<mtd> with huge rowspan causes crash with sad nsCellMap

RESOLVED FIXED

Status

()

defect
--
critical
RESOLVED FIXED
11 years ago
11 years ago

People

(Reporter: jruderman, Assigned: bernd_mozilla)

Tracking

(Blocks 1 bug, 5 keywords)

Dependency tree / graph
Bug Flags:
blocking1.9.0.2 +
wanted1.9.0.x +
blocking1.8.1.17 +
wanted1.8.1.x +
blocking1.8.0.next +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(6 attachments, 4 obsolete attachments)

Reporter

Description

11 years ago
Posted file testcase
Steps to reproduce:
1. Load the testcase in a debug build (Firefox trunk on Tiger).

Result:

Sometimes:
firefox-bin(17051,0xa000d000) malloc: *** error for object 0x339c001b: pointer being reallocated was not allocated
firefox-bin(17051,0xa000d000) malloc: *** set a breakpoint in szone_error to debug
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

Always, a crash at one of the following:
nsCellMap::AppendCell - nsTArray_base::EnsureCapacity
nsCellMap::SetDataAt - nsTArrayElementTraits<CellData*>::Construct<CellData*>
nsCellMap::AppendCell - CellData::IsOrig

All of the crashes involve non-null, bogus pointer dereferences.  For the first crash signature, this is easiest to see with:

export MallocScribble=1
export MallocPreScribble=1
Reporter

Updated

11 years ago
Whiteboard: [sg:critical?]
Crashes my linux nightly optimized build, too.  (OS/Hardware --> All)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1pre) Gecko/2008063004 GranParadiso/3.0.1pre

Crash report:
http://crash-stats.mozilla.com/report/index/ea776a35-47e5-11dd-af52-001cc45a2ce4
OS: Mac OS X → All
Hardware: PC → All
Here's the backtrace from the crash.

At this point, the array looks like this:

(gdb) p this
$2 = (nsTArray_base * const) 0xae9ffb1c
(gdb) p *this
$3 = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0xa5a5a5a5}

We're crashing because we try to dereference mHdr, to see mHdr->mCapacity.
We're wrapping around the unsigned int bound here:

http://mxr.mozilla.org/seamonkey/source/xpcom/glue/nsTArray.cpp

101     size_type size = sizeof(Header) + capacity * elemSize;
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));

at this point, we have
  capacity = 1073741825
  elemSize = 4
  sizeof(Heeader) = 8  (I think)

so 'size' ends up being
   (8 + 1073741825 * 4) mod 2^32 = (4294967308) mod 2^32 = 12

which is much smaller than we're expecting it to be.
Sorry, I should've included a larger code snippet:

100     // NS_Realloc existing data
101     size_type size = sizeof(Header) + capacity * elemSize;  // <--- size=12
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));  
103     if (!header)
104       return PR_FALSE;
105   }
106 
107   header->mCapacity = capacity;           // <---- capacity = 1073741825
108   mHdr = header;

The disconnect between the wrapped-around 'size' and the presumed 'capacity' is what's killing us, I think.
Posted patch partial patch v1 (obsolete) — Splinter Review
This patch fixes the bounds check to avoid the issue described in comment 4.  Basically, EnsureCapacity already has a bounds check, but in this case we're wrapping around in that bounds-check as well, which renders it useless. :)  This just fixes that issue by casting to a PRUint64.

After this patch, we print these assertions:

###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 69
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

... and crash in nsTArray<CellData*>::SetCapacity.

It sounds like someone's not error-checking the return-value of EnsureCapacity (to bail out if needed).
(In reply to comment #5)
> It sounds like someone's not error-checking the return-value of EnsureCapacity
> (to bail out if needed).

Yup, that's happening here:
http://mxr.mozilla.org/seamonkey/source/layout/tables/nsCellMap.cpp#1507

1507     // XXXbz handle allocation failures?
1508     Grow(aMap, 1 + endRowIndex - origNumMapRows);

Grow() returns PR_FALSE if it fails, and we're not checking for that right now.
(In reply to comment #6)
> Grow() returns PR_FALSE if it fails, and we're not checking for that right now.

... and then we hit the "invalid array index" assertion and crash down here, because we think we now have endRowIndex rows to work with (when in fact we don't because Grow() failed)

1596   for (PRInt32 rowX = aRowIndex; rowX <= endRowIndex; rowX++) {
1597     // The row at rowX will need to have at least endColIndex columns
1598     mRows[rowX].SetCapacity(endColIndex);
 

Attachment #327858 - Attachment description: patch v1 → partial patch v1
Posted patch patch v2: abort! (obsolete) — Splinter Review
This patch just aborts with NS_ABORT_IF_FALSE if allocation fails as mentioned in comment 6.

I'll defer to Boris (or anyone else who knows the CellMap code) for the "correct" fix here -- i.e. how we should gracefully handle the allocation failure.

I just wanted to get an initial patch up that would make us at least die safely rather than unsafely, in case there's no easy / immediate more graceful solution for this.
Attachment #327858 - Attachment is obsolete: true
The reason I added the XXX was because I had no idea what to do in that case...  Bernd might know.

We're basically doing an allocation of a size that's under content page control here, right?
Assignee

Comment 10

11 years ago
why isn't the math rowspan blocked at content level? we did that long time ago for html content
Assignee

Comment 11

11 years ago
nsMathMLmtdFrame::GetRowSpan()
and 
nsMathMLmtdFrame::GetColSpan()

should do the same clamping as

we do at http://mxr.mozilla.org/seamonkey/source/content/html/content/src/nsHTMLTableCellElement.cpp#264




Will that get us to the point where this can be a never-fails allocation?  Or should we still handle OOM here?
Reporter

Comment 13

11 years ago
NS_ABORT_IF_FALSE is debug-only.  It does not make opt builds safe.
Comment on attachment 327868 [details] [diff] [review]
patch v2: abort!

Ah, good to know. Marking obsolete.

Bernd mentioned in IRC that he's working on a real fix along the lines of comment 11, so I won't post an updated bail-out patch.
Attachment #327868 - Attachment is obsolete: true
Assignee

Comment 15

11 years ago
Posted patch patchSplinter Review
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: review?(bzbarsky)
Assignee

Comment 16

11 years ago
to my knowledge there is no never-fails allocation, but the patch closes a pretty nasty thing when rowspan/colspan values exceed our internal structure limits which might be before the OOM condition.
> to my knowledge there is no never-fails allocation

The plan for Mozilla2 is to have two types of allocations:

1)  Ones that can never fail (if the memory actually can't be allocated, even after caches are flushed and the memory reserve is used, the program aborts instead of having the allocation fail).

2)  Ones that can fail and need to be null-checked by the caller.

Any allocation that allocates a biggish chunk of data under content control really needs to be the latter.

Sounds like we need a followup bug on actually handling the XXX comment, right?
Comment on attachment 328086 [details] [diff] [review]
patch

Looks OK, except I'd love to see those #defines in a single place instead of in both files.... If there is no good place, maybe that needs fixing.
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: superreview+
Attachment #328086 - Flags: review?(bzbarsky)
Attachment #328086 - Flags: review+
Assignee

Comment 19

11 years ago
I will write a second patch which will handle boris comments inside nsCellMap.cpp. However I believe if the cellmap fails with OOM we are pretty much doomed. What happens then is that: if we bail out, our lookup table (cellmap) gets out of sync with the internal frame structure, which from my experience is certain way to get sooner rather than later the beast down.
Assignee

Comment 20

11 years ago
I did not want to introduce a header dependency, the only .h file that both share is StyleConst.h and adding to that file seems so wrong.
It really sounds like we could use a header both include.  Heck, how about celldata.h?  It should be includable by both.

As for the rest... we really need a way to flag a frame tree as needing immediate destruction in situations like this.  Or something.  Or perhaps we should just stick to abort behavior for now and file a bug to get this sorted out...
Flags: wanted1.9.0.x?
Assignee

Comment 22

11 years ago
Posted patch patch rev1 (obsolete) — Splinter Review
changes required by bz
Assignee

Comment 23

11 years ago
Posted file patch rev1 (obsolete) —
Attachment #329228 - Attachment is obsolete: true
Assignee

Comment 24

11 years ago
Attachment #329231 - Attachment is obsolete: true
Assignee

Comment 25

11 years ago
I am thick of the following:

	<firebot>	Firefox: 'MacOSX Darwin 9.2.2 mozilla-central qm-moz2mini01 dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'Linux mozilla-central qm-centos5-moz2-02-hw dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'WINNT 5.2 mozilla-central qm-win2k3-03 dep unit test' has changed state from Success to Test Failed.

I will be away for vacation, so if somebody finds that tiny moment where all boxes are green please check it in. I will only check it in if the boxes are green and this will not happen before august.

The perma-orange together with the hg disaster (no guilty column on tinderbox + no mark as in bonsai, patch juggling when you are not the tip when somebody did check in between commit and push on a completely different edge of the source base) remembers me the old 'Lethal Weapon' slogan: I'm to old for this shit.

Its time for the reedbot to check this in.

 
Keywords: checkin-needed
Assignee

Comment 26

11 years ago
I just pushed b87fdbfecc16
Keywords: checkin-needed
Assignee

Updated

11 years ago
Blocks: 348954
Assignee

Comment 27

11 years ago
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

This should probably go after some baking onto branches
Attachment #329264 - Flags: approval1.9.0.2?
Assignee

Comment 28

11 years ago
the test case should be pushed once the branches are released.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Whiteboard: [sg:critical?] → [sg:critical?][needs baking]
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #329264 - Flags: approval1.9.0.2? → approval1.9.0.2+
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Whiteboard: [sg:critical?][needs baking] → [sg:critical?]
Bernd, does this apply to the 1.8 branch or do we need a separate patch? (Or, alternatively, is this bug even applicable on the 1.8 branch?)
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.17?
Assignee

Comment 31

11 years ago
Attachment #332206 - Flags: approval1.8.1.17?
Comment on attachment 332206 [details] [diff] [review]
1.8 branch patch

Approved for 1.8.1.17, a=dveditz for release-drivers.
Attachment #332206 - Flags: approval1.8.1.17? → approval1.8.1.17+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.17?
Flags: blocking1.8.1.17+
Assignee

Comment 33

11 years ago
fixed on branches that I care for.
verified fixed on the 1.9.0 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2pre) Gecko/2008082104 GranParadiso/3.0.2pre (equivalent build on Tiger) and Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2pre) Gecko/2008082105 GranParadiso/3.0.2pre.
verified fixed for 1.8.1.17 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18pre) Gecko/2008082803 Firefox/2.0.0.18pre (Debug Build). No Crash on Testcase

Updated

11 years ago
Flags: blocking1.8.0.15+

Comment 36

11 years ago
a=asac for 1.8.0.15
Attachment #336244 - Flags: approval1.8.0.15+
Group: core-security
Reporter

Comment 37

11 years ago
I checked the testcase in as a crashtest.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.