Closed Bug 1499413 Opened 7 years ago Closed 3 years ago

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 in GetNextSibling

Tracking

()

Status:

RESOLVED WORKSFORME

Tracking Flags:

Tracking

Status

firefox64

---

affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file)

testcase.html 7 years ago Jason Kratzer [:jkratzer] 1.12 KB, text/html		Details

Jason Kratzer [:jkratzer]

Reporter

Description

•

7 years ago

Attached file testcase.html — Details

Testcase found while fuzzing mozilla-central rev 9079bbe83718. ==14325==ERROR: AddressSanitizer: use-after-poison on address 0x625000280a08 at pc 0x7f54dfdb671f bp 0x7fffcc95e080 sp 0x7fffcc95e078 READ of size 8 at 0x625000280a08 thread T0 (file:// Content) #0 0x7f54dfdb671e in GetNextSibling /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 #1 0x7f54dfdb671e in RemoveFrame /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:82 #2 0x7f54dfdb671e in RemoveFirstChild /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:129 #3 0x7f54dfdb671e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:58 #4 0x7f54dfc2aadd in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11 #5 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #6 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11 #7 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #8 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11 #9 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #10 0x7f54dfc2aadd in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11 #11 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #12 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11 #13 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #14 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11 #15 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12 #16 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11 #17 0x7f54dfccc3fa in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:672:5 #18 0x7f54dfccc3fa in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:179 #19 0x7f54dfa69345 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:124:18 #20 0x7f54dfa51e08 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8985:5 #21 0x7f54df9d3bbb in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1551:25 #22 0x7f54df9e4bf3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3056:9 #23 0x7f54df9877ef in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3133:3 #24 0x7f54df9877ef in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4322 #25 0x7f54dcd4b398 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:575:5 #26 0x7f54dcd4b398 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5713 #27 0x7f54dcd4b398 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:694 #28 0x7f54df9ba385 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7657:19 #29 0x7f54df9b5211 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7302:17 #30 0x7f54df14cead in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:812:14 #31 0x7f54df14c666 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1141:9 #32 0x7f54df1eed2a in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:409:35 #33 0x7f54d86f99fa in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:537:21 #34 0x7f54de914732 in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1761:10 #35 0x7f54de914732 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1692 #36 0x7f54de915c5f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1664:3 #37 0x7f54de915f50 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1625:8 #38 0x7f54de915f50 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp #39 0x7f54d73049dd in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3582:20 #40 0x7f54d6916171 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5563:28 #41 0x7f54d6636d75 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25 #42 0x7f54d66327c9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17 #43 0x7f54d6634a7d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5 #44 0x7f54d66357f7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15 #45 0x7f54d53e3a65 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32 #46 0x7f54d5420a86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1252:14 #47 0x7f54d54295ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10 #48 0x7f54d663fe23 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21 #49 0x7f54d6542a0c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #50 0x7f54d6542a0c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #51 0x7f54d6542a0c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #52 0x7f54df23f0f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27 #53 0x7f54e36f819e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22 #54 0x7f54d6542a0c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10 #55 0x7f54d6542a0c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318 #56 0x7f54d6542a0c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298 #57 0x7f54e36f7243 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34 #58 0x5615494f1b91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30 #59 0x5615494f1b91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287 #60 0x7f54f745ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310 #61 0x561549420f3c in _start (/home/forb1dden/builds/mc-asan/firefox+0x2cf3c) 0x625000280a08 is located 2312 bytes inside of 8192-byte region [0x625000280100,0x625000282100) allocated by thread T0 (file:// Content) here: #0 0x5615494c16b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3 #1 0x7f54d53bdfd0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15 #2 0x7f54d53b2ea8 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25 #3 0x7f54d53b2ea8 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75 #4 0x7f54d53b2ea8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80 #5 0x7f54dff3ed0f in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12 #6 0x7f54dff3ed0f in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207 #7 0x7f54dff3ed0f in operator new /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:36 #8 0x7f54dff3ed0f in NS_NewPlaceholderFrame(nsIPresShell*, mozilla::ComputedStyle*, nsFrameState) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:33 #9 0x7f54dfa20770 in nsCSSFrameConstructor::CreatePlaceholderFrameFor(nsIPresShell*, nsIContent*, nsIFrame*, nsContainerFrame*, nsIFrame*, nsFrameState) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2983:5 #10 0x7f54dfa20b79 in nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1276:7 #11 0x7f54dfa351a5 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10970:10 #12 0x7f54dfa47ddc in ConstructNonScrollableBlockWithConstructor /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4770:3 #13 0x7f54dfa47ddc in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4734 #14 0x7f54dfa42713 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3794:7 #15 0x7f54dfa507e6 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5952:3 #16 0x7f54dfa2aaca in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9930:5 #17 0x7f54dfa2bc32 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10103:3 #18 0x7f54dfa35342 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10995:3 #19 0x7f54dfa47ddc in ConstructNonScrollableBlockWithConstructor /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4770:3 #20 0x7f54dfa47ddc in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4734 #21 0x7f54dfa42713 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3794:7 #22 0x7f54dfa507e6 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5952:3 #23 0x7f54dfa2aaca in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9930:5 #24 0x7f54dfa2bc32 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10103:3 #25 0x7f54dfa35342 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10995:3 #26 0x7f54dfa31bc4 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2579:5 #27 0x7f54dfa59984 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7317:9 #28 0x7f54df9d3bbb in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1551:25 #29 0x7f54df9e4bf3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3056:9 #30 0x7f54df9877ef in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3133:3 #31 0x7f54df9877ef in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4322 #32 0x7f54d95aebda in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:584:5 #33 0x7f54d95aebda in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7649 #34 0x7f54d92fca44 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2376:10 #35 0x7f54d92fca44 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/Element.cpp:702 #36 0x7f54d92ff84a in mozilla::dom::Element::SetScrollTop(int) /builds/worker/workspace/build/src/dom/base/Element.cpp:932:28 #37 0x7f54dbcce7be in mozilla::dom::Element_Binding::set_scrollTop(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2874:9 #38 0x7f54dc5dc31f in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3259:8 #39 0x7f54e53e42bb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15 #40 0x7f54e53e42bb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560 SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 in GetNextSibling Shadow bytes around the buggy address: 0x0c4a800480f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 0x0c4a80048100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80048110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80048120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c4a80048130: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 =>0x0c4a80048140: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a80048150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a80048160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a80048170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 0x0c4a80048180: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 0x0c4a80048190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==14325==ABORTING

Flags: in-testsuite?

Ryan VanderMeulen [:RyanVM]

Updated

•

7 years ago

Group: core-security → layout-core-security

Daniel Veditz [:dveditz]

Updated

•

7 years ago

Keywords: sec-low

Sean Voisen (:svoisen)

Updated

•

7 years ago

Priority: -- → P3

BMO Automation

Updated

•

3 years ago

Severity: critical → S2

Daniel Holbert [:dholbert]

Comment 1

•

3 years ago

Dropping to S3 given this is mitigated by frame poisoning. Probably fine to un-hide, for the same reason. (Any objection?)

Also, jkratzer: I can't reproduce, including in a Nightly ASAN builds from the day that this bug was filed:

mozregression -B asan --launch 2018-10-16 --pref security.sandbox.content.level:0 -a /tmp/testcase.html

Can you still repro? Is there an additional step that I'm missing, or can we close this as WFM?

(I tried remoing -moz prefix from -moz-column-fill since we don't support prefixed column CSS these days; that didn't make a difference, in either old builds or recent builds.)

Severity: S2 → S3

Flags: needinfo?(jkratzer)

Jason Kratzer [:jkratzer]

Reporter

Comment 2

•

3 years ago

I cannot reproduce this either. I think we can safely close this as WFM.

Status: NEW → RESOLVED

Closed: 3 years ago

Flags: needinfo?(jkratzer)

Resolution: --- → WORKSFORME

Daniel Veditz [:dveditz]

Updated

•

2 years ago

Group: layout-core-security

You need to log in before you can comment on or make changes to this bug.

Bugzilla

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 in GetNextSibling

Categories

(Core :: Layout, defect, P3)

Tracking

()

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Updated

Updated

Updated

Updated

Comment 1

Comment 2

Updated

Attachment

General

Description

File Name

Content Type