833895 - UAF with backfaceVisibility='hidden' and position=fixed

Status: RESOLVED DUPLICATE of bug 830192

(Core :: Layout, defect)

Description

[Nils]

Attachment: testcase (crashes firefox)

The attached testcase crashes in the latest nightly in the cycle collection. Requires Jesse's Quitter extensions (https://www.squarefree.com/extensions/quitter.xpi).

Debugger output on linux:
Program received signal SIGSEGV, Segmentation fault.
nsFrameSelection::cycleCollection::TraverseImpl (that=<optimised out>, p=0x7fffddb07600, cb=...) at /home/fred/codereader/src/layout/generic/nsSelection.cpp:5665
5665	}
(gdb) info reg
rax            0x20002000200020	9007336695791648
rbx            0x7fffffff1d48	140737488297288
rcx            0x1	1
rdx            0x7ffff45c4cb1	140737293077681
rsi            0xb	11
rdi            0x0	0
rbp            0x7fffddb07600	0x7fffddb07600
rsp            0x7fffffff1cb0	0x7fffffff1cb0
r8             0x7fffdde83380	140736916370304
r9             0x7fffdde83380	140736916370304
r10            0x7fffcfbce510	140736678651152
r11            0x7fffcfbce510	140736678651152
r12            0x7fffd090cde8	140736692538856
r13            0x4d3f91dc0a500	1358966806324480
r14            0x0	0
r15            0x36e	878
rip            0x7ffff32553b4	0x7ffff32553b4 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+86>
eflags         0x10202	[ IF RF ]
cs             0x33	51
ss             0x2b	43
ds             0x0	0
es             0x0	0
fs             0x0	0
gs             0x0	0
(gdb) x/10i $rip
=> 0x7ffff32553b4 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+86>:	mov    0x1bc(%rax),%eax
   0x7ffff32553ba <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+92>:	xor    %r12d,%r12d
   0x7ffff32553bd <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+95>:	test   %eax,%eax
   0x7ffff32553bf <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+97>:	
    je     0x7ffff32553dd <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+127>
   0x7ffff32553c1 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+99>:	
    cmp    0x21bc381(%rip),%eax        # 0x7ffff5411748 <_ZN23nsCCUncollectableMarker11sGenerationE>
   0x7ffff32553c7 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+105>:	
    jne    0x7ffff32553dd <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+127>
   0x7ffff32553c9 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+107>:	testb  $0x2,0x8(%rbx)
   0x7ffff32553cd <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+111>:	mov    $0x460002,%eax
   0x7ffff32553d2 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+116>:	
    je     0x7ffff32554d9 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+379>
   0x7ffff32553d8 <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+122>:	
    jmp    0x7ffff32553dd <nsFrameSelection::cycleCollection::TraverseImpl(nsFrameSelection::cycleCollection*, void*, nsCycleCollectionTraversalCallback&)+127>
(gdb) bt 20#
Invalid character '#' in expression.
(gdb) bt 20
#0  nsFrameSelection::cycleCollection::TraverseImpl (that=<optimised out>, p=0x7fffddb07600, cb=...) at /home/fred/codereader/src/layout/generic/nsSelection.cpp:5665
#1  0x00007ffff3c48a73 in Traverse (cb=..., p=<optimised out>, this=<optimised out>) at ../../dist/include/nsCycleCollectionParticipant.h:201
#2  GCGraphBuilder::Traverse (this=<optimised out>, aPtrInfo=0x7fffd090cde8) at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:1875
#3  0x00007ffff3c48cb7 in nsCycleCollector::MarkRoots (this=0x7fffe8db6000, builder=...) at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:2187
#4  0x00007ffff3c4983c in BeginCollection (aListener=0x0, aMergeCompartments=<optimised out>, this=0x7fffe8db6000) at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:2971
#5  nsCycleCollector::BeginCollection (this=0x7fffe8db6000, aMergeCompartments=<optimised out>, aListener=0x0) at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:2923
#6  0x00007ffff3c4a730 in nsCycleCollectorRunner::Collect (this=0x7fffe8d21650, aMergeCompartments=false, aResults=0x7fffffff9c54, aListener=0x0)
    at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:3308
#7  0x00007ffff3c4a919 in nsCycleCollector_collect (aMergeCompartments=false, aResults=0x7fffffff9c54, aListener=<optimised out>)
    at /home/fred/codereader/src/xpcom/base/nsCycleCollector.cpp:3403
#8  0x00007ffff352d086 in CycleCollectNow (aForced=true, aExtraForgetSkippableCalls=<optimised out>, aListener=0x0) at /home/fred/codereader/src/dom/base/nsJSEnvironment.cpp:2822
#9  nsJSContext::CycleCollectNow (aListener=0x0, aExtraForgetSkippableCalls=<optimised out>, aForced=true) at /home/fred/codereader/src/dom/base/nsJSEnvironment.cpp:2779
#10 0x00007ffff3522cda in nsDOMWindowUtils::GarbageCollect (this=<optimised out>, aListener=0x0, aExtraForgetSkippableCalls=0)
    at /home/fred/codereader/src/dom/base/nsDOMWindowUtils.cpp:1123
#11 0x00007ffff3c4f66a in NS_InvokeByIndex_P (that=<optimised out>, methodIndex=<optimised out>, paramCount=<optimised out>, params=<optimised out>)
    at /home/fred/codereader/src/xpcom/reflect/xptcall/src/md/unix/xptcinvoke_x86_64_unix.cpp:164
#12 0x00007ffff37e9e1d in Invoke (this=0x7fffffff9f10) at /home/fred/codereader/src/js/xpconnect/src/XPCWrappedNative.cpp:3084
#13 Call (this=0x7fffffff9f10) at /home/fred/codereader/src/js/xpconnect/src/XPCWrappedNative.cpp:2418
#14 XPCWrappedNative::CallMethod (ccx=..., mode=<optimised out>) at /home/fred/codereader/src/js/xpconnect/src/XPCWrappedNative.cpp:2384
#15 0x00007ffff37eedb3 in XPC_WN_CallMethod (cx=0x7fffd4587b20, argc=0, vp=0x7fffe0100290) at /home/fred/codereader/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:1488
#16 0x00007ffff41342e0 in CallJSNative (args=..., native=<optimised out>, cx=0x7fffd4587b20) at /home/fred/codereader/src/js/src/jscntxtinlines.h:353
#17 js::InvokeKernel (cx=0x7fffd4587b20, args=..., construct=js::NO_CONSTRUCT) at /home/fred/codereader/src/js/src/jsinterp.cpp:391
#18 0x00007ffff412d0dd in js::Interpret (cx=0x7fffd4587b20, entryFrame=0x7fffe0100228, interpMode=js::JSINTERP_NORMAL) at /home/fred/codereader/src/js/src/jsinterp.cpp:2385
#19 0x00007ffff4133f4b in js::RunScript (cx=0x7fffd4587b20, script=..., fp=0x7fffe0100228) at /home/fred/codereader/src/js/src/jsinterp.cpp:348
(More stack frames follow...)

Comment 1

[Nils]

ASAN output:

=================================================================
==2759== ERROR: AddressSanitizer heap-use-after-free on address 0x7f5f247a5488 at pc 0x7f5f1a619517 bp 0x7fffe6f56860 sp 0x7fffe6f56858
READ of size 8 at 0x7f5f247a5488 thread T0
    #0 0x7f5f1a619516 in _ZNK12nsIPresShell11GetDocumentEv /builds/slave/try-lnx64/build/../../dist/include/nsIPresShell.h:273
0x7f5f247a5488 is located 8 bytes inside of 448-byte region [0x7f5f247a5480,0x7f5f247a5640)
freed by thread T0 here:
    #0 0x4359e0 in free ??:0
    #1 0x7f5f1a40da62 in _ZN9PresShell7ReleaseEv /builds/slave/try-lnx64/build/layout/base/nsPresShell.cpp:751
previously allocated by thread T0 here:
    #0 0x435aa0 in __interceptor_malloc ??:0
    #1 0x7f5f21a76288 in moz_xmalloc /builds/slave/try-lnx64/build/memory/mozalloc/mozalloc.cpp:54
    #2 0x7f5f1a399580 in _ZN16nsDocumentViewer21InitPresentationStuffEb /builds/slave/try-lnx64/build/layout/base/nsDocumentViewer.cpp:702
    #3 0x7f5f1a398df4 in _ZN16nsDocumentViewer12InitInternalEP9nsIWidgetP11nsISupportsRK9nsIntRectbbb /builds/slave/try-lnx64/build/layout/base/nsDocumentViewer.cpp:949
    #4 0x7f5f1a397d30 in _ZN16nsDocumentViewer4InitEP9nsIWidgetRK9nsIntRect /builds/slave/try-lnx64/build/layout/base/nsDocumentViewer.cpp:683
    #5 0x7f5f1c38567a in _ZN10nsDocShell5EmbedEP16nsIContentViewerPKcP11nsISupports /builds/slave/try-lnx64/build/docshell/base/nsDocShell.cpp:6181
    #6 0x7f5f1c3981c8 in _ZN10nsDocShell19CreateContentViewerEPKcP10nsIRequestPP17nsIStreamListener /builds/slave/try-lnx64/build/docshell/base/nsDocShell.cpp:7911
    #7 0x7f5f1c3cb8e4 in _ZN22nsDSURIContentListener9DoContentEPKcbP10nsIRequestPP17nsIStreamListenerPb /builds/slave/try-lnx64/build/docshell/base/nsDSURIContentListener.cpp:122
    #8 0x7f5f1c3de1dc in _ZN18nsDocumentOpenInfo18TryContentListenerEP21nsIURIContentListenerP10nsIChannel /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:658
    #9 0x7f5f1c3dbedf in _ZN18nsDocumentOpenInfo15DispatchContentEP10nsIRequestP11nsISupports /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:360
    #10 0x7f5f1c3db5eb in _ZN18nsDocumentOpenInfo14OnStartRequestEP10nsIRequestP11nsISupports /builds/slave/try-lnx64/build/uriloader/base/nsURILoader.cpp:252
    #11 0x7f5f19ba4728 in _ZN13nsBaseChannel14OnStartRequestEP10nsIRequestP11nsISupports /builds/slave/try-lnx64/build/netwerk/base/src/nsBaseChannel.cpp:720
Shadow byte and word:
  0x1febe48f4a91: fd
  0x1febe48f4a90: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1febe48f4a70: fa fa fa fa fa fa fa fa
  0x1febe48f4a78: fa fa fa fa fa fa fa fa
  0x1febe48f4a80: fa fa fa fa fa fa fa fa
  0x1febe48f4a88: fa fa fa fa fa fa fa fa
=>0x1febe48f4a90: fd fd fd fd fd fd fd fd
  0x1febe48f4a98: fd fd fd fd fd fd fd fd
  0x1febe48f4aa0: fd fd fd fd fd fd fd fd
  0x1febe48f4aa8: fd fd fd fd fd fd fd fd
  0x1febe48f4ab0: fd fd fd fd fd fd fd fd
Stats: 1822M malloced (1992M for red zones) by 2029322 calls
Stats: 76M realloced by 154978 calls
Stats: 1791M freed by 1872347 calls
Stats: 1665M really freed by 1742770 calls
Stats: 620M (158834 full pages) mmaped in 155 calls
  mmaps   by size class: 8:344043; 9:57337; 10:20475; 11:16376; 12:4096; 13:3072; 14:1280; 15:384; 16:1536; 17:1280; 18:80; 19:72; 20:68; 21:2;
  mallocs by size class: 8:1600412; 9:177735; 10:97318; 11:82362; 12:20724; 13:21726; 14:6441; 15:2653; 16:14955; 17:2616; 18:798; 19:793; 20:788; 21:1;
  frees   by size class: 8:1469032; 9:162628; 10:92462; 11:78896; 12:19385; 13:21336; 14:6222; 15:2553; 16:14862; 17:2605; 18:789; 19:790; 20:787;
  rfrees  by size class: 8:1368322; 9:151364; 10:85449; 11:73105; 12:17989; 13:19832; 14:5852; 15:2372; 16:13775; 17:2526; 18:729; 19:730; 20:725;
Stats: malloc large: 4997 small slow: 16943
==2759== ABORTING

Comment 2

[Daniel Veditz [:dveditz]]

Calling this sec-critical based on the stack in comment 1. Recent regression?

Comment 3

[Mats Palmgren (inactive)]

It's very likely a dupe of bug 830192.  backfaceVisibility='hidden' counts as
having a transform:
http://mxr.mozilla.org/mozilla-central/source/layout/style/nsStyleStruct.h#1698

Comment 4

[Jesse Ruderman]

Doesn't crash for me with a non-ASan mozilla-central build, and the testcase updated to work with https://www.squarefree.com/extensions/domFuzzLite3.xpi.

Nils, can you confirm that this is fixed for you, now that bug 830192 is fixed?

Comment 5

[Nils]

Yes, tried the latest ASAN mozilla-central build and it does not crash anymore.

Comment 7

[Mats Palmgren (inactive)]

Testcase requires extension and this was a dupe anyway, so in-testsuite-.