Closed Bug 1091962 Opened 10 years ago Closed 9 years ago

Use After Free in EndForcedQueueing

Categories

(Core :: DOM: Workers, defect)

36 Branch
x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla37
Tracking Status
firefox34 --- unaffected
firefox35 + fixed
firefox36 + fixed
firefox37 --- fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.2 --- fixed

People

(Reporter: loobenyang, Assigned: baku)

References

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [b2g-adv-main2.2-])

Attachments

(2 files, 1 obsolete file)

Firefox Version: 36.0a1 (2014-10-27)
Operating System: Ubuntu 14.04 LTS 64bit

Open the reproduction test case Uaf_EndForcedQueueing_Repro.html in Firefox asan instrumented build(No websocket server is needed in this case; If it hits a null pointer reference, just refresh or restart), Asan reported a Use After Free in EndForcedQueueing:


=================================================================
==9881==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000df36d at pc 0x7ffa2c68a757 bp 0x7ffa10fbe920 sp 0x7ffa10fbe918
WRITE of size 1 at 0x6040000df36d thread T19 (DOM Worker)
    #0 0x7ffa2c68a756 in EndForcedQueueing /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:129
    #1 0x7ffa2c68a756 in ~AutoEventEnqueuer /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:172
    #2 0x7ffa2c68a756 in OnStop /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:224
    #3 0x7ffa2c68a756 in mozilla::net::StopEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:197
    #4 0x7ffa2c68a8e3 in mozilla::net::WrappedChannelEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:105
    #5 0x7ffa2dff6f28 in mozilla::dom::(anonymous namespace)::WorkerRunnableDispatcher::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:2367
    #6 0x7ffa306c6321 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerRunnable.cpp:326
    #7 0x7ffa2c04cf44 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #8 0x7ffa2c0abf6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #9 0x7ffa306a7f7d in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:4113
    #10 0x7ffa306833ef in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:2838
    #11 0x7ffa2c04cf44 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #12 0x7ffa2c0abf6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7ffa2c8e4d09 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:339
    #14 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #16 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #17 0x7ffa2c0499d5 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:350
    #18 0x7ffa37ab8405 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7ffa38310181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #20 0x7ffa29d4b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6040000df36d is located 29 bytes inside of 48-byte region [0x6040000df350,0x6040000df380)
freed by thread T0 (Web Content) here:
    #0 0x471721 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7ffa2c4a272a in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/ipc/../../dist/include/mozilla/mozalloc.h:232
    #2 0x7ffa2c4a272a in mozilla::net::ChannelEventQueue::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/ipc/../../dist/include/mozilla/net/ChannelEventQueue.h:40
    #3 0x7ffa2c6831c8 in ~nsAString_internal /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/nsRefPtr.h:57
    #4 0x7ffa2c6831c8 in mozilla::net::WebSocketChannelChild::~WebSocketChannelChild() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:65
    #5 0x7ffa2c68324d in mozilla::net::WebSocketChannelChild::~WebSocketChannelChild() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:63
    #6 0x7ffa2c681cfd in mozilla::net::WebSocketChannelChild::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:39
    #7 0x7ffa2c6a4659 in mozilla::net::NeckoChild::DeallocPWebSocketChild(mozilla::net::PWebSocketChild*) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/ipc/NeckoChild.cpp:166
    #8 0x7ffa2cf99556 in mozilla::net::PWebSocketChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/ipc/ipdl/./PWebSocketChild.cpp:500
    #9 0x7ffa2cb2a8aa in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/ipc/ipdl/./PContentChild.cpp:4421
    #10 0x7ffa2c8dd1c1 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1110
    #11 0x7ffa2c8dd1c1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1050
    #12 0x7ffa2c8d3de5 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1037
    #13 0x7ffa2c894824 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:361
    #14 0x7ffa2c894824 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:369
    #15 0x7ffa2c8958d7 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:447
    #16 0x7ffa2c8e45a2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:233
    #17 0x7ffa2c04cf44 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #18 0x7ffa2c0abf6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #19 0x7ffa2c8e3ce8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:140
    #20 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #21 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #22 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #23 0x7ffa30a81b57 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #24 0x7ffa32558812 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #25 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #26 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #27 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #28 0x7ffa32557eaf in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #29 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #30 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #31 0x7ffa29c71ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 (Web Content) here:
    #0 0x471921 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7ffa380facbd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffa2c682e03 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/mozalloc.h:208
    #3 0x7ffa2c682e03 in mozilla::net::WebSocketChannelChild::WebSocketChannelChild(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:59
    #4 0x7ffa2c83e27c in WebSocketChannelConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/build/nsNetModule.cpp:295
    #5 0x7ffa2c83e27c in mozilla::net::WebSocketChannelConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/build/nsNetModule.cpp:326
    #6 0x7ffa2c02a1d1 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/components/nsComponentManager.cpp:1199
    #7 0x7ffa2c09b9b6 in CallCreateInstance /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsComponentManagerUtils.cpp:149
    #8 0x7ffa2c09b9b6 in nsCreateInstanceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsComponentManagerUtils.cpp:197
    #9 0x7ffa2c0980ed in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsCOMPtr.cpp:125
    #10 0x7ffa2dfee114 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:752
    #11 0x7ffa2dfee114 in mozilla::dom::WebSocketImpl::InitializeConnection() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:1380
    #12 0x7ffa2dfeb1bd in mozilla::dom::WebSocketImpl::Init(JSContext*, nsIPrincipal*, nsAString_internal const&, nsTArray<nsString>&, nsACString_internal const&, unsigned int, mozilla::ErrorResult&, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:1315
    #13 0x7ffa2dff7c1f in mozilla::dom::(anonymous namespace)::InitRunnable::MainThreadRun() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:894
    #14 0x7ffa306c74c7 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerRunnable.cpp:527
    #15 0x7ffa2c04cf44 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #16 0x7ffa2c0abf6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #17 0x7ffa2c8e3ce8 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:140
    #18 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #19 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #20 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #21 0x7ffa30a81b57 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #22 0x7ffa32558812 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #23 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #24 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #25 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #26 0x7ffa32557eaf in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #27 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #28 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #29 0x7ffa29c71ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Thread T19 (DOM Worker) created by T0 (Web Content) here:
    #0 0x45e195 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7ffa37ab4d8d in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7ffa37ab490a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7ffa2c04aeeb in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:455
    #4 0x7ffa3064987e in mozilla::dom::workers::RuntimeService::WorkerThread::Create() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:2612
    #5 0x7ffa30648cb6 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:1628
    #6 0x7ffa30646768 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:1493
    #7 0x7ffa306a377b in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::workers::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::LoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3749
    #8 0x7ffa306a3106 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3685
    #9 0x7ffa306a3106 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3626
    #10 0x7ffa2f6d73eb in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/dom/bindings/./WorkerBinding.cpp:708
    #11 0x7ffa343d95d9 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:231
    #12 0x7ffa343d95d9 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:264
    #13 0x7ffa343d95d9 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:579
    #14 0x7ffa343cbc75 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2534
    #15 0x7ffa343afe7c in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:432
    #16 0x7ffa34378fef in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:638
    #17 0x7ffa343da794 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:674
    #18 0x7ffa3404b00d in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:4794
    #19 0x7ffa2e23cd1d in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsJSUtils.cpp:246
    #20 0x7ffa2e23dbc0 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsJSUtils.cpp:312
    #21 0x7ffa2e2bcb51 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:1127
    #22 0x7ffa2e2ba25e in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:960
    #23 0x7ffa2e2b4363 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:773
    #24 0x7ffa2e2aff0e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptElement.cpp:140
    #25 0x7ffa2d790964 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsIScriptElement.h:220
    #26 0x7ffa2d790964 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:652
    #27 0x7ffa2d78ecd7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:481
    #28 0x7ffa2d79578b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:126
    #29 0x7ffa2c04cf44 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #30 0x7ffa2c0abf6a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7ffa2c8e3d09 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:99
    #32 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #33 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #34 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #35 0x7ffa30a81b57 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #36 0x7ffa32558812 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #37 0x7ffa2c8933ac in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #38 0x7ffa2c8933ac in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #39 0x7ffa2c8933ac in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #40 0x7ffa32557eaf in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #41 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #42 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #43 0x7ffa29c71ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:129 EndForcedQueueing
Shadow bytes around the buggy address:
  0x0c0880013e10: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c0880013e20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880013e30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c0880013e40: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 05 fa
  0x0c0880013e50: fa fa 00 00 00 00 05 fa fa fa fd fd fd fd fd fa
=>0x0c0880013e60: fa fa fd fd fd fd fd fd fa fa fd fd fd[fd]fd fd
  0x0c0880013e70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c0880013e80: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880013e90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c0880013ea0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 07
  0x0c0880013eb0: fa fa 00 00 00 00 00 07 fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap regio==9881==ABORTING
it seems a duplicate of Bug 1090142. With that patch I cannot reproduce this issue.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
It turns out a different bug from  bug 1090142. I can reproduce it in latest official Asan build(36.0a1 (2014-11-07)) after  bug 1090142 was fixed (we can tell the patch is in the build from the line numbers in the stack "WebSocketChannelChild.cpp:252", "WebSocketChannelChild.cpp:224"):



==3449==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000d306d at pc 0x7f05f7f33d47 bp 0x7f05d8bf7920 sp 0x7f05d8bf7918
WRITE of size 1 at 0x6040000d306d thread T21 (DOM Worker)
    #0 0x7f05f7f33d46 in EndForcedQueueing /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:129
    #1 0x7f05f7f33d46 in ~AutoEventEnqueuer /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:172
    #2 0x7f05f7f33d46 in OnStop /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:252
    #3 0x7f05f7f33d46 in mozilla::net::StopEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:224
    #4 0x7f05f7f34233 in mozilla::net::WrappedChannelEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:105
    #5 0x7f05f9936b18 in mozilla::dom::(anonymous namespace)::WorkerRunnableDispatcher::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:2408
    #6 0x7f05fc03fc31 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerRunnable.cpp:326
    #7 0x7f05f78f4374 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #8 0x7f05f795339a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #9 0x7f05fc021d4d in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:4242
    #10 0x7f05fbfe8aaf in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:2828
    #11 0x7f05f78f4374 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #12 0x7f05f795339a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7f05f818fa49 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:339
    #14 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #16 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #17 0x7f05f78f0e05 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:350
    #18 0x7f06034f0405 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:212
    #19 0x7f0603d48181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #20 0x7f05f55c330c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6040000d306d is located 29 bytes inside of 48-byte region [0x6040000d3050,0x6040000d3080)
freed by thread T0 (Web Content) here:
    #0 0x471721 in free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f05f7d4a6aa in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/ipc/../../dist/include/mozilla/mozalloc.h:232
    #2 0x7f05f7d4a6aa in mozilla::net::ChannelEventQueue::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/ipc/../../dist/include/mozilla/net/ChannelEventQueue.h:40
    #3 0x7f05f7f2c238 in ~nsAString_internal /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/nsRefPtr.h:57
    #4 0x7f05f7f2c238 in mozilla::net::WebSocketChannelChild::~WebSocketChannelChild() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:65
    #5 0x7f05f7f2c2bd in mozilla::net::WebSocketChannelChild::~WebSocketChannelChild() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:63
    #6 0x7f05f7f2ad6d in mozilla::net::WebSocketChannelChild::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:39
    #7 0x7f05f7f4e009 in mozilla::net::NeckoChild::DeallocPWebSocketChild(mozilla::net::PWebSocketChild*) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/ipc/NeckoChild.cpp:166
    #8 0x7f05f8861276 in mozilla::net::PWebSocketChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/ipc/ipdl/./PWebSocketChild.cpp:500
    #9 0x7f05f83d827c in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/ipc/ipdl/./PContentChild.cpp:4692
    #10 0x7f05f8187ce1 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1106
    #11 0x7f05f8187ce1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1046
    #12 0x7f05f817dc55 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessageChannel.cpp:1033
    #13 0x7f05f813e764 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:361
    #14 0x7f05f813e764 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:369
    #15 0x7f05f813f817 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:447
    #16 0x7f05f818f2e2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:233
    #17 0x7f05f78f4374 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #18 0x7f05f795339a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #19 0x7f05f818ea49 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:99
    #20 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #21 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #22 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #23 0x7f05fc43a3c7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #24 0x7f05fdf1dfb2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #25 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #26 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #27 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #28 0x7f05fdf1d654 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #29 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #30 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #31 0x7f05f54e9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

previously allocated by thread T0 (Web Content) here:
    #0 0x471921 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7f0603b32cbd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/memory/mozalloc/mozalloc.cpp:52
    #2 0x7f05f7f2be73 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/mozalloc.h:208
    #3 0x7f05f7f2be73 in mozilla::net::WebSocketChannelChild::WebSocketChannelChild(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/websocket/WebSocketChannelChild.cpp:59
    #4 0x7f05f80e81bc in WebSocketChannelConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/build/nsNetModule.cpp:295
    #5 0x7f05f80e81bc in mozilla::net::WebSocketChannelConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/build/nsNetModule.cpp:326
    #6 0x7f05f78d1601 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/components/nsComponentManager.cpp:1199
    #7 0x7f05f7942de6 in CallCreateInstance /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsComponentManagerUtils.cpp:149
    #8 0x7f05f7942de6 in nsCreateInstanceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsComponentManagerUtils.cpp:197
    #9 0x7f05f793f51d in nsCOMPtr_base::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsCOMPtr.cpp:125
    #10 0x7f05f98c33e4 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:752
    #11 0x7f05f98c33e4 in mozilla::dom::WebSocketImpl::InitializeConnection() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:1414
    #12 0x7f05f98c04bf in mozilla::dom::WebSocketImpl::Init(JSContext*, nsIPrincipal*, nsAString_internal const&, nsTArray<nsString>&, nsACString_internal const&, unsigned int, mozilla::ErrorResult&, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:1349
    #13 0x7f05f993770a in InitWithWindow /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:907
    #14 0x7f05f993770a in mozilla::dom::(anonymous namespace)::InitRunnable::MainThreadRun() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/WebSocket.cpp:878
    #15 0x7f05fc040dd7 in mozilla::dom::workers::WorkerMainThreadRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerRunnable.cpp:527
    #16 0x7f05f78f4374 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #17 0x7f05f795339a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #18 0x7f05f818ea28 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:140
    #19 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #20 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #21 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #22 0x7f05fc43a3c7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #23 0x7f05fdf1dfb2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #24 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #25 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #26 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #27 0x7f05fdf1d654 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #28 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #29 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #30 0x7f05f54e9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

Thread T21 (DOM Worker) created by T0 (Web Content) here:
    #0 0x45e195 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f06034ecd8d in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f06034ec90a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f05f78f231b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:455
    #4 0x7f05fbfc832e in mozilla::dom::workers::RuntimeService::WorkerThread::Create() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:2602
    #5 0x7f05fbfc7766 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:1618
    #6 0x7f05fbfc5218 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/RuntimeService.cpp:1483
    #7 0x7f05fc01dadb in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::workers::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerPrivateParent<mozilla::dom::workers::WorkerPrivate>::LoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3878
    #8 0x7f05fc01d466 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3814
    #9 0x7f05fc01d466 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/workers/WorkerPrivate.cpp:3755
    #10 0x7f05fb09df6b in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/dom/bindings/./WorkerBinding.cpp:706
    #11 0x7f05ffdbf479 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:231
    #12 0x7f05ffdbf479 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jscntxtinlines.h:264
    #13 0x7f05ffdbf479 in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:579
    #14 0x7f05ffdb2c11 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:2514
    #15 0x7f05ffd9699f in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:432
    #16 0x7f05ffd5f51f in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:638
    #17 0x7f05ffdc0634 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/vm/Interpreter.cpp:674
    #18 0x7f05ffa2e9cd in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/js/src/jsapi.cpp:4798
    #19 0x7f05f9b0b0ad in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsJSUtils.cpp:248
    #20 0x7f05f9b0bf50 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsJSUtils.cpp:314
    #21 0x7f05f9b88b51 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:1127
    #22 0x7f05f9b8625e in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:960
    #23 0x7f05f9b80363 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptLoader.cpp:773
    #24 0x7f05f9b7bf0e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsScriptElement.cpp:140
    #25 0x7f05f9058774 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/dom/base/nsIScriptElement.h:220
    #26 0x7f05f9058774 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:661
    #27 0x7f05f9056a88 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5TreeOpExecutor.cpp:486
    #28 0x7f05f905d72b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/parser/html/nsHtml5StreamParser.cpp:127
    #29 0x7f05f78f4374 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830
    #30 0x7f05f795339a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7f05f818ea49 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:99
    #32 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #33 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #34 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #35 0x7f05fc43a3c7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/nsBaseAppShell.cpp:164
    #36 0x7f05fdf1dfb2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:713
    #37 0x7f05f813d2ec in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:233
    #38 0x7f05f813d2ec in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226
    #39 0x7f05f813d2ec in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:200
    #40 0x7f05fdf1d654 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsEmbedFunctions.cpp:550
    #41 0x4894cf in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/../contentproc/plugin-container.cpp:158
    #42 0x4894cf in main /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/app/MozillaRuntimeMain.cpp:11
    #43 0x7f05f54e9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/netwerk/protocol/websocket/../../../dist/include/mozilla/net/ChannelEventQueue.h:129 EndForcedQueueing
Shadow bytes around the buggy address:
  0x0c08800125b0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c08800125c0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c08800125d0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c08800125e0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c08800125f0: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 05 fa
=>0x0c0880012600: fa fa fd fd fd fd fd fa fa fa fd fd fd[fd]fd fd
  0x0c0880012610: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
  0x0c0880012620: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880012630: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
  0x0c0880012640: fa fa 00 00 00 00 00 07 fa fa 00 00 00 00 00 07
  0x0c0880012650: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Free==3449==ABORTING

###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Flags: sec-bounty?
[Tracking Requested - why for this release]:
Regression from bug 504553 which is currently enabled for FF35 and FF36.
sec-critical bug.
Andrea, can you look at this?  Thanks.
Flags: needinfo?(amarchesini)
Attached patch 1091962.patch (obsolete) — Splinter Review
Flags: needinfo?(amarchesini)
Attachment #8519940 - Flags: review?(bugs)
Assignee: nobody → amarchesini
Comment on attachment 8519940 [details] [diff] [review]
1091962.patch

Looks ok
(though, I wonder why AutoEventEnqueuer doesn't keep mEventQ alive.)

Could you ask additional review from a necko peer.
Attachment #8519940 - Flags: review?(bugs) → review+
Comment on attachment 8519940 [details] [diff] [review]
1091962.patch

jduell, can you take a look at this patch? Thanks
Attachment #8519940 - Flags: review?(jduell.mcbugs)
Group: dom-core-security
Comment on attachment 8519940 [details] [diff] [review]
1091962.patch

Review of attachment 8519940 [details] [diff] [review]:
-----------------------------------------------------------------

::: netwerk/protocol/websocket/WebSocketChannelChild.cpp
@@ +250,5 @@
> +    // OnStop will close the channel. We must keep this object alive otherwise
> +    // AutoEventEnqueuer could have an invalid reference to the
> +    // ChannelEventQueue.
> +    nsRefPtr<WebSocketChannelChild> kungfuDeathGrip = this;
> +    AutoEventEnqueuer ensureSerialDispatch(mEventQ);

> (though, I wonder why AutoEventEnqueuer doesn't keep mEventQ alive.)

Because we didn't consider this use case :)

So yes, instead of using a kungfuDeathGrip here, I think it's cleaner if we just change AutoEventEnqueuer to keep a ref to the event queue, i.e. turn mEventQueue from a pointer to a nsRefPtr here:

  http://mxr.mozilla.org/mozilla-central/source/netwerk/ipc/ChannelEventQueue.h#175

+r if you make that change--no need for review.

Thanks for finding all those extra semicolons :)
Attachment #8519940 - Flags: review?(jduell.mcbugs) → review-
Attached patch 1091962.patchSplinter Review
Attachment #8519940 - Attachment is obsolete: true
Comment on attachment 8527167 [details] [diff] [review]
1091962.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Easy. A test is attached.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. The issue is that the queue of events is not kept alive by AutoEventEnqueuer and, when an event deletes the channel, the queue is freed.

Which older supported branches are affected by this flaw?

aurora.

If not all supported branches, which bug introduced the flaw?

The bug is not introduced by bug 504553, but that bug makes this issue happen.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Easy to create.

How likely is this patch to cause regressions; how much testing does it need?

I don't see possibilities for regressions.
Attachment #8527167 - Flags: sec-approval?
Comment on attachment 8527167 [details] [diff] [review]
1091962.patch

Since this doesn't affect Beta that is about to ship, I'm giving this sec-approval+ now. Please check it into trunk and nominate the patch for Aurora. 

Please check it in *without* tests until it is fixed in both places (so we don't screw up, check in tests, and then somehow only fix it in trunk).
Attachment #8527167 - Flags: sec-approval? → sec-approval+
When will this patch land?
Baku, is this ready to land?
Flags: needinfo?(amarchesini)
Yes it is.
Flags: needinfo?(amarchesini)
https://hg.mozilla.org/mozilla-central/rev/18f07a17281f
Status: REOPENED → RESOLVED
Closed: 10 years ago9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Please nominate for Aurora and Beta when you get a chance, Andrea.
Flags: needinfo?(amarchesini)
Comment on attachment 8527167 [details] [diff] [review]
1091962.patch

Approval Request Comment
[Feature/regressing bug #]: bug 504553
[User impact if declined]: wrong sequence of events can cause a crash.
[Describe test coverage new/current, TBPL]: race condition hard to test.
[Risks and why]: none. This patch keeps the event queue alive with a refptr instead a raw pointer.
[String/UUID change made/needed]: none
Flags: needinfo?(amarchesini)
Attachment #8527167 - Flags: approval-mozilla-beta?
Attachment #8527167 - Flags: approval-mozilla-aurora?
Flags: sec-bounty? → sec-bounty+
Group: dom-core-security
Attachment #8527167 - Flags: approval-mozilla-beta?
Attachment #8527167 - Flags: approval-mozilla-beta+
Attachment #8527167 - Flags: approval-mozilla-aurora?
Attachment #8527167 - Flags: approval-mozilla-aurora+
Reproduced the original crash several times using the steps/poc from comment #0 with the following build:
- http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2014/10/2014-10-25-03-02-02-mozilla-central/

Used the following to reproduce & test:

- Win 8.1 x64
- nodejs v0.10.35
- npm v1.4.28 (npm install websocket)

Verified using the following build(s):
- http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-01-06-03-02-01-mozilla-central/
- http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2015-01-06-00-40-07-mozilla-aurora/
- http://ftp.mozilla.org/pub/mozilla.org/firefox/candidates/35.0b8-candidates/build1/

I let the testcase from comment #0 run for about 20 minutes on each of the above builds and never received the original crash. I originally reproduced the crash within a few minutes.
Apologies for the spam, closed the wrong ticket :/ I was trying to close Bug # 1089328
Status: VERIFIED → RESOLVED
Closed: 9 years ago9 years ago
Group: core-security
Whiteboard: [b2g-adv-main2.2-]
You need to log in before you can comment on or make changes to this bug.