Open Bug 1493957 Opened 6 years ago Updated 1 year ago

SUMMARY: AddressSanitizer: stack-overflow near [@ AddAndRemoveImageAssociations]

Categories

(Core :: Layout, defect, P3)

Tracking

Tracking Status
firefox64 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev c5a9878baf35.

==4609==ERROR: AddressSanitizer: stack-overflow on address 0x7ffca18ccdc8 (pc 0x557451e9363f bp 0x7ffca18cd610 sp 0x7ffca18ccdc0 T0)
    #0 0x557451e9363e in BufferedStackTrace /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:94:37
    #1 0x557451e9363e in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88
    #2 0x557451ec4aad in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17
    #3 0x7efdab930118 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12
    #4 0x7efdab930118 in _M_init_functor /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:1955
    #5 0x7efdab930118 in _M_init_functor /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:1926
    #6 0x7efdab930118 in function<(lambda at /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:904:5), void> /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2427
    #7 0x7efdab930118 in AddAndRemoveImageAssociations /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:904
    #8 0x7efdab930118 in nsFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1081
    #9 0x7efdab927583 in nsFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:707:3
    #10 0x7efdabbf5522 in nsSplittableFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsSplittableFrame.cpp:23:12
    #11 0x7efdab924678 in Init /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:59:22
    #12 0x7efdab924678 in nsBlockFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7080
    #13 0x7efdab6d513b in InitAndRestoreFrame /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4778:14
    #14 0x7efdab6d513b in nsCSSFrameConstructor::InitAndWrapInColumnSetFrameIfNeeded(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10940
    #15 0x7efdab6ccab6 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10977:5
    #16 0x7efdab6dee7c in ConstructNonScrollableBlockWithConstructor /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4758:3
    #17 0x7efdab6dee7c in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4722
    #18 0x7efdab6d98d2 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3788:7
    ...truncated...
Flags: in-testsuite?
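As an added triage example (not part of this bug, and not Mozilla's or FuzzManager's code), the following Python parses the ASAN report from comment 0 as it appears flattened on the page, puts each frame back on its own line, and derives the "[@ Function]" signature used in the bug summary by skipping frames inside the sanitizer runtime, the allocator shim and libstdc++ internals. The skip-list in RUNTIME_MARKERS is an assumption made for this example; the sample input is an excerpt of the report above (first ten frames), embedded inline.

```python
"""Parse an AddressSanitizer stack-overflow report and name the crash.

Added example for this bug page; not Mozilla or FuzzManager code. The
runtime skip-list below is an assumption made for the example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Excerpt of the report from comment 0, flattened onto one line exactly as
# the bug page shows it (only frames #0-#9 are kept for brevity).
SAMPLE_REPORT = (
    "==4609==ERROR: AddressSanitizer: stack-overflow on address 0x7ffca18ccdc8 "
    "(pc 0x557451e9363f bp 0x7ffca18cd610 sp 0x7ffca18ccdc0 T0) "
    "#0 0x557451e9363e in BufferedStackTrace /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/../sanitizer_common/sanitizer_stacktrace.h:94:37 "
    "#1 0x557451e9363e in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88 "
    "#2 0x557451ec4aad in moz_xmalloc /builds/worker/workspace/build/src/memory/mozalloc/mozalloc.cpp:70:17 "
    "#3 0x7efdab930118 in operator new /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/mozalloc.h:139:12 "
    "#4 0x7efdab930118 in _M_init_functor /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:1955 "
    "#5 0x7efdab930118 in _M_init_functor /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:1926 "
    "#6 0x7efdab930118 in function<(lambda at /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:904:5), void> /builds/worker/workspace/build/src/clang/bin/../lib/gcc/x86_64-unknown-linux-gnu/4.9.4/../../../../include/c++/4.9.4/functional:2427 "
    "#7 0x7efdab930118 in AddAndRemoveImageAssociations /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:904 "
    "#8 0x7efdab930118 in nsFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:1081 "
    "#9 0x7efdab927583 in nsFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:707:3 "
    "...truncated..."
)

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: (?P<kind>[\w-]+) on address (?P<addr>0x[0-9a-f]+) "
    r"\(pc (?P<pc>0x[0-9a-f]+) bp (?P<bp>0x[0-9a-f]+) sp (?P<sp>0x[0-9a-f]+) T(?P<tid>\d+)\)"
)
# Function names may contain spaces and parentheses (lambdas, signatures), so the
# path is the last "/..." token; the '$' anchor keeps func non-greedy but correct.
FRAME_RE = re.compile(
    r"#(?P<idx>\d+) (?P<addr>0x[0-9a-f]+) in (?P<func>.+?) "
    r"(?P<path>/\S+?)(?::(?P<line>\d+))?(?::(?P<col>\d+))?$"
)
TRUNCATED_RE = re.compile(r"\s*\.\.\.truncated\.\.\.\s*$")

# Assumed skip-list: frames in these paths describe the reporting machinery, not the bug.
RUNTIME_MARKERS = ("compiler-rt/lib/asan", "sanitizer_common", "mozalloc", "include/c++/")


@dataclass
class Frame:
    index: int
    addr: str
    func: str
    path: str
    line: Optional[int] = None
    col: Optional[int] = None


@dataclass
class AsanReport:
    pid: int
    kind: str
    address: str
    thread: int
    regs: Dict[str, str] = field(default_factory=dict)
    frames: List[Frame] = field(default_factory=list)
    truncated: bool = False


def split_frames(text: str) -> List[str]:
    """Put every '#N 0x... in' frame on its own line, whatever the input layout."""
    normalized = re.sub(r"\s+(?=#\d+ 0x[0-9a-f]+ in )", "\n", text)
    return [ln.strip() for ln in normalized.splitlines() if ln.strip()]


def parse_asan_report(text: str) -> AsanReport:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("no AddressSanitizer error header found")
    report = AsanReport(int(header["pid"]), header["kind"], header["addr"], int(header["tid"]),
                        {k: header[k] for k in ("pc", "bp", "sp")})
    for ln in split_frames(text):
        if TRUNCATED_RE.search(ln):  # the page cut the trace short; remember that
            report.truncated = True
            ln = TRUNCATED_RE.sub("", ln)
        m = FRAME_RE.match(ln)
        if m is not None:
            report.frames.append(Frame(int(m["idx"]), m["addr"], m["func"], m["path"],
                                       int(m["line"]) if m["line"] else None,
                                       int(m["col"]) if m["col"] else None))
    return report


def is_runtime_frame(frame: Frame) -> bool:
    return any(marker in frame.path for marker in RUNTIME_MARKERS)


def top_product_frames(report: AsanReport, n: int) -> List[str]:
    """Bare function names (signature stripped) of the first n non-runtime frames."""
    names = [f.func.split("(")[0] for f in report.frames if not is_runtime_frame(f)]
    return names[:n]


def crash_signature(report: AsanReport) -> str:
    """Name the crash after the first frame outside the runtime, like the bug summary does."""
    names = top_product_frames(report, 1)
    return f"[@ {names[0]}]" if names else "[@ <unknown>]"


def is_stack_exhaustion(report: AsanReport) -> bool:
    """ASAN 'stack-overflow' means the guard page was hit (exhaustion), not a stack smash."""
    return report.kind == "stack-overflow"


if __name__ == "__main__":
    rep = parse_asan_report(SAMPLE_REPORT)
    print(rep.kind, rep.address, crash_signature(rep), "truncated" if rep.truncated else "")
    for f in rep.frames:
        print(f"#{f.index} {'[rt] ' if is_runtime_frame(f) else ''}{f.func} {f.path}:{f.line}")
```

The skip-list is what makes the signature stable across reports: without it the "top" frame is always the sanitizer's own malloc interceptor, which is the same for every allocation-time crash. Treating kind == "stack-overflow" as exhaustion is the same reasoning comment 8 applies when lowering the severity.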
Attached file ASAN output
Frame construction of heavily nested custom elements.
Priority: -- → P1
Hmm... I'm not quite sure this is different than what you could do without custom elements... I'll take a look.
Flags: needinfo?(emilio)
So this is a huge frame constructor stack (but still below the current hard limit, which is 400) mixed with a huge JS stack caused by the constructor being called synchronously from itself via innerHTML... Olli, do you have any idea of what to make out of this other than trying to reduce stack limits on one of the two places?
Flags: needinfo?(emilio) → needinfo?(bugs)
Nope. hsivonen was talking about some tree depth limitation thing in the parser recently.
Flags: needinfo?(bugs)

Hey Jason,
Can you still reproduce this issue or should we close it?

Flags: needinfo?(jkratzer)

(In reply to Andrei Purice from comment #6)

> Hey Jason,
> Can you still reproduce this issue or should we close it?

Andrei, this issue still reproduces on mozilla-central rev 152fdda295bb (built with --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 152fdda295bb --asan --fuzzing -n build
$ python -m grizzly.replay ./build/firefox ./testcase.html

Flags: needinfo?(jkratzer)
QA Whiteboard: [qa-not-actionable]
Severity: critical → S2

Based on analysis in Comment 4, this sounds more like S3 than S2. (Seems like stack exhaustion, i.e. a safe crash, with a fuzzer testcase.)

Severity: S2 → S3

I captured a pernosco trace, too (in an --enable-address-sanitizer --enable-fuzzing debug+opt build): https://pernos.co/debug/z94E8jSHc4MGkCcGX-7Igw/index.html

Priority: P1 → P3