Closed
Bug 1322382
Opened 8 years ago
Closed 8 years ago
SEGV on unknown address [@ GetUnit]
Categories
(Core :: DOM: Animation, defect)
Core
DOM: Animation
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | fixed |
People
(Reporter: truber, Assigned: hiro)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [post-critsmash-triage])
Attachments
(3 files)
162 bytes,
text/html
|
Details | |
7.95 KB,
text/plain
|
Details | |
58 bytes,
text/x-review-board-request
|
birtles
:
review+
abillings
:
sec-approval+
|
Details |
The attached testcase causes a SEGV at an unknown high address in mozilla-central rev c2526f6786f0. ==23126==ERROR: AddressSanitizer: SEGV on unknown address 0x000297d74003 (pc 0x7f46b2617d07 bp 0x7ffe56745d60 sp 0x7ffe56745880 T0) #0 0x7f46b2617d06 in GetUnit /home/worker/workspace/build/src/layout/style/nsCSSValue.h:639:38 #1 0x7f46b2617d06 in nsStyleTransformMatrix::ReadTransforms(nsCSSValueList const*, nsStyleContext*, nsPresContext*, mozilla::RuleNodeCacheConditions&, nsStyleTransformMatrix::TransformReferenceBox&, float, bool*) /home/worker/workspace/build/src/layout/style/nsStyleTransformMatrix.cpp:929 #2 0x7f46b238121e in mozilla::StyleAnimationValue::GetScaleValue(nsIFrame const*) const /home/worker/workspace/build/src/layout/style/StyleAnimationValue.cpp:4732:25 #3 0x7f46b27c2983 in UpdateMinMaxScale /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:524:18 #4 0x7f46b27c2983 in GetMinAndMaxScaleForAnimationProperty /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:561 #5 0x7f46b27c2983 in nsLayoutUtils::ComputeSuitableScaleForAnimation(nsIFrame const*, nsSize const&, nsSize const&) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:591 #6 0x7f46b2f9b753 in ChooseScaleAndSetTransform /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5317:15 #7 0x7f46b2f9b753 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /home/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5478 #8 0x7f46b305bd9a in nsDisplayTransform::BuildLayer(nsDisplayListBuilder*, mozilla::layers::LayerManager*, mozilla::ContainerLayerParameters const&) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6384:38
Reporter | ||
Comment 1•8 years ago
|
||
Assignee | ||
Comment 2•8 years ago
|
||
I have no idea how to fix this crash yet, but I leave a comment what's going on there. In case of 'details' element, frame reconstruction is processed, as a result, EffectCompositor::UpdateEffectProperties() is called, then the base style is cleared. After the clearing the base style, we have no luck with resolving the base style.
Assignee | ||
Comment 3•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=ba3adcc389f1c91b855720a8e67bd9a31e509e5b
Assignee: nobody → hiikezoe
Status: NEW → ASSIGNED
Comment hidden (mozreview-request) |
Comment 5•8 years ago
|
||
mozreview-review |
Comment on attachment 8817653 [details] Bug 1322382 - Add EffectCompositor::GetBaseStyle for nsIFrame. https://reviewboard.mozilla.org/r/97878/#review98242 ::: dom/animation/EffectCompositor.h:231 (Diff revision 1) > dom::Element& aElement, > CSSPseudoElementType aPseudoType); > > + // Returns the base style corresponding to |aFrame|. > + // This function should be called only after restyle process has done, i.e. > + // the |aFrame| has a resolved style context. Drop the "the" here, i.e. s/the |aFrame|/|aFrame/ ::: dom/animation/EffectCompositor.cpp:928 (Diff revision 1) > +/* static */ StyleAnimationValue > +EffectCompositor::GetBaseStyle(nsCSSPropertyID aProperty, > + const nsIFrame* aFrame) This should go immediately after the other GetBaseStyle. ::: dom/animation/EffectCompositor.cpp:938 (Diff revision 1) > + MOZ_ASSERT(pseudoElement, > + "The frame should have an associated element"); Should we assert pseudoElement && pseudoElement->mElement? (Seeing as we dereference mElement below) ::: dom/animation/EffectSet.h:202 (Diff revision 1) > + // Don't use this function directly, use EffectCompositor::GetBaseStyle() > + // instead. "This function is intended to be called by EffectCompositor::GetBaseStyle and should not be called directly." ? ::: layout/base/nsLayoutUtils.cpp:558 (Diff revision 1) > // We need to factor in the scale of the base style if the base style > // will be used on the compositor. > if (effect->NeedsBaseStyle(prop.mProperty)) { > - EffectSet* effects = EffectSet::GetEffectSet(aFrame); > StyleAnimationValue baseStyle = > - effects->GetBaseStyle(prop.mProperty); > + EffectCompositor::GetBaseStyle(eCSSProperty_transform, aFrame); Isn't it better to pass prop.mProperty here?
Attachment #8817653 -
Flags: review?(bbirtles) → review+
Comment hidden (mozreview-request) |
Pushed by hiikezoe@mozilla-japan.org: https://hg.mozilla.org/integration/autoland/rev/35209805acb4 Add EffectCompositor::GetBaseStyle for nsIFrame. r=birtles
Comment 9•8 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/35209805acb4
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
Updated•7 years ago
|
Group: dom-core-security
Updated•7 years ago
|
Group: dom-core-security → core-security-release
Comment 11•7 years ago
|
||
Hiro: please request sec-approval on this bug retroactively so we can evaluate it for other supported branches https://wiki.mozilla.org/Security/Bug_Approval_Process
Flags: needinfo?(hikezoe)
Keywords: sec-high
Assignee | ||
Comment 12•7 years ago
|
||
This is a regression by bug 1305325, I don't thinks it needs to be uplifted. I am sorry for less information.
Blocks: 1305325
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
Flags: needinfo?(hikezoe)
Assignee | ||
Comment 13•7 years ago
|
||
Comment on attachment 8817653 [details] Bug 1322382 - Add EffectCompositor::GetBaseStyle for nsIFrame. [Security approval request comment] How easily could an exploit be constructed based on the patch? A test case is included in the patch. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? A test case is included in the patch. Which older supported branches are affected by this flaw? Firefox 53. If not all supported branches, which bug introduced the flaw? Bug 1305325. Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This bug does not need backports. How likely is this patch to cause regressions; how much testing does it need? It's been for a month after landing the patch.
Attachment #8817653 -
Flags: sec-approval?
Comment 14•7 years ago
|
||
Comment on attachment 8817653 [details] Bug 1322382 - Add EffectCompositor::GetBaseStyle for nsIFrame. sec-approval+ for trunk.
Attachment #8817653 -
Flags: sec-approval? → sec-approval+
Updated•7 years ago
|
status-firefox-esr45:
--- → unaffected
Keywords: regression
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•