Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#16495 closed defect (fixed)

Tor Browser 5.0a3 crashes with security level set to "High"

Reported by: gk Owned by: mcs
Priority: Very High Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords: tbb-crash, TorBrowserTeam201507R, tbb-5.0a4
Cc: mcs, brade, mikeperry, saint, mabahas@… Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

If I load nytimes.com on 32bit Linux machines and on Windows it crashes right away if I have security slider set to "High". On a test machine I get the following stack trace:

Program received signal SIGSEGV, Segmentation fault.
0xb3d62e2a in nsAttrValue::Type() const ()
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
455	/home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0xb3d62e2a in nsAttrValue::Type() const ()
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
#1  0xb3d62f45 in nsAttrValue::GetAtomCount() const ()
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:807
#2  0xb476c61e in RuleHash::EnumerateAllRules(mozilla::dom::Element*, ElementDependentRuleProcessorData*, NodeMatchContext&) ()
    at /home/ubuntu/build/tor-browser/layout/style/nsCSSRuleProcessor.cpp:677
#3  0xb476ddb9 in nsCSSRuleProcessor::RulesMatching(ElementRuleProcessorData*)
    ()
    at /home/ubuntu/build/tor-browser/layout/style/nsCSSRuleProcessor.cpp:2551
#4  0xb47bff07 in bool EnumRulesMatching<ElementRuleProcessorData>(nsIStyleRuleProcessor*, void*) ()
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:719
#5  0xb47cbbb5 in nsStyleSet::FileRules(bool (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*, mozilla::dom::Element*, nsRuleWalker*) ()
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1026
#6  0xb47d0947 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) ()
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1265
#7  0xb481c70e in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) ()
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4831
#8  0x9b98d7f0 in ?? ()
#9  0x9a308aa0 in ?? ()
Backtrace stopped: previous frame inner to this frame (corrupt stack?)

Attachments (1)

bug16495.backtrace.txt (44.3 KB) - added by mikeperry 4 years ago.
Github user page crash stacktrace.

Change History (24)

comment:1 Changed 4 years ago by gk

Keywords: tbb-crash added

While I have no problem reproducing the crash on 32bit systems, it seems to work on 64bit ones.

comment:2 Changed 4 years ago by mcs

I can sometimes (but not always) reproduce this on an old 32-bit Linux system. I wonder if different content is loaded when certain exit nodes are used, leading to the "sometimes it crashes, sometimes it doesn't" behavior we are seeing?

Like other people, I have not been able to get the separate debug symbol method to work at all (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsingDebugSymbols)

gk's stack does not look familiar to me. It is deep in CSS and unfortunately gdb was not able to produce a complete stack.

Kathy and I will not have much of an opportunity to debug this over the next few days, so I hope someone else has time. Does it make sense to toggle the prefs. that are tied to the security slider one at a time to see which pref. (and therefore perhaps which patch) is the culprit? My bet is on the SVG patch again but I do not know if any SVG content is involved.

comment:3 in reply to:  2 Changed 4 years ago by gk

Replying to mcs:

I can sometimes (but not always) reproduce this on an old 32-bit Linux system. I wonder if different content is loaded when certain exit nodes are used, leading to the "sometimes it crashes, sometimes it doesn't" behavior we are seeing?

Like other people, I have not been able to get the separate debug symbol method to work at all (https://trac.torproject.org/projects/tor/wiki/doc/TorBrowser/Hacking#UsingDebugSymbols)

Creating a .debug directory in tor-browser_en-US/Browser and copying the contents of Debug/Browser into it is giving me symbols. Curiously, just attaching gdb to Tor Browser freezes Tor Browser on every machine I tried. Might be yet another thing to look at.

gk's stack does not look familiar to me. It is deep in CSS and unfortunately gdb was not able to produce a complete stack.

Kathy and I will not have much of an opportunity to debug this over the next few days, so I hope someone else has time. Does it make sense to toggle the prefs. that are tied to the security slider one at a time to see which pref. (and therefore perhaps which patch) is the culprit? My bet is on the SVG patch again but I do not know if any SVG content is involved.

Toggling the SVG related pref fixes the issue.

comment:4 Changed 4 years ago by gk

After building a recent GDB I got a better stacktrace:

Program received signal SIGSEGV, Segmentation fault.
0xb3d62e2a in BaseType (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
455	/home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0xb3d62e2a in BaseType (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
#1  nsAttrValue::Type (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
#2  0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:807
#3  0xb476c61e in RuleHash::EnumerateAllRules (this=0x97ecea80, aElement=0x9a1d01a0, 
    aData=0xbfffbbcc, aNodeContext=...)
    at /home/ubuntu/build/tor-browser/layout/style/nsCSSRuleProcessor.cpp:677
#4  0xb476ddb9 in nsCSSRuleProcessor::RulesMatching (this=0x9a9c4160, 
    aData=0xbfffbbcc)
    at /home/ubuntu/build/tor-browser/layout/style/nsCSSRuleProcessor.cpp:2551
#5  0xb47bff07 in EnumRulesMatching<ElementRuleProcessorData> (aProcessor=0x9a9c4160, 
    aData=0xbfffbbcc)
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:719
#6  0xb47cbbb5 in nsStyleSet::FileRules (this=0x93d97aa0, 
    aCollectorFunc=0xb47bfef6 <EnumRulesMatching<ElementRuleProcessorData>(nsIStyleRuleProcessor*, void*)>, aData=0xbfffbbcc, aElement=0x9a1d01a0, aRuleWalker=0xbfffbbc0)
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1026
#7  0xb47d0947 in nsStyleSet::ResolveStyleFor (this=0x93d97aa0, aElement=0x9a1d01a0, 
    aParentContext=0x92f88238, aTreeMatchContext=...)
    at /home/ubuntu/build/tor-browser/layout/style/nsStyleSet.cpp:1265
#8  0xb481c70e in nsCSSFrameConstructor::ResolveStyleContext (this=0x96ad4c80, 
    aParentStyleContext=0x92f88238, aContent=0x9a1d01a0, aState=0xbfffd6e0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4831
#9  0xb4839988 in nsCSSFrameConstructor::BuildInlineChildItems (this=0x96ad4c80, 
    aState=..., aParentItem=..., aItemIsWithinSVGText=false, 
    aItemAllowsTextPathChild=false)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11734
#10 0xb4838aa9 in nsCSSFrameConstructor::AddFrameConstructionItemsInternal (
    this=0x96ad4c80, aState=..., aContent=0x9a80bb70, aParentFrame=0x92f89308, aTag=
    0xb108a5e0, aNameSpaceID=3, aSuppressWhiteSpaceOptimizations=false, 
    aStyleContext=0x92f88238, aFlags=3, aAnonChildren=0x0, aItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5726
#11 0xb483955e in nsCSSFrameConstructor::DoAddFrameConstructionItems (
    this=0x96ad4c80, aState=..., aContent=0x9a80bb70, aStyleContext=0x92f88238, 
    aSuppressWhiteSpaceOptimizations=false, aParentFrame=0x92f89308, 
    aAnonChildren=0x0, aItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5401
#12 0xb48395cc in nsCSSFrameConstructor::AddFrameConstructionItems (this=0x96ad4c80, 
    aState=..., aContent=0x9a80bb70, aSuppressWhiteSpaceOptimizations=false, 
    aInsertion=..., aItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5419
#13 0xb483d122 in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x9a1d00b0, aStyleContext=0x92f871c8, aFrame=0x92f89308, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x92f89308)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10409
#14 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x92f87258, aContent=0x9a1d00b0, aParentFrame=0x92f86870, 
    aContentParentFrame=0x92f86870, aStyleContext=0x92f871c8, aNewFrame=0xbfffc09c, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0, aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#15 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
    this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x92f86870, 
    aDisplay=0x92f87258, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4742
#16 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
    this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x92f86870, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:3746
#17 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x96ad4c80, 
    aState=..., aIter=..., aParentFrame=0x92f86870, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5920
#18 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
    this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x92f86870, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10227
#19 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x9a1cfc40, aStyleContext=0x93bf0898, aFrame=0x92f86870, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x92f86870)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10426
#20 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x93bf0928, aContent=0x9a1cfc40, aParentFrame=0x93bf0198, 
    aContentParentFrame=0x93bf0198, aStyleContext=0x93bf0898, aNewFrame=0xbfffc4ec, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x92f86870, 
    aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#21 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
    this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bf0198, 
    aDisplay=0x93bf0928, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4742
#22 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
    this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bf0198, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:3746
#23 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x96ad4c80, 
    aState=..., aIter=..., aParentFrame=0x93bf0198, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5920
#24 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
    this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bf0198, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10227
#25 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x9a1cf600, aStyleContext=0x93bef7e0, aFrame=0x93bf0198, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x93bf0198)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10426
#26 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x93bef870, aContent=0x9a1cf600, aParentFrame=0x93bef6d8, 
    aContentParentFrame=0x93bef6d8, aStyleContext=0x93bef7e0, aNewFrame=0xbfffc93c, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x93bf0198, 
    aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#27 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
    this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bef6d8, 
    aDisplay=0x93bef870, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4742
#28 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
    this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bef6d8, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:3746
#29 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x96ad4c80, 
    aState=..., aIter=..., aParentFrame=0x93bef6d8, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5920
#30 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
    this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bef6d8, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10227
#31 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x9a1cf560, aStyleContext=0x93bef4b0, aFrame=0x93bef6d8, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x93bef6d8)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10426
#32 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x93bef540, aContent=0x9a1cf560, aParentFrame=0x93bef158, 
    aContentParentFrame=0x93bef158, aStyleContext=0x93bef4b0, aNewFrame=0xbfffcd8c, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x93bef6d8, 
    aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#33 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
    this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x93bef158, 
    aDisplay=0x93bef540, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4742
#34 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
    this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x93bef158, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:3746
#35 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x96ad4c80, 
    aState=..., aIter=..., aParentFrame=0x93bef158, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5920
#36 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
    this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x93bef158, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10227
#37 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x93b5add0, aStyleContext=0x92f2ff10, aFrame=0x93bef158, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x93bef158)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10426
#38 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x9a0a58a8, aContent=0x93b5add0, aParentFrame=0x92f2faf0, 
    aContentParentFrame=0x92f2faf0, aStyleContext=0x92f2ff10, aNewFrame=0xbfffd1dc, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0, aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#39 0xb4840688 in nsCSSFrameConstructor::ConstructNonScrollableBlock (
    this=0x96ad4c80, aState=..., aItem=..., aParentFrame=0x92f2faf0, 
    aDisplay=0x9a0a58a8, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:4742
#40 0xb483d5a0 in nsCSSFrameConstructor::ConstructFrameFromItemInternal (
    this=0x96ad4c80, aItem=..., aState=..., aParentFrame=0x92f2faf0, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:3746
#41 0xb483dd52 in nsCSSFrameConstructor::ConstructFramesFromItem (this=0x96ad4c80, 
    aState=..., aIter=..., aParentFrame=0x92f2faf0, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:5920
#42 0xb4853f58 in nsCSSFrameConstructor::ConstructFramesFromItemList (
    this=0x96ad4c80, aState=..., aItems=..., aParentFrame=0x92f2faf0, aFrameItems=...)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10227
#43 0xb483d1bc in nsCSSFrameConstructor::ProcessChildren (this=0x96ad4c80, 
    aState=..., aContent=0x9a2ef6a0, aStyleContext=0x92f2fa88, aFrame=0x92f2faf0, 
    aCanHaveGeneratedContent=true, aFrameItems=..., aAllowBlockStyles=true, 
    aPendingBinding=0x0, aPossiblyLeafFrame=0x92f2faf0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:10426
#44 0xb48403a6 in nsCSSFrameConstructor::ConstructBlock (this=0x96ad4c80, aState=..., 
    aDisplay=0x9a0a5618, aContent=0x9a2ef6a0, aParentFrame=0x9a0a59f8, 
    aContentParentFrame=0x9a0a59f8, aStyleContext=0x92f2fa88, aNewFrame=0xbfffd62c, 
    aFrameItems=..., aPositionedFrameForAbsPosContainer=0x0, aPendingBinding=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:11445
#45 0xb4840aea in nsCSSFrameConstructor::ConstructDocElementFrame (this=0x96ad4c80, 
    aDocElement=0x9a2ef6a0, aFrameState=0x0)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:2608
#46 0xb48410c0 in nsCSSFrameConstructor::ContentRangeInserted (this=0x96ad4c80, 
    aContainer=0x0, aStartChild=0x9a2ef6a0, aEndChild=0x0, aFrameState=0x0, 
    aAllowLazyConstruction=false)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:7469
#47 0xb48418c2 in nsCSSFrameConstructor::ContentInserted (this=0x96ad4c80, 
    aContainer=0x0, aChild=0x9a2ef6a0, aFrameState=0x0, aAllowLazyConstruction=false)
    at /home/ubuntu/build/tor-browser/layout/base/nsCSSFrameConstructor.cpp:7358
#48 0xb485ee79 in PresShell::Initialize (this=0x947e70e0, aWidth=60000, aHeight=42000)
    at /home/ubuntu/build/tor-browser/layout/base/nsPresShell.cpp:1911
#49 0xb3d68774 in nsContentSink::StartLayout (this=0x93e32de0, 
    aIgnorePendingSheets=false)
    at /home/ubuntu/build/tor-browser/dom/base/nsContentSink.cpp:1171
#50 0xb3d73be1 in nsContentSink::StyleSheetLoaded (this=0x93e32de0, 
    aSheet=0x9a36f940, aWasAlternate=false, aStatus=nsresult::NS_OK)
    at /home/ubuntu/build/tor-browser/dom/base/nsContentSink.cpp:231
#51 0xb47869f5 in mozilla::css::Loader::SheetComplete (this=0x96acabe0, 
    aLoadData=0x9a0da9b0, aStatus=nsresult::NS_OK)
    at /home/ubuntu/build/tor-browser/layout/style/Loader.cpp:1791
#52 0xb4786ed0 in mozilla::css::Loader::HandleLoadEvent (this=0x96acabe0, 
    aEvent=0x9a0da9b0) at /home/ubuntu/build/tor-browser/layout/style/Loader.cpp:2424
#53 0xb4786efe in mozilla::css::SheetLoadData::Run (this=0x9a0da9b0)
    at /home/ubuntu/build/tor-browser/layout/style/Loader.cpp:431
#54 0xb36f73c7 in nsThread::ProcessNextEvent (this=0xb7af2cf0, aMayWait=false, 
    aResult=0xbfffdc2f)
    at /home/ubuntu/build/tor-browser/xpcom/threads/nsThread.cpp:855
#55 0xb370ca73 in NS_ProcessNextEvent (aThread=<optimized out>, aMayWait=false)
    at /home/ubuntu/build/tor-browser/xpcom/glue/nsThreadUtils.cpp:265
#56 0xb38a38a4 in mozilla::ipc::MessagePump::Run (this=0xb1008730, 
    aDelegate=0xb7a6e100)
    at /home/ubuntu/build/tor-browser/ipc/glue/MessagePump.cpp:99
#57 0xb388d2c6 in MessageLoop::RunInternal (this=0xb7a6e100)
    at /home/ubuntu/build/tor-browser/ipc/chromium/src/base/message_loop.cc:233
#58 0xb388d400 in RunHandler (this=0xb7a6e100)
    at /home/ubuntu/build/tor-browser/ipc/chromium/src/base/message_loop.cc:226
#59 MessageLoop::Run (this=0xb7a6e100)
    at /home/ubuntu/build/tor-browser/ipc/chromium/src/base/message_loop.cc:200
#60 0xb46b6411 in nsBaseAppShell::Run (this=0xaca3e3d0)
    at /home/ubuntu/build/tor-browser/widget/nsBaseAppShell.cpp:164
#61 0xb4aff699 in nsAppStartup::Run (this=0xacaad8e0)
    at /home/ubuntu/build/tor-browser/toolkit/components/startup/nsAppStartup.cpp:281
#62 0xb4b31b4c in XREMain::XRE_mainRun (this=0xbfffde78)
    at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4432
#63 0xb4b31e08 in XREMain::XRE_main (this=0xbfffde78, argc=3, argv=0xbffff1a4, 
    aAppData=0xbfffdfcc)
    at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4512
#64 0xb4b32034 in XRE_main (argc=3, argv=0xbffff1a4, aAppData=0xbfffdfcc, aFlags=0)
    at /home/ubuntu/build/tor-browser/toolkit/xre/nsAppRunner.cpp:4731
#65 0x80003c50 in do_main (argc=3, argv=0xbffff1a4, xreDirectory=0xb7a2c280)
    at /home/ubuntu/build/tor-browser/browser/app/nsBrowserApp.cpp:294
#66 0x80003460 in main (argc=3, argv=0xbffff1a4)
    at /home/ubuntu/build/tor-browser/browser/app/nsBrowserApp.cpp:667

comment:5 in reply to:  4 Changed 4 years ago by mcs

Replying to gk:

After building a recent GDB I got a better stacktrace:

Program received signal SIGSEGV, Segmentation fault.
0xb3d62e2a in BaseType (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
455    /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h: Datei oder Verzeichnis nicht gefunden.
(gdb) bt
#0  0xb3d62e2a in BaseType (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.h:455
#1  nsAttrValue::Type (this=0x5a5a5a5a)
    at /home/ubuntu/build/tor-browser/dom/base/nsAttrValue.cpp:186
#2  0xb3d62f45 in nsAttrValue::GetAtomCount (this=0x5a5a5a5a)

The new stacktrace is much better.
The "this=0x5a5a5a5a" indicates a UAF. Now the question is "How did we get to that state?"
Maybe look at aElement within RuleHash::EnumerateAllRules() or higher in the call stack to see if the entire element has been freed?

I was hoping that a debug build might shed more light on this crash, but I foolishly picked Win32 instead of Linux32 because I know my old Linux system has hopelessly old tools (not good for compiling or debugging)... and of course my non-Gitian Windows build has failed a couple of times so far (at the moment I am stuck on unresolved symbols when trying to link libxul).

Unfortunately, Kathy and I are traveling this weekend (starting in an hour or so) and will only have sporadic access to the net. So someone else will need to debug this, or we will look at it on Monday. Sorry for the bad timing :(

I did encounter one compile error that has an obvious fix while trying to complete a Windows debug build; I opened #16497 for that.

comment:6 Changed 4 years ago by mcs

We found the cause of the crash. The nsIContent::DoGetClasses() implementation uses static_cast to obtain an nsSVGElement pointer, but if SVG is disabled the object is a regular XML element... so the cast results in bad news. The code is here:
http://mxr.mozilla.org/mozilla-esr38/source/dom/base/Element.cpp#155

Kathy and I are working on a fix. We are also looking for other places where similar casts are used. Our current thinking is that we will change IsSVG() to return false if SVG is disabled. It would be better to avoid the cast entirely, but we do not see an easy way to do so (if someone were to change the svg.in-content.enabled pref. during page load, there is a chance that the code mentioned above will go down the wrong path even after we put a fix in place).
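As an added illustration of the root cause described in comment:6 and the fix sketched there (this is not Tor Browser or Firefox code; the class names, the namespace id and the pref flag are simplified stand-ins), a toy model in which a namespace-only IsSVG() lets a static_cast run on an object that is really a plain XML element, beside a pref-gated guard that refuses the SVG-only path:

```cpp
// Added example, not Gecko code: a toy model of the DoGetClasses() bug.
// With the pref off, an element in the SVG namespace is created as a plain
// XML element; a guard that only looks at the namespace still says "SVG",
// so a static_cast<SvgElement*> would read memory that is not there.
#include <cstddef>
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

namespace toy {

enum class Kind { Xml, Svg };
constexpr int kNameSpaceSVG = 9;   // constructed id, not Gecko's real value

// Stand-in for the svg.in-content.enabled pref ("High" slider sets it false).
static bool gSvgEnabled = true;

struct ClassList { std::vector<std::string> atoms; };

class Element {
public:
  Element(int ns, Kind kind) : mNameSpaceID(ns), mKind(kind) {}
  virtual ~Element() = default;
  int NameSpaceID() const { return mNameSpaceID; }
  Kind ActualKind() const { return mKind; }   // what the object really is
private:
  int mNameSpaceID;
  Kind mKind;
};

// Only a real SVG element carries the class-list member that the buggy
// cast in the ticket reaches for; a plain XML element has no such field.
class SvgElement : public Element {
public:
  explicit SvgElement(std::vector<std::string> classes)
      : Element(kNameSpaceSVG, Kind::Svg), mClasses{std::move(classes)} {}
  const ClassList* ClassAttr() const { return &mClasses; }
private:
  ClassList mClasses;
};

class XmlElement : public Element {
public:
  explicit XmlElement(int ns) : Element(ns, Kind::Xml) {}
};

// Mirrors the behaviour reported in the ticket: SVG disabled means an
// SVG-namespace node is instantiated as a regular XML element.
std::unique_ptr<Element> CreateElement(int ns, std::vector<std::string> classes) {
  if (ns == kNameSpaceSVG && gSvgEnabled)
    return std::make_unique<SvgElement>(std::move(classes));
  return std::make_unique<XmlElement>(ns);
}

// Before: the namespace alone decides, so SVG-only code (and its
// static_cast) runs on an object that is not an SvgElement.
bool IsSVG_Unpatched(const Element& e) { return e.NameSpaceID() == kNameSpaceSVG; }

// After: the change comment:6 proposes, IsSVG() is false while SVG is
// disabled, so the SvgElement-only path is never entered.
bool IsSVG_Patched(const Element& e) {
  return gSvgEnabled && e.NameSpaceID() == kNameSpaceSVG;
}

// Reports whether a guard would let the downcast through for an object of
// the wrong dynamic type. The bad cast itself is undefined behaviour, so it
// is never performed here; we only evaluate the guard.
bool WouldMiscast(const Element& e, bool (*isSvg)(const Element&)) {
  return isSvg(e) && e.ActualKind() != Kind::Svg;
}

// Hardened lookup: pref-gated guard plus a checked cast (belt and braces).
std::size_t GetClassCount(const Element& e) {
  if (IsSVG_Patched(e))
    if (const auto* svg = dynamic_cast<const SvgElement*>(&e))
      return svg->ClassAttr()->atoms.size();
  return 0;
}

// Scenario from the ticket: slider on "High", page contains <svg class="icon small">.
static std::unique_ptr<Element> ElementFromDisabledSvgPage() {
  gSvgEnabled = false;
  return CreateElement(kNameSpaceSVG, {"icon", "small"});
}
bool UnpatchedGuardMiscasts() { auto e = ElementFromDisabledSvgPage(); return WouldMiscast(*e, IsSVG_Unpatched); }
bool PatchedGuardMiscasts()   { auto e = ElementFromDisabledSvgPage(); return WouldMiscast(*e, IsSVG_Patched); }
std::size_t ClassCountSvgDisabled() { auto e = ElementFromDisabledSvgPage(); return GetClassCount(*e); }
std::size_t ClassCountSvgEnabled() {
  gSvgEnabled = true;
  auto e = CreateElement(kNameSpaceSVG, {"icon", "small"});
  return GetClassCount(*e);
}

}  // namespace toy

int main() {
  std::printf("unpatched guard miscasts: %d\n", toy::UnpatchedGuardMiscasts());
  std::printf("patched guard miscasts:   %d\n", toy::PatchedGuardMiscasts());
  std::printf("classes (SVG off/on):     %zu/%zu\n",
              toy::ClassCountSvgDisabled(), toy::ClassCountSvgEnabled());
  return 0;
}
```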

comment:7 Changed 4 years ago by mcs

Cc: mikeperry added
Owner: changed from tbb-team to mcs
Status: new → assigned

comment:8 Changed 4 years ago by mikeperry

I have also noticed an SVG-related crash happening reliably with 5.0a3 on 64bit Linux systems. Visiting any github user page (i.e. https://github.com/david415) with svg.in-content.enabled set to false will cause a crash every time for me.

Changed 4 years ago by mikeperry

Attachment: bug16495.backtrace.txt added

Github user page crash stacktrace.

comment:9 Changed 4 years ago by mcs

I think the Github user page crash has the same root cause, but I am not 100% sure. Near the top of the backtrace, layout/style/nsCSSRuleProcessor.cpp:3725 appears and the code there is using a value returned by aElement->GetClasses(), which is the same call that causes trouble in the NYT test case.

With my 32-bit debug build, I actually encounter an assertion failure inside JS::AutoAssertOnGC::VerifyIsSafeToGC() before I reach the point of crashing due to SVG (even with SVG enabled). I am not sure why that is, but if I comment that out (living dangerously), I can reproduce the SVG-related crash when loading a github user page. But my stack actually looks more like the one from comment:4.

Unfortunately, Kathy and I are running out of time to work on this for now, but I will post an in-progress patch and link to it here so those who are interested can take an early look. I believe it avoids crashes for both test cases mentioned in this ticket, but with static_cast thrown about in the code it is difficult to know if we fixed all possible cases that would lead to a crash :(

comment:12 Changed 4 years ago by saint

Cc: saint added

comment:13 Changed 4 years ago by mbauer

Cc: mabahas@… added

comment:14 Changed 4 years ago by gk

#16550 is a duplicate of this one.

comment:15 Changed 4 years ago by gk

Summary: Tor Browser 5.0a3 crashes on nytimes.com with security level set to "High" → Tor Browser 5.0a3 crashes with security level set to "High"

comment:16 in reply to:  14 ; Changed 4 years ago by mcs

Replying to gk:

#16550 is a duplicate of this one.

Did you mean #16560?

comment:17 in reply to:  16 Changed 4 years ago by gk

Replying to mcs:

Replying to gk:

#16550 is a duplicate of this one.

Did you mean #16560?

Yes, indeed.

comment:18 Changed 4 years ago by mikeperry

Keywords: tbb-5.0a4 added; tbb-5.0a removed

Tag some 5.0a4 goals.

comment:19 Changed 4 years ago by mcs

Status: assigned → needs_review

Here is a revised patch that is ready for review:
https://gitweb.torproject.org/user/brade/tor-browser.git/commit/?h=bug16495-02&id=9e59dae7fdb9527f688b03fa314e917712024d4b

It fixes all of the crashes that were reported and adds protection in other places too.
Unfortunately, it is difficult to be 100% certain that we found all the places where Bad Things can happen due to use of static_cast or negligence to check for failed QI's. If we keep finding more crashes due to our SVG blocking patches, we may need to adopt a different approach (but hopefully this patch is sufficient).

Once we are happy with this for TB 5.0, we can rebase for TB 4.5.x if needed.

comment:20 Changed 4 years ago by mcs

Keywords: TorBrowserTeam201507R added; TorBrowserTeam201507 removed

comment:21 Changed 4 years ago by mikeperry

Resolution: fixed
Status: needs_review → closed

Hrmm. Yes, this is deeply concerning. The patch looked OK to me on the surface so I merged it, but I agree that it seems impossible to be sure all of these conditions are met.

It may be the case that we decide that disabling SVG increases the vulnerability surface more than leaving it enabled. Given that there were at least 3 explicitly named SVG vulns since Firefox 31 (and an unknown number of SVG-related "memory safety hazards") in the Mozilla security advisories, I don't think we're there yet, especially since this is the first UAF issue for us.

If we hit another crash though, it might be time to reconsider. I spoke with Giorgio some time ago about this, and he did think there might be a way to do this via NoScript thanks to new web platform APIs, but I am also doubtful that would be substantially cleaner.

comment:22 Changed 4 years ago by gk

Just one additional thing (nit):
s/needed to to pick/needed to pick/

comment:23 in reply to:  22 Changed 4 years ago by mcs

Replying to gk:

Just one additional thing (nit):
s/needed to to pick/needed to pick/

Ugh. We had fixed this at the last moment in our working tree, but forgot to 'git add' before committing. In any case, thanks. We pushed a fix as commit 11ae3936ba9ff583f06e3b25585443fe01d8cee3.
