ASan reports a heap-use-after-free error when the attached page is opened. The file was minimized against 14.0a1 (2012-03-24) and doesn't seem to reproduce anymore on 12.0, but similar files caused also it to crash during minimization. The trace was https://crash-stats.mozilla.com/report/index/bp-e750dc35-be93-426f-aff3-cd82b2120324 To reproduce, open idb.html in an ASan build and wait about 7 seconds.

This one seems to usually crash Firefox 12.0 when closing the tab: <script> for (var foo = 0; foo < 1000; foo++) { var x = new Array(1000); IDBKeyRange.only(1); IDBKeyRange.only("'a'").lower; } </script> Crash report: https://crash-stats.mozilla.com/report/index/bp-8684865e-5e04-46ed-997a-f0bdf2120324

I can reproduce this on trunk on Windows.

IDBKeyRange assumes that it will be unlinked before it is destroyed, but that assumption is wrong, because it is not wrapper cached. In Aki's testcase the dead IDBKeyRange remains in the XPConnect hashtable because it never called NS_DROP_JS_OBJECTS. This is a regression from Bug 692669.

Thanks for the bug report and testcase Aki!

Patch looks good here. Neither the attached cases nor the originals cause any issues after applying it. 5h from bug to patch during weekend. Not bad :)

Comment on attachment 609053 [details] [diff] [review] Patch Review of attachment 609053 [details] [diff] [review]: ----------------------------------------------------------------- r=me with this change: ::: dom/indexedDB/IDBKeyRange.cpp @@ +351,5 @@ > +IDBKeyRange::~IDBKeyRange() > +{ > + if (mRooted) { > + NS_DROP_JS_OBJECTS(this, IDBKeyRange); > + mCachedLowerVal = JSVAL_VOID; No need to do anything else after dropping. You're in the destructor.

I'm a little worried that it is easy to figure out the bug from the fix, so I snuck this one into the tree in a merge changeset. https://hg.mozilla.org/mozilla-central/rev/c3fd0768d46a

Comment on attachment 609053 [details] [diff] [review] Patch We'll want this everywhere. [Approval Request Comment] Regression caused by (bug #): bug 692669 User impact if declined: sg:crit Testing completed (on m-c, etc.): It is on m-c Risk to taking this patch (and alternatives if risky): Very low String changes made by this patch: N/A

We should land this on branches all at once near the end of the Firefox 12 cycle. Code freeze is April 13 (I think) so sometime in the day or two before that.

Holding on approval to give this fix some time to bake on m-c. (In reply to Daniel Veditz [:dveditz] from comment #11) > We should land this on branches all at once near the end of the Firefox 12 > cycle. Code freeze is April 13 (I think) so sometime in the day or two > before that. April 13th is the code freeze. Is this a change in process you'd like to make or is this bug particularly nasty?

Comment on attachment 609053 [details] [diff] [review] Patch [Triage Comment] Approving for landing on all branches.

Did we decide when to land this?

(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #14) > Did we decide when to land this? Before beta 5's go-to-build please (4/10).

https://hg.mozilla.org/releases/mozilla-aurora/rev/008838e028ba https://hg.mozilla.org/releases/mozilla-beta/rev/426df312cfa3 https://hg.mozilla.org/releases/mozilla-esr10/rev/c61ea8a2402c

How does one get an ASan build for "releases" (10.0.4ESR, 12 Beta, etc)?

You don't need an ASAN build, just load the testcase in the browser and refresh it a few times.

Verified in nightly (Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:14.0) Gecko/20120417 Firefox/14.0a1) using attached testcase per comment 18. Crashes in Firefox 11 on same machine.

Verified fixed in Firefox ESR 10.0.4pre 2012-04-18.

Verified fixed in Firefox 13.0b4 and Firefox 14.0a2 2012-05-22.

rforbes-bugspam-for-setting-that-bounty-flag-20130719

(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #24) > http://www.vupen.com/blog/20120625. > Advanced_Exploitation_of_Mozilla_Firefox_UaF_CVE-2012-0469.php Hi, thanks for your post, but I couldn't connnect to the website(I have no idea about why, it just doesn't work even if I use a proxy). Could you please post an offline version of your php page or any other reference? I would like to get some more details about this bug so as to study it. Thanks a lot.

(In reply to tgn from comment #26) > Hi, thanks for your post, but I couldn't connnect to the website(I have no > idea about why, it just doesn't work even if I use a proxy). Kyle was linking to a blog post by Vupen. He did not write that post himself. According to Wikipedia, Vupen shut down in 2015, so I guess their blog post was taken down. Maybe you could find the post in some web archive site.