Bugzilla

Reporter

Comment 1

•

3 years ago

Attached file asan.linux.txt — Details

Comment 2

•

3 years ago

Tyson thinks our fuzzers have logged this already. ni? to him to find it.

Flags: needinfo?(twsmith)

Tyson Smith [:tsmith]

Updated

•

3 years ago

Group: firefox-core-security → layout-core-security

Component: Security → Disability Access APIs

Flags: needinfo?(twsmith)

Product: Firefox → Core

Tyson Smith [:tsmith]

Comment 3

•

3 years ago

Jamie, Eitan: This looks similar to bug 1610088

Flags: needinfo?(jteh)

Flags: needinfo?(eitan)

Reporter

Comment 4

•

3 years ago

Attached file valgrind-bof-testcase.txt — Details

Reporter

Comment 5

•

3 years ago

Attached file valgrind-segv-testcase.txt — Details

Reporter

Comment 6

•

3 years ago

The crash occurs after checking out to commit Bug 1542807 part 1 - Create generated content and use normal box construction for list-style-type/list-style-image ::markers.

I confirmed it no longer crashed after commenting line of code aAddChild(child) on nsCSSFrameConstructor::CreateGeneratedContentFromListStyleType function as following:

void nsCSSFrameConstructor::CreateGeneratedContentFromListStyleType(
    nsFrameConstructorState& aState, const ComputedStyle& aPseudoStyle,
    const FunctionRef<void(nsIContent*)> aAddChild) {
  ...
  if (!needUseNode) {
    nsAutoString text;
    node->GetText(WritingMode(&aPseudoStyle), counterStyle, text);
    // Note that we're done with 'node' in this case.  It's not inserted into
    // any list so it's deleted when we return.
    RefPtr<nsIContent> child = CreateGenConTextNode(aState, text, nullptr);
    // aAddChild(child);
    return;
  }

  nsCounterList* counterList =
      mCounterManager.CounterListFor(nsGkAtoms::list_item);
  auto initializer = MakeUnique<nsGenConInitializer>(
      std::move(node), counterList, &nsCSSFrameConstructor::CountersDirty);
  RefPtr<nsIContent> child =
      CreateGenConTextNode(aState, EmptyString(), std::move(initializer));
  // aAddChild(child);
}

Reporter

Updated

•

3 years ago

Summary: AddressSanitizer: heap-buffer-overflow and SEGV in a11y::NotificationController::WillRefresh -> nsLineBox::GetChildCount() → AddressSanitizer: heap-buffer-overflow and SEGV in nsLineBox::GetChildCount()

Reporter

Comment 7

•

3 years ago

I found new testcase it can be triggered without Accesibility: Activated true or without screen reader, hereby the following ASan report:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==97526==ERROR: AddressSanitizer: SEGV on unknown address 0x0016ffff8014 (pc 0x7f2bd967faaf bp 0x7ffd1776abb0 sp 0x7ffd1776abb0 T0)
==97526==The signal is caused by a READ memory access.
    #0 0x7f2bd967faaf in EntryCount /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:434:40
    #1 0x7f2bd967faaf in Count /builds/worker/workspace/obj-build/dist/include/nsTHashtable.h:274:42
    #2 0x7f2bd967faaf in nsTBaseHashSet<nsPtrHashKey<nsIFrame> >::Count() const /builds/worker/workspace/obj-build/dist/include/nsTHashSet.h:53:55
    #3 0x7f2bd99d00a9 in BuildTextRuns /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1517:28
    #4 0x7f2bd99d00a9 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:2991:7
    #5 0x7f2bd9997dbc in nsTextFrame::RecomputeOverflow(nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:9771:31
    #6 0x7f2bd99974f5 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3311:18
    #7 0x7f2bd99973b6 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3295:7
    #8 0x7f2bd99973b6 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3295:7
    #9 0x7f2bd9780c72 in RelativePositionFrames /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:117:5
    #10 0x7f2bd9780c72 in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4988:15
    #11 0x7f2bd977f128 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4477:12
    #12 0x7f2bd9777d6e in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4235:9
    #13 0x7f2bd9771519 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:5
    #14 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #15 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #16 0x7f2bd979b87f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #17 0x7f2bd9aeb945 in nsTableWrapperFrame::ReflowChild(nsPresContext*, nsIFrame*, mozilla::ReflowInput const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:848:21
    #18 0x7f2bd9aec660 in nsTableWrapperFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/tables/nsTableWrapperFrame.cpp:960:5
    #19 0x7f2bd977c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #20 0x7f2bd97746e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #21 0x7f2bd9771666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #22 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #23 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #24 0x7f2bd977c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #25 0x7f2bd97746e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #26 0x7f2bd9771666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #27 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #28 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #29 0x7f2bd977c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #30 0x7f2bd97746e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #31 0x7f2bd9771666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #32 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #33 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #34 0x7f2bd977c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #35 0x7f2bd97746e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #36 0x7f2bd9771666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #37 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #38 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #39 0x7f2bd977c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #40 0x7f2bd97746e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #41 0x7f2bd9771666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #42 0x7f2bd9768e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #43 0x7f2bd976206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #44 0x7f2bd979b87f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #45 0x7f2bd979a024 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:819:7
    #46 0x7f2bd979b87f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #47 0x7f2bd9824fad in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #48 0x7f2bd982682c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #49 0x7f2bd982cb3e in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #50 0x7f2bd97521c6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
    #51 0x7f2bd9751806 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #52 0x7f2bd95946b4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9573:11
    #53 0x7f2bd95a5567 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9744:24    #54 0x7f2bd95a3e71 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4230:11
    #55 0x7f2bd95331b7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1411:5
    #56 0x7f2bd95331b7 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2328:20
    #57 0x7f2bd953f777 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:348:13
    #58 0x7f2bd953f777 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:326:7
    #59 0x7f2bd953f4dd in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:342:5
    #60 0x7f2bd953f265 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:775:5
    #61 0x7f2bd953e86f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:704:16
    #62 0x7f2bd953de2b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:617:7
    #63 0x7f2bd953d5a1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:538:9
    #64 0x7f2bd87dfbbf in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncChild.cpp:68:15
    #65 0x7f2bd370f2fc in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:178:54
    #66 0x7f2bd34c00cf in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6091:32
    #67 0x7f2bd30de7c6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2085:25
    #68 0x7f2bd30dc2bc in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2012:9
    #69 0x7f2bd30dd4ce in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1860:3
    #70 0x7f2bd30ddc4b in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1891:13
    #71 0x7f2bd2009b92 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
    #72 0x7f2bd1fd66b0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
    #73 0x7f2bd1fd3ef8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
    #74 0x7f2bd1fd460d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
    #75 0x7f2bd2013e71 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #76 0x7f2bd2013e71 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #77 0x7f2bd1ff1008 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
    #78 0x7f2bd1ffbe4c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #79 0x7f2bd30e53fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #80 0x7f2bd2ff1461 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #81 0x7f2bd2ff1461 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #82 0x7f2bd2ff1461 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #83 0x7f2bd9043c37 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #84 0x7f2bdcf39bef in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #85 0x7f2bd2ff1461 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #86 0x7f2bd2ff1461 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #87 0x7f2bd2ff1461 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #88 0x7f2bdcf395c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #89 0x55baf399642d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #90 0x55baf3996851 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #91 0x7f2bee87bb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #92 0x55baf38e774c in _start (/tmp/m-c-20210624093849-asan-opt/firefox+0x5674c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/PLDHashTable.h:434:40 in EntryCount
==97526==ABORTING

I'm currently minimizing the testcase. I'll attach the new testcase after the testcase is minimized.

Reporter

Comment 8

•

3 years ago

Attached file asan.segv.txt — Details

Reporter

Comment 9

•

3 years ago

Attached file testcase.new.html — Details

Hereby I attach the new testcase that trigger SEGV without accessibility or screen reader. Tested working on Firefox Nightly 91.0a1 (2021-06-24) (64-bit) and m-c-20210624093849-asan-opt.

The crash reasons occurred same as on comment 6, I think we can re-assign the component and mark this as Bug 1542807 regression.

Reporter

Comment 10

•

3 years ago

Attached file bof-universal.html — Details

Alright great! It turns out by adding CSS code from testcase.new.html (on comment 9) to bof-interesting.html (on comment 0) it can trigger the heap-buffer-overflow without require a11y accessibility.

ASan output:

==322466==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x62500020510c at pc 0x7fdadd75f919 bp 0x7ffcd670ea40 sp 0x7ffcd670ea38
READ of size 2 at 0x62500020510c thread T0 (file:// Content)
    #0 0x7fdadd75f918 in nsLineBox::GetChildCount() const /builds/worker/checkouts/gecko/layout/generic/nsLineBox.h:322:12
    #1 0x7fdaddab00a9 in BuildTextRuns /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:1517:28
    #2 0x7fdaddab00a9 in nsTextFrame::EnsureTextRun(nsTextFrame::TextRunType, mozilla::gfx::DrawTarget*, nsIFrame*, nsLineList_iterator const*, unsigned int*) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:2991:7
    #3 0x7fdadda77dbc in nsTextFrame::RecomputeOverflow(nsIFrame*, bool) /builds/worker/checkouts/gecko/layout/generic/nsTextFrame.cpp:9771:31
    #4 0x7fdadda774f5 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3311:18
    #5 0x7fdadda773b6 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:3295:7
    #6 0x7fdadd860c72 in RelativePositionFrames /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:117:5
    #7 0x7fdadd860c72 in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4988:15
    #8 0x7fdadd85f128 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4477:12
    #9 0x7fdadd857d6e in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4235:9
    #10 0x7fdadd851519 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:5
    #11 0x7fdadd848e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #12 0x7fdadd84206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #13 0x7fdadd85c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #14 0x7fdadd8546e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #15 0x7fdadd851666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #16 0x7fdadd848e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #17 0x7fdadd84206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #18 0x7fdadd85c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #19 0x7fdadd8546e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #20 0x7fdadd851666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #21 0x7fdadd848e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #22 0x7fdadd84206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #23 0x7fdadd85c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #24 0x7fdadd8546e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #25 0x7fdadd851666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #26 0x7fdadd848e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #27 0x7fdadd84206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #28 0x7fdadd85c693 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #29 0x7fdadd8546e2 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3871:11
    #30 0x7fdadd851666 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3212:5
    #31 0x7fdadd848e70 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2749:7
    #32 0x7fdadd84206b in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1380:3
    #33 0x7fdadd87b87f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #34 0x7fdadd87a024 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:819:7
    #35 0x7fdadd87b87f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1000:14
    #36 0x7fdadd904fad in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #37 0x7fdadd90682c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #38 0x7fdadd90cb3e in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #39 0x7fdadd8321c6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1040:14
    #40 0x7fdadd831806 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:374:7
    #41 0x7fdadd6746b4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9573:11
    #42 0x7fdadd685567 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9744:24
    #43 0x7fdadd683e71 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4230:11
    #44 0x7fdad8e3ddc7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1411:5
    #45 0x7fdad8e3ddc7 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10594:16
    #46 0x7fdad7cf745c in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:732:14
    #47 0x7fdad7cfa159 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:670:5
    #48 0x7fdae058fe5f in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13515:23
    #49 0x7fdad63a61be in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:614:22
    #50 0x7fdad63a8983 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:518:10
    #51 0x7fdad8e43d10 in mozilla::dom::Document::DoUnblockOnload() /builds/worker/checkouts/gecko/dom/base/Document.cpp:11347:18
    #52 0x7fdad8dfff8e in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11277:9
    #53 0x7fdad8e223cf in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7785:3
    #54 0x7fdad8ede5af in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1150:12
    #55 0x7fdad8ede5af in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1156:12
    #56 0x7fdad8ede5af in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1203:13
    #57 0x7fdad60a5b4f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #58 0x7fdad60e9b92 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
    #59 0x7fdad60b66b0 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
    #60 0x7fdad60b3ef8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
    #61 0x7fdad60b460d in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
    #62 0x7fdad60f3e71 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #63 0x7fdad60f3e71 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #64 0x7fdad60d1008 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
    #65 0x7fdad60dbe4c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #66 0x7fdad71c53fa in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #67 0x7fdad70d1461 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #68 0x7fdad70d1461 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #69 0x7fdad70d1461 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #70 0x7fdadd123c37 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #71 0x7fdae1019bef in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #72 0x7fdad70d1461 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #73 0x7fdad70d1461 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #74 0x7fdad70d1461 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #75 0x7fdae10195c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #76 0x562491ed642d in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #77 0x562491ed6851 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18
    #78 0x7fdaf295cb24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24)
    #79 0x562491e2774c in _start (/tmp/m-c-20210624093849-asan-opt/firefox+0x5674c)

0x62500020510c is located 12 bytes to the right of 8192-byte region [0x625000203100,0x625000205100)
allocated by thread T0 (file:// Content) here:
    #0 0x562491ea27ad in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7fdad6092d20 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7fdadd7b4dcd in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7fdadd7b4dcd in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7fdadd7b4dcd in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7fdadd82d965 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:271:32
    #6 0x7fdadd82d965 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:263:12
    #7 0x7fdadd82d965 in operator new /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:36:1
    #8 0x7fdadd82d965 in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:33:10
    #9 0x7fdadd709ca2 in nsCSSFrameConstructor::ConstructRootFrame() /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:2486:7
    #10 0x7fdadd670e5e in mozilla::PresShell::Initialize() /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1879:36
    #11 0x7fdad902e75b in nsContentSink::StartLayout(bool) /builds/worker/checkouts/gecko/dom/base/nsContentSink.cpp:871:30
    #12 0x7fdad7eb4d09 in nsHtml5TreeOpExecutor::StartLayout(bool*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:826:18
==322466==WARNING: Symbolizer buffer too small
    #13 0x7fdad7ebf8cb  (/tmp/m-c-20210624093849-asan-opt/libxul.so+0x54e98cb)
==322466==WARNING: Symbolizer buffer too small
    #14 0x7fdad7eb39de  (/tmp/m-c-20210624093849-asan-opt/libxul.so+0x54dd9de)
    #15 0x7fdad7eb2bb7 in umberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #16 0x7fdad7eb2bb7 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #17 0x7fdad7eb2bb7 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 7ul, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #18 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #19 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #20 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #21 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #22 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #23 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #24 0x7fdad7eb9a76 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #25 0x7fdad7eb9a76 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:851:12
    #26 0x7fdad7eb9a76 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOperation.cpp:1213:21
    #27 0x7fdad60a5b4f in nsHtml5ExecutorFlusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:179:18
    #28 0x7fdad60e9b92 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #29 0x7fdad60b66b0 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:502:16
    #30 0x7fdad60b3ef8 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:805:26
    #31 0x7fdad60b460d in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:641:15
    #32 0x7fdad60f3e71 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:425:36
    #33 0x7fdad60d1008 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:135:37
    #34 0x7fdad60d1008 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:534:5
    #35 0x7fdad60dbe4c in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1152:16
    #36 0x7fdad71c53fa in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #37 0x7fdad70d1461 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #38 0x7fdadd123c37 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #39 0x7fdadd123c37 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #40 0x7fdadd123c37 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #41 0x7fdae1019bef in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
    #42 0x7fdad70d1461 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #43 0x7fdae10195c4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:331:10
    #44 0x7fdae10195c4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:324:3
    #45 0x7fdae10195c4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:306:3
    #46 0x562491ed642d in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #47 0x562491ed6851 in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #48 0x7fdaf295cb24 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:327:18

SUMMARY: AddressSanitizer: heap-buffer-overflow (/tmp/m-c-20210624093849-asan-opt/libxul.so+0xad89918) in __libc_start_main
Shadow bytes around the buggy address:
  0x0c4a800389d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800389e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a800389f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80038a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80038a10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
=>0x0c4a80038a20: fa[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80038a30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80038a40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80038a50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80038a60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c4a80038a70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==322466==ABORTING

Reporter

Comment 11

•

3 years ago

Attached file asan.bof.txt — Details

Reporter

Comment 12

•

3 years ago

Hi Tyson, based on new comment above it no longer require a11y accessibility. Can this be re-assigned to Layout component? and marked this as regression for Bug 1542807?

Flags: needinfo?(twsmith)

Tyson Smith [:tsmith]

Updated

•

3 years ago

Type: task → defect

status-firefox91: --- → affected

Component: Disability Access APIs → Layout: Text and Fonts

Flags: needinfo?(twsmith) → in-testsuite?

Keywords: csectype-bounds, testcase

Eitan Isaacson [:eeejay]

Updated

•

3 years ago

Flags: needinfo?(eitan)

Comment 13

•

3 years ago

Mats, it sounds like this might be a regression from bug 1542807. Could you take a look? Thanks.

Flags: needinfo?(jteh) → needinfo?(mats)

Keywords: regression

Regressed by: 1542807

Comment 14

•

3 years ago

[Tracking Requested - why for this release]: possibly sec-high regression

tracking-firefox91: --- → ?

Assignee

Comment 15

•

3 years ago

Mats is on PTO, I'll try to poke.

Flags: needinfo?(emilio)

Updated

•

3 years ago

tracking-firefox91: ? → +

Assignee

Comment 16

•

3 years ago

So the main issue is that we have a <details> element with display: inline list-item, but we end up constructing a DetailsFrame, which is a block and tries to deal with outside list items in a way such as that it assumes it is a block.

Something like this already starts triggering some fishy NS_ASSERTIONs in inline layout:

<details style="display: inline list-item; list-style-position: outside"></details>

Which the final crash here is just a consequence of.

The outside list item is supposed to get blockified here, but of course <details> passes that check through because its computed display value is list-item.

I can think of two solutions, both of them are breaking changes but I think it should be pretty much fine since we're the only ones implementing display: inline list-item:

Always blockify list-style-position: outside markers (regardless of the display value). list-style-position: outside is already effectively ignored for display: inline list-item, and it should be ok. But perhaps this causes unfortunate IB splits, not sure.
Force list-style-position: inside for display: inline list-item. This is kind of unfortunate (in the "we need more style adjustments" sense), but might be an slightly less breaking change.

Maybe we can/should do both of those. I'll check on how many tests rely on the current behavior vs. the proposals above.

Or, perhaps we should unship display: inline list-item until this is solved with more working group feedback. Given all the different solutions to this problem we can do, it might be the best course of action... Thoughts Jonathan (given both Mats and Daniel are on PTO)?

Flags: needinfo?(jfkthame)

Assignee

Comment 17

•

3 years ago

Or we could just blockify at used-value time instead like we do for <legend> I guess. Not a fan of that code but...

Assignee: nobody → emilio

Flags: needinfo?(mats)

Flags: needinfo?(jfkthame)

Flags: needinfo?(emilio)

Assignee

Comment 18

•

3 years ago

Attached file Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame — Details

Trusting the display value in style_adjuster is wrong, as some elements
force a given kind of frame (like <details>).

Jonathan Kew [:jfkthame]

Comment 19

•

3 years ago

Yeah - it looks like we shipped inline list-item way back in Firefox 70, so given how long it's been there, I would be reluctant to (temporarily) unship it while seeking feedback/deciding on a way forward here. So I'd be more inclined to go with your suggestion above, even if it feels a bit ugly. Thanks!

Assignee

Comment 20

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

Security Approval Request

How easily could an exploit be constructed based on the patch?: Not super-easy.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
Which older supported branches are affected by this flaw?: I think all, actually, bug 1542807 just exposed this in more cases but the same codepath could be hit before using content
If not all supported branches, which bug introduced the flaw?: None
Do you have backports for the affected branches?: No
If not, how different, hard to create, and risky will they be?: I don't think it'd be hard.
How likely is this patch to cause regressions; how much testing does it need?: not very likely, reuses an existing codepath for <legend> in <fieldset>, and the bug is triggered when a css value that only Firefox implements is used, so I'd say that it is pretty hard for this to cause regressions in the wild.

Attachment #9230681 - Flags: sec-approval?

Updated

•

3 years ago

status-firefox90: --- → affected

status-firefox92: --- → affected

status-firefox-esr78: --- → affected

Updated

•

3 years ago

Keywords: regression

No longer regressed by: 1542807

Comment 21

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

Approved to land and uplift when there are patches

Attachment #9230681 - Flags: sec-approval? → sec-approval+

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Updated

•

3 years ago

Keywords: sec-moderate

Summary: AddressSanitizer: heap-buffer-overflow and SEGV in nsLineBox::GetChildCount() → AddressSanitizer: out-of-bounds read and SEGV in nsLineBox::GetChildCount()

Comment 22

•

3 years ago

Blockify outside markers at used value time rather than at computed value time. r=jfkthame
https://hg.mozilla.org/integration/autoland/rev/3b45a991147b12d55720854c57da73bd37d9de97
https://hg.mozilla.org/mozilla-central/rev/3b45a991147b

Group: layout-core-security → core-security-release

Status: NEW → RESOLVED

Closed: 3 years ago

status-firefox92: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 92 Branch

Updated

•

3 years ago

status-firefox90: affected → wontfix

tracking-firefox-esr78: --- → 91+

Reporter

Comment 23

•

3 years ago

Attached file GetChildCount-0x4141.html — Details

Hi Dan, I think this one should be sec-high or sec-critical, I found the AV address is controllable through font-size value (e.g. AV to 0x41410002b88f or 0x42420002c3e3) on Windows 10.

Furthermore on Arch Linux with another testcase (which controlled through padding-top value) I also able to hit SEGV on unknown address 0x4141bfff8002 or 0x42425fff8002.

Flags: needinfo?(dveditz)

Reporter

Comment 24

•

3 years ago

Attached file asan-0x4141-windows.txt — Details

Comment 25

•

3 years ago

Emilio: on my nightly non-ASAN crash it looks like it's dereferencing an nsIFrame object. Why didn't frame-poisoning save us here?
bp-76f9de1a-5470-49af-91ea-73e2e0210720

Flags: needinfo?(dveditz) → needinfo?(emilio)

Keywords: sec-moderate → sec-high

Updated

•

3 years ago

Flags: sec-bounty? → sec-bounty+

BugBot [:suhaib / :marco/ :calixte]

Assignee

Comment 26

•

3 years ago

We're dereferencing an nsIFrame* pointer, but not a deleted one or anything. We're running past the end of a linebox iterator. On a debug build this assert fires: https://searchfox.org/mozilla-central/rev/699174544b058f13f02e7586b3c8fdbf438f084b/layout/generic/nsLineBox.h#760-761

Flags: needinfo?(emilio)

Comment 27

•

3 years ago

The patch landed in nightly and beta is affected.
:emilio, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(emilio)

Assignee

Comment 28

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

Beta/Release Uplift Approval Request

User impact if declined: Security issue.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: Yes
If yes, steps to reproduce: open test-case in comment 10
List of other uplifts needed: none
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): Relatively straight-forward patch that prevents the wrong type of frame to be constructed.
String changes made/needed: none

Flags: needinfo?(emilio)

Attachment #9230681 - Flags: approval-mozilla-beta?

Assignee

Updated

•

3 years ago

Flags: qe-verify+

Assignee

Comment 29

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

Beta/Release Uplift Approval Request

User impact if declined: see above
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: Yes
If yes, steps to reproduce: see above
List of other uplifts needed: none
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): see above
String changes made/needed: none

Attachment #9230681 - Flags: approval-mozilla-release?

Assignee

Comment 30

•

3 years ago

Attached patch ESR patch (obsolete) — Details — Splinter Review

It needs some extra code that isn't on ESR but same patch other than that.

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined:
Fix Landed on Version:
Risk to taking this patch (and alternatives if risky): Relatively low-risk.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Attachment #9232383 - Flags: approval-mozilla-esr78?

Assignee

Updated

•

3 years ago

Attachment #9232383 - Attachment is patch: true

Comment 31

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

let's skip this for release and let it ship with 91

Attachment #9230681 - Flags: approval-mozilla-release? → approval-mozilla-release-

Comment 32

•

3 years ago

Comment on attachment 9230681 [details]
Bug 1717922 - Blockify outside markers at used value time rather than at computed value time. r=jfkthame

Approved for 91 beta 6, thanks.

Attachment #9230681 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

https://hg.mozilla.org/releases/mozilla-beta/rev/50d267e852f6

Comment 33

•

3 years ago

uplift

status-firefox91: affected → fixed

BugBot [:suhaib / :marco/ :calixte]

Comment 34

•

3 years ago

As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.

Please visit this google form to reply.

Flags: needinfo?(emilio)

Whiteboard: [reporter-external] [client-bounty-form] [verif?] → [reporter-external] [client-bounty-form] [verif?][sec-survey]

Assignee

Updated

•

3 years ago

Flags: needinfo?(emilio)

Comment 35

•

3 years ago

Comment on attachment 9232383 [details] [diff] [review]
ESR patch

approved for 78.13esr

Attachment #9232383 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+

https://hg.mozilla.org/releases/mozilla-esr78/rev/9490ae4af3b8

Comment 36

•

3 years ago

status-firefox-esr78: affected → fixed

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Comment 37

•

3 years ago

Backed out for causing wpt failures in marker-computed-size.html:

https://hg.mozilla.org/releases/mozilla-esr78/rev/cb47d9f70f81d05779825c53f40da20016668dda

Push with failures: https://treeherder.mozilla.org/jobs?repo=mozilla-esr78&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel%2Crunning%2Cpending%2Crunnable&revision=0d35cd18cdd357fb07e511ea5b922d95bdd3f812&selectedTaskRun=ErBKYSL8QI-mqs38wmKplA.0
Failure log: https://treeherder.mozilla.org/logviewer?job_id=346029548&repo=mozilla-esr78

Various fails and passes in the test.

status-firefox-esr78: fixed → affected

Flags: needinfo?(emilio)

Assignee

Comment 38

•

3 years ago

Attached patch ESR patch w/ fix for comment 37 (obsolete) — Details — Splinter Review

I left the style blockification there because the nsComputedDOMStyle code relies on it in ESR.

Flags: needinfo?(emilio) → needinfo?(aryx.bugmail)

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Assignee

Updated

•

3 years ago

Attachment #9233057 - Attachment is patch: true

Comment 39

•

3 years ago

Pascal will do the uplift tomorrow.

Flags: needinfo?(aryx.bugmail) → needinfo?(pascalc)

https://hg.mozilla.org/releases/mozilla-esr78/rev/4538308a7ec6

Comment 40

•

3 years ago

uplift

status-firefox-esr78: affected → fixed

Flags: needinfo?(pascalc)

Comment 41

•

3 years ago

Backed out changeset 4538308a7ec6 (Bug 1717922) for failures on marker-display-computed.html. a=backout
https://hg.mozilla.org/releases/mozilla-esr78/rev/73435f09e1d9e00fce7f31a66e060fef4c10ec58

Flags: needinfo?(emilio)

Sebastian Hengst [:aryx] (needinfo me if it's about an intermittent or backout)

Updated

•

3 years ago

status-firefox-esr78: fixed → affected

Comment 42

•

3 years ago

failure log: https://treeherder.mozilla.org/logviewer?job_id=346449585&repo=mozilla-esr78&lineNumber=43250

[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO - TEST-PASS | /css/css-pseudo/marker-display-computed.html | Computed 'display' for inside ::marker, variant content
[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO - TEST-UNEXPECTED-PASS | /css/css-pseudo/marker-display-computed.html | Computed 'display' for outside ::marker, variant default - expected FAIL
[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO - TEST-INFO | expected FAIL
[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO -
[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO - TEST-UNEXPECTED-PASS | /css/css-pseudo/marker-display-computed.html | Computed 'display' for outside ::marker, variant color - expected FAIL
[task 2021-07-27T11:00:23.091Z] 11:00:23     INFO - TEST-INFO | expected FAIL
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO -
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO - TEST-UNEXPECTED-PASS | /css/css-pseudo/marker-display-computed.html | Computed 'display' for outside ::marker, variant string - expected FAIL
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO - TEST-INFO | expected FAIL
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO -
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO - TEST-UNEXPECTED-PASS | /css/css-pseudo/marker-display-computed.html | Computed 'display' for outside ::marker, variant content - expected FAIL
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO - TEST-INFO | expected FAIL
[task 2021-07-27T11:00:23.092Z] 11:00:23     INFO - TEST-OK | /css/css-pseudo/marker-display-computed.html | took 681ms

Assignee

Comment 43

•

3 years ago

Attached file ESR patch, take 3 (just the expectation file removed) — Details

Gah, of course, if I leave the style blockification I don't need to remove add testing/web-platform/meta/css/css-pseudo/marker-display-computed.html.ini...

Attachment #9232383 - Attachment is obsolete: true

Attachment #9233057 - Attachment is obsolete: true

Flags: needinfo?(emilio) → needinfo?(pascalc)

https://hg.mozilla.org/releases/mozilla-esr78/rev/c3427a79e7df

Comment 44

•

3 years ago

uplift

status-firefox-esr78: affected → fixed

Flags: needinfo?(pascalc)

Mihai Boldan, Desktop QA [:mboldan]

Updated

•

3 years ago

QA Whiteboard: [qa-triaged]

Daniel Cicas [:dcicas], Release QA

Comment 45

•

3 years ago

Hello!

I can reproduce this issue on 91.0a1 (BuildID: 20210623214552).

I can confirm that this issue is fixed on Fx 91.0b8, Fx 92.0a1 (BuildID: 20210728215815) and Fx 78.13.0 (Treeherder build: https://treeherder.mozilla.org/jobs?repo=mozilla-esr78&selectedTaskRun=bJNT9PRKQdWCktCY9dGTrg.0 ) on Win 10, Ubuntu 18.04 and mac OS 11.4.

Daniel Cicas [:dcicas], Release QA

Updated

•

3 years ago

status-firefox91: fixed → verified

status-firefox92: fixed → verified

status-firefox-esr78: fixed → verified

Flags: qe-verify+

Updated

•

3 years ago

Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+]

Comment 47

•

3 years ago

Attached file advisory.txt — Details

Updated

•

3 years ago

Alias: CVE-2021-29988

Updated

•

3 years ago

Whiteboard: [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+] → [reporter-external] [client-bounty-form] [verif?][sec-survey][adv-main91+][adv-esr78.13+]