#Summary AddressSanitizer: heap-use-after-free MessageChannel.cpp:1844 in mozilla::ipc::MessageChannel::MessageTask::Run #Reproduce OS: Win10 x64 Firefox: Nightly 93.0a1 (2021-08-11) (64-bit) Steps: 1. sudo python -m http.server 80 2. install node puppeteer-core (ffpuppet does not work on Windows) 3. node ff.test.js D:\firefox_asan\target\firefox\firefox.exe http://localhost/fuzz1/1628742733366/fuzz-00005.htm 4. wait for 30s; if it does not crash, try again. I will try to make a minimal test case. #Type of crash Tab process #Analysis MessageTask holds a raw pointer to the MessageChannel [1] without tracking the channel's lifetime, and dereferences it at [2]. During mozilla::ShutdownXPCOM, the destruction of PCompositorManagerChild frees that mChannel [3], so the later dereference is a use-after-free. The "freed by" stack shows the channel being torn down via MessageChannel::Close from CompositorManagerChild::Shutdown (gfxPlatform.cpp:1339), while the stale MessageTask is run afterwards from the nested event loop that nsThread::Shutdown spins during ImageBridgeChild::ShutDown (gfxPlatform.cpp:1340). ``` [1] ipc/glue/MessageChannel.h 553 MessageChannel* mChannel; // found in mozilla::ipc::MessageChannel::MessageTask [2] ipc/glue/MessageChannel.cpp 1844 mChannel->AssertWorkerThread(); // found in mozilla::ipc::MessageChannel::MessageTask::Run [3] ipc/glue/ProtocolUtils.h 555 MessageChannel mChannel; // found in mozilla::ipc::IToplevelProtocol ``` #Patch Not Yet #ASAN ================================================================= ==11116==ERROR: AddressSanitizer: heap-use-after-free on address 0x12778a4c5f88 at pc 0x7ff8e52cb16a bp 0x00dff11fd570 sp 0x00dff11fd5b8 READ of size 8 at 0x12778a4c5f88 thread T0 #0 0x7ff8e52cb169 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1844 #1 0x7ff8e3f2e75d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502 #2 0x7ff8e3eeaae9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805 #3 0x7ff8e3ee692c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641 #4 0x7ff8e3ee72f0 in mozilla::TaskController::ProcessPendingMTTask 
/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425 #5 0x7ff8e3f38bc1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532 #6 0x7ff8e3f0f71b in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148 #7 0x7ff8e3f1fffc in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466 #8 0x7ff8e3f0d41d in nsThread::Shutdown /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:840 #9 0x7ff8e6e94a26 in mozilla::layers::ImageBridgeChild::ShutDown /builds/worker/checkouts/gecko/gfx/layers/ipc/ImageBridgeChild.cpp:489 #10 0x7ff8e6f249b6 in gfxPlatform::ShutdownLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1340 #11 0x7ff8e3fafb8f in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:622 #12 0x7ff8f1a0be30 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:218 #13 0x7ff8e52f4b98 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90 #14 0x7ff8f1a0cdff in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:753 #15 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #16 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #17 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #18 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) #19 0x7ff980ee2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650) 0x12778a4c5f88 is located 264 bytes inside of 592-byte region [0x12778a4c5e80,0x12778a4c60d0) freed by thread T0 here: #0 0x7ff94f755afb in free 
Z:\task_162801323523615\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82 #1 0x7ff8e55da72c in mozilla::layers::PCompositorManagerChild::~PCompositorManagerChild /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:62 #2 0x7ff8e52ece8e in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:280 #3 0x7ff8e54b46d1 in mozilla::layers::PCompositorManagerParent::OnChannelClose /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:596 #4 0x7ff8e52d0945 in mozilla::ipc::MessageChannel::Close /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2580 #5 0x7ff8e6e79061 in mozilla::layers::CompositorManagerChild::Shutdown /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:79 #6 0x7ff8e6f249b1 in gfxPlatform::ShutdownLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1339 #7 0x7ff8e3fafb8f in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:622 #8 0x7ff8f1a0be30 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:218 #9 0x7ff8e52f4b98 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90 #10 0x7ff8f1a0cdff in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:753 #11 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #12 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #13 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #14 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) #15 0x7ff980ee2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650) previously allocated by thread T0 here: #0 0x7ff94f755c0b in malloc 
Z:\task_162801323523615\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98 #1 0x7ff95ca1139d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52 #2 0x7ff8e6e78d34 in mozilla::layers::CompositorManagerChild::Init /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:65 #3 0x7ff8ec883cde in mozilla::dom::ContentChild::RecvInitRendering /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1542 #4 0x7ff8e5533a67 in mozilla::dom::PContentChild::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8826 #5 0x7ff8e52cc854 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2051 #6 0x7ff8e52c8cbf in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1978 #7 0x7ff8e52cab3c in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1826 #8 0x7ff8e52cb0ec in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1857 #9 0x7ff8e3f2e75d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502 #10 0x7ff8e3eeaae9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805 #11 0x7ff8e3ee692c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641 #12 0x7ff8e3ee72f0 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425 #13 0x7ff8e3f38ba1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532 #14 0x7ff8e3f0f71b in nsThread::ProcessNextEvent 
/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148 #15 0x7ff8e3f1fffc in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466 #16 0x7ff8e52d5eae in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85 #17 0x7ff8e51e41a5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #18 0x7ff8e51e3f75 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #19 0x7ff8ed40cfda in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137 #20 0x7ff8ed5f410b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:603 #21 0x7ff8f1a0d934 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917 #22 0x7ff8e51e41a5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #23 0x7ff8e51e3f75 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #24 0x7ff8f1a0cdc7 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749 #25 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #26 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #27 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #28 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1844 in mozilla::ipc::MessageChannel::MessageTask::Run Shadow bytes around the buggy address: 0x049a7b918ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bd0: fd fd fd fd fd fd fd fd fd 
fd fd fd fd fd fd fd 0x049a7b918be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x049a7b918bf0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c10: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x049a7b918c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11116==ABORTING
Bug 1725335 Comment 0 Edit History
#Summary AddressSanitizer: heap-use-after-free MessageChannel.cpp:1844 in mozilla::ipc::MessageChannel::MessageTask::Run #Reproduce OS: Win10 x64 Firefox: Nightly 93.0a1 (2021-08-11) (64-bit) Steps: 1. sudo python -m http.server 80 2. install node puppeteer-core (ffpuppet does not work on Windows) 3. node ff.test.js D:\firefox_asan\target\firefox\firefox.exe http://localhost/fuzz1/1628742733366/fuzz-00005.htm 4. wait for 30s; if it does not crash, try again. I will try to make a minimal test case. #Type of crash Tab process #Analysis MessageTask holds a raw pointer to the MessageChannel [1] without tracking the channel's lifetime, and dereferences it at [2]. During mozilla::ShutdownXPCOM, the destruction of PCompositorManagerChild frees that mChannel [3], so the later dereference is a use-after-free. The "freed by" stack shows the channel being torn down via MessageChannel::Close from CompositorManagerChild::Shutdown (gfxPlatform.cpp:1339), while the stale MessageTask is run afterwards from the nested event loop that nsThread::Shutdown spins during ImageBridgeChild::ShutDown (gfxPlatform.cpp:1340). ``` [1] ipc/glue/MessageChannel.h 553 MessageChannel* mChannel; // found in mozilla::ipc::MessageChannel::MessageTask [2] ipc/glue/MessageChannel.cpp 1844 mChannel->AssertWorkerThread(); // found in mozilla::ipc::MessageChannel::MessageTask::Run [3] ipc/glue/ProtocolUtils.h 555 MessageChannel mChannel; // found in mozilla::ipc::IToplevelProtocol ``` #Patch Not Yet #ASAN ``` ================================================================= ==11116==ERROR: AddressSanitizer: heap-use-after-free on address 0x12778a4c5f88 at pc 0x7ff8e52cb16a bp 0x00dff11fd570 sp 0x00dff11fd5b8 READ of size 8 at 0x12778a4c5f88 thread T0 #0 0x7ff8e52cb169 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1844 #1 0x7ff8e3f2e75d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502 #2 0x7ff8e3eeaae9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805 #3 0x7ff8e3ee692c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641 #4 0x7ff8e3ee72f0 in mozilla::TaskController::ProcessPendingMTTask 
/builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425 #5 0x7ff8e3f38bc1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532 #6 0x7ff8e3f0f71b in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148 #7 0x7ff8e3f1fffc in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466 #8 0x7ff8e3f0d41d in nsThread::Shutdown /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:840 #9 0x7ff8e6e94a26 in mozilla::layers::ImageBridgeChild::ShutDown /builds/worker/checkouts/gecko/gfx/layers/ipc/ImageBridgeChild.cpp:489 #10 0x7ff8e6f249b6 in gfxPlatform::ShutdownLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1340 #11 0x7ff8e3fafb8f in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:622 #12 0x7ff8f1a0be30 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:218 #13 0x7ff8e52f4b98 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90 #14 0x7ff8f1a0cdff in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:753 #15 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #16 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #17 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #18 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) #19 0x7ff980ee2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650) 0x12778a4c5f88 is located 264 bytes inside of 592-byte region [0x12778a4c5e80,0x12778a4c60d0) freed by thread T0 here: #0 0x7ff94f755afb in free 
Z:\task_162801323523615\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82 #1 0x7ff8e55da72c in mozilla::layers::PCompositorManagerChild::~PCompositorManagerChild /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:62 #2 0x7ff8e52ece8e in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy /builds/worker/checkouts/gecko/ipc/glue/ProtocolUtils.cpp:280 #3 0x7ff8e54b46d1 in mozilla::layers::PCompositorManagerParent::OnChannelClose /builds/worker/workspace/obj-build/ipc/ipdl/PCompositorManagerChild.cpp:596 #4 0x7ff8e52d0945 in mozilla::ipc::MessageChannel::Close /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2580 #5 0x7ff8e6e79061 in mozilla::layers::CompositorManagerChild::Shutdown /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:79 #6 0x7ff8e6f249b1 in gfxPlatform::ShutdownLayersIPC /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1339 #7 0x7ff8e3fafb8f in mozilla::ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:622 #8 0x7ff8f1a0be30 in XRE_TermEmbedding /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:218 #9 0x7ff8e52f4b98 in mozilla::ipc::ScopedXREEmbed::Stop /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:90 #10 0x7ff8f1a0cdff in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:753 #11 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #12 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #13 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #14 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) #15 0x7ff980ee2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650) previously allocated by thread T0 here: #0 0x7ff94f755c0b in malloc 
Z:\task_162801323523615\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98 #1 0x7ff95ca1139d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52 #2 0x7ff8e6e78d34 in mozilla::layers::CompositorManagerChild::Init /builds/worker/checkouts/gecko/gfx/layers/ipc/CompositorManagerChild.cpp:65 #3 0x7ff8ec883cde in mozilla::dom::ContentChild::RecvInitRendering /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1542 #4 0x7ff8e5533a67 in mozilla::dom::PContentChild::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8826 #5 0x7ff8e52cc854 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2051 #6 0x7ff8e52c8cbf in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1978 #7 0x7ff8e52cab3c in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1826 #8 0x7ff8e52cb0ec in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1857 #9 0x7ff8e3f2e75d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502 #10 0x7ff8e3eeaae9 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805 #11 0x7ff8e3ee692c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641 #12 0x7ff8e3ee72f0 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425 #13 0x7ff8e3f38ba1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:532 #14 0x7ff8e3f0f71b in nsThread::ProcessNextEvent 
/builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1148 #15 0x7ff8e3f1fffc in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:466 #16 0x7ff8e52d5eae in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85 #17 0x7ff8e51e41a5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #18 0x7ff8e51e3f75 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #19 0x7ff8ed40cfda in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137 #20 0x7ff8ed5f410b in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:603 #21 0x7ff8f1a0d934 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917 #22 0x7ff8e51e41a5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #23 0x7ff8e51e3f75 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #24 0x7ff8f1a0cdc7 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749 #25 0x7ff61d731f49 in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #26 0x7ff61d7314d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131 #27 0x7ff61d82f3f7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288 #28 0x7ff97f857033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033) SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1844 in mozilla::ipc::MessageChannel::MessageTask::Run Shadow bytes around the buggy address: 0x049a7b918ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918bd0: fd fd fd fd fd fd fd fd fd 
fd fd fd fd fd fd fd 0x049a7b918be0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd =>0x049a7b918bf0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c10: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa 0x049a7b918c20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x049a7b918c30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd 0x049a7b918c40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb Shadow gap: cc ==11116==ABORTING ```