1614339 - AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsDeque.h:83:42 in GetSize

Status: VERIFIED FIXED

(Core :: DOM: Workers, defect, P1)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev d3aa4a9e4dfd.

==20676==ERROR: AddressSanitizer: heap-use-after-free on address 0x6140003b0cf0 at pc 0x7fe90543b850 bp 0x7fe84ab2cb70 sp 0x7fe84ab2cb68
READ of size 8 at 0x6140003b0cf0 thread T78 (DOM Worker)
    #0 0x7fe90543b84f in GetSize /builds/worker/workspace/build/src/obj-firefox/dist/include/nsDeque.h:83:42
    #1 0x7fe90543b84f in mozilla::dom::EventSourceImpl::CloseInternal() /builds/worker/workspace/build/src/dom/base/EventSource.cpp:392:30
    #2 0x7fe9056c7a89 in operator() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:171:14
    #3 0x7fe9056c7a89 in std::_Function_handler<void (mozilla::DOMEventTargetHelper*, bool*), nsIGlobalObject::DisconnectEventTargetObjects()::$_11>::_M_invoke(std::_Any_data const&, mozilla::DOMEventTargetHelper*&&, bool*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #4 0x7fe905686797 in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:706:14
    #5 0x7fe905686797 in nsIGlobalObject::ForEachEventTargetObject(std::function<void (mozilla::DOMEventTargetHelper*, bool*)> const&) const /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:162:5
    #6 0x7fe905685dcb in nsIGlobalObject::DisconnectEventTargetObjects() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:170:3
    #7 0x7fe908ffe555 in NoteTerminating /builds/worker/workspace/build/src/dom/workers/WorkerScope.cpp:184:3
    #8 0x7fe908ffe555 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:4198:23
    #9 0x7fe9090156fe in mozilla::dom::WorkerRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerRunnable.cpp:369:12
    #10 0x7fe908ffe191 in mozilla::dom::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:3427:9
    #11 0x7fe908ffcc59 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2789:21
    #12 0x7fe908fca294 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2318:40
    #13 0x7fe901490358 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #14 0x7fe90149b16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #15 0x7fe9026eecf4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:332:5
    #16 0x7fe9025e66d7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #17 0x7fe9025e66d7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #18 0x7fe9025e66d7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #19 0x7fe9014894a7 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:464:10
    #20 0x7fe92544acde in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #21 0x7fe92508c6da in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76da)
    #22 0x7fe92406a88e in clone /build/glibc-OTsEL5/glibc-2.27/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x6140003b0cf0 is located 176 bytes inside of 432-byte region [0x6140003b0c40,0x6140003b0df0)
freed by thread T78 (DOM Worker) here:
    #0 0x5574da313b9d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
    #1 0x7fe9054a1d28 in ~ /builds/worker/workspace/build/src/dom/base/EventSource.cpp:1704:38
    #2 0x7fe9054a1d28 in _M_destroy /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:207:4
    #3 0x7fe9054a1d28 in std::_Function_base::_Base_manager<mozilla::dom::EventSourceImpl::CreateWorkerRef(mozilla::dom::WorkerPrivate*)::$_21>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:231:8
    #4 0x7fe90901385d in mozilla::dom::StrongWorkerRef::~StrongWorkerRef() /builds/worker/workspace/build/src/dom/workers/WorkerRef.cpp:186:35
    #5 0x7fe909013c98 in mozilla::dom::ThreadSafeWorkerRef::~ThreadSafeWorkerRef() /builds/worker/workspace/build/src/dom/workers/WorkerRef.cpp:210:1
    #6 0x7fe90543c07a in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/WorkerRef.h:191:3
    #7 0x7fe90543c07a in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:50:40
    #8 0x7fe90543c07a in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:379:36
    #9 0x7fe90543c07a in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:69:7
    #10 0x7fe90543c07a in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:168:5
    #11 0x7fe90543c07a in mozilla::dom::EventSourceImpl::ReleaseWorkerRef() /builds/worker/workspace/build/src/dom/base/EventSource.cpp:1717:14
    #12 0x7fe90543b7f4 in mozilla::dom::EventSourceImpl::CloseInternal() /builds/worker/workspace/build/src/dom/base/EventSource.cpp:389:5
    #13 0x7fe9056c7a89 in operator() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:171:14
    #14 0x7fe9056c7a89 in std::_Function_handler<void (mozilla::DOMEventTargetHelper*, bool*), nsIGlobalObject::DisconnectEventTargetObjects()::$_11>::_M_invoke(std::_Any_data const&, mozilla::DOMEventTargetHelper*&&, bool*&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:316:2
    #15 0x7fe905686797 in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.4.0/../../../../include/c++/7.4.0/bits/std_function.h:706:14
    #16 0x7fe905686797 in nsIGlobalObject::ForEachEventTargetObject(std::function<void (mozilla::DOMEventTargetHelper*, bool*)> const&) const /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:162:5
    #17 0x7fe905685dcb in nsIGlobalObject::DisconnectEventTargetObjects() /builds/worker/workspace/build/src/dom/base/nsIGlobalObject.cpp:170:3
    #18 0x7fe908ffe555 in NoteTerminating /builds/worker/workspace/build/src/dom/workers/WorkerScope.cpp:184:3
    #19 0x7fe908ffe555 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:4198:23
    #20 0x7fe9090156fe in mozilla::dom::WorkerRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerRunnable.cpp:369:12
    #21 0x7fe908ffe191 in mozilla::dom::WorkerPrivate::ProcessAllControlRunnablesLocked() /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:3427:9
    #22 0x7fe908ffcc59 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2789:21
    #23 0x7fe908fca294 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2318:40
    #24 0x7fe901490358 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #25 0x7fe90149b16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #26 0x7fe9026eecf4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:332:5
    #27 0x7fe9025e66d7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #28 0x7fe9025e66d7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #29 0x7fe9025e66d7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #30 0x7fe9014894a7 in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:464:10
    #31 0x7fe92544acde in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5

previously allocated by thread T78 (DOM Worker) here:
    #0 0x5574da313e1d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x5574da34962d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fe905447a00 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fe905447a00 in mozilla::dom::EventSource::EventSource(nsIGlobalObject*, nsICookieSettings*, bool) /builds/worker/workspace/build/src/dom/base/EventSource.cpp:1779:11
    #4 0x7fe905447f66 in mozilla::dom::EventSource::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::EventSourceInit const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/EventSource.cpp:1821:41
    #5 0x7fe906c201bb in mozilla::dom::EventSource_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventSourceBinding.cpp:712:57
    #6 0x7fe90d432a5e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:13
    #7 0x7fe90d432a5e in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:486:8
    #8 0x7fe90d432a5e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:688:10
    #9 0x7fe90d432134 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:715:10
    #10 0x7fe90d40ac1c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3032:16
    #11 0x7fe90d3f9d44 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:10
    #12 0x7fe90d42feb5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:597:13
    #13 0x7fe90d431bca in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:10
    #14 0x7fe90d431ea6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:642:8
    #15 0x7fe90d5c7ca2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #16 0x7fe906ad79e3 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
    #17 0x7fe9076b23cb in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:364:12
    #18 0x7fe9076b06eb in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:201:12
    #19 0x7fe9076755ce in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1079:22
    #20 0x7fe907676ba6 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #21 0x7fe90766488f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #22 0x7fe907662de1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16

Thread T78 (DOM Worker) created by T0 here:
    #0 0x5574da2fe5aa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
    #1 0x7fe92543b185 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7fe92542c0fe in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7fe90148bf84 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:670:8
    #4 0x7fe9090248ab in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
    #5 0x7fe908fa4226 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1427:14
    #6 0x7fe908fa2cb2 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1292:19
    #7 0x7fe908ff7c60 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2375:24
    #8 0x7fe908fb0867 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:32:41
    #9 0x7fe9068ca410 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1088:52
    #10 0x7fe90d432a5e in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470:13
    #11 0x7fe90d432a5e in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:486:8
    #12 0x7fe90d432a5e in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:688:10
    #13 0x7fe90d432134 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:715:10
    #14 0x7fe90d40ac1c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3032:16
    #15 0x7fe90d3f9d44 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:442:10
    #16 0x7fe90d42feb5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:597:13
    #17 0x7fe90d431bca in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:625:10
    #18 0x7fe90d431ea6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:642:8
    #19 0x7fe90d5c7ca2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #20 0x7fe906bcb800 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #21 0x7fe907675b0b in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #22 0x7fe907675544 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1073:43
    #23 0x7fe907676ba6 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #24 0x7fe90766488f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #25 0x7fe907662de1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
    #26 0x7fe90766789b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #27 0x7fe90766c809 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #28 0x7fe90568d71e in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1259:17
    #29 0x7fe9050f5237 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4077:28
    #30 0x7fe9050f4f73 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4047:10
    #31 0x7fe9053b7a15 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7204:3
    #32 0x7fe9054837c4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1163:12
    #33 0x7fe9054837c4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1169:12
    #34 0x7fe9054837c4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1215:13
    #35 0x7fe901490358 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #36 0x7fe90149b16c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #37 0x7fe9026ecf6f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #38 0x7fe9025e66d7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #39 0x7fe9025e66d7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #40 0x7fe9025e66d7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #41 0x7fe9096bba08 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #42 0x7fe90cfb074b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
    #43 0x7fe90d1c4501 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4566:22
    #44 0x7fe90d1c6426 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:8
    #45 0x7fe90d1c7103 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4752:21
    #46 0x5574da3468ff in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
    #47 0x5574da3468ff in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:331:16
    #48 0x7fe923f6ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsDeque.h:83:42 in GetSize
Shadow bytes around the buggy address:
  0x0c288006e140: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c288006e150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c288006e160: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c288006e170: 00 00 00 00 00 00 00 00 00 00 00 00 00 fa fa fa
  0x0c288006e180: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
=>0x0c288006e190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c288006e1a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c288006e1b0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x0c288006e1c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c288006e1d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c288006e1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==20676==ABORTING

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/FnEFXq3QqniKoEeAcOjQCw/index.html

Comment 2

[Jens Stutte [:jstutte]]

:ttung, can you have a look here?

Comment 3

[Tom Tung [:tt, :ttung]]

It looks like:

• EventSourceImpl is expected to increase its ref-count in here, but it didn't because the mSrc is not https/http (so it returned earlier in here)
• When EventSourceImpl was closing, the only remaining holder was WorkerStrongRef and it was released here
• UAF here

A solution to me is to ensure refcount always be increased if it will need to be closed later. So that the calls for AddRefObject and ReleaseObject can be balanced.

Comment 4

[Tom Tung [:tt, :ttung]]

(In reply to Tom Tung [:tt, :ttung] from comment #3)

A solution to me is to ensure refcount always be increased if it will need to be closed later. So that the calls for AddRefObject and ReleaseObject can be balanced.

Another option is to take a kungFuDeathGrip when it's closing to ensure CloseInternal finish.

Comment 5

[Tom Tung [:tt, :ttung]]

Attachment: Bug 1614339 - Ensure CloseInternal alive until it is finished;

Comment 6

[Tom Tung [:tt, :ttung]]

With the attaching patch, I cannot reproduce the issue. (I could reproduce that without it)

Comment 7

[Tom Tung [:tt, :ttung]]

Attachment: Bug 1614339 - Add a crashtest;

Comment 8

[Tom Tung [:tt, :ttung]]

Comment on attachment 9128117 [details]
Bug 1614339 - Ensure CloseInternal alive until it is finished;

Security Approval Request

• How easily could an exploit be constructed based on the patch?: From the fix and a line of the comment above, people might suspect this bug is related to the object itself was freed when its member function is called. However, it's still not clear for them, how to reproduce the bug.

(I think the comment should be fine, but please help me to confirm. If you think it looks too obvious, I can change it.)

• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Unknown
• Which older supported branches are affected by this flaw?: esr 68 (53; it seems this issue can happen since bug 1267903)
• If not all supported branches, which bug introduced the flaw?: None
• Do you have backports for the affected branches?: No
• If not, how different, hard to create, and risky will they be?: (To be clear, I will request uplift to beta and esr68)
  That shouldn't be hard to do that, but the priority for doing that is not so high since:

• I haven't seen a bug/crash report that seems to be related to this issue/in the event source.
• To reproduce this issue, a worker needs to terminate itself before creating an event source with an invalid scheme. So, that should be rare to occur in general script.

• How likely is this patch to cause regressions; how much testing does it need?: It should be hard to cause regressions since this patch only makes EventSourceImpl holds itself in CloseInternal function to ensure itself alive until the function is completed.

Comment 9

[Tom Tung [:tt, :ttung]]

:tjr would you mind checking if it passes the sec-approval?

Comment 10

[Pascal Chevrel:pascalc (PTO until April 26)]

Comment on attachment 9128117 [details]
Bug 1614339 - Ensure CloseInternal alive until it is finished;

Could you land the patch and request an uplift to 74? Thanks

Comment 11

[Tom Tung [:tt, :ttung]]

Comment on attachment 9128117 [details]
Bug 1614339 - Ensure CloseInternal alive until it is finished;

Beta/Release Uplift Approval Request

• User impact if declined: Might hit the UAF issue.

I created a crash test, but I want to land it on another bug.

• Is this code covered by automated tests?: Unknown
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: Yes
• If yes, steps to reproduce: Please run the test Attachment #9128486 [details] locally or follow comment#0 to reproduce it to ensure the problem is fixed.
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): It only added a strong pointer to hold itself in the clean up function
• String changes made/needed:

Comment 12

[Tom Tung [:tt, :ttung]]

(Revert the change I didn't intend to do and remove the ni)

Comment 13

[Pascal Chevrel:pascalc (PTO until April 26)]

Comment on attachment 9128117 [details]
Bug 1614339 - Ensure CloseInternal alive until it is finished;

Approved for 74 RC2

Comment 14

[Andreea Pavel [:apavel]]

Release uplift: https://hg.mozilla.org/releases/mozilla-release/rev/90e3d7f045bdb8847d2d142878ab46812672a965

Comment 15

[Ryan VanderMeulen [:RyanVM]]

It sounds like we need an ESR approval request for this too? (And RC respins...)

Comment 16

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/3df54b10a300c58e1cf98a2e69fcfe93101c8227
https://hg.mozilla.org/mozilla-central/rev/3df54b10a300

Comment 17

[Tom Tung [:tt, :ttung]]

It's already approval-mozilla-esr68+ :)

Comment 18

[Tom Tung [:tt, :ttung]]

(In reply to Tom Tung [:tt, :ttung] from comment #17)

It's already approval-mozilla-esr68+ :)

To provide more context, the patch applies to esr68 clearly on my local machine

Comment 19

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/releases/mozilla-esr68/rev/0e73e813feb4fc069a90a89eadffe4741a14f1ac

Comment 20

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

As we're now in the RC phase

Comment 21

[Bogdan Maris, Desktop QA]

Reproduced the initial issue on Nightly d3aa4a9e4dfd and I confirm that this issue does not occur anymore on latest fuzz builds for Nightly 75, Fx 74.0 RC2 and 68.6.0esr.