Closed Bug 1716481 Opened 4 years ago Closed 4 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get

Categories

(Core :: Layout, defect, P5)

defect

Tracking


RESOLVED FIXED
91 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox89 --- wontfix
firefox90 --- wontfix
firefox91 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: emilio)

References

(Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-main91+r])

Attachments

(1 file)

Filed by: ncsoregi [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=342785949&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/bfmXLHK1SPaVtUxbHcrDkQ/runs/2/artifacts/public/logs/live_backing.log


[task 2021-06-15T03:31:45.867Z] 03:31:45     INFO - TEST-START | dom/base/test/browser_promiseDocumentFlushed.js
[task 2021-06-15T03:31:47.128Z] 03:31:47     INFO - GECKO(3274) | =================================================================
[task 2021-06-15T03:31:47.130Z] 03:31:47    ERROR - GECKO(3274) | ==3274==ERROR: AddressSanitizer: heap-use-after-free on address 0x6020004ffbb0 at pc 0x7fcdecbeb39e bp 0x7fffd6446650 sp 0x7fffd6446648
[task 2021-06-15T03:31:47.131Z] 03:31:47     INFO - GECKO(3274) | READ of size 8 at 0x6020004ffbb0 thread T0
[task 2021-06-15T03:31:47.741Z] 03:31:47     INFO - GECKO(3274) |     #0 0x7fcdecbeb39d in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
[task 2021-06-15T03:31:47.743Z] 03:31:47     INFO - GECKO(3274) |     #1 0x7fcdecbeb39d in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
[task 2021-06-15T03:31:47.744Z] 03:31:47     INFO - GECKO(3274) |     #2 0x7fcdecbeb39d in operator() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7077:9
[task 2021-06-15T03:31:47.744Z] 03:31:47     INFO - GECKO(3274) |     #3 0x7fcdecbeb39d in std::_Function_handler<mozilla::ManagedPostRefreshObserver::Unregister (bool), nsGlobalWindowInner::TryToObserveRefresh()::$_6>::_M_invoke(std::_Any_data const&, bool&&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:301:9
[task 2021-06-15T03:31:47.773Z] 03:31:47     INFO - GECKO(3274) |     #4 0x7fcdf173b2d1 in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:706:14
[task 2021-06-15T03:31:47.774Z] 03:31:47     INFO - GECKO(3274) |     #5 0x7fcdf173b2d1 in mozilla::ManagedPostRefreshObserver::DidRefresh() /builds/worker/checkouts/gecko/layout/base/nsRefreshObservers.cpp:34:27
[task 2021-06-15T03:31:47.786Z] 03:31:47     INFO - GECKO(3274) |     #6 0x7fcdf157ee75 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2537:15
[task 2021-06-15T03:31:47.787Z] 03:31:47     INFO - GECKO(3274) |     #7 0x7fcdf15895f7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:13
[task 2021-06-15T03:31:47.787Z] 03:31:47     INFO - GECKO(3274) |     #8 0x7fcdf15895f7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326:7
[task 2021-06-15T03:31:47.789Z] 03:31:47     INFO - GECKO(3274) |     #9 0x7fcdf158935d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:5
[task 2021-06-15T03:31:47.789Z] 03:31:47     INFO - GECKO(3274) |     #10 0x7fcdf15890e5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:775:5
[task 2021-06-15T03:31:47.790Z] 03:31:47     INFO - GECKO(3274) |     #11 0x7fcdf15886ef in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:704:16
[task 2021-06-15T03:31:47.790Z] 03:31:47     INFO - GECKO(3274) |     #12 0x7fcdf1587cab in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:617:7
[task 2021-06-15T03:31:47.791Z] 03:31:47     INFO - GECKO(3274) |     #13 0x7fcdf1585f42 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:507:20
[task 2021-06-15T03:31:47.814Z] 03:31:47     INFO - GECKO(3274) |     #14 0x7fcdea088ff2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:479:16
[task 2021-06-15T03:31:47.815Z] 03:31:47     INFO - GECKO(3274) |     #15 0x7fcdea055b10 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:782:26
[task 2021-06-15T03:31:47.817Z] 03:31:47     INFO - GECKO(3274) |     #16 0x7fcdea053358 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:15
[task 2021-06-15T03:31:47.817Z] 03:31:47     INFO - GECKO(3274) |     #17 0x7fcdea053a6d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:402:36
[task 2021-06-15T03:31:47.818Z] 03:31:47     INFO - GECKO(3274) |     #18 0x7fcdea0932d1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
[task 2021-06-15T03:31:47.819Z] 03:31:47     INFO - GECKO(3274) |     #19 0x7fcdea0932d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
[task 2021-06-15T03:31:47.820Z] 03:31:47     INFO - GECKO(3274) |     #20 0x7fcdea070468 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1162:16
[task 2021-06-15T03:31:47.820Z] 03:31:47     INFO - GECKO(3274) |     #21 0x7fcdea07b2ac in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
[task 2021-06-15T03:31:47.836Z] 03:31:47     INFO - GECKO(3274) |     #22 0x7fcdeb13e90a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
[task 2021-06-15T03:31:47.847Z] 03:31:47     INFO - GECKO(3274) |     #23 0x7fcdeb068391 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
[task 2021-06-15T03:31:47.848Z] 03:31:47     INFO - GECKO(3274) |     #24 0x7fcdeb068391 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
[task 2021-06-15T03:31:47.849Z] 03:31:47     INFO - GECKO(3274) |     #25 0x7fcdeb068391 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
[task 2021-06-15T03:31:47.857Z] 03:31:47     INFO - GECKO(3274) |     #26 0x7fcdf10906b7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
[task 2021-06-15T03:31:47.861Z] 03:31:47     INFO - GECKO(3274) |     #27 0x7fcdf4dcf2f7 in nsAppStartup::Run() /builds/worker/checkouts/gecko/toolkit/components/startup/nsAppStartup.cpp:273:30
[task 2021-06-15T03:31:47.869Z] 03:31:47     INFO - GECKO(3274) |     #28 0x7fcdf4fd3fa7 in XREMain::XRE_mainRun() /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5239:22
[task 2021-06-15T03:31:47.870Z] 03:31:47     INFO - GECKO(3274) |     #29 0x7fcdf4fd5ffe in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5437:8
[task 2021-06-15T03:31:47.872Z] 03:31:47     INFO - GECKO(3274) |     #30 0x7fcdf4fd6d53 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/checkouts/gecko/toolkit/xre/nsAppRunner.cpp:5496:21
[task 2021-06-15T03:31:47.876Z] 03:31:47     INFO - GECKO(3274) |     #31 0x56370ad1adcf in do_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:224:22
[task 2021-06-15T03:31:47.876Z] 03:31:47     INFO - GECKO(3274) |     #32 0x56370ad1adcf in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:351:16
[task 2021-06-15T03:31:47.966Z] 03:31:47     INFO - GECKO(3274) |     #33 0x7fce0e5ebb96 in __libc_start_main /build/glibc-2ORdQG/glibc-2.27/csu/../csu/libc-start.c:310
[task 2021-06-15T03:31:47.967Z] 03:31:47     INFO - GECKO(3274) |     #34 0x56370ac6b74c in _start (/builds/worker/workspace/build/application/firefox/firefox+0x5674c)
[task 2021-06-15T03:31:47.967Z] 03:31:47     INFO - GECKO(3274) | 0x6020004ffbb0 is located 0 bytes inside of 8-byte region [0x6020004ffbb0,0x6020004ffbb8)
[task 2021-06-15T03:31:47.968Z] 03:31:47     INFO - GECKO(3274) | freed by thread T0 here:
[task 2021-06-15T03:31:47.969Z] 03:31:47     INFO - GECKO(3274) |     #0 0x56370ace6542 in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:127:3
[task 2021-06-15T03:31:47.970Z] 03:31:47     INFO - GECKO(3274) |     #1 0x7fcdecbeb4b4 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
[task 2021-06-15T03:31:47.970Z] 03:31:47     INFO - GECKO(3274) |     #2 0x7fcdecbeb4b4 in _M_destroy /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:207:4
[task 2021-06-15T03:31:47.970Z] 03:31:47     INFO - GECKO(3274) |     #3 0x7fcdecbeb4b4 in std::_Function_base::_Base_manager<nsGlobalWindowInner::TryToObserveRefresh()::$_6>::_M_manager(std::_Any_data&, std::_Any_data const&, std::_Manager_operation) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:231:8
[task 2021-06-15T03:31:47.973Z] 03:31:47     INFO - GECKO(3274) |     #4 0x7fcdf173b14c in ~_Function_base /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:276:2
[task 2021-06-15T03:31:47.973Z] 03:31:47     INFO - GECKO(3274) |     #5 0x7fcdf173b14c in mozilla::ManagedPostRefreshObserver::~ManagedPostRefreshObserver() /builds/worker/checkouts/gecko/layout/base/nsRefreshObservers.cpp:19:57
[task 2021-06-15T03:31:47.974Z] 03:31:47     INFO - GECKO(3274) |     #6 0x7fcdf173b19d in mozilla::ManagedPostRefreshObserver::~ManagedPostRefreshObserver() /builds/worker/checkouts/gecko/layout/base/nsRefreshObservers.cpp:19:57
[task 2021-06-15T03:31:47.975Z] 03:31:47     INFO - GECKO(3274) |     #7 0x7fcdf1747362 in Release /builds/worker/workspace/obj-build/dist/include/nsRefreshObservers.h:82:3
[task 2021-06-15T03:31:47.978Z] 03:31:47     INFO - GECKO(3274) |     #8 0x7fcdf1747362 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
[task 2021-06-15T03:31:47.979Z] 03:31:47     INFO - GECKO(3274) |     #9 0x7fcdf1747362 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
[task 2021-06-15T03:31:47.979Z] 03:31:47     INFO - GECKO(3274) |     #10 0x7fcdf1747362 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
[task 2021-06-15T03:31:47.980Z] 03:31:47     INFO - GECKO(3274) |     #11 0x7fcdf1747362 in Destruct /builds/worker/workspace/obj-build/dist/include/nsTArray.h:645:45
[task 2021-06-15T03:31:47.981Z] 03:31:47     INFO - GECKO(3274) |     #12 0x7fcdf1747362 in nsTArray_Impl<RefPtr<mozilla::ManagedPostRefreshObserver>, nsTArrayInfallibleAllocator>::DestructRange(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2404:7
[task 2021-06-15T03:31:47.981Z] 03:31:47     INFO - GECKO(3274) |     #13 0x7fcdf174c3cc in RemoveElementsAtUnsafe /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2493:3
[task 2021-06-15T03:31:47.982Z] 03:31:47     INFO - GECKO(3274) |     #14 0x7fcdf174c3cc in bool nsTArray_Impl<RefPtr<mozilla::ManagedPostRefreshObserver>, nsTArrayInfallibleAllocator>::RemoveElement<mozilla::ManagedPostRefreshObserver*, nsDefaultComparator<RefPtr<mozilla::ManagedPostRefreshObserver>, mozilla::ManagedPostRefreshObserver*> >(mozilla::ManagedPostRefreshObserver* const&, nsDefaultComparator<RefPtr<mozilla::ManagedPostRefreshObserver>, mozilla::ManagedPostRefreshObserver*> const&) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1958:5
[task 2021-06-15T03:31:47.983Z] 03:31:47     INFO - GECKO(3274) |     #15 0x7fcdf1731f7e in RemoveElement<mozilla::ManagedPostRefreshObserver *> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1966:12
[task 2021-06-15T03:31:47.983Z] 03:31:47     INFO - GECKO(3274) |     #16 0x7fcdf1731f7e in nsPresContext::UnregisterManagedPostRefreshObserver(mozilla::ManagedPostRefreshObserver*) /builds/worker/checkouts/gecko/layout/base/nsPresContext.cpp:1515:36
[task 2021-06-15T03:31:47.985Z] 03:31:47     INFO - GECKO(3274) |     #17 0x7fcdf173b322 in mozilla::ManagedPostRefreshObserver::DidRefresh() /builds/worker/checkouts/gecko/layout/base/nsRefreshObservers.cpp:46:18
[task 2021-06-15T03:31:47.986Z] 03:31:47     INFO - GECKO(3274) |     #18 0x7fcdf157ee75 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2537:15
[task 2021-06-15T03:31:47.987Z] 03:31:47     INFO - GECKO(3274) |     #19 0x7fcdf15895f7 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:13
[task 2021-06-15T03:31:47.988Z] 03:31:47     INFO - GECKO(3274) |     #20 0x7fcdf15895f7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326:7
[task 2021-06-15T03:31:47.989Z] 03:31:47     INFO - GECKO(3274) |     #21 0x7fcdf158935d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:5
[task 2021-06-15T03:31:47.990Z] 03:31:47     INFO - GECKO(3274) |     #22 0x7fcdf15890e5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:775:5
[task 2021-06-15T03:31:47.990Z] 03:31:47     INFO - GECKO(3274) |     #23 0x7fcdf15886ef in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:704:16
[task 2021-06-15T03:31:47.991Z] 03:31:47     INFO - GECKO(3274) |     #24 0x7fcdf1587cab in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:617:7
[task 2021-06-15T03:31:47.993Z] 03:31:47     INFO - GECKO(3274) |     #25 0x7fcdf1585f42 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:507:20
[task 2021-06-15T03:31:47.994Z] 03:31:47     INFO - GECKO(3274) |     #26 0x7fcdea088ff2 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:479:16
[task 2021-06-15T03:31:47.995Z] 03:31:47     INFO - GECKO(3274) |     #27 0x7fcdea055b10 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:782:26
[task 2021-06-15T03:31:47.996Z] 03:31:47     INFO - GECKO(3274) |     #28 0x7fcdea053358 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:618:15
[task 2021-06-15T03:31:47.997Z] 03:31:47     INFO - GECKO(3274) |     #29 0x7fcdea053a6d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:402:36
[task 2021-06-15T03:31:47.997Z] 03:31:47     INFO - GECKO(3274) |     #30 0x7fcdea093304 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:138:37
[task 2021-06-15T03:31:47.998Z] 03:31:47     INFO - GECKO(3274) |     #31 0x7fcdea093304 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
[task 2021-06-15T03:31:47.999Z] 03:31:47     INFO - GECKO(3274) |     #32 0x7fcdea070468 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1162:16
[task 2021-06-15T03:31:48.000Z] 03:31:47     INFO - GECKO(3274) |     #33 0x7fcdea07a0ae in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
[task 2021-06-15T03:31:48.000Z] 03:31:48     INFO - GECKO(3274) |     #34 0x7fcdea07a0ae in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:714:36)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
[task 2021-06-15T03:31:48.001Z] 03:31:48     INFO - GECKO(3274) |     #35 0x7fcdea07a0ae in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:714:8
[task 2021-06-15T03:31:48.002Z] 03:31:48     INFO - GECKO(3274) |     #36 0x7fcdea0bbb01 in NS_InvokeByIndex /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
[task 2021-06-15T03:31:48.015Z] 03:31:48     INFO - GECKO(3274) |     #37 0x7fcdebacbc89 in Invoke /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1644:10
[task 2021-06-15T03:31:48.016Z] 03:31:48     INFO - GECKO(3274) |     #38 0x7fcdebacbc89 in Call /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1197:19
[task 2021-06-15T03:31:48.017Z] 03:31:48     INFO - GECKO(3274) |     #39 0x7fcdebacbc89 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNative.cpp:1143:23
[task 2021-06-15T03:31:48.018Z] 03:31:48     INFO - GECKO(3274) |     #40 0x7fcdebad06cf in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:922:10
[task 2021-06-15T03:31:48.026Z] 03:31:48     INFO - GECKO(3274) |     #41 0x3f5baa550fdf  (<unknown module>)
[task 2021-06-15T03:31:48.035Z] 03:31:48     INFO - GECKO(3274) |     #42 0x6210019c821f  (<unknown module>)
[task 2021-06-15T03:31:48.045Z] 03:31:48     INFO - GECKO(3274) |     #43 0x3f5baa55e299  (<unknown module>)
[task 2021-06-15T03:31:48.055Z] 03:31:48     INFO - GECKO(3274) |     #44 0x621000be8fc7  (<unknown module>)
[task 2021-06-15T03:31:48.065Z] 03:31:48     INFO - GECKO(3274) |     #45 0x3f5baa70c82f  (<unknown module>)
[task 2021-06-15T03:31:48.065Z] 03:31:48     INFO - GECKO(3274) | previously allocated by thread T0 here:
[task 2021-06-15T03:31:48.066Z] 03:31:48     INFO - GECKO(3274) |     #0 0x56370ace67ad in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
[task 2021-06-15T03:31:48.066Z] 03:31:48     INFO - GECKO(3274) |     #1 0x56370ad20acd in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52:15
[task 2021-06-15T03:31:48.067Z] 03:31:48     INFO - GECKO(3274) |     #2 0x7fcdecbdeb01 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
[task 2021-06-15T03:31:48.068Z] 03:31:48     INFO - GECKO(3274) |     #3 0x7fcdecbdeb01 in _M_init_functor /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:268:39
[task 2021-06-15T03:31:48.069Z] 03:31:48     INFO - GECKO(3274) |     #4 0x7fcdecbdeb01 in _M_init_functor /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:239:4
[task 2021-06-15T03:31:48.071Z] 03:31:48     INFO - GECKO(3274) |     #5 0x7fcdecbdeb01 in function<(lambda at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7072:24), void, void> /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/std_function.h:693:6
[task 2021-06-15T03:31:48.071Z] 03:31:48     INFO - GECKO(3274) |     #6 0x7fcdecbdeb01 in MakeRefPtr<mozilla::ManagedPostRefreshObserver, mozilla::PresShell *, (lambda at /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7072:24)> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:603:21
[task 2021-06-15T03:31:48.072Z] 03:31:48     INFO - GECKO(3274) |     #7 0x7fcdecbdeb01 in nsGlobalWindowInner::TryToObserveRefresh() /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7071:19
[task 2021-06-15T03:31:48.072Z] 03:31:48     INFO - GECKO(3274) |     #8 0x7fcdecbddb83 in nsGlobalWindowInner::PromiseDocumentFlushed(mozilla::dom::PromiseDocumentFlushedCallback&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsGlobalWindowInner.cpp:7048:8
[task 2021-06-15T03:31:48.268Z] 03:31:48     INFO - GECKO(3274) |     #9 0x7fcdee1dd003 in promiseDocumentFlushed /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:8278:60
[task 2021-06-15T03:31:48.269Z] 03:31:48     INFO - GECKO(3274) |     #10 0x7fcdee1dd003 in mozilla::dom::Window_Binding::promiseDocumentFlushed_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/WindowBinding.cpp:8292:13
[task 2021-06-15T03:31:48.284Z] 03:31:48     INFO - GECKO(3274) |     #11 0x7fcdee961aca in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3298:13
[task 2021-06-15T03:31:48.304Z] 03:31:48     INFO - GECKO(3274) |     #12 0x7fcdf52079b2 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
[task 2021-06-15T03:31:48.305Z] 03:31:48     INFO - GECKO(3274) |     #13 0x7fcdf52079b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
[task 2021-06-15T03:31:48.306Z] 03:31:48     INFO - GECKO(3274) |     #14 0x7fcdf51ef2a9 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:575:10
[task 2021-06-15T03:31:48.307Z] 03:31:48     INFO - GECKO(3274) |     #15 0x7fcdf51ef2a9 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3244:16
[task 2021-06-15T03:31:48.307Z] 03:31:48     INFO - GECKO(3274) |     #16 0x7fcdf51d8bb6 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:13
[task 2021-06-15T03:31:48.308Z] 03:31:48     INFO - GECKO(3274) |     #17 0x7fcdf5207aeb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
[task 2021-06-15T03:31:48.309Z] 03:31:48     INFO - GECKO(3274) |     #18 0x7fcdf52096eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
[task 2021-06-15T03:31:48.359Z] 03:31:48     INFO - GECKO(3274) |     #19 0x7fcdf5619186 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1098:10
[task 2021-06-15T03:31:48.360Z] 03:31:48     INFO - GECKO(3274) |     #20 0x7fcdf5619c14 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:12
[task 2021-06-15T03:31:48.361Z] 03:31:48     INFO - GECKO(3274) |     #21 0x7fcdf52079b2 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:426:13
[task 2021-06-15T03:31:48.362Z] 03:31:48     INFO - GECKO(3274) |     #22 0x7fcdf52079b2 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:511:12
[task 2021-06-15T03:31:48.387Z] 03:31:48     INFO - GECKO(3274) |     #23 0x7fcdf5fb179e in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1595:10
[task 2021-06-15T03:31:48.397Z] 03:31:48     INFO - GECKO(3274) |     #24 0x3f5baa532d87  (<unknown module>)
[task 2021-06-15T03:31:48.407Z] 03:31:48     INFO - GECKO(3274) |     #25 0x62600017def7  (<unknown module>)
[task 2021-06-15T03:31:48.416Z] 03:31:48     INFO - GECKO(3274) |     #26 0x3f5baa550ad2  (<unknown module>)
[task 2021-06-15T03:31:48.426Z] 03:31:48     INFO - GECKO(3274) |     #27 0x621002c9495f  (<unknown module>)
[task 2021-06-15T03:31:48.435Z] 03:31:48     INFO - GECKO(3274) |     #28 0x3f5baa558ad8  (<unknown module>)
[task 2021-06-15T03:31:48.445Z] 03:31:48     INFO - GECKO(3274) |     #29 0x62100177a15f  (<unknown module>)
[task 2021-06-15T03:31:48.455Z] 03:31:48     INFO - GECKO(3274) |     #30 0x3f5baa53056e  (<unknown module>)
[task 2021-06-15T03:31:48.461Z] 03:31:48     INFO - GECKO(3274) |     #31 0x7fcdf636fe60 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:109:5
[task 2021-06-15T03:31:48.463Z] 03:31:48     INFO - GECKO(3274) |     #32 0x7fcdf636fe60 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:207:10
[task 2021-06-15T03:31:48.463Z] 03:31:48     INFO - GECKO(3274) |     #33 0x7fcdf51d8b98 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:385:32
[task 2021-06-15T03:31:48.464Z] 03:31:48     INFO - GECKO(3274) |     #34 0x7fcdf5207aeb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:543:13
[task 2021-06-15T03:31:48.467Z] 03:31:48     INFO - GECKO(3274) |     #35 0x7fcdf52096eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:588:8
[task 2021-06-15T03:31:48.481Z] 03:31:48     INFO - GECKO(3274) |     #36 0x7fcdf5a5ea70 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2722:10
[task 2021-06-15T03:31:48.498Z] 03:31:48     INFO - GECKO(3274) |     #37 0x7fcdebabd7d9 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:971:17
[task 2021-06-15T03:31:48.499Z] 03:31:48     INFO - GECKO(3274) |     #38 0x7fcdea0bd492 in PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
[task 2021-06-15T03:31:48.499Z] 03:31:48     INFO - GECKO(3274) |     #39 0x7fcdea0bc21a in SharedStub (/builds/worker/workspace/build/application/firefox/libxul.so+0x358421a)
[task 2021-06-15T03:31:48.500Z] 03:31:48     INFO - GECKO(3274) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
[task 2021-06-15T03:31:48.500Z] 03:31:48     INFO - GECKO(3274) | Shadow bytes around the buggy address:
[task 2021-06-15T03:31:48.500Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f20: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f30: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f40: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fa
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f50: fa fa fd fa fa fa fd fd fa fa fd fd fa fa fd fa
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f60: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) | =>0x0c0480097f70: fa fa fd fd fa fa[fd]fa fa fa fd fd fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f80: fa fa fd fa fa fa fd fd fa fa fd fa fa fa fd fa
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097f90: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fd fa
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097fb0: fa fa fd fd fa fa fd fd fa fa fd fa fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   0x0c0480097fc0: fa fa fd fd fa fa fd fa fa fa fd fd fa fa fd fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) | Shadow byte legend (one shadow byte represents 8 application bytes):
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Addressable:           00
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Partially addressable: 01 02 03 04 05 06 07
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Heap left redzone:       fa
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Freed heap region:       fd
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Stack left redzone:      f1
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Stack mid redzone:       f2
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Stack right redzone:     f3
[task 2021-06-15T03:31:48.502Z] 03:31:48     INFO - GECKO(3274) |   Stack after return:      f5
[task 2021-06-15T03:31:48.503Z] 03:31:48     INFO - GECKO(3274) |   Stack use after scope:   f8
[task 2021-06-15T03:31:48.503Z] 03:31:48     INFO - GECKO(3274) |   Global redzone:          f9
[task 2021-06-15T03:31:48.504Z] 03:31:48     INFO - GECKO(3274) |   Global init order:       f6
[task 2021-06-15T03:31:48.504Z] 03:31:48     INFO - GECKO(3274) |   Poisoned by user:        f7
[task 2021-06-15T03:31:48.505Z] 03:31:48     INFO - GECKO(3274) |   Container overflow:      fc
[task 2021-06-15T03:31:48.505Z] 03:31:48     INFO - GECKO(3274) |   Array cookie:            ac
[task 2021-06-15T03:31:48.506Z] 03:31:48     INFO - GECKO(3274) |   Intra object redzone:    bb
[task 2021-06-15T03:31:48.506Z] 03:31:48     INFO - GECKO(3274) |   ASan internal:           fe
[task 2021-06-15T03:31:48.506Z] 03:31:48     INFO - GECKO(3274) |   Left alloca redzone:     ca
[task 2021-06-15T03:31:48.507Z] 03:31:48     INFO - GECKO(3274) |   Right alloca redzone:    cb
[task 2021-06-15T03:31:48.507Z] 03:31:48     INFO - GECKO(3274) |   Shadow gap:              cc
[task 2021-06-15T03:31:48.507Z] 03:31:48     INFO - GECKO(3274) | ==3274==ABORTING
[task 2021-06-15T03:31:48.630Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.634Z] 03:31:48     INFO - GECKO(3274) | Crash Annotation GraphicsCriticalError: |[C0][GFX1-]: Receive IPC close with reason=AbnormalShutdown (t=24.1351) [GFX1-]: Receive IPC close with reason=AbnormalShutdown
[task 2021-06-15T03:31:48.635Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.636Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.637Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.639Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.639Z] 03:31:48     INFO - GECKO(3274) | Exiting due to channel error.
[task 2021-06-15T03:31:48.713Z] 03:31:48     INFO - TEST-INFO | Main app process: exit 0
Group: core-security

Everything is happening on the same thread here. It seems that nsTObserverArray<nsAPostRefreshObserver*> mPostRefreshObservers; contains a raw pointer to some nsAPostRefreshObserver after it has been freed during ManagedPostRefreshObserver::DidRefresh by removing it from mManagedPostRefreshObservers. This raw pointer is then used to unregister the observer in ManagedPostRefreshObserver::DidRefresh.
I obviously don't know whether we should expect this object to still be alive in that situation, but from the variable names I would suspect that we are missing a timely removal of that instance from mPostRefreshObservers.

Emilio, I see your name next to some of the most recent changes here, feel free to forward to someone else, of course.

Flags: needinfo?(emilio)

Hmm, so there's a nested JS event loop and somehow DidRefresh runs twice...

Group: core-security → layout-core-security
Component: DOM: Core & HTML → Layout
Assignee: nobody → emilio
See Also: → 1713170
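The mechanism described in the two comments above (a raw pointer in the driver's observer array outliving the object it points to, and a nested event loop making DidRefresh run a second time before the first call has returned) as a constructed C++ model. This is an added example, not Gecko's code and not the patch attached to this bug: RefreshDriver, Window, UnsafeManagedObserver, SafeManagedObserver and RunNestedRefresh are the model's own names, std::shared_ptr stands in for RefPtr, the bool-returning callback is a simplification of the Unregister(bool) signature in the stack trace, and a set of live addresses stands in for ASan so the flawed variant reports the stale access instead of performing it. The hardened variant shows one generic fix (a strong reference held across the callback plus a re-entrancy guard), which may differ from what the actual patch does.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <set>
#include <vector>

// Constructed model, not Gecko code: the driver keeps raw observer pointers (the
// nsTObserverArray<nsAPostRefreshObserver*> role), the window keeps the strong
// references (the mManagedPostRefreshObservers role); shared_ptr stands in for RefPtr.
struct PostRefreshObserver {
  virtual ~PostRefreshObserver() = default;
  virtual void DidRefresh() = 0;
};
struct RefreshDriver {
  std::vector<PostRefreshObserver*> mObservers;  // raw, non-owning
  void Add(PostRefreshObserver* o) { mObservers.push_back(o); }
  void Remove(PostRefreshObserver* o) {
    mObservers.erase(std::remove(mObservers.begin(), mObservers.end(), o), mObservers.end());
  }
  void Notify() {  // a snapshot tolerates list mutation, but keeps no pointee alive
    std::vector<PostRefreshObserver*> snapshot = mObservers;
    for (PostRefreshObserver* o : snapshot) o->DidRefresh();
  }
};
struct Window {
  RefreshDriver mDriver;
  std::vector<std::shared_ptr<PostRefreshObserver>> mManaged;  // strong refs
  void Drop(PostRefreshObserver* o) {  // releasing the last strong ref deletes o
    mManaged.erase(std::remove_if(mManaged.begin(), mManaged.end(),
        [o](const std::shared_ptr<PostRefreshObserver>& p) { return p.get() == o; }),
        mManaged.end());
  }
};
// Stand-in for ASan's bookkeeping: addresses of live observers. Membership tests compare
// pointer values only, so the flawed variant reports the stale access instead of performing it.
static std::set<const void*>& LiveSet() { static std::set<const void*> s; return s; }
static int& StaleAccesses() { static int n = 0; return n; }

// Flawed pattern: the callback may spin a nested event loop in which the driver fires again;
// the nested DidRefresh unregisters and frees the object, and the outer DidRefresh touches `this`.
struct UnsafeManagedObserver : PostRefreshObserver {
  Window* mWindow;
  std::function<bool()> mCallback;  // returns true to unregister
  UnsafeManagedObserver(Window* w, std::function<bool()> cb)
      : mWindow(w), mCallback(std::move(cb)) { LiveSet().insert(this); }
  ~UnsafeManagedObserver() override { LiveSet().erase(this); }
  void DidRefresh() override {
    std::function<bool()> cb = mCallback;  // local copy: the call must outlive `this`
    bool unregister = cb();
    if (!LiveSet().count(this)) { ++StaleAccesses(); return; }  // real code dereferences here
    if (!unregister) return;
    Window* window = mWindow;
    window->mDriver.Remove(this);
    window->Drop(this);  // deletes this; nothing below may touch it
  }
};
// One generic hardening (not the patch attached to this bug): a strong reference held across
// the callback so `this` outlives it, plus a state guard so a re-entrant DidRefresh is ignored.
struct SafeManagedObserver : PostRefreshObserver,
                             std::enable_shared_from_this<SafeManagedObserver> {
  enum class State { Registered, Notifying, Unregistered };
  Window* mWindow;
  std::function<bool()> mCallback;
  State mState = State::Registered;
  SafeManagedObserver(Window* w, std::function<bool()> cb)
      : mWindow(w), mCallback(std::move(cb)) { LiveSet().insert(this); }
  ~SafeManagedObserver() override { LiveSet().erase(this); }
  void DidRefresh() override {
    if (mState != State::Registered) return;  // re-entered, or already done
    mState = State::Notifying;
    std::shared_ptr<SafeManagedObserver> grip = shared_from_this();
    if (!mCallback()) { mState = State::Registered; return; }
    mState = State::Unregistered;
    mWindow->mDriver.Remove(this);
    mWindow->Drop(this);  // window's ref gone; `grip` keeps us alive until return
  }
};

struct Outcome { int callbacks; int staleAccesses; bool observerAlive; std::size_t registered; };
// One observer goes through a refresh whose callback spins a nested event loop (modelled as a
// Notify() call from inside the callback), so a second refresh fires before the first returns.
template <class ObserverT>
Outcome RunNestedRefresh() {
  StaleAccesses() = 0;
  Window window;
  int callbacks = 0;
  bool spunNestedLoop = false;
  auto consumer = [&]() {
    ++callbacks;
    if (!spunNestedLoop) { spunNestedLoop = true; window.mDriver.Notify(); }  // nested loop
    return true;  // done, unregister
  };
  auto obs = std::make_shared<ObserverT>(&window, consumer);
  PostRefreshObserver* raw = obs.get();
  window.mManaged.push_back(obs);
  window.mDriver.Add(raw);
  obs.reset();  // the window's list now holds the only strong reference
  window.mDriver.Notify();  // the outer refresh
  return {callbacks, StaleAccesses(), LiveSet().count(raw) > 0, window.mDriver.mObservers.size()};
}
```

Running the nested-refresh scenario against UnsafeManagedObserver yields two callback invocations and one stale access to `this` (the model's counterpart of the heap-use-after-free ASan reported), while SafeManagedObserver runs the callback once, unregisters once, and is destroyed only after the outer DidRefresh returns; in both cases the driver ends up with no stale pointer, which is why the bug only shows under ASan or with a nested event loop on the stack.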

I'm not sure what spinEventLoopUntil call is on the stack when this happens, but the attached patch should fix the issue.

Flags: needinfo?(emilio)

Comment on attachment 9227926 [details]
Bug 1716481 - Improve ManagedPostRefreshObserver. r=smaug

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Probably not easy. The only potentially-exploitable issue we've found is accessible only via a [ChromeOnly] API.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: stable/beta
  • If not all supported branches, which bug introduced the flaw?: Bug 1699844
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?: Should apply cleanly, though based on the fact that this is probably only an issue with ChromeOnly APIs not sure if it's worth uplifting, your call.
  • How likely is this patch to cause regressions; how much testing does it need?: not too much, though the patch is less trivial than what I would've liked.
Attachment #9227926 - Flags: sec-approval?
Has Regression Range: --- → yes
Keywords: regression

Reduced severity to sec-moderate given [ChromeOnly]. Probably doesn't need to be uplifted unless it's causing a stability issue in Release.

Keywords: sec-high → sec-moderate

Comment on attachment 9227926 [details]
Bug 1716481 - Improve ManagedPostRefreshObserver. r=smaug

sec-approval = dveditz

Attachment #9227926 - Flags: sec-approval? → sec-approval+
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 91 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main90+r]
Whiteboard: [post-critsmash-triage][adv-main90+r] → [post-critsmash-triage][adv-main91+r]
Group: core-security-release