Closed Bug 988675 Opened 6 years ago Closed 6 years ago

Heap-double-free in nsXMLHttpRequest::GetResponse

Categories

(Core :: DOM: Workers, defect)

x86
All
defect
Not set

RESOLVED DUPLICATE of bug 1030667

People

(Reporter: inferno, Unassigned)

References

Details

(Keywords: sec-high)

Testcase (save this to test.html and place in moz_tests/dom/workers/test/ and load this testcase over http).
<script>
  // xhr2_worker.js is the worker script from the test directory named above.
  var worker = new Worker("xhr2_worker.js");

  worker.onmessage = function(event) {
  }
  worker.postMessage("testXHR.txt");
</script>


=================================================================
==28570==ERROR: AddressSanitizer: attempting double-free on 0x60900088f760 in thread T0:
    #0 0x473ffb in realloc _asan_rtl_
    #1 0x7fec0b2f2c32 in AllocateArrayBufferContents(JSContext*, unsigned int, void*, unsigned long) objdir-ff-asan/js/src/../../dist/include/js/Utility.h:152
    #2 0x7fec078b63a2 in nsXMLHttpRequest::GetResponse(JSContext*, mozilla::ErrorResult&) content/base/src/nsXMLHttpRequest.cpp:3864
    #3 0x7fec078b58a6 in nsXMLHttpRequest::GetResponse(JSContext*, JS::MutableHandle<JS::Value>) content/base/src/nsXMLHttpRequest.cpp:931
    #4 0x7fec073615c3 in (anonymous namespace)::EventRunnable::PreDispatch(JSContext*, mozilla::dom::workers::WorkerPrivate*) dom/workers/XMLHttpRequest.cpp:1162
    #5 0x7fec0734b289 in mozilla::dom::workers::WorkerRunnable::Dispatch(JSContext*) dom/workers/WorkerRunnable.cpp:104
    #6 0x7fec07353891 in mozilla::dom::workers::Proxy::HandleEvent(nsIDOMEvent*) dom/workers/XMLHttpRequest.cpp:1059
    #7 0x7fec0700db20 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:954
    #8 0x7fec0700ecf0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1015
    #9 0x7fec06fff631 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:287
    #10 0x7fec07003746 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) dom/events/EventDispatcher.cpp:597
    #11 0x7fec06fcf485 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:661
    #12 0x7fec078b8a16 in nsXMLHttpRequest::DispatchProgressEvent(nsDOMEventTargetHelper*, nsAString_internal const&, bool, unsigned long, unsigned long) content/base/src/nsXMLHttpRequest.cpp:1448
    #13 0x7fec078c5045 in nsXMLHttpRequest::ChangeStateToDone() content/base/src/nsXMLHttpRequest.cpp:2215
    #14 0x7fec078c4578 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:2195
    #15 0x7fec0775670e in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #16 0x7fec042bb09b in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsStreamListenerTee.cpp:53
    #17 0x7fec0456b977 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5241
    #18 0x7fec0425e2e1 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #19 0x7fec0425c915 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #20 0x7fec040c05a9 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #21 0x7fec040f5bd0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:694
    #22 0x7fec03fc18ea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #23 0x7fec048b7cd9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #24 0x7fec04860cd0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:226
    #25 0x7fec069bf467 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #26 0x7fec097d3f88 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
    #27 0x7fec09643473 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4008
    #28 0x7fec0964435d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4077
    #29 0x7fec096451ad in XRE_main toolkit/xre/nsAppRunner.cpp:4289
    #30 0x48c6e7 in main browser/app/nsBrowserApp.cpp:282
    #31 0x7fec12631de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
0x60900088f760 is located 0 bytes inside of 1-byte region [0x60900088f760,0x60900088f761)
freed by thread T0 here:
    #0 0x473ffb in realloc _asan_rtl_
    #1 0x7fec0b2f2c32 in AllocateArrayBufferContents(JSContext*, unsigned int, void*, unsigned long) objdir-ff-asan/js/src/../../dist/include/js/Utility.h:152
    #2 0x7fec078b63a2 in nsXMLHttpRequest::GetResponse(JSContext*, mozilla::ErrorResult&) content/base/src/nsXMLHttpRequest.cpp:3864
    #3 0x7fec078b58a6 in nsXMLHttpRequest::GetResponse(JSContext*, JS::MutableHandle<JS::Value>) content/base/src/nsXMLHttpRequest.cpp:931
    #4 0x7fec073615c3 in (anonymous namespace)::EventRunnable::PreDispatch(JSContext*, mozilla::dom::workers::WorkerPrivate*) dom/workers/XMLHttpRequest.cpp:1162
    #5 0x7fec0734b289 in mozilla::dom::workers::WorkerRunnable::Dispatch(JSContext*) dom/workers/WorkerRunnable.cpp:104
    #6 0x7fec07353891 in mozilla::dom::workers::Proxy::HandleEvent(nsIDOMEvent*) dom/workers/XMLHttpRequest.cpp:1059
    #7 0x7fec0700db20 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:954
    #8 0x7fec0700ecf0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1015
    #9 0x7fec06fff631 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:287
    #10 0x7fec07003746 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) dom/events/EventDispatcher.cpp:597
    #11 0x7fec06fcf485 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:661
    #12 0x7fec078b8472 in nsXMLHttpRequest::ChangeState(unsigned int, bool) content/base/src/nsXMLHttpRequest.cpp:3296
    #13 0x7fec078c4e6e in nsXMLHttpRequest::ChangeStateToDone() content/base/src/nsXMLHttpRequest.cpp:2208
    #14 0x7fec078c4578 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:2195
    #15 0x7fec0775670e in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #16 0x7fec042bb09b in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsStreamListenerTee.cpp:53
    #17 0x7fec0456b977 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5241
    #18 0x7fec0425e2e1 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #19 0x7fec0425c915 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #20 0x7fec040c05a9 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #21 0x7fec040f5bd0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:694
    #22 0x7fec03fc18ea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #23 0x7fec048b7cd9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #24 0x7fec04860cd0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:226
    #25 0x7fec069bf467 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #26 0x7fec097d3f88 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
    #27 0x7fec09643473 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4008
    #28 0x7fec0964435d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4077
    #29 0x7fec096451ad in XRE_main toolkit/xre/nsAppRunner.cpp:4289

previously allocated by thread T0 here:
    #0 0x473e91 in calloc _asan_rtl_
    #1 0x7fec078c3f62 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:3864
    #2 0x7fec0775670e in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #3 0x7fec042bb09b in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsStreamListenerTee.cpp:53
    #4 0x7fec0456b977 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5241
    #5 0x7fec0425e2e1 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #6 0x7fec0425c915 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #7 0x7fec040c05a9 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #8 0x7fec040f5bd0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:694
    #9 0x7fec03fc18ea in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #10 0x7fec048b7cd9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #11 0x7fec04860cd0 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:226
    #12 0x7fec069bf467 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #13 0x7fec097d3f88 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
    #14 0x7fec09643473 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4008
    #15 0x7fec0964435d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4077
    #16 0x7fec096451ad in XRE_main toolkit/xre/nsAppRunner.cpp:4289
    #17 0x48c6e7 in main browser/app/nsBrowserApp.cpp:282
    #18 0x7fec12631de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260

SUMMARY: AddressSanitizer: double-free ??:0 ??
==28570==ABORTING
This is a bit odd.  This is claiming we freed the pointer in a previous JS_ReallocateArrayBufferContents call.  But then how are we still pointing to it?  Unless realloc can manage to free the passed-in pointer _and_ return null somehow?
Component: General → DOM
Component: DOM → DOM: Workers
This looks like it could be array-buffer-y.
Keywords: sec-high
Assignee: nobody → continuation
Sorry this has taken us so long to look into.  Can you still reproduce this?  I just want to make sure it hasn't been incidentally fixed in the interim.
Flags: needinfo?(inferno)
I was not able to get it to crash with the instructions in comment 0, but I was running a debug build, not an ASAN build.
(In reply to Boris Zbarsky [:bz] from comment #1)
> This is a bit odd.  This is claiming we freed the pointer in a previous
> JS_ReallocateArrayBufferContents call.  But then how are we still pointing
> to it?  Unless realloc can manage to free the passed-in pointer _and_ return
> null somehow?

Or we could have created two ArrayBuffers using the same data pointer, and one of them was collected.

Which seems totally impossible, since mDataPtr is set to nullptr after it is used for an ArrayBuffer.
ASAN builds are fairly easy to set up on Linux.  Let me know if you need any help figuring it out.
https://developer.mozilla.org/en-US/docs/Mozilla/Testing/Firefox_and_Address_Sanitizer
We also have Nightly ASAN builds.
(In reply to Andrew McCreight [:mccr8] from comment #3)
> Sorry this has taken us so long to look into.  Can you still reproduce this?
> I just want to make sure it hasn't been incidentally fixed in the interim.

It does not reproduce anymore, just checked on trunk. Don't know what fixed this.
Flags: needinfo?(inferno)
Group: dom-core-security
(In reply to Abhishek Arya from comment #7)
> (In reply to Andrew McCreight [:mccr8] from comment #3)
> > Sorry this has taken us so long to look into.  Can you still reproduce this?
> > I just want to make sure it hasn't been incidentally fixed in the interim.
> 
> It does not reproduce anymore, just checked on trunk. Don't know what fixed
> this.

This testcase again was caught as a one-time crasher on a trunk build, so it's not fixed, but I have a hard time figuring out what is causing this. Line numbers have changed a little.

==9966==ERROR: AddressSanitizer: attempting double-free on 0x6030002da160 in thread T0:
    #0 0x473ffb in realloc _asan_rtl_
    #1 0x7fce960ed7e2 in AllocateArrayBufferContents(JSContext*, unsigned int, void*, unsigned long) objdir-ff-asan/js/src/../../dist/include/js/Utility.h:123
    #2 0x7fce9265fc6d in nsXMLHttpRequest::GetResponse(JSContext*, mozilla::ErrorResult&) content/base/src/nsXMLHttpRequest.cpp:3869
    #3 0x7fce9265f356 in nsXMLHttpRequest::GetResponse(JSContext*, JS::MutableHandle<JS::Value>) content/base/src/nsXMLHttpRequest.cpp:932
    #4 0x7fce9210200b in (anonymous namespace)::EventRunnable::PreDispatch(JSContext*, mozilla::dom::workers::WorkerPrivate*) dom/workers/XMLHttpRequest.cpp:1161
    #5 0x7fce920eb929 in mozilla::dom::workers::WorkerRunnable::Dispatch(JSContext*) dom/workers/WorkerRunnable.cpp:104
    #6 0x7fce920f3fc0 in mozilla::dom::workers::Proxy::HandleEvent(nsIDOMEvent*) dom/workers/XMLHttpRequest.cpp:1058
    #7 0x7fce91daeb60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:950
    #8 0x7fce91daffa0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1011
    #9 0x7fce91da09b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:287
    #10 0x7fce91da4ad6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) dom/events/EventDispatcher.cpp:597
    #11 0x7fce91d6ad85 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:661
    #12 0x7fce926620e6 in nsXMLHttpRequest::DispatchProgressEvent(mozilla::DOMEventTargetHelper*, nsAString_internal const&, bool, unsigned long, unsigned long) content/base/src/nsXMLHttpRequest.cpp:1447
    #13 0x7fce9266ed45 in nsXMLHttpRequest::ChangeStateToDone() content/base/src/nsXMLHttpRequest.cpp:2226
    #14 0x7fce9266e270 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:2206
    #15 0x7fce924fe9ee in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #16 0x7fce8f18b327 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5188
    #17 0x7fce8ee68d61 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #18 0x7fce8ee67395 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #19 0x7fce8ecccb49 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #20 0x7fce8ed022d0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:715
    #21 0x7fce8ebc3c8a in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #22 0x7fce8f4d9e79 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #23 0x7fce8f482920 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229
    #24 0x7fce91748bc7 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #25 0x7fce945b8418 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278
    #26 0x7fce9442a143 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4019
    #27 0x7fce9442b02d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4088
    #28 0x7fce9442be7d in XRE_main toolkit/xre/nsAppRunner.cpp:4300
    #29 0x48c6e7 in main browser/app/nsBrowserApp.cpp:282
    #30 0x7fce9d4fcde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
0x6030002da160 is located 0 bytes inside of 1-byte region [0x6030002da160,0x6030002da161)
freed by thread T0 here:
    #0 0x473ffb in realloc _asan_rtl_
    #1 0x7fce960ed7e2 in AllocateArrayBufferContents(JSContext*, unsigned int, void*, unsigned long) objdir-ff-asan/js/src/../../dist/include/js/Utility.h:123
    #2 0x7fce9265fc6d in nsXMLHttpRequest::GetResponse(JSContext*, mozilla::ErrorResult&) content/base/src/nsXMLHttpRequest.cpp:3869
    #3 0x7fce9265f356 in nsXMLHttpRequest::GetResponse(JSContext*, JS::MutableHandle<JS::Value>) content/base/src/nsXMLHttpRequest.cpp:932
    #4 0x7fce9210200b in (anonymous namespace)::EventRunnable::PreDispatch(JSContext*, mozilla::dom::workers::WorkerPrivate*) dom/workers/XMLHttpRequest.cpp:1161
    #5 0x7fce920eb929 in mozilla::dom::workers::WorkerRunnable::Dispatch(JSContext*) dom/workers/WorkerRunnable.cpp:104
    #6 0x7fce920f3fc0 in mozilla::dom::workers::Proxy::HandleEvent(nsIDOMEvent*) dom/workers/XMLHttpRequest.cpp:1058
    #7 0x7fce91daeb60 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) dom/events/EventListenerManager.cpp:950
    #8 0x7fce91daffa0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) dom/events/EventListenerManager.cpp:1011
    #9 0x7fce91da09b1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) dom/events/EventDispatcher.cpp:287
    #10 0x7fce91da4ad6 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) dom/events/EventDispatcher.cpp:597
    #11 0x7fce91d6ad85 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) dom/events/EventDispatcher.cpp:661
    #12 0x7fce92661b42 in nsXMLHttpRequest::ChangeState(unsigned int, bool) content/base/src/nsXMLHttpRequest.cpp:3311
    #13 0x7fce9266eb6e in nsXMLHttpRequest::ChangeStateToDone() content/base/src/nsXMLHttpRequest.cpp:2219
    #14 0x7fce9266e270 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:2206
    #15 0x7fce924fe9ee in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #16 0x7fce8f18b327 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5188
    #17 0x7fce8ee68d61 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #18 0x7fce8ee67395 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #19 0x7fce8ecccb49 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #20 0x7fce8ed022d0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:715
    #21 0x7fce8ebc3c8a in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #22 0x7fce8f4d9e79 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #23 0x7fce8f482920 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229
    #24 0x7fce91748bc7 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #25 0x7fce945b8418 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278
    #26 0x7fce9442a143 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4019
    #27 0x7fce9442b02d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4088
    #28 0x7fce9442be7d in XRE_main toolkit/xre/nsAppRunner.cpp:4300
    #29 0x48c6e7 in main browser/app/nsBrowserApp.cpp:282

previously allocated by thread T0 here:
    #0 0x473e91 in calloc _asan_rtl_
    #1 0x7fce9266dc72 in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsXMLHttpRequest.cpp:3869
    #2 0x7fce924fe9ee in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) content/base/src/nsCrossSiteListenerProxy.cpp:655
    #3 0x7fce8f18b327 in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/protocol/http/nsHttpChannel.cpp:5188
    #4 0x7fce8ee68d61 in nsInputStreamPump::OnStateStop() netwerk/base/src/nsInputStreamPump.cpp:703
    #5 0x7fce8ee67395 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) netwerk/base/src/nsInputStreamPump.cpp:438
    #6 0x7fce8ecccb49 in nsInputStreamReadyEvent::Run() xpcom/io/nsStreamUtils.cpp:85
    #7 0x7fce8ed022d0 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:715
    #8 0x7fce8ebc3c8a in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
    #9 0x7fce8f4d9e79 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
    #10 0x7fce8f482920 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229
    #11 0x7fce91748bc7 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
    #12 0x7fce945b8418 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278
    #13 0x7fce9442a143 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4019
    #14 0x7fce9442b02d in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4088
    #15 0x7fce9442be7d in XRE_main toolkit/xre/nsAppRunner.cpp:4300
    #16 0x48c6e7 in main browser/app/nsBrowserApp.cpp:282
    #17 0x7fce9d4fcde4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
Could you look into this, Steve?  You are likely to make more headway than me...
Flags: needinfo?(sphink)
Assignee: continuation → nobody
Maybe you could look at this Kyle, or see if it reproduces?
Flags: needinfo?(khuey)
Blocks: 1019385
I don't think I'll be able to look at this before the week of June 16th :(
Here's an odd little tidbit I noticed in LSAN.  When I'm running Mochitest 1, I get this leak, with a suspiciously similar stack.  I wonder if it is somehow related.

Direct leak of 34 byte(s) in 1 object(s) allocated from:
    #0 0x471fbb in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:95
    #1 0x7fc0a89eae92 in js_realloc /build/obj-firefox/js/src/../../dist/include/js/Utility.h:116
    #2 0x7fc0a89eae92 in AllocateArrayBufferContents(JSContext*, unsigned int, void*, unsigned long) /build/js/src/vm/ArrayBufferObject.cpp:281
    #3 0x7fc0a4f2d04b in length /build/content/base/src/nsXMLHttpRequest.cpp:3965
    #4 0x7fc0a4f2d04b in nsXMLHttpRequest::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /build/content/base/src/nsXMLHttpRequest.cpp:2225
    #5 0x7fc0a4dc206e in nsCORSListenerProxy::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /build/content/base/src/nsCrossSiteListenerProxy.cpp:655
    #6 0x7fc0a15c1e9b in nsStreamListenerTee::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /build/netwerk/base/src/nsStreamListenerTee.cpp:53
Since I keep getting distracted from this, some notes on what's going on:

OnStopRequest
 - calls mArrayBufferBuilder.setCapacity which allocates the memory
   - I don't know this for sure. It's a calloc, not a realloc. But close enough.
 - calls ChangeStateToDone(), which ends up calling GetResponse()
   - which calls AllocateArrayBufferContents twice on that same pointer
     - or once, and it reallocs the same pointer twice (the code says no, trivially)
     - or it just happens to be the identical stack each time
     - or two threads are racing on this stuff

AllocateArrayBufferContents is called by lots of things. It would be really nice to have the inlined functions in the stack.
Bug 1030667 claims to have steps to reproduce.
Flags: needinfo?(khuey)
Can someone cc me on bug 1030667? (Why can't I see that one?)
(In reply to ben turner [:bent] (use the needinfo? flag!) from comment #15)
> Can someone cc me on bug 1030667? (Why can't I see that one?)

Because of the super-awesome bugzilla compartmentalization crap.
Bug 1030667 has a minimal testcase now -- just XHR an empty file, get the response as an ArrayBuffer.  I don't immediately see anything wrong with the code for this case (although I may not fully grok the XHR state mechanism).  It wouldn't surprise me if there's some sort of leaksan bug in handling of realloc of null, actually, but that's probably not likely.  :-)
> But then how are we still pointing to it?  Unless realloc can manage to free the passed-in pointer _and_ return null somehow?

According to Waldo's analysis in bug 1030667 comment 14, this in fact can happen with ASan.
Let's dupe this forward to the bug with a testcase.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(sphink)
Resolution: --- → DUPLICATE
Duplicate of bug: CVE-2015-0828
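The realloc behaviour bz asks about in comment 1 and the finding relayed from bug 1030667 (realloc can free the passed-in pointer and still return null) is ordinary glibc semantics for realloc(p, 0): the block is released and NULL comes back, and ASan's allocator does the same by default. The C model below is an added example, not Gecko code, and walks through the sequence sfink sketched in his notes above (OnStopRequest allocates the builder's buffer, GetResponse reallocs it to the final length and hands it to an ArrayBuffer, teardown frees whatever the builder still owns) for a zero-length body, which is the minimal testcase the duplicate bug ended up with. Every name in it (alloc_model_t, builder_t, take_contents_unsafe, take_contents_safe, run_scenario) is hypothetical; the allocator shim refuses to free the same address twice only so the bug-shaped path can run to completion and report the second free instead of aborting the way ASan does in the traces above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>

/* Hypothetical allocator shim (added example). It models glibc's realloc(p, 0),
 * which frees p and returns NULL (ASan's allocator does the same by default),
 * and it refuses to free the same address twice so the buggy path can run to
 * completion instead of aborting. Single-slot tracker: enough for one buffer,
 * not a general double-free detector. */
typedef struct {
    void *last_freed;
    int   double_frees;
} alloc_model_t;

static void model_free(alloc_model_t *m, void *p)
{
    if (p == NULL)
        return;
    if (p == m->last_freed) {        /* second free of a block already released */
        m->double_frees++;
        return;
    }
    m->last_freed = p;
    free(p);
}

static void *model_realloc(alloc_model_t *m, void *p, size_t n)
{
    if (n == 0) {                    /* realloc(p, 0): block released, NULL returned */
        model_free(m, p);
        return NULL;
    }
    void *q = realloc(p, n);
    if (q != NULL && q != p)         /* block moved: realloc released the old address */
        m->last_freed = p;
    return q;
}

/* Stand-in for the XHR ArrayBuffer builder: capacity bytes allocated up front,
 * length bytes actually received. */
typedef struct {
    uint8_t *data;
    size_t   capacity;
    size_t   length;
} builder_t;

/* Bug-shaped hand-off: shrink to the final length and treat NULL as an
 * allocation failure. With length == 0 the block is already gone, but the
 * builder keeps its pointer and frees it again at teardown. */
static uint8_t *take_contents_unsafe(alloc_model_t *m, builder_t *b, size_t *out_len)
{
    uint8_t *p = model_realloc(m, b->data, b->length);
    if (p == NULL)
        return NULL;                 /* b->data left in place: dangling if length was 0 */
    b->data = NULL;                  /* ownership moves to the ArrayBuffer */
    *out_len = b->length;
    return p;
}

/* Hardened hand-off: settle the empty case before realloc is involved, so a
 * NULL result can only mean a real allocation failure. */
static uint8_t *take_contents_safe(alloc_model_t *m, builder_t *b, size_t *out_len, int *ok)
{
    if (b->length == 0) {
        model_free(m, b->data);      /* release explicitly, exactly once */
        b->data = NULL;
        *out_len = 0;
        *ok = 1;
        return NULL;                 /* empty ArrayBuffer: NULL contents, length 0 */
    }
    uint8_t *p = model_realloc(m, b->data, b->length);
    if (p == NULL) {
        *ok = 0;                     /* genuine OOM: builder still owns b->data */
        return NULL;
    }
    b->data = NULL;
    *out_len = b->length;
    *ok = 1;
    return p;
}

/* One XHR response from OnStopRequest to teardown. Returns the number of
 * double-free attempts the shim recorded; 0 means the sequence is clean. */
int run_scenario(size_t capacity, size_t body_len, int use_safe)
{
    alloc_model_t m = { NULL, 0 };
    builder_t b = { calloc(capacity, 1), capacity, body_len };  /* like setCapacity() */
    size_t len = 0;
    int ok = 1;
    uint8_t *contents = use_safe ? take_contents_safe(&m, &b, &len, &ok)
                                 : take_contents_unsafe(&m, &b, &len);
    model_free(&m, b.data);          /* XHR teardown frees whatever the builder kept */
    model_free(&m, contents);        /* ArrayBuffer finalizer frees what it was handed */
    return m.double_frees;
}

int main(void)
{
    printf("empty body, bug-shaped hand-off : %d double free(s)\n", run_scenario(1, 0, 0));
    printf("empty body, hardened hand-off   : %d double free(s)\n", run_scenario(1, 0, 1));
    printf("5-byte body, bug-shaped hand-off: %d double free(s)\n", run_scenario(16, 5, 0));
    return 0;
}
```

The 1-byte capacity in the first scenario mirrors the "1-byte region" ASan reports as freed by realloc in both traces. A non-empty body never trips the model because realloc either shrinks in place or moves the block and the builder gives up its pointer in both cases; only the zero-length body turns "NULL means failure, keep the old pointer" into a second free. The review check this suggests for any realloc-to-final-size path: if the requested size can be 0, the NULL branch must not assume the old block is still alive.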
FWIW, this has a testcase, too, in comment 0.
Group: core-security → core-security-release
Group: dom-core-security, core-security-release