Closed Bug 1793127 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8

Categories

(Core :: Graphics: Text, defect)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
108 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox106 --- wontfix
firefox107 + fixed
firefox108 + fixed

People

(Reporter: jkratzer, Assigned: aosmond)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [post-critsmash-triage][adv-main107+r])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev a2601693650d (built with: --enable-address-sanitizer --enable-fuzzing).

Unfortunately I don't have a working testcase at the moment.

AddressSanitizer: heap-use-after-free [@ Length] with READ of size 8

    =================================================================
    ==31109==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000cb988 at pc 0x7f088e59261a bp 0x7ffe64c37bf0 sp 0x7ffe64c37be8
    READ of size 8 at 0x6160000cb988 thread T0 (Isolated Web Co)
        #0 0x7f088e592619 in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37
        #1 0x7f088e592619 in mozilla::dom::FontFaceImpl::Entry::SetLoadState(gfxUserFontEntry::UserFontLoadState) /gecko/layout/style/FontFaceImpl.cpp:714:37
        #2 0x7f088807165a in gfxUserFontEntry::LoadNextSrc() /gecko/gfx/thebes/gfxUserFontSet.cpp:370:5
        #3 0x7f088e58eade in mozilla::dom::FontFaceImpl::DoLoad() /gecko/layout/style/FontFaceImpl.cpp:345:19
        #4 0x7f088e5afaff in operator() /gecko/layout/style/FontFaceImpl.cpp:338:65
        #5 0x7f088e5afaff in mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #6 0x7f088561da22 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
        #7 0x7f08855de26d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
        #8 0x7f08855db3d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
        #9 0x7f08855dbb00 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
        #10 0x7f0885626951 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
        #11 0x7f0885626951 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #12 0x7f08855ff5a7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1205:16
        #13 0x7f0885609a24 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #14 0x7f0886da72bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #15 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #16 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #17 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #18 0x7f088e0d0687 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
        #19 0x7f089327ad97 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
        #20 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #21 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #22 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #23 0x7f0893279c7c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
        #24 0x55dd293eb575 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #25 0x55dd293eb9c7 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
        #26 0x7f08ad9ea082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
        #27 0x55dd2932b9b9 in _start (/home/worker/builds/m-c-20220929093914-fuzzing-asan-opt/firefox+0x7a9b9) (BuildId: 605bf08917026ffb8f880b90fd07e59c9f095cd8)
    
    0x6160000cb988 is located 520 bytes inside of 544-byte region [0x6160000cb780,0x6160000cb9a0)
    freed by thread T28 (DOM Worker) here:
        #0 0x55dd293adc32 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7f088e58e0bb in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:190:5
        #2 0x7f088e58e0bb in mozilla::dom::FontFaceImpl::SetUserFontEntry(gfxUserFontEntry*) /gecko/layout/style/FontFaceImpl.cpp:504:18
        #3 0x7f088e59eb6e in mozilla::dom::FontFaceSetImpl::InsertNonRuleFontFace(mozilla::dom::FontFaceImpl*, bool&) /gecko/layout/style/FontFaceSetImpl.cpp:327:16
        #4 0x7f088e5a8c6e in mozilla::dom::FontFaceSetWorkerImpl::FlushUserFontSet() /gecko/layout/style/FontFaceSetWorkerImpl.cpp:233:5
        #5 0x7f088e5a35c7 in mozilla::dom::FontFaceSetImpl::Delete(mozilla::dom::FontFaceImpl*) /gecko/layout/style/FontFaceSetImpl.cpp:272:3
        #6 0x7f088e5961fe in mozilla::dom::FontFaceSet::Delete(mozilla::dom::FontFace&) /gecko/layout/style/FontFaceSet.cpp:265:15
        #7 0x7f088a63f0fe in mozilla::dom::FontFaceSet_Binding::_delete_(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/FontFaceSetBinding.cpp:369:36
        #8 0x7f088a8f4b9f in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /gecko/dom/bindings/BindingUtils.cpp:3287:13
        #9 0x7f089516cd23 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #10 0x7f089516cd23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
        #11 0x7f089515b6a9 in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #12 0x7f089515b6a9 in CallFromStack /gecko/js/src/vm/Interpreter.cpp:619:10
        #13 0x7f089515b6a9 in Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3375:16
        #14 0x7f0895140cae in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:431:13
        #15 0x7f089516ce45 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
        #16 0x7f089516e8ee in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #17 0x7f089516e8ee in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #18 0x7f0893ac8ab4 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1488:10
        #19 0x7f08937148a1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:154:8
        #20 0x7f08939f13b5 in AsyncFunctionPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>) /gecko/js/src/builtin/Promise.cpp:2116:10
        #21 0x7f08939ef1a4 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2174:12
        #22 0x7f089516cd23 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #23 0x7f089516cd23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
        #24 0x7f089516e8ee in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #25 0x7f089516e8ee in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #26 0x7f0893750c25 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
        #27 0x7f0889659bec in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #28 0x7f08853e73f7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #29 0x7f08853e73f7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #30 0x7f08853e73f7 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
        #31 0x7f08853c7ae7 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
        #32 0x7f088b389c00 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
        #33 0x7f088b389c00 in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:397:13
        #34 0x7f088b389c00 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1318:3
        #35 0x7f088b38b132 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1506:17
        #36 0x7f088b37926e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:348:17
        #37 0x7f088b377ad1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:550:16
        #38 0x7f088b37bcb5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1119:11
        #39 0x7f088b381631 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /gecko/dom/events/EventDispatcher.cpp
        #40 0x7f088b32a8ad in mozilla::DOMEventTargetHelper::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /gecko/dom/events/DOMEventTargetHelper.cpp:176:17
    
    previously allocated by thread T0 (Isolated Web Co) here:
        #0 0x55dd293adede in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x55dd293f2795 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f088e5a67ff in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f088e5a67ff in mozilla::dom::FontFaceSetImpl::CreateUserFontEntry(nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /gecko/layout/style/FontFaceSetImpl.cpp:982:36
        #4 0x7f0888078cdf in gfxUserFontSet::FindOrCreateUserFontEntry(nsTSubstring<char> const&, nsTArray<gfxFontFaceSrc> const&, mozilla::WeightRange, mozilla::StretchRange, mozilla::SlantStyleRange, nsTArray<gfxFontFeature> const&, nsTArray<mozilla::gfx::FontVariation> const&, unsigned int, gfxCharacterMap*, mozilla::StyleFontDisplay, gfxFontEntry::RangeFlags, float, float, float, float) /gecko/gfx/thebes/gfxUserFontSet.cpp:977:13
        #5 0x7f088e5a0604 in mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(nsTSubstring<char> const&, mozilla::dom::FontFaceImpl*, mozilla::StyleOrigin) /gecko/layout/style/FontFaceSetImpl.cpp:633:41
        #6 0x7f088e58f181 in mozilla::dom::FontFaceSetImpl::FindOrCreateUserFontEntryFromFontFace(mozilla::dom::FontFaceImpl*) /gecko/layout/style/FontFaceSetImpl.cpp:345:10
        #7 0x7f088e58f291 in mozilla::dom::FontFaceImpl::CreateUserFontEntry() /gecko/layout/style/FontFaceImpl.cpp:326:9
        #8 0x7f088e58eab5 in mozilla::dom::FontFaceImpl::DoLoad() /gecko/layout/style/FontFaceImpl.cpp:342:8
        #9 0x7f088e5afaff in operator() /gecko/layout/style/FontFaceImpl.cpp:338:65
        #10 0x7f088e5afaff in mozilla::detail::RunnableFunction<mozilla::dom::FontFaceImpl::DoLoad()::$_9>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #11 0x7f088561da22 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:538:16
        #12 0x7f08855de26d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:851:26
        #13 0x7f08855db3d8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:683:15
        #14 0x7f08855dbb00 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:461:36
        #15 0x7f0885626951 in operator() /gecko/xpcom/threads/TaskController.cpp:187:37
        #16 0x7f0885626951 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #17 0x7f08855ff5a7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1205:16
        #18 0x7f0885609a24 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #19 0x7f0886da72bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #20 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #21 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #22 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #23 0x7f088e0d0687 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
        #24 0x7f089327ad97 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
        #25 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #26 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #27 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #28 0x7f0893279c7c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
        #29 0x55dd293eb575 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #30 0x55dd293eb9c7 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
        #31 0x7f08ad9ea082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    Thread T28 (DOM Worker) created by T0 (Isolated Web Co) here:
        #0 0x55dd2939743c in __interceptor_pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f08ad2c8c2c in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f08ad2b9fce in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f08855f9e95 in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:618:18
        #4 0x7f088d7d44da in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:102:7
        #5 0x7f088d75fa85 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1323:37
        #6 0x7f088d75eb0b in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1205:19
        #7 0x7f088d7a8137 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /gecko/dom/workers/WorkerPrivate.cpp:2588:24
        #8 0x7f088d76f155 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:43:41
        #9 0x7f088a15c724 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1107:52
        #10 0x13cff559aac1  (<unknown module>)
        #11 0x13cff557f6a8  (<unknown module>)
        #12 0x13cff557fc8e  (<unknown module>)
        #13 0x13cff55754ed  (<unknown module>)
        #14 0x7f0894af9471 in EnterJit(JSContext*, js::RunState&, unsigned char*) /gecko/js/src/jit/Jit.cpp:107:5
        #15 0x7f0895140c7e in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:421:32
        #16 0x7f089516ce45 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:579:13
        #17 0x7f089516e8ee in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #18 0x7f089516e8ee in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #19 0x7f0893ac8ab4 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1488:10
        #20 0x7f08937148a1 in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:154:8
        #21 0x7f08939f13ae in AsyncFunctionPromiseReactionJob(JSContext*, JS::Handle<PromiseReactionRecord*>) /gecko/js/src/builtin/Promise.cpp:2111:12
        #22 0x7f08939ef1a4 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2174:12
        #23 0x7f089516cd23 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:459:13
        #24 0x7f089516cd23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:547:12
        #25 0x7f089516e8ee in InternalCall /gecko/js/src/vm/Interpreter.cpp:614:10
        #26 0x7f089516e8ee in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:646:8
        #27 0x7f0893750c25 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
        #28 0x7f0889659bec in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
        #29 0x7f08853e73f7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
        #30 0x7f08853e73f7 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
        #31 0x7f08853e73f7 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
        #32 0x7f08853c7ae7 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
        #33 0x7f08853c8b3f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
        #34 0x7f088708cce0 in XPCJSContext::AfterProcessTask(unsigned int) /gecko/js/xpconnect/src/XPCJSContext.cpp:1480:28
        #35 0x7f08855ffaf8 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1242:24
        #36 0x7f0885609a24 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:465:10
        #37 0x7f0886da72bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
        #38 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #39 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #40 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #41 0x7f088e0d0687 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:150:27
        #42 0x7f089327ad97 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
        #43 0x7f0886c27011 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:381:10
        #44 0x7f0886c27011 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:374:3
        #45 0x7f0886c27011 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:356:3
        #46 0x7f0893279c7c in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
        #47 0x55dd293eb575 in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #48 0x55dd293eb9c7 in main /gecko/browser/app/nsBrowserApp.cpp:359:18
        #49 0x7f08ad9ea082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37 in Length
    Shadow bytes around the buggy address:
      0x0c2c800116e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c800116f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c80011700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c80011710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c2c80011720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
    =>0x0c2c80011730: fd[fd]fd fd fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c80011740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c80011750: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c80011760: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c80011770: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c2c80011780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==31109==ABORTING
Group: core-security
Group: core-security → gfx-core-security
Keywords: csectype-uaf

From the stacks, it might be a regression from bug 1072107. Doesn't seem very actionable right now, but maybe it is possible to figure something out from the stacks.

Keywords: sec-high
See Also: → CVE-2022-45407
See Also: → 1792241
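
As an added example (not part of this bug, and not Gecko code): a small C++ triage helper that parses the kind of ASan report shown above. It pulls out the accessing thread, the freeing thread, the allocating thread, the access size and the offset of the read inside the freed region, and flags the report as a cross-thread lifetime bug when the freeing thread differs from the accessing thread, which is the case here (T0 reads, T28 frees). The embedded sample is an excerpt of the report above; the regular expressions assume the current LLVM ASan output format.

```cpp
// Added example, not from the bug or from Gecko: minimal triage of an
// AddressSanitizer heap-use-after-free report.
#include <iostream>
#include <regex>
#include <sstream>
#include <string>
#include <vector>

struct UafTriage {
    std::string accessKind;                 // "READ" or "WRITE"
    size_t accessSize = 0;                  // bytes touched by the faulting access
    size_t offset = 0;                      // offset of the access inside the freed region
    size_t regionSize = 0;                  // size of the freed allocation
    std::string accessThread;               // thread of the faulting access, e.g. "T0"
    std::string freeThread;                 // thread that freed the object, e.g. "T28"
    std::string allocThread;                // thread that allocated the object
    std::vector<std::string> accessFrames;  // function names of the access stack, top first
};

// Scans the report line by line. Only the lines matched below matter; the rest
// (shadow bytes, legend, thread creation stacks) is ignored.
UafTriage triageAsanUaf(const std::string& report) {
    static const std::regex accessRe(R"re((READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+))re");
    static const std::regex regionRe(R"re(is located (\d+) bytes inside of (\d+)-byte region)re");
    static const std::regex freedRe(R"re(freed by thread (T\d+))re");
    static const std::regex allocRe(R"re(previously allocated by thread (T\d+))re");
    static const std::regex frameRe(R"re(#\d+ 0x[0-9a-fA-F]+ in (\S+))re");

    UafTriage t;
    enum Section { kNone, kAccessStack, kOther } section = kNone;
    std::istringstream in(report);
    std::string line;
    std::smatch m;
    while (std::getline(in, line)) {
        if (std::regex_search(line, m, accessRe)) {
            t.accessKind = m[1].str();
            t.accessSize = std::stoul(m[2].str());
            t.accessThread = m[3].str();
            section = kAccessStack;             // frames that follow belong to the access
        } else if (std::regex_search(line, m, regionRe)) {
            t.offset = std::stoul(m[1].str());
            t.regionSize = std::stoul(m[2].str());
            section = kOther;                   // free/alloc stacks follow; stop collecting
        } else if (std::regex_search(line, m, freedRe)) {
            t.freeThread = m[1].str();
        } else if (std::regex_search(line, m, allocRe)) {
            t.allocThread = m[1].str();
        } else if (section == kAccessStack && std::regex_search(line, m, frameRe)) {
            t.accessFrames.push_back(m[1].str());
        }
    }
    return t;
}

// The object was freed on a different thread than the one that touched it afterwards:
// the bug is an ownership hand-off between threads, not a single-thread misuse.
bool isCrossThreadUaf(const UafTriage& t) {
    return !t.accessThread.empty() && !t.freeThread.empty() && t.accessThread != t.freeThread;
}

// Excerpt of the report in this bug (frames shortened to the first few).
const char* const kSampleReport = R"asan(
==31109==ERROR: AddressSanitizer: heap-use-after-free on address 0x6160000cb988 at pc 0x7f088e59261a bp 0x7ffe64c37bf0 sp 0x7ffe64c37be8
READ of size 8 at 0x6160000cb988 thread T0 (Isolated Web Co)
    #0 0x7f088e592619 in Length /builds/worker/workspace/obj-build/dist/include/nsTArray.h:410:37
    #1 0x7f088e592619 in mozilla::dom::FontFaceImpl::Entry::SetLoadState(gfxUserFontEntry::UserFontLoadState) /gecko/layout/style/FontFaceImpl.cpp:714:37
    #2 0x7f088807165a in gfxUserFontEntry::LoadNextSrc() /gecko/gfx/thebes/gfxUserFontSet.cpp:370:5

0x6160000cb988 is located 520 bytes inside of 544-byte region [0x6160000cb780,0x6160000cb9a0)
freed by thread T28 (DOM Worker) here:
    #0 0x55dd293adc32 in __interceptor_free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7f088e58e0bb in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:190:5
    #2 0x7f088e58e0bb in mozilla::dom::FontFaceImpl::SetUserFontEntry(gfxUserFontEntry*) /gecko/layout/style/FontFaceImpl.cpp:504:18

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55dd293adede in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
)asan";

int main() {
    UafTriage t = triageAsanUaf(kSampleReport);
    std::cout << t.accessKind << " of " << t.accessSize << " bytes on " << t.accessThread
              << ", freed on " << t.freeThread << ", allocated on " << t.allocThread << "\n"
              << "offset " << t.offset << " of " << t.regionSize << " bytes\n"
              << "top frame: " << (t.accessFrames.empty() ? "?" : t.accessFrames[0]) << "\n"
              << "cross-thread UAF: " << (isCrossThreadUaf(t) ? "yes" : "no") << "\n";
    return 0;
}
```

Two facts fall out of this report that the rest of the thread builds on. The freeing thread (T28, a DOM Worker, inside RefPtr operator= in SetUserFontEntry) is not the accessing thread (T0, the main thread, inside Entry::SetLoadState), so the object's last strong reference was dropped on one thread while another still held a pointer to it. And the read is 8 bytes at offset 520 of a 544-byte region, consistent with loading the header pointer of an nsTArray member near the end of the freed object, which is what Length() does in frame #0.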

This would have to be a UAF of the FontFaceImpl::Entry type, if the UAF is hit in Length():
https://searchfox.org/mozilla-central/rev/ffa4d00965c5281def6d3ddcbcdf6259d38c9b9a/layout/style/FontFaceImpl.cpp#714

I couldn't see anything immediately obvious, but it's hard to trace the ownership graph here for me. There are a bunch of raw pointers floating around, however.

@aosmond:
Thoughts?

@jkratzer:
Are we likely to get a testcase for this?

Severity: -- → S3
Flags: needinfo?(jkratzer)
Flags: needinfo?(aosmond)

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:lsalzman, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Flags: needinfo?(lsalzman)

Kelsey, I think it's possible but we don't have anything at the moment. We've seen this crash 5 times starting with build m-c 20220927-d1ae84015c22 but unfortunately, none of the testcases have been reproducible. The last instance was yesterday on build m-c 20221010-d420f9190e2f.

Flags: needinfo?(jkratzer)
Flags: needinfo?(lsalzman)

It took a bit, but I think I understand what has gone wrong here. I'll see about putting together a patch. Testing may be tricky.

Assignee: nobody → aosmond
Status: NEW → ASSIGNED
Flags: needinfo?(aosmond)

Is it possible/likely this will also resolve other somewhat similar-looking issues such as bug 1793314?

Attached file Bug 1793127.

Fuzzblocker bug 1792043 is probably blocking better repro cases for this bug.

See Also: → 1792043

Comment on attachment 9299134 [details]
Bug 1793127.

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is clear from the patch that there are lifetime issues across threads, and it is clear that we dispatch between the DOM worker thread and the main thread for loading. The exploit requires getting the timing just right.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?:
  • If not all supported branches, which bug introduced the flaw?: Bug 1779009
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: It should apply cleanly.
  • How likely is this patch to cause regressions; how much testing does it need?: It is unlikely to cause a serious regression. It tracks lifetimes better using RefPtr instead of raw pointers, it protects an array with a briefly held mutex (and never calls back into other font code while holding it) and we ensure we create something earlier on the correct thread. There is some testing coverage for this code via WPT.

This should be landed with bug 1793379.

  • Is Android affected?: Yes
Attachment #9299134 - Flags: sec-approval?
Duplicate of this bug: 1792241
Duplicate of this bug: CVE-2022-45407
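
As an added example (a reduced model written for this page, not Gecko code and not the patch itself): the shape of the lifetime bug the report shows, beside the shape of the fix the approval request describes. An Owner standing in for FontFaceImpl holds a refcounted Entry standing in for FontFaceImpl::Entry and can swap it out, as SetUserFontEntry() does in the "freed by thread T28" stack; a pending load task wants to read the Entry's array afterwards, as SetLoadState() does in the access stack. The swap is performed by a plain call here where the real bug has it on the DOM Worker thread; the names Owner, Entry, ForEachFontFace and the shared_ptr/weak_ptr stand-ins for RefPtr are this example's own. The weak_ptr probe only detects that the object is gone, so the example never dereferences freed memory.

```cpp
// Added example, not Gecko code: raw-pointer capture across a cross-thread
// ownership hand-off, beside the strong-reference plus briefly-held-lock
// shape the fix describes. shared_ptr stands in for RefPtr.
#include <functional>
#include <iostream>
#include <memory>
#include <mutex>
#include <vector>

struct Entry {
    // Array that the load-state update iterates (the nsTArray read via Length()).
    std::vector<int> fontFaces{1, 2, 3};
    std::mutex arrayMutex;

    // Fixed shape: copy the array under a briefly held lock, release the lock,
    // then run the callback on the snapshot so it may call back into other code
    // without holding the mutex (avoids lock-order problems and re-entrancy).
    void ForEachFontFace(const std::function<void(int)>& fn) {
        std::vector<int> snapshot;
        {
            std::lock_guard<std::mutex> lock(arrayMutex);
            snapshot = fontFaces;
        }
        for (int f : snapshot) fn(f);
    }
};

struct Owner {
    std::shared_ptr<Entry> entry = std::make_shared<Entry>();  // RefPtr<Entry> in Gecko terms
    // Models SetUserFontEntry(): assigning a new entry drops the old one's last reference.
    void SetUserFontEntry(std::shared_ptr<Entry> next) { entry = std::move(next); }
};

// Vulnerable shape: the pending task captured only a raw pointer. Returns false when the
// task would have touched freed memory (detected through the weak_ptr probe, never by
// dereferencing the dangling pointer).
bool RawPointerTask() {
    Owner owner;
    Entry* raw = owner.entry.get();              // what the main-thread task captured
    std::weak_ptr<Entry> probe = owner.entry;    // detector only: does 'raw' still point at a live object?

    // The worker swaps the entry while the main-thread task is still queued.
    auto workerSwap = [&owner] { owner.SetUserFontEntry(std::make_shared<Entry>()); };
    workerSwap();

    if (probe.expired()) return false;           // 'raw' now dangles: this is the reported UAF
    return raw->fontFaces.size() == 3;           // not reached in this ordering
}

// Fixed shape: the task holds a strong reference for as long as it runs, so the worker's
// swap cannot free the object underneath it, and array reads go through the lock.
bool StrongReferenceTask() {
    Owner owner;
    std::shared_ptr<Entry> held = owner.entry;   // strong ref captured by the task
    std::weak_ptr<Entry> probe = owner.entry;

    auto workerSwap = [&owner] { owner.SetUserFontEntry(std::make_shared<Entry>()); };
    workerSwap();

    if (probe.expired()) return false;           // cannot happen: 'held' keeps the entry alive
    size_t seen = 0;
    held->ForEachFontFace([&seen](int) { ++seen; });
    return seen == 3;
}

int main() {
    std::cout << "raw pointer task safe:      " << (RawPointerTask() ? "yes" : "no") << "\n"
              << "strong reference task safe: " << (StrongReferenceTask() ? "yes" : "no") << "\n";
    return 0;
}
```

The point of the model is the ordering, not the threads: once an object can lose its last reference on one thread while another thread still has a raw pointer queued in a task, no amount of care on the reading side helps; the reader has to own a reference for the duration of its work. The snapshot-under-lock pattern in ForEachFontFace is the second half of what the approval request describes (a briefly held mutex around the array, never calling back into other code while it is held).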

The bug is marked as tracked for firefox107 (beta) and tracked for firefox108 (nightly). However, the bug still has low severity.

:bhood, could you please increase the severity for this tracked bug? If you disagree with the tracking decision, please talk with the release managers.

For more information, please visit auto_nag documentation.

Flags: needinfo?(bhood)

I think this should be an S2 and considered for uplift.

Severity: S3 → S2
Flags: needinfo?(bhood)

Comment on attachment 9299134 [details]
Bug 1793127.

Approved to land and request uplift

Attachment #9299134 - Flags: sec-approval? → sec-approval+
Group: gfx-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 108 Branch

The patch landed in nightly and beta is affected.
:aosmond, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox107 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(aosmond)
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

Comment on attachment 9299134 [details]
Bug 1793127.

Beta/Release Uplift Approval Request

  • User impact if declined: Sec issue
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: Bug 1793379
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): It is unlikely to cause a serious regression. It tracks lifetimes better using RefPtr instead of raw pointers, it protects an array with a briefly held mutex (and never calls back into other font code while holding it) and we ensure we create something earlier on the correct thread. There is some testing coverage for this code via WPT.
  • String changes made/needed:
  • Is Android affected?: Yes
Flags: needinfo?(aosmond)
Attachment #9299134 - Flags: approval-mozilla-beta?

Comment on attachment 9299134 [details]
Bug 1793127.

Approved for 107.0b8.

Attachment #9299134 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main107+r]
Group: core-security-release
Keywords: regression