ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error

RESOLVED FIXED

Status


defect
--
critical
RESOLVED FIXED
7 years ago
5 years ago

People

(Reporter: decoder, Assigned: bholley)

Tracking

(Blocks 1 bug, {csectype-uaf, sec-high})

Trunk
x86_64
Linux
Points:
---

Firefox Tracking Flags

(firefox24 fixed, firefox-esr17 wontfix, b2g18 wontfix)

Details

(Whiteboard: [asan][asan-test-failure][adv-main24-])

Attachments

(1 attachment)

Posted file ASan log
An ASan Try run has detected that js/xpconnect/tests/unit/test_bug608142.js is failing under ASan. I was able to reproduce this locally with a debug build (mozilla-central 885cde564ff3) by running the following command in the objdir:

taskset -c 0 make -C js/xpconnect/tests xpcshell-tests

Without the taskset, the bug doesn't reproduce (it seems to be a thread race). I'll attach the symbolized ASan log.
That looks kind of bad. Bug 608142 is "Disallow sending JS objects to a different thread", and in the log something in thread T8 is calling nsXPCWrappedJS::Release() on an object that was freed on the main thread.
Yeah, this whole thing is just bad and we should make it go away.
Yeah, I'm working on fixing bug 773610. Once we do that, we can rip out all the half-baked thread support.
Over to Bobby. Can you make sure that someone addresses this when you're done with bug 773610?
Assignee: nobody → bobbyholley+bmo
No longer depends on: 773610
Depends on: 770535
Depends on: 773610
This test is gone, I'm assuming as part of bholley's work to add runtime aborts for refcounting nsXPCWrappedJS off the main thread, so I'm going to mark this as fixed. I don't think we have any real way of backporting this, unfortunately.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][adv-main24-]
Keywords: csec-uaf
Summary: ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers error → ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error
Group: core-security
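The fix described in the bug is a runtime abort when a main-thread-only wrapper is refcounted from another thread. The following added example (not Gecko code; the class and function names are assumptions for illustration) shows that pattern: the wrapper records its owning thread, and AddRef/Release abort instead of racing when called from a worker thread.

```cpp
#include <cstdio>
#include <cstdlib>
#include <thread>

// Hypothetical stand-in for a wrapper (like nsXPCWrappedJS) that must only be
// refcounted on the thread that created it; names are assumptions, not Gecko's.
class MainThreadOnlyWrapper {
public:
  MainThreadOnlyWrapper() : mOwner(std::this_thread::get_id()), mRefCnt(1) {}
  // True when the caller runs on the thread that created the wrapper.
  bool OnOwningThread() const { return std::this_thread::get_id() == mOwner; }
  void AddRef() { CheckThread("AddRef"); ++mRefCnt; }
  void Release() {
    CheckThread("Release");
    if (--mRefCnt == 0) delete this;   // last reference: the object is gone
  }
  int RefCount() const { return mRefCnt; }

private:
  // The runtime abort: an off-thread AddRef/Release would otherwise race
  // with the owning thread and can turn into a use-after-free, so stop here.
  void CheckThread(const char* op) const {
    if (!OnOwningThread()) {
      std::fprintf(stderr, "%s called off the owning thread, aborting\n", op);
      std::abort();
    }
  }
  std::thread::id mOwner;
  int mRefCnt;   // unsynchronised on purpose: only one thread may touch it
};

// Refcounting on the owning thread works normally: returns 2 after AddRef.
int OwnerAddRefThenCount() {
  MainThreadOnlyWrapper* w = new MainThreadOnlyWrapper();
  w->AddRef();
  int count = w->RefCount();
  w->Release();
  w->Release();   // drops the last reference and frees w
  return count;
}

// A worker thread evaluates the same check the abort is built on; it is not
// the owning thread, so the off-thread Release seen in the ASan log is refused.
bool WorkerAllowedToRelease() {
  MainThreadOnlyWrapper* w = new MainThreadOnlyWrapper();
  bool allowed = true;
  std::thread worker([&] { allowed = w->OnOwningThread(); });
  worker.join();
  w->Release();   // the owning thread cleans up
  return allowed; // false
}
```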