Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:69:17 in assign_assuming_AddRef

RESOLVED FIXED in Firefox -esr60

Status

()

defect
RESOLVED FIXED
10 months ago
12 days ago

People

(Reporter: nataliaCs, Assigned: mccr8)

Tracking

({csectype-uaf, intermittent-failure, sec-moderate})

unspecified
mozilla65
Points:
---
Bug Flags:
qe-verify -

Firefox Tracking Flags

(firefox-esr6064+ fixed, firefox63 wontfix, firefox64+ fixed, firefox65+ fixed)

Details

(Whiteboard: [adv-main64+][adv-esr60.4+])

Attachments

(1 attachment)

Push with failure: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=fc21376e28da2879eb57bfe6f9077f8ee74a80ce&group_state=expanded&searchStr=linux%2Cx64%2Casan%2Cweb%2Cplatform%2Ctests%2Cwith%2Ce10s%2Ctest-linux64-asan%2Fopt-web-platform-tests-e10s-12%2Cw-e10s%28wpt12%29&selectedJob=208521436 

Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=208521436&repo=mozilla-inbound&lineNumber=1178

[task 2018-10-30T01:16:57.178Z] 01:16:57     INFO - PID 890 | 1540862217173	Marionette	INFO	Stopped listening on port 2828
[task 2018-10-30T01:16:57.445Z] 01:16:57     INFO - PID 890 | ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
[task 2018-10-30T01:16:57.552Z] 01:16:57     INFO - PID 890 | =================================================================
[task 2018-10-30T01:16:57.552Z] 01:16:57    ERROR - PID 890 | ==999==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0001d2f18 at pc 0x7f6d5365e783 bp 0x7ffe1257a740 sp 0x7ffe1257a738
[task 2018-10-30T01:16:57.552Z] 01:16:57     INFO - PID 890 | READ of size 8 at 0x61a0001d2f18 thread T0 (Web Content)
[task 2018-10-30T01:16:58.383Z] 01:16:58     INFO - PID 890 |     #0 0x7f6d5365e782 in assign_assuming_AddRef /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:69:17
[task 2018-10-30T01:16:58.384Z] 01:16:58     INFO - PID 890 |     #1 0x7f6d5365e782 in operator= /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:177
[task 2018-10-30T01:16:58.384Z] 01:16:58     INFO - PID 890 |     #2 0x7f6d5365e782 in mozilla::dom::CanvasRenderingContext2D::OnShutdown() /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:1178
[task 2018-10-30T01:16:58.384Z] 01:16:58     INFO - PID 890 |     #3 0x7f6d5365e610 in mozilla::dom::CanvasShutdownObserver::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:799:14
[task 2018-10-30T01:16:58.392Z] 01:16:58     INFO - PID 890 |     #4 0x7f6d4da3e991 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:111:19
[task 2018-10-30T01:16:58.393Z] 01:16:58     INFO - PID 890 |     #5 0x7f6d4da42213 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295:19
[task 2018-10-30T01:16:58.393Z] 01:16:58     INFO - PID 890 |     #6 0x7f6d4dbba690 in mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/workspace/build/src/xpcom/build/XPCOMInit.cpp:890:26
[task 2018-10-30T01:16:58.394Z] 01:16:58     INFO - PID 890 |     #7 0x7f6d596eea5c in XRE_TermEmbedding() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:227:3
[task 2018-10-30T01:16:58.410Z] 01:16:58     INFO - PID 890 |     #8 0x7f6d4ead9d32 in mozilla::ipc::ScopedXREEmbed::Stop() /builds/worker/workspace/build/src/ipc/glue/ScopedXREEmbed.cpp:108:5
[task 2018-10-30T01:16:58.411Z] 01:16:58     INFO - PID 890 |     #9 0x7f6d596ef583 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:16
[task 2018-10-30T01:16:58.412Z] 01:16:58     INFO - PID 890 |     #10 0x55e622e993c4 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
[task 2018-10-30T01:16:58.413Z] 01:16:58     INFO - PID 890 |     #11 0x55e622e993c4 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:301
[task 2018-10-30T01:16:58.469Z] 01:16:58     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:16:58.470Z] 01:16:58     INFO - PID 890 | Suppressions used:
[task 2018-10-30T01:16:58.471Z] 01:16:58     INFO - PID 890 |   count      bytes template
[task 2018-10-30T01:16:58.471Z] 01:16:58     INFO - PID 890 |     524      16720 nsComponentManagerImpl
[task 2018-10-30T01:16:58.472Z] 01:16:58     INFO - PID 890 |       3        624 mozJSComponentLoader::LoadModule
[task 2018-10-30T01:16:58.473Z] 01:16:58     INFO - PID 890 |       2        288 libfontconfig.so
[task 2018-10-30T01:16:58.474Z] 01:16:58     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:16:58.492Z] 01:16:58     INFO - PID 890 |     #12 0x7f6d6d3ec82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
[task 2018-10-30T01:16:58.493Z] 01:16:58     INFO - PID 890 |     #13 0x55e622dbea98 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x2aa98)
[task 2018-10-30T01:16:58.495Z] 01:16:58     INFO - PID 890 | 0x61a0001d2f18 is located 152 bytes inside of 1160-byte region [0x61a0001d2e80,0x61a0001d3308)
[task 2018-10-30T01:16:58.495Z] 01:16:58     INFO - PID 890 | freed by thread T0 (Web Content) here:
[task 2018-10-30T01:16:58.496Z] 01:16:58     INFO - PID 890 |     #0 0x55e622e665c2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
[task 2018-10-30T01:16:58.500Z] 01:16:58     INFO - PID 890 |     #1 0x7f6d4d9eb882 in MaybeKillObject /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2754:29
[task 2018-10-30T01:16:58.502Z] 01:16:58     INFO - PID 890 |     #2 0x7f6d4d9eb882 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2782
[task 2018-10-30T01:16:58.503Z] 01:16:58     INFO - PID 890 |     #3 0x7f6d4d9c9d12 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:1091:23
[task 2018-10-30T01:16:58.505Z] 01:16:58     INFO - PID 890 |     #4 0x7f6d4d9caf36 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2980:14
[task 2018-10-30T01:16:58.525Z] 01:16:58     INFO - PID 890 |     #5 0x7f6d4f509a80 in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:139:9
[task 2018-10-30T01:16:58.532Z] 01:16:58     INFO - PID 890 |     #6 0x7f6d4db74baa in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:354:22
[task 2018-10-30T01:16:58.533Z] 01:16:58     INFO - PID 890 |     #7 0x7f6d4db5d171 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1245:14
[task 2018-10-30T01:16:58.535Z] 01:16:58     INFO - PID 890 |     #8 0x7f6d4db64248 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
[task 2018-10-30T01:16:58.535Z] 01:16:58     INFO - PID 890 |     #9 0x7f6d4db5b67c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:953:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
[task 2018-10-30T01:16:58.536Z] 01:16:58     INFO - PID 890 |     #10 0x7f6d4db5b67c in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:953
[task 2018-10-30T01:16:58.537Z] 01:16:58     INFO - PID 890 |     #11 0x7f6d4db6932d in nsThreadPool::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:358:17
[task 2018-10-30T01:16:58.541Z] 01:16:58     INFO - PID 890 |     #12 0x7f6d4db3dd64 in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
[task 2018-10-30T01:16:58.542Z] 01:16:58     INFO - PID 890 |     #13 0x7f6d4db3dd64 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1197
[task 2018-10-30T01:16:58.544Z] 01:16:58     INFO - PID 890 |     #14 0x7f6d4db3dd64 in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1242
[task 2018-10-30T01:16:58.545Z] 01:16:58     INFO - PID 890 |     #15 0x7f6d4db5d171 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1245:14
[task 2018-10-30T01:16:58.545Z] 01:16:58     INFO - PID 890 |     #16 0x7f6d4db8db11 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
[task 2018-10-30T01:16:58.563Z] 01:16:58     INFO - PID 890 |     #17 0x7f6d4f53fc5c in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1723:12
[task 2018-10-30T01:16:58.565Z] 01:16:58     INFO - PID 890 |     #18 0x7f6d4f53fc5c in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1268
[task 2018-10-30T01:16:58.566Z] 01:16:58     INFO - PID 890 |     #19 0x7f6d4f53fc5c in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1232
[task 2018-10-30T01:16:58.567Z] 01:16:58     INFO - PID 890 |     #20 0x7f6d4f545a36 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1020:12
[task 2018-10-30T01:16:58.585Z] 01:16:58     INFO - PID 890 |     #21 0x7f6d06701aff  (<unknown module>)
[task 2018-10-30T01:16:58.586Z] 01:16:58     INFO - PID 890 |     #22 0x621002aa5077  (<unknown module>)
[task 2018-10-30T01:16:58.589Z] 01:16:58     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:16:58.590Z] 01:16:58     INFO - PID 890 | Suppressions used:
[task 2018-10-30T01:16:58.591Z] 01:16:58     INFO - PID 890 |   count      bytes template
[task 2018-10-30T01:16:58.593Z] 01:16:58     INFO - PID 890 |     524      16720 nsComponentManagerImpl
[task 2018-10-30T01:16:58.595Z] 01:16:58     INFO - PID 890 |       2        416 mozJSComponentLoader::LoadModule
[task 2018-10-30T01:16:58.596Z] 01:16:58     INFO - PID 890 |     611      17713 libfontconfig.so
[task 2018-10-30T01:16:58.598Z] 01:16:58     INFO - PID 890 |       1         29 libglib-2.0.so
[task 2018-10-30T01:16:58.599Z] 01:16:58     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:16:58.600Z] 01:16:58     INFO - PID 890 |     #23 0x7f6d0669f4e1  (<unknown module>)
[task 2018-10-30T01:16:58.617Z] 01:16:58     INFO - PID 890 |     #24 0x7f6d5afdd2ec in EnterJit /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:103:9
[task 2018-10-30T01:16:58.618Z] 01:16:58     INFO - PID 890 |     #25 0x7f6d5afdd2ec in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/jit/Jit.cpp:170
[task 2018-10-30T01:16:58.628Z] 01:16:58     INFO - PID 890 |     #26 0x7f6d5b36342f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:432:34
[task 2018-10-30T01:16:58.629Z] 01:16:58     INFO - PID 890 |     #27 0x7f6d5b3986e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
[task 2018-10-30T01:16:58.630Z] 01:16:58     INFO - PID 890 |     #28 0x7f6d5b39a392 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
[task 2018-10-30T01:16:58.665Z] 01:16:58     INFO - PID 890 |     #29 0x7f6d59b8a4ea in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2911:12
[task 2018-10-30T01:16:58.666Z] 01:16:58     INFO - PID 890 |     #30 0x7f6d4f526cdc in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1174:23
[task 2018-10-30T01:16:58.667Z] 01:16:58     INFO - PID 890 |     #31 0x7f6d4db8f218 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
[task 2018-10-30T01:16:58.668Z] 01:16:58     INFO - PID 890 |     #32 0x7f6d4db8e0ea in SharedStub (/builds/worker/workspace/build/application/firefox/libxul.so+0x23190ea)
[task 2018-10-30T01:16:58.670Z] 01:16:58     INFO - PID 890 |     #33 0x7f6d4da3e991 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverList.cpp:111:19
[task 2018-10-30T01:16:58.671Z] 01:16:58     INFO - PID 890 |     #34 0x7f6d4da42213 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/xpcom/ds/nsObserverService.cpp:295:19
[task 2018-10-30T01:16:58.687Z] 01:16:58     INFO - PID 890 |     #35 0x7f6d552c4e59 in mozilla::dom::workerinternals::RuntimeService::Shutdown() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1869:14
[task 2018-10-30T01:16:58.688Z] 01:16:58     INFO - PID 890 |     #36 0x7f6d552cc938 in mozilla::dom::workerinternals::RuntimeService::Observe(nsISupports*, char const*, char16_t const*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2636:5
[task 2018-10-30T01:16:58.688Z] 01:16:58     INFO - PID 890 | previously allocated by thread T0 (Web Content) here:
[task 2018-10-30T01:16:58.690Z] 01:16:58     INFO - PID 890 |     #0 0x55e622e66943 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
[task 2018-10-30T01:16:58.691Z] 01:16:58     INFO - PID 890 |     #1 0x55e622e9a2dd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
[task 2018-10-30T01:16:58.691Z] 01:16:58     INFO - PID 890 |     #2 0x7f6d536aa2e4 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
[task 2018-10-30T01:16:58.691Z] 01:16:58     INFO - PID 890 |     #3 0x7f6d536aa2e4 in mozilla::dom::CanvasRenderingContextHelper::CreateContextHelper(mozilla::dom::CanvasContextType, mozilla::layers::LayersBackend) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:136
[task 2018-10-30T01:16:58.693Z] 01:16:58     INFO - PID 890 |     #4 0x7f6d53e97f99 in mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:439:5
[task 2018-10-30T01:16:58.693Z] 01:16:58     INFO - PID 890 |     #5 0x7f6d536aa7d1 in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:180:15
[task 2018-10-30T01:16:58.693Z] 01:16:58     INFO - PID 890 |     #6 0x7f6d53e9e2e2 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:1027:40
[task 2018-10-30T01:16:58.774Z] 01:16:58     INFO - PID 890 |     #7 0x7f6d53081dbd in mozilla::dom::HTMLCanvasElement_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:277:49
[task 2018-10-30T01:16:58.782Z] 01:16:58     INFO - PID 890 |     #8 0x7f6d53579fba in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3314:13
[task 2018-10-30T01:16:58.782Z] 01:16:58     INFO - PID 890 |     #9 0x7f6d5b397cd8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
[task 2018-10-30T01:16:58.783Z] 01:16:58     INFO - PID 890 |     #10 0x7f6d5b397cd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
[task 2018-10-30T01:16:58.784Z] 01:16:58     INFO - PID 890 |     #11 0x7f6d5b37eaf8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
[task 2018-10-30T01:16:58.784Z] 01:16:58     INFO - PID 890 |     #12 0x7f6d5b37eaf8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3462
[task 2018-10-30T01:16:58.785Z] 01:16:58     INFO - PID 890 |     #13 0x7f6d5b363748 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
[task 2018-10-30T01:16:58.785Z] 01:16:58     INFO - PID 890 |     #14 0x7f6d5b3986e6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
[task 2018-10-30T01:16:58.785Z] 01:16:58     INFO - PID 890 |     #15 0x7f6d5b39a392 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
[task 2018-10-30T01:16:58.822Z] 01:16:58     INFO - PID 890 |     #16 0x7f6d59a7a887 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:102:12
[task 2018-10-30T01:16:58.823Z] 01:16:58     INFO - PID 890 |     #17 0x7f6d59a7a887 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1626
[task 2018-10-30T01:16:58.824Z] 01:16:58     INFO - PID 890 |     #18 0x7f6d5b397cd8 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
[task 2018-10-30T01:16:58.825Z] 01:16:58     INFO - PID 890 |     #19 0x7f6d5b397cd8 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
[task 2018-10-30T01:16:58.825Z] 01:16:58     INFO - PID 890 |     #20 0x7f6d5b39a392 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
[task 2018-10-30T01:16:58.826Z] 01:16:58     INFO - PID 890 |     #21 0x7f6d59b8cb86 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2975:12
[task 2018-10-30T01:16:58.842Z] 01:16:58     INFO - PID 890 |     #22 0x7f6d51aee5f6 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
[task 2018-10-30T01:16:58.850Z] 01:16:58     INFO - PID 890 |     #23 0x7f6d4d9b30b5 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
[task 2018-10-30T01:16:58.850Z] 01:16:58     INFO - PID 890 |     #24 0x7f6d4d9b30b5 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
[task 2018-10-30T01:16:58.851Z] 01:16:58     INFO - PID 890 |     #25 0x7f6d4d9b30b5 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:247
[task 2018-10-30T01:16:58.852Z] 01:16:58     INFO - PID 890 |     #26 0x7f6d4d992a71 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:603:17
[task 2018-10-30T01:16:58.867Z] 01:16:58     INFO - PID 890 |     #27 0x7f6d53c9da85 in LeaveMicroTask /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:210:7
[task 2018-10-30T01:16:58.868Z] 01:16:58     INFO - PID 890 |     #28 0x7f6d53c9da85 in ~nsAutoMicroTask /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:305
[task 2018-10-30T01:16:58.868Z] 01:16:58     INFO - PID 890 |     #29 0x7f6d53c9da85 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1109
[task 2018-10-30T01:16:58.869Z] 01:16:58     INFO - PID 890 |     #30 0x7f6d53c9f878 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1309:15
[task 2018-10-30T01:16:58.869Z] 01:16:58     INFO - PID 890 |     #31 0x7f6d53c88108 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
[task 2018-10-30T01:16:58.870Z] 01:16:58     INFO - PID 890 |     #32 0x7f6d53c88108 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:424
[task 2018-10-30T01:16:58.870Z] 01:16:58     INFO - PID 890 |     #33 0x7f6d53c86905 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:641:16
[task 2018-10-30T01:16:58.871Z] 01:16:58     INFO - PID 890 |     #34 0x7f6d53c8c01f in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1156:11
[task 2018-10-30T01:16:58.871Z] 01:16:58     INFO - PID 890 |     #35 0x7f6d53c9198a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
[task 2018-10-30T01:16:58.928Z] 01:16:58     INFO - PID 890 |     #36 0x7f6d50f5939a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1142:5
[task 2018-10-30T01:16:58.928Z] 01:16:58     INFO - PID 890 |     #37 0x7f6d53cac6d3 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:205:13
[task 2018-10-30T01:16:58.934Z] 01:16:58     INFO - PID 890 |     #38 0x7f6d53c1fcc9 in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:72:12
[task 2018-10-30T01:16:58.934Z] 01:16:58     INFO - PID 890 |     #39 0x7f6d4db2f361 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
[task 2018-10-30T01:16:58.935Z] 01:16:58     INFO - PID 890 | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:69:17 in assign_assuming_AddRef
[task 2018-10-30T01:16:58.936Z] 01:16:58     INFO - PID 890 | Shadow bytes around the buggy address:
[task 2018-10-30T01:16:58.937Z] 01:16:58     INFO - PID 890 |   0x0c3480032590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.937Z] 01:16:58     INFO - PID 890 |   0x0c34800325a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.938Z] 01:16:58     INFO - PID 890 |   0x0c34800325b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
[task 2018-10-30T01:16:58.938Z] 01:16:58     INFO - PID 890 |   0x0c34800325c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2018-10-30T01:16:58.939Z] 01:16:58     INFO - PID 890 |   0x0c34800325d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.940Z] 01:16:58     INFO - PID 890 | =>0x0c34800325e0: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.941Z] 01:16:58     INFO - PID 890 |   0x0c34800325f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.941Z] 01:16:58     INFO - PID 890 |   0x0c3480032600: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.942Z] 01:16:58     INFO - PID 890 |   0x0c3480032610: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.943Z] 01:16:58     INFO - PID 890 |   0x0c3480032620: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.944Z] 01:16:58     INFO - PID 890 |   0x0c3480032630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2018-10-30T01:16:58.944Z] 01:16:58     INFO - PID 890 | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2018-10-30T01:16:58.945Z] 01:16:58     INFO - PID 890 |   Addressable:           00
[task 2018-10-30T01:16:58.946Z] 01:16:58     INFO - PID 890 |   Partially addressable: 01 02 03 04 05 06 07
[task 2018-10-30T01:16:58.946Z] 01:16:58     INFO - PID 890 |   Heap left redzone:       fa
[task 2018-10-30T01:16:58.947Z] 01:16:58     INFO - PID 890 |   Freed heap region:       fd
[task 2018-10-30T01:16:58.948Z] 01:16:58     INFO - PID 890 |   Stack left redzone:      f1
[task 2018-10-30T01:16:58.948Z] 01:16:58     INFO - PID 890 |   Stack mid redzone:       f2
[task 2018-10-30T01:16:58.949Z] 01:16:58     INFO - PID 890 |   Stack right redzone:     f3
[task 2018-10-30T01:16:58.951Z] 01:16:58     INFO - PID 890 |   Stack after return:      f5
[task 2018-10-30T01:16:58.951Z] 01:16:58     INFO - PID 890 |   Stack use after scope:   f8
[task 2018-10-30T01:16:58.952Z] 01:16:58     INFO - PID 890 |   Global redzone:          f9
[task 2018-10-30T01:16:58.953Z] 01:16:58     INFO - PID 890 |   Global init order:       f6
[task 2018-10-30T01:16:58.953Z] 01:16:58     INFO - PID 890 |   Poisoned by user:        f7
[task 2018-10-30T01:16:58.954Z] 01:16:58     INFO - PID 890 |   Container overflow:      fc
[task 2018-10-30T01:16:58.955Z] 01:16:58     INFO - PID 890 |   Array cookie:            ac
[task 2018-10-30T01:16:58.956Z] 01:16:58     INFO - PID 890 |   Intra object redzone:    bb
[task 2018-10-30T01:16:58.957Z] 01:16:58     INFO - PID 890 |   ASan internal:           fe
[task 2018-10-30T01:16:58.957Z] 01:16:58     INFO - PID 890 |   Left alloca redzone:     ca
[task 2018-10-30T01:16:58.958Z] 01:16:58     INFO - PID 890 |   Right alloca redzone:    cb
[task 2018-10-30T01:16:58.959Z] 01:16:58     INFO - PID 890 |   Shadow gap:              cc
[task 2018-10-30T01:16:58.960Z] 01:16:58     INFO - PID 890 | ==999==ABORTING
[task 2018-10-30T01:17:00.755Z] 01:17:00     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:17:00.756Z] 01:17:00     INFO - PID 890 | Suppressions used:
[task 2018-10-30T01:17:00.756Z] 01:17:00     INFO - PID 890 |   count      bytes template
[task 2018-10-30T01:17:00.757Z] 01:17:00     INFO - PID 890 |     534      17032 nsComponentManagerImpl
[task 2018-10-30T01:17:00.757Z] 01:17:00     INFO - PID 890 |      38       7904 mozJSComponentLoader::LoadModule
[task 2018-10-30T01:17:00.758Z] 01:17:00     INFO - PID 890 |     613      17519 libfontconfig.so
[task 2018-10-30T01:17:00.758Z] 01:17:00     INFO - PID 890 |       6        264 _PR_Getfd
[task 2018-10-30T01:17:00.758Z] 01:17:00     INFO - PID 890 |       1         29 libglib-2.0.so
[task 2018-10-30T01:17:00.759Z] 01:17:00     INFO - PID 890 |       3         84 libresolv.so
[task 2018-10-30T01:17:00.760Z] 01:17:00     INFO - PID 890 | -----------------------------------------------------
[task 2018-10-30T01:17:00.906Z] 01:17:00     INFO - Browser exited with return code 0
The object being used after it is freed is a CanvasRenderingContext2D.

It looks like the use is from CanvasShutdownObserver, which has a weak pointer mCanvas to a context, which is likely the issue.
Group: core-security → gfx-core-security
Keywords: csectype-uaf
Can you take a look, Nicolas? It looks like you added this weak pointer back in bug 1167235. Thanks.
Flags: needinfo?(nical.bugzilla)
Interesting. The weak pointer should be fine here because the canvas context's destructor unregisters the shutdown observer (unless there is something special about cycle collections and object destructors?). The observer reference in the canvas is never reassigned and everything happens on the main thread, so if the canvas has been deleted the observer that is tapping into the freed canvas should have been unregistered already.
I'll keep digging.
Flags: needinfo?(nical.bugzilla)
Duplicate of this bug: 1502259
(In reply to Nicolas Silva [:nical] from comment #3)
> Interesting. The weak pointer should be fine here because the canvas
> context's destructor unregisters the shutdown observer (unless there is
> something special about cycle collections and object destructors?).

Oh, I see what you mean. Looking at the free stack, you can see that in frame 36, it looks like we're in the shutdown observer for workers, which spins the event loop, which ends up freeing the canvas. So presumably nsObserverService::NotifyObservers() is already running, so we end up going ahead and running the canvas shutdown observer, even though the canvas has unregistered it.

I think a fix would be to make RemoveShutdownObserver() also null out the mCanvas pointer on the shutdown observer, then null check for that. I can write up a patch, though I'm not sure how to test it.

I wonder if there is or should be an assert for unregistering a shutdown observer while we're running the shutdown observer. I suppose for most things they register themselves, not a holder, so the observer list magic protects against UAF.

This should be hard to exploit, as it happens in shutdown, though early enough that JS is still running.
Assignee: nobody → continuation
Keywords: sec-moderate
Ah those nested event loops! Good catch!
It is possible for the CanvasRenderingContext2D to be destroyed while
we're in the middle of the call to nsObserverService::NotifyObservers()
for shutdown. This leaves the shutdown observer with a dangling pointer
to the canvas, so this patch explicitly clears the pointer when the
context goes away.
See Also: → 1504365
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d3284735c7fa
Group: gfx-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Please request Beta and ESR60 approval on this when you get a chance. It grafts cleanly to both as-landed.
Flags: needinfo?(continuation)
Comment on attachment 9022315 [details]
Bug 1503082 - Clear CanvasShutdownObserver::mCanvas when the canvas goes away.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: Bug 1167235

User impact if declined: Crashes during shutdown. Some small chance of a security problem, but it would be hard to take advantage of.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: No

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: None

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): This just nulls out a pointer in shutdown.

String changes made/needed: 

[ESR Uplift Approval Request]

If this is not a sec:{high,crit} bug, please state case for ESR consideration: It is only a sec-moderate, but there's some tiny chance it should really be worse.

User impact if declined: crashes in shutdown, possible sec problems.

Fix Landed on Version: 64

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): 

String or UUID changes made by this patch:
Flags: needinfo?(continuation)
Attachment #9022315 - Flags: approval-mozilla-esr60?
Attachment #9022315 - Flags: approval-mozilla-beta?
Comment on attachment 9022315 [details]
Bug 1503082 - Clear CanvasShutdownObserver::mCanvas when the canvas goes away.

[Triage Comment]
Fixes a security-sensitive shutdown crash. Approved for 64.0b8 and 60.4.0esr.
Attachment #9022315 - Flags: approval-mozilla-esr60?
Attachment #9022315 - Flags: approval-mozilla-esr60+
Attachment #9022315 - Flags: approval-mozilla-beta?
Attachment #9022315 - Flags: approval-mozilla-beta+
Whiteboard: [adv-main64+][adv-esr60.4+]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.