Closed Bug 845093 Opened 11 years ago Closed 11 years ago

Remaining dir=auto use after frees: the sequel

Categories

(Core :: Layout: Text and Fonts, defect)

x86_64
All
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla22
Tracking Status
firefox19 --- unaffected
firefox20 + disabled
firefox21 + fixed
firefox22 + verified
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: dveditz, Assigned: smontagu)

References

Details

(5 keywords, Whiteboard: [asan][adv-main21+])

Attachments

(8 files)

+++ This bug was initially created as a clone of Bug #838489 +++

After bug 838489 was patched, Abhishek reported two more variants in bug 838489 comment 9 and bug 838489 comment 10. Filing a new bug for clarity so they don't get lost.
Flags: sec-bounty?
Summary: Remaining dir=auto use after frees → Remaining dir=auto use after frees: the sequel
needinfo? Matt to create testcase attachments from the comments in the other bug. Thanks Matt!
Flags: needinfo?(mwobensmith)
Call stack from ASan build of 2013-02-25:

ERROR: AddressSanitizer: heap-use-after-free on address 0x00017fd8f76c at pc 0x1041f249d bp 0x7fff5fbeb5a0 sp 0x7fff5fbeb598
READ of size 4 at 0x00017fd8f76c thread T0
    #0 0x1041f249c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const (in XUL) + 60
    #1 0x1048d26fd in nsINode::HasTextNodeDirectionalityMap() const (in XUL) + 13
    #2 0x1048d2661 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) (in XUL) + 17
    #3 0x1048d12a4 in mozilla::WalkAncestorsResetAutoDirection(mozilla::dom::Element*, bool) (in XUL) + 100
    #4 0x1048d2107 in mozilla::SetDirOnBind(mozilla::dom::Element*, nsIContent*) (in XUL) + 199
    #5 0x104a23608 in mozilla::dom::Element::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) (in XUL) + 2328
    #6 0x104c88167 in nsGenericHTMLElement::BindToTree(nsIDocument*, nsIContent*, nsIContent*, bool) (in XUL) + 119
    #7 0x104a4fc0e in nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&) (in XUL) + 718
    #8 0x104a51c16 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (in XUL) + 5030
    #9 0x1054367d1 in InsertElementTxn::DoTransaction() (in XUL) + 721
    #10 0x105df7508 in nsTransactionManager::BeginTransaction(nsITransaction*, nsISupports*) (in XUL) + 312
    #11 0x105df42f4 in nsTransactionManager::DoTransaction(nsITransaction*) (in XUL) + 372
    #12 0x1053ecdfa in nsEditor::DoTransaction(nsITransaction*) (in XUL) + 1162
    #13 0x1053f208a in nsEditor::InsertNode(nsIDOMNode*, nsIDOMNode*, int) (in XUL) + 682
    #14 0x105516215 in nsHTMLEditor::InsertNodeAtPoint(nsIDOMNode*, nsCOMPtr<nsIDOMNode>*, int*, bool) (in XUL) + 1125
    #15 0x1054f0f88 in nsHTMLEditor::DoInsertHTMLWithContext(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsIDOMDocument*, nsIDOMNode*, int, bool, bool) (in XUL) + 10440
    #16 0x1054ee6ad in nsHTMLEditor::InsertHTMLWithContext(nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsAString_internal const&, nsIDOMDocument*, nsIDOMNode*, int, bool) (in XUL) + 45
    #17 0x1054ee635 in nsHTMLEditor::InsertHTML(nsAString_internal const&) (in XUL) + 117
    #18 0x105f882aa in nsInsertHTMLCommand::DoCommandParams(char const*, nsICommandParams*, nsISupports*) (in XUL) + 362
    #19 0x105d9490f in nsControllerCommandTable::DoCommandParams(char const*, nsICommandParams*, nsISupports*) (in XUL) + 351
    #20 0x105d8ad85 in nsBaseCommandController::DoCommandWithParams(char const*, nsICommandParams*) (in XUL) + 357
    #21 0x105d90202 in nsCommandManager::DoCommand(char const*, nsICommandParams*, nsIDOMWindow*) (in XUL) + 450
    #22 0x104e987c4 in nsHTMLDocument::ExecCommand(nsAString_internal const&, bool, nsAString_internal const&, mozilla::ErrorResult&) (in XUL) + 2164
    #23 0x106985479 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, unsigned int, JS::Value*) (in XUL) + 697
    #24 0x106982e93 in mozilla::dom::HTMLDocumentBinding::genericMethod(JSContext*, unsigned int, JS::Value*) (in XUL) + 915
    #25 0x10810597b in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 955
    #26 0x1080f4c3e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (in XUL) + 84718
    #27 0x1085c976c in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (in XUL) + 860
    #28 0x1085c9cdb in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (in XUL) + 299
    #29 0x1085c9aee in js::mjit::JaegerShot(JSContext*, bool) (in XUL) + 414
    #30 0x1080dfed7 in js::RunScript(JSContext*, js::StackFrame*) (in XUL) + 935
    #31 0x108764762 in UncachedInlineCall(js::VMFrame&, js::InitialFrameFlags, void**, bool*, unsigned int) (in XUL) + 4338
    #32 0x108765948 in js::mjit::stubs::UncachedCallHelper(js::VMFrame&, unsigned int, bool, js::mjit::stubs::UncachedCallResult&) (in XUL) + 744
    #33 0x10871bfe6 in js::mjit::CallCompiler::update() (in XUL) + 726
    #34 0x108718bce in js::mjit::ic::Call(js::VMFrame&, js::mjit::ic::CallICInfo*) (in XUL) + 126
    #35 0x1085c8e1e in throwpoline_exit (in XUL) + 25
    #36 0x1085c96ce in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (in XUL) + 702
    #37 0x1085c9cdb in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (in XUL) + 299
    #38 0x1085c9aee in js::mjit::JaegerShot(JSContext*, bool) (in XUL) + 414
    #39 0x1080dfed7 in js::RunScript(JSContext*, js::StackFrame*) (in XUL) + 935
    #40 0x108108998 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) (in XUL) + 824
    #41 0x108108f0a in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) (in XUL) + 826
    #42 0x107f26bba in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::CompileOptions, unsigned short const*, unsigned long, JS::Value*) (in XUL) + 1514
    #43 0x1050377b4 in nsJSContext::EvaluateString(nsAString_internal const&, JSObject&, JS::CompileOptions&, bool, JS::Value*) (in XUL) + 1924
    #44 0x1050a318e in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) (in XUL) + 1710
    #45 0x105091051 in nsGlobalWindow::RunTimeout(nsTimeout*) (in XUL) + 1857
    #46 0x1050a2878 in nsGlobalWindow::TimerCallback(nsITimer*, void*) (in XUL) + 152
    #47 0x106e1d655 in nsTimerImpl::Fire() (in XUL) + 2277
    #48 0x106e1dde6 in nsTimerEvent::Run() (in XUL) + 486
    #49 0x106e109db in nsThread::ProcessNextEvent(bool, bool*) (in XUL) + 2139
    #50 0x106d51a3e in NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (in XUL) + 254
    #51 0x1062dc1c3 in nsBaseAppShell::NativeEventCallback() (in XUL) + 451
    #52 0x10625901a in nsAppShell::ProcessGeckoEvents(void*) (in XUL) + 490
    #53 0x7fff85bfc100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #54 0x7fff85bfba24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #55 0x7fff85c1edc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #56 0x7fff85c1e6b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #57 0x7fff8295a0a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #58 0x7fff82959e41 in ReceiveNextEventCommon (in HIToolbox) + 355
    #59 0x7fff82959cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #60 0x7fff88131612 in _DPSNextEvent (in AppKit) + 684
    #61 0x7fff88130ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #62 0x106257865 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in XUL) + 245
    #63 0x7fff88128282 in -[NSApplication run] (in AppKit) + 516
    #64 0x106259bf9 in nsAppShell::Run() (in XUL) + 185
    #65 0x105e0c587 in nsAppStartup::Run() (in XUL) + 311
    #66 0x103be309f in XREMain::XRE_mainRun() (in XUL) + 4287
    #67 0x103be4057 in XREMain::XRE_main(int, char**, nsXREAppData const*) (in XUL) + 599
    #68 0x103be4512 in XRE_main (in XUL) + 146
    #69 0x1000028a8 in 0x2000028a8
    #70 0x100001abd in 0x200001abd
    #71 0x100001043 in 0x200001043
    #72 0x0 in 0x0000000100000000 (in firefox-bin)
0x00017fd8f76c is located 44 bytes inside of 128-byte region [0x00017fd8f740,0x00017fd8f7c0)
freed by thread T0 here:
    #0 0x10000ef88 in 0x20000ef88
    #1 0x10000e602 in 0x20000e602
    #2 0x104a7e32a in nsNodeUtils::LastRelease(nsINode*) (in XUL) + 1162
    #3 0x104a3cb46 in nsGenericDOMDataNode::Release() (in XUL) + 790
    #4 0x104ac740e in nsTextNode::Release() (in XUL) + 14
    #5 0x1054393e4 in JoinElementTxn::~JoinElementTxn() (in XUL) + 100
    #6 0x1054392cd in JoinElementTxn::~JoinElementTxn() (in XUL) + 13
    #7 0x105427133 in EditTxn::Release() (in XUL) + 851
    #8 0x10542a2c7 in nsTArray_Impl<nsRefPtr<EditTxn>, nsTArrayInfallibleAllocator>::DestructRange(unsigned int, unsigned int) (in XUL) + 55
    #9 0x10542a15a in nsTArray_Impl<nsRefPtr<EditTxn>, nsTArrayInfallibleAllocator>::RemoveElementsAt(unsigned int, unsigned int) (in XUL) + 90
    #10 0x10542a0cd in nsTArray_Impl<nsRefPtr<EditTxn>, nsTArrayInfallibleAllocator>::~nsTArray_Impl() (in XUL) + 13
    #11 0x10542a054 in EditAggregateTxn::~EditAggregateTxn() (in XUL) + 100
    #12 0x10542979d in PlaceholderTxn::~PlaceholderTxn() (in XUL) + 13
    #13 0x105427133 in EditTxn::Release() (in XUL) + 851
    #14 0x105432dbe in EditAggregateTxn::Release() (in XUL) + 14
previously allocated by thread T0 here:
    #0 0x10000ed7c in 0x20000ed7c
    #1 0x7fff8bc26152 in malloc_zone_malloc (in libsystem_c.dylib) + 70
    #2 0x7fff8bc26ba6 in malloc (in libsystem_c.dylib) + 40
    #3 0x1025d1577 in moz_xmalloc (in libmozalloc.dylib) + 39
    #4 0x104ac74f5 in nsTextNode::CloneDataNode(nsINodeInfo*, bool) const (in XUL) + 133
    #5 0x1048cee73 in nsGenericDOMDataNode::Clone(nsINodeInfo*, nsINode**) const (in XUL) + 67
    #6 0x104a7f6ce in nsNodeUtils::CloneAndAdopt(nsINode*, bool, bool, nsNodeInfoManager*, JSContext*, JSObject*, nsCOMArray<nsINode>&, nsINode*, nsINode**) (in XUL) + 1582
Flags: needinfo?(mwobensmith)
ASan call stack from same build as other test case:

==11136== ERROR: AddressSanitizer: heap-use-after-free on address 0x00013aa0576c at pc 0x1041f249d bp 0x7fff5fbee760 sp 0x7fff5fbee758
READ of size 4 at 0x00013aa0576c thread T0
    #0 0x1041f249c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const (in XUL) + 60
    #1 0x1048d26fd in nsINode::HasTextNodeDirectionalityMap() const (in XUL) + 13
    #2 0x1048d2661 in mozilla::nsTextNodeDirectionalityMap::RemoveElementFromMap(nsINode*, mozilla::dom::Element*) (in XUL) + 17
    #3 0x1048d2160 in mozilla::ResetDir(mozilla::dom::Element*) (in XUL) + 48
    #4 0x104a246d9 in mozilla::dom::Element::UnbindFromTree(bool, bool) (in XUL) + 1001
    #5 0x104c884bf in nsGenericHTMLElement::UnbindFromTree(bool, bool) (in XUL) + 335
    #6 0x104a507de in nsINode::doRemoveChildAt(unsigned int, bool, nsIContent*, nsAttrAndChildArray&) (in XUL) + 558
    #7 0x104b14798 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) (in XUL) + 296
    #8 0x104a50d23 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) (in XUL) + 1203
    #9 0x106a90160 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) (in XUL) + 704
    #10 0x106a886d6 in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) (in XUL) + 918
    #11 0x10810597b in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 955
    #12 0x1080f4c3e in js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (in XUL) + 84718
    #13 0x1085c976c in js::mjit::EnterMethodJIT(JSContext*, js::StackFrame*, void*, JS::Value*, bool) (in XUL) + 860
    #14 0x1085c9cdb in CheckStackAndEnterMethodJIT(JSContext*, js::StackFrame*, void*, bool) (in XUL) + 299
    #15 0x1085c9aee in js::mjit::JaegerShot(JSContext*, bool) (in XUL) + 414
    #16 0x1080dfed7 in js::RunScript(JSContext*, js::StackFrame*) (in XUL) + 935
    #17 0x108105af1 in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 1329
    #18 0x1082deaf1 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (in XUL) + 65
    #19 0x108106b91 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 1089
    #20 0x107f29596 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) (in XUL) + 678
    #21 0x105b1af1e in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (in XUL) + 8366
    #22 0x105b09982 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) (in XUL) + 306
    #23 0x106e540b9 in PrepareAndDispatch (in XUL) + 1945
    #24 0x106e529aa in SharedStub (in XUL) + 90
    #25 0x104bf3dd7 in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, nsIDOMEventListener*, nsIDOMEvent*, nsIDOMEventTarget*, nsCxPusher*) (in XUL) + 359
    #26 0x104bf4263 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, nsIDOMEventTarget*, nsEventStatus*, nsCxPusher*) (in XUL) + 1043
    #27 0x104c4365b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) (in XUL) + 523
    #28 0x104c4089e in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) (in XUL) + 942
    #29 0x104c41f7a in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<nsIDOMEventTarget>*) (in XUL) + 3930
    #30 0x104c4279d in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) (in XUL) + 573
    #31 0x104a4f340 in nsINode::DispatchEvent(nsIDOMEvent*, bool*) (in XUL) + 352
    #32 0x10493d720 in nsContentUtils::DispatchEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool, bool*) (in XUL) + 512
    #33 0x10493d50d in nsContentUtils::DispatchTrustedEvent(nsIDocument*, nsISupports*, nsAString_internal const&, bool, bool, bool*) (in XUL) + 29
    #34 0x1049b28a4 in nsDocument::DispatchContentLoadedEvents() (in XUL) + 372
    #35 0x1049e92e9 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() (in XUL) + 137
    #36 0x106e109db in nsThread::ProcessNextEvent(bool, bool*) (in XUL) + 2139
    #37 0x106d51a3e in NS_ProcessPendingEvents_P(nsIThread*, unsigned int) (in XUL) + 254
    #38 0x1062dc1c3 in nsBaseAppShell::NativeEventCallback() (in XUL) + 451
    #39 0x10625901a in nsAppShell::ProcessGeckoEvents(void*) (in XUL) + 490
    #40 0x7fff85bfc100 in __CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ (in CoreFoundation) + 16
    #41 0x7fff85bfba24 in __CFRunLoopDoSources0 (in CoreFoundation) + 244
    #42 0x7fff85c1edc4 in __CFRunLoopRun (in CoreFoundation) + 788
    #43 0x7fff85c1e6b1 in CFRunLoopRunSpecific (in CoreFoundation) + 289
    #44 0x7fff8295a0a3 in RunCurrentEventLoopInMode (in HIToolbox) + 208
    #45 0x7fff82959d83 in ReceiveNextEventCommon (in HIToolbox) + 165
    #46 0x7fff82959cd2 in BlockUntilNextEventMatchingListInMode (in HIToolbox) + 61
    #47 0x7fff88131612 in _DPSNextEvent (in AppKit) + 684
    #48 0x7fff88130ed1 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in AppKit) + 127
    #49 0x106257865 in -[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] (in XUL) + 245
    #50 0x7fff88128282 in -[NSApplication run] (in AppKit) + 516
    #51 0x106259bf9 in nsAppShell::Run() (in XUL) + 185
    #52 0x105e0c587 in nsAppStartup::Run() (in XUL) + 311
    #53 0x103be309f in XREMain::XRE_mainRun() (in XUL) + 4287
    #54 0x103be4057 in XREMain::XRE_main(int, char**, nsXREAppData const*) (in XUL) + 599
    #55 0x103be4512 in XRE_main (in XUL) + 146
    #56 0x1000028a8 in 0x2000028a8
    #57 0x100001abd in 0x200001abd
    #58 0x100001043 in 0x200001043
    #59 0x0 in 0x0000000100000000 (in firefox-bin)
0x00013aa0576c is located 44 bytes inside of 128-byte region [0x00013aa05740,0x00013aa057c0)
freed by thread T0 here:
    #0 0x10000ef88 in 0x20000ef88
    #1 0x10000e602 in 0x20000e602
    #2 0x104a7e32a in nsNodeUtils::LastRelease(nsINode*) (in XUL) + 1162
    #3 0x104a3cb46 in nsGenericDOMDataNode::Release() (in XUL) + 790
    #4 0x104ac740e in nsTextNode::Release() (in XUL) + 14
    #5 0x104b147a0 in mozilla::dom::FragmentOrElement::RemoveChildAt(unsigned int, bool) (in XUL) + 304
    #6 0x104941e55 in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) (in XUL) + 837
    #7 0x104b1482f in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsAString_internal const&, mozilla::ErrorResult&) (in XUL) + 15
    #8 0x106a83aa3 in mozilla::dom::NodeBinding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JS::Value*) (in XUL) + 275
    #9 0x106a81f46 in mozilla::dom::NodeBinding::genericSetter(JSContext*, unsigned int, JS::Value*) (in XUL) + 934
    #10 0x10810597b in js::InvokeKernel(JSContext*, JS::CallArgs, js::MaybeConstruct) (in XUL) + 955
    #11 0x1082deaf1 in js::Invoke(JSContext*, js::InvokeArgsGuard&, js::MaybeConstruct) (in XUL) + 65
    #12 0x108106b91 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 1089
    #13 0x1081085fe in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) (in XUL) + 254
    #14 0x10819f8e2 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) (in XUL) + 850
previously allocated by thread T0 here:
    #0 0x10000ed7c in 0x20000ed7c
    #1 0x7fff8bc26152 in malloc_zone_malloc (in libsystem_c.dylib) + 70
    #2 0x7fff8bc26ba6 in malloc (in libsystem_c.dylib) + 40
    #3 0x1025d1577 in moz_xmalloc (in libmozalloc.dylib) + 39
    #4 0x104ac71e1 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) (in XUL) + 305
    #5 0x1054a8519 in nsHtml5TreeOperation::AppendText(unsigned short const*, unsigned int, nsIContent*, nsHtml5TreeOpExecutor*) (in XUL) + 393
    #6 0x1054ac965 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**) (in XUL) + 16277
==11136== ABORTING
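An added triage helper, not part of this bug or of Mozilla's code, that parses ASan heap-use-after-free reports like the two above into their use, free and allocation stacks and names the first symbolized frame and the DOM binding entry point of each. The embedded sample is an abridged copy of the second report above; the `Binding::` check assumes Gecko's generated-binding naming convention.

```python
# Triage helper for AddressSanitizer heap-use-after-free reports: splits the
# three stacks ASan prints (bad access, free, original allocation) and names
# the frame of interest in each, so a reviewer can see which DOM operation
# freed the node and which one touched it afterwards.
import re

HEADER_RE = re.compile(r"AddressSanitizer: (?P<kind>[\w-]+) on address 0x[0-9a-f]+")
ACCESS_RE = re.compile(r"^(?P<op>READ|WRITE) of size (?P<size>\d+) at ")
REGION_RE = re.compile(r"is located (\d+) bytes inside of (\d+)-byte region")
# Symbolized frame: "#3 0x1025d1577 in moz_xmalloc (in libmozalloc.dylib) + 39".
# Unsymbolized frames ("#0 0x10000ef88 in 0x20000ef88") have no module/offset.
FRAME_RE = re.compile(
    r"^\s*#\d+ 0x[0-9a-f]+ in (?P<func>.+?)(?: \(in (?P<module>[^)]+)\))?(?: \+ \d+)?$")
ALLOCATOR_MODULES = {"libsystem_c.dylib", "libmozalloc.dylib"}

# Constructed sample: an abridged copy of the second report in this bug.
ASAN_SAMPLE = """\
==11136== ERROR: AddressSanitizer: heap-use-after-free on address 0x00013aa0576c at pc 0x1041f249d bp 0x7fff5fbee760 sp 0x7fff5fbee758
READ of size 4 at 0x00013aa0576c thread T0
    #0 0x1041f249c in nsINode::GetBoolFlag(nsINode::BooleanFlag) const (in XUL) + 60
    #3 0x1048d2160 in mozilla::ResetDir(mozilla::dom::Element*) (in XUL) + 48
    #9 0x106a90160 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, unsigned int, JS::Value*) (in XUL) + 704
0x00013aa0576c is located 44 bytes inside of 128-byte region [0x00013aa05740,0x00013aa057c0)
freed by thread T0 here:
    #0 0x10000ef88 in 0x20000ef88
    #2 0x104a7e32a in nsNodeUtils::LastRelease(nsINode*) (in XUL) + 1162
    #6 0x104941e55 in nsContentUtils::SetNodeTextContent(nsIContent*, nsAString_internal const&, bool) (in XUL) + 837
    #8 0x106a83aa3 in mozilla::dom::NodeBinding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JS::Value*) (in XUL) + 275
previously allocated by thread T0 here:
    #0 0x10000ed7c in 0x20000ed7c
    #1 0x7fff8bc26152 in malloc_zone_malloc (in libsystem_c.dylib) + 70
    #3 0x1025d1577 in moz_xmalloc (in libmozalloc.dylib) + 39
    #4 0x104ac71e1 in NS_NewTextNode(nsIContent**, nsNodeInfoManager*) (in XUL) + 305
"""


def parse_asan_report(text):
    """Return kind/op/size/offset/region_size plus three frame lists ("use",
    "free", "alloc"); each frame is a (function, module) tuple, innermost first."""
    rep = {"kind": None, "op": None, "size": None, "offset": None,
           "region_size": None, "use": [], "free": [], "alloc": []}
    target = rep["use"]  # frames belong to the most recently opened section
    for line in text.splitlines():
        if m := HEADER_RE.search(line):
            rep["kind"], target = m["kind"], rep["use"]
        elif m := ACCESS_RE.match(line):
            rep["op"], rep["size"] = m["op"], int(m["size"])
        elif m := REGION_RE.search(line):
            rep["offset"], rep["region_size"] = int(m[1]), int(m[2])
        elif line.startswith("freed by thread"):
            target = rep["free"]
        elif line.startswith("previously allocated by thread"):
            target = rep["alloc"]
        elif m := FRAME_RE.match(line):
            target.append((m["func"], m["module"]))
    return rep


def first_symbolized(frames):
    """Innermost frame with a real symbol that is not an allocator wrapper."""
    for func, module in frames:
        if not func.startswith("0x") and module not in ALLOCATOR_MODULES:
            return func
    return None


def web_api_entry(frames):
    """Innermost generated-binding frame ('...Binding::method('): the JS-visible
    DOM API that led to this stack. Gecko's binding naming is assumed."""
    for func, _ in frames:
        if "Binding::" in func and "::generic" not in func:
            return func.split("(")[0]
    return None


def summarize(text):
    rep = parse_asan_report(text)
    return {"kind": rep["kind"],
            "access": f'{rep["op"]} of {rep["size"]} bytes at offset '
                      f'{rep["offset"]} of a {rep["region_size"]}-byte object',
            "used_in": first_symbolized(rep["use"]),
            "used_via": web_api_entry(rep["use"]),
            "freed_in": first_symbolized(rep["free"]),
            "freed_via": web_api_entry(rep["free"]),
            "allocated_in": first_symbolized(rep["alloc"])}
```

Running `summarize(ASAN_SAMPLE)` shows the freed node was released from a `textContent` setter and touched again from `appendChild`, which is the whole story of the second testcase in three lines.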
Attached patch Patch #1
This fixes a problem in the patch for bug 828054: because we call ResetTextNodeDirection before the contents of the text node actually change, WalkDescendantsSetDirectionFromText can return the same text node after that patch. This makes us pass in the old text node as before and skip over it in the walk.
Attachment #722314 - Flags: review?(ehsan)
Attached patch Patch #2
More complications with <bdi>! I'll just copy the comment from the patch:

+    // N.B: For elements other than <bdi> it would be enough to test that the
+    //      current value of dir was "auto" in BeforeSetAttr to know that we
+    //      were unsetting dir="auto". For <bdi> things are more complicated,
+    //      since it behaves like dir="auto" whenever the dir attribute is
+    //      empty or invalid, so we would have to check whether the old value
+    //      was not either "ltr" or "rtl", and the new value was either "ltr"
+    //      or "rtl". Element::HasDirAuto() encapsulates all that, so doing it
+    //      here [i.e. in OnSetDirAttr] is simpler.
Attachment #722319 - Flags: review?(ehsan)
Attachment #722314 - Flags: review?(ehsan) → review+
Comment on attachment 722319 [details] [diff] [review]
Patch #2

Review of attachment 722319 [details] [diff] [review]:
-----------------------------------------------------------------

Nice!
Attachment #722319 - Flags: review?(ehsan) → review+
https://hg.mozilla.org/mozilla-central/rev/9f15cf555746
https://hg.mozilla.org/mozilla-central/rev/ac291d349daa
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Attached file Testcase #3
Looks like this one would need another sequel; enclosing testcases.
Attached file Testcase #4
New security bugs are filed for new testcases #3 and #4, which are still reproducing even after the fix. I have cc'ed Simon.
Thanks for filing bug 849727 and bug 849732 :)
Comment on attachment 722314 [details] [diff] [review]
Patch #1

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 828054 (follow-up to bug 548206)
User impact if declined: use-after-free vulnerability
Testing completed (on m-c, etc.): baked on m-c since 2013-03-07
Risk to taking this patch (and alternatives if risky): some risk of regressions in pages with dir=auto
String or UUID changes made by this patch: none
Attachment #722314 - Flags: approval-mozilla-beta?
Attachment #722314 - Flags: approval-mozilla-aurora?
Comment on attachment 722319 [details] [diff] [review]
Patch #2

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 548206 or one of its followups
User impact if declined: use-after-free vulnerability
Testing completed (on m-c, etc.): baked on m-c since 2013-03-07
Risk to taking this patch (and alternatives if risky): some risk of regressions on pages with dir=auto
String or UUID changes made by this patch: none

I'm nominating these two patches even though more follow-ups have been filed. I currently have fixes for bug 849727 and bug 849732 going through tryserver, and they seem to be unrelated issues, not regressions caused by these patches.
Attachment #722319 - Flags: approval-mozilla-beta?
Attachment #722319 - Flags: approval-mozilla-aurora?
Flags: sec-bounty? → sec-bounty+
(In reply to Simon Montagu from comment #16)
> Comment on attachment 722314 [details] [diff] [review]
> Patch #1
> 
> [Approval Request Comment]
> Bug caused by (feature/regressing bug #): Bug 828054 (follow-up to bug
> 548206)
> User impact if declined: use-after-free vulnerability
> Testing completed (on m-c, etc.): baked on m-c since 2013-03-07
> Risk to taking this patch (and alternatives if risky): some risk of
> regressions in pages with dir=auto

Is bug 828054 critical for FF20's release of the new dirauto functionality, especially given the feature's penetration? We should be weighing the risk of regression against the user impact of that bug. I know the case can be made for getting our first release of the feature perfect, but we need to be pragmatic.
Comment on attachment 722314 [details] [diff] [review]
Patch #1

Removing beta nominations because of bug 850069
Attachment #722314 - Flags: approval-mozilla-beta?
Attachment #722319 - Flags: approval-mozilla-beta?
Reproduced crash in comment 3 above.
Using yesterday's m-c ASan build - 2013-03-11 - no crash.
Marking verified for this release.
Comment on attachment 722314 [details] [diff] [review]
Patch #1

Approving the fwd fix for this sec-crit regression for aurora to get more testing, as Fx21 may be the first release with the new dirauto functionality (check bug 850069 for status on Fx20).
Attachment #722314 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Attachment #722319 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
We'll track the backout/disabling of this in bug 850069 for FF20.
Whiteboard: [asan] → [asan][adv-main21+]
Group: core-security