Closed Bug 443089 Opened 14 years ago Closed 14 years ago

<mtd> with huge rowspan causes crash with sad nsCellMap


(Core :: MathML, defect)

Not set





(Reporter: jruderman, Assigned: bernd_mozilla)


(Blocks 1 open bug)


(5 keywords, Whiteboard: [sg:critical?])


(6 files, 4 obsolete files)

Attached file testcase
Steps to reproduce:
1. Load the testcase in a debug build (Firefox trunk on Tiger).


firefox-bin(17051,0xa000d000) malloc: *** error for object 0x339c001b: pointer being reallocated was not allocated
firefox-bin(17051,0xa000d000) malloc: *** set a breakpoint in szone_error to debug
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

Always, a crash at one of the following:
nsCellMap::AppendCell - nsTArray_base::EnsureCapacity
nsCellMap::SetDataAt - nsTArrayElementTraits<CellData*>::Construct<CellData*>
nsCellMap::AppendCell - CellData::IsOrig

All of the crashes involve non-null, bogus pointer dereferences.  For the first crash signature, this is easiest to see with:

export MallocScribble=1
export MallocPreScribble=1
Whiteboard: [sg:critical?]
Crashes my linux nightly optimized build, too.  (OS/Hardware --> All)

Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/2008063004 GranParadiso/3.0.1pre

Crash report:
OS: Mac OS X → All
Hardware: PC → All
Here's the backtrace from the crash.

At this point, the array looks like this:

(gdb) p this
$2 = (nsTArray_base * const) 0xae9ffb1c
(gdb) p *this
$3 = {static sEmptyHdr = {mLength = 0, mCapacity = 0, mIsAutoArray = 0}, mHdr = 0xa5a5a5a5}

We're crashing because we try to dereference mHdr, to see mHdr->mCapacity.
We're wrapping around the unsigned int bound here:

101     size_type size = sizeof(Header) + capacity * elemSize;
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));

at this point, we have
  capacity = 1073741825
  elemSize = 4
  sizeof(Heeader) = 8  (I think)

so 'size' ends up being
   (8 + 1073741825 * 4) mod 2^32 = (4294967308) mod 2^32 = 12

which is much smaller than we're expecting it to be.
Sorry, I should've included a larger code snippet:

100     // NS_Realloc existing data
101     size_type size = sizeof(Header) + capacity * elemSize;  // <--- size=12
102     header = static_cast<Header*>(NS_Realloc(mHdr, size));  
103     if (!header)
104       return PR_FALSE;
105   }
107   header->mCapacity = capacity;           // <---- capacity = 1073741825
108   mHdr = header;

The disconnect between the wrapped-around 'size' and the presumed 'capacity' is what's killing us, I think.
Attached patch partial patch v1 (obsolete) — Splinter Review
This patch fixes the bounds check to avoid the issue described in comment 4.  Basically, EnsureCapacity already has a bounds check, but in this case we're wrapping around in that bounds-check as well, which renders it useless. :)  This just fixes that issue by casting to a PRUint64.

After this patch, we print these assertions:

###!!! ASSERTION: Attempting to allocate excessively large array: 'Error', file nsTArray.cpp, line 69
###!!! ASSERTION: invalid array index: 'i < Length()', file ../../dist/include/xpcom/nsTArray.h, line 317

... and crash in nsTArray<CellData*>::SetCapacity.

It sounds like someone's not error-checking the return-value of EnsureCapacity (to bail out if needed).
(In reply to comment #5)
> It sounds like someone's not error-checking the return-value of EnsureCapacity
> (to bail out if needed).

Yup, that's happening here:

1507     // XXXbz handle allocation failures?
1508     Grow(aMap, 1 + endRowIndex - origNumMapRows);

Grow() returns PR_FALSE if it fails, and we're not checking for that right now.
(In reply to comment #6)
> Grow() returns PR_FALSE if it fails, and we're not checking for that right now.

... and then we hit the "invalid array index" assertion and crash down here, because we think we now have endRowIndex rows to work with (when in fact we don't because Grow() failed)

1596   for (PRInt32 rowX = aRowIndex; rowX <= endRowIndex; rowX++) {
1597     // The row at rowX will need to have at least endColIndex columns
1598     mRows[rowX].SetCapacity(endColIndex);

Attachment #327858 - Attachment description: patch v1 → partial patch v1
Attached patch patch v2: abort! (obsolete) — Splinter Review
This patch just aborts with NS_ABORT_IF_FALSE if allocation fails as mentioned in comment 6.

I'll defer to Boris (or anyone else who knows the CellMap code) for the "correct" fix here -- i.e. how we should gracefully handle the allocation failure.

I just wanted to get an initial patch up that would make us at least die safely rather than unsafely, in case there's no easy / immediate more graceful solution for this.
Attachment #327858 - Attachment is obsolete: true
The reason I added the XXX was because I had no idea what to do in that case...  Bernd might know.

We're basically doing an allocation of a size that's under content page control here, right?
why isn't the math rowspan blocked at content level? we did that long time ago for html content

should do the same clamping as

we do at

Will that get us to the point where this can be a never-fails allocation?  Or should we still handle OOM here?
NS_ABORT_IF_FALSE is debug-only.  It does not make opt builds safe.
Comment on attachment 327868 [details] [diff] [review]
patch v2: abort!

Ah, good to know. Marking obsolete.

Bernd mentioned in IRC that he's working on a real fix along the lines of comment 11, so I won't post an updated bail-out patch.
Attachment #327868 - Attachment is obsolete: true
Attached patch patchSplinter Review
Assignee: nobody → bernd_mozilla
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: review?(bzbarsky)
to my knowledge there is no never-fails allocation, but the patch closes a pretty nasty thing when rowspan/colspan values exceed our internal structure limits which might be before the OOM condition.
> to my knowledge there is no never-fails allocation

The plan for Mozilla2 is to have two types of allocations:

1)  Ones that can never fail (if the memory actually can't be allocated, even after caches are flushed and the memory reserve is used, the program aborts instead of having the allocation fail).

2)  Ones that can fail and need to be null-checked by the caller.

Any allocation that allocates a biggish chunk of data under content control really needs to be the latter.

Sounds like we need a followup bug on actually handling the XXX comment, right?
Comment on attachment 328086 [details] [diff] [review]

Looks OK, except I'd love to see those #defines in a single place instead of in both files.... If there is no good place, maybe that needs fixing.
Attachment #328086 - Flags: superreview?(bzbarsky)
Attachment #328086 - Flags: superreview+
Attachment #328086 - Flags: review?(bzbarsky)
Attachment #328086 - Flags: review+
I will write a second patch which will handle boris comments inside nsCellMap.cpp. However I believe if the cellmap fails with OOM we are pretty much doomed. What happens then is that: if we bail out, our lookup table (cellmap) gets out of sync with the internal frame structure, which from my experience is certain way to get sooner rather than later the beast down.
I did not want to introduce a header dependency, the only .h file that both share is StyleConst.h and adding to that file seems so wrong.
It really sounds like we could use a header both include.  Heck, how about celldata.h?  It should be includable by both.

As for the rest... we really need a way to flag a frame tree as needing immediate destruction in situations like this.  Or something.  Or perhaps we should just stick to abort behavior for now and file a bug to get this sorted out...
Flags: wanted1.9.0.x?
Attached patch patch rev1 (obsolete) — Splinter Review
changes required by bz
Attached file patch rev1 (obsolete) —
Attachment #329228 - Attachment is obsolete: true
Attachment #329231 - Attachment is obsolete: true
I am thick of the following:

	<firebot>	Firefox: 'MacOSX Darwin 9.2.2 mozilla-central qm-moz2mini01 dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'Linux mozilla-central qm-centos5-moz2-02-hw dep unit test' has changed state from Success to Test Failed.
	<firebot>	Firefox: 'WINNT 5.2 mozilla-central qm-win2k3-03 dep unit test' has changed state from Success to Test Failed.

I will be away for vacation, so if somebody finds that tiny moment where all boxes are green please check it in. I will only check it in if the boxes are green and this will not happen before august.

The perma-orange together with the hg disaster (no guilty column on tinderbox + no mark as in bonsai, patch juggling when you are not the tip when somebody did check in between commit and push on a completely different edge of the source base) remembers me the old 'Lethal Weapon' slogan: I'm to old for this shit.

Its time for the reedbot to check this in.

Keywords: checkin-needed
I just pushed b87fdbfecc16
Keywords: checkin-needed
Blocks: 348954
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

This should probably go after some baking onto branches
Attachment #329264 - Flags: approval1.9.0.2?
the test case should be pushed once the branches are released.
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Flags: wanted1.9.0.x?
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.2?
Whiteboard: [sg:critical?] → [sg:critical?][needs baking]
Comment on attachment 329264 [details] [diff] [review]
complete patch for checkin

Approved for Please land in CVS. a=ss
Attachment #329264 - Flags: approval1.9.0.2? → approval1.9.0.2+
Flags: blocking1.9.0.2? → blocking1.9.0.2+
Whiteboard: [sg:critical?][needs baking] → [sg:critical?]
Bernd, does this apply to the 1.8 branch or do we need a separate patch? (Or, alternatively, is this bug even applicable on the 1.8 branch?)
Flags: wanted1.8.1.x?
Flags: blocking1.8.1.17?
Attached patch 1.8 branch patchSplinter Review
Attachment #332206 - Flags: approval1.8.1.17?
Comment on attachment 332206 [details] [diff] [review]
1.8 branch patch

Approved for, a=dveditz for release-drivers.
Attachment #332206 - Flags: approval1.8.1.17? → approval1.8.1.17+
Flags: wanted1.8.1.x?
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.17?
Flags: blocking1.8.1.17+
fixed on branches that I care for.
verified fixed on the 1.9.0 branch using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv: Gecko/2008082104 GranParadiso/3.0.2pre (equivalent build on Tiger) and Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv: Gecko/2008082105 GranParadiso/3.0.2pre.
verified fixed for using Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv: Gecko/2008082803 Firefox/ (Debug Build). No Crash on Testcase
Flags: blocking1.8.0.15+
a=asac for
Attachment #336244 - Flags: approval1.8.0.15+
Group: core-security
I checked the testcase in as a crashtest.
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.