Bug 931381 (Closed)
Opened 11 years ago
Closed 11 years ago
Heap Use After Free in DOM workers (Aurora Build)
Categories: Core :: DOM: Workers, defect
Status: RESOLVED INCOMPLETE
Reporter: johnvillamil2010; Assignee: Unassigned
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/30.0.1599.101 Safari/537.36
Steps to reproduce:
Fuzzing Aurora build 20.0a2. I cannot reproduce the bug; it happens randomly at different times, usually after a few thousand iterations of starting and killing the browser with various fuzzed inputs.
Actual results:
Here is the output of the Address Sanitizer crash, piped to asan-symbolize.py:
=================================================================
==27804==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000140c38 at pc 0x7fc5c49c681a bp 0x7fff9b523910 sp 0x7fff9b523908
READ of size 8 at 0x603000140c38 thread T0
#0 0x7fc5c49c6819 in _ZNK9nsAutoPtrIN7mozilla3dom7workers13WorkerPrivate9SyncQueueEE3getEv /builds/slave/m-aurora-l64-asan-000000000000/build/obj-firefox/dom/workers/../../dist/include/nsAutoPtr.h:135
#1 0x7fc5c49bb732 in _ZN7mozilla3dom7workers13WorkerPrivate8DispatchEPNS1_18WorkerSyncRunnableE /builds/slave/m-aurora-l64-asan-000000000000/build/dom/workers/WorkerPrivate.h:706
#2 0x7fc5c49bb151 in _ZN7mozilla3dom7workers14WorkerRunnable8DispatchEP9JSContext /builds/slave/m-aurora-l64-asan-000000000000/build/dom/workers/WorkerPrivate.cpp:1552
#3 0x7fc5c49ace68 in _ZN12_GLOBAL__N_120ScriptLoaderRunnable22ExecuteFinishedScriptsEv /builds/slave/m-aurora-l64-asan-000000000000/build/dom/workers/ScriptLoader.cpp:516
#4 0x7fc5c49ac375 in _ZN12_GLOBAL__N_120ScriptLoaderRunnable16OnStreamCompleteEP15nsIStreamLoaderP11nsISupports12tag_nsresultjPKh /builds/slave/m-aurora-l64-asan-000000000000/build/dom/workers/ScriptLoader.cpp:186
#5 0x7fc5c49acae9 in _ZThn16_N12_GLOBAL__N_120ScriptLoaderRunnable16OnStreamCompleteEP15nsIStreamLoaderP11nsISupports12tag_nsresultjPKh /builds/slave/m-aurora-l64-asan-000000000000/build/dom/workers/ScriptLoader.cpp:150
#6 0x7fc5c2d33c53 in _ZN14nsStreamLoader13OnStopRequestEP10nsIRequestP11nsISupports12tag_nsresult /builds/slave/m-aurora-l64-asan-000000000000/build/netwerk/base/src/nsStreamLoader.cpp:100
#7 0x7fc5c32346a7 in _ZN12nsJARChannel13OnStopRequestEP10nsIRequestP11nsISupports12tag_nsresult /builds/slave/m-aurora-l64-asan-000000000000/build/modules/libjar/nsJARChannel.cpp:978
#8 0x7fc5c32347e9 in _ZThn16_N12nsJARChannel13OnStopRequestEP10nsIRequestP11nsISupports12tag_nsresult /builds/slave/m-aurora-l64-asan-000000000000/build/modules/libjar/nsJARChannel.cpp:994
#9 0x7fc5c2cbd8b8 in _ZN17nsInputStreamPump11OnStateStopEv /builds/slave/m-aurora-l64-asan-000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:703
#10 0x7fc5c2cbbf70 in _ZN17nsInputStreamPump18OnInputStreamReadyEP19nsIAsyncInputStream /builds/slave/m-aurora-l64-asan-000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:438
#11 0x7fc5c7155fe4 in _ZN23nsInputStreamReadyEvent3RunEv /builds/slave/m-aurora-l64-asan-000000000000/build/xpcom/io/nsStreamUtils.cpp:82
#12 0x7fc5c718ebd9 in _ZN8nsThread16ProcessNextEventEbPb /builds/slave/m-aurora-l64-asan-000000000000/build/xpcom/threads/nsThread.cpp:622
#13 0x7fc5c70b9471 in _Z19NS_ProcessNextEventP9nsIThreadb /builds/slave/m-aurora-l64-asan-000000000000/build/xpcom/glue/nsThreadUtils.cpp:238
#14 0x7fc5c5df2491 in _ZN7mozilla3ipc11MessagePump3RunEPN4base11MessagePump8DelegateE /builds/slave/m-aurora-l64-asan-000000000000/build/ipc/glue/MessagePump.cpp:81
#15 0x7fc5c72abc63 in _ZN11MessageLoop11RunInternalEv /builds/slave/m-aurora-l64-asan-000000000000/build/ipc/chromium/src/base/message_loop.cc:220
#16 0x7fc5c5bdd10c in _ZN14nsBaseAppShell3RunEv /builds/slave/m-aurora-l64-asan-000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:161
#17 0x7fc5c55d425e in _ZN12nsAppStartup3RunEv /builds/slave/m-aurora-l64-asan-000000000000/build/toolkit/components/startup/nsAppStartup.cpp:269
#18 0x7fc5c29d8bb0 in _ZN7XREMain11XRE_mainRunEv /builds/slave/m-aurora-l64-asan-000000000000/build/toolkit/xre/nsAppRunner.cpp:3869
#19 0x7fc5c29d9b05 in _ZN7XREMain8XRE_mainEiPPcPK12nsXREAppData /builds/slave/m-aurora-l64-asan-000000000000/build/toolkit/xre/nsAppRunner.cpp:3937
#20 0x7fc5c29daa3b in XRE_main /builds/slave/m-aurora-l64-asan-000000000000/build/toolkit/xre/nsAppRunner.cpp:4139
#21 0x459c8d in _ZL7do_mainiPPcP7nsIFile /builds/slave/m-aurora-l64-asan-000000000000/build/browser/app/nsBrowserApp.cpp:275
#22 0x7fc5d17abea4 in ?? ??:0
#23 0x45910c in _start ??:?
0x603000140c38 is located 24 bytes inside of 32-byte region [0x603000140c20,0x603000140c40)
freed by thread T11 (DOM Worker) here:
#0 0x4462fb in __interceptor_realloc _asan_rtl_
#1 0x7fc5cb65b65e in moz_xrealloc /builds/slave/m-aurora-l64-asan-000000000000/build/memory/mozalloc/mozalloc.cpp:86
previously allocated by thread T11 (DOM Worker) here:
#0 0x4462fb in __interceptor_realloc _asan_rtl_
#1 0x7fc5cb65b65e in moz_xrealloc /builds/slave/m-aurora-l64-asan-000000000000/build/memory/mozalloc/mozalloc.cpp:86
Thread T11 (DOM Worker) created by T0 here:
#0 0x4375c1 in __interceptor_pthread_create _asan_rtl_
#1 0x7fc5cf257b35 in _PR_CreateThread /builds/slave/m-aurora-l64-asan-000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:444
#2 0x7fc5cf257687 in PR_CreateThread /builds/slave/m-aurora-l64-asan-000000000000/build/nsprpub/pr/src/pthreads/ptthread.c:527
Shadow bytes around the buggy address:
0x0c0680020130: 00 00 00 00 fa fa fd fd fd fa fa fa 00 00 00 00
0x0c0680020140: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
0x0c0680020150: 00 fa fa fa fd fd fd fa fa fa 00 00 00 00 fa fa
0x0c0680020160: 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00 00 00
0x0c0680020170: fa fa 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00
=>0x0c0680020180: 00 00 fa fa fd fd fd[fd]fa fa fd fd fd fa fa fa
0x0c0680020190: fd fd fd fa fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c06800201a0: fa fa 00 00 00 00 fa fa 00 00 00 fa fa fa 00 00
0x0c06800201b0: 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa
0x0c06800201c0: 00 00 00 fa fa fa 00 00 00 00 fa fa 00 00 00 00
0x0c06800201d0: fa fa 00 00 00 00 fa fa 00 00 00 00 fa fa 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==27804==ABORTING
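As an added triage helper (not part of this bug report and not Mozilla code), the following parses a symbolized ASan report like the one above into its triage-relevant fields and flags that the freeing thread (T11, the DOM Worker) differs from the accessing thread (T0), the cross-thread pattern behind the reporter's intermittent reproduction. SAMPLE_REPORT is a constructed, abridged copy of this bug's output with build paths shortened.

```python
import re
# Constructed sample: the report from this bug, abridged (paths shortened, only the first frames kept).
SAMPLE_REPORT = """\
==27804==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000140c38 at pc 0x7fc5c49c681a bp 0x7fff9b523910 sp 0x7fff9b523908
READ of size 8 at 0x603000140c38 thread T0
#0 0x7fc5c49c6819 in _ZNK9nsAutoPtrIN7mozilla3dom7workers13WorkerPrivate9SyncQueueEE3getEv .../dist/include/nsAutoPtr.h:135
#1 0x7fc5c49bb732 in _ZN7mozilla3dom7workers13WorkerPrivate8DispatchEPNS1_18WorkerSyncRunnableE .../dom/workers/WorkerPrivate.h:706
0x603000140c38 is located 24 bytes inside of 32-byte region [0x603000140c20,0x603000140c40)
freed by thread T11 (DOM Worker) here:
#0 0x4462fb in __interceptor_realloc _asan_rtl_
#1 0x7fc5cb65b65e in moz_xrealloc .../memory/mozalloc/mozalloc.cpp:86
previously allocated by thread T11 (DOM Worker) here:
#0 0x4462fb in __interceptor_realloc _asan_rtl_
==27804==ABORTING
"""
# One symbolized frame: "#N 0xADDR in FUNCTION LOCATION" (indentation optional).
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(\S+)\s+(\S+)")

def _frames_after(lines, start):
    # Collect the consecutive frame lines that follow a stack header.
    frames = []
    for line in lines[start:]:
        m = FRAME_RE.match(line)
        if not m:
            break
        frames.append((m[1], m[2]))
    return frames

def parse_asan_report(text):
    """Pull the triage-relevant fields out of a symbolized ASan report."""
    lines = text.splitlines()
    info = {"kind": None, "address": None, "access": None, "size": None,
            "access_thread": None, "freed_thread": None, "alloc_thread": None,
            "offset": None, "region_size": None, "access_stack": [], "free_stack": []}
    for i, line in enumerate(lines):
        if m := re.search(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", line):
            info["kind"], info["address"] = m[1], m[2]
        elif m := re.match(r"\s*(READ|WRITE) of size (\d+) at \S+ thread (T\d+)", line):
            info["access"], info["size"], info["access_thread"] = m[1], int(m[2]), m[3]
            info["access_stack"] = _frames_after(lines, i + 1)
        elif m := re.match(r"\s*freed by thread (T\d+)", line):
            info["freed_thread"] = m[1]
            info["free_stack"] = _frames_after(lines, i + 1)
        elif m := re.match(r"\s*previously allocated by thread (T\d+)", line):
            info["alloc_thread"] = m[1]
        elif m := re.search(r"is located (\d+) bytes inside of (\d+)-byte region", line):
            info["offset"], info["region_size"] = int(m[1]), int(m[2])
    # A free on one thread and a use on another is a lifetime race, which is why such crashes reproduce only intermittently.
    info["cross_thread"] = info["freed_thread"] is not None and info["freed_thread"] != info["access_thread"]
    return info
```

Running `parse_asan_report` over a directory of fuzzer crash logs and grouping by the top access frame plus the cross_thread flag is a quick way to separate deterministic UAFs from racy ones like this report.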
Updated•11 years ago
OS: Mac OS X → Linux
Updated•11 years ago
Component: Untriaged → DOM: Workers
Product: Firefox → Core
Comment 1•11 years ago
I'm not sure we can make any progress here without a testcase. Even if it's unreliable, if we can't reproduce this at all it's not really solvable.
Keywords: testcase-wanted
Comment 2•11 years ago
Firefox 20 is pretty old. Have you seen this on anything newer?
Comment 3•11 years ago
I'm going to mark this incomplete. Please reopen if you see something on a more recent version, or have a test case. Thanks.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Updated•10 years ago
Group: core-security → core-security-release
Updated•10 years ago
Keywords: testcase-wanted
Updated•9 years ago
Group: core-security-release