Bug 1414999 (Closed)
Opened 7 years ago
Closed 7 years ago
stylo: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8
Categories: Core :: CSS Parsing and Computation, defect, P2
Tracking: RESOLVED FIXED, target milestone mozilla59
People: Reporter: jkratzer, Assigned: emilio
References: Blocks 2 open bugs
Details: 4 keywords
Attachments (3 files):
(deleted), text/html
(deleted), patch
(deleted), patch, bzbarsky: review+
Found while fuzzing mozilla-central rev 4ea775c267be. Will update with testcase once reduction completes.
==13899==ERROR: AddressSanitizer: heap-use-after-free on address 0x61a0002c8ea8 at pc 0x7f931d5a09e0 bp 0x7ffd429ae5e0 sp 0x7ffd429ae5d8
READ of size 8 at 0x61a0002c8ea8 thread T0
#0 0x7f931d5a09df in PresShell /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12
#1 0x7f931d5a09df in nsStyleContext::Arena() /builds/worker/workspace/build/src/layout/style/nsStyleContext.cpp:454
#2 0x7f931d4fb6dd in void mozilla::ArenaRefPtr<nsStyleContext>::assignFrom<nsStyleContext*>(nsStyleContext*&) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:153:13
#3 0x7f931d401c0c in assign /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:137:26
#4 0x7f931d401c0c in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaRefPtr.h:94
#5 0x7f931d401c0c in SetResolvedStyleContext /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:888
#6 0x7f931d401c0c in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1072
#7 0x7f931d402a91 in nsComputedDOMStyle::GetPropertyCSSValue(nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:1160:3
#8 0x7f931d4005d8 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) /builds/worker/workspace/build/src/layout/style/nsComputedDOMStyle.cpp:479:26
#9 0x7f931d04ab8a in mozilla::CSSEditUtils::GetCSSInlinePropertyBase(nsINode*, nsAtom*, nsTSubstring<char16_t>&, mozilla::CSSEditUtils::StyleType) /builds/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:541:5
#10 0x7f931d0ae1c4 in GetComputedProperty /builds/worker/workspace/build/src/editor/libeditor/CSSEditUtils.cpp:520:10
#11 0x7f931d0ae1c4 in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsINode**) /builds/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:107
#12 0x7f931d0adcd7 in mozilla::HTMLEditor::GetAbsolutelyPositionedSelectionContainer(nsIDOMElement**) /builds/worker/workspace/build/src/editor/libeditor/HTMLAbsPositionEditor.cpp:85:5
#13 0x7f931d0bc44c in mozilla::HTMLEditor::CheckSelectionStateForAnonymousButtons(nsISelection*) /builds/worker/workspace/build/src/editor/libeditor/HTMLAnonymousNodeEditor.cpp:362:7
#14 0x7f931d179143 in mozilla::HTMLEditor::EndUpdateViewBatch() /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:4585:10
#15 0x7f931d06f9c6 in mozilla::EditorBase::EndPlaceholderTransaction() /builds/worker/workspace/build/src/editor/libeditor/EditorBase.cpp:1007:5
#16 0x7f931d152657 in ~AutoPlaceholderBatch /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EditorUtils.h:172:20
#17 0x7f931d152657 in mozilla::HTMLEditor::Indent(nsTSubstring<char16_t> const&) /builds/worker/workspace/build/src/editor/libeditor/HTMLEditor.cpp:2247
#18 0x7f931d23587a in nsIndentCommand::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/editor/composer/nsComposerCommands.cpp:503:22
#19 0x7f931b3ca4b5 in nsControllerCommandTable::DoCommand(char const*, nsISupports*) /builds/worker/workspace/build/src/dom/commandhandler/nsControllerCommandTable.cpp:147:26
#20 0x7f931b3c119e in nsBaseCommandController::DoCommand(char const*) /builds/worker/workspace/build/src/dom/commandhandler/nsBaseCommandController.cpp:136:25
#21 0x7f931b3c77a4 in nsCommandManager::DoCommand(char const*, nsICommandParams*, mozIDOMWindowProxy*) /builds/worker/workspace/build/src/dom/commandhandler/nsCommandManager.cpp:212:22
#22 0x7f931b8f7172 in nsHTMLDocument::ExecCommand(nsTSubstring<char16_t> const&, bool, nsTSubstring<char16_t> const&, nsIPrincipal&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:3349:18
#23 0x7f931ae0afe0 in mozilla::dom::HTMLDocumentBinding::execCommand(JSContext*, JS::Handle<JSObject*>, nsHTMLDocument*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLDocumentBinding.cpp:891:21
#24 0x7f931b0fc120 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3040:13
#25 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#26 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
#27 0x7f93214f4b92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
#28 0x7f93221dd53e in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12
#29 0x7f9322192fd5 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23
#30 0x7f93221bd1e3 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:511:21
#31 0x7f93221bf8c7 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:770:12
#32 0x7f93214f3f1f in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#33 0x7f93214f3f1f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:454
#34 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
#35 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
#36 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
#37 0x7f93214f6ac3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
#38 0x7f93214f7302 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
#39 0x7f9321f4c5e9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
#40 0x7f931969c899 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
#41 0x7f931cdd95e3 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
#42 0x7f931cdd4a26 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
#43 0x7f931cdb853a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
#44 0x7f931cdb4a28 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
#45 0x7f931859ca17 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
#46 0x7f931859ca17 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728
#47 0x7f931859637b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
#48 0x7f93185a244f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:56:18
#49 0x7f9316782b36 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#50 0x7f931679cff8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#51 0x7f931756ecf1 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#52 0x7f93174cf34b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#53 0x7f93174cf34b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#54 0x7f93174cf34b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#55 0x7f931cf3b8cf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#56 0x7f932104aad1 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#57 0x7f93212427ab in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4675:22
#58 0x7f9321244375 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4837:8
#59 0x7f9321245726 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4932:21
#60 0x4ec4ec in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#61 0x4ec4ec in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
#62 0x7f933468c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#63 0x41dbc8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41dbc8)
0x61a0002c8ea8 is located 40 bytes inside of 1384-byte region [0x61a0002c8e80,0x61a0002c93e8)
freed by thread T0 here:
#0 0x4bc0fb in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f931661e437 in SnowWhiteKiller::~SnowWhiteKiller() /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2729:25
#2 0x7f9316625adb in FreeSnowWhite /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:2917:3
#3 0x7f9316625adb in nsCycleCollector::BeginCollection(ccType, nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3925
#4 0x7f9316624ff3 in nsCycleCollector::Collect(ccType, js::SliceBudget&, nsICycleCollectorListener*, bool) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:3746:9
#5 0x7f9316628e40 in nsCycleCollector_collect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/xpcom/base/nsCycleCollector.cpp:4315:21
#6 0x7f9319686add in nsJSContext::CycleCollectNow(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsJSEnvironment.cpp:1479:3
#7 0x7f93191cb77b in nsDOMWindowUtils::CycleCollect(nsICycleCollectorListener*) /builds/worker/workspace/build/src/dom/base/nsDOMWindowUtils.cpp:1437:3
#8 0x7f93167ad1c1 in NS_InvokeByIndex /builds/worker/workspace/build/src/xpcom/reflect/xptcall/md/unix/xptcinvoke_asm_x86_64_unix.S:129
#9 0x7f9317fb1740 in Invoke /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1996:12
#10 0x7f9317fb1740 in Call /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1315
#11 0x7f9317fb1740 in XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNative.cpp:1282
#12 0x7f9317fb84cf in XPC_WN_CallMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/XPCWrappedNativeJSOps.cpp:929:12
#13 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#14 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
#15 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
#16 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
#17 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
#18 0x7f93214f3c9f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:494:15
#19 0x7f93214f4b92 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:10
#20 0x7f9321f38f13 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2973:12
#21 0x7f9317ed0c1b in xpc::FunctionForwarder(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/xpconnect/src/ExportHelpers.cpp:315:18
#22 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#23 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
#24 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
#25 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
#26 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
#27 0x7f93214f6ac3 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:705:15
#28 0x7f93214f7302 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:737:12
#29 0x7f9321f4c5e9 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4721:12
#30 0x7f931969c899 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:268:8
#31 0x7f931cdd95e3 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2255:25
#32 0x7f931cdd4a26 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1895:10
#33 0x7f931cdb853a in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1596:10
#34 0x7f931cdb4a28 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:147:18
#35 0x7f931859ca17 in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:231:18
#36 0x7f931859ca17 in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:728
#37 0x7f931859637b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:532:7
previously allocated by thread T0 here:
#0 0x4bc44c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4ed85d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7f931d78d26a in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:206:12
#3 0x7f931d78d26a in CreatePresContext /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:801
#4 0x7f931d78d26a in nsDocumentViewer::InitInternal(nsIWidget*, nsISupports*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, bool, bool, bool) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:853
#5 0x7f931d78cf97 in nsDocumentViewer::Init(nsIWidget*, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:659:10
#6 0x7f932082ebab in nsDocShell::SetupNewViewer(nsIContentViewer*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9557:7
#7 0x7f932082d56c in nsDocShell::Embed(nsIContentViewer*, char const*, nsISupports*) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7381:17
#8 0x7f93207c62d5 in nsDocShell::CreateContentViewer(nsTSubstring<char> const&, nsIRequest*, nsIStreamListener**) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:9364:3
#9 0x7f93207c3be0 in nsDSURIContentListener::DoContent(nsTSubstring<char> const&, bool, nsIRequest*, nsIStreamListener**, bool*) /builds/worker/workspace/build/src/docshell/base/nsDSURIContentListener.cpp:196:21
#10 0x7f93183d0dea in nsDocumentOpenInfo::TryContentListener(nsIURIContentListener*, nsIChannel*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:739:28
#11 0x7f93183ce593 in nsDocumentOpenInfo::DispatchContent(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:417:30
#12 0x7f93183ccfbb in nsDocumentOpenInfo::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/uriloader/base/nsURILoader.cpp:295:8
#13 0x7f93168de387 in nsBaseChannel::OnStartRequest(nsIRequest*, nsISupports*) /builds/worker/workspace/build/src/netwerk/base/nsBaseChannel.cpp:859:25
#14 0x7f931692b242 in nsInputStreamPump::OnStateStart() /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:518:25
#15 0x7f931692a8ce in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/worker/workspace/build/src/netwerk/base/nsInputStreamPump.cpp:421:25
#16 0x7f931671bcad in nsInputStreamReadyEvent::Run() /builds/worker/workspace/build/src/xpcom/io/nsStreamUtils.cpp:97:20
#17 0x7f9316782b36 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
#18 0x7f931679cff8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
#19 0x7f93208f711f in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2003:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
#20 0x7f93208f711f in nsXULWindow::CreateNewContentWindow(int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIXULWindow**) /builds/worker/workspace/build/src/xpfe/appshell/nsXULWindow.cpp:2003
#21 0x7f932104caff in nsAppStartup::CreateChromeWindow2(nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, bool*, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:661:18
#22 0x7f93211ac634 in nsWindowWatcher::CreateChromeWindow(nsTSubstring<char> const&, nsIWebBrowserChrome*, unsigned int, nsITabParent*, mozIDOMWindowProxy*, unsigned long, nsIWebBrowserChrome**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:496:21
#23 0x7f93211aa12f in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:965:14
#24 0x7f93211ac35f in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:444:10
#25 0x7f93211ac35f in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsIDocShellLoadInfo*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:416
#26 0x7f93192707b5 in nsGlobalWindow::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsIDocShellLoadInfo*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:12915:21
#27 0x7f931926ed8f in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8970:10
#28 0x7f931926ed8f in nsGlobalWindow::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8932
#29 0x7f931926f21d in nsGlobalWindow::Open(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindow.cpp:8941:3
#30 0x7f931a86c513 in mozilla::dom::WindowBinding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindow*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2192:56
#31 0x7f931a86a875 in mozilla::dom::WindowBinding::genericMethod(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:15335:13
#32 0x7f93214f3ba0 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:291:15
#33 0x7f93214f3ba0 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:472
#34 0x7f93214df42b in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:527:12
#35 0x7f93214df42b in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3061
#36 0x7f93214c700a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:422:12
SUMMARY: AddressSanitizer: heap-use-after-free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsPresContext.h:172:12 in PresShell
Shadow bytes around the buggy address:
0x0c3480051180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c3480051190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c34800511a0: 00 00 00 00 fa fa fa fa fa fa fa fa fa fa fa fa
0x0c34800511b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c34800511c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c34800511d0: fd fd fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd
0x0c34800511e0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c34800511f0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480051200: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480051210: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x0c3480051220: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==13899==ABORTING
Reporter
Updated•7 years ago
Group: core-security
Reporter
Comment 1•7 years ago
Reporter
Comment 2•7 years ago
The attached testcase requires the fuzzPriv extension which can be found at:
https://github.com/MozillaSecurity/domfuzz/tree/master/dom/extension
The testcase also requires the following prefs:
// Enable web components
user_pref("dom.webcomponents.enabled", true);
user_pref("dom.webcomponents.customelements.enabled", true);
Comment 3•7 years ago
Only reproduces with Stylo enabled.
INFO: Last good revision: a6aaaf9cb7d3a4f3baa430cfa88671f0acabed6c
INFO: First bad revision: da7f10ba43442e258c8ffafbd3b20ae5b2e1f805
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a6aaaf9cb7d3a4f3baa430cfa88671f0acabed6c&tochange=da7f10ba43442e258c8ffafbd3b20ae5b2e1f805
Blocks: 1409079
Group: core-security → layout-core-security
Has Regression Range: --- → yes
status-firefox56:
--- → unaffected
status-firefox57:
--- → unaffected
status-firefox58:
--- → affected
status-firefox-esr52:
--- → unaffected
Summary: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8 → stylo: AddressSanitizer: heap-use-after-free [@ PresShell] with READ of size 8
Version: 52 Branch → Trunk
Assignee
Comment 4•7 years ago
This looks like the ArenaRefPtr stuff... Manish, any chance you can have a look? Please let me know if you can't quickly, I can try to get to this this week otherwise.
Flags: needinfo?(manishearth)
Assignee
Comment 5•7 years ago
I took a look at this, but haven't been able to repro so far. I suspect this may be a dupe of bug 1414692. Can you try to repro again Ryan just to confirm?
Flags: needinfo?(ryanvm)
Assignee
Comment 7•7 years ago
Uhh, I suspect this may be the reason for the funny hashmap crashes. This is very very bad.
Assignee
Updated•7 years ago
tracking-firefox57:
--- → ?
tracking-firefox58:
--- → ?
Assignee
Comment 8•7 years ago
This is very very bad. The pres context may be well dead by then, but we're playing with it. Furthermore, the hashmaps in the stylist clobber the memory that used to be taken by the pres context, which may explain fun stuff.
Assignee: nobody → emilio
Flags: needinfo?(manishearth)
Assignee
Comment 9•7 years ago
Ok, just for the record, I think 57 may not be affected, and this may genuinely be a web components + stylo issue. In particular, what I'm working on right now in bug 1415013.
However, given nothing prevents the flat tree from changing while the document is in the bfcache, I think even with that fixed this may need a deeper fix.
Assignee
Updated•7 years ago
Assignee
Comment 10•7 years ago
Ok, yeah, I'm pretty sure this is bug 1415013.
In short, what's happening here is that when the shadow root is created, the <body> element gets out of the flat tree, but we don't clear the data associated with it.
When the doc comes back from the bfcache, we clear the stale Servo data from the flat tree, but of course the <body> is not part of it, so we never reach it.
Assignee
Comment 11•7 years ago
This doesn't yet fix the test-case, but prevents similar but nastier issues once bug 1415013 is fixed.
There's nothing preventing the flat tree from changing while the document doesn't have a shell. In that case, we really really don't want to lose track of elements with stale style data, since then we'll mess up.
Attachment #8926929 - Flags: review?(bzbarsky)
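The mechanism described in comments 10 and 11 (style data left on an element that has dropped out of the flat tree, outliving the shell that produced it, and the fix of clearing style data from the whole DOM tree synchronously when the shell goes away), as an added C++ model that is not Gecko or Servo code. Shell, StyleData, Element, Document and every function below are invented stand-ins; the shell is marked dead instead of freed so the stale reference is detected rather than becoming undefined behaviour, <slot> is not modelled (light children vanish from the flat tree once a shadow root is attached), and "no-style" is only this model's answer to the question in comment 12, not the browser's.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the pres shell / pres context. On teardown it is
// marked dead rather than freed, so a stale pointer is detectable instead of
// being the freed-memory read the sanitizer reported.
struct Shell {
    explicit Shell(int id_) : id(id_) {}
    int id;
    bool alive = true;
};

// Stand-in for per-element Servo style data: remembers which shell produced it.
struct StyleData {
    explicit StyleData(Shell* s) : shell(s) {}
    Shell* shell;
};

struct Element {
    explicit Element(std::string t) : tag(std::move(t)) {}
    std::string tag;
    Element* shadowRoot = nullptr;           // at most one shadow root (simplified)
    std::vector<Element*> lightChildren;    // ordinary DOM children
    std::unique_ptr<StyleData> styleData;
};

// Flat-tree children. Simplification: no <slot>, so once a shadow root is attached
// the light DOM children (the page's <body>) leave the flat tree entirely and the
// shadow root's children take their place.
static std::vector<Element*> FlatTreeChildren(Element* e) {
    return e->shadowRoot ? e->shadowRoot->lightChildren : e->lightChildren;
}

static void StyleFlatTree(Element* e, Shell* shell) {
    e->styleData = std::make_unique<StyleData>(shell);
    for (Element* c : FlatTreeChildren(e)) StyleFlatTree(c, shell);
}

// The original cleanup on return: only the flat tree is visited.
static void ClearFlatTree(Element* e) {
    e->styleData.reset();
    for (Element* c : FlatTreeChildren(e)) ClearFlatTree(c);
}

// The fix: walk every node the document owns, light children and shadow subtrees
// alike, so nothing keeps data pointing at the dying shell.
static void ClearWholeDom(Element* e) {
    e->styleData.reset();
    if (e->shadowRoot) ClearWholeDom(e->shadowRoot);
    for (Element* c : e->lightChildren) ClearWholeDom(c);
}

struct Document {
    Element html{"html"}, body{"body"}, shadow{"#shadow-root"}, span{"span"};
    std::unique_ptr<Shell> shell;
    std::vector<std::unique_ptr<Shell>> retired;  // dead shells kept allocated
    int nextShellId = 1;

    Document() {
        html.lightChildren.push_back(&body);
        shadow.lightChildren.push_back(&span);
    }
    void CreateShell() {
        shell = std::make_unique<Shell>(nextShellId++);
        ClearFlatTree(&html);             // drop stale data still on the flat tree
        StyleFlatTree(&html, shell.get());
    }
    void DeleteShell(bool clearSynchronously) {
        if (clearSynchronously) ClearWholeDom(&html);
        shell->alive = false;
        retired.push_back(std::move(shell));
    }
    // "ok": data from the live shell; "no-style": nothing cached (this model's answer
    // for an element outside the flat tree); "dangling": data still points at a dead
    // shell, i.e. the read that was a use-after-free in the original.
    std::string GetComputedStyle(const Element& e) const {
        if (!e.styleData) return "no-style";
        return e.styleData->shell->alive ? "ok" : "dangling";
    }
};

// Replay: style the document, attach a shadow root to <html> before or after the
// shell is torn down (so <body> leaves the flat tree either way), bring the shell
// back, then query <body> as getComputedStyle does in the trace.
std::string BodyStyleAfterRoundTrip(bool fixed, bool attachShadowAfterTeardown) {
    Document doc;
    doc.CreateShell();
    if (!attachShadowAfterTeardown) doc.html.shadowRoot = &doc.shadow;
    doc.DeleteShell(fixed);
    if (attachShadowAfterTeardown) doc.html.shadowRoot = &doc.shadow;
    doc.CreateShell();
    return doc.GetComputedStyle(doc.body);
}

int main() {
    std::printf("buggy: %s, fixed: %s\n",
                BodyStyleAfterRoundTrip(false, false).c_str(),
                BodyStyleAfterRoundTrip(true, false).c_str());
    return 0;
}
```

With `fixed == false` the <body> keeps data produced by shell 1 whichever side of the teardown the shadow root is attached, because the return-from-bfcache cleanup only walks the flat tree; with `fixed == true` the synchronous whole-DOM clear at teardown leaves nothing to go stale, which is why the ordering of flat-tree changes relative to shell teardown stops mattering.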
Assignee
Comment 12•7 years ago
There's the other question of what should getComputedStyle return for something that is not in the flat tree...
Updated•7 years ago
Priority: -- → P2
Comment 13•7 years ago
Comment on attachment 8926929 [details] [diff] [review]
Synchronously clean style data from the DOM tree when the shell goes away.
I don't see how the bfcache-related changes make sense. When going into bfcache, DeleteShell() is _not_ called.
Flags: needinfo?(emilio)
Assignee
Comment 14•7 years ago
Hmm, indeed.
Reading https://developer.mozilla.org/en-US/docs/Working_with_BFCache (I don't know how accurate that may be), it looks like we have the guarantee that the document doesn't run scripts while in the bfcache, is that right?
If so, then this patch should be fine as-is, and the only problematic bit would be "iframe going to display: none, touch shadow dom, iframe coming back".
I suspect that's fine because otherwise we'd have the same problem when the flattened tree changes but we still have frames lying around in the bfcache.
Does that make sense?
Flags: needinfo?(bzbarsky)
Comment 15•7 years ago
The document itself does not run scripts while in bfcache, but other documents can be running scripts and have access to nodes from the bfcached document, unfortunately.
Flags: needinfo?(bzbarsky)
Comment 16•7 years ago
Comment on attachment 8926929 [details] [diff] [review]
Synchronously clean style data from the DOM tree when the shell goes away.
Please document in the commit message why the new bfcache setup is ok.
>+++ b/servo/components/style/lib.rs
I assume this chunk shouldn't be in here, right?
Attachment #8926929 - Flags: review?(bzbarsky) → review+
Assignee
Comment 17•7 years ago
remote: View your change here:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/d4fa112c3acd46f16c387c5d0532c87598fd1a91
remote:
remote: Follow the progress of your build on Treeherder:
remote: https://treeherder.mozilla.org/#/jobs?repo=mozilla-inbound&revision=d4fa112c3acd46f16c387c5d0532c87598fd1a91
Flags: needinfo?(emilio)
Comment 18•7 years ago
This was backed out for failures across multiple suites.
https://hg.mozilla.org/integration/mozilla-inbound/rev/dca8caef56e168fd94d809eca6fafb48eb4bf25d
https://treeherder.mozilla.org/logviewer.html#?job_id=145125366&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=145125879&repo=mozilla-inbound
Flags: needinfo?(emilio)
Assignee
Comment 19•7 years ago
I relanded it with an assertion fix. The pres context can be different if you getComputedStyle on an element in a doc in the bfcache (but with a shell).
Flags: needinfo?(emilio)
Assignee
Comment 20•7 years ago
Assignee
Comment 21•7 years ago
Aand self-backout, because I didn't see the second assertion, and I can't reproduce it but looks scary and I don't know a fix off-hand...
Flags: needinfo?(emilio)
Assignee
Comment 22•7 years ago
Backout is:
remote: View your change here:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/ac9bd5ff89bc7a9b9c64655542e1ff5038c494b6
Updated•7 years ago
Assignee
Comment 23•7 years ago
Flags: needinfo?(emilio)
Comment 24•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla59
Updated•7 years ago
Group: layout-core-security → core-security-release
Updated•7 years ago
Group: core-security-release
Updated•5 years ago
Blocks: asan-maintenance