Bug 1404772 (Closed)
AddressSanitizer: heap-buffer-overflow [@ TextContainsLineBreakerWhiteSpace] with READ of size 1 at layout/generic/nsTextFrame.cpp:1214:36
Opened 7 years ago, closed 7 years ago
Categories: Core :: Layout: Text and Fonts, defect
Status: RESOLVED DUPLICATE of bug 1402036
People: Reporter jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase
Found while fuzzing mozilla-central rev 76a26ef7c493. Will update with a reduced testcase shortly.
==23451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020003e4e4e at pc 0x7f83e96995aa bp 0x7ffc282e4930 sp 0x7ffc282e4928
READ of size 1 at 0x6020003e4e4e thread T0
#0 0x7f83e96995a9 in TextContainsLineBreakerWhiteSpace /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1214:36
#1 0x7f83e96995a9 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1393
#2 0x7f83e9699ab4 in BuildTextRunsScanner::FindBoundaries(nsIFrame*, BuildTextRunsScanner::FindBoundaryState*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1411:33
#3 0x7f83e96abf4e in BuildTextRuns /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1557:19
#4 0x7f83e96abf4e in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:2878
#5 0x7f83e96edfd6 in nsTextFrame::ReflowText(nsLineLayout&, int, mozilla::gfx::DrawTarget*, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:9495:5
#6 0x7f83e962791c in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:924:7
#7 0x7f83e9625bf4 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:756:15
#8 0x7f83e962404d in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:638:7
#9 0x7f83e9623298 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:417:3
#10 0x7f83e9627a79 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
#11 0x7f83e9496ac4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4220:15
#12 0x7f83e94956d8 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4016:5
#13 0x7f83e948d169 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3890:9
#14 0x7f83e9486d98 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2873:5
#15 0x7f83e947c89f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2409:7
#16 0x7f83e9473652 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1235:3
#17 0x7f83e94cf47a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
#18 0x7f83e94d4606 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:807:7
#19 0x7f83e94d9a5e in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:504:19
#20 0x7f83e94d9a5e in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1242
#21 0x7f83e94cf47a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
#22 0x7f83e94cddb1 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:752:5
#23 0x7f83e94cf47a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
#24 0x7f83e958f278 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:550:3
#25 0x7f83e959092e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:662:3
#26 0x7f83e9593ad9 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1039:3
#27 0x7f83e945a733 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:976:14
#28 0x7f83e9459095 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:330:7
#29 0x7f83e9257acc in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8936:11
#30 0x7f83e926bb01 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9109:24
#31 0x7f83e926ad67 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4182:11
#32 0x7f83e51c2760 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
#33 0x7f83e51c2760 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8499
#34 0x7f83e4f79113 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2303:10
#35 0x7f83e4f79113 in mozilla::dom::Element::GetStyledFrame() /builds/worker/workspace/build/src/dom/base/Element.cpp:666
#36 0x7f83e74676ab in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:282:21
#37 0x7f83e69ef5f5 in OffsetLeft /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:221:5
#38 0x7f83e69ef5f5 in mozilla::dom::HTMLElementBinding::get_offsetLeft(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:1052
#39 0x7f83e6cb9ee6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:13
#40 0x7f83ed104714 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#41 0x7f83ed104714 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
#42 0x7f83ed10614f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
#43 0x7f83ed10614f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
#44 0x7f83ed10614f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
#45 0x7f83ee0a60b3 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2122:16
#46 0x7f83ee0a60b3 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2175
#47 0x7f83ee0a60b3 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2378
#48 0x7f83ee0a60b3 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2414
#49 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:12
#50 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:813
#51 0x7f83ed10eb48 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
#52 0x7f83ed0f1430 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
#53 0x7f83ed0f1430 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
#54 0x7f83ed0d5939 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
#55 0x7f83ed107027 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
#56 0x7f83ed107892 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
#57 0x7f83edb57d09 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
#58 0x7f83e52bfde9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
#59 0x7f83e899e7d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
#60 0x7f83e8999c0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
#61 0x7f83e897d465 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
#62 0x7f83e89799c8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
#63 0x7f83e41de17f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
#64 0x7f83e41de17f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
#65 0x7f83e41d7c2a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
#66 0x7f83e41e299f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
#67 0x7f83e2439722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
#68 0x7f83e24533f8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:524:10
#69 0x7f83e31e3541 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
#70 0x7f83e31458ab in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
#71 0x7f83e31458ab in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
#72 0x7f83e31458ab in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
#73 0x7f83e8affbbf in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
#74 0x7f83ecc5c191 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:288:30
#75 0x7f83ece4d15b in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4701:22
#76 0x7f83ece4ed78 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4865:8
#77 0x7f83ece501ab in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4960:21
#78 0x4ebfe3 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
#79 0x4ebfe3 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
#80 0x7f84001ce82f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291
#81 0x41db38 in _start (/home/forb1dden/builds/mc-asan/firefox+0x41db38)
0x6020003e4e4e is located 2 bytes to the left of 16-byte region [0x6020003e4e50,0x6020003e4e60)
freed by thread T0 here:
#0 0x4bc06b in __interceptor_free /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:47:3
#1 0x7f83e21f76e1 in Free /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:200:34
#2 0x7f83e21f76e1 in nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::ShrinkCapacity(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:230
#3 0x7f83e4d34539 in ShiftData<nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:261:5
#4 0x7f83e4d34539 in RemoveElementsAt /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2061
#5 0x7f83e4d34539 in Clear /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1738
#6 0x7f83e4d34539 in ~nsTArray_Impl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:885
#7 0x7f83e4d34539 in mozilla::EffectCompositor::UpdateCascadeResults(mozilla::StyleBackendType, mozilla::EffectSet&, mozilla::dom::Element*, mozilla::CSSPseudoElementType, nsStyleContext*) /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:965
#8 0x7f83e4d37714 in MaybeUpdateCascadeResults /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:686:3
#9 0x7f83e4d37714 in mozilla::EffectCompositor::PreTraverseInSubtree(mozilla::ServoTraversalFlags, mozilla::dom::Element*) /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:1080
#10 0x7f83e8ef234c in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1010:41
#11 0x7f83e92aa7e9 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1100:20
#12 0x7f83e926a910 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1187:3
#13 0x7f83e926a910 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#14 0x7f83e926a910 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4145
#15 0x7f83e51c2760 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
#16 0x7f83e51c2760 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8499
#17 0x7f83e4f79113 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2303:10
#18 0x7f83e4f79113 in mozilla::dom::Element::GetStyledFrame() /builds/worker/workspace/build/src/dom/base/Element.cpp:666
#19 0x7f83e74676ab in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:282:21
#20 0x7f83e69ef5f5 in OffsetLeft /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:221:5
#21 0x7f83e69ef5f5 in mozilla::dom::HTMLElementBinding::get_offsetLeft(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:1052
#22 0x7f83e6cb9ee6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:13
#23 0x7f83ed104714 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#24 0x7f83ed104714 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
#25 0x7f83ed10614f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
#26 0x7f83ed10614f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
#27 0x7f83ed10614f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
#28 0x7f83ee0a60b3 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2122:16
#29 0x7f83ee0a60b3 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2175
#30 0x7f83ee0a60b3 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2378
#31 0x7f83ee0a60b3 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2414
#32 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:12
#33 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:813
#34 0x7f83ed10eb48 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
#35 0x7f83ed0f1430 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
#36 0x7f83ed0f1430 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
#37 0x7f83ed0d5939 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
#38 0x7f83ed107027 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
#39 0x7f83ed107892 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
#40 0x7f83edb57d09 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
#41 0x7f83e52bfde9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
#42 0x7f83e899e7d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
#43 0x7f83e8999c0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
#44 0x7f83e897d465 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
#45 0x7f83e89799c8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
#46 0x7f83e41de17f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
#47 0x7f83e41de17f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
#48 0x7f83e41d7c2a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
#49 0x7f83e41e299f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
#50 0x7f83e2439722 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1039:14
previously allocated by thread T0 here:
#0 0x4bc3bc in malloc /builds/slave/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:64:3
#1 0x4eda4d in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:84:17
#2 0x7f83e21f8924 in Malloc /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:209:46
#3 0x7f83e21f8924 in nsTArrayInfallibleAllocator::ResultTypeProxy nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::EnsureCapacity<nsTArrayInfallibleAllocator>(unsigned long, unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray-inl.h:136
#4 0x7f83e4d33645 in SetCapacity<nsTArrayInfallibleAllocator> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1820:47
#5 0x7f83e4d33645 in nsTArray_Impl /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:896
#6 0x7f83e4d33645 in nsTArray /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2242
#7 0x7f83e4d33645 in mozilla::EffectCompositor::UpdateCascadeResults(mozilla::StyleBackendType, mozilla::EffectSet&, mozilla::dom::Element*, mozilla::CSSPseudoElementType, nsStyleContext*) /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:856
#8 0x7f83e4d37714 in MaybeUpdateCascadeResults /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:686:3
#9 0x7f83e4d37714 in mozilla::EffectCompositor::PreTraverseInSubtree(mozilla::ServoTraversalFlags, mozilla::dom::Element*) /builds/worker/workspace/build/src/dom/animation/EffectCompositor.cpp:1080
#10 0x7f83e8ef234c in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/style/ServoStyleSet.cpp:1010:41
#11 0x7f83e92aa7e9 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1100:20
#12 0x7f83e926a910 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1187:3
#13 0x7f83e926a910 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
#14 0x7f83e926a910 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4145
#15 0x7f83e51c2760 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:557:5
#16 0x7f83e51c2760 in nsDocument::FlushPendingNotifications(mozilla::FlushType, mozilla::FlushTarget) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8499
#17 0x7f83e4f79113 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2303:10
#18 0x7f83e4f79113 in mozilla::dom::Element::GetStyledFrame() /builds/worker/workspace/build/src/dom/base/Element.cpp:666
#19 0x7f83e74676ab in nsGenericHTMLElement::GetOffsetRect(mozilla::gfx::IntRectTyped<mozilla::CSSPixel>&) /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.cpp:282:21
#20 0x7f83e69ef5f5 in OffsetLeft /builds/worker/workspace/build/src/dom/html/nsGenericHTMLElement.h:221:5
#21 0x7f83e69ef5f5 in mozilla::dom::HTMLElementBinding::get_offsetLeft(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:1052
#22 0x7f83e6cb9ee6 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:2922:13
#23 0x7f83ed104714 in CallJSNative /builds/worker/workspace/build/src/js/src/jscntxtinlines.h:293:15
#24 0x7f83ed104714 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:495
#25 0x7f83ed10614f in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:540:12
#26 0x7f83ed10614f in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:559
#27 0x7f83ed10614f in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:674
#28 0x7f83ee0a60b3 in CallGetter /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2122:16
#29 0x7f83ee0a60b3 in GetExistingProperty<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2175
#30 0x7f83ee0a60b3 in NativeGetPropertyInline<js::AllowGC::CanGC> /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2378
#31 0x7f83ee0a60b3 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2414
#32 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1600:12
#33 0x7f83ed10eb48 in GetProperty /builds/worker/workspace/build/src/js/src/jsobj.h:813
#34 0x7f83ed10eb48 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:4426
#35 0x7f83ed0f1430 in GetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:218:12
#36 0x7f83ed0f1430 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2803
#37 0x7f83ed0d5939 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:435:12
#38 0x7f83ed107027 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:724:15
#39 0x7f83ed107892 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:756:12
#40 0x7f83edb57d09 in ExecuteScript(JSContext*, JS::AutoObjectVector&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/jsapi.cpp:4667:12
#41 0x7f83e52bfde9 in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceBufferHolder&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:265:8
#42 0x7f83e899e7d8 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2244:25
#43 0x7f83e8999c0c in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1884:10
#44 0x7f83e897d465 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1585:10
#45 0x7f83e89799c8 in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:149:18
#46 0x7f83e41de17f in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:225:18
#47 0x7f83e41de17f in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:700
#48 0x7f83e41d7c2a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:501:7
#49 0x7f83e41e299f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:55:18
SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsTextFrame.cpp:1214:36 in TextContainsLineBreakerWhiteSpace
Shadow bytes around the buggy address:
==23451==ABORTING
Flags: in-testsuite?
Comment 1 (Reporter, 7 years ago)
This looks to be a duplicate of bug 1402036.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Updated 4 years ago: Group: core-security