Closed Bug 1709976 (CVE-2021-29970) Opened 3 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free in [@ mozilla::PresShell::RemoveRefreshObserver]

Categories

(Core :: Disability Access APIs, defect)

defect

Tracking

()

VERIFIED FIXED
91 Branch
Tracking Status
firefox-esr78 90+ verified
firefox88 --- wontfix
firefox89 --- wontfix
firefox90 + verified
firefox91 + verified

People

(Reporter: sourc7, Assigned: eeejay)

Details

(Keywords: csectype-uaf, reporter-external, sec-high, Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+][adv-esr78.12+])

Crash Data

Attachments

(12 files, 7 obsolete files)

42.35 KB, text/plain
Details
13.30 KB, text/plain
Details
1.63 MB, video/mp4
Details
20.48 KB, text/plain
Details
15.23 KB, text/plain
Details
19.37 KB, text/plain
Details
48 bytes, text/x-phabricator-request
Details | Review
643 bytes, text/html
Details
247 bytes, text/html
Details
495.23 KB, video/mp4
Details
785.93 KB, video/mp4
Details
258 bytes, text/plain
Details
Attached file asan.archlinux.txt

While fuzzing on Firefox ASan fuzzing build, the tab crashed on Arch Linux with SUMMARY: AddressSanitizer: heap-use-after-free RefPtr.h:286:27 in get and Windows 10 with heap-use-after-free gecko/layout/base/PresShell.cpp:9914 in mozilla::PresShell::RemoveRefreshObserver

The testcase is still intermittent it require FuzzingFunctions.enableAccessibility() function and few interaction. Currently I'm still refactor the code in hope it able to reproduce easily. I'll attach the testcase once I'm done with it =).

Reproduced on

  • Firefox Nightly 90.0a1 (m-c-20210506092558-fuzzing-asan-opt) (64-bit) on Arch Linux
  • Firefox Nightly 90.0a1 (m-c-20210506214311-fuzzing-asan-opt) (64-bit) on Windows 10

ASan

Arch Linux

=================================================================
==1607538==ERROR: AddressSanitizer: heap-use-after-free on address 0x622000051170 at pc 0x7fbf691d93a9 bp 0x7ffc02fc2f20 sp 0x7ffc02fc2f18
READ of size 8 at 0x622000051170 thread T0 (Web Content)
    #0 0x7fbf691d93a8 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7fbf691d93a8 in operator nsPresContext * /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:299:12
    #2 0x7fbf691d93a8 in GetPresContext /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:285:50
    #3 0x7fbf691d93a8 in mozilla::PresShell::RemoveRefreshObserver(nsARefreshObserver*, mozilla::FlushType) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9913:32
    #4 0x7fbf6c554c63 in mozilla::a11y::NotificationController::Shutdown() /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:82:19
    #5 0x7fbf6c5af1ef in mozilla::a11y::DocAccessible::Shutdown() /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:397:30
    #6 0x7fbf6c5ab4ed in Unlink /builds/worker/checkouts/gecko/accessible/generic/LocalAccessible.cpp:93:8
    #7 0x7fbf6c5ab4ed in mozilla::a11y::DocAccessible::cycleCollection::Unlink(void*) /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:140:1
    #8 0x7fbf6128d1e5 in nsCycleCollector::CollectWhite() /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3081:26
    #9 0x7fbf6128ffa3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3435:26
    #10 0x7fbf6129319d in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3910:28
    #11 0x7fbf64a42e5e in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1411:3
    #12 0x7fbf66081c82 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:96:3
    #13 0x7fbf6d0e6022 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #14 0x7fbf6d0e6022 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
    #15 0x7fbf6d0cd7c5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
    #16 0x7fbf6d0cd7c5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227:16
    #17 0x7fbf6d0b6e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396:13
    #18 0x7fbf6d0e615b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
    #19 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #20 0x7fbf6d953f62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #21 0x7fbf65e76ad4 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
    #22 0x7fbf66b21961 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #23 0x7fbf66b1fda3 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #24 0x7fbf66ae8cf8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1114:22
    #25 0x7fbf66aea287 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #26 0x7fbf66ad79ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #27 0x7fbf66ad6440 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:592:14
    #28 0x7fbf66ada48d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #29 0x7fbf66adfc99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #30 0x7fbf64a33d3a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
    #31 0x7fbf6450d1cf in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4301:28
    #32 0x7fbf6450cf13 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4271:10
    #33 0x7fbf648f9975 in DispatchTrustedEvent /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:1453:12
    #34 0x7fbf648f9975 in MaybeDispatchSelectstartEvent(nsRange const&, bool, mozilla::dom::Document*) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:825:5
    #35 0x7fbf648f91f2 in mozilla::dom::Selection::AddRangesForUserSelectableNodes(nsRange*, int*, mozilla::dom::Selection::DispatchSelectstartEvent) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:890:41
    #36 0x7fbf6490040b in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::dom::Document*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1936:14
    #37 0x7fbf649001e5 in mozilla::dom::Selection::AddRangeAndSelectFramesAndNotifyListeners(nsRange&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:1895:10
    #38 0x7fbf64905493 in mozilla::dom::Selection::SetStartAndEndInternal(mozilla::dom::Selection::InLimiter, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, mozilla::RangeBoundaryBase<nsINode*, nsIContent*> const&, nsDirection, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:3461:3
    #39 0x7fbf649051b9 in mozilla::dom::Selection::SelectAllChildren(nsINode&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Selection.cpp:2676:3
    #40 0x7fbf68edce90 in mozilla::HTMLEditor::SelectAllInternal() /builds/worker/checkouts/gecko/editor/libeditor/HTMLEditor.cpp:3972:18
    #41 0x7fbf68e26bc2 in mozilla::EditorBase::SelectAll() /builds/worker/checkouts/gecko/editor/libeditor/EditorBase.cpp:1083:17
    #42 0x7fbf64773a31 in mozilla::dom::Document::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Document.cpp:5293:37
    #43 0x7fbf65eb0e1c in mozilla::dom::Document_Binding::execCommand(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/DocumentBinding.cpp:3471:36
    #44 0x7fbf6633b4c9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3260:13
    #45 0x7fbf6d0e6022 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #46 0x7fbf6d0e6022 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
    #47 0x7fbf6d0cd7c5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
    #48 0x7fbf6d0cd7c5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227:16
    #49 0x7fbf6d0b6e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396:13
    #50 0x7fbf6d0e615b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
    #51 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #52 0x7fbf6d953f62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #53 0x7fbf65e797a9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
    #54 0x7fbf66ae9168 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #55 0x7fbf66ae8c60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
    #56 0x7fbf66aea287 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #57 0x7fbf66ad79ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #58 0x7fbf66ad6440 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:592:14
    #59 0x7fbf66ada48d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #60 0x7fbf66adfc99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #61 0x7fbf64a33d3a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
    #62 0x7fbf66af6a33 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:177:13
    #63 0x7fbf66a6985c in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
    #64 0x7fbf64518ca4 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5682:17
    #65 0x7fbf64487569 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:36:7
    #66 0x7fbf647e8d27 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2362:1
    #67 0x7fbf647e85f6 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:942:12
    #68 0x7fbf647e85f6 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1421:14
    #69 0x7fbf65f2f7a5 in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:1366:24
    #70 0x7fbf6633b4c9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3260:13
    #71 0x7fbf6d0e6022 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #72 0x7fbf6d0e6022 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
    #73 0x7fbf6d0cd7c5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
    #74 0x7fbf6d0cd7c5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227:16
    #75 0x7fbf6d0b6e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396:13
    #76 0x7fbf6d0e615b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
    #77 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #78 0x7fbf6d953f62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #79 0x7fbf65e797a9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
    #80 0x7fbf66ae9168 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #81 0x7fbf66ae8c60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
    #82 0x7fbf66aea287 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #83 0x7fbf66ad79ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #84 0x7fbf66ad61d1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #85 0x7fbf66ada48d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #86 0x7fbf66adfc99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #87 0x7fbf64a33d3a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
    #88 0x7fbf66af6a33 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:177:13
    #89 0x7fbf66a6985c in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
    #90 0x7fbf64518ca4 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5682:17
    #91 0x7fbf64787e68 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7582:3
    #92 0x7fbf64487526 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
    #93 0x7fbf647e8d27 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2362:1
    #94 0x7fbf647e868a in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:1426:12
    #95 0x7fbf65f2f7a5 in mozilla::dom::Element_Binding::setAttribute(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:1366:24
    #96 0x7fbf6633b4c9 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3260:13
    #97 0x7fbf6d0e6022 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #98 0x7fbf6d0e6022 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
    #99 0x7fbf6d0cd7c5 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:576:10
    #100 0x7fbf6d0cd7c5 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227:16
    #101 0x7fbf6d0b6e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396:13
    #102 0x7fbf6d0e615b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
    #103 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #104 0x7fbf6d953f62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #105 0x7fbf65e797a9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:58:8
    #106 0x7fbf66ae9168 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #107 0x7fbf66ae8c60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1108:43
    #108 0x7fbf66aea287 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #109 0x7fbf66ad79ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #110 0x7fbf66ad61d1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #111 0x7fbf66ada48d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #112 0x7fbf66adfc99 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #113 0x7fbf64a33d3a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
    #114 0x7fbf66af6a33 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:177:13
    #115 0x7fbf66a6985c in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
    #116 0x7fbf64518ca4 in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:5682:17
    #117 0x7fbf64787e68 in mozilla::dom::Document::EndUpdate() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7582:3
    #118 0x7fbf64487526 in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/worker/checkouts/gecko/dom/base/mozAutoDocUpdate.h:34:18
    #119 0x7fbf647e8d27 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/checkouts/gecko/dom/base/Element.cpp:2362:1
    #120 0x7fbf6612e991 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:938:12
    #121 0x7fbf6612e991 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:934:12
    #122 0x7fbf6612e991 in SetAttr /builds/worker/workspace/obj-build/dist/include/mozilla/dom/Element.h:1573:14
    #123 0x7fbf6612e991 in SetHTMLAttr /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.h:733:5
    #124 0x7fbf6612e991 in SetDraggable /builds/worker/checkouts/gecko/dom/html/nsGenericHTMLElement.h:105:5
    #125 0x7fbf6612e991 in mozilla::dom::HTMLElement_Binding::set_draggable(JSContext*, JS::Handle<JSObject*>, void*, JSJitSetterCallArgs) /builds/worker/workspace/obj-build/dom/bindings/HTMLElementBinding.cpp:732:24
    #126 0x7fbf66336b64 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3208:8
    #127 0x7fbf6d0e6022 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:427:13
    #128 0x7fbf6d0e6022 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:12
    #129 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #130 0x7fbf6d0e9573 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:729:10
    #131 0x7fbf6d5ebd91 in SetExistingProperty(JSContext*, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, js::PropertyResult const&, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2661:8
    #132 0x7fbf6d5e8570 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyKey>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/checkouts/gecko/js/src/vm/NativeObject.cpp:2695:14
    #133 0x7fbf6d0cde92 in SetProperty /builds/worker/checkouts/gecko/js/src/vm/ObjectOperations-inl.h:300:10
    #134 0x7fbf6d0cde92 in SetPropertyOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:262:10
    #135 0x7fbf6d0cde92 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3003:12
    #136 0x7fbf6d0b6e36 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396:13
    #137 0x7fbf6d0e615b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544:13
    #138 0x7fbf6d0e7d5b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589:8
    #139 0x7fbf6d953f62 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849:10
    #140 0x7fbf65e76ad4 in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
    #141 0x7fbf66b21961 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:365:12
    #142 0x7fbf66b1fda3 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
    #143 0x7fbf66ae8cf8 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1114:22
    #144 0x7fbf66aea287 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1305:17
    #145 0x7fbf66ad79ae in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354:17
    #146 0x7fbf66ad61d1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556:16
    #147 0x7fbf66ada48d in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099:11
    #148 0x7fbf6926b436 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1084:7
    #149 0x7fbf6c3e3277 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6501:20
    #150 0x7fbf6c3e2563 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5891:7
    #151 0x7fbf6c3e44ef in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #152 0x7fbf634d69f9 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348:3
    #153 0x7fbf634d5774 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:954:14
    #154 0x7fbf634d26b3 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:773:9
    #155 0x7fbf634d4604 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:656:5
    #156 0x7fbf6c41c0af in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13628:23
    #157 0x7fbf6172ef4e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:625:22
    #158 0x7fbf61731713 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:529:10
    #159 0x7fbf647aa4f0 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11309:18
    #160 0x7fbf64829caf in mozilla::dom::nsUnblockOnloadEvent::Run() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11263:11
    #161 0x7fbf6141961f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #162 0x7fbf6145d2f2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #163 0x7fbf61429d00 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #164 0x7fbf61427807 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15
    #165 0x7fbf61427c5d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #166 0x7fbf61466ca1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #167 0x7fbf61466ca1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #168 0x7fbf61444628 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #169 0x7fbf6144f3dc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #170 0x7fbf625f334f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #171 0x7fbf624fdb71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #172 0x7fbf624fdb71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #173 0x7fbf624fdb71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #174 0x7fbf68c6dc37 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #175 0x7fbf6ce946df in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20
    #176 0x7fbf624fdb71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #177 0x7fbf624fdb71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #178 0x7fbf624fdb71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #179 0x7fbf6ce940b8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #180 0x55c9d35ba5bd in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #181 0x55c9d35ba9ed in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313:18
    #182 0x7fbf821c6b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #183 0x55c9d350b8b9 in _start (/tmp/m-c-20210506092558-fuzzing-asan-opt/firefox+0x5b8b9)

0x622000051170 is located 112 bytes inside of 4968-byte region [0x622000051100,0x622000052468)
freed by thread T0 (Web Content) here:
    #0 0x55c9d35866c2 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
    #1 0x7fbf691948d9 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7fbf691948d9 in mozilla::PresShell::Release() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:889:1
    #3 0x7fbf68fe4119 in ~nsCOMPtr_base /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:328:7
    #4 0x7fbf68fe4119 in mozilla::TextServicesDocument::~TextServicesDocument() /builds/worker/checkouts/gecko/editor/spellchecker/TextServicesDocument.cpp:78:1
    #5 0x7fbf68ff3350 in DeleteCycleCollectable /builds/worker/checkouts/gecko/editor/spellchecker/TextServicesDocument.cpp:81:1
    #6 0x7fbf68ff3350 in mozilla::TextServicesDocument::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/checkouts/gecko/editor/spellchecker/TextServicesDocument.h:77:3
    #7 0x7fbf612a7fd5 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2451:9
    #8 0x7fbf612892f6 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:939:23
    #9 0x7fbf61289bbe in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2619:14
    #10 0x7fbf632ddae3 in AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:145:9
    #11 0x7fbf6145bdb9 in IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:364:22
    #12 0x7fbf6145d2f2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #13 0x7fbf61429d00 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #14 0x7fbf6142799d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:644:15
    #15 0x7fbf61427c5d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405:36
    #16 0x7fbf61466ca1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
    #17 0x7fbf61466ca1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #18 0x7fbf61444628 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #19 0x7fbf6144f3dc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #20 0x7fbf625f334f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #21 0x7fbf624fdb71 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #22 0x7fbf624fdb71 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #23 0x7fbf624fdb71 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #24 0x7fbf68c6dc37 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7fbf6ce946df in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911:20

previously allocated by thread T0 (Web Content) here:
    #0 0x55c9d358692d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x55c9d35c0a4d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7fbf6477e6d1 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7fbf6477e6d1 in mozilla::dom::Document::CreatePresShell(nsPresContext*, nsViewManager*) /builds/worker/checkouts/gecko/dom/base/Document.cpp:6600:33
    #4 0x7fbf692685c5 in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:705:27
    #5 0x7fbf69268089 in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::dom::WindowGlobalChild*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:910:10
    #6 0x7fbf69267557 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:681:10
    #7 0x7fbf6c3e05dc in nsDocShell::SetupNewViewer(nsIContentViewer*, mozilla::dom::WindowGlobalChild*) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8242:7
    #8 0x7fbf6c3df65e in nsDocShell::Embed(nsIContentViewer*, mozilla::dom::WindowGlobalChild*, bool, bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5766:17
    #9 0x7fbf6c3a6c65 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:8055:3
    #10 0x7fbf6c3a4c45 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/checkouts/gecko/docshell/base/nsDSURIContentListener.cpp:178:20
    #11 0x7fbf634e08e5 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:597:18
    #12 0x7fbf634de040 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:276:9
    #13 0x7fbf634dcf64 in nsDocumentOpenInfo::OnStartRequest(nsIRequest*) /builds/worker/checkouts/gecko/uriloader/base/nsURILoader.cpp:154:8
    #14 0x7fbf61fdee4d in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:575:20
    #15 0x7fbf61fdda52 in mozilla::net::HttpChannelChild::OnStartRequest(mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::HttpChannelOnStartRequestArgs const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:506:3
    #16 0x7fbf622cf479 in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:90:12
    #17 0x7fbf6231a647 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:148:17
    #18 0x7fbf6145d2f2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482:16
    #19 0x7fbf61429d00 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766:26
    #20 0x7fbf61427807 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621:15

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
  0x0c44800021d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800021e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800021f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480002200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480002210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4480002220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c4480002230: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480002240: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480002250: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480002260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480002270: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1607538==ABORTING

Windows 10

=================================================================
==3420==ERROR: AddressSanitizer: heap-use-after-free on address 0x129b11675970 at pc 0x7ffd203f44df bp 0x00f7383f4f00 sp 0x00f7383f4f48
READ of size 8 at 0x129b11675970 thread T0
    #0 0x7ffd203f44de in mozilla::PresShell::RemoveRefreshObserver /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9914
    #1 0x7ffd2359999a in mozilla::a11y::NotificationController::Shutdown /builds/worker/checkouts/gecko/accessible/base/NotificationController.cpp:81
    #2 0x7ffd23619b22 in mozilla::a11y::DocAccessible::Shutdown /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:397
    #3 0x7ffd23615021 in mozilla::a11y::DocAccessible::cycleCollection::Unlink /builds/worker/checkouts/gecko/accessible/generic/DocAccessible.cpp:140
    #4 0x7ffd165b5580 in nsCycleCollector::CollectWhite /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3081
    #5 0x7ffd165b8abf in nsCycleCollector::Collect /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3435
    #6 0x7ffd165bce7b in nsCycleCollector_collect /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3910
    #7 0x7ffd1a4c82ef in nsJSContext::CycleCollectNow /builds/worker/checkouts/gecko/dom/base/nsJSEnvironment.cpp:1411
    #8 0x7ffd1c435b20 in mozilla::dom::FuzzingFunctions_Binding::cycleCollect /builds/worker/workspace/obj-build/dom/bindings/FuzzingFunctionsBinding.cpp:96
    #9 0x7ffd24373705 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #10 0x7ffd2435fbbe in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227
    #11 0x7ffd2434569a in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396
    #12 0x7ffd243739f5 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #13 0x7ffd24376368 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #14 0x7ffd24db97fb in JS::Call /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849
    #15 0x7ffd1c1194cd in mozilla::dom::EventHandlerNonNull::Call /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279
    #16 0x7ffd1d3521c6 in mozilla::JSEventHandler::HandleEvent /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201
    #17 0x7ffd1d3085e0 in mozilla::EventListenerManager::HandleEventSubType /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1113
    #18 0x7ffd1d30a34c in mozilla::EventListenerManager::HandleEventInternal /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1304
    #19 0x7ffd1d2ef856 in mozilla::EventTargetChainItem::HandleEvent /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:354
    #20 0x7ffd1d2ed9da in mozilla::EventTargetChainItem::HandleEventTargetChain /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:556
    #21 0x7ffd1d2f4093 in mozilla::EventDispatcher::Dispatch /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1099
    #22 0x7ffd204c31b8 in nsDocumentViewer::LoadComplete /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1084
    #23 0x7ffd233b8c1a in nsDocShell::EndPageLoad /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6501
    #24 0x7ffd233b7d15 in nsDocShell::OnStateChange /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5891
    #25 0x7ffd18a0621a in nsDocLoader::DoFireOnStateChange /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1348
    #26 0x7ffd18a04cb6 in nsDocLoader::doStopDocumentLoad /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:954
    #27 0x7ffd18a005b9 in nsDocLoader::DocLoaderIsEmpty /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:773
    #28 0x7ffd18a03289 in nsDocLoader::OnStopRequest /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:656
    #29 0x7ffd233fefca in nsDocShell::OnStopRequest /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13628
    #30 0x7ffd16b5a506 in mozilla::net::nsLoadGroup::NotifyRemovalObservers /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:625
    #31 0x7ffd16b5d361 in mozilla::net::nsLoadGroup::RemoveRequest /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:529
    #32 0x7ffd1a160451 in mozilla::dom::Document::DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11309
    #33 0x7ffd1a101ddb in mozilla::dom::Document::UnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11239
    #34 0x7ffd1a132fa1 in mozilla::dom::Document::DispatchContentLoadedEvents /builds/worker/checkouts/gecko/dom/base/Document.cpp:7774
    #35 0x7ffd165fe97a in mozilla::detail::RunnableMethodImpl<nsMemoryReporterManager *,nsresult (nsMemoryReporterManager::*)(),1,mozilla::RunnableKind::Standard>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1201
    #36 0x7ffd167ab8d6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143
    #37 0x7ffd168048fd in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:482
    #38 0x7ffd167c2359 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:766
    #39 0x7ffd167be64e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:621
    #40 0x7ffd167beb60 in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:405
    #41 0x7ffd1680e6f1 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534
    #42 0x7ffd167e667f in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159
    #43 0x7ffd167f69ec in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548
    #44 0x7ffd17aed25e in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #45 0x7ffd17a272c5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #46 0x7ffd17a27095 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #47 0x7ffd1fb520da in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #48 0x7ffd1fd370fb in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:603
    #49 0x7ffd2408a844 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:911
    #50 0x7ffd17a272c5 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328
    #51 0x7ffd17a27095 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310
    #52 0x7ffd24089cbd in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743
    #53 0x7ff78e6c1f3d in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:313
    #54 0x7ff78e6c14d4 in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:131
    #55 0x7ff78e7bf2d7 in __scrt_common_main_seh f:\dd\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #56 0x7ffdbe077033 in BaseThreadInitThunk+0x13 (C:\Windows\System32\KERNEL32.DLL+0x180017033)
    #57 0x7ffdbfbc2650 in RtlUserThreadStart+0x20 (C:\Windows\SYSTEM32\ntdll.dll+0x180052650)

0x129b11675970 is located 112 bytes inside of 5000-byte region [0x129b11675900,0x129b11676c88)
freed by thread T0 here:
    #0 0x7ffd6d4d5afb in free Z:\task_1619604322\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:82
    #1 0x7ffd203921db in mozilla::PresShell::Release /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:889
    #2 0x7ffd204c9ad6 in nsDocumentViewer::DestroyPresShell /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:3572
    #3 0x7ffd204c0d77 in nsDocumentViewer::Hide /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2193
    #4 0x7ffd27a60671 in XPTC__InvokebyIndex+0x71 (C:\Users\susah\git\grizzly-framework\browser\m-c-20210506214311-fuzzing-asan-opt\xul.dll+0x191630671)
    #5 0x7ffd18808b6a in XPCWrappedNative::CallMethod /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143
    #6 0x7ffd1880f04a in XPC_WN_CallMethod /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925
    #7 0x7ffd24373705 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #8 0x7ffd2435fbbe in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227
    #9 0x7ffd2434569a in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396
    #10 0x7ffd243739f5 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #11 0x7ffd24376368 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #12 0x7ffd2485c596 in js::fun_apply /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1150
    #13 0x7ffd24373705 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #14 0x7ffd2435fbbe in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227
    #15 0x7ffd2434569a in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396
    #16 0x7ffd243739f5 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #17 0x7ffd24376368 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #18 0x7ffd24db97fb in JS::Call /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2849

previously allocated by thread T0 here:
    #0 0x7ffd6d4d5c0b in malloc Z:\task_1619604322\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ffd8fe6139d in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffd1a123d69 in mozilla::dom::Document::CreatePresShell /builds/worker/checkouts/gecko/dom/base/Document.cpp:6600
    #3 0x7ffd204bee13 in nsDocumentViewer::InitPresentationStuff /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:705
    #4 0x7ffd204cc51d in nsDocumentViewer::Show /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2131
    #5 0x7ffd27a60671 in XPTC__InvokebyIndex+0x71 (C:\Users\susah\git\grizzly-framework\browser\m-c-20210506214311-fuzzing-asan-opt\xul.dll+0x191630671)
    #6 0x7ffd18808b6a in XPCWrappedNative::CallMethod /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143
    #7 0x7ffd1880f04a in XPC_WN_CallMethod /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:925
    #8 0x7ffd24373705 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #9 0x7ffd2435fbbe in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227
    #10 0x7ffd2434569a in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396
    #11 0x7ffd243739f5 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #12 0x7ffd24376368 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589
    #13 0x7ffd2485c596 in js::fun_apply /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1150
    #14 0x7ffd24373705 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512
    #15 0x7ffd2435fbbe in Interpret /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3227
    #16 0x7ffd2434569a in js::RunScript /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:396
    #17 0x7ffd243739f5 in js::InternalCallOrConstruct /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:544
    #18 0x7ffd24376368 in js::Call /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:589

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9914 in mozilla::PresShell::RemoveRefreshObserver
Shadow bytes around the buggy address:
  0x04aa738cead0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceae0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceaf0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x04aa738ceb20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]fa
  0x04aa738ceb30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x04aa738ceb70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3420==ABORTING

Flags: sec-bounty?
Attached file asan.windows10.txt

It looks like NotificationController::Shutdown is being called on a freed mPressShell.

Group: firefox-core-security → dom-core-security
Component: Security → Disability Access APIs
Keywords: csectype-uaf
Product: Firefox → Core

Just looking at the stack, it kind of looks like mPresShell should be rooted on this line in nsDocumentViewer::LoadComplete: EventDispatcher::Dispatch(window, mPresContext, &event, nullptr, &status);. There's an earlier scope in this method that holds a strong stack ref to the pres shell with the comment "Hold strong ref because this could conceivably run script" but I'm not sure why it wouldn't be needed here.

What puzzles me about this is that PresShell::Destroy should call DocAccessible::Shutdown. So, if NotificationController has a freed PresShell, that means PresShell::Destroy never got called? Or a DocAccessible was somehow created with a freed PresShell? Or a DocAccessible was created with a PresShell after the PresShell was destroyed (but before it was freed)?

It's probably worth at least adding an assertion to the DocAccessible constructor to ensure it never gets passed a destroyed PresShell.

See also bug 1502338.

It is possible that the test case is doing something weird like calling FuzzingFunctions.enableAccessibility() during an event or something. Hopefully if we get a test case it will shed some light on the situation.

Alright I've refactored the code, it require responsive design mode + multiple fast click to trigger the UAF. I think it's still possible to trigger the UAF without RDM which is interesting to find out.

There are 3 ways to trigger the crash, with ./mach run (e10s enabled) and ./mach run --disable-e10s (e10s disabled). On e10s disabled, it doesn't require launcher or reload to trigger the crash (which is more easy to trigger).

Steps to Reproduce:

e10s enabled (with launcher):

  1. Open Firefox with fuzzing build (ac_add_options --enable-fuzzing)
  2. Go to about:config
  3. Set fuzzing.enabled to true
  4. Set dom.disable_open_during_load to false
  5. Restart Firefox
  6. Visit attached launcher.bundle.html
  7. Click "Launch" button
  8. Repeatedly click the text then simultaneously press ctrl+shift+m every ~2s
  9. After repeated tries, the tab is crashed

e10s enabled (close the tab):

  1. Open Firefox with fuzzing build (ac_add_options --enable-fuzzing)
  2. Go to about:config
  3. Set fuzzing.enabled to true
  4. Restart Firefox
  5. Visit attached testcase.main.html
  6. Click "Launch" button
  7. Repeatedly click the text then simultaneously press ctrl+shift+m every ~2s
  8. After trying for a few seconds, close the tab
  9. ASan will show heap-use-after-free

e10s disabled:

  1. Open Firefox with fuzzing build (ac_add_options --enable-fuzzing) then ./mach run --disable-e10s
  2. Go to about:config
  3. Set fuzzing.enabled to true
  4. Visit attached testcase.main.html
  5. Repeatedly click the text then simultaneously press ctrl+shift+m every ~2s
  6. The tab is crashed.

(I also will attach steps to reproduce video to demonstrate the crash)

Attached file launcher.bundle.html (obsolete) —
Attached file testcase.reload.html (obsolete) —
Attached file testcase.main.html (obsolete) —
Attached file asan.e10senabled.txt
Attached file asan.e10sdisabled.txt

This could be more of a fuzzing harness problem than something that could be reproduced in the wild, given that fuzzing hook function wasn't really designed to be called at random times repeatedly, and wouldn't be in a real web page.

but needs more investigation to be sure of that.

(In reply to Daniel Veditz [:dveditz] from comment #14)

This could be more of a fuzzing harness problem than something that could be reproduced in the wild, given that fuzzing hook function wasn't really designed to be called at random times repeatedly, and wouldn't be in a real web page.

but needs more investigation to be sure of that.

I've installed NVDA on Windows 10, then run the launcher.bundle.html (with steps to reproduce above) on Firefox 90.0a1 (2021-05-12) (64-bit) official build, the Firefox crashes on the first try with signature mozilla::PresShell::RemoveRefreshObserver (as on attached ASan stack above).

Hereby the crash reports: https://crash-stats.mozilla.org/report/index/4bad5f58-da2c-4262-b017-7f82a0210512

In the crash report above, one of the CPU registers shows "0xe5e5e5e5e5e5e5e5" indicating UAF.

I can also reproduce this on Arch Linux with Orca screen reader activated using Firefox Nightly 90.0a1 (2021-05-17) (64-bit) (Official Build) then run launcher.bundle.html without FuzzingFunctions.enableAccessibility() on the code.

Interestingly I got 3 different crash reports as follows:

  1. [@ nsRefreshDriver::RemoveRefreshObserver ] SIGSEGV at 0xe5e5e5e5e5e5e5e5 -> 0x0
  2. [@ nsRefreshDriver::RemoveRefreshObserver ] SIGSEGV /SEGV_MAPERR at 0xcad00000000
  3. [@ nsFrameSelection::GetSelection ] SIGSEGV /SEGV_MAPERR at 0x40db1bf0

(In reply to Irvan Kurniawan (:sourc7) from comment #15)

I've installed NVDA on Windows 10, then run the launcher.bundle.html (with steps to reproduce above) on Firefox 90.0a1 (2021-05-12) (64-bit) official build, the Firefox crashes on the first try with signature mozilla::PresShell::RemoveRefreshObserver (as on attached ASan stack above).

It turns out that I also able to reproduce this when using Microsoft Narrator (Windows built in screen reader).

I'm sure that as long the Accessibility shows Activated: true on about:support it able to reproduce on Firefox official build (same as using FuzzingFunctions.enableAccessibility() on Firefox fuzzing build)

I can't reproduce this here with the NVDA screen reader despite many attempts. :(

I can think of some assertions we could add, but that's probably not helpful because catching local build assertions in content processes is currently really difficult, at least on Windows. I guess we could land some diagnostic assertions to try to catch the problem on crash-stats, but that might expose the bug.

In addition to my thoughts in comment 4, I wonder whether somehow a second DocAccessible is being created for the same PresShell. If that happens, PresShell::SetDocAccessible would get called, overriding its DocAccessible. When the PresShell gets destroyed, it would shut down the second DocAccessible, but not the first, leaving the first with a destroyed DocSAccessible. That said, I don't see how a second DocAccessible could be created; we always ask the PresShell for its DocAccessible before creating a new one.

:dveditz, do you think it'd make sense to land these as DIAGNOSTIC_ASSERTs? If so, how should I go about doing that without exposing a potential UAF?

Flags: needinfo?(dveditz)

(In reply to James Teh [:Jamie] from comment #19)

In addition to my thoughts in comment 4, I wonder whether somehow a second DocAccessible is being created for the same PresShell. If that happens, PresShell::SetDocAccessible would get called, overriding its DocAccessible. When the PresShell gets destroyed, it would shut down the second DocAccessible, but not the first, leaving the first with a destroyed DocSAccessible. That said, I don't see how a second DocAccessible could be created; we always ask the PresShell for its DocAccessible before creating a new one.

In another testcase it throw assertion as follow Assertion failure: !mDocument->GetPresShell() (Where did this shell come from?), at layout/base/PresShell.cpp:4121.

From the assertion message, I think it's related to this bug. I also found the assertion and UAF occur because of combination of ctrl+shift+m and mouse click. Without mouse click the RemoveRefreshObserver won't use the freed mPressShell.

(In reply to Irvan Kurniawan (:sourc7) from comment #20)

In another testcase it throw assertion as follow Assertion failure: !mDocument->GetPresShell() (Where did this shell come from?), at layout/base/PresShell.cpp:4121.

From the assertion message, I think it's related to this bug. I also found the assertion and UAF occur because of combination of ctrl+shift+m and mouse click. Without mouse click the RemoveRefreshObserver won't use the freed mPressShell.

Hmm, I'm not sure whether it is related or not, hereby the signature report for mozilla::PresShell::DoFlushPendingNotifications.

I think someone who knows about PresShell could look into this bug, hopefully it will solve this problem too.

If you're able to see assertions, perhaps I can provide a patch which adds assertions I'd like to verify for the accessibility crash?

diff --git a/accessible/generic/DocAccessible.cpp b/accessible/generic/DocAccessible.cpp
index c7411cb66f724..e19674c6d9556 100644
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -98,6 +98,10 @@ DocAccessible::DocAccessible(dom::Document* aDocument,
   mDoc = this;
 
   MOZ_ASSERT(mPresShell, "should have been given a pres shell");
+  MOZ_ASSERT(!mPresShell->IsDestroying(),
+      "Should never get a destroying PresShell");
+  MOZ_ASSERT(!mPresShell->GetDocAccessible(),
+      "PresShell shouldn't already have a DocAccessible");
   mPresShell->SetDocAccessible(this);
 }
 

(In reply to James Teh [:Jamie] from comment #22)

If you're able to see assertions, perhaps I can provide a patch which adds assertions I'd like to verify for the accessibility crash?

diff --git a/accessible/generic/DocAccessible.cpp b/accessible/generic/DocAccessible.cpp
index c7411cb66f724..e19674c6d9556 100644
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -98,6 +98,10 @@ DocAccessible::DocAccessible(dom::Document* aDocument,
   mDoc = this;
 
   MOZ_ASSERT(mPresShell, "should have been given a pres shell");
+  MOZ_ASSERT(!mPresShell->IsDestroying(),
+      "Should never get a destroying PresShell");
+  MOZ_ASSERT(!mPresShell->GetDocAccessible(),
+      "PresShell shouldn't already have a DocAccessible");
   mPresShell->SetDocAccessible(this);
 }
 

Sorry I forgot to add, the assertion on comment 20 is from another testcase, it not required Accessiblity and more easily triggered just by switch to Responsive Design Mode (ctrl+shift+m) then click the text. I'm still not sure whether that related or not, but it give a clue as PresShell is also on the stack.

Thanks for the patch, I've added both assertion to my Firefox ASan build, but unfortunately the browser still crashes with heap-use-after-free.

Okay. Thanks for trying it. In that case, no point in landing these assertions for this bug.

Back to the drawing board.

Flags: needinfo?(dveditz)

Oh, I see the assertions in comment 20 are DIAGNOSTIC_ASSERTs. Do ASan builds have debug asserts enabled? It might be worth changing the MOZ_ASSERTs in my patch to MOZ_DIAGNOSTIC_ASSERT.

The usual ASan builds are opt, so they don't have MOZ_ASSERT enabled.

(In reply to James Teh [:Jamie] from comment #25)

Oh, I see the assertions in comment 20 are DIAGNOSTIC_ASSERTs. Do ASan builds have debug asserts enabled? It might be worth changing the MOZ_ASSERTs in my patch to MOZ_DIAGNOSTIC_ASSERT.

Still same, it still crash with heap-use-after-free.

Alright I've captured the UAF with RR, here the pernosco debugging session link: https://pernos.co/debug/2EryKI_CiVGymWBqd-qw-A/index.html

Thanks.

Eitan, Pernosco is still mostly unusable with a screen reader. :( Would you mind taking a look at this?

Flags: needinfo?(eitan)

A DocAccessible is not supposed to outlive its PresShell. The DocAccessible indirectly holds a weak ref to the PresShell (via NotificationController). When the doc is constructed, it passes its pointer to its PresShell so that when the PresShell is destroyed it will shutdown the doc, and thus a weak reference is assumed to be safe.

This crash happens when a doc is shutdown after its presshell is destroyed. This happens because a doc is constructed, and sets its reference on its presshell via SetDocAccessible, but then when the doc is inserted into its outerdoc, the previous doc is shutdown, and calls SetDocAccessible with nullptr on the same PresShell. So the PresShell never has a valid reverence to the current DocAccessible. This typically is not a problem unless the PresShell is destroyed before the DocAccessible is shutdown, which is what happens here.

Flags: needinfo?(eitan)

(In reply to Eitan Isaacson [:eeejay] from comment #30)

but then when the doc is inserted into its outerdoc, the previous doc is shutdown,

But how did we create a new doc for that PresShell without shutting the other one down first? As I understand it, that's never supposed to happen. DocManager::GetDocAccessible always checks for an existing DocAccessible on the PresShell first.

Even if a doc is bound to its OuterDoc late, we just bind the doc; we don't create a new one.

Flags: needinfo?(eitan)

A DOM document is not guaranteed to have the same presshell thru its entire lifetime, see Document::CreatePresShell and Document::DeletePresShell. So if the DocManager tries to find a DocAccessilble with a Document that had its PresShell swapped, it will fail. This will create a new DocAccessible.

Flags: needinfo?(eitan)

To add to that, you would think PresShell::Destroy would be called on the old presshell to shutdown the previous DocAccessible, but that seems to not be the case.

Right... and that's the really problematic piece here. If that's the cause of the problem, why isn't PresShell::Destroy being called? And if that's intentional, where else are we supposed to shut down the DocAccessible?

Attached file valgrind.txt

From Valgrind report it show 2 invalid read and 1 invalid write on following function:

  • Invalid read of size 8 on mozilla::PresShell::RemoveRefreshObserver -> GetPresContext
  • Invalid read of size 8 on mozilla::a11y::SelectionManager::RemoveDocSelectionListener -> nsFrameSelection
  • Invalid write of size 8 on mozilla::a11y::DocAccessible::Shutdown()-> SetDocAccessible

(In reply to Eitan Isaacson [:eeejay] from comment #30)

This happens because a doc is constructed, and sets its reference on its presshell via SetDocAccessible

If there were a previous doc, this should have triggered the assertion I suggested adding in comment 22, but it didn't.

We could also try this assertion, but I don't think it'll help if the other one didn't:

diff --git a/accessible/generic/DocAccessible.cpp b/accessible/generic/DocAccessible.cpp
index e19674c6d9556..20486bf7fdcc9 100644
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -415,6 +415,8 @@ void DocAccessible::Shutdown() {
     MOZ_ASSERT(!mParent, "Parent has to be null!");
   }
 
+  MOZ_ASSERT(mPresShell->GetDocAccessible() == this,
+      "PresShell should reference this DocAccessible");
   mPresShell->SetDocAccessible(nullptr);
   mPresShell = nullptr;  // Avoid reentrancy
 

(Of course, if testing with an opt build, that should be MOZ_DIAGNOSTIC_ASSERT)

(In reply to James Teh [:Jamie] from comment #36)

(In reply to Eitan Isaacson [:eeejay] from comment #30)

This happens because a doc is constructed, and sets its reference on its presshell via SetDocAccessible

If there were a previous doc, this should have triggered the assertion I suggested adding in comment 22, but it didn't.

We could also try this assertion, but I don't think it'll help if the other one didn't:

diff --git a/accessible/generic/DocAccessible.cpp b/accessible/generic/DocAccessible.cpp
index e19674c6d9556..20486bf7fdcc9 100644
--- a/accessible/generic/DocAccessible.cpp
+++ b/accessible/generic/DocAccessible.cpp
@@ -415,6 +415,8 @@ void DocAccessible::Shutdown() {
     MOZ_ASSERT(!mParent, "Parent has to be null!");
   }
 
+  MOZ_ASSERT(mPresShell->GetDocAccessible() == this,
+      "PresShell should reference this DocAccessible");
   mPresShell->SetDocAccessible(nullptr);
   mPresShell = nullptr;  // Avoid reentrancy
 

I've added the assertion using MOZ_DIAGNOSTIC_ASSERT on ASan build, but unfortunately it still crashes with UAF on RemoveRefreshObserver.

In the Arch Linux and Windows 10 when using debug build it hit assertion as follow:
Assertion failure: ObserverCount() == mEarlyRunners.Length() (observers, except pending selection scrolls, should have been unregistered), at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1153

OK. I was just kidding about all that and I was way off. Looks like yes indeed presshell/docacc pairs get out of sync, that is why docaccessibles keep on getting created when there should already be a live one.

But i needed to figure out the origin of the mixup.. looks like during the Destroy method of a presshell, its DocAccessible is correctly shut down, but if there is a selection change that needs to get flushed it happens via MaybeReleaseCapturingContent in the PresShell's destroy method after the current DocAccessible was shut down. This triggers our selection manager to spawn a new DocAccessible in the Destroy phase of the presshell, and things get out of whack.

This shouldn't happen because the old DocAccessible's shutdown should remove the doc's/presshell's selection listeners. But this isn't the case because we add special control listeners via SetControlSelectionListener and don't clear those outside of focus changes. I think those should be cleared in doc shutdown as well.

This is a similar issue to bug 1330739, I think the weak references might still be of use there in case of SelectionManager/DocManager shutdown.

Assignee: nobody → eitan
Status: NEW → ASSIGNED

Since this crash is hard to reproduce, i would rely on the reporter to verify that this is actually remedied.

(In reply to Eitan Isaacson [:eeejay] from comment #40)

This triggers our selection manager to spawn a new DocAccessible in the Destroy phase of the presshell, and things get out of whack.

That was the purpose of the mPresShell->IsDestroying() assertion I suggested, but it turns out that mIsDestroying is set pretty late in PresShell::Destroy(), after the DocAccessible is shut down and MaybeReleaseCapturingContent is called. Ug.

I didn't realize that was your suggestion. I thought of moving it earlier but don't know what that would screw with.

Irvan,

Is there a chance you can try this patch and verify it remedies the issue?

Flags: needinfo?(susah.yak)

(In reply to Eitan Isaacson [:eeejay] from comment #44)

I didn't realize that was your suggestion.

It was earlier in the bug; see comment 22. Anyway, this wouldn't have fixed the bug; it just would have made it easier to catch. :)

Thanks for figuring this out (and patching it).

(In reply to Eitan Isaacson [:eeejay] from comment #45)

Irvan,

Is there a chance you can try this patch and verify it remedies the issue?

Thanks! It finally solve the issue!

After applied the patch (on Arch Linux), I no longer able to reproduce the crash, and on debug build it no longer hit the assertion on comment 39.

Flags: needinfo?(susah.yak)
Attached file launcher.bundlewfx.html (obsolete) —

(In reply to Eitan Isaacson [:eeejay] from comment #42)

Since this crash is hard to reproduce, i would rely on the reporter to verify that this is actually remedied.

Eitan, can you reproduce with steps to reproduce below:

  1. Open Microsoft Narrator
  2. Open Firefox Nightly
  3. Go to about:config
  4. Set dom.disable_open_during_load to false (to disable pop-up blocker)
  5. Visit attached launcher.bundlewfx.html
  6. Click "Launch" button
  7. Repeatedly fast click the text as possible (my click per second: 7) then simultaneously press ctrl+shift+m every ~1s (as on attached video below)
  8. The tab will crashed.
Summary: AddressSanitizer: heap-use-after-free in [mozilla::PresShell::RemoveRefreshObserver] and [@ get] → AddressSanitizer: heap-use-after-free in [@ mozilla::PresShell::RemoveRefreshObserver]

Given the user interaction required to mostly-reliably trigger this race this is sec-moderate in severity

Keywords: sec-moderate

Comment on attachment 9223266 [details]
Bug 1709976 - Remove selection listeners from shutting down PresShell. r?Jamie

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Not at all. This fixes an issue well before any potential UAF.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Since this patch has no test coverage, and since this is a hard to reproduce UAF I propose that this shouldn't be backported.
  • How likely is this patch to cause regressions; how much testing does it need?:
Attachment #9223266 - Flags: sec-approval?

The sec-moderate rating means you can land without sec-approval.

Flags: needinfo?(eitan)

(In reply to Eitan Isaacson [:eeejay] from comment #51)

  • If not, how different, hard to create, and risky will they be?: Since this patch has no test coverage, and since this is a hard to reproduce UAF I propose that this shouldn't be backported.

Glady! I found new test case that gets triggered by pressing ctrl+shift+m then just with 1-click which is very easy to reproduce. I'll attach the new testcase in a moment.

Attached file launcher.bundle.html

Hereby I attach the new testcase "launcher.bundle.html" which triggers UAF more easily and reliably (works every time).

When in responsive design mode then one click inside RDM viewport it will crash with use-after-free.

Steps to reproduce

e10s enabled:

  1. Visit attached launcher.bundle.html
  2. Click "Launch Testcase"
  3. After switched to new window, press Ctrl + Shift + M to switch to Responsive Design Mode
  4. Click duration section on <audio> element or click anywhere inside RDM viewport
  5. The tab will crash with use-after-free

e10s disabled:

  1. Visit attached testcase.main.html
  2. Press Ctrl + Shift + M to switch to Responsive Design Mode
  3. Click duration section on <audio> element or click anywhere inside RDM viewport
  4. The tab will crash with use-after-free
Attachment #9221225 - Attachment is obsolete: true
Attachment #9223279 - Attachment is obsolete: true
Attached file testcase.main.html
Attachment #9221226 - Attachment is obsolete: true
Attachment #9221227 - Attachment is obsolete: true

Sorry I forgot to mention on new STR above, it require screen reader e.g. Microsoft Narrator, NVDA (on Windows 10), or Orca (on Linux) to activate Accesibility Activated: true on about:support in order to reproduce the UAF.

Crash Signature: [@ nsRefreshDriver::RemoveRefreshObserver ]
Crash Signature: [@ nsRefreshDriver::RemoveRefreshObserver ] → [@ nsRefreshDriver::RemoveRefreshObserver ] [@ mozilla::detail::MutexImpl::lock ] [@ mozilla::PresShell::RemoveRefreshObserver ]
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: None

Presumably all branches are affected based on those answers, and I did reproduce a crash on ESR and Release.

  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: Since this patch has no test coverage, and since this is a hard to reproduce UAF I propose that this shouldn't be backported.

The code being patched is identical to what's on ESR-78 and Release so it should apply easily, though I can't say whether other relevant context changed around it. It was not hard to reproduce the crash with Irvan's latest testcases. They were very consistent, though less obviously UAF crashes in a release build. The ESR-78 crash behavior was different from the others -- it hung up my browser (partially responsive but mostly dead) and I had to force-kill it from the task manager. The ultimately reported crash had the same signature though -- presumably sent from the crashing tab before the browser became unresponsive as a whole.

ESR-78: bp-a4946ab8-9039-468c-b580-d10880210602
Release (88.0.1): bp-cc018aad-9d65-4b2d-84d5-729300210602
Nightly: bp-a3a23889-d9f0-4294-b0d3-29c240210602

It would be easy to verify the fix if this is backported, but I don't know about regressions.

  • How likely is this patch to cause regressions; how much testing does it need?:

This is an important question to get your opinion on.

I think the chance that this patch causes a regression is very small but isn't 0. Maybe we can uplift to release, and wait a bit before ESR?

Flags: needinfo?(eitan)

Comment on attachment 9223266 [details]
Bug 1709976 - Remove selection listeners from shutting down PresShell. r?Jamie

Approved to land and uplift. I'm not sure about delaying the ESR patch one release; we try to avoid doing that.

Attachment #9223266 - Flags: sec-approval?
Attachment #9223266 - Flags: sec-approval+
Attachment #9223266 - Flags: approval-mozilla-esr78+
Attachment #9223266 - Flags: approval-mozilla-beta+
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
Flags: sec-bounty? → sec-bounty+

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(eitan)
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]
Flags: needinfo?(eitan)
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+

Hi Irvan, I have been using your steps from Comment 54 and your attached test case in order to verify the fix in our latest Nightly Asan Fuzzing build i got from :

https://treeherder.mozilla.org/jobs?repo=mozilla-central&selectedTaskRun=NCAkqN8eTBuc7_dJsX3f7Q.0

I started Narrator on Windows 10 and opened the ASAN Fuzzing Build (here tried both ways with fuzzing.enabled = true/false ) and loaded the attached case in a new tab.
Clicked Launch Testcase wich opened the audio player in a new tab.
Hit Ctrl Shift M in order to start RDM and click the seek bar for the audio a few times

Tab Crashed
Please also note that I was able to reproduce the Tab crash in older Nightly asan fuzzing builds.

I also tried this with Beta 90.0b1 and Firefox didn't crash it would just close the tab , also tried the same thing with non asan Fuzzing builds , normal builds would not crash, they would just close the tab.

Am I missing some steps ? or Prefs I might need to set before launching the test case ? Is the Expected result to simply Close the Tab ? or it's suppose to keep the tab open without crashing it ?

Flags: needinfo?(susah.yak)

(In reply to Rares Doghi from comment #66)

I also tried this with Beta 90.0b1 and Firefox didn't crash it would just close the tab , also tried the same thing with non asan Fuzzing builds , normal builds would not crash, they would just close the tab.

Am I missing some steps ? or Prefs I might need to set before launching the test case ? Is the Expected result to simply Close the Tab ? or it's suppose to keep the tab open without crashing it ?

I still able to reproduce this in Firefox 89.0.2 (64-bit) on Windows 10 (video attached), make sure to click the duration section (0:00 / 0:00) (not the seek bar section) or the white page section as on attached video. I hope this helps!

Flags: needinfo?(susah.yak)

Thank you Irvan, I was able to reproduce the issue in older builds and Verify the fix in ESR 78.12.0esr, Beta 90.0b12 and our latest Nightly build on Windows 10 using Narrator and Ubuntu 20.04 using Screen Reader (orca)

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+]
Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main90+][adv-esr78.12+]
Attached file advisory.txt (obsolete) —
Attached file advisory.txt
Attachment #9230315 - Attachment is obsolete: true
Alias: CVE-2021-29970
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: