Closed
Bug 1267132
Opened 8 years ago
Closed 8 years ago
AddressSanitizer: global-buffer-overflow [@ nsGridContainerFrame::TrackSize::Initialize] with READ of size 1
Categories
(Core :: Layout, defect)
RESOLVED DUPLICATE of bug 1248227
 | Tracking | Status |
---|---|---|
firefox48 | --- | affected |
People
(Reporter: jruderman, Unassigned)
References
Details
(Keywords: crash, testcase)
Attachments
(2 files)
Debug: same assertion as in bug 1248227
Assertion failure: !mHasRepeatAuto || (mMinSizingFunctions.Length() >= 1 && mRepeatAutoStart < mMinSizingFunctions.Length()), at /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/generic/nsGridContainerFrame.cpp:825

ASan: memory safety error near some globals related to hash tables
AddressSanitizer: global-buffer-overflow [@ nsGridContainerFrame::TrackSize::Initialize] with READ of size 1
Comment 1•8 years ago
Mats, could you have a look at this one?
Flags: needinfo?(mats)
Comment 3•8 years ago
It's a dupe of bug 1248227. I think you can safely assume that any combination of 'subgrid' and 'auto-fill/fit' is bug 1248227 if you see the above assertion in a debug build.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mats)
Resolution: --- → DUPLICATE
Comment 4•8 years ago
I think this bug was focused on the ASAN memory-safety issue, though -- are you confident that that part is also the same underlying cause as bug 1248227?
Flags: needinfo?(mats)
Comment 5•8 years ago
Yeah, it's the same underlying issue. The reason the test in bug 1248227 doesn't crash with ASAN is that it doesn't have an item, so we don't reach the code that does the array access. Just adding an item to that test leads to the same crash. It's the same root cause, which is what the assertion is about.
Flags: needinfo?(mats)
Updated•2 years ago
Group: layout-core-security