Closed
Bug 1324063
Opened 9 years ago
Closed 9 years ago
heap-use-after-free in FrameTransformProperties
Categories
(Core :: Graphics: Layers, defect)
Core
Graphics: Layers
Tracking
()
VERIFIED
FIXED
mozilla53
| Tracking | Status | |
|---|---|---|
| firefox-esr45 | --- | unaffected |
| firefox51 | --- | unaffected |
| firefox52 | --- | unaffected |
| firefox53 | --- | verified |
People
(Reporter: attekett, Assigned: hiro)
References
Details
(5 keywords, Whiteboard: probably will be fixed by bug 1322291)
Crash Data
Attachments
(1 file)
|
439 bytes,
text/html
|
Details |
Tested on:
OS: Ubuntu 16.04
Firefox:ASAN-build moz_source_stamp: bf6270d8941a0f246303e6f2f3231bdceb223a88
ASAN-trace:
=================================================================
==25530==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000401010 at pc 0x7f312d09559c bp 0x7f3111bc7c30 sp 0x7f3111bc7c28
WRITE of size 8 at 0x602000401010 thread T25 (Compositor)
#0 0x7f312d09559b in fetch_add /home/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.8.5/../../../../include/c++/4.8.5/bits/atomic_base.h:614:16
#1 0x7f312d09559b in add /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Atomics.h:254
#2 0x7f312d09559b in inc /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Atomics.h:286
#3 0x7f312d09559b in operator++ /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Atomics.h:609
#4 0x7f312d09559b in operator++ /home/worker/workspace/build/src/obj-firefox/dist/include/nsISupportsImpl.h:310
#5 0x7f312d09559b in AddRef /home/worker/workspace/build/src/obj-firefox/dist/include/nsCSSValue.h:1202
#6 0x7f312d09559b in AddRef /home/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:37
#7 0x7f312d09559b in AddRef /home/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:396
#8 0x7f312d09559b in RefPtr /home/worker/workspace/build/src/gfx/layers/../../mfbt/RefPtr.h:111
#9 0x7f312d09559b in FrameTransformProperties /home/worker/workspace/build/src/obj-firefox/dist/include/nsDisplayList.h:4240
#10 0x7f312d09559b in ApplyAnimatedValue /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:663
#11 0x7f312d09559b in operator() /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:811
#12 0x7f312d09559b in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
#13 0x7f312d095016 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#14 0x7f312d095016 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#15 0x7f312d040108 in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:699:7)> /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
#16 0x7f312d040108 in SampleAnimations /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:697
#17 0x7f312d040108 in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1470
#18 0x7f312d0da336 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:954:27
.
.
.
0x602000401010 is located 0 bytes inside of 16-byte region [0x602000401010,0x602000401020)
freed by thread T25 (Compositor) here:
#0 0x4b218b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7f312d094fbc in ~StyleAnimationValue /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleAnimationValue.h:477:28
#2 0x7f312d094fbc in operator() /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:816
#3 0x7f312d094fbc in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
#4 0x7f312d095016 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#5 0x7f312d095016 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_9ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
#6 0x7f312d040108 in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:699:7)> /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
#7 0x7f312d040108 in SampleAnimations /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:697
#8 0x7f312d040108 in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1470
#9 0x7f312d0da336 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:954:27
.
.
.
|
||
Comment 1•9 years ago
|
||
Crashed on Nightly with bp-9d6b44b7-e3fb-4a6d-ab65-421a52161216
Did not crash on Beta, but didn't try an ASAN build so can't definitely say this is a recent regression but I'm betting it is. Looks more like a layers (graphics) issue than a DOM issue.
Group: core-security → gfx-core-security
Component: DOM: Animation → Graphics: Layers
|
|
||
Comment 2•9 years ago
|
||
Don't crash on Aurora either.
|
|
||
Updated•9 years ago
|
Crash Signature: [@ mozilla::layers::ForEachNode<T> ]
Keywords: csectype-uaf
|
||
Comment 3•9 years ago
|
||
Regression range
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=6bdef7ba8b4108a996b9f61ef9f81c5ea6c93017&tochange=944f98dcb83b740910d547b97181258ed0890afe
-> bug 1305325
Blocks: 1305325
Flags: needinfo?(hiikezoe)
Flags: needinfo?(bbirtles)
Keywords: regressionwindow-wanted
|
Assignee | |
Comment 4•9 years ago
|
||
This will be fixed by bug 1322291.
Flags: needinfo?(hiikezoe)
Flags: needinfo?(bbirtles)
|
Reporter | |
Comment 5•9 years ago
|
||
Can someone give me access to bug 1322291? I have multiple slightly different crash reproducing files I want to check once the fix is available.
|
||
Comment 6•9 years ago
|
||
(In reply to Atte Kettunen from comment #5)
> Can someone give me access to bug 1322291? I have multiple slightly
> different crash reproducing files I want to check once the fix is available.
Done.
|
||
Comment 7•9 years ago
|
||
Atte, can you check whether this one still reproduces with bug 1322291 fixed?
Flags: needinfo?(attekett)
|
|
Reporter | |
Comment 9•9 years ago
|
||
Doesn't reproduce anymore. Also no similar stack traces on my cluster.
Flags: needinfo?(attekett)
|
|
||
Comment 10•9 years ago
|
||
Thank you for checking, Atte.
Marking this fixed by bug 132229.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
|
||
Updated•9 years ago
|
Assignee: nobody → hikezoe
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox53:
--- → fixed
status-firefox-esr45:
--- → unaffected
Target Milestone: --- → mozilla53
|
|
||
Updated•9 years ago
|
Group: gfx-core-security → core-security-release
|
||
Comment 11•9 years ago
|
||
Reproduced the issue with 53.0a1 (2016-12-16). The bug is verified fixed on 53.0b9 (20170403142625) (Windows 10 x64, Ubuntu 16.04 x64 and Mac OS X 10.11.6) and latest linux64-asan build (50.0b12 20161103181821).
Status: RESOLVED → VERIFIED
|
|
||
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•