Closed Bug 1187018 Opened 5 years ago Closed 5 years ago

Use After Free in Notification::ReleaseObject

Categories

(Core :: DOM: Core & HTML, defect, critical)

42 Branch
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla43
Tracking Status
firefox40 --- unaffected
firefox41 + verified
firefox42 + verified
firefox43 --- verified
firefox-esr38 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-v2.2r --- unaffected
b2g-master --- fixed

People

(Reporter: loobenyang, Assigned: nsm)

Details

(Keywords: regression, sec-critical, Whiteboard: [b2g-adv-main2.5-])

Attachments

(2 files, 1 obsolete file)

Firefox version: 42.0a1 (2015-07-22)
OS: Windows 8.1 64 bit

Reproduction test case (worker code; the full test case is attached as Uaf_NotificationReleaseObject_Repro.js):

WorkerCode += 'gc = function() \n';
WorkerCode += '{\n';
WorkerCode += '  for (var i = 0; i < 0x40000; ++i)\n';
WorkerCode += '    var s = new String("AAAA");\n';
WorkerCode += '};\n';

WorkerCode += 'var noti0 = new Notification("noti0");\n';
WorkerCode += 'try{ close();} catch(e){}\n';
WorkerCode += 'gc();gc();gc();\n';


Steps to reproduce:
1. Run the server-side script Uaf_NotificationReleaseObject_Repro.js in Node.js (node Uaf_NotificationReleaseObject_Repro.js).
2. Enter http://localhost:12345 in the Firefox browser.
3. Firefox crashes in Notification::ReleaseObject:


(1f08.2214): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=188ec9c8 ecx=5a5a5a5a edx=14f25018 esi=5a5a5a5a edi=14f25a00
eip=562318d8 esp=0e8fe0c8 ebp=0e8fe0d8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
xul!mozilla::dom::Notification::ReleaseObject+0x3:
562318d8 ff8ec4000000    dec     dword ptr [esi+0C4h] ds:002b:5a5a5b1e=????????


The byte pattern 5a5a5a5a indicates a Use After Free.

The full Windbg report:

0:057> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************


FAULTING_IP: 
xul!mozilla::dom::Notification::ReleaseObject+3 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\notification\notification.cpp @ 2053]
562318d8 ff8ec4000000    dec     dword ptr [esi+0C4h]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 562318d8 (xul!mozilla::dom::Notification::ReleaseObject+0x00000003)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 5a5a5b1e
Attempt to write to address 5a5a5b1e

CONTEXT:  00000000 -- (.cxr 0x0;r)
eax=00000001 ebx=188ec9c8 ecx=5a5a5a5a edx=14f25018 esi=5a5a5a5a edi=14f25a00
eip=562318d8 esp=0e8fe0c8 ebp=0e8fe0d8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
xul!mozilla::dom::Notification::ReleaseObject+0x3:
562318d8 ff8ec4000000    dec     dword ptr [esi+0C4h] ds:002b:5a5a5b1e=????????

FAULTING_THREAD:  00002214

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  5a5a5b1e

WRITE_ADDRESS:  5a5a5b1e 

FOLLOWUP_IP: 
xul!mozilla::dom::Notification::ReleaseObject+3 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\notification\notification.cpp @ 2053]
562318d8 ff8ec4000000    dec     dword ptr [esi+0C4h]

NTGLOBALFLAG:  0

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 6.3.9600.17029 (debuggers(dbg).140219-1702) x86fre

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_FILL_PATTERN_5a5a5a5a

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_FILL_PATTERN_5a5a5a5a

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_FILL_PATTERN_5a5a5a5a

LAST_CONTROL_TRANSFER:  from 56230c51 to 562318d8

STACK_TEXT:  
0e8fe0c8 56230c51 172e8000 172e8000 0e8fe130 xul!mozilla::dom::Notification::ReleaseObject+0x3
0e8fe0d8 5576b025 1498cc80 00000002 00000000 xul!mozilla::dom::NotificationFeature::Notify+0x52
0e8fe130 55267fc6 1498cc80 00000002 0ea03040 xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+0x502fbb
0e8fe1b8 55f67784 1498cc80 00000002 00000000 xul!mozilla::dom::workers::WorkerPrivate::NotifyInternal+0x80
0e8fe1d8 551dfa44 1498cc80 0e8fe204 18cfa820 xul!mozilla::dom::WorkerGlobalScopeBinding_workers::close+0x30
0e8fe21c 550b3d50 1498cc80 00000000 18cfa820 xul!mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod+0xce
0e8fe2ac 551ced6b 15fb1080 00000000 00000000 xul!js::Invoke+0x130
0e8ff1b8 556d5436 1498cc80 00000000 00000000 xul!Interpret+0x5eb
0e8ff228 5522de01 1498cc80 0e8ff270 1498cc80 xul!js::RunScript+0x1e6
0e8ff2f8 5522df81 0e8ff3a4 00000000 00f7d838 xul!js::Execute+0x1c6
0e8ff3a8 55548739 1725f9dc 56cfc69c 0ea070d0 xul!Evaluate+0x99
0e8ff4d8 5529b119 1498cc80 172e8000 1b59c880 xul!`anonymous namespace'::ScriptExecutorRunnable::WorkerRun+0x131
0e8ff5e4 5543a508 1726ea90 172e8000 00000000 xul!mozilla::dom::workers::WorkerRunnable::Run+0x13f
0e8ff6dc 5543b17a 1b59c880 00000000 0e8ff6f7 xul!nsThread::ProcessNextEvent+0x6ca
0e8ff6f8 55268b49 172e8000 14de2c40 00000000 xul!NS_ProcessNextEvent+0x1a
0e8ff720 55546e40 172e8000 165cee98 1498cc80 xul!mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop+0x15d
0e8ff74c 55280902 0e8ff770 00000001 00000000 xul!`anonymous namespace'::LoadAllScripts+0x72
0e8ff774 552808a4 00000000 0e8ff88c 5529b119 xul!mozilla::dom::workers::scriptloader::LoadMainScript+0x45
0e8ff780 5529b119 1498cc80 172e8000 1b59c880 xul!`anonymous namespace'::CompileScriptRunnable::WorkerRun+0x10
0e8ff88c 5543a508 165cee80 172e8000 00000000 xul!mozilla::dom::workers::WorkerRunnable::Run+0x13f
0e8ff984 5543b17a 1b59c880 00000000 0e8ff99f xul!nsThread::ProcessNextEvent+0x6ca
0e8ff9a0 55268df7 1498cc80 14f11000 14f1f8c0 xul!NS_ProcessNextEvent+0x1a
0e8ff9f4 552aa565 1498cc80 1b59c880 00000000 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xde
0e8ffb04 5543a508 14f1f8c0 1460cc80 0e8ffc01 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x107
0e8ffbfc 5543b17a 1b59c880 0e8ffc01 0e8ffc17 xul!nsThread::ProcessNextEvent+0x6ca
0e8ffc18 552b1195 1460cc80 1460cc80 1d416ae0 xul!NS_ProcessNextEvent+0x1a
0e8ffc3c 5543766b 1460cc80 54564d2c 1b59c880 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xab
0e8ffc74 55437ccd 1460cc80 00000001 1b59c800 xul!MessageLoop::RunHandler+0x20
0e8ffc94 552a781b 762d24f0 1d416a30 1d416ae0 xul!MessageLoop::Run+0x19
0e8ffcac 57638257 1b59c880 577ebfb4 1476d050 xul!nsThread::ThreadFunc+0x8c
0e8ffcc8 576379f5 1d416a30 0e8ffd0c 577ec01d nss3!_PR_NativeRunThread+0x8c
0e8ffcd4 577ec01d 1d416a30 54eb7b6c 577ebfb4 nss3!pr_root+0xd
0e8ffd0c 577ec001 577ebfb4 0e8ffd2c 762d7c04 MSVCR120!_callthreadstartex+0x1b
0e8ffd18 762d7c04 1476c8c0 762d7be0 74d1fd21 MSVCR120!_threadstartex+0x7c
0e8ffd2c 77adad1f 1476c8c0 7555aeba 00000000 KERNEL32!BaseThreadInitThunk+0x24
0e8ffd74 77adacea ffffffff 77ac0238 00000000 ntdll!__RtlUserThreadStart+0x2f
0e8ffd84 00000000 577ebfb4 1476c8c0 00000000 ntdll!_RtlUserThreadStart+0x1b


STACK_COMMAND:  .cxr 0x0 ; kb

FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\notification\notification.cpp

FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\notification\notification.cpp

FAULTING_SOURCE_LINE_NUMBER:  2053

SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  xul!mozilla::dom::Notification::ReleaseObject+3

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  55af9cef

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_FILL_PATTERN_5a5a5a5a_c0000005_xul.dll!mozilla::dom::Notification::ReleaseObject

BUCKET_ID:  APPLICATION_FAULT_INVALID_POINTER_WRITE_FILL_PATTERN_5a5a5a5a_xul!mozilla::dom::Notification::ReleaseObject+3

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:invalid_pointer_write_fill_pattern_5a5a5a5a_c0000005_xul.dll!mozilla::dom::notification::releaseobject

FAILURE_ID_HASH:  {c3d50fcb-bb4e-bb9d-12db-28f13a0bc910}

Followup: MachineOwner
---------
Flags: sec-bounty?
Flags: needinfo?(nsm.nikhil)
[Tracking Requested - why for this release]:
Looks like a sec-critical crash, and a regression from Bug 916893.
Blocks: 916893
Keywords: sec-critical
Assignee: nobody → nsm.nikhil
Flags: needinfo?(nsm.nikhil)
Attached patch: fix (obsolete)
Could you try this patch? I believe it should fix the crash.

The problem was we would keep around the feature even if adding it failed, but that was relied on by other assertions.
Just for your reference, I ran the exact same test case in the official Linux ASan build (Firefox version 42.0a1 (2015-07-13)); it did report a Use After Free:

=================================================================
==5376==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020000da7d8 at pc 0x7f30e9b717a4 bp 0x7f30c26f3230 sp 0x7f30c26f3228
READ of size 8 at 0x6020000da7d8 thread T27 (DOM Worker)
    #0 0x7f30e9b717a3 in mozilla::dom::NotificationFeature::Notify(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1638
    #1 0x7f30ea1d694e in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6057
    #2 0x7f30ea1d26e8 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6522
    #3 0x7f30e8574548 in mozilla::dom::WorkerGlobalScopeBinding_workers::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:174
    #4 0x7f30e856d290 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1191
    #5 0x7f30edc2e113 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #6 0x7f30edc2e113 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #7 0x7f30edc6d1ca in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2972
    #8 0x7f30edc4d5b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #9 0x7f30edc80108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #10 0x7f30edc80768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #11 0x7f30ee70377e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #12 0x7f30ea1626c5 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1730
    #13 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #14 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #15 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #16 0x7f30ea1d9997 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6187
    #17 0x7f30ea14ac64 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #18 0x7f30ea14ac64 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1811
    #19 0x7f30ea14a675 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1908
    #20 0x7f30ea21d0ac in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1136
    #21 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #22 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #23 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #24 0x7f30ea1d0523 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5363
    #25 0x7f30ea16ab67 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2836
    #26 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #27 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #28 0x7f30e59fd758 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #29 0x7f30e5989d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #30 0x7f30e5989d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #31 0x7f30e5989d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #32 0x7f30e51278c1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #33 0x7f30f1ef0135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #34 0x7f30f2530181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #35 0x7f30e2c6b30c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6020000da7d8 is located 8 bytes inside of 16-byte region [0x6020000da7d0,0x6020000da7e0)
freed by thread T27 (DOM Worker) here:
    #0 0x474da1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f30e9b74231 in operator() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/UniquePtr.h:489
    #2 0x7f30e9b74231 in reset /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/UniquePtr.h:308
    #3 0x7f30e9b74231 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/UniquePtr.h:278
    #4 0x7f30e9b74231 in UnregisterFeature /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1664
    #5 0x7f30e9b74231 in ReleaseObject /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1586
    #6 0x7f30e9b74231 in mozilla::dom::(anonymous namespace)::ReleaseNotificationControlRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:217
    #7 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #8 0x7f30ea1d2235 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5856
    #9 0x7f30ea1d9768 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6173
    #10 0x7f30ea1b2693 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #11 0x7f30ea1b2693 in mozilla::dom::workers::WorkerMainThreadRunnable::Dispatch(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:576
    #12 0x7f30e9b71621 in mozilla::dom::NotificationFeature::Notify(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1636
    #13 0x7f30ea1d694e in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6057
    #14 0x7f30ea1d26e8 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6522
    #15 0x7f30e8574548 in mozilla::dom::WorkerGlobalScopeBinding_workers::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:174
    #16 0x7f30e856d290 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1191
    #17 0x7f30edc2e113 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #18 0x7f30edc2e113 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:720
    #19 0x7f30edc6d1ca in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2972
    #20 0x7f30edc4d5b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #21 0x7f30edc80108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #22 0x7f30edc80768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #23 0x7f30ee70377e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #24 0x7f30ea1626c5 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1730
    #25 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #26 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #27 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #28 0x7f30ea1d9997 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6187
    #29 0x7f30ea14ac64 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #30 0x7f30ea14ac64 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1811
    #31 0x7f30ea14a675 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1908
    #32 0x7f30ea21d0ac in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1136
    #33 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #34 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #35 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #36 0x7f30ea1d0523 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5363
    #37 0x7f30ea16ab67 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2836

previously allocated by thread T27 (DOM Worker) here:
    #0 0x474fa1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48dc4d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f30e9b6a2b7 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7f30e9b6a2b7 in MakeUnique<mozilla::dom::NotificationFeature, mozilla::dom::Notification *> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/UniquePtr.h:642
    #4 0x7f30e9b6a2b7 in RegisterFeature /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1651
    #5 0x7f30e9b6a2b7 in AddRefObject /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1568
    #6 0x7f30e9b6a2b7 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:370
    #7 0x7f30e9b6a2b7 in mozilla::detail::UniqueSelector<mozilla::dom::NotificationRef>::SingleObject mozilla::MakeUnique<mozilla::dom::NotificationRef, nsRefPtr<mozilla::dom::Notification>&>(nsRefPtr<mozilla::dom::Notification>&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/UniquePtr.h:642
    #8 0x7f30e9b69508 in mozilla::dom::Notification::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::dom::NotificationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:684
    #9 0x7f30e7cde5e9 in mozilla::dom::NotificationBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./NotificationBinding.cpp:1694
    #10 0x7f30edc7e93e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #11 0x7f30edc7e93e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #12 0x7f30edc7e93e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:816
    #13 0x7f30edc6d1b9 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2969
    #14 0x7f30edc4d5b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #15 0x7f30edc80108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #16 0x7f30edc80768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #17 0x7f30ee70377e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #18 0x7f30ea1626c5 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1730
    #19 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #20 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #21 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #22 0x7f30ea1d9997 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6187
    #23 0x7f30ea14ac64 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1535
    #24 0x7f30ea14ac64 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1811
    #25 0x7f30ea14a675 in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1908
    #26 0x7f30ea21d0ac in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1136
    #27 0x7f30ea1f18e4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #28 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #29 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #30 0x7f30ea1d0523 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5363
    #31 0x7f30ea16ab67 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2836
    #32 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #33 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #34 0x7f30e59fd758 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #35 0x7f30e5989d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7f30e5989d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7f30e5989d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7f30e51278c1 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:360
    #39 0x7f30f1ef0135 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212

Thread T27 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461815 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f30f1eecabd in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7f30f1eec63a in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7f30e5128e8d in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7f30ea23bc9a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7f30ea13ed20 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1741
    #6 0x7f30ea13c004 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1580
    #7 0x7f30ea1ceeae in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4924
    #8 0x7f30ea1ce5a6 in Constructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4859
    #9 0x7f30ea1ce5a6 in mozilla::dom::workers::WorkerPrivate::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4800
    #10 0x7f30e8579417 in mozilla::dom::WorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerBinding.cpp:747
    #11 0x7f30edc7e93e in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #12 0x7f30edc7e93e in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #13 0x7f30edc7e93e in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:816
    #14 0x7f30edc6d1b9 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:2969
    #15 0x7f30edc4d5b4 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:661
    #16 0x7f30edc80108 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:902
    #17 0x7f30edc80768 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:935
    #18 0x7f30ee70377e in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4421
    #19 0x7f30ee703fab in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4448
    #20 0x7f30e75661f4 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #21 0x7f30e7566e51 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #22 0x7f30e75e794f in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1143
    #23 0x7f30e75e5061 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:970
    #24 0x7f30e75deb93 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:764
    #25 0x7f30e75da1ee in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:141
    #26 0x7f30e69ca1b4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #27 0x7f30e69ca1b4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:662
    #28 0x7f30e69c86a1 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:487
    #29 0x7f30e69ceb8b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #30 0x7f30e512b437 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:867
    #31 0x7f30e5199aea in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #32 0x7f30e59fc649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #33 0x7f30e5989d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #34 0x7f30e5989d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #35 0x7f30e5989d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #36 0x7f30ea689017 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:165
    #37 0x7f30ec4ec312 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #38 0x7f30e5989d5c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #39 0x7f30e5989d5c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #40 0x7f30e5989d5c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #41 0x7f30ec4eba09 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #42 0x48d632 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #43 0x7f30e2b91ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:1638 mozilla::dom::NotificationFeature::Notify(JSContext*, mozilla::dom::workers::Status)
Shadow bytes around the buggy address:
  0x0c04800134a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800134b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800134c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800134d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c04800134e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c04800134f0: fa fa fa fa fa fa fd fd fa fa fd[fd]fa fa fd fd
  0x0c0480013500: fa fa fd fa fa fa fd fd fa fa fd fd fa fa 00 fa
  0x0c0480013510: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480013520: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 06
  0x0c0480013530: fa fa 00 00 fa fa fd fd fa fa fd fd fa fa 00 00
  0x0c0480013540: fa fa 00 00 fa fa fd fd fa fa 01 fa fa fa 00 03
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      [
==5376==ABORTING
ni for comment 3

Also please explain the patch, if it is correct ...
Flags: needinfo?(nsm.nikhil)
Flags: needinfo?(nsm.nikhil)
Attached patch fix
Kyle,

I've updated the patch as the earlier one didn't fix this problem (it did fix the AddFeature/mFeature inconsistency though, so it is still valid).

Here is how the UAF happens:
1) Notification() created, NotificationTask dispatched to main thread to show it that owns UniquePtr<NotificationRef>
2) Worker in test case immediately calls close() -> CloseInternal() -> NotifyFeatures() -> NotificationFeature::Notify(Status = Closing)
3) feature dispatches CloseNotificationRunnable which 'blocks' the worker
4) At this point, NotificationTask::ShowInternal()'s permission check fails since this test doesn't ask for permission. Rather than hand over ownership to the observer which would outlive it, it drops the NotificationRef.
5) NotificationRef's dtor dispatches a control runnable to release the Notification to the worker.
6) the notification is released, taking the feature with it.
7) Worker 'resumes' at mNotification->ReleaseObject() where nothing is valid anymore.

The existing code has MOZ_ASSERT(aStatus >= Canceling), which obviously wouldn't crash in release builds but would still encounter the above situation. With the change to if (aStatus >= Canceling), the notification feature will be safely removed in the above case before it encounters the Canceling state.

The second change is to hold a death grip before dispatching the 'blocking' runnable to the main thread so mNotification stays valid.

We also need to make sure Notify() only calls ReleaseObject() to make up for the observer being told not to call ReleaseObject().
Attachment #8638625 - Attachment is obsolete: true
Attachment #8638625 - Flags: review?(khuey)
Attachment #8640132 - Flags: review?(khuey)
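The seven-step sequence and the two-part fix described in the comment above, modelled as an added, self-contained example (this is not the attached patch or Gecko code). The names Notification, NotificationFeature, ReleaseObject, RefPtr and Status are borrowed from the bug's vocabulary, but their bodies here are constructed stand-ins; gLive is a constructed stand-in for AddressSanitizer's record of which heap objects are still allocated, and aBlockingDispatch is a hypothetical hook standing in for the blocking CloseNotificationRunnable dispatch. The point it shows is why a raw pointer held across a blocking main-thread round trip is unsafe, and why a strong reference (the "death grip") taken before the dispatch keeps mNotification valid until ReleaseObject() has run.

```cpp
#include <cstdio>
#include <functional>
#include <unordered_set>

// Constructed stand-in for ASan's view of the heap: live Notification addresses.
static std::unordered_set<const void*> gLive;

// Minimal intrusive-refcount smart pointer in the spirit of Gecko's RefPtr.
template <class T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  RefPtr(T* aPtr) : mPtr(aPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& aOther) : RefPtr(aOther.mPtr) {}
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* aPtr) {
    if (aPtr) aPtr->AddRef();      // addref first so self-assignment is safe
    if (mPtr) mPtr->Release();
    mPtr = aPtr;
    return *this;
  }
  RefPtr& operator=(const RefPtr& aOther) { return *this = aOther.mPtr; }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

enum Status { Running, Closing, Canceling, Killing };

struct Notification {
  int mRefCnt = 0;
  int mPendingReleases = 1;   // stands in for the field ReleaseObject() decrements
  Notification() { gLive.insert(this); }
  ~Notification() { gLive.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  void ReleaseObject() { --mPendingReleases; }
};

// The worker-side feature holds a raw pointer, as features do: it relies on
// the Notification outliving it.
struct NotificationFeature {
  Notification* mNotification;

  // aBlockingDispatch stands in for step 3 (dispatch CloseNotificationRunnable
  // to the main thread and block on it). Returns false when mNotification was
  // freed before ReleaseObject() ran, i.e. the point where ASan reports the UAF.
  bool Notify(Status aStatus, const std::function<void()>& aBlockingDispatch,
              bool aDeathGrip) {
    // Model of the first change: at Canceling or later the feature detaches
    // instead of asserting (a MOZ_ASSERT compiles away in release builds).
    if (aStatus >= Canceling) { mNotification = nullptr; return true; }

    // Model of the second change: a strong reference held across the block.
    RefPtr<Notification> kungFuDeathGrip;
    if (aDeathGrip) kungFuDeathGrip = mNotification;

    aBlockingDispatch();   // steps 4-6 may run on the main thread while we wait

    if (!gLive.count(mNotification)) return false;   // would be a use-after-free
    mNotification->ReleaseObject();                   // step 7
    return true;
  }
};

// Plays the sequence from the comment: the main-thread task owns the only
// reference, the worker closes immediately, and the task drops its ownership
// while the worker is blocked. Returns whether ReleaseObject() ran on a live object.
bool RunScenario(bool aDeathGrip) {
  RefPtr<Notification> owner = new Notification();   // the NotificationRef's reference
  NotificationFeature feature{owner.get()};
  auto dropOwnership = [&owner]() { owner = nullptr; };  // NotificationRef dtor -> Release()
  return feature.Notify(Closing, dropOwnership, aDeathGrip);
}

int main() {
  std::printf("raw pointer: %s\n", RunScenario(false) ? "ok" : "use-after-free");
  std::printf("death grip:  %s\n", RunScenario(true) ? "ok" : "use-after-free");
  return 0;
}
```

Without the death grip the owner's Release() takes the refcount to zero during the blocking dispatch and the later ReleaseObject() call touches freed memory; with it, the refcount stays at one until Notify() returns, and the object is freed only when kungFuDeathGrip goes out of scope.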
Looben, once the build in comment 7 finishes, could you try it out?
Also, this will need uplift to Fx41 since the offending code is present there. I'll upload a patch that applies to aurora once this passes review.
Is this code in 40 or 39 (or ESR38)?
(In reply to Nikhil Marathe [:nsm] (please needinfo?) from comment #8)
> Looben, once the build in comment 7 finishes, could you try it out?
> Also, this will need uplift to Fx41 since the offending code is present
> there. I'll upload a patch that applies to aurora once this passes review.

I ran the same test case (Uaf_NotificationReleaseObject_Repro.js) against your patched build (http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/nsm.nikhil@gmail.com-9218808536eb/try-linux64-asan/) and did not see this issue.
Hey Kyle, when could you get to this? Thanks.
Flags: needinfo?(khuey)
url:        https://hg.mozilla.org/integration/mozilla-inbound/rev/0efe8ea5b1851e8ccf1808d86c32bdae25f10363
changeset:  0efe8ea5b1851e8ccf1808d86c32bdae25f10363
user:       Nikhil Marathe <nsm.nikhil@gmail.com>
date:       Fri Jul 24 10:25:00 2015 -0700
description:
Bug 1187018 - Ensure feature is nulled out if it does not get added. r=khuey
https://hg.mozilla.org/mozilla-central/rev/0efe8ea5b185

This shouldn't have landed without sec-approval. Please request it ASAP and also request uplift to Aurora/Beta.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(nsm.nikhil)
Resolution: --- → FIXED
Target Milestone: --- → mozilla43
Comment on attachment 8640132 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I am not sure how easy it is. The UAF is quite obvious and easy to trigger.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes

Which older supported branches are affected by this flaw?
Firefox 41 (Beta) and 42 (Aurora)

If not all supported branches, which bug introduced the flaw?
Bug 916893

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes, it is easy to create.

How likely is this patch to cause regressions; how much testing does it need?
The patch only extends the lifetime of the object, it should not cause regressions.
Flags: needinfo?(nsm.nikhil)
Attachment #8640132 - Flags: sec-approval?
Comment on attachment 8640132 [details] [diff] [review]
fix

Approval Request Comment
[Feature/regressing bug #]: Bug 916893
[User impact if declined]: Use-after-free crash or exploit.
[Describe test coverage new/current, TreeHerder]: No new test coverage, but the UAF has been fixed.
[Risks and why]: No risk to taking this patch.
[String/UUID change made/needed]: None
Attachment #8640132 - Flags: approval-mozilla-beta?
Attachment #8640132 - Flags: approval-mozilla-aurora?
Comment on attachment 8640132 [details] [diff] [review]
fix

Giving sec-approval+.

Every time we land a critical or high security bug without following the bug process, we risk a zero day on our users. Please follow https://wiki.mozilla.org/Security/Bug_Approval_Process for these.
Attachment #8640132 - Flags: sec-approval? → sec-approval+
Comment on attachment 8640132 [details] [diff] [review]
fix

Given that the fix was verified using an automated test, let's uplift to Aurora. Will uplift to Beta in a day or two. In the meantime, let's also validate the fix against the aurora end-user base.
Attachment #8640132 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 8640132 [details] [diff] [review]
fix

(In reply to Ritu Kothari (:ritu) from comment #18)
> Given that the fix was verified using an automated test, let's uplift to
> Aurora. Will uplift to Beta in a day or two. In the meantime, let's also
> validate the fix against the aurora end-user base.

Ritu, sec-crit bugs should land on all branches concurrently. One of the points of sec-approval is to ensure that we land these fixes on all branches at the same time.

Beta+
Flags: needinfo?(rkothari)
Attachment #8640132 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Ok. Will keep that in mind for the future.
Flags: needinfo?(rkothari)
Flags: sec-bounty? → sec-bounty+
Reproduced the original issue using the following build:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1437681888/

Using the steps from comment #0 and the poc that was attached, I managed to get the same asan crash as comment #3:

=================================================================
==3900==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200012ecd8 at pc 0x7f2397349074 bp 0x7f2370a7e210 sp 0x7f2370a7e208
READ of size 8 at 0x60200012ecd8 thread T25 (DOM Worker)
    #0 0x7f2397349073 in Notify Notification.cpp:2107
    #1 0x7f23979b3bee in NotifyFeatures WorkerPrivate.cpp:6074
    #2 0x7f23979af888 in NotifyInternal WorkerPrivate.cpp:6539
    #3 0x7f2395f17d68 in close WorkerGlobalScopeBinding.cpp:174
    #4 0x7f2395f10c00 in genericMethod WorkerGlobalScopeBinding.cpp:1191
    #5 0x7f239b4488c3 in CallJSNative jscntxtinlines.h:235
    #6 0x7f239b48790a in Interpret Interpreter.cpp:2972

etc...

previously allocated by thread T25 (DOM Worker) here:
    #0 0x474fe1 in __interceptor_malloc _asan_rtl_
    #1 0x48dc8d in moz_xmalloc mozalloc.cpp:83
    #2 0x7f2397349f97 in operator new mozalloc.h:186
    #3 0x7f239733ee2c in CreateAndShow Notification.cpp:2300
    #4 0x7f239733e88e in Constructor Notification.cpp:761
    #5 0x7f239547d9f9 in _constructor NotificationBinding.cpp:1689
    #6 0x7f239b49907e in CallJSNative jscntxtinlines.h:235

etc...

Went through verifications using the following builds:
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1441110804/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-aurora-linux64-asan/1441093209/
- http://inbound-archive.pub.build.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-beta-linux64-asan/1441055449/
Group: core-security → core-security-release
Group: core-security-release
Keywords: regression
Whiteboard: [b2g-adv-main2.5-]
Component: DOM → DOM: Core & HTML