Closed Bug 1894428 Opened 1 year ago Closed 1 year ago

Intermittent SUMMARY: ThreadSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/js/src/builtin/String.cpp:3827:31 in SplitSingleCharHelper<unsigned char> | single tracking bug

Categories: Core :: JavaScript: Standard Library, defect, P1

Status: RESOLVED FIXED
Target Milestone: 128 Branch

Tracking Status:
firefox-esr115 --- unaffected
firefox126 --- unaffected
firefox127 + wontfix
firefox128 + fixed

People: Reporter: intermittent-bug-filer, Assigned: sfink, NeedInfo

References: Blocks 1 open bug, Regression

Details: 5 keywords, Whiteboard: [adv-main128+r]

Attachments: 5 files

Filed by: sstanca [at] mozilla.com
Parsed log: https://treeherder.mozilla.org/logviewer?job_id=456519424&repo=autoland
Full log: https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/VQmYyd5FQsue8Ol8u9XCuA/runs/0/artifacts/public/logs/live_backing.log


<...>
[task 2024-05-01T04:21:35.330Z] 04:21:35     INFO - PID 1732 |   Thread T19 'TaskCon~ller #0' (tid=2695, running) created by main thread at:
[task 2024-05-01T04:21:35.330Z] 04:21:35     INFO - PID 1732 |     #0 pthread_create /builds/worker/fetches/llvm-project/compiler-rt/lib/tsan/rtl/tsan_interceptors_posix.cpp:1020:3 (firefox-bin+0xc58ab) (BuildId: 7e5548c4dc39f86696202a73881504ad3b5293a4)
[task 2024-05-01T04:21:35.331Z] 04:21:35     INFO - PID 1732 |     #1 _PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:458:14 (libnspr4.so+0x42cee) (BuildId: bc31c74a45b1d0905acafb431fb8165a84a87c38)
[task 2024-05-01T04:21:35.331Z] 04:21:35     INFO - PID 1732 |     #2 PR_CreateThread /builds/worker/checkouts/gecko/nsprpub/pr/src/pthreads/ptthread.c:533:12 (libnspr4.so+0x37f84) (BuildId: bc31c74a45b1d0905acafb431fb8165a84a87c38)
[task 2024-05-01T04:21:35.332Z] 04:21:35     INFO - PID 1732 |     #3 mozilla::TaskController::InitializeThreadPool() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:271:10 (libxul.so+0x31fa859) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.332Z] 04:21:35     INFO - PID 1732 |     #4 mozilla::TaskController::AddTask(already_AddRefed<mozilla::Task>&&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:436:7 (libxul.so+0x31fb275) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.333Z] 04:21:35     INFO - PID 1732 |     #5 DispatchOffThreadTask(JS::DispatchReason) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCJSContext.cpp:1133:26 (libxul.so+0x3ebcf88) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.334Z] 04:21:35     INFO - PID 1732 |     #6 dispatch /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:903:5 (libxul.so+0x9ff7a31) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.334Z] 04:21:35     INFO - PID 1732 |     #7 js::GlobalHelperThreadState::submitTask(js::GCParallelTask*, js::AutoLockHelperThreadState const&) /builds/worker/checkouts/gecko/js/src/vm/HelperThreads.cpp:1420:3 (libxul.so+0x9ff7a31)
[task 2024-05-01T04:21:35.335Z] 04:21:35     INFO - PID 1732 |     #8 maybeDispatchParallelTasks /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:229:25 (libxul.so+0xa5ca33a) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.335Z] 04:21:35     INFO - PID 1732 |     #9 dispatchOrQueueParallelTask /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:217:3 (libxul.so+0xa5ca33a)
[task 2024-05-01T04:21:35.336Z] 04:21:35     INFO - PID 1732 |     #10 js::GCParallelTask::startWithLockHeld(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:54:7 (libxul.so+0xa5ca33a)
[task 2024-05-01T04:21:35.336Z] 04:21:35     INFO - PID 1732 |     #11 js::GCParallelTask::startOrRunIfIdle(js::AutoLockHelperThreadState&) /builds/worker/checkouts/gecko/js/src/gc/GCParallelTask.cpp:81:3 (libxul.so+0xa5ca5cf) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.337Z] 04:21:35     INFO - PID 1732 |     #12 js::gc::GCRuntime::startBackgroundFreeAfterMinorGC() /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4799:12 (libxul.so+0xa5b885f) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.337Z] 04:21:35     INFO - PID 1732 |     #13 js::gc::GCRuntime::collectNursery(JS::GCOptions, JS::GCReason, js::gcstats::PhaseKind) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4764:3 (libxul.so+0xa5b5695) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.338Z] 04:21:35     INFO - PID 1732 |     #14 js::gc::GCRuntime::minorGC(JS::GCReason, js::gcstats::PhaseKind) /builds/worker/checkouts/gecko/js/src/gc/GC.cpp:4735:3 (libxul.so+0xa5988a1) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.339Z] 04:21:35     INFO - PID 1732 |     #15 void* js::gc::CellAllocator::RetryNurseryAlloc<(js::AllowGC)1>(JSContext*, JS::TraceKind, js::gc::AllocKind, unsigned long, js::gc::AllocSite*) /builds/worker/checkouts/gecko/js/src/gc/Allocator.cpp:103:23 (libxul.so+0xa598560) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.339Z] 04:21:35     INFO - PID 1732 |     #16 AllocNurseryOrTenuredCell<(JS::TraceKind)2, (js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:130:12 (libxul.so+0xa1996d0) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.340Z] 04:21:35     INFO - PID 1732 |     #17 JSRope* js::gc::CellAllocator::NewString<JSRope, (js::AllowGC)1, JS::Handle<JSString*>&, JS::Handle<JSString*>&, unsigned long&>(JSContext*, js::gc::Heap, JS::Handle<JSString*>&, JS::Handle<JSString*>&, unsigned long&) /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:66:15 (libxul.so+0xa1996d0)
[task 2024-05-01T04:21:35.340Z] 04:21:35     INFO - PID 1732 |     #18 NewCell<JSRope, (js::AllowGC)1, js::gc::Heap &, JS::Handle<JSString *> &, JS::Handle<JSString *> &, unsigned long &> /builds/worker/checkouts/gecko/js/src/gc/Allocator-inl.h:50:12 (libxul.so+0xa186dd9) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.341Z] 04:21:35     INFO - PID 1732 |     #19 newCell<JSRope, (js::AllowGC)1, js::gc::Heap &, JS::Handle<JSString *> &, JS::Handle<JSString *> &, unsigned long &> /builds/worker/checkouts/gecko/js/src/vm/JSContext-inl.h:359:10 (libxul.so+0xa186dd9)
[task 2024-05-01T04:21:35.341Z] 04:21:35     INFO - PID 1732 |     #20 new_<(js::AllowGC)1> /builds/worker/checkouts/gecko/js/src/vm/StringType-inl.h:365:14 (libxul.so+0xa186dd9)
[task 2024-05-01T04:21:35.342Z] 04:21:35     INFO - PID 1732 |     #21 JSString* js::ConcatStrings<(js::AllowGC)1>(JSContext*, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::MaybeRooted<JSString*, (js::AllowGC)1>::HandleType, js::gc::Heap) /builds/worker/checkouts/gecko/js/src/vm/StringType.cpp:1213:10 (libxul.so+0xa186dd9)
[task 2024-05-01T04:21:35.342Z] 04:21:35     INFO - PID 1732 |     #22 AddOperation /builds/worker/checkouts/gecko/js/src/vm/Interpreter-inl.h:704:13 (libxul.so+0x9ececc8) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.343Z] 04:21:35     INFO - PID 1732 |     #23 js::Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:2493:12 (libxul.so+0x9ececc8)
[task 2024-05-01T04:21:35.343Z] 04:21:35     INFO - PID 1732 |     #24 MaybeEnterInterpreterTrampoline /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:394:10 (libxul.so+0x9ec39c6) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.344Z] 04:21:35     INFO - PID 1732 |     #25 js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:452:13 (libxul.so+0x9ec39c6)
[task 2024-05-01T04:21:35.344Z] 04:21:35     INFO - PID 1732 |     #26 js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:606:13 (libxul.so+0x9ec44a6) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.345Z] 04:21:35     INFO - PID 1732 |     #27 InternalCall /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:641:10 (libxul.so+0x9ec5107) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.345Z] 04:21:35     INFO - PID 1732 |     #28 js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:673:8 (libxul.so+0x9ec5107)
[task 2024-05-01T04:21:35.346Z] 04:21:35     INFO - PID 1732 |     #29 JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/vm/CallAndConstruct.cpp:55:10 (libxul.so+0x9f8dd6e) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.346Z] 04:21:35     INFO - PID 1732 |     #30 nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) /builds/worker/checkouts/gecko/js/xpconnect/src/XPCWrappedJSClass.cpp:918:17 (libxul.so+0x3eeef13) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.347Z] 04:21:35     INFO - PID 1732 |     #31 PrepareAndDispatch /builds/worker/checkouts/gecko/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:115:37 (libxul.so+0x324ddc4) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.347Z] 04:21:35     INFO - PID 1732 |     #32 SharedStub xptcstubs_x86_64_linux.cpp (libxul.so+0x324d0e2) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.348Z] 04:21:35     INFO - PID 1732 |     #33 nsDocLoader::FireOnStateChange(nsIWebProgress*, nsIRequest*, int, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1319:14 (libxul.so+0x3ff7c81) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.348Z] 04:21:35     INFO - PID 1732 |     #34 nsDocLoader::OnProgress(nsIRequest*, long, long) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1147:7 (libxul.so+0x3ff95d9) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.349Z] 04:21:35     INFO - PID 1732 |     #35 non-virtual thunk to nsDocLoader::OnProgress(nsIRequest*, long, long) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp (libxul.so+0x3ff9a42) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.350Z] 04:21:35     INFO - PID 1732 |     #36 mozilla::net::HttpChannelChild::DoOnProgress(nsIRequest*, long, long) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:790:22 (libxul.so+0x3934d67) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.350Z] 04:21:35     INFO - PID 1732 |     #37 mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTSubstring<char> const&) /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:673:5 (libxul.so+0x3933f62) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.351Z] 04:21:35     INFO - PID 1732 |     #38 operator() /builds/worker/checkouts/gecko/netwerk/protocol/http/HttpChannelChild.cpp:631:15 (libxul.so+0x3984de9) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.352Z] 04:21:35     INFO - PID 1732 |     #39 std::_Function_handler<void (), mozilla::net::HttpChannelChild::ProcessOnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTSubstring<char> const&, mozilla::TimeStamp const&)::$_1>::_M_invoke(std::_Any_data const&) /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:297:2 (libxul.so+0x3984de9)
[task 2024-05-01T04:21:35.352Z] 04:21:35     INFO - PID 1732 |     #40 operator() /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/std_function.h:687:14 (libxul.so+0x385b543) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.353Z] 04:21:35     INFO - PID 1732 |     #41 mozilla::net::ChannelFunctionEvent::Run() /builds/worker/workspace/obj-build/dist/include/mozilla/net/ChannelEventQueue.h:55:25 (libxul.so+0x385b543)
[task 2024-05-01T04:21:35.354Z] 04:21:35     INFO - PID 1732 |     #42 mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:94:12 (libxul.so+0x3b3260d) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.354Z] 04:21:35     INFO - PID 1732 |     #43 MaybeFlushQueue /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:354:5 (libxul.so+0x3b56a6c) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.355Z] 04:21:35     INFO - PID 1732 |     #44 mozilla::net::ChannelEventQueue::CompleteResume() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.h:333:5 (libxul.so+0x3b56a6c)
[task 2024-05-01T04:21:35.355Z] 04:21:35     INFO - PID 1732 |     #45 mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/checkouts/gecko/netwerk/ipc/ChannelEventQueue.cpp:152:17 (libxul.so+0x3b5685f) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.356Z] 04:21:35     INFO - PID 1732 |     #46 mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16 (libxul.so+0x32083f2) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.356Z] 04:21:35     INFO - PID 1732 |     #47 mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26 (libxul.so+0x31fcebe) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.357Z] 04:21:35     INFO - PID 1732 |     #48 mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15 (libxul.so+0x31fb6e6) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.358Z] 04:21:35     INFO - PID 1732 |     #49 mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36 (libxul.so+0x31fba1f) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.358Z] 04:21:35     INFO - PID 1732 |     #50 operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:237:37 (libxul.so+0x320b6e7) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.358Z] 04:21:35     INFO - PID 1732 |     #51 mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_1>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5 (libxul.so+0x320b6e7)
[task 2024-05-01T04:21:35.359Z] 04:21:35     INFO - PID 1732 |     #52 nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1199:16 (libxul.so+0x3220558) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.359Z] 04:21:35     INFO - PID 1732 |     #53 NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10 (libxul.so+0x3226d04) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.360Z] 04:21:35     INFO - PID 1732 |     #54 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107:5 (libxul.so+0x3d79c66) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.360Z] 04:21:35     INFO - PID 1732 |     #55 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:268:30 (libxul.so+0x3d7a6bb) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.361Z] 04:21:35     INFO - PID 1732 |     #56 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3cec788) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.361Z] 04:21:35     INFO - PID 1732 |     #57 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3cec788)
[task 2024-05-01T04:21:35.362Z] 04:21:35     INFO - PID 1732 |     #58 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3cec788)
[task 2024-05-01T04:21:35.362Z] 04:21:35     INFO - PID 1732 |     #59 nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27 (libxul.so+0x7dbc3d3) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.363Z] 04:21:35     INFO - PID 1732 |     #60 nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:470:33 (libxul.so+0x7eadfec) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.364Z] 04:21:35     INFO - PID 1732 |     #61 XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20 (libxul.so+0x9d4a74f) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.364Z] 04:21:35     INFO - PID 1732 |     #62 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9 (libxul.so+0x3d7a66a) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.365Z] 04:21:35     INFO - PID 1732 |     #63 RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10 (libxul.so+0x3cec788) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.366Z] 04:21:35     INFO - PID 1732 |     #64 RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3 (libxul.so+0x3cec788)
[task 2024-05-01T04:21:35.366Z] 04:21:35     INFO - PID 1732 |     #65 MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3 (libxul.so+0x3cec788)
[task 2024-05-01T04:21:35.367Z] 04:21:35     INFO - PID 1732 |     #66 XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34 (libxul.so+0x9d4a45d) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.368Z] 04:21:35     INFO - PID 1732 |     #67 mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/Bootstrap.cpp:67:12 (libxul.so+0x9d56702) (BuildId: 797be96e661ed06085461f4659c6b4342ec0462f)
[task 2024-05-01T04:21:35.368Z] 04:21:35     INFO - PID 1732 |     #68 content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28 (firefox-bin+0x14e762) (BuildId: 7e5548c4dc39f86696202a73881504ad3b5293a4)
[task 2024-05-01T04:21:35.369Z] 04:21:35     INFO - PID 1732 |     #69 main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:375:18 (firefox-bin+0x14e762)
[task 2024-05-01T04:21:35.369Z] 04:21:35     INFO - PID 1732 | SUMMARY: ThreadSanitizer: heap-use-after-free /builds/worker/checkouts/gecko/js/src/builtin/String.cpp:3827:31 in SplitSingleCharHelper<unsigned char>
[task 2024-05-01T04:21:35.370Z] 04:21:35     INFO - PID 1732 | ==================
[task 2024-05-01T04:21:35.371Z] 04:21:35     INFO - PID 1732 | 1714537295362	RemoteAgent	TRACE	[41] NavigationListener onStateChange, stateFlags: 983041, status: 0, isStart: true, isStop: false, isNetwork: true, isBindingAborted: false, targetURI: about:blank
[task 2024-05-01T04:21:35.413Z] 04:21:35     INFO - PID 1732 | 1714537295412	RemoteAgent	TRACE	[41] NavigationListener onStateChange, stateFlags: 131088, status: 2152398850, isStart: false, isStop: true, isNetwork: false, isBindingAborted: true, targetURI: about:blank
[task 2024-05-01T04:21:35.414Z] 04:21:35     INFO - PID 1732 | 1714537295413	RemoteAgent	TRACE	[41] ProgressListener Check loading state: isStart=0 isStop=16
[task 2024-05-01T04:21:35.415Z] 04:21:35     INFO - PID 1732 | 1714537295413	RemoteAgent	TRACE	[41] ProgressListener Ignore aborted navigation error to the initial document, real document will be loaded.
[task 2024-05-01T04:21:35.424Z] 04:21:35     INFO - PID 1732 | A content process crashed and MOZ_CRASHREPORTER_SHUTDOWN is set, shutting down
[task 2024-05-01T04:21:35.555Z] 04:21:35     INFO - PID 1732 | 1714537295554	RemoteAgent	TRACE	[c263542d-9acd-4596-9e1c-3ac8f5c61a26] Skipping already tracked navigation, navigationId: 628e55ef-6d93-4fff-99f8-328828524534
[task 2024-05-01T04:21:35.653Z] 04:21:35     INFO - PID 1732 | 1714537295652	RemoteAgent	TRACE	[41] NavigationListener onStateChange, stateFlags: 196610, status: 0, isStart: false, isStop: false, isNetwork: false, isBindingAborted: false, targetURI: about:tabcrashed?e=tabcrashed&u=https%3A//web-platform.test%3A8443/webdriver/tests/bidi/support/empty.html&c=UTF-8&d=undefined
[task 2024-05-01T04:21:35.845Z] 04:21:35     INFO - PID 1732 | [Parent 1749, IPC I/O Parent] WARNING: process 2637 exited on signal 6: file /builds/worker/checkouts/gecko/ipc/chromium/src/base/process_util_posix.cc:335
[task 2024-05-01T04:24:25.711Z] 04:24:25     INFO - TEST-UNEXPECTED-TIMEOUT | /webdriver/tests/bidi/browsing_context/fragment_navigated/fragment_navigated.py | expected OK
[task 2024-05-01T04:24:25.711Z] 04:24:25     INFO - TEST-INFO took 205002ms
[task 2024-05-01T04:24:35.743Z] 04:24:35  WARNING - Forcibly terminating runner process
[task 2024-05-01T04:24:35.851Z] 04:24:35     INFO - PID 2765 | 1714537475749	geckodriver	INFO	Listening on 127.0.0.1:36856
[task 2024-05-01T04:24:35.851Z] 04:24:35     INFO - Starting runner
[task 2024-05-01T04:24:36.128Z] 04:24:36     INFO - TEST-START | /webdriver/tests/bidi/browsing_context/fragment_navigated/history_api.py
Group: core-security → javascript-core-security

I'm not sure how actionable this really is.

Severity: -- → S2
Priority: -- → P1

This is weird. The log says we read one byte in SplitSingleCharHelper at this line, from memory that was freed in a BackgroundFreeTask. The memory being read in that line belongs to the TextChar* argument that we passed in. At both call sites, that argument is taken from an AutoStableStringChars, the entire point of which is to guarantee that we don't have to worry about the string going missing during a GC.

We've made a couple of changes here recently. Alex, does any of this code look like it would interact poorly with your AtomRef work? Steve, could any of your nursery string work be related?

Flags: needinfo?(sphink)
Flags: needinfo?(dothayer)

Does AutoStableStringChars promise the stability across executing arbitrary JS, or just across things within a C++ context which might trigger a GC? I could see how there would be a problem here if we're atom-reffing a string while we have an AutoStableStringChars of it alive, but is that possible?

Flags: needinfo?(dothayer)

I don't think it's possible to execute arbitrary JS while this particular AutoStableStringChars is alive, but off the top of my head I'm not sure whether that's always true.

Assignee: nobody → dothayer
Status: NEW → ASSIGNED

I do see this being used in contexts (i.e. eval stuff) which feel fishy enough to warrant a patch, so I put one up. I still don't see the specific chain of events which would lead to this particular problem though.

QA Whiteboard: csectype-uaf, intermittent-failure, intermittent-testcase, sec-high,leave-open,
Keywords: leave-open

AutoStableStringChars should make things stable across GCs and arbitrary JS, even if this callsite doesn't do anything like that. ASSC guarantees stability by either (1) if the chars are malloced, keeping the string alive, and (2) if the chars are not malloced, copying them before there's any chance of a GC. Actually, (1) is incomplete, since deduplication might free the string's chars and adopt another string's chars instead, but ASSC prevents that from happening.

Ok, so now I need to think through what AtomRef could do... ooh, yeah, it would happily kill them. I think your change is good.

Bug 1890909 has a fix for a somewhat similar problem. The two are sort of duals of each other: in this one, deduplication was handled but AtomRef wasn't, and in the other, AtomRef was handled but deduplication wasn't. Based on Iain's analysis in comment 3, it seems like the stack here was mostly likely the AtomRef problem. The other stacks I've been seeing smell more like the deduplication problem. Then again, I haven't figured out a way for this bug to happen with the callsite given.

I do need to go back and figure out what exactly the difference is between NON_DEDUP_BIT and DEPENDED_ON_BIT. Originally, they were distinct and could not be shared (I tried). But with recent changes, I'm wondering if that's still true. I mean, NON_DEDUP_BIT only applies to nursery strings. But that just makes it a subset of DEPENDED_ON_BIT. They're still not the same otherwise, but at the very least maybe there's a way to get two orthogonal bits instead of the current 90% overlap? Anyway, that shouldn't hold up landing these fixes for now. (I also have a patch to remove most of the deduplication code now that we can sweep dependent strings, though it doesn't touch any of the parts that are problematic here or in bug 1890909.)

I looked for possible call chains where SplitSingleCharHelper could run JS, but the hazard analysis's suspicions seem unlikely. (It would require GlobalObject::ensureConstructor to be called while creating the return Array, and I don't see that happening past early early startup.)

Flags: needinfo?(sphink)

Comment on attachment 9400103 [details]
Bug 1894428 - Do not AtomRef-ify non-deduplicatable strings r?sfink

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I think it would require fuzzing to nail down the reproducibility of it. A lot of timings have to work out right. So I would say hard.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: Just nightly - and it's a bit messy since this may or may not be the fix
  • If not all supported branches, which bug introduced the flaw?: Bug 1881995
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: N/A
  • How likely is this patch to cause regressions; how much testing does it need?: Unlikely - it's pretty trivial
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9400103 - Flags: sec-approval?

Sorry if the procedure is a little wonky here. I don't have a clear chain of causality between this and the observed issue, and so I can't guarantee that Bug 1881995 is the regressor. It is however the regressor of the specific issue that the patch is trying to address.

In writing up a comment on another bug, I think I found a plausible chain of causality, though perhaps not for this exact stack. Unfortunately, the patch here will not fully fix it. Consider this test:

  // Two separate tenured copies of the same text; the second is atomized first
  // so that atomizing `str` below finds an existing atom to redirect it to.
  const char text[] = "that that is is that that is not is not is not that it it is";
  auto* str = js::NewStringCopyZ<js::CanGC>(cx, text, js::gc::Heap::Tenured);
  auto* atom = js::AtomizeString(cx, js::NewStringCopyZ<js::CanGC>(cx, text, js::gc::Heap::Tenured));
  JS::AutoStableStringChars assc(cx);
  MOZ_RELEASE_ASSERT(assc.init(cx, str));  // caches a raw pointer to str's chars
  // Replaces str with an AtomRef to `atom`, freeing str's own chars unless prevented.
  MOZ_RELEASE_ASSERT(js::AtomizeString(cx, str) == atom);
  // Must still compare equal; without the fix this reads freed memory.
  MOZ_RELEASE_ASSERT(memcmp(text, assc.latin1Chars(), sizeof(text) - 1) == 0);

This creates an AutoStableStringChars that gets its assc.latin1Chars() pointer from a regular linear string during assc.init(). Then the final AtomizeString replaces that string with an AtomRef, freeing the chars. At this point, assc.latin1Chars() will point to freed memory.

The ASSC needs to prevent its stored char* from being freed. The use of the NON_DEDUP_BIT added in the patch here will do that for a nursery string. However, that bit is not valid for tenured strings.

I think ASSC will need to set DEPENDED_ON_BIT. Which is a little unfortunate, since the bit will be permanent and thus any string used for ASSC will never be convertible to an AtomRef.
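
The sequence in the comment above, as an added stand-alone model in plain C++. This is not SpiderMonkey code and not the patch from this bug: `Runtime`, `CharBuffer`, the flag names and the `freed` flag that stands in for `js_free` are assumptions of the model, chosen so the dangling read can be detected instead of being undefined behaviour. It replays the same steps (make a tenured string, make an atom with the same chars, take an AutoStableStringChars on the string, atomize the string inside the ASSC scope) once without a DEPENDED_ON_BIT guard in the AtomRef replacement and once with ASSC setting that bit, which is the approach the comment proposes.

```cpp
// Added stand-alone model of this bug's mechanism; not SpiderMonkey code.
// Names mirror SpiderMonkey's but the types and runtime are simplified.
#include <cstdint>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace model {

// A malloced char buffer whose lifetime is tracked with a flag instead of a real
// free(), so a dangling read is detectable rather than undefined behaviour.
struct CharBuffer {
  std::string chars;
  bool freed = false;
};

enum Flags : uint32_t {
  ATOM_BIT = 1u << 0,         // string is an atom (canonical copy of its chars)
  ATOM_REF_BIT = 1u << 1,     // string's chars now alias an atom's chars
  DEPENDED_ON_BIT = 1u << 2,  // a raw pointer to our chars is held: never free them
};

struct LinearString {
  uint32_t flags = 0;
  CharBuffer* buf = nullptr;  // owned unless ATOM_REF_BIT is set
  const char* latin1Chars() const { return buf->chars.c_str(); }
  bool isAtom() const { return (flags & ATOM_BIT) != 0; }
};

// Minimal runtime: owns every string and buffer so the freed flag stays inspectable.
struct Runtime {
  std::vector<std::unique_ptr<CharBuffer>> buffers;
  std::vector<std::unique_ptr<LinearString>> strings;
  std::vector<LinearString*> atomTable;

  LinearString* newString(const char* text) {
    auto buf = std::make_unique<CharBuffer>();
    buf->chars = text;
    auto s = std::make_unique<LinearString>();
    s->buf = buf.get();
    buffers.push_back(std::move(buf));
    strings.push_back(std::move(s));
    return strings.back().get();
  }

  LinearString* lookupAtom(const std::string& text) {
    for (LinearString* a : atomTable) {
      if (a->buf->chars == text) return a;
    }
    return nullptr;
  }

  // Model of AtomizeString plus JSString::tryReplaceWithAtomRef: if an atom with
  // the same chars already exists, the plain string drops its own chars and
  // aliases the atom's. The DEPENDED_ON_BIT check is the guard this bug needs.
  LinearString* atomizeString(LinearString* s) {
    if (s->isAtom()) return s;
    LinearString* atom = lookupAtom(s->buf->chars);
    if (!atom) {  // no existing atom: this string itself becomes the atom
      s->flags |= ATOM_BIT;
      atomTable.push_back(s);
      return s;
    }
    if ((s->flags & DEPENDED_ON_BIT) == 0) {
      s->buf->freed = true;  // in the real engine: js_free(s->chars)
      s->buf = atom->buf;
      s->flags |= ATOM_REF_BIT;
    }
    return atom;
  }
};

// Model of JS::AutoStableStringChars: it caches a raw char pointer for its scope,
// so it must pin the buffer. setDependedOnBit selects pre-fix (false) or fixed (true).
class AutoStableStringChars {
 public:
  explicit AutoStableStringChars(bool setDependedOnBit) : setBit_(setDependedOnBit) {}
  void init(LinearString* s) {
    if (setBit_) s->flags |= DEPENDED_ON_BIT;
    buf_ = s->buf;
    chars_ = s->latin1Chars();
  }
  const char* latin1Chars() const { return chars_; }
  bool charsAreLive() const { return buf_ && !buf_->freed; }

 private:
  bool setBit_;
  CharBuffer* buf_ = nullptr;
  const char* chars_ = nullptr;
};

// Replays the sequence from the comment. Returns true only if the pointer cached
// by the ASSC is still backed by live memory after str is atomized in its scope.
bool cachedCharsSurviveAtomization(bool withFix) {
  Runtime rt;
  const char text[] = "that that is is that that is not is not is not that it it is";
  LinearString* str = rt.newString(text);
  LinearString* atom = rt.atomizeString(rt.newString(text));  // creates the atom
  AutoStableStringChars assc(withFix);
  assc.init(str);
  if (rt.atomizeString(str) != atom) return false;  // may AtomRef-ify str
  if (!assc.charsAreLive()) return false;           // the pre-fix UAF read
  return std::strcmp(assc.latin1Chars(), text) == 0;
}

}  // namespace model
```

`cachedCharsSurviveAtomization(false)` returns false because the ASSC's cached pointer refers to a buffer the AtomRef replacement released, which is exactly the read TSan flagged in this bug; with the bit set the replacement is skipped and the string keeps its own chars for the ASSC's lifetime. The cost the comment mentions is visible in the model too: once the bit is set it is never cleared, so that string can never be turned into an AtomRef later.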

Assignee: dothayer → sphink

Comment on attachment 9400103 [details]
Bug 1894428 - Do not AtomRef-ify non-deduplicatable strings r?sfink

Cancelling sec-approval? for now.

Attachment #9400103 - Flags: sec-approval?

I wasn't able to see any significant performance regression from this, so
I think for the time being let's just take it?

Keywords: regression
Regressed by: 1881995

Set release status flags based on info from the regressing bug 1881995

So, I think this patch is necessary and correct, but to be clear I don't think the observed issue is what is fixed by the patch.

However, I feel like the observed issue is actually likely fixed by bug 1895055? Steve, does that feel plausible to you?

If so I'll rename this and do the sec-approval for the actual issue that this patch is addressing, which so far I haven't seen a real world manifestation of.

Flags: needinfo?(sfink)

Thinking through it... bug 1895055 would mean that ASSC was holding onto a dependent string and its chars came from owning string S1, GC was triggered within the ASSC scope, and the dependent string was deduplicated during GC to a different dependent string whose chars came from S2. S1 was then discarded and its chars freed. That would require a GC in that scope, and it calls js::NewDependentString a bunch so that could definitely happen.

The alternative is that the ASSC is initialized with a string that is replaced with an AtomRef within its scope. That requires more than GC, it would require performing some operation that could invoke JSString::tryReplaceWithAtomRef (or the JITted equivalent, I guess). The only ways I can see that happening are obscure and unlikely (allocation metadata, or error interceptor, or early startup initialization, or a truly bizarre one involving ReportAllocationOverflow and capturing a stack and freezing the stack and... well, never mind).

Ok, I agree with Alex. The fix here looks to be for a different problem than the bug was created for. Triggering the one that the patch is for would probably require scanning all AutoStableStringChars uses in the tree and finding one that can run JS.

Flags: needinfo?(sfink)

Comment on attachment 9401978 [details]
Bug 1894428 - Set depended on bit from AutoStableStringChars r?sfink

Security Approval Request

  • How easily could an exploit be constructed based on the patch?: I haven't found a way. The vast majority of uses of AutoStableStringChars do not access the chars after doing something that could run JS (or otherwise trigger an atomization). Also, it only gives you a UAF read. I haven't audited all of the other AutoStableStringChars users, though. JSON.parse with a reviver comes very close, but the reviver is only called after the input string has been fully used.
  • Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
  • Which branches (beta, release, and/or ESR) are affected by this flaw, and do the release status flags reflect this affected/unaffected state correctly?: beta
  • If not all supported branches, which bug introduced the flaw?: Bug 1881995
  • Do you have backports for the affected branches?: No
  • If not, how different, hard to create, and risky will they be?: I think it'll apply cleanly?
  • How likely is this patch to cause regressions; how much testing does it need?: low risk, this just disables optimizations.
  • Is the patch ready to land after security approval is given?: Yes
  • Is Android affected?: Yes
Attachment #9401978 - Flags: sec-approval?

Comment on attachment 9401978 [details]
Bug 1894428 - Set depended on bit from AutoStableStringChars r?sfink

Approved to land and uplift

Attachment #9401978 - Flags: sec-approval? → sec-approval+
Whiteboard: [reminder-test 2024-07-23]

Original Revision: https://phabricator.services.mozilla.com/D210521

Attachment #9403288 - Flags: approval-mozilla-beta?

beta Uplift Approval Request

  • User impact if declined: None currently known, but it is possible that it provides a UAF read.
  • Code covered by automated testing: no
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: (there is a test in a separate patch, but it is a jsapi-test since there is no known way to trigger this in the browser)
  • Risk associated with taking this patch: low
  • Explanation of risk level: disables an optimization
  • String changes made/needed: none
  • Is Android affected?: yes
Pushed by dothayer@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/63e1298b0754 Set depended on bit from AutoStableStringChars r=sfink
Backout by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/25b8ec912ef6 Backed out changeset 63e1298b0754 for causing SM failures. CLOSED TREE

Steve, are you planning on landing a fix this week and request sec-approval for an uplift to beta (we are in our last week of betas) or should we target the next cycle? Thanks

Flags: needinfo?(sphink)

302 Alex

Flags: needinfo?(sphink) → needinfo?(dothayer)

Augh 🤦- hang on I'm hitting assertion failures with the update

So, we're just going to disable the test. It's not a safety issue, it's just behaving slightly too conservatively. Watching the try run but I don't see how it wouldn't be green.

Pascal I know it's late in the week - is this still okay to go through? Do you need me to resubmit anything? Everything in the previous approval requests should still be accurate.

Flags: needinfo?(dothayer) → needinfo?(pascalc)

(In reply to Alex Thayer [:alexical] (she/her) from comment #28)

> So, we're just going to disable the test. It's not a safety issue, it's just behaving slightly too conservatively. Watching the try run but I don't see how it wouldn't be green.
>
> Pascal I know it's late in the week - is this still okay to go through? Do you need me to resubmit anything? Everything in the previous approval requests should still be accurate.

The beta cycle is over and it hasn't landed on mozilla-central and we build our release candidate on Monday, this would need to land in mozilla-central first before uplifting.

Flags: needinfo?(pascalc)
Pushed by dothayer@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/1e2d0339f93a Set depended on bit from AutoStableStringChars r=sfink

Alex, the patch failed to land on beta https://lando.services.mozilla.com/D211241/

Flags: needinfo?(dothayer)
Flags: needinfo?(sphink)
Attachment #9403288 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Updated

Flags: needinfo?(sphink)
Flags: needinfo?(dothayer)

(In reply to Alex Thayer [:alexical] (she/her) from comment #33)

> Updated

We already merged and are building our Release Candidate, so this patch cannot make it into 127 unless we have an unplanned RC2 this week.

Attachment #9403288 - Flags: approval-mozilla-release+
Attachment #9403288 - Flags: approval-mozilla-release+ → approval-mozilla-release?
Assignee: sphink → dothayer
Group: javascript-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Keywords: leave-open
Resolution: --- → FIXED
Target Milestone: --- → 128 Branch

Comment on attachment 9403288 [details]
Bug 1894428 - Set depended on bit from AutoStableStringChars r?sfink

We're not taking this in an RC respin or a dot release.

Attachment #9403288 - Flags: approval-mozilla-release?
Attachment #9403288 - Flags: approval-mozilla-release-
Attachment #9403288 - Flags: approval-mozilla-beta+
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Whiteboard: [reminder-test 2024-07-23] → [reminder-test 2024-07-23][adv-main128+r]

2 months ago, tjr placed a reminder on the bug using the whiteboard tag [reminder-test 2024-07-23] .

alexical, please refer to the original comment to better understand the reason for the reminder.

Flags: needinfo?(dothayer)
Whiteboard: [reminder-test 2024-07-23][adv-main128+r] → [adv-main128+r]
Assignee: dothayer → sphink

Oops, stupid automation. And I think I just pushed a broken test here. :-(

Assignee: sphink → dothayer
Assignee: dothayer → sphink
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/681c46b6414d AtomRef + AutoStableStringChars test r=dthayer

Backed out for causing bustages related to testAtomRef_ASSC:

https://hg.mozilla.org/integration/autoland/rev/d171b74a8585c576b73fa8024eb74be2a6ca6e70

Push with failures
Failure log

[task 2024-07-28T22:53:17.026Z] TEST-PASS | testDeepFreeze_bug535703 | ok
[task 2024-07-28T22:53:17.026Z] testAtomRef_ASSC
[task 2024-07-28T22:53:17.057Z] /builds/worker/checkouts/gecko/js/src/jsapi-tests/testDeduplication.cpp:159:CHECK failed: memcmp(text, assc.latin1Chars(), sizeof(text)) == 0
[task 2024-07-28T22:53:17.059Z] TEST-UNEXPECTED-FAIL | testAtomRef_ASSC | /builds/worker/checkouts/gecko/js/src/jsapi-tests/testDeduplication.cpp:159:CHECK failed: memcmp(text, assc.latin1Chars(), sizeof(text)) == 0
Flags: needinfo?(sphink)
Flags: needinfo?(dothayer)
Group: core-security-release