Closed Bug 1571598 Opened 8 months ago Closed 8 months ago

use-after-poison in [@ nsLineLayout::VerticalAlignFrames]

Categories

(Core :: Layout: Columns, defect, P3)

Tracking

RESOLVED DUPLICATE of bug 1575106
Tracking Status
firefox70 --- disabled

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, csectype-framepoisoning, testcase)

Attachments

(1 file)

Attached file testcase.html

Found with m-c: 20190804-6e3e96412fd9

==72645==ERROR: AddressSanitizer: use-after-poison on address 0x6250001fbb00 at pc 0x7f2009f38fc8 bp 0x7ffd2547a190 sp 0x7ffd2547a188
READ of size 8 at 0x6250001fbb00 thread T0 (file:// Content)
    #0 0x7f2009f38fc7 in get src/obj-firefox/dist/include/mozilla/RefPtr.h:278:27
    #1 0x7f2009f38fc7 in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:308
    #2 0x7f2009f38fc7 in StyleDisplay src/layout/style/nsStyleStructList.h:46
    #3 0x7f2009f38fc7 in nsLineLayout::VerticalAlignFrames(nsLineLayout::PerSpanData*) src/layout/generic/nsLineLayout.cpp:1964
    #4 0x7f2009f25a79 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:1063:9
    #5 0x7f2009d1b663 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4331:15
    #6 0x7f2009d19f59 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4133:5
    #7 0x7f2009d11aba in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4018:9
    #8 0x7f2009d097d1 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3005:5
    #9 0x7f2009cfe9e3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2545:7
    #10 0x7f2009cf5e7a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #11 0x7f2009d4e897 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:895:14
    #12 0x7f2009d52d18 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:765:7
    #13 0x7f2009d588cd in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:448:37
    #14 0x7f2009d588cd in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1148
    #15 0x7f2009d59951 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1269:5
    #16 0x7f2009d1767a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #17 0x7f2009d0c862 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #18 0x7f2009d0992b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3002:5
    #19 0x7f2009cfe9e3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2545:7
    #20 0x7f2009cf5e7a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #21 0x7f2009d1767a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #22 0x7f2009d0c862 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #23 0x7f2009d0992b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3002:5
    #24 0x7f2009cfe9e3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2545:7
    #25 0x7f2009cf5e7a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #26 0x7f2009d4e897 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:895:14
    #27 0x7f2009d52d18 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:765:7
    #28 0x7f2009d588cd in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:448:37
    #29 0x7f2009d588cd in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1148
    #30 0x7f2009d59951 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1269:5
    #31 0x7f2009d1767a in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #32 0x7f2009d0c862 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3649:11
    #33 0x7f2009d0992b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3002:5
    #34 0x7f2009cfe9e3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2545:7
    #35 0x7f2009cf5e7a in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1285:3
    #36 0x7f2009d4e897 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:895:14
    #37 0x7f2009d4d22b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:731:5
    #38 0x7f2009d4e897 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:895:14
    #39 0x7f2009e528fd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:628:3
    #40 0x7f2009e53ab3 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:741:3
    #41 0x7f2009e5906d in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1143:3
    #42 0x7f2009ce308c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:934:14
    #43 0x7f2009ce206c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:309:7
    #44 0x7f2009ab5e64 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9294:11
    #45 0x7f2009ad05a3 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9464:24
    #46 0x7f2009acdcba in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4231:11
    #47 0x7f2009a557ac in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
    #48 0x7f2009a557ac in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2016
    #49 0x7f2009a66c5f in TickDriver src/layout/base/nsRefreshDriver.cpp:372:13
    #50 0x7f2009a66c5f in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:349
    #51 0x7f2009a66620 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:366:5
    #52 0x7f2009a69ee3 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:814:5
    #53 0x7f2009a69ee3 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:734
    #54 0x7f2009a691ac in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:629:9
    #55 0x7f200a34780b in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #56 0x7f2002057095 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
    #57 0x7f2001bc26d1 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5657:32
    #58 0x7f20014285a6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2184:25
    #59 0x7f200142330b in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2108:9
    #60 0x7f20014258c7 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1955:3
    #61 0x7f2001426757 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1986:13
    #62 0x7f2000221950 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1224:14
    #63 0x7f2000227d68 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #64 0x7f200143198f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #65 0x7f200132ea32 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #66 0x7f200132ea32 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #67 0x7f200132ea32 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #68 0x7f20094d9199 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #69 0x7f200d3b8f4f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #70 0x7f200132ea32 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #71 0x7f200132ea32 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #72 0x7f200132ea32 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #73 0x7f200d3b87f6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #74 0x55d62f7cd173 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #75 0x55d62f7cd173 in main src/browser/app/nsBrowserApp.cpp:267
Flags: in-testsuite?

When loading the test in a debug build, I saw assertions like

[Child 5620, Main Thread] ###!!! ASSERTION: We can't be complete AND have overflow frames!: '!aStatus.IsComplete() || !GetOverflowFrames()', file /home/tlin/Projects/gecko/layout/generic/nsInlineFrame.cpp, line 593
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Frame property OverflowProperty should never be destroyed by the FrameProperties class), at /home/tlin/Projects/gecko/layout/generic/nsContainerFrame.h:453
Priority: -- → P3

This is fixed by bug 1575106, and the testcase is added as a crashtest in bug 1575106 Part 4.

Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1575106