Closed Bug 1457307 Opened 7 years ago Closed 7 years ago

heap-buffer-overflow in nsFloatManager::ImageShapeInfo::ImageShapeInfo

Categories

(Core :: Layout: Floats, defect)

Product:
Core
Component:
Layout: Floats
Version:
61 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1457288
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- fixed

People

(Reporter: nils, Assigned: bradwerth)

References

Details

(6 keywords)

Attachments

(3 files)

ASAN output
53.06 KB, text/plain
Details
crash.html (minimised testcase)
780 bytes, text/html
Details
ASAN (SEGV) output
10.17 KB, text/plain
Details
Attached file ASAN output
A buffer overflow exists in the lastest ASAN build of Firefox nightly. My fuzzer has triggered the following ASAN crash and I am currently minimizing the large testcase. However, I think the root cause is clear from the crash report. I suspect the size calculation here can wrap and result in a too small buffer to be allocated: https://dxr.mozilla.org/mozilla-central/source/layout/generic/nsFloatManager.cpp#1624 ================================================================= ==14512==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f5aee6f61f4 at pc 0x7f5b693d088e bp 0x7ffc99a3a210 sp 0x7ffc99a3a208 WRITE of size 2 at 0x7f5aee6f61f4 thread T0 (Web Content) #0 0x7f5b693d088d in nsFloatManager::ImageShapeInfo::ImageShapeInfo(unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> const&, int, float, int, nsRect const&, nsRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp #1 0x7f5b693d2fea in MakeUnique<nsFloatManager::ImageShapeInfo, unsigned char *&, int &, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> &, int &, float &, int &, nsRect &, nsRect &, mozilla::WritingMode &, const nsSize &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27 #2 0x7f5b693d2fea in nsFloatManager::ShapeInfo::CreateImageShape(mozilla::UniquePtr<nsStyleImage, mozilla::DefaultDelete<nsStyleImage> > const&, float, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2431 #3 0x7f5b693d1a3d in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:1975:20 #4 0x7f5b6936913f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13 #5 0x7f5b692c829b in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19 #6 0x7f5b692c55ef in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14 #7 0x7f5b69521711 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22 #8 0x7f5b69521711 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966 #9 0x7f5b693570bd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15 #10 0x7f5b69355a67 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5 #11 0x7f5b6934c789 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9 #12 0x7f5b69344ce0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5 #13 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #14 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #15 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #16 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #17 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #18 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #19 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #20 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #21 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #22 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #23 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #24 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #25 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #26 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #27 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #28 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #29 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #30 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #31 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #32 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #33 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #34 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #35 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #36 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #37 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #38 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #39 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #40 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #41 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #42 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #43 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #44 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #45 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #46 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #47 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #48 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #49 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #50 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #51 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #52 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #53 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #54 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #55 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #56 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #57 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #58 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #59 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #60 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #61 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #62 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #63 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #64 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #65 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #66 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #67 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #68 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #69 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #70 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #71 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #72 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #73 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #74 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #75 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #76 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #77 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #78 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #79 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #80 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #81 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #82 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #83 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #84 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #85 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #86 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #87 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #88 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #89 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #90 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #91 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #92 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #93 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #94 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #95 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #96 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #97 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #98 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #99 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #100 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #101 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #102 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #103 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #104 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #105 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #106 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #107 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #108 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #109 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #110 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #111 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #112 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #113 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #114 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #115 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #116 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #117 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #118 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #119 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #120 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #121 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #122 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #123 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #124 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #125 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #126 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #127 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #128 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #129 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #130 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #131 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 #132 0x7f5b69344e35 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2813:5 #133 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #134 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #135 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #136 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #137 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #138 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #139 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #140 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #141 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #142 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #143 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #144 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #145 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #146 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #147 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #148 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #149 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #150 0x7f5b693b143c in ReflowChild /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14 #151 0x7f5b693b143c in nsFlexContainerFrame::MeasureAscentAndBSizeForFlexItem(nsFlexContainerFrame::FlexItem&, nsPresContext*, mozilla::ReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsFlexContainerFrame.cpp:1739 #152 0x7f5b693c06a9 in SizeItemInCrossAxis /builds/worker/workspace/build/src/layout/generic/nsFlexContainerFrame.cpp:4105:5 #153 0x7f5b693c06a9 in nsFlexContainerFrame::DoFlexLayout(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, int, int, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsFlexContainerFrame::FlexboxAxisTracker const&) /builds/worker/workspace/build/src/layout/generic/nsFlexContainerFrame.cpp:4624 #154 0x7f5b693be9f7 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsFlexContainerFrame.cpp:4236:3 #155 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #156 0x7f5b69390a82 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5 #157 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #158 0x7f5b69478c98 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:555:3 #159 0x7f5b6947a0b9 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:678:3 #160 0x7f5b6947e098 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1055:3 #161 0x7f5b693160ce in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14 #162 0x7f5b69314c4e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7 #163 0x7f5b690fa7f0 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8963:11 #164 0x7f5b69110280 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9136:24 #165 0x7f5b6910e689 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4344:11 #166 0x7f5b6439ffd8 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5 #167 0x7f5b6439ffd8 in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7590 #168 0x7f5b69106b15 in mozilla::PresShell::ScrollContentIntoView(nsIContent*, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3589:16 #169 0x7f5b643ef076 in ScrollIntoView /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:2282:17 #170 0x7f5b643ef076 in nsFocusManager::SetFocusInner(nsIContent*, int, bool, bool) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:1427 #171 0x7f5b643f0cfa in nsFocusManager::SetFocus(nsIDOMElement*, unsigned int) /builds/worker/workspace/build/src/dom/base/nsFocusManager.cpp:523:3 #172 0x7f5b6417c460 in mozilla::dom::Element::Focus(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Element.cpp:350:20 #173 0x7f5b663316f2 in mozilla::dom::HTMLElementBinding::focus(JSContext*, JS::Handle<JSObject*>, nsGenericHTMLElement*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/HTMLElementBinding.cpp:540:9 #174 0x7f5b667f1831 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3248:13 #175 0x7f5b6d0aead7 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #176 0x7f5b6d0aead7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467 #177 0x7f5b6d0afad2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10 #178 0x7f5b6dcc19c5 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:176:12 #179 0x7f5b6dc87203 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:358:23 #180 0x7f5b6dc9c7f1 in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:510:21 #181 0x7f5b6dc9f5b4 in js::proxy_Call(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:769:12 #182 0x7f5b6d0af220 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:280:15 #183 0x7f5b6d0af220 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:449 #184 0x7f5b6d0995c8 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12 #185 0x7f5b6d0995c8 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084 #186 0x7f5b6d07fcb7 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12 #187 0x7f5b6d0b1f74 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:700:15 #188 0x7f5b6d14b58e in EvalKernel(JSContext*, JS::Handle<JS::Value>, EvalType, js::AbstractFramePtr, JS::Handle<JSObject*>, unsigned char*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:322:12 #189 0x7f5b6d14d37f in js::DirectEval(JSContext*, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/builtin/Eval.cpp:433:12 #190 0x7f5b6d28c888 in js::jit::DoCallFallback(JSContext*, js::jit::BaselineFrame*, js::jit::ICCall_Fallback*, unsigned int, JS::Value*, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jit/BaselineIC.cpp:2364:14 #191 0x7f5b1a8942f7 (<unknown module>) 0x7f5aee6f61f4 is located 0 bytes to the right of 557734388-byte region [0x7f5acd310800,0x7f5aee6f61f4) allocated by thread T0 (Web Content) here: #0 0x4c54b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x7f5b693cf4e7 in operator new[] /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:174:12 #2 0x7f5b693cf4e7 in MakeUniqueFallible<unsigned short []> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtrExtensions.h:33 #3 0x7f5b693cf4e7 in nsFloatManager::ImageShapeInfo::ImageShapeInfo(unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> const&, int, float, int, nsRect const&, nsRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:1624 #4 0x7f5b693d2fea in MakeUnique<nsFloatManager::ImageShapeInfo, unsigned char *&, int &, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> &, int &, float &, int &, nsRect &, nsRect &, mozilla::WritingMode &, const nsSize &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/UniquePtr.h:680:27 #5 0x7f5b693d2fea in nsFloatManager::ShapeInfo::CreateImageShape(mozilla::UniquePtr<nsStyleImage, mozilla::DefaultDelete<nsStyleImage> > const&, float, int, nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:2431 #6 0x7f5b693d1a3d in nsFloatManager::FloatInfo::FloatInfo(nsIFrame*, int, int, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:1975:20 #7 0x7f5b6936913f in nsFloatManager::AddFloat(nsIFrame*, mozilla::LogicalRect const&, mozilla::WritingMode, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp:260:13 #8 0x7f5b692c829b in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:994:19 #9 0x7f5b692c55ef in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14 #10 0x7f5b69521711 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:182:22 #11 0x7f5b69521711 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:966 #12 0x7f5b693570bd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4158:15 #13 0x7f5b69355a67 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3958:5 #14 0x7f5b6934c789 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3832:9 #15 0x7f5b69344ce0 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2816:5 #16 0x7f5b6933a560 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2352:7 #17 0x7f5b69331d74 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1225:3 #18 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #19 0x7f5b696aa004 in nsTableCellFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableCellFrame.cpp:938:3 #20 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #21 0x7f5b69708cb6 in nsTableRowFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsTableFrame&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:882:9 #22 0x7f5b6970ca7f in nsTableRowFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowFrame.cpp:1074:3 #23 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #24 0x7f5b69713291 in nsTableRowGroupFrame::ReflowChildren(nsPresContext*, mozilla::ReflowOutput&, mozilla::TableRowGroupReflowInput&, nsReflowStatus&, bool*) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:425:7 #25 0x7f5b6971f496 in nsTableRowGroupFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableRowGroupFrame.cpp:1383:3 #26 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #27 0x7f5b696d9b73 in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:3381:7 #28 0x7f5b696d50d3 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2326:3 #29 0x7f5b696d38f4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:2111:5 #30 0x7f5b69392236 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14 #31 0x7f5b6972bfba in OuterDoReflowChild /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:840:3 #32 0x7f5b6972bfba in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/tables/nsTableWrapperFrame.cpp:998 #33 0x7f5b69352fe7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11 #34 0x7f5b69347063 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3463:11 SUMMARY: AddressSanitizer: heap-buffer-overflow /builds/worker/workspace/build/src/layout/generic/nsFloatManager.cpp in nsFloatManager::ImageShapeInfo::ImageShapeInfo(unsigned char*, int, mozilla::gfx::IntSizeTyped<mozilla::LayoutDevicePixel> const&, int, float, int, nsRect const&, nsRect const&, mozilla::WritingMode, nsSize const&) Shadow bytes around the buggy address: 0x0febddcd6be0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0febddcd6bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0febddcd6c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0febddcd6c10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0febddcd6c20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0febddcd6c30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[04]fa 0x0febddcd6c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0febddcd6c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0febddcd6c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0febddcd6c70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0febddcd6c80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==14512==ABORTING
This is the minimized testcases. ASAN only detects a SEGV, however I believe the root cause is the same.
Attached file ASAN (SEGV) output
(In reply to Nils from comment #1) > This is the minimized testcases. [...] I believe the root cause is the same. Have you preserved the un-minimized testcase in case it isn't?
Group: core-security → layout-core-security
Keywords: csectype-bounds, sec-high
I'm guessing this bug is caused by our shape-margin / shape-outside layout code. Brad / Ting-Yu, you're working on that, right?
Flags: needinfo?(bwerth)
Flags: needinfo?(aethanyc)
The patches for Bug 1457288 also attempt to resolve this issue for ImageShapeInfo. When those patches land, this should also be resolved.
Depends on: 1457288
Flags: needinfo?(bwerth)
Assignee: nobody → bwerth
The patch for Bug 1457288 resolves this.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → DUPLICATE
Flags: sec-bounty?
Flags: sec-bounty? → sec-bounty-
Group: layout-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: