Bug 1823365 Comment 1 Edit History


(Hidden by Administrator)
I also ran the PoC on the official Firefox ASAN build. Here is the ASAN report to make your assessment easier:

113.0a1 (2023-03-19) (64-bit)

```
=================================================================
==18340==ERROR: AddressSanitizer: heap-use-after-free on address 0x12709a7ebec0 at pc 0x7ff9b892b6ca bp 0x00ff60bf4d20 sp 0x00ff60bf4d68
READ of size 8 at 0x12709a7ebec0 thread T26
    #0 0x7ff9b892b6c9 in mozilla::gfx::GetSkImageForSurface /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:246
    #1 0x7ff9b89373fb in mozilla::gfx::DrawTargetSkia::MaskSurface /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1441
    #2 0x7ff9b923c31e in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #3 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #4 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #5 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #6 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #7 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #8 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #9 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #10 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #11 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #12 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #13 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #14 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #15 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #16 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #17 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #18 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #19 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #20 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #21 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #22 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #23 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #24 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #25 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #26 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469
    #27 0x7ff9bfb9bbe0 in mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:201
    #28 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #29 0x7ff9b687938d in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233
    #30 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #31 0x7ff9bfb64d64 in mozilla::dom::WorkerPrivate::DoRunLoop /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3279
    #32 0x7ff9bfb385c8 in mozilla::dom::workerinternals::`anonymous namespace'::WorkerThreadPrimaryRunnable::Run /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2043
    #33 0x7ff9b687938d in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233
    #34 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #35 0x7ff9b7f3150e in mozilla::ipc::MessagePumpForNonMainThreads::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #36 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #37 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #38 0x7ff9b686ed3c in nsThread::ThreadFunc /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391
    #39 0x7ff9d5c152c5 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #40 0x7ff9d5beedab in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #41 0x7ffa5c849362 in recalloc+0xa2 (C:\WINDOWS\System32\ucrtbase.dll+0x180029362)
    #42 0x7ff9d5feabb3 in __asan::AsanThread::ThreadStart /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
    #43 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #44 0x7ffa21bba5ae in patched_BaseThreadInitThunk /builds/worker/checkouts/gecko/toolkit/xre/dllservices/mozglue/WindowsDllBlocklist.cpp:592
    #45 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

0x12709a7ebec0 is located 0 bytes inside of 128-byte region [0x12709a7ebec0,0x12709a7ebf40)
freed by thread T32 here:
    #0 0x7ff9d5fdeeec in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ff9b8a255ec in mozilla::gfx::SourceSurfaceSkia::~SourceSurfaceSkia /builds/worker/checkouts/gecko/gfx/2d/SourceSurfaceSkia.cpp:25
    #2 0x7ff9b923c1a4 in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #3 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #4 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #5 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #6 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #7 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #8 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #9 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #10 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #11 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #12 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #13 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #14 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #15 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #16 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #17 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #18 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #19 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #20 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #21 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #22 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #23 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #24 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #25 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #26 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469
    #27 0x7ff9bfb9bbe0 in mozilla::dom::`anonymous namespace'::ExternalRunnableWrapper::WorkerRun /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:201

previously allocated by thread T25 here:
    #0 0x7ff9d5fdeffc in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffa21aa11ad in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ff9b8938d99 in mozilla::gfx::DrawTargetSkia::CreateSourceSurfaceFromData /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:1558
    #3 0x7ff9b923c0f4 in gfxFontMissingGlyphs::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFontMissingGlyphs.cpp:418
    #4 0x7ff9b91ce249 in gfxFont::DrawMissingGlyph /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2202
    #5 0x7ff9b91d8338 in gfxFont::DrawGlyphs<0,0> /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2030
    #6 0x7ff9b91d1e8d in gfxFont::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:2530
    #7 0x7ff9b9293f6a in gfxTextRun::Draw /builds/worker/checkouts/gecko/gfx/thebes/gfxTextRun.cpp:683
    #8 0x7ff9bc86e121 in mozilla::dom::CanvasBidiProcessor::DrawText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4123
    #9 0x7ff9c11c9b54 in nsBidiPresUtils::ProcessSimpleRun /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2387
    #10 0x7ff9c11c90ea in nsBidiPresUtils::ProcessText /builds/worker/checkouts/gecko/layout/base/nsBidiPresUtils.cpp:2165
    #11 0x7ff9bc71197c in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4448
    #12 0x7ff9bc70f9d9 in mozilla::dom::CanvasRenderingContext2D::FillText /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:3860
    #13 0x7ff9baa76ed4 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::fillText /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasRenderingContext2DBinding.cpp:3904
    #14 0x7ff9bc53b092 in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy,mozilla::dom::binding_detail::ThrowExceptions> /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3318
    #15 0x7ff9c73ba9d3 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:553
    #16 0x7ff9c73a5ccc in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3368
    #17 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #18 0x7ff9c73bab0d in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585
    #19 0x7ff9c73bc9f1 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652
    #20 0x7ff9c57cbe00 in JS::Call /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117
    #21 0x7ff9bc09aacd in mozilla::dom::Function::Call /builds/worker/workspace/obj-build/dom/bindings/FunctionBinding.cpp:50
    #22 0x7ff9b9e3cc99 in mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> > /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FunctionBinding.h:71
    #23 0x7ff9b9e3c609 in mozilla::dom::CallbackTimeoutHandler::Call /builds/worker/checkouts/gecko/dom/base/TimeoutHandler.cpp:167
    #24 0x7ff9bfb7886c in mozilla::dom::WorkerPrivate::RunExpiredTimeouts /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:5163
    #25 0x7ff9bfb864eb in mozilla::dom::WorkerRunnable::Run /builds/worker/checkouts/gecko/dom/workers/WorkerRunnable.cpp:377
    #26 0x7ff9b68bed58 in nsTimerImpl::Fire /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:654
    #27 0x7ff9b685ba48 in nsTimerEvent::Run /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:469

Thread T26 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

Thread T32 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

Thread T25 created by T0 here:
    #0 0x7ff9d5febd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffa5c84838d in beginthreadex+0x5d (C:\WINDOWS\System32\ucrtbase.dll+0x18002838d)
    #2 0x7ff9d5beebde in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ff9d5c1606e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ff9d5c167e8 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ff9d5c0c7ef in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ff9b68722ea in nsThread::Init /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633
    #7 0x7ff9bfb98ff0 in mozilla::dom::WorkerThread::Create /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102
    #8 0x7ff9bfafced8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1324
    #9 0x7ff9bfafad52 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1206
    #10 0x7ff9bfb5c22f in mozilla::dom::WorkerPrivate::Constructor /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2652
    #11 0x7ff9bfb19624 in mozilla::dom::Worker::Constructor /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:43
    #12 0x7ff9bb9ded46 in mozilla::dom::Worker_Binding::_constructor /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173
    #13 0x7ff9c73bdaa0 in InternalConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700
    #14 0x7ff9c73a5c88 in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353
    #15 0x7ff9c7391506 in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431
    #16 0x7ff9c73bf07a in js::ExecuteKernel /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:818
    #17 0x7ff9c73bf4b0 in js::Execute /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:850
    #18 0x7ff9c57fd0fa in JS_ExecuteScript /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:496
    #19 0x7ff9b9d0a167 in mozilla::dom::JSExecutionContext::ExecScript /builds/worker/checkouts/gecko/dom/base/JSExecutionContext.cpp:241
    #20 0x7ff9c01a10e7 in mozilla::dom::ScriptLoader::EvaluateScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2403
    #21 0x7ff9c019f2f4 in mozilla::dom::ScriptLoader::EvaluateScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2207
    #22 0x7ff9c0195f15 in mozilla::dom::ScriptLoader::ProcessRequest /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1857
    #23 0x7ff9c0191440 in mozilla::dom::ScriptLoader::ProcessInlineScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1300
    #24 0x7ff9c017aec3 in mozilla::dom::ScriptLoader::ProcessScriptElement /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:927
    #25 0x7ff9c0179e26 in mozilla::dom::ScriptElement::MaybeProcessScript /builds/worker/checkouts/gecko/dom/script/ScriptElement.cpp:134
    #26 0x7ff9b87dd28d in nsHtml5TreeOpExecutor::RunScript /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:950
    #27 0x7ff9b87d7361 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:741
    #28 0x7ff9b87e4f90 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
    #29 0x7ff9b68217d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114
    #30 0x7ff9b6844c83 in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553
    #31 0x7ff9b682d38c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867
    #32 0x7ff9b68297f2 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698
    #33 0x7ff9b682a413 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #34 0x7ff9b68481c1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547
    #35 0x7ff9b687857a in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239
    #36 0x7ff9b6887f5d in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #37 0x7ff9b7f30267 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #38 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #39 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #40 0x7ff9c06ec81c in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #41 0x7ff9c08f779e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #42 0x7ff9c5377ff7 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #43 0x7ff9b7e47432 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #44 0x7ff9b7e47207 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #45 0x7ff9c537753a in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673
    #46 0x7ff7e1632c9e in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #47 0x7ff7e163166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #48 0x7ff7e1725a67 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffa5dc626bc in BaseThreadInitThunk+0x1c (C:\WINDOWS\System32\KERNEL32.DLL+0x1800126bc)
    #50 0x7ffa5ecca9f7 in RtlUserThreadStart+0x27 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x18005a9f7)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/gfx/2d/DrawTargetSkia.cpp:246 in mozilla::gfx::GetSkImageForSurface
Shadow bytes around the buggy address:
  0x04a6adbfd780: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x04a6adbfd7a0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x04a6adbfd7b0: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x04a6adbfd7c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x04a6adbfd7d0: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x04a6adbfd7e0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd7f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04a6adbfd800: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x04a6adbfd810: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x04a6adbfd820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18340==ABORTING
```
