c80018150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1c80018180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==27386==ABORTING
```