Closed
Bug 791534
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in DocumentViewerImpl::SetBounds
Categories
(Firefox :: General, defect)
Tracking
RESOLVED
DUPLICATE
of bug 790856
People
(Reporter: inferno, Unassigned)
Details
(Keywords: csectype-uaf, Whiteboard: [sg:dupe 790856][asan])
Reproduces on trunk, trying to reduce down an extremely flaky fuzzed testcase. Looks like mPreviousViewer is blown away from underneath.

1922 DocumentViewerImpl::Show(void)
1923 {
1924   NS_ENSURE_TRUE(mDocument, NS_ERROR_NOT_AVAILABLE);
1925
1926   // We don't need the previous viewer anymore since we're not
1927   // displaying it.
1928   if (mPreviousViewer) {
1929     // This little dance *may* only be to keep
1930     // PresShell::EndObservingDocument happy, but I'm not sure.
1931     nsCOMPtr<nsIContentViewer> prevViewer(mPreviousViewer);
1932     mPreviousViewer = nullptr;
1933     prevViewer->Destroy()

=================================================================
==7322== ERROR: AddressSanitizer heap-use-after-free on address 0x7f5aafd7f108 at pc 0x7f5adb2a9a43 bp 0x7fffdf7d6310 sp 0x7fffdf7d6308
READ of size 8 at 0x7f5aafd7f108 thread T0
    #0 0x7f5adb2a9a42 in nsCOMPtr<nsIContentViewer>::get() const src/../../dist/include/nsCOMPtr.h:762
    #1 0x7f5adb29da22 in nsCOMPtr<nsIContentViewer>::operator nsIContentViewer*() const src/../../dist/include/nsCOMPtr.h:775
    #2 0x7f5adb918e62 in DocumentViewerImpl::SetBounds(nsIntRect const&) src/layout/base/nsDocumentViewer.cpp:1904
    #3 0x7f5adb918f25 in DocumentViewerImpl::SetBounds(nsIntRect const&) src/layout/base/nsDocumentViewer.cpp:1905
    #4 0x7f5ae34a36d2 in nsDocShell::SetPositionAndSize(int, int, int, int, bool) src/docshell/base/nsDocShell.cpp:4914
    #5 0x7f5ae34a3b46 in non-virtual thunk to nsDocShell::SetPositionAndSize(int, int, int, int, bool) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #6 0x7f5add4eaaef in nsFrameLoader::UpdateBaseWindowPositionAndSize(nsIFrame*) src/content/base/src/nsFrameLoader.cpp:1813
    #7 0x7f5add4ea04f in nsFrameLoader::UpdatePositionAndSize(nsIFrame*) src/content/base/src/nsFrameLoader.cpp:1787
    #8 0x7f5adc21a449 in nsSubDocumentFrame::ReflowFinished() src/layout/generic/nsSubDocumentFrame.cpp:640
    #9 0x7f5adc21a5ab in non-virtual thunk to nsSubDocumentFrame::ReflowFinished() src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #10 0x7f5adbaec647 in PresShell::HandlePostedReflowCallbacks(bool) src/layout/base/nsPresShell.cpp:3724
    #11 0x7f5adbac49ca in PresShell::DidDoReflow(bool) src/layout/base/nsPresShell.cpp:7293
    #12 0x7f5adbaefd68 in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7597
    #13 0x7f5adbaee291 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3893
    #14 0x7f5adbb91081 in nsRefreshDriver::Notify(nsITimer*) src/layout/base/nsRefreshDriver.cpp:398
    #15 0x7f5ae6fb09e6 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:476
    #16 0x7f5ae6fb2018 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:556
    #17 0x7f5ae6f755be in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #18 0x7f5ae6c081d7 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #19 0x7f5ae596c695 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #20 0x7f5ae722e3a9 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #21 0x7f5ae722e1f2 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #22 0x7f5ae722e0d7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #23 0x7f5ae4e1c5be in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163
    #24 0x7f5ae3a54948 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:296
    #25 0x7f5ada095b50 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3834
    #26 0x7f5ada09bdc4 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3911
    #27 0x7f5ada09ee8e in XRE_main src/toolkit/xre/nsAppRunner.cpp:3987
    #28 0x40c5bb in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174
    #29 0x409e1f in main src/browser/app/nsBrowserApp.cpp:279
    #30 0x7f5af7974c4d in ?? ??:0
0x7f5aafd7f108 is located 136 bytes inside of 320-byte region [0x7f5aafd7f080,0x7f5aafd7f1c0)
freed by thread T0 here:
    #0 0x4c3e30 in free ??:0
    #1 0x7f5af4812572 in moz_free src/memory/mozalloc/mozalloc.cpp:51
    #2 0x7f5adb8efab1 in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224
    #3 0x7f5adb8ef937 in ~DocumentViewerImpl src/layout/base/nsDocumentViewer.cpp:565
    #4 0x7f5adb8ee9d3 in DocumentViewerImpl::Release() src/layout/base/nsDocumentViewer.cpp:550
    #5 0x7f5ada059e9f in ~nsCOMPtr_base src/../../dist/include/nsCOMPtr.h:408
    #6 0x7f5adb2aedd5 in nsCOMPtr<nsIContentViewer>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:447
    #7 0x7f5adb29d912 in nsCOMPtr<nsIContentViewer>::~nsCOMPtr() src/../../dist/include/nsCOMPtr.h:447
    #8 0x7f5adb91a5d6 in DocumentViewerImpl::Show() src/layout/base/nsDocumentViewer.cpp:1958
    #9 0x7f5adba69a4e in nsPresContext::EnsureVisible() src/layout/base/nsPresContext.cpp:1747
    #10 0x7f5adbae9c95 in PresShell::UnsuppressAndInvalidate() src/layout/base/nsPresShell.cpp:3577
    #11 0x7f5adbaeffe0 in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7630
    #12 0x7f5adbaee291 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3893
    #13 0x7f5adbaec891 in PresShell::HandlePostedReflowCallbacks(bool) src/layout/base/nsPresShell.cpp:3733
    #14 0x7f5adbac49ca in PresShell::DidDoReflow(bool) src/layout/base/nsPresShell.cpp:7293
    #15 0x7f5adbaefd68 in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7597
    #16 0x7f5adbaee291 in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3893
    #17 0x7f5add39a54b in nsDocument::FlushPendingNotifications(mozFlushType) src/content/base/src/nsDocument.cpp:6454
    #18 0x7f5adf5f8c97 in nsGlobalWindow::FlushPendingNotifications(mozFlushType) src/dom/base/nsGlobalWindow.cpp:10308
    #19 0x7f5adf607f5d in nsGlobalWindow::GetScrollMaxXY(int*, int*) src/dom/base/nsGlobalWindow.cpp:4253
    #20 0x7f5adf607ed9 in nsGlobalWindow::GetScrollMaxXY(int*, int*) src/dom/base/nsGlobalWindow.cpp:4250
    #21 0x7f5adf6090d1 in nsGlobalWindow::GetScrollMaxX(int*) src/dom/base/nsGlobalWindow.cpp:4275
    #22 0x7f5ae707c827 in NS_InvokeByIndex_P src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:162
    #23 0x7f5ae243edce in CallMethodHelper::Invoke() src/js/xpconnect/src/XPCWrappedNative.cpp:3105
    #24 0x7f5ae24a5f17 in XPCWrappedNative::GetAttribute(XPCCallContext&) src/js/xpconnect/src/xpcprivate.h:2817
    #25 0x7f5ae24a533c in XPC_WN_GetterSetter(JSContext*, unsigned int, JS::Value*) src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1517
    #26 0x7f5aed69db51 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) src/js/src/jscntxtinlines.h:372
    #27 0x7f5aecf093fc in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) src/js/src/jsinterp.h:119
    #28 0x7f5aed6a3511 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:411
    #29 0x7f5aed6a9f71 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) src/js/src/jsinterp.cpp:484
previously allocated by thread T0 here:
    #0 0x4c3ef0 in __interceptor_malloc ??:0
    #1 0x7f5af48126c6 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:57
    #2 0x7f5adb8ebf39 in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200
    #3 0x7f5adb8ebc23 in NS_NewContentViewer(nsIContentViewer**) src/layout/base/nsDocumentViewer.cpp:499
    #4 0x7f5adb558caf in nsContentDLF::CreateDocument(char const*, nsIChannel*, nsILoadGroup*, nsISupports*, nsID const&, nsIStreamListener**, nsIContentViewer**) src/layout/build/nsContentDLF.cpp:422
    #5 0x7f5adb555b6a in nsContentDLF::CreateInstance(char const*, nsIChannel*, nsILoadGroup*, char const*, nsISupports*, nsISupports*, nsIStreamListener**, nsIContentViewer**) src/layout/build/nsContentDLF.cpp:218
    #6 0x7f5ae34ef403 in nsDocShell::NewContentViewerObj(char const*, nsIRequest*, nsILoadGroup*, nsIStreamListener**, nsIContentViewer**) src/docshell/base/nsDocShell.cpp:7844
    #7 0x7f5ae34e76c9 in nsDocShell::CreateContentViewer(char const*, nsIRequest*, nsIStreamListener**) src/docshell/base/nsDocShell.cpp:7649
    #8 0x7f5ae3582688 in nsDSURIContentListener::DoContent(char const*, bool, nsIRequest*, nsIStreamListener**, bool*) src/docshell/base/nsDSURIContentListener.cpp:120
    #9 0x7f5ae35af8f4 in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) src/uriloader/base/nsURILoader.cpp:679
    #10 0x7f5ae35ab2c9 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:377
    #11 0x7f5ae35a9b9e in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) src/uriloader/base/nsURILoader.cpp:263
    #12 0x7f5ada1cd343 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/netwerk/base/src/nsBaseChannel.cpp:704
    #13 0x7f5ada1ced26 in non-virtual thunk to nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #14 0x7f5ada264b8e in nsInputStreamPump::OnStateStart() src/netwerk/base/src/nsInputStreamPump.cpp:417
    #15 0x7f5ada263db6 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/netwerk/base/src/nsInputStreamPump.cpp:368
    #16 0x7f5ada26722e in non-virtual thunk to nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) src/gfx/cairo/cairo/src/cairo-surface-subsurface.c:0
    #17 0x7f5ae6e6705d in nsInputStreamReadyEvent::Run() src/xpcom/io/nsStreamUtils.cpp:82
    #18 0x7f5ae6f755be in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:624
    #19 0x7f5ae6c081d7 in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:220
    #20 0x7f5ae596c695 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82
    #21 0x7f5ae722e3a9 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:208
    #22 0x7f5ae722e1f2 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:201
    #23 0x7f5ae722e0d7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:175
    #24 0x7f5ae4e1c5bf in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:165
Shadow byte and word:
  0x1feb55fafe21: fd
  0x1feb55fafe20: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1feb55fafe00: fa fa fa fa fa fa fa fa
  0x1feb55fafe08: fa fa fa fa fa fa fa fa
  0x1feb55fafe10: fd fd fd fd fd fd fd fd
  0x1feb55fafe18: fd fd fd fd fd fd fd fd
=>0x1feb55fafe20: fd fd fd fd fd fd fd fd
  0x1feb55fafe28: fd fd fd fd fd fd fd fd
  0x1feb55fafe30: fd fd fd fd fd fd fd fd
  0x1feb55fafe38: fd fd fd fd fd fd fd fd
  0x1feb55fafe40: fa fa fa fa fa fa fa fa
Stats: 233M malloced (257M for red zones) by 423404 calls
Stats: 44M realloced by 24832 calls
Stats: 191M freed by 274257 calls
Stats: 60M really freed by 160594 calls
Stats: 440M (112718 full pages) mmaped in 110 calls
  mmaps   by size class: 8:262128; 9:40955; 10:12285; 11:16376; 12:3072; 13:1536; 14:1280; 15:256; 16:448; 17:1248; 18:144; 19:40; 20:20;
  mallocs by size class: 8:329898; 9:52758; 10:15006; 11:17278; 12:2676; 13:1873; 14:1523; 15:328; 16:534; 17:1305; 18:166; 19:41; 20:18;
  frees   by size class: 8:199741; 9:42605; 10:11564; 11:13953; 12:1633; 13:1343; 14:1297; 15:271; 16:455; 17:1285; 18:57; 19:38; 20:15;
  rfrees  by size class: 8:123932; 9:20603; 10:4585; 11:9325; 12:626; 13:476; 14:350; 15:155; 16:330; 17:177; 18:29; 19:5; 20:1;
Stats: malloc large: 1530 small slow: 2031
==7322== ABORTING
Comment 1•12 years ago
This is a dup.
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 3•12 years ago
Can I be cc'ed on the dup bug 790856?
Updated•12 years ago
Whiteboard: [sg:dupe 790856] → [sg:dupe 790856][asan]
Updated•10 years ago
Group: core-security