AddressSanitizer: heap-buffer-overflow (READ of size 8) ipc/ipdl/PContentParent.cpp:3724

RESOLVED FIXED

Core
IPC
2 years ago
a year ago

People

(Reporter: Francisco A., Unassigned)

Tracking

47 Branch
csectype-bounds, sec-high
Points:
---
Bug Flags:
sec-bounty +
qe-verify -

Firefox Tracking Flags

(firefox45 fixed, firefox46 fixed, firefox47 fixed, firefox-esr38 unaffected, firefox-esr45 fixed)

Details

(Whiteboard: [fixed by bug 1247236?])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

I'm trying to reproduce again, if anyone wants to check it out (tested in firefox-47.0a1). Thank you!


Actual results:

=================================================================
==9358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000bdcac0 at pc 0x7f1593bac50f bp 0x7ffd5d2ab330 sp 0x7ffd5d2ab328
READ of size 8 at 0x60c000bdcac0 thread T0
    #0 0x7f1593bac50e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724
    #1 0x7f15933270fc in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1477
    #2 0x7f15933246dc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1412
    #3 0x7f1593314542 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1381
    #4 0x7f1593299f44 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #5 0x7f1593299f44 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #6 0x7f159329aff7 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #7 0x7f159332ed32 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:220
    #8 0x7f159290751f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #9 0x7f159298281a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #10 0x7f159332e369 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #11 0x7f1593298acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #12 0x7f1593298acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #13 0x7f1593298acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #14 0x7f15986a0857 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #15 0x7f159a4de078 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #16 0x7f159a5e0b3a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4278
    #17 0x7f159a5e1da6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4375
    #18 0x7f159a5e2bee in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4477
    #19 0x48a6c9 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #20 0x48a6c9 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:352
    #21 0x7f15c19456ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #22 0x489c3c in _start (/home/revskillz/browsers/firefox/firefox-bin+0x489c3c)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724 mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&)
Shadow bytes around the buggy address:
  0x0c1880173900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880173910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1880173920: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880173930: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c1880173940: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c1880173950: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c1880173960: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1880173970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c1880173980: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1880173990: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c18801739a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==9358==ABORTING
[Child 9779] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
[Child 9779] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
ASAN:SIGSEGV
=================================================================
==9779==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048e1de sp 0x7f6b0f85bcc0 bp 0x7f6b0f85bcd0 T2)
==9779==AddressSanitizer: while reporting a bug found another one.Ignoring.
    #0 0x48e1dd in mozalloc_abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33
    #1 0x7f6b2ffb9c75 in Abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:452
    #2 0x7f6b2ffb993e in NS_DebugBreak /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:404
    #3 0x7f6b30b11bc1 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1857
    #4 0x7f6b30b16be0 in OnChannelError /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageLink.cpp:429
    #5 0x7f6b30b16be0 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/glue/Unified_cpp_ipc_glue0.cpp:430
    #6 0x7f6b30ad8492 in event_process_active_single_queue /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350
    #7 0x7f6b30ad8492 in event_process_active /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #8 0x7f6b30ad8492 in event_base_loop /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #9 0x7f6b30a86f5c in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:362
    #10 0x7f6b30a81acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #11 0x7f6b30a81acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #12 0x7f6b30a81acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7f6b30a99a73 in base::Thread::ThreadMain() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:172
    #14 0x7f6b30a9b32c in ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:36
    #15 0x7f6b3e620554 in start_thread (/lib64/libpthread.so.0+0x7554)
    #16 0x7f6b2d9ffb9c in __clone (/lib64/libc.so.6+0x102b9c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33 mozalloc_abort(char const*)
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f6b30a99654 in CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135
    #2 0x7f6b30a99654 in Create /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f6b30a99654 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:94
    #4 0x7f6b30b1886b in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/ProcessChild.cpp:22
    #5 0x7f6b37dd0349 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:28
    #6 0x7f6b37dd0349 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:574
    #7 0x48d760 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #8 0x7f6b2d91d6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

==9779==ABORTING
Group: firefox-core-security → dom-core-security
Component: Untriaged → IPC
Product: Firefox → Core
Keywords: sec-high
Bill, you wanna check this out? Or want me to ask Jed or dvander?
Flags: needinfo?(wmccloskey)
I'm not seeing anything actionable here. It looks like maybe the actor that we received a message for has been deleted, and somehow we failed to remove it as a managee. That's bad, but I don't see any hint of how it might have happened.
Flags: needinfo?(wmccloskey)
Francisco, any more light you can shed here would be appreciated. Thanks.
Flags: needinfo?(rs)
Something that might help is the contents of the Message struct; the message ID would indicate which IPDL message it is and which actor type it's meant for, which could help find the code that's deleting a still-live actor, if that's the problem.

The other thing going on here is that, if I'm reading the ASan error correctly, this memory isn't marked as recently freed (0xfa instead of 0xfd); I don't know how meaningful that is.

But I agree that this isn't actionable without more information or STR.
(Reporter)

Comment 5

2 years ago
Apologies for not answering before; I've been sick all week. I have reproduced the issue and I'm trying to determine exactly how it happens.


=================================================================
==26516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0003b3380 at pc 0x7f56af3e650f bp 0x7ffc28c0ad10 sp 0x7ffc28c0ad08
READ of size 8 at 0x60c0003b3380 thread T0
    #0 0x7f56af3e650e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724
    #1 0x7f56aeb610fc in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1477
    #2 0x7f56aeb5e6dc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1412
    #3 0x7f56aeb4e542 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1381
    #4 0x7f56aead3f44 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #5 0x7f56aead3f44 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #6 0x7f56aead4ff7 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #7 0x7f56aeb68d32 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:220
    #8 0x7f56ae14151f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #9 0x7f56ae1bc81a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #10 0x7f56aeb68369 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #11 0x7f56aead2acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #12 0x7f56aead2acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #13 0x7f56aead2acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #14 0x7f56b3eda857 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #15 0x7f56b5d18078 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #16 0x7f56b5e1ab3a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4278
    #17 0x7f56b5e1bda6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4375
    #18 0x7f56b5e1cbee in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4477
    #19 0x48a6c9 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #20 0x48a6c9 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:352
    #21 0x7f56dd17b6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #22 0x489c3c in _start (/home/revskillz/browsers/firefox/firefox-bin+0x489c3c)

0x60c0003b3380 is located 0 bytes inside of 120-byte region [0x60c0003b3380,0x60c0003b33f8)
freed by thread T0 here:
    #0 0x472051 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f56ae025658 in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2655
    #2 0x7f56ae024e54 in ~RemoveSkippableVisitor /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2765
    #3 0x7f56ae024e54 in nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, bool, bool, void (*)()) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2806
    #4 0x7f56ae025bd2 in nsCycleCollector::ForgetSkippable(bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:2853
    #5 0x7f56ae02ddcc in nsCycleCollector_forgetSkippable(bool, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsCycleCollector.cpp:4063
    #6 0x7f56b0934525 in FireForgetSkippable(unsigned int, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSEnvironment.cpp:1354
    #7 0x7f56b0937a3a in CCTimerFired(nsITimer*, void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsJSEnvironment.cpp:1903
    #8 0x7f56ae15be2f in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsTimerImpl.cpp:526
    #9 0x7f56ae134ef5 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #10 0x7f56ae14151f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #11 0x7f56ae1bc81a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #12 0x7f56aeb68348 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:127
    #13 0x7f56aead2acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #14 0x7f56aead2acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #15 0x7f56aead2acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #16 0x7f56b3eda857 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #17 0x7f56b5d18078 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #18 0x7f56b5e1ab3a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4278
    #19 0x7f56b5e1bda6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4375
    #20 0x7f56b5e1cbee in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4477
    #21 0x48a6c9 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #22 0x48a6c9 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:352
    #23 0x7f56dd17b6ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

previously allocated by thread T0 here:
    #0 0x472251 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48b7bd in moz_xmalloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f56b054e3c4 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:186
    #3 0x7f56b054e3c4 in nsGlobalWindow::SetTimeoutOrInterval(nsIScriptTimeoutHandler*, int, bool, int*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:11624
    #4 0x7f56b054ddca in nsGlobalWindow::SetTimeoutOrInterval(JSContext*, mozilla::dom::Function&, int, mozilla::dom::Sequence<JS::Value> const&, bool, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:11748
    #5 0x7f56b054dc33 in nsGlobalWindow::SetTimeout(JSContext*, mozilla::dom::Function&, int, mozilla::dom::Sequence<JS::Value> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsGlobalWindow.cpp:11549
    #6 0x7f56b1ce047d in mozilla::dom::WindowBinding::setTimeout(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:12921
    #7 0x7f56b1cdcc98 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:13196
    #8 0x7f56b7661e65 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:146
    #9 0x7f56b766163d in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jit/BaselineJIT.cpp:185
    #10 0x7f56b8244830 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:415
    #11 0x7f56b8279284 in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/vm/Interpreter.cpp:493
    #12 0x7f56b7dc80e2 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/js/src/jsfun.cpp:1277

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724 mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&)
Shadow bytes around the buggy address:
  0x0c188006e620: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c188006e630: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x0c188006e640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
  0x0c188006e650: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c188006e660: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
=>0x0c188006e670:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c188006e680: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188006e690: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c188006e6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c188006e6b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c188006e6c0: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
==26516==ABORTING
[Child 29886] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
[Child 29886] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
ASAN:SIGSEGV
=================================================================
==29886==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048e1de sp 0x7f49287b7cc0 bp 0x7f49287b7cd0 T2)
    #0 0x48e1dd in mozalloc_abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33
    #1 0x7f4948d4dc75 in Abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:452
    #2 0x7f4948d4d93e in NS_DebugBreak /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:404
    #3 0x7f49498a5bc1 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1857
    #4 0x7f49498aabe0 in OnChannelError /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageLink.cpp:429
    #5 0x7f49498aabe0 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/glue/Unified_cpp_ipc_glue0.cpp:430
    #6 0x7f494986c492 in event_process_active_single_queue /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350
    #7 0x7f494986c492 in event_process_active /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #8 0x7f494986c492 in event_base_loop /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #9 0x7f494981af5c in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:362
    #10 0x7f4949815acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #11 0x7f4949815acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #12 0x7f4949815acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7f494982da73 in base::Thread::ThreadMain() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:172
    #14 0x7f494982f32c in ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:36
    #15 0x7f49573b4554 in start_thread (/lib64/libpthread.so.0+0x7554)
    #16 0x7f4946793b9c in __clone (/lib64/libc.so.6+0x102b9c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33 mozalloc_abort(char const*)
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f494982d654 in CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135
    #2 0x7f494982d654 in Create /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f494982d654 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:94
    #4 0x7f49498ac86b in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/ProcessChild.cpp:22
    #5 0x7f4950b64349 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:28
    #6 0x7f4950b64349 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:574
    #7 0x48d760 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #8 0x7f49466b16ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

==29886==ABORTING
Flags: needinfo?(rs)
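The point raised in comment 4 (a bracketed shadow byte of 0xfa, a heap redzone ASan cannot attribute to any chunk, versus 0xfd, a freed region with a free stack) is what a crash-triage script should check before trusting ASan's headline type, and the two reports on this bug show why: the same read at PContentParent.cpp:3724 is first reported as a heap-buffer-overflow "wild access" and later as a heap-use-after-free. The following is an added example, not Mozilla code or anything attached to this bug: it parses a report, extracts the faulting frame and the free/alloc stacks, and classifies the access from the shadow byte and ASan's attribution line. The inputs are condensed copies of the two reports above; `triage_report`, `Triage` and the verdict strings are this example's own names.

```python
"""Triage helper for AddressSanitizer heap reports (added example, not Mozilla code)."""
import re
from dataclasses import dataclass, field

# Legend as ASan prints it; one shadow byte covers 8 application bytes.
SHADOW_LEGEND = {
    0x00: "addressable", 0xfa: "heap left redzone", 0xfb: "heap right redzone",
    0xfd: "freed heap region", 0xf1: "stack left redzone", 0xf2: "stack mid redzone",
    0xf3: "stack right redzone", 0xf4: "stack partial redzone", 0xf5: "stack after return",
    0xf8: "stack use after scope", 0xf9: "global redzone", 0xf6: "global init order",
    0xf7: "poisoned by user", 0xfc: "contiguous container OOB", 0xfe: "ASan internal",
}
HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)", re.M)
# "#N 0x... in <function> <file:line>" or "#N 0x... in <function> (<module+offset>)"
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (?:/|\()")
MARKED_RE = re.compile(r"^=>0x[0-9a-f]+:.*\[([0-9a-f]{2})\]", re.M)  # the bracketed shadow byte

@dataclass
class Triage:
    pid: int
    kind: str          # ASan headline, e.g. heap-buffer-overflow
    address: str
    access: str        # READ or WRITE
    size: int
    top_frame: str     # innermost frame of the faulting stack
    shadow_byte: int   # value of the bracketed byte in the shadow dump
    located: bool      # ASan attributed the address to a chunk ("... is located ...")
    free_stack: list = field(default_factory=list)
    alloc_stack: list = field(default_factory=list)

    @property
    def shadow_meaning(self) -> str:
        b = self.shadow_byte
        return "partially addressable" if 0x01 <= b <= 0x07 else SHADOW_LEGEND.get(b, "unknown")

    @property
    def verdict(self) -> str:
        """Classify from the shadow byte and ASan's attribution, not the headline alone."""
        if self.shadow_byte == 0xfd and self.free_stack:
            return "use-after-free: freed chunk, free stack available"
        if not self.located:
            return "wild access: address not attributable to a chunk; headline type unreliable"
        if self.shadow_byte in (0xfa, 0xfb):
            return "out-of-bounds: redzone beside a live chunk"
        return f"{self.kind} ({self.shadow_meaning})"

def _frames(block: str) -> list:
    """Function names of the '#N 0x... in func location' frames in one stack block."""
    return [m.group(1) for m in map(FRAME_RE.match, block.splitlines()) if m]

def _stack_after(text: str, marker: str) -> list:
    """Frames of the stack that follows a marker such as 'freed by thread T0 here:'."""
    m = re.search(marker, text)
    return _frames(text[m.end():].split("\n\n", 1)[0]) if m else []

def triage_report(text: str) -> Triage:
    """Parse one ASan report and classify the faulting access."""
    hdr, acc, mark = HEADER_RE.search(text), ACCESS_RE.search(text), MARKED_RE.search(text)
    if not (hdr and acc and mark):
        raise ValueError("not a recognisable ASan heap report")
    fault_stack = _frames(text[acc.end():].split("\n\n", 1)[0])
    return Triage(
        pid=int(hdr.group(1)), kind=hdr.group(2), address=hdr.group(3),
        access=acc.group(1), size=int(acc.group(2)),
        top_frame=fault_stack[0] if fault_stack else "?",
        shadow_byte=int(mark.group(1), 16), located=" is located " in text,
        free_stack=_stack_after(text, r"freed by thread \S+ here:"),
        alloc_stack=_stack_after(text, r"previously allocated by thread \S+ here:"),
    )

# Constructed inputs: the two reports on this bug, condensed (long paths elided with ...).
REPORT_WILD = """\
==9358==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c000bdcac0 at pc 0x7f1593bac50f bp 0x7ffd5d2ab330 sp 0x7ffd5d2ab328
READ of size 8 at 0x60c000bdcac0 thread T0
    #0 0x7f1593bac50e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/.../ipc/ipdl/PContentParent.cpp:3724

AddressSanitizer can not describe address in more detail (wild memory access suspected).
=>0x0c1880173950: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
"""
REPORT_UAF = """\
==26516==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0003b3380 at pc 0x7f56af3e650f bp 0x7ffc28c0ad10 sp 0x7ffc28c0ad08
READ of size 8 at 0x60c0003b3380 thread T0
    #0 0x7f56af3e650e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/.../ipc/ipdl/PContentParent.cpp:3724

0x60c0003b3380 is located 0 bytes inside of 120-byte region [0x60c0003b3380,0x60c0003b33f8)
freed by thread T0 here:
    #0 0x472051 in __interceptor_free /builds/.../asan_malloc_linux.cc:64
    #1 0x7f56ae025658 in SnowWhiteKiller::~SnowWhiteKiller() /builds/.../xpcom/base/nsCycleCollector.cpp:2655

previously allocated by thread T0 here:
    #0 0x472251 in malloc /builds/.../asan_malloc_linux.cc:74
    #3 0x7f56b054e3c4 in nsGlobalWindow::SetTimeoutOrInterval(nsIScriptTimeoutHandler*, int, bool, int*) /builds/.../dom/base/nsGlobalWindow.cpp:11624

=>0x0c188006e670:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
"""

if __name__ == "__main__":
    for t in map(triage_report, (REPORT_WILD, REPORT_UAF)):
        print(f"pid {t.pid}: {t.kind} {t.access}/{t.size} in {t.top_frame}; "
              f"shadow 0x{t.shadow_byte:02x} ({t.shadow_meaning}) -> {t.verdict}")
```

Run against a full report the script reads the first error only; the secondary SIGSEGV from the child aborting on channel error, as in the logs above, is a consequence of the parent crashing and should not be triaged as a separate bug.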
If you could describe what you did to make it crash like this, that would be extremely helpful.
(Reporter)

Comment 7

2 years ago
That seems to occur in the transition from one of the samples to another, but not always. I wanted to know exactly _why_ that happened (attached the that produces the crash, after 0-1 2 crash).

Reproduced after 3 attempts again:

=================================================================
==4466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60c0000b32c0 at pc 0x7f7df370c50f bp 0x7fff3c1a57f0 sp 0x7fff3c1a57e8
READ of size 8 at 0x60c0000b32c0 thread T0
    #0 0x7f7df370c50e in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724
    #1 0x7f7df2e870fc in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1477
    #2 0x7f7df2e846dc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1412
    #3 0x7f7df2e74542 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1381
    #4 0x7f7df2df9f44 in RunTask /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #5 0x7f7df2df9f44 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #6 0x7f7df2dfaff7 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #7 0x7f7df2e8ed32 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:220
    #8 0x7f7df246751f in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:995
    #9 0x7f7df24e281a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:297
    #10 0x7f7df2e8e369 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:95
    #11 0x7f7df2df8acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #12 0x7f7df2df8acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #13 0x7f7df2df8acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #14 0x7f7df8200857 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #15 0x7f7dfa03e078 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #16 0x7f7dfa140b3a in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4278
    #17 0x7f7dfa141da6 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4375
    #18 0x7f7dfa142bee in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsAppRunner.cpp:4477
    #19 0x48a6c9 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:212
    #20 0x48a6c9 in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:352
    #21 0x7f7e213246ff in __libc_start_main (/lib64/libc.so.6+0x206ff)
    #22 0x489c3c in _start (/home/revskillz/browsers/firefox/firefox-bin+0x489c3c)

AddressSanitizer can not describe address in more detail (wild memory access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3724 mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&)
Shadow bytes around the buggy address:
  0x0c188000e600: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c188000e610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c188000e620: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c188000e630: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c188000e640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c188000e650: fa fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa
  0x0c188000e660: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c188000e670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c188000e680: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c188000e690: 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa fa
  0x0c188000e6a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==4466==ABORTING
[Child 9607] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
[Child 9607] ###!!! ABORT: Aborting on channel error.: file /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp, line 1857
ASAN:SIGSEGV
=================================================================
==9607==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x00000048e1de sp 0x7fc84e6e1cc0 bp 0x7fc84e6e1cd0 T2)
    #0 0x48e1dd in mozalloc_abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33
    #1 0x7fc86eee1c75 in Abort(char const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:452
    #2 0x7fc86eee193e in NS_DebugBreak /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/base/nsDebugImpl.cpp:404
    #3 0x7fc86fa39bc1 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1857
    #4 0x7fc86fa3ebe0 in OnChannelError /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageLink.cpp:429
    #5 0x7fc86fa3ebe0 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/glue/Unified_cpp_ipc_glue0.cpp:430
    #6 0x7fc86fa00492 in event_process_active_single_queue /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1350
    #7 0x7fc86fa00492 in event_process_active /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1420
    #8 0x7fc86fa00492 in event_base_loop /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/third_party/libevent/event.c:1621
    #9 0x7fc86f9aef5c in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_pump_libevent.cc:362
    #10 0x7fc86f9a9acc in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #11 0x7fc86f9a9acc in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #12 0x7fc86f9a9acc in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #13 0x7fc86f9c1a73 in base::Thread::ThreadMain() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:172
    #14 0x7fc86f9c332c in ThreadFunc(void*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:36
    #15 0x7fc87d548554 in start_thread (/lib64/libpthread.so.0+0x7554)
    #16 0x7fc86c927b9c in __clone (/lib64/libc.so.6+0x102b9c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc_abort.cpp:33 mozalloc_abort(char const*)
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x461945 in pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7fc86f9c1654 in CreateThread /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135
    #2 0x7fc86f9c1654 in Create /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7fc86f9c1654 in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/thread.cc:94
    #4 0x7fc86fa4086b in mozilla::ipc::ProcessChild::ProcessChild(int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/ProcessChild.cpp:22
    #5 0x7fc876cf8349 in operator new /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:28
    #6 0x7fc876cf8349 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:574
    #7 0x48d760 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:237
    #8 0x7fc86c8456ff in __libc_start_main (/lib64/libc.so.6+0x206ff)

==9607==ABORTING
(Reporter)

Comment 8

2 years ago
Created attachment 8716881 [details]
mozilla-IPC.tar.gz

Please change window.location.href for your testing
I haven't been able to reproduce this crash yet, but I've found another one that might be related, by killing the browser with SIGINT (^C) while it's running:

==76116==ERROR: AddressSanitizer: heap-use-after-free on address 0x610000117f68 at pc 0x7f2a91ec82a1 bp 0x7f2a72cf2330 sp 0x7f2a72cf2328
READ of size 4 at 0x610000117f68 thread T35 (Cameras IPC)
    #0 0x7f2a91ec82a0 in mozilla::camera::PCamerasChild::SendAllDone() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/ipc/ipdl/PCamerasChild.cpp:266:62
    #1 0x7f2a955bb537 in mozilla::camera::CamerasChild::Shutdown()::$_8::operator()() const /home/jld/src/gecko-dev/dom/media/systemservices/CamerasChild.cpp:521:19
    #2 0x7f2a955bb537 in mozilla::media::LambdaRunnable<mozilla::camera::CamerasChild::Shutdown()::$_8>::Run() /home/jld/src/gecko-dev/dom/media/systemservices/MediaUtils.h:196
    #3 0x7f2a90d75d2e in nsThread::ProcessNextEvent(bool, bool*) /home/jld/src/gecko-dev/xpcom/threads/nsThread.cpp:1018:7
    #4 0x7f2a90ddfdc7 in NS_ProcessNextEvent(nsIThread*, bool) /home/jld/src/gecko-dev/xpcom/glue/nsThreadUtils.cpp:297:10

0x610000117f68 is located 40 bytes inside of 184-byte region [0x610000117f40,0x610000117ff8)
freed by thread T35 (Cameras IPC) here:
    #0 0x4be3e0 in __interceptor_free /home/jld/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:30
    #1 0x7f2a916fc976 in mozilla::camera::CamerasChild::Release() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/CamerasChild.h:150:3
    #2 0x7f2a916fc976 in RefPtr<mozilla::camera::CamerasChild>::AddRefTraitsReleaseHelper(mozilla::camera::CamerasChild*) /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/mozilla/RefPtr.h:362
    #3 0x7f2a916fc976 in RefPtr<mozilla::camera::CamerasChild>::AddRefTraits<mozilla::camera::CamerasChild>::Release(mozilla::camera::CamerasChild*) /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/mozilla/RefPtr.h:372
    #4 0x7f2a916fc976 in RefPtr<mozilla::camera::CamerasChild>::~RefPtr() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/mozilla/RefPtr.h:56
    #5 0x7f2a916fc976 in mozilla::ipc::BackgroundChildImpl::DeallocPCamerasChild(mozilla::camera::PCamerasChild*) /home/jld/src/gecko-dev/ipc/glue/BackgroundChildImpl.cpp:313
    #6 0x7f2a917cea54 in mozilla::ipc::PBackgroundChild::DeallocSubtree() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/ipc/ipdl/PBackgroundChild.cpp:2429:13
    #7 0x7f2a917cfb92 in mozilla::ipc::PBackgroundChild::OnChannelError() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/ipc/ipdl/PBackgroundChild.cpp:2062:5
    #8 0x7f2a9171fb1d in mozilla::ipc::MessageChannel::NotifyMaybeChannelError() /home/jld/src/gecko-dev/ipc/glue/MessageChannel.cpp:1848:5
    #9 0x7f2a9171feb9 in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /home/jld/src/gecko-dev/ipc/glue/MessageChannel.cpp:1877:5
    #10 0x7f2a916475b4 in MessageLoop::RunTask(Task*) /home/jld/src/gecko-dev/ipc/chromium/src/base/message_loop.cc:364:3
    #11 0x7f2a916475b4 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /home/jld/src/gecko-dev/ipc/chromium/src/base/message_loop.cc:372
    #12 0x7f2a91647ae4 in MessageLoop::DoWork() /home/jld/src/gecko-dev/ipc/chromium/src/base/message_loop.cc:459:13
    #13 0x7f2a9172368c in mozilla::ipc::DoWorkRunnable::Run() /home/jld/src/gecko-dev/ipc/glue/MessagePump.cpp:220:3
    #14 0x7f2a90d75d2e in nsThread::ProcessNextEvent(bool, bool*) /home/jld/src/gecko-dev/xpcom/threads/nsThread.cpp:1018:7
    #15 0x7f2a90ddfdc7 in NS_ProcessNextEvent(nsIThread*, bool) /home/jld/src/gecko-dev/xpcom/glue/nsThreadUtils.cpp:297:10

previously allocated by thread T35 (Cameras IPC) here:
    #0 0x4be6f8 in __interceptor_malloc /home/jld/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:40
    #1 0x4ec76d in moz_xmalloc /home/jld/src/gecko-dev/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f2a916fc8e1 in operator new(unsigned long) /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/mozilla/mozalloc.h:186:12
    #3 0x7f2a916fc8e1 in mozilla::ipc::BackgroundChildImpl::AllocPCamerasChild() /home/jld/src/gecko-dev/ipc/glue/BackgroundChildImpl.cpp:297
    #4 0x7f2a917bd447 in mozilla::ipc::PBackgroundChild::SendPCamerasConstructor() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/ipc/ipdl/PBackgroundChild.cpp:561:36
    #5 0x7f2a955c75ed in mozilla::camera::InitializeIPCThread::Run() /home/jld/src/gecko-dev/dom/media/systemservices/CamerasChild.cpp:67:51
    #6 0x7f2a90d22848 in mozilla::SyncRunnable::Run() /home/jld/src/obj.gecko-dev/obj-x86_64-unknown-linux-gnu/dist/include/mozilla/SyncRunnable.h:75:5
    #7 0x7f2a90d75d2e in nsThread::ProcessNextEvent(bool, bool*) /home/jld/src/gecko-dev/xpcom/threads/nsThread.cpp:1018:7
    #8 0x7f2a90ddfdc7 in NS_ProcessNextEvent(nsIThread*, bool) /home/jld/src/gecko-dev/xpcom/glue/nsThreadUtils.cpp:297:10
I notice you're using getUserMedia — were you running this from an origin that you'd granted camera permissions?
Flags: needinfo?(rs)
(In reply to Jed Davis [:jld] from comment #9)
> I haven't been able to reproduce this crash yet, but I've found another one
> that might be related, by killing the browser with SIGINT (^C) while it's
> running

…and I should mention that when I got that crash, I'd altered the sample documents to do window.location.href=((Math.random()*3)|0)+".html" instead of always reloading the same page.
(Reporter)

Comment 12

2 years ago
These samples are code snippets from testcases mixed with other random code generated by a grammar. I've reproduced the issue on my server and my desktop, so afaik I have the same permissions granted in both.
Flags: needinfo?(rs)
I think we can file the Cameras one separately, and see if fixing it makes this go away, or just continue investigating here to see what's actually happening and if it's the same (I see no indication it is). 

https://dxr.mozilla.org/mozilla-central/source/dom/media/systemservices/CamerasChild.cpp#518
The comment is wrong for the case where this is called from the destructor (which appears to be the case on channel errors), the "this" reference is non-owning and won't keep the object alive. In normal operation we call Shutdown() on the child first and then the sequence works as intended.
Filed bug 1247236 for the Cameras issue.
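The lifetime problem described in the previous comment, modelled as an added example (this is not Gecko code and not the patch from bug 1247236; `TaskQueue`, `CamerasChildLike`, `Outcome` and the `gLive` registry are stand-ins invented here). A deferred task that captures a raw `this` is only safe if the caller keeps the object alive until the task runs; when the shutdown sequence is started from the destructor, nobody owns the object any more, so the task runs on freed memory. The registry lets the example detect the dangling pointer instead of dereferencing it, which is what the real crash did.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <queue>
#include <set>

// Stand-in for the "Cameras IPC" thread: tasks are queued and run later, in order.
struct TaskQueue {
    std::queue<std::function<void()>> tasks;
    void Dispatch(std::function<void()> f) { tasks.push(std::move(f)); }
    void DrainAll() {
        while (!tasks.empty()) {
            auto t = std::move(tasks.front());
            tasks.pop();
            t();
        }
    }
};

// Registry of live objects (constructed for this example only) so a task can
// detect that `this` is dangling instead of reading freed memory.
static std::set<const void*> gLive;

struct Outcome {
    int sentWhileAlive = 0;   // SendAllDone() reached a live object
    int taskSawDeadThis = 0;  // task ran after destruction: a UAF in real code
};

struct CamerasChildLike : std::enable_shared_from_this<CamerasChildLike> {
    Outcome* out;
    TaskQueue* pendingQueue = nullptr;  // set only on the channel-error path

    explicit CamerasChildLike(Outcome* o) : out(o) { gLive.insert(this); }
    ~CamerasChildLike() {
        gLive.erase(this);
        // Models the channel-error path: the destructor starts the shutdown
        // sequence, but at this point nothing owns the object any more.
        if (pendingQueue) ShutdownRaw(*pendingQueue);
    }

    void SendAllDone() { ++out->sentWhileAlive; }

    // Vulnerable pattern: the queued lambda captures a raw `this`. The comment
    // in the real code assumed the caller keeps the object alive; called from
    // a destructor, that assumption cannot hold.
    void ShutdownRaw(TaskQueue& q) {
        Outcome* o = out;
        q.Dispatch([this, o]() {
            if (!gLive.count(this)) { ++o->taskSawDeadThis; return; }  // dangling `this`
            SendAllDone();
        });
    }

    // Hardened pattern: the task holds its own strong reference, so the object
    // cannot be destroyed before the task runs. This must be called while some
    // strong reference still exists; shared_from_this() throws in a destructor.
    void ShutdownStrong(TaskQueue& q) {
        std::shared_ptr<CamerasChildLike> self = shared_from_this();
        q.Dispatch([self]() { self->SendAllDone(); });
    }
};

// Normal operation: Shutdown() is called explicitly before the last reference drops.
Outcome NormalShutdown() {
    Outcome o;
    TaskQueue q;
    auto child = std::make_shared<CamerasChildLike>(&o);
    child->ShutdownStrong(q);
    child.reset();   // owner lets go; the queued task still holds a reference
    q.DrainAll();    // SendAllDone() runs on a live object, which is then freed
    return o;
}

// Channel error: nobody calls Shutdown(); the last reference is dropped and the
// destructor queues a raw-`this` task that runs after the object is gone.
Outcome ChannelErrorShutdown() {
    Outcome o;
    TaskQueue q;
    auto child = std::make_shared<CamerasChildLike>(&o);
    child->pendingQueue = &q;
    child.reset();   // ~CamerasChildLike() queues the task, then memory is freed
    q.DrainAll();    // task finds `this` dead: heap-use-after-free in real code
    return o;
}

int main() {
    Outcome a = NormalShutdown();
    Outcome b = ChannelErrorShutdown();
    std::printf("normal: sent=%d dead=%d\n", a.sentWhileAlive, a.taskSawDeadThis);
    std::printf("channel error: sent=%d dead=%d\n", b.sentWhileAlive, b.taskSawDeadThis);
    return 0;
}
```

The fix direction the comment implies follows from the two scenarios: either make sure the owner runs the shutdown sequence while it still holds a reference (so the task can take a strong reference of its own), or give the queued task ownership outright; a raw `this` in a task that outlives its dispatcher is never safe on a channel-error path.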
(Reporter)

Comment 15

2 years ago
I'm not familiar with IPC in Firefox, any recommendation to debug this issue?
Francisco, can you still reproduce this? The other camera issue has been fixed, so hopefully this was fixed, too. Thanks.
Flags: needinfo?(rs)
(Reporter)

Comment 17

2 years ago
I can't reproduce. I've been waiting for help to identify exactly where this happens, but it seems related to the camera issue.

Thank you.
Flags: needinfo?(rs)
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → WORKSFORME
Whiteboard: [fixed by bug 1247236?]
Flags: sec-bounty?
This appears to have been fixed by a bug spawned /from/ this bug. For bounty tracking purposes we need to mark this fixed ("depends on") to give Francisco proper credit
Depends on: 1247236
Flags: sec-bounty? → sec-bounty+
Resolution: WORKSFORME → FIXED
Group: dom-core-security → core-security-release
(Reporter)

Comment 19

2 years ago
(In reply to Daniel Veditz [:dveditz] from comment #18)

Please note, in the credits, do not use NowSecure anymore; e.g. "Francisco Alonso, revskills" should be fine.

> This appears to have been fixed by a bug spawned /from/ this bug. For bounty
> tracking purposes we need to mark this fixed ("depends on") to give
> Francisco proper credit
(In reply to Daniel Veditz [:dveditz] from comment #18)
> This appears to have been fixed by a bug spawned /from/ this bug. For bounty
> tracking purposes we need to mark this fixed ("depends on") to give
> Francisco proper credit

Please note comment 9 and comment 13. I've seen no evidence the bug reported here is the same as bug 1247236. For one, the bug in 1247236 specifically requires triggering an abnormal shutdown (like Ctrl-C-ing a process), and it gives a trace that points rather directly at the problem. None of that seems to apply to what was reported here.
True, but the reporter can't reproduce anymore either; bug 1247236 seems as likely as anything else.
status-firefox45: --- → fixed
status-firefox46: --- → fixed
status-firefox47: --- → fixed
status-firefox-esr38: --- → unaffected
status-firefox-esr45: --- → fixed
Setting qe-verify- based on reporter's comment 17.
Flags: qe-verify-
Group: core-security-release
Keywords: csectype-bounds