[css-grid] AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8

Status: NEW, Unassigned (NeedInfo flag set)
Product / Component: Core :: Layout
Priority: --
Severity: critical
Reported: a year ago
Modified: a month ago
Reporter: truber
Version: 48 Branch
Keywords: assertion, crash, csectype-framepoisoning, testcase
Blocks: 2 bugs
Flags: in-testsuite ?
Firefox Tracking Flags: firefox52 wontfix, firefox-esr52 wontfix, firefox56 wontfix, firefox57 wontfix, firefox58 fix-optional
Attachments: 3

Description (Reporter: truber, a year ago)

Created attachment 8809850: testcase.html

The attached testcase crashes mozilla-central d38d06f85ef5.
It looks like a poisoned frame based on the non-asan fault address (0x7ffffffff0dea7ff).

==24619==ERROR: AddressSanitizer: use-after-poison on address 0x625000ce2b90 at pc 0x7f2507fe59a2 bp 0x7fff5c033c20 sp 0x7fff5c033c18
READ of size 8 at 0x625000ce2b90 thread T0
    #0 0x7f2507fe59a1 in StylePosition obj-firefox/dist/include/nsStyleStructList.h:87:1
    #1 0x7f2507fe59a1 in MinSize(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) layout/generic/nsGridContainerFrame.cpp:3883
    #2 0x7f2507fde3b4 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:4427:21
    #3 0x7f2507fced31 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:3938:3
    #4 0x7f2507fcdee6 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:2583:3
    #5 0x7f2507ff7f0d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) layout/generic/nsGridContainerFrame.cpp:6119:5

The debug log also includes soft assertions prior to segv:
###!!! ASSERTION: got BREAK_BEFORE again after growing the row?: 'Error', file /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp, line 5676
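The reporter's inference in the description above (a non-ASan fault address that looks like a poisoned frame) rests on how arena frame poisoning works: a freed frame is overwritten with a poison word, so a stale user that loads a pointer field out of it gets that word and faults on it, while an ASan build additionally marks the slot unaddressable so the load itself is reported as use-after-poison. The C sketch below is an added example, not code from this bug or from Gecko's nsPresArena. It poisons a freed slot of a tiny arena with a constructed poison word (chosen to resemble the fault address quoted in the report), shows the stale load that ASan would flag, and adds the triage check that matches a plain-build crash address against the poison. The arena, the Frame and StyleStruct types, the function names and the 64-byte offset window are all assumptions made for this example.

```c
/*
 * Sketch of arena "frame poisoning", the mechanism behind the use-after-poison
 * report above. Added example for illustration; not Gecko's nsPresArena code.
 * Struct, function and constant names are made up for this example.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* With -fsanitize=address, freed slots are also marked unaddressable so the
 * stale *load* is reported; plain builds compile these to no-ops. */
#ifndef __has_feature
#define __has_feature(x) 0
#endif
#if __has_feature(address_sanitizer) || defined(__SANITIZE_ADDRESS__)
#include <sanitizer/asan_interface.h>
#define ARENA_POISON(p, n)   __asan_poison_memory_region((p), (n))
#define ARENA_UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#define ARENA_POISON(p, n)   ((void)(p), (void)(n))
#define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#endif

/* Constructed poison word, shaped like the fault address in the report. A real
 * implementation points it into a reserved, unmapped page so that dereferencing
 * a loaded poison word faults at a recognisable address. */
#define POISON_VALUE ((uintptr_t)0x7ffffffff0dea7ffULL)

typedef struct StyleStruct { int position_kind; } StyleStruct;

/* Stand-in for a layout frame; `style` plays the role of the pointer that
 * StylePosition() follows in the stack trace. */
typedef struct Frame {
    StyleStruct *style;
    int64_t      rect[4];
} Frame;

#define ARENA_SLOTS 8
static Frame       g_slots[ARENA_SLOTS];
static bool        g_in_use[ARENA_SLOTS];
static StyleStruct g_style = { 1 };

Frame *frame_alloc(void) {
    for (size_t i = 0; i < ARENA_SLOTS; i++) {
        if (g_in_use[i]) continue;
        Frame *f = &g_slots[i];
        ARENA_UNPOISON(f, sizeof *f);      /* slot is live again */
        memset(f, 0, sizeof *f);
        f->style = &g_style;
        g_in_use[i] = true;
        return f;
    }
    return NULL;
}

void frame_free(Frame *f) {
    size_t i = (size_t)(f - g_slots);
    if (i >= ARENA_SLOTS || !g_in_use[i]) return;
    /* Overwrite every pointer-sized word, so a stale user that loads f->style
     * gets POISON_VALUE and, on a non-ASan build, crashes on that address. */
    uintptr_t *w = (uintptr_t *)f;
    for (size_t k = 0; k < sizeof *f / sizeof *w; k++) w[k] = POISON_VALUE;
    g_in_use[i] = false;
    ARENA_POISON(f, sizeof *f);            /* ASan: the load itself is reported */
}

/* The stale access from the report: loading the style pointer out of a freed
 * frame. Under ASan this read is the "use-after-poison"; without ASan it just
 * returns the poison word the caller would then dereference. */
uintptr_t load_style_pointer(const Frame *f) {
    uintptr_t v;
    memcpy(&v, &f->style, sizeof v);
    return v;
}

/* Triage check for a non-ASan crash: a fault address equal to the poison word
 * (or a small field offset past it) means a freed frame was read, not some
 * random wild pointer. The 64-byte window is an assumption for this sketch. */
bool fault_address_is_poison(uintptr_t fault_addr) {
    return fault_addr - POISON_VALUE < 64;
}

/* Scenario: allocate, free, then touch the freed frame. */
uintptr_t stale_read_after_free(void) {
    Frame *f = frame_alloc();
    frame_free(f);
    return load_style_pointer(f);
}

/* Scenario: a reused slot must come back clean, not still poisoned. */
bool reuse_clears_poison(void) {
    Frame *f = frame_alloc();
    frame_free(f);
    Frame *g = frame_alloc();
    bool ok = (g == f) && load_style_pointer(g) == (uintptr_t)&g_style;
    frame_free(g);
    return ok;
}

int main(void) {
    uintptr_t v = stale_read_after_free();
    printf("stale style pointer = 0x%llx, looks poisoned: %s\n",
           (unsigned long long)v, fault_address_is_poison(v) ? "yes" : "no");
    return 0;
}
```

Built with -fsanitize=address, the memcpy in load_style_pointer is reported as a use-after-poison on the freed slot, which is the error class in the trace above. Built without it, the program prints the poison word as the stale style pointer; dereferencing such a value is what turns a freed-frame read into a crash at a poison-shaped fault address, and fault_address_is_poison is the check a triager applies to that address.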

Comment 1 (Reporter: truber, a year ago)

Created attachment 8809856: log.txt

Comment 2 (Reporter: truber, a year ago)

Created attachment 8809857: log-dbg.txt
Blocks: 616605
Component: CSS Parsing and Computation → Layout
Flags: needinfo?(mats)
Summary: AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8 → [css-grid] AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8

Comment 3

Too late for firefox 52, mass-wontfix.
status-firefox52: affected → wontfix

Comment 4 (Reporter: truber, 3 months ago)

This still reproduces in m-c 20170901-a3585c77e2b1

==29725==ERROR: AddressSanitizer: use-after-poison on address 0x6250016889e0 at pc 0x7f632efad045 bp 0x7ffc09ce63b0 sp 0x7ffc09ce63a8
READ of size 8 at 0x6250016889e0 thread T0
    #0 0x7f632efad044 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f632efad044 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f632efad044 in StylePosition /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:89
    #3 0x7f632efad044 in nsGridContainerFrame::GridItemInfo::ShouldApplyAutoMinSize(mozilla::WritingMode, mozilla::LogicalAxis, int) const /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:618
    #4 0x7f632efa36cf in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4189:18
    #5 0x7f632ef95c85 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3730:3
    #6 0x7f632ef95646 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2348:9
    #7 0x7f632efbb89f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5971:21

Comment 5

INFO: Last good revision: 946ed22cad04431c75ab5093989dfedf1bae5a3e (2016-03-12)
INFO: First bad revision: d1d47ba19ce9d46222030d491f9fe28dbf80be12 (2016-03-13)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=946ed22cad04431c75ab5093989dfedf1bae5a3e&tochange=d1d47ba19ce9d46222030d491f9fe28dbf80be12

--> Bug 1144096 presumably.

On debug builds, the testcase also hits the following assert:
ASSERTION: got BREAK_BEFORE again after growing the row?: 'Error', file z:/build/build/src/layout/generic/nsGridContainerFrame.cpp, line 5522
Has Regression Range: --- → yes
status-firefox56: --- → wontfix
status-firefox57: --- → wontfix
status-firefox58: --- → fix-optional
status-firefox-esr52: --- → wontfix
Flags: in-testsuite?
Keywords: assertion
Version: Trunk → 48 Branch