Closed Bug 1460865 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/AudioMixer.h:67:17 in FinishMixing

Category: Core :: Graphics: Canvas2D, defect
Version: 59 Branch
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 1457372

Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Found while fuzzing mozilla-central rev b52b2eb81d1e.  I don't currently have a usable testcase but will update this bug if one becomes available.

==3443==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000fdc80 at pc 0x7f54517ef4fe bp 0x7f53cad19470 sp 0x7f53cad19468
READ of size 8 at 0x6110000fdc80 thread T31 (AudioIPC0)
    #0 0x7f54517ef4fd in FinishMixing /builds/worker/workspace/build/src/dom/media/AudioMixer.h:67:17
    #1 0x7f54517ef4fd in mozilla::MediaStreamGraphImpl::Process() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1306
    #2 0x7f54517efadc in mozilla::MediaStreamGraphImpl::OneIteration(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1356:3
    #3 0x7f5451595a5e in mozilla::AudioCallbackDriver::DataCallback(float const*, float*, long) /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:975:35
    #4 0x7f5458d2e08c in _$LT$audioipc_client..stream..CallbackServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::_$u7b$$u7b$closure$u7d$$u7d$::h255ef58a06b976d7 /builds/worker/workspace/build/src/media/audioipc/client/src/stream.rs:98
    #5 0x7f5458d2e08c in _$LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$GT$::get::he81f30bda4372db6 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:64
    #6 0x7f5458d2e08c in _$LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$u20$as$u20$futures..future..Future$GT$::poll::hc7d3753076f4c2b4 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:82
    #7 0x7f5458d2e08c in futures::future::catch_unwind::_$LT$impl$u20$futures..future..Future$u20$for$u20$std..panic..AssertUnwindSafe$LT$F$GT$$GT$::poll::hfc82a99a53b85aa4 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:49
    #8 0x7f5458d2e08c in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::_$u7b$$u7b$closure$u7d$$u7d$::h42ede3b71abb5754 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #9 0x7f5458d2e08c in std::panicking::try::do_call::h8947529258b9184a /checkout/src/libstd/panicking.rs:480
    #10 0x7f5458d2e08c in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
    #11 0x7f5458d2e08c in std::panicking::try::h86be82cc111cf4a4 /checkout/src/libstd/panicking.rs:459
    #12 0x7f5458d2e08c in std::panic::catch_unwind::h4e7cb1cde312e0d8 /checkout/src/libstd/panic.rs:365
    #13 0x7f5458d2e08c in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::hc0a139277a4c2850 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #14 0x7f5458d2e08c in _$LT$futures_cpupool..MySender$LT$F$C$$u20$core..result..Result$LT$$LT$F$u20$as$u20$futures..future..Future$GT$..Item$C$$u20$$LT$F$u20$as$u20$futures..future..Future$GT$..Error$GT$$GT$$u20$as$u20$futures..future..Future$GT$::poll::h7241a9199d4e8186 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:325
    #15 0x7f5458d4054e in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::hef8bd2de4bf79d01 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/mod.rs:113
    #16 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::poll_future_notify::_$u7b$$u7b$closure$u7d$$u7d$::hcd4766cff7f42aaf /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:289
    #17 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::_$u7b$$u7b$closure$u7d$$u7d$::hd8d6e2b5a1290ea4 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:363
    #18 0x7f5458d4054e in futures::task_impl::std::set::he185d5ee772f8476 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/std/mod.rs:78
    #19 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::hd0619d29abd021b9 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:363
    #20 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::poll_future_notify::h4c5d0c4fac5b8449 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:289
    #21 0x7f5458d4054e in futures::task_impl::std::Run::run::hcd87035f17c3eba8 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/std/mod.rs:450
    #22 0x7f5458d4054e in futures_cpupool::Inner::work::h2a7fea8576a09348 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:257
    #23 0x7f5458d4054e in futures_cpupool::Builder::create::_$u7b$$u7b$closure$u7d$$u7d$::he49fe1c37e6f3937 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:427
    #24 0x7f5458d4054e in std::sys_common::backtrace::__rust_begin_short_backtrace::hbaa0bfa0b267eb5e /checkout/src/libstd/sys_common/backtrace.rs:133
    #25 0x7f5458d3f65b in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hf8f6b25d8360e7a4 /checkout/src/libstd/thread/mod.rs:406
    #26 0x7f5458d3f65b in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8c0df1bb9b89c35d /checkout/src/libstd/panic.rs:300
    #27 0x7f5458d3f65b in std::panicking::try::do_call::ha320786fe0e95bf0 /checkout/src/libstd/panicking.rs:480
    #28 0x7f5458d3f65b in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
    #29 0x7f5458d3f65b in std::panicking::try::ha16e16d3bf07c8eb /checkout/src/libstd/panicking.rs:459
    #30 0x7f5458d3f65b in std::panic::catch_unwind::h5af12cea0e16f260 /checkout/src/libstd/panic.rs:365
    #31 0x7f5458d3f65b in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h8341ff335d15fac7 /checkout/src/libstd/thread/mod.rs:405
    #32 0x7f5458d3f65b in _$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$::call_box::hd9f2045bf4e2fd53 /checkout/src/liballoc/boxed.rs:815
    #33 0x7f54592d2fb3 in _$LT$alloc..boxed..Box$LT$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::hf6357ae8c4e17346 /checkout/src/liballoc/boxed.rs:825
    #34 0x7f54592d2fb3 in std::sys_common::thread::start_thread::hebf0035ba4789615 /checkout/src/libstd/sys_common/thread.rs:24
    #35 0x7f54592d2fb3 in std::sys::unix::thread::Thread::new::thread_start::hd71cb092e75e9bed /checkout/src/libstd/sys/unix/thread.rs:90
    #36 0x7f546bb926b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #37 0x7f546ac0f41c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

0x6110000fdc80 is located 64 bytes inside of 224-byte region [0x6110000fdc40,0x6110000fdd20)
freed by thread T163 (CubebOp~tion #3) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f545158ebd7 in Release /builds/worker/workspace/build/src/dom/media/GraphDriver.h:118:3
    #2 0x7f545158ebd7 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #3 0x7f545158ebd7 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #4 0x7f545158ebd7 in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:66
    #5 0x7f545158ebd7 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:168
    #6 0x7f545158ebd7 in mozilla::AsyncCubebTask::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:512
    #7 0x7f544b2fa7c7 in nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:229:14
    #8 0x7f544b2faf3c in non-virtual thunk to nsThreadPool::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp
    #9 0x7f544b2e3f63 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #10 0x7f544b2ffb30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #11 0x7f544c1df7cc in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:364:5
    #12 0x7f544c132649 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #13 0x7f544c132649 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #14 0x7f544c132649 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #15 0x7f544b2de8c8 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:425:11
    #16 0x7f546858c47e in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #17 0x7f546bb926b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

previously allocated by thread T31 (AudioIPC0) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f54517e734a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f54517e734a in mozilla::MediaStreamGraphImpl::OpenAudioInputImpl(int, mozilla::AudioDataListener*) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:831
    #4 0x7f54517eb27a in mozilla::MediaStreamGraphImpl::RunMessagesInQueue() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1141:20
    #5 0x7f54517efa84 in mozilla::MediaStreamGraphImpl::OneIteration(long) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1349:3
    #6 0x7f5451595a5e in mozilla::AudioCallbackDriver::DataCallback(float const*, float*, long) /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:975:35
    #7 0x7f5458d2e08c in _$LT$audioipc_client..stream..CallbackServer$u20$as$u20$audioipc..rpc..server..Server$GT$::process::_$u7b$$u7b$closure$u7d$$u7d$::h255ef58a06b976d7 /builds/worker/workspace/build/src/media/audioipc/client/src/stream.rs:98
    #8 0x7f5458d2e08c in _$LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$GT$::get::he81f30bda4372db6 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:64
    #9 0x7f5458d2e08c in _$LT$futures..future..lazy..Lazy$LT$F$C$$u20$R$GT$$u20$as$u20$futures..future..Future$GT$::poll::hc7d3753076f4c2b4 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/lazy.rs:82
    #10 0x7f5458d2e08c in futures::future::catch_unwind::_$LT$impl$u20$futures..future..Future$u20$for$u20$std..panic..AssertUnwindSafe$LT$F$GT$$GT$::poll::hfc82a99a53b85aa4 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:49
    #11 0x7f5458d2e08c in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::_$u7b$$u7b$closure$u7d$$u7d$::h42ede3b71abb5754 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #12 0x7f5458d2e08c in std::panicking::try::do_call::h8947529258b9184a /checkout/src/libstd/panicking.rs:480
    #13 0x7f5458d2e08c in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
    #14 0x7f5458d2e08c in std::panicking::try::h86be82cc111cf4a4 /checkout/src/libstd/panicking.rs:459
    #15 0x7f5458d2e08c in std::panic::catch_unwind::h4e7cb1cde312e0d8 /checkout/src/libstd/panic.rs:365
    #16 0x7f5458d2e08c in _$LT$futures..future..catch_unwind..CatchUnwind$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::hc0a139277a4c2850 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/catch_unwind.rs:32
    #17 0x7f5458d2e08c in _$LT$futures_cpupool..MySender$LT$F$C$$u20$core..result..Result$LT$$LT$F$u20$as$u20$futures..future..Future$GT$..Item$C$$u20$$LT$F$u20$as$u20$futures..future..Future$GT$..Error$GT$$GT$$u20$as$u20$futures..future..Future$GT$::poll::h7241a9199d4e8186 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:325
    #18 0x7f5458d4054e in _$LT$alloc..boxed..Box$LT$F$GT$$u20$as$u20$futures..future..Future$GT$::poll::hef8bd2de4bf79d01 /builds/worker/workspace/build/src/third_party/rust/futures/src/future/mod.rs:113
    #19 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::poll_future_notify::_$u7b$$u7b$closure$u7d$$u7d$::hcd4766cff7f42aaf /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:289
    #20 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::_$u7b$$u7b$closure$u7d$$u7d$::hd8d6e2b5a1290ea4 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:363
    #21 0x7f5458d4054e in futures::task_impl::std::set::he185d5ee772f8476 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/std/mod.rs:78
    #22 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::enter::hd0619d29abd021b9 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:363
    #23 0x7f5458d4054e in _$LT$futures..task_impl..Spawn$LT$T$GT$$GT$::poll_future_notify::h4c5d0c4fac5b8449 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/mod.rs:289
    #24 0x7f5458d4054e in futures::task_impl::std::Run::run::hcd87035f17c3eba8 /builds/worker/workspace/build/src/third_party/rust/futures/src/task_impl/std/mod.rs:450
    #25 0x7f5458d4054e in futures_cpupool::Inner::work::h2a7fea8576a09348 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:257
    #26 0x7f5458d4054e in futures_cpupool::Builder::create::_$u7b$$u7b$closure$u7d$$u7d$::he49fe1c37e6f3937 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:427
    #27 0x7f5458d4054e in std::sys_common::backtrace::__rust_begin_short_backtrace::hbaa0bfa0b267eb5e /checkout/src/libstd/sys_common/backtrace.rs:133
    #28 0x7f5458d3f65b in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::_$u7b$$u7b$closure$u7d$$u7d$::hf8f6b25d8360e7a4 /checkout/src/libstd/thread/mod.rs:406
    #29 0x7f5458d3f65b in _$LT$std..panic..AssertUnwindSafe$LT$F$GT$$u20$as$u20$core..ops..function..FnOnce$LT$$LP$$RP$$GT$$GT$::call_once::h8c0df1bb9b89c35d /checkout/src/libstd/panic.rs:300
    #30 0x7f5458d3f65b in std::panicking::try::do_call::ha320786fe0e95bf0 /checkout/src/libstd/panicking.rs:480
    #31 0x7f5458d3f65b in __rust_maybe_catch_panic /checkout/src/libpanic_abort/lib.rs:38
    #32 0x7f5458d3f65b in std::panicking::try::ha16e16d3bf07c8eb /checkout/src/libstd/panicking.rs:459
    #33 0x7f5458d3f65b in std::panic::catch_unwind::h5af12cea0e16f260 /checkout/src/libstd/panic.rs:365
    #34 0x7f5458d3f65b in std::thread::Builder::spawn::_$u7b$$u7b$closure$u7d$$u7d$::h8341ff335d15fac7 /checkout/src/libstd/thread/mod.rs:405
    #35 0x7f5458d3f65b in _$LT$F$u20$as$u20$alloc..boxed..FnBox$LT$A$GT$$GT$::call_box::hd9f2045bf4e2fd53 /checkout/src/liballoc/boxed.rs:815
    #36 0x7f54592d2fb3 in _$LT$alloc..boxed..Box$LT$alloc..boxed..FnBox$LT$A$C$$u20$Output$u3d$R$GT$$u20$$u2b$$u20$$u27$a$GT$$u20$as$u20$core..ops..function..FnOnce$LT$A$GT$$GT$::call_once::hf6357ae8c4e17346 /checkout/src/liballoc/boxed.rs:825
    #37 0x7f54592d2fb3 in std::sys_common::thread::start_thread::hebf0035ba4789615 /checkout/src/libstd/sys_common/thread.rs:24
    #38 0x7f54592d2fb3 in std::sys::unix::thread::Thread::new::thread_start::hd71cb092e75e9bed /checkout/src/libstd/sys/unix/thread.rs:90
    #39 0x7f546bb926b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Thread T31 (AudioIPC0) created by T0 (file:// Content) here:
    #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f54592d2ce4 in std::sys::unix::thread::Thread::new::hfacd17f85cfe49c8 /checkout/src/libstd/sys/unix/thread.rs:78
    #2 0x7f5458d1d943 in std::thread::Builder::spawn::hcff4ffa19967b409 /checkout/src/libstd/thread/mod.rs:416
    #3 0x7f5458d1d943 in futures_cpupool::Builder::create::h2293b415d3288208 /builds/worker/workspace/build/src/third_party/rust/futures-cpupool/src/lib.rs:427
    #4 0x7f5458d1d943 in _$LT$audioipc_client..context..ClientContext$u20$as$u20$cubeb_backend..traits..ContextOps$GT$::init::_$u7b$$u7b$closure$u7d$$u7d$::hebf51216ea4fa046 /builds/worker/workspace/build/src/media/audioipc/client/src/context.rs:121
    #5 0x7f5458d1d943 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::try_with::hb6615986bad3fa5f /checkout/src/libstd/thread/local.rs:377
    #6 0x7f5458d1d943 in _$LT$std..thread..local..LocalKey$LT$T$GT$$GT$::with::hc556f0429e807045 /checkout/src/libstd/thread/local.rs:288
    #7 0x7f5458d1d943 in _$LT$audioipc_client..context..ClientContext$u20$as$u20$cubeb_backend..traits..ContextOps$GT$::init::h8310c60be768aaa6 /builds/worker/workspace/build/src/media/audioipc/client/src/context.rs:119
    #8 0x7f5458d3f228 in cubeb_backend::capi::capi_init::h3cfdebd406e31fab /builds/worker/workspace/build/src/third_party/rust/cubeb-backend/src/capi.rs:67
    #9 0x7f5458d3f228 in audioipc_client_init /builds/worker/workspace/build/src/media/audioipc/client/src/lib.rs:105
    #10 0x7f54514b0421 in mozilla::CubebUtils::GetCubebContextUnlocked() /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:436:10
    #11 0x7f54514b06eb in mozilla::CubebUtils::InitPreferredSampleRate() /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:307:20
    #12 0x7f54514b0789 in mozilla::CubebUtils::PreferredSampleRate() /builds/worker/workspace/build/src/dom/media/CubebUtils.cpp:329:8
    #13 0x7f5451804e07 in mozilla::MediaStreamGraph::GetInstance(mozilla::MediaStreamGraph::GraphDriverType, nsPIDOMWindowInner*, int) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:3700:54
    #14 0x7f545154bc43 in mozilla::dom::CanvasCaptureMediaStream::CreateSourceStream(nsPIDOMWindowInner*, mozilla::dom::HTMLCanvasElement*) /builds/worker/workspace/build/src/dom/media/CanvasCaptureMediaStream.cpp:290:5
    #15 0x7f5451260545 in mozilla::dom::HTMLCanvasElement::CaptureStream(mozilla::dom::Optional<double> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:772:5
    #16 0x7f54504570a0 in mozilla::dom::HTMLCanvasElementBinding::captureStream(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:682:76
    #17 0x7f545093e721 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3260:13
    #18 0x7f54571e9027 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15
    #19 0x7f54571e9027 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #20 0x7f54573c641b in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2382:14
    #21 0x19d277ea62f7  (<unknown module>)
    #22 0x621000c88077  (<unknown module>)
    #23 0x19d277ea04e1  (<unknown module>)
    #24 0x7f54573efd6d in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:149:9
    #25 0x7f54573efd6d in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:226
    #26 0x7f54571dea3f in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2037:28
    #27 0x7f54571b9fe3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #28 0x7f54571e8da5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #29 0x7f54571ea022 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #30 0x7f5457d21f6a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2989:12
    #31 0x7f54500cacf5 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #32 0x7f5451070c2e in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #33 0x7f5451070c2e in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1118
    #34 0x7f545107238b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1288:20
    #35 0x7f545105c737 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:528:16
    #36 0x7f5451060533 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:961:9
    #37 0x7f5453340068 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1064:7
    #38 0x7f5456499452 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7246:21
    #39 0x7f5456495879 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7039:7
    #40 0x7f545649d07f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #41 0x7f544d118297 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1315:3
    #42 0x7f544d11731a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:858:14
    #43 0x7f544d113ef5 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:747:9
    #44 0x7f544d115ebc in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:632:5
    #45 0x7f544d116edc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #46 0x7f544b4cd2ea in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #47 0x7f544e4f6a9a in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8401:18
    #48 0x7f544e4f6a9a in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8323
    #49 0x7f544e4d7414 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5303:3
    #50 0x7f544e5e9da4 in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1165:12
    #51 0x7f544e5e9da4 in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1171
    #52 0x7f544e5e9da4 in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216
    #53 0x7f544b2c52a1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #54 0x7f544b2e3f63 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1090:14
    #55 0x7f544b2ffb30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #56 0x7f544c1de65a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7f544c132649 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #58 0x7f544c132649 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #59 0x7f544c132649 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #60 0x7f5452ca5efa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #61 0x7f5456f0032b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #62 0x7f544c132649 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #63 0x7f544c132649 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #64 0x7f544c132649 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #65 0x7f5456effcf0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #66 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #67 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #68 0x7f546ab2882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

Thread T163 (CubebOp~tion #3) created by T0 (file:// Content) here:
    #0 0x4ae80d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
    #1 0x7f54685891cf in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
    #2 0x7f5468588dbe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
    #3 0x7f544b2e0843 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:608:8
    #4 0x7f544b2e9f4a in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:471:22
    #5 0x7f544b2f951f in NS_NewNamedThread /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:143:45
    #6 0x7f544b2f951f in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:109
    #7 0x7f544b2fb0f6 in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:278:5
    #8 0x7f545159325d in Dispatch /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIEventTarget.h:37:14
    #9 0x7f545159325d in Dispatch /builds/worker/workspace/build/src/dom/media/GraphDriver.h:583
    #10 0x7f545159325d in mozilla::AudioCallbackDriver::Revive() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:794
    #11 0x7f54517f105d in mozilla::MediaStreamGraphImpl::RunInStableState(bool) /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1666:19
    #12 0x7f545181a2ba in mozilla::(anonymous namespace)::MediaStreamGraphStableStateRunnable::Run() /builds/worker/workspace/build/src/dom/media/MediaStreamGraph.cpp:1544:15
    #13 0x7f544b13e700 in mozilla::CycleCollectedJSContext::ProcessStableStateQueue() /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:312:12
    #14 0x7f544b140895 in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:377:3
    #15 0x7f544cbd9aad in XPCJSContext::AfterProcessTask(unsigned int) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSContext.cpp:1258:30
    #16 0x7f544b2e4a4d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1125:24
    #17 0x7f544b2ffb30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #18 0x7f544c1de65a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #19 0x7f544c132649 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #20 0x7f544c132649 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #21 0x7f544c132649 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #22 0x7f5452ca5efa in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #23 0x7f5456f0032b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #24 0x7f544c132649 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #25 0x7f544c132649 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #26 0x7f544c132649 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #27 0x7f5456effcf0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #28 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #29 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282
    #30 0x7f546ab2882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/media/AudioMixer.h:67:17 in FinishMixing
Shadow bytes around the buggy address:
  0x0c2280017b40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280017b50: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280017b60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280017b70: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c2280017b80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2280017b90:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280017ba0: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2280017bb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2280017bc0: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
  0x0c2280017bd0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c2280017be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3443==ABORTING
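The two stacks above share one shape: the AudioIPC0 thread is inside the graph's data callback (FinishMixing) while the CubebOperation thread runs AsyncCubebTask::Run and reassigns a RefPtr, whose Release frees the driver the callback is still reading. The following is an added example, not Gecko code or the bug's actual root cause: a minimal model of that shape, with std::shared_ptr standing in for mozilla::RefPtr, a hypothetical Driver for the object freed at GraphDriver.h:118, and a hypothetical Graph for the object whose callback was still mixing. The driver switch is called inline rather than on a second thread so the "switch happens mid-callback" interleaving is deterministic.

```cpp
// Added example (not Gecko code). Names are hypothetical stand-ins.
#include <memory>
#include <mutex>
#include <vector>

struct Driver {
  // Stands in for the mixer state that FinishMixing reads.
  std::vector<float> mixBuffer = std::vector<float>(64, 0.0f);
  int Mix() const { return static_cast<int>(mixBuffer.size()); }
};

struct Graph {
  std::mutex monitor;               // graph lock: protects the slot, not the object's lifetime
  std::shared_ptr<Driver> current;  // slot that driver-switch code reassigns

  // In the real bug this runs on a CubebOperation pool thread; it is called
  // inline here so the interleaving is deterministic.
  void SwitchDriver() {
    std::lock_guard<std::mutex> g(monitor);
    current = std::make_shared<Driver>();  // last owner of the old driver drops it here
  }

  // Unsafe pattern: copy only the raw pointer out under the lock, keep using it after.
  // Returns whether the old driver was still alive when Mix would have run.
  bool CallbackWithRawPointer() {
    Driver* raw = nullptr;
    std::weak_ptr<Driver> probe;  // observer only: checks liveness without dereferencing
    {
      std::lock_guard<std::mutex> g(monitor);
      raw = current.get();
      probe = current;
    }
    SwitchDriver();  // the "other thread" releases the old driver
    const bool alive = !probe.expired();
    if (alive) {
      raw->Mix();  // not reached in this interleaving; dereferencing raw here is the UAF
    }
    return alive;
  }

  // Hardened pattern: hold a strong reference for the whole callback.
  bool CallbackWithStrongRef() {
    std::shared_ptr<Driver> keepAlive;
    {
      std::lock_guard<std::mutex> g(monitor);
      keepAlive = current;
    }
    std::weak_ptr<Driver> probe = keepAlive;
    SwitchDriver();  // slot is reassigned, but keepAlive still owns the old driver
    const bool alive = !probe.expired();
    keepAlive->Mix();  // safe: freed only when keepAlive goes out of scope
    return alive;
  }
};

// false: the driver was freed out from under the raw pointer.
bool RawPointerDriverSurvives() {
  Graph g;
  g.current = std::make_shared<Driver>();
  return g.CallbackWithRawPointer();
}

// true: the callback's own reference kept the driver alive across the switch.
bool StrongRefDriverSurvives() {
  Graph g;
  g.current = std::make_shared<Driver>();
  return g.CallbackWithStrongRef();
}

int main() {
  return (!RawPointerDriverSurvives() && StrongRefDriverSurvives()) ? 0 : 1;
}
```

The point the model isolates is that taking the graph lock while reading the slot does nothing for the object's lifetime once the lock is dropped; only a reference owned by the callback itself (or a guarantee that the switch cannot run until the callback returns) closes the window. Under ASan the unsafe variant is what produces a heap-use-after-free with the allocation and free attributed to different threads, as in the report above.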
Go figure, I was just asking Karl about bug 1457372 the other day. Maybe this will give us some insight.
Group: core-security → media-core-security
See Also: → 1457372
Jason: any hope of a reliable testcase? If not we probably should just dupe to bug 1457372
Flags: needinfo?(jthomas)
Flags: needinfo?(jthomas) → needinfo?(jkratzer)
Unfortunately not.  It's triggered twice since I filed this but none of the testcases have been reproducible.
Flags: needinfo?(jkratzer)
Thank you for filing, Jason.

This is the same as bug 1457372, and so I think we should track there.

The fact that OpenAudioInputImpl and Revive have both been involved again may be significant, but I can't draw concrete conclusions about thread creators because these threads are reused from a pool.

Even if the testcases are not reproducible, if you have one that is known to have reproduced once without the need to run the browser for too long, then I could try running repeatedly with rr --chaos.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE

Removing employee no longer with company from CC list of private bugs.

Group: media-core-security