Closed Bug 1795030 Opened 2 years ago Closed 2 years ago

AddressSanitizer: use-after-poison [@ GetColType] with READ of size 8

Categories

(Core :: Layout: Tables, defect)

Product:
Core
Component:
Layout: Tables
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
107 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox105 --- unaffected
firefox106 --- unaffected
firefox107 --- fixed

People

(Reporter: jkratzer, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(2 files)

Testcase
499 bytes, text/html
Details
Bug 1795030 - Add a crashtest. r?emilio
48 bytes, text/x-phabricator-request
Details | Review

Testcase found while fuzzing mozilla-central rev cbbf6a7e34a3 (built with: --enable-address-sanitizer --enable-fuzzing).

Testcase can be reproduced using the following commands:

$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cbbf6a7e34a3 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html

AddressSanitizer: use-after-poison [@ GetColType] with READ of size 8

    =================================================================
    ==281129==ERROR: AddressSanitizer: use-after-poison on address 0x625000216048 at pc 0x7f3503ecbdae bp 0x7ffcb2065830 sp 0x7ffcb2065828
    READ of size 8 at 0x625000216048 thread T0 (Isolated Web Co)
        #0 0x7f3503ecbdad in GetColType /layout/tables/nsTableColFrame.cpp:53:28
        #1 0x7f3503ecbdad in nsTableFrame::InsertCol(nsTableColFrame&, int) /layout/tables/nsTableFrame.cpp:549:49
        #2 0x7f3503ecb764 in nsTableColGroupFrame::AddColsToTable(int, bool, nsFrameList::Slice const&) /layout/tables/nsTableColGroupFrame.cpp:82:17
        #3 0x7f3503ecc33f in nsTableFrame::AppendAnonymousColFrames(nsTableColGroupFrame*, int, nsTableColType, bool) /layout/tables/nsTableFrame.cpp:711:21
        #4 0x7f3503a5e498 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /layout/base/nsCSSFrameConstructor.cpp:7553:5
        #5 0x7f3503a53502 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /layout/base/nsCSSFrameConstructor.cpp:8505:7
        #6 0x7f35039e9891 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /layout/base/RestyleManager.cpp:1590:25
        #7 0x7f35039f2dc5 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /layout/base/RestyleManager.cpp:3160:9
        #8 0x7f35039ba156 in mozilla::RestyleManager::ProcessPendingRestyles() /layout/base/RestyleManager.cpp:3245:3
        #9 0x7f35039b8cb9 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4379:39
        #10 0x7f350393eb92 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2563:22
        #11 0x7f350394c6f7 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
        #12 0x7f350394c6f7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
        #13 0x7f350394c45d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
        #14 0x7f350394bcc5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
        #15 0x7f350394b38f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
        #16 0x7f350394aaf9 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
        #17 0x7f350394a449 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
        #18 0x7f3503949ff4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
        #19 0x7f3502516dad in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
        #20 0x7f350297f452 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
        #21 0x7f34fc08565b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
        #22 0x7f34fbfdfd09 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
        #23 0x7f34fbfdcd77 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
        #24 0x7f34fbfdd9c4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
        #25 0x7f34fbfdec52 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
        #26 0x7f34fa853962 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #27 0x7f34fa8141ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #28 0x7f34fa811318 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #29 0x7f34fa811a40 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #30 0x7f34fa85c891 in operator() /xpcom/threads/TaskController.cpp:187:37
        #31 0x7f34fa85c891 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #32 0x7f34fa8354e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #33 0x7f34fa83f964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #34 0x7f34fbfe74cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #35 0x7f34fbe64931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #36 0x7f34fbe64931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #37 0x7f34fbe64931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #38 0x7f3503348cd7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #39 0x7f3508500d57 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
        #40 0x7f34fbe64931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #41 0x7f34fbe64931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #42 0x7f34fbe64931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #43 0x7f35084ffe43 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
        #44 0x5615e06286b5 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
        #45 0x5615e0628b07 in main /browser/app/nsBrowserApp.cpp:357:18
        #46 0x7f3522d05d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
        #47 0x7f3522d05e3f in __libc_start_main csu/../csu/libc-start.c:392:3
        #48 0x5615e0568a19 in _start (/home/jkratzer/builds/m-c-20221012213343-fuzzing-asan-opt/firefox+0x7aa19) (BuildId: adbe1c096dab7bbb37beb0202c1905226ea2f6fc)
    
    0x625000216048 is located 5960 bytes inside of 8192-byte region [0x625000214900,0x625000216900)
    allocated by thread T0 (Isolated Web Co) here:
        #0 0x5615e05eaf3e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
        #1 0x7f34fa7ec250 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
        #2 0x7f3503af35bd in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
        #3 0x7f3503af35bd in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
        #4 0x7f3503af35bd in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
        #5 0x7f3503b7871d in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:295:32
        #6 0x7f3503b7871d in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:287:12
        #7 0x7f3503b7871d in operator new /layout/generic/ViewportFrame.cpp:36:1
        #8 0x7f3503b7871d in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /layout/generic/ViewportFrame.cpp:33:10
        #9 0x7f3503a44bcb in nsCSSFrameConstructor::ConstructRootFrame() /layout/base/nsCSSFrameConstructor.cpp:2557:7
        #10 0x7f35039a3f94 in mozilla::PresShell::Initialize() /layout/base/PresShell.cpp:1882:36
        #11 0x7f34fddae2b9 in nsContentSink::StartLayout(bool) /dom/base/nsContentSink.cpp:562:30
        #12 0x7f34fc7fbe99 in nsHtml5TreeOpExecutor::StartLayout(bool*) /parser/html/nsHtml5TreeOpExecutor.cpp:881:18
        #13 0x7f34fc80bc74 in operator() /parser/html/nsHtml5TreeOperation.cpp:1190:17
        #14 0x7f34fc80bc74 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 41ul, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:266:16
        #15 0x7f34fc80b4ad in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 40ul, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #16 0x7f34fc80ab3f in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 39ul, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #17 0x7f34fc80a6c5 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 38ul, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #18 0x7f34fc809ff0 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 37ul, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #19 0x7f34fc8096c9 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 36ul, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #20 0x7f34fc809127 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 32ul, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #21 0x7f34fc808267 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 16ul, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
        #22 0x7f34fc7fa083 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:852:12
        #23 0x7f34fc7fa083 in Perform /parser/html/nsHtml5TreeOperation.cpp:1207:21
        #24 0x7f34fc7fa083 in nsHtml5TreeOpExecutor::RunFlushLoop() /parser/html/nsHtml5TreeOpExecutor.cpp:686:19
        #25 0x7f34fc801217 in nsHtml5ExecutorFlusher::Run() /parser/html/nsHtml5StreamParser.cpp:174:18
        #26 0x7f34fa80086f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
        #27 0x7f34fa853962 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
        #28 0x7f34fa8141ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
        #29 0x7f34fa811318 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
        #30 0x7f34fa811a40 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
        #31 0x7f34fa85c891 in operator() /xpcom/threads/TaskController.cpp:187:37
        #32 0x7f34fa85c891 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
        #33 0x7f34fa8354e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
        #34 0x7f34fa83f964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
        #35 0x7f34fbfe74cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
        #36 0x7f34fbe64931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
        #37 0x7f34fbe64931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
        #38 0x7f34fbe64931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
        #39 0x7f3503348cd7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
        #40 0x7f3508500d57 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
    
    SUMMARY: AddressSanitizer: use-after-poison /layout/tables/nsTableColFrame.cpp:53:28 in GetColType
    Shadow bytes around the buggy address:
      0x0c4a8003abb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003abc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003abd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003abe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003abf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7
    =>0x0c4a8003ac00: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
      0x0c4a8003ac10: f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003ac20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003ac30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003ac40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      0x0c4a8003ac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    Shadow byte legend (one shadow byte represents 8 application bytes):
      Addressable:           00
      Partially addressable: 01 02 03 04 05 06 07 
      Heap left redzone:       fa
      Freed heap region:       fd
      Stack left redzone:      f1
      Stack mid redzone:       f2
      Stack right redzone:     f3
      Stack after return:      f5
      Stack use after scope:   f8
      Global redzone:          f9
      Global init order:       f6
      Poisoned by user:        f7
      Container overflow:      fc
      Array cookie:            ac
      Intra object redzone:    bb
      ASan internal:           fe
      Left alloca redzone:     ca
      Right alloca redzone:    cb
    ==281129==ABORTING
Attached file Testcase 

    
    

    
  
This looks like frame-poisoning, which isn't exploitable.


Group: core-security → layout-core-security

        Attachment #9298402 -
        Attachment mime type: text/plain → text/html

    
    

    
  
Bugmon Analysis

Verified bug as reproducible on mozilla-central 20221013100028-3662e18e5c43.

The bug appears to have been introduced in the following build range:




Start: cd243979744cb162120fc13c0fe9ed4eb62bb6fe (20221011201302)

End: 2796a36d754343ffbe7ecce367ae76a26bf45b96 (20221011222538)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd243979744cb162120fc13c0fe9ed4eb62bb6fe&tochange=2796a36d754343ffbe7ecce367ae76a26bf45b96




Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
Flags: needinfo?(aethanyc)
Regressed by: 1794456

    
    

    
  
Set release status flags based on info from the regressing bug 1794456



          status-firefox105:
          --- → unaffected

          status-firefox106:
          --- → unaffected

          status-firefox107:
          --- → affected

          status-firefox-esr102:
          --- → unaffected

    
    

    
  


  
Depends on D159354


Assignee: nobody → aethanyc
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Depends on: 1795051

    
    

    
  
Bugmon Analysis

Testcase crashes using the initial build (mozilla-central 20221012213343-cbbf6a7e34a3) but not with tip (mozilla-central 20221014215500-0bf2cd2f9e73.)


The bug appears to have been fixed in the following build range:




Start: 639c1a648ed78031f92a6b5ae13ff0baebbded98 (20221014142314)

End: 3549afc9ae9392bd97f10982e0c3962d72d6a854 (20221014170630)

Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=639c1a648ed78031f92a6b5ae13ff0baebbded98&tochange=3549afc9ae9392bd97f10982e0c3962d72d6a854




TYLin, can you confirm that the above bisection range is responsible for fixing this issue?

Removing bugmon keyword as no further action possible.  Please review the bug and re-add the keyword for further analysis.


Flags: needinfo?(aethanyc)
Keywords: bugmon

    
    

    
  


Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=639c1a648ed78031f92a6b5ae13ff0baebbded98&tochange=3549afc9ae9392bd97f10982e0c3962d72d6a854

TYLin, can you confirm that the above bisection range is responsible for fixing this issue?




This bug is fixed by the patch in bug 1795051, which is in above range. The testcase in this bug is landed in https://hg.mozilla.org/mozilla-central/rev/bc31394ab288508274720246a762ab5c1a45c35b


Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → FIXED
Group: layout-core-security → core-security-release

          status-firefox107:
          affectedfixed
Target Milestone: --- → 107 Branch
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: