Closed
Bug 1506720
Opened 4 years ago
Closed 4 years ago
AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7912:33 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags)
Categories: Core :: Layout: Columns (defect, P2)
Tracking
Status: RESOLVED WORKSFORME
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | - | disabled |
People: Reporter jkratzer; Unassigned
References: Blocks 1 open bug
Details: 5 keywords
Attachments (1 file): testcase, 527 bytes, text/html
Testcase found while fuzzing mozilla-central rev 5e7636ec12c5.

```
==11345==ERROR: AddressSanitizer: use-after-poison on address 0x62500026dd90 at pc 0x7fe803153dca bp 0x7ffd392f47b0 sp 0x7ffd392f47a8
READ of size 8 at 0x62500026dd90 thread T0 (file:// Content)
    #0 0x7fe803153dc9 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7912:33
    #1 0x7fe80306dff4 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4612:22
    #2 0x7fe7fcd90cf6 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) /builds/worker/workspace/build/src/dom/base/nsNodeUtils.cpp:230:3
    #3 0x7fe7fcbff840 in nsINode::RemoveChildNode(nsIContent*, bool) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:2042:5
    #4 0x7fe7fc6e8b2e in nsContentUtils::SetNodeTextContent(nsIContent*, nsTSubstring<char16_t> const&, bool) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5253:17
    #5 0x7fe7fc9be1a7 in mozilla::dom::FragmentOrElement::SetTextContentInternal(nsTSubstring<char16_t> const&, nsIPrincipal*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/FragmentOrElement.cpp:1277:12
    #6 0x7fe7fd95d4e3 in SetTextContent /builds/worker/workspace/build/src/obj-firefox/dist/include/nsINode.h:1348:5
    #7 0x7fe7fd95d4e3 in mozilla::dom::Node_Binding::set_textContent(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/NodeBinding.cpp:846
    #8 0x7fe7ffc7a0f0 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3318:8
    #9 0x7fe808f023fd in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #10 0x7fe808f023fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #11 0x7fe808f07485 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:614:12
    #12 0x7fe808f07485 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633
    #13 0x7fe808f07485 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:775
    #14 0x7fe8079f1aed in SetExistingProperty(JSContext*, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:3016:10
    #15 0x7fe8079e90d5 in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:3046:20
    #16 0x7fe808ee249e in SetProperty /builds/worker/workspace/build/src/js/src/vm/ObjectOperations-inl.h:298:12
    #17 0x7fe808ee249e in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:277
    #18 0x7fe808ee249e in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3240
    #19 0x7fe808ecf486 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #20 0x7fe808f02da1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #21 0x7fe808f04ff5 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664:14
    #22 0x7fe808f06761 in js::Construct(JSContext*, JS::Handle<JS::Value>, js::AnyConstructArgs const&, JS::Handle<JS::Value>, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:720:10
    #23 0x7fe807fa52a8 in JS::Construct(JSContext*, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JSObject*>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3023:12
    #24 0x7fe7fc8f8ab6 in mozilla::dom::CustomElementConstructor::Construct(char const*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/CustomElementRegistry.cpp:186:8
    #25 0x7fe7fc8fdcd4 in DoUpgrade /builds/worker/workspace/build/src/dom/base/CustomElementRegistry.cpp:1193:19
    #26 0x7fe7fc8fdcd4 in mozilla::dom::CustomElementRegistry::Upgrade(mozilla::dom::Element*, mozilla::dom::CustomElementDefinition*, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/CustomElementRegistry.cpp:1260
    #27 0x7fe7fc90a1e1 in mozilla::dom::CustomElementReactionsStack::InvokeReactions(AutoTArray<RefPtr<mozilla::dom::Element>, 3ul>*, nsIGlobalObject*) /builds/worker/workspace/build/src/dom/base/CustomElementRegistry.cpp:1466:19
    #28 0x7fe7fc90993c in mozilla::dom::CustomElementReactionsStack::PopAndInvokeElementQueue() /builds/worker/workspace/build/src/dom/base/CustomElementRegistry.cpp:1353:5
    #29 0x7fe7fb4d2c41 in mozilla::dom::CustomElementReactionsStack::LeaveCEReactions(JSContext*, bool) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CustomElementRegistry.h:313:7
    #30 0x7fe7ff148b2d in ~AutoCEReaction /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/CustomElementRegistry.h:630:24
    #31 0x7fe7ff148b2d in reset /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:489
    #32 0x7fe7ff148b2d in ~Maybe /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:184
    #33 0x7fe7ff148b2d in mozilla::dom::CustomElementRegistry_Binding::define(JSContext*, JS::Handle<JSObject*>, mozilla::dom::CustomElementRegistry*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CustomElementRegistryBinding.cpp:271
    #34 0x7fe7ffc7d6a4 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3374:13
    #35 0x7fe808f023fd in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:468:15
    #36 0x7fe808f023fd in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:560
    #37 0x7fe808eebc1a in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:620:12
    #38 0x7fe808eebc1a in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3461
    #39 0x7fe808ecf486 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:447:12
    #40 0x7fe808f02da1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:587:15
    #41 0x7fe808f04a22 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:633:10
    #42 0x7fe807fa2ea6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2975:12
    #43 0x7fe7ff2a3189 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #44 0x7fe8004c23f2 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #45 0x7fe8004c23f2 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1104
    #46 0x7fe8004c4a47 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1309:15
    #47 0x7fe8004a65d6 in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:390:5
    #48 0x7fe8004a65d6 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:425
    #49 0x7fe8004a4858 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:642:16
    #50 0x7fe8004ab2b0 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1164:11
    #51 0x7fe80318fe9e in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1167:7
    #52 0x7fe8063ec5c3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:7050:21
    #53 0x7fe8063e7de9 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6841:7
    #54 0x7fe8063f0bf7 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #55 0x7fe7fb2ab1d5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1309:3
    #56 0x7fe7fb2a9dbc in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:852:14
    #57 0x7fe7fb2a56f8 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:741:9
    #58 0x7fe7fb2a804e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:630:5
    #59 0x7fe7fb2a98e4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #60 0x7fe7f8c51d67 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:630:28
    #61 0x7fe7fcc35a07 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8517:18
    #62 0x7fe7fcc35a07 in nsDocument::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:8439
    #63 0x7fe7fcc0fab2 in nsIDocument::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5332:3
    #64 0x7fe7fcd6f9cb in applyImpl<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1191:12
    #65 0x7fe7fcd6f9cb in apply<nsIDocument, void (nsIDocument::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1197
    #66 0x7fe7fcd6f9cb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1242
    #67 0x7fe7f898e685 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #68 0x7fe7f89cbb81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #69 0x7fe7f89d492d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #70 0x7fe7f9c4562f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #71 0x7fe7f9b41aee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #72 0x7fe7f9b41aee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #73 0x7fe7f9b41aee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #74 0x7fe802909003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #75 0x7fe8071d8e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #76 0x7fe7f9b41aee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #77 0x7fe7f9b41aee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #78 0x7fe7f9b41aee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #79 0x7fe8071d7e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34
    #80 0x5563f4d65864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #81 0x5563f4d65864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #82 0x7fe81b9ccb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #83 0x5563f4c8aeec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)

0x62500026dd90 is located 7312 bytes inside of 8192-byte region [0x62500026c100,0x62500026e100)
allocated by thread T0 (file:// Content) here:
    #0 0x5563f4d32d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7fe7f8968e30 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7fe7f895e6a8 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228:25
    #3 0x7fe7f895e6a8 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7fe7f895e6a8 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7fe803308a7a in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7fe803308a7a in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:207
    #7 0x7fe803308a7a in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:34
    #8 0x7fe803308a7a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:31
    #9 0x7fe80311c013 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2712:5
    #10 0x7fe8030420e2 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1798:36
    #11 0x7fe7fcb4ff71 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1276:26
    #12 0x7fe7fb4ccd22 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:677:18
    #13 0x7fe7fb4c835b in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7fe7fb4c524a in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:493:17
    #15 0x7fe7fb4d15db in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:123:18
    #16 0x7fe7f898e685 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7fe7f89cbb81 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #18 0x7fe7f89d492d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #19 0x7fe7f9c4562f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7fe7f9b41aee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7fe7f9b41aee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7fe7f9b41aee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7fe802909003 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7fe8071d8e3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:954:22
    #25 0x7fe7f9b41aee in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7fe7f9b41aee in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7fe7f9b41aee in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7fe8071d7e9b in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:780:34

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7912:33 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags)
Shadow bytes around the buggy address:
  0x0c4a80045b60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80045b70: 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045b80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045b90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045ba0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a80045bb0: f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045bc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045bd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045be0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045bf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80045c00: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==11345==ABORTING
```
Flags: in-testsuite?
Updated•4 years ago
Component: Canvas: WebGL → Layout
Updated•4 years ago
Group: core-security → layout-core-security
Updated•4 years ago
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
tracking-firefox65:
--- → +
Updated•4 years ago
Keywords: csectype-framepoisoning, sec-low
Comment 1•4 years ago
Testcase has "-moz-column-span: all" so I'm guessing this is related to the other column-span bugs filed recently?
Component: Layout → Layout: Columns
Flags: needinfo?(aethanyc)
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Comment 2•4 years ago
We don't need to track this for 65 since it's sec-low and behind a pref.
Comment 3•4 years ago
I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt
[2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → WORKSFORME
Updated•3 years ago
Group: layout-core-security