Closed
Bug 1469328
Opened 7 years ago
Closed 6 years ago
AddressSanitizer: heap-use-after-free [@ mozilla::gfx::VRDisplayPresentation::CreateLayers] with READ of size 8
Categories
(Core :: WebVR, defect)
Core
WebVR
RESOLVED
WORKSFORME
 | Tracking | Status
---|---|---
firefox62 | --- | affected
People
(Reporter: truber, Assigned: kip)
References
(Blocks 1 open bug)
Details
(4 keywords)
Crash observed while fuzzing m-c 20180610-8ab6afabc78c on macosx64. At this time I don't have a testcase to reproduce the issue. We have also seen the same stack on linux but as a null dereference.
==9161==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400b17a1a8 at pc 0x0001136e36e9 bp 0x7fff5c30ead0 sp 0x7fff5c30eac8
READ of size 8 at 0x60400b17a1a8 thread T0
#0 0x1136e36e8 in mozilla::gfx::VRDisplayPresentation::CreateLayers() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3adc6e8)
#1 0x119585e13 in mozilla::dom::VRDisplay::RequestPresent(nsTArray<mozilla::dom::VRLayer> const&, mozilla::dom::CallerType, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x997ee13)
#2 0x115b429c1 in mozilla::dom::VRDisplayBinding::requestPresent_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRDisplay*, JSJitMethodCallArgs const&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x5f3b9c1)
#3 0x116e21a14 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x721aa14)
#4 0x11eb04b83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefdb83)
#5 0x11eaef2c7 in Interpret(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeee82c7)
#6 0x11ead4e08 in js::RunScript(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeecde08)
#7 0x11eb052e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefe2e1)
#8 0x11eb06162 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeeff162)
#9 0x11ec61410 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xf05a410)
#10 0x11eb04b83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefdb83)
#11 0x11eb06162 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeeff162)
#12 0x11f7a4cc3 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfb9dcc3)
#13 0x114dfa5c0 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x51f35c0)
#14 0x10fccda88 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xc6a88)
#15 0x10fca4900 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9d900)
#16 0x117655ca0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a4eca0)
#17 0x117657697 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a50697)
#18 0x11763b497 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a34497)
#19 0x1176393dc in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a323dc)
#20 0x117640016 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a39016)
#21 0x11a3d9ac8 in nsDocumentViewer::LoadComplete(nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xa7d2ac8)
#22 0x11d80f550 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc08550)
#23 0x11d80a01e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc0301e)
#24 0x11d814485 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc0d485)
#25 0x1125cf0d1 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c80d1)
#26 0x1125cdd35 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c6d35)
#27 0x1125c988b in nsDocLoader::DocLoaderIsEmpty(bool) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c288b)
#28 0x1125cc2fd in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c52fd)
#29 0x1125cd872 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c6872)
#30 0x11013c7b1 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x5357b1)
#31 0x113f7f5dd in nsDocument::UnblockOnload(bool) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x43785dd)
#32 0x113f59252 in nsIDocument::DispatchContentLoadedEvents() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x4352252)
#33 0x11409923c in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x449223c)
#34 0x10feb5912 in mozilla::SchedulerGroup::Runnable::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ae912)
#35 0x10fee050e in nsThread::ProcessNextEvent(bool, bool*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2d950e)
#36 0x10ff05022 in NS_ProcessPendingEvents(nsIThread*, unsigned int) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2fe022)
#37 0x119a4b366 in nsBaseAppShell::NativeEventCallback() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9e44366)
#38 0x119be9cd3 in nsAppShell::ProcessGeckoEvents(void*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9fe2cd3)
#39 0x7fffc07cd3e0 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0xa43e0)
#40 0x7fffc07ae65b in __CFRunLoopDoSources0 (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x8565b)
#41 0x7fffc07adb45 in __CFRunLoopRun (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84b45)
#42 0x7fffc07ad543 in CFRunLoopRunSpecific (/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation:x86_64+0x84543)
#43 0x7fffbfd0cebb in RunCurrentEventLoopInMode (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30ebb)
#44 0x7fffbfd0ccf0 in ReceiveNextEventCommon (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30cf0)
#45 0x7fffbfd0cb25 in _BlockUntilNextEventMatchingListInModeWithFilter (/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox:x86_64+0x30b25)
#46 0x7fffbe2a5a53 in _DPSNextEvent (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x46a53)
#47 0x7fffbea217ed in -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x7c27ed)
#48 0x119be735b in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9fe035b)
#49 0x7fffbe29a3da in -[NSApplication run] (/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit:x86_64+0x3b3da)
#50 0x119beb373 in nsAppShell::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9fe4373)
#51 0x11e5fc74e in XRE_RunAppShell() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xe9f574e)
#52 0x110fd8361 in MessageLoop::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x13d1361)
#53 0x11e5fb5af in XRE_InitChildProcess(int, char**, XREChildData const*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xe9f45af)
#54 0x1038e7bf2 in main (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100001bf2)
#55 0x7fffd637e234 in start (/usr/lib/system/libdyld.dylib:x86_64+0x5234)
0x60400b17a1a8 is located 24 bytes inside of 40-byte region [0x60400b17a190,0x60400b17a1b8)
freed by thread T0 here:
#0 0x1041d374d in wrap_free (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x5774d)
#1 0x119586646 in mozilla::dom::VRDisplay::Observe(nsISupports*, char const*, char16_t const*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x997f646)
#2 0x10fd7651a in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x16f51a)
#3 0x10fd79dd5 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x172dd5)
#4 0x113e32fdc in mozilla::WindowDestroyedEvent::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x422bfdc)
#5 0x10feb5912 in mozilla::SchedulerGroup::Runnable::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2ae912)
#6 0x10fee050e in nsThread::ProcessNextEvent(bool, bool*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2d950e)
#7 0x10ff05484 in NS_ProcessNextEvent(nsIThread*, bool) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2fe484)
#8 0x11908e892 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9487892)
#9 0x11913f551 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9538551)
#10 0x11e54e8af in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xe9478af)
#11 0x11e552337 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xe94b337)
#12 0x113bd45d0 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3fcd5d0)
#13 0x113bd3453 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3fcc453)
#14 0x115ed76fe in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x62d06fe)
#15 0x116e22730 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x721b730)
#16 0x11eb04b83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefdb83)
#17 0x11eaef2c7 in Interpret(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeee82c7)
#18 0x11ead4e08 in js::RunScript(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeecde08)
#19 0x11eb052e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefe2e1)
#20 0x11eb06162 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeeff162)
#21 0x11f7a4cc3 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfb9dcc3)
#22 0x1165ee1a2 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x69e71a2)
#23 0x113b7952f in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3f7252f)
#24 0x113b77c7f in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3f70c7f)
#25 0x113e1f2f4 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x42182f4)
#26 0x113e1e305 in mozilla::dom::TimeoutExecutor::MaybeExecute() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x4217305)
#27 0x113e210b2 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x421a0b2)
#28 0x10ff0dad0 in nsTimerImpl::Fire(int) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x306ad0)
#29 0x10fecbdaf in nsTimerEvent::Run() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x2c4daf)
previously allocated by thread T0 here:
#0 0x1041d3593 in wrap_malloc (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x57593)
#1 0x104127e1d in moz_xmalloc (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/libmozglue.dylib:x86_64+0x1e1d)
#2 0x1136e04f0 in mozilla::gfx::VRDisplayClient::BeginPresentation(nsTArray<mozilla::dom::VRLayer> const&, unsigned int) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ad94f0)
#3 0x119585fa6 in mozilla::dom::VRDisplay::RequestPresent(nsTArray<mozilla::dom::VRLayer> const&, mozilla::dom::CallerType, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x997efa6)
#4 0x115b429c1 in mozilla::dom::VRDisplayBinding::requestPresent_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::VRDisplay*, JSJitMethodCallArgs const&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x5f3b9c1)
#5 0x116e21a14 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x721aa14)
#6 0x11eb04b83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefdb83)
#7 0x11eaef2c7 in Interpret(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeee82c7)
#8 0x11ead4e08 in js::RunScript(JSContext*, js::RunState&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeecde08)
#9 0x11eb052e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefe2e1)
#10 0x11eb06162 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeeff162)
#11 0x11ec61410 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xf05a410)
#12 0x11eb04b83 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeefdb83)
#13 0x11eb06162 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xeeff162)
#14 0x11f7a4cc3 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xfb9dcc3)
#15 0x114dfa5c0 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x51f35c0)
#16 0x10fccda88 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xc6a88)
#17 0x10fca4900 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint() (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x9d900)
#18 0x117655ca0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a4eca0)
#19 0x117657697 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a50697)
#20 0x11763b497 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a34497)
#21 0x1176393dc in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a323dc)
#22 0x117640016 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x7a39016)
#23 0x11a3d9ac8 in nsDocumentViewer::LoadComplete(nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xa7d2ac8)
#24 0x11d80f550 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc08550)
#25 0x11d80a01e in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc0301e)
#26 0x11d814485 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0xdc0d485)
#27 0x1125cf0d1 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c80d1)
#28 0x1125cdd35 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c6d35)
#29 0x1125c988b in nsDocLoader::DocLoaderIsEmpty(bool) (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x29c288b)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/truber/builds/m-c-20180610213656-fuzzing-asan-opt/Nightly.app/Contents/MacOS/XUL:x86_64+0x3adc6e8) in mozilla::gfx::VRDisplayPresentation::CreateLayers()
Shadow bytes around the buggy address:
0x1c080162f3e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c080162f3f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c080162f400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c080162f410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c080162f420: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
=>0x1c080162f430: fa fa fd fd fd[fd]fd fa fa fa fd fd fd fd fd fd
0x1c080162f440: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x1c080162f450: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
0x1c080162f460: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
0x1c080162f470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c080162f480: fa fa fa fa fa fa fa fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9161==ABORTING
Updated•7 years ago
Group: dom-core-security → gfx-core-security
Comment 1•7 years ago
I looked at this a little, but I couldn't really figure anything out. The UAF stack and the allocation stack are clearly related, but I don't understand how the free stack is related, even though it should be occurring some time in between the two.
Maybe I just have iterator invalidation on the brain, but my best guess is that we're in VRDisplayPresentation::CreateLayers(), and then iterating over mDOMLayers like so:
for (dom::VRLayer& layer : mDOMLayers) {
This creates essentially a weak reference to mDOMLayers.
Later inside the loop, we have this code:
vrLayer->Initialize(canvasElement, leftBounds, rightBounds);
That ends up inside VRManagerChild::RunFrameRequestCallbacks() which has this:
for (auto& callback : callbacks) {
callback.mCallback->Call(timeStamp);
}
The callbacks are some kind of WebIDL CallbackFunction, so presumably they could include arbitrary user code written in JS, including something that, as seen in the free stack, creates a new window, spinning a nested event loop, then destroying some window, thereby ending up in VRDisplay::Observe() where we destroy mDOMLayers. Eventually, we get back to CreateLayers() and try to use the trashed data structure.
I'm not exactly sure what the right thing to do is, but it seems like running arbitrary script should be deferred until after the CreateLayers() loop is complete.
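The hazard comment 1 describes, as an added example that is not Firefox code and not part of the bug report: a loop over a container calls into something that can run script, the script re-enters the object and frees the container, and the loop then continues on the freed buffer. The names here (Presentation, Layer, DestroyLayers, SetFrameCallback, the generation counter) are hypothetical stand-ins for VRDisplayPresentation, dom::VRLayer and the teardown on the "freed by" stack. One loop keeps the original shape but checks a mutation counter after every call that could have run script, so the invalidation is detected rather than dereferenced; the other defers the callback until the iteration is complete, which is the fix comment 1 proposes.

```cpp
// Added example (not Firefox code): models the iterator-invalidation
// use-after-free described in comment 1. Presentation, Layer,
// DestroyLayers() and friends are hypothetical stand-ins.
#include <cstddef>
#include <functional>
#include <iostream>
#include <utility>
#include <vector>

struct Layer {
  int id;
  bool initialized = false;
};

class Presentation {
 public:
  // Stands in for a WebIDL CallbackFunction: arbitrary script that may
  // re-enter this object while it runs.
  using Script = std::function<void(Presentation&)>;

  explicit Presentation(std::vector<Layer> layers)
      : mDOMLayers(std::move(layers)) {}

  void SetFrameCallback(Script s) { mFrameCallback = std::move(s); }

  // Stands in for the teardown on the report's "freed by" stack
  // (VRDisplay::Observe() destroying mDOMLayers).
  void DestroyLayers() {
    mDOMLayers.clear();
    mDOMLayers.shrink_to_fit();  // actually release the buffer
    ++mGeneration;               // record that the container changed
  }

  std::size_t LayerCount() const { return mDOMLayers.size(); }

  // The original loop's shape, with the hazard detected instead of tripped:
  // script runs inside the loop, and the mutation counter is checked after
  // every call that could have run it. Returns false if mDOMLayers changed
  // under the iteration, which is where a range-for over mDOMLayers would
  // have dereferenced a dangling iterator.
  bool CreateLayersGuarded() {
    const unsigned gen = mGeneration;
    for (std::size_t i = 0; i < mDOMLayers.size(); ++i) {
      mDOMLayers[i].initialized = true;
      RunFrameCallback();  // may re-enter and call DestroyLayers()
      if (mGeneration != gen) {
        return false;  // bail out; nothing from the old buffer is touched
      }
    }
    return true;
  }

  // The hardened shape comment 1 suggests: no script runs while iterating,
  // the callback runs once after the loop, so a teardown it triggers
  // cannot invalidate an in-progress iteration. Returns the number of
  // layers initialized.
  std::size_t CreateLayersDeferred() {
    std::size_t initialized = 0;
    for (Layer& layer : mDOMLayers) {
      layer.initialized = true;
      ++initialized;
    }
    RunFrameCallback();  // safe: the loop is finished
    return initialized;
  }

 private:
  void RunFrameCallback() {
    if (mFrameCallback) {
      Script cb = mFrameCallback;  // copy: script may replace the callback
      cb(*this);
    }
  }

  std::vector<Layer> mDOMLayers;
  Script mFrameCallback;
  unsigned mGeneration = 0;
};

// Constructed scenario: the script tears down the layers mid-iteration,
// as the report's free stack shows (window opened, nested event loop,
// window destroyed).
static Presentation MakeHostilePresentation() {
  Presentation p(std::vector<Layer>{{1}, {2}, {3}});
  p.SetFrameCallback([](Presentation& self) { self.DestroyLayers(); });
  return p;
}

bool GuardedLoopDetectsTeardown() {
  Presentation p = MakeHostilePresentation();
  return !p.CreateLayersGuarded() && p.LayerCount() == 0;
}

bool GuardedLoopCompletesWithBenignScript() {
  Presentation p(std::vector<Layer>{{1}, {2}, {3}});
  p.SetFrameCallback([](Presentation&) { /* script that mutates nothing */ });
  return p.CreateLayersGuarded() && p.LayerCount() == 3;
}

std::size_t DeferredLoopInitializesAll() {
  Presentation p = MakeHostilePresentation();
  return p.CreateLayersDeferred();  // 3: every layer seen before teardown
}

int main() {
  std::cout << "guarded loop detected teardown: " << GuardedLoopDetectsTeardown()
            << "\ndeferred loop initialized " << DeferredLoopInitializesAll()
            << " layers\n";
  return 0;
}
```

The generation counter is a detection aid for review and debug builds; the structural fix is the deferred variant, where nothing that can run script is reachable from inside the loop body.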
Comment 2•7 years ago
BTW, it looks like the stack didn't fully symbolicate. There are function names, but no line numbers. Maybe there's something you can adjust to get line numbers, at least in the future.
Flags: needinfo?(jschwartzentruber)
Comment 3•7 years ago
I'd forgotten about that other bug, but this looks similar to bug 1463329. Kip, can you take a look? Thanks.
Flags: needinfo?(kgilbert)
Comment 4•7 years ago
sec-high assuming normal content could trigger this (as opposed to requiring some test-only functionality).
Keywords: sec-high
Reporter
Comment 5•7 years ago
(In reply to Andrew McCreight [:mccr8] from comment #2)
> BTW, it looks like the stack didn't fully symbolicate. There are function
> names, but no line numbers. Maybe there's something you can adjust to get
> line numbers, at least in the future.
I opened 1470535 to track this. I don't know what's needed for debug information to work with asan on macos.
Flags: needinfo?(jschwartzentruber)
Assignee
Comment 6•7 years ago
(In reply to Andrew McCreight [:mccr8] from comment #3)
> I'd forgotten about that other bug, but this looks similar to bug 1463329.
> Kip, can you take a look? Thanks.
I'll take this. I'll likely have some time next week to investigate further.
Assignee: nobody → kgilbert
Flags: needinfo?(kgilbert)
Assignee
Comment 7•6 years ago
The events described in Comment 1 should no longer occur, as the fix to Bug 1460619 removed the call to VRManagerChild::RunFrameRequestCallbacks() from VRLayerChild::Initialize(). There should no longer be arbitrary JS running during the iteration over mDOMLayers.
I suspect that this patch from Bug 1460619 has also corrected this issue. Bug 1460619 has been uplifted to Beta also.
@truber: Would it be possible to confirm that this is now fixed in Nightly?
Flags: needinfo?(jschwartzentruber)
Reporter | ||
Comment 8•6 years ago
I haven't seen it on Mac since this report. On Linux, the null-deref with the same signature was last seen 2018/09/18.
Flags: needinfo?(jschwartzentruber)
Comment 9•6 years ago
This crash hasn't been seen in such a long time, so I'll mark it WORKSFORME.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
Updated•5 years ago
Group: gfx-core-security