Closed
Bug 1451721
Opened 7 years ago
Closed 7 years ago
use-after-poison WRITE of size 1 nsDisplayList.h:2821:17
Categories
(Core :: Web Painting, defect)
RESOLVED
FIXED
mozilla61
| Version | Tracking | Status |
|---|---|---|
| firefox-esr52 | --- | unaffected |
| firefox59 | --- | unaffected |
| firefox60 | --- | disabled |
| firefox61 | --- | fixed |
People
(Reporter: rs, Assigned: mattwoodrow)
Details
Attachments (1 file): 84.58 KB, application/x-gzip
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
Steps to reproduce:
tested on Firefox 61.0a1, testcase attached (not minimized)
Actual results:
==2497==ERROR: AddressSanitizer: use-after-poison on address 0x6250003942c2 at pc 0x7f4f564d2335 bp 0x7ffead36ff70 sp 0x7ffead36ff68
WRITE of size 1 at 0x6250003942c2 thread T0 (file:// Content)
#0 0x7f4f564d2334 in SetReused /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2821:17
#1 0x7f4f564d2334 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, nsDisplayList*, nsDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:507
#2 0x7f4f564d0b97 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, nsDisplayList*, nsDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:530:17
#3 0x7f4f564d7d62 in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1187:7
#4 0x7f4f55ca66b3 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3863:40
#5 0x7f4f55b929b4 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6336:5
#6 0x7f4f55529546 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
#7 0x7f4f5552835c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
#8 0x7f4f5552bc26 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
#9 0x7f4f55b0be9f in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2055:11
#10 0x7f4f55b19540 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:338:13
#11 0x7f4f55b19540 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:308
#12 0x7f4f55b19106 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:330:5
#13 0x7f4f55b1be7e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:771:5
#14 0x7f4f55b1be7e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:684
#15 0x7f4f55b1ba7e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:585:9
#16 0x7f4f563c93af in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
#17 0x7f4f4f012da0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
#18 0x7f4f4eefdc44 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
#19 0x7f4f4ea9c05e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
#20 0x7f4f4ea98fe1 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
#21 0x7f4f4ea9a7dc in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
#22 0x7f4f4ea9ae38 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
#23 0x7f4f4dbbbac8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
#24 0x7f4f4dbd7e30 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
#25 0x7f4f4eaa3bb6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
#26 0x7f4f4e9f6f49 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#27 0x7f4f4e9f6f49 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#28 0x7f4f4e9f6f49 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#29 0x7f4f555b462a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
#30 0x7f4f5983a51b in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
#31 0x7f4f4e9f6f49 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#32 0x7f4f4e9f6f49 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#33 0x7f4f4e9f6f49 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#34 0x7f4f59839efa in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
#35 0x4f1875 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#36 0x4f1875 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
#37 0x7f4f6e5c41c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
#38 0x420f48 in _start (/home/fuzzer/dev/firefox/firefox+0x420f48)
0x6250003942c2 is located 4546 bytes inside of 8192-byte region [0x625000393100,0x625000395100)
allocated by thread T0 (file:// Content) here:
#0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f4f4db67ed3 in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:195:15
#2 0x7f4f4db67ed3 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:230
#3 0x7f4f4db67ed3 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
#4 0x7f4f4db67ed3 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
#5 0x7f4f5654f7ab in AllocateByCustomID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:61:12
#6 0x7f4f5654f7ab in Allocate /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:1550
#7 0x7f4f5654f7ab in operator new /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:4604
#8 0x7f4f5654f7ab in MakeDisplayItem<nsDisplayCompositorHitTestInfo, nsIFrame *&, mozilla::gfx::CompositorHitTestInfo &> /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2041
#9 0x7f4f5654f7ab in nsDisplayListBuilder::BuildCompositorHitTestInfoIfNeeded(nsIFrame*, nsDisplayList*, bool) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2232
#10 0x7f4f55e5de4b in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3068:15
#11 0x7f4f55d7ef8a in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3769:12
#12 0x7f4f55f0541b in mozilla::ScrollFrameHelper::AppendScrollPartsTo(nsDisplayListBuilder*, nsDisplayListSet const&, bool, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3188:15
#13 0x7f4f55f096c3 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3469:3
#14 0x7f4f55e5df82 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3072:5
#15 0x7f4f55d7ef8a in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3769:12
#16 0x7f4f55ddfa25 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6647:13
#17 0x7f4f55ddd690 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6742:7
#18 0x7f4f55d801f5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3830:14
#19 0x7f4f55f0b74e in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3634:15
#20 0x7f4f55e5df82 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3072:5
#21 0x7f4f55d7ef8a in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3769:12
#22 0x7f4f55ddfa25 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6647:13
#23 0x7f4f55ddd690 in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6742:7
#24 0x7f4f55e5df82 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3072:5
#25 0x7f4f55d7ef8a in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3769:12
#26 0x7f4f55e036e5 in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:561:5
#27 0x7f4f55d801f5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3830:14
#28 0x7f4f55f0b74e in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3634:15
#29 0x7f4f55d801f5 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3830:14
#30 0x7f4f55d7b5ff in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:66:5
#31 0x7f4f55e5df82 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3072:5
#32 0x7f4f55ca6a6b in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3888:17
#33 0x7f4f55b929b4 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6336:5
#34 0x7f4f55529546 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
#35 0x7f4f5552835c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
#36 0x7f4f5552bc26 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/painting/nsDisplayList.h:2821:17 in SetReused
Shadow bytes around the buggy address:
0x0c4a8006a800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a810: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a820: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a830: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a840: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a8006a850: f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a860: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a890: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a8006a8a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==2497==ABORTING
Comment 1 • 7 years ago
Matt: what kind of poisoning is used on this arena? Is it as strong a guarantee as the "framepoisoning" used for nsIFrame objects (only exact-same-kind objects allocated out of special-purpose arenas, poison value is a pointer to an unmapped memory address)?
Assignee: nobody → matt.woodrow
Group: firefox-core-security → layout-core-security
Status: UNCONFIRMED → NEW
Component: Untriaged → Layout: Web Painting
Ever confirmed: true
Flags: needinfo?(matt.woodrow)
Product: Firefox → Core
Assignee
Comment 2 • 7 years ago
(In reply to Daniel Veditz [:dveditz] from comment #1)
> Matt: what kind of poisoning is used on this arena? Is it as strong a
> guarantee as the "framepoisoning" used for nsIFrame objects (only
> exact-same-kind objects allocated out of special-purpose arenas, poison
> value is a pointer to an unmapped memory address)?
Not quite. The arena recycles chunks based on size, and can use them for a different sub-class of nsDisplayItem. The poison value is the same though.
Fransisco, which build of 61 was this reproduced on (see about:buildconfig for the mercurial changeset)?
I can't reproduce on the current tip, and I'm pretty sure this is from code that has now been removed.
Flags: needinfo?(matt.woodrow)
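Added example (not Firefox code and not from this bug): a toy C arena that, like the display-item arena described above, recycles freed chunks by size class rather than by type and marks them with ASan's manual poisoning, which is what produces the f7 "Poisoned by user" shadow bytes in the report. CHUNK_SIZE matches the report's 8192-byte region; CLASS_BYTES, POISON_BYTE and the ItemA/ItemB types are assumptions.

```c
#include <stdint.h>
#include <string.h>
#ifdef __SANITIZE_ADDRESS__             /* set by gcc and clang under -fsanitize=address */
#include <sanitizer/asan_interface.h>   /* real ASan manual-poisoning API */
#else                                   /* no ASan: poisoning calls become no-ops */
#define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif
#define CHUNK_SIZE 8192u   /* matches the report's 8192-byte arena region */
#define CLASS_BYTES 64u    /* hypothetical size-class granularity */
#define NUM_CLASSES (CHUNK_SIZE / CLASS_BYTES + 1)
#define POISON_BYTE 0xe5   /* hypothetical fill pattern for freed chunks */
typedef struct FreeNode { struct FreeNode *next; } FreeNode;
typedef struct { unsigned char chunk[CHUNK_SIZE]; size_t used;
                 FreeNode *free_lists[NUM_CLASSES]; } Arena;  /* keyed by size, never by type */
static size_t size_class(size_t n) { return (n + CLASS_BYTES - 1) / CLASS_BYTES; }
void *arena_alloc(Arena *a, size_t n) {
  size_t cls = size_class(n), bytes = cls * CLASS_BYTES;
  if (cls == 0 || cls >= NUM_CLASSES) return NULL;
  FreeNode *node = a->free_lists[cls];
  if (node) {                              /* recycle: any type of this size may land here */
    ASAN_UNPOISON_MEMORY_REGION(node, bytes);
    a->free_lists[cls] = node->next;
    return memset(node, 0, bytes);
  }
  if (a->used + bytes > CHUNK_SIZE) return NULL;
  a->used += bytes;
  return a->chunk + a->used - bytes;
}
void arena_free(Arena *a, void *p, size_t n) {
  size_t cls = size_class(n), bytes = cls * CLASS_BYTES;
  memset(p, POISON_BYTE, bytes);         /* fill pattern survives even without ASan */
  ((FreeNode *)p)->next = a->free_lists[cls];
  a->free_lists[cls] = (FreeNode *)p;
  ASAN_POISON_MEMORY_REGION(p, bytes);   /* shadow bytes become f7, "Poisoned by user" */
}
typedef struct { uintptr_t vtable; uint8_t reused; } ItemA;  /* two unrelated item types */
typedef struct { uintptr_t vtable; uint8_t flags; } ItemB;   /* in the same size class */
/* Free an ItemA, allocate an ItemB, write through the stale ItemA pointer. Returns -1 if the
 * chunk was not recycled, else ItemB's flags: 1 means the stale write corrupted another type
 * with no ASan report, since reuse unpoisoned the chunk; on a free-list chunk it would abort. */
int stale_write_after_recycle(void) {
  static Arena a;
  ItemA *old = arena_alloc(&a, sizeof *old);
  arena_free(&a, old, sizeof *old);
  ItemB *fresh = arena_alloc(&a, sizeof *fresh);
  if ((void *)fresh != (void *)old) return -1;
  old->reused = 1;                       /* stale write, like SetReused in the report */
  return fresh->flags;
}
```

Build with -fsanitize=address to see the poisoning take effect; the stale write is only caught while the chunk is still on the free list, which is why a same-size reuse turns it into silent type confusion.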
Reporter
Comment 3 • 7 years ago
I can't reproduce with a Nightly build 61.0a1 (2018-04-05). The build that crashed with this test was a Nightly 61.0a1 (2018-04-3) (63-bit) and previous.
Reporter
Comment 4 • 7 years ago
I guess this bug is stuck; I do not know if it has been tested in previous versions or whether it should directly be closed.
Assignee
Comment 5 • 7 years ago
Yeah, it's fixed in 61, and the code is disabled in 60, so this is fixed now.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Updated • 7 years ago
status-firefox59:
--- → unaffected
status-firefox60:
--- → disabled
status-firefox61:
--- → fixed
status-firefox-esr52:
--- → unaffected
Target Milestone: --- → mozilla61
Updated • 7 years ago
Group: layout-core-security → core-security-release
Updated • 7 years ago
Group: core-security-release