Closed Bug 1079815 Opened 10 years ago Closed 10 years ago

Heap-use-after-free in nsRefPtr<nsCSSFontFaceRule>::get()

Categories

(Core :: DOM: CSS Object Model, defect)

x86_64
Linux
defect
Not set
critical

Tracking
VERIFIED FIXED
mozilla35
Tracking Status
firefox34 --- unaffected
firefox35 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: attekett, Assigned: jtd)

References

Details

(5 keywords, Whiteboard: [fixed by bug 1079422])

Attachments

(1 file)

Attached file repro-file.html
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

To reproduce, open the repro-file with an ASAN build of Firefox. For more reliable reproduction I added location.reload at the end of the repro-file. You might need to adjust the timing of that location.reload to reproduce the issue.

ASAN-trace:
==27716==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0001b2438 at pc 0x7f55910c2020 bp 0x7fffe8f033f0 sp 0x7fffe8f033e8
READ of size 8 at 0x60d0001b2438 thread T0
    #0 0x7f55910c201f in get /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:222:0
    #1 0x7f55910c201f in operator nsCSSFontFaceRule * /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:235:0
    #2 0x7f55910c201f in HasRule /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/mozilla/dom/FontFace.h:125:0
    #3 0x7f55910c201f in GetDesc /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:746:0
    #4 0x7f55910c201f in mozilla::dom::FontFace::GetFamilyName(nsString&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:811:0
    #5 0x7f5591058eb3 in mozilla::dom::FontFaceSet::InsertRuleFontFace(mozilla::dom::FontFace*, unsigned char, nsTArray<mozilla::dom::FontFaceSet::FontFaceRecord>&, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:676:0
    #6 0x7f55910581a5 in mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:552:0
    ...

0x60d0001b2438 is located 72 bytes inside of 136-byte region [0x60d0001b23f0,0x60d0001b2478)
freed by thread T0 here:
    #0 0x471b71 in __interceptor_free _asan_rtl_:0
    #1 0x7f558c2e9daa in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2624:0
    #2 0x7f558c2e99b9 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2797:0
    #3 0x7f558d470629 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCJSRuntime.cpp:228:0
    #4 0x7f558c3ddf71 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830:0
    #5 0x7f558c43b43a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265:0
    ...
Component: General → DOM: CSS Object Model
[Tracking Requested - why for this release]: regression

Most probably a regression from bug 1028497.
I can reproduce the crash in a local Linux64 ASAN debug build - within a few seconds. Backing out bug 1077746 (using the first patch in bug 1079422) makes the crash go away - I ran it for about 10 minutes without any problems.
Severity: normal → critical
Depends on: 1079422
Flags: in-testsuite?
Keywords: crash, testcase
The stack in comment 0 leading up to the crash:
...
#3 GetDesc
#4 mozilla::dom::FontFace::GetFamilyName
#5 mozilla::dom::FontFaceSet::InsertRuleFontFace
#6 mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer>
is the same as in bp-1a9abd4a-7c0a-4469-910e-a1c442141007, so I think this bug is likely a dupe of bug 1079422. It's just that an ASAN build crashes a bit earlier, so the top stack frames differ slightly.
Mats, can you confirm that this is fixed now that bug 1079422 has landed? Thanks.
Flags: needinfo?(mats)
Yes, I can't reproduce it anymore. Resolving as fixed by bug 1079422.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mats)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1079422]
Target Milestone: --- → mozilla35
Thanks for checking.
Assignee: nobody → jdaggett
Keywords: regression
Confirmed crash on Fx35, 2014-10-06. Verified fixed on Fx35, release candidate, 2015-01-06.
Status: RESOLVED → VERIFIED
Group: core-security