Closed Bug 1477324 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ _cairo_user_data_array_get_data] with READ of size 8

Categories

(Core :: Graphics, defect)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 1476952
Tracking Status
firefox63 --- unaffected

People

(Reporter: decoder, Unassigned)

Details

(Keywords: crash, regression, testcase-wanted)

Attachments

(1 file)

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 63.0a1-20180719220047-https://hg.mozilla.org/mozilla-central/rev/690cb3015db6645b335ac4835a50073cb6a3e23c.

For detailed crash information, see attachment.
This looks like it's probably the same as bug 1476952.
Agreed. Duping because they're equivalent ASAN traces. If the older bug were just a crash-stats report with no investigation I'd probably dupe the other way.
Status: NEW → RESOLVED
Closed: 6 years ago
Keywords: testcase-wanted
Resolution: --- → DUPLICATE
Group: core-security → gfx-core-security
No longer blocks: asan-nightly-project
When you find some time, it would be very helpful if you could answer the following questions so I can work on improving ASan Nightly further. In particular, many of the reports we saw about use-after-free were sent only once, not multiple times. So I'm asking myself what changes to ASan Nightly I can make to improve overall uaf detection rate:

1) Do you think more frequent GC/CC would have helped detecting this problem more frequently?

2) Do you think GC/CC on specific DOM events (e.g. beforeunload, pagehide, DOMContentLoaded) would have helped?

3) Do you think triggering the event loop in the specific child processes would have helped here? (e.g. dummy XMLHttpRequest onbeforeunload, useful in fuzzing).

4) Do you have any other ideas to reproduce this particular problem better or do you think any of the above points (or other approaches) might help to find other use-after-free issues in areas that you work in?

Any feedback would be greatly appreciated. Thanks!


(This bug was fixed somewhere else and also found in fuzzing, but I would still like to find out if we can detect this or similar problems better in ASan Nightly as well).
Flags: needinfo?(lsalzman)
(In reply to Christian Holler (:decoder) from comment #4)
> When you find some time, it would be very helpful if you could answer the
> following questions so I can work on improving ASan Nightly further. In
> particular, many of the reports we saw about use-after-free were sent only
> once, not multiple times. So I'm asking myself what changes to ASan Nightly
> I can make to improve overall uaf detection rate:
> 
> 1) Do you think more frequent GC/CC would have helped detecting this problem
> more frequently?
> 
> 2) Do you think GC/CC on specific DOM events (e.g. beforeunload, pagehide,
> DOMContentLoaded) would have helped?
> 
> 3) Do you think triggering the event loop in the specific child processes
> would have helped here? (e.g. dummy XMLHttpRequest onbeforeunload, useful in
> fuzzing).
> 
> 4) Do you have any other ideas to reproduce this particular problem better
> or do you think any of the above points (or other approaches) might help to
> find other use-after-free issues in areas that you work in?
> 
> Any feedback would be greatly appreciated. Thanks!
> 
> 
> (This bug was fixed somewhere else and also found in fuzzing, but I would
> still like to find out if we can detect this or similar problems better in
> ASan Nightly as well).

This was a race condition unaffected by the above suggestions.
Flags: needinfo?(lsalzman)
Removing the affected flag for 63 based on comments here and bug 1476952. It was likely fixed in another issue.
Group: gfx-core-security