Bug 745679 - Heap-use-after-free in indexedDB::IDBKeyRange::cycleCollection::Trace
Status: Closed, RESOLVED DUPLICATE of bug 738985
Opened 13 years ago; closed 13 years ago
Categories: Firefox :: Untriaged, defect
People: Reporter: inferno, Unassigned
Whiteboard: [sg:dupe 738985][asan]
Attachments: 1 file (6.95 KB, application/octet-stream)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.83 Safari/535.11
Steps to reproduce:
Unzip testcase archive and run keyrange.html. You will see the crash on ASANified beta and aurora branches in less than 30 secs.
==6401== ERROR: AddressSanitizer heap-use-after-free on address 0x7f333000f180 at pc 0x7f3353337633 bp 0x7f333745d450 sp 0x7f333745d448
READ of size 8 at 0x7f333000f180 thread T2
#0 0x7f3353337633 in nsXPCOMCycleCollectionParticipant::CheckForRightISupports(nsISupports*) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsCycleCollectionParticipant.cpp:102
#1 0x7f334d22ce4c in mozilla::dom::indexedDB::IDBKeyRange::cycleCollection::Trace(void*, void (*)(unsigned int, void*, char const*, void*), void*) firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:314
#2 0x7f334f2f0972 in NoteJSHolder firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:469
#3 0x7f3357217603 in JS_DHashTableEnumerate firefox/aurora-src/js/src/jsdhash.cpp:745
#4 0x7f334f2ef772 in XPCJSRuntime::AddXPConnectRoots(nsCycleCollectionTraversalCallback&) firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:577
#5 0x7f334f0cf2fe in nsXPConnect::BeginCycleCollection(nsCycleCollectionTraversalCallback&, bool) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:597
#6 0x7f334f0d0bae in non-virtual thunk to nsXPConnect::BeginCycleCollection(nsCycleCollectionTraversalCallback&, bool) firefox/aurora-src/modules/zlib/src/inffast.c:0
#7 0x7f33537c0df4 in nsCycleCollector::BeginCollection(nsICycleCollectorListener*) firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:3239
#8 0x7f33537defff in nsCycleCollectorRunner::Run() firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:3982
#9 0x7f33536f06d9 in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora-src/xpcom/threads/nsThread.cpp:658
#10 0x7f3353334ed0 in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:245
#11 0x7f33536e74e3 in nsThread::ThreadFunc(void*) firefox/aurora-src/xpcom/threads/nsThread.cpp:289
#12 0x7f33615e8eb6 in _pt_root firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:187
#13 0x432c1b in __asan::AsanThread::ThreadStart() ??:0
0x7f333000f180 is located 0 bytes inside of 80-byte region [0x7f333000f180,0x7f333000f1d0)
freed by thread T0 here:
#0 0x42fb02 in free ??:0
#1 0x7f33609b9673 in moz_free firefox/aurora-src/memory/mozalloc/mozalloc.cpp:98
#2 0x7f334d2303d7 in mozilla::dom::indexedDB::IDBKeyRange::Release() firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:343
#3 0x7f334f2f2429 in DoDeferredRelease<nsISupports *> firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:622
#4 0x7f334f2f1c49 in XPCJSRuntime::GCCallback(JSRuntime*, JSGCStatus) firefox/aurora-src/js/xpconnect/src/XPCJSRuntime.cpp:690
#5 0x7f3357356d5e in Collect firefox/aurora-src/js/src/jsgc.cpp:3721
#6 0x7f335734bcb2 in js::GCSlice(JSContext*, JSCompartment*, js::JSGCInvocationKind, js::gcreason::Reason) firefox/aurora-src/js/src/jsgc.cpp:3743
#7 0x7f33572957a5 in js::IncrementalGC(JSContext*, js::gcreason::Reason) firefox/aurora-src/js/src/jsfriendapi.cpp:159
#8 0x7f334f0cddcb in nsXPConnect::Collect(unsigned int, unsigned int) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:423
#9 0x7f334f0ce959 in nsXPConnect::GarbageCollect(unsigned int, unsigned int) firefox/aurora-src/js/xpconnect/src/nsXPConnect.cpp:433
#10 0x7f334c6e38a4 in nsJSContext::GarbageCollectNow(js::gcreason::Reason, unsigned int) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:3059
#11 0x7f334c72b7ff in GCTimerFired(nsITimer*, void*) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:3182
#12 0x7f3353734b80 in nsTimerImpl::Fire() firefox/aurora-src/xpcom/threads/nsTimerImpl.cpp:509
#13 0x7f3353737459 in nsTimerEvent::Run() firefox/aurora-src/xpcom/threads/nsTimerImpl.cpp:593
#14 0x7f33536f06d9 in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora-src/xpcom/threads/nsThread.cpp:658
#15 0x7f3353334ed0 in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:245
#16 0x7f335282ae35 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora-src/ipc/glue/MessagePump.cpp:135
#17 0x7f33539d0e20 in MessageLoop::RunInternal() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:209
#18 0x7f33539d0c33 in MessageLoop::RunHandler() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:202
#19 0x7f33539d0b18 in MessageLoop::Run() firefox/aurora-src/ipc/chromium/src/base/message_loop.cc:176
#20 0x7f3351cd78f6 in nsBaseAppShell::Run() firefox/aurora-src/widget/xpwidgets/nsBaseAppShell.cpp:191
#21 0x7f33506cdf8a in nsAppStartup::Run() firefox/aurora-src/toolkit/components/startup/nsAppStartup.cpp:295
#22 0x7f3346fa07b8 in XRE_main firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:3703
#23 0x409cda in do_main firefox/aurora-src/browser/app/nsBrowserApp.cpp:190
#24 0x407849 in main firefox/aurora-src/browser/app/nsBrowserApp.cpp:277
#25 0x7f336247ac4d in ?? ??:0
previously allocated by thread T0 here:
#0 0x42fbc2 in malloc ??:0
#1 0x7f33609b97c7 in moz_xmalloc firefox/aurora-src/memory/mozalloc/mozalloc.cpp:103
#2 0x7f334d2264a8 in MakeBoundKeyRange firefox/aurora-src/dom/indexedDB/IDBKeyRange.cpp:218
#3 0x7f335764419d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), js::CallArgs const&) firefox/aurora-src/js/src/jscntxtinlines.h:314
#4 0x7f335764125a in js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) firefox/aurora-src/js/src/jsinterp.cpp:514
#5 0x7f33575ed9da in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora-src/js/src/jsinterp.cpp:2711
#6 0x7f33575be0b6 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora-src/js/src/jsinterp.cpp:469
#7 0x7f335764bbff in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:668
#8 0x7f335774104e in EvalKernel firefox/aurora-src/js/src/jsobj.cpp:1052
#9 0x7f3357742e38 in js::DirectEval(JSContext*, js::CallArgs const&) firefox/aurora-src/js/src/jsobj.cpp:1117
#10 0x7f33575ecda7 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) firefox/aurora-src/js/src/jsinterp.cpp:2681
#11 0x7f33575be0b6 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) firefox/aurora-src/js/src/jsinterp.cpp:469
#12 0x7f335764bbff in js::ExecuteKernel(JSContext*, JSScript*, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:668
#13 0x7f335764dbe4 in js::Execute(JSContext*, JSScript*, JSObject&, JS::Value*) firefox/aurora-src/js/src/jsinterp.cpp:709
#14 0x7f3356ef8416 in EvaluateUCScriptForPrincipalsCommon(JSContext*, JSObject*, JSPrincipals*, JSPrincipals*, unsigned short const*, unsigned int, char const*, unsigned int, JS::Value*, JSVersion) firefox/aurora-src/js/src/jsapi.cpp:5309
#15 0x7f3356efa925 in JS_EvaluateUCScriptForPrincipalsVersionOrigin firefox/aurora-src/js/src/jsapi.cpp:5346
#16 0x7f334c6fc2c2 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, unsigned int, nsAString_internal*, bool*) firefox/aurora-src/dom/base/nsJSEnvironment.cpp:1448
#17 0x7f334ac02897 in nsScriptLoader::EvaluateScript(nsScriptLoadRequest*, nsString const&) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:922
#18 0x7f334abffb91 in nsScriptLoader::ProcessRequest(nsScriptLoadRequest*) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:816
#19 0x7f334abf7ac5 in nsScriptLoader::ProcessScriptElement(nsIScriptElement*) firefox/aurora-src/content/base/src/nsScriptLoader.cpp:663
#20 0x7f334abe71d1 in nsScriptElement::MaybeProcessScript() firefox/aurora-src/content/base/src/nsScriptElement.cpp:182
#21 0x7f334bf4865b in nsIScriptElement::AttemptToExecute() firefox/aurora-src/objdir-ff-asan-2/parser/html/../../dist/include/nsIScriptElement.h:253
#22 0x7f334d867aa1 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) firefox/aurora-src/parser/html/nsHtml5TreeOpExecutor.cpp:759
Thread T2 created by T0 here:
#0 0x42bf73 in pthread_create ??:0
#1 0x7f33615d9516 in _PR_CreateThread firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:424
#2 0x7f33615d7a9f in PR_CreateThread firefox/aurora-src/nsprpub/pr/src/pthreads/ptthread.c:507
#3 0x7f33536e9c28 in nsThread::Init() firefox/aurora-src/xpcom/threads/nsThread.cpp:356
#4 0x7f3353706e26 in nsThreadManager::NewThread(unsigned int, unsigned int, nsIThread**) firefox/aurora-src/xpcom/threads/nsThreadManager.cpp:248
#5 0x7f3353331d37 in NS_NewThread_P(nsIThread**, nsIRunnable*, unsigned int) firefox/aurora-src/objdir-ff-asan-2/xpcom/build/nsThreadUtils.cpp:74
#6 0x7f33537c5577 in nsCycleCollector_startup() firefox/aurora-src/xpcom/base/nsCycleCollector.cpp:4082
#7 0x7f33533a6346 in NS_InitXPCOM2_P firefox/aurora-src/xpcom/build/nsXPComInit.cpp:487
#8 0x7f3346f918b7 in ScopedXPCOMStartup::Initialize() firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:1184
#9 0x7f3346f9dc37 in XRE_main firefox/aurora-src/toolkit/xre/nsAppRunner.cpp:3455
#10 0x409cda in do_main firefox/aurora-src/browser/app/nsBrowserApp.cpp:190
#11 0x407849 in main firefox/aurora-src/browser/app/nsBrowserApp.cpp:277
#12 0x7f336247ac4d in ?? ??:0
==6401== ABORTING
Stats: 210M malloced (217M for red zones) by 452507 calls
Stats: 47M realloced by 24426 calls
Stats: 181M freed by 326023 calls
Stats: 43M really freed by 122285 calls
Stats: 404M (103483 full pages) mmaped in 101 calls
mmaps by size class: 8:278511; 9:65528; 10:24570; 11:22517; 12:5120; 13:2560; 14:1536; 15:512; 16:704; 17:288; 18:128; 19:56; 20:16;
mallocs by size class: 8:317382; 9:75150; 10:25656; 11:23006; 12:5459; 13:2418; 14:1716; 15:471; 16:725; 17:311; 18:147; 19:51; 20:15;
frees by size class: 8:209303; 9:64842; 10:22079; 11:20209; 12:4384; 13:2181; 14:1511; 15:420; 16:618; 17:292; 18:127; 19:46; 20:11;
rfrees by size class: 8:97943; 9:12067; 10:4051; 11:6509; 12:529; 13:408; 14:254; 15:117; 16:336; 17:40; 18:20; 19:10; 20:1;
Stats: malloc large: 524 small slow: 2557
Shadow byte and word:
0x1fe666001e30: fd
0x1fe666001e30: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fe666001e10: fd fd fd fd fd fd fd fd
0x1fe666001e18: fd fd fd fd fd fd fd fd
0x1fe666001e20: fa fa fa fa fa fa fa fa
0x1fe666001e28: fa fa fa fa fa fa fa fa
=>0x1fe666001e30: fd fd fd fd fd fd fd fd
0x1fe666001e38: fd fd fd fd fd fd fd fd
0x1fe666001e40: fa fa fa fa fa fa fa fa
0x1fe666001e48: fa fa fa fa fa fa fa fa
0x1fe666001e50: fd fd fd fd fd fd fd fd
Comment 1 • 13 years ago
If confirmed this would be potentially critical.
Comment 3 • 13 years ago
I cannot reproduce this on trunk, but the trace looks like the one in bug 738985. That bug should be fixed, though, even on beta and aurora.
Abhishek: What revision of beta/aurora did you use? The fix for that other bug landed on April 10. Can you reproduce with beta/aurora tip now?
Comment 4 • 13 years ago (Reporter)
I found it on:
aurora - beef2cc3afb0
beta - 6323a689d6f1
but it does seem fixed now. I just tested:
aurora, tip - 01ae9ced59c6
beta, tip - 0ba53003ae26
Updated • 13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:critical][asan] → [sg:dupe 738985][asan]
Updated • 13 years ago
Group: core-security