1281102 - use-after-poison in nsCellMapColumnIterator::GetNextFrame

Status: RESOLVED FIXED

(Core :: Layout: Tables, defect)

Description

[Nils]

The testcase crashes the latest asan build of Firefox (BuildID=20160617030217) as follows.

<script>
function start() {
        o46=(new DOMParser()).parseFromString("<menu><li></li>a a",'text/html');
        document.replaceChild(o46.documentElement,document.documentElement);
        o66=document.createElement('form');
        o100=document.createElement('table');
        o119=document.createElement('iframe');
        o66.appendChild(o119);
        o135=document.createElement('tfoot');
        o100.appendChild(o135);
        document.body.appendChild(o100);
        o66.style.display='grid';
        o281=document.createElement('table');
        o135.appendChild(o281);
        o310=document.createTextNode("{ }");
        o119.style.pageBreakBefore='left';
        o418=document.createElement('th');
        o100.appendChild(o310);
        o281.appendChild(o418);
        o135.style.display='table-row-group';
        document.documentElement.style.MozColumnCount='59';
        setTimeout(f2, 4);
}
function f2() {
        o100.setAttribute('style'," transition-delay: 128ms; padding-right: 5rem");
        o418.appendChild(o66);
        setTimeout("location.reload()",800);
}
</script>
<body onload="start()"></body>

Asan ouput:

=================================================================
==6648==ERROR: AddressSanitizer: use-after-poison on address 0x6250002e43f0 at pc 0x7fd330aa8a6a bp 0x7fff6ed76000 sp 0x7fff6ed75ff8
READ of size 8 at 0x6250002e43f0 thread T0 (Web Content)
    #0 0x7fd330aa8a69 in nsCellMapColumnIterator::GetNextFrame(int*, int*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsCellMap.cpp:2704:18
    #1 0x7fd330aa680b in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/BasicTableLayoutStrategy.cpp:325:29
    #2 0x7fd330aa53a8 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/BasicTableLayoutStrategy.cpp:443:5
    #3 0x7fd330aa5349 in BasicTableLayoutStrategy::GetMinISize(nsRenderingContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/BasicTableLayoutStrategy.cpp:48:9
    #4 0x7fd330aef904 in TableShrinkISizeToFit /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsTableFrame.cpp:1633:22
    #5 0x7fd330aef904 in nsTableFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsTableFrame.cpp:1669
    #6 0x7fd330810436 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4649:24
    #7 0x7fd330aef68c in nsTableFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsTableFrame.cpp:1600:5
    #8 0x7fd330b46878 in ChildShrinkWrapISize(nsRenderingContext*, nsIFrame*, mozilla::WritingMode, mozilla::LogicalSize, int, int*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsTableWrapperFrame.cpp:387:5
    #9 0x7fd330b45e4b in nsTableWrapperFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsTableWrapperFrame.cpp:420:18
    #10 0x7fd330810436 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsFrame.cpp:4649:24
    #11 0x7fd33091ff83 in nsHTMLReflowState::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, nsIAtom*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:2395:9
    #12 0x7fd33091789f in nsHTMLReflowState::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsHTMLReflowState.cpp:406:3
    #13 0x7fd3307aa5c2 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3219:25
    #14 0x7fd33079f190 in ReflowLine /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2751:5
    #15 0x7fd33079f190 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2290
    #16 0x7fd3307983b6 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:1171:3
    #17 0x7fd3307b49bc in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockReflowContext.cpp:306:3
    #18 0x7fd3307ab196 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:3392:7
    #19 0x7fd33079f190 in ReflowLine /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2751:5
    #20 0x7fd33079f190 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:2290
    #21 0x7fd3307983b6 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsBlockFrame.cpp:1171:3
    #22 0x7fd3307f2948 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1022:3
    #23 0x7fd3307f910e in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsColumnSetFrame.cpp:647:7
    #24 0x7fd3307feddc in ReflowColumns /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsColumnSetFrame.cpp:353:19
    #25 0x7fd3307feddc in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsColumnSetFrame.cpp:1084
    #26 0x7fd3307f2948 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1022:3
    #27 0x7fd3307f10c4 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsCanvasFrame.cpp:644:5
    #28 0x7fd33088c335 in ReflowChild /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1022:3
    #29 0x7fd33088c335 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:540
    #30 0x7fd33088dadd in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:652:3
    #31 0x7fd33088fe70 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsGfxScrollFrame.cpp:886:3
    #32 0x7fd330807f6d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsContainerFrame.cpp:1065:3
    #33 0x7fd330a2db7f in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/generic/nsViewportFrame.cpp:314:7
    #34 0x7fd3306d73b9 in PresShell::DoReflow(nsIFrame*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9578:3
    #35 0x7fd3306ea8f0 in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:9751:24
    #36 0x7fd3306e9a83 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresShell.cpp:4123:11
    #37 0x7fd330412f45 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:1797:9
    #38 0x7fd33041f18c in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:251:7
    #39 0x7fd33041ee59 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:270:5
    #40 0x7fd3304209a4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsRefreshDriver.cpp:430:9
    #41 0x7fd330d54a64 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/ipc/VsyncChild.cpp:64:5
    #42 0x7fd32a9fb92a in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:240:20
    #43 0x7fd32a504d3d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1963:16
    #44 0x7fd32a44c627 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1658:14
    #45 0x7fd32a44942b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1596:17
    #46 0x7fd32a437137 in mozilla::ipc::MessageChannel::OnMaybeDequeueOne() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessageChannel.cpp:1563:5
    #47 0x7fd32a467382 in applyImpl<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:722:12
    #48 0x7fd32a467382 in apply<mozilla::ipc::MessageChannel, bool (mozilla::ipc::MessageChannel::*)()> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:728
    #49 0x7fd32a467382 in nsRunnableMethodImpl<bool (mozilla::ipc::MessageChannel::*)(), false, true>::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/nsThreadUtils.h:756
    #50 0x7fd32a46692f in Run /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:476:22
    #51 0x7fd32a46692f in mozilla::ipc::MessageChannel::DequeueTask::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/ipc/MessageChannel.h:495
    #52 0x7fd32966fe58 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/threads/nsThread.cpp:1029:7
    #53 0x7fd3296ee67c in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/xpcom/glue/nsThreadUtils.cpp:290:10
    #54 0x7fd32a4539f4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/glue/MessagePump.cpp:132:5
    #55 0x7fd32a3c1df8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #56 0x7fd32a3c1df8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #57 0x7fd32a3c1df8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #58 0x7fd32fd8d9af in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/widget/nsBaseAppShell.cpp:156:3
    #59 0x7fd331e10bf7 in XRE_RunAppShell /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:834:12
    #60 0x7fd32a3c1df8 in RunInternal /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:235:3
    #61 0x7fd32a3c1df8 in RunHandler /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:228
    #62 0x7fd32a3c1df8 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/chromium/src/base/message_loop.cc:208
    #63 0x7fd331e10262 in XRE_InitChildProcess /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/toolkit/xre/nsEmbedFunctions.cpp:664:7
    #64 0x4e2bc5 in content_process_main(int, char**) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/ipc/app/../contentproc/plugin-container.cpp:224:19
    #65 0x7fd32675a82f in __libc_start_main /build/glibc-GKVZIf/glibc-2.23/csu/../csu/libc-start.c:291
    #66 0x41e778 in _start (/home/nils/fuzzer3/firefox/plugin-container+0x41e778)

0x6250002e43f0 is located 752 bytes inside of 8192-byte region [0x6250002e4100,0x6250002e6100)
allocated by thread T0 (Web Content) here:
    #0 0x4b51eb in __interceptor_malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:52:3
    #1 0x7fd33796ddd6 in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/nsprpub/lib/ds/plarena.c:210:27
    #2 0x7fd33040a959 in nsPresArena::Allocate(unsigned int, unsigned long) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresArena.cpp:165:3
    #3 0x7fd33033efbe in AllocateByObjectID /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsPresArena.h:65:12
    #4 0x7fd33033efbe in AllocateByObjectID /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsIPresShell.h:250
    #5 0x7fd33033efbe in operator new /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsRuleNode.h:88
    #6 0x7fd33033efbe in SetStyle /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleContext.cpp:572
    #7 0x7fd33033efbe in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, nsStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsRuleNode.cpp:6392
    #8 0x7fd33030a38e in nsRuleNode::WalkRuleTree(nsStyleStructID, nsStyleContext*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsRuleNode.cpp:2491:10
    #9 0x7fd3303fd51f in GetStyleDisplay<true> /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/layout/style/nsStyleStructList.h:98:1
    #10 0x7fd3303fd51f in nsStyleDisplay const* nsStyleContext::DoGetStyleDisplay<true>() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/layout/style/nsStyleStructList.h:98
    #11 0x7fd330385cfb in StyleDisplay /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/layout/style/nsStyleStructList.h:98:1
    #12 0x7fd330385cfb in nsStyleContext::SetStyleBits() /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleContext.cpp:687
    #13 0x7fd330385a86 in FinishConstruction /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleContext.cpp:163:3
    #14 0x7fd330385a86 in nsStyleContext::nsStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleContext.cpp:121
    #15 0x7fd3303a8aec in NS_NewStyleContext(nsStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleContext.cpp:1316:5
    #16 0x7fd3303b42ae in nsStyleSet::GetContext(nsStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleSet.cpp:918:14
    #17 0x7fd3303b91b3 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/style/nsStyleSet.cpp:1366:10
    #18 0x7fd33052c1b2 in ResolveStyleFor /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:93:3
    #19 0x7fd33052c1b2 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4959
    #20 0x7fd3305281d0 in ResolveStyleContext /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4928:10
    #21 0x7fd3305281d0 in ResolveStyleContext /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:4944
    #22 0x7fd3305281d0 in nsCSSFrameConstructor::AddFrameConstructionItems(nsFrameConstructorState&, nsIContent*, bool, nsCSSFrameConstructor::InsertionPoint const&, nsCSSFrameConstructor::FrameConstructionItemList&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:5574
    #23 0x7fd33050edd3 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10685:9
    #24 0x7fd33050d404 in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2130:5
    #25 0x7fd330524a09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3857:7
    #26 0x7fd3305313ec in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6085:3
    #27 0x7fd330512833 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10502:5
    #28 0x7fd330512833 in nsCSSFrameConstructor::ConstructTableCell(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2330
    #29 0x7fd330524a09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3857:7
    #30 0x7fd3305313ec in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6085:3
    #31 0x7fd330510da9 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10502:5
    #32 0x7fd330510da9 in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2210
    #33 0x7fd330524a09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3857:7
    #34 0x7fd3305313ec in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6085:3
    #35 0x7fd33050f2b0 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10502:5
    #36 0x7fd33050f2b0 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10703
    #37 0x7fd330510c8c in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2213:5
    #38 0x7fd330524a09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3857:7
    #39 0x7fd3305313ec in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:6085:3
    #40 0x7fd33050f2b0 in ConstructFramesFromItemList /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10502:5
    #41 0x7fd33050f2b0 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:10703
    #42 0x7fd33050d404 in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:2130:5
    #43 0x7fd330524a09 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/base/nsCSSFrameConstructor.cpp:3857:7

SUMMARY: AddressSanitizer: use-after-poison /builds/slave/m-cen-l64-asan-ntly-0000000000/build/src/layout/tables/nsCellMap.cpp:2704:18 in nsCellMapColumnIterator::GetNextFrame(int*, int*)
Shadow bytes around the buggy address:
  0x0c4a80054820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80054830: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80054840: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80054850: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80054860: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
=>0x0c4a80054870: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
  0x0c4a80054880: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80054890: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800548a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800548b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800548c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==6648==ABORTING

Comment 1

[Daniel Veditz [:dveditz]]

Also crashes Nightly so it should be easy to nail down a regression range
bp-4db7dafa-9818-488c-ba39-343b32160622

In a debug build I get 4x

[Child 4155] ###!!! ASSERTION: Shouldn't be incomplete if availableBSize is UNCONSTRAINED.: 'aReflowState.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/generic/nsBlockFrame.cpp, line 1592

then 5 of

[Child 4155] ###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/base/nsLayoutUtils.cpp, line 7666

followed by

[Child 4155] ###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'start == end || IsInLetterFrame(aSubtreeRoot)', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/base/nsLayoutUtils.cpp, line 7680
[Child 4155] ###!!! ASSERTION: Shouldn't be incomplete if availableBSize is UNCONSTRAINED.: 'aReflowState.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/generic/nsBlockFrame.cpp, line 1592
[Child 4155] ###!!! ASSERTION: Shouldn't be incomplete if availableBSize is UNCONSTRAINED.: 'aReflowState.AvailableBSize() != NS_UNCONSTRAINEDSIZE', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/generic/nsBlockFrame.cpp, line 1592
[Child 4155] ###!!! ASSERTION: should not be trying to restyle this frame separately: '!GetPrevContinuationWithSameStyle(mFrame)', file /builds/slave/m-cen-m64-d-000000000000000000/build/src/layout/base/RestyleManager.cpp, line 3239

###!!! [Parent][MessageChannel] Error: (msgtype=0x2C007B,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv


Probably unrelated, but when loading the testcase in e10s I don't get the opportunity to submit the tab crash (I did once). It appears to be the same crash in non-e10s.

Comment 2

[Daniel Veditz [:dveditz]]

Attachment: testcase from comment 0

Comment 3

[Daniel Veditz [:dveditz]]

reproduced in Aurora (49) but not 48, 47, or ESR-45

Comment 4

[Daniel Veditz [:dveditz]]

Although I didn't reproduce in a "Beta" 48 build, it reproduced in 48.0a debug Nightlies.

good:
https://hg.mozilla.org/mozilla-central/rev/b8efc6dc729ea6b1b5de4e6aca866ee52d7dccf9

crashes in debug:
https://hg.mozilla.org/mozilla-central/rev/d1d47ba19ce9d46222030d491f9fe28dbf80be12

commits in that range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b8efc6dc729e&tochange=d1d47ba19ce9

There's a lot in that range but throwing to Mats as a first guess because his 26-patch fix for bug 1144096 (css-grid) was the first thing that caught my eye and did happen to touch CellMap

Comment 5

[Mats Palmgren (inactive)]

>  bug 1144096 (css-grid) was the first thing that caught my eye and did happen to touch CellMap

FTR, that CellMap is a grid only thing and has nothing to do with a table nsCellMap.

I suspect bug 1144096 (which added fragmentation support for grid) changed
the behavior for this particular test to make it crash, though I'm quite
sure the underlying (table) bug has pretty much always existed.

The bug is that nsTableFrame::mCellMap on the first-in-flow nsTableFrame is
a linked list of nsCellMap (one per nsTableRowGroupFrame) for the entire
nsTableFrame continuation chain.  However, when a continuation is removed
the nsCellMap chain isn't updated AFAICT.  I can't find any code that is
even attempting to do that.  The nsCellMap contains pointers to frames -
the nsTableRowGroupFrame and some descendants (table cells) of it.

So, we're crashing at using a destroyed frame from a nsCellMap associated
with a nsTableFrame continuation that is destroyed.  The nsCellMap struct
isn't deleted though (AFAICT) so it appears it's a non-exploitable
frame-poisoning crash.

Comment 6

[Mats Palmgren (inactive)]

Do you know if leaving the nsCellMap around without deleting it when
the corresponding frame is destroyed is some kind of wallpaper?

To fix this we should probably make nsTable*Frame::DestroyFrom
unhook themselves from the nsCellMap(s?) they occur in.
And nsTableRowGroupFrame::DestroyFrom should probably unlink
and delete the nsCellMap, assuming it's not a wallpaper for
nastier crashes.

Comment 7

[Boris Zbarsky [:bzbarsky]]

> However, when a continuation is removed

What continuation is removed?  Table frames should never have dynamic changes to their continuation chain.  They are all sorts of broken if you do that (starting with their handling of headers and footers, for example).  We basically only support creating table continuations during printing.  In particular, we very explicitly do NOT fragment tables inside a columnset.  See http://searchfox.org/mozilla-central/source/layout/generic/nsColumnSetFrame.cpp#612 for example.

So whatever code can lead to table frames having a continuation in any context other than printing needs to be fixed to not do that.

Comment 8

[Mats Palmgren (inactive)]

Oh, I thought we added support for fragmenting tables in columns at some
point, but I probably confused that with floats.

I'll look into why we're creating a table fragment here...

Comment 9

[Mats Palmgren (inactive)]

What happens in the testcase is that the grid item overflows the columnset
and the grid container has no break opportunities before its first row so
it returns a BREAK_BEFORE reflow state (per spec).
The table cell/row/group frames propagates this state up to nsTableFrame
that willingly creates a continuation for the row-group:
http://searchfox.org/mozilla-central/rev/970569ad57ac4436ff31aa2ac63f38ed3ee2932d/layout/tables/nsTableFrame.cpp#3228
and again propagates an incomplete reflow state...

The thing that governs whether a BREAK_BEFORE reflow state is allowed
is mIsTopOfPage:
http://searchfox.org/mozilla-central/rev/970569ad57ac4436ff31aa2ac63f38ed3ee2932d/layout/generic/nsFrame.h#443
but there is nothing to prevent mIsTopOfPage from being set to false
as soon as we have reflowed a line or whatnot, so the "fix" for
bug 362275 seems rather lame in this regard.

Comment 10

[Mats Palmgren (inactive)]

Attachment: fix

The nsTableFrame change fixes the crash, but there are still a bunch
of non-fatal assertions.  The nsGridContainerFrame change fixes those
for this particular testcase, although I suspect using
page-break-inside:avoid instead could still trigger those.

Comment 11

[Mats Palmgren (inactive)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=6664f06836a8

Comment 12

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8764864 [details] [diff] [review]
fix

I really don't remember how all this stuff works well enough to review this patch in a sane amount of time.  Please find someone more familiar with our current layout, fragmentation, and grid code.

In particular, it's not clear to me why this is a problem for grid but not for blocks inside tables or whatnot, when those don't fit.

Comment 13

[Mats Palmgren (inactive)]

Attachment: fix

This is a better fix on the Grid side.  The reason we're getting an
unconstrained available height here is this:
http://searchfox.org/mozilla-central/rev/970569ad57ac4436ff31aa2ac63f38ed3ee2932d/layout/tables/nsTableRowGroupFrame.cpp#334-338

I still like to keep the table frame fix as well - in case someone else
returns an incomplete status in the future.  It's keeping with the intent
of the wallpaper in bug 362275.

https://treeherder.mozilla.org/#/jobs?repo=try&revision=2d8ae23eb184

Comment 14

[Daniel Holbert [:dholbert]]

(In reply to Mats Palmgren (vacation) from comment #13)
> I still like to keep the table frame fix as well - in case someone else
> returns an incomplete status in the future.  It's keeping with the intent
> of the wallpaper in bug 362275.

Perhaps we should add an assertion to catch those cases? (since they'll indicate that we're leaving some content un-reflowed/undisplayed, I think, and we'd probably want to fix whatever child frame-class is making us incomplete, similarly to how you're fixing grid here)

e.g.
  MOZ_ASSERT(!NS_FRAME_IS_NOT_COMPLETE(aStatus) || isPaginated,
             "Table contents should only fragment in paginated contexts");

Comment 15

[Daniel Holbert [:dholbert]]

Comment on attachment 8765050 [details] [diff] [review]
fix

Review of attachment 8765050 [details] [diff] [review]:
-----------------------------------------------------------------

r=me, though consider adding an assertion just before the line of table code that you're changing, per previous comment.

Comment 16

[Daniel Holbert [:dholbert]]

Marking this as "disabled" for Firefox 47 & 48, because this bug depends on CSS Grid, which is currently only enabled in prerelease builds [Nightly/Aurora], and Firefox 47 and 48 are past that point so they've got grid disabled.  (This explains dveditz' observations in comment 3 / comment 4 here.)

The Firefox 49 status flag should perhaps/eventually set to "disabled" too, since I don't think we intend to ship grid past prerelease release builds until version 50 or later. But for the moment (on Aurora), 49 has grid enabled, so I'll leave its status flag alone.

Comment 17

[Daniel Holbert [:dholbert]]

(Actually, esr45 and firefox 47 should probably be marked as "unaffected" [/me makes it so], since this specifically depends on *grid fragmentation* which didn't land until Firefox 48, in bug 1144096.  I think mats marked the older releases as "affected" while thinking there were likely more ways to trigger this in all supported builds, purely with table code & multicol (no grid).  But IIUC bz relaxed that fear in comment 7.)

Comment 18

[Gerry Chang [:gchang]]

Hi Daniel,
CSS Grid is only enabled in RELEASE_BUILD, so is 49 (beta now) also disabled?

Comment 19

[Daniel Holbert [:dholbert]]

Correct. Marking as such.

Comment 20

[Daniel Veditz [:dveditz]]

Mats: what's the plan for landing this fix? Are we waiting on anything?

Comment 21

[Daniel Veditz [:dveditz]]

Are we sure this is "frame poisoning"? I didn't think those came up as "use-after-poison" in ASAN builds (which are usually UAF bugs in an arena). In a non-ASAN build I crash on a null-deref, which is also not typical for a true "frame poisoning" crash. Is it always going to be a safe null?

bp-41a7178f-52ff-4d85-a0d6-a0d8f2160822

Comment 22

[Mats Palmgren (inactive)]

> Are we sure this is "frame poisoning"?

Yes, at least on Linux where I tested.  This code is cross-platform so I'd be surprised
if OSX is different.

> I didn't think those came up as "use-after-poison" in ASAN builds

They do for me in a local Linux ASAN build.

(I'll report back with OSX results if I can get my local builds going
there again.)

Comment 23

[Mats Palmgren (inactive)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/02765e63d9075e8650e02447f9d4430cf595b776

Comment 24

[Mats Palmgren (inactive)]

> In a non-ASAN build I crash on a null-deref ...

See bug 1162024 comment 4 and 5 regarding crashes on OSX.

Comment 25

[Mats Palmgren (inactive)]

> bp-41a7178f-52ff-4d85-a0d6-a0d8f2160822

Looking at the register values in the raw dump data:
                    "rax": "0x7ffffffff0dea7ff",
which looks like a frame-poison value (it's identical to the poison value
I have locally on Linux).

Comment 26

[Mats Palmgren (inactive)]

I've conformed that a local OSX debug build crashes on frame-poisoning
in the same place as on Linux.

Comment 27

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/02765e63d907

Please request Aurora approval on this when you get a chance.

Comment 28

[Mats Palmgren (inactive)]

Comment on attachment 8765050 [details] [diff] [review]
fix

Approval Request Comment
[Feature/regressing bug #]: bug 1144096 most likely.
[User impact if declined]: crash
[Describe test coverage new/current, TreeHerder]:
[Risks and why]: low risk, trivial change
[String/UUID change made/needed]: none

Comment 29

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/e3325d199202

Comment 30

[Daniel Veditz [:dveditz]]

(In reply to Mats Palmgren (:mats) from comment #25)
> > bp-41a7178f-52ff-4d85-a0d6-a0d8f2160822
> 
> Looking at the register values in the raw dump data:
>                     "rax": "0x7ffffffff0dea7ff",

I forgot to check the raw values :-(   You're quite right, this is unexploitable.

Comment 31

[Pulsebot]

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/074dd92c2bec
Crashtest.

Comment 32

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/074dd92c2bec