AddressSanitizer: heap-use-after-free [@ OnNonDOMMutationRenderingChange] [@ mozilla::SVGRenderingObserverSet::InvalidateAll] with WRITE of size 1
Categories: Core :: SVG, defect, P1
People: Reporter: jkratzer, Assigned: jwatt
References: Blocks 1 open bug
Keywords: crash, csectype-bounds, sec-high
Whiteboard: [bug 1539477 may help]
Attachments: 1 file, 1 obsolete file (14.61 KB, application/zip)
Comment 18•6 years ago
@jwatt: Have you tried reproducing this since the rendering observer cleanup work? (Looks like we were never able to even with the testcase.) If not, can you mark this as stalled?
Comment 19•6 years ago
I can't reproduce, but I've been looking at this on and off over the last week or so. There are multiple issues I've spotted with the SVGObserverUtils/SVGRenderingObserver code, especially as relates to VectorImage. There are various pieces of confused logic that should be cleaned up but it wouldn't surprise me if we're depending on the confused logic in some way. I'll file separate bugs and get some patches landed spaced out over time to make it easier to isolate the source of any regressions.
Comment 20•6 years ago
I've only filed bug 1539477 so far.
Comment 21•4 years ago
This is relatively rare in the wild, but happens and still looks exploitable.
bp-a2558c20-8013-4089-ae10-719b00201211
bp-28cbca81-e6dd-44ed-a293-6355f0210103
Comment 22•3 years ago
Pretty sure bug 1756793 will fix this.
Comment 23•3 years ago
(In reply to Emilio Cobos Álvarez (:emilio) from comment #22)
> pretty sure bug 1756793 will fix this.
I'm marking that as a dupe of bug 1736243 and moving the patch over there --> updating dependency.
If we confirm that the patch fixes this, we can close this as a dupe of bug 1736243 as well. (I'm not using this bug here as the dupe-target since the testcase here requires a bit more setup to run and perhaps isn't reliably reproducible, per comment 13 and 14.)
Comment 24•3 years ago
Jason, can you see if this is still reproducible with current Nightly?
There's a good chance emilio's patch in bug 1736243 (moved from bug 1756793) fixed this, as discussed above. Would be good to confirm that and close this out, if we can (though per comment 0 it sounds like this maybe wasn't consistently reproducible with the testcase here).
(The fix hit mozilla-central on 2/26 in https://hg.mozilla.org/mozilla-central/pushloghtml?changeset=cf5e6b2865d5e7a370446b0deb00e8ef86489bac ; not sure if it made it into that day's Nightlies or not, but we can safely say that the previous date's Nightly 2022-02-25 should be "bad" and the following date's Nightly 2022-02-27 should be "good".)
Comment 25•3 years ago
:dholbert, unfortunately I cannot confirm that it is fixed as I was unable to reproduce it under either a build from 2021-03-01 or tip.
Comment 26•3 years ago
OK. Let's call this WORKSFORME for now, then, since we can't reproduce anymore (though it looks like we unfortunately never had much success reproducing in the first place, so that's not saying too much).
If it still exists, hopefully fuzzers can rediscover it with a reliable repro and/or a pernosco recording of an intermittent repro.
Comment 27•3 years ago
Since the bug is closed, the stalled keyword is now meaningless.
For more information, please visit auto_nag documentation.