
Heap-use-after-free in indexedDB::IDBKeyRange::cycleCollection::Trace

RESOLVED DUPLICATE of bug 738985

Status


Firefox
Untriaged
RESOLVED DUPLICATE of bug 738985
5 years ago
5 years ago

People

(Reporter: Abhishek Arya, Unassigned)

Tracking

12 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(firefox12 fixed, firefox13 fixed)

Details

(Whiteboard: [sg:dupe 738985][asan])

Attachments

(1 attachment)

6.95 KB, application/octet-stream
(Reporter)

Description

5 years ago
Created attachment 615251 [details]
Testcase archive

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11

Steps to reproduce:

Unzip testcase archive and run keyrange.html. You will see the crash on ASANified beta and aurora branches in less than 30 secs.

==6401== ERROR: AddressSanitizer heap-use-after-free on address 0x7f333000f180 at pc 0x7f3353337633 bp 0x7f333745d450 sp 0x7f333745d448
READ of size 8 at 0x7f333000f180 thread T2
    #0 0x7f3353337633 in nsXPCOMCycleCollectionParticipant::CheckForRightISupports(nsISupports*) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsCycleCollectionParticipant.cpp:102
    #1 0x7f334d22ce4c in mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace(void*, void (*)(unsigned int, void*, char const*, void*), void*) firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:314
    #2 0x7f334f2f0972 in NoteJSHolder firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:469
    #3 0x7f3357217603 in JS_DHashTableEnumerate firefox/aurora-src/js/src/jsdhash.cpp:745
    #4 0x7f334f2ef772 in XPCJSRuntime::AddXPConnectRoots(nsCycleCollectionTraversalCallback&) firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:577
    #5 0x7f334f0cf2fe in nsXPConnect::BeginCycleCollection(nsCycleCollectionTraversalCallback&, bool) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:597
    #6 0x7f334f0d0bae in non-virtual thunk to nsXPConnect::BeginCycleCollection(nsCycleCollectionTraversalCallback&, bool) firefox/aurora-src/modules/zlib/src/inffast.c:0
    #7 0x7f33537c0df4 in nsCycleCollector::BeginCollection(nsICycleCollectorListener*) firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:3239
    #8 0x7f33537defff in nsCycleCollectorRunner::Run() firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:3982
    #9 0x7f33536f06d9 in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora-src/xpcom/threads/nsThread.cpp:658
    #10 0x7f3353334ed0 in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:245
    #11 0x7f33536e74e3 in nsThread::ThreadFunc(void*) firefox/aurora-src/xpcom/threads/nsThread.cpp:289
    #12 0x7f33615e8eb6 in _pt_root firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:187
    #13 0x432c1b in __asan::AsanThread::ThreadStart() ??:0
0x7f333000f180 is located 0 bytes inside of 80-byte region [0x7f333000f180,0x7f333000f1d0)
freed by thread T0 here:
    #0 0x42fb02 in free ??:0
    #1 0x7f33609b9673 in moz_free firefox/aurora-src/memory/mozalloc/mozalloc.cpp:98
    #2 0x7f334d2303d7 in mozilla::dom::indexedDB::IDBKeyRange::Release() firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:343
    #3 0x7f334f2f2429 in DoDeferredRelease<nsISupports *> firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:622
    #4 0x7f334f2f1c49 in XPCJSRuntime::GCCallback(JSRuntime*, JSGCStatus) firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:690
    #5 0x7f3357356d5e in Collect firefox/aurora-src/js/src/jsgc.cpp:3721
    #6 0x7f335734bcb2 in js::GCSlice(JSContext*, JSCompartment*, js::JSGCInvocationKind, js::gcreason::Reason) firefox/aurora-src/js/src/jsgc.cpp:3743
    #7 0x7f33572957a5 in js::IncrementalGC(JSContext*, js::gcreason::Reason) firefox/aurora-src/js/src/jsfriendapi.cpp:159
    #8 0x7f334f0cddcb in nsXPConnect::Collect(unsigned int, unsigned int) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:423
    #9 0x7f334f0ce959 in nsXPConnect::GarbageCollect(unsigned int, unsigned int) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:433
    #10 0x7f334c6e38a4 in nsJSContext::GarbageCollectNow(js::gcreason::Reason, unsigned int) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:3059
    #11 0x7f334c72b7ff in GCTimerFired(nsITimer*, void*) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:3182
    #12 0x7f3353734b80 in nsTimerImpl::Fire() firefox/aurora-src/xpcom/threads/nsTimerImpl.cpp:509
    #13 0x7f3353737459 in nsTimerEvent::Run() firefox/aurora-src/xpcom/threads/nsTimerImpl.cpp:593
    #14 0x7f33536f06d9 in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora-src/xpcom/threads/nsThread.cpp:658
    #15 0x7f3353334ed0 in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:245
    #16 0x7f335282ae35 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora-src/ipc/glue/MessagePump.cpp:135
    #17 0x7f33539d0e20 in MessageLoop::RunInternal() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:209
    #18 0x7f33539d0c33 in MessageLoop::RunHandler() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:202
    #19 0x7f33539d0b18 in MessageLoop::Run() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:176
    #20 0x7f3351cd78f6 in nsBaseAppShell::Run() firefox/aurora-src/widget/xpwidgets/nsBaseAppShell.cpp:191
    #21 0x7f33506cdf8a in nsAppStartup::Run() firefox/aurora-src/toolkit/components/startup/nsAppStartup.cpp:295
    #22 0x7f3346fa07b8 in XRE_main firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:3703
    #23 0x409cda in do_main firefox/aurora-src/browser/app/nsBrowserApp.cpp:190
    #24 0x407849 in main firefox/aurora-src/browser/app/nsBrowserApp.cpp:277
    #25 0x7f336247ac4d in ?? ??:0
previously allocated by thread T0 here:
    #0 0x42fbc2 in malloc ??:0
    #1 0x7f33609b97c7 in moz_xmalloc firefox/aurora-src/memory/mozalloc/mozalloc.cpp:103
    #2 0x7f334d2264a8 in MakeBoundKeyRange firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:218
    #3 0x7f335764419d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora-src/js/src/jscntxtinlines.h:314
    #4 0x7f335764125a in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora-src/js/src/jsinterp.cpp:514
    #5 0x7f33575ed9da in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora-src/js/src/jsinterp.cpp:2711
    #6 0x7f33575be0b6 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora-src/js/src/jsinterp.cpp:469
    #7 0x7f335764bbff in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:668
    #8 0x7f335774104e in EvalKernel firefox/aurora-src/js/src/jsobj.cpp:1052
    #9 0x7f3357742e38 in js::DirectEval(JSContext*, js::CallArgs const&) firefox/aurora-src/js/src/jsobj.cpp:1117
    #10 0x7f33575ecda7 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora-src/js/src/jsinterp.cpp:2681
    #11 0x7f33575be0b6 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora-src/js/src/jsinterp.cpp:469
    #12 0x7f335764bbff in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:668
    #13 0x7f335764dbe4 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:709
    #14 0x7f3356ef8416 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/aurora-src/js/src/jsapi.cpp:5309
    #15 0x7f3356efa925 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/aurora-src/js/src/jsapi.cpp:5346
    #16 0x7f334c6fc2c2 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, unsigned int, nsAString_internal*, bool*) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:1448
    #17 0x7f334ac02897 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:922
    #18 0x7f334abffb91 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:816
    #19 0x7f334abf7ac5 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:663
    #20 0x7f334abe71d1 in nsScriptElement::MaybeProcessScript() firefox/aurora-src/content/base/src/nsScriptElement.cpp:182
    #21 0x7f334bf4865b in nsIScriptElement::AttemptToExecute() firefox/aurora-src/objdir-ff-asan-2/parser/html/../../dist/include/nsIScriptElement.h:253
    #22 0x7f334d867aa1 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) firefox/aurora-src/parser/html/nsHtml5TreeOpExecutor.cpp:759
Thread T2 created by T0 here:
    #0 0x42bf73 in pthread_create ??:0
    #1 0x7f33615d9516 in _PR_CreateThread firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:424
    #2 0x7f33615d7a9f in PR_CreateThread firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:507
    #3 0x7f33536e9c28 in nsThread::Init() firefox/aurora-src/xpcom/threads/nsThread.cpp:356
    #4 0x7f3353706e26 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) firefox/aurora-src/xpcom/threads/nsThreadManager.cpp:248
    #5 0x7f3353331d37 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:74
    #6 0x7f33537c5577 in nsCycleCollector_startup() firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:4082
    #7 0x7f33533a6346 in NS_InitXPCOM2_P firefox/aurora-src/xpcom/build/nsXPComInit.cpp:487
    #8 0x7f3346f918b7 in ScopedXPCOMStartup::Initialize() firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:1184
    #9 0x7f3346f9dc37 in XRE_main firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:3455
    #10 0x409cda in do_main firefox/aurora-src/browser/app/nsBrowserApp.cpp:190
    #11 0x407849 in main firefox/aurora-src/browser/app/nsBrowserApp.cpp:277
    #12 0x7f336247ac4d in ?? ??:0
==6401== ABORTING
Stats: 210M malloced (217M for red zones) by 452507 calls
Stats: 47M realloced by 24426 calls
Stats: 181M freed by 326023 calls
Stats: 43M really freed by 122285 calls
Stats: 404M (103483 full pages) mmaped in 101 calls
  mmaps   by size class: 8:278511; 9:65528; 10:24570; 11:22517; 12:5120; 13:2560; 14:1536; 15:512; 16:704; 17:288; 18:128; 19:56; 20:16;
  mallocs by size class: 8:317382; 9:75150; 10:25656; 11:23006; 12:5459; 13:2418; 14:1716; 15:471; 16:725; 17:311; 18:147; 19:51; 20:15;
  frees   by size class: 8:209303; 9:64842; 10:22079; 11:20209; 12:4384; 13:2181; 14:1511; 15:420; 16:618; 17:292; 18:127; 19:46; 20:11;
  rfrees  by size class: 8:97943; 9:12067; 10:4051; 11:6509; 12:529; 13:408; 14:254; 15:117; 16:336; 17:40; 18:20; 19:10; 20:1;
Stats: malloc large: 524 small slow: 2557
Shadow byte and word:
  0x1fe666001e30: fd
  0x1fe666001e30: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fe666001e10: fd fd fd fd fd fd fd fd
  0x1fe666001e18: fd fd fd fd fd fd fd fd
  0x1fe666001e20: fa fa fa fa fa fa fa fa
  0x1fe666001e28: fa fa fa fa fa fa fa fa
=>0x1fe666001e30: fd fd fd fd fd fd fd fd
  0x1fe666001e38: fd fd fd fd fd fd fd fd
  0x1fe666001e40: fa fa fa fa fa fa fa fa
  0x1fe666001e48: fa fa fa fa fa fa fa fa
  0x1fe666001e50: fd fd fd fd fd fd fd fd
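Added example (not part of the bug report and not Mozilla code): a small Python parser that turns an AddressSanitizer heap-use-after-free report like the one above into structured triage data, namely the faulting access, the size of the freed region, and the access / free / allocation stacks with the thread each ran on. The point it makes visible is the one a triager looks for first in this report: the bad READ ran on the cycle collector thread (T2) while the free ran on the main thread (T0). The sample input is a constructed, abridged copy of the report above with source paths shortened; the RUNTIME_FUNCS set and the "first project frame" heuristic are my own assumptions, not anything ASan or Bugzilla defines.

```python
"""Parse an AddressSanitizer heap-use-after-free report into triage data.
Constructed example; the frame-selection heuristic is an assumption."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)== ERROR: AddressSanitizer (?P<kind>[\w-]+) "
    r"on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(
    r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-f]+ thread (?P<thread>T\d+)")
# Function names may contain spaces (template/signature text); the location is
# always the last whitespace-free token, so let the greedy group backtrack to it.
FRAME_RE = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<loc>\S+)$")
REGION_RE = re.compile(
    r"^0x[0-9a-f]+ is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")
FREED_RE = re.compile(r"^freed by thread (?P<thread>T\d+) here:")
ALLOC_RE = re.compile(r"^previously allocated by thread (?P<thread>T\d+) here:")
THREAD_RE = re.compile(r"^Thread (?P<thread>T\d+) created by")
ABORT_RE = re.compile(r"^==\d+== ABORTING")

# Allocator/runtime stubs that carry no triage signal (assumed list).
RUNTIME_FUNCS = {"free", "malloc", "moz_free", "moz_xmalloc", "??"}


@dataclass
class Stack:
    thread: str
    frames: List[Tuple[str, str]] = field(default_factory=list)  # (function, file:line)

    def first_project_frame(self) -> Optional[Tuple[str, str]]:
        """First frame that is not an allocator/runtime stub."""
        for func, loc in self.frames:
            if func not in RUNTIME_FUNCS and not loc.startswith("??"):
                return func, loc
        return None


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    op: str = ""
    size: int = 0
    region_size: int = 0
    region_offset: int = 0
    stacks: Dict[str, Stack] = field(default_factory=dict)  # access / free / alloc

    def is_cross_thread(self) -> bool:
        """True when the bad access ran on a different thread than the free."""
        a, f = self.stacks.get("access"), self.stacks.get("free")
        return bool(a and f and a.thread != f.thread)


def parse_asan_report(text: str) -> AsanReport:
    report: Optional[AsanReport] = None
    current: Optional[Stack] = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            report = AsanReport(int(m["pid"]), m["kind"], m["addr"])
            continue
        if report is None:
            continue  # ignore anything before the ERROR header
        if ABORT_RE.match(line):
            break  # the Stats / shadow-byte dump that follows is not needed
        m = ACCESS_RE.match(line)
        if m:
            report.op, report.size = m["op"], int(m["size"])
            current = report.stacks["access"] = Stack(m["thread"])
            continue
        m = REGION_RE.match(line)
        if m:
            report.region_offset, report.region_size = int(m["off"]), int(m["size"])
            current = None
            continue
        m = FREED_RE.match(line)
        if m:
            current = report.stacks["free"] = Stack(m["thread"])
            continue
        m = ALLOC_RE.match(line)
        if m:
            current = report.stacks["alloc"] = Stack(m["thread"])
            continue
        if THREAD_RE.match(line):
            current = None  # thread-creation stack: skipped for triage
            continue
        m = FRAME_RE.match(line)
        if m and current is not None:
            current.frames.append((m["func"], m["loc"]))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR header found")
    return report


def triage_summary(report: AsanReport) -> Dict[str, object]:
    """Where it was accessed, freed and allocated, plus whether threads differ."""
    out: Dict[str, object] = {
        "kind": report.kind, "op": report.op, "size": report.size,
        "region_size": report.region_size, "cross_thread": report.is_cross_thread()}
    for name, stack in report.stacks.items():
        out[name] = (stack.thread, stack.first_project_frame())
    return out


# Constructed sample: abridged from the report above, paths shortened, frames trimmed.
SAMPLE = """\
==6401== ERROR: AddressSanitizer heap-use-after-free on address 0x7f333000f180 at pc 0x7f3353337633 bp 0x7f333745d450 sp 0x7f333745d448
READ of size 8 at 0x7f333000f180 thread T2
    #0 0x7f3353337633 in nsXPCOMCycleCollectionParticipant::CheckForRightISupports(nsISupports*) xpcom/build/nsCycleCollectionParticipant.cpp:102
    #1 0x7f334d22ce4c in mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace(void*, void (*)(unsigned int, void*, char const*, void*), void*) dom/indexedDB/IDBKeyRange.cpp:314
    #2 0x7f334f2f0972 in NoteJSHolder js/xpconnect/src/XPCJSRuntime.cpp:469
0x7f333000f180 is located 0 bytes inside of 80-byte region [0x7f333000f180,0x7f333000f1d0)
freed by thread T0 here:
    #0 0x42fb02 in free ??:0
    #1 0x7f33609b9673 in moz_free memory/mozalloc/mozalloc.cpp:98
    #2 0x7f334d2303d7 in mozilla::dom::indexedDB::IDBKeyRange::Release() dom/indexedDB/IDBKeyRange.cpp:343
previously allocated by thread T0 here:
    #0 0x42fbc2 in malloc ??:0
    #1 0x7f33609b97c7 in moz_xmalloc memory/mozalloc/mozalloc.cpp:103
    #2 0x7f334d2264a8 in MakeBoundKeyRange dom/indexedDB/IDBKeyRange.cpp:218
Thread T2 created by T0 here:
    #0 0x42bf73 in pthread_create ??:0
==6401== ABORTING
Stats: 210M malloced (217M for red zones) by 452507 calls
"""

if __name__ == "__main__":
    for key, value in triage_summary(parse_asan_report(SAMPLE)).items():
        print(f"{key}: {value}")
```

Run on the sample it reports cross_thread as True with the access on T2 and the free on T0, which is the signal that separates a plain lifetime bug from one where a background thread (here the cycle collector) still holds a pointer that the main thread has already released.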
If confirmed this would be potentially critical.
status-firefox12: --- → affected
status-firefox13: --- → affected
Whiteboard: [sg:critical][asan]
I cannot reproduce this on trunk but the trace looks like the one in bug 738985. That bug should be fixed though even on beta and aurora.

Abhishek: What revision of beta/aurora did you use? The fix for that other bug landed at April 10. Can you reproduce with beta/aurora tip now?
(Reporter)

Comment 4

5 years ago
I found it on:
aurora - beef2cc3afb0
beta - 6323a689d6f1
but it does seem fixed now. I just tested:
aurora, tip - 01ae9ced59c6
beta, tip - 0ba53003ae26
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
status-firefox12: affected → fixed
status-firefox13: affected → fixed
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical][asan] → [sg:dupe 738985][asan]
Duplicate of bug: 738985
Group: core-security