Bug 1185820 (CVE-2015-4492)

Use After Free in XMLHttpRequest::Open()

RESOLVED FIXED in Firefox 40

Status


defect
critical
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: loobenyang, Assigned: baku)

Tracking

({csectype-uaf, sec-high})

42 Branch
mozilla42
Other
Windows 7
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(firefox39 wontfix, firefox40 fixed, firefox41 fixed, firefox42 fixed, firefox-esr31 wontfix, firefox-esr3840+ fixed, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S fixed, b2g-v2.2 fixed, b2g-v2.2r fixed, b2g-master fixed)

Details

(Whiteboard: [adv-main40+][adv-esr38.2+])

Attachments

(2 attachments, 1 obsolete attachment)

Using XMLHttpRequest in Web Workers can lead to a Use After Free.

Firefox version: 42.0a1 (2015-07-16)
OS: Windows 7 64 bit

Steps to reproduce: 
1. Run server side script Uaf_XMLHttpRequest_Open.js in Node.js (node Uaf_XMLHttpRequest_Open.js).
2. Enter http://localhost:12345 in Firefox browser.
3. Firefox crashes in XMLHttpRequest::Open():


First-chance exception at 0x10AFD112 (xul.dll) in firefox.exe: 0xC0000005: Access violation writing location 0x0000005D.
Unhandled exception at 0x10AFD112 (xul.dll) in firefox.exe: 0xC0000005: Access violation writing location 0x0000005D.

The variables:

+		mProxy	{mRawPtr=0x5a5a5a5a {mWorkerPrivate=??? mXMLHttpRequestPrivate=??? mMozAnon=??? ...} }	nsRefPtr<mozilla::dom::workers::Proxy>
+		mWorkerPrivate	0x5a5a5a5a {mDebugger={mRawPtr=??? } mControlQueue={mStorage1={...} mStorage2={...} mFront=??? ...} ...}	mozilla::dom::workers::WorkerPrivate *
-		this	0x1e722100 {mUpload={mRawPtr=0x1c202118 {mXHR={mRawPtr=0x00000000 <NULL> } } } mWorkerPrivate=0x5a5a5a5a {...} ...}	mozilla::dom::workers::XMLHttpRequest *
+		nsXHREventTarget	{...}	nsXHREventTarget
+		mozilla::dom::workers::WorkerFeature	{...}	mozilla::dom::workers::WorkerFeature
+		mUpload	{mRawPtr=0x1c202118 {mXHR={mRawPtr=0x00000000 <NULL> } } }	nsRefPtr<mozilla::dom::workers::XMLHttpRequestUpload>
+		mWorkerPrivate	0x5a5a5a5a {mDebugger={mRawPtr=??? } mControlQueue={mStorage1={...} mStorage2={...} mFront=??? ...} ...}	mozilla::dom::workers::WorkerPrivate *
+		mProxy	{mRawPtr=0x5a5a5a5a {mWorkerPrivate=??? mXMLHttpRequestPrivate=??? mMozAnon=??? ...} }	nsRefPtr<mozilla::dom::workers::Proxy>
		mResponseType	0x5a5a5a5a	mozilla::dom::XMLHttpRequestResponseType
+		mStateData	{mResponseText={...} mResponseURL={...} mStatus=0x5a5a5a5a ...}	mozilla::dom::workers::XMLHttpRequest::StateData
		mTimeout	0x00000000	unsigned int
		mRooted	true (0x82)	bool
		mBackgroundRequest	true (0xff)	bool
		mWithCredentials	true (0xff)	bool
		mCanceled	true (0xff)	bool
		mMozAnon	false	bool
		mMozSystem	false	bool

0x1E722100  5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a c8 8b c2 11 dc 8b c2 11 01 00 00 00 40 11 71 00 18 21


The address byte pattern 0x5a5a5a5a indicates a Use After Free. The memory of the object was prematurely released in runnable->Dispatch(mWorkerPrivate->GetJSContext()).


The full call stack:

>	xul.dll!mozilla::dom::workers::XMLHttpRequest::Open(const nsACString_internal & aMethod, const nsAString_internal & aUrl, bool aAsync, const mozilla::dom::Optional<nsAString_internal> & aUser, const mozilla::dom::Optional<nsAString_internal> & aPassword, mozilla::ErrorResult & aRv) Line 1959	C++
 	xul.dll!mozilla::dom::XMLHttpRequestBinding_workers::open(JSContext * cx, JS::Handle<JSObject *> obj, mozilla::dom::workers::XMLHttpRequest * self, const JSJitMethodCallArgs & args) Line 2169	C++
 	xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2577	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 720	C++
 	xul.dll!Interpret(JSContext * cx, js::RunState & state) Line 2972	C++
 	xul.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 661	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 741	C++
 	xul.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 775	C++
 	xul.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 4585	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv) Line 260	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>(nsISupports * const & thisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, const char * aExecutionReason, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling, JSCompartment * aCompartment) Line 351	C++
 	xul.dll!mozilla::JSEventHandler::HandleEvent(nsIDOMEvent * aEvent) Line 216	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener * aListener, nsIDOMEvent * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget) Line 995	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventInternal(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 1145	C++
 	xul.dll!mozilla::EventListenerManager::HandleEvent(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 330	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor & aVisitor, mozilla::ELMCreationDetector & aCd) Line 209	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem> & aChain, mozilla::EventChainPostVisitor & aVisitor, mozilla::EventDispatchingCallback * aCallback, mozilla::ELMCreationDetector & aCd) Line 301	C++
 	xul.dll!mozilla::EventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, mozilla::EventDispatchingCallback * aCallback, nsTArray<mozilla::dom::EventTarget *> * aTargets) Line 638	C++
 	xul.dll!mozilla::EventDispatcher::DispatchDOMEvent(nsISupports * aTarget, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 700	C++
 	xul.dll!nsWindowRoot::DispatchDOMEvent(mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 97	C++
 	xul.dll!`anonymous namespace'::EventRunnable::WorkerRun(JSContext * aCx, mozilla::dom::workers::WorkerPrivate * aWorkerPrivate) Line 1428	C++
 	xul.dll!mozilla::dom::workers::WorkerRunnable::Run() Line 363	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 867	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 277	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() Line 6190	C++
 	xul.dll!`anonymous namespace'::WorkerThreadProxySyncRunnable::Dispatch(JSContext * aCx) Line 547	C++
 	xul.dll!mozilla::dom::workers::XMLHttpRequest::Open(const nsACString_internal & aMethod, const nsAString_internal & aUrl, bool aAsync, const mozilla::dom::Optional<nsAString_internal> & aUser, const mozilla::dom::Optional<nsAString_internal> & aPassword, mozilla::ErrorResult & aRv) Line 1958	C++
 	xul.dll!mozilla::dom::XMLHttpRequestBinding_workers::open(JSContext * cx, JS::Handle<JSObject *> obj, mozilla::dom::workers::XMLHttpRequest * self, const JSJitMethodCallArgs & args) Line 2169	C++
 	xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2577	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 720	C++
 	xul.dll!Interpret(JSContext * cx, js::RunState & state) Line 2972	C++
 	xul.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 661	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 741	C++
 	xul.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 775	C++
 	xul.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 4585	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv) Line 260	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>(nsISupports * const & thisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, const char * aExecutionReason, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling, JSCompartment * aCompartment) Line 351	C++
 	xul.dll!mozilla::JSEventHandler::HandleEvent(nsIDOMEvent * aEvent) Line 216	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener * aListener, nsIDOMEvent * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget) Line 995	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventInternal(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 1145	C++
 	xul.dll!mozilla::EventListenerManager::HandleEvent(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 330	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor & aVisitor, mozilla::ELMCreationDetector & aCd) Line 209	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem> & aChain, mozilla::EventChainPostVisitor & aVisitor, mozilla::EventDispatchingCallback * aCallback, mozilla::ELMCreationDetector & aCd) Line 301	C++
 	xul.dll!mozilla::EventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, mozilla::EventDispatchingCallback * aCallback, nsTArray<mozilla::dom::EventTarget *> * aTargets) Line 638	C++
 	xul.dll!mozilla::EventDispatcher::DispatchDOMEvent(nsISupports * aTarget, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 700	C++
 	xul.dll!nsWindowRoot::DispatchDOMEvent(mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 97	C++
 	xul.dll!mozilla::dom::workers::XMLHttpRequest::DispatchPrematureAbortEvent(mozilla::dom::EventTarget * aTarget, const nsAString_internal & aEventType, bool aUploadTarget, mozilla::ErrorResult & aRv) Line 1834	C++
 	xul.dll!mozilla::dom::workers::XMLHttpRequest::MaybeDispatchPrematureAbortEvents(mozilla::ErrorResult & aRv) Line 1767	C++
 	xul.dll!mozilla::dom::workers::XMLHttpRequest::Open(const nsACString_internal & aMethod, const nsAString_internal & aUrl, bool aAsync, const mozilla::dom::Optional<nsAString_internal> & aUser, const mozilla::dom::Optional<nsAString_internal> & aPassword, mozilla::ErrorResult & aRv) Line 1942	C++
 	xul.dll!mozilla::dom::XMLHttpRequestBinding_workers::open(JSContext * cx, JS::Handle<JSObject *> obj, mozilla::dom::workers::XMLHttpRequest * self, const JSJitMethodCallArgs & args) Line 2169	C++
 	xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2577	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 720	C++
 	xul.dll!Interpret(JSContext * cx, js::RunState & state) Line 2972	C++
 	xul.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 661	C++
 	xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 741	C++
 	xul.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 775	C++
 	xul.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 4585	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv) Line 260	C++
 	xul.dll!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>(nsISupports * const & thisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, const char * aExecutionReason, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling, JSCompartment * aCompartment) Line 351	C++
 	xul.dll!mozilla::JSEventHandler::HandleEvent(nsIDOMEvent * aEvent) Line 216	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener * aListener, nsIDOMEvent * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget) Line 995	C++
 	xul.dll!mozilla::EventListenerManager::HandleEventInternal(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 1145	C++
 	xul.dll!mozilla::EventListenerManager::HandleEvent(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 330	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor & aVisitor, mozilla::ELMCreationDetector & aCd) Line 209	C++
 	xul.dll!mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem> & aChain, mozilla::EventChainPostVisitor & aVisitor, mozilla::EventDispatchingCallback * aCallback, mozilla::ELMCreationDetector & aCd) Line 301	C++
 	xul.dll!mozilla::EventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, mozilla::EventDispatchingCallback * aCallback, nsTArray<mozilla::dom::EventTarget *> * aTargets) Line 638	C++
 	xul.dll!mozilla::EventDispatcher::DispatchDOMEvent(nsISupports * aTarget, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 700	C++
 	xul.dll!nsWindowRoot::DispatchDOMEvent(mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 97	C++
 	xul.dll!`anonymous namespace'::EventRunnable::WorkerRun(JSContext * aCx, mozilla::dom::workers::WorkerPrivate * aWorkerPrivate) Line 1428	C++
 	xul.dll!mozilla::dom::workers::WorkerRunnable::Run() Line 363	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 867	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 277	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext * aCx) Line 5367	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2838	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 867	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 277	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 326	C++
 	xul.dll!MessageLoop::RunHandler() Line 228	C++
 	xul.dll!MessageLoop::Run() Line 202	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 362	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 419	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	msvcr120.dll!__beginthreadex()	Unknown
 	msvcr120.dll!__endthreadex()	Unknown
 	kernel32.dll!@BaseThreadInitThunk@12()	Unknown
 	ntdll.dll!___RtlUserThreadStart@8()	Unknown
 	ntdll.dll!__RtlUserThreadStart@8()	Unknown
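As an added illustration (not Gecko code and not this bug's patch) of the sequence the stacks above show: Open() enters a nested sync loop through Dispatch(), the cycle collector reclaims the XHR object inside that loop, and Open() then uses `this` after it has been freed. The model is C++ with hypothetical WorkerXHR, StrongRef and poisoned-slot stand-ins; the hardened variant holds a strong reference across the nested loop, which is the general mitigation for this hazard class and is not a claim about what crash.patch does.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <functional>
#include <new>
#include <utility>
#include <vector>

// Hypothetical stand-in for the worker's pending-event queue: everything queued
// here runs inside the nested sync loop, like RunCurrentSyncLoop() does inside
// WorkerThreadProxySyncRunnable::Dispatch() in the stacks above.
static std::vector<std::function<void()>> gPendingEvents;

// Constructed stand-in for the heap: one fixed slot that is filled with 0x5a on
// free, the same pattern the crash dump above shows for the freed XHR object.
// The bytes stay valid storage, so the demo is deterministic rather than a crash.
static alignas(16) unsigned char gSlot[64];
static bool gSlotLive = false;

// Minimal RAII strong reference, modelled on Gecko's RefPtr (hypothetical).
template <class T>
struct StrongRef {
    T* p;
    explicit StrongRef(T* x) : p(x) { p->AddRef(); }
    ~StrongRef() { p->Release(); }
    StrongRef(const StrongRef&) = delete;
    StrongRef& operator=(const StrongRef&) = delete;
};

// Hypothetical model of the worker-side XMLHttpRequest object.
struct WorkerXHR {
    int mRefCnt = 0;
    uint32_t mResponseType = 0;

    void AddRef() { ++mRefCnt; }
    void Release() {
        if (--mRefCnt == 0) {
            // Last reference gone: the allocator reclaims and poisons the slot
            // (the role the cycle collector's FreeSnowWhite played mid-Open()).
            std::memset(gSlot, 0x5a, sizeof gSlot);
            gSlotLive = false;
        }
    }

    static WorkerXHR* Create() {
        std::memset(gSlot, 0, sizeof gSlot);
        gSlotLive = true;
        return new (gSlot) WorkerXHR();
    }

    // Drain the queue, the way the nested sync loop runs queued event
    // runnables (and the script's handlers) before Dispatch() returns.
    static void RunSyncLoop() {
        std::vector<std::function<void()>> events = std::move(gPendingEvents);
        gPendingEvents.clear();
        for (auto& run : events) run();
    }

    // Vulnerable shape: dispatch synchronously, then keep using `this`.
    uint32_t OpenVulnerable() {
        mResponseType = 1;
        RunSyncLoop();          // can drop the last reference to `this`
        return mResponseType;   // reads the poisoned slot if that happened
    }

    // Hardened shape: own a strong reference for the whole call, so the
    // object cannot be reclaimed until Open() has finished with it.
    uint32_t OpenHardened() {
        StrongRef<WorkerXHR> keepAlive(this);
        mResponseType = 1;
        RunSyncLoop();
        return mResponseType;   // still 1: `this` lives until keepAlive dies
    }
};

// Scenario from the report: while Open() is on the stack, the nested loop runs
// code that drops the owner's (last) reference to the XHR object.
static uint32_t RunScenario(bool hardened) {
    WorkerXHR* xhr = WorkerXHR::Create();
    xhr->AddRef();                                          // the owner's reference
    gPendingEvents.push_back([xhr] { xhr->Release(); });    // dropped mid-dispatch
    return hardened ? xhr->OpenHardened() : xhr->OpenVulnerable();
}

static bool SlotLive() { return gSlotLive; }

int main() {
    std::printf("vulnerable Open() read: 0x%08x\n", RunScenario(false));
    std::printf("hardened   Open() read: 0x%08x\n", RunScenario(true));
    return 0;
}
```

The vulnerable call returns the 0x5a5a5a5a fill pattern, the same value the debugger shows for mResponseType in the crash above; the hardened call returns the value Open() wrote.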
Posted patch crash.patch (obsolete)
Attachment #8636654 - Flags: review?(khuey)
Assignee: nobody → amarchesini
In the official Linux ASan build, I did see a Use After Free report. The stack further proves that there is a premature deallocation in runnable->Dispatch(mWorkerPrivate->GetJSContext()).

    #15 0x7f44944ba1c5 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #16 0x7f44944ba1c5 in (anonymous namespace)::WorkerThreadProxySyncRunnable::Dispatch(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:547
    #17 0x7f44944bc880 in mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1958



Firefox version: 42.0a1 (2015-07-13)

Asan report:
=================================================================
==3451==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110003b3c80 at pc 0x7f448f27a0e5 bp 0x7f446d10f120 sp 0x7f446d10f118
READ of size 8 at 0x6110003b3c80 thread T25 (DOM Worker)
    #0 0x7f448f27a0e4 in SetCapacity /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:656
    #1 0x7f448f27a0e4 in SetCapacity /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:644
    #2 0x7f448f27a0e4 in SetLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:696
    #3 0x7f448f27a0e4 in Truncate /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.h:738
    #4 0x7f448f27a0e4 in nsAString_internal::Assign(nsAString_internal const&, mozilla::fallible_t const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:406
    #5 0x7f448f2628d4 in nsAString_internal::Assign(nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:390
    #6 0x7f44944c2f5c in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/workers/../../dist/include/nsTString.h:86
    #7 0x7f44944c2f5c in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.h:37
    #8 0x7f44944c2f5c in mozilla::dom::workers::XMLHttpRequest::UpdateState(mozilla::dom::workers::XMLHttpRequest::StateData const&, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:2490
    #9 0x7f44944c9cfb in (anonymous namespace)::EventRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1377
    #10 0x7f44944698e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #11 0x7f448f3a3437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #12 0x7f448f411aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #13 0x7f4494448523 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5363
    #14 0x7f44943e2b67 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2836
    #15 0x7f448f3a3437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #16 0x7f448f411aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #17 0x7f448fc75758 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #18 0x7f448fc01d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #19 0x7f448fc01d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #20 0x7f448fc01d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #21 0x7f448f39f8c1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #22 0x7f449c168135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #23 0x7f449c7a8181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #24 0x7f448cee330c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6110003b3c80 is located 128 bytes inside of 232-byte region [0x6110003b3c00,0x6110003b3ce8)
freed by thread T25 (DOM Worker) here:
    #0 0x474da1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f448f2a04dd in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638
    #2 0x7f448f2a010e in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806
    #3 0x7f448f2a6da9 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3783
    #4 0x7f448f2a638d in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3608
    #5 0x7f448f2a99ea in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4107
    #6 0x7f448f2936cc in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1214
    #7 0x7f4498a393fc in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6168
    #8 0x7f4498a41500 in gc /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6224
    #9 0x7f4498a41500 in JS::GCForReason(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:7069
    #10 0x7f4494459866 in mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:7077
    #11 0x7f4494494f8b in (anonymous namespace)::GarbageCollectRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:2126
    #12 0x7f44944698e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #13 0x7f449444a235 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5856
    #14 0x7f4494451768 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6173
    #15 0x7f44944ba1c5 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #16 0x7f44944ba1c5 in (anonymous namespace)::WorkerThreadProxySyncRunnable::Dispatch(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:547
    #17 0x7f44944bc880 in mozilla::dom::workers::XMLHttpRequest::Open(nsACString_internal const&, nsAString_internal const&, bool, mozilla::dom::Optional<nsAString_internal> const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1958
    #18 0x7f44929cd808 in mozilla::dom::XMLHttpRequestBinding_workers::open(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./XMLHttpRequestBinding.cpp:2167
    #19 0x7f449313a417 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/bindings/BindingUtils.cpp:2571
    #20 0x7f4497ea6113 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #21 0x7f4497ea6113 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #22 0x7f4497ee51ca in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2972
    #23 0x7f4497ec55b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #24 0x7f4497ea68e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:738
    #25 0x7f4497e4a0a3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:775
    #26 0x7f449897d2bf in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4585
    #27 0x7f4492cc6975 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #28 0x7f44934fd15e in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:351
    #29 0x7f44934fd15e in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:215
    #30 0x7f44934bb768 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:995
    #31 0x7f44934bd0f5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1144
    #32 0x7f44934acc71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299
    #33 0x7f44934b1062 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:635

previously allocated by thread T25 (DOM Worker) here:
    #0 0x474fa1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48dc4d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f44944b9768 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/workers/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7f44944b9768 in mozilla::dom::workers::XMLHttpRequest::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::MozXMLHttpRequestParameters const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/XMLHttpRequest.cpp:1662
    #4 0x7f44929ce505 in mozilla::dom::XMLHttpRequestBinding_workers::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./XMLHttpRequestBinding.cpp:3175
    #5 0x7f4497ef693e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #6 0x7f4497ef693e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #7 0x7f4497ef693e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:816
    #8 0x7f4497ee51b9 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2969
    #9 0x7f4497ec55b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #10 0x7f4497ef8108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #11 0x7f4497ef8768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #12 0x7f449897b77e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #13 0x7f44943da6c5 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1730
    #14 0x7f44944698e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #15 0x7f448f3a3437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #16 0x7f448f411aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #17 0x7f4494451997 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6187
    #18 0x7f44943c2c64 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #19 0x7f44943c2c64 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1811
    #20 0x7f44943c359e in mozilla::dom::workers::scriptloader::Load(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<nsString> const&, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1934
    #21 0x7f44927ec24a in mozilla::dom::WorkerGlobalScopeBinding_workers::importScripts(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:422
    #22 0x7f44927e5290 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1191
    #23 0x7f4497ea6113 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #24 0x7f4497ea6113 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #25 0x7f4497ee51ca in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2972
    #26 0x7f4497ec55b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #27 0x7f4497ea68e0 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:738
    #28 0x7f4497e4a0a3 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:775
    #29 0x7f449897d2bf in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4585
    #30 0x7f4492cc6975 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./EventHandlerBinding.cpp:259
    #31 0x7f44934fd15e in Call<nsISupports *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/mozilla/dom/EventHandlerBinding.h:351
    #32 0x7f44934fd15e in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/JSEventHandler.cpp:215
    #33 0x7f44934bb768 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:995
    #34 0x7f44934bd0f5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1144
    #35 0x7f44934acc71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:299

Thread T25 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461815 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f449c164abd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f449c16463a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f448f3a0e8d in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f44944b3c9a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f44943b6d20 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1741
    #6 0x7f44943b4004 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1580
    #7 0x7f4494446eae in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4924
    #8 0x7f44943bd193 in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2463
    #9 0x7f44943bca21 in mozilla::dom::workers::RuntimeService::CreateSharedWorkerInternal(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2414
    #10 0x7f449442e39a in CreateSharedWorker /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.h:157
    #11 0x7f449442e39a in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/SharedWorker.cpp:69
    #12 0x7f4492451590 in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./SharedWorkerBinding.cpp:233
    #13 0x7f4497ef693e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #14 0x7f4497ef693e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #15 0x7f4497ef693e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:816
    #16 0x7f4497ef72e1 in js::InvokeConstructor(JSContext*, JS::Value, unsigned int, JS::Value const*, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:835
    #17 0x7f449838f147 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineIC.cpp:9845
    #18 0x7f44983ada4d in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:124
    #19 0x7f44983aeda7 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:228
    #20 0x7f4497eea479 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2031
    #21 0x7f4497ec55b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #22 0x7f4497ef8108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #23 0x7f4497ef8768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #24 0x7f449897b77e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #25 0x7f449897bfab in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4448
    #26 0x7f44917de1f4 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #27 0x7f44917dee51 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #28 0x7f449185f94f in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1143
    #29 0x7f449185d061 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:970
    #30 0x7f4491856b93 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:764
    #31 0x7f44918521ee in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:141
    #32 0x7f4490c421b4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #33 0x7f4490c421b4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:662
    #34 0x7f4490c406a1 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:487
    #35 0x7f4490c46b8b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #36 0x7f448f3a3437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #37 0x7f448f411aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #38 0x7f448fc74649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #39 0x7f448fc01d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #40 0x7f448fc01d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #41 0x7f448fc01d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #42 0x7f4494901017 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #43 0x7f4496764312 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #44 0x7f448fc01d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #45 0x7f448fc01d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #46 0x7f448fc01d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #47 0x7f4496763a09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #48 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #49 0x7f448ce09ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/string/nsTSubstring.cpp:656 SetCapacity
Shadow bytes around the buggy address:
  0x0c228006e740: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02
  0x0c228006e750: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228006e760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228006e770: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228006e780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c228006e790:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
  0x0c228006e7a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c228006e7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228006e7c0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c228006e7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c228006e7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
==3451==ABORTING

###!!! [Parent][MessageChannel] Error: (msgtype=0x200081,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Flags: sec-bounty?
Comment on attachment 8636654 [details] [diff] [review]
crash.patch

Review of attachment 8636654 [details] [diff] [review]:
-----------------------------------------------------------------

mOpening needs to be renamed (mOpenCount perhaps) and reordered with the other uint32_t variables.  Also you should remove the comment, this is a security bug after all.
Attachment #8636654 - Flags: review?(khuey) → review+
Posted patch crash.patchSplinter Review
[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Easy. A test is attached.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Yes. But just to be clear: we should not count the recursion using a boolean but a uint32. Then call ReleaseProxy() only when the first open() is completed.

Which older supported branches are affected by this flaw?

This is a continuation/regression of bug 1166924. So we should land this patch wherever the other patch landed: everywhere.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Easy to backport.

How likely is this patch to cause regressions; how much testing does it need?

I would say: none.
Attachment #8636654 - Attachment is obsolete: true
Attachment #8639795 - Flags: sec-approval?
We don't normally take tests in these security check-ins, as doing so zero-days us. We'd need to check this in without the test.

I'm not sure this can go in until two weeks into the next release. We've run out of room to take new fixes for the release in a couple of weeks because of a lack of betas. 

I'm setting needinfo? on lmandel for his opinion.
Flags: needinfo?(lmandel)
We have one beta left this cycle, which gtb on Thursday. We really don't have much room to account for regressions. If this change can reasonably wait until the next cycle, I think that's the best approach from the release perspective.
Flags: needinfo?(lmandel)
Comment on attachment 8639795 [details] [diff] [review]
crash.patch

On some reflection, I think we should take this. Please get this into trunk and then nominate Beta, Aurora, and ESR38 patches. I'd like to get this into tomorrow's Beta build.
Flags: needinfo?(amarchesini)
Attachment #8639795 - Flags: sec-approval? → sec-approval+
This needs to be checked in *without* the test though.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/13588e7747b1
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
This backports cleanly to all supported branches, FWIW.
Comment on attachment 8639795 [details] [diff] [review]
crash.patch

[Approval Request Comment]
User impact if declined: A crash
Fix Landed on Version: 41 ?
Risk to taking this patch (and alternatives if risky): no big risks. The patch is simple: instead of a boolean, we use a uint32.
String or UUID changes made by this patch: none

[Approval Request Comment]
Bug caused by (feature/regressing bug #): XHR in workers
Testing completed: no tests. It's racy.
Flags: needinfo?(amarchesini)
Attachment #8639795 - Flags: approval-mozilla-esr38?
Attachment #8639795 - Flags: approval-mozilla-beta?
Attachment #8639795 - Flags: approval-mozilla-aurora?
Comment on attachment 8639795 [details] [diff] [review]
crash.patch

Going on Al's advice, we'll take this fix in the final beta of the 40 cycle and in ESR 38.2.0. Beta+ Aurora+ ESR38+
Attachment #8639795 - Flags: approval-mozilla-esr38?
Attachment #8639795 - Flags: approval-mozilla-esr38+
Attachment #8639795 - Flags: approval-mozilla-beta?
Attachment #8639795 - Flags: approval-mozilla-beta+
Attachment #8639795 - Flags: approval-mozilla-aurora?
Attachment #8639795 - Flags: approval-mozilla-aurora+
Thanks for the prompt fix guys!

- Looben
Alias: CVE-2015-4492
Whiteboard: [adv-main40+][adv-esr38.2+]
Using the .js attached I came up with these results:

Reproduced with old Nightly 2015-07-20
https://crash-stats.mozilla.com/report/index/cbf789cd-772b-4eb5-9298-f762d2150803
https://crash-stats.mozilla.com/report/index/a9308e81-25c3-4eef-9f16-d917b2150803

Also I did reproduce on latest builds (see below), not every time though; sometimes closing the tab with http://localhost:12345 generated the crash.

Windows 7 64-bit:
- latest Nightly
bp-c7fed119-ffac-409d-9fac-d3eee2150803
- latest Aurora
bp-16a29a45-0b93-472d-9b28-ad5ff2150803
- Firefox 40 beta 9
bp-859af877-1c56-4ae8-970b-051772150803
- latest tinderbox 38ESR 
bp-0c33dd61-7189-47be-b383-912f32150803
which I don't think is related to this bug

Ubuntu 14.04 32-bit:
- Firefox 40 beta 9
bp-5e2c9854-dbe2-48ae-bdac-831592150803

Mac OS X 10.10.4:
- latest Nightly:
bp-721e7240-ee75-4457-be25-635032150803
bp-2ab7c8bc-ea28-4120-a435-b4a182150803
- latest Aurora
Did not receive a crash; maybe if I had kept the tab open for longer it would have crashed as well.
- Firefox 40 beta 9
bp-f7b7b76e-c177-48d8-ab39-df1a12150803
- latest tinderbox 38ESR
bp-c1ca93a0-4f52-4322-810b-47eaf2150803

Any ideas why?
https://crash-stats.mozilla.com/report/index/be1b9d3d-4f3d-47fe-9042-47b122150803
Flags: needinfo?(amarchesini)
Flags: sec-bounty? → sec-bounty+
Since Andrea is on PTO for another week, can anyone else review Bogdan's test results in comment 17, as it seems the crash still reproduces.
Flags: needinfo?(khuey)
Flags: needinfo?(abillings)
Is it the same crash?

Kamil or Matt, can you take a look?
Flags: needinfo?(mwobensmith)
Flags: needinfo?(kjozwiak)
Flags: needinfo?(abillings)
I couldn't check it across every branch/OS, but I was able to see this a few times. So, I can confirm what Bogdan sees in comment 17.

Mac Aurora 41.0a2:
https://crash-stats.mozilla.com/report/index/41b040d8-4ab5-443b-b510-e146a2150806

Win7, 40.0b9:
https://crash-stats.mozilla.com/report/index/a2f48faf-456f-4bc2-868f-3adac2150806
Flags: needinfo?(mwobensmith)
What does the crash look like on an ASan build?
The crashes in comment 20 look like null+offset crashes.
Also the ones in comment 17.
mProxy is null?
(In reply to Andrew McCreight [:mccr8] from comment #21)
> What does the crash look like on an ASan build?

Using the following asan m-c build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1438856161/

=================================================================
==4819==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000054 (pc 0x7fcdab001ac5 sp 0x7fcd848d5bc0 bp 0x7fcd848d5c50 T32)
ASAN:SIGSEGV
==4819==AddressSanitizer: while reporting a bug found another one. Ignoring.
    #0 0x7fcdab001ac4 in Open XMLHttpRequest.cpp:1970
    #1 0x7fcda93bb518 in open XMLHttpRequestBinding.cpp:2200
    #2 0x7fcda9c23967 in GenericBindingMethod BindingUtils.cpp:2599
    #3 0x7fcdaea118f3 in CallJSNative jscntxtinlines.h:235
    #4 0x7fcdaea608d4 in Interpret Interpreter.cpp:3035
    #5 0x7fcdaea32d97 in RunScript Interpreter.cpp:714
    #6 0x7fcdaea120c8 in Invoke Interpreter.cpp:791
    #7 0x7fcdae9b1ca3 in Invoke Interpreter.cpp:828
    #8 0x7fcdaf56fd7f in Call jsapi.cpp:4628
    #9 0x7fcda9762c9f in Call EventHandlerBinding.cpp:259
    #10 0x7fcdaa009669 in Call<nsISupports *> EventHandlerBinding.h:351
    #11 0x7fcda9fc590c in HandleEventSubType EventListenerManager.cpp:998
    #12 0x7fcda9fc7160 in HandleEventInternal EventListenerManager.cpp:1147
    #13 0x7fcda9fb6b11 in HandleEventTargetChain EventDispatcher.cpp:299
    #14 0x7fcda9fbafca in Dispatch EventDispatcher.cpp:635
    #15 0x7fcda9f93e25 in DispatchDOMEvent EventDispatcher.cpp:699
    #16 0x7fcdab00e947 in WorkerRun XMLHttpRequest.cpp:1427
    #17 0x7fcdaafab7a4 in Run WorkerRunnable.cpp:359
    #18 0x7fcda5d8a0d7 in ProcessNextEvent nsThread.cpp:867
    #19 0x7fcda5df831a in NS_ProcessNextEvent nsThreadUtils.cpp:277
    #20 0x7fcdaaf93347 in RunCurrentSyncLoop WorkerPrivate.cpp:6253
    #21 0x7fcdaafff3e5 in Run WorkerPrivate.h:1568
    #22 0x7fcdab001a84 in Open XMLHttpRequest.cpp:1961
    #23 0x7fcda93bb518 in open XMLHttpRequestBinding.cpp:2200
    #24 0x7fcda9c23967 in GenericBindingMethod BindingUtils.cpp:2599
    #25 0x7fcdaea118f3 in CallJSNative jscntxtinlines.h:235
    #26 0x7fcdaea608d4 in Interpret Interpreter.cpp:3035
    #27 0x7fcdaea32d97 in RunScript Interpreter.cpp:714
    #28 0x7fcdaea120c8 in Invoke Interpreter.cpp:791
    #29 0x7fcdae9b1ca3 in Invoke Interpreter.cpp:828
    #30 0x7fcdaf56fd7f in Call jsapi.cpp:4628
    #31 0x7fcda9762c9f in Call EventHandlerBinding.cpp:259
    #32 0x7fcdaa009669 in Call<nsISupports *> EventHandlerBinding.h:351
    #33 0x7fcda9fc590c in HandleEventSubType EventListenerManager.cpp:998
    #34 0x7fcda9fc7160 in HandleEventInternal EventListenerManager.cpp:1147
    #35 0x7fcda9fb6b11 in HandleEventTargetChain EventDispatcher.cpp:299
    #36 0x7fcda9fbafca in Dispatch EventDispatcher.cpp:635
    #37 0x7fcda9f93e25 in DispatchDOMEvent EventDispatcher.cpp:699
    #38 0x7fcdab0001d6 in DispatchPrematureAbortEvent XMLHttpRequest.cpp:1837
    #39 0x7fcdaafff95f in MaybeDispatchPrematureAbortEvents XMLHttpRequest.cpp:1769
    #40 0x7fcdab0010fb in Open XMLHttpRequest.cpp:1944
    #41 0x7fcda93bb518 in open XMLHttpRequestBinding.cpp:2200
    #42 0x7fcda9c23967 in GenericBindingMethod BindingUtils.cpp:2599
    #43 0x7fcdaea118f3 in CallJSNative jscntxtinlines.h:235
    #44 0x7fcdaea608d4 in Interpret Interpreter.cpp:3035
    #45 0x7fcdaea32d97 in RunScript Interpreter.cpp:714
    #46 0x7fcdaea120c8 in Invoke Interpreter.cpp:791
    #47 0x7fcdae9b1ca3 in Invoke Interpreter.cpp:828
    #48 0x7fcdaf56fd7f in Call jsapi.cpp:4628
    #49 0x7fcda9762c9f in Call EventHandlerBinding.cpp:259
    #50 0x7fcdaa009669 in Call<nsISupports *> EventHandlerBinding.h:351
    #51 0x7fcda9fc590c in HandleEventSubType EventListenerManager.cpp:998
    #52 0x7fcda9fc7160 in HandleEventInternal EventListenerManager.cpp:1147
    #53 0x7fcda9fb6b11 in HandleEventTargetChain EventDispatcher.cpp:299
    #54 0x7fcda9fbafca in Dispatch EventDispatcher.cpp:635
    #55 0x7fcda9f93e25 in DispatchDOMEvent EventDispatcher.cpp:699
    #56 0x7fcdab00e947 in WorkerRun XMLHttpRequest.cpp:1427
    #57 0x7fcdaafab7a4 in Run WorkerRunnable.cpp:359
    #58 0x7fcda5d8a0d7 in ProcessNextEvent nsThread.cpp:867
    #59 0x7fcda5df831a in NS_ProcessNextEvent nsThreadUtils.cpp:277
    #60 0x7fcdaaf89dd3 in DoRunLoop WorkerPrivate.cpp:5416
    #61 0x7fcdaaf21147 in Run RuntimeService.cpp:2866
    #62 0x7fcda5d8a0d7 in ProcessNextEvent nsThread.cpp:867
    #63 0x7fcda5df831a in NS_ProcessNextEvent nsThreadUtils.cpp:277
    #64 0x7fcda6669f58 in Run MessagePump.cpp:355
    #65 0x7fcda65f5d8c in RunInternal message_loop.cc:234
    #66 0x7fcda5d864f5 in ThreadFunc nsThread.cpp:360
    #67 0x7fcdb2d804b5 in _pt_root ptthread.c:212
    #68 0x7fcdb33bf181 in start_thread pthread_create.c:312 (discriminator 2)
    #69 0x7fcda38bd47c in clone clone.S:111

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
Thread T32 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461855 in __interceptor_pthread_create _asan_rtl_
    #1 0x7fcdb2d7ce3d in _PR_CreateThread ptthread.c:453
    #2 0x7fcdb2d7c9ba in PR_CreateThread ptthread.c:544
    #3 0x7fcda5d87aed in Init nsThread.cpp:470
    #4 0x7fcdaaff8c5a in Create WorkerThread.cpp:90
    #5 0x7fcdaaef4f40 in ScheduleWorker RuntimeService.cpp:1744
    #6 0x7fcdaaef2234 in RegisterWorker RuntimeService.cpp:1583
    #7 0x7fcdaaf88762 in Constructor WorkerPrivate.cpp:4977
    #8 0x7fcdaaefb3b3 in CreateSharedWorkerFromLoadInfo RuntimeService.cpp:2490
    #9 0x7fcdaaefac4f in CreateSharedWorkerInternal RuntimeService.cpp:2441
    #10 0x7fcdaaf6f65a in CreateSharedWorker RuntimeService.h:157
    #11 0x7fcda8edd873 in _constructor SharedWorkerBinding.cpp:240
    #12 0x7fcdaea81aee in CallJSNative jscntxtinlines.h:235
    #13 0x7fcdaea608c0 in Interpret Interpreter.cpp:3032
    #14 0x7fcdaea32d97 in RunScript Interpreter.cpp:714
    #15 0x7fcdaea832b8 in ExecuteKernel Interpreter.cpp:955
    #16 0x7fcdaea83918 in Execute Interpreter.cpp:988
    #17 0x7fcdaf56e253 in Evaluate jsapi.cpp:4464
    #18 0x7fcdaf56ea6b in Evaluate jsapi.cpp:4491
    #19 0x7fcda823b2f4 in EvaluateString nsJSUtils.cpp:224
    #20 0x7fcda823bf51 in EvaluateString nsJSUtils.cpp:286
    #21 0x7fcda82bf60f in EvaluateScript nsScriptLoader.cpp:1143
    #22 0x7fcda82bcd45 in ProcessRequest nsScriptLoader.cpp:970
    #23 0x7fcda82b6893 in ProcessScriptElement nsScriptLoader.cpp:764
    #24 0x7fcda82b1eee in MaybeProcessScript nsScriptElement.cpp:142
    #25 0x7fcda7675da4 in operator-> nsIScriptElement.h:221
    #26 0x7fcda7674291 in RunFlushLoop nsHtml5TreeOpExecutor.cpp:487
    #27 0x7fcda767a66b in Run nsHtml5StreamParser.cpp:127
    #28 0x7fcda5d8a0d7 in ProcessNextEvent nsThread.cpp:867
    #29 0x7fcda5df831a in NS_ProcessNextEvent nsThreadUtils.cpp:277
    #30 0x7fcda6668e49 in Run MessagePump.cpp:95
    #31 0x7fcda65f5d8c in RunInternal message_loop.cc:234
    #32 0x7fcdab451417 in Run nsBaseAppShell.cpp:165
    #33 0x7fcdad297f32 in XRE_RunAppShell nsEmbedFunctions.cpp:785
    #34 0x7fcda65f5d8c in RunInternal message_loop.cc:234
    #35 0x7fcdad297629 in XRE_InitChildProcess nsEmbedFunctions.cpp:621
    #36 0x48d670 in content_process_main plugin-container.cpp:237
    #37 0x7fcda37e4ec4 in __libc_start_main libc-start.c:287

==4819==ABORTING
Flags: needinfo?(kjozwiak)
Hmm. Well, at least it is an actual null crash and not just a UAF that looks like one. Thanks for checking that.
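An added model of the re-entrancy described in the sec-approval request above and in the null-crash follow-up here. It is example code written for this page, not Gecko code and not the patch attached to this bug; `ModelXhr`, its two `Guard` modes, the reference-count bookkeeping, and the choice of a failing nested `open("")` plus the script dropping its reference as the trigger are this example's assumptions. What it takes from the thread is the shape: `open()` runs a sync loop, a script handler delivered in that loop calls `open()` again, the nested call's failure path releases the proxy and drops the pin that keeps the XHR alive, and the outer frame then resumes on an object that may already be freed. A bool `mOpening` cannot tell the nested frame from the outermost one, so the nested frame releases; a `uint32` depth count releases only when the first `open()` completes. The re-check of the proxy after the nested call returns is the caveat the later null-deref reports suggest; the page does not show whether the landed patch contains it.

```cpp
// Example model for bug 1185820, not Gecko code. Names and refcount
// bookkeeping are invented; only the re-entrant open() shape is from the bug.
#include <cstdint>
#include <cstdio>
#include <functional>
#include <string>

class ModelXhr {
public:
    enum class Guard { BoolFlag, Counter };   // BoolFlag = before the fix
    explicit ModelXhr(Guard g) : guard_(g) {}

    // Script handler delivered inside open()'s sync loop; it may re-enter open().
    std::function<void(ModelXhr&)> onEvent;

    // Returns true when the request was opened. An empty URL stands in for the
    // main-thread OpenRunnable reporting failure (assumption of this model).
    bool open(const std::string& url) {
        if (!hasProxy()) { hasProxy_ = true; ++refs_; }   // a new Proxy pins the XHR
        enter();
        if (onEvent) onEvent(*this);                      // nested events run here
        bool ok = !url.empty();
        if (!ok) {
            if (leave()) releaseProxy();   // only the outermost frame may release
            return false;
        }
        // Caveat from the follow-up reports: a nested call may have torn the
        // proxy down, so re-check before using it. On a freed object even this
        // member read is the use-after-free.
        if (!hasProxy()) { leave(); return false; }
        leave();
        return true;
    }

    // Script drops its reference and a GC runs: last ref gone means freed.
    void releaseScriptRef() { if (--refs_ == 0) destroyed_ = true; }

    int useAfterFree() const { return useAfterFree_; }

private:
    void enter() {
        if (guard_ == Guard::Counter) ++openCount_; else opening_ = true;
    }
    // True when, according to the guard, no open() frame remains active.
    bool leave() {
        if (guard_ == Guard::Counter) return --openCount_ == 0;
        opening_ = false;   // the nested frame wrongly reports "all done"
        return true;
    }
    bool hasProxy() {
        if (destroyed_) ++useAfterFree_;   // member read on freed `this`
        return hasProxy_;
    }
    void releaseProxy() {
        if (!hasProxy_) return;
        hasProxy_ = false;
        if (--refs_ == 0) destroyed_ = true;   // unpin: may free the XHR
    }

    Guard    guard_;
    bool     opening_ = false;
    uint32_t openCount_ = 0;
    bool     hasProxy_ = false;
    int      refs_ = 1;          // the script's own reference
    bool     destroyed_ = false;
    int      useAfterFree_ = 0;
};

struct Replay { int useAfterFree; bool outerOpened; };

// Outer open(); the handler re-enters once with a failing open() and then
// lets the script reference go, as a GC racing the sync loop would.
static Replay replay(ModelXhr::Guard g) {
    ModelXhr xhr(g);
    bool reentered = false;
    xhr.onEvent = [&reentered](ModelXhr& x) {
        if (reentered) return;
        reentered = true;
        x.open("");               // nested open() that fails
        x.releaseScriptRef();     // script drops its reference
    };
    bool ok = xhr.open("http://localhost:12345/");   // URL from the report
    return Replay{xhr.useAfterFree(), ok};
}

int main() {
    Replay b = replay(ModelXhr::Guard::BoolFlag);
    Replay c = replay(ModelXhr::Guard::Counter);
    std::printf("bool flag : freed-object accesses=%d outer open ok=%d\n",
                b.useAfterFree, (int)b.outerOpened);
    std::printf("uint32 cnt: freed-object accesses=%d outer open ok=%d\n",
                c.useAfterFree, (int)c.outerOpened);
    return 0;
}
```

In the boolean mode the nested frame's `leave()` answers "nothing is open", the proxy is released, the script's reference was the last one, and the outer frame's next member read lands on a freed object. In the counter mode the nested `leave()` only drops the depth to one, the pin survives until the outermost frame finishes, and the outer `open()` completes normally.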
So is this considered fixed as it's a null crash rather than the original UAF? Should we create a new ticket that will address the null crash?
(In reply to Kamil Jozwiak [:kjozwiak] from comment #25)
> Should we create a new ticket that will address the null crash?

Yes, we should clone this into a new "null-crash" bug. For now keep it security-sensitive because it will have this same testcase, but mark the keywords "sec-other, csectype-nullptr"
Working on it.
Flags: needinfo?(amarchesini)
Flags: needinfo?(khuey)
Group: core-security → core-security-release
Group: core-security-release