Closed Bug 789766 Opened 13 years ago Closed 13 years ago

Heap-use-after-free in XPCWrappedNativeProto::GetScope

Categories

(Core :: XPConnect, defect)

x86_64
All
defect
Not set
normal

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox18 --- affected

People

(Reporter: inferno, Assigned: bholley)

Details

(Keywords: sec-critical, Whiteboard: [asan] maybe dupe of bug 786142)

Attachments

(1 file)

Reproduces on trunk, trying to get a good repro.

=================================================================
==18637== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc3259aa180 at pc 0x7fc36e6cf970 bp 0x7fffb0b16e90 sp 0x7fffb0b16e88
READ of size 8 at 0x7fc3259aa180 thread T0
    #0 0x7fc36e6cf96f in XPCWrappedNativeProto::GetScope() const src/js/xpconnect/src/xpcprivate.h:2360
    #1 0x7fc36e6aa098 in XPCWrappedNative::GetScope() const src/js/xpconnect/src/xpcprivate.h:2668
    #2 0x7fc36ea2aa1d in XPCWrappedNative::Destroy() src/js/xpconnect/src/XPCWrappedNative.cpp:919
    #3 0x7fc36ea2a566 in ~XPCWrappedNative src/js/xpconnect/src/XPCWrappedNative.cpp:902
    #4 0x7fc36ea2a398 in ~XPCWrappedNative src/js/xpconnect/src/XPCWrappedNative.cpp:899
    #5 0x7fc36ea2ff80 in XPCWrappedNative::Release() src/js/xpconnect/src/XPCWrappedNative.cpp:1213
    #6 0x7fc36e6ebe8f in ~nsRefPtr src/../../../dist/include/nsAutoPtr.h:874
    #7 0x7fc36e6aa442 in ~nsRefPtr src/../../../dist/include/nsAutoPtr.h:872
    #8 0x7fc36e6ea7b2 in nsTArrayElementTraits<nsRefPtr<XPCWrappedNative> >::Destruct(nsRefPtr<XPCWrappedNative>*) src/../../../dist/include/nsTArray.h:348
    #9 0x7fc36e6ea5c3 in nsTArray<nsRefPtr<XPCWrappedNative>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) src/../../../dist/include/nsTArray.h:1213
    #10 0x7fc36e6ea06c in nsTArray<nsRefPtr<XPCWrappedNative>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) src/../../../dist/include/nsTArray.h:933
    #11 0x7fc36e6e9dae in nsTArray<nsRefPtr<XPCWrappedNative>, nsTArrayDefaultAllocator>::Clear() src/../../../dist/include/nsTArray.h:944
    #12 0x7fc36e6e9c7a in ~nsTArray src/../../../dist/include/nsTArray.h:430
    #13 0x7fc36e6b9e02 in ~nsTArray src/../../../dist/include/nsTArray.h:430
    #14 0x7fc36e6b6036 in nsXPConnect::MoveWrappers(JSContext*, JSObject*, JSObject*) src/js/xpconnect/src/nsXPConnect.cpp:1698
    #15 0x7fc369747ad9 in nsContentUtils::ReparentContentWrappersInScope(JSContext*, nsIScriptGlobalObject*, nsIScriptGlobalObject*) src/content/base/src/nsContentUtils.cpp:1730
    #16 0x7fc36b31de4f in nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) src/content/html/document/src/nsHTMLDocument.cpp:1519
    #17 0x7fc36b323f84 in nsHTMLDocument::WriteCommon(JSContext*, nsAString_internal const&, bool) src/content/html/document/src/nsHTMLDocument.cpp:1703
    #18 0x7fc36b325965 in nsHTMLDocument::Write(nsAString_internal const&, JSContext*) src/content/html/document/src/nsHTMLDocument.cpp:1752
    #19 0x7fc36eca5ea1 in nsIDOMHTMLDocument_Write(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:13713
    #20 0x7fc379c44781 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #21 0x7fc3794d6e1c in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #22 0x7fc379c4a13b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #23 0x7fc37a0bd167 in js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:451
    #24 0x7fc37a8c6280 in js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:316
    #25 0x7fc37a8d7825 in js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:648
    #26 0x7fc37a8d7ef4 in non-virtual thunk to js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) ??:0
    #27 0x7fc37a147fcd in js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:2457
    #28 0x7fc37a1629fc in proxy_Call(JSContext*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:2989
    #29 0x7fc379c440fd in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #30 0x7fc379bd18c1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2406
    #31 0x7fc379b38902 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #32 0x7fc379c51ab6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
    #33 0x7fc37b0bc5a3 in EvalKernel(JSContext*, JS::CallArgs const&, EvalType, js::StackFrame*, JS::Handle<JSObject*>) src/js/src/builtin/Eval.cpp:284
    #34 0x7fc37b0bd938 in js::DirectEval(JSContext*, JS::CallArgs const&) src/js/src/builtin/Eval.cpp:333
    #35 0x7fc37b879f90 in js::mjit::stubs::Eval(js::VMFrame&, unsigned int) src/js/src/methodjit/InvokeHelpers.cpp:393
    #36 0x7fc37b20f84a in throwpoline_exit src/js/src/methodjit/MethodJIT.cpp:0
    #37 0x7fc37b211d57 in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) src/js/src/methodjit/MethodJIT.cpp:1016
    #38 0x7fc37b2138e0 in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) src/js/src/methodjit/MethodJIT.cpp:1074
    #39 0x7fc37b213d39 in js::mjit::JaegerShotAtSafePoint(JSContext*, void*, bool) src/js/src/methodjit/MethodJIT.cpp:1092
    #40 0x7fc379b58336 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:1465
    #41 0x7fc379b38902 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #42 0x7fc379c51ab6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
    #43 0x7fc379c53a6e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:523
    #44 0x7fc3793a62a4 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5727
    #45 0x7fc36baf7bdd in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1499
    #46 0x7fc36bcb061f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9609
    #47 0x7fc36bc67f69 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9870
    #48 0x7fc36bcae67a in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10137
    #49 0x7fc3735925a2 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #50 0x7fc373593c98 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #51 0x7fc37355723e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #52 0x7fc3731ed577 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #53 0x7fc371f9b655 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #54 0x7fc3738022c9 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #55 0x7fc373802112 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #56 0x7fc373801ff7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #57 0x7fc37144cace in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #58 0x7fc370087268 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:273
    #59 0x7fc3666bef30 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3835
    #60 0x7fc3666c51a4 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3912
    #61 0x7fc3666c826e in XRE_main src/toolkit/xre/nsAppRunner.cpp:3988
    #62 0x40c5bb in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #63 0x409e20 in main src/browser/app/nsBrowserApp.cpp:279
0x7fc3259aa180 is located 0 bytes inside of 64-byte region [0x7fc3259aa180,0x7fc3259aa1c0)
freed by thread T0 here:
    #0 0x4c3e30 in free ??:0
    #1 0x7fc3802ef572 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7fc36e90d899 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fc37981adb3 in JS_DHashTableEnumerate src/js/src/jsdhash.cpp:708
    #4 0x7fc36e90a48a in XPCWrappedNativeProtoMap::Enumerate(JSDHashOperator (*)(JSDHashTable*, JSDHashEntryHdr*, unsigned int, void*), void*) src/js/xpconnect/src/XPCMaps.h:592
    #5 0x7fc36e90955c in XPCJSRuntime::FinalizeCallback(JSFreeOp*, JSFinalizeStatus, int) src/js/xpconnect/src/XPCJSRuntime.cpp:936
    #6 0x7fc3799a7be1 in BeginSweepPhase(JSRuntime*) src/js/src/jsgc.cpp:3770
    #7 0x7fc3799a2490 in IncrementalCollectSlice(JSRuntime*, long, js::gcreason::Reason, js::JSGCInvocationKind) src/js/src/jsgc.cpp:4205
    #8 0x7fc37999fd62 in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) src/js/src/jsgc.cpp:4383
    #9 0x7fc379954ec9 in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) src/js/src/jsgc.cpp:4491
    #10 0x7fc379955956 in js::GCFinalSlice(JSRuntime*, js::JSGCInvocationKind, js::gcreason::Reason) src/js/src/jsgc.cpp:4535
    #11 0x7fc3798a1d18 in js::FinishIncrementalGC(JSRuntime*, js::gcreason::Reason) src/js/src/jsfriendapi.cpp:177
    #12 0x7fc3792f44a3 in JS_TransplantObject src/js/src/jsapi.cpp:1618
    #13 0x7fc36fa44e85 in xpc::TransplantObject(JSContext*, JSObject*, JSObject*) src/js/xpconnect/wrappers/WrapperFactory.cpp:664
    #14 0x7fc36ea34d9e in XPCWrappedNative::ReparentWrapperIfFound(XPCCallContext&, XPCWrappedNativeScope*, XPCWrappedNativeScope*, JSObject*, nsISupports*, XPCWrappedNative**) src/js/xpconnect/src/XPCWrappedNative.cpp:1669
    #15 0x7fc36e6b9245 in MoveWrapper(XPCCallContext&, XPCWrappedNative*, XPCWrappedNativeScope*, XPCWrappedNativeScope*) src/js/xpconnect/src/nsXPConnect.cpp:1656
    #16 0x7fc36e6b8cc4 in MoveWrapper(XPCCallContext&, XPCWrappedNative*, XPCWrappedNativeScope*, XPCWrappedNativeScope*) src/js/xpconnect/src/nsXPConnect.cpp:1633
    #17 0x7fc36e6b5cc0 in nsXPConnect::MoveWrappers(JSContext*, JSObject*, JSObject*) src/js/xpconnect/src/nsXPConnect.cpp:1693
    #18 0x7fc369747ad9 in nsContentUtils::ReparentContentWrappersInScope(JSContext*, nsIScriptGlobalObject*, nsIScriptGlobalObject*) src/content/base/src/nsContentUtils.cpp:1730
    #19 0x7fc36b31de4f in nsHTMLDocument::Open(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, JSContext*, unsigned char, nsISupports**) src/content/html/document/src/nsHTMLDocument.cpp:1519
    #20 0x7fc36b323f84 in nsHTMLDocument::WriteCommon(JSContext*, nsAString_internal const&, bool) src/content/html/document/src/nsHTMLDocument.cpp:1703
    #21 0x7fc36b325965 in nsHTMLDocument::Write(nsAString_internal const&, JSContext*) src/content/html/document/src/nsHTMLDocument.cpp:1752
    #22 0x7fc36eca5ea1 in nsIDOMHTMLDocument_Write(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:13713
    #23 0x7fc379c44781 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #24 0x7fc3794d6e1c in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #25 0x7fc379c4a13b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #26 0x7fc37a0bd167 in js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:451
    #27 0x7fc37a8c6280 in js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:316
    #28 0x7fc37a8d7825 in js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:648
    #29 0x7fc37a8d7ef5 in non-virtual thunk to js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) ??:0
previously allocated by thread T0 here:
    #0 0x4c3ef0 in __interceptor_malloc ??:0
    #1 0x7fc3802ef6c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fc36ead7c15 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fc36ea22573 in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) src/js/xpconnect/src/XPCWrappedNative.cpp:599
    #4 0x7fc36e8515a0 in XPCConvert::NativeInterface2JSObject(XPCLazyCallContext&, JS::Value*, nsIXPConnectJSObjectHolder**, xpcObjectHelper&, nsID const*, XPCNativeInterface**, bool, unsigned int*) src/js/xpconnect/src/XPCConvert.cpp:926
    #5 0x7fc36e6ac204 in NativeInterface2JSObject(XPCLazyCallContext&, JSObject*, nsISupports*, nsWrapperCache*, nsID const*, bool, JS::Value*, nsIXPConnectJSObjectHolder**) src/js/xpconnect/src/nsXPConnect.cpp:1232
    #6 0x7fc36e6ab6fb in nsXPConnect::WrapNative(JSContext*, JSObject*, nsISupports*, nsID const&, nsIXPConnectJSObjectHolder**) src/js/xpconnect/src/nsXPConnect.cpp:1264
    #7 0x7fc36e990c04 in XPCThrower::ThrowExceptionObject(JSContext*, nsIException*) src/js/xpconnect/src/XPCThrower.cpp:252
    #8 0x7fc36e98e99a in XPCThrower::BuildAndThrowException(JSContext*, unsigned int, char const*) src/js/xpconnect/src/XPCThrower.cpp:201
    #9 0x7fc36eafc4b4 in ThrowBadArg(JSContext*, unsigned int, char const*, long, char const*, unsigned int) src/js/xpconnect/src/XPCQuickStubs.cpp:513
    #10 0x7fc36eafbbbd in xpc_qsThrowBadArg(JSContext*, unsigned int, JS::Value*, unsigned int) src/js/xpconnect/src/XPCQuickStubs.cpp:525
    #11 0x7fc36ed0e2b3 in nsIDOMXPathEvaluator_CreateExpression(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:19721
    #12 0x7fc379c44781 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #13 0x7fc3794d6e1c in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #14 0x7fc379c4a13b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:388
    #15 0x7fc37a0bd167 in js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:451
    #16 0x7fc37a8c6280 in js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:316
    #17 0x7fc37a8d7825 in js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:648
    #18 0x7fc37a8d7ef4 in non-virtual thunk to js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) ??:0
    #19 0x7fc37a147fcd in js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:2457
    #20 0x7fc37a1629fc in proxy_Call(JSContext*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:2989
    #21 0x7fc379c440fd in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #22 0x7fc379bd18c1 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2406
    #23 0x7fc379b38902 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:301
    #24 0x7fc379c51ab7 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:486
Shadow byte and word:
  0x1ff864b35430: fd
  0x1ff864b35430: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff864b35410: 00 00 00 00 00 03 fb fb
  0x1ff864b35418: fb fb fb fb fb fb fb fb
  0x1ff864b35420: fa fa fa fa fa fa fa fa
  0x1ff864b35428: fa fa fa fa fa fa fa fa
=>0x1ff864b35430: fd fd fd fd fd fd fd fd
  0x1ff864b35438: fd fd fd fd fd fd fd fd
  0x1ff864b35440: fa fa fa fa fa fa fa fa
  0x1ff864b35448: fa fa fa fa fa fa fa fa
  0x1ff864b35450: 00 00 00 00 00 00 00 00
Stats: 302M malloced (356M for red zones) by 765404 calls
Stats: 64M realloced by 58983 calls
Stats: 266M freed by 517871 calls
Stats: 150M really freed by 142082 calls
Stats: 556M (142423 full pages) mmaped in 139 calls
  mmaps   by size class: 8:540639; 9:65528; 10:12285; 11:16376; 12:4096; 13:4096; 14:1280; 15:256; 16:320; 17:1280; 18:208; 19:40; 20:20;
  mallocs by size class: 8:623932; 9:89157; 10:17305; 11:20526; 12:5006; 13:4595; 14:2241; 15:462; 16:519; 17:1358; 18:242; 19:44; 20:17;
  frees   by size class: 8:395483; 9:78399; 10:13873; 11:17324; 12:4107; 13:4341; 14:1942; 15:418; 16:368; 17:1340; 18:221; 19:41; 20:14;
  rfrees  by size class: 8:92278; 9:27066; 10:5581; 11:12162; 12:1162; 13:932; 14:1132; 15:213; 16:223; 17:1257; 18:52; 19:23; 20:1;
Stats: malloc large: 1661 small slow: 3166
==18637== ABORTING
Component: General → XPConnect
Product: Firefox → Core
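As an added example (not code from the bug, its reporter, or Mozilla): a small Python triage parser for the AddressSanitizer report format shown in comment 0. It pulls out the faulting access, the freed-by stack and the allocated-by stack, skips allocator and interceptor frames to answer where the object was freed and where it was allocated, and derives a function-name signature from the faulting stack, the kind of signature a fuzzing pipeline uses to decide whether two crashes (here, this bug and bug 786142, which the whiteboard flags as a possible duplicate) are the same defect. The sample report is a constructed, trimmed copy of the one above; the class and function names are my own.

```python
"""Triage helper for AddressSanitizer reports such as the one in this bug (added example)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the structure of the report in comment 0, trimmed to a few frames per
# stack. Addresses, symbols and file:line values are copied from that report.
SAMPLE_REPORT = """\
==18637== ERROR: AddressSanitizer heap-use-after-free on address 0x7fc3259aa180 at pc 0x7fc36e6cf970 bp 0x7fffb0b16e90 sp 0x7fffb0b16e88
READ of size 8 at 0x7fc3259aa180 thread T0
    #0 0x7fc36e6cf96f in XPCWrappedNativeProto::GetScope() const src/js/xpconnect/src/xpcprivate.h:2360
    #1 0x7fc36e6aa098 in XPCWrappedNative::GetScope() const src/js/xpconnect/src/xpcprivate.h:2668
    #2 0x7fc36ea2aa1d in XPCWrappedNative::Destroy() src/js/xpconnect/src/XPCWrappedNative.cpp:919
    #3 0x7fc36e6b6036 in nsXPConnect::MoveWrappers(JSContext*, JSObject*, JSObject*) src/js/xpconnect/src/nsXPConnect.cpp:1698
0x7fc3259aa180 is located 0 bytes inside of 64-byte region [0x7fc3259aa180,0x7fc3259aa1c0)
freed by thread T0 here:
    #0 0x4c3e30 in free ??:0
    #1 0x7fc3802ef572 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7fc36e90d899 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fc37981adb3 in JS_DHashTableEnumerate src/js/src/jsdhash.cpp:708
previously allocated by thread T0 here:
    #0 0x4c3ef0 in __interceptor_malloc ??:0
    #1 0x7fc3802ef6c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fc36ead7c15 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fc36ea22573 in XPCWrappedNative::GetNewOrUsed(XPCCallContext&, xpcObjectHelper&, XPCWrappedNativeScope*, XPCNativeInterface*, XPCWrappedNative**) src/js/xpconnect/src/XPCWrappedNative.cpp:599
Shadow byte and word:
==18637== ABORTING
"""


@dataclass
class Frame:
    index: int
    pc: str
    function: str   # symbol as printed, including its parameter list
    location: str   # file:line, or "??:0" when unsymbolized


@dataclass
class AsanReport:
    kind: str = ""                # e.g. "heap-use-after-free"
    address: str = ""
    access: tuple = ()            # ("READ", 8): direction and width of the bad access
    region_offset: int = -1       # where the address falls inside the freed region
    region_size: int = -1
    stacks: dict = field(default_factory=dict)  # "access" | "freed" | "allocated" -> [Frame]


_HEADER = re.compile(r"ERROR: AddressSanitizer:? (\S+) on address (0x[0-9a-fA-F]+)")
_ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
_REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# Function text may contain spaces ("operator new(unsigned long)"); the location never does,
# so the last whitespace-separated token is the location and everything before it the symbol.
_FRAME = re.compile(r"^\s*#(\d+)\s+(0x[0-9a-fA-F]+)\s+in\s+(.*\S)\s+(\S+)$")
# Allocator and interceptor frames carry no triage information.
_ALLOCATOR_NOISE = {"free", "malloc", "calloc", "realloc", "moz_free", "moz_xmalloc",
                    "operator new", "operator delete"}


def parse_asan_report(text):
    """Parse an ASan report into an AsanReport; lines that are not understood are ignored."""
    report = AsanReport()
    current = None                # which stack the next "#N" frame belongs to
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _HEADER.search(line)):
            report.kind, report.address = m.group(1), m.group(2)
        elif (m := _ACCESS.match(line)):
            report.access = (m.group(1), int(m.group(2)))
            current = "access"
            report.stacks[current] = []
        elif (m := _REGION.search(line)):
            report.region_offset, report.region_size = int(m.group(1)), int(m.group(2))
            current = None
        elif line.startswith("freed by thread"):
            current = "freed"
            report.stacks[current] = []
        elif line.startswith("previously allocated by thread"):
            current = "allocated"
            report.stacks[current] = []
        elif line.startswith("Shadow byte") or line.endswith("ABORTING"):
            current = None
        elif current is not None and (m := _FRAME.match(line)):
            report.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return report


def _symbol(frame):
    """Function name without its parameter list ("operator new(unsigned long)" -> "operator new")."""
    return frame.function.split("(")[0].strip()


def first_meaningful_frame(report, stack):
    """First frame of `stack` that is not allocator/interceptor noise, or None."""
    for frame in report.stacks.get(stack, []):
        name = _symbol(frame)
        if name not in _ALLOCATOR_NOISE and not name.startswith("__interceptor_"):
            return frame
    return None


def crash_signature(report, depth=3):
    """Top `depth` functions of the faulting stack. Symbols, unlike addresses, survive ASLR
    and rebuilds, so reports sharing a signature are likely the same bug."""
    return " | ".join(_symbol(f) for f in report.stacks.get("access", [])[:depth])


def triage(text):
    """One-shot summary a fuzzing pipeline would attach to a new crash."""
    r = parse_asan_report(text)
    freed = first_meaningful_frame(r, "freed")
    allocated = first_meaningful_frame(r, "allocated")
    return {
        "kind": r.kind,
        "access": r.access,
        "region": (r.region_offset, r.region_size),
        "signature": crash_signature(r),
        "freed_in": _symbol(freed) if freed else None,
        "allocated_in": _symbol(allocated) if allocated else None,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key:13} {value}")
```

On the report above this yields a 64-byte XPCWrappedNative allocated under GetNewOrUsed, freed during a GC sweep reached from JS_DHashTableEnumerate, and read back through XPCWrappedNativeProto::GetScope while MoveWrappers tears down its wrapper array, which is the same picture a reader has to assemble by hand from the three stacks.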
Attached file Testcase
Reliably reproduces with multiple instances, on my machine, like 15.
This might be a dupe of bug 786142 since it also involved MoveWrapper.
Keywords: sec-critical
Whiteboard: [asan] maybe dupe of bug 786142
Assigning to Bobby since he's on bug 786142.
Assignee: nobody → bobbyholley+bmo
Bobby, does the low-risk patch on bug 786142 fix this one?
I can't reproduce this on nightly OSX. The test case is slightly interactive though, so maybe I'm clicking "ok" when I should hit "cancel" or something?
No user interaction required as I last remember, you just need to start multiple firefox instances (like 10-15) using an automated script and provide testcase path from command line. This was found on linux, so timings on other OS might vary.
(In reply to Abhishek Arya from comment #6)
> No user interaction required as I last remember, you just need to start
> multiple firefox instances (like 10-15) using an automated script and
> provide testcase path from command line. This was found on linux, so timings
> on other OS might vary.

Ok - if you have a moment, can you give it a shot with the build here and see if you can still reproduce? http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bobbyholley@gmail.com-67e2dd27223e/try-linux-debug/
(In reply to Bobby Holley (:bholley) from comment #7)
> (In reply to Abhishek Arya from comment #6)
> > No user interaction required as I last remember, you just need to start
> > multiple firefox instances (like 10-15) using an automated script and
> > provide testcase path from command line. This was found on linux, so timings
> > on other OS might vary.
>
> Ok - if you have a moment, can you give it a shot with the build here and
> see if you can still reproduce?
> http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/bobbyholley@gmail.com-67e2dd27223e/try-linux-debug/

I am on vacation till Monday/Tuesday, I can check it after that. I would need you to upload a patch here so I can build on my ASAN build [memory tool] and check.
(In reply to Abhishek Arya from comment #8)
> I am on vacation till Monday/Tuesday, I can check it after that. I would
> need you to upload a patch here so I can build on my ASAN build [memory
> tool] and check.

Great, thanks! The patch is the "lowest risk" patch in bug 786142. You also appear to have reported that bug as well, so presumably you have access. :-)
(In reply to Bobby Holley (:bholley) from comment #10)
> (In reply to Abhishek Arya from comment #8)
> > I am on vacation till Monday/Tuesday, I can check it after that. I would
> > need you to upload a patch here so I can build on my ASAN build [memory
> > tool] and check.
>
> Great, thanks! The patch is the "lowest risk" patch in bug 786142. You also
> appear to have reported that bug as well, so presumably you have access. :-)

Sorry! I tried hard to reproduce this on trunk and also on an old build around 09/08. I cannot reproduce it anymore using the testcase. Looks like this turned out to be a really bad flaky test. Feel free to close out the bug, I will update if I get a better/reproducible testcase.
Closing works for me. Thanks Abhishek and Bobby!
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security