1823568 - heap-use-after-free in [@ JS::loader::ScriptLoadRequest::ScriptLoadRequest]

Status: RESOLVED FIXED

(Core :: Web Audio, defect, P1)

Description

[Tyson Smith [:tsmith]]

Found while fuzzing m-c 20230320-caabe78a05ae (--enable-address-sanitizer --enable-fuzzing)

A test case will be attached once reduction is complete.

==4125531==ERROR: AddressSanitizer: heap-use-after-free on address 0x612000210040 at pc 0x7f49b26ac750 bp 0x7f4992b71370 sp 0x7f4992b71368
READ of size 8 at 0x612000210040 thread T30 (GraphRunner)
    #0 0x7f49b26ac74f in nsCOMPtr /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:525:7
    #1 0x7f49b26ac74f in JS::loader::ScriptLoadRequest::ScriptLoadRequest(JS::loader::ScriptKind, nsIURI*, JS::loader::ScriptFetchOptions*, mozilla::dom::SRIMetadata const&, nsIURI*, JS::loader::LoadContextBase*) /builds/worker/checkouts/gecko/js/loader/ScriptLoadRequest.cpp:86:7
    #2 0x7f49b26abe95 in JS::loader::ModuleLoadRequest::ModuleLoadRequest(nsIURI*, JS::loader::ScriptFetchOptions*, mozilla::dom::SRIMetadata const&, nsIURI*, JS::loader::LoadContextBase*, bool, bool, JS::loader::ModuleLoaderBase*, JS::loader::VisitedURLSet*, JS::loader::ModuleLoadRequest*) /builds/worker/checkouts/gecko/js/loader/ModuleLoadRequest.cpp:60:7
    #3 0x7f49b951cee5 in mozilla::dom::StartModuleLoadRunnable::RunOnWorkletThread() /builds/worker/checkouts/gecko/dom/worklet/WorkletFetchHandler.cpp:106:43
    #4 0x7f49b7d33bc3 in mozilla::AudioNodeTrack::SendRunnable(already_AddRefed<nsIRunnable>)::Message::Run() /builds/worker/checkouts/gecko/dom/media/webaudio/AudioNodeTrack.cpp:327:18
    #5 0x7f49b74cd205 in mozilla::MediaTrackGraphImpl::RunMessagesInQueue() /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1292:20
    #6 0x7f49b74d0d70 in mozilla::MediaTrackGraphImpl::OneIterationImpl(long, long, mozilla::AudioMixer*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:1545:3
    #7 0x7f49b722486b in mozilla::GraphRunner::Run() /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:139:32
    #8 0x7f49b0cbef64 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1233:16
    #9 0x7f49b0cc8c14 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #10 0x7f49b24a6fd4 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:300:20
    #11 0x7f49b2323507 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #12 0x7f49b2323507 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #13 0x7f49b2323507 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #14 0x7f49b0cb6805 in nsThread::ThreadFunc(void*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:391:10
    #15 0x7f49d31eb628 in _pt_root /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #16 0x7f49d3eb4608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #17 0x7f49d3a5f132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x612000210040 is located 0 bytes inside of 312-byte region [0x612000210040,0x612000210178)
freed by thread T0 (Isolated Web Co) here:
    #0 0x55fd44076a0f in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3

previously allocated by thread T0 (Isolated Web Co) here:
    #0 0x55fd44076cbb in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3

Thread T30 (GraphRunner) created by T0 (Isolated Web Co) here:
    #0 0x55fd4405fbcc in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7f49d31db6f9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7f49d31ccb6e in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7f49b0cb9d5b in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:633:18
    #4 0x7f49b0cc6960 in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, nsIThreadManager::ThreadCreationOptions, nsIThread**) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadManager.cpp:548:12
    #5 0x7f49b0cd32ac in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, already_AddRefed<nsIRunnable>, nsIThreadManager::ThreadCreationOptions) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:173:57
    #6 0x7f49b72238d1 in NS_NewNamedThread<12UL> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:86:10
    #7 0x7f49b72238d1 in mozilla::GraphRunner::Create(mozilla::MediaTrackGraphImpl*) /builds/worker/checkouts/gecko/dom/media/GraphRunner.cpp:40:7
    #8 0x7f49b74dfc5a in mozilla::MediaTrackGraphImpl::MediaTrackGraphImpl(mozilla::MediaTrackGraph::GraphDriverType, mozilla::MediaTrackGraph::GraphRunType, int, unsigned int, void const*, nsISerialEventTarget*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:3250:26
    #9 0x7f49b74e1156 in mozilla::MediaTrackGraphImpl::GetInstance(mozilla::MediaTrackGraph::GraphDriverType, unsigned long, bool, int, void const*, nsISerialEventTarget*) /builds/worker/checkouts/gecko/dom/media/MediaTrackGraph.cpp:3387:17
    #10 0x7f49b7d05829 in mozilla::dom::AudioDestinationNode::AudioDestinationNode(mozilla::dom::AudioContext*, bool, unsigned int, unsigned int) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioDestinationNode.cpp:310:28
    #11 0x7f49b7cf92ee in mozilla::dom::AudioContext::AudioContext(nsPIDOMWindowInner*, bool, unsigned int, unsigned int, float) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:187:11
    #12 0x7f49b7cfae6b in mozilla::dom::AudioContext::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::AudioContextOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/media/webaudio/AudioContext.cpp:295:11
    #13 0x7f49b4486f21 in mozilla::dom::AudioContext_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/AudioContextBinding.cpp:856:58
    #14 0x7f49beddfb2c in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:459:13
    #15 0x7f49beddfb2c in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:475:8
    #16 0x7f49beddfb2c in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:700:10
    #17 0x7f49bedcc131 in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:728:10
    #18 0x7f49bedcc131 in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3353:16
    #19 0x7f49bedb02fc in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:431:13
    #20 0x7f49beddd310 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:585:13
    #21 0x7f49beddef8f in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:620:10
    #22 0x7f49beddef8f in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:652:8
    #23 0x7f49beeef2ed in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #24 0x7f49b5bd1df2 in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
    #25 0x7f49b6b03ac5 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
    #26 0x7f49b6b03583 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1308:43
    #27 0x7f49b6b04e7b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1504:17
    #28 0x7f49b6af2d62 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:347:17
    #29 0x7f49b6af1614 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:549:16
    #30 0x7f49b6af578a in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1122:11
    #31 0x7f49b6afb4a5 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
    #32 0x7f49b432a0b3 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1382:17
    #33 0x7f49b3c114d7 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4632:28
    #34 0x7f49b3c11225 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:4602:10
    #35 0x7f49b3f8102f in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7887:3
    #36 0x7f49b407494a in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:12
    #37 0x7f49b407494a in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1169:12
    #38 0x7f49b407494a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1216:13
    #39 0x7f49b0c7fc8f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:114:20
    #40 0x7f49b0c93eb9 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:553:16
    #41 0x7f49b0c8a24c in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:867:26
    #42 0x7f49b0c87518 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:698:15
    #43 0x7f49b0c87c31 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:464:36
    #44 0x7f49b0c99d91 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:188:37
    #45 0x7f49b0c99d91 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:547:5
    #46 0x7f49b0cbe69e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1239:16
    #47 0x7f49b0cc8c14 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:477:10
    #48 0x7f49b24a598e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #49 0x7f49b2323507 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #50 0x7f49b2323507 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #51 0x7f49b2323507 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #52 0x7f49b99cb489 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #53 0x7f49be9bdf38 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:738:20
    #54 0x7f49b2323507 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #55 0x7f49b2323507 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #56 0x7f49b2323507 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #57 0x7f49be9bd6cf in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:673:34
    #58 0x55fd440b3884 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #59 0x55fd440b3d47 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:353:18
    #60 0x7f49d3964082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:525:7 in nsCOMPtr
Shadow bytes around the buggy address:
  0x0c2480039fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2480039fc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2480039fd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2480039fe0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2480039ff0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c248003a000: fa fa fa fa fa fa fa fa[fd]fd fd fd fd fd fd fd
  0x0c248003a010: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248003a020: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c248003a030: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c248003a040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c248003a050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Comment 1

[:Gijs (he/him)]

The top stack frame looks similar to bug 1779628 which was duped to bug 1779762 and fixed there - but this is happening with current m-c.

Filing this in Web Audio makes sense given the bits of the stack lower down, but I wonder if the JS team has context for this - Yulia, can you help disambiguate?

Comment 2

[Yulia Startsev [:yulia]]

It looks like this is related to the recent landing of modules in worklets in m-c. CC'ing yoshi in case this looks familiar. I will take a detailed look in a bit.

Comment 3

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/yMJbLtggn8WL5lm17hp7OA/index.html

Comment 4

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

(In reply to Tyson Smith [:tsmith] from comment #0)

A test case will be attached once reduction is complete.

Hi Tyson
Can you attach the test case? Without the reduction is also fine.

Thanks

Comment 5

[Tyson Smith [:tsmith]]

I'm still working on it. It seems to be very unreliable when it's mostly reduced.

The unreduced test case is too complex to be useful, the Pernosco session should provide all the required information.

Comment 6

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 7

[Bugmon [:jkratzer for issues]]

Unable to reproduce bug 1823568 using build mozilla-central 20230320162746-caabe78a05ae. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Comment 8

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

Hi Tyson
How do I reproduce the crash with the testcase.html (See comment 6) you provided?

I've tried https://github.com/MozillaSecurity/fuzzfetch
Use the build generated from

python -m fuzzfetch --asan --fuzzing  -n firefox-asan

to run the testcase.html, but didn't work

I also tried ASAN build with fuzzing enabled
https://firefox-source-docs.mozilla.org/tools/sanitizer/asan.html
with the following options

ac_add_options --enable-fuzzing
ac_add_options --enable-snapshot-fuzzing

But still cannot reproduce the crash with the testcase.html.

Did I miss something? Or what's the correct build to run the testcase.html?

Thanks

Comment 9

[Andrew McCreight [:mccr8]]

To get FuzzingFunctions.garbageCollect() to work, you need a fuzzing build, and you also have to set the fuzzing.enabled pref to true. Maybe that's the issue? (You could also trigger the GC in other ways. For instance, in a Mochitest I think SpecialPowers.forceGC() should do the same thing, even in a non-fuzzing build.

Comment 10

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

(In reply to Andrew McCreight [:mccr8] from comment #9)

To get FuzzingFunctions.garbageCollect() to work, you need a fuzzing build, and you also have to set the fuzzing.enabled pref to true. Maybe that's the issue?

I do have built a fuzzing build (Comment 8, --enable-fuzzing, and --enable-snapshot-fuzzing)
according to https://searchfox.org/mozilla-central/rev/6fc2f6d5335fb6f70f780b5fea5ed77b0719c3b5/modules/libpref/init/StaticPrefList.yaml#5361

You could also trigger the GC in other ways. For instance, in a Mochitest I think SpecialPowers.forceGC() should do the same thing, even in a non-fuzzing build.

Yes, I have tried to call SpecialPowers.gc() (and forceGC()) when converting the testcase to mochitest, but still couldn't reproduce it when running mochitest.

Comment 11

[Tyson Smith [:tsmith]]

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

You could also serve the test case from a local web server and create a prefs file with fuzzing.enabled=true but Grizzly does all of that automatically.

Is Pernosco session insufficient?

Comment 12

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

(In reply to Tyson Smith [:tsmith] from comment #11)

Is Pernosco session insufficient?

It's sufficient, just I want to write a test case for it.
Thanks

Comment 13

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

(In reply to Tyson Smith [:tsmith] from comment #11)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

I still couldn't reproduce it, even though I have added '--repeat 50' to run it.

But anyways, the problem is the Document's URI has been sent to another URI (mp4 -> vtt), so the original document URI has been released.

See the pernosco stack trace

When the worklet thread starts to create the ModuleLoadRequest, the referrer (got from the original document's GetDocumentURIAsReferrer()) has been freed, which caused the heap-use-after-free problem.

Comment 14

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

Attachment: Bug 1823568: Hold referrer with nsCOMPtr in StartModuleLoadRunnable.

We use a nsCOMPtr to hold referrer to prevent it from being freed before the
Worklet thread starts.

Comment 15

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

Attachment: Bug 1823568: Hold referrer with nsCOMPtr in StartModuleLoadRunnable.

We use a nsCOMPtr to hold referrer to prevent it from being freed before the
Worklet thread starts.

Original Revision: https://phabricator.services.mozilla.com/D173816

Comment 16

[Yoshi Cheng-Hao Huang [:allstars.chh][:allstarschh][:yoshi]]

Attachment: Bug 1823568: Hold referrer with nsCOMPtr in StartModuleLoadRunnable.

We use a nsCOMPtr to hold referrer to prevent it from being freed before the
Worklet thread starts.

Original Revision: https://phabricator.services.mozilla.com/D173816

Comment 17

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/bef227abfa01