ASAN SEGV in nsIFrame::GetUsedMargin

VERIFIED DUPLICATE of bug 1272983

Product: Core
Component: Layout

People

(Reporter: Nils, Unassigned)

Tracking

Version: 49 Branch
Bug Flags: sec-bounty -

Firefox Tracking Flags

(Not tracked)

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
The following testcase crashes the latest ASAN build of Firefox (buildId 20160523171639).

Testcase:

<script>
// Reporter's testcase: puts an SVG <circle> inside <body>, turns on
// designMode so an editor and caret get attached to the document, then sets
// margin-left:auto on the circle. The crash is reached through the caret
// geometry path (nsCaret::GetGeometryForFrame -> GetUsedMargin) in the
// ASAN stack below.
function start() {
        o1=window.document.documentElement;
        o5=o1.lastChild;                  // <body>
        o5.innerHTML=unescape("<svg baseProfile><circle transform ></circle>");
        o16=o5.querySelectorAll('*')[1];  // the <circle>
        document.designMode='on';         // make the whole document editable
        o16.style.marginLeft="auto";      // 'auto' margin on the SVG element
}
</script>
<body onload="start()"></body>


ASAN output:

ASAN:SIGSEGV
=================================================================
==31249==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffc00000000 (pc 0x7f60cdbe1681 sp 0x7ffc374b9100 bp 0x7ffc374b9130 T0)
    #0 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:96
    #1 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:193
    #2 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:321
    #3 0x7f60cdbe1680 in GetMarginNoPercentage /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleStruct.h:839
    #4 0x7f60cdbe1680 in nsIFrame::GetUsedMargin() const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:970
    #5 0x7f60cdb13ae5 in nsIFrame::GetLogicalUsedMargin(mozilla::WritingMode) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsIFrame.h:969
    #6 0x7f60cdbe6575 in nsFrame::GetLogicalBaseline(mozilla::WritingMode) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:1428
    #7 0x7f60cd95deab in nsCaret::GetGeometryForFrame(nsIFrame*, int, int*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCaret.cpp:322
    #8 0x7f60cd9603d5 in nsCaret::GetGeometry(nsISelection*, nsRect*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsCaret.cpp:423
    #9 0x7f60cb9dd24d in mozilla::ContentEventHandler::Init(mozilla::WidgetQueryContentEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/ContentEventHandler.cpp:211
    #10 0x7f60cb9e4fc9 in mozilla::ContentEventHandler::OnQueryTextContent(mozilla::WidgetQueryContentEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/ContentEventHandler.cpp:1217
    #11 0x7f60cba4d9b4 in mozilla::IMEContentObserver::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/IMEContentObserver.cpp:742
    #12 0x7f60cb9a54d0 in mozilla::EventStateManager::HandleQueryContentEvent(mozilla::WidgetQueryContentEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventStateManager.cpp:870
    #13 0x7f60cb9a3708 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventStateManager.cpp:595
    #14 0x7f60cdacd35f in PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:8448
    #15 0x7f60cdac6e0a in PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:8174
    #16 0x7f60cd0ee9bb in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/view/nsViewManager.cpp:814
    #17 0x7f60cd0e6fc9 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/view/nsView.cpp:1121
    #18 0x7f60cd130ffc in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/PuppetWidget.cpp:345
    #19 0x7f60cd108bf2 in mozilla::ContentCacheInChild::CacheText(nsIWidget*, mozilla::widget::IMENotification const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/ContentCache.cpp:258
    #20 0x7f60cd108928 in mozilla::ContentCacheInChild::CacheAll(nsIWidget*, mozilla::widget::IMENotification const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/ContentCache.cpp:137
    #21 0x7f60cd13416c in mozilla::widget::PuppetWidget::NotifyIMEOfFocusChange(mozilla::widget::IMENotification const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/PuppetWidget.cpp:743
    #22 0x7f60cd133e1c in mozilla::widget::PuppetWidget::NotifyIMEInternal(mozilla::widget::IMENotification const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/PuppetWidget.cpp:634
    #23 0x7f60cd0fdf0a in nsBaseWidget::NotifyIME(mozilla::widget::IMENotification const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseWidget.cpp:1816
    #24 0x7f60cba4b72b in mozilla::IMEStateManager::NotifyIME(mozilla::widget::IMENotification const&, nsIWidget*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/IMEStateManager.cpp:1381
    #25 0x7f60cba578dc in mozilla::IMEContentObserver::IMENotificationSender::SendFocusSet() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/IMEContentObserver.cpp:1604
    #26 0x7f60cba5663c in mozilla::IMEContentObserver::IMENotificationSender::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/IMEContentObserver.cpp:1499
    #27 0x7f60cba55c45 in mozilla::IMEContentObserver::TryToFlushPendingNotifications() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/IMEContentObserver.cpp:1410
    #28 0x7f60cd2be659 in nsEditorEventListener::Focus(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsEditorEventListener.cpp:1126
    #29 0x7f60cd2ba5c2 in nsEditorEventListener::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/editor/libeditor/nsEditorEventListener.cpp:462
    #30 0x7f60cba388b4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1111
    #31 0x7f60cba3a813 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventListenerManager.cpp:1283
    #32 0x7f60cba17921 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:379
    #33 0x7f60cba1bd3c in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/events/EventDispatcher.cpp:710
    #34 0x7f60c99d0be3 in FocusBlurEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFocusManager.cpp:1985
    #35 0x7f60c952852b in nsContentUtils::AddScriptRunner(already_AddRefed<nsIRunnable>) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsContentUtils.cpp:5016
    #36 0x7f60c95264cc in nsContentUtils::AddScriptRunner(nsIRunnable*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsContentUtils.cpp:5023
    #37 0x7f60c9978d30 in nsFocusManager::SendFocusOrBlurEvent(mozilla::EventMessage, nsIPresShell*, nsIDocument*, nsISupports*, unsigned int, bool, bool, mozilla::dom::EventTarget*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFocusManager.cpp:2071
    #38 0x7f60c996fd1f in nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool, nsIContent*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFocusManager.cpp:1856
    #39 0x7f60c99767bd in nsFocusManager::WindowShown(mozIDOMWindowProxy*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsFocusManager.cpp:892
    #40 0x7f60cda9f41d in PresShell::UnsuppressAndInvalidate() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:3820
    #41 0x7f60cd9ef794 in nsDocumentViewer::LoadComplete(nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsDocumentViewer.cpp:1027
    #42 0x7f60ce73549d in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7533
    #43 0x7f60ce7318a4 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/docshell/base/nsDocShell.cpp:7334
    #44 0x7f60ce7386cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/docshell/base/Unified_cpp_docshell_base0.cpp:7341
    #45 0x7f60c8aa2e8b in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:1250
    #46 0x7f60c8aa2173 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:834
    #47 0x7f60c8a9ee53 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:724
    #48 0x7f60c8aa112f in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/uriloader/base/nsDocLoader.cpp:608
    #49 0x7f60c8aa1b3c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/uriloader/base/Unified_cpp_uriloader_base0.cpp:612
    #50 0x7f60c6f0a594 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/src/netwerk/base/nsLoadGroup.cpp:633
    #51 0x7f60c992999c in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9229
    #52 0x7f60c99d302f in nsUnblockOnloadEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/base/nsDocument.cpp:9182
    #53 0x7f60c6d3d8db in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1073
    #54 0x7f60c6db7e2a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290
    #55 0x7f60c7ac756e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:98
    #56 0x7f60c7a3c22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #57 0x7f60c7a3c22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #58 0x7f60c7a3c22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #59 0x7f60cd150447 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156
    #60 0x7f60cf16b342 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:809
    #61 0x7f60c7a3c22c in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:235
    #62 0x7f60c7a3c22c in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #63 0x7f60c7a3c22c in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #64 0x7f60cf16aa21 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:644
    #65 0x48df67 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:231
    #66 0x7f60c457882f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #67 0x48cb3c in _start (/home/nils/fuzzer3/firefox/plugin-container+0x48cb3c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:96 ToLength
==31249==ABORTING
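A report like the one above is the raw artefact a fuzzing pipeline has to dedupe before filing, and the dupe decision in the comments below is made by comparing stacks. The following Python is an added example (not the reporter's tooling and not Mozilla code) that parses reports in this layout into a build-independent stack signature: it strips the build-slave path prefix, collapses the inlined frames that share one pc (#0-#4 above), drops parameter lists, and classifies the faulting address. All three sample reports in it are constructed: the first is an excerpt of the report above, the second is an invented re-run of the same crash from another build and process, and the third is an unrelated near-null crash with placeholder names such as example_read.

```python
"""Triage helper for AddressSanitizer reports in the layout shown in this bug.

Added example; not code from the bug, the reporter's fuzzer or Mozilla.  It
parses the ==PID==ERROR line and the "#N 0x... in func file:line" frames,
normalises them and derives a stack signature so that reports from different
builds, PIDs or ASLR layouts can be recognised as one crash.  All sample
reports below are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

ERROR_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+)"
    r"(?: on (?:unknown )?address (?P<addr>0x[0-9a-fA-F]+))?")
FRAME_RE = re.compile(
    r"^\s*#\d+\s+(?P<pc>0x[0-9a-fA-F]+)\s+in\s+(?P<func>.+?)\s+(?P<loc>\S+)$")
# Mozilla's ASAN builds prefix every path with the build-slave tree; strip it
# so a signature does not depend on which slave produced the build.
SRC_PREFIX_RE = re.compile(r"^.*?/build/src/")

@dataclass
class Frame:
    pc: int
    func: str  # normalised: parameter list and trailing " const" removed
    loc: str   # path relative to the build tree, with line number

@dataclass
class AsanReport:
    pid: int
    kind: str
    addr: int | None
    frames: list[Frame] = field(default_factory=list)

    def signature(self, depth: int = 4) -> str:
        """Kind plus the first `depth` distinct function names; consecutive
        repeats (the three inlined ToLength frames) collapse to one."""
        names: list[str] = []
        for f in self.frames:
            if not names or names[-1] != f.func:
                names.append(f.func)
            if len(names) == depth:
                break
        return "|".join([self.kind] + names)

    def address_class(self) -> str:
        # Coarse bucket for the faulting address, used when prioritising.
        if self.addr is None:
            return "n/a"
        return "near-null" if self.addr < 0x10000 else "wild"

def normalise_func(raw: str) -> str:
    """'nsIFrame::GetUsedMargin() const' -> 'nsIFrame::GetUsedMargin'."""
    return raw.split("(", 1)[0].removesuffix(" const").strip()

def parse_asan_report(text: str) -> AsanReport:
    report: AsanReport | None = None
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m and report is None:
            addr = int(m["addr"], 16) if m["addr"] else None
            report = AsanReport(pid=int(m["pid"]), kind=m["kind"], addr=addr)
            continue
        m = FRAME_RE.match(line)
        if m and report is not None:
            report.frames.append(Frame(int(m["pc"], 16), normalise_func(m["func"]),
                                       SRC_PREFIX_RE.sub("", m["loc"])))
    if report is None:
        raise ValueError("no AddressSanitizer ERROR line found")
    return report

def same_crash(a: AsanReport, b: AsanReport, depth: int = 4) -> bool:
    return a.signature(depth) == b.signature(depth)

# Constructed excerpt of the report in the bug (frames truncated after #5).
REPORT_A = """\
==31249==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffc00000000 (pc 0x7f60cdbe1681 sp 0x7ffc374b9100 bp 0x7ffc374b9130 T0)
    #0 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:96
    #1 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:193
    #2 0x7f60cdbe1680 in ToLength /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:321
    #3 0x7f60cdbe1680 in GetMarginNoPercentage /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleStruct.h:839
    #4 0x7f60cdbe1680 in nsIFrame::GetUsedMargin() const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:970
    #5 0x7f60cdb13ae5 in nsIFrame::GetLogicalUsedMargin(mozilla::WritingMode) const /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/generic/nsIFrame.h:969
"""
# Constructed: the same crash from another build slave and process.
REPORT_B = """\
==4242==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffd00000000 (pc 0x7f11aa0b2681 sp 0x7ffd1c2e9100 bp 0x7ffd1c2e9130 T0)
    #0 0x7f11aa0b2680 in ToLength /builds/slave/m-in-l64-asan-000000000000000/build/src/layout/style/nsStyleCoord.h:96
    #1 0x7f11aa0b2680 in GetMarginNoPercentage /builds/slave/m-in-l64-asan-000000000000000/build/src/layout/style/nsStyleStruct.h:839
    #2 0x7f11aa0b2680 in nsIFrame::GetUsedMargin() const /builds/slave/m-in-l64-asan-000000000000000/build/src/layout/generic/nsFrame.cpp:970
    #3 0x7f11a9fe4ae5 in nsIFrame::GetLogicalUsedMargin(mozilla::WritingMode) const /builds/slave/m-in-l64-asan-000000000000000/build/src/layout/generic/nsIFrame.h:969
"""
# Constructed with placeholder names: an unrelated near-null dereference.
REPORT_C = """\
==777==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000008 (pc 0x000000401234 bp 0x7ffd00000000 sp 0x7ffd00000000 T0)
    #0 0x401233 in example_read(example_t*) /tmp/example/example.cc:10
    #1 0x401301 in main /tmp/example/example.cc:20
"""

if __name__ == "__main__":
    a, b, c = (parse_asan_report(r) for r in (REPORT_A, REPORT_B, REPORT_C))
    for r in (a, b, c):
        print(r.pid, r.address_class(), r.signature())
    print("A == B:", same_crash(a, b), " A == C:", same_crash(a, c))
```

The signature depth of four frames is a tuning knob: too shallow and unrelated crashes in a hot helper such as ToLength collide, too deep and the same bug reached through different event paths (the caret/IME chain here versus another caller of GetUsedMargin) is filed twice. The address class is only a first-pass bucket; the report above lands in "wild", which says nothing more than that it is not a plain null dereference and needs a human look.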

Comment 1

The top few frames of the stack are in style, but it is layout a little deeper, so I'm going to move it over there for now. Adjust as appropriate.
Component: DOM: CSS Object Model → Layout
Group: core-security → layout-core-security

Comment 2

> The following testcase crashes the latest ASAN build of Firefox (buildId 20160523171639).

That's actually a build from a little over a week ago. And I can't reproduce using an ASAN build from today, downloaded from:
http://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-inbound-linux64-asan/1464747817/

Given the "margin:auto" usage (the last line of the testcase), I suspect this is a dupe of bug 1272983, whose fix hit mozilla-central on 5-24 (the day after the build ID mentioned here).

I'll test some other ASAN builds to be sure, though. Nils, if you could confirm that this is already fixed for you in an up-to-date ASAN build, that would be much appreciated, too!
Flags: needinfo?(nils)

Comment 3

Created attachment 8758529 [details]
reporter's testcase

Comment 4

Yup, I verified that the attached testcase gives me a crash with "ERROR: AddressSanitizer: SEGV" if I use an ASAN build from just before bug 1272983 hit mozilla-central:
https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1464092523/firefox-49.0a1.en-US.linux-x86_64-asan.tar.bz2 (BAD)

But I can load the testcase just fine in an ASAN build from just after:
https://archive.mozilla.org/pub/firefox/tinderbox-builds/mozilla-central-linux64-asan/1464094509/firefox-49.0a1.en-US.linux-x86_64-asan.tar.bz2 (GOOD)

So, looks like this is a dupe of bug 1272983.

(Leaving needinfo open to be sure I'm not missing anything that's still broken here.)
Status: NEW → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1272983
status-firefox49: affected → ---
(Reporter)

Comment 5

2 years ago
Can confirm that this doesn't repro anymore on the very latest ASAN builds. Could I get access to bug 1272983 ?
Flags: needinfo?(nils)

Comment 6

Thanks! And, CC'd you on that bug.
Status: RESOLVED → VERIFIED
Group: layout-core-security
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-