Bug 1341319 - Crash [@nsStyleBorder::Destroy]
Opened 8 years ago, closed 7 years ago
Product / Component: Core :: Layout (defect, P3)
Status: RESOLVED DUPLICATE of bug 1340248
Target Milestone: mozilla56
Reporter: jkratzer; Assignee: heycam
References: Blocks 1 open bug; 4 keywords
Attachments (1 file): 834 bytes, text/html
Testcase found by fuzzing on mozilla-central rev 20170216-a9ec72f82299.
ASAN:DEADLYSIGNAL
=================================================================
==11082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6212841d64 bp 0x7ffed51d49b0 sp 0x7ffed51d4990 T0)
#0 0x7f6212841d63 in nsStyleBorder::~nsStyleBorder() /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:387:7
#1 0x7f6212842961 in nsStyleBorder::Destroy(nsPresContext*) /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:434:3
#2 0x7f6212812e23 in nsConditionalResetStyleData::Destroy(unsigned long, nsPresContext*) /home/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:124:1
#3 0x7f621278730a in Destroy /home/worker/workspace/build/src/layout/style/nsRuleNode.h:334:7
#4 0x7f621278730a in nsRuleNode::~nsRuleNode() /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:1734
#5 0x7f621278665d in nsRuleNode::Destroy() /home/worker/workspace/build/src/layout/style/nsRuleNode.cpp:1677:3
#6 0x7f6212836b46 in GCRuleTrees /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:2289:5
#7 0x7f6212836b46 in nsStyleSet::Shutdown() /home/worker/workspace/build/src/layout/style/nsStyleSet.cpp:2268
#8 0x7f621290f106 in Shutdown /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:52:3
#9 0x7f621290f106 in mozilla::PresShell::Destroy() /home/worker/workspace/build/src/layout/base/PresShell.cpp:1411
#10 0x7f6212a0cfb6 in nsDocumentViewer::DestroyPresShell() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4585:3
#11 0x7f6212a0320f in nsDocumentViewer::Hide() /home/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:2187:3
#12 0x7f6214eb5d89 in SetVisibility /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6479:5
#13 0x7f6214eb5d89 in non-virtual thunk to nsDocShell::SetVisibility(bool) /home/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6469
#14 0x7f620eaa58c3 in nsFrameLoader::Hide() /home/worker/workspace/build/src/dom/base/nsFrameLoader.cpp:1299:3
#15 0x7f6212decdd8 in nsHideViewer::Run() /home/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:928:7
Flags: in-testsuite?
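As an added example, not code from this bug or from Mozilla's fuzzing or crash-reporting tooling, the script below does the first triage step a fuzzing pipeline performs on a report like the one above: it parses the AddressSanitizer header and frames, flags a SEGV in the zero page as a NULL (or NULL plus small offset) dereference, and builds a frame-name signature so that re-runs with different ASLR layouts deduplicate to one bug. The sample report is constructed from the header and first five frames of this bug's trace with the build-directory prefix shortened; the 4096-byte threshold, the three-frame signature depth and the second "re-run" report are this example's own assumptions.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example, not part of the bug)."""
import re
from dataclasses import dataclass, field

# Constructed sample: the header and first five frames of the ASAN report in this
# bug, with the /home/worker/workspace/build/src/ prefix removed from the paths.
SAMPLE_REPORT = """\
ASAN:DEADLYSIGNAL
=================================================================
==11082==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6212841d64 bp 0x7ffed51d49b0 sp 0x7ffed51d4990 T0)
    #0 0x7f6212841d63 in nsStyleBorder::~nsStyleBorder() layout/style/nsStyleStruct.cpp:387:7
    #1 0x7f6212842961 in nsStyleBorder::Destroy(nsPresContext*) layout/style/nsStyleStruct.cpp:434:3
    #2 0x7f6212812e23 in nsConditionalResetStyleData::Destroy(unsigned long, nsPresContext*) obj-firefox/layout/style/nsStyleStructList.h:124:1
    #3 0x7f621278730a in Destroy layout/style/nsRuleNode.h:334:7
    #4 0x7f621278730a in nsRuleNode::~nsRuleNode() layout/style/nsRuleNode.cpp:1734
"""

# Constructed second report: same frames, different pid and runtime addresses, as a
# fuzzer re-run under a different ASLR layout would produce. It must deduplicate
# against SAMPLE_REPORT.
SAMPLE_REPORT_RERUN = SAMPLE_REPORT.replace("==11082==", "==4242==").replace("0x7f62", "0x7f10")

# Header: "==<pid>==ERROR: AddressSanitizer: <kind> on [unknown] address 0x<addr> ..."
HEADER_RE = re.compile(
    r"==\d+==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on (?:unknown )?address 0x(?P<addr>[0-9a-fA-F]+)"
)
# Frame: "#<n> 0x<pc> in <function> <file>:<line>[:<col>]"; the function text may
# contain spaces and parentheses, so it is matched non-greedily up to the location.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) 0x[0-9a-fA-F]+ in (?P<func>.+?) (?P<loc>\S+:\d+(?::\d+)?)\s*$"
)


@dataclass
class Frame:
    index: int
    function: str
    location: str  # file:line[:column] exactly as printed by ASAN


@dataclass
class AsanCrash:
    kind: str      # e.g. "SEGV", "heap-use-after-free"
    address: int   # faulting address from the report header
    frames: list = field(default_factory=list)

    def is_null_deref(self, page_size: int = 4096) -> bool:
        """A SEGV inside the zero page is a NULL (or NULL+small offset) dereference.
        The page-size threshold is this example's assumption, not something ASAN reports."""
        return self.kind == "SEGV" and self.address < page_size

    def signature(self, depth: int = 3) -> tuple:
        """Function names of the top frames. Runtime addresses are deliberately left
        out so that re-runs with different ASLR layouts produce the same signature."""
        return tuple(f.function for f in self.frames[:depth])


def parse_asan_report(text: str) -> AsanCrash:
    """Parse the first ASAN error in `text`; frames before the header are ignored."""
    crash = None
    for line in text.splitlines():
        m = HEADER_RE.search(line)
        if m:
            crash = AsanCrash(kind=m.group("kind"), address=int(m.group("addr"), 16))
            continue
        m = FRAME_RE.match(line)
        if m and crash is not None:
            crash.frames.append(Frame(int(m.group("idx")), m.group("func"), m.group("loc")))
    if crash is None:
        raise ValueError("no AddressSanitizer error header found")
    return crash


def same_crash(report_a: str, report_b: str, depth: int = 3) -> bool:
    """Deduplication rule: same error kind and same top-`depth` frame signature."""
    a, b = parse_asan_report(report_a), parse_asan_report(report_b)
    return a.kind == b.kind and a.signature(depth) == b.signature(depth)


if __name__ == "__main__":
    crash = parse_asan_report(SAMPLE_REPORT)
    print("kind:", crash.kind, "addr:", hex(crash.address), "null-deref:", crash.is_null_deref())
    for f in crash.frames:
        print(f"  #{f.index} {f.function} @ {f.location}")
    print("signature:", crash.signature())
    print("re-run deduplicates:", same_crash(SAMPLE_REPORT, SAMPLE_REPORT_RERUN))
```

A frame-name signature is what lets a fuzzer queue collapse the two reports into one bug before anyone looks at them; whether the top frame (the inlined destructor) or the next one (`nsStyleBorder::Destroy`, which this bug's title uses) should anchor the signature is a policy choice of the crash-reporting system, and this example simply takes the top three as printed.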
Updated 7 years ago
Priority: -- → P3
Comment 1, 7 years ago
This was also hitting the below assertion when it was filed:
Assertion failure: !(mConditionalBits & GetBitForSID(aSID)) (rule node should not have unconditional and conditional style data for a given struct), at c:\builds\moz2_slave\m-in-w64-d-0000000000000000000\build\src\layout\style\nsRuleNode.h:190
However, it appears to have been fixed by bug 1353312 along the way.
INFO: First good revision: c5507f94e8fee7a8c91210d228826cbc3e8eb698
INFO: Last bad revision: f433b516c2d83f8fa93915a8860a9e4e338fb1ea
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f433b516c2d83f8fa93915a8860a9e4e338fb1ea&tochange=c5507f94e8fee7a8c91210d228826cbc3e8eb698
Cam, same question as the other bug. Is it worth landing the testcase here still?
Assignee: nobody → cam
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55:
--- → fixed
status-firefox56:
--- → fixed
status-firefox-esr52:
--- → fixed
Depends on: CVE-2017-7753
Flags: needinfo?(cam)
Keywords: assertion
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Comment 2 (Assignee), 7 years ago
Duping this to bug 1340248, just to avoid fragmenting discussion on what was really the same bug.
Flags: needinfo?(cam)
Resolution: FIXED → DUPLICATE
Updated 7 years ago (Assignee)
Group: core-security
Updated 7 years ago
Group: core-security