All tabs crash immediately when Firefox is compiled with -O3 & gcc 7
Categories
(Firefox Build System :: General, defect)
Tracking
(Not tracked)
People
(Reporter: robsmith11, Unassigned)
Comment 10•6 years ago
FWIW: This can still be seen with GCC 7.4.0 on ESR 60. ASan is indeed complaining about a UAF:
==12142==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002169b0 at pc 0x7f1629ddb958 bp 0x7ffd3ae8e0c0 sp 0x7ffd3ae8e0b8
READ of size 8 at 0x60f0002169b0 thread T0
#0 0x7f1629ddb957 in nsCOMPtr_base::~nsCOMPtr_base() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:275
#1 0x7f1629ddb957 in nsCOMPtr<nsITabParent>::~nsCOMPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:325
#2 0x7f1629ddb957 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#3 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#4 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#5 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#6 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#7 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#8 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#9 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#10 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#11 0x7f1629ddb900 in nsDocShellTreeOwner::Release() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:104
#12 0x7f1629ddb900 in mozilla::RefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:39
#13 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::ConstRemovingRefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:345
#14 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::~RefPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:70
#15 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#16 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#17 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#18 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#19 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#20 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#21 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#22 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#23 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#24 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#25 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#26 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#27 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#28 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#29 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#30 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#31 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#32 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#33 0x7f16242a85d1 in mozilla::EventListenerManager::AddEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:656
#34 0x7f1629dd9939 in non-virtual thunk to nsDocShellTreeOwner::OnProgressChange(nsIWebProgress*, nsIRequest*, int, int, int, int) (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd89e939)
#35 0x7f161fd7837f in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1180
#36 0x7f161fd78a15 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1189
#37 0x7f161fd8371e in nsDocLoader::OnProgress(nsIRequest*, nsISupports*, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1060
#38 0x7f161fbae453 in nsJARChannel::FireOnProgress(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:356
#39 0x7f161fbae453 in nsJARChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:1024
#40 0x7f161e18685f in nsInputStreamPump::OnStateTransfer() /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:553
#41 0x7f161e18776e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:398
#42 0x7f161de08ae5 in nsOutputStreamReadyEvent::Run() /var/tmp/build/firefox-9eee95b2c3c2/xpcom/io/nsStreamUtils.cpp:173
#43 0x7f161dedecb0 in nsThread::ProcessNextEvent(bool, bool*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThread.cpp:975
#44 0x7f161df08088 in NS_ProcessNextEvent(nsIThread*, bool) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThreadUtils.cpp:455
#45 0x7f1629e77364 in SpinEventLoopUntil<> /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsThreadUtils.h:311
#46 0x7f1629e77364 in nsXULWindow::ShowModal() /var/tmp/build/firefox-9eee95b2c3c2/xpfe/appshell/nsXULWindow.cpp:352
#47 0x7f162aa6d25e in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1231
#48 0x7f162aa6f80a in nsWindowWatcher::OpenWindow(mozIDOMWindowProxy*, char const*, char const*, char const*, nsISupports*, mozIDOMWindowProxy**) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/components/windowwatcher/nsWindowWatcher.cpp:324
#49 0x7f161df35e21 (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0x19fae21)
#50 0x7f161fb5a558 in CallMethodHelper::Invoke() /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1801
#51 0x7f161fb5a558 in CallMethodHelper::Call() /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1173
#52 0x7f161fb5a558 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNative.cpp:1145
#53 0x7f161fb75de3 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:793
#54 0x7f162aea3599 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#55 0x7f162aea3599 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:435
#56 0x7f162aea48da in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#57 0x7f162ae43998 in js::CallFromStack(JSContext*, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:488
#58 0x7f162ae43998 in Interpret /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:2873
#59 0x7f162aea213f in js::RunScript(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:385
#60 0x7f162aea3c16 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:457
#61 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#62 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#63 0x7f162be09284 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jsapi.cpp:2549
#64 0x7f161fb6c403 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /var/tmp/build/firefox-9eee95b2c3c2/js/xpconnect/src/XPCWrappedJSClass.cpp:1157
#65 0x7f161df371ee in PrepareAndDispatch /var/tmp/build/firefox-9eee95b2c3c2/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120
#66 0x7f161df363dc in SharedStub (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0x19fb3dc)
#67 0x7f161de61f1c in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/components/nsCategoryManager.cpp:713
#68 0x7f162ab6da10 in nsXREDirProvider::DoStartup() /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsXREDirProvider.cpp:941
#69 0x7f162ab5c222 in XREMain::XRE_mainRun() /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:4985
#70 0x7f162ab6203e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:5288
#71 0x7f162ab63fb7 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /var/tmp/build/firefox-9eee95b2c3c2/toolkit/xre/nsAppRunner.cpp:5373
#72 0x5571554d06b9 in do_main /var/tmp/build/firefox-9eee95b2c3c2/browser/app/nsBrowserApp.cpp:212
#73 0x5571554cee20 in main /var/tmp/build/firefox-9eee95b2c3c2/browser/app/nsBrowserApp.cpp:282
#74 0x7f1636b2b09a in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
#75 0x5571554cf708 (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/firefox.real+0xa708)
0x60f0002169b0 is located 160 bytes inside of 168-byte region [0x60f000216910,0x60f0002169b8)
freed by thread T0 here:
#0 0x7f16371125f8 in free (TorBrowser/Tor/libasan.so.4+0xdc5f8)
#1 0x7f1629ddbca3 in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0ca3)
#2 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#3 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#4 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#5 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#6 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#7 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#8 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#9 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#10 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#11 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#12 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#13 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#14 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#15 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#16 0x7f1629ddb900 in nsDocShellTreeOwner::Release() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:104
#17 0x7f1629ddb900 in mozilla::RefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:39
#18 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::ConstRemovingRefPtrTraits<nsDocShellTreeOwner>::Release(nsDocShellTreeOwner*) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:345
#19 0x7f1629ddb900 in RefPtr<nsDocShellTreeOwner>::~RefPtr() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/RefPtr.h:70
#20 0x7f1629ddb900 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#21 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#22 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#23 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#24 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#25 0x7f1629ddb26d in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#26 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:836
#27 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#28 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#29 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#30 0x7f16242b13a1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#31 0x7f16242b13a1 in mozilla::EventListenerManager::RemoveEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:667
#32 0x7f1629ddb08f in mozilla::EventListenerManager::RemoveEventListenerByType(nsIDOMEventListener*, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/EventListenerManager.h:294
#33 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:834
#34 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:101
#35 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd8a0c9b)
#36 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::UnlinkSelf() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:482
#37 0x7f16242a85d1 in mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>::~CallbackObjectHolder() /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/dom/CallbackObject.h:370
#38 0x7f16242a85d1 in mozilla::EventListenerManager::AddEventListenerByType(mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener>, nsTSubstring<char16_t> const&, mozilla::EventListenerFlags const&) /var/tmp/build/firefox-9eee95b2c3c2/dom/events/EventListenerManager.cpp:656
#39 0x7f1629dd9939 in non-virtual thunk to nsDocShellTreeOwner::OnProgressChange(nsIWebProgress*, nsIRequest*, int, int, int, int) (/home/thomas/Arbeit/Tor/debugging/25930/tor-browser_en-US/Browser/libxul.so+0xd89e939)
#40 0x7f161fd7837f in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1180
#41 0x7f161fd78a15 in nsDocLoader::FireOnProgressChange(nsDocLoader*, nsIRequest*, long, long, long, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1189
#42 0x7f161fd8371e in nsDocLoader::OnProgress(nsIRequest*, nsISupports*, long, long) /var/tmp/build/firefox-9eee95b2c3c2/uriloader/base/nsDocLoader.cpp:1060
#43 0x7f161fbae453 in nsJARChannel::FireOnProgress(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:356
#44 0x7f161fbae453 in nsJARChannel::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /var/tmp/build/firefox-9eee95b2c3c2/modules/libjar/nsJARChannel.cpp:1024
#45 0x7f161e18685f in nsInputStreamPump::OnStateTransfer() /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:553
#46 0x7f161e18776e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /var/tmp/build/firefox-9eee95b2c3c2/netwerk/base/nsInputStreamPump.cpp:398
#47 0x7f161de08ae5 in nsOutputStreamReadyEvent::Run() /var/tmp/build/firefox-9eee95b2c3c2/xpcom/io/nsStreamUtils.cpp:173
#48 0x7f161dedecb0 in nsThread::ProcessNextEvent(bool, bool*) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThread.cpp:975
#49 0x7f161df08088 in NS_ProcessNextEvent(nsIThread*, bool) /var/tmp/build/firefox-9eee95b2c3c2/xpcom/threads/nsThreadUtils.cpp:455
previously allocated by thread T0 here:
#0 0x7f1637112950 in __interceptor_malloc (TorBrowser/Tor/libasan.so.4+0xdc950)
#1 0x5571554d0f08 in moz_xmalloc /var/tmp/build/firefox-9eee95b2c3c2/memory/mozalloc/mozalloc.cpp:68
#2 0x7f1629ddc17d in operator new(unsigned long) /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/mozilla/mozalloc.h:149
#3 0x7f1629ddc17d in nsDocShellTreeOwner::EnsureContentTreeOwner() /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:236
#4 0x7f1629ddc17d in nsDocShellTreeOwner::ContentShellAdded(nsIDocShellTreeItem*, bool) /var/tmp/build/firefox-9eee95b2c3c2/docshell/base/nsDocShellTreeOwner.cpp:252
#5 0x7f162187d41a in nsFrameLoader::AddTreeItemToTreeOwner(nsIDocShellTreeItem*, nsIDocShellTreeOwner*, int, nsIDocShell*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:726
#6 0x7f16218b78f2 in nsFrameLoader::MaybeCreateDocShell() /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:2052
#7 0x7f16218bbb07 in nsFrameLoader::CheckForRecursiveLoad(nsIURI*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:2275
#8 0x7f16218bd2fe in nsFrameLoader::CheckURILoad(nsIURI*, nsIPrincipal*) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:612
#9 0x7f16218bd2fe in nsFrameLoader::LoadURI(nsIURI*, nsIPrincipal*, bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:336
#10 0x7f16218bdf2d in nsFrameLoader::LoadFrame(bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsFrameLoader.cpp:286
#11 0x7f1626302bfb in nsXULElement::LoadSrc() /var/tmp/build/firefox-9eee95b2c3c2/dom/xul/nsXULElement.cpp:1421
#12 0x7f1626305a75 in nsXULElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /var/tmp/build/firefox-9eee95b2c3c2/dom/xul/nsXULElement.cpp:731
#13 0x7f162188c712 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.cpp:1425
#14 0x7f1621880aba in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.cpp:2295
#15 0x7f162208af07 in nsINode::InsertBefore(nsINode&, nsINode*, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.h:1841
#16 0x7f162208af07 in nsINode::AppendChild(nsINode&, mozilla::ErrorResult&) /var/tmp/build/firefox-9eee95b2c3c2/dom/base/nsINode.h:1844
#17 0x7f162208af07 in appendChild /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dom/bindings/NodeBinding.cpp:908
#18 0x7f16238bca0f in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/dom/bindings/BindingUtils.cpp:2810
#19 0x7f162aea3599 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#20 0x7f162aea3599 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:435
#21 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#22 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#23 0x7f162be91720 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Wrapper.cpp:158
#24 0x7f162be4aee1 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/CrossCompartmentWrapper.cpp:294
#25 0x7f162be663a1 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Proxy.cpp:432
#26 0x7f162be663a1 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /var/tmp/build/firefox-9eee95b2c3c2/js/src/proxy/Proxy.cpp:652
#27 0x7f162aea3e3e in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/JSContext-inl.h:260
#28 0x7f162aea3e3e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:416
#29 0x7f162aea48da in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#30 0x7f162ae43998 in js::CallFromStack(JSContext*, JS::CallArgs const&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:488
#31 0x7f162ae43998 in Interpret /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:2873
#32 0x7f162aea213f in js::RunScript(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:385
#33 0x7f162aea3c16 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:457
#34 0x7f162aea87fb in InternalCall /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:484
#35 0x7f162aea87fb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/vm/Interpreter.cpp:500
#36 0x7f162bb9c99d in js::jit::InterpretResume(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/VMFunctions.cpp:847
#37 0x1f3a86525236 (<unknown module>)
#38 0x1f3a865244e7 (<unknown module>)
#39 0x7f162b65ac32 in EnterJit /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/Jit.cpp:96
#40 0x7f162b66ab30 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /var/tmp/build/firefox-9eee95b2c3c2/js/src/jit/Jit.cpp:155
SUMMARY: AddressSanitizer: heap-use-after-free /var/tmp/build/firefox-9eee95b2c3c2/obj-x86_64-pc-linux-gnu/dist/include/nsCOMPtr.h:275 in nsCOMPtr_base::~nsCOMPtr_base()
Shadow bytes around the buggy address:
0x0c1e8003ace0: fa fa fa fa fa fa fd fd fd fd fd fd fd fd fd fd
0x0c1e8003acf0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
0x0c1e8003ad00: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad10: 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa fa
0x0c1e8003ad20: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c1e8003ad30: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
0x0c1e8003ad40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad50: 00 00 00 00 00 00 fa fa fa fa fa fa fa fa 00 00
0x0c1e8003ad60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c1e8003ad70: 00 00 00 04 fa fa fa fa fa fa fa fa 00 00 00 00
0x0c1e8003ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==12142==ABORTING
Note: compiling with GCC 8.3.0 is fine. I've not bisected where this got "fixed" on GCC's side.
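A triage helper for the ASan report in comment 10, added here as an example (it is not code from the bug or from Mozilla): it recomputes the offset into the freed region, maps the faulting address to its shadow byte with ASan's default x86-64 Linux mapping, and lists functions that occur more than once in the free stack. The embedded report is abridged from the trace above; the function names and dictionary keys of the helper are illustrative.

```python
import re
from collections import Counter

SHADOW_OFFSET = 0x7FFF8000  # ASan default on x86-64 Linux: shadow = (addr >> 3) + offset
LEGEND = {"00": "addressable", "fa": "heap left redzone", "fd": "freed heap region"}

# Constructed sample: abridged from the report above (paths shortened, most frames
# dropped); addresses, function names and line numbers are the ones it shows.
REPORT = """\
==12142==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f0002169b0
READ of size 8 at 0x60f0002169b0 thread T0
#0 0x7f1629ddb957 in nsCOMPtr_base::~nsCOMPtr_base() nsCOMPtr.h:275
#2 0x7f1629ddb957 in nsDocShellTreeOwner::~nsDocShellTreeOwner() nsDocShellTreeOwner.cpp:101
#3 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (libxul.so+0xd8a0c9b)
#8 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() nsDocShellTreeOwner.cpp:834
#9 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() nsDocShellTreeOwner.cpp:101
0x60f0002169b0 is located 160 bytes inside of 168-byte region [0x60f000216910,0x60f0002169b8)
freed by thread T0 here:
#0 0x7f16371125f8 in free (libasan.so.4+0xdc5f8)
#1 0x7f1629ddbca3 in non-virtual thunk to nsDocShellTreeOwner::Release() (libxul.so+0xd8a0ca3)
#6 0x7f1629ddb26d in nsDocShellTreeOwner::RemoveChromeListeners() nsDocShellTreeOwner.cpp:836
#7 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() nsDocShellTreeOwner.cpp:101
#8 0x7f1629ddbc9b in non-virtual thunk to nsDocShellTreeOwner::Release() (libxul.so+0xd8a0c9b)
#13 0x7f1629ddb08f in nsDocShellTreeOwner::RemoveChromeListeners() nsDocShellTreeOwner.cpp:834
#14 0x7f1629ddb698 in nsDocShellTreeOwner::~nsDocShellTreeOwner() nsDocShellTreeOwner.cpp:101
previously allocated by thread T0 here:
#0 0x7f1637112950 in __interceptor_malloc (libasan.so.4+0xdc950)
#3 0x7f1629ddc17d in nsDocShellTreeOwner::EnsureContentTreeOwner() nsDocShellTreeOwner.cpp:236
=>0x0c1e8003ad30: fd fd fd fd fd fd[fd]fa fa fa fa fa fa fa fa fa
"""

FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+) \S+$")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-f]+)")
REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),")
ROW = re.compile(r"^(?:=>)?(0x[0-9a-f]+): (.+)$")


def parse_report(text):
    """Split a heap-use-after-free report into stacks, region data and shadow rows."""
    rep = {"stacks": {"access": [], "freed": [], "allocated": []}, "shadow": {}}
    current = "access"
    for line in map(str.strip, text.splitlines()):
        if line.startswith("freed by thread"):
            current = "freed"
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
        elif m := FRAME.match(line):
            rep["stacks"][current].append(m.group(1))  # function name only
        elif m := ACCESS.match(line):
            rep["access_size"], rep["addr"] = int(m.group(2)), int(m.group(3), 16)
        elif m := REGION.search(line):
            rep["offset"], rep["size"] = int(m.group(1)), int(m.group(2))
            rep["region_start"] = int(m.group(3), 16)
        elif m := ROW.match(line):
            # One dump row covers 16 shadow bytes; brackets mark the faulting one.
            rep["shadow"][int(m.group(1), 16)] = re.findall(r"[0-9a-f]{2}", m.group(2))
    return rep


def shadow_byte(rep):
    """Return (shadow address, shadow byte) for the faulting address; the byte is
    None when the report's dump does not include that row."""
    shadow = (rep["addr"] >> 3) + SHADOW_OFFSET
    row = rep["shadow"].get(shadow & ~0xF)
    return shadow, (row[shadow & 0xF] if row else None)


def reentered(stack):
    """Functions present more than once in one stack: they were entered again before
    the outer call returned (possibly on a different instance of the class)."""
    return {func: n for func, n in Counter(stack).items() if n > 1}


def triage(text):
    rep = parse_report(text)
    shadow, byte = shadow_byte(rep)
    return {
        "offset_matches": rep["addr"] - rep["region_start"] == rep["offset"],
        "access_inside_region": rep["offset"] + rep["access_size"] <= rep["size"],
        "shadow_addr": shadow,
        "shadow_state": LEGEND.get(byte, "other"),
        "freed_by": rep["stacks"]["freed"][1],  # caller of free()
        "reentered_while_freeing": reentered(rep["stacks"]["freed"]),
    }


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

Run on the full report, the per-function counts are higher, because every nesting level is counted, including frames that were inlined at the same pc.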