Closed
Bug 1366654
Opened 8 years ago
Closed 7 years ago
AddressSanitizer: use-after-poison in [@CalcDifference] with READ of size 1
Categories
(Core :: Layout, defect, P3)
Core
Layout
Tracking
()
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 2 open bugs)
Details
(5 keywords, Whiteboard: [adv-main57-][post-critsmash-triage])
Attachments
(1 file)
|
5.05 KB,
text/html
|
Details |
Found while fuzzing mozilla-central rev 20170520-5b74bbf20e80. Will update with testcase once reduced.
==18047==ERROR: AddressSanitizer: use-after-poison on address 0x625000f06319 at pc 0x7f89354e0e0c bp 0x7ffc6a0d8470 sp 0x7ffc6a0d8468
READ of size 1 at 0x625000f06319 thread T0
#0 0x7f89354e0e0b in CalcDifference /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:3747:7
#1 0x7f89354e0e0b in nsChangeHint nsStyleContext::CalcStyleDifferenceInternal<nsStyleContext>(nsStyleContext*, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1068
#2 0x7f89355b2f90 in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1294:18
#3 0x7f89355ba593 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2701:7
#4 0x7f89355b69f6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
#5 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
#6 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
#7 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
#8 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
#9 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
#10 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
#11 0x7f89355c2f4f in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3120:16
#12 0x7f89355aca84 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3531:3
#13 0x7f89355abf6f in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
#14 0x7f8935633c9c in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
#15 0x7f8935633c9c in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
#16 0x7f89355b0336 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23
#17 0x7f89355b0336 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:498
#18 0x7f89355f8d96 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
#19 0x7f89355f8d96 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4175
#20 0x7f89317928c1 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:590:5
#21 0x7f89317928c1 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8103
#22 0x7f89353bae7e in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:800:13
#23 0x7f89353bc570 in nsComputedDOMStyle::GetPropertyCSSValue(nsAString const&, mozilla::ErrorResult&) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:989:3
#24 0x7f89353ba458 in nsComputedDOMStyle::GetPropertyValue(nsAString const&, nsAString&) /home/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:380:26
#25 0x7f8934fc897c in mozilla::CSSEditUtils::GetCSSInlinePropertyBase(nsINode*, nsIAtom*, nsAString&, mozilla::CSSEditUtils::StyleType) /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:541:5
#26 0x7f893502e67f in GetComputedProperty /home/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:520:10
#27 0x7f893502e67f in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsIDOMElement**) /home/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:91
#28 0x7f893503b0a9 in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /home/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:353:7
#29 0x7f89350ece3e in mozilla::HTMLEditor::EndUpdateViewBatch() /home/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:4820:10
#30 0x7f8934fee5a2 in mozilla::EditorBase::EndPlaceHolderTransaction() /home/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:967:7
#31 0x7f89350e2e56 in ~AutoPlaceHolderBatch /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:170:16
#32 0x7f89350e2e56 in mozilla::HTMLEditor::SetInlineProperty(nsIAtom*, nsAString const&, nsAString const&) /home/worker/workspace/build/src/editor/libeditor/HTMLStyleEditor.cpp:222
#33 0x7f89351a8c62 in nsHighlightColorStateCommand::SetState(nsIEditor*, nsString&) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:853:22
#34 0x7f89351a5141 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:595:12
#35 0x7f89333cc193 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) /home/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:162:26
#36 0x7f89333c3353 in DoCommandWithParams /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:152:25
#37 0x7f89333c3353 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) /home/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:140
#38 0x7f89333c93eb in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /home/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:29
#39 0x7f89339080d5 in nsHTMLDocument::ExecCommand(nsAString const&, bool, nsAString const&, nsIPrincipal&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3345:18
#40 0x7f8932dfeb9c in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:835:21
#41 0x7f8933113b4e in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2954:13
#42 0x7f8938be2f03 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#43 0x7f8938be2f03 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#44 0x7f8938e05296 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2447:14
#45 0x2fefd03302d2 (<unknown module>)
0x625000f06319 is located 4633 bytes inside of 8192-byte region [0x625000f05100,0x625000f07100)
allocated by thread T0 here:
#0 0x4bb97c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x7f892ec8ab0f in AllocateChunk /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
#2 0x7f892ec8ab0f in InternalAllocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
#3 0x7f892ec8ab0f in Allocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
#4 0x7f892ec8ab0f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
#5 0x7f8935498adf in AllocateByObjectID /home/worker/workspace/build/src/layout/base/nsPresArena.h:65:12
#6 0x7f8935498adf in AllocateByObjectID /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:236
#7 0x7f8935498adf in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:1144
#8 0x7f8935498adf in nsRuleNode::ComputeBorderData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:7542
#9 0x7f893545af1e in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2709:10
#10 0x7f893392bae7 in nsStyleBorder const* nsRuleNode::GetStyleBorder<true>(nsStyleContext*) /home/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:124:1
#11 0x7f89354dce8a in DoGetStyleBorder<true> /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:124:1
#12 0x7f89354dce8a in StyleBorder /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:124
#13 0x7f89354dce8a in nsChangeHint nsStyleContext::CalcStyleDifferenceInternal<nsStyleContext>(nsStyleContext*, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1085
#14 0x7f89355b2f90 in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1294:18
#15 0x7f89355ba593 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2701:7
#16 0x7f89355b69f6 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1850:7
#17 0x7f89355c05e0 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3456:27
#18 0x7f89355bdd2d in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2981:7
#19 0x7f89355b7355 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2004:5
#20 0x7f89355c2f4f in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3120:16
#21 0x7f89355aca84 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3531:3
#22 0x7f89355abf6f in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:151:5
#23 0x7f8935633c9c in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:22
#24 0x7f8935633c9c in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
#25 0x7f89355b0336 in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:371:23
#26 0x7f89355b0336 in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:498
#27 0x7f89355f8d96 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3
#28 0x7f89355f8d96 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4175
#29 0x7f89317928c1 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:590:5
#30 0x7f89317928c1 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8103
#31 0x7f893157f1a0 in mozilla::dom::Element::GetPrimaryFrame(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/Element.cpp:2229:10
#32 0x7f89338da20e in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:2958:8
#33 0x7f8932e5cef4 in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:250:9
#34 0x7f8933111fac in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2844:13
#35 0x7f8938be2f03 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#36 0x7f8938be2f03 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
#37 0x7f8938be453f in InternalCall /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:515:12
#38 0x7f8938be453f in Call /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:534
#39 0x7f8938be453f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649
#40 0x7f8939ab9822 in CallGetter /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1912:16
#41 0x7f8939ab9822 in GetExistingProperty<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:1960
#42 0x7f8939ab9822 in NativeGetPropertyInline<js::AllowGC::CanGC> /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2191
#43 0x7f8939ab9822 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2225
#44 0x7f8938def7f7 in GetProperty /home/worker/workspace/build/src/js/src/vm/NativeObject.h:1524:12
#45 0x7f8938def7f7 in GetProperty /home/worker/workspace/build/src/js/src/jsobj.h:854
#46 0x7f8938def7f7 in GetObjectElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:525
#47 0x7f8938def7f7 in GetElementOperation /home/worker/workspace/build/src/js/src/vm/Interpreter-inl.h:630
#48 0x7f8938def7f7 in js::jit::DoGetElemFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICGetElem_Fallback*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:829
#49 0x2fefd03308c2 (<unknown module>)
#50 0x2fefd03258a5 (<unknown module>)
#51 0x7f8938e2c722 in EnterBaseline(JSContext*, js::jit::EnterJitData&) /home/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:160:9
SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:3747:7 in CalcDifference
Shadow bytes around the buggy address:
0x0c4a801d8c10: 00 00 00 00 00 00 f7 00 00 00 00 00 00 00 00 00
0x0c4a801d8c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8c40: 00 00 00 00 00 00 00 00 00 00 f7 00 00 00 00 00
0x0c4a801d8c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a801d8c60: 00 00 00[f7]00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8c70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8c80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a801d8cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==18047==ABORTING
|
Reporter | |
Comment 1•8 years ago
|
||
Reduced testcase.
|
||
Updated•8 years ago
|
Group: core-security → layout-core-security
|
||
Comment 2•8 years ago
|
||
This also asserts non-fatally & then asserts fatally in my (non-ASAN) debug build. Here's the assertion output I get:
{
[Child 5936] ###!!! ASSERTION: continuations should have the same style context: 'aOldStyleContext->GetPseudo() != nextStyle->GetPseudo() || aOldStyleContext->GetParentAllowServo() != nextStyle->GetParentAllowServo()', file $SRC/layout/base/RestyleManager.cpp, line 1331
[Child 5936] ###!!! ASSERTION: continuations should have the same style context: 'aOldStyleContext->GetPseudo() != nextStyle->GetPseudo() || aOldStyleContext->GetParentAllowServo() != nextStyle->GetParentAllowServo()', file $SRC/layout/base/RestyleManager.cpp, line 1331
[Child 5936] ###!!! ASSERTION: unknown writing mode!: 'Not Reached', file ../../dist/include/mozilla/WritingModes.h, line 538
Assertion failure: mAllowZoom == aNewData.mAllowZoom (expected mAllowZoom to be the same on both nsStyleFonts), at $SRC/layout/style/nsStyleStruct.cpp:176
}
Keywords: assertion
|
||
Comment 3•8 years ago
|
||
We're accessing a destroyed nsStyleFont (pres-arena allocated, so frame-poisoned).
It was destroyed from nsStyleContext::~nsStyleContext and it appears there's some
other nsStyleContext pointing to the same nsStyleFont.
I'd say it's unlikely this is exploitable.
|
||
Updated•7 years ago
|
Priority: -- → P3
|
|
||
Comment 4•7 years ago
|
||
Good news! This seems to be fixed-by-stylo.
I tried the testcase in a local m-c debug build, and in an ASAN opt build that I downloaded from treeherder. For each build, I tried the testcase with stylo enabled, and then with it disabled.
When stylo is enabled, we load the testcase with no issues (no crashes or warnings/asserts, in either build). When I turn off stylo, I get the same bad results that have been noted above (comment 2 for my debug build, comment 0 for the ASAN opt build).
So: since this is unlikely to be exploitable in non-stylo configurations (comment 3), and it's fixed with stylo which is our default configuration from now on [except on Android], I think we can call this FIXED by stylo and not worth worrying about fixing for non-stylo.
Maybe worth keeping this hidden until we've shipped stylo for android, though...?
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox57:
--- → fixed
Depends on: stylo
Resolution: --- → FIXED
|
||
Updated•7 years ago
|
|
|
||
Updated•7 years ago
|
Group: layout-core-security → core-security-release
|
||
Updated•7 years ago
|
Whiteboard: [adv-main57-]
|
||
Updated•7 years ago
|
Flags: qe-verify-
Whiteboard: [adv-main57-] → [adv-main57-][post-critsmash-triage]
|
|
||
Updated•6 years ago
|
Group: core-security-release
|
||
Updated•5 years ago
|
Blocks: asan-maintenance
You need to log in
before you can comment on or make changes to this bug.
Description
•