Closed Bug 1446853 Opened 6 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:38:11 in AddRef

Categories

(Core :: Graphics: CanvasWebGL, defect, P2)

59 Branch
Unspecified
Linux
defect

Tracking


RESOLVED WORKSFORME

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 2c4a055ed5d4.

Testcase is very similar to that in bug 1444086 but I've tested against the patch included there and this appears to be a separate issue.

==21139==ERROR: AddressSanitizer: heap-use-after-free on address 0x61e00006fc80 at pc 0x7f26075c5ef5 bp 0x7ffea233b930 sp 0x7ffea233b928
READ of size 8 at 0x61e00006fc80 thread T0 (file:// Content)
    #0 0x7f26075c5ef4 in AddRef /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:38:11
    #1 0x7f26075c5ef4 in AddRef /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:395
    #2 0x7f26075c5ef4 in assign_with_AddRef /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:55
    #3 0x7f26075c5ef4 in operator= /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:193
    #4 0x7f26075c5ef4 in mozilla::layers::CopyableCanvasRenderer::Initialize(mozilla::layers::CanvasInitializeData const&) /builds/worker/workspace/build/src/gfx/layers/CopyableCanvasRenderer.cpp:61
    #5 0x7f260762525c in mozilla::layers::ShareableCanvasRenderer::Initialize(mozilla::layers::CanvasInitializeData const&) /builds/worker/workspace/build/src/gfx/layers/ShareableCanvasRenderer.cpp:36:27
    #6 0x7f260ac164ab in mozilla::WebGLContext::InitializeCanvasRenderer(nsDisplayListBuilder*, mozilla::layers::CanvasRenderer*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1345:16
    #7 0x7f260ac15c6b in mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::Layer*, mozilla::layers::LayerManager*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1280:10
    #8 0x7f260b364dfa in mozilla::dom::HTMLCanvasElement::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::Layer*, mozilla::layers::LayerManager*) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:1199:29
    #9 0x7f260d9b8418 in nsHTMLCanvasFrame::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, mozilla::ContainerLayerParameters const&) /builds/worker/workspace/build/src/layout/generic/nsHTMLCanvasFrame.cpp:427:34
    #10 0x7f260df25245 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:4469:38
    #11 0x7f260df39384 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5784:9
    #12 0x7f260dfcae9e in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2556:9
    #13 0x7f260dfcd54c in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2758:20
    #14 0x7f260d6ee866 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:4016:12
    #15 0x7f260d5d0a42 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6354:5
    #16 0x7f260cd1c56c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #17 0x7f260cd1b33c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #18 0x7f260cd1ec56 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #19 0x7f260d5292df in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2058:11
    #20 0x7f260d536980 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:341:13
    #21 0x7f260d536980 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:311
    #22 0x7f260d536546 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:333:5
    #23 0x7f260d5392be in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:774:5
    #24 0x7f260d5392be in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:687
    #25 0x7f260d538ebe in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:588:9
    #26 0x7f260de2ecef in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #27 0x7f26066b4da9 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #28 0x7f260658b27a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #29 0x7f26060d03ce in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #30 0x7f26060cd351 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #31 0x7f26060ceb4c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #32 0x7f26060cf1a8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #33 0x7f26051fcb88 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #34 0x7f2605218ef0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #35 0x7f26060d7f4a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #36 0x7f2606026769 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7f2606026769 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7f2606026769 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7f260cda780a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #40 0x7f26112cce4b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #41 0x7f2606026769 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #42 0x7f2606026769 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #43 0x7f2606026769 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #44 0x7f26112cc82a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #45 0x4f6f2c in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #46 0x4f6f2c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #47 0x7f2624e0482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #48 0x4265bc in _start (/home/forb1dden/builds/mc-asan/firefox+0x4265bc)

0x61e00006fc80 is located 0 bytes inside of 2744-byte region [0x61e00006fc80,0x61e000070738)
freed by thread T0 (file:// Content) here:
    #0 0x4c6fc2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f260ac10ff9 in ForceLoseContext /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1883:5
    #2 0x7f260ac10ff9 in mozilla::WebGLContext::EnsureDefaultFB(char const*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:785
    #3 0x7f260ac1635e in DrawingBufferSize /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1970:10
    #4 0x7f260ac1635e in mozilla::WebGLContext::InitializeCanvasRenderer(nsDisplayListBuilder*, mozilla::layers::CanvasRenderer*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1341
    #5 0x7f260ac15c6b in mozilla::WebGLContext::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::Layer*, mozilla::layers::LayerManager*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:1280:10
    #6 0x7f260b364dfa in mozilla::dom::HTMLCanvasElement::GetCanvasLayer(nsDisplayListBuilder*, mozilla::layers::Layer*, mozilla::layers::LayerManager*) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:1199:29
    #7 0x7f260d9b8418 in nsHTMLCanvasFrame::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsDisplayItem*, mozilla::ContainerLayerParameters const&) /builds/worker/workspace/build/src/layout/generic/nsHTMLCanvasFrame.cpp:427:34
    #8 0x7f260df25245 in mozilla::ContainerState::ProcessDisplayItems(nsDisplayList*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:4469:38
    #9 0x7f260df39384 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5784:9
    #10 0x7f260dfcae9e in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2556:9
    #11 0x7f260dfcd54c in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2758:20
    #12 0x7f260d6ee866 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:4016:12
    #13 0x7f260d5d0a42 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6354:5
    #14 0x7f260cd1c56c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #15 0x7f260cd1b33c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #16 0x7f260cd1ec56 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #17 0x7f260d5292df in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2058:11
    #18 0x7f260d536980 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:341:13
    #19 0x7f260d536980 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:311
    #20 0x7f260d536546 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:333:5
    #21 0x7f260d5392be in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:774:5
    #22 0x7f260d5392be in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:687
    #23 0x7f260d538ebe in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:588:9
    #24 0x7f260de2ecef in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #25 0x7f26066b4da9 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #26 0x7f260658b27a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #27 0x7f26060d03ce in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #28 0x7f26060cd351 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #29 0x7f26060ceb4c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #30 0x7f26060cf1a8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #31 0x7f26051fcb88 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #32 0x7f2605218ef0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:517:10
    #33 0x7f26060d7f4a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c7303 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f7dcd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f2607446b70 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f2607446b70 in mozilla::gl::GLContextGLX::CreateGLContext(mozilla::gl::CreateContextFlags, mozilla::gl::SurfaceCaps const&, bool, _XDisplay*, unsigned long, __GLXFBConfigRec*, bool, gfxXlibSurface*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:547
    #4 0x7f2607449942 in mozilla::gl::CreateOffscreenPixmapContext(mozilla::gl::CreateContextFlags, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gl::SurfaceCaps const&, nsTSubstring<char>*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:1036:12
    #5 0x7f2607449ccd in mozilla::gl::GLContextProviderGLX::CreateOffscreen(mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, nsTSubstring<char>*) /builds/worker/workspace/build/src/gfx/gl/GLContextProviderGLX.cpp:1063:10
    #6 0x7f260ac100d5 in mozilla::CreateGLWithDefault(mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, mozilla::WebGLContext*, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:565:28
    #7 0x7f260ac0c67f in mozilla::WebGLContext::CreateAndInitGLWith(already_AddRefed<mozilla::gl::GLContext> (*)(mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, mozilla::WebGLContext*, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*), mozilla::gl::SurfaceCaps const&, mozilla::gl::CreateContextFlags, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:597:23
    #8 0x7f260ac0e8d4 in mozilla::WebGLContext::CreateAndInitGL(bool, std::vector<mozilla::WebGLContext::FailureReason, std::allocator<mozilla::WebGLContext::FailureReason> >*) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:724:13
    #9 0x7f260ac12732 in mozilla::WebGLContext::SetDimensions(int, int) /builds/worker/workspace/build/src/dom/canvas/WebGLContext.cpp:961:10
    #10 0x7f260ab5c28e in mozilla::dom::CanvasRenderingContextHelper::UpdateContext(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:243:24
    #11 0x7f260ab5bd3a in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:197:19
    #12 0x7f260b3638f0 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:1017:40
    #13 0x7f260a4ccb30 in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:275:49
    #14 0x7f260aa3c081 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3031:13
    #15 0x7f26115e012e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #16 0x7f26115e012e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #17 0x7f26115c8b00 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #18 0x7f26115c8b00 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3085
    #19 0x7f26115aad14 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #20 0x7f26115dff27 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #21 0x7f26115e0c93 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #22 0x7f2612240d5a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3011:12
    #23 0x7f260a106ebe in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #24 0x7f260b19ab59 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #25 0x7f260b19ab59 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #26 0x7f260b1631fc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1090:51
    #27 0x7f260b164a75 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1259:20
    #28 0x7f260b14f227 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
    #29 0x7f260b152fc3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:917:9
    #30 0x7f260d6a1548 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1068:7
    #31 0x7f2610846b5b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7303:21
    #32 0x7f2610842cc9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7096:7
    #33 0x7f261084a85f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:38:11 in AddRef
Shadow bytes around the buggy address:
  0x0c3c80005f40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005f50: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c3c80005f60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80005f70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c3c80005f80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c3c80005f90:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005fc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3c80005fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==21139==ABORTING
Flags: in-testsuite?
Group: core-security → gfx-core-security
sec-high with a working & reproducible test case.
I'm assigning to jgilbert, given this seems like fallout from bug 1444086.
Assignee: nobody → jgilbert
> Testcase is very similar to that in bug 1444086 but I've tested against the
> patch included there and this appears to be a separate issue.

Jason: Did you test on a build _before_ that patch? The symptoms here seem worse (and unrelated to TlsScope). Did this always exist? Did the patch in bug 1444086 cause this (a regression, but seems unlikely)?

also ni? to jeff in case he didn't see it.
Flags: needinfo?(jkratzer)
Flags: needinfo?(jgilbert)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> > Testcase is very similar to that in bug 1444086 but I've tested against the
> > patch included there and this appears to be a separate issue.
> 
> Jason: Did you test on a build _before_ that patch? The symptoms here seem
> worse (and unrelated to TlsScope). Did this always exist? Did the patch in
> bug 1444086 cause this (a regression, but seems unlikely)?
> 
> also ni? to jeff in case he didn't see it.

This was initially identified on a build before the patch but, due to how closely related the testcases appeared, I tested with the patch to confirm that it was a separate issue. I hadn't had a chance to dig into the root cause.
Flags: needinfo?(jkratzer)
Flags: needinfo?(jgilbert)
OS: Unspecified → Linux
Doesn't repro on Windows.
This issue still reproduces for me on Ubuntu 16.04 (x64) using m-c rev 59005ba3cd3e (build ID 20180507).
What is the next step here?
Flags: needinfo?(matt.woodrow)
Flags: needinfo?(jgilbert)
Looks like this code is broken: https://searchfox.org/mozilla-central/source/dom/canvas/WebGLContext.cpp#1265

We set data.mGLContext which grabs a raw pointer to a refcounted object, alive at this point. Then we call DrawingBufferSize(), which triggers context loss, and the refcounted gl context is destroyed. Then we call into Initialize with data.mGLContext as a dangling pointer.

Should we just call DrawingBufferSize first before we grab the glcontext pointer? And maybe add an early return if it's null?
Flags: needinfo?(matt.woodrow)
We should actually be passing the WebGLContext to the layers client code, not GLContext. (We should also be holding strong refs when we actually want things to stay alive...)
Flags: needinfo?(jgilbert)
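As an added illustration (not Firefox code and not part of this bug's comments), the following stand-alone C++ model reproduces the ordering problem Matt describes in comment 5 and the remedy both he and Jeff point at: do the call that can lose the context first, hold a strong reference across anything that can release the object, and return early when nothing survives. All names here (GLContext, WebGLContext, CanvasInitializeData, DrawingBufferSize, ForceLoseContext, Initialize) are simplified stand-ins for the Gecko classes in the ASan stack, not the real implementations; the live-object registry is an assumption added so the example can detect a dangling pointer instead of dereferencing freed memory.

```cpp
#include <cstdio>
#include <set>
#include <utility>

// Registry of live objects. Lets the example *detect* a dangling pointer instead
// of dereferencing freed memory (undefined behaviour). Assumption for this
// illustration only; Gecko has nothing like it, ASan fills that role there.
static std::set<const void*>& LiveObjects() {
  static std::set<const void*> live;
  return live;
}

// Simplified stand-in for gl::GLContext: intrusively refcounted.
struct GLContext {
  GLContext() { LiveObjects().insert(this); }
  ~GLContext() { LiveObjects().erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
  int mRefCnt = 0;
};

// Minimal RefPtr<T>, same idea as mfbt/RefPtr.h in the ASan stack: holding one
// keeps the object alive; assignment does the AddRef that faulted in the report.
template <typename T>
class RefPtr {
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  RefPtr& operator=(T* p) {
    if (p) p->AddRef();  // AddRef the new pointer before releasing the old one
    T* old = mPtr;
    mPtr = p;
    if (old) old->Release();
    return *this;
  }
  RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  explicit operator bool() const { return mPtr != nullptr; }
 private:
  T* mPtr = nullptr;
};

// Simplified stand-in for WebGLContext: sole owner of its GLContext.
struct WebGLContext {
  RefPtr<GLContext> mGL{new GLContext()};
  bool mLoseOnNextQuery = false;  // test knob standing in for EnsureDefaultFB failing

  void ForceLoseContext() { mGL = nullptr; }  // drops the only strong ref: object freed

  // Mirrors DrawingBufferSize() -> EnsureDefaultFB(): may force context loss.
  std::pair<int, int> DrawingBufferSize() {
    if (mLoseOnNextQuery) { ForceLoseContext(); return {0, 0}; }
    return {300, 150};
  }
};

// Simplified stand-in for layers::CanvasInitializeData.
struct CanvasInitializeData {
  GLContext* mGLContext = nullptr;  // raw, non-owning, exactly as in the bug
  int mWidth = 0, mHeight = 0;
};

enum Outcome { kDangling = 0, kInitialized = 1, kContextLost = 2 };

// What CopyableCanvasRenderer::Initialize does with the data is in effect
// `mGLContext = data.mGLContext`, i.e. an AddRef through the raw pointer.
// Here we report a stale pointer instead of touching it.
static Outcome Initialize(const CanvasInitializeData& data) {
  if (LiveObjects().count(data.mGLContext) == 0) return kDangling;  // would be the UAF
  RefPtr<GLContext> held(data.mGLContext);  // the AddRef ASan flagged
  return kInitialized;
}

// Buggy ordering from comment 5: grab raw pointer, then call something that can
// free the object, then pass the stale pointer on.
Outcome InitializeCanvasRenderer_Buggy(WebGLContext& webgl) {
  CanvasInitializeData data;
  data.mGLContext = webgl.mGL.get();      // alive at this point...
  auto size = webgl.DrawingBufferSize();  // ...may be freed right here
  data.mWidth = size.first;
  data.mHeight = size.second;
  return Initialize(data);                // dangling if the context was lost
}

// Fixed ordering: run the call that can lose the context first, take a strong
// reference to whatever survives, and bail out early if nothing did.
Outcome InitializeCanvasRenderer_Fixed(WebGLContext& webgl) {
  auto size = webgl.DrawingBufferSize();  // may trigger context loss
  RefPtr<GLContext> gl = webgl.mGL;       // strong ref: cannot be freed under us
  if (!gl) return kContextLost;           // early return, nothing to initialize
  CanvasInitializeData data;
  data.mGLContext = gl.get();             // kept alive by `gl` for the whole call
  data.mWidth = size.first;
  data.mHeight = size.second;
  return Initialize(data);
}

int main() {
  WebGLContext lost; lost.mLoseOnNextQuery = true;
  std::printf("buggy after context loss: %d (0 = dangling)\n", InitializeCanvasRenderer_Buggy(lost));
  WebGLContext lost2; lost2.mLoseOnNextQuery = true;
  std::printf("fixed after context loss: %d (2 = bailed out)\n", InitializeCanvasRenderer_Fixed(lost2));
  return 0;
}
```

The buggy path only goes wrong when DrawingBufferSize() actually loses the context, which is why the testcase needs the EnsureDefaultFB failure shown in the "freed by" stack; on the happy path both orderings behave identically, which is how a bug like this survives review. Passing the WebGLContext (the owner) to the layers code, as Jeff suggests, removes the raw GLContext pointer from the data structure altogether.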
(In reply to Jeff Gilbert [:jgilbert] from comment #4)
> Doesn't repro on Windows.

Bug still affects Windows though, per bug 1506665.
See Also: → 1506665
Jeff, can you work on this or assign someone to do so? Thanks!
Flags: needinfo?(jgilbert)
I'll take a look.
Flags: needinfo?(jgilbert)
Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs

Hey Jeff, does this look actionable?

Flags: needinfo?(jgilbert)

Maybe. I suspect it's the same (or very similar) to bug 1506665, which we're having trouble with.

Flags: needinfo?(jgilbert)

Waiting on bug 1506665.

Assignee: jgilbert → nobody
Depends on: 1506665
Keywords: stalled

Please retest!

Flags: needinfo?(jkratzer)

This issue no longer reproduces using build m-c rev 78601cacfe69 (20190305).

Flags: needinfo?(jkratzer)

the "stalled" keyword refers to the investigation into a security bug, not the engineering fix effort. "Stalled" is incompatible with a bug that has working steps to reproduce (and particularly the "testcase" keyword).

Probably should have been marked FIXED (by bug 1506665), DUPLICATE, or WORKSFORME with comment 18.

Status: NEW → RESOLVED
Closed: 5 years ago
Keywords: stalled
Resolution: --- → WORKSFORME

Removing employee no longer with company from CC list of private bugs.

Group: gfx-core-security
