Closed Bug 1556289 Opened 5 years ago Closed 5 years ago

use-after-poison in [@ RemoveFirstLine]

Categories

(Core :: Layout: Columns, defect, P5)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox69 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(2 files)

Attached file testcase.html

Found with m-c 20190601-c143aa387e91

Currently I am only able to reproduce this consistently on Linux with Xvfb using a screen res of 1280x1024... no idea why.

This testcase requires layout.css.column-span.enabled=true

==115987==ERROR: AddressSanitizer: use-after-poison on address 0x6250018fb8e8 at pc 0x7f946af18504 bp 0x7fff68e780f0 sp 0x7fff68e780e8
READ of size 8 at 0x6250018fb8e8 thread T0 (file:// Content)
    #0 0x7f946af18503 in RemoveFirstLine /src/layout/generic/nsBlockFrame.cpp:673:25
    #1 0x7f946af18503 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2828
    #2 0x7f946af077c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1334:3
    #3 0x7f946af7a512 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:893:14
    #4 0x7f946af8158f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /src/layout/generic/nsColumnSetFrame.cpp:762:7
    #5 0x7f946af883c5 in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:452:37
    #6 0x7f946af883c5 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1109
    #7 0x7f946af89818 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1208:5
    #8 0x7f946af33cd4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #9 0x7f946af25f38 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3660:11
    #10 0x7f946af22425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3052:5
    #11 0x7f946af13c6d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2594:7
    #12 0x7f946af077c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1334:3
    #13 0x7f946af33cd4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #14 0x7f946af25f38 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3660:11
    #15 0x7f946af22425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3052:5
    #16 0x7f946af13c6d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2594:7
    #17 0x7f946af077c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1334:3
    #18 0x7f946af7a512 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:893:14
    #19 0x7f946af8158f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /src/layout/generic/nsColumnSetFrame.cpp:762:7
    #20 0x7f946af89675 in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:452:37
    #21 0x7f946af89675 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1201
    #22 0x7f946af33cd4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #23 0x7f946af25f38 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3660:11
    #24 0x7f946af22425 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3052:5
    #25 0x7f946af13c6d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2594:7
    #26 0x7f946af077c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1334:3
    #27 0x7f946af7a512 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:893:14
    #28 0x7f946af783c7 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsCanvasFrame.cpp:730:5
    #29 0x7f946af7a512 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:893:14
    #30 0x7f946b0ce2d9 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /src/layout/generic/nsGfxScrollFrame.cpp:562:3
    #31 0x7f946b0cfc47 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /src/layout/generic/nsGfxScrollFrame.cpp:675:3
    #32 0x7f946b0d7fa4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsGfxScrollFrame.cpp:1077:3
    #33 0x7f946aeedfd3 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:932:14
    #34 0x7f946aeecb98 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/ViewportFrame.cpp:307:7
    #35 0x7f946ac22c4f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /src/layout/base/PresShell.cpp:9292:11
    #36 0x7f946ac43b40 in mozilla::PresShell::ProcessReflowCommands(bool) /src/layout/base/PresShell.cpp:9462:24
    #37 0x7f946ac40c50 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4231:11
    #38 0x7f9463fdf240 in FlushPendingNotifications /src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
    #39 0x7f9463fdf240 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /src/dom/base/Document.cpp:9357
    #40 0x7f946403cf1a in FlushPendingNotifications /src/dom/base/Document.cpp:9287:3
    #41 0x7f946403cf1a in GetPrimaryFrame /src/dom/base/Element.cpp:230
    ...
Flags: in-testsuite?
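As an added example (not part of this bug or of Mozilla's tooling), here is a small Python triage parser that turns an ASan report like the one above into the "<error kind> in [@ <top frame>]" summary this bug is titled with; the log it runs on is a constructed excerpt of the trace quoted above. A use-after-poison in a Gecko ASan build is a touch of memory that the layout frame arena explicitly poisons when a frame is freed, so the top frame is where the stale frame was read, which is why it drives the signature.

```python
import re
from dataclasses import dataclass, field

# Constructed excerpt of the ASan report quoted above (header plus three frames).
SAMPLE_LOG = """\
==115987==ERROR: AddressSanitizer: use-after-poison on address 0x6250018fb8e8 at pc 0x7f946af18504 bp 0x7fff68e780f0 sp 0x7fff68e780e8
READ of size 8 at 0x6250018fb8e8 thread T0 (file:// Content)
    #0 0x7f946af18503 in RemoveFirstLine /src/layout/generic/nsBlockFrame.cpp:673:25
    #1 0x7f946af18503 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2828
    #2 0x7f946af077c4 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1334:3
"""

HEADER_RE = re.compile(r"^==\d+==ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS_RE = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
FRAME_RE = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+\s+in\s+(.*)$")

@dataclass
class Frame:
    function: str  # symbol without its argument list, as used in crash signatures
    path: str
    line: int      # 0 when the frame carries no source location

@dataclass
class AsanReport:
    kind: str      # e.g. "use-after-poison" or "heap-use-after-free"
    address: str
    access: str = ""   # READ or WRITE
    size: int = 0
    frames: list = field(default_factory=list)

def parse_asan_report(text: str) -> "AsanReport | None":
    report = None
    for raw in text.splitlines():
        if report is None:
            if (m := HEADER_RE.match(raw)):
                report = AsanReport(m[1], m[2])
        elif (m := ACCESS_RE.match(raw)):
            report.access, report.size = m[1], int(m[2])
        elif (m := FRAME_RE.match(raw)):
            # Symbols may contain spaces in their argument list, so the location
            # ("path:line[:col]") is the last whitespace-separated token.
            symbol, _, location = m[1].rpartition(" ")
            parts = location.split(":")
            line = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
            report.frames.append(Frame(symbol.split("(")[0], parts[0], line))
    return report

def crash_signature(report: AsanReport) -> str:
    top = report.frames[0].function if report.frames else "unknown"
    return f"{report.kind} in [@ {top}]"
```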
Attached file full_log.txt

I had no luck reproducing this by setting my Linux desktop to 1280x1024, or by resizing the browser window. Setting P5 for now.

Priority: -- → P5

(In reply to Ting-Yu Lin [:TYLin] (UTC-7) from comment #2)
> I had no luck reproducing this by setting my Linux desktop to 1280x1024, or by resizing the browser window. Setting P5 for now.

I had the same issue. The only way I could repro was with Xvfb (maybe bit depth was also a factor?).

To repro consistently you can use ffpuppet [1], which is what we use in our fuzzing automation:
python -m ffpuppet -d -u testcase.html -p prefs.js --xvfb <firefox-bin>

[1] https://github.com/MozillaSecurity/ffpuppet

I tried to use ffpuppet with both the latest linux64-asan-opt [1] and linux64-asan-debug [2] (2019-08-27) builds with the prefs.js in fuzzdata's master branch [3]. Sadly, Firefox won't start up with --xvfb, but both builds without --xvfb open the test case normally without any issue.

I don't see any particular CSS properties in the testcase that might be affected by Xvfb and a screen resolution of 1280x1024. Given that it was reproduced with such unusual prerequisites, and that the testcase loads normally in the latest nightly, I decided to mark this as works for me. If this still happens, please file a new bug. Thanks.

[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-asan-opt
[2] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-asan-debug
[3] https://github.com/MozillaSecurity/fuzzdata/commit/78068375dcd7aeea0a39dfcbbd027a5c5180f5b0

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WORKSFORME