Closed Bug 1524382 Opened 6 years ago Closed 5 years ago

use-after-poison in [@ nsFrameConstructorState::ProcessFrameInsertions]

Categories

(Core :: Layout: Columns, defect, P3)

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

Attached file testcase.html

Reduced with m-c:
BuildID=20190131093752
SourceStamp=9ee54a21a22ab5beab264bcabe3c8039a27a32e8

==3100==ERROR: AddressSanitizer: use-after-poison on address 0x625000645d10 at pc 0x7f34b0cc7261 bp 0x7ffc2ba60d10 sp 0x7ffc2ba60d08
READ of size 8 at 0x625000645d10 thread T0 (file:// Content)
    #0 0x7f34b0cc7260 in nsFrameConstructorState::ProcessFrameInsertions(nsAbsoluteItems&, mozilla::layout::FrameChildListID) src/layout/base/nsCSSFrameConstructor.cpp:1296:51
    #1 0x7f34b0cc5610 in nsFrameConstructorState::~nsFrameConstructorState() src/layout/base/nsCSSFrameConstructor.cpp:972:3
    #2 0x7f34b0d12dec in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:6903:1
    #3 0x7f34b0c78837 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1447:27
    #4 0x7f34b0c8b033 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3073:9
    #5 0x7f34b0c24c6b in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3145:3
    #6 0x7f34b0c24c6b in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4140
    #7 0x7f34ade04d20 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:587:5
    #8 0x7f34ade04d20 in FlushPendingEvents src/dom/events/EventStateManager.cpp:5354
    #9 0x7f34ade04d20 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:635
    #10 0x7f34b0c5ce14 in mozilla::PresShell::EventHandler::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7438:19
    #11 0x7f34b0c57256 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6972:32
    #12 0x7f34b0c51295 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6456:23
    #13 0x7f34b03a4b2f in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:763:14
    #14 0x7f34b03a4324 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1059:9
    #15 0x7f34b044d15d in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:379:37
    #16 0x7f34a95b29ca in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:528:21
    #17 0x7f34afa636e6 in DispatchWidgetEventViaAPZ src/dom/ipc/TabChild.cpp:1606:10
    #18 0x7f34afa636e6 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1545
    #19 0x7f34afa6490f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1518:3
    #20 0x7f34afa64c00 in RecvSynthMouseMoveEvent src/dom/ipc/TabChild.cpp:1483:8
    #21 0x7f34afa64c00 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp
    #22 0x7f34a8138403 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3670:20
    #23 0x7f34a7612310 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5565:28
    #24 0x7f34a72d2549 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2160:21
    #25 0x7f34a72cdeca in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2087:9
    #26 0x7f34a72d00d1 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1936:3
    #27 0x7f34a72d0f97 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1967:13
    #28 0x7f34a5fd1395 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #29 0x7f34a6011716 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #30 0x7f34a60194dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #31 0x7f34a72db95f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #32 0x7f34a71c84ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #33 0x7f34a71c84ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #34 0x7f34a71c84ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #35 0x7f34b049ec33 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #36 0x7f34b5055fae in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #37 0x7f34a71c84ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7f34a71c84ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7f34a71c84ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7f34b5055103 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34
    #41 0x561423515874 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #42 0x561423515874 in main src/browser/app/nsBrowserApp.cpp:265
    #43 0x7f34ca2ff82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #44 0x56142343aefc in _start (/home/ubuntu/firefox/firefox+0x2defc)

0x625000645d10 is located 3088 bytes inside of 8192-byte region [0x625000645100,0x625000647100)
allocated by thread T0 (file:// Content) here:
    #0 0x5614234e2da3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7f34a5fbc28a in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7f34a5fa9382 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7f34a5fa9382 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67
    #4 0x7f34a5fa9382 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71
    #5 0x7f34b0edb55a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7f34b0edb55a in AllocateFrame src/layout/base/nsIPresShell.h:223
    #7 0x7f34b0edb55a in operator new src/layout/generic/ViewportFrame.cpp:33
    #8 0x7f34b0edb55a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:30
    #9 0x7f34b0ce10c3 in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2523:7
    #10 0x7f34b0c0063e in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1749:36
    #11 0x7f34aa555ada in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1200:26
    #12 0x7f34a8ce814d in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:666:18
    #13 0x7f34a8ce22d6 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1115:17
    #14 0x7f34a8ce0bc7 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:483:19
    #15 0x7f34a8cedbcf in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:68:16
    #16 0x7f34a5fd1395 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #17 0x7f34a6011716 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #18 0x7f34a60194dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:474:10
    #19 0x7f34a72db95f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #20 0x7f34a71c84ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #21 0x7f34a71c84ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #22 0x7f34a71c84ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #23 0x7f34b049ec33 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #24 0x7f34b5055fae in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:908:20
    #25 0x7f34a71c84ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #26 0x7f34a71c84ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #27 0x7f34a71c84ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #28 0x7f34b5055103 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:746:34

Flags: in-testsuite?

This crash happens after bug 1504053. I'll take a look.

Assignee: nobody → aethanyc
Blocks: 1504053
Status: NEW → ASSIGNED

When we decide to reframe the multicol container, we destroy the frame list in [1]. However, the frame list contains placeholders whose out-of-flow frames are still in nsFrameConstructorState, not yet inserted into their parent's frame list. So nsPlaceholderFrame::DestroyFrom() cannot destroy them properly.

[1] https://searchfox.org/mozilla-central/rev/00c0d068ece99717bea7475f7dc07e61f7f35984/layout/base/nsCSSFrameConstructor.cpp#10916

This is the callstack on debug build.

Priority: -- → P3

aFrameList can contain placeholder frames. If we decide to nuke
aFrameList, we need to destroy the out-of-flow frames gracefully.

In this case, out-of-flow frames are still in nsFrameConstructorState's
absolute item lists. To rely on nsPlaceholderFrame::DestroyFrom() to
remove its out-of-flow frame properly, we manually flush all the frame
insertions for all the lists in aState before destroying aFrameList.
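A scaled-down model of the lifetime bug described in the analysis comment and of the fix in the patch description, added here as an illustration; it is not Gecko code, and Frame, State, DestroyFrame and Reframe are hypothetical stand-ins for nsIFrame, nsFrameConstructorState, nsPlaceholderFrame::DestroyFrom and the multicol reframe path. Freed slots are only marked poisoned, never reused, so the stale read that ASan flagged can be observed instead of being undefined behaviour.

```cpp
#include <vector>

// Hypothetical stand-in for an arena-allocated nsIFrame. A freed slot is only
// marked poisoned, mirroring how ASan reported use-after-poison on the arena.
struct Frame {
  bool poisoned = false;
  Frame* parent = nullptr;
  Frame* outOfFlow = nullptr;  // non-null for a placeholder frame
};

// Stand-in for nsFrameConstructorState: out-of-flow frames wait in
// absoluteItems until ProcessFrameInsertions() parents them (run at scope exit).
struct State {
  explicit State(Frame* container) : absoluteContainer(container) {}
  ~State() { ProcessFrameInsertions(); }
  // Returns how many pending pointers referred to already-poisoned frames.
  int ProcessFrameInsertions() {
    int staleReads = 0;
    for (Frame* f : absoluteItems) {
      if (f->poisoned) { ++staleReads; continue; }  // the stale read ASan flagged
      f->parent = absoluteContainer;  // frame is now owned by its container
    }
    absoluteItems.clear();
    return staleReads;
  }
  Frame* absoluteContainer;
  std::vector<Frame*> absoluteItems;
};

// Stand-in for nsPlaceholderFrame::DestroyFrom: unlinks and frees the out-of-flow
// frame. It cannot see the State's pending list, so a never-inserted
// out-of-flow frame leaves a dangling pointer behind there.
void DestroyFrame(Frame* f) {
  if (Frame* oof = f->outOfFlow) {
    oof->parent = nullptr;  // removal from the parent's child list
    oof->poisoned = true;   // arena slot freed and poisoned
  }
  f->poisoned = true;
}

// Reframing the multicol container destroys its frame list (here: one
// placeholder). flushFirst == false reproduces the report; true is the fix.
int Reframe(bool flushFirst) {
  Frame container, placeholder, oof;
  placeholder.outOfFlow = &oof;
  State state(&container);
  state.absoluteItems.push_back(&oof);  // constructed, not yet inserted
  if (flushFirst) state.ProcessFrameInsertions();  // the patch's extra flush
  DestroyFrame(&placeholder);
  return state.ProcessFrameInsertions();  // what ~State would do at scope exit
}
```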

Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/1634e9d35178
Flush all out-of-flow frames before destroying the frame list when reframing multicol container. r=dbaron
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67