Closed Bug 1135534 Opened 5 years ago Closed 5 years ago

Heap-use-after-free in UnlockEnumerator

Categories

(Core :: CSS Parsing and Computation, defect)

Tracking

RESOLVED FIXED
mozilla39
Tracking Status
firefox37 --- unaffected
firefox38 + fixed
firefox39 + fixed
firefox-esr31 --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- unaffected
b2g-v2.0M --- unaffected
b2g-v2.1 --- unaffected
b2g-v2.1S --- unaffected
b2g-v2.2 --- unaffected
b2g-master --- fixed

People

(Reporter: inferno, Assigned: xidorn)

Details

(Keywords: csectype-uaf, sec-critical, Whiteboard: [asan][fixed by bug 1135954])

Attachments

(4 files)

Attached file Testcase
=================================================================
==28860==ERROR: AddressSanitizer: heap-use-after-free on address 0x61d0178f6600 at pc 0x7f61b70db777 bp 0x7fff9c535960 sp 0x7fff9c535958
READ of size 8 at 0x61d0178f6600 thread T0 (Web Content)
    #0 0x7f61b70db776 in UnlockEnumerator(imgIRequest*, unsigned int, void*) /build/firefox/src/dom/base/nsDocument.cpp:10591:3
    #1 0x7f61b7114ede in nsBaseHashtable<nsPtrHashKey<imgIRequest>, unsigned int, unsigned int>::s_EnumReadStub(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*) /build/firefox/src/objdir-ff-asan/dom/base/../../dist/include/nsBaseHashtable.h:391:25
    #2 0x7f61b4e79fa2 in Enumerate /build/firefox/src/xpcom/glue/pldhash.cpp:767:28
    #3 0x7f61b4e79fa2 in PL_DHashTableEnumerate(PLDHashTable*, PLDHashOperator (*)(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*), void*) /build/firefox/src/xpcom/glue/pldhash.cpp:818
    #4 0x7f61b70db90c in EnumerateRead /build/firefox/src/objdir-ff-asan/dom/base/../../dist/include/nsBaseHashtable.h:174:12
    #5 0x7f61b70db90c in nsDocument::SetImageLockingState(bool) /build/firefox/src/dom/base/nsDocument.cpp:10609
    #6 0x7f61b7075470 in nsDocument::~nsDocument() /build/firefox/src/dom/base/nsDocument.cpp:1785:3
    #7 0x7f61b91d6a9d in nsHTMLDocument::~nsHTMLDocument() /build/firefox/src/dom/html/nsHTMLDocument.cpp:200:1
    #8 0x7f61b4d125bf in SnowWhiteKiller::~SnowWhiteKiller() /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2646:9
    #9 0x7f61b4d119a7 in ~RemoveSkippableVisitor /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2750:3
    #10 0x7f61b4d119a7 in nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, bool, bool, void (*)()) /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2791
    #11 0x7f61b4d1ab0b in ForgetSkippable /build/firefox/src/xpcom/base/nsCycleCollector.cpp:2833:3
    #12 0x7f61b4d1ab0b in nsCycleCollector_forgetSkippable(bool, bool) /build/firefox/src/xpcom/base/nsCycleCollector.cpp:4132
    #13 0x7f61b71a6434 in FireForgetSkippable(unsigned int, bool) /build/firefox/src/dom/base/nsJSEnvironment.cpp:1326:3
    #14 0x7f61b71a96c2 in CCTimerFired(nsITimer*, void*) /build/firefox/src/dom/base/nsJSEnvironment.cpp:1864:7
    #15 0x7f61b4e21024 in nsTimerImpl::Fire() /build/firefox/src/xpcom/threads/nsTimerImpl.cpp:631:7
    #16 0x7f61b4e21b90 in nsTimerEvent::Run() /build/firefox/src/xpcom/threads/nsTimerImpl.cpp:724:3
    #17 0x7f61b4e17055 in nsThread::ProcessNextEvent(bool, bool*) /build/firefox/src/xpcom/threads/nsThread.cpp:855:7
    #18 0x7f61b4e7526c in NS_ProcessNextEvent(nsIThread*, bool) /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265:10
    #19 0x7f61b570a8bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /build/firefox/src/ipc/glue/MessagePump.cpp:140:5
    #20 0x7f61b56b2a61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:233:3
    #21 0x7f61b56b2a61 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:226
    #22 0x7f61b56b2a61 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:200
    #23 0x7f61ba10845f in nsBaseAppShell::Run() /build/firefox/src/widget/nsBaseAppShell.cpp:164:3
    #24 0x7f61bbd39603 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:743:12
    #25 0x7f61b56b2a61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:233:3
    #26 0x7f61b56b2a61 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:226
    #27 0x7f61b56b2a61 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:200
    #28 0x7f61bbd38a2c in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:580:7
    #29 0x4db12e in content_process_main(int, char**) /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:211:19
    #30 0x7f61b23ddec4 in __libc_start_main

0x61d0178f6600 is located 0 bytes inside of 120-byte region [0x61d0178f6600,0x61d0178f6678)
freed by thread T0 (Web Content) here:
    #0 0x4b55d0 in __interceptor_free _asan_rtl_
    #1 0x7f61b6c18308 in imgRequestProxy::Release() /build/firefox/src/image/src/imgRequestProxy.cpp:94:1
    #2 0x7f61b4e79ff8 in RawRemove /build/firefox/src/xpcom/glue/pldhash.cpp:721:3
    #3 0x7f61b4e79ff8 in PL_DHashTableRawRemove /build/firefox/src/xpcom/glue/pldhash.cpp:735
    #4 0x7f61b4e79ff8 in Enumerate /build/firefox/src/xpcom/glue/pldhash.cpp:770
    #5 0x7f61b4e79ff8 in PL_DHashTableEnumerate(PLDHashTable*, PLDHashOperator (*)(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*), void*) /build/firefox/src/xpcom/glue/pldhash.cpp:818
    #6 0x7f61ba56f5ef in Enumerate /build/firefox/src/objdir-ff-asan/layout/style/../../dist/include/nsBaseHashtable.h:206:12
    #7 0x7f61ba56f5ef in ~ImageValue /build/firefox/src/layout/style/nsCSSValue.cpp:2459
    #8 0x7f61ba56f5ef in mozilla::css::ImageValue::Release() /build/firefox/src/layout/style/nsCSSValue.h:142
    #9 0x7f61ba56ee19 in nsCSSValue::DoReset() /build/firefox/src/layout/style/nsCSSValue.cpp:352:5
    #10 0x7f61ba5263cf in Reset /build/firefox/src/layout/style/nsCSSValue.h:656:7
    #11 0x7f61ba5263cf in ~nsCSSValue /build/firefox/src/layout/style/nsCSSValue.h:412
    #12 0x7f61ba5263cf in nsCSSCompressedDataBlock::~nsCSSCompressedDataBlock() /build/firefox/src/layout/style/nsCSSDataBlock.cpp:334
    #13 0x7f61ba4bb619 in ~nsAutoPtr /build/firefox/src/objdir-ff-asan/layout/style/../../dist/include/nsAutoPtr.h:74:5
    #14 0x7f61ba4bb619 in mozilla::css::Declaration::~Declaration() /build/firefox/src/layout/style/Declaration.cpp:48
    #15 0x7f61ba51b7a6 in mozilla::css::StyleRule::~StyleRule() /build/firefox/src/layout/style/StyleRule.cpp:1374:3
    #16 0x7f61ba51b9ed in mozilla::css::StyleRule::~StyleRule() /build/firefox/src/layout/style/StyleRule.cpp:1372:1
    #17 0x7f61ba519a87 in mozilla::css::StyleRule::Release() /build/firefox/src/layout/style/StyleRule.cpp:1393:1
    #18 0x7f61b4e58254 in ReleaseObjects /build/firefox/src/xpcom/glue/nsCOMArray.cpp:267:5
    #19 0x7f61b4e58254 in nsCOMArray_base::Clear() /build/firefox/src/xpcom/glue/nsCOMArray.cpp:276
    #20 0x7f61ba4a17ec in mozilla::CSSStyleSheet::UnlinkInner() /build/firefox/src/layout/style/CSSStyleSheet.cpp:1075:3
    #21 0x7f61ba4a2cd6 in mozilla::CSSStyleSheet::cycleCollection::Unlink(void*) /build/firefox/src/layout/style/CSSStyleSheet.cpp:1148:3
    #22 0x7f61b4d14850 in nsCycleCollector::CollectWhite() /build/firefox/src/xpcom/base/nsCycleCollector.cpp:3279:5
    #23 0x7f61b4d1761f in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /build/firefox/src/xpcom/base/nsCycleCollector.cpp:3610:24
    #24 0x7f61b4d1b43d in nsCycleCollector_collectSlice(js::SliceBudget&, bool) /build/firefox/src/xpcom/base/nsCycleCollector.cpp:4198:3
    #25 0x7f61b71a6898 in nsJSContext::RunCycleCollectorSlice() /build/firefox/src/dom/base/nsJSEnvironment.cpp:1533:3
    #26 0x7f61b4e21024 in nsTimerImpl::Fire() /build/firefox/src/xpcom/threads/nsTimerImpl.cpp:631:7
    #27 0x7f61b4e21b90 in nsTimerEvent::Run() /build/firefox/src/xpcom/threads/nsTimerImpl.cpp:724:3
    #28 0x7f61b4e17055 in nsThread::ProcessNextEvent(bool, bool*) /build/firefox/src/xpcom/threads/nsThread.cpp:855:7
    #29 0x7f61b4e7526c in NS_ProcessNextEvent(nsIThread*, bool) /build/firefox/src/xpcom/glue/nsThreadUtils.cpp:265:10
    #30 0x7f61b570a8bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /build/firefox/src/ipc/glue/MessagePump.cpp:140:5
    #31 0x7f61b56b2a61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:233:3
    #32 0x7f61b56b2a61 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:226
    #33 0x7f61b56b2a61 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:200
    #34 0x7f61ba10845f in nsBaseAppShell::Run() /build/firefox/src/widget/nsBaseAppShell.cpp:164:3
    #35 0x7f61bbd39603 in XRE_RunAppShell /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:743:12
    #36 0x7f61b56b2a61 in RunInternal /build/firefox/src/ipc/chromium/src/base/message_loop.cc:233:3
    #37 0x7f61b56b2a61 in RunHandler /build/firefox/src/ipc/chromium/src/base/message_loop.cc:226
    #38 0x7f61b56b2a61 in MessageLoop::Run() /build/firefox/src/ipc/chromium/src/base/message_loop.cc:200
    #39 0x7f61bbd38a2c in XRE_InitChildProcess /build/firefox/src/toolkit/xre/nsEmbedFunctions.cpp:580:7
    #40 0x4db12e in content_process_main(int, char**) /build/firefox/src/ipc/app/../contentproc/plugin-container.cpp:211:19
    #41 0x7f61b23ddec4 in __libc_start_main

previously allocated by thread T0 (Web Content) here:
    #0 0x4b58e8 in __interceptor_malloc _asan_rtl_
    #1 0x7f61c1f9d6ed in moz_xmalloc /build/firefox/src/memory/mozalloc/mozalloc.cpp:52:17
    #2 0x7f61b6c1da23 in operator new /build/firefox/src/objdir-ff-asan/image/src/../../dist/include/mozilla/mozalloc.h:209:12
    #3 0x7f61b6c1da23 in NewProxy(imgRequestProxy*) /build/firefox/src/image/src/imgRequestProxy.cpp:582
    #4 0x7f61b6c1d5ee in imgRequestProxy::PerformClone(imgINotificationObserver*, imgRequestProxy* (*)(imgRequestProxy*), imgRequestProxy**) /build/firefox/src/image/src/imgRequestProxy.cpp:618:37
    #5 0x7f61b6c1d4d5 in imgRequestProxy::Clone(imgINotificationObserver*, imgRequestProxy**) /build/firefox/src/image/src/imgRequestProxy.cpp:606:10
    #6 0x7f61ba4d4a7c in mozilla::css::ImageLoader::LoadImage(nsIURI*, nsIPrincipal*, nsIURI*, mozilla::css::ImageValue*) /build/firefox/src/layout/style/ImageLoader.cpp:299:17
    #7 0x7f61ba576ce0 in mozilla::css::ImageValue::ImageValue(nsIURI*, nsStringBuffer*, nsIURI*, nsIPrincipal*, nsIDocument*) /build/firefox/src/layout/style/nsCSSValue.cpp:2423:3
    #8 0x7f61ba572233 in nsCSSValue::StartImageLoad(nsIDocument*) const /build/firefox/src/layout/style/nsCSSValue.cpp:705:9
    #9 0x7f61ba5ad552 in TryToStartImageLoadOnValue(nsCSSValue const&, nsIDocument*, nsCSSValueTokenStream*) /build/firefox/src/layout/style/nsCSSDataBlock.cpp:58:5
    #10 0x7f61ba525b48 in MapSinglePropertyInto(nsCSSProperty, nsCSSValue const*, nsCSSValue*, nsRuleData*) /build/firefox/src/layout/style/nsCSSDataBlock.cpp:146:9
    #11 0x7f61ba525316 in nsCSSCompressedDataBlock::MapRuleInfoInto(nsRuleData*) const /build/firefox/src/layout/style/nsCSSDataBlock.cpp:261:17
    #12 0x7f61ba51c710 in MapNormalRuleInfoInto /build/firefox/src/layout/style/Declaration.h:175:5
    #13 0x7f61ba51c710 in mozilla::css::StyleRule::MapRuleInfoInto(nsRuleData*) /build/firefox/src/layout/style/StyleRule.cpp:1470
    #14 0x7f61ba661c55 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /build/firefox/src/layout/style/nsRuleNode.cpp:2269:7
    #15 0x7f61ba6daf96 in GetStyleBorder /build/firefox/src/objdir-ff-asan/layout/style/./nsStyleStructList.h:186:1
    #16 0x7f61ba6daf96 in DoGetStyleBorder /build/firefox/src/objdir-ff-asan/layout/style/./nsStyleStructList.h:186
    #17 0x7f61ba6daf96 in StyleBorder /build/firefox/src/objdir-ff-asan/layout/style/./nsStyleStructList.h:186
    #18 0x7f61ba6daf96 in nsStyleContext::ApplyStyleFixups(bool) /build/firefox/src/layout/style/nsStyleContext.cpp:623
    #19 0x7f61ba6f825d in NS_NewStyleContext(nsStyleContext*, nsIAtom*, nsCSSPseudoElements::Type, nsRuleNode*, bool) /build/firefox/src/layout/style/nsStyleContext.cpp:1028:5
    #20 0x7f61ba7016e3 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, nsCSSPseudoElements::Type, mozilla::dom::Element*, unsigned int) /build/firefox/src/layout/style/nsStyleSet.cpp:856:14
    #21 0x7f61ba7069e9 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /build/firefox/src/layout/style/nsStyleSet.cpp:1290:10
    #22 0x7f61ba83542b in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:4829:16
    #23 0x7f61ba831780 in ResolveStyleContext /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:4798:10
    #24 0x7f61ba831780 in ResolveStyleContext /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:4814
    #25 0x7f61ba831780 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:5414
    #26 0x7f61ba81b503 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:10403:9
    #27 0x7f61ba81d28d in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:2130:5
    #28 0x7f61ba82e70c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:3743:7
    #29 0x7f61ba83ae94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:5915:3
    #30 0x7f61ba81b90c in ConstructFramesFromItemList /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:10222:5
    #31 0x7f61ba81b90c in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:10421
    #32 0x7f61ba819c3c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:2047:5
    #33 0x7f61ba82e70c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:3743:7
    #34 0x7f61ba83ae94 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:5915:3
    #35 0x7f61ba8491d2 in ConstructFramesFromItemList /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:10222:5
    #36 0x7f61ba8491d2 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:7233
    #37 0x7f61ba842f9c in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:6874:5
    #38 0x7f61ba843055 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /build/firefox/src/layout/base/nsCSSFrameConstructor.cpp:6881:7

==28860==ABORTING

###!!! [Parent][MessageChannel] Error: Channel error: cannot send/recv
Just an FYI, you need to let a few reloads happen to reproduce. Sometimes you need to wait for like 20-25 secs.
Whiteboard: [asan]
Do we know if this is a recent regression?
Xidorn, do you know if this is related to the ruby stuff you've been working on?  It is in the test case, and I think was added recently, though I don't know how that might interact with images.
Flags: needinfo?(quanxunzhen)
Flags: sec-bounty?
I guess one thing that is probably related to this problem is that, for ruby base containers (as well as ruby text containers), StyleBorder is computed while constructing nsStyleContext (in nsStyleContext::ApplyStyleFixups), and then border-width is set to zero there.
Flags: needinfo?(quanxunzhen)
I guess I can avoid this particular bug by not computing StyleBorder in ApplyStyleFixups. But it is unknown whether there is any other problem.
It looks like we are getting a nsDocument::AddImage call without a corresponding nsDocument::RemoveImage call when the image goes away. In this case I would expect nsStyleImage::TrackImage and nsStyleImage::UntrackImage to manage that. nsStyleImage has a mImageTracked field in debug builds, but it doesn't appear to assert in the nsStyleImage destructor if mImageTracked is still true.
Filed bug 1135954 (w/o mentioning this bug there, though) which may bypass this condition. But it is still worth seeing what actually happens here.
Maybe bug 1135313 will end up fixing this for free...
Attached file improved testcase
This testcase changes the URL to some image which is available on all platforms. With this change, the testcase can deterministically crash on an assert debug build on all platforms:

Assertion failure: mImageTracked (Should be tracking any image we're going to use!), at c:\mozilla-source\central\layout\style\nsStyleStruct.h:224
#01: nsStyleBorder::GetBorderImageRequest (c:\mozilla-source\central\layout\style\nsstylestruct.h:994)
#02: nsFrame::DidSetStyleContext (c:\mozilla-source\central\layout\generic\nsframe.cpp:835)
#03: nsFrame::Init (c:\mozilla-source\central\layout\generic\nsframe.cpp:599)
#04: nsSplittableFrame::Init (c:\mozilla-source\central\layout\generic\nssplittableframe.cpp:26)
#05: nsContainerFrame::Init (c:\mozilla-source\central\layout\generic\nscontainerframe.cpp:61)
#06: nsCSSFrameConstructor::InitAndRestoreFrame (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:4759)
#07: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3775)
#08: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#09: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#10: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3881)
#11: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#12: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#13: nsCSSFrameConstructor::ConstructTableCell (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:2247)
#14: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3744)
#15: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#16: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#17: nsCSSFrameConstructor::ConstructTableRowOrRowGroup (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:2129)
#18: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3744)
#19: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#20: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#21: nsCSSFrameConstructor::ProcessChildren (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10424)
#22: nsCSSFrameConstructor::ConstructTableRowOrRowGroup (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:2134)
#23: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3744)
#24: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#25: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#26: nsCSSFrameConstructor::ProcessChildren (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10424)
#27: nsCSSFrameConstructor::ConstructTable (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:2051)
#28: nsCSSFrameConstructor::ConstructFrameFromItemInternal (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:3744)
#29: nsCSSFrameConstructor::ConstructFramesFromItem (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:5917)
#30: nsCSSFrameConstructor::ConstructFramesFromItemList (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:10223)
#31: nsCSSFrameConstructor::ContentAppended (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:7235)
#32: nsCSSFrameConstructor::CreateNeededFrames (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:6878)
#33: nsCSSFrameConstructor::CreateNeededFrames (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:6883)
#34: nsCSSFrameConstructor::CreateNeededFrames (c:\mozilla-source\central\layout\base\nscssframeconstructor.cpp:6897)
#35: mozilla::RestyleManager::ProcessPendingRestyles (c:\mozilla-source\central\layout\base\restylemanager.cpp:1635)
#36: PresShell::FlushPendingNotifications (c:\mozilla-source\central\layout\base\nspresshell.cpp:4315)
#37: nsRefreshDriver::Tick (c:\mozilla-source\central\layout\base\nsrefreshdriver.cpp:1599)
#38: mozilla::RefreshDriverTimer::TickDriver (c:\mozilla-source\central\layout\base\nsrefreshdriver.cpp:199)
#39: mozilla::RefreshDriverTimer::Tick (c:\mozilla-source\central\layout\base\nsrefreshdriver.cpp:190)
#40: mozilla::RefreshDriverTimer::Tick (c:\mozilla-source\central\layout\base\nsrefreshdriver.cpp:167)
#41: mozilla::RefreshDriverTimer::TimerTick (c:\mozilla-source\central\layout\base\nsrefreshdriver.cpp:213)
#42: nsTimerImpl::Fire (c:\mozilla-source\central\xpcom\threads\nstimerimpl.cpp:632)
#43: nsTimerEvent::Run (c:\mozilla-source\central\xpcom\threads\nstimerimpl.cpp:729)
#44: nsThread::ProcessNextEvent (c:\mozilla-source\central\xpcom\threads\nsthread.cpp:855)
#45: NS_ProcessNextEvent (c:\mozilla-source\central\xpcom\glue\nsthreadutils.cpp:265)
#46: mozilla::ipc::MessagePump::Run (c:\mozilla-source\central\ipc\glue\messagepump.cpp:99)
#47: MessageLoop::RunInternal (c:\mozilla-source\central\ipc\chromium\src\base\message_loop.cc:234)
#48: MessageLoop::RunHandler (c:\mozilla-source\central\ipc\chromium\src\base\message_loop.cc:227)
#49: MessageLoop::Run (c:\mozilla-source\central\ipc\chromium\src\base\message_loop.cc:201)
#50: nsBaseAppShell::Run (c:\mozilla-source\central\widget\nsbaseappshell.cpp:166)
#51: nsAppShell::Run (c:\mozilla-source\central\widget\windows\nsappshell.cpp:178)
#52: nsAppStartup::Run (c:\mozilla-source\central\toolkit\components\startup\nsappstartup.cpp:281)
#53: XREMain::XRE_mainRun (c:\mozilla-source\central\toolkit\xre\nsapprunner.cpp:4160)
#54: XREMain::XRE_main (c:\mozilla-source\central\toolkit\xre\nsapprunner.cpp:4236)
#55: XRE_main (c:\mozilla-source\central\toolkit\xre\nsapprunner.cpp:4456)
#56: do_main (c:\mozilla-source\central\browser\app\nsbrowserapp.cpp:294)
#57: NS_internal_main (c:\mozilla-source\central\browser\app\nsbrowserapp.cpp:667)
#58: wmain (c:\mozilla-source\central\toolkit\xre\nswindowswmain.cpp:117)
#59: __tmainCRTStartup (f:\dd\vctools\crt\crtw32\startup\crt0.c:255)
#60: BaseThreadInitThunk[KERNEL32 +0x13d2]
#61: RtlUserThreadStart[ntdll +0x6eb64]
It is because nsStyleContext::ApplyStyleFixups may copy the nsStyleBorder but doesn't call the TrackImage of the newly created one. It means there is probably no further problem, and my patch in bug 1135954 could fix this bug completely.
Hardware: x86_64 → All
[Tracking Requested - why for this release]:
Component: DOM → CSS Parsing and Computation
Assignee: nobody → quanxunzhen
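A simplified model of the track/untrack contract discussed in the comments above, added here as an illustration; it is not Gecko code and not the patch from bug 1135954. Tracker, ManualBorder, TrackedBorder and the three scenario functions are hypothetical names. The model shows a copy that carries no registration failing the "tracked before use" check, an add with no matching remove leaving a table key that outlives its request, and an RAII wrapper that keeps both balanced.

```cpp
#include <cstddef>
#include <memory>
#include <unordered_map>

struct Request { int id; };  // constructed stand-in for an image request

// Stand-in for the document's image table (raw-pointer keys plus a use count);
// the weak_ptr is added so stale keys can be counted, never dereferenced.
class Tracker {
 public:
  void Add(const std::shared_ptr<Request>& r) {
    Entry& e = table_[r.get()];
    ++e.count;
    e.alive = r;
  }
  void Remove(const std::shared_ptr<Request>& r) {
    auto it = table_.find(r.get());
    if (it != table_.end() && --it->second.count == 0) table_.erase(it);
  }
  // Entries whose request is already destroyed: what a teardown walk would hit.
  std::size_t StaleEntries() const {
    std::size_t n = 0;
    for (const auto& kv : table_) n += kv.second.alive.expired() ? 1 : 0;
    return n;
  }
 private:
  struct Entry { unsigned count = 0; std::weak_ptr<Request> alive; };
  std::unordered_map<const Request*, Entry> table_;
};

// Manual contract: callers must pair Track() with Untrack() themselves.
struct ManualBorder {
  std::shared_ptr<Request> image;
  bool tracked = false;
  explicit ManualBorder(const std::shared_ptr<Request>& r) : image(r) {}
  // The copy shares the image but carries no registration of its own.
  ManualBorder(const ManualBorder& o) : image(o.image), tracked(false) {}
  void Track(Tracker& t) { t.Add(image); tracked = true; }
  void Untrack(Tracker& t) { t.Remove(image); tracked = false; }
  // Same condition as the mImageTracked assertion, reported as nullptr.
  const Request* Use() const { return tracked ? image.get() : nullptr; }
};

// RAII contract: construction, copy and destruction keep the table balanced.
class TrackedBorder {
 public:
  TrackedBorder(Tracker& t, const std::shared_ptr<Request>& r)
      : t_(t), image_(r) { t_.Add(image_); }
  TrackedBorder(const TrackedBorder& o) : TrackedBorder(o.t_, o.image_) {}
  ~TrackedBorder() { t_.Remove(image_); }
  const Request* Use() const { return image_.get(); }
 private:
  Tracker& t_;
  std::shared_ptr<Request> image_;
};

// A copied-but-never-tracked border fails the "tracked before use" check.
bool ManualCopyUsable() {
  Tracker doc;
  ManualBorder original(std::make_shared<Request>(Request{1}));
  original.Track(doc);
  bool usable = ManualBorder(original).Use() != nullptr;  // fixup-style copy
  original.Untrack(doc);
  return usable;
}

// An Add with no matching Remove leaves a key that outlives its request.
std::size_t ManualStaleAfterDrop() {
  Tracker doc;
  {
    ManualBorder b(std::make_shared<Request>(Request{2}));
    b.Track(doc);
  }  // destroyed while still tracked; nothing checks the flag here
  return doc.StaleEntries();
}

// With RAII the copy is usable and nothing is left behind at teardown.
bool RaiiBalanced() {
  Tracker doc;
  {
    TrackedBorder original(doc, std::make_shared<Request>(Request{3}));
    TrackedBorder fixedUp(original);
    if (fixedUp.Use() == nullptr) return false;
  }
  return doc.StaleEntries() == 0;
}

int main() {
  return !ManualCopyUsable() && ManualStaleAfterDrop() == 1 && RaiiBalanced() ? 0 : 1;
}
```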
After bug 1135954 gets fixed on aurora and nightly.
Attachment #8568393 - Flags: review?(dholbert)
[Tracking Requested - why for this release]:
Comment on attachment 8568393 [details] [diff] [review]
crashtest (DO NOT LAND UNTIL BUG IS PUBLIC)

(In reply to Xidorn Quan [:xidorn] (UTC+11) from comment #12)
> Created attachment 8568393 [details] [diff] [review]
> crashtest
> 
> After bug 1135954 gets fixed on aurora and nightly.

Please don't land this test until *after* this bug is public.
(as always for security bugs)
Attachment #8568393 - Attachment description: crashtest → crashtest (DO NOT LAND UNTIL BUG IS PUBLIC)
heycam, could you review the patch for bug 1135954 which fixes this security bug?
Flags: needinfo?(cam)
Done.
Flags: needinfo?(cam)
Approval Request Comment
[Feature/regressing bug #]: bug 1055667
[User impact if declined]: this security bug
[Describe test coverage new/current, TreeHerder]: no change to rendering tests for bug 1055667. security tests will be landed later.
[Risks and why]: no risk given CSS ruby was just enabled several days ago; we won't break things we supported before with this patch.
[String/UUID change made/needed]: n/a
Attachment #8569702 - Flags: approval-mozilla-aurora?
Is this only needed on Aurora since bug 1135954 just landed?
(In reply to Al Billings [:abillings] from comment #18)
> Is this only needed on Aurora since bug 1135954 just landed?

This patch is the same patch landed in bug 1135954. I request approval here because I don't want to make the relationship between these bugs public, and uplifting doesn't make sense for bug 1135954 itself.
(In reply to Al Billings [:abillings] from comment #18)
> Is this only needed on Aurora since bug 1135954 just landed?

If you meant, it does not need to be in Nightly, then yes, because bug 1135954 will be landed on Nightly. Here, we only need to uplift it to aurora.
Attachment #8569702 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Fixed in Firefox 39 by bug 1135954.
(This is fixed on trunk (per comment 21), so bug status should be RESOLVED|FIXED.)
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Whiteboard: [asan] → [asan][fixed by bug 1135954]
Would it make more sense to just uplift bug 1135954 proper?
Flags: needinfo?(quanxunzhen)
Target Milestone: --- → mozilla39
Either way. As I mentioned in comment 19, the patch here is identical to the patch I landed in bug 1135954. I request approval here because I don't want to make the relationship between these bugs public, and uplifting doesn't make sense for bug 1135954 itself.
Flags: needinfo?(quanxunzhen)
If we land it as-is, we're either going to be a) pointing directly at an s-s bug or b) pointing at a bug that has no discussion in it about uplifting ("nothing to see here..."). Seems a lot more innocent to BS a reason (shouldn't be that hard for a brand new feature) in the other bug and let it land that way.
I'm not sure what you are talking about. But I'm fine with either way. I think we can change the bug number in the patch to this security bug to make sense. Alternately, we can make that bug block this security bug after the fix releases.
(In reply to Ryan VanderMeulen [:RyanVM UTC-5] from comment #25)
> Seems a lot more innocent to BS a reason
> (shouldn't be that hard for a brand new feature) in the other bug and let it
> land that way.

He's suggesting that you request uplift approval in bug 1135954, with the justification being something innocent-sounding like e.g. "Useful optimization for Ruby, which we've enabled by default as far back as Aurora; hence, it'd be nice to uplift this to Aurora, particularly this early in the Aurora time-table."

(and then point abillings or another approval-granter over to that bug to a+ the patch.)

That way we can keep the bug numbers straight (same patch landing with same bug number everywhere), which is good for sanity, and as a bonus, it'll be a bit harder for an attacker to figure out that there's any security relevance. (as opposed to the "if we land it as-is" scenarios in comment 25)
Flags: sec-bounty? → sec-bounty+
Could you grant the approval-m-a in bug 1135954?
Flags: needinfo?(abillings)
Flags: needinfo?(abillings)
Group: core-security → core-security-release
Group: core-security-release