Closed Bug 802599 Opened 8 years ago Closed 7 years ago

Assertion failure: false, at toolkit/components/places/AsyncFaviconHelpers.cpp:527 Crash [@ AsyncFetchAndSetIconForPage] or use-after-free across threads


(Toolkit :: Places, defect)






(Reporter: decoder, Unassigned)


(Keywords: csectype-uaf, Whiteboard: [asan])



(3 files)

Attached file Test case for browser
The attached test (from a crossfuzz instance) triggers some assertions and crashes, but in an opt-build (AddressSanitizer) it also shows a use-after-free. To reproduce, the following instructions should work on Linux:

1. Download AddressSanitizer debug and opt builds at

2. Unpack the attached test, create a new profile, move prefs.js from the test to the profile (might not be necessary, but it enables stuff like private browsing to prevent caching effects etc.)

3. Open cross_fuzz_randomized_20110105_seed.html with the debug build, after at most 30 seconds you should get:

WARNING: NS_ENSURE_TRUE(mMutable) failed: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsSimpleURI.cpp, line 272
WARNING: attempt to modify an immutable nsStandardURL: file /builds/slave/try-lnx64-dbg/build/netwerk/base/src/nsStandardURL.cpp, line 1210
Assertion failure: false, at /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:527
==701== ERROR: AddressSanitizer crashed on unknown address 0x000000000000 (pc 0x7f98623049b5 sp 0x7fff0ce65440 bp 0x7fff0ce65550 T0)
AddressSanitizer can not provide additional info.
    #0 0x7f98623049b4 in AsyncFetchAndSetIconForPage /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:528
    #1 0x7f9862304082 in mozilla::places::AsyncFetchAndSetIconForPage::start(nsIURI*, nsIURI*, mozilla::places::AsyncFaviconFetchMode, unsigned int, nsIFaviconDataCallback*) /builds/slave/try-lnx64-dbg/build/toolkit/components/places/AsyncFaviconHelpers.cpp:489

4. Start the opt-build firefox (I recommend using "taskset -c 0 firefox/firefox cross_fuzz_randomized_20110105_seed.html" because the issue is a thread race which reproduces much more reliably on a single core) and you should see after at most 30 seconds:

==992== ERROR: AddressSanitizer heap-use-after-free on address 0x7eff7a7d2cc0 at pc 0x7effb43bc7af bp 0x7eff792fe710 sp 0x7eff792fe708
READ of size 4 at 0x7eff7a7d2cc0 thread T29
    #0 0x7effb43bc7ae in nsAutoRefCnt::operator unsigned int() const /builds/slave/try-lnx64/build/../../../dist/include/nsISupportsImpl.h:266
    #1 0x7effb491cb74 in ~nsCOMPtr_base /builds/slave/try-lnx64/build/../../../dist/include/nsCOMPtr.h:408
0x7eff7a7d2cc0 is located 64 bytes inside of 120-byte region [0x7eff7a7d2c80,0x7eff7a7d2cf8)
freed by thread T0 here:
    #0 0x4335e0 in free ??:0
    #1 0x7effb43bc6c6 in nsXPCWrappedJS::Release() /builds/slave/try-lnx64/build/js/xpconnect/src/XPCWrappedJS.cpp:197

[... full log attached ...]

I don't know if the two issues are related to each other. Marking s-s due to use-after-free.

Version Info: The opt-build I tried was from rev 942ed5747b63, the debug build was from 8f702f78a929.
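An added example for triaging reports like the two quoted above; it is not part of the bug, the test case or Mozilla's tooling. The script parses an AddressSanitizer report, pulls out the error kind, the accessing and freeing threads, the offset into the freed region and the first non-allocator frame of each stack, and tags the result [cross-thread] when the use and the free happened on different threads, which is exactly the property that makes the reporter's single-core taskset hint relevant (T29 reads a refcount that T0 already freed). The sample input is the opt-build excerpt from the comment. The regular expressions are my assumptions about the ASan output format of that era and of current builds (which put a colon after "AddressSanitizer"); adjust them if your toolchain prints something else.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: the opt-build report excerpt quoted in the bug comment above.
SAMPLE_REPORT = """\
==992== ERROR: AddressSanitizer heap-use-after-free on address 0x7eff7a7d2cc0 at pc 0x7effb43bc7af bp 0x7eff792fe710 sp 0x7eff792fe708
READ of size 4 at 0x7eff7a7d2cc0 thread T29
    #0 0x7effb43bc7ae in nsAutoRefCnt::operator unsigned int() const /builds/slave/try-lnx64/build/../../../dist/include/nsISupportsImpl.h:266
    #1 0x7effb491cb74 in ~nsCOMPtr_base /builds/slave/try-lnx64/build/../../../dist/include/nsCOMPtr.h:408
0x7eff7a7d2cc0 is located 64 bytes inside of 120-byte region [0x7eff7a7d2c80,0x7eff7a7d2cf8)
freed by thread T0 here:
    #0 0x4335e0 in free ??:0
    #1 0x7effb43bc6c6 in nsXPCWrappedJS::Release() /builds/slave/try-lnx64/build/js/xpconnect/src/XPCWrappedJS.cpp:197
"""

# Allocator frames tell a triager nothing; the caller of free/malloc is what matters.
ALLOCATOR_FUNCS = {"free", "malloc", "calloc", "realloc"}

# Assumed ASan line formats (old "AddressSanitizer <kind>" and newer "AddressSanitizer: <kind>").
HEADER = re.compile(r"^==\d+==\s*ERROR: AddressSanitizer:?\s+(?P<kind>[\w-]+) on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+)")
ACCESS = re.compile(r"^(?P<access>READ|WRITE) of size (?P<size>\d+) at 0x[0-9a-fA-F]+ thread (?P<thread>T\d+)")
FREED = re.compile(r"^freed by thread (?P<thread>T\d+) here:")
ALLOC = re.compile(r"^previously allocated by thread (?P<thread>T\d+) here:")
FRAME = re.compile(r"^\s*#(?P<n>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+)$")
REGION = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region")


@dataclass
class Frame:
    index: int
    func: str
    location: str  # file:line, or "??:0" when unsymbolized


@dataclass
class AsanReport:
    kind: str                         # e.g. "heap-use-after-free", "crashed"
    address: int
    access: Optional[str] = None      # "READ" / "WRITE"
    size: Optional[int] = None
    access_thread: Optional[str] = None
    free_thread: Optional[str] = None
    alloc_thread: Optional[str] = None
    offset: Optional[int] = None      # bytes into the region
    region_size: Optional[int] = None
    access_frames: List[Frame] = field(default_factory=list)
    free_frames: List[Frame] = field(default_factory=list)
    alloc_frames: List[Frame] = field(default_factory=list)

    @property
    def cross_thread(self) -> bool:
        """True when the freeing thread differs from the accessing thread: a lifetime race."""
        return (self.access_thread is not None and self.free_thread is not None
                and self.access_thread != self.free_thread)


def parse_report(text: str) -> Optional[AsanReport]:
    """Parse one ASan report; noise before the ERROR header (warnings, assertions) is skipped."""
    report: Optional[AsanReport] = None
    frames: List[Frame] = []  # the stack that "#n" lines currently belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m:
            report = AsanReport(kind=m.group("kind"), address=int(m.group("addr"), 16))
            frames = report.access_frames
            continue
        if report is None:
            continue
        m = ACCESS.match(line)
        if m:
            report.access, report.size = m.group("access"), int(m.group("size"))
            report.access_thread = m.group("thread")
            continue
        m = REGION.search(line)
        if m:
            report.offset, report.region_size = int(m.group("off")), int(m.group("size"))
            continue
        m = FREED.match(line)
        if m:
            report.free_thread, frames = m.group("thread"), report.free_frames
            continue
        m = ALLOC.match(line)
        if m:
            report.alloc_thread, frames = m.group("thread"), report.alloc_frames
            continue
        m = FRAME.match(line)
        if m:
            frames.append(Frame(int(m.group("n")), m.group("func"), m.group("loc")))
    return report


def first_user_frame(frames: List[Frame]) -> str:
    """Name of the first frame that is not the allocator itself."""
    for f in frames:
        if f.func not in ALLOCATOR_FUNCS and not f.func.startswith(("operator delete", "operator new")):
            return f.func
    return "?"


def summarize(report: AsanReport) -> str:
    """One-line triage summary, tagged [cross-thread] when use and free ran on different threads."""
    if report.access is None:
        return f"{report.kind} at {report.address:#x}"
    text = (f"{report.kind}: {report.access} of {report.size} bytes by {report.access_thread} "
            f"in {first_user_frame(report.access_frames)}")
    if report.free_thread is not None:
        text += (f", {report.offset} bytes into a {report.region_size}-byte region freed by "
                 f"{report.free_thread} in {first_user_frame(report.free_frames)}")
    if report.cross_thread:
        text += " [cross-thread]"
    return text


if __name__ == "__main__":
    print(summarize(parse_report(SAMPLE_REPORT)))
```

Feeding the full attached log instead of the excerpt gives the same summary, since only the header, the access line, the region line and the first non-allocator frame of each stack are used; the [cross-thread] tag is the cue to retest under taskset or a thread sanitizer rather than to trust a single-run repro.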
Attachment #672293 - Attachment mime type: application/java-archive → application/zip
Fixed by bug 722983?
decoder, is this bug still reproducible? See comment 3.
Flags: needinfo?(choller)
Wasn't able to reproduce this with a recent build. I'll mark it as WFM.
Closed: 7 years ago
Resolution: --- → WORKSFORME
Flags: needinfo?(choller)
Group: core-security