Closed Bug 1836883 Opened 3 years ago Closed 3 years ago

[rust 1.70] Perma SUMMARY: ThreadSanitizer: heap-use-after-free /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:1386:9 in core::ptr::write::hef20bad9c2fce732

Categories

(Core :: Internationalization: Localization, defect)

Product:
Core
Component:
Internationalization: Localization
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
116 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- fixed
firefox114 --- fixed
firefox115 --- fixed
firefox116 --- fixed

People

(Reporter: intermittent-bug-filer, Assigned: glandium)

References

Details

(Keywords: csectype-undefined, sec-high, Whiteboard: [doesn't affect compilers we currently use to ship Firefox])

Attachments

(1 file)

Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.
48 bytes, text/x-phabricator-request
dmeehan
: approval-mozilla-beta+
pascalc
: approval-mozilla-release+
dmeehan
: approval-mozilla-esr102+
Details | Review

Filed by: mh [at] glandium.org
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=418177368&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/fBv-0yITTeqe5kwHHF2dkQ/runs/0/artifacts/public/logs/live_backing.log

[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 | WARNING: ThreadSanitizer: heap-use-after-free (pid=22300)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |   Write of size 8 at 0x7b080001cb00 by main thread:
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #0 core::ptr::write::hef20bad9c2fce732 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:1386:9 (libxul.so+0xd701034) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #1 core::mem::replace::h1489adeb292f3c50 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/mem/mod.rs:910:9 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #2 core::cell::Cell$LT$T$GT$::replace::hec24fc1c1d69e262 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/cell.rs:462:9 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #3 core::cell::Cell$LT$T$GT$::set::h84708a9308299c8f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/cell.rs:412:24 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #4 alloc::rc::RcInnerPtr::dec_strong::hbf7d259e7e98083d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/rc.rs:2650:27 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #5 _$LT$alloc..rc..Rc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd26502cf8fc0379d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/rc.rs:1606:13 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #6 core::ptr::drop_in_place$LT$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$GT$::h8e3d666c02564d8f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #7 core::ptr::drop_in_place$LT$$u5b$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$u5d$$GT$::h8a45642fe96f9da4 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.170Z] 21:42:03     INFO -  PID 22300 |     #8 _$LT$alloc..vec..Vec$LT$T$C$A$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd6543e3f2a93539d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:3018:13 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.171Z] 21:42:03     INFO -  PID 22300 |     #9 core::ptr::drop_in_place$LT$alloc..vec..Vec$LT$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$GT$$GT$::hb7193fa56384f15b /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.171Z] 21:42:03     INFO -  PID 22300 |     #10 core::ptr::drop_in_place$LT$fluent_bundle..bundle..FluentBundle$LT$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$C$intl_memoizer..IntlLangMemoizer$GT$$GT$::hedabece17b192202 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.172Z] 21:42:03     INFO -  PID 22300 |     #11 core::ptr::drop_in_place$LT$alloc..boxed..Box$LT$fluent_bundle..bundle..FluentBundle$LT$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$C$intl_memoizer..IntlLangMemoizer$GT$$GT$$GT$::h9db66a5f19981261 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.173Z] 21:42:03     INFO -  PID 22300 |     #12 fluent_bundle_destroy /builds/worker/checkouts/gecko/intl/l10n/rust/fluent-ffi/src/bundle.rs:227:34 (libxul.so+0xd701034)
[task 2023-06-05T21:42:03.173Z] 21:42:03     INFO -  PID 22300 |     #13 operator() /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentBindings.h:28:5 (libxul.so+0x45a6a02) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.174Z] 21:42:03     INFO -  PID 22300 |     #14 reset /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:301:7 (libxul.so+0x45a6a02)
[task 2023-06-05T21:42:03.174Z] 21:42:03     INFO -  PID 22300 |     #15 ~UniquePtr /builds/worker/workspace/obj-build/dist/include/mozilla/UniquePtr.h:249:18 (libxul.so+0x45a6a02)
[task 2023-06-05T21:42:03.175Z] 21:42:03     INFO -  PID 22300 |     #16 ~FluentBundle /builds/worker/checkouts/gecko/intl/l10n/FluentBundle.cpp:123:63 (libxul.so+0x45a6a02)
[task 2023-06-05T21:42:03.175Z] 21:42:03     INFO -  PID 22300 |     #17 DeleteCycleCollectable /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentBundle.h:63:3 (libxul.so+0x45a6a02)
[task 2023-06-05T21:42:03.176Z] 21:42:03     INFO -  PID 22300 |     #18 mozilla::intl::FluentBundle::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentBundle.h:63:3 (libxul.so+0x45a6a02)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #19 MaybeKillObject /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2486:29 (libxul.so+0x439c55a) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #20 SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2511:9 (libxul.so+0x439c55a)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #21 void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:984:27 (libxul.so+0x43892a1) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #22 nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2679:14 (libxul.so+0x4389d7e) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #23 nsCycleCollector_doDeferredDeletionWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3971:28 (libxul.so+0x4390535) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.183Z] 21:42:03     INFO -  PID 22300 |     #24 AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:159:9 (libxul.so+0x5363097) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.184Z] 21:42:03     INFO -  PID 22300 |     #25 IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:326:22 (libxul.so+0x44a46e4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.184Z] 21:42:03     INFO -  PID 22300 |     #26 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16 (libxul.so+0x4472e22) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.184Z] 21:42:03     INFO -  PID 22300 |     #27 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26 (libxul.so+0x446bdd4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.184Z] 21:42:03     INFO -  PID 22300 |     #28 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:744:15 (libxul.so+0x446a4d8) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.185Z] 21:42:03     INFO -  PID 22300 |     #29 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36 (libxul.so+0x446a69f) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.186Z] 21:42:03     INFO -  PID 22300 |     #30 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37 (libxul.so+0x44755a4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.186Z] 21:42:03     INFO -  PID 22300 |     #31 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x44755a4)
[task 2023-06-05T21:42:03.187Z] 21:42:03     INFO -  PID 22300 |     #32 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16 (libxul.so+0x448cc8d) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.187Z] 21:42:03     INFO -  PID 22300 |     #33 NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:444:19 (libxul.so+0x4488f53) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.188Z] 21:42:03     INFO -  PID 22300 |     #34 mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /builds/worker/checkouts/gecko/xpcom/base/AppShutdown.cpp:398:5 (libxul.so+0x43444ce) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.188Z] 21:42:03     INFO -  PID 22300 |     #35 mozilla::AppShutdown::AdvanceShutdownPhase(mozilla::ShutdownPhase, char16_t const*, nsCOMPtr<nsISupports> const&) /builds/worker/checkouts/gecko/xpcom/base/AppShutdown.cpp:456:3 (libxul.so+0x4344847) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.189Z] 21:42:03     INFO -  PID 22300 |     #36 mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:576:5 (libxul.so+0x44d11fd) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.189Z] 21:42:03     INFO -  PID 22300 |     #37 NS_ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:542:10 (libxul.so+0x44d1135) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.190Z] 21:42:03     INFO -  PID 22300 |     #38 XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1436:8 (libxul.so+0x536d6f2) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.190Z] 21:42:03     INFO -  PID 22300 |     #39 mozilla::BootstrapImpl::XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:54:12 (libxul.so+0xc10308b) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.191Z] 21:42:03     INFO -  PID 22300 |     #40 main /builds/worker/checkouts/gecko/js/xpconnect/shell/xpcshell.cpp:81:27 (xpcshell+0x133ac0) (BuildId: 54bd7801c9eac3621db76eac0ad7efcd24891b38)
[task 2023-06-05T21:42:03.192Z] 21:42:03     INFO -  PID 22300 |   Previous write of size 8 at 0x7b080001cb00 by main thread:
[task 2023-06-05T21:42:03.193Z] 21:42:03     INFO -  PID 22300 |     #0 free /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:751:3 (xpcshell+0xaa025) (BuildId: 54bd7801c9eac3621db76eac0ad7efcd24891b38)
[task 2023-06-05T21:42:03.194Z] 21:42:03     INFO -  PID 22300 |     #1 std::sys::unix::alloc::_$LT$impl$u20$core..alloc..global..GlobalAlloc$u20$for$u20$std..alloc..System$GT$::dealloc::h740a33c2aa94d9bc /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/sys/unix/alloc.rs:42:9 (libxul.so+0xddd5fd6) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.195Z] 21:42:03     INFO -  PID 22300 |     #2 __rdl_dealloc /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/std/src/alloc.rs:389:25 (libxul.so+0xddd5fd6)
[task 2023-06-05T21:42:03.196Z] 21:42:03     INFO -  PID 22300 |     #3 alloc::alloc::dealloc::h51ba2b0c5fede5a6 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:111:14 (libxul.so+0xd70c4a0) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.197Z] 21:42:03     INFO -  PID 22300 |     #4 _$LT$alloc..alloc..Global$u20$as$u20$core..alloc..Allocator$GT$::deallocate::h45c4c3d2dda7b005 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/alloc.rs:248:22 (libxul.so+0xd70c4a0)
[task 2023-06-05T21:42:03.197Z] 21:42:03     INFO -  PID 22300 |     #5 _$LT$alloc..rc..Rc$LT$T$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hd26502cf8fc0379d /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/alloc/src/rc.rs:1616:21 (libxul.so+0xd70c4a0)
[task 2023-06-05T21:42:03.198Z] 21:42:03     INFO -  PID 22300 |     #6 core::ptr::drop_in_place$LT$alloc..rc..Rc$LT$fluent_bundle..resource..FluentResource$GT$$GT$::h8e3d666c02564d8f /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:490:1 (libxul.so+0xd70c4a0)
[task 2023-06-05T21:42:03.199Z] 21:42:03     INFO -  PID 22300 |     #7 fluent_resource_release /builds/worker/checkouts/gecko/intl/l10n/rust/fluent-ffi/src/resource.rs:38:30 (libxul.so+0xd70c4a0)
[task 2023-06-05T21:42:03.200Z] 21:42:03     INFO -  PID 22300 |     #8 Release /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentBindings.h:20:5 (libxul.so+0x45a662c) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.201Z] 21:42:03     INFO -  PID 22300 |     #9 Release /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:428:7 (libxul.so+0x45a662c)
[task 2023-06-05T21:42:03.202Z] 21:42:03     INFO -  PID 22300 |     #10 ~RefPtr /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:85:7 (libxul.so+0x45a662c)
[task 2023-06-05T21:42:03.203Z] 21:42:03     INFO -  PID 22300 |     #11 ~FluentResource /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentResource.h:37:37 (libxul.so+0x45a662c)
[task 2023-06-05T21:42:03.204Z] 21:42:03     INFO -  PID 22300 |     #12 mozilla::intl::FluentResource::~FluentResource() /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentResource.h:37:37 (libxul.so+0x45a662c)
[task 2023-06-05T21:42:03.205Z] 21:42:03     INFO -  PID 22300 |     #13 DeleteCycleCollectable /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentResource.h:22:3 (libxul.so+0x45a678e) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.206Z] 21:42:03     INFO -  PID 22300 |     #14 mozilla::intl::FluentResource::cycleCollection::DeleteCycleCollectable(void*) /builds/worker/workspace/obj-build/dist/include/mozilla/intl/FluentResource.h:22:3 (libxul.so+0x45a678e)
[task 2023-06-05T21:42:03.206Z] 21:42:03     INFO -  PID 22300 |     #15 MaybeKillObject /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2486:29 (libxul.so+0x439c55a) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.207Z] 21:42:03     INFO -  PID 22300 |     #16 SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2511:9 (libxul.so+0x439c55a)
[task 2023-06-05T21:42:03.208Z] 21:42:03     INFO -  PID 22300 |     #17 void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:984:27 (libxul.so+0x43892a1) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.209Z] 21:42:03     INFO -  PID 22300 |     #18 nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:2679:14 (libxul.so+0x4389d7e) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.209Z] 21:42:03     INFO -  PID 22300 |     #19 nsCycleCollector_doDeferredDeletionWithBudget(js::SliceBudget&) /builds/worker/checkouts/gecko/xpcom/base/nsCycleCollector.cpp:3971:28 (libxul.so+0x4390535) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.210Z] 21:42:03     INFO -  PID 22300 |     #20 AsyncFreeSnowWhite::Run() /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSRuntime.cpp:159:9 (libxul.so+0x5363097) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.211Z] 21:42:03     INFO -  PID 22300 |     #21 IdleRunnableWrapper::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:326:22 (libxul.so+0x44a46e4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.211Z] 21:42:03     INFO -  PID 22300 |     #22 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:555:16 (libxul.so+0x4472e22) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.212Z] 21:42:03     INFO -  PID 22300 |     #23 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:879:26 (libxul.so+0x446bdd4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.212Z] 21:42:03     INFO -  PID 22300 |     #24 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:744:15 (libxul.so+0x446a4d8) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.213Z] 21:42:03     INFO -  PID 22300 |     #25 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:491:36 (libxul.so+0x446a69f) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.213Z] 21:42:03     INFO -  PID 22300 |     #26 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:218:37 (libxul.so+0x44755a4) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.214Z] 21:42:03     INFO -  PID 22300 |     #27 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x44755a4)
[task 2023-06-05T21:42:03.214Z] 21:42:03     INFO -  PID 22300 |     #28 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1240:16 (libxul.so+0x448cc8d) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.215Z] 21:42:03     INFO -  PID 22300 |     #29 NS_ProcessPendingEvents(nsIThread*, unsigned int) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:444:19 (libxul.so+0x4488f53) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.216Z] 21:42:03     INFO -  PID 22300 |     #30 mozilla::AppShutdown::AdvanceShutdownPhaseInternal(mozilla::ShutdownPhase, bool, char16_t const*, nsCOMPtr<nsISupports> const&) /builds/worker/checkouts/gecko/xpcom/base/AppShutdown.cpp:398:5 (libxul.so+0x43444ce) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.216Z] 21:42:03     INFO -  PID 22300 |     #31 mozilla::AppShutdown::AdvanceShutdownPhase(mozilla::ShutdownPhase, char16_t const*, nsCOMPtr<nsISupports> const&) /builds/worker/checkouts/gecko/xpcom/base/AppShutdown.cpp:456:3 (libxul.so+0x4344847) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.217Z] 21:42:03     INFO -  PID 22300 |     #32 mozilla::ShutdownXPCOM(nsIServiceManager*) /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:576:5 (libxul.so+0x44d11fd) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.217Z] 21:42:03     INFO -  PID 22300 |     #33 NS_ShutdownXPCOM /builds/worker/checkouts/gecko/xpcom/build/XPCOMInit.cpp:542:10 (libxul.so+0x44d1135) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.218Z] 21:42:03     INFO -  PID 22300 |     #34 XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCShellImpl.cpp:1436:8 (libxul.so+0x536d6f2) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.219Z] 21:42:03     INFO -  PID 22300 |     #35 mozilla::BootstrapImpl::XRE_XPCShellMain(int, char**, char**, XREShellData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:54:12 (libxul.so+0xc10308b) (BuildId: 4540a2fedc7e6d6a6ebbbcf8445f3e561db6e820)
[task 2023-06-05T21:42:03.219Z] 21:42:03     INFO -  PID 22300 |     #36 main /builds/worker/checkouts/gecko/js/xpconnect/shell/xpcshell.cpp:81:27 (xpcshell+0x133ac0) (BuildId: 54bd7801c9eac3621db76eac0ad7efcd24891b38)
[task 2023-06-05T21:42:03.220Z] 21:42:03     INFO -  PID 22300 | SUMMARY: ThreadSanitizer: heap-use-after-free /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:1386:9 in core::ptr::write::hef20bad9c2fce732
[task 2023-06-05T21:42:03.221Z] 21:42:03     INFO -  PID 22300 | ==================
Blocks: rustc-1.70

This comes from new unexpected UB in the fluent FFI.

Assignee: nobody → mh+mozilla
Group: firefox-core-security → core-security
Component: Toolchains → Internationalization: Localization
Product: Firefox Build System → Core

It is unfortunately undefined behavior and leads with problems with LLVM
16.

Comment on attachment 9337621 [details]
Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.

Beta/Release Uplift Approval Request

  • User impact if declined: Downstream builds with a rust compiler using LLVM 16, or with cross-language LTO with LLVM 16 may be broken because of undefined behavior in rust code in Firefox.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): A straightforward change in function signatures that avoid the problem with LLVM 16 while retaining FFI compatibility.
  • String changes made/needed: N/A
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: See beta uplift approval request.
  • User impact if declined: See beta uplift approval request.
  • Fix Landed on Version: 116
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): See beta uplift approval request.
Attachment #9337621 - Flags: approval-mozilla-esr102?
Attachment #9337621 - Flags: approval-mozilla-beta?

If there is going to be a 114.0.1, we may also want it there.

I guess I'll mark this sec-high even though it doesn't affect any version of Firefox we ship ourselves? I'm not sure if that's right though.

Keywords: csectype-undefined, sec-high
Group: core-security → dom-core-security
Whiteboard: [doesn't affect compilers we currently use to ship Firefox]

I'm going to mark older release as "disabled" because we're not shipping this on any branches. As glandium said, it would be nice to take these patches for others doing their own builds on newer Rust versions.

status-firefox114: affecteddisabled
status-firefox115: affecteddisabled
status-firefox-esr102: affecteddisabled

https://hg.mozilla.org/mozilla-central/rev/0f67c08efde5

Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox116: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Comment on attachment 9337621 [details]
Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.

Approved for 115.0b3.

Attachment #9337621 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Comment on attachment 9337621 [details]
Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.

Per comment 4

Attachment #9337621 - Flags: approval-mozilla-release?

Comment on attachment 9337621 [details]
Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.

Approved for 102.13esr.

Attachment #9337621 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+

Comment on attachment 9337621 [details]
Bug 1836883. Avoid passing ref function arguments to Rc::from_raw.

Taking for 114.0.2 this week, thanks.

Attachment #9337621 - Flags: approval-mozilla-release? → approval-mozilla-release+
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: