asan builds report heap-use-after-free inside libpref

Status: NEW (Unassigned)
Reporter: markh
Tracking: Not tracked
Attachments: 1

Description

2 years ago
Created attachment 8843148: asan crash report

Landing bug 1317223 exposed a heap-use-after-free asan error inside libpref. That bug is a JS-only patch, so it shouldn't be able to cause such an error; my assumption is that the patch is triggering an existing edge case. The crash happens when calling nsIPrefBranch::resetBranch().

It reports the use-after-free at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/prefapi.cpp#1009, while the free is at https://dxr.mozilla.org/mozilla-central/rev/d29f84406483c721a13cf9a52936ecced0c5c98a/modules/libpref/nsPrefBranch.cpp#847.

Bug 1317223 is landing with xpcshell tests disabled in asan builds, so to reproduce this, you will need to remove the "skip-if = asan" in services/sync/tests/unit/xpcshell.ini and push to try. Note that using artifact builds on try apparently *does not* trigger the crash, but a full build does.

Attached is one such asan report.