Closed Bug 1566672 Opened 1 year ago Closed 1 year ago

use-after-poison in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]

Categories

(Core :: Layout: Columns, defect, P3)

defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- disabled
firefox68 --- disabled
firefox69 --- disabled
firefox70 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(3 files)

Attached file testcase.html

Reduced with m-c:
BuildID=20190716001037
SourceStamp=57e096cabc296b897baec44b65ece648b54463c0

==48874==ERROR: AddressSanitizer: use-after-poison on address 0x625000220380 at pc 0x7fcda126b269 bp 0x7ffd7d8c6b70 sp 0x7ffd7d8c6b68
READ of size 8 at 0x625000220380 thread T0 (file:// Content)
    #0 0x7fcda126b268 in GetParent src/layout/generic/nsIFrame.h:856:48
    #1 0x7fcda126b268 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:8381
    #2 0x7fcda12654c3 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) src/layout/base/nsCSSFrameConstructor.cpp:7569:9
    #3 0x7fcda1172fa4 in mozilla::PresShell::ContentRemoved(nsIContent*, nsIContent*) src/layout/base/PresShell.cpp:4421:22
    #4 0x7fcd9a9396c4 in nsNodeUtils::ContentRemoved(nsINode*, nsIContent*, nsIContent*) src/dom/base/nsNodeUtils.cpp:208:3
    #5 0x7fcd9a8e7f63 in nsINode::RemoveChildNode(nsIContent*, bool) src/dom/base/nsINode.cpp:1799:5
    #6 0x7fcd9a8ea312 in nsINode::ReplaceOrInsertBefore(bool, nsINode*, nsINode*, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:2133:18
    #7 0x7fcd9b50f9c6 in InsertBefore src/dom/base/nsINode.h:1700:12
    #8 0x7fcd9b50f9c6 in AppendChild src/dom/base/nsINode.h:1703
    #9 0x7fcd9b50f9c6 in mozilla::dom::Node_Binding::appendChild(JSContext*, JS::Handle<JSObject*>, nsINode*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/NodeBinding.cpp:1019
    #10 0x7fcd9d9ff072 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3181:13
    #11 0x7fcda5348c77 in CallJSNative src/js/src/vm/Interpreter.cpp:448:13
    #12 0x7fcda5348c77 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:540
    #13 0x7fcda5329646 in CallFromStack src/js/src/vm/Interpreter.cpp:599:10
    #14 0x7fcda5329646 in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3089
    #15 0x7fcda531305f in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:425:10
    #16 0x7fcda534977f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:568:13
    #17 0x7fcda534b9a2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:611:8
    #18 0x7fcda5fe0568 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2658:10
    #19 0x7fcd9d367b86 in mozilla::dom::BlobCallback::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Blob*, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/HTMLCanvasElementBinding.cpp:88:8
    #20 0x7fcd9dbc48a2 in Call src/obj-firefox/dist/include/mozilla/dom/HTMLCanvasElementBinding.h:180:12
    #21 0x7fcd9dbc48a2 in mozilla::dom::CanvasRenderingContextHelper::ToBlob(JSContext*, nsIGlobalObject*, mozilla::dom::BlobCallback&, nsTSubstring<char16_t> const&, JS::Handle<JS::Value>, bool, mozilla::ErrorResult&)::EncodeCallback::ReceiveBlob(already_AddRefed<mozilla::dom::Blob>) src/dom/canvas/CanvasRenderingContextHelper.cpp:42
    #22 0x7fcd9a5fcce7 in mozilla::dom::EncodingCompleteEvent::Run() src/dom/base/ImageEncoder.cpp:108:22
    #23 0x7fcd95f6a91c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #24 0x7fcd95f727a4 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #25 0x7fcd9739522f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #26 0x7fcd9725d6fe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #27 0x7fcd9725d6fe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #28 0x7fcd9725d6fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #29 0x7fcda09e5223 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #30 0x7fcda5069afe in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #31 0x7fcd9725d6fe in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #32 0x7fcd9725d6fe in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #33 0x7fcd9725d6fe in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #34 0x7fcda5068641 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #35 0x55e47d974113 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #36 0x55e47d974113 in main src/browser/app/nsBrowserApp.cpp:267
    #37 0x7fcdbb49a82f in __libc_start_main /build/glibc-LK5gWL/glibc-2.23/csu/../csu/libc-start.c:291
    #38 0x55e47d89564c in _start (/home/user/workspace/browsers/m-c-20190716001037-fuzzing-asan-opt/firefox+0x4564c)

0x625000220380 is located 6784 bytes inside of 8192-byte region [0x62500021e900,0x625000220900)
allocated by thread T0 (file:// Content) here:
    #0 0x55e47d941063 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
    #1 0x7fcda1350feb in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7fcda1350feb in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205
    #3 0x7fcda1350feb in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67
    #4 0x7fcda1350feb in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71
    #5 0x7fcda171ec8b in AllocateByObjectID src/obj-firefox/dist/include/mozilla/PresShell.h:279:32
    #6 0x7fcda171ec8b in operator new src/layout/generic/nsLineBox.cpp:158
    #7 0x7fcda171ec8b in NS_NewLineBox(mozilla::PresShell*, nsLineBox*, nsIFrame*, int) src/layout/generic/nsLineBox.cpp:86
    #8 0x7fcda146ff9c in NewLineBox src/layout/generic/nsBlockFrame.h:440:12
    #9 0x7fcda146ff9c in nsBlockFrame::SplitLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4544
    #10 0x7fcda146d39d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4413:7
    #11 0x7fcda146ad82 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4105:5
    #12 0x7fcda145f48d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3990:9
    #13 0x7fcda1455aeb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2995:5
    #14 0x7fcda1447704 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2536:7
    #15 0x7fcda143b304 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #16 0x7fcda14ae7c2 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:894:14
    #17 0x7fcda14b558e in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:766:7
    #18 0x7fcda14bd7b1 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:448:37
    #19 0x7fcda14bd7b1 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1229
    #20 0x7fcda14678b4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #21 0x7fcda14598a8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3628:11
    #22 0x7fcda1455b55 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2992:5
    #23 0x7fcda1447704 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2536:7
    #24 0x7fcda143b304 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #25 0x7fcda14678b4 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #26 0x7fcda14598a8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3628:11
Flags: in-testsuite?

NI myself to take a look at this.

Flags: needinfo?(aethanyc)

My test case exercises appending a block child into an empty inline container, which is under a multicol subtree. It's the operation that triggers the crash in the reporter's test case.

This should be a case to reframe, but our current code didn't do this because of this return false in the block that handles the reframing in a multicol subtree. The frame tree just went wrong after the operation.

Flags: needinfo?(aethanyc)
Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Priority: -- → P3

Delete return false at the end of the if-statement block that handles
the multicol subtree reframing, and let it fall through to the bottom of
WipeContainingBlock() where there is complete logic for ib-split
reframing.

Pushed by aethanyc@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/e6d7a21d588c
Handle the {ib}-split reframing in multicol subtree properly. r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/17953 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70
Flags: in-testsuite? → in-testsuite+
Duplicate of this bug: 1535061