Bug 1371630 - heap-use-after-free in mozilla::dom::CanvasRenderingContext2D::EnsureTarget
Status: Closed, RESOLVED DUPLICATE of bug 1371259 (opened 8 years ago, closed 8 years ago)
Product / Component: Core :: Graphics: Canvas2D, defect
Reporter: nils; Unassigned
Whiteboard: fixed by bug 1371259 (4 keywords)
Attachments: 3 files
The following testcase crashes the latest ASAN build of Firefox ESR 52.2.0 (20170607010726)
<script>
function start() {
o3=document;
o834=o3.createElement('iframe');
o3.documentElement.appendChild(o834);
o834.contentWindow.onresize=fun0;
o834.height='-2px';
fuzzPriv.callDrawWindow(0);
}
function fun0() {
this.onpagehide=fun1;
o3.write('x');
}
function fun1() {
o3.open('data:text/html,<div>','popup88','height=9');
fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==9130==ERROR: AddressSanitizer: heap-use-after-free on address 0x619000dab208 at pc 0x7fd1dfe8d890 bp 0x7ffe3f883c70 sp 0x7ffe3f883c68
READ of size 8 at 0x619000dab208 thread T0
#0 0x7fd1dfe8d88f in operator! /home/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:312:36
#1 0x7fd1dfe8d88f in AlreadyShutDown /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:784
#2 0x7fd1dfe8d88f in mozilla::dom::CanvasRenderingContext2D::EnsureTarget(mozilla::gfx::RectTyped<mozilla::gfx::UnknownUnits, float> const*, mozilla::dom::CanvasRenderingContext2D::RenderingMode) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:1588
#3 0x7fd1dfec653d in mozilla::dom::CanvasRenderingContext2D::DrawWindow(nsGlobalWindow&, double, double, double, double, nsAString_internal const&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5472:3
#4 0x7fd1df25d042 in mozilla::dom::CanvasRenderingContext2DBinding::drawWindow(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:5186:3
#5 0x7fd1dfdceea0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
#6 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#7 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#8 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#9 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#10 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#11 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#12 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#13 0x7fd1e5c1aec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#14 0x7fd1dce1c8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#15 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#16 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#17 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#18 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#19 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#20 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#21 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#22 0x7fd1e5c1d12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#23 0x7fd1df7cbbff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#24 0x7fd1e01e846a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#25 0x7fd1e01e846a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#26 0x7fd1e01b280d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#27 0x7fd1e01b4237 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#28 0x7fd1e019ef96 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#29 0x7fd1e01a2628 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#30 0x7fd1e238c0ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1038:7
#31 0x7fd1e312ff4b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7635:5
#32 0x7fd1e312bd54 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7439:7
#33 0x7fd1e31333bf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7336:13
#34 0x7fd1dd333290 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1255:3
#35 0x7fd1dd332228 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:840:5
#36 0x7fd1dd32ef88 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
#37 0x7fd1dd331084 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:612:5
#38 0x7fd1dd331c3c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:468:14
#39 0x7fd1db8881fa in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:633:18
#40 0x7fd1de324696 in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8640:7
#41 0x7fd1de323f6e in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8568:9
#42 0x7fd1de2f922b in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5055:3
#43 0x7fd1de3be032 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:775:12
#44 0x7fd1de3be032 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:781
#45 0x7fd1de3be032 in mozilla::detail::RunnableMethodImpl<void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:810
#46 0x7fd1db6a88bb in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1216:7
#47 0x7fd1db72a9fc in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/glue/nsThreadUtils.cpp:361:10
#48 0x7fd1dc4e240f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
#49 0x7fd1dc453fc8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:232:3
#50 0x7fd1dc453fc8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:225
#51 0x7fd1dc453fc8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:205
#52 0x7fd1e1a7d19f in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
#53 0x7fd1e3af7451 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
#54 0x7fd1e3c8e757 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4488:10
#55 0x7fd1e3c8fecd in XREMain::XRE_main(int, char**, nsXREAppData const*) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4621:8
#56 0x7fd1e3c90d8c in XRE_main /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4712:16
#57 0x4df91a in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:282:10
#58 0x4df91a in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:415
#59 0x7fd1f695282f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
#60 0x41ba88 in _start (/home/nils/fuzzer3/esr/firefox/firefox+0x41ba88)
0x619000dab208 is located 136 bytes inside of 1120-byte region [0x619000dab180,0x619000dab5e0)
freed by thread T0 here:
#0 0x4b21db in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
#1 0x7fd1db571354 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2665:9
#2 0x7fd1db570f46 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2840:3
#3 0x7fd1db57801e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3826:3
#4 0x7fd1db5774dc in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3651:9
#5 0x7fd1db57b556 in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4144:3
#6 0x7fd1de40db19 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1440:3
#7 0x7fd1ddf3b55d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1340:3
#8 0x7fd1db6d0ec6 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_x86_64_unix.cpp:180:23
#9 0x7fd1dcef3fbe in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2058:12
#10 0x7fd1dcef3fbe in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1377
#11 0x7fd1dcef3fbe in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1344
#12 0x7fd1dcefb648 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:999:12
#13 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#14 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#15 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#16 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#17 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#18 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#19 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#20 0x7fd1e5c1aec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#21 0x7fd1dce1c8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#22 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#23 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#24 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#25 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#26 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#27 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#28 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#29 0x7fd1e5eba60c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
#30 0x7fd1e5e89f5f in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:333:14
#31 0x7fd1e5e9772f in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:400:12
#32 0x7fd1e5e99ede in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:689:12
#33 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#34 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#35 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#36 0x7fd1e5c1d12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
previously allocated by thread T0 here:
#0 0x4b24fb in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
#1 0x4e0ded in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
#2 0x7fd1dfed42d8 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
#3 0x7fd1dfed42d8 in mozilla::dom::CanvasRenderingContextHelper::CreateContextHelper(mozilla::dom::CanvasContextType, mozilla::layers::LayersBackend) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:142
#4 0x7fd1e0379682 in mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:407:5
#5 0x7fd1e0379b24 in non-virtual thunk to mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:403:20
#6 0x7fd1dfed498c in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:186:15
#7 0x7fd1e0380914 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:950:10
#8 0x7fd1dfa29537 in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:237:43
#9 0x7fd1dfdceea0 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2879:13
#10 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#11 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#12 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#13 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#14 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#15 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#16 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#17 0x7fd1e5c1aec2 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2769:12
#18 0x7fd1dce1c8af in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
#19 0x7fd1e614b2e5 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:239:15
#20 0x7fd1e614b2e5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447
#21 0x7fd1e612b6ef in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:510:12
#22 0x7fd1e612b6ef in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2922
#23 0x7fd1e61108ad in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:405:12
#24 0x7fd1e614b94f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:15
#25 0x7fd1e614bf92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:523:10
#26 0x7fd1e5c1d12d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
#27 0x7fd1df7cbbff in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:259:37
#28 0x7fd1e01e846a in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:361:12
#29 0x7fd1e01e846a in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
#30 0x7fd1e01b280d in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1134:16
#31 0x7fd1e01b4237 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1287:17
#32 0x7fd1e019ef96 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:380:5
#33 0x7fd1e01a2628 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:711:9
#34 0x7fd1e238c0ec in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1038:7
#35 0x7fd1e312ff4b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7635:5
SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/gfx/gl/../../mfbt/RefPtr.h:312:36 in operator!
Shadow bytes around the buggy address:
0x0c32801ad5f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32801ad600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c32801ad610: 00 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa
0x0c32801ad620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c32801ad630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c32801ad640: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32801ad650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32801ad660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32801ad670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32801ad680: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c32801ad690: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==9130==ABORTING
Updated (8 years ago): Group: core-security → gfx-core-security
Comment 2 (8 years ago)
CanvasRenderingContext2D::DrawWindow is called from script.
It does a layout flush, which runs script (resize handler),
which leads to the CanvasRenderingContext2D being destroyed.
Here's the stack when that happens.
Comment 3 (8 years ago)
IIRC, drawWindow isn't exposed to non-privileged script, but there are other
ways to trigger this flush that are. So I think this could be exploited,
although it might be hard to do so without the explicit GC/CC calls...
Severity: normal → critical
OS: Unspecified → All
Hardware: Unspecified → All
Version: 52 Branch → Trunk
Updated (8 years ago): Component: DOM → Canvas: 2D
Comment 4 (8 years ago)
Hmm, I seem to recall someone (bz?) telling me that the DOM object
was always held with a strong ref when calling methods on it from
script - does that invariant not hold under some circumstances?
Flags: needinfo?(bzbarsky)
Comment 5 (8 years ago)
Looking at the generated CanvasRenderingContext2DBinding code I don't
see any AddRefs in there, maybe it's meant to be held somewhere else?
Comment 6 (8 years ago)
Perhaps the invariant is "it's held until the window is destroyed,
but not on the stack"?
Comment 7 (8 years ago)
> does that invariant not hold under some circumstances?
Indeed, though it's _meant_ to always hold. That's bug 1371259, of which this is a duplicate. No need to change any canvas code here; the right fix is to make the invariant actually hold.
> maybe it's meant to be held somewhere else?
It's held by the reflector JSObject. Bug 1371259 is that we sometimes allow that to be collected when we should not.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(bzbarsky)
Resolution: --- → DUPLICATE
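Comments 2 and 7 together describe the mechanism: DrawWindow re-enters script through a layout flush, the GC/CC that the script forces collects the reflector that is the context's only owner, and EnsureTarget then reads freed memory. The C++ model below is an added example, not Gecko code and not the fix that landed in bug 1371259. It assumes a toy intrusive refcount, a toy reflector and a toy garbage collector, and it models the invariant from comment 7 as "the binding layer keeps the callee's reflector rooted for the duration of the call" (an assumption about how that invariant is realised). It runs the re-entrant step with and without that guarantee and counts how many contexts survive, without itself dereferencing freed memory.

```cpp
#include <cstdio>
#include <functional>
#include <memory>
#include <set>

// Constructed model (assumption: not Gecko code) of a native DOM object that is kept alive
// only by its JS reflector, plus a method that re-enters script part-way through.

static int gLiveContexts = 0;  // Context2D objects currently allocated

struct Context2D {
  int mRefCnt = 0;
  int mTargetCount = 0;                      // member touched by EnsureTarget()
  std::function<void()> mScriptDuringFlush;  // the resize handler that the layout flush runs
  Context2D() { ++gLiveContexts; }
  ~Context2D() { --gLiveContexts; }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  void EnsureTarget() { ++mTargetCount; }    // plain member access: a UAF once *this is freed

  // DrawWindow as described in comment 2: flush layout (runs script), then EnsureTarget.
  void DrawWindow() {
    if (mScriptDuringFlush) mScriptDuringFlush();
    EnsureTarget();
  }
};

// The JS wrapper. Its one strong reference is what keeps the native alive (comment 7).
struct Reflector {
  Context2D* mNative;
  explicit Reflector(Context2D* n) : mNative(n) { mNative->AddRef(); }
  ~Reflector() { mNative->Release(); }
};

// Minimal garbage collector: Collect() frees every reflector that is not rooted.
struct MiniGC {
  std::set<Reflector*> heap, roots;
  Reflector* Allocate(Context2D* n) {
    Reflector* r = new Reflector(n);
    heap.insert(r);
    return r;
  }
  void Collect() {
    for (auto it = heap.begin(); it != heap.end();) {
      if (roots.count(*it)) { ++it; continue; }
      delete *it;  // drops the strong ref; frees the native if that was the last one
      it = heap.erase(it);
    }
  }
};
static MiniGC gGC;

// RAII root, standing in for the binding layer holding on to the callee's reflector.
struct Rooted {
  Reflector* mR;
  explicit Rooted(Reflector* r) : mR(r) { gGC.roots.insert(r); }
  ~Rooted() { gGC.roots.erase(mR); }
};

// Runs only the re-entrant step of DrawWindow (script forcing a GC, as fuzzPriv.GC()/CC()
// does in the testcase) and reports how many contexts are still alive at the point where
// EnsureTarget would execute. 0 means that access would be the heap-use-after-free.
static int ContextsAliveAfterFlush(bool calleeRootedDuringCall) {
  Context2D* ctx = new Context2D();
  Reflector* r = gGC.Allocate(ctx);                       // script's only handle to ctx
  ctx->mScriptDuringFlush = [] { gGC.Collect(); };
  std::function<void()> flush = ctx->mScriptDuringFlush;  // copied: ctx may die inside it
  int alive;
  {
    std::unique_ptr<Rooted> root;
    if (calleeRootedDuringCall) root = std::make_unique<Rooted>(r);
    flush();
    alive = gLiveContexts;
  }
  gGC.Collect();  // teardown: nothing is rooted now, so r (and ctx, if still alive) go away
  return alive;
}

// The full call with the invariant in place: DrawWindow completes on a live object.
static int DrawWindowWithRootedCallee() {
  Context2D* ctx = new Context2D();
  Reflector* r = gGC.Allocate(ctx);
  ctx->mScriptDuringFlush = [] { gGC.Collect(); };
  int targets;
  {
    Rooted root(r);
    r->mNative->DrawWindow();
    targets = ctx->mTargetCount;  // ctx is still valid because its reflector stayed rooted
  }
  gGC.Collect();
  return targets;
}

int main() {
  std::printf("unrooted: %d live, rooted: %d live, targets: %d\n",
              ContextsAliveAfterFlush(false), ContextsAliveAfterFlush(true),
              DrawWindowWithRootedCallee());
  return 0;
}
```

Without the root, the flush leaves zero live contexts exactly where EnsureTarget would run, which is the read the ASan trace reports; with the root held for the call, the object survives the GC and the method completes. The model deliberately stops before the bad dereference so it is well defined to run in an ordinary build, whereas the real testcase relies on ASan to observe it.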
Comment 8 (8 years ago)
Thanks Boris! Phew, I was getting nervous there for a moment. :-)
Flags: in-testsuite?
Updated (8 years ago): Flags: sec-bounty?
Updated (8 years ago):
Depends on: CVE-2017-7801
Whiteboard: fixed by bug 1371259
Updated (8 years ago): Flags: sec-bounty? → sec-bounty-
Updated (5 years ago): Group: gfx-core-security
Updated (1 year ago): Keywords: reporter-external