Closed Bug 1607276 Opened 1 year ago Closed 1 year ago

heap-use-after-free in [@ mozilla::DOMEventTargetHelper::IgnoreKeepAliveIfHasListenersFor]

Categories: Core :: DOM: Service Workers, defect, P1

Status: RESOLVED FIXED (mozilla75)

Tracking Status:
firefox-esr68 --- unaffected
firefox72 --- unaffected
firefox73 --- disabled
firefox74 + fixed
firefox75 + fixed

People: Reporter: tsmith, Assigned: perry

References: Blocks 2 open bugs, Regression

Details: Keywords: crash, csectype-uaf, sec-high; Whiteboard: [post-critsmash-triage]

Attachments: 3 files, 1 obsolete file

Report from m-c 20200104-d5402d5ef78b

A test case is currently being reduced and will be attached once it is available.

==16536==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110006789a8 at pc 0x7f848a6da0bd bp 0x7ffe490dc470 sp 0x7ffe490dc468
READ of size 8 at 0x6110006789a8 thread T0 (file:// Content)
    #0 0x7f848a6da0bc in Hdr /src/obj-firefox/dist/include/nsTArray.h:494:32
    #1 0x7f848a6da0bc in Elements /src/obj-firefox/dist/include/nsTArray.h:1058:47
    #2 0x7f848a6da0bc in unsigned long nsTArray_Impl<nsTString<char16_t>, nsTArrayInfallibleAllocator>::IndexOf<nsTSubstring<char16_t>, nsDefaultComparator<nsTString<char16_t>, nsTSubstring<char16_t> > >(nsTSubstring<char16_t> const&, unsigned long, nsDefaultComparator<nsTString<char16_t>, nsTSubstring<char16_t> > const&) const /src/obj-firefox/dist/include/nsTArray.h:1204:29
    #3 0x7f848a6d9dd9 in bool nsTArray_Impl<nsTString<char16_t>, nsTArrayInfallibleAllocator>::RemoveElement<nsTSubstring<char16_t>, nsDefaultComparator<nsTString<char16_t>, nsTSubstring<char16_t> > >(nsTSubstring<char16_t> const&, nsDefaultComparator<nsTString<char16_t>, nsTSubstring<char16_t> > const&) /src/obj-firefox/dist/include/nsTArray.h:1850:20
    #4 0x7f848a6b4fdc in RemoveElement<nsTSubstring<char16_t> > /src/obj-firefox/dist/include/nsTArray.h:1863:12
    #5 0x7f848a6b4fdc in mozilla::DOMEventTargetHelper::IgnoreKeepAliveIfHasListenersFor(nsTSubstring<char16_t> const&) /src/dom/events/DOMEventTargetHelper.cpp:247:31
    #6 0x7f848c507713 in mozilla::dom::ServiceWorkerRegistration::RegistrationCleared() /src/dom/serviceworkers/ServiceWorkerRegistration.cpp:129:3
    #7 0x7f848c50cd3b in mozilla::dom::ServiceWorkerRegistrationChild::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /src/dom/serviceworkers/ServiceWorkerRegistrationChild.cpp:21:13
    #8 0x7f8485907b4d in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /src/ipc/glue/ProtocolUtils.cpp:572:3
    #9 0x7f848648c78a in mozilla::dom::PServiceWorkerRegistrationChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PServiceWorkerRegistrationChild.cpp:338:20
    #10 0x7f848606eeaf in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #11 0x7f84858ee8f2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2212:25
    #12 0x7f84858e9554 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2134:9
    #13 0x7f84858eb81f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1973:3
    #14 0x7f84858ec720 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2004:13
    #15 0x7f84846c9907 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1241:14
    #16 0x7f84846d410c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #17 0x7f84858fa27f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:87:21
    #18 0x7f84857f37a7 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #19 0x7f84857f37a7 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
    #20 0x7f84857f37a7 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
    #21 0x7f848c6f0848 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #22 0x7f849021c4b6 in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:946:20
    #23 0x7f84857f37a7 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #24 0x7f84857f37a7 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308:3
    #25 0x7f84857f37a7 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290:3
    #26 0x7f849021bb5f in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:781:34
    #27 0x55b908f62331 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #28 0x55b908f62331 in main /src/browser/app/nsBrowserApp.cpp:303:18
    #29 0x7f84a6c0eb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #30 0x55b908eb7dfc in _start (/home/worker/builds/m-c-20200104094647-fuzzing-asan-opt/firefox+0x9bdfc)

0x6110006789a8 is located 104 bytes inside of 200-byte region [0x611000678940,0x611000678a08)
freed by thread T0 (file:// Content) here:
    #0 0x55b908f2facd in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f848451b132 in SnowWhiteKiller::~SnowWhiteKiller() /src/xpcom/base/nsCycleCollector.cpp:2416:7
    #2 0x7f848451a588 in nsCycleCollector::FreeSnowWhite(bool) /src/xpcom/base/nsCycleCollector.cpp:2609:3
    #3 0x7f8484521da4 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /src/xpcom/base/nsCycleCollector.cpp:3584:3
    #4 0x7f8484521640 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /src/xpcom/base/nsCycleCollector.cpp:3413:9
    #5 0x7f84845248be in nsCycleCollector_collect(nsICycleCollectorListener*) /src/xpcom/base/nsCycleCollector.cpp:3913:21
    #6 0x7f84888287e4 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /src/dom/base/nsJSEnvironment.cpp:1535:3
    #7 0x7f8489defbd1 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:67:3
    #8 0x7f84904820cd in CallJSNative /src/js/src/vm/Interpreter.cpp:452:13
    #9 0x7f84904820cd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:544:12
    #10 0x7f8490483f0a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:608:10
    #11 0x7f8490469942 in CallFromStack /src/js/src/vm/Interpreter.cpp:612:10
    #12 0x7f8490469942 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3038:16
    #13 0x7f849044c124 in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:424:10
    #14 0x7f84904821c5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:580:13
    #15 0x7f8490483f0a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /src/js/src/vm/Interpreter.cpp:608:10
    #16 0x7f84904841e6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /src/js/src/vm/Interpreter.cpp:625:8
    #17 0x7f8490668cb2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2755:10
    #18 0x7f8489cf3200 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #19 0x7f848a6fafab in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #20 0x7f848a6fa9e4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1065:43
    #21 0x7f848a6fc046 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1263:17

previously allocated by thread T0 (file:// Content) here:
    #0 0x55b908f2fd4d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55b908f6553d in moz_xmalloc /src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f848c506c8c in operator new /src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f848c506c8c in mozilla::dom::ServiceWorkerRegistration::CreateForMainThread(nsPIDOMWindowInner*, mozilla::dom::ServiceWorkerRegistrationDescriptor const&) /src/dom/serviceworkers/ServiceWorkerRegistration.cpp:83:7
    #4 0x7f8488349f8e in nsGlobalWindowInner::GetOrCreateServiceWorkerRegistration(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) /src/dom/base/nsGlobalWindowInner.cpp:5522:11
    #5 0x7f848834a104 in non-virtual thunk to nsGlobalWindowInner::GetOrCreateServiceWorkerRegistration(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) /src/dom/base/nsGlobalWindowInner.cpp
    #6 0x7f848c457e0e in operator() /src/dom/serviceworkers/ServiceWorkerContainer.cpp:515:21
    #7 0x7f848c457e0e in std::_Function_handler<void (mozilla::dom::ServiceWorkerRegistrationDescriptor const&), mozilla::dom::ServiceWorkerContainer::GetRegistration(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)::$_24>::_M_invoke(std::_Any_data const&, mozilla::dom::ServiceWorkerRegistrationDescriptor const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #8 0x7f848c44ff20 in operator() /src/dom/serviceworkers/RemoteServiceWorkerContainerImpl.cpp:113:9
    #9 0x7f848c44ff20 in std::_Function_handler<void (mozilla::dom::IPCServiceWorkerRegistrationDescriptorOrCopyableErrorResult&&), mozilla::dom::RemoteServiceWorkerContainerImpl::GetRegistration(mozilla::dom::ClientInfo const&, nsTSubstring<char> const&, std::function<void (mozilla::dom::ServiceWorkerRegistrationDescriptor const&)>&&, std::function<void (mozilla::ErrorResult&)>&&) const::$_4>::_M_invoke(std::_Any_data const&, mozilla::dom::IPCServiceWorkerRegistrationDescriptorOrCopyableErrorResult&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #10 0x7f84864739dc in Resolve /src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:131:37
    #11 0x7f84864739dc in mozilla::dom::PServiceWorkerContainerChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PServiceWorkerContainerChild.cpp:381:27
    #12 0x7f848606eeaf in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #13 0x7f84858ee8f2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /src/ipc/glue/MessageChannel.cpp:2212:25
    #14 0x7f84858e9554 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /src/ipc/glue/MessageChannel.cpp:2134:9
    #15 0x7f84858eb81f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /src/ipc/glue/MessageChannel.cpp:1973:3
    #16 0x7f84858ec720 in mozilla::ipc::MessageChannel::MessageTask::Run() /src/ipc/glue/MessageChannel.cpp:2004:13
    #17 0x7f84846c9907 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1241:14
    #18 0x7f84846d410c in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #19 0x7f848c3493ce in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:31)> /src/obj-firefox/dist/include/nsThreadUtils.h:348:25
    #20 0x7f848c3493ce in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2954:12
    #21 0x7f848c3476cb in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /src/dom/xhr/XMLHttpRequestMainThread.cpp:2728:11
    #22 0x7f8489a1f1da in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1295:24
    #23 0x7f848a0d1898 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3151:13
    #24 0x7f84904820cd in CallJSNative /src/js/src/vm/Interpreter.cpp:452:13
    #25 0x7f84904820cd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /src/js/src/vm/Interpreter.cpp:544:12
Priority: -- → P1

Seems like RemoteServiceWorkerRegistrationImpl contains a raw pointer to a cycle collected ServiceWorkerRegistration (which is a subclass of DOMEventTargetHelper).
During an ipc::IProtocol::DestroySubtree this raw pointer is accessed after the ServiceWorkerRegistration has already been freed by the CC (which obviously ignored this raw pointer).

I see here two raw pointers that probably should be converted to RefPtr then:

RemoteServiceWorkerRegistrationImpl: ServiceWorkerRegistration* mOuter;

ServiceWorkerRegistrationChild: RemoteServiceWorkerRegistrationImpl* mOwner;

Not sure about the nearby ServiceWorkerRegistrationChild* mActor;. There is a permanent cycle (forth and back) between ServiceWorkerRegistrationChild and RemoteServiceWorkerRegistrationImpl, which looks a bit insane and which we might want to avoid entirely rather than fix the raw pointers.
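The lifetime hazard described in the comment above, reduced to a toy model as an added illustration (this is not Gecko code and not the fix that landed): a proxy object holds a raw back-pointer into a refcounted DOM object, the owner drops its last reference, and a later actor-teardown callback reaches through the dangling pointer; beside it, the same proxy holding a RefPtr so the object outlives the callback. The class names Registration, RawPointerImpl, RefPtrImpl and the gLiveObjects set (a stand-in for ASan's allocation tracking, so the bad path can be detected without actually touching freed memory) are all assumptions of this example.

```cpp
#include <cassert>
#include <cstddef>
#include <set>
#include <string>
#include <vector>

// Tiny intrusive refcount, standing in for cycle-collector ownership.
class RefCounted {
 public:
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }
 protected:
  virtual ~RefCounted() = default;
 private:
  size_t mRefCnt = 0;
};

// Minimal owning smart pointer with the shape of mozilla::RefPtr (hypothetical).
template <class T>
class RefPtr {
 public:
  RefPtr() = default;
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  RefPtr& operator=(T* p) {
    if (p) p->AddRef();          // AddRef first so self-assignment is safe
    if (mPtr) mPtr->Release();
    mPtr = p;
    return *this;
  }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
  explicit operator bool() const { return mPtr != nullptr; }
 private:
  T* mPtr = nullptr;
};

// Addresses of objects that are currently alive (stand-in for what ASan knows).
static std::set<const void*> gLiveObjects;

// Stand-in for ServiceWorkerRegistration / DOMEventTargetHelper.
class Registration : public RefCounted {
 public:
  Registration() { gLiveObjects.insert(this); }
  // Mirrors the nsTArray RemoveElement that the ASan report faults in.
  bool IgnoreKeepAliveIfHasListenersFor(const std::string& type) {
    for (auto it = mKeepingAliveTypes.begin(); it != mKeepingAliveTypes.end(); ++it) {
      if (*it == type) { mKeepingAliveTypes.erase(it); return true; }
    }
    return false;
  }
 private:
  ~Registration() override { gLiveObjects.erase(this); }
  std::vector<std::string> mKeepingAliveTypes{"updatefound"};
};

// Shape of the bug: the IPC-side proxy keeps a raw pointer that the cycle
// collector can free without telling the proxy.
class RawPointerImpl {
 public:
  explicit RawPointerImpl(Registration* outer) : mOuter(outer) {}
  // Called from ActorDestroy. Returns false where a real build would have
  // dereferenced freed memory (the heap-use-after-free in the report).
  bool RegistrationCleared() {
    if (!gLiveObjects.count(mOuter)) return false;
    mOuter->IgnoreKeepAliveIfHasListenersFor("updatefound");
    return true;
  }
 private:
  Registration* mOuter;
};

// Hardened shape: a strong reference keeps the object alive until the actor
// is done with it, and the reference is dropped explicitly to avoid a leak cycle.
class RefPtrImpl {
 public:
  explicit RefPtrImpl(Registration* outer) : mOuter(outer) {}
  bool RegistrationCleared() {
    if (!mOuter) return false;   // already cleared; nothing to do
    mOuter->IgnoreKeepAliveIfHasListenersFor("updatefound");
    mOuter = nullptr;            // release our reference here, breaking the cycle
    return true;
  }
 private:
  RefPtr<Registration> mOuter;
};

// The window (last owner) drops its reference, the CC frees the registration,
// then the IPC actor is destroyed: the raw-pointer proxy touches freed memory.
bool RawPointerScenario() {
  Registration* reg = new Registration();
  reg->AddRef();                        // the window's reference
  RawPointerImpl impl(reg);
  reg->Release();                       // window gone; object freed
  return impl.RegistrationCleared();    // false: would be a use-after-free
}

// Same sequence with the RefPtr proxy: the object survives until the callback
// has run, and is freed once the proxy lets go of it.
bool RefPtrScenario() {
  RefPtr<Registration> window(new Registration());
  RefPtrImpl impl(window.get());
  window = nullptr;                     // window drops its reference
  bool cleared = impl.RegistrationCleared();
  return cleared && gLiveObjects.empty();
}
```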

Assignee: nobody → perry
Assignee: perry → ytausky

ni? myself so I remember to attach the test case.

Flags: needinfo?(twsmith)
Attached file testcase.html

This test case requires a fuzzing build with the pref fuzzing.enabled=true set. It also must be served from a local web server.

Two additional files are required: a.js (which I will attach) and b.js, which is just an empty file.

Flags: needinfo?(twsmith)
Attached file a.js

With this test case I'm getting an assertion failure instead of the UAF error:

Assertion failure: mChannel == chan (HttpChannelParent getting OnStartRequest from a different HttpBaseChannel instance), at /Users/yarontausky/src/gecko/netwerk/protocol/http/HttpChannelParent.cpp:1389
#01: mozilla::net::ParentChannelListener::OnStartRequest(nsIRequest*)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x16c1148]
#02: mozilla::net::HttpBaseChannel::DoNotifyListener()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x155595b]
#03: mozilla::net::nsHttpChannel::ContinueAsyncRedirectChannelToURI(nsresult)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x178686c]
#04: mozilla::net::nsHttpChannel::OnRedirectVerifyCallback(nsresult)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x17ec6f2]
#05: mozilla::net::nsAsyncVerifyRedirectCallbackEvent::Run()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x863430]
#06: nsThread::ProcessNextEvent(bool, bool*)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x46fc5a]
#07: NS_ProcessPendingEvents(nsIThread*, unsigned int)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x466633]
#08: nsBaseAppShell::NativeEventCallback()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0xe166126]
#09: nsAppShell::ProcessGeckoEvents(void*)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0xe2af6f5]
#10: __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x84b21]
#11: __CFRunLoopDoSource0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x84ac0]
#12: __CFRunLoopDoSources0[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x848d4]
#13: __CFRunLoopRun[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x83740]
#14: CFRunLoopRunSpecific[/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation +0x82bd3]
#15: RunCurrentEventLoopInMode[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2f65d]
#16: ReceiveNextEventCommon[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2f39d]
#17: _BlockUntilNextEventMatchingListInModeWithFilter[/System/Library/Frameworks/Carbon.framework/Versions/A/Frameworks/HIToolbox.framework/Versions/A/HIToolbox +0x2f127]
#18: _DPSNextEvent[/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x40eb4]
#19: -[NSApplication(NSEvent) _nextEventMatchingEventMask:untilDate:inMode:dequeue:][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x3f690]
#20: -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:][/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0xe2acb93]
#21: -[NSApplication run][/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit +0x313ae]
#22: nsAppShell::Run()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0xe2b0f62]
#23: nsAppStartup::Run()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x12fde316]
#24: XREMain::XRE_mainRun()[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x134757f4]
#25: XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x13479fec]
#26: XRE_main(int, char**, mozilla::BootstrapConfig const&)[/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL +0x1347d0f6]
#27: main[/Users/yarontausky/src/gecko/obj-fuzzing/dist/NightlyDebug.app/Contents/MacOS/firefox +0x1a4a]

Running it a few more times, I also get the following (different) UAF:

=================================================================
==47629==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110003cb8b0 at pc 0x000115ef20c9 bp 0x7ffee3265910 sp 0x7ffee3265908
READ of size 8 at 0x6110003cb8b0 thread T0
==47629==WARNING: failed to fork external symbolizer (errno: 1)
==47629==WARNING: failed to fork external symbolizer (errno: 1)
==47629==WARNING: failed to fork external symbolizer (errno: 1)
==47629==WARNING: failed to fork external symbolizer (errno: 1)
==47629==WARNING: failed to fork external symbolizer (errno: 1)
==47629==WARNING: Failed to use and restart external symbolizer!
    #0 0x115ef20c8 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>&, unsigned long, unsigned long) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x16b0c8)
    #1 0x123b38c17 in mozilla::dom::ServiceWorkerRegistration::UpdateState(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xddb1c17)
    #2 0x123b4253f in mozilla::dom::ServiceWorkerRegistrationChild::RecvUpdateState(mozilla::dom::IPCServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xddbb53f)
    #3 0x118e280f4 in mozilla::dom::PServiceWorkerRegistrationChild::OnMessageReceived(IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x30a10f4)
    #4 0x11877739c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x29f039c)
    #5 0x117c1a67b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e9367b)
    #6 0x117c0fb25 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e88b25)
    #7 0x117c13ac5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e8cac5)
    #8 0x117c159b3 in mozilla::ipc::MessageChannel::MessageTask::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e8e9b3)
    #9 0x1161f6c59 in nsThread::ProcessNextEvent(bool, bool*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x46fc59)
    #10 0x11620baa3 in NS_ProcessNextEvent(nsIThread*, bool) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x484aa3)
    #11 0x117c294c3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1ea24c3)
    #12 0x117a8ab50 in MessageLoop::RunInternal() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d03b50)
    #13 0x117a8a78d in MessageLoop::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d0378d)
    #14 0x123eed3ff in nsBaseAppShell::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xe1663ff)
    #15 0x124037f78 in nsAppShell::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xe2b0f78)
    #16 0x1292094a3 in XRE_RunAppShell() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x134824a3)
    #17 0x117c2b021 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1ea4021)
    #18 0x117a8ab50 in MessageLoop::RunInternal() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d03b50)
    #19 0x117a8a78d in MessageLoop::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d0378d)
    #20 0x129207b27 in XRE_InitChildProcess(int, char**, XREChildData const*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x13480b27)
    #21 0x10c995efd in main (/Users/yarontausky/src/gecko/obj-fuzzing/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000efd)
    #22 0x7fff6780f7fc in start (/usr/lib/system/libdyld.dylib:x86_64+0x1a7fc)

0x6110003cb8b0 is located 176 bytes inside of 200-byte region [0x6110003cb800,0x6110003cb8c8)
freed by thread T0 here:
    #0 0x10d5e3116 in wrap_free (/Users/yarontausky/.mozbuild/clang/lib/clang/9.0.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x45116)
    #1 0x115f4d3f6 in SnowWhiteKiller::MaybeKillObject(SnowWhiteKiller::SnowWhiteObject&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1c63f6)
    #2 0x115f4cd5f in SnowWhiteKiller::~SnowWhiteKiller() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1c5d5f)
    #3 0x115f2580d in nsCycleCollector::FreeSnowWhite(bool) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x19e80d)
    #4 0x115f33f3e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1acf3e)
    #5 0x115f33242 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1ac242)
    #6 0x115f3a7a3 in nsCycleCollector_collect(nsICycleCollectorListener*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1b37a3)
    #7 0x11c46988b in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x66e288b)
    #8 0x11f8aedf7 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x9b27df7)
    #9 0x129626bca in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1389fbca)
    #10 0x129624acb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1389dacb)
    #11 0x1295f8b8c in Interpret(JSContext*, js::RunState&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x13871b8c)
    #12 0x1295d2b82 in js::RunScript(JSContext*, js::RunState&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1384bb82)
    #13 0x1296249c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1389d9c3)
    #14 0x129628a3f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x138a1a3f)
    #15 0x1299e9345 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x13c62345)
    #16 0x11f67a035 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x98f3035)
    #17 0x120b50e7e in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xadc9e7e)
    #18 0x120b505ed in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xadc95ed)
    #19 0x120b52ab1 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xadcbab1)
    #20 0x120b2cf98 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xada5f98)
    #21 0x120b2a53c in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xada353c)
    #22 0x120b32aa0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xadabaa0)
    #23 0x120b3dbd3 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xadb6bd3)
    #24 0x120ad3f37 in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xad4cf37)
    #25 0x120b6685f in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&, mozilla::ErrorResult&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xaddf85f)
    #26 0x120ad41bd in mozilla::DOMEventTargetHelper::DispatchTrustedEvent(nsTSubstring<char16_t> const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xad4d1bd)
    #27 0x12399c352 in mozilla::dom::ServiceWorker::MaybeDispatchStateChangeEvent() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xdc15352)
    #28 0x123b3b72c in mozilla::dom::ServiceWorkerRegistration::UpdateStateInternal(mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&, mozilla::Maybe<mozilla::dom::ServiceWorkerDescriptor> const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xddb472c)
    #29 0x123b389e3 in mozilla::dom::ServiceWorkerRegistration::UpdateState(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xddb19e3)

previously allocated by thread T0 here:
    #0 0x10d5e2fcd in wrap_malloc (/Users/yarontausky/.mozbuild/clang/lib/clang/9.0.1/lib/darwin/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x44fcd)
    #1 0x10d3bdecd in moz_xmalloc (/Users/yarontausky/src/gecko/obj-fuzzing/dist/NightlyDebug.app/Contents/MacOS/libmozglue.dylib:x86_64+0x1ecd)
    #2 0x123b39e2a in mozilla::dom::ServiceWorkerRegistration::CreateForMainThread(nsPIDOMWindowInner*, mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xddb2e2a)
    #3 0x11bbdaac6 in nsGlobalWindowInner::GetOrCreateServiceWorkerRegistration(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x5e53ac6)
    #4 0x11bbdad14 in non-virtual thunk to nsGlobalWindowInner::GetOrCreateServiceWorkerRegistration(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x5e53d14)
    #5 0x1239de042 in std::__1::__function::__func<mozilla::dom::ServiceWorkerContainer::GetRegistration(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)::$_24, std::__1::allocator<mozilla::dom::ServiceWorkerContainer::GetRegistration(nsTSubstring<char16_t> const&, mozilla::ErrorResult&)::$_24>, void (mozilla::dom::ServiceWorkerRegistrationDescriptor const&)>::operator()(mozilla::dom::ServiceWorkerRegistrationDescriptor const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xdc57042)
    #6 0x1239cc4a0 in std::__1::__function::__func<mozilla::dom::RemoteServiceWorkerContainerImpl::GetRegistration(mozilla::dom::ClientInfo const&, nsTSubstring<char> const&, std::__1::function<void (mozilla::dom::ServiceWorkerRegistrationDescriptor const&)>&&, std::__1::function<void (mozilla::ErrorResult&)>&&) const::$_4, std::__1::allocator<mozilla::dom::RemoteServiceWorkerContainerImpl::GetRegistration(mozilla::dom::ClientInfo const&, nsTSubstring<char> const&, std::__1::function<void (mozilla::dom::ServiceWorkerRegistrationDescriptor const&)>&&, std::__1::function<void (mozilla::ErrorResult&)>&&) const::$_4>, void (mozilla::dom::IPCServiceWorkerRegistrationDescriptorOrCopyableErrorResult&&)>::operator()(mozilla::dom::IPCServiceWorkerRegistrationDescriptorOrCopyableErrorResult&&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xdc454a0)
    #7 0x118df7aea in mozilla::dom::PServiceWorkerContainerChild::OnMessageReceived(IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x3070aea)
    #8 0x11877739c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x29f039c)
    #9 0x117c1a67b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e9367b)
    #10 0x117c0fb25 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e88b25)
    #11 0x117c13ac5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e8cac5)
    #12 0x117c159b3 in mozilla::ipc::MessageChannel::MessageTask::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1e8e9b3)
    #13 0x1161f6c59 in nsThread::ProcessNextEvent(bool, bool*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x46fc59)
    #14 0x11620baa3 in NS_ProcessNextEvent(nsIThread*, bool) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x484aa3)
    #15 0x117c294db in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1ea24db)
    #16 0x117a8ab50 in MessageLoop::RunInternal() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d03b50)
    #17 0x117a8a78d in MessageLoop::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d0378d)
    #18 0x123eed3ff in nsBaseAppShell::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xe1663ff)
    #19 0x124037f78 in nsAppShell::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0xe2b0f78)
    #20 0x1292094a3 in XRE_RunAppShell() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x134824a3)
    #21 0x117c2b021 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1ea4021)
    #22 0x117a8ab50 in MessageLoop::RunInternal() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d03b50)
    #23 0x117a8a78d in MessageLoop::Run() (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x1d0378d)
    #24 0x129207b27 in XRE_InitChildProcess(int, char**, XREChildData const*) (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x13480b27)
    #25 0x10c995efd in main (/Users/yarontausky/src/gecko/obj-fuzzing/dist/NightlyDebug.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000efd)
    #26 0x7fff6780f7fc in start (/usr/lib/system/libdyld.dylib:x86_64+0x1a7fc)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/yarontausky/src/gecko/obj-fuzzing/toolkit/library/build/XUL:x86_64+0x16b0c8) in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>&, unsigned long, unsigned long)
Shadow bytes around the buggy address:
  0x1c22000796c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x1c22000796d0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c22000796e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c22000796f0: fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2200079700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c2200079710: fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa fa fa
  0x1c2200079720: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x1c2200079730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200079740: fd fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c2200079750: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c2200079760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==47629==ABORTING

The assertion in comment 5 is logged as bug 1589749. It would be great to get that fixed since the fuzzers are hitting it a lot (I have commented on the bug).

The stack in comment 6 is a variation of the original. It is different because I had to modify the test case to make it more reliable. The original was performing large allocations to trigger GC; the attached test case is using FuzzingFunctions.

I tried solving this by using RefPtr and making subclasses of ServiceWorkerRegistration::Inner participate in cycle collection, but that causes a UAF in the child intercept case. I'll see tomorrow whether that solution can be salvaged, or another one is needed.

The stack reads very similar to bug 1610692. Moving discussion here as it might be security relevant. If I understand well, we have a race between a (long running) constructor of a cycle collector participant and the CC itself. So in general the order during construction of a CCP seems to be (I am over-simplifying for sure):

  1. The memory is allocated by the CC and added to its control structures
  2. The constructor of the CCP is called and does whatever it likes (in bug 1610692 it even creates events)
  3. After the constructor returns, the pointer to the CCP is put for the first time into a RefPtr or alike

If the CC runs during 2., it sees the CCP as orphaned, as there is still nobody pointing at it. The outer code can only reduce the probability for this race, reducing construction time, but I think it can be solved 100% only in the CCP base classes. So during its construction a CCP should be in a state that prevents it from being CCed ahead of time?

:smaug, what do you think?

Flags: needinfo?(bugs)

CC runs in the same thread as cycle collectable objects, so there can't be really a race there.
If someone doesn't keep the object alive while the construction process is ongoing, and lets JS be called, the object may get deleted.
That isn't really a CC thing, but normal refcounting. (CC may just postpone deletion when refcnt drops to 0, but if event loop spins or so, there may not be delay. If object isn't CCable, refcnt dropping to 0 means instant deletion)

https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/dom/serviceworkers/ServiceWorkerRegistrationChild.cpp#29
Nothing keeps mOwner alive if UpdateState triggers JS which may kill ServiceWorkerRegistrationChild.

https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/dom/serviceworkers/RemoteServiceWorkerRegistrationImpl.cpp#153
Nothing keeps mOwner alive here either if UpdateState triggers JS which may kill RemoteServiceWorkerRegistrationImpl
And based on the stack, some DOM event is dispatched underneath, and DOM Events may have JS implemented listeners which get then called
synchronously.

This isn't about CC, but seems to be about normal COM rules. The caller should keep the callee alive.
Obviously I was just looking around the code, didn't debug this. So I could be wrong. But the caller not keeping the callee alive is a rather common mistake in refcounted systems.
Annotating the code with MOZ_CAN_RUN_SCRIPT might be useful.
https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/mfbt/Attributes.h#503-511

Flags: needinfo?(bugs)

(In reply to Olli Pettay [:smaug] from comment #10)

CC runs in the same thread as cycle collectable objects, so there can't be really a race there.
If someone doesn't keep the object alive while the construction process is ongoing, and lets JS be called, the object may get deleted.
That isn't really a CC thing, but normal refcounting. (CC may just postpone deletion when refcnt drops to 0, but if event loop spins or so, there may not be delay. If object isn't CCable, refcnt dropping to 0 means instant deletion)

https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/dom/serviceworkers/ServiceWorkerRegistrationChild.cpp#29
Nothing keeps mOwner alive if UpdateState triggers JS which may kill ServiceWorkerRegistrationChild.

https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/dom/serviceworkers/RemoteServiceWorkerRegistrationImpl.cpp#153
Nothing keeps mOwner alive here either if UpdateState triggers JS which may kill RemoteServiceWorkerRegistrationImpl
And based on the stack, some DOM event is dispatched underneath, and DOM Events may have JS implemented listeners which get then called
synchronously.

So I take away from this that it is a bad idea to push JS events during the construction phase of a CCP. And that if we do not do so, everything should be fine, as then the CC can't chip in. It is something to keep in mind and easily violated, though.

This isn't about CC, but seems to be about normal COM rules. The caller should keep the callee alive.
Obviously I was just looking around the code, didn't debug this. So I could be wrong. But the caller not keeping the callee alive is a rather common mistake in refcounted systems.
Annotating the code with MOZ_CAN_RUN_SCRIPT might be useful.
https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/mfbt/Attributes.h#503-511

I assume, this does not change the behavior but enforces/reminds us to keep references in the caller (and helps us to keep in mind the above rule). And that it is not meant to be applied to a constructor.

Thanks!

(In reply to Jens Stutte [:jstutte] from comment #11)

So I take away from this that it is a bad idea to push events during the construction phase of a CCP. And that if we do not do so, everything should be fine, as then the CC can't chip in. It is something to keep in mind and easily violated, though.

Well, it is not about construction, and has nothing to do with CC as such. It is about refcounting. One needs to keep refcounted objects alive
as long as they need to stay alive. Triggering some JS to run may often end up closing down browser windows or workers or what not, leading to
things starting to shut down and thus releasing various member variables (even if they are RefPtr; one may just set them to null explicitly).

I assume, this does not change the behavior but enforces us to keep references in the callee (and helps us to keep in mind the above rule). And that it is not meant to be applied to a constructor.

I don't quite understand this constructor part here. This is about refcounting. When constructor runs, refcnt is 0 initially, but if one wants, explicitly increasing it is of course possible. The caller just needs to know about it, so it can be a tad confusing.
The normal pattern however is to do something like
RefPtr<MyClass> myObject = new MyClass();
myObject->Init(); // Init may do complicated stuff, and the RefPtr on the stack keeps 'myObject' alive.

One needs to still remember that RefPtr as member variables aren't something which in general keep callee alive.
That is why
https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/layout/base/nsDocumentViewer.cpp#1002-1004
is rather common pattern.
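Added illustration of the rule stated in comment 10 ("the caller should keep the callee alive") and of the stack-held strong reference pattern in comment 12. This is example code written for this page; it is not Mozilla code and not the patch in attachment 9124069. The `RefPtr`, `Registration`, `Owner`, `UpdateState`, `UnsafeNotify` and `SafeNotify` names and the minimal intrusive refcount are stand-ins assumed for the demo; the "script" listener that nulls out the owner's `RefPtr` plays the role of the synchronous JS event listener described in the stack. So that the program itself stays well-defined, the object's destruction mid-call is detected through a flag on the caller's stack rather than by actually reading freed memory, which is what the real bug did.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Minimal intrusive refcounting, a stand-in for Gecko's nsISupports/RefPtr
// (assumed for this demo, not Mozilla's implementation).
template <typename T>
class RefPtr {
 public:
  RefPtr() : mPtr(nullptr) {}
  RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
  RefPtr& operator=(const RefPtr& o) { RefPtr tmp(o); std::swap(mPtr, tmp.mPtr); return *this; }
  RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(mPtr, tmp.mPtr); return *this; }
  ~RefPtr() { if (mPtr) mPtr->Release(); }
  T* get() const { return mPtr; }
  T* operator->() const { return mPtr; }
 private:
  T* mPtr;
};

struct Owner;

// Stand-in for a refcounted DOM object whose state change dispatches events.
class Registration {
 public:
  Registration() : mRefCnt(0), mState(0), mDestroyedFlag(nullptr) {}
  ~Registration() { if (mDestroyedFlag) *mDestroyedFlag = true; }

  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  using Listener = std::function<void(Owner&)>;
  void AddEventListener(Listener l) { mListeners.push_back(std::move(l)); }

  // Dispatches to listeners ("script"), then touches its own members.
  // Returns true if the object was still alive after dispatch. A false return
  // means a listener dropped the last reference mid-call; real code would
  // read freed memory at that point (the UAF in this bug). The stack flag is
  // used only so the demo can report that without dereferencing freed memory.
  bool UpdateState(Owner& aOwner) {
    bool destroyed = false;
    mDestroyedFlag = &destroyed;
    std::vector<Listener> listeners = mListeners;  // copy: listeners may mutate us
    for (auto& l : listeners) l(aOwner);
    if (destroyed) return false;                    // `this` is already freed here
    mDestroyedFlag = nullptr;
    ++mState;                                       // member access after script ran
    return true;
  }
  int State() const { return mState; }

 private:
  int mRefCnt;
  int mState;
  bool* mDestroyedFlag;
  std::vector<Listener> mListeners;
};

struct Owner {
  RefPtr<Registration> mRegistration;
};

// Plays the JS listener: tears down the only strong reference, as script that
// closes a window or unregisters a worker can during event dispatch.
inline void ScriptDropsRegistration(Owner& aOwner) { aOwner.mRegistration = nullptr; }

// Before: the caller reaches the callee through a raw pointer across a call
// that can run script. Nothing keeps the callee alive.
bool UnsafeNotify(Owner& aOwner) {
  Registration* raw = aOwner.mRegistration.get();
  return raw->UpdateState(aOwner);
}

// After: a RefPtr on the caller's stack keeps the callee alive for the whole
// call, whatever script does to the owner's member in the meantime.
bool SafeNotify(Owner& aOwner) {
  RefPtr<Registration> keepAlive = aOwner.mRegistration;
  return keepAlive->UpdateState(aOwner);
}

// Constructed scenario: one registration, one listener that drops the last
// reference, notified through either path. Returns whether the callee survived.
bool RunScenario(bool aHoldStrongRef) {
  Owner owner;
  owner.mRegistration = new Registration();
  owner.mRegistration->AddEventListener(ScriptDropsRegistration);
  return aHoldStrongRef ? SafeNotify(owner) : UnsafeNotify(owner);
}

int main() {
  std::printf("raw pointer across script: callee alive = %d\n", RunScenario(false));
  std::printf("strong ref across script:  callee alive = %d\n", RunScenario(true));
  return 0;
}
```

The only difference between the two callers is the stack-held `RefPtr`; `MOZ_CAN_RUN_SCRIPT` exists precisely to make the compiler flag the `UnsafeNotify` shape, where a method that may run script is invoked through something other than a strong reference.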

(In reply to Olli Pettay [:smaug] from comment #12)

I don't quite understand this constructor part here. This is about refcounting. When constructor runs, refcnt is 0 initially, but if one wants, explicitly increasing it is of course possible. The caller just needs to know about it, so it can be a tad confusing.
The normal pattern however is to do something like
RefPtr<MyClass> myObject = new MyClass();
myObject->Init(); // Init may do complicated stuff, and the RefPtr on the stack keeps 'myObject' alive.

I might not use the same language here yet, sorry (looking forward to the CC session next week). The example you show makes clear that complicated initialization logic (including JS calls) is better placed outside the constructor. Period. Then, if I understand right, there are two possible triggers for deleting an object: directly when the refcount goes to zero and indirectly through cycle collection of orphaned cycles. In bug 1610692 I see the latter case caused by a missing assignment to any RefPtr before the constructor ended, that is why I was talking about CC.

One needs to still remember that RefPtr as member variables aren't something which in general keep callee alive.
That is why
https://searchfox.org/mozilla-central/rev/f98dad153b59a985efd4505912588d4651033395/layout/base/nsDocumentViewer.cpp#1002-1004
is rather common pattern.

Thanks, that would be interesting for next week, too. :-)

Attachment #9122882 - Attachment is obsolete: true

Comment on attachment 9124069 [details]
Bug 1607276 - Hold strong reference before calling method r=#dom-workers-and-storage-reviewers

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It's a relatively easy-to-trigger UAF. It's pretty obvious from the patch where to look for the problem.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: None
  • If not all supported branches, which bug introduced the flaw?: Bug 1588154
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Older branches are not affected because the pref flip is only for nightly.
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely to cause regressions.
Attachment #9124069 - Flags: sec-approval?

Keeping sec-approval open, I expect we'll land this midway through next cycle.

:perry assigning to you for landing support.

Assignee: ytausky → perry

SW-e10s was disabled for 73, so presumably we're OK there anyway.

Comment on attachment 9124069 [details]
Bug 1607276 - Hold strong reference before calling method r=#dom-workers-and-storage-reviewers

Approved to land.

Attachment #9124069 - Flags: sec-approval? → sec-approval+
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75

Please nominate this for Beta approval when you get a chance.

Flags: needinfo?(perry)

As today is bank holiday: Eden, can you please make the beta uplift request?

Flags: needinfo?(echuang)

Comment on attachment 9124069 [details]
Bug 1607276 - Hold strong reference before calling method r=#dom-workers-and-storage-reviewers

Beta/Release Uplift Approval Request

  • User impact if declined: Users will hit a Firefox crash in the specified case.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This change is not risky. It just replaces raw pointers with RefPtr.
  • String changes made/needed: No
Flags: needinfo?(echuang)
Attachment #9124069 - Flags: approval-mozilla-beta?

I've made the uplift request; removing the ni on Perry.

Flags: needinfo?(perry)

Comment on attachment 9124069 [details]
Bug 1607276 - Hold strong reference before calling method r=#dom-workers-and-storage-reviewers

Uplift approved for our next beta, thanks.

Attachment #9124069 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release