Bug 787717 - ASAN: Test netwerk/test/unit/test_permmgr.js triggers error
Status: RESOLVED FIXED
Whiteboard: [asan][asan-test-failure][qa-][adv-tr...
Keywords: regression, sec-critical, testcase
Product: Core
Classification: Components
Component: Networking: Cookies
Version: Trunk
Platform: All All
Importance: -- critical
Target Milestone: mozilla18
Assigned To: Mounir Lamouri (:mounir)
Duplicates: 792378
Blocks: 777072 792378
Reported: 2012-09-01 12:59 PDT by Christian Holler (:decoder)
Modified: 2012-11-07 18:14 PST
+
unaffected
unaffected
+
fixed
+
fixed
unaffected


Attachments
Patch (1.96 KB, patch)
2012-09-18 11:10 PDT, Mounir Lamouri (:mounir)
brian: review+
akeybl: approval-mozilla-aurora+
mounir: checkin+

Description Christian Holler (:decoder) 2012-09-01 12:59:45 PDT
This xpcshell test at netwerk/test/unit/test_permmgr.js fails with AddressSanitizer on mozilla-central revision c64a9f342156. Reproduced locally and on try server with debug+opt builds. ASan Log:


TEST-PASS | /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/_tests/xpcshell/netwerk/test/unit/test_permmgr.js | [run_test : 71] 6 == 6
=================================================================
==64555== ERROR: AddressSanitizer heap-use-after-free on address 0x2b8f8ec73898 at pc 0x2b8f80ab938d bp 0x7fffb0c748d0 sp 0x7fffb0c748c8
READ of size 4 at 0x2b8f8ec73898 thread T0
    #0 0x2b8f80ab938d in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:737
    #1 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #2 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #3 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #4 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #5 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #6 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #7 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #8 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #9 0x2b8f9500cde2 in
    #10 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #11 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #12 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #13 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #14 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #15 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #16 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #17 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #18 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #19 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x2b8f8ec73898 is located 24 bytes inside of 32-byte region [0x2b8f8ec73880,0x2b8f8ec738a0)
freed by thread T0 here:
    #0 0x441a71 in __interceptor_free ??:0
    #1 0x2b8f80ac0d2e in ~PermissionKey /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:224
    #2 0x2b8f812f21ef in PL_DHashTableRawRemove /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/xpcom/build/pldhash.cpp:684
    #3 0x2b8f80ab8d2c in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:729
    #4 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #5 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #6 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #7 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #8 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #9 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #10 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #11 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #12 0x2b8f9500cde2 in
    #13 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #14 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #15 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #16 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #17 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #18 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #19 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #20 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #21 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #22 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
previously allocated by thread T0 here:
    #0 0x441b31 in __interceptor_malloc ??:0
    #1 0x2b8f7d3ec2cd in moz_xmalloc /srv/repos/browser/mozilla-central-decoder/mozilla-central/memory/mozalloc/mozalloc.cpp:57
    #2 0x2b8f80ab87e8 in operator new(unsigned long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:200
    #3 0x2b8f80abc85e in nsPermissionManager::AddFromPrincipal(nsIPrincipal*, char const*, unsigned int, unsigned int, long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:590
    #4 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #5 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #6 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #7 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #8 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #9 0x2b8f822b6ec5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:337
    #10 0x2b8f822968e2 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:2405
    #11 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #12 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #13 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #14 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #15 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #16 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #17 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258


Marking s-s until triaged.
Comment 1 Christian Holler (:decoder) 2012-09-01 13:05:52 PDT
It also seems that the following tests fail with the same error:

extensions/cookie/test/unit/test_permmanager_notifications.js
browser/components/privatebrowsing/test/unit/test_privatebrowsingwrapper_removeDataFromDomain.js
browser/components/privatebrowsing/test/unit/test_removeDataFromDomain.js
Comment 2 Christian Holler (:decoder) 2012-09-01 13:23:05 PDT
Failure seems to be within nsPermissionManager, setting component appropriately.
Comment 3 Christian Holler (:decoder) 2012-09-01 14:13:34 PDT
Also responsible for failures in mochitest-other:

chrome://mochitests/content/chrome/extensions/cookie/test/test_app_uninstall.html
chrome://mochitests/content/browser/browser/components/preferences/tests/browser_chunk_permissions.js
Comment 4 Christian Holler (:decoder) 2012-09-06 11:31:37 PDT
Bisected this manually because it causes so many failures:

The first bad revision is:
changeset:   103491:789055abc89d
user:        Mounir Lamouri
date:        Thu Aug 23 11:37:31 2012 -0700
summary:     Bug 777072 - 4/7 - Update nsPermission to use appId/isInBrowserElement. r=sicking


Mounir, can you please check if this bisect is correct and if so, fix the regression? Thanks!
Comment 5 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-09-06 12:22:59 PDT
Christian, thanks for your help in tracking this down. I am marking this as assigned to Mounir based on comment 4, in order to make sure it is properly documented for our network security bug quota. Mounir, please let me know if/how I can help.
Comment 6 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-09-18 08:31:12 PDT
This seems like it is likely to be sec-critical, since it is a heap-use-after-free.
Comment 7 Mounir Lamouri (:mounir) 2012-09-18 08:39:13 PDT
I guess we should block on that, unless we want to ship B2G v1 with a known security bug.
Comment 8 Mounir Lamouri (:mounir) 2012-09-18 11:10:46 PDT
Created attachment 662230 [details] [diff] [review]
Patch

My patch is using |entry| but that object was implicitly freed a few lines before. I move the implicit free after the last use.
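The ordering defect described in comment 8, shown as an added illustration that is not the patch in attachment 662230 or any nsPermissionManager code: a constructed owning table (EntryTable) marks a removed slot dead instead of freeing it, playing the role AddressSanitizer's quarantine plays in the report above, so the remove-then-read ordering is counted as a report instead of being undefined behaviour, while the read-then-remove ordering that the patch describes passes cleanly. EntryTable, FakeDb, removeBuggy, removeFixed and the sample rows are all assumptions made for this example.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// One permission record. The id mirrors the database row id that still has
// to be used (for the DB delete) after the in-memory entry is dropped.
struct PermissionEntry {
    std::string host;
    std::string type;
    uint32_t permission;
    int64_t id;
};

// Constructed owning table. On removal it does not free the slot; it marks it
// dead, so a later read through a stale handle is counted as a report rather
// than being undefined behaviour (the job ASan's quarantine did in the log).
class EntryTable {
public:
    using Handle = std::size_t;

    Handle put(const PermissionEntry& e) {
        slots_.push_back(Slot{e, true});
        Handle h = slots_.size() - 1;
        index_[key(e.host, e.type)] = h;
        return h;
    }

    bool lookup(const std::string& host, const std::string& type, Handle* out) const {
        auto it = index_.find(key(host, type));
        if (it == index_.end()) return false;
        *out = it->second;
        return true;
    }

    // Analogue of PL_DHashTableRawRemove: the key leaves the index and the
    // entry is gone. Any dereference of h after this is a use-after-free.
    void rawRemove(Handle h) {
        index_.erase(key(slots_[h].entry.host, slots_[h].entry.type));
        slots_[h].live = false;
    }

    // Read through a handle; a read of a dead slot is recorded as a report.
    const PermissionEntry& get(Handle h) const {
        if (!slots_[h].live) ++uafReports_;
        return slots_[h].entry;
    }

    int uafReports() const { return uafReports_; }
    std::size_t size() const { return index_.size(); }

private:
    struct Slot { PermissionEntry entry; bool live; };
    static std::string key(const std::string& host, const std::string& type) {
        return host + "|" + type;
    }
    std::vector<Slot> slots_;
    std::map<std::string, Handle> index_;
    mutable int uafReports_ = 0;
};

// Constructed stand-in for the on-disk permissions store.
struct FakeDb {
    std::vector<int64_t> deleted;
    void remove(int64_t id) { deleted.push_back(id); }
};

// Ordering with the regression's shape: the table releases the entry first,
// then the code reads the entry's id to delete the DB row.
int64_t removeBuggy(EntryTable& table, FakeDb& db,
                    const std::string& host, const std::string& type) {
    EntryTable::Handle h = 0;
    if (!table.lookup(host, type, &h)) return -1;
    table.rawRemove(h);              // entry freed here ...
    int64_t id = table.get(h).id;    // ... and read here: use-after-free
    db.remove(id);
    return id;
}

// Ordering after the fix comment 8 describes: every read of the entry happens
// before the removal that frees it.
int64_t removeFixed(EntryTable& table, FakeDb& db,
                    const std::string& host, const std::string& type) {
    EntryTable::Handle h = 0;
    if (!table.lookup(host, type, &h)) return -1;
    int64_t id = table.get(h).id;    // last use of the entry
    db.remove(id);
    table.rawRemove(h);              // free only after the last use
    return id;
}

int main() {
    EntryTable table;
    FakeDb db;
    table.put({"example.org", "geolocation", 1, 41});  // constructed sample rows
    table.put({"example.net", "cookie", 2, 42});
    removeFixed(table, db, "example.org", "geolocation");
    std::printf("reports after fixed ordering: %d\n", table.uafReports());
    removeBuggy(table, db, "example.net", "cookie");
    std::printf("reports after buggy ordering: %d\n", table.uafReports());
    return 0;
}
```

Both orderings return the right row id in this toy, just as the buggy code did in non-instrumented builds; only the report counter (or ASan in the real build) makes the stale read visible, which is why a sanitizer run of the existing xpcshell tests was what surfaced the regression.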
Comment 9 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-09-18 14:52:25 PDT
Comment on attachment 662230 [details] [diff] [review]
Patch

Review of attachment 662230 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Thanks.
Comment 11 Christian Holler (:decoder) 2012-09-20 04:40:11 PDT
https://hg.mozilla.org/mozilla-central/rev/bf856d547865
Comment 12 Mounir Lamouri (:mounir) 2012-09-21 03:17:58 PDT
Comment on attachment 662230 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 777072
User impact if declined: security issues
Risk to taking this patch (and alternatives if risky): risk is very low, the patch is trivial (just moving the place we release the object from a few lines
String or UUID changes made by this patch: none
Comment 13 Alex Keybl [:akeybl] 2012-09-21 16:41:06 PDT
Comment on attachment 662230 [details] [diff] [review]
Patch

[Triage Comment]
Low risk, sec-critical regression in FF17. Approving for Aurora.
Comment 14 Mounir Lamouri (:mounir) 2012-09-22 03:24:58 PDT
Pushed to aurora:
https://hg.mozilla.org/releases/mozilla-aurora/rev/3312e43c5cf4
Comment 15 Mounir Lamouri (:mounir) 2012-10-10 04:55:43 PDT
*** Bug 792378 has been marked as a duplicate of this bug. ***