AddressSanitizer: heap-use-after-free [@ operator bool] with READ of size 8 through [@ WorkerScriptLoader::CancelMainThread]
Categories: Core :: DOM: Workers, defect

Tracking | Tracking flag | Status
---|---|---
firefox-esr102 | --- | unaffected
firefox107 | --- | wontfix
firefox108 | --- | wontfix
firefox109 | + | fixed

People: Reporter: decoder, Assigned: yulia
Details: 4 keywords, Whiteboard: [post-critsmash-triage][adv-main109+r]
Attachments: 1 file (26.51 KB, text/plain)
The attached crash information was submitted via the ASan Nightly Reporter on mozilla-central-asan-nightly revision 108.0a1-20221112215806-https://hg.mozilla.org/mozilla-central/rev/6479051196c1165c23a1964a00422e3be55f7ff1.
For detailed crash information, see attachment.
Reporter, Comment 1 (2 years ago)

Reporter, Updated (2 years ago)

Comment 3 (2 years ago)
After bug 1797327 landed it seems there are still raw WorkerLoadContext* passed as a (copied) list into a runnable, and one of these has been freed before the runnable was executed.
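An added C++ illustration of the lifetime hazard described in this comment and of the shape of the later fix (comment 6: stop copying the array). This is not Firefox code; LoadContext, Loader and the two runnable types are hypothetical stand-ins for WorkerLoadContext, WorkerScriptLoader and the cancel runnable.

```cpp
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

// Hypothetical stand-in for WorkerLoadContext.
struct LoadContext {
    std::string url;
    bool cancelled = false;
};

// Hypothetical owner of the contexts (stand-in for the script loader).
struct Loader {
    std::vector<std::unique_ptr<LoadContext>> contexts;
    void Add(std::string url) {
        contexts.push_back(std::make_unique<LoadContext>());
        contexts.back()->url = std::move(url);
    }
    void Free(std::size_t i) { contexts.erase(contexts.begin() + i); }
};

// Hazardous shape: the runnable is built with a *copy* of the raw pointers.
// If the loader frees a context before Run() executes, the copied pointer
// dangles and the write below is exactly the heap-use-after-free ASan reports.
// (Deliberately never called here.)
struct CancelRunnableCopied {
    std::vector<LoadContext*> copied;
    void Run() { for (auto* c : copied) c->cancelled = true; }
};

// Fixed shape: no copy. The runnable keeps the owner alive and walks the
// owner's *current* list when it runs, so a context freed in the meantime
// is simply no longer in the list.
struct CancelRunnableLive {
    std::shared_ptr<Loader> loader;
    int Run() {                      // returns number of contexts cancelled
        int n = 0;
        for (auto& c : loader->contexts) { c->cancelled = true; ++n; }
        return n;
    }
};

// Scenario: two contexts, one freed between posting and running the runnable.
int SimulateFreeBeforeRun() {
    auto loader = std::make_shared<Loader>();
    loader->Add("a.js");
    loader->Add("b.js");
    CancelRunnableLive r{loader};    // runnable "posted" to the main thread
    loader->Free(1);                 // "b.js" freed before the runnable executes
    return r.Run();                  // 1: only "a.js" is still owned
}
```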
Assignee, Comment 4 (2 years ago)
Ok. I am already reverting the behavior, so this should be fixed by the revert.
Assignee, Updated (2 years ago)

Updated (2 years ago)

Comment 5 (1 year ago)
Now that bug 1800496 landed - are we confident enough to close this?
Assignee, Comment 6 (1 year ago)
This can be closed as we are no longer copying the array.
Comment 7 (1 year ago)
Fixed by the changes in bug 1800496. Does that patch need uplift to beta 108 then?
Updated (1 year ago)

Assignee, Comment 8 (1 year ago)
The changes may need an uplift as we keep getting reports related to this.
Comment 9 (1 year ago)
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1793407#c4, where Yulia started talking about reverting the earlier changes back in October.
Updated (1 year ago)

Updated (1 year ago)

Comment 10 (1 year ago)
Just following up on this since we are nearing the end of our beta cycle this week.
Can I get some clarification on what we are trying to uplift to fx108? Are we suggesting to uplift bug 1800496 (which seems very risky so late in the cycle), or are we trying to revert some behavior introduced in 108?
Thank you in advance!
Assignee, Comment 11 (1 year ago)
I believe it is too risky to uplift bug 1800496, as there are two follow up patches fixing behavior, so the sequence would be quite large. I think it should bake longer on nightly.
Updated (1 year ago)

Comment 12 (1 year ago)
Looks like this bug was fixed regardless of this report. We knew the implementation had issues and worked on it independently (see other bug).
Thanks for reporting this, but at this time we're not awarding a bounty.
Updated (1 year ago)

Updated (1 year ago)

Updated (9 months ago)