Closed
Bug 802599
Opened 12 years ago
Closed 11 years ago
Assertion failure: false, at toolkit/components/places/AsyncFaviconHelpers.cpp:527 Crash [@ AsyncFetchAndSetIconForPage] or use-after-free across threads
Categories
(Toolkit :: Places, defect)
RESOLVED
WORKSFORME
People
(Reporter: decoder, Unassigned)
Details
(Keywords: csectype-uaf, Whiteboard: [asan])
Attachments
(3 files)
The attached test (from a crossfuzz instance) triggers some assertions and crashes, but in an opt-build (AddressSanitizer) it also shows a use-after-free. To reproduce, the following instructions should work on Linux:

1. Download an AddressSanitizer debug and opt build at http://people.mozilla.org/~choller/firefox/asan/

2. Unpack the attached test, create a new profile, move prefs.js from the test to the profile (might not be necessary, but it enables stuff like private browsing to prevent caching effects etc.)

3. Open cross_fuzz_randomized_20110105_seed.html with the debug build; after at most 30 seconds you should get:

WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsSimpleURI.cpp, line 272
WARNING: attempt to modify an immutable nsStandardURL: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsStandardURL.cpp, line 1210
Assertion failure: false, at /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:527
ASAN:SIGSEGV
=================================================================
==701== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f98623049b5 sp 0x7fff0ce65440 bp 0x7fff0ce65550 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f98623049b4 in AsyncFetchAndSetIconForPage /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:528
    #1 0x7f9862304082 in mozilla::places::AsyncFetchAndSetIconForPage::start(nsIURI*, nsIURI*, mozilla::places::AsyncFaviconFetchMode, unsigned int, nsIFaviconDataCallback*) /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:489
[...]

4. Start the opt-build firefox (I recommend using "taskset -c 0 firefox/firefox cross_fuzz_randomized_20110105_seed.html" because the issue is a thread race which reproduces much more reliably on a single core) and you should see after at most 30 seconds:

==992== ERROR: AddressSanitizer heap-use-after-free on address 0x7eff7a7d2cc0 at pc 0x7effb43bc7af bp 0x7eff792fe710 sp 0x7eff792fe708
READ of size 4 at 0x7eff7a7d2cc0 thread T29
    #0 0x7effb43bc7ae in nsAutoRefCnt::operator unsigned int() const /builds/slave/try-lnx64/build/../../../dist/include/nsISupportsImpl.h:266
    #1 0x7effb491cb74 in ~nsCOMPtr_base /builds/slave/try-lnx64/build/../../../dist/include/nsCOMPtr.h:408
0x7eff7a7d2cc0 is located 64 bytes inside of 120-byte region [0x7eff7a7d2c80,0x7eff7a7d2cf8)
freed by thread T0 here:
    #0 0x4335e0 in free ??:0
    #1 0x7effb43bc6c6 in nsXPCWrappedJS::Release() /builds/slave/try-lnx64/build/js/xpconnect/src/XPCWrappedJS.cpp:197
[... full log attached ...]

I don't know if the two issues are related to each other. Marking s-s due to use-after-free.

Version Info: The opt-build I tried was from rev 942ed5747b63, the debug build was from 8f702f78a929.
Comment 1 (Reporter) • 12 years ago
Comment 2 (Reporter) • 12 years ago
Updated (Reporter) • 12 years ago
Attachment #672293 - Attachment mime type: application/java-archive → application/zip
Comment 3•12 years ago
fixed by bug 722983 ?
Comment 4•11 years ago
decoder, is this bug still reproducible? see comment 3
Flags: needinfo?(choller)
Comment 5 (Reporter) • 11 years ago
Wasn't able to reproduce this with a recent build. I'll mark it as WFM.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME
Updated (Reporter) • 11 years ago
Flags: needinfo?(choller)
Updated•10 years ago
Group: core-security