Created attachment 629613
test-case triggering the crash (*.zip)
ASan detected a use-after-free when running the attached test-case. The ASan log is for build http://hg.mozilla.org/mozilla-central/rev/12ab69851e05
When testing, I was not able to reproduce on Windows 7 x64, neither on stable nor on 15.0a1. It crashes for me only on Linux (Ubuntu 11.10 x64).
Created attachment 629614
ASan log (12ab69851e05)
Is DOMSVGTests.cpp only a test file, or is that present in release builds? Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?
Daniel: can you find an owner for this one? Thanks!
(In reply to Daniel Veditz [:dveditz] from comment #2)
> Is DOMSVGTests.cpp only a test file, or is that present in release builds?
Present in release builds. It lets authors render different content depending on available features & the system language.
> Is the problem _in_ the SVG file or is it a bug in the underlying nsTArray?
It's almost certainly an SVG bug.
> Daniel: can you find an owner for this one? Thanks!
CC'ing longsonr, since he wrote that file and has been working with that code recently.
In fact -- I'd bet that this is fixed by his patch on bug 761507. (That patch lets us keep DOMSVGTests' PropertyTable entries around after adoptNode is called, and this bug's ASAN log is in nsDocument::AdoptNode() calling nsPropertyTable::PropertyList::DeletePropertyFor, so I doubt we'll hit the ASAN-flagged stack anymore.)
That patch has landed on mozilla-inbound, but it hasn't quite made it to mozilla-central yet. Once it does, it'd be awesome if Arthur or someone with ASAN configuration could re-test to verify that this is fixed.
bug 761507's patch has now made it to mozilla-central (bug 761507 comment 9).
:decoder tells me he's making automated Linux 64-bit ASAN builds now, so I tried the one from yesterday and the one from today -- those are, in order:
Using the testcase attached here, yesterday's build crashes and reports a use-after-free. Today's build is fine -- no crash, no use-after-free. So, confirmed fixed by bug 761507. Pretty sure this is a duplicate of that bug -- marking as such.
Thanks for the bug report, Arthur!
*** This bug has been marked as a duplicate of bug 761507 ***
...though note that, for security-bug-bounty purposes, this bug here was filed before bug 761507 (as well as before related bug 761499).
Daniel: if you don't mind I'd like to call this one "FIXED" rather than "DUPE" as a testing hint that we should verify this testcase separately to be sure. I'm going to save Al some work by marking this verified based on comment 4, but we should double-check when this lands on Aurora (to make Firefox 15).
(In reply to Daniel Holbert [:dholbert] from comment #5)
> ...though note that, for security-bug-bounty purposes, this bug here was
> filed before bug 761507 (as well as before related bug 761499).
According to http://www.mozilla.org/security/bug-bounty.html the bug must be in a Beta or release candidate. Unless we fail to fix it in Aurora, that won't be the case will it?
(In reply to Robert Longson from comment #8)
> According to http://www.mozilla.org/security/bug-bounty.html the bug must be
> in a Beta or release candidate. Unless we fail to fix it in Aurora, that
> won't be the case will it?
I don't think the document is right there, or at least the formulation is misleading. Even nightly is eligible for bug bounty and has always been since I learned about the program.
Someone should update the document to match reality then.
(In reply to Robert Longson from comment #10)
> Someone should update the document to match reality then.
The FAQ has always said
Fixed by bug 761507, fixed in 15.