1819492 - heap-use-after-free in [@ mozilla::MFCDMChild::Shutdown]

Reporter

Description

•

1 year ago

Found while fuzzing m-c 20230224-3290e57446bb (--enable-address-sanitizer --enable-fuzzing)

Unfortunately a reliable test case is not available. The has been reported by fuzzers multiple times since the initial report.

==712==ERROR: AddressSanitizer: heap-use-after-free on address 0x1227910f3388 at pc 0x7ffe53348417 bp 0x00468c7fa380 sp 0x00468c7fa3c8
READ of size 1 at 0x1227910f3388 thread T0
    #0 0x7ffe53348416 in mozilla::Variant<mozilla::Nothing,mozilla::MFCDMCapabilitiesIPDL,nsresult>::is /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:720
    #1 0x7ffe53348416 in mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::ResolveOrRejectValue::IsNothing /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:212
    #2 0x7ffe53348416 in mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::IsPending /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1129
    #3 0x7ffe53348416 in mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>::Private::Reject<enum nsresult>(enum nsresult &&, char const *) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1236
    #4 0x7ffe532e0ab1 in mozilla::MozPromiseHolderBase<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>,mozilla::MozPromiseHolder<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> > >::Reject /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1394
    #5 0x7ffe532e0ab1 in mozilla::MozPromiseHolderBase<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>,mozilla::MozPromiseHolder<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> > >::RejectIfExists /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1402
    #6 0x7ffe532e0ab1 in mozilla::MFCDMChild::Shutdown(void) /builds/worker/checkouts/gecko/dom/media/ipc/MFCDMChild.cpp:82
    #7 0x7ffe5303715a in mozilla::WMFCDMImpl::~WMFCDMImpl /builds/worker/workspace/obj-build/dist/include/mozilla/WMFCDMImpl.h:64
    #8 0x7ffe5303715a in mozilla::WMFCDMImpl::Release(void) /builds/worker/workspace/obj-build/dist/include/mozilla/WMFCDMImpl.h:28
    #9 0x7ffe5303eb1b in mozilla::RefPtrTraits<mozilla::WMFCDMImpl>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50
    #10 0x7ffe5303eb1b in RefPtr<mozilla::WMFCDMImpl>::ConstRemovingRefPtrTraits<mozilla::WMFCDMImpl>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381
    #11 0x7ffe5303eb1b in RefPtr<mozilla::WMFCDMImpl>::~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:81
    #12 0x7ffe5303eb1b in mozilla::WMFCDMImpl::Supports(class nsTSubstring<char16_t> const &) /builds/worker/checkouts/gecko/dom/media/eme/mediafoundation/WMFCDMImpl.cpp:28
    #13 0x7ffe52fe822c in mozilla::KeySystemConfig::Supports(class nsTSubstring<char16_t> const &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:44
    #14 0x7ffe52fe86e9 in mozilla::KeySystemConfig::GetConfig(class nsTSubstring<char16_t> const &, struct mozilla::KeySystemConfig &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:54
    #15 0x7ffe5300675c in mozilla::dom::GetSupportedKeySystems /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:176
    #16 0x7ffe5300675c in mozilla::dom::GetKeySystemConfig /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:195
    #17 0x7ffe53007cb6 in mozilla::dom::MediaKeySystemAccess::GetSupportedConfig(class nsTSubstring<char16_t> const &, class mozilla::dom::Sequence<struct mozilla::dom::MediaKeySystemConfiguration> const &, struct mozilla::dom::MediaKeySystemConfiguration &, class mozilla::DecoderDoctorDiagnostics *, bool, class std::function<(char const *)> const &) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:972
    #18 0x7ffe53014336 in mozilla::dom::MediaKeySystemAccessManager::RequestMediaKeySystemAccess(class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:504
    #19 0x7ffe53012772 in mozilla::dom::MediaKeySystemAccessManager::OnDoesWindowSupportProtectedMedia(bool, class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:211
    #20 0x7ffe53038612 in mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia::<lambda_1>::operator() /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:186
    #21 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:632
    #22 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeCallbackMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:663
    #23 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::ThenValue<`lambda at /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:170:7'>::DoResolveOrRejectInternal /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:916
    #24 0x7ffe4af3a453 in mozilla::MozPromise<bool, enum nsresult, 0>::ThenValueBase::ResolveOrRejectRunnable::Run(void) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:489
    #25 0x7ffe4bb13a83 in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541
    #26 0x7ffe4bafc12c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855
    #27 0x7ffe4baf8502 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686
    #28 0x7ffe4baf912e in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #29 0x7ffe4bb16e41 in mozilla::TaskController::InitializeInternal::<lambda_4>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188
    #30 0x7ffe4bb16e41 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546
    #31 0x7ffe4bb470ea in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225
    #32 0x7ffe4bb56acd in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #33 0x7ffe4d203567 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #34 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #35 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #36 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #37 0x7ffe5596219c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #38 0x7ffe55b6d0ee in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #39 0x7ffe5a5ae027 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #40 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #41 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #42 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #43 0x7ffe5a5ad53a in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671
    #44 0x7ff69bd42c9e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
    #45 0x7ff69bd42c9e in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #46 0x7ff69bd4166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #47 0x7ff69be35777 in invoke_main d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #48 0x7ff69be35777 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #49 0x7ffe86a24ddf  (C:\Windows\System32\KERNEL32.DLL+0x180014ddf)
    #50 0x7ffe87dde40a  (C:\Windows\SYSTEM32\ntdll.dll+0x18007e40a)

0x1227910f3388 is located 136 bytes inside of 216-byte region [0x1227910f3300,0x1227910f33d8)
freed by thread T8 here:
    #0 0x7ffe6593eeec in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:82
    #1 0x7ffe5334c1fc in operator delete /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:51
    #2 0x7ffe5334c1fc in mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>::Private::`scalar deleting dtor'(unsigned int) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1160
    #3 0x7ffe5334d7cf in mozilla::MozPromiseRefcountable::Release /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:151
    #4 0x7ffe5334d7cf in mozilla::RefPtrTraits<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::Private>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:50
    #5 0x7ffe5334d7cf in RefPtr<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::Private>::ConstRemovingRefPtrTraits<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::Private>::Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:381
    #6 0x7ffe5334d7cf in RefPtr<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::Private>::assign_assuming_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:69
    #7 0x7ffe5334d7cf in RefPtr<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>::Private>::operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:168
    #8 0x7ffe5334d7cf in mozilla::MozPromiseHolderBase<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>,mozilla::MozPromiseHolder<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> > >::Reject /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1395
    #9 0x7ffe5334d7cf in mozilla::MozPromiseHolderBase<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>,mozilla::MozPromiseHolder<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> > >::RejectIfExists /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1402
    #10 0x7ffe5334d7cf in mozilla::MFCDMChild::InvokeAsync<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> >::<lambda_1>::operator() /builds/worker/checkouts/gecko/dom/media/ipc/MFCDMChild.cpp:147
    #11 0x7ffe5334d7cf in mozilla::MozPromise<bool,nsresult,0>::InvokeMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:632
    #12 0x7ffe5334d7cf in mozilla::MozPromise<bool,nsresult,0>::InvokeCallbackMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:663
    #13 0x7ffe5334d7cf in mozilla::MozPromise<bool, enum nsresult, 0>::ThenValue<class std::function<(void)>, class `public: struct already_AddRefed<class mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>> __cdecl mozilla::MFCDMChild::InvokeAsync<class mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>>(class std::function<void __cdecl(void)> &&, char const *, class mozilla::MozPromiseHolder<class mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>> &)'::`1'::<lambda_1>>::DoResolveOrRejectInternal(class mozilla::MozPromise<bool, enum nsresult, 0>::ResolveOrRejectValue &) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:852
    #14 0x7ffe4af3a453 in mozilla::MozPromise<bool, enum nsresult, 0>::ThenValueBase::ResolveOrRejectRunnable::Run(void) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:489
    #15 0x7ffe4bb47efd in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1219
    #16 0x7ffe4bb56acd in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #17 0x7ffe4d20480e in mozilla::ipc::MessagePumpForNonMainThreads::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300
    #18 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #19 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #20 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #21 0x7ffe4bb3d8d7 in nsThread::ThreadFunc(void *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:384
    #22 0x7ffe720a1a75 in _PR_NativeRunThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:399
    #23 0x7ffe7207b55b in pr_root /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:139
    #24 0x7ffe856b6b4b  (C:\Windows\System32\ucrtbase.dll+0x180026b4b)
    #25 0x7ffe6594abb3 in __asan::AsanThread::ThreadStart(unsigned __int64) /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_thread.cpp:277
    #26 0x12859182002e  (<unknown module>)

previously allocated by thread T0 here:
    #0 0x7ffe6593effc in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
    #1 0x7ffe753011ad in moz_xmalloc /builds/worker/checkouts/gecko/memory/mozalloc/mozalloc.cpp:52
    #2 0x7ffe532e1ded in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33
    #3 0x7ffe532e1ded in mozilla::MozPromiseHolderBase<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1>,mozilla::MozPromiseHolder<mozilla::MozPromise<mozilla::MFCDMCapabilitiesIPDL,nsresult,1> > >::Ensure /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:1347
    #4 0x7ffe532e1ded in mozilla::MFCDMChild::InvokeAsync<class mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>>(class std::function<(void)> &&, char const *, class mozilla::MozPromiseHolder<class mozilla::MozPromise<class mozilla::MFCDMCapabilitiesIPDL, enum nsresult, 1>> &) /builds/worker/checkouts/gecko/dom/media/ipc/MFCDMChild.cpp:151
    #5 0x7ffe532e1452 in mozilla::MFCDMChild::GetCapabilities(void) /builds/worker/checkouts/gecko/dom/media/ipc/MFCDMChild.cpp:121
    #6 0x7ffe5303f2ab in mozilla::WMFCDMImpl::GetCapabilities(struct mozilla::KeySystemConfig &) /builds/worker/checkouts/gecko/dom/media/eme/mediafoundation/WMFCDMImpl.cpp:79
    #7 0x7ffe5303ea84 in mozilla::WMFCDMImpl::Supports(class nsTSubstring<char16_t> const &) /builds/worker/checkouts/gecko/dom/media/eme/mediafoundation/WMFCDMImpl.cpp:24
    #8 0x7ffe52fe822c in mozilla::KeySystemConfig::Supports(class nsTSubstring<char16_t> const &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:44
    #9 0x7ffe52fe86e9 in mozilla::KeySystemConfig::GetConfig(class nsTSubstring<char16_t> const &, struct mozilla::KeySystemConfig &) /builds/worker/checkouts/gecko/dom/media/eme/KeySystemConfig.cpp:54
    #10 0x7ffe5300675c in mozilla::dom::GetSupportedKeySystems /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:176
    #11 0x7ffe5300675c in mozilla::dom::GetKeySystemConfig /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:195
    #12 0x7ffe53007cb6 in mozilla::dom::MediaKeySystemAccess::GetSupportedConfig(class nsTSubstring<char16_t> const &, class mozilla::dom::Sequence<struct mozilla::dom::MediaKeySystemConfiguration> const &, struct mozilla::dom::MediaKeySystemConfiguration &, class mozilla::DecoderDoctorDiagnostics *, bool, class std::function<(char const *)> const &) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccess.cpp:972
    #13 0x7ffe53014336 in mozilla::dom::MediaKeySystemAccessManager::RequestMediaKeySystemAccess(class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:504
    #14 0x7ffe53012772 in mozilla::dom::MediaKeySystemAccessManager::OnDoesWindowSupportProtectedMedia(bool, class mozilla::UniquePtr<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest, class mozilla::DefaultDelete<struct mozilla::dom::MediaKeySystemAccessManager::PendingRequest>>) /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:211
    #15 0x7ffe53038612 in mozilla::dom::MediaKeySystemAccessManager::CheckDoesWindowSupportProtectedMedia::<lambda_1>::operator() /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:186
    #16 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:632
    #17 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::InvokeCallbackMethod /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:663
    #18 0x7ffe53038612 in mozilla::MozPromise<bool,mozilla::ipc::ResponseRejectReason,1>::ThenValue<`lambda at /builds/worker/checkouts/gecko/dom/media/eme/MediaKeySystemAccessManager.cpp:170:7'>::DoResolveOrRejectInternal /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:916
    #19 0x7ffe4af3a453 in mozilla::MozPromise<bool, enum nsresult, 0>::ThenValueBase::ResolveOrRejectRunnable::Run(void) /builds/worker/workspace/obj-build/dist/include/mozilla/MozPromise.h:489
    #20 0x7ffe4bb13a83 in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541
    #21 0x7ffe4bafc12c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855
    #22 0x7ffe4baf8502 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686
    #23 0x7ffe4baf912e in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #24 0x7ffe4bb16e41 in mozilla::TaskController::InitializeInternal::<lambda_4>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188
    #25 0x7ffe4bb16e41 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546
    #26 0x7ffe4bb470ea in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225
    #27 0x7ffe4bb56acd in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #28 0x7ffe4d203567 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #29 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #30 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #31 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #32 0x7ffe5596219c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #33 0x7ffe55b6d0ee in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #34 0x7ffe5a5ae027 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #35 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #36 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374

Thread T8 created by T0 here:
    #0 0x7ffe6594bd62 in __asan_wrap_CreateThread /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_win.cpp:146
    #1 0x7ffe856b5be6  (C:\Windows\System32\ucrtbase.dll+0x180025be6)
    #2 0x7ffe7207b38e in _PR_MD_CREATE_THREAD /builds/worker/checkouts/gecko/nsprpub/pr/src/md/windows/w95thred.c:153
    #3 0x7ffe720a281e in _PR_NativeCreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1058
    #4 0x7ffe720a2f98 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1184
    #5 0x7ffe72098f9f in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/threads/combined/pruthr.c:1404
    #6 0x7ffe4bb40e3a in nsThread::Init(class nsTSubstring<char> const &) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:619
    #7 0x7ffe4bb540ea in nsThreadManager::NewNamedThread(class nsTSubstring<char> const &, struct nsIThreadManager::ThreadCreationOptions, class nsIThread **) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:547
    #8 0x7ffe4bb6139d in NS_NewNamedThread(class nsTSubstring<char> const &, class nsIThread **, struct already_AddRefed<class nsIRunnable>, struct nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173
    #9 0x7ffe5328f50b in NS_NewNamedThread /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:74
    #10 0x7ffe5328f50b in mozilla::RemoteDecoderManagerChild::Init(void) /builds/worker/checkouts/gecko/dom/media/ipc/RemoteDecoderManagerChild.cpp:102
    #11 0x7ffe54797a88 in mozilla::dom::ContentChild::InitXPCOM(class mozilla::dom::XPCOMInitData &&, class mozilla::dom::ipc::StructuredCloneData const &, bool) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:1435
    #12 0x7ffe547967b2 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(class mozilla::dom::XPCOMInitData &&, class mozilla::dom::ipc::StructuredCloneData const &, class mozilla::widget::FullLookAndFeel &&, class mozilla::dom::SystemFontList &&, class mozilla::Maybe<class mozilla::UniquePtr<void *, struct mozilla::detail::FileHandleDeleter>> &&, unsigned __int64 const &, class nsTArray<class mozilla::UniquePtr<void *, struct mozilla::detail::FileHandleDeleter>> &&, bool const &) /builds/worker/checkouts/gecko/dom/ipc/ContentChild.cpp:686
    #13 0x7ffe54b227ec in mozilla::dom::PContentChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:12276
    #14 0x7ffe4d1fae8b in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1800
    #15 0x7ffe4d1f837f in mozilla::ipc::MessageChannel::DispatchMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::UniquePtr<class IPC::Message, class mozilla::DefaultDelete<class IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1725
    #16 0x7ffe4d1f9422 in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::ActorLifecycleProxy *, class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1525
    #17 0x7ffe4d1f9c21 in mozilla::ipc::MessageChannel::MessageTask::Run(void) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1623
    #18 0x7ffe4bb13a83 in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:541
    #19 0x7ffe4bafc12c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:855
    #20 0x7ffe4baf8502 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:686
    #21 0x7ffe4baf912e in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464
    #22 0x7ffe4bb16e41 in mozilla::TaskController::InitializeInternal::<lambda_4>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188
    #23 0x7ffe4bb16e41 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546
    #24 0x7ffe4bb470ea in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1225
    #25 0x7ffe4bb56acd in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477
    #26 0x7ffe4d203567 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #27 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #28 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #29 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #30 0x7ffe5596219c in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148
    #31 0x7ffe55b6d0ee in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
    #32 0x7ffe5a5ae027 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738
    #33 0x7ffe4d11a7f2 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381
    #34 0x7ffe4d11a7f2 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
    #35 0x7ffe4d11a5c7 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
    #36 0x7ffe5a5ad53a in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:671
    #37 0x7ff69bd42c9e in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57
    #38 0x7ff69bd42c9e in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353
    #39 0x7ff69bd4166e in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
    #40 0x7ff69be35777 in invoke_main d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #41 0x7ff69be35777 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #42 0x7ffe86a24ddf  (C:\Windows\System32\KERNEL32.DLL+0x180014ddf)
    #43 0x7ffe87dde40a  (C:\Windows\SYSTEM32\ntdll.dll+0x18007e40a)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:720 in mozilla::Variant<mozilla::Nothing,mozilla::MFCDMCapabilitiesIPDL,nsresult>::is
Shadow bytes around the buggy address:
  0x044a8281e620: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x044a8281e630: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x044a8281e640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x044a8281e650: 00 00 00 00 00 00 00 00 fa fa fa fa fa fa fa fa
  0x044a8281e660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x044a8281e670: fd[fd]fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x044a8281e680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x044a8281e690: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x044a8281e6a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x044a8281e6b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x044a8281e6c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Andrew McCreight [:mccr8]

Comment 1

•

1 year ago

This looks similar to some crashes seen in the wild, eg bp-fc8a5fb0-4c6f-491e-9138-a0f250230228 that I filed as bug 1815798.

Keywords: sec-high

Comment 2

•

1 year ago

Alastor, the free stack here might be useful for figuring out that crash.

Flags: needinfo?(alwu)

Alastor Wu [:alwu]

Assignee

Comment 3

•

1 year ago

They are similar race but different root cause. This one is obvious a race between two different thread, but bug 1815798(for signatures of RequestXXXDataFromReaderAfterEOS) are about on the same thread, which is still very confusing to me.

Assignee: nobody → alwu

Flags: needinfo?(alwu)

Alastor Wu [:alwu]

Assignee

Comment 4

•

1 year ago

Attached file Bug 1819492 - reject promise holders on the manager thread. — Details

Andrew McCreight [:mccr8]

Updated

•

1 year ago

Keywords: csectype-uaf → csectype-race

Phabricator Automation

Updated

•

1 year ago

Attachment #9320901 - Attachment description: Bug 1819492 - reject promise holder on the manager thread. → Bug 1819492 - reject promise holders on the manager thread.

Alastor Wu [:alwu]

Assignee

Comment 5

•

1 year ago

Comment on attachment 9320901 [details]
Bug 1819492 - reject promise holders on the manager thread.

Security Approval Request

How easily could an exploit be constructed based on the patch?: Hard. First, the patch itself doesn't mention where the UAF would happen. Second, the UAF is hard to reproduce.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: 111
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: It's easy to create a patch for beta and no risk at all because it's just about handling some merge conflicts.
How likely is this patch to cause regressions; how much testing does it need?: Low, this patch is about delaying some clean-up tasks and doesn't introduce any new feature. Also, this code path isn't enabled by default on any branches yet.
Is Android affected?: No

Attachment #9320901 - Flags: sec-approval?

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Comment 6

•

1 year ago

Comment on attachment 9320901 [details]
Bug 1819492 - reject promise holders on the manager thread.

Approved to land and uplift.

Attachment #9320901 - Flags: sec-approval? → sec-approval+

Ryan VanderMeulen [:RyanVM]

Updated

•

1 year ago

status-firefox111: --- → wontfix

status-firefox113: --- → affected

status-firefox-esr102: --- → unaffected

tracking-firefox112: --- → +

tracking-firefox113: --- → +

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 7

•

1 year ago

reject promise holders on the manager thread. r=jolin
https://hg.mozilla.org/integration/autoland/rev/4b28a6a227233029c25a7cc6aaee6f66b50d5120
https://hg.mozilla.org/mozilla-central/rev/4b28a6a22723

Group: media-core-security → core-security-release

Status: NEW → RESOLVED

Closed: 1 year ago

status-firefox113: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 113 Branch

BugBot [:suhaib / :marco/ :calixte]

Comment 8

•

1 year ago

The patch landed in nightly and beta is affected.
:alwu, is this bug important enough to require an uplift?

If yes, please nominate the patch for beta approval.
If no, please set status-firefox112 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(alwu)

Alastor Wu [:alwu]

Assignee

Comment 9

•

1 year ago

Comment on attachment 9320901 [details]
Bug 1819492 - reject promise holders on the manager thread.

Beta/Release Uplift Approval Request

User impact if declined: Crash
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Low risk, this patch is about moving some clean-up tasks to the another thread, which didn't change any functionality and not introduce any new feature. It should be pretty safe and low chance to cause regression.
String changes made/needed:
Is Android affected?: No

Flags: needinfo?(alwu)

Attachment #9320901 - Flags: approval-mozilla-beta?

Dianna Smith [:diannaS]

Comment 10

•

1 year ago

Comment on attachment 9320901 [details]
Bug 1819492 - reject promise holders on the manager thread.

Approved for 112.0b3

Attachment #9320901 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Dianna Smith [:diannaS]

Comment 11

•

1 year ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/d3c17b50c22c

status-firefox112: affected → fixed

Andrew McCreight [:mccr8]

Comment 12

•

1 year ago

Are these mozilla::MFCDMChild::MFCDMChild crashes likely the same issue? The stack is similar but not quite the same. It does look like these crashes went away on any branch where your patches here landed. bp-3e6a838f-53d9-4e4d-a6e4-9ed040230320

Flags: needinfo?(alwu)

Alastor Wu [:alwu]

Assignee

Comment 13

•

1 year ago

Yes, by looking their call stacks, I believe that the crash reason for that signature is the same as this bug.

Flags: needinfo?(alwu)

Andrew McCreight [:mccr8]

Updated

•

1 year ago

Crash Signature: [@ mozilla::MFCDMChild::MFCDMChild ]

Alastor Wu [:alwu]

Assignee

Comment 14

•

1 year ago

Reopen it because there are still some crashes. Also, not sure why this would affect the Release version, because the pref for PlayReady CDM is not enabled. Does that mean there are some cases we incorrectly use MFCDMChild even if the pref is off?

Status: RESOLVED → REOPENED

Crash Signature: [@ mozilla::MFCDMChild::MFCDMChild ]

Flags: needinfo?(jolin)

Resolution: FIXED → ---

Alastor Wu [:alwu]

Assignee

Updated

•

1 year ago

Crash Signature: @ mozilla::MFCDMChild::MFCDMChild

Alastor Wu [:alwu]

Assignee

Updated

•

1 year ago

Crash Signature: @ mozilla::MFCDMChild::MFCDMChild → [ @ mozilla::MFCDMChild::MFCDMChild ]

status-thunderbird_esr102: --- → fixed

status-thunderbird_esr91: --- → fixed

Alastor Wu [:alwu]

Assignee

Updated

•

1 year ago

Crash Signature: [ @ mozilla::MFCDMChild::MFCDMChild ] → [@ mozilla::MFCDMChild::MFCDMChild ]

Alastor Wu [:alwu]

Assignee

Comment 15

•

1 year ago

Attached file Bug 1819492 - check the pref first. — Details

Alastor Wu [:alwu]

Assignee

Comment 16

•

1 year ago

Comment on attachment 9325252 [details]
Bug 1819492 - check the pref first.

Security Approval Request

How easily could an exploit be constructed based on the patch?: Hard. We just added a pref to guard the feature which shouldn't be run on the official branch by default, which doesn't give any hint or cues of what the actual problem is.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: 111
If not all supported branches, which bug introduced the flaw?: Bug 1810817
Do you have backports for the affected branches?: Yes
If not, how different, hard to create, and risky will they be?: This patch can also be uplifted to beta, and then let it ride the train with Release 112.
How likely is this patch to cause regressions; how much testing does it need?: Low, we just add a pref check to ensure that that CDM callback won't be triggered on official branches by default. No any new behavior or feature introduced by my patch.
Is Android affected?: Yes

Beta/Release Uplift Approval Request

User impact if declined: Crash.
Is this code covered by automated tests?: No
Has the fix been verified in Nightly?: No
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Not risky, we just add a pref check to ensure that that CDM callback won't be triggered on official branches by default. No any new behavior or feature introduced by my patch.
String changes made/needed: no
Is Android affected?: No

Attachment #9325252 - Flags: sec-approval?

Attachment #9325252 - Flags: approval-mozilla-beta?

Ryan VanderMeulen [:RyanVM]

Updated

•

1 year ago

Status: REOPENED → NEW

status-firefox112: fixed → affected

status-firefox113: fixed → affected

status-thunderbird_esr102: fixed → ---

status-thunderbird_esr91: fixed → ---

Target Milestone: 113 Branch → ---

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Comment 17

•

1 year ago

Comment on attachment 9325252 [details]
Bug 1819492 - check the pref first.

Stamp

Attachment #9325252 - Flags: sec-approval? → sec-approval+

Dianna Smith [:diannaS]

Comment 18

•

1 year ago

Comment on attachment 9325252 [details]
Bug 1819492 - check the pref first.

Approved for 112.0b8

Attachment #9325252 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Alastor Wu [:alwu]

Assignee

Comment 19

•

1 year ago

I've not landed my patch via lando but I saw the D173744 got closed automatically, does that mean the patch has been landed? Because in lando, I also saw a message "landing is blocked"...? Thanks!

Flags: needinfo?(dsmith)

Dianna Smith [:diannaS]

Comment 20

•

1 year ago

I mistakenly landed this beta thinking this was a beta only patch, I can land in autoland now, was just waiting for it to reopen

Flags: needinfo?(dsmith)

Alastor Wu [:alwu]

Assignee

Comment 21

•

1 year ago

Okay, thank for helping!

Dianna Smith [:diannaS]

Comment 22

•

1 year ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/bb482c8bb831

status-firefox112: affected → fixed

Alastor Wu [:alwu]

Assignee

Comment 23

•

1 year ago

Dianna, did you land my patch on the autoland? Because I saw this change already on the autoland. If so, I will close the D173744 again. Thanks.

Flags: needinfo?(dsmith)

Dianna Smith [:diannaS]

Comment 24

•

1 year ago

https://hg.mozilla.org/integration/autoland/rev/fe1830d92546

Flags: needinfo?(dsmith)

Ryan VanderMeulen [:RyanVM]

Comment 25

•

1 year ago

https://hg.mozilla.org/mozilla-central/rev/fe1830d92546

Status: NEW → RESOLVED

Closed: 1 year ago → 1 year ago

status-firefox113: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 113 Branch

Brindusa Tot, Desktop QA

Updated

•

1 year ago

Flags: qe-verify-

Whiteboard: [post-critsmash-triage]

Tom Ritter [:tjr] (OOTO until 4/30 at least)

Updated

•

1 year ago

Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main112+r]

Daniel Veditz [:dveditz]

Updated

•

6 months ago

Group: core-security-release

Bug 1819492 - reject promise holders on the manager thread. 1 year ago Alastor Wu [:alwu] 48 bytes, text/x-phabricator-request	diannaS : approval-mozilla-beta+ tjr : sec-approval+	Details \| Review
Bug 1819492 - check the pref first. 1 year ago Alastor Wu [:alwu] 48 bytes, text/x-phabricator-request	diannaS : approval-mozilla-beta+ tjr : sec-approval+	Details \| Review