Closed Bug 1577311 Opened 5 years ago Closed 5 years ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56 in operator bool

Categories

(Core :: DOM: File, defect, P1)

defect

Tracking

()

VERIFIED FIXED
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- wontfix
firefox70 + verified
firefox71 + verified

People

(Reporter: jkratzer, Assigned: tt)

References

(Blocks 2 open bugs, Regression)

Details

(5 keywords, Whiteboard: [adv-main70+][adv-main70+r][post-critsmash-triage])

Attachments

(6 files)

Attached file testcase.html —

Testcase found while fuzzing mozilla-central rev 546d1fd47c9a. This bug appears to be due to a race condition and may require up to a minute to trigger. Further, due to the use of XHR, the testcase must be served via a local webserver.

Also note, that the top contents of worker.js is not relevant to the bug but it appears that the load time of workers.js is related and the additional content delays loading enough to trigger the crash.

==28067==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000741778 at pc 0x7fc3444f05a2 bp 0x7fc3314fd100 sp 0x7fc3314fd0f8
READ of size 8 at 0x603000741778 thread T41 (DOM Worker)
    #0 0x7fc3444f05a1 in operator bool /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56
    #1 0x7fc3444f05a1 in TraceCallbackFunc::Trace(JS::Heap<JSObject*>*, char const*, void*) const /builds/worker/workspace/build/src/xpcom/base/nsCycleCollectorTraceJSHelpers.cpp:48
    #2 0x7fc3444a70ee in mozilla::CycleCollectedJSRuntime::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:797:15
    #3 0x7fc3444a8e97 in mozilla::CycleCollectedJSRuntime::TraverseRoots(nsCycleCollectionNoteRootCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1140:3
    #4 0x7fc3444ec0de in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3611:19
    #5 0x7fc3444eb300 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3413:9
    #6 0x7fc3444eee6c in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3949:21
    #7 0x7fc352d7ee17 in callGCCallback /builds/worker/workspace/build/src/js/src/gc/GC.cpp:1488:3
    #8 0x7fc352d7ee17 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6986
    #9 0x7fc352d7fe70 in ~AutoCallGCCallbacks /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6965:32
    #10 0x7fc352d7fe70 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7076
    #11 0x7fc352d83759 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7247:9
    #12 0x7fc352d1ae8f in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7329:3
    #13 0x7fc34d221ad1 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2342:5
    #14 0x7fc3446a23a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #15 0x7fc3446a83e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #16 0x7fc3458a79f4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
    #17 0x7fc3457a1202 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #18 0x7fc3457a1202 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #19 0x7fc3457a1202 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #20 0x7fc34469bcea in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
    #21 0x7fc3674db0bd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #22 0x7fc36711f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #23 0x7fc3660fd88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x603000741778 is located 24 bytes inside of 32-byte region [0x603000741760,0x603000741780)
freed by thread T41 (DOM Worker) here:
    #0 0x5569afb3e942 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fc3444e3876 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
    #2 0x7fc3444e255e in nsCycleCollector::FreeSnowWhite(bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2609:3
    #3 0x7fc3444ebd18 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3584:3
    #4 0x7fc3444eb300 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3413:9
    #5 0x7fc3444eee6c in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3949:21
    #6 0x7fc352d7ee17 in callGCCallback /builds/worker/workspace/build/src/js/src/gc/GC.cpp:1488:3
    #7 0x7fc352d7ee17 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6986
    #8 0x7fc352d7fe70 in ~AutoCallGCCallbacks /builds/worker/workspace/build/src/js/src/gc/GC.cpp:6965:32
    #9 0x7fc352d7fe70 in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7076
    #10 0x7fc352d83759 in js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7247:9
    #11 0x7fc352d1ae8f in js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:7329:3
    #12 0x7fc34d221ad1 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2342:5
    #13 0x7fc3446a23a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #14 0x7fc3446a83e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7fc3458a79f4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
    #16 0x7fc3457a1202 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7fc3457a1202 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7fc3457a1202 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7fc34469bcea in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
    #20 0x7fc3674db0bd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #21 0x7fc36711f6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

previously allocated by thread T41 (DOM Worker) here:
    #0 0x5569afb3ecc3 in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5569afb73a2d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fc34b8e8ce1 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fc34b8e8ce1 in mozilla::dom::Blob::Stream(JSContext*, JS::MutableHandle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/file/Blob.cpp:362
    #4 0x7fc348d2c051 in mozilla::dom::Blob_Binding::stream(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Blob*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/BlobBinding.cpp:745:24
    #5 0x7fc34b07179d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3163:13
    #6 0x7fc351c6df07 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #7 0x7fc351c6df07 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #8 0x7fc351c561ac in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:598:10
    #9 0x7fc351c561ac in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #10 0x7fc351c3784f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #11 0x7fc351c6ea0f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #12 0x7fc351c70c32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #13 0x7fc352782368 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
    #14 0x7fc34a8d5a24 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #15 0x7fc34b83afb1 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #16 0x7fc34b83afb1 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:205
    #17 0x7fc34b7ff59c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1041:22
    #18 0x7fc34b80103e in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1233:17
    #19 0x7fc34b7e7a5a in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #20 0x7fc34b7e7a5a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #21 0x7fc34b7e6272 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #22 0x7fc34b7ebc3b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #23 0x7fc34b7f2cb0 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #24 0x7fc34b7ae01d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/events/DOMEventTargetHelper.cpp:166:17

Thread T41 (DOM Worker) created by T0 (file:// Content) here:
    #0 0x5569afb2729d in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7fc3674cd1b8 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:430:14
    #2 0x7fc3674b6d9e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:503:12
    #3 0x7fc34469e1d9 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
    #4 0x7fc34d2829c8 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
    #5 0x7fc34d1f293d in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1431:14
    #6 0x7fc34d1f0fb4 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1296:19
    #7 0x7fc34d251202 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2327:24
    #8 0x7fc34d201765 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:30:41
    #9 0x7fc34a5be50c in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1141:52
    #10 0x7fc351c71bf7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #11 0x7fc351c71bf7 in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:463
    #12 0x7fc351c71bf7 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:656
    #13 0x7fc352f59829 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:3210:10
    #14 0x2384695c8797  (<unknown module>)
    #15 0x62100044c1ff  (<unknown module>)
    #16 0x2384695c648e  (<unknown module>)
    #17 0x7fc35315ee3d in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:111:5
    #18 0x7fc35315ee3d in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:184
    #19 0x7fc351c5e167 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:1991:17
    #20 0x7fc351c3784f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #21 0x7fc351c6ea0f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #22 0x7fc351c70c32 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #23 0x7fc352782368 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
    #24 0x7fc34a8dad40 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #25 0x7fc34b7ff565 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #26 0x7fc34b7ff565 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1035
    #27 0x7fc34b800fe0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1233:17
    #28 0x7fc34b7e7a5a in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #29 0x7fc34b7e7a5a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #30 0x7fc34b7e6272 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #31 0x7fc34b7ebc3b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1047:11
    #32 0x7fc34b7f2cb0 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #33 0x7fc348ad2fca in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1061:17
    #34 0x7fc348470559 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3973:28
    #35 0x7fc348470323 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3943:10
    #36 0x7fc3487ba9b2 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7060:3
    #37 0x7fc3488a2484 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #38 0x7fc3488a2484 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #39 0x7fc3488a2484 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #40 0x7fc344670451 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #41 0x7fc3446a23a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #42 0x7fc3446a83e8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #43 0x7fc3458a602f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #44 0x7fc3457a1202 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #45 0x7fc3457a1202 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #46 0x7fc3457a1202 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #47 0x7fc34dab8d99 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #48 0x7fc3519b68df in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #49 0x7fc3457a1202 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #50 0x7fc3457a1202 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #51 0x7fc3457a1202 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #52 0x7fc3519b6186 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #53 0x5569afb71d73 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #54 0x5569afb71d73 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:267
    #55 0x7fc365ffdb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/RootingAPI.h:339:56 in operator bool
Shadow bytes around the buggy address:
  0x0c06800e0290: fa fa fd fd fd fa fa fa 00 00 00 fa fa fa 00 00
  0x0c06800e02a0: 00 fa fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c06800e02b0: fd fd fd fa fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800e02c0: fa fa 00 00 00 00 fa fa fd fd fd fd fa fa fd fd
  0x0c06800e02d0: fd fa fa fa fd fd fd fd fa fa fd fd fd fd fa fa
=>0x0c06800e02e0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd[fd]
  0x0c06800e02f0: fa fa fd fd fd fd fa fa fd fd fd fa fa fa fd fd
  0x0c06800e0300: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
  0x0c06800e0310: fd fd fd fd fa fa fd fd fd fd fa fa fd fd fd fd
  0x0c06800e0320: fa fa fd fd fd fd fa fa fd fd fd fd fa fa fd fd
  0x0c06800e0330: fd fd fa fa fd fd fd fd fa fa fd fd fd fd fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==28067==ABORTING
Flags: in-testsuite?
Attached file worker.js —
Attached file prefs.js —

The attached testcase bisects back to the original implementation of Blob.stream() which was introduced in bug 1557121.

Flags: needinfo?(amarchesini)
Group: core-security → dom-core-security

It seems (though I have no proof), that during the same call to:
#3 0x7fc3444ebd18 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3584:3
first a SnowWhiteKiller deletes some object without removing it from the mJSHolders Vectror of JSHolderInfo (containing raw pointers):
#1 0x7fc3444e3876 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2416:7
then mCCJSRuntime->TraverseRoots(*mBuilder); is iterating that vector and crashes:
#2 0x7fc3444a70ee in mozilla::CycleCollectedJSRuntime::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:797:15

But I am not sure, if the expected behavior of the SnowWhiteKiller in nsCycleCollector.cpp should be to keep in sync the private vector mJSHolders in CycleCollectedRuntime.cpp, though. This might need some further investigation.

Flags: needinfo?(peterv)

This bug is a dup of bug 1571037.

Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(peterv)
Flags: needinfo?(amarchesini)
Resolution: --- → DUPLICATE

This doesn't appear to be the same bug as the attached testcase still reproduces this issue using the latest nightly (6b93a83735ed).

Flags: needinfo?(amarchesini)

Tyson, do you think it's possible to record this too?

Flags: needinfo?(amarchesini) → needinfo?(twsmith)
Flags: needinfo?(twsmith)
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---

Here is a trace from a debug build:
BuildID=20190919094654
SourceStamp=6b93a83735ed3ab3b57b46c1b768814b1a1af5d6

Assertion failure: T::cycleCollection::CheckForRightISupports(s) (not the nsISupports pointer we expect), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCycleCollectionParticipant.h:357

rax = 0x000055e9d27f5340   rdx = 0x0000000000000000
rcx = 0x00007f9bd006758e   rbx = 0x00007f9ba4fbf310
rsi = 0x00007f9bdcfd5770   rdi = 0x00007f9bdcfd4540
rbp = 0x00007f9bc03fdf70   rsp = 0x00007f9bc03fdf60
r8 = 0x00007f9bdcfd5770    r9 = 0x00007f9bc03ff700
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007f9bc03fdfd8   r13 = 0x00007f9bc03fdfd7
r14 = 0x00007f9bd2badf60   r15 = 0x00007f9bd2badf60
rip = 0x00007f9bccc44cfc
OS|Linux|0.0.0 Linux 4.15.0-64-generic #73~16.04.1-Ubuntu SMP Fri Sep 13 09:56:18 UTC 2019 x86_64
CPU|amd64|family 6 model 158 stepping 9|1
GPU|||
Crash|SIGSEGV|0x0|33
33|0|libxul.so|DowncastCCParticipantImpl<mozilla::dom::(anonymous namespace)::BlobBodyStreamHolder, true>::Run|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollectionParticipant.h:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|356|0x32
33|1|libxul.so|BlobBodyStreamHolder::cycleCollection::Trace|hg:hg.mozilla.org/mozilla-central:dom/file/Blob.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|326|0x24
33|2|libxul.so|mozilla::CycleCollectedJSRuntime::TraverseNativeRoots(nsCycleCollectionNoteRootCallback&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSRuntime.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|799|0xb
33|3|libxul.so|mozilla::CycleCollectedJSRuntime::TraverseRoots(nsCycleCollectionNoteRootCallback&)|hg:hg.mozilla.org/mozilla-central:xpcom/base/CycleCollectedJSRuntime.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|1138|0x5
33|4|libxul.so|nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|3611|0x15
33|5|libxul.so|nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|3413|0xf
33|6|libxul.so|nsCycleCollector_collect(nsICycleCollectorListener*)|hg:hg.mozilla.org/mozilla-central:xpcom/base/nsCycleCollector.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|3949|0x1e
33|7|libxul.so|js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus)|hg:hg.mozilla.org/mozilla-central:js/src/gc/GC.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|7060|0xb
33|8|libxul.so|js::gc::GCRuntime::gcCycle(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason)|hg:hg.mozilla.org/mozilla-central:js/src/gc/GC.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|7089|0xd
33|9|libxul.so|js::gc::GCRuntime::collect(bool, js::SliceBudget, mozilla::Maybe<JSGCInvocationKind> const&, JS::GCReason)|hg:hg.mozilla.org/mozilla-central:js/src/gc/GC.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|7321|0x1d
33|10|libxul.so|js::gc::GCRuntime::gc(JSGCInvocationKind, JS::GCReason)|hg:hg.mozilla.org/mozilla-central:js/src/gc/GC.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|7403|0x24
33|11|libxul.so|WorkerThreadPrimaryRunnable::Run|hg:hg.mozilla.org/mozilla-central:dom/workers/RuntimeService.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|2342|0x5
33|12|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|1225|0x15
33|13|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|486|0x11
33|14|libxul.so|mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|333|0xd
33|15|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|315|0x17
33|16|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|290|0x8
33|17|libxul.so|nsThread::ThreadFunc(void*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|458|0x38
33|18|libnspr4.so|_pt_root|hg:hg.mozilla.org/mozilla-central:nsprpub/pr/src/pthreads/ptthread.c:6b93a83735ed3ab3b57b46c1b768814b1a1af5d6|198|0x7
33|19|libpthread-2.23.so|start_thread|/build/glibc-LK5gWL/glibc-2.23/nptl/pthread_create.c|333|0x11
33|20|libc-2.23.so|clone|||0x6d

Sorry for my probably very incomplete knowledge of our toolchain, but is there a way to see (always regarding Comment 4) if it is actually the same call to BeginCollection? It is definitely the same Thread and the same stack trace up to that call, but it might be always different moments in time. Do we have a possibility to see this (from timestamps, log information or whatever) ?

But in the end probably it does not even make a real difference: The memory has been freed by that same function in that same thread, so I would exclude strange side effects and look straight into the implementation of the SnowWhiteKiller and surroundings also in the implementing classes.

The debug information just tells us, that we have a BlobBodyStreamHolder object, that gets corrupted:

326 CRASH--> NS_IMPL_CYCLE_COLLECTION_TRACE_BEGIN_INHERITED(BlobBodyStreamHolder,
                                               BodyStreamHolder)
  NS_IMPL_CYCLE_COLLECTION_TRACE_JS_MEMBER_CALLBACK(mStream)
NS_IMPL_CYCLE_COLLECTION_TRACE_END

The BlobBodyStreamHolder is held as a RefPtr by a BodyStream (mStreamHolder), which is in turn held by Blob, which itself is a Cycle Collector participant.

I assume, this nested situation leads to a situation, in which:

  1. CycleCollector collects all potential objects in a vector
  2. while looking on them, the Blob is evicted
  3. This removes (obscure to the cycle collector) also the nested BlobBodyStreamHolder
  4. which then the Cycle Collector wants to remove

As I am new to Cycle Collectors: Is it a foreseen usage, to nest those Cycle Collector participants and to delete them through the owner rather than leave deletion to the Collector itself?

Component: DOM: Workers → DOM: File
Attached file BlobBodyStreamHolderSnippet —
Hmmm, I should read better the provided information: Assertion failure: T::cycleCollection::CheckForRightISupports(s) (not the nsISupports pointer we expect), at /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCycleCollectionParticipant.h:357 This would indicate, that there is simply something wrong with the way BlobBodyStreamHolder has been defined: https://bugzilla.mozilla.org/attachment.cgi?id=9094180

Probably BlobBodyStreamHolder should not just declare NS_DECL_ISUPPORTS_INHERITED but a cycle collector variant one? Which?

Flags: needinfo?(bugmail)

Actually, I don't see anything wrong with the CC macros. BlobBodyStreamHolder uses NS_DECL_ISUPPORTS_INHERITED and NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED, which should be fine. It might need to |mozilla::DropJSObjects(this);| in its destructor and unlink though.

(In reply to Peter Van der Beken [:peterv] from comment #14)

Actually, I don't see anything wrong with the CC macros. BlobBodyStreamHolder uses NS_DECL_ISUPPORTS_INHERITED and NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED, which should be fine. It might need to |mozilla::DropJSObjects(this);| in its destructor and unlink though.

Thanks for that hint! In fact, the unlink function and the destructor look incomplete.

Assignee: nobody → shes050117
Status: REOPENED → ASSIGNED
Priority: -- → P1

(In reply to Peter Van der Beken [:peterv] from comment #14)

Actually, I don't see anything wrong with the CC macros. BlobBodyStreamHolder uses NS_DECL_ISUPPORTS_INHERITED and NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED, which should be fine. It might need to |mozilla::DropJSObjects(this);| in its destructor and unlink though.

Apply this comment can fix the issue. However, I also found in BlobBodyStreamHolder::NullifyStream() [1] would call that as well and it's called by BodyStream::ReleaseObjects(). I wonder if something (XHR) blocks the normal calls for cleaning up/releasing objects and thus we have UAF in this case. I need to dig into the code path more.

[1] https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/file/Blob.cpp#304

I would strongly recommend to implement in any case the expected unlink functions directly into the holder object and not to rely on BodyStream::ReleaseObjects(), because I suspect, that the order of deletion might not be in a way, that BodyStream::ReleaseObjects() is ever called before trying to delete the Holder through the Cycle Collector. It might be a good idea, though, to guide all flows to the same implementing function (from the holder's destructor and the BodyStream::ReleaseObjects()/BlobBodyStreamHolder::NullifyStream() path), which could be directly the unlink function implemented by the macro (and with the right content).

So, the issue caught by this test is:

  • It failed at the BodyStream::Create() [1]
  • BlobBodyStreamHolder tells CC it holds a JSObject in [2] (before [1])
  • Thus, BodyStream is deleted right after BodyStream::Create() (because it fails and doesn't call the addref)
  • And thus, BlobBodyStreamHolder is called after that (ref count is zero; on snow white)
  • The second access is probably when CC check the registered object and then UAF

Normally, BodyStream::Close() would be called (and thus BlodyStream::ReleaseObject(), NullifyStream(), DropJSObject would be called) before it's deleted. However, in the case here, the BlodyStream::ReleaseObject() was not called before it got destructed.

To fix this, we should clean up (calling Close()) when we fail on the creation of the BodyStream. I'll update a patch for that.

[1] https://searchfox.org/mozilla-central/rev/45f30e1d19bde27bf07e47a0a5dd0962dd27ba18/dom/base/BodyStream.cpp#115
[2] https://searchfox.org/mozilla-central/rev/f43ae7e1c43a4a940b658381157a6ea6c5a185c1/dom/file/Blob.cpp#362

Flags: needinfo?(bugmail)

(In reply to Jens Stutte [:jstutte] from comment #17)

I would strongly recommend to implement in any case the expected unlink functions directly into the holder object and not to rely on BodyStream::ReleaseObjects(), because I suspect, that the order of deletion might not be in a way, that BodyStream::ReleaseObjects() is ever called before trying to delete the Holder through the Cycle Collector. It might be a good idea, though, to guide all flows to the same implementing function (from the holder's destructor and the BodyStream::ReleaseObjects()/BlobBodyStreamHolder::NullifyStream() path), which could be directly the unlink function implemented by the macro (and with the right content).

In this case, the unlink function for the BlobBodyStreamHolder wasn't called. So, if it's what we suppose to do, we should open another bug for that.

I could reproduce the issue on my desktop. After applying the patch I attached, I cannot hit the issue by the provided testcase.

(In reply to Tom Tung [:tt, :ttung] from comment #19)

In this case, the unlink function for the BlobBodyStreamHolder wasn't called. So, if it's what we suppose to do, we should open another bug for that.

Talked with Jens this morning, we suspect the reason for that is probably because the SnowWhiteKiller doesn't have any way to understand these stuff. Thus the holder is killed and its work inside unlink is not called.

Also, we should probably call DropJSObjects on the holder's destructor to avoid another edge case in the future. And we have checked DropJSObjects is safe to be called multiple times.

The only thing we are not so sure about is that usage for also calling DropJSObjects on unlink function if we will do that on the destructor.

(In reply to Peter Van der Beken [:peterv] from comment #14)

Actually, I don't see anything wrong with the CC macros. BlobBodyStreamHolder uses NS_DECL_ISUPPORTS_INHERITED and NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED, which should be fine. It might need to |mozilla::DropJSObjects(this);| in its destructor and unlink though.

Peter, could you shed the light on the usage for doing that in unlink? My question is more like why it's not enough for calling that on destructor. Would it happen like we need to DropJSObjects at the point of unlink? Thank you in advance!

Flags: needinfo?(peterv)
Attachment #9095244 - Attachment description: Bug 1577311 - Close the stream if the creation fail; → Bug 1577311 - Close the stream if there is a failure during the creation;

Comment on attachment 9095244 [details]
Bug 1577311 - Close the stream if there is a failure during the creation; r=baku

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: The attacker might understand it's probably related to not close the stream on the creation, but they cannot understand the way for making that fail on the creation.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 69
  • If not all supported branches, which bug introduced the flaw?: Bug 1557121
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Not really sure about the answer to this. Again, the attacker might understand it's probably related to not close the stream on the creation, but they cannot understand the way for making that fail on the creation
  • How likely is this patch to cause regressions; how much testing does it need?: The code path itself is for the failure cases and it only close the stream on the failure cases. So, I guess it should be hard.
Attachment #9095244 - Flags: sec-approval?

sec-approval+ for trunk. We'll want this nominated for beta as well.

Attachment #9095244 - Flags: sec-approval? → sec-approval+

Jason, could you help me to verify if P1 solves the issue? It works on my machine. Thanks!

Flags: needinfo?(jkratzer)

Land Patch 1 first since I cannot reproduce the issue once I apply that.

Keywords: leave-open

Initial landing: https://hg.mozilla.org/integration/autoland/rev/7d1f6ed3ccf56db2f558bd8aaf352543122e09a2

Backed out for build bustage in dom/file/Blob.cpp::

https://hg.mozilla.org/integration/autoland/rev/9ffde0fb448b092c0b931610ee26d26e0ddb30a7

Push with bustage: https://treeherder.mozilla.org/#/jobs?repo=autoland&group_state=expanded&selectedJob=269255700&resultStatus=testfailed%2Cbusted%2Cexception%2Csuperseded%2Cretry%2Cusercancel&revision=7d1f6ed3ccf56db2f558bd8aaf352543122e09a2
Failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=269251355&repo=autoland

[task 2019-10-01T17:08:45.937Z] 17:08:45 ERROR - /builds/worker/workspace/build/src/dom/file/Blob.cpp:362:41: error: variable of type 'mozilla::dom::(anonymous namespace)::BlobBodyStreamHolder' only valid on the stack
[task 2019-10-01T17:08:45.937Z] 17:08:45 INFO - RefPtr<BlobBodyStreamHolder> holder = new BlobBodyStreamHolder();
[task 2019-10-01T17:08:45.937Z] 17:08:45 INFO - ^
[task 2019-10-01T17:08:45.937Z] 17:08:45 INFO - /builds/worker/workspace/build/src/dom/file/Blob.cpp:362:41: note: value incorrectly allocated on the heap
[task 2019-10-01T17:08:45.937Z] 17:08:45 INFO - /builds/worker/workspace/build/src/dom/file/Blob.cpp:295:7: note: 'mozilla::dom::(anonymous namespace)::BlobBodyStreamHolder' is a stack type because it inherits from a stack type 'mozilla::dom::BodyStreamHolder'
[task 2019-10-01T17:08:45.938Z] 17:08:45 INFO - class BlobBodyStreamHolder final : public BodyStreamHolder {
[task 2019-10-01T17:08:45.939Z] 17:08:45 INFO - ^
[task 2019-10-01T17:08:45.939Z] 17:08:45 INFO - /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/BodyStream.h:55:19: note: 'mozilla::dom::BodyStreamHolder' is a stack type because member 'mStreamCreated' is a stack type 'DebugOnly<bool>'
[task 2019-10-01T17:08:45.939Z] 17:08:45 INFO - DebugOnly<bool> mStreamCreated = false;
[task 2019-10-01T17:08:45.939Z] 17:08:45 INFO - ^
[task 2019-10-01T17:08:45.939Z] 17:08:45 INFO - 1 error generated.

Flags: needinfo?(ttung)

(In reply to Tom Tung [:tt, :ttung] from comment #26)

Jason, could you help me to verify if P1 solves the issue? It works on my machine. Thanks!

I can confirm that this issue no longer reproduces using the patch in comment 24.

Flags: needinfo?(jkratzer)
Attachment #9095244 - Attachment description: Bug 1577311 - Close the stream if there is a failure during the creation; → Bug 1577311 - Close the stream if there is a failure during the creation; r=baku

Fix the DebugOnly<> issue

Flags: needinfo?(ttung)

(In reply to Peter Van der Beken [:peterv] from comment #14)

Actually, I don't see anything wrong with the CC macros. BlobBodyStreamHolder uses NS_DECL_ISUPPORTS_INHERITED and NS_DECL_CYCLE_COLLECTION_SCRIPT_HOLDER_CLASS_INHERITED, which should be fine. It might need to |mozilla::DropJSObjects(this);| in its destructor and unlink though.

Peter, could you shed the light on the usage for doing that in unlink? My question is more like why it's not enough for calling that on destructor. Would it happen like we need to DropJSObjects at the point of unlink? Thank you in advance!

Not doing it in unlink might lead to leaks, the easiest to understand case is that there's a cycle between the BlobBodyStreamHolder and a JS object, with one edge from BlobBodyStreamHolder to the JS object and one edge from the JS object to the BlobBodyStreamHolder. If you don't DropJSObjects in unlink, then the JS object will not be collected by the JS GC (because the JS holder, the BlobBodyStreamHolder in this case, still has a reference to it). In turn, we will not release the BlobBodyStreamHolder because it's held alive by a JS object. So the destructor for BlobBodyStreamHolder might not even be run in this case.

Note that the cycles and edges involved might be much more complicated, but incomplete unlinking can definitely lead to leaks.

Flags: needinfo?(peterv)
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Group: core-security-release → dom-core-security
Status: RESOLVED → REOPENED
Keywords: leave-open
Resolution: FIXED → ---
Target Milestone: mozilla71 → ---
Keywords: regression

(In reply to Peter Van der Beken [:peterv] from comment #31)

Not doing it in unlink might lead to leaks, the easiest to understand case is that there's a cycle between the BlobBodyStreamHolder and a JS object, with one edge from BlobBodyStreamHolder to the JS object and one edge from the JS object to the BlobBodyStreamHolder. If you don't DropJSObjects in unlink, then the JS object will not be collected by the JS GC (because the JS holder, the BlobBodyStreamHolder in this case, still has a reference to it). In turn, we will not release the BlobBodyStreamHolder because it's held alive by a JS object. So the destructor for BlobBodyStreamHolder might not even be run in this case.

Note that the cycles and edges involved might be much more complicated, but incomplete unlinking can definitely lead to leaks.

Thanks for the explanation! That clear on thought and I will call DropJSObject in the unlink fucntion in D47218.

Attachment #9095443 - Attachment description: Bug 1577311 - Ensure the js object is dropped while the holder is destructored; → Bug 1577311 - Ensure the js object is dropped while the holder is unlinked and destructored;

Comment on attachment 9095443 [details]
Bug 1577311 - Ensure the js object is dropped while the holder is unlinked and destructored;

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: This patch cleanup the link between the holder and the js object in unlink function and dtor of the holder. It's a safeguard to prevent leaking in the worst case in theory. So, it should be hard to attack based on this patch.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 69
  • If not all supported branches, which bug introduced the flaw?: Bug 1557121
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: So this patch prevents the worst case in theory so it should be hard to attack.
  • How likely is this patch to cause regressions; how much testing does it need?: Shouldn't be since it only calls cleanup function in its dtor and unlink function
Attachment #9095443 - Flags: sec-approval?

I will uplift these two patches to the beta once the second stay in m-c for more than two days without reporting any issue.

(In reply to Jason Kratzer [:jkratzer] from comment #29)

(In reply to Tom Tung [:tt, :ttung] from comment #26)

Jason, could you help me to verify if P1 solves the issue? It works on my machine. Thanks!

I can confirm that this issue no longer reproduces using the patch in comment 24.

Thanks for the verify! (And sorry that I somehow missed this comment : (

Comment on attachment 9095443 [details]
Bug 1577311 - Ensure the js object is dropped while the holder is unlinked and destructored;

sec-approval+ for trunk and I'll copy Al and ask to please nominate for beta as well.

Attachment #9095443 - Flags: sec-approval? → sec-approval+

Can you request beta uplift please (and provide a rebased patch for beta if necessary?) Thanks!

Flags: needinfo?(ttung)

Comment on attachment 9095244 [details]
Bug 1577311 - Close the stream if there is a failure during the creation; r=baku

Beta/Release Uplift Approval Request

  • User impact if declined: UAF if run the script provided by the reporter
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The patch calls the cleanup function while there is a failure in the creation of a Stream object. In general, this code path is not easy to be run (because, normally, it is not easy to have a failure during the creation). Note that this patch fixes the reported issue and confirmed by the reporter.

Another patch (Ensure the js ...) is a cleanup function to ensure there is no other similar case that is not covered by the previous patch. Note, it was pushed to m-c only for one day, but I think it should be safe to uplift.

  • String changes made/needed:
Flags: needinfo?(ttung)
Attachment #9095244 - Flags: approval-mozilla-beta?
Attachment #9095443 - Flags: approval-mozilla-beta?

Comment on attachment 9095244 [details]
Bug 1577311 - Close the stream if there is a failure during the creation; r=baku

Fix for sec-high issue, OK for beta 14 uplift.

Attachment #9095244 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #9095443 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: REOPENED → RESOLVED
Closed: 5 years ago5 years ago
Resolution: --- → FIXED
Whiteboard: [adv-main70+][adv-main70-rollup]
Whiteboard: [adv-main70+][adv-main70-rollup] → [adv-main70+][adv-main70+r]
Group: dom-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [adv-main70+][adv-main70+r] → [adv-main70+][adv-main70+r][post-critsmash-triage]
QA Whiteboard: [qa-triaged]

Hey Tom,

Are there any steps to reproduce this issue and the expected result?
Based on what is here so far I loaded the testcase on a local webserver, opened it in Firefox and expected it to crash after 1-2 minutes but nothing happened. I'm also getting an error in cmd so not quite sure if I can verify this fix..

Flags: needinfo?(ttung)

(In reply to Timea Cernea [:tbabos] from comment #44)

Hey Tom,

Are there any steps to reproduce this issue and the expected result?
Based on what is here so far I loaded the testcase on a local webserver, opened it in Firefox and expected it to crash after 1-2 minutes but nothing happened. I'm also getting an error in cmd so not quite sure if I can verify this fix..

Hi Timea,

IIRC, if the web page doesn't crashing, then the fix is verified. Before the fixed is landed, it crashed immedicately on my machine.

Flags: needinfo?(ttung)

That sounds good, but I can't reproduce the crash on affected Nightly 69 either.
If you could find the time to verify Nightly and Beta for uplift, that would be great. I can't vouch for the fix if I can't reproduce it on affected builds :(

Flags: needinfo?(ttung)

(In reply to Timea Cernea [:tbabos] from comment #46)

That sounds good, but I can't reproduce the crash on affected Nightly 69 either.

Did you enable the fuzzy mode? (ac_add_options --enable-fuzzing)

The testcase is 100% reproducible to me while I was testing (both Mac Book Pro and Linux machine). And I used an ASAN build with enable fuzzy mode.

I put the command I ran below:
python -m ffpuppet -p prefs.js --xvfb -d -l log ~/Work/mozilla-central/objdir-ff-asan/dist/bin/firefox -u http://localhost:8000/testcase.html

If you are curious about ffpuppet you can go to this https://github.com/MozillaSecurity/ffpuppet

Please let me know if you need more information.

If you could find the time to verify Nightly and Beta for uplift, that would be great. I can't vouch for the fix if I can't reproduce it on affected builds :(

Could you elaborate more? I guess you are asking for the reversion number? I put that below:

(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #43)

https://hg.mozilla.org/releases/mozilla-beta/rev/d18091b73cc4
https://hg.mozilla.org/releases/mozilla-beta/rev/a465465b5d98

Flags: needinfo?(ttung) → needinfo?(tbabos)
Flags: needinfo?(tbabos)

Thanks for the help Tom!
Managed to reproduce the crash on 69 Nightly on linux and macOS, it required some setup I was not aware of and had to do some research.
Verified - fixed on fuzzing asan builds on latest Beta 71.0b7 and latest Release 70.0.2 on Ubuntu 18.04 and MacOS 10.14.

Status: RESOLVED → VERIFIED
QA Whiteboard: [qa-triaged]
Flags: qe-verify+
Group: core-security-release
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: