Closed Bug 1963715 Opened 1 year ago Closed 9 months ago

AddressSanitizer: heap-use-after-free [@ operator unsigned short] with READ of size 2

Categories: Core :: Layout: Text and Fonts, defect

Tracking: RESOLVED DUPLICATE of bug 1976782

People: Reporter: tsmith, Assigned: jfkthame

References: Blocks 1 open bug

Details: Keywords: crash, csectype-uaf, sec-high

Found with m-c 20250430-c39268ce319f (--enable-address-sanitizer)

This was found by visiting a live website with an ASan build.

This issue was triggered by visiting http://kinozone.net/. I have not been able to reproduce the issue.

==115827==ERROR: AddressSanitizer: heap-use-after-free on address 0x511000925d08 at pc 0x7fffdec6ff1a bp 0x7fff20dec460 sp 0x7fff20dec458
READ of size 2 at 0x511000925d08 thread T31
    #0 0x7fffdec6ff19 in operator unsigned short /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-algs.hh:137:56
    #1 0x7fffdec6ff19 in operator unsigned int /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-open-type.hh:68:109
    #2 0x7fffdec6ff19 in OT::BASE::sanitize(hb_sanitize_context_t*) const /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-ot-layout-base-table.hh:822:5
    #3 0x7fffded03d0d in hb_blob_t* hb_sanitize_context_t::sanitize_blob<OT::BASE>(hb_blob_t*) /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-sanitize.hh:448:15
    #4 0x7fffded038a8 in create /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:301:14
    #5 0x7fffded038a8 in hb_blob_t* hb_data_wrapper_t<hb_face_t, 27u>::call_create<hb_blob_t, hb_table_lazy_loader_t<OT::BASE, 27u, true>>() const /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:158:42
    #6 0x7fffdeaf2606 in get_stored /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:221:26
    #7 0x7fffdeaf2606 in get /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:245:58
    #8 0x7fffdeaf2606 in operator-> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:205:50
    #9 0x7fffdeaf2606 in hb_ot_layout_get_baseline /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-ot-layout.cc:2305:10
    #10 0x7fffdeeb4ea3 in gfxFont::GetBaselines(nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:4445:7
    #11 0x7fffe1ad9f16 in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5043:30
    #12 0x7fffe1adaee9 in mozilla::dom::CanvasRenderingContext2D::MeasureText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4470:10
    #13 0x7fffe06485a3 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:4128:78
    #14 0x7fffe19361cf in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
    #15 0x7fff4ed13fac  ([anon:js-executable-memory]+0xfac)

0x511000925d08 is located 8 bytes inside of 248-byte region [0x511000925d00,0x511000925df8)
freed by thread T32 here:
    #0 0x5555556bc556 in free /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:52:3
    #1 0x7fffdeebb7ec in ~FontTableBlobData /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:424:3
    #2 0x7fffdeebb7ec in gfxFontEntry::FontTableHashEntry::DeleteFontTableBlobData(void*) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:508:3
    #3 0x7fffdeac89dc in destroy_user_data /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-blob.hh:47:7
    #4 0x7fffdeac89dc in ~hb_blob_t /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-blob.hh:41:19
    #5 0x7fffdeac89dc in hb_object_destroy<hb_blob_t> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-object.hh:297:11
    #6 0x7fffdeac89dc in hb_blob_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-blob.cc:264:8
    #7 0x7fffdead3afd in destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:303:40
    #8 0x7fffdead3afd in do_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:202:7
    #9 0x7fffdead3afd in fini /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:188:19
    #10 0x7fffdead3afd in hb_ot_face_t::fini() /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-ot-face-table-list.hh:122:1
    #11 0x7fffdead2b24 in hb_face_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-face.cc:593:15
    #12 0x7fffdeadff77 in hb_font_destroy /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-font.cc:2097:3
    #13 0x7fffdeeb508f in gfxFont::GetBaselines(nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:4463:3
    #14 0x7fffe1ada0ac in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5079:28
    #15 0x7fffe1adaee9 in mozilla::dom::CanvasRenderingContext2D::MeasureText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4470:10
    #16 0x7fffe06485a3 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:4128:78
    #17 0x7fffe19361cf in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
    #18 0x7fff4ed23fac  ([anon:js-executable-memory]+0x10fac)
    #19 0x7fff4ecdd5c2  ([anon:js-executable-memory]+0x1a5c2)
    #20 0x7fff4ed23745  ([anon:js-executable-memory]+0x10745)
    #21 0x7fff4ed24998  ([anon:js-executable-memory]+0x11998)
    #22 0x7fff4ed243ac  ([anon:js-executable-memory]+0x113ac)
    #23 0x7fff4ecdd5c2  ([anon:js-executable-memory]+0x1a5c2)
    #24 0x7fff4ed2449c  ([anon:js-executable-memory]+0x1149c)
    #25 0x7fff4ecdd5c2  ([anon:js-executable-memory]+0x1a5c2)
    #26 0x7fff4ed235c2  ([anon:js-executable-memory]+0x105c2)

previously allocated by thread T32 here:
    #0 0x5555556bc7ef in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x7fffdc38d058 in Malloc /builds/worker/workspace/obj-build/dist/include/nsTArray.h:245:46
    #2 0x7fffdc38d058 in nsTArrayFallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_RelocateUsingMemutils>::EnsureCapacityImpl<nsTArrayFallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:173:43
    #3 0x7fffdc38cb3c in EnsureCapacity<nsTArrayFallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:472:12
    #4 0x7fffdc38cb3c in ExtendCapacity<nsTArrayFallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:148:16
    #5 0x7fffdc38cb3c in InsertSlotsAt<nsTArrayFallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray-inl.h:417:17
    #6 0x7fffdc38cb3c in unsigned char* nsTArray_Impl<unsigned char, nsTArrayInfallibleAllocator>::InsertElementsAtInternal<nsTArrayFallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2321:49
    #7 0x7fffdee017ff in SetLength<nsTArrayFallibleAllocator> /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2250:11
    #8 0x7fffdee017ff in SetLength /builds/worker/workspace/obj-build/dist/include/nsTArray.h:2260:12
    #9 0x7fffdee017ff in gfxFT2FontEntryBase::CopyFaceTable(mozilla::gfx::SharedFTFace*, unsigned int, nsTArray<unsigned char>&) /builds/worker/checkouts/gecko/gfx/thebes/gfxFT2FontBase.cpp:85:16
    #10 0x7fffdeebbfb1 in gfxFontEntry::GetFontTable(unsigned int) /builds/worker/checkouts/gecko/gfx/thebes/gfxFontEntry.cpp:569:20
    #11 0x7fffded039d9 in reference_table /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-face.hh:83:12
    #12 0x7fffded039d9 in hb_face_reference_table /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-face.cc:701:16
    #13 0x7fffded039d9 in hb_blob_t* hb_sanitize_context_t::reference_table<OT::BASE>(hb_face_t const*, unsigned int) /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-sanitize.hh:500:33
    #14 0x7fffded038a8 in create /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:301:14
    #15 0x7fffded038a8 in hb_blob_t* hb_data_wrapper_t<hb_face_t, 27u>::call_create<hb_blob_t, hb_table_lazy_loader_t<OT::BASE, 27u, true>>() const /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:158:42
    #16 0x7fffdeaf2606 in get_stored /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:221:26
    #17 0x7fffdeaf2606 in get /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:245:58
    #18 0x7fffdeaf2606 in operator-> /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-machinery.hh:205:50
    #19 0x7fffdeaf2606 in hb_ot_layout_get_baseline /builds/worker/checkouts/gecko/gfx/harfbuzz/src/hb-ot-layout.cc:2305:10
    #20 0x7fffdeeb4ea3 in gfxFont::GetBaselines(nsFontMetrics::FontOrientation) /builds/worker/checkouts/gecko/gfx/thebes/gfxFont.cpp:4445:7
    #21 0x7fffe1ada0ac in mozilla::dom::CanvasRenderingContext2D::DrawOrMeasureText(nsTSubstring<char16_t> const&, float, float, mozilla::dom::Optional<double> const&, mozilla::dom::CanvasRenderingContext2D::TextDrawOperation, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:5079:28
    #22 0x7fffe1adaee9 in mozilla::dom::CanvasRenderingContext2D::MeasureText(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/canvas/CanvasRenderingContext2D.cpp:4470:10
    #23 0x7fffe06485a3 in mozilla::dom::OffscreenCanvasRenderingContext2D_Binding::measureText(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/./OffscreenCanvasRenderingContext2DBinding.cpp:4128:78
    #24 0x7fffe19361cf in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3302:13
    #25 0x7fff4ed23fac  ([anon:js-executable-memory]+0x10fac)
    #26 0x7fff4ecdd5c2  ([anon:js-executable-memory]+0x1a5c2)
    #27 0x7fff4ed23745  ([anon:js-executable-memory]+0x10745)
    #28 0x7fff4ed24998  ([anon:js-executable-memory]+0x11998)
    #29 0x7fff4ed243ac  ([anon:js-executable-memory]+0x113ac)
    #30 0x7fff4ecdd5c2  ([anon:js-executable-memory]+0x1a5c2)
    #31 0x7fff4ed2449c  ([anon:js-executable-memory]+0x1149c)

Thread T31 created by T0 (Isolated Web Co) here:
    #0 0x5555556a2031 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7ffff73dc2b9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
    #2 0x7ffff73ca4fe in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
    #3 0x7fffdc46b761 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:20
    #4 0x7fffe5310fc3 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:97:7
    #5 0x7fffe527f707 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1376:37
    #6 0x7fffe527e3fd in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1259:19
    #7 0x7fffe52d7114 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3165:24
    #8 0x7fffe5297646 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TrustedScriptURLOrUSVString const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:77:41
    #9 0x7fffe1185556 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1084:52
    #10 0x7fffe7dc5175 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #11 0x7fffe7dc5175 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:8
    #12 0x7fffe7dc5175 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:718:14
    #13 0x7fffe7de043e in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:765:10
    #14 0x7fffe7de043e in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3271:16
    #15 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #16 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #17 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #18 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #19 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #20 0x7fffe8e4a5f3 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
    #21 0x7fffe8e4b1c0 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
    #22 0x7fff4eb93d74  ([anon:js-executable-memory]+0xd74)
    #23 0x7fff4ec1e10d  ([anon:js-executable-memory]+0x1b10d)
    #24 0x7fff4eb9d6c6  ([anon:js-executable-memory]+0xa6c6)
    #25 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #26 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #27 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #28 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #29 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #30 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #31 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #32 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #33 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #34 0x7fffe8e4a5f3 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
    #35 0x7fffe8e4b1c0 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
    #36 0x7fff4eb93d74  ([anon:js-executable-memory]+0xd74)
    #37 0x7fff4ec1e10d  ([anon:js-executable-memory]+0x1b10d)
    #38 0x7fff4eb9d6c6  ([anon:js-executable-memory]+0xa6c6)
    #39 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #40 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #41 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #42 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #43 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #44 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #45 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #46 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #47 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #48 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #49 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #50 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #51 0x7fffe8caf4e9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
    #52 0x7fff4eb95873  ([anon:js-executable-memory]+0x2873)
    #53 0x7fff4eb9b1d5  ([anon:js-executable-memory]+0x81d5)
    #54 0x7fff4eb9d6c6  ([anon:js-executable-memory]+0xa6c6)
    #55 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #56 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #57 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #58 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #59 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #60 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #61 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #62 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #63 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #64 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #65 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #66 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #67 0x7fffe7de04c6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #68 0x7fffe7de04c6 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:662:10
    #69 0x7fffe7de04c6 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3286:16
    #70 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #71 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #72 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #73 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #74 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #75 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #76 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #77 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #78 0x7fffe7de04c6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #79 0x7fffe7de04c6 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:662:10
    #80 0x7fffe7de04c6 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3286:16
    #81 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #82 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #83 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #84 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #85 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #86 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #87 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #88 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #89 0x7fffe7de04c6 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #90 0x7fffe7de04c6 in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:662:10
    #91 0x7fffe7de04c6 in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3286:16
    #92 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #93 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #94 0x7fffe7dc6aab in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:855:13
    #95 0x7fffe7f14348 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:601:10
    #96 0x7fffe7f14641 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:625:10
    #97 0x7fffe5864dca in ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2760:8
    #98 0x7fffe5864dca in mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3316:7
    #99 0x7fffe58639a5 in mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2846:10
    #100 0x7fffe585bd4b in mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2458:10
    #101 0x7fffe585e31d in mozilla::dom::ScriptLoader::CompileOffThreadOrProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1856:10
    #102 0x7fffe583a21a in mozilla::dom::ScriptLoader::ProcessPendingRequests(bool) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3693:7
    #103 0x7fffe5862f9d in mozilla::dom::ScriptLoader::ProcessOffThreadRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2367:3
    #104 0x7fffe5878ece in mozilla::dom::(anonymous namespace)::OffThreadCompilationCompleteTask::Run() /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1909:20
    #105 0x7fffdc42f1d8 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
    #106 0x7fffdc4362bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1252:20
    #107 0x7fffdc433df8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1075:15
    #108 0x7fffdc434416 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
    #109 0x7fffdc450401 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:333:37
    #110 0x7fffdc450401 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #111 0x7fffdc46fb7b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #112 0x7fffdc47a4f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #113 0x7fffdd8e0449 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #114 0x7fffdd7ef8d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #115 0x7fffdd7ef8d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #116 0x7fffdd7ef8d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #117 0x7fffe5cde786 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #118 0x7fffe5eb912b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:539:33
    #119 0x7fffe7b6ce1d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:654:20
    #120 0x7fffdd7ef8d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #121 0x7fffdd7ef8d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #122 0x7fffdd7ef8d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #123 0x7fffe7b6b3d6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:592:34
    #124 0x5555556ff152 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
    #125 0x7ffff7a51d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

Thread T32 created by T0 (Isolated Web Co) here:
    #0 0x5555556a2031 in pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_interceptors.cpp:250:3
    #1 0x7ffff73dc2b9 in _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:429:10
    #2 0x7ffff73ca4fe in PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:496:10
    #3 0x7fffdc46b761 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:615:20
    #4 0x7fffe5310fc3 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/checkouts/gecko/dom/workers/WorkerThread.cpp:97:7
    #5 0x7fffe527f707 in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1376:37
    #6 0x7fffe527e3fd in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate&) /builds/worker/checkouts/gecko/dom/workers/RuntimeService.cpp:1259:19
    #7 0x7fffe52d7114 in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerKind, mozilla::dom::RequestCredentials, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>, std::function<void (bool)>&&, std::function<void ()>&&, mozilla::ipc::Endpoint<mozilla::dom::PRemoteWorkerNonLifeCycleOpControllerChild>&&) /builds/worker/checkouts/gecko/dom/workers/WorkerPrivate.cpp:3165:24
    #8 0x7fffe5297646 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, mozilla::dom::TrustedScriptURLOrUSVString const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/workers/Worker.cpp:77:41
    #9 0x7fffe1185556 in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/obj-build/dom/bindings/./WorkerBinding.cpp:1084:52
    #10 0x7fffe7dc5175 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #11 0x7fffe7dc5175 in CallJSNativeConstructor /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:512:8
    #12 0x7fffe7dc5175 in InternalConstruct(JSContext*, js::AnyConstructArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:718:14
    #13 0x7fffe7de043e in ConstructFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:765:10
    #14 0x7fffe7de043e in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3271:16
    #15 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #16 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #17 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #18 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #19 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #20 0x7fffe8e4a5f3 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
    #21 0x7fffe8e4b1c0 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
    #22 0x7fff4eb93d74  ([anon:js-executable-memory]+0xd74)
    #23 0x7fff4ec1e10d  ([anon:js-executable-memory]+0x1b10d)
    #24 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #25 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #26 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #27 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #28 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #29 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #30 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #31 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #32 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #33 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #34 0x7fffe8e4a5f3 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
    #35 0x7fffe8e4b1c0 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
    #36 0x7fff4eb93d74  ([anon:js-executable-memory]+0xd74)
    #37 0x7fff4ec1e10d  ([anon:js-executable-memory]+0x1b10d)
    #38 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #39 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #40 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #41 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #42 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #43 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #44 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #45 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #46 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #47 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #48 0x7fffe8e4a5f3 in js::jit::InvokeFunction(JSContext*, JS::Handle<JSObject*>, bool, bool, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:549:10
    #49 0x7fffe8e4b1c0 in js::jit::InvokeFromInterpreterStub(JSContext*, js::jit::InterpreterStubExitFrameLayout*) /builds/worker/checkouts/gecko/js/src/jit/VMFunctions.cpp:573:8
    #50 0x7fff4eb93d74  ([anon:js-executable-memory]+0xd74)
    #51 0x7fff4ec1e10d  ([anon:js-executable-memory]+0x1b10d)
    #52 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #53 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #54 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #55 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #56 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #57 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #58 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #59 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #60 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #61 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #62 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #63 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #64 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #65 0x7fffe8caf4e9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
    #66 0x7fff4eb95873  ([anon:js-executable-memory]+0x2873)
    #67 0x7fff4eb9b1d5  ([anon:js-executable-memory]+0x81d5)
    #68 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #69 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #70 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #71 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #72 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #73 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #74 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #75 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #76 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #77 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #78 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #79 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #80 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #81 0x7fffe8caf4e9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
    #82 0x7fff4eb95873  ([anon:js-executable-memory]+0x2873)
    #83 0x7fff4eb9b1d5  ([anon:js-executable-memory]+0x81d5)
    #84 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #85 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #86 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #87 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #88 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #89 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #90 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #91 0x7fffe7dc295d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:622:13
    #92 0x7fffe7dc4661 in InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:657:10
    #93 0x7fffe7dc4661 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:689:8
    #94 0x7fffe801ac88 in js::fun_call(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/js/src/vm/JSFunction.cpp:1118:10
    #95 0x7fffe7dc27e7 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:494:13
    #96 0x7fffe7dc27e7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:590:12
    #97 0x7fffe8caf4e9 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICFallbackStub*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jit/BaselineIC.cpp:1705:10
    #98 0x7fff4eb95873  ([anon:js-executable-memory]+0x2873)
    #99 0x7fff4eb9b1d5  ([anon:js-executable-memory]+0x81d5)
    #100 0x7fff4eca2fa5  ([anon:js-executable-memory]+0x1ffa5)
    #101 0x7fff4eb934e5  ([anon:js-executable-memory]+0x4e5)
    #102 0x7fffe948c822 in EnterJit /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:114:5
    #103 0x7fffe948c822 in js::jit::MaybeEnterJit(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/jit/Jit.cpp:260:10
    #104 0x7fffe7de2ffa in js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3325:40
    #105 0x7fffe7dc15b8 in MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:395:10
    #106 0x7fffe7dc15b8 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:464:13
    #107 0x7fffe7dc6aab in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:855:13
    #108 0x7fffe7f14348 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:601:10
    #109 0x7fffe7f14641 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) /builds/worker/checkouts/gecko/js/src/vm/CompilationAndEvaluation.cpp:625:10
    #110 0x7fffe5864dca in ExecuteCompiledScript /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2760:8
    #111 0x7fffe5864dca in mozilla::dom::ScriptLoader::EvaluateScript(nsIGlobalObject*, JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3316:7
    #112 0x7fffe58639a5 in mozilla::dom::ScriptLoader::EvaluateScriptElement(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2846:10
    #113 0x7fffe585bd4b in mozilla::dom::ScriptLoader::ProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2458:10
    #114 0x7fffe585e31d in mozilla::dom::ScriptLoader::CompileOffThreadOrProcessRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1856:10
    #115 0x7fffe583a21a in mozilla::dom::ScriptLoader::ProcessPendingRequests(bool) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:3693:7
    #116 0x7fffe5862f9d in mozilla::dom::ScriptLoader::ProcessOffThreadRequest(JS::loader::ScriptLoadRequest*) /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:2367:3
    #117 0x7fffe5878ece in mozilla::dom::(anonymous namespace)::OffThreadCompilationCompleteTask::Run() /builds/worker/checkouts/gecko/dom/script/ScriptLoader.cpp:1909:20
    #118 0x7fffdc42f1d8 in mozilla::TaskController::RunTask(mozilla::Task*) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:196:19
    #119 0x7fffdc4362bd in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1252:20
    #120 0x7fffdc433df8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:1075:15
    #121 0x7fffdc43478e in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:639:36
    #122 0x7fffdc450424 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:336:37
    #123 0x7fffdc450424 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #124 0x7fffdc46fb7b in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1159:16
    #125 0x7fffdc47a4f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #126 0x7fffdd8e05b6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5
    #127 0x7fffdd7ef8d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #128 0x7fffdd7ef8d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #129 0x7fffdd7ef8d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #130 0x7fffe5cde786 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #131 0x7fffe5eb912b in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:539:33
    #132 0x7fffe7b6ce1d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:654:20
    #133 0x7fffdd7ef8d4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:369:10
    #134 0x7fffdd7ef8d4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:362:3
    #135 0x7fffdd7ef8d4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:344:3
    #136 0x7fffe7b6b3d6 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:592:34
    #137 0x5555556ff152 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:397:22
    #138 0x7ffff7a51d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/gfx/harfbuzz/src/graph/../hb-algs.hh:137:56 in operator unsigned short
Shadow bytes around the buggy address:
  0x511000925a80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000925b00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa
  0x511000925b80: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x511000925c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000925c80: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x511000925d00: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000925d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x511000925e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x511000925e80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000925f00: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa fa
  0x511000925f80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
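
Reading the shadow map by hand: the faulting address 0x511000925d08 sits in the row marked "=>", and the bracketed byte at index 1 of that row (0x08 / 8) is fd, i.e. a freed heap region, which is what makes this a use-after-free rather than an overflow. The script below is an added example, not part of this report or of the Firefox/HarfBuzz code; it parses rows copied from the dump above and maps an address and access size onto the legend. It assumes the row addresses are application addresses (rows are 0x80 apart, i.e. 16 granules of 8 bytes, consistent with the bracketed byte landing at index 1 for 0x...d08) and uses the legend values exactly as printed; the second, constructed dump in demo() exists only to exercise the partially-addressable case.

```python
"""Decode ASan shadow bytes for a given application address.

Added example, not code from the bug report or from Firefox/HarfBuzz.
Assumes the ASan convention stated in the legend: one shadow byte covers
8 application bytes, and each printed row starts at the application
address of its first granule.
"""
import re

GRANULE = 8  # application bytes per shadow byte

# Values copied from the "Shadow byte legend" printed in the report.
SHADOW_LEGEND = {
    0x00: "addressable",
    0xfa: "heap left redzone",
    0xfd: "freed heap region",
    0xf1: "stack left redzone",
    0xf2: "stack mid redzone",
    0xf3: "stack right redzone",
    0xf5: "stack after return",
    0xf8: "stack use after scope",
    0xf9: "global redzone",
    0xf6: "global init order",
    0xf7: "poisoned by user",
    0xfc: "container overflow",
    0xac: "array cookie",
    0xbb: "intra object redzone",
    0xfe: "ASan internal",
    0xca: "left alloca redzone",
    0xcb: "right alloca redzone",
}

# Three rows copied verbatim from the dump in this report.
SAMPLE_DUMP = """\
  0x511000925c80: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
=>0x511000925d00: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x511000925d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
"""

ROW_RE = re.compile(r"^(=>)?\s*0x([0-9a-fA-F]+):\s*(.*)$")


def parse_shadow_rows(dump):
    """Return {row_base_address: [shadow byte values]} from the dump text.

    The brackets ASan puts around the faulting byte ("fd[fd]fd") are not
    whitespace-separated, so bytes are pulled out with a hex-pair regex.
    """
    rows = {}
    for line in dump.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        base = int(m.group(2), 16)
        rows[base] = [int(t, 16) for t in re.findall(r"[0-9a-fA-F]{2}", m.group(3))]
    return rows


def shadow_state(rows, addr):
    """Return (shadow_byte, description) for the granule containing addr."""
    granule = addr & ~(GRANULE - 1)
    for base, values in rows.items():
        if base <= granule < base + len(values) * GRANULE:
            sb = values[(granule - base) // GRANULE]
            if 1 <= sb <= 7:  # only the first sb bytes of the granule are valid
                return sb, f"partially addressable ({sb} of {GRANULE} bytes)"
            return sb, SHADOW_LEGEND.get(sb, f"unknown shadow value {sb:#04x}")
    raise ValueError(f"address {addr:#x} is not covered by the dump")


def access_is_invalid(rows, addr, size):
    """True if any byte of the access [addr, addr+size) is poisoned."""
    for a in range(addr, addr + size):
        sb, _ = shadow_state(rows, a)
        offset = a & (GRANULE - 1)
        if sb == 0 or (1 <= sb <= 7 and offset < sb):
            continue  # fully addressable, or below the partial limit
        return True
    return False


def demo():
    """Classify the report's READ of size 2 and a constructed partial granule."""
    rows = parse_shadow_rows(SAMPLE_DUMP)
    report_read = shadow_state(rows, 0x511000925d08)
    # Constructed row (not from the report): granule at 0x1008 has only 4
    # valid bytes, so a 4-byte read is fine and a 5-byte read is not.
    partial = {0x1000: [0x00, 0x04, 0xfa] + [0x00] * 13}
    return report_read, access_is_invalid(partial, 0x1008, 4), access_is_invalid(partial, 0x1008, 5)


if __name__ == "__main__":
    print(demo())
```

Running it classifies the READ of size 2 at 0x511000925d08 as "freed heap region"; the same lookup on 0x511000925cb8 (index 7 of the previous row) yields "heap left redzone", which is the pattern you would see for a heap overflow instead.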

Maybe related to bug 1963110?

Flags: needinfo?(jfkthame)
Crash Signature: [@ OT::BASE::sanitize ]

Similar stack in bug 1966495 hit on http://godsunchained.com/. We're going to assume it's a dupe even though the crash reason was slightly different.

Keywords: sec-high
See Also: → 1963110
Duplicate of this bug: 1966495

This looks related to font-table management, and we recently fixed a data race in this area in bug 1970422. So we should try to determine whether that has resolved this issue (though without reliable STR, it may be difficult to confirm for sure).

Maybe when Tyson is back from PTO he could confirm whether this has been seen again, or have another crack at reproducing it.

Flags: needinfo?(jfkthame) → needinfo?(twsmith)
Assignee: nobody → jfkthame
See Also: → 1976782

There have not been any new reports of this issue but bug 1976782 has been reported. I'm not sure if it is a duplicate or not.

Flags: needinfo?(twsmith)
Component: Graphics: Text → Layout: Text and Fonts

I think this is very likely a dupe of bug 1976782. Without reliable STR, we can't easily verify this, but for now I'm closing as a dupe. We can re-open (or file a new issue) if this does show up again.

Status: NEW → RESOLVED
Closed: 9 months ago
Duplicate of bug: 1976782
Resolution: --- → DUPLICATE

Update blocks for tracking.

Blocks: crash-scout
No longer blocks: site-scout
Group: gfx-core-security