Closed Bug 1491718 Opened 6 years ago Closed 5 years ago

use-after-poison in [@ SetListItemOrdinal]

Categories

(Core :: Layout, defect, P3)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- wontfix
firefox-esr68 --- fixed
firefox64 --- wontfix
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

Attached file testcase.html
Found with m-c 20180915-e088bb62f286

The attached testcase seems to be sensitive to the size of the window. I used Xvfb with a size of width=1280 height=1024. I am willing to test or verify patches if needed.

==126155==ERROR: AddressSanitizer: use-after-poison on address 0x6250002a4c20 at pc 0x7f9a38a4304c bp 0x7fff86b7e000 sp 0x7fff86b7dff8
READ of size 4 at 0x6250002a4c20 thread T0 (file:// Content)
    #0 0x7f9a38a4304b in SetListItemOrdinal src/layout/generic/nsBulletFrame.cpp:876:24
    #1 0x7f9a38a4304b in nsContainerFrame::RenumberFrameAndDescendants(int*, int, int, bool) src/layout/generic/nsContainerFrame.cpp:1914
    #2 0x7f9a389fd4ef in nsBlockFrame::RenumberChildFrames(int*, int, int, bool) src/layout/generic/nsBlockFrame.cpp:7259:14
    #3 0x7f9a389a3672 in nsContainerFrame::RenumberList() src/layout/generic/nsContainerFrame.cpp:1866:15
    #4 0x7f9a389aaaab in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1247:7
    #5 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #6 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #7 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #8 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #9 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #10 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #11 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #12 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #13 0x7f9a389b9110 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2745:11
    #14 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #15 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #16 0x7f9a38a2f1aa in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:783:7
    #17 0x7f9a38a36737 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:473:19
    #18 0x7f9a38a36737 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1223
    #19 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #20 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #21 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #22 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #23 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #24 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #25 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #26 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #27 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #28 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #29 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #30 0x7f9a38a2632e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:803:5
    #31 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #32 0x7f9a38b5be7b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #33 0x7f9a38b5d9cc in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #34 0x7f9a38b62db7 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #35 0x7f9a389862f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #36 0x7f9a38984a1b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:338:7
    #37 0x7f9a386dadf1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:9020:11
    #38 0x7f9a386f5a68 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9193:24
    #39 0x7f9a386f3bde in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4351:11
    #40 0x7f9a386683ea in FlushPendingNotifications src/layout/base/nsIPresShell.h:577:5
    #41 0x7f9a386683ea in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1930
    #42 0x7f9a3867b182 in TickDriver src/layout/base/nsRefreshDriver.cpp:325:13
    #43 0x7f9a3867b182 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:300
    #44 0x7f9a3867acb1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:318:5
    #45 0x7f9a3867df51 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:756:5
    #46 0x7f9a3867df51 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:672
    #47 0x7f9a3867da2b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:572:9
    #48 0x7f9a39139df6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
    #49 0x7f9a2feeebad in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #50 0x7f9a2fc7c398 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #51 0x7f9a2f4ce91e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
    #52 0x7f9a2f4ca20a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
    #53 0x7f9a2f4cc66d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #54 0x7f9a2f4cd3c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #55 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #56 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #57 0x7f9a2f4d89c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #58 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #59 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #60 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #61 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #62 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #63 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #64 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #65 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #66 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #67 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #68 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
    #69 0x7f9a5057382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #70 0x555cd4d37f4c in _start (firefox+0x2cf4c)

0x6250002a4c20 is located 6944 bytes inside of 8192-byte region [0x6250002a3100,0x6250002a5100)
allocated by thread T0 (file:// Content) here:
    #0 0x555cd4dd86c3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f9a2e250a2f in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f9a2e250a2f in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7f9a2e250a2f in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f9a2e250a2f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f9a3897869a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7f9a3897869a in AllocateFrame src/layout/base/nsIPresShell.h:206
    #7 0x7f9a3897869a in operator new src/layout/generic/ViewportFrame.cpp:34
    #8 0x7f9a3897869a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
    #9 0x7f9a387a41ee in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2661:5
    #10 0x7f9a386d2e51 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1799:36
    #11 0x7f9a322c8777 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1274:26
    #12 0x7f9a30cc1102 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:673:18
    #13 0x7f9a30cbc54e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7f9a30cb9486 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:489:17
    #15 0x7f9a30cc5abb in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:123:18
    #16 0x7f9a2e280465 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #18 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #19 0x7f9a2f4d89de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #25 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #29 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #30 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
Flags: in-testsuite?
Group: layout-core-security
Priority: -- → P3

The fuzzers are no longer hitting this issue and the attached testcase no longer reproduces the issue.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

This was fixed in bug 288704.

Depends on: 288704
Assignee: nobody → mats
Target Milestone: --- → mozilla68