Open Bug 306939 (randomstyles) Opened 15 years ago Updated 3 years ago

Bugs found by Random Styles (adding random style properties to DOM elements)

Categories

(Core :: Platform Fuzzing Team, defect)

People

(Reporter: jruderman, Assigned: jruderman)

References

(Depends on 165 open bugs, Blocks 1 open bug)

Details

(Keywords: meta, sec-other, Whiteboard: [sg:nse] meta)

Attachments

(1 file, 7 obsolete files)

This bookmarklet gives random inline styles to random elements in the page. 
Like the bookmarklet in bug 306663, "Random styles" is fairly effective at
finding crash bugs in Gecko.

I'm filing this bug as security-sensitive and keeping the bookmarklet secret for
now.

I've seen this bookmarklet give me three unique stack signatures so far, but
I've only been able to reproduce one somewhat reliably.  Testcase coming up in a
bug that will block this one.
Severity: normal → critical
Keywords: crash, meta
Depends on: 306940
Bug 306940 happens often enough that it makes it difficult to tell whether there
are other crashes.  I'll do another round of testing once it is fixed.
Flags: blocking1.8b5?
Depends on: 307809
Bug fix: add a check that n.style exists before trying to change a node's
style.
Attachment #195383 - Attachment is obsolete: true
Depends on: 307979
Depends on: 307981
Depends on: 307989
Depends on: 307992
Flags: blocking1.8b5? → blocking1.8b5+
dbaron, can you look into this?
Assignee: nobody → dbaron
If you come up with a very safe fix in the next couple of days, please request
approval for the patch and we'll evaluate.
Flags: blocking1.8b5+ → blocking1.8b5-
Attached file Random Styles recorder (obsolete) —
This is one of the tools I use when I want to reduce a Random Styles testcase. 
Its output is meant to be pasted back into the script, replacing the first two
lines.
Depends on: 311457
Whiteboard: [sg:investigate]
Depends on: 253479
Depends on: 313086
Depends on: 316598
Depends on: 316599
Depends on: 316604
Depends on: 316608
Depends on: 316623
Depends on: 316631
Depends on: 316635
Depends on: 316636
Depends on: 316639
Depends on: 316641
Depends on: 316653
Alias: randomstyles
Blocks: fuzz
Depends on: 317502
Depends on: 317519
Depends on: 317520
Depends on: 317521
Depends on: 317522
The crash points of bug 316599 and bug 316608 appear in many of the other random styles and stir dom crashers. I didn't report each individually, but bug 316599 and bug 316608 look like good candidates to fix first so that we find other crashers which are hiding behind them.
Depends on: 318451
Depends on: 319280
I don't have enough permissions to see the individual bugs, so commenting here:

On 1.5 I crash in XmlInitUnknownEncodingNS, probably due to a null dereference.

On latest trunk Jesse's program stops generating new styles after several seconds.

On trunk on Linux from several days before there is a potential stack overflow from these starting values:

808080, 3, 100, 400
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1222022944 (LWP 2717)]
0xdddddddd in ?? ()
(gdb) info stack
#0  0xdddddddd in ?? ()
#1  0x082ce69c in nsIFrame::GetStyleData (this=0x954a4d8, 
    aSID=eStyleStruct_Display) at nsIFrame.h:610
(In reply to comment #8)
Bug 316608 seems to have a similar stacktrace as the GetStyleData crash.

It's also important to mention on which page you crash and with what parameters.
(In reply to comment #9)
> (In reply to comment #8)
> Bug 316608 seems to have a similar stacktrace as the GetStyleData crash.
> 

This bug gives me "access denied".

> It's also important to mention on which page you crash and with what
> parameters.

As mentioned in my previous post, the starting parameters in the confirm dialog are:
808080, 3, 100, 400
Waiting is several seconds.
Tested on Linux.

Don't know how to find the exact page.

If someone CCs me on bug 316608 I will try the testcase.
The problem is, I'm not really sure I'm allowed to cc you on that bug.
Running Jesse's fuzzer on Linux:

FF 1.5: crashes only in XmlInitUnknownEncodingNS for me.
On latest trunk: stops generating new pages after several seconds.

Am I doing something wrong?

Starting values in the confirm dialog:
161616, 4, 100, 400

All Linux:
1.5 - innocent crash in XmlInitUnknownEncodingNS
latest trunk on x86_64 (64 bit) - smashed |this| in nsCachedStyleData::GetStyleData
latest trunk on i386: the stack seems smashed
Without knowing what page you're starting on (and the parameters, which you did give), we can't reproduce the crashes you're seeing.
(In reply to comment #15)
> Without knowing what page you're starting on (and the parameters, which you did
> give), we can't reproduce the crashes you're seeing.
> 

Starting local copy of "Random Styles 1.5.1 (for pasting into testcases)".
The parameters are described in comment #14:

starting values in the confirm dialog:
161616, 4, 100, 400
Jesse: what about adding window.dump(CURRENTVALUES)?
In debug builds started from a terminal, this will print the current values in the terminal, so the exact page will be easily found.
Crashes or timeouts found in this run appear as

randomstyles: url?fuzz=parms...

The test loads the page (with the querystring), then runs the randomstyles bookmarklet with the specified parameters. You can copy/paste the parameters from the query string directly into the randomstyles input prompt.

The end of each line identifies the machine, the date the test run began and
the build which was tested. For example, 

prunessh/2005-12-17-02-34-33-firefox-1.5-build-dbg-1.8_2005121411.log

was run on prune (a windows machine), on Dec 17, using a 1.8 debug build built
on 2005-12-14-11. 

You can reproduce each test case by loading the url including the query string, then running randomstyles with the appropriate parameter.
Latest FF trunk build from source stops the crashes in comment 8 and comment 14, but the generator stops generating new pages. There are assertions in the terminal.
Depends on: 321901
Attached file Random Styles recorder (obsolete) —
Changes made to both Stir DOM and Random Styles recorders:
1. Make it record information about chunks/intervals so that
  (a) it can record the equivalent of a nonzero "number of changes to do immediately" in the bookmarklet.
  (b) while reducing, the chunk boundaries don't move.
2. Make it work with both XML and HTML without requiring separate versions.
3. Improve the instructions.

Changes made only to Random Styles recorder:
1. Add "if(n.style)" check in addElements to match bookmarklet.
Attachment #198554 - Attachment is obsolete: true
Depends on: 322185
Whiteboard: [sg:investigate] → [sg:nse] meta
Depends on: 322436
Depends on: 322704
Depends on: 323589
Depends on: 326495
Depends on: 284844
Assignee: dbaron → nobody
Depends on: 330480
Depends on: 330486
See also bug 331889.  The "Random Classes" bookmarklet there does most of what this one does, and more.
Keywords: crash
Depends on: 336291
Depends on: 336899
Depends on: 336962
Depends on: 336999
Depends on: 321073
Depends on: 323489
Depends on: 337268
OS: Mac OS X 10.2 → All
Hardware: Macintosh → All
Depends on: 337476
Depends on: 337883
Depends on: 337896
Depends on: 338702
Depends on: 338703
Attached file Random Styles 1.6 (requires fuzz.js) (obsolete) —
* Converted it to use fuzz.js (see bug 339948).
* No longer uses separate versions for bookmarklet-source and recording.
* Changed "float" to "cssFloat" (???).
Attachment #195488 - Attachment is obsolete: true
Attachment #207403 - Attachment is obsolete: true
Depends on: 340945
Depends on: 311161
Depends on: 342322
Attached file Random Styles 2.0 (obsolete) —
Attachment #224050 - Attachment is obsolete: true
Depends on: 343221
Depends on: 348991
Depends on: 349974
Depends on: 353008
Depends on: 353610
Depends on: 354458
Depends on: 354771
Depends on: 355426
Attached file Random Styles 3.0 (obsolete) —
Attachment #226745 - Attachment is obsolete: true
Shouldn't have security bugs assigned to nobody. Jesse can own his test bugs.
Assignee: nobody → jruderman
Depends on: 364407
Depends on: 364427
Depends on: 364512
Depends on: 366271
Depends on: 366583
Depends on: 366667
Depends on: 366952
Summary: Crashes found by Jesse's "Random styles" bookmarklet → Bugs found by Jesse's "Random styles" bookmarklet
Depends on: 367740
Depends on: 368330
Depends on: 370699
Depends on: 370703
Depends on: 370794
Depends on: 370866
Comment on attachment 242968 [details]
Random Styles 3.0

New version in bug 339948.
Attachment #242968 - Attachment is obsolete: true
Depends on: 371563
Depends on: 371566
Severity: critical → normal
Depends on: 372475
Depends on: 373122
Depends on: 373611
Depends on: 373859
Depends on: 373868
Depends on: 374356
Depends on: 379687
Depends on: 379768
Depends on: 379788
Depends on: 380096
Depends on: 380200
Depends on: 380359
Depends on: 381786
Depends on: 382129
Depends on: 382199
Depends on: 382204
Depends on: 382610
Depends on: 383089
Depends on: 384728
Depends on: 386554
Depends on: 387051
Depends on: 387058
Depends on: 387205
Depends on: 387209
Depends on: 387213
Depends on: 387214
Depends on: 387215
Depends on: 387233
Depends on: 387282
Depends on: 389635
Depends on: 391034
Depends on: 391157
Depends on: 391178
Depends on: 391879
Depends on: 391898
Depends on: 391909
Depends on: 391979
Depends on: 392115
Depends on: 392132
Depends on: 393330
Depends on: 393656
Depends on: 393665
Depends on: 393671
Depends on: 393906
Depends on: 393956
Depends on: 394820
Depends on: 395340
Depends on: 395575
Depends on: 395628
Depends on: 397011
Depends on: 397852
Depends on: 397961
Depends on: 398181
Depends on: 399411
Depends on: 399715
Depends on: 399951
Depends on: 400081
Depends on: 400190
Depends on: 400223
Depends on: 400232
Depends on: 400244
Depends on: 403143
Depends on: 403296
Depends on: 403576
Depends on: 404118
Depends on: 404140
Depends on: 404470
Depends on: 404721
Depends on: 406380
Depends on: 406485
Depends on: 407277
Depends on: 407550
Depends on: 408292
Depends on: 408299
Depends on: 408602
Depends on: 408749
Depends on: 408753
Depends on: 408883
Depends on: 409513
Depends on: 409565
Depends on: 410267
Depends on: 410426
Depends on: 410428
Depends on: 410595
Depends on: 410596
Depends on: 411213
Depends on: 411835
Depends on: 411851
Depends on: 411853
Depends on: 411870
Depends on: 412014
Depends on: 412201
Depends on: 413048
Depends on: 413079
Depends on: 414180
Depends on: 414188
Depends on: 414719
Depends on: 415685
Depends on: 416088
Depends on: 416107
Depends on: 416264
Depends on: 416476
Depends on: 416637
Depends on: 416639
Depends on: 416648
Depends on: 416734
Depends on: 417848
Depends on: 417902
Depends on: 418139
Depends on: 418932
Depends on: 419737
Depends on: 420000
Depends on: 420213
Depends on: 420219
Depends on: 420242
Depends on: 420415
Depends on: 420651
Depends on: 420945
Depends on: 421185
Depends on: 422301
Depends on: 423055
Depends on: 423098
Depends on: 423107
Depends on: 423110
Depends on: 424225
Depends on: 426040
Depends on: 426272
Depends on: 428138
Depends on: 428263
Depends on: 429454
Depends on: 429881
Depends on: 429960
Depends on: 429981
Depends on: 430352
Depends on: 430374
Depends on: 430569
Depends on: 430744
Depends on: 430887
Depends on: 431086
Depends on: 431738
Depends on: 433450
Depends on: 435223
Depends on: 436194
Depends on: 436602
Depends on: 436823
Depends on: 436969
Depends on: 436977
Depends on: 437142
Depends on: 437156
Depends on: 437328
Depends on: 437565, 437566
Depends on: 438266
Depends on: 439204
Depends on: 441683
Depends on: 442860
Depends on: 443528
Depends on: 444230
Depends on: 444431
Depends on: 444702
Depends on: 444863
Depends on: 444864
Depends on: 445288
Depends on: 448903
Depends on: 449111
Depends on: 451315
Depends on: 451316
Depends on: 451334
Depends on: 452157
Depends on: 452165
Depends on: 453762
Depends on: 453894
Depends on: 454345
Depends on: 454719
Depends on: 455643
Depends on: 457375
Depends on: 458637
Depends on: 459968
Depends on: 460387
Depends on: 461294
Depends on: 461296
Depends on: 462968
Depends on: 463307
Depends on: 463741
Depends on: 464407
Depends on: 464589
Depends on: 465651
Depends on: 467213
Depends on: 467487
Depends on: 467493
Depends on: 467703
Depends on: 467873
Depends on: 467875
Depends on: 468207
Depends on: 468556
Depends on: 468563
Depends on: 468578
Depends on: 468967
Depends on: 471064
Depends on: 471619
Depends on: 472218
Depends on: 472587
Depends on: 472909
Depends on: 473278
Depends on: 474075
Depends on: CVE-2010-3174
Depends on: 476579
Depends on: 477928
Depends on: 478128
Depends on: 478170
Depends on: 479373
Depends on: 480686
Depends on: 486052
Depends on: 487544
Depends on: 489480
Depends on: 490778
Depends on: 493118
Depends on: 493649
Depends on: 493863
Depends on: 495875
Depends on: 497519
Depends on: 498533
Depends on: 499858
Depends on: 499862
Depends on: 499885
Depends on: 501870
Depends on: 502707
Depends on: 505320
Depends on: 505399
Depends on: 505912
Depends on: 507563
Depends on: 508154
Depends on: 508168
Depends on: 508325
Depends on: 508911
Depends on: 509156
Depends on: 509569
Depends on: 512724
Depends on: 512725
Depends on: 512749
Depends on: 512978
Depends on: 513106
Depends on: 513113
Depends on: 513394
Depends on: 514800
Depends on: 515811
Depends on: 516512
Depends on: 520340
Depends on: 532726
Depends on: 533379
Depends on: 534368
Depends on: 534768
Depends on: 537562
Depends on: 537631
Depends on: 537645
Depends on: 539137
Depends on: 539342
Depends on: 541714
Depends on: 541868, 541869
Depends on: 542136
Depends on: 543648
Depends on: 543649
Depends on: 545571
Depends on: 546870
Depends on: 547843
Depends on: 550325
Depends on: 550364
Depends on: 553504
Depends on: 557348
Depends on: 562510
Depends on: 563740
Depends on: 564231
Depends on: 565248
Depends on: 569193
Depends on: 570038
Depends on: 570289
Depends on: 570386
Depends on: 571618
Depends on: 571975
Depends on: 571995
Depends on: 572003
Depends on: 574889
Depends on: 574904
Depends on: 575446
Depends on: 575464
Depends on: 576649
Depends on: 576719
Depends on: 576927
Depends on: 580481
Depends on: 588627
Depends on: 589002
Depends on: 591075
Depends on: 591138
Depends on: 591998
Depends on: 592118