RESOLVED FIXED 166722
[SOUP] AddressSanitizer: heap-use-after-free under WTF::String::fromUTF8()
https://bugs.webkit.org/show_bug.cgi?id=166722
Milan Crha
Reported 2017-01-05 03:19:32 PST
I just faced an address sanitizer error about use-after-free under WTF::String::fromUTF8().

Steps to reproduce (make sure the LD_PRELOAD library exists in your system, or change its name accordingly):

$ export LD_PRELOAD=/usr/lib64/libasan.so.3
$ export ASAN_OPTIONS=abort_on_error=1:detect_stack_use_after_return=0:detect_leaks=0:handle_segv=0:check_printf=0:detect_deadlocks=1:replace_str=1:replace_intrin=1:alloc_dealloc_mismatch=1:new_delete_type_mismatch=1:detect_container_overflow=1:symbolize=1
$ export ASAN_SYMBOLIZER_PATH=/usr/bin/llvm-symbolizer
$ $PREFIX/libexec/webkit2gtk-4.0/MiniBrowser

The MiniBrowser opens in http://www.webkitgtk.org and shortly after the page is loaded the WebKitWebProcess crashes due to the ASan report:

==23181==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000a1364 at pc 0x7fe834a72fd3 bp 0x7ffc82df2fc0 sp 0x7ffc82df2768
READ of size 14 at 0x6040000a1364 thread T0
    #0 0x7fe834a72fd2 (/usr/lib64/libasan.so.3+0x3cfd2)
    #1 0x7fe829624656 in WTF::String::fromUTF8(unsigned char const*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc656)
    #2 0x7fe82e0f1c89 in WTF::String::fromUTF8(char const*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x724c89)
    #3 0x7fe82ff5e819 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2591819)
    #4 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #5 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #6 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #7 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #8 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #9 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #10 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #11 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #12 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #13 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #14 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #15 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #16 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #17 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #18 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #19 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #20 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #21 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #22 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #23 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)
    #24 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9)
    #25 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b)
    #26 0x7fe82e0427c5 in IPC::Connection::dispatchMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6757c5)
    #27 0x7fe82e0429b7 in IPC::Connection::dispatchOneMessage() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6759b7)
    #28 0x7fe82e0424fb in IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}::operator()() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6754fb)
    #29 0x7fe82e0490cf in WTF::Function<void ()>::CallableWrapper<IPC::Connection::enqueueIncomingMessage(std::unique_ptr<IPC::Decoder, std::default_delete<IPC::Decoder> >)::{lambda()#1}>::call() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67c0cf)
    #30 0x7fe8295d73e8 in WTF::Function<void ()>::operator()() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248f3e8)
    #31 0x7fe8295eb839 in WTF::RunLoop::performWork() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24a3839)
    #32 0x7fe8296326fb in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::operator()(void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6fb)
    #33 0x7fe82963271f in WTF::RunLoop::RunLoop()::{lambda(void*)#1}::_FUN(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea71f)
    #34 0x7fe82963269b in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::operator()(_GSource*, int (*)(void*), void*) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea69b)
    #35 0x7fe8296326ca in WTF::{lambda(_GSource*, int (*)(void*), void*)#1}::_FUN(_GSource*, int (*)(void*), void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24ea6ca)
    #36 0x7fe82a8c5e41 in g_main_context_dispatch (/lib64/libglib-2.0.so.0+0x49e41)
    #37 0x7fe82a8c61bf (/lib64/libglib-2.0.so.0+0x4a1bf)
    #38 0x7fe82a8c64e1 in g_main_loop_run (/lib64/libglib-2.0.so.0+0x4a4e1)
    #39 0x7fe829632c7b in WTF::RunLoop::run() ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24eac7b)
    #40 0x7fe82e6faec3 in int WebKit::ChildProcessMain<WebKit::WebProcess, WebKit::WebProcessMain>(int, char**) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dec3)
    #41 0x7fe82e6fad71 in WebProcessMainUnix ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd2dd71)
    #42 0x400859 in main ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400859)
    #43 0x7fe82d627400 in __libc_start_main (/lib64/libc.so.6+0x20400)
    #44 0x400759 in _start ($PREFIX/libexec/webkit2gtk-4.0/WebKitWebProcess+0x400759)

0x6040000a1364 is located 20 bytes inside of 34-byte region [0x6040000a1350,0x6040000a1372)
freed by thread T0 here:
    #0 0x7fe834afcaf0 in free (/usr/lib64/libasan.so.3+0xc6af0)
    #1 0x7fe8295d55c6 in WTF::fastFree(void*) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d5c6)
    #2 0x7fe82e011362 in WTF::RefCounted<WTF::CStringBuffer>::operator delete(void*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x644362)
    #3 0x7fe82e00f63e in WTF::RefCounted<WTF::CStringBuffer>::deref() const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x64263e)
    #4 0x7fe82e00d2d9 in void WTF::derefIfNotNull<WTF::CStringBuffer>(WTF::CStringBuffer*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6402d9)
    #5 0x7fe82e00b498 in WTF::RefPtr<WTF::CStringBuffer>::~RefPtr() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e498)
    #6 0x7fe82e00b0f3 in WTF::CString::~CString() ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x63e0f3)
    #7 0x7fe82ff5e7ff in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917ff)
    #8 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #9 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #10 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #11 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #12 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #13 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #14 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #15 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #16 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #17 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #18 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #19 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #20 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #21 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #22 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #23 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #24 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #25 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #26 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #27 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)
    #28 0x7fe82e2ee3c9 in WebKit::WebProcess::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x9213c9)
    #29 0x7fe82e04265b in IPC::Connection::dispatchMessage(IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x67565b)

previously allocated by thread T0 here:
    #0 0x7fe834afce50 in malloc (/usr/lib64/libasan.so.3+0xc6e50)
    #1 0x7fe8295d5488 in WTF::fastMalloc(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x248d488)
    #2 0x7fe8296053c6 in WTF::CStringBuffer::createUninitialized(unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd3c6)
    #3 0x7fe82960555a in WTF::CString::init(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd55a)
    #4 0x7fe8296054e1 in WTF::CString::CString(char const*, unsigned long) ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24bd4e1)
    #5 0x7fe82960fb50 in WTF::StringImpl::utf8ForRange(unsigned int, unsigned int, WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7b50)
    #6 0x7fe82960fbcb in WTF::StringImpl::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24c7bcb)
    #7 0x7fe829624229 in WTF::String::utf8(WTF::ConversionMode) const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc229)
    #8 0x7fe829624257 in WTF::String::utf8() const ($PREFIX/lib/libjavascriptcoregtk-4.0.so.18+0x24dc257)
    #9 0x7fe82ff5e7d8 in WebCore::topPrivatelyControlledDomain(WTF::String const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x25917d8)
    #10 0x7fe82fef0b5e in WebCore::urlRequiresChromeBrowser(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523b5e)
    #11 0x7fe82fef0db1 in WebCore::UserAgentQuirks::quirksForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2523db1)
    #12 0x7fe82ff4a966 in WebCore::standardUserAgentForURL(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x257d966)
    #13 0x7fe82e6f47a7 in WebKit::WebPage::platformUserAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xd277a7)
    #14 0x7fe82e46afa8 in WebKit::WebPage::userAgent(WebKit::WebFrame*, WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa9dfa8)
    #15 0x7fe82e422044 in WebKit::WebFrameLoaderClient::userAgent(WebCore::URL const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa55044)
    #16 0x7fe82f421e9a in WebCore::FrameLoader::userAgent(WebCore::URL const&) const ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a54e9a)
    #17 0x7fe82f42589e in WebCore::FrameLoader::applyUserAgent(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a5889e)
    #18 0x7fe82f422602 in WebCore::FrameLoader::addExtraFieldsToRequest(WebCore::ResourceRequest&, WebCore::FrameLoadType, bool) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a55602)
    #19 0x7fe82f4221cd in WebCore::FrameLoader::addExtraFieldsToMainResourceRequest(WebCore::ResourceRequest&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a551cd)
    #20 0x7fe82f41cb18 in WebCore::FrameLoader::load(WebCore::DocumentLoader*) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4fb18)
    #21 0x7fe82f41c70e in WebCore::FrameLoader::load(WebCore::FrameLoadRequest const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x1a4f70e)
    #22 0x7fe82fbcefb7 in WebCore::UserInputBridge::loadRequest(WebCore::FrameLoadRequest const&, WebCore::InputSource) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x2201fb7)
    #23 0x7fe82e4647da in WebKit::WebPage::loadRequest(WebKit::LoadParameters const&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xa977da)
    #24 0x7fe82e7eee73 in void IPC::callMemberFunctionImpl<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, 0ul>(WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>&&, std::integer_sequence<unsigned long, 0ul>) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe21e73)
    #25 0x7fe82e7ed0ed in void IPC::callMemberFunction<WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&), std::tuple<WebKit::LoadParameters>, std::integer_sequence<unsigned long, 0ul> >(std::tuple<WebKit::LoadParameters>&&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe200ed)
    #26 0x7fe82e7e6d30 in void IPC::handleMessage<Messages::WebPage::LoadRequest, WebKit::WebPage, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)>(IPC::Decoder&, WebKit::WebPage*, void (WebKit::WebPage::*)(WebKit::LoadParameters const&)) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe19d30)
    #27 0x7fe82e7e193b in WebKit::WebPage::didReceiveWebPageMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xe1493b)
    #28 0x7fe82e46fc07 in WebKit::WebPage::didReceiveMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0xaa2c07)
    #29 0x7fe82e05d6da in IPC::MessageReceiverMap::dispatchMessage(IPC::Connection&, IPC::Decoder&) ($PREFIX/lib/libwebkit2gtk-4.0.so.37+0x6906da)

SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.3+0x3cfd2)
Shadow bytes around the buggy address:
  0x0c088000c210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c230: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c088000c250: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c088000c260: fa fa fa fa fa fa fa fa fa fa fd fd[fd]fd fd fa
  0x0c088000c270: fa fa 00 00 00 00 05 fa fa fa 00 00 00 00 00 05
  0x0c088000c280: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
  0x0c088000c290: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fd
  0x0c088000c2a0: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
  0x0c088000c2b0: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23181==ABORTING

This is with git master at commit 5f042ff6a01d0 built with -O0. I'll update the backtrace if I manage to get one with line numbers.
Attachments
proposed patch (1.47 KB, patch)
2017-01-05 05:37 PST, Milan Crha
cgarcia: commit-queue-
proposed patch ][ (1.66 KB, patch)
2017-01-05 08:45 PST, Milan Crha
no flags
Milan Crha
Comment 1 2017-01-05 05:37:41 PST
Created attachment 298095 [details] proposed patch
WebKit Commit Bot
Comment 2 2017-01-05 05:38:33 PST
Attachment 298095 [details] did not pass style-queue:

ERROR: Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50: domain_utf8 is incorrectly named. Don't use underscores in your identifier names. [readability/naming/underscores] [4]
ERROR: Source/WebCore/ChangeLog:8: You should remove the 'No new tests' and either add and list tests, or explain why no new tests were possible. [changelog/nonewtests] [5]
ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3]
Total errors found: 3 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
Carlos Garcia Campos
Comment 3 2017-01-05 05:44:53 PST
This is not specific to GTK
Carlos Garcia Campos
Comment 4 2017-01-05 05:49:18 PST
Comment on attachment 298095 [details]
proposed patch

View in context: https://bugs.webkit.org/attachment.cgi?id=298095&action=review

> Source/WebCore/ChangeLog:8
> +        No new tests (OOPS!).

You should remove this line since this patch shouldn't affect tests. And also explain the change, what was broken and how this patch fixes it.

> Source/WebCore/platform/soup/PublicSuffixSoup.cpp:50
> +    CString domain_utf8 = domain.utf8();

domain_utf8 -> domainUTF8

> Source/WebCore/platform/soup/PublicSuffixSoup.cpp:52
> +    if (const char* baseDomain = soup_tld_get_base_domain(domain_utf8.data(), &error.outPtr()))
>          return String::fromUTF8(baseDomain);

I don't understand why we can't use the temporary here. Can soup_tld_get_base_domain() return the passed in hostname?
Carlos Garcia Campos
Comment 5 2017-01-05 05:50:36 PST
Ah! "a pointer to the start of the base domain in @hostname" That's what you should explain in the changelog.
Milan Crha
Comment 6 2017-01-05 08:45:27 PST
Created attachment 298105 [details]
proposed patch ][

(In reply to comment #4)
> Comment on attachment 298095 [details]
>
> > Source/WebCore/ChangeLog:8
> > +        No new tests (OOPS!).
>
> You should remove this line since this patch shouldn't affect tests. And
> also explain the change, what was broken and how this patch fixes it.

Ah, right, it's been a long time since I sent any patches to webkit.

> domain_utf8 -> domainUTF8

Yeah, I'm sorry (bug #166725 filed).

> I don't understand why we can't use the temporary here. Can
> soup_tld_get_base_domain() return the passed in hostname?

Right, it consumes 'const char *' and also returns 'const char *', then it makes sense it returns something from within the passed-in string. I tried to write some so-called explanation to the ChangeLog, though it sounds odd to me. I couldn't come up with anything better.
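The lifetime mistake that comment #5 and comment #6 pin down, shown as an added C++ example that is not part of the bug report, the patch or WebKit itself. Everything here is a stand-in: baseDomainOf() plays soup_tld_get_base_domain() and, like it, returns a pointer into the hostname it was given (the "last two labels" rule is an assumption for the demo; libsoup consults the Public Suffix List); OwnedUtf8 plays WTF::CString, the owner of the heap buffer String::utf8() hands back; fromUtf8Checked() plays String::fromUTF8(), with a small quarantine in the role of ASan's shadow bytes so the dangling read is reported rather than performed. topDomainBuggy() has the shape of the pre-r210357 code, topDomainFixed() the shape of the landed patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy quarantine standing in for ASan's shadow memory: buffers released by
// OwnedUtf8 are parked here instead of going back to the allocator, so their
// addresses cannot be reused and a later check can still recognise them.
static std::vector<std::pair<uintptr_t, uintptr_t>> g_freedRanges;
static std::vector<std::unique_ptr<char[]>> g_quarantine;

static bool isFreed(const char* p) {
    uintptr_t a = reinterpret_cast<uintptr_t>(p);
    for (const auto& r : g_freedRanges)
        if (a >= r.first && a < r.second)
            return true;
    return false;
}

// Stand-in for WTF::CString (what String::utf8() returns): sole owner of a
// NUL-terminated heap copy, released when the object is destroyed.
class OwnedUtf8 {
public:
    explicit OwnedUtf8(const std::string& s)
        : m_size(s.size() + 1), m_buf(new char[m_size]) {
        std::memcpy(m_buf.get(), s.c_str(), m_size);
    }
    ~OwnedUtf8() {
        uintptr_t a = reinterpret_cast<uintptr_t>(m_buf.get());
        g_freedRanges.emplace_back(a, a + m_size);
        g_quarantine.push_back(std::move(m_buf)); // "free" into the quarantine
    }
    OwnedUtf8(const OwnedUtf8&) = delete;
    OwnedUtf8& operator=(const OwnedUtf8&) = delete;
    const char* data() const { return m_buf.get(); }
private:
    size_t m_size;
    std::unique_ptr<char[]> m_buf;
};

// Stand-in for soup_tld_get_base_domain(): like the real function it returns
// a pointer INTO the hostname it was given, not a fresh allocation. The rule
// here ("last two labels") is a demo assumption; libsoup uses the PSL.
static const char* baseDomainOf(const char* hostname) {
    const char* lastDot = std::strrchr(hostname, '.');
    if (!lastDot)
        return nullptr; // no registrable domain, e.g. "localhost"
    const char* p = lastDot;
    while (p > hostname && p[-1] != '.')
        --p;
    return p;
}

struct Converted {
    bool useAfterFree;  // true if the input pointed into a released buffer
    std::string value;
};

// Stand-in for String::fromUTF8(const char*). Before copying it consults the
// quarantine, which is what ASan's shadow-byte check did in the report.
static Converted fromUtf8Checked(const char* p) {
    if (!p)
        return {false, std::string()};
    if (isFreed(p))
        return {true, std::string()}; // ASan would say: heap-use-after-free READ
    return {false, std::string(p)};
}

// Shape of topPrivatelyControlledDomain() before r210357: the OwnedUtf8
// temporary dies at the end of the full-expression that initialises `base`,
// so `base` already points into released memory when it is converted.
static Converted topDomainBuggy(const std::string& domain) {
    const char* base = baseDomainOf(OwnedUtf8(domain).data());
    return fromUtf8Checked(base);
}

// The fix: keep the UTF-8 copy in a named local that outlives every use of
// the pointer returned into it.
static Converted topDomainFixed(const std::string& domain) {
    OwnedUtf8 domainUTF8(domain);
    const char* base = baseDomainOf(domainUTF8.data());
    return fromUtf8Checked(base); // domainUTF8 is still alive here
}

int main() {
    const char* host = "www.webkitgtk.org"; // constructed input for the demo
    Converted buggy = topDomainBuggy(host);
    Converted fixed = topDomainFixed(host);
    std::printf("buggy: %s\n", buggy.useAfterFree ? "heap-use-after-free" : buggy.value.c_str());
    std::printf("fixed: %s\n", fixed.value.c_str());
    return 0;
}
```

The rule the example illustrates is the general one: a C function that takes `const char *` and returns `const char *` with no allocation documented is usually returning into its argument, so the argument must be a named object whose scope covers every use of the result, never a temporary from `.utf8()`, `.c_str()` or similar. Without ASan the buggy path would often appear to work, because the freed 34-byte region is frequently still intact when it is read, which is why the report only surfaced under LD_PRELOAD of libasan.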
WebKit Commit Bot
Comment 7 2017-01-05 08:46:38 PST
Attachment 298105 [details] did not pass style-queue:

ERROR: Source/WebCore/ChangeLog:3: Please consider whether the use of security-sensitive phrasing could help someone exploit WebKit: use-after-free [changelog/unwantedsecurityterms] [3]
Total errors found: 1 in 2 files

If any of these errors are false positives, please file a bug against check-webkit-style.
WebKit Commit Bot
Comment 8 2017-01-05 09:31:55 PST
Comment on attachment 298105 [details]
proposed patch ][

Clearing flags on attachment: 298105

Committed r210357: <http://trac.webkit.org/changeset/210357>
WebKit Commit Bot
Comment 9 2017-01-05 09:31:58 PST
All reviewed patches have been landed. Closing bug.