Closed Bug 1828992 Opened 1 year ago Closed 1 year ago

Land the test for bug 1828130

Categories

(Core :: DOM: Workers, defect, P3)

x86_64
Linux
defect

Tracking

RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- fixed
firefox112 --- unaffected
firefox113 --- wontfix
firefox114 --- wontfix
firefox116 --- wontfix
firefox117 --- fixed
firefox118 --- fixed

People

(Reporter: allstars.chh, Assigned: allstars.chh)

References

Details

(Keywords: sec-other, Whiteboard: [adv-main117-])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #1828130 +++

Testcase found while fuzzing mozilla-central rev 5c9aa60ea6f4 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 5c9aa60ea6f4 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
AddressSanitizer: heap-use-after-free [@ AddRef] with READ of size 8

    =================================================================
    ==2746764==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110000e2580 at pc 0x7f87244874b1 bp 0x7f86fd1f8670 sp 0x7f86fd1f8668
    READ of size 8 at 0x6110000e2580 thread T20
        #0 0x7f87244874b0 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:53:39
        #1 0x7f87244874b0 in AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:419:35
        #2 0x7f87244874b0 in assign_with_AddRef /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:64:7
        #3 0x7f87244874b0 in operator= /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:210:5
        #4 0x7f87244874b0 in SetScriptLoader /builds/worker/workspace/obj-build/dist/include/mozilla/dom/workerinternals/WorkerModuleLoader.h:49:13
        #5 0x7f87244874b0 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:3
        #6 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
        #7 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
        #8 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
        #9 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
        #10 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #11 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #12 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
        #13 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
        #14 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
        #15 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
        #16 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
        #17 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
        #18 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
        #19 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
        #20 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
        #21 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
        #22 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
        #23 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
        #24 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
        #25 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
        #26 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
        #27 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
        #28 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
        #29 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
        #30 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #31 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #32 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
        #33 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
        #34 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
        #35 0x7f872434ddb4 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:1749:3
        #36 0x7f87243d6e0a in mozilla::dom::(anonymous namespace)::CompileScriptRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/WorkerPrivate.cpp:380:5
        #37 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
        #38 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #39 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #40 0x7f872439f0f1 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /dom/workers/WorkerPrivate.cpp:3280:7
        #41 0x7f872436c7ee in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /dom/workers/RuntimeService.cpp:2149:42
        #42 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #43 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #44 0x7f871b8c4c11 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:300:20
        #45 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #46 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #47 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #48 0x7f8719ccdbf2 in nsThread::ThreadFunc(void*) /xpcom/threads/nsThread.cpp:391:10
        #49 0x7f873feeab5f in _pt_root /nsprpub/pr/src/pthreads/ptthread.c:201:5
        #50 0x7f8740694b42 in start_thread nptl/pthread_create.c:442:8
        #51 0x7f87407269ff  misc/../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
    
    0x6110000e2580 is located 0 bytes inside of 200-byte region [0x6110000e2580,0x6110000e2648)
    freed by thread T20 here:
        #0 0x55aff30ac826 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
        #1 0x7f872434858a in mozilla::dom::workerinternals::loader::WorkerScriptLoader::Release() /dom/workers/ScriptLoader.cpp:1284:1
        #2 0x7f872433c2dd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:54:40
        #3 0x7f872433c2dd in Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:420:36
        #4 0x7f872433c2dd in ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7
        #5 0x7f872433c2dd in mozilla::dom::workerinternals::loader::WorkerScriptLoader::WorkerScriptLoader(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsISerialEventTarget*, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&) /dom/workers/ScriptLoader.cpp:519:1
        #6 0x7f87244872cf in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:23
        #7 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
        #8 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
        #9 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
        #10 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
        #11 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #12 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #13 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
        #14 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
        #15 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
        #16 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
        #17 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
        #18 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
        #19 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
        #20 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
        #21 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
        #22 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
        #23 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
        #24 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
        #25 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
        #26 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
        #27 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
        #28 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
        #29 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
        #30 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
        #31 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #32 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #33 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
        #34 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
        #35 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
    
    previously allocated by thread T20 here:
        #0 0x55aff30acace in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x55aff30efd75 in moz_xmalloc /memory/mozalloc/mozalloc.cpp:52:15
        #2 0x7f8724487249 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
        #3 0x7f8724487249 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImportLoader() /dom/workers/loader/WorkerModuleLoader.cpp:70:19
        #4 0x7f8724487612 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::CreateDynamicImport(JSContext*, nsIURI*, JS::loader::LoadedScript*, JS::Handle<JS::Value>, JS::Handle<JSString*>, JS::Handle<JSObject*>) /dom/workers/loader/WorkerModuleLoader.cpp:83:3
        #5 0x7f871bb10030 in JS::loader::ModuleLoaderBase::HostImportModuleDynamically(JSContext*, JS::Handle<JS::Value>, JS::Handle<JSObject*>, JS::Handle<JSObject*>) /js/loader/ModuleLoaderBase.cpp:317:47
        #6 0x7f872b240d46 in js::StartDynamicModuleImport(JSContext*, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /js/src/builtin/ModuleObject.cpp:2356:8
        #7 0x7f872b1b1ddf in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:4576:11
        #8 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #9 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #10 0x7f872b19a373 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:845:13
        #11 0x7f872b231651 in js::ModuleObject::execute(JSContext*, JS::Handle<js::ModuleObject*>) /js/src/builtin/ModuleObject.cpp:1284:10
        #12 0x7f872b521077 in InnerModuleEvaluation(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::GCVector<js::ModuleObject*, 0ul, js::SystemAllocPolicy>>, unsigned long, unsigned long*) /js/src/vm/Modules.cpp
        #13 0x7f872b513dba in js::ModuleEvaluate(JSContext*, JS::Handle<js::ModuleObject*>, JS::MutableHandle<JS::Value>) /js/src/vm/Modules.cpp:1280:13
        #14 0x7f871bb1ddf9 in JS::loader::ModuleLoaderBase::EvaluateModuleInContext(JSContext*, JS::loader::ModuleLoadRequest*, JS::ModuleErrorBehaviour) /js/loader/ModuleLoaderBase.cpp:1233:13
        #15 0x7f871bb1d512 in JS::loader::ModuleLoaderBase::EvaluateModule(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:1175:10
        #16 0x7f8724341b91 in EvaluateModule /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:113:47
        #17 0x7f8724341b91 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::EvaluateScript(JSContext*, JS::loader::ScriptLoadRequest*) /dom/workers/ScriptLoader.cpp:1126:28
        #18 0x7f87243411d9 in mozilla::dom::workerinternals::loader::WorkerScriptLoader::ProcessPendingRequests(JSContext*) /dom/workers/ScriptLoader.cpp:848:10
        #19 0x7f8724488be5 in mozilla::dom::workerinternals::loader::WorkerModuleLoader::OnModuleLoadComplete(JS::loader::ModuleLoadRequest*) /dom/workers/loader/WorkerModuleLoader.cpp:186:28
        #20 0x7f871bb0c6ad in JS::loader::ModuleLoadRequest::LoadFinished() /js/loader/ModuleLoadRequest.cpp:213:12
        #21 0x7f871bb0cee2 in JS::loader::ModuleLoadRequest::DependenciesLoaded() /js/loader/ModuleLoadRequest.cpp:179:3
        #22 0x7f871bb0c019 in JS::loader::ModuleLoaderBase::StartFetchingModuleDependencies(JS::loader::ModuleLoadRequest*) /js/loader/ModuleLoaderBase.cpp:853:15
        #23 0x7f871bb15ff1 in JS::loader::ModuleLoaderBase::OnFetchComplete(JS::loader::ModuleLoadRequest*, nsresult) /js/loader/ModuleLoaderBase.cpp:568:5
        #24 0x7f872434c6b1 in OnFetchComplete /builds/worker/workspace/obj-build/dist/include/js/loader/ModuleLoadRequest.h:108:21
        #25 0x7f872434c6b1 in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::ProcessModuleScript(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1568:18
        #26 0x7f872434ce9c in mozilla::dom::workerinternals::loader::ScriptExecutorRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /dom/workers/ScriptLoader.cpp:1618:12
        #27 0x7f87243be6b4 in mozilla::dom::WorkerRunnable::Run() /dom/workers/WorkerRunnable.cpp:377:12
        #28 0x7f8719cd795b in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1233:16
        #29 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #30 0x7f87243aa66b in mozilla::dom::WorkerPrivate::RunCurrentSyncLoop() /dom/workers/WorkerPrivate.cpp:4374:9
        #31 0x7f87216a9fc5 in mozilla::dom::AutoSyncLoopHolder::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/dom/WorkerPrivate.h:1608:27
        #32 0x7f872434e572 in mozilla::dom::workerinternals::(anonymous namespace)::LoadAllScripts(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTArray<nsTString<char16_t>> const&, bool, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:254:16
        #33 0x7f872434ddb4 in mozilla::dom::workerinternals::LoadMainScript(mozilla::dom::WorkerPrivate*, mozilla::UniquePtr<mozilla::dom::SerializedStackHolder, mozilla::DefaultDelete<mozilla::dom::SerializedStackHolder>>, nsTSubstring<char16_t> const&, mozilla::dom::WorkerScriptType, mozilla::ErrorResult&, mozilla::Encoding const*) /dom/workers/ScriptLoader.cpp:1749:3
    
    Thread T20 created by T0 (Isolated Web Co) here:
        #0 0x55aff30951da in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
        #1 0x7f873fed92c4 in _PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:458:14
        #2 0x7f873fec6ebe in PR_CreateThread /nsprpub/pr/src/pthreads/ptthread.c:533:12
        #3 0x7f8719cd19bc in nsThread::Init(nsTSubstring<char> const&) /xpcom/threads/nsThread.cpp:633:18
        #4 0x7f87243d18ea in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /dom/workers/WorkerThread.cpp:102:7
        #5 0x7f8724331737 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1331:37
        #6 0x7f872433007c in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /dom/workers/RuntimeService.cpp:1213:19
        #7 0x7f872439759b in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /dom/workers/WorkerPrivate.cpp:2653:24
        #8 0x7f872434ef26 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /dom/workers/Worker.cpp:43:41
        #9 0x7f871fb6ef17 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1173:52
        #10 0x7f872b198e29 in CallJSNative /js/src/vm/Interpreter.cpp:486:13
        #11 0x7f872b198e29 in CallJSNativeConstructor /js/src/vm/Interpreter.cpp:502:8
        #12 0x7f872b198e29 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /js/src/vm/Interpreter.cpp:727:10
        #13 0x7f872b1bace8 in ConstructFromStack /js/src/vm/Interpreter.cpp:755:10
        #14 0x7f872b1bace8 in js::Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:3380:16
        #15 0x7f872b194988 in MaybeEnterInterpreterTrampoline /js/src/vm/Interpreter.cpp:400:10
        #16 0x7f872b194988 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:458:13
        #17 0x7f872b195d9c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /js/src/vm/Interpreter.cpp:612:13
        #18 0x7f872b197d16 in InternalCall /js/src/vm/Interpreter.cpp:647:10
        #19 0x7f872b197d16 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /js/src/vm/Interpreter.cpp:679:8
        #20 0x7f872b303910 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /js/src/vm/CallAndConstruct.cpp:117:10
        #21 0x7f87200a88ef in mozilla::dom::EventListener::HandleEvent(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventListenerBinding.cpp:62:8
        #22 0x7f872150a4a6 in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventListenerBinding.h:65:12
        #23 0x7f8721509d7c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /dom/events/EventListenerManager.cpp:1327:43
        #24 0x7f872150b738 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /dom/events/EventListenerManager.cpp:1502:17
        #25 0x7f87214f37b3 in HandleEvent /builds/worker/workspace/obj-build/dist/include/mozilla/EventListenerManager.h:395:5
        #26 0x7f87214f37b3 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:347:17
        #27 0x7f87214f1986 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /dom/events/EventDispatcher.cpp:549:16
        #28 0x7f87214f7004 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /dom/events/EventDispatcher.cpp:1122:11
        #29 0x7f87214fe351 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /dom/events/EventDispatcher.cpp
        #30 0x7f871debf553 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /dom/base/nsINode.cpp:1390:17
        #31 0x7f871d572c07 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /dom/base/nsContentUtils.cpp:4645:28
        #32 0x7f871d572954 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /dom/base/nsContentUtils.cpp:4615:10
        #33 0x7f871da17fc3 in mozilla::dom::Document::DispatchContentLoadedEvents() /dom/base/Document.cpp:8008:3
        #34 0x7f871db42b7b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
        #35 0x7f871db42b7b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:60:14
        #36 0x7f871db42b7b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/bits/invoke.h:95:14
        #37 0x7f871db42b7b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1662:14
        #38 0x7f871db42b7b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/7/../../../../include/c++/7/tuple:1671:14
        #39 0x7f871db42b7b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
        #40 0x7f871db42b7b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
        #41 0x7f8719c8bef0 in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:114:20
        #42 0x7f8719ca6ade in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:553:16
        #43 0x7f8719c9768d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:869:26
        #44 0x7f8719c947e7 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:700:15
        #45 0x7f8719c950cf in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:464:36
        #46 0x7f8719cac3a1 in operator() /xpcom/threads/TaskController.cpp:191:37
        #47 0x7f8719cac3a1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /xpcom/threads/nsThreadUtils.h:548:5
        #48 0x7f8719cd70cb in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1239:16
        #49 0x7f8719ce4874 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:479:10
        #50 0x7f871b8c33ee in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #51 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #52 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #53 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #54 0x7f8724ff8d29 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:148:27
        #55 0x7f872ad3f578 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:738:20
        #56 0x7f871b6eea6a in RunInternal /ipc/chromium/src/base/message_loop.cc:369:10
        #57 0x7f871b6eea6a in RunHandler /ipc/chromium/src/base/message_loop.cc:362:3
        #58 0x7f871b6eea6a in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:344:3
        #59 0x7f872ad3ec7a in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:673:34
        #60 0x55aff30eab5e in content_process_main /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #61 0x55aff30eab5e in main /browser/app/nsBrowserApp.cpp:375:18
        #62 0x7f8740629d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    
    SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:53:39 in AddRef
    ==2746764==ABORTING
Group: core-security

Set release status flags based on info from the regressing bug 1540913

Group: core-security → dom-core-security
Whiteboard: [bugmon:bisected,confirmed]
No longer blocks: domino
Severity: -- → S3
Priority: -- → P3
Keywords: regression
No longer regressed by: 1540913

There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:allstars.chh, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit the BugBot documentation.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(allstars.chh)

https://firefox-source-docs.mozilla.org/bug-mgmt/processes/fixing-security-bugs.html#landing-your-patch

Tests should only be checked in later, after an official Firefox release that contains the fix has been live for at least four weeks

The fix is in Firefox 114, https://bugzilla.mozilla.org/show_bug.cgi?id=1828130#c12
Firefox 114 is released on Jun. 6, so this test should be checked in 4 weeks after Jun. 6, which should be Jul. 6.

Flags: needinfo?(jcoppeard)
Flags: needinfo?(allstars.chh)
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → 118 Branch
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [adv-main117-]
Group: core-security-release