Open Bug 1668046 Opened 4 years ago Updated 2 years ago

stack-overflow in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]

Categories

(Core :: Layout, defect)

Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- affected
firefox83 --- wontfix
firefox104 --- wontfix
firefox105 --- wontfix
firefox106 --- affected

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase, Whiteboard: [bugmon:confirmed])

Attachments

(1 file, 1 obsolete file)

Attached file testcase.zip (obsolete)

Testcase found while fuzzing mozilla-central rev 5f3283738794.

==13017==ERROR: UndefinedBehaviorSanitizer: stack-overflow on address 0x7ffcc6577ff8 (pc 0x7f5de59c0b0f bp 0x7ffcc6578090 sp 0x7ffcc6578000 T13017)
    #0 0x7f5de59c0b0f in operator nsIStatefulFrame *<nsIStatefulFrame> /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp
    #1 0x7f5de59c0b0f in nsFrameManager::CaptureFrameStateFor(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:133:37
    #2 0x7f5de59a9520 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:163:3
    #3 0x7f5de59a960a in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:175:7
    #4 0x7f5de59a61fd in CaptureStateForFramesOf /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8193:5
    #5 0x7f5de59a61fd in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7455:7
    #6 0x7f5de59a6187 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7441:31
    #7 0x7f5de599e92c in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8567:7
    #8 0x7f5de59a71f4 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp

SUMMARY: UndefinedBehaviorSanitizer: stack-overflow /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp in operator nsIStatefulFrame *<nsIStatefulFrame>
==13017==ABORTING
Flags: in-testsuite?

Bugmon Analysis:
Unable to reproduce bug using the following builds:

mozilla-central 20200929153831-324ea565091e
mozilla-central 20200929153831-324ea565091e
Removing bugmon keyword as no further action possible.
Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon
Whiteboard: [bugmon:confirm] → [bugmon:confirmed]
Attached file testcase.html

Updated test case.

Attachment #9178488 - Attachment is obsolete: true
Severity: normal → S3

Simplifying bug summary to steal the clearer/more-concise summary from the dupe bug (bug 1753132). (The bug here isn't really that we're triggering undefined behavior, but rather that we're hitting a stack overflow.)

Summary: UndefinedBehaviorSanitizer: stack-overflow /builds/worker/checkouts/gecko/layout/base/nsFrameManager.cpp:163:3 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) → stack-overflow in [@ nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval]