Closed Bug 1500311 Opened 6 years ago Closed 6 years ago

AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8

Categories

(Core :: Storage: IndexedDB, defect)

defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1500310
Tracking Status
firefox64 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-uaf, testcase)

Testcase found while fuzzing mozilla-central rev 733484af9034.  I'm currently reducing the testcase and will update once complete.

==27984==ERROR: AddressSanitizer: heap-use-after-free on address 0x6060002c24f8 at pc 0x7f7dd83c6f8d bp 0x7ffc9a466470 sp 0x7ffc9a466468
READ of size 8 at 0x6060002c24f8 thread T0 (file:// Content)
    #0 0x7f7dd83c6f8c in Length src/obj-firefox/dist/include/nsTArray.h:372:37
    #1 0x7f7dd83c6f8c in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:1589
    #2 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #3 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #4 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #5 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #6 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #7 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #8 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #9 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #10 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #11 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #12 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
    #13 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
    #14 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
    #15 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
    #16 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
    #17 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
    #18 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
    #19 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
    #20 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
    #21 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
    #22 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
    #23 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
    #24 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
    #25 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
    #26 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
    #27 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
    #28 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #29 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #30 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #31 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #32 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #33 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #34 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #35 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #36 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #37 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #38 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #39 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #40 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #41 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #42 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #43 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
    #44 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
    #45 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #46 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
    #47 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16
    #48 0x7f7dd6a15128 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1156:11
    #49 0x7f7dd6a1b6e6 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #50 0x7f7dd69cb290 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/events/DOMEventTargetHelper.cpp:185:5
    #51 0x7f7dd6a3f259 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) src/dom/events/EventTarget.cpp:213:13
    #52 0x7f7dd834e6b3 in mozilla::dom::indexedDB::(anonymous namespace)::DispatchSuccessEvent(mozilla::dom::indexedDB::(anonymous namespace)::ResultHelper*, mozilla::dom::Event*) src/dom/indexedDB/ActorsChild.cpp:862:12
    #53 0x7f7dd8353486 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) src/dom/indexedDB/ActorsChild.cpp:2279:3
    #54 0x7f7dd0cc9620 in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:598:20
    #55 0x7f7dd0a15480 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #56 0x7f7dd02363b5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
    #57 0x7f7dd0231e09 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
    #58 0x7f7dd02340bd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #59 0x7f7dd0234e37 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #60 0x7f7dcefdd365 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #61 0x7f7dcf01a386 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1252:14
    #62 0x7f7dcf022ead in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #63 0x7f7dd023f463 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #64 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #65 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #66 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #67 0x7f7dd8e3d5f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #68 0x7f7ddd2fce4e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #69 0x7f7dd014204c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #70 0x7f7dd014204c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #71 0x7f7dd014204c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #72 0x7f7ddd2fbef3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #73 0x56524599bb91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #74 0x56524599bb91 in main src/browser/app/nsBrowserApp.cpp:287
    #75 0x7f7df16f782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #76 0x5652458caf3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c)

0x6060002c24f8 is located 56 bytes inside of 64-byte region [0x6060002c24c0,0x6060002c2500)
freed by thread T0 (file:// Content) here:
    #0 0x56524596b372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7dd838b4d4 in Free src/obj-firefox/dist/include/nsTArray.h:216:34
    #2 0x7f7dd838b4d4 in ~nsTArray_base src/obj-firefox/dist/include/nsTArray-inl.h:22
    #3 0x7f7dd838b4d4 in ~nsTArray_Impl src/obj-firefox/dist/include/nsTArray.h:940
    #4 0x7f7dd838b4d4 in ~DatabaseSpec src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/dom/indexedDB/PBackgroundIDBSharedTypes.h:1479
    #5 0x7f7dd838b4d4 in ~nsAutoPtr src/obj-firefox/dist/include/nsAutoPtr.h:78
    #6 0x7f7dd838b4d4 in mozilla::dom::IDBDatabase::RevertToPreviousState() src/dom/indexedDB/IDBDatabase.cpp:349
    #7 0x7f7dd83e05d3 in mozilla::dom::IDBTransaction::AbortInternal(nsresult, already_AddRefed<mozilla::dom::DOMException>) src/dom/indexedDB/IDBTransaction.cpp:667:18
    #8 0x7f7dd83e1bfc in mozilla::dom::IDBTransaction::Abort(mozilla::ErrorResult&) src/dom/indexedDB/IDBTransaction.cpp:780:3
    #9 0x7f7dd60fa8de in mozilla::dom::IDBTransaction_Binding::abort(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBTransaction*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBTransactionBinding.cpp:213:9
    #10 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #11 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #12 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #13 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #14 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #15 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #16 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #17 0x7f7ddeff6185 in InternalCall src/js/src/vm/Interpreter.cpp:614:12
    #18 0x7f7ddeff6185 in Call src/js/src/vm/Interpreter.cpp:633
    #19 0x7f7ddeff6185 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:760
    #20 0x7f7dde59e568 in CallGetter src/js/src/vm/NativeObject.cpp:2282:16
    #21 0x7f7dde59e568 in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2337
    #22 0x7f7dde59e568 in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2567
    #23 0x7f7dde59e568 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2604
    #24 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:122:12
    #25 0x7f7ddd5990a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:138
    #26 0x7f7ddd5990a7 in JSStructuredCloneWriter::write(JS::Handle<JS::Value>) src/js/src/vm/StructuredClone.cpp:2104
    #27 0x7f7ddd597cbd in WriteStructuredClone(JSContext*, JS::Handle<JS::Value>, JSStructuredCloneData*, JS::StructuredCloneScope, JS::CloneDataPolicy, JSStructuredCloneCallbacks const*, void*, JS::Value const&) src/js/src/vm/StructuredClone.cpp:650:12
    #28 0x7f7ddd5b6ee0 in JS_WriteStructuredClone src/js/src/vm/StructuredClone.cpp:3142:12
    #29 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3284
    #30 0x7f7ddd5b6ee0 in write src/js/src/vm/StructuredClone.cpp:3274
    #31 0x7f7ddd5b6ee0 in JS_StructuredClone(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>, JSStructuredCloneCallbacks const*, void*) src/js/src/vm/StructuredClone.cpp:3186
    #32 0x7f7dd83c657b in mozilla::dom::IDBObjectStore::GetAddInfo(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, mozilla::dom::IDBObjectStore::StructuredCloneWriteInfo&, mozilla::dom::indexedDB::Key&, nsTArray<mozilla::dom::indexedDB::IndexUpdateInfo>&) src/dom/indexedDB/IDBObjectStore.cpp:2754:8
    #33 0x7f7dd83822ff in mozilla::dom::IDBObjectStore::AddOrPut(JSContext*, mozilla::dom::IDBObjectStore::ValueWrapper&, JS::Handle<JS::Value>, bool, bool, mozilla::ErrorResult&) src/dom/indexedDB/IDBObjectStore.cpp:1662:9
    #34 0x7f7dd60d6370 in Add src/obj-firefox/dist/include/mozilla/dom/IDBObjectStore.h:214:12
    #35 0x7f7dd60d6370 in mozilla::dom::IDBObjectStore_Binding::add(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBObjectStore*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBObjectStoreBinding.cpp:504
    #36 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #37 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #38 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560

previously allocated by thread T0 (file:// Content) here:
    #0 0x56524596b6b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x56524599cacd in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f7dcedc5aaa in Malloc src/obj-firefox/dist/include/nsTArray.h:210:46
    #3 0x7f7dcedc5aaa in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) src/obj-firefox/dist/include/nsTArray-inl.h:153
    #4 0x7f7dd0e5cbd5 in ExtendCapacity<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray-inl.h:125:16
    #5 0x7f7dd0e5cbd5 in mozilla::dom::indexedDB::ObjectStoreSpec* nsTArray_Impl<mozilla::dom::indexedDB::ObjectStoreSpec, nsTArrayInfallibleAllocator>::AppendElements<nsTArrayInfallibleAllocator>(unsigned long) src/obj-firefox/dist/include/nsTArray.h:1776
    #6 0x7f7dd838ca4a in AppendElement<nsTArrayInfallibleAllocator> src/obj-firefox/dist/include/nsTArray.h:1804:12
    #7 0x7f7dd838ca4a in mozilla::dom::IDBDatabase::CreateObjectStore(nsTSubstring<char16_t> const&, mozilla::dom::IDBObjectStoreParameters const&, mozilla::ErrorResult&) src/dom/indexedDB/IDBDatabase.cpp:468
    #8 0x7f7dd5fd2c7e in mozilla::dom::IDBDatabase_Binding::createObjectStore(JSContext*, JS::Handle<JSObject*>, mozilla::dom::IDBDatabase*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/IDBDatabaseBinding.cpp:150:66
    #9 0x7f7dd61dd3b0 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3315:13
    #10 0x7f7ddeff160b in CallJSNative src/js/src/vm/Interpreter.cpp:468:15
    #11 0x7f7ddeff160b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:560
    #12 0x7f7ddefda58e in CallFromStack src/js/src/vm/Interpreter.cpp:620:12
    #13 0x7f7ddefda58e in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3462
    #14 0x7f7ddefbf85b in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:447:12
    #15 0x7f7ddeff211e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:587:15
    #16 0x7f7ddeff3eb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:633:10
    #17 0x7f7dde0bffbd in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2979:12
    #18 0x7f7dd577703a in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:265:37
    #19 0x7f7dd6a78f8a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #20 0x7f7dd6a7640e in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #21 0x7f7dd6a2b585 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1106:52
    #22 0x7f7dd6a2d5a3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1308:15
    #23 0x7f7dd6a103ae in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #24 0x7f7dd6a103ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:424
    #25 0x7f7dd6a0e653 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:641:16

SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsTArray.h:372:37 in Length
Shadow bytes around the buggy address:
  0x0c0c80050440: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050450: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050460: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c80050470: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c80050480: fa fa fa fa fa fa fa fa fa fa fa fa fd fd fd fd
=>0x0c0c80050490: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd[fd]
  0x0c0c800504a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504b0: fa fa fa fa fa fa fa fa fa fa fa fa 00 00 00 00
  0x0c0c800504c0: 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c800504e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==27984==ABORTING
Flags: in-testsuite?
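The three stacks above describe one ordering: the ObjectStoreSpec array is allocated by createObjectStore() inside an upgrade handler, a getter that runs while JS_StructuredClone serialises the value passed to objectStore.add() calls transaction.abort(), RevertToPreviousState() deletes the DatabaseSpec (and the array with it), and GetAddInfo() then reads Length on the freed array. The following C++ is an added illustration of that shape and of the re-validation a caller needs after any callout into script; it is not Gecko code, and every type and function name in it (Database, DatabaseSpec, addVulnerable, addHardened, CloneHook) is invented for the example.

```cpp
// Added example, not Gecko code: models the allocate / free / use ordering
// in the ASan report above using standard containers. All names are invented.
#include <cassert>
#include <cstddef>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

struct IndexMetadata { std::string name; };
struct ObjectStoreSpec {
  std::string name;
  std::vector<IndexMetadata> indexes;
};
// Stands in for DatabaseSpec: owned through a unique_ptr that the abort
// path replaces, destroying the old spec and every array inside it.
struct DatabaseSpec { std::vector<ObjectStoreSpec> objectStores; };

struct Database {
  std::unique_ptr<DatabaseSpec> spec;          // spec being built by the upgrade
  std::unique_ptr<DatabaseSpec> previousSpec;  // snapshot from before the upgrade
  bool aborted = false;

  // Mirrors IDBTransaction::Abort -> IDBDatabase::RevertToPreviousState:
  // move-assignment deletes the old DatabaseSpec (the "freed by" stack).
  void abortVersionChange() {
    aborted = true;
    spec = std::move(previousSpec);
  }
};

// Stands in for JS_StructuredClone: serialising the value can run arbitrary
// script (getters), modelled here as a callback that receives the database.
using CloneHook = std::function<void(Database&)>;

// VULNERABLE shape (what the "READ of size 8 ... in Length" stack shows):
// a reference into the spec is taken before the clone and used after it.
size_t addVulnerable(Database& db, size_t storeIdx, const CloneHook& clone) {
  const std::vector<IndexMetadata>& indexes =
      db.spec->objectStores[storeIdx].indexes;
  clone(db);              // may call abortVersionChange() and free *indexes
  return indexes.size();  // heap-use-after-free if the hook aborted
}

// HARDENED shape: treat every script callout as a point where the transaction
// may have been aborted. Re-check the state afterwards and re-fetch metadata
// from the current spec instead of reusing a reference taken before the call.
// Returns -1 when the transaction is no longer usable.
long addHardened(Database& db, size_t storeIdx, const CloneHook& clone) {
  clone(db);
  if (db.aborted) return -1;
  if (storeIdx >= db.spec->objectStores.size()) return -1;
  return static_cast<long>(db.spec->objectStores[storeIdx].indexes.size());
}

// Builds the state from the "previously allocated" stack: createObjectStore()
// inside onupgradeneeded appends an ObjectStoreSpec to the current spec,
// while the pre-upgrade snapshot is still empty.
Database makeUpgradingDatabase() {
  Database db;
  db.previousSpec = std::make_unique<DatabaseSpec>();
  db.spec = std::make_unique<DatabaseSpec>();
  db.spec->objectStores.push_back({"store", {{"byName"}, {"byAge"}}});
  return db;
}

// Scenario drivers (constructed inputs): a benign clone and a clone whose
// getter aborts the transaction, as the freeing stack above does.
size_t benignAddCount() {
  Database db = makeUpgradingDatabase();
  return addVulnerable(db, 0, [](Database&) {});
}
long hardenedBenignCount() {
  Database db = makeUpgradingDatabase();
  return addHardened(db, 0, [](Database&) {});
}
long hardenedAbortedResult() {
  Database db = makeUpgradingDatabase();
  return addHardened(db, 0, [](Database& d) { d.abortVersionChange(); });
}

int main() {
  assert(benignAddCount() == 2);        // no re-entrancy: both shapes agree
  assert(hardenedBenignCount() == 2);
  assert(hardenedAbortedResult() == -1);  // abort during clone is refused
  // Calling addVulnerable with the aborting hook reads the freed vector; an
  // ASan build reports heap-use-after-free in size(), like Length above.
  return 0;
}
```

The point the example isolates is the one the trace makes: a structured clone is a script callout, so any raw pointer or reference into transaction-owned metadata held across it is stale the moment script can call abort(). Re-reading state after the callout (or refusing to proceed once aborted) is what removes the window.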
Looks like this was submitted twice.  Closing in favor of the earlier bug 1500310.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Group: core-security