Bug 1512994 - AddressSanitizer: heap-use-after-free [@ mozilla::WebGLContext::FuncScope::FuncScope] with READ of size 8
Status: Closed, RESOLVED DUPLICATE of bug 1515052
Opened 6 years ago; closed 6 years ago
Product/Component: Core :: Graphics: CanvasWebGL (defect, P1)
People: Reporter: jkratzer; Assigned: jgilbert
References: Blocks 1 open bug
Attachments: 2 files, 1 obsolete file
Testcase found while fuzzing mozilla-central rev caae48e4e6cf. I'm currently reducing the testcase and will update once complete.
==28796==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000193e08 at pc 0x7fd1e0a12892 bp 0x7ffc99734780 sp 0x7ffc99734778
READ of size 8 at 0x61b000193e08 thread T0 (file:// Content)
#0 0x7fd1e0a12891 in mozilla::WebGLContext::FuncScope::FuncScope(mozilla::WebGLContext const&, char const*) src/dom/canvas/WebGLContext.cpp:2259:44
#1 0x7fd1e0a48d40 in mozilla::WebGLContext::LoseContext() src/dom/canvas/WebGLContextGL.cpp:2124:19
#2 0x7fd1df6eea6f in mozilla::dom::WEBGL_lose_context_Binding::loseContext(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLExtensionLoseContext*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:9853:9
#3 0x7fd1e07a9674 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3063:13
#4 0x7fd1e82b35dd in CallJSNative src/js/src/vm/Interpreter.cpp:443:13
#5 0x7fd1e82b35dd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535
#6 0x7fd1e829cd33 in CallFromStack src/js/src/vm/Interpreter.cpp:594:10
#7 0x7fd1e829cd33 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3320
#8 0x7fd1e827fc56 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#9 0x7fd1e82b3f81 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#10 0x7fd1e82b5c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#11 0x7fd1e8e28f06 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2651:10
#12 0x7fd1dffc0829 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
#13 0x7fd1dd1d1049 in void mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >(nsCOMPtr<nsISupports> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
#14 0x7fd1dd1cf720 in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) src/dom/base/nsGlobalWindowInner.cpp:6009:17
#15 0x7fd1dd4cd8ac in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) src/dom/base/TimeoutManager.cpp:786:42
#16 0x7fd1dd4cc738 in mozilla::dom::TimeoutExecutor::MaybeExecute() src/dom/base/TimeoutExecutor.cpp:157:11
#17 0x7fd1dd4cf9b8 in mozilla::dom::TimeoutExecutor::Run() src/dom/base/TimeoutExecutor.cpp:205:5
#18 0x7fd1d9244b72 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() src/xpcom/threads/ThrottledEventQueue.cpp:230:22
#19 0x7fd1d92445e7 in mozilla::ThrottledEventQueue::Inner::Executor::Run() src/xpcom/threads/ThrottledEventQueue.cpp:76:15
#20 0x7fd1d91eaeb5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
#21 0x7fd1d92282f8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#22 0x7fd1d92310ad in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#23 0x7fd1da4b53df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#24 0x7fd1da3a820e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#25 0x7fd1da3a820e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#26 0x7fd1da3a820e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#27 0x7fd1e3574283 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#28 0x7fd1e7fe423e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#29 0x7fd1da3a820e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#30 0x7fd1da3a820e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#31 0x7fd1da3a820e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#32 0x7fd1e7fe328e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#33 0x55c3e1b07864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#34 0x55c3e1b07864 in main src/browser/app/nsBrowserApp.cpp:265
#35 0x7fd1fd16c82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#36 0x55c3e1a2ceec in _start (/home/ubuntu/firefox/firefox+0x2deec)
0x61b000193e08 is located 136 bytes inside of 1472-byte region [0x61b000193d80,0x61b000194340)
freed by thread T0 (file:// Content) here:
#0 0x55c3e1ad4a12 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7fd1d9026e11 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2416:7
#2 0x7fd1d90254c3 in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2607:3
#3 0x7fd1d9031d92 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3578:3
#4 0x7fd1d9031025 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3407:9
#5 0x7fd1d9035fa6 in nsCycleCollector_collect(nsICycleCollectorListener*) src/xpcom/base/nsCycleCollector.cpp:3942:21
#6 0x7fd1dd729c0a in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) src/dom/base/nsJSEnvironment.cpp:1413:3
#7 0x7fd1e00b0f68 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:66:3
#8 0x7fd18f430c8f (<unknown module>)
#9 0x6210018b9627 (<unknown module>)
#10 0x7fd18f3e04de (<unknown module>)
#11 0x7fd1e951fbbd in EnterBaseline src/js/src/jit/BaselineJIT.cpp:124:5
#12 0x7fd1e951fbbd in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) src/js/src/jit/BaselineJIT.cpp:202
#13 0x7fd1e82a4bb0 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2250:24
#14 0x7fd1e827fc56 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#15 0x7fd1e82b3f81 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#16 0x7fd1e82b5c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#17 0x7fd1e8e28f06 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2651:10
#18 0x7fd1dfdb8ad9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#19 0x7fd1e0ffd8b2 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#20 0x7fd1e0ffd8b2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1040
#21 0x7fd1e0fffee3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
previously allocated by thread T0 (file:// Content) here:
#0 0x55c3e1ad4d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x55c3e1b0879d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7fd1e091dca8 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7fd1e091dca8 in Create src/dom/canvas/WebGL2Context.cpp:38
#4 0x7fd1e091dca8 in mozilla::dom::CanvasRenderingContextHelper::CreateContextHelper(mozilla::dom::CanvasContextType, mozilla::layers::LayersBackend) src/dom/canvas/CanvasRenderingContextHelper.cpp:130
#5 0x7fd1e12a406c in mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) src/dom/html/HTMLCanvasElement.cpp:398:7
#6 0x7fd1e091e3a0 in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/dom/canvas/CanvasRenderingContextHelper.cpp:155:15
#7 0x7fd1e12abeb6 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/dom/html/HTMLCanvasElement.cpp:907:40
#8 0x7fd1e01e6f7b in mozilla::dom::HTMLCanvasElement_Binding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:288:49
#9 0x7fd1e07a9674 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3063:13
#10 0x7fd1e82b35dd in CallJSNative src/js/src/vm/Interpreter.cpp:443:13
#11 0x7fd1e82b35dd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535
#12 0x7fd1e829cd33 in CallFromStack src/js/src/vm/Interpreter.cpp:594:10
#13 0x7fd1e829cd33 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3320
#14 0x7fd1e827fc56 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
#15 0x7fd1e82b3f81 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
#16 0x7fd1e82b5c02 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
#17 0x7fd1e8e28f06 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2651:10
#18 0x7fd1dfdb8ad9 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#19 0x7fd1e0ffd8b2 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#20 0x7fd1e0ffd8b2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1040
#21 0x7fd1e0fffee3 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
#22 0x7fd1e0fe08b6 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
#23 0x7fd1e0fe08b6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:346
#24 0x7fd1e0fdeb38 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:548:16
#25 0x7fd1e0fe5590 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1038:11
SUMMARY: AddressSanitizer: heap-use-after-free src/dom/canvas/WebGLContext.cpp:2259:44 in mozilla::WebGLContext::FuncScope::FuncScope(mozilla::WebGLContext const&, char const*)
Shadow bytes around the buggy address:
0x0c368002a770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a790: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c368002a7a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c368002a7b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c368002a7c0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a7d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a7e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a7f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a800: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c368002a810: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==28796==ABORTING
Flags: in-testsuite?
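The report above follows the standard compiler-rt layout: an error header, the faulting access line with its stack, the "is located ... bytes inside of ..." region line, then the "freed by" and "previously allocated by" stacks and a SUMMARY. The following parser is an added example for triaging such reports; it is not part of this bug, of the fuzzing harness, or of any Mozilla tooling. It pulls out the three stacks, checks that the faulting address really sits 136 bytes into the 1472-byte region the report names, and rebuilds a summary in the same "[@ function] with READ of size N" form as this bug's title. The embedded input is a constructed, trimmed copy of the report in the description (a few frames per stack; addresses, sizes and paths as shown on the page).

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: abbreviated copy of the report in the description above
# (stacks trimmed to a few frames; addresses, sizes and paths as on the page).
SAMPLE_REPORT = """\
==28796==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000193e08 at pc 0x7fd1e0a12892 bp 0x7ffc99734780 sp 0x7ffc99734778
READ of size 8 at 0x61b000193e08 thread T0 (file:// Content)
    #0 0x7fd1e0a12891 in mozilla::WebGLContext::FuncScope::FuncScope(mozilla::WebGLContext const&, char const*) src/dom/canvas/WebGLContext.cpp:2259:44
    #1 0x7fd1e0a48d40 in mozilla::WebGLContext::LoseContext() src/dom/canvas/WebGLContextGL.cpp:2124:19
    #2 0x7fd1df6eea6f in mozilla::dom::WEBGL_lose_context_Binding::loseContext(JSContext*, JS::Handle<JSObject*>, mozilla::WebGLExtensionLoseContext*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WebGLRenderingContextBinding.cpp:9853:9
0x61b000193e08 is located 136 bytes inside of 1472-byte region [0x61b000193d80,0x61b000194340)
freed by thread T0 (file:// Content) here:
    #0 0x55c3e1ad4a12 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fd1d9026e11 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2416:7
    #2 0x7fd1d90254c3 in nsCycleCollector::FreeSnowWhite(bool) src/xpcom/base/nsCycleCollector.cpp:2607:3
previously allocated by thread T0 (file:// Content) here:
    #0 0x55c3e1ad4d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55c3e1b0879d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7fd1e091dca8 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7fd1e091dca8 in Create src/dom/canvas/WebGL2Context.cpp:38
SUMMARY: AddressSanitizer: heap-use-after-free src/dom/canvas/WebGLContext.cpp:2259:44 in mozilla::WebGLContext::FuncScope::FuncScope(mozilla::WebGLContext const&, char const*)
==28796==ABORTING
"""

HEADER_RE = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located \d+ bytes .*? of (\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME_RE = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+(?:in\s+)?(.*?)\s*$")
LOCATION_RE = re.compile(r"^\S+:\d+(?::\d+)?$")  # file:line[:col] as the last token of a frame

@dataclass
class Frame:
    index: int
    pc: int
    function: str            # symbol including its argument list, or "(<unknown module>)"
    location: Optional[str]  # file:line[:col]; None for unsymbolized frames

@dataclass
class AsanReport:
    pid: int
    error: str
    address: int
    access: Optional[str] = None
    size: Optional[int] = None
    thread: Optional[str] = None
    region_start: Optional[int] = None
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    freed_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)

def parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    function, location = m.group(3), None
    parts = function.rsplit(None, 1)  # the source location, when present, is the last token
    if len(parts) == 2 and LOCATION_RE.match(parts[1]):
        function, location = parts
    return Frame(int(m.group(1)), int(m.group(2), 16), function, location)

def parse_asan_report(text: str) -> AsanReport:
    """Split a report into header fields plus the access, free and allocation stacks."""
    report, current = None, None
    for line in text.splitlines():
        if report is None:
            m = HEADER_RE.match(line)
            if m:
                report = AsanReport(int(m.group(1)), m.group(2), int(m.group(3), 16))
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size, report.thread = m.group(1), int(m.group(2)), m.group(3)
            current = report.access_stack
            continue
        m = REGION_RE.match(line)
        if m:
            report.region_size, report.region_start = int(m.group(1)), int(m.group(2), 16)
            current = None
            continue
        if line.startswith("freed by thread"):
            current = report.freed_stack
        elif line.startswith("previously allocated by thread"):
            current = report.alloc_stack
        elif line.startswith("SUMMARY:"):
            current = None
        elif current is not None:
            frame = parse_frame(line)
            if frame:
                current.append(frame)
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report

# Frames that only name the allocator, not the code responsible for the access.
ALLOCATOR_PREFIXES = ("__interceptor_", "__asan_", "malloc", "free", "operator new", "operator delete", "moz_xmalloc")

def crash_function(report: AsanReport) -> str:
    """Top symbolized, non-allocator frame of the faulting stack with its argument list stripped."""
    for frame in report.access_stack:
        name = frame.function.split("(", 1)[0].strip()  # "(<unknown module>)" strips to ""
        if name and not name.startswith(ALLOCATOR_PREFIXES):
            return name
    return "<unknown>"

def bug_title(report: AsanReport) -> str:
    """Summary in the form used by this bug: 'AddressSanitizer: <error> [@ <function>] with <access> of size <n>'."""
    title = f"AddressSanitizer: {report.error} [@ {crash_function(report)}]"
    if report.access:
        title += f" with {report.access} of size {report.size}"
    return title

def offset_in_region(report: AsanReport) -> Optional[int]:
    """Offset of the faulting address from the start of the region named in the report."""
    return None if report.region_start is None else report.address - report.region_start

def stack_mentions(stack: List[Frame], needle: str) -> bool:
    """True if needle appears in any frame's symbol or location (e.g. 'nsCycleCollector' in the free stack)."""
    return any(needle in f.function or (f.location and needle in f.location) for f in stack)

if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(bug_title(r))
    print(f"offset {offset_in_region(r)} of {r.region_size} bytes; freed under the cycle collector: "
          f"{stack_mentions(r.freed_stack, 'nsCycleCollector')}")
```

The free stack is the one worth reading first for a heap-use-after-free: here it shows the WebGLContext being destroyed by the cycle collector (SnowWhiteKiller via nsCycleCollector::FreeSnowWhite), while the access stack shows a later loseContext() call still reaching the object through WebGLContext::FuncScope. The allocation stack ties the freed region back to the WebGL2Context created by getContext().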
Updated • 6 years ago
Group: core-security → gfx-core-security
Reporter, Comment 1 • 6 years ago
The attached testcase requires a build with --enable-fuzzing.
Reporter, Updated • 6 years ago
Keywords: testcase-wanted → testcase
Reporter, Comment 2 • 6 years ago
Note, the testcase bisects back further than a year.
Assignee, Comment 3 • 6 years ago
Huh, ok. Maybe loseContext doesn't handle being called on a lost context properly.
Assignee: nobody → jgilbert
Updated • 6 years ago
status-firefox64: --- → wontfix
status-firefox66: --- → affected
status-firefox-esr60: --- → affected
Assignee, Comment 4 • 6 years ago
Reporter, Comment 6 • 6 years ago
(In reply to Jeff Gilbert [:jgilbert] from comment #5)
> Can you retest with this patch?
Jeff, the issue still triggers using the attached patch.
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e27f4ce4837e82b6afc237e152194bc565205e03
Flags: needinfo?(jkratzer)
Assignee, Updated • 6 years ago
Priority: -- → P1
Updated • 6 years ago
status-firefox67: --- → affected
status-firefox68: --- → affected
Assignee, Comment 7 • 6 years ago
I'll need to spin up an ASAN env then.
Assignee, Comment 8 • 6 years ago
I cannot reproduce this on an ASAN build with --enable-fuzzing and fuzzing.enabled:true.
Reporter, Comment 9 • 6 years ago
The testcase still reproduces for me using the attached prefs and the latest nightly (20190423095327).
Steps to reproduce:
- Use latest nightly build
- Download ffpuppet
- Install ffpuppet
  - pip install .
- Launch testcase
  - python -m ffpuppet -p prefs.js -d -l log asan-build/firefox -u testcase.html
Please NI me if you're still having issues reproducing.
Assignee, Updated • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Updated • 6 years ago
Attachment #9046575: Attachment is obsolete: true
Updated • 5 years ago
Comment 11 • 5 years ago
Removing employee no longer with company from CC list of private bugs.
Updated • 2 years ago
Group: gfx-core-security