Closed Bug 827190 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in mozilla::ResetDir

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla21
Tracking Status
firefox17 --- unaffected
firefox18 --- unaffected
firefox19 --- unaffected
firefox20 + fixed
firefox21 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: inferno, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(4 files)

Attached file Testcase
>==330== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f7d826e11ac at pc 0x7f7da62fdb33 bp 0x7fff9927a4b0 sp 0x7fff9927a4a8
>READ of size 4 at 0x7f7d826e11ac thread T0
>    #0 0x7f7da62fdb32 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1343
>    #1 0x7f7da819c62e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1426
>    #2 0x7f7da819ae17 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:535
>    #3 0x7f7da81a237f in mozilla::ResetDir(mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:927
>    #4 0x7f7da87be537 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1359
>    #5 0x7f7da974deac in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:657
>    #6 0x7f7da87be865 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1372
>    #7 0x7f7da974deac in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:657
>    #8 0x7f7daa12af7e in nsHTMLSharedElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsHTMLSharedElement.cpp:438
>    #9 0x7f7da87be865 in mozilla::dom::Element::UnbindFromTree(bool, bool) src/content/base/src/Element.cpp:1372
>    #10 0x7f7da974deac in nsGenericHTMLElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:657
>    #11 0x7f7daa12af7e in nsHTMLSharedElement::UnbindFromTree(bool, bool) src/content/html/content/src/nsHTMLSharedElement.cpp:438
>    #12 0x7f7da8896ba3 in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1386
>    #13 0x7f7da858e122 in nsDocument::RemoveChildAt(unsigned int, bool) src/content/base/src/nsDocument.cpp:3455
>    #14 0x7f7da887d5e3 in nsINode::RemoveChild(nsINode&, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:459
>    #15 0x7f7db33fcf83 in mozilla::dom::NodeBinding::removeChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:712
>    #16 0x7f7db33c8376 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/NodeBinding.cpp:1390
>    #17 0x7f7dbc03bec5 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:373
>    #18 0x7f7dbc03bec5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #19 0x7f7dbbfec986 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2368
>    #20 0x7f7dbbf4cdcb in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #21 0x7f7dbc0496e5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:537
>    #22 0x7f7dbc04b285 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:576
>    #23 0x7f7dbb7a712e in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5624
>    #24 0x7f7daaeae420 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1525
>    #25 0x7f7dab084f29 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9755
>    #26 0x7f7dab0396ef in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:10007
>    #27 0x7f7dab083029 in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10276
>    #28 0x7f7db454a74b in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:482
>    #29 0x7f7db454bbd4 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565
>    #30 0x7f7db450df6f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #31 0x7f7db41827b5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:237
>    #32 0x7f7db16b7593 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:117
>    #33 0x7f7db47ff8e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #34 0x7f7db47ff719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #35 0x7f7db47ff5ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #36 0x7f7db0aa1c07 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #37 0x7f7daf5b8715 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #38 0x7f7da4800874 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #39 0x7f7da480645a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #40 0x7f7da4809230 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #41 0x41db83 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #42 0x41ae86 in main src/browser/app/nsBrowserApp.cpp:388
>    #43 0x7f7dc640e76c in
>0x7f7d826e11ac is located 44 bytes inside of 120-byte region [0x7f7d826e1180,0x7f7d826e11f8)
>freed by thread T0 here:
>    #0 0x40fb32 in __interceptor_free
>    #1 0x7f7dc742b4b9 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7f7da8af6010 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7f7da8af6010 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>    #4 0x7f7da89bf417 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
>    #5 0x7f7da88390f0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
>    #6 0x7f7da8af650a in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
>    #7 0x7f7da47ca32f in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
>    #8 0x7f7da65b29ac in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #9 0x7f7da65b2679 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #10 0x7f7da8c8558d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
>    #11 0x7f7da87dfae1 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3373
>    #12 0x7f7db2c4d724 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1689
>    #13 0x7f7db2c36178 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #14 0x7f7dbc03bec5 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:373
>    #15 0x7f7dbc03bec5 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7f7dbb8ecfdf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #17 0x7f7dbc041c69 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7f7dbc0480e5 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #19 0x7f7dbc2e0e61 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:315
>    #20 0x7f7dbc3184eb in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3686
>    #21 0x7f7dbc07c6d1 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
>    #22 0x7f7dbbfdbda5 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #23 0x7f7dbbf4cdcb in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #24 0x7f7dbc03c809 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #25 0x7f7dbb8ecfdf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #26 0x7f7dbc041c69 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #27 0x7f7dbb7b40f2 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5805
>    #28 0x7f7dae623bc5 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #29 0x7f7dae5c4a10 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #30 0x7f7db463d47f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #31 0x7f7db463a166 in SharedStub
>previously allocated by thread T0 here:
>    #0 0x40fc12 in __interceptor_malloc
>    #1 0x7f7dc742b604 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7f7da8af5830 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7f7da8af5830 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>    #4 0x7f7dac43b3fe in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
>    #5 0x7f7dac446687 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
>    #6 0x7f7dac4647e6 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
>    #7 0x7f7dac4a27fd in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
>    #8 0x7f7db450df6f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #9 0x7f7db41827b5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:237
>    #10 0x7f7db16b6f2c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #11 0x7f7db47ff8e2 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #12 0x7f7db47ff719 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #13 0x7f7db47ff5ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #14 0x7f7db0aa1c07 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #15 0x7f7daf5b8715 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #16 0x7f7da4800874 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #17 0x7f7da480645a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #18 0x7f7da4809230 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #19 0x41db83 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #20 0x41ae86 in main src/browser/app/nsBrowserApp.cpp:388
>    #21 0x7f7dc640e76c in
>Shadow bytes around the buggy address:
>  0x1fefb04dc1e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fefb04dc1f0: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fefb04dc200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fefb04dc210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
>  0x1fefb04dc220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1fefb04dc230: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>  0x1fefb04dc240: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fefb04dc250: 00 00 00 00 00 00 00 00 fb fb fb fb fb fb fb fb
>  0x1fefb04dc260: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fefb04dc270: 00 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fefb04dc280: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==330== ABORTING
Mats, I have a patch for this already (in case you were planning to work on it)
Assignee: nobody → smontagu
Attached patch Patch (Splinter Review)
When adding a node with descendants to a node with dir=auto, or to a descendant of such a node, we need to walk the descendant tree and set the AncestorHasDirAuto flag.
Attachment #699609 - Flags: review?(ehsan)
Comment on attachment 699609 [details] [diff] [review]
Patch

Review of attachment 699609 [details] [diff] [review]:
-----------------------------------------------------------------

::: content/base/src/DirectionalityUtils.cpp
@@ +922,5 @@
> +        }
> +
> +        child->SetAncestorHasDirAuto();
> +        child = child->GetNextNode(aElement);
> +      } while (child);
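Review bot: the do/while closing this hunk dereferences `child` in `child->SetAncestorHasDirAuto()` before the `while (child)` test ever runs, so the loop is only safe if the enclosing condition guarantees a non-null first child; that invariant is not visible in the hunk and deserves either a comment stating it or a `while (child) { ... }` form that checks first, so a later edit to the guard cannot turn this into a null dereference.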

Please rewrite this like below:

nsIContent* child = ...;
while (child) {
  // stuff inside the loop
}
Attachment #699609 - Flags: review?(ehsan) → review+
Attached file Testcase
I am still seeing another dir=auto crash after this patch. Here it is. Should I file another bug for this dir=auto issue? I don't want to bug spam :(

>==14226== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f608e3f68ac at pc 0x7f60b4644733 bp 0x7fff1bfaac50 sp 0x7fff1bfaac48
>READ of size 4 at 0x7f608e3f68ac thread T0
>    #0 0x7f60b4644732 in nsINode::GetBoolFlag(nsINode::BooleanFlag) const src/content/base/public/nsINode.h:1348
>    #1 0x7f60b64fb31e in nsINode::HasTextNodeDirectionalityMap() const src/../../../dist/include/nsINode.h:1431
>    #2 0x7f60b64f9b07 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) src/content/base/src/DirectionalityUtils.cpp:535
>    #3 0x7f60b64f94ca in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) src/content/base/src/DirectionalityUtils.cpp:642
>    #4 0x7f60b6501031 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) src/content/base/src/DirectionalityUtils.cpp:927
>    #5 0x7f60b6b18fe0 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/base/src/Element.cpp:1170
>    #6 0x7f60b7ab1619 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) src/content/html/content/src/nsGenericHTMLElement.cpp:604
>    #7 0x7f60b6bf4f4a in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) src/content/base/src/nsINode.cpp:1324
>    #8 0x7f60b6fe8987 in mozilla::dom::FragmentOrElement::InsertChildAt(nsIContent*, unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:884
>    #9 0x7f60b6bfcdd5 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/content/base/src/nsINode.cpp:1884
>    #10 0x7f60b6b4328d in nsINode::ReplaceChild(nsINode&, nsINode&, mozilla::ErrorResult&) src/../../dist/include/nsINode.h:1548
>    #11 0x7f60b6b427cb in mozilla::dom::Element::SetOuterHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3458
>    #12 0x7f60c1001740 in mozilla::dom::ElementBinding::set_outerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1743
>    #13 0x7f60c0fed3b8 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #14 0x7f60ca47793a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:373
>    #15 0x7f60ca47793a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7f60c9d250cf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #17 0x7f60ca47d709 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7f60ca483b85 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #19 0x7f60ca71c6e1 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:315
>    #20 0x7f60ca753d41 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3686
>    #21 0x7f60ca4b814c in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
>    #22 0x7f60ca417820 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #23 0x7f60ca38887b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #24 0x7f60ca47828e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #25 0x7f60c9d250cf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #26 0x7f60ca47d709 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #27 0x7f60c9bec492 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5806
>    #28 0x7f60bc9b7445 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #29 0x7f60bc9580d0 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #30 0x7f60c2a5d82f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #31 0x7f60c2a5a516 in SharedStub
>    #32 0x7f60b770ca45 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:922
>    #33 0x7f60b770e257 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.cpp:989
>    #34 0x7f60b78ff42a in nsEventListenerManager::HandleEvent(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) src/content/events/src/nsEventListenerManager.h:278
>    #35 0x7f60b78ee5dc in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:181
>    #36 0x7f60b78ec843 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) src/content/events/src/nsEventDispatcher.cpp:310
>    #37 0x7f60b78f4577 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) src/content/events/src/nsEventDispatcher.cpp:678
>    #38 0x7f60b78f6dc9 in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) src/content/events/src/nsEventDispatcher.cpp:738
>    #39 0x7f60b6bf03e5 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) src/content/base/src/nsINode.cpp:1100
>    #40 0x7f60b66d4790 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3511
>    #41 0x7f60b66d3a64 in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) src/content/base/src/nsContentUtils.cpp:3481
>    #42 0x7f60b6900b6f in nsDocument::DispatchContentLoadedEvents() src/content/base/src/nsDocument.cpp:4241
>    #43 0x7f60b69fc5e2 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() src/../../../dist/include/nsThreadUtils.h:367
>    #44 0x7f60c292e20f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #45 0x7f60c25a29a5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #46 0x7f60bfa5ac3c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #47 0x7f60c2c1fc92 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #48 0x7f60c2c1fac9 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #49 0x7f60c2c1f99e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #50 0x7f60bee42b77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #51 0x7f60bd94d815 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #52 0x7f60b2b41d44 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #53 0x7f60b2b4792a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #54 0x7f60b2b4a700 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #55 0x41db83 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #56 0x41ae86 in main src/browser/app/nsBrowserApp.cpp:388
>    #57 0x7f60d48b976c in
>0x7f608e3f68ac is located 44 bytes inside of 120-byte region [0x7f608e3f6880,0x7f608e3f68f8)
>freed by thread T0 here:
>    #0 0x40fb32 in __interceptor_free
>    #1 0x7f60d58d64b9 in moz_free src/memory/mozalloc/mozalloc.cpp:48
>    #2 0x7f60b6e59820 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
>    #3 0x7f60b6e59820 in nsTextNode::~nsTextNode() src/content/base/src/nsTextNode.cpp:117
>    #4 0x7f60b6d1fd17 in nsNodeUtils::LastRelease(nsINode*) src/content/base/src/nsNodeUtils.cpp:258
>    #5 0x7f60b6b999e0 in nsGenericDOMDataNode::Release() src/content/base/src/nsGenericDOMDataNode.cpp:117
>    #6 0x7f60b6e59d1a in nsTextNode::Release() src/content/base/src/nsTextNode.cpp:121
>    #7 0x7f60b2b0b7ff in nsCOMPtr_base::~nsCOMPtr_base() src/objdir-ff-asan-sym/media/webrtc/signaling/signaling_ecc/../../../../dist/include/nsCOMPtr.h:410
>    #8 0x7f60b48f95ac in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #9 0x7f60b48f9279 in nsCOMPtr<nsIContent>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:449
>    #10 0x7f60b6fe8d9d in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) src/content/base/src/FragmentOrElement.cpp:896
>    #11 0x7f60b6b3fed1 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) src/content/base/src/Element.cpp:3376
>    #12 0x7f60c1004964 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:1689
>    #13 0x7f60c0fed3b8 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) src/objdir-ff-asan-sym/dom/bindings/ElementBinding.cpp:2031
>    #14 0x7f60ca47793a in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:373
>    #15 0x7f60ca47793a in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:391
>    #16 0x7f60c9d250cf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #17 0x7f60ca47d709 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #18 0x7f60ca483b85 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:512
>    #19 0x7f60ca71c6e1 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) src/js/src/jsscopeinlines.h:315
>    #20 0x7f60ca753d41 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:3686
>    #21 0x7f60ca4b814c in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:365
>    #22 0x7f60ca417820 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2278
>    #23 0x7f60ca38887b in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) src/js/src/jsinterp.cpp:348
>    #24 0x7f60ca47828e in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:406
>    #25 0x7f60c9d250cf in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:112
>    #26 0x7f60ca47d709 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:439
>    #27 0x7f60c9bec492 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) src/js/src/jsapi.cpp:5806
>    #28 0x7f60bc9b7445 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1432
>    #29 0x7f60bc9580d0 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:581
>    #30 0x7f60c2a5d82f in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122
>    #31 0x7f60c2a5a516 in SharedStub
>previously allocated by thread T0 here:
>    #0 0x40fc12 in __interceptor_malloc
>    #1 0x7f60d58d6604 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54
>    #2 0x7f60b6e59040 in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
>    #3 0x7f60b6e59040 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) src/content/base/src/nsTextNode.cpp:106
>    #4 0x7f60ba7ad28e in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) src/parser/html/nsHtml5TreeOperation.cpp:164
>    #5 0x7f60ba7b8517 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) src/parser/html/nsHtml5TreeOperation.cpp:457
>    #6 0x7f60ba7d6676 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:559
>    #7 0x7f60ba81468d in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:127
>    #8 0x7f60c292e20f in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627
>    #9 0x7f60c25a29a5 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:238
>    #10 0x7f60bfa5ac3c in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
>    #11 0x7f60c2c1fc92 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215
>    #12 0x7f60c2c1fac9 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208
>    #13 0x7f60c2c1f99e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182
>    #14 0x7f60bee42b77 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
>    #15 0x7f60bd94d815 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:288
>    #16 0x7f60b2b41d44 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3823
>    #17 0x7f60b2b4792a in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3890
>    #18 0x7f60b2b4a700 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4093
>    #19 0x41db83 in do_main(int, char**, nsIFile*) src/browser/app/nsBrowserApp.cpp:195
>    #20 0x41ae86 in main src/browser/app/nsBrowserApp.cpp:388
>    #21 0x7f60d48b976c in
>Shadow bytes around the buggy address:
>  0x1fec11c7ecc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fec11c7ecd0: 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fec11c7ece0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fec11c7ecf0: 00 00 00 fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fec11c7ed00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>=>0x1fec11c7ed10: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
>  0x1fec11c7ed20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fec11c7ed30: 00 00 fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>  0x1fec11c7ed40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>  0x1fec11c7ed50: 00 00 00 00 00 00 00 00 00 fb fb fb fb fb fb fb
>  0x1fec11c7ed60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:     fa
>  Heap righ redzone:     fb
>  Freed Heap region:     fd
>  Stack left redzone:    f1
>  Stack mid redzone:     f2
>  Stack right redzone:   f3
>  Stack partial redzone: f4
>  Stack after return:    f5
>  Stack use after scope: f8
>  Global redzone:        f9
>  Global init order:     f6
>  Poisoned by user:      f7
>  ASan internal:         fe
>==14226== ABORTING
Flags: sec-bounty?
(In reply to :Ehsan Akhgari from comment #4)

> Please rewrite this like below:
> 
> nsIContent* child = ...;
> while (child) {
>   // stuff inside the loop
> }

That won't work here, because there is another line

  WalkAncestorsResetAutoDirection(aElement, true);

inside the if {} block but outside the do {} block.
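The descendant walk described in the patch comment (every descendant of a node inserted under dir=auto gets the AncestorHasDirAuto flag) and the do/while versus while question discussed above, as an added C++ model; this is not Gecko code and not an attachment on this bug. Node, AppendChild, WalkDescendantsSetFlag, RunScenario and WalkEmptyElement are assumed names, and GetNextNode is modelled on the bounded pre-order successor the hunk calls with aElement as its limit.

```cpp
// Added example (not Gecko code): a minimal DOM-like tree modelling the
// descendant walk from the patch comment. Node, AppendChild,
// WalkDescendantsSetFlag, RunScenario and WalkEmptyElement are assumed
// names that mirror identifiers quoted on the page, not Gecko's API.
#include <cstddef>
#include <memory>
#include <string>
#include <vector>

struct Node {
    std::string name;
    bool isText = false;
    bool ancestorHasDirAuto = false;
    Node* parent = nullptr;
    std::vector<std::unique_ptr<Node>> children;  // parent owns its children

    Node* FirstChild() const { return children.empty() ? nullptr : children.front().get(); }
    Node* NextSibling() const {
        if (!parent) return nullptr;
        const auto& sib = parent->children;
        for (size_t i = 0; i + 1 < sib.size(); ++i)
            if (sib[i].get() == this) return sib[i + 1].get();
        return nullptr;
    }
    void SetAncestorHasDirAuto() { ancestorHasDirAuto = true; }
    bool AncestorHasDirAuto() const { return ancestorHasDirAuto; }

    // Pre-order successor bounded by aRoot, modelled on the GetNextNode(aElement)
    // call in the hunk: descend first, otherwise take the next sibling, climbing
    // toward aRoot but never stepping outside its subtree.
    Node* GetNextNode(const Node* aRoot) const {
        if (Node* c = FirstChild()) return c;
        for (const Node* n = this; n && n != aRoot; n = n->parent)
            if (Node* s = n->NextSibling()) return s;
        return nullptr;
    }
};

// Appends a child and returns a raw pointer to it; ownership stays with aParent.
Node* AppendChild(Node* aParent, const std::string& aName, bool aIsText = false) {
    auto n = std::make_unique<Node>();
    n->name = aName;
    n->isText = aIsText;
    n->parent = aParent;
    Node* raw = n.get();
    aParent->children.push_back(std::move(n));
    return raw;
}

// The walk from the patch comment in the while-first form: every descendant of
// aElement (not aElement itself) is flagged. Unlike the do/while in the quoted
// hunk, this form tests child before dereferencing it, so an element with no
// children is handled without a null dereference. Returns the number flagged.
size_t WalkDescendantsSetFlag(Node* aElement) {
    size_t flagged = 0;
    Node* child = aElement->FirstChild();
    while (child) {
        child->SetAncestorHasDirAuto();
        ++flagged;
        child = child->GetNextNode(aElement);
    }
    return flagged;
}

struct WalkResult { size_t flagged; bool allTextFlagged; bool rootUntouched; };

// Constructed scenario: a subtree of nested elements and text nodes sits under
// an element with dir=auto; the walk must reach every text node in it.
WalkResult RunScenario() {
    Node dirAuto;
    dirAuto.name = "div[dir=auto]";
    Node* span = AppendChild(&dirAuto, "span");
    AppendChild(span, "#text-1", true);
    Node* b = AppendChild(span, "b");
    AppendChild(b, "#text-2", true);
    Node* p = AppendChild(&dirAuto, "p");
    AppendChild(p, "#text-3", true);

    size_t flagged = WalkDescendantsSetFlag(&dirAuto);  // span, #text-1, b, #text-2, p, #text-3
    bool allText = true;
    for (Node* n = dirAuto.FirstChild(); n; n = n->GetNextNode(&dirAuto))
        if (n->isText && !n->AncestorHasDirAuto()) allText = false;
    return {flagged, allText, !dirAuto.AncestorHasDirAuto()};
}

// Edge case behind the review exchange: an element with no children. The
// while-first walk returns 0 without touching a null child pointer.
size_t WalkEmptyElement() {
    Node empty;
    empty.name = "span";
    return WalkDescendantsSetFlag(&empty);
}
```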
Abhishek, please do file a separate bug for the crash in comment 5. It's not bug spam, having one issue per bug makes it easier to track the fixes.
(In reply to Simon Montagu from comment #7)
> Abhishek, please do file a separate bug for the crash in comment 5. It's not
> bug spam, having one issue per bug makes it easier to track the fixes.

Thanks Simon. Filed https://bugzilla.mozilla.org/show_bug.cgi?id=830098.
https://hg.mozilla.org/mozilla-central/rev/7bc1d4a9af9a
https://hg.mozilla.org/mozilla-central/rev/1671d04d9259
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
Flags: sec-bounty? → sec-bounty+
Comment on attachment 699609 [details] [diff] [review]
Patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 548206 (or one of its followups)
User impact if declined: critical security vulnerability
Testing completed (on m-c, etc.): baked on m-c since 2013-01-13
Risk to taking this patch (and alternatives if risky): minimal
String or UUID changes made by this patch: none
Attachment #699609 - Flags: approval-mozilla-aurora?
Comment on attachment 699609 [details] [diff] [review]
Patch

low risk, well baked patch to fix a sec-crit issue. Approving on aurora.
Attachment #699609 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Shouldn't this patch have gotten explicit sec-approval since it is a sec-critical affecting both trunk and aurora?
Yes apparently it should, but I didn't know about sec-approval until now.
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security