Closed
Bug 824719
Opened 12 years ago
Closed 12 years ago
Heap-use-after-free in nsINode::GetBoolFlag
Categories
(Core :: Layout: Text and Fonts, defect)
Tracking
VERIFIED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox19 | --- | unaffected |
firefox20 | + | verified |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: attekett, Assigned: smontagu)
References
Details
(4 keywords, Whiteboard: [asan][sg:dupe 819623][adv-main20-])
Recently there have been a few other bugs with a similar stack trace: bugs 815500, 816253 and 819014. Those three are currently "resolved fixed" and the patches should be applied, but this crash still occurs on my machines.
Tested on an ASAN build from https://people.mozilla.com/~choller/firefox/asan/20121226-mozilla-central-linux64-debug-5a1f68dbd885+asan.html
Repro-file:
```html
<!DOCTYPE html>
<html>
<body>
<div id='console'></div>
<div id='parentDiv'>
<!-- dir=auto: direction is resolved from the element's text content -->
<div id='right-to-left1' dir=auto class=testElement>
<input type=text value="a">a
</div>
<div id='right-to-left2' dir=auto class=testElement>
</div>
</div>
<script type="text/javascript">
document.getElementById("right-to-left2").appendChild(document.createElement("p"))
var test5=document.getElementById("right-to-left1")
var test6=document.getElementById("console").appendChild(document.createElement("dl"))
test6.appendChild(document.createElement("img"))
test5.parentNode.removeChild(test5)
// innerHTML='' releases the text children of right-to-left1 ("freed by" stack in the ASAN report)
test5.innerHTML=''
// appendChild binds the clone under the dir=auto element and walks its ancestors ("READ" stack in the ASAN report)
test5.appendChild(test6.cloneNode(true))
</script>
</body>
</html>
```
ASAN-report:
==17144== ERROR: AddressSanitizer heap-use-after-free on address 0x7f33ad6928ac at pc 0x7f33cae8a91d bp 0x7fff920c2290 sp 0x7fff920c2288
READ of size 4 at 0x7f33ad6928ac thread T0
#0 0x7f33cae8a91c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const /builds/slave/try-lnx64-dbg/build/../../dist/include/nsINode.h:1343
#1 0x7f33cb52362d in nsINode::HasTextNodeDirectionalityMap() const /builds/slave/try-lnx64-dbg/build/../../../dist/include/nsINode.h:1426
#2 0x7f33cb522de1 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:532
#3 0x7f33cb5231c8 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/DirectionalityUtils.cpp:641
#4 0x7f33cb662589 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:1173
#5 0x7f33cb8904ea in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) /builds/slave/try-lnx64-dbg/build/content/html/content/src/nsGenericHTMLElement.cpp:603
#6 0x7f33cb68a34c in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1322
#7 0x7f33cb68c2da in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/nsINode.cpp:1926
#8 0x7f33cd3ab3a7 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:549
#9 0x7f33cd3a8259 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/NodeBinding.cpp:1350
#10 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
.
.
.
freed by thread T0 here:
#0 0x43f1a0 in operator delete(void*) ??:0
#1 0x7f33cb6af45c in nsNodeUtils::LastRelease(nsINode*) /builds/slave/try-lnx64-dbg/build/content/base/src/nsNodeUtils.cpp:258
#2 0x7f33cb6787d7 in nsGenericDOMDataNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsGenericDOMDataNode.cpp:117
#3 0x7f33cb6f43ae in nsTextNode::Release() /builds/slave/try-lnx64-dbg/build/content/base/src/nsTextNode.cpp:127
#4 0x7f33cb73ac80 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) /builds/slave/try-lnx64-dbg/build/content/base/src/FragmentOrElement.cpp:890
#5 0x7f33cb66b093 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/try-lnx64-dbg/build/content/base/src/Element.cpp:3387
#6 0x7f33cd344b4f in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1560
#7 0x7f33cd343785 in mozilla::dom::ElementBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/try-lnx64-dbg/build/obj-firefox/dom/bindings/ElementBinding.cpp:1895
#8 0x7f33ce822e2b in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/try-lnx64-dbg/build/js/src/jscntxtinlines.h:373
#9 0x7f33ce822413 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.cpp:391
#10 0x7f33ce6db299 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) /builds/slave/try-lnx64-dbg/build/js/src/jsinterp.h:112
.
.
.
Component: General → Layout: Text
Product: Firefox → Core
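As an added illustration (not Gecko code and not from this bug's patch), a small C++ model of the relationship the two stack traces imply: the text node is released by innerHTML='' and then read again during the dir=auto element's ancestor walk on appendChild. The field names (`dirAutoSetBy`, `dependents`) and the `alive` flag are assumptions of the model.

```cpp
// Added model (not Gecko code) of the relationship behind this report: a
// dir=auto element holds a raw back-pointer to the text node that decided its
// direction, and the text node maps the elements depending on it. If
// innerHTML='' releases the text node without clearing that pointer, the next
// BindToTree ancestor walk reads freed memory. Freeing is simulated with an
// `alive` flag so the stale read is observable instead of undefined.
#include <algorithm>
#include <vector>
struct Element;
struct TextNode {
    bool alive = true;                 // false once "freed" (simulated)
    std::vector<Element*> dependents;  // nsTextNodeDirectionalityMap analogue
};
struct Element {
    TextNode* dirAutoSetBy = nullptr;  // raw back-pointer: the hazard
    std::vector<TextNode*> children;
};
// RemoveElementFromMap analogue. The real one reads a flag on `t` first (the
// freed READ in the ASan report); here BindChildUnder checks `alive` before it.
void RemoveElementFromMap(TextNode* t, Element* e) {
    t->dependents.erase(std::remove(t->dependents.begin(), t->dependents.end(), e), t->dependents.end());
    e->dirAutoSetBy = nullptr;
}
// innerHTML='' analogue; `fixed` selects whether the back-pointer is cleared
// before each text child is released (the invariant a fix must keep).
void SetInnerHTMLEmpty(Element& e, bool fixed) {
    for (TextNode* t : e.children) {
        if (fixed && e.dirAutoSetBy == t) RemoveElementFromMap(t, &e);
        t->alive = false;  // stands in for nsTextNode::Release() freeing it
    }
    e.children.clear();
}
// appendChild -> BindToTree ancestor-walk analogue; false where Gecko would read the freed node.
bool BindChildUnder(Element& e) {
    if (e.dirAutoSetBy && !e.dirAutoSetBy->alive) return false;  // the UAF
    if (e.dirAutoSetBy) RemoveElementFromMap(e.dirAutoSetBy, &e);
    return true;
}
// Replays comment 0: right-to-left1 resolved its direction from its text
// child, then innerHTML='' was followed by appendChild. True if no stale read.
bool ReplayTestcase(bool fixed) {
    TextNode a;                        // the text child of the dir=auto element
    Element rtl1;
    rtl1.children.push_back(&a);
    a.dependents.push_back(&rtl1);     // text node records its dependent...
    rtl1.dirAutoSetBy = &a;            // ...and the element points back at it
    SetInnerHTMLEmpty(rtl1, fixed);
    return BindChildUnder(rtl1);
}
```

`ReplayTestcase(false)` reproduces the stale read from the report; `ReplayTestcase(true)` shows the ordering that keeps the back-pointer valid.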
Comment 1•12 years ago
I'm going to go ahead and guess that this is another regression from bug 548206. Please update as appropriate if this turns out to not be the case.
Comment 2•12 years ago
There's a good chance this is the same issue as bug 815276 under the hood...
tracking-firefox20:
--- → ?
Depends on: 815276
Assignee
Comment 3•12 years ago
Fixed by the patch for bug 819623, but not duping for now so that it gets QA love.
Assignee: nobody → smontagu
Depends on: 819623
Updated•12 years ago
Whiteboard: [asan] → [asan][sg:dupe 819623]
Comment 4•12 years ago
What is the QA love you are wanting here since it isn't marked QA wanted or anything?
Assignee
Comment 6•12 years ago
Yes, but I wasn't going to add verifyme until 819623 is fixed. Right now there is nothing to verify in nightlies.
Comment 7•12 years ago
Sure, but I think QA doesn't look at things with verifyme until they are closed, so we can just leave the flag here until this is fixed.
Comment 8•12 years ago
QA love has arrived.
Linux ASan build from today still crashes on code snippet in comment 0.
http://people.mozilla.org/~choller/firefox/asan/20121231-mozilla-central-linux64-opt-0d771761b9b3+asan.html
Simon, would you mind taking a look? Thanks.
Assignee
Comment 9•12 years ago
Please read comments 6 and 7 again. This is expected to go on crashing until attachment 694559 [details] [diff] [review] from bug 819623 gets reviewed and checked in.
Updated•12 years ago
Assignee
Comment 10•12 years ago
Checked in the testcase, since it is reproducible on a standard build, unlike bug 819623.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a1fd60b9fab0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Is the status-firefox20 here still true? (I think not, but I'm not sure.)
Comment 12•12 years ago
QA, please verify that this is fixed since bug 819623 is marked fixed (might want to verify it too).
Flags: needinfo?(mwobensmith)
Comment 13•12 years ago
Flags: in-testsuite+
Target Milestone: --- → mozilla20
Assignee
Updated•12 years ago
Comment 14•12 years ago
Confirmed crash on central, ASan build 2012-12-26.
Confirmed fixed on central, ASan build 2012-01-10.
Confirmed fixed on central, release build 2012-01-10.
Updated•12 years ago
status-b2g18:
--- → unaffected
status-firefox19:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Flags: sec-bounty-
Updated•12 years ago
Whiteboard: [asan][sg:dupe 819623] → [asan][sg:dupe 819623][adv-main20-]
Updated•11 years ago
Group: core-security
Updated•11 months ago
Keywords: reporter-external