ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error

Status: RESOLVED FIXED

Core :: XPConnect
Priority: --
Severity: critical
Reported: 6 years ago
Last modified: 4 years ago

People: Reporter: decoder, Assigned: bholley

Tracking: Blocks: 1 bug; Keywords: csectype-uaf, sec-high
Version: Trunk
Platform: x86_64 Linux
Points: ---

Firefox Tracking Flags: firefox24 fixed, firefox-esr17 wontfix, b2g18 wontfix

Whiteboard: [asan][asan-test-failure][adv-main24-]

Attachments: 1 attachment

Description (Reporter)

6 years ago
Created attachment 716899: ASan log

ASan Try run has detected that js/xpconnect/tests/unit/test_bug608142.js is failing under ASan. I was able to reproduce this locally with a debug build (mozilla-central 885cde564ff3) by running the following command in the objdir:

taskset -c 0 make -C js/xpconnect/tests xpcshell-tests

Without the taskset, the bug doesn't reproduce (it seems to be a thread race). I'll attach the symbolized ASan log.

Comment 1

That looks kind of bad. Bug 608142 is "Disallow sending JS objects to a different thread", and in the log something in thread T8 is calling nsXPCWrappedJS::Release() on an object that was freed on the main thread.

Comment 2

Yeah, this whole thing is just bad and we should make it go away.
Comment 3 (Assignee)

6 years ago
Yeah, I'm working on fixing bug 773610. Once we do that, we can rip out all the half-baked thread support.
Keywords: sec-high
Depends on: 773610

Comment 4

5 years ago
Over to bobby. Can you make sure that someone addresses this when you're done with bug 773610?
Assignee: nobody → bobbyholley+bmo
(Assignee)

Updated

5 years ago
No longer depends on: 773610
(Assignee)

Updated

5 years ago
Depends on: 770535
(Reporter)

Updated

5 years ago
Blocks: 863846
(Reporter)

Updated

5 years ago
Depends on: 773610
This test is gone, I'm assuming as part of bholley's work to add runtime aborts for refcounting nsXPCWrappedJS off the main thread, so I'm going to mark this as fixed. I don't think we have any real way of backporting this, unfortunately.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox24: --- → fixed
Resolution: --- → FIXED
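The fix the resolving comment describes (runtime aborts when nsXPCWrappedJS is refcounted off the main thread) is a thread-affinity check on AddRef/Release. The following is an added illustration of that pattern, not Mozilla's code: a refcounted object records the thread that created it and rejects refcount traffic from any other thread. The class and function names are made up for this example, and the check returns false and counts the violation instead of aborting so the behaviour can be observed; a production version would abort, which is what turns a silent use-after-free like the one in the ASan log into a deterministic crash at the offending call site.

```cpp
// Added example, not Mozilla code. Thread-affine refcounting: AddRef/Release
// are only honoured on the thread that created the object, mirroring the
// "abort when refcounted off the main thread" check described in the bug.
#include <atomic>
#include <cstdio>
#include <thread>

class MainThreadOnlyRefCounted {   // hypothetical name for this example
public:
    MainThreadOnlyRefCounted()
        : mOwner(std::this_thread::get_id()), mRefCnt(1), mViolations(0) {}

    // Returns false (and records a violation) instead of aborting so the
    // outcome is observable; a real implementation would abort here.
    bool AddRef() {
        if (!OnOwnerThread()) { ++mViolations; return false; }
        ++mRefCnt;
        return true;
    }

    // Same rule for Release(): a cross-thread call never touches mRefCnt,
    // so it can neither free the object early nor race the owning thread.
    bool Release() {
        if (!OnOwnerThread()) { ++mViolations; return false; }
        --mRefCnt;
        return true;
    }

    int RefCnt() const { return mRefCnt; }
    int Violations() const { return mViolations.load(); }

private:
    bool OnOwnerThread() const { return std::this_thread::get_id() == mOwner; }

    std::thread::id mOwner;        // thread that created the object
    int mRefCnt;                   // only ever touched on mOwner
    std::atomic<int> mViolations;  // may be bumped from any thread
};

// Scenario 1: refcounting on the owning thread is accepted and balances.
bool sameThreadRefcountingIsAccepted() {
    MainThreadOnlyRefCounted obj;
    bool ok = obj.AddRef() && obj.Release() && obj.Release();
    return ok && obj.RefCnt() == 0 && obj.Violations() == 0;
}

// Scenario 2: a Release() from a worker thread is rejected, counted, and
// leaves the refcount untouched (the situation thread T8 was in).
bool offThreadReleaseIsRejected() {
    MainThreadOnlyRefCounted obj;
    bool accepted = true;
    std::thread worker([&] { accepted = obj.Release(); });
    worker.join();  // join orders the worker's write to 'accepted' before the read
    return !accepted && obj.RefCnt() == 1 && obj.Violations() == 1;
}

int main() {
    std::printf("same-thread refcounting accepted: %s\n",
                sameThreadRefcountingIsAccepted() ? "yes" : "no");
    std::printf("off-thread Release rejected:      %s\n",
                offThreadReleaseIsRejected() ? "yes" : "no");
    return 0;
}
```

The important design choice is that the violation is detected at the call that breaks the invariant, not at the later free, which is why a runtime abort in AddRef/Release gives a far more useful stack than the ASan use-after-free report attached to this bug.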

Updated

5 years ago
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][adv-main24-]
status-b2g18: --- → wontfix
status-firefox-esr17: --- → wontfix
Keywords: csec-uaf
Summary: ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers error → ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error
Group: core-security