Closed Bug 1332071 Opened 7 years ago Closed 7 years ago

AddressSanitizer: use-after-poison in nsRuleNode::Transition with READ of size 8

Categories

(Core :: DOM: Animation, defect)

Product:
Core
Component:
DOM: Animation
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1331704
Tracking Flags:
Tracking Status
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- affected

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(1 file)

testcase.html
975 bytes, text/html
Details
Attached file testcase.html 
The attached testcase crashes in mozilla-central rev b3774461acc6

==20792==ERROR: AddressSanitizer: use-after-poison on address 0x6250009cbe68 at pc 0x7fd0e7224bdc bp 0x7ffe12a24890 sp 0x7ffe12a24888
READ of size 8 at 0x6250009cbe68 thread T0
    #0 0x7fd0e7224bdb in HaveChildren /home/worker/workspace/build/src/layout/style/nsRuleNode.h:493:22
    #1 0x7fd0e7224bdb in nsRuleNode::Transition(nsIStyleRule*, mozilla::SheetType, bool) /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:1751
    #2 0x7fd0e3003f0c in DoForward /home/worker/workspace/build/src/layout/style/nsRuleWalker.h:31:16
    #3 0x7fd0e3003f0c in Forward /home/worker/workspace/build/src/layout/style/nsRuleWalker.h:39
    #4 0x7fd0e3003f0c in mozilla::EffectCompositor::AnimationStyleRuleProcessor::RulesMatching(ElementRuleProcessorData*) /home/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:1015
    #5 0x7fd0e72cb0cc in _ZL17EnumRulesMatchingI24ElementRuleProcessorDataEbP21nsIStyleRuleProcessorPv /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:804:3
    #6 0x7fd0e72c82f0 in nsStyleSet::FileRules(bool (*)(nsIStyleRuleProcessor*, void*), RuleProcessorData*, mozilla::dom::Element*, nsRuleWalker*) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1196:3
    #7 0x7fd0e72cacc1 in nsStyleSet::ResolveStyleForInternal(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&, nsStyleSet::AnimationFlag) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1367:3
    #8 0x7fd0e72ca8c0 in nsStyleSet::ResolveStyleFor(mozilla::dom::Element*, nsStyleContext*, TreeMatchContext&) /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:1403:10
    #9 0x7fd0e745d3c7 in ResolveStyleFor /home/worker/workspace/build/src/layout/style/nsStyleSet.h:135:12
    #10 0x7fd0e745d3c7 in ResolveStyleFor /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:94
    #11 0x7fd0e745d3c7 in nsCSSFrameConstructor::ResolveStyleContext(nsStyleContext*, nsIContent*, nsFrameConstructorState*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5048
    #12 0x7fd0e7461969 in nsCSSFrameConstructor::BuildInlineChildItems(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, bool, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12202:9
Regression from bug 1305325.
Blocks: 1305325
status-firefox50: --- → unaffected
status-firefox51: --- → unaffected
status-firefox52: --- → unaffected
Flags: needinfo?(hikezoe)
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(hikezoe)
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: