1646104 - AddressSanitizer: heap-use-after-free [@ mozilla::a11y::DocAccessibleChild::GetNativeWindowHandle] with READ of size 8

Status: RESOLVED DUPLICATE of bug 1645067

(Core :: Disability Access APIs, defect)

Description

[Christian Holler (:decoder)]

The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 79.0a1-20200612094620-https://hg.mozilla.org/mozilla-central/rev/fea1e502ea281a9b86b821957e622f0b0d081ce7.

For detailed crash information, see attachment.

Comment 1

[Christian Holler (:decoder)]

Attachment: Detailed Crash Information

Comment 3

[Andrew McCreight [:mccr8]]

Jamie, could you please take a look? It looks like the code around the use was changed recently in bug 1644323.

It looks like that code is calling a method on a DocAccessibleChild from a runnable, and that DocAccessibleChild was freed. Before bug 1644323, that code called a method on BrowserChild, so maybe it is a regression.

Comment 4

[James Teh [:Jamie]]

This is a duplicate of bug 1645067, which I already fixed, but the fix landed just after the revision tested here.

Is it safe for me to close this as a dup?

Comment 5

[Andrew McCreight [:mccr8]]

Yes, duplicating it over is fine. I'll just do that. Thanks.

Comment 6

[Tom Ritter [:tjr]]

What was the first submission date for the ASAN report? It might be within the dupe window. (In the future, it would be good to include that in the private comment with the reporter.)

Comment 7

[Christian Holler (:decoder)]

(In reply to Tom Ritter [:tjr] (ni for response to sec-[approval|rating|advisories|cve]) from comment #6)

What was the first submission date for the ASAN report? It might be within the dupe window. (In the future, it would be good to include that in the private comment with the reporter.)

First report was received at Fri, 12 Jun 2020 19:18:10 +0000.