Closed
Bug 1454048
Opened 8 years ago
Closed 7 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h in markAndPush<js::ObjectGroup>
Categories
(Core :: JavaScript: GC, defect)
RESOLVED
INVALID
People
(Reporter: rs, Unassigned)
Attachments
(3 files)
User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.108 Safari/537.36
Firefox for Android
Steps to reproduce:
I am going to report these issues that I do not always reproduce in case someone wants to take a look at them (like some of my other issues from a few days ago).
Firefox 61.0a1
Build ID 2018041209357 (fuzzing/asan) + DOMFuzz helper enabled
Actual results:
=================================================================
==28795==ERROR: AddressSanitizer: SEGV on unknown address 0x7f6d2eefc518 (pc 0x7f6d4f429108 bp 0x7fff766d33f0 sp 0x7fff766d3390 T0)
==28795==The signal is caused by a WRITE memory access.
#0 0x7f6d4f429107 in markAndPush<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Heap.h
#1 0x7f6d4f429107 in void js::GCMarker::traverse<js::ObjectGroup*>(js::ObjectGroup*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:934
#2 0x7f6d4f42dea7 in traverseEdge<JSObject *, js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:979:5
#3 0x7f6d4f42dea7 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1810
#4 0x7f6d4f42d613 in js::GCMarker::drainMarkStack(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1631:13
#5 0x7f6d4f3e2d20 in drainMarkStack /builds/worker/workspace/build/src/js/src/gc/GC.cpp:5836:19
#6 0x7f6d4f3e2d20 in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoTraceSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7030
#7 0x7f6d4f3e6cc3 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7392:5
#8 0x7f6d4f3eb1a5 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7535:25
#9 0x7f6d4f3f6496 in gc /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7605:5
#10 0x7f6d4f3f6496 in JS::GCForReason(JSContext*, JSGCInvocationKind, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8505
#11 0x7f6d4e4f3b08 in GC(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/TestingFunctions.cpp:340:5
#12 0x7f6d4dc46bd7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#13 0x7f6d4dc46bd7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#14 0x7f6d4dc47bd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#15 0x7f6d4eaf3cc9 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1248:12
#16 0x7f6d4dc46bd7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#17 0x7f6d4dc46bd7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#18 0x7f6d4dc31691 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#19 0x7f6d4dc31691 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#20 0x7f6d4dc17ada in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#21 0x7f6d4dc46955 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#22 0x7f6d4dc47bd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#23 0x7f6d4e761f9d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
#24 0x7f6d4360498c in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#25 0x7f6d4dc46bd7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
#26 0x7f6d4dc46bd7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#27 0x7f6d4dc31691 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#28 0x7f6d4dc31691 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#29 0x7f6d4dc17ada in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#30 0x7f6d4dc46955 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#31 0x7f6d4dc47bd2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#32 0x7f6d4e761f9d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
#33 0x7f6d46b2fd8e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#34 0x7f6d47af2b1e in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#35 0x7f6d47af2b1e in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#36 0x7f6d47ab8bcd in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121:51
#37 0x7f6d47aba3b3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1290:20
#38 0x7f6d47aa4837 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:527:16
#39 0x7f6d47aa85d7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:933:9
#40 0x7f6d49d66a88 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1066:7
#41 0x7f6d4cef182b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7220:21
#42 0x7f6d4ceedc29 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7013:7
#43 0x7f6d4cef552f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#44 0x7f6d43bf9e97 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
#45 0x7f6d43bf8f1a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
#46 0x7f6d43bf5af5 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9
#47 0x7f6d43bf7abc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
#48 0x7f6d43bf8adc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#49 0x7f6d41f87bda in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#50 0x7f6d44fbf3da in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8409:18
#51 0x7f6d44fbf3da in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8331
#52 0x7f6d47a3f76a in ~LoadBlockingAsyncEventDispatcher /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:124:18
#53 0x7f6d47a3f76a in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:122
#54 0x7f6d41dc923c in Release /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:50:1
#55 0x7f6d41dc923c in mozilla::CancelableRunnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:74
#56 0x7f6d41d91964 in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
#57 0x7f6d41d91964 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:638
#58 0x7f6d41d91964 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:341
#59 0x7f6d41db0709 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#60 0x7f6d41dcc140 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#61 0x7f6d42c9b76a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#62 0x7f6d42bec509 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#63 0x7f6d42bec509 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#64 0x7f6d42bec509 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#65 0x7f6d496c6faa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#66 0x7f6d4d968a3b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#67 0x7f6d42bec509 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#68 0x7f6d42bec509 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#69 0x7f6d42bec509 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#70 0x7f6d4d968402 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#71 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#72 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#73 0x7f6d627081c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#74 0x42476c in _start (/home/fuzzer/dev/firefox/firefox+0x42476c)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/js/src/gc/Heap.h in markAndPush<js::ObjectGroup>
==28795==ABORTING
Updated•8 years ago
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript: GC
Product: Firefox → Core
Updated•8 years ago
Group: core-security → javascript-core-security
Comment 1•8 years ago
I'm unable to reproduce this.
Reporter
Comment 2•8 years ago
I have another stack trace around this code. Build 61.0a1 20180416095348.
DOMFuzzHelper created
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT (t=1.44156) [GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT
JavaScript error: jar:file:///home/fuzzer/dev/firefox/omni.ja!/components/captivedetect.js, line 236: NS_ERROR_FAILURE: No canonical URL set up.
DOMFuzzHelper created
DOMFuzzHelper created
=================================================================
==9113==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f0e26ffeba0 at pc 0x7f0e4750eea7 bp 0x7ffc47c045e0 sp 0x7ffc47c045d8
READ of size 8 at 0x7f0e26ffeba0 thread T0 (file:// Content)
#0 0x7f0e4750eea6 in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Heap.h:630:13
#1 0x7f0e4750eea6 in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Cell.h:306
#2 0x7f0e4750eea6 in mark<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1016
#3 0x7f0e4750eea6 in markAndPush<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:927
#4 0x7f0e4750eea6 in void js::GCMarker::traverse<js::ObjectGroup*>(js::ObjectGroup*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:934
#5 0x7f0e47513a57 in traverseEdge<JSObject *, js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:979:5
#6 0x7f0e47513a57 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1810
#7 0x7f0e475131c3 in js::GCMarker::drainMarkStack(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1631:13
#8 0x7f0e474cb68e in drainMarkStack /builds/worker/workspace/build/src/js/src/gc/GC.cpp:5827:19
#9 0x7f0e474cb68e in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoTraceSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6996
#10 0x7f0e474cee07 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7358:5
#11 0x7f0e474d21b5 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7501:25
#12 0x7f0e474dc706 in gc /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7571:5
#13 0x7f0e474dc706 in JS::GCForReason(JSContext*, JSGCInvocationKind, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8411
#14 0x7f0e466042b8 in GC(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/TestingFunctions.cpp:340:5
#15 0x7f0e45d3c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#16 0x7f0e45d3c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#17 0x7f0e45d3d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#18 0x7f0e46bd64a9 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1248:12
#19 0x7f0e45d3c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#20 0x7f0e45d3c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#21 0x7f0e45d26ec8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#22 0x7f0e45d26ec8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#23 0x7f0e45d0d5c7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#24 0x7f0e45d3c155 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#25 0x7f0e45d3d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#26 0x7f0e468636ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#27 0x7f0e3b67c01c in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#28 0x2ac8c273c77f (<unknown module>)
0x7f0e26ffeba0 is located 730016 bytes inside of 1048576-byte region [0x7f0e26f4c800,0x7f0e2704c800)
freed by thread T0 (file:// Content) here:
#0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7f0e41567653 in ~nsTSubstring /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:77:5
#2 0x7f0e41567653 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2334
#3 0x7f0e4156146b in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1956:10
#4 0x7f0e4155e821 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1595:10
#5 0x7f0e41542a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#6 0x7f0e41541b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#7 0x7f0e3be570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#8 0x7f0e3be570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#9 0x7f0e3be5055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#10 0x7f0e3be5c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#11 0x7f0e39dd2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#12 0x7f0e39df1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#13 0x7f0e39e0d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#14 0x7f0e3acd9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#15 0x7f0e3ac2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#16 0x7f0e3ac2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#17 0x7f0e3ac2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#18 0x7f0e417b851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#19 0x7f0e45a5e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#20 0x7f0e3ac2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#21 0x7f0e3ac2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#22 0x7f0e3ac2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#23 0x7f0e45a5e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#24 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#25 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#26 0x7f0e5a8501c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
previously allocated by thread T0 (file:// Content) here:
#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f0e39c2a95a in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:256:22
#2 0x7f0e39c2a95a in nsTSubstring<char16_t>::MutatePrep(unsigned int, char16_t**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:167
#3 0x7f0e39c3f456 in nsTSubstring<char16_t>::SetCapacity(unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:782:8
#4 0x7f0e39c158ac in SetLength /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:822:8
#5 0x7f0e39c158ac in AppendASCIItoUTF16(nsTSubstring<char> const&, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsReadableUtils.cpp:199
#6 0x7f0e3cc6e8fd in nsTextFragment::AppendTo(nsTSubstring<char16_t>&, std::nothrow_t const&) const /builds/worker/workspace/build/src/dom/base/nsTextFragment.h:177:14
#7 0x7f0e3cc4908c in AppendNodeTextContent /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5400:23
#8 0x7f0e3cc4908c in nsContentUtils::GetNodeTextContent(nsINode*, bool, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:7540
#9 0x7f0e3feb6ae0 in GetText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:158:8
#10 0x7f0e3feb6ae0 in GetScriptText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:192
#11 0x7f0e3feb6ae0 in non-virtual thunk to mozilla::dom::HTMLScriptElement::GetScriptText(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp
#12 0x7f0e4156731c in GetScriptSource /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1878:25
#13 0x7f0e4156731c in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2326
#14 0x7f0e4156146b in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1956:10
#15 0x7f0e4155e821 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1595:10
#16 0x7f0e41542a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#17 0x7f0e41541b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#18 0x7f0e3be570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#19 0x7f0e3be570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#20 0x7f0e3be5055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#21 0x7f0e3be5c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#22 0x7f0e39dd2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 0x7f0e39df1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#24 0x7f0e39e0d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 0x7f0e3acd9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#26 0x7f0e3ac2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#27 0x7f0e3ac2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#28 0x7f0e3ac2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#29 0x7f0e417b851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#30 0x7f0e45a5e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#31 0x7f0e3ac2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#32 0x7f0e3ac2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#33 0x7f0e3ac2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#34 0x7f0e45a5e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#35 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#36 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#37 0x7f0e5a8501c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/js/src/gc/Heap.h:630:13 in markIfUnmarked
==9113==ABORTING
[Parent 8355, Gecko_IOThread] WARNING: pipe error (81): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353
[Parent 8355, Gecko_IOThread] WARNING: pipe error: Broken pipe: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 709
###!!! [Parent][MessageChannel] Error: (msgtype=0x16007F,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv
Reporter
Comment 3•8 years ago
It happened on another machine as well. The only thing I noticed this time was slowness in D-BUS when it happened, and I think it is related in some way. In another process's stderr/stdout on that machine at the same time I got (not the ASAN output):
(firefox:19173): GConf-WARNING **: Client failed to connect to the D-BUS daemon:
Failed to connect to socket /run/user/1000/bus: No such file or directory
DOMFuzzHelper created
DOMFuzzHelper created
(firefox:19173): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly.
(firefox:19173): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly.
(firefox:19173): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly.
(firefox:19173): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly.
(firefox:19173): dconf-CRITICAL **: unable to create directory '/run/user/1000/dconf': Permission denied. dconf will not work properly.
fuzzPriv.enableAccessibility
Enabled accessibility!
DOMFuzzHelper created
ASAN output:
=================================================================
==19734==ERROR: AddressSanitizer: heap-use-after-free on address 0x7f9a62ffc9d8 at pc 0x7f9a82d0eea7 bp 0x7ffedb56b500 sp 0x7ffedb56b4f8
READ of size 8 at 0x7f9a62ffc9d8 thread T0 (file:// Content)
#0 0x7f9a82d0eea6 in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Heap.h:630:13
#1 0x7f9a82d0eea6 in markIfUnmarked /builds/worker/workspace/build/src/js/src/gc/Cell.h:306
#2 0x7f9a82d0eea6 in mark<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1016
#3 0x7f9a82d0eea6 in markAndPush<js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:927
#4 0x7f9a82d0eea6 in void js::GCMarker::traverse<js::ObjectGroup*>(js::ObjectGroup*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:934
#5 0x7f9a82d13a57 in traverseEdge<JSObject *, js::ObjectGroup> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:979:5
#6 0x7f9a82d13a57 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1810
#7 0x7f9a82d131c3 in js::GCMarker::drainMarkStack(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1631:13
#8 0x7f9a82ccb68e in drainMarkStack /builds/worker/workspace/build/src/js/src/gc/GC.cpp:5827:19
#9 0x7f9a82ccb68e in js::gc::GCRuntime::incrementalCollectSlice(js::SliceBudget&, JS::gcreason::Reason, js::gc::AutoTraceSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6996
#10 0x7f9a82ccee07 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7358:5
#11 0x7f9a82cd21b5 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7501:25
#12 0x7f9a82cdc706 in gc /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7571:5
#13 0x7f9a82cdc706 in JS::GCForReason(JSContext*, JSGCInvocationKind, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8411
#14 0x7f9a81e042b8 in GC(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/TestingFunctions.cpp:340:5
#15 0x7f9a8153c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#16 0x7f9a8153c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#17 0x7f9a8153d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#18 0x7f9a823d64a9 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1248:12
#19 0x7f9a8153c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#20 0x7f9a8153c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#21 0x7f9a81526ec8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#22 0x7f9a81526ec8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#23 0x7f9a8150d5c7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#24 0x7f9a8153c155 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#25 0x7f9a8153d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#26 0x7f9a820636ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#27 0x7f9a76e7c01c in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#28 0x7f9a8153c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#29 0x7f9a8153c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#30 0x7f9a81526ec8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#31 0x7f9a81526ec8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#32 0x7f9a8150d5c7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#33 0x7f9a8153c155 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#34 0x7f9a8153d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#35 0x7f9a820636ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#36 0x7f9a7a40080e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#37 0x7f9a7b3e1990 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#38 0x7f9a7b3e1990 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#39 0x7f9a7b3a7afc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121:51
#40 0x7f9a7b3a92dc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1290:20
#41 0x7f9a7b393697 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:528:16
#42 0x7f9a7b3974c3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:934:9
#43 0x7f9a7d65b928 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1066:7
#44 0x7f9a807e9e1b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7222:21
#45 0x7f9a807e6219 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7015:7
#46 0x7f9a807edb1f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#47 0x7f9a7746ff37 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
#48 0x7f9a7746efba in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
#49 0x7f9a7746bb95 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9
#50 0x7f9a7746db5c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
#51 0x7f9a7746eb7c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#52 0x7f9a757ca9aa in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
#53 0x7f9a782c2452 in imgRequestProxy::RemoveFromLoadGroup() /builds/worker/workspace/build/src/image/imgRequestProxy.cpp:446:15
#54 0x7f9a782cab20 in imgRequestProxy::OnLoadComplete(bool) /builds/worker/workspace/build/src/image/imgRequestProxy.cpp:1131:7
#55 0x7f9a782b8d99 in operator() /builds/worker/workspace/build/src/image/ProgressTracker.cpp:370:13
#56 0x7f9a782b8d99 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}>(void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::{lambda(mozilla::image::IProgressObserver*)#7}) /builds/worker/workspace/build/src/image/ProgressTracker.cpp:295
#57 0x7f9a782b6793 in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/image/ProgressTracker.cpp:369:5
#58 0x7f9a7821b28e in operator() /builds/worker/workspace/build/src/image/ProgressTracker.cpp:390:5
#59 0x7f9a7821b28e in Read<(lambda at /builds/worker/workspace/build/src/image/ProgressTracker.cpp:389:19)> /builds/worker/workspace/build/src/image/CopyOnWrite.h:154
#60 0x7f9a7821b28e in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/image/ProgressTracker.cpp:389
#61 0x7f9a782292d9 in mozilla::image::RasterImage::NotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /builds/worker/workspace/build/src/image/RasterImage.cpp:1695:28
#62 0x7f9a7823df17 in NotifyForLoadEvent /builds/worker/workspace/build/src/image/RasterImage.cpp:978:3
#63 0x7f9a7823df17 in mozilla::image::RasterImage::NotifyDecodeComplete(mozilla::image::DecoderFinalStatus const&, mozilla::image::ImageMetadata const&, mozilla::image::DecoderTelemetry const&, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::Maybe<unsigned int> const&, mozilla::image::DecoderFlags, mozilla::image::SurfaceFlags) /builds/worker/workspace/build/src/image/RasterImage.cpp:1782
#64 0x7f9a78213b27 in operator() /builds/worker/workspace/build/src/image/IDecodingTask.cpp:130:12
#65 0x7f9a78213b27 in mozilla::detail::RunnableFunction<mozilla::image::IDecodingTask::NotifyDecodeComplete(mozilla::NotNull<mozilla::image::RasterImage*>, mozilla::NotNull<mozilla::image::Decoder*>)::$_2>::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.h:552
#66 0x7f9a755f1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#67 0x7f9a7560d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#68 0x7f9a764d9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#69 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#70 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#71 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#72 0x7f9a7cfb851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#73 0x7f9a8125e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#74 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#75 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#76 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#77 0x7f9a8125e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#78 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#79 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#80 0x7f9a95fc01c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#81 0x42476c in _start (/home/fuzzer/dev/firefox/firefox+0x42476c)
0x7f9a62ffc9d8 is located 139736 bytes inside of 1048576-byte region [0x7f9a62fda800,0x7f9a630da800)
freed by thread T0 (file:// Content) here:
#0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7f9a7cd6229d in ~nsTSubstring /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:77:5
#2 0x7f9a7cd6229d in mozilla::dom::CollectScriptTelemetry(nsIIncrementalStreamLoader*, mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:219
#3 0x7f9a7cd5decf in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1529:3
#4 0x7f9a7cd42a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#5 0x7f9a7cd41b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#6 0x7f9a776570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#7 0x7f9a776570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#8 0x7f9a7765055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#9 0x7f9a7765c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#10 0x7f9a755d2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#11 0x7f9a755f1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#12 0x7f9a7560d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#13 0x7f9a764d9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#14 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#15 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#16 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#17 0x7f9a7cfb851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#18 0x7f9a8125e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#19 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#20 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#21 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#22 0x7f9a8125e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#23 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#24 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#25 0x7f9a95fc01c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
previously allocated by thread T0 (file:// Content) here:
#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f9a7542a95a in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:256:22
#2 0x7f9a7542a95a in nsTSubstring<char16_t>::MutatePrep(unsigned int, char16_t**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:167
#3 0x7f9a7543f456 in nsTSubstring<char16_t>::SetCapacity(unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:782:8
#4 0x7f9a754158ac in SetLength /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:822:8
#5 0x7f9a754158ac in AppendASCIItoUTF16(nsTSubstring<char> const&, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsReadableUtils.cpp:199
#6 0x7f9a7846e8fd in nsTextFragment::AppendTo(nsTSubstring<char16_t>&, std::nothrow_t const&) const /builds/worker/workspace/build/src/dom/base/nsTextFragment.h:177:14
#7 0x7f9a7844908c in AppendNodeTextContent /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5400:23
#8 0x7f9a7844908c in nsContentUtils::GetNodeTextContent(nsINode*, bool, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:7540
#9 0x7f9a7b6b6ae0 in GetText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:158:8
#10 0x7f9a7b6b6ae0 in GetScriptText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:192
#11 0x7f9a7b6b6ae0 in non-virtual thunk to mozilla::dom::HTMLScriptElement::GetScriptText(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp
#12 0x7f9a7cd62277 in mozilla::dom::CollectScriptTelemetry(nsIIncrementalStreamLoader*, mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:217:27
#13 0x7f9a7cd5decf in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1529:3
#14 0x7f9a7cd42a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#15 0x7f9a7cd41b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#16 0x7f9a776570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#17 0x7f9a776570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#18 0x7f9a7765055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#19 0x7f9a7765c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#20 0x7f9a755d2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#21 0x7f9a755f1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#22 0x7f9a7560d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#23 0x7f9a764d9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#24 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#25 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#26 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#27 0x7f9a7cfb851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#28 0x7f9a8125e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#29 0x7f9a7642b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#30 0x7f9a7642b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#31 0x7f9a7642b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#32 0x7f9a8125e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#33 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#34 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#35 0x7f9a95fc01c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/js/src/gc/Heap.h:630:13 in markIfUnmarked
Shadow bytes around the buggy address:
0x0ff3cc5f78e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f78f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7900: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7910: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0ff3cc5f7930: fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd fd fd
0x0ff3cc5f7940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0ff3cc5f7980: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==19734==ABORTING
Reporter
Comment 4•8 years ago
There have been no problems with dconf this time, so it's strange
Crash Annotation GraphicsCriticalError: |[0][GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT (t=0.725359) [GFX1-]: [OPENGL] Failed to init compositor with reason: FEATURE_FAILURE_OPENGL_CREATE_CONTEXT
DOMFuzzHelper created
JavaScript error: jar:file:///home/fuzzer/dev/firefox/omni.ja!/components/captivedetect.js, line 236: NS_ERROR_FAILURE: No canonical URL set up.
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
DOMFuzzHelper created
=================================================================
==30333==ERROR: AddressSanitizer: heap-use-after-free on address 0x7fb8a21fffe8 at pc 0x7fb8c27e2872 bp 0x7ffff83700d0 sp 0x7ffff83700c8
READ of size 4 at 0x7fb8a21fffe8 thread T0 (file:// Content)
#0 0x7fb8c27e2871 in GetCellLocation /builds/worker/workspace/build/src/obj-firefox/dist/include/js/HeapAPI.h:414:12
#1 0x7fb8c27e2871 in IsInsideNursery /builds/worker/workspace/build/src/obj-firefox/dist/include/js/HeapAPI.h:433
#2 0x7fb8c27e2871 in isTenured /builds/worker/workspace/build/src/js/src/gc/Cell.h:55
#3 0x7fb8c27e2871 in CanCheckGrayBits /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8923
#4 0x7fb8c27e2871 in js::gc::detail::CellIsMarkedGrayIfKnown(js::gc::Cell const*) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8948
#5 0x7fb8b4f5043e in GCThingIsMarkedGray /builds/worker/workspace/build/src/obj-firefox/dist/include/js/HeapAPI.h:491:12
#6 0x7fb8b4f5043e in TraversalTracer::onChild(JS::GCCellPtr const&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:417
#7 0x7fb8b4f68f6c in JS::CallbackTracer::onObjectGroupEdge(js::ObjectGroup**) /builds/worker/workspace/build/src/obj-firefox/dist/include/js/TracingAPI.h:156:9
#8 0x7fb8c2857370 in dispatchToOnEdge /builds/worker/workspace/build/src/obj-firefox/dist/include/js/TracingAPI.h:245:55
#9 0x7fb8c2857370 in js::ObjectGroup* DoCallback<js::ObjectGroup*>(JS::CallbackTracer*, js::ObjectGroup**, char const*) /builds/worker/workspace/build/src/js/src/gc/Tracer.cpp:47
#10 0x7fb8c1f44c9f in JSObject::traceChildren(JSTracer*) /builds/worker/workspace/build/src/js/src/vm/JSObject.cpp:3931:5
#11 0x7fb8c28588b4 in TraceChildren /builds/worker/workspace/build/src/js/src/gc/Tracer.cpp:127:5
#12 0x7fb8c28588b4 in JS::TraceChildren(JSTracer*, JS::GCCellPtr) /builds/worker/workspace/build/src/js/src/gc/Tracer.cpp:107
#13 0x7fb8b4f4fcc1 in NoteGCThingJSChildren /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:677:3
#14 0x7fb8b4f4fcc1 in mozilla::CycleCollectedJSRuntime::TraverseGCThing(mozilla::CycleCollectedJSRuntime::TraverseSelect, JS::GCCellPtr, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:735
#15 0x7fb8b4f4f957 in mozilla::JSGCThingParticipant::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:374:12
#16 0x7fb8b4f77dde in TraverseNativeAndJS /builds/worker/workspace/build/src/xpcom/base/nsCycleCollectionParticipant.h:133:19
#17 0x7fb8b4f77dde in CCGraphBuilder::BuildGraph(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2336
#18 0x7fb8b4f7fb7e in nsCycleCollector::MarkRoots(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2957:33
#19 0x7fb8b4f86a9c in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3750:9
#20 0x7fb8b4f8a8c2 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
#21 0x7fb8b840614e in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1488:3
#22 0x7fb8b7f7c9bb in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1271:3
#23 0x7fb8b511d421 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#24 0x7fb8b6a525be in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1951:12
#25 0x7fb8b6a525be in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1267
#26 0x7fb8b6a525be in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1234
#27 0x7fb8b6a59258 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:911:12
#28 0x7fb8c103c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#29 0x7fb8c103c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#30 0x7fb8c1026ec8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#31 0x7fb8c1026ec8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#32 0x7fb8c100d5c7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#33 0x7fb8c103c155 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#34 0x7fb8c103d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#35 0x7fb8c1b636ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#36 0x7fb8b697c01c in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#37 0x7fb8c103c3d7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
#38 0x7fb8c103c3d7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
#39 0x7fb8c1026ec8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
#40 0x7fb8c1026ec8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
#41 0x7fb8c100d5c7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
#42 0x7fb8c103c155 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
#43 0x7fb8c103d3d2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
#44 0x7fb8c1b636ad in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#45 0x7fb8b9f0080e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
#46 0x7fb8baee1990 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#47 0x7fb8baee1990 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#48 0x7fb8baea7afc in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1121:51
#49 0x7fb8baea92dc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1290:20
#50 0x7fb8bae93697 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:528:16
#51 0x7fb8bae974c3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:934:9
#52 0x7fb8bae9983c in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1013:12
#53 0x7fb8b83ebd78 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1084:5
#54 0x7fb8b7f2e134 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4484:28
#55 0x7fb8b7f2def4 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4452:10
#56 0x7fb8bceac029 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) /builds/worker/workspace/build/src/layout/style/Loader.cpp:316:3
#57 0x7fb8bceac3ec in AfterProcessNextEvent /builds/worker/workspace/build/src/layout/style/Loader.cpp:299:3
#58 0x7fb8bceac3ec in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/workspace/build/src/layout/style/Loader.cpp
#59 0x7fb8b50f20a2 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1125:3
#60 0x7fb8b510d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#61 0x7fb8b5fd9e6a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#62 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#63 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#64 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#65 0x7fb8bcab851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#66 0x7fb8c0d5e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#67 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#68 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#69 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#70 0x7fb8c0d5e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#71 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#72 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#73 0x7fb8d5a771c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#74 0x42476c in _start (/home/fuzzer/dev/firefox/firefox+0x42476c)
0x7fb8a21fffe8 is located 559080 bytes inside of 1048576-byte region [0x7fb8a2177800,0x7fb8a2277800)
freed by thread T0 (file:// Content) here:
#0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7fb8bc867653 in ~nsTSubstring /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTSubstring.h:77:5
#2 0x7fb8bc867653 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2334
#3 0x7fb8bc86146b in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1956:10
#4 0x7fb8bc85e821 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1595:10
#5 0x7fb8bc842a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#6 0x7fb8bc841b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#7 0x7fb8b71570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#8 0x7fb8b71570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#9 0x7fb8b715055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#10 0x7fb8b715c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#11 0x7fb8b50d2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#12 0x7fb8b50f1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#13 0x7fb8b510d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#14 0x7fb8b5fd9e56 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
#15 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#16 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#17 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#18 0x7fb8bcab851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#19 0x7fb8c0d5e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#20 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#21 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#22 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#23 0x7fb8c0d5e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#24 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#25 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#26 0x7fb8d5a771c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
previously allocated by thread T0 (file:// Content) here:
#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7fb8b4f2a95a in Alloc /builds/worker/workspace/build/src/xpcom/string/nsSubstring.cpp:256:22
#2 0x7fb8b4f2a95a in nsTSubstring<char16_t>::MutatePrep(unsigned int, char16_t**, mozilla::detail::StringDataFlags*) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:167
#3 0x7fb8b4f3f456 in nsTSubstring<char16_t>::SetCapacity(unsigned int, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:782:8
#4 0x7fb8b4f158ac in SetLength /builds/worker/workspace/build/src/xpcom/string/nsTSubstring.cpp:822:8
#5 0x7fb8b4f158ac in AppendASCIItoUTF16(nsTSubstring<char> const&, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/xpcom/string/nsReadableUtils.cpp:199
#6 0x7fb8b7f6e8fd in nsTextFragment::AppendTo(nsTSubstring<char16_t>&, std::nothrow_t const&) const /builds/worker/workspace/build/src/dom/base/nsTextFragment.h:177:14
#7 0x7fb8b7f4908c in AppendNodeTextContent /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5400:23
#8 0x7fb8b7f4908c in nsContentUtils::GetNodeTextContent(nsINode*, bool, nsTSubstring<char16_t>&, std::nothrow_t const&) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:7540
#9 0x7fb8bb1b6ae0 in GetText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:158:8
#10 0x7fb8bb1b6ae0 in GetScriptText /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp:192
#11 0x7fb8bb1b6ae0 in non-virtual thunk to mozilla::dom::HTMLScriptElement::GetScriptText(nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/dom/html/HTMLScriptElement.cpp
#12 0x7fb8bc86731c in GetScriptSource /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1878:25
#13 0x7fb8bc86731c in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2326
#14 0x7fb8bc86146b in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1956:10
#15 0x7fb8bc85e821 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1595:10
#16 0x7fb8bc842a08 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1314:10
#17 0x7fb8bc841b85 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:141:18
#18 0x7fb8b71570bb in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:247:18
#19 0x7fb8b71570bb in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:739
#20 0x7fb8b715055f in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:538:7
#21 0x7fb8b715c4ab in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:121:18
#22 0x7fb8b50d2a11 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
#23 0x7fb8b50f1809 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#24 0x7fb8b510d240 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 0x7fb8b5fd9e56 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
#26 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#27 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#28 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#29 0x7fb8bcab851a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#30 0x7fb8c0d5e8bb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#31 0x7fb8b5f2b3f9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#32 0x7fb8b5f2b3f9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#33 0x7fb8b5f2b3f9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#34 0x7fb8c0d5e280 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#35 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#36 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#37 0x7fb8d5a771c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/HeapAPI.h:414:12 in GetCellLocation
Shadow bytes around the buggy address:
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==30333==ABORTING
Updated•7 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
Updated•6 years ago
Group: javascript-core-security