Closed Bug 1462029 Opened 5 years ago Closed 5 years ago

heap-use-after-free in [@ nsIFrame::RemoveDisplayItemDataForDeletion]

Core :: Layout, defect
Priority: Not set; Severity: normal
Status: RESOLVED DUPLICATE of bug 1461812
Tracking: firefox62 --- affected
Reporter: tsmith; Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-uaf, testcase
Attachments: 1 file

I am reducing the testcase at the moment; I will attach it when it is complete.

Found with m-c:
BuildID=20180515095353
SourceStamp=cf3ee14023483cbbb57129479537c713e22c1980

==44728==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500035dae0 at pc 0x7f7f3ad12fb4 bp 0x7ffee87cd000 sp 0x7ffee87ccff8
READ of size 8 at 0x62500035dae0 thread T0 (file:// Content)
    #0 0x7f7f3ad12fb3 in nsIFrame::RemoveDisplayItemDataForDeletion() src/layout/generic/nsFrame.cpp:949:14
    #1 0x7f7f3aa2dd6f in mozilla::PresShell::NotifyDestroyingFrame(nsIFrame*) src/layout/base/PresShell.cpp:2119:11
    #2 0x7f7f3aca590c in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrame.cpp:778:10
    #3 0x7f7f3ac55a98 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:303:22
    #4 0x7f7f3aaf4fdf in Destroy src/layout/generic/nsIFrame.h:675:5
    #5 0x7f7f3aaf4fdf in Destroy src/layout/base/nsFrameManager.cpp:59
    #6 0x7f7f3aaf4fdf in nsCSSFrameConstructor::WillDestroyFrameTree() src/layout/base/nsCSSFrameConstructor.cpp:8374
    #7 0x7f7f3aa1b4da in mozilla::PresShell::Destroy() src/layout/base/PresShell.cpp:1371:22
    #8 0x7f7f3ab24192 in nsDocumentViewer::DestroyPresShell() src/layout/base/nsDocumentViewer.cpp:4552:15
    #9 0x7f7f3ab1b04d in nsDocumentViewer::Hide() src/layout/base/nsDocumentViewer.cpp:2260:3
    #10 0x7f7f3dc69879 in SetVisibility src/docshell/base/nsDocShell.cpp
    #11 0x7f7f3dc69879 in non-virtual thunk to nsDocShell::SetVisibility(bool) src/docshell/base/nsDocShell.cpp
    #12 0x7f7f35d98bdc in nsFrameLoader::Hide() src/dom/base/nsFrameLoader.cpp:1004:12
    #13 0x7f7f3af40aae in nsHideViewer::Run() src/layout/generic/nsSubDocumentFrame.cpp:977:21
    #14 0x7f7f3591d93f in nsContentUtils::RemoveScriptBlocker() src/dom/base/nsContentUtils.cpp:5626:15
    #15 0x7f7f3ab12db9 in ~nsAutoScriptBlocker src/obj-firefox/dist/include/nsContentUtils.h:3538:5
    #16 0x7f7f3ab12db9 in nsDocumentViewer::Destroy() src/layout/base/nsDocumentViewer.cpp:1814
    #17 0x7f7f3dc14724 in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:5399:21
    #18 0x7f7f3e1b06d9 in nsWebBrowser::SetDocShell(nsIDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1696:23
    #19 0x7f7f3e1afb6d in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:95:3
    #20 0x7f7f3e1be902 in nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp:1290:3
    #21 0x7f7f3e1beb0c in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp
    #22 0x7f7f39d318a6 in mozilla::dom::TabChild::DestroyWindow() src/dom/ipc/TabChild.cpp:1072:21
    #23 0x7f7f39d46598 in mozilla::dom::TabChild::RecvDestroy() src/dom/ipc/TabChild.cpp:2513:3
    #24 0x7f7f34216267 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4638:20
    #25 0x7f7f33c59fb7 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28
    #26 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #27 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #28 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #29 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #30 0x7f7f32bec451 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #31 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #32 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #33 0x7f7f33b04416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #34 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #35 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #36 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #37 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #38 0x7f7f3e6e9e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #39 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #40 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #41 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #42 0x7f7f3e6e9810 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #43 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #44 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:282
    #45 0x7f7f5231182f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #46 0x420f48 in _start (firefox+0x420f48)

0x62500035dae0 is located 6624 bytes inside of 8192-byte region [0x62500035c100,0x62500035e100)
freed by thread T0 (file:// Content) here:
    #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7f3aba76a0 in Clear src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:101:7
    #2 0x7f7f3aba76a0 in ~ArenaAllocator src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:64
    #3 0x7f7f3aba76a0 in nsPresArena::~nsPresArena() src/layout/base/nsPresArena.cpp:43
    #4 0x7f7f3b4101e8 in nsDisplayListBuilder::~nsDisplayListBuilder() src/layout/painting/nsDisplayList.cpp:1245:1
    #5 0x7f7f3abcbd65 in ~RetainedDisplayListBuilder src/layout/painting/RetainedDisplayListBuilder.h:26:3
    #6 0x7f7f3abcbd65 in DeleteValue<RetainedDisplayListBuilder> src/layout/generic/nsIFrame.h:528
    #7 0x7f7f3abcbd65 in void mozilla::FramePropertyDescriptor<RetainedDisplayListBuilder>::Destruct<&(void DeleteValue<RetainedDisplayListBuilder>(RetainedDisplayListBuilder*))>(void*) src/layout/base/FrameProperties.h:102
    #8 0x7f7f3aa982b6 in DestroyValueFor src/layout/base/FrameProperties.h:376:9
    #9 0x7f7f3aa982b6 in mozilla::FrameProperties::DeleteAll(nsIFrame const*) src/layout/base/FrameProperties.h:295
    #10 0x7f7f3aca5bf5 in DeleteAllProperties src/layout/generic/nsIFrame.h:3617:17
    #11 0x7f7f3aca5bf5 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrame.cpp:804
    #12 0x7f7f3ac55a98 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:303:22
    #13 0x7f7f3aaf4fdf in Destroy src/layout/generic/nsIFrame.h:675:5
    #14 0x7f7f3aaf4fdf in Destroy src/layout/base/nsFrameManager.cpp:59
    #15 0x7f7f3aaf4fdf in nsCSSFrameConstructor::WillDestroyFrameTree() src/layout/base/nsCSSFrameConstructor.cpp:8374
    #16 0x7f7f3aa1b4da in mozilla::PresShell::Destroy() src/layout/base/PresShell.cpp:1371:22
    #17 0x7f7f3ab24192 in nsDocumentViewer::DestroyPresShell() src/layout/base/nsDocumentViewer.cpp:4552:15
    #18 0x7f7f3ab12853 in nsDocumentViewer::Destroy() src/layout/base/nsDocumentViewer.cpp:1769:5
    #19 0x7f7f3dc14724 in nsDocShell::Destroy() src/docshell/base/nsDocShell.cpp:5399:21
    #20 0x7f7f3e1b06d9 in nsWebBrowser::SetDocShell(nsIDocShell*) src/toolkit/components/browser/nsWebBrowser.cpp:1696:23
    #21 0x7f7f3e1afb6d in nsWebBrowser::InternalDestroy() src/toolkit/components/browser/nsWebBrowser.cpp:95:3
    #22 0x7f7f3e1be902 in nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp:1290:3
    #23 0x7f7f3e1beb0c in non-virtual thunk to nsWebBrowser::Destroy() src/toolkit/components/browser/nsWebBrowser.cpp
    #24 0x7f7f39d318a6 in mozilla::dom::TabChild::DestroyWindow() src/dom/ipc/TabChild.cpp:1072:21
    #25 0x7f7f39d46598 in mozilla::dom::TabChild::RecvDestroy() src/dom/ipc/TabChild.cpp:2513:3
    #26 0x7f7f34216267 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4638:20
    #27 0x7f7f33c59fb7 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28
    #28 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #29 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #30 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #31 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #32 0x7f7f32bec451 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #33 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #34 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #35 0x7f7f33b04416 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #36 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #37 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #38 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #39 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f7f32bba303 in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f7f32bba303 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7f7f32bba303 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f7f32bba303 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f7f3b419024 in AllocateByCustomID src/layout/base/nsPresArena.h:61:12
    #6 0x7f7f3b419024 in Allocate src/layout/painting/nsDisplayList.cpp:1567
    #7 0x7f7f3b419024 in operator new src/layout/painting/nsDisplayList.h:4748
    #8 0x7f7f3b419024 in MakeDisplayItem<nsDisplayCompositorHitTestInfo, nsIFrame *&, mozilla::gfx::CompositorHitTestInfo &> src/layout/painting/nsDisplayList.h:2031
    #9 0x7f7f3b419024 in nsDisplayListBuilder::BuildCompositorHitTestInfoIfNeeded(nsIFrame*, nsDisplayList*, bool) src/layout/painting/nsDisplayList.cpp:2249
    #10 0x7f7f3ac3f43e in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3820:17
    #11 0x7f7f3ac3a64d in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:5
    #12 0x7f7f3ad24154 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3087:5
    #13 0x7f7f3ab6661e in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3704:17
    #14 0x7f7f3aa59885 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6350:5
    #15 0x7f7f3a3f416a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
    #16 0x7f7f3a3f2f6c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
    #17 0x7f7f3a3f85c6 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
    #18 0x7f7f3a9d0f94 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2067:11
    #19 0x7f7f3a9de520 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13
    #20 0x7f7f3a9de520 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307
    #21 0x7f7f3a9de0e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5
    #22 0x7f7f3a9e0e5e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5
    #23 0x7f7f3a9e0e5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683
    #24 0x7f7f3a9e0a5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9
    #25 0x7f7f3b286d9f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #26 0x7f7f340b4854 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #27 0x7f7f33f8c763 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #28 0x7f7f33afc78e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2136:25
    #29 0x7f7f33af9756 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2066:17
    #30 0x7f7f33afaf0c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1912:5
    #31 0x7f7f33afb568 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1945:15
    #32 0x7f7f32c0b113 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1090:14
    #33 0x7f7f32c26ce0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #34 0x7f7f33b0442a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #35 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7f7f3a481efa in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #39 0x7f7f3e6e9e4b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #40 0x7f7f33a58ec9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #41 0x7f7f33a58ec9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #42 0x7f7f33a58ec9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
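A report like the one above is the first artifact a triager sees, and the useful facts are spread over three stacks. The following Python script is an added example for this page, not Mozilla's or the reporter's tooling: it parses an AddressSanitizer report into the faulting access, the free site and the allocation site, skips the sanitizer interceptor frames so the first in-program frame of each stack surfaces, and checks that the stated offset into the freed region agrees with the address arithmetic. SAMPLE_REPORT is constructed from the report in comment 0, trimmed to a few frames per stack (including a thunk frame, a template frame and a module+offset frame, which are the awkward cases for a line parser).

```python
"""Triage helper for AddressSanitizer heap reports. Added example, not
Mozilla code. SAMPLE_REPORT is constructed from the report in comment 0
of this bug, trimmed to a few frames per stack."""
import re
from collections import namedtuple

SAMPLE_REPORT = """\
==44728==ERROR: AddressSanitizer: heap-use-after-free on address 0x62500035dae0 at pc 0x7f7f3ad12fb4 bp 0x7ffee87cd000 sp 0x7ffee87ccff8
READ of size 8 at 0x62500035dae0 thread T0 (file:// Content)
    #0 0x7f7f3ad12fb3 in nsIFrame::RemoveDisplayItemDataForDeletion() src/layout/generic/nsFrame.cpp:949:14
    #1 0x7f7f3aa2dd6f in mozilla::PresShell::NotifyDestroyingFrame(nsIFrame*) src/layout/base/PresShell.cpp:2119:11
    #11 0x7f7f3dc69879 in non-virtual thunk to nsDocShell::SetVisibility(bool) src/docshell/base/nsDocShell.cpp
    #46 0x420f48 in _start (firefox+0x420f48)

0x62500035dae0 is located 6624 bytes inside of 8192-byte region [0x62500035c100,0x62500035e100)
freed by thread T0 (file:// Content) here:
    #0 0x4c1952 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
    #1 0x7f7f3aba76a0 in Clear src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:101:7
    #3 0x7f7f3aba76a0 in nsPresArena::~nsPresArena() src/layout/base/nsPresArena.cpp:43

previously allocated by thread T0 (file:// Content) here:
    #0 0x4c1c93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #4 0x7f7f32bba303 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
"""

Frame = namedtuple("Frame", "index function location")

_HEADER = re.compile(r"^==(\d+)==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
_STACK_START = {  # line that opens a stack -> regex whose last group is the thread id
    "access": re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+ thread (T\d+)"),
    "free": re.compile(r"^freed by thread (T\d+)"),
    "alloc": re.compile(r"^previously allocated by thread (T\d+)"),
}
_REGION = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region \[(0x[0-9a-f]+),")
_FRAME = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in (.+)$")


def _split_frame(rest):
    """The location is the last token when it looks like file:line:col or
    (module+offset); function names may contain spaces (templates, thunks)."""
    head, _, tail = rest.rpartition(" ")
    if head and ("/" in tail or tail.startswith("(") or re.search(r":\d+", tail)):
        return head, tail
    return rest, None


def parse_asan_report(text):
    """Return a dict with kind, address, access, size, threads, stacks and
    region info pulled from one AddressSanitizer report."""
    rep = {"threads": {}, "stacks": {}}
    current = None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            rep.update(pid=int(m.group(1)), kind=m.group(2), address=int(m.group(3), 16))
            continue
        if "kind" not in rep:
            continue  # ignore anything before the ERROR header
        for name, rx in _STACK_START.items():
            m = rx.match(line)
            if m:
                if name == "access":
                    rep["access"], rep["size"] = m.group(1), int(m.group(2))
                rep["threads"][name] = m.group(m.lastindex)
                current = rep["stacks"].setdefault(name, [])
                break
        else:
            m = _REGION.search(line)
            if m:
                rep["region_offset"], rep["region_size"] = int(m.group(1)), int(m.group(2))
                rep["region_start"] = int(m.group(3), 16)
                current = None
                continue
            m = _FRAME.match(line)
            if m and current is not None:
                fn, loc = _split_frame(m.group(2))
                current.append(Frame(int(m.group(1)), fn, loc))
    if "kind" not in rep:
        raise ValueError("no AddressSanitizer error header found")
    return rep


def first_project_frame(stack):
    """Skip allocator interceptors and sanitizer-runtime frames so the result
    is the first frame inside the instrumented program itself."""
    for f in stack:
        if f.function.startswith("__interceptor_") or f.function in ("malloc", "free"):
            continue
        if f.location and "/compiler-rt/" in f.location:
            continue
        return f
    return None


def triage(rep):
    """One-line facts a bug triager wants from the parsed report."""
    acc = first_project_frame(rep["stacks"].get("access", []))
    fr = first_project_frame(rep["stacks"].get("free", []))
    al = first_project_frame(rep["stacks"].get("alloc", []))
    consistent = ("region_start" in rep
                  and rep["address"] - rep["region_start"] == rep["region_offset"])
    return {
        "kind": rep["kind"],
        "access": f"{rep.get('access')} of {rep.get('size')} bytes",
        "crash_frame": acc.function if acc else None,
        "freed_in": fr.function if fr else None,
        "allocated_in": al.function if al else None,
        "region_offset_consistent": consistent,
        "same_thread": len(set(rep["threads"].values())) == 1,
    }


if __name__ == "__main__":
    for key, value in triage(parse_asan_report(SAMPLE_REPORT)).items():
        print(f"{key:>25}: {value}")
```

Run stand-alone it prints the triage summary. For this report the read in nsIFrame::RemoveDisplayItemDataForDeletion() lands 6624 bytes into an 8192-byte arena chunk that was released by the arena's Clear during nsPresArena teardown and handed out by the arena allocator, all on thread T0; the same-thread result and the arena-chunk allocation pattern point at an object-lifetime ordering problem rather than a race, which is the first thing worth recording before the testcase is reduced further.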
Attached file testcase.html
Flags: in-testsuite?
Crash Signature: [@ nsIFrame::RemoveDisplayItemDataForDeletion]
This doesn't crash for me after the landing of bug 1461812.
Nice! The regression range (for when this started crashing) matches that bug, too:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=bad54bae22fada00a6441796e2f9e181ccd3d2fd&tochange=9a2af4dad8113d6cfabb7308339e19a6c5dd2309

(FWIW, the testcase doesn't crash 100% reliably for me, but in affected builds, I can make it crash the content process within 5-10 seconds by refreshing over and over.)

Miko, does it make sense that your patch might fix this? Shall we dupe to bug 1461812? (And un-hide in a day or two, after nightly users have gotten the fix)
Flags: needinfo?(mikokm)
(In reply to Daniel Holbert [:dholbert] (recovering from vacation reviews/bugmail) from comment #3)
> Miko, does it make sense that your patch might fix this? Shall we dupe to
> bug 1461812?  (And un-hide in a day or two, after nightly users have gotten
> the fix)

It certainly seems possible. That patch fixes some issues with display item lifetime: previously the partially built display list was not released immediately, which could have left some dangling items on the display list.
Flags: needinfo?(mikokm)
(In reply to Ryan VanderMeulen [:RyanVM] from comment #2)
> This doesn't crash for me after the landing of bug 1461812.

Same. No repro with the latest m-c.
Keywords: testcase
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE