Closed Bug 1628120 Opened 4 years ago Closed 4 years ago

Intermittent GECKO(11228) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\xpcom\threads\SchedulerGroup.cpp:86 in mozilla::SchedulerGroup::LabeledDispatch

Categories

(Core :: DOM: Navigation, defect, P1)

Product:
Core
Component:
DOM: Navigation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla77
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- unaffected
firefox77 + fixed

People

(Reporter: intermittent-bug-filer, Assigned: farre)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Crash Data

Attachments

(1 file)

Bug 1628120 - Make sure to dispatch to correct event target. r=peterv!
47 bytes, text/x-phabricator-request
Details | Review

Filed by: rmaries [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer.html#?job_id=296677860&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/UeqS2swmTZGAwjpYbZv1Fg/runs/0/artifacts/public/logs/live_backing.log

[task 2020-04-07T21:05:06.725Z] 21:05:06 INFO - TEST-START | security/manager/ssl/tests/mochitest/mixedcontent/test_cssBefore1.html
[task 2020-04-07T21:05:06.735Z] 21:05:06 INFO - GECKO(11228) | hostRecordType: 0
[task 2020-04-07T21:05:06.842Z] 21:05:06 INFO - GECKO(11228) | hostRecordType: 0
[task 2020-04-07T21:05:07.033Z] 21:05:07 INFO - GECKO(11228) | hostRecordType: 0
[task 2020-04-07T21:05:07.236Z] 21:05:07 INFO - GECKO(11228) | JavaScript error: https://example.com/tests/SimpleTest/SimpleTest.js, line 66: SecurityError: Permission denied to access property "TestRunner" on cross-origin object
[task 2020-04-07T21:05:07.275Z] 21:05:07 INFO - GECKO(11228) | =================================================================
[task 2020-04-07T21:05:07.275Z] 21:05:07 ERROR - GECKO(11228) | ==2020==ERROR: AddressSanitizer: heap-use-after-free on address 0x12d28003e4e0 at pc 0x7ffb5da6c5f6 bp 0x00ddedafde60 sp 0x00ddedafdea8
[task 2020-04-07T21:05:07.275Z] 21:05:07 INFO - GECKO(11228) | WRITE of size 8 at 0x12d28003e4e0 thread T36
[task 2020-04-07T21:05:07.319Z] 21:05:07 INFO - GECKO(11228) | ==2020==WARNING: Failed to use and restart external symbolizer!
[task 2020-04-07T21:05:07.622Z] 21:05:07 INFO - GECKO(11228) | JavaScript error: https://example.com/tests/SimpleTest/SimpleTest.js, line 66: SecurityError: Permission denied to access property "TestRunner" on cross-origin object
[task 2020-04-07T21:05:08.173Z] 21:05:08 INFO - GECKO(11228) | #35 0x7ffbac5e3033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2020-04-07T21:05:08.175Z] 21:05:08 INFO - GECKO(11228) | #36 0x7ffbae9b1460 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2020-04-07T21:05:08.175Z] 21:05:08 INFO - GECKO(11228) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\xpcom\threads\SchedulerGroup.cpp:86 in mozilla::SchedulerGroup::LabeledDispatch
[task 2020-04-07T21:05:08.175Z] 21:05:08 INFO - GECKO(11228) | Shadow bytes around the buggy address:
[task 2020-04-07T21:05:08.176Z] 21:05:08 INFO - GECKO(11228) | 0x0510d0007c40: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
[task 2020-04-07T21:05:08.176Z] 21:05:08 INFO - GECKO(11228) | 0x0510d0007c50: fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa

Based on the stack traces in the log, I think this belongs somewhere in DOM.

Component: Security: PSM → DOM: Core & HTML
Priority: P5 → --
Group: core-security

Looks like a regression from bug 1620594. Can you please take a look, Andreas? Thanks.

[Tracking Requested - why for this release]: sec-high regression

Group: core-security → dom-core-security
status-firefox76: --- → unaffected
status-firefox77: --- → affected
tracking-firefox77: --- → ?
Component: DOM: Core & HTML → DOM: Navigation
Flags: needinfo?(afarre)
Keywords: csectype-uaf, regression, sec-high
Regressed by: 1620594
Has Regression Range: --- → yes
Priority: -- → P1
Assignee: nobody → afarre
Flags: needinfo?(afarre)

https://hg.mozilla.org/integration/autoland/rev/207cada5013283f4bd078c9648121dfe90ce5ac6
https://hg.mozilla.org/mozilla-central/rev/207cada50132

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox77: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla77
Crash Signature: [@ mozilla::PerformanceCounterState::RunnableWillRun(mozilla::PerformanceCounter*, mozilla::TimeStamp, bool)]
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Crash Signature: [@ mozilla::PerformanceCounterState::RunnableWillRun(mozilla::PerformanceCounter*, mozilla::TimeStamp, bool)] → [@ mozilla::PerformanceCounterState::RunnableWillRun(mozilla::PerformanceCounter*, mozilla::TimeStamp, bool)] [@ RefPtr<mozilla::PerformanceCounter>::assign_with_AddRef(mozilla::PerformanceCounter*)]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: