Closed Bug 1516606 Opened 1 year ago Closed 1 year ago

AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1961:46 in GetStateBits

Categories

(Core :: Layout: Columns, defect, P3, critical)


Tracking


RESOLVED DUPLICATE of bug 1520722
Tracking Status
firefox66 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(2 files)

Testcase found while fuzzing mozilla-central rev e16b548dc14c.

==10852==ERROR: AddressSanitizer: use-after-poison on address 0x625000957d20 at pc 0x7f26ca7add4c bp 0x7ffdae93a8b0 sp 0x7ffdae93a8a8
READ of size 8 at 0x625000957d20 thread T0 (file:// Content)
    #0 0x7f26ca7add4b in GetStateBits /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1961:46
    #1 0x7f26ca7add4b in nsBlockFrame::UpdateFirstLetterStyle(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:5434
    #2 0x7f26ca7c7638 in nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7195:5
    #3 0x7f26ca8cf6dd in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10107:12
    #4 0x7f26ca8d342d in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10475:7
    #5 0x7f26ca8cf680 in UpdateStyleOfOwnedAnonBoxes /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3334:7
    #6 0x7f26ca8cf680 in nsIFrame::UpdateStyleOfChildAnonBox(nsIFrame*, mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10097
    #7 0x7f26ca8d342d in nsIFrame::DoUpdateStyleOfOwnedAnonBoxes(mozilla::ServoRestyleState&) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:10475:7
    #8 0x7f26ca4ecf98 in UpdateStyleOfOwnedAnonBoxes /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:3334:7
    #9 0x7f26ca4ecf98 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2783
    #10 0x7f26ca4f096f in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:2957:28
    #11 0x7f26ca49033a in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3046:3
    #12 0x7f26ca49033a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4101
    #13 0x7f26ca3fc3be in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:575:5
    #14 0x7f26ca3fc3be in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1776
    #15 0x7f26ca410289 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:327:13
    #16 0x7f26ca410289 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:304
    #17 0x7f26ca40fc57 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:321:5
    #18 0x7f26ca4130cf in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:726:5
    #19 0x7f26ca4130cf in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:646
    #20 0x7f26ca41297b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:546:9
    #21 0x7f26caf2f9d5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
    #22 0x7f26c179c0ab in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #23 0x7f26c139ee7a in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2788:28
    #24 0x7f26c0c11579 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2159:21
    #25 0x7f26c0c0cefa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2086:9
    #26 0x7f26c0c0f101 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1935:3
    #27 0x7f26c0c0ffc7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1966:13
    #28 0x7f26bf9899f8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #29 0x7f26bf9927ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #30 0x7f26c920bde4 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1095:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:335:25
    #31 0x7f26c920bde4 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1095
    #32 0x7f26c9301d25 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:909:14
    #33 0x7f26ce70eefd in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:752:24
    #34 0x7f26ce7119d3 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:364:10
    #35 0x7f26ce7119d3 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #36 0x7f26c39c81dd in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:6686:21
    #37 0x7f26c39c6d36 in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5258:10
    #38 0x7f26c39c6d36 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5234
    #39 0x7f26c5fba6bc in mozilla::dom::Window_Binding::open(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:2685:56
    #40 0x7f26c6f5a551 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3062:13
    #41 0x7f26ceaa302d in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:443:13
    #42 0x7f26ceaa302d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #43 0x7f26cea8e052 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:594:10
    #44 0x7f26cea8e052 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3320
    #45 0x7f26cea6f446 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:423:10
    #46 0x7f26ceaa88e5 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value const&, js::AbstractFramePtr, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:782:13
    #47 0x7f26ceaa90c6 in js::Execute(JSContext*, JS::Handle<JSScript*>, JSObject&, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:815:10
    #48 0x7f26ced0bd9c in ExecuteScript(JSContext*, JS::AutoVector<JSObject*>&, JS::Handle<JSScript*>, JS::Value*) /builds/worker/workspace/build/src/js/src/vm/CompilationAndEvaluation.cpp:489:10
    #49 0x7f26c3eebdcd in nsJSUtils::ExecutionContext::CompileAndExec(JS::CompileOptions&, JS::SourceText<char16_t>&, JS::MutableHandle<JSScript*>) /builds/worker/workspace/build/src/dom/base/nsJSUtils.cpp:244:8
    #50 0x7f26c98da019 in mozilla::dom::ScriptLoader::EvaluateScript(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:2347:29
    #51 0x7f26c98d2743 in mozilla::dom::ScriptLoader::ProcessRequest(mozilla::dom::ScriptLoadRequest*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1980:10
    #52 0x7f26c98cdd84 in mozilla::dom::ScriptLoader::ProcessInlineScript(nsIScriptElement*, mozilla::dom::ScriptKind) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1563:10
    #53 0x7f26c98a4b47 in mozilla::dom::ScriptLoader::ProcessScriptElement(nsIScriptElement*) /builds/worker/workspace/build/src/dom/script/ScriptLoader.cpp:1286:10
    #54 0x7f26c98a37dc in mozilla::dom::ScriptElement::MaybeProcessScript() /builds/worker/workspace/build/src/dom/script/ScriptElement.cpp:117:18
    #55 0x7f26c25d170b in AttemptToExecute /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIScriptElement.h:224:18
    #56 0x7f26c25d170b in nsHtml5TreeOpExecutor::RunScript(nsIContent*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:705
    #57 0x7f26c25cbca7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:508:7
    #58 0x7f26c25d737b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:118:18
    #59 0x7f26bf94c5b5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:299:32
    #60 0x7f26bf9899f8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #61 0x7f26bf9927ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #62 0x7f26c0c1a9bf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #63 0x7f26c0b0cf2e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #64 0x7f26c0b0cf2e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #65 0x7f26c0b0cf2e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #66 0x7f26c9d219a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #67 0x7f26ce7c337e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #68 0x7f26c0b0cf2e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:314:10
    #69 0x7f26c0b0cf2e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:307
    #70 0x7f26c0b0cf2e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:289
    #71 0x7f26ce7c23ce in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #72 0x56093e755864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #73 0x56093e755864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:265
    #74 0x7f26e3381b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #75 0x56093e67aeec in _start (/home/forb1dden/builds/mc-asan/firefox+0x2deec)

0x625000957d20 is located 7200 bytes inside of 8192-byte region [0x625000956100,0x625000958100)
allocated by thread T0 (file:// Content) here:
    #0 0x56093e722d93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f26bf926da0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7f26bf91c658 in InternalAllocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7f26bf91c658 in Allocate /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67
    #4 0x7f26bf91c658 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71
    #5 0x7f26ca73b2aa in AllocateByFrameID /builds/worker/workspace/build/src/layout/base/nsPresArena.h:39:12
    #6 0x7f26ca73b2aa in AllocateFrame /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:209
    #7 0x7f26ca73b2aa in operator new /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:33
    #8 0x7f26ca73b2aa in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:30
    #9 0x7f26ca546333 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:2530:7
    #10 0x7f26ca46bbe2 in mozilla::PresShell::Initialize() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1750:36
    #11 0x7f26c3cef2b1 in nsContentSink::StartLayout(bool) /builds/worker/workspace/build/src/dom/base/nsContentSink.cpp:1209:26
    #12 0x7f26c25d2a22 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:644:18
    #13 0x7f26c25ceb87 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOperation.cpp:1109:17
    #14 0x7f26c25cbaf7 in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:461:19
    #15 0x7f26c25d737b in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:118:18
    #16 0x7f26bf94c5b5 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:299:32
    #17 0x7f26bf9899f8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1157:14
    #18 0x7f26bf9927ad in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:468:10
    #19 0x7f26c920bde4 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1095:24)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:335:25
    #20 0x7f26c920bde4 in mozilla::dom::ContentChild::ProvideWindowCommon(mozilla::dom::TabChild*, mozIDOMWindowProxy*, bool, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/ContentChild.cpp:1095
    #21 0x7f26c9301d25 in mozilla::dom::TabChild::ProvideWindow(mozIDOMWindowProxy*, unsigned int, bool, bool, bool, nsIURI*, nsTSubstring<char16_t> const&, nsTSubstring<char> const&, bool, nsDocShellLoadState*, bool*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:909:14
    #22 0x7f26ce70eefd in nsWindowWatcher::OpenWindowInternal(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsIArray*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:752:24
    #23 0x7f26ce7119d3 in OpenWindow2 /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp:364:10
    #24 0x7f26ce7119d3 in non-virtual thunk to nsWindowWatcher::OpenWindow2(mozIDOMWindowProxy*, char const*, char const*, char const*, bool, bool, bool, nsISupports*, bool, bool, nsDocShellLoadState*, mozIDOMWindowProxy**) /builds/worker/workspace/build/src/toolkit/components/windowwatcher/nsWindowWatcher.cpp
    #25 0x7f26c39c81dd in nsGlobalWindowOuter::OpenInternal(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, bool, bool, bool, bool, bool, nsIArray*, nsISupports*, nsDocShellLoadState*, bool, nsPIDOMWindowOuter**) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:6686:21
    #26 0x7f26c39c6d36 in OpenJS /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5258:10
    #27 0x7f26c39c6d36 in nsGlobalWindowOuter::OpenOuter(nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, nsTSubstring<char16_t> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5234

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1961:46 in GetStateBits
Shadow bytes around the buggy address:
  0x0c4a80122f50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122f60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122f70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122f80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122f90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a80122fa0: f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122fb0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122fc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122fd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122fe0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80122ff0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==10852==ABORTING
Flags: in-testsuite?
Attached file index.html
Attached file test_0051.html
In order to reproduce this issue, both index.html and test_0051.html must live in the same directory. Then use Firefox to request the index.html file.
Group: core-security → layout-core-security
Priority: -- → P1
Unhiding because it looks like frame poisoning.
Group: layout-core-security
column-span: all
Component: Layout: Block and Inline → Layout: Columns
Priority: P1 → P3
Flags: needinfo?(aethanyc)

I can reproduce the crash by opening test_0051.html directly on debug Firefox. The test no longer crashes with the patch in bug 1520722, but there's still one warning.

###!!! ASSERTION: NS_BLOCK_HAS_FIRST_LETTER_STYLE state out of sync: 'haveFirstLetterStyle == ((mState & NS_BLOCK_HAS_FIRST_LETTER_STYLE) != 0)', file /home/tlin/Projects/gecko/layout/generic/nsBlockFrame.cpp, line 6768

We need to revisit this bug later.

:TYLin, since this issue is no longer reproducible can this bug be closed and a new bug opened for the above assertion?

See Also: → 1527725

(In reply to Tyson Smith [:tsmith] from comment #6)

:TYLin, since this issue is no longer reproducible can this bug be closed and a new bug opened for the above assertion?

OK. Filed bug 1527725.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(aethanyc)
Resolution: --- → DUPLICATE
Duplicate of bug: 1520722