Tested Version: Ubuntu 64-bit memory 5G + linux64-fuzzing-asan-opt(95.0.1 (64-bit))

[App]
Vendor=Mozilla
Name=Firefox
RemotingName=firefox
CodeName=Nightly
Version=95.0.1
BuildID=20211213184707
SourceStamp=e1e02ca86a8e08d28a750053f51cc30ed144fbb8
ID={ec8030f7-c20a-464f-9b0e-13a3a9e97384}

[Gecko]
MinVersion=95.0.1
MaxVersion=95.0.1

[XRE]
EnableProfileMigrator=1

There is no way to reproduce the vulnerability, and I temporarily cannot provide PoC samples. I feel that this is a conditional competition vulnerability. The conditions for triggering this vulnerability are demanding: it needs to be based on a very poorly performing environment in order to trigger the vulnerability. The crash report is as follows:

==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040014e2570 at pc 0x7f72b5aaff3c bp 0x7f729053c4b0 sp 0x7f729053c4a8
READ of size 8 at 0x6040014e2570 thread T57 (MediaTimer #1)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Can't create a socket pair to start external symbolizer (errno: 24)
==588784==WARNING: Failed to use and restart external symbolizer!
#0 0x7f72b5aaff3b in mozilla::Task::PriorityCompare::operator()(RefPtr<mozilla::Task> const&, RefPtr<mozilla::Task> const&) const /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286 #1 0x7f72b5aaff3b in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316 #2 0x7f72b5aaff3b in operator() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:160 #3 0x7f72b5aafc91 in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_get_insert_unique_pos(RefPtr<mozilla::Task> const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2038 #4 0x7f72b5a708ef in mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2091 #5 0x7f72b5a708ef in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511 #6 0x7f72b5a708ef in AddTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357 #7 0x7f72b5a72422 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504 #8 0x7f72b5a598e2 in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/checkouts/gecko/xpcom/threads/EventQueue.cpp:55 #9 0x7f72b5a7a20d in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) 
/builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:121 #10 0x7f72b5a7c168 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:97 #11 0x7f72b5a892a5 in NS_DispatchToMainThread(already_AddRefed<nsIRunnable>&&, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:229 #12 0x7f72b5a6492a in mozilla::SchedulerGroup::InternalUnlabeledDispatch(mozilla::TaskCategory, already_AddRefed<mozilla::SchedulerGroup::Runnable>&&) /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:92 #13 0x7f72b5a64706 in mozilla::SchedulerGroup::LabeledDispatch(mozilla::TaskCategory, already_AddRefed<nsIRunnable>&&, mozilla::PerformanceCounter*) /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:77 #14 0x7f72b5a9f351 in nsThreadPool::ShutdownThread(nsIThread*) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:166 #15 0x7f72b5aa02e5 in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:319 #16 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169 #17 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #18 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300 #19 0x7f72b6dae1f1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #20 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #21 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #22 0x7f72b5a8bd7b in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391 #23 0x7f72d120609e in _pt_root 
/builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201 #24 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #25 0x7f72d26ee292 in clone ??:? 0x6040014e2570 is located 32 bytes inside of 40-byte region [0x6040014e2550,0x6040014e2578) freed by thread T0 (Web Content) here: #0 0x55bb39784cb2 in free _asan_rtl_ #1 0x7f72b5a56daa in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51 #2 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:125 #3 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:462 #4 0x7f72b5a56daa in _M_put_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:592 #5 0x7f72b5a56daa in _M_drop_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:659 #6 0x7f72b5a56daa in _M_erase /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1858 #7 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #8 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, 
std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #9 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #10 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #11 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #12 0x7f72b5ab0284 in mozilla::TaskController::~TaskController() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:949 #13 0x7f72b5ab0284 in ~set /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:271 #14 0x7f72b5ab0284 in ~TaskController /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:270 #15 0x7f72b5a6dfbc in std::unique_ptr<mozilla::TaskController, 
std::default_delete<mozilla::TaskController> >::~unique_ptr() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:78 #16 0x7f72b5a6dfbc in ~unique_ptr /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:263 #17 0x7f72d2615a26 in __libc_secure_getenv ??:? previously allocated by thread T3 (Socket Thread) here: #0 0x55bb39784f1d in malloc _asan_rtl_ #1 0x55bb397bfb8d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52 #2 0x7f72b5aaff62 in std::_Rb_tree_node<RefPtr<mozilla::Task> >* std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node::operator()<RefPtr<mozilla::Task> >(RefPtr<mozilla::Task>&&) const /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33 #3 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111 #4 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436 #5 0x7f72b5aaff62 in _M_get_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:588 #6 0x7f72b5aaff62 in _M_create_node<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:642 #7 0x7f72b5aaff62 in operator()<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:556 #8 0x7f72b5aafd97 in std::_Rb_tree_iterator<RefPtr<mozilla::Task> > std::_Rb_tree<RefPtr<mozilla::Task>, 
RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_insert_<RefPtr<mozilla::Task>, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, RefPtr<mozilla::Task>&&, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1753 #9 0x7f72b5a7092b in _M_insert_unique<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2096 #10 0x7f72b5a7092b in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511 #11 0x7f72b5a7092b in AddTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357 #12 0x7f72b5a72422 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504 #13 0x7f72b5a598e2 in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/checkouts/gecko/xpcom/threads/EventQueue.cpp:55 #14 0x7f72b5a7a20d in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:121 #15 0x7f72b5a7c168 in 
mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:97 #16 0x7f72b5a8ace7 in nsresult detail::ProxyRelease<nsISupports>(char const*, nsIEventTarget*, already_AddRefed<nsISupports>, bool) /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:41 #17 0x7f72b5a8ace7 in ProxyRelease<nsISupports> /builds/worker/checkouts/gecko/xpcom/threads/nsProxyRelease.h:79 #18 0x7f72bc403b6b in nsMainThreadPtrHolder<mozilla::TransceiverImpl>::~nsMainThreadPtrHolder() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:105 #19 0x7f72bc403b6b in NS_ProxyRelease<mozilla::TransceiverImpl> /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:143 #20 0x7f72bc403b6b in ~nsMainThreadPtrHolder /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:279 #21 0x7f72bc4781ee in mozilla::detail::RunnableFunction<mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*)::$_98>::~RunnableFunction() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:304 #22 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50 #23 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381 #24 0x7f72bc4781ee in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81 #25 0x7f72bc4781ee in ~nsMainThreadPtrHandle /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:321 #26 0x7f72bc4781ee in ~ /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/TransceiverImpl.cpp:97 #27 0x7f72bc4781ee in ~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522 #28 0x7f72bc4781ee in 
~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522 #29 0x7f72b5a7dd95 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:60 #30 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:377 #31 0x7f72b5a9226b in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:400 #32 0x7f72b5a9226b in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:696 #33 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1185 #34 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #35 0x7f72b5e5d0b1 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1190 #36 0x7f72b5e5ed0c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() crtstuff.c:? 
#37 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169 #38 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #39 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300 Thread T57 (MediaTimer #1) created by T55 (MediaDe~hine #1) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5a9e859 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155 #7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120 #8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357 #9 0x7f72bbc81877 in mozilla::MediaTimer::ScheduleUpdate() /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:99 #10 0x7f72bbc81441 in mozilla::MediaTimer::WaitUntil(mozilla::TimeStamp const&, char const*) /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:82 #11 0x7f72bba09001 in 
mozilla::MediaDecoderStateMachine::SetVideoDecodeModeInternal(mozilla::VideoDecodeMode) /builds/worker/checkouts/gecko/dom/media/MediaTimer.h:140 #12 0x7f72bba09001 in SetVideoDecodeModeInternal /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3198 #13 0x7f72bbba2086 in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode), true, (mozilla::RunnableKind)0, mozilla::VideoDecodeMode>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147 #14 0x7f72bbba2086 in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153 #15 0x7f72bbba2086 in Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200 #16 0x7f72b5a6a9d6 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:217 #17 0x7f72b5a77f0d in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208 #18 0x7f72b5a9fc3b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:305 #19 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169 #20 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #21 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300 #22 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #23 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #24 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #25 0x7f72b5a8bd7b in 
nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391 #26 0x7f72d120609e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201 #27 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 Thread T55 (MediaDe~hine #1) created by T0 (Web Content) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5a9e859 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155 #7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120 #8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357 #9 0x7f72b5a75d23 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:68 #10 0x7f72b5aa8933 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:87 #11 0x7f72b5a6a755 in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, 
mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:275 #12 0x7f72b5a69b36 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:121 #13 0x7f72b5a6bad9 in mozilla::XPCOMThreadWrapper::MaybeFireTailDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:639 #14 0x7f72b5a6bad9 in MaybeFireTailDispatcher /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:195 #15 0x7f72b5a67fac in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:133 #16 0x7f72b5a67fac in ?? ??:0 #17 0x7f72b5a92537 in ?? ??:0 #18 0x7f72b5a92537 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199 #19 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #20 0x7f72b6f2284f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85 #21 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #22 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #23 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #24 0x7f72bd5a8567 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137 #25 0x7f72c16ff5df in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917 #26 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #27 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #28 0x7f72b6dae1f1 in Run 
/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #29 0x7f72c16fe851 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749 #30 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57 #31 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #32 0x7f72d25f30b2 in __libc_start_main ??:? Thread T3 (Socket Thread) created by T0 (Web Content) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5e5aaea in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85 #7 0x7f72b5e5aaea in Init /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:760 #8 0x7f72b59ff719 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11443 #9 0x7f72b5a455b6 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) 
/builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177 #10 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276 #11 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465 #12 0x7f72b5a4d042 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61 #13 0x7f72b5a4d042 in operator() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253 #14 0x7f72b58a6a2d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91 #15 0x7f72b5db45cb in mozilla::net::nsIOService::InitializeSocketTransportService() /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:774 #16 0x7f72b5db45cb in InitializeSocketTransportService /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:421 #17 0x7f72b5db3340 in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:1272 #18 0x7f72b5db1661 in mozilla::net::nsIOService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:305 #19 0x7f72b5db524b in mozilla::net::nsIOService::GetInstance() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:478 #20 0x7f72b5a087b6 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10077 #21 0x7f72b5a455b6 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177 #22 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276 #23 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID 
const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465 #24 0x7f72b8035a77 in nsScriptSecurityManager::Init() /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52 #25 0x7f72b8035a77 in Init /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1476 #26 0x7f72b8036019 in nsScriptSecurityManager::InitStatics() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1537 #27 0x7f72b7dc42b7 in nsXPConnect::InitStatics() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:153 #28 0x7f72b7d57f18 in xpcModuleCtor() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCModule.cpp:11 #29 0x7f72be3a5f18 in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:100 #30 0x7f72b5a3d0b6 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:408 #31 0x7f72b5b025ca in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:446 #32 0x7f72c16fdec7 in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:192 #33 0x7f72b6f689aa in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:? #34 0x7f72bcdc5c80 in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:157 #35 0x7f72c16fe824 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715 #36 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57 #37 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #38 0x7f72d25f30b2 in __libc_start_main ??:? 
SUMMARY: AddressSanitizer: heap-use-after-free (/home/bobo/code/browsers/firefox/libxul.so+0x5525f3b)
Shadow bytes around the buggy address:
  0x0c0880294450: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880294460: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880294470: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c0880294480: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c0880294490: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
=>0x0c08802944a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd[fd]fa
  0x0c08802944b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c08802944c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c08802944d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c08802944e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c08802944f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==588784==ABORTING

This vuln was discovered by bo13oy of Cyber Kunlun Lab. Thanks.
Bug 1747526 Comment 0 Edit History
/builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201 #24 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 #25 0x7f72d26ee292 in clone ??:? 0x6040014e2570 is located 32 bytes inside of 40-byte region [0x6040014e2550,0x6040014e2578) freed by thread T0 (Web Content) here: #0 0x55bb39784cb2 in free _asan_rtl_ #1 0x7f72b5a56daa in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51 #2 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:125 #3 0x7f72b5a56daa in deallocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:462 #4 0x7f72b5a56daa in _M_put_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:592 #5 0x7f72b5a56daa in _M_drop_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:659 #6 0x7f72b5a56daa in _M_erase /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1858 #7 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #8 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, 
std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #9 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #10 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #11 0x7f72b5a56d7f in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_erase(std::_Rb_tree_node<RefPtr<mozilla::Task> >*) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1856 #12 0x7f72b5ab0284 in mozilla::TaskController::~TaskController() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:949 #13 0x7f72b5ab0284 in ~set /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:271 #14 0x7f72b5ab0284 in ~TaskController /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:270 #15 0x7f72b5a6dfbc in std::unique_ptr<mozilla::TaskController, 
std::default_delete<mozilla::TaskController> >::~unique_ptr() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:78 #16 0x7f72b5a6dfbc in ~unique_ptr /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/unique_ptr.h:263 #17 0x7f72d2615a26 in __libc_secure_getenv ??:? previously allocated by thread T3 (Socket Thread) here: #0 0x55bb39784f1d in malloc _asan_rtl_ #1 0x55bb397bfb8d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52 #2 0x7f72b5aaff62 in std::_Rb_tree_node<RefPtr<mozilla::Task> >* std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node::operator()<RefPtr<mozilla::Task> >(RefPtr<mozilla::Task>&&) const /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33 #3 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111 #4 0x7f72b5aaff62 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436 #5 0x7f72b5aaff62 in _M_get_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:588 #6 0x7f72b5aaff62 in _M_create_node<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:642 #7 0x7f72b5aaff62 in operator()<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:556 #8 0x7f72b5aafd97 in std::_Rb_tree_iterator<RefPtr<mozilla::Task> > std::_Rb_tree<RefPtr<mozilla::Task>, 
RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_insert_<RefPtr<mozilla::Task>, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, RefPtr<mozilla::Task>&&, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1753 #9 0x7f72b5a7092b in _M_insert_unique<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2096 #10 0x7f72b5a7092b in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511 #11 0x7f72b5a7092b in AddTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:357 #12 0x7f72b5a72422 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:504 #13 0x7f72b5a598e2 in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /builds/worker/checkouts/gecko/xpcom/threads/EventQueue.cpp:55 #14 0x7f72b5a7a20d in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventQueue.cpp:121 #15 0x7f72b5a7c168 in 
mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/ThreadEventTarget.cpp:97 #16 0x7f72b5a8ace7 in nsresult detail::ProxyRelease<nsISupports>(char const*, nsIEventTarget*, already_AddRefed<nsISupports>, bool) /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:41 #17 0x7f72b5a8ace7 in ProxyRelease<nsISupports> /builds/worker/checkouts/gecko/xpcom/threads/nsProxyRelease.h:79 #18 0x7f72bc403b6b in nsMainThreadPtrHolder<mozilla::TransceiverImpl>::~nsMainThreadPtrHolder() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:105 #19 0x7f72bc403b6b in NS_ProxyRelease<mozilla::TransceiverImpl> /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:143 #20 0x7f72bc403b6b in ~nsMainThreadPtrHolder /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:279 #21 0x7f72bc4781ee in mozilla::detail::RunnableFunction<mozilla::TransceiverImpl::TransceiverImpl(nsPIDOMWindowInner*, bool, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&, mozilla::MediaTransportHandler*, mozilla::JsepTransceiver*, nsISerialEventTarget*, nsISerialEventTarget*, mozilla::dom::MediaStreamTrack*, mozilla::WebRtcCallWrapper*)::$_98>::~RunnableFunction() /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:304 #22 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50 #23 0x7f72bc4781ee in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381 #24 0x7f72bc4781ee in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81 #25 0x7f72bc4781ee in ~nsMainThreadPtrHandle /builds/worker/workspace/obj-build/dist/include/nsProxyRelease.h:321 #26 0x7f72bc4781ee in ~ /builds/worker/checkouts/gecko/dom/media/webrtc/jsapi/TransceiverImpl.cpp:97 #27 0x7f72bc4781ee in ~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522 #28 0x7f72bc4781ee in 
~RunnableFunction /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:522 #29 0x7f72b5a7dd95 in mozilla::Runnable::Release() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:60 #30 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:377 #31 0x7f72b5a9226b in assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:400 #32 0x7f72b5a9226b in operator= /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:696 #33 0x7f72b5a9226b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1185 #34 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #35 0x7f72b5e5d0b1 in mozilla::net::nsSocketTransportService::Run() /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:1190 #36 0x7f72b5e5ed0c in non-virtual thunk to mozilla::net::nsSocketTransportService::Run() crtstuff.c:? 
#37 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169 #38 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #39 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300 Thread T57 (MediaTimer #1) created by T55 (MediaDe~hine #1) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5a9e859 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155 #7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120 #8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357 #9 0x7f72bbc81877 in mozilla::MediaTimer::ScheduleUpdate() /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:99 #10 0x7f72bbc81441 in mozilla::MediaTimer::WaitUntil(mozilla::TimeStamp const&, char const*) /builds/worker/checkouts/gecko/dom/media/MediaTimer.cpp:82 #11 0x7f72bba09001 in 
mozilla::MediaDecoderStateMachine::SetVideoDecodeModeInternal(mozilla::VideoDecodeMode) /builds/worker/checkouts/gecko/dom/media/MediaTimer.h:140 #12 0x7f72bba09001 in SetVideoDecodeModeInternal /builds/worker/checkouts/gecko/dom/media/MediaDecoderStateMachine.cpp:3198 #13 0x7f72bbba2086 in mozilla::detail::RunnableMethodImpl<mozilla::MediaDecoderStateMachine*, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode), true, (mozilla::RunnableKind)0, mozilla::VideoDecodeMode>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147 #14 0x7f72bbba2086 in apply<mozilla::MediaDecoderStateMachine, void (mozilla::MediaDecoderStateMachine::*)(mozilla::VideoDecodeMode)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153 #15 0x7f72bbba2086 in Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200 #16 0x7f72b5a6a9d6 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:217 #17 0x7f72b5a77f0d in mozilla::TaskQueue::Runner::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:208 #18 0x7f72b5a9fc3b in nsThreadPool::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:305 #19 0x7f72b5a929f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169 #20 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #21 0x7f72b6f23e0d in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300 #22 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #23 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #24 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #25 0x7f72b5a8bd7b in 
nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391 #26 0x7f72d120609e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201 #27 0x7f72d2b26608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477 Thread T55 (MediaDe~hine #1) created by T0 (Web Content) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5a9e859 in NS_NewNamedThread /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:155 #7 0x7f72b5a9e859 in PutEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:120 #8 0x7f72b5aa0ae9 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadPool.cpp:357 #9 0x7f72b5a75d23 in mozilla::TaskQueue::DispatchLocked(nsCOMPtr<nsIRunnable>&, unsigned int, mozilla::AbstractThread::DispatchReason) /builds/worker/checkouts/gecko/xpcom/threads/TaskQueue.cpp:68 #10 0x7f72b5aa8933 in mozilla::TaskQueue::Dispatch(already_AddRefed<nsIRunnable>, mozilla::AbstractThread::DispatchReason) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskQueue.h:87 #11 0x7f72b5a6a755 in mozilla::AutoTaskDispatcher::DispatchTaskGroup(mozilla::UniquePtr<mozilla::AutoTaskDispatcher::PerThreadTaskGroup, 
mozilla::DefaultDelete<mozilla::AutoTaskDispatcher::PerThreadTaskGroup> >) /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:275 #12 0x7f72b5a69b36 in mozilla::AutoTaskDispatcher::~AutoTaskDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/TaskDispatcher.h:121 #13 0x7f72b5a6bad9 in mozilla::XPCOMThreadWrapper::MaybeFireTailDispatcher() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:639 #14 0x7f72b5a6bad9 in MaybeFireTailDispatcher /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:195 #15 0x7f72b5a67fac in non-virtual thunk to mozilla::XPCOMThreadWrapper::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/checkouts/gecko/xpcom/threads/AbstractThread.cpp:133 #16 0x7f72b5a67fac in ?? ??:0 #17 0x7f72b5a92537 in ?? ??:0 #18 0x7f72b5a92537 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199 #19 0x7f72b5a9c6ec in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467 #20 0x7f72b6f2284f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85 #21 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #22 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #23 0x7f72b6dae1f1 in Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #24 0x7f72bd5a8567 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137 #25 0x7f72c16ff5df in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917 #26 0x7f72b6dae1f1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331 #27 0x7f72b6dae1f1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324 #28 0x7f72b6dae1f1 in Run 
/builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306 #29 0x7f72c16fe851 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749 #30 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57 #31 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #32 0x7f72d25f30b2 in __libc_start_main ??:? Thread T3 (Socket Thread) created by T0 (Web Content) here: #0 0x55bb3976f61c in pthread_create _asan_rtl_ #1 0x7f72d11f6124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458 #2 0x7f72d11e73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533 #3 0x7f72b5a8ebcd in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607 #4 0x7f72b5a9a9cf in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:581 #5 0x7f72b5aa4c31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:163 #6 0x7f72b5e5aaea in mozilla::net::nsSocketTransportService::Init() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85 #7 0x7f72b5e5aaea in Init /builds/worker/checkouts/gecko/netwerk/base/nsSocketTransportService2.cpp:760 #8 0x7f72b59ff719 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:11443 #9 0x7f72b5a455b6 in nsComponentManagerImpl::GetServiceLocked(mozilla::Maybe<mozilla::MonitorAutoLock>&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) 
/builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177 #10 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276 #11 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465 #12 0x7f72b5a4d042 in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:61 #13 0x7f72b5a4d042 in operator() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManagerUtils.cpp:253 #14 0x7f72b58a6a2d in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /builds/worker/checkouts/gecko/xpcom/base/nsCOMPtr.cpp:91 #15 0x7f72b5db45cb in mozilla::net::nsIOService::InitializeSocketTransportService() /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:774 #16 0x7f72b5db45cb in InitializeSocketTransportService /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:421 #17 0x7f72b5db3340 in mozilla::net::nsIOService::SetOffline(bool) /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:1272 #18 0x7f72b5db1661 in mozilla::net::nsIOService::Init() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:305 #19 0x7f72b5db524b in mozilla::net::nsIOService::GetInstance() /builds/worker/checkouts/gecko/netwerk/base/nsIOService.cpp:478 #20 0x7f72b5a087b6 in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) /builds/worker/workspace/obj-build/xpcom/components/StaticComponents.cpp:10077 #21 0x7f72b5a455b6 in CreateInstance /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:177 #22 0x7f72b5a455b6 in GetServiceLocked /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1276 #23 0x7f72b5a4762c in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID 
const&, void**) /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:1465 #24 0x7f72b8035a77 in nsScriptSecurityManager::Init() /builds/worker/workspace/obj-build/dist/include/nsServiceManagerUtils.h:52 #25 0x7f72b8035a77 in Init /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1476 #26 0x7f72b8036019 in nsScriptSecurityManager::InitStatics() /builds/worker/checkouts/gecko/caps/nsScriptSecurityManager.cpp:1537 #27 0x7f72b7dc42b7 in nsXPConnect::InitStatics() /builds/worker/checkouts/gecko/js/xpconnect/src/nsXPConnect.cpp:153 #28 0x7f72b7d57f18 in xpcModuleCtor() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCModule.cpp:11 #29 0x7f72be3a5f18 in nsLayoutModuleInitialize() /builds/worker/checkouts/gecko/layout/build/nsLayoutModule.cpp:100 #30 0x7f72b5a3d0b6 in nsComponentManagerImpl::Init() /builds/worker/checkouts/gecko/xpcom/components/nsComponentManager.cpp:408 #31 0x7f72b5b025ca in NS_InitXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:446 #32 0x7f72c16fdec7 in XRE_InitEmbedding2(nsIFile*, nsIFile*, nsIDirectoryServiceProvider*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:192 #33 0x7f72b6f689aa in mozilla::ipc::ScopedXREEmbed::Start() /builds/worker/checkouts/gecko/ipc/glue/ScopedXREEmbed.cpp:? #34 0x7f72bcdc5c80 in mozilla::dom::ContentProcess::Init(int, char**) /builds/worker/checkouts/gecko/dom/ipc/ContentProcess.cpp:157 #35 0x7f72c16fe824 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:715 #36 0x55bb397b987d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57 #37 0x55bb397b9ca8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327 #38 0x7f72d25f30b2 in __libc_start_main ??:? 
SUMMARY: AddressSanitizer: heap-use-after-free (/home/bobo/code/browsers/firefox/libxul.so+0x5525f3b) Shadow bytes around the buggy address: 0x0c0880294450: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c0880294460: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c0880294470: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c0880294480: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa 0x0c0880294490: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa =>0x0c08802944a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd[fd]fa 0x0c08802944b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c08802944c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c08802944d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c08802944e0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c08802944f0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==588784==ABORTING ``` This vuln is discovered by bo13oy of Cyber Kunlun Lab. Thanks.