1506162 - AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsCOMPtr.h:919:48 in get

Status: RESOLVED WORKSFORME

(Core :: Layout, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.  I'm currently reducing the testcase and will update once complete.

==11082==ERROR: AddressSanitizer: heap-use-after-free on address 0x62200007b108 at pc 0x7eff3125a691 bp 0x7fff2c7d2ff0 sp 0x7fff2c7d2fe8
READ of size 8 at 0x62200007b108 thread T0 (file:// Content)
    #0 0x7eff3125a690 in get src/obj-firefox/dist/include/nsCOMPtr.h:919:48
    #1 0x7eff3125a690 in operator nsIDocument * src/obj-firefox/dist/include/nsCOMPtr.h:927
    #2 0x7eff3125a690 in GetDocument src/layout/base/nsIPresShell.h:256
    #3 0x7eff3125a690 in nsFrameSelection::cycleCollection::TraverseNative(void*, nsCycleCollectionTraversalCallback&) src/layout/generic/nsFrameSelection.cpp:346
    #4 0x7eff2653fc45 in TraverseNativeAndJS src/xpcom/base/nsCycleCollectionParticipant.h:133:19
    #5 0x7eff2653fc45 in CCGraphBuilder::BuildGraph(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:2346
    #6 0x7eff2654a579 in nsCycleCollector::MarkRoots(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:3028:33
    #7 0x7eff26553aac in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) src/xpcom/base/nsCycleCollector.cpp:3824:9
    #8 0x7eff26558dbf in nsCycleCollector_collectSlice(js::SliceBudget&, bool) src/xpcom/base/nsCycleCollector.cpp:4426:21
    #9 0x7eff2aac030a in nsJSContext::RunCycleCollectorSlice(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1582:3
    #10 0x7eff2aac13ed in ICCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1641:3
    #11 0x7eff266e80a9 in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #12 0x7eff266e80a9 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:63
    #13 0x7eff26748be1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #14 0x7eff2675198d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #15 0x7eff279c352f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #16 0x7eff278bf9ee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #17 0x7eff278bf9ee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #18 0x7eff278bf9ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #19 0x7eff30697ee3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #20 0x7eff34db230e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #21 0x7eff278bf9ee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #22 0x7eff278bf9ee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #23 0x7eff278bf9ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #24 0x7eff34db136b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #25 0x56054fc13864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #26 0x56054fc13864 in main src/browser/app/nsBrowserApp.cpp:287
    #27 0x7eff49bed82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #28 0x56054fb38eec in _start (/home/ubuntu/firefox/firefox+0x2deec)

0x62200007b108 is located 8 bytes inside of 5072-byte region [0x62200007b100,0x62200007c4d0)
freed by thread T0 (file:// Content) here:
    #0 0x56054fbe0a12 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7eff30dc1f1f in operator delete src/obj-firefox/dist/include/mozilla/mozalloc.h:163:12
    #2 0x7eff30dc1f1f in Release src/layout/base/PresShell.cpp:865
    #3 0x7eff30dc1f1f in non-virtual thunk to mozilla::PresShell::Release() src/layout/base/PresShell.cpp
    #4 0x7eff30b1c4cc in ~nsCOMPtr_base src/obj-firefox/dist/include/nsCOMPtr.h:371:7
    #5 0x7eff30b1c4cc in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:86
    #6 0x7eff30b1c68d in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:84:1
    #7 0x7eff26549841 in SnowWhiteKiller::~SnowWhiteKiller() src/xpcom/base/nsCycleCollector.cpp:2740:7
    #8 0x7eff26546329 in ~RemoveSkippableVisitor src/xpcom/base/nsCycleCollector.cpp:2892:3
    #9 0x7eff26546329 in nsPurpleBuffer::RemoveSkippable(nsCycleCollector*, js::SliceBudget&, bool, bool, void (*)()) src/xpcom/base/nsCycleCollector.cpp:2943
    #10 0x7eff2654a1e6 in nsCycleCollector::ForgetSkippable(js::SliceBudget&, bool, bool) src/xpcom/base/nsCycleCollector.cpp:3013:14
    #11 0x7eff26558270 in nsCycleCollector_forgetSkippable(js::SliceBudget&, bool, bool) src/xpcom/base/nsCycleCollector.cpp:4351:21
    #12 0x7eff2aabebc2 in FireForgetSkippable(unsigned int, bool, mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1296:3
    #13 0x7eff2aac5fd1 in CCRunnerFired(mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:1995:7
    #14 0x7eff266e80a9 in operator() src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2440:14
    #15 0x7eff266e80a9 in mozilla::IdleTaskRunner::Run() src/xpcom/threads/IdleTaskRunner.cpp:63
    #16 0x7eff2aac4e0a in nsJSContext::RunNextCollectorTimer(JS::gcreason::Reason, mozilla::TimeStamp) src/dom/base/nsJSEnvironment.cpp:2061:15
    #17 0x7eff2aac5367 in nsJSContext::MaybeRunNextCollectorSlice(nsIDocShell*, JS::gcreason::Reason) src/dom/base/nsJSEnvironment.cpp:2111:7
    #18 0x7eff2925dd54 in MaybeRunCollector::Run() src/parser/html/nsHtml5StreamParser.cpp:896:5
    #19 0x7eff2670b6e5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #20 0x7eff26748be1 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #21 0x7eff2675198d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #22 0x7eff279c352f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #23 0x7eff278bf9ee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #24 0x7eff278bf9ee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #25 0x7eff278bf9ee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #26 0x7eff30697ee3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27

previously allocated by thread T0 (file:// Content) here:
    #0 0x56054fbe0d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x56054fc1479d in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:70:17
    #2 0x7eff2a984c81 in operator new src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #3 0x7eff2a984c81 in nsIDocument::CreateShell(nsPresContext*, nsViewManager*, mozilla::UniquePtr<mozilla::ServoStyleSet, mozilla::DefaultDelete<mozilla::ServoStyleSet> >) src/dom/base/nsDocument.cpp:4036
    #4 0x7eff30f1773e in nsDocumentViewer::InitPresentationStuff(bool) src/layout/base/nsDocumentViewer.cpp:796:27
    #5 0x7eff30f16cec in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) src/layout/base/nsDocumentViewer.cpp:1045:10
    #6 0x7eff30f15b4f in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) src/layout/base/nsDocumentViewer.cpp:771:10
    #7 0x7eff33fbe118 in nsDocShell::SetupNewViewer(nsIContentViewer*) src/docshell/base/nsDocShell.cpp:8853:7
    #8 0x7eff33fbc7f6 in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) src/docshell/base/nsDocShell.cpp:6666:17
    #9 0x7eff33f3b30a in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) src/docshell/base/nsDocShell.cpp:8653:3
    #10 0x7eff33f384fb in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) src/docshell/base/nsDSURIContentListener.cpp:196:21
    #11 0x7eff2904a772 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) src/uriloader/base/nsURILoader.cpp:759:28
    #12 0x7eff29046a75 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:428:30
    #13 0x7eff2904594a in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:306:8
    #14 0x7eff273a1679 in mozilla::net::HttpChannelChild::DoOnStartRequest(nsIRequest*, nsISupports*) src/netwerk/protocol/http/HttpChannelChild.cpp:775:28
    #15 0x7eff273ad1f3 in mozilla::net::HttpChannelChild::OnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, mozilla::net::ResourceTimingStruct const&) src/netwerk/protocol/http/HttpChannelChild.cpp:642:3
    #16 0x7eff27463c80 in mozilla::net::StartRequestEvent::Run() src/netwerk/protocol/http/HttpChannelChild.cpp:463:13
    #17 0x7eff2724337a in mozilla::net::ChannelEventQueue::RunOrEnqueue(mozilla::net::ChannelEvent*, bool) src/obj-firefox/dist/include/mozilla/net/ChannelEventQueue.h:215:10
    #18 0x7eff273abab1 in mozilla::net::HttpChannelChild::RecvOnStartRequest(nsresult const&, mozilla::net::nsHttpResponseHead const&, bool const&, mozilla::net::nsHttpHeaderArray const&, mozilla::net::ParentLoadInfoForwarderArgs const&, bool const&, bool const&, unsigned long const&, int const&, unsigned int const&, nsTString<char> const&, nsTString<char> const&, mozilla::net::NetAddr const&, mozilla::net::NetAddr const&, short const&, unsigned int const&, nsTString<char> const&, long const&, bool const&, mozilla::net::ResourceTimingStruct const&) src/netwerk/protocol/http/HttpChannelChild.cpp:528:12
    #19 0x7eff27fafb38 in mozilla::net::PHttpChannelChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PHttpChannelChild.cpp:743:20
    #20 0x7eff27ca3499 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5422:28

SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/nsCOMPtr.h:919:48 in get
Shadow bytes around the buggy address:
  0x0c44800075d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800075e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c44800075f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480007600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4480007610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c4480007620: fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480007630: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480007640: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480007650: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480007660: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x0c4480007670: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11082==ABORTING

Comment 1

[Olli Pettay [:smaug][bugs@pettay.fi]]

Tadaa 
https://searchfox.org/mozilla-central/rev/a3894a4dcfb5d42f2e6eee6cb9faf7141879ef1a/layout/generic/nsFrameSelection.h#796

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

Ok, based on code inspection 
https://searchfox.org/mozilla-central/rev/a3894a4dcfb5d42f2e6eee6cb9faf7141879ef1a/dom/html/nsTextEditorState.cpp#1294-1298 is the issue.
FrameSelection's DisconnectFromPresShell isn't always called

Comment 3

[Emilio Cobos Álvarez (:emilio)]

(In reply to Olli Pettay [:smaug] (high review load) from comment #2)
> Ok, based on code inspection 
> https://searchfox.org/mozilla-central/rev/
> a3894a4dcfb5d42f2e6eee6cb9faf7141879ef1a/dom/html/nsTextEditorState.cpp#1294-
> 1298 is the issue.
> FrameSelection's DisconnectFromPresShell isn't always called

I'd wait to see the test-case. I suspect is a bug related to the recently landed column-span changes in bug 1421105.

There's another bug reported today and related to column-span where it seems we fail to destroy a frame, which would explain this.

Comment 4

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 5

[Olli Pettay [:smaug][bugs@pettay.fi]]

Ah, that kind of bug would trigger this too, because
https://searchfox.org/mozilla-central/rev/a3894a4dcfb5d42f2e6eee6cb9faf7141879ef1a/dom/html/nsTextEditorState.cpp#2071 wouldn't be called.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Bingo, thank Tyson!

Comment 7

[Ryan VanderMeulen [:RyanVM]]

We don't need to track this for 65 since it's behind a pref.

Comment 8

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt
[2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js