Closed Bug 843923 Opened 11 years ago Closed 11 years ago

ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox24 --- fixed
firefox-esr17 --- wontfix
b2g18 --- wontfix

People

(Reporter: decoder, Assigned: bholley)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [asan][asan-test-failure][adv-main24-])

Attachments

(1 file)

ASan log
11.42 KB, text/plain
Details
Attached file ASan log 
ASan Try run has detected that js/xpconnect/tests/unit/test_bug608142.js is failing under ASan. I was able to reproduce this locally with a debug build (mozilla-central 885cde564ff3) by running the following command in the objdir:

taskset -c 0 make -C js/xpconnect/tests xpcshell-tests

Without the taskset, the bug doesn't reproduce (it seems to be a thread race). I'll attach the symbolized ASan log.
That looks kind of bad.  Bug 608142 is "Disallow sending JS objects to a different thread", and in the log something in thread T8 is calling  nsXPCWrappedJS::Release() on an object that was freed on the main thread.
Yeah this whole thing is just bad and we should make it go away.
yeah, I'm working on fixing bug 773610. Once we do that, we can rip out all the half-baked thread support.
Keywords: sec-high
Depends on: 773610
over to bobby.  Can you make sure that someone addresses this when you're done with bug 773610
Assignee: nobody → bobbyholley+bmo
No longer depends on: 773610
Depends on: 770535
Blocks: asan-maintenance
Depends on: 773610
This test is gone, I'm assuming as part of bholley's work to add runtime aborts for refcounting nsXPCWrappedJS off the main thread, so I'm going to mark this as fixed. I don't think we have any real way of backporting this, unfortunately.
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox24: --- → fixed
Resolution: --- → FIXED
Whiteboard: [asan][asan-test-failure] → [asan][asan-test-failure][adv-main24-]
status-b2g18: --- → wontfix
status-firefox-esr17: --- → wontfix
Keywords: csec-uaf
Summary: ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers error → ASAN: js/xpconnect/tests/unit/test_bug608142.js triggers heap-use-after-free error
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: