Closed Bug 1366654 Opened 6 years ago Closed 6 years ago

AddressSanitizer: use-after-poison in [@CalcDifference] with READ of size 1

Categories

(Core :: Layout, defect, P3)

RESOLVED FIXED
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 --- fixed

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(5 keywords, Whiteboard: [adv-main57-][post-critsmash-triage])

Attachments

(1 file)

Found while fuzzing mozilla-central rev 20170520-5b74bbf20e80.  Will update with testcase once reduced.

==18047==ERROR: AddressSanitizer: use-after-poison on address 0x625000f06319 at pc 0x7f89354e0e0c bp 0x7ffc6a0d8470 sp 0x7ffc6a0d8468
READ of size 1 at 0x625000f06319 thread T0
    #0 0x7f89354e0e0b in CalcDifference /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:3747:7
    #1 0x7f89354e0e0b in nsChangeHint nsStyleContext::CalcStyleDifferenceInternal<nsStyleContext>(nsStyleContext*, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1068
    #2 0x7f89355b2f90 in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1294:18
    #3 0x7f89355ba593 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2701:7
    #4 0x7f89355b69f6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
    #5 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #6 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #7 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #8 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #9 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #10 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #11 0x7f89355c2f4f in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3120:16
    #12 0x7f89355aca84 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3531:3
    #13 0x7f89355abf6f in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
    #14 0x7f8935633c9c in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
    #15 0x7f8935633c9c in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #16 0x7f89355b0336 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23
    #17 0x7f89355b0336 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:498
    #18 0x7f89355f8d96 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #19 0x7f89355f8d96 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4175
    #20 0x7f89317928c1 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:590:5
    #21 0x7f89317928c1 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8103
    #22 0x7f89353bae7e in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:800:13
    #23 0x7f89353bc570 in nsComputedDOMStyle::GetPropertyCSSValue(nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:989:3
    #24 0x7f89353ba458 in nsComputedDOMStyle::GetPropertyValue(nsAString const&, nsAString&) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:380:26
    #25 0x7f8934fc897c in mozilla::CSSEditUtils::GetCSSInlinePropertyBase(nsINode*, nsIAtom*, nsAString&, mozilla::CSSEditUtils::StyleType) /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:541:5
    #26 0x7f893502e67f in GetComputedProperty /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:520:10
    #27 0x7f893502e67f in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsIDOMElement**) /home/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:91
    #28 0x7f893503b0a9 in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:353:7
    #29 0x7f89350ece3e in mozilla::HTMLEditor::EndUpdateViewBatch() /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:4820:10
    #30 0x7f8934fee5a2 in mozilla::EditorBase::EndPlaceHolderTransaction() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:967:7
    #31 0x7f89350e2e56 in ~AutoPlaceHolderBatch /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:170:16
    #32 0x7f89350e2e56 in mozilla::HTMLEditor::SetInlineProperty(nsIAtom*, nsAString const&, nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:222
    #33 0x7f89351a8c62 in nsHighlightColorStateCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:853:22
    #34 0x7f89351a5141 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
    #35 0x7f89333cc193 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
    #36 0x7f89333c3353 in DoCommandWithParams /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:152:25
    #37 0x7f89333c3353 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:140
    #38 0x7f89333c93eb in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:29
    #39 0x7f89339080d5 in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3345:18
    #40 0x7f8932dfeb9c in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
    #41 0x7f8933113b4e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
    #42 0x7f8938be2f03 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #43 0x7f8938be2f03 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #44 0x7f8938e05296 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2447:14
    #45 0x2fefd03302d2  (<unknown module>)

0x625000f06319 is located 4633 bytes inside of 8192-byte region [0x625000f05100,0x625000f07100)
allocated by thread T0 here:
    #0 0x4bb97c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f892ec8ab0f in AllocateChunk /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
    #2 0x7f892ec8ab0f in InternalAllocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
    #3 0x7f892ec8ab0f in Allocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
    #4 0x7f892ec8ab0f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
    #5 0x7f8935498adf in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
    #6 0x7f8935498adf in AllocateByObjectID /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:236
    #7 0x7f8935498adf in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:1144
    #8 0x7f8935498adf in nsRuleNode::ComputeBorderData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:7542
    #9 0x7f893545af1e in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2709:10
    #10 0x7f893392bae7 in nsStyleBorder const* nsRuleNode::GetStyleBorder<true>(nsStyleContext*) /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:124:1
    #11 0x7f89354dce8a in DoGetStyleBorder<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:124:1
    #12 0x7f89354dce8a in StyleBorder /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:124
    #13 0x7f89354dce8a in nsChangeHint nsStyleContext::CalcStyleDifferenceInternal<nsStyleContext>(nsStyleContext*, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1085
    #14 0x7f89355b2f90 in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1294:18
    #15 0x7f89355ba593 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2701:7
    #16 0x7f89355b69f6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
    #17 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
    #18 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
    #19 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
    #20 0x7f89355c2f4f in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3120:16
    #21 0x7f89355aca84 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3531:3
    #22 0x7f89355abf6f in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
    #23 0x7f8935633c9c in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
    #24 0x7f8935633c9c in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #25 0x7f89355b0336 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23
    #26 0x7f89355b0336 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:498
    #27 0x7f89355f8d96 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
    #28 0x7f89355f8d96 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4175
    #29 0x7f89317928c1 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:590:5
    #30 0x7f89317928c1 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8103
    #31 0x7f893157f1a0 in mozilla::dom::Element::GetPrimaryFrame(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/Element.cpp:2229:10
    #32 0x7f89338da20e in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:2958:8
    #33 0x7f8932e5cef4 in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:250:9
    #34 0x7f8933111fac in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2844:13
    #35 0x7f8938be2f03 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #36 0x7f8938be2f03 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #37 0x7f8938be453f in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
    #38 0x7f8938be453f in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
    #39 0x7f8938be453f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649
    #40 0x7f8939ab9822 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1912:16
    #41 0x7f8939ab9822 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1960
    #42 0x7f8939ab9822 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2191
    #43 0x7f8939ab9822 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2225
    #44 0x7f8938def7f7 in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1524:12
    #45 0x7f8938def7f7 in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:854
    #46 0x7f8938def7f7 in GetObjectElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:525
    #47 0x7f8938def7f7 in GetElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:630
    #48 0x7f8938def7f7 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:829
    #49 0x2fefd03308c2  (<unknown module>)
    #50 0x2fefd03258a5  (<unknown module>)
    #51 0x7f8938e2c722 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /home/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9

SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:3747:7 in CalcDifference
Shadow bytes around the buggy address:
  0x0c4a801d8c10: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c40: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
  0x0c4a801d8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a801d8c60: 00 00 00[f7]00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a801d8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==18047==ABORTING
Attached file trigger.html
Reduced testcase.
Group: core-security → layout-core-security
This also asserts non-fatally & then asserts fatally in my (non-ASAN) debug build.  Here's the assertion output I get:

{
[Child 5936] ###!!! ASSERTION: continuations should have the same style context: 'aOldStyleContext->GetPseudo() != nextStyle->GetPseudo() || aOldStyleContext->GetParentAllowServo() != nextStyle->GetParentAllowServo()', file $SRC/layout/base/RestyleManager.cpp, line 1331

[Child 5936] ###!!! ASSERTION: continuations should have the same style context: 'aOldStyleContext->GetPseudo() != nextStyle->GetPseudo() || aOldStyleContext->GetParentAllowServo() != nextStyle->GetParentAllowServo()', file $SRC/layout/base/RestyleManager.cpp, line 1331

[Child 5936] ###!!! ASSERTION: unknown writing mode!: 'Not Reached', file ../../dist/include/mozilla/WritingModes.h, line 538

Assertion failure: mAllowZoom == aNewData.mAllowZoom (expected mAllowZoom to be the same on both nsStyleFonts), at $SRC/layout/style/nsStyleStruct.cpp:176
}
Keywords: assertion
We're accessing a destroyed nsStyleFont (pres-arena allocated, so frame-poisoned).
It was destroyed from nsStyleContext::~nsStyleContext and it appears there's some
other nsStyleContext pointing to the same nsStyleFont.
I'd say it's unlikely this is exploitable.
Priority: -- → P3
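
Added example, not part of the bug or of Mozilla's code: an arena whose freed slots are filled with a pattern and, in ASan builds, poisoned by hand, with two holders of one struct as described in the comment above. Arena, StyleFont, StyleContext and the 0xE5 fill byte are assumptions made for illustration.

```cpp
// Added illustration. Arena, StyleFont and StyleContext are hypothetical
// stand-ins, not Gecko's nsPresArena, nsStyleFont or nsStyleContext.
#include <cstddef>
#include <cstdlib>
#include <cstring>
#include <new>
#include <vector>
constexpr unsigned char kPoisonByte = 0xE5;  // constructed fill pattern
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define ARENA_ASAN 1
#  endif
#endif
#if defined(__SANITIZE_ADDRESS__) || defined(ARENA_ASAN)
#  include <sanitizer/asan_interface.h>
#  define MARK_DEAD(p, n) ASAN_POISON_MEMORY_REGION(p, n)
#  define MARK_LIVE(p, n) ASAN_UNPOISON_MEMORY_REGION(p, n)
#  define IS_DEAD(p) (__asan_address_is_poisoned(p) != 0)
#else  // no ASan: fall back to recognising the fill pattern
#  define MARK_DEAD(p, n) ((void)0)
#  define MARK_LIVE(p, n) ((void)0)
#  define IS_DEAD(p) (*static_cast<const unsigned char*>(p) == kPoisonByte)
#endif

class Arena {
 public:
  explicit Arena(std::size_t slot) : mSlot((slot + 7) & ~std::size_t(7)) {}
  Arena(const Arena&) = delete;
  ~Arena() { MARK_LIVE(mChunk, kChunk); std::free(mChunk); }
  void* Allocate() {
    void* p = nullptr;
    if (!mFree.empty()) { p = mFree.back(); mFree.pop_back(); }
    else if (mChunk && mUsed + mSlot <= kChunk) { p = mChunk + mUsed; mUsed += mSlot; }
    if (p) MARK_LIVE(p, mSlot);
    return p;
  }
  // The chunk stays malloc'ed, so ASan's free() tracking never sees this;
  // only the explicit poisoning (shadow byte f7) marks the slot as dead.
  void Free(void* p) {
    std::memset(p, kPoisonByte, mSlot);
    MARK_DEAD(p, mSlot);
    mFree.push_back(p);
  }
  bool IsPoisoned(const void* p) const { return IS_DEAD(p); }
 private:
  static constexpr std::size_t kChunk = 8192;
  std::size_t mSlot, mUsed = 0;
  unsigned char* mChunk = static_cast<unsigned char*>(std::malloc(kChunk));
  std::vector<void*> mFree;
};

struct StyleFont { bool allowZoom; int size; };
struct StyleContext {  // holds the struct without sharing ownership
  Arena& arena; StyleFont* font;
  void Destroy() { arena.Free(font); }  // any other holder now dangles
};
// True when the surviving context still points at a slot the arena poisoned.
bool SurvivorPointsAtPoisonedSlot() {
  Arena arena(sizeof(StyleFont));
  StyleFont* font = new (arena.Allocate()) StyleFont{true, 16};
  StyleContext a{arena, font}, b{arena, font};
  a.Destroy();
  return arena.IsPoisoned(b.font);  // reading b.font->allowZoom is the bug
}
```

Built with -fsanitize=address, a read through b.font after a.Destroy() is reported as use-after-poison rather than heap-use-after-free, because the 8192-byte chunk itself is still allocated.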
Good news! This seems to be fixed-by-stylo.

I tried the testcase in a local m-c debug build, and in an ASAN opt build that I downloaded from treeherder.  For each build, I tried the testcase with stylo enabled, and then with it disabled.

When stylo is enabled, we load the testcase with no issues (no crashes or warnings/asserts, in either build).  When I turn off stylo, I get the same bad results that have been noted above (comment 2 for my debug build, comment 0 for the ASAN opt build).

So: since this is unlikely to be exploitable in non-stylo configurations (comment 3), and it's fixed with stylo which is our default configuration from now on [except on Android], I think we can call this FIXED by stylo and not worth worrying about fixing for non-stylo.

Maybe worth keeping this hidden until we've shipped stylo for android, though...?
Status: NEW → RESOLVED
Closed: 6 years ago
Depends on: stylo
Resolution: --- → FIXED
Flags: in-testsuite?
Keywords: testcase
Group: layout-core-security → core-security-release
Whiteboard: [adv-main57-]
Flags: qe-verify-
Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
Group: core-security-release