Closed Bug 1438948 Opened 2 years ago Closed 7 months ago

UBSan: pointer index expression overflowed /layout/generic/nsTextFrame.cpp:882

Categories

(Core :: Layout: Text and Fonts, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1468131
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- wontfix
firefox60 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: csectype-undefined)

This seems to be triggered after a few minutes of regular browsing when built with -fsanitize=pointer-overflow.

BuildID=20180212162155
SourceStamp=6d8f470b2579e7570f14e3db557264dc075dd654

/layout/generic/nsTextFrame.cpp:882:38: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff
    #0 0x7f23d75d9139 in GetTrimmableWhitespaceCount(nsTextFragment const*, int, int, int) /layout/generic/nsTextFrame.cpp:882:38
    #1 0x7f23d75d8f63 in nsTextFrame::GetTrimmedOffsets(nsTextFragment const*, bool, bool) const /layout/generic/nsTextFrame.cpp:2971:7
    #2 0x7f23d75f77f2 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10089:20
    #3 0x7f23d55fa5ca in nsRange::GetInnerTextNoFlush(mozilla::dom::DOMString&, mozilla::ErrorResult&, nsIContent*) /dom/base/nsRange.cpp:3895:44
    #4 0x7f23d6442965 in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /dom/html/nsGenericHTMLElement.cpp:3065:3
    #5 0x7f23d5e76eb4 in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /objdir-ff-ubsan/dom/bindings/HTMLElementBinding.cpp:296:9
    #6 0x7f23d5fc9d74 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13
    #7 0x7f23db062a5c in CallJSNative /js/src/jscntxtinlines.h:291:15
    #8 0x7f23db062a5c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:473
    #9 0x7f23db063189 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:522:12
    #10 0x7f23db063237 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:541:10
    #11 0x7f23db06399b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:656:12
    #12 0x7f23db902d50 in CallGetter /js/src/vm/NativeObject.cpp:2145:16
    #13 0x7f23db902d50 in GetExistingProperty<js::AllowGC::CanGC> /js/src/vm/NativeObject.cpp:2198
    #14 0x7f23db902d50 in NativeGetPropertyInline<js::AllowGC::CanGC> /js/src/vm/NativeObject.cpp:2401
    #15 0x7f23db902d50 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2437
    #16 0x7f23dafff457 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.h:1630:12
    #17 0x7f23db066588 in GetProperty /js/src/jsobj.h:822:12
    #18 0x7f23db066588 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4405
    #19 0x7f23db054505 in GetPropertyOperation /js/src/vm/Interpreter.cpp:219:12
    #20 0x7f23db054505 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2815
    #21 0x7f23db0469e6 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:423:12
    #22 0x7f23db063d07 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /js/src/vm/Interpreter.cpp:706:15
    #23 0x7f23db08f9a5 in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) /js/src/builtin/Eval.cpp:402:12
    #24 0x3e4a981ce28a  (<unknown module>)
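The sanitizer message above ("pointer index expression with base 0x0 overflowed to 0xffffffffffffffff") describes an expression of the form base + index evaluated with a null base and a negative index: 0 minus 1 wraps to all-ones, which is undefined pointer arithmetic even though nothing is dereferenced. The C program below is an added example, not code from nsTextFrame.cpp or from the Firefox code base; the helper names (trailing_ws_unsafe, trailing_ws_safe, is_trimmable_ws) and the sample input are constructed for illustration. It shows the shape of the defect beside a guarded version that rejects the null/empty case before forming any pointer, so the same counting logic cannot trip -fsanitize=pointer-overflow.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical helper (constructed for this example): true for the bytes we
 * treat as trimmable whitespace.  Nothing in this file is Gecko code. */
static int is_trimmable_ws(char c) {
    return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Unsafe shape.  The pointer `text + len - 1` is formed before anything checks
 * that `text` is non-null and `len` is non-zero.  For (NULL, 0) the arithmetic
 * is NULL + 0 - 1, which wraps from 0 to 0xffffffffffffffff: this is what
 * -fsanitize=pointer-overflow reports as "pointer index expression with base
 * 0x0 overflowed".  (In C even NULL + 0 is undefined.)  The loop never
 * dereferences `p` when len == 0, so the program does not crash without the
 * sanitizer, but the compiler may assume the overflow cannot happen. */
static size_t trailing_ws_unsafe(const char *text, size_t len) {
    const char *p = text + len - 1;       /* undefined when text == NULL or len == 0 */
    size_t n = 0;
    while (n < len && is_trimmable_ws(p[-(ptrdiff_t)n])) {
        n++;                              /* p[-n] stays within [text, text+len) once len > 0 */
    }
    return n;
}

/* Guarded version.  Reject the null/empty case before any pointer arithmetic
 * and index from the (now known valid) base instead of walking a pointer. */
static size_t trailing_ws_safe(const char *text, size_t len) {
    if (text == NULL || len == 0) {
        return 0;                         /* nothing to trim; no pointer is ever formed */
    }
    size_t n = 0;
    while (n < len && is_trimmable_ws(text[len - 1 - n])) {
        n++;                              /* len - 1 - n stays in [0, len - 1] */
    }
    return n;
}

int main(void) {
    static const char sample[] = "hello \t\n";   /* constructed input: 3 trailing ws bytes */
    printf("safe(sample):   %zu\n", trailing_ws_safe(sample, sizeof sample - 1));
    printf("safe(NULL, 0):  %zu\n", trailing_ws_safe(NULL, 0));
    /* Build with:  clang -g -fsanitize=pointer-overflow example.c
     * The call below is the one the sanitizer flags; without the sanitizer it
     * quietly returns 0, which is why this class of bug hides in normal builds. */
    printf("unsafe(NULL,0): %zu\n", trailing_ws_unsafe(NULL, 0));
    return 0;
}
```

The safe variant returns the same counts as the unsafe one on every non-empty input; the only behavioural difference is that the degenerate (NULL, 0) call is handled by an explicit check rather than by arithmetic on a null base.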
This might have been fixed recently. Can you try updating and see if it still occurs please?
I can still reproduce it. Reproduced with mozilla-central changeset: 404376:d0d3693d9bef
See Also: → 1468131
Priority: -- → P3

Marking as dup of bug 1468131 since it has a test case.

Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1468131