Closed Bug 1751965 Opened 2 years ago Closed 2 years ago

use-after-poison in [@ mozilla::RDL::ClearPreviousItems]

Categories: Core :: Web Painting, defect, P1

Status: RESOLVED FIXED, target milestone 98 Branch

Tracking Status:
firefox-esr91 --- unaffected
firefox96 --- unaffected
firefox97 --- unaffected
firefox98 + fixed

People: Reporter: tsmith, Assigned: mikokm

References: Blocks 3 open bugs, Regression

Details: 5 keywords

Attachments: 2 files

Found while fuzzing m-c 20220125-e960e654cbc9 (--enable-address-sanitizer --enable-fuzzing)

A reproducible test case is not available at this time.

==3228==ERROR: AddressSanitizer: use-after-poison on address 0x124951892b16 at pc 0x7ffaab91fe30 bp 0x0066ff1f98d0 sp 0x0066ff1f9918
READ of size 1 at 0x124951892b16 thread T0
    #0 0x7ffaab91fe2f in mozilla::nsDisplayItem::IsReusedItem /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:2806
    #1 0x7ffaab91fe2f in mozilla::RDL::ClearPreviousItems(class mozilla::nsDisplayListBuilder *, class nsTArray<class mozilla::nsDisplayItem *> &) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1636
    #2 0x7ffaab9215ac in mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int) /builds/worker/checkouts/gecko/layout/painting/RetainedDisplayListBuilder.cpp:1776
    #3 0x7ffaab08a1ac in nsLayoutUtils::PaintFrame(class gfxContext *, class nsIFrame *, class nsRegion const &, unsigned int, enum mozilla::nsDisplayListBuilderMode, enum nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3319
    #4 0x7ffaaaf4edfa in mozilla::PresShell::PaintInternal(class nsView *, enum mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6445
    #5 0x7ffaaa5a1a68 in nsViewManager::ProcessPendingUpdatesPaint(class nsIWidget *) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:440
    #6 0x7ffaaa5a0bb1 in nsViewManager::ProcessPendingUpdatesForView(class nsView *, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:375
    #7 0x7ffaaa5a59b3 in nsViewManager::ProcessPendingUpdates(void) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:948
    #8 0x7ffaaa59c2ca in nsViewManager::WillPaintWindow(class nsIWidget *) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:606
    #9 0x7ffaaa59c0a9 in nsView::WillPaintWindow(class nsIWidget *) /builds/worker/checkouts/gecko/view/nsView.cpp:1044
    #10 0x7ffaaa648ddd in mozilla::widget::PuppetWidget::Paint(void) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:975
    #11 0x7ffaaa648b98 in mozilla::widget::PuppetWidget::WidgetPaintTask::Run(void) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:963
    #12 0x7ffaa12d3986 in mozilla::SchedulerGroup::Runnable::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:144
    #13 0x7ffaa1335e0d in mozilla::RunnableTask::Run(void) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:467
    #14 0x7ffaa12ec161 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:770
    #15 0x7ffaa12e86bc in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(class mozilla::detail::BaseAutoLock<class mozilla::Mutex &> const &) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:606
    #16 0x7ffaa12e9084 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:390
    #17 0x7ffaa133df61 in mozilla::TaskController::InitializeInternal::<lambda_1>::operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124
    #18 0x7ffaa133df61 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:124:7'>::Run /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:531
    #19 0x7ffaa1316843 in nsThread::ProcessNextEvent(bool, bool *) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1195
    #20 0x7ffaa132769c in NS_ProcessNextEvent(class nsIThread *, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:467
    #21 0x7ffaa27b62cd in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
    #22 0x7ffaa26c8f05 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #23 0x7ffaa26c8f05 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #24 0x7ffaa26c8cd5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #25 0x7ffaaa6b57fa in nsBaseAppShell::Run(void) /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137
    #26 0x7ffaaa8a4ebb in nsAppShell::Run(void) /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:605
    #27 0x7ffaaeed1104 in XRE_RunAppShell(void) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:870
    #28 0x7ffaa26c8f05 in MessageLoop::RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331
    #29 0x7ffaa26c8f05 in MessageLoop::RunHandler(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324
    #30 0x7ffaa26c8cd5 in MessageLoop::Run(void) /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306
    #31 0x7ffaaeed06a1 in XRE_InitChildProcess(int, char **const, struct XREChildData const *) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:707
    #32 0x7ff772f22095 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:58
    #33 0x7ff772f22095 in NS_internal_main(int, char **, char **) /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327
    #34 0x7ff772f217ad in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:147
    #35 0x7ff7730215b7 in invoke_main d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:90
    #36 0x7ff7730215b7 in __scrt_common_main_seh d:\agent\_work\1\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
    #37 0x7ffad97e84d3  (C:\Windows\System32\KERNEL32.DLL+0x1800084d3)
    #38 0x7ffadb421790  (C:\Windows\SYSTEM32\ntdll.dll+0x180051790)

0x124951892b16 is located 1814 bytes inside of 32768-byte region [0x124951892400,0x12495189a400)
allocated by thread T0 here:
    #0 0x7ffac5ff7deb in malloc Z:\task_164246493435785\fetches\llvm-project\llvm\projects\compiler-rt\lib\asan\asan_malloc_win.cpp:98
    #1 0x7ffaab10133c in mozilla::ArenaAllocator<32768,8>::AllocateChunk /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171
    #2 0x7ffaab10133c in mozilla::ArenaAllocator<32768,8>::InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205
    #3 0x7ffaab10133c in mozilla::ArenaAllocator<32768,8>::Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66
    #4 0x7ffaab10133c in mozilla::ArenaAllocator<32768, 8>::Allocate(unsigned __int64) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70
    #5 0x7ffaaba3fa86 in mozilla::nsDisplayListBuilder::Allocate /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:889
    #6 0x7ffaaba3fa86 in mozilla::nsDisplayListBuilder::Allocate /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:901
    #7 0x7ffaaba3fa86 in mozilla::nsDisplayCompositorHitTestInfo::operator new /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:4688
    #8 0x7ffaaba3fa86 in mozilla::MakeDisplayItemWithIndex /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:1980
    #9 0x7ffaaba3fa86 in mozilla::nsDisplayList::AppendNewToTopWithIndex<class mozilla::nsDisplayCompositorHitTestInfo, class nsIFrame>(class mozilla::nsDisplayListBuilder *, class nsIFrame *, unsigned short) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:3113
    #10 0x7ffaab9a8465 in mozilla::nsDisplayList::AppendNewToTop /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.h:3106
    #11 0x7ffaab9a8465 in mozilla::nsDisplayListBuilder::BuildCompositorHitTestInfoIfNeeded(class nsIFrame *, class mozilla::nsDisplayList *) /builds/worker/checkouts/gecko/layout/painting/nsDisplayList.cpp:2007
    #12 0x7ffaab3805c4 in nsIFrame::DisplayBackgroundUnconditional(class mozilla::nsDisplayListBuilder *, class mozilla::nsDisplayListSet const &, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2593
    #13 0x7ffaab219ae5 in nsIFrame::DisplayBorderBackgroundOutline(class mozilla::nsDisplayListBuilder *, class mozilla::nsDisplayListSet const &, bool) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:2612
    #14 0x7ffaab2ca125 in mozilla::ScrollFrameHelper::BuildDisplayList(class mozilla::nsDisplayListBuilder *, class mozilla::nsDisplayListSet const &) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:3703
    #15 0x7ffaab21eb6a in nsIFrame::BuildDisplayListForChild(class mozilla::nsDisplayListBuilder *, class nsIFrame *, class mozilla::nsDisplayListSet const &, class mozilla::EnumSet<enum nsIFrame::DisplayChildFlag, unsigned int>) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:4370
    #16 0x7ffaab164c93 in mozilla::ViewportFrame::BuildDisplayList(class mozilla::nsDisplayListBuilder *, class mozilla::nsDisplayListSet const &) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:66
    #17 0x7ffaab384fd9 in nsIFrame::BuildDisplayListForStackingContext(class mozilla::nsDisplayListBuilder *, class mozilla::nsDisplayList *, bool *) /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:3488
    #18 0x7ffaab08a503 in nsLayoutUtils::PaintFrame(class gfxContext *, class nsIFrame *, class nsRegion const &, unsigned int, enum mozilla::nsDisplayListBuilderMode, enum nsLayoutUtils::PaintFrameFlags) /builds/worker/checkouts/gecko/layout/base/nsLayoutUtils.cpp:3358
    #19 0x7ffaaaf4edfa in mozilla::PresShell::PaintInternal(class nsView *, enum mozilla::PaintInternalFlags) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6445
    #20 0x7ffaaa5a1a68 in nsViewManager::ProcessPendingUpdatesPaint(class nsIWidget *) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:440
    #21 0x7ffaaa5a0bb1 in nsViewManager::ProcessPendingUpdatesForView(class nsView *, bool) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:375
    #22 0x7ffaaa5a59b3 in nsViewManager::ProcessPendingUpdates(void) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:948
    #23 0x7ffaaae9b5f8 in nsRefreshDriver::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, enum nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2570
    #24 0x7ffaaaeaff33 in mozilla::RefreshDriverTimer::TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:349
    #25 0x7ffaaaeaff33 in mozilla::RefreshDriverTimer::TickRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp, class nsTArray<class RefPtr<class nsRefreshDriver>> &) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326
    #26 0x7ffaaaeafb33 in mozilla::RefreshDriverTimer::Tick(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342
    #27 0x7ffaaaeaf653 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:780
    #28 0x7ffaaaeae8e3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(struct mozilla::layers::BaseTransactionId<class mozilla::VsyncIdType>, class mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:703
    #29 0x7ffaaaead50e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync(void) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:620
    #30 0x7ffaaaeaccee in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(struct mozilla::VsyncEvent const &) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:541
    #31 0x7ffaa9b4a920 in mozilla::dom::VsyncMainChild::RecvNotify(struct mozilla::VsyncEvent const &, float const &) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68
    #32 0x7ffaa2ef9968 in mozilla::dom::PVsyncChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:208
    #33 0x7ffaa2c3696d in mozilla::ipc::PBackgroundChild::OnMessageReceived(class IPC::Message const &) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6187
    #34 0x7ffaa27aceb4 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(class mozilla::ipc::ActorLifecycleProxy *, class IPC::Message const &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2039
    #35 0x7ffaa27a91ef in mozilla::ipc::MessageChannel::DispatchMessage(class IPC::Message &&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1964
    #36 0x7ffaa27ab096 in mozilla::ipc::MessageChannel::RunMessage(class mozilla::ipc::MessageChannel::MessageTask &) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1823

Maybe Fission related. (DOMFissionEnabled=1)

Crash report: https://crash-stats.mozilla.org/report/index/0dc6c877-0463-41d1-9913-1613c0220125

Reason: EXCEPTION_ACCESS_VIOLATION_READ

Top 10 frames of crashing thread:

0 xul.dll mozilla::RDL::ClearPreviousItems layout/painting/RetainedDisplayListBuilder.cpp:1636
1 xul.dll mozilla::RetainedDisplayListBuilder::AttemptPartialUpdate layout/painting/RetainedDisplayListBuilder.cpp:1776
2 xul.dll static nsLayoutUtils::PaintFrame layout/base/nsLayoutUtils.cpp:3319
3 xul.dll mozilla::PresShell::PaintInternal layout/base/PresShell.cpp:6445
4 xul.dll nsViewManager::ProcessPendingUpdatesPaint view/nsViewManager.cpp:440
5 xul.dll nsViewManager::ProcessPendingUpdatesForView view/nsViewManager.cpp:375
6 xul.dll nsViewManager::ProcessPendingUpdates view/nsViewManager.cpp:948
7 xul.dll nsRefreshDriver::Tick layout/base/nsRefreshDriver.cpp:2570
8 xul.dll mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:1609:15'>::Run xpcom/threads/nsThreadUtils.h:531
9 xul.dll mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal xpcom/threads/TaskController.cpp:770

There are 5 crashes (from 2 installations) in nightly 98 with buildid 20220125100058. In analyzing the backtrace, the regression may have been introduced by patch [1] to fix bug 1697979.

[1] https://hg.mozilla.org/mozilla-central/rev?node=1513c7b10085

Blocks: clouseau
Flags: needinfo?(mikokm)
Regressed by: 1697979
Attached file testcase.html
Flags: in-testsuite?
Keywords: testcase

A Pernosco session is available here: https://pernos.co/debug/myAr9Sh1jgbfEfILRb6pVg/index.html

Assignee: nobody → mikokm
Status: NEW → ASSIGNED
Flags: needinfo?(mikokm)
Has Regression Range: --- → yes
Depends on: domino
Blocks: domino
No longer depends on: domino

[Tracking Requested - why for this release]: the number of crashes is a bit high for nightly.

Tracking for 98. Miko, do you have a fix coming in the 98 cycle, or should we back out bug 1697979? Thanks

Flags: needinfo?(mikokm)

(In reply to Pascal Chevrel:pascalc from comment #5)

> Tracking for 98. Miko, do you have a fix coming in the 98 cycle, or should we back out bug 1697979? Thanks

This feature is behind a pref, enabled for Nightly builds only in bug 1751742.

Flags: needinfo?(mikokm) → behind-pref+
Regressed by: 1751742
No longer regressed by: 1697979
Priority: -- → P1

In this testcase ViewportFrame::BuildDisplayList() was detecting an opaque top layer (fullscreen), which causes us to delete the display list contents below. This was causing a UAF because RetainedDisplayListBuilder still had those items in its previous items list.
This patch moves those items to nsDisplayListBuilder, where they can be removed when display items are destroyed.

Ideally this would be solved with better display item lifetime handling, rather than deleting them all over the place. We also do this with blend modes (when using RDL) and text overflows.
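
The two comments above describe the bug class (a retained list of raw display-item pointers that nobody clears when another code path deletes the items) and the shape of the fix (keep that list with the object that owns and destroys the items). The following is an added C++ illustration of both shapes; it is not Gecko code and not the patch, and every class and function name in it (ItemOwner, RetainedBuilder, DisplayItem, CountDangling, ClearReusedItems, and the two scenario functions) is hypothetical. The buggy shape is made observable without actually performing the use-after-free: the owner keeps an address-only live set, so a test can count dangling entries instead of dereferencing them.

```cpp
// Added illustration (not Gecko code): a retained "previous items" list of raw
// pointers dangles when another component deletes the items; the fix keeps the
// list with the owner so destruction removes the entry. Names are hypothetical.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <memory>
#include <unordered_map>
#include <vector>

// The flag stands in for the IsReusedItem() state that the ASan report above
// shows being read from freed arena memory.
struct DisplayItem {
  std::uint32_t id;
  bool reused = false;
};

// Hypothetical owner of all display items (the role nsDisplayListBuilder plays
// in the fix). Creation and destruction go through it.
class ItemOwner {
 public:
  DisplayItem* Create(std::uint32_t id) {
    auto item = std::make_unique<DisplayItem>(DisplayItem{id});
    DisplayItem* raw = item.get();
    mLive.emplace(raw, std::move(item));
    return raw;
  }

  // Fixed shape: drop the item from the reused list before freeing it, so a
  // later ClearReusedItems() can never touch freed memory.
  void Destroy(DisplayItem* item) {
    mReused.erase(std::remove(mReused.begin(), mReused.end(), item),
                  mReused.end());
    mLive.erase(item);  // frees the item
  }

  void AddReused(DisplayItem* item) {
    item->reused = true;
    mReused.push_back(item);
  }

  // Safe counterpart of ClearPreviousItems(): every pointer visited is live.
  // Returns how many reused flags were cleared.
  std::size_t ClearReusedItems() {
    std::size_t cleared = 0;
    for (DisplayItem* item : mReused) {
      item->reused = false;
      ++cleared;
    }
    mReused.clear();
    return cleared;
  }

  // Address-only membership test; never dereferences its argument.
  bool IsLive(const DisplayItem* item) const { return mLive.count(item) != 0; }

 private:
  std::unordered_map<const DisplayItem*, std::unique_ptr<DisplayItem>> mLive;
  std::vector<DisplayItem*> mReused;
};

// Buggy shape: a separate retained builder keeps its own raw-pointer list and
// is never told when the owner deletes a subtree.
class RetainedBuilder {
 public:
  void Remember(DisplayItem* item) {
    item->reused = true;
    mPrevious.push_back(item);
  }

  // Counts remembered pointers that no longer refer to live items, comparing
  // addresses only, so the dangling state is detectable without the
  // use-after-free that iterating and reading item->reused would cause.
  std::size_t CountDangling(const ItemOwner& owner) const {
    std::size_t dangling = 0;
    for (const DisplayItem* item : mPrevious) {
      if (!owner.IsLive(item)) ++dangling;
    }
    return dangling;
  }

 private:
  std::vector<DisplayItem*> mPrevious;
};

// Scenario from the bug: two items are retained, then one is deleted behind the
// retained builder's back. Returns the number of dangling entries (1).
std::size_t DanglingAfterSubtreeDelete() {
  ItemOwner owner;
  RetainedBuilder retained;
  DisplayItem* a = owner.Create(1);
  DisplayItem* b = owner.Create(2);
  retained.Remember(a);
  retained.Remember(b);
  owner.Destroy(b);  // retained still holds b
  return retained.CountDangling(owner);
}

// Same scenario with the list owned by ItemOwner: only the surviving item is
// visited when flags are cleared. Returns 1.
std::size_t ClearedAfterSubtreeDeleteFixed() {
  ItemOwner owner;
  DisplayItem* a = owner.Create(1);
  DisplayItem* b = owner.Create(2);
  owner.AddReused(a);
  owner.AddReused(b);
  owner.Destroy(b);  // also removes b from the owner's reused list
  return owner.ClearReusedItems();
}
```

The design point is ownership of the bookkeeping: a list of raw pointers is only safe if the code that frees the pointees is the same code that maintains the list. A live set like the one in ItemOwner is also a cheap debug-build check to keep around, since it turns a silent dangling entry into an assertion before the next paint dereferences it.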

Pushed by mikokm@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/cef9ae46c125
Remove destroyed display items from reused display items list r=mstange
Flags: in-testsuite? → in-testsuite-

Unfortunately it turned out to be very difficult to add the test as crashtest. I also tried to convert it to a mochitest, but was unable to reproduce the crash.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 98 Branch
