1628804 - use-after-poison in [@ RemoveFirstLine]

Status: VERIFIED FIXED

(Core :: Layout, defect)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reduced with m-c 20200409-93bdbca5399c

==8401==ERROR: AddressSanitizer: use-after-poison on address 0x625000308d10 at pc 0x7f14e2b6b5ad bp 0x7ffd2cfa7e90 sp 0x7ffd2cfa7e88
READ of size 8 at 0x625000308d10 thread T0 (Web Content)
    #0 0x7f14e2b6b5ac in RemoveFirstLine(nsLineList&, nsFrameList&, nsLineBox**, nsFrameList*) gecko/layout/generic/nsBlockFrame.cpp:730:25
    #1 0x7f14e2b632e9 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockFrame.cpp:2924:13
    #2 0x7f14e2b5a8d1 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1402:3
    #3 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #4 0x7f14e2baadb8 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:702:7
    #5 0x7f14e2ba9bc2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:412:37
    #6 0x7f14e2baeb32 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) gecko/layout/generic/nsColumnSetFrame.cpp:1095:9
    #7 0x7f14e2bafac3 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsColumnSetFrame.cpp:1220:5
    #8 0x7f14e2b77595 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #9 0x7f14e2b6e34d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:3805:11
    #10 0x7f14e2b6acbb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:3152:5
    #11 0x7f14e2b61b84 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockFrame.cpp:2690:7
    #12 0x7f14e2b5a8d1 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1402:3
    #13 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #14 0x7f14e2e40d64 in nsHTMLButtonControlFrame::ReflowButtonContents(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsIFrame*) gecko/layout/forms/nsHTMLButtonControlFrame.cpp:238:3
    #15 0x7f14e2e404e6 in nsHTMLButtonControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/forms/nsHTMLButtonControlFrame.cpp:184:3
    #16 0x7f14e2d7738e in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) gecko/layout/generic/nsLineLayout.cpp:878:13
    #17 0x7f14e2b7b14b in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) gecko/layout/generic/nsBlockFrame.cpp:4487:15
    #18 0x7f14e2b79c34 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) gecko/layout/generic/nsBlockFrame.cpp:4289:5
    #19 0x7f14e2b7214b in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:4174:9
    #20 0x7f14e2b6aa83 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:3155:5
    #21 0x7f14e2b61b84 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockFrame.cpp:2690:7
    #22 0x7f14e2b5a8d1 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1402:3
    #23 0x7f14e2b77595 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #24 0x7f14e2b6e34d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:3805:11
    #25 0x7f14e2b6acbb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) gecko/layout/generic/nsBlockFrame.cpp:3152:5
    #26 0x7f14e2b61b84 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) gecko/layout/generic/nsBlockFrame.cpp:2690:7
    #27 0x7f14e2b5a8d1 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1402:3
    #28 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #29 0x7f14e2ba583d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsCanvasFrame.cpp:750:5
    #30 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #31 0x7f14e2c8b041 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) gecko/layout/generic/nsGfxScrollFrame.cpp:654:3
    #32 0x7f14e2c8c875 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) gecko/layout/generic/nsGfxScrollFrame.cpp:768:3
    #33 0x7f14e2c907c8 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsGfxScrollFrame.cpp:1155:3
    #34 0x7f14e2b4b0a1 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:946:14
    #35 0x7f14e2b4a70b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/ViewportFrame.cpp:299:7
    #36 0x7f14e2971ae9 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) gecko/layout/base/PresShell.cpp:9345:11
    #37 0x7f14e29845e7 in mozilla::PresShell::ProcessReflowCommands(bool) gecko/layout/base/PresShell.cpp:9518:24
    #38 0x7f14e298305d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) gecko/layout/base/PresShell.cpp:4203:11
    #39 0x7f14e2913627 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:2071:20
    #40 0x7f14e2921f56 in TickDriver gecko/layout/base/nsRefreshDriver.cpp:374:13
    #41 0x7f14e2921f56 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) gecko/layout/base/nsRefreshDriver.cpp:351:7
    #42 0x7f14e2921b55 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:368:5
    #43 0x7f14e2920c02 in RunRefreshDrivers gecko/layout/base/nsRefreshDriver.cpp:828:5
    #44 0x7f14e2920c02 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) gecko/layout/base/nsRefreshDriver.cpp:746:16
    #45 0x7f14e291fd81 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) gecko/layout/base/nsRefreshDriver.cpp:645:9
    #46 0x7f14e3086529 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) gecko/layout/ipc/VsyncChild.cpp:55:16
    #47 0x7f14dbfc18d0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
    #48 0x7f14dba80d90 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5970:32
    #49 0x7f14db3a1920 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) gecko/ipc/glue/MessageChannel.cpp:2187:25
    #50 0x7f14db39c2b7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) gecko/ipc/glue/MessageChannel.cpp:2111:9
    #51 0x7f14db39e7b4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) gecko/ipc/glue/MessageChannel.cpp:1959:3
    #52 0x7f14db39f690 in mozilla::ipc::MessageChannel::MessageTask::Run() gecko/ipc/glue/MessageChannel.cpp:1990:13
    #53 0x7f14da0c2086 in nsThread::ProcessNextEvent(bool, bool*) gecko/xpcom/threads/nsThread.cpp:1200:14
    #54 0x7f14da0ccedc in NS_ProcessNextEvent(nsIThread*, bool) gecko/xpcom/threads/nsThreadUtils.cpp:481:10
    #55 0x7f14db3ad5df in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) gecko/ipc/glue/MessagePump.cpp:87:21
    #56 0x7f14db29b0e7 in RunInternal gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #57 0x7f14db29b0e7 in RunHandler gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #58 0x7f14db29b0e7 in MessageLoop::Run() gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #59 0x7f14e247cd68 in nsBaseAppShell::Run() gecko/widget/nsBaseAppShell.cpp:137:27
    #60 0x7f14e5fe0946 in XRE_RunAppShell() gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
    #61 0x7f14db29b0e7 in RunInternal gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #62 0x7f14db29b0e7 in RunHandler gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #63 0x7f14db29b0e7 in MessageLoop::Run() gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #64 0x7f14e5fdfffa in XRE_InitChildProcess(int, char**, XREChildData const*) gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
    #65 0x55ca42fe6ff3 in content_process_main gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #66 0x55ca42fe6ff3 in main gecko/browser/app/nsBrowserApp.cpp:303:18

0x625000308d10 is located 7184 bytes inside of 8192-byte region [0x625000307100,0x625000309100)
allocated by thread T0 (Web Content) here:
    #0 0x55ca42fb431d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x7f14da077cc0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7f14e2aac91d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7f14e2aac91d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:67:12
    #4 0x7f14e2aac91d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:71:15
    #5 0x7f14e2b536b5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7f14e2b536b5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7f14e2b536b5 in operator new gecko/layout/generic/nsBlockFrame.cpp:411:1
    #8 0x7f14e2b536b5 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) gecko/layout/generic/nsBlockFrame.cpp:401:10
    #9 0x7f14e2a21cc8 in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) gecko/layout/base/nsCSSFrameConstructor.cpp:7956:16
    #10 0x7f14e2bae30d in nsContainerFrame::CreateNextInFlow(nsIFrame*) gecko/layout/generic/nsContainerFrame.cpp:1343:42
    #11 0x7f14e2bab32a in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:772:23
    #12 0x7f14e2ba9bc2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:412:37
    #13 0x7f14e2baf14d in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) gecko/layout/generic/nsColumnSetFrame.cpp:1153:5
    #14 0x7f14e2bafac3 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsColumnSetFrame.cpp:1220:5
    #15 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #16 0x7f14e2b5f58e in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, nsOverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*)) gecko/layout/generic/nsContainerFrame.cpp:1161:7
    #17 0x7f14e2b5a5d6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1369:5
    #18 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #19 0x7f14e2b5f58e in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, nsOverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*)) gecko/layout/generic/nsContainerFrame.cpp:1161:7
    #20 0x7f14e2b5a5d6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) gecko/layout/generic/nsBlockFrame.cpp:1369:5
    #21 0x7f14e2ba6a54 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) gecko/layout/generic/nsContainerFrame.cpp:906:14
    #22 0x7f14e2baadb8 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:702:7
    #23 0x7f14e2ba9bc2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) gecko/layout/generic/nsColumnSetFrame.cpp:412:37
    #24 0x7f14e2baeb32 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) gecko/layout/generic/nsColumnSetFrame.cpp:1095:9

Comment 1

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/5i2jO7IJ4fyiao0VPKxtjQ/index.html

Comment 2

[Daniel Holbert [:dholbert]]

Regression range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a7034ea760bd316e65ae703efaa040170fe71bc0&tochange=d2cd2c812a9559058ed5c66e966856c1dd1562d7

--> regression from bug 1624514 . TYLin, mind taking a look?

Comment 3

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as reproducible on mozilla-central 20200410100829-280c84604ac0.
The bug appears to have been introduced in the following build range:
> Start: c5112a7573ac8a9d388e6253e3305061654b123e (20200325164049)
> End: b3c3f7d0f044c92c774a6f2ec53385f3b3f2ee0c (20200325213906)
> Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=c5112a7573ac8a9d388e6253e3305061654b123e&tochange=b3c3f7d0f044c92c774a6f2ec53385f3b3f2ee0c

Comment 4

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Re comment 2:

--> regression from bug 1624514 . TYLin, mind taking a look?

Sure. I'll post a patch to fix this today.

I made a mistake in bug 1624514 by not keeping the inline-size and block-size returning by ContentSize() non-negative. The old ContentBSize() or the callsites using GetContentRectRelativeToSelf() (which calls nsRect::Deflate()) all ensure their returned sizes is non-negative.

Comment 5

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Attachment: Bug 1628804 - Ensure nsIFrame::ContentSize() returning non-negative sizes.

Comment 6

[Daniel Holbert [:dholbert]]

It looks like this is mitigated by frame-poisoning, given use-after-poison in description & comment 0. So we can probably assume this is just a denial-of-service & we don't need to worry about embargoing the testcase or bothering with sec-approval process, I think.

But we should definitely be sure to get beta uplift approval & get this uplifted in the near term.

Comment 7

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

But we should definitely be sure to get beta uplift approval & get this uplifted in the near term.

Yes, we should. NI myself as a reminder to request beta uplift after my patch is landed on nightly.

Comment 8

[Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)]

https://hg.mozilla.org/integration/autoland/rev/452a284c8d8afab3f43dd2e28ef2126fd0bf6ecc
https://hg.mozilla.org/mozilla-central/rev/452a284c8d8a

Comment 9

[Ting-Yu Lin [:TYLin] (PDT, UTC-7)]

Comment on attachment 9139857 [details]
Bug 1628804 - Ensure nsIFrame::ContentSize() returning non-negative sizes.

Beta/Release Uplift Approval Request

• User impact if declined: Crash due to use-after-poison.
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): Low risk because it fixed a logic flaw (a helper method should return non-negative sizes) for bug 1624514 that is a simple refactoring bug without altering layout behavior.
• String changes made/needed: None

Comment 10

[Ryan VanderMeulen [:RyanVM]]

Comment on attachment 9139857 [details]
Bug 1628804 - Ensure nsIFrame::ContentSize() returning non-negative sizes.

Approved for 76.0b5.

Comment 11

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/releases/mozilla-beta/rev/54eb3dcca5cb

Comment 12

[Jason Kratzer [:jkratzer]]

Bugmon Analysis:
Verified bug as fixed on rev mozilla-central 20200423145559-03626342f6e6.
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.