
Heap-use-after-free in XPCNativeScriptableInfo::Mark()

Status: RESOLVED DUPLICATE of bug 752340

Product: Core
Component: XPConnect
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: Arthur Gerkis; Assigned: mccr8

Keywords: crash, sec-other, testcase
Version: 15 Branch
Hardware: x86_64
OS: Linux
Points: ---

Firefox Tracking Flags: Not tracked

Whiteboard: [asan][sg:dupe 752340]

Attachments: 3 attachments

Description (Reporter, 5 years ago)

Created attachment 625619
ASan log

ASan reported heap-use-after-free, log is attached. Unfortunately no test-case at the moment. 

Version where bug was found: http://hg.mozilla.org/mozilla-central/rev/95437bcc43dc
Don't know how far we'll get without a testcase, but maybe bholley can spot something from the trace.

Component: Untriaged → XPConnect
Keywords: crash, testcase-wanted
Product: Firefox → Core
QA Contact: untriaged → xpconnect
Whiteboard: [asan]

Maybe this is bug 751454? Fix just landed.

Comment 3 (Reporter, 5 years ago)

Created attachment 627566
ASan log (cff5b4470690)

I still see this bug on http://hg.mozilla.org/mozilla-central/rev/cff5b4470690

Comment 4 (Reporter, 5 years ago)

The bug is still on cf4face65451, but I am working on test-case - will provide it in a day or two.

Comment 5 (Reporter, 5 years ago)

Created attachment 632383
test-case triggering the crash (*.zip)

It is not that reliable - sometimes one has to wait for ~15 seconds until it crashes.
Confirmed this using today's daily m-c asan build ( https://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/choller@mozilla.com-2debc330caa1/try-linux64/ ).
Status: UNCONFIRMED → NEW
Ever confirmed: true

Updated (Assignee, 5 years ago)

Assignee: nobody → continuation
Severity: normal → critical
Keywords: testcase-wanted → testcase

Comment 7 (Assignee, 5 years ago)

This looks like another variant of bug 752340.  With the assertion from that bug, this test case hits it immediately.  With the assertion and the fix in place, it doesn't seem to crash, even after a minute or so.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 752340
Group: core-security
Keywords: sec-other
Whiteboard: [asan] → [asan][sg:dupe 752340]