Open
Bug 1772592
Opened 2 years ago
Updated 2 years ago
AddressSanitizer: use-after-poison [@ nsBlockInFlowLineIterator::nsBlockInFlowLineIterator] with READ of size 8
Categories
(Core :: Disability Access APIs, defect)
Tracking
()
NEW
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-framepoisoning, regression, testcase, Whiteboard: [bugmon:bisected,confirmed][sg:dos])
Attachments
(1 file, 2 obsolete files)
|
11.46 KB,
application/zip
|
Details |
Testcase found while fuzzing mozilla-central rev 2f53c261903e (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 2f53c261903e --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.zip
AddressSanitizer: use-after-poison [@ nsBlockInFlowLineIterator::nsBlockInFlowLineIterator] with READ of size 8
=================================================================
==935416==ERROR: AddressSanitizer: use-after-poison on address 0x625000255dd8 at pc 0x7fa7857c8b81 bp 0x7ffe935d3cc0 sp 0x7ffe935d3cb8
READ of size 8 at 0x625000255dd8 thread T0 (Isolated Web Co)
#0 0x7fa7857c8b80 in nsBlockInFlowLineIterator::nsBlockInFlowLineIterator(nsBlockFrame*, nsIFrame*, bool*) /layout/generic/nsBlockFrame.cpp
#1 0x7fa785a52389 in LineStartsOrEndsAtHardLineBreak(nsTextFrame*, nsBlockFrame*, bool*, bool*) /layout/generic/nsTextFrame.cpp:10167:29
#2 0x7fa785a28176 in nsTextFrame::GetRenderedText(unsigned int, unsigned int, nsIFrame::TextOffsetType, nsIFrame::TrailingWhitespace) /layout/generic/nsTextFrame.cpp:10229:7
#3 0x7fa7893b59aa in nsTextEquivUtils::AppendTextEquivFromTextContent(nsIContent*, nsTSubstring<char16_t>*) /accessible/base/nsTextEquivUtils.cpp:111:46
#4 0x7fa7893b4f1c in nsTextEquivUtils::AppendFromAccessible(mozilla::a11y::Accessible*, nsTSubstring<char16_t>*) /accessible/base/nsTextEquivUtils.cpp:167:19
#5 0x7fa7893b4581 in AppendFromAccessibleChildren /accessible/base/nsTextEquivUtils.cpp:154:10
#6 0x7fa7893b4581 in nsTextEquivUtils::GetNameFromSubtree(mozilla::a11y::LocalAccessible const*, nsTSubstring<char16_t>&) /accessible/base/nsTextEquivUtils.cpp:41:7
#7 0x7fa7893d65a6 in mozilla::a11y::LocalAccessible::NativeName(nsTString<char16_t>&) const /accessible/generic/LocalAccessible.cpp:2430:5
#8 0x7fa789402409 in mozilla::a11y::HyperTextAccessible::NativeName(nsTString<char16_t>&) const /accessible/generic/HyperTextAccessible.cpp:2075:45
#9 0x7fa7893dd933 in mozilla::a11y::LocalAccessible::Name(nsTString<char16_t>&) const /accessible/generic/LocalAccessible.cpp:147:29
#10 0x7fa78935153d in mozilla::a11y::EventQueue::PushNameOrDescriptionChange(mozilla::a11y::LocalAccessible*) /accessible/base/EventQueue.cpp:78:43
#11 0x7fa789353bbf in mozilla::a11y::NotificationController::QueueMutationEvent(mozilla::a11y::AccTreeMutationEvent*) /accessible/base/NotificationController.cpp:213:9
#12 0x7fa789354a93 in mozilla::a11y::TreeMutation::BeforeRemoval(mozilla::a11y::LocalAccessible*, bool) /accessible/base/EventTree.cpp:87:21
#13 0x7fa7893e9e57 in mozilla::a11y::DocAccessible::ContentRemoved(mozilla::a11y::LocalAccessible*) /accessible/generic/DocAccessible.cpp:2057:6
#14 0x7fa7893e4185 in mozilla::a11y::DocAccessible::ContentRemoved(nsIContent*) /accessible/generic/DocAccessible.cpp:2086:5
#15 0x7fa7893ea2f1 in mozilla::a11y::DocAccessible::RecreateAccessible(nsIContent*) /accessible/generic/DocAccessible.cpp:1385:3
#16 0x7fa78593d1ca in nsImageFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsImageFrame.cpp:373:3
#17 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#18 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#19 0x7fa78595a895 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsInlineFrame.cpp:179:21
#20 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#21 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#22 0x7fa78595a895 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsInlineFrame.cpp:179:21
#23 0x7fa7859cae86 in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsLineBox.cpp:387:14
#24 0x7fa78579d6fa in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsBlockFrame.cpp:480:3
#25 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#26 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#27 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#28 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#29 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#30 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#31 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#32 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#33 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#34 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#35 0x7fa78583d54c in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsFrameList.cpp:50:12
#36 0x7fa78579df41 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsContainerFrame.cpp:227:11
#37 0x7fa78595a895 in nsInlineFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /layout/generic/nsInlineFrame.cpp:179:21
#38 0x7fa7857e6639 in Destroy /layout/generic/nsIFrame.h:672:5
#39 0x7fa7857e6639 in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /layout/generic/nsContainerFrame.cpp:181:19
#40 0x7fa78567ceb2 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /layout/base/nsCSSFrameConstructor.cpp:7735:5
#41 0x7fa785671082 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8708:7
#42 0x7fa78567e5e3 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /layout/base/nsCSSFrameConstructor.cpp
#43 0x7fa785671028 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8697:16
#44 0x7fa7856047b1 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /layout/base/RestyleManager.cpp:1565:25
#45 0x7fa78560ddd5 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3117:9
#46 0x7fa7855d5186 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3197:3
#47 0x7fa7855d3984 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4320:39
#48 0x7fa78555c391 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2552:22
#49 0x7fa785569ed7 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
#50 0x7fa785569ed7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
#51 0x7fa785569c3d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
#52 0x7fa7855694a5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
#53 0x7fa785568b6f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
#54 0x7fa7855682b9 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
#55 0x7fa785567be9 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
#56 0x7fa785567794 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
#57 0x7fa7841a42ed in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#58 0x7fa7845f2432 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#59 0x7fa77e0e4a65 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6088:32
#60 0x7fa77e042db9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1781:25
#61 0x7fa77e03fe27 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1706:9
#62 0x7fa77e040a74 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1506:3
#63 0x7fa77e041d02 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1604:14
#64 0x7fa77c8f94d2 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:475:16
#65 0x7fa77c8beb15 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:788:26
#66 0x7fa77c8bbcc8 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:620:15
#67 0x7fa77c8bc3f0 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:398:36
#68 0x7fa77c902104 in operator() /xpcom/threads/TaskController.cpp:127:37
#69 0x7fa77c902104 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_1>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#70 0x7fa77c8df8b7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1180:16
#71 0x7fa77c8e9ce4 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#72 0x7fa77e04a574 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:107:5
#73 0x7fa77decab71 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
#74 0x7fa77decab71 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#75 0x7fa77decab71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#76 0x7fa784fc4197 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:137:27
#77 0x7fa789fd7d57 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:875:20
#78 0x7fa77decab71 in RunInternal /ipc/chromium/src/base/message_loop.cc:380:10
#79 0x7fa77decab71 in RunHandler /ipc/chromium/src/base/message_loop.cc:373:3
#80 0x7fa77decab71 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:355:3
#81 0x7fa789fd6ebf in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:734:34
#82 0x559235e7f6c5 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#83 0x559235e7fa76 in main /browser/app/nsBrowserApp.cpp:338:18
#84 0x7fa7a3c3e082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#85 0x559235dbfb09 in _start (/home/jkratzer/builds/mc-asan/firefox+0x77b09) (BuildId: 09f49d8cb6a9ec3c101de986fdb69b53e1fe5daf)
0x625000255dd8 is located 1240 bytes inside of 8192-byte region [0x625000255900,0x625000257900)
allocated by thread T0 (Isolated Web Co) here:
#0 0x559235e4202e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7fa77c8966f0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
#2 0x7fa78571a53d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
#3 0x7fa78571a53d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
#4 0x7fa78571a53d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
#5 0x7fa785a2a2cd in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:280:32
#6 0x7fa785a2a2cd in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:272:12
#7 0x7fa785a2a2cd in operator new /layout/generic/nsTextFrame.cpp:4804:1
#8 0x7fa785a2a2cd in NS_NewTextFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /layout/generic/nsTextFrame.cpp:4801:10
#9 0x7fa785667b0f in nsCSSFrameConstructor::ConstructTextFrame(nsCSSFrameConstructor::FrameConstructionData const*, nsFrameConstructorState&, nsIContent*, nsContainerFrame*, mozilla::ComputedStyle*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3353:7
#10 0x7fa785670c58 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5738:5
#11 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#12 0x7fa78566b80c in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:11062:3
#13 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
#14 0x7fa785670a28 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5751:3
#15 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#16 0x7fa78566b80c in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:11062:3
#17 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
#18 0x7fa785670a28 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5751:3
#19 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#20 0x7fa78566b80c in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:11062:3
#21 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
#22 0x7fa785670a28 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5751:3
#23 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#24 0x7fa78566b80c in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:11062:3
#25 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
#26 0x7fa785670a28 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5751:3
#27 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#28 0x7fa78565c7c8 in nsCSSFrameConstructor::ConstructTableCell(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:2258:5
#29 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
#30 0x7fa785670a28 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:5751:3
#31 0x7fa78565a295 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:9611:5
#32 0x7fa78565aec3 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*) /layout/base/nsCSSFrameConstructor.cpp:9775:3
#33 0x7fa78565bd01 in nsCSSFrameConstructor::ConstructTableRowOrRowGroup(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:2163:5
#34 0x7fa785668f4b in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /layout/base/nsCSSFrameConstructor.cpp:3731:16
SUMMARY: AddressSanitizer: use-after-poison /layout/generic/nsBlockFrame.cpp in nsBlockInFlowLineIterator::nsBlockInFlowLineIterator(nsBlockFrame*, nsIFrame*, bool*)
Shadow bytes around the buggy address:
0x0c4a80042b60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80042b70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80042b80: f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00
0x0c4a80042b90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80042ba0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80042bb0: 00 00 00 00 00 00 00 00 00 00 f7[f7]f7 f7 f7 f7
0x0c4a80042bc0: f7 f7 f7 f7 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80042bd0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80042be0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x0c4a80042bf0: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a80042c00: 00 00 00 00 00 00 00 f7 f7 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==935416==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
This poking at a text frame, allocated in a textFrame pool so it certainly matches the use-after-poison description and should, therefore, be just a stability issue. But none of the addresses reported by ASAN show any sign of the poisoning address (pointed at explicitly un-mapped memory) that would make a frame-related UAF safe. I don't know if this is a sec-high UAF or not!
Group: core-security → layout-core-security
|
||
Comment 3•2 years ago
|
||
Two possible solutions:
- Queue the RecreateAccessible call so it runs when it's safe.
- Similar to bug 1610088, have some state flag somewhere which says it's not safe to use layout and check that flag in relevant places.
|
|
||
Updated•2 years ago
|
Severity: -- → S3
|
|
||
Comment 4•2 years ago
|
||
[this code] matches the use-after-poison description and should, therefore, be just a stability issue. But none of the addresses reported by ASAN show any sign of the poisoning address (pointed at explicitly un-mapped memory) that would make a frame-related UAF safe.
This is because ASAN uses its own poison address. Running this test in a debug build should let us know if it's really frame-poisoning of not.
|
|
||
Comment 5•2 years ago
|
||
Tyson confirms this crash is really protected by our frame-poisoning mitigation, e.g. rdi: 0x7ffffffff0dea81b (and similar in a few other registers).
Group: layout-core-security
Keywords: csectype-framepoisoning
Whiteboard: [bugmon:confirm] → [bugmon:confirm][sg:dos]
|
||
Comment 6•2 years ago
|
||
Bugmon Analysis
Unable to reproduce bug 1772592 using build mozilla-central 20220603093350-2f53c261903e. Without a baseline, bugmon is unable to analyze this bug.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
|
Reporter | |
Updated•2 years ago
|
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 7•2 years ago
|
||
Attachment #9279660 -
Attachment is obsolete: true
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 8•2 years ago
|
||
Attachment #9292039 -
Attachment is obsolete: true
|
|
Reporter | |
Comment 9•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20220829094551-ad01d1ce5556.
The bug appears to have been introduced in the following build range:
Start: 79a95b01b69d1517d1a4052a1137b14d1c0a9663 (20220526153457)
End: 111da7fafa00f6e16cad3bd9c5a30190fc8c549e (20220526170736)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=79a95b01b69d1517d1a4052a1137b14d1c0a9663&tochange=111da7fafa00f6e16cad3bd9c5a30190fc8c549e
Keywords: regression
Whiteboard: [bugmon:confirm][sg:dos] → [bugmon:bisected,confirmed][sg:dos]
|
|
||
Comment 10•2 years ago
|
||
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220603093350-2f53c261903e) but not with tip (mozilla-central 20220910094302-9acb1117b572.)
The bug appears to have been fixed in the following build range:
Start: a4ef3b241decd01f778448bb227cff3a91c674ec (20220903212426)
End: 08105e2d612c8a4b1f2b388dea58b6d70ff13e5a (20220903214428)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=a4ef3b241decd01f778448bb227cff3a91c674ec&tochange=08105e2d612c8a4b1f2b388dea58b6d70ff13e5a
jkratzer, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Flags: needinfo?(jkratzer)
Keywords: bugmon
|
|
Reporter | |
Comment 11•2 years ago
|
||
The fuzzers haven't seen this since 2022/06/06. :smaug, is it possible that this was fixed via bug 1788125?
Flags: needinfo?(jkratzer) → needinfo?(smaug)
|
||
Comment 12•2 years ago
|
||
No, that shouldn't fix anything like this. It might make triggering the issue harder though, if the test is using sync XHR.
Flags: needinfo?(smaug)
You need to log in
before you can comment on or make changes to this bug.
Description
•