1422820 - Wild pointer write in swrast_dri.so near [@mozilla::layers::CompositorOGL::BindAndDrawQuads]

Status: RESOLVED WORKSFORME

(Core :: Graphics: Layers, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 785572419acc on Linux64.

==21162==ERROR: AddressSanitizer: SEGV on unknown address 0x0001004be28b (pc 0x7f307c6d6ba0 bp 0x000000000005 sp 0x7f302462f4f0 T33)
==21162==The signal is caused by a WRITE memory access.
    #0 0x7f307c6d6b9f  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x72eb9f)
    #1 0x7f307c6d6f6a  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x72ef6a)
    #2 0x7f307c6d911f  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x73111f)
    #3 0x7f307c6ddc37  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x735c37)
    #4 0x7f307c3413eb  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x3993eb)
    #5 0x7f307c42be34  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x483e34)
    #6 0x7f307c42c09e  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x48409e)
    #7 0x7f307c347ab8  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x39fab8)
    #8 0x7f307c340724  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x398724)
    #9 0x7f307c340c78  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x398c78)
    #10 0x7f307c6c9db8  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x721db8)
    #11 0x7f307c194427  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1ec427)
    #12 0x7f307c153f74  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1abf74)
    #13 0x7f307c154239  (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x1ac239)
    #14 0x7f3084ac9b9f in raw_fDrawArrays /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1079:9
    #15 0x7f3084ac9b9f in fDrawArrays /builds/worker/workspace/build/src/obj-firefox/dist/include/GLContext.h:1092
    #16 0x7f3084ac9b9f in mozilla::layers::CompositorOGL::BindAndDrawQuads(mozilla::layers::ShaderProgramOGL*, int, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*) /builds/worker/workspace/build/src/gfx/layers/opengl/CompositorOGL.cpp:1571
    #17 0x7f3084ac94d4 in mozilla::layers::CompositorOGL::BindAndDrawGeometryWithTextureRect(mozilla::layers::ShaderProgramOGL*, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::layers::TextureSource*) /builds/worker/workspace/build/src/gfx/layers/opengl/CompositorOGL.cpp:1541:3
    #18 0x7f3084ac035d in void mozilla::layers::CompositorOGL::DrawGeometry<mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> >(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/opengl/CompositorOGL.cpp:1311:7
    #19 0x7f3084abbb68 in mozilla::layers::CompositorOGL::DrawQuad(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&) /builds/worker/workspace/build/src/gfx/layers/opengl/CompositorOGL.cpp:1006:3
    #20 0x7f3084a52d59 in mozilla::layers::Compositor::DrawGeometry(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::layers::EffectChain const&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/Compositor.cpp:235:5
    #21 0x7f3084ccb886 in DrawGeometry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/Compositor.h:304:5
    #22 0x7f3084ccb886 in mozilla::layers::ContentHostTexture::Composite(mozilla::layers::Compositor*, mozilla::layers::LayerComposite*, mozilla::layers::EffectChain&, float, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const&, mozilla::gfx::SamplingFilter, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const*, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContentHost.cpp:186
    #23 0x7f3084d1cb6f in operator() /builds/worker/workspace/build/src/gfx/layers/composite/PaintedLayerComposite.cpp:124:14
    #24 0x7f3084d1cb6f in RenderWithAllMasks<(lambda at /builds/worker/workspace/build/src/gfx/layers/composite/PaintedLayerComposite.cpp:120:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/layers/LayerManagerComposite.h:770
    #25 0x7f3084d1cb6f in mozilla::layers::PaintedLayerComposite::RenderLayer(mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/PaintedLayerComposite.cpp:119
    #26 0x7f3084cfa238 in void mozilla::layers::RenderLayers<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::RenderTargetPixel> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:463:22
    #27 0x7f3084cc2213 in void mozilla::layers::ContainerRender<mozilla::layers::ContainerLayerComposite>(mozilla::layers::ContainerLayerComposite*, mozilla::layers::LayerManagerComposite*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<mozilla::gfx::PolygonTyped<mozilla::gfx::UnknownUnits> > const&) /builds/worker/workspace/build/src/gfx/layers/composite/ContainerLayerComposite.cpp:627:5
    #28 0x7f3084d0fff2 in mozilla::layers::LayerManagerComposite::Render(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:952:18
    #29 0x7f3084d0e53f in mozilla::layers::LayerManagerComposite::UpdateAndRender() /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:533:3
    #30 0x7f3084d0da76 in mozilla::layers::LayerManagerComposite::EndTransaction(mozilla::TimeStamp const&, mozilla::layers::LayerManager::EndTransactionFlags) /builds/worker/workspace/build/src/gfx/layers/composite/LayerManagerComposite.cpp:463:5
    #31 0x7f3084d50a2b in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:1047:18
    #32 0x7f3084d75eeb in ComposeToTarget /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:394:25
    #33 0x7f3084d75eeb in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:294
    #34 0x7f3084dc3a80 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #35 0x7f3084dc3a80 in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #36 0x7f3084dc3a80 in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, (mozilla::RunnableKind)1, mozilla::TimeStamp>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #37 0x7f3083392253 in RunTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #38 0x7f3083392253 in DeferOrRunPendingTask /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:460
    #39 0x7f3083392253 in MessageLoop::DoWork() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:535
    #40 0x7f3083394188 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #41 0x7f308338f639 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7f308338f639 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7f308338f639 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7f30833ae79f in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #45 0x7f30833a02dc in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #46 0x7f30a24ee6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #47 0x7f30a15703dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/usr/lib/x86_64-linux-gnu/dri/swrast_dri.so+0x72eb9f) 
Thread T33 (Compositor) created by T0 here:
    #0 0x4a816d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f308339dc2f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f308339dc2f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7f30833ae13f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7f3084d6368d in mozilla::layers::CompositorThreadHolder::CreateCompositorThread() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:103:26
    #5 0x7f3084d63883 in CompositorThreadHolder /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:52:23
    #6 0x7f3084d63883 in mozilla::layers::CompositorThreadHolder::Start() /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:126
    #7 0x7f3084e54659 in gfxPlatform::InitLayersIPC() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1039:5
    #8 0x7f3084e4f7c5 in gfxPlatform::Init() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:774:5
    #9 0x7f3084e4cdab in gfxPlatform::GetPlatform() /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:543:9
    #10 0x7f30897fae59 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1508:25
    #11 0x7f30825d61e1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #12 0x7f3083f6392d in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #13 0x7f3083f6392d in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #14 0x7f3083f6392d in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #15 0x7f3083f6b13d in GetAttribute /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1676:17
    #16 0x7f3083f6b13d in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965
    #17 0x7f308e215ac1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #18 0x7f308e215ac1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #19 0x7f308e217a12 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #20 0x7f308e217a12 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541
    #21 0x7f308e217a12 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:656
    #22 0x7f308f2be2cf in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2120:16
    #23 0x7f308f2be2cf in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2173
    #24 0x7f308f2be2cf in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2376
    #25 0x7f308f2be2cf in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2412
    #26 0x7f308e1f8caf in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1616:12
    #27 0x7f308e1f8caf in GetObjectElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:523
    #28 0x7f308e1f8caf in GetElementOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:629
    #29 0x7f308e1f8caf in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2934
    #30 0x7f308e1e8290 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #31 0x7f308e215f4e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #32 0x7f308e1fbb28 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #33 0x7f308e1fbb28 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #34 0x7f308e1e8290 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #35 0x7f308e215f4e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #36 0x7f308e1fbb28 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #37 0x7f308e1fbb28 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #38 0x7f308e1e8290 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #39 0x7f308e215f4e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #40 0x7f308e1fbb28 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #41 0x7f308e1fbb28 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #42 0x7f308e1e8290 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #43 0x7f308e215f4e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #44 0x7f308e216a52 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #45 0x7f308ed0c441 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2977:12
    #46 0x7f3083f49eb1 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1317:23
    #47 0x7f30825d77bf in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #48 0x7f30825d676a in SharedStub (/home/forb1dden/builds/mc-asan/libxul.so+0x219676a)
    #49 0x7f30825522dd in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #50 0x7f308df6247a in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1024:11
    #51 0x7f308df3f1c7 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4486:16
    #52 0x7f308df4268e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:8
    #53 0x7f308df43b04 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4903:21
    #54 0x4ee80b in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #55 0x4ee80b in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #56 0x7f30a148982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

Comment 1

[Jason Kratzer [:jkratzer]]

During reduction, the original testcase was also found to produce the following use-after-free signature:

=================================================================
==3314==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130001b1088 at pc 0x7ff8519356db bp 0x7ff7f775eef0 sp 0x7ff7f775eee8
READ of size 4 at 0x6130001b1088 thread T460 (Cameras IPC)
    #0 0x7ff8519356da in Id /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:181:33
    #1 0x7ff8519356da in mozilla::camera::PCamerasChild::SendNumberOfCaptureDevices(mozilla::camera::CaptureEngine const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCamerasChild.cpp:47
    #2 0x7ff8564eb52c in applyImpl<mozilla::camera::CamerasChild, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &), StoreCopyPassByConstLRef<mozilla::camera::CaptureEngine> , 0> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #3 0x7ff8564eb52c in apply<mozilla::camera::CamerasChild, bool (mozilla::camera::PCamerasChild::*)(const mozilla::camera::CaptureEngine &)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #4 0x7ff8564eb52c in mozilla::detail::RunnableMethodImpl<mozilla::camera::CamerasChild*, bool (mozilla::camera::PCamerasChild::*)(mozilla::camera::CaptureEngine const&), false, (mozilla::RunnableKind)0, mozilla::camera::CaptureEngine>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #5 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #6 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #7 0x7ff85115a29f in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #8 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #10 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #11 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #12 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #13 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7ff86eece3dc in clone /build/glibc-bfm8X4/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6130001b1088 is located 8 bytes inside of 384-byte region [0x6130001b1080,0x6130001b1200)
freed by thread T460 (Cameras IPC) here:
    #0 0x4c2f22 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/CamerasChild.h:152:3
    #2 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #3 0x7ff851102735 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #4 0x7ff851102735 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #5 0x7ff851102735 in mozilla::ipc::BackgroundChildImpl::DeallocPCamerasChild(mozilla::camera::PCamerasChild*) /builds/worker/workspace/build/src/ipc/glue/BackgroundChildImpl.cpp:377
    #6 0x7ff851591ce2 in mozilla::ipc::PBackgroundChild::DeallocSubtree() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2898:13
    #7 0x7ff85159427a in mozilla::ipc::PBackgroundChild::OnChannelError() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2334:5
    #8 0x7ff851153d6b in mozilla::ipc::MessageChannel::OnNotifyMaybeChannelError() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp
    #9 0x7ff85116b7f4 in applyImpl<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1142:12
    #10 0x7ff85116b7f4 in apply<mozilla::ipc::MessageChannel, void (mozilla::ipc::MessageChannel::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1148
    #11 0x7ff85116b7f4 in mozilla::detail::RunnableMethodImpl<mozilla::ipc::MessageChannel*, void (mozilla::ipc::MessageChannel::*)(), false, (mozilla::RunnableKind)1>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1192
    #12 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #13 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #14 0x7ff85115a295 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #15 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #19 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #20 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T460 (Cameras IPC) here:
    #0 0x4c3263 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f3d2d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7ff85110266f in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7ff85110266f in mozilla::ipc::BackgroundChildImpl::AllocPCamerasChild() /builds/worker/workspace/build/src/ipc/glue/BackgroundChildImpl.cpp:361
    #4 0x7ff8515786f5 in mozilla::ipc::PBackgroundChild::SendPCamerasConstructor() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:667:36
    #5 0x7ff8564e9262 in mozilla::camera::InitializeIPCThread::Run() /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:103:76
    #6 0x7ff8503529dd in mozilla::SyncRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/SyncRunnable.h:112:16
    #7 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #8 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #9 0x7ff85115a100 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:334:20
    #10 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #11 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #12 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #13 0x7ff8502c262e in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:423:11
    #14 0x7ff86c84cd7e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:216:5
    #15 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T460 (Cameras IPC) created by T253 (MediaManager) here:
    #0 0x4ac5bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7ff86c849acf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:457:14
    #2 0x7ff86c8496be in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:548:12
    #3 0x7ff8502c43f3 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:594:8
    #4 0x7ff8502ccbd1 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:357:22
    #5 0x7ff8502e0dfb in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:134:45
    #6 0x7ff8564c8fd3 in NS_NewNamedThread<12> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:72:10
    #7 0x7ff8564c8fd3 in mozilla::camera::GetCamerasChild() /builds/worker/workspace/build/src/dom/media/systemservices/CamerasChild.cpp:123
    #8 0x7ff856625a2e in GetChildAndCall<int (mozilla::camera::CamerasChild::*)(mozilla::DeviceChangeCallback *), mozilla::MediaEngineWebRTC *> /builds/worker/workspace/build/src/obj-firefox/dist/include/CamerasChild.h:135:25
    #9 0x7ff856625a2e in mozilla::MediaEngineWebRTC::MediaEngineWebRTC(mozilla::MediaEnginePrefs&) /builds/worker/workspace/build/src/dom/media/webrtc/MediaEngineWebRTC.cpp:123
    #10 0x7ff855ff1515 in mozilla::MediaManager::GetBackend(unsigned long) /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:2909:20
    #11 0x7ff856044a55 in operator() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1721:30
    #12 0x7ff856044a55 in mozilla::media::LambdaTask<mozilla::MediaManager::EnumerateRawDevices(unsigned long, mozilla::dom::MediaSourceEnum, mozilla::dom::MediaSourceEnum, bool)::$_1>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/media/MediaTaskUtils.h:37
    #13 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #14 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #15 0x7ff85115a295 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #16 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #17 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #18 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #19 0x7ff8510cbdaf in base::Thread::ThreadMain() /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #20 0x7ff8510bd81c in ThreadFunc(void*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #21 0x7ff86fe456b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T253 (MediaManager) created by T0 (file:// Content) here:
    #0 0x4ac5bd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7ff8510bb16f in CreateThread /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7ff8510bb16f in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:146
    #3 0x7ff8510cb74f in base::Thread::StartWithOptions(base::Thread::Options const&) /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #4 0x7ff855fe10a8 in mozilla::MediaManager::Get() /builds/worker/workspace/build/src/dom/media/MediaManager.cpp:1865:36
    #5 0x7ff855f03865 in mozilla::dom::MediaDevices::AddEventListener(nsTSubstring<char16_t> const&, mozilla::dom::EventListener*, mozilla::dom::AddEventListenerOptionsOrBoolean const&, mozilla::dom::Nullable<bool> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/media/MediaDevices.cpp:299:3
    #6 0x7ff854f1ab04 in mozilla::dom::EventTargetBinding::addEventListener(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:850:9
    #7 0x7ff854f19a36 in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventTargetBinding.cpp:1150:13
    #8 0x7ff85bf89ae1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #9 0x7ff85bf89ae1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #10 0x7ff85bf6fb48 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #11 0x7ff85bf6fb48 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #12 0x7ff85bf5c2b0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #13 0x7ff85bf8c9b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #14 0x7ff85bfe0c3a in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:323:12
    #15 0x7ff85bfe0153 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:416:12
    #16 0x238cd5d98af5  (<unknown module>)
    #17 0x6210001ae9f7  (<unknown module>)
    #18 0x238cd5d98ce1  (<unknown module>)
    #19 0x621000203e87  (<unknown module>)
    #20 0x238cd5d314e7  (<unknown module>)
    #21 0x7ff85c202e4b in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:149:9
    #22 0x7ff85c202e4b in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:226
    #23 0x7ff85bf7d984 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2049:28
    #24 0x7ff85bf5c2b0 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #25 0x7ff85bf8c9b1 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #26 0x7ff85bf8d14f in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:738:12
    #27 0x7ff85ca97ee6 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #28 0x7ff8535c5686 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:266:8
    #29 0x7ff8574052f9 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2285:25
    #30 0x7ff857400729 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1927:10
    #31 0x7ff8573e2f6a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1625:10
    #32 0x7ff8573deee7 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #33 0x7ff8523b40e6 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:226:18
    #34 0x7ff8523b40e6 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:735
    #35 0x7ff8523ad38d in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:539:7
    #36 0x7ff8523b9f9f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
    #37 0x7ff8502a0f44 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #38 0x7ff8502c781e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #39 0x7ff8502e35a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #40 0x7ff851158e9a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #41 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7ff857590e5a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #45 0x7ff85bca778b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #46 0x7ff8510ac839 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #47 0x7ff8510ac839 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #48 0x7ff8510ac839 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #49 0x7ff85bca717d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #50 0x4f2e8c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #51 0x4f2e8c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #52 0x7ff86ede782f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:181:33 in Id
Shadow bytes around the buggy address:
  0x0c268002e1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e1f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c268002e210: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c268002e240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c268002e260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3314==ABORTING

Comment 2

[Daniel Veditz [:dveditz]]

(In reply to Jason Kratzer [:jkratzer] from comment #1)
> During reduction, the original testcase was also found to produce the
> following use-after-free signature:

This looks like something completely different. was it the exact same attached testcase, or some intermediate stage we no longer have? I think comment 1 should be filed as a separate bug if you have a testcase for it.

Comment 3

[Jason Kratzer [:jkratzer]]

(In reply to Daniel Veditz [:dveditz] from comment #2)
> (In reply to Jason Kratzer [:jkratzer] from comment #1)
> > During reduction, the original testcase was also found to produce the
> > following use-after-free signature:
> 
> This looks like something completely different. was it the exact same
> attached testcase, or some intermediate stage we no longer have? I think
> comment 1 should be filed as a separate bug if you have a testcase for it.

It appears to be some intermediate stage that was lost.  I'm still trying to isolate the use-after-free but reduction is incredibly slow due to the intermittent nature of the bug.  I will update bug 1426129 once a reliable testcase has been found.

Comment 4

[Milan Sreckovic [:milan] (needinfo for best results)]

I'm assuming we can ignore comment 1, as it's being handled in bug 1426129, although I can't verify that's the case (can't see bug 1426129.)

Comment 5

[Nicolas Silva [:nical]]

This is crashing in a software gl implementation (swrast) under the GL compositor, which is not a configuration we ship. Looking at the test case, the window seem to be unreasonably big, so we should probably put a limit on that.

Comment 6

[Nicolas Silva [:nical]]

Attachment: Limit the compositor size to the default maximum texture size.

Comment 7

[Bas Schouten (:bas.schouten)]

Comment on attachment 8943261 [details] [diff] [review]
Limit the compositor size to the default maximum texture size.

Review of attachment 8943261 [details] [diff] [review]:
-----------------------------------------------------------------

::: gfx/layers/ipc/CompositorBridgeParent.cpp
@@ +1488,5 @@
> +    // unreasonably big surfaces and then fail in awful ways.
> +    // Let's at least limit this to the default max texture size we use for content,
> +    // anything larger than that will fail to render on the content side anyway.
> +    // If need be we can revisit this value and make it even tighter if need be.
> +    const auto max_fb_size = 32767;

Please do not use auto here.

@@ +1489,5 @@
> +    // Let's at least limit this to the default max texture size we use for content,
> +    // anything larger than that will fail to render on the content side anyway.
> +    // If need be we can revisit this value and make it even tighter if need be.
> +    const auto max_fb_size = 32767;
> +    const auto size = mWidget->GetClientSize();

Or here.

Comment 8

[Nicolas Silva [:nical]]

Attachment: Updated patch, carrying r=Bas

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

not easily, would already need the privileges to create a very large window (maybe an extension could?), and we don't ship the configuration in which this bug can happen anyway.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

None, since the bug is really in the user's software gl emulation and we don't ship enable GL compositing by default if there isn't a proper gpu-backend gl driver.

If not all supported branches, which bug introduced the flaw?

None.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

No need to backport.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely.

Comment 9

[Al Billings [:abillings - ex-MoCo]]

Comment on attachment 8943592 [details] [diff] [review]
Updated patch, carrying r=Bas

sec-approval+

Comment 10

[Nicolas Silva [:nical]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/28a267774e17dec9606813cac2610d5e52d0fb69

Comment 11

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/28a267774e17

Comment 12

[Jason Kratzer [:jkratzer]]

This still appears to crash on m-c rev 5201997e7e01 (20180201).

Comment 13

[Nicolas Silva [:nical]]

Is it still an invalid pointer read or an assertion somewhere? Is it with the same test case?

Comment 14

[Jason Kratzer [:jkratzer]]

(In reply to Nicolas Silva [:nical] from comment #13)
> Is it still an invalid pointer read or an assertion somewhere? Is it with
> the same test case?

Yes.  It still triggers an invalid pointer using the same testcase.

Comment 15

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/mozilla-central/rev/246493ebf862

Comment 16

[Randell Jesup [:jesup] (needinfo me)]

Where was this patch reviewed/landed on inbound?

Comment 17

[Paul Adenot (:padenot)]

(In reply to Randell Jesup [:jesup] from comment #16)
> Where was this patch reviewed/landed on inbound?

What do you mean? This is nical and Bas' bug, I'm merely here because there is a test cases that can repro a crash that I picked up from pehrsons, bug 1422820.

Comment 18

[Jason Kratzer [:jkratzer]]

I'm still seeing this issue as recent as m-c c4d818c13868.

Comment 19

[Paul Adenot (:padenot)]

(In reply to Paul Adenot (:padenot) from comment #17)
> (In reply to Randell Jesup [:jesup] from comment #16)
> > Where was this patch reviewed/landed on inbound?
> 
> What do you mean? This is nical and Bas' bug, I'm merely here because there
> is a test cases that can repro a crash that I picked up from pehrsons, bug
> 1422820.

I meant but 1426129 here, sorry about that.

Comment 20

[Frederik Braun [:freddy]]

Nical, this security bug has a testcase, that still reproduces despite your original patch - yet it has not progressed in the last month.
What's the status?

Comment 21

[Nicolas Silva [:nical]]

Nothing new on this front. This is a fair bit down my priority list at the moment because as far as I can tell it is reproducible in a testing configuration but not in a configuration that ships to users.
Don't hesitate to let me and/or Milan know if you think this should be higher priority.

Comment 22

[David Bolter [:davidb] (NeedInfo me for attention)]

Comment 21 makes me think this bug shouldn't contribute to our sec risk index. DVeditz if you agree, how should we mark this bug?

Comment 23

[Randell Jesup [:jesup] (needinfo me)]

sec-other?

Comment 24

[Daniel Veditz [:dveditz]]

Should we WONTFIX it then? Re-resolve as fixed for the bit that did get checked in?