Closed Bug 1371982 Opened 3 years ago Closed 3 years ago

Intermittent AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5 in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::Abstra

Categories

(Core :: XPCOM, defect, P1)

53 Branch
defect

Tracking


RESOLVED FIXED
mozilla56
Tracking Status
firefox-esr52 --- unaffected
firefox54 --- wontfix
firefox55 + fixed
firefox56 + fixed

People

(Reporter: aryx, Assigned: jwwang)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [adv-main55+][post-critsmash-triage])

Attachments

(2 files)

https://treeherder.mozilla.org/logviewer.html#?job_id=106133372&repo=autoland

Bug 1342494 is another heap-use-after-free in the vicinity of that code

[task 2017-06-11T01:26:06.845901Z] 01:26:06     INFO -  TEST-START | MozPromise.ResolveOrRejectValue
[task 2017-06-11T01:26:06.845973Z] 01:26:06     INFO -  TEST-PASS | MozPromise.ResolveOrRejectValue | test completed (time: 0ms)
[task 2017-06-11T01:26:06.846027Z] 01:26:06     INFO -  TEST-START | MozPromise.MoveOnlyType
[task 2017-06-11T01:26:06.846088Z] 01:26:06     INFO -  TEST-PASS | MozPromise.MoveOnlyType | test completed (time: 1ms)
[task 2017-06-11T01:26:06.846134Z] 01:26:06     INFO -  TEST-START | MozPromise.HeterogeneousChaining
[task 2017-06-11T01:26:06.846166Z] 01:26:06     INFO -  =================================================================
[task 2017-06-11T01:26:06.846209Z] 01:26:06     INFO -  ==1006==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0001eea50 at pc 0x7f0318ff227e bp 0x7ffc21713090 sp 0x7ffc21713088
[task 2017-06-11T01:26:06.846252Z] 01:26:06     INFO -  READ of size 4 at 0x60d0001eea50 thread T0
[task 2017-06-11T01:26:07.750791Z] 01:26:07     INFO -      #0 0x7f0318ff227d in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::AbstractThread*, already_AddRefed<mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenValueBase>, char const*) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5
[task 2017-06-11T01:26:07.751059Z] 01:26:07     INFO -      #1 0x7f0318f86667 in ~ThenCommand /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:925:20
[task 2017-06-11T01:26:07.751445Z] 01:26:07     INFO -      #2 0x7f0318f86667 in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:382
[task 2017-06-11T01:26:07.754351Z] 01:26:07     INFO -      #3 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.754630Z] 01:26:07     INFO -      #4 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
[task 2017-06-11T01:26:07.755053Z] 01:26:07     INFO -      #5 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
[task 2017-06-11T01:26:07.755492Z] 01:26:07     INFO -      #6 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
[task 2017-06-11T01:26:07.755943Z] 01:26:07     INFO -      #7 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
[task 2017-06-11T01:26:07.756350Z] 01:26:07     INFO -      #8 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.756741Z] 01:26:07     INFO -      #9 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
[task 2017-06-11T01:26:07.757126Z] 01:26:07     INFO -      #10 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
[task 2017-06-11T01:26:07.757501Z] 01:26:07     INFO -      #11 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
[task 2017-06-11T01:26:07.760493Z] 01:26:07     INFO -      #12 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
[task 2017-06-11T01:26:07.760987Z] 01:26:07     INFO -      #13 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
[task 2017-06-11T01:26:07.761482Z] 01:26:07     INFO -      #14 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
[task 2017-06-11T01:26:07.763804Z] 01:26:07     INFO -      #15 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
[task 2017-06-11T01:26:07.764079Z] 01:26:07     INFO -      #16 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
[task 2017-06-11T01:26:07.805637Z] 01:26:07     INFO -      #17 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-06-11T01:26:07.805925Z] 01:26:07     INFO -      #18 0x41d0f8 in _start (/home/worker/workspace/build/application/firefox/firefox+0x41d0f8)
[task 2017-06-11T01:26:07.817036Z] 01:26:07     INFO -  0x60d0001eea50 is located 80 bytes inside of 144-byte region [0x60d0001eea00,0x60d0001eea90)
[task 2017-06-11T01:26:07.817325Z] 01:26:07     INFO -  freed by thread T0 here:
[task 2017-06-11T01:26:07.817613Z] 01:26:07     INFO -      #0 0x4bb62b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
[task 2017-06-11T01:26:07.818149Z] 01:26:07     INFO -      #1 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:146:3
[task 2017-06-11T01:26:07.818633Z] 01:26:07     INFO -      #2 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:40
[task 2017-06-11T01:26:07.818927Z] 01:26:07     INFO -      #3 0x7f0318f86635 in Release /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:395
[task 2017-06-11T01:26:07.819276Z] 01:26:07     INFO -      #4 0x7f0318f86635 in ~RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:78
[task 2017-06-11T01:26:07.819707Z] 01:26:07     INFO -      #5 0x7f0318f86635 in Then<RefPtr<mozilla::TaskQueue> &, char const (&)[9], (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:394:12), (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:395:12)> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:954
[task 2017-06-11T01:26:07.820228Z] 01:26:07     INFO -      #6 0x7f0318f86635 in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:392
[task 2017-06-11T01:26:07.820975Z] 01:26:07     INFO -      #7 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.821368Z] 01:26:07     INFO -      #8 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
[task 2017-06-11T01:26:07.821835Z] 01:26:07     INFO -      #9 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
[task 2017-06-11T01:26:07.822191Z] 01:26:07     INFO -      #10 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
[task 2017-06-11T01:26:07.822629Z] 01:26:07     INFO -      #11 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
[task 2017-06-11T01:26:07.822909Z] 01:26:07     INFO -      #12 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.823337Z] 01:26:07     INFO -      #13 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
[task 2017-06-11T01:26:07.823621Z] 01:26:07     INFO -      #14 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
[task 2017-06-11T01:26:07.824012Z] 01:26:07     INFO -      #15 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
[task 2017-06-11T01:26:07.824413Z] 01:26:07     INFO -      #16 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
[task 2017-06-11T01:26:07.824801Z] 01:26:07     INFO -      #17 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
[task 2017-06-11T01:26:07.825163Z] 01:26:07     INFO -      #18 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
[task 2017-06-11T01:26:07.825521Z] 01:26:07     INFO -      #19 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
[task 2017-06-11T01:26:07.825782Z] 01:26:07     INFO -      #20 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
[task 2017-06-11T01:26:07.826066Z] 01:26:07     INFO -      #21 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-06-11T01:26:07.826269Z] 01:26:07     INFO -  previously allocated by thread T0 here:
[task 2017-06-11T01:26:07.826617Z] 01:26:07     INFO -      #0 0x4bb97c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
[task 2017-06-11T01:26:07.826993Z] 01:26:07     INFO -      #1 0x4ece9d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
[task 2017-06-11T01:26:07.827215Z] 01:26:07     INFO -      #2 0x7f0318f862dd in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
[task 2017-06-11T01:26:07.827465Z] 01:26:07     INFO -      #3 0x7f0318f862dd in operator RefPtr /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:942
[task 2017-06-11T01:26:07.827985Z] 01:26:07     INFO -      #4 0x7f0318f862dd in Then<RefPtr<mozilla::TaskQueue> &, char const (&)[9], (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:394:12), (lambda at /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:395:12)> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:954
[task 2017-06-11T01:26:07.828371Z] 01:26:07     INFO -      #5 0x7f0318f862dd in MozPromise_HeterogeneousChaining_Test::TestBody() /home/worker/workspace/build/src/dom/media/gtest/TestMozPromise.cpp:392
[task 2017-06-11T01:26:07.828601Z] 01:26:07     INFO -      #6 0x7f031894f51c in HandleExceptionsInMethodIfSupported<testing::Test, void> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.828866Z] 01:26:07     INFO -      #7 0x7f031894f51c in testing::Test::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2474
[task 2017-06-11T01:26:07.829211Z] 01:26:07     INFO -      #8 0x7f0318951a44 in testing::TestInfo::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2656:11
[task 2017-06-11T01:26:07.829450Z] 01:26:07     INFO -      #9 0x7f03189525a4 in testing::TestCase::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2774:28
[task 2017-06-11T01:26:07.829813Z] 01:26:07     INFO -      #10 0x7f0318967b29 in testing::internal::UnitTestImpl::RunAllTests() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4649:43
[task 2017-06-11T01:26:07.830086Z] 01:26:07     INFO -      #11 0x7f03189670bf in HandleExceptionsInMethodIfSupported<testing::internal::UnitTestImpl, bool> /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:2458:12
[task 2017-06-11T01:26:07.830616Z] 01:26:07     INFO -      #12 0x7f03189670bf in testing::UnitTest::Run() /home/worker/workspace/build/src/testing/gtest/gtest/src/gtest.cc:4257
[task 2017-06-11T01:26:07.830690Z] 01:26:07     INFO -      #13 0x7f031898ab67 in RUN_ALL_TESTS /home/worker/workspace/build/src/obj-firefox/dist/include/gtest/gtest.h:2233:46
[task 2017-06-11T01:26:07.831135Z] 01:26:07     INFO -      #14 0x7f031898ab67 in mozilla::RunGTestFunc(int*, char**) /home/worker/workspace/build/src/testing/gtest/mozilla/GTestRunner.cpp:117
[task 2017-06-11T01:26:07.831211Z] 01:26:07     INFO -      #15 0x7f03179f9286 in XREMain::XRE_mainStartup(bool*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:3817:16
[task 2017-06-11T01:26:07.831426Z] 01:26:07     INFO -      #16 0x7f0317a06d58 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4734:12
[task 2017-06-11T01:26:07.831714Z] 01:26:07     INFO -      #17 0x7f0317a081d1 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4844:21
[task 2017-06-11T01:26:07.831958Z] 01:26:07     INFO -      #18 0x4eb5a3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:237:22
[task 2017-06-11T01:26:07.832310Z] 01:26:07     INFO -      #19 0x4eb5a3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:310
[task 2017-06-11T01:26:07.832636Z] 01:26:07     INFO -      #20 0x7f032b8cb82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
[task 2017-06-11T01:26:07.833076Z] 01:26:07     INFO -  SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:867:5 in mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenInternal(mozilla::AbstractThread*, already_AddRefed<mozilla::MozPromise<mozilla::UniquePtr<int, mozilla::DefaultDelete<int> >, bool, true>::ThenValueBase>, char const*)
[task 2017-06-11T01:26:07.833241Z] 01:26:07     INFO -  Shadow bytes around the buggy address:
[task 2017-06-11T01:26:07.833480Z] 01:26:07     INFO -    0x0c1a80035cf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.833756Z] 01:26:07     INFO -    0x0c1a80035d00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.834002Z] 01:26:07     INFO -    0x0c1a80035d10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.834255Z] 01:26:07     INFO -    0x0c1a80035d20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.834492Z] 01:26:07     INFO -    0x0c1a80035d30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.834804Z] 01:26:07     INFO -  =>0x0c1a80035d40: fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd
[task 2017-06-11T01:26:07.835171Z] 01:26:07     INFO -    0x0c1a80035d50: fd fd fa fa fa fa fa fa fa fa 00 00 00 00 00 00
[task 2017-06-11T01:26:07.835381Z] 01:26:07     INFO -    0x0c1a80035d60: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
[task 2017-06-11T01:26:07.835664Z] 01:26:07     INFO -    0x0c1a80035d70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
[task 2017-06-11T01:26:07.835954Z] 01:26:07     INFO -    0x0c1a80035d80: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.836298Z] 01:26:07     INFO -    0x0c1a80035d90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2017-06-11T01:26:07.836523Z] 01:26:07     INFO -  Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2017-06-11T01:26:07.836842Z] 01:26:07     INFO -    Addressable:           00
[task 2017-06-11T01:26:07.837089Z] 01:26:07     INFO -    Partially addressable: 01 02 03 04 05 06 07
[task 2017-06-11T01:26:07.837555Z] 01:26:07     INFO -    Heap left redzone:       fa
[task 2017-06-11T01:26:07.837630Z] 01:26:07     INFO -    Heap right redzone:      fb
[task 2017-06-11T01:26:07.837928Z] 01:26:07     INFO -    Freed heap region:       fd
[task 2017-06-11T01:26:07.838162Z] 01:26:07     INFO -    Stack left redzone:      f1
[task 2017-06-11T01:26:07.838467Z] 01:26:07     INFO -    Stack mid redzone:       f2
[task 2017-06-11T01:26:07.838715Z] 01:26:07     INFO -    Stack right redzone:     f3
[task 2017-06-11T01:26:07.838997Z] 01:26:07     INFO -    Stack partial redzone:   f4
[task 2017-06-11T01:26:07.839227Z] 01:26:07     INFO -    Stack after return:      f5
[task 2017-06-11T01:26:07.839476Z] 01:26:07     INFO -    Stack use after scope:   f8
[task 2017-06-11T01:26:07.839736Z] 01:26:07     INFO -    Global redzone:          f9
[task 2017-06-11T01:26:07.840229Z] 01:26:07     INFO -    Global init order:       f6
[task 2017-06-11T01:26:07.840275Z] 01:26:07     INFO -    Poisoned by user:        f7
[task 2017-06-11T01:26:07.840523Z] 01:26:07     INFO -    Container overflow:      fc
[task 2017-06-11T01:26:07.840839Z] 01:26:07     INFO -    Array cookie:            ac
[task 2017-06-11T01:26:07.841149Z] 01:26:07     INFO -    Intra object redzone:    bb
[task 2017-06-11T01:26:07.841445Z] 01:26:07     INFO -    ASan internal:           fe
[task 2017-06-11T01:26:07.841675Z] 01:26:07     INFO -    Left alloca redzone:     ca
[task 2017-06-11T01:26:07.841992Z] 01:26:07     INFO -    Right alloca redzone:    cb
[task 2017-06-11T01:26:07.842214Z] 01:26:07     INFO -  ==1006==ABORTING
[task 2017-06-11T01:26:08.097044Z] 01:26:08    ERROR -  gtest TEST-UNEXPECTED-FAIL | gtest | test failed with return code 1
It looks like this test was added recently in bug 1367679.
Blocks: 1367679
Flags: needinfo?(jwwang)
checking.
Assignee: nobody → jwwang
Flags: needinfo?(jwwang)
Priority: -- → P1
http://searchfox.org/mozilla-central/rev/61054508641ee76f9c49bcf7303ef3cfb6b410d2/xpcom/threads/MozPromise.h#941-947

The ref-count of the temp object (RefPtr<PromiseType>) returned by the conversion operator might drop to 0 when exiting the scope. It is not safe for ThenCommand::mReceiver to hold a raw pointer since it outlives the temp RefPtr<PromiseType>.
This bug is regressed by bug 1321744 which introduced ThenCommand.
Blocks: 1321744
No longer blocks: 1367679
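The lifetime problem described in the comment above, as an added example that is not Mozilla's MozPromise code: a conversion operator hands out a temporary strong reference, a command object captures only the raw pointer, and the referenced object is freed before the command ever uses it. The second variant holds a strong reference instead, which is what the comment says `mReceiver` must do. `Promise`, `RefPtr`, `PromiseSource`, `ThenCommandRaw` and `ThenCommandSafe` are constructed stand-ins, and the id registry exists only so the liveness check never dereferences a freed pointer.

```cpp
#include <cstddef>
#include <cstdio>
#include <set>
#include <utility>

// Constructed illustration (not Mozilla's MozPromise code) of the lifetime
// problem described in the comment: a conversion operator hands out a
// temporary RefPtr, and a command object captures only the raw pointer.

static std::set<int> g_livePromises;   // ids of Promise objects not yet destroyed
static int g_nextId = 0;

// Minimal intrusive ref-counted object, standing in for MozPromise.
class Promise {
public:
  Promise() : mId(g_nextId++) { g_livePromises.insert(mId); }
  ~Promise() { g_livePromises.erase(mId); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  int Id() const { return mId; }
private:
  int mRefCnt = 0;
  int mId;
};

// Minimal strong pointer, standing in for mozilla::RefPtr.
template <typename T>
class RefPtr {
public:
  RefPtr() : mPtr(nullptr) {}
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : mPtr(o.mPtr) { if (mPtr) mPtr->AddRef(); }
  RefPtr(RefPtr&& o) noexcept : mPtr(o.mPtr) { o.mPtr = nullptr; }
  RefPtr& operator=(const RefPtr&) = delete;
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
private:
  T* mPtr;
};

// Like the `operator RefPtr` in the allocation stack of the report: each
// conversion allocates a fresh promise and returns the only strong reference.
struct PromiseSource {
  operator RefPtr<Promise>() const { return RefPtr<Promise>(new Promise()); }
};

// Liveness check that never dereferences: ids are copied while the object is alive.
static bool IsLive(int id) { return g_livePromises.count(id) != 0; }

// Pre-fix shape: the receiver is a raw pointer. The real ThenCommand touches it
// in its destructor (frame #1 of the report); here we only ask whether that
// touch would be a use-after-free, without performing it.
class ThenCommandRaw {
public:
  explicit ThenCommandRaw(Promise* p) : mReceiver(p), mId(p->Id()) {}
  bool ReceiverAlive() const { return IsLive(mId); }
private:
  Promise* mReceiver;   // dangles once the temporary RefPtr is gone
  int mId;
};

// Post-fix shape: the receiver is a strong reference that keeps the promise
// alive for as long as the command exists.
class ThenCommandSafe {
public:
  explicit ThenCommandSafe(RefPtr<Promise> p)
    : mReceiver(std::move(p)), mId(mReceiver->Id()) {}
  bool ReceiverAlive() const { return IsLive(mId); }
private:
  RefPtr<Promise> mReceiver;
  int mId;
};

// The temporary RefPtr lives only until the end of this return statement; its
// destructor drops the count to zero and frees the promise, while the returned
// command still holds the raw pointer.
static ThenCommandRaw ThenRaw(const PromiseSource& src) {
  return ThenCommandRaw(RefPtr<Promise>(src).get());
}

// The command takes ownership of the reference, so nothing is freed early.
static ThenCommandSafe ThenSafe(const PromiseSource& src) {
  return ThenCommandSafe(RefPtr<Promise>(src));
}

bool RawVariantReceiverAlive() {
  PromiseSource src;
  ThenCommandRaw cmd = ThenRaw(src);
  return cmd.ReceiverAlive();     // false: freed before the command is used
}

bool SafeVariantReceiverAlive() {
  PromiseSource src;
  ThenCommandSafe cmd = ThenSafe(src);
  return cmd.ReceiverAlive();     // true: the command owns a reference
}

std::size_t LivePromiseCount() { return g_livePromises.size(); }

int main() {
  std::printf("raw receiver alive:  %s\n", RawVariantReceiverAlive() ? "yes" : "no (use-after-free)");
  std::printf("safe receiver alive: %s\n", SafeVariantReceiverAlive() ? "yes" : "no");
  std::printf("promises still live: %zu\n", LivePromiseCount());
  return 0;
}
```

This is exactly the shape the ASan report shows: the free happens in `~RefPtr` inside `Then` (the "freed by" stack), and the read happens later from `~ThenCommand` (frame #1 of the "READ" stack). Under AddressSanitizer the raw variant would abort with a heap-use-after-free if the pointer were dereferenced; here the registry makes the same condition observable as a boolean so the example runs cleanly. The repair is the one the comment calls for: the member that outlives the temporary must be a strong reference, not a raw pointer.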
Attachment #8876953 - Flags: review?(gsquelart)
Attachment #8876953 - Flags: review?(gsquelart) → review+
Thanks! Hope this will fix most memory corruption bugs in MozPromise.
Keywords: checkin-needed
(In reply to JW Wang [:jwwang] [:jw_wang] from comment #6)
> Thanks! Hope this will fix most memory corruption bugs in MozPromise.

This needs sec-approval. The bug sounds bad so I have marked it sec-critical.
Flags: needinfo?(jwwang)
Comment on attachment 8876953 [details] [diff] [review]
1371982_fix.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch? Very unlikely. It depends on the specific context switch timing.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No.

Which older supported branches are affected by this flaw? 53 and later.

If not all supported branches, which bug introduced the flaw? 1321744.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Yes.

How likely is this patch to cause regressions; how much testing does it need? Very unlikely. It is as simple as a one-line change. It is very hard to construct a test to repro this issue. So Try is sufficient to ensure no obvious regressions from this fix.
Flags: needinfo?(jwwang)
Attachment #8876953 - Flags: sec-approval?
See Also: → 1342494
Version: unspecified → 53 Branch
sec-crit, tracking for 55/56
sec-approval+ for checkin on trunk on June 26.
We'll want a Beta patch made and nominated to go in after it lands on trunk as well.
Whiteboard: [checkin on 6/26]
Attachment #8876953 - Flags: sec-approval? → sec-approval+
Group: core-security → dom-core-security
https://hg.mozilla.org/integration/mozilla-inbound/rev/fdbaaf9168ee5e8c447966ef352a013524b084e9

I've confirmed that this grafts cleanly to Beta, so please nominate it for approval when you get a chance.
Flags: needinfo?(jwwang)
Whiteboard: [checkin on 6/26]
A patch for beta55.
Flags: needinfo?(jwwang)
JW, I need an approval request, not a rebased patch :)
Flags: needinfo?(jwwang)
yeah, I am waiting for Try to ensure the patch is good.
Comment on attachment 8881326 [details] [diff] [review]
1371982_fix_beta_55.patch

Approval Request Comment
[Feature/Bug causing the regression]: 1321744
[User impact if declined]: memory corruption crash.
[Is this code covered by automated tests?]: yes
[Has the fix been verified in Nightly?]: yes
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: a simple one-line change.
[String changes made/needed]: none
Flags: needinfo?(jwwang)
Attachment #8881326 - Flags: approval-mozilla-beta?
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Comment on attachment 8881326 [details] [diff] [review]
1371982_fix_beta_55.patch

sec-crit fix for 55.0b6
Attachment #8881326 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Group: dom-core-security → core-security-release
Whiteboard: [adv-main55+]
Blocks: 1257921
Flags: qe-verify-
Whiteboard: [adv-main55+] → [adv-main55+][post-critsmash-triage]
Group: core-security-release