heap-use-after-free in [@ mozilla::LayerActivityTracker::NotifyExpired]
Categories: Core :: Web Painting, defect, P3
Tracking: firefox74 affected
People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
I hit this while reducing another test case. I am working on getting a reproducible test case.
Report is from m-c 20200205-0fa466366383
==32223==ERROR: AddressSanitizer: heap-use-after-free on address 0x625000309a18 at pc 0x7f649583a8d6 bp 0x7ffc601793d0 sp 0x7ffc601793c8
READ of size 8 at 0x625000309a18 thread T0 (file:// Content)
#0 0x7f649583a8d5 in PresContext src/layout/generic/nsIFrame.h:612:47
#1 0x7f649583a8d5 in mozilla::LayerActivityTracker::NotifyExpired(mozilla::LayerActivity*) src/layout/painting/ActiveLayerTracker.cpp:197:12
#2 0x7f6495960e8e in ExpirationTrackerImpl<mozilla::LayerActivity, 4u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) src/obj-firefox/dist/include/nsExpirationTracker.h:251:7
#3 0x7f6495960b30 in ExpirationTrackerImpl<mozilla::LayerActivity, 4u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::HandleTimeout() src/obj-firefox/dist/include/nsExpirationTracker.h:432:7
#4 0x7f648c99ce45 in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:562:7
#5 0x7f648c99c6fc in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:259:11
#6 0x7f648c97ba33 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:282:20
#7 0x7f648c9b01b8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#8 0x7f648c9f2de1 in NS_InvokeByIndex src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:106
#9 0x7f648ee4c88b in Invoke src/js/xpconnect/src/XPCWrappedNative.cpp:1643:10
#10 0x7f648ee4c88b in Call src/js/xpconnect/src/XPCWrappedNative.cpp:1184:19
#11 0x7f648ee4c88b in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) src/js/xpconnect/src/XPCWrappedNative.cpp:1150:23
#12 0x7f648ee518a0 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:947:10
#13 0x7f649893de23 in CallJSNative src/js/src/vm/Interpreter.cpp:470:13
#14 0x7f649893de23 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:562:12
#15 0x7f649893fc1a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#16 0x7f649892473b in CallFromStack src/js/src/vm/Interpreter.cpp:629:10
#17 0x7f649892473b in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3042:16
#18 0x7f6498907d94 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:442:10
#19 0x7f649893df05 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) src/js/src/vm/Interpreter.cpp:597:13
#20 0x7f649893fc1a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) src/js/src/vm/Interpreter.cpp:625:10
#21 0x7f649893fef6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) src/js/src/vm/Interpreter.cpp:642:8
#22 0x7f6498ad46a5 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2734:10
#23 0x7f648ee3e256 in nsXPCWrappedJS::CallMethod(unsigned short, nsXPTMethodInfo const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:959:17
#24 0x7f648c9f45d2 in PrepareAndDispatch src/xpcom/reflect/xptcall/md/unix/xptcstubs_x86_64_linux.cpp:125:37
#25 0x7f648c9f347a in SharedStub (/home/user/workspace/browsers/m-c-20200205162717-fuzzing-asan-opt/libxul.so+0x421847a)
#26 0x7f648c876873 in nsObserverList::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverList.cpp:65:19
#27 0x7f648c87dc5f in nsObserverService::NotifyObservers(nsISupports*, char const*, char16_t const*) src/xpcom/ds/nsObserverService.cpp:291:19
#28 0x7f648ca19e34 in mozilla::ShutdownXPCOM(nsIServiceManager*) src/xpcom/build/XPCOMInit.cpp:613:24
#29 0x7f64986d69ec in XRE_TermEmbedding() src/toolkit/xre/nsEmbedFunctions.cpp:226:3
#30 0x7f648dc1d042 in mozilla::ipc::ScopedXREEmbed::Stop() src/ipc/glue/ScopedXREEmbed.cpp:90:5
#31 0x7f64986d7796 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:782:16
#32 0x561e5e274401 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#33 0x561e5e274401 in main src/browser/app/nsBrowserApp.cpp:303:18
#34 0x7f64afac282f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
#35 0x561e5e1c9ecc in _start (/home/user/workspace/browsers/m-c-20200205162717-fuzzing-asan-opt/firefox+0x9becc)
0x625000309a18 is located 280 bytes inside of 8192-byte region [0x625000309900,0x62500030b900)
freed by thread T0 (file:// Content) here:
#0 0x561e5e241b9d in free /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:123:3
#1 0x7f648c96a22c in mozilla::ArenaAllocator<8192ul, 8ul>::Clear() src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:91:7
#2 0x7f64951dc172 in ~ArenaAllocator src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:58:23
#3 0x7f64951dc172 in nsPresArena<8192ul, mozilla::ArenaObjectID, 175ul>::~nsPresArena() src/layout/base/nsPresArena.cpp:38:1
#4 0x7f649508fb36 in mozilla::PresShell::~PresShell() src/layout/base/PresShell.cpp:909:1
#5 0x7f649508f701 in mozilla::PresShell::Release() src/layout/base/PresShell.cpp:876:1
#6 0x7f6494ed6169 in ~nsCOMPtr_base src/obj-firefox/dist/include/nsCOMPtr.h:330:7
#7 0x7f6494ed6169 in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:77:1
#8 0x7f6494ed64dd in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:75:47
#9 0x7f648c81c088 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) src/xpcom/base/nsCycleCollector.cpp:2460:9
#10 0x7f648c7fac56 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) src/xpcom/base/nsCycleCollector.cpp:942:23
#11 0x7f648c7fb515 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:2625:14
#12 0x7f648ee1616c in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:147:9
#13 0x7f648c9d44e8 in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:331:22
#14 0x7f648c9b01b8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1220:14
#15 0x7f648c9bafcc in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
#16 0x7f648dc0be2f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:87:21
#17 0x7f648db05db7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#18 0x7f648db05db7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#19 0x7f648db05db7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#20 0x7f6494bc7b98 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#21 0x7f64986d80a6 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:943:20
#22 0x7f648db05db7 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
#23 0x7f648db05db7 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
#24 0x7f648db05db7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
#25 0x7f64986d774f in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:778:34
previously allocated by thread T0 (file:// Content) here:
#0 0x561e5e241e1d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
#1 0x7f648c969e80 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
#2 0x7f64951dc64d in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205:25
#3 0x7f64951dc64d in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67:12
#4 0x7f64951dc64d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71:15
#5 0x7f6495284b65 in AllocateByObjectID src/obj-firefox/dist/include/mozilla/PresShell.h:280:32
#6 0x7f6495284b65 in AllocateFrame src/obj-firefox/dist/include/mozilla/PresShell.h:272:12
#7 0x7f6495284b65 in operator new src/layout/generic/nsBlockFrame.cpp:408:1
#8 0x7f6495284b65 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) src/layout/generic/nsBlockFrame.cpp:398:10
#9 0x7f6495150a54 in nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsContainerFrame*, bool) src/layout/base/nsCSSFrameConstructor.cpp:7963:16
#10 0x7f64952e1665 in nsContainerFrame::CreateNextInFlow(nsIFrame*) src/layout/generic/nsContainerFrame.cpp:1359:55
#11 0x7f64952de60f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:802:23
#12 0x7f64952dce48 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) src/layout/generic/nsColumnSetFrame.cpp:442:37
#13 0x7f64952e2479 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1179:5
#14 0x7f64952e2db3 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1244:5
#15 0x7f64952a99c8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
#16 0x7f64952a0009 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3796:11
#17 0x7f649529c887 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3143:5
#18 0x7f6495293929 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2686:7
#19 0x7f649528c274 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1398:3
#20 0x7f64954ad858 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:878:13
#21 0x7f6495461a96 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:674:15
#22 0x7f6495460dca in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:548:7
#23 0x7f649545fef1 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:363:3
#24 0x7f64954ad858 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:878:13
Updated•5 years ago
Comment 1•5 years ago
The priority flag is not set for this bug.
:mattwoodrow, could you have a look please?
For more information, please visit auto_nag documentation.
Reporter
Comment 3•5 years ago
No sorry. I have not seen it again and the fuzzers also have not reported it.
Updated•5 years ago
Updated•4 years ago
Updated•2 years ago
Reporter
Comment 4•2 years ago
The fuzzers were reporting this for a few days last week but none of the test cases were reliable enough to reduce.
I did manage to get a Pernosco session: https://pernos.co/debug/oGVFFjt8-vwkM9dLNgJy0w/index.html
Comment 5•2 years ago
(In reply to Tyson Smith [:tsmith] from comment #4)
> The fuzzers were reporting this for a few days last week but none of the test cases were reliable enough to reduce.
> I did manage to get a Pernosco session: https://pernos.co/debug/oGVFFjt8-vwkM9dLNgJy0w/index.html
I looked into this; it looks like the fixed list is messed up (firstchild and lastchild are different and non-null, but there are no next/prev sibling pointers set up, so we skip calling Destroy on any fixed frames past the first one). The build in this recording does not have the fix from bug 1797703, which I could see fixing the problem, but I haven't debugged further to show that clearly; it just seems like the fix from bug 1797703 is in a very close place to where the bug in this recording could be. The timeline for that bug lines up with when you were able to reproduce last week. So I would suggest seeing if you can get a new recording after bug 1797703 to check whether this still reproduces.
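The list state described in comment 5 (first and last set to different frames, but no sibling links, so a walk that follows next pointers destroys only the first frame) is easy to reproduce in isolation. The following is an added illustration, not Firefox code: the names Frame, FrameList, Append, DestroyAll and IsConsistent are hypothetical, and the structure is a generic doubly-linked list rather than Gecko's nsFrameList. It shows the walk silently stopping early, and a consistency check of the kind a debug assertion could use to catch such a list before the surviving frames outlive the arena that owns them.

```cpp
#include <cstdio>

// Hypothetical minimal frame: doubly linked to its siblings.
struct Frame {
  Frame* prev = nullptr;
  Frame* next = nullptr;
  bool destroyed = false;
};

// Hypothetical list header with first/last pointers, as in comment 5.
struct FrameList {
  Frame* first = nullptr;
  Frame* last = nullptr;
};

// Proper append: maintains both sibling links and first/last.
static void Append(FrameList& list, Frame* f) {
  f->prev = list.last;
  f->next = nullptr;
  if (list.last) {
    list.last->next = f;
  } else {
    list.first = f;
  }
  list.last = f;
}

// Typical teardown walk: follow next from first and "destroy" each frame.
// If the sibling links were never set up, the walk ends after the first
// frame and every later frame is left alive. Returns how many were reached.
static int DestroyAll(FrameList& list) {
  int count = 0;
  for (Frame* f = list.first; f; f = f->next) {
    f->destroyed = true;
    ++count;
  }
  list.first = list.last = nullptr;
  return count;
}

// Consistency check: walking next from first must end exactly at last, and
// each frame's prev must point at the frame we came from. This is the kind
// of debug-only assertion that flags the state seen in the recording.
static bool IsConsistent(const FrameList& list) {
  if ((list.first == nullptr) != (list.last == nullptr)) return false;
  if (!list.first) return true;
  const Frame* prev = nullptr;
  for (const Frame* f = list.first; f; prev = f, f = f->next) {
    if (f->prev != prev) return false;
    if (!f->next) return f == list.last;
  }
  return false;  // not reached: the loop returns at the last frame
}

// Scenario from comment 5: first != last, no sibling links (constructed).
static bool BrokenListIsConsistent() {
  Frame a, b;
  FrameList list;
  list.first = &a;
  list.last = &b;
  return IsConsistent(list);
}

static int BrokenListDestroyedCount() {
  Frame a, b;
  FrameList list;
  list.first = &a;
  list.last = &b;
  return DestroyAll(list);  // only `a` is reached; `b` survives
}

// Same two frames inserted through Append: links are complete.
static bool GoodListIsConsistent() {
  Frame a, b;
  FrameList list;
  Append(list, &a);
  Append(list, &b);
  return IsConsistent(list);
}

static int GoodListDestroyedCount() {
  Frame a, b;
  FrameList list;
  Append(list, &a);
  Append(list, &b);
  return DestroyAll(list);
}

int main() {
  std::printf("broken list consistent=%d destroyed=%d\n",
              BrokenListIsConsistent(), BrokenListDestroyedCount());
  std::printf("good list   consistent=%d destroyed=%d\n",
              GoodListIsConsistent(), GoodListDestroyedCount());
  return 0;
}
```

Running it shows the broken list failing the check and only one of two frames being destroyed, while the properly linked list passes and destroys both. In a real frame tree the frame that is skipped keeps its registration with the expiration tracker, which is exactly the path the ASan report above shows: NotifyExpired dereferencing a frame after its PresShell arena was freed.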
Reporter
Comment 7•2 years ago
I ran the test case overnight with m-c 20221101-d0fd41bff926 and I was unable to reproduce the issue.
Can we close this?
Comment 8•2 years ago
Bug 1797703 only existed for a few days but this bug was filed 3 years ago. So UAFs here could still happen but from a different bug. I guess it depends if you are still seeing this show up or not.
Reporter
Comment 9•2 years ago
Unfortunately(?) besides last week I have not seen it reported by the fuzzers. I only saw it initially during reduction of a test case for another bug. Since that was 3 years ago I've totally forgotten which bug it was.
Comment 10•2 years ago
Should we call this WFM? We have a plausible explanation for this being caught by fuzzers again in November and then going away: bug 1797703. We haven't seen it since in the lab. Socorro crashes with this signature in the wild are rare (59 in 6 months), only some are UAF, and the crash doesn't seem to happen in newer versions.
Fx 103 — 9 crashes (3 UAF)
Fx 104 — 6 crashes (2 UAF)
Fx 105 — 10 crashes (1 UAF)
Fx 106 — 1 crash
Fx 107-109 — zero
Reporter
Comment 11•2 years ago
That sounds good.
Updated•2 years ago