Closed Bug 1600207 Opened 4 years ago Closed 4 years ago

use-after-poison in [@ mozilla::ReflowInput::ReflowInput]

Categories: Core :: Layout: Form Controls, defect, P3

Tracking: RESOLVED FIXED, target milestone mozilla73
Tracking Status:
firefox-esr68 --- unaffected
firefox71 --- unaffected
firefox72 --- fixed
firefox73 --- fixed

People: Reporter: tsmith, Assigned: MatsPalmgren_bugz

References: Blocks 1 open bug, Regression

Attachments: 3 files

Attached file testcase.html

Reduced with m-c:
BuildID=20191125161209
SourceStamp=b4755981c1382cb88fed4e4fcff3ba73779b2080

==26665==ERROR: AddressSanitizer: use-after-poison on address 0x62500029e5ec at pc 0x7feeb2be8d08 bp 0x7ffe5cf0d140 sp 0x7ffe5cf0d138
READ of size 1 at 0x62500029e5ec thread T0 (file:// Content)
    #0 0x7feeb2be8d07 in GetWritingMode src/layout/generic/nsIFrame.h:906:56
    #1 0x7feeb2be8d07 in SizeComputationInput src/layout/generic/ReflowInput.h:181:30
    #2 0x7feeb2be8d07 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) src/layout/generic/ReflowInput.cpp:169:7
    #3 0x7feeb2fa1364 in nsFieldSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/forms/nsFieldSetFrame.cpp:566:17
    #4 0x7feeb2c59b5c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
    #5 0x7feeb2c4fc52 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3694:11
    #6 0x7feeb2c4d2fb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3039:5
    #7 0x7feeb2c42b4c in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #8 0x7feeb2c39c6d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #9 0x7feeb2c90fa7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #10 0x7feeb2c95843 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:796:7
    #11 0x7feeb2c9c0d2 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:453:37
    #12 0x7feeb2c9c0d2 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1286:7
    #13 0x7feeb2c9c9fe in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1360:5
    #14 0x7feeb2c59b5c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
    #15 0x7feeb2c4fc52 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3694:11
    #16 0x7feeb2c4d2fb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3039:5
    #17 0x7feeb2c42b4c in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #18 0x7feeb2c39c6d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #19 0x7feeb2c59b5c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
    #20 0x7feeb2c4fc52 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3694:11
    #21 0x7feeb2c4d2fb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3039:5
    #22 0x7feeb2c42b4c in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #23 0x7feeb2c39c6d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #24 0x7feeb2c90fa7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #25 0x7feeb2c95843 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:796:7
    #26 0x7feeb2c9c0d2 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:453:37
    #27 0x7feeb2c9c0d2 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1286:7
    #28 0x7feeb2c9c9fe in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1360:5
    #29 0x7feeb2c59b5c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
    #30 0x7feeb2c4fc52 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3694:11
    #31 0x7feeb2c4d2fb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3039:5
    #32 0x7feeb2c42b4c in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #33 0x7feeb2c39c6d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #34 0x7feeb2c90fa7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #35 0x7feeb2c8fad1 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:738:5
    #36 0x7feeb2c90fa7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #37 0x7feeb2d9c96b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:649:3
    #38 0x7feeb2d9dd28 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:763:3
    #39 0x7feeb2da36c1 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1142:3
    #40 0x7feeb2c2628c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:950:14
    #41 0x7feeb2c25451 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:299:7
    #42 0x7feeb29fa12f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9179:11
    #43 0x7feeb2a12be7 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9352:24
    #44 0x7feeb2a1056a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4111:11
    #45 0x7feeb29933ff in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1452:5
    #46 0x7feeb29933ff in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2050:20
    #47 0x7feeb29a3ff1 in TickDriver src/layout/base/nsRefreshDriver.cpp:373:13
    #48 0x7feeb29a3ff1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
    #49 0x7feeb29a3b1b in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #50 0x7feeb29a2e63 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:819:5
    #51 0x7feeb29a2e63 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:739:16
    #52 0x7feeb29a2197 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:634:9
    #53 0x7feeb328c3f9 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #54 0x7feeab54626f in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
    #55 0x7feeaafb1cde in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #56 0x7feeaa822df6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2208:25
    #57 0x7feeaa81de11 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2130:9
    #58 0x7feeaa820381 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1972:3
    #59 0x7feeaa821247 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2003:13
    #60 0x7feea960affa in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1250:14
    #61 0x7feea96124a1 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #62 0x7feeaa82bfaf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #63 0x7feeaa735dd2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #64 0x7feeaa735dd2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #65 0x7feeaa735dd2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #66 0x7feeb24171e8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #67 0x7feeb647e6b6 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #68 0x7feeaa735dd2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #69 0x7feeaa735dd2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #70 0x7feeaa735dd2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #71 0x7feeb647df04 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #72 0x55c6e3499c5c in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #73 0x55c6e3499c5c in main src/browser/app/nsBrowserApp.cpp:272:18
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/V9Ho6xnQ2ZlipuN2peetdg/index.html
It will expire in 7 days.

This happens after we added support for fragmenting <fieldset> in bug 471015.

Component: Layout: Columns → Layout: Form Controls
Flags: needinfo?(mats)
Keywords: regression
Regressed by: 471015
Attached file frame tree

It seems this fieldset was reflowed once and the inner frame was incomplete, so we created a next-in-flow for it on the OverflowList. Then we got another reflow before its next-in-flow picked it up, so DrainSelfOverflowList put it back on mFrames. This makes GetInner() confused, since it only expects one inner frame.

Assignee: nobody → mats
Flags: needinfo?(mats)
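Added illustration (not code from this bug, from Gecko's nsPresArena, or from nsFieldSetFrame) of two things the thread above takes for granted: why the report says "use-after-poison" rather than "heap-use-after-free", and what a container holding on to a frame pointer across a reflow that destroys that frame amounts to. Layout frames live in an arena that recycles fixed-size slots instead of returning them to malloc, so ASan never sees a free; the arena has to poison a dead slot itself through the sanitizer interface, and a later read through a kept pointer (here the one-byte writing-mode field at frame #0 of the trace) is then reported as use-after-poison. Without ASan the same read silently returns whatever occupies the slot, and because this toy's free list is LIFO (as most free-list allocators are) the next allocation reuses it, so the stale pointer aliases a different live frame. The `Frame` struct, slot size, function names and the `is_continuation` flag are assumptions made for the example.

```c
/*
 * Toy frame arena, written for this page; not Gecko's nsPresArena.
 * Slots are recycled rather than freed, so the arena itself must tell
 * ASan when a slot is dead (poison) and alive again (unpoison).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define ARENA_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define ARENA_ASAN 1
#  endif
#endif

#ifdef ARENA_ASAN
#  include <sanitizer/asan_interface.h>
#  define ARENA_POISON(p, n)   __asan_poison_memory_region((p), (n))
#  define ARENA_UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#  define ARENA_POISON(p, n)   ((void)(p), (void)(n))
#  define ARENA_UNPOISON(p, n) ((void)(p), (void)(n))
#endif

enum { SLOT_SIZE = 64, SLOT_COUNT = 8, FREED_FILL = 0xA5 };

/* Stand-in for a layout frame (assumed layout). writing_mode mirrors the
 * 1-byte field that the ASan report above reads through a dead frame. */
typedef struct Frame {
  uint8_t writing_mode;
  uint8_t is_continuation;
  struct Frame *next_in_flow;
} Frame;

typedef struct Arena {
  uint8_t slots[SLOT_COUNT][SLOT_SIZE];
  void   *free_list[SLOT_COUNT];   /* LIFO: last freed slot is handed out first */
  size_t  free_count;
  size_t  high_water;              /* slots never allocated yet start here */
} Arena;

void arena_init(Arena *a) { memset(a, 0, sizeof *a); }

/* Hand out a slot, preferring a recycled one; returns NULL when exhausted. */
void *arena_alloc(Arena *a) {
  void *p;
  if (a->free_count > 0) {
    p = a->free_list[--a->free_count];
  } else if (a->high_water < SLOT_COUNT) {
    p = a->slots[a->high_water++];
  } else {
    return NULL;
  }
  ARENA_UNPOISON(p, SLOT_SIZE);    /* slot is live again for ASan */
  memset(p, 0, SLOT_SIZE);
  return p;
}

/* Return a slot: scribble it so a stale read yields garbage even without
 * ASan, push it on the free list, then mark it dead for ASan. */
void arena_free(Arena *a, void *p) {
  memset(p, FREED_FILL, SLOT_SIZE);
  a->free_list[a->free_count++] = p;
  ARENA_POISON(p, SLOT_SIZE);
}

/* Liveness check a getter could assert on in debug builds: live means
 * inside the allocated range and not currently on the free list. */
int arena_is_live(const Arena *a, const void *p) {
  const uint8_t *lo = (const uint8_t *)a->slots;
  const uint8_t *hi = lo + a->high_water * SLOT_SIZE;
  for (size_t i = 0; i < a->free_count; i++)
    if (a->free_list[i] == p) return 0;
  return (const uint8_t *)p >= lo && (const uint8_t *)p < hi;
}

/* Shape of the bug: a container keeps a pointer to a continuation that is
 * destroyed during a reflow; the next allocation recycles that slot, so the
 * kept pointer now aliases an unrelated live frame. Returns 1 if it does. */
int stale_pointer_aliases_new_frame(void) {
  Arena a;
  arena_init(&a);
  Frame *inner = arena_alloc(&a);
  Frame *stale = arena_alloc(&a);
  stale->is_continuation = 1;
  inner->next_in_flow = stale;
  inner->next_in_flow = NULL;      /* continuation detached from the flow... */
  arena_free(&a, stale);           /* ...and destroyed, but `stale` is kept */
  Frame *fresh = arena_alloc(&a);  /* reuses the dead slot */
  fresh->writing_mode = 1;
  return stale == fresh;           /* compare only; no read through `stale` */
}

/* Exercises the arena; returns the number of checks that passed (4 expected). */
int arena_self_check(void) {
  Arena a;
  int ok = 0;
  arena_init(&a);
  Frame *f1 = arena_alloc(&a), *f2 = arena_alloc(&a);
  ok += (f1 != f2) && arena_is_live(&a, f1) && arena_is_live(&a, f2);
  arena_free(&a, f2);
  ok += !arena_is_live(&a, f2);
  Frame *f3 = arena_alloc(&a);
  ok += (f3 == f2) && arena_is_live(&a, f3);   /* LIFO reuse */
  ok += f3->writing_mode == 0;                 /* recycled slot was re-zeroed */
  return ok;
}

int main(void) {
  Arena a;
  arena_init(&a);
  Frame *f = arena_alloc(&a);
  f->writing_mode = 1;
  arena_free(&a, f);
  /* With -fsanitize=address this read is reported as use-after-poison, like
   * the report above; without ASan it silently prints the 0xA5 scribble. */
  printf("stale writing_mode = 0x%02x\n", (unsigned)f->writing_mode);
  return 0;
}
```

Build it twice to see the difference: `clang -fsanitize=address -g` makes main() abort with a use-after-poison report whose faulting read is the one-byte field access, while a plain build prints the scribble byte and carries on, which is the silent case a release build hits.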

Also, don't drain OverflowList unless we need to.
And make EnsureChildContinuation deal with continuations going from being
normal continuations to overflow-continuations (and vice versa) better.

Crash Signature: [@ mozilla::ReflowInput::ReflowInput]
Priority: -- → P3
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/8056d04a14bc
Make GetInner()/GetLegend() robust also in presence of additional continuations on the principal child list.  r=TYLin
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla73

Should we uplift this to beta?

Flags: needinfo?(mats)
Flags: in-testsuite?
Flags: in-testsuite+

Comment on attachment 9113183 [details]
Bug 1600207 - Make GetInner()/GetLegend() robust also in presence of additional continuations on the principal child list. r=TYLin

Beta/Release Uplift Approval Request

  • User impact if declined: possible crash with fieldset inside a column layout
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: Yes
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Medium
  • Why is the change risky/not risky? (and alternatives if risky): The change is non-trivial, but it only affects fragmented fieldsets, so it should have zero risk of causing regressions in other layout.
  • String changes made/needed:
Flags: needinfo?(mats)
Attachment #9113183 - Flags: approval-mozilla-beta?

Comment on attachment 9113183 [details]
Bug 1600207 - Make GetInner()/GetLegend() robust also in presence of additional continuations on the principal child list. r=TYLin

crash fix for 72.0b6

Attachment #9113183 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Has Regression Range: --- → yes
