Closed
Bug 1692684
(CVE-2021-23983)
Opened 3 years ago
Closed 3 years ago
ASAN: runtime error: index out of bounds for type 'nsCSSPropertyIDSet::property_set_type const[6]'
Categories
(Core :: CSS Transitions and Animations, defect)
Core
CSS Transitions and Animations
Tracking
()
VERIFIED
FIXED
88 Branch
People
(Reporter: sourc7, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, sec-moderate, Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main87+])
Crash Data
Attachments
(3 files)
|
379 bytes,
text/html
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
tjr
:
approval-mozilla-beta+
tjr
:
sec-approval+
|
Details | Review |
|
285 bytes,
text/plain
|
Details |
After visit the testcase.html, the tab crashes immediately.
Interestingly ASAN shows runtime error: index 288230376151711743 out of bounds for type 'nsCSSPropertyIDSet::property_set_type const[6]' when attach with GDB I got SIGBUS signal with one of CPU register show 0x3ffffffffffffff (288230376151711743 decimal to hex).
On the debug build, it throw assertion failure as follow:
Assertion failure: false (MOZ_ASSERT_UNREACHABLE: Transition effect has unexpected shape), at /home/sourc7/git/gecko-dev-desktop/dom/animation/CSSTransition.cpp:332
Affected version:
- Firefox 87.0a1 (2021-02-12) (64-bit)
- Firefox 85.0.2 (64-bit)
Unaffected version:
- Firefox 78.7.1esr (64-bit)
AddressSanitizer output:
/builds/worker/workspace/obj-build/dist/include/nsCSSPropertyIDSet.h:65:13: runtime error: index 288230376151711743 out of bounds for type 'nsCSSPropertyIDSet::property_set_type const[6]'
#0 0x7f33732c2ba9 in nsCSSPropertyIDSet::HasProperty(nsCSSPropertyID) const /builds/worker/workspace/obj-build/dist/include/nsCSSPropertyIDSet.h:65:13
#1 0x7f3378663bda in nsTransitionManager::DoUpdateTransitions(nsStyleDisplay const&, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /builds/worker/checkouts/gecko/layout/style/nsTransitionManager.cpp:178:37
#2 0x7f33786635a5 in nsTransitionManager::UpdateTransitions(mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /builds/worker/checkouts/gecko/layout/style/nsTransitionManager.cpp:66:10
#3 0x7f3378592e6c in Gecko_UpdateAnimations /builds/worker/checkouts/gecko/layout/style/GeckoBindings.cpp:557:39
#4 0x7f337f357fb8 in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::h706a661a2cc87be0 /builds/worker/checkouts/gecko/servo/components/style/gecko/wrapper.rs:1533:13
#5 0x7f337dacad80 in style::context::SequentialTask$LT$E$GT$::execute::hb77eddccbfe6f69a /builds/worker/checkouts/gecko/servo/components/style/context.rs:499:17
#6 0x7f337dacad80 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::ha99886dfdfd0ee66 /builds/worker/checkouts/gecko/servo/components/style/context.rs:627:13
#7 0x7f337dacad80 in core::ptr::drop_in_place::h72e47b2865f67285 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#8 0x7f337dacad80 in core::ptr::drop_in_place::h34b976fde6975c35 /builds/worker/fetches/rustc/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#9 0x7f337daba91b in style::driver::traverse_dom::hc09c3e623ef18d07 /builds/worker/checkouts/gecko/servo/components/style/driver.rs:193:1
#10 0x7f337dab3f5d in geckoservo::glue::traverse_subtree::hb212a434182b9665 /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:265:5
#11 0x7f337dab3257 in Servo_TraverseSubtree /builds/worker/checkouts/gecko/servo/ports/geckolib/glue.rs:325:5
#12 0x7f33785e8482 in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/style/ServoStyleSet.cpp:744:9
#13 0x7f3378736131 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:2981:20
#14 0x7f33786fced3 in ProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3111:3
#15 0x7f33786fced3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4215:39
#16 0x7f3373ea9244 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1422:5
#17 0x7f3373ea9244 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10331:16
#18 0x7f3373ee7f58 in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10252:3
#19 0x7f3373ee7f58 in GetPrimaryFrame /builds/worker/checkouts/gecko/dom/base/Element.cpp:250:10
#20 0x7f3373ee7f58 in mozilla::dom::Element::GetScrollFrame(nsIFrame**, mozilla::FlushType) /builds/worker/checkouts/gecko/dom/base/Element.cpp:620:21
#21 0x7f3373ee861c in mozilla::dom::Element::Scroll(mozilla::gfx::IntPointTyped<mozilla::CSSPixel> const&, mozilla::dom::ScrollOptions const&) /builds/worker/checkouts/gecko/dom/base/Element.cpp:746:28
#22 0x7f3373ee8834 in mozilla::dom::Element::Scroll(double, double) /builds/worker/checkouts/gecko/dom/base/Element.cpp:761:3
#23 0x7f337563fddc in mozilla::dom::Element_Binding::scroll(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/obj-build/dom/bindings/ElementBinding.cpp:3283:28
#24 0x7f3375a29d33 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/checkouts/gecko/dom/bindings/BindingUtils.cpp:3233:13
#25 0x7f337bbc64d6 in CallJSNative /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:435:13
#26 0x7f337bbc64d6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:520:12
#27 0x7f337bbc826e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#28 0x7f337bbb155d in CallFromStack /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:584:10
#29 0x7f337bbb155d in Interpret(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:3243:16
#30 0x7f337bb952c3 in js::RunScript(JSContext*, js::RunState&) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:405:13
#31 0x7f337bbc6606 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:552:13
#32 0x7f337bbc826e in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:580:10
#33 0x7f337bbc84eb in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/checkouts/gecko/js/src/vm/Interpreter.cpp:597:8
#34 0x7f337c427bd2 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/checkouts/gecko/js/src/jsapi.cpp:2861:10
#35 0x7f33756791dc in mozilla::dom::EventHandlerNonNull::Call(mozilla::dom::BindingCallContext&, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /builds/worker/workspace/obj-build/dom/bindings/EventHandlerBinding.cpp:279:37
#36 0x7f33761dc721 in void mozilla::dom::EventHandlerNonNull::Call<nsCOMPtr<mozilla::dom::EventTarget> >(nsCOMPtr<mozilla::dom::EventTarget> const&, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/obj-build/dist/include/mozilla/dom/EventHandlerBinding.h:366:12
#37 0x7f33761daaac in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/dom/events/JSEventHandler.cpp:201:12
#38 0x7f33761a4a06 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1107:22
#39 0x7f33761a6097 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1298:17
#40 0x7f337619376e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:353:17
#41 0x7f3376191fe0 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:555:16
#42 0x7f33761962b5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1098:11
#43 0x7f33787b6e5b in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:1103:7
#44 0x7f337af2dc50 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:6512:20
#45 0x7f337af2cfc8 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:5868:7
#46 0x7f337af2ed7f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
#47 0x7f3372d88a86 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:1332:3
#48 0x7f3372d877f5 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:938:14
#49 0x7f3372d8478c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:757:9
#50 0x7f3372d865c0 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:640:5
#51 0x7f3372d8739c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp
#52 0x7f337146287b in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:616:22
#53 0x7f3371464fe3 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:523:10
#54 0x7f3373a903a5 in imgRequestProxy::RemoveFromLoadGroup() /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:371:15
#55 0x7f3373a96691 in imgRequestProxy::OnLoadComplete(bool) /builds/worker/checkouts/gecko/image/imgRequestProxy.cpp:1004:7
#56 0x7f3373a68fe7 in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:351:13
#57 0x7f3373a68fe7 in void mozilla::image::ImageObserverNotifier<mozilla::image::ObserverTable const*>::operator()<void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&)::'lambda5'(mozilla::image::IProgressObserver*)>(mozilla::image::ObserverTable const*) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:281:9
#58 0x7f3373a6746f in void mozilla::image::SyncNotifyInternal<mozilla::image::ObserverTable const*>(mozilla::image::ObserverTable const* const&, bool, unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:350:5
#59 0x7f3373a190e7 in operator() /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:369:5
#60 0x7f3373a190e7 in Read<(lambda at /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:368:19)> /builds/worker/checkouts/gecko/image/CopyOnWrite.h:155:12
#61 0x7f3373a190e7 in mozilla::image::ProgressTracker::SyncNotifyProgress(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&) /builds/worker/checkouts/gecko/image/ProgressTracker.cpp:368:14
#62 0x7f3373a4a3d7 in mozilla::image::VectorImage::OnSVGDocumentLoaded() /builds/worker/checkouts/gecko/image/VectorImage.cpp:1445:23
#63 0x7f3373a54542 in mozilla::image::SVGLoadEventListener::HandleEvent(mozilla::dom::Event*) /builds/worker/checkouts/gecko/image/VectorImage.cpp:210:13
#64 0x7f33761a4a06 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1107:22
#65 0x7f33761a60e0 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/dom/events/EventListenerManager.cpp:1298:17
#66 0x7f337619376e in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:353:17
#67 0x7f3376191fe0 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:555:16
#68 0x7f33761962b5 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp:1098:11
#69 0x7f337619b8d9 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/checkouts/gecko/dom/events/EventDispatcher.cpp
#70 0x7f337413171a in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/checkouts/gecko/dom/base/nsINode.cpp:1331:17
#71 0x7f33761b27b3 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/checkouts/gecko/dom/events/EventTarget.cpp:177:13
#72 0x7f3376128d1c in mozilla::AsyncEventDispatcher::Run() /builds/worker/checkouts/gecko/dom/events/AsyncEventDispatcher.cpp:69:12
#73 0x7f337118fdf6 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:472:16
#74 0x7f337118c9b2 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:753:26
#75 0x7f337118a897 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:611:15
#76 0x7f337118aced in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:395:36
#77 0x7f3371197431 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:133:37
#78 0x7f3371197431 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
#79 0x7f33711b28f4 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1158:16
#80 0x7f33711bc72c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
#81 0x7f337229309a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#82 0x7f33721be191 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#83 0x7f33721be191 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#84 0x7f33721be191 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#85 0x7f33781d91b7 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#86 0x7f337b99760f in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:902:20
#87 0x7f33721be191 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:335:10
#88 0x7f33721be191 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:328:3
#89 0x7f33721be191 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:310:3
#90 0x7f337b996d9c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:733:34
#91 0x55a7f500607d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#92 0x55a7f50064a1 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:306:18
#93 0x7f338cf52b24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
#94 0x55a7f4f59a3c in _start (/home/sourc7/Programs/firefox-asan/firefox+0x54a3c)
SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior /builds/worker/workspace/obj-build/dist/include/nsCSSPropertyIDSet.h:65:13 in
GDB output:
[ Legend: Modified register | Code | Heap | Stack | String ]
───────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$rax : 0xffffffffffffffff
$rbx : 0x1
$rcx : 0x3ffffffffffffff
$rdx : 0x0
$rsp : 0x00007fffffffadd0 → 0x00007fffab78a970 → 0x0000000000000001
$rbp : 0x00007fffffffaea0 → 0x00007fffffffaef0 → 0x00007fffffffaf90 → 0x00007fffffffafe0 → 0x00007fffffffb080 → 0x00007fffffffb0c0 → 0x00007fffffffb640 → 0x00007fffffffb760
$rsi : 0x2
$rdi : 0x00007fffa94b1800 → 0x00007ffff4c2d698 → 0x00007fffef5a6a70 → <mozilla::dom::Animation::QueryInterface(nsID+0> push rbp
$rip : 0x00007ffff12004e2 → <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> mov rcx, QWORD PTR [rbp+rcx*8-0x90]
$r8 : 0x00007fffab3c59d8 → 0x0000000100007f00
$r9 : 0x2
$r10 : 0x00007fffaa0f6e28 → 0x00007fffadb8f1f8 → 0x00007fffe8da3760 → 0x0000000000000054 ("T"?)
$r11 : 0x0
$r12 : 0x00007fffa94b1800 → 0x00007ffff4c2d698 → 0x00007fffef5a6a70 → <mozilla::dom::Animation::QueryInterface(nsID+0> push rbp
$r13 : 0x00007fffab391668 → 0x00007fffb01ce8c0 → 0x0000000300000002
$r14 : 0x00007fffab9ecb68 → 0x0000000100007f00
$r15 : 0x1ad
$eflags: [zero CARRY PARITY ADJUST sign trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0033 $ss: 0x002b $ds: 0x0000 $es: 0x0000 $fs: 0x0000 $gs: 0x0000
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0x00007fffffffadd0│+0x0000: 0x00007fffab78a970 → 0x0000000000000001 ← $rsp
0x00007fffffffadd8│+0x0008: 0x0000000000000001
0x00007fffffffade0│+0x0010: 0x00007fffa8c02700 → 0x00007ffff4dccda8 → 0x00007fffef7e43a0 → <nsStyledElement::QueryInterface(nsID+0> push rbp
0x00007fffffffade8│+0x0018: 0x00007fffae59a6a0 → 0x00007ffff4ea0918 → 0x00007ffff12baaf0 → <mozilla::CommonAnimationManager<mozilla::dom::CSSTransition>::~CommonAnimationManager()+0> push rbp
0x00007fffffffadf0│+0x0020: 0x00007fffffffaeb8 → 0x00007fffab391640 → 0x00007fffae59a6a8 → 0x00007fffab391640 → [loop detected]
0x00007fffffffadf8│+0x0028: 0x00000002ffffad70
0x00007fffffffae00│+0x0030: 0x00007fffffffad70 → 0xf8943c58872bf900
0x00007fffffffae08│+0x0038: 0x0000000000000000
─────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:64 ────
0x7ffff12004d8 <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> dec BYTE PTR [rax-0x68]
0x7ffff12004db <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> mov rcx, rax
0x7ffff12004de <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> shr rcx, 0x6
→ 0x7ffff12004e2 <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> mov rcx, QWORD PTR [rbp+rcx*8-0x90]
0x7ffff12004ea <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> bt rcx, rax
0x7ffff12004ee <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> jae 0x7ffff1200580 <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay const&, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&)+1424>
0x7ffff12004f4 <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> mov rdi, r12
0x7ffff12004f7 <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> call 0x7fffef5b2f40 <mozilla::dom::CSSTransition::TransitionProperty() const>
0x7ffff12004fc <nsTransitionManager::DoUpdateTransitions(nsStyleDisplay+0> mov r14d, eax
────────────────────────────────────────────────────────────────────────────────────── source:/home/sourc7/gi[...].h+65 ────
60 }
61
62 bool HasProperty(nsCSSPropertyID aProperty) const {
63 AssertInSetRange(aProperty);
64 size_t p = aProperty;
→ 65 return (mProperties[p / kBitsInChunk] &
66 (property_set_type(1) << (p % kBitsInChunk))) != 0;
67 }
68
69 // Returns an nsCSSPropertyIDSet including all properties that can be run
70 // on the compositor.
─────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "firefox", stopped 0x7ffff12004e2 in nsCSSPropertyIDSet::HasProperty (), reason: SIGBUS
[#1] Id 3, Name: "gmain", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#2] Id 4, Name: "IPC I/O Parent", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#3] Id 5, Name: "Timer", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#4] Id 6, Name: "Netlink Monitor", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#5] Id 7, Name: "Socket Thread", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#6] Id 8, Name: "Permission", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#7] Id 10, Name: "BHMgr Monitor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#8] Id 11, Name: "BHMgr Processor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#9] Id 13, Name: "JS Watchdog", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#10] Id 14, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#11] Id 15, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#12] Id 16, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#13] Id 17, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#14] Id 18, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#15] Id 19, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#16] Id 20, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#17] Id 21, Name: "JS Helper", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#18] Id 23, Name: "firefox:cs0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#19] Id 24, Name: "firefox:disk$0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#20] Id 25, Name: "firefox:disk$1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#21] Id 26, Name: "firefox:disk$2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#22] Id 27, Name: "firefox:disk$3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#23] Id 28, Name: "firefox:sh0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#24] Id 29, Name: "firefox:sh1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#25] Id 30, Name: "firefox:sh2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#26] Id 31, Name: "firefox:sh3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#27] Id 32, Name: "firefox:sh4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#28] Id 33, Name: "firefox:sh5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#29] Id 34, Name: "firefox:sh6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#30] Id 35, Name: "firefox:sh7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#31] Id 36, Name: "firefox:sh8", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#32] Id 37, Name: "firefox:shlo0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#33] Id 38, Name: "firefox:shlo1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#34] Id 39, Name: "firefox:shlo2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#35] Id 40, Name: "firefox:shlo3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#36] Id 41, Name: "GLXVsyncThread", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#37] Id 42, Name: "firefox:disk$0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#38] Id 43, Name: "firefox:disk$1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#39] Id 44, Name: "firefox:disk$2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#40] Id 45, Name: "firefox:disk$3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#41] Id 46, Name: "firefox:sh0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#42] Id 47, Name: "firefox:sh1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#43] Id 48, Name: "firefox:sh2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#44] Id 49, Name: "firefox:sh3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#45] Id 50, Name: "firefox:sh4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#46] Id 51, Name: "firefox:sh5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#47] Id 52, Name: "firefox:sh6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#48] Id 53, Name: "firefox:sh7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#49] Id 54, Name: "firefox:sh8", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#50] Id 55, Name: "firefox:shlo0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#51] Id 56, Name: "firefox:shlo1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#52] Id 57, Name: "firefox:shlo2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#53] Id 58, Name: "firefox:shlo3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#54] Id 59, Name: "firefox:gdrv0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#55] Id 60, Name: "Renderer", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#56] Id 61, Name: "WRWorker#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#57] Id 62, Name: "WRWorker#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#58] Id 63, Name: "WRWorker#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#59] Id 64, Name: "WRWorker#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#60] Id 65, Name: "WRWorker#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#61] Id 66, Name: "WRWorker#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#62] Id 67, Name: "WRWorker#6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#63] Id 68, Name: "WRWorker#7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#64] Id 69, Name: "WRWorkerLP#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#65] Id 70, Name: "WRWorkerLP#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#66] Id 71, Name: "WRWorkerLP#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#67] Id 72, Name: "WRWorkerLP#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#68] Id 73, Name: "WRWorkerLP#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#69] Id 74, Name: "WRWorkerLP#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#70] Id 75, Name: "WRWorkerLP#6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#71] Id 76, Name: "WRWorkerLP#7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#72] Id 77, Name: "Compositor", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#73] Id 78, Name: "ImageIO", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#74] Id 81, Name: "IPDL Background", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#75] Id 82, Name: "firefox", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGBUS
[#76] Id 83, Name: "IPC Launch", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#77] Id 84, Name: "TRR Background", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#78] Id 85, Name: "Cache2 I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#79] Id 86, Name: "Cookie", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#80] Id 90, Name: "Worker Launcher", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#81] Id 91, Name: "threaded-ml", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#82] Id 92, Name: "ImageBridgeChld", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#83] Id 93, Name: "firefox:gdrv0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#84] Id 94, Name: "WRScene~ilder#1", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#85] Id 95, Name: "WRScene~derLP#1", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#86] Id 96, Name: "WRRende~ckend#1", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#87] Id 97, Name: "FS Broker 16513", stopped 0x7ffff7fb65ad in recvmsg (), reason: SIGBUS
[#88] Id 98, Name: "QuotaManager IO", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#89] Id 100, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#90] Id 101, Name: "StyleThread#0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#91] Id 102, Name: "StyleThread#1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#92] Id 103, Name: "StyleThread#2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#93] Id 104, Name: "StyleThread#3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#94] Id 105, Name: "StyleThread#4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#95] Id 106, Name: "StyleThread#5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#96] Id 108, Name: "TaskCon~read #0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#97] Id 109, Name: "TaskCon~read #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#98] Id 110, Name: "TaskCon~read #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#99] Id 111, Name: "TaskCon~read #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#100] Id 112, Name: "TaskCon~read #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#101] Id 113, Name: "TaskCon~read #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#102] Id 114, Name: "TaskCon~read #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#103] Id 115, Name: "TaskCon~read #7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#104] Id 116, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#105] Id 119, Name: "Backgro~Pool #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#106] Id 120, Name: "dconf worker", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#107] Id 121, Name: "DNS Resolver #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#108] Id 122, Name: "gdbus", stopped 0x7ffff7b8747f in poll (), reason: SIGBUS
[#109] Id 123, Name: "Cache I/O", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#110] Id 124, Name: "BgIOThr~Pool #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#111] Id 127, Name: "HTML5 Parser", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#112] Id 128, Name: "mozStorage #1", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#113] Id 129, Name: "mozStorage #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#114] Id 130, Name: "mozStorage #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#115] Id 131, Name: "DNS Resolver #2", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#116] Id 132, Name: "firefox:gdrv0", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#117] Id 133, Name: "WRScene~ilder#2", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#118] Id 134, Name: "WRScene~derLP#2", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#119] Id 135, Name: "WRRende~ckend#2", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#120] Id 138, Name: "DOM Worker", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#121] Id 141, Name: "StreamTrans #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#122] Id 142, Name: "URL Classifier", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#123] Id 144, Name: "glean.dispatche", stopped 0x7ffff7b8cb9d in syscall (), reason: SIGBUS
[#124] Id 146, Name: "firefox", stopped 0x7ffff7b5a165 in clock_nanosleep@GLIBC_2.2.5 (), reason: SIGBUS
[#125] Id 150, Name: "StreamTrans #6", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#126] Id 151, Name: "mozStorage #4", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#127] Id 152, Name: "mozStorage #5", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#128] Id 154, Name: "DNS Resolver #3", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
[#129] Id 155, Name: "StreamTrans #7", stopped 0x7ffff7fb89ba in __futex_abstimed_wait_common64 (), reason: SIGBUS
───────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
[#0] 0x7ffff12004e2 → nsCSSPropertyIDSet::HasProperty(this=0x7fffffffae10, aProperty=<optimized out>)
[#1] 0x7ffff12004e2 → nsTransitionManager::DoUpdateTransitions(this=0x7fffae59a6a0, aDisp=<optimized out>, aElement=0x7fffa8c02700, aPseudoType=mozilla::PseudoStyleType::marker, aElementTransitions=@0x7fffffffaeb8, aOldStyle=<optimized out>, aNewStyle=@0x7fffab78a978)
[#2] 0x7ffff11fffbd → nsTransitionManager::UpdateTransitions(this=0x7fffae59a6a0, aElement=0x7fffa8c02700, aPseudoType=<optimized out>, aOldStyle=@0x7fffaa0f6e28, aNewStyle=@0x7fffab78a978)
[#3] 0x7ffff11b43e8 → Gecko_UpdateAnimations(aElement=0x7fffa8c02700, aOldComputedData=0x7fffaa0f6e28, aComputedData=<optimized out>, aTasks=mozilla::UpdateAnimationsTasks::CSSTransitions)
[#4] 0x7ffff4750351 → <style::gecko::wrapper::GeckoElement as style::dom::TElement>::update_animations(self=0x7fffffffb050, before_change_style={
<<variant>> = {
: 0x7fffaa0f6e20,
None: core::option::Option<servo_arc::Arc<style::gecko_properties::ComputedValues>>::None,
Some: core::option::Option<servo_arc::Arc<style::gecko_properties::ComputedValues>>::Some (
servo_arc::Arc<style::gecko_properties::ComputedValues> {
p: core::ptr::non_null::NonNull<servo_arc::ArcInner<style::gecko_properties::ComputedValues>> {
pointer: 0x7fffaa0f6e20
},
phantom: core::marker::PhantomData<style::gecko_properties::ComputedValues>
}
)
}
}, tasks=<optimized out>)
[#5] 0x7ffff4526480 → style::context::SequentialTask<E>::execute(self=<optimized out>)
[#6] 0x7ffff4526480 → <style::context::SequentialTaskList<E> as core::ops::drop::Drop>::drop(self=<optimized out>)
[#7] 0x7ffff4518065 → core::ptr::drop_in_place()
[#8] 0x7ffff4518065 → core::ptr::drop_in_place()
[#9] 0x7ffff4521393 → style::driver::traverse_dom(traversal=<optimized out>, token=<optimized out>, pool=<optimized out>)
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Flags: sec-bounty?
|
||
Updated•3 years ago
|
Group: firefox-core-security → layout-core-security
Type: task → defect
Component: Security → Layout
Product: Firefox → Core
|
Assignee | |
Updated•3 years ago
|
Assignee: nobody → emilio
Component: Layout → CSS Transitions and Animations
Flags: needinfo?(emilio)
|
|
Assignee | |
Updated•3 years ago
|
|
||
Updated•3 years ago
|
Has Regression Range: --- → yes
Keywords: regression
|
|
Assignee | |
Updated•3 years ago
|
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 1•3 years ago
|
||
The test-case in the bug does something interesting, where it causes a
transition on the parent by removing a CSS rule, and that causes us to
transition text-underline-offset on our ::marker, via the magic of
font-size-relative properties.
text-underline-offset, while it gets inherited from ::marker, is not a
valid CSS property to specify on marker per spec, so we trim it here:
And that causes us to create a transition with an empty effect and
everything goes downhill from here.
For now, just bail out in a nicer way than we were doing. I still need
to look into whether we should handle inherited transitions differently
from non-inherited one in this case...
I think our behavior after this patch would be correct for the test-case
(because text-underline-offset would transition on the parent and
::marker would inherit it). If you specify transition only on the marker
we'd refuse to transition (which I guess it is somewhat of a sensible
behavior).
|
|
Assignee | |
Comment 2•3 years ago
|
||
Really nice test-case, Irvan!
|
|
Assignee | |
Comment 3•3 years ago
|
||
Comment on attachment 9203081 [details]
Bug 1692684 - Don't create transitions for invalid ::marker properties. r=hiro,boris
Security Approval Request
- How easily could an exploit be constructed based on the patch?: Probably not too hard with enough motivation.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: Yes
- Which older supported branches are affected by this flaw?: 80+
- If not all supported branches, which bug introduced the flaw?: Bug 1692684
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should apply cleanly-ish.
- How likely is this patch to cause regressions; how much testing does it need?: not much, pretty straight-forward patch.
Attachment #9203081 -
Flags: sec-approval?
|
||
Comment 4•3 years ago
|
||
Unless you strongly object Emilio, we are planning on letting this wait as we have already cut RC; and put it into the next release.
|
|
Assignee | |
Comment 5•3 years ago
|
||
It's a very trivial patch, but I'm ok with your call regarding this.
|
||
Updated•3 years ago
|
status-firefox85:
--- → wontfix
status-firefox86:
--- → wontfix
status-firefox87:
--- → affected
status-firefox-esr78:
--- → unaffected
tracking-firefox87:
--- → +
|
|
||
Comment 6•3 years ago
|
||
Emilio: the index in the reported crash is ridiculously large -- not actually useful for an overread. Is that value controllable? If it is, is the thing being referenced an object or just data?
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 7•3 years ago
|
||
The index is not controllable, it's size_t(eCSSProperty_Unknown) / kBitsInChunk, which is 0xffffffffffffffff / 64. And the thing being indexed is just a blob of bits.
Flags: needinfo?(emilio)
|
||
Updated•3 years ago
|
Crash Signature: [@ nsTransitionManager::UpdateTransitions ]
|
|
||
Comment 8•3 years ago
|
||
Comment on attachment 9203081 [details]
Bug 1692684 - Don't create transitions for invalid ::marker properties. r=hiro,boris
Approved to land and uplift
Attachment #9203081 -
Flags: sec-approval?
Attachment #9203081 -
Flags: sec-approval+
Attachment #9203081 -
Flags: approval-mozilla-beta+
|
||
Comment 9•3 years ago
|
||
Group: layout-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox88:
--- → fixed
tracking-firefox88:
--- → +
Resolution: --- → FIXED
Target Milestone: --- → 88 Branch
|
|
||
Comment 10•3 years ago
|
||
| uplift | ||
|
Reporter | |
Comment 11•3 years ago
|
||
When I build Firefox 32-bit with ASAN using Firefox Source Docs build configuration it show SEGV signal to address 0x1fd2b34c as follow:
AddressSanitizer:DEADLYSIGNAL
=================================================================
==2841445==ERROR: AddressSanitizer: SEGV on unknown address 0x1fd2b34c (pc 0xe58aac3c bp 0xffd2b458 sp 0xffd2b2e0 T0)
==2841445==The signal is caused by a READ memory access.
#0 0xe58aac3c in HasProperty /home/sourc7/git/gecko-dev-32bit-asan/layout/style/nsCSSPropertyIDSet.h:65:13
#1 0xe58aac3c in nsTransitionManager::DoUpdateTransitions(nsStyleDisplay const&, mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::AnimationCollection<mozilla::dom::CSSTransition>*&, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /home/sourc7/git/gecko-dev-32bit-asan/layout/style/nsTransitionManager.cpp:178:37
#2 0xe58aa4a3 in nsTransitionManager::UpdateTransitions(mozilla::dom::Element*, mozilla::PseudoStyleType, mozilla::ComputedStyle const&, mozilla::ComputedStyle const&) /home/sourc7/git/gecko-dev-32bit-asan/layout/style/nsTransitionManager.cpp:66:10
#3 0xe5750df9 in Gecko_UpdateAnimations /home/sourc7/git/gecko-dev-32bit-asan/layout/style/GeckoBindings.cpp:558:39
#4 0xef996673 in _$LT$style..gecko..wrapper..GeckoElement$u20$as$u20$style..dom..TElement$GT$::update_animations::h3d0c48f7f591915e /home/sourc7/git/gecko-dev-32bit-asan/servo/components/style/gecko/wrapper.rs:1533:13
#5 0xef7718d0 in style::context::SequentialTask$LT$E$GT$::execute::hbe2ed726e55e155c /home/sourc7/git/gecko-dev-32bit-asan/servo/components/style/context.rs:499:17
#6 0xef7718d0 in _$LT$style..context..SequentialTaskList$LT$E$GT$$u20$as$u20$core..ops..drop..Drop$GT$::drop::hb4592c101e5103a0 /home/sourc7/git/gecko-dev-32bit-asan/servo/components/style/context.rs:627:13
#7 0xef763597 in core::ptr::drop_in_place::hd7659e751d2dac6a /home/sourc7/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#8 0xef763597 in core::ptr::drop_in_place::h3020d0bbf944274e /home/sourc7/.rustup/toolchains/stable-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:175:1
#9 0xef76c61f in style::driver::traverse_dom::hc86184ad0199193b /home/sourc7/git/gecko-dev-32bit-asan/servo/components/style/driver.rs:193:1
#10 0xef6e515c in geckoservo::glue::traverse_subtree::he1c56235247a0da7 /home/sourc7/git/gecko-dev-32bit-asan/servo/ports/geckolib/glue.rs:265:5
#11 0xef6e5245 in Servo_TraverseSubtree /home/sourc7/git/gecko-dev-32bit-asan/servo/ports/geckolib/glue.rs:325:5
#12 0xe57d809f in mozilla::ServoStyleSet::StyleDocument(mozilla::ServoTraversalFlags) /home/sourc7/git/gecko-dev-32bit-asan/layout/style/ServoStyleSet.cpp:738:9
#13 0xe5a1cbc5 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/RestyleManager.cpp:2982:20
#14 0xe59ba243 in ProcessPendingRestyles /home/sourc7/git/gecko-dev-32bit-asan/layout/base/RestyleManager.cpp:3112:3
#15 0xe59ba243 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/PresShell.cpp:4215:39
#16 0xe591344e in mozilla::PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /home/sourc7/git/gecko-dev-32bit-asan/objdir-ff-asan/dist/include/mozilla/PresShell.h:1422:5
#17 0xe58fb506 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:2196:22
#18 0xe591ab33 in TickDriver /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:357:13
#19 0xe591ab33 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:336:7
#20 0xe591a2bf in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:351:5
#21 0xe59188c1 in RunRefreshDrivers /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:799:5
#22 0xe59188c1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:722:16
#23 0xe59170fd in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:624:7
#24 0xe59164a1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /home/sourc7/git/gecko-dev-32bit-asan/layout/base/nsRefreshDriver.cpp:545:9
#25 0xe40eeaad in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /home/sourc7/git/gecko-dev-32bit-asan/dom/ipc/VsyncChild.cpp:68:15
#26 0xda9a1173 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /home/sourc7/git/gecko-dev-32bit-asan/objdir-ff-asan/ipc/ipdl/PVsyncChild.cpp:178:54
#27 0xda3b7e7b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /home/sourc7/git/gecko-dev-32bit-asan/objdir-ff-asan/ipc/ipdl/PBackgroundChild.cpp:6243:32
#28 0xd9be3c50 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessageChannel.cpp:2153:25
#29 0xd9bde597 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessageChannel.cpp:2077:9
#30 0xd9be0f35 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessageChannel.cpp:1925:3
#31 0xd9be1f60 in mozilla::ipc::MessageChannel::MessageTask::Run() /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessageChannel.cpp:1956:13
#32 0xd7fd52d5 in mozilla::RunnableTask::Run() /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/TaskController.cpp:472:16
#33 0xd7fc45d0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/TaskController.cpp:760:26
#34 0xd7fc071b in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/TaskController.cpp:611:15
#35 0xd7fc0ebc in mozilla::TaskController::ProcessPendingMTTask(bool) /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/TaskController.cpp:395:36
#36 0xd7fc7150 in operator() /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/TaskController.cpp:133:37
#37 0xd7fc7150 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_3>::Run() /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/nsThreadUtils.h:534:5
#38 0xd800822f in nsThread::ProcessNextEvent(bool, bool*) /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/nsThread.cpp:1158:16
#39 0xd80195db in NS_ProcessNextEvent(nsIThread*, bool) /home/sourc7/git/gecko-dev-32bit-asan/xpcom/threads/nsThreadUtils.cpp:548:10
#40 0xd9befff3 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessagePump.cpp:87:21
#41 0xd9bf1c62 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /home/sourc7/git/gecko-dev-32bit-asan/ipc/glue/MessagePump.cpp:270:30
#42 0xd99f6e33 in RunInternal /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:335:10
#43 0xd99f6e33 in RunHandler /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:328:3
#44 0xd99f6e33 in MessageLoop::Run() /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:310:3
#45 0xe5053fd2 in nsBaseAppShell::Run() /home/sourc7/git/gecko-dev-32bit-asan/widget/nsBaseAppShell.cpp:137:27
#46 0xeaa8d48a in XRE_RunAppShell() /home/sourc7/git/gecko-dev-32bit-asan/toolkit/xre/nsEmbedFunctions.cpp:902:20
#47 0xd99f6e33 in RunInternal /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:335:10
#48 0xd99f6e33 in RunHandler /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:328:3
#49 0xd99f6e33 in MessageLoop::Run() /home/sourc7/git/gecko-dev-32bit-asan/ipc/chromium/src/base/message_loop.cc:310:3
#50 0xeaa8be5e in XRE_InitChildProcess(int, char**, XREChildData const*) /home/sourc7/git/gecko-dev-32bit-asan/toolkit/xre/nsEmbedFunctions.cpp:733:34
#51 0xeaaa60d1 in mozilla::BootstrapImpl::XRE_InitChildProcess(int, char**, XREChildData const*) /home/sourc7/git/gecko-dev-32bit-asan/toolkit/xre/Bootstrap.cpp:67:12
#52 0x566bded4 in content_process_main /home/sourc7/git/gecko-dev-32bit-asan/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#53 0x566bded4 in main /home/sourc7/git/gecko-dev-32bit-asan/browser/app/nsBrowserApp.cpp:306:18
#54 0xf79d9a0c in __libc_start_main (/usr/lib32/libc.so.6+0x1ea0c)
#55 0x5660f294 in _start (/home/sourc7/git/gecko-dev-32bit-asan/objdir-ff-asan/dist/bin/firefox+0xa9294)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/sourc7/git/gecko-dev-32bit-asan/layout/style/nsCSSPropertyIDSet.h:65:13 in HasProperty
|
|
Reporter | |
Comment 12•3 years ago
|
||
Hereby my crash report reproduced on Firefox 32-bit (Windows 10), showing EXCEPTION_ACCESS_VIOLATION_READ at address 0x24f7cdac:
https://crash-stats.mozilla.org/report/index/7a939ddd-14f5-49c6-9634-1e2f10210225
|
|
||
Comment 13•3 years ago
|
||
And on 64 bit Mac I'm getting EXC_BAD_INSTRUCTION / EXC_I386_STKFLT at addresses like 0x107152aee: bp-dda426da-bcb9-4e18-8043-cb2df0210225
Keywords: sec-moderate
|
||
Updated•3 years ago
|
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify+
|
|
Reporter | |
Comment 14•3 years ago
|
||
Sorry, I forgot to mention in the comment 11 that I reproduced it on an older git branch (before the patch).
After the patch I can't reproduce the crash in Firefox Nightly 88.0a1 (2021-02-25) (32-bit and 64-bit). I verified this as fixed.
Status: RESOLVED → VERIFIED
|
||
Updated•3 years ago
|
Flags: sec-bounty? → sec-bounty+
|
|
||
Updated•3 years ago
|
QA Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][qa-triaged]
|
|
||
Comment 15•3 years ago
|
||
Also confirming that this issue is no longer reproducing using Nightly 88.0a1 (buildID 20210309094921) and Firefox 87.0b7 (buildID 20210307185839).
|
|
||
Updated•3 years ago
|
Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][adv-main87+]
|
|
||
Comment 16•3 years ago
|
||
|
|
||
Updated•3 years ago
|
Alias: CVE-2021-23983
|
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•