Bug 1356824 (CVE-2017-7757)

AddressSanitizer: heap-use-after-free WRITE of size 4 dom/indexedDB/ActorsParent.cpp:21164:10

RESOLVED FIXED in Firefox -esr52

Status

defect
RESOLVED FIXED

People

Reporter: rs, Assigned: janv

Tracking

Keywords: csectype-uaf, sec-high, testcase
Version: unspecified
Target Milestone: mozilla55
Points: ---
Bug Flags: sec-bounty +

Firefox Tracking Flags

firefox-esr45: wontfix
firefox-esr52: 54+ fixed
firefox53: wontfix
firefox54: + fixed
firefox55: + fixed

Details

Whiteboard: [post-critsmash-triage][adv-main54+][adv-esr52.2+]

Attachments

2 attachments, 2 obsolete attachments

Reporter

Description

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/59.0.3067.0 Safari/537.36

Steps to reproduce:

ASAN build 55.0a1 (2017-04-14) (64-bit)

I'm trying to identify how exactly this happens (please check whether this is a duplicate issue); any help is appreciated. I can reproduce this issue multiple times; attached are two stack traces from the latest Nightly ASAN build:

Actual results:

=================================================================
==8636==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000668dc8 at pc 0x7ff0a2b32861 bp 0x7ff03c65c9d0 sp 0x7ff03c65c9c8
WRITE of size 4 at 0x614000668dc8 thread T38 (IPDL Background)
    #0 0x7ff0a2b32860 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10
    #1 0x7ff0a2b352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #2 0x7ff0a2a932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #3 0x7ff0a2b3305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #4 0x7ff0a2ab8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #5 0x7ff0a2ab8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #6 0x7ff09e420f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #7 0x7ff09e590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #8 0x7ff09e0cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #9 0x7ff09e0c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #10 0x7ff09e0c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #11 0x7ff09e0ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #12 0x7ff09d3104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #13 0x7ff09d30cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #14 0x7ff09e0d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #15 0x7ff09e039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #16 0x7ff09e039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #17 0x7ff09e039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #18 0x7ff09d30991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #19 0x7ff0b6ad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #20 0x7ff0ba3d66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #21 0x7ff0b945cf7e in __GI___clone (/lib64/libc.so.6+0x107f7e)

0x614000668dc8 is located 392 bytes inside of 448-byte region [0x614000668c40,0x614000668e00)
freed by thread T38 (IPDL Background) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7ff09d31a093 in mozilla::Runnable::Release() /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:40:1
    #2 0x7ff0a2b326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40:11
    #3 0x7ff0a2b326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
    #4 0x7ff0a2b326c2 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
    #5 0x7ff0a2b326c2 in Destruct /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:560
    #6 0x7ff0a2b326c2 in DestructRange /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2007
    #7 0x7ff0a2b326c2 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2055
    #8 0x7ff0a2b326c2 in RemoveElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1730
    #9 0x7ff0a2b326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *, nsDefaultComparator<RefPtr<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp>, mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1756
    #10 0x7ff0a2b326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1765
    #11 0x7ff0a2b326c2 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21158
    #12 0x7ff0a2b352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #13 0x7ff0a2a932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #14 0x7ff0a2b3305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #15 0x7ff0a2ab8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #16 0x7ff0a2ab8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #17 0x7ff09e420f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #18 0x7ff09e590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #19 0x7ff09e0cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #20 0x7ff09e0c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #21 0x7ff09e0c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #22 0x7ff09e0ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #23 0x7ff09d3104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #24 0x7ff09d30cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #25 0x7ff09e0d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #26 0x7ff09e039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #27 0x7ff09e039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #28 0x7ff09e039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #29 0x7ff09d30991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #30 0x7ff0b6ad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #31 0x7ff0ba3d66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

previously allocated by thread T38 (IPDL Background) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7ff0a2a917dc in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7ff0a2a917dc in mozilla::dom::indexedDB::(anonymous namespace)::Factory::AllocPBackgroundIDBFactoryRequestParent(mozilla::dom::indexedDB::FactoryRequestParams const&) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14056
    #4 0x7ff09e540623 in mozilla::dom::indexedDB::PBackgroundIDBFactoryParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBFactoryParent.cpp:234:21
    #5 0x7ff09e590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #6 0x7ff09e0cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #7 0x7ff09e0c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #8 0x7ff09e0c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #9 0x7ff09e0ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #10 0x7ff09d3104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #11 0x7ff09d30cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #12 0x7ff09e0d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #13 0x7ff09e039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #14 0x7ff09e039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #15 0x7ff09e039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #16 0x7ff09d30991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #17 0x7ff0b6ad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #18 0x7ff0ba3d66c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T38 (IPDL Background) created by T0 here:
    #0 0x4a3b76 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7ff0b6ad5a39 in _PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7ff0b6ad564e in PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7ff09d30b657 in nsThread::Init(nsACString const&) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:680:8
    #4 0x7ff09d314f3b in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) /home/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:268:22
    #5 0x7ff09d316f03 in NS_NewNamedThread(nsACString const&, nsIThread**, nsIRunnable*, unsigned int) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:105:45
    #6 0x7ff09e0a1529 in NS_NewNamedThread<16> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7ff09e0a1529 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1125
    #8 0x7ff09e0a7903 in CreateActorForSameProcess /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1058:30
    #9 0x7ff09e0a7903 in (anonymous namespace)::ChildImpl::OpenProtocolOnMainThread(nsIEventTarget*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1992
    #10 0x7ff09e08d99f in (anonymous namespace)::ChildImpl::GetOrCreateForCurrentThread(nsIIPCBackgroundChildCreateCallback*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1615:9
    #11 0x7ff0a2d0615c in mozilla::dom::workers::ServiceWorkerManager::Init(mozilla::dom::ServiceWorkerRegistrar*) /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:283:8
    #12 0x7ff0a2d02d48 in mozilla::dom::workers::ServiceWorkerManager::GetInstance() /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:1682:16
    #13 0x7ff09fc0f65b in nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:4742:40
    #14 0x7ff0a3b551ee in nsDocumentViewer::Close(nsISHEntry*) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1531:18
    #15 0x7ff0a5eb3210 in nsDocShell::SetupNewViewer(nsIContentViewer*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9434:20
    #16 0x7ff0a5eb1e86 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7284:17
    #17 0x7ff0a5e482e1 in nsDocShell::CreateContentViewer(nsACString const&, nsIRequest*, nsIStreamListener**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9263:3
    #18 0x7ff0a5e4548b in nsDSURIContentListener::DoContent(nsACString const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:128:21
    #19 0x7ff09ec1f706 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:756:28
    #20 0x7ff09ec1c8dc in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:434:30
    #21 0x7ff09ec1b0f3 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:296:8
    #22 0x7ff09ea7a27f in nsJARChannel::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:1023:30
    #23 0x7ff09d4bbfa0 in nsInputStreamPump::OnStateStart() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:527:25
    #24 0x7ff09d4bb644 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:429:25
    #25 0x7ff09d2b0ebd in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:20
    #26 0x7ff09d3104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #27 0x7ff09d30cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #28 0x7ff09e0d26d1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #29 0x7ff09e039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #30 0x7ff09e039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #31 0x7ff09e039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #32 0x7ff0a33665ef in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #33 0x7ff0a67c8881 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #34 0x7ff0a698db7e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4538:22
    #35 0x7ff0a698f500 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4718:8
    #36 0x7ff0a69907cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
    #37 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #38 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #39 0x7ff0b9375400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults()
Shadow bytes around the buggy address:
  0x0c28800c5160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c5170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c5180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800c5190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800c51a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c28800c51b0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c28800c51c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c51d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c51e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c51f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800c5200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8636==ABORTING

Second reproduction:

=================================================================
==9220==ERROR: AddressSanitizer: heap-use-after-free on address 0x614003578bc8 at pc 0x7f74f8432861 bp 0x7f74d1f849d0 sp 0x7f74d1f849c8
WRITE of size 4 at 0x614003578bc8 thread T38 (IPDL Background)
    #0 0x7f74f8432860 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10
    #1 0x7f74f84352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #2 0x7f74f83932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #3 0x7f74f843305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #4 0x7f74f83b8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #5 0x7f74f83b8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #6 0x7f74f3d20f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #7 0x7f74f3e90f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #8 0x7f74f39cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #9 0x7f74f39c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #10 0x7f74f39c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #11 0x7f74f39ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #12 0x7f74f2c104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #13 0x7f74f2c0cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #14 0x7f74f39d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #15 0x7f74f3939070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #16 0x7f74f3939070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #17 0x7f74f3939070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #18 0x7f74f2c0991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #19 0x7f750c3d8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #20 0x7f750fcfa6c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #21 0x7f750ed80f7e in __GI___clone (/lib64/libc.so.6+0x107f7e)

0x614003578bc8 is located 392 bytes inside of 448-byte region [0x614003578a40,0x614003578c00)
freed by thread T38 (IPDL Background) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f74f2c1a093 in mozilla::Runnable::Release() /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:40:1
    #2 0x7f74f84326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40:11
    #3 0x7f74f84326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
    #4 0x7f74f84326c2 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
    #5 0x7f74f84326c2 in Destruct /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:560
    #6 0x7f74f84326c2 in DestructRange /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2007
    #7 0x7f74f84326c2 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2055
    #8 0x7f74f84326c2 in RemoveElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1730
    #9 0x7f74f84326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *, nsDefaultComparator<RefPtr<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp>, mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1756
    #10 0x7f74f84326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1765
    #11 0x7f74f84326c2 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21158
    #12 0x7f74f84352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #13 0x7f74f83932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #14 0x7f74f843305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #15 0x7f74f83b8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #16 0x7f74f83b8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #17 0x7f74f3d20f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #18 0x7f74f3e90f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #19 0x7f74f39cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #20 0x7f74f39c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #21 0x7f74f39c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #22 0x7f74f39ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #23 0x7f74f2c104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #24 0x7f74f2c0cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #25 0x7f74f39d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #26 0x7f74f3939070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #27 0x7f74f3939070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #28 0x7f74f3939070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #29 0x7f74f2c0991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #30 0x7f750c3d8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #31 0x7f750fcfa6c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

previously allocated by thread T38 (IPDL Background) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f74f83917dc in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f74f83917dc in mozilla::dom::indexedDB::(anonymous namespace)::Factory::AllocPBackgroundIDBFactoryRequestParent(mozilla::dom::indexedDB::FactoryRequestParams const&) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14056
    #4 0x7f74f3e40623 in mozilla::dom::indexedDB::PBackgroundIDBFactoryParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBFactoryParent.cpp:234:21
    #5 0x7f74f3e90f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #6 0x7f74f39cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #7 0x7f74f39c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #8 0x7f74f39c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #9 0x7f74f39ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #10 0x7f74f2c104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #11 0x7f74f2c0cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #12 0x7f74f39d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #13 0x7f74f3939070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #14 0x7f74f3939070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #15 0x7f74f3939070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #16 0x7f74f2c0991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #17 0x7f750c3d8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #18 0x7f750fcfa6c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T38 (IPDL Background) created by T0 here:
    #0 0x4a3b76 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7f750c3d5a39 in _PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f750c3d564e in PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f74f2c0b657 in nsThread::Init(nsACString const&) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:680:8
    #4 0x7f74f2c14f3b in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) /home/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:268:22
    #5 0x7f74f2c16f03 in NS_NewNamedThread(nsACString const&, nsIThread**, nsIRunnable*, unsigned int) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:105:45
    #6 0x7f74f39a1529 in NS_NewNamedThread<16> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f74f39a1529 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1125
    #8 0x7f74f39a7903 in CreateActorForSameProcess /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1058:30
    #9 0x7f74f39a7903 in (anonymous namespace)::ChildImpl::OpenProtocolOnMainThread(nsIEventTarget*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1992
    #10 0x7f74f398d99f in (anonymous namespace)::ChildImpl::GetOrCreateForCurrentThread(nsIIPCBackgroundChildCreateCallback*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1615:9
    #11 0x7f74f860615c in mozilla::dom::workers::ServiceWorkerManager::Init(mozilla::dom::ServiceWorkerRegistrar*) /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:283:8
    #12 0x7f74f8602d48 in mozilla::dom::workers::ServiceWorkerManager::GetInstance() /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:1682:16
    #13 0x7f74f550f65b in nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:4742:40
    #14 0x7f74f94551ee in nsDocumentViewer::Close(nsISHEntry*) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1531:18
    #15 0x7f74fb7b3210 in nsDocShell::SetupNewViewer(nsIContentViewer*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9434:20
    #16 0x7f74fb7b1e86 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7284:17
    #17 0x7f74fb7482e1 in nsDocShell::CreateContentViewer(nsACString const&, nsIRequest*, nsIStreamListener**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9263:3
    #18 0x7f74fb74548b in nsDSURIContentListener::DoContent(nsACString const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:128:21
    #19 0x7f74f451f706 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:756:28
    #20 0x7f74f451c8dc in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:434:30
    #21 0x7f74f451b0f3 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:296:8
    #22 0x7f74f437a27f in nsJARChannel::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:1023:30
    #23 0x7f74f2dbbfa0 in nsInputStreamPump::OnStateStart() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:527:25
    #24 0x7f74f2dbb644 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:429:25
    #25 0x7f74f2bb0ebd in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:20
    #26 0x7f74f2c104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #27 0x7f74f2c0cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #28 0x7f74f39d26d1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #29 0x7f74f3939070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #30 0x7f74f3939070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #31 0x7f74f3939070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #32 0x7f74f8c665ef in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #33 0x7f74fc0c8881 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #34 0x7f74fc28db7e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4538:22
    #35 0x7f74fc28f500 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4718:8
    #36 0x7f74fc2907cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
    #37 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #38 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #39 0x7f750ec99400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults()
Shadow bytes around the buggy address:
  0x0c28806a7120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28806a7130: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28806a7140: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28806a7150: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28806a7160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c28806a7170: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c28806a7180: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c28806a7190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28806a71a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28806a71b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28806a71c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9220==ABORTING
[Child 9324] WARNING: pipe error (3): Connection reset by peer: file /home/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
Reporter

Comment 1

2 years ago
Another stacktrace:

==11515==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140006b2dc8 at pc 0x7f1a78b32861 bp 0x7f1a534a09d0 sp 0x7f1a534a09c8
WRITE of size 4 at 0x6140006b2dc8 thread T38 (IPDL Background)
    #0 0x7f1a78b32860 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10
    #1 0x7f1a78b352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #2 0x7f1a78a932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #3 0x7f1a78b3305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #4 0x7f1a78ab8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #5 0x7f1a78ab8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #6 0x7f1a74420f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #7 0x7f1a74590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #8 0x7f1a740cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #9 0x7f1a740c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #10 0x7f1a740c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #11 0x7f1a740ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #12 0x7f1a733104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #13 0x7f1a7330cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #14 0x7f1a740d3c0a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338:20
    #15 0x7f1a74039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #16 0x7f1a74039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #17 0x7f1a74039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #18 0x7f1a7330991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #19 0x7f1a8cad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #20 0x7f1a903e76c9 in start_thread (/lib64/libpthread.so.0+0x76c9)
    #21 0x7f1a8f46df7e in __GI___clone (/lib64/libc.so.6+0x107f7e)

0x6140006b2dc8 is located 392 bytes inside of 448-byte region [0x6140006b2c40,0x6140006b2e00)
freed by thread T38 (IPDL Background) here:
    #0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f1a7331a093 in mozilla::Runnable::Release() /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:40:1
    #2 0x7f1a78b326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40:11
    #3 0x7f1a78b326c2 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
    #4 0x7f1a78b326c2 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
    #5 0x7f1a78b326c2 in Destruct /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:560
    #6 0x7f1a78b326c2 in DestructRange /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2007
    #7 0x7f1a78b326c2 in RemoveElementsAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2055
    #8 0x7f1a78b326c2 in RemoveElementAt /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1730
    #9 0x7f1a78b326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *, nsDefaultComparator<RefPtr<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp>, mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> > /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1756
    #10 0x7f1a78b326c2 in RemoveElement<mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp *> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1765
    #11 0x7f1a78b326c2 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21158
    #12 0x7f1a78b352ea in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::SendResults() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23283:3
    #13 0x7f1a78a932af in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::Run() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21556:7
    #14 0x7f1a78b3305f in mozilla::dom::indexedDB::(anonymous namespace)::DeleteDatabaseOp::NoteDatabaseClosed(mozilla::dom::indexedDB::(anonymous namespace)::Database*) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:23247:5
    #15 0x7f1a78ab8b0f in CloseInternal /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14495:30
    #16 0x7f1a78ab8b0f in mozilla::dom::indexedDB::(anonymous namespace)::Database::RecvClose() /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14948
    #17 0x7f1a74420f24 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseParent.cpp:431:20
    #18 0x7f1a74590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #19 0x7f1a740cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #20 0x7f1a740c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #21 0x7f1a740c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #22 0x7f1a740ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #23 0x7f1a733104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #24 0x7f1a7330cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #25 0x7f1a740d3c0a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:338:20
    #26 0x7f1a74039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #27 0x7f1a74039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #28 0x7f1a74039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #29 0x7f1a7330991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #30 0x7f1a8cad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #31 0x7f1a903e76c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

previously allocated by thread T38 (IPDL Background) here:
    #0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f1a78a917dc in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f1a78a917dc in mozilla::dom::indexedDB::(anonymous namespace)::Factory::AllocPBackgroundIDBFactoryRequestParent(mozilla::dom::indexedDB::FactoryRequestParams const&) /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:14056
    #4 0x7f1a74540623 in mozilla::dom::indexedDB::PBackgroundIDBFactoryParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBFactoryParent.cpp:234:21
    #5 0x7f1a74590f57 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:904:28
    #6 0x7f1a740cb124 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1903:25
    #7 0x7f1a740c7957 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1838:17
    #8 0x7f1a740c9d94 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1711:5
    #9 0x7f1a740ca396 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1744:15
    #10 0x7f1a733104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #11 0x7f1a7330cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #12 0x7f1a740d3bff in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:368:5
    #13 0x7f1a74039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #14 0x7f1a74039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #15 0x7f1a74039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #16 0x7f1a7330991f in nsThread::ThreadFunc(void*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:500:11
    #17 0x7f1a8cad8c93 in _pt_root /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #18 0x7f1a903e76c9 in start_thread (/lib64/libpthread.so.0+0x76c9)

Thread T38 (IPDL Background) created by T0 here:
    #0 0x4a3b76 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7f1a8cad5a39 in _PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7f1a8cad564e in PR_CreateThread /home/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7f1a7330b657 in nsThread::Init(nsACString const&) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:680:8
    #4 0x7f1a73314f3b in nsThreadManager::NewNamedThread(nsACString const&, unsigned int, nsIThread**) /home/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:268:22
    #5 0x7f1a73316f03 in NS_NewNamedThread(nsACString const&, nsIThread**, nsIRunnable*, unsigned int) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:105:45
    #6 0x7f1a740a1529 in NS_NewNamedThread<16> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f1a740a1529 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1125
    #8 0x7f1a740a7903 in CreateActorForSameProcess /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1058:30
    #9 0x7f1a740a7903 in (anonymous namespace)::ChildImpl::OpenProtocolOnMainThread(nsIEventTarget*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1992
    #10 0x7f1a7408d99f in (anonymous namespace)::ChildImpl::GetOrCreateForCurrentThread(nsIIPCBackgroundChildCreateCallback*) /home/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1615:9
    #11 0x7f1a78d0615c in mozilla::dom::workers::ServiceWorkerManager::Init(mozilla::dom::ServiceWorkerRegistrar*) /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:283:8
    #12 0x7f1a78d02d48 in mozilla::dom::workers::ServiceWorkerManager::GetInstance() /home/worker/workspace/build/src/dom/workers/ServiceWorkerManager.cpp:1682:16
    #13 0x7f1a75c0f65b in nsDocument::SetScriptGlobalObject(nsIScriptGlobalObject*) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:4742:40
    #14 0x7f1a79b551ee in nsDocumentViewer::Close(nsISHEntry*) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1531:18
    #15 0x7f1a7beb3210 in nsDocShell::SetupNewViewer(nsIContentViewer*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9434:20
    #16 0x7f1a7beb1e86 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7284:17
    #17 0x7f1a7be482e1 in nsDocShell::CreateContentViewer(nsACString const&, nsIRequest*, nsIStreamListener**) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9263:3
    #18 0x7f1a7be4548b in nsDSURIContentListener::DoContent(nsACString const&, bool, nsIRequest*, nsIStreamListener**, bool*) /home/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:128:21
    #19 0x7f1a74c1f706 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:756:28
    #20 0x7f1a74c1c8dc in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:434:30
    #21 0x7f1a74c1b0f3 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:296:8
    #22 0x7f1a74a7a27f in nsJARChannel::OnStartRequest(nsIRequest*, nsISupports*) /home/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:1023:30
    #23 0x7f1a734bbfa0 in nsInputStreamPump::OnStateStart() /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:527:25
    #24 0x7f1a734bb644 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /home/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:429:25
    #25 0x7f1a732b0ebd in nsInputStreamReadyEvent::Run() /home/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:96:20
    #26 0x7f1a733104f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1269:14
    #27 0x7f1a7330cf38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #28 0x7f1a740d26d1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #29 0x7f1a74039070 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
    #30 0x7f1a74039070 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #31 0x7f1a74039070 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #32 0x7f1a793665ef in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #33 0x7f1a7c7c8881 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
    #34 0x7f1a7c98db7e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4538:22
    #35 0x7f1a7c98f500 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4718:8
    #36 0x7f1a7c9907cc in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
    #37 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #38 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #39 0x7f1a8f386400 in __libc_start_main (/lib64/libc.so.6+0x20400)

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/indexedDB/ActorsParent.cpp:21164:10 in mozilla::dom::indexedDB::(anonymous namespace)::FactoryOp::FinishSendResults()
Shadow bytes around the buggy address:
  0x0c28800ce560: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800ce570: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c28800ce580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c28800ce590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c28800ce5a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c28800ce5b0: fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd
  0x0c28800ce5c0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c28800ce5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800ce5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800ce5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c28800ce600: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==11515==ABORTING
[Child 11559] WARNING: pipe error: Broken pipe: file /home/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 709
[Child 11559] WARNING: pipe error: Broken pipe: file /home/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 709
[Child 11559] WARNING: pipe error (3): Connection reset by peer: file /home/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
ASAN:DEADLYSIGNAL
Reporter

Comment 2

2 years ago
This catch was made using a random surf "puppet" that surfs the internet alone, so the thing happens during a transition:

From: 

http://codepen.io/search/pens?q=indexeddb&limit=all&type=type-pens

to (next button at bottom, aka page 2)

http://codepen.io/search/pens/?limit=all&page=2&q=indexeddb

It does not always happen, but I have been able to reproduce it about 7 of 10 times.
Jan, maybe you can take a look at this?
Group: firefox-core-security → core-security
Component: Untriaged → DOM: IndexedDB
Flags: needinfo?(jvarga)
Product: Firefox → Core
Group: core-security → dom-core-security
Keywords: sec-high
Assignee

Comment 4

2 years ago
Yeah, I'll take a look.
Reporter

Comment 5

2 years ago
(In reply to Jan Varga [:janv] from comment #4)
> Yeah, I'll take a look.

I am unfamiliar with this code; do you need help with something?
Reporter

Comment 6

2 years ago
(In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> Jan, maybe you can take a look at this?

Maybe another person can take a look?
Flags: needinfo?(ryanvm)
Reporter

Comment 7

2 years ago
(In reply to Francisco A. from comment #6)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #3)
> > Jan, maybe you can take a look at this?
> 
> Maybe another person can take a look?

I do not know why there is so much lack of interest here.
Flags: needinfo?(abillings)
I'm not sure what setting needinfo? on me is meant to accomplish here or what question you expect me to answer. I can't fix this issue as I am not a developer.

Within the last two weeks a developer has said they'll look at it. If it had been six months, I'd see a reason to worry but not after a couple of weeks. Please be patient.
Flags: needinfo?(abillings)
Flags: needinfo?(ryanvm)
Assignee

Comment 9

2 years ago
I think I know what the problem is, let me test it.
Flags: needinfo?(jvarga)
Assignee

Comment 10

2 years ago
Francisco A., are you able to test a patch?
I can't reproduce this, but I suspect what the problem is.
Flags: needinfo?(rs)
Reporter

Comment 11

2 years ago
Yes, attach it, I will try my own build.
Flags: needinfo?(rs)
Assignee

Comment 12

2 years ago
Posted patch possible fix (obsolete) — Splinter Review
Reporter

Comment 13

2 years ago
(In reply to Jan Varga [:janv] from comment #10)
> Francisco A., Are you able to test a patch ?
> I can't reproduce this, but I suspect what the problem is.

I have tried it and for now I can not reproduce this issue. So far, the patch looks fine here.
Assignee

Comment 14

2 years ago
Great, I'll test it a bit more and request a review, thanks!
Assignee

Comment 15

2 years ago
Posted patch fix (obsolete) — Splinter Review
Assignee: nobody → jvarga
Attachment #8867100 - Attachment is obsolete: true
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8867450 - Flags: review?(btseng)
Comment on attachment 8867450 [details] [diff] [review]
fix

Review of attachment 8867450 [details] [diff] [review]:
-----------------------------------------------------------------

After further review, I think the root cause of this problem is that there is no RefPtr<OpenDatabaseOp|DeleteDatabaseOp> held before an immediate call to its Run():
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#23270-23271
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#22450-22451
when mState == State::SendingResults, compared to the call site of Run() from nsThread::ProcessNextEvent():
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/xpcom/threads/nsThread.cpp#1240

Since SendingResult() might destroy the FactoryOp itself, it makes more sense to me to always hold a RefPtr<FactoryOp> kungFuDeathGrip(this) in both OpenDatabaseOp()::SendingResult() and DeleteDatabaseOp()::SendingResult() and update the comments accordingly.

Holding a kungFuDeathGrip in FinishSendResults() is a little bit confusing to me when reading the implementation in DeleteDatabaseOp()::SendingResult(), while it might be possible that this actor could be destroyed earlier by PBackgroundIDBFactoryRequestParent::Send__delete__() if it was not appended to gFactoryOps in FactoryOp::DirectoryOpen(). Although it is not possible to be released that early for now, according to the current implementation in FactoryOp::DirectoryLockAcquired() and DirectoryLockImpl::NotifyOpenListener() in QuotaManager, holding a kungFuDeathGrip(this) in SendingResult() makes me more comfortable when reading this code.

How do you think?
Attachment #8867450 - Flags: review?(btseng)
Flags: sec-bounty?
(In reply to Bevis Tseng[:bevistseng][:btseng] from comment #16)
> Comment on attachment 8867450 [details] [diff] [review]
> fix
> 
> Review of attachment 8867450 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> After further review, I think the root cause of this problem is that there
> is no RefPtr<OpenDatabaseOp|DeleteDatabaseOp> held before an immediate call
> to its Run():
The DeleteDatabaseOp was held by a RefPtr at:
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14424
But it was released by the same RefPtr (via Release()) before Run() is called at DeleteDatabaseOp::NoteDatabaseClosed():
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#23259

A similar scenario can be found in OpenDatabaseOp, which is released before Run() at OpenDatabaseOp::NoteDatabaseClosed():
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#22439
Reporter

Comment 18

2 years ago
(In reply to Bevis Tseng[:bevis][:btseng] from comment #17)

> Similar scenario can be found in OpenDatabaseOp to be Release() before Run()
> at OpenDatabaseOp::NoteDatabaseClosed():
> http://searchfox.org/mozilla-central/rev/
> 484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#22439

right, it's a similar scenario.
Hold a RefPtr instead of a RawPtr in the following line could fix the self-destruction problem for both OpenDatabaseOp and DeleteDatabaseOp in NoteDatabaseClosed() per comment 17:
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14418

How do you think, Jan?
Flags: needinfo?(jvarga)
Reporter

Comment 20

2 years ago
(In reply to Bevis Tseng[:bevis][:btseng] from comment #19)
> Holding a RefPtr instead of a raw pointer in the following line could fix the
> self-destruction problem for both OpenDatabaseOp and DeleteDatabaseOp in
> NoteDatabaseClosed(), per comment 17:
> http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14418
> 
> What do you think, Jan?

I would say that it is enough. I wonder if I should open another issue and link the new one here, or just use this one to cover both issues, if they are fixed together as per comment 19.
[Tracking Requested - why for this release]: sec-high UAFs are bad.

I think this is a pretty old bug (from bug 1131776?), so marking tracking accordingly.
Track 54+/55+ as sec-high.
(In reply to Bevis Tseng[:bevis][:btseng] from comment #19)
> Holding a RefPtr instead of a raw pointer in the following line could fix the
> self-destruction problem for both OpenDatabaseOp and DeleteDatabaseOp in
> NoteDatabaseClosed(), per comment 17:
> http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14418
> 
> What do you think, Jan?

To be more precise, it's the |info->mWaitingFactoryOp| in 
http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14423
that needs a RefPtr before calling its ::NoteDatabaseClosed() which releases itself as mentioned in comment 17.
Reporter

Comment 24

2 years ago
When is the next release scheduled?
Assignee

Comment 25

2 years ago
Let me finish a review for Bevis and I'll get back to this again.
(In reply to Francisco A. from comment #24)
> When is the next release scheduled?

https://wiki.mozilla.org/RapidRelease/Calendar
Reporter

Comment 27

2 years ago
Looking at both errors, I think both issues mentioned above should be marked as sec-critical. What do you think?
(In reply to Francisco A. from comment #27)
> Looking at both errors, I think both issues mentioned above should be marked
> as sec-critical. What do you think?
Flags: needinfo?(continuation)
We rate issues that are difficult to trigger in a controlled way as sec-high instead of sec-critical.
Flags: needinfo?(continuation)
Reporter

Comment 30

2 years ago
(In reply to Andrew McCreight [:mccr8] from comment #29)
> We rate issues that are difficult to trigger in a controlled way as sec-high
> instead of sec-critical.

Could you clarify why both are difficult to trigger? Both are obvious, and I've pasted various stacktraces where I have been able to reproduce it several times, and they were also identified by reading the code, as Bevis Tseng saw too.
It might change the rating if you have a test case that does not require user interaction like comment 2 does.
"Difficult to trigger" here means "difficult to trigger on a user on a web page." Some attacks are use-after-free errors triggered when a person simply visits a page. Some require user interaction, but they are actions one could reasonably expect a user to do.

Do you have a test case that demonstrates that this is an easy-to-trigger attack on an end user? A simple proof of concept would help strengthen an argument for a higher rating as well.

Otherwise, I agree that this is a sec-high, not a critical issue.
Flags: needinfo?(rs)
Reporter

Comment 33

2 years ago
(In reply to Al Billings [:abillings] from comment #32)
> "Difficult to trigger" here means "difficult to trigger on a user on a web
> page." Some attacks are use-after-free errors triggered when a person simply
> visits a page. Some require user interaction but they are actions used
> reasonably expect a user to do.
> 
> Do you have a test case that demonstrates that this is an easy to trigger
> attack on an end user? A simple proof of concept would help strengthen an
> argument for a higher rating as well.
> 
> Otherwise, I agree that this is a sec-high, not a critical issue.

Sounds reasonable, I can work on it. My intention is for both to be solved in the next release, but I am concerned that this will not happen due to the time it is taking to confirm btseng's fixes. So a little help from both developers would not hurt, to avoid lengthening it, and to keep those samples in the mz test suite.
Flags: needinfo?(rs)
Assignee

Comment 34

2 years ago
(In reply to Bevis Tseng [:bevis][:btseng] from comment #19)
> Holding a RefPtr instead of a raw pointer in the following line could fix the
> self-destruction problem for both OpenDatabaseOp and DeleteDatabaseOp in
> NoteDatabaseClosed(), per comment 17:
> http://searchfox.org/mozilla-central/rev/484d2b7f51b7aed035147bbb4a565061659d9278/dom/indexedDB/ActorsParent.cpp#14418
> 
> What do you think, Jan?

Well, we know what the problem is and we also know that it can be fixed by adding a self reference (somewhere).
However, as you can see, there are multiple options for where to add the ref.
Your suggestion would work and it requires only one line of code, but I think it won't be obvious in the future why there's such a self ref.
I think we both agree that the root cause is that Run() is being called directly (as opposed to dispatching to the current thread). So it looks to me that we should add the ref before we call Run().
So this fix would not only fix this concrete crash, but it can also serve as an example of how to call Run() correctly.
I have a patch which implements this and I'm testing it right now.
Flags: needinfo?(jvarga)
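The self-destruction discussed in this comment, as an added example that is not part of the bug's patch or of the Firefox code: a simplified refcounting stand-in (the FactoryOp, RefPtr and DatabaseInfo types here are assumptions of the demo, not Gecko's real ones) shows the op being freed from under Run() when its only strong reference is cleared, next to the same call kept alive by a kungFuDeathGrip taken before Run().

```cpp
// Simplified stand-in for Gecko's intrusive refcounting (an assumption of this demo, not
// the real RefPtr). The destructor flips an external flag so destruction is observable
// without touching freed memory.
struct FactoryOp {
  int mRefCnt = 0;
  bool* mDestroyed;  // points at a flag constructed by the caller
  explicit FactoryOp(bool* flag) : mDestroyed(flag) {}
  ~FactoryOp() { *mDestroyed = true; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
};
template <class T> struct RefPtr {
  T* mPtr = nullptr;
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr&) = delete;
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  RefPtr& operator=(T* p) {  // may delete the old object right here
    if (p) p->AddRef();
    T* old = mPtr; mPtr = p;
    if (old) old->Release();
    return *this;
  }
  T* get() const { return mPtr; }
};
struct DatabaseInfo { RefPtr<FactoryOp> mWaitingFactoryOp; };

// Buggy shape: Run() is entered through a raw pointer, NoteDatabaseClosed() clears the
// only strong reference (info->mWaitingFactoryOp), and Run() keeps executing on a freed
// object. Returns true if the op was destroyed mid-Run().
bool RunWithoutDeathGrip(DatabaseInfo& info) {
  FactoryOp* self = info.mWaitingFactoryOp.get();
  bool* destroyed = self->mDestroyed;   // captured first, so the check below is safe
  info.mWaitingFactoryOp = nullptr;     // refcount hits zero: |self| now dangles
  return *destroyed;                    // any later |self->member| write would be a UAF
}
// Fixed shape (the patch's approach): hold a strong reference before calling Run()
// directly, so the object outlives the call even after it drops its own last reference.
bool RunWithDeathGrip(DatabaseInfo& info) {
  RefPtr<FactoryOp> kungFuDeathGrip(info.mWaitingFactoryOp.get());
  bool* destroyed = kungFuDeathGrip.get()->mDestroyed;
  info.mWaitingFactoryOp = nullptr;     // refcount 2 -> 1, object stays alive
  return *destroyed;                    // false: members stay valid for the rest of Run()
}
// Drives one scenario: true if the op died while Run() was still executing.
bool DestroyedDuringRun(bool useDeathGrip) {
  bool destroyed = false;
  DatabaseInfo info;
  info.mWaitingFactoryOp = new FactoryOp(&destroyed);
  return useDeathGrip ? RunWithDeathGrip(info) : RunWithoutDeathGrip(info);
}
```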
Assignee

Comment 35

2 years ago
It's now on try:
https://treeherder.mozilla.org/#/jobs?repo=try&revision=13a8261e3cf4b0410343b983059fb93f3081c5a3

If try is ok, I'll ask Francisco A. to verify the patch again, just to be sure.
Assignee

Comment 36

2 years ago
Posted patch "patch"
Francisco A., can you please try this patch? Thanks.
Attachment #8867450 - Attachment is obsolete: true
(In reply to Jan Varga [:janv] from comment #36)
> Created attachment 8873219 [details] [diff] [review]
> patch
LGTM :)
Reporter

Comment 38

2 years ago
(In reply to Jan Varga [:janv] from comment #36)
> Created attachment 8873219 [details] [diff] [review]
> patch
> 
> Francisco A., can you please try this patch? Thanks.

Looks good to me too, tried and can't reproduce the issue so far.
Assignee

Comment 39

2 years ago
Comment on attachment 8873219 [details] [diff] [review]
patch

Ok, ready for a final review hopefully.
Attachment #8873219 - Flags: review?(btseng)
Comment on attachment 8873219 [details] [diff] [review]
patch

Review of attachment 8873219 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks for revising these kungFuDeathGrips!

::: dom/indexedDB/ActorsParent.cpp
@@ +22486,5 @@
>    } else {
>      rv = NS_OK;
>    }
>  
> +  // We are being called with an assuption that mWaitingFactoryOp holds a strong
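Review bot: besides the typo "assuption" on the added `+  // We are being called with an assuption that mWaitingFactoryOp holds a strong` line, the comment documents a precondition (that mWaitingFactoryOp holds a strong reference) without saying who provides it; consider naming the caller that takes the reference before invoking Run() directly, as comment 34 describes, so the contract can be checked at both ends.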

nit: s/assuption/assumption/g

@@ +23313,5 @@
>    } else {
>      rv = NS_OK;
>    }
>  
> +  // We are being called with an assuption that mWaitingFactoryOp holds a strong

ditto
Attachment #8873219 - Flags: review?(btseng) → review+
Assignee

Comment 41

2 years ago
Comment on attachment 8873219 [details] [diff] [review]
patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
I'm not sure about this, but I guess an experienced attacker would be able to do that after reading the patch.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes, the comments in the patch and also the check-in comment make it obvious what the problem is (destroying object while its method is still being executed).

Which older supported branches are affected by this flaw?
I think all supported branches may be affected.

If not all supported branches, which bug introduced the flaw?
I suspect this goes back to bug 994190 (mozilla 35).

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
I don't have patches at hand, but I'm willing to provide them and they shouldn't differ that much. The risk should be the same as landing the fix on m-c.

How likely is this patch to cause regressions; how much testing does it need?
Adding a strong reference can only (in the worst case) cause a cycle (leading to a memory leak), but that's very unlikely.
Testing the fix itself is quite hard for us, since AFAIK, only the reporter of this bug is able to reproduce the crash.
Attachment #8873219 - Flags: sec-approval?
Assignee

Comment 42

2 years ago
(In reply to Bevis Tseng [:bevis][:btseng] from comment #40)
> Thanks for revising these kungFuDeathGrips!

Thanks for the review. The fix may look easy at first glance, but there are multiple code paths here. I had to create all these comments, which helped me and will hopefully help other people in the future to understand it.
sec-approval+ for trunk.
We need a beta and ESR52 patch made and nominated ASAP or this won't make the last beta for Firefox 54. (We need the patches today).
Attachment #8873219 - Flags: sec-approval? → sec-approval+
Flags: needinfo?(jvarga)
https://hg.mozilla.org/integration/autoland/rev/665f1887a112dac916caac5e659764a0f62db27b

This grafts cleanly to Beta and ESR52, so just need approval requests :)
Comment on attachment 8873219 [details] [diff] [review]
patch

Approval Request Comment
[Feature/Bug causing the regression]: bug 994190
[User impact if declined]: sec-high
[Is this code covered by automated tests?]: IDB is pretty well-tested. Per comment 41, this fix itself is difficult to test due to difficulties in reproducing the problem.
[Has the fix been verified in Nightly?]: No, but the reporter has confirmed that they can no longer reproduce with a Try build (comment 38) and it's green on TH.
[Needs manual test from QE? If yes, steps to reproduce]: If they're able to reproduce, that'd be great. STR in comment 2.
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Not very.
[Why is the change risky/not risky?]: Per comment 41, a memory leak would be the most likely thing to happen. Given our CI coverage of IDB, I would have expected such leaks to materialize there if they were going to.
[String changes made/needed]: None
Flags: needinfo?(jvarga)
Attachment #8873219 - Flags: approval-mozilla-esr52?
Attachment #8873219 - Flags: approval-mozilla-beta?
Comment on attachment 8873219 [details] [diff] [review]
patch

Sec-high, taking it in Beta54, ESR52.2
Attachment #8873219 - Flags: approval-mozilla-esr52?
Attachment #8873219 - Flags: approval-mozilla-esr52+
Attachment #8873219 - Flags: approval-mozilla-beta?
Attachment #8873219 - Flags: approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/665f1887a112
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Hi Francisco, can you verify that this has been fixed?
Flags: needinfo?(rs)
Whiteboard: [post-critsmash-triage]
Reporter

Comment 51

2 years ago
(In reply to Matt Wobensmith [:mwobensmith][:matt:] from comment #50)
> Hi Francisco, can you verify that this has been fixed?

Hi Matt, it's fixed. Thanks everyone for your help
Flags: needinfo?(rs)
Group: dom-core-security → core-security-release
A couple of requests for future bugs:
 * please put the ASAN output in an attachment -- it makes it much easier to follow the discussion
 * if possible, test cases attached to the bug are better than web-hosted ones, which will likely evaporate in the future.
Flags: sec-bounty? → sec-bounty+
Keywords: testcase
Reporter

Comment 53

2 years ago
(In reply to Daniel Veditz [:dveditz] from comment #52)
> A couple of requests for future bugs:
>  * please put the ASAN output in an attachment -- it makes it much easier to
> follow the discussion
>  * if possible, test cases attached to the bug are better than web-hosted ones,
> which will likely evaporate in the future.

It makes sense, thanks for the reminder, I will keep it in mind.
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main54+][adv-esr52.2+]
Alias: CVE-2017-7757
Assignee

Comment 54

2 years ago
We should fix this on m-c at least.
Attachment #8875174 - Flags: review?(btseng)
Attachment #8875174 - Flags: review?(btseng) → review+
Group: core-security-release