166722 2017-01-05 03:19:32 -0800 [SOUP] AddressSanitizer: heap-use-after-free under WTF::String::fromUTF8() 2017-01-05 09:31:58 -0800 1 1 1 Unclassified WebKit WebKitGTK WebKit Local Build Unspecified Unspecified RESOLVED FIXED P2 Normal --- 1 mcrha webkit-unassigned bugs-noreply cgarcia commit-queue danw mcatanzaro tpopela oldest_to_newest 1264072 0 mcrha 2017-01-05 03:19:32 -0800 I just faced an address sanitizer error about use-after-free under WTF::String::fromUTF8(). Steps to reproduce (make sure the LD_PRELOAD library exists in your system, or change its name accordingly): $ export LD_PRELOAD=/usr/lib64/libasan.so.3 $ export ASAN_OPTIONS=abort_on_error=1:detect_stack_use_after_return=0:detect_leaks=0:handle_segv=0:check_printf=0:detect_deadlocks=1:replace_str=1:replace_intrin=1:alloc_dealloc_mismatch=1:new_delete_type_mismatch=1:detect_container_overflow=1:symbolize=1 $ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer $ $PREFIX/libexec/webkit2gtk-4.0/MiniBrowser The MiniBrowser opens in http://www.webkitgtk.org and shortly after the page is loaded the WebKitWebProcess crashes due to the ASan report: ==23181==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000a1364 at pc 0x7fe834a72fd3 bp 0x7ffc82df2fc0 sp 0x7ffc82df2768 READ of size 14 at 0x6040000a1364 thread T0 #0 0x7fe834a72fd2 (/usr/lib64/libasan.so.3+0x3cfd2) #1 0x7fe829624656 in WTF::String::fromUTF8(unsigned char const*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc656) #2 0x7fe82e0f1c89 in WTF::String::fromUTF8(char const*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x724c89) #3 0x7fe82ff5e819 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2591819) #4 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e) #5 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1) #6 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966) #7 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7) #8 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8) #9 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044) #10 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a) #11 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e) #12 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602) #13 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd) #14 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18) #15 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e) #16 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7) #17 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da) #18 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73) #19 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed) #20 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30) #21 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b) #22 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07) #23 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da) #24 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9) #25 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b) #26 0x7fe82e0427c5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6757c5) #27 0x7fe82e0429b7 in IPC::Connection::dispatchOneMessage() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6759b7) #28 0x7fe82e0424fb in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6754fb) #29 0x7fe82e0490cf in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}>::call() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67c0cf) #30 0x7fe8295d73e8 in WTF::Function<void ()>::operator()() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248f3e8) #31 0x7fe8295eb839 in WTF::RunLoop::performWork() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24a3839) #32 0x7fe8296326fb in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6fb) #33 0x7fe82963271f in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea71f) #34 0x7fe82963269b in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea69b) #35 0x7fe8296326ca in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6ca) #36 0x7fe82a8c5e41 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x49e41) #37 0x7fe82a8c61bf (/lib64/libglib-2.0.so.0+0x4a1bf) #38 0x7fe82a8c64e1 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4a4e1) #39 0x7fe829632c7b in WTF::RunLoop::run() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24eac7b) #40 0x7fe82e6faec3 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dec3) #41 0x7fe82e6fad71 in WebProcessMainUnix ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dd71) #42 0x400859 in main ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400859) #43 0x7fe82d627400 in __libc_start_main (/lib64/libc.so.6+0x20400) #44 0x400759 in _start ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400759) 0x6040000a1364 is located 20 bytes inside of 34-byte region [0x6040000a1350,0x6040000a1372) freed by thread T0 here: #0 0x7fe834afcaf0 in free (/usr/lib64/libasan.so.3+0xc6af0) #1 0x7fe8295d55c6 in WTF::fastFree(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d5c6) #2 0x7fe82e011362 in WTF::RefCounted<WTF::CStringBuffer>::operator delete(void*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x644362) #3 0x7fe82e00f63e in WTF::RefCounted<WTF::CStringBuffer>::deref() const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x64263e) #4 0x7fe82e00d2d9 in void WTF::derefIfNotNull<WTF::CStringBuffer>(WTF::CStringBuffer*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6402d9) #5 0x7fe82e00b498 in WTF::RefPtr<WTF::CStringBuffer>::~RefPtr() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e498) #6 0x7fe82e00b0f3 in WTF::CString::~CString() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e0f3) #7 0x7fe82ff5e7ff in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917ff) #8 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e) #9 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1) #10 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966) #11 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7) #12 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8) #13 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044) #14 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a) #15 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e) #16 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602) #17 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd) #18 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18) #19 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e) #20 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7) #21 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da) #22 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73) #23 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed) #24 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30) #25 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b) #26 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07) #27 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da) #28 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9) #29 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b) previously allocated by thread T0 here: #0 0x7fe834afce50 in malloc (/usr/lib64/libasan.so.3+0xc6e50) #1 0x7fe8295d5488 in WTF::fastMalloc(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d488) #2 0x7fe8296053c6 in WTF::CStringBuffer::createUninitialized(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd3c6) #3 0x7fe82960555a in WTF::CString::init(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd55a) #4 0x7fe8296054e1 in WTF::CString::CString(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd4e1) #5 0x7fe82960fb50 in WTF::StringImpl::utf8ForRange(unsigned int, unsigned int, WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7b50) #6 0x7fe82960fbcb in WTF::StringImpl::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7bcb) #7 0x7fe829624229 in WTF::String::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc229) #8 0x7fe829624257 in WTF::String::utf8() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc257) #9 0x7fe82ff5e7d8 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917d8) #10 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e) #11 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1) #12 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966) #13 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7) #14 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8) #15 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044) #16 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a) #17 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e) #18 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602) #19 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd) #20 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18) #21 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e) #22 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7) #23 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da) #24 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73) #25 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed) #26 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30) #27 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b) #28 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07) #29 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da) SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.3+0x3cfd2) Shadow bytes around the buggy address: 0x0c088000c210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c088000c220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c088000c230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c088000c240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c088000c250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa =>0x0c088000c260: fa fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fa 0x0c088000c270: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 00 05 0x0c088000c280: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa 0x0c088000c290: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd 0x0c088000c2a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa 0x0c088000c2b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Heap right redzone: fb Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack partial redzone: f4 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==23181==ABORTING This is with git master at commit 5f042ff6a01d0 built with -O0. I'll update the backtrace, if I manage to get one with line numbers. 1264093 1 298095 mcrha 2017-01-05 05:37:41 -0800 Created attachment 298095 proposed patch 1264094 2 commit-queue 2017-01-05 05:38:33 -0800 Attachment 298095 did not pass style-queue: ERROR: Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50: domain_utf8 is incorrectly named. Don't use underscores in your identifier names. [readability/naming/underscores] [4] ERROR: Source/WebCore/ChangeLog:8: You should remove the 'No new tests' and either add and list tests, or explain why no new tests were possible. [changelog/nonewtests] [5] ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 3 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1264096 3 cgarcia 2017-01-05 05:44:53 -0800 This is not specific to GTK 1264100 4 298095 cgarcia 2017-01-05 05:49:18 -0800 Comment on attachment 298095 proposed patch View in context: https://bugs.webkit.org/attachment.cgi?id=298095&action=review > Source/WebCore/ChangeLog:8 > + No new tests (OOPS!). You should remove this line since this patch shouldn't affect tests. And also explain the change, what was broken and how this patch fixes it. > Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50 > + CString domain_utf8 = domain.utf8(); domain_utf8 -> domainUTF8 > Source/WebCore/platform/soup/PublicSuffixSoup.cpp:52 > + if (const char* baseDomain = soup_tld_get_base_domain(domain_utf8.data(), &error.outPtr())) > return String::fromUTF8(baseDomain); I don't understand why we can't use the temporary here. Can soup_tld_get_base_domain() return the passed in hostname? 1264101 5 cgarcia 2017-01-05 05:50:36 -0800 Ah! "a pointer to the start of the base domain in @hostname" That's what you should explain in the changelog. 1264129 6 298105 mcrha 2017-01-05 08:45:27 -0800 Created attachment 298105 proposed patch ][ (In reply to comment #4) > Comment on attachment 298095 [details] > > Source/WebCore/ChangeLog:8 > > + No new tests (OOPS!). > > You should remove this line since this patch shouldn't affect tests. And > also explain the change, what was broken and how this patch fixes it. Ah, right, that's a long time since I sent any patches to webkit. > domain_utf8 -> domainUTF8 Yeah, I'm sorry (bug #166725 filled). > I don't understand why we can't use the temporary here. Can > soup_tld_get_base_domain() return the passed in hostname? Right, it consumes 'const char *' and also returns 'const char *', then it makes sense it returns something from within the passed-in string. I tried to write some so-called explanation to the ChangeLog, though it sounds odd to me. I couldn't come up with anything better. 1264131 7 commit-queue 2017-01-05 08:46:38 -0800 Attachment 298105 did not pass style-queue: ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3] Total errors found: 1 in 2 files If any of these errors are false positives, please file a bug against check-webkit-style. 1264135 8 298105 commit-queue 2017-01-05 09:31:55 -0800 Comment on attachment 298105 proposed patch ][ Clearing flags on attachment: 298105 Committed r210357: <http://trac.webkit.org/changeset/210357> 1264136 9 commit-queue 2017-01-05 09:31:58 -0800 All reviewed patches have been landed. Closing bug. 298095 2017-01-05 05:37:41 -0800 2017-01-05 08:45:27 -0800 proposed patch wk.patch text/plain 1508 mcrha ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBmOTE3NjBjLi4yY2Q3ZDZiIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTUg QEAKKzIwMTctMDEtMDUgIE1pbGFuIENyaGEgIDxtY3JoYUByZWRoYXQuY29tPgorCisgICAgICAg IFtHVEtdIEFkZHJlc3NTYW5pdGl6ZXI6IGhlYXAtdXNlLWFmdGVyLWZyZWUgdW5kZXIgV1RGOjpT dHJpbmc6OmZyb21VVEY4KCkKKyAgICAgICAgaHR0cHM6Ly9idWdzLndlYmtpdC5vcmcvc2hvd19i dWcuY2dpP2lkPTE2NjcyMgorCisgICAgICAgIFJldmlld2VkIGJ5IE5PQk9EWSAoT09QUyEpLgor CisgICAgICAgIE5vIG5ldyB0ZXN0cyAoT09QUyEpLgorCisgICAgICAgICogcGxhdGZvcm0vc291 cC9QdWJsaWNTdWZmaXhTb3VwLmNwcDoKKyAgICAgICAgKFdlYkNvcmU6OnRvcFByaXZhdGVseUNv bnRyb2xsZWREb21haW4pOgorCiAyMDE3LTAxLTA0ICBUaW0gSG9ydG9uICA8dGltb3RoeV9ob3J0 b25AYXBwbGUuY29tPgogCiAgICAgICAgIFByb3ZpZGUgYSBzZXR0aW5nIGZvciBjbGllbnRzIHRv IGFsd2F5cyBwcmVmZXIgbG93LXBvd2VyIFdlYkdMCmRpZmYgLS1naXQgYS9Tb3VyY2UvV2ViQ29y ZS9wbGF0Zm9ybS9zb3VwL1B1YmxpY1N1ZmZpeFNvdXAuY3BwIGIvU291cmNlL1dlYkNvcmUvcGxh dGZvcm0vc291cC9QdWJsaWNTdWZmaXhTb3VwLmNwcAppbmRleCAxNjIzMmM3Li4xMGVmYjlkIDEw MDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9zb3VwL1B1YmxpY1N1ZmZpeFNvdXAu Y3BwCisrKyBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3NvdXAvUHVibGljU3VmZml4U291cC5j cHAKQEAgLTQ3LDcgKzQ3LDggQEAgU3RyaW5nIHRvcFByaXZhdGVseUNvbnRyb2xsZWREb21haW4o Y29uc3QgU3RyaW5nJiBkb21haW4pCiAgICAgICAgIHJldHVybiBTdHJpbmcoKTsKIAogICAgIEdV bmlxdWVPdXRQdHI8R0Vycm9yPiBlcnJvcjsKLSAgICBpZiAoY29uc3QgY2hhciogYmFzZURvbWFp biA9IHNvdXBfdGxkX2dldF9iYXNlX2RvbWFpbihkb21haW4udXRmOCgpLmRhdGEoKSwgJmVycm9y Lm91dFB0cigpKSkKKyAgICBDU3RyaW5nIGRvbWFpbl91dGY4ID0gZG9tYWluLnV0ZjgoKTsKKyAg ICBpZiAoY29uc3QgY2hhciogYmFzZURvbWFpbiA9IHNvdXBfdGxkX2dldF9iYXNlX2RvbWFpbihk b21haW5fdXRmOC5kYXRhKCksICZlcnJvci5vdXRQdHIoKSkpCiAgICAgICAgIHJldHVybiBTdHJp bmc6OmZyb21VVEY4KGJhc2VEb21haW4pOwogCiAgICAgaWYgKGdfZXJyb3JfbWF0Y2hlcyhlcnJv ci5nZXQoKSwgU09VUF9UTERfRVJST1IsIFNPVVBfVExEX0VSUk9SX05PX0JBU0VfRE9NQUlOKSB8 fCBnX2Vycm9yX21hdGNoZXMoZXJyb3IuZ2V0KCksIFNPVVBfVExEX0VSUk9SLCBTT1VQX1RMRF9F UlJPUl9OT1RfRU5PVUdIX0RPTUFJTlMpKQo= 298105 2017-01-05 08:45:27 -0800 2017-01-05 09:31:55 -0800 proposed patch ][ wk.patch text/plain 1699 mcrha ZGlmZiAtLWdpdCBhL1NvdXJjZS9XZWJDb3JlL0NoYW5nZUxvZyBiL1NvdXJjZS9XZWJDb3JlL0No YW5nZUxvZwppbmRleCBmOTE3NjBjLi42MzcxMDllIDEwMDY0NAotLS0gYS9Tb3VyY2UvV2ViQ29y ZS9DaGFuZ2VMb2cKKysrIGIvU291cmNlL1dlYkNvcmUvQ2hhbmdlTG9nCkBAIC0xLDMgKzEsMTYg QEAKKzIwMTctMDEtMDUgIE1pbGFuIENyaGEgIDxtY3JoYUByZWRoYXQuY29tPgorCisgICAgICAg IFtTT1VQXSBBZGRyZXNzU2FuaXRpemVyOiBoZWFwLXVzZS1hZnRlci1mcmVlIHVuZGVyIFdURjo6 U3RyaW5nOjpmcm9tVVRGOCgpCisgICAgICAgIGh0dHBzOi8vYnVncy53ZWJraXQub3JnL3Nob3df YnVnLmNnaT9pZD0xNjY3MjIKKworICAgICAgICBSZXZpZXdlZCBieSBOT0JPRFkgKE9PUFMhKS4K KworICAgICAgICAqIHBsYXRmb3JtL3NvdXAvUHVibGljU3VmZml4U291cC5jcHA6CisgICAgICAg IChXZWJDb3JlOjp0b3BQcml2YXRlbHlDb250cm9sbGVkRG9tYWluKToKKyAgICAgICAgVXNlIGEg dmFyaWFibGUgdG8gaG9sZCBVVEYtOCB2ZXJzaW9uIG9mIHRoZSBkb21haW4sIGJlY2F1c2UKKyAg ICAgICAgdGhlIHNvdXBfdGxkX2dldF9iYXNlX2RvbWFpbigpIHJldHVybnMgYSBwb2ludGVyIGlu dG8gdGhlIHBhc3NlZC1pbgorICAgICAgICBzdHJpbmcsIHdoaWNoIGNvdWxkIGJlIGZyZWVkIGR1 ZSB0byB0aGUgdGVtcG9yYXJ5IG9iamVjdCBiZWluZyBmcmVlZC4KKwogMjAxNy0wMS0wNCAgVGlt IEhvcnRvbiAgPHRpbW90aHlfaG9ydG9uQGFwcGxlLmNvbT4KIAogICAgICAgICBQcm92aWRlIGEg c2V0dGluZyBmb3IgY2xpZW50cyB0byBhbHdheXMgcHJlZmVyIGxvdy1wb3dlciBXZWJHTApkaWZm IC0tZ2l0IGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0vc291cC9QdWJsaWNTdWZmaXhTb3VwLmNw cCBiL1NvdXJjZS9XZWJDb3JlL3BsYXRmb3JtL3NvdXAvUHVibGljU3VmZml4U291cC5jcHAKaW5k ZXggMTYyMzJjNy4uMjM5YzA4MSAxMDA2NDQKLS0tIGEvU291cmNlL1dlYkNvcmUvcGxhdGZvcm0v c291cC9QdWJsaWNTdWZmaXhTb3VwLmNwcAorKysgYi9Tb3VyY2UvV2ViQ29yZS9wbGF0Zm9ybS9z b3VwL1B1YmxpY1N1ZmZpeFNvdXAuY3BwCkBAIC00Nyw3ICs0Nyw4IEBAIFN0cmluZyB0b3BQcml2 YXRlbHlDb250cm9sbGVkRG9tYWluKGNvbnN0IFN0cmluZyYgZG9tYWluKQogICAgICAgICByZXR1 cm4gU3RyaW5nKCk7CiAKICAgICBHVW5pcXVlT3V0UHRyPEdFcnJvcj4gZXJyb3I7Ci0gICAgaWYg KGNvbnN0IGNoYXIqIGJhc2VEb21haW4gPSBzb3VwX3RsZF9nZXRfYmFzZV9kb21haW4oZG9tYWlu LnV0ZjgoKS5kYXRhKCksICZlcnJvci5vdXRQdHIoKSkpCisgICAgQ1N0cmluZyBkb21haW5VVEY4 ID0gZG9tYWluLnV0ZjgoKTsKKyAgICBpZiAoY29uc3QgY2hhciogYmFzZURvbWFpbiA9IHNvdXBf dGxkX2dldF9iYXNlX2RvbWFpbihkb21haW5VVEY4LmRhdGEoKSwgJmVycm9yLm91dFB0cigpKSkK ICAgICAgICAgcmV0dXJuIFN0cmluZzo6ZnJvbVVURjgoYmFzZURvbWFpbik7CiAKICAgICBpZiAo Z19lcnJvcl9tYXRjaGVzKGVycm9yLmdldCgpLCBTT1VQX1RMRF9FUlJPUiwgU09VUF9UTERfRVJS T1JfTk9fQkFTRV9ET01BSU4pIHx8IGdfZXJyb3JfbWF0Y2hlcyhlcnJvci5nZXQoKSwgU09VUF9U TERfRVJST1IsIFNPVVBfVExEX0VSUk9SX05PVF9FTk9VR0hfRE9NQUlOUykpCg==