Open Bug 1438444 Opened 7 years ago Updated 2 years ago

All tabs crash immediately when Firefox is compiled with -O3 & gcc 7

Categories

(Firefox Build System :: General, defect)

59 Branch

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: robsmith11, Unassigned)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:59.0) Gecko/20100101 Firefox/59.0
Build ID: 20180215053150

Steps to reproduce:

Compile and run firefox 59b09 with gcc 7.1.1 using "--enable-optimize=-march=native -O3".

Actual results:

All tabs crash when I try to load a webpage.

Expected results:

Not crash.

Crash report: https://crash-stats.mozilla.com/report/index/f5cf0f3d-7f36-4775-8c66-984d50180215

Backtrace with debug symbols:

Thread 1 "firefox-beta" received signal SIGSEGV, Segmentation fault.
0x00007fffeb90b5b8 in nsDocShellTreeOwner::~nsDocShellTreeOwner() () from /usr/lib/firefox-beta/libxul.so
(gdb) bt full
#0 0x00007fffeb90b5b8 in nsDocShellTreeOwner::~nsDocShellTreeOwner() () at /usr/lib/firefox-beta/libxul.so
#1 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() () at /usr/lib/firefox-beta/libxul.so
#2 0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) () at /usr/lib/firefox-beta/libxul.so
#3 0x00007fffeb90b446 in nsDocShellTreeOwner::RemoveChromeListeners() () at /usr/lib/firefox-beta/libxul.so
#4 0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() () at /usr/lib/firefox-beta/libxul.so
#5 0x00007fffeb90b670 in nsDocShellTreeOwner::~nsDocShellTreeOwner() () at /usr/lib/firefox-beta/libxul.so
#6 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() () at /usr/lib/firefox-beta/libxul.so
#7 0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) () at /usr/lib/firefox-beta/libxul.so
#8 0x00007fffeb90b4aa in nsDocShellTreeOwner::RemoveChromeListeners() () at /usr/lib/firefox-beta/libxul.so
#9 0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() () at /usr/lib/firefox-beta/libxul.so
#10 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() () at /usr/lib/firefox-beta/libxul.so
#11 0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) () at /usr/lib/firefox-beta/libxul.so
#12 0x00007fffeb90b446 in nsDocShellTreeOwner::RemoveChromeListeners() () at /usr/lib/firefox-beta/libxul.so
#13 0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() () at /usr/lib/firefox-beta/libxul.so
#14 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() () at /usr/lib/firefox-beta/libxul.so
#15 0x00007fffea4eaf1d in mozilla::EventListenerManager::AddEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) () at /usr/lib/firefox-beta/libxul.so
#16 0x00007fffeb90af0b in non-virtual thunk to nsDocShellTreeOwner::OnProgressChange(nsIWebProgress*, nsIRequest*, int, int, int, int) () at /usr/lib/firefox-beta/libxul.so
#17 0x00007fffe96317f2 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) () at /usr/lib/firefox-beta/libxul.so
#18 0x00007fffe9631a44 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) () at /usr/lib/firefox-beta/libxul.so
#19 0x00007fffe9634ba3 in nsDocLoader::OnProgress(nsIRequest*, nsISupports*, long, long) () at /usr/lib/firefox-beta/libxul.so
#20 0x00007fffe95c3a97 in nsJARChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) () at /usr/lib/firefox-beta/libxul.so
#21 0x00007fffe9016aec in nsInputStreamPump::OnStateTransfer() () at /usr/lib/firefox-beta/libxul.so
#22 0x00007fffe9016f28 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) () at /usr/lib/firefox-beta/libxul.so
#23 0x00007fffe8f44bec in nsInputStreamReadyEvent::Run() () at /usr/lib/firefox-beta/libxul.so
#24 0x00007fffe8f7348e in nsThread::ProcessNextEvent(bool, bool*) () at /usr/lib/firefox-beta/libxul.so
#25 0x00007fffe8f7cd28 in NS_ProcessNextEvent(nsIThread*, bool) () at /usr/lib/firefox-beta/libxul.so
#26 0x00007fffe926892a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) () at /usr/lib/firefox-beta/libxul.so
#27 0x00007fffe92428a5 in MessageLoop::Run() () at /usr/lib/firefox-beta/libxul.so
#28 0x00007fffead4be68 in nsBaseAppShell::Run() () at /usr/lib/firefox-beta/libxul.so
#29 0x00007fffebaed25e in nsAppStartup::Run() () at /usr/lib/firefox-beta/libxul.so
#30 0x00007fffebbc5c0c in XREMain::XRE_mainRun() () at /usr/lib/firefox-beta/libxul.so
#31 0x00007fffebbc6bbf in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) () at /usr/lib/firefox-beta/libxul.so
#32 0x00007fffebbc6f3b in XRE_main(int, char**, mozilla::BootstrapConfig const&) () at /usr/lib/firefox-beta/libxul.so
#33 0x00005555555594c0 in ()
#34 0x0000555555558daa in ()
#35 0x00007ffff7081f4a in __libc_start_main () at /usr/lib/libc.so.6
#36 0x0000555555558f1a in _start ()

Disassembly:

(gdb) disassemble
Dump of assembler code for function _ZN19nsDocShellTreeOwnerD2Ev:
   0x00007fffeb90b560 <+0>: push %rbp
   0x00007fffeb90b561 <+1>: lea 0x2294c90(%rip),%rax # 0x7fffedba01f8 <_ZTV19nsDocShellTreeOwner+16>
   0x00007fffeb90b568 <+8>: push %rbx
   0x00007fffeb90b569 <+9>: mov %rdi,%rbx
   0x00007fffeb90b56c <+12>: sub $0x8,%rsp
   0x00007fffeb90b570 <+16>: mov %rax,(%rdi)
   0x00007fffeb90b573 <+19>: add $0x1d8,%rax
   0x00007fffeb90b579 <+25>: mov %rax,0x8(%rdi)
   0x00007fffeb90b57d <+29>: add $0xf8,%rax
   0x00007fffeb90b583 <+35>: mov %rax,0x10(%rdi)
   0x00007fffeb90b587 <+39>: add $0x30,%rax
   0x00007fffeb90b58b <+43>: mov %rax,0x18(%rdi)
   0x00007fffeb90b58f <+47>: add $0x50,%rax
   0x00007fffeb90b593 <+51>: mov %rax,0x20(%rdi)
   0x00007fffeb90b597 <+55>: add $0x30,%rax
   0x00007fffeb90b59b <+59>: mov %rax,0x28(%rdi)
   0x00007fffeb90b59f <+63>: add $0x28,%rax
   0x00007fffeb90b5a3 <+67>: mov %rax,0x30(%rdi)
   0x00007fffeb90b5a7 <+71>: callq 0x7fffeb90b300 <_ZN19nsDocShellTreeOwner21RemoveChromeListenersEv>
   0x00007fffeb90b5ac <+76>: mov 0xa0(%rbx),%rdi
   0x00007fffeb90b5b3 <+83>: test %rdi,%rdi
   0x00007fffeb90b5b6 <+86>: je 0x7fffeb90b5be <_ZN19nsDocShellTreeOwnerD2Ev+94>
=> 0x00007fffeb90b5b8 <+88>: mov (%rdi),%rax
   0x00007fffeb90b5bb <+91>: callq *0x10(%rax)
   0x00007fffeb90b5be <+94>: mov 0x98(%rbx),%rdi
   0x00007fffeb90b5c5 <+101>: test %rdi,%rdi
   0x00007fffeb90b5c8 <+104>: je 0x7fffeb90b5d0 <_ZN19nsDocShellTreeOwnerD2Ev+112>
   0x00007fffeb90b5ca <+106>: mov (%rdi),%rax
   0x00007fffeb90b5cd <+109>: callq *0x10(%rax)
   0x00007fffeb90b5d0 <+112>: mov 0x90(%rbx),%rdi
   0x00007fffeb90b5d7 <+119>: test %rdi,%rdi
   0x00007fffeb90b5da <+122>: je 0x7fffeb90b5e2 <_ZN19nsDocShellTreeOwnerD2Ev+130>
   0x00007fffeb90b5dc <+124>: mov (%rdi),%rax
   0x00007fffeb90b5df <+127>: callq *0x10(%rax)
   0x00007fffeb90b5e2 <+130>: mov 0x88(%rbx),%rbp
   0x00007fffeb90b5e9 <+137>: test %rbp,%rbp
   0x00007fffeb90b5ec <+140>: je 0x7fffeb90b5fc <_ZN19nsDocShellTreeOwnerD2Ev+156>
   0x00007fffeb90b5ee <+142>: mov 0x40(%rbp),%rax
   0x00007fffeb90b5f2 <+146>: sub $0x1,%rax
   0x00007fffeb90b5f6 <+150>: je 0x7fffeb90b660 <_ZN19nsDocShellTreeOwnerD2Ev+256>
   0x00007fffeb90b5f8 <+152>: mov %rax,0x40(%rbp)
   0x00007fffeb90b5fc <+156>: mov 0x80(%rbx),%rbp
   0x00007fffeb90b603 <+163>: test %rbp,%rbp
   0x00007fffeb90b606 <+166>: je 0x7fffeb90b616 <_ZN19nsDocShellTreeOwnerD2Ev+182>
   0x00007fffeb90b608 <+168>: mov 0x8(%rbp),%rax
   0x00007fffeb90b60c <+172>: sub $0x1,%rax
   0x00007fffeb90b610 <+176>: je 0x7fffeb90b640 <_ZN19nsDocShellTreeOwnerD2Ev+224>
   0x00007fffeb90b612 <+178>: mov %rax,0x8(%rbp)
   0x00007fffeb90b616 <+182>: mov 0x78(%rbx),%rdi
   0x00007fffeb90b61a <+186>: test %rdi,%rdi
   0x00007fffeb90b61d <+189>: je 0x7fffeb90b625 <_ZN19nsDocShellTreeOwnerD2Ev+197>
   0x00007fffeb90b61f <+191>: mov (%rdi),%rax
   0x00007fffeb90b622 <+194>: callq *0x10(%rax)
   0x00007fffeb90b625 <+197>: lea 0x231214c(%rip),%rax # 0x7fffedc1d778 <_ZTV23nsSupportsWeakReference+16>
   0x00007fffeb90b62c <+204>: lea 0x30(%rbx),%rdi
   0x00007fffeb90b630 <+208>: mov %rax,0x30(%rbx)
   0x00007fffeb90b634 <+212>: add $0x8,%rsp
   0x00007fffeb90b638 <+216>: pop %rbx
   0x00007fffeb90b639 <+217>: pop %rbp
   0x00007fffeb90b63a <+218>: jmpq 0x7fffe8f10250 <_ZN23nsSupportsWeakReference19ClearWeakReferencesEv>
   0x00007fffeb90b63f <+223>: nop
   0x00007fffeb90b640 <+224>: mov %rbp,%rdi
   0x00007fffeb90b643 <+227>: movq $0x1,0x8(%rbp)
   0x00007fffeb90b64b <+235>: callq 0x7fffeb8de4c0 <_ZN21ChromeTooltipListenerD2Ev>
   0x00007fffeb90b650 <+240>: mov %rbp,%rdi
   0x00007fffeb90b653 <+243>: callq *0x241cb4f(%rip) # 0x7fffedd281a8
   0x00007fffeb90b659 <+249>: jmp 0x7fffeb90b616 <_ZN19nsDocShellTreeOwnerD2Ev+182>
   0x00007fffeb90b65b <+251>: nopl 0x0(%rax,%rax,1)
   0x00007fffeb90b660 <+256>: mov %rbp,%rdi
   0x00007fffeb90b663 <+259>: movq $0x1,0x40(%rbp)
   0x00007fffeb90b66b <+267>: callq 0x7fffeb90b560 <_ZN19nsDocShellTreeOwnerD2Ev>
   0x00007fffeb90b670 <+272>: mov %rbp,%rdi
   0x00007fffeb90b673 <+275>: callq *0x241cb2f(%rip) # 0x7fffedd281a8
   0x00007fffeb90b679 <+281>: jmp 0x7fffeb90b5fc <_ZN19nsDocShellTreeOwnerD2Ev+156>

(gdb) info registers
rax 0x0 0
rbx 0x7fffbf8fc920 140736407259424
rcx 0x0 0
rdx 0x2b 43
rsi 0x0 0
rdi 0xe5e5e5e5e5e5e5e5 -1880844493789993499
rbp 0x7fffbf776790 0x7fffbf776790
rsp 0x7fffffffccc0 0x7fffffffccc0
r8 0x0 0
r9 0x0 0
r10 0x7fffcbd012c8 140736612799176
r11 0x0 0
r12 0x7fffffffcd60 140737488342368
r13 0x7fffffffcd4f 140737488342351
r14 0x7fffffffcd4f 140737488342351
r15 0x7fffbf8fc941 140736407259457
rip 0x7fffeb90b5b8 0x7fffeb90b5b8 <nsDocShellTreeOwner::~nsDocShellTreeOwner()+88>
eflags 0x10282 [ SF IF RF ]
cs 0x33 51
ss 0x2b 43
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0

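
A triage sketch for the gdb output in the comments above, added here as an example and not part of the bug thread or of Mozilla's tooling. It flags a destructor that is entered again through Release() while it is still on the stack, and registers filled with mozjemalloc's freed-memory byte 0xe5. The sample text is abridged from the comments (argument lists and library paths dropped); the function names and the same-class heuristic are assumptions of this example.

```python
import re

# Fill bytes used by Firefox's allocator (mozjemalloc): freed memory is
# overwritten with 0xe5, fresh allocations with 0xe4.
POISON_BYTES = {0xE5: "freed (poisoned) heap memory",
                0xE4: "uninitialised heap memory"}

FRAME_RE = re.compile(r"#(\d+)\s+0x[0-9a-f]+ in ([^(]+)\(")
REG_RE = re.compile(r"^\s*(\w+)\s+(0x[0-9a-f]+)", re.M)

# Constructed sample: frames #0-#15 of the backtrace above, abridged.
BACKTRACE = """\
#0  0x00007fffeb90b5b8 in nsDocShellTreeOwner::~nsDocShellTreeOwner() ()
#1  0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() ()
#2  0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType() ()
#3  0x00007fffeb90b446 in nsDocShellTreeOwner::RemoveChromeListeners() ()
#4  0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() ()
#5  0x00007fffeb90b670 in nsDocShellTreeOwner::~nsDocShellTreeOwner() ()
#6  0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() ()
#7  0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType() ()
#8  0x00007fffeb90b4aa in nsDocShellTreeOwner::RemoveChromeListeners() ()
#9  0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() ()
#10 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() ()
#11 0x00007fffea4ec306 in mozilla::EventListenerManager::RemoveEventListenerByType() ()
#12 0x00007fffeb90b446 in nsDocShellTreeOwner::RemoveChromeListeners() ()
#13 0x00007fffeb90b5ac in nsDocShellTreeOwner::~nsDocShellTreeOwner() ()
#14 0x00007fffeb90b6f5 in non-virtual thunk to nsDocShellTreeOwner::Release() ()
#15 0x00007fffea4eaf1d in mozilla::EventListenerManager::AddEventListenerByType() ()
"""

# Constructed sample: four of the registers from the dump above.
REGISTERS = """\
rax 0x0 0
rbx 0x7fffbf8fc920 140736407259424
rdi 0xe5e5e5e5e5e5e5e5 -1880844493789993499
rip 0x7fffeb90b5b8 0x7fffeb90b5b8 <nsDocShellTreeOwner::~nsDocShellTreeOwner()+88>
"""

# The instruction gdb marked with "=>" in the disassembly above.
FAULT_INSN = "=> 0x00007fffeb90b5b8 <+88>: mov (%rdi),%rax"


def parse_frames(backtrace):
    """Return [(frame number, function name)] from gdb 'bt' output."""
    return [(int(num), name.strip().replace("non-virtual thunk to ", ""))
            for num, name in FRAME_RE.findall(backtrace)]


def reentrant_destructors(frames):
    """Heuristic: ~C is on the stack and C::Release() above it runs ~C again.

    Returns (inner frame, outer frame) pairs. Matching is by class name only,
    so a hit says "look here", not "same object".
    """
    dtors = [(i, n.rpartition("::")[0]) for i, n in frames
             if n.rpartition("::")[2].startswith("~")]
    hits = []
    for pos, (inner, cls) in enumerate(dtors):
        outer = next((i for i, c in dtors[pos + 1:] if c == cls), None)
        if outer is None:
            continue
        between = {n for i, n in frames if inner < i < outer}
        if f"{cls}::Release" in between:
            hits.append((inner, outer))
    return hits


def poisoned_registers(registers):
    """Map register name -> meaning for values made of one allocator fill byte."""
    found = {}
    for name, value in REG_RE.findall(registers):
        number = int(value, 16)
        if number >= 1 << 64:
            continue
        raw = number.to_bytes(8, "big")
        if len(set(raw)) == 1 and raw[0] in POISON_BYTES:
            found[name] = POISON_BYTES[raw[0]]
    return found


def dereferenced_registers(insn):
    """Registers inside AT&T memory operands: 'mov (%rdi),%rax' -> ['rdi']."""
    regs = []
    for operand in re.findall(r"\(([^)]*)\)", insn):
        regs += re.findall(r"%(\w+)", operand)
    return regs


def triage(backtrace, registers, insn):
    poisoned = poisoned_registers(registers)
    return {
        "reentries": reentrant_destructors(parse_frames(backtrace)),
        "poisoned": poisoned,
        "faulting_poisoned": [r for r in dereferenced_registers(insn) if r in poisoned],
    }


if __name__ == "__main__":
    print(triage(BACKTRACE, REGISTERS, FAULT_INSN))
```
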
Forgot to mention that it works fine if I use -O2 instead of -O3.
Component: Untriaged → Build Config
Product: Firefox → Core
Is this really a build config bug? I'm not a C++ developer, but it seems more like a use-after-free error that's simply exposed by a valid optimization flag.
(In reply to robsmith11 from comment #5)
> Is this really a build config bug?

Quite possibly, yes.

> I'm not a C++ developer, but it seems more like a use-after-free error
> that's simply exposed by a valid optimization flag.

Depends whether we've modified the browser to deal with any extra optimizations that GCC 7 turns on by default, especially at -O3; we compile our release builds with GCC 6 and we're not nearly so aggressive with the optimization level. Sylvestre, are there any special options that your bots running GCC 7 need?
Flags: needinfo?(sledru)
I've just updated my system. Same issue with gcc-7.3.0.
Nope, I am running the build in debug mode but not with -O3 option.
Flags: needinfo?(sledru)
Blocks: build-gcc-7
Summary: All tabs crash immediately when Firefox is compiled with -O3 → All tabs crash immediately when Firefox is compiled with -O3 & gcc 7
Product: Core → Firefox Build System
Not sure how relevant it is, but I just switched to clang 5.0 and firefox (60b3) works fine when built with "-march=native -O3".

FWIW: This can still be seen with GCC 7.4.0 on ESR 60. ASan is indeed complaining about an UAF:

==12142==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002169b0 at pc 0x7f1629ddb958 bp 0x7ffd3ae8e0c0 sp 0x7ffd3ae8e0b8
READ of size 8 at 0x60f0002169b0 thread T0
#0 0x7f1629ddb957 in nsCOMPtr_base::~nsCOMPtr_base() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:275
#1 0x7f1629ddb957 in nsCOMPtr<nsITabParent>::~nsCOMPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:325
#2 0x7f1629ddb957 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#3 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#4 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#5 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#6 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#7 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#8 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#9 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#10 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#11 0x7f1629ddb900 in nsDocShellTreeOwner::Release() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:104
#12 0x7f1629ddb900 in mozilla::RefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:39
#13 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::ConstRemovingRefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:345
#14 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::~RefPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:70
#15 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#16 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#17 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#18 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#19 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#20 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#21 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#22 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#23 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#24 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#25 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#26 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#27 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#28 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#29 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#30 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#31 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#32 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#33 0x7f16242a85d1 in mozilla::EventListenerManager::AddEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:656
#34 0x7f1629dd9939 in non-virtual thunk to nsDocShellTreeOwner::OnProgressChange(nsIWebProgress*, nsIRequest*, int, int, int, int) (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd89e939)
#35 0x7f161fd7837f in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1180
#36 0x7f161fd78a15 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1189
#37 0x7f161fd8371e in nsDocLoader::OnProgress(nsIRequest*, nsISupports*, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1060
#38 0x7f161fbae453 in nsJARChannel::FireOnProgress(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:356
#39 0x7f161fbae453 in nsJARChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:1024
#40 0x7f161e18685f in nsInputStreamPump::OnStateTransfer() /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:553
#41 0x7f161e18776e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:398
#42 0x7f161de08ae5 in nsOutputStreamReadyEvent::Run() /var/tmp/build/firefox-9eee95b2c3c2/xpcom/io/nsStreamUtils.cpp:173
#43 0x7f161dedecb0 in nsThread::ProcessNextEvent(bool, bool*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThread.cpp:975
#44 0x7f161df08088 in NS_ProcessNextEvent(nsIThread*, bool) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThreadUtils.cpp:455
#45 0x7f1629e77364 in SpinEventLoopUntil<> /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:311
#46 0x7f1629e77364 in nsXULWindow::ShowModal() /var/tmp/build/firefox-9eee95b2c3c2/xpfe/appshell/nsXULWindow.cpp:352
#47 0x7f162aa6d25e in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1231
#48 0x7f162aa6f80a in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/components/windowwatcher/nsWindowWatcher.cpp:324
#49 0x7f161df35e21 (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0x19fae21)
#50 0x7f161fb5a558 in CallMethodHelper::Invoke() /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1801
#51 0x7f161fb5a558 in CallMethodHelper::Call() /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1173
#52 0x7f161fb5a558 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1145
#53 0x7f161fb75de3 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:793
#54 0x7f162aea3599 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#55 0x7f162aea3599 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:435
#56 0x7f162aea48da in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#57 0x7f162ae43998 in js::CallFromStack(JSContext*, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:488
#58 0x7f162ae43998 in Interpret /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:2873
#59 0x7f162aea213f in js::RunScript(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:385
#60 0x7f162aea3c16 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:457
#61 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#62 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#63 0x7f162be09284 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jsapi.cpp:2549
#64 0x7f161fb6c403 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedJSClass.cpp:1157
#65 0x7f161df371ee in PrepareAndDispatch /var/tmp/build/firefox-9eee95b2c3c2/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120
#66 0x7f161df363dc in SharedStub (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0x19fb3dc)
#67 0x7f161de61f1c in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/components/nsCategoryManager.cpp:713
#68 0x7f162ab6da10 in nsXREDirProvider::DoStartup() /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsXREDirProvider.cpp:941
#69 0x7f162ab5c222 in XREMain::XRE_mainRun() /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:4985
#70 0x7f162ab6203e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:5288
#71 0x7f162ab63fb7 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:5373
#72 0x5571554d06b9 in do_main /var/tmp/build/firefox-9eee95b2c3c2/browser/app/nsBrowserApp.cpp:212
#73 0x5571554cee20 in main /var/tmp/build/firefox-9eee95b2c3c2/browser/app/nsBrowserApp.cpp:282
#74 0x7f1636b2b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#75 0x5571554cf708 (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/firefox.real+0xa708)

0x60f0002169b0 is located 160 bytes inside of 168-byte region [0x60f000216910,0x60f0002169b8)
freed by thread T0 here:
#0 0x7f16371125f8 in free (TorBrowser/Tor/libasan.so.4+0xdc5f8)
#1 0x7f1629ddbca3 in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0ca3)
#2 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#3 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#4 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#5 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#6 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#7 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#8 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#9 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#10 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#11 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#12 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#13 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#14 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#15 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#16 0x7f1629ddb900 in nsDocShellTreeOwner::Release() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:104
#17 0x7f1629ddb900 in mozilla::RefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:39
#18 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::ConstRemovingRefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:345
#19 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::~RefPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:70
#20 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#21 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#22 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#23 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#24 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#25 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#26 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#27 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#28 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#29 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#30 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#31 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#32 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#33 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#34 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#35 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#36 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#37 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#38 0x7f16242a85d1 in mozilla::EventListenerManager::AddEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:656
#39 0x7f1629dd9939 in non-virtual thunk to nsDocShellTreeOwner::OnProgressChange(nsIWebProgress*, nsIRequest*, int, int, int, int) (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd89e939)
#40 0x7f161fd7837f in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1180
#41 0x7f161fd78a15 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1189
#42 0x7f161fd8371e in nsDocLoader::OnProgress(nsIRequest*, nsISupports*, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1060
#43 0x7f161fbae453 in nsJARChannel::FireOnProgress(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:356
#44 0x7f161fbae453 in nsJARChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:1024
#45 0x7f161e18685f in nsInputStreamPump::OnStateTransfer() /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:553
#46 0x7f161e18776e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:398
#47 0x7f161de08ae5 in nsOutputStreamReadyEvent::Run() /var/tmp/build/firefox-9eee95b2c3c2/xpcom/io/nsStreamUtils.cpp:173
#48 0x7f161dedecb0 in nsThread::ProcessNextEvent(bool, bool*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThread.cpp:975
#49 0x7f161df08088 in NS_ProcessNextEvent(nsIThread*, bool) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThreadUtils.cpp:455

previously allocated by thread T0 here:
#0 0x7f1637112950 in __interceptor_malloc (TorBrowser/Tor/libasan.so.4+0xdc950)
#1 0x5571554d0f08 in moz_xmalloc /var/tmp/build/firefox-9eee95b2c3c2/memory/mozalloc/mozalloc.cpp:68
#2 0x7f1629ddc17d in operator new(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/mozalloc.h:149
#3 0x7f1629ddc17d in nsDocShellTreeOwner::EnsureContentTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:236
#4 0x7f1629ddc17d in nsDocShellTreeOwner::ContentShellAdded(nsIDocShellTreeItem*, bool) /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:252
#5 0x7f162187d41a in nsFrameLoader::AddTreeItemToTreeOwner(nsIDocShellTreeItem*, nsIDocShellTreeOwner*, int, nsIDocShell*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:726
#6 0x7f16218b78f2 in nsFrameLoader::MaybeCreateDocShell() /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:2052
#7 0x7f16218bbb07 in nsFrameLoader::CheckForRecursiveLoad(nsIURI*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:2275
#8 0x7f16218bd2fe in nsFrameLoader::CheckURILoad(nsIURI*, nsIPrincipal*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:612
#9 0x7f16218bd2fe in nsFrameLoader::LoadURI(nsIURI*, nsIPrincipal*, bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:336
#10 0x7f16218bdf2d in nsFrameLoader::LoadFrame(bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:286
#11 0x7f1626302bfb in nsXULElement::LoadSrc() /var/tmp/build/firefox-9eee95b2c3c2/dom/xul/nsXULElement.cpp:1421
#12 0x7f1626305a75 in nsXULElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/xul/nsXULElement.cpp:731
#13 0x7f162188c712 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.cpp:1425
#14 0x7f1621880aba in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.cpp:2295
#15 0x7f162208af07 in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.h:1841
#16 0x7f162208af07 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.h:1844
#17 0x7f162208af07 in appendChild /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dom/bindings/NodeBinding.cpp:908
#18 0x7f16238bca0f in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/dom/bindings/BindingUtils.cpp:2810
#19 0x7f162aea3599 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#20 0x7f162aea3599 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:435
#21 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#22 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#23 0x7f162be91720 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Wrapper.cpp:158
#24 0x7f162be4aee1 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/CrossCompartmentWrapper.cpp:294
#25 0x7f162be663a1 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Proxy.cpp:432
#26 0x7f162be663a1 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Proxy.cpp:652
#27 0x7f162aea3e3e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#28 0x7f162aea3e3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:416
#29 0x7f162aea48da in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#30 0x7f162ae43998 in js::CallFromStack(JSContext*, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:488
#31 0x7f162ae43998 in Interpret /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:2873
#32 0x7f162aea213f in js::RunScript(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:385
#33 0x7f162aea3c16 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:457
#34 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#35 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#36 0x7f162bb9c99d in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/VMFunctions.cpp:847
#37 0x1f3a86525236 (<unknown module>)
#38 0x1f3a865244e7 (<unknown module>)
#39 0x7f162b65ac32 in EnterJit /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/Jit.cpp:96
#40 0x7f162b66ab30 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/Jit.cpp:155

SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:275 in nsCOMPtr_base::~nsCOMPtr_base()
Shadow bytes around the buggy address:
0x0c1e8003ace0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c1e8003acf0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1e8003ad00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad10: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c1e8003ad20: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e8003ad30: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
0x0c1e8003ad40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad50: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
0x0c1e8003ad60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad70: 00 00 00 04 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1e8003ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12142==ABORTING

Note: compiling with GCC 8.3.0 is fine. I've not bisected where this got "fixed" on GCC's side.

Severity: normal → S3