Closed Bug 1344288 Opened 7 years ago Closed 7 years ago

use-after-poison in [@ nsCellMapColumnIterator::GetNextFrame]

Categories

(Core :: Layout: Tables, defect)

defect
Not set
critical

Tracking

RESOLVED DUPLICATE of bug 1344628
Tracking Status
firefox54 --- affected

People

(Reporter: tsmith, Assigned: neerja)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-framepoisoning, regressionwindow-wanted, testcase)

Attachments

(2 files)

Attached file log.txt
==15581==ERROR: AddressSanitizer: use-after-poison on address 0x625000cb8f80 at pc 0x7f8b0d43b652 bp 0x7ffe60d26f40 sp 0x7ffe60d26f38
READ of size 8 at 0x625000cb8f80 thread T0
    #0 0x7f8b0d43b651 in nsCellMapColumnIterator::GetNextFrame(int*, int*) /home/worker/workspace/build/src/layout/tables/nsCellMap.cpp:2704:18
    #1 0x7f8b0d43929b in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:311:29
    #2 0x7f8b0d437e18 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:429:5
    #3 0x7f8b0d437db9 in BasicTableLayoutStrategy::GetMinISize(nsRenderingContext*) /home/worker/workspace/build/src/layout/tables/BasicTableLayoutStrategy.cpp:48:9
    #4 0x7f8b0d486d04 in TableShrinkISizeToFit /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1772:22
    #5 0x7f8b0d486d04 in nsTableFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1808
    #6 0x7f8b0d188898 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4834:24
    #7 0x7f8b0d486ab2 in nsTableFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1739:5
    #8 0x7f8b0d4e10eb in nsTableWrapperFrame::ChildShrinkWrapISize(nsRenderingContext*, nsIFrame*, mozilla::WritingMode, mozilla::LogicalSize, int, int*) const /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:414:5
    #9 0x7f8b0d4e1ba0 in nsTableWrapperFrame::ComputeAutoSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:447:18
    #10 0x7f8b0d188898 in nsFrame::ComputeSize(nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:4834:24
...
see log.txt
Attached file test_case.html
Flags: in-testsuite?
Seems to work for me.

I also wish the use-after-poison reports had the stack of when the poisoning happened...
(In reply to David Baron :dbaron: ⌚️UTC-8 from comment #2)
> Seems to work for me.

This was just found on version 20170303-a793136c90bc. It does not seem to be reproducible even on builds from a few days ago. I have no issue reproducing this locally with a fresh profile.

> I also wish the use-after-poison reports had the stack of when the poisoning
> happened...

Not a bad idea, ASan feature request may be your best bet :)
If it's a very recent regression it might have been caused by bug 1285874?
Assignee: nobody → npancholi
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security