Bug 1344288 - use-after-poison in [@ nsCellMapColumnIterator::GetNextFrame]
Status: Closed
Opened 7 years ago
Closed 7 years ago
Categories: Core :: Layout: Tables, defect
Tracking
RESOLVED DUPLICATE of bug 1344628

| | Tracking | Status |
|---|---|---|
| firefox54 | --- | affected |
People
(Reporter: tsmith, Assigned: neerja)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-framepoisoning, regressionwindow-wanted, testcase)
Attachments
(2 files)
Description (Reporter)

==15581==ERROR: AddressSanitizer: use-after-poison on address 0x625000cb8f80 at pc 0x7f8b0d43b652 bp 0x7ffe60d26f40 sp 0x7ffe60d26f38
READ of size 8 at 0x625000cb8f80 thread T0
    #0 0x7f8b0d43b651 in nsCellMapColumnIterator::GetNextFrame(int*, int*) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:2704:18
    #1 0x7f8b0d43929b in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:311:29
    #2 0x7f8b0d437e18 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:429:5
    #3 0x7f8b0d437db9 in BasicTableLayoutStrategy::GetMinISize(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:48:9
    #4 0x7f8b0d486d04 in TableShrinkISizeToFit /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1772:22
    #5 0x7f8b0d486d04 in nsTableFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1808
    #6 0x7f8b0d188898 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4834:24
    #7 0x7f8b0d486ab2 in nsTableFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1739:5
    #8 0x7f8b0d4e10eb in nsTableWrapperFrame::ChildShrinkWrapISize(nsRenderingContext*, nsIFrame*, mozilla::WritingMode, mozilla::LogicalSize, int, int*) const /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:414:5
    #9 0x7f8b0d4e1ba0 in nsTableWrapperFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:447:18
    #10 0x7f8b0d188898 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4834:24
    ... see log.txt
Comment 1•7 years ago (Reporter)
Updated•7 years ago (Reporter)
Flags: in-testsuite?

Comment 2 (David Baron :dbaron:)
Seems to work for me. I also wish the use-after-poison reports had the stack of when the poisoning happened...
Comment 3•7 years ago (Reporter)
(In reply to David Baron :dbaron: ⌚️UTC-8 from comment #2)
> Seems to work for me.
This was just found on version 20170303-a793136c90bc. It does not seem to be reproducible even on builds from a few days ago. I have no issue reproducing this locally with a fresh profile.
> I also wish the use-after-poison reports had the stack of when the poisoning
> happened...
Not a bad idea, ASan feature request may be your best bet :)
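The report in the description shows frame poisoning from the outside: the csectype-framepoisoning keyword marks this as a bug where freed layout-frame memory has been poisoned, so the dangling read in GetNextFrame surfaces as an ASan use-after-poison instead of a silent read of stale bytes. As an added example, not Gecko's arena code and not the ASan runtime, the C program below builds a tiny bump arena with its own shadow bytes that does the same thing and, addressing the wish in comment 2, also records the function and line where each byte was poisoned. The arena size, the 0x7f fill pattern and all function names are choices made for this example; when compiled with -fsanitize=address it additionally calls ASAN_POISON_MEMORY_REGION, so an unchecked dereference of the freed block would then produce a real ASan use-after-poison report like the one above.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Under -fsanitize=address also tell ASan about the poisoning, so that an
 * unchecked dereference of a freed block yields a real use-after-poison
 * report. Without ASan the two macros are no-ops. */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#else
#  define ASAN_POISON_MEMORY_REGION(addr, size)   ((void)(addr), (void)(size))
#  define ASAN_UNPOISON_MEMORY_REGION(addr, size) ((void)(addr), (void)(size))
#endif

#define ARENA_SIZE 256     /* example-only arena size */
#define POISON_BYTE 0x7f   /* example-only fill pattern for freed bytes */

/* Where a byte was poisoned: the context the ASan report does not carry. */
struct poison_site { const char *func; int line; };

static unsigned char arena[ARENA_SIZE];
static unsigned char shadow[ARENA_SIZE];      /* 0 = addressable, 1 = poisoned */
static struct poison_site sites[ARENA_SIZE];  /* poisoner recorded per byte */
static size_t arena_top;

/* Bump-allocate n bytes, 8-byte aligned; NULL when the arena is exhausted. */
void *arena_alloc(size_t n) {
    size_t off = (arena_top + 7) & ~(size_t)7;
    if (n == 0 || off + n > ARENA_SIZE) return NULL;
    arena_top = off + n;
    memset(shadow + off, 0, n);
    ASAN_UNPOISON_MEMORY_REGION(arena + off, n);
    return arena + off;
}

/* Free a block: overwrite it with the poison pattern, mark its shadow bytes
 * poisoned and remember which function/line did the poisoning. */
void arena_free_at(void *p, size_t n, const char *func, int line) {
    size_t off = (unsigned char *)p - arena;
    memset(p, POISON_BYTE, n);
    memset(shadow + off, 1, n);
    for (size_t i = 0; i < n; i++) {
        sites[off + i].func = func;
        sites[off + i].line = line;
    }
    ASAN_POISON_MEMORY_REGION(p, n);
}
#define arena_free(p, n) arena_free_at((p), (n), __func__, __LINE__)

/* Checked 8-byte load. The shadow is consulted before the bytes are touched,
 * so a dangling read is reported together with its poisoning site instead of
 * silently returning 0x7f7f7f7f7f7f7f7f. Returns 0 on success, -1 on poison. */
int checked_read64(const void *p, uint64_t *out, struct poison_site *who) {
    size_t off = (const unsigned char *)p - arena;
    for (size_t i = 0; i < sizeof *out; i++) {
        if (shadow[off + i]) {
            if (who) *who = sites[off + i];
            return -1;
        }
    }
    memcpy(out, p, sizeof *out);
    return 0;
}

/* Lifecycle of one "frame": allocate, use, free, then read again through the
 * dangling pointer. Returns 1 when the dangling read is caught as a
 * use-after-poison, 0 if it went undetected, -1 if the live read failed. */
int demo_use_after_poison(struct poison_site *who) {
    uint64_t *frame = arena_alloc(sizeof *frame);
    uint64_t v = 0;
    if (!frame) return -1;
    *frame = 0x1122334455667788ULL;
    if (checked_read64(frame, &v, who) != 0 || v != 0x1122334455667788ULL) return -1;
    arena_free(frame, sizeof *frame);            /* poisoned here */
    return checked_read64(frame, &v, who) != 0;  /* dangling read is caught */
}

int main(void) {
    struct poison_site who = {0, 0};
    if (demo_use_after_poison(&who) == 1)
        printf("use-after-poison detected; memory was poisoned in %s:%d\n",
               who.func, who.line);
    return 0;
}
```

The shadow check runs before the load, which is why the program finishes normally even under ASan; replacing checked_read64 in the last line of demo_use_after_poison with a plain `*frame` under -fsanitize=address is what reproduces the kind of report shown in the description, minus the poisoning site that this arena records for itself.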
Comment 4•7 years ago
If it's a very recent regression it might have been caused by bug 1285874?
Keywords: regressionwindow-wanted
Updated•7 years ago (Assignee)
Assignee: nobody → npancholi
Updated•7 years ago (Assignee)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated•4 years ago
Group: layout-core-security