1560613 - heap-use-after-free in [@ nsThreadManager::ReleaseThread]

Status: RESOLVED DUPLICATE of bug 1492988

(Core :: Graphics: WebRender, defect)

Description

[Tyson Smith [:tsmith]]

This was found by m-c 20190621-516ca8e19a81

Unfortunately I do not have a reproducible testcase but I will attach one if one becomes available.

==18200==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100003a05f at pc 0x7f6603958353 bp 0x7f65f8a44d50 sp 0x7f65f8a44d48
READ of size 1 at 0x61100003a05f thread T6 (WRWorker#1)
    #0 0x7f6603958352 in nsThreadManager::ReleaseThread(void*) /src/xpcom/threads/nsThreadManager.cpp:91:15
    #1 0x7f6629b7a88d in _PR_DestroyThreadPrivate /src/nsprpub/pr/src/threads/prtpd.c:237:25
    #2 0x7f6629b6aaf4 in _pt_thread_death_internal /src/nsprpub/pr/src/pthreads/ptthread.c:855:9
    #3 0x7f6629b6ad76 in _pt_thread_death /src/nsprpub/pr/src/pthreads/ptthread.c:828:5
    #4 0x7f66297ba407 in __nptl_deallocate_tsd.part.5 (/lib/x86_64-linux-gnu/libpthread.so.0+0x6407)
    #5 0x7f66297bb81a in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x781a)
    #6 0x7f662879988e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61100003a05f is located 159 bytes inside of 232-byte region [0x611000039fc0,0x61100003a0a8)
freed by thread T0 (GPU Process) here:
    #0 0x55d1de53dae2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f660394ab5c in nsThread::Release() /src/xpcom/threads/nsThread.cpp:191:1
    #2 0x7f660395b051 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
    #3 0x7f660395b051 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #4 0x7f660395b051 in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #5 0x7f660395b051 in Destruct /src/obj-firefox/dist/include/nsTArray.h:525
    #6 0x7f660395b051 in DestructRange /src/obj-firefox/dist/include/nsTArray.h:2183
    #7 0x7f660395b051 in ClearAndRetainStorage /src/obj-firefox/dist/include/nsTArray.h:1300
    #8 0x7f660395b051 in ~nsTArray_Impl /src/obj-firefox/dist/include/nsTArray.h:881
    #9 0x7f660395b051 in nsThreadManager::Shutdown() /src/xpcom/threads/nsThreadManager.cpp:318
    #10 0x7f66039c48a9 in mozilla::ShutdownXPCOM(nsIServiceManager*) /src/xpcom/build/XPCOMInit.cpp:647:28
    #11 0x7f66129ec34f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:758:16
    #12 0x55d1de570f13 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #13 0x55d1de570f13 in main /src/browser/app/nsBrowserApp.cpp:267
    #14 0x7f6628699b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T6 (WRWorker#1) here:
    #0 0x55d1de53de63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55d1de572bcd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f66039519d6 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
    #3 0x7f66039519d6 in nsThreadManager::GetCurrentThread() /src/xpcom/threads/nsThreadManager.cpp:376
    #4 0x7f6611eb1710 in profiler_register_thread(char const*, void*) /src/tools/profiler/core/platform.cpp:3743:9
    #5 0x7f6606f775c7 in gecko_profiler_register_thread /src/gfx/layers/wr/WebRenderBridgeParent.cpp:142:3
    #6 0x7f6614f17952 in webrender_bindings::bindings::wr_thread_pool_new::_$u7b$$u7b$closure$u7d$$u7d$::h9e0a5abfefaf5976 /src/gfx/webrender_bindings/src/bindings.rs:1048:12

Thread T6 (WRWorker#1) created by T0 (GPU Process) here:
    #0 0x55d1de52643d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f661558e515 in std::sys::unix::thread::Thread::new::hba7601f1ccb9f089 /rustc/3c235d5600393dfe6c36eeed34042efad8d4f26e/src/libstd/sys/unix/thread.rs:68:18

Comment 1

[Andrew McCreight [:mccr8]]

This has been showing up intermittently on Tree Herder, too.