Closed Bug 881090 Opened 11 years ago Closed 11 years ago

use-after-poison in nsFrameList::FirstChild()

Categories: Core :: Layout, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 863935
Tracking Status
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: aki.helin, Assigned: MatsPalmgren_bugz)


Attachments

(2 files)

Attached file repro (deleted) —
Address sanitizer spots the following error when the attached web page is opened, at least on some 64-bit Linux machines. Reducing the testcase seems to make it less reliable. I'm not sure yet what the required part is, but decided to file it as such because this also crashes the release version and the beta-channel asan build reports the same error.

This does not seem to reproduce on all machines. My guess is that this is related to display drivers. The error occurs for me at least with the free radeon driver, remote X and Xvfb, but does not happen with the proprietary AMD driver. If you have trouble reproducing, try:

$ sudo apt-get install xvfb
$ Xvfb :1 &
$ DISPLAY=:1 your-asan-firefox ff-uap-framelist.html
Xlib: extension "RANDR" missing on display ":1".
=================================================================
==7666== ERROR: AddressSanitizer use-after-poison on address 0x7f5911800ea8 at pc 0x7f59326fc913 bp 0x7fff6a7e7b10 sp 0x7fff6a7e7b08
READ of size 8 at 0x7f5911800ea8 thread T0
    #0 0x7f59326fc912 in nsFrameList::FirstChild() const /home/aki/src/mozilla-aurora/layout/generic/nsFrameList.h:221
0x7f5911800ea8 is located 3624 bytes inside of 8192-byte region [0x7f5911800080,0x7f5911802080)
allocated by thread T0 here:
    #0 0x43db50 in __interceptor_malloc ??:0
    #1 0x7f593b389d9f in PL_ArenaAllocate /home/aki/src/mozilla-aurora/nsprpub/lib/ds/plarena.c:202
Shadow byte and word:
  0x1feb223001d5: f7
  0x1feb223001d0: f7 f7 f7 f7 f7 f7 f7 f7
More shadow bytes:
  0x1feb223001b0: f7 f7 00 00 f7 f7 f7 f7
  0x1feb223001b8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001c0: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001c8: f7 f7 f7 f7 f7 f7 f7 f7
=>0x1feb223001d0: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001d8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001e0: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001e8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1feb223001f0: f7 f7 f7 f7 f7 f7 f7 f7
==7666== ABORTING
Attached file frame dump + stack (deleted) —
aState.mOverflowTracker.mPrevOverflowCont is a next-in-flow that is about to be destroyed by DeleteNextInFlowChild. Finish() fails to reset it. This is a known issue, bug 863935.
Assignee: nobody → matspal
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Depends on: 863935
Fixed by bug 863935.
Flags: in-testsuite?
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
How far back does this problem go?
Is the fix already in aurora? The attached repro no longer works, but my test machine still hits a bug with the same trace in aurora built today (changeset 138727:e33bd71d1e01).
It's mitigated by frame poisoning in 23 and 22 so it's wontfix on those branches.
Flags: sec-bounty-
Resolution: FIXED → DUPLICATE
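To make the root cause in comment 1 (a tracker keeping a pointer to a next-in-flow that DeleteNextInFlowChild then frees, because Finish() never cleared it) and the "mitigated by frame poisoning" remark concrete, here is a simplified model added by the editor; it is not Gecko code. The arena, Frame, OverflowTracker and the 0xf7 poison byte are constructed stand-ins for the real frame arena and poison value.

```cpp
#include <cstdint>
#include <cstring>
#include <cstddef>

// Poison pattern written over a freed frame. Stand-in for Gecko's frame
// poisoning, which fills a freed frame with a non-dereferenceable value so a
// stale read faults instead of silently reusing the memory.
static const uint64_t kPoison = 0xf7f7f7f7f7f7f7f7ULL;

struct Frame {
  Frame* mNextInFlow;  // next continuation, or nullptr
  uint64_t mPayload;
};

// Hypothetical arena: slots are never unmapped, only poisoned on "delete".
struct FrameArena {
  Frame mSlots[4];
  Frame* Alloc(size_t i) { mSlots[i] = Frame{nullptr, 0x1234}; return &mSlots[i]; }
  void Free(Frame* f) { memset(f, 0xf7, sizeof(Frame)); }  // poison, not free()
};

struct OverflowTracker {
  Frame* mPrevOverflowCont = nullptr;
  void FinishBuggy() {}                           // the bug: cached pointer survives
  void FinishFixed() { mPrevOverflowCont = nullptr; }  // the fix: drop it first
};

// True if the frame's memory carries the poison pattern, i.e. it was freed.
bool IsPoisoned(const Frame* f) {
  uint64_t word;
  memcpy(&word, &f->mNextInFlow, sizeof word);
  return word == kPoison;
}

// Replays the reported sequence: cache a next-in-flow, run Finish(), then let
// DeleteNextInFlowChild free it. Returns true when the later read lands on
// poisoned memory (the reported use-after-poison); false when nothing stale
// is left to read.
bool RunScenario(bool useFix) {
  FrameArena arena;
  Frame* nif = arena.Alloc(0);
  OverflowTracker tracker;
  tracker.mPrevOverflowCont = nif;
  if (useFix) tracker.FinishFixed(); else tracker.FinishBuggy();
  arena.Free(nif);  // DeleteNextInFlowChild
  if (!tracker.mPrevOverflowCont) return false;
  return IsPoisoned(tracker.mPrevOverflowCont);
}
```

Under a real ASan build the poisoned read is what the report above flags at nsFrameList::FirstChild(); in this model it simply returns true.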
Bug 863935 landed a test and the test in this bug hangs with 100% CPU in nsBlockFrame::RenumberListsInBlock / RenumberListsFor (bug 3246?).
Group: core-security
Flags: in-testsuite? → in-testsuite-