1519145 - SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/libxul.so+0x3283e32)

Reporter

Description

•

6 years ago

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=221103037&repo=autoland&lineNumber=4371

[task 2019-01-10T15:30:01.770Z] 15:30:01 [task 2019-01-10T15:30:01.773Z] 15:30:01 [task 2019-01-10T15:30:01.776Z] 15:30:01 [task 2019-01-10T15:30:01.777Z] 15:30:01 [task 2019-01-10T15:30:01.899Z] 15:30:01 [task 2019-01-10T15:30:01.980Z] 15:30:01 [task 2019-01-10T15:30:02.057Z] 15:30:02 [task 2019-01-10T15:30:02.134Z] 15:30:02 [task 2019-01-10T15:30:02.212Z] 15:30:02 [task 2019-01-10T15:30:02.216Z] 15:30:02 [task 2019-01-10T15:30:02.216Z] 15:30:02 [task 2019-01-10T15:30:02.217Z] 15:30:02 [task 2019-01-10T15:30:02.217Z] 15:30:02 [task 2019-01-10T15:30:02.217Z] 15:30:02 [task 2019-01-10T15:30:02.219Z] 15:30:02 [task 2019-01-10T15:30:02.220Z] 15:30:02 [task 2019-01-10T15:30:02.222Z] 15:30:02 [task 2019-01-10T15:30:02.223Z] 15:30:02 [task 2019-01-10T15:30:02.227Z] 15:30:02 [task 2019-01-10T15:30:02.228Z] 15:30:02 [task 2019-01-10T15:30:02.229Z] 15:30:02 [task 2019-01-10T15:30:02.230Z] 15:30:02 [task 2019-01-10T15:30:02.231Z] 15:30:02 [task 2019-01-10T15:30:02.232Z] 15:30:02 [task 2019-01-10T15:30:02.235Z] 15:30:02 [task 2019-01-10T15:30:02.236Z] 15:30:02 [task 2019-01-10T15:30:02.238Z] 15:30:02 [task 2019-01-10T15:30:02.239Z] 15:30:02 [task 2019-01-10T15:30:02.240Z] 15:30:02 [task 2019-01-10T15:30:02.245Z] 15:30:02 [task 2019-01-10T15:30:02.246Z] 15:30:02 [task 2019-01-10T15:30:02.247Z] 15:30:02 [task 2019-01-10T15:30:02.248Z] 15:30:02 [task 2019-01-10T15:30:02.249Z] 15:30:02 [task 2019-01-10T15:30:02.250Z] 15:30:02 [task 2019-01-10T15:30:02.251Z] 15:30:02 [task 2019-01-10T15:30:02.251Z] 15:30:02 [task 2019-01-10T15:30:02.252Z] 15:30:02 [task 2019-01-10T15:30:02.254Z] 15:30:02 [task 2019-01-10T15:30:02.256Z] 15:30:02 [task 2019-01-10T15:30:02.257Z] 15:30:02 [task 2019-01-10T15:30:02.258Z] 15:30:02 [task 2019-01-10T15:30:02.260Z] 15:30:02 [task 2019-01-10T15:30:02.261Z] 15:30:02 [task 2019-01-10T15:30:02.262Z] 15:30:02 [task 2019-01-10T15:30:02.262Z] 15:30:02 [task 2019-01-10T15:30:02.265Z] 15:30:02 [task 2019-01-10T15:30:02.266Z] 15:30:02 [task 2019-01-10T15:30:02.267Z] 15:30:02 [task 2019-01-10T15:30:02.268Z] 15:30:02 [task 2019-01-10T15:30:02.273Z] 15:30:02 [task 2019-01-10T15:30:02.274Z] 15:30:02 [task 2019-01-10T15:30:02.274Z] 15:30:02 [task 2019-01-10T15:30:02.275Z] 15:30:02 [task 2019-01-10T15:30:02.276Z] 15:30:02 [task 2019-01-10T15:30:02.277Z] 15:30:02 [task 2019-01-10T15:30:02.278Z] 15:30:02 [task 2019-01-10T15:30:02.279Z] 15:30:02 [task 2019-01-10T15:30:02.307Z] 15:30:02 [task 2019-01-10T15:30:02.308Z] 15:30:02 [task 2019-01-10T15:30:02.308Z] 15:30:02 [task 2019-01-10T15:30:02.309Z] 15:30:02 [task 2019-01-10T15:30:02.312Z] 15:30:02 [task 2019-01-10T15:30:02.313Z] 15:30:02 [task 2019-01-10T15:30:02.313Z] 15:30:02 [task 2019-01-10T15:30:02.314Z] 15:30:02 [task 2019-01-10T15:30:02.314Z] 15:30:02 [task 2019-01-10T15:30:02.314Z] 15:30:02 [task 2019-01-10T15:30:02.315Z] 15:30:02 [task 2019-01-10T15:30:02.321Z] 15:30:02 [task 2019-01-10T15:30:02.321Z] 15:30:02 [task 2019-01-10T15:30:02.322Z] 15:30:02 [task 2019-01-10T15:30:02.322Z] 15:30:02 [task 2019-01-10T15:30:02.322Z] 15:30:02 [task 2019-01-10T15:30:02.325Z] 15:30:02 [task 2019-01-10T15:30:02.326Z] 15:30:02 [task 2019-01-10T15:30:02.328Z] 15:30:02 [task 2019-01-10T15:30:02.329Z] 15:30:02 [task 2019-01-10T15:30:02.329Z] 15:30:02 [task 2019-01-10T15:30:02.330Z] 15:30:02 [task 2019-01-10T15:30:02.330Z] 15:30:02 [task 2019-01-10T15:30:02.331Z] 15:30:02 [task 2019-01-10T15:30:02.335Z] 15:30:02 [task 2019-01-10T15:30:02.336Z] 15:30:02 [task 2019-01-10T15:30:02.338Z] 15:30:02 [task 2019-01-10T15:30:02.338Z] 15:30:02 [task 2019-01-10T15:30:02.339Z] 15:30:02 [task 2019-01-10T15:30:02.339Z] 15:30:02 [task 2019-01-10T15:30:02.339Z] 15:30:02 [task 2019-01-10T15:30:02.341Z] 15:30:02 [task 2019-01-10T15:30:02.344Z] 15:30:02 [task 2019-01-10T15:30:02.344Z] 15:30:02 [task 2019-01-10T15:30:02.344Z] 15:30:02 [task 2019-01-10T15:30:02.345Z] 15:30:02 [task 2019-01-10T15:30:02.345Z] 15:30:02 [task 2019-01-10T15:30:02.346Z] 15:30:02 [task 2019-01-10T15:30:02.347Z] 15:30:02 [task 2019-01-10T15:30:02.347Z] 15:30:02 [task 2019-01-10T15:30:02.347Z] 15:30:02 [task 2019-01-10T15:30:02.348Z] 15:30:02 [task 2019-01-10T15:30:02.349Z] 15:30:02 [task 2019-01-10T15:30:02.350Z] 15:30:02 [task 2019-01-10T15:30:02.350Z] 15:30:02 [task 2019-01-10T15:30:02.351Z] 15:30:02 [task 2019-01-10T15:30:02.352Z] 15:30:02 [task 2019-01-10T15:30:02.353Z] 15:30:02 [task 2019-01-10T15:30:02.353Z] 15:30:02 [task 2019-01-10T15:30:02.353Z] 15:30:02 [task 2019-01-10T15:30:02.354Z] 15:30:02 [task 2019-01-10T15:30:02.354Z] 15:30:02 [task 2019-01-10T15:30:02.354Z] 15:30:02 [task 2019-01-10T15:30:02.356Z] 15:30:02 [task 2019-01-10T15:30:02.357Z] 15:30:02 [task 2019-01-10T15:30:02.357Z] 15:30:02 [task 2019-01-10T15:30:02.357Z] 15:30:02 [task 2019-01-10T15:30:02.358Z] 15:30:02 [task 2019-01-10T15:30:02.358Z] 15:30:02 [task 2019-01-10T15:30:02.359Z] 15:30:02 [task 2019-01-10T15:30:02.360Z] 15:30:02 [task 2019-01-10T15:30:02.360Z] 15:30:02 [task 2019-01-10T15:30:02.361Z] 15:30:02 [task 2019-01-10T15:30:02.572Z] 15:30:02 [task 2019-01-10T15:30:02.574Z] 15:30:02 [task 2019-01-10T15:30:02.576Z] 15:30:02 [task 2019-01-10T15:30:02.586Z] 15:30:02 [task 2019-01-10T15:30:02.589Z] 15:30:02 [task 2019-01-10T15:30:02.592Z] 15:30:02 [task 2019-01-10T15:30:02.593Z] 15:30:02 [task 2019-01-10T15:30:02.594Z] 15:30:02 [task 2019-01-10T15:30:02.594Z] 15:30:02 [task 2019-01-10T15:30:02.595Z] 15:30:02 [task 2019-01-10T15:30:02.596Z] 15:30:02 [task 2019-01-10T15:30:02.600Z] 15:30:02 [task 2019-01-10T15:30:02.608Z] 15:30:02 INFO - GECKO(2447) | [Parent 2447, Gecko_IOThread] WARNING: pipe error (126): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 359
INFO - GECKO(2447) | =================================================================
ERROR - GECKO(2447) | ==2447==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130001ab230 at pc 0x7fd33a935e33 bp 0x7fd3154eccd0 sp 0x7fd3154eccc8
INFO - GECKO(2447) | READ of size 4 at 0x6130001ab230 thread T751 (IPC Launch #1)
INFO - GECKO(2447) | ==2447==WARNING: failed to fork (errno 12)
INFO - GECKO(2447) | ==2447==WARNING: failed to fork (errno 12)
INFO - GECKO(2447) | ==2447==WARNING: failed to fork (errno 12)
INFO - GECKO(2447) | ==2447==WARNING: failed to fork (errno 12)
INFO - GECKO(2447) | ==2447==WARNING: failed to fork (errno 12)
INFO - GECKO(2447) | ==2447==WARNING: Failed to use and restart external symbolizer!
INFO - GECKO(2447) | #0 0x7fd33a935e32 (/builds/worker/workspace/build/application/firefox/libxul.so+0x3283e32)
INFO - GECKO(2447) | #1 0x7fd3399aa6df (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f86df)
INFO - GECKO(2447) | #2 0x7fd3399aae5c (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f8e5c)
INFO - GECKO(2447) | #3 0x7fd33999fb73 (/builds/worker/workspace/build/application/firefox/libxul.so+0x22edb73)
INFO - GECKO(2447) | #4 0x7fd3399a6d58 (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f4d58)
INFO - GECKO(2447) | #5 0x7fd33a95c6ea (/builds/worker/workspace/build/application/firefox/libxul.so+0x32aa6ea)
INFO - GECKO(2447) | #6 0x7fd33a8a4ddf (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f2ddf)
INFO - GECKO(2447) | #7 0x7fd339999c5a (/builds/worker/workspace/build/application/firefox/libxul.so+0x22e7c5a)
INFO - GECKO(2447) | #8 0x7fd3570d4666 (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x82666)
INFO - GECKO(2447) | #9 0x7fd35ae586b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2447) | #10 0x7fd359ee141c (/lib/x86_64-linux-gnu/libc.so.6+0x10741c)
INFO - GECKO(2447) | 0x6130001ab230 is located 48 bytes inside of 328-byte region [0x6130001ab200,0x6130001ab348)
INFO - GECKO(2447) | freed by thread T2 (Gecko_IOThread) here:
INFO - GECKO(2447) | #0 0x55afbd00a5d2 (/builds/worker/workspace/build/application/firefox/firefox+0xd25d2)
INFO - GECKO(2447) | #1 0x7fd340fa2aba (/builds/worker/workspace/build/application/firefox/libxul.so+0x98f0aba)
INFO - GECKO(2447) | #2 0x7fd340fa5c64 (/builds/worker/workspace/build/application/firefox/libxul.so+0x98f3c64)
INFO - GECKO(2447) | #3 0x7fd33a8a62f5 (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f42f5)
INFO - GECKO(2447) | #4 0x7fd33a8a744b (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f544b)
INFO - GECKO(2447) | #5 0x7fd33a8aa6c0 (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f86c0)
INFO - GECKO(2447) | #6 0x7fd33a8a4ddf (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f2ddf)
INFO - GECKO(2447) | #7 0x7fd33a8c126d (/builds/worker/workspace/build/application/firefox/libxul.so+0x320f26d)
INFO - GECKO(2447) | #8 0x7fd33a8b608c (/builds/worker/workspace/build/application/firefox/libxul.so+0x320408c)
INFO - GECKO(2447) | #9 0x7fd35ae586b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2447) | previously allocated by thread T0 here:
INFO - GECKO(2447) | #0 0x55afbd00a953 (/builds/worker/workspace/build/application/firefox/firefox+0xd2953)
INFO - GECKO(2447) | #1 0x55afbd03f17d (/builds/worker/workspace/build/application/firefox/firefox+0x10717d)
INFO - GECKO(2447) | #2 0x7fd340f94737 (/builds/worker/workspace/build/application/firefox/libxul.so+0x98e2737)
INFO - GECKO(2447) | #3 0x7fd340f90b8b (/builds/worker/workspace/build/application/firefox/libxul.so+0x98deb8b)
INFO - GECKO(2447) | #4 0x7fd340eda3c4 (/builds/worker/workspace/build/application/firefox/libxul.so+0x98283c4)
INFO - GECKO(2447) | #5 0x7fd340ef4401 (/builds/worker/workspace/build/application/firefox/libxul.so+0x9842401)
INFO - GECKO(2447) | #6 0x7fd340ef9503 (/builds/worker/workspace/build/application/firefox/libxul.so+0x9847503)
INFO - GECKO(2447) | #7 0x7fd3399d0c31 (/builds/worker/workspace/build/application/firefox/libxul.so+0x231ec31)
INFO - GECKO(2447) | #8 0x7fd33b4554f3 (/builds/worker/workspace/build/application/firefox/libxul.so+0x3da34f3)
INFO - GECKO(2447) | #9 0x7fd33b45b546 (/builds/worker/workspace/build/application/firefox/libxul.so+0x3da9546)
INFO - GECKO(2447) | #10 0x7fd346017ffd (/builds/worker/workspace/build/application/firefox/libxul.so+0xe965ffd)
INFO - GECKO(2447) | #11 0x7fd346003022 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe951022)
INFO - GECKO(2447) | #12 0x7fd345fe4416 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe932416)
INFO - GECKO(2447) | #13 0x7fd3460189a1 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe9669a1)
INFO - GECKO(2447) | #14 0x7fd34601a622 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe968622)
INFO - GECKO(2447) | #15 0x7fd34614c541 (/builds/worker/workspace/build/application/firefox/libxul.so+0xea9a541)
INFO - GECKO(2447) | #16 0x7fd346190d61 (/builds/worker/workspace/build/application/firefox/libxul.so+0xeaded61)
INFO - GECKO(2447) | #17 0x7fd34601b86d (/builds/worker/workspace/build/application/firefox/libxul.so+0xe96986d)
INFO - GECKO(2447) | #18 0x7fd346002eed (/builds/worker/workspace/build/application/firefox/libxul.so+0xe950eed)
INFO - GECKO(2447) | #19 0x7fd345fe4416 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe932416)
INFO - GECKO(2447) | #20 0x7fd3460189a1 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe9669a1)
INFO - GECKO(2447) | #21 0x7fd34601a622 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe968622)
INFO - GECKO(2447) | #22 0x7fd3471ad97f (/builds/worker/workspace/build/application/firefox/libxul.so+0xfafb97f)
INFO - GECKO(2447) | #23 0x7fd3471aed98 (/builds/worker/workspace/build/application/firefox/libxul.so+0xfafcd98)
INFO - GECKO(2447) | #24 0x24c60fb78f63 (<unknown module>)
INFO - GECKO(2447) | Thread T751 (IPC Launch #1) created by T2 (Gecko_IOThread) here:
INFO - GECKO(2447) | #0 0x55afbcff326d (/builds/worker/workspace/build/application/firefox/firefox+0xbb26d)
INFO - GECKO(2447) | #1 0x7fd3570d1395 (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x7f395)
INFO - GECKO(2447) | #2 0x7fd3570d0f7e (/builds/worker/workspace/build/application/firefox/libnspr4.so+0x7ef7e)
INFO - GECKO(2447) | #3 0x7fd33999bfb9 (/builds/worker/workspace/build/application/firefox/libxul.so+0x22e9fb9)
INFO - GECKO(2447) | #4 0x7fd3399a5ea0 (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f3ea0)
INFO - GECKO(2447) | #5 0x7fd3399a9759 (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f7759)
INFO - GECKO(2447) | #6 0x7fd3399a918b (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f718b)
INFO - GECKO(2447) | #7 0x7fd3399ab02b (/builds/worker/workspace/build/application/firefox/libxul.so+0x22f902b)
INFO - GECKO(2447) | #8 0x7fd33a91d042 (/builds/worker/workspace/build/application/firefox/libxul.so+0x326b042)
INFO - GECKO(2447) | #9 0x7fd33a93552b (/builds/worker/workspace/build/application/firefox/libxul.so+0x328352b)
INFO - GECKO(2447) | #10 0x7fd33a934d0e (/builds/worker/workspace/build/application/firefox/libxul.so+0x3282d0e)
INFO - GECKO(2447) | #11 0x7fd33a8a62f5 (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f42f5)
INFO - GECKO(2447) | #12 0x7fd33a8a744b (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f544b)
INFO - GECKO(2447) | #13 0x7fd33a8aa6c0 (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f86c0)
INFO - GECKO(2447) | #14 0x7fd33a8a4ddf (/builds/worker/workspace/build/application/firefox/libxul.so+0x31f2ddf)
INFO - GECKO(2447) | #15 0x7fd33a8c126d (/builds/worker/workspace/build/application/firefox/libxul.so+0x320f26d)
INFO - GECKO(2447) | #16 0x7fd33a8b608c (/builds/worker/workspace/build/application/firefox/libxul.so+0x320408c)
INFO - GECKO(2447) | #17 0x7fd35ae586b9 (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2447) | Thread T2 (Gecko_IOThread) created by T0 here:
INFO - GECKO(2447) | #0 0x55afbcff326d (/builds/worker/workspace/build/application/firefox/firefox+0xbb26d)
INFO - GECKO(2447) | #1 0x7fd33a8b3adc (/builds/worker/workspace/build/application/firefox/libxul.so+0x3201adc)
INFO - GECKO(2447) | #2 0x7fd33a8c0983 (/builds/worker/workspace/build/application/firefox/libxul.so+0x320e983)
INFO - GECKO(2447) | #3 0x7fd3399fbe87 (/builds/worker/workspace/build/application/firefox/libxul.so+0x2349e87)
INFO - GECKO(2447) | #4 0x7fd345d8c9e4 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe6da9e4)
INFO - GECKO(2447) | #5 0x7fd345d8e580 (/builds/worker/workspace/build/application/firefox/libxul.so+0xe6dc580)
INFO - GECKO(2447) | #6 0x55afbd03d1ec (/builds/worker/workspace/build/application/firefox/firefox+0x1051ec)
INFO - GECKO(2447) | #7 0x7fd359dfa82f (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
INFO - GECKO(2447) | SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/libxul.so+0x3283e32)
INFO - GECKO(2447) | Shadow bytes around the buggy address:
INFO - GECKO(2447) | 0x0c268002d5f0: 00 00 00 00 00 00 00 00 00 00 00 fa fa fa fa fa
INFO - GECKO(2447) | 0x0c268002d600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2447) | 0x0c268002d610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2447) | 0x0c268002d620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2447) | 0x0c268002d630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2447) | =>0x0c268002d640: fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd
INFO - GECKO(2447) | 0x0c268002d650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
INFO - GECKO(2447) | 0x0c268002d660: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
INFO - GECKO(2447) | 0x0c268002d670: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
INFO - GECKO(2447) | 0x0c268002d680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
INFO - GECKO(2447) | 0x0c268002d690: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
INFO - GECKO(2447) | Shadow byte legend (one shadow byte represents 8 application bytes):
INFO - GECKO(2447) | Addressable: 00
INFO - GECKO(2447) | Partially addressable: 01 02 03 04 05 06 07
INFO - GECKO(2447) | Heap left redzone: fa
INFO - GECKO(2447) | Freed heap region: fd
INFO - GECKO(2447) | Stack left redzone: f1
INFO - GECKO(2447) | Stack mid redzone: f2
INFO - GECKO(2447) | Stack right redzone: f3
INFO - GECKO(2447) | Stack after return: f5
INFO - GECKO(2447) | Stack use after scope: f8
INFO - GECKO(2447) | Global redzone: f9
INFO - GECKO(2447) | Global init order: f6
INFO - GECKO(2447) | Poisoned by user: f7
INFO - GECKO(2447) | Container overflow: fc
INFO - GECKO(2447) | Array cookie: ac
INFO - GECKO(2447) | Intra object redzone: bb
INFO - GECKO(2447) | ASan internal: fe
INFO - GECKO(2447) | Left alloca redzone: ca
INFO - GECKO(2447) | Right alloca redzone: cb
INFO - GECKO(2447) | Shadow gap: cc
INFO - GECKO(2447) | ==2447==ABORTING
INFO - GECKO(2447) | AddressSanitizer:DEADLYSIGNAL
INFO - GECKO(2447) | =================================================================
ERROR - GECKO(2447) | ==2698==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f9eed056aac bp 0x7f9ee8ef52c0 sp 0x7f9ee8ef52a0 T2)
INFO - GECKO(2447) | AddressSanitizer:DEADLYSIGNAL
INFO - GECKO(2447) | =================================================================
ERROR - GECKO(2447) | ==2615==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f36e5b56aac bp 0x7f36e19f52c0 sp 0x7f36e19f52a0 T2)
INFO - GECKO(2447) | ==2615==The signal is caused by a WRITE memory access.
INFO - GECKO(2447) | ==2615==Hint: address points to the zero page.
INFO - GECKO(2447) | AddressSanitizer:DEADLYSIGNAL
INFO - GECKO(2447) | =================================================================
ERROR - GECKO(2447) | ==2648==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f4f30756aac bp 0x7f4f2c5f52c0 sp 0x7f4f2c5f52a0 T2)
INFO - GECKO(2447) | ==2648==The signal is caused by a WRITE memory access.
INFO - GECKO(2447) | ==2648==Hint: address points to the zero page.

Andrew McCreight [:mccr8]

Comment 1

•

6 years ago

This stack isn't symbolized, but it is on IPC Launch #1 thread, so maybe something related to Jed's new async process launch stuff.

Group: firefox-core-security → core-security

Component: Preferences → IPC

Product: Firefox → Core

Andrew McCreight [:mccr8]

Updated

•

6 years ago

Keywords: csectype-uaf, sec-high

Andrew McCreight [:mccr8]

Comment 2

•

6 years ago

Jed, you might want to look at this, though it doesn't look actionable right now.

Flags: needinfo?(jld)

Liz Henry (:lizzard) (relman/hg->git project)

Updated

•

6 years ago

status-firefox65: --- → unaffected

status-firefox66: --- → affected

Daniel Veditz [:dveditz]

Updated

•

6 years ago

Group: core-security → dom-core-security

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Comment 3

•

6 years ago

The stack isn't symbolized, but the build is unstripped: the UAF is here, in GeckoChildProcessHost::RunPerformAsyncLaunch::launchWrapper, trying to access the GeckoChildProcessHost, which was previously freed on the I/O thread by a PluginProcessParent destructor, would've been dispatched from here, in PluginProcessParent::Delete, from the PluginModuleChromeParent destructor. Plugins launch is synchronous, but if somehow the timeout expired before the launch runnable was run, that could explain this.

This used to work (back when bug 526626 added it) because everything was on the I/O thread and thus serialized; now it's not.

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Updated

•

6 years ago

Assignee: nobody → jld

Blocks: 1487287

Flags: needinfo?(jld)

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Assignee

Comment 4

•

6 years ago

I'm going to need to rethink GeckoChildProcessHost's lifetime if I want to make bug 1487287 happen. I'm considering just making it threadsafe refcounted just so this can't be a problem anymore, but requiring destruction to go through a method that defers itself properly might be enough. (But “properly” also has to include anything else happening under the implicit giant-lock that is the I/O thread, like the channel connected callback.)

Andrew McCreight [:mccr8]

Comment 6

•

6 years ago

I'm going to mark this as fixed, because it was fixed by a backout.

Status: NEW → RESOLVED

Closed: 6 years ago

Resolution: --- → FIXED

Ryan VanderMeulen [:RyanVM]

Updated

•

6 years ago

Group: dom-core-security

status-firefox64: --- → unaffected

status-firefox66: affected → fixed

status-firefox-esr60: --- → unaffected

Target Milestone: --- → mozilla66

Comment hidden (Intermittent Failures Robot)

Sylvestre Ledru [:Sylvestre]

Updated

•

5 years ago

Blocks: asan-maintenance

Bugzilla

SUMMARY: AddressSanitizer: heap-use-after-free (/builds/worker/workspace/build/application/firefox/libxul.so+0x3283e32)

Categories

(Core :: IPC, defect)

Tracking

()

People

(Reporter: nataliaCs, Assigned: jld)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high)

Crash Data

Security

(public)

User Story

Description

Comment 1

Updated

Comment 2

Updated

Updated

Comment 3

Updated

Comment 4

Comment 6

Updated

Comment 7

Updated