Closed Bug 765585 Opened 12 years ago Closed 11 years ago

Heap-use-after-free in js::GCThingIsMarkedGray involving DOM events

Categories

(Core :: DOM: Events, defect)

16 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: ax330d, Unassigned)

Details

(Keywords: sec-moderate, Whiteboard: [asan])

Attachments

(1 file)

Attached file ASan log
ASan detected a heap-use-after-free on build cf4face65451. No testcase yet; trying to catch the bug.
Keywords: testcase-wanted
Looks like an nsGenericElement is holding a pointer to the mEvent field of an nsDOMEvent that has been freed.  Does that ring any bells for you, Olli?
Summary: Heap-use-after-free in js::GCThingIsMarkedGray → Heap-use-after-free in js::GCThingIsMarkedGray involving DOM events
Component: Untriaged → DOM: Events
Product: Firefox → Core
QA Contact: untriaged → events
Elements shouldn't keep
(In reply to Andrew McCreight [:mccr8] from comment #1)
> Looks like an nsGenericElement is holding a pointer to the mEvent field of
> an nsDOMEvent that has been freed.  Does that ring any bells for you, Olli?
No. But if that is the case, it is a bug.
Whiteboard: [asan]
Is there enough information to do anything with this bug, or should we close it incomplete and hope if there's a bad condition here we'll catch it again in future fuzzing?
Status: UNCONFIRMED → NEW
Ever confirmed: true
Looking back at the old revision, it looks like the line that touches freed memory is the NoteXPCOMChild from here:
    PRUint32 kids = tmp->mAttrsAndChildren.ChildCount();
    for (i = 0; i < kids; i++) {
      NS_CYCLE_COLLECTION_NOTE_EDGE_NAME(cb, "mAttrsAndChildren[i]");
      cb.NoteXPCOMChild(tmp->mAttrsAndChildren.GetSafeChildAt(i));
    }

The line number in ~nsDOMEvent was the final close brace.  I'm not sure what that means.

The allocation point in Alloc is this:

    nsStringBuffer *hdr =
        (nsStringBuffer *) malloc(sizeof(nsStringBuffer) + size);

I'm not sure how a string buffer ends up as a child of a node... It all seems pretty odd.  None of the three points referenced by ASan seems to relate to any other.  So I think we'd probably need a test case.
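A minimal model of the dangling-pointer shape Andrew describes above (an element holding a raw pointer to a field of an event object that has since been freed), added here as an illustration and not code from Gecko or from this bug. Every name in it (dom_event, dom_node, internal_event, the scenario functions) is invented, the Gecko types are only paraphrased, and the remedy shown, a counted strong reference held by the node, is one standard fix for this shape, not a claim about what was actually wrong in the real code.

```c
/* Added illustration, not Gecko code: a node holding a raw pointer into an
 * event object that is freed while the node still references it.  All names
 * here (dom_event, dom_node, internal_event, ...) are invented stand-ins. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the internal event record an nsDOMEvent owns ("mEvent"). */
typedef struct internal_event {
    int type;
    char name[32];
} internal_event;

/* Stand-in for nsDOMEvent: owns mEvent and is itself reference counted. */
typedef struct dom_event {
    int refcnt;
    internal_event *mEvent;
} dom_event;

/* Stand-in for nsGenericElement.  Only one of the two fields would exist in a
 * real design; both are here so the unsafe and safe shapes sit side by side. */
typedef struct dom_node {
    const char *tag;
    internal_event *weak_event;  /* UNSAFE: raw pointer into another object */
    dom_event *strong_event;     /* SAFE: counted reference, keeps event alive */
} dom_node;

dom_event *dom_event_new(int type, const char *name) {
    dom_event *e = calloc(1, sizeof *e);
    e->mEvent = calloc(1, sizeof *e->mEvent);   /* the "allocated by" stack in an ASan report */
    e->mEvent->type = type;
    snprintf(e->mEvent->name, sizeof e->mEvent->name, "%s", name);
    e->refcnt = 1;
    return e;
}

void dom_event_addref(dom_event *e) { e->refcnt++; }

/* Drops one reference; returns 1 if that freed the event. */
int dom_event_release(dom_event *e) {
    if (--e->refcnt > 0)
        return 0;
    free(e->mEvent);            /* the "freed by" stack in an ASan report */
    free(e);
    return 1;
}

/* The unsafe shape: if the event was already released, this read is a
 * heap-use-after-free.  ASan reports three stacks for it: this read, the
 * free() in dom_event_release, and the calloc() in dom_event_new. */
int node_event_type_unsafe(const dom_node *n) {
    return n->weak_event ? n->weak_event->type : -1;
}

/* The safe shape: the node owns a counted reference to the whole event. */
void node_set_event(dom_node *n, dom_event *e) {
    if (e)
        dom_event_addref(e);
    if (n->strong_event)
        dom_event_release(n->strong_event);
    n->strong_event = e;
}

int node_event_type(const dom_node *n) {
    return n->strong_event ? n->strong_event->mEvent->type : -1;
}

/* A dispatcher creates an event, a node stores it, the dispatcher finishes.
 * Returns the type read after the dispatcher dropped its reference, or -1 if
 * the event was freed out from under the node (which would be the bug). */
int scenario_strong_ref(void) {
    dom_node node = { "div", NULL, NULL };
    dom_event *ev = dom_event_new(7, "click");   /* refcnt 1: the dispatcher */
    node_set_event(&node, ev);                   /* refcnt 2: node holds it too */
    if (dom_event_release(ev))                   /* dispatcher done: refcnt 1 */
        return -1;
    int type = node_event_type(&node);           /* event still alive */
    node_set_event(&node, NULL);                 /* refcnt 0: freed here, cleanly */
    return type;
}

int main(void) {
    printf("strong ref: type %d\n", scenario_strong_ref());
#ifdef DEMO_UAF
    /* Build with -fsanitize=address -DDEMO_UAF to see the report shape. */
    dom_node node = { "div", NULL, NULL };
    dom_event *ev = dom_event_new(7, "click");
    node.weak_event = ev->mEvent;      /* raw pointer into the event's field */
    dom_event_release(ev);             /* event and its mEvent are freed */
    printf("unsafe: type %d\n", node_event_type_unsafe(&node));  /* use-after-free */
#endif
    return 0;
}
```

Built plainly the program only exercises the counted-reference path. Built with `clang -g -fsanitize=address -DDEMO_UAF` it also runs the raw-pointer path, and the resulting ASan report has the same three parts as the attached log: the stack of the read in node_event_type_unsafe, the stack of the free in dom_event_release, and the stack of the allocation in dom_event_new. The real report is harder to read precisely because, as noted above, its three stacks did not obviously belong to one object.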
I don't think there's anything more we can do here without a test case. Please reopen or file a new bug if you have one.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE
Group: core-security → core-security-release
Group: core-security-release