Closed Bug 750146 Opened 12 years ago Closed 12 years ago

Heap-use-after-free in RestoreSelectionState::Run

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla15

People

(Reporter: inferno, Assigned: ehsan.akhgari)

Details

(Keywords: csectype-uaf, Whiteboard: [asan])

Attachments

(2 files)

Testcase
123 bytes, text/html
Details
Patch (v1)
1.49 KB, patch
bzbarsky
: review+
Details | Diff | Splinter Review
Attached file Testcase 
Reproduces on Aurora, Trunk.

=================================================================
==15631== ERROR: AddressSanitizer heap-use-after-free on address 0x7ff5b2dad998 at pc 0x7ff5e1ac381b bp 0x7fffbd364bd0 sp 0x7fffbd364bc8
WRITE of size 8 at 0x7ff5b2dad998 thread T0
    #0 0x7ff5e1ac381b in nsTextEditorState::FinishedRestoringSelection() firefox/aurora/modules/zlib/src/gzlib.c:0
    #1 0x7ff5e1ac3031 in RestoreSelectionState::Run() firefox/aurora/content/html/content/src/nsTextEditorState.cpp:101
    #2 0x7ff5e0a0dc15 in nsContentUtils::RemoveScriptBlocker() firefox/aurora/content/base/src/nsContentUtils.cpp:4729
    #3 0x7ff5df0391cb in ~nsAutoScriptBlocker firefox/aurora/../../../dist/include/nsContentUtils.h:2169
    #4 0x7ff5df0290b3 in ~nsAutoScriptBlocker firefox/aurora/../../../dist/include/nsContentUtils.h:2169
    #5 0x7ff5df5c0be6 in nsTextControlFrame::EditorInitializer::Run() firefox/aurora/layout/forms/nsTextControlFrame.h:316
    #6 0x7ff5e0a0dc15 in nsContentUtils::RemoveScriptBlocker() firefox/aurora/content/base/src/nsContentUtils.cpp:4729
    #7 0x7ff5e0be39c0 in nsDocument::EndUpdate(unsigned int) firefox/aurora/content/base/src/nsDocument.cpp:4042
    #8 0x7ff5e2280a4e in nsHTMLDocument::EndUpdate(unsigned int) firefox/aurora/content/html/document/src/nsHTMLDocument.cpp:2277
    #9 0x7ff5e3a713c1 in nsHtml5TreeOpExecutor::EndDocUpdate() firefox/aurora/parser/html/nsHtml5TreeOpExecutor.h:296
    #10 0x7ff5e3a709a7 in nsHtml5TreeOpExecutor::DidBuildModel(bool) firefox/aurora/parser/html/nsHtml5TreeOpExecutor.cpp:151
    #11 0x7ff5e3a5a82f in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) firefox/aurora/parser/html/nsHtml5TreeOperation.cpp:662
    #12 0x7ff5e3a761d6 in nsHtml5TreeOpExecutor::RunFlushLoop() firefox/aurora/parser/html/nsHtml5TreeOpExecutor.cpp:550
    #13 0x7ff5e3aaf865 in nsHtml5ExecutorFlusher::Run() firefox/aurora/parser/html/nsHtml5StreamParser.cpp:160
    #14 0x7ff5e968530e in nsThread::ProcessNextEvent(bool, bool*) firefox/aurora/xpcom/threads/nsThread.cpp:657
    #15 0x7ff5e93133fd in NS_ProcessNextEvent_P(nsIThread*, bool) firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:245
    #16 0x7ff5e8705146 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) firefox/aurora/ipc/glue/MessagePump.cpp:110
    #17 0x7ff5e993ca8a in MessageLoop::RunInternal() firefox/aurora/ipc/chromium/src/base/message_loop.cc:209
    #18 0x7ff5e993c8d3 in MessageLoop::RunHandler() firefox/aurora/ipc/chromium/src/base/message_loop.cc:202
    #19 0x7ff5e993c7b8 in MessageLoop::Run() firefox/aurora/ipc/chromium/src/base/message_loop.cc:176
    #20 0x7ff5e7c4bbde in nsBaseAppShell::Run() firefox/aurora/widget/xpwidgets/nsBaseAppShell.cpp:191
    #21 0x7ff5e6875c88 in nsAppStartup::Run() firefox/aurora/toolkit/components/startup/nsAppStartup.cpp:295
    #22 0x7ff5dd903fb2 in XREMain::XRE_mainRun() firefox/aurora/toolkit/xre/nsAppRunner.cpp:3780
    #23 0x7ff5dd90a112 in XREMain::XRE_main(int, char**, nsXREAppData const*) firefox/aurora/toolkit/xre/nsAppRunner.cpp:3857
    #24 0x7ff5dd90d5c8 in XRE_main firefox/aurora/toolkit/xre/nsAppRunner.cpp:3933
    #25 0x40a7a3 in do_main(int, char**) firefox/aurora/browser/app/nsBrowserApp.cpp:190
    #26 0x40832e in main firefox/aurora/browser/app/nsBrowserApp.cpp:277
    #27 0x7ff5f6de3c4d in ?? ??:0
0x7ff5b2dad998 is located 24 bytes inside of 128-byte region [0x7ff5b2dad980,0x7ff5b2dada00)
freed by thread T0 here:
    #0 0x4a4272 in free ??:0
    #1 0x7ff5f534d673 in moz_free firefox/aurora/memory/mozalloc/mozalloc.cpp:82
    #2 0x7ff5e1aa35fb in nsTextEditorState::Release() firefox/aurora/content/html/content/src/nsTextEditorState.h:158
    #3 0x7ff5e1d257ea in nsHTMLInputElement::FreeData() firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:608
    #4 0x7ff5e1d2541d in ~nsHTMLInputElement firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:598
    #5 0x7ff5e1d24f89 in ~nsHTMLInputElement firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:592
    #6 0x7ff5e0f2b0bd in nsNodeUtils::LastRelease(nsINode*) firefox/aurora/content/base/src/nsNodeUtils.cpp:284
    #7 0x7ff5e0e2f3cf in nsGenericElement::Release() firefox/aurora/content/base/src/nsGenericElement.cpp:5099
    #8 0x7ff5e1d27a34 in nsHTMLInputElement::Release() firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:651
    #9 0x7ff5e92c9ff0 in ~nsCOMPtr_base firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:81
    #10 0x7ff5deeb6dd6 in ~nsCOMPtr firefox/aurora/../../dist/include/nsCOMPtr.h:476
    #11 0x7ff5deeb6aa3 in ~nsCOMPtr firefox/aurora/../../dist/include/nsCOMPtr.h:476
    #12 0x7ff5e0a4f470 in AnonymousContentDestroyer::~AnonymousContentDestroyer() firefox/aurora/content/base/src/nsContentUtils.cpp:4282
    #13 0x7ff5e0a4f163 in AnonymousContentDestroyer::~AnonymousContentDestroyer() firefox/aurora/content/base/src/nsContentUtils.cpp:4282
    #14 0x7ff5e0a4f299 in AnonymousContentDestroyer::~AnonymousContentDestroyer() firefox/aurora/content/base/src/nsContentUtils.cpp:4282
    #15 0x7ff5e930fd52 in nsRunnable::Release() firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:55
    #16 0x7ff5e92c9ff0 in ~nsCOMPtr_base firefox/aurora/objdir-ff-asan-sym/xpcom/build/nsCOMPtr.cpp:81
    #17 0x7ff5dd96a336 in ~nsCOMPtr firefox/aurora/../../dist/include/nsCOMPtr.h:476
    #18 0x7ff5dd9659e3 in ~nsCOMPtr firefox/aurora/../../dist/include/nsCOMPtr.h:476
    #19 0x7ff5df373663 in nsTArrayElementTraits<nsCOMPtr<nsIRunnable> >::Destruct(nsCOMPtr<nsIRunnable>*) firefox/aurora/../../dist/include/nsTArray.h:381
    #20 0x7ff5df3733d8 in nsTArray<nsCOMPtr<nsIRunnable>, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:1242
    #21 0x7ff5df372e67 in nsTArray<nsCOMPtr<nsIRunnable>, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) firefox/aurora/../../dist/include/nsTArray.h:964
    #22 0x7ff5e0a0dcea in nsContentUtils::RemoveScriptBlocker() firefox/aurora/content/base/src/nsContentUtils.cpp:4735
    #23 0x7ff5df0391cb in ~nsAutoScriptBlocker firefox/aurora/../../../dist/include/nsContentUtils.h:2169
    #24 0x7ff5e1a6a5e6 in ~nsAutoScriptBlockerSuppressNodeRemoved firefox/aurora/../../../dist/include/nsContentUtils.h:2186
    #25 0x7ff5e1a2aac3 in ~nsAutoScriptBlockerSuppressNodeRemoved firefox/aurora/../../../dist/include/nsContentUtils.h:2186
    #26 0x7ff5e3e5aa4a in nsHTMLEditRules::DocumentModifiedWorker() firefox/aurora/editor/libeditor/html/nsHTMLEditRules.cpp:9253
    #27 0x7ff5e3e5ba69 in nsRunnableMethodImpl<void (nsHTMLEditRules::*)(), true>::Run() firefox/aurora/../../../dist/include/nsThreadUtils.h:345
    #28 0x7ff5e0a0dc15 in nsContentUtils::RemoveScriptBlocker() firefox/aurora/content/base/src/nsContentUtils.cpp:4729
    #29 0x7ff5df0391cb in ~nsAutoScriptBlocker firefox/aurora/../../../dist/include/nsContentUtils.h:2169
previously allocated by thread T0 here:
    #0 0x4a4332 in malloc ??:0
    #1 0x7ff5f534d7c7 in moz_xmalloc firefox/aurora/memory/mozalloc/mozalloc.cpp:87
    #2 0x7ff5e1d24194 in nsHTMLInputElement firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:575
    #3 0x7ff5e1d232e2 in NS_NewHTMLInputElement(already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) firefox/aurora/content/html/content/src/nsHTMLInputElement.cpp:555
    #4 0x7ff5e221b65e in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) firefox/aurora/content/html/document/src/nsHTMLContentSink.cpp:533
    #5 0x7ff5e221bf30 in NS_NewHTMLElement(nsIContent**, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) firefox/aurora/content/html/document/src/nsHTMLContentSink.cpp:516
    #6 0x7ff5df553ebd in nsFileControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo, nsTArrayDefaultAllocator>&) firefox/aurora/layout/forms/nsFileControlFrame.cpp:176
    #7 0x7ff5df5599bf in non-virtual thunk to nsFileControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo, nsTArrayDefaultAllocator>&) firefox/aurora/modules/zlib/src/gzlib.c:0
    #8 0x7ff5defb4aa9 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo, nsTArrayDefaultAllocator>&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:3885
    #9 0x7ff5def82cdf in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:9524
    #10 0x7ff5defb09ea in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:3752
    #11 0x7ff5defc66cf in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:5429
    #12 0x7ff5def818fa in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:9458
    #13 0x7ff5def83944 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:9602
    #14 0x7ff5def97b61 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, nsIFrame*, nsIFrame*, nsStyleContext*, nsIFrame**, nsFrameItems&, bool, PendingBinding*) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:10649
    #15 0x7ff5defbb1df in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&, nsIFrame**) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:4481
    #16 0x7ff5defaea74 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:3627
    #17 0x7ff5defc66cf in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:5429
    #18 0x7ff5def818fa in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:9458
    #19 0x7ff5defe8bc6 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) firefox/aurora/layout/base/nsCSSFrameConstructor.cpp:6618
    #20 0x7ff5df3e714e in PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) firefox/aurora/layout/base/nsPresShell.cpp:4182
    #21 0x7ff5df3e7307 in non-virtual thunk to PresShell::ContentAppended(nsIDocument*, nsIContent*, nsIContent*, int) firefox/aurora/modules/zlib/src/gzlib.c:0
    #22 0x7ff5e0f27e53 in nsNodeUtils::ContentAppended(nsIContent*, nsIContent*, int) firefox/aurora/content/base/src/nsNodeUtils.cpp:150
==15631== ABORTING
Stats: 136M malloced (169M for red zones) by 426069 calls
Stats: 41M realloced by 18288 calls
Stats: 104M freed by 209917 calls
Stats: 0M really freed by 0 calls
Stats: 344M (88110 full pages) mmaped in 86 calls
  mmaps   by size class: 8:360426; 9:49146; 10:16380; 11:16376; 12:3072; 13:2048; 14:1536; 15:384; 16:576; 17:128; 18:96; 19:56; 20:16;
  mallocs by size class: 8:348901; 9:42470; 10:14100; 11:14458; 12:2054; 13:1645; 14:1383; 15:270; 16:519; 17:113; 18:93; 19:50; 20:13;
  frees   by size class: 8:148518; 9:33826; 10:11376; 11:11882; 12:1415; 13:816; 14:1202; 15:231; 16:446; 17:98; 18:52; 19:45; 20:10;
  rfrees  by size class:
Stats: malloc large: 269 small slow: 1878
Shadow byte and word:
  0x1ffeb65b5b33: fd
  0x1ffeb65b5b30: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffeb65b5b10: fd fd fd fd fd fd fd fd
  0x1ffeb65b5b18: fd fd fd fd fd fd fd fd
  0x1ffeb65b5b20: fa fa fa fa fa fa fa fa
  0x1ffeb65b5b28: fa fa fa fa fa fa fa fa
=>0x1ffeb65b5b30: fd fd fd fd fd fd fd fd
  0x1ffeb65b5b38: fd fd fd fd fd fd fd fd
  0x1ffeb65b5b40: fa fa fa fa fa fa fa fa
  0x1ffeb65b5b48: fa fa fa fa fa fa fa fa
  0x1ffeb65b5b50: fd fd fd fd fd fd fd fd
Whiteboard: [asan]
Component: General → DOM: Core & HTML
Product: Firefox → Core
QA Contact: general → general
Hmm, so that's on Aurora, right?  This is what happens on trunk:

ERROR: AddressSanitizer heap-use-after-free on address 0x7faf4613d2a0 at pc 0x7faf71c460bb bp 0x7fffc0f29d10 sp 0x7fffc0f29d08
WRITE of size 8 at 0x7faf4613d2a0 thread T0
    #0 0x7faf71c460bb in ~nsCOMPtr /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsCOMPtr.h:518
    #1 0x7faf71c458c1 in nsCOMPtr<nsIControllers>::assign_from_qi(nsQueryInterface, nsID const&) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsCOMPtr.h:1170
    #2 0x7faf70a570af in nsContentUtils::GetViewportInfo(nsIDocument*) /home/ehsan/moz/mozilla-inbound/content/base/src/nsContentUtils.cpp:4899
    #3 0x7faf6edccd58 in nsCSSFrameConstructor::CreateNeededTablePseudos(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9438
    #4 0x7faf6edb0ae3 in nsCSSFrameConstructor::FrameConstructionItemList::Iterator::AppendItemToList(nsCSSFrameConstructor::FrameConstructionItemList&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:11838
    #5 0x7faf6f4139d6 in nsHTMLButtonControlFrame::Init(nsIContent*, nsIFrame*, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/forms/nsHTMLButtonControlFrame.cpp:100
    #6 0x7faf70a570af in nsContentUtils::GetViewportInfo(nsIDocument*) /home/ehsan/moz/mozilla-inbound/content/base/src/nsContentUtils.cpp:4899
    #7 0x7faf70c6f4f0 in nsDocument::GetElementById(nsAString_internal const&, nsIDOMElement**) /home/ehsan/moz/mozilla-inbound/content/base/src/nsDocument.cpp:4100
    #8 0x7faf7244a64e in nsScriptLoader::GetCurrentParserInsertedScript() /home/ehsan/moz/mozilla-inbound/content/html/document/src/../../../base/src/nsScriptLoader.h:130
    #9 0x7faf73e451d8 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /home/ehsan/moz/mozilla-inbound/parser/html/nsHtml5TreeOperation.cpp:700
    #10 0x7faf73e44727 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) /home/ehsan/moz/mozilla-inbound/parser/html/nsHtml5TreeOperation.cpp:631
    #11 0x7faf73e2caab in nsHtml5TreeOperation::AppendTextToTextNode(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) /home/ehsan/moz/mozilla-inbound/parser/html/nsHtml5TreeOperation.cpp:168
    #12 0x7faf73e4a1f1 in nsHtml5PendingNotification::Contains(nsIContent*) /home/ehsan/moz/mozilla-inbound/parser/html/nsHtml5PendingNotification.h:65
    #13 0x7faf73e89285 in nsHtml5StreamParser::DoDataAvailable(unsigned char*, unsigned int) /home/ehsan/moz/mozilla-inbound/parser/html/nsHtml5StreamParser.cpp:1099
    #14 0x7faf7a132d56 in ~nsRunnableMethodImpl /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/threads/../../dist/include/nsThreadUtils.h:329
    #15 0x7faf79d64cb0 in nsTArrayElementTraits<mozilla::DeadlockDetector<mozilla::BlockingResourceBase::DeadlockDetectorEntry>::ResourceAcquisition>::Destruct(mozilla::DeadlockDetector<mozilla::BlockingResourceBase::DeadlockDetectorEntry>::ResourceAcquisition*) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/build/../../dist/include/nsTArray.h:379
    #16 0x7faf78f66d88 in _Deque_base /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_deque.h:460
    #17 0x7faf7a50f300 in std::_Miter_base<MessageLoop::DestructionObserver**>::iterator_type std::__miter_base<MessageLoop::DestructionObserver**>(MessageLoop::DestructionObserver**) /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_algobase.h:283
    #18 0x7faf7a50ef13 in std::_Vector_base<MessageLoop::DestructionObserver*, std::allocator<MessageLoop::DestructionObserver*> >::_M_get_Tp_allocator() const /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:100
    #19 0x7faf7a50edf8 in std::vector<MessageLoop::DestructionObserver*, std::allocator<MessageLoop::DestructionObserver*> >::size() const /usr/lib/gcc/x86_64-linux-gnu/4.6/../../../../include/c++/4.6/bits/stl_vector.h:571
    #20 0x7faf783cbcb6 in nsTArray<DataStruct, nsTArrayDefaultAllocator>::ElementAt(unsigned int) const /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/widget/xpwidgets/../../dist/include/nsTArray.h:568
    #21 0x7faf76da2dea in nsTypeAheadFind::FindItNow(nsIPresShell*, bool, bool, bool, unsigned short*) /home/ehsan/moz/mozilla-inbound/toolkit/components/typeaheadfind/nsTypeAheadFind.cpp:306
    #22 0x7faf6d3edc7b in XREMain::XRE_mainRun() /home/ehsan/moz/mozilla-inbound/toolkit/xre/nsAppRunner.cpp:3749
    #23 0x7faf6d3f41ea in SamplerStackFrameRAII /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/base/../../dist/include/sps_sampler.h:177
    #24 0x7faf6d3f7ec8 in nsCOMPtr<nsIObserverService>::Assert_NoQueryNeeded() /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/base/../../dist/include/nsCOMPtr.h:528
    #25 0x40899a in do_main /home/ehsan/moz/mozilla-inbound/browser/app/nsBrowserApp.cpp:190
    #26 0x406509 in main /home/ehsan/moz/mozilla-inbound/browser/app/nsBrowserApp.cpp:277
    #27 0x7faf8b73230d in __libc_start_main /build/buildd/eglibc-2.13/csu/libc-start.c:258
0x7faf4613d2a0 is located 32 bytes inside of 136-byte region [0x7faf4613d280,0x7faf4613d308)
freed by thread T0 here:
    #0 0x4ad142 in free ??:0
    #1 0x7faf89c72583 in moz_free /home/ehsan/moz/mozilla-inbound/memory/mozalloc/mozalloc.cpp:82
    #2 0x7faf71c1fece in nsTextEditorState::UnbindFromFrame(nsTextControlFrame*) /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsTextEditorState.cpp:1447
    #3 0x7faf71eb772a in UploadLastDir::Observe(nsISupports*, char const*, unsigned short const*) /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsHTMLInputElement.cpp:541
    #4 0x7faf71eb735d in UploadLastDir::Observe(nsISupports*, char const*, unsigned short const*) /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsHTMLInputElement.cpp:534
    #5 0x7faf71eb6ec9 in nsCOMPtr /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/editor/composer/src/../../../dist/include/nsCOMPtr.h:616
    #6 0x7faf7100c7b3 in nsCOMPtr<nsIDOMNode>::operator=(nsQueryInterfaceWithError const&) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/base/src/../../../dist/include/nsCOMPtr.h:678
    #7 0x7faf70ef6df1 in nsGenericElement::CopyInnerTo(nsGenericElement*) const /home/ehsan/moz/mozilla-inbound/content/base/src/nsGenericElement.cpp:5171
    #8 0x7faf71eb9afc in ~nsHTMLInputElement /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsHTMLInputElement.cpp:592
    #9 0x7faf6ec1a3ef in already_AddRefed /home/ehsan/moz/mozilla-inbound/xpcom/build/../glue/nsCOMPtr.h:180
    #10 0x7faf6ec19e33 in nsXPCJSContextStackIterator /home/ehsan/moz/mozilla-inbound/js/xpconnect/src/xpcprivate.h:3688
    #11 0x7faf70aaca70 in nsAutoArrayBase<nsTArray<nsAutoMutationBatch::BatchObserver, nsTArrayDefaultAllocator>, 2u>::Init() /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsTArray.h:1353
    #12 0x7faf70aac763 in nsAutoArrayBase /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsTArray.h:1329
    #13 0x7faf70aac899 in nsTArray /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsTArray.h:468
    #14 0x7faf79d61093 in mozilla::Mutex::Lock() /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/build/BlockingResourceBase.cpp:257
    #15 0x7faf6d47e65f in nsAString_internal::IsEmpty() const /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/xpcom/io/../../dist/include/nsTSubstring.h:217
    #16 0x7faf6d479363 in XRE_SendTestShellCommand /home/ehsan/moz/mozilla-inbound/toolkit/xre/nsEmbedFunctions.cpp:745
    #17 0x7faf6f166bc3 in nsTArray<nsFontFaceRuleContainer, nsTArrayDefaultAllocator>::DestructRange(unsigned int, unsigned int) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/layout/style/../../dist/include/nsTArray.h:1241
    #18 0x7faf6f166938 in nsTArray<nsFontFaceRuleContainer, nsTArrayDefaultAllocator>::RemoveElementsAt(unsigned int, unsigned int) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/layout/style/../../dist/include/nsTArray.h:963
    #19 0x7faf6f166305 in nsTArray<nsFontFaceRuleContainer, nsTArrayDefaultAllocator>::Clear() /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/layout/style/../../dist/include/nsTArray.h:973
    #20 0x7faf70a57223 in nsContentUtils::GetViewportInfo(nsIDocument*) /home/ehsan/moz/mozilla-inbound/content/base/src/nsContentUtils.cpp:4904
    #21 0x7faf6edccd58 in nsCSSFrameConstructor::CreateNeededTablePseudos(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9438
    #22 0x7faf71be1958 in nsTArray<nsGenericHTMLFormElement*, nsTArrayDefaultAllocator>::RemoveElementAt(unsigned int) /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsTArray.h:968
    #23 0x7faf71b9e663 in nsIDocument::GetCachedEncoder() /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/content/html/content/src/../../../../dist/include/nsIDocument.h:1213
    #24 0x7faf742a692a in nsHTMLEditRules::UpdateDocChangeRange(nsIDOMRange*) /home/ehsan/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditRules.cpp:8422
    #25 0x7faf742a7969 in nsHTMLEditRules::WillCreateNode(nsAString_internal const&, nsIDOMNode*, int) /home/ehsan/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditRules.cpp:8479
    #26 0x7faf70a570af in nsContentUtils::GetViewportInfo(nsIDocument*) /home/ehsan/moz/mozilla-inbound/content/base/src/nsContentUtils.cpp:4899
    #27 0x7faf6edccd58 in nsCSSFrameConstructor::CreateNeededTablePseudos(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9438
    #28 0x7faf6edb0ae3 in nsCSSFrameConstructor::FrameConstructionItemList::Iterator::AppendItemToList(nsCSSFrameConstructor::FrameConstructionItemList&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:11838
    #29 0x7faf6f4139d6 in nsHTMLButtonControlFrame::Init(nsIContent*, nsIFrame*, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/forms/nsHTMLButtonControlFrame.cpp:100
previously allocated by thread T0 here:
    #0 0x4ad202 in malloc ??:0
    #1 0x7faf89c726d7 in moz_xmalloc /home/ehsan/moz/mozilla-inbound/memory/mozalloc/mozalloc.cpp:87
    #2 0x7faf71eb60d4 in UploadLastDir::Release() /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsHTMLInputElement.cpp:447
    #3 0x7faf71eb5222 in UploadLastDir::StoreLastUsedDirectory(nsIURI*, nsILocalFile*) /home/ehsan/moz/mozilla-inbound/content/html/content/src/nsHTMLInputElement.cpp:530
    #4 0x7faf723dacb0 in HTMLContentSink::CreateContentObject(nsIParserNode const&, nsHTMLTag) /home/ehsan/moz/mozilla-inbound/content/html/document/src/nsHTMLContentSink.cpp:495
    #5 0x7faf723db63d in CreateHTMLElement(unsigned int, already_AddRefed<nsINodeInfo>, mozilla::dom::FromParser) /home/ehsan/moz/mozilla-inbound/content/html/document/src/nsHTMLContentSink.cpp:523
    #6 0x7faf6f38c36d in nsCOMPtr /home/ehsan/moz/mozilla-inbound/objdir-ff-asan/accessible/src/html/../../../dist/include/nsCOMPtr.h:581
    #7 0x7faf6f39246f in nsFileControlFrame::CaptureMouseListener::HandleEvent(nsIDOMEvent*) /home/ehsan/moz/mozilla-inbound/layout/forms/nsFileControlFrame.cpp:339
    #8 0x7faf6ed31d28 in nsCSSFrameConstructor::FindXULListItemData(mozilla::dom::Element*, nsStyleContext*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:4133
    #9 0x7faf6ecfaf1a in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9667
    #10 0x7faf6ed2c76e in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&, nsIFrame**) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:4472
    #11 0x7faf6ed434ef in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:10923
    #12 0x7faf6ecf973f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9643
    #13 0x7faf6ecfc026 in nsCSSFrameConstructor::ConstructTableRow(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&, nsIFrame**) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:2001
    #14 0x7faf6ed11a92 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, nsIAtom*, bool, nsIFrame*&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:4216
    #15 0x7faf6ed2ffaf in nsCSSFrameConstructor::ConstructFrame(nsFrameConstructorState&, nsIContent*, nsIFrame*, nsFrameItems&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:4938
    #16 0x7faf6ed2a479 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:3825
    #17 0x7faf6ed434ef in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:10923
    #18 0x7faf6ecf973f in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:9643
    #19 0x7faf6ed6abe0 in MaybeGetListBoxBodyFrame /home/ehsan/moz/mozilla-inbound/layout/base/nsCSSFrameConstructor.cpp:6064
    #20 0x7faf6f1e744c in nsIPresShell::ReconstructStyleDataInternal() /home/ehsan/moz/mozilla-inbound/layout/base/nsPresShell.cpp:4286
    #21 0x7faf6f1e7717 in nsIPresShell::ReconstructStyleDataInternal() /home/ehsan/moz/mozilla-inbound/layout/base/nsPresShell.cpp:4290
    #22 0x7faf71008e6d in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, int, nsIContent*) /home/ehsan/moz/mozilla-inbound/content/base/src/nsNodeUtils.cpp:200
==16068== ABORTING
Stats: 710M malloced (729M for red zones) by 1563660 calls
Stats: 115M realloced by 101456 calls
Stats: 659M freed by 1245137 calls
Stats: 532M really freed by 909720 calls
Stats: 616M (157788 full pages) mmaped in 154 calls
  mmaps   by size class: 8:573405; 9:65528; 10:36855; 11:20470; 12:8192; 13:5632; 14:3072; 15:768; 16:640; 17:256; 18:288; 19:56; 20:28; 21:4; 22:3;
  mallocs by size class: 8:1180107; 9:180121; 10:94164; 11:61050; 12:20792; 13:14018; 14:8161; 15:2216; 16:1684; 17:502; 18:686; 19:91; 20:61; 21:4; 22:3;
  frees   by size class: 8:897158; 9:158797; 10:87363; 11:56500; 12:19155; 13:13511; 14:7746; 15:2133; 16:1495; 17:479; 18:648; 19:88; 20:58; 21:3; 22:3;
  rfrees  by size class: 8:631652; 9:125980; 10:69496; 11:48357; 12:13765; 13:11124; 14:5401; 15:1613; 16:1213; 17:416; 18:558; 19:86; 20:53; 21:3; 22:3;
Stats: malloc large: 1347 small slow: 8751
Shadow byte and word:
  0x1ff5e8c27a54: fd
  0x1ff5e8c27a50: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff5e8c27a30: 00 00 00 02 fb fb fb fb
  0x1ff5e8c27a38: fb fb fb fb fb fb fb fb
  0x1ff5e8c27a40: fa fa fa fa fa fa fa fa
  0x1ff5e8c27a48: fa fa fa fa fa fa fa fa
=>0x1ff5e8c27a50: fd fd fd fd fd fd fd fd
  0x1ff5e8c27a58: fd fd fd fd fd fd fd fd
  0x1ff5e8c27a60: fd fd fd fd fd fd fd fd
  0x1ff5e8c27a68: fd fd fd fd fd fd fd fd
  0x1ff5e8c27a70: fd fd fd fd fd fd fd fd
Hmm, the stacks I'm getting seem to be completely bogus.  Can someone else try to reproduce this as well?
With a Mac opt ASAN build and the testcase, I get the following, which is probably useless since I'm running optimized:

=================================================================
==99745== ERROR: AddressSanitizer heap-use-after-free on address 0x000177bde990 at pc 0x1053abf3c bp 0x7fff5fbfa100 sp 0x7fff5fbfa0f8
WRITE of size 8 at 0x000177bde990 thread T0
    #0 0x1053abf3c (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xc27f3c)
    #1 0x1050dcc5a (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x958c5a)
    #2 0x104d032a0 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x57f2a0)
    #3 0x1050dcc5a (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x958c5a)
    #4 0x10512fb09 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x9abb09)
    #5 0x10549d7d9 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xd197d9)
    #6 0x1058ed60c (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x116960c)
    #7 0x1058f2e3b (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x116ee3b)
    #8 0x1058ff372 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x117b372)
    #9 0x1067eed48 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x206ad48)
    #10 0x106428893 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x1ca4893)
0x000177bde990 is located 16 bytes inside of 120-byte region [0x000177bde980,0x000177bde9f8)
freed by thread T0 here:
    #0 0x10000bdb7 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/./firefox+0xbdb7)
    #1 0x7fff8e0e7857 (/usr/lib/system/libsystem_c.dylib+0xa0857)
    #2 0x1053ed5f5 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xc695f5)
    #3 0x1051915bf (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xa0d5bf)
previously allocated by thread T0 here:
    #0 0x10000bbb4 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/./firefox+0xbbb4)
    #1 0x7fff8e0e73c8 (/usr/lib/system/libsystem_c.dylib+0xa03c8)
    #2 0x7fff8e0e81a4 (/usr/lib/system/libsystem_c.dylib+0xa11a4)
    #3 0x1020da530 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/libmozalloc.dylib+0x1530)
    #4 0x1053ecd54 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xc68d54)
    #5 0x105487919 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0xd03919)
    #6 0x104cee745 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x56a745)
    #7 0x104bd6327 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x452327)
    #8 0x104bcdb93 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x449b93)
    #9 0x104bd57dc (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x4517dc)
    #10 0x104bd8cfc (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x454cfc)
    #11 0x104bebe9c (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x467e9c)
    #12 0x104bcdef7 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x449ef7)
    #13 0x104bd1786 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x44d786)
    #14 0x104bd7106 (/Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/XUL+0x453106)
==99745== ABORTING
Stats: 628M malloced (601M for red zones) by 1339082 calls
Stats: 72M realloced by 43352 calls
Stats: 571M freed by 1003158 calls
Stats: 430M really freed by 747024 calls
Stats: 600M (153683 full pages) mmaped in 149 calls
  mmaps   by size class: 8:491490; 9:90101; 10:53235; 11:24564; 12:5120; 13:3072; 14:2560; 15:896; 16:704; 17:512; 18:144; 19:72; 20:16; 21:2; 22:4; 23:1; 
  mallocs by size class: 8:959492; 9:196993; 10:109991; 11:45591; 12:9336; 13:8059; 14:4360; 15:1961; 16:1377; 17:1472; 18:298; 19:105; 20:37; 21:2; 22:7; 23:1; 
  frees   by size class: 8:660169; 9:172816; 10:103969; 11:41890; 12:7882; 13:7667; 14:3905; 15:1862; 16:1151; 17:1445; 18:267; 19:92; 20:35; 22:7; 23:1; 
  rfrees  by size class: 8:494249; 9:125456; 10:76690; 11:32250; 12:5678; 13:5883; 14:3218; 15:1343; 16:927; 17:1010; 18:206; 19:84; 20:23; 22:6; 23:1; 
Stats: malloc large: 1978 small slow: 6987
Shadow byte and word:
  0x10002ef7bd32: fd
  0x10002ef7bd30: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x10002ef7bd10: fd fd fd fd fd fd fd fd
  0x10002ef7bd18: fd fd fd fd fd fd fd fd
  0x10002ef7bd20: fa fa fa fa fa fa fa fa
  0x10002ef7bd28: fa fa fa fa fa fa fa fa
=>0x10002ef7bd30: fd fd fd fd fd fd fd fd
  0x10002ef7bd38: fd fd fd fd fd fd fd fd
  0x10002ef7bd40: fa fa fa fa fa fa fa fa
  0x10002ef7bd48: fa fa fa fa fa fa fa fa
  0x10002ef7bd50: fd fd fd fd fd fd fd fd
You need to use the script here <http://code.google.com/p/address-sanitizer/wiki/AddressSanitizer#Call_stack> to get a sensible callstack (piping it through c++filt is also a good idea).
Yeah, I have the asan_symbolize.py from llvm. I didn't realize that I needed to do that. The output from the crash after going through that is:

==99745== ERROR: AddressSanitizer heap-use-after-free on address 0x000177bde990 at pc 0x1053abf3c bp 0x7fff5fbfa100 sp 0x7fff5fbfa0f8
WRITE of size 8 at 0x000177bde990 thread T0
    #0 0x1053abf3b in 0x00c27f3c (in XUL)
    #1 0x1050dcc5a in nsContentUtils::RemoveScriptBlocker nsContentUtils.cpp:4809
    #2 0x104d032a0 in nsTextControlFrame::EditorInitializer::Run nsTextControlFrame.h:316
    #3 0x1050dcc5a in nsContentUtils::RemoveScriptBlocker nsContentUtils.cpp:4809
    #4 0x10512fb09 in nsDocument::EndUpdate nsDocument.cpp:4042
    #5 0x10549d7d9 in nsHTMLDocument::EndUpdate nsHTMLDocument.cpp:2277
    #6 0x1058ed60c in nsHtml5TreeOperation::Perform nsHtml5TreeOperation.cpp:661
    #7 0x1058f2e3b in nsHtml5TreeOpExecutor::RunFlushLoop nsHtml5TreeOpExecutor.cpp:547
    #8 0x1058ff372 in nsHtml5ExecutorFlusher::Run nsHtml5StreamParser.cpp:160
    #9 0x1067eed48 in NS_ProcessPendingEvents_P nsThreadUtils.cpp:195
    #10 0x106428893 in nsBaseAppShell::NativeEventCallback nsBaseAppShell.cpp:131
0x000177bde990 is located 16 bytes inside of 120-byte region [0x000177bde980,0x000177bde9f8)
freed by thread T0 here:
got symbolicator for /Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/firefox, base address 100000000
    #0 0x10000bdb6 in (anonymous namespace)::mz_free(_malloc_zone_t*, void*) (in firefox) + 86
    #1 0x7fff8e0e7857 in free (in libsystem_c.dylib) + 400
    #2 0x1053ed5f5 in nsHTMLInputElement::FreeData mozalloc.h:253
    #3 0x1051915bf in nsGenericElement::Release nsGenericElement.cpp:5096
previously allocated by thread T0 here:
got symbolicator for /Users/albill/hg/mozilla-central-asan/objdir-ff-asan/dist/bin/firefox, base address 100000000
    #0 0x10000bbb3 in (anonymous namespace)::mz_malloc(_malloc_zone_t*, unsigned long) (in firefox) + 67
    #1 0x7fff8e0e73c8 in malloc_zone_malloc (in libsystem_c.dylib) + 77
    #2 0x7fff8e0e81a4 in malloc (in libsystem_c.dylib) + 44
    #3 0x1020da530 in moz_xmalloc mozalloc.cpp:87
    #4 0x1053ecd54 in NS_NewHTMLInputElement nsHTMLInputElement.cpp:555
    #5 0x105487919 in NS_NewHTMLElement nsHTMLContentSink.cpp:516
    #6 0x104cee745 in nsFileControlFrame::CreateAnonymousContent nsFileControlFrame.cpp:176
    #7 0x104bd6327 in nsCSSFrameConstructor::GetAnonymousContent nsCSSFrameConstructor.cpp:3885
    #8 0x104bcdb93 in nsCSSFrameConstructor::ProcessChildren nsCSSFrameConstructor.cpp:9524
    #9 0x104bd57dc in nsCSSFrameConstructor::ConstructFrameFromItemInternal nsCSSFrameConstructor.cpp:3752
    #10 0x104bd8cfc in nsCSSFrameConstructor::ConstructFramesFromItem nsCSSFrameConstructor.cpp:5429
    #11 0x104bebe9c in nsCSSFrameConstructor::ConstructFramesFromItemList nsCSSFrameConstructor.cpp:9458
    #12 0x104bcdef7 in nsCSSFrameConstructor::ProcessChildren nsCSSFrameConstructor.cpp:9602
    #13 0x104bd1786 in nsCSSFrameConstructor::ConstructBlock nsCSSFrameConstructor.cpp:10649
    #14 0x104bd7106 in nsCSSFrameConstructor::ConstructNonScrollableBlock nsCSSFrameConstructor.cpp:4481
==99745== ABORTING
Stats: 628M malloced (601M for red zones) by 1339082 calls
Stats: 72M realloced by 43352 calls
Stats: 571M freed by 1003158 calls
Stats: 430M really freed by 747024 calls
Stats: 600M (153683 full pages) mmaped in 149 calls
  mmaps   by size class: 8:491490; 9:90101; 10:53235; 11:24564; 12:5120; 13:3072; 14:2560; 15:896; 16:704; 17:512; 18:144; 19:72; 20:16; 21:2; 22:4; 23:1;
  mallocs by size class: 8:959492; 9:196993; 10:109991; 11:45591; 12:9336; 13:8059; 14:4360; 15:1961; 16:1377; 17:1472; 18:298; 19:105; 20:37; 21:2; 22:7; 23:1;
  frees   by size class: 8:660169; 9:172816; 10:103969; 11:41890; 12:7882; 13:7667; 14:3905; 15:1862; 16:1151; 17:1445; 18:267; 19:92; 20:35; 22:7; 23:1;
  rfrees  by size class: 8:494249; 9:125456; 10:76690; 11:32250; 12:5678; 13:5883; 14:3218; 15:1343; 16:927; 17:1010; 18:206; 19:84; 20:23; 22:6; 23:1;
Stats: malloc large: 1978 small slow: 6987
Shadow byte and word:
  0x10002ef7bd32: fd
  0x10002ef7bd30: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x10002ef7bd10: fd fd fd fd fd fd fd fd
  0x10002ef7bd18: fd fd fd fd fd fd fd fd
  0x10002ef7bd20: fa fa fa fa fa fa fa fa
  0x10002ef7bd28: fa fa fa fa fa fa fa fa
=>0x10002ef7bd30: fd fd fd fd fd fd fd fd
  0x10002ef7bd38: fd fd fd fd fd fd fd fd
  0x10002ef7bd40: fa fa fa fa fa fa fa fa
  0x10002ef7bd48: fa fa fa fa fa fa fa fa
  0x10002ef7bd50: fd fd fd fd fd fd fd fd
Assigning to Johnny to get it on someone's plate. Please reassign as you see fit.
Assignee: nobody → jst
I have figured this out...
Assignee: jst → ehsan
Attached patch Patch (v1)Splinter Review 
What's happening is that the RestoreSelectionState object gets revoked, but it still calls back on the nsTextEditorState object.  But that object could be destroyed now.

This patch adds the same protection as we have for mFrame for mTextEditorState as well.
Attachment #619679 - Flags: review?(bzbarsky)
Also, FWIW, I do not think this is exploitable.  Worst comes to worst, this should trigger a safe crash.
Comment on attachment 619679 [details] [diff] [review]
Patch (v1)

r=me
Attachment #619679 - Flags: review?(bzbarsky) → review+
Opening based on comment 10. Thanks Ehsan.
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/8c8e5e2631be
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Verified in my ASAN build on OS X. I'm not getting the error anymore.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: