1816973 - AddressSanitizer: heap-use-after-free [@ fetch_add] with WRITE of size 4

Status: VERIFIED FIXED

(Core :: DOM: File, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 36b67e826e2d (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 36b67e826e2d --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

AddressSanitizer: heap-use-after-free [@ fetch_add] with WRITE of size 4

    =================================================================
    ==25162==ERROR: AddressSanitizer: heap-use-after-free on address 0x614000584a94 at pc 0x7f663e7f1e6c bp 0x7f661d3d66c0 sp 0x7f661d3d66b8
    WRITE of size 4 at 0x614000584a94 thread T30
        #0 0x7f663e7f1e6b in fetch_add /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:514:16
        #1 0x7f663e7f1e6b in add /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:219:17
        #2 0x7f663e7f1e6b in inc /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:245:12
        #3 0x7f663e7f1e6b in operator++ /builds/worker/workspace/obj-build/dist/include/mozilla/Atomics.h:341:30
        #4 0x7f663e7f1e6b in Checker::StartReadOp() /xpcom/ds/PLDHashTable.h:129:25
        #5 0x7f663e7eea23 in AutoReadOp /xpcom/ds/PLDHashTable.cpp:32:58
        #6 0x7f663e7eea23 in PLDHashTable::Search(void const*) const /xpcom/ds/PLDHashTable.cpp:493:14
        #7 0x7f6640191b5d in GetEntry /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:289:16
        #8 0x7f6640191b5d in Remove /builds/worker/workspace/obj-build/dist/include/nsBaseHashtable.h:520:27
        #9 0x7f6640191b5d in Unregister /ipc/glue/ProtocolUtils.cpp:678:13
        #10 0x7f6640191b5d in mozilla::ipc::IProtocol::Unregister(int) /ipc/glue/ProtocolUtils.cpp:326:21
        #11 0x7f66401945f9 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /ipc/glue/ProtocolUtils.cpp:557:5
        #12 0x7f6644b44587 in mozilla::dom::PFileSystemAccessHandleParent::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PFileSystemAccessHandleParent.cpp:90:19
        #13 0x7f664013cc2b in operator() /ipc/glue/Endpoint.cpp:40:33
        #14 0x7f664013cc2b in mozilla::detail::RunnableFunction<mozilla::ipc::UntypedManagedEndpoint::~UntypedManagedEndpoint()::$_8>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #15 0x7f663e950cfc in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:259:20
        #16 0x7f663e97d51d in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:340:14
        #17 0x7f663e96fcf4 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1219:16
        #18 0x7f663e979964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #19 0x7f6640179ce4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #20 0x7f663fff7627 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #21 0x7f663fff7627 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #22 0x7f663fff7627 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #23 0x7f663e967645 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #24 0x7f6660feb628 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #25 0x7f666174cb42 in start_thread nptl/pthread_create.c:442:8
        #26 0x7f66617de9ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    0x614000584a94 is located 84 bytes inside of 432-byte region [0x614000584a40,0x614000584bf0)
    freed by thread T30 here:
        #0 0x561e26ad7542 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7f6644ad6416 in mozilla::dom::FileSystemManagerParent::Release() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/FileSystemManagerParent.h:27:3
        #2 0x7f6644aeaee9 in mozilla::Maybe<mozilla::dom::FileSystemManagerParent::RecvGetAccessHandle(mozilla::dom::fs::FileSystemGetAccessHandleRequest&&, std::function<void (mozilla::dom::fs::FileSystemGetAccessHandleResponse&&)>&&)::$_11>::reset() /builds/worker/workspace/obj-build/dist/include/mozilla/Maybe.h:645:19
        #3 0x7f6644aea61b in mozilla::MozPromise<std::pair<mozilla::dom::fs::Registered<mozilla::dom::FileSystemAccessHandle>, mozilla::ipc::RandomAccessStreamParams>, nsresult, true>::ThenValue<mozilla::dom::FileSystemManagerParent::RecvGetAccessHandle(mozilla::dom::fs::FileSystemGetAccessHandleRequest&&, std::function<void (mozilla::dom::fs::FileSystemGetAccessHandleResponse&&)>&&)::$_11>::DoResolveOrRejectInternal(mozilla::MozPromise<std::pair<mozilla::dom::fs::Registered<mozilla::dom::FileSystemAccessHandle>, mozilla::ipc::RandomAccessStreamParams>, nsresult, true>::ResolveOrRejectValue&) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:924:30
        #4 0x7f6644ae23f7 in mozilla::MozPromise<std::pair<mozilla::dom::fs::Registered<mozilla::dom::FileSystemAccessHandle>, mozilla::ipc::RandomAccessStreamParams>, nsresult, true>::ThenValueBase::ResolveOrRejectRunnable::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:489:21
        #5 0x7f663e950cfc in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:259:20
        #6 0x7f663e97d51d in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:340:14
        #7 0x7f663e96fcf4 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1219:16
        #8 0x7f663e979964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #9 0x7f6640179ce4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #10 0x7f663fff7627 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #11 0x7f663fff7627 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #12 0x7f663fff7627 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #13 0x7f663e967645 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #14 0x7f6660feb628 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #15 0x7f666174cb42 in start_thread nptl/pthread_create.c:442:8
    
    previously allocated by thread T29 here:
        #0 0x561e26ad77ee in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x561e26b1af55 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f6644af043a in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f6644af043a in operator() /dom/fs/parent/FileSystemManagerParentFactory.cpp:73:23
        #4 0x7f6644af043a in mozilla::detail::ProxyFunctionRunnable<mozilla::dom::CreateFileSystemManagerParent(mozilla::ipc::PrincipalInfo const&, mozilla::ipc::Endpoint<mozilla::dom::PFileSystemManagerParent>&&, std::function<void (nsresult const&)>&&)::$_30::operator()(mozilla::dom::fs::Registered<mozilla::dom::fs::data::FileSystemDataManager> const&)::'lambda'(), mozilla::MozPromise<RefPtr<mozilla::dom::FileSystemManagerParent>, nsresult, true>>::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1674:29
        #5 0x7f663e950cfc in mozilla::TaskQueue::Runner::Run() /xpcom/threads/TaskQueue.cpp:259:20
        #6 0x7f663e97d51d in nsThreadPool::Run() /xpcom/threads/nsThreadPool.cpp:340:14
        #7 0x7f663e96fcf4 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1219:16
        #8 0x7f663e979964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:477:10
        #9 0x7f6640179ce4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #10 0x7f663fff7627 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #11 0x7f663fff7627 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #12 0x7f663fff7627 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #13 0x7f663e967645 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:384:10
        #14 0x7f6660feb628 in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #15 0x7f666174cb42 in start_thread nptl/pthread_create.c:442:8
    
    Thread T30 created by T0 here:
        #0 0x561e26ac06dc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f6660fdb6f9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f6660fccb6e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f663e96aaeb in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:619:18
        #4 0x7f663e9776b0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
        #5 0x7f663e983f1c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:173:57
        #6 0x7f663e97bda3 in NS_NewNamedThread /xpcom/threads/nsThreadUtils.cpp:165:10
        #7 0x7f663e97bda3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadPool.cpp:126:17
        #8 0x7f663e97e5cd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadPool.cpp:392:5
        #9 0x7f663edc978d in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /netwerk/base/nsStreamTransportService.cpp:293:16
        #10 0x7f663e8c00ef in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
        #11 0x7f663e8c00ef in nsAStreamCopier::PostContinuationEvent_Locked() /xpcom/io/nsStreamUtils.cpp:463:21
        #12 0x7f663e8b1781 in PostContinuationEvent /xpcom/io/nsStreamUtils.cpp:455:12
        #13 0x7f663e8b1781 in nsAStreamCopier::Start(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, void (*)(void*, nsresult), void*, unsigned int, bool, bool, void (*)(void*, unsigned int)) /xpcom/io/nsStreamUtils.cpp:268:12
        #14 0x7f663e8b13eb in NS_AsyncCopy(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, nsAsyncCopyMode, unsigned int, void (*)(void*, nsresult), void*, bool, bool, nsISupports**, void (*)(void*, unsigned int)) /xpcom/io/nsStreamUtils.cpp:603:16
        #15 0x7f663edc812e in mozilla::net::nsInputStreamTransport::OpenInputStream(unsigned int, unsigned int, unsigned int, nsIInputStream**) /netwerk/base/nsStreamTransportService.cpp:113:8
        #16 0x7f663e8b3fac in NS_MakeAsyncNonBlockingInputStream(already_AddRefed<nsIInputStream>, nsIAsyncInputStream**, bool, unsigned int, unsigned int, unsigned int) /xpcom/io/nsStreamUtils.cpp:961:19
        #17 0x7f663ecf3b72 in nsInputStreamPump::AsyncRead(nsIStreamListener*) /netwerk/base/nsInputStreamPump.cpp:340:17
        #18 0x7f66405644cf in nsJARChannel::ContinueOpenLocalFile(nsJARInputThunk*, bool) /modules/libjar/nsJARChannel.cpp:469:17
        #19 0x7f66405802f7 in applyImpl<nsJARChannel, nsresult (nsJARChannel::*)(nsJARInputThunk *, bool), StoreRefPtrPassByPtr<nsJARInputThunk>, StoreCopyPassByConstLRef<bool>, 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #20 0x7f66405802f7 in apply<nsJARChannel, nsresult (nsJARChannel::*)(nsJARInputThunk *, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #21 0x7f66405802f7 in mozilla::detail::RunnableMethodImpl<RefPtr<nsJARChannel>, nsresult (nsJARChannel::*)(nsJARInputThunk*, bool), true, (mozilla::RunnableKind)0, RefPtr<nsJARInputThunk>, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #22 0x7f663e945759 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #23 0x7f663e93bb87 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #24 0x7f663e938e08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #25 0x7f663e939530 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #26 0x7f663e94bc64 in operator() /xpcom/threads/TaskController.cpp:191:37
        #27 0x7f663e94bc64 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #28 0x7f663e96f42e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1225:16
        #29 0x7f663e978bf3 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:477:10
        #30 0x7f663e978bf3 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /xpcom/threads/nsThreadManager.cpp:653:61)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #31 0x7f663e978bf3 in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /xpcom/threads/nsThreadManager.cpp:653:8
        #32 0x7f663e9b89d5 in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #33 0x7f664051146a in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1626:10
        #34 0x7f664051146a in Call /js/xpconnect/src/XPCWrappedNative.cpp:1179:19
        #35 0x7f664051146a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1125:23
        #36 0x7f6640515d7d in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
        #37 0x7f664cbd1bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #38 0x7f664cbd1bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #39 0x7f664cbc0bda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #40 0x7f664cbc0bda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #41 0x7f664cbc0bda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #42 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #43 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #44 0x7f664da9ca83 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1591:10
        #45 0x2cdf42dd3da8  (<unknown module>)
        #46 0x2cdf42ddb53b  (<unknown module>)
        #47 0x2cdf42dd14ed  (<unknown module>)
        #48 0x7f664daa990d in EnterBaseline /js/src/jit/BaselineJIT.cpp:142:5
        #49 0x7f664daa990d in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /js/src/jit/BaselineJIT.cpp:198:26
        #50 0x7f664cbc79c2 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2219:17
        #51 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #52 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #53 0x7f664cbd39cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #54 0x7f664cbd39cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #55 0x7f664ce11078 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /js/src/vm/JSFunction.cpp:1019:10
        #56 0x7f664cbd1bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #57 0x7f664cbd1bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #58 0x7f664cbc0bda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #59 0x7f664cbc0bda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #60 0x7f664cbc0bda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #61 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #62 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #63 0x7f664cbd39cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #64 0x7f664cbd39cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #65 0x7f664ccdb532 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #66 0x7f6640503234 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #67 0x7f663e9ba2fc in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #68 0x7f663e9b90fa in SharedStub xptcstubs_x86_64_linux.cpp
        #69 0x7f664c7cceca in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:810:13
        #70 0x7f664c7a91dd in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5388:18
        #71 0x7f664c7ab749 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5843:8
        #72 0x7f664c7ac4db in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5899:21
        #73 0x561e26b14e8d in do_main /browser/app/nsBrowserApp.cpp:226:22
        #74 0x561e26b14e8d in main /browser/app/nsBrowserApp.cpp:423:16
        #75 0x7f66616e1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    Thread T29 created by T0 here:
        #0 0x561e26ac06dc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f6660fdb6f9 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f6660fccb6e in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f663e96aaeb in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:619:18
        #4 0x7f663e9776b0 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /xpcom/threads/nsThreadManager.cpp:548:12
        #5 0x7f663e983f1c in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /xpcom/threads/nsThreadUtils.cpp:173:57
        #6 0x7f663e97bda3 in NS_NewNamedThread /xpcom/threads/nsThreadUtils.cpp:165:10
        #7 0x7f663e97bda3 in nsThreadPool::PutEvent(already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadPool.cpp:126:17
        #8 0x7f663e97e5cd in nsThreadPool::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /xpcom/threads/nsThreadPool.cpp:392:5
        #9 0x7f663edc978d in mozilla::net::nsStreamTransportService::Dispatch(already_AddRefed<nsIRunnable>, unsigned int) /netwerk/base/nsStreamTransportService.cpp:293:16
        #10 0x7f663e8c00ef in Dispatch /builds/worker/workspace/obj-build/dist/include/nsIEventTarget.h:38:14
        #11 0x7f663e8c00ef in nsAStreamCopier::PostContinuationEvent_Locked() /xpcom/io/nsStreamUtils.cpp:463:21
        #12 0x7f663e8b1781 in PostContinuationEvent /xpcom/io/nsStreamUtils.cpp:455:12
        #13 0x7f663e8b1781 in nsAStreamCopier::Start(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, void (*)(void*, nsresult), void*, unsigned int, bool, bool, void (*)(void*, unsigned int)) /xpcom/io/nsStreamUtils.cpp:268:12
        #14 0x7f663e8b13eb in NS_AsyncCopy(nsIInputStream*, nsIOutputStream*, nsIEventTarget*, nsAsyncCopyMode, unsigned int, void (*)(void*, nsresult), void*, bool, bool, nsISupports**, void (*)(void*, unsigned int)) /xpcom/io/nsStreamUtils.cpp:603:16
        #15 0x7f663edc812e in mozilla::net::nsInputStreamTransport::OpenInputStream(unsigned int, unsigned int, unsigned int, nsIInputStream**) /netwerk/base/nsStreamTransportService.cpp:113:8
        #16 0x7f663e8b3fac in NS_MakeAsyncNonBlockingInputStream(already_AddRefed<nsIInputStream>, nsIAsyncInputStream**, bool, unsigned int, unsigned int, unsigned int) /xpcom/io/nsStreamUtils.cpp:961:19
        #17 0x7f663ecf3b72 in nsInputStreamPump::AsyncRead(nsIStreamListener*) /netwerk/base/nsInputStreamPump.cpp:340:17
        #18 0x7f66405644cf in nsJARChannel::ContinueOpenLocalFile(nsJARInputThunk*, bool) /modules/libjar/nsJARChannel.cpp:469:17
        #19 0x7f66405802f7 in applyImpl<nsJARChannel, nsresult (nsJARChannel::*)(nsJARInputThunk *, bool), StoreRefPtrPassByPtr<nsJARInputThunk>, StoreCopyPassByConstLRef<bool>, 0UL, 1UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #20 0x7f66405802f7 in apply<nsJARChannel, nsresult (nsJARChannel::*)(nsJARInputThunk *, bool)> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
        #21 0x7f66405802f7 in mozilla::detail::RunnableMethodImpl<RefPtr<nsJARChannel>, nsresult (nsJARChannel::*)(nsJARInputThunk*, bool), true, (mozilla::RunnableKind)0, RefPtr<nsJARInputThunk>, bool>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
        #22 0x7f663e945759 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:539:16
        #23 0x7f663e93bb87 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:852:26
        #24 0x7f663e938e08 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:684:15
        #25 0x7f663e939530 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:462:36
        #26 0x7f663e94bc64 in operator() /xpcom/threads/TaskController.cpp:191:37
        #27 0x7f663e94bc64 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
        #28 0x7f663e96f42e in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1225:16
        #29 0x7f663e978bf3 in NS_ProcessNextEvent /xpcom/threads/nsThreadUtils.cpp:477:10
        #30 0x7f663e978bf3 in SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, (lambda at /xpcom/threads/nsThreadManager.cpp:653:61)> /builds/worker/workspace/obj-build/dist/include/mozilla/SpinEventLoopUntil.h:176:25
        #31 0x7f663e978bf3 in nsThreadManager::SpinEventLoopUntilInternal(nsTSubstring<char> const&, nsINestedEventLoopCondition*, mozilla::ShutdownPhase) /xpcom/threads/nsThreadManager.cpp:653:8
        #32 0x7f663e9b89d5 in NS_InvokeByIndex /xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:101
        #33 0x7f664051146a in Invoke /js/xpconnect/src/XPCWrappedNative.cpp:1626:10
        #34 0x7f664051146a in Call /js/xpconnect/src/XPCWrappedNative.cpp:1179:19
        #35 0x7f664051146a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /js/xpconnect/src/XPCWrappedNative.cpp:1125:23
        #36 0x7f6640515d7d in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /js/xpconnect/src/XPCWrappedNativeJSOps.cpp:965:10
        #37 0x7f664cbd1bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #38 0x7f664cbd1bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #39 0x7f664cbc0bda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #40 0x7f664cbc0bda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #41 0x7f664cbc0bda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #42 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #43 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #44 0x7f664da9ca83 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /js/src/jit/BaselineIC.cpp:1591:10
        #45 0x2cdf42dd3da8  (<unknown module>)
        #46 0x2cdf42ddb53b  (<unknown module>)
        #47 0x2cdf42dd14ed  (<unknown module>)
        #48 0x7f664daa990d in EnterBaseline /js/src/jit/BaselineJIT.cpp:142:5
        #49 0x7f664daa990d in js::jit::EnterBaselineInterpreterAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /js/src/jit/BaselineJIT.cpp:198:26
        #50 0x7f664cbc79c2 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2219:17
        #51 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #52 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #53 0x7f664cbd39cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #54 0x7f664cbd39cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #55 0x7f664ce11078 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /js/src/vm/JSFunction.cpp:1019:10
        #56 0x7f664cbd1bf4 in CallJSNative /js/src/vm/Interpreter.cpp:459:13
        #57 0x7f664cbd1bf4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:547:12
        #58 0x7f664cbc0bda in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #59 0x7f664cbc0bda in CallFromStack /js/src/vm/Interpreter.cpp:619:10
        #60 0x7f664cbc0bda in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3362:16
        #61 0x7f664cba4cfc in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:431:13
        #62 0x7f664cbd1d10 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:579:13
        #63 0x7f664cbd39cf in InternalCall /js/src/vm/Interpreter.cpp:614:10
        #64 0x7f664cbd39cf in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:646:8
        #65 0x7f664ccdb532 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:53:10
        #66 0x7f6640503234 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /js/xpconnect/src/XPCWrappedJSClass.cpp:918:17
        #67 0x7f663e9ba2fc in PrepareAndDispatch /xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37
        #68 0x7f663e9b90fa in SharedStub xptcstubs_x86_64_linux.cpp
        #69 0x7f664c7cceca in nsXREDirProvider::DoStartup() /toolkit/xre/nsXREDirProvider.cpp:810:13
        #70 0x7f664c7a91dd in XREMain::XRE_mainRun() /toolkit/xre/nsAppRunner.cpp:5388:18
        #71 0x7f664c7ab749 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5843:8
        #72 0x7f664c7ac4db in XRE_main(int, char**, mozilla::BootstrapConfig const&) /toolkit/xre/nsAppRunner.cpp:5899:21
        #73 0x561e26b14e8d in do_main /browser/app/nsBrowserApp.cpp:226:22
        #74 0x561e26b14e8d in main /browser/app/nsBrowserApp.cpp:423:16
        #75 0x7f66616e1d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7.5.0/../../../../include/c++/7.5.0/bits/atomic_base.h:514:16 in fetch_add
    Shadow bytes around the buggy address:
      0x0c28800a8900: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a8910: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a8920: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a8930: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a8940: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
    =>0x0c28800a8950: fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c28800a8960: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
      0x0c28800a8970: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
      0x0c28800a8980: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a8990: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
      0x0c28800a89a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==25162==ABORTING

Comment 1

[Jason Kratzer [:jkratzer]]

Attachment: Detailed Crash Information

Comment 2

[Jason Kratzer [:jkratzer]]

Attachment: Testcase

Comment 3

[Bugmon [:jkratzer for issues]]

Verified bug as reproducible on mozilla-central 20230215181635-883fd80a1c94.
The bug appears to have been introduced in the following build range:

Start: 4e6cd201a7c1431f2df91ec8da0c597a1c93681a (20230206141139)
End: 5ca64201eaffa8baac027efee0360a35cab4d424 (20230206154033)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4e6cd201a7c1431f2df91ec8da0c597a1c93681a&tochange=5ca64201eaffa8baac027efee0360a35cab4d424

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1809064

:janv, since you are the author of the regressor, bug 1809064, could you take a look? Also, could you set the severity field?

For more information, please visit auto_nag documentation.

Comment 5

[Jan Varga [:janv]]

I can reproduce it and I think I know what's going on.

Comment 6

[Jan Varga [:janv]]

Attachment: Bug 1816973 - Return early if the actor was already destroyed; r=#dom-storage

Comment 7

[BugBot [:suhaib / :marco/ :calixte]]

The severity field for this bug is set to S3. However, the bug is flagged with the sec-high keyword.
:janv, could you consider increasing the severity of this security bug?

For more information, please visit auto_nag documentation.

Comment 9

[Jan Varga [:janv]]

Comment on attachment 9318220 [details]
Bug 1816973 - Return early if the actor was already destroyed; r=#dom-storage

Security Approval Request

• How easily could an exploit be constructed based on the patch?: The patch just adds a code block which returns early from a function.
• Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
• Which older supported branches are affected by this flaw?: 111
• If not all supported branches, which bug introduced the flaw?: Bug 1809064
• Do you have backports for the affected branches?: Yes
• If not, how different, hard to create, and risky will they be?:
• How likely is this patch to cause regressions; how much testing does it need?: Not very likely to cause regressions. Tested thoroughly locally.
• Is Android affected?: Yes

Comment 10

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Please separate out the tests from the patch so they can be landed separately.

Comment 11

[Jan Varga [:janv]]

Attachment: Bug 1816973 - Add a new test; r=#dom-storage

Depends on D170094

Comment 12

[Jan Varga [:janv]]

(In reply to Tom Ritter [:tjr] from comment #10)

Please separate out the tests from the patch so they can be landed separately.

Done

Comment 13

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Comment on attachment 9318220 [details]
Bug 1816973 - Return early if the actor was already destroyed; r=#dom-storage

Approved to request uplift and land. The test can be landed in April, you'll get a needinfo from a bit when you can land it.

Comment 14

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

Return early if the actor was already destroyed; r=dom-storage-reviewers,asuth
https://hg.mozilla.org/integration/autoland/rev/c1af63d98ba8bdb9224214a8af4ce64815c7e3ff
https://hg.mozilla.org/mozilla-central/rev/c1af63d98ba8

Comment 15

[BugBot [:suhaib / :marco/ :calixte]]

The patch landed in nightly and beta is affected.
:janv, is this bug important enough to require an uplift?

• If yes, please nominate the patch for beta approval.
• If no, please set status-firefox111 to wontfix.

For more information, please visit auto_nag documentation.

Comment 16

[Jan Varga [:janv]]

Comment on attachment 9318220 [details]
Bug 1816973 - Return early if the actor was already destroyed; r=#dom-storage

Beta/Release Uplift Approval Request

• User impact if declined: Users can experience crashes when using the new OPFS API
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Very simple patch and well tested.
• String changes made/needed: None
• Is Android affected?: Yes

Comment 17

[Bugmon [:jkratzer for issues]]

Verified bug as fixed on rev mozilla-central 20230228085339-bc3bdd8c19f8.

Comment 18

[Donal Meehan [:dmeehan]]

Comment on attachment 9318220 [details]
Bug 1816973 - Return early if the actor was already destroyed; r=#dom-storage

Approved for 111.0b7

Comment 19

[Donal Meehan [:dmeehan]]

https://hg.mozilla.org/releases/mozilla-beta/rev/356f49dd7e42

Comment 20

[BugBot [:suhaib / :marco/ :calixte]]

a month ago, Tom Ritter [:tjr] placed a reminder on the bug using the whiteboard tag [reminder-test 2023-04-24] .

janv, please refer to the original comment to better understand the reason for the reminder.