1417561 - stylo: AddressSanitizer: double-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3 in __interceptor_free

Status: RESOLVED DUPLICATE of bug 1415013

(Core :: CSS Parsing and Computation, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 45715ece25fc.

==1485==ERROR: AddressSanitizer: attempting double-free on 0x6070003fd1b0 in thread T0:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f121063e9aa in core::ptr::drop_in_place<style::rule_tree::StrongRuleNode> /checkout/src/libcore/ptr.rs:61
    #2 0x7f121063e9aa in _$LT$style..rule_tree..StrongRuleNode$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd2016aa4df8df41b /builds/worker/workspace/build/src/servo/components/style/rule_tree/mod.rs:1478
    #3 0x7f121064a8c2 in core::ptr::drop_in_place<style::rule_tree::StrongRuleNode> /checkout/src/libcore/ptr.rs:61
    #4 0x7f121064a8c2 in core::ptr::drop_in_place<core::option::Option<style::rule_tree::StrongRuleNode>> /checkout/src/libcore/ptr.rs:61
    #5 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_bindings::structs::root::ServoComputedData> /checkout/src/libcore/ptr.rs:61
    #6 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_bindings::structs::root::mozilla::ServoStyleContext> /checkout/src/libcore/ptr.rs:61
    #7 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_properties::ComputedValues> /checkout/src/libcore/ptr.rs:61
    #8 0x7f121064a8c2 in core::ptr::drop_in_place<servo_arc::ArcInner<style::gecko_properties::ComputedValues>> /checkout/src/libcore/ptr.rs:61
    #9 0x7f121064a8c2 in core::ptr::drop_in_place<alloc::boxed::Box<servo_arc::ArcInner<style::gecko_properties::ComputedValues>>> /checkout/src/libcore/ptr.rs:61
    #10 0x7f121064a8c2 in _$LT$servo_arc..Arc$LT$T$GT$$GT$::drop_slow::h1b3e5ce81f8f0a70 /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:250
    #11 0x7f12103392b4 in servo_arc::{{impl}}::drop<style::gecko_properties::ComputedValues> /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:384
    #12 0x7f12103392b4 in core::ptr::drop_in_place<servo_arc::Arc<style::gecko_properties::ComputedValues>> /checkout/src/libcore/ptr.rs:61
    #13 0x7f12103392b4 in core::ptr::drop_in_place<core::option::Option<servo_arc::Arc<style::gecko_properties::ComputedValues>>> /checkout/src/libcore/ptr.rs:61
    #14 0x7f12103392b4 in core::ptr::drop_in_place<style::data::ElementStyles> /checkout/src/libcore/ptr.rs:61
    #15 0x7f12103392b4 in core::ptr::drop_in_place<style::data::ElementData> /checkout/src/libcore/ptr.rs:61
    #16 0x7f12103392b4 in core::ptr::drop_in_place<core::cell::UnsafeCell<style::data::ElementData>> /checkout/src/libcore/ptr.rs:61
    #17 0x7f12103392b4 in core::ptr::drop_in_place<atomic_refcell::AtomicRefCell<style::data::ElementData>> /checkout/src/libcore/ptr.rs:61
    #18 0x7f12103392b4 in core::ptr::drop_in_place<alloc::boxed::Box<atomic_refcell::AtomicRefCell<style::data::ElementData>>> /checkout/src/libcore/ptr.rs:61
    #19 0x7f12103392b4 in style::gecko::wrapper::{{impl}}::clear_data /builds/worker/workspace/build/src/servo/components/style/gecko/wrapper.rs:1242
    #20 0x7f12103392b4 in Servo_Element_ClearData /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:934
    #21 0x7f120687a39b in ClearServoData /builds/worker/workspace/build/src/dom/base/Element.cpp:4387:3
    #22 0x7f120687a39b in ClearServoData /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:536
    #23 0x7f120687a39b in mozilla::dom::FragmentOrElement::DestroyContent() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1393
    #24 0x7f120687a5f7 in mozilla::dom::FragmentOrElement::DestroyContent() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1404:35
    #25 0x7f1206a779e5 in nsDocument::Destroy() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9170:27
    #26 0x7f120acb9684 in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1768:16
    #27 0x7f120accb15e in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2102:17
    #28 0x7f120ad5f33b in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:2246:31
    #29 0x7f120abe15e4 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3895:54
    #30 0x7f120acc1cb7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1098:14
    #31 0x7f120dd60fe1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
    #32 0x7f120dd5d004 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
    #33 0x7f120dd6488f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
    #34 0x7f120589a2a3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #35 0x7f120589940c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #36 0x7f1205896498 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #37 0x7f12058983b2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #38 0x7f120589900c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #39 0x7f1203e174c0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #40 0x7f1206a7931d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9379:18
    #41 0x7f1206a78ee1 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9301:9
    #42 0x7f1206a52b29 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5666:3
    #43 0x7f1206af41f2 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #44 0x7f1206af41f2 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #45 0x7f1206af41f2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #46 0x7f1203c6f286 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #47 0x7f1203c89a18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #48 0x7f1204a3a811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #49 0x7f120499ae0b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #50 0x7f120499ae0b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #51 0x7f120499ae0b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #52 0x7f120a43d95f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #53 0x7f120e575ea1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #54 0x7f120e76deab in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4685:22
    #55 0x7f120e76fa75 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4847:8
    #56 0x7f120e770e26 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4942:21
    #57 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #58 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #59 0x7f1221bc382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #60 0x41dbc8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41dbc8)

0x6070003fd1b0 is located 0 bytes inside of 80-byte region [0x6070003fd1b0,0x6070003fd200)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f121063e9aa in core::ptr::drop_in_place<style::rule_tree::StrongRuleNode> /checkout/src/libcore/ptr.rs:61
    #2 0x7f121063e9aa in _$LT$style..rule_tree..StrongRuleNode$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd2016aa4df8df41b /builds/worker/workspace/build/src/servo/components/style/rule_tree/mod.rs:1478
    #3 0x7f121064a8c2 in core::ptr::drop_in_place<style::rule_tree::StrongRuleNode> /checkout/src/libcore/ptr.rs:61
    #4 0x7f121064a8c2 in core::ptr::drop_in_place<core::option::Option<style::rule_tree::StrongRuleNode>> /checkout/src/libcore/ptr.rs:61
    #5 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_bindings::structs::root::ServoComputedData> /checkout/src/libcore/ptr.rs:61
    #6 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_bindings::structs::root::mozilla::ServoStyleContext> /checkout/src/libcore/ptr.rs:61
    #7 0x7f121064a8c2 in core::ptr::drop_in_place<style::gecko_properties::ComputedValues> /checkout/src/libcore/ptr.rs:61
    #8 0x7f121064a8c2 in core::ptr::drop_in_place<servo_arc::ArcInner<style::gecko_properties::ComputedValues>> /checkout/src/libcore/ptr.rs:61
    #9 0x7f121064a8c2 in core::ptr::drop_in_place<alloc::boxed::Box<servo_arc::ArcInner<style::gecko_properties::ComputedValues>>> /checkout/src/libcore/ptr.rs:61
    #10 0x7f121064a8c2 in _$LT$servo_arc..Arc$LT$T$GT$$GT$::drop_slow::h1b3e5ce81f8f0a70 /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:250
    #11 0x7f12103392b4 in servo_arc::{{impl}}::drop<style::gecko_properties::ComputedValues> /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:384
    #12 0x7f12103392b4 in core::ptr::drop_in_place<servo_arc::Arc<style::gecko_properties::ComputedValues>> /checkout/src/libcore/ptr.rs:61
    #13 0x7f12103392b4 in core::ptr::drop_in_place<core::option::Option<servo_arc::Arc<style::gecko_properties::ComputedValues>>> /checkout/src/libcore/ptr.rs:61
    #14 0x7f12103392b4 in core::ptr::drop_in_place<style::data::ElementStyles> /checkout/src/libcore/ptr.rs:61
    #15 0x7f12103392b4 in core::ptr::drop_in_place<style::data::ElementData> /checkout/src/libcore/ptr.rs:61
    #16 0x7f12103392b4 in core::ptr::drop_in_place<core::cell::UnsafeCell<style::data::ElementData>> /checkout/src/libcore/ptr.rs:61
    #17 0x7f12103392b4 in core::ptr::drop_in_place<atomic_refcell::AtomicRefCell<style::data::ElementData>> /checkout/src/libcore/ptr.rs:61
    #18 0x7f12103392b4 in core::ptr::drop_in_place<alloc::boxed::Box<atomic_refcell::AtomicRefCell<style::data::ElementData>>> /checkout/src/libcore/ptr.rs:61
    #19 0x7f12103392b4 in style::gecko::wrapper::{{impl}}::clear_data /builds/worker/workspace/build/src/servo/components/style/gecko/wrapper.rs:1242
    #20 0x7f12103392b4 in Servo_Element_ClearData /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:934
    #21 0x7f120687a39b in ClearServoData /builds/worker/workspace/build/src/dom/base/Element.cpp:4387:3
    #22 0x7f120687a39b in ClearServoData /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:536
    #23 0x7f120687a39b in mozilla::dom::FragmentOrElement::DestroyContent() /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1393
    #24 0x7f1206a779e5 in nsDocument::Destroy() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9170:27
    #25 0x7f120acb9684 in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1768:16
    #26 0x7f120accb15e in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2102:17
    #27 0x7f120ad5f33b in nsPresContext::EnsureVisible() /builds/worker/workspace/build/src/layout/base/nsPresContext.cpp:2246:31
    #28 0x7f120abe15e4 in mozilla::PresShell::UnsuppressAndInvalidate() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3895:54
    #29 0x7f120acc1cb7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1098:14
    #30 0x7f120dd60fe1 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7779:21
    #31 0x7f120dd5d004 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7577:7
    #32 0x7f120dd6488f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7474:13
    #33 0x7f120589a2a3 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1321:3
    #34 0x7f120589940c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #35 0x7f1205896498 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9
    #36 0x7f12058983b2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:633:5
    #37 0x7f120589900c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:489:14
    #38 0x7f1203e174c0 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #39 0x7f1206a7931d in nsDocument::DoUnblockOnload() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9379:18
    #40 0x7f1206a78ee1 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9301:9
    #41 0x7f1206a52b29 in nsDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5666:3
    #42 0x7f1206af41f2 in applyImpl<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #43 0x7f1206af41f2 in apply<nsDocument, void (nsDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #44 0x7f1206af41f2 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #45 0x7f1203c6f286 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #46 0x7f1203c89a18 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #47 0x7f1204a3a811 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #48 0x7f120499ae0b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #49 0x7f120499ae0b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #50 0x7f120499ae0b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #51 0x7f120a43d95f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #52 0x7f120e575ea1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f1210651152 in alloc_system::platform::{{impl}}::alloc /checkout/src/liballoc_system/lib.rs:131
    #2 0x7f1210651152 in alloc_system::{{impl}}::alloc /checkout/src/liballoc_system/lib.rs:53
    #3 0x7f1210651152 in std::heap::__default_lib_allocator::__rdl_alloc /checkout/src/libstd/heap.rs:35
    #4 0x7f1210651152 in alloc::heap::{{impl}}::alloc /checkout/src/liballoc/heap.rs:84
    #5 0x7f1210651152 in alloc::heap::exchange_malloc /checkout/src/liballoc/heap.rs:249
    #6 0x7f1210651152 in alloc::boxed::{{impl}}::new<style::rule_tree::RuleNode> /checkout/src/liballoc/boxed.rs:242
    #7 0x7f1210651152 in style::rule_tree::{{impl}}::new /builds/worker/workspace/build/src/servo/components/style/rule_tree/mod.rs:159
    #8 0x7f1210651152 in style::stylist::{{impl}}::new /builds/worker/workspace/build/src/servo/components/style/stylist.rs:440
    #9 0x7f1210651152 in style::gecko::data::PerDocumentStyleData::new::hc5bd7871037f7a2b /builds/worker/workspace/build/src/servo/components/style/gecko/data.rs:136
    #10 0x7f121038e206 in Servo_StyleSet_Init /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:2393
    #11 0x7f120a859db7 in mozilla::ServoStyleSet::Init(nsPresContext*, nsBindingManager*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:148:17
    #12 0x7f120abc4563 in Init /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:50:3
    #13 0x7f120abc4563 in mozilla::PresShell::Init(nsIDocument*, nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:922
    #14 0x7f1206a3ebe4 in nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4125:10
    #15 0x7f120acbbeef in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:684:27
    #16 0x7f120accbe5f in nsDocumentViewer::Show() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2195:12
    #17 0x7f120dd52c69 in SetVisibility /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6626:9
    #18 0x7f120dd52c69 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6616
    #19 0x7f1206b090b3 in nsFrameLoader::Show(int, int, int, int, nsSubDocumentFrame*) /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1299:15
    #20 0x7f120b0203c2 in nsSubDocumentFrame::ShowViewer() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:190:22
    #21 0x7f120b099509 in AsyncFrameInit::Run() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:97:60
    #22 0x7f120666ac70 in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5738:15
    #23 0x7f120abe3aca in ~nsAutoScriptBlocker /builds/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3523:5
    #24 0x7f120abe3aca in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4194
    #25 0x7f1206a734c0 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:570:5
    #26 0x7f1206a734c0 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8550
    #27 0x7f120683b9d7 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2396:10
    #28 0x7f120683b9d7 in mozilla::dom::Element::GetBoundingClientRect() /builds/worker/workspace/build/src/dom/base/Element.cpp:1074
    #29 0x7f12080c51dc in mozilla::dom::ElementBinding::getBoundingClientRect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2603:59
    #30 0x7f12085d7a60 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #31 0x7f120ea20420 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #32 0x7f120ea20420 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #33 0x7f120ea0b95c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #34 0x7f120ea0b95c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #35 0x7f120e9f39ea in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #36 0x7f120ea23343 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #37 0x7f120ea23b82 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #38 0x7f120f477aa9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #39 0x7f1206b741a9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
    #40 0x7f120a2c4e73 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2254:25
    #41 0x7f120a2c02b6 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1894:10
    #42 0x7f120a2a3dca in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1595:10
    #43 0x7f120a2a02b8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #44 0x7f1205a6dbfe in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:226:18
    #45 0x7f1205a6dbfe in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:740

SUMMARY: AddressSanitizer: double-free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3 in __interceptor_free
==1485==ABORTING

Comment 1

[Emilio Cobos Álvarez (:emilio)]

This one looks extremely nasty, Thanks!

Comment 2

[Emilio Cobos Álvarez (:emilio)]

I can't repro with the patch from bug 1415013 (and it'd make sense, actually). Mind confirming?

Comment 3

[Emilio Cobos Álvarez (:emilio)]

(There may still be value in reverting that patch and investigating, because this is definitely not supposed to happen)

Comment 4

[Jason Kratzer [:jkratzer]]

(In reply to Emilio Cobos Álvarez [:emilio] from comment #2)
> I can't repro with the patch from bug 1415013 (and it'd make sense,
> actually). Mind confirming?

I just tested with the latest nightly (rev 92235deefc25) and could not reproduce the issue.

Comment 5

[Daniel Veditz [:dveditz]]

Is Rust operating on unsafe types here, or do we need to investigate Rust itself for memory errors it's not supposed to have?

Comment 6

[Emilio Cobos Álvarez (:emilio)]

This is pretty unsafe code added in bug 1378005.

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Note that this can only happen with shadow DOM, so 57 and 58 are "disabled", I'd say.

Comment 8

[Liz Henry (:lizzard) (relman/hg->git project)]

Emilio, is this something you might take on to fix, or can you suggest someone to investigate (since bholley is out on leave)?

Comment 9

[Emilio Cobos Álvarez (:emilio)]

This should be fixed already per comment 4.