AddressSanitizer: ABRT /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80 in __libc_signal_restore_set

VERIFIED FIXED in Firefox 64

Status


defect
--
critical
VERIFIED FIXED
7 months ago
7 months ago

People

(Reporter: jkratzer, Assigned: emilio)

Tracking

(Blocks 1 bug, {crash, testcase})

Trunk
mozilla65
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr60 wontfix, firefox63 wontfix, firefox64 verified, firefox65 verified)

Details

(crash signature, )

Attachments

(2 attachments)

Reporter

Description

7 months ago
Posted file testcase.html
Testcase found while fuzzing mozilla-central rev b3da3f53f804.

==27653==ERROR: AddressSanitizer: ABRT on unknown address 0x03e800006c05 (pc 0x7f2a6e61ce97 bp 0x7ffe246b23d0 sp 0x7ffe246b20e0 T0)
    #0 0x7f2a6e61ce96 in __libc_signal_restore_set /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/nptl-signals.h:80
    #1 0x7f2a6e61ce96 in gsignal /build/glibc-OTsEL5/glibc-2.27/signal/../sysdeps/unix/sysv/linux/raise.c:48
    #2 0x7f2a6e61e800 in abort /build/glibc-OTsEL5/glibc-2.27/stdlib/abort.c:79
    #3 0x7f2a6f41d8b6 in __strtof_l (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x8c8b6)
    #4 0x7f2a6f423a05  (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x92a05)
    #5 0x7f2a6f423a40 in std::terminate() (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x92a40)
    #6 0x7f2a6f42480e in __cxa_pure_virtual (/usr/lib/x86_64-linux-gnu/libstdc++.so.6+0x9380e)
    #7 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #8 0x7f2a56171d53 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11
    #9 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #10 0x7f2a56172e70 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #11 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #12 0x7f2a56171d53 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:351:11
    #13 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #14 0x7f2a56172e70 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #15 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #16 0x7f2a56172e70 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #17 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #18 0x7f2a56172e70 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #19 0x7f2a5630dd99 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:59:12
    #20 0x7f2a56172e70 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:230:11
    #21 0x7f2a55fa66a6 in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:635:5
    #22 0x7f2a55fa66a6 in Destroy /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:57
    #23 0x7f2a55fa66a6 in nsCSSFrameConstructor::WillDestroyFrameTree() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8186
    #24 0x7f2a55e85525 in mozilla::PresShell::Destroy() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1373:22
    #25 0x7f2a55fe0dd1 in nsDocumentViewer::DestroyPresShell() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:4648:15
    #26 0x7f2a55fcbe6a in nsDocumentViewer::Destroy() /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1897:5
    #27 0x7f2a59003f06 in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:5319:21
    #28 0x7f2a5977f6fd in nsWebBrowser::SetDocShell(nsIDocShell*) /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1445:23
    #29 0x7f2a5977ee7c in nsWebBrowser::InternalDestroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:92:3
    #30 0x7f2a5978a282 in nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1061:3
    #31 0x7f2a5978a48c in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp
    #32 0x7f2a54e12c07 in mozilla::dom::TabChild::DestroyWindow() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1024:21
    #33 0x7f2a54e2c1c7 in mozilla::dom::TabChild::RecvDestroy() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:2481:3
    #34 0x7f2a4d783a88 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4578:20
    #35 0x7f2a4cd6b609 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:5422:28
    #36 0x7f2a4ca82339 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2255:25
    #37 0x7f2a4ca7dcba in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2182:17
    #38 0x7f2a4ca7fec1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:5
    #39 0x7f2a4ca80d87 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2052:15
    #40 0x7f2a4b7d36e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #41 0x7f2a4b810be1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #42 0x7f2a4b81998d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #43 0x7f2a4ca8b694 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #44 0x7f2a4c987b5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7f2a4c987b5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7f2a4c987b5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7f2a557589c3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #48 0x7f2a59e67e8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #49 0x7f2a4c987b5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #50 0x7f2a4c987b5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #51 0x7f2a4c987b5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #52 0x7f2a59e66eeb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #53 0x557c73c9e864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #54 0x557c73c9e864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:301
    #55 0x7f2a6e5ffb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
Reporter

Comment 1

7 months ago
During reduction, the following use-after-poison signature was also identified:

==1534==ERROR: AddressSanitizer: use-after-poison on address 0x62500031c870 at pc 0x7f9247d5714c bp 0x7ffdcd3234f0 sp 0x7ffdcd3234e8
READ of size 8 at 0x62500031c870 thread T0 (file:// Content)
    #0 0x7f9247d5714b in HasAnyStateBits /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2004:12
    #1 0x7f9247d5714b in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7152
    #2 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #3 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #4 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #5 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #6 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #7 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #8 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28
    #9 0x7f92485c4176 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2845:12
    #10 0x7f9247ad1c10 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3974:12
    #11 0x7f924796fcda in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6404:5
    #12 0x7f92470fb18c in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #13 0x7f92470f9f8c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #14 0x7f92470ffa26 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #15 0x7f92478bc438 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2049:11
    #16 0x7f92478ce153 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:13
    #17 0x7f92478ce153 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #18 0x7f92478cdb4c in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319:5
    #19 0x7f92478d0ddf in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #20 0x7f92478d0ddf in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:676
    #21 0x7f92478d0712 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:573:9
    #22 0x7f92483d7208 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:76:16
    #23 0x7f923efa4f65 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #24 0x7f923ed301fd in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #25 0x7f923e518339 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2255:25
    #26 0x7f923e513cba in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2182:17
    #27 0x7f923e515ec1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:5
    #28 0x7f923e516d87 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2052:15
    #29 0x7f923d2a6be1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #30 0x7f923d2af98d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #31 0x7f923e52169f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7f923e41db5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #33 0x7f923e41db5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #34 0x7f923e41db5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #35 0x7f92471ee9c3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #36 0x7f924b8fde8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #37 0x7f923e41db5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #38 0x7f923e41db5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #39 0x7f923e41db5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #40 0x7f924b8fceeb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #41 0x558d8d6c1864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #42 0x558d8d6c1864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:301
    #43 0x7f9260095b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #44 0x558d8d5e6eec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)

0x62500031c870 is located 6000 bytes inside of 8192-byte region [0x62500031b100,0x62500031d100)
allocated by thread T0 (file:// Content) here:
    #0 0x558d8d68ed93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f923d243e90 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f923d239708 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7f923d239708 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f923d239708 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f9247be5f3a in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7f9247be5f3a in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
    #7 0x7f9247be5f3a in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7f9247be5f3a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7f92479ff373 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2653:5
    #10 0x7f9247927a72 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1798:36
    #11 0x7f9241437371 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7f923fdb5532 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7f923fdb0b6b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7f923fdada5a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7f923fdbab7f in nsHtml5ExecutorReflusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:59:16
    #16 0x7f923d2696e5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7f923d2a6be1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #18 0x7f923d2af98d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7f923e52169f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f923e41db5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7f923e41db5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7f923e41db5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7f92471ee9c3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7f924b8fde8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #25 0x7f923e41db5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7f923e41db5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7f923e41db5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7f924b8fceeb in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2004:12 in HasAnyStateBits
Shadow bytes around the buggy address:
  0x0c4a8005b8b0: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8005b8c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8005b8d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8005b8e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a8005b8f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a8005b900: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
  0x0c4a8005b910: f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00
  0x0c4a8005b920: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8005b930: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8005b940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a8005b950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==1534==ABORTING
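The two reports above are of different kinds. The first is an abort raised from __cxa_pure_virtual while the frame tree is torn down, i.e. a virtual call on a frame object whose vtable has already been reset during destruction. The second is ASan's own check: the bracketed shadow byte is f7, "Poisoned by user", which is how Gecko's frame arena marks memory it has freed, so the read in HasAnyStateBits is a use of a destroyed frame. The decoder below is an added example, not code from the bug report or from Gecko. It embeds a trimmed copy of the Comment 1 report, applies the documented x86_64 Linux shadow mapping (shadow = (addr >> 3) + 0x7fff8000; assuming that platform, which is consistent with the shadow addresses in the dump) to locate the faulting shadow byte, cross-checks ASan's region arithmetic, and extracts the first non-runtime frame, the one the [@ HasAnyStateBits] crash signature was built from.

```python
"""Decode an AddressSanitizer report: find the shadow byte for the faulting
address and derive a first-approximation crash-signature frame.

Added example; not part of the bug report or of Gecko.  REPORT is a trimmed
copy of the Comment 1 output; SHADOW_OFFSET is the x86_64 Linux default."""
import re

SHADOW_OFFSET = 0x7FFF8000   # x86_64 Linux: shadow = (addr >> 3) + offset
SHADOW_GRANULARITY = 8       # one shadow byte covers 8 application bytes

# Meanings of the shadow values, as listed in the legend of the report.
LEGEND = {
    0x00: "Addressable", 0xFA: "Heap left redzone", 0xFD: "Freed heap region",
    0xF1: "Stack left redzone", 0xF2: "Stack mid redzone",
    0xF3: "Stack right redzone", 0xF5: "Stack after return",
    0xF8: "Stack use after scope", 0xF9: "Global redzone",
    0xF6: "Global init order", 0xF7: "Poisoned by user",
    0xFC: "Container overflow", 0xAC: "Array cookie",
    0xBB: "Intra object redzone", 0xFE: "ASan internal",
    0xCA: "Left alloca redzone", 0xCB: "Right alloca redzone", 0xCC: "Shadow gap",
}

# Trimmed copy of the use-after-poison report from Comment 1.
REPORT = """\
==1534==ERROR: AddressSanitizer: use-after-poison on address 0x62500031c870 at pc 0x7f9247d5714c bp 0x7ffdcd3234f0 sp 0x7ffdcd3234e8
READ of size 8 at 0x62500031c870 thread T0 (file:// Content)
    #0 0x7f9247d5714b in HasAnyStateBits /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2004:12
    #1 0x7f9247d5714b in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7152
    #2 0x7f9247d56e9e in nsIFrame::ClearInvalidationStateBits() /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:7160:28

0x62500031c870 is located 6000 bytes inside of 8192-byte region [0x62500031b100,0x62500031d100)
Shadow bytes around the buggy address:
  0x0c4a8005b8f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a8005b900: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
  0x0c4a8005b910: f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00
"""

HEADER_RE = re.compile(r"ERROR: AddressSanitizer: (\S+) on (?:unknown )?address (0x[0-9a-f]+)")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x[0-9a-f]+ in ([^\s(]+)", re.M)
SHADOW_LINE_RE = re.compile(r"^(?:=>|  )(0x[0-9a-f]+): (.*)$", re.M)
REGION_RE = re.compile(r"(0x[0-9a-f]+) is located (\d+) bytes inside of (\d+)-byte "
                       r"region \[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
# Frames belonging to libc / libstdc++ / the sanitizer runtime, not to the application.
RUNTIME_PREFIXES = ("__", "gsignal", "raise", "abort", "std::")


def parse_header(report):
    """Return (error kind, faulting address); works for ABRT and memory errors."""
    m = HEADER_RE.search(report)
    if not m:
        raise ValueError("no ASan error header found")
    return m.group(1), int(m.group(2), 16)


def shadow_address(addr):
    """Application address -> address of its shadow byte."""
    return (addr >> 3) + SHADOW_OFFSET


def parse_shadow_dump(report):
    """Map every shadow address in the dump to its byte value."""
    shadow = {}
    for m in SHADOW_LINE_RE.finditer(report):
        base = int(m.group(1), 16)
        # ASan brackets the byte of the faulting address: "f7[f7]f7".
        cells = m.group(2).replace("[", " ").replace("]", " ").split()
        for i, cell in enumerate(cells):
            shadow[base + i] = int(cell, 16)
    return shadow


def classify_access(report):
    """Return (kind, address, shadow byte, legend meaning) for the fault."""
    kind, addr = parse_header(report)
    shadow = parse_shadow_dump(report)
    saddr = shadow_address(addr)
    if saddr not in shadow:   # e.g. an ABRT report, which carries no shadow dump
        raise ValueError(f"shadow {saddr:#x} for {addr:#x} not in dump")
    return kind, addr, shadow[saddr], LEGEND.get(shadow[saddr], "unknown")


def region_offset(report):
    """(offset, size) of the access within its allocation, verified against ASan's numbers."""
    m = REGION_RE.search(report)
    if not m:
        return None
    addr, off, size = int(m.group(1), 16), int(m.group(2)), int(m.group(3))
    lo, hi = int(m.group(4), 16), int(m.group(5), 16)
    if hi - lo != size or addr - lo != off:
        raise ValueError("region line is internally inconsistent")
    return off, size


def top_app_frame(report):
    """First frame that is not runtime code; a first approximation of the crash signature."""
    for m in FRAME_RE.finditer(report):
        if not m.group(2).startswith(RUNTIME_PREFIXES):
            return m.group(2)
    return None


if __name__ == "__main__":
    kind, addr, byte, meaning = classify_access(REPORT)
    print(f"{kind} at {addr:#x}: shadow byte {byte:#04x} = {meaning}")
    print(f"  {region_offset(REPORT)[0]} bytes into a {region_offset(REPORT)[1]}-byte region")
    print(f"  top application frame: {top_app_frame(REPORT)}")
```

The frame filter is deliberately simple: it recovers HasAnyStateBits for the second report, but the real signature rules skip more frames than libc and libstdc++ entries (the first report's signature on this page is [@ nsBlockFrame::DestroyFrom], not the nsFrameList::DestroyFramesFrom frame that sits directly above __cxa_pure_virtual), so treat its output as a starting point for triage, not as the canonical signature.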
Reporter

Updated

7 months ago
Crash Signature: [@ HasAnyStateBits]
Reporter

Updated

7 months ago
Crash Signature: [@ HasAnyStateBits] → [@ HasAnyStateBits], [@ nsBlockFrame::DestroyFrom]
Reporter

Updated

7 months ago
Crash Signature: [@ HasAnyStateBits], [@ nsBlockFrame::DestroyFrom] → [@ HasAnyStateBits] [@ nsBlockFrame::DestroyFrom]
Assignee

Comment 2

7 months ago
Lovely, this has _everything_.

Thanks Jason, the test-case is amazing :)
Assignee

Updated

7 months ago
Flags: needinfo?(emilio)
Assignee

Comment 3

7 months ago
The first assertion that fails here, and which causes all the havoc later, is:

  https://dev.searchfox.org/mozilla-central/rev/6e0e603f4852b8e571e5b8ae133e772b18b6016e/layout/generic/BlockReflowInput.cpp#578

That happens because the float has been dynamically inserted directly under one
of the continuations of the column set, not under the first. So that assertion
doesn't really hold.

Properly steal the float if that happens.
Assignee

Updated

7 months ago
Assignee: nobody → emilio
Flags: needinfo?(emilio)

Comment 4

7 months ago
Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/3d0711b3c764
Handle the case where a float is dynamically inserted inside a continuation. r=dbaron

Comment 5

7 months ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/3d0711b3c764
Status: NEW → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: in-testsuite? → in-testsuite+
Emilio, is this worth uplifting to beta?
Flags: needinfo?(emilio)
Assignee

Comment 7

7 months ago
Comment on attachment 9023713 [details]
Bug 1505817 - Handle the case where a float is dynamically inserted inside a continuation.

[Beta/Release Uplift Approval Request]

Feature/Bug causing the regression: N/A

User impact if declined: Potential crashes.

Is this code covered by automated tests?: Yes

Has the fix been verified in Nightly?: Yes

Needs manual test from QE?: No

If yes, steps to reproduce: 

List of other uplifts needed: none

Risk to taking this patch: Low

Why is the change risky/not risky? (and alternatives if risky): one liner that fixes an edge case.

String changes made/needed:
Flags: needinfo?(emilio)
Attachment #9023713 - Flags: approval-mozilla-beta?
Comment on attachment 9023713 [details]
Bug 1505817 - Handle the case where a float is dynamically inserted inside a continuation.

crash fix, approved for 64.0b10
Attachment #9023713 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
I reproduced this issue using Fx 65.0a1 (2018-11-08), on Windows 10 x64.
I can confirm this issue is fixed, I verified using Fx 65.0a1 (2018-11-15) and Fx 64.0b10, on Windows 10 x64, Ubuntu 16.04 LTS and macOS 10.14.1.
Status: RESOLVED → VERIFIED
Flags: qe-verify+