Closed Bug 1556430 Opened 5 years ago Closed 5 years ago

Intermittent SUMMARY: AddressSanitizer: heap-use-after-free dist/include/mozilla/Vector.h:501:12 in end

Categories

(Core :: JavaScript: GC, defect, P1)

Tracking

RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: opoprus, Assigned: sfink)

References

(Blocks 2 open bugs, Regression)

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(1 obsolete file)

Treeherder link: https://treeherder.mozilla.org/#/jobs?repo=autoland&resultStatus=superseded%2Ctestfailed%2Cbusted%2Cexception%2Crunnable&revision=53a5f4a6e1de21b62be288cac96763aeece78277&selectedJob=249707195&searchStr=14d46b9a13d234febfd9f91b6ec50da10d3fe3dd

Failure log: https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=249707195&repo=autoland&lineNumber=2832
Raw log: https://taskcluster-artifacts.net/N4nCnKz7QMa1Y_QCkxiQLA/0/public/logs/live_backing.log

[task 2019-06-03T13:57:45.223Z] 13:57:45 INFO - TEST-START | toolkit/components/extensions/test/mochitest/test_ext_window_postMessage.html
[task 2019-06-03T13:57:45.421Z] 13:57:45 INFO - GECKO(1321) | Console message: [JavaScript Warning: "The character encoding of a framed document was not declared. The document may appear different if viewed without the document framing it." {file: "http://mochi.test:8888/tests/toolkit/components/extensions/test/mochitest/test_ext_window_postMessage.html" line: 0}]
[task 2019-06-03T13:57:45.463Z] 13:57:45 INFO - GECKO(1321) | Console message: Warning: attempting to write 11443 bytes to preference extensions.webextensions.uuids. This is bad for general performance and memory usage. Such an amount of data should rather be written to an external file. This preference will not be sent to any content processes.
[task 2019-06-03T13:57:45.830Z] 13:57:45 INFO - GECKO(1321) | =================================================================
[task 2019-06-03T13:57:45.830Z] 13:57:45 ERROR - GECKO(1321) | ==1389==ERROR: AddressSanitizer: heap-use-after-free on address 0x6130005b7b58 at pc 0x7f199b4c0175 bp 0x7ffd13b8fa60 sp 0x7ffd13b8fa58
[task 2019-06-03T13:57:45.831Z] 13:57:45 INFO - GECKO(1321) | READ of size 8 at 0x6130005b7b58 thread T0 (Web Content)
[task 2019-06-03T13:57:46.497Z] 13:57:46 INFO - GECKO(1321) | #0 0x7f199b4c0174 in end /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12
[task 2019-06-03T13:57:46.498Z] 13:57:46 INFO - GECKO(1321) | #1 0x7f199b4c0174 in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:94
[task 2019-06-03T13:57:46.498Z] 13:57:46 INFO - GECKO(1321) | #2 0x7f199b4c0174 in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665
[task 2019-06-03T13:57:46.514Z] 13:57:46 INFO - GECKO(1321) | #3 0x7f199aab91e9 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7
[task 2019-06-03T13:57:46.514Z] 13:57:46 INFO - GECKO(1321) | #4 0x7f199aab91e9 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161
[task 2019-06-03T13:57:46.551Z] 13:57:46 INFO - GECKO(1321) | #5 0x7f199b10dde8 in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30
[task 2019-06-03T13:57:46.552Z] 13:57:46 INFO - GECKO(1321) | #6 0x7f199b10dde8 in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499
[task 2019-06-03T13:57:46.587Z] 13:57:46 INFO - GECKO(1321) | #7 0x7f198fb22ffa in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3
[task 2019-06-03T13:57:46.609Z] 13:57:46 INFO - GECKO(1321) | #8 0x7f19916d390e in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13
[task 2019-06-03T13:57:46.630Z] 13:57:46 INFO - GECKO(1321) | #9 0x7f198e0447fa in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
[task 2019-06-03T13:57:46.631Z] 13:57:46 INFO - GECKO(1321) | #10 0x7f198e02ae7f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
[task 2019-06-03T13:57:46.631Z] 13:57:46 INFO - GECKO(1321) | #11 0x7f198e030fd8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-06-03T13:57:46.651Z] 13:57:46 INFO - GECKO(1321) | #12 0x7f198f0a5a4a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
[task 2019-06-03T13:57:46.667Z] 13:57:46 INFO - GECKO(1321) | #13 0x7f198efd5272 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-06-03T13:57:46.668Z] 13:57:46 INFO - GECKO(1321) | #14 0x7f198efd5272 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-06-03T13:57:46.668Z] 13:57:46 INFO - GECKO(1321) | #15 0x7f198efd5272 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-06-03T13:57:46.670Z] 13:57:46 INFO - GECKO(1321) | #16 0x7f19965193d9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
[task 2019-06-03T13:57:46.671Z] 13:57:46 INFO - GECKO(1321) | #17 0x7f199a18449f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
[task 2019-06-03T13:57:46.677Z] 13:57:46 INFO - GECKO(1321) | #18 0x7f198efd5272 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-06-03T13:57:46.678Z] 13:57:46 INFO - GECKO(1321) | #19 0x7f198efd5272 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-06-03T13:57:46.679Z] 13:57:46 INFO - GECKO(1321) | #20 0x7f198efd5272 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-06-03T13:57:46.679Z] 13:57:46 INFO - GECKO(1321) | #21 0x7f199a183e46 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
[task 2019-06-03T13:57:46.687Z] 13:57:46 INFO - GECKO(1321) | #22 0x556c5a6553a7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
[task 2019-06-03T13:57:46.688Z] 13:57:46 INFO - GECKO(1321) | #23 0x556c5a6553a7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
[task 2019-06-03T13:57:46.765Z] 13:57:46 INFO - GECKO(1321) | #24 0x7f19ae7fa82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
[task 2019-06-03T13:57:46.766Z] 13:57:46 INFO - GECKO(1321) | #25 0x556c5a576af8 in _start (/builds/worker/workspace/build/application/firefox/firefox+0x2aaf8)
[task 2019-06-03T13:57:46.767Z] 13:57:46 INFO - GECKO(1321) | 0x6130005b7b58 is located 152 bytes inside of 360-byte region [0x6130005b7ac0,0x6130005b7c28)
[task 2019-06-03T13:57:46.768Z] 13:57:46 INFO - GECKO(1321) | freed by thread T0 (Web Content) here:
[task 2019-06-03T13:57:46.769Z] 13:57:46 INFO - GECKO(1321) | #0 0x556c5a622182 in free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
[task 2019-06-03T13:57:46.911Z] 13:57:46 INFO - GECKO(1321) | #1 0x7f199a7f5d86 in js_free /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:411:3
[task 2019-06-03T13:57:46.912Z] 13:57:46 INFO - GECKO(1321) | #2 0x7f199a7f5d86 in free_<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:83
[task 2019-06-03T13:57:46.913Z] 13:57:46 INFO - GECKO(1321) | #3 0x7f199a7f5d86 in freeData /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:634
[task 2019-06-03T13:57:46.914Z] 13:57:46 INFO - GECKO(1321) | #4 0x7f199a7f5d86 in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::rehash(unsigned int) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:728
[task 2019-06-03T13:57:46.920Z] 13:57:46 INFO - GECKO(1321) | #5 0x7f199a7f4f4d in bool js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::put<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry>(js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry&&) /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:189:12
[task 2019-06-03T13:57:46.949Z] 13:57:46 INFO - GECKO(1321) | #6 0x7f199af5acfd in put<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy> > /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:811:17
[task 2019-06-03T13:57:46.951Z] 13:57:46 INFO - GECKO(1321) | #7 0x7f199af5acfd in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::addWeakEntry(js::GCMarker*, js::gc::Cell*, js::gc::WeakMarkable const&) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:199
[task 2019-06-03T13:57:46.952Z] 13:57:46 INFO - GECKO(1321) | #8 0x7f199af572a7 in js::WeakMap<js::HeapPtr<JSObject*>, js::HeapPtr<JS::Value> >::postSeverDelegate(js::GCMarker*, js::gc::Cell*, JS::Compartment*) /builds/worker/workspace/build/src/js/src/gc/WeakMap-inl.h:260:5
[task 2019-06-03T13:57:46.953Z] 13:57:46 INFO - GECKO(1321) | #9 0x7f199b4c007e in operator() /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:669:25
[task 2019-06-03T13:57:46.955Z] 13:57:46 INFO - GECKO(1321) | #10 0x7f199b4c007e in RemoveIf<js::gc::WeakMarkable, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:84
[task 2019-06-03T13:57:46.956Z] 13:57:46 INFO - GECKO(1321) | #11 0x7f199b4c007e in EraseIf<mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, (lambda at /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665:23)> /builds/worker/workspace/build/src/js/src/jsutil.h:93
[task 2019-06-03T13:57:46.959Z] 13:57:46 INFO - GECKO(1321) | #12 0x7f199b4c007e in js::GCMarker::severWeakDelegate(JSObject*, JSObject*) /builds/worker/workspace/build/src/js/src/gc/Marking.cpp:665
[task 2019-06-03T13:57:46.960Z] 13:57:46 INFO - GECKO(1321) | #13 0x7f199aab91e9 in delegatePreWriteBarrier /builds/worker/workspace/build/src/js/src/gc/Zone.h:409:7
[task 2019-06-03T13:57:46.961Z] 13:57:46 INFO - GECKO(1321) | #14 0x7f199aab91e9 in js::ProxyObject::nuke() /builds/worker/workspace/build/src/js/src/vm/ProxyObject.cpp:161
[task 2019-06-03T13:57:46.963Z] 13:57:46 INFO - GECKO(1321) | #15 0x7f199b10dde8 in NukeRemovedCrossCompartmentWrapper /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:381:30
[task 2019-06-03T13:57:46.968Z] 13:57:46 INFO - GECKO(1321) | #16 0x7f199b10dde8 in js::NukeCrossCompartmentWrappers(JSContext*, js::CompartmentFilter const&, JS::Realm*, js::NukeReferencesToWindow, js::NukeReferencesFromTarget) /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:499
[task 2019-06-03T13:57:46.969Z] 13:57:46 INFO - GECKO(1321) | #17 0x7f198fb22ffa in xpc::NukeAllWrappersForRealm(JSContext*, JS::Realm*, js::NukeReferencesToWindow) /builds/worker/workspace/build/src/js/xpconnect/src/XPCJSRuntime.cpp:691:3
[task 2019-06-03T13:57:46.974Z] 13:57:46 INFO - GECKO(1321) | #18 0x7f19916d390e in mozilla::WindowDestroyedEvent::Run() /builds/worker/workspace/build/src/dom/base/WindowDestroyedEvent.cpp:120:13
[task 2019-06-03T13:57:46.975Z] 13:57:46 INFO - GECKO(1321) | #19 0x7f198e0447fa in IdleRunnableWrapper::Run() /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:331:22
[task 2019-06-03T13:57:46.978Z] 13:57:46 INFO - GECKO(1321) | #20 0x7f198e02ae7f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1176:14
[task 2019-06-03T13:57:46.980Z] 13:57:46 INFO - GECKO(1321) | #21 0x7f198e030fd8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
[task 2019-06-03T13:57:46.984Z] 13:57:46 INFO - GECKO(1321) | #22 0x7f198f0a5a4a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
[task 2019-06-03T13:57:46.985Z] 13:57:46 INFO - GECKO(1321) | #23 0x7f198efd5272 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-06-03T13:57:47.000Z] 13:57:47 INFO - GECKO(1321) | #24 0x7f198efd5272 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-06-03T13:57:47.002Z] 13:57:47 INFO - GECKO(1321) | #25 0x7f198efd5272 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-06-03T13:57:47.003Z] 13:57:47 INFO - GECKO(1321) | #26 0x7f19965193d9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
[task 2019-06-03T13:57:47.005Z] 13:57:47 INFO - GECKO(1321) | #27 0x7f199a18449f in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:911:20
[task 2019-06-03T13:57:47.006Z] 13:57:47 INFO - GECKO(1321) | #28 0x7f198efd5272 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
[task 2019-06-03T13:57:47.008Z] 13:57:47 INFO - GECKO(1321) | #29 0x7f198efd5272 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
[task 2019-06-03T13:57:47.009Z] 13:57:47 INFO - GECKO(1321) | #30 0x7f198efd5272 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
[task 2019-06-03T13:57:47.010Z] 13:57:47 INFO - GECKO(1321) | #31 0x7f199a183e46 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:749:34
[task 2019-06-03T13:57:47.011Z] 13:57:47 INFO - GECKO(1321) | #32 0x556c5a6553a7 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
[task 2019-06-03T13:57:47.013Z] 13:57:47 INFO - GECKO(1321) | #33 0x556c5a6553a7 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
[task 2019-06-03T13:57:47.014Z] 13:57:47 INFO - GECKO(1321) | #34 0x7f19ae7fa82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
[task 2019-06-03T13:57:47.015Z] 13:57:47 INFO - GECKO(1321) | previously allocated by thread T5 (JS Helper) here:
[task 2019-06-03T13:57:47.017Z] 13:57:47 INFO - GECKO(1321) | #0 0x556c5a622503 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
[task 2019-06-03T13:57:47.018Z] 13:57:47 INFO - GECKO(1321) | #1 0x7f199b4fd600 in js_arena_malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:367:10
[task 2019-06-03T13:57:47.020Z] 13:57:47 INFO - GECKO(1321) | #2 0x7f199b4fd600 in js_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/Utility.h:572
[task 2019-06-03T13:57:47.021Z] 13:57:47 INFO - GECKO(1321) | #3 0x7f199b4fd600 in maybe_pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:31
[task 2019-06-03T13:57:47.024Z] 13:57:47 INFO - GECKO(1321) | #4 0x7f199b4fd600 in pod_arena_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:44
[task 2019-06-03T13:57:47.025Z] 13:57:47 INFO - GECKO(1321) | #5 0x7f199b4fd600 in pod_malloc<js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell *, mozilla::Vector<js::gc::WeakMarkable, 2, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::Data> /builds/worker/workspace/build/src/obj-firefox/dist/include/js/AllocPolicy.h:70
[task 2019-06-03T13:57:47.028Z] 13:57:47 INFO - GECKO(1321) | #6 0x7f199b4fd600 in init /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:127
[task 2019-06-03T13:57:47.032Z] 13:57:47 INFO - GECKO(1321) | #7 0x7f199b4fd600 in js::detail::OrderedHashTable<js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::Entry, js::OrderedHashMap<js::gc::Cell*, mozilla::Vector<js::gc::WeakMarkable, 2ul, js::SystemAllocPolicy>, js::gc::WeakKeyTableHashPolicy, js::SystemAllocPolicy>::MapOps, js::SystemAllocPolicy>::clear() /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:260
[task 2019-06-03T13:57:47.033Z] 13:57:47 INFO - GECKO(1321) | #8 0x7f199b494244 in clear /builds/worker/workspace/build/src/js/src/ds/OrderedHashTable.h:807:43
[task 2019-06-03T13:57:47.034Z] 13:57:47 INFO - GECKO(1321) | #9 0x7f199b494244 in SweepWeakMaps(js::GCParallelTask*) /builds/worker/workspace/build/src/js/src/gc/GC.cpp:5624
[task 2019-06-03T13:57:47.036Z] 13:57:47 INFO - GECKO(1321) | #10 0x7f199a8a9340 in runFromHelperThread /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:1708:5
[task 2019-06-03T13:57:47.041Z] 13:57:47 INFO - GECKO(1321) | #11 0x7f199a8a9340 in js::HelperThread::handleGCParallelWorkload(js::AutoLockHelperThreadState&) /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:1729
[task 2019-06-03T13:57:47.042Z] 13:57:47 INFO - GECKO(1321) | #12 0x7f199a8ac6d8 in js::HelperThread::threadLoop() /builds/worker/workspace/build/src/js/src/vm/HelperThreads.cpp:2521:5
[task 2019-06-03T13:57:47.044Z] 13:57:47 INFO - GECKO(1321) | #13 0x7f199a8d3ec2 in callMain<0> /builds/worker/workspace/build/src/js/src/threading/Thread.h:239:5
[task 2019-06-03T13:57:47.045Z] 13:57:47 INFO - GECKO(1321) | #14 0x7f199a8d3ec2 in js::detail::ThreadTrampoline<void (&)(void*), js::HelperThread*>::Start(void*) /builds/worker/workspace/build/src/js/src/threading/Thread.h:232
[task 2019-06-03T13:57:47.046Z] 13:57:47 INFO - GECKO(1321) | #15 0x7f19af8586b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)

Touched by sfink recently in bug 1167452 :)

Group: core-security → javascript-core-security
Flags: needinfo?(sphink)
Regressed by: 1167452
Summary: Intermittent SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Vector.h:501:12 in end → Intermittent SUMMARY: AddressSanitizer: heap-use-after-free dist/include/mozilla/Vector.h:501:12 in end
Keywords: regression
Assignee: nobody → sphink
Flags: needinfo?(sphink)
Priority: -- → P1

This is an iterator invalidation issue, one that I convinced myself wouldn't happen because the zones would be different. I am now unconvinced. A slowish fix is straightforward, but I'll try to craft a test case and then see if I can come up with something better.
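
The pattern visible in the trace (an `EraseIf` callback calls `put()`, which rehashes and frees the table buffer that holds the vector being filtered), as an added example that is not part of the original comment and is not Gecko code. `Table`, `Entry`, `callback_invalidates` and `erase_if_safe` are hypothetical names in a constructed model; the copy-then-relookup approach is one general way to avoid the hazard, not the change that resolved this bug.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <functional>
#include <vector>

// Constructed model: entries sit in one contiguous buffer, each with an inline list.
struct Entry {
    int key;
    int items[2];   // inline storage lives inside the table's buffer
    size_t count;
};
struct Table {
    std::vector<Entry> data;   // growing frees the old buffer ("rehash")
    Entry* lookup(int key) {
        for (auto& e : data) if (e.key == key) return &e;
        return nullptr;
    }
    void put(int key, int item) {
        if (Entry* e = lookup(key)) {
            if (e->count < 2) e->items[e->count++] = item;
            return;
        }
        data.push_back(Entry{key, {item, 0}, 1});
    }
};

// True if a pointer taken into the list before cb ran is stale afterwards (integers compared only).
bool callback_invalidates(Table& t, int key, const std::function<void(Table&)>& cb) {
    Entry* e = t.lookup(key);
    if (!e) return false;
    std::uintptr_t before = reinterpret_cast<std::uintptr_t>(e->items);
    cb(t);
    Entry* now = t.lookup(key);
    return !now || reinterpret_cast<std::uintptr_t>(now->items) != before;
}

// Filter a copy, then look the entry up again; assumes pred only inserts under other keys.
size_t erase_if_safe(Table& t, int key, const std::function<bool(Table&, int)>& pred) {
    Entry* e = t.lookup(key);
    if (!e) return 0;
    std::vector<int> local(e->items, e->items + e->count);
    size_t before = local.size();
    local.erase(std::remove_if(local.begin(), local.end(),
                               [&](int v) { return pred(t, v); }),
                local.end());
    e = t.lookup(key);   // the buffer may have moved while pred ran
    if (!e) return 0;
    e->count = local.size();
    std::copy(local.begin(), local.end(), e->items);
    return before - local.size();
}

struct Demo { bool hazard; size_t erased; size_t left; int survivor; };
Demo run_demo() {
    Table t;
    t.put(1, 10); t.put(1, 11);
    int next_key = 100;
    auto grow = [&](Table& tb) {   // insert until the buffer must reallocate
        size_t n = tb.data.capacity() - tb.data.size() + 1;
        for (size_t i = 0; i < n; ++i) tb.put(next_key++, 0);
    };
    bool hazard = callback_invalidates(t, 1, grow);
    size_t erased = erase_if_safe(t, 1, [&](Table& tb, int v) { grow(tb); return v == 10; });
    Entry* e = t.lookup(1);
    return {hazard, erased, e->count, e->items[0]};
}
int main() { return run_demo().hazard ? 0 : 1; }
```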

Blocks: 1557179
Group: javascript-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Crash Signature: [@ js::GCMarker::severWeakDelegate]
Flags: needinfo?(sphink) → in-testsuite+

More information about the backout in bug 1514421.

Group: core-security-release → javascript-core-security
Flags: needinfo?(sphink)
Target Milestone: mozilla69 → ---
Status: RESOLVED → REOPENED
Resolution: FIXED → ---

This can be closed, as it was fixed by the further backout of https://phabricator.services.mozilla.com/D31959

Status: REOPENED → RESOLVED
Closed: 5 years ago
Flags: needinfo?(sphink)
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Group: javascript-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Group: core-security-release
Attachment #9069816 - Attachment is obsolete: true
Has Regression Range: --- → yes