Closed Bug 828903 Opened 8 years ago Closed 8 years ago

UAF in xul!mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap

Categories

(Core :: Layout, defect)

Version: 21 Branch
Type: defect
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 827190
Tracking Status
firefox20 - affected
firefox21 - affected

People

(Reporter: nils, Assigned: mwobensmith)

Details

(4 keywords, Whiteboard: [asan][sg:dupe 827190])

Attachments

(1 file)

Crashes current nightly. Testcase attached.

ASan output:
==686== ERROR: AddressSanitizer heap-use-after-free on address 0x7fee9b85adac at pc 0x7feee320c52b bp 0x7fff53c95fc0 sp 0x7fff53c95fb8
READ of size 4 at 0x7fee9b85adac thread T0
    #0 0x7feee320c52a in _ZN7mozilla27nsTextNodeDirectionalityMap20RemoveElementFromMapEP7nsINodePNS_3dom7ElementE /builds/slave/try-lnx64/build/../../../dist/include/nsINode.h:1343
    #1 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #2 0x7feee33a479e in _ZN7mozilla3dom7Element14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/base/src/Element.cpp:1372
    #3 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #4 0x7feee33a479e in _ZN7mozilla3dom7Element14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/base/src/Element.cpp:1372
    #5 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsGenericHTMLElement.cpp:657
    #6 0x7feee38a9212 in _ZN19nsHTMLSharedElement14UnbindFromTreeEbb /builds/slave/try-lnx64/build/content/html/content/src/nsHTMLSharedElement.cpp:438
    #7 0x7feee399a9a8 in _ZN14nsHTMLDocument15cycleCollection10UnlinkImplEPv /builds/slave/try-lnx64/build/content/html/document/src/nsHTMLDocument.cpp:224
    #8 0x7feee5dea36d in _ZN16nsCycleCollector16FinishCollectionEP25nsICycleCollectorListener /builds/slave/try-lnx64/build/xpcom/base/nsCycleCollector.cpp:2935
    #9 0x7feee5de972e in _Z24nsCycleCollector_collectbP23nsCycleCollectorResultsP25nsICycleCollectorListener /builds/slave/try-lnx64/build/xpcom/base/nsCycleCollector.cpp:3394
    #10 0x7feee3bc264e in _ZN11nsJSContext15CycleCollectNowEP25nsICycleCollectorListenerib /builds/slave/try-lnx64/build/dom/base/nsJSEnvironment.cpp:3138
    #11 0x7feee3bd7184 in _ZL12CCTimerFiredP8nsITimerPv /builds/slave/try-lnx64/build/dom/base/nsJSEnvironment.cpp:3345
0x7fee9b85adac is located 44 bytes inside of 120-byte region [0x7fee9b85ad80,0x7fee9b85adf8)
freed by thread T0 here:
    #0 0x435a70 in free ??:0
    #1 0x7feee3419b01 in _ZN11nsNodeUtils11LastReleaseEP7nsINode /builds/slave/try-lnx64/build/content/base/src/nsNodeUtils.cpp:258
    #2 0x7feee33c2853 in _ZN20nsGenericDOMDataNode7ReleaseEv /builds/slave/try-lnx64/build/content/base/src/nsGenericDOMDataNode.cpp:117
previously allocated by thread T0 here:
    #0 0x435b30 in __interceptor_malloc ??:0
    #1 0x7feeea148288 in moz_xmalloc /builds/slave/try-lnx64/build/memory/mozalloc/mozalloc.cpp:54
Shadow byte and word:
  0x1ffdd370b5b5: fd
  0x1ffdd370b5b0: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ffdd370b590: fd fd fd fd fd fd fd fd
  0x1ffdd370b598: fd fd fd fd fd fd fd fd
  0x1ffdd370b5a0: fa fa fa fa fa fa fa fa
  0x1ffdd370b5a8: fa fa fa fa fa fa fa fa
=>0x1ffdd370b5b0: fd fd fd fd fd fd fd fd
  0x1ffdd370b5b8: fd fd fd fd fd fd fd fd
  0x1ffdd370b5c0: fa fa fa fa fa fa fa fa
  0x1ffdd370b5c8: fa fa fa fa fa fa fa fa
  0x1ffdd370b5d0: fd fd fd fd fd fd fd fd
==686== ABORTING

Stack on windows:
00325a30 7189336f xul!nsINode::GetProperty(class nsIAtom * aPropertyName = 0x03f479a0, tag_nsresult * aStatus = 0x00000000)+0xd
00325a44 71b765dc xul!mozilla::nsTextNodeDirectionalityMap::GetDirectionalityMap(class nsINode * aTextNode = 0x05731bc0)+0x21
00325a54 716d8d36 xul!mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(class nsINode * aTextNode = 0x05731bc0, class mozilla::dom::Element * aElement = 0x06c22ce0)+0x1a
00325a88 713d6814 xul!mozilla::dom::Element::UnbindFromTree+0x3024f6
00325aa4 713d6a37 xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325ad8 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325af4 7130678b xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325b10 71500f59 xul!nsGenericHTMLFormElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x45
00325b24 713d6a37 xul!nsHTMLSelectElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x11
00325b58 71ebe00d xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325b70 713d6a37 xul!nsSVGSVGElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x27
00325ba4 713d6a37 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325bd8 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1f7
00325bf4 712ebf0c xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x44
00325c08 713d6a37 xul!mozilla::dom::HTMLBodyElement::UnbindFromTree(bool aDeep = true, bool aNullParent = false)+0x1a
00325c3c 713d6814 xul!mozilla::dom::Element::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x1f7
00325c58 713173a2 xul!nsGenericHTMLElement::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x44
00325c70 7138dd22 xul!nsHTMLSharedElement::UnbindFromTree(bool aDeep = true, bool aNullParent = true)+0x1e
00325c90 714c9d2a xul!nsDocument::cycleCollection::UnlinkImpl(void * p = 0x058e5000)+0xa2
00325ca4 7140a9e8 xul!nsHTMLDocument::cycleCollection::UnlinkImpl(void * p = 0x058e5000)+0xe
00325cd8 714da399 xul!nsCycleCollector::CollectWhite(class nsICycleCollectorListener * aListener = 0x00000000)+0x1e8
00325cec 714da2d8 xul!nsCycleCollector::FinishCollection(class nsICycleCollectorListener * aListener = 0x00000000)+0xf
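For triaging reports like the one above, a small parser is handy: it pulls the access type and size, cross-checks the freed-region arithmetic, and splits the three stacks so the first non-allocator frame of the "freed by" stack (here nsNodeUtils::LastRelease) can be read off directly. This is an added example, not code from this bug or from Mozilla; the embedded sample is a constructed excerpt of the ASan report above with the build paths trimmed to basenames.

```python
import re

# Constructed sample, trimmed from the ASan report in this bug (same addresses and frames).
SAMPLE = """\
==686== ERROR: AddressSanitizer heap-use-after-free on address 0x7fee9b85adac at pc 0x7feee320c52b bp 0x7fff53c95fc0 sp 0x7fff53c95fb8
READ of size 4 at 0x7fee9b85adac thread T0
    #0 0x7feee320c52a in _ZN7mozilla27nsTextNodeDirectionalityMap20RemoveElementFromMapEP7nsINodePNS_3dom7ElementE nsINode.h:1343
    #1 0x7feee36a5b2c in _ZN20nsGenericHTMLElement14UnbindFromTreeEbb nsGenericHTMLElement.cpp:657
0x7fee9b85adac is located 44 bytes inside of 120-byte region [0x7fee9b85ad80,0x7fee9b85adf8)
freed by thread T0 here:
    #0 0x435a70 in free ??:0
    #1 0x7feee3419b01 in _ZN11nsNodeUtils11LastReleaseEP7nsINode nsNodeUtils.cpp:258
previously allocated by thread T0 here:
    #0 0x435b30 in __interceptor_malloc ??:0
    #1 0x7feeea148288 in moz_xmalloc mozalloc.cpp:54
==686== ABORTING
"""

ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x([0-9a-f]+)")
REGION = re.compile(r"located (\d+) bytes inside of (\d+)-byte region \[0x([0-9a-f]+),0x([0-9a-f]+)\)")
FRAME = re.compile(r"^\s+#\d+ 0x[0-9a-f]+ in (\S+) (\S+)$")
ALLOCATOR = {"free", "malloc", "__interceptor_free", "__interceptor_malloc"}

def parse_asan_uaf(text):
    """Return kind, access type/size/address, freed region and the three stacks as (symbol, file:line) lists."""
    r = {"kind": None, "access": None, "size": None, "addr": None, "region": None,
         "stacks": {"access": [], "freed": [], "allocated": []}}
    stack = "access"  # frames before "freed by" belong to the faulting access
    for line in text.splitlines():
        if "ERROR: AddressSanitizer" in line:
            r["kind"] = line.split()[3]  # e.g. heap-use-after-free
        elif m := ACCESS.match(line):
            r["access"], r["size"], r["addr"] = m.group(1), int(m.group(2)), int(m.group(3), 16)
        elif m := REGION.search(line):
            off, size, lo, hi = int(m.group(1)), int(m.group(2)), int(m.group(3), 16), int(m.group(4), 16)
            # Sanity-check ASan's arithmetic: region bounds and offset must agree with the faulting address.
            if hi - lo != size or r["addr"] - lo != off:
                raise ValueError("inconsistent region line: %s" % line.strip())
            r["region"] = {"offset": off, "size": size, "base": lo}
        elif line.startswith("freed by"):
            stack = "freed"
        elif line.startswith("previously allocated by"):
            stack = "allocated"
        elif m := FRAME.match(line):
            r["stacks"][stack].append((m.group(1), m.group(2)))
    return r

def first_non_allocator_frame(stack):
    """First frame that is not the malloc/free interceptor: the code that actually released or obtained the object."""
    return next((sym for sym, _loc in stack if sym not in ALLOCATOR), None)
```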
Attachment #700288 - Attachment mime type: text/plain → text/html
Whiteboard: [asan]
Not getting a crash running the attached test case in my current (today) trunk ASAN build on OS X.
->Layout, that is where the other nsTextNodeDirectionality bugs have been handled.
Component: DOM: Other → Layout
Looks like a dupe of bug 827190 which should be fixed in Nightly in a day or so.
Since we're tracking 827190, I'm removing tracking noms on this dupe.
Does this still occur in the latest ASan Nightly?
Flags: in-testsuite?
Let's see if Matt can take a look.
Assignee: nobody → mwobensmith
No crash for me in today's ASan build on Mac.

Went to Ubuntu 12.04 and saw the above crash on an ASan build from 2013-01-10. Tried it again on that config with today's ASan build - no crash.

So I guess the next step is for Nils to rerun the test on any affected configs with the latest build, and let us know if it still happens.
Nils, please reopen if you can still reproduce this.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 827190
Whiteboard: [asan] → [asan][sg:dupe 827190]
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5783ad837a10
Group: core-security
Flags: in-testsuite? → in-testsuite+