The default bug view has changed. See this FAQ.

<mtd> with huge rowspan causes crash with sad nsCellMap

RESOLVED FIXED

Status

()

Core
MathML
--
critical
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: Jesse Ruderman, Assigned: Bernd)

Tracking

(Blocks: 1 bug, 5 keywords)

Trunk
assertion, crash, testcase, verified1.8.1.17, verified1.9.0.2
Points:
---
Dependency tree / graph
Bug Flags:
blocking1.9.0.2 +
wanted1.9.0.x +
blocking1.8.1.17 +
wanted1.8.1.x +
blocking1.8.0.next +
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(6 attachments, 4 obsolete attachments)

(Reporter)

Description

9 years ago
Created attachment 327731 [details]
testcase

Steps to reproduce:
1. Load the testcase in a debug build (Firefox trunk on Tiger).

Result:

Sometimes:
firefox-bin(17051,0xa000d000) malloc: *** error for object 0x339c001b: pointer being reallocated was not allocated
firefox-bin(17051,0xa000d000) malloc: *** set a breakpoint in szone_error to debug
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

Always, a crash at one of the following:
nsCellMap::AppendCell - nsTArray_base::EnsureCapacity
nsCellMap::SetDataAt - nsTArrayElementTraits<CellData*>::Construct<CellData*>
nsCellMap::AppendCell - CellData::IsOrig

All of the crashes involve non-null, bogus pointer dereferences.  For the first crash signature, this is easiest to see with:

export MallocScribble=1
export MallocPreScribble=1
(Reporter)

Updated

9 years ago
Whiteboard: [sg:critical?]
Crashes my linux nightly optimized build, too.  (OS/Hardware --> All)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.1pre) Gecko/2008063004 GranParadiso/3.0.1pre

Crash report:
http://crash-stats.mozilla.com/report/index/ea776a35-47e5-11dd-af52-001cc45a2ce4
OS: Mac OS X → All
Hardware: PC → All
Created attachment 327835 [details]
backtrace of crash (on linux, in EnsureCapacity)

Here's the backtrace from the crash.

At this point, the array looks like this:

(gdb) p this
$2 = (nsTArray_base * const) 0xae9ffb1c
(gdb) p *this
$3 = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0xa5a5a5a5}

We're crashing because we try to dereference mHdr, to see mHdr->mCapacity.
We're wrapping around the unsigned int bound here:

http://mxr.mozilla.org/seamonkey/source/xpcom/glue/nsTArray.cpp

101     size_type size = sizeof(Header) + capacity * elemSize;
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));

at this point, we have
  capacity = 1073741825
  elemSize = 4
  sizeof(Heeader) = 8  (I think)

so 'size' ends up being
   (8 + 1073741825 * 4) mod 2^32 = (4294967308) mod 2^32 = 12

which is much smaller than we're expecting it to be.
Sorry, I should've included a larger code snippet:

100     // NS_Realloc existing data
101     size_type size = sizeof(Header) + capacity * elemSize;  // <--- size=12
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));  
103     if (!header)
104       return PR_FALSE;
105   }
106 
107   header->mCapacity = capacity;           // <---- capacity = 1073741825
108   mHdr = header;

The disconnect between the wrapped-around 'size' and the presumed 'capacity' is what's killing us, I think.
Created attachment 327858 [details] [diff] [review]
partial patch v1

This patch fixes the bounds check to avoid the issue described in comment 4.  Basically, EnsureCapacity already has a bounds check, but in this case we're wrapping around in that bounds-check as well, which renders it useless. :)  This just fixes that issue by casting to a PRUint64.

After this patch, we print these assertions:

###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 69
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

... and crash in nsTArray<CellData*>::SetCapacity.

It sounds like someone's not error-checking the return-value of EnsureCapacity (to bail out if needed).
(In reply to comment #5)
> It sounds like someone's not error-checking the return-value of EnsureCapacity
> (to bail out if needed).

Yup, that's happening here:
http://mxr.mozilla.org/seamonkey/source/layout/tables/nsCellMap.cpp#1507

1507     // XXXbz handle allocation failures?
1508     Grow(aMap, 1 + endRowIndex - origNumMapRows);

Grow() returns PR_FALSE if it fails, and we're not checking for that right now.
(In reply to comment #6)
> Grow() returns PR_FALSE if it fails, and we're not checking for that right now.

... and then we hit the "invalid array index" assertion and crash down here, because we think we now have endRowIndex rows to work with (when in fact we don't because Grow() failed)

1596   for (PRInt32 rowX = aRowIndex; rowX <= endRowIndex; rowX++) {
1597     // The row at rowX will need to have at least endColIndex columns
1598     mRows[rowX].SetCapacity(endColIndex);
 

Attachment #327858 - Attachment description: patch v1 → partial patch v1
Created attachment 327868 [details] [diff] [review]
patch v2: abort!

This patch just aborts with NS_ABORT_IF_FALSE if allocation fails as mentioned in comment 6.

I'll defer to Boris (or anyone else who knows the CellMap code) for the "correct" fix here -- i.e. how we should gracefully handle the allocation failure.

I just wanted to get an initial patch up that would make us at least die safely rather than unsafely, in case there's no easy / immediate more graceful solution for this.
Attachment #327858 - Attachment is obsolete: true
The reason I added the XXX was because I had no idea what to do in that case...  Bernd might know.

We're basically doing an allocation of a size that's under content page control here, right?
(Assignee)

Comment 10

9 years ago
why isn't the math rowspan blocked at content level? we did that long time ago for html content
(Assignee)

Comment 11

9 years ago
nsMathMLmtdFrame::GetRowSpan()
and 
nsMathMLmtdFrame::GetColSpan()

should do the same clamping as

we do at http://mxr.mozilla.org/seamonkey/source/content/html/content/src/nsHTMLTableCellElement.cpp#264




Will that get us to the point where this can be a never-fails allocation?  Or should we still handle OOM here?
(Reporter)

Comment 13

9 years ago
NS_ABORT_IF_FALSE is debug-only.  It does not make opt builds safe.
Comment on attachment 327868 [details] [diff] [review]
patch v2: abort!

Ah, good to know. Marking obsolete.

Bernd mentioned in IRC that he's working on a real fix along the lines of comment 11, so I won't post an updated bail-out patch.
Attachment #327868 - Attachment is obsolete: true
(Assignee)

Comment 15

9 years ago
Created attachment 328086 [details] [diff] [review]
patch
Assignee: nobody → bernd_mozilla
Status: NEW → ASSIGNED
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: review?(bzbarsky)
(Assignee)

Comment 16

9 years ago
to my knowledge there is no never-fails allocation, but the patch closes a pretty nasty thing when rowspan/colspan values exceed our internal structure limits which might be before the OOM condition.
> to my knowledge there is no never-fails allocation

The plan for Mozilla2 is to have two types of allocations:

1)  Ones that can never fail (if the memory actually can't be allocated, even after caches are flushed and the memory reserve is used, the program aborts instead of having the allocation fail).

2)  Ones that can fail and need to be null-checked by the caller.

Any allocation that allocates a biggish chunk of data under content control really needs to be the latter.

Sounds like we need a followup bug on actually handling the XXX comment, right?
Comment on attachment 328086 [details] [diff] [review]
patch

Looks OK, except I'd love to see those #defines in a single place instead of in both files.... If there is no good place, maybe that needs fixing.
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: superreview+
Attachment #328086 - Flags: review?(bzbarsky)
Attachment #328086 - Flags: review+
(Assignee)

Comment 19

9 years ago
I will write a second patch which will handle boris comments inside nsCellMap.cpp. However I believe if the cellmap fails with OOM we are pretty much doomed. What happens then is that: if we bail out, our lookup table (cellmap) gets out of sync with the internal frame structure, which from my experience is certain way to get sooner rather than later the beast down.
(Assignee)

Comment 20

9 years ago
I did not want to introduce a header dependency, the only .h file that both share is StyleConst.h and adding to that file seems so wrong.
It really sounds like we could use a header both include.  Heck, how about celldata.h?  It should be includable by both.

As for the rest... we really need a way to flag a frame tree as needing immediate destruction in situations like this.  Or something.  Or perhaps we should just stick to abort behavior for now and file a bug to get this sorted out...
Flags: wanted1.9.0.x?
(Assignee)

Comment 22

9 years ago
Created attachment 329228 [details] [diff] [review]
patch rev1

changes required by bz
(Assignee)

Comment 23

9 years ago
Created attachment 329231 [details]
patch rev1
Attachment #329228 - Attachment is obsolete: true
(Assignee)

Comment 24

9 years ago
Created attachment 329264 [details] [diff] [review]
complete patch for checkin
Attachment #329231 - Attachment is obsolete: true
(Assignee)

Comment 25

9 years ago
I am thick of the following:

	<firebot>	Firefox: 'MacOSX Darwin 9.2.2 mozilla-central qm-moz2mini01 dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'Linux mozilla-central qm-centos5-moz2-02-hw dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'WINNT 5.2 mozilla-central qm-win2k3-03 dep unit test' has changed state from Success to Test Failed.

I will be away for vacation, so if somebody finds that tiny moment where all boxes are green please check it in. I will only check it in if the boxes are green and this will not happen before august.

The perma-orange together with the hg disaster (no guilty column on tinderbox + no mark as in bonsai, patch juggling when you are not the tip when somebody did check in between commit and push on a completely different edge of the source base) remembers me the old 'Lethal Weapon' slogan: I'm to old for this shit.

Its time for the reedbot to check this in.

 
Keywords: checkin-needed
(Assignee)

Comment 26

9 years ago
I just pushed b87fdbfecc16
Keywords: checkin-needed
(Assignee)

Updated

9 years ago
Blocks: 348954
(Assignee)

Comment 27

9 years ago
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

This should probably go after some baking onto branches
Attachment #329264 - Flags: approval1.9.0.2?
(Assignee)

Comment 28

9 years ago
the test case should be pushed once the branches are released.
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Whiteboard: [sg:critical?] → [sg:critical?][needs baking]
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

Approved for 1.9.0.2. Please land in CVS. a=ss
Attachment #329264 - Flags: approval1.9.0.2? → approval1.9.0.2+
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Whiteboard: [sg:critical?][needs baking] → [sg:critical?]
Bernd, does this apply to the 1.8 branch or do we need a separate patch? (Or, alternatively, is this bug even applicable on the 1.8 branch?)
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.17?
(Assignee)

Comment 31

9 years ago
Created attachment 332206 [details] [diff] [review]
1.8 branch patch
Attachment #332206 - Flags: approval1.8.1.17?
Comment on attachment 332206 [details] [diff] [review]
1.8 branch patch

Approved for 1.8.1.17, a=dveditz for release-drivers.
Attachment #332206 - Flags: approval1.8.1.17? → approval1.8.1.17+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.17?
Flags: blocking1.8.1.17+
(Assignee)

Comment 33

9 years ago
fixed on branches that I care for.
Keywords: fixed1.8.1.17, fixed1.9.0.2
verified fixed on the 1.9.0 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.0.2pre) Gecko/2008082104 GranParadiso/3.0.2pre (equivalent build on Tiger) and Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.2pre) Gecko/2008082105 GranParadiso/3.0.2pre.
Keywords: fixed1.9.0.2 → verified1.9.0.2
verified fixed for 1.8.1.17 using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.18pre) Gecko/2008082803 Firefox/2.0.0.18pre (Debug Build). No Crash on Testcase
Keywords: fixed1.8.1.17 → verified1.8.1.17

Updated

9 years ago
Flags: blocking1.8.0.15+

Comment 36

9 years ago
Created attachment 336244 [details] [diff] [review]
for 1.8.0 (1.8 branch without xpcom/glue/nsTArray.cpp bits)

a=asac for 1.8.0.15
Attachment #336244 - Flags: approval1.8.0.15+
Group: core-security
(Reporter)

Comment 37

9 years ago
I checked the testcase in as a crashtest.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.