Closed Bug 1571460 Opened 1 year ago Closed 1 year ago

AddressSanitizer: global-buffer-overflow [@ Equals] with READ of size 8

Categories

(Core :: CSS Parsing and Computation, defect, P2)

defect

Tracking

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files, 1 obsolete file)

Testcase found while fuzzing mozilla-central rev d681969e4480.

I'm currently in the process of reducing the testcase and will update once complete.

==66745==ERROR: AddressSanitizer: global-buffer-overflow on address 0x7fedea9460e8 at pc 0x7feddf266fe9 bp 0x7ffc2d059550 sp 0x7ffc2d059548
READ of size 8 at 0x7fedea9460e8 thread T0
    #0 0x7feddf266fe8 in Equals /src/layout/base/FrameProperties.h:361:16
    #1 0x7feddf266fe8 in Equals<const mozilla::FrameProperties::PropertyValue, const mozilla::FramePropertyDescriptorUntyped *const> /src/obj-firefox/dist/include/nsTArray.h:819
    #2 0x7feddf266fe8 in ApplyIf<const mozilla::FramePropertyDescriptorUntyped *, mozilla::FrameProperties::PropertyComparator, (lambda at /builds/worker/workspace/build/src/layout/base/FrameProperties.h:374:7), (lambda at /builds/worker/workspace/build/src/layout/base/FrameProperties.h:380:7)> /src/obj-firefox/dist/include/nsTArray.h:1939
    #3 0x7feddf266fe8 in GetInternal /src/layout/base/FrameProperties.h:372
    #4 0x7feddf266fe8 in Get<nsPlaceholderFrame> /src/layout/base/FrameProperties.h:213
    #5 0x7feddf266fe8 in GetProperty<nsPlaceholderFrame> /src/obj-firefox/dist/include/nsIFrame.h:3597
    #6 0x7feddf266fe8 in GetInFlowParent /src/layout/generic/nsIFrameInlines.h:157
    #7 0x7feddf266fe8 in mozilla::css::ImageLoader::RequestReflowOnFrame(mozilla::css::ImageLoader::FrameWithFlags*, imgIRequest*) /src/layout/style/ImageLoader.cpp:605
    #8 0x7feddf266375 in mozilla::css::ImageLoader::AssociateRequestToFrame(imgIRequest*, nsIFrame*, unsigned int) /src/layout/style/ImageLoader.cpp:155:11
    #9 0x7feddf6de48b in nsFrame::DidSetComputedStyle(mozilla::ComputedStyle*) /src/layout/generic/nsFrame.cpp:1300:20
    #10 0x7feddf6d8341 in nsFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /src/layout/generic/nsFrame.cpp:751:3
    #11 0x7feddf8c3a81 in nsSplittableFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /src/layout/generic/nsSplittableFrame.cpp:20:12
    #12 0x7feddf655a75 in Init /src/layout/generic/nsContainerFrame.cpp:54:22
    #13 0x7feddf655a75 in nsBlockFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /src/layout/generic/nsBlockFrame.cpp:7032
    #14 0x7feddf5c180d in mozilla::ColumnSetWrapperFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /src/layout/generic/ColumnSetWrapperFrame.cpp:43:17
    #15 0x7feddf4b7d10 in nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsContainerFrame*, bool) /src/layout/base/nsCSSFrameConstructor.cpp
    #16 0x7feddf643575 in nsBlockFrame::SplitFloat(mozilla::BlockReflowInput&, nsIFrame*, nsReflowStatus const&) /src/layout/generic/nsBlockFrame.cpp:4488:24
    #17 0x7feddf5bd7fd in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /src/layout/generic/BlockReflowInput.cpp:1025:13
    #18 0x7feddf5ba585 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /src/layout/generic/BlockReflowInput.cpp:602:14
    #19 0x7feddf84a50b in AddFloat /src/layout/generic/nsLineLayout.h:156:22
    #20 0x7feddf84a50b in TryToPlaceFloat /src/layout/generic/nsLineLayout.cpp:1472
    #21 0x7feddf84a50b in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /src/layout/generic/nsLineLayout.cpp:921
    #22 0x7feddf640373 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /src/layout/generic/nsBlockFrame.cpp:4331:15
    #23 0x7feddf63ec69 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /src/layout/generic/nsBlockFrame.cpp:4133:5
    #24 0x7feddf6367ca in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:4018:9
    #25 0x7feddf62e4e1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3005:5
    #26 0x7feddf6236f3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2545:7
    #27 0x7feddf61ab8a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
    #28 0x7feddf6735a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:895:14
    #29 0x7feddf677a28 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /src/layout/generic/nsColumnSetFrame.cpp:765:7
    #30 0x7feddf67e514 in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:448:37
    #31 0x7feddf67e514 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1262
    #32 0x7feddf63c38a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #33 0x7feddf631572 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3649:11
    #34 0x7feddf62e63b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3002:5
    #35 0x7feddf6236f3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2545:7
    #36 0x7feddf61ab8a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
    #37 0x7feddf63c38a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #38 0x7feddf64e01b in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:6436:9
    #39 0x7feddf5bc30f in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /src/layout/generic/BlockReflowInput.cpp:918:13
    #40 0x7feddf5ba585 in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /src/layout/generic/BlockReflowInput.cpp:602:14
    #41 0x7feddf84a50b in AddFloat /src/layout/generic/nsLineLayout.h:156:22
    #42 0x7feddf84a50b in TryToPlaceFloat /src/layout/generic/nsLineLayout.cpp:1472
    #43 0x7feddf84a50b in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /src/layout/generic/nsLineLayout.cpp:921
    #44 0x7feddf640373 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /src/layout/generic/nsBlockFrame.cpp:4331:15
    #45 0x7feddf63ec69 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /src/layout/generic/nsBlockFrame.cpp:4133:5
    #46 0x7feddf6367ca in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:4018:9
    #47 0x7feddf62e4e1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3005:5
    #48 0x7feddf6236f3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2545:7
    #49 0x7feddf61ab8a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
    #50 0x7feddf6735a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:895:14
    #51 0x7feddf677a28 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /src/layout/generic/nsColumnSetFrame.cpp:765:7
    #52 0x7feddf67d5dd in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:448:37
    #53 0x7feddf67d5dd in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1148
    #54 0x7feddf67e661 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1269:5
    #55 0x7feddf63c38a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
    #56 0x7feddf631572 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3649:11
    #57 0x7feddf62e63b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3002:5
    #58 0x7feddf6236f3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2545:7
    #59 0x7feddf61ab8a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
    #60 0x7feddf6735a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:895:14
    #61 0x7feddf671f3b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsCanvasFrame.cpp:731:5
    #62 0x7feddf6735a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:895:14
    #63 0x7feddf77760d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /src/layout/generic/nsGfxScrollFrame.cpp:628:3
    #64 0x7feddf7787c3 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /src/layout/generic/nsGfxScrollFrame.cpp:741:3
    #65 0x7feddf77dd7d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsGfxScrollFrame.cpp:1143:3
    #66 0x7feddf607d9c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /src/layout/generic/nsContainerFrame.cpp:934:14
    #67 0x7feddf606d7c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/ViewportFrame.cpp:309:7
    #68 0x7feddf3dacf4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /src/layout/base/PresShell.cpp:9301:11
    #69 0x7feddf3f52b3 in mozilla::PresShell::ProcessReflowCommands(bool) /src/layout/base/PresShell.cpp:9471:24
    #70 0x7feddf3f29ca in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4238:11
    #71 0x7feddf37a43c in FlushPendingNotifications /src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
    #72 0x7feddf37a43c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:2016
    #73 0x7feddf38b8ef in TickDriver /src/layout/base/nsRefreshDriver.cpp:372:13
    #74 0x7feddf38b8ef in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /src/layout/base/nsRefreshDriver.cpp:349
    #75 0x7feddf38b29e in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:365:5
    #76 0x7feddf38eb73 in RunRefreshDrivers /src/layout/base/nsRefreshDriver.cpp:814:5
    #77 0x7feddf38eb73 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /src/layout/base/nsRefreshDriver.cpp:734
    #78 0x7feddf389218 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /src/layout/base/nsRefreshDriver.cpp:532:20
    #79 0x7fedd5abb120 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
    #80 0x7fedd5ac1538 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
    #81 0x7fedd6cab34f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
    #82 0x7fedd6ba83f2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
    #83 0x7fedd6ba83f2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
    #84 0x7fedd6ba83f2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
    #85 0x7feddedfde29 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
    #86 0x7fede2a2e000 in nsAppStartup::Run() /src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #87 0x7fede2cd7e43 in XREMain::XRE_mainRun() /src/toolkit/xre/nsAppRunner.cpp:4631:22
    #88 0x7fede2cd9f60 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4766:8
    #89 0x7fede2cdb96e in XRE_main(int, char**, mozilla::BootstrapConfig const&) /src/toolkit/xre/nsAppRunner.cpp:4847:21
    #90 0x5605aa1c7dd4 in do_main /src/browser/app/nsBrowserApp.cpp:213:22
    #91 0x5605aa1c7dd4 in main /src/browser/app/nsBrowserApp.cpp:295
    #92 0x7fedf72c0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #93 0x5605aa0e96ac in _start (/home/worker/builds/m-c-20190803221448-fuzzing-asan-opt/firefox+0x456ac)

0x7fedea9460e8 is located 0 bytes to the right of global variable 'sEmptyTArrayHeader' defined in '/builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:17:27' (0x7fedea9460e0) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow /src/layout/base/FrameProperties.h:361:16 in Equals
Shadow bytes around the buggy address:
  0x0ffe3d520bc0: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520bd0: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520be0: 00 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520bf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ffe3d520c00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f9
=>0x0ffe3d520c10: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00[f9]f9 f9
  0x0ffe3d520c20: f9 f9 f9 f9 00 00 00 00 01 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520c30: 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520c40: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520c50: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
  0x0ffe3d520c60: 00 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==66745==ABORTING
Group: core-security → layout-core-security

Smells like column-span.

Flags: needinfo?(aethanyc)
Attached file testcase.html (obsolete)

The attached testcase must be served via a local webserver in order to reproduce due to the url() value.

Attached file testcase.html

Previously attached the wrong testcase.

Attachment #9083323 - Attachment is obsolete: true
Attached image image.bmp
Flags: in-testsuite?

I can take a look since the testcase repros with or without column-span enabled.

Assignee: nobody → emilio

This is a regression from bug 1570726, but it is a null dereference. ASAN seems confused.

It's the same issue that https://phabricator.services.mozilla.com/D40245 fixes really, which is that from Init() we may have code that calls into GetInFlowParent(), and since our prev-in-flow pointer is not set up yet, we don't find a placeholder.

Regressed by: 1570726
Keywords: regression
Priority: -- → P2

Parts of nsFrame::Init or code called by it should be able to rely on the
invariant that, if the frame has the NS_FRAME_OUT_OF_FLOW bit, the first-in-flow
frame has a placeholder property.

Alternatively to this patch, the NS_FRAME_OUT_OF_FLOW frame bit could be
propagated later, as it used to be.
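The ordering problem described in the comment above and in the patch description (Init-time code asking for the in-flow parent before the prev-in-flow pointer is linked, so the first-in-flow placeholder is not found) can be shown with a small model. This is an added illustration, not Gecko code; `Frame`, `InitTimeHook`, `CreateContinuation` and `InvariantHoldsDuringInit` are hypothetical stand-ins for nsIFrame, the placeholder property, GetInFlowParent() and CreateContinuingFrame().

```cpp
// Added illustration, not Gecko code: a minimal model of the ordering bug
// described in this report. All names here are hypothetical stand-ins.
#include <cstdint>

enum : uint32_t { NS_FRAME_OUT_OF_FLOW = 1u << 0 };

struct Frame {
  Frame* parent = nullptr;
  Frame* prevInFlow = nullptr;
  Frame* placeholder = nullptr;   // only meaningful on the first-in-flow
  uint32_t stateBits = 0;

  Frame* FirstInFlow() {
    Frame* f = this;
    while (f->prevInFlow) f = f->prevInFlow;
    return f;
  }
};

// Model of GetInFlowParent(): an out-of-flow frame's in-flow parent is the
// parent of its first-in-flow's placeholder. Returns nullptr instead of
// dereferencing a missing placeholder, which is the null dereference the bug
// describes when the invariant does not hold yet.
Frame* GetInFlowParent(Frame* f) {
  if (!(f->stateBits & NS_FRAME_OUT_OF_FLOW)) return f->parent;
  Frame* ph = f->FirstInFlow()->placeholder;
  return ph ? ph->parent : nullptr;
}

// Stand-in for work done from Init() (the shape-image reflow request in the
// stack trace) that needs the in-flow parent. Returns what it observed.
Frame* InitTimeHook(Frame* f) { return GetInFlowParent(f); }

// Models CreateContinuingFrame(): the continuation gets the out-of-flow bit
// early, but whether prev-in-flow is linked before Init() runs decides what
// Init-time code sees. Returns the parent observed by the Init-time hook.
Frame* CreateContinuation(Frame* prev, Frame* parent, bool linkBeforeInit,
                          Frame* out) {
  *out = Frame{};
  out->parent = parent;
  out->stateBits = prev->stateBits;              // bit propagated before Init()
  if (linkBeforeInit) out->prevInFlow = prev;
  Frame* seen = InitTimeHook(out);               // Init() runs here
  if (!linkBeforeInit) out->prevInFlow = prev;   // linked too late for Init()
  return seen;
}

// Scenario: a float with a placeholder is split into a continuation.
// True when Init-time code found the placeholder's parent (the invariant held).
bool InvariantHoldsDuringInit(bool linkBeforeInit) {
  Frame container, placeholder, first, cont;
  placeholder.parent = &container;
  first.placeholder = &placeholder;
  first.stateBits = NS_FRAME_OUT_OF_FLOW;
  return CreateContinuation(&first, &container, linkBeforeInit, &cont) ==
         &container;
}
```

With `linkBeforeInit == false` the hook walks FirstInFlow() on the unlinked continuation, finds no placeholder and gets nullptr; linking first (or propagating the bit later, as the patch description suggests) restores the invariant.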

Landed but was backed out in https://hg.mozilla.org/integration/autoland/rev/70e9b7a17a9f. Seems like the test-case asserts harder than locally on some platforms in automation, which is great. I guess.

The issue is that the shape image loading code requests a reflow when creating a continuation because of the sync image callback. I'm not sure how shape image is supposed to work with fragmented floats...

Flags: needinfo?(emilio)
Blocks: 1572114

I verified the assertions for which I got backed out happen before the patch and before the regressing bug. So I'll fix in a separate bug and I relanded it with a skip-if(debug).

Flags: needinfo?(emilio)
Duplicate of this bug: 1571499
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Thanks for fixing this, emilio!

Flags: needinfo?(aethanyc)
Flags: in-testsuite? → in-testsuite+
Group: core-security-release