Closed
Bug 1560613
Opened 5 years ago
Closed 5 years ago
heap-use-after-free in [@ nsThreadManager::ReleaseThread]
Categories
(Core :: Graphics: WebRender, defect)
RESOLVED
DUPLICATE
of bug 1492988
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-uaf)
This was found by m-c 20190621-516ca8e19a81
Unfortunately I do not have a reproducible testcase but I will attach one if one becomes available.
==18200==ERROR: AddressSanitizer: heap-use-after-free on address 0x61100003a05f at pc 0x7f6603958353 bp 0x7f65f8a44d50 sp 0x7f65f8a44d48
READ of size 1 at 0x61100003a05f thread T6 (WRWorker#1)
#0 0x7f6603958352 in nsThreadManager::ReleaseThread(void*) /src/xpcom/threads/nsThreadManager.cpp:91:15
#1 0x7f6629b7a88d in _PR_DestroyThreadPrivate /src/nsprpub/pr/src/threads/prtpd.c:237:25
#2 0x7f6629b6aaf4 in _pt_thread_death_internal /src/nsprpub/pr/src/pthreads/ptthread.c:855:9
#3 0x7f6629b6ad76 in _pt_thread_death /src/nsprpub/pr/src/pthreads/ptthread.c:828:5
#4 0x7f66297ba407 in __nptl_deallocate_tsd.part.5 (/lib/x86_64-linux-gnu/libpthread.so.0+0x6407)
#5 0x7f66297bb81a in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x781a)
#6 0x7f662879988e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
0x61100003a05f is located 159 bytes inside of 232-byte region [0x611000039fc0,0x61100003a0a8)
freed by thread T0 (GPU Process) here:
#0 0x55d1de53dae2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f660394ab5c in nsThread::Release() /src/xpcom/threads/nsThread.cpp:191:1
#2 0x7f660395b051 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
#3 0x7f660395b051 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
#4 0x7f660395b051 in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
#5 0x7f660395b051 in Destruct /src/obj-firefox/dist/include/nsTArray.h:525
#6 0x7f660395b051 in DestructRange /src/obj-firefox/dist/include/nsTArray.h:2183
#7 0x7f660395b051 in ClearAndRetainStorage /src/obj-firefox/dist/include/nsTArray.h:1300
#8 0x7f660395b051 in ~nsTArray_Impl /src/obj-firefox/dist/include/nsTArray.h:881
#9 0x7f660395b051 in nsThreadManager::Shutdown() /src/xpcom/threads/nsThreadManager.cpp:318
#10 0x7f66039c48a9 in mozilla::ShutdownXPCOM(nsIServiceManager*) /src/xpcom/build/XPCOMInit.cpp:647:28
#11 0x7f66129ec34f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:758:16
#12 0x55d1de570f13 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#13 0x55d1de570f13 in main /src/browser/app/nsBrowserApp.cpp:267
#14 0x7f6628699b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
previously allocated by thread T6 (WRWorker#1) here:
#0 0x55d1de53de63 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x55d1de572bcd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f66039519d6 in operator new /src/obj-firefox/dist/include/mozilla/mozalloc.h:144:10
#3 0x7f66039519d6 in nsThreadManager::GetCurrentThread() /src/xpcom/threads/nsThreadManager.cpp:376
#4 0x7f6611eb1710 in profiler_register_thread(char const*, void*) /src/tools/profiler/core/platform.cpp:3743:9
#5 0x7f6606f775c7 in gecko_profiler_register_thread /src/gfx/layers/wr/WebRenderBridgeParent.cpp:142:3
#6 0x7f6614f17952 in webrender_bindings::bindings::wr_thread_pool_new::_$u7b$$u7b$closure$u7d$$u7d$::h9e0a5abfefaf5976 /src/gfx/webrender_bindings/src/bindings.rs:1048:12
Thread T6 (WRWorker#1) created by T0 (GPU Process) here:
#0 0x55d1de52643d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
#1 0x7f661558e515 in std::sys::unix::thread::Thread::new::hba7601f1ccb9f089 /rustc/3c235d5600393dfe6c36eeed34042efad8d4f26e/src/libstd/sys/unix/thread.rs:68:18
Comment 1•5 years ago
This has been showing up intermittently on Treeherder, too.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Updated•6 months ago
Group: gfx-core-security