Closed Bug 1414999 Opened 2 years ago Closed 2 years ago

stylo: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8

Categories: Core :: CSS Parsing and Computation, defect, P2

Tracking: RESOLVED FIXED, target milestone mozilla59
Tracking Status:
firefox-esr52 --- unaffected
firefox56 --- ?
firefox57 - disabled
firefox58 - disabled
firefox59 + fixed

People: Reporter: jkratzer, Assigned: emilio
References: Blocks 2 open bugs
Details: 4 keywords
Attachments: 3 files

Found while fuzzing mozilla-central rev 4ea775c267be. Will update with testcase once reduction completes.

==13899==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0002c8ea8 at pc 0x7f931d5a09e0 bp 0x7ffd429ae5e0 sp 0x7ffd429ae5d8
READ of size 8 at 0x61a0002c8ea8 thread T0
    #0 0x7f931d5a09df in PresShell /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12
    #1 0x7f931d5a09df in nsStyleContext::Arena() /builds/worker/workspace/build/src/layout/style/nsStyleContext.cpp:454
    #2 0x7f931d4fb6dd in void mozilla::ArenaRefPtr<nsStyleContext>::assignFrom<nsStyleContext*>(nsStyleContext*&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:153:13
    #3 0x7f931d401c0c in assign /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:137:26
    #4 0x7f931d401c0c in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:94
    #5 0x7f931d401c0c in SetResolvedStyleContext /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:888
    #6 0x7f931d401c0c in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1072
    #7 0x7f931d402a91 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1160:3
    #8 0x7f931d4005d8 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:479:26
    #9 0x7f931d04ab8a in mozilla::CSSEditUtils::GetCSSInlinePropertyBase(nsINode*, nsAtom*, nsTSubstring<char16_t>&, mozilla::CSSEditUtils::StyleType) /builds/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:541:5
    #10 0x7f931d0ae1c4 in GetComputedProperty /builds/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:520:10
    #11 0x7f931d0ae1c4 in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsINode**) /builds/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:107
    #12 0x7f931d0adcd7 in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsIDOMElement**) /builds/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:85:5
    #13 0x7f931d0bc44c in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /builds/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:362:7
    #14 0x7f931d179143 in mozilla::HTMLEditor::EndUpdateViewBatch() /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:4585:10
    #15 0x7f931d06f9c6 in mozilla::EditorBase::EndPlaceholderTransaction() /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1007:5
    #16 0x7f931d152657 in ~AutoPlaceholderBatch /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:172:20
    #17 0x7f931d152657 in mozilla::HTMLEditor::Indent(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2247
    #18 0x7f931d23587a in nsIndentCommand::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:503:22
    #19 0x7f931b3ca4b5 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
    #20 0x7f931b3c119e in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
    #21 0x7f931b3c77a4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22
    #22 0x7f931b8f7172 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3349:18
    #23 0x7f931ae0afe0 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:891:21
    #24 0x7f931b0fc120 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
    #25 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #26 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #27 0x7f93214f4b92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #28 0x7f93221dd53e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
    #29 0x7f9322192fd5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
    #30 0x7f93221bd1e3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
    #31 0x7f93221bf8c7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
    #32 0x7f93214f3f1f in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #33 0x7f93214f3f1f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
    #34 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #35 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #36 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #37 0x7f93214f6ac3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
    #38 0x7f93214f7302 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
    #39 0x7f9321f4c5e9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #40 0x7f931969c899 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
    #41 0x7f931cdd95e3 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
    #42 0x7f931cdd4a26 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
    #43 0x7f931cdb853a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
    #44 0x7f931cdb4a28 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #45 0x7f931859ca17 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
    #46 0x7f931859ca17 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728
    #47 0x7f931859637b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
    #48 0x7f93185a244f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
    #49 0x7f9316782b36 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #50 0x7f931679cff8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #51 0x7f931756ecf1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #52 0x7f93174cf34b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #53 0x7f93174cf34b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #54 0x7f93174cf34b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #55 0x7f931cf3b8cf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #56 0x7f932104aad1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #57 0x7f93212427ab in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
    #58 0x7f9321244375 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
    #59 0x7f9321245726 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
    #60 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #61 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #62 0x7f933468c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #63 0x41dbc8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41dbc8)

0x61a0002c8ea8 is located 40 bytes inside of 1384-byte region [0x61a0002c8e80,0x61a0002c93e8)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f931661e437 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f9316625adb in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f9316625adb in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925
    #4 0x7f9316624ff3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
    #5 0x7f9316628e40 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
    #6 0x7f9319686add in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1479:3
    #7 0x7f93191cb77b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1437:3
    #8 0x7f93167ad1c1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
    #9 0x7f9317fb1740 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7f9317fb1740 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7f9317fb1740 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7f9317fb84cf in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #13 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #15 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #16 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #17 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #18 0x7f93214f3c9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
    #19 0x7f93214f4b92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
    #20 0x7f9321f38f13 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
    #21 0x7f9317ed0c1b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #24 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #25 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #26 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
    #27 0x7f93214f6ac3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
    #28 0x7f93214f7302 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
    #29 0x7f9321f4c5e9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
    #30 0x7f931969c899 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
    #31 0x7f931cdd95e3 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
    #32 0x7f931cdd4a26 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
    #33 0x7f931cdb853a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
    #34 0x7f931cdb4a28 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
    #35 0x7f931859ca17 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
    #36 0x7f931859ca17 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728
    #37 0x7f931859637b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f931d78d26a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f931d78d26a in CreatePresContext /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:801
    #4 0x7f931d78d26a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:853
    #5 0x7f931d78cf97 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
    #6 0x7f932082ebab in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9557:7
    #7 0x7f932082d56c in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7381:17
    #8 0x7f93207c62d5 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9364:3
    #9 0x7f93207c3be0 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:196:21
    #10 0x7f93183d0dea in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:739:28
    #11 0x7f93183ce593 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:417:30
    #12 0x7f93183ccfbb in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:295:8
    #13 0x7f93168de387 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:859:25
    #14 0x7f931692b242 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:518:25
    #15 0x7f931692a8ce in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:421:25
    #16 0x7f931671bcad in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
    #17 0x7f9316782b36 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #18 0x7f931679cff8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #19 0x7f93208f711f in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2003:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #20 0x7f93208f711f in nsXULWindow::CreateNewContentWindow(int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2003
    #21 0x7f932104caff in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:661:18
    #22 0x7f93211ac634 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:496:21
    #23 0x7f93211aa12f in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:965:14
    #24 0x7f93211ac35f in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #25 0x7f93211ac35f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
    #26 0x7f93192707b5 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12915:21
    #27 0x7f931926ed8f in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8970:10
    #28 0x7f931926ed8f in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8932
    #29 0x7f931926f21d in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8941:3
    #30 0x7f931a86c513 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2192:56
    #31 0x7f931a86a875 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15335:13
    #32 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #33 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
    #34 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
    #35 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
    #36 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12 in PresShell
Shadow bytes around the buggy address:
  0x0c3480051180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c3480051190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c34800511a0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34800511b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c34800511c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c34800511d0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
  0x0c34800511e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c34800511f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480051200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480051210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c3480051220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==13899==ABORTING
Group: core-security
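The report above carries the three facts a triager needs (the faulting access, the free site and the allocation site) plus the region line that ties them together. The following Python is an added triage example, not part of this bug or of Gecko: it parses those parts of an ASan report into a structured record, skips the allocator/interceptor frames to find the first application frame of each stack, and cross-checks that the faulting address really sits at the stated offset inside the freed region. SAMPLE_REPORT is a constructed excerpt of the report above, keeping only the first frames of each stack.

```python
# Added triage example (not Gecko code): parse an ASan heap-use-after-free report.
import re
from dataclasses import dataclass, field

# Constructed excerpt of the report in this bug: only the first frames of each stack are kept.
SAMPLE_REPORT = """\
==13899==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0002c8ea8 at pc 0x7f931d5a09e0 bp 0x7ffd429ae5e0 sp 0x7ffd429ae5d8
READ of size 8 at 0x61a0002c8ea8 thread T0
    #0 0x7f931d5a09df in PresShell /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12
    #1 0x7f931d5a09df in nsStyleContext::Arena() /builds/worker/workspace/build/src/layout/style/nsStyleContext.cpp:454
    #2 0x7f931d4fb6dd in void mozilla::ArenaRefPtr<nsStyleContext>::assignFrom<nsStyleContext*>(nsStyleContext*&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:153:13

0x61a0002c8ea8 is located 40 bytes inside of 1384-byte region [0x61a0002c8e80,0x61a0002c93e8)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f931661e437 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f931d78d26a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f931d78d26a in CreatePresContext /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:801

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12 in PresShell
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)")
REGION_RE = re.compile(r"^0x[0-9a-f]+ is located (\d+) bytes (inside|to the left|to the right) of "
                       r"(\d+)-byte region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
SECTION_RE = re.compile(r"^(freed|previously allocated) by thread T\d+ here:")
# Function names may contain spaces (template arguments); the source location is the last token.
FRAME_RE = re.compile(r"^\s*#(\d+)\s+0x[0-9a-f]+\s+in\s+(.+)\s+(\S+)\s*$")
# Allocator and interceptor frames carry no triage information; the first frame after them does.
ALLOCATOR_FRAMES = {"__interceptor_free", "__interceptor_malloc", "malloc", "free", "calloc",
                    "realloc", "moz_xmalloc", "moz_xrealloc", "operator new", "operator delete"}


@dataclass
class Frame:
    index: int
    function: str
    location: str

    def short_location(self) -> str:
        # Drop the build-tree prefix ("/builds/.../build/src/") when present.
        return self.location.split("/build/src/", 1)[-1]


@dataclass
class AsanReport:
    bug_type: str = ""
    address: int = 0
    access_kind: str = ""
    access_size: int = 0
    thread: str = ""
    offset: int = 0
    where: str = ""
    region_size: int = 0
    region_start: int = 0
    region_end: int = 0
    stacks: dict = field(default_factory=lambda: {"access": [], "free": [], "alloc": []})

    def address_consistent(self) -> bool:
        """Cross-check the region line against the faulting address and the region bounds."""
        expected = {"inside": self.region_start + self.offset,
                    "to the left": self.region_start - self.offset,
                    "to the right": self.region_end + self.offset}.get(self.where)
        return expected == self.address and self.region_end - self.region_start == self.region_size


def parse_asan_report(text: str) -> AsanReport:
    r, current = AsanReport(), None
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            r.bug_type, r.address = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.match(line):
            r.access_kind, r.access_size, r.thread = m.group(1), int(m.group(2)), m.group(3)
            current = "access"          # frames that follow are the faulting access stack
        elif m := REGION_RE.match(line):
            r.offset, r.where, r.region_size = int(m.group(1)), m.group(2), int(m.group(3))
            r.region_start, r.region_end = int(m.group(4), 16), int(m.group(5), 16)
        elif m := SECTION_RE.match(line):
            current = "free" if m.group(1) == "freed" else "alloc"
        elif (m := FRAME_RE.match(line)) and current:
            r.stacks[current].append(Frame(int(m.group(1)), m.group(2), m.group(3)))
    return r


def first_app_frame(frames):
    """First frame that is not an allocator/interceptor frame, or None."""
    return next((f for f in frames if f.function not in ALLOCATOR_FRAMES), None)


def triage_summary(r: AsanReport) -> dict:
    """What was touched, where it was freed, where it came from, and whether the report is self-consistent."""
    def describe(key):
        f = first_app_frame(r.stacks[key])
        return f"{f.function} ({f.short_location()})" if f else "unknown"
    return {
        "bug": f"{r.bug_type}: {r.access_kind} of {r.access_size} bytes on thread {r.thread}",
        "object": f"{r.region_size}-byte heap object, access {r.offset} bytes {r.where}",
        "accessed_in": describe("access"),
        "freed_in": describe("free"),
        "allocated_in": describe("alloc"),
        "address_consistent": r.address_consistent(),
    }


if __name__ == "__main__":
    for key, value in triage_summary(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:>18}: {value}")
```

Run against the excerpt, the summary names the 1384-byte pres context allocated in CreatePresContext, freed by the cycle collector (SnowWhiteKiller::~SnowWhiteKiller()) and read 40 bytes in through the PresShell accessor reached from nsStyleContext::Arena(), which is the dangling-reference shape the later comments on this bug discuss. The consistency check is there because hand-edited or truncated reports pasted into bugs sometimes lose a region line; a mismatch tells you to go back to the raw log.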
Attached file trigger.html
The attached testcase requires the fuzzPriv extension which can be found at:
https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension

The testcase also requires the following prefs:
// Enable web components
user_pref("dom.webcomponents.enabled", true);
user_pref("dom.webcomponents.customelements.enabled", true);
Only reproduces with Stylo enabled.

INFO: Last good revision: a6aaaf9cb7d3a4f3baa430cfa88671f0acabed6c
INFO: First bad revision: da7f10ba43442e258c8ffafbd3b20ae5b2e1f805
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a6aaaf9cb7d3a4f3baa430cfa88671f0acabed6c&tochange=da7f10ba43442e258c8ffafbd3b20ae5b2e1f805
Blocks: 1409079
Group: core-security → layout-core-security
Has Regression Range: --- → yes
Summary: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8 → stylo: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8
Version: 52 Branch → Trunk
This looks like the ArenaRefPtr stuff... Manish, any chance you can have a look? Please let me know if you can't quickly, I can try to get to this this week otherwise.
Flags: needinfo?(manishearth)
I took a look at this, but haven't been able to repro so far. I suspect this may be a dupe of bug 1414692. Can you try to repro again, Ryan, just to confirm?
Flags: needinfo?(ryanvm)
NVM, managed to repro after a few retries.
Flags: needinfo?(ryanvm)
Uhh, I suspect this may be the reason for the funny hashmap crashes. This is very very bad.
This is very very bad. The pres context may well be dead by then, but we're playing with it. Furthermore, the hashmaps in the stylist clobber the memory that used to be taken by the pres context, which may explain fun stuff.
Assignee: nobody → emilio
Flags: needinfo?(manishearth)
Ok, just for the record, I think 57 may not be affected, and this may genuinely be a web components + stylo issue. In particular, what I'm working on right now in bug 1415013.

However, given nothing prevents the flat tree from changing while the document is in the bfcache, I think even with that fixed this may need a deeper fix.
Ok, yeah, I'm pretty sure this is bug 1415013.

In short, what's happening here is that when the shadow root is created, the <body> element gets out of the flat tree, but we don't clear the data associated with it.

When the doc comes back from the bfcache, we clear the stale Servo data from the flat tree, but of course the <body> is not part of it, so we never reach it.
This doesn't yet fix the test-case, but prevents similar but nastier issues once bug 1415013 is fixed.

There's nothing preventing the flat tree from changing while the document doesn't have a shell. In that case, we really really don't want to lose track of elements with stale style data, since then we'll mess up.
Attachment #8926929 - Flags: review?(bzbarsky)
There's the other question of what should getComputedStyle return for something that is not in the flat tree...
Priority: -- → P2
Comment on attachment 8926929 [details] [diff] [review]
Synchronously clean style data from the DOM tree when the shell goes away.

I don't see how the bfcache-related changes make sense.  When going into bfcache, DeleteShell() is _not_ called.
Flags: needinfo?(emilio)
Hmm, indeed.

Reading https://developer.mozilla.org/en-US/docs/Working_with_BFCache (I don't know how accurate that may be), it looks like we have the guarantee that the document doesn't run scripts while in the bfcache, is that right?

If so, then this patch should be fine as-is, and the only problematic bit would be "iframe going to display: none, touch shadow dom, iframe coming back".

I suspect that's fine because otherwise we'd have the same problem when the flattened tree changes but we still have frames lying around in the bfcache.

Does that make sense?
Flags: needinfo?(bzbarsky)
The document itself does not run scripts while in bfcache, but other documents can be running scripts and have access to nodes from the bfcached document, unfortunately.
Flags: needinfo?(bzbarsky)
Comment on attachment 8926929 [details] [diff] [review]
Synchronously clean style data from the DOM tree when the shell goes away.

Please document in the commit message why the new bfcache setup is ok.

>+++ b/servo/components/style/lib.rs

I assume this chunk shouldn't be in here, right?
Attachment #8926929 - Flags: review?(bzbarsky) → review+
remote: View your change here:
remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/d4fa112c3acd46f16c387c5d0532c87598fd1a91
remote: 
remote: Follow the progress of your build on Treeherder:
remote:   https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=d4fa112c3acd46f16c387c5d0532c87598fd1a91
Flags: needinfo?(emilio)
I relanded it with an assertion fix. The pres context can be different if you getComputedStyle on an element in a doc in the bfcache (but with a shell).
Flags: needinfo?(emilio)
And self-backout, because I didn't see the second assertion, and I can't reproduce it, but it looks scary and I don't know a fix off-hand...
Flags: needinfo?(emilio)
Depends on: 1418456
Depends on: 1418560
https://hg.mozilla.org/mozilla-central/rev/409cb807a665
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Group: layout-core-security → core-security-release
Group: core-security-release