Bug 1609453 (Closed; opened 4 years ago, closed 4 years ago)

AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/ipc/PBackgroundSharedTypes.h:503:16 in type

Categories: Core :: DOM: Service Workers, defect, P1
Status: RESOLVED DUPLICATE of bug 1609110
Tracking Status: firefox74 --- fixed
People: Reporter: jkratzer, Assigned: ytausky
References: Blocks 2 open bugs
Details: 5 keywords, Whiteboard: [adv-main74-]
Attachments: 2 files

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev 5ba39736e74b. Testcase must be served via a local webserver in order to reproduce.

==12590==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000015acf0 at pc 0x7f45085adc4e bp 0x7ffca7965ed0 sp 0x7ffca7965ec8
READ of size 4 at 0x61000015acf0 thread T0
    #0 0x7f45085adc4d in type /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/ipc/PBackgroundSharedTypes.h:503:16
    #1 0x7f45085adc4d in mozilla::ipc::PrincipalInfoToPrincipal(mozilla::ipc::PrincipalInfo const&, nsresult*) /builds/worker/workspace/build/src/ipc/glue/BackgroundUtils.cpp:56:26
    #2 0x7f450ef8f9b9 in mozilla::dom::(anonymous namespace)::TransmitPermissionsAndBlobURLsForPrincipalInfo(mozilla::dom::ContentParent*, mozilla::ipc::PrincipalInfo const&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:45:38
    #3 0x7f450ef90d5f in mozilla::dom::RemoteWorkerManager::LaunchNewContentProcess(mozilla::dom::RemoteWorkerData const&)::$_19::operator()() const::'lambda'(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue const&)::operator()(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue const&) const /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:374:22
    #4 0x7f450ef9093d in InvokeMethod<(lambda at /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:366:20), void ((lambda at /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:366:20)::*)(const mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue &) const, const mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:513:12
    #5 0x7f450ef9093d in InvokeCallbackMethod<false, (lambda at /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:366:20), void ((lambda at /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:366:20)::*)(const mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue &) const, const mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue &, RefPtr<mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::Private> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:545:5
    #6 0x7f450ef9093d in mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ThenValue<mozilla::dom::RemoteWorkerManager::LaunchNewContentProcess(mozilla::dom::RemoteWorkerData const&)::$_19::operator()() const::'lambda'(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:794:7
    #7 0x7f450ee30992 in mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:403:21
    #8 0x7f4507410688 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #9 0x7f450741b49c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #10 0x7f450864cb0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #11 0x7f4508546597 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #12 0x7f4508546597 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #13 0x7f4508546597 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #14 0x7f450f5ec2e8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #15 0x7f4512eeff9f in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
    #16 0x7f4513103adb in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4605:22
    #17 0x7f4513105a32 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4742:8
    #18 0x7f4513106f73 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4823:21
    #19 0x55f6be7148df in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #20 0x55f6be7148df in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #21 0x7f4529d42b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

0x61000015acf0 is located 176 bytes inside of 184-byte region [0x61000015ac40,0x61000015acf8)
freed by thread T0 here:
    #0 0x55f6be6e1b8d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7f45073fa81c in mozilla::Runnable::Release() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:54:1
    #2 0x7f4507410875 in ~nsCOMPtr_base /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:331:7
    #3 0x7f4507410875 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1234:3
    #4 0x7f450741b49c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #5 0x7f450864cb0f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #6 0x7f4508546597 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #7 0x7f4508546597 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #8 0x7f4508546597 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #9 0x7f450f5ec2e8 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #10 0x7f4512eeff9f in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
    #11 0x7f4513103adb in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4605:22
    #12 0x7f4513105a32 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4742:8
    #13 0x7f4513106f73 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4823:21
    #14 0x55f6be7148df in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #15 0x55f6be7148df in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #16 0x7f4529d42b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

previously allocated by thread T34 (IPDL Background) here:
    #0 0x55f6be6e1e0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x55f6be7175fd in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f450ef7b52f in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f450ef7b52f in NS_NewRunnableFunction<(lambda at /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:360:17)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:657:20
    #4 0x7f450ef7b52f in mozilla::dom::RemoteWorkerManager::LaunchNewContentProcess(mozilla::dom::RemoteWorkerData const&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerManager.cpp:359:29
    #5 0x7f450ef7257d in mozilla::dom::RemoteWorkerController::Create(mozilla::dom::RemoteWorkerData const&, mozilla::dom::RemoteWorkerObserver*, int) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerController.cpp:44:12
    #6 0x7f450ef7961c in mozilla::dom::RemoteWorkerControllerParent::RemoteWorkerControllerParent(mozilla::dom::RemoteWorkerData const&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerControllerParent.cpp:30:31
    #7 0x7f450859f947 in mozilla::ipc::BackgroundParentImpl::AllocPRemoteWorkerControllerParent(mozilla::dom::RemoteWorkerData const&) /builds/worker/workspace/build/src/ipc/glue/BackgroundParentImpl.cpp:512:11
    #8 0x7f4509583b9b in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundParent.cpp:5530:60
    #9 0x7f4508641182 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2212:25
    #10 0x7f450863bde4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2134:9
    #11 0x7f450863e0af in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1973:3
    #12 0x7f450863efb0 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2004:13
    #13 0x7f4507410688 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #14 0x7f450741b49c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7f450864e894 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:332:5
    #16 0x7f4508546597 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7f4508546597 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #18 0x7f4508546597 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #19 0x7f45074097d7 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:464:10
    #20 0x7f452b222cde in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7f452ae646da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)

Thread T34 (IPDL Background) created by T0 here:
    #0 0x55f6be6cc59a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7f452b213185 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f452b2040fe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f450740c2b4 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:670:8
    #4 0x7f450741a005 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:621:12
    #5 0x7f450741e323 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
    #6 0x7f45085e5566 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:70:10
    #7 0x7f45085e5566 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:943:7
    #8 0x7f45085ed02a in RunOnMainThread /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1243:30
    #9 0x7f45085ed02a in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /builds/worker/workspace/build/src/ipc/glue/BackgroundImpl.cpp:1262:17
    #10 0x7f4507410688 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #11 0x7f450740e66f in NS_ProcessNextEvent /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #12 0x7f450740e66f in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:909:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #13 0x7f450740e66f in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:909:3
    #14 0x7f45074210a3 in nsThreadPool::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThreadPool.cpp:396:17
    #15 0x7f45073ed624 in applyImpl<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1164:12
    #16 0x7f45073ed624 in apply<nsIThreadPool, nsresult (nsIThreadPool::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1170:12
    #17 0x7f45073ed624 in mozilla::detail::RunnableMethodImpl<nsCOMPtr<nsIThreadPool>, nsresult (nsIThreadPool::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1216:13
    #18 0x7f4507410688 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #19 0x7f450741ab2e in NS_ProcessNextEvent /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #20 0x7f450741ab2e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:694:36)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:347:25
    #21 0x7f450741ab2e in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:694:8
    #22 0x7f45074532f1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #23 0x7f45098bd89b in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1643:10
    #24 0x7f45098bd89b in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1184:19
    #25 0x7f45098bd89b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1150:23
    #26 0x7f45098c28b0 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
    #27 0x7f451336f9cd in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452:13
    #28 0x7f451336f9cd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:544:12
    #29 0x7f451337180a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
    #30 0x7f4513357ae3 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:612:10
    #31 0x7f4513357ae3 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3046:16
    #32 0x7f4513339b24 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #33 0x7f451336fac5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:13
    #34 0x7f451337180a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
    #35 0x7f4513371ae6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:8
    #36 0x7f451381ddb9 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/JSFunction.cpp:1191:10
    #37 0x7f451336f9cd in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452:13
    #38 0x7f451336f9cd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:544:12
    #39 0x7f451337180a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
    #40 0x7f4513357ae3 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:612:10
    #41 0x7f4513357ae3 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3046:16
    #42 0x7f4513339b24 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #43 0x7f451336fac5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:580:13
    #44 0x7f451337180a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:608:10
    #45 0x7f4513371ae6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:8
    #46 0x7f4513508105 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2724:10
    #47 0x7f45098af266 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:956:17
    #48 0x7f4507454ae2 in PrepareAndDispatch /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
    #49 0x7f450745398a in SharedStub (/home/user/builds/mc-asan/libxul.so+0x41d898a)
    #50 0x7f4513122e9d in nsXREDirProvider::DoStartup() /builds/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:957:11
    #51 0x7f451310306f in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4420:16
    #52 0x7f4513105a32 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4742:8
    #53 0x7f4513106f73 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4823:21
    #54 0x55f6be7148df in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #55 0x55f6be7148df in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
    #56 0x7f4529d42b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/_ipdlheaders/mozilla/ipc/PBackgroundSharedTypes.h:503:16 in type
Shadow bytes around the buggy address:
  0x0c2080023540: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080023550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080023560: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2080023570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c2080023580: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c2080023590: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fa
  0x0c20800235a0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c20800235b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c20800235c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c20800235d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c20800235e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==12590==ABORTING

Flags: in-testsuite?

Attached file worker.js

Yoric, could you please take a look? This looks related to your remote worker launching changes. Thanks.

Group: core-security → dom-core-security
Flags: needinfo?(dteller)
Priority: -- → P1

Normally, this should be fixed by 1607530, which landed a few hours ago.

jkratzer, is there any chance you could confirm that the above patch fixes the issue?

Flags: needinfo?(dteller) → needinfo?(jkratzer)

David, unfortunately it looks like that patch does not address this testcase. I've confirmed that the issue still reproduces on mozilla-central rev 7e0886a94d70 (20200116).

Flags: needinfo?(jkratzer)

:jkratzer, do you have a recording that can be uploaded to pernosco? Thank you!

Flags: needinfo?(jkratz)
Flags: needinfo?(jkratz) → needinfo?(jkratzer)

I think you needinfo'd the wrong person. I have fixed the needinfo and removed the other person from the CC list.

Second hypothesis is that this is what rpl is fixing in bug 1609110.

Flags: needinfo?(lgreco)

(In reply to David Teller [:Yoric] (please use "needinfo") from comment #7)
> Second hypothesis is that this is what rpl is fixing in bug 1609110.

Yep, it looks like it. The stack trace from comment 0 looks like the same stack trace I got by triggering the MOZ_CRASH(Unknown PrincipalInfo type!) assertion at ipc/glue/BackgroundUtils.cpp:163 in a debug build (also, "use-after-free" would definitely match the underlying issue I described in that Bugzilla issue).

The patch attached to bug 1609110 is meant to fix that one.

Flags: needinfo?(lgreco)

The attached testcase bisects to the following build range:
Start: 989bbd83ccd5a6fbc706b8eb6635a471596c6a43 (20200106155344)
End: e6427fac5ee8d1d87fb78e917781e85dda119a81 (20200106215403)
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=989bbd83ccd5a6fbc706b8eb6635a471596c6a43&tochange=e6427fac5ee8d1d87fb78e917781e85dda119a81

Flags: needinfo?(jkratzer)

We're currently discussing the potential risk of posting a pernosco trace for this issue. Leaving the NI until a decision is made.

Flags: needinfo?(jkratzer)

(In reply to Jason Kratzer [:jkratzer] from comment #9)
> The attached testcase bisects to the following build range:
> Start: 989bbd83ccd5a6fbc706b8eb6635a471596c6a43 (20200106155344)
> End: e6427fac5ee8d1d87fb78e917781e85dda119a81 (20200106215403)
> https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=989bbd83ccd5a6fbc706b8eb6635a471596c6a43&tochange=e6427fac5ee8d1d87fb78e917781e85dda119a81

In this set I see bug 1605086 which might sound related to the LaunchNewContentProcess I see in the stack trace here?

Flags: needinfo?(dteller)

While waiting for the pernosco discussion outcome, I started to dig a bit into the trace.

So we free something during event processing by refcounting on a nsCOMPtr filled by popping an event from the queue:

{ // scope start

    nsCOMPtr<nsIRunnable> event =
        mEvents->GetEvent(reallyWait, &priority, &mLastEventDelay);
    ....
} // scope end

After processing this event, the above scope comes to an end, and during destruction of event the nsIRunnable 0x61000015ac40 is being freed (meaning there was no other reference on it left).

On a subsequent event processing on the same main thread, we crash in #6:

    void DoResolveOrRejectInternal(ResolveOrRejectValue& aValue) override {
      // Note: The usage of InvokeCallbackMethod here requires that
      // ResolveRejectFunction is capture-lambdas (i.e. anonymous
      // classes with ::operator()), since it allows us to share code more
      // easily. We could fix this if need be, though it's quite easy to work
      // around by just capturing something.
---->  InvokeCallbackMethod<SupportChaining::value>(
          mResolveRejectFunction.ptr(), &ResolveRejectFunction::operator(),
          MaybeMove(aValue), std::move(mCompletionPromise));


      // Destroy callbacks after invocation so that any references in closures
      // are released predictably on the dispatch thread. Otherwise, they would
      // be released on whatever thread last drops its reference to the
      // ThenValue, which may or may not be ok.
      mResolveRejectFunction.reset();
    }

called from: mThenValue->DoResolveOrReject(mPromise->Value()); with signature:

mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ThenValue<mozilla::dom::RemoteWorkerManager::LaunchNewContentProcess(mozilla::dom::RemoteWorkerData const&)::$_19::operator()() const::'lambda'(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue const&)>::DoResolveOrRejectInternal(mozilla::MozPromise<RefPtr<mozilla::dom::ContentParent>, mozilla::ipc::LaunchError, false>::ResolveOrRejectValue&)

so apparently with mPromise->Value() being the mozilla::dom::RemoteWorkerData instance containing the PrincipalInfo principalInfo_; accessed here.

We seem to have a MozPromise that refers to a RemoteWorkerData object that has already been freed on the same main thread, probably indirectly (as a member of an nsIRunnable) through refcounting, before this event is processed.

Assignee: nobody → ytausky
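The lifetime sequence described in the comment above, as an added illustration that is not code from this bug or from Firefox: EventLoop, LaunchPromise and WorkerData are assumed stand-ins for nsThread::ProcessNextEvent, MozPromise::Then and RemoteWorkerData, and the three events model the runnable from RemoteWorkerManager.cpp:360, the promise resolution and the Then-callback from the trace. A weak_ptr stands in for the dangling reference so the dead referent can be observed without actually touching freed memory; the hardened variant gives the callback shared ownership of the data.

```cpp
// Added illustration, not Firefox code: EventLoop, LaunchPromise and WorkerData
// are assumed stand-ins for nsThread::ProcessNextEvent, MozPromise::Then and
// RemoteWorkerData, modelled on the analysis in the comment above.
#include <cstdio>
#include <cstdint>
#include <deque>
#include <functional>
#include <memory>
#include <string>

// Stand-in for RemoteWorkerData; principalInfoType models the 4-byte field
// that PrincipalInfo::type() reads in frame #0 of the ASan report.
struct WorkerData {
  uint32_t principalInfoType;
  std::string scriptURL;
};

// Single-threaded event queue standing in for the main-thread nsThread.
class EventLoop {
 public:
  void Dispatch(std::function<void()> aRunnable) {
    mQueue.push_back(std::move(aRunnable));
  }
  // Mirrors the scoped nsCOMPtr<nsIRunnable> in ProcessNextEvent: the event
  // and everything its closure owns are destroyed as soon as it has run.
  bool ProcessNextEvent() {
    if (mQueue.empty()) return false;
    std::function<void()> event = std::move(mQueue.front());
    mQueue.pop_front();
    event();
    return true;  // `event` dies here, like the nsCOMPtr at nsThread.cpp:1234
  }
 private:
  std::deque<std::function<void()>> mQueue;
};

// Stand-in for the launch promise: resolving it dispatches the Then-callback
// as a later event, like ThenValueBase::ResolveOrRejectRunnable does.
class LaunchPromise {
 public:
  explicit LaunchPromise(EventLoop& aLoop) : mLoop(aLoop) {}
  void Then(std::function<void()> aCallback) { mCallback = std::move(aCallback); }
  void Resolve() { mLoop.Dispatch(std::move(mCallback)); }
 private:
  EventLoop& mLoop;
  std::function<void()> mCallback;
};

// Runs the three-event sequence from the trace. Returns the principalInfoType
// the Then-callback read, or -1 if its referent was already destroyed when the
// callback finally ran (the situation ASan reported as heap-use-after-free).
int RunScenario(bool aCallbackSharesOwnership) {
  EventLoop loop;
  LaunchPromise promise(loop);
  int result = -2;  // callback never ran

  // Event 1: stand-in for the runnable NS_NewRunnableFunction builds at
  // RemoteWorkerManager.cpp:360. Its closure is the sole owner of the data.
  loop.Dispatch([&, data = std::make_shared<WorkerData>(WorkerData{7, "sw.js"})]() {
    std::weak_ptr<WorkerData> observer = data;  // tracks lifetime, owns nothing
    std::shared_ptr<WorkerData> keepAlive;
    if (aCallbackSharesOwnership) keepAlive = data;  // the hardened variant
    // Stand-in for the lambda at RemoteWorkerManager.cpp:366 that reads the
    // PrincipalInfo. A raw reference here would be the use-after-free; the
    // weak_ptr observes the same lifetime without touching freed memory.
    promise.Then([&result, observer, keepAlive]() {
      (void)keepAlive;  // captured only to extend the data's lifetime
      if (std::shared_ptr<WorkerData> live = observer.lock()) {
        result = static_cast<int>(live->principalInfoType);
      } else {
        result = -1;  // referent gone: this is the UAF ASan caught
      }
    });
  });
  // Event 2: the content-process launch completes and resolves the promise,
  // which queues the Then-callback as event 3.
  loop.Dispatch([&]() { promise.Resolve(); });

  while (loop.ProcessNextEvent()) {
  }
  return result;
}

int main() {
  std::printf("callback holds no ownership: %d\n", RunScenario(false));  // -1
  std::printf("callback shares ownership:   %d\n", RunScenario(true));   // 7
  return 0;
}
```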

Bug 1609110's fix is now on mozilla-central; it would be good to double-check that it does fix this AddressSanitizer failure as expected.

(In reply to Luca Greco [:rpl] [:luca] [:lgreco] from comment #13)
> Bug 1609110's fix is now on mozilla-central; it would be good to double-check that it does fix this AddressSanitizer failure as expected.

I am no longer able to reproduce this bug using the latest build from mozilla-central (9fd9eeb8160f).

Flags: needinfo?(jkratzer)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(dteller)

[adv-main74-] because this flaw never shipped on 73

Whiteboard: [adv-main74-]
Group: dom-core-security