Closed Bug 787717 Opened 12 years ago Closed 12 years ago

ASAN: Test netwerk/test/unit/test_permmgr.js triggers error

Categories

(Core :: Networking: Cookies, defect)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla18
blocking-basecamp +
Tracking Status
firefox15 --- unaffected
firefox16 --- unaffected
firefox17 + fixed
firefox18 + fixed
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: mounir)

References

Details

(Keywords: regression, sec-critical, testcase, Whiteboard: [asan][asan-test-failure][qa-][adv-track-main17-])

Attachments

(1 file)

This xpcshell test at netwerk/test/unit/test_permmgr.js fails with AddressSanitizer on mozilla-central revision c64a9f342156. Reproduced locally and on try server with debug+opt builds. ASan Log:


TEST-PASS | /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/_tests/xpcshell/netwerk/test/unit/test_permmgr.js | [run_test : 71] 6 == 6
=================================================================
==64555== ERROR: AddressSanitizer heap-use-after-free on address 0x2b8f8ec73898 at pc 0x2b8f80ab938d bp 0x7fffb0c748d0 sp 0x7fffb0c748c8
READ of size 4 at 0x2b8f8ec73898 thread T0
    #0 0x2b8f80ab938d in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:737
    #1 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #2 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #3 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #4 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #5 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #6 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #7 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #8 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #9 0x2b8f9500cde2 in
    #10 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #11 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #12 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #13 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #14 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #15 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #16 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #17 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #18 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #19 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x2b8f8ec73898 is located 24 bytes inside of 32-byte region [0x2b8f8ec73880,0x2b8f8ec738a0)
freed by thread T0 here:
    #0 0x441a71 in __interceptor_free ??:0
    #1 0x2b8f80ac0d2e in ~PermissionKey /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:224
    #2 0x2b8f812f21ef in PL_DHashTableRawRemove /srv/repos/browser/mozilla-central-decoder/mozilla-central/objdir-ff-asan64dbg/xpcom/build/pldhash.cpp:684
    #3 0x2b8f80ab8d2c in nsPermissionManager::AddInternal(nsIPrincipal*, nsCString const&, unsigned int, long, unsigned int, long, nsPermissionManager::NotifyOperationType, nsPermissionManager::DBOperationType) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:729
    #4 0x2b8f80abd44c in nsPermissionManager::RemoveFromPrincipal(nsIPrincipal*, char const*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:803
    #5 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #6 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #7 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #8 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #9 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #10 0x2b8f8293d85e in js::mjit::CallCompiler::generateNativeStub() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:777
    #11 0x2b8f8293cf53 in js::mjit::ic::NativeCall(js::VMFrame&, js::mjit::ic::CallICInfo*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MonoIC.cpp:1007
    #12 0x2b8f9500cde2 in
    #13 0x2b8f8279382f in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1016
    #14 0x2b8f82794433 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/methodjit/MethodJIT.cpp:1074
    #15 0x2b8f82297e2b in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:1464
    #16 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #17 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #18 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #19 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #20 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #21 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #22 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
previously allocated by thread T0 here:
    #0 0x441b31 in __interceptor_malloc ??:0
    #1 0x2b8f7d3ec2cd in moz_xmalloc /srv/repos/browser/mozilla-central-decoder/mozilla-central/memory/mozalloc/mozalloc.cpp:57
    #2 0x2b8f80ab87e8 in operator new(unsigned long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/../../dist/include/mozilla/mozalloc.h:200
    #3 0x2b8f80abc85e in nsPermissionManager::AddFromPrincipal(nsIPrincipal*, char const*, unsigned int, unsigned int, long) /srv/repos/browser/mozilla-central-decoder/mozilla-central/extensions/cookie/nsPermissionManager.cpp:590
    #4 0x2b8f813ee1a0 in NS_InvokeByIndex_P /srv/repos/browser/mozilla-central-decoder/mozilla-central/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:165
    #5 0x2b8f802f78a1 in CallMethodHelper::Invoke() /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #6 0x2b8f802f737a in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNative.cpp:2405
    #7 0x2b8f8030e3b2 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
    #8 0x2b8f822b83fb in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jscntxtinlines.h:372
    #9 0x2b8f822b6ec5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:337
    #10 0x2b8f822968e2 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:2405
    #11 0x2b8f822621c8 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:301
    #12 0x2b8f822babb6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:486
    #13 0x2b8f822bb264 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsinterp.cpp:523
    #14 0x2b8f820bca4f in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5702
    #15 0x2b8f820be447 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, char const*, unsigned long, JS::Value*) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/src/jsapi.cpp:5717
    #16 0x41119c in ProcessArgs(JSContext*, JSObject*, char**, int) /srv/repos/browser/mozilla-central-decoder/mozilla-central/js/xpconnect/shell/xpcshell.cpp:1215
    #17 0x2b8f8710730d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258


Marking s-s until triaged.
It also seems that the following tests fail with the same error:

extensions/cookie/test/unit/test_permmanager_notifications.js
browser/components/privatebrowsing/test/unit/test_privatebrowsingwrapper_removeDataFromDomain.js
browser/components/privatebrowsing/test/unit/test_removeDataFromDomain.js
Failure seems to be within nsPermissionManager, setting component appropriately.
Component: Networking → Networking: Cookies
Also responsible for failures in mochitest-other:

chrome://mochitests/content/chrome/extensions/cookie/test/test_app_uninstall.html
chrome://mochitests/content/browser/browser/components/preferences/tests/browser_chunk_permissions.js
Whiteboard: [asan][asan-test-failure][orange] → [asan][asan-test-failure]
Bisected this manually because it causes so many failures:

The first bad revision is:
changeset:   103491:789055abc89d
user:        Mounir Lamouri
date:        Thu Aug 23 11:37:31 2012 -0700
summary:     Bug 777072 - 4/7 - Update nsPermission to use appId/isInBrowserElement. r=sicking


Mounir, can you please check if this bisect is correct and if so, fix the regression? Thanks!
Christian, thanks for your help in tracking this down. I am marking this as assigned to Mounir based on comment 4, in order to make sure it is properly documented for our network security bug quota. Mounir, please let me know if/how I can help.
Assignee: nobody → mounir
Since this seems like it is likely to be sec-critical since it is a heap-use-after-free.
Keywords: sec-critical
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][sg:critical]
I guess we should block on that, unless we want to ship B2G v1 with a known security bug.
blocking-basecamp: --- → ?
Attached patch PatchSplinter Review
My patch is using |entry| but that object was implicitly freed a few lines before. I move the implicit free after the last use.
Attachment #662230 - Flags: review?(bsmith)
OS: Linux → All
Hardware: x86_64 → All
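The defect the patch comment describes, as an added example written for this page rather than code from Mozilla's nsPermissionManager: a hash-table entry owns its key, removing the entry from the table frees the key, and a field of the entry is read afterwards to build the change notification (the trace above shows the free at nsPermissionManager.cpp:729 via PL_DHashTableRawRemove and the 4-byte read at line 737). The PermissionTable, Entry and `freed` quarantine mark below are constructed for the illustration; the quarantine stands in for AddressSanitizer so that the bad ordering is detected without executing undefined behaviour. The fixed function applies the ordering the patch uses: read everything the caller still needs, then remove.

```cpp
#include <cstdint>
#include <cstdio>
#include <memory>
#include <stdexcept>
#include <string>
#include <unordered_map>
#include <vector>

// Key a permission is looked up by; field names follow the regressing bug's
// summary (appId / isInBrowserElement). Constructed for this example.
struct PermissionKey {
    std::string host;
    uint32_t appId;
    bool inBrowserElement;
    std::string id() const {
        return host + "|" + std::to_string(appId) + "|" + (inBrowserElement ? "1" : "0");
    }
};

// A table entry owns its key, so removing the entry destroys the key too.
// `freed` is the quarantine mark used here instead of a real deallocation.
struct Entry {
    Entry(const PermissionKey& k, uint32_t p) : key(k), permission(p) {}
    PermissionKey key;
    uint32_t permission;
    bool freed = false;
};

class PermissionTable {
public:
    Entry* add(const PermissionKey& key, uint32_t permission) {
        auto it = index_.find(key.id());
        if (it != index_.end()) {
            it->second->permission = permission;
            return it->second;
        }
        storage_.push_back(std::unique_ptr<Entry>(new Entry(key, permission)));
        Entry* e = storage_.back().get();
        index_[key.id()] = e;
        return e;
    }
    Entry* lookup(const PermissionKey& key) {
        auto it = index_.find(key.id());
        return it == index_.end() ? nullptr : it->second;
    }
    // Stand-in for PL_DHashTableRawRemove: the entry and its key leave the table
    // and, in real code, are freed. Here the memory is kept and only marked.
    void rawRemove(Entry* e) {
        index_.erase(e->key.id());
        e->freed = true;
    }
private:
    std::unordered_map<std::string, Entry*> index_;
    std::vector<std::unique_ptr<Entry>> storage_;
};

// Every read of a removed entry is reported, the way ASan reports the
// "READ of size 4" in the trace above.
uint32_t readPermission(const Entry* e) {
    if (e->freed) throw std::logic_error("heap-use-after-free: entry already removed");
    return e->permission;
}

// Before the patch: remove first, then read the entry for the notification.
uint32_t removeThenRead(PermissionTable& t, Entry* e) {
    t.rawRemove(e);             // frees the key/entry
    return readPermission(e);   // use after free
}

// After the patch: the free is moved after the last use of the entry.
uint32_t readThenRemove(PermissionTable& t, Entry* e) {
    uint32_t old = readPermission(e);   // last use
    t.rawRemove(e);                     // now safe to free
    return old;
}

// Runs the buggy ordering under the quarantine and reports whether it was caught.
bool buggyOrderIsDetected() {
    PermissionTable t;
    Entry* e = t.add(PermissionKey{"example.test", 0u, false}, 1);
    try {
        removeThenRead(t, e);
    } catch (const std::logic_error&) {
        return true;
    }
    return false;
}

// Runs the fixed ordering and returns the permission value it reported.
uint32_t fixedOrderResult() {
    PermissionTable t;
    Entry* e = t.add(PermissionKey{"example.test", 0u, false}, 1);
    return readThenRemove(t, e);
}

int main() {
    std::printf("buggy order detected: %s\n", buggyOrderIsDetected() ? "yes" : "no");
    std::printf("fixed order returned: %u\n", fixedOrderResult());
    return 0;
}
```

The quarantine only catches reads that go through readPermission; real ASan instruments every load and store, which is why the xpcshell test above failed only in the ASan build and not in the ordinary debug or opt builds.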
Comment on attachment 662230 [details] [diff] [review]
Patch

Review of attachment 662230 [details] [diff] [review]:
-----------------------------------------------------------------

LGTM. Thanks.
Attachment #662230 - Flags: review?(bsmith) → review+
Blocks: 792378
Keywords: regression
blocking-basecamp: ? → +
Target Milestone: --- → mozilla18
https://hg.mozilla.org/mozilla-central/rev/bf856d547865
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Blocks: 777072
Comment on attachment 662230 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 777072
User impact if declined: security issues
Risk to taking this patch (and alternatives if risky): risk is very low, the patch is trivial (just moving the place we release the object from a few lines
String or UUID changes made by this patch: none
Attachment #662230 - Flags: approval-mozilla-aurora?
Comment on attachment 662230 [details] [diff] [review]
Patch

[Triage Comment]
Low risk, sec-critical regression in FF17. Approving for Aurora.
Attachment #662230 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [asan][asan-test-failure][sg:critical] → [asan][asan-test-failure][sg:critical][qa-]
Whiteboard: [asan][asan-test-failure][sg:critical][qa-] → [asan][asan-test-failure][sg:critical][qa-][adv-track-main17-]
Group: core-security
Whiteboard: [asan][asan-test-failure][sg:critical][qa-][adv-track-main17-] → [asan][asan-test-failure][qa-][adv-track-main17-]