Attachment 9137563 Details for Bug 1626728
75.0b8-ff.log (text/x-log), 19.70 KB, created by Francisco A.
>=================================================================
>==7841==ERROR: AddressSanitizer: heap-use-after-free on address 0x6080006452a8 at pc 0x7f1255bf90b0 bp 0x7f11c984d690 sp 0x7f11c984d688 READ of size 4 at 0x6080006452a8 thread T24 (IPDL Background)
>    #0 0x7f1255bf90af in Id /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31
>    #1 0x7f1255bf90af in mozilla::dom::cache::PCacheStreamControlParent::SendCloseAll() /home/fuzzer/firefox/src/ipc/ipdl/PCacheStreamControlParent.cpp:75:61
>    #2 0x7f1259f86832 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:820:23
>    #3 0x7f1259fbd3ed in Abort /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1930:12
>    #4 0x7f1259fbd3ed in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:292:20
>    #5 0x7f125b893b2c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:6756:25
>    #6 0x7f125b8ba0e5 in mozilla::dom::quota::(anonymous namespace)::NormalOriginOperationBase::Open() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8392:30
>    #7 0x7f125b8b9a77 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp
>    #8 0x7f125b8c35a7 in RunImmediately /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:1262:5
>    #9 0x7f125b8c35a7 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8841:7
>    #10 0x7f1255712cd6 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PQuotaParent.cpp:350:28
>    #11 0x7f1255ab6306 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp:3599:32
>    #12 0x7f1254f62281 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2187:25
>    #13 0x7f1254f5e9b1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2111:9
>    #14 0x7f1254f6067a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1959:3
>    #15 0x7f1254f60ff7 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1990:13
>    #16 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
>    #17 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
>    #18 0x7f1254f6c2d5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:302:20
>    #19 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
>    #20 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
>    #21 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
>    #22 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
>    #23 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
>    #24 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
>    #25 0x7f126e34b322 in clone /build/glibc-t7JzpG/glibc-2.30/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:95
>
>0x6080006452a8 is located 8 bytes inside of 96-byte region [0x6080006452a0,0x608000645300)
>freed by thread T24 (IPDL Background) here:
>    #0 0x55fd68bddc7d in free (/home/fuzzer/firefox/src/dist/bin/firefox+0xbbc7d)
>    #1 0x7f1254ed7c23 in mozilla::ipc::BackgroundParentImpl::DeallocPCacheStreamControlParent(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/firefox/checkout/ipc/glue/BackgroundParentImpl.cpp:993:3
>    #2 0x7f1254f82913 in mozilla::ipc::ActorLifecycleProxy::~ActorLifecycleProxy() /home/fuzzer/firefox/checkout/ipc/glue/ProtocolUtils.cpp:249:11
>    #3 0x7f1255ab33dc in mozilla::ipc::PBackgroundParent::RemoveManagee(int, mozilla::ipc::IProtocol*) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp
>    #4 0x7f1255bf9634 in mozilla::dom::cache::PCacheStreamControlParent::Send__delete__(mozilla::dom::cache::PCacheStreamControlParent*) /home/fuzzer/firefox/src/ipc/ipdl/PCacheStreamControlParent.cpp:125:10
>    #5 0x7f1259fc7e43 in NoteClosed /home/fuzzer/firefox/checkout/dom/cache/StreamControl.cpp:29:3
>    #6 0x7f1259fc7e43 in NoteClosedOnOwningThread /home/fuzzer/firefox/checkout/dom/cache/ReadStream.cpp:399:13
>    #7 0x7f1259fc7e43 in mozilla::dom::cache::ReadStream::Inner::NoteClosed() /home/fuzzer/firefox/checkout/dom/cache/ReadStream.cpp:363:5
>    #8 0x7f1259fcab60 in mozilla::dom::cache::StreamControl::CloseAllReadStreams() /home/fuzzer/firefox/checkout/dom/cache/StreamControl.cpp:68:21
>    #9 0x7f1259f80de1 in NotifyCloseAll /home/fuzzer/firefox/checkout/dom/cache/CacheStreamControlParent.cpp:163:3
>    #10 0x7f1259f80de1 in mozilla::dom::cache::CacheStreamControlParent::CloseAll() /home/fuzzer/firefox/checkout/dom/cache/CacheStreamControlParent.cpp:143:3
>    #11 0x7f1259f86832 in mozilla::dom::cache::Context::CancelAll() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:820:23
>    #12 0x7f1259fbd3ed in Abort /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1930:12
>    #13 0x7f1259fbd3ed in mozilla::dom::cache::Manager::Factory::Abort(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:292:20
>    #14 0x7f125b893b2c in mozilla::dom::quota::QuotaManager::OpenDirectoryInternal(mozilla::dom::Nullable<mozilla::dom::quota::PersistenceType> const&, mozilla::dom::quota::OriginScope const&, mozilla::dom::Nullable<mozilla::dom::quota::Client::Type> const&, bool, mozilla::dom::quota::OpenDirectoryListener*) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:6756:25
>    #15 0x7f125b8ba0e5 in mozilla::dom::quota::(anonymous namespace)::NormalOriginOperationBase::Open() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8392:30
>    #16 0x7f125b8b9a77 in mozilla::dom::quota::(anonymous namespace)::OriginOperationBase::Run() /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp
>    #17 0x7f125b8c35a7 in RunImmediately /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:1262:5
>    #18 0x7f125b8c35a7 in mozilla::dom::quota::(anonymous namespace)::Quota::RecvPQuotaRequestConstructor(mozilla::dom::quota::PQuotaRequestParent*, mozilla::dom::quota::RequestParams const&) /home/fuzzer/firefox/checkout/dom/quota/ActorsParent.cpp:8841:7
>    #19 0x7f1255712cd6 in mozilla::dom::quota::PQuotaParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PQuotaParent.cpp:350:28
>    #20 0x7f1255ab6306 in mozilla::ipc::PBackgroundParent::OnMessageReceived(IPC::Message const&) /home/fuzzer/firefox/src/ipc/ipdl/PBackgroundParent.cpp:3599:32
>    #21 0x7f1254f62281 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2187:25
>    #22 0x7f1254f5e9b1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:2111:9
>    #23 0x7f1254f6067a in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1959:3
>    #24 0x7f1254f60ff7 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/fuzzer/firefox/checkout/ipc/glue/MessageChannel.cpp:1990:13
>    #25 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
>    #26 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
>    #27 0x7f1254f6c2d5 in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:302:20
>    #28 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
>    #29 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
>    #30 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
>    #31 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
>    #32 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
>    #33 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
>
>previously allocated by thread T24 (IPDL Background) here:
>    #0 0x55fd68bddefd in malloc (/home/fuzzer/firefox/src/dist/bin/firefox+0xbbefd)
>    #1 0x55fd68c134cd in moz_xmalloc /home/fuzzer/firefox/checkout/memory/mozalloc/mozalloc.cpp:52:15
>    #2 0x7f1259f65f00 in operator new /home/fuzzer/firefox/src/dist/include/mozilla/cxxalloc.h:33:10
>    #3 0x7f1259f65f00 in mozilla::dom::cache::AutoParentOpResult::SerializeReadStream(nsID const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheReadStream*) /home/fuzzer/firefox/checkout/dom/cache/AutoUtils.cpp:497:13
>    #4 0x7f1259f652eb in mozilla::dom::cache::AutoParentOpResult::SerializeResponseBody(mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*, mozilla::dom::cache::CacheResponse*) /home/fuzzer/firefox/checkout/dom/cache/AutoUtils.cpp:481:3
>    #5 0x7f1259f75d20 in mozilla::dom::cache::CacheOpParent::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, long, nsTArray<mozilla::dom::cache::SavedResponse> const&, nsTArray<mozilla::dom::cache::SavedRequest> const&, mozilla::dom::cache::StreamList*) /home/fuzzer/firefox/checkout/dom/cache/CacheOpParent.cpp:174:12
>    #6 0x7f1259fbb7f3 in mozilla::dom::cache::Manager::Listener::OnOpComplete(mozilla::ErrorResult&&, mozilla::dom::cache::CacheOpResult const&, mozilla::dom::cache::SavedResponse const&, mozilla::dom::cache::StreamList*) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:1497:3
>    #7 0x7f1259fd988b in mozilla::dom::cache::Manager::CacheMatchAction::Complete(mozilla::dom::cache::Manager::Listener*, mozilla::ErrorResult&&) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:557:18
>    #8 0x7f1259fd8e12 in mozilla::dom::cache::Manager::BaseAction::CompleteOnInitiatingThread(nsresult) /home/fuzzer/firefox/checkout/dom/cache/Manager.cpp:436:7
>    #9 0x7f1259f84c81 in mozilla::dom::cache::Context::ActionRunnable::Run() /home/fuzzer/firefox/checkout/dom/cache/Context.cpp:651:16
>    #10 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
>    #11 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
>    #12 0x7f1254f6c2cb in mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate*) /home/fuzzer/firefox/checkout/ipc/glue/MessagePump.cpp:332:5
>    #13 0x7f1254e7c322 in RunInternal /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:315:10
>    #14 0x7f1254e7c322 in RunHandler /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:308:3
>    #15 0x7f1254e7c322 in MessageLoop::Run() /home/fuzzer/firefox/checkout/ipc/chromium/src/base/message_loop.cc:290:3
>    #16 0x7f1253d10531 in nsThread::ThreadFunc(void*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:464:10
>    #17 0x7f126ae772e8 in _pt_root /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:201:5
>    #18 0x7f126e78d668 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x9668)
>
>Thread T24 (IPDL Background) created by T0 here:
>    #0 0x55fd68bc868a in pthread_create (/home/fuzzer/firefox/src/dist/bin/firefox+0xa668a)
>    #1 0x7f126ae656d3 in _PR_CreateThread /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:458:14
>    #2 0x7f126ae4f70e in PR_CreateThread /home/fuzzer/firefox/checkout/nsprpub/pr/src/pthreads/ptthread.c:533:12
>    #3 0x7f1253d12832 in nsThread::Init(nsTSubstring<char> const&) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:670:8
>    #4 0x7f1253d1db7c in nsThreadManager::NewNamedThread(nsTSubstring<char> const&, unsigned int, nsIThread**) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:621:12
>    #5 0x7f1253d21383 in NS_NewNamedThread(nsTSubstring<char> const&, nsIThread**, nsIRunnable*, unsigned int) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:139:57
>    #6 0x7f1254f11b60 in NS_NewNamedThread<16> /home/fuzzer/firefox/src/dist/include/nsThreadUtils.h:65:10
>    #7 0x7f1254f11b60 in (anonymous namespace)::ParentImpl::CreateBackgroundThread() /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1325:7
>    #8 0x7f1254f16080 in RunOnMainThread /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1620:30
>    #9 0x7f1254f16080 in (anonymous namespace)::ParentImpl::CreateActorHelper::Run() /home/fuzzer/firefox/checkout/ipc/glue/BackgroundImpl.cpp:1639:17
>    #10 0x7f1253d15d00 in nsThread::ProcessNextEvent(bool, bool*) /home/fuzzer/firefox/checkout/xpcom/threads/nsThread.cpp:1220:14
>    #11 0x7f1253d1e981 in NS_ProcessNextEvent(nsIThread*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadUtils.cpp:481:10
>    #12 0x7f1253d1e25c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:694:36)> /home/fuzzer/firefox/src/dist/include/nsThreadUtils.h:342:25
>    #13 0x7f1253d1e25c in nsThreadManager::SpinEventLoopUntilInternal(nsINestedEventLoopCondition*, bool) /home/fuzzer/firefox/checkout/xpcom/threads/nsThreadManager.cpp:694:8
>    #14 0x7f1253d4b361 in NS_InvokeByIndex /home/fuzzer/firefox/checkout/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
>    #15 0x7f1255df1c28 in Invoke /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1634:10
>    #16 0x7f1255df1c28 in Call /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1175:19
>    #17 0x7f1255df1c28 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNative.cpp:1141:23
>    #18 0x7f1255df7d81 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
>    #19 0x7f1260a4740c in CallJSNative /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:477:13
>    #20 0x7f1260a4740c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:569:12
>    #21 0x7f1260a30e07 in CallFromStack /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:636:10
>    #22 0x7f1260a30e07 in Interpret(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:3046:16
>    #23 0x7f1260a15278 in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:449:10
>    #24 0x7f1260a47c8e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:604:13
>    #25 0x7f1260a49809 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:649:8
>    #26 0x7f1260fcf438 in js::fun_apply(JSContext*, unsigned int, JS::Value*) /home/fuzzer/firefox/checkout/js/src/vm/JSFunction.cpp:1214:10
>    #27 0x7f1260a4740c in CallJSNative /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:477:13
>    #28 0x7f1260a4740c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:569:12
>    #29 0x7f1260a30e07 in CallFromStack /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:636:10
>    #30 0x7f1260a30e07 in Interpret(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:3046:16
>    #31 0x7f1260a15278 in js::RunScript(JSContext*, js::RunState&) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:449:10
>    #32 0x7f1260a47c8e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:604:13
>    #33 0x7f1260a49809 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /home/fuzzer/firefox/checkout/js/src/vm/Interpreter.cpp:649:8
>    #34 0x7f1260c03e30 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/fuzzer/firefox/checkout/js/src/jsapi.cpp:2735:10
>    #35 0x7f1255de2499 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /home/fuzzer/firefox/checkout/js/xpconnect/src/XPCWrappedJSClass.cpp:959:17
>    #36 0x7f1253d4c9f1 in PrepareAndDispatch /home/fuzzer/firefox/checkout/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
>    #37 0x7f1253d4b8fa in SharedStub (/home/fuzzer/firefox/src/dist/bin/libxul.so+0x2cca8fa)
>    #38 0x7f12607cbd27 in nsXREDirProvider::DoStartup() /home/fuzzer/firefox/checkout/toolkit/xre/nsXREDirProvider.cpp:957:11
>    #39 0x7f12607ad0e7 in XREMain::XRE_mainRun() /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4348:16
>    #40 0x7f12607afa0b in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4690:8
>    #41 0x7f12607b0920 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/fuzzer/firefox/checkout/toolkit/xre/nsAppRunner.cpp:4741:21
>    #42 0x55fd68c109ab in do_main /home/fuzzer/firefox/checkout/browser/app/nsBrowserApp.cpp:217:22
>    #43 0x55fd68c109ab in main /home/fuzzer/firefox/checkout/browser/app/nsBrowserApp.cpp:331:16
>    #44 0x7f126e2501e2 in __libc_start_main /build/glibc-t7JzpG/glibc-2.30/csu/../csu/libc-start.c:308:16
>
>SUMMARY: AddressSanitizer: heap-use-after-free /home/fuzzer/firefox/src/dist/include/mozilla/ipc/ProtocolUtils.h:229:31 in Id
>Shadow bytes around the buggy address:
>0x0c10800c0a00: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
>0x0c10800c0a10: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
>0x0c10800c0a20: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>0x0c10800c0a30: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
>0x0c10800c0a40: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
>=>0x0c10800c0a50: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fd
>0x0c10800c0a60: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fa
>0x0c10800c0a70: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
>0x0c10800c0a80: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>0x0c10800c0a90: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>0x0c10800c0aa0: fa fa fa fa 00 00 00 00 00 00 00 00 00 00 00 00
>Shadow byte legend (one shadow byte represents 8 application bytes):
>Addressable: 00
>Partially addressable: 01 02 03 04 05 06 07
>Heap left redzone: fa
>Freed heap region: fd
>Stack left redzone: f1
>Stack mid redzone: f2
>Stack right redzone: f3
>Stack after return: f5
>Stack use after scope: f8
>Global redzone: f9
>Global init order: f6
>Poisoned by user: f7
>Container overflow: fc
>Array cookie: ac
>Intra object redzone: bb
>ASan internal: fe
>Left alloca redzone: ca
>Right alloca redzone: cb
>Shadow gap: cc
>==7841==ABORTING
Attachments on bug 1626728: 9137563 | 9137897 | 9137954 | 9137955