Closed Bug 981279 Opened 6 years ago Closed 6 years ago

Heap-use-after-free in nsHtml5TreeOperation::Reget

Categories: Core :: HTML: Parser, defect, critical
x86_64
Windows 7
defect
Not set
critical

Tracking: RESOLVED FIXED, target milestone mozilla30
Tracking Status:
firefox29 --- unaffected
firefox30 + fixed
firefox-esr24 --- unaffected
b2g-v1.4 --- fixed

People: Reporter inferno, Assigned hsivonen

Details: 5 keywords, Whiteboard: [qa-]

Attachments: 3 files

Attached file test.html
>==27424==ERROR: AddressSanitizer: heap-use-after-free on address 0x6040000b53d0 at pc 0x7fa383c70670 bp 0x7fffd92deeb0 sp 0x7fffd92deea8
>READ of size 8 at 0x6040000b53d0 thread T0
>    #0 0x7fa383c7066f in nsHtml5TreeOperation::Reget(nsIAtom*) parser/html/nsHtml5TreeOperation.h:110
>    #1 0x7fa383c72792 in nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*) parser/html/nsHtml5TreeOperation.cpp:425:7
>    #2 0x7fa383c35a8d in nsHtml5TreeBuilder::createElement(int, nsIAtom*, nsHtml5HtmlAttributes*) parser/html/nsHtml5TreeBuilderCppSupplement.h:79
>    #3 0x7fa383c4ddb6 in nsHtml5TreeBuilder::appendToCurrentNodeAndPushElementMayFoster(nsHtml5ElementName*, nsHtml5HtmlAttributes*) parser/html/nsHtml5TreeBuilder.cpp:3935
>    #4 0x7fa383bae67f in nsHtml5TreeBuilder::startTag(nsHtml5ElementName*, nsHtml5HtmlAttributes*, bool) parser/html/nsHtml5TreeBuilder.cpp:1386
>    #5 0x7fa383b9c21e in nsHtml5Tokenizer::emitCurrentTagToken(bool, int) parser/html/nsHtml5Tokenizer.cpp:315
>    #6 0x7fa383bf4ae8 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) parser/html/nsHtml5Tokenizer.cpp:838
>    #7 0x7fa383b7cd35 in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) parser/html/nsHtml5Tokenizer.cpp:413
>    #8 0x7fa383b90c8f in nsHtml5StringParser::Tokenize(nsAString_internal const&, nsIDocument*, bool) parser/html/nsHtml5StringParser.cpp:112
>    #9 0x7fa383b8fc24 in nsHtml5StringParser::ParseFragment(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) parser/html/nsHtml5StringParser.cpp:63
>    #10 0x7fa385c5217c in nsContentUtils::ParseFragmentHTML(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) content/base/src/nsContentUtils.cpp:3990
>    #11 0x7fa385d85ea8 in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/FragmentOrElement.cpp:2720
>    #12 0x7fa385d84d22 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/Element.cpp:2640
>    #13 0x7fa37fca3366 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) objdir-ff-asan-sym/dom/bindings/./ElementBinding.cpp:1614
>    #14 0x7fa382897f5e in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2239
>    #15 0x7fa3960e1f0f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:239
>    #16 0x7fa3960e1f0f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:476
>    #17 0x7fa3960e679e in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:532
>    #18 0x7fa3960eb348 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:604
>    #19 0x7fa3957d8a06 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) js/src/vm/Shape-inl.h:95
>    #20 0x7fa395813e1c in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5017
>    #21 0x7fa39637aa81 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:335
>    #22 0x7fa3960b3271 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2450:10
>    #23 0x7fa396064891 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:423
>    #24 0x7fa3960ebe9d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:631
>    #25 0x7fa3960ee3ae in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:667
>    #26 0x7fa39537e7fb in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::Value*) js/src/jsapi.cpp:4818
>    #27 0x7fa38423e610 in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) dom/base/nsJSUtils.cpp:228
>    #28 0x7fa383f87d22 in nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) dom/base/nsJSEnvironment.cpp:910
>    #29 0x7fa383ea848a in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:11762
>    #30 0x7fa383e4c656 in nsGlobalWindow::RunTimeout(nsTimeout*) dom/base/nsGlobalWindow.cpp:11992
>    #31 0x7fa383ea5dd5 in nsGlobalWindow::TimerCallback(nsITimer*, void*) dom/base/nsGlobalWindow.cpp:12238
>    #32 0x7fa378f49358 in nsTimerImpl::Fire() xpcom/threads/nsTimerImpl.cpp:551
>    #33 0x7fa378f4ae19 in nsTimerEvent::Run() xpcom/threads/nsTimerImpl.cpp:635
>    #34 0x7fa378f27d31 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:643
>    #35 0x7fa3789561a2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:263
>    #36 0x7fa37adc36e9 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:95
>    #37 0x7fa37aba0a1d in MessageLoop::RunInternal() ipc/chromium/src/base/message_loop.cc:226
>    #38 0x7fa37aba0818 in MessageLoop::RunHandler() ipc/chromium/src/base/message_loop.cc:219
>    #39 0x7fa37aba069d in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:193
>    #40 0x7fa383038aa4 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164
>    #41 0x7fa38d33cb12 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:276
>    #42 0x7fa38ccf145e in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4008
>    #43 0x7fa38ccf630a in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4075
>    #44 0x7fa38ccf8a3d in XRE_main toolkit/xre/nsAppRunner.cpp:4285
>    #45 0x48eada in do_main(int, char**, nsIFile*) browser/app/nsBrowserApp.cpp:282
>    #46 0x48ba41 in main browser/app/nsBrowserApp.cpp:643
>    #47 0x7fa39f7d676c in __libc_start_main /build/buildd/eglibc-2.15/csu/libc-start.c:226
>    #48 0x48b1cc in _start
>
>0x6040000b53d0 is located 0 bytes inside of 40-byte region [0x6040000b53d0,0x6040000b53f8)
>freed by thread T0 here:
>    #0 0x473191 in __interceptor_free _asan_rtl_
>    #1 0x7fa39b395968 in moz_free memory/mozalloc/mozalloc.cpp:46
>    #2 0x7fa383a796b2 in operator delete(void*) objdir-ff-asan-sym/parser/html/../../dist/include/mozilla/mozalloc.h:225
>    #3 0x7fa383a796b2 in nsAutoPtr<nsHtml5Atom>::~nsAutoPtr() objdir-ff-asan-sym/parser/html/../../dist/include/nsAutoPtr.h:78
>    #4 0x7fa383a7948a in nsHtml5AtomEntry::~nsHtml5AtomEntry() parser/html/nsHtml5AtomTable.cpp:24
>    #5 0x7fa383b3c370 in nsTHashtable<nsHtml5AtomEntry>::s_ClearEntry(PLDHashTable*, PLDHashEntryHdr*) objdir-ff-asan-sym/parser/html/../../dist/include/nsTHashtable.h:449
>    #6 0x7fa37896f699 in PL_DHashTableRawRemove(PLDHashTable*, PLDHashEntryHdr*) xpcom/glue/pldhash.cpp:624
>    #7 0x7fa378970728 in PL_DHashTableEnumerate(PLDHashTable*, PLDHashOperator (*)(PLDHashTable*, PLDHashEntryHdr*, unsigned int, void*), void*) xpcom/glue/pldhash.cpp:652
>    #8 0x7fa383cc0f18 in nsTHashtable<nsHtml5AtomEntry>::Clear() objdir-ff-asan-sym/parser/html/../../dist/include/nsTHashtable.h:240
>    #9 0x7fa383b918f8 in nsHtml5AtomTable::Clear() parser/html/nsHtml5AtomTable.h:90
>    #10 0x7fa383b90e20 in nsHtml5StringParser::Tokenize(nsAString_internal const&, nsIDocument*, bool) parser/html/nsHtml5StringParser.cpp:122
>    #11 0x7fa383b8fc24 in nsHtml5StringParser::ParseFragment(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) parser/html/nsHtml5StringParser.cpp:63
>    #12 0x7fa385c5217c in nsContentUtils::ParseFragmentHTML(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) content/base/src/nsContentUtils.cpp:3990
>    #13 0x7fa385d85ea8 in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/FragmentOrElement.cpp:2720
>    #14 0x7fa385d84d22 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/Element.cpp:2640
>    #15 0x7fa37fca3366 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) objdir-ff-asan-sym/dom/bindings/./ElementBinding.cpp:1614
>    #16 0x7fa382897f5e in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2239
>    #17 0x7fa3960e1f0f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:239
>    #18 0x7fa3960e1f0f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:476
>    #19 0x7fa3960e679e in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:532
>    #20 0x7fa3960eb348 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:604
>    #21 0x7fa3957d8a06 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) js/src/vm/Shape-inl.h:95
>    #22 0x7fa395813e1c in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5017
>    #23 0x7fa39637aa81 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:335
>    #24 0x7fa3960b3271 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2450:10
>    #25 0x7fa396064891 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:423
>    #26 0x7fa3960ebe9d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:631
>    #27 0x7fa3960ee3ae in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:667
>    #28 0x7fa39537e7fb in JS::Evaluate(JSContext*, JS::Handle<JSObject*>, JS::ReadOnlyCompileOptions const&, char16_t const*, unsigned long, JS::Value*) js/src/jsapi.cpp:4818
>    #29 0x7fa38423e610 in nsJSUtils::EvaluateString(JSContext*, nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, nsJSUtils::EvaluateOptions&, JS::Value*, void**) dom/base/nsJSUtils.cpp:228
>    #30 0x7fa383f87d22 in nsJSContext::EvaluateString(nsAString_internal const&, JS::Handle<JSObject*>, JS::CompileOptions&, bool, JS::Value*, void**) dom/base/nsJSEnvironment.cpp:910
>    #31 0x7fa383ea848a in nsGlobalWindow::RunTimeoutHandler(nsTimeout*, nsIScriptContext*) dom/base/nsGlobalWindow.cpp:11762
>
>previously allocated by thread T0 here:
>    #0 0x473391 in malloc _asan_rtl_
>    #1 0x7fa39b395afa in moz_xmalloc memory/mozalloc/mozalloc.cpp:52
>    #2 0x7fa383a78e87 in operator new(unsigned long) objdir-ff-asan-sym/parser/html/../../dist/include/mozilla/mozalloc.h:201
>    #3 0x7fa383a78e87 in nsHtml5AtomEntry::nsHtml5AtomEntry(nsAString_internal const*) parser/html/nsHtml5AtomTable.cpp:12
>    #4 0x7fa383b3c5ba in nsTHashtable<nsHtml5AtomEntry>::s_InitEntry(PLDHashTable*, PLDHashEntryHdr*, void const*) objdir-ff-asan-sym/parser/html/../../dist/include/nsTHashtable.h:458
>    #5 0x7fa37896b092 in PL_DHashTableOperate(PLDHashTable*, void const*, PLDHashOperator) xpcom/glue/pldhash.cpp:572
>    #6 0x7fa383b3bb64 in nsTHashtable<nsHtml5AtomEntry>::PutEntry(nsAString_internal const&, mozilla::fallible_t const&) objdir-ff-asan-sym/parser/html/../../dist/include/nsTHashtable.h:174
>    #7 0x7fa383a7a31b in nsTHashtable<nsHtml5AtomEntry>::PutEntry(nsAString_internal const&) objdir-ff-asan-sym/parser/html/../../dist/include/nsTHashtable.h:163
>    #8 0x7fa383a79fbd in nsHtml5AtomTable::GetAtom(nsAString_internal const&) parser/html/nsHtml5AtomTable.cpp:51
>    #9 0x7fa383b42809 in nsHtml5Portability::newLocalNameFromBuffer(char16_t*, int, int, nsHtml5AtomTable*) parser/html/nsHtml5Portability.cpp:15
>    #10 0x7fa383a7bbe2 in nsHtml5AttributeName::nameByBuffer(char16_t*, int, int, nsHtml5AtomTable*) parser/html/nsHtml5AttributeName.cpp:112
>    #11 0x7fa383bb4054 in nsHtml5Tokenizer::attributeNameComplete() parser/html/nsHtml5Tokenizer.cpp:331
>    #12 0x7fa383bf2190 in int nsHtml5Tokenizer::stateLoop<nsHtml5SilentPolicy>(int, char16_t, int, char16_t*, bool, int, int) parser/html/nsHtml5Tokenizer.cpp:658
>    #13 0x7fa383b7cd35 in nsHtml5Tokenizer::tokenizeBuffer(nsHtml5UTF16Buffer*) parser/html/nsHtml5Tokenizer.cpp:413
>    #14 0x7fa383b90c8f in nsHtml5StringParser::Tokenize(nsAString_internal const&, nsIDocument*, bool) parser/html/nsHtml5StringParser.cpp:112
>    #15 0x7fa383b8fc24 in nsHtml5StringParser::ParseFragment(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) parser/html/nsHtml5StringParser.cpp:63
>    #16 0x7fa385c5217c in nsContentUtils::ParseFragmentHTML(nsAString_internal const&, nsIContent*, nsIAtom*, int, bool, bool) content/base/src/nsContentUtils.cpp:3990
>    #17 0x7fa385d85ea8 in mozilla::dom::FragmentOrElement::SetInnerHTMLInternal(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/FragmentOrElement.cpp:2720
>    #18 0x7fa385d84d22 in mozilla::dom::Element::SetInnerHTML(nsAString_internal const&, mozilla::ErrorResult&) content/base/src/Element.cpp:2640
>    #19 0x7fa37fca3366 in mozilla::dom::ElementBinding::set_innerHTML(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) objdir-ff-asan-sym/dom/bindings/./ElementBinding.cpp:1614
>    #20 0x7fa382897f5e in mozilla::dom::GenericBindingSetter(JSContext*, unsigned int, JS::Value*) dom/bindings/BindingUtils.cpp:2239
>    #21 0x7fa3960e1f0f in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) js/src/jscntxtinlines.h:239
>    #22 0x7fa3960e1f0f in js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) js/src/vm/Interpreter.cpp:476
>    #23 0x7fa3960e679e in js::Invoke(JSContext*, JS::Value const&, JS::Value const&, unsigned int, JS::Value const*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:532
>    #24 0x7fa3960eb348 in js::InvokeGetterOrSetter(JSContext*, JSObject*, JS::Value, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:604
>    #25 0x7fa3957d8a06 in js::Shape::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool, JS::MutableHandle<JS::Value>) js/src/vm/Shape-inl.h:95
>    #26 0x7fa395813e1c in bool js::baseops::SetPropertyHelper<(js::ExecutionMode)0>(js::ExecutionModeTraits<(js::ExecutionMode)0>::ContextType, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, unsigned int, JS::MutableHandle<JS::Value>, bool) js/src/jsobj.cpp:5017
>    #27 0x7fa39637aa81 in SetPropertyOperation(JSContext*, JS::Handle<JSScript*>, unsigned char*, JS::Handle<JS::Value>, JS::Handle<JS::Value>) js/src/vm/Interpreter.cpp:335
>    #28 0x7fa3960b3271 in Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:2450:10
>    #29 0x7fa396064891 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:423
>    #30 0x7fa3960ebe9d in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::ExecuteType, js::AbstractFramePtr, JS::Value*) js/src/vm/Interpreter.cpp:631
>    #31 0x7fa3960ee3ae in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) js/src/vm/Interpreter.cpp:667
>
>SUMMARY: AddressSanitizer: heap-use-after-free ??:0 ??
>Shadow bytes around the buggy address:
>  0x0c088000ea20: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
>  0x0c088000ea30: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
>  0x0c088000ea40: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
>  0x0c088000ea50: fa fa 00 00 00 00 00 00 fa fa fd fd fd fd fd fa
>  0x0c088000ea60: fa fa fd fd fd fd fd fa fa fa fd fd fd fd fd fa
>=>0x0c088000ea70: fa fa fd fd fd fd fd fa fa fa[fd]fd fd fd fd fa
>  0x0c088000ea80: fa fa fd fd fd fd fd fd fa fa fd fd fd fd fd fa
>  0x0c088000ea90: fa fa fd fd fd fd fd fd fa fa 00 00 00 00 00 00
>  0x0c088000eaa0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
>  0x0c088000eab0: fa fa 00 00 00 00 00 00 fa fa 00 00 00 00 00 00
>  0x0c088000eac0: fa fa fd fd fd fd fd fa fa fa 00 00 00 00 00 00
>Shadow byte legend (one shadow byte represents 8 application bytes):
>  Addressable:           00
>  Partially addressable: 01 02 03 04 05 06 07
>  Heap left redzone:       fa
>  Heap right redzone:      fb
>  Freed heap region:       fd
>  Stack left redzone:      f1
>  Stack mid redzone:       f2
>  Stack right redzone:     f3
>  Stack partial redzone:   f4
>  Stack after return:      f5
>  Stack use after scope:   f8
>  Global redzone:          f9
>  Global init order:       f6
>  Poisoned by user:        f7
>  Contiguous container OOB:fc
>  ASan internal:           fe
>==27424==ABORTING
>
>
I assume this is a recent regression.
Duplicate of this bug: 981424
Duplicate of this bug: 981413
If I comment out mAtomTable.Clear(); in nsHtml5StringParser.cpp, the crash goes away. Yet, nsTHashtable::Clear() should be so well tested by now that it seems unbelievable that it could be at fault.
It's not about the hashtable. The problem persists with a fresh and different atom table impl. It has to be about the attribute holder not getting reset.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
I'm shocked that our existing test suite failed to trigger this crash.

This needs a minimized crashtest. (Not included in this patch.)
Attachment #8388406 - Flags: review?(bugs)
Blocks: 959150
(In reply to Olli Pettay [:smaug] from comment #1)
> I assume this is a recent regression.

Clearly caused by bug 959150.
Does a security bug introduced on trunk need sec-approval to land a fix on trunk?
Attached patch Crashtest
Attachment #8388418 - Flags: review?(bugs)
I'll be unavailable over the next couple of days. Please consider this checkin-needed once this gets review (and approval if necessary; the bug got introduced late last week, so this doesn't affect users outside the Nightly channel).
Crash Signature: [@ nsHtml5TreeOperation::CreateElement(int, nsIAtom*, nsHtml5HtmlAttributes*, mozilla::dom::FromParser, nsHtml5DocumentBuilder*)]
(In reply to Henri Sivonen (:hsivonen) from comment #8)
> Does a security bug introduced on trunk need sec-approval to land a fix on trunk?
Trunk-only security bugs don't need sec-approval.
Attachment #8388418 - Flags: review?(bugs) → review+
Comment on attachment 8388406
Reset attributes at the end of the parser when recycling the attribute holder

Ok, took some time to understand. This should be ok for now, but
we really should make nsHtml5Atoms sane. They make all atom usage error-prone.
Attachment #8388406 - Flags: review?(bugs) → review+
Keywords: checkin-needed
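The ownership mistake diagnosed above (a recycled attribute holder keeping raw pointers to atoms that the per-parse atom table frees in Clear()) and the shape of the fix (reset the holder at the end of the parse, before the atoms go away) are easier to see in a small model. The following is an added example written for this page, not Gecko code and not the attached patch: the class names echo the ones in the stack trace, but the classes, the quarantine in AtomTable::Clear(), and the assumption that leftover entries come from a fragment that ends inside a start tag are all constructed for the illustration.

```cpp
// Added example, not Gecko code: a deliberately small model of the ownership
// pattern behind this bug. Names mirror the Gecko classes in the stack trace,
// but everything here is constructed for the illustration.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Stand-in for nsHtml5Atom: a heap object that a dynamic attribute name points at.
struct Atom {
  std::string name;
  explicit Atom(std::string n) : name(std::move(n)) {}
};

// Stand-in for nsHtml5AtomTable: owns every dynamic atom created during one parse.
// Clear() parks the atoms in a quarantine instead of freeing them, so the demo
// never touches freed memory and no address is reused (the same idea ASan's
// allocator quarantine uses to keep use-after-free detectable).
class AtomTable {
 public:
  Atom* GetAtom(const std::string& name) {
    for (auto& a : live_) {
      if (a->name == name) return a.get();
    }
    live_.push_back(std::make_unique<Atom>(name));
    return live_.back().get();
  }
  void Clear() {
    for (auto& a : live_) quarantine_.push_back(std::move(a));
    live_.clear();  // every Atom* handed out during this parse is now stale
  }
  // Address comparison only; nothing behind `p` is dereferenced.
  bool Owns(const Atom* p) const {
    for (auto& a : live_) {
      if (a.get() == p) return true;
    }
    return false;
  }
 private:
  std::vector<std::unique_ptr<Atom>> live_;
  std::vector<std::unique_ptr<Atom>> quarantine_;
};

// Stand-in for nsHtml5HtmlAttributes: recycled across parses, caching raw Atom*.
class AttributeHolder {
 public:
  void Add(Atom* name) { names_.push_back(name); }
  void Clear() { names_.clear(); }
  std::size_t Length() const { return names_.size(); }
  // Cached names whose atom the table no longer owns. In Gecko this is the read
  // that nsHtml5TreeOperation::Reget performs on a freed nsHtml5Atom.
  std::size_t DanglingCount(const AtomTable& table) const {
    std::size_t n = 0;
    for (const Atom* p : names_) {
      if (!table.Owns(p)) ++n;
    }
    return n;
  }
 private:
  std::vector<Atom*> names_;
};

// Stand-in for nsHtml5StringParser plus the tokenizer and tree builder it drives.
// Table and holder are members, so both persist between innerHTML parses.
class FragmentParser {
 public:
  explicit FragmentParser(bool resetHolderAtEndOfParse)
      : resetHolderAtEndOfParse_(resetHolderAtEndOfParse) {}

  // Parses one fragment whose single start tag carries `attrNames`. When
  // `tagCompleted` is false the input ends inside the tag, so the tag is never
  // emitted and its attributes stay in the recycled holder (this model's
  // assumption about how leftover entries arise, not a description of the
  // attached test case). Returns how many stale atom pointers the tree builder
  // read while creating the element.
  std::size_t ParseFragment(const std::vector<std::string>& attrNames,
                            bool tagCompleted) {
    std::size_t stale = 0;
    for (const auto& n : attrNames) {
      holder_.Add(table_.GetAtom(n));  // attributeNameComplete -> GetAtom
    }
    if (tagCompleted) {
      stale = holder_.DanglingCount(table_);  // CreateElement -> Reget
      holder_.Clear();                        // holder reused for the next tag
    }
    if (resetHolderAtEndOfParse_) {
      holder_.Clear();  // the fix: reset attributes before the atoms go away
    }
    table_.Clear();  // nsHtml5AtomTable::Clear at the end of Tokenize
    return stale;
  }
  std::size_t LeftoverAttributes() const { return holder_.Length(); }

 private:
  bool resetHolderAtEndOfParse_;
  AtomTable table_;
  AttributeHolder holder_;
};

// Two innerHTML assignments back to back: the first fragment ends inside a start
// tag, the second emits one. Returns how many stale atoms the second parse read.
std::size_t StaleReadsAcrossTwoParses(bool withFix) {
  FragmentParser parser(withFix);
  parser.ParseFragment({"data-first"}, /*tagCompleted=*/false);
  return parser.ParseFragment({"data-second"}, /*tagCompleted=*/true);
}

int main() {
  std::printf("without fix: %zu stale read(s)\n", StaleReadsAcrossTwoParses(false));
  std::printf("with fix:    %zu stale read(s)\n", StaleReadsAcrossTwoParses(true));
  return 0;
}
```

The model counts stale pointers instead of dereferencing them, which is why it runs cleanly without a sanitizer; the real parser has no such check, so the same leftover entry turns into the heap-use-after-free in the report above. The regression-test angle is the same as the crashtest attached here: two fragment parses in a row, the first leaving attributes behind, are enough to exercise the path.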
(crash seen in thunderbird daily)
Severity: normal → critical
https://hg.mozilla.org/mozilla-central/rev/c8eea7d1e71a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
Flags: sec-bounty?
Duplicate of this bug: 983429
Flags: sec-bounty? → sec-bounty+
I can't repro on an ASan build of Fx30 from 2014-03-01, and we aren't keeping ASan builds that date back to that time for me to get something closer to 2014-03-08, date of report. I don't have the time to make a custom build from that date right now. It doesn't appear to repro on latest Fx30 ASan for me, either.  Based on this, marking [qa-] due to inability to verify in the short-term.
Whiteboard: [qa-]
Group: core-security