Closed Bug 1839231 Opened 1 year ago Closed 1 year ago

heap-use-after-free in [@ mozilla::dom::Event::SetOwner]

Categories

(Core :: DOM: Workers, defect, P3)

Tracking

RESOLVED FIXED
116 Branch
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- unaffected
firefox114 --- unaffected
firefox115 --- unaffected
firefox116 --- fixed

People

(Reporter: tsmith, Assigned: edenchuang)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: csectype-uaf, regression, sec-high)

Attachments

(1 file)

Found while fuzzing m-c 20230609-2c6e3897f527 (--enable-address-sanitizer --enable-fuzzing)

A reliable test case is unavailable. It appears this was a short-lived bug, but I am logging it to be safe. This was first found with 20230609-2c6e3897f527 and last reported with 20230610-463e881a627c.

==308604==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000323500 at pc 0x7ff5188c37b5 bp 0x7ff4f8182440 sp 0x7ff4f8182438
READ of size 8 at 0x615000323500 thread T24 (DOM Worker)
    #0 0x7ff5188c37b4 in nsQueryInterfaceISupports::operator()(nsID const&, void**) const /gecko/xpcom/base/nsCOMPtr.cpp:13:23
    #1 0x7ff520339707 in operator() /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:161:39
    #2 0x7ff520339707 in assign_from_qi<mozilla::dom::EventTarget> /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:823:7
    #3 0x7ff520339707 in nsCOMPtr<mozilla::dom::EventTarget> /builds/worker/workspace/obj-build/dist/include/nsCOMPtr.h:478:5
    #4 0x7ff520339707 in mozilla::dom::Event::SetOwner(mozilla::dom::EventTarget*) /gecko/dom/events/Event.cpp:826:25
    #5 0x7ff520339068 in ConstructorInit /gecko/dom/events/Event.cpp:62:3
    #6 0x7ff520339068 in mozilla::dom::Event::Event(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*) /gecko/dom/events/Event.cpp:53:3
    #7 0x7ff520344039 in NS_NewDOMEvent(mozilla::dom::EventTarget*, nsPresContext*, mozilla::WidgetEvent*) /gecko/dom/events/Event.cpp:885:26
    #8 0x7ff5202e28cb in mozilla::DOMEventTargetHelper::DispatchTrustedEvent(nsTSubstring<char16_t> const&) /gecko/dom/events/DOMEventTargetHelper.cpp:187:25
    #9 0x7ff5222446e8 in mozilla::dom::NotificationWorkerRunnable::WorkerRun(JSContext*, mozilla::dom::WorkerPrivate*) /gecko/dom/notification/Notification.cpp:324:5
    #10 0x7ff52324e9e8 in mozilla::dom::WorkerRunnable::Run() /gecko/dom/workers/WorkerRunnable.cpp:372:12
    #11 0x7ff518b095c9 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1193:16
    #12 0x7ff518b16ca4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #13 0x7ff52322dde0 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3341:7
    #14 0x7ff5231fe921 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2141:42
    #15 0x7ff518b095c9 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1193:16
    #16 0x7ff518b16ca4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #17 0x7ff51a71a851 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #18 0x7ff51a546e8a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #19 0x7ff51a546e8a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #20 0x7ff51a546e8a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #21 0x7ff518b0062a in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
    #22 0x7ff53f1d3b3f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #23 0x7ff53fc16608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8
    #24 0x7ff53f7c1132 in __clone /build/glibc-SzIz7B/glibc-2.31/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95

0x615000323500 is located 0 bytes inside of 488-byte region [0x615000323500,0x6150003236e8)
freed by thread T24 (DOM Worker) here:
    #0 0x55c4059063a6 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7ff5188d57c6 in SnowWhiteKiller::~SnowWhiteKiller() /gecko/xpcom/base/nsCycleCollector.cpp:2473:7
    #2 0x7ff5188d462e in nsCycleCollector::FreeSnowWhite(bool) /gecko/xpcom/base/nsCycleCollector.cpp:2663:3
    #3 0x7ff5188df967 in nsCycleCollector::BeginCollection(mozilla::CCReason, ccIsManual, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3655:3
    #4 0x7ff5188deb9d in nsCycleCollector::Collect(mozilla::CCReason, ccIsManual, js::SliceBudget&, nsICycleCollectorListener*, bool) /gecko/xpcom/base/nsCycleCollector.cpp:3479:9
    #5 0x7ff5188e2e11 in nsCycleCollector_collect(mozilla::CCReason, nsICycleCollectorListener*) /gecko/xpcom/base/nsCycleCollector.cpp:3990:28
    #6 0x7ff5232001ad in mozilla::dom::workerinternals::(anonymous namespace)::WorkerJSRuntime::CustomGCCallback(JSGCStatus) /gecko/dom/workers/RuntimeService.cpp:819:11
    #7 0x7ff51888986a in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus, JS::GCReason) /gecko/xpcom/base/CycleCollectedJSRuntime.cpp:1888:3
    #8 0x7ff52b0fc785 in callGCCallback /gecko/js/src/gc/GC.cpp:1408:3
    #9 0x7ff52b0fc785 in js::gc::GCRuntime::maybeCallGCCallback(JSGCStatus, JS::GCReason) /gecko/js/src/gc/GC.cpp:4079:3
    #10 0x7ff52b0fd87b in ~AutoCallGCCallbacks /gecko/js/src/gc/GC.cpp:4052:32
    #11 0x7ff52b0fd87b in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:4169:1
    #12 0x7ff52b0ff560 in js::gc::GCRuntime::collect(bool, js::SliceBudget const&, JS::GCReason) /gecko/js/src/gc/GC.cpp:4351:9
    #13 0x7ff52b100507 in js::gc::GCRuntime::startGC(JS::GCOptions, JS::GCReason, js::SliceBudget const&) /gecko/js/src/gc/GC.cpp:4437:5
    #14 0x7ff52b0e5978 in js::gc::GCRuntime::gcIfRequestedImpl(bool) /gecko/js/src/gc/GC.cpp:4625:5
    #15 0x7ff52322defd in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3348:9
    #16 0x7ff5231fe921 in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /gecko/dom/workers/RuntimeService.cpp:2141:42
    #17 0x7ff518b095c9 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1193:16
    #18 0x7ff518b16ca4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #19 0x7ff51a71a851 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:300:20
    #20 0x7ff51a546e8a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #21 0x7ff51a546e8a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #22 0x7ff51a546e8a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #23 0x7ff518b0062a in nsThread::ThreadFunc(void*) /gecko/xpcom/threads/nsThread.cpp:391:10
    #24 0x7ff53f1d3b3f in _pt_root /gecko/nsprpub/pr/src/pthreads/ptthread.c:201:5
    #25 0x7ff53fc16608 in start_thread /build/glibc-SzIz7B/glibc-2.31/nptl/pthread_create.c:477:8

previously allocated by thread T24 (DOM Worker) here:
    #0 0x55c40590664e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x55c405949965 in moz_xmalloc /gecko/memory/mozalloc/mozalloc.cpp:52:15
    #2 0x7ff5222315c5 in operator new /builds/worker/workspace/obj-build/dist/include/mozilla/cxxalloc.h:33:10
    #3 0x7ff5222315c5 in mozilla::dom::Notification::CreateInternal(nsIGlobalObject*, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::dom::NotificationOptions const&, mozilla::ErrorResult&) /gecko/dom/notification/Notification.cpp:913:39
    #4 0x7ff52222fe2a in mozilla::dom::Notification::CreateAndShow(JSContext*, nsIGlobalObject*, nsTSubstring<char16_t> const&, mozilla::dom::NotificationOptions const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /gecko/dom/notification/Notification.cpp:2212:7
    #5 0x7ff52222f98c in mozilla::dom::Notification::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::NotificationOptions const&, mozilla::ErrorResult&) /gecko/dom/notification/Notification.cpp:776:7
    #6 0x7ff51d8dfc73 in mozilla::dom::Notification_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/NotificationBinding.cpp:2323:58
    #7 0x7ff52a133b09 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:486:13
    #8 0x7ff52a133b09 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:502:8
    #9 0x7ff52a133b09 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:10
    #10 0x7ff52b40fc18 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /gecko/js/src/jit/BaselineIC.cpp:1570:10
    #11 0x19666f990e6b  (<unknown module>)
    #12 0x19666f996a08  (<unknown module>)
    #13 0x19666f998df5  (<unknown module>)
    #14 0x19666f9993db  (<unknown module>)
    #15 0x19666f98e4ed  (<unknown module>)
    #16 0x7ff52bde55c8 in EnterJit /gecko/js/src/jit/Jit.cpp:104:5
    #17 0x7ff52bde55c8 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /gecko/js/src/jit/Jit.cpp:213:10
    #18 0x7ff52a12f377 in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:448:32
    #19 0x7ff52a130a7c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:612:13
    #20 0x7ff52a1329f6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:647:10
    #21 0x7ff52a1329f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:679:8
    #22 0x7ff52a68c593 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1499:10
    #23 0x7ff52a249a8f in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:149:8
    #24 0x7ff52a59ea0f in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:2116:10
    #25 0x7ff52a59ea0f in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2174:12
    #26 0x7ff52a1308c3 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:486:13
    #27 0x7ff52a1308c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:12
    #28 0x7ff52a1329f6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:647:10
    #29 0x7ff52a1329f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:679:8
    #30 0x7ff52a28639b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #31 0x7ff51daf9693 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
    #32 0x7ff51889dcf6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
    #33 0x7ff51889dcf6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
    #34 0x7ff51889dcf6 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #35 0x7ff51887488b in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
    #36 0x7ff518875b8f in mozilla::CycleCollectedJSContext::AfterProcessTask(unsigned int) /gecko/xpcom/base/CycleCollectedJSContext.cpp:463:3
    #37 0x7ff518b09c46 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1237:24
    #38 0x7ff518b16ca4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #39 0x7ff52322dde0 in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /gecko/dom/workers/WorkerPrivate.cpp:3341:7

Thread T24 (DOM Worker) created by T0 (Isolated Web Co) here:
    #0 0x55c4058ee7ca in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:208:3
    #1 0x7ff53f1c22a4 in _PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14
    #2 0x7ff53f1afe9e in PR_CreateThread /gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12
    #3 0x7ff518b0431c in nsThread::Init(nsTSubstring<char> const&) /gecko/xpcom/threads/nsThread.cpp:634:18
    #4 0x7ff5232619ca in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /gecko/dom/workers/WorkerThread.cpp:101:7
    #5 0x7ff5231c7667 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1327:37
    #6 0x7ff5231c6004 in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /gecko/dom/workers/RuntimeService.cpp:1209:19
    #7 0x7ff5232264cc in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&) /gecko/dom/workers/WorkerPrivate.cpp:2679:24
    #8 0x7ff5231e4fe7 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /gecko/dom/workers/Worker.cpp:43:41
    #9 0x7ff51e9c4fdf in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/WorkerBinding.cpp:1178:52
    #10 0x7ff52a133b09 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:486:13
    #11 0x7ff52a133b09 in CallJSNativeConstructor /gecko/js/src/vm/Interpreter.cpp:502:8
    #12 0x7ff52a133b09 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:727:10
    #13 0x7ff52a1553c6 in ConstructFromStack /gecko/js/src/vm/Interpreter.cpp:755:10
    #14 0x7ff52a1553c6 in js::Interpret(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:3380:16
    #15 0x7ff52a12f63b in MaybeEnterInterpreterTrampoline /gecko/js/src/vm/Interpreter.cpp:400:10
    #16 0x7ff52a12f63b in js::RunScript(JSContext*, js::RunState&) /gecko/js/src/vm/Interpreter.cpp:458:13
    #17 0x7ff52a130a7c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:612:13
    #18 0x7ff52a1329f6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:647:10
    #19 0x7ff52a1329f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:679:8
    #20 0x7ff52a68c593 in js::CallSelfHostedFunction(JSContext*, JS::Handle<js::PropertyName*>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/SelfHosting.cpp:1499:10
    #21 0x7ff52a249a8f in AsyncFunctionResume(JSContext*, JS::Handle<js::AsyncFunctionGeneratorObject*>, ResumeKind, JS::Handle<JS::Value>) /gecko/js/src/vm/AsyncFunction.cpp:149:8
    #22 0x7ff52a59ea0f in AsyncFunctionPromiseReactionJob /gecko/js/src/builtin/Promise.cpp:2116:10
    #23 0x7ff52a59ea0f in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /gecko/js/src/builtin/Promise.cpp:2174:12
    #24 0x7ff52a1308c3 in CallJSNative /gecko/js/src/vm/Interpreter.cpp:486:13
    #25 0x7ff52a1308c3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:580:12
    #26 0x7ff52a1329f6 in InternalCall /gecko/js/src/vm/Interpreter.cpp:647:10
    #27 0x7ff52a1329f6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /gecko/js/src/vm/Interpreter.cpp:679:8
    #28 0x7ff52a28639b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /gecko/js/src/vm/CallAndConstruct.cpp:117:10
    #29 0x7ff51daf9693 in mozilla::dom::PromiseJobCallback::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/PromiseBinding.cpp:83:8
    #30 0x7ff51889dcf6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:198:12
    #31 0x7ff51889dcf6 in Call /builds/worker/workspace/obj-build/dist/include/mozilla/dom/PromiseBinding.h:211:12
    #32 0x7ff51889dcf6 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /gecko/xpcom/base/CycleCollectedJSContext.cpp:213:18
    #33 0x7ff51887488b in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /gecko/xpcom/base/CycleCollectedJSContext.cpp:676:17
    #34 0x7ff52035ee31 in LeaveMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:246:7
    #35 0x7ff52035ee31 in ~nsAutoMicroTask /builds/worker/workspace/obj-build/dist/include/mozilla/CycleCollectedJSContext.h:394:13
    #36 0x7ff52035ee31 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /gecko/dom/events/EventListenerManager.cpp:1243:3
    #37 0x7ff520360a29 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /gecko/dom/events/EventListenerManager.cpp:1427:21
    #38 0x7ff520348664 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:342:17
    #39 0x7ff520346151 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /gecko/dom/events/EventDispatcher.cpp:559:18
    #40 0x7ff52034c7ff in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /gecko/dom/events/EventDispatcher.cpp:1152:11
    #41 0x7ff5249420a6 in nsDocumentViewer::LoadComplete(nsresult) /gecko/layout/base/nsDocumentViewer.cpp:1082:7
    #42 0x7ff528ac8ea8 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /gecko/docshell/base/nsDocShell.cpp:6393:20
    #43 0x7ff528ac7a05 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp:5786:7
    #44 0x7ff528aca776 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /gecko/docshell/base/nsDocShell.cpp
    #45 0x7ff51ad4ce23 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:1380:3
    #46 0x7ff51ad4b5fd in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:978:14
    #47 0x7ff51ad46ac8 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /gecko/uriloader/base/nsDocLoader.cpp:797:9
    #48 0x7ff51ad49c1a in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /gecko/uriloader/base/nsDocLoader.cpp:680:5
    #49 0x7ff528b1e7ba in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /gecko/docshell/base/nsDocShell.cpp:13848:23
    #50 0x7ff518f0d2d3 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:631:22
    #51 0x7ff518f107f4 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /gecko/netwerk/base/nsLoadGroup.cpp:535:10
    #52 0x7ff51c84434e in DoUnblockOnload /gecko/dom/base/Document.cpp:11675:18
    #53 0x7ff51c84434e in mozilla::dom::Document::UnblockOnload(bool) /gecko/dom/base/Document.cpp:11613:9
    #54 0x7ff51c87cced in mozilla::dom::Document::DispatchContentLoadedEvents() /gecko/dom/base/Document.cpp:8145:3
    #55 0x7ff51c9b520b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1164:18
    #56 0x7ff51c9b520b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #57 0x7ff51c9b520b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #58 0x7ff51c9b520b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #59 0x7ff51c9b520b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1163:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #60 0x7ff51c9b520b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #61 0x7ff51c9b520b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1213:13
    #62 0x7ff518ad7a8a in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:555:16
    #63 0x7ff518ac29be in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:880:26
    #64 0x7ff518abf907 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:704:15
    #65 0x7ff518ac01ef in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:491:36
    #66 0x7ff518adf3d1 in operator() /gecko/xpcom/threads/TaskController.cpp:218:37
    #67 0x7ff518adf3d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:548:5
    #68 0x7ff518b091c3 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1199:16
    #69 0x7ff518b16ca4 in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:479:10
    #70 0x7ff51a71909e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #71 0x7ff51a546e8a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #72 0x7ff51a546e8a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #73 0x7ff51a546e8a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #74 0x7ff523e6ac49 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:148:27
    #75 0x7ff529cd945e in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:717:20
    #76 0x7ff51a546e8a in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #77 0x7ff51a546e8a in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #78 0x7ff51a546e8a in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #79 0x7ff529cd8b14 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:652:34
    #80 0x55c4059446de in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #81 0x55c4059446de in main /gecko/browser/app/nsBrowserApp.cpp:375:18
    #82 0x7ff53f6c6082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
Severity: -- → S2
Priority: -- → P3

It looks like a same-thread UAF when WorkerRun tries to create an Event for the notification.
I think this is a side effect of bug 1800659, since we call WorkerRun() instead of Cancel() for releasing resources.
It could be the case that the notification object has already been freed by GC after the Worker gets into the "Canceling" status.
However, a NotificationRunnable had already been dispatched and tries to execute WorkerRun() after the Worker is in the "Canceling" status.

Tyson, do we have a way to reproduce the bug?

Flags: needinfo?(twsmith)
Assignee: nobody → echuang
Status: NEW → ASSIGNED
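To make the ordering in comment 2 concrete, here is an added toy model (not Gecko code, and not the patch attached to this bug): a runnable is queued while the worker is alive, the worker then enters the canceling state and releases the notification, and only afterwards does the queued runnable run. The names WorkerGlobal, Notification and NotificationWorkerRunnable are stand-ins chosen for this example; the only behaviour taken from the bug is that WorkerRun() checks the global's liveness before dispatching.

```cpp
#include <deque>
#include <memory>
#include <string>

// Added illustration, not Gecko code: a toy model of the race described in
// comment 2. The class names are assumptions of this example, not the real
// Gecko types.

struct Notification {
  std::string title;
  int eventsDispatched = 0;
  void DispatchTrustedEvent(const std::string& /*type*/) { ++eventsDispatched; }
};

// Stands in for the worker's global object: it owns the notification and drops
// it when the worker enters the "Canceling" state, the way the cycle collector
// freed the object in the reported ASan trace.
struct WorkerGlobal {
  bool dying = false;
  std::unique_ptr<Notification> notification;

  bool IsDying() const { return dying; }
  void StartCanceling() {
    dying = true;
    notification.reset();  // the object the queued runnable wanted is now gone
  }
};

enum class RunResult { Dispatched, SkippedDying };

// A runnable queued while the worker was alive but executed only after the
// worker started canceling. An unguarded version that captured a raw
// Notification* at dispatch time and dereferenced it here would be the
// heap-use-after-free in the report. This version consults the global's
// liveness first and never touches a released object.
struct NotificationWorkerRunnable {
  WorkerGlobal* global;  // non-owning; the global outlives the queue in this model
  std::string eventType;

  RunResult WorkerRun() {
    if (global->IsDying() || !global->notification) {
      return RunResult::SkippedDying;  // nothing live to dispatch to: bail out
    }
    global->notification->DispatchTrustedEvent(eventType);
    return RunResult::Dispatched;
  }
};

// Orders the events as in the report: dispatch the runnable, let the worker
// start canceling (releasing the notification), then run the queued runnable.
RunResult RunCancelRace() {
  WorkerGlobal global;
  global.notification = std::make_unique<Notification>();
  std::deque<NotificationWorkerRunnable> queue;
  queue.push_back({&global, "show"});
  global.StartCanceling();
  RunResult r = queue.front().WorkerRun();
  queue.pop_front();
  return r;
}

// Control case: the worker stays alive, so the event is dispatched normally.
int RunNormal() {
  WorkerGlobal global;
  global.notification = std::make_unique<Notification>();
  NotificationWorkerRunnable r{&global, "show"};
  r.WorkerRun();
  return global.notification->eventsDispatched;
}

int main() {
  return (RunCancelRace() == RunResult::SkippedDying && RunNormal() == 1) ? 0 : 1;
}
```

The point of the model is the ordering: a liveness check at dispatch time is not enough when the runnable can be executed after the state changes, so the check has to happen in WorkerRun() itself, right before the object is used.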

Comment on attachment 9340264 [details]
Bug 1839231 - Checking nsIGlobalObject::IsDying() before dispatching Notification Event on Worker. r=#dom-worker-reviewers

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: It is not easy to create the situation since it happens with an edge case of race conditions.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which older supported branches are affected by this flaw?: 115
  • If not all supported branches, which bug introduced the flaw?: Bug 1800659
  • Do you have backports for the affected branches?: Yes
  • If not, how different, hard to create, and risky will they be?:
  • How likely is this patch to cause regressions; how much testing does it need?: The patch restores the case handling that NotificationEventWorkerRunnable had before bug 1800659 landed, so it is not expected to cause regressions.
  • Is Android affected?: Yes
Attachment #9340264 - Flags: sec-approval?

Comment on attachment 9340264 [details]
Bug 1839231 - Checking nsIGlobalObject::IsDying() before dispatching Notification Event on Worker. r=#dom-worker-reviewers

Approved to request uplift and land

Attachment #9340264 - Flags: sec-approval? → sec-approval+

(In reply to Eden Chuang[:edenchuang] from comment #2)

> Tyson, do we have a way to reproduce the bug?

Yes but the test case is unreduced and unreliable. It only seems to work on one of my available machines. I could likely get a Pernosco session if that would be helpful (I see you already have a patch).

Flags: needinfo?(twsmith) → needinfo?(echuang)

Checking nsIGlobalObject::IsDying() before dispatching Notification Event on Worker. r=dom-worker-reviewers,smaug
https://hg.mozilla.org/integration/autoland/rev/c88dd88f20b843539c7d88659c75b9f513dbf9a3
https://hg.mozilla.org/mozilla-central/rev/c88dd88f20b8

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 116 Branch

Eden, can you please clarify which releases are affected by this? Comment 4 says 115 is affected, but the regressing bug (bug 1800659) landed in 116. As we're already in RC week for Fx115, we need to know very soon whether this is something that needs to drive a respin or not.

Flags: needinfo?(echuang)
QA Whiteboard: [post-critsmash-triage]
Group: core-security-release