AddressSanitizer: use-after-poison GetParent, layout/generic/nsFrame.cpp:5573

RESOLVED FIXED in Firefox 40

Status


defect
RESOLVED FIXED

People

(Reporter: rs, Assigned: heycam)

Tracking

(5 keywords)

Trunk
mozilla42
Points:
---
Bug Flags:
sec-bounty -
in-testsuite +

Firefox Tracking Flags

(firefox39 wontfix, firefox40 fixed, firefox41 fixed, firefox42 fixed, firefox-esr31 wontfix, firefox-esr38 wontfix, b2g-v2.0 wontfix, b2g-v2.0M wontfix, b2g-v2.1 wontfix, b2g-v2.1S wontfix, b2g-v2.2 wontfix, b2g-v2.2r wontfix, b2g-master fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main40-])

Attachments

(4 attachments, 2 obsolete attachments)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.132 Safari/537.36

Steps to reproduce:

Will update with minimized testcase, tested with firefox-41.0a1.en-US.linux-x86_64-ASAN.

Actual results:

Full debug log:

=================================================================
==30494==ERROR: AddressSanitizer: use-after-poison on address 0x625000e7eac8 at pc 0x7fa94164e984 bp 0x7fffcc32d220 sp 0x7fffcc32d218
READ of size 8 at 0x625000e7eac8 thread T0 (Web Content)
    #0 0x7fa94164e983 in GetParent /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5573
    #1 0x7fa94164e983 in nsIFrame::GetContainingBlock() const /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5593
    #2 0x7fa941604765 in InitCBReflowState /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:466
    #3 0x7fa941604765 in nsHTMLReflowState::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:377
    #4 0x7fa94157933d in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, nsRect const&, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:397
    #5 0x7fa941576248 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, nsRect const&, bool, bool, bool, nsOverflowAreas*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:143
    #6 0x7fa94163f3db in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4504
    #7 0x7fa941615a75 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4474
    #8 0x7fa9415d54ef in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsCanvasFrame.cpp:740
    #9 0x7fa941681c1a in ReflowChild /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:977
    #10 0x7fa941681c1a in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:520
    #11 0x7fa941683249 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:631
    #12 0x7fa941685606 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:866
    #13 0x7fa9415efcbe in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1019
    #14 0x7fa9417e8972 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsViewportFrame.cpp:217
    #15 0x7fa9414e0079 in PresShell::DoReflow(nsIFrame*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9000
    #16 0x7fa9414f43d8 in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9159
    #17 0x7fa9414f3898 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4078
    #18 0x7fa941251870 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1731
    #19 0x7fa94125b6ee in TickDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:195
    #20 0x7fa94125b6ee in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:186
    #21 0x7fa94125af5d in RunRefreshDrivers /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:437
    #22 0x7fa94125af5d in TickRefreshDriver /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:371
    #23 0x7fa94125af5d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:342
    #24 0x7fa941b04af0 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:63
    #25 0x7fa93c4a5c12 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PVsyncChild.cpp:220
    #26 0x7fa93c03315c in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/./PBackgroundChild.cpp:1288
    #27 0x7fa93bfabc42 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1279
    #28 0x7fa93bfa9656 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1198
    #29 0x7fa93bf9d2b4 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1182
    #30 0x7fa93bf41f94 in RunTask /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:364
    #31 0x7fa93bf41f94 in MessageLoop::DeferOrRunPendingTask(MessageLoop::PendingTask const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:372
    #32 0x7fa93bf43047 in MessageLoop::DoWork() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:459
    #33 0x7fa93bfb2ee2 in mozilla::ipc::DoWorkRunnable::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:220
    #34 0x7fa93b6e2b17 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:848
    #35 0x7fa93b75d03a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:265
    #36 0x7fa93bfb2649 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:95
    #37 0x7fa93bf40b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #38 0x7fa93bf40b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #39 0x7fa93bf40b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #40 0x7fa940c39347 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:165
    #41 0x7fa942a2d582 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:778
    #42 0x7fa93bf40b1c in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:234
    #43 0x7fa93bf40b1c in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:227
    #44 0x7fa93bf40b1c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:201
    #45 0x7fa942a2cc7b in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:614
    #46 0x48cf52 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:236
    #47 0x7fa93918da3f in __libc_start_main /build/buildd/glibc-2.21/csu/libc-start.c:289
    #48 0x48c2ac in _start (/home/revskills/Browsers/firefox/plugin-container+0x48c2ac)

0x625000e7eac8 is located 2504 bytes inside of 8192-byte region [0x625000e7e100,0x625000e80100)
allocated by thread T0 (Web Content) here:
    #0 0x4748c1 in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:74
    #1 0x7fa948734e86 in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/lib/ds/plarena.c:203
    #2 0x7fa941247ed5 in nsPresArena::Allocate(unsigned int, unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresArena.cpp:99
    #3 0x7fa94198f41c in AllocateByFrameID /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/../base/nsPresArena.h:80
    #4 0x7fa94198f41c in AllocateFrame /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/../base/nsIPresShell.h:229
    #5 0x7fa94198f41c in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:45
    #6 0x7fa94198f41c in NS_NewSVGPathGeometryFrame(nsIPresShell*, nsStyleContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/svg/nsSVGPathGeometryFrame.cpp:42
    #7 0x7fa94134af24 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3753
    #8 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #9 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #10 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #11 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #12 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #13 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #14 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #15 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #16 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #17 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #18 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #19 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #20 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #21 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #22 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #23 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #24 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #25 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #26 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #27 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #28 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #29 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #30 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #31 0x7fa94134cce6 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3888
    #32 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #33 0x7fa9413363f1 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #34 0x7fa9413363f1 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10455
    #35 0x7fa941354084 in nsCSSFrameConstructor::ConstructFrameWithAnonymousChild(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsContainerFrame* (*)(nsIPresShell*, nsStyleContext*), nsContainerFrame* (*)(nsIPresShell*, nsStyleContext*), nsICSSAnonBoxPseudo*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5044
    #36 0x7fa94134121b in nsCSSFrameConstructor::ConstructOuterSVG(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5061
    #37 0x7fa94134aeb8 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3747
    #38 0x7fa941357f02 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5935
    #39 0x7fa941364717 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10255
    #40 0x7fa941364717 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:7255

SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:5573 GetParent
Shadow bytes around the buggy address:
  0x0c4a801c7d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a801c7d50: 00 00 00 00 00 00 00 00 00[f7]f7 f7 f7 f7 f7 f7
  0x0c4a801c7d60: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7d90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801c7da0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==30494==ABORTING
ok, looking at the code, I'm not sure if it is hitting in the Assertion. Can anyone confirm?
Posted file uap_getparent.html
Adding testcase
Component: Untriaged → Layout
Product: Firefox → Core
It's a bit odd that we're trying to get the containing block (during reflow, no less) of something that was allocated with NS_NewSVGPathGeometryFrame....
Component: Layout → SVG
I can reproduce the use-after-poison ASAN issue (using a locally built ASAN debug build). Just before that, we hit these assertion failures:

###!!! ASSERTION: Abs pos whose parent is not the abs pos containing block?: 'aNewFrame->GetParent() == mAbsoluteItems.containingBlock', file layout/base/nsCSSFrameConstructor.cpp, line 1179
* Here, aNewFrame is a nsSVGOuterSVGFrame, and its parent is a nsSVGContainerFrame -- whereas  mAbsoluteItems.containingBlock is a nsCanvasFrame.

###!!! ASSERTION: unknown out of flow frame type: 'disp->mDisplay == NS_STYLE_DISPLAY_POPUP', file layout/generic/nsHTMLReflowState.cpp, line 776
* Here, we're setting up a nsHTMLReflowState for the nsSVGOuterSVGFrame.
Regression range (on mozilla-central): [2013-06-30, 2013-07-01] (1 days)
Last good revision: cbb24a4a96af
First bad revision: d7553251cf43
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cbb24a4a96af&tochange=d7553251cf43

(my mozregression couldn't find inbound builds for this date range for some reason, so that's the tightest regression range it can get.)

That range includes:
> 3a23afb038a5 Cameron McCormack — Bug 839955 - Enable new SVG text frames. r=roc
which I think is the proximate cause (regression-wise) here.

So, this affects all supported branches, I believe.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
Version: 41 Branch → Trunk
Original testcase has the actual SVG encoded. Here's a reduced testcase with the SVG just directly included and simplified.
Attachment #8633672 - Attachment description: testcase 2 (reduced) → testcase 2 (reduced) (WARNING, crashes Firefox)
So the main problem here is that the abspos nsSVGOuterSVGFrame has mParent pointer set to the nsSVGContainerFrame (which is for the <foreignObject>) -- but really, it lives in the abspos-frame-list on the root nsCanvasFrame.

So its parent frame is wrong (relative to where it actually lives in the frame tree), and this causes havoc when we replace the body's content, because this mis-parented frame isn't part of the subtree that gets destroyed (but it should be).

So, the SVG frame stays alive, but its still-incorrect mParent pointer is pointing into a subtree that's been destroyed. So we crash when we call GetContainingBlock and try to walk up its parent chain.

(Fortunately, I think frame poisoning might mitigate this at least, making it a safe crash...?)
So before the dynamic tweak, the frame tree looks like this:

    Canvas(html)(-1)@6250002f4100 {0,0,86400,39420} [state=000b002000000601] [content=6100000f3540] [sc=6250002e8570:-moz-scrolled-canvas]<
      Block(html)(-1)@6250002e4300 {0,0,86400,10200} [state=000b100000d00200] [content=6100000f3540] [sc=6250002e4238^0]<
        line 6250002e4d08: count=1 state=block,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x48] bm=480 {480,480,85440,9240} <
          Block(body)(2)@6250002e4c70 {480,480,85440,9240} [state=000b120000100200] [content=60e00003f9e0] [sc=6250002e49f8]<
            line 62500030a278: count=1 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x100] {0,0,18000,9240} <
              SVGOuterSVG(svg)(1)@6250002e5290 {0,0,18000,9000} [state=0002060000110000] [content=6140000a4240] [sc=6250002e4b70]<
                SVGOuterSVGAnonChild(svg)(1)@6250002e53f8 {0,0,0,0} [state=0002180000010000] [content=6140000a4240] [sc=6250002e5348:-moz-svg-outer-svg-anon-child]<
                  SVGText(text)(1)@6250002e5890 {0,0,0,0} [state=0001880000010200] [content=6130000917c0] [sc=6250002e5470^6250002e4b70^6250002e49f8^6250002e4238]<
                    Block(text)(1)@6250002e5ab8 {0,0,0,1140} [state=0000900000d00000] [content=6130000917c0] [sc=6250002e57e0:-moz-svg-text]<
                      line 62500030a228: count=3 state=inline,clean,prevmarginclean,not impacted,not wrapped,before:nobr,after:nobr[0x100] {0,0,0,1140} <
                        Text(0)"\n      "@6250002e6070 next=625000309920 {0,900,0,0} [state=4000800028200000] [content=60d0000a5690] [sc=6250002e5b90:-moz-non-element^6250002e5470^6250002e4b70^6250002e49f8] [run=60c00012c400][0,7,T] 
                        Frame(foreignObject)(1)@625000309920 next=62500030a1b8 {0,900,0,0} [state=0020880000000000] [content=61200007ad40] [sc=6250002e5d18^6250002e5470^6250002e4b70^6250002e49f8]<
                          Text(0)"\n        "@625000309ea0 next=62500030a0f0 {0,0,0,0} [state=0020800000000402] [content=60d0000a55c0] [sc=625000309ac8:-moz-non-element] [run=0][0,9,T] 
                          Placeholder(svg)(1)@62500030a0f0 next=62500030a148 {0,0,0,0} [state=0020800000200402] [content=6140000a3e40] [sc=625000309ac8:-moz-non-element] outOfFlowFrame=SVGOuterSVG(svg)(1)@625000309f10
                          Text(2)"\n      "@62500030a148 {0,0,0,0} [state=0020800000000402] [content=60d0000a54f0] [sc=625000309ac8:-moz-non-element] [run=0][0,7,T] 
                        >
                        Text(2)"\n    "@62500030a1b8 {0,0,0,1140} [state=40008000a0400000] [content=60d0000a5420] [sc=6250002e5b90:-moz-non-element^6250002e5470^6250002e4b70^6250002e49f8] [run=60c00012c280][0,5,T] 
                      >
                    >
                  >
                >
              >
            >
          >
        >
      >
    >
    AbsoluteList 6030002185f0 <
[Child 367] ###!!! ASSERTION: bad parent frame pointer: 'kid->GetParent() == this', file /scratch/work/builds/mozilla-central/mozilla-central.15-07-07.11-31/mozilla/layout/generic/nsContainerFrame.cpp, line 2026
      SVGOuterSVG(svg)(1)@625000309f10 {0,0,18000,9000} [state=0020860000110100] [content=6140000a3e40] [sc=625000309bc0]<
        SVGOuterSVGAnonChild(svg)(1)@62500030a078 {0,0,0,0} [state=0020980000010402] [content=6140000a3e40] [sc=625000309fc8:-moz-svg-outer-svg-anon-child]<>
      >
    >
  >

Note the assertion when we print out the SVGOuterSVG. That's because that frame has mParent = @625000309920, which is the foreignObject frame.
I believe the actual crash is from us calling the virtual function frame->IsFrameOfType(...), inside of GetNearestBlockContainer, on the SVGOuterSVG frame's already-destroyed parent.

I believe frame poisoning mitigates this (and I assume that's why ASAN tags this as "use-after-poison"...? Do they recognize our frame poisoning? That's kind of cool.)
> but really, it lives in the abspos-frame-list on the root nsCanvasFrame

Er, so how did it get some other parent??
(In reply to Boris Zbarsky [:bz] from comment #11)
> Er, so how did it get some other parent??

Because nsFrameConstructorState::GetGeometricParent (which we use to determine the frame's mParent) has an early-return for SVG Text, and we think our parent is SVG Text. :-/

Quoting the code:
1111   if (aContentParentFrame && aContentParentFrame->IsSVGText()) {
1112     return aContentParentFrame;
1113   }
[...]
1121   if (aStyleDisplay->mPosition == NS_STYLE_POSITION_ABSOLUTE &&
1122       mAbsoluteItems.containingBlock) {
1123     return mAbsoluteItems.containingBlock;
1124   }
http://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp?rev=5d4b602cf88f#1095

Here, aContentParentFrame is a nsSVGContainerFrame (for the foreignObject element), and it returns true from IsSVGText() because it has the svg-text frame-state bit set (NS_FRAME_IS_SVG_TEXT).  So we never reach the abspos case, because we take the early-return.

Next question: why does the foreignObject frame have that state-bit set? Its *parent* is a SVG text frame, but *it* isn't one. Looking into that now...
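The mechanism described in comments 9, 10 and 12, modelled as an added example that is not Gecko code: a hypothetical Frame type stands in for nsIFrame, geometric_parent() keeps the ordering of the GetGeometricParent excerpt above, destroy_subtree() models frame poisoning with an assumed 0xA5 fill pattern (Gecko fills with a pointer into a reserved page; the idea is the same), and count_bad_parents() is the "bad parent frame pointer" invariant from the frame dump. The arena, the frame names and the fo_has_bit switch are assumptions; fo_has_bit == 0 only shows the same tree without the state bit and is not Gecko's fix.

```c
#include <stdint.h>
#include <string.h>
/* Hypothetical stand-in for Gecko's nsIFrame (not Gecko code): the first word
 * models the C++ vtable pointer, the rest mParent, the child list and the
 * NS_FRAME_IS_SVG_TEXT state bit. */
typedef struct Frame {
    const void *vtable;
    struct Frame *parent, *first_child, *next_sibling;
    int svg_text_bit, is_block;  /* NS_FRAME_IS_SVG_TEXT; IsFrameOfType(eBlockFrame) */
} Frame;
static const int kFrameVtable = 0;  /* dummy vtable for live frames */

/* Frame poisoning, modelled: a destroyed frame is overwritten with one byte
 * pattern (assumed 0xA5 here), so every pointer it held, vtable included, becomes
 * one sentinel. Gecko aims that sentinel at a never-mapped page, so a stale
 * virtual call faults deterministically instead of using whatever fills the slot. */
#define POISON_BYTE 0xA5
static const uintptr_t kPoisonPtr = (uintptr_t)0xA5A5A5A5A5A5A5A5ull;

/* Tiny arena standing in for nsPresArena: slots are recycled, never unmapped. */
static Frame g_arena[16];
static size_t g_used;

/* Creates a frame with the given mParent and links it into *list, which need
 * not be that parent's child list (that is exactly the bug's situation). */
static Frame *new_frame(Frame *parent, Frame **list, int svg_text, int is_block) {
    Frame *f = &g_arena[g_used++];
    memset(f, 0, sizeof *f);
    f->vtable = &kFrameVtable;
    f->parent = parent;
    f->svg_text_bit = svg_text;
    f->is_block = is_block;
    while (*list) list = &(*list)->next_sibling;
    *list = f;
    return f;
}

/* Same ordering as the GetGeometricParent excerpt in comment 12: the SVG-text
 * early return is taken before the abs-pos containing block is considered. */
static Frame *geometric_parent(Frame *content_parent, Frame *abs_cb, int is_abs) {
    if (content_parent && content_parent->svg_text_bit) return content_parent;
    if (is_abs && abs_cb) return abs_cb;
    return content_parent;
}

/* Children go first, since poisoning the parent wipes first_child too. */
static void destroy_subtree(Frame *f) {
    for (Frame *kid = f->first_child, *next; kid; kid = next) {
        next = kid->next_sibling;
        destroy_subtree(kid);
    }
    memset(f, POISON_BYTE, sizeof *f);
}

/* The "bad parent frame pointer: kid->GetParent() == this" invariant from the
 * frame dump, counted over one child list and everything below it. */
static int count_bad_parents(const Frame *owner, const Frame *list) {
    int bad = 0;
    for (const Frame *kid = list; kid; kid = kid->next_sibling) {
        if (kid->parent != owner) bad++;
        bad += count_bad_parents(kid, kid->first_child);
    }
    return bad;
}

/* Models GetContainingBlock(): walk mParent upwards to the nearest block frame.
 * Returns 1 if the walk completed, 0 if it reached a poisoned frame (the
 * real browser's deterministic, safe crash point). */
static int walk_to_containing_block(const Frame *f) {
    for (const Frame *p = f->parent; p; p = p->parent) {
        if ((uintptr_t)p->vtable == kPoisonPtr) return 0;
        if (p->is_block) return 1;
    }
    return 1;
}

typedef struct { int parent_is_foreign_object, bad_parents, walk_ok; } Outcome;

/* Rebuilds the relevant path of the frame dump in comment 9. fo_has_bit says
 * whether the foreignObject frame carries NS_FRAME_IS_SVG_TEXT (1 = as reported). */
static Outcome run_scenario(int fo_has_bit) {
    Outcome o;
    Frame *root = NULL, *abs_list = NULL;   /* abs_list: the canvas's AbsoluteList */
    g_used = 0;
    Frame *canvas = new_frame(NULL, &root, 0, 1);                       /* Canvas */
    Frame *body   = new_frame(canvas, &canvas->first_child, 0, 1);      /* Block(body) */
    Frame *outer  = new_frame(body, &body->first_child, 0, 0);          /* SVGOuterSVG */
    Frame *text   = new_frame(outer, &outer->first_child, 1, 0);        /* SVGText */
    Frame *tblock = new_frame(text, &text->first_child, 1, 1);          /* Block(text) */
    Frame *fo     = new_frame(tblock, &tblock->first_child, fo_has_bit, 0); /* foreignObject */
    /* The abs-pos <svg> inside foreignObject: mParent from geometric_parent(),
     * but the frame itself lives in the canvas's absolute list. */
    Frame *abs_svg = new_frame(geometric_parent(fo, canvas, 1), &abs_list, 0, 0);
    o.parent_is_foreign_object = (abs_svg->parent == fo);
    o.bad_parents = count_bad_parents(canvas, canvas->first_child) + count_bad_parents(canvas, abs_list);
    /* "Replace the body's content": the body's subtree is destroyed, but abs_svg
     * is not in it, so it survives with whatever mParent it had. */
    for (Frame *kid = body->first_child, *next; kid; kid = next) {
        next = kid->next_sibling;
        destroy_subtree(kid);
    }
    body->first_child = NULL;
    o.walk_ok = walk_to_containing_block(abs_svg);
    return o;
}
```

With the state bit present the invariant check already reports the mis-parented frame before anything is destroyed, which is the point where a debug assertion catches this class of bug; without it the abs-pos frame is parented to the canvas and the walk completes.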
(In reply to Daniel Holbert [:dholbert] from comment #12)
> Next question: why does the foreignObject frame have that state-bit set? Its
> *parent* is a SVG text frame, but *it* isn't one. Looking into that now...

Hmm, NS_FRAME_IS_SVG_TEXT is documented as "The frame is a descendant of SVGTextFrame and is thus used for SVG text layout". That is technically true here (in that the nsSVGContainerFrame is a child of a SVGTextFrame. Not sure it participates much in SVG text layout, though).

heycam, do you know what's supposed to happen here?
Flags: needinfo?(cam)
We shouldn't have an nsSVGContainerFrame child of an SVGTextFrame.  An SVGTextFrame should have a single, anonymous nsBlockFrame, which itself should only have nsInlineFrame, nsFirstLetterFrame and nsFirstLineFrame descendants.  So it's certainly wrong to have the foreignObject frame in there, but that's probably why it's incorrectly getting the NS_FRAME_IS_SVG_TEXT bit set on it.
Flags: needinfo?(cam)
(In reply to Cameron McCormack (:heycam) from comment #14)
> We shouldn't have an nsSVGContainerFrame child of an SVGTextFrame.  An
> SVGTextFrame should have a single, anonymous nsBlockFrame, which itself
> should only have nsInlineFrame, nsFirstLetterFrame and nsFirstLineFrame
> descendants.

Sorry, right -- the nsSVGContainerFrame is not a child, but is a *grandchild* of the SVGTextFrame. (It's inside of the single anonymous block -- it's the "Frame(foreignObject)" in my frame dump in comment 9.)

It sounds like that's still unexpected though. How do we enforce our expectations on the things that the anonymous block frame can contain?
(In reply to Daniel Holbert [:dholbert] from comment #15)
> It sounds like that's still unexpected though. How do we enforce our
> expectations on the things that the anonymous block frame can contain?

That should be handled by nsCSSFrameConstructor.  Specifically, in FindSVGData there is a block |if (aIsWithinSVGText)| that should be ensuring we don't construct regular SVG frames for non-text-related elements.
Oh, I see the problem; earlier in FindSVGData we check for failing conditional processing attributes, and return sContainerData.
Assignee: nobody → cam
Status: NEW → ASSIGNED
This fixes the bug, though I don't have confidence that it's the right fix (particularly given comment 17). Posting it anyway, though, FWIW & since it might still be useful.

I noticed this check...
> 3848       if (bits & FCDATA_FORCE_NULL_ABSPOS_CONTAINER) {
...while stepping through the code right after we've created the anonymous block container.

If we add this FCDATA bit for SVGTextFrames, then it looks like we successfully block our children from discovering any abspos containers, which somewhat tangentially fixes this bug.
Attachment #8633820 - Attachment description: possible fix: force → possible fix: force null abspos container
Assignee: cam → dholbert
Yeah, I think this isn't the right fix.  I believe that we'll also incorrectly create an nsSVGContainerFrame for content like

  <text>
    <tspan requiredFeatures="blah">...

so we really need to fix this inside FindSVGData.
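A reduced model of the FindSVGData decision order discussed in comments 16, 17 and 19, added here as an example rather than Gecko's own code (the element struct, the tag list and the enum are simplifications): the pre-fix ordering hands an element with failing conditional processing attributes a container frame even inside <text>, while the post-fix ordering suppresses the frame there and keeps the container only outside <text>.

```cpp
#include <string>

// Simplified stand-ins for the frame-construction data FindSVGData returns;
// the real function returns pointers to static FrameConstructionData.
enum class SvgFrameData { Suppress, Container, TextChild, Regular };

// Constructed element model: only the two facts this bug turns on.
struct SvgElement {
  std::string tag;
  bool conditionalProcessingFails;  // e.g. requiredFeatures="blah"
};

// Elements allowed to produce frames under SVGTextFrame's anonymous block
// (hypothetical list for this model).
static bool IsTextChildTag(const std::string& tag) {
  return tag == "tspan" || tag == "textPath" || tag == "a";
}

// Pre-fix ordering (the bug): the conditional-processing check runs first,
// so a failing <tspan> or <foreignObject> inside <text> still gets a
// non-display container frame that SVGTextFrame's block never expects.
SvgFrameData FindSVGDataBefore(const SvgElement& e, bool aIsWithinSVGText) {
  if (e.conditionalProcessingFails) {
    return SvgFrameData::Container;                     // sContainerData
  }
  if (aIsWithinSVGText) {
    return IsTextChildTag(e.tag) ? SvgFrameData::TextChild
                                 : SvgFrameData::Suppress;  // sSuppressData
  }
  return SvgFrameData::Regular;
}

// Post-fix ordering: inside <text>, failing conditional processing suppresses
// the frame entirely; outside <text>, keep the container frame so paint
// servers inside such elements can still be referenced.
SvgFrameData FindSVGDataAfter(const SvgElement& e, bool aIsWithinSVGText) {
  if (e.conditionalProcessingFails) {
    return aIsWithinSVGText ? SvgFrameData::Suppress    // sSuppressData
                            : SvgFrameData::Container;  // sContainerData
  }
  if (aIsWithinSVGText) {
    return IsTextChildTag(e.tag) ? SvgFrameData::TextChild
                                 : SvgFrameData::Suppress;
  }
  return SvgFrameData::Regular;
}

// Invariant from comment 14: nothing under SVGTextFrame's anonymous block
// may be a non-display nsSVGContainerFrame.
bool TextBlockInvariantHolds(SvgFrameData d) {
  return d != SvgFrameData::Container;
}
```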
[assignee-tag! (post IRC discussion.) Thanks for taking. :)]
Assignee: dholbert → cam
Posted patch patch (obsolete) — Splinter Review
I think this is what we need to do.  I want to add a comment explaining why we create a non-display container frame for elements with failing conditional processing attributes, but I don't know why we do.
Jonathan/Robert, any idea why we create non-display container frames for SVG elements with failing conditional processing attributes?
Flags: needinfo?(longsonr)
Flags: needinfo?(jwatt)
Any suggestions on a rating for this security issue?
From looking at earlier bugs where we're crashing on a frame-poisoning address (e.g. bug 1015844, bug 947158), it looks like we tag them as "csectype-framepoisoning, sec-other".

(And I think this is non-exploitable; frame poisoning means the deref that triggers this crash is guaranteed to be a safe crash.)
Comment on attachment 8633845 [details] [diff] [review]
patch

How about we get this in and fix up the comment later.
Attachment #8633845 - Flags: review?(dholbert)
This looks fine, but I think you might be able to fix up the comment sooner...

(In reply to Cameron McCormack (:heycam) from comment #22)
> Jonathan/Robert, any idea why we create non-display container frames for SVG
> elements with failing conditional processing attributes?

hg archeology shows that you were actually the one to implement this sContainerData special-case return. :)  It was back in 2010, in this changeset for bug 615146:
  http://hg.mozilla.org/mozilla-central/rev/bb43b6a9b621#l1.36

and there were some later tweaks here:
  http://hg.mozilla.org/mozilla-central/rev/395fac6a7de4#l3.12

Maybe there's enough information on those bugs to help you fill out the comment?
Flags: needinfo?(cam)
Oh, excellent, thank you.  I had a suspicion it was related to <use> but wasn't sure!
Flags: needinfo?(cam)
Reading through bug 614265 it is for references to paint servers in non-displayed subtrees rather than <use> (which uses a different mechanism for tracking the referent that doesn't need frames to be around).
Posted patch patch v2 (obsolete) — Splinter Review
Attachment #8633845 - Attachment is obsolete: true
Attachment #8633845 - Flags: review?(dholbert)
Flags: needinfo?(longsonr)
Flags: needinfo?(jwatt)
Attachment #8635050 - Flags: review?(dholbert)
Comment on attachment 8635050 [details] [diff] [review]
patch v2

Review of attachment 8635050 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, just two nits on the filled-in comment:

::: layout/base/nsCSSFrameConstructor.cpp
@@ +5190,5 @@
> +      return &sSuppressData;
> +    }
> +    // Outside of <text>, create an nsSVGContainerFrame (which is a frame
> +    // that doesn't render) so that references to paint servers within elements
> +    // with failing conditional processing attributes still work.
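Review bot: the comment in this hunk explains only the outside-of-<text> branch; if the `return &sSuppressData;` branch above it is not already commented in the surrounding (unshown) context, a one-line note there that SVGTextFrame's anonymous block must not contain an nsSVGContainerFrame (comment 14) would make the two branches symmetric and record why suppression, not a container, is the right answer inside <text>.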

Two language nits here:

 (1) "Outside of <text>..." sounds a bit like it means "Wrapping each <text> node...". Let's make that less ambiguous.

Maybe s/Outside of <text>,/If we're not inside of <text>,/

 (2) The last phrase is ambiguous: "references to paint servers within elements with failing conditional processing".  It's unclear whether the *references* are within [...], or the *paint servers* are within [...].

Please clarify along the lines of
"so that paint servers can still be referenced, even if they live inside an element with failing conditional processing attributes".
Attachment #8635050 - Flags: review?(dholbert) → review+
Attachment #8635050 - Attachment is obsolete: true
Comment on attachment 8635063 [details] [diff] [review]
patch v2.1 r=dholbert

Approval Request Comment
[Feature/regressing bug #]: bug 655877
[User impact if declined]: odd SVG content can cause a safe crash
[Describe test coverage new/current, TreeHerder]: tested locally, just landed on inbound with tests
[Risks and why]: low, this is just choosing to create no frame for some elements rather than an unexpected frame
[String/UUID change made/needed]: N/A
Attachment #8635063 - Flags: approval-mozilla-beta?
Attachment #8635063 - Flags: approval-mozilla-aurora?
Blocks: svgtext
Comment on attachment 8635063 [details] [diff] [review]
patch v2.1 r=dholbert

dholbert tells me there is no risk of regression due to returning no frame. With that I'm satisfied that we should take this simple crash fix in beta6. Beta+ Aurora+
Attachment #8635063 - Flags: approval-mozilla-beta?
Attachment #8635063 - Flags: approval-mozilla-beta+
Attachment #8635063 - Flags: approval-mozilla-aurora?
Attachment #8635063 - Flags: approval-mozilla-aurora+
(In reply to Lawrence Mandel [:lmandel] (use needinfo) from comment #36)
> dholbert tells me there is no risk of regression due to returning no frame.

(Elaborating slightly: IIUC, the only way this could cause a regression would be by breaking paint servers (gradients, patterns, etc) that are defined inside of SVG <text> nodes. And per comment 14, I think those already wouldn't be expected to work. Hence, I don't see any obvious way that this would cause a regression.)
If this is a safe crash and a sec-other, can we open this?

Francisco, can you verify that this is fixed in a current nightly build?
Flags: needinfo?(rs)
Al Billings, tested and seems to be fixed in current nightly build.
Flags: needinfo?(rs)
(In reply to Al Billings [:abillings] from comment #40)
> If this is a safe crash and a sec-other, can we open this?

Probably?  I'm not sure what our normal procedure/timeline is for opening bugs about crashes that are mitigated with frame-poisoning.  (This is indeed a safe crash, though.)
Let's get Dan's opinion since he normally opens bugs.
Flags: needinfo?(dveditz)
Whiteboard: [post-critsmash-triage]
Group: core-security
Flags: needinfo?(dveditz)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main40-]
Minusing for bounty since this turns out to be a safe crash mitigated by frame poisoning.
Flags: sec-bounty? → sec-bounty-
Duplicate of this bug: 897384