Closed Bug 1723035 Opened 3 years ago Closed 3 years ago

heap-use-after-free in [@ mozilla::TaskController::AddTask]

Categories

(Core :: XPCOM, defect)

Tracking

RESOLVED INCOMPLETE
Tracking Status
firefox92 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, testcase)

I'm not sure how actionable this is; the fuzzers have only hit it once and the test case is not reproducible.

Found while fuzzing m-c 20210726-5f5c284c5fe3 (--enable-address-sanitizer --enable-fuzzing)

==17511==ERROR: AddressSanitizer: heap-use-after-free on address 0x60400021a030 at pc 0x7f6c6480088c bp 0x7f6c519e16b0 sp 0x7f6c519e16a8
READ of size 8 at 0x60400021a030 thread T27 (IPDL Background)
    #0 0x7f6c6480088b in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f6c6480088b in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7f6c6480088b in mozilla::Task::PriorityCompare::operator()(RefPtr<mozilla::Task> const&, RefPtr<mozilla::Task> const&) const /builds/worker/workspace/obj-build/dist/include/mozilla/TaskController.h:160:24
    #3 0x7f6c648005a1 in std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_get_insert_unique_pos(RefPtr<mozilla::Task> const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2038:13
    #4 0x7f6c647c1d2f in _M_insert_unique<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2091:4
    #5 0x7f6c647c1d2f in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511:9
    #6 0x7f6c647c1d2f in mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /gecko/xpcom/threads/TaskController.cpp:391:34
    #7 0x7f6c647c2ff2 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /gecko/xpcom/threads/TaskController.cpp:538:26
    #8 0x7f6c647a90be in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /gecko/xpcom/threads/EventQueue.cpp:52:9
    #9 0x7f6c647cad2e in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /gecko/xpcom/threads/ThreadEventQueue.cpp:119:19
    #10 0x7f6c647cc8f9 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/ThreadEventTarget.cpp:96:15
    #11 0x7f6c647d6d15 in NS_DispatchToMainThread(already_AddRefed<nsIRunnable>&&, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:228:18
    #12 0x7f6c647d099d in NS_DispatchToMainThread(nsIRunnable*, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:238:10
    #13 0x7f6c6535177f in mozilla::net::HttpBackgroundChannelParent::Init(unsigned long const&) /gecko/netwerk/protocol/http/HttpBackgroundChannelParent.cpp:94:10
    #14 0x7f6c65970afe in mozilla::ipc::BackgroundParentImpl::RecvPHttpBackgroundChannelConstructor(mozilla::net::PHttpBackgroundChannelParent*, unsigned long const&) /gecko/ipc/glue/BackgroundParentImpl.cpp:1246:7
    #15 0x7f6c6653364e in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundParent.cpp:5163:28
    #16 0x7f6c65a049ba in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2051:25
    #17 0x7f6c65a01988 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1978:9
    #18 0x7f6c65a031a2 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1826:3
    #19 0x7f6c65a03b6b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1857:13
    #20 0x7f6c647dfcab in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1142:16
    #21 0x7f6c647ea14c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
    #22 0x7f6c65a0ec90 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #23 0x7f6c658f80b1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #24 0x7f6c658f80b1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #25 0x7f6c658f80b1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #26 0x7f6c647d9758 in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:390:10
    #27 0x7f6c81c5d3fe in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #28 0x7f6c85d7e608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #29 0x7f6c85947292 in clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x60400021a030 is located 32 bytes inside of 40-byte region [0x60400021a010,0x60400021a038)
allocated by thread T2 (IPC I/O Parent) here:
    #0 0x564fc2cdb3cd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x564fc2d154ed in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f6c648008b2 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f6c648008b2 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/ext/new_allocator.h:111:27
    #4 0x7f6c648008b2 in allocate /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/alloc_traits.h:436:20
    #5 0x7f6c648008b2 in _M_get_node /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:588:16
    #6 0x7f6c648008b2 in _M_create_node<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:642:23
    #7 0x7f6c648008b2 in std::_Rb_tree_node<RefPtr<mozilla::Task> >* std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node::operator()<RefPtr<mozilla::Task> >(RefPtr<mozilla::Task>&&) const /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:556:18
    #8 0x7f6c648006cc in std::_Rb_tree_iterator<RefPtr<mozilla::Task> > std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_M_insert_<RefPtr<mozilla::Task>, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node>(std::_Rb_tree_node_base*, std::_Rb_tree_node_base*, RefPtr<mozilla::Task>&&, std::_Rb_tree<RefPtr<mozilla::Task>, RefPtr<mozilla::Task>, std::_Identity<RefPtr<mozilla::Task> >, mozilla::Task::PriorityCompare, std::allocator<RefPtr<mozilla::Task> > >::_Alloc_node&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:1753:19
    #9 0x7f6c647c1d6b in _M_insert_unique<RefPtr<mozilla::Task> > /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_tree.h:2096:16
    #10 0x7f6c647c1d6b in insert /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/stl_set.h:511:9
    #11 0x7f6c647c1d6b in mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /gecko/xpcom/threads/TaskController.cpp:391:34
    #12 0x7f6c647c2ff2 in mozilla::TaskController::DispatchRunnable(already_AddRefed<nsIRunnable>&&, unsigned int, mozilla::TaskManager*) /gecko/xpcom/threads/TaskController.cpp:538:26
    #13 0x7f6c647a90be in mozilla::detail::EventQueueInternal<16ul>::PutEvent(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>*) /gecko/xpcom/threads/EventQueue.cpp:52:9
    #14 0x7f6c647cad2e in mozilla::ThreadEventQueue::PutEventInternal(already_AddRefed<nsIRunnable>&&, mozilla::EventQueuePriority, mozilla::ThreadEventQueue::NestedSink*) /gecko/xpcom/threads/ThreadEventQueue.cpp:119:19
    #15 0x7f6c647cc8f9 in mozilla::ThreadEventTarget::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/ThreadEventTarget.cpp:96:15
    #16 0x7f6c659fa262 in mozilla::ipc::MessageChannel::OnMessageReceivedFromLink(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:1236:11
    #17 0x7f6c65a0be50 in mozilla::ipc::PortLink::OnPortStatusChanged() /gecko/ipc/glue/MessageLink.cpp:188:12
    #18 0x7f6c65a27929 in mozilla::ipc::PortLink::PortObserverThunk::OnPortStatusChanged() /gecko/ipc/glue/MessageLink.cpp:47:14
    #19 0x7f6c65a19065 in mozilla::ipc::NodeController::PortStatusChanged(mojo::core::ports::PortRef const&) /gecko/ipc/glue/NodeController.cpp:347:49
    #20 0x7f6c65935d82 in mojo::core::ports::Node::OnUserMessage(mozilla::UniquePtr<mojo::core::ports::UserMessageEvent, mozilla::DefaultDelete<mojo::core::ports::UserMessageEvent> >) /gecko/ipc/chromium/src/mojo/core/ports/node.cc:574:16
    #21 0x7f6c65934fe6 in mojo::core::ports::Node::AcceptEvent(mozilla::UniquePtr<mojo::core::ports::Event, mozilla::DefaultDelete<mojo::core::ports::Event> >) /gecko/ipc/chromium/src/mojo/core/ports/node.cc:409:14
    #22 0x7f6c65a199e0 in mozilla::ipc::NodeController::OnEventMessage(mojo::core::ports::NodeName const&, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /gecko/ipc/glue/NodeController.cpp:402:16
    #23 0x7f6c65a121f7 in mozilla::ipc::NodeChannel::OnMessageReceived(IPC::Message&&) /gecko/ipc/glue/NodeChannel.cpp:260:18
    #24 0x7f6c6591e72b in IPC::Channel::ChannelImpl::ProcessIncomingMessages() /gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:553:20
    #25 0x7f6c65920b16 in IPC::Channel::ChannelImpl::OnFileCanReadWithoutBlocking(int) /gecko/ipc/chromium/src/chrome/common/ipc_channel_posix.cc:822:10
    #26 0x7f6c658fbfd5 in base::MessagePumpLibevent::OnLibeventNotification(int, short, void*) /gecko/ipc/chromium/src/base/message_pump_libevent.cc:249:14

Thread T27 (IPDL Background) created by T0 here:
    #0 0x564fc2cc5b1c in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
    #1 0x7f6c81c4d474 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f6c81c3e94e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f6c647dc12a in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:602:18
    #4 0x7f6c647e7bf6 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /gecko/xpcom/threads/nsThreadManager.cpp:574:12
    #5 0x7f6c647f2d31 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, unsigned int) /gecko/xpcom/threads/nsThreadUtils.cpp:162:57
    #6 0x7f6c659a9dfa in NS_NewNamedThread<16> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74:10
    #7 0x7f6c659a9dfa in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /gecko/ipc/glue/BackgroundImpl.cpp:1246:7
    #8 0x7f6c659ae8b3 in RunOnMainThread /gecko/ipc/glue/BackgroundImpl.cpp:1456:30
    #9 0x7f6c659ae8b3 in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /gecko/ipc/glue/BackgroundImpl.cpp:1475:17
    #10 0x7f6c647f8002 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:502:16
    #11 0x7f6c647c4af4 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:805:26
    #12 0x7f6c647c2348 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:641:15
    #13 0x7f6c647c2a5d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:425:36
    #14 0x7f6c64802074 in operator() /gecko/xpcom/threads/TaskController.cpp:138:37
    #15 0x7f6c64802074 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:532:5
    #16 0x7f6c647df477 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1148:16
    #17 0x7f6c647e8f4e in NS_ProcessNextEvent /gecko/xpcom/threads/nsThreadUtils.cpp:466:10
    #18 0x7f6c647e8f4e in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:714:36)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:93:25
    #19 0x7f6c647e8f4e in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /gecko/xpcom/threads/nsThreadManager.cpp:714:8
    #20 0x7f6c6482a8b1 in NS_InvokeByIndex /gecko/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
    #21 0x7f6c667d7739 in Invoke /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1628:10
    #22 0x7f6c667d7739 in Call /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1181:19
    #23 0x7f6c667d7739 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /gecko/js/xpconnect/src/XPCWrappedNative.cpp:1127:23
    #24 0x7f6c667dc17f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /gecko/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:921:10
    #25 0x7f6c70638312 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:402:13
    #26 0x7f6c70638312 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:487:12
    #27 0x7f6c7061fb41 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:551:10
    #28 0x7f6c7061fb41 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3239:16
    #29 0x7f6c70609c2c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:371:13
    #30 0x7f6c7063844b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:519:13
    #31 0x7f6c7152d9b4 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:1606:10
    #32 0x1f6c70c33d87  (<unknown module>)
    #33 0x628000025cff  (<unknown module>)
    #34 0x1f6c70c3156e  (<unknown module>)
    #35 0x7f6c7153abf1 in EnterBaseline /gecko/js/src/jit/BaselineJIT.cpp:147:5
    #36 0x7f6c7153abf1 in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /gecko/js/src/jit/BaselineJIT.cpp:216:26
    #37 0x7f6c7062b112 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:2131:17
    #38 0x7f6c70609c2c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:371:13
    #39 0x7f6c7063844b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:519:13
    #40 0x7f6c7063a04b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:564:8
    #41 0x7f6c70a9c8f2 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /gecko/js/src/vm/JSFunction.cpp:1151:10
    #42 0x7f6c70638312 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:402:13
    #43 0x7f6c70638312 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:487:12
    #44 0x7f6c7061fb41 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:551:10
    #45 0x7f6c7061fb41 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3239:16
    #46 0x7f6c70609c2c in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:371:13
    #47 0x7f6c7063844b in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:519:13
    #48 0x7f6c7063a04b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:564:8
    #49 0x7f6c708ba725 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:53:10
    #50 0x7f6c667c8f29 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:973:17
    #51 0x7f6c6482c242 in PrepareAndDispatch /gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
    #52 0x7f6c6482afca in SharedStub (/home/worker/builds/m-c-20210726215952-fuzzing-asan-opt/libxul.so+0x54d5fca)
    #53 0x7f6c703fe4b3 in nsXREDirProvider::DoStartup() /gecko/toolkit/xre/nsXREDirProvider.cpp:972:13
    #54 0x7f6c703db244 in XREMain::XRE_mainRun() /gecko/toolkit/xre/nsAppRunner.cpp:4998:18
    #55 0x7f6c703de20e in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5434:8
    #56 0x7f6c703def63 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5493:21
    #57 0x564fc2d0fa6a in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
    #58 0x564fc2d0fa6a in main /gecko/browser/app/nsBrowserApp.cpp:378:16
    #59 0x7f6c8584c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

Thread T2 (IPC I/O Parent) created by T0 here:
    #0 0x564fc2cc5b1c in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:205:3
    #1 0x7f6c659043fc in CreateThread /gecko/ipc/chromium/src/base/platform_thread_posix.cc:123:14
    #2 0x7f6c659043fc in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /gecko/ipc/chromium/src/base/platform_thread_posix.cc:134:10
    #3 0x7f6c659161fd in base::Thread::StartWithOptions(base::Thread::Options const&) /gecko/ipc/chromium/src/base/thread.cc:93:8
    #4 0x7f6c6484fa2a in NS_InitXPCOM /gecko/xpcom/build/XPCOMInit.cpp:318:9
    #5 0x7f6c703c8286 in ScopedXPCOMStartup::Initialize(bool) /gecko/toolkit/xre/nsAppRunner.cpp:1715:8
    #6 0x7f6c703de1f4 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5430:22
    #7 0x7f6c703def63 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /gecko/toolkit/xre/nsAppRunner.cpp:5493:21
    #8 0x564fc2d0fa6a in do_main /gecko/browser/app/nsBrowserApp.cpp:225:22
    #9 0x564fc2d0fa6a in main /gecko/browser/app/nsBrowserApp.cpp:378:16
    #10 0x7f6c8584c0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Flags: in-testsuite-

Kind of strange that there's no free stack in there.

There are a lot of frames of TaskController here, so I'm going to move it to XPCOM, but I guess it could be an issue with Networking: Http, whatever PBackground is, or IPC.

Component: DOM: Networking → XPCOM

There are a low but steady number of crashes with this signature on Socorro (and with this signature in the call stack) that sometimes have the UAF marker in the crashing address or registers. Not much to go on.

Bas, does this crash ring any bells?

Flags: needinfo?(bas)

It looks similar to this: https://crash-stats.mozilla.org/report/index/6af7fb1f-6a44-41f8-9241-afda70210804 (most crashes with this signature in Socorro are somewhere different). I've looked at some of these in the past; there are very few of them, and they all seem to have different stacks, many of which seem 'impossible'. My current theory is that this is memory corruption elsewhere and it just crashes inside TaskController simply because it's used by everything. But it's hard to be sure. I've never seen any evidence this is an actual bug inside TaskController.

Flags: needinfo?(bas)

We can revisit if it comes up again.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Group: dom-core-security