1677888 - heap-use-after-free in [@ mozilla::IncrementalFinalizeRunnable::Run]

Status: RESOLVED FIXED

(Core :: XPCOM, defect)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20201117-8b19c30190d5.

The test case does not seem to be reliable enough to reduce or to create a Pernosco session.

==31276==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000285508 at pc 0x7ff5b773c80e bp 0x7ff5813a6270 sp 0x7ff5813a6268
READ of size 8 at 0x614000285508 thread T687 (GraphRunner)
    #0 0x7ff5b773c80d in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7ff5b773c80d in operator!=<mozilla::IncrementalFinalizeRunnable, mozilla::IncrementalFinalizeRunnable> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:515:37
    #2 0x7ff5b773c80d in mozilla::IncrementalFinalizeRunnable::Run() /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1568:35
    #3 0x7ff5b7966f58 in IdleRunnableWrapper::Run() /gecko/xpcom/threads/nsThreadUtils.cpp:348:22
    #4 0x7ff5b793f377 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:14
    #5 0x7ff5b7949f0c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #6 0x7ff5b8c32ed4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
    #7 0x7ff5b8b2f4c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #8 0x7ff5b8b2f4c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #9 0x7ff5b8b2f4c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #10 0x7ff5b7938482 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:442:10
    #11 0x7ff5d09db42e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #12 0x7ff5d42e9608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8
    #13 0x7ff5d3eb2292 in clone /build/glibc-ZN95T4/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x614000285508 is located 200 bytes inside of 392-byte region [0x614000285440,0x6140002855c8)
freed by thread T687 (GraphRunner) here:
    #0 0x563ca5ad8b0d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:123:3
    #1 0x7ff5b7729515 in mozilla::CycleCollectedJSContext::~CycleCollectedJSContext() /gecko/xpcom/base/CycleCollectedJSContext.cpp:118:3
    #2 0x7ff5bf5ab42c in ~WorkletJSContext /gecko/dom/worklet/WorkletThread.cpp:116:3
    #3 0x7ff5bf5ab42c in mozilla::dom::WorkletThread::DeleteCycleCollectedJSContext() /gecko/dom/worklet/WorkletThread.cpp:428:3
    #4 0x7ff5bde0a45c in mozilla::MediaTrackGraphImpl::UpdateMainThreadState() /gecko/dom/media/MediaTrackGraph.cpp:1357:3
    #5 0x7ff5bde0ae44 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1422:8
    #6 0x7ff5bda737e1 in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:116:32
    #7 0x7ff5b793f377 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:14
    #8 0x7ff5b7949f0c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #9 0x7ff5b8c32e92 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
    #10 0x7ff5b8b2f4c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #11 0x7ff5b8b2f4c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #12 0x7ff5b8b2f4c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #13 0x7ff5b7938482 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:442:10
    #14 0x7ff5d09db42e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #15 0x7ff5d42e9608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T687 (GraphRunner) here:
    #0 0x563ca5ad8d8d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x563ca5b1d54d in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7ff5bf5acf53 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7ff5bf5acf53 in mozilla::dom::WorkletJSContext::CreateRuntime(JSContext*) /gecko/dom/worklet/WorkletThread.cpp:121:12
    #4 0x7ff5b772af03 in mozilla::CycleCollectedJSContext::Initialize(JSRuntime*, unsigned int) /gecko/xpcom/base/CycleCollectedJSContext.cpp:132:14
    #5 0x7ff5bf5aaef2 in mozilla::dom::WorkletJSContext::Initialize(JSRuntime*) /gecko/dom/worklet/WorkletThread.cpp:127:44
    #6 0x7ff5bf5a4f27 in mozilla::dom::WorkletThread::EnsureCycleCollectedJSContext(JSRuntime*) /gecko/dom/worklet/WorkletThread.cpp:348:26
    #7 0x7ff5bf5a44dc in mozilla::dom::ExecutionRunnable::RunOnWorkletThread() /gecko/dom/worklet/Worklet.cpp:385:18
    #8 0x7ff5bf5a43ba in mozilla::dom::ExecutionRunnable::Run() /gecko/dom/worklet/Worklet.cpp:347:5
    #9 0x7ff5bde063b7 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /gecko/dom/media/MediaTrackGraph.cpp:1153:20
    #10 0x7ff5bde0ac37 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /gecko/dom/media/MediaTrackGraph.cpp:1396:3
    #11 0x7ff5bda737e1 in mozilla::GraphRunner::Run() /gecko/dom/media/GraphRunner.cpp:116:32
    #12 0x7ff5b793f377 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:14
    #13 0x7ff5b7949f0c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #14 0x7ff5b8c32e92 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:302:20
    #15 0x7ff5b8b2f4c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #16 0x7ff5b8b2f4c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #17 0x7ff5b8b2f4c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #18 0x7ff5b7938482 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:442:10
    #19 0x7ff5d09db42e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #20 0x7ff5d42e9608 in start_thread /build/glibc-ZN95T4/glibc-2.31/nptl/pthread_create.c:477:8

Thread T687 (GraphRunner) created by T0 (Web Content) here:
    #0 0x563ca5ac37fa in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:214:3
    #1 0x7ff5d09cb6a4 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7ff5d09bc7ee in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7ff5b793b0ab in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:659:8
    #4 0x7ff5b7948318 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:640:12
    #5 0x7ff5b7953a78 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:161:57
    #6 0x7ff5bda7245a in NS_NewNamedThread<12> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:85:10
    #7 0x7ff5bda7245a in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /gecko/dom/media/GraphRunner.cpp:37:7
    #8 0x7ff5bde1d306 in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, mozilla::AbstractThread*) /gecko/dom/media/MediaTrackGraph.cpp:3029:26
    #9 0x7ff5bde1e8af in mozilla::MediaTrackGraph::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, nsPIDOMWindowInner*, int, void const*) /gecko/dom/media/MediaTrackGraph.cpp:3168:17
    #10 0x7ff5be465453 in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, unsigned int, unsigned int) /gecko/dom/media/webaudio/AudioDestinationNode.cpp:307:28
    #11 0x7ff5be458010 in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /gecko/dom/media/webaudio/AudioContext.cpp:177:11
    #12 0x7ff5be459f0b in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /gecko/dom/media/webaudio/AudioContext.cpp:283:11
    #13 0x7ff5bb46e4c8 in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:842:58
    #14 0x7ff5c3918e51 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:499:13
    #15 0x7ff5c3918e51 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:515:8
    #16 0x7ff5c3918e51 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:719:10
    #17 0x7ff5c3918493 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /gecko/js/src/vm/Interpreter.cpp:746:10
    #18 0x7ff5c38e551f in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3297:16
    #19 0x7ff5c38e012b in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:469:13
    #20 0x7ff5c3915c9c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:628:13
    #21 0x7ff5c3917e6e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:656:10
    #22 0x7ff5c39181f0 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:673:8
    #23 0x7ff5c4289982 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/jsapi.cpp:2830:10
    #24 0x7ff5bca25a18 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:57:8
    #25 0x7ff5bd5a0ad8 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #26 0x7ff5bd5a04f4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1073:43
    #27 0x7ff5bd5a1d41 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1270:17
    #28 0x7ff5bd58f7ce in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:352:17
    #29 0x7ff5bd58dfd3 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:554:16
    #30 0x7ff5bd592429 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1093:11
    #31 0x7ff5bd5977d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
    #32 0x7ff5bb323acf in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/base/nsINode.cpp:1315:17
    #33 0x7ff5bad69c0f in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /gecko/dom/base/nsContentUtils.cpp:4072:28
    #34 0x7ff5bad69953 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /gecko/dom/base/nsContentUtils.cpp:4042:10
    #35 0x7ff5bb02c0de in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:7369:3
    #36 0x7ff5bb0fd37f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1188:12
    #37 0x7ff5bb0fd37f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1194:12
    #38 0x7ff5bb0fd37f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1240:13
    #39 0x7ff5b790abdd in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:146:20
    #40 0x7ff5b7916ce9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:450:16
    #41 0x7ff5b79137a7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:720:26
    #42 0x7ff5b79116e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:579:15
    #43 0x7ff5b7911b3d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:373:36
    #44 0x7ff5b791e7d1 in operator() /gecko/xpcom/threads/TaskController.cpp:120:37
    #45 0x7ff5b791e7d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
    #46 0x7ff5b793f20b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1197:14
    #47 0x7ff5b7949f0c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
    #48 0x7ff5b8c318ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #49 0x7ff5b8b2f4c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #50 0x7ff5b8b2f4c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #51 0x7ff5b8b2f4c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #52 0x7ff5bf970067 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #53 0x7ff5c36af95f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #54 0x7ff5b8b2f4c1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
    #55 0x7ff5b8b2f4c1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
    #56 0x7ff5b8b2f4c1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
    #57 0x7ff5c36aeefc in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #58 0x563ca5b0b55d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #59 0x563ca5b0b997 in main /gecko/browser/app/nsBrowserApp.cpp:304:18
    #60 0x7ff5d3db70b2 in __libc_start_main /build/glibc-ZN95T4/glibc-2.31/csu/../csu/libc-start.c:308:16

Comment 1

[Andrew McCreight [:mccr8]]

It looks like some kind of shutdown code runs in MediaTrackGraphImpl::UpdateMainThreadState() and deletes the CCJSContext for a worklet thread, but then later on the same thread we run the incremental finalize runnable, which runs this line: if (mRuntime->mFinalizeRunnable != this) {. mRuntime is a weak reference to the CC runtime. So basically this is some kind of shutdown issue. I'm not sure what the right component for this would be.

Comment 2

[Karl Tomlinson (:karlt)]

This looks to be as simple as the runnable running after ReleaseNow() has already emptied mDeferredFinalizeFunctions on JSGC_END in JS_DestroyContext(), but the already-done test fails to consider the case of a deleted runtime.

The IncrementalFinalizeRunnable says it is cancelable, but it is not, so there is only its own cancellation mechanism.

There is also an assumption that JS_DestroyContext() will always trigger JSGC_END, but that looks to be valid.

Comment 3

[Karl Tomlinson (:karlt)]

Attachment: Bug 1677888 adjust IncrementalFinalizeRunnable no-op test r?mccr8

Comment 4

[Karl Tomlinson (:karlt)]

Worklet threads, where this bug is seen, were exposed in 77.
The different shutdown for the main thread should avoid the issue there.
I suspect we never saw this on worker threads because of an extra event loop that would clear any FinalizeIncrementally runnables.

I don't know whether or not Thunderbird exposes AudioWorklet.

Comment 5

[Karl Tomlinson (:karlt)]

Comment on attachment 9190178 [details]
Bug 1677888 adjust IncrementalFinalizeRunnable no-op test r?mccr8

Security Approval Request

• How easily could an exploit be constructed based on the patch?: Shutdown of the worklet thread would need to be arranged shortly after a GC. I don't know how easily that can be arranged, but it seems plausible.

The check-in comment does not paint a bulls-eye and there is no test, but there are assertions that highlight the issue.

• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
• Which older supported branches are affected by this flaw?: From 77
• If not all supported branches, which bug introduced the flaw?: Bug 1616725
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?: The code has not changed recently.
• How likely is this patch to cause regressions; how much testing does it need?: This is well understood code and so regressions are not expected.

Comment 6

[Daniel Veditz [:dveditz]]

Comment on attachment 9190178 [details]
Bug 1677888 adjust IncrementalFinalizeRunnable no-op test r?mccr8

sec-approval+

I think next week is RC week so please land ASAP (NZ Monday ought to be OK since it's the weekend already for you)

Comment 7

[Daniel Veditz [:dveditz]]

I see from bug 1675844 comment 15 that release managers are already discouraging uplifts for security bugs. I think the road from patch to creating the conditions for an exploit are long enough that it's probably still OK to check in now. Gives me hope that we weren't able to create a reliable testcase ourselves.

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/4d8dcbd8732385e491912e929ff3c72bdf4c1efa
https://hg.mozilla.org/mozilla-central/rev/4d8dcbd87323

Comment 9

[BugBot [:suhaib / :marco/ :calixte]]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Comment 10

[Karl Tomlinson (:karlt)]

Comment on attachment 9190178 [details]
Bug 1677888 adjust IncrementalFinalizeRunnable no-op test r?mccr8

ESR Uplift Approval Request

• If this is not a sec:{high,crit} bug, please state case for ESR consideration: sec-high.
• User impact if declined: UaF
• Fix Landed on Version: 85
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): This is well understood code and so regressions are not expected.
• String or UUID changes made by this patch:

Comment 11

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9190178 [details]
Bug 1677888 adjust IncrementalFinalizeRunnable no-op test r?mccr8

Approved for 78.7esr.

Comment 12

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-esr78/rev/8d497e2aab1d