Closed Bug 1547757 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free [@ get] with READ of size 8 near [@ mozilla::BaseMediaResource::ModifyLoadFlags]

Categories

(Core :: Audio/Video, defect, P1)

defect

Tracking

()

VERIFIED FIXED
mozilla69
Tracking Status
firefox-esr60 68+ verified
firefox67 --- wontfix
firefox68 + verified
firefox69 + verified

People

(Reporter: jkratzer, Assigned: bryce)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main68+][adv-esr60.8+])

Attachments

(4 files)

Found while fuzzing mozilla-central rev 420e18a75314. I'm currently reducing the testcase and will update once complete.

Flags: in-testsuite?
Group: core-security → media-core-security
==7008==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140003dfe60 at pc 0x7f3458ae87e8 bp 0x7ffc6aa06f30 sp 0x7ffc6aa06f28
READ of size 8 at 0x6140003dfe60 thread T0 (file:// Content)
    #0 0x7f3458ae87e7 in get /src/obj-firefox/dist/include/nsCOMPtr.h:823:48
    #1 0x7f3458ae87e7 in operator-> /src/obj-firefox/dist/include/nsCOMPtr.h:844
    #2 0x7f3458ae87e7 in mozilla::BaseMediaResource::ModifyLoadFlags(unsigned int) /src/dom/media/BaseMediaResource.cpp:154
    #3 0x7f3458ae8253 in mozilla::BaseMediaResource::SetLoadInBackground(bool) /src/dom/media/BaseMediaResource.cpp:134:5
    #4 0x7f345884c895 in mozilla::dom::HTMLMediaElement::ChangeDelayLoadStatus(bool) /src/dom/html/HTMLMediaElement.cpp:6159:15
    #5 0x7f3458888afb in mozilla::dom::HTMLMediaElement::FirstFrameLoaded() /src/dom/html/HTMLMediaElement.cpp:5021:3
    #6 0x7f3458bca490 in mozilla::MediaDecoder::FirstFrameLoaded(nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility) /src/dom/media/MediaDecoder.cpp:744:17
    #7 0x7f3458c4b704 in operator() /src/obj-firefox/dist/include/MediaEventSource.h:343:7
    #8 0x7f3458c4b704 in ApplyWithArgsImpl<(lambda at /builds/worker/workspace/build/src/obj-firefox/dist/include/MediaEventSource.h:342:37)> /src/obj-firefox/dist/include/MediaEventSource.h:191
    #9 0x7f3458c4b704 in mozilla::detail::ListenerImpl<mozilla::AbstractThread, mozilla::EnableIf<TakeArgs<void (mozilla::MediaDecoder::*)(nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility)>::value, mozilla::MediaEventListener>::Type mozilla::MediaEventSourceImpl<(mozilla::ListenerPolicy)0, nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::ConnectInternal<mozilla::AbstractThread, mozilla::MediaDecoder, void (mozilla::MediaDecoder::*)(nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility)>(mozilla::AbstractThread*, mozilla::MediaDecoder*, void (mozilla::MediaDecoder::*)(nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility))::'lambda'(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&), nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::ApplyWithArgs(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&) /src/obj-firefox/dist/include/MediaEventSource.h:205
    #10 0x7f3458ccde80 in applyImpl<mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo> &&, mozilla::MediaDecoderEventVisibility &&), StoreCopyPassByRRef<nsAutoPtr<mozilla::MediaInfo> >, StoreCopyPassByRRef<mozilla::MediaDecoderEventVisibility> , 0, 1> /src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #11 0x7f3458ccde80 in apply<mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo> &&, mozilla::MediaDecoderEventVisibility &&)> /src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #12 0x7f3458ccde80 in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>*, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&), true, (mozilla::RunnableKind)0, nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&>::Run() /src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #13 0x7f345022a5dc in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() /src/obj-firefox/dist/include/mozilla/TaskDispatcher.h:197:35
    #14 0x7f3450226188 in mozilla::EventTargetWrapper::Runner::Run() /src/xpcom/threads/AbstractThread.cpp:113:25
    #15 0x7f3450218d45 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
    #16 0x7f3450258d01 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
    #17 0x7f3450260924 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #18 0x7f34515d06c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:110:5
    #19 0x7f34514a6d6e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #20 0x7f34514a6d6e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #21 0x7f34514a6d6e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #22 0x7f345aba2183 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #23 0x7f345f1c089e in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #24 0x7f34514a6d6e in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #25 0x7f34514a6d6e in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #26 0x7f34514a6d6e in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #27 0x7f345f1bfa0c in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:757:34
    #28 0x5641997a172e in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #29 0x5641997a172e in main /src/browser/app/nsBrowserApp.cpp:263
    #30 0x7f3474440b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #31 0x5641996c2e1c in _start (/home/worker/builds/m-c-20190430121130-fuzzing-asan-opt/firefox+0x2fe1c)

0x6140003dfe60 is located 32 bytes inside of 416-byte region [0x6140003dfe40,0x6140003dffe0)
freed by thread T0 (file:// Content) here:
    #0 0x56419976e4b2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f3458e903af in mozilla::MediaResource::Destroy() /src/dom/media/MediaResource.cpp:29:5
    #2 0x7f3458e90673 in mozilla::MediaResource::Release() /src/dom/media/MediaResource.cpp:40:1
    #3 0x7f3458b4317e in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
    #4 0x7f3458b4317e in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #5 0x7f3458b4317e in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #6 0x7f3458b4317e in ~ChannelMediaDecoder /src/dom/media/ChannelMediaDecoder.h:23
    #7 0x7f3458b4317e in mozilla::ChannelMediaDecoder::~ChannelMediaDecoder() /src/dom/media/ChannelMediaDecoder.h:23
    #8 0x7f345022e3eb in mozilla::MozPromise<bool, bool, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /src/obj-firefox/dist/include/mozilla/MozPromise.h:393:21
    #9 0x7f3450226188 in mozilla::EventTargetWrapper::Runner::Run() /src/xpcom/threads/AbstractThread.cpp:113:25
    #10 0x7f3450218d45 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
    #11 0x7f3450258d01 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14
    #12 0x7f3450260924 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #13 0x7f345a697e23 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2907:31)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #14 0x7f345a697e23 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2907
    #15 0x7f345a69569d in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2681:11
    #16 0x7f3456e193cd in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1345:9
    #17 0x7f3457bb43b2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3153:13
    #18 0x7f345f4a4f80 in CallJSNative /src/js/src/vm/Interpreter.cpp:443:13
    #19 0x7f345f4a4f80 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:535
    #20 0x7f345f4856e4 in CallFromStack /src/js/src/vm/Interpreter.cpp:594:10
    #21 0x7f345f4856e4 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3080
    #22 0x7f345f46f1b8 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:423:10
    #23 0x7f345f4a58f3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:563:13
    #24 0x7f34606edb4a in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /src/js/src/jit/BaselineIC.cpp:3875:10
    #25 0x18318878d8f7  (<unknown module>)
    #26 0x621000b2a03f  (<unknown module>)

previously allocated by thread T0 (file:// Content) here:
    #0 0x56419976e833 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5641997a336d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:68:15
    #2 0x7f3458ae7a30 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:131:10
    #3 0x7f3458ae7a30 in mozilla::BaseMediaResource::Create(mozilla::MediaResourceCallback*, nsIChannel*, bool) /src/dom/media/BaseMediaResource.cpp:97
    #4 0x7f3458b1f428 in mozilla::ChannelMediaDecoder::Load(nsIChannel*, bool, nsIStreamListener**) /src/dom/media/ChannelMediaDecoder.cpp:242:15
    #5 0x7f345887f8de in nsresult mozilla::dom::HTMLMediaElement::SetupDecoder<mozilla::ChannelMediaDecoder, nsIChannel*&, bool&, nsIStreamListener**&>(mozilla::ChannelMediaDecoder*, nsIChannel*&, bool&, nsIStreamListener**&) /src/dom/html/HTMLMediaElement.cpp:4431:27
    #6 0x7f345883532d in mozilla::dom::HTMLMediaElement::InitializeDecoderForChannel(nsIChannel*, nsIStreamListener**) /src/dom/html/HTMLMediaElement.cpp:4515:10
    #7 0x7f3458832c38 in mozilla::dom::HTMLMediaElement::MediaLoadListener::OnStartRequest(nsIRequest*) /src/dom/html/HTMLMediaElement.cpp:680:7
    #8 0x7f3450ee470b in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /src/netwerk/protocol/http/HttpChannelChild.cpp:680:28
    #9 0x7f3450ef11bc in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&) /src/netwerk/protocol/http/HttpChannelChild.cpp:610:3
    #10 0x7f3450fb8df7 in mozilla::net::StartRequestEvent::Run() /src/netwerk/protocol/http/HttpChannelChild.cpp:437:13
    #11 0x7f3450d627c6 in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) /src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:210:10
    #12 0x7f3450eef4a8 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, bool const&, mozilla::net::ResourceTimingStruct const&) /src/netwerk/protocol/http/HttpChannelChild.cpp:496:12
    #13 0x7f3451c458d8 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:786:20
    #14 0x7f34518f9c1d in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PContentChild.cpp:6482:28
    #15 0x7f34515c728c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2151:21
    #16 0x7f34515c2fb3 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2078:9
    #17 0x7f34515c5287 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1937:3
    #18 0x7f34515c6017 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:1968:13
    #19 0x7f3450218d45 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
    #20 0x7f3450258d01 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1180:14

SUMMARY: AddressSanitizer: heap-use-after-free /src/obj-firefox/dist/include/nsCOMPtr.h:823:48 in get
Shadow bytes around the buggy address:
  0x0c2880073f70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880073f80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2880073f90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880073fa0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880073fb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c2880073fc0: fa fa fa fa fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c2880073fd0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880073fe0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2880073ff0: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c2880074000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2880074010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==7008==ABORTING
Attached file testcase.html

Testcase appears to be due to a race condition so it may take several reloads to trigger.

Steps to reproduce:

  1. Download and install ffpuppet
  2. Start local webserver in testcase directory
    • python -m SimpleHTTPServer &
  3. Launch ffpuppet
Attached file prefs.js
Keywords: sec-high

Bryce, can you please have a look at what is going on here?

Assignee: nobody → bvandyk
Priority: -- → P1
Flags: needinfo?(bvandyk)

Investigating.

Flags: needinfo?(bvandyk)

Having trouble reproing under a Linux Mint VM with the latest taskcluster debug-asan. I've been soaking for about half an hour. I imagine there's nothing special, and am just waiting for the race to happen. Will continue to leave it running while I look at the code involved.

(In reply to Bryce Seager van Dyk (:bryce) from comment #7)

Having trouble reproing under a Linux Mint VM with the latest taskcluster debug-asan. I've been soaking for about half an hour. I imagine there's nothing special, and am just waiting for the race to happen. Will continue to leave it running while I look at the code involved.

Bryce, please note that the testcase requires a build with --enable-fuzzing due to forced garbage collection calls. Further, the testcase should only take a minute or two to reproduce.

(In reply to Jason Kratzer [:jkratzer] from comment #8)

(In reply to Bryce Seager van Dyk (:bryce) from comment #7)

Having trouble reproing under a Linux Mint VM with the latest taskcluster debug-asan. I've been soaking for about half an hour. I imagine there's nothing special, and am just waiting for the race to happen. Will continue to leave it running while I look at the code involved.

Bryce, please note that the testcase requires a build with --enable-fuzzing due to forced garbage collection calls. Further, the testcase should only take a minute or two to reproduce.

Doh -- the fuzzing supported build is probably what I'm missing. Will grab/build one of those and see where I get to.

What I've found so far from some debugging of this:

  • Looks like the MediaResouce is being destroyed while still in use (as one may imagine given the bug).
  • The destruction of the media resource seems to happening during ModifyLoadFlags. Looks like we call RemoveRequest on the load group which results in the load group calling OnStopRequest on its observer -> nsDocLoader calls DocLoaderIsEmpty -> calls doStopDocumentLoad -> calls doFireOnStateChange on ancestors and so on. These calls result in our media resource being destroyed, but I'm not sure how much I'll need to keep pulling on this thread before I find out exactly why (ref count going to zero somewhere, I expect).
  • I think we're racing on if the media resource is destroyed during the above. If it is, then when we continue with ModifyLoadFlags following the above request removal we run into this issue when we touch this.
  • Could probably mitigate this by having ModifyLoadFlags hold a reference/kungfuDeathGrip, but I want to have more of a look before I touch anything.

Stack showing the calls from ModifyLoadFlags (frame 43) that result in the destruction of that same resource.

#0  0x00007fcb4758a58f in mozilla::MediaResource::Destroy() (this=0x6140000d6a40) at /home/b/projects/mozilla/mozilla-central/dom/media/MediaResource.cpp:26
#1  0x00007fcb4758ae67 in mozilla::MediaResource::Release() (this=0x6140000d6a40) at /home/b/projects/mozilla/mozilla-central/dom/media/MediaResource.cpp:40
#2  0x00007fcb4729c6b0 in mozilla::RefPtrTraits<mozilla::BaseMediaResource>::Release(mozilla::BaseMediaResource*) (aPtr=0x6140000d6a40)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/RefPtr.h:46
#3  0x00007fcb4729c6b0 in RefPtr<mozilla::BaseMediaResource>::ConstRemovingRefPtrTraits<mozilla::BaseMediaResource>::Release(mozilla::BaseMediaResource*) (aPtr=0x6140000d6a40)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/RefPtr.h:363
#4  0x00007fcb4729c6b0 in RefPtr<mozilla::BaseMediaResource>::~RefPtr() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/RefPtr.h:77
#5  0x00007fcb4729c6b0 in mozilla::ChannelMediaDecoder::~ChannelMediaDecoder() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/dom/media/ChannelMediaDecoder.h:23
#6  0x00007fcb4729c6b0 in mozilla::ChannelMediaDecoder::~ChannelMediaDecoder() (this=0x616000103280) at /home/b/projects/mozilla/mozilla-central/dom/media/ChannelMediaDecoder.h:23
#7  0x00007fcb4708b99a in mozilla::MediaDecoder::Release() (this=0x616000103280) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/MediaDecoder.h:92
#8  0x00007fcb4005042f in mozilla::MozPromise<bool, bool, false>::ThenValueBase::ResolveOrRejectRunnable::Run() (this=<optimized out>)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/MozPromise.h:393
#9  0x00007fcb40046fa1 in mozilla::EventTargetWrapper::Runner::Run() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/AbstractThread.cpp:113
#10 0x00007fcb4003b127 in mozilla::SchedulerGroup::Runnable::Run() (this=0x6070001871b0) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/SchedulerGroup.cpp:295
#11 0x00007fcb40081de1 in nsThread::ProcessNextEvent(bool, bool*) (this=0x611000005540, aMayWait=<optimized out>, aResult=0x7ffc7f2049a0)
    at /home/b/projects/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:1180
#12 0x00007fcb4008a69f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x611000005540, aMayWait=<optimized out>) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/nsThreadUtils.cpp:486
#13 0x00007fcb48ab5616 in mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool)::$_0>(mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool)::$_0&&, nsIThread*) (aPredicate=..., aThread=0x0)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsThreadUtils.h:348
#14 0x00007fcb48ab5616 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) (this=0x617000131300, aBody=0x6170001314c6, aBodyIsDocumentOrString=<optimized out>) at /home/b/projects/mozilla/mozilla-central/dom/xhr/XMLHttpRequestMainThread.cpp:2907
#15 0x00007fcb48ab3752 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) (this=0x617000131300, aCx=<optimized out>, aData=..., aRv=...) at /home/b/projects/mozilla/mozilla-central/dom/xhr/XMLHttpRequestMainThread.cpp:2681
#16 0x00007fcb45a7058d in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) (cx=0x620000004080, obj=..., self=0x617000131300, args=...) at XMLHttpRequestBinding.cpp:1345
#17 0x00007fcb4651fd8d in mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) (cx=0x7fcb54deadc0 <mozilla::dom::XMLHttpRequest_Binding::send_methodinfo>, argc=<optimized out>, vp=<optimized out>) at /home/b/projects/mozilla/mozilla-central/dom/bindings/BindingUtils.cpp:3153
#18 0x00007fcb4d05e8e9 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=<optimized out>, native=0x7fcb4651f8e0 <mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:443
#19 0x00007fcb4d02d461 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x620000004080, args=..., construct=js::NO_CONSTRUCT)
    at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:535
#20 0x00007fcb4d00a688 in js::CallFromStack(JSContext*, JS::CallArgs const&) (cx=0x620000004080, args=...) at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:594
#21 0x00007fcb4d00a688 in Interpret(JSContext*, js::RunState&) (cx=<optimized out>, state=...) at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:3082
#22 0x00007fcb4cfea987 in js::RunScript(JSContext*, js::RunState&) (cx=0x620000004080, state=...) at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:423
#23 0x00007fcb4d02d3f0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x620000004080, args=..., construct=js::NO_CONSTRUCT)
    at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:563
#24 0x00007fcb4d030078 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x6140000d6a40, fval=..., thisv=..., args=..., rval=...) at /home/b/projects/mozilla/mozilla-central/js/src/vm/Interpreter.cpp:606
#25 0x00007fcb4e381fd7 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (cx=<optimized out>, thisv=..., fval=..., args=..., rval=...) at /home/b/projects/mozilla/mozilla-central/js/src/jsapi.cpp:2647
#26 0x00007fcb45d4cea4 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) (this=0x7ffc7f208d90, cx=0x620000004080, aThisVal=..., event=..., aRv=...) at EventListenerBinding.cpp:52
---Type <return> to continue, or q <return> to quit---
#27 0x00007fcb46cbd12e in mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) (this=0x606000330aa0, thisVal=@0x7ffc7f2092c0: 0x61900040d880, event=..., aRv=..., aExecutionReason=<optimized out>, aExceptionHandling=(unknown: 2132840800), aRealm=<optimized out>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/dom/EventListenerBinding.h:66
#28 0x00007fcb46cbca5d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) (this=<optimized out>, aListener=0x0, aDOMEvent=0x608000149c20, aCurrentTarget=0x61900040d880) at /home/b/projects/mozilla/mozilla-central/dom/events/EventListenerManager.cpp:1039
#29 0x00007fcb46cbe737 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) (this=0x60b000103290, aPresContext=0x61700011a000, aEvent=0x7ffc7f20a7f0, aDOMEvent=0x7ffc7f20a060, aCurrentTarget=0x61900040d880, aEventStatus=0x7ffc7f20a068, aItemInShadowTree=<optimized out>)
    at /home/b/projects/mozilla/mozilla-central/dom/events/EventListenerManager.cpp:1240
#30 0x00007fcb46ca7021 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) (this=<optimized out>, aVisitor=..., aCd=...)
    at /home/b/projects/mozilla/mozilla-central/dom/events/EventDispatcher.cpp:349
#31 0x00007fcb46ca5143 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (aChain=..., aVisitor=..., aCallback=0x0, aCd=...) at /home/b/projects/mozilla/mozilla-central/dom/events/EventDispatcher.cpp:551
#32 0x00007fcb46cab31c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (aTarget=<optimized out>, aPresContext=0x61700011a000, aEvent=0x7ffc7f20a7f0, aDOMEvent=0x0, aEventStatus=0x7ffc7f20a7e0, aCallback=0x0, aTargets=<optimized out>)
    at /home/b/projects/mozilla/mozilla-central/dom/events/EventDispatcher.cpp:1047
#33 0x00007fcb496aa1af in nsDocumentViewer::LoadComplete(nsresult) (this=<optimized out>, aStatus=<optimized out>) at /home/b/projects/mozilla/mozilla-central/layout/base/nsDocumentViewer.cpp:1104
#34 0x00007fcb4bf384aa in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) (this=0x6190001cf280, aProgress=<optimized out>, aChannel=0x61d000422cf8, aStatus=nsresult::NS_OK)
    at /home/b/projects/mozilla/mozilla-central/docshell/base/nsDocShell.cpp:6641
#35 0x00007fcb4bf37989 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) (this=0x6190001cf280, aProgress=0x6190001cf2a8, aRequest=0x61d000422cf8, aStateFlags=131088, aStatus=nsresult::NS_OK) at /home/b/projects/mozilla/mozilla-central/docshell/base/nsDocShell.cpp:6441
#36 0x00007fcb4bf3cac3 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) ()
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsIChannel.h:129
#37 0x00007fcb4271597d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) (this=<optimized out>, aProgress=0x6190001cf2a8, aRequest=0x61d000422cf8, aStateFlags=@0x7ffc7f20bef0: 131088, aStatus=nsresult::NS_OK) at /home/b/projects/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:1313
#38 0x00007fcb4271458b in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) (this=0x6190001cf280, request=0x61d000422cf8, aStatus=nsresult::NS_OK)
    at /home/b/projects/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:872
#39 0x00007fcb4270f9c4 in nsDocLoader::DocLoaderIsEmpty(bool) (this=0x6190001cf280, aFlushLayout=<optimized out>) at /home/b/projects/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:710
#40 0x00007fcb42712847 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) (this=0x6190001cf280, aRequest=0x7ffc7f20c450, aStatus=2132853872)
    at /home/b/projects/mozilla/mozilla-central/uriloader/base/nsDocLoader.cpp:598
#41 0x00007fcb42713dd8 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) () at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsTString.h:159
#42 0x00007fcb4034fa88 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) (this=0x6110000e2440, request=0x61d000427cf8, ctxt=<optimized out>, aStatus=nsresult::NS_OK)
    at /home/b/projects/mozilla/mozilla-central/netwerk/base/nsLoadGroup.cpp:568
#43 0x00007fcb4724e200 in mozilla::BaseMediaResource::ModifyLoadFlags(unsigned int) (this=<optimized out>, aFlags=547356673) at /home/b/projects/mozilla/mozilla-central/dom/media/BaseMediaResource.cpp:148
#44 0x00007fcb4724dd82 in mozilla::BaseMediaResource::SetLoadInBackground(bool) (this=0x6140000d6a40, aLoadInBackground=true)
    at /home/b/projects/mozilla/mozilla-central/dom/media/BaseMediaResource.cpp:134
#45 0x00007fcb47015dae in mozilla::dom::HTMLMediaElement::ChangeDelayLoadStatus(bool) (this=0x61c0000ba880, aDelay=false) at /home/b/projects/mozilla/mozilla-central/dom/html/HTMLMediaElement.cpp:6176
#46 0x00007fcb47046f88 in mozilla::dom::HTMLMediaElement::FirstFrameLoaded() (this=0x61c0000ba880) at /home/b/projects/mozilla/mozilla-central/dom/html/HTMLMediaElement.cpp:5038
#47 0x00007fcb47311574 in mozilla::MediaDecoder::FirstFrameLoaded(nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility) (this=<optimized out>, aInfo=..., aEventVisibility=<optimized out>)
    at /home/b/projects/mozilla/mozilla-central/dom/media/MediaDecoder.cpp:744
#48 0x00007fcb4738a14b in _ZZN7mozilla20MediaEventSourceImplILNS_14ListenerPolicyE0EJ9nsAutoPtrINS_9MediaInfoEENS_27MediaDecoderEventVisibilityEEE15ConnectInternalINS_14AbstractThreadENS_12MediaDecoderEMS9_FvS4_S5_EEENS_8EnableIfIXsr8TakeArgsIT1_EE5valueENS_18MediaEventListenerEE4TypeEPT_PT0_SD_ENKUlOS4_OS5_E_clESL_SM_ (this=<optimized out>, aEvents=..., aEvents=<error reading variable>)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/MediaEventSource.h:343
#49 0x00007fcb4738a14b in _ZN7mozilla6detail12ListenerImplINS_14AbstractThreadEZNS_20MediaEventSourceImplILNS_14ListenerPolicyE0EJ9nsAutoPtrINS_9MediaInfoEENS_27MediaDecoderEventVisibilityEEE15ConnectInternalIS2_NS_12MediaDecoderEMSB_FvS7_S8_EEENS_8EnableIfIXsr8TakeArgsIT1_EE5valueENS_18MediaEventListenerEE4TypeEPT_PT0_SF_EUlOS7_OS8_E_JS7_S8_EE17ApplyWithArgsImplISP_EENSE_IXsr8TakeArgsISJ_EE5valueEvE4TypeER---Type <return> to continue, or q <return> to quit---
KSJ_SN_SO_ (this=<optimized out>, aFunc=..., aEvents=..., aEvents=<error reading variable>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/MediaEventSource.h:191
#50 0x00007fcb4738a14b in _ZN7mozilla6detail12ListenerImplINS_14AbstractThreadEZNS_20MediaEventSourceImplILNS_14ListenerPolicyE0EJ9nsAutoPtrINS_9MediaInfoEENS_27MediaDecoderEventVisibilityEEE15ConnectInternalIS2_NS_12MediaDecoderEMSB_FvS7_S8_EEENS_8EnableIfIXsr8TakeArgsIT1_EE5valueENS_18MediaEventListenerEE4TypeEPT_PT0_SF_EUlOS7_OS8_E_JS7_S8_EE13ApplyWithArgsESN_SO_ (this=<optimized out>, aEvents=..., aEvents=<error reading variable>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/MediaEventSource.h:205
#51 0x00007fcb4740bde6 in mozilla::detail::RunnableMethodArguments<nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&>::applyImpl<mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&), StoreCopyPassByRRef<nsAutoPtr<mozilla::MediaInfo> >, StoreCopyPassByRRef<mozilla::MediaDecoderEventVisibility>, 0ul, 1ul>(mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>*, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&), mozilla::Tuple<StoreCopyPassByRRef<nsAutoPtr<mozilla::MediaInfo> >, StoreCopyPassByRRef<mozilla::MediaDecoderEventVisibility> >&, std::integer_sequence<unsigned long, 0ul, 1ul>) (o=<optimized out>, m=<optimized out>, args=...) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsThreadUtils.h:1122
#52 0x00007fcb4740bde6 in _ZN7mozilla6detail23RunnableMethodArgumentsIJO9nsAutoPtrINS_9MediaInfoEEONS_27MediaDecoderEventVisibilityEEE5applyINS0_8ListenerIJS4_S6_EEEMSB_FvS5_S7_EEEDTcl9applyImplfp_fp0_dtdefpT10mArgumentstlSt16integer_sequenceImJLm0ELm1EEEEEEPT_T0_ (this=<optimized out>, o=<optimized out>, m=<optimized out>)
    at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsThreadUtils.h:1128
#53 0x00007fcb4740bde6 in mozilla::detail::RunnableMethodImpl<mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>*, void (mozilla::detail::Listener<nsAutoPtr<mozilla::MediaInfo>, mozilla::MediaDecoderEventVisibility>::*)(nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&), true, (mozilla::RunnableKind)0, nsAutoPtr<mozilla::MediaInfo>&&, mozilla::MediaDecoderEventVisibility&&>::Run() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/nsThreadUtils.h:1174
#54 0x00007fcb4004b073 in mozilla::AutoTaskDispatcher::TaskGroupRunnable::Run() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-builds/obj-ff-fuzz-dbg/dist/include/mozilla/TaskDispatcher.h:197
#55 0x00007fcb40046fa1 in mozilla::EventTargetWrapper::Runner::Run() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/AbstractThread.cpp:113
#56 0x00007fcb4003b127 in mozilla::SchedulerGroup::Runnable::Run() (this=0x6070001266b0) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/SchedulerGroup.cpp:295
#57 0x00007fcb40081de1 in nsThread::ProcessNextEvent(bool, bool*) (this=0x611000005540, aMayWait=<optimized out>, aResult=0x7ffc7f20d860)
    at /home/b/projects/mozilla/mozilla-central/xpcom/threads/nsThread.cpp:1180
#58 0x00007fcb4008a69f in NS_ProcessNextEvent(nsIThread*, bool) (aThread=0x611000005540, aMayWait=<optimized out>) at /home/b/projects/mozilla/mozilla-central/xpcom/threads/nsThreadUtils.cpp:486
#59 0x00007fcb414247aa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (this=0x607000002a40, aDelegate=0x7ffc7f20e080)
    at /home/b/projects/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:110
#60 0x00007fcb412cc15a in MessageLoop::RunInternal() (this=0x7ffc7f20e080) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:315
#61 0x00007fcb412cbe7b in MessageLoop::RunHandler() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:308
#62 0x00007fcb412cbe7b in MessageLoop::Run() (this=0x7ffc7f20e080) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:290
#63 0x00007fcb48f4f591 in nsBaseAppShell::Run() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/widget/nsBaseAppShell.cpp:137
#64 0x00007fcb4cce1fde in XRE_RunAppShell() () at /home/b/projects/mozilla/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:919
#65 0x00007fcb414259ee in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (this=0x607000002a20, aDelegate=0x7ffc7f20e080)
    at /home/b/projects/mozilla/mozilla-central/ipc/glue/MessagePump.cpp:238
#66 0x00007fcb412cc15a in MessageLoop::RunInternal() (this=0x7ffc7f20e080) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:315
#67 0x00007fcb412cbe7b in MessageLoop::RunHandler() (this=<optimized out>) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:308
#68 0x00007fcb412cbe7b in MessageLoop::Run() (this=0x7ffc7f20e080) at /home/b/projects/mozilla/mozilla-central/ipc/chromium/src/base/message_loop.cc:290
#69 0x00007fcb4cce0d22 in XRE_InitChildProcess(int, char**, XREChildData const*) (aArgc=13, aArgv=0x7ffc7f20f6b8, aChildData=<optimized out>)
    at /home/b/projects/mozilla/mozilla-central/toolkit/xre/nsEmbedFunctions.cpp:757
#70 0x0000559662021027 in content_process_main(mozilla::Bootstrap*, int, char**) (bootstrap=<optimized

After some discussion with :cpearce my understanding is thus: once the MediaElement has its first frame loaded we move the load to the background, this is why we're calling ModifyLoadFlags. This triggers us removing the request from the load group (frame 42), if that was the last request this means the document is treated as loaded (frame 33), we then start firing events and doing JS. During JS execution XHR causes us to spin th event loop (frame 13), this triggers processing some inflight promises that result in ref counts going to 0 and the decoder associated with the resource is destroyed, which destroys our resource.

(In reply to Bryce Seager van Dyk (:bryce) from comment #11)

[...] this triggers processing some inflight promises that result in ref counts going to 0 and the decoder associated with the resource is destroyed, which destroys our resource.

I think we end up GC'ing the HTMLMediaElement here (the script reloads the page), and that triggers the death of the ChannelMediaDecoder here. And that's why your patch which adds a strong ref on the HTMLMediaElement (and not the resource or the decoder) is sufficient to fix the issue.

Comment on attachment 9064662 [details]
Bug 1547757 - Use a RefPtr to hold owner element ref when moving media resource load to background. r?cpearce

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The patch itself doesn't give much away (intentionally vague commit message, avoids calling the new deathgrip a deathgrip): an attacker would need to figure out something like the test case attached in order to hit the uaf, and even then, it would be harder without fuzzing enabled. I don't think an attack could easily be constructed from the patch.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: All
  • If not all supported branches, which bug introduced the flaw?: All are
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: I believe the patch should graft onto other trees (though I have not manually attempted the graft).
  • How likely is this patch to cause regressions; how much testing does it need?: Low IMO: the patch is simple: changes a raw ptr to a RefPtr to prolong the life of an object. The only possible regression I foresee is shutdown hangs or similar, but have not encountered any in my testing. I don't think we need any further testing.
Attachment #9064662 - Flags: sec-approval?
See Also: → 1539884

Comment on attachment 9064662 [details]
Bug 1547757 - Use a RefPtr to hold owner element ref when moving media resource load to background. r?cpearce

sec-approval+ for mozilla-central

Attachment #9064662 - Flags: sec-approval? → sec-approval+
Group: media-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69

Bryce, please request uplift for Gecko 68.

Flags: needinfo?(bvandyk)

And ESR60. Grafts cleanly as-landed.

Comment on attachment 9064662 [details]
Bug 1547757 - Use a RefPtr to hold owner element ref when moving media resource load to background. r?cpearce

Beta/Release Uplift Approval Request

  • User impact if declined: A known UAF will continue to exist in the browser. If the UAF is exploited it would be quite detrimental to users.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: No others needed.
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is simple (one liner), and deals with a fairly well understood case of bugs (refs not living long enough).
  • String changes made/needed: None.

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: The bug is sec high.
  • User impact if declined: A known UAF will continue to exist in the browser. If the UAF is exploited it would be quite detrimental to users.
  • Fix Landed on Version: 69
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is simple (one liner), and deals with a fairly well understood case of bugs (refs not living long enough).
  • String or UUID changes made by this patch: None.
Flags: needinfo?(bvandyk)
Attachment #9064662 - Flags: approval-mozilla-esr60?
Attachment #9064662 - Flags: approval-mozilla-beta?

Comment on attachment 9064662 [details]
Bug 1547757 - Use a RefPtr to hold owner element ref when moving media resource load to background. r?cpearce

approved for 68.0b4, thanks

Attachment #9064662 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
QA Whiteboard: [qa-triaged]

I successfully reproduced the issue on Firefox Nightly (20190429095544) under Ubuntu 18.04 (x64) using the STR from Comment 2 and some help from Bryce.

The issue is no longer reproducible on latest Firefox Nightly (20190528214841) and on Firefox Beta (20190528124446) under Ubuntu 18.04 (x64).

Comment on attachment 9064662 [details]
Bug 1547757 - Use a RefPtr to hold owner element ref when moving media resource load to background. r?cpearce

Fixes a sec-high issue. Verified by QA on Nightly and Beta. Approved for 60.8esr.

Attachment #9064662 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+

The issue is verified on latest Firefox ESR60 (20190620183641) under Ubuntu 18.04 (x64).

Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main68+][adv-esr60.8+]
Status: RESOLVED → VERIFIED
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: