Closed Bug 1399572 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ remove] with WRITE of size 8 in include/mozilla/LinkedList.h:246:18

Categories: Core :: DOM: Core & HTML
Type: defect
Priority: Not set
Severity: critical

Tracking: RESOLVED DUPLICATE of bug 1399091

People: Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Found while fuzzing mozilla-central rev 20170912-b0e945eed81d. A reproducible testcase is not currently available. I will update this bug once one is found.

==1951==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030015193f8 at pc 0x7ff0663d7874 bp 0x7ffda72254b0 sp 0x7ffda72254a8
WRITE of size 8 at 0x6030015193f8 thread T0
    #0 0x7ff0663d7873 in remove /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:246:18
    #1 0x7ff0663d7873 in ~LinkedListElement /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:198
    #2 0x7ff0663d7873 in nsRange::~nsRange() /builds/worker/workspace/build/src/dom/base/nsRange.cpp:259
    #3 0x7ff0663d789d in nsRange::~nsRange() /builds/worker/workspace/build/src/dom/base/nsRange.cpp:254:1
    #4 0x7ff0635a3e97 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2695:25
    #5 0x7ff0635ae594 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2883:3
    #6 0x7ff0635ae594 in nsCycleCollector_doDeferredDeletion() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4267
    #7 0x7ff064ebf153 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:124:34
    #8 0x7ff063721d6f in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:345:22
    #9 0x7ff063723361 in IdleRunnableWrapper::TimedOut(nsITimer*, void*) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:353:15
    #10 0x7ff06372a6e6 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:514:7
    #11 0x7ff0636fd086 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #12 0x7ff06370bd5d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #13 0x7ff063711a88 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #14 0x7ff06d483e8f in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2007:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #15 0x7ff06d483e8f in nsXULWindow::CreateNewContentWindow(int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2007
    #16 0x7ff06dd2ee7f in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:661:18
    #17 0x7ff06de76184 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:496:21
    #18 0x7ff06de73c5f in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:965:14
    #19 0x7ff06de75eaf in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #20 0x7ff06de75eaf in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #21 0x7ff065f663d8 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12951:21
    #22 0x7ff065f6496f in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:9005:10
    #23 0x7ff065f6496f in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8967
    #24 0x7ff065f64dfd in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8976:3
    #25 0x7ff0675265f8 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2414:56
    #26 0x7ff067524a15 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15498:13
    #27 0x7ff06e3f9f34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #28 0x7ff06e3f9f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #29 0x7ff06e3e37a9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #30 0x7ff06e3e37a9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #31 0x7ff06e3cad0b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #32 0x7ff06e3fc847 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #33 0x7ff06e44c75e in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #34 0x7ff06e44aea3 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12
    #35 0x1f6ba8be0467  (<unknown module>)

0x6030015193f8 is located 8 bytes inside of 24-byte region [0x6030015193f0,0x603001519408)
freed by thread T0 here:
    #0 0x4bb6fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7ff066360a49 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:230:12
    #2 0x7ff066360a49 in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:528
    #3 0x7ff066360a49 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:343
    #4 0x7ff066360a49 in ~UniquePtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:288
    #5 0x7ff066360a49 in nsINode::nsSlots::~nsSlots() /builds/worker/workspace/build/src/dom/base/nsINode.cpp:135
    #6 0x7ff06608c80d in mozilla::dom::FragmentOrElement::nsDOMSlots::~nsDOMSlots() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:761:1
    #7 0x7ff0663bc817 in nsNodeUtils::LastRelease(nsINode*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:313:5
    #8 0x7ff066048c02 in mozilla::dom::FragmentOrElement::Release() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:2221:1
    #9 0x7ff063595ea3 in ~nsCOMPtr_base /builds/worker/workspace/build/src/xpcom/base/nsCOMPtr.h:313:7
    #10 0x7ff063595ea3 in ~SegmentImpl /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/SegmentedVector.h:65
    #11 0x7ff063595ea3 in mozilla::SegmentedVector<nsCOMPtr<nsISupports>, 4096ul, mozilla::MallocAllocPolicy>::PopLastN(unsigned int) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/SegmentedVector.h:249
    #12 0x7ff06358574e in mozilla::dom::DeferredFinalizerImpl<nsISupports>::DeferredFinalize(unsigned int, void*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BindingUtils.h:2965:15
    #13 0x7ff0635867e6 in mozilla::IncrementalFinalizeRunnable::ReleaseNow(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1360:17
    #14 0x7ff063586e9a in mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(mozilla::CycleCollectedJSContext::DeferredFinalizeType) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1431:24
    #15 0x7ff063582512 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1481:7
    #16 0x7ff06ef4f012 in callGCCallback /builds/worker/workspace/build/src/js/src/jsgc.cpp:1641:9
    #17 0x7ff06ef4f012 in ~AutoNotifyGCActivity /builds/worker/workspace/build/src/js/src/jsgc.cpp:1669
    #18 0x7ff06ef4f012 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7159
    #19 0x7ff06ef52f94 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7290:25
    #20 0x7ff06ef5a773 in gc /builds/worker/workspace/build/src/js/src/jsgc.cpp:7357:5
    #21 0x7ff06ef5a773 in JS::GCForReason(JSContext*, JSGCInvocationKind, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:8264
    #22 0x7ff064e437d7 in nsXPCComponents_Utils::ForceGC() /builds/worker/workspace/build/src/js/xpconnect/src/XPCComponents.cpp:2580:5
    #23 0x7ff063734c21 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #24 0x7ff064ef2b70 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #25 0x7ff064ef2b70 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #26 0x7ff064ef2b70 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #27 0x7ff064ef9b3f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:928:12
    #28 0x7ff06e3f9f34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #29 0x7ff06e3f9f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #30 0x7ff06e3e37a9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #31 0x7ff06e3e37a9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #32 0x7ff06e3cad0b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #33 0x7ff06e3fa0cc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #34 0x7ff06e3faa22 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #35 0x7ff06ee4b0a3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #36 0x7ff064e10f8b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #37 0x7ff06e3f9f34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #38 0x7ff06e3f9f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #39 0x7ff06e3e37a9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #40 0x7ff06e3e37a9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #41 0x7ff06e3cad0b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #42 0x7ff06e3fc847 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #43 0x7ff06e44c75e in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #44 0x7ff06e44aea3 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12

previously allocated by thread T0 here:
    #0 0x4bba4c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ecf6d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7ff0663db70f in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7ff0663db70f in MakeUnique<mozilla::LinkedList<nsRange>> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680
    #4 0x7ff0663db70f in nsRange::RegisterCommonAncestor(nsINode*) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:423
    #5 0x7ff0663d9a67 in nsRange::DoSetRange(nsRange::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsRange::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsINode*, bool) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:999:9
    #6 0x7ff0663eb7e7 in DoSetRange /builds/worker/workspace/build/src/dom/base/nsRange.h:661:5
    #7 0x7ff0663eb7e7 in nsRange::SelectNode(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:1725
    #8 0x7ff0663ebab8 in nsRange::SelectNodeJS(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsRange.cpp:1693:3
    #9 0x7ff066d582a5 in mozilla::dom::RangeBinding::selectNode(JSContext*, JS::Handle<JSObject*>, nsRange*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/RangeBinding.cpp:776:9
    #10 0x7ff067d91eb0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3050:13
    #11 0x7ff06e3f9f34 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #12 0x7ff06e3f9f34 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #13 0x7ff06e3e37a9 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #14 0x7ff06e3e37a9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #15 0x7ff06e3cad0b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #16 0x7ff06e3fc847 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #17 0x7ff06e44c75e in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #18 0x7ff06e44aea3 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12
    #19 0x1f6ba85762b7  (<unknown module>)
    #20 0x621000cb67bf  (<unknown module>)
    #21 0x1f6ba8576b50  (<unknown module>)
    #22 0x6210026c321f  (<unknown module>)
    #23 0x1f6ba85038a9  (<unknown module>)
    #24 0x7ff06e6583d2 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9
    #25 0x7ff06e65953c in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:268:28
    #26 0x7ff06e3ed150 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2040:28
    #27 0x7ff06e3cad0b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #28 0x7ff06e3fc847 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #29 0x7ff06e3fd0b2 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #30 0x7ff06ee5e399 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #31 0x7ff066397989 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #32 0x7ff069a742e8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #33 0x7ff069a6f71c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #34 0x7ff069a52f85 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/LinkedList.h:246:18 in remove
Shadow bytes around the buggy address:
  0x0c068029b220: 00 fa fa fa fd fd fd fd fa fa 00 00 00 00 fa fa
  0x0c068029b230: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c068029b240: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c068029b250: fd fd fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c068029b260: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
=>0x0c068029b270: fa fa 00 00 00 fa fa fa fa fa fa fa fa fa fd[fd]
  0x0c068029b280: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068029b290: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fa
  0x0c068029b2a0: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c068029b2b0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c068029b2c0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1951==ABORTING

[ffpuppet] Exit code: -6
Hm, this involves nsRange too. Wonder if it's related to nils' bug 1399091
Group: core-security → dom-core-security
Yeah, this looks the same.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML
Group: dom-core-security