815477 - Heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection

Status: RESOLVED FIXED

(Core :: Layout: Text and Fonts, defect)

Description

[Abhishek Arya]

Attachment: Testcase

Reproduces on trunk.

=====================
==8883== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe77b25606c at pc 0x7fe7acb4f3d5 bp 0x7fffcd079250 sp 0x7fffcd079248
READ of size 4 at 0x7fe77b25606c thread T0
    #0 0x7fe7acb4f3d4 in GetBoolFlag src/../../../dist/include/nsINode.h:1334
    #1 0x7fe7acb4f3d4 in HasTextNodeDirectionalityMap src/../../../dist/include/nsINode.h:1417
    #2 0x7fe7acb4f3d4 in RemoveElementFromMap src/content/base/src/DirectionalityUtils.cpp:510
    #3 0x7fe7acb4f3d4 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:619
    #4 0x7fe7acfc7682 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:1527
    #5 0x7fe7acccae82 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/Element.cpp:1223
    #6 0x7fe7acfc7682 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:1527
    #7 0x7fe7ad270eb2 in nsHTMLSharedElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsHTMLSharedElement.cpp:409
0x7fe77b25606c is located 44 bytes inside of 120-byte region [0x7fe77b256040,0x7fe77b2560b8)
freed by thread T0 here:
    #0 0x426020 in __interceptor_free
    #1 0x7fe7acd2aaf1 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:257
    #2 0x7fe7acce1463 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:115
    #3 0x7fe7acdf754a in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/FragmentOrElement.cpp:902
    #4 0x7fe7af39afe2 in mozilla::dom::NodeBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan/dom/bindings/NodeBinding.cpp:1326
    #5 0x7fe7b080d4dd in native src/js/src/jscntxtinlines.h:364
    #6 0x7fe7b080d4dd in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:369
    #7 0x7fe7b080e292 in Invoke src/js/src/jsinterp.h:109
    #8 0x7fe7b080e292 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:417
    #9 0x7fe7b080ef1d in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:490
    #10 0x7fe7b087376e in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:313
    #11 0x7fe7b087aafd in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:4584
    #12 0x7fe7b0814ca8 in setGeneric src/js/src/jsobjinlines.h:95
    #13 0x7fe7b0814ca8 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:367
    #14 0x7fe7b07f385f in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2244
    #15 0x7fe7b07e8d60 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:326
    #16 0x7fe7b080d3d8 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:384
    #17 0x7fe7b080e292 in Invoke src/js/src/jsinterp.h:109
    #18 0x7fe7b080e292 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:417
previously allocated by thread T0 here:
    #0 0x4260e0 in malloc
    #1 0x7fe7b36fa148 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
    #2 0x7fe7adb2964c in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:511
    #3 0x7fe7adb362d3 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:565
    #4 0x7fe7adb49b20 in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:129
    #5 0x7fe7af4e5632 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan/xpcom/build/nsThreadUtils.cpp:221
    #6 0x7fe7af038e9c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #7 0x7fe7af63c848 in RunInternal src/ipc/chromium/src/base/message_loop.cc:215
    #8 0x7fe7af63c848 in RunHandler src/ipc/chromium/src/base/message_loop.cc:208
    #9 0x7fe7af63c848 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
    #10 0x7fe7aed313ad in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
Shadow byte and word:
  0x1ffcef64ac0d: fd
  0x1ffcef64ac08: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffcef64abe8: 00 00 00 00 00 00 00 00
  0x1ffcef64abf0: 00 00 00 00 00 00 00 00
  0x1ffcef64abf8: 00 fb fb fb fb fb fb fb
  0x1ffcef64ac00: fa fa fa fa fa fa fa fa
=>0x1ffcef64ac08: fd fd fd fd fd fd fd fd
  0x1ffcef64ac10: fd fd fd fd fd fd fd fd
  0x1ffcef64ac18: fa fa fa fa fa fa fa fa
  0x1ffcef64ac20: fa fa fa fa fa fa fa fa
  0x1ffcef64ac28: fd fd fd fd fd fd fd fd
Stats: 319M malloced (297M for red zones) by 480655 calls
Stats: 50M realloced by 24853 calls
Stats: 268M freed by 312168 calls
Stats: 230M really freed by 267450 calls
Stats: 269M (68989 full pages) mmaped in 512 calls
  mmaps   by size class: 7:139230; 8:59363; 9:16368; 10:7665; 11:9435; 12:2688; 13:960; 14:576; 15:256; 16:952; 17:464; 18:36; 19:36; 20:21; 21:1;
  mallocs by size class: 7:274564; 8:122232; 9:30400; 10:15477; 11:24514; 12:4701; 13:2457; 14:2033; 15:556; 16:1940; 17:1642; 18:75; 19:41; 20:22; 21:1;
  frees   by size class: 7:169767; 8:77512; 9:21379; 10:11213; 11:21808; 12:3268; 13:1886; 14:1826; 15:393; 16:1375; 17:1623; 18:60; 19:38; 20:20;
  rfrees  by size class: 7:148553; 8:67123; 9:15047; 10:9342; 11:18106; 12:2844; 13:1550; 14:1704; 15:311; 16:1202; 17:1588; 18:53; 19:26; 20:1;
Stats: malloc large: 4277 small slow: 6846
==8883== ABORTING

Comment 1

[Abhishek Arya]

This looks like a very recent regression and hitting pretty crazingly :(

Comment 2

[Abhishek Arya]

Probably http://hg.mozilla.org/mozilla-central/rev/7f2e295e4981

Comment 3

[Mats Palmgren (inactive)]

Other recent bugs that might be related: bug 815043, bug 815276.

Comment 4

[(no longer active)]

Looks like the dirAutoSetBy property that we query for here http://mxr.mozilla.org/mozilla-central/source/content/base/src/DirectionalityUtils.cpp#616 is returning a dead node.

Comment 5

[Daniel Veditz [:dveditz]]

I'm assuming from the tiny patch in bug 815500 that Simon means this is the same problem, but let's wait and confirm that the patches in that bug really do fix the issue first.

Comment 6

[David Bolter [:davidb] (NeedInfo me for attention)]

Hoping Simon doesn't mind owning this bug given you are the dude for bug 815500.

Comment 7

[Simon Montagu :smontagu]

Checked in the testcase with the patch for 815500

https://hg.mozilla.org/integration/mozilla-inbound/rev/3548adeeb163

Comment 8

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/3548adeeb163

Comment 9

[Daniel Veditz [:dveditz]]

Bounty non-qual since this is essentially the same issue and fix as bug 815500

Comment 10

[Simon Montagu :smontagu]

in-testsuite+ per comment 7