1130541 - (CVE-2015-0831) Heap use-after-free in mozilla::dom::IndexedDB::IDBObjectStore::CreateIndex

Status: VERIFIED FIXED

(Core :: Storage: IndexedDB, defect)

Description

[Paul]

Attachment: test5.html

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

Open the attached html file in Firefox. It crashes with latest asan and also crashes on latest regular Nightly for me on Windows and Linux.

This is the stacktrace I get with latest build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

==2401==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000274108 at pc 0x7fcdabfee8db bp 0x7fffac242540 sp 0x7fffac242538
READ of size 8 at 0x606000274108 thread T0 (Web Content)
    #0 0x7fcdabfee8da in Assign /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBSharedTypes.cpp:519
    #1 0x7fcdaff05f7e in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:807
    #2 0x7fcdaff26d58 in NoteDeletion /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:2074
    #3 0x7fcdaff21893 in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1760
    #4 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #5 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #6 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #7 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #8 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #9 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #10 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #11 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #12 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #13 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #14 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #15 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #16 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #17 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #18 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #19 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #20 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #21 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #22 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #23 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #24 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #25 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #26 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #27 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #28 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361
    #29 0x7fcdabedf497 in DoWork /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:447
    #30 0x7fcdabf325c2 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:233
    #31 0x7fcdab69d364 in ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:855
    #32 0x7fcdab6fd51a in NS_ProcessNextEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7fcdabf31d29 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7fcdabedcf6c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7fcdb04f6367 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #36 0x7fcdb206a732 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #37 0x7fcdabedcf6c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #38 0x7fcdb2069d14 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #39 0x48a9f1 in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:211
    #40 0x7fcda92a9d54 in __libc_start_main ??:?
    #41 0x489dcc in _start ??:?

0x606000274108 is located 8 bytes inside of 56-byte region [0x606000274100,0x606000274138)
freed by thread T0 (Web Content) here:
    #0 0x47265b in __interceptor_realloc _asan_rtl_
    #1 0x7fcdb7bf2a8d in moz_xrealloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:84
    #2 0x7fcdab51d6cf in Realloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:184
    #3 0x7fcdaff22642 in AppendElement<mozilla::dom::indexedDB::IndexMetadata> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/nsTArray.h:1330
    #4 0x7fcdaff2183e in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1750
    #5 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #6 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #7 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #8 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #9 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #10 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #11 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #12 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #13 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #14 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #15 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #16 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #17 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #18 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #19 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #20 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #21 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #22 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #23 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #24 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #25 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #26 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #27 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #28 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #29 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361

previously allocated by thread T0 (Web Content) here:
    #0 0x4723e1 in __interceptor_malloc _asan_rtl_
    #1 0x7fcdb7bf27dd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:52
    #2 0x7fcdab51d5f3 in Malloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/toolkit/mozapps/extensions/../../../dist/include/nsTArray.h:181
    #3 0x7fcdaff22642 in AppendElement<mozilla::dom::indexedDB::IndexMetadata> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/indexedDB/../../dist/include/nsTArray.h:1330
    #4 0x7fcdaff2183e in CreateIndexInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1750
    #5 0x7fcdaff20fad in CreateIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/IDBObjectStore.cpp:1682
    #6 0x7fcdae49e431 in createIndex /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./IDBObjectStoreBinding.cpp:667
    #7 0x7fcdaf0c1643 in GenericBindingMethod /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2522
    #8 0x7fcdb3f5d270 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:226
    #9 0x7fcdb3f9a00e in Interpret /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2558
    #10 0x7fcdb3f7dc89 in RunScript /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:448
    #11 0x7fcdb3f5d82a in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:517
    #12 0x7fcdb3fa820e in Invoke /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:554
    #13 0x7fcdb3bbc99f in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4474
    #14 0x7fcdae02ee05 in Call /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #15 0x7fcdaf3ca0d1 in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:350
    #16 0x7fcdaf3c83c2 in HandleEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:214
    #17 0x7fcdaf38beaf in HandleEventSubType /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:976
    #18 0x7fcdaf38dedf in HandleEventInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1124
    #19 0x7fcdaf37d781 in HandleEventTargetChain /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #20 0x7fcdaf381a06 in Dispatch /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:633
    #21 0x7fcdaf342655 in DispatchDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:697
    #22 0x7fcdaf35d7d9 in DispatchEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:251
    #23 0x7fcdafeced58 in DispatchSuccessEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:751
    #24 0x7fcdafed1f39 in RecvPBackgroundIDBVersionChangeTransactionConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/indexedDB/ActorsChild.cpp:1406
    #25 0x7fcdabfbe66d in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundIDBDatabaseChild.cpp:560
    #26 0x7fcdabf9839c in OnMessageReceived /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:761
    #27 0x7fcdabf2a941 in DispatchAsyncMessage /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1231
    #28 0x7fcdabf201b5 in OnMaybeDequeueOne /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1142
    #29 0x7fcdabede3e4 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:361

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
Shadow bytes around the buggy address:
  0x0c0c800467d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800467e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800467f0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c0c80046800: 00 00 00 fa fa fa fa fa fd fd fd fd fd fd fd fa
  0x0c0c80046810: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
=>0x0c0c80046820: fd[fd]fd fd fd fd fd fa fa fa fa fa 00 00 00 00
  0x0c0c80046830: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80046840: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c80046850: 00 00 00 00 00 00 00 00 fa fa fa fa 00 00 00 00
  0x0c0c80046860: 00 00 00 00 fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c80046870: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       ==2401==ABORTING

p.s. Please let me know if something's wrong it's my first time with open source


Actual results:

It crashes


Expected results:

It should create index

Comment 1

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Attachment: changes.patch

Yikes, this is dumb!

Comment 2

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Comment on attachment 8560657 [details] [diff] [review]
changes.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Which older supported branches are affected by this flaw? The specific crash here was introduced in bug 994190. However, previous versions would have probably crashed in some other way. The general problem probably goes back all the way to the first version of IndexedDB...

If not all supported branches, which bug introduced the flaw? All supported branches

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? A separate patch would be required for esr31, but it's basically identical.

How likely is this patch to cause regressions; how much testing does it need? It's very safe.

Comment 3

[Ben Turner (not reading bugmail, use the needinfo flag!)]

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Easily

Do comments in the patch, the check-in comment, or tests included in the
patch paint a bulls-eye on the security problem? Yes

Comment 4

[Al Billings [:abillings - ex-MoCo]]

We're going to want this on Aurora, Beta, and ESR31. 

Sec-approval+ for trunk and I will approve it for Beta and Aurora.

Comment 5

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8560657 [details] [diff] [review]
changes.patch

[Triage Comment]

Comment 6

[Ben Turner (not reading bugmail, use the needinfo flag!)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2565e56e117c

Comment 7

[Phil Ringnalda (:philor)]

https://hg.mozilla.org/mozilla-central/rev/2565e56e117c

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/6c0b609839b1
https://hg.mozilla.org/releases/mozilla-beta/rev/cb5d2bbf9234

Comment 9

[Sylvestre Ledru [:Sylvestre]]

Comment on attachment 8560657 [details] [diff] [review]
changes.patch

Taking it for esr since it seems affected.

Comment 10

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Attachment: Patch for esr31

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g37_v2_2/rev/6c0b609839b1
https://hg.mozilla.org/releases/mozilla-b2g34_v2_1/rev/ecfc931ec936
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/2ca6a9e7cb81
https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/4adc5cc8294d
https://hg.mozilla.org/releases/mozilla-esr31/rev/9abab90e9b0b

Comment 12

[Ben Turner (not reading bugmail, use the needinfo flag!)]

Attachment: changes.patch

Test fix for esr31

Comment 13

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

Landed the test fix on esr31.

Ryan, I'm unsure whether this needs to go onto the b2g branches as it's a test-only fix for a test suite that doesn't get run on those trees. I'll leave that call to you.

Comment 14

[Ryan VanderMeulen [:RyanVM]]

I don't think we need to, but thanks for checking!

Comment 15

[Kamil Jozwiak [:kjozwiak]]

Reproduced the issue using the POC from comment #0 using the following build:
- https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1423184190/

Went through verification using the following builds:

fx 38:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1424257348/

fx 37:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1424276351/

fx 36:
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1424276528/

fx 31.5.0
* Build: https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-esr31-linux64/1424276997/

Test Cases Used:

* Opened the POC from comment #0 several times without any issues in regular tabs/windows
* Opened the POC from comment #0 several times without any issues in private tabs/windows

Comment 16

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-b2g34_v2_1s/rev/ecfc931ec936
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0m/rev/2ca6a9e7cb81