Closed Bug 1382213 Opened 3 years ago Closed 2 years ago

Use-after-poison in [@nsLayoutUtils::GetFloatContainingBlock(nsIFrame*)]

Categories

(Core :: Layout, defect, P2, critical)

33 Branch
defect

Tracking


RESOLVED FIXED
mozilla58
Tracking Status
firefox-esr52 --- wontfix
firefox55 --- wontfix
firefox56 --- wontfix
firefox57 + wontfix
firefox58 + fixed

People

(Reporter: jkratzer, Assigned: mats)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-framepoisoning, sec-other, testcase, Whiteboard: [adv-main58-][post-critsmash-triage])

Attachments

(4 files, 1 obsolete file)

Attached file prefs-servo.js (obsolete)
Found while fuzzing mozilla-inbound rev 20170718-1f8946e2012d using the attached prefs.  Testcase would not reproduce.

==23870==ERROR: AddressSanitizer: use-after-poison on address 0x6250020ce9f8 at pc 0x7f84bdc9f4e6 bp 0x7fffe1fd8540 sp 0x7fffe1fd8538
READ of size 8 at 0x6250020ce9f8 thread T0
    #0 0x7f84bdc9f4e5 in nsLayoutUtils::GetFloatContainingBlock(nsIFrame*) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:9179:33
    #1 0x7f84bdf066ea in ReparentFloatsForInlineChild /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:313:30
    #2 0x7f84bdf066ea in nsInlineFrame::DrainSelfOverflowListInternal(nsInlineFrame::DrainFlags, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:504
    #3 0x7f84bdf0648c in nsInlineFrame::DestroyFrom(nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:197:5
    #4 0x7f84bdd8089d in Destroy /home/worker/workspace/build/src/layout/generic/nsIFrame.h:655:20
    #5 0x7f84bdd8089d in nsBlockFrame::DoRemoveFrame(nsIFrame*, unsigned int) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6016
    #6 0x7f84bdf0cc3b in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1063:11
    #7 0x7f84bdd78504 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
    #8 0x7f84bdd76fab in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #9 0x7f84bdd6e419 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #10 0x7f84bdd68358 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
    #11 0x7f84bdd5f670 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2694:11
    #12 0x7f84bdd546d4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #13 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #14 0x7f84bddb50f5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:807:7
    #15 0x7f84bddb9a20 in ReflowColumns /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:505:19
    #16 0x7f84bddb9a20 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1143
    #17 0x7f84bddbab79 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1252:5
    #18 0x7f84bdd743ad in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #19 0x7f84bdd6a5d6 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3521:11
    #20 0x7f84bdd684c2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2870:5
    #21 0x7f84bdd5db60 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
    #22 0x7f84bdd546d4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #23 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #24 0x7f84bddb50f5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:807:7
    #25 0x7f84bddb9a20 in ReflowColumns /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:505:19
    #26 0x7f84bddb9a20 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1143
    #27 0x7f84bddbab79 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1252:5
    #28 0x7f84bdd743ad in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #29 0x7f84bdd8681f in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6393:9
    #30 0x7f84bdcf33c8 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:911:13
    #31 0x7f84bdcf1618 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #32 0x7f84bdf0c5e1 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:22
    #33 0x7f84bdf0c5e1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #34 0x7f84bdd78504 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
    #35 0x7f84bdd76fab in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #36 0x7f84bdd6e419 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #37 0x7f84bdd68358 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
    #38 0x7f84bdd5db60 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
    #39 0x7f84bdd546d4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #40 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #41 0x7f84bddb50f5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:807:7
    #42 0x7f84bddb9a20 in ReflowColumns /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:505:19
    #43 0x7f84bddb9a20 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1143
    #44 0x7f84bddbab79 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1252:5
    #45 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #46 0x7f84bddae767 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:752:5
    #47 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #48 0x7f84bde7111e in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:549:3
    #49 0x7f84bde7289e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:661:3
    #50 0x7f84bde75cea in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1037:3
    #51 0x7f84bdd3aba3 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:979:14
    #52 0x7f84bdd3952a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:329:7
    #53 0x7f84bdb454cc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9340:11
    #54 0x7f84bdb59121 in mozilla::PresShell::ProcessReflowCommands(bool) /home/worker/workspace/build/src/layout/base/PresShell.cpp:9513:24
    #55 0x7f84bdb581a4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/worker/workspace/build/src/layout/base/PresShell.cpp:4230:11
    #56 0x7f84b9b162b0 in FlushPendingNotifications /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:578:5
    #57 0x7f84b9b162b0 in nsDocument::FlushPendingNotifications(mozilla::FlushType) /home/worker/workspace/build/src/dom/base/nsDocument.cpp:8089
    #58 0x7f84b9c66074 in nsRange::CollectClientRectsAndText(nsLayoutUtils::RectCallback*, mozilla::dom::Sequence<nsString>*, nsRange*, nsINode*, int, nsINode*, int, bool, bool) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3119:34
    #59 0x7f84b9c68e07 in nsRange::GetBoundingClientRect(bool, bool) /home/worker/workspace/build/src/dom/base/nsRange.cpp:3201:3
    #60 0x7f84ba5ab866 in mozilla::dom::RangeBinding::getBoundingClientRect(JSContext*, JS::Handle<JSObject*>, nsRange*, JSJitMethodCallArgs const&) /home/worker/workspace/build/src/obj-firefox/dom/bindings/RangeBinding.cpp:1438:59
    #61 0x7f84bb59df80 in mozilla::dom::GenericBindingMethod(JSContext*, unsigned int, JS::Value*) /home/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3060:13
    #62 0x7f84c1b94f74 in CallJSNative /home/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
    #63 0x7f84c1b94f74 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:470
    #64 0x7f84c1b7dceb in CallFromStack /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:521:12
    #65 0x7f84c1b7dceb in Interpret(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3066
    #66 0x7f84c1b647e8 in js::RunScript(JSContext*, js::RunState&) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:410:12
    #67 0x7f84c1b97887 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /home/worker/workspace/build/src/js/src/vm/Interpreter.cpp:699:15
    #68 0x7f84c1be7aae in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:327:12
    #69 0x7f84c1be86fe in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/builtin/Eval.cpp:438:12
    #70 0x7f84c1db9b82 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /home/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2538:14
    #71 0x20254ceb0106  (<unknown module>)

0x6250020ce9f8 is located 4344 bytes inside of 8192-byte region [0x6250020cd900,0x6250020cf900)
allocated by thread T0 here:
    #0 0x4bb9ec in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7f84b6e37c5f in AllocateChunk /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
    #2 0x7f84b6e37c5f in InternalAllocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
    #3 0x7f84b6e37c5f in Allocate /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
    #4 0x7f84b6e37c5f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
    #5 0x7f84bdf045df in AllocateByFrameID /home/worker/workspace/build/src/layout/base/nsPresArena.h:38:12
    #6 0x7f84bdf045df in AllocateFrame /home/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:217
    #7 0x7f84bdf045df in operator new /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:45
    #8 0x7f84bdf045df in NS_NewInlineFrame(nsIPresShell*, nsStyleContext*) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:42
    #9 0x7f84bdc08c1b in nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsContainerFrame*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9265:16
    #10 0x7f84bdbb292a in SplitInlineAncestors(nsContainerFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:549:9
    #11 0x7f84bdbb33a9 in CreateContinuation(nsIFrame*, nsIFrame**, bool) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:662:10
    #12 0x7f84bdbb0990 in EnsureBidiContinuation /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1868:10
    #13 0x7f84bdbb0990 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:927
    #14 0x7f84bdbb3622 in nsBidiPresUtils::ResolveParagraphWithinBlock(BidiParagraphData*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1350:3
    #15 0x7f84bdbae7e4 in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1247:9
    #16 0x7f84bdbad7bf in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1267:9
    #17 0x7f84bdbab145 in nsBidiPresUtils::Resolve(nsBlockFrame*) /home/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:752:5
    #18 0x7f84bdd4df49 in ResolveBidi /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7567:10
    #19 0x7f84bdd4df49 in nsBlockFrame::GetMinISize(gfxContext*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:732
    #20 0x7f84bdc78803 in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5262:26
    #21 0x7f84bdc7cc76 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5395:10
    #22 0x7f84bdd4e363 in nsBlockFrame::GetMinISize(gfxContext*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:750:29
    #23 0x7f84bddbfd4b in ShrinkWidthToFit /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:5802:22
    #24 0x7f84bddbfd4b in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:846
    #25 0x7f84bddc69cc in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:5063:24
    #26 0x7f84bdcf5c0e in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:694:13
    #27 0x7f84bdcf2566 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:759:30
    #28 0x7f84bdcf1618 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /home/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #29 0x7f84bdf0c5e1 in AddFloat /home/worker/workspace/build/src/layout/generic/nsLineLayout.h:190:22
    #30 0x7f84bdf0c5e1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #31 0x7f84bdd78504 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
    #32 0x7f84bdd76fab in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
    #33 0x7f84bdd6e419 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
    #34 0x7f84bdd68358 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
    #35 0x7f84bdd5db60 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
    #36 0x7f84bdd546d4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #37 0x7f84bddafe2a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:935:14
    #38 0x7f84bddb50f5 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:807:7
    #39 0x7f84bddbaa2f in ReflowColumns /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:505:19
    #40 0x7f84bddbaa2f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1244

SUMMARY: AddressSanitizer: use-after-poison /home/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:9179:33 in nsLayoutUtils::GetFloatContainingBlock(nsIFrame*)
Shadow bytes around the buggy address:
  0x0c4a80411ce0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411cf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80411d30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f7]
  0x0c4a80411d40: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80411d50: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80411d80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==23870==ABORTING
[Exit code: -6]
Group: core-security → layout-core-security
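Two things a reader of the report above usually wants to check by hand: how ASan got from the faulting address to the bracketed shadow byte (x86-64 Linux default mapping: one shadow byte per 8 application bytes, shadow = (addr >> 3) + 0x7fff8000, so 0x6250020ce9f8 lands on 0x0c4a80411d3f, the [f7] "poisoned by user" byte), and what "use-after-poison" means for a frame arena, where the memory is still inside a live 8192-byte chunk and only the poison marker tells ASan the slot was freed. The following is an added example, not code from this bug or from Gecko. The arena, Frame struct, slot size and the destroy-order bug in it are an assumed simplification of the shape the trace shows (an inline frame's DestroyFrom draining its overflow list and calling GetFloatContainingBlock on an already-poisoned frame); they are not the actual root cause or fix. Built with -fsanitize=address the buggy function trips the same use-after-poison report; without ASan the poison macros become no-ops and it merely returns stale bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Real ASan poisoning macros when built with -fsanitize=address,
 * no-ops otherwise so the file still builds and runs plain. */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#else
#  define ASAN_POISON_MEMORY_REGION(a, n)   ((void)(a), (void)(n))
#  define ASAN_UNPOISON_MEMORY_REGION(a, n) ((void)(a), (void)(n))
#endif

/* ---- Decoding the report: default x86-64 Linux shadow mapping ---- */
uintptr_t asan_shadow_addr(uintptr_t addr) {
    return (addr >> 3) + 0x7fff8000u;
}

/* "is located N bytes inside of M-byte region [start,end)" */
size_t offset_in_region(uintptr_t addr, uintptr_t region_start) {
    return (size_t)(addr - region_start);
}

/* Shadow byte meaning, taken from the ASan legend in the report. */
const char *shadow_byte_meaning(uint8_t b) {
    if (b == 0x00) return "addressable";
    if (b >= 0x01 && b <= 0x07) return "partially addressable";
    switch (b) {
        case 0xf7: return "poisoned by user";
        case 0xfd: return "freed heap region";
        case 0xfa: return "heap left redzone";
        case 0xfb: return "heap right redzone";
        case 0xf8: return "stack use after scope";
        default:   return "other (see ASan legend)";
    }
}

/* ---- Toy arena that poisons freed slots like a frame arena (assumed) ---- */
#define SLOT_SIZE 64
#define NSLOTS    64

typedef struct Frame {
    struct Frame *parent;    /* the "containing block" this frame points at */
    struct Frame *overflow;  /* child still linked when the parent dies */
    int id;
} Frame;

static unsigned char g_chunk[SLOT_SIZE * NSLOTS];  /* one live chunk */
static int g_next_slot = 0;

Frame *arena_alloc(int id) {
    if (g_next_slot >= NSLOTS) return NULL;
    Frame *f = (Frame *)(g_chunk + SLOT_SIZE * g_next_slot++);
    ASAN_UNPOISON_MEMORY_REGION(f, SLOT_SIZE);
    memset(f, 0, sizeof *f);
    f->id = id;
    return f;
}

/* The slot stays inside the live chunk; only the poison marks it dead. */
void arena_free(Frame *f) {
    memset(f, 0xdb, SLOT_SIZE);              /* stale bytes, like a real free */
    ASAN_POISON_MEMORY_REGION(f, SLOT_SIZE);
}

/* Buggy order (assumed shape of the trace): parent released first, then
 * the child is drained and dereferences it. ASan: use-after-poison READ. */
int destroy_parent_then_drain_child(void) {
    Frame *parent = arena_alloc(1), *child = arena_alloc(2);
    child->parent = parent;
    parent->overflow = child;
    arena_free(parent);                      /* poisons parent's slot */
    int stale_id = child->parent->id;        /* the bug: reads poisoned memory */
    arena_free(child);
    return stale_id;
}

/* Correct order: drain and unlink the child while the parent is alive. */
int drain_child_then_destroy_parent(void) {
    Frame *parent = arena_alloc(3), *child = arena_alloc(4);
    child->parent = parent;
    parent->overflow = child;
    int cb_id = child->parent->id;           /* parent still addressable */
    child->parent = NULL;
    parent->overflow = NULL;
    arena_free(child);
    arena_free(parent);
    return cb_id;
}

int main(void) {
    uintptr_t bad = 0x6250020ce9f8u, start = 0x6250020cd900u;  /* from the report */
    printf("shadow of %#lx = %#lx -> %s\n", (unsigned long)bad,
           (unsigned long)asan_shadow_addr(bad), shadow_byte_meaning(0xf7));
    printf("offset in region: %zu bytes\n", offset_in_region(bad, start));
    printf("correct order reads containing block id %d\n", drain_child_then_destroy_parent());
    printf("buggy order (ASan aborts here if enabled): %d\n", destroy_parent_then_drain_child());
    return 0;
}
```

Build with `clang -fsanitize=address -g` to see the abort on the buggy read; the report will name the poisoned address, and `asan_shadow_addr` gives the shadow byte to look for in the "Shadow bytes around the buggy address" dump. Note the poisoned slot is addressable as far as the kernel is concerned, which is why this bug class is invisible without ASan or a frame-poisoning build.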
Jason: any way to get a testcase or repro? Not a lot to go on here.
Flags: needinfo?(jkratzer)
Unfortunately not.  The crash only occurred once and that test case was not reproducible.  I've set a watch to be notified if another crash matching that signature occurs.
Flags: needinfo?(jkratzer)
Triage: marking as incomplete. Please re-open if it comes up again and you get more data.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Status: RESOLVED → REOPENED
Resolution: INCOMPLETE → ---
Attached file Testcase
Reproducible testcase found to work with mozilla-central rev 20170905-3ecda4678c49.

==12302==ERROR: AddressSanitizer: use-after-poison on address 0x625001467a98 at pc 0x7fad747658f6 bp 0x7ffe0791ce80 sp 0x7ffe0791ce78
READ of size 8 at 0x625001467a98 thread T0
    #0 0x7fad747658f5 in nsLayoutUtils::GetFloatContainingBlock(nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:9285:33
    #1 0x7fad749c8079 in ReparentFloatsForInlineChild /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:312:30
    #2 0x7fad749c8079 in nsInlineFrame::DrainSelfOverflowListInternal(nsInlineFrame::DrainFlags, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:503
    #3 0x7fad749c7dec in nsInlineFrame::DestroyFrom(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:197:5
    #4 0x7fad74845e9d in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:660:20
    #5 0x7fad74845e9d in nsBlockFrame::DoRemoveFrame(nsIFrame*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6014
    #6 0x7fad749ce551 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1063:11
    #7 0x7fad7483d904 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #8 0x7fad7483c518 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #9 0x7fad74833fd9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #10 0x7fad7482dbd8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #11 0x7fad7482511d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2692:11
    #12 0x7fad7481a452 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #13 0x7fad748766aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #14 0x7fad7487b7c2 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:806:7
    #15 0x7fad74880c8f in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:504:19
    #16 0x7fad74880c8f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1243
    #17 0x7fad7483989d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #18 0x7fad7484ca6f in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6391:9
    #19 0x7fad747bbe0d in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:911:13
    #20 0x7fad747ba0b8 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #21 0x7fad749cdf01 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:183:22
    #22 0x7fad749cdf01 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #23 0x7fad7483d904 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #24 0x7fad7483c518 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #25 0x7fad74833fd9 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #26 0x7fad7482dbd8 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #27 0x7fad7482369f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #28 0x7fad7481a452 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #29 0x7fad748766aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #30 0x7fad7487b7c2 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:806:7
    #31 0x7fad7487fd70 in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:504:19
    #32 0x7fad7487fd70 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1142
    #33 0x7fad74880dd9 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1251:5
    #34 0x7fad748766aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #35 0x7fad74874f96 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:753:5
    #36 0x7fad748766aa in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #37 0x7fad74933e68 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:548:3
    #38 0x7fad7493551e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:660:3
    #39 0x7fad749386d0 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1036:3
    #40 0x7fad74801473 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #41 0x7fad747ffd9a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:332:7
    #42 0x7fad74603627 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9387:11
    #43 0x7fad74617701 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9560:24
    #44 0x7fad746169a0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4228:11
    #45 0x7fad7458d484 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:571:5
    #46 0x7fad7458d484 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1956
    #47 0x7fad7459b95b in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #48 0x7fad7459b95b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #49 0x7fad7459b644 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:328:5
    #50 0x7fad7459dc6b in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #51 0x7fad7459dc6b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #52 0x7fad74599297 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:529:20
    #53 0x7fad6da1333d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #54 0x7fad6da18978 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #55 0x7fad6e7b7821 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #56 0x7fad6e717b0b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #57 0x7fad6e717b0b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #58 0x7fad6e717b0b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #59 0x7fad73ea90ff in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #60 0x7fad77fed431 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
    #61 0x7fad781cebb1 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4643:22
    #62 0x7fad781d07a8 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4807:8
    #63 0x7fad781d1bdb in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4902:21
    #64 0x4eb673 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:236:22
    #65 0x4eb673 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:309
    #66 0x7fad8b72c82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
    #67 0x41d1c8 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41d1c8)

0x625001467a98 is located 4504 bytes inside of 8192-byte region [0x625001466900,0x625001468900)
allocated by thread T0 here:
    #0 0x4bba4c in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
    #1 0x7fad6d9c5e9f in AllocateChunk /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:179:15
    #2 0x7fad6d9c5e9f in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:214
    #3 0x7fad6d9c5e9f in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:72
    #4 0x7fad6d9c5e9f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:77
    #5 0x7fad744989a7 in AllocateByObjectID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:51:12
    #6 0x7fad744989a7 in AllocateByObjectID /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:223
    #7 0x7fad744989a7 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStruct.h:2680
    #8 0x7fad744989a7 in nsRuleNode::ComputeDisplayData(void*, nsRuleData const*, mozilla::GeckoStyleContext*, nsRuleNode*, nsRuleNode::RuleDetail, mozilla::RuleNodeCacheConditions) /builds/worker/workspace/build/src/layout/style/nsRuleNode.cpp:5622
    #9 0x7fad74473dfe in nsRuleNode::WalkRuleTree(nsStyleStructID, mozilla::GeckoStyleContext*) /builds/worker/workspace/build/src/layout/style/nsRuleNode.cpp:2832:10
    #10 0x7fad6fa47eb7 in nsStyleDisplay const* nsRuleNode::GetStyleDisplay<true>(mozilla::GeckoStyleContext*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:100:1
    #11 0x7fad7422ed43 in StyleDisplay /builds/worker/workspace/build/src/obj-firefox/layout/style/nsStyleStructList.h:100:1
    #12 0x7fad7422ed43 in mozilla::GeckoStyleContext::SetStyleBits() /builds/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:655
    #13 0x7fad74229c2a in FinishConstruction /builds/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:644:3
    #14 0x7fad74229c2a in mozilla::GeckoStyleContext::GeckoStyleContext(mozilla::GeckoStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, already_AddRefed<nsRuleNode>, bool) /builds/worker/workspace/build/src/layout/style/GeckoStyleContext.cpp:71
    #15 0x7fad74500e62 in NS_NewStyleContext(mozilla::GeckoStyleContext*, nsIAtom*, mozilla::CSSPseudoElementType, nsRuleNode*, bool) /builds/worker/workspace/build/src/layout/style/nsStyleContext.cpp:451:5
    #16 0x7fad7450de54 in nsStyleSet::GetContext(mozilla::GeckoStyleContext*, nsRuleNode*, nsRuleNode*, nsIAtom*, mozilla::CSSPseudoElementType, mozilla::dom::Element*, unsigned int) /builds/worker/workspace/build/src/layout/style/nsStyleSet.cpp:936:14
    #17 0x7fad745198ee in nsStyleSet::ResolveInheritingAnonymousBoxStyle(nsIAtom*, mozilla::GeckoStyleContext*) /builds/worker/workspace/build/src/layout/style/nsStyleSet.cpp:2138:10
    #18 0x7fad746a08df in ResolveInheritingAnonymousBoxStyle /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/StyleSetHandleInlines.h:146:3
    #19 0x7fad746a08df in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12399
    #20 0x7fad746a8eb4 in nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5107:3
    #21 0x7fad746afce7 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5071:10
    #22 0x7fad746aba36 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4018:7
    #23 0x7fad746b7960 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6408:3
    #24 0x7fad74696f86 in ConstructFramesFromItemList /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11041:5
    #25 0x7fad74696f86 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11355
    #26 0x7fad746a0c12 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12438:3
    #27 0x7fad7469caf2 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2757:5
    #28 0x7fad746bfede in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsIContent*, nsILayoutHistoryState*, bool, bool, TreeMatchContext*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8100:9
    #29 0x7fad746be87e in ContentRangeInserted /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.h:274:5
    #30 0x7fad746be87e in nsCSSFrameConstructor::ContentInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, bool) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7987
    #31 0x7fad745fd06c in mozilla::PresShell::Initialize(int, int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1817:26
    #32 0x7fad704df4c0 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1286:26
    #33 0x7fad6f5b705c in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:633:18
    #34 0x7fad6f5b2be2 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1148:17
    #35 0x7fad6f5afb32 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:466:27
    #36 0x7fad6f5b9e9b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:128:20
    #37 0x7fad6da1333d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #38 0x7fad6da18978 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #39 0x7fad6e7b7821 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #40 0x7fad6e717b0b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #41 0x7fad6e717b0b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #42 0x7fad6e717b0b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:9285:33 in nsLayoutUtils::GetFloatContainingBlock(nsIFrame*)
Shadow bytes around the buggy address:
  0x0c4a80284f00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284f10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284f20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284f30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284f40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80284f50: 00 00 00[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80284f60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00
  0x0c4a80284f70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284f80: 00 00 00 00 00 f7 f7 f7 00 00 00 00 00 00 00 00
  0x0c4a80284f90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80284fa0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==12302==ABORTING
Attached file prefs.js
Attachment #8887923 - Attachment is obsolete: true
Priority: -- → P2
INFO: Last good revision: 5ba7199ef8388481eff4f519c84ec2f61619bd01
INFO: First bad revision: 030533bed090ea932ca32d6af60ba22bde4345a8
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=5ba7199ef8388481eff4f519c84ec2f61619bd01&tochange=030533bed090ea932ca32d6af60ba22bde4345a8

Based on the testcase, that points to bug 1358018. Not sure if the insertRule usage in the testcase could be modified to make it reproduce further back, though.
Blocks: 1358018
Has Regression Range: --- → yes
Version: unspecified → 55 Branch
> Not sure if the insertRule usage in the testcase could be modified to make it reproduce further back, though.

It can.  Just pass `0` as the second arg.  Worth re-bisecting with that change to the testcase?
Flags: needinfo?(ryanvm)
Yep, that and a little -moz-columns love for bug 1300895 worked.

INFO: Last good revision: 829d3be6ba648b838ee1953fdfa1a477dace752f (2016-05-24)
INFO: First bad revision: d6d4e8417d2fd71fdf47c319b7a217f6ace9d5a5 (2016-05-25)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=829d3be6ba648b838ee1953fdfa1a477dace752f&tochange=d6d4e8417d2fd71fdf47c319b7a217f6ace9d5a5
Flags: needinfo?(ryanvm)
Version: 55 Branch → 49 Branch
Looks like we're in the middle of nsInlineFrame::DestroyFrom and we call nsInlineFrame::DrainSelfOverflowListInternal.  The first frame on the overflow list is a textframe whose parent is already gone and poisoned.

The fundamental problem is that we ended up with a situation where a textframe is on the OverflowList of an inline but its parent is the inline's prev-continuation.  Then we destroy that prev-continuation, and have a dangling parent pointer.  Then we go to destroy the inline that has the textframe on its overflow list and fail.

OK, so how did we get there?  I think it started with nsInlineFrame::Reflow grabbing the prevOverflowFrames from its prev-in-flow.  There are comments in there about the lazilySetParentPointer optimization, which is relevant.  We set lazilySetParentPointer to true.

Then we went to do ReflowFrames.  We had three of them that matter: a textframe, brframe, another textframe.  We set the parent of the first textframe to ourselves, reflowed it.  Then we did the same with the brframe.  As part of this we ended up doing nsInlineFrame::PushFrames and put the second textframe on our OverflowList.  After that back in ReflowFrames aStatus.IsInlineBreak() is true, so we set "done" to true.  Now we have this bit of code, if irs.mSetParentPointer (which is true in this case):

        // Keep reparenting the remaining siblings, but don't reflow them.
        nsFrameList* pushedFrames = GetOverflowFrames();
        if (pushedFrames && pushedFrames->FirstChild() == frame) {
          // Don't bother if |frame| was pushed to our overflow list.
          break;
        }

In this case, pushedFrames->FirstChild() is the second textframe.  "frame" is the brframe.  So we don't take the break.  But then we do:

    frame = frame->GetNextSibling();

and that returns null, because of course we pushed frame's next sibling to the overflow list.  So we never end up fixing up the parent on the overflow list.  I don't understand how the overflow list is supposed to get reparented here.  Which is bad, because I reviewed that code when it landed initially, in bug 765409...

Maybe the idea was that if things are going on our OverflowList then we don't need to worry about them too much, because our next-in-flow will pick them up and either set itself as parent or push them along.  But it looks like in this case that's not happening before we start deleting some continuations.

In particular, it looks like we push the stuff after the brframe to a new line in the block (makes sense).  Then back in nsBlockFrame::ReflowDirtyLines we have keepGoing false (maybe because we're not fitting already?), then we unwind back to the columnset, etc.

Anyway, mostly I don't know what the actual invariants are here....  Should the overflow list get reparented to the frame it's hanging off of?
Flags: needinfo?(mats)
Oh, and that regression range from comment 8?  That's when support for "overflow-wrap: break-word" (used in the testcase) landed.  I bet using "word-wrap: break-word" instead would let us go even further back in history, possibly all the way to bug 765409.
Blocks: 765409
Oh, bug 955857 was overflow-wrap support.
This looks very similar to bug 1403117. These two may actually just duplicate.
(In reply to Boris Zbarsky [:bz] (still digging out from vacation mail) from comment #9)
> Maybe the idea was that if things are going on our OverflowList then we
> don't need to worry about them too much, because our next-in-flow will pick
> them up and either set itself as parent or push them along.

Yes, IIUC this is an important part of the lazy re-parenting optimization.

> But it looks
> like in this case that's not happening before we start deleting some
> continuations.

nsInlineFrame::DestroyFrom is supposed to deal with this though:
http://searchfox.org/mozilla-central/rev/f54c1723befe6bcc7229f005217d5c681128fcad/layout/generic/nsInlineFrame.cpp#193

> Anyway, mostly I don't know what the actual invariants are here....  Should
> the overflow list get reparented to the frame it's hanging off of?

No, the invariants are that frames on the principal list have the right
parent, except temporarily during reflow.  The OverflowList however may
have frames with a stale parent pointer.  I think, but may be wrong,
that those pointers should always be one of our prev-in-flows when
they are stale though, and since nsContainerFrame::DeleteNextInFlowChild
destroys frames in reverse order:
http://searchfox.org/mozilla-central/rev/f54c1723befe6bcc7229f005217d5c681128fcad/layout/generic/nsContainerFrame.cpp#1410
we should never see a child in nsInlineFrame::DestroyFrom that has its
parent destroyed, but clearly some of that doesn't hold here.

I haven't debugged this yet though -- I'll take a look...
Assignee: nobody → mats
Flags: needinfo?(mats)
> and since nsContainerFrame::DeleteNextInFlowChild
> destroys frames in reverse order

nsBlockFrame::DoRemoveFrame doesn't do that though, so it's probably not
something we should depend on in general.  And in this case, it appears
the parent is indeed destroyed through nsBlockFrame::DoRemoveFrame.
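To make the invariant from the two comments above concrete, here is an added model (not Gecko code; Frame, InlineFrame, FindParentViolations, DestroyInline and the A/B/T scenario are all invented for it) that checks an inline's child lists against that invariant and replays the destruction order from comment 9 both ways.

```cpp
#include <cstdio>
#include <string>
#include <vector>

// Model types (invented for this example; not Gecko's nsIFrame/nsInlineFrame).
struct Frame {
  std::string name;
  Frame* parent = nullptr;  // may be stale while the frame sits on an overflow list
  bool destroyed = false;   // stands in for frame poisoning
};

struct InlineFrame : Frame {
  InlineFrame* prevInFlow = nullptr;
  std::vector<Frame*> principal;  // invariant: parent == this, except during reflow
  std::vector<Frame*> overflow;   // parent may lag behind: this or a prev-in-flow
};

static bool IsSelfOrPrevInFlow(const InlineFrame* self, const Frame* p) {
  for (const InlineFrame* f = self; f; f = f->prevInFlow)
    if (f == p) return true;
  return false;
}

// Checks the invariant from comment 12: principal-list frames must point at
// their owner; overflow-list frames may point at a prev-in-flow, but only one
// that is still alive. A destroyed parent is what DestroyFrom dereferenced.
std::vector<std::string> FindParentViolations(const InlineFrame* self) {
  std::vector<std::string> out;
  for (const Frame* f : self->principal)
    if (f->parent != self)
      out.push_back(f->name + ": principal-list frame not parented to owner");
  for (const Frame* f : self->overflow) {
    if (!IsSelfOrPrevInFlow(self, f->parent))  // also catches a null parent
      out.push_back(f->name + ": overflow-list parent is neither owner nor prev-in-flow");
    else if (f->parent->destroyed)
      out.push_back(f->name + ": overflow-list parent already destroyed");
  }
  return out;
}

// Destruction as the pre-fix DestroyFrom did it: drain the overflow list,
// which follows each child's parent pointer. Returns what the check saw at
// that moment; a non-empty list is the use-after-poison from the report.
std::vector<std::string> DestroyInline(InlineFrame* self) {
  std::vector<std::string> seen = FindParentViolations(self);
  for (Frame* f : self->overflow) f->parent = self;  // reparent drained frames
  self->overflow.clear();
  self->destroyed = true;
  return seen;
}

// Constructed state from comment 9: inline B took A's overflow frames with
// lazily-set parents and pushed text frame T to its own overflow list, so T
// sits on B's list while still pointing at B's prev-continuation A.
struct Scenario {
  InlineFrame a, b;
  Frame t;
  Scenario() {
    a.name = "A"; b.name = "B"; t.name = "T";
    b.prevInFlow = &a;
    t.parent = &a;
    b.overflow.push_back(&t);
  }
};

// Order nsContainerFrame::DeleteNextInFlowChild uses (comment 12): B, then A.
std::vector<std::string> DestroyReverseOrder() {
  Scenario s;
  std::vector<std::string> v = DestroyInline(&s.b);  // A still alive
  std::vector<std::string> w = DestroyInline(&s.a);
  v.insert(v.end(), w.begin(), w.end());
  return v;
}

// Order the crash took through nsBlockFrame::DoRemoveFrame (comment 13): A first.
std::vector<std::string> DestroyForwardOrder() {
  Scenario s;
  std::vector<std::string> v = DestroyInline(&s.a);
  std::vector<std::string> w = DestroyInline(&s.b);  // T's parent is already gone
  v.insert(v.end(), w.begin(), w.end());
  return v;
}

int main() {
  for (const std::string& m : DestroyReverseOrder()) std::printf("reverse: %s\n", m.c_str());
  for (const std::string& m : DestroyForwardOrder()) std::printf("forward: %s\n", m.c_str());
  return 0;
}
```

The reverse order reports nothing; the forward order reports T's parent as already destroyed, which is the state the ASan trace above caught in GetFloatContainingBlock.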
tracking as sec-high.
Duplicate of this bug: 1403117
Frame-poisoning should prevent this from being exploitable.

The regression range in bug 1403117 comment 11 seems accurate to me.
Bug 1001994 made nsInlineFrame::DestroyFrom depend on ancestors
(at least up to the nearest block) being alive at that point, which
doesn't hold due to lazy reparenting.
Blocks: 1001994
No longer blocks: 765409
OS: Unspecified → All
Hardware: Unspecified → All
Version: 49 Branch → 33 Branch
Attached patch fixSplinter Review
I think the solution here is "don't do that".

So, floats can be pushed in two ways, either from nsBlockFrame::PushLines
which collects the floats for any placeholders in those lines and puts
them on the OverflowOutOfFlowList:
http://searchfox.org/mozilla-central/rev/1033bfa26f6d42c1ef48621909f04e734a7ed8a3/layout/generic/nsBlockFrame.cpp#4806,4815-4817
Those floats are then picked up (and reparented) by the block continuation,
in Reflow -> DrainOverflowLines:
http://searchfox.org/mozilla-central/rev/1033bfa26f6d42c1ef48621909f04e734a7ed8a3/layout/generic/nsBlockFrame.cpp#4896,4907-4908

They can also be pushed by nsBlockFrame::SplitFloat/ReflowPushedFloats
to the PushedFloat list, through BlockReflowInput::AppendPushedFloatChain.
http://searchfox.org/mozilla-central/rev/1033bfa26f6d42c1ef48621909f04e734a7ed8a3/layout/generic/BlockReflowInput.cpp#462-463
which are picked up (and reparented) by the block continuation in
Reflow -> DrainPushedFloats:
http://searchfox.org/mozilla-central/rev/1033bfa26f6d42c1ef48621909f04e734a7ed8a3/layout/generic/nsBlockFrame.cpp#5059

So, on a Reflow path, all floats that come from overflow lists should already
have the correct parent.  The only case where nsInlineFrame needs to handle
this (by calling ReparentFloatsForInlineChild) is when it *pulls* frames
from a next-in-flow, because then the blocks aren't involved and we may
pull a placeholder through a block continuation boundary.

The ReparentFloatsForInlineChild stuff dates back a decade to bug 368863.
As you can see here:
https://hg.mozilla.org/mozilla-central/rev/7c197dc39adb#l6.101
it added a call also in nsInlineFrame::Reflow, as well as in ReflowFrames
for pulled frames.  I believe only the latter was ever needed, but the former
(for pushed frames*) has been copied to all code that fixes up lazy-reparenting
ever since.  That's why it was added to DestroyFrom.

So, I think most ReparentFloatsForInlineChild calls in nsInlineFrame are
unnecessary -- it's only needed when we pull up frames.
I'll remove those in a follow-up bug to minimize risk for v57, assuming
we want to uplift the fix here.

(*) I don't know why we added it for both cases; bug 368863 comment 5 only
mentions PullOneFrame as the culprit, but then bug 368863 comment 6 says
"to ensure that whenever child frames get pushed or pulled, we reparent
the floats associated with any placeholders that may be moving", but
that shouldn't be necessary since nsInlineFrame doesn't "pull" frames
from its prev-in-flows.  Perhaps it was mostly "for symmetry"?
Attachment #8916647 - Flags: review?(dholbert)
This removes the other unnecessary ReparentFloatsForInlineChild calls,
leaving only one call, for the pull case.  I'll do this part in
a follow-up bug.
Fwiw, all tests pass with both these patches.
@dholbert: FYI, there's another crash analysis with frame dumps
in bug 1403117 comment 14.
Observation, as I familiarize myself with this stuff: it looks like the main patch here is revising/removing chunks of code that were all added in mozilla-central changeset a5d6027756ae, from bug 1001994 (which makes sense, given comment 17).

(specifically: the main patch tweaks nsInlineFrame::DestroyFrom, the condition for doReparentSC, and the "eForDestroy" DrainFlags value)
Comment on attachment 8916647 [details] [diff] [review]
fix

Review of attachment 8916647 [details] [diff] [review]:
-----------------------------------------------------------------

I think this makes sense -- it seems reasonable to expect that child frames (in the overflow child-list) would be expected to have their GetParent() return "this".

(I don't know much about the lazy-parent mechanism you're describing.  It sounds like the parent pointer can't be trusted, for as long as these frames are in the overflow list? And whoever removes the frames from the overflow list is responsible for setting the frames' parent pointer, or something like that?  But anyway, I can see the laziness becoming moot when we start destroying stale parent frames that are being pointed at.  So, bottom line, it seems sensible to enforce that the child<->parent relationship be symmetrical when we're destroying.)

r=me
Attachment #8916647 - Flags: review?(dholbert) → review+
(In reply to Mats Palmgren (:mats) from comment #18)
> I'll remove those in a follow-up bug to minimize risk for v57, assuming
> we want to uplift the fix here.

I'd probably lean against a 57 uplift here, since we're weeks away from a 57 release, and the risk/reward threshold for 57 is pretty strict.

My view of the risk/reward for uplift of this particular bug:
 - the risk is nonzero, since tweaks to frame destruction code can be tricky and can introduce new crashes (like this very bug).
 - the reward isn't too huge -- it's good to fix a crash, but this isn't a recent regression, so release users are already affected by this.  And it's not a crash signature that's spiking in the wild (AFAICT), so there may not be many (any?) affected users in the wild.  And it's unlikely to be exploitable (comment 17), so there's no strong security need to get this to users.
Yeah, I agree with that.
Should we wontfix for esr52 as well?
https://hg.mozilla.org/mozilla-central/rev/3d92004f2c02
Status: REOPENED → RESOLVED
Closed: 3 years ago → 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Group: layout-core-security → core-security-release
Whiteboard: [adv-main58-]
Flags: qe-verify-
Whiteboard: [adv-main58-] → [adv-main58-][post-critsmash-triage]
Group: core-security-release