Closed Bug 1462029 Opened 7 years ago Closed 7 years ago

heap-use-after-free in [@ nsIFrame::RemoveDisplayItemDataForDeletion]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1461812
Tracking Flags:
Tracking Status
firefox62 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-uaf, testcase)

Crash Data

Attachments

(1 file)

testcase.html
444 bytes, text/html
Details
I am reducing the testcase at the moment I will attach it when it is complete. Found with m-c: BuildID=20180515095353 SourceStamp=cf3ee14023483cbbb57129479537c713e22c1980 ==44728==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500035dae0 at pc 0x7f7f3ad12fb4 bp 0x7ffee87cd000 sp 0x7ffee87ccff8 READ of size 8 at 0x62500035dae0 thread T0 (file:// Content) #0 0x7f7f3ad12fb3 in nsIFrame::RemoveDisplayItemDataForDeletion() src/layout/generic/nsFrame.cpp:949:14 #1 0x7f7f3aa2dd6f in mozilla::PresShell::NotifyDestroyingFrame(nsIFrame*) src/layout/base/PresShell.cpp:2119:11 #2 0x7f7f3aca590c in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrame.cpp:778:10 #3 0x7f7f3ac55a98 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:303:22 #4 0x7f7f3aaf4fdf in Destroy src/layout/generic/nsIFrame.h:675:5 #5 0x7f7f3aaf4fdf in Destroy src/layout/base/nsFrameManager.cpp:59 #6 0x7f7f3aaf4fdf in nsCSSFrameConstructor::WillDestroyFrameTree() src/layout/base/nsCSSFrameConstructor.cpp:8374 #7 0x7f7f3aa1b4da in mozilla::PresShell::Destroy() src/layout/base/PresShell.cpp:1371:22 #8 0x7f7f3ab24192 in nsDocumentViewer::DestroyPresShell() src/layout/base/nsDocumentViewer.cpp:4552:15 #9 0x7f7f3ab1b04d in nsDocumentViewer::Hide() src/layout/base/nsDocumentViewer.cpp:2260:3 #10 0x7f7f3dc69879 in SetVisibility src/docshell/base/nsDocShell.cpp #11 0x7f7f3dc69879 in non-virtual thunk to nsDocShell::SetVisibility(bool) src/docshell/base/nsDocShell.cpp #12 0x7f7f35d98bdc in nsFrameLoader::Hide() src/dom/base/nsFrameLoader.cpp:1004:12 #13 0x7f7f3af40aae in nsHideViewer::Run() src/layout/generic/nsSubDocumentFrame.cpp:977:21 #14 0x7f7f3591d93f in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5626:15 #15 0x7f7f3ab12db9 in ~nsAutoScriptBlocker src/obj-firefox/dist/include/nsContentUtils.h:3538:5 #16 0x7f7f3ab12db9 in nsDocumentViewer::Destroy() src/layout/base/nsDocumentViewer.cpp:1814 #17 0x7f7f3dc14724 in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:5399:21 #18 0x7f7f3e1b06d9 in nsWebBrowser::SetDocShell(nsIDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1696:23 #19 0x7f7f3e1afb6d in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:95:3 #20 0x7f7f3e1be902 in nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp:1290:3 #21 0x7f7f3e1beb0c in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp #22 0x7f7f39d318a6 in mozilla::dom::TabChild::DestroyWindow() src/dom/ipc/TabChild.cpp:1072:21 #23 0x7f7f39d46598 in mozilla::dom::TabChild::RecvDestroy() src/dom/ipc/TabChild.cpp:2513:3 #24 0x7f7f34216267 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4638:20 #25 0x7f7f33c59fb7 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28 #26 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25 #27 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17 #28 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5 #29 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15 #30 0x7f7f32bec451 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32 #31 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14 #32 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #33 0x7f7f33b04416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5 #34 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #35 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #36 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #37 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 #38 0x7f7f3e6e9e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #39 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #40 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #41 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #42 0x7f7f3e6e9810 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34 #43 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #44 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282 #45 0x7f7f5231182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291 #46 0x420f48 in _start (firefox+0x420f48) 0x62500035dae0 is located 6624 bytes inside of 8192-byte region [0x62500035c100,0x62500035e100) freed by thread T0 (file:// Content) here: #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3 #1 0x7f7f3aba76a0 in Clear src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:101:7 #2 0x7f7f3aba76a0 in ~ArenaAllocator src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:64 #3 0x7f7f3aba76a0 in nsPresArena::~nsPresArena() src/layout/base/nsPresArena.cpp:43 #4 0x7f7f3b4101e8 in nsDisplayListBuilder::~nsDisplayListBuilder() src/layout/painting/nsDisplayList.cpp:1245:1 #5 0x7f7f3abcbd65 in ~RetainedDisplayListBuilder src/layout/painting/RetainedDisplayListBuilder.h:26:3 #6 0x7f7f3abcbd65 in DeleteValue<RetainedDisplayListBuilder> src/layout/generic/nsIFrame.h:528 #7 0x7f7f3abcbd65 in void mozilla::FramePropertyDescriptor<RetainedDisplayListBuilder>::Destruct<&(void DeleteValue<RetainedDisplayListBuilder>(RetainedDisplayListBuilder*))>(void*) src/layout/base/FrameProperties.h:102 #8 0x7f7f3aa982b6 in DestroyValueFor src/layout/base/FrameProperties.h:376:9 #9 0x7f7f3aa982b6 in mozilla::FrameProperties::DeleteAll(nsIFrame const*) src/layout/base/FrameProperties.h:295 #10 0x7f7f3aca5bf5 in DeleteAllProperties src/layout/generic/nsIFrame.h:3617:17 #11 0x7f7f3aca5bf5 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrame.cpp:804 #12 0x7f7f3ac55a98 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:303:22 #13 0x7f7f3aaf4fdf in Destroy src/layout/generic/nsIFrame.h:675:5 #14 0x7f7f3aaf4fdf in Destroy src/layout/base/nsFrameManager.cpp:59 #15 0x7f7f3aaf4fdf in nsCSSFrameConstructor::WillDestroyFrameTree() src/layout/base/nsCSSFrameConstructor.cpp:8374 #16 0x7f7f3aa1b4da in mozilla::PresShell::Destroy() src/layout/base/PresShell.cpp:1371:22 #17 0x7f7f3ab24192 in nsDocumentViewer::DestroyPresShell() src/layout/base/nsDocumentViewer.cpp:4552:15 #18 0x7f7f3ab12853 in nsDocumentViewer::Destroy() src/layout/base/nsDocumentViewer.cpp:1769:5 #19 0x7f7f3dc14724 in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:5399:21 #20 0x7f7f3e1b06d9 in nsWebBrowser::SetDocShell(nsIDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1696:23 #21 0x7f7f3e1afb6d in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:95:3 #22 0x7f7f3e1be902 in nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp:1290:3 #23 0x7f7f3e1beb0c in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp #24 0x7f7f39d318a6 in mozilla::dom::TabChild::DestroyWindow() src/dom/ipc/TabChild.cpp:1072:21 #25 0x7f7f39d46598 in mozilla::dom::TabChild::RecvDestroy() src/dom/ipc/TabChild.cpp:2513:3 #26 0x7f7f34216267 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4638:20 #27 0x7f7f33c59fb7 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28 #28 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25 #29 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17 #30 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5 #31 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15 #32 0x7f7f32bec451 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32 #33 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14 #34 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #35 0x7f7f33b04416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5 #36 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #37 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #38 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #39 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 previously allocated by thread T0 (file:// Content) here: #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x7f7f32bba303 in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15 #2 0x7f7f32bba303 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228 #3 0x7f7f32bba303 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75 #4 0x7f7f32bba303 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80 #5 0x7f7f3b419024 in AllocateByCustomID src/layout/base/nsPresArena.h:61:12 #6 0x7f7f3b419024 in Allocate src/layout/painting/nsDisplayList.cpp:1567 #7 0x7f7f3b419024 in operator new src/layout/painting/nsDisplayList.h:4748 #8 0x7f7f3b419024 in MakeDisplayItem<nsDisplayCompositorHitTestInfo, nsIFrame *&, mozilla::gfx::CompositorHitTestInfo &> src/layout/painting/nsDisplayList.h:2031 #9 0x7f7f3b419024 in nsDisplayListBuilder::BuildCompositorHitTestInfoIfNeeded(nsIFrame*, nsDisplayList*, bool) src/layout/painting/nsDisplayList.cpp:2249 #10 0x7f7f3ac3f43e in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3820:17 #11 0x7f7f3ac3a64d in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:5 #12 0x7f7f3ad24154 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3087:5 #13 0x7f7f3ab6661e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3704:17 #14 0x7f7f3aa59885 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6350:5 #15 0x7f7f3a3f416a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19 #16 0x7f7f3a3f2f6c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33 #17 0x7f7f3a3f85c6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5 #18 0x7f7f3a9d0f94 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2067:11 #19 0x7f7f3a9de520 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13 #20 0x7f7f3a9de520 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307 #21 0x7f7f3a9de0e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5 #22 0x7f7f3a9e0e5e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5 #23 0x7f7f3a9e0e5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683 #24 0x7f7f3a9e0a5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9 #25 0x7f7f3b286d9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16 #26 0x7f7f340b4854 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20 #27 0x7f7f33f8c763 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28 #28 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25 #29 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17 #30 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5 #31 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15 #32 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14 #33 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10 #34 0x7f7f33b0442a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21 #35 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #36 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #37 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299 #38 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27 #39 0x7f7f3e6e9e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22 #40 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10 #41 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319 #42 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
Attached file testcase.html
Flags: in-testsuite?
Crash Signature: [@ nsIFrame::RemoveDisplayItemDataForDeletion]
This doesn't crash for me after the landing of bug 1461812.
Nice! The regression range (for when this started crashing) matches that bug, too: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bad54bae22fada00a6441796e2f9e181ccd3d2fd&tochange=9a2af4dad8113d6cfabb7308339e19a6c5dd2309 (FWIW, the testcase doesn't crash 100% reliably for me, but in affected builds, I can make it crash the content process within 5-10 seconds by refreshing over and over.) Miko, does it make sense that your patch might fix this? Shall we dupe to bug 1461812? (And un-hide in a day or two, after nightly users have gotten the fix)
Flags: needinfo?(mikokm)
(In reply to Daniel Holbert [:dholbert] (recovering from vacation reviews/bugmail) from comment #3) > Miko, does it make sense that your patch might fix this? Shall we dupe to > bug 1461812? (And un-hide in a day or two, after nightly users have gotten > the fix) It certainly seems possible. That patch fixes some issues with display item lifetime: previously the partially built display list was not released immediately, which could have left some dangling items on the display list.
Flags: needinfo?(mikokm)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2) > This doesn't crash for me after the landing of bug 1461812. Same. No repro with the latest m-c.
Keywords: testcase
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: