Closed Bug 1776878 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 8

Categories

(Core :: Graphics: Canvas2D, defect)

x86_64 Linux

Tracking

Status: VERIFIED FIXED
Target Milestone: 104 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- unaffected
firefox102 --- unaffected
firefox103 + fixed
firefox104 + fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 3a227a2156b9 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 3a227a2156b9 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: heap-use-after-free [@ operator!] with READ of size 8

    =================================================================
    ==3413755==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000d83a8 at pc 0x7f030342e19a bp 0x7f0268bbf4d0 sp 0x7f0268bbf4c8
    READ of size 8 at 0x6040000d83a8 thread T20 (DOM Worker)
        #0 0x7f030342e199 in operator! /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:311:36
        #1 0x7f030342e199 in EncodeCallback /dom/canvas/OffscreenCanvas.cpp:288:13
        #2 0x7f030342e199 in already_AddRefed<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback> mozilla::MakeAndAddRef<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback, mozilla::dom::Promise*&>(mozilla::dom::Promise*&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:590:19
        #3 0x7f030342ea04 in CreateEncodeCompleteCallback /dom/canvas/OffscreenCanvas.cpp:330:10
        #4 0x7f030342ea04 in mozilla::dom::OffscreenCanvas::ConvertToBlob(mozilla::dom::ImageEncodeOptions const&, mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:372:7
        #5 0x7f0301e03025 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:956:60
        #6 0x7f0301e02c99 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:972:13
        #7 0x7f0303196631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #8 0x7f026e8fc497  (<unknown module>)
    
    0x6040000d83a8 is located 24 bytes inside of 40-byte region [0x6040000d8390,0x6040000d83b8)
    freed by thread T20 (DOM Worker) here:
        #0 0x5633da972d92 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7f03034ddaf9 in Release /dom/base/ImageEncoder.h:109:3
        #2 0x7f03034ddaf9 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50:40
        #3 0x7f03034ddaf9 in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381:36
        #4 0x7f03034ddaf9 in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81:7
        #5 0x7f03034ddaf9 in ~ /dom/canvas/OffscreenCanvas.cpp:287:17
        #6 0x7f03034ddaf9 in ~box /builds/worker/workspace/obj-build/dist/include/function2/function2.hpp:403:18
        #7 0x7f03034ddaf9 in void fu2::abi_400::detail::type_erasure::tables::vtable<fu2::abi_400::detail::property<false, false, void ()> >::trait<fu2::abi_400::detail::type_erasure::box<false, mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback::EncodeCallback(mozilla::dom::Promise*)::'lambda'(), std::allocator<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback::EncodeCallback(mozilla::dom::Promise*)::'lambda'()> > >::process_cmd<true>(fu2::abi_400::detail::type_erasure::tables::vtable<fu2::abi_400::detail::property<false, false, void ()> >*, fu2::abi_400::detail::type_erasure::tables::opcode, fu2::abi_400::detail::type_erasure::data_accessor*, unsigned long, fu2::abi_400::detail::type_erasure::data_accessor*, unsigned long) /builds/worker/workspace/obj-build/dist/include/function2/function2.hpp:912:19
        #8 0x7f030342e05e in weak_destroy /builds/worker/workspace/obj-build/dist/include/function2/function2.hpp:1022:5
        #9 0x7f030342e05e in ~erasure /builds/worker/workspace/obj-build/dist/include/function2/function2.hpp:1189:13
        #10 0x7f030342e05e in ~function /builds/worker/workspace/obj-build/dist/include/function2/function2.hpp:1550:23
        #11 0x7f030342e05e in EncodeCallback /dom/canvas/OffscreenCanvas.cpp:286:9
        #12 0x7f030342e05e in already_AddRefed<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback> mozilla::MakeAndAddRef<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback, mozilla::dom::Promise*&>(mozilla::dom::Promise*&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:590:19
        #13 0x7f030342ea04 in CreateEncodeCompleteCallback /dom/canvas/OffscreenCanvas.cpp:330:10
        #14 0x7f030342ea04 in mozilla::dom::OffscreenCanvas::ConvertToBlob(mozilla::dom::ImageEncodeOptions const&, mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:372:7
        #15 0x7f0301e03025 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:956:60
        #16 0x7f0301e02c99 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:972:13
        #17 0x7f0303196631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #18 0x7f026e8fc497  (<unknown module>)
        #19 0x7f026e8e6330  (<unknown module>)
        #20 0x7f026e8dc4ed  (<unknown module>)
        #21 0x7f030cf5c4e4 in EnterJit(JSContext*, js::RunState&, unsigned char*) /js/src/jit/Jit.cpp:107:5
        #22 0x7f030d527eaa in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:380:32
        #23 0x7f030d5544be in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
        #24 0x7f030d555f9e in InternalCall /js/src/vm/Interpreter.cpp:575:10
        #25 0x7f030d555f9e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
        #26 0x7f030bc03335 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #27 0x7f0302da843f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:266:37
        #28 0x7f0303bc7043 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
        #29 0x7f0303bc55e8 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
        #30 0x7f0303b8b918 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
        #31 0x7f0303b8ce9c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #32 0x7f0303b7afbe in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #33 0x7f0303b79821 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #34 0x7f0303b7da05 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #35 0x7f0303b83381 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #36 0x7f0303b3145d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:180:17
        #37 0x7f0302dfe5bd in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/EventTargetBinding.cpp:841:36
        #38 0x7f0303199830 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #39 0x7f026e8fc497  (<unknown module>)
        #40 0x7f026e8e63aa  (<unknown module>)
        #41 0x7f026e8dc4ed  (<unknown module>)
    
    previously allocated by thread T20 (DOM Worker) here:
        #0 0x5633da97303e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x5633da9b7625 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f030342dd8a in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f030342dd8a in already_AddRefed<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback> mozilla::MakeAndAddRef<mozilla::dom::OffscreenCanvas::CreateEncodeCompleteCallback(mozilla::dom::Promise*)::EncodeCallback, mozilla::dom::Promise*&>(mozilla::dom::Promise*&) /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:590:15
        #4 0x7f030342ea04 in CreateEncodeCompleteCallback /dom/canvas/OffscreenCanvas.cpp:330:10
        #5 0x7f030342ea04 in mozilla::dom::OffscreenCanvas::ConvertToBlob(mozilla::dom::ImageEncodeOptions const&, mozilla::ErrorResult&) /dom/canvas/OffscreenCanvas.cpp:372:7
        #6 0x7f0301e03025 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:956:60
        #7 0x7f0301e02c99 in mozilla::dom::OffscreenCanvas_Binding::convertToBlob_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/OffscreenCanvasBinding.cpp:972:13
        #8 0x7f0303196631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #9 0x7f026e8fc497  (<unknown module>)
        #10 0x7f026e8e6330  (<unknown module>)
        #11 0x7f026e8dc4ed  (<unknown module>)
        #12 0x7f030cf5c4e4 in EnterJit(JSContext*, js::RunState&, unsigned char*) /js/src/jit/Jit.cpp:107:5
        #13 0x7f030d527eaa in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:380:32
        #14 0x7f030d5544be in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
        #15 0x7f030d555f9e in InternalCall /js/src/vm/Interpreter.cpp:575:10
        #16 0x7f030d555f9e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
        #17 0x7f030bc03335 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #18 0x7f0302da843f in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:266:37
        #19 0x7f0303bc7043 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
        #20 0x7f0303bc55e8 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /dom/events/JSEventHandler.cpp:201:12
        #21 0x7f0303b8b918 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1316:22
        #22 0x7f0303b8ce9c in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #23 0x7f0303b7afbe in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #24 0x7f0303b79821 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #25 0x7f0303b7da05 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #26 0x7f0303b83381 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #27 0x7f0303b3145d in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/events/DOMEventTargetHelper.cpp:180:17
        #28 0x7f0302dfe5bd in mozilla::dom::EventTarget_Binding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/EventTargetBinding.cpp:841:36
        #29 0x7f0303199830 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:3272:13
        #30 0x7f026e8fc497  (<unknown module>)
        #31 0x7f026e8e63aa  (<unknown module>)
        #32 0x7f026e8dc4ed  (<unknown module>)
    
    Thread T20 (DOM Worker) created by T0 (Isolated Web Co) here:
        #0 0x5633da95c59c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f03251c8c2c in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f03251b9fce in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f02fe09c895 in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:618:18
        #4 0x7f0305eb643a in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
        #5 0x7f0305e40155 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1324:37
        #6 0x7f0305e3f121 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1200:19
        #7 0x7f0305e8a476 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /dom/workers/WorkerPrivate.cpp:2562:24
        #8 0x7f0305e4f935 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /dom/workers/Worker.cpp:43:41
        #9 0x7f0302a052d4 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1114:52
        #10 0x7f030d556d9b in CallJSNative /js/src/vm/Interpreter.cpp:421:13
        #11 0x7f030d556d9b in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:437:8
        #12 0x7f030d556d9b in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /js/src/vm/Interpreter.cpp:653:10
        #13 0x7f030d54297a in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3315:16
        #14 0x7f030d527ed9 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:390:13
        #15 0x7f030d5544be in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:540:13
        #16 0x7f030d555f9e in InternalCall /js/src/vm/Interpreter.cpp:575:10
        #17 0x7f030d555f9e in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:606:8
        #18 0x7f030bc03335 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #19 0x7f0302daaea9 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #20 0x7f0303b8bdc4 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #21 0x7f0303b8b880 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1310:43
        #22 0x7f0303b8ce40 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1507:17
        #23 0x7f0303b7afbe in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:348:17
        #24 0x7f0303b79821 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:550:16
        #25 0x7f0303b7da05 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1119:11
        #26 0x7f0306e89372 in nsDocumentViewer::LoadComplete(nsresult) /layout/base/nsDocumentViewer.cpp:1085:7
        #27 0x7f030a8e83b6 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /docshell/base/nsDocShell.cpp:6436:20
        #28 0x7f030a8e7658 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp:5828:7
        #29 0x7f030a8e95af in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /docshell/base/nsDocShell.cpp
        #30 0x7f02ffd660b0 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /uriloader/base/nsDocLoader.cpp:1377:3
        #31 0x7f02ffd64ab4 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:975:14
        #32 0x7f02ffd61402 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /uriloader/base/nsDocLoader.cpp:794:9
        #33 0x7f02ffd63471 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /uriloader/base/nsDocLoader.cpp:677:5
        #34 0x7f030a92375b in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /docshell/base/nsDocShell.cpp:13841:23
        #35 0x7f02fe428e5e in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /netwerk/base/nsLoadGroup.cpp:614:22
        #36 0x7f02fe42b854 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /netwerk/base/nsLoadGroup.cpp:518:10
        #37 0x7f0301242dc4 in mozilla::dom::Document::DoUnblockOnload() /dom/base/Document.cpp:11662:18
        #38 0x7f03011ef2d0 in mozilla::dom::Document::UnblockOnload(bool) /dom/base/Document.cpp:11600:9
        #39 0x7f030121a639 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8135:3
        #40 0x7f030130d32d in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1147:12
        #41 0x7f030130d32d in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1153:12
        #42 0x7f030130d32d in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1200:13
        #43 0x7f02fe06d42f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #44 0x7f02fe0c0422 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #45 0x7f02fe080d6d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #46 0x7f02fe07ded8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #47 0x7f02fe07e600 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #48 0x7f02fe0c9351 in operator() /xpcom/threads/TaskController.cpp:187:37
        #49 0x7f02fe0c9351 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #50 0x7f02fe0a1fa7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #51 0x7f02fe0ac424 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #52 0x7f02ff8200ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #53 0x7f02ff6a1051 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #54 0x7f02ff6a1051 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #55 0x7f02ff6a1051 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #56 0x7f03067a6ab7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #57 0x7f030b7820a7 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
        #58 0x7f02ff6a1051 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
        #59 0x7f02ff6a1051 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
        #60 0x7f02ff6a1051 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
        #61 0x7f030b78120f in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
        #62 0x5633da9b06d5 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #63 0x5633da9b0a86 in main /browser/app/nsBrowserApp.cpp:338:18
        #64 0x7f032593a082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:311:36 in operator!
    Shadow bytes around the buggy address:
      0x0c0880013020: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
      0x0c0880013030: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
      0x0c0880013040: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
      0x0c0880013050: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
      0x0c0880013060: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
    =>0x0c0880013070: fa fa fd fd fd[fd]fd fa fa fa fa fa fa fa fa fa
      0x0c0880013080: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c0880013090: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c08800130a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c08800130b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c08800130c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==3413755==ABORTING
Attached file Testcase

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220628091640-3a227a2156b9.
The bug appears to have been introduced in the following build range:

Start: 485960624319f7058f00951f988e7d94af554de6 (20220622131143)
End: cd4ca1691c0b74f665e4e43692d04a992d2a11db (20220622145358)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=485960624319f7058f00951f988e7d94af554de6&tochange=cd4ca1691c0b74f665e4e43692d04a992d2a11db

Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Group: core-security → gfx-core-security

Maybe bug 1769878 is the regressor? The changesets for that bug talk about releasing things when workers shut down, and also something about an EncodeComplete callback. Nothing else looks very related.

Flags: needinfo?(jstutte)
Flags: needinfo?(bugs)
Regressed by: 1769878

At least the crash is happening in code added by D149693, it seems, though I cannot really see how it could crash on this line inside the constructor of EventCallback accessing a member variable of that class that two lines above has just been set?

Wait - so my guess would be here, that WeakWorkerRef::Create returns nullptr and due to this it forgets the aCallback. Given that this is our only reference to ourselves, we are already dead inside our own constructor. We can probably avoid this by having a local variable store the result of WeakWorkerRef::Create and move it to mWorkerRef only in case of success?

Flags: needinfo?(jstutte)

Actually looking more at this, I believe we must extract all the WorkerRef initialization out of the constructor, otherwise we will end up trying to addref an already freed pointer.
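The sequence described in the two comments above, reduced to a stand-alone C++ sketch. This is an added illustration, not Firefox code: RefCounted, RefPtr, MakeAndAddRef, WeakWorkerRef and the two EncodeCallback variants are simplified stand-ins for the types named in the discussion, the `workerAlive` flag replaces the real worker-shutdown check, and a quarantine set stands in for ASan's freed-region poisoning so the stale access is detectable without undefined behaviour. ConstructBuggy(false) follows the failure path: Create() fails, the lambda holding the only RefPtr to `this` is destroyed, and the constructor goes on to read a member of an object whose refcount has already hit zero. ConstructFixed moves the self-referencing registration into an Init() that runs only once the caller already holds a reference, which is the shape of the fix.

```cpp
// Added illustration, not Firefox code: every type here is a simplified
// stand-in for the one named in the bug discussion (RefPtr, WeakWorkerRef, ...).
#include <functional>
#include <set>
#include <utility>

struct RefCounted;
// Stand-in for ASan's freed-region poisoning: objects whose refcount hits zero
// are parked here instead of deleted, so a later touch is detectable, not UB.
static std::set<RefCounted*> g_quarantine;
static bool g_touched_freed_this = false;  // set when ctor/Init reads a member of a "freed" this
struct RefCounted {
    int refcnt = 0;
    virtual ~RefCounted() = default;
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) g_quarantine.insert(this); }  // real code: delete this
    bool IsFreed() const { return g_quarantine.count(const_cast<RefCounted*>(this)) != 0; }
};

template <typename T> struct RefPtr {  // minimal owning pointer: one strong ref per instance
    T* p = nullptr;
    RefPtr() = default;
    explicit RefPtr(T* raw) : p(raw) { if (p) p->AddRef(); }
    RefPtr(const RefPtr& o) : p(o.p) { if (p) p->AddRef(); }
    RefPtr(RefPtr&& o) noexcept : p(o.p) { o.p = nullptr; }
    ~RefPtr() { if (p) p->Release(); }
    RefPtr& operator=(RefPtr o) { std::swap(p, o.p); return *this; }
    T* operator->() const { return p; }
    bool operator!() const { return p == nullptr; }  // the operator! at the top of the ASan stack
};

template <typename T, typename... A> RefPtr<T> MakeAndAddRef(A&&... a) {
    return RefPtr<T>(new T(std::forward<A>(a)...));  // AddRef happens only after the ctor returns
}

// Keeps a callback alive only while the worker lives; if the worker is already
// shutting down, Create() fails and the callback it was handed dies on return.
struct WeakWorkerRef : RefCounted {
    std::function<void()> mCallback;
    static RefPtr<WeakWorkerRef> Create(bool workerAlive, std::function<void()> aCallback) {
        if (!workerAlive) return RefPtr<WeakWorkerRef>();
        RefPtr<WeakWorkerRef> ref(new WeakWorkerRef());
        ref->mCallback = std::move(aCallback);
        return ref;
    }
};

// Buggy shape: the ctor hands Create() a lambda owning a RefPtr to this. Until
// MakeAndAddRef returns, that lambda is the ONLY reference, so a failed Create()
// releases the object while its constructor is still running.
struct EncodeCallbackBuggy : RefCounted {
    RefPtr<WeakWorkerRef> mWorkerRef;
    explicit EncodeCallbackBuggy(bool workerAlive) {
        mWorkerRef = WeakWorkerRef::Create(workerAlive, [self = RefPtr<EncodeCallbackBuggy>(this)] { (void)self; });
        g_touched_freed_this = IsFreed();  // true when Create() failed: this is already gone
        if (!mWorkerRef) { /* error path reads a member of a freed object */ }
    }
};

// Fixed shape: the ctor stores plain members only; the self-referencing step
// moves to Init(), called once the caller holds a RefPtr, so a failed Create()
// merely drops the lambda's extra reference.
struct EncodeCallbackFixed : RefCounted {
    RefPtr<WeakWorkerRef> mWorkerRef;
    bool Init(bool workerAlive) {
        RefPtr<WeakWorkerRef> ref = WeakWorkerRef::Create(workerAlive, [self = RefPtr<EncodeCallbackFixed>(this)] { (void)self; });
        g_touched_freed_this = IsFreed();  // stays false: the caller's RefPtr keeps us alive
        if (!ref) return false;
        mWorkerRef = std::move(ref);
        return true;
    }
};

static void DrainQuarantine() {  // deleting one object may quarantine another, hence the loop
    while (!g_quarantine.empty()) {
        RefCounted* o = *g_quarantine.begin(); g_quarantine.erase(g_quarantine.begin()); delete o;
    }
}

// Both drivers return true iff construction touched a freed this (the UAF).
bool ConstructBuggy(bool workerAlive) {
    {   // inner scope: every RefPtr is gone before the quarantine is drained
        RefPtr<EncodeCallbackBuggy> cb = MakeAndAddRef<EncodeCallbackBuggy>(workerAlive);
        if (!cb->IsFreed()) cb->mWorkerRef = RefPtr<WeakWorkerRef>();  // break the cb/worker-ref cycle
    }
    DrainQuarantine();
    return g_touched_freed_this;
}

bool ConstructFixed(bool workerAlive) {
    {
        RefPtr<EncodeCallbackFixed> cb = MakeAndAddRef<EncodeCallbackFixed>();
        cb->Init(workerAlive); cb->mWorkerRef = RefPtr<WeakWorkerRef>();  // same cycle break as above
    }
    DrainQuarantine();
    return g_touched_freed_this;
}
```

The only runtime difference between the two shapes is when the first strong reference held outside the object comes into existence: before or after the code that can drop the self-reference runs. Under a real allocator the buggy path is exactly the `operator!` read ASan reports above, with the free stack being a sub-stack of the read stack because both happen inside the same constructor call.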

Set release status flags based on info from the regressing bug 1769878

Assignee: nobody → jstutte
Status: NEW → ASSIGNED

Moving :smaug's attention to the patch.

Flags: needinfo?(bugs)
Attachment #9283256 - Attachment description: Bug 1776878 - Extract WorkerRef initialization from EventCallback constructor to avoid sudden death. r?smaug → Bug 1776878 - Extract the WorkerRef initialization from the EventCallback constructor. r?smaug

Comment on attachment 9283256 [details]
Bug 1776878 - Extract the WorkerRef initialization from the EventCallback constructor. r?smaug

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: Unknown; fortunately the regression arrived only in early beta.
    It is a regression introduced by a fix we have a crash-test for, and the fuzzers found it, so other people's fuzzers could find it, too.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: none
  • If not all supported branches, which bug introduced the flaw?: Bug 1769878
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: not needed
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely. We just avoid giving away a RefPtr to ourselves while our constructor is still running.
  • Is Android affected?: Unknown
Attachment #9283256 - Flags: sec-approval?

Comment on attachment 9283256 [details]
Bug 1776878 - Extract the WorkerRef initialization from the EventCallback constructor. r?smaug

Approved to land and request uplift

Attachment #9283256 - Flags: sec-approval? → sec-approval+

Comment on attachment 9283256 [details]
Bug 1776878 - Extract the WorkerRef initialization from the EventCallback constructor. r?smaug

Beta/Release Uplift Approval Request

  • User impact if declined: sec-high (potential UAF), for now only in 103 (beta).
    Fix is landing now in nightly.
  • Is this code covered by automated tests?: Unknown
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): No logic change, we just keep a strong reference alive until needed during initialization.
  • String changes made/needed:
  • Is Android affected?: Unknown
Attachment #9283256 - Flags: approval-mozilla-beta?
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch

Comment on attachment 9283256 [details]
Bug 1776878 - Extract the WorkerRef initialization from the EventCallback constructor. r?smaug

Approved for 103.0b6, thanks.

Attachment #9283256 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Bugmon Analysis
Verified bug as fixed on rev mozilla-central 20220707153100-68ec3d16cb3f.

Status: RESOLVED → VERIFIED

Copying crash signatures from duplicate bugs.

Crash Signature: [@ mozilla::dom::EncodingCompleteEvent::Run()]
Group: core-security-release
Assignee: jstutte → nobody
Keywords: bugmon