Bug 1427748 (Closed): AddressSanitizer: use-after-poison [@ SetFrameIsModified] with READ of size 2
Opened 5 years ago, closed 5 years ago
Categories: Core :: Web Painting, defect
Status: RESOLVED FIXED
Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected |
firefox57 | --- | unaffected |
firefox58 | --- | fixed |
firefox59 | --- | fixed |
People: Reporter jkratzer, Assigned MatsPalmgren_bugz
References: Blocks 2 open bugs
Details: 4 keywords, Whiteboard: [fixed by bug 1427221][post-critsmash-triage]
Attachments: 2 files
Description (Reporter):

Found while fuzzing mozilla-inbound rev ba12a841ef93. Currently minimizing the testcase. Will update once complete.

```text
==12912==ERROR: AddressSanitizer: use-after-poison on address 0x625001f6b326 at pc 0x7fce75ad1e70 bp 0x7ffd786eb7c0 sp 0x7ffd786eb7b8
READ of size 2 at 0x625001f6b326 thread T0 (file:// Content)
    #0 0x7fce75ad1e6f in SetFrameIsModified /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4129:69
    #1 0x7fce75ad1e6f in nsIFrame::MarkNeedsDisplayItemRebuild() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1036
    #2 0x7fce75afc8e0 in InvalidateFrameInternal(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6963:11
    #3 0x7fce75a80172 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7007:3
    #4 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #5 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #6 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #7 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #8 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #9 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #10 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #11 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #12 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #13 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #14 0x7fce75a80352 in nsIFrame::InvalidateFrameSubtree(unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7022:26
    #15 0x7fce758b1475 in InvalidateCanvasIfNeeded /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8733:14
    #16 0x7fce758b1475 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8508
    #17 0x7fce7589dc39 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9832:7
    #18 0x7fce757bab0d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1514:25
    #19 0x7fce758378d3 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1161:9
    #20 0x7fce757f20ae in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1237:3
    #21 0x7fce757f20ae in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #22 0x7fce757f20ae in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4225
    #23 0x7fce70e972a5 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:575:5
    #24 0x7fce70e972a5 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8230
    #25 0x7fce70c43900 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2374:10
    #26 0x7fce70c43900 in mozilla::dom::Element::GetBoundingClientRect() /builds/worker/workspace/build/src/dom/base/Element.cpp:1084
    #27 0x7fce72851ee2 in mozilla::dom::ElementBinding::getBoundingClientRect(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2712:59
    #28 0x7fce72e2ef37 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3042:13
    #29 0x7fce799ecbb4 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
    #30 0x7fce799ecbb4 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:473
    #31 0x7fce799d7be6 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:528:12
    #32 0x7fce799d7be6 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3096
    #33 0x7fce799be580 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:12
    #34 0x7fce799efb51 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:706:15
    #35 0x7fce79a440da in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:323:12
    #36 0x7fce79a435f3 in js::IndirectEval(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:416:12
    #37 0x7fce26e3f355 (<unknown module>)

0x625001f6b326 is located 2598 bytes inside of 8192-byte region [0x625001f6a900,0x625001f6c900)
allocated by thread T0 (file:// Content) here:
    #0 0x4c31d3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7fce6dbb5f10 in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fce6dbb5f10 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7fce6dbb5f10 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fce6dbb5f10 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fce75a051ff in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7fce75a051ff in AllocateFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:206
    #7 0x7fce75a051ff in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fce75a051ff in NS_NewViewportFrame(nsIPresShell*, nsStyleContext*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fce7588646b in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2819:5
    #10 0x7fce757d5a7d in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1777:36
    #11 0x7fce70dcd50f in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1277:26
    #12 0x7fce74b034af in nsXMLContentSink::HandleStartElement(char16_t const*, char16_t const**, unsigned int, unsigned int, bool) /builds/worker/workspace/build/src/dom/xml/nsXMLContentSink.cpp:1046:7
    #13 0x7fce6fc55705 in nsExpatDriver::HandleStartElement(char16_t const*, char16_t const**) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:324:7
    #14 0x7fce773b119b in doContent /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2442:11
    #15 0x7fce773a5c7a in contentProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:2098:27
    #16 0x7fce773a5c7a in doProlog /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:4078
    #17 0x7fce7739bf33 in prologProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3812:10
    #18 0x7fce7739bf33 in prologInitProcessor /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:3629
    #19 0x7fce7739a336 in MOZ_XML_Parse /builds/worker/workspace/build/src/parser/expat/lib/xmlparse.c:1530:17
    #20 0x7fce6fc5b71d in nsExpatDriver::ParseBuffer(char16_t const*, unsigned int, bool, unsigned int*) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:887:16
    #21 0x7fce6fc5ca2f in nsExpatDriver::ConsumeToken(nsScanner&, bool&) /builds/worker/workspace/build/src/parser/htmlparser/nsExpatDriver.cpp:985:5
    #22 0x7fce6fc68a0c in nsParser::Tokenize(bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1539:30
    #23 0x7fce6fc64579 in nsParser::ResumeParse(bool, bool, bool) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1056:41
    #24 0x7fce6fc69b37 in nsParser::OnDataAvailable(nsIRequest*, nsISupports*, nsIInputStream*, unsigned long, unsigned int) /builds/worker/workspace/build/src/parser/htmlparser/nsParser.cpp:1437:12
    #25 0x7fce6e65c6ed in DoOnDataAvailable /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:971:28
    #26 0x7fce6e65c6ed in mozilla::net::HttpChannelChild::OnTransportAndData(nsresult const&, nsresult const&, unsigned long const&, unsigned int const&, nsTString<char> const&) /builds/worker/workspace/build/src/netwerk/protocol/http/HttpChannelChild.cpp:897
    #27 0x7fce6e85829b in mozilla::net::ChannelEventQueue::FlushQueue() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:93:12
    #28 0x7fce6e862920 in MaybeFlushQueue /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:324:5
    #29 0x7fce6e862920 in CompleteResume /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:306
    #30 0x7fce6e862920 in mozilla::net::ChannelEventQueue::ResumeInternal()::CompleteResumeRunnable::Run() /builds/worker/workspace/build/src/netwerk/ipc/ChannelEventQueue.cpp:160
    #31 0x7fce6dbdef50 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #32 0x7fce6dc057c6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #33 0x7fce6dc212b0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
    #34 0x7fce6dc04222 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #35 0x7fce6dc04222 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796
    #36 0x7fce7386cc9a in mozilla::MediaStreamGraphShutdownThreadRunnable::Run() /builds/worker/workspace/build/src/dom/media/GraphDriver.cpp:139:14
    #37 0x7fce6dbe1b8b in mozilla::EventTargetWrapper::Runner::Run() /builds/worker/workspace/build/src/xpcom/threads/AbstractThread.cpp:150:32
    #38 0x7fce6dbdef50 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:395:25
    #39 0x7fce6dc057c6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #40 0x7fce6dc212b0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:510:10
    #41 0x7fce6dc04222 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796:22)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #42 0x7fce6dc04222 in nsThread::Shutdown() /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:796

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4129:69 in SetFrameIsModified
Shadow bytes around the buggy address:
  0x0c4a803e5610: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803e5620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803e5630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803e5640: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803e5650: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a803e5660: f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803e5670: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803e5680: f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a803e5690: 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803e56a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a803e56b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12912==ABORTING
```
Updated by Reporter, 5 years ago:
Keywords: testcase-wanted → testcase
Comment 3, 5 years ago:
Mats, is this just frame poisoning? (Then we could unhide it.)
Group: core-security → layout-core-security
Flags: needinfo?(mats)
Comment 4 (Assignee), 5 years ago:
Looks like we have a destroyed nsMathMLmfencedFrame in |modifiedFrames| in nsIFrame::MarkNeedsDisplayItemRebuild:

```cpp
1034   for (nsIFrame* f : *modifiedFrames) {
1035     if (f) {
1036       f->SetFrameIsModified(false);
1037     }
1038   }
```
Component: Layout → Layout: Web Painting
Flags: needinfo?(mats)
Keywords: csectype-framepoisoning, sec-other
OS: Unspecified → All
Hardware: Unspecified → All
Comment 5 (Assignee), 5 years ago:
This should be fixed by bug 1427221.
Assignee: nobody → mats
Flags: in-testsuite?
Whiteboard: [fixed by bug 1427221]
Updated by Assignee, 5 years ago:
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Updated, 5 years ago:
status-firefox57: --- → unaffected
status-firefox58: --- → affected
status-firefox-esr52: --- → unaffected
Comment 6, 5 years ago:
bug 1428221 landed in 58 today
Updated, 5 years ago:
Flags: qe-verify-
Whiteboard: [fixed by bug 1427221] → [fixed by bug 1427221][post-critsmash-triage]
Updated, 5 years ago:
Group: layout-core-security → core-security-release
Updated, 5 years ago:
Group: core-security-release
Updated, 3 years ago:
Blocks: asan-maintenance