Closed Bug 798010 Opened 12 years ago Closed 12 years ago

segfault with svg and markers

Categories: Core :: SVG, defect
Type: defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 795734

Tracking Status
firefox16 --- unaffected
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 --- unaffected

People: Reporter: miaubiz, Assigned: jwatt

Details: 7 keywords, Whiteboard: [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?

Attachments: 3 files

==7237== ERROR: AddressSanitizer crashed on unknown address 0x7fff00000000 (pc 0x7fffedad854d sp 0x7fffffff3820 bp 0x100000000000 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fffedad854d in nsRect /builds/slave/try-lnx64/build/gfx/src/nsRect.h:33

when I load:

<html>
  <head>
    <script>
      onload = function() {
        // Outer <svg> whose marker-start property references an element with id "el1"
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('marker-start', 'url(#el1)')
        document.body.appendChild(el0)
        // The referenced element is an SVG <filter>, not a <marker>
        el1=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el1.setAttribute('id','el1')
        document.body.appendChild(el1)
        // Force a layout flush
        document.body.offsetTop
        // Insert a non-SVG child into the filter, then flush layout again
        el1.appendChild(document.createElement('div'))
        document.body.offsetTop
        // Attribute change triggers the invalidation path seen in the stack trace
        el1.setAttribute('X', 'X')
      }
    </script>
  </head>
  <body>
  </body>
</html>
Attached file asan log linux
Attached file other asan error log
sometimes I see this:

==29028== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffc4b37098 at pc 0x7fffedadebf8 bp 0x7fffffff3850 sp 0x7fffffff3848
READ of size 4 at 0x7fffc4b37098 thread T0
    #0 0x7fffedadebf7 in nsRegion::Or(nsRegion const&, nsRegion const&) /builds/slave/try-lnx64/build/gfx/src/nsRegion.cpp:776
    #1 0x7fffef4d1d52 in nsRegion /builds/slave/try-lnx64/build/layout/svg/nsSVGOuterSVGFrame.h:150
    #2 0x7fffef4d22ac in nsSVGUtils::InvalidateAndScheduleReflowSVG(nsIFrame*) /builds/slave/try-lnx64/build/layout/svg/nsSVGUtils.cpp:572
    #3 0x7fffee431e8c in nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:2054
    #4 0x7fffee43152c in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:1956
    #5 0x7fffee42a287 in nsGenericElement::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.h:80
0x7fffc4b37098 is located 24 bytes to the right of 8192-byte region [0x7fffc4b35080,0x7fffc4b37080)
allocated by thread T0 here:
    #0 0x42a900 in __interceptor_malloc ??:0
    #1 0x7ffff5739a4c in PL_ArenaAllocate /builds/slave/try-lnx64/build/nsprpub/lib/ds/plarena.c:200
Attachment #668125 - Attachment mime type: text/plain → text/html
Comment on attachment 668125 [details]
testcase (WARNING: crashes nightly)

Confirmed to crash my linux 64-bit nightly. Doesn't seem to affect Aurora on my machine, though.
Attachment #668125 - Attachment description: repro → testcase (WARNING: crashes nightly)
Last good nightly: 2012-09-28
First bad nightly: 2012-09-29

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=895f66c4eada&tochange=c09a0c022b2e

Looks like a regression triggered by DLBI.
Blocks: dlbi
Keywords: crash, regression
OS: Mac OS X → All
Hardware: x86 → All
In a debug build, this triggers:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file /mozilla/layout/svg/nsSVGUtils.cpp, line 385
Keywords: assertion, testcase
Some context from gdb, for the frame "aFrame" that we're asserting about:
(gdb) p aFrame
$5 = (nsSVGOuterSVGFrame *) 0x7fc9fd1043d8
(gdb) p/x aFrame->mState
$6 = 0x2060000111000
(gdb) p/x aFrame->mState & (1 << 20)
$7 = 0x100000

NOTE: That 1 << 20 up three is NS_STATE_IS_OUTER_SVG.

So that's presumably the part of the assertion that's failing:
 !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)
Debug build stack trace: http://pastebin.mozilla.org/1861135


Jonathan: Do you have any ideas here? The stack trace isn't familiar to me at all.

It appears that there's an SVG rendering observer on an nsSVGOuterSVGFrame, which isn't expected apparently.

I can't see how DLBI would have affected this, apart from changing timings of when SVG rendering observers get invalidated (though this doesn't look like one of those changes either).
This looks like bug 795734
Keywords: sec-critical
Whiteboard: [asan]
Assignee: nobody → jwatt
Assignee: jwatt → nobody
Whiteboard: [asan] → [asan] exposed by DLBI timing changes?
Assignee: nobody → jwatt
Blocks: 802638
I have a fix for this in bug 807213.
Whiteboard: [asan] exposed by DLBI timing changes? → [asan][fix in bug 807213] exposed by DLBI timing changes?
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED
Did this affect Firefox 16?
Whiteboard: [asan][fix in bug 807213] exposed by DLBI timing changes? → [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes?
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Whiteboard: [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes? → [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?
Group: core-security