Closed Bug 1243337 Opened 8 years ago Closed 8 years ago

MOZ_CRASH(shouldn't depend on this context) in txEarlyEvalContext::getPrivateContext()

Categories

(Core :: XSLT, defect)

1.9.1 Branch
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla47
Tracking Status
firefox47 --- fixed

People

(Reporter: nicolas.gregoire, Assigned: sicking)

Details

(Keywords: crash, regression, testcase, Whiteboard: [sg:dos])

Attachments

(1 file)

Tested on latest Firefox 44 compiled with ASan+debug

Description: assertion MOZ_CRASH hit (+ crash) via generate-id()

XSLT:

<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
 <xsl:template match="/">
  <xsl:value-of select="generate-id(33/foo)"/>
 </xsl:template>
</xsl:stylesheet>

Output:

Hit MOZ_CRASH(shouldn't depend on this context) at /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xpath/txXPathOptimizer.cpp:35
ASAN:SIGSEGV
=================================================================
==30584==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f68097a1e66 sp 0x7fff23887e70 bp 0x7fff23887e70 T0)
    #0 0x7f68097a1e65 in txEarlyEvalContext::getPrivateContext() /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xpath/txXPathOptimizer.cpp:35
    #1 0x7f68097b02be in GenerateIdFunctionCall::evaluate(txIEvalContext*, txAExprResult**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txGenerateIdFunctionCall.cpp:41
    #2 0x7f680979f7d5 in txXPathOptimizer::optimize(Expr*, Expr**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xpath/txXPathOptimizer.cpp:79
    #3 0x7f6809780943 in txExprParser::createExprInternal(nsAString_internal const&, unsigned int, txIParseContext*, Expr**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xpath/txExprParser.cpp:180
    #4 0x7f68097f82cd in getExprAttr(txStylesheetAttr*, int, nsIAtom*, bool, txStylesheetCompilerState&, nsAutoPtr<Expr>&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txStylesheetCompileHandlers.cpp:184
    #5 0x7f68097ff7bc in txFnStartValueOf(int, nsIAtom*, nsIAtom*, txStylesheetAttr*, int, txStylesheetCompilerState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txStylesheetCompileHandlers.cpp:2438
    #6 0x7f68097e245a in txStylesheetCompiler::startElementInternal(int, nsIAtom*, nsIAtom*, txStylesheetAttr*, int) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txStylesheetCompiler.cpp:295
    #7 0x7f68097bee6a in handleNode(nsINode*, txStylesheetCompiler*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp:547
    #8 0x7f68097beeba in handleNode(nsINode*, txStylesheetCompiler*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp:560
    #9 0x7f68097beeba in handleNode(nsINode*, txStylesheetCompiler*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp:560
    #10 0x7f68097bf02a in handleNode(nsINode*, txStylesheetCompiler*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp:578
    #11 0x7f68097bf77e in TX_CompileStylesheet(nsINode*, txMozillaXSLTProcessor*, txStylesheet**) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaStylesheetCompiler.cpp:722
    #12 0x7f68097cc9a8 in txMozillaXSLTProcessor::ImportStylesheet(nsIDOMNode*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:613
    #13 0x7f68097d03e4 in txMozillaXSLTProcessor::ImportStylesheet(nsINode&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xslt/txMozillaXSLTProcessor.cpp:1306
    #14 0x7f68080023a7 in mozilla::dom::XSLTProcessorBinding::importStylesheet(JSContext*, JS::Handle<JSObject*>, txMozillaXSLTProcessor*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/obj-firefox/dom/bindings/./XSLTProcessorBinding.cpp:43
    #15 0x7f680868b1ce in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/bindings/BindingUtils.cpp:2691
    #16 0x7f680ca05142 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jscntxtinlines.h:235
    #17 0x7f680c9cb9ac in js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:772:16
    #18 0x7f680c9f7add in Interpret(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:3105
    #19 0x7f680c9e3990 in js::RunScript(JSContext*, js::RunState&) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:725
    #20 0x7f680ca06e42 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1000
    #21 0x7f680ca079ab in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/vm/Interpreter.cpp:1034
    #22 0x7f680c6b0c4c in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Value*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4598
    #23 0x7f680c6b0992 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/src/jsapi.cpp:4624
    #24 0x7f68062cd7d4 in ProcessFile(mozilla::dom::AutoJSAPI&, char const*, _IO_FILE*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:876
    #25 0x7f68062cda73 in Process(mozilla::dom::AutoJSAPI&, char const*, bool) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:929
    #26 0x7f680626e12f in ProcessArgs(mozilla::dom::AutoJSAPI&, char**, int, XPCShellDirProvider*) /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1128
    #27 0x7f680626b7c2 in XRE_XPCShellMain /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/src/XPCShellImpl.cpp:1546
    #28 0x48a94f in main /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/js/xpconnect/shell/xpcshell.cpp:54
    #29 0x7f67ff9a4ec4 (/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #30 0x48a6cc in _start (/home/azureuser/ff-44/xpcshell+0x48a6cc)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-d-0000000000000/build/src/dom/xslt/xpath/txXPathOptimizer.cpp:35 txEarlyEvalContext::getPrivateContext()

Live demo:

http://nicob.net/firefox-aeshooT3/Bug-3/crasher.xml
Confirming the crash: bp-0c8b3149-fd75-4cb1-bcf4-72bc92160130
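The top three frames of the trace show the mechanism: txXPathOptimizer::optimize() tries to constant-fold the expression while the stylesheet is being compiled, so it calls GenerateIdFunctionCall::evaluate() with a txEarlyEvalContext, and that context's getPrivateContext() is the deliberate MOZ_CRASH. The C++ below is an added, simplified model of that pattern written for this page; it is not Gecko's code and does not reproduce the patch attached to this bug. The Sensitivity flags, the class names, the exception standing in for MOZ_CRASH, and the fix being modelled as generate-id() declaring a PRIVATE_CONTEXT dependence are all assumptions.

```cpp
#include <stdexcept>
#include <string>

// Simplified model of Gecko's Expr::ContextSensitivity flags (an assumption).
enum Sensitivity : unsigned { NO_CONTEXT = 0, NODE_CONTEXT = 1, PRIVATE_CONTEXT = 2 };

struct EvalContext {
    virtual void* getPrivateContext() = 0;
};
// Stand-in for txEarlyEvalContext, the compile-time context used to fold "constant"
// expressions. The real one hits MOZ_CRASH in getPrivateContext(); the model throws
// instead so a test can observe that the crash site was reached.
struct EarlyEvalContext : EvalContext {
    void* getPrivateContext() override { throw std::logic_error("shouldn't depend on this context"); }
};

struct Expr {
    virtual unsigned sensitivity() const = 0;   // contexts the result depends on
    virtual std::string evaluate(EvalContext& ctx) = 0;
};
// A step such as "foo" depends on the context node; "33/foo" is rooted at a literal and does not.
struct Step : Expr {
    unsigned sensitivity() const override { return NODE_CONTEXT; }
    std::string evaluate(EvalContext&) override { return "<nodeset>"; }
};
struct LiteralPath : Expr {
    unsigned sensitivity() const override { return NO_CONTEXT; }
    std::string evaluate(EvalContext&) override { return "<empty>"; }
};
// generate-id(arg) needs the processor's private state to mint ids. declaresPrivate=false
// reports only the argument's sensitivity (assumed pre-fix behaviour); true also declares
// the PRIVATE_CONTEXT dependence so the optimizer leaves the call for run time.
struct GenerateId : Expr {
    Expr& arg; bool declaresPrivate;
    GenerateId(Expr& a, bool d) : arg(a), declaresPrivate(d) {}
    unsigned sensitivity() const override {
        return arg.sensitivity() | (declaresPrivate ? PRIVATE_CONTEXT : NO_CONTEXT);
    }
    std::string evaluate(EvalContext& ctx) override {
        ctx.getPrivateContext();                // first thing the real evaluate() does
        return "id-of-" + arg.evaluate(ctx);
    }
};

// Optimizer: fold only what depends on no context. "crash-site" means the bug reproduced.
std::string optimize(Expr& e) {
    if (e.sensitivity() != NO_CONTEXT) return "kept";
    EarlyEvalContext early;
    try { e.evaluate(early); return "folded"; } catch (const std::logic_error&) { return "crash-site"; }
}
```

With a context-dependent argument such as generate-id(foo) the optimizer never folds, which is why the testcase needs the context-free 33/foo to reach the crash site.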

This is an intentional crash so I don't see how it could be exploited, but it is an unexpected error and a DoS.

Nick: can we unhide this one? Looks like you introduced these in bug 1117593.
Group: core-security → dom-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(n.nethercote)
Keywords: crash, testcase
I can take this.

This doesn't seem exploitable so I'll open it.
Assignee: nobody → jonas
Group: dom-core-security
Thanks, Jonas!
Flags: needinfo?(n.nethercote)
Flags: sec-bounty?
Attached patch xslt1 (Splinter Review)
I think this is a regression from bug 640339. But it's never been exploitable as far as I can tell.
Attachment #8714602 - Flags: review?(peterv)
Attachment #8714602 - Flags: review?(peterv) → review+
https://hg.mozilla.org/mozilla-central/rev/f747eed25488
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla47
Minusing for bounty as it isn't an exploitable security issue.
Flags: sec-bounty? → sec-bounty-
Keywords: regression
Whiteboard: [sg:dos]
Version: 44 Branch → 1.9.1 Branch