Uninitialized value (actually a value left in free'ed area) seeps to JS world:

RESOLVED FIXED in Thunderbird 39.0

Status

defect
--
critical
RESOLVED FIXED

People

(Reporter: ishikawa, Assigned: ishikawa)

Tracking

({sec-high})

Trunk
Thunderbird 39.0

Thunderbird Tracking Flags

(thunderbird38+ fixed, thunderbird_esr31 unaffected)

Attachments

(2 attachments)

I have found a usage of an uninitialized field in Thunderbird.
It seeps through to the JavaScript side and is noticed by an error return code there.

In the following, I attach an excerpt to show such an invalid error code.

I found this problem by calling mallopt() [available in glibc]
to fill the newly malloc'ed area with 0xC3.

Looking at the log, I realized 0xC3C3C3C3C3C3C3C3 is printed
as an unexpected error value from |nsIMsgFilterService.applyFilters|
in chrome://messenger/content/mailWindowOverlay.js

The problem is that I have no idea when this problem crept in.

 - Because of the piling up of many local queues, I forgot to enable
   this mallopt() call in my local patch. Today, I have done so,
   probably for the first time in months, and noticed the issue in
   |make mozmill| output immediately.

   Usually, if I find a memory issue, I resort to valgrind/memcheck.

 - But today, I found out that valgrind/memcheck + thunderbird would cause a segmentation fault on my PC. Here is the short excerpt.

valgrind --trace-children=yes --smc-check=all-non-file --gen-suppressions=all --track-origins=yes --malloc-fill=0xA5 --free-fill=0xC3 --leak-check=full --num-callers=50 --suppressions=$HOME/TB-NEW/TB-3HG/new-src/mozilla/build/valgrind/cross-architecture.sup --suppressions=$HOME/TB-NEW/TB-3HG/new-src/mozilla/build/valgrind/i386-redhat-linux-gnu.sup --suppressions=$HOME/TB-NEW/TB-3HG/new-src/mozilla/build/valgrind/x86_64-redhat-linux-gnu.sup --suppressions=$HOME/Dropbox/myown.sup --show-possibly-lost=no  /REF-OBJ-DIR/objdir-tb3/dist/bin/thunderbird-bin 

==25068== Memcheck, a memory error detector
==25068== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==25068== Using Valgrind-3.11.0.SVN and LibVEX; rerun with -h for copyright info
==25068== Command: /REF-OBJ-DIR/objdir-tb3/dist/bin/thunderbird-bin
==25068== 
--25068-- WARNING: unhandled syscall: 317
--25068-- You may be able to write your own handler.
--25068-- Read the file README_MISSING_SYSCALL_OR_IOCTL.
--25068-- Nevertheless we consider this a bug.  Please report
--25068-- it at http://valgrind.org/support/bug_reports.html.
DEBUG: nsNativeCharsetConverter::LazyInit() is called. gLock=(nil)
DEBUG: nsNativeCharsetConverter: native_charset = <<ANSI_X3.4-1968>>
DEBUG: xp_iconv_open: VALID res=0x5a61080,  to_name=<<UTF-16LE>>, from_name==<<ANSI_X3.4-1968>>
DEBUG: xp_iconv_open: VALID res=0x5a632c0,  to_name=<<ANSI_X3.4-1968>>, from_name==<<UTF-16LE>>
DEBUG: nsNativeCharsetConverter: at the end of LayzInit call path
DEBUG: nsNativeCharsetConverter::gNativeToUnicode = 0x5a61080
DEBUG: nsNativeCharsetConverter::gUnicodeToNative = 0x5a632c0
[25068] WARNING: Re-registering a CID?: file /REF-COMM-CENTRAL/comm-central/mozilla/xpcom/components/nsComponentManager.cpp, line 531
Segmentation fault

valgrind aborts with or without the options other than the pathname of the thunderbird binary itself, by the way.

Maybe valgrind has not kept pace with the latest changes in the Linux kernel and glibc.
It definitely used to work two years ago or so.
(I would have noticed the problem with valgrind/memcheck if I ran memcheck regularly.
But since early last summer, the change in the manner |make mozmill| invokes tests has made it difficult to
extend the time-out value to compensate for the slowdown caused by
|memcheck|, and so I have not been able to run the |memcheck| test
regularly for like two years now. [Come to think of it, even when I extended the timeout to 30 minutes last
fall and early this winter, I did not see meaningful progress of
|make mozmill|: it seems to get stuck until this 30-minute timeout. That could have been caused by the crash (which
could have been well hidden by the unexpected processing of log files...) Hmm...])

Anyway, here is the log from the run of |make mozmill| of a locally created full DEBUG BUILD of TB. This shows the return value of
0xc3c3c3c3c3c3c3c3.

TEST-START | /REF-COMM-CENTRAL/comm-central/mail/test/mozmill/folder-display/test-message-commands.js | test_yearly_archive
[24793] WARNING: Subdocument container has no frame: file /REF-COMM-CENTRAL/comm-central/mozilla/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 72 (0x59208f0) [pid = 24793] [serial = 72] [outer = 0x2846ac0]
++DOMWINDOW == 73 (0x1d63c10) [pid = 24793] [serial = 73] [outer = 0x28488b0]
[24793] WARNING: Failed to retarget HTML data delivery to the parser thread.: file /REF-COMM-CENTRAL/comm-central/mozilla/parser/html/nsHtml5StreamParser.cpp, line 951
[24793] WARNING: Subdocument container has no frame: file /REF-COMM-CENTRAL/comm-central/mozilla/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 74 (0x27a6790) [pid = 24793] [serial = 74] [outer = 0x28488b0]
++DOMWINDOW == 75 (0x56bb9e0) [pid = 24793] [serial = 75] [outer = 0x2846ac0]
GetDiskSpaceAvailable returned: 3727065088 bytes
[24793] WARNING: Failed to run next filter: file /REF-COMM-CENTRAL/comm-central/mailnews/base/search/src/nsMsgFilterService.cpp, line 449
GetDiskSpaceAvailable returned: 3727060992 bytes
[24793] WARNING: Failed to run next filter: file /REF-COMM-CENTRAL/comm-central/mailnews/base/search/src/nsMsgFilterService.cpp, line 449
JavaScript error: chrome://messenger/content/mailWindowOverlay.js, line 1719: : Component returned failure code: 0xc3c3c3c3 [nsIMsgFilterService.applyFilters]

<==== See the failure code of 0xc3c3c3c3

[24793] WARNING: Subdocument container has no frame: file /REF-COMM-CENTRAL/comm-central/mozilla/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 76 (0x5650a00) [pid = 24793] [serial = 76] [outer = 0x2846ac0]
++DOMWINDOW == 77 (0x3d70140) [pid = 24793] [serial = 77] [outer = 0x28488b0]
[24793] WARNING: Failed to retarget HTML data delivery to the parser thread.: file /REF-COMM-CENTRAL/comm-central/mozilla/parser/html/nsHtml5StreamParser.cpp, line 951
++DOMWINDOW == 78 (0x2528330) [pid = 24793] [serial = 78] [outer = 0x28488b0]
[24793] WARNING: Failed to retarget HTML data delivery to the parser thread.: file /REF-COMM-CENTRAL/comm-central/mozilla/parser/html/nsHtml5StreamParser.cpp, line 951
++DOMWINDOW == 79 (0x3d46ca0) [pid = 24793] [serial = 79] [outer = 0x28488b0]
TEST-PASS | /REF-COMM-CENTRAL/comm-central/mail/test/mozmill/folder-display/test-message-commands.js | test-message-commands.js::test_yearly_archive
TEST-START | /REF-COMM-CENTRAL/comm-central/mail/test/mozmill/folder-display/test-message-commands.js | test_monthly_archive

There are a few more places (I count five) where the error value is returned.
In one place, this is summarized as below.

SUMMARY-UNEXPECTED-FAIL | test-archive-messages.js | test-archive-messages.js::test_batch_archiver
  EXCEPTION: Component returned failure code: 0xc3c3c3c3 [nsIMsgFilterService.applyFilters]
    at: nonesuch line 1719
       BatchMessageMover.prototype.filterBatch mailWindowOverlay.js:1719 0
       BatchMessageMover.prototype.processNextBatch mailWindowOverlay.js:1700 13
       BatchMessageMover.prototype.archiveMessages mailWindowOverlay.js:1692 4
       archive_messages test-folder-display-helpers.js:2077 2
       test_batch_archiver test-archive-messages.js:51 0
       Runner.prototype.wrapper frame.js:585 8
       Runner.prototype._runTestModule frame.js:655 8
       Runner.prototype.runTestModule frame.js:701 2
       Runner.prototype.runTestDirectory frame.js:525 6
       runTestDirectory frame.js:707 2
       Bridge.prototype._execFunction server.js:179 9
       Bridge.prototype.execFunction server.js:183 15
       Session.prototype.receive server.js:283 2
       AsyncRead.prototype.onDataAvailable server.js:88 2
SUMMARY-PASS | test-archive-messages.js::teardownModule

If I knew the exact cause of this memory issue, I would have created
the patch immediately, or at least assessed the severity of the issue.
Unfortunately, due to the issue above, it is difficult to see the exact cause or where the problem lies.

But since there *IS* an uninitialized memory issue,
and, surprisingly enough, people have found ways to exploit such issues,
I have marked this as security-related.

Maybe someone familiar with AddressSanitizer or something similar can check if
they detect something funny when they run |make mozmill|.

TIA

>I found this problem by calling mallopt() [available in glibc]
>to fill the newly malloc'ed area with 0xC3.

I got this wrong.

I used mallopt() to fill the newly malloc'ed area with 0xA5,
and to fill the free'ed area with 0xC3.

So the code is returning a value left in the *FREE*ed area!

I am about to change the title to reflect this.

TIA

Summary: Uninitialized value seeps to JS world: → Uninitialized value (actually a value left in free'ed area) seeps to JS world:

If someone wants to test the problem on their PC, this is how I do it.

The attached patch is how I invoke mallopt.

By placing this call in main() of thunderbird,
I enable mallopt() by setting the MOZILLA_MALLOPT environment variable under Linux.
If MOZILLA_MALLOPT is set to a hexadecimal string, that value would be used;
right now, I have the following in my shell script to invoke |make mozmill|:

MOZILLA_MALLOPT=C3
export MOZILLA_MALLOPT

and so 0xC3 is used as the value to fill the free'ed area.
On malloc, the complement, 0xA5, is used.

If the environment variable is not set, thunderbird behaves
as before (without the call to mallopt).

Keywords: sec-high

One possible source of that is this code:

// do what we have to do to cleanup.
nsresult nsMsgFilterAfterTheFact::OnEndExecution()
{
  ...
  Release(); // release ourselves.
  return mFinalResult;
}

If the release frees the memory, mFinalResult would be freed before return. Storing a local copy on the stack would solve that.

Since you can reproduce this, can you add a debugger and see the full stack when it fails?
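
Kent's diagnosis, as an added example that is not Thunderbird's code: a minimal refcounted stand-in for nsMsgFilterAfterTheFact whose buggy OnEndExecution() loads mFinalResult after the final Release(), beside the stack-copy fix, with a class-specific operator delete standing in for the reporter's 0xC3 free-fill so the stale value is visible without a sanitizer. The class, the Run*/IsFailure helpers and the nsresult constants are assumptions made for this demo.

```cpp
// Added example, not Thunderbird code: reproduces the shape Kent James points
// at in nsMsgFilterAfterTheFact::OnEndExecution(), beside the fix he suggests.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef uint32_t nsresult;                 // stand-in for XPCOM's nsresult
static const nsresult NS_OK = 0x00000000u;
static const nsresult NS_ERROR_FAILURE = 0x80004005u;

class FilterAfterTheFact {
public:
  // Free-fill byte, matching the reporter's MOZILLA_MALLOPT=C3 setting.
  static const unsigned char kFreeFill = 0xC3;

  explicit FilterAfterTheFact(nsresult finalResult)
      : mRefCnt(1), mFinalResult(finalResult) {}

  void AddRef() { ++mRefCnt; }
  void Release() {
    if (--mRefCnt == 0) {
      delete this;                         // last owner gone: object destroyed
    }
  }

  // Buggy shape from comment #3: Release() may destroy |this| and hand the
  // storage back to the allocator; only afterwards is mFinalResult loaded for
  // the return value. ASan reports this as a heap-use-after-free READ of
  // size 4 inside OnEndExecution().
  nsresult OnEndExecutionBuggy() {
    Release();                             // may delete this
    return mFinalResult;                   // reads freed storage
  }

  // Fix: copy the member to the stack while |this| is still alive, and never
  // touch the object after the Release() that may destroy it.
  nsresult OnEndExecutionFixed() {
    nsresult rv = mFinalResult;
    Release();
    return rv;
  }

  // Class-specific deallocator standing in for the reporter's free-fill
  // (glibc's mallopt(M_PERTURB, ...) paints freed chunks the same way).
  // The poisoned storage is deliberately never returned to the allocator, so
  // the stale read above is repeatable in this demo; with a real allocator the
  // bytes could be reused or overwritten with free-list metadata at any time.
  static void operator delete(void* p, std::size_t n) {
    std::memset(p, kFreeFill, n);
  }

private:
  uint32_t mRefCnt;
  nsresult mFinalResult;
};

// What the JS caller would observe from each variant; the object is owned by
// a single reference, so the Release() inside OnEndExecution is the last one.
nsresult RunBuggy(nsresult finalResult) {
  FilterAfterTheFact* f = new FilterAfterTheFact(finalResult);
  return f->OnEndExecutionBuggy();         // f dangles after this call
}

nsresult RunFixed(nsresult finalResult) {
  FilterAfterTheFact* f = new FilterAfterTheFact(finalResult);
  return f->OnEndExecutionFixed();
}

// XPConnect turns any nsresult with the high bit set into a JS exception
// ("Component returned failure code: 0x........").
bool IsFailure(nsresult rv) { return (rv & 0x80000000u) != 0; }

int main() {
  std::printf("buggy: 0x%08x (failure=%d)\n", RunBuggy(NS_OK),
              (int)IsFailure(RunBuggy(NS_OK)));
  std::printf("fixed: 0x%08x (failure=%d)\n", RunFixed(NS_OK),
              (int)IsFailure(RunFixed(NS_OK)));
  return 0;
}
```

The buggy variant hands 0xc3c3c3c3 to the caller even though the filter run succeeded, which is exactly the failure code the mozmill log shows; the fixed variant returns the real mFinalResult.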

(In reply to Kent James (:rkent) from comment #3)
> One possible source of that is this code:
> 
> // do what we have to do to cleanup.
> nsresult nsMsgFilterAfterTheFact::OnEndExecution()
> {
>   ...
>   Release(); // release ourselves.
>   return mFinalResult;
> }
> 
> If the release frees the memory, mFinalResult would be freed before return.
> Storing a local copy on the stack would solve that.
> 
> Since you can reproduce this, can you add a debugger and see the full stack
> when it fails?

Dear Kent,

I think you are right on the spot!

I linked TB using AddressSanitizer (ASan).
It took me a day to figure out how to compile and
link TB using GCC 4.9. I will report how to do this in a separate bugzilla since
I needed to patch a file.

Here is the excerpt from the |make mozmill| log:

When the freed memory is referenced, ASan aborts, and so
here is the dump from the abort.

TEST-PASS | /REF-COMM-CENTRAL/comm-central/mail/test/mozmill/folder-display/test-message-commands.js | test-message-commands.js::test_thread_delete_prompt
TEST-START | /REF-COMM-CENTRAL/comm-central/mail/test/mozmill/folder-display/test-message-commands.js | test_yearly_archive
[12037] WARNING: Subdocument container has no frame: file /REF-COMM-CENTRAL/comm-central/mozilla/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 65 (0x6190007fbc80) [pid = 12037] [serial = 72] [outer = 0x619000b09080]
++DOMWINDOW == 66 (0x618000119880) [pid = 12037] [serial = 73] [outer = 0x61800005b080]
[12037] WARNING: Failed to retarget HTML data delivery to the parser thread.: file /REF-COMM-CENTRAL/comm-central/mozilla/parser/html/nsHtml5StreamParser.cpp, line 951
[12037] WARNING: Subdocument container has no frame: file /REF-COMM-CENTRAL/comm-central/mozilla/layout/base/nsDocumentViewer.cpp, line 2511
++DOMWINDOW == 67 (0x618000106080) [pid = 12037] [serial = 74] [outer = 0x61800005b080]
++DOMWINDOW == 68 (0x619000235f80) [pid = 12037] [serial = 75] [outer = 0x619000b09080]
GetDiskSpaceAvailable returned: 2120339456 bytes
=================================================================
==12037==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0001ada94 at pc 0x7f25b74d5c8c bp 0x7fff3e380aa0 sp 0x7fff3e380a98
READ of size 4 at 0x60f0001ada94 thread T0
    #0 0x7f25b74d5c8b in nsMsgFilterAfterTheFact::OnEndExecution() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21a0c8b)
    #1 0x7f25b74e512e in nsMsgFilterAfterTheFact::AdvanceToNextFolder() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b012e)
    #2 0x7f25b74e8388 in nsMsgApplyFiltersToMessages::RunNextFilter() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b3388)
    #3 0x7f25b74e4c81 in nsMsgFilterAfterTheFact::AdvanceToNextFolder() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21afc81)
    #4 0x7f25b74e7311 in nsMsgFilterService::ApplyFilters(int, nsIArray*, nsIMsgFolder*, nsIMsgWindow*, nsIMsgOperationListener*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b2311)
    #5 0x7f25b7d6a1c1 in NS_InvokeByIndex (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x2a351c1)
    #6 0x7f25b92700f3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f3b0f3)
    #7 0x7f25b9278939 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f43939)
    #136 0x7f25c08740f9 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb53f0f9)
    #137 0x7f25c0881120 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb54c120)
    #138 0x7f25c089ba41 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566a41)
    #139 0x7f25c089bd52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566d52)
    #140 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #141 0x7f25bfcadaf2 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978af2)
    #142 0x7f25bfca0b4c in Interpret(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa96bb4c)
    #143 0x7f25bfcad025 in js::RunScript(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978025)
    #144 0x7f25bfcad97f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97897f)
    #145 0x7f25bfcb11d3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97c1d3)
    #146 0x7f25c08740f9 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb53f0f9)
    #147 0x7f25c0881120 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb54c120)
    #148 0x7f25c089ba41 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566a41)
    #149 0x7f25c089bd52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566d52)
    #150 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #151 0x7f25bfcadaf2 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978af2)
    #152 0x7f25bfcb11d3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97c1d3)
    #153 0x7f25c018d472 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xae58472)
    #154 0x7f25a961803a (+0x703a)

0x60f0001ada94 is located 148 bytes inside of 168-byte region [0x60f0001ada00,0x60f0001adaa8)
freed by thread T0 here:
    #0 0x7f25c8c11527 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x54527)
    #1 0x40c4be in moz_free (/REF-OBJ-DIR/objdir-tb3/dist/bin/thunderbird+0x40c4be)
    #2 0x7f25b74e9acb in nsMsgApplyFiltersToMessages::~nsMsgApplyFiltersToMessages() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b4acb)
    #3 0x7f25b74d4454 in nsMsgFilterAfterTheFact::Release() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x219f454)
    #4 0x7f25b74d5c01 in nsMsgFilterAfterTheFact::OnEndExecution() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21a0c01)
    #5 0x7f25b74e512e in nsMsgFilterAfterTheFact::AdvanceToNextFolder() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b012e)
    #6 0x7f25b74e8388 in nsMsgApplyFiltersToMessages::RunNextFilter() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b3388)
    #7 0x7f25b74e4c81 in nsMsgFilterAfterTheFact::AdvanceToNextFolder() (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21afc81)
    #8 0x7f25b74e7311 in nsMsgFilterService::ApplyFilters(int, nsIArray*, nsIMsgFolder*, nsIMsgWindow*, nsIMsgOperationListener*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b2311)
    #9 0x7f25b7d6a1c1 in NS_InvokeByIndex (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x2a351c1)
    #10 0x7f25b92700f3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f3b0f3)
    #11 0x7f25b9278939 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f43939)
    #12 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #13 0x7f25bfcad7e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9787e0)
    #14 0x7f25bfca0b4c in Interpret(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa96bb4c)
    #15 0x7f25bfcad025 in js::RunScript(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978025)
    #16 0x7f25bfcad97f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97897f)
    #17 0x7f25c0767184 in js::fun_apply(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb432184)
    #18 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #19 0x7f25bfcad7e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9787e0)
    #20 0x7f25bfcb11d3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97c1d3)
    #21 0x7f25c08740f9 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb53f0f9)
    #22 0x7f25c0881120 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb54c120)
    #23 0x7f25c089ba41 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566a41)
    #24 0x7f25c089bd52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566d52)
    #25 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #26 0x7f25bfcadaf2 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978af2)
    #27 0x7f25bfca0b4c in Interpret(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa96bb4c)
    #28 0x7f25bfcad025 in js::RunScript(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978025)
    #29 0x7f25bfcad97f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97897f)

previously allocated by thread T0 here:
    #0 0x7f25c8c1173f in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.1+0x5473f)
    #1 0x40c825 in moz_xmalloc (/REF-OBJ-DIR/objdir-tb3/dist/bin/thunderbird+0x40c825)
    #2 0x7f25b74e72c6 in nsMsgFilterService::ApplyFilters(int, nsIArray*, nsIMsgFolder*, nsIMsgWindow*, nsIMsgOperationListener*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x21b22c6)
    #3 0x7f25b7d6a1c1 in NS_InvokeByIndex (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x2a351c1)
    #4 0x7f25b92700f3 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f3b0f3)
    #5 0x7f25b9278939 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0x3f43939)
    #6 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #7 0x7f25bfcad7e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9787e0)
    #8 0x7f25bfca0b4c in Interpret(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa96bb4c)
    #9 0x7f25bfcad025 in js::RunScript(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978025)
    #10 0x7f25bfcad97f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97897f)
    #11 0x7f25c0767184 in js::fun_apply(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb432184)
    #12 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #13 0x7f25bfcad7e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9787e0)
    #14 0x7f25bfcb11d3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97c1d3)
    #15 0x7f25c08740f9 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb53f0f9)
    #16 0x7f25c0881120 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb54c120)
    #17 0x7f25c089ba41 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566a41)
    #18 0x7f25c089bd52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566d52)
    #19 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)
    #20 0x7f25bfcadaf2 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978af2)
    #21 0x7f25bfca0b4c in Interpret(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa96bb4c)
    #22 0x7f25bfcad025 in js::RunScript(JSContext*, js::RunState&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa978025)
    #23 0x7f25bfcad97f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97897f)
    #24 0x7f25bfcb11d3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa97c1d3)
    #25 0x7f25c08740f9 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb53f0f9)
    #26 0x7f25c0881120 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb54c120)
    #27 0x7f25c089ba41 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566a41)
    #28 0x7f25c089bd52 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xb566d52)
    #29 0x7f25bfccb2aa in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (/REF-OBJ-DIR/objdir-tb3/dist/bin/libxul.so+0xa9962aa)

SUMMARY: AddressSanitizer: heap-use-after-free ??:0 nsMsgFilterAfterTheFact::OnEndExecution()
Shadow bytes around the buggy address:
  0x0c1e8002db00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8002db10: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1e8002db20: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8002db30: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1e8002db40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e8002db50: fd fd[fd]fd fd fa fa fa fa fa fa fa fa fa fd fd
  0x0c1e8002db60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8002db70: fd fd fd fd fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1e8002db80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1e8002db90: fd fd fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1e8002dba0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:		 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:	   fa
  Heap right redzone:	   fb
  Freed heap region:	   fd
  Stack left redzone:	   f1
  Stack mid redzone:	   f2
  Stack right redzone:	   f3
  Stack partial redzone:   f4
  Stack after return:	   f5
  Stack use after scope:   f8
  Global redzone:	   f9
  Global init order:	   f6
  Poisoned by user:	   f7
  Contiguous container OOB:fc
  ASan internal:	   fe
==12037==ABORTING

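As an added illustration, not Thunderbird's code and not the attached patch, here is the bug shape the ASAN report above shows (a Release() inside OnEndExecution() drops the last reference, the object is freed, and a member 148 bytes into the freed region is then read) next to the fix shape the patch title describes. `Runner`, `Listener` and `OnStopOperation` are hypothetical stand-ins for nsMsgFilterAfterTheFact, nsIMsgOperationListener and the callback/Release sequence in the trace. The "free" is simulated by overwriting the object with 0xC3 rather than returning it to the allocator, so the garbage value can be observed without real undefined behaviour; that is the same fill byte that made the bad value visible to the reporter as 0xC3C3C3C3... in JS.

```cpp
// Added example, not Thunderbird code: use-after-free via self-Release in a
// member function, and the "save the value before Release()" fix.
#include <cstdint>
#include <cstdio>
#include <cstring>

// Simulated free: poison the object with 0xC3 instead of calling delete.
// (glibc's mallopt(M_PERTURB, v) fills freed chunks with the low byte of v,
// which is how the reporter made this value show up.) Real code frees here.
constexpr unsigned char kFreeFill = 0xC3;
constexpr uint32_t kPoisonedWord = 0xC3C3C3C3u;
static int g_simulatedFrees = 0;   // objects that reached refcount 0

struct Runner;

// Hypothetical listener: holds its own reference on the runner and drops it
// when told the operation is over, like the listener in the trace.
struct Listener {
  Runner* held = nullptr;
  uint32_t lastStatus = 0;
  void OnStopOperation(uint32_t status);
};

// Refcounted worker, kept trivially copyable (no virtuals, no bool members)
// so that memset-poisoning it is well defined.
struct Runner {
  uint32_t mRefCnt;
  uint32_t mStatus;      // the member read after the free in the buggy path
  Listener* mListener;

  void Init(Listener* l, uint32_t status) {
    mRefCnt = 1;         // self-reference held for the lifetime of the run
    mStatus = status;
    mListener = l;
    if (l) { l->held = this; ++mRefCnt; }
  }

  void AddRef() { ++mRefCnt; }

  void Release() {
    if (--mRefCnt == 0) {
      ++g_simulatedFrees;
      std::memset(this, kFreeFill, sizeof *this);   // "free": poison *this
    }
  }

  // BUGGY shape: the listener drops its reference in the callback, Release()
  // drops the self-reference, the object is freed, and mStatus is then read
  // from the freed region. This is the heap-use-after-free ASAN flagged.
  uint32_t OnEndExecutionBuggy() {
    if (mListener) mListener->OnStopOperation(mStatus);
    Release();           // last reference gone: *this is now freed
    return mStatus;      // use after free: yields kPoisonedWord here
  }

  // FIXED shape ("save a to-be-freed value for later use"): copy what is still
  // needed into locals before anything that can drop the last reference, and
  // touch no member of *this after Release().
  uint32_t OnEndExecutionFixed() {
    const uint32_t status = mStatus;
    Listener* listener = mListener;
    if (listener) listener->OnStopOperation(status);
    Release();
    return status;
  }
};

void Listener::OnStopOperation(uint32_t status) {
  lastStatus = status;
  if (held) {            // drop the reference this listener owned
    Runner* r = held;
    held = nullptr;
    r->Release();
  }
}

// What the caller of OnEndExecution got back, what the listener saw, and how
// many simulated frees happened during the run.
struct Outcome {
  uint32_t returned;
  uint32_t listenerSaw;
  int frees;
};

Outcome RunBuggy(uint32_t status) {
  g_simulatedFrees = 0;
  Listener l;
  Runner r;
  r.Init(&l, status);
  uint32_t ret = r.OnEndExecutionBuggy();
  return Outcome{ret, l.lastStatus, g_simulatedFrees};
}

Outcome RunFixed(uint32_t status) {
  g_simulatedFrees = 0;
  Listener l;
  Runner r;
  r.Init(&l, status);
  uint32_t ret = r.OnEndExecutionFixed();
  return Outcome{ret, l.lastStatus, g_simulatedFrees};
}

int main() {
  const uint32_t kStatus = 0x80004005u;   // NS_ERROR_FAILURE as a sample nsresult
  Outcome b = RunBuggy(kStatus);
  Outcome f = RunFixed(kStatus);
  std::printf("buggy: returned 0x%08X (listener saw 0x%08X, frees %d)\n",
              b.returned, b.listenerSaw, b.frees);
  std::printf("fixed: returned 0x%08X (listener saw 0x%08X, frees %d)\n",
              f.returned, f.listenerSaw, f.frees);
  return (b.returned == kPoisonedWord && f.returned == kStatus) ? 0 : 1;
}
```

The two methods differ only in when `mStatus` and `mListener` are read; both drop the same references in the same order. Without a fill pattern or ASAN the buggy path would usually return the stale-but-unchanged value and look correct, which is why the defect can sit unnoticed until an allocator poisons freed memory.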

I think your analysis is correct about
releasing from the look of the stack.

It does not look like a serious issue, and a simple fix would be enough.

But this ASAN build is a powerful tool.
(Valgrind/memcheck doesn't run at this moment. It can check even the JIT-generated code
from the JS interpreter/compiler, but unless it can run successfully,
it is not very useful at this moment :-(
I found several memory issues using valgrind/memcheck before, and so
I hope it will be fixed in the not-too-distant future...
[I filed a bug for valgrind, and the issue will be looked into:
https://bugs.kde.org/show_bug.cgi?id=345414
])

TIA
Here is a patch.
This fixes the issue of referencing the freed area.
ASAN did not complain and the particular tests have passed.

I am running |make mozmill| just to be sure that there are no other issues.

I hope this is going to help us make TB a better/safer software.

TIA
Attachment #8582810 - Flags: review?(rkent)
QA Contact: ishikawa
Assignee: nobody → ishikawa
QA Contact: ishikawa
I assigned this to me (Sorry for QA contact noise. My mouse slipped...)
BTW, once the patch is accepted, I think it is OK to clear the security flag.
This is not something easy to exploit, etc. if I am not mistaken.
(Of course, we can wait until the version with the patch is released just to play it safe.)
|make mozmill| and |make xpcshell-tests| ran just fine with the patch.
So there are no other memory-related issues that ASAN could catch.
(ASAN can't catch the misbehavior of JIT-generated code, I think.)

TIA
Attachment #8582810 - Flags: review?(rkent) → review+
Comment on attachment 8582810 [details] [diff] [review]
save a to-be-freed value for later use

Checked in https://hg.mozilla.org/comm-central/rev/831c95685e21

We'll push to comm-aurora after a nightly cycle.
Attachment #8582810 - Flags: approval-comm-aurora?
Status: NEW → RESOLVED
Closed: 5 years ago
OS: Linux → All
Hardware: x86_64 → All
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird 39.0
Comment on attachment 8582810 [details] [diff] [review]
save a to-be-freed value for later use

http://hg.mozilla.org/releases/comm-aurora/rev/c91007a6f7b3
Attachment #8582810 - Flags: approval-comm-aurora? → approval-comm-aurora+
(In reply to Kent James (:rkent) from comment #10)
> Comment on attachment 8582810 [details] [diff] [review]
> save a to-be-freed value for later use
> 
> http://hg.mozilla.org/releases/comm-aurora/rev/c91007a6f7b3

Thank you for the quick fix!
Group: core-security → core-security-release
Group: core-security-release