1398581 - heap-use-after-free in nsFirstLetterFrame::CreateContinuationForFloatingParent (Stylo)

Status: VERIFIED FIXED

Description

[Nils]

Attachment: ASAN output

The following testcase crashes the latest ASAN build of Firefox (BuildID=20170910080726)

crash.html:
<script>
function start() {
	o3=document.createElement('div');
	document.body.appendChild(o3);
	o14=document.createElement('style');
	document.documentElement.appendChild(o14);
	o18=document.createElement('style');
	o14.appendChild(o18);
	s4=unescape('%u06A10');
	o3.appendChild(document.createTextNode(s4));
	o59=document.createTextNode("{}:first-letter{ all: inherit;'x'}\n*{ float: left}:first-line{");
	o18['before'](o18,-1,o59);
	document.documentElement.offsetHeight;
	o3.appendChild(document.createTextNode("x"));
}
</script>
<body onload="start()"></body>

ASAN output:
=================================================================
==19480==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7f550e065aa8 at pc 0x7f5504d81bf8 bp 0x7ffc82e060f0 sp 0x7ffc82e060e8
READ of size 8 at 0x7f550e065aa8 thread T0 (file:// Content)
    #0 0x7f5504d81bf7 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:398:16
    #1 0x7f5504d81bf7 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1176
    #2 0x7f5504d81bf7 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:412
    #3 0x7f5504d81bf7 in Get<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:234
    #4 0x7f5504d81bf7 in GetProperty<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3498
    #5 0x7f5504d81bf7 in GetPlaceholderFrame /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:875
    #6 0x7f5504d81bf7 in nsFirstLetterFrame::CreateContinuationForFloatingParent(nsPresContext*, nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:317
    #7 0x7f5504b6d4fd in CreateContinuation(nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:649:23
    #8 0x7f5504b6ac50 in EnsureBidiContinuation /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1870:10
    #9 0x7f5504b6ac50 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:929
    #10 0x7f5504b655d2 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:767:10
    #11 0x7f5504d04d5c in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7564:10
    #12 0x7f5504d04d5c in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:732
    #13 0x7f5504c2e95e in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5302:26
    #14 0x7f5504c32866 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5435:10
    #15 0x7f5504ee33a5 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:78:7
    #16 0x7f5504d75e1f in nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:798:14
    #17 0x7f5504d050fe in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
    #18 0x7f5504d76507 in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5800:22
    #19 0x7f5504d76507 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:843
    #20 0x7f5504d7ceb1 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5059:24
    #21 0x7f5504caf5ee in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:694:13
    #22 0x7f5504cabb16 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:759:30
    #23 0x7f5504caac38 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #24 0x7f5504ebed81 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:183:22
    #25 0x7f5504ebed81 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #26 0x7f5504ebcb62 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:797:15
    #27 0x7f5504ebafd6 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:680:7
    #28 0x7f5504ec3763 in nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1212:3
    #29 0x7f5504ebe9a9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
    #30 0x7f5504d2e384 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #31 0x7f5504d2cf98 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #32 0x7f5504d24a59 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #33 0x7f5504d1e658 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #34 0x7f5504d1415f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #35 0x7f5504d0af12 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #36 0x7f5504d6707a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #37 0x7f5504d65966 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:753:5
    #38 0x7f5504d6707a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #39 0x7f5504e24be8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:548:3
    #40 0x7f5504e2629e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:660:3
    #41 0x7f5504e29449 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1036:3
    #42 0x7f5504cf1f63 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #43 0x7f5504cf088a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:332:7
    #44 0x7f5504af2b47 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9404:11
    #45 0x7f5504b06b01 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9577:24
    #46 0x7f5504b05da0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4205:11
    #47 0x7f550288aefd in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
    #48 0x7f550288aefd in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5175
    #49 0x7f550288aefd in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:735
    #50 0x7f5504b2d34c in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8153:19
    #51 0x7f5504b2f097 in mozilla::PresShell::HandlePositionedEvent(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7951:10
    #52 0x7f5504b2a381 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*, nsIContent**) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7748:12
    #53 0x7f550431aaee in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:803:14
    #54 0x7f550431a313 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1140:9
    #55 0x7f5504375044 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:395:35
    #56 0x7f54fffca9b3 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:498:21
    #57 0x7f5503c104fb in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1755:10
    #58 0x7f5503c104fb in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1694
    #59 0x7f5503c10d84 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1645:8
    #60 0x7f5503c10d84 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1641
    #61 0x7f54ff25333c in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3444:20
    #62 0x7f54ff3a8ee1 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5194:28
    #63 0x7f54fec7cf59 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2119:25
    #64 0x7f54fec79d34 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:17
    #65 0x7f54fec7b544 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1891:5
    #66 0x7f54fec7bb98 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1924:15
    #67 0x7f54fdeb3e10 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #68 0x7f54fdedadcd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #69 0x7f54fdee0af8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #70 0x7f54fec84b21 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #71 0x7f54febe586b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #72 0x7f54febe586b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #73 0x7f54febe586b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #74 0x7f550439da5f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #75 0x7f55086deb47 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:22
    #76 0x7f54febe586b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #77 0x7f54febe586b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #78 0x7f54febe586b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #79 0x7f55086de5b0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #80 0x4eb873 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #81 0x4eb873 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:285
    #82 0x7f551b51682f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #83 0x41d1c8 in _start (/fuzzer3/firefox/firefox+0x41d1c8)

0x7f550e065aa8 is located 56 bytes to the left of global variable 'tPath' defined in '/builds/worker/workspace/build/src/xpcom/io/SpecialSystemDirectory.cpp:504:26' (0x7f550e065ae0) of size 8
0x7f550e065aa8 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' defined in '/builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:14:32' (0x7f550e065aa0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /builds/worker/workspace/build/src/layout/base/FrameProperties.h:398:16 in Equals
Shadow bytes around the buggy address:
  0x0feb21c04b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0feb21c04b10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
  0x0feb21c04b20: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04b30: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0feb21c04b40: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0feb21c04b50: 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04b60: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04b70: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04b80: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04b90: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0feb21c04ba0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19480==ABORTING
[Parent 19443] WARNING: pipe error (39): Connection reset by peer: file /builds/worker/workspace/build/src/ipc/chromium/src/chrome/common/ipc_channel_posix.cc, line 353

###!!! [Parent][MessageChannel] Error: (msgtype=0x150069,name=PBrowser::Msg_SynthMouseMoveEvent) Channel error: cannot send/recv


###!!! [Parent][MessageChannel] Error: (msgtype=0x24001E,name=PContent::Msg_NotifyVisited) Channel error: cannot send/recv


###!!! [Parent][MessageChannel] Error: (msgtype=0x150001,name=PBrowser::Msg_AsyncMessage) Channel error: cannot send/recv


###!!! [Parent][MessageChannel] Error: (msgtype=0x150001,name=PBrowser::Msg_AsyncMessage) Channel error: cannot send/recv


###!!! [Parent][MessageChannel] Error: (msgtype=0x150081,name=PBrowser::Msg_Destroy) Channel error: cannot send/recv

=================================================================
==19551==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fd3ccc73aa8 at pc 0x7fd3c398fbf8 bp 0x7ffc9e1390f0 sp 0x7ffc9e1390e8
READ of size 8 at 0x7fd3ccc73aa8 thread T0 (Web Content)
    #0 0x7fd3c398fbf7 in Equals /builds/worker/workspace/build/src/layout/base/FrameProperties.h:398:16
    #1 0x7fd3c398fbf7 in IndexOf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1176
    #2 0x7fd3c398fbf7 in GetInternal /builds/worker/workspace/build/src/layout/base/FrameProperties.h:412
    #3 0x7fd3c398fbf7 in Get<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/base/FrameProperties.h:234
    #4 0x7fd3c398fbf7 in GetProperty<nsPlaceholderFrame> /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3498
    #5 0x7fd3c398fbf7 in GetPlaceholderFrame /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:875
    #6 0x7fd3c398fbf7 in nsFirstLetterFrame::CreateContinuationForFloatingParent(nsPresContext*, nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:317
    #7 0x7fd3c377b4fd in CreateContinuation(nsIFrame*, nsIFrame**, bool) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:649:23
    #8 0x7fd3c3778c50 in EnsureBidiContinuation /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1870:10
    #9 0x7fd3c3778c50 in nsBidiPresUtils::ResolveParagraph(BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:929
    #10 0x7fd3c37735d2 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:767:10
    #11 0x7fd3c3912d5c in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7564:10
    #12 0x7fd3c3912d5c in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:732
    #13 0x7fd3c383c95e in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5302:26
    #14 0x7fd3c3840866 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, nsLayoutUtils::IntrinsicISizeType, unsigned int) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:5435:10
    #15 0x7fd3c3af13a5 in nsPlaceholderFrame::AddInlineMinISize(gfxContext*, nsIFrame::InlineMinISizeData*) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:78:7
    #16 0x7fd3c3983e1f in nsContainerFrame::DoInlineIntrinsicISize(gfxContext*, nsIFrame::InlineIntrinsicISizeData*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:798:14
    #17 0x7fd3c39130fe in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:770:16
    #18 0x7fd3c3984507 in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5800:22
    #19 0x7fd3c3984507 in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:843
    #20 0x7fd3c398aeb1 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5059:24
    #21 0x7fd3c38bd5ee in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:694:13
    #22 0x7fd3c38b9b16 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:759:30
    #23 0x7fd3c38b8c38 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:629:14
    #24 0x7fd3c3accd81 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:183:22
    #25 0x7fd3c3accd81 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:962
    #26 0x7fd3c3acab62 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:797:15
    #27 0x7fd3c3ac8fd6 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:680:7
    #28 0x7fd3c3ad1763 in nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1212:3
    #29 0x7fd3c3acc9a9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
    #30 0x7fd3c393c384 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #31 0x7fd3c393af98 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #32 0x7fd3c3932a59 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #33 0x7fd3c392c658 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2871:5
    #34 0x7fd3c392215f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2407:7
    #35 0x7fd3c3918f12 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1233:3
    #36 0x7fd3c397507a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #37 0x7fd3c3973966 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:753:5
    #38 0x7fd3c397507a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #39 0x7fd3c3a32be8 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:548:3
    #40 0x7fd3c3a3429e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:660:3
    #41 0x7fd3c3a37449 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1036:3
    #42 0x7fd3c38fff63 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
    #43 0x7fd3c38fe88a in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:332:7
    #44 0x7fd3c3700b47 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9404:11
    #45 0x7fd3c3714b01 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9577:24
    #46 0x7fd3c3713da0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4205:11
    #47 0x7fd3c368ad94 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #48 0x7fd3c368ad94 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1956
    #49 0x7fd3c3699a2f in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #50 0x7fd3c3699a2f in mozilla::InactiveRefreshDriverTimer::TickOne() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:958
    #51 0x7fd3bcb07756 in nsTimerImpl::Fire(int) /builds/worker/workspace/build/src/xpcom/threads/nsTimerImpl.cpp:514:7
    #52 0x7fd3bcada0f6 in nsTimerEvent::Run() /builds/worker/workspace/build/src/xpcom/threads/TimerThread.cpp:286:11
    #53 0x7fd3bcae8dcd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
    #54 0x7fd3bcaeeaf8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:521:10
    #55 0x7fd3bd892b16 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #56 0x7fd3bd7f386b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #57 0x7fd3bd7f386b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #58 0x7fd3bd7f386b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #59 0x7fd3c2faba5f in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #60 0x7fd3c72ecb47 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:866:22
    #61 0x7fd3bd7f386b in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #62 0x7fd3bd7f386b in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #63 0x7fd3bd7f386b in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #64 0x7fd3c72ec5b0 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:691:34
    #65 0x4eb873 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #66 0x4eb873 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:285
    #67 0x7fd3da12482f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #68 0x41d1c8 in _start (/fuzzer3/firefox/firefox+0x41d1c8)

0x7fd3ccc73aa8 is located 56 bytes to the left of global variable 'tPath' defined in '/builds/worker/workspace/build/src/xpcom/io/SpecialSystemDirectory.cpp:504:26' (0x7fd3ccc73ae0) of size 8
0x7fd3ccc73aa8 is located 0 bytes to the right of global variable 'nsTArrayHeader::sEmptyHdr' defined in '/builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:14:32' (0x7fd3ccc73aa0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /builds/worker/workspace/build/src/layout/base/FrameProperties.h:398:16 in Equals
Shadow bytes around the buggy address:
  0x0ffaf9986700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffaf9986710: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
  0x0ffaf9986720: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf9986730: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9
  0x0ffaf9986740: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
=>0x0ffaf9986750: 00 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf9986760: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf9986770: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf9986780: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf9986790: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x0ffaf99867a0: f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==19551==ABORTING

Comment 1

[Nils]

Attachment: crash.html (minimised testcases)

Comment 2

[Nils]

Attachment: crash.html (minimised testcase)

Wrong testcase

Comment 3

[Nils]

Attachment: ASAN output

Wrong ASAN output

Comment 4

[Ryan VanderMeulen [:RyanVM]]

INFO: Last good revision: 77865d6f19c17d0a16c86fb2511d85091007315f
INFO: First bad revision: 63ebcdc4d3ab1ef3f2a70590f04a41291253f536
INFO: Pushlog:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=77865d6f19c17d0a16c86fb2511d85091007315f&tochange=63ebcdc4d3ab1ef3f2a70590f04a41291253f536

Comment 5

[Xidorn Quan [:xidorn] UTC+10]

When I run open the test page in a debug build, it asserts with "HasAnyStateBits(NS_FRAME_OUT_OF_FLOW)" inside GetPlaceholderFrame(), so this is a first-letter frame which has float but doesn't have NS_FRAME_OUT_OF_FLOW bit set, which sounds wrong.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

(In reply to Xidorn Quan [:xidorn] UTC+10 from comment #5)
> When I run open the test page in a debug build, it asserts with
> "HasAnyStateBits(NS_FRAME_OUT_OF_FLOW)" inside GetPlaceholderFrame(), so
> this is a first-letter frame which has float but doesn't have
> NS_FRAME_OUT_OF_FLOW bit set, which sounds wrong.

Yeah, and this is because we try to reparent an in-flow first-letter frame style, and it ends up inheriting the float value from our parent due to the all: inherit rule.

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Now, changing from float: none to float: left on the parent should've reframed it...

Comment 8

[Emilio Cobos Álvarez (:emilio)]

So, this is because when creating the first-letter frame, we end up unconditionally inheriting from the first-line (non-floated), not from the block (which is floated).

When we reparent the style context we (correctly) use newParentIgnoringFirstLine.

So I think we need to move that logic to the "create a first-letter" bit.

Comment 9

[Emilio Cobos Álvarez (:emilio)]

Attachment: Patch

Comment 10

[Emilio Cobos Álvarez (:emilio)]

Boris, maybe you could review this?

See the commit message, I think this is the less disruptive patch (and a first-letter inheriting from a first-line is already uncommon).

But let me know if you want me to pass the parent style ignoring first-line around instead or what not.

Comment 11

[Emilio Cobos Álvarez (:emilio)]

Comment on attachment 8906511 [details] [diff] [review]
Patch

Well, cam reviewed bug 1385656, so presumably he can review this as well, and he has the review queue open.

Comment 12

[Emilio Cobos Álvarez (:emilio)]

I wonder if we could revert bug bug 1385656 after this patch...

Comment 13

[Cameron McCormack (:heycam)]

Comment on attachment 8906511 [details] [diff] [review]
Patch

Review of attachment 8906511 [details] [diff] [review]:
-----------------------------------------------------------------

I think this is OK.  It is kind of unfortunate that we need to go through a ReparentStyleContext rather than some other function that can give us a correctly inherited style context to begin with, but it's probably not a big deal.

Comment 14

[Emilio Cobos Álvarez (:emilio)]

So, cam mentioned that we were not doing the same in nsBlockFrame::UpdateFirstLetterStyle. I think it's correct because of the reparenting we do when updating first-line styles afterwards.

However, the fact that we compute change hints for it means that we'll compute the change hint with the floating style, and thus reframe unnecessarily. I think it's not a huge deal though, maybe worth filing a followup after this lands.

Comment 15

[Emilio Cobos Álvarez (:emilio)]

remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/56e721e30ceeb603152186df7b23f2a60fec38eb

Comment 16

[Boris Zbarsky [PTO through Aug 25, :bzbarsky, bz on IRC]]

Emilio, thank you for picking this up!

I have two nits about the patch:

1)  I believe the block at http://searchfox.org/mozilla-central/rev/00fa5dacedb925022f53d025121f1a919508e7ce/layout/base/nsCSSFrameConstructor.cpp#12259-12270 can go away now.

2)  The aNewLayoutParent to ReparentStyleContext should be parentStyleContext->AsServo(), not parentStyleIgnoringFirstLine.  I use "should" in the loosest possible sense, because the interaction of all this stuff with display:contents in the spec is at best "unspecified".

Comment 17

[Daniel Veditz [:dveditz]]

This crashes opt builds as well: bp-0b230792-cb70-4db7-aa64-102100170911

Comment 18

[Emilio Cobos Álvarez (:emilio)]

Followups and crashtest:

  remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/d5a9ae0983b8f2111b131bdf2480ea77ceb264e7
  remote:   https://hg.mozilla.org/integration/mozilla-inbound/rev/a0075a30bc7f657f5896c77f7ea5b7da081ec1c4

Comment 19

[Wes Kocher (:KWierso)]

https://hg.mozilla.org/mozilla-central/rev/56e721e30cee
https://hg.mozilla.org/mozilla-central/rev/d5a9ae0983b8
https://hg.mozilla.org/mozilla-central/rev/a0075a30bc7f

Comment 21

[Matt Wobensmith [:mwobensmith][:matt:]]

Confirmed on Fx57.0a1, 2017-09-10
Verified fixed on Fx57.0a1, 2017-09-14