Closed Bug 1580496 Opened 1 year ago Closed 1 year ago

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/payments/ipc/PaymentRequestChild.cpp:21:8 in mozilla::dom::PaymentRequestChild::RequestPayment(mozilla::dom::IPCPaymentActionRequest const&)

Categories

(Core :: DOM: Web Payments, defect, P2)

defect

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox69 --- disabled
firefox70 --- disabled
firefox71 --- fixed

People

(Reporter: jkratzer, Assigned: edenchuang)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(3 files, 1 obsolete file)

Attached file testcase.html (obsolete)

Testcase found while fuzzing mozilla-central rev ed89fc2a60d8. Testcase must be served via a local webserver in order to reproduce. Further, due to a race, index.html must be used as the starting point. Repeatedly opening the testcase reduces the amount of time required to trigger the issue.

==24421==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000397bb0 at pc 0x7fdf4a62004e bp 0x7ffe6a10ff60 sp 0x7ffe6a10ff58
READ of size 8 at 0x606000397bb0 thread T0 (file:// Content)
    #0 0x7fdf4a62004d in mozilla::dom::PaymentRequestChild::RequestPayment(mozilla::dom::IPCPaymentActionRequest const&) /builds/worker/workspace/build/src/dom/payments/ipc/PaymentRequestChild.cpp:21:8
    #1 0x7fdf4a5f58c6 in SendRequestPayment /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:374:31
    #2 0x7fdf4a5f58c6 in mozilla::dom::PaymentRequestManager::ClosePayment(mozilla::dom::PaymentRequest*) /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:593
    #3 0x7fdf4a5f53a8 in mozilla::dom::PaymentRequest::NotifyOwnerDocumentActivityChanged() /builds/worker/workspace/build/src/dom/payments/PaymentRequest.cpp:1185:10
    #4 0x7fdf455d2379 in mozilla::dom::NotifyActivityChanged(nsISupports*, void*) /builds/worker/workspace/build/src/dom/base/Document.cpp:6654:29
    #5 0x7fdf45604a3f in EnumerateActivityObservers /builds/worker/workspace/build/src/dom/base/Document.cpp:11900:5
    #6 0x7fdf45604a3f in mozilla::dom::Document::RemovedFromDocShell() /builds/worker/workspace/build/src/dom/base/Document.cpp:10518
    #7 0x7fdf4b075ba5 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1689:44
    #8 0x7fdf4dc7341a in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4925:21
    #9 0x7fdf458c9987 in nsFrameLoader::DestroyDocShell() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1880:20
    #10 0x7fdf458c9724 in nsFrameLoaderDestroyRunnable::Run() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1816:21
    #11 0x7fdf455d7e43 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() /builds/worker/workspace/build/src/dom/base/Document.cpp:8478:22
    #12 0x7fdf455d744b in mozilla::dom::Document::EndUpdate() /builds/worker/workspace/build/src/dom/base/Document.cpp:6992:3
    #13 0x7fdf45655bf7 in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:34:18
    #14 0x7fdf45655bf7 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2386
    #15 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:835:12
    #16 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:831
    #17 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1558
    #18 0x7fdf47baafce in SetHTMLAttr /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:712
    #19 0x7fdf47baafce in SetMethod /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLFormElement.h:336
    #20 0x7fdf47baafce in mozilla::dom::HTMLFormElement_Binding::set_method(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLFormElementBinding.cpp:487
    #21 0x7fdf47f57835 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3121:8
    #22 0x7fdf4eb40547 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #23 0x7fdf4eb40547 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #24 0x7fdf4eb465dd in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
    #25 0x7fdf4eb465dd in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610
    #26 0x7fdf4eb465dd in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:748
    #27 0x7fdf4f089bf3 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2932:8
    #28 0x7fdf4f0826c1 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2961:14
    #29 0x7fdf4f6fb59a in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:283:10
    #30 0x7fdf4f6fb59a in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:166
    #31 0x7fdf47f84806 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:241:10
    #32 0x7fdf4ed60a61 in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:395:19
    #33 0x7fdf4ed60a61 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:403
    #34 0x7fdf4eb1ea18 in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:280:12
    #35 0x7fdf4eb1ea18 in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:269
    #36 0x7fdf4eb1ea18 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2849
    #37 0x7fdf4eb09e8f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #38 0x7fdf4eb4104f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #39 0x7fdf4eb43272 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #40 0x7fdf4f6ab128 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2723:10
    #41 0x7fdf477236a0 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #42 0x7fdf486f0df5 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #43 0x7fdf486f0df5 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1032
    #44 0x7fdf486f286b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1230:17
    #45 0x7fdf486d964a in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #46 0x7fdf486d964a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #47 0x7fdf486d7e62 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #48 0x7fdf486dd82b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1045:11
    #49 0x7fdf486e4750 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #50 0x7fdf458eeada in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1061:17
    #51 0x7fdf452919d9 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3953:28
    #52 0x7fdf452917a3 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3923:10
    #53 0x7fdf455d9112 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7076:3
    #54 0x7fdf456c0444 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #55 0x7fdf456c0444 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #56 0x7fdf456c0444 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #57 0x7fdf41437bc1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #58 0x7fdf41469626 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #59 0x7fdf4146f528 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #60 0x7fdf49f14763 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1225:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #61 0x7fdf49f14763 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::BrowserChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1225
    #62 0x7fdf49f74cea in mozilla::dom::BrowserChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, bool, nsDocShellLoadState*, bool*, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:947:14
    #63 0x7fdf4e7d0c04 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:781:24
    #64 0x7fdf4e7d64d5 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:377:10
    #65 0x7fdf4e7d64d5 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, bool, nsDocShellLoadState*, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #66 0x7fdf453c6a2d in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, mozilla::dom::BrowsingContext**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7272:21
    #67 0x7fdf453c539c in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5752:10
    #68 0x7fdf453c539c in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5725
    #69 0x7fdf45360591 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3742:3
    #70 0x7fdf47329019 in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2868:59
    #71 0x7fdf47f5c167 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3168:13
    #72 0x7fdf4eb40547 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #73 0x7fdf4eb40547 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #74 0x7fdf4eb287ec in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:598:10
    #75 0x7fdf4eb287ec in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #76 0x7fdf4eb09e8f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #77 0x7fdf4eb4104f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:567:13
    #78 0x7fdf4eb43272 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610:8
    #79 0x7fdf4f6ab128 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2723:10
    #80 0x7fdf479be8c2 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:41:8
    #81 0x7fdf457bafff in void mozilla::dom::Function::Call<nsCOMPtr<nsIGlobalObject> >(nsCOMPtr<nsIGlobalObject> const&, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:73:12
    #82 0x7fdf457ba9b1 in mozilla::dom::CallbackTimeoutHandler::Call(char const*) /builds/worker/workspace/build/src/dom/base/TimeoutHandler.cpp:181:29
    #83 0x7fdf453797aa in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:5893:38
    #84 0x7fdf457b4c7c in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&, bool) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:892:44
    #85 0x7fdf457b3875 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:179:11
    #86 0x7fdf457b739c in mozilla::dom::TimeoutExecutor::Run() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:234:5
    #87 0x7fdf41483f64 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:252:22
    #88 0x7fdf4147ec5f in mozilla::ThrottledEventQueue::Inner::Executor::Run() /builds/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:80:15
    #89 0x7fdf41437bc1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #90 0x7fdf41469626 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #91 0x7fdf4146f528 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #92 0x7fdf4268b68f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #93 0x7fdf42588352 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #94 0x7fdf42588352 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #95 0x7fdf42588352 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #96 0x7fdf4a994449 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #97 0x7fdf4e886e8f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #98 0x7fdf42588352 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #99 0x7fdf42588352 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #100 0x7fdf42588352 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #101 0x7fdf4e886736 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #102 0x55fb93129dda in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #103 0x55fb93129dda in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272
    #104 0x7fdf62f75b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #105 0x55fb9304b3fc in _start (/home/forb1dden/builds/mc-asan/firefox+0x453fc)

0x606000397bb0 is located 48 bytes inside of 56-byte region [0x606000397b80,0x606000397bb8)
freed by thread T0 (file:// Content) here:
    #0 0x55fb930f6a92 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7fdf49f9fcf5 in mozilla::dom::BrowserChild::DeallocPPaymentRequestChild(mozilla::dom::PPaymentRequestChild*) /builds/worker/workspace/build/src/dom/ipc/BrowserChild.cpp:3305:3
    #2 0x7fdf42693d23 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:253:11
    #3 0x7fdf435c044f in mozilla::dom::PBrowserChild::RemoveManagee(int, mozilla::ipc::IProtocol*) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp
    #4 0x7fdf4359650c in mozilla::dom::PBrowserChild::SendPPaymentRequestConstructor(mozilla::dom::PPaymentRequestChild*) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:630:14
    #5 0x7fdf4a5fe01e in mozilla::dom::PaymentRequestManager::GetPaymentChild(mozilla::dom::PaymentRequest*) /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:365:17
    #6 0x7fdf4a5f58bb in SendRequestPayment /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:373:39
    #7 0x7fdf4a5f58bb in mozilla::dom::PaymentRequestManager::ClosePayment(mozilla::dom::PaymentRequest*) /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:593
    #8 0x7fdf4a5f53a8 in mozilla::dom::PaymentRequest::NotifyOwnerDocumentActivityChanged() /builds/worker/workspace/build/src/dom/payments/PaymentRequest.cpp:1185:10
    #9 0x7fdf455d2379 in mozilla::dom::NotifyActivityChanged(nsISupports*, void*) /builds/worker/workspace/build/src/dom/base/Document.cpp:6654:29
    #10 0x7fdf45604a3f in EnumerateActivityObservers /builds/worker/workspace/build/src/dom/base/Document.cpp:11900:5
    #11 0x7fdf45604a3f in mozilla::dom::Document::RemovedFromDocShell() /builds/worker/workspace/build/src/dom/base/Document.cpp:10518
    #12 0x7fdf4b075ba5 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1689:44
    #13 0x7fdf4dc7341a in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4925:21
    #14 0x7fdf458c9987 in nsFrameLoader::DestroyDocShell() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1880:20
    #15 0x7fdf458c9724 in nsFrameLoaderDestroyRunnable::Run() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1816:21
    #16 0x7fdf455d7e43 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() /builds/worker/workspace/build/src/dom/base/Document.cpp:8478:22
    #17 0x7fdf455d744b in mozilla::dom::Document::EndUpdate() /builds/worker/workspace/build/src/dom/base/Document.cpp:6992:3
    #18 0x7fdf45655bf7 in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:34:18
    #19 0x7fdf45655bf7 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2386
    #20 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:835:12
    #21 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:831
    #22 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1558
    #23 0x7fdf47baafce in SetHTMLAttr /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:712
    #24 0x7fdf47baafce in SetMethod /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLFormElement.h:336
    #25 0x7fdf47baafce in mozilla::dom::HTMLFormElement_Binding::set_method(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLFormElementBinding.cpp:487
    #26 0x7fdf47f57835 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3121:8
    #27 0x7fdf4eb40547 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #28 0x7fdf4eb40547 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539

previously allocated by thread T0 (file:// Content) here:
    #0 0x55fb930f6e13 in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x55fb9312c49d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fdf4a5fdffd in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fdf4a5fdffd in mozilla::dom::PaymentRequestManager::GetPaymentChild(mozilla::dom::PaymentRequest*) /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:364
    #4 0x7fdf4a5f58bb in SendRequestPayment /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:373:39
    #5 0x7fdf4a5f58bb in mozilla::dom::PaymentRequestManager::ClosePayment(mozilla::dom::PaymentRequest*) /builds/worker/workspace/build/src/dom/payments/PaymentRequestManager.cpp:593
    #6 0x7fdf4a5f53a8 in mozilla::dom::PaymentRequest::NotifyOwnerDocumentActivityChanged() /builds/worker/workspace/build/src/dom/payments/PaymentRequest.cpp:1185:10
    #7 0x7fdf455d2379 in mozilla::dom::NotifyActivityChanged(nsISupports*, void*) /builds/worker/workspace/build/src/dom/base/Document.cpp:6654:29
    #8 0x7fdf45604a3f in EnumerateActivityObservers /builds/worker/workspace/build/src/dom/base/Document.cpp:11900:5
    #9 0x7fdf45604a3f in mozilla::dom::Document::RemovedFromDocShell() /builds/worker/workspace/build/src/dom/base/Document.cpp:10518
    #10 0x7fdf4b075ba5 in nsDocumentViewer::Close(nsISHEntry*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1689:44
    #11 0x7fdf4dc7341a in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:4925:21
    #12 0x7fdf458c9987 in nsFrameLoader::DestroyDocShell() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1880:20
    #13 0x7fdf458c9724 in nsFrameLoaderDestroyRunnable::Run() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1816:21
    #14 0x7fdf455d7e43 in mozilla::dom::Document::MaybeInitializeFinalizeFrameLoaders() /builds/worker/workspace/build/src/dom/base/Document.cpp:8478:22
    #15 0x7fdf455d744b in mozilla::dom::Document::EndUpdate() /builds/worker/workspace/build/src/dom/base/Document.cpp:6992:3
    #16 0x7fdf45655bf7 in ~mozAutoDocUpdate /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:34:18
    #17 0x7fdf45655bf7 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2386
    #18 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:835:12
    #19 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:831
    #20 0x7fdf47baafce in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1558
    #21 0x7fdf47baafce in SetHTMLAttr /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:712
    #22 0x7fdf47baafce in SetMethod /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/HTMLFormElement.h:336
    #23 0x7fdf47baafce in mozilla::dom::HTMLFormElement_Binding::set_method(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLFormElement*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLFormElementBinding.cpp:487
    #24 0x7fdf47f57835 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3121:8
    #25 0x7fdf4eb40547 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:13
    #26 0x7fdf4eb40547 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:539
    #27 0x7fdf4eb465dd in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
    #28 0x7fdf4eb465dd in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:610
    #29 0x7fdf4eb465dd in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:748
    #30 0x7fdf4f089bf3 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2932:8
    #31 0x7fdf4f0826c1 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2961:14

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/payments/ipc/PaymentRequestChild.cpp:21:8 in mozilla::dom::PaymentRequestChild::RequestPayment(mozilla::dom::IPCPaymentActionRequest const&)
Shadow bytes around the buggy address:
  0x0c0c8006af20: 00 00 00 00 fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c8006af30: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c8006af40: fd fd fd fd fd fd fd fd fa fa fa fa 00 00 00 00
  0x0c0c8006af50: 00 00 00 fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c8006af60: fa fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
=>0x0c0c8006af70: fd fd fd fd fd fd[fd]fa fa fa fa fa fd fd fd fd
  0x0c0c8006af80: fd fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8006af90: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8006afa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8006afb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c8006afc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==24421==ABORTING
Flags: in-testsuite?
Attached file testcase.html

I previously attached the wrong testcase. Use this one instead.

Attachment #9092089 - Attachment is obsolete: true
Attached file index.html

Testcase bisects back further than a year.

Group: core-security → dom-core-security

marcos: can you help us find someone to work on this bug?

Flags: needinfo?(mcaceres)
Keywords: sec-high
Priority: -- → P1

Eden Chuang would probably be the right person. Otherwise, I can take a look after TPAC. Note that Payment API stuff is not shipping on the web, though it’s accessible (but completely broken) in Nightly... so at least there is that :)

Flags: needinfo?(mcaceres)

Hi Eden, see above. I'm traveling this week. Can you take a look, please?

Flags: needinfo?(echuang)

Sure, I will take a look.

Flags: needinfo?(echuang)
Assignee: nobody → echuang

PaymentRequestManager::GetPaymentChild() could return nullptr during window.close().

https://searchfox.org/mozilla-central/source/dom/payments/PaymentRequestManager.cpp#357

In this case, nsPIDOMWindowInner is nullptr after window.close(). In the meantime, PaymentRequest::NotifyOwnerDocumentActivityChanged() is triggered to close the existing PaymentRequest. Then we meet the situation where there is no nsPIDOMWindowInner to create the PaymentRequestChild actor.

Here, the simplest solution is to return directly and skip removing the PaymentRequest in the parent process. There is no memory leak issue with this solution because the PaymentRequest in the parent process would eventually be removed when PaymentRequestService is closed.

No need to worry about the cases where the PaymentRequest UI is showing, since in those cases there must already be an existing PaymentRequestChild saved in PaymentRequest::mIPC.
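The ASan report above shows the hazard the comment describes: within a single ClosePayment call, the actor is deallocated inside SendPPaymentRequestConstructor (frames #1-#4 of the "freed by" stack) and is then read by RequestPayment. As an added illustration that is not Firefox code, the following self-contained C++ model shows the defensive shape: the channel owns the actor, a failed constructor frees it without handing back a pointer, and the caller checks for nullptr before sending. All type names (Window, Request, Child, Channel, Manager) are hypothetical stand-ins for nsPIDOMWindowInner, PaymentRequest, PaymentRequestChild, the PBrowser IPC channel and PaymentRequestManager; the real Gecko types and signatures differ.

```cpp
// Added example (not Firefox code): a small self-contained C++ model of the
// lifecycle hazard described in this bug. All names below are hypothetical
// stand-ins; the real Gecko types and signatures differ.
#include <cstdio>
#include <memory>
#include <string>
#include <vector>

struct Window {};                    // stands in for nsPIDOMWindowInner

struct Request {                     // stands in for PaymentRequest
  Window* owner = nullptr;           // becomes nullptr once window.close() ran
  std::string id;
};

struct Child {                       // stands in for PaymentRequestChild
  std::vector<std::string> sent;     // messages that reached the "parent"
  void RequestPayment(const std::string& action) { sent.push_back(action); }
};

// Models SendPPaymentRequestConstructor: with no live window the IPC
// constructor fails and the just-allocated actor is deallocated at once.
// Ownership stays with the channel, so no raw pointer outlives the actor.
struct Channel {
  std::unique_ptr<Child> live;
  int deallocs = 0;

  Child* Construct(Window* window, std::unique_ptr<Child> actor) {
    if (!window) {
      ++deallocs;                    // actor destroyed here; nothing returned
      return nullptr;
    }
    live = std::move(actor);
    return live.get();
  }
};

class Manager {                      // stands in for PaymentRequestManager
 public:
  explicit Manager(Channel& channel) : channel_(channel) {}

  // Returns a usable actor, or nullptr when none can exist.
  Child* GetPaymentChild(const Request& req) {
    if (!req.owner) return nullptr;  // owner gone: do not try to construct
    if (channel_.live) return channel_.live.get();
    return channel_.Construct(req.owner, std::make_unique<Child>());
  }

  // Hardened ClosePayment: skip the IPC round trip when no actor can exist
  // (the parent side cleans up when the service itself closes).
  bool ClosePayment(const Request& req) {
    Child* child = GetPaymentChild(req);
    if (!child) return false;
    child->RequestPayment("close:" + req.id);
    return true;
  }

 private:
  Channel& channel_;
};

// Scenarios exposed as functions so the behaviour can be checked.
int MessagesSentWithLiveOwner() {    // constructed input: owner still alive
  Channel ch; Manager m(ch); Window w;
  Request req{&w, "req-live"};
  m.ClosePayment(req);
  return ch.live ? static_cast<int>(ch.live->sent.size()) : -1;
}

bool CloseSucceedsWithoutOwner() {   // constructed input: owner already closed
  Channel ch; Manager m(ch);
  Request req{nullptr, "req-closed"};
  return m.ClosePayment(req);
}

int DeallocsWhenConstructorFails() { // the failure path frees the actor
  Channel ch;
  Child* c = ch.Construct(nullptr, std::make_unique<Child>());
  return c == nullptr ? ch.deallocs : -1;
}

int main() {
  std::printf("live owner: %d message(s) sent\n", MessagesSentWithLiveOwner());
  std::printf("closed owner: close %s\n",
              CloseSucceedsWithoutOwner() ? "sent" : "skipped");
  std::printf("constructor failure: %d dealloc(s)\n",
              DeallocsWhenConstructorFails());
  return 0;
}
```

The point of the model is that the only pointer to the actor is the owning one inside the channel; a caller that receives nullptr has nothing to dereference, which is the shape of the fix described in the comment.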

PaymentRequestChild could be nullptr when PaymentRequest's owner is nullptr.

We don't ship PaymentRequest, do we? I'm just wondering if this needs to be sec-high given the lack of exposure on release.

Flags: needinfo?(echuang)

I think it does not need to be sec-high.

Flags: needinfo?(echuang)

OK, I'm going to go with sec-moderate and give Dan the opportunity to chastise me when he's back by needinfoing him.

Note: I'm glad Eden is still working on this :)

Flags: needinfo?(dveditz)
Keywords: sec-high → sec-moderate
Keywords: checkin-needed
Priority: P1 → P2
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71

For a feature we intend to ship that is currently disabled we usually go with sec-high for bugs like this, but make sure to set the various branch status flags to "disabled". That is, rate it with the urgency it will have once we do ship it so that we're not lulled into putting off the fix by an artificially low rating. And we'd probably forget to re-rate it once it is enabled.

For a power feature that's present but disabled by default, and always will be, sec-moderate is exactly right. The Payments API might be in a kind of mushy grey area of intending to ship but no definite plan on when that will be?

Flags: needinfo?(dveditz)
Keywords: sec-moderate → sec-high

This is marked as fixed however I can still reproduce this issue using the attached testcase on the latest m-c rev 035f52aed442.

Flags: needinfo?(aryx.bugmail)

Only added the commits. Eden, please see commit 16 - issue can still be reproduced.

Flags: needinfo?(aryx.bugmail) → needinfo?(echuang)
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Flags: needinfo?(echuang)
Group: core-security-release