stylo: AddressSanitizer: heap-use-after-free [@ operator nsIObjectFrame *<nsIObjectFrame>] with READ of size 8

RESOLVED FIXED in Firefox 58

Status


defect
--
critical
RESOLVED FIXED
2 years ago
4 months ago

People

(Reporter: jkratzer, Assigned: emilio)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla58
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr52 unaffected, firefox56 unaffected, firefox57 unaffected, firefox58 fixed)

Details

(crash signature)

Attachments

(2 attachments, 1 obsolete attachment)

Reporter

Description

2 years ago
Found while fuzzing mozilla-central rev e64846245b00.  Will update shortly with a reduced testcase.

==7347==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000503aa0 at pc 0x7fab5cc04af3 bp 0x7fffc3df3b50 sp 0x7fffc3df3b48
READ of size 8 at 0x625000503aa0 thread T0
    #0 0x7fab5cc04af2 in operator nsIObjectFrame *<nsIObjectFrame> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsQueryFrame.h:114:45
    #1 0x7fab5cc04af2 in nsFocusManager::Focus(nsPIDOMWindowOuter*, nsIContent*, unsigned int, bool, bool, bool, bool, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1916
    #2 0x7fab5cc06f0f in nsFocusManager::WindowRaised(mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:776:3
    #3 0x7fab63eda2c4 in nsWebShellWindow::WindowActivated() /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:493:9
    #4 0x7fab6058f8a9 in DispatchActivateEvent /builds/worker/workspace/build/src/widget/gtk/nsWindow.cpp:531:24
    #5 0x7fab6058f8a9 in nsWindow::OnContainerFocusInEvent(_GdkEventFocus*) /builds/worker/workspace/build/src/widget/gtk/nsWindow.cpp:2874
    #6 0x7fab60599856 in focus_in_event_cb(_GtkWidget*, _GdkEventFocus*) /builds/worker/workspace/build/src/widget/gtk/nsWindow.cpp:5700:13
    #7 0x7fab731d6fab  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x212fab)
    #8 0x7fab7068ffa4 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0xffa4)
    #9 0x7fab706a1fc0  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x21fc0)
    #10 0x7fab706aa7f8 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a7f8)
    #11 0x7fab706ab08e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b08e)
    #12 0x7fab73314c3b  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x350c3b)
    #13 0x7fab7332503d in gtk_widget_send_focus_change (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x36103d)
    #14 0x7fab7332944f  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x36544f)
    #15 0x7fab733381ed  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x3741ed)
    #16 0x7fab73338749  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x374749)
    #17 0x7fab731d6fab  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x212fab)
    #18 0x7fab7068ffa4 in g_closure_invoke (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0xffa4)
    #19 0x7fab706a256d  (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2256d)
    #20 0x7fab706aa7f8 in g_signal_emit_valist (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2a7f8)
    #21 0x7fab706ab08e in g_signal_emit (/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0+0x2b08e)
    #22 0x7fab73314c3b  (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x350c3b)
    #23 0x7fab731d6175 in gtk_main_do_event (/usr/lib/x86_64-linux-gnu/libgtk-3.so.0+0x212175)
    #24 0x7fab72d43d91  (/usr/lib/x86_64-linux-gnu/libgdk-3.so.0+0x5ad91)
    #25 0x7fab703b9196 in g_main_context_dispatch (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a196)
    #26 0x7fab703b93ef  (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a3ef)
    #27 0x7fab703b949b in g_main_context_iteration (/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4a49b)
    #28 0x7fab605d82de in nsAppShell::ProcessNextNativeEvent(bool) /builds/worker/workspace/build/src/widget/gtk/nsAppShell.cpp:295:12
    #29 0x7fab6053b6a6 in DoProcessNextNativeEvent /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:140:17
    #30 0x7fab6053b6a6 in nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:273
    #31 0x7fab6053bfaf in non-virtual thunk to nsBaseAppShell::OnProcessNextEvent(nsIThreadInternal*, bool) /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:235:17
    #32 0x7fab59d7c99a in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:950:10
    #33 0x7fab59d97ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #34 0x7fab6037e097 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #35 0x7fab6037e097 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080
    #36 0x7fab6037f542 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2865:11
    #37 0x7fab5df3186f in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
    #38 0x7fab5e6f6e20 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #39 0x7fab64af3730 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #40 0x7fab64af3730 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #41 0x7fab64d2840f in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2539:14
    #42 0x2da9625f1486  (<unknown module>)

0x625000503aa0 is located 4512 bytes inside of 8192-byte region [0x625000502900,0x625000504900)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7fab60e08d90 in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:100:7
    #2 0x7fab60e08d90 in ~ArenaAllocator /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:63
    #3 0x7fab60e08d90 in nsPresArena::~nsPresArena() /builds/worker/workspace/build/src/layout/base/nsPresArena.cpp:44
    #4 0x7fab60c95483 in nsIPresShell::~nsIPresShell() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:166:7
    #5 0x7fab60c955bd in mozilla::PresShell::~PresShell() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:846:1
    #6 0x7fab60c9139e in mozilla::PresShell::Release() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:840:1
    #7 0x7fab60d9aa4b in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #8 0x7fab60d9aa4b in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:631
    #9 0x7fab60d9aa4b in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4645
    #10 0x7fab60d91d74 in nsDocumentViewer::Hide() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2245:3
    #11 0x7fab63e25b49 in SetVisibility /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6611:9
    #12 0x7fab63e25b49 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6601
    #13 0x7fab5cc2e8ba in nsFrameLoader::Hide() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1467:12
    #14 0x7fab61166c6d in nsHideViewer::Run() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:985:21
    #15 0x7fab5c786e10 in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5735:15
    #16 0x7fab60d8b36c in ~nsAutoScriptBlocker /builds/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3516:5
    #17 0x7fab60d8b36c in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1797
    #18 0x7fab63dd36b7 in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5966:21
    #19 0x7fab63e1f76f in non-virtual thunk to nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5891:13
    #20 0x7fab63edeced in nsXULWindow::Destroy() /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:492:17
    #21 0x7fab63eb6d54 in nsWebShellWindow::Destroy() /builds/worker/workspace/build/src/xpfe/appshell/nsWebShellWindow.cpp:787:23
    #22 0x7fab5c872a8d in nsGlobalWindow::ReallyCloseWindow() /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:9569:27
    #23 0x7fab5c8a34ac in nsCloseEvent::Run() /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:9326:16
    #24 0x7fab59d7d626 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #25 0x7fab59d97ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #26 0x7fab6037e097 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #27 0x7fab6037e097 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3080
    #28 0x7fab6037f542 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2865:11
    #29 0x7fab5df3186f in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
    #30 0x7fab5e6f6e20 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #31 0x7fab64af3730 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #32 0x7fab64af3730 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #33 0x7fab64d2840f in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2539:14
    #34 0x2da9625f1486  (<unknown module>)
    #35 0x62100006da47  (<unknown module>)
    #36 0x2da9625e5849  (<unknown module>)
    #37 0x7fab64d55372 in EnterBaseline /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:149:9
    #38 0x7fab64d55372 in js::jit::EnterBaselineAtBranch(JSContext*, js::InterpreterFrame*, unsigned char*) /builds/worker/workspace/build/src/js/src/jit/BaselineJIT.cpp:226

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7fab59d3230f in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:209:15
    #2 0x7fab59d3230f in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:244
    #3 0x7fab59d3230f in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:74
    #4 0x7fab59d3230f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:79
    #5 0x7fab60e9d783 in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7fab60e9d783 in AllocateFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:204
    #7 0x7fab60e9d783 in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fab60e9d783 in NS_NewViewportFrame(nsIPresShell*, nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fab60d3d424 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2843:5
    #10 0x7fab60c9b268 in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1741:36
    #11 0x7fab5c81c28d in nsGlobalWindow::SetInitialPrincipalToSubject() /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:2621:12
    #12 0x7fab647a5ce6 in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:1117:18
    #13 0x7fab647ab10f in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #14 0x7fab647ab10f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #15 0x7fab5c86b7b5 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12915:21
    #16 0x7fab5c869d8f in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8970:10
    #17 0x7fab5c869d8f in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8932
    #18 0x7fab5c86a21d in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8941:3
    #19 0x7fab5de67513 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2192:56
    #20 0x7fab5de65875 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15335:13
    #21 0x7fab64af3730 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #22 0x7fab64af3730 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #23 0x7fab64adefbb in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #24 0x7fab64adefbb in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #25 0x7fab64ac6b9a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #26 0x7fab64af6653 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
    #27 0x7fab64af6e92 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
    #28 0x7fab6554c169 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #29 0x7fab5cc97899 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
    #30 0x7fab603d8c73 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
    #31 0x7fab603d40b6 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
    #32 0x7fab603b7bca in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
    #33 0x7fab603b40b8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #34 0x7fab5bb97a37 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
    #35 0x7fab5bb97a37 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728
    #36 0x7fab5bb9139b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
    #37 0x7fab5bb9d46f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
    #38 0x7fab59d7d626 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #39 0x7fab59d97ae8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #40 0x7fab5ab69d11 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsQueryFrame.h:114:45 in operator nsIObjectFrame *<nsIObjectFrame>
Shadow bytes around the buggy address:
  0x0c4a80098700: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098710: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098720: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098730: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098740: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c4a80098750: fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098760: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098770: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098780: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a80098790: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4a800987a0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==7347==ABORTING
Reporter

Updated

2 years ago
Crash Signature: [@ nsIFrame::InvalidateFrameSubtree], [@ operator nsIScrollableFrame *<nsIScrollableFrame>], [@ operator nsIObjectFrame *<nsIObjectFrame>]
Reporter

Updated

2 years ago
Crash Signature: [@ nsIFrame::InvalidateFrameSubtree], [@ operator nsIScrollableFrame *<nsIScrollableFrame>], [@ operator nsIObjectFrame *<nsIObjectFrame>] → [@ nsIFrame::InvalidateFrameSubtree], [@ operator nsIScrollableFrame *<nsIScrollableFrame>], [@ operator nsIObjectFrame *<nsIObjectFrame>], [@ GetFrame], [@ GetPreviousWeakFrame]
Reporter

Comment 1

2 years ago
Posted file trigger.html
Requires Stylo to be enabled and dom.webcomponents.enabled to be set to true.

INFO: Last good revision: 2011b90ddb79817efddb3ac8c9feb0b6ed4b24a9
INFO: First bad revision: e214368792a2bad363b383e8efb47fd0133e7cd5
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=2011b90ddb79817efddb3ac8c9feb0b6ed4b24a9&tochange=e214368792a2bad363b383e8efb47fd0133e7cd5
Blocks: 1404789
Has Regression Range: --- → yes
Flags: needinfo?(emilio)
OS: Unspecified → All
Hardware: Unspecified → All
Summary: AddressSanitizer: heap-use-after-free [@ operator nsIObjectFrame *<nsIObjectFrame>] with READ of size 8 → stylo: AddressSanitizer: heap-use-after-free [@ operator nsIObjectFrame *<nsIObjectFrame>] with READ of size 8
Version: unspecified → Trunk
Ugh, this is bad.

On a debug build, this asserts:

  Assertion failure: mAllocatedPointers.IsEmpty() (Some pres arena objects were not freed), at /home/emilio/projects/moz/gecko/layout/base/PresShell.cpp:867

Those objects are the two frames we're misusing.

There are two non-fatal assertions that indicate what is going wrong:

[22879, Main Thread] ###!!! ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file /home/emilio/projects/moz/gecko/layout/base/PresShell.cpp, line 4417
[22879, Main Thread] ###!!! ASSERTION: Should be in an update while creating frames: 'mUpdateCount != 0', file /home/emilio/projects/moz/gecko/layout/base/nsCSSFrameConstructor.cpp, line 7615

So we're inserting content in a ShadowRoot, whose owner doc is:

  $9 = (nsHTMLDocument *) 0x7f03f648f000

But whose host's owner doc is:

  $10 = (nsHTMLDocument *) 0x7f03f648f000

NS_IMPL_MUTATION_NOTIFICATION does:

    ShadowRoot* shadow = ShadowRoot::FromNode(node);              \
    if (shadow) {                                                 \
      node = shadow->GetHost();                                   \
    } else {                                                      \
      node = node->GetParentNode();                               \
    }                                                             \

And that makes us notify the wrong document, causing badness.

Before bug 1404789 this was wallpapered, because we reconstructed the whole thing.

I have no clue what is supposed to happen when adopting a shadow root, but I suspect this state is not correct...
Flags: needinfo?(emilio)
Assignee

Updated

2 years ago
Assignee: nobody → emilio
Do we need to do something special when aClone == true? What's up with the XBL binding?
Attachment #8925590 - Flags: review?(bugs)
Assignee

Updated

2 years ago
Attachment #8925590 - Attachment description: Adopt shadow root when adopting a shadow root. → Adopt shadow root when adopting a shadow host.
So per https://dom.spec.whatwg.org/#concept-node-adopt step 3 substep 1, I expect we should in fact adopt a shadow root when its shadow host is adopted, because I _think_ the shadow root is in the "shadow-including inclusive descendants" of the node.  There should really be a web platform test for this, if there isn't one...

When aClone is true, that means we are either cloning or importing.  In either case, we land in https://dom.spec.whatwg.org/#concept-node-clone which does nothing interesting with shadow roots/hosts.  The clones may end up with their own shadow roots attached, depending on whatever.

Cloning or importing a shadowroot directly is supposed to fail; I don't know whether we implement that.  See https://dom.spec.whatwg.org/#dom-document-importnode step 1 and https://dom.spec.whatwg.org/#dom-node-clonenode step 1.

Adopting a shadowRoot directly is also supposed to fail.  See https://dom.spec.whatwg.org/#dom-document-adoptnode step 2...
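The two mechanisms discussed above, as an added example that is not Gecko code and not part of this bug: the upward walk that NS_IMPL_MUTATION_NOTIFICATION performs (shadow root to host, anything else to parent), and the adopt algorithm from https://dom.spec.whatwg.org/#concept-node-adopt step 3 substep 1 applied over shadow-including inclusive descendants. It uses a toy tree model with hypothetical names (Node, Arena, AdoptDescendantsOnly, AdoptShadowIncluding, DocumentAtTopOfChain, NotificationTargetsOwnDocument), not nsINode or ShadowRoot, and the light-tree-only adopt stands in for the state described in the bug, where the shadow root kept the old owner document while its host moved to the new one.

```cpp
// Added example, not Gecko code: a toy tree model that contrasts a light-tree-only
// adopt with the DOM-spec adopt over shadow-including inclusive descendants, and
// reproduces the upward walk of NS_IMPL_MUTATION_NOTIFICATION. All names are
// hypothetical.
#include <algorithm>
#include <cstdio>
#include <memory>
#include <vector>

struct Document {};

struct Node {
  Document* ownerDocument = nullptr;
  Node* parent = nullptr;      // light-tree parent; null for a root or a shadow root
  Node* host = nullptr;        // non-null only on a shadow root
  Node* shadowRoot = nullptr;  // non-null only on a shadow host
  std::vector<Node*> children;
};

struct Arena {  // owns every node created in the example
  std::vector<std::unique_ptr<Node>> nodes;
  Node* Make(Document* doc) {
    nodes.emplace_back(new Node());
    nodes.back()->ownerDocument = doc;
    return nodes.back().get();
  }
};

void AppendChild(Node* parent, Node* child) {
  if (child->parent) {  // detach from the previous parent first
    auto& sib = child->parent->children;
    sib.erase(std::find(sib.begin(), sib.end(), child));
  }
  child->parent = parent;
  parent->children.push_back(child);
}

void AttachShadow(Node* host, Node* root) { host->shadowRoot = root; root->host = host; }

// The incomplete behaviour the bug describes: only light-tree descendants move to
// the new document, so a shadow root and its contents keep pointing at the old one.
void AdoptDescendantsOnly(Node* n, Document* doc) {
  n->ownerDocument = doc;
  for (Node* c : n->children) AdoptDescendantsOnly(c, doc);
}

// https://dom.spec.whatwg.org/#concept-node-adopt step 3 substep 1: set the node
// document of every shadow-including inclusive descendant.
void AdoptShadowIncluding(Node* n, Document* doc) {
  n->ownerDocument = doc;
  if (n->shadowRoot) AdoptShadowIncluding(n->shadowRoot, doc);
  for (Node* c : n->children) AdoptShadowIncluding(c, doc);
}

// Upward walk in the shape of NS_IMPL_MUTATION_NOTIFICATION: a shadow root continues
// at its host, any other node at its parent. Returns the document owning the top of
// the chain, i.e. the document whose observers (such as a pres shell) would be told
// about a mutation under n.
Document* DocumentAtTopOfChain(Node* n) {
  while (Node* next = n->host ? n->host : n->parent) n = next;
  return n->ownerDocument;
}

// False is the state behind the "Unexpected aDocument" assertion: the document being
// notified is not the one n believes it belongs to.
bool NotificationTargetsOwnDocument(Node* n) {
  return DocumentAtTopOfChain(n) == n->ownerDocument;
}

// Constructed fixture. docA: rootA > host > (#shadow-root > span); docB: rootB, empty.
struct Fixture {
  Arena arena;
  Document docA, docB;
  Node *rootA = arena.Make(&docA), *rootB = arena.Make(&docB);
  Node *host = arena.Make(&docA), *shadow = arena.Make(&docA), *span = arena.Make(&docA);
  Fixture() {
    AppendChild(rootA, host);
    AttachShadow(host, shadow);
    AppendChild(shadow, span);
  }
  // Mimics docB.adoptNode(host) followed by rootB.appendChild(host).
  void MoveHostToDocB(void (*adopt)(Node*, Document*)) {
    adopt(host, &docB);
    AppendChild(rootB, host);
  }
};

// True when the light-tree-only adopt leaves the shadow subtree in the old document
// while mutations under it would be reported to the new one.
bool BuggyAdoptLeavesMismatch() {
  Fixture f;
  f.MoveHostToDocB(AdoptDescendantsOnly);
  return f.host->ownerDocument == &f.docB && f.shadow->ownerDocument == &f.docA &&
         !NotificationTargetsOwnDocument(f.span);
}

// True when the spec adopt keeps host, shadow root and shadow children aligned.
bool SpecAdoptIsConsistent() {
  Fixture f;
  f.MoveHostToDocB(AdoptShadowIncluding);
  return f.shadow->ownerDocument == &f.docB && f.span->ownerDocument == &f.docB &&
         NotificationTargetsOwnDocument(f.span);
}

int main() {
  std::printf("descendants-only adopt leaves a mismatch: %s\n", BuggyAdoptLeavesMismatch() ? "yes" : "no");
  std::printf("shadow-including adopt is consistent:     %s\n", SpecAdoptIsConsistent() ? "yes" : "no");
  return 0;
}
```

The check in NotificationTargetsOwnDocument is the kind of invariant a debug assertion can enforce cheaply: after any adopt, every node reachable from a host through its shadow root must report the same document that the host's ancestor chain does, otherwise the notification fans out to the observers of a document whose pres shell (and frame arena) may already be gone.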
Comment on attachment 8925590 [details] [diff] [review]
Adopt shadow root when adopting a shadow host.

yeah, we shouldn't do this when aClone is true.
Attachment #8925590 - Flags: review?(bugs) → review-
Comment on attachment 8925590 [details] [diff] [review]
Adopt shadow root when adopting a shadow host.

This is inside an:

  if (aDeep && (!aClone || !aNode->IsNodeOfType(nsINode::eATTRIBUTE))) {

So this should be good then IIUC.
Attachment #8925590 - Flags: review- → review?(bugs)
Comment on attachment 8925590 [details] [diff] [review]
Adopt shadow root when adopting a shadow host.

Err, nevermind, I don't know how to boolean.
Attachment #8925590 - Flags: review?(bugs) → review-
Attachment #8925703 - Flags: review?(bugs)
Assignee

Updated

2 years ago
Attachment #8925590 - Attachment is obsolete: true
Comment on attachment 8925703 [details] [diff] [review]
Updated per comments.

Does wpt really not have any tests for this?

Pass aDeep as param, and not true.
Attachment #8925703 - Flags: review?(bugs) → review+
(In reply to Olli Pettay [:smaug] from comment #10)
> Comment on attachment 8925703 [details] [diff] [review]
> Updated per comments.
> 
> Does wpt really not have any tests for this?

I haven't run this through try, it being a sec bug that has probably been there since ShadowRoot was introduced, but given that it's disabled everywhere I guess I should just do that.
Reporter

Updated

2 years ago
Flags: in-testsuite?
Keywords: testcase
remote: View your change here:
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/e13804265867ec492d8b775035698b1bcd8b96f8
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/e13804265867
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML