Closed Bug 785574 (CVE-2012-4179) Opened 12 years ago Closed 12 years ago

Heap-use-after-free in nsHTMLCSSUtils::CreateCSSPropertyTxn

Categories

(Core :: DOM: Editor, defect)

Platform: x86_64
OS: All
Type: defect
Priority: Not set
Severity: critical

Tracking

Status: RESOLVED FIXED
Target Milestone: mozilla18
Tracking Status
firefox16 + fixed
firefox17 + fixed
firefox18 + fixed
firefox-esr10 16+ fixed

People

(Reporter: inferno, Assigned: ehsan.akhgari)

Details

(4 keywords, Whiteboard: [asan][advisory-tracking+])

Attachments

(2 files)

Attached file Testcase
Reproduces on trunk

=================================================================
==5528== ERROR: AddressSanitizer heap-use-after-free on address 0x7fdf641dce80 at pc 0x7fdf86465da5 bp 0x7fffd539e810 sp 0x7fffd539e808
READ of size 8 at 0x7fdf641dce80 thread T0
    #0 0x7fdf86465da4 in nsHTMLCSSUtils::CreateCSSPropertyTxn(nsIDOMElement*, nsIAtom*, nsAString_internal const&, ChangeCSSInlineStyleTxn**, bool) src/editor/libeditor/html/nsHTMLCSSUtils.cpp:569
    #1 0x7fdf86464c29 in nsHTMLCSSUtils::SetCSSProperty(nsIDOMElement*, nsIAtom*, nsAString_internal const&, bool) src/editor/libeditor/html/nsHTMLCSSUtils.cpp:512
    #2 0x7fdf86472196 in nsHTMLCSSUtils::SetCSSEquivalentToHTMLStyle(nsIDOMNode*, nsIAtom*, nsAString_internal const*, nsAString_internal const*, int*, bool) src/editor/libeditor/html/nsHTMLCSSUtils.cpp:1012
    #3 0x7fdf86514947 in nsHTMLEditor::SetAttributeOrEquivalent(nsIDOMElement*, nsAString_internal const&, nsAString_internal const&, bool) src/editor/libeditor/html/nsHTMLEditor.cpp:4560
    #4 0x7fdf8667ae27 in nsHTMLEditRules::AlignBlock(nsIDOMElement*, nsAString_internal const*, bool) src/editor/libeditor/html/nsHTMLEditRules.cpp:8465
    #5 0x7fdf865e7340 in nsHTMLEditRules::WillAlign(mozilla::Selection*, nsAString_internal const*, bool*, bool*) src/editor/libeditor/html/nsHTMLEditRules.cpp:4547
    #6 0x7fdf865a58c0 in nsHTMLEditRules::WillDoAction(mozilla::Selection*, nsRulesInfo*, bool*, bool*) src/editor/libeditor/html/nsHTMLEditRules.cpp:609
    #7 0x7fdf864d22c0 in nsHTMLEditor::Align(nsAString_internal const&) src/editor/libeditor/html/nsHTMLEditor.cpp:2258
    #8 0x7fdf864d2a1e in non-virtual thunk to nsHTMLEditor::Align(nsAString_internal const&) src/build/unix/stdc++compat/stdc++compat.cpp:0
    #9 0x7fdf89ac6c05 in nsAlignCommand::SetState(nsIEditor*, nsString&) src/editor/composer/src/nsComposerCommands.cpp:971
    #10 0x7fdf89ababe4 in nsMultiStateCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/editor/composer/src/nsComposerCommands.cpp:600
    #11 0x7fdf89324c61 in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) src/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
    #12 0x7fdf892f7ef2 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
    #13 0x7fdf892f81c6 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) src/build/unix/stdc++compat/stdc++compat.cpp:0
    #14 0x7fdf8930e81f in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) src/embedding/components/commandhandler/src/nsCommandManager.cpp:234
    #15 0x7fdf84891e08 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) src/content/html/document/src/nsHTMLDocument.cpp:3232
    #16 0x7fdf8489375d in non-virtual thunk to nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*) src/build/unix/stdc++compat/stdc++compat.cpp:0
    #17 0x7fdf8c8db397 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #18 0x7fdf87ea770e in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3117
    #19 0x7fdf87f0a3a5 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480
    #20 0x7fdf93436b91 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
    #21 0x7fdf933c3ab0 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2413
    #22 0x7fdf9332aa35 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:309
    #23 0x7fdf93443ea6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:494
    #24 0x7fdf93445e5e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:531
    #25 0x7fdf92ba0d94 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5723
    #26 0x7fdf92ba5d31 in JS_EvaluateUCScriptForPrincipalsVersionOrigin src/js/src/jsapi.cpp:5804
    #27 0x7fdf8502aadf in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #28 0x7fdf851daf7f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9609
    #29 0x7fdf851928f9 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9870
    #30 0x7fdf851d8fda in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10137
    #31 0x7fdf8c81b902 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #32 0x7fdf8c81d1b8 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #33 0x7fdf8c7e05ae in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #34 0x7fdf8c4819c7 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #35 0x7fdf8940c459 in nsXULWindow::ShowModal() src/xpfe/appshell/src/nsXULWindow.cpp:379
    #36 0x7fdf893ef880 in nsContentTreeOwner::ShowAsModal() src/xpfe/appshell/src/nsContentTreeOwner.cpp:529
    #37 0x7fdf893ef9db in non-virtual thunk to nsContentTreeOwner::ShowAsModal() src/build/unix/stdc++compat/stdc++compat.cpp:0
    #38 0x7fdf892220b0 in nsWindowWatcher::OpenWindowInternal(nsIDOMWindow*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:1033
    #39 0x7fdf89215fc0 in nsWindowWatcher::OpenWindow(nsIDOMWindow*, char const*, char const*, char const*, nsISupports*, nsIDOMWindow**) src/embedding/components/windowwatcher/src/nsWindowWatcher.cpp:399
    #40 0x7fdf8c8db397 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #41 0x7fdf87ea770e in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3117
    #42 0x7fdf87f0a3a5 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480
    #43 0x7fdf93436b91 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
    #44 0x7fdf933c3ab0 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2413
    #45 0x7fdf9332aa35 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:309
    #46 0x7fdf93437205 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:363
    #47 0x7fdf92cd1ffc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #48 0x7fdf9343c54b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:396
    #49 0x7fdf92badd7b in JS_CallFunctionValue src/js/src/jsapi.cpp:5904
    #50 0x7fdf87e563a2 in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJSClass.cpp:1436
    #51 0x7fdf87dfad06 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) src/js/xpconnect/src/XPCWrappedJS.cpp:580
    #52 0x7fdf8c8e0e56 in PrepareAndDispatch src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
    #53 0x7fdf8c8de126 in SharedStub src/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:0
    #54 0x7fdf8c8db397 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #55 0x7fdf87ea770e in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3117
    #56 0x7fdf87f0a3a5 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480
    #57 0x7fdf93436b91 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
    #58 0x7fdf933c3ab0 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2413
    #59 0x7fdf9332aa35 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:309
    #60 0x7fdf93437205 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:363
    #61 0x7fdf92cd1ffc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #62 0x7fdf930e0690 in js::CallOrConstructBoundFunction(JSContext*, unsigned int, JS::Value*) src/js/src/jsfun.cpp:1029
    #63 0x7fdf93436b92 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
0x7fdf641dce80 is located 0 bytes inside of 16-byte region [0x7fdf641dce80,0x7fdf641dce90)
freed by thread T0 here:
    #0 0x4c3d80 in free ??:0
    #1 0x7fdf99a75572 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7fdf86539480 in operator delete(void*) src/../../../dist/include/mozilla/mozalloc.h:224
    #3 0x7fdf86491dc7 in nsAutoPtr<nsHTMLCSSUtils>::operator=(nsHTMLCSSUtils*) src/../../../dist/include/nsAutoPtr.h:101
    #4 0x7fdf8649058c in nsHTMLEditor::Init(nsIDOMDocument*, nsIContent*, nsISelectionController*, unsigned int) src/editor/libeditor/html/nsHTMLEditor.cpp:249
    #5 0x7fdf89b04aae in nsEditingSession::SetupEditorOnWindow(nsIDOMWindow*) src/editor/composer/src/nsEditingSession.cpp:460
    #6 0x7fdf89afa507 in nsEditingSession::MakeWindowEditable(nsIDOMWindow*, char const*, bool, bool, bool) src/editor/composer/src/nsEditingSession.cpp:173
    #7 0x7fdf84861d10 in nsHTMLDocument::EditingStateChanged() src/content/html/document/src/nsHTMLDocument.cpp:2693
    #8 0x7fdf8485f249 in nsHTMLDocument::BeginLoad() src/content/html/document/src/nsHTMLDocument.cpp:880
    #9 0x7fdf862fcfe2 in nsHtml5TreeOpExecutor::WillBuildModel(nsDTDMode) src/parser/html/nsHtml5TreeOpExecutor.cpp:116
    #10 0x7fdf860ef40b in nsHtml5Parser::Parse(nsAString_internal const&, void*, nsACString_internal const&, bool, nsDTDMode) src/parser/html/nsHtml5Parser.cpp:231
    #11 0x7fdf8487780f in nsHTMLDocument::Close() src/content/html/document/src/nsHTMLDocument.cpp:1606
    #12 0x7fdf84877bdb in non-virtual thunk to nsHTMLDocument::Close() src/build/unix/stdc++compat/stdc++compat.cpp:0
    #13 0x7fdf8c8db397 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #14 0x7fdf87ea770e in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3117
    #15 0x7fdf87f0a3a5 in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1480
    #16 0x7fdf93436b91 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
    #17 0x7fdf92cd1ffc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #18 0x7fdf9343c54b in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:396
    #19 0x7fdf938b0f9c in js::IndirectProxyHandler::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:477
    #20 0x7fdf94071a40 in js::DirectWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:318
    #21 0x7fdf9408672d in js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jswrapper.cpp:731
    #22 0x7fdf94086d54 in non-virtual thunk to js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) ??:0
    #23 0x7fdf938f5977 in js::Proxy::call(JSContext*, JSObject*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:1320
    #24 0x7fdf9391020c in proxy_Call(JSContext*, unsigned int, JS::Value*) src/js/src/jsproxy.cpp:1856
    #25 0x7fdf9343650d in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:389
    #26 0x7fdf933c3ab0 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2413
    #27 0x7fdf9332aa35 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:309
    #28 0x7fdf93437205 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) src/js/src/jsinterp.cpp:363
    #29 0x7fdf92cd1ffd in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
previously allocated by thread T0 here:
    #0 0x4c3e40 in __interceptor_malloc ??:0
    #1 0x7fdf99a756c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7fdf8649055f in operator new(unsigned long) src/../../../dist/include/mozilla/mozalloc.h:200
    #3 0x7fdf89b04aae in nsEditingSession::SetupEditorOnWindow(nsIDOMWindow*) src/editor/composer/src/nsEditingSession.cpp:460
    #4 0x7fdf89afa507 in nsEditingSession::MakeWindowEditable(nsIDOMWindow*, char const*, bool, bool, bool) src/editor/composer/src/nsEditingSession.cpp:173
    #5 0x7fdf84861d10 in nsHTMLDocument::EditingStateChanged() src/content/html/document/src/nsHTMLDocument.cpp:2693
    #6 0x7fdf8488dc6c in nsHTMLDocument::SetDesignMode(nsAString_internal const&) src/content/html/document/src/nsHTMLDocument.cpp:2834
    #7 0x7fdf88721cde in nsIDOMHTMLDocument_SetDesignMode(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>) src/objdir-ff-asan-sym/js/xpconnect/src/dom_quickstubs.cpp:13862
    #8 0x7fdf936b2903 in js::CallJSPropertyOpSetter(JSContext*, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<long>, int, JS::MutableHandle<JS::Value>) src/js/src/jscntxtinlines.h:469
    #9 0x7fdf936e7e34 in js::baseops::SetPropertyHelper(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<long>, unsigned int, JS::MutableHandle<JS::Value>, int) src/js/src/jsobj.cpp:4853
    #10 0x7fdf9347beb5 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) src/js/src/jsinterpinlines.h:345
    #11 0x7fdf933b6700 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) src/js/src/jsinterp.cpp:2323
    #12 0x7fdf9332aa35 in js::RunScript(JSContext*, JSScript*, js::StackFrame*) src/js/src/jsinterp.cpp:309
    #13 0x7fdf93443ea6 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::StackFrame*, JS::Value*) src/js/src/jsinterp.cpp:494
    #14 0x7fdf93445e5e in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) src/js/src/jsinterp.cpp:531
    #15 0x7fdf92ba0d94 in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) src/js/src/jsapi.cpp:5723
    #16 0x7fdf92ba5d31 in JS_EvaluateUCScriptForPrincipalsVersionOrigin src/js/src/jsapi.cpp:5804
    #17 0x7fdf8502aadf in nsJSContext::EvaluateString(nsAString_internal const&, JSObject*, nsIPrincipal*, nsIPrincipal*, char const*, unsigned int, JSVersion, nsAString_internal*, bool*) src/dom/base/nsJSEnvironment.cpp:1506
    #18 0x7fdf851daf7f in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) src/dom/base/nsGlobalWindow.cpp:9609
    #19 0x7fdf851928f9 in nsGlobalWindow::RunTimeout(nsTimeout*) src/dom/base/nsGlobalWindow.cpp:9870
    #20 0x7fdf851d8fda in nsGlobalWindow::TimerCallback(nsITimer*, void*) src/dom/base/nsGlobalWindow.cpp:10137
    #21 0x7fdf8c81b902 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:473
    #22 0x7fdf8c81d1b8 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #23 0x7fdf8c7e05ae in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #24 0x7fdf8c4819c8 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
Shadow byte and word:
  0x1ffbec83b9d0: fd
  0x1ffbec83b9d0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffbec83b9b0: 00 00 00 fb fb fb fb fb
  0x1ffbec83b9b8: fb fb fb fb fb fb fb fb
  0x1ffbec83b9c0: fa fa fa fa fa fa fa fa
  0x1ffbec83b9c8: fa fa fa fa fa fa fa fa
=>0x1ffbec83b9d0: fd fd fd fd fd fd fd fd
  0x1ffbec83b9d8: fd fd fd fd fd fd fd fd
  0x1ffbec83b9e0: fa fa fa fa fa fa fa fa
  0x1ffbec83b9e8: fa fa fa fa fa fa fa fa
  0x1ffbec83b9f0: 02 fb fb fb fb fb fb fb
==5528== ABORTING
Component: General → Editor
Product: Firefox → Core
Aryeh, do you have time to work on this?
I can't guarantee it, so better someone else do it.
Assignee: nobody → ehsan
Calling virtual functions on freed memory => sec-critical.
Keywords: sec-critical
So this is the root cause of this bug: the execCommand call triggers the mutation event which causes us to run script, and destroy the nsHTMLCSSUtils object under this stack:

(gdb) bt
#0  nsHTMLCSSUtils::~nsHTMLCSSUtils (this=0x7fffd3eb8580) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLCSSUtils.cpp:343
#1  0x00007ffff23a1401 in nsAutoPtr<nsHTMLCSSUtils>::assign (this=0x7fffd0f079a0, newPtr=0x7fffd3bf9d10)
    at ../../../dist/include/nsAutoPtr.h:38
#2  0x00007ffff237d82f in nsAutoPtr<nsHTMLCSSUtils>::operator= (this=0x7fffd0f079a0, rhs=0x7fffd3bf9d10)
    at ../../../dist/include/nsAutoPtr.h:101
#3  0x00007ffff237d18e in nsHTMLEditor::Init (this=0x7fffd0f07800, aDoc=0x7fffd1595a10, aRoot=0x0, aSelCon=0x0, aFlags=1024)
    at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditor.cpp:249
#4  0x00007ffff2bcd75b in nsEditingSession::SetupEditorOnWindow (this=0x7fffd1547af0, aWindow=0x7fffd335f800)
    at /media/storage/moz/mozilla-inbound/editor/composer/src/nsEditingSession.cpp:460
#5  0x00007ffff2bcb45c in nsEditingSession::MakeWindowEditable (this=0x7fffd1547af0, aWindow=0x7fffd335f800, 
    aEditorType=0x7ffff4378775 "html", aDoAfterUriLoad=false, aMakeWholeDocumentEditable=false, aInteractive=true)
    at /media/storage/moz/mozilla-inbound/editor/composer/src/nsEditingSession.cpp:173
#6  0x00007ffff1e52b21 in nsHTMLDocument::EditingStateChanged (this=0x7fffd1595800)
    at /media/storage/moz/mozilla-inbound/content/html/document/src/nsHTMLDocument.cpp:2693
#7  0x00007ffff1e52377 in nsHTMLDocument::BeginLoad (this=0x7fffd1595800)
    at /media/storage/moz/mozilla-inbound/content/html/document/src/nsHTMLDocument.cpp:880
#8  0x00007ffff232ca7c in nsHtml5TreeOpExecutor::WillBuildModel (this=0x7fffd33b9b50, aDTDMode=eDTDMode_unknown)
    at /media/storage/moz/mozilla-inbound/parser/html/nsHtml5TreeOpExecutor.cpp:116
#9  0x00007ffff22cebe8 in nsHtml5Parser::Parse (this=0x7fffd1ffd840, aSourceBuffer=..., aKey=0x0, aContentType=..., aLastCall=true, 
    aMode=eDTDMode_autodetect) at /media/storage/moz/mozilla-inbound/parser/html/nsHtml5Parser.cpp:231
#10 0x00007ffff1e582a8 in nsHTMLDocument::Close (this=0x7fffd1595800)
    at /media/storage/moz/mozilla-inbound/content/html/document/src/nsHTMLDocument.cpp:1606
#11 0x00007ffff1e583cc in non-virtual thunk to nsHTMLDocument::Close() ()
   from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#12 0x00007ffff334cc3a in NS_InvokeByIndex_P (that=0x7fffd1595d88, methodIndex=120, paramCount=0, params=0x7fffffff1d08)
    at /media/storage/moz/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
#13 0x00007ffff2807524 in CallMethodHelper::Invoke (this=0x7fffffff1cc8)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:3105
#14 0x00007ffff2803e5c in CallMethodHelper::Call (this=0x7fffffff1cc8)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2439
#15 0x00007ffff2803c23 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2405
#16 0x00007ffff2812ade in XPC_WN_CallMethod (cx=0x7fffd335fc00, argc=0, vp=0x7fffde8ff1f0)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
#17 0x00007ffff3f41be7 in js::CallJSNative (cx=0x7fffd335fc00, 
    native=0x7ffff2812840 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /media/storage/moz/mozilla-inbound/js/src/jscntxtinlines.h:372
#18 0x00007ffff3f4162d in js::InvokeKernel (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:344
#19 0x00007ffff3e5d131 in js::Invoke (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.h:119
#20 0x00007ffff3f420a8 in js::Invoke (cx=0x7fffd335fc00, thisv=..., fval=..., argc=0, argv=0x7fffde8ff1f0, rval=0x7fffffff22e8)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:388
#21 0x00007ffff3fc3654 in js::IndirectProxyHandler::call (this=0x7ffff55cb6f0, cx=0x7fffd335fc00, proxy=0x7fffcaf8f220, argc=0, 
    vp=0x7fffde8ff1e0) at /media/storage/moz/mozilla-inbound/js/src/jsproxy.cpp:477
#22 0x00007ffff4089236 in js::DirectWrapper::call (this=0x7ffff55cb6e0, cx=0x7fffd335fc00, wrapper=0x7fffcaf8f220, argc=0, vp=0x7fffde8ff1e0)
    at /media/storage/moz/mozilla-inbound/js/src/jswrapper.cpp:318
#23 0x00007ffff408ba2f in js::CrossCompartmentWrapper::call (this=0x7ffff55cb6e0, cx=0x7fffd335fc00, wrapper_=0x7fffcaf8f220, argc=0, 
    vp=0x7fffde8ff1e0) at /media/storage/moz/mozilla-inbound/js/src/jswrapper.cpp:650
#24 0x00007ffff408baf5 in non-virtual thunk to js::CrossCompartmentWrapper::call(JSContext*, JSObject*, unsigned int, JS::Value*) ()
   from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#25 0x00007ffff3fca356 in js::Proxy::call (cx=0x7fffd335fc00, proxy=0x7fffcaf8f220, argc=0, vp=0x7fffde8ff1e0)
    at /media/storage/moz/mozilla-inbound/js/src/jsproxy.cpp:1320
#26 0x00007ffff3fcc657 in proxy_Call (cx=0x7fffd335fc00, argc=0, vp=0x7fffde8ff1e0)
    at /media/storage/moz/mozilla-inbound/js/src/jsproxy.cpp:1854
#27 0x00007ffff3f41be7 in js::CallJSNative (cx=0x7fffd335fc00, native=0x7ffff3fcc5e0 <proxy_Call(JSContext*, unsigned int, JS::Value*)>, 
    args=...) at /media/storage/moz/mozilla-inbound/js/src/jscntxtinlines.h:372
#28 0x00007ffff3f41536 in js::InvokeKernel (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:337
#29 0x00007ffff3f353bd in js::Interpret (cx=0x7fffd335fc00, entryFrame=0x7fffde8ff170, interpMode=js::JSINTERP_NORMAL)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:2405
#30 0x00007ffff3f28b12 in js::RunScript (cx=0x7fffd335fc00, script=0x7fffcaf752e0, fp=0x7fffde8ff170)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:301
#31 0x00007ffff3f41706 in js::InvokeKernel (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:355
#32 0x00007ffff3e5d131 in js::Invoke (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.h:119
#33 0x00007ffff3f420a8 in js::Invoke (cx=0x7fffd335fc00, thisv=..., fval=..., argc=1, argv=0x7fffffff5578, rval=0x7fffffff5220)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:388
#34 0x00007ffff3e3596c in JS_CallFunctionValue (cx=0x7fffd335fc00, objArg=0x7fffcaf69580, fval=..., argc=1, argv=0x7fffffff5578, 
    rval=0x7fffffff5220) at /media/storage/moz/mozilla-inbound/js/src/jsapi.cpp:5854
#35 0x00007ffff27f7742 in nsXPCWrappedJSClass::CallMethod (this=0x7fffd528cba0, wrapper=0x7fffd11a6d00, methodIndex=3, info=0x7fffe1fd0a00, 
    nativeParams=0x7fffffff58d0) at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedJSClass.cpp:1430
#36 0x00007ffff27eae3b in nsXPCWrappedJS::CallMethod (this=0x7fffd11a6d00, methodIndex=3, info=0x7fffe1fd0a00, params=0x7fffffff58d0)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedJS.cpp:580
#37 0x00007ffff334e0e9 in PrepareAndDispatch (self=0x7fffd1180b80, methodIndex=3, args=0x7fffffff5a20, gpregs=0x7fffffff59a0, 
    fpregs=0x7fffffff59d0) at /media/storage/moz/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:121
#38 0x00007ffff334d123 in SharedStub () from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#39 0x00007ffff1bf7a13 in nsEventListenerManager::HandleEventSubType (this=0x7fffd1547550, aListenerStruct=0x7fffd1547588, 
    aListener=0x7fffd1180b80, aDOMEvent=0x7fffd03cbfe0, aCurrentTarget=0x7fffd04386a0, aPhaseFlags=6, aPusher=0x7fffffff5ea8)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventListenerManager.cpp:800
#40 0x00007ffff1bf7d48 in nsEventListenerManager::HandleEventInternal (this=0x7fffd1547550, aPresContext=0x7fffd0f1f800, 
    aEvent=0x7fffd0f36890, aDOMEvent=0x7fffffff5ed0, aCurrentTarget=0x7fffd04386a0, aFlags=6, aEventStatus=0x7fffffff5ed8, 
    aPusher=0x7fffffff5ea8) at /media/storage/moz/mozilla-inbound/content/events/src/nsEventListenerManager.cpp:873
#41 0x00007ffff1c472b2 in nsEventListenerManager::HandleEvent (this=0x7fffd1547550, aPresContext=0x7fffd0f1f800, aEvent=0x7fffd0f36890, 
    aDOMEvent=0x7fffffff5ed0, aCurrentTarget=0x7fffd04386a0, aFlags=6, aEventStatus=0x7fffffff5ed8, aPusher=0x7fffffff5ea8)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventListenerManager.h:142
#42 0x00007ffff1c445fa in nsEventTargetChainItem::HandleEvent (this=0x7fffd5291540, aVisitor=..., aFlags=6, 
    aMayHaveNewListenerManagers=false, aPusher=0x7fffffff5ea8)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventDispatcher.cpp:183
#43 0x00007ffff1c440e7 in nsEventTargetChainItem::HandleEventTargetChain (this=0x7fffd5291508, aVisitor=..., aFlags=6, aCallback=0x0, 
    aMayHaveNewListenerManagers=false, aPusher=0x7fffffff5ea8)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventDispatcher.cpp:314
#44 0x00007ffff1c4569e in nsEventDispatcher::Dispatch (aTarget=0x7fffd04386a0, aPresContext=0x7fffd0f1f800, aEvent=0x7fffd0f36890, 
    aDOMEvent=0x7fffd03cbfe0, aEventStatus=0x7fffffff613c, aCallback=0x0, aTargets=0x0)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventDispatcher.cpp:635
#45 0x00007ffff1c45e29 in nsEventDispatcher::DispatchDOMEvent (aTarget=0x7fffd04386a0, aEvent=0x0, aDOMEvent=0x7fffd03cbfe0, 
    aPresContext=0x7fffd0f1f800, aEventStatus=0x7fffffff613c)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsEventDispatcher.cpp:696
#46 0x00007ffff1a49092 in nsINode::DispatchEvent (this=0x7fffd04386a0, aEvent=0x7fffd03cbfe0, aRetVal=0x7fffffff61ff)
    at /media/storage/moz/mozilla-inbound/content/base/src/nsINode.cpp:1080
#47 0x00007ffff1c4374a in nsAsyncDOMEvent::Run (this=0x7fffce66ec80)
    at /media/storage/moz/mozilla-inbound/content/events/src/nsAsyncDOMEvent.cpp:34
#48 0x00007ffff197b04c in nsContentUtils::RemoveScriptBlocker ()
    at /media/storage/moz/mozilla-inbound/content/base/src/nsContentUtils.cpp:4961
#49 0x00007ffff19d80b0 in nsDocument::EndUpdate (this=0x7fffd1595800, aUpdateType=1)
    at /media/storage/moz/mozilla-inbound/content/base/src/nsDocument.cpp:4004
#50 0x00007ffff1e5b3d5 in nsHTMLDocument::EndUpdate (this=0x7fffd1595800, aUpdateType=1)
    at /media/storage/moz/mozilla-inbound/content/html/document/src/nsHTMLDocument.cpp:2350
#51 0x00007ffff17dfec7 in mozAutoDocConditionalContentUpdateBatch::~mozAutoDocConditionalContentUpdateBatch (this=0x7fffffff63d0)
    at /media/storage/moz/mozilla-inbound/layout/style/../../content/base/src/mozAutoDocUpdate.h:78
#52 0x00007ffff17cf3e5 in mozAutoDocConditionalContentUpdateBatch::~mozAutoDocConditionalContentUpdateBatch (this=0x7fffffff63d0)
    at /media/storage/moz/mozilla-inbound/layout/style/../../content/base/src/mozAutoDocUpdate.h:76
#53 0x00007ffff17cf07d in nsDOMCSSDeclaration::ParsePropertyValue (this=0x7fffce66ea80, aPropID=eCSSProperty_text_align, aPropValue=..., 
    aIsImportant=false) at /media/storage/moz/mozilla-inbound/layout/style/nsDOMCSSDeclaration.cpp:285
#54 0x00007ffff17cf741 in nsDOMCSSDeclaration::SetProperty (this=0x7fffce66ea80, aPropertyName=..., aValue=..., aPriority=...)
    at /media/storage/moz/mozilla-inbound/layout/style/nsDOMCSSDeclaration.cpp:202
#55 0x00007ffff22bc9c4 in ChangeCSSInlineStyleTxn::DoTransaction (this=0x7fffd0f356a0)
    at /media/storage/moz/mozilla-inbound/editor/libeditor/base/ChangeCSSInlineStyleTxn.cpp:222
#56 0x00007ffff2a9b7b4 in nsTransactionItem::DoTransaction (this=0x7fffd11998e0)
    at /media/storage/moz/mozilla-inbound/editor/txmgr/src/nsTransactionItem.cpp:164
#57 0x00007ffff2aa0f5a in nsTransactionManager::BeginTransaction (this=0x7fffca8243a0, aTransaction=0x7fffd0f356a0)
    at /media/storage/moz/mozilla-inbound/editor/txmgr/src/nsTransactionManager.cpp:734
#58 0x00007ffff2a9ecb1 in nsTransactionManager::DoTransaction (this=0x7fffca8243a0, aTransaction=0x7fffd0f356a0)
    at /media/storage/moz/mozilla-inbound/editor/txmgr/src/nsTransactionManager.cpp:79
#59 0x00007ffff228bf55 in nsEditor::DoTransaction (this=0x7fffd0f07800, aTxn=0x7fffd0f356a0)
    at /media/storage/moz/mozilla-inbound/editor/libeditor/base/nsEditor.cpp:701
#60 0x00007ffff2374839 in nsHTMLCSSUtils::SetCSSProperty (this=0x7fffd3eb8580, aElement=0x7fffd0438718, aProperty=0x7fffe1ef34f0, 
    aValue=..., aSuppressTransaction=false) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLCSSUtils.cpp:518
#61 0x00007ffff2376be8 in nsHTMLCSSUtils::SetCSSEquivalentToHTMLStyle (this=0x7fffd3eb8580, aNode=0x7fffd0438718, aHTMLProperty=0x0, 
    aAttribute=0x7fffffff7060, aValue=0x7fffffff77d8, aCount=0x7fffffff6fcc, aSuppressTransaction=false)
    at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLCSSUtils.cpp:1012
#62 0x00007ffff2399821 in nsHTMLEditor::SetAttributeOrEquivalent (this=0x7fffd0f07800, aElement=0x7fffd0438718, aAttribute=..., aValue=..., 
    aSuppressTransaction=false) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditor.cpp:4559
#63 0x00007ffff23e59e0 in nsHTMLEditRules::AlignBlock (this=0x7fffd520c800, aElement=0x7fffd0438718, aAlignType=0x7fffffff77d8, 
    aContentsOnly=false) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditRules.cpp:8465
#64 0x00007ffff23c712d in nsHTMLEditRules::WillAlign (this=0x7fffd520c800, aSelection=0x7fffd0ff6c80, alignType=0x7fffffff77d8, 
    aCancel=0x7fffffff768f, aHandled=0x7fffffff768e) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditRules.cpp:4547
#65 0x00007ffff23b84f4 in nsHTMLEditRules::WillDoAction (this=0x7fffd520c800, aSelection=0x7fffd0ff6c80, aInfo=0x7fffffff7620, 
    aCancel=0x7fffffff768f, aHandled=0x7fffffff768e) at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditRules.cpp:609
#66 0x00007ffff238bb58 in nsHTMLEditor::Align (this=0x7fffd0f07800, aAlignType=...)
    at /media/storage/moz/mozilla-inbound/editor/libeditor/html/nsHTMLEditor.cpp:2257
#67 0x00007ffff238bcaf in non-virtual thunk to nsHTMLEditor::Align(nsAString_internal const&) ()
   from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#68 0x00007ffff2bc2fc2 in nsAlignCommand::SetState (this=0x7fffd33f7e80, aEditor=0x7fffd0f07800, newState=...)
    at /media/storage/moz/mozilla-inbound/editor/composer/src/nsComposerCommands.cpp:971
#69 0x00007ffff2bc0749 in nsMultiStateCommand::DoCommandParams (this=0x7fffd33f7e80, aCommandName=0x7fffffff7c10 "cmd_align", 
    aParams=0x7fffca8746a0, refCon=0x7fffd0f07800) at /media/storage/moz/mozilla-inbound/editor/composer/src/nsComposerCommands.cpp:600
#70 0x00007ffff2a53f4a in nsControllerCommandTable::DoCommandParams (this=0x7fffd1349700, aCommandName=0x7fffffff7c10 "cmd_align", 
    aParams=0x7fffca8746a0, aCommandRefCon=0x7fffd0f07800)
    at /media/storage/moz/mozilla-inbound/embedding/components/commandhandler/src/nsControllerCommandTable.cpp:175
#71 0x00007ffff2a4c5d5 in nsBaseCommandController::DoCommandWithParams (this=0x7fffce67f470, aCommand=0x7fffffff7c10 "cmd_align", 
    aParams=0x7fffca8746a0) at /media/storage/moz/mozilla-inbound/embedding/components/commandhandler/src/nsBaseCommandController.cpp:153
#72 0x00007ffff2a4c637 in non-virtual thunk to nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) ()
   from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#73 0x00007ffff2a5092d in nsCommandManager::DoCommand (this=0x7fffd1f48470, aCommandName=0x7fffffff7c10 "cmd_align", 
    aCommandParams=0x7fffca8746a0, aTargetWindow=0x7fffd335f800)
    at /media/storage/moz/mozilla-inbound/embedding/components/commandhandler/src/nsCommandManager.cpp:234
#74 0x00007ffff1e5da30 in nsHTMLDocument::ExecCommand (this=0x7fffd1595800, commandID=..., doShowUI=false, value=..., _retval=0x7fffffff7f80)
    at /media/storage/moz/mozilla-inbound/content/html/document/src/nsHTMLDocument.cpp:3232
#75 0x00007ffff1e5ddae in non-virtual thunk to nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, bool*)
    () from /media/storage/moz/mozilla-inbound/obj-ff-dbg/dist/bin/libxul.so
#76 0x00007ffff334cc3a in NS_InvokeByIndex_P (that=0x7fffd1595d88, methodIndex=125, paramCount=4, params=0x7fffffff7f38)
    at /media/storage/moz/mozilla-inbound/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
#77 0x00007ffff2807524 in CallMethodHelper::Invoke (this=0x7fffffff7ef8)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:3105
#78 0x00007ffff2803e5c in CallMethodHelper::Call (this=0x7fffffff7ef8)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2439
#79 0x00007ffff2803c23 in XPCWrappedNative::CallMethod (ccx=..., mode=XPCWrappedNative::CALL_METHOD)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNative.cpp:2405
#80 0x00007ffff2812ade in XPC_WN_CallMethod (cx=0x7fffd335fc00, argc=3, vp=0x7fffde8ff120)
    at /media/storage/moz/mozilla-inbound/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1470
#81 0x00007ffff3f41be7 in js::CallJSNative (cx=0x7fffd335fc00, 
    native=0x7ffff2812840 <XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*)>, args=...)
    at /media/storage/moz/mozilla-inbound/js/src/jscntxtinlines.h:372
#82 0x00007ffff3f4162d in js::InvokeKernel (cx=0x7fffd335fc00, args=..., construct=js::NO_CONSTRUCT)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:344
#83 0x00007ffff3f353bd in js::Interpret (cx=0x7fffd335fc00, entryFrame=0x7fffde8ff030, interpMode=js::JSINTERP_NORMAL)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:2405
#84 0x00007ffff3f28b12 in js::RunScript (cx=0x7fffd335fc00, script=0x7fffcaf75388, fp=0x7fffde8ff030)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:301
#85 0x00007ffff3f42d3e in js::ExecuteKernel (cx=0x7fffd335fc00, script=..., scopeChain=..., thisv=..., type=js::EXECUTE_GLOBAL, 
    evalInFrame=0x0, result=0x0) at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:486
#86 0x00007ffff3f4314a in js::Execute (cx=0x7fffd335fc00, script=..., scopeChainArg=..., rval=0x0)
    at /media/storage/moz/mozilla-inbound/js/src/jsinterp.cpp:523
#87 0x00007ffff3e344ff in JS::Evaluate (cx=0x7fffd335fc00, obj=..., options=..., chars=0x7fffd1018110, length=9, rval=0x0)
    at /media/storage/moz/mozilla-inbound/js/src/jsapi.cpp:5673
#88 0x00007ffff1fb79dc in nsJSContext::EvaluateString (this=0x7fffd3356680, aScript=..., aScopeObject=0x7fffcaf66060, 
    aPrincipal=0x7fffd05ec660, aOriginPrincipal=0x7fffd05ec660, 
    aURL=0x7fffd14ed7c8 "https://bug785574.bugzilla.mozilla.org/attachment.cgi?id=655254&t=Szii8htHl1", aLineNo=5, 
    aVersion=JSVERSION_DEFAULT, aRetValue=0x0, aIsUndefined=0x7fffffffaea3)
    at /media/storage/moz/mozilla-inbound/dom/base/nsJSEnvironment.cpp:1499
#89 0x00007ffff200d459 in nsGlobalWindow::RunTimeoutHandler (this=0x7fffd0f20400, aTimeout=0x7fffd1f06710, aScx=0x7fffd3356680)
    at /media/storage/moz/mozilla-inbound/dom/base/nsGlobalWindow.cpp:9590
#90 0x00007ffff1fff052 in nsGlobalWindow::RunTimeout (this=0x7fffd0f20400, aTimeout=0x7fffd1f06710)
    at /media/storage/moz/mozilla-inbound/dom/base/nsGlobalWindow.cpp:9851

We then return to frame 60 and dereference freed memory.
Severity: normal → critical
Keywords: crash, testcase
Whiteboard: [asan]
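The trace above shows the shape of the bug: the editor still holds a raw pointer to the element while ChangeCSSInlineStyleTxn::DoTransaction fires a mutation event, page script runs synchronously inside that event, the script drops the last reference to the element, and the editor then continues to use the pointer. The following is an added example, not Mozilla's code and not the patch attached to this bug (the patch itself is not shown on this page); it models that class of bug in a self-contained way. Element, Document, StrongRef, doChangeStyleTxn and the two property names are constructed for the demonstration, and "freeing" is simulated by marking the node dead rather than releasing memory, so the stale access can be observed instead of being undefined behaviour.

```cpp
#include <algorithm>
#include <functional>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Toy refcounted DOM node. Memory is never returned to the allocator: when the last
// reference goes away the node is only marked dead, so the stale access is observable.
struct Element {
    std::string style;   // stand-in for the inline style attribute
    int strongRefs = 0;
    bool alive = true;
};

struct Document {
    std::vector<Element*> tree;                     // the tree owns one ref per node
    std::vector<std::unique_ptr<Element>> storage;  // keeps memory readable for the demo
    // Stand-in for a DOMAttrModified listener: page script that runs synchronously
    // while the editor is in the middle of a transaction.
    std::function<void(Document&, Element*)> onAttrModified;
    Element* create() {
        storage.push_back(std::make_unique<Element>()); Element* e = storage.back().get();
        tree.push_back(e); addRef(e); return e;
    }
    void addRef(Element* e) { ++e->strongRefs; }
    void release(Element* e) { if (--e->strongRefs == 0) e->alive = false; }  // "free"
    bool inTree(const Element* e) const {
        return std::find(tree.begin(), tree.end(), e) != tree.end();
    }
    void removeNode(Element* e) {
        auto it = std::find(tree.begin(), tree.end(), e);
        if (it == tree.end()) return;
        tree.erase(it); release(e);  // may be the last reference
    }
};

// RAII strong reference held across a call that can run script (the idiom Gecko
// code conventionally names kungFuDeathGrip).
struct StrongRef {
    Document& doc; Element* e;
    StrongRef(Document& d, Element* el) : doc(d), e(el) { doc.addRef(e); }
    ~StrongRef() { doc.release(e); }
    StrongRef(const StrongRef&) = delete; StrongRef& operator=(const StrongRef&) = delete;
};

struct Outcome {
    int applied = 0;           // properties written
    bool touchedDead = false;  // instrumentation only; a real UAF has no such flag
    bool aliveAfter = false;   // node state once the editor call has returned
};
using Props = std::vector<std::pair<std::string, std::string>>;

// One ChangeCSSInlineStyleTxn-like step: write the property, then notify listeners.
static void doChangeStyleTxn(Document& d, Element* e, const std::string& prop,
                             const std::string& val, Outcome& out) {
    if (!e->alive) out.touchedDead = true;
    e->style += prop + ":" + val + ";";
    ++out.applied;
    if (d.onAttrModified) d.onAttrModified(d, e);  // arbitrary script runs here
}

// Vulnerable shape: a raw pointer reused after a call that can run script.
Outcome setCssPropertiesUnsafe(Document& d, Element* e, const Props& props) {
    Outcome out;
    for (const auto& p : props)
        doChangeStyleTxn(d, e, p.first, p.second, out);  // later iterations may hit a freed node
    out.aliveAfter = e->alive;
    return out;
}

// Hardened shape: keep the node alive for the whole operation and re-check that it
// is still in the document after each transaction.
Outcome setCssPropertiesSafe(Document& d, Element* e, const Props& props) {
    Outcome out;
    {
        StrongRef grip(d, e);
        for (const auto& p : props) {
            doChangeStyleTxn(d, e, p.first, p.second, out);
            if (!d.inTree(e)) break;  // script detached the node; stop editing it
        }
    }  // grip released here: the node may die now, not in the middle of the loop
    out.aliveAfter = e->alive;
    return out;
}

// Constructed scenarios. The hostile listener removes the node on the first mutation.
static void removeOnMutation(Document& d, Element* e) { d.removeNode(e); }
static const Props kProps = {{"text-align", "right"}, {"margin-left", "0"}};
Outcome runUnsafeScenario() {
    Document d; Element* e = d.create(); d.onAttrModified = removeOnMutation;
    return setCssPropertiesUnsafe(d, e, kProps);
}
Outcome runSafeScenario() {
    Document d; Element* e = d.create(); d.onAttrModified = removeOnMutation;
    return setCssPropertiesSafe(d, e, kProps);
}
Outcome runBenignScenario() {  // no script interference: everything applies
    Document d; Element* e = d.create(); return setCssPropertiesSafe(d, e, kProps);
}
```

The strong reference only keeps the memory valid; it does not make the edit meaningful once script has pulled the node out of the document, which is why the hardened path also re-validates after every transaction instead of assuming the tree is unchanged. Under ASan the unsafe path is exactly what the report at the top of this bug flags as a heap-use-after-free read.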
Attached patch Patch (v1)
Attachment #656418 - Flags: review?(bzbarsky)
Comment on attachment 656418 [details] [diff] [review]
Patch (v1)

r="damn mutation events to hell"
Attachment #656418 - Flags: review?(bzbarsky) → review+
Comment on attachment 656418 [details] [diff] [review]
Patch (v1)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Unknown.
User impact if declined: sec-critical
Testing completed (on m-c, etc.): locally and on try server
Risk to taking this patch (and alternatives if risky): minimal
String or UUID changes made by this patch: none
Attachment #656418 - Flags: approval-mozilla-esr10?
Attachment #656418 - Flags: approval-mozilla-beta?
Attachment #656418 - Flags: approval-mozilla-aurora?
Setting status flags so we can be sure this lands in all the right places.  We'll revisit this in our next triage session when hopefully it will have been on central for a bit first before approving uplift.
https://hg.mozilla.org/mozilla-central/rev/42fb32915739
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Attachment #656418 - Flags: approval-mozilla-esr10?
Attachment #656418 - Flags: approval-mozilla-esr10+
Attachment #656418 - Flags: approval-mozilla-beta?
Attachment #656418 - Flags: approval-mozilla-beta+
Attachment #656418 - Flags: approval-mozilla-aurora?
Attachment #656418 - Flags: approval-mozilla-aurora+
Keywords: verifyme
Whiteboard: [asan] → [asan][advisory-tracking+]
Alias: CVE-2012-4179
Flags: sec-bounty?
Group: core-security
Flags: sec-bounty? → sec-bounty+
mass remove verifyme requests greater than 4 months old
Keywords: verifyme