Bug 1864118 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Original comment by
on 
#Reproduce
OS:win X64
121.0a1 (2023-11-06) (64-bit)

1. python -m http.server 1337
2. python -m ffpuppet firefox --headless -p prefs.js -d -u http://localhost:1337/poc.html

#Analysis
Not yet

#ASAN
=================================================================
==36900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12959aa2c548 at pc 0x7ffdb43a10c9 bp 0x00b1a35fc010 sp 0x00b1a35fc058
READ of size 4 at 0x12959aa2c548 thread T0
    #0 0x7ffdb43a10c8 in nsWindow::PickerOpen(void) /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197
    #1 0x7ffdb41fe18d in AutoWidgetPickerState::PickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:68
    #2 0x7ffdb41fe18d in AutoWidgetPickerState::AutoWidgetPickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:59
    #3 0x7ffdb41fe18d in nsFilePicker::ShowFilePicker(class nsTString<char16_t> const &) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:490
    #4 0x7ffdb420128c in nsFilePicker::ShowW(enum nsIFilePicker::ResultCode *) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:566
    #5 0x7ffdb40d368b in nsBaseFilePicker::AsyncShowFilePicker::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseFilePicker.cpp:86
    #6 0x7ffdaa3057ce in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549
    #7 0x7ffdaa2e7675 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876
    #8 0x7ffdaa2e2dc5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699
    #9 0x7ffdaa2e3a14 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485
    #10 0x7ffdaa309111 in mozilla::TaskController::TaskController::<lambda_5>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211
    #11 0x7ffdaa309111 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
    #12 0x7ffdaa339bc5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198
    #13 0x7ffdaa34aa8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
    #14 0x7ffdaba43477 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #15 0x7ffdab960483 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #16 0x7ffdab960483 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #17 0x7ffdab96024a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #18 0x7ffdb40b3a1c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #19 0x7ffdb42f6487 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:824
    #20 0x7ffdb894682b in nsAppStartup::Run(void) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296
    #21 0x7ffdb8c90586 in XREMain::XRE_mainRun(void) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5680
    #22 0x7ffdb8c95b17 in XREMain::XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5889
    #23 0x7ffdb8c96c3f in XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5945
    #24 0x7ff74be320d8 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227
    #25 0x7ff74be320d8 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445
    #26 0x7ff74be314d8 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:151
    #27 0x7ff74bf14207 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #28 0x7ff74bf14207 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #29 0x7ffe18107343  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017343)
    #30 0x7ffe192e26b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

0x12959aa2c548 is located 56 bytes before 608-byte region [0x12959aa2c580,0x12959aa2c7e0)
allocated by thread T0 here:
    #0 0x7ffdc70150e4 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:114
    #1 0x7ffdaa17a054 in PLDHashTable::MakeEntryHandle(void const *, struct std::nothrow_t const &) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:630
    #2 0x7ffdaa17b080 in PLDHashTable::MakeEntryHandle(void const *) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:674
    #3 0x7ffdad9047bc in PLDHashTable::WithEntryHandle<class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1>>(void const *, class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1> &&) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:605
    #4 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::WithEntryHandle /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:434
    #5 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::PutEntry /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:306
    #6 0x7ffdad8c7437 in mozilla::dom::ShadowRoot::AddToIdTable(class mozilla::dom::Element *, class nsAtom *) /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:553
    #7 0x7ffdad736a6b in mozilla::dom::Element::AddToIdTable /builds/worker/checkouts/gecko/dom/base/Element.cpp:1136
    #8 0x7ffdad736a6b in mozilla::dom::Element::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1921
    #9 0x7ffdad5895fa in nsStyledElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/nsStyledElement.cpp:210
    #10 0x7ffdb105236a in nsGenericHTMLElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:466
    #11 0x7ffdada4edaf in nsINode::InsertChildBefore(class nsIContent *, class nsIContent *, bool, class mozilla::ErrorResult &) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1613
    #12 0x7ffdb4a35013 in nsINode::AppendChildTo /builds/worker/checkouts/gecko/dom/base/nsINode.h:967
    #13 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement::<lambda_1>::operator() /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:237
    #14 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement(void) const /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:240
    #15 0x7ffdb4a31d44 in mozilla::AccessibleCaret::InjectCaretElement(class mozilla::dom::Document *) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:199
    #16 0x7ffdb4a3ba06 in mozilla::AccessibleCaret::AccessibleCaret /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:82
    #17 0x7ffdb4a3ba06 in mozilla::MakeUnique<class mozilla::AccessibleCaret, class mozilla::PresShell *&>(class mozilla::PresShell *&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #18 0x7ffdb4a37baa in mozilla::AccessibleCaretManager::AccessibleCaretManager /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:86
    #19 0x7ffdb4a37baa in mozilla::MakeUnique /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #20 0x7ffdb4a37baa in mozilla::AccessibleCaretEventHub::Init(void) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretEventHub.cpp:365
    #21 0x7ffdb4a7d9fa in mozilla::PresShell::Init(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:907
    #22 0x7ffdad68ca47 in mozilla::dom::Document::CreatePresShell(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6948
    #23 0x7ffdb4bb1924 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:702
    #24 0x7ffdb4bb1279 in nsDocumentViewer::InitInternal(class nsIWidget *, class nsISupports *, class mozilla::dom::WindowGlobalChild *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:909
    #25 0x7ffdb4bb08bf in nsDocumentViewer::Init(class nsIWidget *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:675
    #26 0x7ffdb7d25722 in nsDocShell::SetupNewViewer(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8129
    #27 0x7ffdb7d23f5c in nsDocShell::Embed(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *, bool, bool, class nsIRequest *, class nsIURI *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5603
    #28 0x7ffdb7d32fa2 in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *, class nsIPrincipal *, class nsIContentSecurityPolicy *, class nsIURI *, bool, class mozilla::Maybe<enum nsILoadInfo::CrossOriginEmbedderPolicy> const &, bool, bool, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6685
    #29 0x7ffdb7e8065f in nsAppShellService::JustCreateTopWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, bool, class mozilla::AppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:716
    #30 0x7ffdb7e812a4 in nsAppShellService::CreateTopLevelWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, class nsIAppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179
    #31 0x7ffdb8949c5d in nsAppStartup::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, bool *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757
    #32 0x7ffdb8b00951 in nsWindowWatcher::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437
    #33 0x7ffdb8afc3ca in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, bool, bool, bool, class nsIArray *, bool, bool, bool, enum nsPIWindowWatcher::PrintKind, class nsDocShellLoadState *, class mozilla::dom::BrowsingContext **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045
    #34 0x7ffdb8af7e36 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsISupports *, class mozIDOMWindowProxy **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293
    #35 0x7ffdbc685471 in XPTC__InvokebyIndex (E:\firefox_asan\target\firefox\xul.dll+0x193015471)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void)
Shadow bytes around the buggy address:
  0x12959aa2c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c480: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x12959aa2c500: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x12959aa2c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c780: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36900==ABORTING
Revision 1 by
on 
#Reproduce
OS:win X64
121.0a1 (2023-11-06) (64-bit)

1. python -m http.server 1337
2. python -m ffpuppet firefox --headless -p prefs.js -d -u http://localhost:1337/poc.html

#Analysis
Not yet

#ASAN
```
==36900==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x12959aa2c548 at pc 0x7ffdb43a10c9 bp 0x00b1a35fc010 sp 0x00b1a35fc058
READ of size 4 at 0x12959aa2c548 thread T0
    #0 0x7ffdb43a10c8 in nsWindow::PickerOpen(void) /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197
    #1 0x7ffdb41fe18d in AutoWidgetPickerState::PickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:68
    #2 0x7ffdb41fe18d in AutoWidgetPickerState::AutoWidgetPickerState /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:59
    #3 0x7ffdb41fe18d in nsFilePicker::ShowFilePicker(class nsTString<char16_t> const &) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:490
    #4 0x7ffdb420128c in nsFilePicker::ShowW(enum nsIFilePicker::ResultCode *) /builds/worker/checkouts/gecko/widget/windows/nsFilePicker.cpp:566
    #5 0x7ffdb40d368b in nsBaseFilePicker::AsyncShowFilePicker::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseFilePicker.cpp:86
    #6 0x7ffdaa3057ce in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:549
    #7 0x7ffdaa2e7675 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:876
    #8 0x7ffdaa2e2dc5 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:699
    #9 0x7ffdaa2e3a14 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:485
    #10 0x7ffdaa309111 in mozilla::TaskController::TaskController::<lambda_5>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211
    #11 0x7ffdaa309111 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:211:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548
    #12 0x7ffdaa339bc5 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1198
    #13 0x7ffdaa34aa8a in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480
    #14 0x7ffdaba43477 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #15 0x7ffdab960483 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370
    #16 0x7ffdab960483 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363
    #17 0x7ffdab96024a in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345
    #18 0x7ffdb40b3a1c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #19 0x7ffdb42f6487 in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:824
    #20 0x7ffdb894682b in nsAppStartup::Run(void) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:296
    #21 0x7ffdb8c90586 in XREMain::XRE_mainRun(void) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5680
    #22 0x7ffdb8c95b17 in XREMain::XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5889
    #23 0x7ffdb8c96c3f in XRE_main(int, char **const, struct mozilla::BootstrapConfig const &) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5945
    #24 0x7ff74be320d8 in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:227
    #25 0x7ff74be320d8 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:445
    #26 0x7ff74be314d8 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:151
    #27 0x7ff74bf14207 in invoke_main D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #28 0x7ff74bf14207 in __scrt_common_main_seh D:\a\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #29 0x7ffe18107343  (C:\WINDOWS\System32\KERNEL32.DLL+0x180017343)
    #30 0x7ffe192e26b0  (C:\WINDOWS\SYSTEM32\ntdll.dll+0x1800526b0)

0x12959aa2c548 is located 56 bytes before 608-byte region [0x12959aa2c580,0x12959aa2c7e0)
allocated by thread T0 here:
    #0 0x7ffdc70150e4 in calloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:114
    #1 0x7ffdaa17a054 in PLDHashTable::MakeEntryHandle(void const *, struct std::nothrow_t const &) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:630
    #2 0x7ffdaa17b080 in PLDHashTable::MakeEntryHandle(void const *) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.cpp:674
    #3 0x7ffdad9047bc in PLDHashTable::WithEntryHandle<class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1>>(void const *, class `protected: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::WithEntryHandle<class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1>>(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &, class `public: class mozilla::IdentifierMapEntry * __cdecl nsTHashtable<class mozilla::IdentifierMapEntry>::PutEntry(struct mozilla::IdentifierMapEntry::DependentAtomOrString const &)'::`1'::<lambda_1> &&)'::`1'::<lambda_1> &&) /builds/worker/checkouts/gecko/xpcom/ds/PLDHashTable.h:605
    #4 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::WithEntryHandle /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:434
    #5 0x7ffdad8c7437 in nsTHashtable<mozilla::IdentifierMapEntry>::PutEntry /builds/worker/checkouts/gecko/xpcom/ds/nsTHashtable.h:306
    #6 0x7ffdad8c7437 in mozilla::dom::ShadowRoot::AddToIdTable(class mozilla::dom::Element *, class nsAtom *) /builds/worker/checkouts/gecko/dom/base/ShadowRoot.cpp:553
    #7 0x7ffdad736a6b in mozilla::dom::Element::AddToIdTable /builds/worker/checkouts/gecko/dom/base/Element.cpp:1136
    #8 0x7ffdad736a6b in mozilla::dom::Element::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1921
    #9 0x7ffdad5895fa in nsStyledElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/base/nsStyledElement.cpp:210
    #10 0x7ffdb105236a in nsGenericHTMLElement::BindToTree(struct mozilla::dom::BindContext &, class nsINode &) /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.cpp:466
    #11 0x7ffdada4edaf in nsINode::InsertChildBefore(class nsIContent *, class nsIContent *, bool, class mozilla::ErrorResult &) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1613
    #12 0x7ffdb4a35013 in nsINode::AppendChildTo /builds/worker/checkouts/gecko/dom/base/nsINode.h:967
    #13 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement::<lambda_1>::operator() /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:237
    #14 0x7ffdb4a35013 in mozilla::AccessibleCaret::CreateCaretElement(void) const /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:240
    #15 0x7ffdb4a31d44 in mozilla::AccessibleCaret::InjectCaretElement(class mozilla::dom::Document *) /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:199
    #16 0x7ffdb4a3ba06 in mozilla::AccessibleCaret::AccessibleCaret /builds/worker/checkouts/gecko/layout/base/AccessibleCaret.cpp:82
    #17 0x7ffdb4a3ba06 in mozilla::MakeUnique<class mozilla::AccessibleCaret, class mozilla::PresShell *&>(class mozilla::PresShell *&) /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #18 0x7ffdb4a37baa in mozilla::AccessibleCaretManager::AccessibleCaretManager /builds/worker/checkouts/gecko/layout/base/AccessibleCaretManager.cpp:86
    #19 0x7ffdb4a37baa in mozilla::MakeUnique /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:605
    #20 0x7ffdb4a37baa in mozilla::AccessibleCaretEventHub::Init(void) /builds/worker/checkouts/gecko/layout/base/AccessibleCaretEventHub.cpp:365
    #21 0x7ffdb4a7d9fa in mozilla::PresShell::Init(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:907
    #22 0x7ffdad68ca47 in mozilla::dom::Document::CreatePresShell(class nsPresContext *, class nsViewManager *) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6948
    #23 0x7ffdb4bb1924 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:702
    #24 0x7ffdb4bb1279 in nsDocumentViewer::InitInternal(class nsIWidget *, class nsISupports *, class mozilla::dom::WindowGlobalChild *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:909
    #25 0x7ffdb4bb08bf in nsDocumentViewer::Init(class nsIWidget *, struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:675
    #26 0x7ffdb7d25722 in nsDocShell::SetupNewViewer(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8129
    #27 0x7ffdb7d23f5c in nsDocShell::Embed(class nsIContentViewer *, class mozilla::dom::WindowGlobalChild *, bool, bool, class nsIRequest *, class nsIURI *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5603
    #28 0x7ffdb7d32fa2 in nsDocShell::CreateAboutBlankContentViewer(class nsIPrincipal *, class nsIPrincipal *, class nsIContentSecurityPolicy *, class nsIURI *, bool, class mozilla::Maybe<enum nsILoadInfo::CrossOriginEmbedderPolicy> const &, bool, bool, class mozilla::dom::WindowGlobalChild *) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6685
    #29 0x7ffdb7e8065f in nsAppShellService::JustCreateTopWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, bool, class mozilla::AppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:716
    #30 0x7ffdb7e812a4 in nsAppShellService::CreateTopLevelWindow(class nsIAppWindow *, class nsIURI *, unsigned int, int, int, class nsIAppWindow **) /builds/worker/checkouts/gecko/xpfe/appshell/nsAppShellService.cpp:179
    #31 0x7ffdb8949c5d in nsAppStartup::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, bool *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:757
    #32 0x7ffdb8b00951 in nsWindowWatcher::CreateChromeWindow(class nsIWebBrowserChrome *, unsigned int, class nsIOpenWindowInfo *, class nsIWebBrowserChrome **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:437
    #33 0x7ffdb8afc3ca in nsWindowWatcher::OpenWindowInternal(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, bool, bool, bool, class nsIArray *, bool, bool, bool, enum nsPIWindowWatcher::PrintKind, class nsDocShellLoadState *, class mozilla::dom::BrowsingContext **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1045
    #34 0x7ffdb8af7e36 in nsWindowWatcher::OpenWindow(class mozIDOMWindowProxy *, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsTSubstring<char> const &, class nsISupports *, class mozIDOMWindowProxy **) /builds/worker/checkouts/gecko/toolkit/components/windowwatcher/nsWindowWatcher.cpp:293
    #35 0x7ffdbc685471 in XPTC__InvokebyIndex (E:\firefox_asan\target\firefox\xul.dll+0x193015471)

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/checkouts/gecko/widget/windows/nsWindow.cpp:8197 in nsWindow::PickerOpen(void)
Shadow bytes around the buggy address:
  0x12959aa2c280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c480: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
=>0x12959aa2c500: fa fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa
  0x12959aa2c580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x12959aa2c780: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==36900==ABORTING
```

Back to Bug 1864118 Comment 0