use-after-poison /layout/generic/nsIFrame.cpp:617 in nsIFrame::IsRenderedLegend
Categories
(Core :: Layout, defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox105 | --- | unaffected |
| firefox106 | --- | wontfix |
| firefox107 | --- | fixed |
| firefox108 | --- | fixed |
People
(Reporter: m.cooolie, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: csectype-framepoisoning, regression, reporter-external, Whiteboard: [reporter-external] [client-bounty-form] [verif?][bugmon:confirmed,bisected])
Attachments
(4 files, 1 obsolete file)
#TestOn
Firefox:107.0a1 (2022-09-19) (64-bit)
Windows NT 10.0; Win64; x64
#Reproduce
python -m ffpuppet firefox.exe -p prefs.js -d -u poc.html
Type of crash
render tab
#Analysis
Come soon
#Patch
Not yet
#asan
=================================================================
==4180==ERROR: AddressSanitizer: use-after-poison on address 0x1220fc4c3f75 at pc 0x7ffb3e605f36 bp 0x00cd0adf6760 sp 0x00cd0adf67a8
READ of size 1 at 0x1220fc4c3f75 thread T0
#0 0x7ffb3e605f35 in nsIFrame::IsRenderedLegend /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:617
#1 0x7ffb3e29d732 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8315
#2 0x7ffb3e29c2a5 in nsCSSFrameConstructor::ContentRemoved /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7497
#3 0x7ffb3e29bf75 in nsCSSFrameConstructor::ContentRemoved /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7476
#4 0x7ffb3e29bf75 in nsCSSFrameConstructor::ContentRemoved /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7476
#5 0x7ffb3e28a532 in nsCSSFrameConstructor::RecreateFramesForContent /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:8553
#6 0x7ffb3e2007b5 in mozilla::RestyleManager::ProcessRestyledFrames /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:1590
#7 0x7ffb3e20ca9b in mozilla::RestyleManager::DoProcessPendingRestyles /builds/worker/checkouts/gecko/layout/base/RestyleManager.cpp:3149
#8 0x7ffb3e1bad0e in mozilla::PresShell::DoFlushPendingNotifications /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4392
#9 0x7ffb3e119fc2 in nsRefreshDriver::Tick /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2565
#10 0x7ffb3e132de3 in mozilla::RefreshDriverTimer::TickRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353
#11 0x7ffb3e1329e3 in mozilla::RefreshDriverTimer::Tick /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369
#12 0x7ffb3e132083 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896
#13 0x7ffb3e130a7b in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:810
#14 0x7ffb3e12f920 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:731
#15 0x7ffb3e12ef9b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594
#16 0x7ffb3e12ea6d in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551
#17 0x7ffb3c865bba in mozilla::dom::VsyncMainChild::RecvNotify /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68
#18 0x7ffb3cc8386e in mozilla::dom::PVsyncChild::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220
#19 0x7ffb35541668 in mozilla::ipc::PBackgroundChild::OnMessageReceived /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267
#20 0x7ffb354be1e2 in mozilla::ipc::MessageChannel::DispatchAsyncMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756
#21 0x7ffb354bb526 in mozilla::ipc::MessageChannel::DispatchMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681
#22 0x7ffb354bc624 in mozilla::ipc::MessageChannel::RunMessage /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481
#23 0x7ffb354bce56 in mozilla::ipc::MessageChannel::MessageTask::Run /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579
#24 0x7ffb33e7bf3d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538
#25 0x7ffb33e2a192 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851
#26 0x7ffb33e2659c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683
#27 0x7ffb33e26f7e in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461
#28 0x7ffb33e84d91 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:190:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531
#29 0x7ffb33e56e35 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205
#30 0x7ffb33e662ec in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#31 0x7ffb354c6b81 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:107
#32 0x7ffb353e0b65 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
#33 0x7ffb353e0935 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
#34 0x7ffb3d83cb1a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150
#35 0x7ffb3da47c9e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
#36 0x7ffb423dad64 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880
#37 0x7ffb353e0b65 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
#38 0x7ffb353e0935 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
#39 0x7ffb423d9f28 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739
#40 0x7ff7cf832bbf in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359
#41 0x7ff7cf8317bf in wmain /builds/worker/checkouts/gecko/toolkit/xre/nsWindowsWMain.cpp:167
#42 0x7ff7cf926047 in __scrt_common_main_seh d:\agent\_work\2\s\src\vctools\crt\vcstartup\src\startup\exe_common.inl:288
#43 0x7ffbaa2e7033 in BaseThreadInitThunk+0x13 (C:\WINDOWS\System32\KERNEL32.DLL+0x180017033)
#44 0x7ffbaa422650 in RtlUserThreadStart+0x20 (C:\WINDOWS\SYSTEM32\ntdll.dll+0x180052650)
0x1220fc4c3f75 is located 5749 bytes inside of 8192-byte region [0x1220fc4c2900,0x1220fc4c4900)
allocated by thread T0 here:
#0 0x7ffb61e2e02b in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_win.cpp:98
#1 0x7ffb3e38864c in mozilla::ArenaAllocator<8192,8>::Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70
#2 0x7ffb3e3fd070 in NS_NewViewportFrame /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:33
#3 0x7ffb3e2739ef in nsCSSFrameConstructor::ConstructRootFrame /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:2578
#4 0x7ffb3e19e3c8 in mozilla::PresShell::Initialize /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:1881
#5 0x7ffb373b95c9 in nsContentSink::StartLayout /builds/worker/checkouts/gecko/dom/base/nsContentSink.cpp:564
#6 0x7ffb35d390c0 in nsHtml5TreeOpExecutor::StartLayout /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:881
#7 0x7ffb35d347cb in nsHtml5TreeOperation::Perform /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOperation.cpp:1207
#8 0x7ffb35d31fe0 in nsHtml5TreeOpExecutor::RunFlushLoop /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:685
#9 0x7ffb35d3ffc7 in nsHtml5ExecutorFlusher::Run /builds/worker/checkouts/gecko/parser/html/nsHtml5StreamParser.cpp:174
#10 0x7ffb33e112f6 in mozilla::SchedulerGroup::Runnable::Run /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140
#11 0x7ffb33e7bf3d in mozilla::RunnableTask::Run /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538
#12 0x7ffb33e2a192 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851
#13 0x7ffb33e2659c in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683
#14 0x7ffb33e26f7e in mozilla::TaskController::ProcessPendingMTTask /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461
#15 0x7ffb33e84d71 in mozilla::detail::RunnableFunction<`lambda at /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:7'>::Run /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531
#16 0x7ffb33e56e35 in nsThread::ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205
#17 0x7ffb33e662ec in NS_ProcessNextEvent /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465
#18 0x7ffb354c6a07 in mozilla::ipc::MessagePump::Run /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85
#19 0x7ffb353e0b65 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
#20 0x7ffb353e0935 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
#21 0x7ffb3d83cb1a in nsBaseAppShell::Run /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150
#22 0x7ffb3da47c9e in nsAppShell::Run /builds/worker/checkouts/gecko/widget/windows/nsAppShell.cpp:614
#23 0x7ffb423dad64 in XRE_RunAppShell /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880
#24 0x7ffb353e0b65 in MessageLoop::RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374
#25 0x7ffb353e0935 in MessageLoop::Run /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356
#26 0x7ffb423d9f28 in XRE_InitChildProcess /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739
#27 0x7ff7cf832bbf in NS_internal_main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359
SUMMARY: AddressSanitizer: use-after-poison /builds/worker/checkouts/gecko/layout/generic/nsIFrame.cpp:617 in nsIFrame::IsRenderedLegend
Shadow bytes around the buggy address:
0x041b1bc98790: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc987a0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc987b0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc987c0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc987d0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x041b1bc987e0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7
0x041b1bc987f0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc98800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc98810: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc98820: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
0x041b1bc98830: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==4180==ABORTING
For bugmon: (--enable-address-sanitizer --enable-fuzzing)
Comment 3•3 years ago
This looks like safe framepoisoning, but we're having trouble reproducing to be sure. Tyson is going to reduce the testcase if we can just to be sure.
Comment 4•3 years ago
I am unable to reproduce the issue with the attached test case. I tried on both Windows and Linux with the included prefs.js file using m-c 20220921-5ad292b847e4 (ASan).
m.cooolie is the attached test case reliable for you? If not do you have a more reliable test case?
Sorry, I uploaded the wrong poc before, try this~
Comment 6•3 years ago
> (In reply to m.cooolie from comment #5)
> Sorry, I uploaded the wrong poc before, try this~
Thank you, that one works for me.
Running with a debug build gives me the following assertion:
Assertion failure: !HasProperty(aProperty) (Shouldn't update an existing nsFrameList property!), at /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4173
#0 0x7ff1bd1b6dce in SetProperty<nsFrameList> /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:4172:7
#1 0x7ff1bd1b6dce in nsContainerFrame::SetOverflowFrames(nsFrameList&&) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.h:639:5
#2 0x7ff1bd1bded0 in nsContainerFrame::PushChildrenToOverflow(nsIFrame*, nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1513:3
#3 0x7ff1bd28b2e6 in nsInlineFrame::PushFrames(nsPresContext*, nsIFrame*, nsIFrame*, nsInlineFrame::InlineReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:782:3
#4 0x7ff1bd28ad79 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp
#5 0x7ff1bd28a427 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:543:7
#6 0x7ff1bd289bcd in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:359:3
#7 0x7ff1bd2b909a in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:870:13
#8 0x7ff1bd1a559f in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4720:15
#9 0x7ff1bd1a4cab in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4522:5
#10 0x7ff1bd1a1055 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4405:9
#11 0x7ff1bd19d4b7 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3382:5
#12 0x7ff1bd197385 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2896:9
#13 0x7ff1bd192865 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1472:3
#14 0x7ff1bd1a3976 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
#15 0x7ff1bd19fdb7 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4033:11
#16 0x7ff1bd19d56e in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3379:5
#17 0x7ff1bd197385 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2896:9
#18 0x7ff1bd192865 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1472:3
#19 0x7ff1bd1b6ac5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1005:14
#20 0x7ff1bd1b5bbd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:794:7
#21 0x7ff1bd1b6ac5 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1005:14
#22 0x7ff1bd1fff69 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:838:3
#23 0x7ff1bd200b5f in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:974:3
#24 0x7ff1bd204eb6 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1399:3
#25 0x7ff1bd1873d6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1045:14
#26 0x7ff1bd186b3c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:375:7
#27 0x7ff1bd082ce9 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9647:11
#28 0x7ff1bd0a64bf in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9819:24
#29 0x7ff1bd08c4c4 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9889:10
#30 0x7ff1bd08c4c4 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4409:11
#31 0x7ff1bd051273 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1470:5
#32 0x7ff1bd051273 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2599:20
#33 0x7ff1bd059ef0 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:375:13
#34 0x7ff1bd059ef0 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:353:7
#35 0x7ff1bd059df3 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:369:5
#36 0x7ff1bd059ac0 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:896:5
#37 0x7ff1bd05912a in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:810:5
#38 0x7ff1bd058b15 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:731:5
#39 0x7ff1bd05874a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:594:14
#40 0x7ff1bd05835c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:551:9
#41 0x7ff1bc5265ab in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /builds/worker/checkouts/gecko/dom/ipc/VsyncMainChild.cpp:68:15
#42 0x7ff1bc7b3336 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#43 0x7ff1b899e8e4 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
#44 0x7ff1b89329c1 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1756:25
#45 0x7ff1b892f515 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1681:9
#46 0x7ff1b89300b6 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1481:3
#47 0x7ff1b8931441 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1579:14
#48 0x7ff1b7d6480e in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
#49 0x7ff1b7d3cd29 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
#50 0x7ff1b7d3b8b3 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
#51 0x7ff1b7d3bb23 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
#52 0x7ff1b7d680b6 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
#53 0x7ff1b7d680b6 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#54 0x7ff1b7d5197f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1205:16
#55 0x7ff1b7d57f8d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:465:10
#56 0x7ff1b8938446 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
#57 0x7ff1b885daa7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#58 0x7ff1b885d9b2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#59 0x7ff1b885d9b2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#60 0x7ff1bcd18428 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
#61 0x7ff1bef0f4ab in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:880:20
#62 0x7ff1b893933a in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:235:9
#63 0x7ff1b885daa7 in MessageLoop::RunInternal() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
#64 0x7ff1b885d9b2 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
#65 0x7ff1b885d9b2 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
#66 0x7ff1bef0e9c3 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:739:34
#67 0x5607f98c4b39 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#68 0x5607f98c4b39 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
#69 0x7ff1d07dd082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
#70 0x5607f989a8dc in _start (/home/user/workspace/browsers/m-c-20220919155806-fuzzing-debug/firefox-bin+0x168dc) (BuildId: d1d9e85a5aaf7d54fd4cb10025d19739f09674b2)
Comment 7•3 years ago
I was able to further reduce the test case.
Comment 8•3 years ago
A Pernosco session is available here: https://pernos.co/debug/mH5czOodlP8LNYTLdBonuQ/index.html
Comment 9•3 years ago
The bug appears to have been introduced in the following build range:
Start: 94b83f6cb22235b36d0b3d013707478d1f9c7766 (20220915203016)
End: dc01248b58a81fa6b10e8a308829fafd7c453cbe (20220915222604)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=94b83f6cb22235b36d0b3d013707478d1f9c7766&tochange=dc01248b58a81fa6b10e8a308829fafd7c453cbe
Comment 10•3 years ago
:mrobinson, since you are the author of the regressor, bug 1789255, could you take a look? Also, could you set the severity field?
For more information, please visit auto_nag documentation.
Comment 12•3 years ago
There seem to be two things going on here:
- The non-block anonymous box text child of the `<body>` tag is being reflowed (because it's anonymous) which triggers reflow (somehow) of the rest of the body contents. This layout doesn't need to happen because the work-around for anonymous children from bug 1789255 is really only useful for anonymous block children.
- This triggers some fairly wacky stuff to happen because of another bug which is that the `NS_FRAME_IN_REFLOW` and `NS_FRAME_FIRST_REFLOW` state bits are not cleared for skipped children that are only partially reflowed.
I will open a new bug to address the performance issue #1 and fix #2 in the same commit without mentioning it in the commit message.
Comment 13•3 years ago
Bugmon Analysis
Testcase crashes using the initial build (mozilla-central 20220921035608-fb7ca98a6881) but not with tip (mozilla-central 20221014215500-0bf2cd2f9e73).
The bug appears to have been fixed in the following build range:
Start: 5cbd3d92a78c54b324b6009a25d196adaa8a669b (20221011093208)
End: 75c1403f58f79d1abd43d33fdd1beb36db9367c6 (20221011075004)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=5cbd3d92a78c54b324b6009a25d196adaa8a669b&tochange=75c1403f58f79d1abd43d33fdd1beb36db9367c6
m.cooolie, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Comment 14 (Reporter)•3 years ago
The latest version no longer reproduces.
Namespace: gecko.v2.mozilla-central.latest.firefox.win64-fuzzing-asan-opt
Rank: 1665912703
Created: 18 hours ago
Comment 15•3 years ago
Set release status flags based on info from the regressing bug 1789255
Comment 16•3 years ago
Per comment 13 and comment 14, this has been fixed via bug 1794415 (thanks, Martin!), which landed already for 107; updating flags accordingly.
Comment 17•3 years ago
ASAN reports use-after-poison for objects allocated from pools. It's essentially equivalent to a use-after-free, but in the specific case of the nsIFrame family of objects we have a mitigation called "frame poisoning" that makes these unexploitable.
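The mitigation described in this comment, as an added illustration that is not Gecko's code: a toy pool allocator whose free path first overwrites the object with a sentinel byte pattern and then marks the slot unaddressable through ASan's manual poisoning API, so a stale read of a freed object either yields the sentinel (plain build) or is reported as use-after-poison (ASan build, the kind of report shown at the top of this bug). A second, naive free path shows the contrast: without poisoning the stale field still reads as a live pointer and nothing flags it. The names `ToyFrame`, `ToyArena` and the `POISON_BYTE` value are constructed for the example; Gecko's real poison value and arena layout are not on this page.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Detect AddressSanitizer so the example uses its manual-poisoning API when
 * present and degrades to a plain byte-pattern check otherwise. */
#if defined(__SANITIZE_ADDRESS__)
#  define HAVE_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define HAVE_ASAN 1
#  endif
#endif

#ifdef HAVE_ASAN
#  include <sanitizer/asan_interface.h>
#  define POISON_REGION(p, n)   ASAN_POISON_MEMORY_REGION((p), (n))
#  define UNPOISON_REGION(p, n) ASAN_UNPOISON_MEMORY_REGION((p), (n))
#else
#  define POISON_REGION(p, n)   ((void)0)
#  define UNPOISON_REGION(p, n) ((void)0)
#endif

#define POOL_SLOTS  4
#define POISON_BYTE 0x7f  /* constructed sentinel; not Gecko's real poison value */

/* Toy stand-in for an nsIFrame: a pointer a layout query would follow, plus state. */
typedef struct ToyFrame {
    struct ToyFrame *parent;
    uint32_t state_bits;
} ToyFrame;

/* Toy stand-in for a pool allocator: fixed slots plus a stack of free slot indices. */
typedef struct {
    ToyFrame slots[POOL_SLOTS];
    int free_stack[POOL_SLOTS];
    int n_free;
} ToyArena;

void arena_init(ToyArena *a) {
    a->n_free = 0;
    for (int i = POOL_SLOTS - 1; i >= 0; i--) a->free_stack[a->n_free++] = i;
    memset(a->slots, POISON_BYTE, sizeof a->slots);
    POISON_REGION(a->slots, sizeof a->slots);  /* unallocated slots are unaddressable */
}

ToyFrame *arena_alloc(ToyArena *a) {
    if (a->n_free == 0) return NULL;
    ToyFrame *f = &a->slots[a->free_stack[--a->n_free]];
    UNPOISON_REGION(f, sizeof *f);  /* slot becomes addressable again */
    memset(f, 0, sizeof *f);
    return f;
}

/* Naive free: just push the slot back. Stale fields keep plausible old values. */
void arena_free_naive(ToyArena *a, ToyFrame *f) {
    a->free_stack[a->n_free++] = (int)(f - a->slots);
}

/* Poisoning free, in the spirit of frame poisoning: overwrite the object with
 * the sentinel, then mark the slot unaddressable so ASan reports any touch. */
void arena_free_poisoned(ToyArena *a, ToyFrame *f) {
    memset(f, POISON_BYTE, sizeof *f);
    POISON_REGION(f, sizeof *f);
    a->free_stack[a->n_free++] = (int)(f - a->slots);
}

/* After a naive free, does a stale read of `parent` still look like a live pointer? */
int stale_read_looks_valid(void) {
    static ToyArena arena;
    arena_init(&arena);
    ToyFrame *root = arena_alloc(&arena);
    ToyFrame *child = arena_alloc(&arena);
    child->parent = root;
    arena_free_naive(&arena, child);
    return child->parent == root;  /* slot still addressable: no signal at all */
}

/* After a poisoning free, is a stale read of `parent` caught? Under ASan the
 * slot is reported the moment it is touched, so we ask the runtime instead of
 * touching it; without ASan the read yields only the sentinel bytes. */
int stale_read_is_caught(void) {
    static ToyArena arena;
    arena_init(&arena);
    ToyFrame *root = arena_alloc(&arena);
    ToyFrame *child = arena_alloc(&arena);
    child->parent = root;
    arena_free_poisoned(&arena, child);
#ifdef HAVE_ASAN
    return __asan_address_is_poisoned(&child->parent);
#else
    unsigned char bytes[sizeof child->parent];
    memcpy(bytes, &child->parent, sizeof bytes);
    for (size_t i = 0; i < sizeof bytes; i++)
        if (bytes[i] != POISON_BYTE) return 0;
    return 1;
#endif
}

int main(void) {
    printf("naive free: stale parent still looks live = %d\n", stale_read_looks_valid());
    printf("poisoned free: stale read caught = %d\n", stale_read_is_caught());
    return 0;
}
```

The two halves of the free path do different jobs: the byte pattern makes a stale pointer unusable even in a release build (a dereference of sentinel bytes does not land on attacker-influenced data), while the ASan poisoning is what turns such a read into the `use-after-poison` report in the log above rather than a silent read from still-mapped arena memory. The naive path shows that a pool with neither step gives no signal at all, which is why a use-after-poison on a poisoned arena is reported as a bug to fix but not as an exploitable one.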