Closed Bug 1507961 Opened 6 years ago Closed 6 years ago

ASan: null pointer dereference in mozilla::DOMSVGLength::SetValueInSpecifiedUnits

Categories

(Core :: SVG, defect, P3)

63 Branch
defect

Tracking


RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- wontfix
firefox63 --- wontfix
firefox64 --- wontfix
firefox65 --- fixed

People

(Reporter: geeknik, Assigned: heycam)

References

Details

(Keywords: csectype-nullptr, nightly-community)

Attachments

(2 files)

Attached file fuzz-11.html
Found while fuzzing Firefox 63.0.1 (Build 20181030165643) with Domato, verified it still exists in Nightly (Build 20181116100115). I haven't minimized the testcase yet.

==1792==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000038 (pc 0x7ffb38fa06fb bp 0x006dbbdedf40 sp 0x006dbbdede60 T0)
==1792==The signal is caused by a READ memory access.
==1792==Hint: address points to the zero page.
    #0 0x7ffb38fa06fa in mozilla::DOMSVGLength::SetValueInSpecifiedUnits(float,class mozilla::ErrorResult &) z:\build\build\src\dom\svg\DOMSVGLength.cpp:324
    #1 0x7ffb3557a27e in mozilla::dom::SVGLength_Binding::set_valueInSpecifiedUnits z:\build\build\src\obj-firefox\dom\bindings\SVGLengthBinding.cpp:168
    #2 0x7ffb374f31c7 in mozilla::dom::binding_detail::GenericSetter<struct mozilla::dom::binding_detail::NormalThisPolicy>(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\dom\bindings\BindingUtils.cpp:3322
    #3 0x7ffb400713c1 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560
    #4 0x7ffb4007750f in js::CallSetter(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:775
    #5 0x7ffb3ef35569 in SetExistingProperty z:\build\build\src\js\src\vm\NativeObject.cpp:3016
    #6 0x7ffb3ef0f934 in js::NativeSetProperty<1>(struct JSContext *,class JS::Handle<class js::NativeObject *>,class JS::Handle<struct jsid>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::ObjectOpResult &) z:\build\build\src\js\src\vm\NativeObject.cpp:3046
    #7 0x7ffb4003ca37 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3241
    #8 0x7ffb4003540c in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:447
    #9 0x7ffb40071d0e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:587
    #10 0x7ffb40074225 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
    #11 0x7ffb40074456 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:633
    #12 0x7ffb3f4b7cfa in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2975
    #13 0x7ffb366b9aff in mozilla::dom::EventListener::HandleEvent(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::dom::Event &,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\EventListenerBinding.cpp:52
    #14 0x7ffb37d4c55f in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1111
    #15 0x7ffb37d4e5c5 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *,bool) z:\build\build\src\dom\events\EventListenerManager.cpp:1316
    #16 0x7ffb37d316f2 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:425
    #17 0x7ffb37d2f93a in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:642
    #18 0x7ffb37d350a0 in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:1164
    #19 0x7ffb37d3e098 in mozilla::EventDispatcher::DispatchDOMEvent(class nsISupports *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,class nsPresContext *,enum nsEventStatus *) z:\build\build\src\dom\events\EventDispatcher.cpp:1245
    #20 0x7ffb33de08c3 in nsINode::DispatchEvent(class mozilla::dom::Event &,enum mozilla::dom::CallerType,class mozilla::ErrorResult &) z:\build\build\src\dom\base\nsINode.cpp:1141
    #21 0x7ffb37d5caa8 in mozilla::dom::EventTarget::DispatchEvent(class mozilla::dom::Event &) z:\build\build\src\dom\events\EventTarget.cpp:205
    #22 0x7ffb37cb61a5 in mozilla::AsyncEventDispatcher::Run(void) z:\build\build\src\dom\events\AsyncEventDispatcher.cpp:72
    #23 0x7ffb3384fa82 in nsContentUtils::RemoveScriptBlocker(void) z:\build\build\src\dom\base\nsContentUtils.cpp:5564
    #24 0x7ffb33ce7baf in nsDocument::EndUpdate(void) z:\build\build\src\dom\base\nsDocument.cpp:5113
    #25 0x7ffb381c9cbf in nsHTMLDocument::EndUpdate(void) z:\build\build\src\dom\html\nsHTMLDocument.cpp:2179
    #26 0x7ffb33a95caf in mozilla::dom::Element::SetAttr(int,class nsAtom *,class nsAtom *,class nsTSubstring<UNKNOWN> const &,class nsIPrincipal *,bool) z:\build\build\src\dom\base\Element.cpp:2643
    #27 0x7ffb33a952bb in mozilla::dom::Element::SetAttribute(class nsTSubstring<UNKNOWN> const &,class nsTSubstring<UNKNOWN> const &,class nsIPrincipal *,class mozilla::ErrorResult &) z:\build\build\src\dom\base\Element.cpp:1428
    #28 0x7ffb3689a75d in mozilla::dom::Element_Binding::setAttribute z:\build\build\src\obj-firefox\dom\bindings\ElementBinding.cpp:1330
    #29 0x7ffb374f6450 in mozilla::dom::binding_detail::GenericMethod<struct mozilla::dom::binding_detail::NormalThisPolicy,struct mozilla::dom::binding_detail::ThrowExceptions>(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\dom\bindings\BindingUtils.cpp:3378
    #30 0x7ffb400713c1 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:560
    #31 0x7ffb40074225 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
    #32 0x7ffb4003a022 in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3462
    #33 0x7ffb4003540c in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:447
    #34 0x7ffb40071d0e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:587
    #35 0x7ffb40074225 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:614
    #36 0x7ffb40074456 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:633
    #37 0x7ffb3f4b7cfa in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2975
    #38 0x7ffb366b38bf in mozilla::dom::EventHandlerNonNull::Call(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:265
    #39 0x7ffb37d8fbbe in mozilla::dom::EventHandlerNonNull::Call<class nsISupports *>(class nsISupports * const &,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &,char const *,enum mozilla::dom::CallbackObject::ExceptionHandling,class JS::Realm *) z:\build\build\src\obj-firefox\dist\include\mozilla\dom\EventHandlerBinding.h:363
    #40 0x7ffb37d8cc5e in mozilla::JSEventHandler::HandleEvent(class mozilla::dom::Event *) z:\build\build\src\dom\events\JSEventHandler.cpp:214
    #41 0x7ffb37d4c5af in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1115
    #42 0x7ffb37d4e5c5 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *,bool) z:\build\build\src\dom\events\EventListenerManager.cpp:1316
    #43 0x7ffb37d316f2 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:425
    #44 0x7ffb37d2f93a in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:642
    #45 0x7ffb37d350a0 in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:1164
    #46 0x7ffb3a818077 in nsDocumentViewer::LoadComplete(enum nsresult) z:\build\build\src\layout\base\nsDocumentViewer.cpp:1167
    #47 0x7ffb3da4eb3d in nsDocShell::EndPageLoad(class nsIWebProgress *,class nsIChannel *,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:7050
    #48 0x7ffb3da49e23 in nsDocShell::OnStateChange(class nsIWebProgress *,class nsIRequest *,unsigned int,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:6841
    #49 0x7ffb323c70e9 in nsDocLoader::DoFireOnStateChange(class nsIWebProgress * const,class nsIRequest * const,int &,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:1309
    #50 0x7ffb323c5eec in nsDocLoader::doStopDocumentLoad(class nsIRequest *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:852
    #51 0x7ffb323c2050 in nsDocLoader::DocLoaderIsEmpty(bool) z:\build\build\src\uriloader\base\nsDocLoader.cpp:741
    #52 0x7ffb323c459e in nsDocLoader::OnStopRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:630
    #53 0x7ffb3037ceac in mozilla::net::nsLoadGroup::RemoveRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\netwerk\base\nsLoadGroup.cpp:630
    #54 0x7ffb3369f1c8 in imgRequestProxy::RemoveFromLoadGroup(void) z:\build\build\src\image\imgRequestProxy.cpp:440
    #55 0x7ffb336a8854 in imgRequestProxy::OnLoadComplete(bool) z:\build\build\src\image\imgRequestProxy.cpp:1084
    #56 0x7ffb3368abec in mozilla::image::ImageObserverNotifier<class mozilla::image::ObserverTable const *>::operator()<class `mozilla::image::SyncNotifyInternal<class mozilla::image::ObserverTable const *>(class mozilla::image::ObserverTable const * const &,bool,unsigned int,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &)'::`1'::<lambda_7> >(class `mozilla::image::SyncNotifyInternal<class mozilla::image::ObserverTable const *>(class mozilla::image::ObserverTable const * const &,bool,unsigned int,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &)'::`1'::<lambda_7>) z:\build\build\src\image\ProgressTracker.cpp:283
    #57 0x7ffb33688607 in mozilla::image::SyncNotifyInternal<class mozilla::image::ObserverTable const *>(class mozilla::image::ObserverTable const * const &,bool,unsigned int,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\image\ProgressTracker.cpp:357
    #58 0x7ffb335efb3d in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int,struct mozilla::gfx::IntRectTyped<struct mozilla::gfx::UnknownUnits> const &) z:\build\build\src\image\ProgressTracker.cpp:377
    #59 0x7ffb3363b6b7 in mozilla::image::VectorImage::OnSVGDocumentLoaded(void) z:\build\build\src\image\VectorImage.cpp:1555
    #60 0x7ffb33678c2d in mozilla::image::SVGLoadEventListener::HandleEvent(class mozilla::dom::Event *) z:\build\build\src\image\VectorImage.cpp:231
    #61 0x7ffb37d4c5af in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1115
    #62 0x7ffb37d4e615 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *,bool) z:\build\build\src\dom\events\EventListenerManager.cpp:1316
    #63 0x7ffb37d316f2 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:425
    #64 0x7ffb37d2f93a in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:642
    #65 0x7ffb37d350a0 in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:1164
    #66 0x7ffb37d3e098 in mozilla::EventDispatcher::DispatchDOMEvent(class nsISupports *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,class nsPresContext *,enum nsEventStatus *) z:\build\build\src\dom\events\EventDispatcher.cpp:1245
    #67 0x7ffb33de08c3 in nsINode::DispatchEvent(class mozilla::dom::Event &,enum mozilla::dom::CallerType,class mozilla::ErrorResult &) z:\build\build\src\dom\base\nsINode.cpp:1141
    #68 0x7ffb37d5caa8 in mozilla::dom::EventTarget::DispatchEvent(class mozilla::dom::Event &) z:\build\build\src\dom\events\EventTarget.cpp:205
    #69 0x7ffb37cb61a5 in mozilla::AsyncEventDispatcher::Run(void) z:\build\build\src\dom\events\AsyncEventDispatcher.cpp:72
    #70 0x7ffb30118db3 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1244
    #71 0x7ffb30121688 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:530
    #72 0x7ffb311cc329 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:97
    #73 0x7ffb3113272e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
    #74 0x7ffb311324b6 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
    #75 0x7ffb39f23e0a in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:158
    #76 0x7ffb3a0b40a7 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:420
    #77 0x7ffb3e6b477d in XRE_RunAppShell(void) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:961
    #78 0x7ffb3113272e in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:318
    #79 0x7ffb311324b6 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:298
    #80 0x7ffb3e6b3a1d in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:787
    #81 0x7ff793a01f11 (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x140001f11)
    #82 0x7ff793a014a1 (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x1400014a1)
    #83 0x7ff793a0ebdb (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x14000ebdb)
    #84 0x7ffb8b723033 (C:\Windows\System32\KERNEL32.DLL+0x180013033)
    #85 0x7ffb8b871470 (C:\Windows\SYSTEM32\ntdll.dll+0x180071470)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation z:\build\build\src\dom\svg\DOMSVGLength.cpp:324 in mozilla::DOMSVGLength::SetValueInSpecifiedUnits(float,class mozilla::ErrorResult &)
==1792==ABORTING
In the AutoChangeLengthNotifier destructor, the DidChangeLengthList can result in the DOMSVGLength being removed from its list, since it can dispatch events (in this case, a mutation event). We should probably just stick a script blocker in there.
Assignee: nobody → cam
Status: NEW → ASSIGNED
Priority: -- → P3
Or we can just null check mLength->mList, since the AnimationNeedsResample call shouldn't be needed if the list has been modified elsewhere.
And thanks for the test case, Brian!
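The re-entrancy hazard discussed in the comments above, as an added C++ model (this is not Gecko's code): the notifier's destructor fires a change notification that can run a mutation listener, the listener detaches the item from its list, and the post-notification step re-checks mList before scheduling the animation update instead of dereferencing it blindly. The class and member names mirror the comments, but the types, the listener hook and the resample flag are assumed stand-ins.

```cpp
#include <algorithm>
#include <functional>
#include <vector>
struct LengthList;
// Stand-in for DOMSVGLength: mList is null once the item is detached from its list.
struct DOMSVGLength {
  LengthList* mList = nullptr;
  float mValue = 0.0f;
};
// Owning-list stand-in; DidChangeLengthList() may run a mutation listener that Remove()s the item.
struct LengthList {
  std::vector<DOMSVGLength*> mItems;
  std::function<void()> mMutationListener;  // constructed: models a DOM mutation-event listener
  bool mNeedsResample = false;              // set by the AnimationNeedsResample stand-in
  void Append(DOMSVGLength* aItem) { mItems.push_back(aItem); aItem->mList = this; }
  void Remove(DOMSVGLength* aItem) {
    mItems.erase(std::remove(mItems.begin(), mItems.end(), aItem), mItems.end());
    aItem->mList = nullptr;  // the item no longer belongs to any list
  }
  void DidChangeLengthList() { if (mMutationListener) mMutationListener(); }
};
// RAII notifier modelled on AutoChangeLengthNotifier: notify the list, then schedule the resample.
struct AutoChangeLengthNotifier {
  DOMSVGLength* mLength;
  bool* mScheduled;
  ~AutoChangeLengthNotifier() {
    mLength->mList->DidChangeLengthList();  // may re-enter and Remove() mLength
    // The fix: re-check mList after notification; without this check the detached
    // case reads through a null pointer, which is what the ASan report above shows.
    if (mLength->mList) {
      mLength->mList->mNeedsResample = true;
      *mScheduled = true;
    }
  }
};
// SetValueInSpecifiedUnits stand-in: true if a resample was scheduled, false if it was skipped.
bool SetValueInSpecifiedUnits(DOMSVGLength& aLength, float aValue) {
  if (!aLength.mList) return false;
  bool scheduled = false;
  { AutoChangeLengthNotifier notifier{&aLength, &scheduled}; aLength.mValue = aValue; }  // dtor runs at '}'
  return scheduled;
}
// Scenario from the report: a listener removes the item while it is being changed.
bool ReentrantRemovalIsHandled() {
  LengthList list; DOMSVGLength len; list.Append(&len);
  list.mMutationListener = [&] { list.Remove(&len); };
  bool scheduled = SetValueInSpecifiedUnits(len, 5.0f);
  return !scheduled && len.mList == nullptr && len.mValue == 5.0f;
}
// Control: with no listener the resample is scheduled as usual.
bool NormalChangeSchedulesResample() {
  LengthList list; DOMSVGLength len; list.Append(&len);
  return SetValueInSpecifiedUnits(len, 5.0f) && list.mNeedsResample;
}
```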
Pushed by cmccormack@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ed44376f7c7a Check that an SVG DOM item wasn't removed from its list before scheduling its animation update r=longsonr
The crashtest is probably too resource intensive (lots of filters and so on). I'm just going to skip the test on Android.
Flags: needinfo?(cam)
Pushed by cmccormack@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/4b0deb3957f0 Check that an SVG DOM item wasn't removed from its list before scheduling its animation update r=longsonr
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
I think this can ride the trains given that 64 is a week from going RC, but feel free to nominate for Beta uplift if you feel strongly otherwise.
Flags: in-testsuite+