Bug 1182496 (Closed)
Opened 9 years ago
Closed 9 years ago

AddressSanitizer: use-after-poison GetParent, layout/generic/nsFrame.cpp:5573

Categories: Core :: SVG, defect
Tracking: RESOLVED FIXED, mozilla42
People: Reporter: rs, Assigned: heycam
References: Blocks 1 open bug
Details: 5 keywords, Whiteboard: [post-critsmash-triage][adv-main40-]

Attachments (4 files, 2 obsolete files):
2.61 KB, text/html
354 bytes, text/html
1.08 KB, patch
4.32 KB, patch (lmandel: approval-mozilla-aurora+; lmandel: approval-mozilla-beta+)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36

Steps to reproduce:

Will update with minimized testcase, tested with firefox-41.0a1.en-US.linux-x86_64-ASAN.

Actual results:

Full debug log:

=================================================================
==30494==ERROR: AddressSanitizer: use-after-poison on address 0x625000e7eac8 at pc 0x7fa94164e984 bp 0x7fffcc32d220 sp 0x7fffcc32d218
READ of size 8 at 0x625000e7eac8 thread T0 (Web Content)
    #0 0x7fa94164e983 in GetParent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5573
    #1 0x7fa94164e983 in nsIFrame::GetContainingBlock() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5593
    #2 0x7fa941604765 in InitCBReflowState /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:466
    #3 0x7fa941604765 in nsHTMLReflowState::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:377
    #4 0x7fa94157933d in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, nsRect const&, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:397
    #5 0x7fa941576248 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, nsRect const&, bool, bool, bool, nsOverflowAreas*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:143
    #6 0x7fa94163f3db in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4504
    #7 0x7fa941615a75 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4474
    #8 0x7fa9415d54ef in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsCanvasFrame.cpp:740
    #9 0x7fa941681c1a in ReflowChild /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:977
    #10 0x7fa941681c1a in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:520
    #11 0x7fa941683249 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:631
    #12 0x7fa941685606 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:866
    #13 0x7fa9415efcbe in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1019
    #14 0x7fa9417e8972 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsViewportFrame.cpp:217
    #15 0x7fa9414e0079 in PresShell::DoReflow(nsIFrame*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9000
    #16 0x7fa9414f43d8 in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9159
    #17 0x7fa9414f3898 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4078
    #18 0x7fa941251870 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1731
    #19 0x7fa94125b6ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #20 0x7fa94125b6ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #21 0x7fa94125af5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #22 0x7fa94125af5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #23 0x7fa94125af5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #24 0x7fa941b04af0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #25 0x7fa93c4a5c12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #26 0x7fa93c03315c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #27 0x7fa93bfabc42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #28 0x7fa93bfa9656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #29 0x7fa93bf9d2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #30 0x7fa93bf41f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #31 0x7fa93bf41f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #32 0x7fa93bf43047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #33 0x7fa93bfb2ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #34 0x7fa93b6e2b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #35 0x7fa93b75d03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #36 0x7fa93bfb2649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #37 0x7fa93bf40b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7fa93bf40b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7fa93bf40b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7fa940c39347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #41 0x7fa942a2d582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #42 0x7fa93bf40b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #43 0x7fa93bf40b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #44 0x7fa93bf40b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #45 0x7fa942a2cc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #46 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #47 0x7fa93918da3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #48 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x625000e7eac8 is located 2504 bytes inside of 8192-byte region [0x625000e7e100,0x625000e80100)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fa948734e86 in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/lib/ds/plarena.c:203
    #2 0x7fa941247ed5 in nsPresArena::Allocate(unsigned int, unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresArena.cpp:99
    #3 0x7fa94198f41c in AllocateByFrameID /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/../base/nsPresArena.h:80
    #4 0x7fa94198f41c in AllocateFrame /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/../base/nsIPresShell.h:229
    #5 0x7fa94198f41c in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:45
    #6 0x7fa94198f41c in NS_NewSVGPathGeometryFrame(nsIPresShell*, nsStyleContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:42
    #7 0x7fa94134af24 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3753
    #8 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #9 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #10 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #11 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #12 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #13 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #14 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #15 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #16 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #17 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #18 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #19 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #20 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #21 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #22 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #23 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #24 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #25 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #26 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #27 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #28 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #29 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #30 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #31 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #32 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #33 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #34 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #35 0x7fa941354084 in nsCSSFrameConstructor::ConstructFrameWithAnonymousChild(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsContainerFrame* (*)(nsIPresShell*, nsStyleContext*), nsContainerFrame* (*)(nsIPresShell*, nsStyleContext*), nsICSSAnonBoxPseudo*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5044
    #36 0x7fa94134121b in nsCSSFrameConstructor::ConstructOuterSVG(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5061
    #37 0x7fa94134aeb8 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3747
    #38 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #39 0x7fa941364717 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #40 0x7fa941364717 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7255

SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5573 GetParent
Shadow bytes around the buggy address:
  0x0c4a801c7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a801c7d50: 00 00 00 00 00 00 00 00 00[f7]f7 f7 f7 f7 f7 f7
  0x0c4a801c7d60: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Contiguous container OOB:fc
  ASan internal:         fe
==30494==ABORTING
Reporter
Comment 1•9 years ago
ok, looking at the code, I'm not sure if it is hitting the Assertion. Can anyone confirm?
Reporter
Comment 2•9 years ago
Adding testcase
Updated•9 years ago
Component: Untriaged → Layout
Product: Firefox → Core
Comment 3•9 years ago
It's a bit odd that we're trying to get the containing block (during reflow, no less) of something that was allocated with NS_NewSVGPathGeometryFrame....
Component: Layout → SVG
Comment 4•9 years ago
I can reproduce the use-after-poison ASAN issue (using a locally built ASAN debug build). Just before that, we hit these assertion failures:

###!!! ASSERTION: Abs pos whose parent is not the abs pos containing block?: 'aNewFrame->GetParent() == mAbsoluteItems.containingBlock', file layout/base/nsCSSFrameConstructor.cpp, line 1179
 * Here, aNewFrame is a nsSVGOuterSVGFrame, and its parent is a nsSVGContainerFrame -- whereas mAbsoluteItems.containingBlock is a nsCanvasFrame.

###!!! ASSERTION: unknown out of flow frame type: 'disp->mDisplay == NS_STYLE_DISPLAY_POPUP', file layout/generic/nsHTMLReflowState.cpp, line 776
 * Here, we're setting up a nsHTMLReflowState for the nsSVGOuterSVGFrame.
Comment 5•9 years ago
Regression range (on mozilla-central): [2013-06-30, 2013-07-01] (1 days)
Last good revision: cbb24a4a96af
First bad revision: d7553251cf43
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cbb24a4a96af&tochange=d7553251cf43

(my mozregression couldn't find inbound builds for this date range for some region, so that's the tightest regression range it can get.)

That range includes:
> 3a23afb038a5 Cameron McCormack — Bug 839955 - Enable new SVG text frames. r=roc
which I think is the proximate cause (regression-wise) here. So, this affects all supported branches, I believe.
Updated•9 years ago
Version: 41 Branch → Trunk
Comment 6•9 years ago
Original testcase has the actual SVG encoded. Here's a reduced testcase with the SVG just directly included and simplified.
Updated•9 years ago
Attachment #8633672 - Attachment description: testcase 2 (reduced) → testcase 2 (reduced) (WARNING, crashes Firefox)
Comment 7•9 years ago
Setting all branches as affected per comment 5. (This goes back to gecko 25.)
status-b2g-v2.0: --- → affected
status-b2g-v2.0M: --- → affected
status-b2g-v2.1: --- → affected
status-b2g-v2.1S: --- → affected
status-b2g-v2.2: --- → affected
status-b2g-v2.2r: --- → affected
status-b2g-master: --- → affected
status-firefox39: --- → affected
status-firefox40: --- → affected
status-firefox41: --- → affected
status-firefox42: --- → affected
status-firefox-esr31: --- → affected
status-firefox-esr38: --- → affected
Comment 8•9 years ago
So the main problem here is that the abspos nsSVGOuterSVGFrame has mParent pointer set to the nsSVGContainerFrame (which is for the <foreignObject>) -- but really, it lives in the abspos-frame-list on the root nsCanvasFrame. So its parent frame is wrong (relative to where it actually lives in the frame tree), and this causes havoc when we replace the body's content, because this mis-parented frame isn't part of the subtree that gets destroyed (but it should be). So, the SVG frame stays alive, but its still-incorrect mParent pointer is pointing into a subtree that's been destroyed. So we crash when we call GetContainingBlock and try to walk up its parent chain. (Fortunately, I think frame poisoning might mitigate this at least, making it a safe crash...?)
Comment 9•9 years ago
So before the dynamic tweak, the frame tree looks like this:

Canvas(html)(-1)@6250002f4100 {0,0,86400,39420} [state=000b002000000601] [content=6100000f3540] [sc=6250002e8570:-moz-scrolled-canvas]<
  Block(html)(-1)@6250002e4300 {0,0,86400,10200} [state=000b100000d00200] [content=6100000f3540] [sc=6250002e4238^0]<
    line 6250002e4d08: count=1 state=block,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x48] bm=480 {480,480,85440,9240} <
      Block(body)(2)@6250002e4c70 {480,480,85440,9240} [state=000b120000100200] [content=60e00003f9e0] [sc=6250002e49f8]<
        line 62500030a278: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x100] {0,0,18000,9240} <
          SVGOuterSVG(svg)(1)@6250002e5290 {0,0,18000,9000} [state=0002060000110000] [content=6140000a4240] [sc=6250002e4b70]<
            SVGOuterSVGAnonChild(svg)(1)@6250002e53f8 {0,0,0,0} [state=0002180000010000] [content=6140000a4240] [sc=6250002e5348:-moz-svg-outer-svg-anon-child]<
              SVGText(text)(1)@6250002e5890 {0,0,0,0} [state=0001880000010200] [content=6130000917c0] [sc=6250002e5470^6250002e4b70^6250002e49f8^6250002e4238]<
                Block(text)(1)@6250002e5ab8 {0,0,0,1140} [state=0000900000d00000] [content=6130000917c0] [sc=6250002e57e0:-moz-svg-text]<
                  line 62500030a228: count=3 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x100] {0,0,0,1140} <
                    Text(0)"\n "@6250002e6070 next=625000309920 {0,900,0,0} [state=4000800028200000] [content=60d0000a5690] [sc=6250002e5b90:-moz-non-element^6250002e5470^6250002e4b70^6250002e49f8] [run=60c00012c400][0,7,T]
                    Frame(foreignObject)(1)@625000309920 next=62500030a1b8 {0,900,0,0} [state=0020880000000000] [content=61200007ad40] [sc=6250002e5d18^6250002e5470^6250002e4b70^6250002e49f8]<
                      Text(0)"\n "@625000309ea0 next=62500030a0f0 {0,0,0,0} [state=0020800000000402] [content=60d0000a55c0] [sc=625000309ac8:-moz-non-element] [run=0][0,9,T]
                      Placeholder(svg)(1)@62500030a0f0 next=62500030a148 {0,0,0,0} [state=0020800000200402] [content=6140000a3e40] [sc=625000309ac8:-moz-non-element] outOfFlowFrame=SVGOuterSVG(svg)(1)@625000309f10
                      Text(2)"\n "@62500030a148 {0,0,0,0} [state=0020800000000402] [content=60d0000a54f0] [sc=625000309ac8:-moz-non-element] [run=0][0,7,T]
                    >
                    Text(2)"\n "@62500030a1b8 {0,0,0,1140} [state=40008000a0400000] [content=60d0000a5420] [sc=6250002e5b90:-moz-non-element^6250002e5470^6250002e4b70^6250002e49f8] [run=60c00012c280][0,5,T]
                  >
                >
              >
            >
          >
        >
      >
    >
  >
>
AbsoluteList 6030002185f0 <
[Child 367] ###!!! ASSERTION: bad parent frame pointer: 'kid->GetParent() == this', file /scratch/work/builds/mozilla-central/mozilla-central.15-07-07.11-31/mozilla/layout/generic/nsContainerFrame.cpp, line 2026
  SVGOuterSVG(svg)(1)@625000309f10 {0,0,18000,9000} [state=0020860000110100] [content=6140000a3e40] [sc=625000309bc0]<
    SVGOuterSVGAnonChild(svg)(1)@62500030a078 {0,0,0,0} [state=0020980000010402] [content=6140000a3e40] [sc=625000309fc8:-moz-svg-outer-svg-anon-child]<>
  >
>
>

Note the assertion when we print out the SVGOuterSVG. That's because that frame has mParent = @625000309920, which is the foreignObject frame.
Comment 10•9 years ago
I believe the actual crash is from us calling the virtual function frame->IsFrameOfType(...), inside of GetNearestBlockContainer, on the SVGOuterSVG frame's already-destroyed parent. I believe frame poisoning mitigates this (and I assume that's why ASAN tags this as "use-after-poison"...? Do they recognize our frame poisoning? That's kind of cool.)
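Comments 8 and 10 describe two separate things worth seeing in code: the invariant that a frame's mParent must be the owner of the list it lives in (the "bad parent frame pointer: 'kid->GetParent() == this'" assertion), and frame poisoning, which turns a parent-chain walk through freed frame memory into a safe crash that ASan reports as use-after-poison. The following is an added example written for this page, not Gecko's code and not the patch attached to this bug. Every name in it (Frame, FrameArena, DestroySubtree, VerifyParentPointers, WalkToRoot, BuildTree, TOY_POISON) is made up; the hook into ASan's user-poisoning API is an assumption about how an ASan-aware arena would poison freed storage, and the toy tree has no placeholder frames, so the out-of-flow <svg> is reachable only through the absolute list that holds it, which is exactly the situation comment 8 describes.

```cpp
// Added example, not Gecko code: a toy arena-allocated frame tree modelling the invariant
// behind "bad parent frame pointer: 'kid->GetParent() == this'" and the frame poisoning
// that turns a dangling mParent into a safe crash. All names here are made up.
#include <cstddef>
#include <cstring>
#include <new>
#include <set>
#include <string>
#include <vector>

// Under GCC's -fsanitize=address (__SANITIZE_ADDRESS__; Clang: __has_feature), freed frames
// are also poisoned via ASan's user-poisoning API, so a later read is reported as
// "use-after-poison" (assumption: mirrors an ASan-aware frame arena; otherwise a no-op).
#ifdef __SANITIZE_ADDRESS__
extern "C" void __asan_poison_memory_region(void const volatile*, size_t);
#  define TOY_POISON(p, n) __asan_poison_memory_region((p), (n))
#else
#  define TOY_POISON(p, n) ((void)(p), (void)(n))
#endif

struct Frame {
  Frame* mParent;
  std::string mName;
  std::vector<Frame*> mChildren;      // principal child list
  std::vector<Frame*> mAbsoluteList;  // out-of-flow (abs-pos) children
};

// Arena that keeps freed storage and fills it with a poison pattern instead of unmapping it.
class FrameArena {
 public:
  Frame* Allocate(const std::string& name, Frame* parent) {
    Frame* f = new (::operator new(sizeof(Frame))) Frame{parent, name, {}, {}};
    mLive.insert(f);
    return f;
  }
  void Free(Frame* f) {
    mLive.erase(f);
    f->~Frame();
    std::memset(static_cast<void*>(f), 0xF7, sizeof(Frame));  // poison pattern
    TOY_POISON(f, sizeof(Frame));
    mPoisoned.insert(f);  // storage stays mapped for recycling
  }
  bool IsLive(const Frame* f) const { return mLive.count(f) != 0; }
  bool IsPoisoned(const Frame* f) const { return mPoisoned.count(f) != 0; }
 private:
  std::set<const Frame*> mLive, mPoisoned;
};

// Free a frame and everything reachable through its own child lists. A frame that sits in
// an ancestor's absolute list is not reached, which is how the bug's <svg> outlives its "parent".
void DestroySubtree(FrameArena& arena, Frame* f) {
  for (Frame* kid : f->mChildren) DestroySubtree(arena, kid);
  for (Frame* kid : f->mAbsoluteList) DestroySubtree(arena, kid);
  arena.Free(f);
}

// Debug check: every frame in a child list must point back at the list's owner.
std::vector<std::string> VerifyParentPointers(const Frame* root) {
  std::vector<std::string> bad;
  for (const std::vector<Frame*>* list : {&root->mChildren, &root->mAbsoluteList}) {
    for (const Frame* kid : *list) {
      if (kid->mParent != root) bad.push_back(kid->mName);
      std::vector<std::string> sub = VerifyParentPointers(kid);
      bad.insert(bad.end(), sub.begin(), sub.end());
    }
  }
  return bad;
}

// Walk the parent chain to the root, refusing to dereference a parent the arena no longer
// considers live (the real GetContainingBlock walk has no such check and crashes instead).
const Frame* WalkToRoot(const FrameArena& arena, const Frame* f) {
  while (f->mParent) {
    if (!arena.IsLive(f->mParent)) return nullptr;  // dangling or poisoned
    f = f->mParent;
  }
  return f;
}
struct Scenario { FrameArena arena; Frame* canvas; Frame* body; Frame* outerSVG; };

// Constructed tree shaped like the dump in comment 9: the abs-pos <svg> inside <foreignObject>
// lives in the canvas's absolute list; misParented gives it the foreignObject frame as mParent.
void BuildTree(Scenario& s, bool misParented) {
  s.canvas = s.arena.Allocate("Canvas", nullptr);
  s.body = s.arena.Allocate("Block(body)", s.canvas);
  s.canvas->mChildren.push_back(s.body);
  Frame* text = s.arena.Allocate("SVGText", s.body);
  s.body->mChildren.push_back(text);
  Frame* fo = s.arena.Allocate("Frame(foreignObject)", text);
  text->mChildren.push_back(fo);
  s.outerSVG = s.arena.Allocate("SVGOuterSVG", misParented ? fo : s.canvas);
  s.canvas->mAbsoluteList.push_back(s.outerSVG);
}

int main() {
  Scenario s;
  BuildTree(s, true);
  DestroySubtree(s.arena, s.body);  // the dynamic "replace the body's content" step
  return WalkToRoot(s.arena, s.outerSVG) == nullptr ? 0 : 1;  // 0: dangling parent caught
}
```

With the mis-parented tree, VerifyParentPointers flags "SVGOuterSVG" before anything is destroyed, which is the point at which the real assertion fires; after DestroySubtree on the body, the <svg> frame is still live but its mParent is poisoned, so WalkToRoot returns nullptr instead of reading it. Build with -fsanitize=address and remove the IsLive check in WalkToRoot to see the same failure mode reported as a use-after-poison on the memset/TOY_POISON'd frame, the same report class as the log at the top of this bug.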
Comment 11•9 years ago
> but really, it lives in the abspos-frame-list on the root nsCanvasFrame
Er, so how did it get some other parent??
Comment 12•9 years ago
(In reply to Boris Zbarsky [:bz] from comment #11)
> Er, so how did it get some other parent??

Because nsFrameConstructorState::GetGeometricParent (which we use to determine the frame's mParent) has an early-return for SVG Text, and we think our parent is SVG Text. :-/

Quoting the code:

1111   if (aContentParentFrame && aContentParentFrame->IsSVGText()) {
1112     return aContentParentFrame;
1113   }
[...]
1121   if (aStyleDisplay->mPosition == NS_STYLE_POSITION_ABSOLUTE &&
1122       mAbsoluteItems.containingBlock) {
1123     return mAbsoluteItems.containingBlock;
1124   }

http://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp?rev=5d4b602cf88f#1095

Here, aContentParentFrame is a nsSVGContainerFrame (for the foreignObject element), and it returns true from IsSVGText() because it has the svg-text frame-state bit set (NS_FRAME_IS_SVG_TEXT). So we never reach the abspos case, because we take the early-return.

Next question: why does the foreignObject frame have that state-bit set? Its *parent* is a SVG text frame, but *it* isn't one. Looking into that now...
Comment 13•9 years ago
(In reply to Daniel Holbert [:dholbert] from comment #12)
> Next question: why does the foreignObject frame have that state-bit set? Its
> *parent* is a SVG text frame, but *it* isn't one. Looking into that now...

Hmm, NS_FRAME_IS_SVG_TEXT is documented as "The frame is a descendant of SVGTextFrame and is thus used for SVG text layout". That is technically true here (in that the nsSVGContainerFrame is a child of a SVGTextFrame. Not sure it participates much in SVG text layout, though).

heycam, do you know what's supposed to happen here?
Flags: needinfo?(cam)
Assignee
Comment 14•9 years ago
We shouldn't have an nsSVGContainerFrame child of an SVGTextFrame. An SVGTextFrame should have a single, anonymous nsBlockFrame, which itself should only have nsInlineFrame, nsFirstLetterFrame and nsFirstLineFrame descendants. So it's certainly wrong to have the foreignObject frame in there, but that's probably why it's incorrectly getting the NS_FRAME_IS_SVG_TEXT bit set on it.
Flags: needinfo?(cam)
Comment 15•9 years ago
(In reply to Cameron McCormack (:heycam) from comment #14)
> We shouldn't have an nsSVGContainerFrame child of an SVGTextFrame. An
> SVGTextFrame should have a single, anonymous nsBlockFrame, which itself
> should only have nsInlineFrame, nsFirstLetterFrame and nsFirstLineFrame
> descendants.

Sorry, right -- the nsSVGContainerFrame is not a child, but is a *grandchild* of the SVGTextFrame. (It's inside of the single anonymous block -- it's the "Frame(foreignObject)" in my frame dump in comment 9.)

It sounds like that's still unexpected though. How do we enforce our expectations on the things that the anonymous block frame can contain?
Assignee
Comment 16•9 years ago
(In reply to Daniel Holbert [:dholbert] from comment #15)
> It sounds like that's still unexpected though. How do we enforce our
> expectations on the things that the anonymous block frame can contain?

That should be handled by nsCSSFrameConstructor. Specifically, in FindSVGData there is a block |if (aIsWithinSVGText)| that should be ensuring we don't construct regular SVG frames for non-text-related elements.
Assignee
Comment 17•9 years ago
Oh, I see the problem; earlier in FindSVGData we check for failing conditional processing attributes, and return sContainerData.
Assignee
Updated•9 years ago
Assignee: nobody → cam
Status: NEW → ASSIGNED
Comment 18•9 years ago
This fixes the bug, though I don't have confidence that it's the right fix (particularly given comment 17). Posting it anyway, though, FWIW & since it might still be useful.

I noticed this check...
> 3848 if (bits & FCDATA_FORCE_NULL_ABSPOS_CONTAINER) {
...while stepping through the code right after we've created the anonymous block container. If we add this FCDATA bit for SVGTextFrames, then it looks like we successfully block our children from discovering any abspos containers, which somewhat tangentially fixes this bug.
Updated•9 years ago
Attachment #8633820 - Attachment description: possible fix: force → possible fix: force null abspos container
Assignee
Updated•9 years ago
Assignee: cam → dholbert
Assignee
Comment 19•9 years ago
Yeah, I think this isn't the right fix. I believe that we'll also incorrectly create an nsSVGContainerFrame for content like <text> <tspan requiredFeatures="blah">... so we really need to fix this inside FindSVGData.
Comment 20•9 years ago
[assignee-tag! (post IRC discussion.) Thanks for taking. :)]
Assignee: dholbert → cam
Assignee
Comment 21•9 years ago
I think this is what we need to do. I want to add a comment explaining why we create a non-display container frame for elements with failing conditional processing attributes, but I don't know why we do.
Assignee
Comment 22•9 years ago
Jonathan/Robert, any idea why we create non-display container frames for SVG elements with failing conditional processing attributes?
Flags: needinfo?(longsonr)
Flags: needinfo?(jwatt)
Assignee
Comment 23•9 years ago
https://treeherder.mozilla.org/#/jobs?repo=try&revision=03ceb3861d01
Comment 24•9 years ago
Any suggestions on a rating for this security issue?
Comment 25•9 years ago
From looking at earlier bugs where we're crashing on a frame-poisoning address (e.g. bug 1015844, bug 947158), it looks like we tag them as "csectype-framepoisoning, sec-other". (And I think this is non-exploitable; frame poisoning means the deref that triggers this crash is guaranteed to be a safe crash.)
Keywords: csectype-framepoisoning, sec-other
Updated•9 years ago
Assignee
Comment 26•9 years ago
Comment on attachment 8633845 [details] [diff] [review]
patch

How about we get this in and fix up the comment later.
Attachment #8633845 -
Flags: review?(dholbert)
Comment 27•9 years ago
This looks fine, but I think you might be able to fix up the comment sooner...

(In reply to Cameron McCormack (:heycam) from comment #22)
> Jonathan/Robert, any idea why we create non-display container frames for SVG
> elements with failing conditional processing attributes?

hg archeology shows that you were actually the one to implement this sContainerData special-case return. :) It was back in 2010, in this changeset for bug 615146:
http://hg.mozilla.org/mozilla-central/rev/bb43b6a9b621#l1.36
and there were some later tweaks here:
http://hg.mozilla.org/mozilla-central/rev/395fac6a7de4#l3.12

Maybe there's enough information on those bugs to help you fill out the comment?
Flags: needinfo?(cam)
Assignee
Comment 28•9 years ago
Oh, excellent, thank you. I had a suspicion it was related to <use> but wasn't sure!
Flags: needinfo?(cam)
Assignee
Comment 29•9 years ago
Reading through bug 614265 it is for references to paint servers in non-displayed subtrees rather than <use> (which uses a different mechanism for tracking the referent that doesn't need frames to be around).
Assignee
Comment 30•9 years ago
Attachment #8633845 -
Attachment is obsolete: true
Attachment #8633845 -
Flags: review?(dholbert)
Flags: needinfo?(longsonr)
Flags: needinfo?(jwatt)
Attachment #8635050 -
Flags: review?(dholbert)
Comment 31•9 years ago
Comment on attachment 8635050 [details] [diff] [review]
patch v2

Review of attachment 8635050 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, just two nits on the filled-in comment:

::: layout/base/nsCSSFrameConstructor.cpp @@ +5190,5 @@ > + return &sSuppressData; > + } > + // Outside of <text>, create an nsSVGContainerFrame (which is a frame > + // that doesn't render) so that references to paint servers within elements > + // with failing conditional processing attributes still work.

Two language nits here:

(1) "Outside of <text>..." sounds a bit like it means "Wrapping each <text> node...". Let's make that less ambiguous. Maybe s/Outside of <text>,/If we're not inside of <text>,/

(2) The last phrase is ambiguous: "references to paint servers within elements with failing conditional processing". It's unclear whether the *references* are within [...], or the *paint servers* are within [...]. Please clarify along the lines of "so that paint servers can still be referenced, even if they live inside an element with failing conditional processing attributes".
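Review bot: the `+ return &sSuppressData;` branch at the top of this hunk has no comment in the visible lines saying why, inside <text>, an element with failing conditional processing attributes gets no frame at all, while the sibling nsSVGContainerFrame branch below it is commented. If nothing above the hunk's first line covers it, add a one-liner before the return, e.g. `// Inside <text>, create no frame: the anonymous block must only contain text-related frames.`, so both return values are documented symmetrically and the next reader does not reintroduce the container frame here.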
Attachment #8635050 -
Flags: review?(dholbert) → review+
Assignee
Comment 32•9 years ago
Attachment #8635050 -
Attachment is obsolete: true
Assignee
Comment 33•9 years ago
Comment on attachment 8635063 [details] [diff] [review]
patch v2.1 r=dholbert

Approval Request Comment
[Feature/regressing bug #]: bug 655877
[User impact if declined]: odd SVG content can cause a safe crash
[Describe test coverage new/current, TreeHerder]: tested locally, just landed on inbound with tests
[Risks and why]: low, this is just choosing to create no frame for some elements rather than an unexpected frame
[String/UUID change made/needed]: N/A
Attachment #8635063 -
Flags: approval-mozilla-beta?
Attachment #8635063 -
Flags: approval-mozilla-aurora?
Assignee
Comment 34•9 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/6e62afbb22d3
Comment 35•9 years ago
https://hg.mozilla.org/mozilla-central/rev/6e62afbb22d3
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Comment 36•9 years ago
Comment on attachment 8635063 [details] [diff] [review]
patch v2.1 r=dholbert

dholbert tells me there is no risk of regression due to returning no frame. With that I'm satisfied that we should take this simple crash fix in beta6. Beta+ Aurora+
Attachment #8635063 -
Flags: approval-mozilla-beta?
Attachment #8635063 -
Flags: approval-mozilla-beta+
Attachment #8635063 -
Flags: approval-mozilla-aurora?
Attachment #8635063 -
Flags: approval-mozilla-aurora+
Comment 37•9 years ago
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #36)
> dholbert tells me there is no risk of regression due to returning no frame.

(Elaborating slightly: IIUC, the only way this could cause a regression would be by breaking paint servers (gradients, patterns, etc) that are defined inside of SVG <text> nodes. And per comment 14, I think those already wouldn't be expected to work. Hence, I don't see any obvious way that this would cause a regression.)
Comment 40•9 years ago
If this is a safe crash and a sec-other, can we open this? Francisco, can you verify that this is fixed in a current nightly build?
Flags: needinfo?(rs)
Reporter
Comment 41•9 years ago
Al Billings, tested and seems to be fixed in current nightly build.
Flags: needinfo?(rs)
Comment 42•9 years ago
(In reply to Al Billings [:abillings] from comment #40)
> If this is a safe crash and a sec-other, can we open this?

Probably? I'm not sure what our normal procedure/timeline is for opening bugs about crashes that are mitigated with frame-poisoning. (This is indeed a safe crash, though.)
Comment 43•9 years ago
Let's get Dan's opinion since he normally opens bugs.
Flags: needinfo?(dveditz)
Updated•9 years ago
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
Group: core-security
Flags: needinfo?(dveditz)
Updated•9 years ago
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main40-]
Comment 44•9 years ago
Minusing for bounty since this turns out to be a safe crash mitigated by frame poisoning.
Flags: sec-bounty? → sec-bounty-
Updated•4 years ago
Blocks: asan-maintenance