Closed Bug 1427742 Opened 5 years ago Closed 5 years ago

AddressSanitizer: use-after-poison [@ HasOverrideDirtyRegion] with READ of size 2

Categories: Core :: Web Painting, defect
59 Branch, critical

Tracking: RESOLVED DUPLICATE of bug 1427748
Tracking Status: firefox59 --- affected

People: Reporter: jkratzer, Unassigned

References: Blocks 1 open bug

Found while fuzzing mozilla-inbound rev 26d0fd4b639a.  Currently minimizing the testcase.  Will update once complete.

==9727==ERROR: AddressSanitizer: use-after-poison on address 0x6250005d2b26 at pc 0x7fadd2127688 bp 0x7ffc8e4d16d0 sp 0x7ffc8e4d16c8
READ of size 2 at 0x6250005d2b26 thread T0 (file:// Content)
    #0 0x7fadd2127687 in HasOverrideDirtyRegion /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4131:42
    #1 0x7fadd2127687 in ClearFrameProps /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:771
    #2 0x7fadd2127687 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:875
    #3 0x7fadd18deda6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3811:35
    #4 0x7fadd17c2bbd in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6495:5
    #5 0x7fadd0f0251c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #6 0x7fadd0f0101c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #7 0x7fadd0f04f36 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #8 0x7fadd170e6f9 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2046:11
    #9 0x7fadd171b19f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:13
    #10 0x7fadd171b19f in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:306
    #11 0x7fadd171ad66 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #12 0x7fadd171d5de in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:769:5
    #13 0x7fadd171d5de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:682
    #14 0x7fadd171d1de in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:583:9
    #15 0x7fadd200a7af in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #16 0x7fadcaff6f69 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:155:20
    #17 0x7fadcae9b463 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1812:28
    #18 0x7fadcaa602ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2110:25
    #19 0x7fadcaa5d367 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2040:17
    #20 0x7fadcaa5ea6c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1886:5
    #21 0x7fadcaa5f0c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1919:15
    #22 0x7fadc9bbb75d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #23 0x7fadc9bd7210 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
    #24 0x7fadcaa6840a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #25 0x7fadca9bbda9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #26 0x7fadca9bbda9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #27 0x7fadca9bbda9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #28 0x7fadd0f8c0ea in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #29 0x7fadd56b6e3b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:875:22
    #30 0x7fadca9bbda9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7fadca9bbda9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7fadca9bbda9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7fadd56b682d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:701:34
    #34 0x4f2dfc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #35 0x4f2dfc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #36 0x7fade886382f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #37 0x42243c in _start (/home/ubuntu/builds/inbound-asan26d0fd4b639a/firefox+0x42243c)

0x6250005d2b26 is located 2598 bytes inside of 8192-byte region [0x6250005d2100,0x6250005d4100)
allocated by thread T0 (file:// Content) here:
    #0 0x4c31d3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fadc9b6bee0 in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fadc9b6bee0 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7fadc9b6bee0 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fadc9b6bee0 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fadd19bb10f in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7fadd19bb10f in AllocateFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:206
    #7 0x7fadd19bb10f in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fadd19bb10f in NS_NewViewportFrame(nsIPresShell*, nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fadd183c37b in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2819:5
    #10 0x7fadd178b98d in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1777:36
    #11 0x7fadccd8381f in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1277:26
    #12 0x7fadd0ab92af in nsXMLContentSink::HandleStartElement(char16_t const*, char16_t const**, unsigned int, unsigned int, bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:1046:7
    #13 0x7fadcbc0ba15 in nsExpatDriver::HandleStartElement(char16_t const*, char16_t const**) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:324:7
    #14 0x7fadd33670ab in doContent /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2442:11
    #15 0x7fadd335bb8a in contentProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2098:27
    #16 0x7fadd335bb8a in doProlog /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:4078
    #17 0x7fadd3351e43 in prologProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3812:10
    #18 0x7fadd3351e43 in prologInitProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3629
    #19 0x7fadd3350246 in MOZ_XML_Parse /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:1530:17
    #20 0x7fadcbc11a2d in nsExpatDriver::ParseBuffer(char16_t const*, unsigned int, bool, unsigned int*) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:887:16
    #21 0x7fadcbc12d3f in nsExpatDriver::ConsumeToken(nsScanner&, bool&) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:985:5
    #22 0x7fadcbc1ed1c in nsParser::Tokenize(bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1539:30
    #23 0x7fadcbc1a889 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1056:41
    #24 0x7fadcbc1fe47 in nsParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1437:12
    #25 0x7fadca6129fd in DoOnDataAvailable /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:971:28
    #26 0x7fadca6129fd in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:897
    #27 0x7fadca80e5ab in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #28 0x7fadca818c30 in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:324:5
    #29 0x7fadca818c30 in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #30 0x7fadca818c30 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:160
    #31 0x7fadc9b94f20 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #32 0x7fadc9bbb75d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1040:14
    #33 0x7fadc9bd7210 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
    #34 0x7fadd070bb1c in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1086:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #35 0x7fadd070bb1c in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1086
    #36 0x7fadd0797dec in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsIDocShellLoadInfo*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1061:16
    #37 0x7fadd560659b in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:852:24
    #38 0x7fadd560bf8c in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
    #39 0x7fadd560bf8c in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #40 0x7fadccb2bf24 in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:7193:21
    #41 0x7fadccb2ad4d in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5599:10
    #42 0x7fadccb2ad4d in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5574
    #43 0x7fadccacb032 in nsGlobalWindowInner::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowInner.cpp:3898:3

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4131:42 in HasOverrideDirtyRegion
Shadow bytes around the buggy address:
  0x0c4a800b2510: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800b2520: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800b2530: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800b2540: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800b2550: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a800b2560: f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800b2570: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800b2580: f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800b2590: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800b25a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a800b25b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==9727==ABORTING
During minimization this issue routinely manifested as bug 1427748.  Can someone confirm this before I mark as a duplicate?
Group: core-security → layout-core-security
Matt: is this likely something you already fixed (e.g. comment 1)?
Flags: needinfo?(matt.woodrow)
Can someone please CC me on bug 1427748 so that I can take a look :)
Flags: needinfo?(matt.woodrow)
(In reply to Matt Woodrow (:mattwoodrow) from comment #3)
> Can someone please CC me on bug 1427748 so that I can take a look :)

We should probably get you access to layout security bugs if you are the triage owner for Layout: Web Painting.
(Also, I CCed you.)
That's probably a good idea, I'll look into it.

I strongly suspect this is the same bug, and is fixed. The callstacks shown here don't involve MathML, but allocations are combined as the arena chunks, so the chunk allocated by NS_NewViewportFrame can easily have been (partially) poisoned by a mathml frame in the same chunk.
Does this crash still occur in Nightly?
Please upload a minimized testcase if you have one.
Flags: needinfo?(jkratzer)
(In reply to Matt Woodrow (:mattwoodrow) from comment #6)
> The callstacks shown
> here don't involve MathML, but allocations are combined as the arena chunks,
> so the chunk allocated by NS_NewViewportFrame can easily have been
> (partially) poisoned by a mathml frame in the same chunk.

No, that's not how the shell arena works for frames.  Memory that is
allocated for a nsViewportFrame and later destroyed is put on a list
to be recycled for the next *nsViewportFrame* allocation.  So memory
used for one type of frame is *never* used for any other type (until
the shell dies and the whole arena is deallocated).  (I think that's
how it works also for non-frame types these days, but I'm not sure
if some types still share an "allocation ID".)
(In reply to Mats Palmgren (:mats) from comment #7)
> Does this crash still occur in Nightly?
> Please upload a minimized testcase if you have one.

I just tested this on the latest nightly (20180123002217) and was unable to reproduce the original issue.
Flags: needinfo?(jkratzer)
(In reply to Mats Palmgren (:mats) from comment #8)
> (In reply to Matt Woodrow (:mattwoodrow) from comment #6)
> > The callstacks shown
> > here don't involve MathML, but allocations are combined as the arena chunks,
> > so the chunk allocated by NS_NewViewportFrame can easily have been
> > (partially) poisoned by a mathml frame in the same chunk.
> 
> No, that's not how the shell arena works for frames.  Memory that is
> allocated for a nsViewportFrame and later destroyed is put on a list
> to be recycled for the next *nsViewportFrame* allocation.  So memory
> used for one type of frame is *never* used for any other type (until
> the shell dies and the whole arena is deallocated).  (I think that's
> how it works also for non-frame types these days, but I'm not sure
> if some types still share an "allocation ID".)

Right, but the actual allocation (as seen by ASAN) is an 8192 block allocated by ArenaAllocator, which nsPresArena then subdivides as needed for frames.

If we UAF on an address block+X (where X!=0), then ASAN will report the allocation callstack for the block itself, which will show the type we used for block+0, which might be different to the type at block+X.
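Added example (not Firefox code and not from anyone in this thread) to illustrate the two points made above, that the pres shell arena hands a freed slot back only to the same frame type, and that the "allocated by" stack ASan prints belongs to the whole arena chunk rather than the object at block+X: a toy C arena that carves fixed-size slots out of one 8192-byte malloc'd chunk, keeps a free list per frame id, and poisons freed slots through the ASan interface when built with -fsanitize=address. The frame ids, slot sizes and function names are hypothetical.

```c
/* Added example, not Firefox code: a toy per-type arena in the spirit of
 * nsPresArena, carving slots from one 8192-byte malloc'd chunk.  Frame ids,
 * slot sizes and function names are hypothetical. */
#include <stdlib.h>
#include <string.h>
#if defined(__SANITIZE_ADDRESS__)      /* GCC spelling of "ASan is on" */
#  define TOY_ASAN 1
#elif defined(__has_feature)           /* Clang spelling */
#  if __has_feature(address_sanitizer)
#    define TOY_ASAN 1
#  endif
#endif
#ifdef TOY_ASAN
#  include <sanitizer/asan_interface.h>
#  define TOY_POISON(p, n)   __asan_poison_memory_region((p), (n))
#  define TOY_UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#  define TOY_POISON(p, n)   ((void)0)
#  define TOY_UNPOISON(p, n) ((void)0)
#endif
#define CHUNK_SIZE 8192u   /* the one block malloc (and ASan) sees */
#define ALIGN 8u
enum frame_id { FRAME_VIEWPORT = 0, FRAME_MATHML = 1, FRAME_ID_COUNT };
static const size_t kFrameSize[FRAME_ID_COUNT] = { 64, 96 }; /* constructed sizes */
struct free_slot { struct free_slot *next; };
struct arena {
    unsigned char *chunk;
    size_t used;                                  /* bump pointer into chunk */
    struct free_slot *free_list[FRAME_ID_COUNT];  /* recycled slots, per frame id */
};
static size_t slot_size(enum frame_id id) {
    return (kFrameSize[id] + ALIGN - 1) & ~(size_t)(ALIGN - 1);
}
int arena_init(struct arena *a) {
    memset(a, 0, sizeof *a);
    a->chunk = malloc(CHUNK_SIZE);
    return a->chunk != NULL;
}
void arena_destroy(struct arena *a) {
    TOY_UNPOISON(a->chunk, CHUNK_SIZE);  /* hand the chunk back clean */
    free(a->chunk);
}

void *arena_alloc(struct arena *a, enum frame_id id) {
    size_t size = slot_size(id);
    struct free_slot *s = a->free_list[id];
    if (s) {                       /* reuse a slot freed by the SAME frame id only */
        TOY_UNPOISON(s, size);
        a->free_list[id] = s->next;
        memset(s, 0, size);
        return s;
    }
    if (a->used + size > CHUNK_SIZE) return NULL;  /* toy: one chunk only */
    void *p = a->chunk + a->used;
    a->used += size;
    return p;
}

void arena_free(struct arena *a, enum frame_id id, void *p) {
    struct free_slot *s = p;
    s->next = a->free_list[id];
    a->free_list[id] = s;
    /* Under ASan any later read here is a use-after-poison, and the
     * "allocated by" stack it prints is the chunk's malloc, not this slot's. */
    TOY_POISON(s, slot_size(id));
}

/* Offset of p inside the chunk: the "N bytes inside of 8192-byte region" figure. */
size_t arena_offset(const struct arena *a, const void *p) {
    return (size_t)((const unsigned char *)p - a->chunk);
}

/* 1 when a freed viewport slot is reused only by a viewport allocation. */
int demo_recycling_is_per_type(void) {
    struct arena a;
    if (!arena_init(&a)) return -1;
    void *v1 = arena_alloc(&a, FRAME_VIEWPORT);
    arena_free(&a, FRAME_VIEWPORT, v1);
    void *m1 = arena_alloc(&a, FRAME_MATHML);    /* must not get v1's slot */
    void *v2 = arena_alloc(&a, FRAME_VIEWPORT);  /* does get v1's slot */
    int ok = (m1 != v1) && (v2 == v1);
    arena_destroy(&a);
    return ok;
}

/* Offset of the second object carved from a fresh chunk (64 = viewport slot). */
size_t demo_offset_of_second_object(void) {
    struct arena a;
    if (!arena_init(&a)) return (size_t)-1;
    arena_alloc(&a, FRAME_VIEWPORT);
    void *m = arena_alloc(&a, FRAME_MATHML);
    size_t off = arena_offset(&a, m);
    arena_destroy(&a);
    return off;
}
```

Built with -fsanitize=address, a read of a slot after arena_free() is reported as use-after-poison (shadow byte f7, "Poisoned by user", as in the report above), and the allocation site shown is the chunk's malloc; arena_offset() is the "N bytes inside of 8192-byte region" figure, which is the only hint in the report about which sub-object was actually hit.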
Right, the "allocated by" reported by ASAN is rather useless for arenas.
Your comment 6 seemed to imply that there is some kind of C++ type confusion
involved in the crash, which there isn't.

Anyway, if this was fixed by bug 1427748, shouldn't we resolve this bug?
Flags: needinfo?(matt.woodrow)
Status: NEW → RESOLVED
Closed: 5 years ago
Flags: needinfo?(matt.woodrow)
Resolution: --- → DUPLICATE
Duplicate of bug: 1427748
Component: Layout: View Rendering → Layout: Web Painting
Group: layout-core-security