Particular malformed XML docs may lead to a state where history navigation causes a heap-use-after-free due to the (root) session history dereferencing a dead BC.
I suspect the issue is connected to how an error representation replaces the active document when a transformation via an XSLT sheet fails.
The ASAN reports below show a UAF on a local nightly build with *fission disabled*, and on ESR 91.9 with default settings. (There's still buggy behavior *with* fission, but I can't tell yet if there are similar potential consequences given the right testcase.)
1. local mozilla-central build rev `fb7973567fac` with `--disable-fission`:
```
==659463==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00020d420 at pc 0x7fe868ccdde9 bp 0x7fffec58b020 sp 0x7fffec58b018
READ of size 8 at 0x61a00020d420 thread T0
#0 0x7fe868ccdde8 in get /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fe868ccdde8 in operator mozilla::dom::WindowContext * /m-c/obj-asan/dist/include/mozilla/RefPtr.h:299:12
#2 0x7fe868ccdde8 in Children /m-c/docshell/base/BrowsingContext.cpp:1031:32
#3 0x7fe868ccdde8 in mozilla::dom::BrowsingContext::GetChildren(nsTArray<RefPtr<mozilla::dom::BrowsingContext> >&) /m-c/docshell/base/BrowsingContext.cpp:1039:28
#4 0x7fe868ec22fe in nsSHistory::LoadDifferingEntries(nsISHEntry*, nsISHEntry*, mozilla::dom::BrowsingContext*, long, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, int) /m-c/docshell/shistory/nsSHistory.cpp:2165:12
#5 0x7fe868eba169 in nsSHistory::LoadEntry(int, long, unsigned int, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, bool) /m-c/docshell/shistory/nsSHistory.cpp:2123:26
#6 0x7fe868ec0761 in GotoIndex /m-c/docshell/shistory/nsSHistory.cpp:2005:10
#7 0x7fe868ec0761 in nsSHistory::GotoIndex(int, bool) /m-c/docshell/shistory/nsSHistory.cpp:1985:17
#8 0x7fe868e83390 in mozilla::dom::ChildSHistory::GotoIndex(int, int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:219:21
#9 0x7fe868e82b8f in mozilla::dom::ChildSHistory::Go(int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:167:3
#10 0x7fe868d1cbdb in nsDocShell::GoBack(bool, bool) /m-c/docshell/base/nsDocShell.cpp:3400:11
#11 0x7fe85a97ffd5 in NS_InvokeByIndex /m-c/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#12 0x7fe85c5d3b52 in Invoke /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1626:10
#13 0x7fe85c5d3b52 in Call /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1179:19
#14 0x7fe85c5d3b52 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1125:23
#15 0x7fe85c5d9985 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /m-c/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:963:10
#16 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#17 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#18 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#19 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#20 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#21 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#22 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#23 0x7fe86a409180 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:117:10
#24 0x7fe86021864c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /m-c/obj-asan/dom/bindings/EventHandlerBinding.cpp:283:37
#25 0x7fe861444140 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /m-c/obj-asan/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#26 0x7fe861444140 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /m-c/dom/events/JSEventHandler.cpp:201:12
#27 0x7fe8613fc006 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /m-c/dom/events/EventListenerManager.cpp:1316:22
#28 0x7fe8613fe005 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /m-c/dom/events/EventListenerManager.cpp:1507:17
#29 0x7fe8614568ce in HandleEvent /m-c/dom/events/EventListenerManager.h:395:5
#30 0x7fe8614568ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:348:17
#31 0x7fe8613e4e98 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:550:16
#32 0x7fe8613ea74d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:1119:11
#33 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#34 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#35 0x7fe86140f663 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /m-c/dom/events/EventTarget.cpp:186:13
#36 0x7fe85dac74d9 in nsContentUtils::DispatchXULCommand(nsIContent*, bool, mozilla::dom::Event*, mozilla::PresShell*, bool, bool, bool, bool, unsigned short, short) /m-c/dom/base/nsContentUtils.cpp:6351:12
#37 0x7fe863f70da4 in nsXULElement::DispatchXULCommand(mozilla::EventChainVisitor const&, nsTAutoStringN<char16_t, 64ul>&) /m-c/dom/xul/nsXULElement.cpp:935:5
#38 0x7fe863f71616 in nsXULElement::PreHandleEvent(mozilla::EventChainVisitor&) /m-c/dom/xul/nsXULElement.cpp:983:12
#39 0x7fe8613e8e66 in PreHandleEvent /m-c/dom/events/EventDispatcher.cpp:436:22
#40 0x7fe8613e8e66 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:921:16
#41 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#42 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#43 0x7fe86027a6bb in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/EventTargetBinding.cpp:851:36
#44 0x7fe860840149 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#45 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#46 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#47 0x7fe86b4c8032 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /m-c/js/src/jit/BaselineIC.cpp:1582:10
#48 0x15d0e33eddc7 (<unknown module>)
0x61a00020d420 is located 928 bytes inside of 1368-byte region [0x61a00020d080,0x61a00020d5d8)
freed by thread T0 here:
#0 0x55c9e7e4a862 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
#1 0x7fe85a72b473 in MaybeKillObject /m-c/xpcom/base/nsCycleCollector.cpp:2419:29
#2 0x7fe85a72b473 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /m-c/xpcom/base/nsCycleCollector.cpp:2444:9
#3 0x7fe85a716d55 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /m-c/xpcom/base/nsCycleCollector.cpp:939:23
#4 0x7fe85a6fb438 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /m-c/xpcom/base/nsCycleCollector.cpp:2612:14
#5 0x7fe85c595002 in AsyncFreeSnowWhite::Run() /m-c/js/xpconnect/src/XPCJSRuntime.cpp:150:9
#6 0x7fe85a9493d9 in IdleRunnableWrapper::Run() /m-c/xpcom/threads/nsThreadUtils.cpp:309:22
#7 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#8 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#9 0x7fe85a8fd1f5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:654:15
#10 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
#11 0x7fe85a93d9f1 in operator() /m-c/xpcom/threads/TaskController.cpp:124:37
#12 0x7fe85a93d9f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:531:5
#13 0x7fe85a924517 in nsThread::ProcessNextEvent(bool, bool*) /m-c/xpcom/threads/nsThread.cpp:1180:16
#14 0x7fe85a92f4f1 in NS_ProcessNextEvent(nsIThread*, bool) /m-c/xpcom/threads/nsThreadUtils.cpp:465:10
#15 0x7fe85c275ba6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /m-c/ipc/glue/MessagePump.cpp:85:21
#16 0x7fe85c0c96b2 in RunInternal /m-c/ipc/chromium/src/base/message_loop.cc:380:10
#17 0x7fe85c0c96b2 in RunHandler /m-c/ipc/chromium/src/base/message_loop.cc:373:3
#18 0x7fe85c0c96b2 in MessageLoop::Run() /m-c/ipc/chromium/src/base/message_loop.cc:355:3
#19 0x7fe86470715a in nsBaseAppShell::Run() /m-c/widget/nsBaseAppShell.cpp:137:27
#20 0x7fe869c33ca9 in nsAppStartup::Run() /m-c/toolkit/components/startup/nsAppStartup.cpp:295:30
#21 0x7fe869ef16ad in XREMain::XRE_mainRun() /m-c/toolkit/xre/nsAppRunner.cpp:5746:22
#22 0x7fe869ef36ef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5931:8
#23 0x7fe869ef46a0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5998:21
#24 0x55c9e7e7fc47 in do_main /m-c/browser/app/nsBrowserApp.cpp:225:22
#25 0x55c9e7e7fc47 in main /m-c/browser/app/nsBrowserApp.cpp:395:16
#26 0x7fe875aea30f in __libc_start_call_main libc-start.c
previously allocated by thread T0 here:
#0 0x55c9e7e4aacd in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x55c9e7e840bd in moz_xmalloc /m-c/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7fe868cbe1d6 in operator new /m-c/obj-asan/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7fe868cbe1d6 in mozilla::dom::BrowsingContext::CreateDetached(nsGlobalWindowInner*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext::Type, bool, bool) /m-c/docshell/base/BrowsingContext.cpp:431:15
#4 0x7fe85e15721c in CreateBrowsingContext(mozilla::dom::Element*, nsIOpenWindowInfo*, mozilla::dom::BrowsingContextGroup*, bool) /m-c/dom/base/nsFrameLoader.cpp
#5 0x7fe85e15765a in nsFrameLoader::Recreate(mozilla::dom::Element*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, mozilla::dom::NavigationIsolationOptions const&, bool, bool, bool) /m-c/dom/base/nsFrameLoader.cpp:496:15
#6 0x7fe85e17d264 in nsFrameLoaderOwner::ChangeRemotenessCommon(nsFrameLoaderOwner::ChangeRemotenessContextType const&, mozilla::dom::NavigationIsolationOptions const&, bool, bool, mozilla::dom::BrowsingContextGroup*, std::function<void ()>&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:168:20
#7 0x7fe85e17eb84 in nsFrameLoaderOwner::ChangeRemoteness(mozilla::dom::RemotenessOptions const&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:272:3
#8 0x7fe85fe20e9d in mozilla::dom::XULFrameElement_Binding::changeRemoteness(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/XULFrameElementBinding.cpp:517:24
#9 0x7fe86083bf12 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#10 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#11 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#12 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#13 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#14 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#15 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#16 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#17 0x7fe86a406e5e in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:53:10
#18 0x7fe85c5c2b9f in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /m-c/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
#19 0x7fe85a98160c in PrepareAndDispatch /m-c/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#20 0x7fe85a98052a in SharedStub xptcstubs_x86_64_linux.cpp
#21 0x7fe85a78bbe0 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverList.cpp:70:19
#22 0x7fe85a7bb0b0 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverService.cpp:292:19
#23 0x7fe86371b9fa in mozilla::dom::ContentParent::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/dom/ipc/ContentParent.cpp:2062:10
#24 0x7fe85c2ae763 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/ipc/glue/ProtocolUtils.cpp:577:3
#25 0x7fe863a173a2 in mozilla::dom::PContentParent::OnChannelError() /m-c/obj-asan/ipc/ipdl/PContentParent.cpp:16719:5
#26 0x7fe86371a035 in mozilla::dom::ContentParent::OnChannelError() /m-c/dom/ipc/ContentParent.cpp:1949:19
#27 0x7fe85c26fff4 in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /m-c/ipc/glue/MessageChannel.cpp:1982:3
#28 0x7fe85c2a3d7f in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1147:12
#29 0x7fe85c2a3d7f in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1153:12
#30 0x7fe85c2a3d7f in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:1200:13
#31 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#32 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#33 0x7fe85a8fced8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:612:15
#34 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
SUMMARY: AddressSanitizer: heap-use-after-free /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
0x0c3480039a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3480039a80: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039ab0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c3480039ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480039ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==659463==ABORTING
```
2. `mozilla-esr91.revision.7de26aa38d0d1ac5339bc1794cd55582651d410a.firefox.linux64-asan-opt`:
```
==1134023==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000b3e05c at pc 0x7f0f89a32079 bp 0x7ffcdba155b0 sp 0x7ffcdba155a8
READ of size 2 at 0x61a000b3e05c thread T0
#0 0x7f0f89a32078 in IsDiscarded /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37
#1 0x7f0f89a32078 in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/SyncedContextInlines.h:92:7
#2 0x7f0f89bcfe3a in SetHistoryEntryCount /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:227:3
#3 0x7f0f89bcfe3a in operator() /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1057:22
#4 0x7f0f89bcfe3a in std::_Function_handler<void (mozilla::dom::BrowsingContext*), nsSHistory::PurgeHistory(int)::$_5>::_M_invoke(std::_Any_data const&, mozilla::dom::BrowsingContext*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
#5 0x7f0f89a3f82b in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
#6 0x7f0f89a3f82b in mozilla::dom::BrowsingContext::PreOrderWalkVoid(std::function<void (mozilla::dom::BrowsingContext*)> const&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1027:3
#7 0x7f0f89bbabb7 in PreOrderWalk<(lambda at /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:27)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:496:7
#8 0x7f0f89bbabb7 in nsSHistory::PurgeHistory(int) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:14
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ec60c in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:922:10
#14 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#15 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#16 0x7f0f8b53815e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1595:10
#17 0x2daaf004ad87 (<unknown module>)
0x61a000b3e05c is located 988 bytes inside of 1176-byte region [0x61a000b3dc80,0x61a000b3e118)
Thread T74 (WRRenderBackend) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11 r
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RendaerThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
Thread T26 created by T0 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f80edb37c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f0f80edb37c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7f0f80eed11d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:93:8
#4 0x7f0f8269ae4a in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:91:16
#5 0x7f0f82402089 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1331:7
#6 0x7f0f823fd943 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:971:3
#7 0x7f0f823fc35b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:481:5
#8 0x7f0f86cf2a6c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1851:25
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ed04e in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1461:12
#14 0x7f0f818ed04e in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:962:10
#15 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#16 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#17 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#18 0x7f0f8a7b1bbb in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:713:10
#19 0x7f0f8acb0be2 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2040:12
#20 0x7f0f8acb0be2 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2068:12
#21 0x7f0f8acb0be2 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2214:14
#22 0x7f0f8acb0be2 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2245:10
#23 0x7f0f8a79d6fe in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
#24 0x7f0f8a79d6fe in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:419:10
#25 0x7f0f8a79d6fe in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:505:10
#26 0x7f0f8a79d6fe in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3040:12
#27 0x7f0f8a780547 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#28 0x7f0f8a7aedf5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#29 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#30 0x7f0f8a8e491c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2722:10
#31 0x7f0f818d9359 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
#32 0x7f0f7ff4b7c2 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#33 0x7f0f7ff4a54a in SharedStub xptcstubs_x86_64_linux.cpp
#34 0x7f0f7feb6210 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
#35 0x7f0f8a591fc9 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
#36 0x7f0f8a56dab8 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4998:18
#37 0x7f0f8a570afc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#38 0x7f0f8a5718b3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#39 0x55cb5aa8bd3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#40 0x55cb5aa8bd3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#41 0x7f0f9dfb430f in __libc_start_call_main libc-start.c
Thread T72 (WRSceneBuilder#) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37 in IsDiscarded
Shadow bytes around the buggy address:
0x0c348015fbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c348015fc00: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c348015fc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fc20: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1134023==ABORTING
```
I don't have a reliable testcase available yet, but I'll keep investigating and follow up.
Bug 1765951 Comment 0 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Particular history navigation may cause a heap-use-after-free due to the (root) session history dereferencing a dead BC.
~~~I suspect the issue is connected to how an error representation replaces the active document when a transformation via an XSLT sheet fails.~~~
*Edit: The XSLT issue was in fact unconnected to the UAF and moved to a different bug.*
The ASAN reports below show a UAF on a local nightly build with *fission disabled*, and on ESR 91.9 with default settings. (There's still buggy behavior *with* fission, but I can't tell yet if there are similar potential consequences given the right testcase.)
1. local mozilla-central build rev `fb7973567fac` with `--disable-fission`:
```
==659463==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00020d420 at pc 0x7fe868ccdde9 bp 0x7fffec58b020 sp 0x7fffec58b018
READ of size 8 at 0x61a00020d420 thread T0
#0 0x7fe868ccdde8 in get /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27
#1 0x7fe868ccdde8 in operator mozilla::dom::WindowContext * /m-c/obj-asan/dist/include/mozilla/RefPtr.h:299:12
#2 0x7fe868ccdde8 in Children /m-c/docshell/base/BrowsingContext.cpp:1031:32
#3 0x7fe868ccdde8 in mozilla::dom::BrowsingContext::GetChildren(nsTArray<RefPtr<mozilla::dom::BrowsingContext> >&) /m-c/docshell/base/BrowsingContext.cpp:1039:28
#4 0x7fe868ec22fe in nsSHistory::LoadDifferingEntries(nsISHEntry*, nsISHEntry*, mozilla::dom::BrowsingContext*, long, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, int) /m-c/docshell/shistory/nsSHistory.cpp:2165:12
#5 0x7fe868eba169 in nsSHistory::LoadEntry(int, long, unsigned int, nsTArray<nsSHistory::LoadEntryResult>&, bool, bool, bool) /m-c/docshell/shistory/nsSHistory.cpp:2123:26
#6 0x7fe868ec0761 in GotoIndex /m-c/docshell/shistory/nsSHistory.cpp:2005:10
#7 0x7fe868ec0761 in nsSHistory::GotoIndex(int, bool) /m-c/docshell/shistory/nsSHistory.cpp:1985:17
#8 0x7fe868e83390 in mozilla::dom::ChildSHistory::GotoIndex(int, int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:219:21
#9 0x7fe868e82b8f in mozilla::dom::ChildSHistory::Go(int, bool, bool, mozilla::ErrorResult&) /m-c/docshell/shistory/ChildSHistory.cpp:167:3
#10 0x7fe868d1cbdb in nsDocShell::GoBack(bool, bool) /m-c/docshell/base/nsDocShell.cpp:3400:11
#11 0x7fe85a97ffd5 in NS_InvokeByIndex /m-c/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#12 0x7fe85c5d3b52 in Invoke /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1626:10
#13 0x7fe85c5d3b52 in Call /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1179:19
#14 0x7fe85c5d3b52 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /m-c/js/xpconnect/src/XPCWrappedNative.cpp:1125:23
#15 0x7fe85c5d9985 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /m-c/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:963:10
#16 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#17 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#18 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#19 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#20 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#21 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#22 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#23 0x7fe86a409180 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:117:10
#24 0x7fe86021864c in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /m-c/obj-asan/dom/bindings/EventHandlerBinding.cpp:283:37
#25 0x7fe861444140 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /m-c/obj-asan/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
#26 0x7fe861444140 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /m-c/dom/events/JSEventHandler.cpp:201:12
#27 0x7fe8613fc006 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /m-c/dom/events/EventListenerManager.cpp:1316:22
#28 0x7fe8613fe005 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /m-c/dom/events/EventListenerManager.cpp:1507:17
#29 0x7fe8614568ce in HandleEvent /m-c/dom/events/EventListenerManager.h:395:5
#30 0x7fe8614568ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:348:17
#31 0x7fe8613e4e98 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /m-c/dom/events/EventDispatcher.cpp:550:16
#32 0x7fe8613ea74d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:1119:11
#33 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#34 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#35 0x7fe86140f663 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) /m-c/dom/events/EventTarget.cpp:186:13
#36 0x7fe85dac74d9 in nsContentUtils::DispatchXULCommand(nsIContent*, bool, mozilla::dom::Event*, mozilla::PresShell*, bool, bool, bool, bool, unsigned short, short) /m-c/dom/base/nsContentUtils.cpp:6351:12
#37 0x7fe863f70da4 in nsXULElement::DispatchXULCommand(mozilla::EventChainVisitor const&, nsTAutoStringN<char16_t, 64ul>&) /m-c/dom/xul/nsXULElement.cpp:935:5
#38 0x7fe863f71616 in nsXULElement::PreHandleEvent(mozilla::EventChainVisitor&) /m-c/dom/xul/nsXULElement.cpp:983:12
#39 0x7fe8613e8e66 in PreHandleEvent /m-c/dom/events/EventDispatcher.cpp:436:22
#40 0x7fe8613e8e66 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /m-c/dom/events/EventDispatcher.cpp:921:16
#41 0x7fe8613f0b99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /m-c/dom/events/EventDispatcher.cpp
#42 0x7fe85e1c15aa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /m-c/dom/base/nsINode.cpp:1354:17
#43 0x7fe86027a6bb in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/EventTargetBinding.cpp:851:36
#44 0x7fe860840149 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#45 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#46 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#47 0x7fe86b4c8032 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /m-c/js/src/jit/BaselineIC.cpp:1582:10
#48 0x15d0e33eddc7 (<unknown module>)
0x61a00020d420 is located 928 bytes inside of 1368-byte region [0x61a00020d080,0x61a00020d5d8)
freed by thread T0 here:
#0 0x55c9e7e4a862 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
#1 0x7fe85a72b473 in MaybeKillObject /m-c/xpcom/base/nsCycleCollector.cpp:2419:29
#2 0x7fe85a72b473 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /m-c/xpcom/base/nsCycleCollector.cpp:2444:9
#3 0x7fe85a716d55 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /m-c/xpcom/base/nsCycleCollector.cpp:939:23
#4 0x7fe85a6fb438 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /m-c/xpcom/base/nsCycleCollector.cpp:2612:14
#5 0x7fe85c595002 in AsyncFreeSnowWhite::Run() /m-c/js/xpconnect/src/XPCJSRuntime.cpp:150:9
#6 0x7fe85a9493d9 in IdleRunnableWrapper::Run() /m-c/xpcom/threads/nsThreadUtils.cpp:309:22
#7 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#8 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#9 0x7fe85a8fd1f5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:654:15
#10 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
#11 0x7fe85a93d9f1 in operator() /m-c/xpcom/threads/TaskController.cpp:124:37
#12 0x7fe85a93d9f1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:531:5
#13 0x7fe85a924517 in nsThread::ProcessNextEvent(bool, bool*) /m-c/xpcom/threads/nsThread.cpp:1180:16
#14 0x7fe85a92f4f1 in NS_ProcessNextEvent(nsIThread*, bool) /m-c/xpcom/threads/nsThreadUtils.cpp:465:10
#15 0x7fe85c275ba6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /m-c/ipc/glue/MessagePump.cpp:85:21
#16 0x7fe85c0c96b2 in RunInternal /m-c/ipc/chromium/src/base/message_loop.cc:380:10
#17 0x7fe85c0c96b2 in RunHandler /m-c/ipc/chromium/src/base/message_loop.cc:373:3
#18 0x7fe85c0c96b2 in MessageLoop::Run() /m-c/ipc/chromium/src/base/message_loop.cc:355:3
#19 0x7fe86470715a in nsBaseAppShell::Run() /m-c/widget/nsBaseAppShell.cpp:137:27
#20 0x7fe869c33ca9 in nsAppStartup::Run() /m-c/toolkit/components/startup/nsAppStartup.cpp:295:30
#21 0x7fe869ef16ad in XREMain::XRE_mainRun() /m-c/toolkit/xre/nsAppRunner.cpp:5746:22
#22 0x7fe869ef36ef in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5931:8
#23 0x7fe869ef46a0 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /m-c/toolkit/xre/nsAppRunner.cpp:5998:21
#24 0x55c9e7e7fc47 in do_main /m-c/browser/app/nsBrowserApp.cpp:225:22
#25 0x55c9e7e7fc47 in main /m-c/browser/app/nsBrowserApp.cpp:395:16
#26 0x7fe875aea30f in __libc_start_call_main libc-start.c
previously allocated by thread T0 here:
#0 0x55c9e7e4aacd in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
#1 0x55c9e7e840bd in moz_xmalloc /m-c/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7fe868cbe1d6 in operator new /m-c/obj-asan/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7fe868cbe1d6 in mozilla::dom::BrowsingContext::CreateDetached(nsGlobalWindowInner*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, nsTSubstring<char16_t> const&, mozilla::dom::BrowsingContext::Type, bool, bool) /m-c/docshell/base/BrowsingContext.cpp:431:15
#4 0x7fe85e15721c in CreateBrowsingContext(mozilla::dom::Element*, nsIOpenWindowInfo*, mozilla::dom::BrowsingContextGroup*, bool) /m-c/dom/base/nsFrameLoader.cpp
#5 0x7fe85e15765a in nsFrameLoader::Recreate(mozilla::dom::Element*, mozilla::dom::BrowsingContext*, mozilla::dom::BrowsingContextGroup*, mozilla::dom::NavigationIsolationOptions const&, bool, bool, bool) /m-c/dom/base/nsFrameLoader.cpp:496:15
#6 0x7fe85e17d264 in nsFrameLoaderOwner::ChangeRemotenessCommon(nsFrameLoaderOwner::ChangeRemotenessContextType const&, mozilla::dom::NavigationIsolationOptions const&, bool, bool, mozilla::dom::BrowsingContextGroup*, std::function<void ()>&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:168:20
#7 0x7fe85e17eb84 in nsFrameLoaderOwner::ChangeRemoteness(mozilla::dom::RemotenessOptions const&, mozilla::ErrorResult&) /m-c/dom/base/nsFrameLoaderOwner.cpp:272:3
#8 0x7fe85fe20e9d in mozilla::dom::XULFrameElement_Binding::changeRemoteness(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /m-c/obj-asan/dom/bindings/XULFrameElementBinding.cpp:517:24
#9 0x7fe86083bf12 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /m-c/dom/bindings/BindingUtils.cpp:3270:13
#10 0x7fe86a2d920f in CallJSNative /m-c/js/src/vm/Interpreter.cpp:420:13
#11 0x7fe86a2d920f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:507:12
#12 0x7fe86a2c4dc8 in CallFromStack /m-c/js/src/vm/Interpreter.cpp:571:10
#13 0x7fe86a2c4dc8 in Interpret(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:3293:16
#14 0x7fe86a2af6f8 in js::RunScript(JSContext*, js::RunState&) /m-c/js/src/vm/Interpreter.cpp:389:13
#15 0x7fe86a2d9470 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:539:13
#16 0x7fe86a2dbbc5 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /m-c/js/src/vm/Interpreter.cpp:584:8
#17 0x7fe86a406e5e in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /m-c/js/src/vm/CallAndConstruct.cpp:53:10
#18 0x7fe85c5c2b9f in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /m-c/js/xpconnect/src/XPCWrappedJSClass.cpp:981:17
#19 0x7fe85a98160c in PrepareAndDispatch /m-c/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#20 0x7fe85a98052a in SharedStub xptcstubs_x86_64_linux.cpp
#21 0x7fe85a78bbe0 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverList.cpp:70:19
#22 0x7fe85a7bb0b0 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /m-c/xpcom/ds/nsObserverService.cpp:292:19
#23 0x7fe86371b9fa in mozilla::dom::ContentParent::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/dom/ipc/ContentParent.cpp:2062:10
#24 0x7fe85c2ae763 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /m-c/ipc/glue/ProtocolUtils.cpp:577:3
#25 0x7fe863a173a2 in mozilla::dom::PContentParent::OnChannelError() /m-c/obj-asan/ipc/ipdl/PContentParent.cpp:16719:5
#26 0x7fe86371a035 in mozilla::dom::ContentParent::OnChannelError() /m-c/dom/ipc/ContentParent.cpp:1949:19
#27 0x7fe85c26fff4 in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /m-c/ipc/glue/MessageChannel.cpp:1982:3
#28 0x7fe85c2a3d7f in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1147:12
#29 0x7fe85c2a3d7f in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /m-c/obj-asan/dist/include/nsThreadUtils.h:1153:12
#30 0x7fe85c2a3d7f in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /m-c/obj-asan/dist/include/nsThreadUtils.h:1200:13
#31 0x7fe85a94b600 in mozilla::RunnableTask::Run() /m-c/xpcom/threads/TaskController.cpp:467:16
#32 0x7fe85a900483 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:780:26
#33 0x7fe85a8fced8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /m-c/xpcom/threads/TaskController.cpp:612:15
#34 0x7fe85a8fd5ef in mozilla::TaskController::ProcessPendingMTTask(bool) /m-c/xpcom/threads/TaskController.cpp:390:36
SUMMARY: AddressSanitizer: heap-use-after-free /m-c/obj-asan/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
0x0c3480039a30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3480039a80: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480039ab0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c3480039ac0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c3480039ad0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==659463==ABORTING
```
2. `mozilla-esr91.revision.7de26aa38d0d1ac5339bc1794cd55582651d410a.firefox.linux64-asan-opt`:
```
==1134023==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a000b3e05c at pc 0x7f0f89a32079 bp 0x7ffcdba155b0 sp 0x7ffcdba155a8
READ of size 2 at 0x61a000b3e05c thread T0
#0 0x7f0f89a32078 in IsDiscarded /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37
#1 0x7f0f89a32078 in mozilla::dom::syncedcontext::Transaction<mozilla::dom::BrowsingContext>::Commit(mozilla::dom::BrowsingContext*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/SyncedContextInlines.h:92:7
#2 0x7f0f89bcfe3a in SetHistoryEntryCount /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:227:3
#3 0x7f0f89bcfe3a in operator() /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1057:22
#4 0x7f0f89bcfe3a in std::_Function_handler<void (mozilla::dom::BrowsingContext*), nsSHistory::PurgeHistory(int)::$_5>::_M_invoke(std::_Any_data const&, mozilla::dom::BrowsingContext*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:316:2
#5 0x7f0f89a3f82b in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
#6 0x7f0f89a3f82b in mozilla::dom::BrowsingContext::PreOrderWalkVoid(std::function<void (mozilla::dom::BrowsingContext*)> const&) /builds/worker/checkouts/gecko/docshell/base/BrowsingContext.cpp:1027:3
#7 0x7f0f89bbabb7 in PreOrderWalk<(lambda at /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:27)> /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:496:7
#8 0x7f0f89bbabb7 in nsSHistory::PurgeHistory(int) /builds/worker/checkouts/gecko/docshell/shistory/nsSHistory.cpp:1055:14
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ec60c in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:922:10
#14 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#15 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#16 0x7f0f8b53815e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1595:10
#17 0x2daaf004ad87 (<unknown module>)
0x61a000b3e05c is located 988 bytes inside of 1176-byte region [0x61a000b3dc80,0x61a000b3e118)
Thread T74 (WRRenderBackend) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11 r
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RendaerThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
Thread T26 created by T0 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f80edb37c in CreateThread /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
#2 0x7f0f80edb37c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
#3 0x7f0f80eed11d in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:93:8
#4 0x7f0f8269ae4a in mozilla::wr::RenderThread::Start() /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:91:16
#5 0x7f0f82402089 in gfxPlatform::InitLayersIPC() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:1331:7
#6 0x7f0f823fd943 in gfxPlatform::Init() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:971:3
#7 0x7f0f823fc35b in gfxPlatform::GetPlatform() /builds/worker/checkouts/gecko/gfx/thebes/gfxPlatform.cpp:481:5
#8 0x7f0f86cf2a6c in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/checkouts/gecko/widget/GfxInfoBase.cpp:1851:25
#9 0x7f0f7ff49e31 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
#10 0x7f0f818e7c29 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
#11 0x7f0f818e7c29 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
#12 0x7f0f818e7c29 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
#13 0x7f0f818ed04e in GetAttribute /builds/worker/checkouts/gecko/js/xpconnect/src/xpcprivate.h:1461:12
#14 0x7f0f818ed04e in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:962:10
#15 0x7f0f8a7aed11 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
#16 0x7f0f8a7aed11 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
#17 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#18 0x7f0f8a7b1bbb in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:713:10
#19 0x7f0f8acb0be2 in CallGetter /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2040:12
#20 0x7f0f8acb0be2 in GetExistingProperty<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2068:12
#21 0x7f0f8acb0be2 in NativeGetPropertyInline<js::CanGC> /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2214:14
#22 0x7f0f8acb0be2 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2245:10
#23 0x7f0f8a79d6fe in GetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:116:10
#24 0x7f0f8a79d6fe in GetObjectElementOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:419:10
#25 0x7f0f8a79d6fe in GetElementOperationWithStackIndex /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:505:10
#26 0x7f0f8a79d6fe in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3040:12
#27 0x7f0f8a780547 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
#28 0x7f0f8a7aedf5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
#29 0x7f0f8a7b090b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
#30 0x7f0f8a8e491c in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2722:10
#31 0x7f0f818d9359 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
#32 0x7f0f7ff4b7c2 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
#33 0x7f0f7ff4a54a in SharedStub xptcstubs_x86_64_linux.cpp
#34 0x7f0f7feb6210 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/checkouts/gecko/xpcom/components/nsCategoryManager.cpp:687:19
#35 0x7f0f8a591fc9 in nsXREDirProvider::DoStartup() /builds/worker/checkouts/gecko/toolkit/xre/nsXREDirProvider.cpp:982:11
#36 0x7f0f8a56dab8 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:4998:18
#37 0x7f0f8a570afc in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5434:8
#38 0x7f0f8a5718b3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5493:21
#39 0x55cb5aa8bd3f in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:225:22
#40 0x55cb5aa8bd3f in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:16
#41 0x7f0f9dfb430f in __libc_start_call_main libc-start.c
Thread T72 (WRSceneBuilder#) created by T26 here:
#0 0x55cb5aa41acc in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
#1 0x7f0f8d3cbc4f in std::sys::unix::thread::Thread::new::hfcb67ed381ed8607 gkrust.3qd15s5o-cgu.0
#2 0x7f0f8e970920 in wr_window_new /builds/worker/checkouts/gecko/gfx/webrender_bindings/src/bindings.rs:1665:36
#3 0x7f0f826cfb0e in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/checkouts/gecko/gfx/webrender_bindings/WebRenderAPI.cpp:157:10
#4 0x7f0f8269ff4e in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/checkouts/gecko/gfx/webrender_bindings/RenderThread.cpp:414:11
#5 0x7f0f826b6636 in decltype(*(fp).*fp0(Get<0ul>(fp1).PassAsParameter(), Get<1ul>(fp1).PassAsParameter())) mozilla::detail::RunnableMethodArguments<mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > >, 0ul, 1ul>(mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), mozilla::Tuple<StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > >&, std::integer_sequence<unsigned long, 0ul, 1ul>) /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1148:12
#6 0x7f0f826b639b in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent>)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1154:12
#7 0x7f0f826b639b in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201:13
#8 0x7f0f80ecf649 in MessageLoop::RunTask(already_AddRefed<nsIRunnable>) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:454:11
#9 0x7f0f80ed02de in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:463:5
#10 0x7f0f80ed0b6b in MessageLoop::DoWork() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:538:13
#11 0x7f0f80ed1e26 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_pump_default.cc:35:31
#12 0x7f0f80ecf241 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
#13 0x7f0f80ecf241 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
#14 0x7f0f80ecf241 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
#15 0x7f0f80eed8ea in base::Thread::ThreadMain() /builds/worker/checkouts/gecko/ipc/chromium/src/base/thread.cc:187:16
#16 0x7f0f80ee151c in ThreadFunc(void*) /builds/worker/checkouts/gecko/ipc/chromium/src/base/platform_thread_posix.cc:40:13
#17 0x7f0f9e0145c1 in start_thread pthread_create.c
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/dom/BrowsingContext.h:301:37 in IsDiscarded
Shadow bytes around the buggy address:
0x0c348015fbb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fbf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c348015fc00: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0c348015fc10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c348015fc20: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c348015fc50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==1134023==ABORTING
```
I don't have a reliable testcase available yet, but I'll keep investigating and follow up.