Closed Bug 1099388 Opened 5 years ago Closed 5 years ago

DataChannelConnection::DestroyOnSTS leaves timer in callqueue (heap-use-after-free)

Categories: Core :: WebRTC: Networking (defect)
Status: RESOLVED DUPLICATE of bug 1080312
People: Reporter: drno, Unassigned
Attachments: 1 file

The sctp code has moved a little bit, but the same timer while loop now seems to live here: http://dxr.mozilla.org/mozilla-central/source/netwerk/sctp/src/netinet/sctp_callout.c?from=sctp_handle_tick&case=true#150

This is courtesy of some external friends running some fuzzing tests for us. I can provide the test case if needed.

Marking security as a safety measure.

==16775==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0002e5628 at pc 0x7f3b01a2d5d1 bp 0x7f3ae43eba90 sp 0x7f3ae43eba88
READ of size 4 at 0x61d0002e5628 thread T27
    #0 0x7f3b01a2d5d0 in user_sctp_timer_iterate netwerk/sctp/src/user_sctp_timer_iterate.c:81:8
    #1 0x7f3b0d98ef6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311
0x61d0002e5628 is located 424 bytes inside of 2200-byte region [0x61d0002e5480,0x61d0002e5d18)
freed by thread T8 (Socket Thread) here:
    #0 0x498da1 in __interceptor_free _asan_rtl_
    #1 0x7f3b019c4570 in sctp_free_assoc netwerk/sctp/src/netinet/sctp_pcb.c:5917:2
    #2 0x7f3b019be42f in sctp_inpcb_free netwerk/sctp/src/netinet/sctp_pcb.c:4089:7
    #3 0x7f3b019e2f71 in sctp_close netwerk/sctp/src/netinet/sctp_usrreq.c:946:4
    #4 0x7f3b01a2db2a in sofree netwerk/sctp/src/user_socket.c:254:2
    #5 0x7f3b01a36e0b in mozilla::DataChannelConnection::DestroyOnSTS(socket*, socket*) netwerk/sctp/datachannel/DataChannel.cpp:292:5
    #6 0x7f3b01a4d321 in mozilla::runnable_args_m_2<nsRefPtr<mozilla::DataChannelConnection>, void (mozilla::DataChannelConnection::*)(socket*, socket*), socket*, socket*>::Run() objdir-ff-asan/dist/include/mtransport/runnable_utils_generated.h:200:7
    #7 0x7f3b01266106 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:830:7
    #8 0x7f3b012bc536 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #9 0x7f3b0144ceea in nsSocketTransportService::Run() netwerk/base/src/nsSocketTransportService2.cpp:740:17
    #10 0x7f3b0144e99c in non-virtual thunk to nsSocketTransportService::Run() netwerk/base/src/nsSocketTransportService2.cpp:777:1
    #11 0x7f3b01266106 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:830:7
    #12 0x7f3b012bc536 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #13 0x7f3b01afbb7b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:339:20
    #14 0x7f3b01aad761 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #15 0x7f3b01262eb6 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:350:5
    #16 0x7f3b0d142150 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #17 0x7f3b0d98ef6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311

previously allocated by thread T8 (Socket Thread) here:
    #0 0x499079 in __interceptor_malloc _asan_rtl_
    #1 0x7f3b019c7bc9 in sctp_aloc_assoc netwerk/sctp/src/netinet/sctp_pcb.c:5015:9
    #2 0x7f3b01a02bdb in sctpconn_connect netwerk/sctp/src/netinet/sctp_usrreq.c:7157:9
    #3 0x7f3b01a31122 in user_connect netwerk/sctp/src/user_socket.c:2003:10
    #4 0x7f3b01a31364 in usrsctp_connect netwerk/sctp/src/user_socket.c:2060:10
    #5 0x7f3b01a3bdea in mozilla::DataChannelConnection::CompleteConnect(mozilla::TransportFlow*, mozilla::TransportLayer::State) netwerk/sctp/datachannel/DataChannel.cpp:611:9
    #6 0x7f3b0276129b in mozilla::TransportFlow::StateChange(mozilla::TransportLayer*, mozilla::TransportLayer::State) media/mtransport/sigslot.h:2420:6
    #7 0x7f3b02765e4b in mozilla::TransportLayer::SetState(mozilla::TransportLayer::State, char const*, unsigned int) media/mtransport/sigslot.h:2420:6
    #8 0x7f3b02771c53 in mozilla::TransportLayerDtls::Handshake() media/mtransport/transportlayerdtls.cpp:803:9
    #9 0x7f3b0276f23a in mozilla::TransportLayerDtls::PacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) media/mtransport/transportlayerdtls.cpp:825:5
    #10 0x7f3b0277db7d in mozilla::TransportLayerIce::IcePacketReceived(mozilla::NrIceMediaStream*, int, unsigned char const*, int) media/mtransport/sigslot.h:2486:6
    #11 0x7f3b02745f11 in mozilla::NrIceCtx::msg_recvd(void*, nr_ice_peer_ctx_*, nr_ice_media_stream_*, int, unsigned char*, int) media/mtransport/sigslot.h:2553:6
    #12 0x7f3b06f55103 in nr_ice_peer_ctx_deliver_packet_maybe media/mtransport/third_party/nICEr/src/ice/ice_peer_ctx.c:730:7
    #13 0x7f3b06f4c1bb in nr_ice_ctx_deliver_packet media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:659:9
    #14 0x7f3b06f561e7 in nr_ice_socket_readable_cb media/mtransport/third_party/nICEr/src/ice/ice_socket.c:187:7
    #15 0x7f3b0274180d in mozilla::runnable_args_m_1<nsRefPtr<mozilla::NrSocketIpc>, void (mozilla::NrSocketIpc::*)(mozilla::RefPtr<mozilla::nr_udp_message>), mozilla::RefPtr<mozilla::nr_udp_message> >::Run() media/mtransport/runnable_utils_generated.h:122:7
    #16 0x7f3b01266106 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:830:7
    #17 0x7f3b012bc536 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #18 0x7f3b0144ceea in nsSocketTransportService::Run() netwerk/base/src/nsSocketTransportService2.cpp:740:17
    #19 0x7f3b0144e99c in non-virtual thunk to nsSocketTransportService::Run() netwerk/base/src/nsSocketTransportService2.cpp:777:1
    #20 0x7f3b01266106 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:830:7
    #21 0x7f3b012bc536 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #22 0x7f3b01afbb7b in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:339:20
    #23 0x7f3b01aad761 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #24 0x7f3b01262eb6 in nsThread::ThreadFunc(void*) xpcom/threads/nsThread.cpp:350:5
    #25 0x7f3b0d142150 in _pt_root nsprpub/pr/src/pthreads/ptthread.c:212:5
    #26 0x7f3b0d98ef6d in start_thread /build/buildd/eglibc-2.17/nptl/pthread_create.c:311

Thread T27 created by T0 (Web Content) here:
    #0 0x4357be in pthread_create _asan_rtl_
    #1 0x7f3b01a2d60a in sctp_start_timer netwerk/sctp/src/user_sctp_timer_iterate.c:114:7
    #2 0x7f3b01a370bf in mozilla::DataChannelConnection::Init(unsigned short, unsigned short, bool) netwerk/sctp/datachannel/DataChannel.cpp:338:9
    #3 0x7f3b0269e52a in sipcc::PeerConnectionImpl::EnsureDataConnection(unsigned short) media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:768:8
    #4 0x7f3b0269ecac in sipcc::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, nsDOMDataChannel**) media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:846:17
    #5 0x7f3b0269eaf9 in sipcc::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, mozilla::ErrorResult&) media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:818:8
    #6 0x7f3b0420f591 in mozilla::dom::PeerConnectionImplBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, sipcc::PeerConnectionImpl*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/PeerConnectionImplBinding.cpp:1089:48
    #7 0x7f3b04a2be62 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2431:13
    #8 0x7f3b09632727 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h:231:15
    #9 0x7f3b0967ac46 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2522:18
    #10 0x7f3b09660520 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:432:12
    #11 0x7f3b09632c28 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:501:15
    #12 0x7f3b095f3d52 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:538:10
    #13 0x7f3b092cf56b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:5029:12
    #14 0x7f3b042a0cb8 in mozilla::dom::mozRTCPeerConnectionJSImpl::CreateDataChannel(nsAString_internal const&, mozilla::dom::RTCDataChannelInit const&, mozilla::ErrorResult&, JSCompartment*) objdir-ff-asan/dom/bindings/RTCPeerConnectionBinding.cpp:5759:8
    #15 0x7f3b042fa602 in mozilla::dom::mozRTCPeerConnectionBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, mozilla::dom::mozRTCPeerConnection*, JSJitMethodCallArgs const&) objdir-ff-asan/dom/bindings/RTCPeerConnectionBinding.cpp:7427:10
    #16 0x7f3b04a2be62 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2431:13
    #17 0x7f3b09632727 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/jscntxtinlines.h:231:15
    #18 0x7f3b0967ac46 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2522:18
    #19 0x7f3b09660520 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:432:12
    #20 0x7f3b09632c28 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:501:15
    #21 0x7f3b095f3d52 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:538:10
    #22 0x7f3b092cf2d7 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) js/src/jsapi.cpp:5017:12
    #23 0x7f3b0232eaf8 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) js/xpconnect/src/XPCWrappedJSClass.cpp:1187:23
    #24 0x7f3b01281246 in PrepareAndDispatch xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:122:14
    #25 0x7f3b012801b2 in SharedStub
    #26 0x7f3b050d0137 in mozilla::GetUserMediaStreamRunnable::TracksAvailableCallback::NotifyTracksAvailable(mozilla::DOMMediaStream*) dom/media/MediaManager.cpp:780:7
    #27 0x7f3b05000c1a in mozilla::DOMMediaStream::CheckTracksAvailable() dom/media/DOMMediaStream.cpp:457:5
    #28 0x7f3b050007d3 in mozilla::DOMMediaStream::BindDOMTrack(int, mozilla::MediaSegment::Type) dom/media/DOMMediaStream.cpp:391:5
    #29 0x7f3b0501933d in mozilla::DOMMediaStream::StreamListener::TrackChange::Run() dom/media/DOMMediaStream.cpp:53:17
    #30 0x7f3b01266106 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:830:7
    #31 0x7f3b012bc536 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #32 0x7f3b01afadaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #33 0x7f3b01aad761 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #34 0x7f3b05cbda8f in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:164:3
    #35 0x7f3b07726762 in XRE_RunAppShell toolkit/xre/nsEmbedFunctions.cpp:713:12
    #36 0x7f3b01aad761 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:233:3
    #37 0x7f3b07725c72 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:550:7
    #38 0x4ba94f in main ipc/contentproc/plugin-container.cpp:158:19
    #39 0x7f3afe830de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260

Thread T8 (Socket Thread) created by T0 (Web Content) here:
    #0 0x4357be in pthread_create _asan_rtl_
    #1 0x7f3b0d13ecb0 in _PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:453:14
    #2 0x7f3b0d13e8da in PR_CreateThread nsprpub/pr/src/pthreads/ptthread.c:544:12
    #3 0x7f3b01264215 in nsThread::Init() xpcom/threads/nsThread.cpp:455:19
    #4 0x7f3b01269794 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) xpcom/threads/nsThreadManager.cpp:269:17
    #5 0x7f3b012bbc7c in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) xpcom/glue/nsThreadUtils.cpp:68:5
    #6 0x7f3b0144adac in nsSocketTransportService::Init() netwerk/base/src/nsSocketTransportService2.cpp:468:19
    #7 0x7f3b01a54721 in nsSocketTransportServiceConstructor(nsISupports*, nsID const&, void**) netwerk/build/nsNetModule.cpp:72:1
    #8 0x7f3b012432d3 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1199:10
    #9 0x7f3b0123a6eb in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1560:10
    #10 0x7f3b012a4489 in nsCOMPtr_base::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) xpcom/glue/nsComponentManagerUtils.cpp:67:10
    #11 0x7f3b013e2654 in nsIOService::SetOffline(bool) objdir-ff-asan/dist/include/nsCOMPtr.h:744:5
    #12 0x7f3b013e141f in nsIOService::InitializeNetworkLinkService() netwerk/base/src/nsIOService.cpp:290:9
    #13 0x7f3b013e07d2 in nsIOService::Init() netwerk/base/src/nsIOService.cpp:226:5
    #14 0x7f3b013e31f0 in nsIOService::GetInstance() netwerk/base/src/nsIOService.cpp:303:23
    #15 0x7f3b01a54485 in nsIOServiceConstructor(nsISupports*, nsID const&, void**) netwerk/build/nsNetModule.cpp:57:1
    #16 0x7f3b012432d3 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1199:10
    #17 0x7f3b0123a6eb in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1560:10
    #18 0x7f3b0282d196 in nsScriptSecurityManager::Init() objdir-ff-asan/dist/include/nsServiceManagerUtils.h:88:10
    #19 0x7f3b0282de2b in nsScriptSecurityManager::InitStatics() caps/nsScriptSecurityManager.cpp:1328:19
    #20 0x7f3b02366822 in nsXPConnect::InitStatics() js/xpconnect/src/nsXPConnect.cpp:132:5
    #21 0x7f3b022fb0c8 in xpcModuleCtor() js/xpconnect/src/XPCModule.cpp:13:5
    #22 0x7f3b06b185d4 in Initialize() layout/build/nsLayoutModule.cpp:395:8
    #23 0x7f3b01241fb1 in nsFactoryEntry::GetFactory() xpcom/components/nsComponentManager.cpp:858:21
    #24 0x7f3b01243263 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1196:34
    #25 0x7f3b0123a6eb in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) xpcom/components/nsComponentManager.cpp:1560:10
    #26 0x7f3b012a42af in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) xpcom/glue/nsComponentManagerUtils.cpp:67:10
    #27 0x7f3b012cf425 in NS_InitXPCOM2 objdir-ff-asan/dist/include/nsCOMPtr.h:950:5
    #28 0x7f3b077251dd in XRE_InitEmbedding2 toolkit/xre/nsEmbedFunctions.cpp:164:8
    #29 0x7f3b01afdbd5 in mozilla::ipc::ScopedXREEmbed::Start() ipc/glue/ScopedXREEmbed.cpp:104:10
    #30 0x7f3b057d2d0e in mozilla::dom::ContentProcess::Init() dom/ipc/ContentProcess.cpp:28:5
    #31 0x7f3b07725c64 in XRE_InitChildProcess toolkit/xre/nsEmbedFunctions.cpp:537:12
    #32 0x4ba94f in main ipc/contentproc/plugin-container.cpp:158:19
    #33 0x7f3afe830de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c3a80054a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80054a80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80054a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a80054ac0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054ae0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054af0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80054b10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  ASan internal:           fe
==16775==ABORTING
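The pattern the report above shows (the association freed on the socket thread via DestroyOnSTS -> sofree -> sctp_close -> sctp_free_assoc while the timer thread is still walking the callout queue that references it), as an added illustration written for this page; it is not code from this bug, from Firefox or from usrsctp. It models a usrsctp-style callout queue with one list and one mutex. Every name in it (sctp_callout, sctp_assoc, timer_iterate, assoc_free_unsafe, assoc_free_safe, ...) is invented, and the locking scheme is the example's own, not whatever bug 1080312 landed. The unsafe teardown is the reported pattern; the safe one unlinks the callout under the queue lock and waits for an in-flight callback before freeing:

```c
/* Hypothetical, simplified model of a usrsctp-style callout queue (one list, one
 * mutex, a timer thread), written for this page; not Firefox or usrsctp code.
 * Build: cc -g -fsanitize=address -pthread callout_uaf.c */
#include <pthread.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/queue.h>

struct sctp_callout {
    TAILQ_ENTRY(sctp_callout) tqe;
    void (*c_func)(void *);
    void *c_arg;
    int  c_ticks;      /* tick at which the callout expires */
    bool c_queued;     /* linked into callout_q */
    bool c_running;    /* callback executing on the timer thread */
};
TAILQ_HEAD(calloutlist, sctp_callout);
static struct calloutlist callout_q = TAILQ_HEAD_INITIALIZER(callout_q);
static pthread_mutex_t callout_mtx = PTHREAD_MUTEX_INITIALIZER;
static pthread_cond_t  callout_cv  = PTHREAD_COND_INITIALIZER;

struct sctp_assoc { struct sctp_callout timer; int fired; };  /* the freed object */

/* The 4-byte READ from the report happens here once the assoc is freed. */
static void assoc_timer_cb(void *arg) { ((struct sctp_assoc *)arg)->fired++; }

struct sctp_assoc *assoc_alloc(int expire_tick)
{
    struct sctp_assoc *a = calloc(1, sizeof *a);
    if (!a) return NULL;
    a->timer.c_func = assoc_timer_cb; a->timer.c_arg = a;
    a->timer.c_ticks = expire_tick;   a->timer.c_queued = true;
    pthread_mutex_lock(&callout_mtx);
    TAILQ_INSERT_TAIL(&callout_q, &a->timer, tqe);
    pthread_mutex_unlock(&callout_mtx);
    return a;
}

/* One timer-thread pass: run each expired callout with the lock dropped (as the
 * real loop does), then rescan from the head because the list may have changed.
 * Returns the number of callbacks run. */
int timer_iterate(int now)
{
    struct sctp_callout *c; int ran = 0;
    pthread_mutex_lock(&callout_mtx);
restart:
    TAILQ_FOREACH(c, &callout_q, tqe) {
        if (c->c_ticks > now) continue;
        TAILQ_REMOVE(&callout_q, c, tqe);
        c->c_queued = false; c->c_running = true;
        pthread_mutex_unlock(&callout_mtx);
        c->c_func(c->c_arg);
        pthread_mutex_lock(&callout_mtx);
        c->c_running = false;
        pthread_cond_broadcast(&callout_cv);
        ran++;
        goto restart;
    }
    pthread_mutex_unlock(&callout_mtx);
    return ran;
}

/* The reported pattern: free while the callout may still be queued or running,
 * so the timer thread later dereferences freed memory in assoc_timer_cb. */
void assoc_free_unsafe(struct sctp_assoc *a) { free(a); }

/* Hardened teardown: unlink the callout under the lock, wait out an in-flight
 * callback, then free. Must not be called from the callback itself.
 * Returns whether anything was still pending. */
bool assoc_free_safe(struct sctp_assoc *a)
{
    struct sctp_callout *c = &a->timer;
    pthread_mutex_lock(&callout_mtx);
    bool was_pending = c->c_queued || c->c_running;
    if (c->c_queued) { TAILQ_REMOVE(&callout_q, c, tqe); c->c_queued = false; }
    while (c->c_running) pthread_cond_wait(&callout_cv, &callout_mtx);
    pthread_mutex_unlock(&callout_mtx);
    free(a);
    return was_pending;
}

/* Single-threaded walk-through; returns how often the surviving timer fired. */
int demo_safe_teardown(void)
{
    struct sctp_assoc *a = assoc_alloc(5), *b = assoc_alloc(5);
    if (timer_iterate(4) != 0 || !assoc_free_safe(a)) return -1;
    if (timer_iterate(5) != 1) return -2;    /* only b's callout may run */
    int fired = b->fired;
    return assoc_free_safe(b) ? -3 : fired;  /* nothing pending any more */
}

static void *timer_thread(void *arg) { for (int t = 0; t < 100000; t++) timer_iterate(t); return arg; }

int main(void)
{
    pthread_t t; pthread_create(&t, NULL, timer_thread, NULL);
    for (int i = 0; i < 2000; i++)      /* swap in assoc_free_unsafe to race */
        assoc_free_safe(assoc_alloc(i));
    pthread_join(t, NULL);
    printf("demo=%d\n", demo_safe_teardown());
    return 0;
}
```

Built with -fsanitize=address and assoc_free_unsafe swapped into the loop in main, the timer thread can hit the same heap-use-after-free READ inside the callback; whether a given run trips it depends on scheduling, so it may take several runs. The ordering to check in any teardown path that runs on a different thread than the timers is the one in assoc_free_safe: stop and drain the callout first, free second.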
Could this test be repeated with Nightly? There was a fix in the timer code affecting locking. So the problem might be solved already.
I also suspect this is a dup of another recently-landed sec fix.
Ok. I'll try to re-run it Monday. I'm also still waiting to find out the exact build version this was executed against (that should hopefully answer whether this is a dupe or not).
Can someone please link this to the potential dupe and CC me on that bug? Then I can verify it myself once I get the above mentioned information.
I just re-ran the test with a local build from mozilla-central from last week: 215296:66cdb18f36da

And I got the report below, which looks pretty much like the original report to me.

BTW this is running under E10S; not sure if that makes a difference for the data channel implementation.

==2630==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d000265428 at pc 0x7fc2d5f63a8a bp 0x7fc2af3b3a90 sp 0x7fc2af3b3a88
READ of size 4 at 0x61d000265428 thread T34
[Parent 2547] WARNING: No docshells for remote frames!: file /home/nohlmeier/src/mozilla-central-asan/dom/base/nsFrameLoader.cpp, line 511
JavaScript error: file:///home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dist/bin/components/PeerConnection.js, line 512: TypeError: can't access dead object
JavaScript error: file:///home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dist/bin/components/PeerConnection.js, line 512: TypeError: can't access dead object
JavaScript error: file:///home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dist/bin/components/PeerConnection.js, line 512: TypeError: can't access dead object
    #0 0x7fc2d5f63a89 in user_sctp_timer_iterate /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_sctp_timer_iterate.c:81
    #1 0x7fc2e178f181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312
    #2 0x7fc2d1f70fbc in clone /build/buildd/eglibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x61d000265428 is located 424 bytes inside of 2200-byte region [0x61d000265280,0x61d000265b18)
freed by thread T17 (Socket Thread) here:
    #0 0x4999a1 in free /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:69
    #1 0x7fc2d5ef3c6b in sctp_free_assoc /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/netinet/sctp_pcb.c:5917
    #2 0x7fc2d5eedf28 in sctp_inpcb_free /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/netinet/sctp_pcb.c:4089
    #3 0x7fc2d5f127ee in sctp_close /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/netinet/sctp_usrreq.c:946
    #4 0x7fc2d5f64056 in sofree /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_socket.c:254
    #5 0x7fc2d5f72e6b in mozilla::DataChannelConnection::DestroyOnSTS(socket*, socket*) /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/datachannel/DataChannel.cpp:292
    #6 0x7fc2d5f876ff in mozilla::runnable_args_m_2<nsRefPtr<mozilla::DataChannelConnection>, void (mozilla::DataChannelConnection::*)(socket*, socket*), socket*, socket*>::Run() /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/netwerk/sctp/datachannel/../../../dist/include/mtransport/runnable_utils_generated.h:200
    #7 0x7fc2d589d879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830
    #8 0x7fc2d58f78be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265
    #9 0x7fc2d5a5da30 in nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:740
    #10 0x7fc2d5a5eddc in non-virtual thunk to nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:777
    #11 0x7fc2d589d879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830
    #12 0x7fc2d58f78be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265
    #13 0x7fc2d60ce2b8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:339
    #14 0x7fc2d6048d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233
    #15 0x7fc2d6048a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200
    #16 0x7fc2d589b2de in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:350
    #17 0x7fc2e113d863 in _pt_root /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:212
    #18 0x7fc2e178f181 in start_thread /build/buildd/eglibc-2.19/nptl/pthread_create.c:312

previously allocated by thread T17 (Socket Thread) here:
    #0 0x499c79 in malloc /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:79
    #1 0x7fc2d5ef728c in sctp_aloc_assoc /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/netinet/sctp_pcb.c:5015
    #2 0x7fc2d5f34534 in sctpconn_connect /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/netinet/sctp_usrreq.c:7157
    #3 0x7fc2d5f6a712 in user_connect /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_socket.c:2003
    #4 0x7fc2d5f6a9dd in usrsctp_connect /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_socket.c:2060
    #5 0x7fc2d5f75f8b in mozilla::DataChannelConnection::CompleteConnect(mozilla::TransportFlow*, mozilla::TransportLayer::State) /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/datachannel/DataChannel.cpp:611
    #6 0x7fc2d6cef353 in sigslot::signal2<mozilla::TransportFlow*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator()(mozilla::TransportFlow*, mozilla::TransportLayer::State) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/sigslot.h:2420
    #7 0x7fc2d6cf15e3 in sigslot::signal2<mozilla::TransportLayer*, mozilla::TransportLayer::State, sigslot::single_threaded>::operator()(mozilla::TransportLayer*, mozilla::TransportLayer::State) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/sigslot.h:2420
    #8 0x7fc2d6cf0de4 in mozilla::TransportLayer::SetState(mozilla::TransportLayer::State, char const*, unsigned int) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/transportlayer.cpp:48
    #9 0x7fc2d6cf6d54 in mozilla::TransportLayerDtls::Handshake() /home/nohlmeier/src/mozilla-central-asan/media/mtransport/transportlayerdtls.cpp:803
    #10 0x7fc2d6cf590e in mozilla::TransportLayerDtls::PacketReceived(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/transportlayerdtls.cpp:825
    #11 0x7fc2d6cfcb19 in sigslot::signal3<mozilla::TransportLayer*, unsigned char const*, unsigned long, sigslot::single_threaded>::operator()(mozilla::TransportLayer*, unsigned char const*, unsigned long) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/sigslot.h:2486
    #12 0x7fc2d6d00c3c in mozilla::TransportLayerIce::IcePacketReceived(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/transportlayerice.cpp:147
    #13 0x7fc2d6ccfe1d in sigslot::signal4<mozilla::NrIceMediaStream*, int, unsigned char const*, int, sigslot::single_threaded>::operator()(mozilla::NrIceMediaStream*, int, unsigned char const*, int) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/sigslot.h:2553
    #14 0x7fc2d6ccb77b in mozilla::NrIceCtx::msg_recvd(void*, nr_ice_peer_ctx_*, nr_ice_media_stream_*, int, unsigned char*, int) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nricectx.cpp:357
    #15 0x7fc2da3818f7 in nr_ice_peer_ctx_deliver_packet_maybe /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_peer_ctx.c:730
    #16 0x7fc2da377b2b in nr_ice_ctx_deliver_packet /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_ctx.c:659
    #17 0x7fc2da382b92 in nr_ice_socket_readable_cb /home/nohlmeier/src/mozilla-central-asan/media/mtransport/third_party/nICEr/src/ice/ice_socket.c:187
    #18 0x7fc2d6cc13e6 in mozilla::NrSocketIpc::recv_callback_s(mozilla::RefPtr<mozilla::nr_udp_message>) /home/nohlmeier/src/mozilla-central-asan/media/mtransport/nr_socket_prsock.cpp:1072
    #19 0x7fc2d6cc850f in mozilla::runnable_args_m_1<nsRefPtr<mozilla::NrSocketIpc>, void (mozilla::NrSocketIpc::*)(mozilla::RefPtr<mozilla::nr_udp_message>), mozilla::RefPtr<mozilla::nr_udp_message> >::Run() /home/nohlmeier/src/mozilla-central-asan/media/mtransport/runnable_utils_generated.h:122
    #20 0x7fc2d589d879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830
    #21 0x7fc2d58f78be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7fc2d5a5da30 in nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:740
    #23 0x7fc2d5a5eddc in non-virtual thunk to nsSocketTransportService::Run() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:777
    #24 0x7fc2d589d879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830
    #25 0x7fc2d58f78be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265
    #26 0x7fc2d60ce2b8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:339
    #27 0x7fc2d6048d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233
    #28 0x7fc2d6048a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200
    #29 0x7fc2d589b2de in nsThread::ThreadFunc(void*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:350

Thread T34 created by T0 (Web Content) here:
    #0 0x43941e in __interceptor_pthread_create /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_interceptors.cc:180
    #1 0x7fc2d5f63b5a in sctp_start_timer /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_sctp_timer_iterate.c:114
    #2 0x7fc2d5f73205 in mozilla::DataChannelConnection::Init(unsigned short, unsigned short, bool) /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/datachannel/DataChannel.cpp:338
    #3 0x7fc2d6a3507c in sipcc::PeerConnectionImpl::EnsureDataConnection(unsigned short) /home/nohlmeier/src/mozilla-central-asan/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:768
    #4 0x7fc2d6a35670 in sipcc::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, nsDOMDataChannel**) /home/nohlmeier/src/mozilla-central-asan/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:846
    #5 0x7fc2d6a3549f in sipcc::PeerConnectionImpl::CreateDataChannel(nsAString_internal const&, nsAString_internal const&, unsigned short, bool, unsigned short, unsigned short, bool, unsigned short, mozilla::ErrorResult&) /home/nohlmeier/src/mozilla-central-asan/media/webrtc/signaling/src/peerconnection/PeerConnectionImpl.cpp:818
    #6 0x7fc2d8106249 in mozilla::dom::PeerConnectionImplBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, sipcc::PeerConnectionImpl*, JSJitMethodCallArgs const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/bindings/./PeerConnectionImplBinding.cpp:1089
    #7 0x7fc2d87860f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/nohlmeier/src/mozilla-central-asan/dom/bindings/BindingUtils.cpp:2431
    #8 0x7fc2dc3fc118 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/nohlmeier/src/mozilla-central-asan/js/src/jscntxtinlines.h:231
    #9 0x7fc2dc364765 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:482:16
    #10 0x7fc2dc38f7da in Interpret(JSContext*, js::RunState&) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:2517
    #11 0x7fc2dc380ec8 in js::RunScript(JSContext*, js::RunState&) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:432
    #12 0x7fc2dc3648c3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:501
    #13 0x7fc2dc349541 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:538
    #14 0x7fc2dc0df885 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/nohlmeier/src/mozilla-central-asan/js/src/jsapi.cpp:4994
    #15 0x7fc2d817e910 in mozilla::dom::mozRTCPeerConnectionJSImpl::CreateDataChannel(nsAString_internal const&, mozilla::dom::RTCDataChannelInit const&, mozilla::ErrorResult&, JSCompartment*) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/bindings/./RTCPeerConnectionBinding.cpp:5759
    #16 0x7fc2d818af0c in mozilla::dom::mozRTCPeerConnection::CreateDataChannel(nsAString_internal const&, mozilla::dom::RTCDataChannelInit const&, mozilla::ErrorResult&, JSCompartment*) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/bindings/./RTCPeerConnectionBinding.cpp:7427
    #17 0x7fc2d81b7fa2 in mozilla::dom::mozRTCPeerConnectionBinding::createDataChannel(JSContext*, JS::Handle<JSObject*>, mozilla::dom::mozRTCPeerConnection*, JSJitMethodCallArgs const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dom/bindings/./RTCPeerConnectionBinding.cpp:3504
    #18 0x7fc2d87860f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/nohlmeier/src/mozilla-central-asan/dom/bindings/BindingUtils.cpp:2431
    #19 0x7fc2dc3fc118 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /home/nohlmeier/src/mozilla-central-asan/js/src/jscntxtinlines.h:231
    #20 0x7fc2dc364765 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:482:16
    #21 0x7fc2dc38f7da in Interpret(JSContext*, js::RunState&) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:2517
    #22 0x7fc2dc380ec8 in js::RunScript(JSContext*, js::RunState&) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:432
    #23 0x7fc2dc3648c3 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:501
    #24 0x7fc2dc349541 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /home/nohlmeier/src/mozilla-central-asan/js/src/vm/Interpreter.cpp:538
    #25 0x7fc2dc0df5ea in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/nohlmeier/src/mozilla-central-asan/js/src/jsapi.cpp:4982
    #26 0x7fc2d6883cc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/nohlmeier/src/mozilla-central-asan/js/xpconnect/src/XPCWrappedJSClass.cpp:1187
    #27 0x7fc2d58c24da in PrepareAndDispatch /home/nohlmeier/src/mozilla-central-asan/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:122
    #28 0x7fc2d58c131a in SharedStub (/home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/dist/bin/libxul.so+0x2a5931a)
    #29 0x7fc2d8b9d548 in mozilla::DOMMediaStream::CheckTracksAvailable() /home/nohlmeier/src/mozilla-central-asan/dom/media/DOMMediaStream.cpp:457
    #30 0x7fc2d8b9d2ec in mozilla::DOMMediaStream::BindDOMTrack(int, mozilla::MediaSegment::Type) /home/nohlmeier/src/mozilla-central-asan/dom/media/DOMMediaStream.cpp:391
    #31 0x7fc2d8bb9292 in mozilla::DOMMediaStream::StreamListener::TrackChange::Run() /home/nohlmeier/src/mozilla-central-asan/dom/media/DOMMediaStream.cpp:53
    #32 0x7fc2d589d879 in nsThread::ProcessNextEvent(bool, bool*) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:830
    #33 0x7fc2d58f78be in NS_ProcessNextEvent(nsIThread*, bool) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:265
    #34 0x7fc2d60cd23a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:99
    #35 0x7fc2d60cdf10 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:302
    #36 0x7fc2d6048d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233
    #37 0x7fc2d6048a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200
    #38 0x7fc2d955f9c6 in nsBaseAppShell::Run() /home/nohlmeier/src/mozilla-central-asan/widget/nsBaseAppShell.cpp:164
    #39 0x7fc2da966e26 in XRE_RunAppShell /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:713
    #40 0x7fc2d60cddb3 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/nohlmeier/src/mozilla-central-asan/ipc/glue/MessagePump.cpp:272
    #41 0x7fc2d6048d41 in MessageLoop::RunInternal() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:233
    #42 0x7fc2d6048a98 in MessageLoop::Run() /home/nohlmeier/src/mozilla-central-asan/ipc/chromium/src/base/message_loop.cc:200
    #43 0x7fc2da96662b in XRE_InitChildProcess /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:550
    #44 0x4b842f in content_process_main(int, char**) /home/nohlmeier/src/mozilla-central-asan/ipc/app/../contentproc/plugin-container.cpp:158
    #45 0x7fc2d1e97ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

Thread T17 (Socket Thread) created by T0 (Web Content) here:
    #0 0x43941e in __interceptor_pthread_create /home/nohlmeier/checkouts/llvm-20140708/projects/compiler-rt/lib/asan/asan_interceptors.cc:180
    #1 0x7fc2e1139be9 in _PR_CreateThread /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fc2e11396fa in PR_CreateThread /home/nohlmeier/src/mozilla-central-asan/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fc2d589bfdf in nsThread::Init() /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThread.cpp:455
    #4 0x7fc2d589fb94 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) /home/nohlmeier/src/mozilla-central-asan/xpcom/threads/nsThreadManager.cpp:269
    #5 0x7fc2d58f70ef in NS_NewThread(nsIThread**, nsIRunnable*, unsigned int) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsThreadUtils.cpp:68
    #6 0x7fc2d5a5bd5d in nsSocketTransportService::Init() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsSocketTransportService2.cpp:468
    #7 0x7fc2d5f8f0a1 in nsSocketTransportServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/netwerk/build/nsNetModule.cpp:72
    #8 0x7fc2d587b689 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1199
    #9 0x7fc2d5876050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560
    #10 0x7fc2d58e514e in nsGetServiceByContractIDWithError::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsComponentManagerUtils.cpp:292
    #11 0x7fc2d5a256a6 in nsCOMPtr<nsPISocketTransportService>::assign_from_gs_contractid_with_error(nsGetServiceByContractIDWithError const&, nsID const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:1228
    #12 0x7fc2d5a1dc14 in nsCOMPtr<nsPISocketTransportService>::operator=(nsGetServiceByContractIDWithError const&) /home/nohlmeier/src/mozilla-central-asan/objdir-ff-asan/netwerk/base/src/../../../dist/include/nsCOMPtr.h:744
    #13 0x7fc2d5a0326d in nsIOService::InitializeSocketTransportService() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:243
    #14 0x7fc2d5a04054 in nsIOService::SetOffline(bool) /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:817
    #15 0x7fc2d5a02f2c in nsIOService::InitializeNetworkLinkService() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:290
    #16 0x7fc2d5a023e7 in nsIOService::Init() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:226
    #17 0x7fc2d5a04666 in nsIOService::GetInstance() /home/nohlmeier/src/mozilla-central-asan/netwerk/base/src/nsIOService.cpp:303
    #18 0x7fc2d5f8ef03 in nsIOServiceConstructor(nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/netwerk/build/nsNetModule.cpp:57
    #19 0x7fc2d587b689 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1199
    #20 0x7fc2d5876050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560
    #21 0x7fc2d6d7f7cd in nsScriptSecurityManager::Init() /home/nohlmeier/src/mozilla-central-asan/caps/nsScriptSecurityManager.cpp:1257:19
    #22 0x7fc2d6d7fec2 in nsScriptSecurityManager::InitStatics() /home/nohlmeier/src/mozilla-central-asan/caps/nsScriptSecurityManager.cpp:1328
    #23 0x7fc2d68a2de9 in nsXPConnect::InitStatics() /home/nohlmeier/src/mozilla-central-asan/js/xpconnect/src/nsXPConnect.cpp:132
    #24 0x7fc2d6840b68 in xpcModuleCtor() /home/nohlmeier/src/mozilla-central-asan/js/xpconnect/src/XPCModule.cpp:13
    #25 0x7fc2d9f41584 in Initialize() /home/nohlmeier/src/mozilla-central-asan/layout/build/nsLayoutModule.cpp:395
    #26 0x7fc2d5879c4b in nsComponentManagerImpl::KnownModule::Load() /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:858
    #27 0x7fc2d587a87e in nsFactoryEntry::GetFactory() /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1915
    #28 0x7fc2d587b613 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1196
    #29 0x7fc2d5876050 in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /home/nohlmeier/src/mozilla-central-asan/xpcom/components/nsComponentManager.cpp:1560
    #30 0x7fc2d58e4fb4 in nsGetServiceByContractID::operator()(nsID const&, void**) const /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsComponentManagerUtils.cpp:280
    #31 0x7fc2d58e4ed9 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /home/nohlmeier/src/mozilla-central-asan/xpcom/glue/nsCOMPtr.cpp:103
    #32 0x7fc2d5908e3f in NS_InitXPCOM2 /home/nohlmeier/src/mozilla-central-asan/xpcom/build/XPCOMInit.cpp:706
    #33 0x7fc2da965a63 in XRE_InitEmbedding2 /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:164
    #34 0x7fc2d60cf786 in mozilla::ipc::ScopedXREEmbed::Start() /home/nohlmeier/src/mozilla-central-asan/ipc/glue/ScopedXREEmbed.cpp:104
    #35 0x7fc2d91bce99 in mozilla::dom::ContentProcess::Init() /home/nohlmeier/src/mozilla-central-asan/dom/ipc/ContentProcess.cpp:28
    #36 0x7fc2da96661d in XRE_InitChildProcess /home/nohlmeier/src/mozilla-central-asan/toolkit/xre/nsEmbedFunctions.cpp:537
    #37 0x4b842f in content_process_main(int, char**) /home/nohlmeier/src/mozilla-central-asan/ipc/app/../contentproc/plugin-container.cpp:158
    #38 0x7fc2d1e97ec4 in __libc_start_main /build/buildd/eglibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /home/nohlmeier/src/mozilla-central-asan/netwerk/sctp/src/user_sctp_timer_iterate.c:81 user_sctp_timer_iterate
Shadow bytes around the buggy address:
  0x0c3a80044a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80044a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3a80044a50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044a60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044a70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c3a80044a80: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044a90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044aa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044ab0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044ac0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3a80044ad0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  ASan internal:           fe
==2630==ABORTING
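The report above has the shape of a classic timer lifetime race: the owning object is freed on the Socket Thread while a callout that still points at it sits in the queue the timer thread walks, so the next pass of user_sctp_timer_iterate reads freed memory. The C program below is an added, constructed model of that pattern, not code from the SCTP stack or from Firefox; the callout queue, the `assoc` struct and every function name are the example's own. It puts the teardown that frees the owner with its callout still queued beside one that cancels every callout under the timer-queue lock before freeing, and exposes the stale reference by pointer identity only so the demo itself never touches freed memory.

```c
#include <pthread.h>
#include <stdlib.h>

/* Constructed model of a BSD-style callout queue: one list, one lock, walked by
 * a dedicated timer thread. Not the SCTP code; every name here is the example's. */
struct callout {
    struct callout *next;
    unsigned long when;        /* tick at which the callout fires */
    void (*fn)(void *);
    void *arg;                 /* the owning object: the pointer that dangles */
};

static struct callout *timerq_head;
static pthread_mutex_t timerq_lock = PTHREAD_MUTEX_INITIALIZER;
static unsigned long now_ticks;

static void callout_reset(unsigned long delay, void (*fn)(void *), void *arg)
{
    struct callout *c = calloc(1, sizeof *c);
    pthread_mutex_lock(&timerq_lock);
    c->when = now_ticks + delay;
    c->fn = fn;
    c->arg = arg;
    c->next = timerq_head;
    timerq_head = c;
    pthread_mutex_unlock(&timerq_lock);
}

/* Unlink and free every callout owned by obj. Compares pointer values only and
 * never dereferences obj. Caller holds timerq_lock. Returns the number removed. */
static int callout_stop_all_locked(const void *obj)
{
    int removed = 0;
    for (struct callout **pp = &timerq_head; *pp; ) {
        struct callout *c = *pp;
        if (c->arg == obj) { *pp = c->next; free(c); removed++; }
        else pp = &c->next;
    }
    return removed;
}

/* One pass of the timer thread: advance the clock and fire expired callouts.
 * The callback runs with timerq_lock held, so a teardown that takes the lock
 * before freeing cannot interleave with a callback in flight. (Callbacks must
 * therefore not call callout_reset; a stack that drops the lock around the
 * callback needs a separate "callback running" flag for the same guarantee.) */
static int timer_iterate(unsigned long ticks)
{
    int fired = 0;
    pthread_mutex_lock(&timerq_lock);
    now_ticks += ticks;
    for (struct callout **pp = &timerq_head; *pp; ) {
        struct callout *c = *pp;
        if (c->when > now_ticks) { pp = &c->next; continue; }
        *pp = c->next;
        c->fn(c->arg);         /* reads through c->arg: freed memory if the owner is gone */
        free(c);
        fired++;
    }
    pthread_mutex_unlock(&timerq_lock);
    return fired;
}

/* The owner, standing in for an association with one retransmission timer. */
struct assoc { int timeouts; };

static void assoc_timeout(void *arg) { ((struct assoc *)arg)->timeouts++; }

static struct assoc *assoc_create(unsigned long rto_ticks)
{
    struct assoc *a = calloc(1, sizeof *a);
    callout_reset(rto_ticks, assoc_timeout, a);
    return a;
}

/* Queued callouts whose arg equals obj, compared by pointer value only. */
static int callouts_referencing(const void *obj)
{
    int n = 0;
    pthread_mutex_lock(&timerq_lock);
    for (struct callout *c = timerq_head; c; c = c->next) n += (c->arg == obj);
    pthread_mutex_unlock(&timerq_lock);
    return n;
}

/* Buggy teardown: frees the owner and leaves its callout queued. The next
 * timer_iterate would run assoc_timeout on freed memory, which is the
 * heap-use-after-free in the report. Returns the old pointer value so the
 * caller can observe and purge the stale entry without touching freed memory. */
static const void *assoc_destroy_unsafe(struct assoc *a)
{
    const void *key = a;
    free(a);
    return key;
}

/* Fixed teardown: cancel every timer the owner armed, under the timer-queue
 * lock, and only then free. Returns the number of callouts cancelled. */
static int assoc_destroy_safe(struct assoc *a)
{
    pthread_mutex_lock(&timerq_lock);
    int cancelled = callout_stop_all_locked(a);
    pthread_mutex_unlock(&timerq_lock);
    free(a);
    return cancelled;
}

/* Demo-only: drop callouts whose owner is already gone so the queue stays usable. */
static int timerq_purge(const void *dead)
{
    pthread_mutex_lock(&timerq_lock);
    int n = callout_stop_all_locked(dead);
    pthread_mutex_unlock(&timerq_lock);
    return n;
}
```

The invariant the safe path enforces is the one a reviewer should look for in any teardown that races a timer thread: no callout may reference the object at the instant it is freed, and the cancellation must happen under the same lock the timer thread holds while walking the queue, otherwise the iterate loop can already have picked the entry up. When the real stack runs callbacks with the queue lock dropped, cancelling is not enough on its own; the teardown must also wait for a callback that is mid-flight, which is what a "running" flag or a drain step provides.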
Attached file fuzz-http-3.html
This is the test case which was used to create these problems. As they involve random timers, you might need to run them for a while before you hit the problem.
You need 215450:153148514f22, which landed after your pull above.
Flags: needinfo?(drno)
Confirmed. With today's m-c (216020:47f88e6ae34c) I'm no longer able to reproduce the bug.

Apparently I'm allowed to close this as a dupe of 1080312. Can one of you please close this as a dupe or add me to 1080312 so I can close this here properly?
Flags: needinfo?(drno)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1080312
Done. Thank you very much for testing!

Best regards
Michael
Group: core-security → core-security-release
Group: core-security-release