Closed Bug 819014 Opened 12 years ago Closed 12 years ago

Use-after-free in nsINode::GetBoolFlag

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla20
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: attekett, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main20-])

Attachments

(5 files, 1 obsolete file)

Attached file repro-file
Repro-file as attachment. You might need to open the file in multiple tabs at the same time. (./firefox repro.html repro.html repro.html)


Tested on:

OS: Ubuntu 12.04
Firefox: ASAN build from https://people.mozilla.com/~choller/firefox/asan/20121206-mozilla-central-linux64-debug-ddda5400c826+asan.html

ASAN-report:

==26029== ERROR: AddressSanitizer heap-use-after-free on address 0x7ffa9d7a9aac at pc 0x7ffab97b53cd bp 0x7fff23dafc50 sp 0x7fff23dafc48
READ of size 4 at 0x7ffa9d7a9aac thread T0
    #0 0x7ffab97b53cc in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1344
    #1 0x7ffab9e46a4d in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1427
    #2 0x7ffab9e46211 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:510
    #3 0x7ffab9e46658 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:619
    #4 0x7ffab9f71369 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1171
    #5 0x7ffaba1af67a in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:1528
    #6 0x7ffab9f9319c in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1321
    #7 0x7ffab9f9512a in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1925
    #8 0x7ffabbc682a7 in mozilla::dom::NodeBinding::replaceChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:611
    #9 0x7ffabbc652ad in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:1308
    #10 0x7ffabcfb558b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:364
    #11 0x7ffabcfb4b73 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:369
    #12 0x7ffabcfacf60 in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:2321
    #13 0x7ffabcf9e362 in js::RunScript(JSContext*, JS::Handle<JSScript*>, js::StackFrame*) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:326
    #14 0x7ffabcfb4c98 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:384
    #15 0x7ffabce74759 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.h:109
    #16 0x7ffabcfb5c55 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:417
    #17 0x7ffabce39eeb in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/try-lnx64-dbg/build/js/src/jsapi.cpp:5786
    #18 0x7ffaba5148cf in nsJSContext::CallEventHandler(nsISupports*, JSObject*, JSObject*, nsIArray*, nsIVariant**) /builds/slave/try-lnx64-dbg/build/dom/base/nsJSEnvironment.cpp:1938
    #19 0x7ffaba57dec1 in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) /builds/slave/try-lnx64-dbg/build/dom/base/nsGlobalWindow.cpp:9712
    #20 0x7ffaba56af71 in nsGlobalWindow::RunTimeout(nsTimeout*) /builds/slave/try-lnx64-dbg/build/dom/base/nsGlobalWindow.cpp:9961
    #21 0x7ffaba57d667 in nsGlobalWindow::TimerCallback(nsITimer*, void*) /builds/slave/try-lnx64-dbg/build/dom/base/nsGlobalWindow.cpp:10230
    #22 0x7ffabbe148f0 in nsTimerImpl::Fire() /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsTimerImpl.cpp:482
    #23 0x7ffabbe1522e in nsTimerEvent::Run() /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsTimerImpl.cpp:565
    #24 0x7ffabbe082d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsThread.cpp:627
    #25 0x7ffabbd55472 in NS_ProcessNextEvent_P(nsIThread*, bool) /builds/slave/try-lnx64-dbg/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:221
    #26 0x7ffabb94c9ab in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/try-lnx64-dbg/build/ipc/glue/MessagePump.cpp:82
    #27 0x7ffabbe9ab51 in MessageLoop::RunInternal() /builds/slave/try-lnx64-dbg/build/ipc/chromium/src/base/message_loop.cc:215
    #28 0x7ffabbe9aa4e in MessageLoop::Run() /builds/slave/try-lnx64-dbg/build/ipc/chromium/src/base/message_loop.cc:182
    #29 0x7ffabb6e6591 in nsBaseAppShell::Run() /builds/slave/try-lnx64-dbg/build/widget/xpwidgets/nsBaseAppShell.cpp:163
    #30 0x7ffabb276b90 in nsAppStartup::Run() /builds/slave/try-lnx64-dbg/build/toolkit/components/startup/nsAppStartup.cpp:291
    #31 0x7ffab920d864 in XREMain::XRE_mainRun() /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:3824
    #32 0x7ffab920ee07 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:3891
    #33 0x7ffab920f8c1 in XRE_main /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:4089
    #34 0x409a8d in do_main(int, char**) /builds/slave/try-lnx64-dbg/build/browser/app/nsBrowserApp.cpp:174
    #35 0x409180 in main /builds/slave/try-lnx64-dbg/build/browser/app/nsBrowserApp.cpp:279
    #36 0x7ffac4f5976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
0x7ffa9d7a9aac is located 44 bytes inside of 128-byte region [0x7ffa9d7a9a80,0x7ffa9d7a9b00)
freed by thread T0 here:
    #0 0x43f180 in operator delete(void*) ??:0
    #1 0x7ffab9fb7eac in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:257
    #2 0x7ffab9f81817 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:115
    #3 0x7ffab9ffc45e in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
    #4 0x7ffabbd55c64 in nsXPCOMCycleCollectionParticipant::UnrootImpl(void*) /builds/slave/try-lnx64-dbg/build/obj-firefox/xpcom/build/nsCycleCollectionParticipant.cpp:37
    #5 0x7ffabbe30478 in nsCycleCollector::CollectWhite(nsICycleCollectorListener*) /builds/slave/try-lnx64-dbg/build/xpcom/base/nsCycleCollector.cpp:2409
    #6 0x7ffabbe31dde in nsCycleCollector::FinishCollection(nsICycleCollectorListener*) /builds/slave/try-lnx64-dbg/build/xpcom/base/nsCycleCollector.cpp:2915
    #7 0x7ffabbe335e8 in nsCycleCollectorRunner::Collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) /builds/slave/try-lnx64-dbg/build/xpcom/base/nsCycleCollector.cpp:3279
    #8 0x7ffabbe32fc8 in nsCycleCollector_collect(bool, nsCycleCollectorResults*, nsICycleCollectorListener*) /builds/slave/try-lnx64-dbg/build/xpcom/base/nsCycleCollector.cpp:3368
    #9 0x7ffaba50a861 in nsJSContext::CycleCollectNow(nsICycleCollectorListener*, int, bool) /builds/slave/try-lnx64-dbg/build/dom/base/nsJSEnvironment.cpp:3085
    #10 0x7ffaba51aa4d in CCTimerFired(nsITimer*, void*) /builds/slave/try-lnx64-dbg/build/dom/base/nsJSEnvironment.cpp:3278
    #11 0x7ffabbe148f0 in nsTimerImpl::Fire() /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsTimerImpl.cpp:482
    #12 0x7ffabbe1522e in nsTimerEvent::Run() /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsTimerImpl.cpp:565
    #13 0x7ffabbe082d7 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/try-lnx64-dbg/build/xpcom/threads/nsThread.cpp:627
    #14 0x7ffabbd55472 in NS_ProcessNextEvent_P(nsIThread*, bool) /builds/slave/try-lnx64-dbg/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:221
    #15 0x7ffabb94c9ab in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/try-lnx64-dbg/build/ipc/glue/MessagePump.cpp:82
    #16 0x7ffabbe9ab51 in MessageLoop::RunInternal() /builds/slave/try-lnx64-dbg/build/ipc/chromium/src/base/message_loop.cc:215
    #17 0x7ffabbe9aa4e in MessageLoop::Run() /builds/slave/try-lnx64-dbg/build/ipc/chromium/src/base/message_loop.cc:182
    #18 0x7ffabb6e6591 in nsBaseAppShell::Run() /builds/slave/try-lnx64-dbg/build/widget/xpwidgets/nsBaseAppShell.cpp:163
    #19 0x7ffabb276b90 in nsAppStartup::Run() /builds/slave/try-lnx64-dbg/build/toolkit/components/startup/nsAppStartup.cpp:291
    #20 0x7ffab920d864 in XREMain::XRE_mainRun() /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:3824
    #21 0x7ffab920ee07 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:3891
    #22 0x7ffab920f8c1 in XRE_main /builds/slave/try-lnx64-dbg/build/toolkit/xre/nsAppRunner.cpp:4089
    #23 0x409a8d in do_main(int, char**) /builds/slave/try-lnx64-dbg/build/browser/app/nsBrowserApp.cpp:174
    #24 0x409180 in main /builds/slave/try-lnx64-dbg/build/browser/app/nsBrowserApp.cpp:279
    #25 0x7ffac4f5976c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
previously allocated by thread T0 here:
    #0 0x43f000 in operator new(unsigned long) ??:0
    #1 0x7ffab9ffc1d4 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:105
    #2 0x7ffab9a0948b in nsTextControlFrame::UpdateValueDisplay(bool, bool, nsAString_internal const*) /builds/slave/try-lnx64-dbg/build/layout/forms/nsTextControlFrame.cpp:1344
    #3 0x7ffaba1d0663 in nsTextEditorState::InitializeRootNode() /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsTextEditorState.cpp:1619
    #4 0x7ffaba1cf734 in nsTextEditorState::BindToFrame(nsTextControlFrame*) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsTextEditorState.cpp:1074
    #5 0x7ffab9a087d4 in nsTextControlFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo, nsTArrayDefaultAllocator>&) /builds/slave/try-lnx64-dbg/build/layout/forms/nsTextControlFrame.cpp:361
    #6 0x7ffab98872c1 in nsCSSFrameConstructor::GetAnonymousContent(nsIContent*, nsIFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo, nsTArrayDefaultAllocator>&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:3866
    #7 0x7ffab987bace in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:9920
    #8 0x7ffab9886265 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:3708
    #9 0x7ffab988a3c5 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:5506
    #10 0x7ffab987b5b5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:9856
    #11 0x7ffab987c070 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsIFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:10000
    #12 0x7ffab9880dbd in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsStyleDisplay const*, nsIContent*, nsIFrame*, nsIFrame*, nsStyleContext*, nsIFrame**, nsFrameItems&, bool, PendingBinding*) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:11036
    #13 0x7ffab9886d88 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsIFrame*, nsStyleDisplay const*, nsFrameItems&, nsIFrame**) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:4483
    #14 0x7ffab98859ef in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:3576
    #15 0x7ffab988a3c5 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:5506
    #16 0x7ffab987b5b5 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsIFrame*, nsFrameItems&) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:9856
    #17 0x7ffab9892d18 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:6682
    #18 0x7ffab988fd15 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:6338
    #19 0x7ffab988fd78 in nsCSSFrameConstructor::CreateNeededFrames(nsIContent*) /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:6348
    #20 0x7ffab989313e in nsCSSFrameConstructor::CreateNeededFrames() /builds/slave/try-lnx64-dbg/build/layout/base/nsCSSFrameConstructor.cpp:6363
    #21 0x7ffab99a25da in PresShell::FlushPendingNotifications(mozFlushType) /builds/slave/try-lnx64-dbg/build/layout/base/nsPresShell.cpp:3843
    #22 0x7ffab9f1c69f in nsDocument::FlushPendingNotifications(mozFlushType) /builds/slave/try-lnx64-dbg/build/content/base/src/nsDocument.cpp:6099
    #23 0x7ffabb14d595 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/try-lnx64-dbg/build/uriloader/base/nsDocLoader.cpp:729
    #24 0x7ffabb14ed2d in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/try-lnx64-dbg/build/uriloader/base/nsDocLoader.cpp:659
==26029== ABORTING
Whiteboard: [asan]
I believe this is a dup, or a variant of an existing bug which is being fixed.
Yes, I think this is equivalent to bug 816253
Depends on: 816253
Atte: We think we've fixed this in bug 816253 which will be fixed in today's builds (checked-in yesterday). Are you still seeing a problem?
Flags: needinfo?(attekett)
The attached repro-file doesn't cause a crash on the new m-c ASAN build.
Flags: needinfo?(attekett)
Thanks for checking.
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: sec-bounty-
Keywords: crash, testcase
Resolution: --- → DUPLICATE
Whiteboard: [asan] → [asan][sg:dupe 816253]
Attached file New-repro-file
I think that this is still the same crash. The minimized repro-file is a little more complicated than the original one, but the ASAN-report from the opt build looks similar. Can't test on a debug build until tomorrow.
reopening since the patch in bug 816253 didn't fix all of what Atte was seeing.
Assignee: nobody → smontagu
Status: RESOLVED → REOPENED
Flags: sec-bounty- → sec-bounty?
Resolution: DUPLICATE → ---
This may be fixed by bug 815500 or bug 815276, but I am unable to reproduce the crash so I am not sure.
Reproduces cleanly with the new repro-file and the ASAN build from https://people.mozilla.com/~choller/firefox/asan/20121211-mozilla-central-linux64-debug-87f8165c5a0b+asan.html

ASAN-report:

==3166== ERROR: AddressSanitizer heap-use-after-free on address 0x7fd4af48e0ac at pc 0x7fd4cea81ffd bp 0x7fff2f79c8d0 sp 0x7fff2f79c8c8
READ of size 4 at 0x7fd4af48e0ac thread T0
    #0 0x7fd4cea81ffc in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1343
    #1 0x7fd4cf1135bd in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1426
    #2 0x7fd4cf112d81 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:510
    #3 0x7fd4cf1131c8 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:619
    #4 0x7fd4cf23dd89 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1171
    #5 0x7fd4cf472d3a in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:1529
    #6 0x7fd4cf25fbcc in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1321
.
.
.
freed by thread T0 here:
    #0 0x43f1a0 in operator delete(void*) ??:0
    #1 0x7fd4cf2848dc in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:257
    #2 0x7fd4cf24e237 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:115
    #3 0x7fd4cf2c907e in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
    #4 0x7fd4cf3109f0 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/FragmentOrElement.cpp:890
    #5 0x7fd4cf471393 in nsGenericHTMLElement::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:1208
.
.
.
OK, I got me an ASAN build and reproduced the error, and it does seem to be fixed by bug 815500
Depends on: 815500
Duping as per comment 10
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
I'd like to get this verified (by QA or the reporter) after bug 815500 lands before duping it.
Status: RESOLVED → REOPENED
Flags: sec-bounty- → sec-bounty?
Resolution: DUPLICATE → ---
Whiteboard: [asan][sg:dupe 816253] → [asan][sg:dupe 816253 and/or 815500]
Let me know when all the patches related to this bug are in m-c. The two minimized repro-files don't cause a crash anymore, but the original unminimized repro-file still causes a crash on a new ASAN build from m-c.
I'm not clear which testcases are crashing and which are not. If the original unminimized repro-file isn't one of the attachments on this bug, can you attach it?
The reason why I didn't attach this file originally is that it is huge and during the minimization the behavior of the crash didn't change much.
Attached patch Possible patch (obsolete) — Splinter Review
<braindump>
So this patch prevents the crash, but I suspect it's just wallpaper. I think that what I need to do is identify how the DOM gets into a state where this added condition is necessary: either some ancestor of the text node is getting modified in such a way that the NodeAffectsDirAutoAncestor() test returns false, even though it was true at the time that the text node set the direction of an ancestor; or it was never true and the text node was wrongly allowed to set direction.

Finding out the exact problem will be a lot more work, though, and a "correct" patch will most likely involve some amount of tree walking and be less performant.
</braindump>

Ehsan, does this all make sense?
Attachment #693846 - Flags: feedback?(ehsan)
Attached patch Better patch - Splinter Review
(In reply to myself from comment #16)
> either some ancestor of the text node is
> getting modified in such a way that the NodeAffectsDirAutoAncestor() test
> returns false, even though it was true at the time that the text node set
> the direction of an ancestor; or it was never true and the text node was
> wrongly allowed to set direction.

The second alternative is correct: this patch prevents a text node which would return false from NodeAffectsDirAutoAncestor from setting the direction of its ancestor. Waiting for try results before I ask review, and I'll try to re-minimize the test case to catch the issue.
Attachment #693846 - Attachment is obsolete: true
Attachment #693846 - Flags: feedback?(ehsan)
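As an added illustration (not code from this bug or from Gecko), the following is a simplified model of the invariant the second patch enforces: a text node may only register itself as the setter of an ancestor's dir=auto direction when NodeAffectsDirAutoAncestor holds, because the cleanup on removal is gated on the same predicate. The node layout, the names Element/Text/SetAncestorDirection/RemoveTextNode and the back-pointer scheme are assumptions of the model; the dangling pointer is only compared, never dereferenced.

```cpp
#include <memory>
#include <set>
#include <string>
#include <vector>

// Model (assumption, not Gecko's data structures): an element whose direction
// came from descendant text remembers the text node that set it, and the text
// node keeps a "directionality map" of the elements it set.
struct Node {
    Node* parent = nullptr;
    bool isText = false;
    std::string dir;               // "", "auto", "ltr" or "rtl"; elements only
    Node* dirAutoSetBy = nullptr;  // elements: text node that set their dir
    std::set<Node*> dirMap;        // text nodes: elements whose dir they set
    std::vector<std::unique_ptr<Node>> children;

    Node* append(std::unique_ptr<Node> c) {
        c->parent = this;
        children.push_back(std::move(c));
        return children.back().get();
    }
};

static std::unique_ptr<Node> Element(const std::string& dir) {
    auto n = std::make_unique<Node>();
    n->dir = dir;
    return n;
}

static std::unique_ptr<Node> Text() {
    auto n = std::make_unique<Node>();
    n->isText = true;
    return n;
}

// Nearest ancestor carrying dir="auto", ignoring anything in between.
static Node* NearestDirAutoAncestor(Node* text) {
    for (Node* a = text->parent; a; a = a->parent)
        if (a->dir == "auto") return a;
    return nullptr;
}

// The text node affects a dir=auto ancestor only if the nearest ancestor with
// an explicit dir attribute is the dir="auto" one (an intervening dir="ltr"
// or dir="rtl" cuts it off).
static bool NodeAffectsDirAutoAncestor(Node* text) {
    for (Node* a = text->parent; a; a = a->parent)
        if (!a->dir.empty()) return a->dir == "auto";
    return false;
}

// Text node sets its ancestor's direction. Unfixed: no guard. Fixed: the
// node must pass NodeAffectsDirAutoAncestor before it may register.
static void SetAncestorDirection(Node* text, bool fixed) {
    if (fixed && !NodeAffectsDirAutoAncestor(text)) return;
    if (Node* a = NearestDirAutoAncestor(text)) {
        a->dirAutoSetBy = text;
        text->dirMap.insert(a);
    }
}

// Removal: back-pointer cleanup is gated on the same predicate, so a node
// registered while the predicate was false is freed without clearing it.
static void RemoveTextNode(Node* text) {
    if (NodeAffectsDirAutoAncestor(text))
        for (Node* e : text->dirMap) e->dirAutoSetBy = nullptr;
    auto& sib = text->parent->children;
    for (auto it = sib.begin(); it != sib.end(); ++it)
        if (it->get() == text) { sib.erase(it); break; }  // frees the text node
}

// <div dir="auto"><span dir="ltr">text</span></div>: true when the div is left
// pointing at the freed text node, i.e. the next map walk would read freed memory.
bool LeavesDanglingPointer(bool fixed) {
    auto div = Element("auto");
    Node* span = div->append(Element("ltr"));
    Node* text = span->append(Text());
    SetAncestorDirection(text, fixed);
    RemoveTextNode(text);
    return div->dirAutoSetBy != nullptr;  // compared only, never dereferenced
}
```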
Minimized testcase.

I don't want to change [sg:] whiteboard stuff, but it's now clear that this isn't a dupe of bug 816253 or bug 815500.
Attachment #694285 - Flags: review?(ehsan)
Attachment #694011 - Flags: review?(ehsan) → review+
Comment on attachment 694285 [details] [diff] [review]
Minimized testcase

Review of attachment 694285 [details] [diff] [review]:
-----------------------------------------------------------------

r=me but remember to not land the test case until the bug is opened up.  Thanks!
Attachment #694285 - Flags: review?(ehsan) → review+
(In reply to Ehsan Akhgari [:ehsan] (Mostly away until Jan 2) from comment #20)
> r=me but remember to not land the test case until the bug is opened up. 

Do we really need to worry about that when the bug is only in nightly?
https://hg.mozilla.org/mozilla-central/rev/4aee8b87bea8
Status: REOPENED → RESOLVED
Closed: 12 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → Firefox 20
This ended up not being a dupe, but a distinct problem.

Judging by the patch, it looks like this is a regression from bug 548206, like the others, and should only affect 20.
Blocks: DirAuto
Component: General → Layout: Text
Product: Firefox → Core
Whiteboard: [asan][sg:dupe 816253 and/or 815500] → [asan]
Target Milestone: Firefox 20 → ---
Target Milestone: --- → mozilla20
Flags: sec-bounty? → sec-bounty+
Whiteboard: [asan] → [asan][adv-main20+]
Whiteboard: [asan][adv-main20+] → [asan][adv-main20-]
Group: core-security
Flags: in-testsuite? → in-testsuite+