Closed
Bug 1576169
Opened 5 years ago
Closed 3 years ago
AddressSanitizer: stack-overflow [@ nsBlockReflowContext::ComputeCollapsedBStartMargin]
Categories
(Core :: Layout: Block and Inline, defect, P3)
Core
Layout: Block and Inline
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox70 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(1 file)
|
489 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 5df00af5913e.
==10988==ERROR: AddressSanitizer: stack-overflow on address 0x7fff74cc0e78 (pc 0x55e7683be1b1 bp 0x7fff74cc16d0 sp 0x7fff74cc0e80 T0)
#0 0x55e7683be1b0 in __asan_memset /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
#1 0x7f430df2c372 in BaseMargin /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/BaseMargin.h:65:26
#2 0x7f430df2c372 in IntMarginTyped /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/gfx/Rect.h:37
#3 0x7f430df2c372 in mozilla::SizeComputationInput::InitOffsets(mozilla::WritingMode, int, mozilla::LayoutFrameType, mozilla::SizeComputationInput::ReflowInputFlags, nsMargin const*, nsMargin const*, nsStyleDisplay const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2536
#4 0x7f430df314c4 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2246:5
#5 0x7f430df2afe9 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:353:3
#6 0x7f430df9c072 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:164:25
#7 0x7f430df9c208 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:172:17
#8 0x7f430df9c208 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:172:17
#9 0x7f430df9c208 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:172:17
#10 0x7f430df9c208 in nsBlockReflowContext::ComputeCollapsedBStartMargin(mozilla::ReflowInput const&, nsCollapsingMargin*, nsIFrame*, bool*, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:172:17
...truncated...
Flags: in-testsuite?
|
Reporter | |
Comment 1•5 years ago
|
||
Testcase must be served via a web server in order to reproduce.
|
|
Reporter | |
Comment 2•5 years ago
|
||
Bisection could not be performed as testcase triggers back further than a year.
|
||
Updated•5 years ago
|
Priority: -- → P3
|
||
Comment 3•3 years ago
|
||
I could not reproduce this crash by opening the attached test case in the latest Firefox Nightly 91.0a1, served via simpleHTTP server. Closing it as resolved:worksforme. Please re-open this if it is still reproducible on any of the latest Firefox versions. Thanks!
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•