Closed Bug 1564273 Opened 5 years ago Closed 5 years ago

heap-use-after-free in [@ nsThreadManager::Shutdown]

Categories

(Core :: Graphics: WebRender, defect)

defect
Not set
normal


RESOLVED DUPLICATE of bug 1479273
Tracking Status
firefox69 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, testcase-wanted)

Attachments

(1 file)

Found with m-c 20190707-483d687212fb

==52564==ERROR: AddressSanitizer: heap-use-after-free on address 0x611000069f40 at pc 0x7f1f40a4cf25 bp 0x7ffcf685e8d0 sp 0x7ffcf685e8c8
READ of size 8 at 0x611000069f40 thread T0 (GPU Process)
    #0 0x7f1f40a4cf24 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:46:40
    #1 0x7f1f40a4cf24 in Release /src/obj-firefox/dist/include/mozilla/RefPtr.h:363
    #2 0x7f1f40a4cf24 in ~RefPtr /src/obj-firefox/dist/include/mozilla/RefPtr.h:77
    #3 0x7f1f40a4cf24 in Destruct /src/obj-firefox/dist/include/nsTArray.h:525
    #4 0x7f1f40a4cf24 in DestructRange /src/obj-firefox/dist/include/nsTArray.h:2183
    #5 0x7f1f40a4cf24 in ClearAndRetainStorage /src/obj-firefox/dist/include/nsTArray.h:1300
    #6 0x7f1f40a4cf24 in ~nsTArray_Impl /src/obj-firefox/dist/include/nsTArray.h:881
    #7 0x7f1f40a4cf24 in nsThreadManager::Shutdown() /src/xpcom/threads/nsThreadManager.cpp:318
    #8 0x7f1f40ab5f79 in mozilla::ShutdownXPCOM(nsIServiceManager*) /src/xpcom/build/XPCOMInit.cpp:647:28
    #9 0x7f1f4fac3c3f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:758:16
    #10 0x561e59ae2113 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #11 0x561e59ae2113 in main /src/browser/app/nsBrowserApp.cpp:267
    #12 0x7f1f6580bb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #13 0x561e59a0364c in _start (/home/worker/builds/m-c-20190707211726-fuzzing-asan-opt/firefox+0x4564c)

0x611000069f40 is located 0 bytes inside of 232-byte region [0x611000069f40,0x61100006a028)
freed by thread T11 (WRWorker#6) here:
    #0 0x561e59aaece2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f1f40a3c7dc in nsThread::Release() /src/xpcom/threads/nsThread.cpp:191:1
    #2 0x7f1f66cec88d in _PR_DestroyThreadPrivate /src/nsprpub/pr/src/threads/prtpd.c:237:25
    #3 0x7f1f66cdcaf4 in _pt_thread_death_internal /src/nsprpub/pr/src/pthreads/ptthread.c:855:9
    #4 0x7f1f66cdcd76 in _pt_thread_death /src/nsprpub/pr/src/pthreads/ptthread.c:828:5
    #5 0x7f1f6692c407 in __nptl_deallocate_tsd.part.5 (/lib/x86_64-linux-gnu/libpthread.so.0+0x6407)

previously allocated by thread T11 (WRWorker#6) here:
    #0 0x561e59aaf063 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x561e59ae3dcd in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f1f40a43586 in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f1f40a43586 in nsThreadManager::GetCurrentThread() /src/xpcom/threads/nsThreadManager.cpp:376
    #4 0x7f1f4ef74280 in profiler_register_thread(char const*, void*) /src/tools/profiler/core/platform.cpp:3777:9
    #5 0x7f1f44040627 in gecko_profiler_register_thread /src/gfx/layers/wr/WebRenderBridgeParent.cpp:142:3
    #6 0x7f1f520ac1c2 in webrender_bindings::bindings::wr_thread_pool_new::_$u7b$$u7b$closure$u7d$$u7d$::h9e0a5abfefaf5976 /src/gfx/webrender_bindings/src/bindings.rs:1046:12

Thread T11 (WRWorker#6) created by T0 (GPU Process) here:
    #0 0x561e59a9763d in __interceptor_pthread_create /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f1f527245b5 in std::sys::unix::thread::Thread::new::hba7601f1ccb9f089 /rustc/3c235d5600393dfe6c36eeed34042efad8d4f26e/src/libstd/sys/unix/thread.rs:68:18
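The three traces above describe one lifetime pattern: the nsThread record is created lazily from the worker thread (GetCurrentThread() via profiler_register_thread), its last reference is dropped by the NSPR thread-private-data destructor when that thread exits, and the manager's list is destroyed later from the main thread during XPCOM shutdown while still pointing at the freed block. The code below is an added illustration of that pattern and of the ordering that avoids it; it is not Firefox code and not the fix applied in bug 1479273. ThreadRecord, ThreadRegistry, ThreadSlot and their methods are hypothetical stand-ins, and the invariant they enforce (unlink from the list at thread death, before the thread's own reference is released, with the list holding a strong reference in the meantime) is an assumption about what a correct version looks like.

```cpp
#include <cstddef>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <utility>
#include <vector>

// Hypothetical stand-in for nsThread: one record per OS thread, owned jointly
// by the registry's list and by the thread's own thread-local slot.
struct ThreadRecord {
    std::string name;
    explicit ThreadRecord(std::string n) : name(std::move(n)) {}
};

// Hypothetical stand-in for nsThreadManager's thread list.
class ThreadRegistry {
public:
    // Called lazily from the thread being registered (the role
    // GetCurrentThread() plays in the allocation trace). The list keeps a
    // strong reference and the caller gets another for its thread-local slot.
    std::shared_ptr<ThreadRecord> registerCurrent(std::string name) {
        auto rec = std::make_shared<ThreadRecord>(std::move(name));
        std::lock_guard<std::mutex> lock(mu_);
        list_.push_back(rec);
        return rec;
    }

    // Thread-death hook (the role the NSPR thread-private destructor plays in
    // the free trace). Unlinking happens under the lock and before the
    // thread's own reference is dropped, so the list never points at a
    // record that has already been freed.
    void onThreadDeath(const ThreadRecord* rec) {
        std::lock_guard<std::mutex> lock(mu_);
        for (auto it = list_.begin(); it != list_.end(); ++it) {
            if (it->get() == rec) {
                list_.erase(it);
                break;
            }
        }
    }

    // Shutdown drops the remaining references (what the nsTArray destructor in
    // frame #6 does) and reports how many entries were still registered. Each
    // of them is alive here because the list owns a reference, so releasing
    // them cannot touch freed memory.
    std::size_t shutdown() {
        std::lock_guard<std::mutex> lock(mu_);
        std::size_t remaining = list_.size();
        list_.clear();
        return remaining;
    }

    std::size_t size() {
        std::lock_guard<std::mutex> lock(mu_);
        return list_.size();
    }

private:
    std::mutex mu_;
    std::vector<std::shared_ptr<ThreadRecord>> list_;
};

// RAII object kept in a thread_local; its destructor runs when the OS thread
// exits, in the same position as a pthread TLS destructor.
struct ThreadSlot {
    ThreadRegistry* reg = nullptr;
    std::shared_ptr<ThreadRecord> rec;
    ~ThreadSlot() {
        if (reg && rec) {
            reg->onThreadDeath(rec.get());  // unlink first ...
        }
        // ... then the slot's reference is released, freeing the record.
    }
};

// Spawns `workers` short-lived threads that each register themselves, joins
// them, then shuts the registry down. Returns how many entries shutdown still
// had to release: 0 when every thread unregistered itself on exit.
std::size_t runWorkersAndShutdown(ThreadRegistry& reg, int workers) {
    std::vector<std::thread> threads;
    for (int i = 0; i < workers; ++i) {
        threads.emplace_back([&reg, i] {
            thread_local ThreadSlot slot;
            slot.reg = &reg;
            slot.rec = reg.registerCurrent("WRWorker#" + std::to_string(i));
        });
    }
    for (auto& t : threads) t.join();
    return reg.shutdown();
}

// The other ordering: shutdown runs while a registered thread is still alive.
// The list's reference goes away, but the thread's own reference keeps the
// record valid, so it can still be read afterwards.
std::string shutdownBeforeThreadExit(ThreadRegistry& reg) {
    std::shared_ptr<ThreadRecord> mine = reg.registerCurrent("GPU Process");
    reg.shutdown();
    return mine->name;
}
```

Run under AddressSanitizer, neither ordering produces a report; the report on this bug corresponds to the case where the thread-death hook releases the thread's reference without the list entry having been unlinked, so shutdown's RefPtr destructor reads the freed refcount.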
Summary: nsThread::MaybeRemoveFromThreadList → heap-use-after-free in [@ nsThreadManager::Shutdown]
Attached file alternate_asan_log.txt
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Group: gfx-core-security
