1399520 - Intermittent AddressSanitizer: heap-use-after-free modules/libjar/nsJAR.cpp:61:21 in Release

Status: RESOLVED FIXED

(Core :: Networking: JAR, defect, P2)

Description

[Ryan VanderMeulen [:RyanVM]]

This might be the symbolicated version of bug 1398568 - impossible to say of course :) Not sure if the WebRequest part is relevant here or not also.

https://treeherder.mozilla.org/logviewer.html#?job_id=130676534&repo=try

337 INFO TEST-START | toolkit/components/extensions/test/mochitest/test-oop-extensions/test_ext_webrequest_responseBody.html
GECKO(1722) | Console message: Warning: attempting to write 9593 bytes to preference extensions.webextensions.uuids. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file. This preference will not be sent to any content processes.
GECKO(1722) | ###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
GECKO(1722) | ###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
JavaScript error: /builds/worker/workspace/build/tests/mochitest/server.js, line 196: uncaught exception: 2147746065
GECKO(1722) | Console message: Warning: attempting to write 9673 bytes to preference extensions.webextensions.uuids. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file. This preference will not be sent to any content processes.
GECKO(1722) | =================================================================
15:05:04    ERROR -  GECKO(1722) | ==1722==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c0002c21b8 at pc 0x7f9cc85785a4 bp 0x7ffe56e7eef0 sp 0x7ffe56e7eee8
GECKO(1722) | READ of size 8 at 0x60c0002c21b8 thread T0
GECKO(1722) |     #0 0x7f9cc85785a3 in Release /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:61:21
GECKO(1722) |     #1 0x7f9cc85785a3 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
GECKO(1722) |     #2 0x7f9cc85785a3 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
GECKO(1722) |     #3 0x7f9cc85785a3 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
GECKO(1722) |     #4 0x7f9cc85785a3 in nsZipReaderCache::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:895
GECKO(1722) |     #5 0x7f9cc85785bc in non-virtual thunk to nsZipReaderCache::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:842:19
GECKO(1722) |     #6 0x7f9cc6d076dc in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:112:19
GECKO(1722) |     #7 0x7f9cc6d0aec8 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:296:19
GECKO(1722) |     #8 0x7f9cc6e22b31 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
GECKO(1722) |     #9 0x7f9cc852c490 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
GECKO(1722) |     #10 0x7f9cc852c490 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
GECKO(1722) |     #11 0x7f9cc852c490 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
GECKO(1722) |     #12 0x7f9cc853382a in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:928:12
GECKO(1722) |     #13 0x7f9cd0ed07a4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #14 0x7f9cd0ed07a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
GECKO(1722) |     #15 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #16 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #17 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #18 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #19 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #20 0x7f9cd1bd6f1e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
GECKO(1722) |     #21 0x7f9cd1b999c9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
GECKO(1722) |     #22 0x7f9cd1bb6f73 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:497:21
GECKO(1722) |     #23 0x7f9cd1bb9937 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:757:12
GECKO(1722) |     #24 0x7f9cd0ed0bec in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #25 0x7f9cd0ed0bec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477
GECKO(1722) |     #26 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #27 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #28 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #29 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #30 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #31 0x7f9cd1bd6f1e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
GECKO(1722) |     #32 0x7f9cd1b999c9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
GECKO(1722) |     #33 0x7f9cd1bb6f73 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:497:21
GECKO(1722) |     #34 0x7f9cd1bb9937 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:757:12
GECKO(1722) |     #35 0x7f9cd0ed0bec in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #36 0x7f9cd0ed0bec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477
GECKO(1722) |     #37 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #38 0x7f9cd19206b3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
GECKO(1722) |     #39 0x7f9cc94fe83f in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1100:14
GECKO(1722) |     #40 0x7f9cc95078f2 in ReceiveMessage /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:909:10
GECKO(1722) |     #41 0x7f9cc95078f2 in nsSameProcessAsyncMessageBase::ReceiveMessage(nsISupports*, nsIFrameLoader*, nsFrameMessageManager*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:2100
GECKO(1722) |     #42 0x7f9cc95083c8 in nsAsyncMessageToSameProcessChild::Run() /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1777:5
GECKO(1722) |     #43 0x7f9cc6dfb71e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
GECKO(1722) |     #44 0x7f9cc6e00f18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
GECKO(1722) |     #45 0x7f9cc7b76531 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
GECKO(1722) |     #46 0x7f9cc7adb6cb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
GECKO(1722) |     #47 0x7f9cc7adb6cb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
GECKO(1722) |     #48 0x7f9cc7adb6cb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
GECKO(1722) |     #49 0x7f9ccd12661f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
GECKO(1722) |     #50 0x7f9cd080a5e1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
GECKO(1722) |     #51 0x7f9cd09e7e61 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4653:22
GECKO(1722) |     #52 0x7f9cd09e9a53 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4817:8
GECKO(1722) |     #53 0x7f9cd09eae7b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4912:21
GECKO(1722) |     #54 0x4ebbb3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
GECKO(1722) |     #55 0x4ebbb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
GECKO(1722) |     #56 0x7f9ce41cd82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
GECKO(1722) |     #57 0x41d708 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x41d708)
GECKO(1722) | 0x60c0002c21b8 is located 56 bytes inside of 120-byte region [0x60c0002c2180,0x60c0002c21f8)
GECKO(1722) | freed by thread T101 (StreamTrans #22) here:
GECKO(1722) |     #0 0x4bbc3b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
GECKO(1722) |     #1 0x7f9cc856c6e4 in nsJAR::Release() /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:58:5
GECKO(1722) |     #2 0x7f9cc8593567 in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
GECKO(1722) |     #3 0x7f9cc8593567 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:631
GECKO(1722) |     #4 0x7f9cc8593567 in Close /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:157
GECKO(1722) |     #5 0x7f9cc8593567 in nsJARInputThunk::~nsJARInputThunk() /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:97
GECKO(1722) |     #6 0x7f9cc85936cd in nsJARInputThunk::~nsJARInputThunk() /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:96:5
GECKO(1722) |     #7 0x7f9cc857866b in nsJARInputThunk::Release() /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:108:1
GECKO(1722) | previously allocated by thread T0 here:
GECKO(1722) |     #0 0x4bbf8c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
GECKO(1722) |     #1 0x4ed4ad in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
GECKO(1722) |     #2 0x7f9cc8575a00 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
GECKO(1722) |     #3 0x7f9cc8575a00 in nsZipReaderCache::GetZip(nsIFile*, nsIZipReader**, bool) /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:642
GECKO(1722) |     #4 0x7f9cc857b05f in nsJARChannel::CreateJarInput(nsIZipReaderCache*, nsJARInputThunk**) /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:280:28
GECKO(1722) |     #5 0x7f9cc857c5ca in nsJARChannel::OpenLocalFile() /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:393:19
GECKO(1722) | Thread T101 (StreamTrans #22) created by T0 here:
GECKO(1722) |     #0 0x4a4366 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
GECKO(1722) |     #1 0x7f9ce0ed4279 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
GECKO(1722) |     #2 0x7f9ce0ed3e8e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
GECKO(1722) |     #3 0x7f9cc6df87f1 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:600:8
GECKO(1722) |     #4 0x7f9cc6e0007f in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:349:22
GECKO(1722) |     #5 0x7f9cc6e03242 in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:145:45
GECKO(1722) |     #6 0x7f9cc6e03242 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:107
GECKO(1722) |     #7 0x7f9cc6e04e0d in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:275:5
GECKO(1722) |     #8 0x7f9cc7050331 in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/netwerk/base/nsStreamTransportService.cpp:490:18
GECKO(1722) |     #9 0x7f9cc6d8de44 in Dispatch /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:14
GECKO(1722) |     #10 0x7f9cc6d8de44 in PostContinuationEvent_Locked /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:481
GECKO(1722) |     #11 0x7f9cc6d8de44 in PostContinuationEvent /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:472
GECKO(1722) |     #12 0x7f9cc6d8de44 in nsAStreamCopier::Start(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, void (*)(void*, nsresult), void*, unsigned int, bool, bool, void (*)(void*, unsigned int)) /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:287
GECKO(1722) |     #13 0x7f9cc6d8d9dc in NS_AsyncCopy(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, nsAsyncCopyMode, unsigned int, void (*)(void*, nsresult), void*, bool, bool, nsISupports**, void (*)(void*, unsigned int)) /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:660:16
GECKO(1722) |     #14 0x7f9cc704d607 in mozilla::net::nsInputStreamTransport::OpenInputStream(unsigned int, unsigned int, unsigned int, nsIInputStream**) /builds/worker/workspace/build/src/netwerk/base/nsStreamTransportService.cpp:112:10
GECKO(1722) |     #15 0x7f9cc6f951cd in nsInputStreamPump::AsyncRead(nsIStreamListener*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:366:25
GECKO(1722) |     #16 0x7f9cc857c67c in nsJARChannel::OpenLocalFile() /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:399:25
GECKO(1722) |     #17 0x7f9cc857e8f0 in nsJARChannel::AsyncOpen(nsIStreamListener*, nsISupports*) /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:842:14
GECKO(1722) |     #18 0x7f9cc857f825 in nsJARChannel::AsyncOpen2(nsIStreamListener*) /builds/worker/workspace/build/src/modules/libjar/nsJARChannel.cpp:876:10
GECKO(1722) |     #19 0x7f9cc6e22b31 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
GECKO(1722) |     #20 0x7f9cc852c490 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
GECKO(1722) |     #21 0x7f9cc852c490 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
GECKO(1722) |     #22 0x7f9cc852c490 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
GECKO(1722) |     #23 0x7f9cc853382a in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:928:12
GECKO(1722) |     #24 0x7f9cd0ed07a4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #25 0x7f9cd0ed07a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
GECKO(1722) |     #26 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #27 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #28 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #29 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #30 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #31 0x7f9cd1bd6f1e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
GECKO(1722) |     #32 0x7f9cd1b999c9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
GECKO(1722) |     #33 0x7f9cd1bb6f73 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:497:21
GECKO(1722) |     #34 0x7f9cd1bb9937 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:757:12
GECKO(1722) |     #35 0x7f9cd0ed0bec in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #36 0x7f9cd0ed0bec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477
GECKO(1722) |     #37 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #38 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #39 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #40 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #41 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #42 0x7f9cd0fb4b66 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1621:19
GECKO(1722) |     #43 0x7f9cd108bc64 in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1551:40
GECKO(1722) |     #44 0x7f9cd0ed193e in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #45 0x7f9cd0ed193e in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:326
GECKO(1722) |     #46 0x7f9cd0ed193e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:586
GECKO(1722) |     #47 0x7f9cd0eba4e0 in ConstructFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:12
GECKO(1722) |     #48 0x7f9cd0eba4e0 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3076
GECKO(1722) |     #49 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #50 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #51 0x7f9cd110417c in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2589:14
GECKO(1722) |     #52 0x7f9c7fedf306  (<unknown module>)
GECKO(1722) |     #53 0x621000f9dae7  (<unknown module>)
GECKO(1722) |     #54 0x7f9c7ff50cdc  (<unknown module>)
GECKO(1722) |     #55 0x7f9c7fed38a9  (<unknown module>)
GECKO(1722) |     #56 0x7f9cd1131272 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9
GECKO(1722) |     #57 0x7f9cd1130ad7 in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:200:28
GECKO(1722) |     #58 0x7f9cd0ea189e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:41
GECKO(1722) |     #59 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #60 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #61 0x7f9cd1f189ca in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/SelfHosting.cpp:1784:12
GECKO(1722) |     #62 0x7f9cd1bfb81a in AsyncFunctionResume(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:192:10
GECKO(1722) |     #63 0x7f9cd1bfa775 in AsyncFunctionStart /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:205:12
GECKO(1722) |     #64 0x7f9cd1bfa775 in WrappedAsyncFunction(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:90
GECKO(1722) |     #65 0x7f9cd0ed07a4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #66 0x7f9cd0ed07a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
GECKO(1722) |     #67 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #68 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #69 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #70 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #71 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #72 0x7f9cd16c8e03 in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/VMFunctions.cpp:941:12
GECKO(1722) |     #73 0x7f9c7fed46b2  (<unknown module>)
GECKO(1722) |     #74 0x7f9c7fed38a9  (<unknown module>)
GECKO(1722) |     #75 0x7f9cd1131272 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9
GECKO(1722) |     #76 0x7f9cd1130ad7 in js::jit::EnterBaselineMethod(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:200:28
GECKO(1722) |     #77 0x7f9cd0ea189e in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:41
GECKO(1722) |     #78 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #79 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #80 0x7f9cd1f189ca in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/SelfHosting.cpp:1784:12
GECKO(1722) |     #81 0x7f9cd1bfb81a in AsyncFunctionResume(JSContext*, JS::Handle<js::PromiseObject*>, JS::Handle<JS::Value>, ResumeKind, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:192:10
GECKO(1722) |     #82 0x7f9cd1bfa775 in AsyncFunctionStart /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:205:12
GECKO(1722) |     #83 0x7f9cd1bfa775 in WrappedAsyncFunction(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/AsyncFunction.cpp:90
GECKO(1722) |     #84 0x7f9cd0ed07a4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #85 0x7f9cd0ed07a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
GECKO(1722) |     #86 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #87 0x7f9cd1bd6f1e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
GECKO(1722) |     #88 0x7f9cd1b999c9 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
GECKO(1722) |     #89 0x7f9cc83f8a9f in xpc::AddonWrapper<js::CrossCompartmentWrapper>::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/xpconnect/wrappers/AddonWrapper.cpp:155:26
GECKO(1722) |     #90 0x7f9cd1bb6f73 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:497:21
GECKO(1722) |     #91 0x7f9cd1bb9937 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:757:12
GECKO(1722) |     #92 0x7f9cd0ed0bec in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
GECKO(1722) |     #93 0x7f9cd0ed0bec in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477
GECKO(1722) |     #94 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #95 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #96 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #97 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #98 0x7f9cd0eba33f in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
GECKO(1722) |     #99 0x7f9cd0eba33f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
GECKO(1722) |     #100 0x7f9cd0ea1a57 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
GECKO(1722) |     #101 0x7f9cd0ed093c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
GECKO(1722) |     #102 0x7f9cd0ed1292 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
GECKO(1722) |     #103 0x7f9cd19206b3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
GECKO(1722) |     #104 0x7f9cc94fe83f in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1100:14
GECKO(1722) |     #105 0x7f9cc94ff5bf in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1130:29
GECKO(1722) |     #106 0x7f9cc94ff5bf in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1130:29
GECKO(1722) |     #107 0x7f9cc94ff5bf in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, bool, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:1130:29
GECKO(1722) |     #108 0x7f9cc94fbdf9 in nsFrameMessageManager::ReceiveMessage(nsISupports*, nsIFrameLoader*, nsTSubstring<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/base/nsFrameMessageManager.cpp:909:10
GECKO(1722) |     #109 0x7f9ccc9f332d in mozilla::dom::TabParent::ReceiveMessage(nsTString<char16_t> const&, bool, mozilla::dom::ipc::StructuredCloneData*, mozilla::jsipc::CpowHolder*, nsIPrincipal*, nsTArray<mozilla::dom::ipc::StructuredCloneData>*) /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp:2590:14
GECKO(1722) |     #110 0x7f9ccca04010 in mozilla::dom::TabParent::RecvAsyncMessage(nsTString<char16_t> const&, nsTArray<mozilla::jsipc::CpowEntry>&&, IPC::Principal const&, mozilla::dom::ClonedMessageData const&) /builds/worker/workspace/build/src/dom/ipc/TabParent.cpp:1757:8
GECKO(1722) |     #111 0x7f9cc8127f2e in mozilla::dom::PBrowserParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserParent.cpp:1922:20
GECKO(1722) |     #112 0x7f9cc828463c in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:3184:28
GECKO(1722) |     #113 0x7f9cc7b6ec79 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
GECKO(1722) |     #114 0x7f9cc7b6ba44 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:17
GECKO(1722) |     #115 0x7f9cc7b6d254 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1891:5
GECKO(1722) |     #116 0x7f9cc7b6d8a8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1924:15
GECKO(1722) |     #117 0x7f9cc6dfb71e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
GECKO(1722) |     #118 0x7f9cc6e00f18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
GECKO(1722) |     #119 0x7f9cc7b76531 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
GECKO(1722) |     #120 0x7f9cc7adb6cb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
GECKO(1722) |     #121 0x7f9cc7adb6cb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
GECKO(1722) |     #122 0x7f9cc7adb6cb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
GECKO(1722) |     #123 0x7f9ccd12661f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
GECKO(1722) |     #124 0x7f9cd080a5e1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
GECKO(1722) |     #125 0x7f9cd09e7e61 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4653:22
GECKO(1722) |     #126 0x7f9cd09e9a53 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4817:8
GECKO(1722) |     #127 0x7f9cd09eae7b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4912:21
GECKO(1722) |     #128 0x4ebbb3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
GECKO(1722) |     #129 0x4ebbb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
GECKO(1722) |     #130 0x7f9ce41cd82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
GECKO(1722) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/modules/libjar/nsJAR.cpp:61:21 in Release
GECKO(1722) | Shadow bytes around the buggy address:
GECKO(1722) |   0x0c18800503e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
GECKO(1722) |   0x0c18800503f0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
GECKO(1722) |   0x0c1880050400: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa
GECKO(1722) |   0x0c1880050410: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
GECKO(1722) |   0x0c1880050420: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
GECKO(1722) | =>0x0c1880050430: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fa
GECKO(1722) |   0x0c1880050440: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
GECKO(1722) |   0x0c1880050450: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
GECKO(1722) |   0x0c1880050460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
GECKO(1722) |   0x0c1880050470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
GECKO(1722) |   0x0c1880050480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
GECKO(1722) | Shadow byte legend (one shadow byte represents 8 application bytes):
GECKO(1722) |   Addressable:           00
GECKO(1722) |   Partially addressable: 01 02 03 04 05 06 07
GECKO(1722) |   Heap left redzone:       fa
GECKO(1722) |   Heap right redzone:      fb
GECKO(1722) |   Freed heap region:       fd
GECKO(1722) |   Stack left redzone:      f1
GECKO(1722) |   Stack mid redzone:       f2
GECKO(1722) |   Stack right redzone:     f3
GECKO(1722) |   Stack partial redzone:   f4
GECKO(1722) |   Stack after return:      f5
GECKO(1722) |   Stack use after scope:   f8
GECKO(1722) |   Global redzone:          f9
GECKO(1722) |   Global init order:       f6
GECKO(1722) |   Poisoned by user:        f7
GECKO(1722) |   Container overflow:      fc
GECKO(1722) |   Array cookie:            ac
GECKO(1722) |   Intra object redzone:    bb
GECKO(1722) |   ASan internal:           fe
GECKO(1722) |   Left alloca redzone:     ca
GECKO(1722) |   Right alloca redzone:    cb
GECKO(1722) | ==1722==ABORTING
GECKO(1722) | [Child 1812, Chrome_ChildThread] WARNING: pipe error (3): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
GECKO(1722) | ASAN:DEADLYSIGNAL

Comment 1

[Valentin Gosu [:valentin] (he/him)]

I think Gary has looked at a similar issue before.

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Is this possibly-related to the long-running intermittent assertion/crash tracked by bug 1185489?

Comment 3

[Valentin Gosu [:valentin] (he/him)]

It looks similar, but this crash does not involve nsZipArchive, so it is probably different.

Comment 4

[Gary Chen [:xeonchen]]

Looks like there're only two objects will hold the ref-count of |nsJAR|:

  |nsJARInputThunk|, which destroy the instance, and
  |mZips| of |nsZipReaderCache|, where the use-after-free hits.

The root cause might be related to the customized |nsJAR::Release|, [1] tries to access |mCache| while it might already have been deleted by another |nsJAR::Release| call in another thread?

[1] https://hg.mozilla.org/try/file/f9e25d9c9d0c7e06978454a29d845b3b4dd4953b/modules/libjar/nsJAR.cpp#l61

Comment 5

[Gary Chen [:xeonchen]]

By the way, |nsJAR| is declared as thread-safe, but at least |mCache| is not handled well for thread safety.

Comment 6

[Gary Chen [:xeonchen]]

Attachment: 0001-Bug-1399520-avoid-access-member-variables-in-a-ponte.patch

Comment 7

[Gary Chen [:xeonchen]]

Hi Ryan, do you have any idea how often this happens?
Because the crash point in nsJAR.cpp was landed 17 years ago!

Comment 8

[Ryan VanderMeulen [:RyanVM]]

I don't, sorry. I just filed the first instance of it I saw, and classification of security-sensitive intermittent failure bugs can be hit and miss because it requires manual knowledge of the bug (since it isn't visible to Treeherder for suggestion).

Comment 9

[Gary Chen [:xeonchen]]

Attachment: 0001-Bug-1399520-use-default-Release-for-nsISupports-r-dr.patch

Hi Dragana,

I tend to remove the customized |Release| function because:

* adding a mutex in AddRef/Release isn't a good idea
* no correct timing to call |ReleaseZip| without a mutex.
* not calling |ReleaseZip| when ref-count is 1 won't cause leakage.

Would you give me some feedback (or maybe review)? Thank you.

Comment 10

[Dragana Damjanovic [:dragana]]

Comment on attachment 8909200 [details] [diff] [review]
0001-Bug-1399520-use-default-Release-for-nsISupports-r-dr.patch

Review of attachment 8909200 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/libjar/nsJAR.cpp
@@ -61,5 @@
> -  if (1 == count && mCache) {
> -#ifdef DEBUG
> -    nsresult rv =
> -#endif
> -      mCache->ReleaseZip(this);

ReleaseZip already have locks. And we need to release it so that another instance can use it. There are some comments about this in nsZipReaderCache::ReleaseZip(nsJAR* zip). I think you cannot remove ReleaseZip call here.

So the problem is the place where we destroy nsZipReaderCache. Can you check if we can make sure that nsZipReaderCache is only destroyed after all refs are removed (actually from the comment I mentioned it can only be refer from on nsJAR at the time)? And in addition can you look if we can make mCache RefPtr instead of a raw pointer?

Comment 11

[Gary Chen [:xeonchen]]

(In reply to Dragana Damjanovic [:dragana] from comment #10)
> ReleaseZip already have locks. And we need to release it so that another
> instance can use it. There are some comments about this in
> nsZipReaderCache::ReleaseZip(nsJAR* zip). I think you cannot remove
> ReleaseZip call here.
> 

You're right, the dangling pointer might be |nsZipReaderCache|.

> So the problem is the place where we destroy nsZipReaderCache. Can you check
> if we can make sure that nsZipReaderCache is only destroyed after all refs
> are removed (actually from the comment I mentioned it can only be refer from
> on nsJAR at the time)?

It's also used by |nsJARProtocolHandler|.

> And in addition can you look if we can make mCache
> RefPtr instead of a raw pointer?

It looks good, I was checking if weak pointer works, but MFBT's |WeakPtr| is not thread-safe.
Maybe we can leave this as follow-up.

Comment 12

[Gary Chen [:xeonchen]]

(In reply to Gary Chen [:xeonchen] (needinfo plz) from comment #11)
> (In reply to Dragana Damjanovic [:dragana] from comment #10)
> > And in addition can you look if we can make mCache
> > RefPtr instead of a raw pointer?
> 
> It looks good, I was checking if weak pointer works, but MFBT's |WeakPtr| is
> not thread-safe.
> Maybe we can leave this as follow-up.

No, it doesn't look good. Memory leaked if we use RefPtr.

Comment 13

[Gary Chen [:xeonchen]]

Hi Dragana,

In [1] |nsZipReaderCache| clears the pointer before it being deleted, so I think the issue might not be related to dangling pointer?

My idea in comment 4 is that it's a race condition in |nsJAR::Release|: [2] is executed before [3].
It's possible because |mRefCnt| is already decreased before the comparison.

So I don't think the problem is about the lock in |ReleaseZip|, how do you think?

[1] https://searchfox.org/mozilla-central/rev/3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#580-582
[2] https://searchfox.org/mozilla-central/rev/3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#56
[3] https://searchfox.org/mozilla-central/rev/3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#59

Comment 14

[Dragana Damjanovic [:dragana]]

(In reply to Gary Chen [:xeonchen] (needinfo plz) from comment #13)
> Hi Dragana,
> 
> In [1] |nsZipReaderCache| clears the pointer before it being deleted, so I
> think the issue might not be related to dangling pointer?
> 
> My idea in comment 4 is that it's a race condition in |nsJAR::Release|: [2]
> is executed before [3].
> It's possible because |mRefCnt| is already decreased before the comparison.
> 
> So I don't think the problem is about the lock in |ReleaseZip|, how do you
> think?
> 
> [1]
> https://searchfox.org/mozilla-central/rev/
> 3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#580-582
> [2]
> https://searchfox.org/mozilla-central/rev/
> 3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#56
> [3]
> https://searchfox.org/mozilla-central/rev/
> 3dbb47302e114219c53e99ebaf50c5cb727358ab/modules/libjar/nsJAR.cpp#59

You are right. This is not going to be easy to resolved, except rethinking nsJAR class. We use release as if it thread-safe but it is not. If we could find a way to call ReleaseZip outside of Release.

Comment 15

[Gary Chen [:xeonchen]]

Attachment: 0001-Bug-1399520-Part-0-remove-unused-weak-reference-r-dr.patch

Comment 16

[Gary Chen [:xeonchen]]

Attachment: 0002-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

Comment 17

[Dragana Damjanovic [:dragana]]

Comment on attachment 8913617 [details] [diff] [review]
0002-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

Review of attachment 8913617 [details] [diff] [review]:
-----------------------------------------------------------------

::: modules/libjar/nsJAR.cpp
@@ +54,5 @@
> +  if (mRefCnt == 2) { // don't use a lock too frequently
> +    // Use a mutex here to guarantee mCache is not racing and the target instance
> +    // is still valid to increase ref-count.
> +    MutexAutoLock lock(mLock);
> +    cache = mCache;

you should set mCache to nullptr here. I think we can have a race condition again. two releases com at almost the same time, both take mCache reference, the both are going to call ReleaseZip, it will not crash, but still work fixing.

Comment 18

[Gary Chen [:xeonchen]]

Attachment: 0001-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

fix according to review comment, carry r+

Comment 19

[Gary Chen [:xeonchen]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=b554f4a59abca0e7a54ee8bec1853a4388b62286

Comment 20

[Valentin Gosu [:valentin] (he/him)]

Any update here? Do you think it would also fix bug 1407493?

Comment 21

[Gary Chen [:xeonchen]]

(In reply to Valentin Gosu [:valentin] from comment #20)
> Any update here?

The patch breaks some tests, especially xpcshell-test, and some of failures are timeout.
Maybe we need a lock-free solution. I'm still working on this and any suggestion is welcome :)

> Do you think it would also fix bug 1407493?

I don't think so since it's a different class.

Comment 22

[Kris Maglione [:kmag]]

(In reply to Gary Chen [:xeonchen] (needinfo plz) from comment #21)
> (In reply to Valentin Gosu [:valentin] from comment #20)
> > Do you think it would also fix bug 1407493?
> 
> I don't think so since it's a different class.

The Release function of that class is called from from every nsZipArchive destructor. since AddRef is called (only) from the nsZipArchive constructor, the only way it can happen is if we're double-freeing nsZipArchive instances. If this fixes those double frees, it seems likely to fix that bug as well.

Comment 23

[Gary Chen [:xeonchen]]

(In reply to Kris Maglione [:kmag] (long backlog; ping on IRC if you're blocked) from comment #22)
> (In reply to Gary Chen [:xeonchen] (needinfo plz) from comment #21)
> > (In reply to Valentin Gosu [:valentin] from comment #20)
> > > Do you think it would also fix bug 1407493?
> > 
> > I don't think so since it's a different class.
> 
> The Release function of that class is called from from every nsZipArchive
> destructor. since AddRef is called (only) from the nsZipArchive constructor,
> the only way it can happen is if we're double-freeing nsZipArchive
> instances. If this fixes those double frees, it seems likely to fix that bug
> as well.

You're right, I didn't aware the use case of |nsZipArchive|.
But my patch doesn't try to fix double-release issue, it tries to fix race condition instead.

Comment 24

[Gary Chen [:xeonchen]]

Comment on attachment 8913616 [details] [diff] [review]
0001-Bug-1399520-Part-0-remove-unused-weak-reference-r-dr.patch

nsISupportsWeakReference is used by JavaScript code, so it's not supposed to be removed here.

Comment 25

[Gary Chen [:xeonchen]]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=02dd730e80be289f112314e868cb039b0818dd30

Comment 26

[Gary Chen [:xeonchen]]

Comment on attachment 8915432 [details] [diff] [review]
0001-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

[Security approval request comment]
How easily could an exploit be constructed based on the patch?
It's easy.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
Yes.

Which older supported branches are affected by this flaw?
All branches

If not all supported branches, which bug introduced the flaw?
N/A

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
It's easy to uplift

How likely is this patch to cause regressions; how much testing does it need?
A new lock may introduce timeouts more frequently.

Comment 27

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8915432 [details] [diff] [review]
0001-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

sec-approval+ for trunk. I don't think we want to take this on beta (57) at this point.

Comment 28

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7e079f24b9fe6becb844f65dd2e7485edb12219e

Comment 29

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/7e079f24b9fe

Comment 30

[Julien Cristau [:jcristau]]

wontfix for 57 per comment 27.

Comment 31

[Ryan VanderMeulen [:RyanVM]]

Do we want to 58+ this for the next ESR52 cycle?

Comment 32

[Daniel Veditz [:dveditz]]

Yes, but that's not an option yet.

Comment 33

[Ryan VanderMeulen [:RyanVM]]

I think we're ready to proceed with an uplift request here (and 58+ tracking status).

Comment 34

[Gary Chen [:xeonchen]]

Comment on attachment 8915432 [details] [diff] [review]
0001-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:  sec-high
Fix Landed on Version: 58
Risk to taking this patch (and alternatives if risky): Performance might be slightly affected.
String or UUID changes made by this patch: N/A

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Comment 35

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Comment on attachment 8915432 [details] [diff] [review]
0001-Bug-1399520-Part-1-avoid-race-condition-r-dragana.patch

UAF, low risk, ESR52+

Comment 36

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr52/rev/0152d097672f