Closed Bug 1539017 Opened 2 years ago Closed 2 years ago

use-after-poison in [@ nsIFrame::GetDepthInFrameTree]

Categories

(Core :: Layout: Columns, defect, P3)

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: tsmith, Assigned: mats)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(2 files)

Attached file testcase.html

Found with m-c 20190325-3d5cd10cb1b2

==17465==ERROR: AddressSanitizer: use-after-poison on address 0x625000834150 at pc 0x7f8e0c0082bf bp 0x7fffaf14c940 sp 0x7fffaf14c938
READ of size 8 at 0x625000834150 thread T0
    #0 0x7f8e0c0082be in nsIFrame::GetDepthInFrameTree() const src/layout/generic/nsFrame.cpp
    #1 0x7f8e0bdd2a27 in mozilla::OverflowChangedTracker::RemoveFrame(nsIFrame*) src/obj-firefox/dist/include/mozilla/OverflowChangedTracker.h:80:30
    #2 0x7f8e0bc73202 in NotifyDestroyingFrame src/obj-firefox/dist/include/mozilla/RestyleManager.h:222:29
    #3 0x7f8e0bc73202 in nsCSSFrameConstructor::NotifyDestroyingFrame(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:1571
    #4 0x7f8e0bbb275b in nsIPresShell::NotifyDestroyingFrame(nsIFrame*) src/layout/base/PresShell.cpp:2090:24
    #5 0x7f8e0bf87037 in nsFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrame.cpp:818:10
    #6 0x7f8e0bedee47 in nsBulletFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBulletFrame.cpp:88:12
    #7 0x7f8e0be83d6c in SafelyDestroyFrameListProp src/layout/generic/nsContainerFrame.cpp:192:14
    #8 0x7f8e0be83d6c in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:350
    #9 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #10 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #11 0x7f8e0c14fe6d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
    #12 0x7f8e0be8376a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:326:3
    #13 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #14 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #15 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #16 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #17 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #18 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #19 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #20 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #21 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #22 0x7f8e0be84622 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
    #23 0x7f8e0c14fe6d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
    #24 0x7f8e0be8376a in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:326:3
    #25 0x7f8e0c018689 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
    #26 0x7f8e0be836f8 in DestroyFrames src/layout/generic/nsAbsoluteContainingBlock.cpp:349:19
    #27 0x7f8e0be836f8 in DestroyAbsoluteFrames src/layout/generic/nsContainerFrame.cpp:177
    #28 0x7f8e0be836f8 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:322
    #29 0x7f8e0becb322 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:5729:20
    #30 0x7f8e0bec5b84 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:520:5
    #31 0x7f8e0bec5b84 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) src/layout/generic/nsBlockFrame.cpp:5107
    #32 0x7f8e0bcc0e95 in RemoveFrame src/layout/base/nsFrameManager.cpp:116:18
    #33 0x7f8e0bcc0e95 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7720
    #34 0x7f8e0bca5e0d in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:8755:7
    #35 0x7f8e0bcbd0f2 in nsCSSFrameConstructor::WipeContainingBlock(nsFrameConstructorState&, nsIFrame*, nsIFrame*, nsCSSFrameConstructor::FrameConstructionItemList&, bool, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp
    #36 0x7f8e0bcb0b69 in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7323:7
    #37 0x7f8e0bc24155 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1574:25
    #38 0x7f8e0bc35253 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3101:9
    #39 0x7f8e0bbc9a09 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3173:3
    #40 0x7f8e0bbc9a09 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4122
    #41 0x7f8e05175d23 in FlushPendingNotifications src/layout/base/nsIPresShell.h:580:5
    #42 0x7f8e05175d23 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/Document.cpp:7103
    #43 0x7f8e051cfaff in FlushPendingNotifications src/dom/base/Document.cpp:7034:3
    #44 0x7f8e051cfaff in GetPrimaryFrame src/dom/base/Element.cpp:227
    #45 0x7f8e051cfaff in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) src/dom/base/Element.cpp:668
    #46 0x7f8e051d262d in mozilla::dom::Element::ScrollLeft() src/dom/base/Element.cpp:895:28
    #47 0x7f8e07cf3351 in mozilla::dom::Element_Binding::get_scrollLeft(JSContext*, JS::Handle<JSObject*>, mozilla::dom::Element*, JSJitGetterCallArgs) src/obj-firefox/dom/bindings/ElementBinding.cpp:3020:24
    #48 0x7f8e0859eaf0 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3040:13
    #49 0x7f8e0fd22307 in CallJSNative src/js/src/vm/Interpreter.cpp:442:13
    #50 0x7f8e0fd22307 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:534
    #51 0x7f8e0fd26bc0 in InternalCall src/js/src/vm/Interpreter.cpp:589:10
    #52 0x7f8e0fd26bc0 in Call src/js/src/vm/Interpreter.cpp:605
    #53 0x7f8e0fd26bc0 in js::CallGetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:729
    #54 0x7f8e1035622a in CallGetter src/js/src/vm/NativeObject.cpp:2215:12
    #55 0x7f8e1035622a in GetExistingProperty<js::CanGC> src/js/src/vm/NativeObject.cpp:2267
    #56 0x7f8e1035622a in NativeGetPropertyInline<js::CanGC> src/js/src/vm/NativeObject.cpp:2516
    #57 0x7f8e1035622a in js::NativeGetProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/vm/NativeObject.cpp:2553
    #58 0x7f8e0fd2f2a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:117:10
    #59 0x7f8e0fd2f2a7 in GetProperty src/js/src/vm/ObjectOperations-inl.h:124
    #60 0x7f8e0fd2f2a7 in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4485
    #61 0x7f8e0fd0ae16 in GetPropertyOperation src/js/src/vm/Interpreter.cpp:215:10
    #62 0x7f8e0fd0ae16 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:2762
    #63 0x7f8e0fcec748 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:422:10
    #64 0x7f8e0fd22c76 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:562:13
    #65 0x7f8e0fd248c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:605:8
    #66 0x7f8e10909ed9 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2621:10
    #67 0x7f8e07baa919 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:266:37
    #68 0x7f8e08e6ef92 in Call<nsCOMPtr<mozilla::dom::EventTarget> > src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
    #69 0x7f8e08e6ef92 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) src/dom/events/JSEventHandler.cpp:205
    #70 0x7f8e08e2129a in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1044:22
    #71 0x7f8e08e23873 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
    #72 0x7f8e08e03930 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:355:5
    #73 0x7f8e08e03930 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:351
    #74 0x7f8e08e01b58 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:553:16
    #75 0x7f8e08e087a3 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1048:11
    #76 0x7f8e0bcf9238 in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1102:7
    #77 0x7f8e0ebb9a7c in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6596:21
    #78 0x7f8e0ebb8ba8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6397:7
    #79 0x7f8e0ebbe717 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #80 0x7f8e038d9b55 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1312:3
    #81 0x7f8e038d873c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:871:14
    #82 0x7f8e038d2d71 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:709:9
    #83 0x7f8e038d2d89 in ChildDoneWithOnload src/uriloader/base/nsDocLoader.h:203:5
    #84 0x7f8e038d2d89 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:712
    #85 0x7f8e038d6990 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:597:5
    #86 0x7f8e038d8264 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #87 0x7f8e0109e5a7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:568:22
    #88 0x7f8e0515365a in DoUnblockOnload src/dom/base/Document.cpp:7743:18
    #89 0x7f8e0515365a in mozilla::dom::Document::UnblockOnload(bool) src/dom/base/Document.cpp:7675
    #90 0x7f8e051520bf in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:4816:3
    #91 0x7f8e05256bdb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
    #92 0x7f8e05256bdb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1128
    #93 0x7f8e05256bdb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1174
    #94 0x7f8e00e03511 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
    #95 0x7f8e00e0b91d in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:482:10
    #96 0x7f8e020d804f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #97 0x7f8e01faddbe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #98 0x7f8e01faddbe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #99 0x7f8e01faddbe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #100 0x7f8e0b452563 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #101 0x7f8e0f73b120 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:271:30
    #102 0x7f8e0fa38b0a in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:4589:22
    #103 0x7f8e0fa3b538 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4727:8
    #104 0x7f8e0fa3cdc9 in XRE_main(int, char**, mozilla::BootstrapConfig const&) src/toolkit/xre/nsAppRunner.cpp:4811:21
    #105 0x55672f3d464c in do_main src/browser/app/nsBrowserApp.cpp:212:22
    #106 0x55672f3d464c in main src/browser/app/nsBrowserApp.cpp:291
Flags: in-testsuite?
Priority: -- → P3

This is a regression from the recent bullet changes, and no column-span is involved.

Blocks: 205202
No longer blocks: fuzzing-column-span
Flags: needinfo?(mats)

Fwiw, it doesn't crash unless you enable the column-span pref though.

Assignee: nobody → mats
Flags: needinfo?(mats)

I guess we could do a StyleSet::ReparentComputedStyle too, but I don't
think it should be necessary in this case given that it's a wrapper
frame for the same content. WDYT?

https://treeherder.mozilla.org/#/jobs?repo=try&revision=59185afe090fc67a232f423485413320e82aa38b
It appears "TV" on android-em-4-3-armv7-api16-pgo times out
after running the added crashtest, but that's tier-2 and I'll
assume it's just noise.

I commented on the Phab revision, but just in case phabricator goes away at some point:

(In reply to Mats Palmgren (:mats) from comment #4)
> I guess we could do a StyleSet::ReparentComputedStyle too, but I don't
> think it should be necessary in this case given that it's a wrapper
> frame for the same content. WDYT?

There's no need for style reparenting. The style of the marker doesn't depend on the box it's placed in.

Thanks for fixing this Mats :)

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f0c1c9808c58
Update the parent for the outside ::marker frame in case we moved it to a ColumnSetWrapperFrame ancestor.  r=emilio
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+
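The fix pushed above updates the parent pointer of the outside ::marker frame once it has been moved up into the ColumnSetWrapperFrame ancestor. The following is an added C++ illustration with a toy frame tree, not Gecko code; the names Frame, MoveIntoWrapper, ParentPointersConsistent and HoistMarker are assumed. It shows that a child-list move which leaves the parent pointer stale makes a parent-chain walk (the kind GetDepthInFrameTree does in the stack above) still pass through the old block, the very frame that is later destroyed, and that a parent-pointer consistency check detects the broken tree before that walk can touch freed memory.

```cpp
#include <algorithm>
#include <vector>

// Toy frame: knows its parent and lists its children (non-owning).
struct Frame {
  Frame* parent;
  std::vector<Frame*> children;
  explicit Frame(Frame* p) : parent(p) {
    if (p) p->children.push_back(this);
  }
};

// Counts ancestors by following parent pointers only, which is the
// walk that dereferenced a poisoned frame in the ASan report.
int Depth(const Frame* f) {
  int d = 0;
  for (const Frame* p = f->parent; p; p = p->parent) ++d;
  return d;
}

// Moves `child` into the ancestor `wrapper`. With fixParent=false the
// child lists change but child->parent still names the old parent.
void MoveIntoWrapper(Frame* child, Frame* wrapper, bool fixParent) {
  auto& sibs = child->parent->children;
  sibs.erase(std::find(sibs.begin(), sibs.end(), child));
  wrapper->children.push_back(child);
  if (fixParent) child->parent = wrapper;  // the step the fix adds
}

// Debug invariant: every child's parent pointer names the node listing it.
bool ParentPointersConsistent(const Frame* node) {
  for (const Frame* c : node->children)
    if (c->parent != node || !ParentPointersConsistent(c)) return false;
  return true;
}

struct HoistResult { int depth; bool consistent; };

// Builds root -> wrapper -> block -> marker, then hoists the marker into
// the wrapper. A stale parent yields depth 3 (via block) instead of 2,
// and once `block` is destroyed that walk would read freed memory.
HoistResult HoistMarker(bool fixParent) {
  Frame root(nullptr), wrapper(&root), block(&wrapper), marker(&block);
  MoveIntoWrapper(&marker, &wrapper, fixParent);
  return {Depth(&marker), ParentPointersConsistent(&root)};
}
```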
Duplicate of this bug: 1539303