Closed
Bug 1438948
Opened 7 years ago
Closed 5 years ago
UBSan: pointer index expression overflowed /layout/generic/nsTextFrame.cpp:882
Categories: Core :: Layout: Text and Fonts, defect, P3
People
(Reporter: tsmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: csectype-undefined)
This seems to be triggered after a few minutes of regular browsing when built with -fsanitize=pointer-overflow.
BuildID=20180212162155
SourceStamp=6d8f470b2579e7570f14e3db557264dc075dd654
/layout/generic/nsTextFrame.cpp:882:38: runtime error: pointer index expression with base 0x000000000000 overflowed to 0xffffffffffffffff
#0 0x7f23d75d9139 in GetTrimmableWhitespaceCount(nsTextFragment const*, int, int, int) /layout/generic/nsTextFrame.cpp:882:38
#1 0x7f23d75d8f63 in nsTextFrame::GetTrimmedOffsets(nsTextFragment const*, bool, bool) const /layout/generic/nsTextFrame.cpp:2971:7
#2 0x7f23d75f77f2 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10089:20
#3 0x7f23d55fa5ca in nsRange::GetInnerTextNoFlush(mozilla::dom::DOMString&, mozilla::ErrorResult&, nsIContent*) /dom/base/nsRange.cpp:3895:44
#4 0x7f23d6442965 in nsGenericHTMLElement::GetInnerText(mozilla::dom::DOMString&, mozilla::ErrorResult&) /dom/html/nsGenericHTMLElement.cpp:3065:3
#5 0x7f23d5e76eb4 in mozilla::dom::HTMLElementBinding::get_innerText(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitGetterCallArgs) /objdir-ff-ubsan/dom/bindings/HTMLElementBinding.cpp:296:9
#6 0x7f23d5fc9d74 in mozilla::dom::GenericBindingGetter(JSContext*, unsigned int, JS::Value*) /dom/bindings/BindingUtils.cpp:2904:13
#7 0x7f23db062a5c in CallJSNative /js/src/jscntxtinlines.h:291:15
#8 0x7f23db062a5c in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /js/src/vm/Interpreter.cpp:473
#9 0x7f23db063189 in InternalCall(JSContext*, js::AnyInvokeArgs const&) /js/src/vm/Interpreter.cpp:522:12
#10 0x7f23db063237 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:541:10
#11 0x7f23db06399b in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:656:12
#12 0x7f23db902d50 in CallGetter /js/src/vm/NativeObject.cpp:2145:16
#13 0x7f23db902d50 in GetExistingProperty<js::AllowGC::CanGC> /js/src/vm/NativeObject.cpp:2198
#14 0x7f23db902d50 in NativeGetPropertyInline<js::AllowGC::CanGC> /js/src/vm/NativeObject.cpp:2401
#15 0x7f23db902d50 in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.cpp:2437
#16 0x7f23dafff457 in js::GetProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<jsid>, JS::MutableHandle<JS::Value>) /js/src/vm/NativeObject.h:1630:12
#17 0x7f23db066588 in GetProperty /js/src/jsobj.h:822:12
#18 0x7f23db066588 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) /js/src/vm/Interpreter.cpp:4405
#19 0x7f23db054505 in GetPropertyOperation /js/src/vm/Interpreter.cpp:219:12
#20 0x7f23db054505 in Interpret(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:2815
#21 0x7f23db0469e6 in js::RunScript(JSContext*, js::RunState&) /js/src/vm/Interpreter.cpp:423:12
#22 0x7f23db063d07 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /js/src/vm/Interpreter.cpp:706:15
#23 0x7f23db08f9a5 in js::DirectEvalStringFromIon(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::Handle<JS::Value>, JS::Handle<JSString*>, unsigned char*, JS::MutableHandle<JS::Value>) /js/src/builtin/Eval.cpp:402:12
#24 0x3e4a981ce28a (<unknown module>)
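The diagnostic above ("pointer index expression with base 0x0 overflowed to 0xffffffffffffffff") is what -fsanitize=pointer-overflow emits when a pointer expression of the form base + index is evaluated with a null base and a negative (or wrapped unsigned) index; the expression is undefined behaviour in C and C++ whether or not the resulting pointer is ever dereferenced. The following is an added illustration of that defect class and of the defensive pattern that avoids it: validate the integer offsets first, then form pointers. It is not Gecko code and does not reproduce how nsTextFrame's trimming logic is written; count_trailing_spaces and its sample input are hypothetical.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a trim-whitespace routine (not Gecko's).
 * Returns the number of ' ' characters at the end of text[start, end),
 * or -1 when the arguments cannot describe a valid range.
 *
 * The shape of bug that -fsanitize=pointer-overflow catches is forming
 * "text + end - 1" before checking that text is non-null and end > start:
 * with text == NULL and end == 0 that expression is NULL + (size_t)-1,
 * i.e. base 0x0 overflowing to 0xffffffffffffffff. Here every index is
 * checked as an integer before any pointer arithmetic, so there is no
 * pointer expression for the sanitizer to flag. */
int count_trailing_spaces(const char *text, size_t len, size_t start, size_t end)
{
    /* A null buffer is only acceptable when it describes zero bytes. */
    if (text == NULL && len != 0)
        return -1;
    /* Reject malformed or out-of-bounds ranges before touching memory. */
    if (start > end || end > len)
        return -1;

    int count = 0;
    /* Indexing text[end - 1] only happens while end > start >= 0, so the
     * subscript is always inside the validated range. */
    while (end > start && text[end - 1] == ' ') {
        --end;
        ++count;
    }
    return count;
}

int main(void)
{
    /* Constructed sample input. */
    const char *sample = "trailing   ";
    size_t len = strlen(sample);

    printf("trailing spaces in \"%s\": %d\n", sample,
           count_trailing_spaces(sample, len, 0, len));
    /* Degenerate inputs that an unchecked implementation would turn into
     * undefined pointer arithmetic are rejected or handled harmlessly. */
    printf("NULL buffer, zero length: %d\n", count_trailing_spaces(NULL, 0, 0, 0));
    printf("NULL buffer, non-zero length: %d\n", count_trailing_spaces(NULL, 4, 0, 4));
    printf("end past len: %d\n", count_trailing_spaces(sample, len, 0, len + 1));
    return 0;
}
```

Building with clang and -fsanitize=pointer-overflow (or -fsanitize=undefined, which includes it) is the check that matters here: the sanitizer reports the overflowing expression at the point it is evaluated, which is why the trace above points at the arithmetic inside GetTrimmableWhitespaceCount rather than at a later dereference or crash.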
Comment 1•7 years ago
This might have been fixed recently. Can you try updating and see if it still occurs please?
Comment 2•7 years ago
I can still reproduce it. Reproduced with mozilla-central changeset: 404376:d0d3693d9bef
Updated•7 years ago
Priority: -- → P3
Updated•5 years ago
status-firefox69: --- → wontfix
status-firefox70: --- → affected
status-firefox71: --- → affected
status-firefox-esr60: --- → affected
status-firefox-esr68: --- → affected
Comment 3•5 years ago
Marking as dup of bug 1468131 since it has a test case.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Updated•5 years ago