Bug 1491718 - use-after-poison in [@ SetListItemOrdinal]
Status: RESOLVED FIXED (closed)
Product / Component: Core :: Layout, defect, P3
Target Milestone: mozilla68
Opened 7 years ago; closed 6 years ago
Reporter: tsmith; Assigned: MatsPalmgren_bugz
References: blocks 1 open bug
Keywords: 4 keywords (listed below)
Attachments: 1 file (testcase, 2.67 KB, text/html)

Description:
Found with m-c 20180915-e088bb62f286
The attached testcase seems to be sensitive to the size of the window. I used Xvfb with a size of width=1280 height=1024. I am willing to test or verify patches if needed.
==126155==ERROR: AddressSanitizer: use-after-poison on address 0x6250002a4c20 at pc 0x7f9a38a4304c bp 0x7fff86b7e000 sp 0x7fff86b7dff8
READ of size 4 at 0x6250002a4c20 thread T0 (file:// Content)
#0 0x7f9a38a4304b in SetListItemOrdinal src/layout/generic/nsBulletFrame.cpp:876:24
#1 0x7f9a38a4304b in nsContainerFrame::RenumberFrameAndDescendants(int*, int, int, bool) src/layout/generic/nsContainerFrame.cpp:1914
#2 0x7f9a389fd4ef in nsBlockFrame::RenumberChildFrames(int*, int, int, bool) src/layout/generic/nsBlockFrame.cpp:7259:14
#3 0x7f9a389a3672 in nsContainerFrame::RenumberList() src/layout/generic/nsContainerFrame.cpp:1866:15
#4 0x7f9a389aaaab in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1247:7
#5 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
#6 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
#7 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
#8 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
#9 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
#10 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
#11 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
#12 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
#13 0x7f9a389b9110 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2745:11
#14 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
#15 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
#16 0x7f9a38a2f1aa in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:783:7
#17 0x7f9a38a36737 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:473:19
#18 0x7f9a38a36737 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1223
#19 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
#20 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
#21 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
#22 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
#23 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
#24 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
#25 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
#26 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
#27 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
#28 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
#29 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
#30 0x7f9a38a2632e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:803:5
#31 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
#32 0x7f9a38b5be7b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:606:3
#33 0x7f9a38b5d9cc in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:730:3
#34 0x7f9a38b62db7 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1120:3
#35 0x7f9a389862f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
#36 0x7f9a38984a1b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:338:7
#37 0x7f9a386dadf1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:9020:11
#38 0x7f9a386f5a68 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9193:24
#39 0x7f9a386f3bde in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4351:11
#40 0x7f9a386683ea in FlushPendingNotifications src/layout/base/nsIPresShell.h:577:5
#41 0x7f9a386683ea in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1930
#42 0x7f9a3867b182 in TickDriver src/layout/base/nsRefreshDriver.cpp:325:13
#43 0x7f9a3867b182 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:300
#44 0x7f9a3867acb1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:318:5
#45 0x7f9a3867df51 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:756:5
#46 0x7f9a3867df51 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:672
#47 0x7f9a3867da2b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:572:9
#48 0x7f9a39139df6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
#49 0x7f9a2feeebad in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
#50 0x7f9a2fc7c398 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
#51 0x7f9a2f4ce91e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
#52 0x7f9a2f4ca20a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
#53 0x7f9a2f4cc66d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
#54 0x7f9a2f4cd3c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
#55 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
#56 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#57 0x7f9a2f4d89c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
#58 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#59 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#60 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#61 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#62 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#63 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#64 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#65 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#66 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#67 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#68 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
#69 0x7f9a5057382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#70 0x555cd4d37f4c in _start (firefox+0x2cf4c)
0x6250002a4c20 is located 6944 bytes inside of 8192-byte region [0x6250002a3100,0x6250002a5100)
allocated by thread T0 (file:// Content) here:
#0 0x555cd4dd86c3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
#1 0x7f9a2e250a2f in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
#2 0x7f9a2e250a2f in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
#3 0x7f9a2e250a2f in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
#4 0x7f9a2e250a2f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
#5 0x7f9a3897869a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
#6 0x7f9a3897869a in AllocateFrame src/layout/base/nsIPresShell.h:206
#7 0x7f9a3897869a in operator new src/layout/generic/ViewportFrame.cpp:34
#8 0x7f9a3897869a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
#9 0x7f9a387a41ee in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2661:5
#10 0x7f9a386d2e51 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1799:36
#11 0x7f9a322c8777 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1274:26
#12 0x7f9a30cc1102 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:673:18
#13 0x7f9a30cbc54e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1204:17
#14 0x7f9a30cb9486 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:489:17
#15 0x7f9a30cc5abb in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:123:18
#16 0x7f9a2e280465 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#17 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
#18 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#19 0x7f9a2f4d89de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#20 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#21 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#22 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#23 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#24 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
#25 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
#26 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
#27 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
#28 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
#29 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#30 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
Flags: in-testsuite?
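Added example, not Gecko's code and not the testcase attached to this bug: a minimal fixed-block arena in C that shows the mechanism behind the "use-after-poison" classification in the report above. ASan uses that label for accesses to memory an application has marked with ASAN_POISON_MEMORY_REGION, which is what a frame arena does when it takes a freed frame back onto its free list while keeping the backing chunk allocated. That is why the faulting address is reported as "inside of 8192-byte region" that is still live (the allocation stack ends in ArenaAllocator<8192ul, 8ul>) rather than as heap-use-after-free. The Arena, Frame, renumber and destroy_frame names, the 64-byte block size and the 0x7f poison byte are assumptions for illustration; the real nsPresArena bookkeeping differs in detail.

```c
/* Added example (not Gecko code). A fixed-block arena: blocks are carved from
 * one 8192-byte malloc'd chunk, a freed block is overwritten with a poison
 * pattern and, under ASan, marked inaccessible. The chunk itself is never
 * freed, so a dangling read of a returned block is a use-after-poison inside
 * a live region, not a heap-use-after-free. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#ifdef __SANITIZE_ADDRESS__   /* defined by gcc and clang under -fsanitize=address */
#include <sanitizer/asan_interface.h>
#else
#define ASAN_POISON_MEMORY_REGION(p, n)   ((void)(p), (void)(n))
#define ASAN_UNPOISON_MEMORY_REGION(p, n) ((void)(p), (void)(n))
#endif

#define CHUNK_SIZE  8192          /* same chunk size as in the ASan report */
#define BLOCK_SIZE  64            /* assumed: every "frame" gets one block */
#define MAX_BLOCKS  (CHUNK_SIZE / BLOCK_SIZE)
#define POISON_BYTE 0x7f          /* assumed pattern; any recognisable byte works */

typedef struct {
    unsigned char *chunk;         /* one malloc'd region, released only with the arena */
    size_t         used;          /* bump pointer into chunk */
    void          *freelist[MAX_BLOCKS];
    size_t         nfree;
} Arena;

static Arena *arena_new(void) {
    Arena *a = calloc(1, sizeof *a);
    if (!a) abort();
    a->chunk = malloc(CHUNK_SIZE);
    if (!a->chunk) abort();
    return a;
}

/* Hand out a block: recycle a poisoned one if available, else bump-allocate. */
static void *arena_alloc(Arena *a) {
    void *p;
    if (a->nfree > 0) {
        p = a->freelist[--a->nfree];
        ASAN_UNPOISON_MEMORY_REGION(p, BLOCK_SIZE);
    } else {
        if (a->used + BLOCK_SIZE > CHUNK_SIZE) return NULL;
        p = a->chunk + a->used;
        a->used += BLOCK_SIZE;
    }
    memset(p, 0, BLOCK_SIZE);
    return p;
}

/* Return a block to the arena: fill it with the pattern, poison it, keep the chunk. */
static void arena_free(Arena *a, void *p) {
    memset(p, POISON_BYTE, BLOCK_SIZE);
    a->freelist[a->nfree++] = p;
    ASAN_POISON_MEMORY_REGION(p, BLOCK_SIZE);
}

/* True if p is on the free list, i.e. any access to it is a use-after-poison.
 * Compares pointer values only; it never reads the block. */
static int arena_is_freed(const Arena *a, const void *p) {
    for (size_t i = 0; i < a->nfree; i++)
        if (a->freelist[i] == p) return 1;
    return 0;
}

/* The shape of the bug: a parent walks its child list and numbers the children. */
typedef struct Frame { int ordinal; struct Frame *next; } Frame;

static int renumber(Frame *first) {
    int n = 0;
    for (Frame *f = first; f; f = f->next) f->ordinal = ++n;
    return n;
}

/* Correct teardown: unlink the frame from its siblings before returning it
 * to the arena, so no pointer in the list keeps referencing poisoned memory. */
static void destroy_frame(Arena *a, Frame **head, Frame *victim) {
    for (Frame **pp = head; *pp; pp = &(*pp)->next)
        if (*pp == victim) { *pp = victim->next; break; }
    arena_free(a, victim);
}

/* Runs the allocate/destroy/renumber cycle the safe way; returns 0 when
 * every check holds, otherwise the number of the failing check. */
static int run_demo(void) {
    Arena *a = arena_new();
    Frame *f1 = arena_alloc(a), *f2 = arena_alloc(a), *f3 = arena_alloc(a);
    f1->next = f2; f2->next = f3; f3->next = NULL;
    if (renumber(f1) != 3 || f3->ordinal != 3) return 1;
    destroy_frame(a, &f1, f2);                       /* f2's block is now poisoned */
    if (!arena_is_freed(a, f2)) return 2;
    if (renumber(f1) != 2 || f3->ordinal != 2) return 3; /* list no longer reaches f2 */
    Frame *f4 = arena_alloc(a);                      /* recycles f2's block, unpoisoned */
    if (f4 != f2 || arena_is_freed(a, f4) || f4->ordinal != 0) return 4;
    free(a->chunk); free(a);
    return 0;
}

int main(void) {
    int rc = run_demo();
    printf("arena demo: %s\n", rc == 0 ? "ok" : "check failed");
#ifdef SHOW_USE_AFTER_POISON
    /* The buggy shape: free a child without unlinking it, then renumber. Built
     * with -fsanitize=address the write to f2->ordinal is reported as a
     * use-after-poison inside the still-live 8192-byte chunk; without ASan the
     * walk reads 0x7f7f... as f2->next and crashes on that wild pointer. */
    Arena *a = arena_new();
    Frame *f1 = arena_alloc(a), *f2 = arena_alloc(a);
    f1->next = f2; f2->next = NULL;
    arena_free(a, f2);
    renumber(f1);
#endif
    return rc;
}
```

Build with `cc -fsanitize=address -DSHOW_USE_AFTER_POISON` to see the sanitizer report for the dangling walk; without the define the program only exercises the correct path. The pattern fill is what turns the same bug into a crash on a recognisable address in non-ASan builds, which is the point of frame poisoning (the csectype-framepoisoning keyword on this bug).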
Updated 7 years ago (by reporter):
Group: layout-core-security
Keywords: csectype-framepoisoning, sec-low
Updated 7 years ago:
Priority: -- → P3
Comment 1 (reporter, 6 years ago):
The fuzzers are no longer hitting this issue and the attached testcase no longer reproduces the issue.
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Updated 6 years ago:
Assignee: nobody → mats
status-firefox68: --- → fixed
status-firefox-esr60: --- → wontfix
status-firefox-esr68: --- → fixed
Target Milestone: --- → mozilla68