Closed Bug 1499413 Opened 6 years ago Closed 1 year ago

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 in GetNextSibling

Categories: Core :: Layout, defect, P3
Status: RESOLVED WORKSFORME
Tracking Status: firefox64 --- affected
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: 4 keywords
Attachments: 1 file

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 9079bbe83718.

==14325==ERROR: AddressSanitizer: use-after-poison on address 0x625000280a08 at pc 0x7f54dfdb671f bp 0x7fffcc95e080 sp 0x7fffcc95e078
READ of size 8 at 0x625000280a08 thread T0 (file:// Content)
    #0 0x7f54dfdb671e in GetNextSibling /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45
    #1 0x7f54dfdb671e in RemoveFrame /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:82
    #2 0x7f54dfdb671e in RemoveFirstChild /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:129
    #3 0x7f54dfdb671e in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:58
    #4 0x7f54dfc2aadd in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11
    #5 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #6 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #7 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #8 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #9 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #10 0x7f54dfc2aadd in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11
    #11 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #12 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #13 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #14 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #15 0x7f54dfdb66c9 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #16 0x7f54dfc2bbf0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #17 0x7f54dfccc3fa in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:672:5
    #18 0x7f54dfccc3fa in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:179
    #19 0x7f54dfa69345 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:124:18
    #20 0x7f54dfa51e08 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8985:5
    #21 0x7f54df9d3bbb in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1551:25
    #22 0x7f54df9e4bf3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3056:9
    #23 0x7f54df9877ef in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3133:3
    #24 0x7f54df9877ef in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4322
    #25 0x7f54dcd4b398 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:575:5
    #26 0x7f54dcd4b398 in FlushPendingEvents /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:5713
    #27 0x7f54dcd4b398 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/dom/events/EventStateManager.cpp:694
    #28 0x7f54df9ba385 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7657:19
    #29 0x7f54df9b5211 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7302:17
    #30 0x7f54df14cead in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:812:14
    #31 0x7f54df14c666 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1141:9
    #32 0x7f54df1eed2a in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:409:35
    #33 0x7f54d86f99fa in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/workspace/build/src/gfx/layers/apz/util/APZCCallbackHelper.cpp:537:21
    #34 0x7f54de914732 in DispatchWidgetEventViaAPZ /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1761:10
    #35 0x7f54de914732 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1692
    #36 0x7f54de915c5f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1664:3
    #37 0x7f54de915f50 in RecvSynthMouseMoveEvent /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1625:8
    #38 0x7f54de915f50 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp
    #39 0x7f54d73049dd in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3582:20
    #40 0x7f54d6916171 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5563:28
    #41 0x7f54d6636d75 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #42 0x7f54d66327c9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #43 0x7f54d6634a7d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #44 0x7f54d66357f7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #45 0x7f54d53e3a65 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #46 0x7f54d5420a86 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1252:14
    #47 0x7f54d54295ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #48 0x7f54d663fe23 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #49 0x7f54d6542a0c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #50 0x7f54d6542a0c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #51 0x7f54d6542a0c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #52 0x7f54df23f0f3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #53 0x7f54e36f819e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #54 0x7f54d6542a0c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #55 0x7f54d6542a0c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #56 0x7f54d6542a0c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #57 0x7f54e36f7243 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #58 0x5615494f1b91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #59 0x5615494f1b91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #60 0x7f54f745ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #61 0x561549420f3c in _start (/home/forb1dden/builds/mc-asan/firefox+0x2cf3c)

0x625000280a08 is located 2312 bytes inside of 8192-byte region [0x625000280100,0x625000282100)
allocated by thread T0 (file:// Content) here:
    #0 0x5615494c16b3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f54d53bdfd0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f54d53b2ea8 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7f54d53b2ea8 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f54d53b2ea8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f54dff3ed0f in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7f54dff3ed0f in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
    #7 0x7f54dff3ed0f in operator new /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:36
    #8 0x7f54dff3ed0f in NS_NewPlaceholderFrame(nsIPresShell*, mozilla::ComputedStyle*, nsFrameState) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:33
    #9 0x7f54dfa20770 in nsCSSFrameConstructor::CreatePlaceholderFrameFor(nsIPresShell*, nsIContent*, nsIFrame*, nsContainerFrame*, nsIFrame*, nsFrameState) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2983:5
    #10 0x7f54dfa20b79 in nsFrameConstructorState::AddChild(nsIFrame*, nsFrameItems&, nsIContent*, nsContainerFrame*, bool, bool, bool, bool, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1276:7
    #11 0x7f54dfa351a5 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10970:10
    #12 0x7f54dfa47ddc in ConstructNonScrollableBlockWithConstructor /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4770:3
    #13 0x7f54dfa47ddc in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4734
    #14 0x7f54dfa42713 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3794:7
    #15 0x7f54dfa507e6 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5952:3
    #16 0x7f54dfa2aaca in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9930:5
    #17 0x7f54dfa2bc32 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10103:3
    #18 0x7f54dfa35342 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10995:3
    #19 0x7f54dfa47ddc in ConstructNonScrollableBlockWithConstructor /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4770:3
    #20 0x7f54dfa47ddc in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4734
    #21 0x7f54dfa42713 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3794:7
    #22 0x7f54dfa507e6 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5952:3
    #23 0x7f54dfa2aaca in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9930:5
    #24 0x7f54dfa2bc32 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10103:3
    #25 0x7f54dfa35342 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10995:3
    #26 0x7f54dfa31bc4 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2579:5
    #27 0x7f54dfa59984 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7317:9
    #28 0x7f54df9d3bbb in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1551:25
    #29 0x7f54df9e4bf3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3056:9
    #30 0x7f54df9877ef in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3133:3
    #31 0x7f54df9877ef in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4322
    #32 0x7f54d95aebda in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:584:5
    #33 0x7f54d95aebda in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:7649
    #34 0x7f54d92fca44 in GetPrimaryFrame /builds/worker/workspace/build/src/dom/base/Element.cpp:2376:10
    #35 0x7f54d92fca44 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) /builds/worker/workspace/build/src/dom/base/Element.cpp:702
    #36 0x7f54d92ff84a in mozilla::dom::Element::SetScrollTop(int) /builds/worker/workspace/build/src/dom/base/Element.cpp:932:28
    #37 0x7f54dbcce7be in mozilla::dom::Element_Binding::set_scrollTop(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/ElementBinding.cpp:2874:9
    #38 0x7f54dc5dc31f in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3259:8
    #39 0x7f54e53e42bb in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #40 0x7f54e53e42bb in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1641:45 in GetNextSibling
Shadow bytes around the buggy address:
  0x0c4a800480f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00
  0x0c4a80048100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80048110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80048120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80048130: 00 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7
=>0x0c4a80048140: f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80048150: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80048160: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80048170: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80048180: f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00
  0x0c4a80048190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==14325==ABORTING
Flags: in-testsuite?
Group: core-security → layout-core-security
Keywords: sec-low
Priority: -- → P3
Severity: critical → S2

Dropping to S3 given this is mitigated by frame poisoning. Probably fine to un-hide, for the same reason. (Any objection?)

Also, jkratzer: I can't reproduce, including in Nightly ASAN builds from the day that this bug was filed:

mozregression -B asan --launch 2018-10-16 --pref security.sandbox.content.level:0 -a /tmp/testcase.html

Can you still repro? Is there an additional step that I'm missing, or can we close this as WFM?

(I tried removing the -moz prefix from -moz-column-fill since we don't support prefixed column CSS these days; that didn't make a difference, in either old builds or recent builds.)

Severity: S2 → S3
Flags: needinfo?(jkratzer)

I cannot reproduce this either. I think we can safely close this as WFM.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
Group: layout-core-security