Closed Bug 1586879 Opened 5 years ago Closed 5 years ago

Intermittent PID 17041 | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:963:10 in IPC::Channel::Unsound_IsClosed() const

Categories

(Core :: IPC, defect, P5)

Tracking

RESOLVED DUPLICATE of bug 1493656
Tracking Status
firefox71 --- affected

People

(Reporter: intermittent-bug-filer, Assigned: jld)

Details

(Keywords: csectype-uaf, intermittent-failure, regression)

Filed by: dvarga [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=270103846&repo=autoland
Full log: https://queue.taskcluster.net/v1/task/HnOezCR_TA29_BbChgPvzw/runs/0/artifacts/public/logs/live_backing.log

READ of size 8 at 0x602000148170 thread T0 (Web Content)
    #0 0x7f93b3570cec in IPC::Channel::Unsound_IsClosed() const src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:963:10
    #1 0x7f93b3608682 in Unsound_IsClosed src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:305:27
    #2 0x7f93b3608682 in mozilla::ipc::MessageChannel::Clear() src/ipc/glue/MessageChannel.cpp:748
    #3 0x7f93b36074f8 in mozilla::ipc::MessageChannel::~MessageChannel() src/ipc/glue/MessageChannel.cpp:643:3
    #4 0x7f93b362fd88 in mozilla::ipc::IToplevelProtocol::~IToplevelProtocol() src/ipc/glue/ProtocolUtils.cpp:593:1
    #5 0x7f93b971cfed in mozilla::gmp::GMPContentParent::~GMPContentParent() src/dom/media/gmp/GMPContentParent.cpp:35:39
    #6 0x7f93b23998bc in operator() src/xpcom/ds/PLDHashTable.cpp:304:7
    #7 0x7f93b23998bc in ForEachSlot<(lambda at src/xpcom/ds/PLDHashTable.cpp:302:51)> src/obj-firefox/dist/include/PLDHashTable.h:359
    #8 0x7f93b23998bc in ForEachSlot<(lambda at src/xpcom/ds/PLDHashTable.cpp:302:51)> src/obj-firefox/dist/include/PLDHashTable.h:349
    #9 0x7f93b23998bc in PLDHashTable::~PLDHashTable() src/xpcom/ds/PLDHashTable.cpp:302
    #10 0x7f93b976e48e in ~nsTHashtable src/obj-firefox/dist/include/nsTHashtable.h:384:43
    #11 0x7f93b976e48e in ~GMPServiceChild src/dom/media/gmp/GMPServiceChild.cpp:428
    #12 0x7f93b976e48e in mozilla::gmp::GMPServiceChild::~GMPServiceChild() src/dom/media/gmp/GMPServiceChild.cpp:428
    #13 0x7f93b976cb44 in operator() src/obj-firefox/dist/include/mozilla/UniquePtr.h:486:5
    #14 0x7f93b976cb44 in reset src/obj-firefox/dist/include/mozilla/UniquePtr.h:323
    #15 0x7f93b976cb44 in operator= src/obj-firefox/dist/include/mozilla/UniquePtr.h:296
    #16 0x7f93b976cb44 in mozilla::gmp::GeckoMediaPluginServiceChild::Observe(nsISupports*, char const*, char16_t const*) src/dom/media/gmp/GMPServiceChild.cpp:359
    #17 0x7f93b976cc2c in non-virtual thunk to mozilla::gmp::GeckoMediaPluginServiceChild::Observe(nsISupports*, char const*, char16_t const*) src/dom/media/gmp/GMPServiceChild.cpp
    #18 0x7f93b23bd9b1 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverList.cpp:66:19
    #19 0x7f93b23c3645 in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverService.cpp:291:19
    #20 0x7f93b255aa6a in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:631:24
    #21 0x7f93beb9271c in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:223:3
    #22 0x7f93b3631b12 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
    #23 0x7f93beb9336a in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:773:16
    #24 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #25 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #26 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #27 0x5622b0857dc8 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x46dc8)
0x602000148170 is located 0 bytes inside of 8-byte region [0x602000148170,0x602000148178)
freed by thread T2 (Chrome_~dThread) here:
    #0 0x5622b0903452 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f93b363f181 in operator delete src/obj-firefox/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f93b363f181 in DeleteTask<IPC::Channel>::Run() src/ipc/chromium/src/base/task.h:194
    #3 0x7f93b3542c05 in RunTask src/ipc/chromium/src/base/message_loop.cc:442:9
    #4 0x7f93b3542c05 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask&&) src/ipc/chromium/src/base/message_loop.cc:450
    #5 0x7f93b3543d4b in MessageLoop::DoWork() src/ipc/chromium/src/base/message_loop.cc:523:13
    #6 0x7f93b3546fc0 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) src/ipc/chromium/src/base/message_pump_libevent.cc:321:31
    #7 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #8 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #9 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #10 0x7f93b355ebbf in base::Thread::ThreadMain() src/ipc/chromium/src/base/thread.cc:192:16
    #11 0x7f93b3554e6c in ThreadFunc(void*) src/ipc/chromium/src/base/platform_thread_posix.cc:40:13
    #12 0x7f93d4c6b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
previously allocated by thread T26 (GMPThread) here:
    #0 0x5622b09037d3 in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x5622b0938d9d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f93b36425fd in operator new src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f93b36425fd in MakeUnique<IPC::Channel, const int &, IPC::Channel::Mode &, nullptr_t> src/obj-firefox/dist/include/mozilla/UniquePtr.h:617
    #4 0x7f93b36425fd in mozilla::ipc::OpenDescriptor(mozilla::ipc::TransportDescriptor const&, IPC::Channel::Mode) src/ipc/glue/Transport_posix.cpp:60
    #5 0x7f93b972f806 in mozilla::ipc::Endpoint<mozilla::gmp::PGMPContentParent>::Bind(mozilla::gmp::PGMPContentParent*) src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:776:30
    #6 0x7f93b976e742 in mozilla::gmp::GMPServiceChild::GetBridgedGMPContentParent(int, mozilla::ipc::Endpoint<mozilla::gmp::PGMPContentParent>&&) src/dom/media/gmp/GMPServiceChild.cpp:443:33
    #7 0x7f93b97b8ca6 in mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_8::operator()(mozilla::gmp::GMPServiceChild*) const src/dom/media/gmp/GMPServiceChild.cpp:185:50
    #8 0x7f93b97b7803 in InvokeMethod<(lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7), void ((lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7)::*)(mozilla::gmp::GMPServiceChild *) const, mozilla::gmp::GMPServiceChild *> src/obj-firefox/dist/include/mozilla/MozPromise.h:512:12
    #9 0x7f93b97b7803 in InvokeCallbackMethod<false, (lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7), void ((lambda at src/dom/media/gmp/GMPServiceChild.cpp:145:7)::*)(mozilla::gmp::GMPServiceChild *) const, mozilla::gmp::GMPServiceChild *, RefPtr<mozilla::MozPromise<mozilla::gmp::GMPServiceChild *, mozilla::MediaResult, true>::Private> > src/obj-firefox/dist/include/mozilla/MozPromise.h:544
    #10 0x7f93b97b7803 in mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ThenValue<mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_8, mozilla::gmp::GeckoMediaPluginServiceChild::GetContentParent(mozilla::GMPCrashHelper*, mozilla::gmp::NodeId const&, nsTString<char> const&, nsTArray<nsTString<char> > const&)::$_9>::DoResolveOrRejectInternal(mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ResolveOrRejectValue&) src/obj-firefox/dist/include/mozilla/MozPromise.h:726
    #11 0x7f93b97b6082 in mozilla::MozPromise<mozilla::gmp::GMPServiceChild*, mozilla::MediaResult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() src/obj-firefox/dist/include/mozilla/MozPromise.h:402:21
    #12 0x7f93b24dd942 in mozilla::EventTargetWrapper::Runner::Run() src/xpcom/threads/AbstractThread.cpp:113:25
    #13 0x7f93b2504d39 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #14 0x7f93b250b9a8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f93b362579a in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:303:20
    #16 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #18 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #19 0x7f93b24fe5fa in nsThread::ThreadFunc(void*) src/xpcom/threads/nsThread.cpp:458:11
    #20 0x7f93d0ed505d in _pt_root src/nsprpub/pr/src/pthreads/ptthread.c:198:5
    #21 0x7f93d4c6b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
Thread T2 (Chrome_~dThread) created by T0 (Web Content) here:
    #0 0x5622b08ebdad in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f93b355029c in CreateThread src/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f93b355029c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) src/ipc/chromium/src/base/platform_thread_posix.cc:134
    #3 0x7f93b355e2e3 in base::Thread::StartWithOptions(base::Thread::Options const&) src/ipc/chromium/src/base/thread.cc:97:8
    #4 0x7f93b3625d17 in mozilla::ipc::ProcessChild::ProcessChild(int) src/ipc/glue/ProcessChild.cpp:24:7
    #5 0x7f93beb9320d in ContentProcess src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:29:51
    #6 0x7f93beb9320d in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:699
    #7 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #8 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #9 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
Thread T26 (GMPThread) created by T0 (Web Content) here:
    #0 0x5622b08ebdad in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:210:3
    #1 0x7f93d0ec7158 in _PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:430:14
    #2 0x7f93d0eb0d3e in PR_CreateThread src/nsprpub/pr/src/pthreads/ptthread.c:503:12
    #3 0x7f93b2500b29 in nsThread::Init(nsTSubstring<char> const&) src/xpcom/threads/nsThread.cpp:672:8
    #4 0x7f93b250aad0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) src/xpcom/threads/nsThreadManager.cpp:515:12
    #5 0x7f93b250e8ea in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f93b9763e0c in NS_NewNamedThread<10> src/obj-firefox/dist/include/nsThreadUtils.h:71:10
    #7 0x7f93b9763e0c in mozilla::gmp::GeckoMediaPluginService::GetThread(nsIThread**) src/dom/media/gmp/GMPService.cpp:311
    #8 0x7f93b976222f in mozilla::gmp::GeckoMediaPluginService::Init() src/dom/media/gmp/GMPService.cpp:211:10
    #9 0x7f93b97a5931 in mozilla::gmp::GMPServiceCreateHelper::GetOrCreateOnMainThread() src/dom/media/gmp/GMPService.cpp:102:18
    #10 0x7f93b9760667 in mozilla::gmp::GMPServiceCreateHelper::GetOrCreate() src/dom/media/gmp/GMPService.cpp:65:17
    #11 0x7f93b24822ef in mozilla::xpcom::CreateInstanceImpl(mozilla::xpcom::ModuleID, nsISupports*, nsID const&, void**) src/obj-firefox/xpcom/components/StaticComponents.cpp:9230:60
    #12 0x7f93b24b97c2 in CreateInstance src/xpcom/components/nsComponentManager.cpp:224:46
    #13 0x7f93b24b97c2 in nsComponentManagerImpl::GetServiceLocked((anonymous namespace)::MutexLock&, (anonymous namespace)::EntryWrapper&, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1383
    #14 0x7f93b24ae12b in nsComponentManagerImpl::GetServiceByContractID(char const*, nsID const&, void**) src/xpcom/components/nsComponentManager.cpp:1570:10
    #15 0x7f93b24c27e9 in CallGetService src/xpcom/components/nsComponentManagerUtils.cpp:61:43
    #16 0x7f93b24c27e9 in nsGetServiceByContractID::operator()(nsID const&, void**) const src/xpcom/components/nsComponentManagerUtils.cpp:243
    #17 0x7f93b2336ca0 in nsCOMPtr_base::assign_from_gs_contractid(nsGetServiceByContractID, nsID const&) src/xpcom/base/nsCOMPtr.cpp:82:7
    #18 0x7f93b9799805 in nsCOMPtr src/obj-firefox/dist/include/nsCOMPtr.h:607:5
    #19 0x7f93b9799805 in mozilla::HaveGMPFor(nsTString<char> const&, nsTArray<nsTString<char> >&&) src/dom/media/gmp/GMPUtils.cpp:179
    #20 0x7f93b9679ffe in mozilla::dom::HavePluginForKeySystem(nsTString<char> const&) src/dom/media/eme/MediaKeySystemAccess.cpp:91:21
    #21 0x7f93b965d1fc in EnsureCDMInstalled src/dom/media/eme/MediaKeySystemAccess.cpp:103:8
    #22 0x7f93b965d1fc in mozilla::dom::MediaKeySystemAccess::GetKeySystemStatus(nsTSubstring<char16_t> const&, nsTSubstring<char>&) src/dom/media/eme/MediaKeySystemAccess.cpp:118
    #23 0x7f93b966d283 in mozilla::dom::MediaKeySystemAccessManager::RequestCallback(bool, mozilla::dom::DetailedPromise*, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::dom::MediaKeySystemAccessManager::RequestType) src/dom/media/eme/MediaKeySystemAccessManager.cpp:169:7
    #24 0x7f93b966c7c1 in mozilla::dom::MediaKeySystemAccessManager::Request(mozilla::dom::DetailedPromise*, nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::dom::MediaKeySystemAccessManager::RequestType) src/dom/media/eme/MediaKeySystemAccessManager.cpp:110:5
    #25 0x7f93b5db1a13 in mozilla::dom::Navigator::RequestMediaKeySystemAccess(nsTSubstring<char16_t> const&, mozilla::dom::Sequence<mozilla::dom::MediaKeySystemConfiguration> const&, mozilla::ErrorResult&) src/dom/base/Navigator.cpp:1801:33
    #26 0x7f93b691b0fb in requestMediaKeySystemAccess src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1897:60
    #27 0x7f93b691b0fb in mozilla::dom::Navigator_Binding::requestMediaKeySystemAccess_promiseWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Navigator*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NavigatorBinding.cpp:1913
    #28 0x7f93b8643a83 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3250:13
    #29 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #30 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #31 0x7f93bee01350 in CallFromStack src/js/src/vm/Interpreter.cpp:622:10
    #32 0x7f93bee01350 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3111
    #33 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #34 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #35 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #36 0x7f93bf286f49 in js::fun_apply(JSContext*, unsigned int, JS::Value*) src/js/src/vm/JSFunction.cpp:1184:10
    #37 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #38 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #39 0x7f93bee01350 in CallFromStack src/js/src/vm/Interpreter.cpp:622:10
    #40 0x7f93bee01350 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3111
    #41 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #42 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #43 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #44 0x7f93bef5c487 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) src/js/src/builtin/Promise.cpp:2234:15
    #45 0x7f93befa4a5c in PromiseConstructor(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:2155:7
    #46 0x7f93bee1d30b in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #47 0x7f93bee1d30b in CallJSNativeConstructor src/js/src/vm/Interpreter.cpp:473
    #48 0x7f93bee1d30b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) src/js/src/vm/Interpreter.cpp:662
    #49 0x7f93bee0113d in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3102:16
    #50 0x7f93bede2baf in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:424:10
    #51 0x7f93bee197d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:590:13
    #52 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #53 0x7f93befb0a3e in Call src/js/src/vm/Interpreter.h:103:10
    #54 0x7f93befb0a3e in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) src/js/src/builtin/Promise.cpp:1701
    #55 0x7f93bee18ccc in CallJSNative src/js/src/vm/Interpreter.cpp:457:13
    #56 0x7f93bee18ccc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:549
    #57 0x7f93bee1bb29 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:635:8
    #58 0x7f93bf9bf20b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2722:10
    #59 0x7f93b6bcea16 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
    #60 0x7f93b2327f10 in Call src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
    #61 0x7f93b2327f10 in Call src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104
    #62 0x7f93b2327f10 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) src/xpcom/base/CycleCollectedJSContext.cpp:245
    #63 0x7f93b23015c1 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) src/xpcom/base/CycleCollectedJSContext.cpp:667:17
    #64 0x7f93baa89da4 in LeaveMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:213:7
    #65 0x7f93baa89da4 in ~nsAutoMicroTask src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:367
    #66 0x7f93baa89da4 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) src/dom/script/ScriptLoader.cpp:2871
    #67 0x7f93baa81ce8 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) src/dom/script/ScriptLoader.cpp:2315:10
    #68 0x7f93baa7e5e4 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) src/dom/script/ScriptLoader.cpp:1864:10
    #69 0x7f93baa56aee in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) src/dom/script/ScriptLoader.cpp:1587:10
    #70 0x7f93baa55dbe in mozilla::dom::ScriptElement::MaybeProcessScript() src/dom/script/ScriptElement.cpp:118:18
    #71 0x7f93b4a7108a in AttemptToExecute src/obj-firefox/dist/include/nsIScriptElement.h:224:18
    #72 0x7f93b4a7108a in nsHtml5TreeOpExecutor::RunScript(nsIContent*) src/parser/html/nsHtml5TreeOpExecutor.cpp:729
    #73 0x7f93b4a6a8d3 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
    #74 0x7f93b4a79b3f in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:70:16
    #75 0x7f93b24d37a1 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #76 0x7f93b2504d39 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #77 0x7f93b250b9a8 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #78 0x7f93b362471a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #79 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #80 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #81 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #82 0x7f93bae66049 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #83 0x7f93beb93a9f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #84 0x7f93b35416f2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #85 0x7f93b35416f2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #86 0x7f93b35416f2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #87 0x7f93beb9333b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #88 0x5622b0936740 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #89 0x5622b0936740 in main src/browser/app/nsBrowserApp.cpp:272
    #90 0x7f93d3c0d82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
SUMMARY: AddressSanitizer: heap-use-after-free src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:963:10 in IPC::Channel::Unsound_IsClosed() const
Shadow bytes around the buggy address:
  0x0c0480020fd0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480020fe0: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480020ff0: fa fa fd fd fa fa 00 00 fa fa 00 06 fa fa 00 06
  0x0c0480021000: fa fa fd fd fa fa 00 02 fa fa 01 fa fa fa fd fa
  0x0c0480021010: fa fa fd fd fa fa fd fd fa fa 00 fa fa fa 00 00
=>0x0c0480021020: fa fa fd fd fa fa 00 fa fa fa 00 00 fa fa[fd]fa
  0x0c0480021030: fa fa fd fd fa fa fd fd fa fa 00 00 fa fa 00 00
  0x0c0480021040: fa fa fd fd fa fa fd fa fa fa fd fa fa fa fd fd
  0x0c0480021050: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
  0x0c0480021060: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fd
  0x0c0480021070: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==19018==ABORTING
Group: dom-core-security

Looks similar to bug 1557739 -- seems like a GMP shutdown crash due to the rather complicated ownership model.

See Also: → 1557739
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INCOMPLETE
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---

New sec-high showing up in ipc. Might be GMP related in which case this may be a media issue. Maybe Jed or Haik have some bandwidth?

Flags: needinfo?(gpascutto)

Seems a likely duplicate of bug 1493656.

Assignee: nobody → jld
Flags: needinfo?(gpascutto)

This does look like a duplicate of bug 1493656. However, the scope of bug 1493656 is just to make this a safe crash instead of a race condition / use-after-free; there isn't a simple fix to the problem of the top-level actor being destroyed before the channel is closed. But it's a shutdown crash, so as long as it's not exploitable it shouldn't be a major problem for the end user, I wouldn't think.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Keywords: sec-high
Group: dom-core-security