Closed Bug 1904409 Opened 3 months ago Closed 3 months ago

use-after-poison in [@ nsFrameList::InsertFrames]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
129 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox-esr128 --- unaffected
firefox127 --- unaffected
firefox128 --- unaffected
firefox129 --- fixed

People

(Reporter: tsmith, Assigned: TYLin)

References

(Blocks 1 open bug, Regression)

Details

(4 keywords, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])

Attachments

(2 files)

testcase.html
163 bytes, text/html
Details
Bug 1904409 - Call StartRemoveFrame() before calling ContinueRemoveFrame() in nsBlockFrame::RemoveFloat(). r?dholbert,#layout
48 bytes, text/x-phabricator-request
Details | Review
Attached file testcase.html

Found while fuzzing 20240620-ac120cec791e (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==28677==ERROR: AddressSanitizer: use-after-poison on address 0x5250002ec3b8 at pc 0x7c565c4b661d bp 0x7ffd02d6abb0 sp 0x7ffd02d6aba8
READ of size 8 at 0x5250002ec3b8 thread T0 (Isolated Web Co)
    #0 0x7c565c4b661c in GetNextSibling /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:1834:45
    #1 0x7c565c4b661c in nsFrameList::InsertFrames(nsContainerFrame*, nsIFrame*, nsFrameList&&) /builds/worker/checkouts/gecko/layout/generic/nsFrameList.cpp:134:33
    #2 0x7c565c39a589 in AppendFrames /builds/worker/checkouts/gecko/layout/generic/nsFrameList.h:141:12
    #3 0x7c565c39a589 in AppendFrame /builds/worker/checkouts/gecko/layout/generic/nsFrameList.h:149:5
    #4 0x7c565c39a589 in mozilla::BlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:539:29
    #5 0x7c565c66381d in AddFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:163:22
    #6 0x7c565c66381d in TryToPlaceFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:1512:36
    #7 0x7c565c66381d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:937:23
    #8 0x7c565c477a7d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5074:15
    #9 0x7c565c475f05 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4876:5
    #10 0x7c565c46f111 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4734:9
    #11 0x7c565c4693d2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3702:24
    #12 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #13 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #14 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #15 0x7c565c4b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #16 0x7c565c4af9e3 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #17 0x7c565c4b7419 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1191:5
    #18 0x7c565c4b78fb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #19 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #20 0x7c565c46baf8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4369:11
    #21 0x7c565c46941c in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3699:5
    #22 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #23 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #24 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #25 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #26 0x7c565c4831ec in nsBlockFrame::ReflowFloat(mozilla::BlockReflowState&, mozilla::ReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7265:9
    #27 0x7c565c39c156 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:836:13
    #28 0x7c565c39a8d1 in mozilla::BlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:567:9
    #29 0x7c565c66381d in AddFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:163:22
    #30 0x7c565c66381d in TryToPlaceFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:1512:36
    #31 0x7c565c66381d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:937:23
    #32 0x7c565c477a7d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5074:15
    #33 0x7c565c475f05 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4876:5
    #34 0x7c565c46f111 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4734:9
    #35 0x7c565c4693d2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3702:24
    #36 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #37 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #38 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #39 0x7c565c4b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #40 0x7c565c4af9e3 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #41 0x7c565c4b6d25 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1134:9
    #42 0x7c565c4b78fb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #43 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #44 0x7c565c46baf8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4369:11
    #45 0x7c565c46941c in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3699:5
    #46 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #47 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #48 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #49 0x7c565c4b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #50 0x7c565c4937bd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:717:7
    #51 0x7c565c4b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #52 0x7c565c3dc8df in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:916:3
    #53 0x7c565c3deb89 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1051:3
    #54 0x7c565c3e377a in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1519:3
    #55 0x7c565c4c5b88 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
    #56 0x7c565c444e8f in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:359:7
    #57 0x7c565c1ef41c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9829:11
    #58 0x7c565c231cf7 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10002:22
    #59 0x7c565c201595 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10049:10
    #60 0x7c565c201595 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4355:9
    #61 0x7c56550be5d7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #62 0x7c56550be5d7 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11014:16
    #63 0x7c56528f75a9 in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:729:14
    #64 0x7c56528fa46e in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:667:5
    #65 0x7c565cc53884 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13745:23
    #66 0x7c5650e428a3 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:632:22
    #67 0x7c5650e45213 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:536:10
    #68 0x7c5655070ee2 in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11804:18
    #69 0x7c5655070ee2 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11742:9
    #70 0x7c565509e609 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:8228:3
    #71 0x7c56551b416b in operator()<> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1085:18
    #72 0x7c56551b416b in __invoke_impl<void, (lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:60:14
    #73 0x7c56551b416b in __invoke<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9)> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/bits/invoke.h:95:14
    #74 0x7c56551b416b in __apply_impl<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1678:14
    #75 0x7c56551b416b in apply<(lambda at /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1084:9), std::tuple<> &> /builds/worker/fetches/sysroot-x86_64-linux-gnu/usr/lib/gcc/x86_64-linux-gnu/8/../../../../include/c++/8/tuple:1687:14
    #76 0x7c56551b416b in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1083:12
    #77 0x7c56551b416b in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1134:13
    #78 0x7c5650ae582a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #79 0x7c5650ad16ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #80 0x7c5650acec88 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #81 0x7c5650acf2a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #82 0x7c5650aeca51 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #83 0x7c5650aeca51 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #84 0x7c5650b0f06d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #85 0x7c5650b1a358 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #86 0x7c56523dc78e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #87 0x7c5652229284 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #88 0x7c5652229284 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #89 0x7c5652229284 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #90 0x7c565ba6e559 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #91 0x7c565bc22d8a in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #92 0x7c565db22d2d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
    #93 0x7c5652229284 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #94 0x7c5652229284 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #95 0x7c5652229284 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #96 0x7c565db22315 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
    #97 0x5d6456711430 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #98 0x5d6456711430 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
    #99 0x7c5673829d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #100 0x7c5673829e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #101 0x5d6456638a98 in _start (/home/user/workspace/browsers/m-c-20240624144542-fuzzing-asan-opt/firefox+0xd5a98) (BuildId: 882f225e6c534e7ee5a4e28c73a4b198f07d53a7)

0x5250002ec3b8 is located 2744 bytes inside of 8192-byte region [0x5250002eb900,0x5250002ed900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x5d64566d15bf in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x7c5650ab857f in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7c565c358934 in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7c565c358934 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7c565c358934 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7c565c44da5e in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:283:32
    #6 0x7c565c44da5e in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:275:12
    #7 0x7c565c44da5e in operator new /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:432:1
    #8 0x7c565c44da5e in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:429:10
    #9 0x7c565c2c1b6a in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7853:16
    #10 0x7c565c4b02b0 in CreateNextInFlow /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1344:42
    #11 0x7c565c4b02b0 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:778:23
    #12 0x7c565c4b6d25 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1134:9
    #13 0x7c565c4b78fb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #14 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #15 0x7c565c46baf8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4369:11
    #16 0x7c565c46941c in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3699:5
    #17 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #18 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #19 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #20 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #21 0x7c565c4831ec in nsBlockFrame::ReflowFloat(mozilla::BlockReflowState&, mozilla::ReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7265:9
    #22 0x7c565c39c156 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:836:13
    #23 0x7c565c39a8d1 in mozilla::BlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:567:9
    #24 0x7c565c66381d in AddFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:163:22
    #25 0x7c565c66381d in TryToPlaceFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:1512:36
    #26 0x7c565c66381d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:937:23
    #27 0x7c565c477a7d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5074:15
    #28 0x7c565c475f05 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4876:5
    #29 0x7c565c46f111 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4734:9
    #30 0x7c565c4693d2 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3702:24
    #31 0x7c565c45e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #32 0x7c565c4580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #33 0x7c565c45514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #34 0x7c565c4b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #35 0x7c565c4af9e3 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #36 0x7c565c4b789d in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1244:37
    #37 0x7c565c473f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:1834:45 in GetNextSibling
Shadow bytes around the buggy address:
  0x5250002ec100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec280: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec300: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7
=>0x5250002ec380: f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7
  0x5250002ec400: f7 f7 f7 f7 f7 f7 00 00 00 00 00 00 00 00 00 00
  0x5250002ec480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec580: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x5250002ec600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Flags: in-testsuite?

I would bet this has something to do with TYLin's recent work (either in bug 1903141 RE floats, or in the various bugs on the first-continuation cache)... TYLin, mind taking a look?

Flags: needinfo?(aethanyc)
Keywords: pernosco-wanted
See Also: → 1904421
See Also: → 1904419

Of course. I'll take a look.

A local mozregression finds this bug is a regression of bug 1903141 .

Assignee: nobody → aethanyc
Severity: -- → S3
Status: NEW → ASSIGNED
Flags: needinfo?(aethanyc)
Keywords: regression
Regressed by: 1903141

Set release status flags based on info from the regressing bug 1903141

status-firefox127: --- → unaffected
status-firefox128: --- → unaffected
status-firefox-esr115: --- → unaffected

After Bug 1903141 Part 3 [1], StartRemoveFrame() does not get called when there
is no float list. We need to make sure StartRemoveFrame() is called before
calling ContinueRemoveFrame().

[1] https://hg.mozilla.org/mozilla-central/rev/c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Duplicate of this bug: 1904419
See Also: 1904419
Duplicate of this bug: 1904421
See Also: 1904421
Duplicate of this bug: 1904428

Verified bug as reproducible on mozilla-central 20240624213429-fc0f7d3e6a3d.
The bug appears to have been introduced in the following build range:

Start: 03b945622bfdeb3e65f2d108ce19c66a501447a4 (20240619190318)
End: c2ba52894016007c3f5c4f21241f14d3cd7bd7a3 (20240619215332)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=03b945622bfdeb3e65f2d108ce19c66a501447a4&tochange=c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wantedpernosco
Whiteboard: [bugmon:bisected,confirmed]

A pernosco session for this bug can be found here.

FWIW, when loading the testcase in a debug build, it triggers the assertion Forgot to call StartRemoveFrame? at https://searchfox.org/mozilla-central/rev/9fcc11127fbfbdc88cbf37489dac90542e141c77/layout/generic/nsIFrame.h#5642-5643

Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/82e42849ba92 Call StartRemoveFrame() before calling ContinueRemoveFrame() in nsBlockFrame::RemoveFloat(). r=dholbert
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/46920 for changes under testing/web-platform/tests
Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

https://hg.mozilla.org/mozilla-central/rev/82e42849ba92

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
status-firefox129: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 129 Branch
Upstream PR merged by moz-wptsync-bot

Verified bug as fixed on rev mozilla-central 20240627153716-cbd5b84c31a5.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED
Keywords: bugmon

Set release status flags based on info from the regressing bug 1903141

status-firefox-esr128: --- → unaffected
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: