Closed
Bug 1588353
Opened 6 years ago
Closed 6 years ago
Intermittent GECKO(2373) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:661:24 in is<0>
Categories
(Core :: DOM: Service Workers, defect, P1)
Core
DOM: Service Workers
Tracking
()
RESOLVED
FIXED
mozilla72
| Tracking | Status | |
|---|---|---|
| firefox-esr68 | --- | unaffected |
| firefox70 | --- | unaffected |
| firefox71 | --- | unaffected |
| firefox72 | --- | fixed |
People
(Reporter: cbrindusan, Assigned: perry)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-uaf, intermittent-failure, sec-high, Whiteboard: [post-critsmash-triage])
Attachments
(1 file)
Log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=271043282&repo=autoland&lineNumber=5448
[task 2019-10-13T06:37:19.315Z] 06:37:19 INFO - TEST-OK | dom/cache/test/mochitest/test_cache_matchAll_request.html | took 1603ms
[task 2019-10-13T06:37:19.356Z] 06:37:19 INFO - TEST-START | dom/cache/test/mochitest/test_cache_match_request.html
[task 2019-10-13T06:37:20.253Z] 06:37:20 INFO - GECKO(2373) | =================================================================
[task 2019-10-13T06:37:20.256Z] 06:37:20 ERROR - GECKO(2373) | ==2438==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000d95c4 at pc 0x7f7a63266b4b bp 0x7f7a59065050 sp 0x7f7a59065048
[task 2019-10-13T06:37:20.256Z] 06:37:20 INFO - GECKO(2373) | READ of size 1 at 0x60e0000d95c4 thread T9 (Worker Launcher)
[task 2019-10-13T06:37:20.775Z] 06:37:20 INFO - GECKO(2373) | MEMORY STAT | vsize 20974537MB | residentFast 774MB
[task 2019-10-13T06:37:20.776Z] 06:37:20 INFO - TEST-OK | dom/cache/test/mochitest/test_cache_match_request.html | took 1419ms
|
||
Comment 1•6 years ago
|
||
INFO - TEST-START | dom/cache/test/mochitest/test_cache_match_request.html
INFO - GECKO(2373) | =================================================================
RROR - GECKO(2373) | ==2438==ERROR: AddressSanitizer: heap-use-after-free on address 0x60e0000d95c4 at pc 0x7f7a63266b4b bp 0x7f7a59065050 sp 0x7f7a59065048
INFO - GECKO(2373) | READ of size 1 at 0x60e0000d95c4 thread T9 (Worker Launcher)
INFO - GECKO(2373) | MEMORY STAT | vsize 20974537MB | residentFast 774MB
INFO - TEST-OK | dom/cache/test/mochitest/test_cache_match_request.html | took 1419ms
INFO - TEST-START | dom/cache/test/mochitest/test_cache_match_vary.html
INFO - GECKO(2373) | #0 0x7f7a63266b4a in is<0> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:661:24
INFO - GECKO(2373) | #1 0x7f7a63266b4a in IsNothing /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:206:53
INFO - GECKO(2373) | #2 0x7f7a63266b4a in IsPending /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:984:42
INFO - GECKO(2373) | #3 0x7f7a63266b4a in void mozilla::MozPromise<bool, nsresult, false>::Private::Reject<nsresult const&>(nsresult const&, char const*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1088:10
INFO - GECKO(2373) | #4 0x7f7a6a569c89 in Reject<const nsresult &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1212:15
INFO - GECKO(2373) | #5 0x7f7a6a569c89 in RejectIfExists<const nsresult &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1220:7
INFO - GECKO(2373) | #6 0x7f7a6a569c89 in mozilla::dom::RemoteWorkerChild::ActorDestroy(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:280:23
INFO - GECKO(2373) | #7 0x7f7a6372bac6 in mozilla::ipc::IProtocol::DestroySubtree(mozilla::ipc::IProtocol::ActorDestroyReason) /builds/worker/workspace/build/src/ipc/glue/ProtocolUtils.cpp:572:3
INFO - GECKO(2373) | #8 0x7f7a63da0c16 in mozilla::dom::PRemoteWorkerChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PRemoteWorkerChild.cpp:404:20
INFO - GECKO(2373) | #9 0x7f7a63ba80be in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
INFO - GECKO(2373) | #10 0x7f7a63719a41 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2185:25
INFO - GECKO(2373) | #11 0x7f7a63715ced in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2109:9
INFO - GECKO(2373) | #12 0x7f7a63717980 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1954:3
INFO - GECKO(2373) | #13 0x7f7a63717f57 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1985:13
INFO - GECKO(2373) | #14 0x7f7a6260ee53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
INFO - GECKO(2373) | #15 0x7f7a626158a1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
INFO - GECKO(2373) | #16 0x7f7a63721e29 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
INFO - GECKO(2373) | #17 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #18 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #19 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #20 0x7f7a626087fe in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
INFO - GECKO(2373) | #21 0x7f7a80ebcfbd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
INFO - GECKO(2373) | #22 0x7f7a84ab86b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2373) | #23 0x7f7a83b4141c in clone /build/glibc-LK5gWL/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109
INFO - GECKO(2373) | 0x60e0000d95c4 is located 68 bytes inside of 152-byte region [0x60e0000d9580,0x60e0000d9618)
INFO - GECKO(2373) | freed by thread T29 (DOM Worker) here:
INFO - GECKO(2373) | #0 0x560bfebd4a8d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
INFO - GECKO(2373) | #1 0x7f7a6a56e8d3 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:145:3
INFO - GECKO(2373) | #2 0x7f7a6a56e8d3 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:48:40
INFO - GECKO(2373) | #3 0x7f7a6a56e8d3 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:373:36
INFO - GECKO(2373) | #4 0x7f7a6a56e8d3 in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:67:7
INFO - GECKO(2373) | #5 0x7f7a6a56e8d3 in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:162:5
INFO - GECKO(2373) | #6 0x7f7a6a56e8d3 in Resolve<bool> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1190:14
INFO - GECKO(2373) | #7 0x7f7a6a56e8d3 in ResolveIfExists<bool> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1197:7
INFO - GECKO(2373) | #8 0x7f7a6a56e8d3 in mozilla::dom::RemoteWorkerChild::TransitionStateToTerminated(mozilla::Variant<mozilla::dom::RemoteWorkerChild::Pending, mozilla::dom::RemoteWorkerChild::Running, mozilla::dom::RemoteWorkerChild::PendingTerminated, mozilla::dom::RemoteWorkerChild::Terminated>&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:772:23
INFO - GECKO(2373) | #9 0x7f7a6a58663c in TransitionStateToTerminated /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:764:3
INFO - GECKO(2373) | #10 0x7f7a6a58663c in operator() /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:531:15
INFO - GECKO(2373) | #11 0x7f7a6a58663c in std::_Function_handler<void (), mozilla::dom::RemoteWorkerChild::InitializeOnWorker(already_AddRefed<mozilla::dom::WorkerPrivate>)::$_5>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:1731:2
INFO - GECKO(2373) | #12 0x7f7a6a548460 in operator() /builds/worker/fetches/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/6.4.0/../../../../include/c++/6.4.0/functional:2127:14
INFO - GECKO(2373) | #13 0x7f7a6a548460 in Notify /builds/worker/workspace/build/src/dom/workers/WorkerRef.cpp:98:3
INFO - GECKO(2373) | #14 0x7f7a6a548460 in mozilla::dom::WeakWorkerRef::Notify() /builds/worker/workspace/build/src/dom/workers/WorkerRef.cpp:133:14
INFO - GECKO(2373) | #15 0x7f7a6a5381a6 in mozilla::dom::WorkerPrivate::NotifyWorkerRefs(mozilla::dom::WorkerStatus) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:3617:21
INFO - GECKO(2373) | #16 0x7f7a6a532777 in mozilla::dom::WorkerPrivate::NotifyInternal(mozilla::dom::WorkerStatus) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:4139:5
INFO - GECKO(2373) | #17 0x7f7a6a54abae in mozilla::dom::WorkerRunnable::Run() /builds/worker/workspace/build/src/dom/workers/WorkerRunnable.cpp:369:12
INFO - GECKO(2373) | #18 0x7f7a6a53063c in ProcessAllControlRunnablesLocked /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:3402:9
INFO - GECKO(2373) | #19 0x7f7a6a53063c in mozilla::dom::WorkerPrivate::DoRunLoop(JSContext*) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2770:21
INFO - GECKO(2373) | #20 0x7f7a6a4fb3de in mozilla::dom::workerinternals::(anonymous namespace)::WorkerThreadPrimaryRunnable::Run() /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:2330:40
INFO - GECKO(2373) | #21 0x7f7a6260ee53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
INFO - GECKO(2373) | #22 0x7f7a626158a1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
INFO - GECKO(2373) | #23 0x7f7a63721e29 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
INFO - GECKO(2373) | #24 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #25 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #26 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #27 0x7f7a626087fe in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
INFO - GECKO(2373) | #28 0x7f7a80ebcfbd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
INFO - GECKO(2373) | #29 0x7f7a84ab86b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2373) | previously allocated by thread T9 (Worker Launcher) here:
INFO - GECKO(2373) | #0 0x560bfebd4d0d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
INFO - GECKO(2373) | #1 0x560bfec0a01d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:52:15
INFO - GECKO(2373) | #2 0x7f7a631e79c6 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/cxxalloc.h:33:10
INFO - GECKO(2373) | #3 0x7f7a631e79c6 in mozilla::MozPromiseHolder<mozilla::MozPromise<bool, nsresult, false> >::Ensure(char const*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/MozPromise.h:1154:18
INFO - GECKO(2373) | #4 0x7f7a6a56f67b in mozilla::dom::RemoteWorkerChild::GetTerminationPromise() /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:571:30
INFO - GECKO(2373) | #5 0x7f7a6aa53795 in mozilla::dom::ServiceWorkerOp::MaybeStart(mozilla::dom::RemoteWorkerChild*, mozilla::Variant<mozilla::dom::RemoteWorkerChild::Pending, mozilla::dom::RemoteWorkerChild::Running, mozilla::dom::RemoteWorkerChild::PendingTerminated, mozilla::dom::RemoteWorkerChild::Terminated>&) /builds/worker/workspace/build/src/dom/serviceworkers/ServiceWorkerOp.cpp:329:13
INFO - GECKO(2373) | #6 0x7f7a6a571835 in mozilla::dom::RemoteWorkerChild::MaybeStartOp(RefPtr<mozilla::dom::RemoteWorkerChild::Op>&&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:932:13
INFO - GECKO(2373) | #7 0x7f7a6a571d35 in mozilla::dom::RemoteWorkerChild::RecvExecServiceWorkerOp(mozilla::dom::ServiceWorkerOpArgs&&, std::function<void (mozilla::dom::ServiceWorkerOpResult const&)>&&) /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerChild.cpp:952:3
INFO - GECKO(2373) | #8 0x7f7a63da1bf2 in mozilla::dom::PRemoteWorkerChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PRemoteWorkerChild.cpp:502:61
INFO - GECKO(2373) | #9 0x7f7a63ba80be in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
INFO - GECKO(2373) | #10 0x7f7a63719a41 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2185:25
INFO - GECKO(2373) | #11 0x7f7a63715ced in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2109:9
INFO - GECKO(2373) | #12 0x7f7a63717980 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1954:3
INFO - GECKO(2373) | #13 0x7f7a63717f57 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1985:13
INFO - GECKO(2373) | #14 0x7f7a6260ee53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
INFO - GECKO(2373) | #15 0x7f7a626158a1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
INFO - GECKO(2373) | #16 0x7f7a63721e29 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:333:5
INFO - GECKO(2373) | #17 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #18 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #19 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #20 0x7f7a626087fe in nsThread::ThreadFunc(void*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:458:11
INFO - GECKO(2373) | #21 0x7f7a80ebcfbd in _pt_root /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:201:5
INFO - GECKO(2373) | #22 0x7f7a84ab86b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
INFO - GECKO(2373) | Thread T9 (Worker Launcher) created by T0 (Web Content) here:
INFO - GECKO(2373) | #0 0x560bfebbf49a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
INFO - GECKO(2373) | #1 0x7f7a80eaf129 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
INFO - GECKO(2373) | #2 0x7f7a80e98e5e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
INFO - GECKO(2373) | #3 0x7f7a6260acd6 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
INFO - GECKO(2373) | #4 0x7f7a62614a0b in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /builds/worker/workspace/build/src/xpcom/threads/nsThreadManager.cpp:515:12
INFO - GECKO(2373) | #5 0x7f7a62618763 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:139:57
INFO - GECKO(2373) | #6 0x7f7a6a57f403 in NS_NewNamedThread<16> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:71:10
INFO - GECKO(2373) | #7 0x7f7a6a57f403 in mozilla::dom::RemoteWorkerService::InitializeOnMainThread() /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerService.cpp:82:17
INFO - GECKO(2373) | #8 0x7f7a6a57ee38 in mozilla::dom::RemoteWorkerService::Initialize() /builds/worker/workspace/build/src/dom/workers/remoteworkers/RemoteWorkerService.cpp:49:28
INFO - GECKO(2373) | #9 0x7f7a6a34c9df in mozilla::dom::ContentChild::InitXPCOM(mozilla::dom::XPCOMInitData const&, mozilla::dom::ipc::StructuredCloneData const&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1335:3
INFO - GECKO(2373) | #10 0x7f7a6a34c772 in mozilla::dom::ContentChild::RecvSetXPCOMProcessAttributes(mozilla::dom::XPCOMInitData const&, mozilla::dom::ipc::StructuredCloneData const&, nsTArray<LookAndFeelInt>&&, nsTArray<mozilla::dom::SystemFontListEntry>&&, mozilla::Maybe<base::FileDescriptor> const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:614:3
INFO - GECKO(2373) | #11 0x7f7a638fac81 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:10235:56
INFO - GECKO(2373) | #12 0x7f7a63719a41 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2185:25
INFO - GECKO(2373) | #13 0x7f7a63715ced in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2109:9
INFO - GECKO(2373) | #14 0x7f7a63717980 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1954:3
INFO - GECKO(2373) | #15 0x7f7a63717f57 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1985:13
INFO - GECKO(2373) | #16 0x7f7a6260ee53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
INFO - GECKO(2373) | #17 0x7f7a626158a1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
INFO - GECKO(2373) | #18 0x7f7a63720c7c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
INFO - GECKO(2373) | #19 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #20 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #21 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #22 0x7f7a6ad6d988 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
INFO - GECKO(2373) | #23 0x7f7a6ea25526 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
INFO - GECKO(2373) | #24 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #25 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #26 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #27 0x7f7a6ea24dda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
INFO - GECKO(2373) | #28 0x560bfec078b2 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
INFO - GECKO(2373) | #29 0x560bfec078b2 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
INFO - GECKO(2373) | #30 0x7f7a83a5a82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
INFO - GECKO(2373) | Thread T29 (DOM Worker) created by T0 (Web Content) here:
INFO - GECKO(2373) | #0 0x560bfebbf49a in pthread_create /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:209:3
INFO - GECKO(2373) | #1 0x7f7a80eaf129 in _PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:458:14
INFO - GECKO(2373) | #2 0x7f7a80e98e5e in PR_CreateThread /builds/worker/workspace/build/src/nsprpub/pr/src/pthreads/ptthread.c:533:12
INFO - GECKO(2373) | #3 0x7f7a6260acd6 in nsThread::Init(nsTSubstring<char> const&) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:672:8
INFO - GECKO(2373) | #4 0x7f7a6a55c1e8 in mozilla::dom::WorkerThread::Create(mozilla::dom::WorkerThreadFriendKey const&) /builds/worker/workspace/build/src/dom/workers/WorkerThread.cpp:92:7
INFO - GECKO(2373) | #5 0x7f7a6a4cc24f in mozilla::dom::workerinternals::RuntimeService::ScheduleWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1439:14
INFO - GECKO(2373) | #6 0x7f7a6a4ca8dc in mozilla::dom::workerinternals::RuntimeService::RegisterWorker(mozilla::dom::WorkerPrivate*) /builds/worker/workspace/build/src/dom/workers/RuntimeService.cpp:1304:19
INFO - GECKO(2373) | #7 0x7f7a6a52a98e in mozilla::dom::WorkerPrivate::Constructor(JSContext*, nsTSubstring<char16_t> const&, bool, mozilla::dom::WorkerType, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, mozilla::dom::WorkerLoadInfo*, mozilla::ErrorResult&, nsTString<char16_t>) /builds/worker/workspace/build/src/dom/workers/WorkerPrivate.cpp:2362:24
INFO - GECKO(2373) | #8 0x7f7a6a4daf25 in mozilla::dom::Worker::Constructor(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::WorkerOptions const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/workers/Worker.cpp:31:41
INFO - GECKO(2373) | #9 0x7f7a67ab872d in mozilla::dom::Worker_Binding::_constructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WorkerBinding.cpp:1141:52
INFO - GECKO(2373) | #10 0x7f7a6ec9ecac in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
INFO - GECKO(2373) | #11 0x7f7a6ec9ecac in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473:8
INFO - GECKO(2373) | #12 0x7f7a6ec9ecac in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:681:10
INFO - GECKO(2373) | #13 0x7f7a6ec836ee in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3102:16
INFO - GECKO(2373) | #14 0x7f7a6ec657ca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
INFO - GECKO(2373) | #15 0x7f7a6ec9b8ee in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
INFO - GECKO(2373) | #16 0x7f7a6ec9dbf9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
INFO - GECKO(2373) | #17 0x7f7a6eddb0c0 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:2231:15
INFO - GECKO(2373) | #18 0x7f7a6ee219fc in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:2152:7
INFO - GECKO(2373) | #19 0x7f7a6ec9f3d0 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
INFO - GECKO(2373) | #20 0x7f7a6ec9f3d0 in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473:8
INFO - GECKO(2373) | #21 0x7f7a6ec9f3d0 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:662:14
INFO - GECKO(2373) | #22 0x7f7a6ec836ee in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3102:16
INFO - GECKO(2373) | #23 0x7f7a6ec657ca in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
INFO - GECKO(2373) | #24 0x7f7a6ec9b8ee in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:590:13
INFO - GECKO(2373) | #25 0x7f7a6ec9dbf9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
INFO - GECKO(2373) | #26 0x7f7a6ef53393 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
INFO - GECKO(2373) | #27 0x7f7a6ef1a1f1 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
INFO - GECKO(2373) | #28 0x7f7a64181ca5 in xpc::JSXrayTraits::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&, js::Wrapper const&) /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.h:213:27
INFO - GECKO(2373) | #29 0x7f7a6ef300dc in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
INFO - GECKO(2373) | #30 0x7f7a6ec9bfe6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:14
INFO - GECKO(2373) | #31 0x7f7a6ec9dbf9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
INFO - GECKO(2373) | #32 0x7f7a6ee2dc13 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.h:103:10
INFO - GECKO(2373) | #33 0x7f7a6ee2dc13 in PromiseReactionJob(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:1698:10
INFO - GECKO(2373) | #34 0x7f7a6ec9ade9 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:457:13
INFO - GECKO(2373) | #35 0x7f7a6ec9ade9 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:549:12
INFO - GECKO(2373) | #36 0x7f7a6ec9dbf9 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:635:8
INFO - GECKO(2373) | #37 0x7f7a6ee7cbcc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2722:10
INFO - GECKO(2373) | #38 0x7f7a66bfe3a6 in mozilla::dom::PromiseJobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/PromiseBinding.cpp:26:8
INFO - GECKO(2373) | #39 0x7f7a62435bf7 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:91:12
INFO - GECKO(2373) | #40 0x7f7a62435bf7 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/PromiseBinding.h:104:12
INFO - GECKO(2373) | #41 0x7f7a62435bf7 in mozilla::PromiseJobRunnable::Run(mozilla::AutoSlowOperation&) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:245:18
INFO - GECKO(2373) | #42 0x7f7a62410011 in mozilla::CycleCollectedJSContext::PerformMicroTaskCheckPoint(bool) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSContext.cpp:667:17
INFO - GECKO(2373) | #43 0x7f7a68d1b053 in LeaveMicroTask /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:213:7
INFO - GECKO(2373) | #44 0x7f7a68d1b053 in ~nsAutoMicroTask /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/CycleCollectedJSContext.h:367:13
INFO - GECKO(2373) | #45 0x7f7a68d1b053 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1041:3
INFO - GECKO(2373) | #46 0x7f7a68d1c94a in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
INFO - GECKO(2373) | #47 0x7f7a68d03db8 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
INFO - GECKO(2373) | #48 0x7f7a68d03db8 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349:17
INFO - GECKO(2373) | #49 0x7f7a68d025f1 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
INFO - GECKO(2373) | #50 0x7f7a68d07ef3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1049:11
INFO - GECKO(2373) | #51 0x7f7a6a903a4a in mozilla::dom::ScriptElement::ScriptEvaluated(nsresult, nsIScriptElement*, bool) /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:64:5
INFO - GECKO(2373) | #52 0x7f7a6a92fc8a in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2326:3
INFO - GECKO(2373) | #53 0x7f7a6a926a45 in CompileOffThreadOrProcessRequest /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2178:10
INFO - GECKO(2373) | #54 0x7f7a6a926a45 in mozilla::dom::ScriptLoader::ProcessPendingRequests() /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:3113:7
INFO - GECKO(2373) | #55 0x7f7a6a90f43b in mozilla::dom::ScriptLoader::OnStreamComplete(nsIIncrementalStreamLoader*, mozilla::dom::ScriptLoadRequest*, nsresult, nsresult, mozilla::dom::SRICheckDataVerifier*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:3320:3
INFO - GECKO(2373) | #56 0x7f7a6a90de70 in mozilla::dom::ScriptLoadHandler::OnStreamComplete(nsIIncrementalStreamLoader*, nsISupports*, nsresult, unsigned int, unsigned char const*) /builds/worker/workspace/build/src/dom/script/ScriptLoadHandler.cpp:425:23
INFO - GECKO(2373) | #57 0x7f7a62877254 in nsIncrementalStreamLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsIncrementalStreamLoader.cpp:86:20
INFO - GECKO(2373) | #58 0x7f7a631ab76c in mozilla::net::HttpChannelChild::DoOnStopRequest(nsIRequest*, nsresult, nsISupports*) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1258:15
INFO - GECKO(2373) | #59 0x7f7a631b6724 in mozilla::net::HttpChannelChild::OnStopRequest(nsresult const&, mozilla::net::ResourceTimingStruct const&, mozilla::net::nsHttpHeaderArray const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:1135:5
INFO - GECKO(2373) | #60 0x7f7a6343859d in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:90:12
INFO - GECKO(2373) | #61 0x7f7a6346b14a in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:293:5
INFO - GECKO(2373) | #62 0x7f7a6346b14a in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:148:17
INFO - GECKO(2373) | #63 0x7f7a625dde21 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
INFO - GECKO(2373) | #64 0x7f7a6260ee53 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
INFO - GECKO(2373) | #65 0x7f7a626158a1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
INFO - GECKO(2373) | #66 0x7f7a63720c7c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
INFO - GECKO(2373) | #67 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #68 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #69 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #70 0x7f7a6ad6d988 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
INFO - GECKO(2373) | #71 0x7f7a6ea25526 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
INFO - GECKO(2373) | #72 0x7f7a6363fe62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
INFO - GECKO(2373) | #73 0x7f7a6363fe62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
INFO - GECKO(2373) | #74 0x7f7a6363fe62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
INFO - GECKO(2373) | #75 0x7f7a6ea24dda in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
INFO - GECKO(2373) | #76 0x560bfec078b2 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
INFO - GECKO(2373) | #77 0x560bfec078b2 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272:18
INFO - GECKO(2373) | #78 0x7f7a83a5a82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
INFO - GECKO(2373) | SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Variant.h:661:24 in is<0>
INFO - GECKO(2373) | Shadow bytes around the buggy address:
INFO - GECKO(2373) | 0x0c1c80013260: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fa
INFO - GECKO(2373) | 0x0c1c80013270: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
INFO - GECKO(2373) | 0x0c1c80013280: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
INFO - GECKO(2373) | 0x0c1c80013290: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
INFO - GECKO(2373) | 0x0c1c800132a0: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | =>0x0c1c800132b0: fd fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd
INFO - GECKO(2373) | 0x0c1c800132c0: fd fd fd fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | 0x0c1c800132d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | 0x0c1c800132e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | 0x0c1c800132f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | 0x0c1c80013300: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
INFO - GECKO(2373) | Shadow byte legend (one shadow byte represents 8 application bytes):
INFO - GECKO(2373) | Addressable: 00
INFO - GECKO(2373) | Partially addressable: 01 02 03 04 05 06 07
INFO - GECKO(2373) | Heap left redzone: fa
INFO - GECKO(2373) | Freed heap region: fd
INFO - GECKO(2373) | Stack left redzone: f1
INFO - GECKO(2373) | Stack mid redzone: f2
INFO - GECKO(2373) | Stack right redzone: f3
INFO - GECKO(2373) | Stack after return: f5
INFO - GECKO(2373) | Stack use after scope: f8
INFO - GECKO(2373) | Global redzone: f9
INFO - GECKO(2373) | Global init order: f6
INFO - GECKO(2373) | Poisoned by user: f7
INFO - GECKO(2373) | Container overflow: fc
INFO - GECKO(2373) | Array cookie: ac
INFO - GECKO(2373) | Intra object redzone: bb
INFO - GECKO(2373) | ASan internal: fe
INFO - GECKO(2373) | Left alloca redzone: ca
INFO - GECKO(2373) | Right alloca redzone: cb
INFO - GECKO(2373) | Shadow gap: cc
INFO - GECKO(2373) | ==2438==ABORTING
|
||
Updated•6 years ago
|
Group: core-security → dom-core-security
Keywords: csectype-uaf,
sec-high
|
||
Comment 2•6 years ago
|
||
We will monitor this, by now it seemed to happen only once.
Priority: -- → P3
|
|
||
Updated•6 years ago
|
Assignee: nobody → perry
Status: NEW → ASSIGNED
Priority: P3 → P1
|
|
||
Comment 3•6 years ago
|
||
Saw this on try today with identical stacks.
|
||
Comment 4•6 years ago
|
||
Without more to go on here (no STR, seen so infrequently), I wonder if we should mark it stalled.
|
Assignee | |
Comment 6•6 years ago
•
|
||
Jens pointed out that the stacks in comment 1's link shows thread T9 (Worker Launcher) calling MozPromiseHolder::Reject while thread T29 (DOM Worker) calls MozPromiseHolder::Resolve. It looks like while MozPromise is threadsafe, MozPromiseHolder isn't, so one thread can null MozPromiseHolder::mPromise right before/while another thread tries to de-reference it. And these two calls are in fact called on the same RemoteWorkerChild::mTerminationPromise.
I'll make this particular usage of MozPromiseHolder threadsafe, but MozPromiseHolder itself should also be a threadsafe class to be consistent with MozPromise, and I filed bug 1594651 for that.
|
|
Assignee | |
Comment 7•6 years ago
|
||
|
|
||
Comment 8•6 years ago
|
||
(In reply to Andrew Sutherland [:asuth] (he/him) from comment #5)
This is bug 1587702 but with a much more useful trace.
Is this still true or is it more bug 1594651 Perry just filed (I did not look into it, so it's an open question)?
Flags: needinfo?(bugmail)
|
|
||
Comment 9•6 years ago
•
|
||
Probably off-topic, but I was also wondering what MozPromise is intended to do with two contradicting EOL messages (one reject, one resolve). From Perry's code changes I understand that we are in a cleanup phase, so probably it just doesn't matter really, what message is sent for closing?
|
||
Comment 10•6 years ago
|
||
(In reply to Perry Jiang [:perry] from comment #6)
Jens pointed out that the stacks
Great eye, Jens!
(In reply to Jens Stutte [:jstutte] from comment #8)
(In reply to Andrew Sutherland [:asuth] (he/him) from comment #5)
This is bug 1587702 but with a much more useful trace.
Is this still true or is it more bug 1594651 Perry just filed (I did not look into it, so it's an open question)?
There may be other incidences of the bug 1594651 phenomenon, but I believe this bug is literally the exact same scenario as bug 1587702. Because this was marked as a security bug and had the more useful information, I wanted to avoid duping in this direction but establish a link.
(In reply to Jens Stutte [:jstutte] from comment #9)
Probably off-topic, but I was also wondering what
MozPromiseis intended to do with two contradicting EOL messages (one reject, one resolve). From Perry's code changes I understand that we are in a cleanup phase, so probably it just doesn't matter really, what message is sent for closing?
Although MozPromise frequently diverges from JS Promise's semantics, this is the main case where they overlap. Promises explicitly are intended to resolve/reject with the first value they're resolved/rejected with and latch that. This allows UI's to have an automatic timeout for requests by having the request race a setTimeout that will auto-reject.
It is, of course, explicitly on the code creating these parallel paths to make sure that some kind of sane/orderly cleanup happens for the code whose resolve/reject will potentially end up moot. Like you would want to cancel the underlying request if possible to save resources, etc. (And in some cases it's better to have the timeout directly trigger the cancellation of the underlying request and let that then reject. For example the fetch API has an explicit AbortController mechanism for this.
Flags: needinfo?(bugmail)
|
|
Assignee | |
Comment 11•6 years ago
|
||
We'll land this fix without explicit sec-approval because the vulnerability meets the condition that B) "We have not shipped this vulnerability in anything other than a nightly build" . Specifically, it requires the pref dom.serviceWorkers.parent_intercept=true, which is only the case for Nightly.
|
|
||
Comment 12•6 years ago
|
||
(setting flags to convey nightly-only-ness.)
status-firefox70:
--- → unaffected
status-firefox71:
--- → unaffected
status-firefox72:
--- → affected
status-firefox-esr68:
--- → unaffected
|
|
||
Comment 13•6 years ago
|
||
https://hg.mozilla.org/integration/autoland/rev/48e4197e500330589012afb685f17903ac89428b
https://hg.mozilla.org/mozilla-central/rev/48e4197e5003
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla72
|
||
Updated•6 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•5 years ago
|
Blocks: asan-maintenance
|
||
Updated•5 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•