Bug 1404751 (Closed) - Opened 7 years ago, Closed 7 years ago

AddressSanitizer: use-after-poison in [@get]

Component: Core :: Layout: Block and Inline
Type: defect
Priority: P3
Status: RESOLVED WORKSFORME
Tracking Status: firefox57 --- fix-optional
Reporter: jkratzer
Assignee: Unassigned
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 1 file
Attached file trigger.html
Testcase found while fuzzing mozilla-central rev 179dccc17c7f.  

Please note that I was only able to reproduce the testcase using xvfb on an EC2 instance.

==22022==ERROR: AddressSanitizer: use-after-poison on address 0x6250011fe840 at pc 0x7f33e4a5db96 bp 0x7ffc989a3030 sp 0x7ffc989a3028
READ of size 8 at 0x6250011fe840 thread T0
    #0 0x7f33e4a5db95 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f33e4a5db95 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f33e4a5db95 in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100
    #3 0x7f33e4a5db95 in nsLineLayout::VerticalAlignFrames(nsLineLayout::PerSpanData*) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1982
    #4 0x7f33e4a4bae7 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1108:9
    #5 0x7f33e48b9ac4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
    #6 0x7f33e48b86d8 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #7 0x7f33e48b0169 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #8 0x7f33e48a9d98 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
    #9 0x7f33e489f89f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
    #10 0x7f33e4896652 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1235:3
    #11 0x7f33e48f247a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #12 0x7f33e48f0db1 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:752:5
    #13 0x7f33e48f247a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #14 0x7f33e49b2278 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:550:3
    #15 0x7f33e49af8e5 in nsHTMLScrollFrame::TryLayout(mozilla::ScrollReflowInput*, mozilla::ReflowOutput*, bool, bool, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:342:5
    #16 0x7f33e49b3c8a in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:718:7
    #17 0x7f33e49b6ad9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #18 0x7f33e487d733 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #19 0x7f33e487c095 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:330:7
    #20 0x7f33e467aacc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8936:11
    #21 0x7f33e4678727 in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1954:9
    #22 0x7f33e3ea0ce9 in DoSetWindowDimensions /builds/worker/workspace/build/src/view/nsViewManager.cpp:191:19
    #23 0x7f33e3ea0ce9 in nsViewManager::FlushDelayedResize(bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:243
    #24 0x7f33e468dd55 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4181:20
    #25 0x7f33e4601f34 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #26 0x7f33e4601f34 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1956
    #27 0x7f33e460bc8e in WillRefresh /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2269:5
    #28 0x7f33e460bc8e in non-virtual thunk to nsRefreshDriver::WillRefresh(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2264
    #29 0x7f33e460138c in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1886:12
    #30 0x7f33e460b299 in nsRefreshDriver::FinishedWaitingForTransaction() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2189:5
    #31 0x7f33dfbaa1e0 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:529:32
    #32 0x7f33dfc8abab in mozilla::layers::CompositorBridgeChild::RecvDidComposite(unsigned long const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:536:8
    #33 0x7f33dec977b6 in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1473:20
    #34 0x7f33de5fe8c9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #35 0x7f33de5fb8df in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2049:17
    #36 0x7f33de5fd014 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1895:5
    #37 0x7f33de5fd668 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1928:15
    #38 0x7f33dd85c722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #39 0x7f33dd8763f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
    #40 0x7f33e3d66505 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3101:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #41 0x7f33e3d66505 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3101
    #42 0x7f33e3d67b92 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2886:11
    #43 0x7f33e1941167 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
    #44 0x7f33e20df300 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3053:13
    #45 0x7f33e8527714 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #46 0x7f33e8527714 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #47 0x7f33e8511576 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #48 0x7f33e8511576 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #49 0x7f33e84f8939 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #50 0x7f33e852a027 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #51 0x7f33e852a892 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #52 0x7f33e8f7ad09 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #53 0x7f33e06e2de9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #54 0x7f33e3dc17d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #55 0x7f33e3dbcc0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #56 0x7f33e3da0465 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
    #57 0x7f33e3d9c9c8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #58 0x7f33df60117f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
    #59 0x7f33df60117f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
    #60 0x7f33df5fac2a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
    #61 0x7f33df604bfb in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #62 0x7f33dd85c722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #63 0x7f33dd8763f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
    #64 0x7f33de606541 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #65 0x7f33de5688ab in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #66 0x7f33de5688ab in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #67 0x7f33de5688ab in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #68 0x7f33e3f22bbf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #69 0x7f33e807f191 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #70 0x7f33e827015b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
    #71 0x7f33e8271d78 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
    #72 0x7f33e82731ab in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
    #73 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #74 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #75 0x7f33fb1a982f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #76 0x41db38 in _start (/home/ubuntu/firefox/firefox+0x41db38)

0x6250011fe840 is located 5952 bytes inside of 8192-byte region [0x6250011fd100,0x6250011ff100)
allocated by thread T0 here:
    #0 0x4bc3bc in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f33dd810e1f in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
    #2 0x7f33dd810e1f in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
    #3 0x7f33dd810e1f in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
    #4 0x7f33dd810e1f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
    #5 0x7f33e4873443 in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:38:12
    #6 0x7f33e4873443 in AllocateFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:203
    #7 0x7f33e4873443 in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:33
    #8 0x7f33e4873443 in NS_NewViewportFrame(nsIPresShell*, nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:30
    #9 0x7f33e4714804 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2830:5
    #10 0x7f33e46741db in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1729:36
    #11 0x7f33e052f020 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1286:26
    #12 0x7f33e05e54e6 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8470:13
    #13 0x7f33e05f9a0a in nsIDocument::CaretPositionFromPoint(float, float) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:10874:3
    #14 0x7f33e1b6893f in mozilla::dom::DocumentBinding::caretPositionFromPoint(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:4007:56
    #15 0x7f33e20df300 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3053:13
    #16 0x7f33e8527714 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #17 0x7f33e8527714 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
    #18 0x7f33e8511576 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:546:12
    #19 0x7f33e8511576 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #20 0x7f33e84f8939 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
    #21 0x7f33e852a027 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
    #22 0x7f33e852a892 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
    #23 0x7f33e8f7ad09 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
    #24 0x7f33e06e2de9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
    #25 0x7f33e3dc17d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
    #26 0x7f33e3dbcc0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
    #27 0x7f33e3da0465 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
    #28 0x7f33e3d9c9c8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
    #29 0x7f33df60117f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
    #30 0x7f33df60117f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
    #31 0x7f33df5fac2a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
    #32 0x7f33df604bfb in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #33 0x7f33dd85c722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #34 0x7f33dd8763f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
    #35 0x7f33de606541 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #36 0x7f33de5688ab in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7f33de5688ab in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7f33de5688ab in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7f33e3f22bbf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #40 0x7f33e807f191 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27 in get
Shadow bytes around the buggy address:
  0x0c4a80237cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80237cc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80237cd0: f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80237ce0: 00 00 00 00 00 00 f7 f7 00 00 00 00 00 00 00 00
  0x0c4a80237cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80237d00: 00 00 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
  0x0c4a80237d10: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00
  0x0c4a80237d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80237d30: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80237d40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80237d50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==22022==ABORTING
Group: core-security → layout-core-security
Priority: -- → P3
This looks like it's handling frame tree objects, so it might be mitigated by "framepoisoning". However in that case I'd expect an opt-build crash and I don't see it (on Mac).
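Added example (not part of the bug report and not Gecko's own code): a toy arena allocator in C that shows where the "use-after-poison" and the f7 "Poisoned by user" shadow bytes in the report above come from, and what the "framepoisoning" remark in the previous comment refers to. The allocation stack shows the frame living inside an 8192-byte ArenaAllocator chunk (the faulting address is 5952 bytes into that region) that is never handed back to malloc, so plain ASan would see no free() and report nothing. A frame arena therefore has to poison each freed slot explicitly through the ASan interface, and in non-ASan builds fill it with a poison pattern so a stale frame pointer reads junk instead of a live object. The chunk size is taken from the report; the 64-byte object size, the Frame struct, the 0xA5 fill byte and the function names are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Manual shadow poisoning exists only under -fsanitize=address; elsewhere the hooks are no-ops. */
#if defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#elif defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define ARENA_POISON(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define ARENA_UNPOISON(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define ARENA_POISON(p, n)   ((void)(p), (void)(n))
#  define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#endif

#define CHUNK_SIZE  8192  /* chunk size of ArenaAllocator<8192ul, 8ul> in the report */
#define OBJ_SIZE    64    /* assumption: every object in this toy arena is 64 bytes */
#define POISON_BYTE 0xA5  /* assumed fill byte; Gecko uses a pointer into an unmapped region */

typedef struct Arena {
    uint8_t *chunk;                        /* malloc'd once, so plain ASan never sees a free() */
    size_t   used;                         /* bump-pointer offset */
    void    *freed[CHUNK_SIZE / OBJ_SIZE]; /* free list kept outside the objects */
    size_t   nfreed;
} Arena;

void arena_init(Arena *a) {
    a->chunk = malloc(CHUNK_SIZE);
    a->used = a->nfreed = 0;
    ARENA_POISON(a->chunk, CHUNK_SIZE);   /* nothing is addressable until handed out */
}

void *arena_alloc(Arena *a) {
    void *p;
    if (a->nfreed > 0) {
        p = a->freed[--a->nfreed];        /* recycle: a new object lands on an old slot */
    } else {
        if (a->used + OBJ_SIZE > CHUNK_SIZE) return NULL;
        p = a->chunk + a->used;
        a->used += OBJ_SIZE;
    }
    ARENA_UNPOISON(p, OBJ_SIZE);
    return memset(p, 0, OBJ_SIZE);
}

void arena_free(Arena *a, void *p) {
    memset(p, POISON_BYTE, OBJ_SIZE);     /* opt build: "framepoisoning", the bytes become junk */
    a->freed[a->nfreed++] = p;
    ARENA_POISON(p, OBJ_SIZE);            /* ASan build: shadow byte f7, "poisoned by user" */
}

void arena_destroy(Arena *a) {
    ARENA_UNPOISON(a->chunk, CHUNK_SIZE);
    free(a->chunk);
}

typedef struct Frame { void *style; int x, y; } Frame;  /* stand-in for a layout frame */

/* Keep a stale pointer across the frame's destruction, then inspect the slot.
 * Returns 1 if it is poisoned (ASan shadow, or the fill pattern in other builds). */
int stale_frame_is_poisoned(void) {
    Arena arena;
    arena_init(&arena);
    int style = 3;
    Frame *f = arena_alloc(&arena);
    f->style = &style;
    Frame *stale = f;                     /* e.g. a pointer cached across a reflow */
    arena_free(&arena, f);                /* frame destroyed; memory stays in the arena */
    int poisoned;
#ifdef HAVE_ASAN
    poisoned = __asan_address_is_poisoned(&stale->style);
#else
    uintptr_t expect;
    memset(&expect, POISON_BYTE, sizeof expect);
    poisoned = ((uintptr_t)stale->style == expect);
#endif
    arena_destroy(&arena);
    return poisoned;
}

int main(void) {
    printf("stale frame poisoned: %d\n", stale_frame_is_poisoned());  /* prints 1 */
#ifdef HAVE_ASAN
    Arena arena;                          /* deliberate dangling read: ASan aborts here with */
    arena_init(&arena);                   /* "use-after-poison ... READ of size 8" */
    Frame *f = arena_alloc(&arena);
    arena_free(&arena, f);
    void *volatile *vp = &f->style;       /* volatile so the load is not folded away */
    printf("%p\n", *vp);
#endif
    return 0;
}
```

Built with `cc -fsanitize=address -g` and run, the dangling read in main produces a report of the same shape as the one above: a READ of size 8 inside a still-allocated malloc region, with user-poisoned (f7) shadow bytes around it. Without the sanitizer the same slot reads back as the 0xA5 fill pattern, which is the opt-build crash the previous comment expected to see: a stale pointer dereferenced through the poisoned bytes faults instead of quietly aliasing whichever object was recycled into the slot.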
I can't reproduce the problem in an up-to-date Linux ASAN debug build.
Did you build + install the fuzzer extension?  That's required for stuff like this in the testcase:
> fuzzPriv.resizeTo(1, 1);
> fuzzPriv.GC(); fuzzPriv.CC(); fuzzPriv.GC(); fuzzPriv.CC();

See bug 1407375 comment 2 for how to do that.
Flags: needinfo?(mats)
Yes, it's installed and enabled and I see a bunch of "DOMFuzzHelper created" in the output.
Thanks for the tip though, it's easy to miss now that the extra prefs are needed.

It seems Jason couldn't reproduce it either on some machines, so maybe there's
some timing issue with the test or something?  I'll try rebuilding without debug
to see if that helps...
Flags: needinfo?(mats)
... nope, still can't reproduce it in an ASAN Opt build.
Yeah, I can't reproduce either (using an ASAN opt build from today, with domFuzzLite3.xpi extension).

I tried running under xvfb (since comment 0 mentions that tool as part of the repro environment), as well as normally and using "-headless".  Couldn't repro in any of these conditions, though.

I also tried the above-mentioned tools while *also* viewing the testcase over HTTP (using "python -m SimpleHTTPServer 8000").  I think that might be required?  Because when I load it as a file:// URI, I get this error for the XMLHttpRequest send() operation:
  JavaScript error: file:///tmp/trigger/trigger.html, line 22: NetworkError: A network error occurred.

However, that still didn't help me reproduce any ASAN badness.
Jason, can you still reproduce this crash in a recent build?

If so, would it be possible to capture a 'rr' recording of it
that I can take a look at?
Flags: needinfo?(jkratzer)
(In reply to Mats Palmgren (:mats) from comment #7)
> Jason, can you still reproduce this crash in a recent build?
> 
> If so, would it be possible to capture a 'rr' recording of it
> that I can take a look at?

I just tried with the latest nightly and was unable to reproduce the bug.  It looks like it was fixed sometime in between now and 2017-09-30 (179dccc17c7f).
Flags: needinfo?(jkratzer)
OK, please file a new bug if it occurs again.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WORKSFORME
Group: layout-core-security