Closed Bug 1654900 Opened 4 years ago Closed 4 years ago

Intermittent Win asan AddressSanitizer: heap-use-after-free dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) after running layout/base/tests/chrome/

Categories

(Core Graveyard :: Plug-ins, defect, P2)

80 Branch

Tracking

(firefox-esr78 wontfix, firefox80 wontfix, firefox81 wontfix, firefox82 wontfix, firefox86 unaffected, firefox87 unaffected, firefox88 unaffected)

RESOLVED DUPLICATE of bug 1670690
Tracking Status
firefox-esr78 --- wontfix
firefox80 --- wontfix
firefox81 --- wontfix
firefox82 --- wontfix
firefox86 --- unaffected
firefox87 --- unaffected
firefox88 --- unaffected

People

(Reporter: malexandru, Unassigned)

Details

(Keywords: csectype-uaf, sec-high)

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=310879666&repo=autoland&lineNumber=6069

Raw log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/Wn-iqbp4RP-M8YKGNhooBQ/runs/0/artifacts/public/logs/live_backing.log

[task 2020-07-23T19:47:02.874Z] 19:47:02     INFO - TEST-START | layout/base/tests/chrome/test_will_change.html
[task 2020-07-23T19:47:03.564Z] 19:47:03     INFO - GECKO(1388) | MEMORY STAT | vsize 19406360MB | vsizeMaxContiguous 65010589MB | residentFast 1455MB
[task 2020-07-23T19:47:03.602Z] 19:47:03     INFO - TEST-OK | layout/base/tests/chrome/test_will_change.html | took 733ms
[task 2020-07-23T19:47:03.721Z] 19:47:03     INFO - TEST-START | Shutdown
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - Passed:  1388
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - Failed:  0
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - Todo:    36
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - Mode:    non-e10s
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - Slowest: 17866ms - chrome://mochitests/content/chrome/layout/base/tests/chrome/test_printpreview.xhtml
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - SimpleTest FINISHED
[task 2020-07-23T19:47:03.723Z] 19:47:03     INFO - TEST-INFO | Ran 1 Loops
[task 2020-07-23T19:47:03.724Z] 19:47:03     INFO - SimpleTest FINISHED
[task 2020-07-23T19:47:03.886Z] 19:47:03     INFO - GECKO(1388) | JavaScript error: resource://gre/modules/AsyncShutdown.jsm, line 554: NotFoundError: No such JSWindowActor 'SpecialPowers'
[task 2020-07-23T19:47:05.350Z] 19:47:05     INFO - GECKO(1388) | 1595533625346	Marionette	TRACE	Received observer notification xpcom-will-shutdown
[task 2020-07-23T19:47:05.350Z] 19:47:05     INFO - GECKO(1388) | 1595533625346	Marionette	INFO	Stopped listening on port 2828
[task 2020-07-23T19:47:05.350Z] 19:47:05     INFO - GECKO(1388) | 1595533625346	Marionette	DEBUG	Marionette stopped listening
[task 2020-07-23T19:47:05.388Z] 19:47:05     INFO - GECKO(1388) | =================================================================
[task 2020-07-23T19:47:05.388Z] 19:47:05    ERROR - GECKO(1388) | ==11176==ERROR: AddressSanitizer: heap-use-after-free on address 0x129456879c40 at pc 0x7ffbf27f793b bp 0x0078a5ffe060 sp 0x0078a5ffe0a0
[task 2020-07-23T19:47:05.388Z] 19:47:05     INFO - GECKO(1388) | WRITE of size 8 at 0x129456879c40 thread T0
[task 2020-07-23T19:47:05.833Z] 19:47:05     INFO - GECKO(1388) |     #0 0x7ffbf27f793a in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:1403
[task 2020-07-23T19:47:05.855Z] 19:47:05     INFO - GECKO(1388) |     #1 0x7ffbeb0b02e5 in mozilla::ipc::IProtocol::DestroySubtree(enum mozilla::ipc::IProtocol::ActorDestroyReason) z:\build\build\src\ipc\glue\ProtocolUtils.cpp:561
[task 2020-07-23T19:47:05.874Z] 19:47:05     INFO - GECKO(1388) |     #2 0x7ffbeb6e0959 in mozilla::plugins::PPluginModuleParent::OnChannelClose(void) z:\build\workspace\obj-build\ipc\ipdl\PPluginModuleParent.cpp:1608
[task 2020-07-23T19:47:05.905Z] 19:47:05     INFO - GECKO(1388) |     #3 0x7ffbeb09fd18 in mozilla::ipc::MessageChannel::Close(void) z:\build\build\src\ipc\glue\MessageChannel.cpp:2713
[task 2020-07-23T19:47:05.929Z] 19:47:05     INFO - GECKO(1388) |     #4 0x7ffbf27fb6c4 in mozilla::plugins::PluginModuleParent::NP_Shutdown(short *) z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:1921
[task 2020-07-23T19:47:05.959Z] 19:47:05     INFO - GECKO(1388) |     #5 0x7ffbf26da9e1 in nsNPAPIPlugin::Shutdown(void) z:\build\build\src\dom\plugins\base\nsNPAPIPlugin.cpp:285
[task 2020-07-23T19:47:05.980Z] 19:47:05     INFO - GECKO(1388) |     #6 0x7ffbf272173d in nsPluginTag::TryUnloadPlugin(bool) z:\build\build\src\dom\plugins\base\nsPluginTags.cpp:594
[task 2020-07-23T19:47:06.010Z] 19:47:06     INFO - GECKO(1388) |     #7 0x7ffbf26ec799 in nsPluginHost::UnloadPlugins(void) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:613
[task 2020-07-23T19:47:06.040Z] 19:47:06     INFO - GECKO(1388) |     #8 0x7ffbf2708744 in nsPluginHost::Observe(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:2464
[task 2020-07-23T19:47:06.065Z] 19:47:06     INFO - GECKO(1388) |     #9 0x7ffbe9ad5e52 in nsObserverList::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverList.cpp:65
[task 2020-07-23T19:47:06.095Z] 19:47:06     INFO - GECKO(1388) |     #10 0x7ffbe9aef9be in nsObserverService::NotifyObservers(class nsISupports *,char const *,UNKNOWN const *) z:\build\build\src\xpcom\ds\nsObserverService.cpp:287
[task 2020-07-23T19:47:06.126Z] 19:47:06     INFO - GECKO(1388) |     #11 0x7ffbe9d141db in mozilla::ShutdownXPCOM(class nsIServiceManager *) z:\build\build\src\xpcom\build\XPCOMInit.cpp:621
[task 2020-07-23T19:47:06.156Z] 19:47:06     INFO - GECKO(1388) |     #12 0x7ffbf79ec8bb in ScopedXPCOMStartup::~ScopedXPCOMStartup(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:1289
[task 2020-07-23T19:47:06.185Z] 19:47:06     INFO - GECKO(1388) |     #13 0x7ffbf7a1609b in mozilla::UniquePtr<class ScopedXPCOMStartup,class mozilla::DefaultDelete<class ScopedXPCOMStartup> >::reset(class ScopedXPCOMStartup *) z:\build\workspace\obj-build\dist\include\mozilla\UniquePtr.h:302
[task 2020-07-23T19:47:06.210Z] 19:47:06     INFO - GECKO(1388) |     #14 0x7ffbf7a0c1b9 in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4983
[task 2020-07-23T19:47:06.241Z] 19:47:06     INFO - GECKO(1388) |     #15 0x7ffbf7a0d348 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5020
[task 2020-07-23T19:47:06.270Z] 19:47:06     INFO - GECKO(1388) |     #16 0x7ff645a72126 in NS_internal_main(int,char * *,char * *) z:\build\build\src\browser\app\nsBrowserApp.cpp:331
[task 2020-07-23T19:47:06.300Z] 19:47:06     INFO - GECKO(1388) |     #17 0x7ff645a71494 in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
[task 2020-07-23T19:47:06.339Z] 19:47:06     INFO - GECKO(1388) |     #18 0x7ff645b767c7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
[task 2020-07-23T19:47:06.361Z] 19:47:06     INFO - GECKO(1388) |     #19 0x7ffc3af53033  (C:\Windows\System32\KERNEL32.DLL+0x180013033)
[task 2020-07-23T19:47:06.390Z] 19:47:06     INFO - GECKO(1388) |     #20 0x7ffc3b991460  (C:\Windows\SYSTEM32\ntdll.dll+0x180071460)
[task 2020-07-23T19:47:06.390Z] 19:47:06     INFO - GECKO(1388) | 0x129456879c40 is located 960 bytes inside of 984-byte region [0x129456879880,0x129456879c58)
[task 2020-07-23T19:47:06.390Z] 19:47:06     INFO - GECKO(1388) | freed by thread T0 here:
[task 2020-07-23T19:47:06.429Z] 19:47:06     INFO - GECKO(1388) |     #0 0x7ffc15d96b15 in free Z:\task_1595450645\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:85
[task 2020-07-23T19:47:06.722Z] 19:47:06     INFO - GECKO(1388) |     #1 0x7ffbf2804ac6 in [thunk]:mozilla::plugins::PluginModuleChromeParent::`vector deleting destructor'`adjustor{608}' (unsigned int) (Z:\task_1595531441\build\application\firefox\xul.dll+0x188ef4ac6)
[task 2020-07-23T19:47:06.752Z] 19:47:06     INFO - GECKO(1388) |     #2 0x7ffbf26d99a0 in nsNPAPIPlugin::~nsNPAPIPlugin(void) z:\build\build\src\dom\plugins\base\nsNPAPIPlugin.cpp:180
[task 2020-07-23T19:47:06.783Z] 19:47:06     INFO - GECKO(1388) |     #3 0x7ffbf2721792 in nsPluginTag::TryUnloadPlugin(bool) z:\build\build\src\dom\plugins\base\nsPluginTags.cpp:595
[task 2020-07-23T19:47:06.804Z] 19:47:06     INFO - GECKO(1388) |     #4 0x7ffbf2708c6a in nsPluginHost::Notify(class nsITimer *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:2680
[task 2020-07-23T19:47:06.843Z] 19:47:06     INFO - GECKO(1388) |     #5 0x7ffbe9c5eb6c in nsTimerImpl::Fire(int) z:\build\build\src\xpcom\threads\nsTimerImpl.cpp:565
[task 2020-07-23T19:47:06.865Z] 19:47:06     INFO - GECKO(1388) |     #6 0x7ffbe9c5e10b in nsTimerEvent::Run(void) z:\build\build\src\xpcom\threads\TimerThread.cpp:251
[task 2020-07-23T19:47:06.903Z] 19:47:06     INFO - GECKO(1388) |     #7 0x7ffbe9c4cf0b in mozilla::RunnableTask::Run(void) z:\build\build\src\xpcom\threads\TaskController.cpp:242
[task 2020-07-23T19:47:06.924Z] 19:47:06     INFO - GECKO(1388) |     #8 0x7ffbe9c43ec0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:512
[task 2020-07-23T19:47:06.955Z] 19:47:06     INFO - GECKO(1388) |     #9 0x7ffbe9c408dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:371
[task 2020-07-23T19:47:06.995Z] 19:47:06     INFO - GECKO(1388) |     #10 0x7ffbe9c41113 in mozilla::TaskController::ProcessPendingMTTask(bool) z:\build\build\src\xpcom\threads\TaskController.cpp:168
[task 2020-07-23T19:47:07.015Z] 19:47:07     INFO - GECKO(1388) |     #11 0x7ffbe9c52211 in mozilla::detail::RunnableFunction<`lambda at z:/build/build/src/xpcom/threads/TaskController.cpp:86:7'>::Run z:\build\workspace\obj-build\dist\include\nsThreadUtils.h:577
[task 2020-07-23T19:47:07.046Z] 19:47:07     INFO - GECKO(1388) |     #12 0x7ffbe9c76065 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1234
[task 2020-07-23T19:47:07.067Z] 19:47:07     INFO - GECKO(1388) |     #13 0x7ffbe9c83b48 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:513
[task 2020-07-23T19:47:07.097Z] 19:47:07     INFO - GECKO(1388) |     #14 0x7ffbe9c7329d in nsThread::Shutdown(void) z:\build\build\src\xpcom\threads\nsThread.cpp:898
[task 2020-07-23T19:47:07.119Z] 19:47:07     INFO - GECKO(1388) |     #15 0x7ffbea0d0c2c in mozilla::net::WaitForThreadShutdown::Run(void) z:\build\build\src\netwerk\base\nsPACMan.cpp:166
[task 2020-07-23T19:47:07.144Z] 19:47:07     INFO - GECKO(1388) |     #16 0x7ffbe9c4cf0b in mozilla::RunnableTask::Run(void) z:\build\build\src\xpcom\threads\TaskController.cpp:242
[task 2020-07-23T19:47:07.174Z] 19:47:07     INFO - GECKO(1388) |     #17 0x7ffbe9c43ec0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:512
[task 2020-07-23T19:47:07.200Z] 19:47:07     INFO - GECKO(1388) |     #18 0x7ffbe9c408dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:371
[task 2020-07-23T19:47:07.224Z] 19:47:07     INFO - GECKO(1388) |     #19 0x7ffbe9c41113 in mozilla::TaskController::ProcessPendingMTTask(bool) z:\build\build\src\xpcom\threads\TaskController.cpp:168
[task 2020-07-23T19:47:07.249Z] 19:47:07     INFO - GECKO(1388) |     #20 0x7ffbe9c52211 in mozilla::detail::RunnableFunction<`lambda at z:/build/build/src/xpcom/threads/TaskController.cpp:86:7'>::Run z:\build\workspace\obj-build\dist\include\nsThreadUtils.h:577
[task 2020-07-23T19:47:07.270Z] 19:47:07     INFO - GECKO(1388) |     #21 0x7ffbe9c76065 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1234
[task 2020-07-23T19:47:07.300Z] 19:47:07     INFO - GECKO(1388) |     #22 0x7ffbe9c83b48 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:513
[task 2020-07-23T19:47:07.325Z] 19:47:07     INFO - GECKO(1388) |     #23 0x7ffbe9c7329d in nsThread::Shutdown(void) z:\build\build\src\xpcom\threads\nsThread.cpp:898
[task 2020-07-23T19:47:07.349Z] 19:47:07     INFO - GECKO(1388) |     #24 0x7ffbf27c3a29 in mozilla::plugins::FunctionBrokerParent::~FunctionBrokerParent(void) z:\build\build\src\dom\plugins\ipc\FunctionBrokerParent.cpp:54
[task 2020-07-23T19:47:07.374Z] 19:47:07     INFO - GECKO(1388) |     #25 0x7ffbf28042cf in mozilla::plugins::FunctionBrokerParent::`scalar deleting destructor'(unsigned int) z:\build\build\src\dom\plugins\ipc\FunctionBrokerParent.cpp:48
[task 2020-07-23T19:47:07.400Z] 19:47:07     INFO - GECKO(1388) |     #26 0x7ffbf27c3f7e in mozilla::plugins::FunctionBrokerParent::Destroy(class mozilla::plugins::FunctionBrokerParent *) z:\build\build\src\dom\plugins\ipc\FunctionBrokerParent.cpp:89
[task 2020-07-23T19:47:07.426Z] 19:47:07     INFO - GECKO(1388) |     #27 0x7ffbf27f7842 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:1402
[task 2020-07-23T19:47:07.452Z] 19:47:07     INFO - GECKO(1388) |     #28 0x7ffbeb0b02e5 in mozilla::ipc::IProtocol::DestroySubtree(enum mozilla::ipc::IProtocol::ActorDestroyReason) z:\build\build\src\ipc\glue\ProtocolUtils.cpp:561
[task 2020-07-23T19:47:07.452Z] 19:47:07     INFO - GECKO(1388) | previously allocated by thread T0 here:
[task 2020-07-23T19:47:07.474Z] 19:47:07     INFO - GECKO(1388) |     #0 0x7ffc15d96c45 in malloc Z:\task_1595450645\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cc:101
[task 2020-07-23T19:47:07.504Z] 19:47:07     INFO - GECKO(1388) |     #1 0x7ffc2415144e in moz_xmalloc z:\build\build\src\memory\mozalloc\mozalloc.cpp:52
[task 2020-07-23T19:47:07.529Z] 19:47:07     INFO - GECKO(1388) |     #2 0x7ffbf27ef0db in mozilla::plugins::PluginModuleChromeParent::LoadModule(char const *,unsigned int,class nsPluginTag *) z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:426
[task 2020-07-23T19:47:07.554Z] 19:47:07     INFO - GECKO(1388) |     #3 0x7ffbf26da0d7 in nsNPAPIPlugin::CreatePlugin(class nsPluginTag *,class nsNPAPIPlugin * *) z:\build\build\src\dom\plugins\base\nsNPAPIPlugin.cpp:218
[task 2020-07-23T19:47:07.579Z] 19:47:07     INFO - GECKO(1388) |     #4 0x7ffbf26f8217 in nsPluginHost::EnsurePluginLoaded(class nsPluginTag *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:1172
[task 2020-07-23T19:47:07.605Z] 19:47:07     INFO - GECKO(1388) |     #5 0x7ffbf26f420a in nsPluginHost::GetPlugin(class nsTSubstring<char> const &,class nsNPAPIPlugin * *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:1277
[task 2020-07-23T19:47:07.630Z] 19:47:07     INFO - GECKO(1388) |     #6 0x7ffbf26f3b35 in nsPluginHost::TrySetUpPluginInstance(class nsTSubstring<char> const &,class nsIURI *,class nsPluginInstanceOwner *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:827
[task 2020-07-23T19:47:07.656Z] 19:47:07     INFO - GECKO(1388) |     #7 0x7ffbf26f3504 in nsPluginHost::SetUpPluginInstance(class nsTSubstring<char> const &,class nsIURI *,class nsPluginInstanceOwner *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:776
[task 2020-07-23T19:47:07.680Z] 19:47:07     INFO - GECKO(1388) |     #8 0x7ffbf26f3188 in nsPluginHost::InstantiatePluginInstance(class nsTSubstring<char> const &,class nsIURI *,class nsObjectLoadingContent *,class nsPluginInstanceOwner * *) z:\build\build\src\dom\plugins\base\nsPluginHost.cpp:717
[task 2020-07-23T19:47:07.706Z] 19:47:07     INFO - GECKO(1388) |     #9 0x7ffbeda9255d in nsObjectLoadingContent::InstantiatePluginInstance(bool) z:\build\build\src\dom\base\nsObjectLoadingContent.cpp:705
[task 2020-07-23T19:47:07.737Z] 19:47:07     INFO - GECKO(1388) |     #10 0x7ffbedab01c1 in nsObjectLoadingContent::SyncStartPluginInstance(void) z:\build\build\src\dom\base\nsObjectLoadingContent.cpp:2745
[task 2020-07-23T19:47:07.759Z] 19:47:07     INFO - GECKO(1388) |     #11 0x7ffbe9c4cf0b in mozilla::RunnableTask::Run(void) z:\build\build\src\xpcom\threads\TaskController.cpp:242
[task 2020-07-23T19:47:07.790Z] 19:47:07     INFO - GECKO(1388) |     #12 0x7ffbe9c43ec0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:512
[task 2020-07-23T19:47:07.810Z] 19:47:07     INFO - GECKO(1388) |     #13 0x7ffbe9c408dc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) z:\build\build\src\xpcom\threads\TaskController.cpp:371
[task 2020-07-23T19:47:07.835Z] 19:47:07     INFO - GECKO(1388) |     #14 0x7ffbe9c41113 in mozilla::TaskController::ProcessPendingMTTask(bool) z:\build\build\src\xpcom\threads\TaskController.cpp:168
[task 2020-07-23T19:47:07.861Z] 19:47:07     INFO - GECKO(1388) |     #15 0x7ffbe9c521f1 in mozilla::detail::RunnableFunction<`lambda at z:/build/build/src/xpcom/threads/TaskController.cpp:83:7'>::Run z:\build\workspace\obj-build\dist\include\nsThreadUtils.h:577
[task 2020-07-23T19:47:07.886Z] 19:47:07     INFO - GECKO(1388) |     #16 0x7ffbe9c76065 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1234
[task 2020-07-23T19:47:07.925Z] 19:47:07     INFO - GECKO(1388) |     #17 0x7ffbe9c83b48 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:513
[task 2020-07-23T19:47:07.943Z] 19:47:07     INFO - GECKO(1388) |     #18 0x7ffbeb0a404f in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:87
[task 2020-07-23T19:47:07.964Z] 19:47:07     INFO - GECKO(1388) |     #19 0x7ffbeafe0abe in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:327
[task 2020-07-23T19:47:07.989Z] 19:47:07     INFO - GECKO(1388) |     #20 0x7ffbeafe0855 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:309
[task 2020-07-23T19:47:08.019Z] 19:47:08     INFO - GECKO(1388) |     #21 0x7ffbf36f184a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:137
[task 2020-07-23T19:47:08.039Z] 19:47:08     INFO - GECKO(1388) |     #22 0x7ffbf38bcd83 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:430
[task 2020-07-23T19:47:08.065Z] 19:47:08     INFO - GECKO(1388) |     #23 0x7ffbf7756c25 in nsAppStartup::Run(void) z:\build\build\src\toolkit\components\startup\nsAppStartup.cpp:270
[task 2020-07-23T19:47:08.095Z] 19:47:08     INFO - GECKO(1388) |     #24 0x7ffbf7a05e63 in XREMain::XRE_mainRun(void) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4776
[task 2020-07-23T19:47:08.116Z] 19:47:08     INFO - GECKO(1388) |     #25 0x7ffbf7a0c13d in XREMain::XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:4966
[task 2020-07-23T19:47:08.145Z] 19:47:08     INFO - GECKO(1388) |     #26 0x7ffbf7a0d348 in XRE_main(int,char * * const,struct mozilla::BootstrapConfig const &) z:\build\build\src\toolkit\xre\nsAppRunner.cpp:5020
[task 2020-07-23T19:47:08.170Z] 19:47:08     INFO - GECKO(1388) |     #27 0x7ff645a72126 in NS_internal_main(int,char * *,char * *) z:\build\build\src\browser\app\nsBrowserApp.cpp:331
[task 2020-07-23T19:47:08.196Z] 19:47:08     INFO - GECKO(1388) |     #28 0x7ff645a71494 in wmain z:\build\build\src\toolkit\xre\nsWindowsWMain.cpp:131
[task 2020-07-23T19:47:08.226Z] 19:47:08     INFO - GECKO(1388) | SUMMARY: AddressSanitizer: heap-use-after-free z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason)
[task 2020-07-23T19:47:08.227Z] 19:47:08     INFO - GECKO(1388) | Shadow bytes around the buggy address:
[task 2020-07-23T19:47:08.227Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f330: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2020-07-23T19:47:08.228Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f340: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2020-07-23T19:47:08.228Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f350: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2020-07-23T19:47:08.228Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f360: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2020-07-23T19:47:08.228Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f370: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) | =>0x04b4dee8f380: fd fd fd fd fd fd fd fd[fd]fd fd fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f390: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f3a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f3b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f3c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   0x04b4dee8f3d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   Addressable:           00
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   Partially addressable: 01 02 03 04 05 06 07
[task 2020-07-23T19:47:08.229Z] 19:47:08     INFO - GECKO(1388) |   Heap left redzone:       fa
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Freed heap region:       fd
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Stack left redzone:      f1
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Stack mid redzone:       f2
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Stack right redzone:     f3
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Stack after return:      f5
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Stack use after scope:   f8
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Global redzone:          f9
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Global init order:       f6
[task 2020-07-23T19:47:08.230Z] 19:47:08     INFO - GECKO(1388) |   Poisoned by user:        f7
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Container overflow:      fc
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Array cookie:            ac
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Intra object redzone:    bb
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   ASan internal:           fe
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Left alloca redzone:     ca
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Right alloca redzone:    cb
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) |   Shadow gap:              cc
[task 2020-07-23T19:47:08.231Z] 19:47:08     INFO - GECKO(1388) | ==11176==ABORTING
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - TEST-INFO | Main app process: exit 1
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - Buffered messages finished
[task 2020-07-23T19:47:08.555Z] 19:47:08    ERROR - TEST-UNEXPECTED-FAIL | Last test finished | application terminated with exit code 1
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - runtests.py | Application ran for: 0:01:00.947000
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - zombiecheck | Reading PID log: c:\users\task_1595531441\appdata\local\temp\tmpu74b17pidlog
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - ==> process 11176 launched child process 8004 ("Z:\task_1595531441\build\application\firefox\plugin-container.exe" --channel="11176.0.1393991820\875305062" "C:\Users\task_1595531441\AppData\Local\Temp\tmpfeh8gs.mozrunner\plugins\nptest.dll" "C:\Users\task_1595531441\AppData\LocalLow\Mozilla\Temp-{6c527d80-a670-42fb-890f-adb4754b9484}" "Z:\task_1595531441\AppData\Roaming\Adobe\\" -appdir "Z:\task_1595531441\build\application\firefox\browser" AB122833519D45B5 11176  plugin)
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - zombiecheck | Checking for orphan process with PID: 8004
[task 2020-07-23T19:47:08.555Z] 19:47:08     INFO - Stopping web server
[task 2020-07-23T19:47:08.560Z] 19:47:08     INFO - Stopping web socket server
[task 2020-07-23T19:47:08.579Z] 19:47:08     INFO - Stopping ssltunnel
[task 2020-07-23T19:47:08.619Z] 19:47:08  WARNING - leakcheck | refcount logging is off, so leaks can't be detected!
[task 2020-07-23T19:47:08.619Z] 19:47:08     INFO - runtests.py | Running tests: end.
[task 2020-07-23T19:47:08.678Z] 19:47:08     INFO - Buffered messages finished
[task 2020-07-23T19:47:08.678Z] 19:47:08     INFO - Running manifest: layout\inspector\tests\chrome\chrome.ini
[task 2020-07-23T19:47:08.717Z] 19:47:08     INFO - INFO | runtests.py | ASan using symbolizer at Z:\task_1595531441\build\application\firefox\llvm-symbolizer.exe
[task 2020-07-23T19:47:08.780Z] 19:47:08     INFO - INFO | runtests.py | ASan running in default memory configuration
[task 2020-07-23T19:47:09.918Z] 19:47:09     INFO -  Z:\task_1595531441\build\tests\bin\pk12util.exe: PKCS12 IMPORT SUCCESSFUL
[task 2020-07-23T19:47:10.221Z] 19:47:10     INFO - INFO | runtests.py | ASan using symbolizer at Z:\task_1595531441\build\application\firefox\llvm-symbolizer.exe
[task 2020-07-23T19:47:10.286Z] 19:47:10     INFO - INFO | runtests.py | ASan running in default memory configuration
[task 2020-07-23T19:47:10.286Z] 19:47:10     INFO - INFO | runtests.py | ASan using symbolizer at Z:\task_1595531441\build\application\firefox\llvm-symbolizer.exe
[task 2020-07-23T19:47:10.350Z] 19:47:10     INFO - INFO | runtests.py | ASan running in default memory configuration
[task 2020-07-23T19:47:10.355Z] 19:47:10     INFO - MochitestServer : launching [u'Z:\\task_1595531441\\build\\tests\\bin\\xpcshell.exe', '-g', 'Z:\\task_1595531441\\build\\application\\firefox', '-f', 'Z:\\task_1595531441\\build\\tests\\bin\\components\\httpd.js', '-e', "const _PROFILE_PATH = 'c:\\\\users\\\\task_1595531441\\\\appdata\\\\local\\\\temp\\\\tmpt9nxrt.mozrunner'; const _SERVER_PORT = '8888'; const _SERVER_ADDR = '127.0.0.1'; const _TEST_PREFIX = undefined; const _DISPLAY_RESULTS = false;", '-f', 'Z:\\task_1595531441\\build\\tests\\mochitest\\server.js']
[task 2020-07-23T19:47:10.355Z] 19:47:10     INFO - runtests.py | Server pid: 8636
[task 2020-07-23T19:47:10.357Z] 19:47:10     INFO - runtests.py | Websocket server pid: 8276
[task 2020-07-23T19:47:10.359Z] 19:47:10     INFO - INFO | runtests.py | ASan using symbolizer at Z:\task_1595531441\build\application\firefox\llvm-symbolizer.exe
[task 2020-07-23T19:47:10.437Z] 19:47:10     INFO - INFO | runtests.py | ASan running in default memory configuration
[task 2020-07-23T19:47:10.437Z] 19:47:10     INFO - runtests.py | SSL tunnel pid: 7684
[task 2020-07-23T19:47:10.845Z] 19:47:10     INFO - runtests.py | Running with scheme: http
[task 2020-07-23T19:47:10.845Z] 19:47:10     INFO - runtests.py | Running with e10s: False
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - runtests.py | Running with fission: False
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - runtests.py | Running with cross-origin iframes: False
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - runtests.py | Running with serviceworker_e10s: True
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - runtests.py | Running with socketprocess_e10s: False
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - runtests.py | Running tests: start.
[task 2020-07-23T19:47:10.846Z] 19:47:10     INFO - 
[task 2020-07-23T19:47:11.026Z] 19:47:11     INFO - Application command: Z:\task_1595531441\build\application\firefox\firefox.exe -marionette --wait-for-browser -foreground -profile c:\users\task_1595531441\appdata\local\temp\tmpt9nxrt.mozrunner
[task 2020-07-23T19:47:11.026Z] 19:47:11     INFO - runtests.py | Application pid: 10212
[task 2020-07-23T19:47:11.026Z] 19:47:11     INFO - TEST-INFO | started process GECKO(10212)
[task 2020-07-23T19:47:13.711Z] 19:47:13     INFO - GECKO(10212) | 1595533633700	Marionette	TRACE	Marionette enabled
[task 2020-07-23T19:47:14.034Z] 19:47:14     INFO - GECKO(10212) | 1595533634027	Marionette	TRACE	Received observer notification toplevel-window-ready
[task 2020-07-23T19:47:18.102Z] 19:47:18     INFO - GECKO(10212) | console.error: SearchCache: "_readCacheFile: Error reading cache file:" (new Error("", "(unknown module)"))
[task 2020-07-23T19:47:18.878Z] 19:47:18     INFO - GECKO(10212) | JavaScript error: resource://gre/modules/ConduitsChild.jsm, line 167: Error: CallResult for closed conduit screenshots@mozilla.org.7: ({childId:"screenshots@mozilla.org.7", callId:29, path:"menusInternal.create", result:{}})
[task 2020-07-23T19:47:21.524Z] 19:47:21     INFO - GECKO(10212) | 1595533641521	Marionette	TRACE	Received observer notification marionette-startup-requested
[task 2020-07-23T19:47:21.524Z] 19:47:21     INFO - GECKO(10212) | 1595533641522	Marionette	TRACE	Waiting until startup recorder finished recording startup scripts...
Group: core-security → dom-core-security
Summary: Intermittent AddressSanitizer: heap-use-after-free z:\build\build\src\dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) → Intermittent AddressSanitizer: heap-use-after-free dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason)

starting with sec-high for a UAF, but might have mitigating factors: is non-e10s mode required , or could this happen in normal default e10s mode? Is this strictly a NPAPI (almost dead) plugin, or would it apply to GMP plugins as well? Does this happen at content process shutdown (which attacker could potentially cause) or Firefox parent-initiated shutdown?

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)

This is plugin code (flash). GMP uses different ipc code. We're going to kill plugins off in 84, I think we can wait for that release to address this.

Flags: needinfo?(jmathies)

The severity field is not set for this bug.
:jimm, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(jmathies)
Summary: Intermittent AddressSanitizer: heap-use-after-free dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) → Intermittent Win asan AddressSanitizer: heap-use-after-free dom\plugins\ipc\PluginModuleParent.cpp:1403 in mozilla::plugins::PluginModuleChromeParent::ActorDestroy(enum mozilla::ipc::IProtocol::ActorDestroyReason) after running layout/base/tests/chrome/
Severity: -- → S3
Flags: needinfo?(jmathies)
Priority: -- → P2

David, same question, can you hang this off of plugin removal and set flags?

Flags: needinfo?(davidp99)

Plugins were disabled in Fx85 and, as part of that, these actors can no longer be created. The actors are being removed in bug 1682030. OTOH, I believe this is the same bug as bug 1670690, so the crash appears in the wild, and has recently spiked in ESR 78, so it can't be completely ignored. Its too bad that ASAN doesn't reliably fail here because we don't have much else to go on.

Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(davidp99)
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard
Group: dom-core-security
You need to log in before you can comment on or make changes to this bug.