Bug 1452772 (Closed) - Opened 6 years ago, Closed 6 years ago

AddressSanitizer: heap-use-after-free on address [@ get | DidComposite]

Category: Core :: Graphics, defect, P2
Status: RESOLVED WORKSFORME
Tracking: firefox61 --- affected
Reporter: truber
Assignee: botond
Blocks: 1 open bug
Attachments: 1 file (testcase.html)
Attached file: testcase.html

The attached testcase causes a heap use-after-free on shutdown in m-c rev 20180409-15678b283f0f.

Normally the testcase exits with this:
[warn] epoll_create: Too many open files
[warn] evutil_make_internal_pipe_: pipe: Too many open files
[err] evsig_init_: socketpair: Too many open files
Exit code: 1

At least 20% of the time it causes the heap use-after-free below (usually the error report is truncated by exit and unsymbolized):

==3372==ERROR: AddressSanitizer: heap-use-after-free on address 0x60f000162fe0 at pc 0x7f9087f02b68 bp 0x7f906a4bb370 sp 0x7f906a4bb368
READ of size 8 at 0x60f000162fe0 thread T29 (Compositor)
    #0 0x7f9087f02b67 in get at /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27
    #1 0x7f9087ef8848 in DidComposite at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:2025:5
    #2 0x7f9087f1baa5 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:243:27
    #3 0x7f9087f67670 in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #4 0x7f90864d0d13 in RunTask at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:452:9
    #5 0x7f90864d2c88 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:31
    #6 0x7f90864ce329 in RunInternal at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #7 0x7f90864ec4ff in base::Thread::ThreadMain() at /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:181:16
    #8 0x7f90864df10c in ThreadFunc(void*) at /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:13
    #9 0x7f90a59de08b in start_thread at ??:0:0
    #10 0x7f90a4a1fe7e in __GI___clone at ??:0:0

0x60f000162fe0 is located 64 bytes inside of 176-byte region [0x60f000162fa0,0x60f000163050)
freed by thread T0 here:
    #0 0x4c5172 in __interceptor_free at /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f9087f0a428 in operator delete at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:180:12
    #2 0x7f90a4961447 in __run_exit_handlers at ??:0:0

previously allocated by thread T0 here:
    #0 0x4c54b3 in malloc at /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc at /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f9087f115b3 in operator new at /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f9087ef28c5 in operator[] at /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/bits/stl_map.h:500:15
    #4 0x7f908818a179 in mozilla::layers::InProcessCompositorSession::Create(nsBaseWidget*, mozilla::layers::LayerManager*, mozilla::layers::LayersId const&, mozilla::gfx::ScaleFactor<mozilla::CSSPixel, mozilla::LayoutDevicePixel>, mozilla::layers::CompositorOptions const&, bool, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, unsigned int) at /builds/worker/workspace/build/src/gfx/ipc/InProcessCompositorSession.cpp:46:11
    #5 0x7f9088188c0d in mozilla::gfx::GPUProcessManager::CreateTopLevelCompositor(nsBaseWidget*, mozilla::layers::LayerManager*, mozilla::gfx::ScaleFactor<mozilla::CSSPixel, mozilla::LayoutDevicePixel>, mozilla::layers::CompositorOptions const&, bool, mozilla::gfx::IntSizeTyped<mozilla::gfx::UnknownUnits> const&, bool*) at /builds/worker/workspace/build/src/gfx/ipc/GPUProcessManager.cpp:761:15
    #6 0x7f908d17d3e4 in nsBaseWidget::CreateCompositorSession(int, int, mozilla::layers::CompositorOptions*) at /builds/worker/workspace/build/src/widget/nsBaseWidget.cpp:1335:31
    #7 0x7f908d17dddf in nsBaseWidget::CreateCompositor(int, int) at /builds/worker/workspace/build/src/widget/nsBaseWidget.cpp:1391:5
    #8 0x7f908d17f679 in nsBaseWidget::GetLayerManager(mozilla::layers::PLayerTransactionChild*, mozilla::layers::LayersBackend, nsIWidget::LayerManagerPersistence) at /builds/worker/workspace/build/src/widget/nsBaseWidget.cpp:1500:7
    #9 0x7f908d7c204f in GetLayerManager at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIWidget.h:1270:16
    #10 0x7f908d16133a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) at /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #11 0x7f908d16013c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) at /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #12 0x7f908d165766 in nsViewManager::ProcessPendingUpdates() at /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #13 0x7f908d73a01f in nsRefreshDriver::Tick(long, mozilla::TimeStamp) at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2053:11
    #14 0x7f908d747640 in TickDriver at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #15 0x7f908d747206 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #16 0x7f908d749f7e in RunRefreshDrivers at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #17 0x7f908d745029 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() at /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:529:20
    #18 0x7f908568dfd8 in nsThread::ProcessNextEvent(bool, bool*) at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #19 0x7f90856aa410 in NS_ProcessNextEvent(nsIThread*, bool) at /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #20 0x7f908657e55a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) at /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #21 0x7f90864ce329 in RunInternal at /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #22 0x7f908d1eff6a in nsBaseAppShell::Run() at /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #23 0x7f909129cd8b in nsAppStartup::Run() at /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #24 0x7f90914a8e0c in XREMain::XRE_mainRun() at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4834:22
    #25 0x7f90914abf4d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4979:8
    #26 0x7f90914ad414 in XRE_main(int, char**, mozilla::BootstrapConfig const&) at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5071:21
    #27 0x4f4ef5 in do_main at /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #28 0x7f90a494af49 in __libc_start_main at ??:0:0

Thread T29 (Compositor) created by T0 here:
    #0 0x4ae80d in __interceptor_pthread_create at /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f90864dca6f in CreateThread at /builds/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:135:14
    #2 0x7f90864ebe9f in base::Thread::StartWithOptions(base::Thread::Options const&) at /builds/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:99:8
    #3 0x7f9087f1a1ca in CreateCompositorThread at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:26
    #4 0x7f9087f1a483 in mozilla::layers::CompositorThreadHolder::Start() at /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:124:33
    #5 0x7f9087fe9a82 in gfxPlatform::InitLayersIPC() at /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:1038:5
    #6 0x7f9087fe5797 in gfxPlatform::Init() at /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:774:5
    #7 0x7f9087fe2b8b in gfxPlatform::GetPlatform() at /builds/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:533:9
    #8 0x7f908d1b3a39 in mozilla::widget::GfxInfoBase::GetContentBackend(nsTSubstring<char16_t>&) at /builds/worker/workspace/build/src/widget/GfxInfoBase.cpp:1518:25
    #9 0x7f90856ba361 in NS_InvokeByIndex at /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106:0
    #10 0x7f9086fc021e in Invoke at /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
    #11 0x7f9086fc76a0 in GetAttribute at /builds/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1605:17
    #12 0x7f9091796f87 in CallJSNative at /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #13 0x7f9091799463 in InternalCall at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #14 0x7f909274de90 in CallGetter at /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2176:16
    #15 0x7f9091783434 in GetProperty at /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1640:12
    #16 0x7f9091767e8a in js::RunScript(JSContext*, js::RunState&) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #17 0x7f9091796d05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #18 0x7f9091781a41 in CallFromStack at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #19 0x7f9091767e8a in js::RunScript(JSContext*, js::RunState&) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #20 0x7f9091796d05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #21 0x7f9091781a41 in CallFromStack at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #22 0x7f9091767e8a in js::RunScript(JSContext*, js::RunState&) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #23 0x7f9091796d05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #24 0x7f9091781a41 in CallFromStack at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #25 0x7f9091767e8a in js::RunScript(JSContext*, js::RunState&) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #26 0x7f9091796d05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #27 0x7f9091797f82 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) at /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #28 0x7f90922b6230 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) at /builds/worker/workspace/build/src/js/src/jsapi.cpp:2944:12
    #29 0x7f9086fa702d in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) at /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1210:23
    #30 0x7f90856bb949 in PrepareAndDispatch at /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:120:28
    #31 0x7f90856ba8ea in SharedStub at ??:0:0
    #32 0x7f9085632e6d in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) at /builds/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:810:19
    #33 0x7f90914cbf2c in nsXREDirProvider::DoStartup() at /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1021:11
    #34 0x7f90914a87a8 in XREMain::XRE_mainRun() at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4671:16
    #35 0x7f90914abf4d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4979:8
    #36 0x7f90914ad414 in XRE_main(int, char**, mozilla::BootstrapConfig const&) at /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5071:21
    #37 0x4f4ef5 in do_main at /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #38 0x7f90a494af49 in __libc_start_main at ??:0:0

SUMMARY: AddressSanitizer: heap-use-after-free in get at /builds/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:287:27 
Shadow bytes around the buggy address:
  0x0c1e800245a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 fa
  0x0c1e800245b0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c1e800245c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c1e800245d0: fa fa fa fa fa fa 00 00 00 00 00 00 00 00 00 00
  0x0c1e800245e0: 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c1e800245f0: fa fa fa fa fd fd fd fd fd fd fd fd[fd]fd fd fd
  0x0c1e80024600: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c1e80024610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80024620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80024630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c1e80024640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3372==ABORTING
David, can you help us find an owner?
This security bug has a reproducible test case yet it has not seen any action for a month.
It says intermittent, but 20% chance according to comment 0.
Flags: needinfo?(dbolter)

Nical should probably look at this.
Assignee: nobody → nical.bugzilla
Flags: needinfo?(dbolter)

Adding Matt for thoughts.
Flags: needinfo?(matt.woodrow)

Adding Jessie (new graphics engineering manager) to all sec-crit and sec-high graphics bugs.
Assignee: nical.bugzilla → botond

Is this still reproducible for you with the latest nightly? I did a local ASAN build and opened the testcase in it, but it neither exited with the output mentioned in comment 0, nor gave me an ASAN error report.
Flags: needinfo?(jschwartzentruber)

No, this doesn't reproduce anymore for me. The last time it was seen during fuzzing was May 8.
Flags: needinfo?(jschwartzentruber)

(In reply to Jesse Schwartzentruber (:truber) from comment #6)
> No, this doesn't reproduce anymore for me. The last time it was seen during
> fuzzing was May 8.

Thanks for the info!

I tried to find a fix range (so we can e.g. consider an esr-60 uplift), but I'm not able to reproduce the issue with older ASAN builds, either (the oldest one I could find was 2018-04-26), so I'm just going to close this as WORKSFORME.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → WORKSFORME
Group: gfx-core-security