Closed Bug 1556933 Opened 4 years ago Closed 4 years ago

ASAN: heap-use-after-free at Vector.h:501:12 in end

Categories: Core :: JavaScript: GC, defect
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: VERIFIED FIXED
Target Milestone: mozilla69
Tracking Status:
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed
People: Reporter: geeknik, Assigned: sfink
References: Regression
Details: 6 keywords, Whiteboard: [post-critsmash-triage]

While using ASAN Nightly (https://hg.mozilla.org/mozilla-central/rev/c909c105f914f69054b9a7c6b189ee39fa1cad44), build ID 20190604034844, I loaded up https://en.wikipedia.org/wiki/List_of_companies_based_in_Oklahoma_City and middle clicked the link to https://en.wikipedia.org/wiki/Ackerman_McQueen and the https://en.wikipedia.org/wiki/Ackerman_McQueen tab crashed with the following ASAN output:

==3875==ERROR: AddressSanitizer: heap-use-after-free on address 0x6170000e9008 at pc 0x7f8c661af3d5 bp 0x7ffd62db0420 sp 0x7ffd62db0418
READ of size 8 at 0x6170000e9008 thread T0 (Web Content)
    #0 0x7f8c661af3d4 in end /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12
    #1 0x7f8c661af3d4 in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:94
    #2 0x7f8c661af3d4 in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665
    #3 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7
    #4 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161
    #5 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30
    #6 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499
    #7 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3
    #8 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13
    #9 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
    #10 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
    #11 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #13 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #14 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #15 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #16 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #17 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #18 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #20 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #21 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #22 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #23 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
    #24 0x7f8c70f47412 in __libc_start_main (/lib64/libc.so.6+0x24412)
    #25 0x5646b83c0b08 in _start (/home/geeknik/firefox/firefox+0x2ab08)

0x6170000e9008 is located 8 bytes inside of 720-byte region [0x6170000e9000,0x6170000e92d0)
freed by thread T0 (Web Content) here:
    #0 0x5646b846c192 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f8c654f18f6 in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:411:3
    #2 0x7f8c654f18f6 in free_<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:83
    #3 0x7f8c654f18f6 in freeData /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:634
    #4 0x7f8c654f18f6 in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:728
    #5 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12
    #6 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17
    #7 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199
    #8 0x7f8c65c4fc67 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::postSeverDelegate(js::GCMarker*, js::gc::Cell*, JS::Compartment*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:260:5
    #9 0x7f8c661af2de in operator() /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:669:25
    #10 0x7f8c661af2de in RemoveIf<js::gc::WeakMarkable, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:84
    #11 0x7f8c661af2de in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:93
    #12 0x7f8c661af2de in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665
    #13 0x7f8c657b4519 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7
    #14 0x7f8c657b4519 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161
    #15 0x7f8c65e08eae in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30
    #16 0x7f8c65e08eae in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499
    #17 0x7f8c5a8dc4da in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3
    #18 0x7f8c5c46492f in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13
    #19 0x7f8c58e1e01a in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
    #20 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
    #21 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #22 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #23 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #25 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #26 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #27 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #28 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #29 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #30 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #31 0x7f8c64e831c8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #32 0x5646b849f3b7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #33 0x5646b849f3b7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263

previously allocated by thread T0 (Web Content) here:
    #0 0x5646b846c513 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f8c654f142e in js_arena_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:367:10
    #2 0x7f8c654f142e in js_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:572
    #3 0x7f8c654f142e in maybe_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:31
    #4 0x7f8c654f142e in pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:44
    #5 0x7f8c654f142e in pod_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:70
    #6 0x7f8c654f142e in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:709
    #7 0x7f8c654f0abd in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12
    #8 0x7f8c65c51c4d in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17
    #9 0x7f8c65c51c4d in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199
    #10 0x7f8c65c5043f in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::markEntries(js::GCMarker*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h
    #11 0x7f8c661b59b4 in doTrace /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Class.h:872:3
    #12 0x7f8c661b59b4 in CallTraceHook<(lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1849:7)> /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1480
    #13 0x7f8c661b59b4 in js::GCMarker::processMarkStackTop(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1848
    #14 0x7f8c66187089 in js::GCMarker::markUntilBudgetExhausted(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:1636:7
    #15 0x7f8c6618fdb5 in markUntilBudgetExhausted /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6053:17
    #16 0x7f8c6618fdb5 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7215
    #17 0x7f8c66192a43 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7628:3
    #18 0x7f8c66195936 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7808:9
    #19 0x7f8c661966ba in js::gc::GCRuntime::gcSlice(JS::GCReason, long) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7912:3
    #20 0x7f8c5c59842f in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1126:5
    #21 0x7f8c5c5a60e2 in InterSliceGCRunnerFired(mozilla::TimeStamp, void*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1748:3
    #22 0x7f8c58dc60b0 in operator() /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
    #23 0x7f8c58dc60b0 in mozilla::IdleTaskRunner::Run() /builds/worker/workspace/build/src/xpcom/threads/IdleTaskRunner.cpp:58
    #24 0x7f8c58e045a6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
    #25 0x7f8c58e0a501 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #26 0x7f8c59e6c15d in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #27 0x7f8c59d9d752 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #28 0x7f8c59d9d752 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #29 0x7f8c59d9d752 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #30 0x7f8c61216b1a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #31 0x7f8c64e8387f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 in end
Shadow bytes around the buggy address:
  0x0c2e800151b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e800151c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e800151d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e800151e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2e800151f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2e80015200: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80015210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80015220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80015230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80015240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2e80015250: fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3875==ABORTING
Flags: sec-bounty?
Group: core-security → dom-core-security
Keywords: testcase-wanted
Component: General → JavaScript Engine
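The free and use stacks above share a frame: severWeakDelegate runs EraseIf over a Vector that is stored inside the weak-keys OrderedHashMap, and the erase predicate calls postSeverDelegate, whose put() rehashes that map and frees the entry array the Vector lived in (the bad read is 8 bytes into the freed 720-byte region). The following is an added illustration, not SpiderMonkey code: FlatTable, Entry, Item, severUnsafe and severSafe are constructed here to model that loop against a small rehashing table and to show the detached-copy form that removes the hazard.

```cpp
#include <cstddef>
#include <string>
#include <utility>
#include <vector>

// Minimal flat table in the spirit of OrderedHashTable: entries live in one heap
// array; growing it allocates a new array and frees the old one, so every Entry*
// handed out before a rehash then points into freed memory.
struct Item { int id; };
struct Entry { std::string key; std::vector<Item> items; };

class FlatTable {
 public:
  ~FlatTable() { delete[] data_; }
  // Insert-or-lookup, the analogue of put() in the free stack above.
  Entry& put(const std::string& key) {
    if (Entry* e = find(key)) return *e;
    if (len_ == cap_) rehash(cap_ ? cap_ * 2 : 1);
    data_[len_].key = key;
    return data_[len_++];
  }
  Entry* find(const std::string& key) {
    for (size_t i = 0; i < len_; i++) if (data_[i].key == key) return &data_[i];
    return nullptr;
  }
  unsigned generation() const { return gen_; }  // bumped on every rehash
 private:
  void rehash(size_t cap) {
    Entry* fresh = new Entry[cap];
    for (size_t i = 0; i < len_; i++) fresh[i] = std::move(data_[i]);
    delete[] data_;  // the old entries, their vectors included, are gone
    data_ = fresh; cap_ = cap; gen_++;
  }
  Entry* data_ = nullptr; size_t len_ = 0, cap_ = 0; unsigned gen_ = 0;
};

// The shape of severWeakDelegate's loop: erase items from the delegate's vector,
// re-adding each under `key` via put(). `vec` points into table storage, so a
// rehash inside put() frees it mid-loop; we return true there rather than
// calling vec.end() on freed memory as the ASAN trace shows happening.
bool severUnsafe(FlatTable& t, const std::string& delegate, const std::string& key) {
  std::vector<Item>& vec = t.find(delegate)->items;
  unsigned gen = t.generation();
  for (size_t i = 0; i < vec.size();) {
    Item item = vec[i];
    t.put(key).items.push_back(item);
    if (t.generation() != gen) return true;  // vec now dangles
    vec.erase(vec.begin() + i);
  }
  return false;
}

// Hardened form: detach the vector from the table before mutating the table, so
// no reference into table storage is live across put(). Returns items moved.
size_t severSafe(FlatTable& t, const std::string& delegate, const std::string& key) {
  std::vector<Item> moved = std::move(t.find(delegate)->items);
  t.find(delegate)->items.clear();  // leave the moved-from slot explicitly empty
  for (const Item& item : moved) t.put(key).items.push_back(item);
  return moved.size();
}
// Constructed scenario: a delegate holding three markables, re-keyed onto "key".
bool unsafeLoopDangles() {
  FlatTable t; t.put("delegate").items = {{1}, {2}, {3}};
  return severUnsafe(t, "delegate", "key");
}
bool safeLoopMovesAll() {
  FlatTable t; t.put("delegate").items = {{1}, {2}, {3}};
  return severSafe(t, "delegate", "key") == 3 && t.find("key")->items.size() == 3 &&
         t.find("delegate")->items.empty();
}
int main() { return unsafeLoopDangles() && safeLoopMovesAll() ? 0 : 1; }
```

Under ASan, replacing the generation check in severUnsafe with a plain continue of the loop reproduces the same heap-use-after-free shape on the vector's size()/end() read.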

js::GCMarker::severWeakDelegate() is in the stack, so ni? sfink.

Group: dom-core-security → javascript-core-security
Component: JavaScript Engine → JavaScript: GC
Flags: needinfo?(sphink)

This code has been backed out so closing this bug. Leaving the needinfo as the problem presumably still exists in the unlanded code.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID

Closing a valid bug as invalid is probably not the right way forward here. If this was in Nightly, then the bug might be bounty-eligible and we should mark it as fixed I guess (and indicate where it was backed out).

Resolution: INVALID → FIXED
Assignee: nobody → sphink
Flags: needinfo?(sphink)
Regressed by: 1167452
Target Milestone: --- → mozilla69
Flags: needinfo?(sphink)
Group: javascript-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Keywords: regression, sec-high

(In reply to Christian Holler (:decoder) from comment #4)
I'm never sure exactly what these fixed states are supposed to mean.

This was caused by the changes in bug 1167452. The backout happened in bug 1514421 comment 41.

Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

I could not reproduce the issue on the original build
http://archive.mozilla.org/pub/firefox/nightly/2019/06/2019-06-04-03-48-44-mozilla-central/firefox-69.0a1.en-US.linux-x86_64-asan-reporter.tar.bz2
No assertion failure error could be reproduced while following the steps in comment 0 on Ubuntu 18.04.2 LTS.

Considering I cannot reproduce, I also cannot verify it.
@Christian and Jon: Considering that the reporter blocked any requests and you are involved, I am asking you. Do you have any clue how this issue got reproduced?

This bug got the "qe-verify+" tag, which means that it needs to be verified. How do you think we should proceed in this case?

Thank you for your contribution!

Flags: needinfo?(jcoppeard)
Flags: needinfo?(choller)

This issue cannot be reproduced by QA. It was found while browsing and there are no steps to reproduce or test to verify the fix.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(choller)

It seems to me that there are steps that do not reproduce the issue:
"(In reply to Brian Carpenter [:geeknik] from comment #0)

While using ASAN Nightly (https://hg.mozilla.org/mozilla-central/rev/c909c105f914f69054b9a7c6b189ee39fa1cad44), build ID 20190604034844, I loaded up https://en.wikipedia.org/wiki/List_of_companies_based_in_Oklahoma_City and middle clicked the link to https://en.wikipedia.org/wiki/Ackerman_McQueen and the https://en.wikipedia.org/wiki/Ackerman_McQueen tab crashed."

Considering the fact that this issue is supposedly fixed by backing out some code and the fact that this issue does not occur on Nightly v69.0a1, I think the best way for it would be to verify it. In any case, this is the bug where the back-out happened: bug 1514421.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
See Also: → 1514421
Flags: needinfo?(sphink)
Group: core-security-release
Has Regression Range: --- → yes