1061027 - Type confusion in ComputeBorderOverflow

Status: RESOLVED FIXED

(Core :: MathML, defect)

Description

[Abhishek Arya]

Attachment: Testcase

Build with latest clang with ubsan vptr (-fsanitize=vptr support and enable rtti (ac_add_options --enable-cpp-rtti, ignore startup false positives). Incorrect type can be checked in regular build as well. UBSAN vptr build is just useful for fuzzing. 

layout/mathml/nsMathMLmtableFrame.cpp:240:5: runtime error: downcast of address 0x62500131d348 which does not point to an object of type nsMathMLmtableFrame
0x62500131d348: note: object is of type nsTableFrame
 ff ff ff 7f  90 4e 66 ab d6 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 8f 1d 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for nsTableFrame
    #0 0x7fd6a519b135 in ComputeBorderOverflow(nsMathMLmtdFrame*, nsStyleBorder) layout/mathml/nsMathMLmtableFrame.cpp:240:39
    #1 0x7fd6a519a231 in nsMathMLmtdFrame::GetBorderOverflow() layout/mathml/nsMathMLmtableFrame.cpp:1242:23
    #2 0x7fd6a4d45560 in nsTableCellFrame::VerticallyAlignChild(int) layout/tables/nsTableCellFrame.cpp:630:20
    #3 0x7fd6a4dc7f2c in nsTableRowFrame::DidResize() layout/tables/nsTableRowFrame.cpp:341:7
    #4 0x7fd6a4dde230 in nsTableRowGroupFrame::DidResizeRows(nsHTMLReflowMetrics&) layout/tables/nsTableRowGroupFrame.cpp:524:5
    #5 0x7fd6a4de2039 in nsTableRowGroupFrame::CalculateRowHeights(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&) layout/tables/nsTableRowGroupFrame.cpp:808:3
    #6 0x7fd6a4ddd47b in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, nsHTMLReflowMetrics&, nsRowGroupReflowState&, unsigned int&, bool*) layout/tables/nsTableRowGroupFrame.cpp:471:5
    #7 0x7fd6a4de7cbf in nsTableRowGroupFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableRowGroupFrame.cpp:1318:3
    #8 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #9 0x7fd6a4d84e5c in nsTableFrame::ReflowChildren(nsTableReflowState&, unsigned int&, nsIFrame*&, nsOverflowAreas&) layout/tables/nsTableFrame.cpp:2978:7
    #10 0x7fd6a4d7ec87 in nsTableFrame::ReflowTable(nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, nsIFrame*&, unsigned int&) layout/tables/nsTableFrame.cpp:1997:3
    #11 0x7fd6a4d7c804 in nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableFrame.cpp:1823:5
    #12 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #13 0x7fd6a4db84bc in nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:851:3
    #14 0x7fd6a4dba0a3 in nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:1008:3
    #15 0x7fd6a4969fe8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:284:3
    #16 0x7fd6a495ea3c in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3196:5
    #17 0x7fd6a494f421 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2150:7
    #18 0x7fd6a4942584 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1136:3
    #19 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #20 0x7fd6a49ac263 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:567:5
    #21 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #22 0x7fd6a4a8545f in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:454:3
    #23 0x7fd6a4a8a579 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:563:3
    #24 0x7fd6a4a8e2ab in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:797:3
    #25 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #26 0x7fd6a4c757c4 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:216:7
    #27 0x7fd6a45b1cc9 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:8814:3
    #28 0x7fd6a45d5e97 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:8971:24
    #29 0x7fd6a45d3a46 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4260:11
    #30 0x7fd6a45537c0 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:948:5
    #31 0x7fd6a59e3246 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:7072:9
    #32 0x7fd6a59deb3c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6890:13
    #33 0x7fd6a59df6cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6897:1
    #34 0x7fd69fd3636a in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1269:3
    #35 0x7fd69fd35069 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:850:5
    #36 0x7fd69fd3098c in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:740:9
    #37 0x7fd69fd33856 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:624:5
    #38 0x7fd69fd348cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:628:1
    #39 0x7fd69e1d9fbc in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:689:18
    #40 0x7fd6a2e2b81b in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:8740:7
    #41 0x7fd6a2e2af55 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:8668:9
    #42 0x7fd6a29a57d5 in nsBindingManager::DoProcessAttachedQueue() dom/xbl/nsBindingManager.cpp:418:5
    #43 0x7fd6a2a31648 in nsRunnableMethodImpl<void (nsBindingManager::*)(), void, true>::Run() objdir-ff-asan/dom/xbl/../../dist/include/nsThreadUtils.h:391:7
    #44 0x7fd69df62c8a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:770:7
    #45 0x7fd69dfd75b2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #46 0x7fd69ec0dd44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #47 0x7fd69eb9d930 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #48 0x7fd6a2c38992 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #49 0x7fd6a6352242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278:19
    #50 0x7fd6a64861d9 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4024:10
    #51 0x7fd6a64872f2 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4095:8
    #52 0x7fd6a648828c in XRE_main toolkit/xre/nsAppRunner.cpp:4309:16
    #53 0x4bfacd in main browser/app/nsBrowserApp.cpp:282:12
    #54 0x7fd6b26d6de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #55 0x4bf01c in _start

layout/mathml/nsMathMLmtableFrame.cpp:243:21: runtime error: member call on address 0x62500131d348 which does not point to an object of type nsMathMLmtableFrame
0x62500131d348: note: object is of type nsTableFrame
 ff ff ff 7f  90 4e 66 ab d6 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 8f 1d 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for nsTableFrame
    #0 0x7fd6a519b234 in ComputeBorderOverflow(nsMathMLmtdFrame*, nsStyleBorder) layout/mathml/nsMathMLmtableFrame.cpp:243:21
    #1 0x7fd6a519a231 in nsMathMLmtdFrame::GetBorderOverflow() layout/mathml/nsMathMLmtableFrame.cpp:1242:23
    #2 0x7fd6a4d45560 in nsTableCellFrame::VerticallyAlignChild(int) layout/tables/nsTableCellFrame.cpp:630:20
    #3 0x7fd6a4dc7f2c in nsTableRowFrame::DidResize() layout/tables/nsTableRowFrame.cpp:341:7
    #4 0x7fd6a4dde230 in nsTableRowGroupFrame::DidResizeRows(nsHTMLReflowMetrics&) layout/tables/nsTableRowGroupFrame.cpp:524:5
    #5 0x7fd6a4de2039 in nsTableRowGroupFrame::CalculateRowHeights(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&) layout/tables/nsTableRowGroupFrame.cpp:808:3
    #6 0x7fd6a4ddd47b in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, nsHTMLReflowMetrics&, nsRowGroupReflowState&, unsigned int&, bool*) layout/tables/nsTableRowGroupFrame.cpp:471:5
    #7 0x7fd6a4de7cbf in nsTableRowGroupFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableRowGroupFrame.cpp:1318:3
    #8 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #9 0x7fd6a4d84e5c in nsTableFrame::ReflowChildren(nsTableReflowState&, unsigned int&, nsIFrame*&, nsOverflowAreas&) layout/tables/nsTableFrame.cpp:2978:7
    #10 0x7fd6a4d7ec87 in nsTableFrame::ReflowTable(nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, nsIFrame*&, unsigned int&) layout/tables/nsTableFrame.cpp:1997:3
    #11 0x7fd6a4d7c804 in nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableFrame.cpp:1823:5
    #12 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #13 0x7fd6a4db84bc in nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:851:3
    #14 0x7fd6a4dba0a3 in nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:1008:3
    #15 0x7fd6a4969fe8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:284:3
    #16 0x7fd6a495ea3c in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3196:5
    #17 0x7fd6a494f421 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2150:7
    #18 0x7fd6a4942584 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1136:3
    #19 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #20 0x7fd6a49ac263 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:567:5
    #21 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #22 0x7fd6a4a8545f in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:454:3
    #23 0x7fd6a4a8a579 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:563:3
    #24 0x7fd6a4a8e2ab in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:797:3
    #25 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #26 0x7fd6a4c757c4 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:216:7
    #27 0x7fd6a45b1cc9 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:8814:3
    #28 0x7fd6a45d5e97 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:8971:24
    #29 0x7fd6a45d3a46 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4260:11
    #30 0x7fd6a45537c0 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:948:5
    #31 0x7fd6a59e3246 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:7072:9
    #32 0x7fd6a59deb3c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6890:13
    #33 0x7fd6a59df6cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6897:1
    #34 0x7fd69fd3636a in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1269:3
    #35 0x7fd69fd35069 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:850:5
    #36 0x7fd69fd3098c in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:740:9
    #37 0x7fd69fd33856 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:624:5
    #38 0x7fd69fd348cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:628:1
    #39 0x7fd69e1d9fbc in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:689:18
    #40 0x7fd6a2e2b81b in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:8740:7
    #41 0x7fd6a2e2af55 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:8668:9
    #42 0x7fd6a29a57d5 in nsBindingManager::DoProcessAttachedQueue() dom/xbl/nsBindingManager.cpp:418:5
    #43 0x7fd6a2a31648 in nsRunnableMethodImpl<void (nsBindingManager::*)(), void, true>::Run() objdir-ff-asan/dom/xbl/../../dist/include/nsThreadUtils.h:391:7
    #44 0x7fd69df62c8a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:770:7
    #45 0x7fd69dfd75b2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #46 0x7fd69ec0dd44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #47 0x7fd69eb9d930 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #48 0x7fd6a2c38992 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #49 0x7fd6a6352242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278:19
    #50 0x7fd6a64861d9 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4024:10
    #51 0x7fd6a64872f2 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4095:8
    #52 0x7fd6a648828c in XRE_main toolkit/xre/nsAppRunner.cpp:4309:16
    #53 0x4bfacd in main browser/app/nsBrowserApp.cpp:282:12
    #54 0x7fd6b26d6de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #55 0x4bf01c in _start

layout/mathml/nsMathMLmtableFrame.cpp:244:22: runtime error: member call on address 0x62500131d348 which does not point to an object of type nsMathMLmtableFrame
0x62500131d348: note: object is of type nsTableFrame
 ff ff ff 7f  90 4e 66 ab d6 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 8f 1d 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for nsTableFrame
    #0 0x7fd6a519b255 in ComputeBorderOverflow(nsMathMLmtdFrame*, nsStyleBorder) layout/mathml/nsMathMLmtableFrame.cpp:244:22
    #1 0x7fd6a519a231 in nsMathMLmtdFrame::GetBorderOverflow() layout/mathml/nsMathMLmtableFrame.cpp:1242:23
    #2 0x7fd6a4d45560 in nsTableCellFrame::VerticallyAlignChild(int) layout/tables/nsTableCellFrame.cpp:630:20
    #3 0x7fd6a4dc7f2c in nsTableRowFrame::DidResize() layout/tables/nsTableRowFrame.cpp:341:7
    #4 0x7fd6a4dde230 in nsTableRowGroupFrame::DidResizeRows(nsHTMLReflowMetrics&) layout/tables/nsTableRowGroupFrame.cpp:524:5
    #5 0x7fd6a4de2039 in nsTableRowGroupFrame::CalculateRowHeights(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&) layout/tables/nsTableRowGroupFrame.cpp:808:3
    #6 0x7fd6a4ddd47b in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, nsHTMLReflowMetrics&, nsRowGroupReflowState&, unsigned int&, bool*) layout/tables/nsTableRowGroupFrame.cpp:471:5
    #7 0x7fd6a4de7cbf in nsTableRowGroupFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableRowGroupFrame.cpp:1318:3
    #8 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #9 0x7fd6a4d84e5c in nsTableFrame::ReflowChildren(nsTableReflowState&, unsigned int&, nsIFrame*&, nsOverflowAreas&) layout/tables/nsTableFrame.cpp:2978:7
    #10 0x7fd6a4d7ec87 in nsTableFrame::ReflowTable(nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, nsIFrame*&, unsigned int&) layout/tables/nsTableFrame.cpp:1997:3
    #11 0x7fd6a4d7c804 in nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableFrame.cpp:1823:5
    #12 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #13 0x7fd6a4db84bc in nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:851:3
    #14 0x7fd6a4dba0a3 in nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:1008:3
    #15 0x7fd6a4969fe8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:284:3
    #16 0x7fd6a495ea3c in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3196:5
    #17 0x7fd6a494f421 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2150:7
    #18 0x7fd6a4942584 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1136:3
    #19 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #20 0x7fd6a49ac263 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:567:5
    #21 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #22 0x7fd6a4a8545f in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:454:3
    #23 0x7fd6a4a8a579 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:563:3
    #24 0x7fd6a4a8e2ab in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:797:3
    #25 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #26 0x7fd6a4c757c4 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:216:7
    #27 0x7fd6a45b1cc9 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:8814:3
    #28 0x7fd6a45d5e97 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:8971:24
    #29 0x7fd6a45d3a46 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4260:11
    #30 0x7fd6a45537c0 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:948:5
    #31 0x7fd6a59e3246 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:7072:9
    #32 0x7fd6a59deb3c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6890:13
    #33 0x7fd6a59df6cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6897:1
    #34 0x7fd69fd3636a in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1269:3
    #35 0x7fd69fd35069 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:850:5
    #36 0x7fd69fd3098c in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:740:9
    #37 0x7fd69fd33856 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:624:5
    #38 0x7fd69fd348cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:628:1
    #39 0x7fd69e1d9fbc in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:689:18
    #40 0x7fd6a2e2b81b in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:8740:7
    #41 0x7fd6a2e2af55 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:8668:9
    #42 0x7fd6a29a57d5 in nsBindingManager::DoProcessAttachedQueue() dom/xbl/nsBindingManager.cpp:418:5
    #43 0x7fd6a2a31648 in nsRunnableMethodImpl<void (nsBindingManager::*)(), void, true>::Run() objdir-ff-asan/dom/xbl/../../dist/include/nsThreadUtils.h:391:7
    #44 0x7fd69df62c8a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:770:7
    #45 0x7fd69dfd75b2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #46 0x7fd69ec0dd44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #47 0x7fd69eb9d930 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #48 0x7fd6a2c38992 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #49 0x7fd6a6352242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278:19
    #50 0x7fd6a64861d9 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4024:10
    #51 0x7fd6a64872f2 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4095:8
    #52 0x7fd6a648828c in XRE_main toolkit/xre/nsAppRunner.cpp:4309:16
    #53 0x4bfacd in main browser/app/nsBrowserApp.cpp:282:12
    #54 0x7fd6b26d6de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #55 0x4bf01c in _start

layout/mathml/nsMathMLmtableFrame.cpp:253:20: runtime error: member call on address 0x62500131d348 which does not point to an object of type nsMathMLmtableFrame
0x62500131d348: note: object is of type nsTableFrame
 ff ff ff 7f  90 4e 66 ab d6 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 8f 1d 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for nsTableFrame
    #0 0x7fd6a519b276 in ComputeBorderOverflow(nsMathMLmtdFrame*, nsStyleBorder) layout/mathml/nsMathMLmtableFrame.cpp:253:20
    #1 0x7fd6a519a231 in nsMathMLmtdFrame::GetBorderOverflow() layout/mathml/nsMathMLmtableFrame.cpp:1242:23
    #2 0x7fd6a4d45560 in nsTableCellFrame::VerticallyAlignChild(int) layout/tables/nsTableCellFrame.cpp:630:20
    #3 0x7fd6a4dc7f2c in nsTableRowFrame::DidResize() layout/tables/nsTableRowFrame.cpp:341:7
    #4 0x7fd6a4dde230 in nsTableRowGroupFrame::DidResizeRows(nsHTMLReflowMetrics&) layout/tables/nsTableRowGroupFrame.cpp:524:5
    #5 0x7fd6a4de2039 in nsTableRowGroupFrame::CalculateRowHeights(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&) layout/tables/nsTableRowGroupFrame.cpp:808:3
    #6 0x7fd6a4ddd47b in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, nsHTMLReflowMetrics&, nsRowGroupReflowState&, unsigned int&, bool*) layout/tables/nsTableRowGroupFrame.cpp:471:5
    #7 0x7fd6a4de7cbf in nsTableRowGroupFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableRowGroupFrame.cpp:1318:3
    #8 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #9 0x7fd6a4d84e5c in nsTableFrame::ReflowChildren(nsTableReflowState&, unsigned int&, nsIFrame*&, nsOverflowAreas&) layout/tables/nsTableFrame.cpp:2978:7
    #10 0x7fd6a4d7ec87 in nsTableFrame::ReflowTable(nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, nsIFrame*&, unsigned int&) layout/tables/nsTableFrame.cpp:1997:3
    #11 0x7fd6a4d7c804 in nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableFrame.cpp:1823:5
    #12 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #13 0x7fd6a4db84bc in nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:851:3
    #14 0x7fd6a4dba0a3 in nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:1008:3
    #15 0x7fd6a4969fe8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:284:3
    #16 0x7fd6a495ea3c in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3196:5
    #17 0x7fd6a494f421 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2150:7
    #18 0x7fd6a4942584 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1136:3
    #19 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #20 0x7fd6a49ac263 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:567:5
    #21 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #22 0x7fd6a4a8545f in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:454:3
    #23 0x7fd6a4a8a579 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:563:3
    #24 0x7fd6a4a8e2ab in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:797:3
    #25 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #26 0x7fd6a4c757c4 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:216:7
    #27 0x7fd6a45b1cc9 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:8814:3
    #28 0x7fd6a45d5e97 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:8971:24
    #29 0x7fd6a45d3a46 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4260:11
    #30 0x7fd6a45537c0 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:948:5
    #31 0x7fd6a59e3246 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:7072:9
    #32 0x7fd6a59deb3c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6890:13
    #33 0x7fd6a59df6cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6897:1
    #34 0x7fd69fd3636a in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1269:3
    #35 0x7fd69fd35069 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:850:5
    #36 0x7fd69fd3098c in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:740:9
    #37 0x7fd69fd33856 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:624:5
    #38 0x7fd69fd348cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:628:1
    #39 0x7fd69e1d9fbc in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:689:18
    #40 0x7fd6a2e2b81b in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:8740:7
    #41 0x7fd6a2e2af55 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:8668:9
    #42 0x7fd6a29a57d5 in nsBindingManager::DoProcessAttachedQueue() dom/xbl/nsBindingManager.cpp:418:5
    #43 0x7fd6a2a31648 in nsRunnableMethodImpl<void (nsBindingManager::*)(), void, true>::Run() objdir-ff-asan/dom/xbl/../../dist/include/nsThreadUtils.h:391:7
    #44 0x7fd69df62c8a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:770:7
    #45 0x7fd69dfd75b2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #46 0x7fd69ec0dd44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #47 0x7fd69eb9d930 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #48 0x7fd6a2c38992 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #49 0x7fd6a6352242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278:19
    #50 0x7fd6a64861d9 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4024:10
    #51 0x7fd6a64872f2 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4095:8
    #52 0x7fd6a648828c in XRE_main toolkit/xre/nsAppRunner.cpp:4309:16
    #53 0x4bfacd in main browser/app/nsBrowserApp.cpp:282:12
    #54 0x7fd6b26d6de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #55 0x4bf01c in _start
layout/mathml/nsMathMLmtableFrame.cpp:254:23: runtime error: member call on address 0x62500131d348 which does not point to an object of type nsMathMLmtableFrame
0x62500131d348: note: object is of type nsTableFrame
 ff ff ff 7f  90 4e 66 ab d6 7f 00 00  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  40 8f 1d 00
              ^~~~~~~~~~~~~~~~~~~~~~~
              vptr for nsTableFrame
    #0 0x7fd6a519b29a in ComputeBorderOverflow(nsMathMLmtdFrame*, nsStyleBorder) layout/mathml/nsMathMLmtableFrame.cpp:254:23
    #1 0x7fd6a519a231 in nsMathMLmtdFrame::GetBorderOverflow() layout/mathml/nsMathMLmtableFrame.cpp:1242:23
    #2 0x7fd6a4d45560 in nsTableCellFrame::VerticallyAlignChild(int) layout/tables/nsTableCellFrame.cpp:630:20
    #3 0x7fd6a4dc7f2c in nsTableRowFrame::DidResize() layout/tables/nsTableRowFrame.cpp:341:7
    #4 0x7fd6a4dde230 in nsTableRowGroupFrame::DidResizeRows(nsHTMLReflowMetrics&) layout/tables/nsTableRowGroupFrame.cpp:524:5
    #5 0x7fd6a4de2039 in nsTableRowGroupFrame::CalculateRowHeights(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&) layout/tables/nsTableRowGroupFrame.cpp:808:3
    #6 0x7fd6a4ddd47b in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, nsHTMLReflowMetrics&, nsRowGroupReflowState&, unsigned int&, bool*) layout/tables/nsTableRowGroupFrame.cpp:471:5
    #7 0x7fd6a4de7cbf in nsTableRowGroupFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableRowGroupFrame.cpp:1318:3
    #8 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #9 0x7fd6a4d84e5c in nsTableFrame::ReflowChildren(nsTableReflowState&, unsigned int&, nsIFrame*&, nsOverflowAreas&) layout/tables/nsTableFrame.cpp:2978:7
    #10 0x7fd6a4d7ec87 in nsTableFrame::ReflowTable(nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, nsIFrame*&, unsigned int&) layout/tables/nsTableFrame.cpp:1997:3
    #11 0x7fd6a4d7c804 in nsTableFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableFrame.cpp:1823:5
    #12 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #13 0x7fd6a4db84bc in nsTableOuterFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, nsHTMLReflowState const&, nsHTMLReflowMetrics&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:851:3
    #14 0x7fd6a4dba0a3 in nsTableOuterFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/tables/nsTableOuterFrame.cpp:1008:3
    #15 0x7fd6a4969fe8 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) layout/generic/nsBlockReflowContext.cpp:284:3
    #16 0x7fd6a495ea3c in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) layout/generic/nsBlockFrame.cpp:3196:5
    #17 0x7fd6a494f421 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) layout/generic/nsBlockFrame.cpp:2150:7
    #18 0x7fd6a4942584 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsBlockFrame.cpp:1136:3
    #19 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #20 0x7fd6a49ac263 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsCanvasFrame.cpp:567:5
    #21 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #22 0x7fd6a4a8545f in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) layout/generic/nsGfxScrollFrame.cpp:454:3
    #23 0x7fd6a4a8a579 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) layout/generic/nsGfxScrollFrame.cpp:563:3
    #24 0x7fd6a4a8e2ab in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsGfxScrollFrame.cpp:797:3
    #25 0x7fd6a49ae049 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) layout/generic/nsContainerFrame.cpp:938:3
    #26 0x7fd6a4c757c4 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) layout/generic/nsViewportFrame.cpp:216:7
    #27 0x7fd6a45b1cc9 in PresShell::DoReflow(nsIFrame*, bool) layout/base/nsPresShell.cpp:8814:3
    #28 0x7fd6a45d5e97 in PresShell::ProcessReflowCommands(bool) layout/base/nsPresShell.cpp:8971:24
    #29 0x7fd6a45d3a46 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) layout/base/nsPresShell.cpp:4260:11
    #30 0x7fd6a45537c0 in nsDocumentViewer::LoadComplete(tag_nsresult) layout/base/nsDocumentViewer.cpp:948:5
    #31 0x7fd6a59e3246 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) docshell/base/nsDocShell.cpp:7072:9
    #32 0x7fd6a59deb3c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6890:13
    #33 0x7fd6a59df6cf in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) docshell/base/nsDocShell.cpp:6897:1
    #34 0x7fd69fd3636a in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) uriloader/base/nsDocLoader.cpp:1269:3
    #35 0x7fd69fd35069 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) uriloader/base/nsDocLoader.cpp:850:5
    #36 0x7fd69fd3098c in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:740:9
    #37 0x7fd69fd33856 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:624:5
    #38 0x7fd69fd348cc in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) uriloader/base/nsDocLoader.cpp:628:1
    #39 0x7fd69e1d9fbc in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) netwerk/base/src/nsLoadGroup.cpp:689:18
    #40 0x7fd6a2e2b81b in nsDocument::DoUnblockOnload() content/base/src/nsDocument.cpp:8740:7
    #41 0x7fd6a2e2af55 in nsDocument::UnblockOnload(bool) content/base/src/nsDocument.cpp:8668:9
    #42 0x7fd6a29a57d5 in nsBindingManager::DoProcessAttachedQueue() dom/xbl/nsBindingManager.cpp:418:5
    #43 0x7fd6a2a31648 in nsRunnableMethodImpl<void (nsBindingManager::*)(), void, true>::Run() objdir-ff-asan/dom/xbl/../../dist/include/nsThreadUtils.h:391:7
    #44 0x7fd69df62c8a in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:770:7
    #45 0x7fd69dfd75b2 in NS_ProcessNextEvent(nsIThread*, bool) xpcom/glue/nsThreadUtils.cpp:265:10
    #46 0x7fd69ec0dd44 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:99:21
    #47 0x7fd69eb9d930 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:229:3
    #48 0x7fd6a2c38992 in nsBaseAppShell::Run() widget/xpwidgets/nsBaseAppShell.cpp:164:3
    #49 0x7fd6a6352242 in nsAppStartup::Run() toolkit/components/startup/nsAppStartup.cpp:278:19
    #50 0x7fd6a64861d9 in XREMain::XRE_mainRun() toolkit/xre/nsAppRunner.cpp:4024:10
    #51 0x7fd6a64872f2 in XREMain::XRE_main(int, char**, nsXREAppData const*) toolkit/xre/nsAppRunner.cpp:4095:8
    #52 0x7fd6a648828c in XRE_main toolkit/xre/nsAppRunner.cpp:4309:16
    #53 0x4bfacd in main browser/app/nsBrowserApp.cpp:282:12
    #54 0x7fd6b26d6de4 in __libc_start_main /build/buildd/eglibc-2.17/csu/libc-start.c:260
    #55 0x4bf01c in _start

Comment 1

[Mats Palmgren (inactive)]

The methods called on the table frame in ComputeBorderOverflow are:
GetColCount
GetRowCount
GetCellSpacingX
GetCellSpacingY

http://hg.mozilla.org/mozilla-central/annotate/532b5fb77ba1/layout/mathml/nsMathMLmtableFrame.cpp#l233

The first two are non-virtual, and only implemented on nsTableFrame
and they aren't a problem afaict.  The latter two are virtual and
overridden by nsMathMLmtableFrame.  In my local debug build (Linux64
compiled with clang), the correct virtual method is called
(nsTableFrame::GetCellSpacingX/Y).  The nsMathMLmtableFrame class
is not marked final.  So maybe this is harmless?

Comment 2

[Mats Palmgren (inactive)]

Attachment: fix

The static_cast isn't actually needed here.

Comment 3

[Mats Palmgren (inactive)]

If I add MOZ_FINAL on nsMathMLmtableFrame then nsMathMLmtableFrame::GetCellSpacingX
is called instead and it crashes.

Comment 4

[Mats Palmgren (inactive)]

Comment on attachment 8482390 [details] [diff] [review]
fix

I should audit the other casts that bug added first...

Comment 5

[Abhishek Arya]

(In reply to Mats Palmgren (:mats) from comment #3)
> If I add MOZ_FINAL on nsMathMLmtableFrame then
> nsMathMLmtableFrame::GetCellSpacingX
> is called instead and it crashes.

I think that makes it access the variables out-of-bounds the allocation size for nsTableFrame.

private:
164   nsTArray<nscoord> mColSpacing;
165   nsTArray<nscoord> mRowSpacing;
166   nscoord mFrameSpacingX;
167   nscoord mFrameSpacingY;
168   bool mUseCSSSpacing;
169 }; // class nsMathMLmtableFrame

Comment 6

[Mats Palmgren (inactive)]

Comment on attachment 8482390 [details] [diff] [review]
fix

The other two casts (in nsDisplaymtdBorder::GetBounds/Paint) are
correct because the constructor takes a nsMathMLmtdFrame*:
http://hg.mozilla.org/mozilla-central/annotate/532b5fb77ba1/layout/mathml/nsMathMLmtableFrame.cpp#l272

(I looked through all static_cast<nsMathML* and C-style casts too,
and they looked OK to me.)

Comment 7

[Mats Palmgren (inactive)]

(In reply to Abhishek Arya from comment #5)
> (In reply to Mats Palmgren (:mats) from comment #3)
> > If I add MOZ_FINAL on nsMathMLmtableFrame then
> > nsMathMLmtableFrame::GetCellSpacingX
> > is called instead and it crashes.
> 
> I think that makes it access the variables out-of-bounds the allocation size
> for nsTableFrame.

Yeah, calling nsMathMLmtableFrame::GetCellSpacingX with and
nsTableFrame instance might be unsafe.  My point above is
that unless the class is marked "final" the compiler isn't
allowed to do that; it must lookup the method to use in
the vtbl on the instance.  I'm not a compiler expert though,
so it would be good if others can confirm this.

Comment 8

[Mats Palmgren (inactive)]

I have also tested a MSVC 2012 Express build, with optimization and PGO enabled.
nsTableFrame::GetCellSpacingX is called there too, so I believe the bogus cast
is harmless in this case (non-final classes).

Comment 9

[Mats Palmgren (inactive)]

https://tbpl.mozilla.org/?tree=Try&rev=9c3dff1b08d2
https://tbpl.mozilla.org/?tree=Try&rev=ace5f4c3b47f

Comment 10

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/18ec1157a217

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/18ec1157a217

Comment 12

[Mats Palmgren (inactive)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/dec70e182c47

Comment 13

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/dec70e182c47