Closed Bug 1506163 Opened 2 years ago Closed 2 years ago

AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27 in get

Categories: Core :: Layout: Columns, defect, P2

Tracking

RESOLVED FIXED
mozilla65
Tracking Status
firefox-esr60 --- unaffected
firefox63 --- unaffected
firefox64 --- unaffected
firefox65 + fixed

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 2 open bugs)

Details

(4 keywords, Whiteboard: [fuzzblocker])

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.  I'm currently reducing the testcase and will update once complete.

==15304==ERROR: AddressSanitizer: heap-use-after-free on address 0x6250004c9dc0 at pc 0x7f32c7e191c1 bp 0x7ffedb09c690 sp 0x7ffedb09c688
READ of size 8 at 0x6250004c9dc0 thread T0 (file:// Content)
    #0 0x7f32c7e191c0 in get src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27
    #1 0x7f32c7e191c0 in operator mozilla::ComputedStyle * src/obj-firefox/dist/include/mozilla/RefPtr.h:320
    #2 0x7f32c7e191c0 in Style src/layout/generic/nsIFrame.h:739
    #3 0x7f32c7e191c0 in PresContext src/layout/generic/nsIFrame.h:587
    #4 0x7f32c7e191c0 in mozilla::LayerActivityTracker::NotifyExpired(mozilla::LayerActivity*) src/layout/painting/ActiveLayerTracker.cpp:194
    #5 0x7f32c80109e9 in ExpirationTrackerImpl<mozilla::LayerActivity, 4u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::AgeOneGenerationLocked(detail::PlaceholderAutoLock const&) src/obj-firefox/dist/include/nsExpirationTracker.h:262:7
    #6 0x7f32c8010481 in HandleTimeout src/obj-firefox/dist/include/nsExpirationTracker.h:430:7
    #7 0x7f32c8010481 in ExpirationTrackerImpl<mozilla::LayerActivity, 4u, detail::PlaceholderLock, detail::PlaceholderAutoLock>::TimerCallback(nsITimer*, void*) src/obj-firefox/dist/include/nsExpirationTracker.h:444
    #8 0x7f32bcc7db7a in nsTimerImpl::Fire(int) src/xpcom/threads/nsTimerImpl.cpp:684:7
    #9 0x7f32bcc36787 in nsTimerEvent::Run() src/xpcom/threads/TimerThread.cpp:297:11
    #10 0x7f32bcc10685 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #11 0x7f32bcc4db81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #12 0x7f32bcc5692d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #13 0x7f32bdec762f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #14 0x7f32bddc3aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #15 0x7f32bddc3aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #16 0x7f32bddc3aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #17 0x7f32c6b8b003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #18 0x7f32cb45ae3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #19 0x7f32bddc3aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7f32bddc3aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7f32bddc3aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7f32cb459e9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #23 0x55ca42fe3864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #24 0x55ca42fe3864 in main src/browser/app/nsBrowserApp.cpp:287
    #25 0x7f32e02dd82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #26 0x55ca42f08eec in _start (/home/ubuntu/firefox/firefox+0x2deec)

0x6250004c9dc0 is located 3264 bytes inside of 8192-byte region [0x6250004c9100,0x6250004cb100)
freed by thread T0 (file:// Content) here:
    #0 0x55ca42fb0a12 in __interceptor_free /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:124:3
    #1 0x7f32c74caaaa in Clear src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:101:7
    #2 0x7f32c74caaaa in ~ArenaAllocator src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:64
    #3 0x7f32c74caaaa in nsPresArena::~nsPresArena() src/layout/base/nsPresArena.cpp:43
    #4 0x7f32c72b94e8 in nsIPresShell::~nsIPresShell() src/layout/base/nsIPresShell.h:169:7
    #5 0x7f32c72b4fe7 in Release src/layout/base/PresShell.cpp:865:1
    #6 0x7f32c72b4fe7 in non-virtual thunk to mozilla::PresShell::Release() src/layout/base/PresShell.cpp
    #7 0x7f32c700f59c in ~nsCOMPtr_base src/obj-firefox/dist/include/nsCOMPtr.h:371:7
    #8 0x7f32c700f59c in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:86
    #9 0x7f32c700f75d in mozilla::TextServicesDocument::~TextServicesDocument() src/editor/spellchecker/TextServicesDocument.cpp:84:1
    #10 0x7f32bca79f88 in MaybeKillObject src/xpcom/base/nsCycleCollector.cpp:2754:29
    #11 0x7f32bca79f88 in SnowWhiteKiller::Visit(nsPurpleBuffer&, nsPurpleBufferEntry*) src/xpcom/base/nsCycleCollector.cpp:2785
    #12 0x7f32bca4d5c5 in void nsPurpleBuffer::VisitEntries<SnowWhiteKiller>(SnowWhiteKiller&) src/xpcom/base/nsCycleCollector.cpp:1091:23
    #13 0x7f32bca4eda8 in nsCycleCollector::FreeSnowWhiteWithBudget(js::SliceBudget&) src/xpcom/base/nsCycleCollector.cpp:2983:14
    #14 0x7f32bef0e539 in AsyncFreeSnowWhite::Run() src/js/xpconnect/src/XPCJSRuntime.cpp:139:9
    #15 0x7f32bcc6cc62 in IdleRunnableWrapper::Run() src/xpcom/threads/nsThreadUtils.cpp:354:22
    #16 0x7f32bcc4db81 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
    #17 0x7f32bcc5692d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #18 0x7f32bdec762f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #19 0x7f32bddc3aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #20 0x7f32bddc3aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #21 0x7f32bddc3aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #22 0x7f32c6b8b003 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #23 0x7f32cb45ae3e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #24 0x7f32bddc3aee in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #25 0x7f32bddc3aee in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #26 0x7f32bddc3aee in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #27 0x7f32cb459e9b in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #28 0x55ca42fe3864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #29 0x55ca42fe3864 in main src/browser/app/nsBrowserApp.cpp:287

previously allocated by thread T0 (file:// Content) here:
    #0 0x55ca42fb0d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f32bcbeae30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f32bcbe06a8 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7f32bcbe06a8 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f32bcbe06a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f32c7c9432a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7f32c7c9432a in AllocateFrame src/layout/base/nsIPresShell.h:207
    #7 0x7f32c7c9432a in operator new src/layout/xul/nsScrollbarFrame.cpp:39
    #8 0x7f32c7c9432a in NS_NewScrollbarFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/xul/nsScrollbarFrame.cpp:36
    #9 0x7f32c73aa8a9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3861:7
    #10 0x7f32c73b89c9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6002:3
    #11 0x7f32c7390c3a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10034:5
    #12 0x7f32c739ebff in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, nsAtom*, bool, nsContainerFrame*&) src/layout/base/nsCSSFrameConstructor.cpp:4438:5
    #13 0x7f32c73a72a1 in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*)) src/layout/base/nsCSSFrameConstructor.cpp:4751:7
    #14 0x7f32c73af13f in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4732:10
    #15 0x7f32c73aaa3e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3855:7
    #16 0x7f32c73b89c9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6002:3
    #17 0x7f32c7390c3a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10034:5
    #18 0x7f32c7391db2 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10207:3
    #19 0x7f32c738fdb3 in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:2172:5
    #20 0x7f32c73aaa3e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3855:7
    #21 0x7f32c73b89c9 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6002:3
    #22 0x7f32c7390c3a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10034:5
    #23 0x7f32c7391db2 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10207:3
    #24 0x7f32c739c240 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) src/layout/base/nsCSSFrameConstructor.cpp:11191:3

SUMMARY: AddressSanitizer: heap-use-after-free src/obj-firefox/dist/include/mozilla/RefPtr.h:307:27 in get
==15304==ABORTING
Component: Canvas: WebGL → Layout
Group: core-security → layout-core-security
Attached file testcase.html
Flags: in-testsuite?
This test case also triggers:

Assertion failure: blockItem.OnlyChild() == scrolledFrame (Scrollframe's frameItems should be exactly the scrolled frame!), at src/layout/base/nsCSSFrameConstructor.cpp:4771

#0 nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*)) src/layout/base/nsCSSFrameConstructor.cpp:4770:3
#1 nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4732:10
#2 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3855:7
#3 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6002:3
#4 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10034:5
#5 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10207:3
#6 nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) src/layout/base/nsCSSFrameConstructor.cpp:11191:3
#7 nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*)) src/layout/base/nsCSSFrameConstructor.cpp:4820:3
#8 nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:4784:10
#9 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3855:7
#10 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6002:3
#11 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10034:5
#12 nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7198:3
#13 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1443:27
#14 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3065:9
#15 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4359:39
#16 nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7815:12
#17 nsIDocument::FlushPendingNotifications(mozilla::FlushType) src/dom/base/nsDocument.cpp:7754:3
#18 nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:694:14
#19 nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:630:5
#20 non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
#21 mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:630:28
#22 mozilla::net::nsLoadGroup::Cancel(nsresult) src/netwerk/base/nsLoadGroup.cpp:259:15
#23 nsDocLoader::Stop() src/uriloader/base/nsDocLoader.cpp:244:22
#24 nsDocShell::Stop(unsigned int) src/docshell/base/nsDocShell.cpp:4980:5
#25 nsDocShell::CharsetChangeStopDocumentLoad() src/docshell/base/nsDocShell.cpp:13517:5
#26 nsHtml5TreeOpExecutor::NeedsCharsetSwitchTo(mozilla::NotNull<mozilla::Encoding const*>, int, unsigned int) src/parser/html/nsHtml5TreeOpExecutor.cpp:783:7
#27 nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1001:17
#28 nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
#29 nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:123:18
#30 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1246:14
#31 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
#32 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#33 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#34 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#35 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#36 nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:290:30
#37 XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4789:22
#38 XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4934:8
#39 XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:5026:21
#40 do_main(int, char**, char**) src/browser/app/nsBrowserApp.cpp:233:22
#41 main src/browser/app/nsBrowserApp.cpp:315:16
#42 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#43 _start (firefox+0x329f4)
Assertion failure: blockItem.OnlyChild() == scrolledFrame (Scrollframe's frameItems should be exactly the scrolled frame!), at src/layout/base/nsCSSFrameConstructor.cpp:4771

This assertion happens because bug 1421105 didn't consider that an element with an "overflow" property has a "column-span:all" child in a multi-column subtree.
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Component: Layout → Layout: Columns
Depends on: 1421105
Priority: -- → P2
> an element with an "overflow" property has a "column-span:all" child in a multi-column subtree.

Well, what is the specced behavior in that case?
Whiteboard: [fuzzblocker]
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #4)
> > an element with an "overflow" property has a "column-span:all" child in a multi-column subtree.
> 
> Well, what is the specced behavior in that case?

I don't find anything specced in CSS Multi-column Layout Module Level 1.

But in CSS Fragmentation Module Level 3, 4.1. Possible Break Points (https://drafts.csswg.org/css-break/#possible-breaks), it says

"In addition to any content which is not generally fragmentable, UAs may consider as monolithic any elements with overflow set to auto or scroll and any elements with overflow: hidden and a non-auto logical height (and no specified maximum logical height)."

I think we should prevent any "column-span:all" element from spanning across columns (just ignore it) if the column-span:all element has a non-fragmentable ancestor in the same multi-column formatting context. Does it make sense?
Flags: needinfo?(dbaron)
Flags: needinfo?(bzbarsky)
So I thought (not checking the spec, have a meeting in one minute) that column-span:all only worked if it's in the block formatting context established by the multicol, and wouldn't work if there was a new block formatting context in between.  I'd think that would cover the overflow != visible case.  Are there any cases of something that's not fragmentable, but also doesn't establish a new formatting context?
Flags: needinfo?(dbaron)
That's a good question.  If a column spanner is inside an inline-block, inside the columnset, what happens?
Flags: needinfo?(bzbarsky)
https://drafts.csswg.org/css-multicol/#column-span is pretty clear on that (although it doesn't explicitly specify the negative, but I think it's pretty obviously implied):

# all
#     The element spans across all columns of the nearest multicol ancestor in the same block formatting context.

and later:

# A spanning element may be lower than the first level of descendants as long as they are part of the same formatting context.

Basically (although this is the part that's implied), if the element is in a different BFC, then 'all' should just act like 'none'.
Re comment 5:

> Are there any cases of something that's not fragmentable, but
> also doesn't establish a new formatting context?

I cannot think of any element that's not fragmentable, but also doesn't establish a new BFC.

Re comment 8:
> Basically (although this is the part that's implied), if the element is in a
> different BFC, then 'all' should just act like 'none'.

David, you're right. In bug 1421105, I only considered clearing the NS_FRAME_HAS_MULTI_COLUMN_ANCESTOR bit [1] when the block is a column spanner, but we should really clear it whenever we construct a new BFC.

[1] https://searchfox.org/mozilla-central/rev/d850d799a0009f851b5535580e0a8b4bb2c591d7/layout/base/nsCSSFrameConstructor.cpp#11184-11186
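As an added illustration of comment 8's reading of the spec and of the fix described in this comment (a toy model written here, not Gecko's frame constructor; Style, Frame, ConstructFrames, Spanners and SampleTree are hypothetical names), this models the "has multi-column ancestor" bit being cleared only below a spanner versus whenever a new BFC is constructed:

```cpp
// Added example, not Gecko code: a toy model of the frame constructor's
// NS_FRAME_HAS_MULTI_COLUMN_ANCESTOR bookkeeping, before and after the fix.
#include <string>
#include <vector>

enum class Overflow { Visible, Hidden, Auto, Scroll };
enum class ColumnSpan { None, All };

struct Style {
  bool multicol = false;                    // column-count / column-width set
  Overflow overflow = Overflow::Visible;
  ColumnSpan columnSpan = ColumnSpan::None;
  bool inlineBlock = false;                 // display: inline-block
};

struct Frame {
  std::string name;
  Style style;
  std::vector<Frame> children;
  bool hasMultiColumnAncestor = false;      // models the frame state bit
  bool builtAsSpanner = false;              // constructor treated it as column-span:all
};

// Things that start a new block formatting context (comments 5 and 7:
// overflow != visible, inline-block). Per comment 8, a spanner outside the
// multicol's BFC must behave as column-span:none.
static bool EstablishesNewBFC(const Style& s) {
  return s.overflow != Overflow::Visible || s.inlineBlock;
}

// fixed=false models the original bug 1421105 logic, which cleared the bit
// only below a spanner; fixed=true clears it whenever a new BFC is built.
static void ConstructFrames(Frame& f, bool inheritedBit, bool fixed) {
  bool bit = inheritedBit;
  if (fixed && EstablishesNewBFC(f.style)) {
    bit = false;  // new BFC: descendants are no longer in the column flow
  }
  f.hasMultiColumnAncestor = bit;
  f.builtAsSpanner = (f.style.columnSpan == ColumnSpan::All) && bit;
  // Children of a spanner sit outside the column flow; children of a
  // multicol container sit inside it.
  bool childBit = f.style.multicol ? true : (f.builtAsSpanner ? false : bit);
  for (Frame& c : f.children) ConstructFrames(c, childBit, fixed);
}

// Names of every frame the constructor decided to build as a spanner.
static std::vector<std::string> Spanners(const Frame& f) {
  std::vector<std::string> out;
  if (f.builtAsSpanner) out.push_back(f.name);
  for (const Frame& c : f.children) {
    std::vector<std::string> sub = Spanners(c);
    out.insert(out.end(), sub.begin(), sub.end());
  }
  return out;
}

// Constructed sample (not the attached testcase): a multicol whose
// overflow:hidden child contains a column-span:all element, plus a direct
// spanner child for comparison.
static Frame SampleTree() {
  Frame spanInScroller{"spanner-in-scroller", {false, Overflow::Visible, ColumnSpan::All, false}, {}};
  Frame scroller{"scroller", {false, Overflow::Hidden, ColumnSpan::None, false}, {spanInScroller}};
  Frame directSpanner{"direct-spanner", {false, Overflow::Visible, ColumnSpan::All, false}, {}};
  Frame multicol{"multicol", {true, Overflow::Visible, ColumnSpan::None, false}, {scroller, directSpanner}};
  return Frame{"root", {}, {multicol}};
}

// Before the fix the spanner inside the scroller is still built as a spanner
// (the situation that trips the assertion); after it only the direct child is.
static std::vector<std::string> SpannersBuilt(bool fixed) {
  Frame root = SampleTree();
  ConstructFrames(root, false, fixed);
  return Spanners(root);
}
```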
The patch has landed.
https://hg.mozilla.org/mozilla-central/rev/a5e00e5b4635
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Group: layout-core-security → core-security-release
Flags: in-testsuite? → in-testsuite+
I don't see the wpt test added in this bug getting synced to upstream. James, can we retrigger the wpt-sync bot?
Flags: needinfo?(james)
Oh. The test was just merged upstream a few hours ago. https://github.com/web-platform-tests/wpt/pull/14134
Flags: needinfo?(james)
Group: core-security-release