1196079 - Use After Free in nsQueryInterface::operator()

Status: VERIFIED FIXED

(Core :: DOM: Core & HTML, defect)

Description

[Looben Yang]

Using Notification in web workers can trigger a Use After Free in nsQueryInterface::operator():


First-chance exception at 0x5E50DD7D (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.
Unhandled exception at 0x5E50DD7D (xul.dll) in firefox.exe: 0xC0000005: Access violation reading location 0x5A5A5A5A.


Firefox version: 43.0a1 (2015-08-13)

Call Stack:

>	xul.dll!nsQueryInterface::operator()(const nsID & aIID, void * * aAnswer) Line 14	C++
 	xul.dll!nsCOMPtr_base::assign_from_qi(const nsQueryInterface aQI, const nsID & aIID) Line 62	C++
 	xul.dll!mozilla::dom::Event::SetOwner(mozilla::dom::EventTarget * aOwner) Line 1189	C++
 	xul.dll!mozilla::dom::Event::ConstructorInit(mozilla::dom::EventTarget * aOwner, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent) Line 67	C++
 	xul.dll!mozilla::dom::Event::Event(mozilla::dom::EventTarget * aOwner, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent) Line 54	C++
 	xul.dll!NS_NewDOMEvent(nsIDOMEvent * * aInstancePtrResult, mozilla::dom::EventTarget * aOwner, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent) Line 1266	C++
 	xul.dll!mozilla::DOMEventTargetHelper::DispatchTrustedEvent(const nsAString_internal & aEventName) Line 267	C++
 	xul.dll!mozilla::dom::NotificationEventWorkerRunnable::WorkerRunInternal(JSContext * aCx, mozilla::dom::workers::WorkerPrivate * aWorkerPrivate) Line 409	C++
 	xul.dll!mozilla::dom::NotificationWorkerRunnable::WorkerRun(JSContext * aCx, mozilla::dom::workers::WorkerPrivate * aWorkerPrivate) Line 377	C++
 	xul.dll!mozilla::dom::workers::WorkerRunnable::Run() Line 363	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 864	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 277	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext * aCx) Line 5174	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2877	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 864	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 277	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 355	C++
 	xul.dll!MessageLoop::RunHandler() Line 228	C++
 	xul.dll!MessageLoop::Run() Line 202	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 361	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 419	C
 	nss3.dll!pr_root(void * arg) Line 90	C
 	[External Code]	
 	[Frames below may be incorrect and/or missing, no symbols loaded for msvcr120.dll]	

Variables:

+		aAnswer	0x1c8cf9e4 {0x1c8cf9fc}	void * *
+		aIID	{m0=3908948519 m1=10202 m2=18158 ...}	const nsID &
+		mRawPtr	0x5a5a5a5a {...}	nsISupports *
+		this	0x0b411040 {mRawPtr=0x5a5a5a5a {...} }	nsQueryInterface *


Registers:
EAX = 5A5A5A5A EBX = 0B411040 ECX = 0B411040 EDX = 5FFADB78 ESI = 1C8CF9FC EDI = 0B411040 EIP = 5E50DD7D ESP = 1C8CF9CC EBP = 1C8CF9E8 EFL = 00010202 

0x5a5a5a5a = 00000000 


The address pattern 0x5a5a5a5a  indicates a Use After Free.

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

NotificationEventWorkerRunnable seems to play with raw pointers.

Bug 874842 also landed recently, but Bug 916893 looks still more suspicious.

Comment 2

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

The notification object is held alive by a manual addref while all the runnables are dancing around. It is possible I missed some edge cases. I'll look into this today.

Comment 3

[Olli Pettay [:smaug][bugs@pettay.fi]]

are we perhaps calling Release while the runnable is still on queue to be processed?

Comment 4

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Looben, do you have a reliable test case for this? I have a theory for why this happens but have been completely unable to reproduce it. Even if you could just tell me the event name that is being fired when this crash occurs that would help a lot. Thank you!

Comment 5

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

(In reply to Olli Pettay [:smaug] from comment #3)
> are we perhaps calling Release while the runnable is still on queue to be
> processed?

Something like that, but it may be fairly complicated. The easiest hypothesis is that after we dispatch a runnable to fire the error event in Notification::ShowInternal(), we immediately return, at which point ~NotificationRef() dispatches a control runnable to the worker. This control runnable preempts the event runnable and releases the reference. Unfortunately on my machine, it seems a js reference or something keeps the notification alive and the event runnable gets a valid notification instance. I'm not sure how to try this out.

The fix is to have ShowInternal() attempt to release the notification via a WorkerRunnable (which will get queued after the event runnable) and only fall back to a control runnable if the worker is shutting down (in which case the event runnable won't get to run).

Comment 6

[Olli Pettay [:smaug][bugs@pettay.fi]]

(sec-critical bugs should be assigned to someone rather soon)

Comment 7

[Looben Yang]

Attachment: Uaf_operator()_Repro.js

Comment 8

[Looben Yang]

(In reply to Nikhil Marathe [:nsm] (please needinfo?) from comment #4)
> Looben, do you have a reliable test case for this? I have a theory for why
> this happens but have been completely unable to reproduce it. Even if you
> could just tell me the event name that is being fired when this crash occurs
> that would help a lot. Thank you!

test case is attached.
With this test case, the event name is error:


+		this	0x0aeaea20 {mRefCnt={mRefCntAndFlags=438098976 } _mOwningThread={mThread=0x0793d010 } mListenerManager=...}	mozilla::DOMEventTargetHelper *
-		aEventName	{mData=0x10f71fbc L"error" mLength=5 mFlags=33 }	const nsAString_internal &
+		mData	0x10f71fbc L"error"	wchar_t *
		mLength	5	unsigned int
		mFlags	33	unsigned int
+		event	{...}	nsCOMPtr<nsIDOMEvent>

Comment 9

[Looben Yang]

(In reply to Looben Yang from comment #7)
> Created attachment 8651575 [details]
> Uaf_operator()_Repro.js


Steps to reproduce: 
1. Run server side script Uaf_operator()_Repro.js in Node.js (node Uaf_operator()_Repro.js).
2. Enter http://localhost:12345 in Firefox browser.

Comment 10

[Liz Henry (:lizzard) (relman/hg->git project)]

Once you are able to reproduce this can you check whether versions other than 43 are affected? Thanks.

Comment 11

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Attachment: Always try to release Notification via normal WorkerRunnable first

Looben, could you try with this patch?

Comment 12

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

I cannot get the test case to lead to a crash on Linux.

Comment 13

[Looben Yang]

For your reference, I ran the exact same test case (Uaf_operator()_Repro.js) in official Linux Asan build, it did report a Use After Free, I got:


Firefox version: 43.0a1 (2015-08-12)
=================================================================
==5423==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130000d5bc0 at pc 0x7fa2a4d0d5c5 bp 0x7fa283be3430 sp 0x7fa283be3428
READ of size 8 at 0x6130000d5bc0 thread T127 (DOM Worker)
    #0 0x7fa2a4d0d5c4 in operator() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:14
    #1 0x7fa2a4d0d5c4 in nsCOMPtr_base::assign_from_qi(nsQueryInterface, nsID const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:59
    #2 0x7fa2a8f6b2f5 in nsCOMPtr /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/events/../../dist/include/nsCOMPtr.h:504
    #3 0x7fa2a8f6b2f5 in mozilla::dom::Event::SetOwner(mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/Event.cpp:1188
    #4 0x7fa2a8f630cb in mozilla::dom::Event::ConstructorInit(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/Event.cpp:66
    #5 0x7fa2a8f49305 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/Event.cpp:53
    #6 0x7fa2a8f49305 in NS_NewDOMEvent /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/Event.cpp:1265
    #7 0x7fa2a8f49305 in mozilla::DOMEventTargetHelper::DispatchTrustedEvent(nsAString_internal const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/DOMEventTargetHelper.cpp:265
    #8 0x7fa2a98e8e71 in mozilla::dom::NotificationWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:376
    #9 0x7fa2a9f760c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #10 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #11 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #12 0x7fa2a9f55473 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5163
    #13 0x7fa2a9eec207 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2875
    #14 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #15 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #16 0x7fa2a559f728 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #17 0x7fa2a552b55c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #18 0x7fa2a552b55c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #19 0x7fa2a552b55c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #20 0x7fa2a4caf5d5 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359
    #21 0x7fa2b1dc04b5 in _pt_root /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:212
    #22 0x7fa2b2408181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #23 0x7fa2a27b330c (/lib/x86_64-linux-gnu/libc.so.6+0xfb30c)

0x6130000d5bc0 is located 0 bytes inside of 328-byte region [0x6130000d5bc0,0x6130000d5d08)
freed by thread T127 (DOM Worker) here:
    #0 0x474de1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7fa2a4bab4ad in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2638
    #2 0x7fa2a4bab0de in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806
    #3 0x7fa2a4bb1d5e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3782
    #4 0x7fa2a4bb133b in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:3607
    #5 0x7fa2a4bb499a in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4106
    #6 0x7fa2a4b9cf7c in mozilla::CycleCollectedJSRuntime::OnGC(JSGCStatus) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1327
    #7 0x7fa2ae62b00c in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6207
    #8 0x7fa2ae6331a0 in gc /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:6263
    #9 0x7fa2ae6331a0 in JS::GCForReason(JSRuntime*, JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsgc.cpp:7110
    #10 0x7fa2a9f65c56 in mozilla::dom::workers::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:6825
    #11 0x7fa2a9fa1f6b in (anonymous namespace)::GarbageCollectRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:1905
    #12 0x7fa2a9f760c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #13 0x7fa2a9f57185 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5608
    #14 0x7fa2a9f5db48 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5925
    #15 0x7fa2a9ecba94 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1557
    #16 0x7fa2a9ecba94 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1837
    #17 0x7fa2a9ecc3ee in mozilla::dom::workers::scriptloader::Load(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<nsString> const&, mozilla::dom::workers::WorkerScriptType, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1960
    #18 0x7fa2a8367d4a in mozilla::dom::WorkerGlobalScopeBinding_workers::importScripts(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:423
    #19 0x7fa2a835ce30 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./WorkerGlobalScopeBinding.cpp:1327
    #20 0x7fa2ada13863 in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #21 0x7fa2ada13863 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:773
    #22 0x7fa2ada62ad4 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:3035
    #23 0x7fa2ada34f97 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:714
    #24 0x7fa2ada854b8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:955
    #25 0x7fa2ada85b18 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:988
    #26 0x7fa2ae5670f6 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4442
    #27 0x7fa2a9ee3bd4 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1756
    #28 0x7fa2a9f760c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #29 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #30 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #31 0x7fa2a9f5dd77 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5939
    #32 0x7fa2a9ecba94 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1557
    #33 0x7fa2a9ecba94 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1837

previously allocated by thread T127 (DOM Worker) here:
    #0 0x474fe1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48dc8d in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7fa2a98d9c29 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/notification/../../dist/include/mozilla/mozalloc.h:186
    #3 0x7fa2a98d9c29 in mozilla::dom::Notification::CreateInternal(nsIGlobalObject*, nsAString_internal const&, nsAString_internal const&, mozilla::dom::NotificationOptions const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:900
    #4 0x7fa2a98d8c6d in mozilla::dom::Notification::CreateAndShow(nsIGlobalObject*, nsAString_internal const&, mozilla::dom::NotificationOptions const&, nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:2336
    #5 0x7fa2a98d891e in mozilla::dom::Notification::Constructor(mozilla::dom::GlobalObject const&, nsAString_internal const&, mozilla::dom::NotificationOptions const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/notification/Notification.cpp:762
    #6 0x7fa2a796cfd3 in mozilla::dom::NotificationBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./NotificationBinding.cpp:1696
    #7 0x7fa2ada83cee in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #8 0x7fa2ada83cee in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #9 0x7fa2ada83cee in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:869
    #10 0x7fa2ada62ac0 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:3032
    #11 0x7fa2ada34f97 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:714
    #12 0x7fa2ada854b8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:955
    #13 0x7fa2ada85b18 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:988
    #14 0x7fa2ae5670f6 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4442
    #15 0x7fa2a9ee3bd4 in (anonymous namespace)::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1756
    #16 0x7fa2a9f760c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #17 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #18 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #19 0x7fa2a9f5dd77 in mozilla::dom::workers::WorkerPrivate::RunCurrentSyncLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5939
    #20 0x7fa2a9ecba94 in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.h:1557
    #21 0x7fa2a9ecba94 in (anonymous namespace)::LoadAllScripts(JSContext*, mozilla::dom::workers::WorkerPrivate*, nsTArray<(anonymous namespace)::ScriptLoadInfo>&, bool, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1837
    #22 0x7fa2a9ecb49e in mozilla::dom::workers::scriptloader::LoadMainScript(JSContext*, nsAString_internal const&, mozilla::dom::workers::WorkerScriptType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/ScriptLoader.cpp:1934
    #23 0x7fa2a9fa201c in (anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:982
    #24 0x7fa2a9f760c4 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerRunnable.cpp:359
    #25 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #26 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #27 0x7fa2a9f55473 in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:5163
    #28 0x7fa2a9eec207 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2875
    #29 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #30 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #31 0x7fa2a559f728 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:355
    #32 0x7fa2a552b55c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #33 0x7fa2a552b55c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #34 0x7fa2a552b55c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #35 0x7fa2a4caf5d5 in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:359

Thread T127 (DOM Worker) created by T0 (Web Content) here:
    #0 0x461855 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fa2b1dbce3d in _PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:453
    #2 0x7fa2b1dbc9ba in PR_CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:544
    #3 0x7fa2a4cb0bdd in nsThread::Init() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:470
    #4 0x7fa2a9fc32aa in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerThread.cpp:90
    #5 0x7fa2a9ebfc10 in mozilla::dom::workers::RuntimeService::ScheduleWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1753
    #6 0x7fa2a9ebcf34 in mozilla::dom::workers::RuntimeService::RegisterWorker(JSContext*, mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:1592
    #7 0x7fa2a9f53e02 in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/WorkerPrivate.cpp:4724
    #8 0x7fa2a9ec6083 in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2499
    #9 0x7fa2a9ec591f in mozilla::dom::workers::RuntimeService::CreateSharedWorkerInternal(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::WorkerType, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.cpp:2450
    #10 0x7fa2a9f3aa3a in CreateSharedWorker /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/RuntimeService.h:157
    #11 0x7fa2a9f3aa3a in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/workers/SharedWorker.cpp:69
    #12 0x7fa2a8056b13 in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/./SharedWorkerBinding.cpp:240
    #13 0x7fa2ada83cee in CallJSNative /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:235
    #14 0x7fa2ada83cee in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jscntxtinlines.h:268
    #15 0x7fa2ada83cee in js::InvokeConstructor(JSContext*, JS::CallArgs) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:869
    #16 0x7fa2ada62ac0 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:3032
    #17 0x7fa2ada34f97 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:714
    #18 0x7fa2ada854b8 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:955
    #19 0x7fa2ada85b18 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:988
    #20 0x7fa2ae5670f6 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::ScopeObject*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4442
    #21 0x7fa2ae56791b in Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsapi.cpp:4469
    #22 0x7fa2a71ccb64 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:224
    #23 0x7fa2a71cd7c1 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSUtils.cpp:286
    #24 0x7fa2a7250aaf in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:1143
    #25 0x7fa2a724e1d5 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:970
    #26 0x7fa2a7247d23 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptLoader.cpp:764
    #27 0x7fa2a724337e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsScriptElement.cpp:142
    #28 0x7fa2a66001c4 in operator-> /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsIScriptElement.h:221
    #29 0x7fa2a66001c4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:662
    #30 0x7fa2a65fe7ff in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:487
    #31 0x7fa2a66049ab in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/parser/html/nsHtml5StreamParser.cpp:127
    #32 0x7fa2a4cb3114 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:864
    #33 0x7fa2a4d297da in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:277
    #34 0x7fa2a559e619 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #35 0x7fa2a552b55c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #36 0x7fa2a552b55c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #37 0x7fa2a552b55c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #38 0x7fa2aa43ac87 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #39 0x7fa2ac293b82 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:785
    #40 0x7fa2a552b55c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #41 0x7fa2a552b55c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #42 0x7fa2a552b55c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #43 0x7fa2ac293279 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:621
    #44 0x48d670 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #45 0x7fa2a26d9ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsCOMPtr.cpp:14 operator()
Shadow bytes around the buggy address:
  0x0c2680012b20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012b30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012b40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012b50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012b60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2680012b70: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c2680012b80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680012b90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2680012ba0: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2680012bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzon==5423==ABORTING

Comment 14

[Looben Yang]

(In reply to Nikhil Marathe [:nsm] (please needinfo?) from comment #12)
> I cannot get the test case to lead to a crash on Linux.

It seems hard to get crash in Linux with this test case. However, when I open two tabs both with http://localhost:12345 then it gets reproduced easily.

Comment 15

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=6833448fbf1a

Comment 16

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Looben, you should be able to try this build soon https://treeherder.mozilla.org/#/jobs?repo=try&revision=1f0ff65ea40c

Comment 17

[Looben Yang]

(In reply to Nikhil Marathe [:nsm] (please needinfo?) from comment #16)
> Looben, you should be able to try this build soon
> https://treeherder.mozilla.org/#/jobs?repo=try&revision=1f0ff65ea40c

I ran the same test case in this build, could not reproduce it.

Comment 18

[Liz Henry (:lizzard) (relman/hg->git project)]

Which versions does this affect? If bug 874842 caused this then maybe only 43.

Comment 19

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

This was caused by bug 916893.

Comment 20

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/157099d1ec27

Comment 21

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Comment on attachment 8652037 [details] [diff] [review]
Always try to release Notification via normal WorkerRunnable first

I'm really sorry I forgot to ask for sec-approval before landing this :( Could that be automated?

Approval Request Comment
[Feature/regressing bug #]: 916893
[User impact if declined]: Use after free could be exploited
[Describe test coverage new/current, TreeHerder]: It is hard to really test this, it relies on certain states that I couldn't even reproduce locally, but had the reporter confirm. That said, this patch tries to do the correct thing in all cases, which we were not doing before.
[Risks and why]: Low
[String/UUID change made/needed]: None

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I think it would be pretty hard considering the precise sequence to get the Notification released depends on scheduling.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No

Which older supported branches are affected by this flaw?

Beta and Aurora

If not all supported branches, which bug introduced the flaw?

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This patch should apply on all branches. If not, it is trivial to create one that does.

How likely is this patch to cause regressions; how much testing does it need?
Nothing changed that could cause a regression.

Comment 22

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Nikhil, could you please confirm that this issue does not impact ESR38? Otherwise, we need to uplift to esr38 branch too.

Comment 23

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

It does not, these changes only landed in 41.

Comment 24

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Thanks Nikhil. I am waiting for Al/DVeditz to approve and then I can approve uplift to Aurora & Beta.

Comment 25

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

N-I Al and DVeditz. I am waiting for sec-approval before approving uplift to Aurora & Beta.

Comment 26

[Al Billings [:abillings - ex-MoCo]]

You don't need to ni? me to do sec-approvals. I'm notified when folks ask for them!

Comment 27

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8652037 [details] [diff] [review]
Always try to release Notification via normal WorkerRunnable first

This is a sec-critical issue, let's uplift to Aurora42 and Beta41.

Comment 28

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Setting status-esr38 to unaffected based on comment 23.

Comment 29

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/e58ce20624cd

Comment 30

[Ryan VanderMeulen [:RyanVM]]

Needs rebasing for Beta uplift.

Comment 31

[Nikhil Marathe [:nsm] (No longer reading bugmail, please needinfo?)]

Attachment: fix for beta

Comment 32

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/aa586e6b0111

Comment 33

[Kamil Jozwiak [:kjozwiak]]

Reproduced the crash using the following build:
- https://archive.mozilla.org/pub/firefox/nightly/2015-08-13-03-02-08-mozilla-central/

I could only reproduce the crash while using OSX 10.10.5. I tried both Win 8.1 x64 and Ubuntu 14.04.3 x64 but I couldn't get those platforms to crash. I also tried running the poc in at least two or more tabs as suggested in comment # 14 but that didn't work either. I ended up running the poc in several tabs under Win/Ubuntu for about 30 minutes but never ran into any issues. I'll use OSX for verification as that's the only platform that I could get to crash.

e10s enabled crashes:
- https://crash-stats.mozilla.com/report/index/b9345719-e158-43ec-acdf-a704a2150910
- https://crash-stats.mozilla.com/report/index/d8528e50-fca8-4b2e-ba82-1d10d2150910

e10s disabled crash:
- https://crash-stats.mozilla.com/report/index/c1a826bd-828f-43c0-84df-d79d02150910

Went through verification using the following builds:
- https://archive.mozilla.org/pub/firefox/nightly/2015-09-08-03-02-03-mozilla-central/
- https://archive.mozilla.org/pub/firefox/nightly/2015-09-11-00-41-12-mozilla-aurora/
- https://archive.mozilla.org/pub/firefox/candidates/41.0b9-candidates/build1/mac/en-US/