Closed Bug 1402973 Opened 8 years ago Closed 8 years ago

ASan: heap use after free (READ of size 1) during WebRender failure on Debian 8 under VMWare Workstation 12

Categories: Core :: Graphics: WebRender, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical
Status: RESOLVED INVALID
Tracking Status:
firefox-esr52 --- unaffected
firefox57 --- disabled
firefox58 --- disabled
People: Reporter: geeknik, Unassigned
Keywords: csectype-uaf, nightly-community, reporter-external

Read https://mozillagfx.wordpress.com/2017/09/25/webrender-newsletter-5/, fired up ASan Build ID 20170924022042 and set the webrender prefs as per the blog and this happens on startup. Debian 8 x64 + VMWare Workstation 12.

==12997==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030004a3a42 at pc 0x000000429796 bp 0x7f61967a3da0 sp 0x7f61967a3530
READ of size 1 at 0x6030004a3a42 thread T25 (Renderer)
    #0 0x429795 in __interceptor_strcmp /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284:3
    #1 0x7f619d01ae27 in stub_find_dynamic (/usr/lib/x86_64-linux-gnu/libglapi.so.0+0x12e27)
    #2 0x7f619d01ac8d in _glapi_get_proc_address (/usr/lib/x86_64-linux-gnu/libglapi.so.0+0x12c8d)
    #3 0x7f619d24e842 in glXGetProcAddress (/usr/lib/x86_64-linux-gnu/libGL.so.1+0x1c842)
    #4 0x7f61b32851ee in LookupSymbol /builds/worker/workspace/build/src/gfx/gl/GLLibraryLoader.cpp:63:15
    #5 0x7f61b32851ee in mozilla::gl::GLLibraryLoader::LookupSymbol(char const*) /builds/worker/workspace/build/src/gfx/gl/GLLibraryLoader.cpp:46
    #6 0x7f61b343fa63 in get_proc_address_from_glcontext /builds/worker/workspace/build/src/gfx/layers/wr/WebRenderBridgeParent.cpp:80:28
    #7 0x7f61bdc177b2 in webrender_bindings::bindings::get_proc_address::h8300ed8c82fc8c61 /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:412
    #8 0x7f61bdcb25ce in webrender_bindings::bindings::wr_window_new::{{closure}} /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #9 0x7f61bdcb25ce in gleam::ffi_gl::Gl::load_with::do_metaloadfn::hf2f57da0d75049d6 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1617
    #10 0x7f61bdc0482b in gleam::ffi_gl::{{impl}}::load_with::{{closure}}<closure> /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1627
    #11 0x7f61bdc0482b in gleam::ffi_gl::Gl::load_with::hf8c87940c73688b1 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1844
    #12 0x7f61bdbfd047 in gleam::gl::{{impl}}::load_with<closure> /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:17
    #13 0x7f61bdbfd047 in wr_window_new /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #14 0x7f61b399991c in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/workspace/build/src/gfx/webrender_bindings/WebRenderAPI.cpp:73:10
    #15 0x7f61b398d276 in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:187:11
    #16 0x7f61b3998778 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > , 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #17 0x7f61b3998778 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #18 0x7f61b3998778 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #19 0x7f61b2173203 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #20 0x7f61b2173203 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #21 0x7f61b2173203 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #22 0x7f61b2174e59 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #23 0x7f61b2170deb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7f61b2170deb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7f61b2170deb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7f61b218e289 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #27 0x7f61b217fb5c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #28 0x7f61cdf31063 in start_thread /build/glibc-6V9RKT/glibc-2.19/nptl/pthread_create.c:309
    #29 0x7f61cd03862c in clone /build/glibc-6V9RKT/glibc-2.19/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:111

0x6030004a3a42 is located 2 bytes inside of 23-byte region [0x6030004a3a40,0x6030004a3a57)
freed by thread T25 (Renderer) here:
    #0 0x4bc06b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f61bdc17814 in alloc_system::imp::deallocate /checkout/src/liballoc_system/lib.rs:163
    #2 0x7f61bdc17814 in alloc_system::__rust_deallocate /checkout/src/liballoc_system/lib.rs:54
    #3 0x7f61bdc17814 in alloc::heap::deallocate /checkout/src/liballoc/heap.rs:127
    #4 0x7f61bdc17814 in alloc::heap::box_free<[u8]> /checkout/src/liballoc/heap.rs:169
    #5 0x7f61bdc17814 in core::ptr::drop_in_place<alloc::boxed::Box<[u8]>> /checkout/src/libcore/ptr.rs:60
    #6 0x7f61bdc17814 in core::ptr::drop_in_place<std::ffi::c_str::CString> /checkout/src/libcore/ptr.rs:60
    #7 0x7f61bdc17814 in webrender_bindings::bindings::get_proc_address::h8300ed8c82fc8c61 /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:421
    #8 0x7f61bdcb25ce in webrender_bindings::bindings::wr_window_new::{{closure}} /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #9 0x7f61bdcb25ce in gleam::ffi_gl::Gl::load_with::do_metaloadfn::hf2f57da0d75049d6 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1617
    #10 0x7f61bdc04285 in gleam::ffi_gl::{{impl}}::load_with::{{closure}}<closure> /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1627
    #11 0x7f61bdc04285 in gleam::ffi_gl::Gl::load_with::hf8c87940c73688b1 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1804
    #12 0x7f61bdbfd047 in gleam::gl::{{impl}}::load_with<closure> /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:17
    #13 0x7f61bdbfd047 in wr_window_new /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #14 0x7f61b399991c in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/workspace/build/src/gfx/webrender_bindings/WebRenderAPI.cpp:73:10
    #15 0x7f61b398d276 in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:187:11
    #16 0x7f61b3998778 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > , 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #17 0x7f61b3998778 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #18 0x7f61b3998778 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #19 0x7f61b2173203 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #20 0x7f61b2173203 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #21 0x7f61b2173203 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #22 0x7f61b2174e59 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #23 0x7f61b2170deb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7f61b2170deb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7f61b2170deb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7f61b218e289 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #27 0x7f61b217fb5c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #28 0x7f61cdf31063 in start_thread /build/glibc-6V9RKT/glibc-2.19/nptl/pthread_create.c:309

previously allocated by thread T25 (Renderer) here:
    #0 0x4bc76e in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:77:3
    #1 0x7f61bdfb37f9 in alloc_system::imp::reallocate /checkout/src/liballoc_system/lib.rs:143
    #2 0x7f61bdfb37f9 in alloc_system::__rust_reallocate /checkout/src/liballoc_system/lib.rs:63
    #3 0x7f61bdfb37f9 in alloc::heap::reallocate /checkout/src/liballoc/heap.rs:93
    #4 0x7f61bdfb37f9 in alloc::raw_vec::{{impl}}::reserve_exact<u8> /checkout/src/liballoc/raw_vec.rs:332
    #5 0x7f61bdfb37f9 in collections::vec::{{impl}}::reserve_exact<u8> /checkout/src/libcollections/vec.rs:485
    #6 0x7f61bdfb37f9 in std::ffi::c_str::CString::from_vec_unchecked::h744386070dd6b673 /checkout/src/libstd/ffi/c_str.rs:257
    #7 0x7f61bdc17797 in std::ffi::c_str::{{impl}}::_new /checkout/src/libstd/ffi/c_str.rs:232
    #8 0x7f61bdc17797 in std::ffi::c_str::{{impl}}::new<&str> /checkout/src/libstd/ffi/c_str.rs:226
    #9 0x7f61bdc17797 in webrender_bindings::bindings::get_proc_address::h8300ed8c82fc8c61 /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:411
    #10 0x7f61bdcb25ce in webrender_bindings::bindings::wr_window_new::{{closure}} /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #11 0x7f61bdcb25ce in gleam::ffi_gl::Gl::load_with::do_metaloadfn::hf2f57da0d75049d6 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1617
    #12 0x7f61bdc04285 in gleam::ffi_gl::{{impl}}::load_with::{{closure}}<closure> /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1627
    #13 0x7f61bdc04285 in gleam::ffi_gl::Gl::load_with::hf8c87940c73688b1 /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/gleam-4a234b93fa4e8dc9/out/gl_bindings.rs:1804
    #14 0x7f61bdbfd047 in gleam::gl::{{impl}}::load_with<closure> /builds/worker/workspace/build/src/third_party/rust/gleam/src/gl_fns.rs:17
    #15 0x7f61bdbfd047 in wr_window_new /builds/worker/workspace/build/src/gfx/webrender_bindings/src/bindings.rs:644
    #16 0x7f61b399991c in mozilla::wr::NewRenderer::Run(mozilla::wr::RenderThread&, mozilla::wr::WrWindowId) /builds/worker/workspace/build/src/gfx/webrender_bindings/WebRenderAPI.cpp:73:10
    #17 0x7f61b398d276 in mozilla::wr::RenderThread::RunEvent(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >) /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:187:11
    #18 0x7f61b3998778 in applyImpl<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), StoreCopyPassByConstLRef<mozilla::wr::WrWindowId>, StoreCopyPassByRRef<mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> > > , 0, 1> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #19 0x7f61b3998778 in apply<mozilla::wr::RenderThread, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #20 0x7f61b3998778 in mozilla::detail::RunnableMethodImpl<mozilla::wr::RenderThread*, void (mozilla::wr::RenderThread::*)(mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >), true, (mozilla::RunnableKind)0, mozilla::wr::WrWindowId, mozilla::UniquePtr<mozilla::wr::RendererEvent, mozilla::DefaultDelete<mozilla::wr::RendererEvent> >&&>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #21 0x7f61b2173203 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #22 0x7f61b2173203 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #23 0x7f61b2173203 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #24 0x7f61b2174e59 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #25 0x7f61b2170deb in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #26 0x7f61b2170deb in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #27 0x7f61b2170deb in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #28 0x7f61b218e289 in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #29 0x7f61b217fb5c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #30 0x7f61cdf31063 in start_thread /build/glibc-6V9RKT/glibc-2.19/nptl/pthread_create.c:309

Thread T25 (Renderer) created by T0 here:
    #0 0x4a4796 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:245:3
    #1 0x7f61b217ee3c in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f61b217ee3c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f61b218dcce in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f61b398b6f3 in mozilla::wr::RenderThread::Start() /builds/worker/workspace/build/src/gfx/webrender_bindings/RenderThread.cpp:56:16
    #5 0x7f61b377919f in InitLayersIPC /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1034:7
    #6 0x7f61b377919f in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:776
    #7 0x7f61b3775d8b in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:545:9
    #8 0x7f61b78d9497 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1493:25
    #9 0x7f61b148ba91 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #10 0x7f61b2c28340 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #11 0x7f61b2c28340 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #12 0x7f61b2c28340 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #13 0x7f61b2c2fac5 in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1685:17
    #14 0x7f61b2c2fac5 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
    #15 0x7f61bc141ff4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #16 0x7f61bc141ff4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #17 0x7f61bc143a2f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
    #18 0x7f61bc143a2f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
    #19 0x7f61bc143a2f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
    #20 0x7f61bd0f1c05 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2123:16
    #21 0x7f61bd0f1c05 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2171
    #22 0x7f61bd0f1c05 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2385
    #23 0x7f61bd0f1c05 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2421
    #24 0x7f61bc12f095 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1590:12
    #25 0x7f61bc12f095 in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:524
    #26 0x7f61bc12f095 in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:630
    #27 0x7f61bc12f095 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
    #28 0x7f61bc11321b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #29 0x7f61bc14218c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #30 0x7f61bc12be56 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #31 0x7f61bc12be56 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #32 0x7f61bc11321b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #33 0x7f61bc14218c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #34 0x7f61bc12be56 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #35 0x7f61bc12be56 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #36 0x7f61bc11321b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #37 0x7f61bc14218c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #38 0x7f61bc12be56 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #39 0x7f61bc12be56 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #40 0x7f61bc11321b in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #41 0x7f61bc14218c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #42 0x7f61bc142ae2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #43 0x7f61bcb94543 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #44 0x7f61b2c0ecb3 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1318:23
    #45 0x7f61b148d17a in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #46 0x7f61b148c156 in SharedStub (/home/geeknik/firefox/libxul.so+0x220b156)
    #47 0x7f61b140dc5b in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #48 0x7f61bbc78635 in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1040:11
    #49 0x7f61bbc570e8 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4530:16
    #50 0x7f61bbc59828 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #51 0x7f61bbc5ac5b in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #52 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #53 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #54 0x7f61ccf71b44 in __libc_start_main /build/glibc-6V9RKT/glibc-2.19/csu/libc-start.c:287

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_common_interceptors.inc:284:3 in __interceptor_strcmp
Shadow bytes around the buggy address:
  0x0c068008c6f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068008c700: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c068008c710: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c068008c720: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068008c730: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
=>0x0c068008c740: fa fa fd fd fd fa fa fa[fd]fd fd fa fa fa fd fd
  0x0c068008c750: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068008c760: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c068008c770: fa fa fd fd fd fa fa fa fd fd fd fd fa fa fd fd
  0x0c068008c780: fd fd fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c068008c790: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12997==ABORTING
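The ownership pattern the two stacks above record (a CString allocated at bindings.rs:411, freed at bindings.rs:421 when get_proc_address returns, then read by strcmp inside stub_find_dynamic on a later call), as an added C illustration that is not Mesa's or Firefox's code. The stub table, names and slot numbers are constructed, and the reading that the library keeps the caller's name pointer across calls rather than copying it is an inference from the trace, not something the bug states.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a name-keyed "dynamic stub" table. With
 * copy_names == 0 it borrows the caller's char* (the buggy shape);
 * with copy_names == 1 it owns a copy (the fixed shape). */
#define MAX_STUBS 16

struct stub {
    const char *name;  /* borrowed from the caller, or owned by the table */
    int slot;
};

static struct stub table[MAX_STUBS];
static int table_len;
static int copy_names;

/* Portable strdup replacement so the example builds under strict -std=c99. */
static char *dup_cstr(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p) memcpy(p, s, n);
    return p;
}

/* Reset the table and choose the ownership policy for the next run. */
void stub_table_reset(int copy) {
    for (int i = 0; i < table_len; i++)
        if (copy_names) free((char *)table[i].name);
    table_len = 0;
    copy_names = copy;
}

/* Stand-in for stub_find_dynamic: linear scan by name, unknown names get
 * a new slot. The strcmp over table[i].name is where the report's
 * "READ of size 1" lands once an entry points at memory the caller
 * freed after registering it. */
int stub_find_dynamic(const char *name) {
    for (int i = 0; i < table_len; i++)
        if (strcmp(table[i].name, name) == 0)
            return table[i].slot;
    if (table_len == MAX_STUBS) return -1;
    struct stub *s = &table[table_len];
    s->name = copy_names ? dup_cstr(name) : name;  /* fix: own the string */
    if (!s->name) return -1;
    s->slot = 100 + table_len;
    table_len++;
    return s->slot;
}

/* Stand-in for the Rust get_proc_address in the trace: CString::new copies
 * the name into a fresh heap buffer (the realloc at bindings.rs:411), the
 * FFI call uses it, and the CString is dropped on return (the free at
 * bindings.rs:421). Nothing here keeps the buffer alive afterwards. */
int get_proc_address(const char *name) {
    char *cname = dup_cstr(name);
    if (!cname) return -1;
    int slot = stub_find_dynamic(cname);
    free(cname);
    return slot;
}

/* Three lookups. The second scans the first entry with strcmp: with
 * copy == 0 that reads the buffer get_proc_address already freed, which
 * is exactly what ASan reports in the bug; with copy == 1 the table owns
 * its names and the third lookup resolves to the same slot as the first. */
int resolve_twice(int copy) {
    stub_table_reset(copy);
    int first = get_proc_address("glFooEXT");
    get_proc_address("glBarEXT");
    int again = get_proc_address("glFooEXT");
    return first == again ? first : -1;
}

int stub_count(void) { return table_len; }
```

Only resolve_twice(1) is sound; resolve_twice(0) reproduces the report's heap-use-after-free in strcmp and is what an ASan build flags.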
Note from the blog post "Again, some key parts of the WebRender integration are still in a very rough shape."
Group: core-security → gfx-core-security
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Note from the blog post "Again, some key parts of the WebRender integration
> are still in a very rough shape."

Agreed. On a non-VM Fedora 26 x64 machine, this memory error doesn't manifest itself.
Priority: -- → P2
Whiteboard: [wr-mvp]
"unaffected" status seems wrong since the ASAN crash seems to show an effect. --> "disabled"
Searching for the function name in frame 1, the top result on Google is this: https://bugs.freedesktop.org/show_bug.cgi?id=81992 The top frames are the same, so it seems like this is a bug in Debian.
Upon further investigation here, I have found the following: Setting gfx.webrender.enabled and gfx.webrendest.enabled to true on their own does not trigger the UAF; you have to set layers.acceleration.force-enabled to true as well. Also of note, setting layers.acceleration.force-enabled to true on its own and leaving the webrender options set to false does not trigger the UAF.
Brian: does the system you're testing have the fix for the bug Andrew mentioned in comment 4? Mail us at security@ to reopen the bug if it does, but really we think this is a Debian bug.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Priority: P2 → --
Whiteboard: [wr-mvp]
Flags: sec-bounty? → sec-bounty-
Group: gfx-core-security