828903 - UAF in xul!mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap

Status: RESOLVED DUPLICATE of bug 827190

(Core :: Layout, defect)

Description

[Nils]

Attachment: testcase (crashes firefox)

Crashes current nightly. Testcase attached.

Asan output:
==686== ERROR: AddressSanitizer heap-use-after-free on address 0x7fee9b85adac at pc 0x7feee320c52b bp 0x7fff53c95fc0 sp 0x7fff53c95fb8
READ of size 4 at 0x7fee9b85adac thread T0
    #0 0x7feee320c52a in _ZN7mozilla27nsTextNodeDirectionalityMap20RemoveElementFromMapEP7nsINodePNS_3dom7ElementE /builds/slave/try-lnx64/build/../../../dist/include/nsINode.h:1343
    #1 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #2 0x7feee33a479e in _ZN7mozilla3dom7Element14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/base/src/Element.cpp:1372
    #3 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #4 0x7feee33a479e in _ZN7mozilla3dom7Element14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/base/src/Element.cpp:1372
    #5 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #6 0x7feee38a9212 in _ZN19nsHTMLSharedElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsHTMLSharedElement.cpp:438
    #7 0x7feee399a9a8 in _ZN14nsHTMLDocument15cycleCollection10UnlinkImplEPv /builds/slave/try-lnx64/build/content/html/document/src/nsHTMLDocument.cpp:224
    #8 0x7feee5dea36d in _ZN16nsCycleCollector16FinishCollectionEP25nsICycleCollectorListener /builds/slave/try-lnx64/build/xpcom/base/nsCycleCollector.cpp:2935
    #9 0x7feee5de972e in _Z24nsCycleCollector_collectbP23nsCycleCollectorResultsP25nsICycleCollectorListener /builds/slave/try-lnx64/build/xpcom/base/nsCycleCollector.cpp:3394
    #10 0x7feee3bc264e in _ZN11nsJSContext15CycleCollectNowEP25nsICycleCollectorListenerib /builds/slave/try-lnx64/build/dom/base/nsJSEnvironment.cpp:3138
    #11 0x7feee3bd7184 in _ZL12CCTimerFiredP8nsITimerPv /builds/slave/try-lnx64/build/dom/base/nsJSEnvironment.cpp:3345
0x7fee9b85adac is located 44 bytes inside of 120-byte region [0x7fee9b85ad80,0x7fee9b85adf8)
freed by thread T0 here:
    #0 0x435a70 in free ??:0
    #1 0x7feee3419b01 in _ZN11nsNodeUtils11LastReleaseEP7nsINode /builds/slave/try-lnx64/build/content/base/src/nsNodeUtils.cpp:258
    #2 0x7feee33c2853 in _ZN20nsGenericDOMDataNode7ReleaseEv /builds/slave/try-lnx64/build/content/base/src/nsGenericDOMDataNode.cpp:117
previously allocated by thread T0 here:
    #0 0x435b30 in __interceptor_malloc ??:0
    #1 0x7feeea148288 in moz_xmalloc /builds/slave/try-lnx64/build/memory/mozalloc/mozalloc.cpp:54
Shadow byte and word:
  0x1ffdd370b5b5: fd
  0x1ffdd370b5b0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffdd370b590: fd fd fd fd fd fd fd fd
  0x1ffdd370b598: fd fd fd fd fd fd fd fd
  0x1ffdd370b5a0: fa fa fa fa fa fa fa fa
  0x1ffdd370b5a8: fa fa fa fa fa fa fa fa
=>0x1ffdd370b5b0: fd fd fd fd fd fd fd fd
  0x1ffdd370b5b8: fd fd fd fd fd fd fd fd
  0x1ffdd370b5c0: fa fa fa fa fa fa fa fa
  0x1ffdd370b5c8: fa fa fa fa fa fa fa fa
  0x1ffdd370b5d0: fd fd fd fd fd fd fd fd
Stats: 647M malloced (753M for red zones) by 1469696 calls
Stats: 74M realloced by 141425 calls
Stats: 603M freed by 1255258 calls
Stats: 484M really freed by 929922 calls
Stats: 668M (171116 full pages) mmaped in 167 calls
  mmaps   by size class: 8:491490; 9:65528; 10:32760; 11:26611; 12:8192; 13:7168; 14:1536; 15:640; 16:1152; 17:1280; 18:48; 19:40; 20:32; 21:2;
  mallocs by size class: 8:1165638; 9:134355; 10:66159; 11:61224; 12:14307; 13:16535; 14:4379; 15:1501; 16:3165; 17:2292; 18:48; 19:47; 20:45; 21:1;
  frees   by size class: 8:987285; 9:112653; 10:59399; 11:56561; 12:12524; 13:15998; 14:4118; 15:1355; 16:2972; 17:2264; 18:40; 19:44; 20:45;
  rfrees  by size class: 8:732657; 9:83599; 10:42577; 11:42385; 12:8391; 13:11468; 14:3347; 15:1038; 16:2268; 17:2066; 18:39; 19:44; 20:43;
Stats: malloc large: 2434 small slow: 8410
==686== ABORTING

Stack on windows:
00325a30 7189336f xul!nsINode::GetProperty(class nsIAtom * aPropertyName = 0x03f479a0, tag_nsresult * aStatus = 0x00000000)+0xd
00325a44 71b765dc xul!mozilla::nsTextNodeDirectionalityMap::GetDirectionalityMap(class nsINode * aTextNode = 0x05731bc0)+0x21
00325a54 716d8d36 xul!mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(class nsINode * aTextNode = 0x05731bc0, class mozilla::dom::Element * aElement = 0x06c22ce0)+0x1a
00325a88 713d6814 xul!mozilla::dom::Element::UnbindFromTree+0x3024f6
00325aa4 713d6a37 xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325ad8 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325af4 7130678b xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325b10 71500f59 xul!nsGenericHTMLFormElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x45
00325b24 713d6a37 xul!nsHTMLSelectElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x11
00325b58 71ebe00d xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325b70 713d6a37 xul!nsSVGSVGElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x27
00325ba4 713d6a37 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325bd8 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325bf4 712ebf0c xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325c08 713d6a37 xul!mozilla::dom::HTMLBodyElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1a
00325c3c 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x1f7
00325c58 713173a2 xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x44
00325c70 7138dd22 xul!nsHTMLSharedElement::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x1e
00325c90 714c9d2a xul!nsDocument::cycleCollection::UnlinkImpl(void * p = 0x058e5000)+0xa2
00325ca4 7140a9e8 xul!nsHTMLDocument::cycleCollection::UnlinkImpl(void * p = 0x058e5000)+0xe
00325cd8 714da399 xul!nsCycleCollector::CollectWhite(class nsICycleCollectorListener * aListener = 0x00000000)+0x1e8
00325cec 714da2d8 xul!nsCycleCollector::FinishCollection(class nsICycleCollectorListener * aListener = 0x00000000)+0xf

Comment 1

[Al Billings [:abillings - ex-MoCo]]

Not getting a crash running the attached test case in my current (today) trunk ASAN build on OS X.

Comment 2

[Olli Pettay [:smaug][bugs@pettay.fi]]

->Layout, that is where the other nsTextNodeDirectionality bugs have been handled.

Comment 3

[Mats Palmgren (inactive)]

Looks like a dupe of bug 827190 which should be fixed in Nightly in a day or so.

Comment 4

[Lukas Blakk [:lsblakk] use ?needinfo]

Since we're tracking 827190, i'm removing tracking noms on this dupe.

Comment 5

[Mats Palmgren (inactive)]

Does this still occur in the latest ASan Nightly?

Comment 6

[David Bolter [:davidb] (NeedInfo me for attention)]

Let's see if Matt can take a look.

Comment 7

[Matt Wobensmith [:mwobensmith][:matt:]]

No crash for me in today's ASan build on Mac.

Went to Ubuntu 12.04 and saw the above crash on an ASan build from 2013-01-10. Tried it again on that config with today's ASan build - no crash.

So I guess the next step is for Nils to rerun the test on any affected configs with the latest build, and let us know if it still happens.

Comment 8

[Mats Palmgren (inactive)]

Nils, please reopen if you can still reproduce this

Comment 9

[Mats Palmgren (inactive)]

Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5783ad837a10

Comment 10

[Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)]

https://hg.mozilla.org/mozilla-central/rev/5783ad837a10