Closed Bug 1480998 Opened 2 years ago Closed 2 years ago

Intermittent AddressSanitizer: heap-use-after-free obj-firefox/dist/include/mozilla/BinarySearch.h:80:33 in BinarySearchIf<mozilla::Vector<const js::wasm::CodeSegment *, 0, js::SystemAllocPolicy>, ProcessCodeSegmentMap::CodeSegmentPC>

Categories: Core :: Javascript: WebAssembly, defect
Status: RESOLVED FIXED
Target Milestone: mozilla63
Tracking Status:
  firefox-esr52 --- unaffected
  firefox-esr60 --- wontfix
  firefox61 --- wontfix
  firefox62 --- wontfix
  firefox63 --- fixed
People: Reporter: apavel, Assigned: luke
References: Blocks 1 open bug
Keywords: csectype-uaf
Attachments: 1 file

Central as Beta simulation

Treeherder link: https://treeherder.mozilla.org/?failureClassificationId=3#/jobs?repo=try&revision=8fb0fee57749d0fb437ea895ea2f363517357ac7&group_state=expanded&filter-resultStatus=testfailed&filter-resultStatus=busted&filter-resultStatus=exception&filter-resultStatus=runnable&selectedJob=192056349

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=192056349&repo=try&lineNumber=13572


[task 2018-08-04T14:09:15.902Z] 14:09:15     INFO - GECKO(1508) | Suppressions used:
[task 2018-08-04T14:09:15.902Z] 14:09:15     INFO - GECKO(1508) |   count      bytes template
[task 2018-08-04T14:09:15.902Z] 14:09:15     INFO - GECKO(1508) |     672      21344 nsComponentManagerImpl
[task 2018-08-04T14:09:15.903Z] 14:09:15     INFO - GECKO(1508) |       5        960 mozJSComponentLoader::LoadModule
[task 2018-08-04T14:09:15.903Z] 14:09:15     INFO - GECKO(1508) |     611      17713 libfontconfig.so
[task 2018-08-04T14:09:15.904Z] 14:09:15     INFO - GECKO(1508) |       1         29 libglib-2.0.so
[task 2018-08-04T14:09:15.904Z] 14:09:15     INFO - GECKO(1508) | -----------------------------------------------------
Fallout from bug 1480012?

[task 2018-08-04T14:12:19.940Z] 14:12:19    ERROR - GECKO(1508) | ==1508==ERROR: AddressSanitizer: heap-use-after-free on address 0x60200050ef70 at pc 0x7f5982b761de bp 0x7f596cd08920 sp 0x7f596cd08918
[task 2018-08-04T14:12:19.940Z] 14:12:19     INFO - GECKO(1508) | READ of size 8 at 0x60200050ef70 thread T1149 (Shutdow~minator)
[task 2018-08-04T14:12:20.011Z] 14:12:20     INFO - GECKO(1508) |     #0 0x7f5982b761dd in BinarySearchIf<mozilla::Vector<const js::wasm::CodeSegment *, 0, js::SystemAllocPolicy>, ProcessCodeSegmentMap::CodeSegmentPC> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BinarySearch.h:80:33
[task 2018-08-04T14:12:20.011Z] 14:12:20     INFO - GECKO(1508) |     #1 0x7f5982b761dd in lookup /builds/worker/workspace/build/src/js/src/wasm/WasmProcess.cpp:205
[task 2018-08-04T14:12:20.012Z] 14:12:20     INFO - GECKO(1508) |     #2 0x7f5982b761dd in js::wasm::LookupCodeSegment(void const*, js::wasm::CodeRange const**) /builds/worker/workspace/build/src/js/src/wasm/WasmProcess.cpp:234
[task 2018-08-04T14:12:20.013Z] 14:12:20     INFO - GECKO(1508) |     #3 0x7f5982c225bc in HandleFault /builds/worker/workspace/build/src/js/src/wasm/WasmSignalHandlers.cpp:1273:34
[task 2018-08-04T14:12:20.015Z] 14:12:20     INFO - GECKO(1508) |     #4 0x7f5982c225bc in WasmFaultHandler(int, siginfo*, void*) /builds/worker/workspace/build/src/js/src/wasm/WasmSignalHandlers.cpp:1347
[task 2018-08-04T14:12:20.015Z] 14:12:20     INFO - GECKO(1508) |     #5 0x7f599692738f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x1138f)
[task 2018-08-04T14:12:20.015Z] 14:12:20     INFO - GECKO(1508) |     #6 0x7f598146c485 in mozilla::(anonymous namespace)::RunWatchdog(void*) /builds/worker/workspace/build/src/toolkit/components/terminator/nsTerminator.cpp:219:5
[task 2018-08-04T14:12:20.015Z] 14:12:20     INFO - GECKO(1508) |     #7 0x7f59925d6f08 in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
[task 2018-08-04T14:12:20.015Z] 14:12:20     INFO - GECKO(1508) |     #8 0x7f599691d6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
[task 2018-08-04T14:12:20.051Z] 14:12:20     INFO - GECKO(1508) |     #9 0x7f59959a641c in clone /build/glibc-Cl5G7W/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
[task 2018-08-04T14:12:20.051Z] 14:12:20     INFO - GECKO(1508) | 0x60200050ef70 is located 0 bytes inside of 8-byte region [0x60200050ef70,0x60200050ef78)
[task 2018-08-04T14:12:20.051Z] 14:12:20     INFO - GECKO(1508) | freed by thread T0 here:
[task 2018-08-04T14:12:20.051Z] 14:12:20     INFO - GECKO(1508) |     #0 0x4c1ac2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
[task 2018-08-04T14:12:20.137Z] 14:12:20     INFO - GECKO(1508) |     #1 0x7f5982b7578a in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:432:5
[task 2018-08-04T14:12:20.140Z] 14:12:20     INFO - GECKO(1508) |     #2 0x7f5982b7578a in free_<const js::wasm::CodeSegment *> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:44
[task 2018-08-04T14:12:20.141Z] 14:12:20     INFO - GECKO(1508) |     #3 0x7f5982b7578a in ~Vector /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:930
[task 2018-08-04T14:12:20.141Z] 14:12:20     INFO - GECKO(1508) |     #4 0x7f5982b7578a in ProcessCodeSegmentMap::~ProcessCodeSegmentMap() /builds/worker/workspace/build/src/js/src/wasm/WasmProcess.cpp:129
[task 2018-08-04T14:12:20.142Z] 14:12:20     INFO - GECKO(1508) |     #5 0x7f59958d8ff7 in __run_exit_handlers /build/glibc-Cl5G7W/glibc-2.23/stdlib/exit.c:82
[task 2018-08-04T14:12:20.143Z] 14:12:20     INFO - GECKO(1508) | previously allocated by thread T0 here:
[task 2018-08-04T14:12:20.143Z] 14:12:20     INFO - GECKO(1508) |     #0 0x4c1e03 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
[task 2018-08-04T14:12:20.148Z] 14:12:20     INFO - GECKO(1508) |     #1 0x7f5982baa650 in js_arena_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:387:12
[task 2018-08-04T14:12:20.149Z] 14:12:20     INFO - GECKO(1508) |     #2 0x7f5982baa650 in js_pod_arena_malloc<const js::wasm::CodeSegment *> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:584
[task 2018-08-04T14:12:20.149Z] 14:12:20     INFO - GECKO(1508) |     #3 0x7f5982baa650 in js_pod_malloc<const js::wasm::CodeSegment *> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:591
[task 2018-08-04T14:12:20.150Z] 14:12:20     INFO - GECKO(1508) |     #4 0x7f5982baa650 in maybe_pod_malloc<const js::wasm::CodeSegment *> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:34
[task 2018-08-04T14:12:20.150Z] 14:12:20     INFO - GECKO(1508) |     #5 0x7f5982baa650 in pod_malloc<const js::wasm::CodeSegment *> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:39
[task 2018-08-04T14:12:20.150Z] 14:12:20     INFO - GECKO(1508) |     #6 0x7f5982baa650 in convertToHeapStorage /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:959
[task 2018-08-04T14:12:20.151Z] 14:12:20     INFO - GECKO(1508) |     #7 0x7f5982baa650 in mozilla::Vector<js::wasm::CodeSegment const*, 0ul, js::SystemAllocPolicy>::growStorageBy(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:1050
[task 2018-08-04T14:12:20.151Z] 14:12:20     INFO - GECKO(1508) |     #8 0x7f5982baa00c in append<const js::wasm::CodeSegment *&> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:1409:9
[task 2018-08-04T14:12:20.152Z] 14:12:20     INFO - GECKO(1508) |     #9 0x7f5982baa00c in js::wasm::CodeSegment const** mozilla::Vector<js::wasm::CodeSegment const*, 0ul, js::SystemAllocPolicy>::insert<js::wasm::CodeSegment const*&>(js::wasm::CodeSegment const**, js::wasm::CodeSegment const*&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:1326
[task 2018-08-04T14:12:20.152Z] 14:12:20     INFO - GECKO(1508) |     #10 0x7f5982b759de in ProcessCodeSegmentMap::insert(js::wasm::CodeSegment const*) /builds/worker/workspace/build/src/js/src/wasm/WasmProcess.cpp:145:36
[task 2018-08-04T14:12:20.153Z] 14:12:20     INFO - GECKO(1508) |     #11 0x7f5982aa76b8 in initialize /builds/worker/workspace/build/src/js/src/wasm/WasmCode.cpp:101:10
[task 2018-08-04T14:12:20.153Z] 14:12:20     INFO - GECKO(1508) |     #12 0x7f5982aa76b8 in js::wasm::ModuleSegment::initialize(js::wasm::CodeTier const&, js::wasm::ShareableBytes const&, js::wasm::LinkDataTier const&, js::wasm::Metadata const&, js::wasm::MetadataTier const&) /builds/worker/workspace/build/src/js/src/wasm/WasmCode.cpp:335
[task 2018-08-04T14:12:20.153Z] 14:12:20     INFO - GECKO(1508) |     #13 0x7f5982acd486 in js::wasm::ModuleGenerator::finishModule(js::wasm::ShareableBytes const&) /builds/worker/workspace/build/src/js/src/wasm/WasmCode.cpp:1375:20
[task 2018-08-04T14:12:20.154Z] 14:12:20     INFO - GECKO(1508) |     #14 0x7f5982a486dd in ModuleValidator::finish() /builds/worker/workspace/build/src/js/src/wasm/AsmJS.cpp:2214:19
[task 2018-08-04T14:12:20.154Z] 14:12:20     INFO - GECKO(1508) |     #15 0x7f59829cabf5 in CheckModule(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, unsigned int*) /builds/worker/workspace/build/src/js/src/wasm/AsmJS.cpp:6062:29
[task 2018-08-04T14:12:20.155Z] 14:12:20     INFO - GECKO(1508) |     #16 0x7f59829b8c9a in js::CompileAsmJS(JSContext*, js::frontend::Parser<js::frontend::FullParseHandler, char16_t>&, js::frontend::ParseNode*, bool*) /builds/worker/workspace/build/src/js/src/wasm/AsmJS.cpp:7157:18
[task 2018-08-04T14:12:20.155Z] 14:12:20     INFO - GECKO(1508) |     #17 0x7f5982ece2cd in asmJS /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:4147:10
[task 2018-08-04T14:12:20.156Z] 14:12:20     INFO - GECKO(1508) |     #18 0x7f5982ece2cd in asmJS /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:4171
[task 2018-08-04T14:12:20.156Z] 14:12:20     INFO - GECKO(1508) |     #19 0x7f5982ece2cd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::maybeParseDirective(js::frontend::ParseNode*, js::frontend::ParseNode*, bool*) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:4250
[task 2018-08-04T14:12:20.157Z] 14:12:20     INFO - GECKO(1508) |     #20 0x7f5982ea260d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::statementList(js::frontend::YieldHandling) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:4313:18
[task 2018-08-04T14:12:20.157Z] 14:12:20     INFO - GECKO(1508) |     #21 0x7f5982ec5e6c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::FunctionBodyType) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:2792:14
[task 2018-08-04T14:12:20.237Z] 14:12:20     INFO - GECKO(1508) |     #22 0x7f5982ec12d4 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionFormalParametersAndBody(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::ParseNode**, js::frontend::FunctionSyntaxKind, mozilla::Maybe<unsigned int> const&, bool) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3886:16
[task 2018-08-04T14:12:20.237Z] 14:12:20     INFO - GECKO(1508) |     #23 0x7f5982ec035c in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::innerFunctionForFunctionBox(js::frontend::ParseNode*, js::frontend::ParseContext*, js::frontend::FunctionBox*, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::frontend::Directives*) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3676:10
[task 2018-08-04T14:12:20.238Z] 14:12:20     INFO - GECKO(1508) |     #24 0x7f5982ea8cb8 in innerFunction /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3709:9
[task 2018-08-04T14:12:20.238Z] 14:12:20     INFO - GECKO(1508) |     #25 0x7f5982ea8cb8 in js::frontend::Parser<js::frontend::FullParseHandler, char16_t>::trySyntaxParseInnerFunction(js::frontend::ParseNode**, JS::Handle<JSFunction*>, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool, js::frontend::Directives, js::frontend::Directives*) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3603
[task 2018-08-04T14:12:20.239Z] 14:12:20     INFO - GECKO(1508) |     #26 0x7f5982ecaf35 in trySyntaxParseInnerFunction /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3650:29
[task 2018-08-04T14:12:20.239Z] 14:12:20     INFO - GECKO(1508) |     #27 0x7f5982ecaf35 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionDefinition(js::frontend::ParseNode*, unsigned int, js::frontend::InHandling, js::frontend::YieldHandling, JS::Handle<JSAtom*>, js::frontend::FunctionSyntaxKind, js::GeneratorKind, js::FunctionAsyncKind, bool) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:3493
[task 2018-08-04T14:12:20.245Z] 14:12:20     INFO - GECKO(1508) |     #28 0x7f5982ecbaf3 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::functionExpr(unsigned int, js::frontend::ParserBase::InvokedPrediction, js::FunctionAsyncKind) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:4077:12
[task 2018-08-04T14:12:20.246Z] 14:12:20     INFO - GECKO(1508) |     #29 0x7f5982eef630 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:9990:16
[task 2018-08-04T14:12:20.246Z] 14:12:20     INFO - GECKO(1508) |     #30 0x7f5982ee953a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8770:15
[task 2018-08-04T14:12:20.247Z] 14:12:20     INFO - GECKO(1508) |     #31 0x7f5982ee74cb in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8600:21
[task 2018-08-04T14:12:20.247Z] 14:12:20     INFO - GECKO(1508) |     #32 0x7f5982ee62a8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::orExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8106:14
[task 2018-08-04T14:12:20.248Z] 14:12:20     INFO - GECKO(1508) |     #33 0x7f5982ee5a8e in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::condExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8177:22
[task 2018-08-04T14:12:20.248Z] 14:12:20     INFO - GECKO(1508) |     #34 0x7f5982ed30cd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8304:15
[task 2018-08-04T14:12:20.249Z] 14:12:20     INFO - GECKO(1508) |     #35 0x7f5982ea690d in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::expr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:7970:15
[task 2018-08-04T14:12:20.249Z] 14:12:20     INFO - GECKO(1508) |     #36 0x7f5982ef0600 in exprInParens /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:10157:12
[task 2018-08-04T14:12:20.250Z] 14:12:20     INFO - GECKO(1508) |     #37 0x7f5982ef0600 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::primaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:10025
[task 2018-08-04T14:12:20.250Z] 14:12:20     INFO - GECKO(1508) |     #38 0x7f5982ee953a in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::memberExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::TokenKind, bool, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8770:15
[task 2018-08-04T14:12:20.251Z] 14:12:20     INFO - GECKO(1508) |     #39 0x7f5982ee74cb in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::unaryExpr(js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8600:21
[task 2018-08-04T14:12:20.251Z] 14:12:20     INFO - GECKO(1508) |     #40 0x7f5982ee62a8 in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::orExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8106:14
[task 2018-08-04T14:12:20.252Z] 14:12:20     INFO - GECKO(1508) |     #41 0x7f5982ee5a8e in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::condExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8177:22
[task 2018-08-04T14:12:20.253Z] 14:12:20     INFO - GECKO(1508) |     #42 0x7f5982ed30cd in js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::assignExpr(js::frontend::InHandling, js::frontend::YieldHandling, js::frontend::TripledotHandling, js::frontend::GeneralParser<js::frontend::FullParseHandler, char16_t>::PossibleError*, js::frontend::ParserBase::InvokedPrediction) /builds/worker/workspace/build/src/js/src/frontend/Parser.cpp:8304:15
[task 2018-08-04T14:12:20.256Z] 14:12:20     INFO - GECKO(1508) | Thread T1149 (Shutdow~minator) created by T0 here:
[task 2018-08-04T14:12:20.256Z] 14:12:20     INFO - GECKO(1508) |     #0 0x4aae8d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:204:3
[task 2018-08-04T14:12:20.257Z] 14:12:20     INFO - GECKO(1508) |     #1 0x7f59925d3c45 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
[task 2018-08-04T14:12:20.257Z] 14:12:20     INFO - GECKO(1508) |     #2 0x7f59925d382e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
[task 2018-08-04T14:12:20.257Z] 14:12:20     INFO - GECKO(1508) |     #3 0x7f598146c242 in CreateSystemThread /builds/worker/workspace/build/src/toolkit/components/terminator/nsTerminator.cpp:103:22
[task 2018-08-04T14:12:20.258Z] 14:12:20     INFO - GECKO(1508) |     #4 0x7f598146c242 in mozilla::nsTerminator::StartWatchdog() /builds/worker/workspace/build/src/toolkit/components/terminator/nsTerminator.cpp:453
[task 2018-08-04T14:12:20.258Z] 14:12:20     INFO - GECKO(1508) |     #5 0x7f598146c756 in Start /builds/worker/workspace/build/src/toolkit/components/terminator/nsTerminator.cpp:393:3
[task 2018-08-04T14:12:20.259Z] 14:12:20     INFO - GECKO(1508) |     #6 0x7f598146c756 in mozilla::nsTerminator::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/toolkit/components/terminator/nsTerminator.cpp:508
[task 2018-08-04T14:12:20.260Z] 14:12:20     INFO - GECKO(1508) |     #7 0x7f5975f71283 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:112:19
[task 2018-08-04T14:12:20.260Z] 14:12:20     INFO - GECKO(1508) |     #8 0x7f5975f74eb2 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295:19
[task 2018-08-04T14:12:20.261Z] 14:12:20     INFO - GECKO(1508) |     #9 0x7f5981286a2e in nsAppStartup::Quit(unsigned int) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:468:19
[task 2018-08-04T14:12:20.261Z] 14:12:20     INFO - GECKO(1508) |     #10 0x7f59760ac0c1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
[task 2018-08-04T14:12:20.265Z] 14:12:20     INFO - GECKO(1508) |     #11 0x7f59779371a6 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1673:12
[task 2018-08-04T14:12:20.266Z] 14:12:20     INFO - GECKO(1508) |     #12 0x7f59779371a6 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1231
[task 2018-08-04T14:12:20.268Z] 14:12:20     INFO - GECKO(1508) |     #13 0x7f59779371a6 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1198
[task 2018-08-04T14:12:20.273Z] 14:12:20     INFO - GECKO(1508) |     #14 0x7f597793d22d in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:893:12
[task 2018-08-04T14:12:20.274Z] 14:12:20     INFO - GECKO(1508) |     #15 0x7f59817884a4 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:445:15
[task 2018-08-04T14:12:20.275Z] 14:12:20     INFO - GECKO(1508) |     #16 0x7f59817884a4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:533
[task 2018-08-04T14:12:20.276Z] 14:12:20     INFO - GECKO(1508) |     #17 0x7f59817737a4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:12
[task 2018-08-04T14:12:20.279Z] 14:12:20     INFO - GECKO(1508) |     #18 0x7f59817737a4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3239
[task 2018-08-04T14:12:20.280Z] 14:12:20     INFO - GECKO(1508) |     #19 0x7f5981759869 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:12
[task 2018-08-04T14:12:20.280Z] 14:12:20     INFO - GECKO(1508) |     #20 0x7f5981788dc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:557:15
[task 2018-08-04T14:12:20.280Z] 14:12:20     INFO - GECKO(1508) |     #21 0x7f598178a0a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:10
[task 2018-08-04T14:12:20.281Z] 14:12:20     INFO - GECKO(1508) |     #22 0x7f59822e8de5 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
[task 2018-08-04T14:12:20.282Z] 14:12:20     INFO - GECKO(1508) |     #23 0x7f59822b1d28 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
[task 2018-08-04T14:12:20.282Z] 14:12:20     INFO - GECKO(1508) |     #24 0x7f59822c5363 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:510:21
[task 2018-08-04T14:12:20.283Z] 14:12:20     INFO - GECKO(1508) |     #25 0x7f5981789409 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:509:20
[task 2018-08-04T14:12:20.283Z] 14:12:20     INFO - GECKO(1508) |     #26 0x7f59817737a4 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:12
[task 2018-08-04T14:12:20.284Z] 14:12:20     INFO - GECKO(1508) |     #27 0x7f59817737a4 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3239
[task 2018-08-04T14:12:20.285Z] 14:12:20     INFO - GECKO(1508) |     #28 0x7f5981759869 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:12
[task 2018-08-04T14:12:20.285Z] 14:12:20     INFO - GECKO(1508) |     #29 0x7f5981788dc6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:557:15
[task 2018-08-04T14:12:20.286Z] 14:12:20     INFO - GECKO(1508) |     #30 0x7f598178a0a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:603:10
[task 2018-08-04T14:12:20.286Z] 14:12:20     INFO - GECKO(1508) |     #31 0x7f59821f1dfd in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2841:12
[task 2018-08-04T14:12:20.286Z] 14:12:20     INFO - GECKO(1508) |     #32 0x7f5977920371 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1135:23
[task 2018-08-04T14:12:20.287Z] 14:12:20     INFO - GECKO(1508) |     #33 0x7f59760ad798 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
[task 2018-08-04T14:12:20.288Z] 14:12:20     INFO - GECKO(1508) |     #34 0x7f59760ac66a in SharedStub (/builds/worker/workspace/build/application/firefox/libxul.so+0x1f7566a)
[task 2018-08-04T14:12:20.289Z] 14:12:20     INFO - GECKO(1508) |     #35 0x7f59778fda05 in PreciseGCRunnable::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCComponents.cpp:2361:20
[task 2018-08-04T14:12:20.289Z] 14:12:20     INFO - GECKO(1508) |     #36 0x7f5976081d2f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1235:14
[task 2018-08-04T14:12:20.290Z] 14:12:20     INFO - GECKO(1508) |     #37 0x7f5976088858 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
[task 2018-08-04T14:12:20.290Z] 14:12:20     INFO - GECKO(1508) |     #38 0x7f5976f8520a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
[task 2018-08-04T14:12:20.291Z] 14:12:20     INFO - GECKO(1508) |     #39 0x7f5976ede03c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
[task 2018-08-04T14:12:20.291Z] 14:12:20     INFO - GECKO(1508) |     #40 0x7f5976ede03c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
[task 2018-08-04T14:12:20.291Z] 14:12:20     INFO - GECKO(1508) |     #41 0x7f5976ede03c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
[task 2018-08-04T14:12:20.292Z] 14:12:20     INFO - GECKO(1508) |     #42 0x7f597d9c698a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
[task 2018-08-04T14:12:20.292Z] 14:12:20     INFO - GECKO(1508) |     #43 0x7f5981285cfb in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
[task 2018-08-04T14:12:20.292Z] 14:12:20     INFO - GECKO(1508) |     #44 0x7f59814b59db in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4764:22
[task 2018-08-04T14:12:20.341Z] 14:12:20     INFO - GECKO(1508) |     #45 0x7f59814b8ace in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4909:8
[task 2018-08-04T14:12:20.342Z] 14:12:20     INFO - GECKO(1508) |     #46 0x7f59814b9f98 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5001:21
[task 2018-08-04T14:12:20.343Z] 14:12:20     INFO - GECKO(1508) |     #47 0x4f20ac in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:233:22
[task 2018-08-04T14:12:20.344Z] 14:12:20     INFO - GECKO(1508) |     #48 0x4f20ac in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:311
[task 2018-08-04T14:12:20.345Z] 14:12:20     INFO - GECKO(1508) |     #49 0x7f59958bf82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
[task 2018-08-04T14:12:20.345Z] 14:12:20     INFO - GECKO(1508) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/BinarySearch.h:80:33 in BinarySearchIf<mozilla::Vector<const js::wasm::CodeSegment *, 0, js::SystemAllocPolicy>, ProcessCodeSegmentMap::CodeSegmentPC>
[task 2018-08-04T14:12:20.346Z] 14:12:20     INFO - GECKO(1508) | Shadow bytes around the buggy address:
[task 2018-08-04T14:12:20.346Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099d90: fa fa fd fd fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-08-04T14:12:20.347Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099da0: fa fa fa fa fa fa fd fd fa fa fd fd fa fa fd fd
[task 2018-08-04T14:12:20.348Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099db0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-08-04T14:12:20.348Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099dc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-08-04T14:12:20.349Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099dd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fa fa
[task 2018-08-04T14:12:20.349Z] 14:12:20     INFO - GECKO(1508) | =>0x0c0480099de0: fa fa fa fa fa fa fa fa fa fa fd fd fa fa[fd]fa
[task 2018-08-04T14:12:20.350Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099df0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-08-04T14:12:20.350Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099e00: fa fa fa fa fa fa fa fa fa fa fd fd fa fa fa fa
[task 2018-08-04T14:12:20.351Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099e10: fa fa fa fa fa fa fa fa fa fa fd fd fa fa fd fa
[task 2018-08-04T14:12:20.351Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099e20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-08-04T14:12:20.355Z] 14:12:20     INFO - GECKO(1508) |   0x0c0480099e30: fa fa fd fd fa fa fa fa fa fa fd fa fa fa fa fa
[task 2018-08-04T14:12:20.356Z] 14:12:20     INFO - GECKO(1508) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2018-08-04T14:12:20.356Z] 14:12:20     INFO - GECKO(1508) |   Addressable:           00
[task 2018-08-04T14:12:20.356Z] 14:12:20     INFO - GECKO(1508) |   Partially addressable: 01 02 03 04 05 06 07
[task 2018-08-04T14:12:20.356Z] 14:12:20     INFO - GECKO(1508) |   Heap left redzone:       fa
[task 2018-08-04T14:12:20.357Z] 14:12:20     INFO - GECKO(1508) |   Freed heap region:       fd
[task 2018-08-04T14:12:20.357Z] 14:12:20     INFO - GECKO(1508) |   Stack left redzone:      f1
[task 2018-08-04T14:12:20.358Z] 14:12:20     INFO - GECKO(1508) |   Stack mid redzone:       f2
[task 2018-08-04T14:12:20.358Z] 14:12:20     INFO - GECKO(1508) |   Stack right redzone:     f3
[task 2018-08-04T14:12:20.358Z] 14:12:20     INFO - GECKO(1508) |   Stack after return:      f5
[task 2018-08-04T14:12:20.359Z] 14:12:20     INFO - GECKO(1508) |   Stack use after scope:   f8
[task 2018-08-04T14:12:20.359Z] 14:12:20     INFO - GECKO(1508) |   Global redzone:          f9
[task 2018-08-04T14:12:20.360Z] 14:12:20     INFO - GECKO(1508) |   Global init order:       f6
[task 2018-08-04T14:12:20.360Z] 14:12:20     INFO - GECKO(1508) |   Poisoned by user:        f7
[task 2018-08-04T14:12:20.361Z] 14:12:20     INFO - GECKO(1508) |   Container overflow:      fc
[task 2018-08-04T14:12:20.361Z] 14:12:20     INFO - GECKO(1508) |   Array cookie:            ac
[task 2018-08-04T14:12:20.361Z] 14:12:20     INFO - GECKO(1508) |   Intra object redzone:    bb
[task 2018-08-04T14:12:20.362Z] 14:12:20     INFO - GECKO(1508) |   ASan internal:           fe
[task 2018-08-04T14:12:20.362Z] 14:12:20     INFO - GECKO(1508) |   Left alloca redzone:     ca
[task 2018-08-04T14:12:20.363Z] 14:12:20     INFO - GECKO(1508) |   Right alloca redzone:    cb
[task 2018-08-04T14:12:20.363Z] 14:12:20     INFO - GECKO(1508) | ==1508==ABORTING
[task 2018-08-04T14:12:20.633Z] 14:12:20     INFO - TEST-INFO | Main app process: exit 0
Group: firefox-core-security → core-security
Component: Framework → Javascript: Web Assembly
Flags: needinfo?(lhansen)
Keywords: csectype-uaf
Product: DevTools → Core
Summary: Intermittent ERROR: AddressSanitizer: heap-use-after-free on address 0x60200016eb10 at pc 0x7f7387d723ae bp 0x7f7371f18920 sp 0x7f7371f18918 → Intermittent AddressSanitizer: heap-use-after-free obj-firefox/dist/include/mozilla/BinarySearch.h:80:33 in BinarySearchIf<mozilla::Vector<const js::wasm::CodeSegment *, 0, js::SystemAllocPolicy>, ProcessCodeSegmentMap::CodeSegmentPC>
Looking.  Probably this is a shell-only problem (because the code that landed is shell-only) but it's possible we've uncovered a latent problem in the code, so it's fine to keep it closed for now.
Flags: needinfo?(lhansen)
Group: core-security → javascript-core-security
Looks like this is a pre-existing problem.

We have a /static/ variable called `processCodeSegmentMap` in wasm/WasmProcess.cpp.  This is shared among threads.  According to the log, however, a worker thread is busy accessing this map (to handle a trap) while the main thread is in the process of running exit handlers.  One exit handler destroys the value of `processCodeSegmentMap`, basically pulling the rug out from underneath the worker thread.

Now it could be the case that the worker thread is also trying to shut down, so that this is a shutdown race, but I'm not sure that really changes much.  Either way the shared resource cannot be destroyed unilaterally by one thread.
Luke, maybe you have an opinion about how this is supposed to work?
Flags: needinfo?(luke)
It could also be that the trap that the worker is handling during shutdown happens precisely because the map has already been removed and code has been decommitted or at least read-protected.  In that case this would be a race on the code.  Not sure how ASAN would react to that.
Ah hah, I was curious why a trap handler was being called while the process was being shut down, but I see that the trap handler is from a MOZ_CRASH("Shutdown too long, probably frozen, causing a crash.") at nsTerminator.cpp:219.

So one way to look at this is that our synchronization is only correct assuming that the only faults are valid, wasm-triggered ones, but of course the WasmFaultHandler gets called for all manner of crashes that ultimately need to propagate through WasmFaultHandler to breakpad.

So I think the fix here is to have a static Atomic<bool> shuttingDown_ that short-circuits lookups to return null.  I think we'll need a spin-lock to wait for observers_ to go to 0 (like we do in swapAndWait()) and there are also some subtle lifetime issues with observers_ itself that I think might require pulling observers_ out of ProcessCodeSegmentMap and into a static.

Maybe bbouvier wants to write up the fix?
Flags: needinfo?(luke) → needinfo?(bbouvier)
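As an added example that is not the patch's or SpiderMonkey's code, here is a minimal C++ model of the protocol described above (a shutdown flag that short-circuits lookups, an observer count that a writer drains by spinning) and of the later review point about handing back a result after the count has been dropped. Segment, Range, the function names and the sample segment are all hypothetical stand-ins.

```cpp
// Added example (not code from the patch or from SpiderMonkey): a minimal model of the
// shutdown-safe lookup protocol. Segment, Range and all function names are hypothetical.
#include <atomic>
#include <cstddef>
#include <cstdint>

struct Segment { uintptr_t base; size_t length; };   // stands in for a CodeSegment
struct Range   { uintptr_t base; size_t length; };   // what a lookup hands back by value

// All shared state is static and atomic so a (crash) signal handler can read it
// without taking a lock that the interrupted thread might already hold.
static std::atomic<const Segment*> sMap{nullptr};
static std::atomic<size_t>         sNumObservers{0};
static std::atomic<bool>           sShuttingDown{false};

// Constructed sample segment, the only one this model ever registers.
static const Segment kSampleSegment{0x1000, 0x200};

// Reader side, e.g. the lookup a fault handler performs. The shutdown flag is
// checked first so a crash that happens during shutdown is not blamed on wasm code.
bool LookupRange(uintptr_t pc, Range* out) {
    if (sShuttingDown.load()) return false;
    sNumObservers.fetch_add(1);              // announce ourselves before sampling the map
    const Segment* seg = sMap.load();
    bool found = seg && pc >= seg->base && pc < seg->base + seg->length;
    if (found) *out = Range{seg->base, seg->length};  // copy while still counted ...
    sNumObservers.fetch_sub(1);              // ... a raw pointer escaping past this point
    return found;                            // could be freed by a concurrent writer
}

// Writer side: publish the new map first, then spin until every reader that may
// have sampled the old one has finished. Only then is the old map safe to destroy.
const Segment* SwapAndWait(const Segment* next) {
    const Segment* prev = sMap.exchange(next);
    while (sNumObservers.load() != 0) { /* spin: readers are short and lock-free */ }
    return prev;
}

// Exit-handler side: raise the flag so new lookups short-circuit, then drain observers.
const Segment* ShutDownMap() {
    sShuttingDown.store(true);
    return SwapAndWait(nullptr);
}

size_t ObserverCount() { return sNumObservers.load(); }
```

Because the result is copied out while the observer count is held, nothing the reader returns can point into memory the writer is about to free.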
I'll be on PTO next week, so feel free to steal in the meanwhile.
(as discussed on irc, redirecting to Luke who seems to have a clear idea of what's to do here)
Flags: needinfo?(bbouvier) → needinfo?(luke)
Assignee: nobody → luke
Flags: needinfo?(luke)
Attachment #9002976 - Flags: review?(lhansen)
Attachment #9002976 - Flags: review?(bbouvier)
Comment on attachment 9002976 [details] [diff] [review]
fix-shutdown-race

Review of attachment 9002976 [details] [diff] [review]:
-----------------------------------------------------------------

Looks good to me, thanks.

::: js/src/wasm/WasmProcess.cpp
@@ +51,5 @@
> +// sampled). Since the writer could be modifying the data that is getting
> +// looked up, the writer functions use spin-locks to know if there are any
> +// observers (i.e. calls to lookup()) of the atomic data.
> +
> +static Atomic<size_t> sObserverCount(0);
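Review bot: the comment above `sObserverCount` says the writer functions use spin-locks to know whether there are observers, but it does not state the ordering the protocol depends on: a reader must increment the count before sampling the map and decrement after it is done with the sample, and a writer must publish its change before spinning for the count to reach zero. Without that stated next to the counter, a reader that sampled the old data just before the writer checked the count could still be using it; spelling out the two-sided protocol here would make the invariant reviewable.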

nit: maybe something more traditional like sNumObservers?

@@ +217,5 @@
>  
>  void
>  wasm::UnregisterCodeSegment(const CodeSegment* cs)
>  {
> +    sProcessCodeSegmentMap.remove(cs);

The reason why we don't need to care about shutdown for insert/remove is that these happen on the same thread, as shutting down does, right?

@@ +226,5 @@
>  {
> +    // Avoid accessing an uninitialized sProcessCodeSegmentMap if there is a
> +    // crash early in startup. Returning null will allow the crash to propagate
> +    // properly to breakpad.
> +    if (!CodeExists)
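Review bot: the early return on `!CodeExists` is the first thing the lookup touches on the crash path, so the comment should also say what makes `CodeExists` itself safe to read before anything else is initialized; otherwise the guard protects `sProcessCodeSegmentMap` but leaves its own precondition undocumented.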

Nice, can you remove the two now-redundant checks against CodeExists in the canonicalize* functions in Simulator-arm.cpp?

@@ +250,5 @@
>                         : found->asLazyStub()->lookupRange(pc);
>          }
> +
> +        // Returning 'found' without sObserverCount incremented is valid under
> +        // the assumption that valid wasm traps don't occur during shutdown.
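Review bot: the new comment in this hunk justifies returning `found` after the observer count has been dropped with the assumption that valid wasm traps don't occur during shutdown, but nothing in the code enforces that. Either point the reader at the existing lifetime argument in lookup() for returned CodeSegments, or assert the assumption in debug builds, rather than leaving a bare claim next to the decrement.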

Is this comment here because the ScopeExit will execute before the ret instruction? (that's the only reason I can imagine)

If so, can it badly interact with other LookupCode{,Range} use cases (frame iteration, etc.)?
Attachment #9002976 - Flags: review?(bbouvier) → review+
(In reply to Benjamin Bouvier [:bbouvier] from comment #10)
> > +    sProcessCodeSegmentMap.remove(cs);
> 
> The reason why we don't need to care about shutdown for insert/remove is
> that these happen on the same thread, as shutting down does, right?

Right, the only concern is LookupCodeSegment() since it's called from (crash) signal handlers.

> > +    if (!CodeExists)
> 
> Nice, can you remove the two now-redundant checks against CodeExists in the
> canonicalize* functions in Simulator-arm.cpp?

Without LTO on most builds (I believe), I think there's still a small perf benefit from having the check inline in the simulators since it's so very hot and affects overall test runtime significantly.

> > +        // Returning 'found' without sObserverCount incremented is valid under
> > +        // the assumption that valid wasm traps don't occur during shutdown.
> 
> Is this comment here because the ScopeExit will execute before the ret
> instruction? (that's the only reason I can imagine)

No, it's more that, after sObserverCount is decremented, in theory, shutdown could proceed and destroy the CodeSegment.  But actually, we already have a comment in lookup() about why CodeSegments that are returned can't go away and the shutdown case is no different, so I'll just remove this comment.
Attachment #9002976 - Flags: review?(lhansen) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/e4a245dc212abd00595bb4e4489096c6daefc73c
https://hg.mozilla.org/mozilla-central/rev/e4a245dc212a
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Luke, you said this is a pre-existing issue? How far back does this go and what severity should the bug be assigned?
Flags: needinfo?(luke)
Probably the original bug that added this code: bug 1406041.  I think it's a very low priority since it's an unlikely race and the race doesn't cause a crash, it just causes us to blame wasm code instead of the real crash site (but we will get a crash report).
Flags: needinfo?(luke)
Based on comment 14 and the fact that this doesn't cause any crash (or make crashes more exploitable), I don't think this should be a security bug.  It's basically a quality-of-crash-reporting fix.
Thanks, opening the bug per comment 15.
Group: core-security-release
Depends on: 1493373