Closed Bug 1462548 Opened 7 years ago Closed 7 years ago

heap-use-after-free in [@ mozilla::dom::HTMLLinkElement::UnbindFromTree]

Categories

(Core :: DOM: Core & HTML, defect)

defect
Not set
normal

Tracking

()

VERIFIED FIXED
mozilla62
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- disabled
firefox60 --- disabled
firefox61 --- disabled
firefox62 + verified

People

(Reporter: tsmith, Assigned: smaug)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(2 files)

==606==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00011d01c at pc 0x7f1d7a6f98d4 bp 0x7ffedb784b30 sp 0x7ffedb784b28
READ of size 4 at 0x60d00011d01c thread T0 (file:// Content)
    #0 0x7f1d7a6f98d3 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1644:12
    #1 0x7f1d7a6f98d3 in IsElement src/obj-firefox/dist/include/nsINode.h:511
    #2 0x7f1d7a6f98d3 in GetShadowRoot src/dom/base/nsIContentInlines.h:58
    #3 0x7f1d7a6f98d3 in mozilla::dom::HTMLLinkElement::UnbindFromTree(bool, bool) src/dom/html/HTMLLinkElement.cpp:190
    #4 0x7f1d776d78db in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1353:16
    #5 0x7f1d776d7899 in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1352:9
    #6 0x7f1d776d714a in ContentUnbinder::Run() src/dom/base/FragmentOrElement.cpp:1364:9
    #7 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #8 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #9 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #10 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #11 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #12 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #13 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #14 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #15 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #16 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #17 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #18 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #19 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #20 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #21 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #22 0x42476c in _start (/home/ubuntu/firefox/firefox+0x42476c)

0x60d00011d01c is located 28 bytes inside of 136-byte region [0x60d00011d000,0x60d00011d088)
freed by thread T0 (file:// Content) here:
    #0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f1d744ea3a0 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f1d744f552d in FreeSnowWhite src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f1d744f552d in nsCycleCollector_doDeferredDeletion() src/xpcom/base/nsCycleCollector.cpp:4293
    #4 0x7f1d75f96d39 in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:126:34
    #5 0x7f1d7467fa6a in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:343:22
    #6 0x7f1d7465c976 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #7 0x7f1d746788b0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #8 0x7f1d7555902a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #9 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #10 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #11 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #12 0x7f1d7c0c314a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #13 0x7f1d8031687b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #14 0x7f1d754ac6c9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #15 0x7f1d754ac6c9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #16 0x7f1d754ac6c9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #17 0x7f1d80316240 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #18 0x4f50dc in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #19 0x4f50dc in main src/browser/app/nsBrowserApp.cpp:282
    #20 0x7f1d93fb882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4f5f7d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7f1d7a7ab8d3 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12
    #3 0x7f1d7a7ab8d3 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLSharedElement.cpp:23
    #4 0x7f1d7a832f49 in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/nsHTMLContentSink.cpp:251:41
    #5 0x7f1d774a2ed7 in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/base/nsContentUtils.cpp:10006:18
    #6 0x7f1d7a832ea8 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsAtom*, mozilla::dom::CustomElementDefinition*) src/dom/html/nsHTMLContentSink.cpp:234:10
    #7 0x7f1d779796d2 in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) src/dom/base/nsNameSpaceManager.cpp:191:12
    #8 0x7f1d77853d6f in nsIDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) src/dom/base/nsDocument.cpp:7875:17
    #9 0x7f1d77853790 in nsIDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) src/dom/base/nsDocument.cpp:5704:26
    #10 0x7f1d7952b4b1 in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/DocumentBinding.cpp:1258:59
    #11 0x7f1d79d371b1 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3260:13
    #12 0x7f1d805feb97 in CallJSNative src/js/src/vm/JSContext-inl.h:280:15
    #13 0x7f1d805feb97 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:467
    #14 0x7f1d805e9393 in CallFromStack src/js/src/vm/Interpreter.cpp:522:12
    #15 0x7f1d805e9393 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3086
    #16 0x7f1d805cfb53 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:417:12
    #17 0x7f1d805fe915 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:489:15
    #18 0x7f1d805ffb92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:535:10
    #19 0x7f1d8114225a in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2981:12
    #20 0x7f1d794df17e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:264:37
    #21 0x7f1d7a4a6d6a in void mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JSCompartment*) src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #22 0x7f1d7a4a46d4 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:214:12
    #23 0x7f1d7a46b24d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1124:52
    #24 0x7f1d7a46c98b in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*) src/dom/events/EventListenerManager.cpp:1291:20
    #25 0x7f1d7a456c97 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:528:16
    #26 0x7f1d7a45aa93 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:961:9
    #27 0x7f1d7a45cfcb in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #28 0x7f1d7791a128 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1077:5
    #29 0x7f1d7746fc93 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool, bool*, bool) src/dom/base/nsContentUtils.cpp:4469:28
    #30 0x7f1d7746fa74 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsTSubstring<char16_t> const&, bool, bool, bool*) src/dom/base/nsContentUtils.cpp:4437:10
    #31 0x7f1d7c4a4999 in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) src/layout/style/Loader.cpp:321:3
    #32 0x7f1d7c4a4d5c in AfterProcessNextEvent src/layout/style/Loader.cpp:304:3
    #33 0x7f1d7c4a4d5c in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) src/layout/style/Loader.cpp
I will upload the testcase when reduction is complete.
Flags: needinfo?(twsmith)
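As an added triage example (not code from this bug, from Mozilla, or from the reporter), the following Python parses an AddressSanitizer heap-use-after-free report into the facts a triager pulls out of comment 0 by hand: the bug class, the faulting access, the region geometry, and a blame frame for each of the three stacks (access, free, allocation). Two heuristics are my own assumptions: frames that share one program counter are treated as inlined into a single real frame, so the crash signature is the outermost of that group (which is how frame #3 rather than #0 becomes the `[@ ...]` signature in the title); and frames whose path contains `compiler-rt/lib/asan` or `mozalloc` are treated as allocator plumbing and skipped when naming the freeing and allocating code. The sample input is a trimmed excerpt of the report above in the single-line form the tracker rendered it in, so the parser also re-inserts the line breaks that rendering lost.

```python
"""ASan report triage helper (added example, not Mozilla code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"(?P<op>READ|WRITE) of size (?P<size>\d+) at (?P<addr>0x[0-9a-f]+)")
REGION_RE = re.compile(r"is located (?P<off>\d+) bytes inside of (?P<size>\d+)-byte region \[(?P<base>0x[0-9a-f]+),")
# A frame is "#N 0xPC in <function, may contain spaces> <location without spaces>".
FRAME_RE = re.compile(r"#(?P<n>\d+) (?P<pc>0x[0-9a-f]+) in (?P<func>.+?) (?P<loc>\S+)$")
# Bug trackers often flatten the report; re-insert a newline before every token that starts a line.
SPLIT_RE = re.compile(
    r"\s+(?=#\d+ 0x[0-9a-f]+ in |(?:READ|WRITE) of size |0x[0-9a-f]+ is located "
    r"|freed by thread |previously allocated by thread )"
)
# Assumption: allocator plumbing that never deserves blame (ASan interceptors, mozalloc wrappers).
NOISE = ("compiler-rt/lib/asan", "mozalloc")


@dataclass
class Frame:
    n: int
    pc: int
    func: str
    loc: str


@dataclass
class Report:
    kind: str
    addr: int
    op: str
    size: int
    region_offset: int | None
    region_size: int | None
    region_base: int | None
    stacks: dict  # "access" | "free" | "alloc" -> list[Frame]


def parse_report(text: str) -> Report:
    lines = [ln.strip() for ln in SPLIT_RE.sub("\n", text).splitlines() if ln.strip()]
    kind = addr = op = size = off = rsize = base = None
    stacks: dict = {"access": [], "free": [], "alloc": []}
    current = None  # which of the three stacks the next frame lines belong to
    for ln in lines:
        if m := HEADER_RE.search(ln):
            kind, addr = m["kind"], int(m["addr"], 16)
        elif m := ACCESS_RE.match(ln):
            op, size, current = m["op"], int(m["size"]), "access"
        elif m := REGION_RE.search(ln):
            off, rsize, base = int(m["off"]), int(m["size"]), int(m["base"], 16)
        elif ln.startswith("freed by thread"):
            current = "free"
        elif ln.startswith("previously allocated by thread"):
            current = "alloc"
        elif (m := FRAME_RE.match(ln)) and current:
            stacks[current].append(Frame(int(m["n"]), int(m["pc"], 16), m["func"], m["loc"]))
    if kind is None or op is None or not stacks["access"]:
        raise ValueError("not an ASan access report")
    return Report(kind, addr, op, size, off, rsize, base, stacks)


def strip_params(func: str) -> str:
    """Drop the parameter list so the name matches a Bugzilla-style [@ ...] signature."""
    return func.split("(", 1)[0]


def signature_frame(frames: list[Frame]) -> Frame:
    """Outermost frame of the inlined group at the top of the stack (same pc as frame #0)."""
    top = frames[0]
    for fr in frames[1:]:
        if fr.pc != top.pc:
            break
        top = fr
    return top


def blame_frame(frames: list[Frame]) -> Frame:
    """First frame outside allocator plumbing: the code that actually freed or allocated."""
    return next((fr for fr in frames if not any(t in fr.loc for t in NOISE)), frames[-1])


def triage(text: str) -> dict:
    rep = parse_report(text)
    # Sanity check that the pasted numbers agree with each other: the faulting
    # address minus the region base must equal the reported offset.
    consistent = rep.region_base is not None and rep.addr - rep.region_base == rep.region_offset
    return {
        "kind": rep.kind,
        "access": f"{rep.op} of size {rep.size}",
        "signature": strip_params(signature_frame(rep.stacks["access"]).func),
        "freed_by": strip_params(blame_frame(rep.stacks["free"]).func) if rep.stacks["free"] else None,
        "allocated_by": strip_params(blame_frame(rep.stacks["alloc"]).func) if rep.stacks["alloc"] else None,
        "region_consistent": consistent,
    }


# Excerpt of the comment 0 report above, flattened as the tracker rendered it, trimmed to the
# frames needed to exercise the logic.
SAMPLE = (
    "==606==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00011d01c at pc 0x7f1d7a6f98d4 bp 0x7ffedb784b30 sp 0x7ffedb784b28 "
    "READ of size 4 at 0x60d00011d01c thread T0 (file:// Content) "
    "#0 0x7f1d7a6f98d3 in GetBoolFlag src/obj-firefox/dist/include/nsINode.h:1644:12 "
    "#1 0x7f1d7a6f98d3 in IsElement src/obj-firefox/dist/include/nsINode.h:511 "
    "#2 0x7f1d7a6f98d3 in GetShadowRoot src/dom/base/nsIContentInlines.h:58 "
    "#3 0x7f1d7a6f98d3 in mozilla::dom::HTMLLinkElement::UnbindFromTree(bool, bool) src/dom/html/HTMLLinkElement.cpp:190 "
    "#4 0x7f1d776d78db in ContentUnbinder::UnbindSubtree(nsIContent*) src/dom/base/FragmentOrElement.cpp:1353:16 "
    "0x60d00011d01c is located 28 bytes inside of 136-byte region [0x60d00011d000,0x60d00011d088) "
    "freed by thread T0 (file:// Content) here: "
    "#0 0x4c5172 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3 "
    "#1 0x7f1d744ea3a0 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2729:25 "
    "#2 0x7f1d744f552d in FreeSnowWhite src/xpcom/base/nsCycleCollector.cpp:2917:3 "
    "previously allocated by thread T0 (file:// Content) here: "
    "#0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 "
    "#1 0x4f5f7d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17 "
    "#2 0x7f1d7a7ab8d3 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:156:12 "
    "#3 0x7f1d7a7ab8d3 in NS_NewHTMLSharedElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) src/dom/html/HTMLSharedElement.cpp:23"
)

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run against the sample, `triage` names `mozilla::dom::HTMLLinkElement::UnbindFromTree` as the signature, `SnowWhiteKiller::~SnowWhiteKiller` (cycle-collector deferred deletion) as the freeing code and `NS_NewHTMLSharedElement` as the allocating code, and confirms the 28-byte offset agrees with the addresses. The inlined-group rule matters for dedup: without it the top frame would be `GetBoolFlag`, an accessor that appears in unrelated crashes.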
Blocks: 1461704
Attached file testcase.html
This testcase does require the fuzzpriv extension[1].
[1] https://github.com/MozillaSecurity/fuzzpriv/tree/legacy
Flags: needinfo?(twsmith)
Flags: in-testsuite?
Keywords: testcase
Flags: needinfo?(bugs)
How do I install that legacy addon? Though, it looks like I have the addon installed on one of the FF profiles, but it is disabled.
Aha, xpinstall.whitelist.required = false is needed too. But still, even when the addon is enabled, the testcase throws "line 2: ReferenceError: fuzzPriv is not defined".
Tyson, could you explain how to reproduce the issue?
Flags: needinfo?(twsmith)
Patch for bug 1463116 might fix this one.
Assignee: nobody → bugs
Depends on: 1463116
Looking at the patch this doesn't seem to affect ESR-52 but would apply to ESR-60+. Is that right, Olli?
The issue is Shadow DOM dependent, and Shadow DOM isn't enabled by default anywhere.
Flags: needinfo?(bugs)
Attached file prefs.js
This bug was fixed by the patch in bug 1463116. I verified with m-c:
BuildID=20180522095022
SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(twsmith)
Resolution: --- → FIXED
Thanks for checking.
Can we land the test still?
Group: dom-core-security → core-security-release
Flags: needinfo?(bugs)
Target Milestone: --- → mozilla62
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Hi Tyson,
Unfortunately I didn't manage to reproduce the bug described in comment 0 using an affected Firefox 62.0a1 (BuildId:20180517094542) asan build. I tried reproducing this issue using a fuzzing asan build, but as soon as I load the provided testcase (from Comment 2) the following error is displayed: "ReferenceError: fuzzPriv is not defined" - same as in Comment 4. I managed to install the fuzzpriv extension, but as soon as the testcase is loaded, a "document.createElement(...).attachShadow is not a function" error gets thrown. Is there something that I might be missing? Could you help us by confirming that this is fixed on the latest 62 beta asan build as well? Thank You!
Flags: needinfo?(twsmith)
Verified in Firefox 62.

(In reply to Tyson Smith [:tsmith] from comment #11)
> This bug was fixed by the patch in bug 1463116. I verified with m-c:
> BuildID=20180522095022
> SourceStamp=f85be0c4f0562ea59a91000883e0e7848491837c

The fuzzPriv extension is not supported on release or beta.
Flags: needinfo?(twsmith)
Thanks Tyson, marking this as verified fixed (per comment 15).
Status: RESOLVED → VERIFIED
Flags: qe-verify+

I was able to confirm that the attached testcase reproduces the UAF as a crashtest against an affected revision with SpecialPowers substituted in and Shadow DOM preffed on. Testcase landed on inbound:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c75f2874b74d

Also, I'm opening this bug up since the issue only ever affected Shadow DOM, which wasn't preffed on by default until long after this bug was fixed.

Group: core-security-release
Flags: needinfo?(bugs)
Flags: in-testsuite?
Flags: in-testsuite+
Component: DOM → DOM: Core & HTML