AddressSanitizer: use-after-poison [@ get] with READ of size 8
Categories: Core :: Layout: Tables, defect
People: Reporter: jkratzer, Assigned: emilio
References: Blocks 1 open bug
Details: Keywords: crash, sec-high, testcase; Whiteboard: [bugmon:confirm][sec-survey][adv-main82+r][adv-esr78.4+r], [wptsync upstream]
Attachments (5 files):
- 674 bytes, text/html
- 9.15 KB, application/x-javascript
- 47 bytes, text/x-phabricator-request (tjr: approval-mozilla-beta+; RyanVM: approval-mozilla-esr78+; tjr: sec-approval+)
- 47 bytes, text/x-phabricator-request (tjr: approval-mozilla-beta+; tjr: approval-mozilla-esr78+; tjr: sec-approval+)
- 47 bytes, text/x-phabricator-request
Found while fuzzing mozilla-central rev d4e11195e398. I'm currently reducing the testcase and will attach it once complete.
==15214==ERROR: AddressSanitizer: use-after-poison on address 0x625000b9ccc0 at pc 0x7f99e94147d0 bp 0x7fff961b3100 sp 0x7fff961b30f8
READ of size 8 at 0x625000b9ccc0 thread T0 (file:// Content)
#0 0x7f99e94147cf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
#1 0x7f99e94147cf in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
#2 0x7f99e94147cf in nsIFrame::StyleDisplay() const /builds/worker/workspace/obj-build/dist/include/nsStyleStructList.h:46:1
#3 0x7f99ef248a1d in nsTableFrame::PageBreakAfter(nsIFrame*, nsIFrame*) /gecko/layout/tables/nsTableFrame.cpp:230:27
#4 0x7f99ef26146e in nsTableFrame::ReflowChildren(mozilla::TableReflowInput&, nsReflowStatus&, nsIFrame*&, nsOverflowAreas&) /gecko/layout/tables/nsTableFrame.cpp:3054:21
#5 0x7f99ef25d249 in nsTableFrame::ReflowTable(mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, nsIFrame*&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:2035:3
#6 0x7f99ef25b7a4 in nsTableFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableFrame.cpp:1821:5
#7 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
#8 0x7f99ef2a25d5 in nsTableWrapperFrame::OuterDoReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:783:3
#9 0x7f99ef2a3ad6 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/tables/nsTableWrapperFrame.cpp:936:3
#10 0x7f99eef04970 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:294:11
#11 0x7f99eeefb9ad in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3833:11
#12 0x7f99eeef7f65 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3169:5
#13 0x7f99eeeeed54 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2707:7
#14 0x7f99eeee6e56 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1368:3
#15 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
#16 0x7f99eef3050e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:749:5
#17 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
#18 0x7f99ef142304 in nsPageContentFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageContentFrame.cpp:63:5
#19 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
#20 0x7f99ef1437b8 in nsPageFrame::ReflowPageContent(nsPresContext*, mozilla::ReflowInput const&) /gecko/layout/generic/nsPageFrame.cpp:136:3
#21 0x7f99ef143d86 in nsPageFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageFrame.cpp:163:13
#22 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
#23 0x7f99eee98bb7 in mozilla::PrintedSheetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/PrintedSheetFrame.cpp:130:5
#24 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
#25 0x7f99ef14c352 in nsPageSequenceFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsPageSequenceFrame.cpp:287:5
#26 0x7f99eef31847 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1075:14
#27 0x7f99eefc0425 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:755:3
#28 0x7f99eefc1c9d in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:879:3
#29 0x7f99eefc8533 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1277:3
#30 0x7f99eeed6c01 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1115:14
#31 0x7f99eeed6284 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:297:7
#32 0x7f99eecf6c4d in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9643:11
#33 0x7f99eed09697 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9816:24
#34 0x7f99eed08109 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4239:11
#35 0x7f99ef637822 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1403:5
#36 0x7f99ef637822 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1888:14
#37 0x7f99ef63580a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1478:3
#38 0x7f99ef62e22a in nsPrintJob::InitPrintDocConstruction(bool) /gecko/layout/printing/nsPrintJob.cpp:1510:3
#39 0x7f99ef63ba88 in nsPrintJob::Observe(nsISupports*, char const*, char16_t const*) /gecko/layout/printing/nsPrintJob.cpp:2646:17
#40 0x7f99f2408be9 in mozilla::embedding::PrintProgressDialogChild::RecvDialogOpened() /gecko/toolkit/components/printingui/ipc/PrintProgressDialogChild.cpp:37:18
#41 0x7f99e8261fc4 in mozilla::embedding::PPrintProgressDialogChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PPrintProgressDialogChild.cpp:228:28
#42 0x7f99e7da7ef1 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8796:32
#43 0x7f99e7b3cb1e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2150:25
#44 0x7f99e7b38ad4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2074:9
#45 0x7f99e7b3a8d8 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1922:3
#46 0x7f99e7b3b3a8 in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1953:13
#47 0x7f99e6837ea9 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:242:16
#48 0x7f99e68343b7 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:512:26
#49 0x7f99e6832257 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:371:15
#50 0x7f99e68326ad in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:168:36
#51 0x7f99e6843ce4 in operator() /gecko/xpcom/threads/TaskController.cpp:86:37
#52 0x7f99e6843ce4 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_5>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:577:5
#53 0x7f99e6867d04 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1234:14
#54 0x7f99e687248c in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:513:10
#55 0x7f99e7b45744 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:109:5
#56 0x7f99e7a4a141 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#57 0x7f99e7a4a141 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#58 0x7f99e7a4a141 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#59 0x7f99ee7ad6d7 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
#60 0x7f99f247583f in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:913:20
#61 0x7f99e7a4a141 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:334:10
#62 0x7f99e7a4a141 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:327:3
#63 0x7f99e7a4a141 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:309:3
#64 0x7f99f2474ddc in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:744:34
#65 0x5581422948dd in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#66 0x558142294d17 in main /gecko/browser/app/nsBrowserApp.cpp:303:18
#67 0x7f9a02d5e0b2 in __libc_start_main /build/glibc-YYA7BZ/glibc-2.31/csu/../csu/libc-start.c:308:16
#68 0x5581421e8279 in _start (/home/worker/builds/m-c-20200904033504-fuzzing-asan-opt/firefox+0x5c279)
0x625000b9ccc0 is located 960 bytes inside of 8192-byte region [0x625000b9c900,0x625000b9e900)
allocated by thread T0 (file:// Content) here:
#0 0x55814226210d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
#1 0x7f99e681b5e0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
#2 0x7f99eee51e4e in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:205:25
#3 0x7f99eee51e4e in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:67:12
#4 0x7f99eee51e4e in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:71:15
#5 0x7f99ef29a525 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:259:32
#6 0x7f99ef29a525 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:251:12
#7 0x7f99ef29a525 in operator new /gecko/layout/tables/nsTableRowGroupFrame.cpp:1650:1
#8 0x7f99ef29a525 in NS_NewTableRowGroupFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/tables/nsTableRowGroupFrame.cpp:1646:10
#9 0x7f99eed8905e in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:1951:16
#10 0x7f99eed97240 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
#11 0x7f99eed9ecba in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#12 0x7f99eed87486 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#13 0x7f99eed88197 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
#14 0x7f99eed86c5e in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:1893:5
#15 0x7f99eed97240 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:3611:16
#16 0x7f99eed9ecba in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:5652:3
#17 0x7f99eed87486 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /gecko/layout/base/nsCSSFrameConstructor.cpp:9438:5
#18 0x7f99eed88197 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:9603:3
#19 0x7f99eed8e2f8 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*) /gecko/layout/base/nsCSSFrameConstructor.cpp:10483:3
#20 0x7f99eed8bb21 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*) /gecko/layout/base/nsCSSFrameConstructor.cpp:2352:5
#21 0x7f99eeda3a3f in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind) /gecko/layout/base/nsCSSFrameConstructor.cpp:6956:9
#22 0x7f99eecf2e57 in mozilla::PresShell::Initialize() /gecko/layout/base/PresShell.cpp:1863:26
#23 0x7f99ef637726 in nsPrintJob::ReflowPrintObject(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&) /gecko/layout/printing/nsPrintJob.cpp:1883:3
#24 0x7f99ef63580a in nsPrintJob::ReflowDocList(mozilla::UniquePtr<nsPrintObject, mozilla::DefaultDelete<nsPrintObject> > const&, bool) /gecko/layout/printing/nsPrintJob.cpp:1478:3
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
0x0c4a8016b940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b970: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a8016b990: 00 00 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
0x0c4a8016b9a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00
0x0c4a8016b9b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b9c0: 00 00 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b9d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8016b9e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==15214==ABORTING
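As an added triage helper (not part of this bug or of Gecko), the script below parses an ASan report of the shape above, recomputes the flagged shadow byte from the faulting address instead of trusting the [..] marker, and tells a manually poisoned arena slot (f7, what frame poisoning produces) apart from a freed malloc block (fd). The x86-64 shadow offset 0x7fff8000 and the /gecko/ source prefix are assumptions; the sample report is a cut-down copy of the one in this bug.

```python
import re

# Default ASan shadow mapping on x86-64 Linux (assumed): shadow = (addr >> 3) + 0x7fff8000.
SHADOW_SCALE, SHADOW_OFFSET = 3, 0x7FFF8000
# Subset of the legend ASan prints under "Shadow byte legend".
LEGEND = {0x00: "Addressable", 0xf7: "Poisoned by user", 0xfd: "Freed heap region",
          0xfa: "Heap left redzone", 0xf8: "Stack use after scope"}
FRAME_RE = re.compile(r"^#\d+ 0x[0-9a-f]+ in (.+?) (/\S+)$")

# Constructed sample: a cut-down copy of the report in this bug (most frames omitted).
SAMPLE = """\
==15214==ERROR: AddressSanitizer: use-after-poison on address 0x625000b9ccc0 at pc 0x7f99e94147d0 bp 0x7fff961b3100 sp 0x7fff961b30f8
READ of size 8 at 0x625000b9ccc0 thread T0 (file:// Content)
    #0 0x7f99e94147cf in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #2 0x7f99e94147cf in nsIFrame::StyleDisplay() const /builds/worker/workspace/obj-build/dist/include/nsStyleStructList.h:46:1
    #3 0x7f99ef248a1d in nsTableFrame::PageBreakAfter(nsIFrame*, nsIFrame*) /gecko/layout/tables/nsTableFrame.cpp:230:27
0x625000b9ccc0 is located 960 bytes inside of 8192-byte region [0x625000b9c900,0x625000b9e900)
allocated by thread T0 (file:// Content) here:
    #0 0x55814226210d in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7f99e681b5e0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:171:15
Shadow bytes around the buggy address:
=>0x0c4a8016b990: 00 00 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
"""

def parse_asan_report(text):
    """Pull out the fields triage needs: error kind, access, frames, region and shadow row."""
    rep = {"frames": [], "alloc_frames": []}
    dest = "frames"
    for line in text.splitlines():
        line = line.strip()
        if m := re.search(r"AddressSanitizer: (\S+) on address 0x([0-9a-f]+)", line):
            rep["error"], rep["address"] = m.group(1), int(m.group(2), 16)
        elif m := re.match(r"(READ|WRITE) of size (\d+)", line):
            rep["access"], rep["size"] = m.group(1), int(m.group(2))
        elif m := re.match(r"0x[0-9a-f]+ is located (\d+) bytes inside of (\d+)-byte region \[0x([0-9a-f]+),", line):
            rep["offset"], rep["region_size"] = int(m.group(1)), int(m.group(2))
            rep["region_start"] = int(m.group(3), 16)
        elif line.startswith("allocated by"):
            dest = "alloc_frames"  # the frames that follow describe the allocation site
        elif m := FRAME_RE.match(line):
            rep[dest].append((m.group(1), m.group(2)))
        elif line.startswith("=>"):  # the shadow row containing the flagged byte
            row, rest = line[2:].split(":", 1)
            toks = re.findall(r"\[?[0-9a-f]{2}\]?", rest)
            rep["shadow_row"] = int(row, 16)
            rep["shadow_bytes"] = [int(t.strip("[]"), 16) for t in toks]
            rep["marked_col"] = next(i for i, t in enumerate(toks) if t.startswith("["))
    return rep

def shadow_address(addr):
    return (addr >> SHADOW_SCALE) + SHADOW_OFFSET

def triage(rep):
    """Recompute the flagged shadow byte from the address and classify what was hit."""
    col = shadow_address(rep["address"]) - rep["shadow_row"]
    if col != rep["marked_col"]:
        raise ValueError("shadow mapping disagrees with the [..] marker in the report")
    if rep["address"] - rep["region_start"] != rep["offset"]:
        raise ValueError("region offset in the report does not add up")
    val = rep["shadow_bytes"][col]
    # First frame in Gecko source proper, skipping the inlined RefPtr/style accessors.
    culprit = next((f for f, loc in rep["frames"] if loc.startswith("/gecko/")), None)
    arena = any("ArenaAllocator" in f for f, _ in rep["alloc_frames"])
    return {"shadow": val, "kind": LEGEND.get(val, "unknown"), "culprit": culprit,
            # f7 inside a still-allocated arena chunk: a freed, poisoned slot (frame poisoning),
            # not a freed malloc block, which would show fd and a "freed by" stack.
            "poisoned_arena_slot": val == 0xf7 and arena}
```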
Comment 1 (Reporter) • 4 years ago

Comment 2 (Reporter) • 4 years ago

Comment 3 (Assignee) • 4 years ago
Nice, so happy we can fuzz the printing code now!
Comment 4 (Assignee) • 4 years ago
This causes an assertion when printing the test-case, though it turns
out not to be the cause of the bug in the end. Still seems worth fixing,
and will be tested by the test in the following patch.
Comment 5 (Assignee) • 4 years ago
As the reflow may destroy the next-in-flow. See existing code.
Depends on D90145
Comment 6 (Assignee) • 4 years ago
Depends on D90146
Comment 7 (Assignee) • 4 years ago
Comment on attachment 9175594 [details]
Bug 1663439 - Re-order rowgroups if reflowing a tfoot with an already split next-in-flow. r=TYlin
Beta/Release Uplift Approval Request
- User impact if declined:
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined:
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky):
- String or UUID changes made by this patch:
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Not too easily, but not impossible either... This is mitigated by frame poisoning.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Fix should apply cleanly
- How likely is this patch to cause regressions; how much testing does it need?: not likely
Comment 8 • 4 years ago
Comment on attachment 9175593 [details]
Bug 1663439 - Avoid negative avail bsizes in paginated table reflow. r=TYLin
Approved to land and uplift. I wonder if this should go to ESR also just to have consistency in the branches?
Comment 9 • 4 years ago
Comment on attachment 9175594 [details]
Bug 1663439 - Re-order rowgroups if reflowing a tfoot with an already split next-in-flow. r=TYlin
Approved to land and uplift
Comment 10 (Assignee) • 4 years ago
Comment on attachment 9175593 [details]
Bug 1663439 - Avoid negative avail bsizes in paginated table reflow. r=TYLin
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: See comment 8
- User impact if declined: Probably layout weirdness.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple fix to avoid negative sizes during paged reflow.
- String or UUID changes made by this patch: none
Comment 11 • 4 years ago
https://hg.mozilla.org/integration/autoland/rev/c722cd6d2abbfefc60e3942599ebdfd20c5574ec
https://hg.mozilla.org/integration/autoland/rev/241b1e86821c0b36bda600380dcd22482041e5f3
https://hg.mozilla.org/mozilla-central/rev/c722cd6d2abb
https://hg.mozilla.org/mozilla-central/rev/241b1e86821c
Comment 12 • 4 years ago
uplift
Comment 13 • 4 years ago
I was able to reproduce this crash by using the test case from comment 1, on an affected Nightly asan build from 2020-09-07.
The crash is not reproducing anymore with the attached test case, when hitting the print button, on the latest asan builds: Beta 82.0b2 (20200922141418) and 83.0a1 (20200923095909) running Ubuntu 18.04 x64.
Comment 14 • 4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 16 • 4 years ago
uplift
Comment 17 • 2 years ago
I don't think this test ever landed... (Sorry Emilio, I know I keep bugging you about ages-old things!)
Comment 19 • 2 years ago

Comment 21 • 2 years ago

Comment 22 • 2 years ago
bugherder