segfault with svg and markers

RESOLVED DUPLICATE of bug 795734


People

(Reporter: miaubiz, Assigned: jwatt)

Tracking

(7 keywords)

Trunk
assertion, crash, regression, reproducible, sec-critical, testcase, verifyme
Bug Flags:
sec-bounty -
in-testsuite ?

Firefox Tracking Flags

(firefox16 unaffected, firefox17 unaffected, firefox18+ fixed, firefox19+ fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?)

Attachments

(3 attachments)

(Reporter)

Description

6 years ago
Created attachment 668125 [details]
testcase (WARNING: crashes nightly)

==7237== ERROR: AddressSanitizer crashed on unknown address 0x7fff00000000 (pc 0x7fffedad854d sp 0x7fffffff3820 bp 0x100000000000 T0)
AddressSanitizer can not provide additional info. ABORTING
    #0 0x7fffedad854d in nsRect /builds/slave/try-lnx64/build/gfx/src/nsRect.h:33

when I load:

<html>
  <head>
    <script>
      onload = function() {
        el0=document.createElementNS('http://www.w3.org/2000/svg', 'svg')
        el0.setAttribute('marker-start', 'url(#el1)')
        document.body.appendChild(el0)
        el1=document.createElementNS('http://www.w3.org/2000/svg', 'filter')
        el1.setAttribute('id','el1')
        document.body.appendChild(el1)
        document.body.offsetTop
        el1.appendChild(document.createElement('div'))
        document.body.offsetTop
        el1.setAttribute('X', 'X')
      }
    </script>
  </head>
  <body>
  </body>
</html>
(Reporter)

Comment 1

6 years ago
Created attachment 668126 [details]
asan log linux
(Reporter)

Comment 2

6 years ago
Created attachment 668131 [details]
other asan error log

sometimes I see this:

==29028== ERROR: AddressSanitizer heap-buffer-overflow on address 0x7fffc4b37098 at pc 0x7fffedadebf8 bp 0x7fffffff3850 sp 0x7fffffff3848
READ of size 4 at 0x7fffc4b37098 thread T0
    #0 0x7fffedadebf7 in nsRegion::Or(nsRegion const&, nsRegion const&) /builds/slave/try-lnx64/build/gfx/src/nsRegion.cpp:776
    #1 0x7fffef4d1d52 in nsRegion /builds/slave/try-lnx64/build/layout/svg/nsSVGOuterSVGFrame.h:150
    #2 0x7fffef4d22ac in nsSVGUtils::InvalidateAndScheduleReflowSVG(nsIFrame*) /builds/slave/try-lnx64/build/layout/svg/nsSVGUtils.cpp:572
    #3 0x7fffee431e8c in nsGenericElement::SetAttrAndNotify(int, nsIAtom*, nsIAtom*, nsAttrValue const&, nsAttrValue&, unsigned char, bool, bool, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:2054
    #4 0x7fffee43152c in nsGenericElement::SetAttr(int, nsIAtom*, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.cpp:1956
    #5 0x7fffee42a287 in nsGenericElement::SetAttr(int, nsIAtom*, nsAString_internal const&, bool) /builds/slave/try-lnx64/build/content/base/src/nsGenericElement.h:80
0x7fffc4b37098 is located 24 bytes to the right of 8192-byte region [0x7fffc4b35080,0x7fffc4b37080)
allocated by thread T0 here:
    #0 0x42a900 in __interceptor_malloc ??:0
    #1 0x7ffff5739a4c in PL_ArenaAllocate /builds/slave/try-lnx64/build/nsprpub/lib/ds/plarena.c:200
Attachment #668125 - Attachment mime type: text/plain → text/html
Comment on attachment 668125 [details]
testcase (WARNING: crashes nightly)

Confirmed to crash my linux 64-bit nightly. Doesn't seem to affect Aurora on my machine, though.
Attachment #668125 - Attachment description: repro → testcase (WARNING: crashes nightly)
status-firefox18: --- → affected
tracking-firefox18: --- → ?
Last good nightly: 2012-09-28
First bad nightly: 2012-09-29

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=895f66c4eada&tochange=c09a0c022b2e

Looks like a regression triggered by DLBI.
Blocks: 539356
Keywords: crash, regression
OS: Mac OS X → All
Hardware: x86 → All
In a debug build, this triggers:
###!!! ABORT: Passed bad frame!: 'aFrame->IsFrameOfType(nsIFrame::eSVG) && !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)', file /mozilla/layout/svg/nsSVGUtils.cpp, line 385
Keywords: assertion, testcase
Some context from gdb, for the frame "aFrame" that we're asserting about:
(gdb) p aFrame
$5 = (nsSVGOuterSVGFrame *) 0x7fc9fd1043d8
(gdb) p/x aFrame->mState
$6 = 0x2060000111000
(gdb) p/x aFrame->mState & (1 << 20)
$7 = 0x100000

NOTE: That 1 << 20 up three is NS_STATE_IS_OUTER_SVG.

So that's presumably the part of the assertion that's failing:
 !(aFrame->GetStateBits() & NS_STATE_IS_OUTER_SVG)
Keywords: reproducible

Updated

6 years ago
tracking-firefox18: ? → +
Debug build stack trace: http://pastebin.mozilla.org/1861135


Jonathan: Do you have any ideas here? The stack trace isn't familiar to me at all.

It appears that there's an SVG rendering observer on an nsSVGOuterSVGFrame, which isn't expected apparently.

I can't see how DLBI would have affected this, apart from changing timings of when SVG rendering observers get invalidated (though this doesn't look like one of those changes either).
This looks like bug 795734
Keywords: sec-critical
Whiteboard: [asan]
Assignee: nobody → jwatt
status-firefox19: --- → affected
Assignee: jwatt → nobody
status-firefox19: affected → ---
Whiteboard: [asan] → [asan] exposed by DLBI timing changes?
Assignee: nobody → jwatt
Blocks: 802638
status-firefox19: --- → affected
tracking-firefox19: --- → +
(Assignee)

Comment 10

6 years ago
I have a fix for this in bug 807213.
Whiteboard: [asan] exposed by DLBI timing changes? → [asan][fix in bug 807213] exposed by DLBI timing changes?
(Assignee)

Comment 11

6 years ago
The fix in bug 807213 has now landed for 19, 18 and 17.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox17: --- → fixed
status-firefox18: affected → fixed
status-firefox19: affected → fixed
Flags: in-testsuite?
Keywords: verifyme
Resolution: --- → FIXED

Updated

6 years ago
status-firefox-esr10: --- → unaffected
Did this affect Firefox 16?
Whiteboard: [asan][fix in bug 807213] exposed by DLBI timing changes? → [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes?
(Assignee)

Updated

6 years ago
status-firefox16: --- → unaffected
status-firefox17: fixed → unaffected
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Resolution: FIXED → DUPLICATE
Duplicate of bug: 795734
Whiteboard: [asan][adv-track-main17+][fix in bug 807213] exposed by DLBI timing changes? → [asan][fix in bug 807213][adv-main18-] exposed by DLBI timing changes?
Group: core-security