Closed
Bug 1795053
Opened 2 years ago
Closed 2 years ago
AddressSanitizer: use-after-poison [@ nsTableColFrame::ResetIntrinsics] with WRITE of size 4
Categories
(Core :: Layout: Tables, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1795030
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression, testcase, Whiteboard: [bugmon:bisected,confirmed])
Attachments
(1 file)
|
630 bytes,
text/plain
|
Details |
Testcase found while fuzzing mozilla-central rev cbbf6a7e34a3 (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build cbbf6a7e34a3 --asan --fuzzing -n firefox
$ python -m grizzly.replay ./firefox/firefox testcase.html
AddressSanitizer: use-after-poison [@ nsTableColFrame::ResetIntrinsics] with WRITE of size 4
=================================================================
==295247==ERROR: AddressSanitizer: use-after-poison on address 0x6250002163d8 at pc 0x7fd258830afb bp 0x7ffe6b0d0fa0 sp 0x7ffe6b0d0f98
WRITE of size 4 at 0x6250002163d8 thread T0 (Isolated Web Co)
#0 0x7fd258830afa in nsTableColFrame::ResetIntrinsics() /layout/tables/nsTableColFrame.h:119:15
#1 0x7fd25882ff12 in BasicTableLayoutStrategy::ComputeColumnIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:258:15
#2 0x7fd25882f628 in BasicTableLayoutStrategy::ComputeIntrinsicISizes(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:400:3
#3 0x7fd25882f5c9 in BasicTableLayoutStrategy::GetMinISize(gfxContext*) /layout/tables/BasicTableLayoutStrategy.cpp:42:5
#4 0x7fd25844e79c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#5 0x7fd258452984 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
#6 0x7fd25889feca in nsTableWrapperFrame::GetMinISize(gfxContext*) /layout/tables/nsTableWrapperFrame.cpp:244:19
#7 0x7fd25844e79c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#8 0x7fd258452984 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
#9 0x7fd25850c264 in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:832:29
#10 0x7fd258549da1 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:410:35
#11 0x7fd2584b72d7 in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:188:34
#12 0x7fd25844e79c in nsLayoutUtils::IntrinsicForAxis(mozilla::PhysicalAxis, gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int, int) /layout/base/nsLayoutUtils.cpp
#13 0x7fd258452984 in nsLayoutUtils::IntrinsicForContainer(gfxContext*, nsIFrame*, mozilla::IntrinsicISizeType, unsigned int) /layout/base/nsLayoutUtils.cpp:5187:10
#14 0x7fd25850c264 in nsBlockFrame::GetMinISize(gfxContext*) /layout/generic/nsBlockFrame.cpp:832:29
#15 0x7fd258549da1 in nsColumnSetFrame::GetMinISize(gfxContext*) /layout/generic/nsColumnSetFrame.cpp:410:35
#16 0x7fd2584b72d7 in mozilla::ColumnSetWrapperFrame::GetMinISize(gfxContext*) /layout/generic/ColumnSetWrapperFrame.cpp:188:34
#17 0x7fd25868fea1 in nsIFrame::ComputeISizeValue(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, nsIFrame::ExtremumLength, mozilla::Maybe<int>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.cpp:6687:15
#18 0x7fd2584e127d in nsIFrame::ISizeComputationResult nsIFrame::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/nsIFrame.h:4853:12
#19 0x7fd2584e0ed3 in int mozilla::SizeComputationInput::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(mozilla::WritingMode, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&) const /layout/generic/ReflowInput.cpp:229:9
#20 0x7fd2584d5d7b in int mozilla::SizeComputationInput::ComputeISizeValue<mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> >(mozilla::LogicalSize const&, mozilla::StyleBoxSizing, mozilla::StyleGenericMaxSize<mozilla::StyleLengthPercentageUnion> const&) const /layout/generic/ReflowInput.cpp:248:10
#21 0x7fd2584d1a75 in mozilla::ReflowInput::ComputeMinMaxValues(mozilla::LogicalSize const&) /layout/generic/ReflowInput.cpp:2975:9
#22 0x7fd2584c33e2 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) /layout/generic/ReflowInput.cpp:2286:5
#23 0x7fd2584be621 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) /layout/generic/ReflowInput.cpp:364:3
#24 0x7fd2584bf754 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::StyleSizeOverrides const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>) /layout/generic/ReflowInput.cpp:219:5
#25 0x7fd258545521 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsCanvasFrame.cpp:782:19
#26 0x7fd25854717d in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1023:14
#27 0x7fd2585cfe85 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /layout/generic/nsGfxScrollFrame.cpp:838:3
#28 0x7fd2585d19c0 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /layout/generic/nsGfxScrollFrame.cpp:974:3
#29 0x7fd2585d7417 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/nsGfxScrollFrame.cpp:1398:3
#30 0x7fd2584fe984 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /layout/generic/nsContainerFrame.cpp:1063:14
#31 0x7fd2584fdfd2 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /layout/generic/ViewportFrame.cpp:375:7
#32 0x7fd258329e61 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /layout/base/PresShell.cpp:9627:11
#33 0x7fd258363667 in mozilla::PresShell::ProcessReflowCommands(bool) /layout/base/PresShell.cpp:9799:24
#34 0x7fd25833addf in DoFlushLayout /layout/base/PresShell.cpp:9869:10
#35 0x7fd25833addf in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /layout/base/PresShell.cpp:4396:11
#36 0x7fd2582c0ef4 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsRefreshDriver::IsExtraTick) /layout/base/nsRefreshDriver.cpp:2597:20
#37 0x7fd2582ce6f7 in TickDriver /layout/base/nsRefreshDriver.cpp:375:13
#38 0x7fd2582ce6f7 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /layout/base/nsRefreshDriver.cpp:353:7
#39 0x7fd2582ce45d in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:369:5
#40 0x7fd2582cdcc5 in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:896:5
#41 0x7fd2582cd38f in mozilla::VsyncRefreshDriverTimer::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /layout/base/nsRefreshDriver.cpp:810:5
#42 0x7fd2582ccaf9 in mozilla::VsyncRefreshDriverTimer::NotifyVsyncOnMainThread(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:731:5
#43 0x7fd2582cc449 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsyncTimerOnMainThread() /layout/base/nsRefreshDriver.cpp:594:14
#44 0x7fd2582cbff4 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /layout/base/nsRefreshDriver.cpp:551:9
#45 0x7fd256e98dad in mozilla::dom::VsyncMainChild::RecvNotify(mozilla::VsyncEvent const&, float const&) /dom/ipc/VsyncMainChild.cpp:68:15
#46 0x7fd257301452 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:220:78
#47 0x7fd250a0765b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:6267:32
#48 0x7fd250961d09 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /ipc/glue/MessageChannel.cpp:1756:25
#49 0x7fd25095ed77 in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message> >) /ipc/glue/MessageChannel.cpp:1681:9
#50 0x7fd25095f9c4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /ipc/glue/MessageChannel.cpp:1481:3
#51 0x7fd250960c52 in mozilla::ipc::MessageChannel::MessageTask::Run() /ipc/glue/MessageChannel.cpp:1579:14
#52 0x7fd24f1d5962 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#53 0x7fd24f1961ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#54 0x7fd24f193318 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#55 0x7fd24f193a40 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#56 0x7fd24f1de891 in operator() /xpcom/threads/TaskController.cpp:187:37
#57 0x7fd24f1de891 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#58 0x7fd24f1b74e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#59 0x7fd24f1c1964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#60 0x7fd2509694cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#61 0x7fd2507e6931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
#62 0x7fd2507e6931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#63 0x7fd2507e6931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#64 0x7fd257ccacd7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#65 0x7fd25ce82d57 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
#66 0x7fd2507e6931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
#67 0x7fd2507e6931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#68 0x7fd2507e6931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#69 0x7fd25ce81e43 in XRE_InitChildProcess(int, char**, XREChildData const*) /toolkit/xre/nsEmbedFunctions.cpp:739:34
#70 0x55e6c07db6b5 in content_process_main(mozilla::Bootstrap*, int, char**) /browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
#71 0x55e6c07dbb07 in main /browser/app/nsBrowserApp.cpp:357:18
#72 0x7fd277685d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#73 0x7fd277685e3f in __libc_start_main csu/../csu/libc-start.c:392:3
#74 0x55e6c071ba19 in _start (/home/jkratzer/builds/m-c-20221012213343-fuzzing-asan-opt/firefox+0x7aa19) (BuildId: adbe1c096dab7bbb37beb0202c1905226ea2f6fc)
0x6250002163d8 is located 6872 bytes inside of 8192-byte region [0x625000214900,0x625000216900)
allocated by thread T0 (Isolated Web Co) here:
#0 0x55e6c079df3e in __interceptor_malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
#1 0x7fd24f16e250 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
#2 0x7fd2584755bd in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
#3 0x7fd2584755bd in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
#4 0x7fd2584755bd in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
#5 0x7fd2584fa71d in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:295:32
#6 0x7fd2584fa71d in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:287:12
#7 0x7fd2584fa71d in operator new /layout/generic/ViewportFrame.cpp:36:1
#8 0x7fd2584fa71d in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /layout/generic/ViewportFrame.cpp:33:10
#9 0x7fd2583c6bcb in nsCSSFrameConstructor::ConstructRootFrame() /layout/base/nsCSSFrameConstructor.cpp:2557:7
#10 0x7fd258325f94 in mozilla::PresShell::Initialize() /layout/base/PresShell.cpp:1882:36
#11 0x7fd2527302b9 in nsContentSink::StartLayout(bool) /dom/base/nsContentSink.cpp:562:30
#12 0x7fd25117de99 in nsHtml5TreeOpExecutor::StartLayout(bool*) /parser/html/nsHtml5TreeOpExecutor.cpp:881:18
#13 0x7fd25118dc74 in operator() /parser/html/nsHtml5TreeOperation.cpp:1190:17
#14 0x7fd25118dc74 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 41ul, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:266:16
#15 0x7fd25118d4ad in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 40ul, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#16 0x7fd25118cb3f in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 39ul, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#17 0x7fd25118c6c5 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 38ul, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#18 0x7fd25118bff0 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 37ul, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#19 0x7fd25118b6c9 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 36ul, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#20 0x7fd25118b127 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 32ul, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#21 0x7fd25118a267 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 16ul, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opUpdateCharsetSource, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:279:14
#22 0x7fd25117c083 in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:852:12
#23 0x7fd25117c083 in Perform /parser/html/nsHtml5TreeOperation.cpp:1207:21
#24 0x7fd25117c083 in nsHtml5TreeOpExecutor::RunFlushLoop() /parser/html/nsHtml5TreeOpExecutor.cpp:686:19
#25 0x7fd251183217 in nsHtml5ExecutorFlusher::Run() /parser/html/nsHtml5StreamParser.cpp:174:18
#26 0x7fd24f18286f in mozilla::SchedulerGroup::Runnable::Run() /xpcom/threads/SchedulerGroup.cpp:140:20
#27 0x7fd24f1d5962 in mozilla::RunnableTask::Run() /xpcom/threads/TaskController.cpp:538:16
#28 0x7fd24f1961ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:851:26
#29 0x7fd24f193318 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /xpcom/threads/TaskController.cpp:683:15
#30 0x7fd24f193a40 in mozilla::TaskController::ProcessPendingMTTask(bool) /xpcom/threads/TaskController.cpp:461:36
#31 0x7fd24f1de891 in operator() /xpcom/threads/TaskController.cpp:187:37
#32 0x7fd24f1de891 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:531:5
#33 0x7fd24f1b74e7 in nsThread::ProcessNextEvent(bool, bool*) /xpcom/threads/nsThread.cpp:1205:16
#34 0x7fd24f1c1964 in NS_ProcessNextEvent(nsIThread*, bool) /xpcom/threads/nsThreadUtils.cpp:465:10
#35 0x7fd2509694cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /ipc/glue/MessagePump.cpp:85:21
#36 0x7fd2507e6931 in RunInternal /ipc/chromium/src/base/message_loop.cc:381:10
#37 0x7fd2507e6931 in RunHandler /ipc/chromium/src/base/message_loop.cc:374:3
#38 0x7fd2507e6931 in MessageLoop::Run() /ipc/chromium/src/base/message_loop.cc:356:3
#39 0x7fd257ccacd7 in nsBaseAppShell::Run() /widget/nsBaseAppShell.cpp:150:27
#40 0x7fd25ce82d57 in XRE_RunAppShell() /toolkit/xre/nsEmbedFunctions.cpp:880:20
SUMMARY: AddressSanitizer: use-after-poison /layout/tables/nsTableColFrame.h:119:15 in nsTableColFrame::ResetIntrinsics()
Shadow bytes around the buggy address:
0x0c4a8003ac20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003ac30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003ac40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003ac50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003ac60: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
=>0x0c4a8003ac70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7
0x0c4a8003ac80: f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003ac90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003aca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003acb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c4a8003acc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==295247==ABORTING
|
Reporter | |
Comment 1•2 years ago
|
||
|
||
Comment 2•2 years ago
|
||
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20221013100028-3662e18e5c43.
The bug appears to have been introduced in the following build range:
Start: cd243979744cb162120fc13c0fe9ed4eb62bb6fe (20221011201302)
End: 2796a36d754343ffbe7ecce367ae76a26bf45b96 (20221011222538)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=cd243979744cb162120fc13c0fe9ed4eb62bb6fe&tochange=2796a36d754343ffbe7ecce367ae76a26bf45b96
Keywords: regression
Whiteboard: [bugmon:confirm] → [bugmon:bisected,confirmed]
|
||
Updated•2 years ago
|
Group: core-security → layout-core-security
|
||
Comment 3•2 years ago
|
||
In that range, it'd be a regression from the refactoring in bug 1794456.
Looks like that bug has another ASAN regression already filed, bug 1795030; maybe this is a dupe or similar?
Flags: needinfo?(aethanyc)
Regressed by: 1794456
|
||
Comment 4•2 years ago
|
||
Yes, this is a dup of bug 1795030. I've verified that with the patch in bug 1795051, the testcase no longer triggers the use-after-poison. We've added testcases in bug 1795030 and bug 1795051, so the test coverage should be sufficient.
Status: NEW → RESOLVED
Closed: 2 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → DUPLICATE
|
|
||
Comment 5•2 years ago
|
||
No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.
Keywords: bugmon
|
||
Updated•19 days ago
|
Group: layout-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•