Closed
Bug 1177367
Opened 9 years ago
Closed 9 years ago
AddressSanitizer (invalid READ of size 4) GetMostRecentDestWindow widget/gtk/nsDragService.h:105
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(firefox39 wontfix, firefox40 wontfix, firefox41 fixed, firefox42 verified, firefox-esr38 wontfix, b2g-v2.0 unaffected, b2g-v2.0M unaffected, b2g-v2.1 unaffected, b2g-v2.1S unaffected, b2g-v2.2 unaffected, b2g-v2.2r unaffected, b2g-master unaffected)
RESOLVED
FIXED
mozilla42
People
(Reporter: rs, Assigned: jimm)
References
(Blocks 1 open bug, )
Details
(Keywords: sec-moderate, Whiteboard: [adv-main41-])
Attachments
(1 file, 1 obsolete file)
patch, 1.22 KB
Flags: bugzilla: review+; ritu: approval-mozilla-beta+
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.130 Safari/537.36

Steps to reproduce:

firefox-41.0a1 ASAN debug build. Related to GetMostRecentDestWindow; no testcase, so if anyone wants to take a look, thanks.

Actual results:

=================================================================
==1667==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d000231158 at pc 0x7f4974d6ab25 bp 0x7ffff908ce90 sp 0x7ffff908ce88
READ of size 4 at 0x60d000231158 thread T0 (Web Content)
    #0 0x7f4974d6ab24 in GetMostRecentDestWindow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105
    #1 0x7f4974d6ab24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630
    #2 0x7f49744f60dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917
    #3 0x7f49744ac401 in CreateWidget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:3374
    #4 0x7f49744ac401 in nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:845
    #5 0x7f4971801967 in nsObjectLoadingContent::InstantiatePluginInstance(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:788
    #6 0x7f497180abea in nsObjectLoadingContent::LoadObject(bool, bool, nsIRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:2385
    #7 0x7f4971807c6a in nsObjectLoadingContent::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:1127
    #8 0x7f496fcbd174 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:492
    #9 0x7f496fcc6c69 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:482
    #10 0x7f496fcc5e0a in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:407
    #11 0x7f4970200630 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PHttpChannelChild.cpp:529
    #12 0x7f49707793b8 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:5337
    #13 0x7f4970084c42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #14 0x7f4970082656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #15 0x7f49700762b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #16 0x7f497001af94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #17 0x7f497001af94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #18 0x7f497001c047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #19 0x7f497008bee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #20 0x7f496f7bbb17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #21 0x7f496f83603a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7f497008b649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #25 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7f4974d12347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #27 0x7f4976b06582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #28 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7f4976b05c7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #32 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #33 0x7f496d266a3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #34 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x60d000231158 is located 8 bytes to the right of 144-byte region [0x60d0002310c0,0x60d000231150)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48d56d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f4974d34dfa in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/widget/../dist/include/mozilla/mozalloc.h:186
    #3 0x7f4974d34dfa in nsDragServiceProxyConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsContentProcessWidgetFactory.cpp:24
    #4 0x7f496f794911 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1223
    #5 0x7f496f78bf1a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1584
    #6 0x7f496f825771 in CallGetService /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #7 0x7f496f825771 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #8 0x7f496f81aa06 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #9 0x7f49716e54fb in nsCOMPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:514
    #10 0x7f49716e54fb in nsContentUtils::GetDragSession() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:5349
    #11 0x7f49755d9e2c in PresShell::ProcessSynthMouseMoveEvent(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:5456
    #12 0x7f4975607678 in PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.h:643
    #13 0x7f4975329a9d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1649
    #14 0x7f49753346ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #15 0x7f49753346ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #16 0x7f4975333f5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #17 0x7f4975333f5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #18 0x7f4975333f5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #19 0x7f4975bddaf0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #20 0x7f497057ec12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #21 0x7f497010c15c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #22 0x7f4970084c42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #23 0x7f4970082656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #24 0x7f49700762b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #25 0x7f497001af94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #26 0x7f497001af94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #27 0x7f497001c047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #28 0x7f497008bee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #29 0x7f496f7bbb17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #30 0x7f496f83603a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7f497008b649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #32 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7f4974d12347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #36 0x7f4976b06582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #37 0x7f4970019b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7f4970019b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7f4970019b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7f4976b05c7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105 GetMostRecentDestWindow
Shadow bytes around the buggy address:
  0x0c1a8003e1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a8003e1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a8003e1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa 00 00
  0x0c1a8003e200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e210: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c1a8003e220: 00 00 00 00 00 00 00 00 00 00 fa[fa]fa fa fa fa
  0x0c1a8003e230: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e240: 00 00 00 fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c1a8003e250: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1a8003e260: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a8003e270: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==1667==ABORTING
Reporter
Comment 1•9 years ago
The problem occurs when you click on a page that usually has enough content to load, or is slow (which is easy to do, and I shared a real example). When you click e.g. on a pager (page 2), and while the following content is loading, you go back and click on the previous page using the pager (page 1, before we proceed to load page 2). I've tried also here: http://www.dafont.com/fr/theme.php?cat=402&page=12 Doing exactly the same. So it's valid also to reproduce the error. Click on page 11 and then click again on page 12. Obviously prevent cached pages for testing (so you can just try to load different numbers for testing).
Updated•9 years ago
Comment 2•9 years ago
drag and drop and plugin related? e10s related?
Component: Untriaged → Plug-ins
Flags: needinfo?(bugs)
Product: Firefox → Core
Updated•9 years ago
Flags: needinfo?(aklotz)
Comment 3•9 years ago
I don't quite understand this. Does plugin code create GTK Widget on child process, not PuppetWidget?
Flags: needinfo?(bugs)
Comment 4•9 years ago
Oh, we do something silly in nsDragService::GetInstance(). Hardcoding to use drag service based on NS_DRAGSERVICE_CID and then static_cast that to the gtk's implementation.
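The cast comment 4 describes, modelled as an added example (this is not Firefox's own code; the class and method names are borrowed from the bug, while the bodies, the member layout, and the CreateDragService and ClearIfMostRecentDestWindow helpers are assumptions constructed for the example). The component manager hands back whichever class is registered for the CID in the current process, so a static_cast to the GTK subclass reads members that a nsDragServiceProxy never had, which is exactly the read past a 144-byte region that ASan reports above; a checked downcast fails closed instead.

```cpp
// Added example, not Firefox code: toy model of a service looked up by CID
// and wrongly static_cast to one concrete implementation.
#include <cstddef>
#include <memory>

struct GdkWindow { int id; };  // stand-in for the GTK window type (assumption)

// Interface every process can hand out for NS_DRAGSERVICE_CID.
class nsIDragService {
public:
    virtual ~nsIDragService() = default;
    virtual bool IsProxy() const = 0;
};

// Content-process (e10s) implementation: forwards to the parent and carries
// none of the GTK-specific state. Modelled as a small object on purpose.
class nsDragServiceProxy final : public nsIDragService {
public:
    bool IsProxy() const override { return true; }
private:
    int mPendingRequests = 0;
};

// Parent-process GTK implementation with the per-window state that
// GetMostRecentDestWindow() reads. Member layout is an assumption.
class nsDragService final : public nsIDragService {
public:
    bool IsProxy() const override { return false; }
    GdkWindow* GetMostRecentDestWindow() const { return mTargetWindow; }
    void SetMostRecentDestWindow(GdkWindow* w) { mTargetWindow = w; }
private:
    int mTargetDragContextSnapshot = 0;
    GdkWindow* mTargetWindow = nullptr;  // sits past the end of a proxy object
};

// Stand-in for the component manager: the concrete class behind the CID
// depends on the process type, not on what the caller expects.
static std::unique_ptr<nsIDragService> CreateDragService(bool contentProcess) {
    if (contentProcess) return std::make_unique<nsDragServiceProxy>();
    return std::make_unique<nsDragService>();
}

// BUGGY pattern from comment 4: assumes the CID always resolves to the GTK
// class. When the object is really a nsDragServiceProxy, dereferencing the
// result reads outside the allocation, so the test below never dereferences
// it for a proxy; it only shows the cast agrees with the checked one when
// the assumption holds.
static nsDragService* GetInstanceUnchecked(nsIDragService* svc) {
    return static_cast<nsDragService*>(svc);
}

// HARDENED: refuse the downcast unless the object is the GTK implementation.
static nsDragService* GetInstanceChecked(nsIDragService* svc) {
    return dynamic_cast<nsDragService*>(svc);
}

// Caller shaped like the nsWindow::Destroy() frame in the trace: only touch
// GTK-specific state when the checked lookup actually returned it.
// Returns true when the dying window was cleared from the drag service.
static bool ClearIfMostRecentDestWindow(nsIDragService* svc, GdkWindow* dying) {
    nsDragService* gtk = GetInstanceChecked(svc);
    if (!gtk) return false;                                  // content process
    if (gtk->GetMostRecentDestWindow() != dying) return false;
    gtk->SetMostRecentDestWindow(nullptr);
    return true;
}
```

In the content process the checked lookup returns nullptr and the caller simply skips the GTK bookkeeping; in the parent process both casts yield the same pointer and the window is cleared as before.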
Comment 5•9 years ago
But I still don't understand why we have gtk widget in child process. Is that something plugins code need?
Comment 6•9 years ago
This should fix the crash, but I really don't understand why we have non-PuppetWidget here. Do we support dnd on plugins, also in e10s?
Updated•9 years ago
Flags: needinfo?(aklotz) → needinfo?(jmathies)
Assignee
Comment 7•9 years ago
    #1 0x7f4974d6ab24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630
    #2 0x7f49744f60dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917

Looks like:
1) we try to create an e10s plugin widget here - https://dxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#2818
2) either content, window, topWindow, or tc are unexpectedly null.
3) we fall through to code we shouldn't fall through to here - https://dxr.mozilla.org/mozilla-central/source/dom/plugins/base/nsPluginInstanceOwner.cpp#2862
Flags: needinfo?(jmathies)
Assignee
Comment 8•9 years ago
This is with e10s correct? If not my synopsis makes no sense.
Flags: needinfo?(rs)
Assignee
Updated•9 years ago
Assignee: nobody → jmathies
Reporter
Comment 9•9 years ago
right, I'm using a firefox-41.0a1 ASAN debug build with the default preferences, hence e10s is enabled by default.
Flags: needinfo?(rs)
Reporter
Comment 10•9 years ago
crashing again:

=================================================================
==19779==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60d0000ccda8 at pc 0x7f227d9e0b25 bp 0x7fffd087bc90 sp 0x7fffd087bc88
READ of size 4 at 0x60d0000ccda8 thread T0 (Web Content)
    #0 0x7f227d9e0b24 in GetMostRecentDestWindow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105
    #1 0x7f227d9e0b24 in nsWindow::Destroy() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsWindow.cpp:630
    #2 0x7f227d16c0dc in nsPluginInstanceOwner::CreateWidget() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginInstanceOwner.cpp:2917
    #3 0x7f227d122401 in CreateWidget /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:3374
    #4 0x7f227d122401 in nsPluginHost::InstantiatePluginInstance(nsACString_internal const&, nsIURI*, nsObjectLoadingContent*, nsPluginInstanceOwner**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/plugins/base/nsPluginHost.cpp:845
    #5 0x7f227a477967 in nsObjectLoadingContent::InstantiatePluginInstance(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:788
    #6 0x7f227a480bea in nsObjectLoadingContent::LoadObject(bool, bool, nsIRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:2385
    #7 0x7f227a47dc6a in nsObjectLoadingContent::OnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsObjectLoadingContent.cpp:1127
    #8 0x7f2278933174 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:492
    #9 0x7f227893cc69 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:482
    #10 0x7f227893be0a in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, bool const&, bool const&, unsigned int const&, nsCString const&, nsCString const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/netwerk/protocol/http/HttpChannelChild.cpp:407
    #11 0x7f2278e76630 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PHttpChannelChild.cpp:529
    #12 0x7f22793ef3b8 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PContentChild.cpp:5337
    #13 0x7f2278cfac42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #14 0x7f2278cf8656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #15 0x7f2278cec2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #16 0x7f2278c90f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #17 0x7f2278c90f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #18 0x7f2278c92047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #19 0x7f2278d01ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #20 0x7f2278431b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #21 0x7f22784ac03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #22 0x7f2278d01649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #23 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #24 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #25 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #26 0x7f227d988347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #27 0x7f227f77c582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #28 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #29 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #30 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #31 0x7f227f77bc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #32 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #33 0x7f2275edca3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #34 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x60d0000ccda8 is located 8 bytes to the right of 144-byte region [0x60d0000ccd10,0x60d0000ccda0)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48d56d in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f227d9aadfa in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/widget/../dist/include/mozilla/mozalloc.h:186
    #3 0x7f227d9aadfa in nsDragServiceProxyConstructor(nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsContentProcessWidgetFactory.cpp:24
    #4 0x7f227840a911 in nsComponentManagerImpl::CreateInstanceByContractID(char const*, nsISupports*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1223
    #5 0x7f2278401f1a in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/components/nsComponentManager.cpp:1584
    #6 0x7f227849b771 in CallGetService /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:67
    #7 0x7f227849b771 in nsGetServiceByContractID::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsComponentManagerUtils.cpp:280
    #8 0x7f2278490a06 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsCOMPtr.cpp:103
    #9 0x7f227a35b4fb in nsCOMPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/base/../../dist/include/nsCOMPtr.h:514
    #10 0x7f227a35b4fb in nsContentUtils::GetDragSession() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsContentUtils.cpp:5349
    #11 0x7f227e24fe2c in PresShell::ProcessSynthMouseMoveEvent(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:5456
    #12 0x7f227e27d678 in PresShell::nsSynthMouseMoveEvent::WillRefresh(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.h:643
    #13 0x7f227df9fa9d in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1649
    #14 0x7f227dfaa6ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #15 0x7f227dfaa6ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #16 0x7f227dfa9f5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #17 0x7f227dfa9f5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #18 0x7f227dfa9f5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #19 0x7f227e853af0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #20 0x7f22791f4c12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #21 0x7f2278d8215c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #22 0x7f2278cfac42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #23 0x7f2278cf8656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #24 0x7f2278cec2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #25 0x7f2278c90f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #26 0x7f2278c90f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #27 0x7f2278c92047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #28 0x7f2278d01ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #29 0x7f2278431b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #30 0x7f22784ac03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #31 0x7f2278d01649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #32 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7f227d988347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #36 0x7f227f77c582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #37 0x7f2278c8fb1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7f2278c8fb1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7f2278c8fb1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7f227f77bc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614

SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/gtk/nsDragService.h:105 GetMostRecentDestWindow
Shadow bytes around the buggy address:
  0x0c1a80011960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011970: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119a0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c1a800119b0: 00 00 00 00 fa[fa]fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a800119d0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1a800119e0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c1a800119f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1a80011a00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==19779==ABORTING
[Parent 19586] WARNING: pipe error (61): Connection reset by peer: file /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 459
###!!! [Parent][MessageChannel] Error: (msgtype=0x20007A,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x980018,name=PPluginScriptableObject::Msg_Unprotect) Channel error: cannot send/recv
Flags: needinfo?(jmathies)
Assignee
Comment 11•9 years ago
OK, I'll take this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jmathies)
Updated•9 years ago
Keywords: sec-moderate
Assignee
Comment 12•9 years ago
Attachment #8627833 -
Attachment is obsolete: true
Attachment #8630069 -
Flags: review?(aklotz)
Assignee
Updated•9 years ago
Attachment #8630069 -
Flags: sec-approval?
Assignee
Updated•9 years ago
Updated•9 years ago
Attachment #8630069 -
Flags: review?(aklotz) → review+
Reporter
Comment 13•9 years ago
Is there a CVE number assigned?
Comment 14•9 years ago
(In reply to Francisco A. from comment #13)
> Is there a CVE number assigned?

When there is a CVE number assigned, it will be included in the summary. You can see an example of this in bug 851781. CVE numbers are usually assigned by abillings closer to the end of the release cycle where we release the fix.
Reporter
Comment 15•9 years ago
Thanks Andrew, just asking to know if it was assigned via the internal CVE pool.
Comment 16•9 years ago
Comment on attachment 8630069 [details] [diff] [review] patch

This doesn't need sec-approval+ as a sec-moderate.
Attachment #8630069 -
Flags: sec-approval?
Comment 17•9 years ago
(In reply to Francisco A. from comment #15)
> Thanks Andrew, just asking to know if was asigned via internal CVE pool.

We have a list of CVE numbers. I assign them the week or so before we ship the release with the fix.
Assignee
Comment 18•9 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=49779b88e820
Keywords: checkin-needed
Comment 19•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/914364a18846

Going off code inspection, marking esr38 as affected as well.
status-firefox39:
--- → wontfix
status-firefox-esr38:
--- → affected
tracking-firefox-esr38:
--- → ?
Keywords: checkin-needed
Updated•9 years ago
Flags: sec-bounty?
Updated•9 years ago
Flags: sec-bounty? → sec-bounty+
Comment 21•9 years ago
Looks like this could use Beta/esr38 approval requests.
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-v2.2r:
--- → unaffected
status-b2g-master:
--- → unaffected
Flags: needinfo?(jmathies)
Target Milestone: --- → mozilla42
Assignee
Comment 22•9 years ago
Comment on attachment 8630069 [details] [diff] [review] patch

Approval Request Comment
[Feature/regressing bug #]: e10s plugin work that landed last fall
[User impact if declined]: rare tab crashes.
[Describe test coverage new/current, TreeHerder]: on mc for two months, in aurora.
[Risks and why]: none
[String/UUID change made/needed]: none

The esr approval form said it had to be sec-critical, so I didn't request.
Flags: needinfo?(jmathies)
Attachment #8630069 -
Flags: approval-mozilla-beta?
Comment on attachment 8630069 [details] [diff] [review] patch

Since this is circumventing a crash by returning an error flag, it is safe to uplift to Beta41. In general, for the remainder of the cycle, I would be very cautious approving uplifts to Beta41 that are e10s related given that it is not enabled by default in 41. Thanks!
Attachment #8630069 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 25•9 years ago
Backed out for bustage:
https://treeherder.mozilla.org/logviewer.html#?job_id=486433&repo=mozilla-beta
https://hg.mozilla.org/releases/mozilla-beta/rev/38954707ed7d
Flags: needinfo?(jmathies)
Comment 26•9 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/5f5ea5959499
Flags: needinfo?(jmathies)
Updated•9 years ago
Group: core-security → core-security-release
Updated•9 years ago
Flags: qe-verify+
Comment 27•9 years ago
Unable to reproduce this issue on the 41.0a1 ASan debug build, under Ubuntu 13.10 64-bit and 14.04 64-bit, with the STR from comment 1 and different heavy-content websites; same result with the 41.0a1 debug build on Mac OS X 10.9.5. Francisco, could you please check whether this issue is fixed?
Flags: needinfo?(rs)
Reporter
Comment 28•9 years ago
I tried the patches and they looked good; it must be fixed.
Flags: needinfo?(rs)
Updated•9 years ago
Updated•9 years ago
Whiteboard: [adv-main41+]
Updated•9 years ago
Alias: CVE-2015-4513
Updated•9 years ago
Flags: qe-verify+
Updated•9 years ago
Alias: CVE-2015-4513
Whiteboard: [adv-main41+] → [adv-main41-]
Updated•8 years ago
Group: core-security-release
Updated•4 years ago
Blocks: asan-maintenance
Updated•2 years ago
Product: Core → Core Graveyard