Bug 1681022 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Firefox version 85.0a1 (2020-12-06) (64-bit)
Asan output:
==29886==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190002ce398 at pc 0x0001154ec20d bp 0x7ffee67aa8d0 sp 0x7ffee67aa8c8
READ of size 1 at 0x6190002ce398 thread T0
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: Failed to use and restart external symbolizer!
    #0 0x1154ec20c in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c)
    #1 0x1158a1c98 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x27e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb290c98)
    #2 0x1157ba61f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType)+0x220f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a961f)
    #3 0x1157b2ee6 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&)+0x5a6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a1ee6)
    #4 0x1157b4b40 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x8c0 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a3b40)
    #5 0x1158a7bec in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)+0x2ac (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb296bec)
    #6 0x1158bc75b in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)+0x12fb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ab75b)
    #7 0x1158c4c81 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)+0x161 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b3c81)
    #8 0x1158c100c in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xb2c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b000c)
    #9 0x115ae5bf9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)+0x1d49 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb4d4bf9)
    #10 0x1158284b4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)+0x214 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2174b4)
    #11 0x115826da2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)+0x4a2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb215da2)
    #12 0x11581fc6d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x7fd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb20ec6d)
    #13 0x115818d9c in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x13c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb207d9c)
    #14 0x11580ca85 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)+0x16b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1fba85)
    #15 0x115804af3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x14c3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1f3af3)
    #16 0x11588239b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x43b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb27139b)
    #17 0x11585861b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x122b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb24761b)
    #18 0x115919390 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)+0x1420 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb308390)
    #19 0x11591b490 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)+0x320 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb30a490)
    #20 0x115927e6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xd8a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb316e6a)
    #21 0x115883345 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x335 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb272345)
    #22 0x1157f4b02 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x642 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1e3b02)
    #23 0x1155a66a4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)+0x1ac4 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf956a4)
    #24 0x1155be1f8 in mozilla::PresShell::ProcessReflowCommands(bool)+0x478 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafad1f8)
    #25 0x1155bc258 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)+0x1ba8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafab258)
    #26 0x11552e136 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x2b36 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf1d136)
    #27 0x115541903 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)+0x213 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf30903)
    #28 0x1155415e8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0xc8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf305e8)
    #29 0x115540a4c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x1cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2fa4c)
    #30 0x11553fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()+0x76e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2ed1e)
    #31 0x11553f302 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2e302)
    #32 0x1141fb81d in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&)+0x2cd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x9bea81d)
    #33 0x10cc7cb92 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&)+0x4f2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x266bb92)
    #34 0x10c6dc9af in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)+0x35f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x20cb9af)
    #35 0x10bf097f8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x1e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f87f8)
    #36 0x10bf0471d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)+0x71d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f371d)
    #37 0x10bf06f36 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)+0x586 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f5f36)
    #38 0x10bf07ca1 in mozilla::ipc::MessageChannel::MessageTask::Run()+0x101 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f6ca1)
    #39 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #40 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #41 0x10a9b095e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xae (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39f95e)
    #42 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #43 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #44 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)
    #45 0x10a9eee4d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3dde4d)
    #46 0x10bf1496e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x40e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x190396e)
    #47 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #48 0x114e343ff in nsBaseAppShell::Run()+0x4f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa8233ff)
    #49 0x114f8d24c in nsAppShell::Run()+0x3cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa97c24c)
    #50 0x118eaa71e in XRE_RunAppShell()+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe89971e)
    #51 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #52 0x118ea9b94 in XRE_InitChildProcess(int, char**, XREChildData const*)+0xf94 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe898b94)
    #53 0x10944bd06 in main+0x1b6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000d06)
    #54 0x7fff6d7a5cc8 in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

0x6190002ce398 is located 280 bytes inside of 1024-byte region [0x6190002ce280,0x6190002ce680)
freed by thread T0 here:
    #0 0x12ba47cd6 in wrap_free+0xa6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46cd6)
    #1 0x11b951387 in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0xf97 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x11340387)
    #2 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #3 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #4 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #5 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #6 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #7 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #8 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #9 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #10 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #11 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #12 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #13 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #14 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #15 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #16 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #17 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #18 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #19 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #20 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #21 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #22 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #23 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #24 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #25 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #26 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #27 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #28 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #29 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)

previously allocated by thread T0 here:
    #0 0x12ba47b8d in wrap_malloc+0x9d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46b8d)
    #1 0x11b94cc6e in smallvec::SmallVec$LT$A$GT$::push::ha7920bdc965a65bc+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133bc6e)
    #2 0x11b950cae in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0x8be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133fcae)
    #3 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #4 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #5 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #6 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #7 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #8 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #9 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #10 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #11 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #12 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #13 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #14 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #15 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #16 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #17 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #18 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #19 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #20 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #21 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #22 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #23 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #24 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #25 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #26 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #27 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #28 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #29 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c) in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c
Shadow bytes around the buggy address:
  0x1c3200059c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200059c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200059c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3200059c70: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29886==ABORTING

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

Firefox version 85.0a1 (2020-12-06) (64-bit)
Asan output:
```
==29886==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190002ce398 at pc 0x0001154ec20d bp 0x7ffee67aa8d0 sp 0x7ffee67aa8c8
READ of size 1 at 0x6190002ce398 thread T0
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: Failed to use and restart external symbolizer!
    #0 0x1154ec20c in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c)
    #1 0x1158a1c98 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x27e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb290c98)
    #2 0x1157ba61f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType)+0x220f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a961f)
    #3 0x1157b2ee6 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&)+0x5a6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a1ee6)
    #4 0x1157b4b40 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x8c0 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a3b40)
    #5 0x1158a7bec in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)+0x2ac (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb296bec)
    #6 0x1158bc75b in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)+0x12fb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ab75b)
    #7 0x1158c4c81 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)+0x161 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b3c81)
    #8 0x1158c100c in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xb2c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b000c)
    #9 0x115ae5bf9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)+0x1d49 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb4d4bf9)
    #10 0x1158284b4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)+0x214 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2174b4)
    #11 0x115826da2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)+0x4a2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb215da2)
    #12 0x11581fc6d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x7fd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb20ec6d)
    #13 0x115818d9c in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x13c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb207d9c)
    #14 0x11580ca85 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)+0x16b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1fba85)
    #15 0x115804af3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x14c3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1f3af3)
    #16 0x11588239b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x43b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb27139b)
    #17 0x11585861b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x122b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb24761b)
    #18 0x115919390 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)+0x1420 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb308390)
    #19 0x11591b490 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)+0x320 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb30a490)
    #20 0x115927e6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xd8a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb316e6a)
    #21 0x115883345 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x335 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb272345)
    #22 0x1157f4b02 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x642 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1e3b02)
    #23 0x1155a66a4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)+0x1ac4 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf956a4)
    #24 0x1155be1f8 in mozilla::PresShell::ProcessReflowCommands(bool)+0x478 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafad1f8)
    #25 0x1155bc258 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)+0x1ba8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafab258)
    #26 0x11552e136 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x2b36 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf1d136)
    #27 0x115541903 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)+0x213 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf30903)
    #28 0x1155415e8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0xc8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf305e8)
    #29 0x115540a4c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x1cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2fa4c)
    #30 0x11553fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()+0x76e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2ed1e)
    #31 0x11553f302 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2e302)
    #32 0x1141fb81d in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&)+0x2cd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x9bea81d)
    #33 0x10cc7cb92 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&)+0x4f2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x266bb92)
    #34 0x10c6dc9af in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)+0x35f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x20cb9af)
    #35 0x10bf097f8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x1e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f87f8)
    #36 0x10bf0471d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)+0x71d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f371d)
    #37 0x10bf06f36 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)+0x586 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f5f36)
    #38 0x10bf07ca1 in mozilla::ipc::MessageChannel::MessageTask::Run()+0x101 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f6ca1)
    #39 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #40 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #41 0x10a9b095e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xae (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39f95e)
    #42 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #43 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #44 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)
    #45 0x10a9eee4d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3dde4d)
    #46 0x10bf1496e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x40e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x190396e)
    #47 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #48 0x114e343ff in nsBaseAppShell::Run()+0x4f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa8233ff)
    #49 0x114f8d24c in nsAppShell::Run()+0x3cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa97c24c)
    #50 0x118eaa71e in XRE_RunAppShell()+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe89971e)
    #51 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
    #52 0x118ea9b94 in XRE_InitChildProcess(int, char**, XREChildData const*)+0xf94 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe898b94)
    #53 0x10944bd06 in main+0x1b6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000d06)
    #54 0x7fff6d7a5cc8 in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)

0x6190002ce398 is located 280 bytes inside of 1024-byte region [0x6190002ce280,0x6190002ce680)
freed by thread T0 here:
    #0 0x12ba47cd6 in wrap_free+0xa6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46cd6)
    #1 0x11b951387 in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0xf97 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x11340387)
    #2 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #3 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #4 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #5 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #6 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #7 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #8 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #9 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #10 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #11 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #12 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #13 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #14 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #15 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #16 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #17 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #18 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #19 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #20 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #21 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #22 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #23 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #24 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #25 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #26 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #27 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #28 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
    #29 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)

previously allocated by thread T0 here:
    #0 0x12ba47b8d in wrap_malloc+0x9d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46b8d)
    #1 0x11b94cc6e in smallvec::SmallVec$LT$A$GT$::push::ha7920bdc965a65bc+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133bc6e)
    #2 0x11b950cae in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0x8be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133fcae)
    #3 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
    #4 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
    #5 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
    #6 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
    #7 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
    #8 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #9 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #10 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #11 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
    #12 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
    #13 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
    #14 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
    #15 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
    #16 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
    #17 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
    #18 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
    #19 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
    #20 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
    #21 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
    #22 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
    #23 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
    #24 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
    #25 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
    #26 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
    #27 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
    #28 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
    #29 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)

SUMMARY: AddressSanitizer: heap-use-after-free (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c) in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c
Shadow bytes around the buggy address:
  0x1c3200059c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200059c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x1c3200059c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3200059c70: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
  0x1c3200059cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==29886==ABORTING

###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
```
