Closed Bug 1645718 Opened 4 years ago Closed 4 years ago

use-after-poison in [@ nsContainerFrame::NormalizeChildLists]

Categories

(Core :: Layout, defect, P2)

defect

Tracking


RESOLVED DUPLICATE of bug 1666592
Tracking Status
firefox79 --- wontfix

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(1 file, 1 obsolete file)

Attached file testcase.html (obsolete)

This does not seem to be caught by frame poisoning. I can only reproduce it with an ASan build.

==117298==ERROR: AddressSanitizer: use-after-poison on address 0x62500035d828 at pc 0x7ff9ab798c7d bp 0x7ffd5ef41130 sp 0x7ffd5ef41128
READ of size 8 at 0x62500035d828 thread T0 (file:// Content)
    #0 0x7ff9ab798c7c in IsEmpty /gecko/layout/generic/nsFrameList.h:269:44
    #1 0x7ff9ab798c7c in nsContainerFrame::NormalizeChildLists() /gecko/layout/generic/nsContainerFrame.cpp:1884:24
    #2 0x7ff9ab7b6ae4 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsFlexContainerFrame.cpp:4275:3
    #3 0x7ff9ab758275 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #4 0x7ff9ab7681ae in nsBlockFrame::ReflowFloat(mozilla::BlockReflowInput&, mozilla::LogicalRect const&, nsIFrame*, mozilla::LogicalMargin&, mozilla::LogicalMargin&, bool, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:6569:9
    #5 0x7ff9ab6e2bd2 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /gecko/layout/generic/BlockReflowInput.cpp:875:13
    #6 0x7ff9ab740deb in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowInput&, nsOverflowAreas&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:6689:12
    #7 0x7ff9ab73b398 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1354:3
    #8 0x7ff9ab785964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
    #9 0x7ff9ab789cc8 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:702:7
    #10 0x7ff9ab788ad2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:412:37
    #11 0x7ff9ab78e075 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1153:5
    #12 0x7ff9ab78e9e7 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1220:5
    #13 0x7ff9ab758275 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #14 0x7ff9ab74f0b4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3768:11
    #15 0x7ff9ab74b7cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3121:5
    #16 0x7ff9ab742724 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2660:7
    #17 0x7ff9ab73b50d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1374:3
    #18 0x7ff9ab758275 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #19 0x7ff9ab74f0b4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3768:11
    #20 0x7ff9ab74b7cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3121:5
    #21 0x7ff9ab742724 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2660:7
    #22 0x7ff9ab73b50d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1374:3
    #23 0x7ff9ab785964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
    #24 0x7ff9ab789cc8 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:702:7
    #25 0x7ff9ab788ad2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) /gecko/layout/generic/nsColumnSetFrame.cpp:412:37
    #26 0x7ff9ab78da42 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1095:9
    #27 0x7ff9ab78e9e7 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsColumnSetFrame.cpp:1220:5
    #28 0x7ff9ab758275 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:293:11
    #29 0x7ff9ab74f0b4 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3768:11
    #30 0x7ff9ab74b7cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3121:5
    #31 0x7ff9ab742724 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2660:7
    #32 0x7ff9ab73b50d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1374:3
    #33 0x7ff9ab785964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
    #34 0x7ff9ab78474d in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:750:5
    #35 0x7ff9ab785964 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1074:14
    #36 0x7ff9ab86b851 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:661:3
    #37 0x7ff9ab86d085 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:775:3
    #38 0x7ff9ab87126a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1161:3
    #39 0x7ff9ab72b201 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1114:14
    #40 0x7ff9ab72a86b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:296:7
    #41 0x7ff9ab548d6e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9588:11
    #42 0x7ff9ab55b627 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9761:24
    #43 0x7ff9ab55a09d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4241:11
    #44 0x7ff9ab4e9157 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2068:20
    #45 0x7ff9ab4f6a96 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:373:13
    #46 0x7ff9ab4f6a96 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:350:7
    #47 0x7ff9ab4f6695 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:367:5
    #48 0x7ff9ab505a32 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:819:5
    #49 0x7ff9ab505a32 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:737:16
    #50 0x7ff9ab50500f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /gecko/layout/base/nsRefreshDriver.cpp:639:7
    #51 0x7ff9ab4f3a82 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /gecko/layout/base/nsRefreshDriver.cpp:538:20
    #52 0x7ff9a2a3a2e7 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1238:14
    #53 0x7ff9a2a452fc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:501:10
    #54 0x7ff9a3dd171f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:87:21
    #55 0x7ff9a3caec37 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #56 0x7ff9a3caec37 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #57 0x7ff9a3caec37 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #58 0x7ff9ab04ed38 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #59 0x7ff9aec06746 in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
    #60 0x7ff9a3caec37 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:315:10
    #61 0x7ff9a3caec37 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:308:3
    #62 0x7ff9a3caec37 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:290:3
    #63 0x7ff9aec05d2f in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
    #64 0x55e287cd7823 in content_process_main /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #65 0x55e287cd7823 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
    #66 0x7ff9c69bfb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #67 0x55e287c2c189 in _start (/home/worker/builds/m-c-20200613093747-fuzzing-asan-opt/firefox+0xa3189)

0x62500035d828 is located 5928 bytes inside of 8192-byte region [0x62500035c100,0x62500035e100)
allocated by thread T0 (file:// Content) here:
    #0 0x55e287ca4b3d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:145:3
    #1 0x7ff9a29ec340 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
    #2 0x7ff9ab6a6bed in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205:25
    #3 0x7ff9ab6a6bed in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:67:12
    #4 0x7ff9ab6a6bed in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:71:15
    #5 0x7ff9ab733b65 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
    #6 0x7ff9ab733b65 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
    #7 0x7ff9ab733b65 in operator new /gecko/layout/generic/nsBlockFrame.cpp:407:1
    #8 0x7ff9ab733b65 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/generic/nsBlockFrame.cpp:397:10
    #9 0x7ff9ab733cd8 in NS_NewBlockFormattingContext(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/generic/nsBlockFrame.cpp:402:30
    #10 0x7ff9ab5e8d29 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3643:26
    #11 0x7ff9ab5f036f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5616:3
    #12 0x7ff9ab5d88d6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9397:5
    #13 0x7ff9ab5e32ab in nsCSSFrameConstructor::ConstructSelectFrame(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:2863:5
    #14 0x7ff9ab5e8a32 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3575:16
    #15 0x7ff9ab5f036f in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5616:3
    #16 0x7ff9ab5d88d6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9397:5
    #17 0x7ff9ab5f7c74 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:6755:3
    #18 0x7ff9ab58dc50 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /gecko/layout/base/RestyleManager.cpp:1378:27
    #19 0x7ff9ab5985fc in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /gecko/layout/base/RestyleManager.cpp:3035:9
    #20 0x7ff9ab559c81 in ProcessPendingRestyles /gecko/layout/base/RestyleManager.cpp:3114:3
    #21 0x7ff9ab559c81 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4198:39
    #22 0x7ff9ab4e95cf in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:2038:22
    #23 0x7ff9ab4f6a96 in TickDriver /gecko/layout/base/nsRefreshDriver.cpp:373:13
    #24 0x7ff9ab4f6a96 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /gecko/layout/base/nsRefreshDriver.cpp:350:7
    #25 0x7ff9ab4f6695 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:367:5
    #26 0x7ff9ab505a32 in RunRefreshDrivers /gecko/layout/base/nsRefreshDriver.cpp:819:5
    #27 0x7ff9ab505a32 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /gecko/layout/base/nsRefreshDriver.cpp:737:16
Flags: in-testsuite?
Flags: needinfo?(aethanyc)
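The detail the report turns on is the difference between two kinds of poisoning. In Gecko, frame poisoning overwrites a destroyed frame's memory with a poison pointer value, so only a later dereference of that value faults; ASan region poisoning instead marks the freed address range itself, so any load from it is reported, including the 8-byte read of the first-child pointer that IsEmpty performs without dereferencing anything. The C program below is an added illustration of that distinction and is not Gecko code or the reporter's test case: the Arena, FrameList, POISON_VALUE and the function names are constructed for this example, and the ASan calls used are the public ones from sanitizer/asan_interface.h.

```c
/* Added example, not Gecko code: a toy arena whose free() applies both
 * frame-poisoning (fill with a poison pointer) and, when built with
 * -fsanitize=address, ASan region poisoning. It then performs the same
 * kind of stale read that IsEmpty() does in the report above. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif
#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#endif

enum { ARENA_SIZE = 8192 };  /* same chunk size as in the ASan report */

/* Constructed poison value for this example. Gecko's real value points into
 * a deliberately unmapped page so that dereferencing it faults. */
#define POISON_VALUE ((uintptr_t)0x7ffff0000000ULL)

typedef struct {
    unsigned char bytes[ARENA_SIZE];
    size_t used;
} Arena;

/* Stand-in for the two pointers an nsFrameList holds. */
typedef struct {
    void *first_child;
    void *last_child;
} FrameList;

static void *arena_alloc(Arena *a, size_t n) {
    n = (n + 7) & ~(size_t)7;                 /* 8-byte alignment */
    if (a->used + n > ARENA_SIZE) return NULL;
    void *p = a->bytes + a->used;
    a->used += n;
#ifdef HAVE_ASAN
    ASAN_UNPOISON_MEMORY_REGION(p, n);        /* chunk is poisoned until handed out */
#endif
    return p;
}

/* Memory is never reused here; free() only poisons it. */
static void arena_free(void *p, size_t n) {
    uintptr_t *w = (uintptr_t *)p;
    for (size_t i = 0; i < n / sizeof(uintptr_t); i++)
        w[i] = POISON_VALUE;                  /* frame-poisoning style */
#ifdef HAVE_ASAN
    ASAN_POISON_MEMORY_REGION(p, n);          /* region poisoning: any access is reported */
#endif
}

/* Mirrors nsFrameList::IsEmpty(): loads the pointer, never dereferences it. */
static int frame_list_is_empty(const FrameList *fl) {
    return fl->first_child == NULL;
}

/* 1 if ASan would report a read of fl->first_child, 0 if it would pass silently. */
static int stale_read_is_detected(const FrameList *fl) {
#ifdef HAVE_ASAN
    return __asan_address_is_poisoned(&fl->first_child);
#else
    (void)fl;
    return 0;
#endif
}

/* Allocate a list, free it, then call IsEmpty() on the stale pointer.
 * Returns 1 when ASan region poisoning would have flagged the read (the
 * read itself is skipped so the process does not abort), 0 when the read
 * went through undetected, with its results stored in the out-parameters. */
static int run_stale_read_scenario(int *empty_result, int *value_is_poison) {
    static Arena arena;
    memset(&arena, 0, sizeof arena);
#ifdef HAVE_ASAN
    ASAN_POISON_MEMORY_REGION(arena.bytes, ARENA_SIZE);
#endif
    FrameList *fl = arena_alloc(&arena, sizeof *fl);
    fl->first_child = fl->last_child = NULL;  /* an empty list while alive */
    arena_free(fl, sizeof *fl);
    if (stale_read_is_detected(fl)) {
        *empty_result = -1;
        *value_is_poison = -1;
        return 1;
    }
    /* Comparing a poisoned pointer against NULL does not fault, so frame
     * poisoning lets this through: the freed list now reports "not empty". */
    *empty_result = frame_list_is_empty(fl);
    *value_is_poison = (uintptr_t)fl->first_child == POISON_VALUE;
    return 0;
}
```

In a plain build the scenario returns 0 and the stale IsEmpty() answers "not empty" without any crash, which is the behaviour the reporter describes as not being caught by frame poisoning; under -fsanitize=address the freed range is poisoned and a real read of it would produce the same use-after-poison report shown above.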

A Pernosco session is available here: https://pernos.co/debug/ySkO1G2dN_hTE9rGLVuCaQ/index.html

Spoke with Ting-Yu, and he is planning to take a look at this.

Assignee: nobody → aethanyc
Severity: -- → S2
Priority: -- → P2

Hi Tyson,

This testcase is tricky to reproduce. I see no assertions or crashes in my local debug build, nor in the ASan build (2020-07-02) [1] with prefs generated via python -m prefpicker browser-fuzzing.yml prefs.js [2]. I run the command like this:

python3 -m ffpuppet ~/Downloads/firefox-asan/firefox-bin -p prefs.js -d -u ~/Downloads/1645718.html

Could you let me know whether you could still reproduce this? I was hoping this is fixed by my recent patches in bug 1645549 and bug 1648577.

[1] https://firefox-source-docs.mozilla.org/tools/sanitizer/asan.html#downloading-artifact-builds
[2] https://github.com/MozillaSecurity/prefpicker

Flags: needinfo?(aethanyc) → needinfo?(twsmith)

I am able to reproduce the issue but with another test case found via the fuzzers. I will reduce it and attach it when it is complete.

Attached file testcase.html

Give this testcase a try. Seems to be 100% reliable for me but it does require an ASan build.

Attachment #9156601 - Attachment is obsolete: true
Flags: needinfo?(twsmith) → needinfo?(aethanyc)

Thank you! I can reproduce with the latest testcase on an ASan build.

On my local debug build, I also see this assertion. Something fishy there:

[Child 11945, Main Thread] ###!!! ASSERTION: overflow containers must be zero-block-size: 'finalSize.BSize(wm) == 0', file /home/aethanyc/Projects/gecko/layout/generic/nsBlockFrame.cpp, line 1945
Flags: needinfo?(aethanyc)

This bug has the same signature as bug 1666592, and I cannot reproduce this on the Firefox ASan build 2020-10-01. The assertion in comment 6 is an existing issue (bug 574889).

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: layout-core-security