Closed
Bug 1558522
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: heap-use-after-free [@ IsCurrentThread] with READ of size 8
Categories
(Core :: Storage: IndexedDB, defect, P1)
Core
Storage: IndexedDB
Tracking
()
People
(Reporter: jkratzer, Assigned: sg)
References
(Blocks 4 open bugs)
Details
(4 keywords, Whiteboard: [fuzzblocker][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r][post-critsmash-triage])
Attachments
(2 files, 3 obsolete files)
|
1.20 KB,
text/html
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
jcristau
:
approval-mozilla-esr68+
tjr
:
sec-approval+
|
Details | Review |
Testcase found while fuzzing mozilla-central rev 0679bf09303e. Testcase takes 30-60 seconds in order to reproduce.
==27763==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100024c500 at pc 0x7f99156e73d0 bp 0x7f98822d9a90 sp 0x7f98822d9a88
READ of size 8 at 0x61100024c500 thread T32 (DOM Worker)
#0 0x7f99156e73cf in IsCurrentThread /builds/worker/workspace/build/src/xpcom/base/nsISupportsImpl.cpp:45:10
#1 0x7f99156e73cf in nsAutoOwningThread::AssertCurrentThreadOwnsMe(char const*) const /builds/worker/workspace/build/src/xpcom/base/nsISupportsImpl.cpp:38
#2 0x7f991db18bf8 in AssertOwnership<37> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:59:5
#3 0x7f991db18bf8 in mozilla::DOMEventTargetHelper::AddRef() /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:83
#4 0x7f991f6a53e4 in AddRef /builds/worker/workspace/build/src/dom/indexedDB/IDBDatabase.cpp:1059:1
#5 0x7f991f6a53e4 in AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:45
#6 0x7f991f6a53e4 in AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:362
#7 0x7f991f6a53e4 in RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:105
#8 0x7f991f6a53e4 in mozilla::dom::(anonymous namespace)::DatabaseFile::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/workspace/build/src/dom/indexedDB/IDBDatabase.cpp:111
#9 0x7f9916ce936f in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:659:3
#10 0x7f9916ce9238 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:647:14
#11 0x7f991749928a in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:668:20
#12 0x7f991744bf8b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:4717:32
#13 0x7f9916ccfaf6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2158:25
#14 0x7f9916cca9fb in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2082:9
#15 0x7f9916cccfb7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
#16 0x7f9916ccdd47 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
#17 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#18 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#19 0x7f991f91a08b in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2791:7
#20 0x7f991f8d5ab4 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2316:40
#21 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#22 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#23 0x7f9916cda671 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#24 0x7f9916bb01ae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#25 0x7f9916bb01ae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#26 0x7f9916bb01ae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#27 0x7f99158fcd23 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:459:11
#28 0x7f993b9f50bd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
#29 0x7f993b6396da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
#30 0x7f993a61788e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x61100024c500 is located 64 bytes inside of 248-byte region [0x61100024c4c0,0x61100024c5b8)
freed by thread T32 (DOM Worker) here:
#0 0x557243ba6a82 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f99156c73e1 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
#2 0x7f99156c5a93 in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2607:3
#3 0x7f99156d23f5 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3582:3
#4 0x7f99156d16a5 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3411:9
#5 0x7f99156d66bc in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3947:21
#6 0x7f9925cb1f17 in callGCCallback /builds/worker/workspace/build/src/js/src/gc/GC.cpp:1924:3
#7 0x7f9925cb1f17 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7542
#8 0x7f9925cb2ef5 in ~AutoCallGCCallbacks /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7521:32
#9 0x7f9925cb2ef5 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7631
#10 0x7f9925cb6198 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7796:9
#11 0x7f9925cc00da in gc /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7884:3
#12 0x7f9925cc00da in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8720
#13 0x7f991f92fc6f in mozilla::dom::WorkerPrivate::GarbageCollectInternal(JSContext*, bool, bool) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:4551:7
#14 0x7f99158ec8b5 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:561:7
#15 0x7f99158ebe91 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:260:11
#16 0x7f991f8f74bc in mozilla::dom::(anonymous namespace)::WrappedControlRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/WorkerEventTarget.cpp:36:13
#17 0x7f991f93a341 in mozilla::dom::WorkerRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerRunnable.cpp:363:12
#18 0x7f991f919626 in ProcessAllControlRunnablesLocked /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:3319:9
#19 0x7f991f919626 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2689
#20 0x7f991f8d5ab4 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2316:40
#21 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#22 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#23 0x7f9916cda671 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
previously allocated by thread T32 (DOM Worker) here:
#0 0x557243ba6e03 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x557243bdbb6d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f991f5f43ca in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
#3 0x7f991f5f43ca in mozilla::dom::IDBDatabase::Create(mozilla::dom::IDBOpenDBRequest*, mozilla::dom::IDBFactory*, mozilla::dom::indexedDB::BackgroundDatabaseChild*, mozilla::dom::indexedDB::DatabaseSpec*) /builds/worker/workspace/build/src/dom/indexedDB/IDBDatabase.cpp:185
#4 0x7f991f5f50f9 in EnsureDOMObject /builds/worker/workspace/build/src/dom/indexedDB/ActorsChild.cpp:1828:30
#5 0x7f991f5f50f9 in mozilla::dom::indexedDB::BackgroundDatabaseChild::RecvPBackgroundIDBVersionChangeTransactionConstructor(mozilla::dom::indexedDB::PBackgroundIDBVersionChangeTransactionChild*, unsigned long const&, unsigned long const&, long const&, long const&) /builds/worker/workspace/build/src/dom/indexedDB/ActorsChild.cpp:1941
#6 0x7f9917498dfc in mozilla::dom::indexedDB::PBackgroundIDBDatabaseChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundIDBDatabaseChild.cpp:832:28
#7 0x7f991744bf8b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:4717:32
#8 0x7f9916ccfaf6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2158:25
#9 0x7f9916cca9fb in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2082:9
#10 0x7f9916cccfb7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1939:3
#11 0x7f9916ccdd47 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1970:13
#12 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#13 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#14 0x7f991f91a08b in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2791:7
#15 0x7f991f8d5ab4 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2316:40
#16 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#17 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#18 0x7f9916cda671 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:303:20
#19 0x7f9916bb01ae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#20 0x7f9916bb01ae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#21 0x7f9916bb01ae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#22 0x7f99158fcd23 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:459:11
#23 0x7f993b9f50bd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
Thread T32 (DOM Worker) created by T0 (file:// Content) here:
#0 0x557243b8f3dd in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f993b9e71b8 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:433:14
#2 0x7f993b9d0d9e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:518:12
#3 0x7f99158ffe49 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
#4 0x7f991f94d04e in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:93:7
#5 0x7f991f8a0ffc in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1435:14
#6 0x7f991f89ef47 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1300:19
#7 0x7f991f913060 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2283:24
#8 0x7f991f8b2bb1 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:30:41
#9 0x7f991c4f8cb6 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1139:52
#10 0x7f9924c00b67 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
#11 0x7f9924c00b67 in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:464
#12 0x7f9924c00b67 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:657
#13 0x7f9924bdd4d8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3078:16
#14 0x7f9924bc70e8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#15 0x7f9924bfd97f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
#16 0x7f9924bffba2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
#17 0x7f9925879f58 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2667:10
#18 0x7f991c913e39 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
#19 0x7f991dbb70a2 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
#20 0x7f991dbb70a2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1022
#21 0x7f991dbb8cf7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1220:17
#22 0x7f991db99a61 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#23 0x7f991db99a61 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#24 0x7f991db97c96 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#25 0x7f991db9ea04 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
#26 0x7f991dba674b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
#27 0x7f991a1bad64 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1029:17
#28 0x7f9919a06c76 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3945:28
#29 0x7f9919a069ee in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3915:10
#30 0x7f9919dd9ec2 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6871:3
#31 0x7f9919eef0ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#32 0x7f9919eef0ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
#33 0x7f9919eef0ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
#34 0x7f99158c4565 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#35 0x7f9915905223 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
#36 0x7f991590cfe4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#37 0x7f9916cd8f0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#38 0x7f9916bb01ae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#39 0x7f9916bb01ae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#40 0x7f9916bb01ae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#41 0x7f99202de313 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f992492401e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#43 0x7f9916bb01ae in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#44 0x7f9916bb01ae in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#45 0x7f9916bb01ae in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#46 0x7f9924922b61 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#47 0x557243bd9eb3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#48 0x557243bd9eb3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#49 0x7f993a517b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/xpcom/base/nsISupportsImpl.cpp:45:10 in IsCurrentThread
Shadow bytes around the buggy address:
0x0c2280041850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2280041860: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
0x0c2280041870: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c2280041880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa
0x0c2280041890: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c22800418a0:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800418b0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
0x0c22800418c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800418d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c22800418e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
0x0c22800418f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==27763==ABORTING
Flags: in-testsuite?
|
||
Updated•5 years ago
|
Group: core-security → dom-core-security
|
|
||
Updated•5 years ago
|
Keywords: csectype-uaf,
sec-high
|
||
Comment 1•5 years ago
|
||
Jan, can you take a look at this please? It looks like a DETH is getting destroyed on a worker thread.
Flags: needinfo?(jvarga)
|
||
Updated•5 years ago
|
Status: NEW → ASSIGNED
|
Reporter | |
Updated•5 years ago
|
Whiteboard: [fuzzblocker]
|
|
||
Comment 3•5 years ago
|
||
I think it would be better if someone else from the team took this bug. I'm focused on remaining LSNG bugs right now.
Assignee: jvarga → nobody
Status: ASSIGNED → NEW
Flags: needinfo?(jstutte)
|
||
Updated•5 years ago
|
Flags: needinfo?(jstutte)
|
|
||
Updated•5 years ago
|
Assignee: nobody → sgiesecke
|
Assignee | |
Comment 4•5 years ago
|
||
janv wrote in a mail about this:
I think the main issue is that the DatabaseFile object has a weak pointer to IDBDatabase.
Yes, it does, and I don't quite understand why. Shouldn't DatabaseFile::mDatabase be really a RefPtr, instead of acquiring ownership within DatabaseFile::ActorDestroy, assuming that mDatabase still exists.
Or should the IDBDatabase have destroyed the actor already? Then this might be what's missing in some edge case.
mDatabase is probably not cleared in some edge case.
I don't understand this. DatabaseFile::mDatabase is used exactly once when the actor is destroyed.
Flags: needinfo?(jvarga)
|
|
||
Comment 5•5 years ago
•
|
||
The raw pointer is ok, we don't have to change it. I dug into this a bit deeper and it seems the problem is a bit different (I originally thought that IDBDatabaseFile outlives IDBDatabase). IDBDatabase::GetOrCreateFileActorForBlob is called after the database has been closed (if you look at the testcase, it's doing exactly the same thing), so ExpireFileActors(true) won't be called again in CloseInternal which is called by LastRelease (which is called just before IDBDatabase is destroyed). So here's the fix:
void IDBDatabase::LastRelease() {
AssertIsOnOwningThread();
CloseInternal();
+ ExpireFileActors(/* aExpireAll */ true);
+
However, this deserves a nice comment and thorough testing. Please make sure you understand the code path/flow in this case and try to verify my investigation independently. Thanks.
Flags: needinfo?(jvarga)
|
||
Comment 6•5 years ago
|
||
Are you able to work on this for the 71 release? It is getting late for 70 but we could still get a patch into 71.
|
|
Assignee | |
Comment 7•5 years ago
|
||
|
|
Assignee | |
Comment 8•5 years ago
|
||
Depends on D48045
|
|
Assignee | |
Comment 9•5 years ago
|
||
Please checkin D48046 (but not D48045 yet, as it will expose exploitable information).
Flags: needinfo?(sgiesecke)
Keywords: checkin-needed,
leave-open
|
||
Comment 10•5 years ago
|
||
Please request security approval because the bug is rated as sec-high, see https://wiki.mozilla.org/Security/Bug_Approval_Process
Flags: needinfo?(sgiesecke)
Keywords: checkin-needed
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
status-firefox-esr68:
--- → affected
|
|
Assignee | |
Comment 11•5 years ago
|
||
Comment on attachment 9098478 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not sure. It does not seem possible to deterministically trigger this. Note that there is another patch for this bug that contains a test case that reproduces the issue and an explaining, which should only land later.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: All
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: No
- If not, how different, hard to create, and risky will they be?: Probably, this can be easily applied to esr68 and beta.
- How likely is this patch to cause regressions; how much testing does it need?: Unlikely.
Flags: needinfo?(sgiesecke)
Attachment #9098478 -
Flags: sec-approval?
|
||
Comment 12•5 years ago
|
||
Comment on attachment 9098478 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
Let's land the patch now, and prepare backports to 68 and beta. We'll land the test November 12th or later.
Attachment #9098478 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•5 years ago
|
tracking-firefox-esr68:
--- → ?
|
|
||
Comment 13•5 years ago
|
||
Ensure that file actors created after the database was closed are expired. r=asuth
https://hg.mozilla.org/integration/autoland/rev/1e1e2bd9ee5209f5fe5994d3fc9c4ebed89f747f
|
|
||
Comment 14•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(sgiesecke)
|
|
Assignee | |
Comment 15•5 years ago
|
||
|
|
Assignee | |
Comment 16•5 years ago
|
||
|
|
Assignee | |
Comment 17•5 years ago
|
||
Comment on attachment 9100144 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
Beta/Release Uplift Approval Request
- User impact if declined: Exposure to UAF threat.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch only adds checked expiration of file actors.
- String changes made/needed:
Flags: needinfo?(sgiesecke)
Attachment #9100144 -
Flags: approval-mozilla-beta?
|
|
Assignee | |
Comment 18•5 years ago
|
||
Comment on attachment 9100146 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: Exposure to UAF threat.
- Fix Landed on Version: 71
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The patch only adds checked expiration of file actors.
- String or UUID changes made by this patch:
Attachment #9100146 -
Flags: approval-mozilla-esr68?
|
||
Updated•5 years ago
|
status-firefox-esr60:
--- → wontfix
|
|
||
Comment 19•5 years ago
|
||
By default, we close bugs when the fix lands and land the tests later. The "in-testsuite" status of "?" shall prevent that the test gets forgotten.
|
|
||
Comment 20•5 years ago
|
||
This isn't in beta yet.
|
|
||
Comment 21•5 years ago
|
||
Comment on attachment 9098478 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
seems pretty late in the cycle to be landing this, but now it's on trunk let's get it on beta and esr68 as well...
Attachment #9098478 -
Flags: approval-mozilla-esr68+
Attachment #9098478 -
Flags: approval-mozilla-beta+
|
|
||
Comment 22•5 years ago
|
||
Comment on attachment 9100146 [details]
Bug 1558522 - Ensure that file actors created after the database was closed are expired. r=asuth
no need for separate phab patches for uplift if the patch from m-c applies cleanly.
Attachment #9100146 -
Attachment is obsolete: true
Attachment #9100146 -
Flags: approval-mozilla-esr68?
|
|
||
Updated•5 years ago
|
Attachment #9100144 -
Attachment is obsolete: true
Attachment #9100144 -
Flags: approval-mozilla-beta?
|
|
||
Comment 23•5 years ago
|
||
| uplift | ||
Group: dom-core-security → core-security-release
Target Milestone: --- → mozilla71
|
|
||
Comment 24•5 years ago
|
||
| uplift | ||
|
||
Updated•5 years ago
|
Attachment #9100144 -
Attachment is obsolete: false
|
|
||
Updated•5 years ago
|
Attachment #9100146 -
Attachment is obsolete: false
|
|
||
Updated•5 years ago
|
Whiteboard: [fuzzblocker] → [fuzzblocker][adv-main70+][adv-main70-rollup]
|
|
||
Updated•5 years ago
|
Whiteboard: [fuzzblocker][adv-main70+][adv-main70-rollup] → [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup]
|
|
||
Updated•5 years ago
|
Attachment #9100144 -
Attachment is obsolete: true
|
|
||
Updated•5 years ago
|
Attachment #9100146 -
Attachment is obsolete: true
|
||
Updated•5 years ago
|
Flags: qe-verify+
Whiteboard: [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup] → [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-crtismash-triage]
|
|
||
Updated•5 years ago
|
Whiteboard: [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-crtismash-triage] → [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-critsmash-triage]
|
|
||
Updated•5 years ago
|
QA Whiteboard: [qa-triaged]
|
||
Comment 25•5 years ago
|
||
Hello,
I want to verify if this bug is fixed, is there a simplified testcase or some steps to reproduce this bug?
Flags: needinfo?(sgiesecke)
|
|
Assignee | |
Comment 26•5 years ago
|
||
The attached https://bugzilla.mozilla.org/attachment.cgi?id=9071311 can be used to reproduce the bug. Unfortunately, I don't have a simpler test case.
Flags: needinfo?(sgiesecke)
|
|
||
Comment 27•5 years ago
|
||
When I was looking at this, I put the testcase to my local web server and then loaded it in my debug build. After several seconds I got a content process crash.
|
|
||
Comment 28•5 years ago
|
||
Hello,
I managed to reproduce this issue on Fx 70.0b3. I can confirm that this issue is fixed on Fx RC 70.0 , Fx 71.0a1 (BuildID: 20191015213743), Fx 68.2.0esr(https://treeherder.mozilla.org/#/jobs?repo=mozilla-esr68&selectedJob=271368812&revision=07ddd492f59bc77690cfb879166f76883b1f6a6a) on Windows 10 X64, Ubuntu 18.04 and macOS 10.15 Beta.
Thank you Simon Giesecke and Jan Varga for the help!
Status: RESOLVED → VERIFIED
Flags: qe-verify+
|
|
Reporter | |
Updated•5 years ago
|
Blocks: fuzzing-indexeddb
|
|
||
Updated•5 years ago
|
Whiteboard: [fuzzblocker][adv-main70+][adv-main70-rollup][adv-esr68.2+][adv-esr68.2-rollup][post-critsmash-triage] → [fuzzblocker][adv-main70+][adv-main70+r][adv-esr68.2+][adv-esr68.2+r][post-critsmash-triage]
|
|
||
Comment 29•5 years ago
•
|
||
Landed: https://hg.mozilla.org/integration/autoland/rev/a13d1af8d1b5c34f19f36ded0014f055403899dd
Backed out for causing crashtest suite shutdown hang:
https://hg.mozilla.org/integration/autoland/rev/b52cafa90e2929c801db706f72863746d57c94f4
Push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedJob=277001992&resultStatus=superseded%2Ctestfailed%2Cbusted%2Cexception%2Cusercancel&revision=a13d1af8d1b5c34f19f36ded0014f055403899dd
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=277001992&repo=autoland
[task 2019-11-19T16:57:42.003Z] 16:57:42 INFO - REFTEST SUITE-END | Shutdown
...
[task 2019-11-19T16:58:47.253Z] 16:58:47 INFO - Hit MOZ_CRASH(Shutdown too long, probably frozen, causing a crash.) at z:/build/build/src/toolkit/components/terminator/nsTerminator.cpp:217
Best chances to reproduce it on Windows x64 debug.
Flags: needinfo?(sgiesecke)
|
|
||
Updated•4 years ago
|
Group: core-security-release
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
|
Assignee | |
Comment 30•3 years ago
|
||
I can still reproduce the shutdown timeout on try: https://treeherder.mozilla.org/jobs?repo=try&revision=d090fb95e9afd6f3f43b6d5994cf5756a32e36e7 Jens, maybe you can give this a look?
Flags: needinfo?(sgiesecke) → needinfo?(jstutte)
|
|
||
Comment 31•3 years ago
•
|
||
(In reply to Simon Giesecke [:sg] [he/him] from comment #30)
I can still reproduce the shutdown timeout on try: https://treeherder.mozilla.org/jobs?repo=try&revision=d090fb95e9afd6f3f43b6d5994cf5756a32e36e7 Jens, maybe you can give this a look?
Trying to summarize what this tells us:
MOZ_CRASH(Shutdown hanging after all known phases and workers finished.)
means, we arrived in the shutdown process until after mozilla::XPCOMShutdownNotified(); has been called.
All threads seem to wait for events somehow except for Thread 10 which is apparently doing something bitmap related which might vaguely indicate some active windows driver (but the call stack seems truncated, so we do not know, what actually is happening) and in any case some activity.
I see basically three options:
- We just assist at a long lasting shutdown (due to debug and/or ASAN builds). Then I see not much we can do except add an exception for testing.
- Something bad happens during GFX shutdown.
- Some dangling timer brakes us here.
Simon, does the test in question create timers?
Flags: needinfo?(jstutte) → needinfo?(sgiesecke)
|
|
Assignee | |
Comment 32•3 years ago
|
||
Given this is an IndexedDB test case, I think it's unlikely that option 2 applies.
Timers are not directly created by the test for sure, but obviously there are timers involved in shutdown.
I fear this is not actionable right now.
Adding annotations that are dumped on timeout that indicate what is still being waited for would be very helpful here.
Flags: needinfo?(sgiesecke)
|
|
||
Comment 33•3 years ago
•
|
||
FWIW, I just took a look at the dump of https://treeherder.mozilla.org/logviewer?job_id=332057024&repo=try&lineNumber=1886 (without symbols). The only thing that stands out to me is a thread called "fog.validation.ping" that apparently called some sleep() function. This seems to have to do with telemetry? Could it be, that we try to send some telemetry that never reaches its destination and thus ends up slowing down the shutdown?
(but yes, more annotations are better than guessing for sure)
|
|
||
Updated•11 months ago
|
Attachment #9098477 -
Attachment description: Bug 1558522 - Added test case from fuzzer. r=asuth → Bug 1834041 - Added test case from fuzzer. r=asuth
|
|
||
Comment 35•11 months ago
|
||
Comment on attachment 9098477 [details]
Bug 1834041 - Added test case from fuzzer. r=asuth
Revision D48045 was moved to bug 1834041. Setting attachment 9098477 [details] to obsolete.
Attachment #9098477 -
Attachment is obsolete: true
|
|
||
Updated•11 months ago
|
Flags: needinfo?(jstutte)
You need to log in
before you can comment on or make changes to this bug.
Description
•