heap-use-after-free in AssertWorkerThread
Categories
(Core :: DOM: Workers, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox66 | --- | wontfix |
| firefox67 | --- | fixed |
| firefox68 | --- | fixed |
People
(Reporter: nils, Assigned: baku)
Details
(4 keywords, Whiteboard: [fixed by bug 1514733][adv-main67+])
ASAN crashes with the following signature occur regularly when fuzzing the latest ASAN build of Firefox 68.0a1 . Unfortunatley I havent been able to minimize or reproduce a crash (likely a race condition).
=================================================================
==18599==ERROR: AddressSanitizer: heap-use-after-free on address 0x617000253520 at pc 0x7f8fe74af846 bp 0x7f8f86aa9cb0 sp 0x7f8f86aa9ca8
READ of size 8 at 0x617000253520 thread T41 (IPDL Background)
#0 0x7f8fe74af845 in AssertWorkerThread /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:542:5
#1 0x7f8fe74af845 in mozilla::ipc::MessageChannel::CxxStackFrame::CxxStackFrame(mozilla::ipc::MessageChannel&, mozilla::ipc::Direction, IPC::Message const*) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:225
#2 0x7f8fe74ae3ee in mozilla::ipc::MessageChannel::Send(IPC::Message*) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:980:17
#3 0x7f8fe7f17c99 in mozilla::dom::PRemoteWorkerParent::SendExecOp(mozilla::dom::RemoteWorkerOp const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PRemoteWorkerParent.cpp:87:40
#4 0x7f8feff50537 in mozilla::dom::RemoteWorkerController::Shutdown() /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerController.cpp:163:23
#5 0x7f8feff7051d in Terminate /builds/worker/workspace/build/src/dom/workers/sharedworkers/SharedWorkerManager.cpp:147:28
#6 0x7f8feff7051d in operator() /builds/worker/workspace/build/src/dom/workers/sharedworkers/SharedWorkerManager.cpp:265
#7 0x7f8feff7051d in mozilla::detail::RunnableFunction<mozilla::dom::SharedWorkerManager::UnregisterHolder(mozilla::dom::SharedWorkerManagerHolder*)::$_0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:562
#8 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#9 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#10 0x7f8fe74cda14 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
#11 0x7f8fe73a1dbe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#12 0x7f8fe73a1dbe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#13 0x7f8fe73a1dbe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#14 0x7f8fe61ef733 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:454:11
#15 0x7f900b1ac5ad in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#16 0x7f900adef6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#17 0x7f9009dcd88e in clone (/lib/x86_64-linux-gnu/libc.so.6+0x12188e)
0x617000253520 is located 288 bytes inside of 728-byte region [0x617000253400,0x6170002536d8)
freed by thread T0 here:
#0 0x55788cd4f9e2 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f8fe74d57d0 in operator() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:486:5
#2 0x7f8fe74d57d0 in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:323
#3 0x7f8fe74d57d0 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:296
#4 0x7f8fe74d57d0 in mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:567
#5 0x7f8fe748199f in ~ParentImpl /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:239:3
#6 0x7f8fe748199f in (anonymous namespace)::ParentImpl::~ParentImpl() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:235
#7 0x7f8fe7481d8b in applyImpl<(anonymous namespace)::ParentImpl, void ((anonymous namespace)::ParentImpl::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#8 0x7f8fe7481d8b in apply<(anonymous namespace)::ParentImpl, void ((anonymous namespace)::ParentImpl::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#9 0x7f8fe7481d8b in mozilla::detail::RunnableMethodImpl<(anonymous namespace)::ParentImpl*, void ((anonymous namespace)::ParentImpl::)(), false, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#10 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#11 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#12 0x7f8fe74cc04f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#13 0x7f8fe73a1dbe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#14 0x7f8fe73a1dbe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#15 0x7f8fe73a1dbe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#16 0x7f8ff0846563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#17 0x7f8ff4b2f120 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:271:30
#18 0x7f8ff4e2cb0a in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4589:22
#19 0x7f8ff4e2f538 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4727:8
#20 0x7f8ff4e30dc9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
#21 0x55788cd8264c in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
#22 0x55788cd8264c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
#23 0x7f9009ccdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
previously allocated by thread T0 here:
#0 0x55788cd4fd63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x55788cd845fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:68:15
#2 0x7f8fe74d536f in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
#3 0x7f8fe74d536f in MakeUnique<mozilla::ipc::IToplevelProtocol::ToplevelState, const char &, mozilla::ipc::IToplevelProtocol , mozilla::ipc::Side &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:617
#4 0x7f8fe74d536f in mozilla::ipc::IToplevelProtocol::IToplevelProtocol(char const, IPCMessageStart, mozilla::ipc::Side) /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:561
#5 0x7f8fe8292ce7 in mozilla::ipc::PBackgroundParent::PBackgroundParent() /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:335:5
#6 0x7f8fe7433278 in mozilla::ipc::BackgroundParentImpl::BackgroundParentImpl() /builds/worker/workspace/build/src/ipc/glue/BackgroundParentImpl.cpp:120:23
#7 0x7f8fe743a150 in ParentImpl /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:226:12
#8 0x7f8fe743a150 in Alloc /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:827
#9 0x7f8fe743a150 in mozilla::ipc::BackgroundParent::Alloc(mozilla::dom::ContentParent, mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&) /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:640
#10 0x7f8fefd60888 in mozilla::dom::ContentParent::RecvInitBackground(mozilla::ipc::Endpoint<mozilla::ipc::PBackgroundParent>&&) /builds/worker/workspace/build/src/dom/ipc/ContentParent.cpp:3169:8
#11 0x7f8fe786eaea in mozilla::dom::PContentParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentParent.cpp:4356:57
#12 0x7f8fe74c2c49 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#13 0x7f8fe74be98a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#14 0x7f8fe74c0bc7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#15 0x7f8fe74c1957 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#16 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#17 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#18 0x7f8fe61f4e0e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:881:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#19 0x7f8fe61f4e0e in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:881
#20 0x7f8ff462bd69 in LoadLoadableRootsTask::Run() /builds/worker/workspace/build/src/security/manager/ssl/nsNSSComponent.cpp:644:16
#21 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#22 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#23 0x7f8fe74cc04f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#24 0x7f8fe73a1dbe in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#25 0x7f8fe73a1dbe in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#26 0x7f8fe73a1dbe in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#27 0x7f8ff0846563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#28 0x7f8ff4b2f120 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:271:30
#29 0x7f8ff4e2cb0a in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4589:22
#30 0x7f8ff4e2f538 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4727:8
#31 0x7f8ff4e30dc9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
#32 0x55788cd8264c in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
#33 0x55788cd8264c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
#34 0x7f9009ccdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
Thread T41 (IPDL Background) created by T0 here:
#0 0x55788cd3867d in pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f900b19e613 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f900b18809e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f8fe61f26a9 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:661:8
#4 0x7f8fe61fe5d5 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:416:12
#5 0x7f8fe6203684 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:135:57
#6 0x7f8fe747df22 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
#7 0x7f8fe747df22 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:944
#8 0x7f8fe74845ca in RunOnMainThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1244:30
#9 0x7f8fe74845ca in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1263
#10 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#11 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#12 0x7f8fe61f4e0e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:881:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#13 0x7f8fe61f4e0e in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:881
#14 0x7f8fe8579d0b in applyImpl<nsIThread, nsresult (nsIThread::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#15 0x7f8fe8579d0b in apply<nsIThread, nsresult (nsIThread::)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#16 0x7f8fe8579d0b in mozilla::detail::RunnableMethodImpl<RefPtr<nsIThread>, nsresult (nsIThread::)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#17 0x7f8fe61f7511 in nsThread::ProcessNextEvent(bool, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#18 0x7f8fe61ff91d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#19 0x7f8fe61feed1 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:489:36)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
#20 0x7f8fe61feed1 in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:489
#21 0x7f8fe622e891 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#22 0x7f8fe8673d57 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1630:10
#23 0x7f8fe8673d57 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1178
#24 0x7f8fe8673d57 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1144
#25 0x7f8fe867bef2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:941:10
#26 0x7f8ff5116307 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#27 0x7f8ff5116307 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#28 0x7f8ff50fe71a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#29 0x7f8ff50fe71a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#30 0x7f8ff50e0748 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#31 0x7f8ff5116c76 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#32 0x7f8ff51188c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#33 0x7f8ff564c6b0 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1180:10
#34 0x7f8ff5116307 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:13
#35 0x7f8ff5116307 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#36 0x7f8ff50fe71a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:593:10
#37 0x7f8ff50fe71a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3075
#38 0x7f8ff50e0748 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:10
#39 0x7f8ff5116c76 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:562:13
#40 0x7f8ff51188c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:605:8
#41 0x7f8ff5cfc427 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2558:10
#42 0x7f8fe8659012 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:993:17
#43 0x7f8fe622ff98 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:127:37
#44 0x7f8fe622ee6a in SharedStub (/firefox/libxul.so+0x4a09e6a)
#45 0x7f8ff4e5617d in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1010:11
#46 0x7f8ff4e2bd2b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4409:16
#47 0x7f8ff4e2f538 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4727:8
#48 0x7f8ff4e30dc9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4811:21
#49 0x55788cd8264c in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:212:22
#50 0x55788cd8264c in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:291
#51 0x7f9009ccdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:542:5 in AssertWorkerThread
Shadow bytes around the buggy address:
0x0c2e80042650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80042660: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c2e80042670: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e80042680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e80042690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2e800426a0: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
0x0c2e800426b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e800426c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c2e800426d0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
0x0c2e800426e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c2e800426f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==18599==ABORTING
|
||
Updated•5 years ago
|
|
||
Comment 1•5 years ago
|
||
Andrew, can you take a look? It looks like maybe we're trying to send to a channel on the background thread that has already been destroyed on the main thread.
|
|
||
Updated•5 years ago
|
|
||
Comment 2•5 years ago
|
||
This is being fixed on bug 1514733 with a preliminary patch up. I don't believe this is meaningfully exploitable unless an attacker already is in control of the parent process since it requires them to be able to manipulate the parent process heap. (And the bug will not reproduce in non-e10s.)
However, an attacker can likely reproduce the crash if they are able to cause a content process to crash. (And I do mean crash. Process retiring where a process is terminated for not having any active tabs can't happen because that also depends on it not having any active sharedworkers in the process.) Which seems easily do-able.
|
|
||
Comment 3•5 years ago
|
||
Marking this as fixed by bug 1514733 but not doing dependency stuff because of security bug stuff. (Unless we can have secret bug relationships?)
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Comment 4•5 years ago
|
||
reclassifying as sec-moderate based on comment 2
|
|
||
Updated•4 years ago
|
Description
•