Closed Bug 883313 (CVE-2013-1704) Opened 11 years ago Closed 11 years ago

ASAN heap-use-after-free in nsINode::GetParentNode

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
Linux
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla25
Tracking Status
firefox22 --- wontfix
firefox23 + fixed
firefox24 + fixed
firefox25 + fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: nils, Assigned: peterv)

Details

(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [asan][adv-main23+])

Attachments

(2 files)

The attached testcase crashes the ASAN build of Firefox nightly.

ASan output:
==58460== ERROR: AddressSanitizer: heap-use-after-free on address 0x7f9328660368 at pc 0x7f934b907d3b bp 0x7fff6226ffe0 sp 0x7fff6226ffd8
READ of size 8 at 0x7f9328660368 thread T0
    #0 0x7f934b907d3a in nsINode::GetParentNode() const /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../dist/include/nsINode.h:760:0
    #1 0x7f934c802df6 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:1663:0
    #2 0x7f934cbd1707 in nsHTMLDocument::SetBody(nsGenericHTMLElement*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/document/src/nsHTMLDocument.cpp:1132:0
    #3 0x7f934e4ff309 in mozilla::dom::HTMLDocumentBinding::set_body(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitSetterCallArgs) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:201:0
    #4 0x7f934e4fbeb5 in mozilla::dom::HTMLDocumentBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1468:0
    #5 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #6 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #7 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #8 0x7f934fdf729c in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:505:0
    #9 0x7f93500fd3aa in js::CallSetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, int, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:452:0
    #10 0x7f93501409f6 in js::BaseProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:240:0
    #11 0x7f935015b600 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2544:0
    #12 0x7f935015f29e in proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2856:0
    #13 0x7f93500e8a68 in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobj.cpp:1657:0
    #14 0x7f934fdae1b1 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobjinlines.h:83:0
    #15 0x7f9350145a72 in js::DirectProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:611:0
    #16 0x7f9350282514 in js::CrossCompartmentWrapper::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jswrapper.cpp:323:0
    #17 0x7f935015b600 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2544:0
    #18 0x7f935015f29e in proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2856:0
    #19 0x7f93500e8a68 in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobj.cpp:1657:0
    #20 0x7f934fdae1b1 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobjinlines.h:83:0
    #21 0x7f934fe026e5 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter-inl.h:365:0
    #22 0x7f934fdead7a in
    #23 0x7f934fde3adc in js::RunScript(JSContext*, js::StackFrame*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:345:0
    #24 0x7f934fdf5423 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:401:0
    #25 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #26 0x7f93501436f1 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:479:0
    #27 0x7f93502836bb in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jswrapper.cpp:447:0
    #28 0x7f935015c1de in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2616:0
    #29 0x7f9350160d00 in proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:3180:0
    #30 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #31 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #32 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #33 0x7f934ff79461 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:5885:0
    #34 0x7f934d7b730c in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1437:0
    #35 0x7f934d7aa1b8 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedJS.cpp:589:0
    #36 0x7f934eb723e9 in PrepareAndDispatch /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122:0
    #37 0x7f934eb71276 in
    #38 0x7f934c9a204c in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:937:0
    #39 0x7f934c9a27b1 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:1008:0
    #40 0x7f934c999e2b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:201:0
    #41 0x7f934c999795 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:350:0
    #42 0x7f934c99b212 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:632:0
    #43 0x7f934c99ba6b in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:695:0
    #44 0x7f934c80143e in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:1148:0
    #45 0x7f934c94e1a0 in nsAsyncDOMEvent::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsAsyncDOMEvent.cpp:48:0
    #46 0x7f934c708c3b in nsContentUtils::RemoveScriptBlocker() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsContentUtils.cpp:4803:0
    #47 0x7f934c77480b in nsDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:4392:0
    #48 0x7f934cbd9bff in nsHTMLDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/document/src/nsHTMLDocument.cpp:2545:0
    #49 0x7f934c47d1c1 in mozAutoDocConditionalContentUpdateBatch::~mozAutoDocConditionalContentUpdateBatch() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/style/../../content/base/src/mozAutoDocUpdate.h:81:0
    #50 0x7f934c47c8d0 in nsDOMCSSDeclaration::SetCssText(nsAString_internal const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/style/nsDOMCSSDeclaration.cpp:108:0
    #51 0x7f934e3d3029 in nsICSSDeclaration::SetCssText(nsAString_internal const&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/style/nsICSSDeclaration.h:105:0
    #52 0x7f934e3d2d4b in mozilla::dom::CSSStyleDeclarationBinding::set_cssText(JSContext*, JS::Handle<JSObject*>, nsICSSDeclaration*, JSJitSetterCallArgs) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/CSSStyleDeclarationBinding.cpp:43:0
    #53 0x7f934e3d1d75 in mozilla::dom::CSSStyleDeclarationBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/CSSStyleDeclarationBinding.cpp:424:0
    #54 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #55 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #56 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #57 0x7f934fdf729c in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:505:0
    #58 0x7f93500fd3aa in js::CallSetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, int, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:452:0
    #59 0x7f93501409f6 in js::BaseProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:240:0
    #60 0x7f935015b600 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2544:0
    #61 0x7f935015f29e in proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2856:0
    #62 0x7f93500e8a68 in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobj.cpp:1657:0
    #63 0x7f934fdae1b1 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobjinlines.h:83:0
    #64 0x7f9350145a72 in js::DirectProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:611:0
    #65 0x7f9350282514 in js::CrossCompartmentWrapper::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jswrapper.cpp:323:0
    #66 0x7f935015b600 in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, bool, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2544:0
    #67 0x7f935015f29e in proxy_SetGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2856:0
    #68 0x7f93500e8a68 in JSObject::nonNativeSetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobj.cpp:1657:0
    #69 0x7f934fdae1b1 in JSObject::setGeneric(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>, int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsobjinlines.h:83:0
    #70 0x7f934fe026e5 in js::SetPropertyOperation(JSContext*, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter-inl.h:365:0
    #71 0x7f934fdead7a in
    #72 0x7f934fde3adc in js::RunScript(JSContext*, js::StackFrame*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:345:0
    #73 0x7f934fdf5423 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:401:0
    #74 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #75 0x7f93501436f1 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:479:0
    #76 0x7f93502836bb in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jswrapper.cpp:447:0
    #77 0x7f935015c1de in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2616:0
    #78 0x7f9350160d00 in proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:3180:0
    #79 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #80 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #81 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #82 0x7f934ff79461 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:5885:0
    #83 0x7f934d7b730c in nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS*, unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedJSClass.cpp:1437:0
    #84 0x7f934d7aa1b8 in nsXPCWrappedJS::CallMethod(unsigned short, XPTMethodDescriptor const*, nsXPTCMiniVariant*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/xpconnect/src/XPCWrappedJS.cpp:589:0
    #85 0x7f934eb723e9 in PrepareAndDispatch /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/reflect/xptcall/src/md/unix/xptcstubs_x86_64_linux.cpp:122:0
    #86 0x7f934eb71276 in
    #87 0x7f934c9a204c in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:937:0
    #88 0x7f934c9a27b1 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:1008:0
    #89 0x7f934c999e2b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:201:0
    #90 0x7f934c999795 in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:350:0
    #91 0x7f934c99b212 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:632:0
    #92 0x7f934c99ba6b in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:695:0
    #93 0x7f934c80143e in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:1148:0
    #94 0x7f934c94e1a0 in nsAsyncDOMEvent::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsAsyncDOMEvent.cpp:48:0
    #95 0x7f934c708c3b in nsContentUtils::RemoveScriptBlocker() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsContentUtils.cpp:4803:0
    #96 0x7f934c77480b in nsDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:4392:0
    #97 0x7f934cbd9bff in nsHTMLDocument::EndUpdate(unsigned int) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/document/src/nsHTMLDocument.cpp:2545:0
    #98 0x7f934c2dbb6f in mozAutoDocUpdate::~mozAutoDocUpdate() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/xul/templates/src/../../../base/src/mozAutoDocUpdate.h:38:0
    #99 0x7f934c803f35 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:2000:0
    #100 0x7f934e68e486 in mozilla::dom::NodeBinding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/NodeBinding.cpp:579:0
    #101 0x7f934e68a07d in mozilla::dom::NodeBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/NodeBinding.cpp:1333:0
    #102 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #103 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #104 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #105 0x7f93501436f1 in js::DirectProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:479:0
    #106 0x7f93502836bb in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jswrapper.cpp:447:0
    #107 0x7f935015c1de in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:2616:0
    #108 0x7f9350160d00 in proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsproxy.cpp:3180:0
    #109 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #110 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #111 0x7f934fdef7fa in
    #112 0x7f934fde3adc in js::RunScript(JSContext*, js::StackFrame*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:345:0
    #113 0x7f934fdf5423 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:401:0
    #114 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #115 0x7f934ff79461 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:5885:0
    #116 0x7f934e474b67 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/EventHandlerBinding.cpp:41:0
    #117 0x7f934d037253 in JS::Value mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/mozilla/dom/EventHandlerBinding.h:58:0
    #118 0x7f934d035f2e in nsJSEventListener::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/src/events/nsJSEventListener.cpp:247:0
    #119 0x7f934c9a204c in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:937:0
    #120 0x7f934c9a27b1 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:1008:0
    #121 0x7f934c999e2b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:201:0
    #122 0x7f934c9995bb in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:326:0
    #123 0x7f934c99b212 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:632:0
    #124 0x7f934c99ba6b in nsEventDispatcher::DispatchDOMEvent(nsISupports*, nsEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:695:0
    #125 0x7f934c80143e in nsINode::DispatchEvent(nsIDOMEvent*, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:1148:0
    #126 0x7f934c814aac in mozilla::dom::EventTarget::DispatchEvent(nsDOMEvent&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:2456:0
    #127 0x7f934e480fce in mozilla::dom::EventTargetBinding::dispatchEvent(JSContext*, JS::Handle<JSObject*>, mozilla::dom::EventTarget*, JSJitMethodCallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/EventTargetBinding.cpp:242:0
    #128 0x7f934e480a5d in mozilla::dom::EventTargetBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/EventTargetBinding.cpp:408:0
    #129 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #130 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #131 0x7f934fdef7fa in
    #132 0x7f934fde3adc in js::RunScript(JSContext*, js::StackFrame*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:345:0
    #133 0x7f934fdf5423 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:401:0
    #134 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #135 0x7f934ff79461 in JS_CallFunctionValue(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jsapi.cpp:5885:0
    #136 0x7f934e474b67 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JSObject*>, nsDOMEvent&, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/EventHandlerBinding.cpp:41:0
    #137 0x7f934d037253 in JS::Value mozilla::dom::EventHandlerNonNull::Call<nsISupports*>(nsISupports* const&, nsDOMEvent&, mozilla::ErrorResult&, mozilla::dom::CallbackObject::ExceptionHandling) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/mozilla/dom/EventHandlerBinding.h:58:0
    #138 0x7f934d035f2e in nsJSEventListener::HandleEvent(nsIDOMEvent*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/dom/src/events/nsJSEventListener.cpp:247:0
    #139 0x7f934c9a204c in nsEventListenerManager::HandleEventSubType(nsListenerStruct*, mozilla::dom::CallbackObjectHolder<mozilla::dom::EventListener, nsIDOMEventListener> const&, nsIDOMEvent*, mozilla::dom::EventTarget*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:937:0
    #140 0x7f934c9a27b1 in nsEventListenerManager::HandleEventInternal(nsPresContext*, nsEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventListenerManager.cpp:1008:0
    #141 0x7f934c999e2b in nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor&, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:201:0
    #142 0x7f934c9995bb in nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor&, nsDispatchingCallback*, bool, nsCxPusher*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:326:0
    #143 0x7f934c99b212 in nsEventDispatcher::Dispatch(nsISupports*, nsPresContext*, nsEvent*, nsIDOMEvent*, nsEventStatus*, nsDispatchingCallback*, nsCOMArray<mozilla::dom::EventTarget>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/events/src/nsEventDispatcher.cpp:632:0
    #144 0x7f934c1462b9 in nsDocumentViewer::LoadComplete(tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/base/nsDocumentViewer.cpp:1035:0
    #145 0x7f934d8beed4 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6657:0
    #146 0x7f934d8bca0b in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6454:0
    #147 0x7f934d8bce5f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6461:0
    #148 0x7f934d8f7f95 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:1323:0
    #149 0x7f934d8f769b in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:865:0
    #150 0x7f934d8f5a12 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:755:0
    #151 0x7f934d8f6eab in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:639:0
    #152 0x7f934d8f73dc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/uriloader/base/nsDocLoader.cpp:643:0
    #153 0x7f934ba6585e in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/netwerk/base/src/nsLoadGroup.cpp:684:0
    #154 0x7f934c78c544 in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:7953:0
    #155 0x7f934c78c2c1 in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:7881:0
    #156 0x7f934c775c18 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsDocument.cpp:4625:0
    #157 0x7f934c7aaa49 in nsRunnableMethodImpl<void (nsDocument::*)(), true>::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/nsThreadUtils.h:350:0
    #158 0x7f934eb3828b in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/xpcom/threads/nsThread.cpp:626:0
    #159 0x7f934ea84931 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/xpcom/build/nsThreadUtils.cpp:238:0
    #160 0x7f934e03405b in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/glue/MessagePump.cpp:82:0
    #161 0x7f934ebe5051 in MessageLoop::RunInternal() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:219:0
    #162 0x7f934ebe4f4e in MessageLoop::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/ipc/chromium/src/base/message_loop.cc:186:0
    #163 0x7f934de87851 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/widget/xpwidgets/nsBaseAppShell.cpp:163:0
    #164 0x7f934da2c67f in nsAppStartup::Run() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/components/startup/nsAppStartup.cpp:269:0
    #165 0x7f934b805a39 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3851:0
    #166 0x7f934b806d77 in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:3919:0
    #167 0x7f934b807701 in XRE_main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/toolkit/xre/nsAppRunner.cpp:4121:0
    #168 0x40c7e6 in do_main(int, char**, nsIFile*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:272:0
    #169 0x40bd0f in main /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/browser/app/nsBrowserApp.cpp:632:0
    #170 0x7f9358620ea4 in ?? ??:0
0x7f9328660368 is located 40 bytes inside of 144-byte region [0x7f9328660340,0x7f93286603d0)
freed by thread T0 here:
    #0 0x43b0e0 in __interceptor_free ??:?
    #1 0x7f934c831bc3 in nsNodeUtils::LastRelease(nsINode*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsNodeUtils.cpp:259:0
    #2 0x7f934c695710 in mozilla::dom::FragmentOrElement::Release() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/FragmentOrElement.cpp:1709:0
    #3 0x7f934c9e9c2e in mozilla::dom::HTMLBodyElement::Release() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/content/src/HTMLBodyElement.cpp:203:0
    #4 0x7f934b93cf94 in nsEvent::~nsEvent() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../dist/include/nsGUIEvent.h:659:0
    #5 0x7f934c703251 in nsContentUtils::MaybeFireNodeRemoved(nsINode*, nsINode*, nsIDocument*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsContentUtils.cpp:3698:0
    #6 0x7f934c802db3 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/base/src/nsINode.cpp:1646:0
    #7 0x7f934cbd1707 in nsHTMLDocument::SetBody(nsGenericHTMLElement*, mozilla::ErrorResult&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/document/src/nsHTMLDocument.cpp:1132:0
    #8 0x7f934e4ff309 in mozilla::dom::HTMLDocumentBinding::set_body(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitSetterCallArgs) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:201:0
    #9 0x7f934e4fbeb5 in mozilla::dom::HTMLDocumentBinding::genericSetter(JSContext*, unsigned int, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:1468:0
    #10 0x7f934fdf5c48 in js::CallJSNative(JSContext*, int (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:349:0
    #11 0x7f934fdf5395 in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:381:0
    #12 0x7f934fdf61f6 in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:434:0
    #13 0x7f934fdf729c in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value const&, unsigned int, JS::Value*, JS::Value*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/vm/Interpreter.cpp:505:0
    #14 0x7f93500fd3aa in js::CallSetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, int, JS::MutableHandle<JS::Value>), unsigned int, unsigned int, int, JS::MutableHandle<JS::Value>) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/js/src/jscntxtinlines.h:452:0
previously allocated by thread T0 here:
    #0 0x43b1a0 in malloc ??:?
    #1 0x7f935693a417 in moz_xmalloc /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/memory/mozalloc/mozalloc.cpp:54:0
    #2 0x7f934c9e89b3 in operator new(unsigned long) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../../dist/include/mozilla/mozalloc.h:201:0
    #3 0x7f934c9e89b3 in nsGenericHTMLElement* mozilla::dom::NewHTMLElementHelper::Create<nsHTMLBodyElement, mozilla::dom::HTMLBodyElement>(already_AddRefed<nsINodeInfo>, mozilla::dom::NewHTMLElementHelper::SFINAE<bool (*)(nsIDocument*), mozilla::dom::HTMLBodyElement::InNavQuirksMode>*) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/content/html/content/src/nsGenericHTMLElement.h:1755:0
    #4 0x7f934c04230f in nsContentDLF::CreateBlankDocument(nsILoadGroup*, nsIPrincipal*, nsIDocument**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/layout/build/nsContentDLF.cpp:339:0
    #5 0x7f934d8c16a5 in nsDocShell::CreateAboutBlankContentViewer(nsIPrincipal*, nsIURI*, bool) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:7029:0
    #6 0x7f934d8c0bbe in nsDocShell::EnsureContentViewer() /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:6931:0
    #7 0x7f934d8982ec in nsDocShell::GetInterface(nsID const&, void**) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/docshell/base/nsDocShell.cpp:953:0
    #8 0x7f934ea7e49a in nsGetInterface::operator()(nsID const&, void**) const /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/obj-firefox/xpcom/build/nsIInterfaceRequestorUtils.cpp:19:0
    #9 0x7f934c042f22 in nsCOMPtr<nsIDocument>::assign_from_helper(nsCOMPtr_helper const&, nsID const&) /builds/slave/m-cen-l64-dbg-asan-ntly-000000/build/../../../dist/include/nsCOMPtr.h:1279:0
Shadow byte and word:
  0x1ff2650cc06d: fd
  0x1ff2650cc068: fd fd fd fd fd fd fd fd
More shadow bytes:
  0x1ff2650cc048: 00 00 00 00 00 00 00 00
  0x1ff2650cc050: 00 00 00 00 00 00 00 00
  0x1ff2650cc058: 00 fb fb fb fb fb fb fb
  0x1ff2650cc060: fa fa fa fa fa fa fa fa
=>0x1ff2650cc068: fd fd fd fd fd fd fd fd
  0x1ff2650cc070: fd fd fd fd fd fd fd fd
  0x1ff2650cc078: fd fd fd fd fd fd fd fd
  0x1ff2650cc080: fa fa fa fa fa fa fa fa
  0x1ff2650cc088: 00 00 00 00 00 00 00 00
Stats: 228M malloced (209M for red zones) by 275886 calls
Stats: 34M realloced by 15658 calls
Stats: 198M freed by 138643 calls
Stats: 158M really freed by 111109 calls
Stats: 225M (57663 full pages) mmaped in 424 calls
  mmaps   by size class: 7:102375; 8:42987; 9:14322; 10:8176; 11:7395; 12:1280; 13:960; 14:512; 15:192; 16:656; 17:452; 18:26; 19:36; 20:21; 21:1;
  mallocs by size class: 7:155185; 8:57875; 9:24083; 10:17401; 11:12951; 12:2170; 13:1907; 14:1418; 15:338; 16:1097; 17:1361; 18:35; 19:41; 20:22; 21:2;
  frees   by size class: 7:69290; 8:21120; 9:16026; 10:14649; 11:11095; 12:1319; 13:1259; 14:1254; 15:231; 16:964; 17:1347; 18:30; 19:37; 20:21; 21:1;
  rfrees  by size class: 7:56513; 8:16977; 9:10445; 10:12104; 11:9578; 12:1021; 13:994; 14:1137; 15:180; 16:803; 17:1323; 18:27; 19:5; 20:1; 21:1;
Stats: malloc large: 2896 small slow: 4308
==58460== ABORTING
Whiteboard: [asan]
Could you take a look, Peter? The UAF stack involves HTMLDocumentBinding.
I bet this is a bug in SetBody.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Like needing to hold a strong ref to currentBody, say?
I'm coming to think we may want to invent some sort of handle-like system for passing things around (e.g. PassRefPtr in webkit or the Handle stuff JS engine uses) that we can use to make sure callers are holding strong refs to stuff...
Possibly. That would mean we need JS-like stack-only Rooted, since strong member variables
of heap objects aren't enough.

(SnowWhite+JS-like-Rooted would be enough to keep cycle collectable objects alive without
addreffing, but Rooted isn't totally free either.)

But I'd say nsHTMLDocument::SetBody is just clearly buggy. Doing DOM modifications without
keeping stuff alive.
> But I'd say nsHTMLDocument::SetBody is just clearly buggy.

Sure; the question is whether we can make it harder to write such buggy code...
Attached patch v1
Peter, is this ready for review?

It looks like a regression from bug 819239, which landed in 20.
Blocks: 819239
Keywords: regression
Flags: needinfo?(peterv)
Attachment #764129 - Flags: review?(bugs)
I tried to make a simpler testcase but didn't find one yet. This one only crashes in an ASAN build.
Flags: needinfo?(peterv)
Attachment #764129 - Flags: review?(bugs) → review+
Comment on attachment 764129 [details] [diff] [review]
v1

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

I think not too easily. The bug was detected with a fuzzer.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

The problem is caused by a missing nsCOMPtr, that's a fairly obvious cause for use-after-free.

Which older supported branches are affected by this flaw?

Goes back to FF 20.

If not all supported branches, which bug introduced the flaw?

Bug 819239.

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

Should be identical.

How likely is this patch to cause regressions; how much testing does it need?

Unlikely to cause regressions.
Attachment #764129 - Flags: sec-approval?
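Added example (not Mozilla's code and not the patch on this bug): a stripped-down C++ model of the pattern discussed in the comments above and summed up in the approval request as "a missing nsCOMPtr". SetBodyUnsafe keeps only a raw pointer to the current body across a node-removed notification that runs observer code, while SetBodySafe holds a strong reference for the duration of the mutation, which is the role nsCOMPtr plays in the fix. Node, RefPtr, Document, SetBodyUnsafe, SetBodySafe, RunScenario and LiveNodes are invented names; the live-node registry stands in for ASAN's shadow bytes so the buggy path reports the dangling pointer instead of reading freed memory.

```cpp
#include <functional>
#include <set>
#include <string>
#include <utility>

// Registry of live nodes: a stand-in for ASAN's shadow memory. The example
// consults it instead of actually reading freed memory (undefined behaviour).
static std::set<const void*>& LiveNodes() {
    static std::set<const void*> live;
    return live;
}

// Intrusive refcounted node, in the style of nsINode's AddRef/Release.
class Node {
public:
    explicit Node(std::string name) : mName(std::move(name)) { LiveNodes().insert(this); }
    virtual ~Node() { LiveNodes().erase(this); }
    void AddRef() { ++mRefCnt; }
    void Release() { if (--mRefCnt == 0) delete this; }
    Node* GetParentNode() const { return mParent; }   // the read ASAN flagged
    void SetParent(Node* parent) { mParent = parent; }
    const std::string& Name() const { return mName; }
private:
    unsigned mRefCnt = 0;
    Node* mParent = nullptr;
    std::string mName;
};

// Minimal RAII strong reference, playing the part of nsCOMPtr.
template <class T> class RefPtr {
public:
    RefPtr() = default;
    RefPtr(T* p) : mPtr(p) { if (mPtr) mPtr->AddRef(); }
    RefPtr(const RefPtr& o) : RefPtr(o.mPtr) {}
    RefPtr& operator=(T* p) { RefPtr tmp(p); std::swap(mPtr, tmp.mPtr); return *this; }
    RefPtr& operator=(const RefPtr& o) { return *this = o.mPtr; }
    ~RefPtr() { if (mPtr) mPtr->Release(); }
    T* get() const { return mPtr; }
    T* operator->() const { return mPtr; }
private:
    T* mPtr = nullptr;
};

enum class Outcome { Ok, UseAfterFree };

// A document that owns its body through a strong reference, as a DOM tree does.
class Document : public Node {
public:
    Document() : Node("document") {}
    // Runs synchronously while the node-removed notification is dispatched,
    // like a DOM mutation listener; it may run script that drops references.
    std::function<void(Document&)> onNodeRemoved;

    Node* GetBody() const { return mBody.get(); }
    void AppendBody(Node* body) { mBody = body; body->SetParent(this); }
    void RemoveBody() { if (mBody.get()) { mBody->SetParent(nullptr); mBody = nullptr; } }

    // Buggy pattern: only a raw pointer to the old body survives across a
    // notification that can run arbitrary observer code.
    Outcome SetBodyUnsafe(Node* newBody) {
        Node* currentBody = mBody.get();
        FireNodeRemoved();
        if (!LiveNodes().count(currentBody)) return Outcome::UseAfterFree; // ASAN stand-in
        (void)currentBody->GetParentNode();
        Replace(currentBody, newBody);
        return Outcome::Ok;
    }

    // Fixed pattern: a strong reference keeps the old body alive until the
    // mutation is finished, whatever the observer does.
    Outcome SetBodySafe(Node* newBody) {
        RefPtr<Node> currentBody = mBody;
        FireNodeRemoved();
        if (!LiveNodes().count(currentBody.get())) return Outcome::UseAfterFree;
        (void)currentBody->GetParentNode();
        Replace(currentBody.get(), newBody);
        return Outcome::Ok;
    }
private:
    void FireNodeRemoved() { if (onNodeRemoved) onNodeRemoved(*this); }
    void Replace(Node* oldBody, Node* newBody) {
        if (oldBody) oldBody->SetParent(nullptr);
        AppendBody(newBody);
    }
    RefPtr<Node> mBody;
};

// The scenario from the report: an observer removes the old body while the
// notification is being dispatched, releasing the last reference to it.
Outcome RunScenario(bool fixed) {
    Document doc;                                   // stack-owned; nothing AddRefs it
    doc.AppendBody(new Node("old-body"));
    doc.onNodeRemoved = [](Document& d) { d.RemoveBody(); };
    RefPtr<Node> newBody(new Node("new-body"));     // caller keeps the new body alive
    return fixed ? doc.SetBodySafe(newBody.get()) : doc.SetBodyUnsafe(newBody.get());
}
```

RunScenario(false) reports the dangling pointer because the observer's RemoveBody drops the document's only reference to the old body before SetBodyUnsafe touches it again; RunScenario(true) completes the replacement, and the old body is freed only when the local strong reference goes out of scope. The same discipline applies to any routine that dispatches events or mutation notifications mid-operation: every node it intends to use afterwards needs an owning reference on the stack, not just a pointer read from a member that script can clear.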
Comment on attachment 764129 [details] [diff] [review]
v1

sec-approval+ for trunk. This seems trivial enough. Please nominate for branch (and prepare branch patches) after it is on trunk.
Attachment #764129 - Flags: sec-approval? → sec-approval+
Comment on attachment 764129 [details] [diff] [review]
v1

Adding branch approval per discussion with Dveditz.
Attachment #764129 - Flags: approval-mozilla-beta+
Attachment #764129 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/fef3ab6511b4

Can we land the test for this at some point?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Whiteboard: [asan] → [asan][adv-main23+]
Alias: CVE-2013-1704
Attachment #762838 - Attachment mime type: text/plain → text/html
Group: core-security