Bug 1492015
Opened 6 years ago
Closed 6 years ago
heap-use-after-free in [@ nsDisplayListBuilder::RemoveFromWillChangeBudget]
Categories (Core :: Web Painting, defect, P1)
Tracking
RESOLVED DUPLICATE of bug 1492034

| | Tracking | Status |
|---|---|---|
| firefox64 | --- | fixed |
People (Reporter: tsmith, Assigned: mikokm)
References (Blocks 1 open bug)
Details (Keywords: crash, csectype-uaf, testcase)
Attachments (1 file): 298 bytes, text/html
Reducing test case now, I will attach it once it is reduced.
==3081==ERROR: AddressSanitizer: heap-use-after-free on address 0x61900069e410 at pc 0x7fddc86e633c bp 0x7ffc2ff1c400 sp 0x7ffc2ff1c3f8
READ of size 8 at 0x61900069e410 thread T0 (file:// Content)
#0 0x7fddc86e633b in nsDisplayListBuilder::RemoveFromWillChangeBudget(nsIFrame*) src/layout/painting/nsDisplayList.cpp:2185:45
#1 0x7fddc7d38bdc in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3495:13
#2 0x7fddc7de34fa in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:651:5
#3 0x7fddc7d3d1cb in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3759:14
#4 0x7fddc7f562ed in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3702:15
#5 0x7fddc7d3a9d9 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3536:12
#6 0x7fddc7d37c29 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:5
#7 0x7fddc7e70297 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3055:5
#8 0x7fddc865af5b in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1372:34
#9 0x7fddc7c294b0 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3681:40
#10 0x7fddc7ad2e61 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6350:5
#11 0x7fddc725d706 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#12 0x7fddc725c4fc in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#13 0x7fddc7262186 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#14 0x7fddc7a2a812 in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2046:11
#15 0x7fddc7a39681 in TickDriver src/layout/base/nsRefreshDriver.cpp:325:13
#16 0x7fddc7a39681 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:300
#17 0x7fddc7a391a1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:318:5
#18 0x7fddc7a3c4b1 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:756:5
#19 0x7fddc7a3c4b1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:672
#20 0x7fddc7a3bc08 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:572:9
#21 0x7fddc8500448 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
#22 0x7fddbf1bed2b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#23 0x7fddbef35570 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#24 0x7fddbe71f4c5 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
#25 0x7fddbe71b1b9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
#26 0x7fddbe71d2fd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
#27 0x7fddbe71e027 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
#28 0x7fddbd508bf8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
#29 0x7fddbd511845 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#30 0x7fddbe728b83 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#31 0x7fddbe62849c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#32 0x7fddbe62849c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#33 0x7fddbe62849c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#34 0x7fddc73490f3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#35 0x7fddcb7e719e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#36 0x7fddbe62849c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#37 0x7fddbe62849c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#38 0x7fddbe62849c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#39 0x7fddcb7e62c3 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#40 0x556c37d40b91 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#41 0x556c37d40b91 in main src/browser/app/nsBrowserApp.cpp:287
#42 0x7fdddfab282f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#43 0x556c37c6ff3c in _start (/home/ubuntu/firefox/firefox+0x2cf3c)
0x61900069e410 is located 656 bytes inside of 1024-byte region [0x61900069e180,0x61900069e580)
freed by thread T0 (file:// Content) here:
#0 0x556c37d10372 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:68:3
#1 0x7fddbd376d49 in PLDHashTable::ChangeTable(int) src/xpcom/ds/PLDHashTable.cpp:522:3
#2 0x7fddbd378343 in ShrinkIfAppropriate src/xpcom/ds/PLDHashTable.cpp:704:12
#3 0x7fddbd378343 in PLDHashTable::RemoveEntry(PLDHashEntryHdr*) src/xpcom/ds/PLDHashTable.cpp:662
#4 0x7fddc86e629c in RemoveEntry src/obj-firefox/dist/include/nsTHashtable.h:224:12
#5 0x7fddc86e629c in Remove src/obj-firefox/dist/include/nsBaseHashtable.h:196
#6 0x7fddc86e629c in nsDisplayListBuilder::RemoveFromWillChangeBudget(nsIFrame*) src/layout/painting/nsDisplayList.cpp:2182
#7 0x7fddc7d38bdc in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3495:13
#8 0x7fddc7de34fa in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsCanvasFrame.cpp:651:5
#9 0x7fddc7d3d1cb in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3759:14
#10 0x7fddc7f562ed in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsGfxScrollFrame.cpp:3702:15
#11 0x7fddc7d3a9d9 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3536:12
#12 0x7fddc7d37c29 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/ViewportFrame.cpp:66:5
#13 0x7fddc7e70297 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3055:5
#14 0x7fddc865af5b in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) src/layout/painting/RetainedDisplayListBuilder.cpp:1372:34
#15 0x7fddc7c294b0 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) src/layout/base/nsLayoutUtils.cpp:3681:40
#16 0x7fddc7ad2e61 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) src/layout/base/PresShell.cpp:6350:5
#17 0x7fddc725d706 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) src/view/nsViewManager.cpp:480:19
#18 0x7fddc725c4fc in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) src/view/nsViewManager.cpp:412:33
#19 0x7fddc7262186 in nsViewManager::ProcessPendingUpdates() src/view/nsViewManager.cpp:1102:5
#20 0x7fddc7a2a812 in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2046:11
#21 0x7fddc7a39681 in TickDriver src/layout/base/nsRefreshDriver.cpp:325:13
#22 0x7fddc7a39681 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:300
#23 0x7fddc7a391a1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:318:5
previously allocated by thread T0 (file:// Content) here:
#0 0x556c37d1089a in calloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:97:3
#1 0x7fddbd376a08 in PLDHashTable::ChangeTable(int) src/xpcom/ds/PLDHashTable.cpp:492:32
#2 0x7fddbd377341 in PLDHashTable::Add(void const*, std::nothrow_t const&) src/xpcom/ds/PLDHashTable.cpp:590:10
#3 0x7fddc86e6056 in PutEntry src/obj-firefox/dist/include/nsTHashtable.h:168:43
#4 0x7fddc86e6056 in Put src/obj-firefox/dist/include/nsBaseHashtable.h:171
#5 0x7fddc86e6056 in Put src/obj-firefox/dist/include/nsBaseHashtable.h:164
#6 0x7fddc86e6056 in nsDisplayListBuilder::AddToWillChangeBudget(nsIFrame*, nsSize const&) src/layout/painting/nsDisplayList.cpp:2137
#7 0x7fddc7e6a91e in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:2820:15
#8 0x7fddc7d3c78c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3721:12
#9 0x7fddc820f80a in nsTableFrame::GenericTraversal(nsDisplayListBuilder*, nsFrame*, nsDisplayListSet const&) src/layout/tables/nsTableFrame.cpp:1319:13
#10 0x7fddc820d6cb in nsTableFrame::DisplayGenericTablePart(nsDisplayListBuilder*, nsFrame*, nsDisplayListSet const&, void (*)(nsDisplayListBuilder*, nsFrame*, nsDisplayListSet const&)) src/layout/tables/nsTableFrame.cpp:1578:3
#11 0x7fddc7e70297 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3055:5
#12 0x7fddc7d3c78c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3721:12
#13 0x7fddc82a81db in BuildDisplayListForInnerTable src/layout/tables/nsTableWrapperFrame.cpp:215:5
#14 0x7fddc82a81db in nsTableWrapperFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/tables/nsTableWrapperFrame.cpp:183
#15 0x7fddc7d3d1cb in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3759:14
#16 0x7fddc7db6aa0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) src/layout/generic/nsBlockFrame.cpp:6750:13
#17 0x7fddc7db290f in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:6844:7
#18 0x7fddc7e70297 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3055:5
#19 0x7fddc7d3c78c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3721:12
#20 0x7fddc7db6aa0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) src/layout/generic/nsBlockFrame.cpp:6750:13
#21 0x7fddc7db290f in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) src/layout/generic/nsBlockFrame.cpp:6844:7
#22 0x7fddc7e70297 in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) src/layout/generic/nsFrame.cpp:3055:5
#23 0x7fddc7d3c78c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) src/layout/generic/nsFrame.cpp:3721:12
Comment 1 • Reporter • 6 years ago
Updated • Reporter • 6 years ago
Flags: in-testsuite?
Updated • 6 years ago
Assignee: nobody → mikokm
Flags: needinfo?(mikokm)
Priority: -- → P1
Comment 2 • Assignee • 6 years ago
Will fix this in the original bug and add the testcase as a crashtest.
Flags: needinfo?(mikokm)
Updated • 6 years ago
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE