Closed Bug 1079815 Opened 5 years ago Closed 5 years ago

Heap-use-after-free in nsRefPtr<nsCSSFontFaceRule>::get()

Categories

Core :: DOM: CSS Object Model, defect, critical
Platform: x86_64 Linux
Priority: Not set

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla35
Tracking Status:
firefox34 --- unaffected
firefox35 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: attekett, Assigned: jtd)

Details

(5 keywords, Whiteboard: [fixed by bug 1079422])

Attachments

(1 file)

Attached file repro-file.html
Tested on:

OS: Ubuntu 12.04

Firefox: ASAN build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/

To reproduce, open the repro-file with an ASAN build of Firefox. For more reliable reproduction I added a location.reload at the end of the repro-file. You might need to adjust the timing of that location.reload to reproduce the issue.

ASAN-trace:

==27716==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0001b2438 at pc 0x7f55910c2020 bp 0x7fffe8f033f0 sp 0x7fffe8f033e8
READ of size 8 at 0x60d0001b2438 thread T0
    #0 0x7f55910c201f in get /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:222:0    
    #1 0x7f55910c201f in operator nsCSSFontFaceRule * /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/nsRefPtr.h:235:0    
    #2 0x7f55910c201f in HasRule /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/style/../../dist/include/mozilla/dom/FontFace.h:125:0    
    #3 0x7f55910c201f in GetDesc /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:746:0    
    #4 0x7f55910c201f in mozilla::dom::FontFace::GetFamilyName(nsString&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFace.cpp:811:0
    #5 0x7f5591058eb3 in mozilla::dom::FontFaceSet::InsertRuleFontFace(mozilla::dom::FontFace*, unsigned char, nsTArray<mozilla::dom::FontFaceSet::FontFaceRecord>&, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:676:0
    #6 0x7f55910581a5 in mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer> const&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/FontFaceSet.cpp:552:0
.
.
.
0x60d0001b2438 is located 72 bytes inside of 136-byte region [0x60d0001b23f0,0x60d0001b2478)
freed by thread T0 here:
    #0 0x471b71 in __interceptor_free _asan_rtl_:0
    #1 0x7f558c2e9daa in SnowWhiteKiller::~SnowWhiteKiller() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2624:0
    #2 0x7f558c2e99b9 in nsCycleCollector::FreeSnowWhite(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/base/nsCycleCollector.cpp:2797:0
    #3 0x7f558d470629 in AsyncFreeSnowWhite::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/js/xpconnect/src/XPCJSRuntime.cpp:228:0
    #4 0x7f558c3ddf71 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:830:0
    #5 0x7f558c43b43a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:265:0
.
.
.
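How to read the report above: the faulting READ is nsRefPtr::get() on a member 72 bytes into a 136-byte heap region that the cycle collector (SnowWhiteKiller, via AsyncFreeSnowWhite) had already freed. In other words, the object whose member is being read was deleted while the caller up the stack (FontFaceSet::UpdateRules → InsertRuleFontFace) still held a pointer to it. The C program below is an added illustration of that defect class and is not Gecko code: a toy refcounted object and a container modelled loosely on FontFace/FontFaceSet (all names are invented stand-ins). The raw-pointer insert reproduces a heap-use-after-free with the same "freed by" shape when compiled with `-fsanitize=address -DDEMO_UAF`; the strong-reference insert, the equivalent of holding an nsRefPtr, keeps the object alive for as long as the container refers to it. The buggy path is gated behind DEMO_UAF because it is undefined behaviour outside a sanitizer build.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Gecko code: font_face / font_face_set are stand-ins
 * for a refcounted DOM object and a container that refers to it. */

static int g_live_faces = 0;   /* font_face objects allocated and not yet freed */

struct font_face {
    int refcnt;
    char family[32];
};

struct font_face *face_create(const char *family) {
    struct font_face *f = calloc(1, sizeof *f);
    if (!f) abort();
    f->refcnt = 1;                       /* creator holds the first reference */
    snprintf(f->family, sizeof f->family, "%s", family);
    g_live_faces++;
    return f;
}

void face_addref(struct font_face *f) { f->refcnt++; }

void face_release(struct font_face *f) {
    if (--f->refcnt == 0) {
        g_live_faces--;
        free(f);                         /* the "freed by thread T0 here" frame */
    }
}

#define MAX_FACES 8
struct font_face_set {
    struct font_face *faces[MAX_FACES];
    int count;
};

/* Buggy variant: remembers a raw pointer without taking a reference, so the
 * entry dangles as soon as the last real owner releases the object. */
int set_insert_raw(struct font_face_set *s, struct font_face *f) {
    if (s->count == MAX_FACES) return -1;
    s->faces[s->count++] = f;
    return 0;
}

/* Fixed variant: takes a strong reference, as an nsRefPtr member would. */
int set_insert_strong(struct font_face_set *s, struct font_face *f) {
    if (s->count == MAX_FACES) return -1;
    face_addref(f);
    s->faces[s->count++] = f;
    return 0;
}

/* Reads through the stored pointer (the get() in the trace); -1 if out of range. */
int set_family_name(const struct font_face_set *s, int i, char *out, size_t n) {
    if (i < 0 || i >= s->count) return -1;
    snprintf(out, n, "%s", s->faces[i]->family);
    return 0;
}

/* Drops the container's references; frees whatever it was the last owner of. */
void set_clear(struct font_face_set *s) {
    for (int i = 0; i < s->count; i++) face_release(s->faces[i]);
    s->count = 0;
}

int live_faces(void) { return g_live_faces; }

int main(void) {
    struct font_face_set set = {0};
    char name[32];

    struct font_face *f = face_create("Foo");
    set_insert_strong(&set, f);
    face_release(f);                     /* creator is done; the set still owns one ref */
    set_family_name(&set, 0, name, sizeof name);
    printf("strong ref: %s, live objects = %d\n", name, live_faces());
    set_clear(&set);                     /* last reference dropped, object freed */

#ifdef DEMO_UAF
    /* cc -g -fsanitize=address -DDEMO_UAF this_file.c && ./a.out
     * ASAN reports heap-use-after-free: READ inside set_family_name, region
     * freed by face_release, allocated by face_create. */
    f = face_create("Bar");
    set_insert_raw(&set, f);
    face_release(f);                     /* only reference gone; set.faces[0] dangles */
    set_family_name(&set, 0, name, sizeof name);
    set.count = 0;                       /* do not release the dangling entry again */
#endif
    return 0;
}
```

The two inserts differ by one line; the whole bug is whether the container participates in ownership. Under ASAN the raw variant produces the same three-part report as the trace above (access stack, "freed by" stack, allocation stack), which is what makes these reports read as "who freed it" rather than just "where it crashed".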
Component: General → DOM: CSS Object Model
[Tracking Requested - why for this release]:
regression

Most probably a regression from bug 1028497
Blocks: 1028497
I can reproduce the crash in a local Linux64 ASAN debug build, within a few seconds. Backing out bug 1077746 (using the first patch in bug 1079422) makes the crash go away; I ran it for about 10 minutes without any problems.
Severity: normal → critical
Depends on: 1079422
Flags: in-testsuite?
Keywords: crash, testcase
The stack in comment 0 leading up to the crash:
    ...
    #3 GetDesc 
    #4 mozilla::dom::FontFace::GetFamilyName
    #5 mozilla::dom::FontFaceSet::InsertRuleFontFace
    #6 mozilla::dom::FontFaceSet::UpdateRules(nsTArray<nsFontFaceRuleContainer> 

is the same as in bp-1a9abd4a-7c0a-4469-910e-a1c442141007, so I think this bug is likely a dupe of bug 1079422. It's just that an ASAN build crashes a bit earlier, so the top stack frames differ slightly.
Mats, can you confirm that this is fixed now that bug 1079422 has landed?  Thanks.
Flags: needinfo?(mats)
Yes, I can't reproduce it anymore.  Resolving as fixed by bug 1079422.
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(mats)
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1079422]
Target Milestone: --- → mozilla35
Thanks for checking.
Assignee: nobody → jdaggett
Keywords: regression
Confirmed crash on Fx35, 2014-10-06.
Verified fixed on Fx35, release candidate, 2015-01-06.
Status: RESOLVED → VERIFIED
Group: core-security