Closed Bug 1422092 Opened 2 years ago Closed 2 years ago

heap-use-after-free in mozilla::dom::DOMIntersectionObserver::Update

Categories

(Core :: DOM: Core & HTML, defect)

58 Branch
defect
Not set

Tracking


VERIFIED FIXED
mozilla59
Tracking Status
firefox-esr52 --- unaffected
firefox57 --- unaffected
firefox58 + verified
firefox59 + verified

People

(Reporter: nils, Assigned: smaug)

References

Details

(4 keywords, Whiteboard: [post-critsmash-triage])

Attachments

(3 files)

The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=3f6b9aaed8cd57954e0c960cde06d25228196456). It requires the fuzzPriv extension.

crash.html:
<script>
function start() {
  // o167 is the IntersectionObserver root and, later, an observed target too.
  o167 = document.createElement('div');
  // fun0 doubles as the observer callback; its arguments are ignored.
  o211 = new IntersectionObserver(fun0, {root: o167, threshold: 0});
  setTimeout(fun0, 4);
}
function fun0() {
  o218 = document.createElement('div');
  o211.observe(o167);   // observe the root element itself
  o211.disconnect();    // drop all targets, including the root
  o211.observe(o218);   // then observe a fresh element
  o167 = null;          // drop the script's last reference to the root
  // Force GC and cycle collection (needs the fuzzPriv extension) so the
  // root element is freed while the observer still refers to it.
  fuzzPriv.GC(); fuzzPriv.CC(); fuzzPriv.GC(); fuzzPriv.CC();
  setTimeout("location.reload()", 4);
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==5612==ERROR: AddressSanitizer: heap-use-after-free on address 0x60d00005068c at pc 0x7fa6e6fb56b9 bp 0x7ffe1871bbd0 sp 0x7ffe1871bbc8
READ of size 4 at 0x60d00005068c thread T0 (file:// Content)
    #0 0x7fa6e6fb56b8 in GetBoolFlag /builds/worker/workspace/build/src/dom/base/nsINode.h:1626:12
    #1 0x7fa6e6fb56b8 in IsInUncomposedDoc /builds/worker/workspace/build/src/dom/base/nsINode.h:545
    #2 0x7fa6e6fb56b8 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/nsIContent.h:968
    #3 0x7fa6e6fb56b8 in GetPrimaryFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:1292
    #4 0x7fa6e6fb56b8 in mozilla::dom::DOMIntersectionObserver::Update(nsIDocument*, double) /builds/worker/workspace/build/src/dom/base/DOMIntersectionObserver.cpp:285
    #5 0x7fa6e745002a in nsDocument::UpdateIntersectionObservations() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:13325:17
    #6 0x7fa6ebcc3f90 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1943:10
    #7 0x7fa6ebcd17ff in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #8 0x7fa6ebcd17ff in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #9 0x7fa6ebcd13c6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #10 0x7fa6ebcd3c3e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #11 0x7fa6ebcd3c3e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #12 0x7fa6ebcd383e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #13 0x7fa6ec5c19ff in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #14 0x7fa6e56833d0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #15 0x7fa6e5534cc8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
    #16 0x7fa6e5147b1e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
    #17 0x7fa6e5144b97 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
    #18 0x7fa6e514629c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
    #19 0x7fa6e51468f8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
    #20 0x7fa6e42c345e in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1033:14
    #21 0x7fa6e42df1e0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
    #22 0x7fa6e514fc3a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #23 0x7fa6e50a6ed9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #24 0x7fa6e50a6ed9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #25 0x7fa6e50a6ed9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #26 0x7fa6eb54c96a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #27 0x7fa6efc6aedb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:865:22
    #28 0x7fa6e50a6ed9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #29 0x7fa6e50a6ed9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #30 0x7fa6e50a6ed9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #31 0x7fa6efc6a8cd in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #32 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #33 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #34 0x7fa70309082f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #35 0x41e078 in _start (/fuzzer3/firefox/firefox+0x41e078)

0x60d00005068c is located 28 bytes inside of 136-byte region [0x60d000050670,0x60d0000506f8)
freed by thread T0 (file:// Content) here:
    #0 0x4bead2 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7fa6e414c020 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2724:25
    #2 0x7fa6e4153caf in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2912:3
    #3 0x7fa6e4153caf in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3920
    #4 0x7fa6e4153274 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3741:9
    #5 0x7fa6e4156ef0 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4310:21
    #6 0x7fa6e751b08c in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1505:3
    #7 0x7fa6e703119b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1449:3
    #8 0x7fa6e42ef7b1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
    #9 0x7fa6e5c769bd in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
    #10 0x7fa6e5c769bd in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
    #11 0x7fa6e5c769bd in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
    #12 0x7fa6e5c7d9d4 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
    #13 0x7fa6eff387e1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #14 0x7fa6eff387e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #15 0x7fa6eff240ca in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #16 0x7fa6eff240ca in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #17 0x7fa6eff0a390 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #18 0x7fa6eff38c6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #19 0x7fa6eff39772 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #20 0x7fa6f0a31e21 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2977:12
    #21 0x7fa6e5b8d022 in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
    #22 0x7fa6eff387e1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #23 0x7fa6eff387e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #24 0x7fa6eff240ca in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #25 0x7fa6eff240ca in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #26 0x7fa6eff0a390 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #27 0x7fa6eff38c6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #28 0x7fa6eff39772 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #29 0x7fa6f0a3429c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3036:12
    #30 0x7fa6e8f259f3 in mozilla::dom::Function::Call(JSContext*, JS::Handle<JS::Value>, nsTArray<JS::Value> const&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FunctionBinding.cpp:36:8
    #31 0x7fa6e70bc38b in Call<nsCOMPtr<nsISupports> > /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/FunctionBinding.h:72:12
    #32 0x7fa6e70bc38b in nsGlobalWindowInner::RunTimeoutHandler(mozilla::dom::Timeout*, nsIScriptContext*) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:6375
    #33 0x7fa6e72fa917 in mozilla::dom::TimeoutManager::RunTimeout(mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/dom/base/TimeoutManager.cpp:876:42
    #34 0x7fa6e72ef164 in mozilla::dom::TimeoutExecutor::MaybeExecute() /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:171:11
    #35 0x7fa6e72ef9c6 in Notify /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp:239:5
    #36 0x7fa6e72ef9c6 in non-virtual thunk to mozilla::dom::TimeoutExecutor::Notify(nsITimer*) /builds/worker/workspace/build/src/dom/base/TimeoutExecutor.cpp
    #37 0x7fa6e42e428c in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:704:40
    #38 0x7fa6e42b38e9 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11

previously allocated by thread T0 (file:// Content) here:
    #0 0x4bee13 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x4efe2d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
    #2 0x7fa6e9b00af3 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
    #3 0x7fa6e9b00af3 in NS_NewHTMLDivElement(already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/HTMLDivElement.cpp:13
    #4 0x7fa6e9cdd02d in CreateHTMLElement(unsigned int, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:254:41
    #5 0x7fa6e7014ff3 in nsContentUtils::NewXULOrHTMLElement(mozilla::dom::Element**, mozilla::dom::NodeInfo*, mozilla::dom::FromParser, nsTSubstring<char16_t> const*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:10233:18
    #6 0x7fa6e9cdcf88 in NS_NewHTMLElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*, mozilla::dom::CustomElementDefinition*) /builds/worker/workspace/build/src/dom/html/nsHTMLContentSink.cpp:237:10
    #7 0x7fa6e75521fc in NS_NewElement(mozilla::dom::Element**, already_AddRefed<mozilla::dom::NodeInfo>&&, mozilla::dom::FromParser, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsNameSpaceManager.cpp:182:12
    #8 0x7fa6e7426941 in nsDocument::CreateElem(nsTSubstring<char16_t> const&, nsAtom*, int, nsTSubstring<char16_t> const*) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8929:17
    #9 0x7fa6e7409c67 in nsDocument::CreateElement(nsTSubstring<char16_t> const&, mozilla::dom::ElementCreationOptionsOrString const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:6097:26
    #10 0x7fa6e8e1f3ac in mozilla::dom::DocumentBinding::createElement(JSContext*, JS::Handle<JSObject*>, nsIDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:1224:59
    #11 0x7fa6e948fcf7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
    #12 0x7fa6eff387e1 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #13 0x7fa6eff387e1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #14 0x7fa6eff240ca in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #15 0x7fa6eff240ca in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3098
    #16 0x7fa6eff0a390 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #17 0x7fa6eff38c6e in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
    #18 0x7fa6eff39772 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
    #19 0x7fa6f0a3429c in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3036:12
    #20 0x7fa6e8dd6fde in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
    #21 0x7fa6e9939323 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
    #22 0x7fa6e9939323 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
    #23 0x7fa6e98ff2e1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
    #24 0x7fa6e99011f2 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
    #25 0x7fa6e98eb78f in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:462:16
    #26 0x7fa6e98ef0c5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:826:9
    #27 0x7fa6ebe4eb21 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1070:7
    #28 0x7fa6ef1bef52 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7878:21
    #29 0x7fa6ef1bae7a in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7671:7
    #30 0x7fa6ef1c2c7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #31 0x7fa6e61577c7 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1319:3
    #32 0x7fa6e61569d1 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:862:14
    #33 0x7fa6e6153664 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:751:9

SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/dom/base/nsINode.h:1626:12 in GetBoolFlag
Shadow bytes around the buggy address:
  0x0c1a80002080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c1a80002090: 00 00 fa fa fa fa fa fa fa fa fd fd fd fd fd fd
  0x0c1a800020a0: fd fd fd fd fd fd fd fd fd fd fd fa fa fa fa fa
  0x0c1a800020b0: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a800020c0: fd fd fd fd fd fa fa fa fa fa fa fa fa fa fd fd
=>0x0c1a800020d0: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fa
  0x0c1a800020e0: fa fa fa fa fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c1a800020f0: fd fd fd fd fd fd fd fd fd fa fa fa fa fa fa fa
  0x0c1a80002100: fa fa fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c1a80002110: fd fd fd fa fa fa fa fa fa fa fa fa fd fd fd fd
  0x0c1a80002120: fd fd fd fd fd fd fd fd fd fd fd fd fd fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==5612==ABORTING
Attached file ASAN output
Regression range:
INFO: Last good revision: c6c355f7633a4d291e38c382a48695c52f9a9ccd
INFO: First bad revision: f70abea8b810cc5a9604d0fb2db77eb46f485000
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=c6c355f7633a4d291e38c382a48695c52f9a9ccd&tochange=f70abea8b810cc5a9604d0fb2db77eb46f485000

Blake, can you please take a look since Tobias is gone and you reviewed the patches in question? Thanks!
Group: core-security → dom-core-security
Has Regression Range: --- → yes
Flags: needinfo?(mrbkap)
Version: 59 Branch → 58 Branch
Track 58+/59+ as regression.
Keywords: sec-high
Overholt, can you recommend someone to look at this? (Assuming this is DOM-land...)
Flags: needinfo?(overholt)
This was implemented by Tobias but I'm not sure he's active much these days. Jet, anyone on your team who knows this code?
Flags: needinfo?(overholt) → needinfo?(bugs)
It appears that the raw Element* mRoot here has gone stale:
https://searchfox.org/mozilla-central/source/dom/base/DOMIntersectionObserver.h#184

We don't seem to clean up properly when an Element* is both the IntersectionObserver root and target. 

dholbert: can you take a look? Thx!
Flags: needinfo?(bugs) → needinfo?(dholbert)
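A minimal lifetime model of the ownership question raised in the comment above, added here as an illustration; it is not Gecko code and does not reproduce the real Update() logic. It replays the testcase's call sequence against two hypothetical observer classes: one whose root is held non-owning (a std::weak_ptr stands in for the raw Element* so the staleness can be observed instead of reading freed memory) and one whose root is held strongly. All class and function names are made up for this example.

```cpp
// Added illustration (not Gecko code): a refcounted "element" and two
// hypothetical observers that differ only in how they hold their root.
#include <memory>
#include <string>
#include <vector>
#include <cstdio>

struct Element {
    std::string tag;
    explicit Element(std::string t) : tag(std::move(t)) {}
};

// Variant 1: root held as a non-owning reference.  A weak_ptr models the
// raw Element* mRoot; expired() is what a raw pointer cannot tell you.
class WeakRootObserver {
    std::weak_ptr<Element> mRoot;
    std::vector<std::shared_ptr<Element>> mTargets;
public:
    explicit WeakRootObserver(const std::shared_ptr<Element>& root) : mRoot(root) {}
    void observe(const std::shared_ptr<Element>& e) { mTargets.push_back(e); }
    void disconnect() { mTargets.clear(); }
    // Update() would dereference mRoot here; report whether that would
    // touch an object nothing owns any more.
    bool rootStale() const { return mRoot.expired(); }
};

// Variant 2: root held strongly (a RefPtr-style owning reference).
class StrongRootObserver {
    std::shared_ptr<Element> mRoot;
    std::vector<std::shared_ptr<Element>> mTargets;
public:
    explicit StrongRootObserver(const std::shared_ptr<Element>& root) : mRoot(root) {}
    void observe(const std::shared_ptr<Element>& e) { mTargets.push_back(e); }
    void disconnect() { mTargets.clear(); }
    bool rootStale() const { return !mRoot; }
};

// Replays the testcase: the root is observed as a target, the observer is
// disconnected, the script drops its last reference, and whatever nothing
// owns is freed (here by shared_ptr, in the browser by GC/CC).
template <class Observer>
bool rootStaleAfterTestcase() {
    auto o167 = std::make_shared<Element>("div");
    Observer o211(o167);
    auto o218 = std::make_shared<Element>("div");
    o211.observe(o167);   // root is also a target: a temporary strong ref...
    o211.disconnect();    // ...which is dropped again here
    o211.observe(o218);
    o167.reset();         // script's last reference goes away (o167 = null)
    return o211.rootStale();  // the next Update() would dereference mRoot
}

bool weakRootGoesStale()    { return rootStaleAfterTestcase<WeakRootObserver>(); }
bool strongRootStaysAlive() { return !rootStaleAfterTestcase<StrongRootObserver>(); }

int main() {
    std::printf("weak root stale after testcase:   %s\n", weakRootGoesStale() ? "yes" : "no");
    std::printf("strong root alive after testcase: %s\n", strongRootStaysAlive() ? "yes" : "no");
    return 0;
}
```

The point the model makes is the one in the comment above: once the script drops its reference and disconnect() has removed the observer's own strong reference, a non-owning mRoot has nobody keeping its referent alive, so whichever code path dereferences it next reads freed memory. Holding the root strongly changes that outcome without any change to the call sequence.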
I ended up looking into this enough that I could just fix it.
Assignee: nobody → bugs
Flags: needinfo?(mrbkap)
Flags: needinfo?(dholbert)
FWIW, the spec is totally bogus here, and that led to bug 1399603.
See also https://bugzilla.mozilla.org/show_bug.cgi?id=1399603#c6
This is just backing out bug 1399603.

The spec bug has been opened, in case we want to change the behavior somehow.
Attachment #8935530 - Flags: review?(mrbkap)
The patch seems to apply cleanly to beta too.
Comment on attachment 8935530 [details] [diff] [review]
intersection_root_backout.diff

Review of attachment 8935530 [details] [diff] [review]:
-----------------------------------------------------------------

The reason for the crash is that the existing code gets confused if mRoot is also explicitly being observed, right? r=me since we shouldn't be exposing the weak reference to the web (sorry for reviewing that) anyway.
Attachment #8935530 - Flags: review?(mrbkap) → review+
(In reply to Blake Kaplan (:mrbkap) from comment #11)
> Comment on attachment 8935530 [details] [diff] [review]
> intersection_root_backout.diff
> 
> Review of attachment 8935530 [details] [diff] [review]:
> -----------------------------------------------------------------
> 
> The reason for the crash is that the existing code gets confused if mRoot is
> also explicitly being observed, right?
Right.
Comment on attachment 8935530 [details] [diff] [review]
intersection_root_backout.diff

Approval Request Comment
[Feature/Bug causing the regression]:
bug 1399603
[User impact if declined]:
crashes
[Is this code covered by automated tests?]:
NA. This is backing out bug 1399603.
[Has the fix been verified in Nightly?]:
not yet
[Needs manual test from QE? If yes, steps to reproduce]: 
Shouldn't need
[List of other uplifts needed for the feature/fix]:
NA
[Is the change risky?]:
[Why is the change risky/not risky?]:
This is just a backout. We should get the same behavior as we have in FF57.

[String changes made/needed]:NA
Attachment #8935530 - Flags: sec-approval?
Attachment #8935530 - Flags: approval-mozilla-beta?
Attachment #8935530 - Flags: sec-approval? → sec-approval+
Comment on attachment 8935530 [details] [diff] [review]
intersection_root_backout.diff

uaf regression fix, beta58+
Attachment #8935530 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
https://hg.mozilla.org/mozilla-central/rev/059d790500a8

Would be nice if we could land this test as a crashtest at some point.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
(In reply to Ryan VanderMeulen [:RyanVM] from comment #16)
> Would be nice if we could land this test as a crashtest at some point.

(I'm assuming you meant to set in-testsuite to '?' rather than '+' --> making that change.)
Flags: in-testsuite+ → in-testsuite?
Group: dom-core-security → core-security-release
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Flags: sec-bounty?
I reproduced this issue using the ASAN build from 2017-11-30 (Fx 59.0a1, build ID: 20171130220131, fuzzPriv extension added) using Windows 10 x64.
I can confirm this issue is fixed, I verified using the latest ASAN build (Fx 59.0a1, build ID: 20180118100050) and ASAN 58.0, using Windows 10 x64, mac OS X 10.13.3 and Ubuntu 14.04 LTS x64.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release
Flags: sec-bounty? → sec-bounty+