Bug 747688 - (CVE-2012-1940) Heap-use-after-free in nsFrameList::FirstChild
Status: VERIFIED FIXED
Whiteboard: [asan][sg:critical][advisory-tracking...
Keywords: crash, sec-critical, testcase
Product: Core
Classification: Components
Component: Layout
Version: Trunk
Platform: x86_64 All
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Mats Palmgren (:mats)
Mentors:
Depends on:
Blocks: 695222
Reported: 2012-04-21 18:31 PDT by Abhishek Arya
Modified: 2015-10-16 11:51 PDT (History)
CC: 15 users
rforbes: sec‑bounty+
mats: in‑testsuite+
See Also:
Crash Signature: nsOverflowContinuationTracker::Finish
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
fixed
+
fixed
verified
13+
fixed


Attachments
Testcase (364 bytes, text/html), 2012-04-21 18:31 PDT, Abhishek Arya, no flags
frame dump (7.98 KB, text/html), 2012-04-24 09:27 PDT, Mats Palmgren (:mats), no flags
fix (2.07 KB, patch), 2012-04-24 09:34 PDT, Mats Palmgren (:mats); flags: roc: review+; lukasblakk+bugs: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr10+
Original test in patch form (check-in after the fix is in all relevant channels) (1.16 KB, patch), 2012-05-03 17:59 PDT, Mats Palmgren (:mats), no flags

Description Abhishek Arya 2012-04-21 18:31:16 PDT
Created attachment 617267 [details]
Testcase

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.162 Safari/535.19

Steps to reproduce:

Tested on Aurora 20120421074909
http://hg.mozilla.org/releases/mozilla-aurora/rev/6f27de794daa
and Trunk 20120419154942
http://hg.mozilla.org/mozilla-central/rev/c861d58b7ade

ASAN stack::
==18828== ERROR: AddressSanitizer heap-use-after-free on address 0x7fdb84d6bd80 at pc 0x7fdbafbd1f54 bp 0x7fffecab7970 sp 0x7fffecab7968
READ of size 8 at 0x7fdb84d6bd80 thread T0
    #0 0x7fdbafbd1f54 in nsFrameList::FirstChild() const /usr/local/google/home/aarya/firefox/aurora-src/modules/zlib/src/inffast.c:0
    #1 0x7fdb8ac27660 in  
0x7fdb84d6bd80 is located 0 bytes inside of 16-byte region [0x7fdb84d6bd80,0x7fdb84d6bd90)
freed by thread T0 here:
    #0 0x410dd2 in free ??:0
    #1 0x7fdbafd55b96 in operator delete(void*) /usr/local/google/home/aarya/firefox/aurora-src/../../dist/include/mozilla/mozalloc.h:253
    #2 0x2000007fdbaf8308
previously allocated by thread T0 here:
    #0 0x410e92 in malloc ??:0
    #1 0x7fdbb5469450 in moz_xmalloc /usr/local/google/home/aarya/firefox/aurora-src/memory/mozalloc/mozalloc.cpp:103
==18828== ABORTING
Stats: 162M malloced (161M for red zones) by 345347 calls
Stats: 43M realloced by 19180 calls
Stats: 131M freed by 228972 calls
Stats: 0M really freed by 0 calls
Stats: 356M (91189 full pages) mmaped in 89 calls
  mmaps   by size class: 8:262128; 9:57337; 10:20475; 11:16376; 12:3072; 13:2048; 14:1536; 15:384; 16:704; 17:224; 18:128; 19:56; 20:16;
  mallocs by size class: 8:254495; 9:49981; 10:18431; 11:15427; 12:2334; 13:1818; 14:1464; 15:381; 16:639; 17:199; 18:116; 19:49; 20:13;
  frees   by size class: 8:154593; 9:40949; 10:15619; 11:12669; 12:1671; 13:991; 14:1276; 15:335; 16:566; 17:185; 18:63; 19:45; 20:10;
  rfrees  by size class:
Stats: malloc large: 377 small slow: 1901
Shadow byte and word:
  0x1ffb709ad7b0: fd
  0x1ffb709ad7b0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffb709ad790: fd fd fd fd fd fd fd fd
  0x1ffb709ad798: fd fd fd fd fd fd fd fd
  0x1ffb709ad7a0: fa fa fa fa fa fa fa fa
  0x1ffb709ad7a8: fa fa fa fa fa fa fa fa
=>0x1ffb709ad7b0: fd fd fd fd fd fd fd fd
  0x1ffb709ad7b8: fd fd fd fd fd fd fd fd
  0x1ffb709ad7c0: fa fa fa fa fa fa fa fa
  0x1ffb709ad7c8: fa fa fa fa fa fa fa fa
  0x1ffb709ad7d0: fd fd fd fd fd fd fd fd



Valgrind stack::

==19089== Invalid read of size 8
==19089==    at 0x85360B8: nsFrameList::FirstChild() const (nsFrameList.h:246)
==19089==    by 0x862C43C: nsOverflowContinuationTracker::Finish(nsIFrame*) (nsContainerFrame.cpp:1724)
==19089==    by 0x861FCF9: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:333)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==    by 0x8614071: nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:2511)
==19089==    by 0x8612C93: nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (nsBlockFrame.cpp:2022)
==19089==    by 0x8610E7B: nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsBlockFrame.cpp:1071)
==19089==    by 0x862A824: nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) (nsContainerFrame.cpp:941)
==19089==    by 0x862774C: nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) (nsColumnSetFrame.cpp:704)
==19089==    by 0x8628575: nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsColumnSetFrame.cpp:1066)
==19089==    by 0x861FC1B: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:295)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==  Address 0x1de137f0 is 0 bytes inside a block of size 16 free'd
==19089==    at 0x4C2779F: free (vg_replace_malloc.c:427)
==19089==    by 0x69DF1A3: moz_free (mozalloc.cpp:81)
==19089==    by 0x862BA11: nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) (mozalloc.h:253)
==19089==    by 0x862B377: nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) (nsContainerFrame.cpp:1226)
==19089==    by 0x861B7DA: nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) (nsBlockFrame.cpp:5654)
==19089==    by 0x862B827: nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) (nsContainerFrame.cpp:1372)
==19089==    by 0x861BC1B: nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) (nsBlockFrame.cpp:5742)
==19089==    by 0x861FD2B: nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) (nsBlockReflowContext.cpp:335)
==19089==    by 0x8615899: nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:3202)
==19089==    by 0x8614071: nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) (nsBlockFrame.cpp:2511)
==19089==    by 0x8612C93: nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) (nsBlockFrame.cpp:2022)
==19089==    by 0x8610E7B: nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) (nsBlockFrame.cpp:1071)
==19089==
Comment 1 Abhishek Arya 2012-04-21 19:28:40 PDT
Nicer version of ASAN Stack

=================================================================
==24249== ERROR: AddressSanitizer heap-use-after-free on address 0x7f66ca3da180 at pc 0x7f66f5af4930 bp 0x7fff35d1c610 sp 0x7fff35d1c608
READ of size 8 at 0x7f66ca3da180 thread T0
    #0 0x7f66f5af4930 in Enumerator aurora-src/layout/base/../generic/nsFrameList.h:367
    #1 0x7f66f6305e0f in nsOverflowContinuationTracker::Finish(nsIFrame*) aurora-src/layout/generic/nsContainerFrame.cpp:1725
    #2 0x7f66f62a43cf in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:334
    #3 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #4 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #5 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #6 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #7 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #8 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #9 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #10 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #11 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #12 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #13 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #14 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #15 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #16 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #17 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #18 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #19 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #20 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #21 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #22 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
    #23 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #24 0x7f66f6442639 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) aurora-src/layout/generic/nsGfxScrollFrame.cpp:547
    #25 0x7f66f6447e4a in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) aurora-src/layout/generic/nsGfxScrollFrame.cpp:641
    #26 0x7f66f644c1bf in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsGfxScrollFrame.cpp:882
    #27 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #28 0x7f66f68113e6 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsViewportFrame.cpp:230
    #29 0x7f66f5f9c7e9 in PresShell::DoReflow(nsIFrame*, bool) aurora-src/layout/base/nsPresShell.cpp:7549
    #30 0x7f66f5fcb368 in PresShell::ProcessReflowCommands(bool) aurora-src/layout/base/nsPresShell.cpp:7690
    #31 0x7f66f5fc989f in PresShell::FlushPendingNotifications(mozFlushType) aurora-src/layout/base/nsPresShell.cpp:3999
    #32 0x7f66f5dd5d35 in DocumentViewerImpl::LoadComplete(unsigned int) aurora-src/layout/base/nsDocumentViewer.cpp:1018
    #33 0x7f66fccda193 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, unsigned int) aurora-src/docshell/base/nsDocShell.cpp:6164
    #34 0x7f66fccd2781 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) aurora-src/docshell/base/nsDocShell.cpp:6003
    #35 0x7f66fccd3965 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, unsigned int) aurora-src/modules/zlib/src/inffast.c:0
    #36 0x7f66fcdd08b4 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:1384
    #37 0x7f66fcdce2c5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:962
    #38 0x7f66fcdc7458 in nsDocLoader::DocLoaderIsEmpty(bool) aurora-src/uriloader/base/nsDocLoader.cpp:854
    #39 0x7f66fcdcba7c in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/uriloader/base/nsDocLoader.cpp:736
    #40 0x7f66fcdcd5ed in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/modules/zlib/src/inffast.c:0
    #41 0x7f66f474e829 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, unsigned int) aurora-src/netwerk/base/src/nsLoadGroup.cpp:731
    #42 0x7f66f780ec54 in nsDocument::DoUnblockOnload() aurora-src/content/base/src/nsDocument.cpp:7255
    #43 0x7f66f780e6d1 in nsDocument::UnblockOnload(bool) aurora-src/content/base/src/nsDocument.cpp:7198
    #44 0x7f66f77c0f34 in nsDocument::DispatchContentLoadedEvents() aurora-src/content/base/src/nsDocument.cpp:4269
    #45 0x7f66f7871139 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() aurora-src/../../../dist/include/nsThreadUtils.h:345
    #46 0x7f66fff74f81 in nsThread::ProcessNextEvent(bool, bool*) aurora-src/xpcom/threads/nsThread.cpp:658
    #47 0x7f66ffc01bdd in NS_ProcessNextEvent_P(nsIThread*, bool) aurora-src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
    #48 0x7f66ff15a8c6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) aurora-src/ipc/glue/MessagePump.cpp:110
    #49 0x7f670022ce3a in MessageLoop::RunInternal() aurora-src/ipc/chromium/src/base/message_loop.cc:209
    #50 0x7f670022cc83 in MessageLoop::RunHandler() aurora-src/ipc/chromium/src/base/message_loop.cc:202
    #51 0x7f670022cb68 in MessageLoop::Run() aurora-src/ipc/chromium/src/base/message_loop.cc:176
    #52 0x7f66fe6947fe in nsBaseAppShell::Run() aurora-src/widget/xpwidgets/nsBaseAppShell.cpp:191
    #53 0x7f66fd264098 in nsAppStartup::Run() aurora-src/toolkit/components/startup/nsAppStartup.cpp:295
    #54 0x7f66f4516323 in XRE_main aurora-src/toolkit/xre/nsAppRunner.cpp:3703
    #55 0x40a1f3 in do_main aurora-src/browser/app/nsBrowserApp.cpp:190
    #56 0x407d7e in main aurora-src/browser/app/nsBrowserApp.cpp:277
    #57 0x7f670c7afc4d in ?? ??:0
0x7f66ca3da180 is located 0 bytes inside of 16-byte region [0x7f66ca3da180,0x7f66ca3da190)
freed by thread T0 here:
    #0 0x42b972 in free ??:0
    #1 0x7f670ad18673 in moz_free aurora-src/memory/mozalloc/mozalloc.cpp:98
    #2 0x7f66f630e3f8 in nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) aurora-src/layout/generic/nsContainerFrame.cpp:1436
    #3 0x7f66f630d903 in nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsContainerFrame.cpp:1226
    #4 0x7f66f62819d9 in nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsBlockFrame.cpp:5654
    #5 0x7f66f630fe0f in nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsContainerFrame.cpp:1372
    #6 0x7f66f6283b25 in nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) aurora-src/layout/generic/nsBlockFrame.cpp:5743
    #7 0x7f66f62a44df in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:337
    #8 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #9 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #10 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #11 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #12 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #13 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #14 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #15 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #16 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #17 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #18 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #19 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #20 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #21 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #22 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #23 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #24 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #25 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #26 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #27 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
    #28 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #29 0x7f66f6442639 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) aurora-src/layout/generic/nsGfxScrollFrame.cpp:547
previously allocated by thread T0 here:
    #0 0x42ba32 in malloc ??:0
    #1 0x7f670ad187c7 in moz_xmalloc aurora-src/memory/mozalloc/mozalloc.cpp:103
    #2 0x7f66f630bb6c in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) aurora-src/layout/generic/nsContainerFrame.cpp:1671
    #3 0x7f66f62466ee in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3371
    #4 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #5 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #6 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #7 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #8 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #9 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #10 0x7f66f62a3f2b in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) aurora-src/layout/generic/nsBlockReflowContext.cpp:295
    #11 0x7f66f6243caf in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:3202
    #12 0x7f66f6239516 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) aurora-src/layout/generic/nsBlockFrame.cpp:2511
    #13 0x7f66f621ead1 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) aurora-src/layout/generic/nsBlockFrame.cpp:2022
    #14 0x7f66f621222f in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsBlockFrame.cpp:1071
    #15 0x7f66f6305207 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) aurora-src/layout/generic/nsContainerFrame.cpp:940
    #16 0x7f66f62e66a5 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) aurora-src/layout/generic/nsColumnSetFrame.cpp:710
    #17 0x7f66f62eea73 in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsColumnSetFrame.cpp:1068
    #18 0x7f66f61fc0a0 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, nsHTMLReflowState const&, int, int, bool, nsIFrame*, unsigned int&, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:443
    #19 0x7f66f61f81b6 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, nsHTMLReflowState const&, unsigned int&, int, int, bool, bool, bool, nsOverflowAreas*) aurora-src/layout/generic/nsAbsoluteContainingBlock.cpp:158
    #20 0x7f66f637f15d in nsFrame::ReflowAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:4001
    #21 0x7f66f637e6f6 in nsFrame::FinishReflowWithAbsoluteFrames(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, bool) aurora-src/layout/generic/nsFrame.cpp:3966
    #22 0x7f66f64c438d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) aurora-src/layout/generic/nsCanvasFrame.cpp:563
==24249== ABORTING
Stats: 150M malloced (151M for red zones) by 326898 calls
Stats: 40M realloced by 18262 calls
Stats: 123M freed by 217083 calls
Stats: 0M really freed by 0 calls
Stats: 332M (85040 full pages) mmaped in 83 calls
  mmaps   by size class: 8:262128; 9:49146; 10:20475; 11:16376; 12:3072; 13:2048; 14:1536; 15:384; 16:640; 17:192; 18:96; 19:48; 20:16;
  mallocs by size class: 8:242208; 9:47151; 10:17027; 11:13982; 12:2117; 13:1706; 14:1419; 15:337; 16:612; 17:183; 18:95; 19:48; 20:13;
  frees   by size class: 8:147874; 9:38691; 10:14400; 11:11362; 12:1503; 13:893; 14:1239; 15:295; 16:546; 17:170; 18:56; 19:44; 20:10;
  rfrees  by size class:
Stats: malloc large: 339 small slow: 1780
Shadow byte and word:
  0x1fecd947b430: fd
  0x1fecd947b430: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1fecd947b410: fd fd fd fd fd fd fd fd
  0x1fecd947b418: fd fd fd fd fd fd fd fd
  0x1fecd947b420: fa fa fa fa fa fa fa fa
  0x1fecd947b428: fa fa fa fa fa fa fa fa
=>0x1fecd947b430: fd fd fd fd fd fd fd fd
  0x1fecd947b438: fd fd fd fd fd fd fd fd
  0x1fecd947b440: fa fa fa fa fa fa fa fa
  0x1fecd947b448: fa fa fa fa fa fa fa fa
  0x1fecd947b450: fd fd fd fd fd fd fd fd
Comment 2 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 02:08:32 PDT
I can reproduce this on trunk.
Comment 3 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 02:14:48 PDT
Interestingly it does not seem to crash my local debug build.
Comment 4 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 02:15:55 PDT
https://crash-stats.mozilla.com/report/index/bp-c3374fa5-b03c-48fa-8dac-4dc792120422
Comment 5 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 02:36:18 PDT
I can't get this to happen on beta or release.  Alice, could you narrow down a regression range?
Comment 6 Alice0775 White 2012-04-22 03:04:30 PDT
No crash:
http://hg.mozilla.org/mozilla-central/rev/9f29daaecbcc
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111226 Firefox/12.0a1 ID:20111226031002
Crash:
http://hg.mozilla.org/mozilla-central/rev/838515a06d27
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0a1) Gecko/20111226 Firefox/12.0a1 ID:20111226175818
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=9f29daaecbcc&tochange=838515a06d27
Comment 7 Alice0775 White 2012-04-22 03:22:35 PDT
Fixed range in beta channel
Crash:
http://hg.mozilla.org/releases/mozilla-beta/rev/e78e518d5269
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 ID:20120328051619
No crash:
http://hg.mozilla.org/releases/mozilla-beta/rev/9bfe6330d055
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 ID:20120403211507
Pushlog:
http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=e78e518d5269&tochange=9bfe6330d055
Comment 8 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 08:29:48 PDT
Thanks Alice!

Scott, can you dig in here?
Comment 9 Kyle Huey [:khuey] (khuey@mozilla.com) 2012-04-22 08:38:49 PDT
Jesse might be interested in this from a fuzzing perspective.
Comment 11 Mats Palmgren (:mats) 2012-04-24 09:27:22 PDT
Created attachment 617905 [details]
frame dump

We have an nsOverflowContinuationTracker tracking the
ExcessOverflowContainersList in this frame tree...
Comment 12 Mats Palmgren (:mats) 2012-04-24 09:34:45 PDT
Created attachment 617908 [details] [diff] [review]
fix

nsOverflowContinuationTracker::Finish checks if the list it's tracking
will become empty (and thus deleted); it does this by checking for
a null next-sibling on the next-in-flow. This isn't enough: there's also
the case that there's a next-sibling but it's also a next-in-flow, and so
it will also be removed by the DeleteNextInFlowChild call.
(see frame dump above)

Try results pending:
https://tbpl.mozilla.org/?tree=Try&rev=49c76b1fef8e
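To make the failure mode in comment 12 concrete, here is an added model of the sequence ReflowBlock runs (Finish on the tracker, then DeleteNextInFlowChild). It is constructed for this page and is not code from the Mozilla tree or from the attached patch; every type and function name is a stand-in for the Gecko one it is named after. The pre-fix check only asks whether the next-in-flow has a next sibling; the hardened form is an assumed model (not the project's actual fix) that also treats a sibling that is itself a continuation of the same frame as about to be removed. The list is freed the moment its last frame is stolen, which is the "freed by" stack ASan printed above.

```cpp
// Added example (not Mozilla code): a model of the Finish() check comment 12
// describes. All names are constructed stand-ins for the Gecko types.
#include <cstddef>
#include <cstdio>
#include <vector>

// A frame sits in its parent's list (nextSibling) and may have a continuation
// (nextInFlow); the same frame can be both the next sibling and a next-in-flow.
struct Frame {
    Frame* nextSibling = nullptr;
    Frame* nextInFlow = nullptr;
};

// Heap-allocated list standing in for the ExcessOverflowContainersList property.
struct FrameList {
    std::vector<Frame*> frames;
    Frame* FirstChild() const { return frames.empty() ? nullptr : frames.front(); }
    bool IsEmpty() const { return frames.empty(); }
    void Remove(Frame* f) {
        for (std::size_t i = 0; i < frames.size(); ++i)
            if (frames[i] == f) { frames.erase(frames.begin() + i); break; }
        for (std::size_t i = 0; i < frames.size(); ++i)  // relink the siblings
            frames[i]->nextSibling = (i + 1 < frames.size()) ? frames[i + 1] : nullptr;
    }
};

struct Container {
    FrameList* overflowList = nullptr;
    bool listFreed = false;
    // Models StealFrame + RemovePropTableFrame: the list is freed as soon as it empties.
    void StealFrame(Frame* f) {
        overflowList->Remove(f);
        if (overflowList->IsEmpty()) {
            delete overflowList;
            overflowList = nullptr;
            listFreed = true;
        }
    }
    // Models DeleteNextInFlowChild: removes aFrame's whole continuation chain.
    void DeleteNextInFlowChild(Frame* aFrame) {
        Frame* nif = aFrame->nextInFlow;
        aFrame->nextInFlow = nullptr;
        while (nif) {
            Frame* next = nif->nextInFlow;
            StealFrame(nif);
            nif = next;
        }
    }
};

struct OverflowContinuationTracker {
    FrameList* list = nullptr;  // left dangling if the list is freed under us
    static bool InFlowChain(Frame* aFrame, Frame* candidate) {
        for (Frame* f = aFrame->nextInFlow; f; f = f->nextInFlow)
            if (f == candidate) return true;
        return false;
    }
    // Pre-fix logic as comment 12 describes it: a next sibling means the list survives.
    void FinishVulnerable(Frame* aFrame) {
        Frame* nif = aFrame->nextInFlow;
        if (nif && nif->nextSibling == nullptr) list = nullptr;
    }
    // Hardened check (assumed model, not the project's patch): the list also empties
    // when every remaining sibling is itself a continuation of aFrame.
    void FinishFixed(Frame* aFrame) {
        Frame* nif = aFrame->nextInFlow;
        if (!nif) return;
        for (Frame* sib = nif->nextSibling; sib; sib = sib->nextSibling)
            if (!InFlowChain(aFrame, sib)) return;  // something survives
        list = nullptr;
    }
};

// Runs Finish() then DeleteNextInFlowChild() on a constructed tree. Trigger tree
// (secondIsContinuation=true): A has continuations A' and A'' that are adjacent
// siblings, so the list ends up freed. Control tree (false): A' is followed by an
// unrelated frame B and the list survives. Returns 1 if the tracker still points
// at the freed list (where the real FirstChild() read freed memory), 2 if it
// dropped a live list, else 0.
int RunFinish(bool useFixedCheck, bool secondIsContinuation) {
    Frame a, a1, second;
    a.nextInFlow = &a1;
    if (secondIsContinuation) a1.nextInFlow = &second;
    Container container;
    container.overflowList = new FrameList{{&a1, &second}};
    a1.nextSibling = &second;
    OverflowContinuationTracker tracker;
    tracker.list = container.overflowList;
    if (useFixedCheck) tracker.FinishFixed(&a); else tracker.FinishVulnerable(&a);
    container.DeleteNextInFlowChild(&a);
    int verdict = 0;
    if (container.listFreed && tracker.list != nullptr) verdict = 1;
    else if (!container.listFreed && tracker.list == nullptr) verdict = 2;
    delete container.overflowList;  // no-op when the list was already freed
    return verdict;
}

int main() {
    std::printf("trigger: vuln=%d fixed=%d  control: vuln=%d fixed=%d\n",
                RunFinish(false, true), RunFinish(true, true),
                RunFinish(false, false), RunFinish(true, false));
}
```

The model reports the dangling pointer from bookkeeping rather than dereferencing it, so it does not itself perform the invalid read; the interesting outputs are that the pre-fix check leaves the tracker pointing at a freed list on the trigger tree (verdict 1) while both checks keep the list on the control tree, which is why a fix that simply clears the tracker whenever any sibling exists would be wrong in the other direction.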
Comment 13 Mats Palmgren (:mats) 2012-04-24 09:43:04 PDT
This seems unlikely to be exploitable because nsFrameList doesn't have virtual
methods, and it has only two members, both nsIFrame*, and using those should
be covered by frame poisoning. The other nsOverflowContinuationTracker members
that might be stale are also nsIFrame*.
Comment 14 Mats Palmgren (:mats) 2012-04-24 09:53:44 PDT
Actually, since nsFrameList is heap-allocated rather than in our presshell arena,
its members might point to arbitrary memory so that would still be exploitable.
It still seems rather unlikely since there would be very few (if any) heap
allocations from the time DeleteNextInFlowChild is done, until we unwind to the
nsOverflowContinuationTracker call (at least on the main thread).
Comment 15 Mats Palmgren (:mats) 2012-04-24 13:56:11 PDT
(perhaps this bug tips bug 729519 over the edge to actually be worth it)
Comment 16 Jesse Ruderman 2012-04-24 17:44:06 PDT
Mats, do you understand why this crashes release builds but not debug builds?
Comment 17 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2012-04-24 23:41:57 PDT
That could just be luck.
Comment 18 Alex Keybl [:akeybl] 2012-05-01 12:33:12 PDT
Based upon the tracking nom, I'm assuming yes, but I'll ask anyway.

At this point, are we concerned enough with this being an sg:high/crit bug to land a fix in FF13's release?
Comment 19 Robert O'Callahan (:roc) (Exited; email my personal email if necessary) 2012-05-01 15:21:57 PDT
Yes.
Comment 20 Daniel Veditz [:dveditz] 2012-05-01 21:34:12 PDT
This bug is not a regression from bug 695222, we just got lucky(?) that it changed layout in a way that allowed inferno's fuzzer to trigger it. The original testcase in the bug no longer triggers the problem so a new testcase would be useful for verification and to add to the regression testsuite. Maybe Mats has some ideas on what would set up the necessary conditions?

The nsOverflowContinuationTracker::Finish code looks like it goes back quite a ways, to bug 422283. So much has changed in layout since then that I don't know if this has been a problem the whole time, but it's probably safe to assume the ESR-10 branch ought to be patched.
Comment 22 Mats Palmgren (:mats) 2012-05-03 17:57:16 PDT
(In reply to Daniel Veditz [:dveditz] from comment #20)
> The original testcase in the bug no longer triggers the problem

Fwiw, it still crashes my ASAN build on Linux64.  So I think it's still
valuable as a crash test even though it might not crash non-ASAN builds
currently.

> Maybe Mats has some ideas on what would set up the necessary
> conditions?

Guessing: column layout with abs.pos. blocks children, in a container
that changes size causing the abs.pos. children to move to a different
column?

> The nsOverflowContinuationTracker::Finish code looks like it goes back quite
> a ways, to bug 422283. So much has changed in layout since then that I don't
> know if this has been a problem the whole time, but it's probably safe to
> assume the ESR-10 branch ought to be patched.

I think the bug was there all the time, but it might be recent abs.pos. containing
block changes that made it possible to trigger; I don't know (I don't have ASAN
branch builds).  I think we should take this on all branches, just in case.  It's a
quite low-risk patch.
Comment 23 Mats Palmgren (:mats) 2012-05-03 17:59:39 PDT
Created attachment 620915 [details] [diff] [review]
Original test in patch form (check-in after the fix is in all relevant channels)
Comment 24 Ed Morley [:emorley] 2012-05-04 10:55:43 PDT
https://hg.mozilla.org/mozilla-central/rev/0cb419f67ab7
Comment 25 Daniel Veditz [:dveditz] 2012-05-10 13:53:00 PDT
Please request branch and ESR approvals on this patch. Only a couple of weeks to get this in.
Comment 26 Mats Palmgren (:mats) 2012-05-10 14:38:21 PDT
Comment on attachment 617908 [details] [diff] [review]
fix

[Approval Request Comment]
Regression caused by (bug #): 
User impact if declined: sg:crit crash
Testing completed (on m-c, etc.): on m-c since 2012-05-04
Risk to taking this patch (and alternatives if risky): fairly simple code
change, but the code involved is complex so that adds to the risk
String changes made by this patch: none
Comment 27 Lukas Blakk [:lsblakk] use ?needinfo 2012-05-11 16:36:37 PDT
Comment on attachment 617908 [details] [diff] [review]
fix

approving - will we need a separate patch for ESR or can this patch get ESR nom?

also, what can QA look for in terms of verifying/checking for regressions?
Comment 28 Mats Palmgren (:mats) 2012-05-11 16:47:53 PDT
Comment on attachment 617908 [details] [diff] [review]
fix

This patch also applies to ESR.
Comment 29 Mats Palmgren (:mats) 2012-05-11 17:02:13 PDT
>also, what can QA look for in terms of verifying/checking for regressions?

For testing, see comment 22.  Hopefully, the crash signature 
nsOverflowContinuationTracker::Finish should go away.
(for example bp-eca8998b-a155-4501-bb4e-eb6ae2120502)
I'm afraid any regressions would only show up as new crashes in layout code.
Comment 31 Lukas Blakk [:lsblakk] use ?needinfo 2012-05-14 12:58:08 PDT
Comment on attachment 617908 [details] [diff] [review]
fix

this is in beta now, so approved for ESR as well.
Comment 33 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-22 15:29:18 PDT
Can someone please clarify what is required for QA to verify this fix? Specifically, is the attached testcase sufficient? And where can we get ASAN builds for Firefox 13, 14, 15, and latest-mozilla-esr10?
Comment 34 Mats Palmgren (:mats) 2012-05-23 07:51:25 PDT
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #33)
> Can someone please clarify what is required for QA to verify this fix?

See comment 29 / 22.

> Specifically, is the attached testcase sufficient?

Yes, but you need ASAN builds.

> and where can we get ASAN
> builds for Firefox 13, 14, 15, and latest-mozilla-esr10?

I think you have to build them yourself.
https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer
Comment 35 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-05-23 13:18:45 PDT
(In reply to Mats Palmgren [:mats] from comment #34)
> I think you have to build them yourself.
> https://developer.mozilla.org/en/Building_Firefox_with_Address_Sanitizer

Is it possible to do this for Beta and ESR, which is what I'm immediately interested in? I'm hearing via email that it *may* be possible for Beta and *may not* be for ESR.
Comment 36 Mats Palmgren (:mats) 2012-05-23 13:40:22 PDT
I don't know.
Comment 37 Naoki Hirata :nhirata (please use needinfo instead of cc) 2012-06-02 10:09:40 PDT
Doesn't comment 7 mean that it wouldn't happen in current beta?
Comment 38 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-02 10:17:19 PDT
(In reply to Naoki Hirata :nhirata from comment #37)
> Doesn't comment 7 mean that it wouldn't happen in current beta?

That was for Firefox 12 Beta, not Firefox 13 Beta.
Comment 39 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-03 10:48:33 PDT
Verified fixed in an ASAN build I made from mozilla-central tip. Unfortunately, for the time being we will not be able to verify this fixed in Beta 13 / ESR 13. Untracking for QA until this changes.
Comment 40 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-21 15:01:07 PDT
qa- as per comment 39.
Comment 41 Mats Palmgren (:mats) 2013-05-14 06:58:10 PDT
Crash test:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c92a2293ad18
Comment 42 Ryan VanderMeulen [:RyanVM] 2013-05-14 13:29:30 PDT
https://hg.mozilla.org/mozilla-central/rev/c92a2293ad18