Closed Bug 393770 Opened 13 years ago Closed 13 years ago

Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]

Categories

(Core :: General, defect)

1.8 Branch
defect
Not set
critical

Tracking

()

VERIFIED FIXED

People

(Reporter: pvnick, Assigned: mats)

References

Details

(Keywords: crash, verified1.8.0.14, verified1.8.1.8, Whiteboard: [sg:critical?] wfm trunk. using freed frame)

Crash Data

Attachments

(7 files, 1 obsolete file)

Attached file testcase (obsolete) —
Firefox version:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070812 BonEcho/2.0.0.6

Details:
eax=02717b70 ebx=023ac510 ecx=0271c260 edx=0270ba54 esi=0012fb70 edi=02717b28
eip=02717a75 esp=0012fb3c ebp=0012fb5c iopl=0         nv up ei pl nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000203
02717a75 224402a8        and     al,byte ptr [edx+eax-58h]  ds:0023:04e2356c=??


Disassembly:
gklayout!nsIFrame::GetStateBits+0xa:
0197f53a 8b4024          mov     eax,dword ptr [eax+24h]
0197f53d 8be5            mov     esp,ebp
0197f53f 5d              pop     ebp
0197f540 c3              ret
0197f541 cc              int     3
0197f542 cc              int     3
0197f543 cc              int     3
0197f544 cc              int     3

Stack trace (using release build - debug build didnt crash):
0x2717a75
xpcom_core!nsQueryInterface::operator()
firefox!Java_netscape_javascript_JSObject_initClass
firefox!nsFontList::Release
firefox!jpeg_mem_init
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
firefox!nsPrintOptions::GetNewPrintSettings
xpcom_core!PL_HandleEvent
xpcom_core!PL_ProcessPendingEvents
xpcom_core!PL_IsQueueNative

This crashes all over the place, and definitely looks exploitable, IMO. Also, I wasn't able to reduce the testcase any further - maybe someone else will have more luck.
Flags: blocking1.8.1.7?
Flags: blocking1.8.0.13?
[STACKHASH:AD5295AC3574BB6B0A3CB7DBA1455E8]
Paul, could you create a testcase that crashes online, directly?
You have external references to localhost in your source.
Attached file fixed testcase
This should work. If anyone can further reduce this testcase, they should do so since it exposes the existence and partial workings of the fuzzer scripts.
Assignee: nobody → mats.palmgren
Keywords: crash
OS: Windows XP → All
Hardware: PC → All
Summary: Crash [@xpcom_core!nsQueryInterface::operator] → Crash [@ nsCachedStyleData::GetStyleData] from [@ nsQuoteNode::Text]
Whiteboard: [sg:critical?] using freed frame
Attached file stack for the crash
Frames can be destroyed while nsQuoteList::RecalcAll is iterating the list.
nsCSSFrameConstructor::NotifyDestroyingFrame removes the corresponding
quote list node for the destroyed frame...
Attached patch wip (branch 1.8)Splinter Review
This avoids the crash.  Looking at nsCounterList::RecalcAll(), I think the
same thing could happen there also:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/base/nsCounterManager.cpp&rev=3.1.12.1&root=/cvsroot&mark=184#163
So on trunk this is OK because no one sees these events, right?  Can we make that change on branch too?  Just not propagate mutation events out of anonymous content?
Mutation events shouldn't propagate from native anonymous content on branch 
either, hmm, unless the nsIContent is a nsGenericDOMDataNode. Is that the case here? Should the same thing be done for nsGenericDOMDataNode as what was done
for nsGenericElement in Bug 382681.
Problem is that on branch nsGenericDOMDataNode doesn't implement
SetNativeAnonymous()
http://lxr.mozilla.org/mozilla1.8/source/content/base/src/nsGenericDOMDataNode.cpp#742
Yes, the anon content is a nsTextNode here.

Can we use GetBindingParent() == this as the native anonymous test on branch?
Unfortunately no, because bug 329122 is trunk only :(
Ah, right.  :(
(In reply to comment #9)
> So on trunk this is OK because no one sees these events, right?

Yes, I disabled the code that prevents these events on trunk and got
the exact same crash on trunk.

> Can we make that change on branch too?

I (naively) implemented nsGenericDOMDataNode::SetNativeAnonymous()
by setting a flag on nsGenericDOMDataNode and used that to avoid calling
HandleDOMEvent() in nsGenericDOMDataNode::HandleDOMEvent().
This fixes the bug, but we'd need to find a place for the extra bit...
(the two bits we have in mParentPtrBits are already in use AFAICT)
Could we steal a bit from the length in nsTextFragment?
Even better would be to use a bit from mNodeInfoManager
Attached patch wip3 (branch 1.8) (obsolete) — Splinter Review
Like this?
Attachment #278694 - Flags: review?(jonas)
Flags: wanted1.8.1.x+
Flags: wanted1.8.0.x+
Flags: blocking1.8.1.7?
Flags: blocking1.8.1.7+
Flags: blocking1.8.0.14?
Flags: blocking1.8.0.13?
Correction for SetNativeAnonymous().
Attachment #278694 - Attachment is obsolete: true
Attachment #278813 - Flags: review?(jonas)
Attachment #278694 - Flags: review?(jonas)
Yes, though I would rename mNodeInfoManager to mNodeInfoManagerPtrBits to avoid someone using it wrongly accidentally.
Comment on attachment 278813 [details] [diff] [review]
wip4 (branch 1.8)

r=me if you rename mNodeInfoManager to mNodeInfoManagerPtrBits and add a define for the 0x1 flag used both in Get/SetNativeAnonymous and in GetNodeInfoManager
Attachment #278813 - Flags: review?(jonas) → review+
since vendors sometimes backport the patches in the bugs rather than the actual checkins (which is very naughty of them), please request branch approval on a patch that incorporates Jonas's comment 21
Whiteboard: [sg:critical?] using freed frame → [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame
Mats: is this going to make the 1.8.1.8 code freeze (Oct 3)?
Addressing Jonas' review comment.
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.0.14?
Whiteboard: [sg:critical?] wfm trunk, need 1.8 approval request. using freed frame → [sg:critical?] wfm trunk. using freed frame
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

approved for 1.8.1.8 and 1.8.0.14, a=dveditz
Attachment #283290 - Flags: approval1.8.1.8?
Attachment #283290 - Flags: approval1.8.1.8+
Attachment #283290 - Flags: approval1.8.0.14?
Attachment #283290 - Flags: approval1.8.0.14+
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

guess I need an sr here before checkin...
Attachment #283290 - Flags: superreview?(bzbarsky)
Comment on attachment 283290 [details] [diff] [review]
wip5 (branch 1.8)

sr=bzbarsky
Attachment #283290 - Flags: superreview?(bzbarsky) → superreview+
MOZILLA_1_8_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.8.4
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.20.5
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.2.9
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.8.9
mozilla/content/base/src/nsTextNode.cpp 	3.49.8.4
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.4.4
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.8.5

MOZILLA_1_8_0_BRANCH
mozilla/content/base/src/nsCommentNode.cpp 	3.72.14.2
mozilla/content/base/src/nsDOMDocumentType.cpp 	1.27.26.2
mozilla/content/base/src/nsGenericDOMDataNode.cpp 	3.156.8.4
mozilla/content/base/src/nsGenericDOMDataNode.h 	3.98.14.3
mozilla/content/base/src/nsTextNode.cpp 	3.49.14.2
mozilla/content/xml/content/src/nsXMLCDATASection.cpp 	1.39.10.2
mozilla/content/xml/content/src/nsXMLProcessingInstruction.cpp 	1.60.14.2
mozilla/content/xml/content/src/nsXMLStylesheetPI.cpp 	1.12.14.2

-> FIXED
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: blocking1.8.0.14? → in-testsuite?
Resolution: --- → FIXED
Verified fixed, using:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.8pre) Gecko/20071004 BonEcho/2.0.0.8pre

I can see the crash in Firefox2.0.0.7.
Status: RESOLVED → VERIFIED
Group: security
Depends on: 403090
This broke Find code on branch.  See bug 403090.
Verified in Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.0.14pre) Gecko/20071210 Firefox/1.5.0.13pre. 
Crash Signature: [@ nsCachedStyleData::GetStyleData] [@ nsQuoteNode::Text]
You need to log in before you can comment on or make changes to this bug.