Bug 882897
Opened 11 years ago
Closed 11 years ago
ASAN use-after-free in JS_GetGlobalForScopeChain
Categories
(Core :: DOM: Core & HTML, defect)
Status: VERIFIED FIXED
Tracking
Branch | Tracking | Status
---|---|---
firefox24 | --- | unaffected
firefox25 | --- | verified
firefox26 | --- | fixed
firefox-esr17 | --- | wontfix
firefox-esr24 | --- | unaffected
b2g18 | --- | wontfix
b2g-v1.1hd | --- | wontfix
b2g-v1.2 | --- | fixed
People
(Reporter: nils, Assigned: bholley)
Details
(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan] fixed in bug 887334)
Attachments (1 file): 671 bytes, text/html
The attached testcase crashes Firefox Nightly with the following ASAN output. It needs domFuzzLite and might need several reloads; it sometimes helps to open it in multiple tabs at the same time.
==7138== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f1337e70060 at pc 0x7f135a3fc2dd bp 0x7fff714b1cf0 sp 0x7fff714b1ce8
READ of size 8 at 0x7f1337e70060 thread T0
#0 0x7f135a3fc2dc in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:2267:0
#1 0x7f13573d4e42 in xpc_UnmarkGrayContext(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/xpcpublic.h:200:0
#2 0x7f1357cd4dec in nsCxPusher::DoPush(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsCxPusher.cpp:138:0
#3 0x7f1357355794 in nsGlobalWindow::FreeInnerObjects() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/base/nsGlobalWindow.cpp:1462:0
#4 0x7f135735f1dc in nsGlobalWindow::DetachFromDocShell() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/base/nsGlobalWindow.cpp:2733:0
#5 0x7f1357d56bee in nsDocShell::Destroy() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:4960:0
#6 0x7f1357d56f7f in non-virtual thunk to nsDocShell::Destroy() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:4993:0
#7 0x7f1356c72f32 in nsFrameLoader::Finalize() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsFrameLoader.cpp:574:0
#8 0x7f1356c18aa9 in nsDocument::MaybeInitializeFinalizeFrameLoaders() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:6267:0
#9 0x7f1356c4ea49 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/nsThreadUtils.h:350:0
#10 0x7f1356baa62f in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsContentUtils.cpp:4831:0
#11 0x7f1356c262d2 in nsDocument::FinalizeFrameLoader(nsFrameLoader*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:6223:0
#12 0x7f1356c7a245 in nsFrameLoader::Destroy() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsFrameLoader.cpp:1365:0
#13 0x7f135702d09d in nsGenericHTMLFrameElement::DestroyContent() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/content/src/nsGenericHTMLFrameElement.cpp:274:0
#14 0x7f1356b36562 in mozilla::dom::FragmentOrElement::DestroyContent() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/FragmentOrElement.cpp:950:0
#15 0x7f1356c2f0da in nsDocument::Destroy() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:7736:0
#16 0x7f13565ee5cc in nsDocumentViewer::Destroy() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsDocumentViewer.cpp:1618:0
#17 0x7f13565f0de1 in nsDocumentViewer::Show() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsDocumentViewer.cpp:1921:0
#18 0x7f135664009d in nsPresContext::EnsureVisible() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsPresContext.cpp:1856:0
#19 0x7f135665c55b in PresShell::UnsuppressAndInvalidate() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsPresShell.cpp:3562:0
#20 0x7f13565ea4fa in nsDocumentViewer::LoadComplete(tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsDocumentViewer.cpp:1065:0
#21 0x7f1357d62ed4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6657:0
#22 0x7f1357d60a0b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6454:0
#23 0x7f1357d60e5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6461:0
#24 0x7f1357d9bf95 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:1323:0
#25 0x7f1357d9b69b in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:865:0
#26 0x7f1357d99a12 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:755:0
#27 0x7f1357d9aeab in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:639:0
#28 0x7f1357d9b3dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:643:0
#29 0x7f1355f0985e in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/netwerk/base/src/nsLoadGroup.cpp:684:0
#30 0x7f1356c30544 in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:7953:0
#31 0x7f1356c302c1 in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:7881:0
#32 0x7f1356c19c18 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:4625:0
#33 0x7f1356c4ea49 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/nsThreadUtils.h:350:0
#34 0x7f1358fdc28b in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/threads/nsThread.cpp:626:0
#35 0x7f1358f28931 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238:0
#36 0x7f13584d805b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/glue/MessagePump.cpp:82:0
#37 0x7f1359089051 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:219:0
#38 0x7f1359088f4e in MessageLoop::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:186:0
#39 0x7f135832b851 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/widget/xpwidgets/nsBaseAppShell.cpp:163:0
#40 0x7f1357ed067f in nsAppStartup::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/components/startup/nsAppStartup.cpp:269:0
#41 0x7f1355ca9a39 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3851:0
#42 0x7f1355caad77 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3919:0
#43 0x7f1355cab701 in XRE_main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:4121:0
#44 0x40c7e6 in do_main(int, char**, nsIFile*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:272:0
#45 0x40bd0f in main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:632:0
#46 0x7f1362ac4ea4 in ?? ??:0
0x7f1337e70060 is located 32 bytes inside of 1112-byte region [0x7f1337e70040,0x7f1337e70498)
freed by thread T0 here:
#0 0x43b0e0 in __interceptor_free ??:?
#1 0x7f135a4fe08e in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2524:0
#2 0x7f135a4fda6a in SweepZones(js::FreeOp*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2558:0
#3 0x7f135a4fcc79 in EndSweepPhase(JSRuntime*, js::JSGCInvocationKind, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:3906:0
#4 0x7f135a4fab7e in IncrementalCollectSlice(JSRuntime*, long, JS::gcreason::Reason, js::JSGCInvocationKind) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4308:0
#5 0x7f135a4f9993 in GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4422:0
#6 0x7f135a4ec10e in Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, JS::gcreason::Reason) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4581:0
#7 0x7f1357bea26a in nsXPCComponents_Utils::ForceGC() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCComponents.cpp:4012:0
#8 0x7f1359014b05 in NS_InvokeByIndex /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162:0
#9 0x7f1357c69c63 in CallMethodHelper::Call() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2267:0
#10 0x7f1357c69913 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:2233:0
#11 0x7f1357c7ebe7 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480:0
#12 0x7f135a299c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
#13 0x7f135a299395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
#14 0x7f135a2937fa in
previously allocated by thread T0 here:
#0 0x43b1a0 in malloc ??:?
#1 0x7f135a240f59 in js::MallocProvider<JSContext>::malloc_(unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:558:0
#2 0x7f135a4ecd73 in JSCompartment* js::MallocProvider<JSContext>::new_<JSCompartment, JS::Zone*>(JS::Zone*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:623:0
#3 0x7f135a4ec99e in js::NewCompartment(JSContext*, JS::Zone*, JSPrincipals*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:4724:0
#4 0x7f135a4023fb in JS_NewGlobalObject(JSContext*, JSClass*, JSPrincipals*, unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:3446:0
#5 0x7f1357cd8e60 in xpc::CreateGlobalObject(JSContext*, JSClass*, nsIPrincipal*, unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsXPConnect.cpp:994:0
#6 0x7f1357c5e80a in XPCWrappedNative::WrapNewGlobal(xpcObjectHelper&, nsIPrincipal*, bool, unsigned long, XPCWrappedNative**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedNative.cpp:318:0
#7 0x7f1357cd972e in nsXPConnect::InitClassesWithNewWrappedGlobal(JSContext*, nsISupports*, nsIPrincipal*, unsigned int, unsigned long, nsIXPConnectJSObjectHolder**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsXPConnect.cpp:1050:0
#8 0x7f135735cffb in CreateNativeGlobalForInner(JSContext*, nsGlobalWindow*, nsIURI*, nsIPrincipal*, JSObject**, nsIXPConnectJSObjectHolder**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/base/nsGlobalWindow.cpp:2142:0
Shadow byte and word:
0x1fe266fce00c: fd
0x1fe266fce008: fd fd fd fd fd fd fd fd
More shadow bytes:
0x1fe266fcdfe8: 00 00 00 00 00 00 00 00
0x1fe266fcdff0: 00 00 00 00 00 00 00 00
0x1fe266fcdff8: 00 00 00 00 00 00 00 00
0x1fe266fce000: fa fa fa fa fa fa fa fa
=>0x1fe266fce008: fd fd fd fd fd fd fd fd
0x1fe266fce010: fd fd fd fd fd fd fd fd
0x1fe266fce018: fd fd fd fd fd fd fd fd
0x1fe266fce020: fd fd fd fd fd fd fd fd
0x1fe266fce028: fd fd fd fd fd fd fd fd
Stats: 442M malloced (440M for red zones) by 993366 calls
Stats: 41M realloced by 42405 calls
Stats: 412M freed by 851905 calls
Stats: 376M really freed by 790743 calls
Stats: 270M (69346 full pages) mmaped in 483 calls
mmaps by size class: 7:159705; 8:57316; 9:17391; 10:8176; 11:7395; 12:1792; 13:1856; 14:512; 15:256; 16:656; 17:456; 18:26; 19:36; 20:23; 21:11;
mallocs by size class: 7:688188; 8:180185; 9:48390; 10:33029; 11:23787; 12:5112; 13:6965; 14:2704; 15:980; 16:1981; 17:1831; 18:86; 19:53; 20:46; 21:29;
frees by size class: 7:599202; 8:143470; 9:39569; 10:29869; 11:21822; 12:4171; 13:6532; 14:2509; 15:864; 16:1880; 17:1815; 18:81; 19:49; 20:44; 21:28;
rfrees by size class: 7:566830; 8:128961; 9:33347; 10:26920; 11:18811; 12:3575; 13:5684; 14:2229; 15:794; 16:1768; 17:1632; 18:78; 19:45; 20:41; 21:28;
Stats: malloc large: 5006 small slow: 11181
Attachment #762294 - Attachment mime type: text/plain → text/html
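An added example, not code from this bug or from Mozilla: a small parser for AddressSanitizer reports of the shape shown above, which pulls out what a triager reads first, namely the bug class, the faulting access and its offset into the freed region, and the first non-runtime frame of the use, free and allocation stacks. The sample input is an excerpt of the report above; the list of runtime symbols the parser skips is an assumption, and it stops at the shadow dump, which carries nothing more for triage.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: an excerpt of the ASAN report in comment 0 of this bug,
# cut to three frames per stack. Real reports indent frame lines; the page
# lost that indentation, so the parser strips every line before matching.
SAMPLE_REPORT = """\
==7138== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f1337e70060 at pc 0x7f135a3fc2dd bp 0x7fff714b1cf0 sp 0x7fff714b1ce8
READ of size 8 at 0x7f1337e70060 thread T0
#0 0x7f135a3fc2dc in JS_GetGlobalForScopeChain(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:2267:0
#1 0x7f13573d4e42 in xpc_UnmarkGrayContext(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/xpcpublic.h:200:0
#2 0x7f1357cd4dec in nsCxPusher::DoPush(JSContext*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/nsCxPusher.cpp:138:0
0x7f1337e70060 is located 32 bytes inside of 1112-byte region [0x7f1337e70040,0x7f1337e70498)
freed by thread T0 here:
#0 0x43b0e0 in __interceptor_free ??:?
#1 0x7f135a4fe08e in SweepCompartments(js::FreeOp*, JS::Zone*, bool, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2524:0
#2 0x7f135a4fda6a in SweepZones(js::FreeOp*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsgc.cpp:2558:0
previously allocated by thread T0 here:
#0 0x43b1a0 in malloc ??:?
#1 0x7f135a240f59 in js::MallocProvider<JSContext>::malloc_(unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:558:0
#2 0x7f135a4ecd73 in JSCompartment* js::MallocProvider<JSContext>::new_<JSCompartment, JS::Zone*>(JS::Zone*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxt.h:623:0
Shadow byte and word:
"""

HEADER_RE = re.compile(r"^==\d+==\s*ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at (0x[0-9a-fA-F]+) thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes (inside of|to the left of|to the right of) (\d+)-byte region")
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\b(.*)$")
# Frames that belong to ASAN or the allocator rather than to the program under test (assumed list).
RUNTIME_SYMBOLS = {"malloc", "calloc", "realloc", "free", "??"}


@dataclass
class Frame:
    index: int
    symbol: str
    location: Optional[str]  # "file:line:col", "??:?" when unsymbolised, None when the line was truncated


@dataclass
class AsanReport:
    kind: str = ""                    # e.g. "heap-use-after-free"
    address: int = 0
    access: Optional[str] = None      # READ or WRITE
    size: Optional[int] = None
    offset: Optional[int] = None      # distance from the region start
    where: Optional[str] = None       # "inside of" / "to the left of" / "to the right of"
    region_size: Optional[int] = None
    access_stack: List[Frame] = field(default_factory=list)
    free_stack: List[Frame] = field(default_factory=list)
    alloc_stack: List[Frame] = field(default_factory=list)


def parse_frame(m):
    """Split '#N 0xADDR in SYMBOL LOCATION'. SYMBOL may contain spaces; LOCATION never does."""
    index, rest = int(m.group(1)), m.group(2).strip()
    if not rest:                      # truncated line such as "#14 0x7f135a2937fa in" in this report
        return Frame(index, "", None)
    parts = rest.rsplit(None, 1)
    if len(parts) == 2 and ":" in parts[1]:
        return Frame(index, parts[0], parts[1])
    return Frame(index, rest, None)


def parse_asan_report(text):
    """Collect the header, the faulting access, the region line and the three stacks."""
    rep, stack = AsanReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HEADER_RE.match(line)):
            rep.kind, rep.address = m.group(1), int(m.group(2), 16)
        elif (m := ACCESS_RE.match(line)):
            rep.access, rep.size = m.group(1), int(m.group(2))
            stack = rep.access_stack
        elif (m := REGION_RE.search(line)):
            rep.offset, rep.where, rep.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            stack = None
        elif line.startswith("freed by thread"):
            stack = rep.free_stack
        elif line.startswith("previously allocated by thread"):
            stack = rep.alloc_stack
        elif line.startswith("Shadow byte"):
            break                     # shadow dump and allocator stats add nothing for triage
        elif (m := FRAME_RE.match(line)) and stack is not None:
            stack.append(parse_frame(m))
    return rep


def first_program_frame(stack):
    """Skip ASAN interceptor and allocator frames to reach the program's own code."""
    return next((f for f in stack
                 if not f.symbol.startswith("__interceptor_") and f.symbol not in RUNTIME_SYMBOLS), None)


def summarize(rep):
    """Triage view: bug class, access, and the frames that used, freed and allocated the object."""
    sym = lambda stack: getattr(first_program_frame(stack), "symbol", None)
    return {
        "kind": rep.kind,
        "access": f"{rep.access} of {rep.size} bytes, {rep.offset} bytes {rep.where} a {rep.region_size}-byte region",
        "use": sym(rep.access_stack),
        "free": sym(rep.free_stack),
        "alloc": sym(rep.alloc_stack),
    }
```

Reading the three stacks together is the point of the summary: here the use is in JS_GetGlobalForScopeChain reached from nsCxPusher::DoPush, the free is in SweepCompartments under a forced GC, and the allocation is the JSCompartment created for an inner window's global. That combination is what the comments below mean by pushing a dead JSContext.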
Comment 1 • 11 years ago
In a debug build, I got a similar crash on shutdown, but no assertions otherwise that I noticed:
xpc_UnmarkNonNullGrayObject(JSObject*) + 15 (HeapAPI.h:101)
nsCxPusher::DoPush(JSContext*) + 183 (nsCxPusher.cpp:141)
nsXBLBinding::AllowScripts() + 252 (nsXBLBinding.cpp:1270)
nsXBLBinding::ExecuteDetachedHandler() + 24 (nsXBLBinding.cpp:844)
nsBindingManager::ExecuteDetachedHandlers() + 276 (nsBindingManager.cpp:1015)
nsGlobalWindow::PostHandleEvent(nsEventChainPostVisitor&) + 744 (nsGlobalWindow.cpp:3081)
The test case involves mutation observers, and is crashing in nsCxPusher.
Keywords: csec-uaf, sec-critical
Whiteboard: [asan]
Comment 2 • 11 years ago
Bobby, do you think this could be related to the nsCxPusher stuff you've been working on? Both this and bug 883301 involve pushing a dead JSContext.
Updated • 11 years ago
Flags: needinfo?(bobbyholley+bmo)
Updated • 11 years ago
Flags: needinfo?(bobbyholley+bmo)
Updated by assignee • 11 years ago
Depends on: CVE-2013-1738
Comment 4 • 11 years ago
This symptom became detectable due to bug 868130, but bholley says the underlying GC problem (which he's fixing in bug 887334) has been around for a while.
Comment 5 • 11 years ago
Will this be fixed when bug 887334 lands (and it went to inbound yesterday)?
https://bugzilla.mozilla.org/show_bug.cgi?id=887334#c43
Comment 6 (assignee) • 11 years ago
(In reply to Al Billings [:abillings] from comment #5)
> Will this be fixed when bug 887334 lands (and it went to inbound yesterday)?
Should be. QA should verify.
Comment 7 • 11 years ago
Matt, could you please verify that this bug is fixed since bug 887334 went in?
Flags: needinfo?(mwobensmith)
Comment 8 • 11 years ago
Bug reproduced in m-c 2013-07-18
Bug no longer reproduces in m-c 2013-07-19
Looking good!
Only question is whether to mark this fixed or duplicate of 887334.
Flags: needinfo?(mwobensmith)
Updated • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated • 11 years ago
Status: RESOLVED → VERIFIED
status-firefox25: --- → verified
Updated • 11 years ago
Whiteboard: [asan] → [asan] fixed in bug 887334
Comment 10 • 11 years ago
Did this even affect ESR17?
status-firefox-esr17: --- → ?
status-firefox-esr24: --- → unaffected
Updated • 11 years ago
status-b2g-v1.2: --- → fixed
Updated • 11 years ago
Group: core-security
Updated • 6 years ago
Component: DOM → DOM: Core & HTML