Closed Bug 1415551 Opened 7 years ago Closed 3 years ago

AddressSanitizer: heap-use-after-free [@ OnNonDOMMutationRenderingChange] [@ mozilla::SVGRenderingObserverSet::InvalidateAll] with WRITE of size 1

Categories

(Core :: SVG, defect, P1)

52 Branch
defect


RESOLVED WORKSFORME

People

(Reporter: jkratzer, Assigned: jwatt)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-bounds, sec-high, Whiteboard: [bug 1539477 may help])

Crash Data

Attachments

(1 file, 1 obsolete file)

Found while fuzzing mozilla-central rev 2ba9ba4fa63b. Testcase was not reproducible. I will update this if another, reproducible testcase is found.

=================================================================
==6317==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b0000361d8 at pc 0x7f672098e9cd bp 0x7ffe5d0aa950 sp 0x7ffe5d0aa948
WRITE of size 1 at 0x60b0000361d8 thread T0
    #0 0x7f672098e9cc in OnNonDOMMutationRenderingChange /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:103:19
    #1 0x7f672098e9cc in nsSVGRenderingObserverList::InvalidateAll() /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:804
    #2 0x7f672098f7d5 in ~nsSVGRenderingObserverList /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.h:418:5
    #3 0x7f672098f7d5 in void nsINode::DeleteProperty<nsSVGRenderingObserverList>(void*, nsAtom*, void*, void*) /builds/worker/workspace/build/src/dom/base/nsINode.h:843
    #4 0x7f671c4132f0 in DeletePropertyFor /builds/worker/workspace/build/src/dom/base/nsPropertyTable.cpp:296:5
    #5 0x7f671c4132f0 in nsPropertyTable::TransferOrDeleteAllPropertiesFor(nsPropertyOwner, nsPropertyTable*) /builds/worker/workspace/build/src/dom/base/nsPropertyTable.cpp:105
    #6 0x7f671c23b2b9 in nsIDocument::AdoptNode(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8145:24
    #7 0x7f671c3ab479 in AdoptNodeIntoOwnerDoc /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1524:42
    #8 0x7f671c3ab479 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2443
    #9 0x7f671c3a71dd in InsertBefore /builds/worker/workspace/build/src/dom/base/nsINode.h:1841:12
    #10 0x7f671c3a71dd in AppendChild /builds/worker/workspace/build/src/dom/base/nsINode.h:1845
    #11 0x7f671c3a71dd in ConvertNodesOrStringsIntoNode(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, nsIDocument*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1716
    #12 0x7f671c3a8570 in nsINode::Prepend(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1887:5
    #13 0x7f671d92862d in mozilla::dom::ElementBinding::prepend(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:4477:9
    #14 0x7f671de27b30 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3039:13
    #15 0x7f672429e6f4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #16 0x7f672429e6f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #17 0x7f672429f6e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #18 0x7f6724f8ee8e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
    #19 0x7f6724f434b5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23
    #20 0x7f6724f6e803 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:512:21
    #21 0x7f6724f712d7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:787:12
    #22 0x7f672429ea73 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7f672429ea73 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:455
    #24 0x7f6724288d5c in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #25 0x7f6724288d5c in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3067
    #26 0x7f672426f95a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #27 0x7f67242a1616 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #28 0x7f67242f08be in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #29 0x7f67242ef003 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:420:12
    #30 0x3669c3818e67 (<unknown module>)

0x60b0000361d8 is located 8 bytes inside of 104-byte region [0x60b0000361d0,0x60b000036238)
freed by thread T0 here:
    #0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
    #1 0x7f671939bf07 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
    #2 0x7f67193a2968 in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
    #3 0x7f67193a2968 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3731
    #4 0x7f67193a6e74 in FinishAnyCurrentCollection /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3832:3
    #5 0x7f67193a6e74 in PrepareForGarbageCollection /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3819
    #6 0x7f67193a6e74 in nsCycleCollector_prepareForGarbageCollection() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4344
    #7 0x7f6719379366 in mozilla::CycleCollectedJSRuntime::OnGC(JSContext*, JSGCStatus) /builds/worker/workspace/build/src/xpcom/base/CycleCollectedJSRuntime.cpp:1467:7
    #8 0x7f6724ddf524 in callGCCallback /builds/worker/workspace/build/src/js/src/jsgc.cpp:1634:9
    #9 0x7f6724ddf524 in js::gc::GCRuntime::maybeCallBeginCallback() /builds/worker/workspace/build/src/js/src/jsgc.cpp:7141
    #10 0x7f6724ddfd8f in AutoCallGCCallbacks /builds/worker/workspace/build/src/js/src/jsgc.cpp:7120:13
    #11 0x7f6724ddfd8f in js::gc::GCRuntime::gcCycle(bool, js::SliceBudget&, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7175
    #12 0x7f6724de3845 in js::gc::GCRuntime::collect(bool, js::SliceBudget, JS::gcreason::Reason) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7371:25
    #13 0x7f6724db3efe in js::gc::GCRuntime::startGC(JSGCInvocationKind, JS::gcreason::Reason, long) /builds/worker/workspace/build/src/js/src/jsgc.cpp:7450:5
    #14 0x7f6724db38ef in js::gc::GCRuntime::gcIfRequested() /builds/worker/workspace/build/src/js/src/jsgc.cpp:7657:13
    #15 0x7f67255f2156 in gcIfNeededAtAllocation /builds/worker/workspace/build/src/js/src/gc/Allocator.cpp:236:9
    #16 0x7f67255f2156 in bool js::gc::GCRuntime::checkAllocatorState<(js::AllowGC)1>(JSContext*, js::gc::AllocKind) /builds/worker/workspace/build/src/js/src/gc/Allocator.cpp:191
    #17 0x7f67255f1f22 in JSObject* js::Allocate<JSObject, (js::AllowGC)1>(JSContext*, js::gc::AllocKind, unsigned long, js::gc::InitialHeap, js::Class const*) /builds/worker/workspace/build/src/js/src/gc/Allocator.cpp:51:17
    #18 0x7f6724e21d69 in js::NativeObject::create(JSContext*, js::gc::AllocKind, js::gc::InitialHeap, JS::Handle<js::Shape*>, JS::Handle<js::ObjectGroup*>) /builds/worker/workspace/build/src/js/src/vm/NativeObject-inl.h:511:21
    #19 0x7f6724e4ca1e in NewObject(JSContext*, JS::Handle<js::ObjectGroup*>, js::gc::AllocKind, js::NewObjectKind, unsigned int) /builds/worker/workspace/build/src/js/src/jsobj.cpp:731:9
    #20 0x7f6724e4c040 in js::NewObjectWithGivenTaggedProto(JSContext*, js::Class const*, JS::Handle<js::TaggedProto>, js::gc::AllocKind, js::NewObjectKind, unsigned int) /builds/worker/workspace/build/src/js/src/jsobj.cpp:792:26
    #21 0x7f671de1f5ee in mozilla::dom::ReparentWrapper(JSContext*, JS::Handle<JSObject*>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2248:22
    #22 0x7f671c3fe0de in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:613:9
    #23 0x7f671c3fe75e in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:637:9
    #24 0x7f671c3fe75e in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:637:9
    #25 0x7f671c3fe75e in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JS::Handle<JSObject*>, nsCOMArray<nsINode>*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:637:9
    #26 0x7f671c23b077 in Adopt /builds/worker/workspace/build/src/dom/base/nsNodeUtils.h:220:30
    #27 0x7f671c23b077 in nsIDocument::AdoptNode(nsINode&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8118
    #28 0x7f671c3ab479 in AdoptNodeIntoOwnerDoc /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1524:42
    #29 0x7f671c3ab479 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2443
    #30 0x7f671c3a71dd in InsertBefore /builds/worker/workspace/build/src/dom/base/nsINode.h:1841:12
    #31 0x7f671c3a71dd in AppendChild /builds/worker/workspace/build/src/dom/base/nsINode.h:1845
    #32 0x7f671c3a71dd in ConvertNodesOrStringsIntoNode(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, nsIDocument*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1716
    #33 0x7f671c3a8570 in nsINode::Prepend(mozilla::dom::Sequence<mozilla::dom::OwningNodeOrString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1887:5
    #34 0x7f671d92862d in mozilla::dom::ElementBinding::prepend(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:4477:9
    #35 0x7f671de27b30 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3039:13
    #36 0x7f672429e6f4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #37 0x7f672429e6f4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #38 0x7f672429f6e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #39 0x7f6724f8ee8e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:175:12
    #40 0x7f6724f434b5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:359:23

previously allocated by thread T0 here:
    #0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7f6720989285 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7f6720989285 in nsSVGFilterChainObserver::nsSVGFilterChainObserver(nsTArray<nsStyleFilter> const&, nsIContent*, nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:309
    #4 0x7f672098c4fb in nsSVGFilterProperty /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.h:317:7
    #5 0x7f672098c4fb in GetOrCreateFilterProperty(nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:517
    #6 0x7f67209825b4 in SVGObserverUtils::UpdateEffects(nsIFrame*) /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:764:3
    #7 0x7f6720982097 in mozilla::SVGGeometryFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/SVGGeometryFrame.cpp:411:5
    #8 0x7f67209a6749 in nsSVGDisplayContainerFrame::ReflowSVG() /builds/worker/workspace/build/src/layout/svg/nsSVGContainerFrame.cpp:349:17
    #9 0x7f6720a02b5f in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/svg/nsSVGOuterSVGFrame.cpp:454:14
    #10 0x7f6720784cd9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
    #11 0x7f67205f3b54 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4175:15
    #12 0x7f67205f2768 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3971:5
    #13 0x7f67205ea3f6 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3845:9
    #14 0x7f67205e3a38 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2828:5
    #15 0x7f67205d953f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2364:7
    #16 0x7f67205d0470 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1235:3
    #17 0x7f67205eff5a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #18 0x7f67205e5c00 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3476:11
    #19 0x7f67205e3ba2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2825:5
    #20 0x7f67205d953f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2364:7
    #21 0x7f67205d0470 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1235:3
    #22 0x7f672062cb6a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #23 0x7f672062b4a1 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:751:5
    #24 0x7f672062cb6a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #25 0x7f67206ebf18 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:550:3
    #26 0x7f67206ed5ce in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:662:3
    #27 0x7f67206f0779 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
    #28 0x7f67205b7553 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #29 0x7f67205b5eb5 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:330:7
    #30 0x7f67203b852c in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8941:11
    #31 0x7f67203cc621 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9114:24

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/svg/SVGObserverUtils.cpp:103:19 in OnNonDOMMutationRenderingChange
Shadow bytes around the buggy address:
  0x0c167fffebe0: fa fa 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c167fffebf0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c167fffec00: fd fd fd fd fd fd fa fa fa fa fa fa fa fa fd fd
  0x0c167fffec10: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c167fffec20: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
=>0x0c167fffec30: fd fa fa fa fa fa fa fa fa fa fd[fd]fd fd fd fd
  0x0c167fffec40: fd fd fd fd fd fd fd fa fa fa fa fa fa fa fa fa
  0x0c167fffec50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fffec60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fffec70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c167fffec80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6317==ABORTING
Group: core-security → layout-core-security
P5 for now. Please reset importance to "---" if you find a repro test file. I'd note that the cycle collection in the stack may be what's making this intermittent. Adding ways to force the CC/GC may help unwind this sooner.
Priority: -- → P5
Jason: are we likely to make progress on this one or should we close it "incomplete"?
Flags: needinfo?(jkratzer)
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Jason: are we likely to make progress on this one or should we close it
> "incomplete"?

Unfortunately, no new testcases have come in for this signature since it's been filed. I think we can close it as incomplete for now.
Flags: needinfo?(jkratzer)
Per comment 3, close the bug as incomplete.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INCOMPLETE
I have a testcase that reliably triggers this issue. However, it is not minimized and requires approximately 15 minutes in order to trigger. I'm working on reducing the testcase now and will update if a better, more reliable testcase becomes available. In the meantime, you'll need to do the following in order to use the testcase as is:

1. Unzip the testcase
2. Start a local webserver in the current working directory of the unpacked testcase:
   python -m SimpleHTTPServer &
3. Download both ffpuppet and the fuzzPriv extension:
   https://github.com/MozillaSecurity/ffpuppet/tree/master/ffpuppet
   https://github.com/MozillaSecurity/fuzzpriv
4. Launch the testcase via ffpuppet:
   python -m ffpuppet -e ~/path/to/fuzzpriv/ -p prefs.js ~/asan/firefox -d -l log -u http://localhost:8000/harness.html --xvfb
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
Attached file testcase.zip (obsolete) —
Also, as the attached testcase is not reduced, can we keep this bug closed as S-S as it may reveal information regarding our fuzzing techniques that we may not want public?
Jason, can you help reduce this test case in order to get a priority bump from SVG folks? Otherwise, I'm afraid this won't move :/
Flags: needinfo?(jkratzer)
(In reply to Frederik Braun [:freddyb] from comment #8)
> Jason, can you help reduce this test case in order to get a priority bump
> from SVG folks? Otherwise, I'm afraid this won't move :/

I'm working on getting a reduced testcase for this bug but due to the instability of the test case, it may take a few days. Keeping NI until it's complete.
The attached testcase is not fully reduced; however, it does trigger reliably and in significantly less time (approximately 10s). Although this testcase will trigger on the latest mc-asan build, I've found that it triggers quicker using 68dfe5ee5b80 (2018-03-15). I also have an rr recording of this crash if it would help.
Attachment #8947912 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
Thanks, Jason! Two questions:
* Does the testcase still use the STR from comment 5?
* How do you modify comment 5 to run Firefox under rr? (I'm unfamiliar with ffpuppet as a Firefox-wrapper, & how/where rr would fit into that command.)
Flags: needinfo?(jkratzer)
(In reply to Daniel Holbert [:dholbert] from comment #11)
> Thanks, Jason! Two questions:
> * Does the testcase still use the STR from comment 5?
> * How do you modify comment 5 to run Firefox under rr? (I'm unfamiliar with
> ffpuppet as a Firefox-wrapper, & how/where rr would fit into that command.)

Daniel, the process in comment #5 is no longer required to reproduce the issue. Launching the testcase directly via Firefox should be enough to trigger the bug.
Flags: needinfo?(jkratzer)
Attachment #8962755 - Attachment description: reduced_testcase.zip → reduced_testcase.zip (requires "fuzzpriv" extension to be installed and pop-ups to be allowed)
I spent some time trying to trigger the bug under ASAN builds yesterday, without success yet. I'll give it another shot with ffpuppet for good measure sometime in the next few days, and worst case, I've got the rr trace from Jason that I can perhaps get configured to be able to debug locally.
Flags: needinfo?(dholbert)
I can't reproduce it either (on Linux under rr). There are some nsSVGRenderingObserverList::InvalidateAll() crashes in the wild though (low volume), e.g.
bp-e3790faa-902a-482d-a414-920580180527
bp-966905ca-706e-49a0-9477-1c5d90180525
that appear to indicate UAF. Looking at the relevant code:
https://searchfox.org/mozilla-central/rev/5a744713370ec47969595e369fd5125f123e6d24/layout/svg/SVGObserverUtils.cpp#789-794
https://searchfox.org/mozilla-central/rev/5a744713370ec47969595e369fd5125f123e6d24/layout/svg/SVGObserverUtils.h#395-396,453
I'm wondering what keeps the raw pointers in 'observers' alive while we're iterating and calling OnNonDOMMutationRenderingChange... Does anyone know how the ownership here works?
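Comment 14 asks what keeps the raw pointers in 'observers' alive while InvalidateAll walks them. The block below is an added illustration, not Gecko code: the types, names and scenario are a hypothetical model. It contrasts a set of non-owning raw pointers whose observers are freed without unregistering (the shape of the ASan report above, where the cycle collector freed the observer) with a set where the observer's destructor detaches it and the walk iterates a snapshot so callbacks may safely mutate the set mid-iteration.

```cpp
#include <memory>
#include <set>
#include <vector>

// Debug registry of live observer addresses. It lets this model *detect* a
// dangling entry without dereferencing freed memory (UB, and a UAF under ASan).
static std::set<const void*> gLiveObservers;

// Model A (hypothetical): the set holds raw, non-owning pointers, and an
// observer freed elsewhere (as the CC did above) never tells the set it is gone.
struct NaiveObserver {
  int changes = 0;
  NaiveObserver() { gLiveObservers.insert(this); }
  ~NaiveObserver() { gLiveObservers.erase(this); }
  void OnNonDOMMutationRenderingChange() { ++changes; }
};

struct NaiveObserverSet {
  std::set<NaiveObserver*> observers;
  // Returns how many entries were already dead when the walk reached them.
  // A real build would call into them anyway: that is the reported UAF.
  int InvalidateAll() {
    int dangling = 0;
    for (NaiveObserver* o : observers) {
      if (gLiveObservers.count(o) == 0) { ++dangling; continue; }
      o->OnNonDOMMutationRenderingChange();
    }
    return dangling;
  }
};

// Model B (hardened): membership is tied to the observer's lifetime, and the
// walk runs over a snapshot so a callback may mutate the set mid-iteration.
struct SafeObserverSet;

struct SafeObserver {
  SafeObserverSet* set = nullptr;
  bool removeSelfOnChange = false;
  int changes = 0;
  ~SafeObserver();
  void OnNonDOMMutationRenderingChange();
};

struct SafeObserverSet {
  std::set<SafeObserver*> observers;
  void Add(SafeObserver* o) { observers.insert(o); o->set = this; }
  void Remove(SafeObserver* o) { observers.erase(o); o->set = nullptr; }
  // Returns the number of observers actually notified.
  int InvalidateAll() {
    std::vector<SafeObserver*> snapshot(observers.begin(), observers.end());
    int notified = 0;
    for (SafeObserver* o : snapshot) {
      // Skip anything an earlier callback removed (and possibly destroyed).
      if (observers.count(o) == 0) continue;
      o->OnNonDOMMutationRenderingChange();
      ++notified;
    }
    return notified;
  }
};
// Destruction always unregisters, so the set can never hold a freed pointer.
SafeObserver::~SafeObserver() { if (set) set->Remove(this); }
void SafeObserver::OnNonDOMMutationRenderingChange() {
  ++changes;
  if (removeSelfOnChange && set) set->Remove(this);  // mutates the set mid-walk
}

struct DemoResult { int naiveDangling; int safeNotified; int safeRemaining; };

// Constructed scenario: in each set one observer is freed behind the set's
// back; in the safe set a second one also removes itself during the walk.
DemoResult RunDemo() {
  NaiveObserverSet nset;
  auto n1 = std::make_unique<NaiveObserver>();
  auto n2 = std::make_unique<NaiveObserver>();
  nset.observers.insert(n1.get());
  nset.observers.insert(n2.get());
  n1.reset();                           // freed; nset keeps the stale pointer
  int dangling = nset.InvalidateAll();  // sees 1 stale entry

  SafeObserverSet sset;
  auto s1 = std::make_unique<SafeObserver>();
  auto s2 = std::make_unique<SafeObserver>();
  auto s3 = std::make_unique<SafeObserver>();
  sset.Add(s1.get()); sset.Add(s2.get()); sset.Add(s3.get());
  s1.reset();                           // destructor detached it: no stale entry
  s2->removeSelfOnChange = true;        // its callback mutates the set mid-walk
  int notified = sset.InvalidateAll();  // s2 and s3 are notified
  return {dangling, notified, static_cast<int>(sset.observers.size())};
}
```

The snapshot check still cannot distinguish a removed entry from a new observer allocated at the same address and added during the same walk; a generation counter or weak reference closes that remaining gap.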
Can you answer comment 14?
Flags: needinfo?(jwatt)
Priority: P5 → P2
Whiteboard: [layout-secscrub-fix]
The rendering observer code needs some love. I was looking into fixing, cleaning up and documenting it back in March. I might as well take this and see if the crashes go away after working through the todos in my notes.
Assignee: nobody → jwatt
Status: REOPENED → ASSIGNED
Flags: needinfo?(jwatt)
Just a note that nsSVGRenderingObserverList was renamed to SVGRenderingObserverSet (as of Firefox 64).

@jwatt: Have you tried reproducing this since the rendering observer cleanup work? (Looks like we were never able to even with the testcase.) If not, can you mark this as stalled?

Flags: needinfo?(jwatt)
Priority: P2 → P1

I can't reproduce, but I've been looking at this on and off over the last week or so. There are multiple issues I've spotted with the SVGObserverUtils/SVGRenderingObserver code, especially as relates to VectorImage. There are various pieces of confused logic that should be cleaned up but it wouldn't surprise me if we're depending on the confused logic in some way. I'll file separate bugs and get some patches landed spaced out over time to make it easier to isolate the source of any regressions.

Crash Signature: mozilla::SVGRenderingObserverSet::InvalidateAll
Flags: needinfo?(jwatt)
Summary: AddressSanitizer: heap-use-after-free [@ OnNonDOMMutationRenderingChange] with WRITE of size 1 → AddressSanitizer: heap-use-after-free [@ OnNonDOMMutationRenderingChange] [@ mozilla::SVGRenderingObserverSet::InvalidateAll] with WRITE of size 1

I've only filed bug 1539477 so far.

Whiteboard: [layout-secscrub-fix] → [layout-secscrub-fix][bug 1539477 may help]
Whiteboard: [layout-secscrub-fix][bug 1539477 may help] → [bug 1539477 may help]
Keywords: stalled

This is relatively rare in the wild, but happens and still looks exploitable.
bp-a2558c20-8013-4089-ae10-719b00201211
bp-28cbca81-e6dd-44ed-a293-6355f0210103

Crash Signature: mozilla::SVGRenderingObserverSet::InvalidateAll → [@ mozilla::SVGRenderingObserverSet::InvalidateAll ] [@ mozilla::SVGRenderingObserverSet::InvalidateAllForReflow ]
Depends on: 1539477
Keywords: testcase-wanted
See Also: → CVE-2022-26381

Pretty sure bug 1756793 will fix this.

No longer depends on: 1756793

(In reply to Emilio Cobos Álvarez (:emilio) from comment #22)
> pretty sure bug 1756793 will fix this.

I'm marking that as a dupe of bug 1736243 and moving the patch over there --> updating dependency.

If we confirm that the patch fixes this, we can close this as a dupe of bug 1736243 as well. (I'm not using this bug here as the dupe-target since the testcase here requires a bit more setup to run and perhaps isn't reliably reproducible, per comment 13 and 14.)

Depends on: CVE-2022-26381
Flags: needinfo?(dholbert)

Jason, can you see if this is still reproducible with current Nightly?

There's a good chance emilio's patch in bug 1736243 (moved from bug 1756793) fixed this, as discussed above. Would be good to confirm that and close this out, if we can (though per comment 0 it sounds like this maybe wasn't consistently reproducible with the testcase here).

(The fix hit mozilla-central on 2/26 in https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=cf5e6b2865d5e7a370446b0deb00e8ef86489bac ; not sure if it made it into that day's Nightlies or not, but we can safely say that the previous date's Nightly 2022-02-25 should be "bad" and the following date's Nightly 2022-02-27 should be "good".)

Flags: needinfo?(jkratzer)

:dholbert, unfortunately I cannot confirm that it is fixed as I was unable to reproduce it under either a build from 2021-03-01 or tip.

Flags: needinfo?(jkratzer)

OK. Let's call this WORKSFORME for now, then, since we can't reproduce anymore (though it looks like we unfortunately never had much success reproducing in the first place, so that's not saying too much).

If it still exists, hopefully fuzzers can rediscover it with a reliable repro and/or a pernosco recording of an intermittent repro.

Status: ASSIGNED → RESOLVED
Closed: 7 years ago → 3 years ago
Resolution: --- → WORKSFORME

Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.

Keywords: stalled
Group: layout-core-security