Closed Bug 1741869 Opened 3 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ load] with READ of size 8

Categories

(Core :: DOM: Workers, defect, P1)

x86_64
Linux
defect

Tracking


RESOLVED FIXED
Tracking Status
firefox-esr91 96+ fixed
firefox95 --- wontfix
firefox96 + fixed
firefox97 + fixed

People

(Reporter: jkratzer, Assigned: jstutte)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, testcase, Whiteboard: [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r][sec-survey][post-critsmash-triage])

Attachments

(1 file)

Found while fuzzing mozilla-central rev 0799fad6d9ec (built with: --enable-address-sanitizer --enable-fuzzing). I do not currently have a reliable testcase for this issue.

AddressSanitizer: heap-use-after-free [@ load] with READ of size 8

    =================================================================
    ==16718==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b00018cbe8 at pc 0x7f39e688d4b0 bp 0x7f39cd5f8140 sp 0x7f39cd5f8138
    READ of size 8 at 0x61b00018cbe8 thread T21 (DOM Worker)
        #0 0x7f39e688d4af in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:713:9
        #1 0x7f39e688d4af in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/atomic:452:21
        #2 0x7f39e688d4af in load /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:195:17
        #3 0x7f39e688d4af in operator const PRThread * /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:340:31
        #4 0x7f39e688d4af in IsCorrectThread /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:128:41
        #5 0x7f39e688d4af in AssertIsCorrectThread /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:135:3
        #6 0x7f39e688d4af in mozilla::ThreadBound<mozilla::dom::WorkerPrivate::WorkerThreadAccessible>::Accessor<false>::Accessor(mozilla::ThreadBound<mozilla::dom::WorkerPrivate::WorkerThreadAccessible>&) /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:100:20
        #7 0x7f39e686c94e in Access /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:123:26
        #8 0x7f39e686c94e in mozilla::dom::WorkerPrivate::TraverseTimeouts(nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerPrivate.cpp:3794:39
        #9 0x7f39e68819ce in mozilla::dom::WorkerGlobalScopeBase::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:187:24
        #10 0x7f39e6882df8 in mozilla::dom::WorkerGlobalScope::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:350:1
        #11 0x7f39e6887818 in mozilla::dom::ServiceWorkerGlobalScope::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:842:1
        #12 0x7f39dee899b5 in TraverseNativeAndJS /gecko/xpcom/base/nsCycleCollectionParticipant.h:223:19
        #13 0x7f39dee899b5 in CCGraphBuilder::BuildGraph(js::SliceBudget&) /gecko/xpcom/base/nsCycleCollector.cpp:2051:39
        #14 0x7f39dee8f211 in nsCycleCollector::MarkRoots(js::SliceBudget&) /gecko/xpcom/base/nsCycleCollector.cpp:2656:33
        #15 0x7f39dee9532b in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3406:9
        #16 0x7f39dee98973 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3907:28
        #17 0x7f39e68300dd in mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /gecko/dom/workers/RuntimeService.cpp:863:11
        #18 0x7f39dee3e190 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1877:3
        #19 0x7f39eca0422a in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:3600:3
        #20 0x7f39eca0522f in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:3579:32
        #21 0x7f39eca0522f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3677:1
        #22 0x7f39eca06ae6 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3880:9
        #23 0x7f39ec9cf0c2 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /gecko/js/src/gc/GC.cpp:3960:3
        #24 0x7f39e682edfa in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2264:7
        #25 0x7f39df06bfeb in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1169:16
        #26 0x7f39df0768dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
        #27 0x7f39e0558dc1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
        #28 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #29 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #30 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #31 0x7f39df06457f in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
        #32 0x7f39fbcd309e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
        #33 0x7f39fddf5608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
        #34 0x7f39fd9bd292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
    
    0x61b00018cbe8 is located 1384 bytes inside of 1472-byte region [0x61b00018c680,0x61b00018cc40)
    freed by thread T0 (Isolated Web Co) here:
        #0 0x55adbec8d122 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
        #1 0x7f39e684b849 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
        #2 0x7f39e684b849 in mozilla::dom::WorkerPrivate::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:124:3
        #3 0x7f39e6890340 in mozilla::dom::(anonymous namespace)::TopLevelWorkerFinishedRunnable::Run() /gecko/dom/workers/WorkerPrivate.cpp:308:22
        #4 0x7f39df08bc22 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
        #5 0x7f39df083bff in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
        #6 0x7f39df085a92 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
        #7 0x7f39df04b45d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
        #8 0x7f39df0489b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
        #9 0x7f39df0490c9 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
        #10 0x7f39df08f104 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
        #11 0x7f39df08f104 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
        #12 0x7f39df06b7b7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16
        #13 0x7f39df0768dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
        #14 0x7f39e05574c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
        #15 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #16 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #17 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #18 0x7f39e6f75157 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
        #19 0x7f39eba09b6f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
        #20 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #21 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #22 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #23 0x7f39eba08da2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
        #24 0x55adbecc1ced in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #25 0x55adbecc2118 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
        #26 0x7f39fd8c20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    previously allocated by thread T0 (Isolated Web Co) here:
        #0 0x55adbec8d38d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
        #1 0x55adbecc80ad in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f39e68614ae in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f39e68614ae in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2509:7
        #4 0x7f39e6899a06 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:437:41
        #5 0x7f39e68b6f7a in operator() /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:298:29
        #6 0x7f39e68b6f7a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #7 0x7f39df03939f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:144:20
        #8 0x7f39df085a92 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
        #9 0x7f39df04b45d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
        #10 0x7f39df0489b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
        #11 0x7f39df0490c9 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
        #12 0x7f39df08f104 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
        #13 0x7f39df08f104 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
        #14 0x7f39df06b7b7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16
        #15 0x7f39df0768dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
        #16 0x7f39e05574c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
        #17 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #18 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #19 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #20 0x7f39e6f75157 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
        #21 0x7f39eba09b6f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
        #22 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #23 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #24 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #25 0x7f39eba08da2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
        #26 0x55adbecc1ced in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #27 0x55adbecc2118 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
        #28 0x7f39fd8c20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    Thread T21 (DOM Worker) created by T0 (Isolated Web Co) here:
        #0 0x55adbec77a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
        #1 0x7f39fbcc3124 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f39fbcb43ce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f39df067845 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:607:18
        #4 0x7f39e688b572 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
        #5 0x7f39e680daa8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1389:14
        #6 0x7f39e680c7a3 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1256:19
        #7 0x7f39e68615d0 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2525:24
        #8 0x7f39e6899a06 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:437:41
        #9 0x7f39e68b6f7a in operator() /gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:298:29
        #10 0x7f39e68b6f7a in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #11 0x7f39df03939f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:144:20
        #12 0x7f39df085a92 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
        #13 0x7f39df04b45d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
        #14 0x7f39df0489b8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
        #15 0x7f39df0490c9 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
        #16 0x7f39df08f104 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
        #17 0x7f39df08f104 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
        #18 0x7f39df06b7b7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1175:16
        #19 0x7f39df0768dc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
        #20 0x7f39e05574c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:107:5
        #21 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #22 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #23 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #24 0x7f39e6f75157 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
        #25 0x7f39eba09b6f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
        #26 0x7f39e03d6e71 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
        #27 0x7f39e03d6e71 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
        #28 0x7f39e03d6e71 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
        #29 0x7f39eba08da2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
        #30 0x55adbecc1ced in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #31 0x55adbecc2118 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
        #32 0x7f39fd8c20b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:713:9 in load
    Shadow bytes around the buggy address:
      0x0c3680029920: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3680029930: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3680029940: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3680029950: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c3680029960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c3680029970: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
      0x0c3680029980: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
      0x0c3680029990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c36800299a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c36800299b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c36800299c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==16718==ABORTING

While trying to reduce a testcase that triggers the crash signature in comment 0, I also see the following signature.

==2389766==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7faa49b22d77 bp 0x7fa9b7ec9490 sp 0x7fa9b7ec93c0 T28)
==2389766==The signal is caused by a READ memory access.
==2389766==Hint: address points to the zero page.
    #0 0x7faa49b22d77 in operator! /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:311:36
    #1 0x7faa49b22d77 in NS_CycleCollectorSuspect3 /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3758:7
    #2 0x7faa4f8b28a3 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:248:7
    #3 0x7faa4f8b28a3 in incr<&NS_CycleCollectorSuspect3> /builds/worker/workspace/obj-build/dist/include/nsISupportsImpl.h:234:12
    #4 0x7faa4f8b28a3 in mozilla::DOMEventTargetHelper::AddRef() /builds/worker/checkouts/gecko/dom/events/DOMEventTargetHelper.cpp:86:1
    #5 0x7faa49d3c279 in copyConstruct<mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> > /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:224:7
    #6 0x7faa49d3c279 in Variant /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:653:5
    #7 0x7faa49d3c279 in mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback>::operator=(mozilla::Variant<nsTimerImpl::UnknownCallback, nsCOMPtr<nsITimerCallback>, nsCOMPtr<nsIObserver>, nsTimerImpl::FuncCallback, nsTimerImpl::ClosureCallback> const&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:665:32
    #8 0x7faa49d3b321 in nsTimerImpl::Fire(int) /builds/worker/checkouts/gecko/xpcom/threads/nsTimerImpl.cpp:615:24
    #9 0x7faa49ce383f in nsTimerEvent::Run() /builds/worker/checkouts/gecko/xpcom/threads/TimerThread.cpp:265:11
    #10 0x7faa49cf74cb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169:16
    #11 0x7faa49cf148e in NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:432:19
    #12 0x7faa51509844 in mozilla::dom::WorkerPrivate::ClearMainEventQueue(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3720:5
    #13 0x7faa514f6ef5 in mozilla::dom::WorkerPrivate::ScheduleDeletion(mozilla::dom::WorkerPrivate::WorkerRanOrNot) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3547:3
    #14 0x7faa514ccc36 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:2277:19
    #15 0x7faa49cf74cb in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1169:16
    #16 0x7faa49d01dbc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #17 0x7faa4b1f64f1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:330:5
    #18 0x7faa4b0745a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #19 0x7faa4b0745a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #20 0x7faa4b0745a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #21 0x7faa49cefa5f in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #22 0x7faa66a1609e in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #23 0x7faa6832c608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #24 0x7faa67ef4292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:311:36 in operator!
Thread T28 (DOM Worker) created by T0 (Isolated Web Co) here:
    #0 0x55e719792a8c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7faa66a06124 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7faa669f73ce in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7faa49cf2d25 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:607:18
    #4 0x7faa515292c2 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7faa514ab7f8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1389:14
    #6 0x7faa514aa4f3 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1256:19
    #7 0x7faa514ff320 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:2525:24
    #8 0x7faa51537756 in mozilla::dom::RemoteWorkerChild::ExecWorkerOnMainThread(mozilla::dom::RemoteWorkerData&&) /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:437:41
    #9 0x7faa51554cca in operator() /builds/worker/checkouts/gecko/dom/workers/remoteworkers/RemoteWorkerChild.cpp:298:29
    #10 0x7faa51554cca in mozilla::detail::RunnableFunction<mozilla::dom::RemoteWorkerChild::ExecWorker(mozilla::dom::RemoteWorkerData const&)::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
    #11 0x7faa49cc487f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144:20
    #12 0x7faa49d10f72 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:468:16
    #13 0x7faa49cd693d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:771:26
    #14 0x7faa49cd3e98 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:607:15
    #15 0x7faa49cd45a9 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:391:36
    #16 0x7faa49d1a5e4 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:127:37
    #17 0x7faa49d1a5e4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531:5
    #18 0x7faa49cf6c97 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1175:16
    #19 0x7faa49d01dbc in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #20 0x7faa4b1f4bf4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #21 0x7faa4b0745a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #22 0x7faa4b0745a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #23 0x7faa4b0745a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #24 0x7faa51c15347 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #25 0x7faa566d5d8f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:917:20
    #26 0x7faa4b0745a1 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #27 0x7faa4b0745a1 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #28 0x7faa4b0745a1 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #29 0x7faa566d4fc2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:749:34
    #30 0x55e7197dcced in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #31 0x55e7197dd118 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #32 0x7faa67df90b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
Group: dom-core-security

So TopLevelWorkerFinishedRunnable clears the WorkerPrivate self reference which makes it go away.

But we have WorkerGlobalScopeBase.mWorkerPrivate and for reasons I ignore the ServiceWorkerGlobalScope this is part of is cycle collected only later and there we have a custom traverse function that triggers WorkerPrivate::TraverseTimeouts on the already freed WorkerPrivate memory.

A naive approach could be to make WorkerGlobalScopeBase.mWorkerPrivate become a RefPtr, but WorkerPrivate is not thread safe for refcounting. I assume the solution might be part of a more general overhaul of WorkerPrivate?

Flags: needinfo?(ytausky)

:jstutte, unfortunately I initially filed this bug without the S-S flag. This may have exposed the contents of comment 0 to anyone monitoring this component. Do you know how likely an exploit can be created based on the contents of comment 0? Also, any idea how far back this issue may have existed?

Flags: needinfo?(jstutte)

The mWorkerPrivate has been added by bug 1618546, it seems, thus April 2020. Obviously I don't know if it is possible to reach this constellation since then, but it is likely.

Yaron, can you give some hint how exploitable this could be? I assume without a reproducing testcase it is hard to say?

Flags: needinfo?(jstutte)

Unfortunately I can't estimate the exploitability of this issue. Generally we treat UAFs as high risk, but maybe someone with a security background can elaborate.
WorkerPrivate is a problematic class, since some of its members are accessed (supposedly) only from specific threads and without synchronization.

Flags: needinfo?(ytausky)
Keywords: bugmon
Keywords: bugmon

Hi Jason, are you trying to get a more reliable test case for this? Thanks!

Flags: needinfo?(jkratzer)
Severity: -- → S2
Priority: -- → P1

Jens, yes - I'm not sure if it'll be reliable enough to produce a pernosco session but I'm fairly close on a fully minimal testcase. I'll attach it here shortly.

Attached file testcase.zip

Attached is a mostly reduced testcase. The testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ace2f4af2c29 -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --repeat 10 --relaunch 2

I have not yet been able to reproduce this issue using a --disable-optimize build (required by pernosco).

Flags: needinfo?(jkratzer)
Assignee: nobody → ytausky
Assignee: ytausky → jstutte
Flags: needinfo?(echuang)

According to the core-dump stack, it seems that a cycle-collect job is triggered on the worker thread after the workerPrivate is freed.

It seems that we probably need to add some checks on the worker thread queue to make sure it must be empty before we free the WorkerPrivate.

Making WorkerGlobalScope::mWorkerPrivate might not be a good solution here, since it would change the life-cycle of WorkerPrivate. And in the current design, we want the self-reference, which means WorkerPrivate::mSelf, to be the last reference in its life-cycle.

I will take some time to figure the whole picture out.

I totally agree that WorkerPrivate is a very complicated class that needs to be refactored.

Flags: needinfo?(echuang)
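As an added illustration, not Gecko code and not anything from this bug's patch, the following C++ sketch models the lifetime pattern described in comment 2 and comment 8: a worker kept alive only by its own self reference (standing in for WorkerPrivate::mSelf), a global scope holding a raw non-owning pointer to it (standing in for WorkerGlobalScopeBase.mWorkerPrivate), and a traversal that runs after the worker has finished, as the cycle collector does in the comment 0 stack. The names Worker, WorkerObserver, UnsafeScope, SafeScope, RunScenario and LiveWorkerCount are assumptions made for the sketch. It keeps the self reference as the last strong reference, as comment 8 wants, and instead has the worker notify raw-pointer holders before dropping that reference, so a later traversal sees a null pointer rather than freed memory.

```cpp
// Added example (not Gecko code): simplified model of a self-owned worker,
// a scope holding a raw pointer to it, and a traversal that may run after
// the worker is gone. All names here are hypothetical.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Counts live Worker objects so a caller can confirm the worker was really
// destroyed when its self reference was dropped.
int& LiveWorkerCount() { static int n = 0; return n; }

// Hypothetical observer interface: a holder of a raw Worker pointer is told
// the worker is about to go away and must drop the pointer.
struct WorkerObserver {
  virtual void OnWorkerFinished() = 0;
  virtual ~WorkerObserver() = default;
};

struct Worker {
  std::vector<std::string> timeouts;   // stands in for the timeout list
  WorkerObserver* observer = nullptr;  // non-owning, registered by the scope
  std::shared_ptr<Worker> mSelf;       // self reference, the last strong ref

  Worker() { ++LiveWorkerCount(); }
  ~Worker() { --LiveWorkerCount(); }

  static std::shared_ptr<Worker> Create() {
    auto w = std::make_shared<Worker>();
    w->mSelf = w;  // keep ourselves alive until Finish()
    return w;
  }

  // Mirrors the "finished" runnable clearing the self reference. Notify raw
  // pointer holders first; nothing touches *this after mSelf.reset().
  void Finish() {
    if (observer) observer->OnWorkerFinished();
    mSelf.reset();  // destroys *this when no other strong refs remain
  }
};

// Unsafe shape: the raw pointer is never cleared, so Traverse() after the
// worker finished reads freed memory (the defect class in comment 0).
struct UnsafeScope {
  Worker* mWorkerPrivate;
  explicit UnsafeScope(Worker* w) : mWorkerPrivate(w) {}
  size_t Traverse() const { return mWorkerPrivate->timeouts.size(); }
};

// Hardened shape: the scope registers as observer, nulls its pointer when
// the worker finishes, and checks the pointer before traversing.
struct SafeScope : WorkerObserver {
  Worker* mWorkerPrivate;
  explicit SafeScope(Worker* w) : mWorkerPrivate(w) { w->observer = this; }
  void OnWorkerFinished() override { mWorkerPrivate = nullptr; }
  // Number of timeouts traversed; 0 and no memory access once the worker is gone.
  size_t Traverse() const {
    if (!mWorkerPrivate) return 0;
    return mWorkerPrivate->timeouts.size();
  }
};

// Drives the sequence from the bug: traverse while alive, worker finishes,
// traverse again. Returns {count before, count after}.
std::pair<size_t, size_t> RunScenario() {
  std::shared_ptr<Worker> w = Worker::Create();
  w->timeouts = {"t1", "t2", "t3"};  // constructed sample data
  SafeScope scope(w.get());
  size_t before = scope.Traverse();
  Worker* raw = w.get();
  w.reset();      // drop the local ref; mSelf still keeps the worker alive
  raw->Finish();  // self reference cleared -> worker destroyed
  size_t after = scope.Traverse();  // safe: pointer was nulled by the notify
  return {before, after};
}

int main() {
  auto r = RunScenario();
  std::printf("timeouts before finish: %zu, after finish: %zu, live workers: %d\n",
              r.first, r.second, LiveWorkerCount());
  return 0;
}
```

Built with -fsanitize=address, calling UnsafeScope::Traverse() after Finish() would be flagged as a heap-use-after-free of the same class as comment 0, while SafeScope::Traverse() returns 0 without touching the freed region; the notify-before-release ordering is what lets the self reference stay the last strong reference.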

I talked with Eden and filed bug 1744025. We might want to start that patch set from WorkerGlobalScopeBase.mWorkerPrivate.

(In reply to Jason Kratzer [:jkratzer] from comment #9)

I have not yet been able to reproduce this issue using a --disable-optimize build (required by pernosco).

I've found pernosco to be perfectly happy with (clang) builds generated using the following, if that helps. (Maybe it nets out to the same thing? Our configure flow now seems to be cleaner but more distributed throughout the codebase.)

ac_add_options --enable-profiling
ac_add_options --enable-optimize="-Og"

(In reply to Jens Stutte [:jstutte] from comment #4)

The mWorkerPrivate has been added by bug 1618546, it seems, thus April 2020. Obviously I don't know if it is possible to reach this constellation since then, but it is likely.

This actually has existed since at least 2013 here; Perry's patch (phab diff; scroll up into the removed hunk that's not directly removable) just upgraded it from WorkerPrivate* mWorkerPrivate; to const NotNull<WorkerPrivate*> mWorkerPrivate;.

The comment 0 stack is somewhat confusing. Frame 24 of the UAF on the worker is at the call to JS_GC(cx, JS::GCReason::WORKER_SHUTDOWN); which strictly happens before ScheduleDeletion is called which would create the TopLevelWorkerFinishedRunnable. For this stack to occur, it would tend to imply that we ended up in the notify/cancel edge case that calls ScheduleDeletion or that the run loop's failureCleanup case got invoked which calls RunLoopNeverRan which calls ScheduleDeletion.

The comment 1 stack combined with the use of FileReader in the test makes me suspect that the problem is that the FileReader's StrongWorkerRef callback invoking Shutdown is failing to call ClearProgressEventTimer() like Abort() does. (Shutdown seems to be a specialized variant of Abort.) This would explain the rogue timer event.

(In reply to Andrew Sutherland [:asuth] (he/him) from comment #14)

The comment 1 stack combined with the use of FileReader in the test makes me suspect that the problem is that the FileReader's StrongWorkerRef callback invoking Shutdown is failing to call ClearProgressEventTimer() like Abort() does. (Shutdown seems to be a specialized variant of Abort.) This would explain the rogue timer event.

Thanks for the analysis! This would make it become a duplicate of bug 1650214 then, I should have realized this earlier, sorry. A fix is already up for review there.

Still I am a bit unsure about the expected lifecycle of the WorkerGlobalScopeBase object in relation to the WorkerPrivate one. It is not clear to me why we would want to include WorkerGlobalScopeBase::mWorkerPrivate in the cycle collection here at all if we do not want it to happen in the end. Doing this through a weak raw pointer reference makes it kind of unpredictable, anyway. So even if the canceling of the timer will fix this specific one, we should continue to reason about bug 1744025 in general and the nature of every single WorkerPrivate reference (weak or strong) in particular, IMHO.

Depends on: 1650214

(In reply to Jens Stutte [:jstutte] from comment #15)

Still I am a bit unsure about the expected lifecycle of the WorkerGlobalScopeBase object in relation to the WorkerPrivate one.

The scope is strictly outlived by the WorkerPrivate. The scope is created on the worker when creating the context and torn down before we ScheduleDeletion. This is the lifetime of the JSContext which bounds the scope, but it's possible to dig more into the global.

It is not clear to me why we would want to include WorkerGlobalScopeBase::mWorkerPrivate in the cycle collection here at all if we do not want it to happen in the end.

So, we're not directly cycle collecting the WorkerPrivate itself, as I understand it. Instead, we're calling TraverseTimeouts because the timeouts created by setTimeout() are tracked on the WorkerPrivate in mTimeouts and the TimeoutInfo has a TimeoutHandler which can hold JS::Values which need to be considered by cycle collection for garbage collection because those timeouts effectively need to keep their associated JS closures alive. That is, the timers are part of the live object graph and we need to help the cycle collector find them. I don't have enough in my head about the timer implementation for workers right now, but it wouldn't surprise me if we could move those off of WorkerPrivate and that it would be cleaner as a result.

Doing this through a weak raw pointer reference makes it kind of unpredictable, anyway.

So, this all should be covered by the self-reference by invariant. But as I say in https://bugzilla.mozilla.org/show_bug.cgi?id=1744025#c6 I agree that there clearly are bugs and it would be better for the bugs to not result in UAFs and/or for us to have a better way to more proactively detect these things and be able to incrementally move forward.
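Added illustration (not Gecko code, and not written by anyone in this thread) of the two points above: the Shutdown/Abort asymmetry on the FileReader's progress timer, and the earlier proposal to check the worker queue for leftover entries before WorkerPrivate is freed. All class names are hypothetical stand-ins that only mirror the names the comments use; the queue, FileReader and WorkerPrivate structures are constructed for the example.

```cpp
// Hypothetical model of the lifetime bug discussed in this thread. It is NOT
// Gecko code: the names mirror the thread, the structure is made up.
#include <cassert>
#include <cstdio>
#include <functional>
#include <memory>
#include <vector>

// Minimal stand-in for the worker thread's event queue. A timer is an entry
// that fires later and may dereference the worker it was created for.
class WorkerQueue {
 public:
  struct Entry {
    int id;
    const void* owner;          // object the callback touches when it fires
    std::function<void()> fn;
    bool cancelled;
  };

  int Post(const void* owner, std::function<void()> fn) {
    mEntries.push_back({mNextId, owner, std::move(fn), false});
    return mNextId++;
  }

  void Cancel(int id) {
    for (auto& e : mEntries) {
      if (e.id == id) e.cancelled = true;
    }
  }

  // The check proposed earlier in the thread: how many live entries still
  // reference `owner`? Anything non-zero before freeing `owner` is a UAF
  // waiting to happen, so a debug build could assert on it.
  size_t PendingFor(const void* owner) const {
    size_t n = 0;
    for (const auto& e : mEntries) {
      if (!e.cancelled && e.owner == owner) ++n;
    }
    return n;
  }

 private:
  std::vector<Entry> mEntries;
  int mNextId = 1;
};

// Stand-in for WorkerPrivate: the object released by the main thread.
struct WorkerPrivate {
  int mProgressEventsSeen = 0;
};

// Stand-in for FileReader. Abort() clears the progress timer; the buggy
// Shutdown() path does not, which is the omission identified above.
class FileReader {
 public:
  FileReader(WorkerQueue& queue, WorkerPrivate* worker)
      : mQueue(queue), mWorker(worker) {}

  void StartRead() {
    // The progress timer will dereference mWorker when it fires.
    mProgressTimer = mQueue.Post(mWorker, [this] { mWorker->mProgressEventsSeen++; });
  }

  void ClearProgressEventTimer() {
    if (mProgressTimer != 0) {
      mQueue.Cancel(mProgressTimer);
      mProgressTimer = 0;
    }
  }

  void Abort() { ClearProgressEventTimer(); }

  // Shutdown as the StrongWorkerRef callback would invoke it. `fixed` selects
  // whether the missing ClearProgressEventTimer() call is present.
  void Shutdown(bool fixed) {
    if (fixed) ClearProgressEventTimer();
    // other teardown would go here
  }

 private:
  WorkerQueue& mQueue;
  WorkerPrivate* mWorker;
  int mProgressTimer = 0;
};

// Replays the sequence from the bug: a read starts, the worker is shut down,
// then WorkerPrivate is freed. Returns how many queued timers still reference
// the worker at the moment it is freed. The callbacks are never run here.
size_t DanglingTimersAfterShutdown(bool fixedShutdown) {
  WorkerQueue queue;
  auto worker = std::make_unique<WorkerPrivate>();
  const void* workerAddr = worker.get();

  FileReader reader(queue, worker.get());
  reader.StartRead();
  reader.Shutdown(fixedShutdown);

  size_t dangling = queue.PendingFor(workerAddr);  // check before the free
  worker.reset();  // models TopLevelWorkerFinishedRunnable releasing it
  return dangling;
}

int main() {
  std::printf("buggy Shutdown leaves %zu dangling timer(s)\n", DanglingTimersAfterShutdown(false));
  std::printf("fixed Shutdown leaves %zu dangling timer(s)\n", DanglingTimersAfterShutdown(true));
  return 0;
}
```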

(In reply to Andrew Sutherland [:asuth] (he/him) from comment #16)

That is, the timers are part of the live object graph and we need to help the cycle collector find them. I don't have enough in my head about the timer implementation for workers right now, but it wouldn't surprise me if we could move those off of WorkerPrivate and that it would be cleaner as a result.

Thanks for the precise description and I also think we should find a more elegant way to find those timers than through this WorkerPrivate raw pointer. If we do not find a different access than through the worker, a WeakWorkerRef (or a similar concept) might be the answer here.

Now that bug 1650214 landed to central, we might want to uplift that patch? Should I request uplift there or sec-approval here?

Flags: needinfo?(dveditz)

Probably best to request uplift on the patch in bug 1650214 for beta and ESR as a simple and safe stability fix, without mentioning the security bug (release managers will see that it blocks this one, while the dependency will be invisible to others who can't see this bug).

We don't need sec-approval for uplifts, and the main patch has already landed on -central.

The testcase in comment 9 is definitely not something we can check in, but if you do come up with a reliable regression test you can put it in this bug and we'll land it later.

Flags: needinfo?(dveditz)

(In reply to Jason Kratzer [:jkratzer] from comment #9)

Created attachment 9251943 [details]
testcase.zip

Attached is a mostly reduced testcase. Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build ace2f4af2c29 -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip --repeat 10 --relaunch 2

I have not yet been able to reproduce this issue using a --disable-optimize build (required by pernosco).

Hi Jason, can you confirm if bug 1650214 solved this issue? Thanks!

Flags: needinfo?(jkratzer)

Jens, I can no longer reproduce the issue on tip. Bisection appears to point to bug 1650214 as having fixed this issue.

Flags: needinfo?(jkratzer)

(In reply to Daniel Veditz [:dveditz] from comment #19)

The testcase in comment 9 is definitely not something we can check in, but if you do come up with a reliable regression test you can put it in this bug and we'll land it later.

We do not have a reliable testcase for this, sorry. Fixed by bug 1650214.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME

It appears that the fuzzers have identified another crash with a very similar looking stack on m-c rev 818c851d0aeb (20211224). Unfortunately, the testcase does not reproduce. If you feel like this is a different issue, please let me know and I'll file a separate bug.

==6911==ERROR: AddressSanitizer: heap-use-after-free on address 0x61b000222ce8 at pc 0x7f59b0a0d9a0 bp 0x7f591345d160 sp 0x7f591345d158
READ of size 8 at 0x61b000222ce8 thread T107 (DOM Worker)
    #0 0x7f59b0a0d99f in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:713:9
    #1 0x7f59b0a0d99f in load /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/atomic:452:21
    #2 0x7f59b0a0d99f in load /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:195:17
    #3 0x7f59b0a0d99f in operator const PRThread * /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:340:31
    #4 0x7f59b0a0d99f in IsCorrectThread /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:128:41
    #5 0x7f59b0a0d99f in AssertIsCorrectThread /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:135:3
    #6 0x7f59b0a0d99f in mozilla::ThreadBound<mozilla::dom::WorkerPrivate::WorkerThreadAccessible>::Accessor<false>::Accessor(mozilla::ThreadBound<mozilla::dom::WorkerPrivate::WorkerThreadAccessible>&) /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:100:20
    #7 0x7f59b09eb15e in Access /builds/worker/workspace/obj-build/dist/include/mozilla/ThreadBound.h:123:26
    #8 0x7f59b09eb15e in mozilla::dom::WorkerPrivate::TraverseTimeouts(nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerPrivate.cpp:3795:39
    #9 0x7f59b0a0038e in mozilla::dom::WorkerGlobalScopeBase::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:195:24
    #10 0x7f59b0a01798 in mozilla::dom::WorkerGlobalScope::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:358:1
    #11 0x7f59b0a04ee1 in mozilla::dom::DedicatedWorkerGlobalScope::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) /gecko/dom/workers/WorkerScope.cpp:772:1
    #12 0x7f59a8c6cb95 in TraverseNativeAndJS /gecko/xpcom/base/nsCycleCollectionParticipant.h:223:19
    #13 0x7f59a8c6cb95 in CCGraphBuilder::BuildGraph(js::SliceBudget&) /gecko/xpcom/base/nsCycleCollector.cpp:2051:39
    #14 0x7f59a8c723f1 in nsCycleCollector::MarkRoots(js::SliceBudget&) /gecko/xpcom/base/nsCycleCollector.cpp:2656:33
    #15 0x7f59a8c7856b in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3406:9
    #16 0x7f59a8c7bc58 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3907:28
    #17 0x7f59b09ac7cd in mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /gecko/dom/workers/RuntimeService.cpp:834:11
    #18 0x7f59a8c25f30 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1877:3
    #19 0x7f59b6d50f1a in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:3595:3
    #20 0x7f59b6d51ebc in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:3574:32
    #21 0x7f59b6d51ebc in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3672:1
    #22 0x7f59b6d53475 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, mozilla::Maybe<JS::GCOptions> const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:3855:9
    #23 0x7f59b6d1c616 in js::gc::GCRuntime::gc(JS::GCOptions, JS::GCReason) /gecko/js/src/gc/GC.cpp:3938:3
    #24 0x7f59b09ab4ea in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2231:7
    #25 0x7f59a8e5650b in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1177:16
    #26 0x7f59a8e6133c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #27 0x7f59aa3762c1 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:330:5
    #28 0x7f59aa1f3ec1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #29 0x7f59aa1f3ec1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #30 0x7f59aa1f3ec1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #31 0x7f59a8e4ea0f in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
    #32 0x7f59cb61202e in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #33 0x7f59cd734608 in start_thread /build/glibc-eX1tMB/glibc-2.31/nptl/pthread_create.c:477:8
    #34 0x7f59cd2fc292 in __clone /build/glibc-eX1tMB/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x61b000222ce8 is located 1384 bytes inside of 1472-byte region [0x61b000222780,0x61b000222d40)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55d8f67984c2 in __interceptor_free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:111:3
    #1 0x7f59b09c8849 in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51:10
    #2 0x7f59b09c8849 in mozilla::dom::WorkerPrivate::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:124:3
    #3 0x7f59b0a10820 in mozilla::dom::(anonymous namespace)::TopLevelWorkerFinishedRunnable::Run() /gecko/dom/workers/WorkerPrivate.cpp:309:22
    #4 0x7f59a8e766f2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #5 0x7f59a8e6e6cf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #6 0x7f59a8e766f2 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /gecko/xpcom/threads/ThrottledEventQueue.cpp:254:22
    #7 0x7f59a8e6e6cf in mozilla::ThrottledEventQueue::Inner::Executor::Run() /gecko/xpcom/threads/ThrottledEventQueue.cpp:81:15
    #8 0x7f59a8e70562 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
    #9 0x7f59a8e357ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
    #10 0x7f59a8e32d08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
    #11 0x7f59a8e33419 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
    #12 0x7f59a8e79f24 in operator() /gecko/xpcom/threads/TaskController.cpp:127:37
    #13 0x7f59a8e79f24 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #14 0x7f59a8e55cd7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1183:16
    #15 0x7f59a8e6133c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #16 0x7f59b0d1d9fa in bool mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&)::$_1>(nsTSubstring<char> const&, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&)::$_1&&, nsIThread*) /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
    #17 0x7f59b0d1ac08 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*, bool, mozilla::ErrorResult&) /gecko/dom/xhr/XMLHttpRequestMainThread.cpp:3063:10
    #18 0x7f59b0d1932b in mozilla::dom::XMLHttpRequestMainThread::Send(mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /gecko/dom/xhr/XMLHttpRequestMainThread.cpp:2817:5
    #19 0x7f59ade0cf24 in mozilla::dom::XMLHttpRequest_Binding::send(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/XMLHttpRequestBinding.cpp:1374:24
    #20 0x7f59ae522cfd in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3306:13
    #21 0x7f59b6059404 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:425:13
    #22 0x7f59b6059404 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:512:12
    #23 0x7f59b60458ce in CallFromStack /gecko/js/src/vm/Interpreter.cpp:576:10
    #24 0x7f59b60458ce in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3309:16
    #25 0x7f59b602a6d1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:394:13
    #26 0x7f59b605953f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:544:13
    #27 0x7f59b605b68b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #28 0x7f59b65f4ba7 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1539:10
    #29 0x7f59b62a2d89 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:152:8
    #30 0x7f59b645374d in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:1954:10
    #31 0x7f59b645374d in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2012:12
    #32 0x7f59b6059404 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:425:13
    #33 0x7f59b6059404 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:512:12
    #34 0x7f59b605b68b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #35 0x7f59b62d9a1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55d8f679872d in __interceptor_malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:129:3
    #1 0x55d8f67d33bd in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7f59b09dfd47 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7f59b09dfd47 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2502:7
    #4 0x7f59b0995e4d in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:44:41
    #5 0x7f59adde522c in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
    #6 0x7f59b605c235 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:425:13
    #7 0x7f59b605c235 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:441:8
    #8 0x7f59b605c235 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:636:10
    #9 0x7f59b604587f in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3299:16
    #10 0x7f59b602a6d1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:394:13
    #11 0x7f59b605953f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:544:13
    #12 0x7f59b605b68b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #13 0x7f59b62d9a1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #14 0x7f59ae141b79 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #15 0x7f59aedf5894 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #16 0x7f59aedf5350 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1303:43
    #17 0x7f59aedf69fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1500:17
    #18 0x7f59aede4ace in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
    #19 0x7f59aede32dd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
    #20 0x7f59aede7555 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
    #21 0x7f59b178d5c7 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1086:7
    #22 0x7f59b5118033 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6309:20
    #23 0x7f59b511732b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5698:7
    #24 0x7f59b51192ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #25 0x7f59ab492ac0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1377:3
    #26 0x7f59ab4916d4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:975:14
    #27 0x7f59ab48df02 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:794:9
    #28 0x7f59ab4900c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:677:5
    #29 0x7f59b515187b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13571:23
    #30 0x7f59a91bca8e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #31 0x7f59a91bf4d3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #32 0x7f59ac6ca2a2 in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:11556:18

Thread T107 (DOM Worker) created by T0 (Isolated Web Co) here:
    #0 0x55d8f6782e2c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cpp:207:3
    #1 0x7f59cb6020b4 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f59cb5f335e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f59a8e51d65 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:615:18
    #4 0x7f59b0a0b792 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
    #5 0x7f59b098b7b8 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1360:14
    #6 0x7f59b098a6d4 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1227:19
    #7 0x7f59b09dfe64 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2518:24
    #8 0x7f59b0995e4d in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:44:41
    #9 0x7f59adde522c in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
    #10 0x7f59b605c235 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:425:13
    #11 0x7f59b605c235 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:441:8
    #12 0x7f59b605c235 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /gecko/js/src/vm/Interpreter.cpp:636:10
    #13 0x7f59b604587f in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3299:16
    #14 0x7f59b602a6d1 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:394:13
    #15 0x7f59b605953f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:544:13
    #16 0x7f59b605b68b in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:589:8
    #17 0x7f59b62d9a1d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #18 0x7f59ae141b79 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #19 0x7f59aedf5894 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #20 0x7f59aedf5350 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1303:43
    #21 0x7f59aedf69fc in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1500:17
    #22 0x7f59aede4ace in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
    #23 0x7f59aede32dd in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
    #24 0x7f59aede7555 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1085:11
    #25 0x7f59b178d5c7 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1086:7
    #26 0x7f59b5118033 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6309:20
    #27 0x7f59b511732b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5698:7
    #28 0x7f59b51192ff in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #29 0x7f59ab492ac0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1377:3
    #30 0x7f59ab4916d4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:975:14
    #31 0x7f59ab48df02 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:794:9
    #32 0x7f59ab4900c5 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:677:5
    #33 0x7f59b515187b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13571:23
    #34 0x7f59a91bca8e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #35 0x7f59a91bf4d3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #36 0x7f59ac6ca2a2 in mozilla::dom::Document::DoUnblockOnload() /gecko/dom/base/Document.cpp:11556:18
    #37 0x7f59ac6772f7 in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:11486:9
    #38 0x7f59ac6a1fb1 in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:8001:3
    #39 0x7f59ac79171d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
    #40 0x7f59ac79171d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
    #41 0x7f59ac79171d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
    #42 0x7f59a8e2391f in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:144:20
    #43 0x7f59a8e70562 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:468:16
    #44 0x7f59a8e357ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:771:26
    #45 0x7f59a8e32d08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:607:15
    #46 0x7f59a8e33419 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:391:36
    #47 0x7f59a8e79ef1 in operator() /gecko/xpcom/threads/TaskController.cpp:124:37
    #48 0x7f59a8e79ef1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:531:5
    #49 0x7f59a8e55cd7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1183:16
    #50 0x7f59a8e6133c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:467:10
    #51 0x7f59aa3749cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #52 0x7f59aa1f3ec1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #53 0x7f59aa1f3ec1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #54 0x7f59aa1f3ec1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #55 0x7f59b1105fa7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #56 0x7f59b5d76f7f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:864:20
    #57 0x7f59aa1f3ec1 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #58 0x7f59aa1f3ec1 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #59 0x7f59aa1f3ec1 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #60 0x7f59b5d761b2 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #61 0x55d8f67cd08d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #62 0x55d8f67cd4b8 in main /gecko/browser/app/nsBrowserApp.cpp:327:18
    #63 0x7f59cd2010b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:713:9 in load
Shadow bytes around the buggy address:
  0x0c368003c540: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368003c550: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368003c560: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368003c570: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c368003c580: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c368003c590: fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd fd
  0x0c368003c5a0: fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa
  0x0c368003c5b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c368003c5c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c368003c5d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c368003c5e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6911==ABORTING
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Flags: needinfo?(jstutte)

(In reply to Jason Kratzer [:jkratzer] from comment #23)

It appears that the fuzzers have identified another crash with a very similar looking stack on m-c rev 818c851d0aeb (20211224). Unfortunately, the testcase does not reproduce. If you feel like this is a different issue, please let me know and I'll file a separate bug.

If the original testcase attached here does not reproduce on the same revision, I'd prefer to have a new bug for this one, even if the stack looks the same. I suspect there to be a different root cause. And on that new bug we might want to discuss also if we can find some hardening/mitigation that does not require us to fix all ordering problems. I assume from comment 2 that WorkerGlobalScopeBase.mWorkerPrivate could become a RefPtr<StrongWorkerRef> or even RefPtr<ThreadSafeWorkerRef>.

Flags: needinfo?(jstutte)
Flags: needinfo?(jkratzer)
Blocks: 1748401
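As an added illustration of the hardening floated above (this is not Gecko code and not from this bug): a global scope holding a bare back-pointer to its WorkerPrivate versus one holding a strong reference, with the owner tearing the object down while the scope still exists. WorkerPrivate, the two scope types and the URL are hypothetical stand-ins; std::weak_ptr models the raw pointer so the dangling case is observable, and std::shared_ptr models RefPtr<StrongWorkerRef>.

```cpp
#include <atomic>
#include <memory>
#include <string>
#include <thread>

// Hypothetical stand-in for WorkerPrivate: a thread-bound object that records
// its owning thread, as mozilla::ThreadBound does with an Atomic<PRThread*>.
struct WorkerPrivate {
  std::atomic<std::thread::id> owner{std::this_thread::get_id()};
  std::string scriptUrl;
  explicit WorkerPrivate(std::string url) : scriptUrl(std::move(url)) {}
  // In the report this load is the use-after-free itself: the ownership
  // check runs against an already freed WorkerPrivate.
  bool IsCorrectThread() const { return owner.load() == std::this_thread::get_id(); }
};

// Models WorkerGlobalScopeBase::mWorkerPrivate as a bare back-pointer.
// std::weak_ptr stands in for the raw pointer so "already destroyed" is
// observable instead of undefined behaviour.
struct BackPointerScope {
  std::weak_ptr<WorkerPrivate> mWorkerPrivate;
  bool WorkerAlive() const { return !mWorkerPrivate.expired(); }
};

// Models the proposed hardening: a strong reference (RefPtr<StrongWorkerRef>
// in Gecko, std::shared_ptr here) keeps WorkerPrivate alive for the scope.
struct StrongRefScope {
  std::shared_ptr<WorkerPrivate> mWorkerPrivate;
  bool AssertIsCorrectThread() const { return mWorkerPrivate->IsCorrectThread(); }
  std::string ScriptUrl() const { return mWorkerPrivate->scriptUrl; }
};

// The ordering problem from the report: the owner tears WorkerPrivate down
// while a scope still exists and may still run a task against it.
bool BackPointerSurvivesTeardown() {
  auto owner = std::make_shared<WorkerPrivate>("constructed://worker.js");
  BackPointerScope scope{owner};
  owner.reset();               // WorkerPrivate destroyed
  return scope.WorkerAlive();  // false: a raw pointer would now dangle
}

// Same ordering with the strong reference: the object outlives its owner, so
// the thread check and the field read are both safe ("" if either failed).
std::string StrongRefSurvivesTeardown() {
  auto owner = std::make_shared<WorkerPrivate>("constructed://worker.js");
  StrongRefScope scope{owner};
  owner.reset();
  return (scope.mWorkerPrivate && scope.AssertIsCorrectThread()) ? scope.ScriptUrl() : "";
}
```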

I created bug 1748401 for this. Should we leave this open to ensure we do not remove the security level before we have really fixed all problems? The testcase attached here seems to be fixed, at least. So the question is probably: should we keep the dependency here?

Edit: Since we talked here about further cases, we should definitely keep it hidden, I assume.

No longer blocks: 1748401
Depends on: 1748401
Flags: needinfo?(jkratzer) → needinfo?(dveditz)

We should close this as FIXED, by bug 1650214. Otherwise this will get missed as a security fix in the relevant releases. The new case is best spun out as a new bug--as you've done. Since the original testcase remains fixed we've definitely got an improvement here, even if the new similar stack hints that it may not be complete.

I'll add a whiteboard note that this should stay hidden while that other bug is.

Group: dom-core-security → core-security-release
Status: REOPENED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(dveditz)
Resolution: --- → FIXED
Whiteboard: [bugmon:confirm] → [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm]

Thanks, I think it is reasonable to remove the dependency then, too.

No longer depends on: 1748401
Whiteboard: [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm] → [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r]

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(jstutte)
Whiteboard: [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r] → [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r][sec-survey]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #28)

Please visit this google form to reply.

Done.

Flags: needinfo?(jstutte)
Flags: qe-verify-
Whiteboard: [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r][sec-survey] → [keep hidden while 1748401 is][fixed by 1650214][bugmon:confirm][adv-main96+r][adv-ESR91.5+r][sec-survey][post-critsmash-triage]

:jstutte, since this bug contains a bisection range, could you fill (if possible) the regressed_by field?
For more information, please visit auto_nag documentation.

Flags: needinfo?(jstutte)

Assuming from bug 1650214 comment 25 that also here the bot failed.

Flags: needinfo?(jstutte)
Group: core-security-release
See Also: → 1744025, 1748401