Closed Bug 1904428 Opened 8 months ago Closed 8 months ago

use-after-poison in [@ nsContainerFrame::PositionChildViews]

Categories

(Core :: Layout, defect)

Tracking

RESOLVED DUPLICATE of bug 1904409
Tracking Status
firefox129 --- affected

People

(Reporter: tsmith, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-framepoisoning, regression, testcase, Whiteboard: [bugmon:bisected,confirmed])

Attachments

(1 file)

Attached file testcase.html

Found while fuzzing 20240621-deea4a904a0d (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==41214==ERROR: AddressSanitizer: use-after-poison on address 0x52500029c728 at pc 0x7f0f722c571c bp 0x7fff6126b330 sp 0x7fff6126b328
READ of size 8 at 0x52500029c728 thread T0 (Isolated Web Co)
    #0 0x7f0f722c571b in HasView /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:3129:36
    #1 0x7f0f722c571b in nsContainerFrame::PositionChildViews(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:966:23
    #2 0x7f0f722c52f5 in nsContainerFrame::PositionChildViews(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:969:9
    #3 0x7f0f722c52f5 in nsContainerFrame::PositionChildViews(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:969:9
    #4 0x7f0f722c52f5 in nsContainerFrame::PositionChildViews(nsIFrame*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:969:9
    #5 0x7f0f722b4659 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:885:5
    #6 0x7f0f722af9e3 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #7 0x7f0f722b6d25 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1134:9
    #8 0x7f0f722b78fb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #9 0x7f0f72273f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #10 0x7f0f7226baf8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4369:11
    #11 0x7f0f7226941c in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3699:5
    #12 0x7f0f7225e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #13 0x7f0f722580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #14 0x7f0f7225514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #15 0x7f0f722b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #16 0x7f0f722937bd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:717:7
    #17 0x7f0f722b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #18 0x7f0f721dc8df in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:916:3
    #19 0x7f0f721deb89 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1051:3
    #20 0x7f0f721e377a in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1519:3
    #21 0x7f0f722c5b88 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
    #22 0x7f0f72244e8f in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:359:7
    #23 0x7f0f71fef41c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9829:11
    #24 0x7f0f72031cf7 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10002:22
    #25 0x7f0f72001595 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10049:10
    #26 0x7f0f72001595 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4355:9
    #27 0x7f0f6aebe5d7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #28 0x7f0f6aebe5d7 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11014:16
    #29 0x7f0f6aebe4f4 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11010:22
    #30 0x7f0f7228b0bf in InsertAnonymousContentInContainer(mozilla::dom::Document&, mozilla::dom::Element&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:99:8
    #31 0x7f0f722aa077 in operator() /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:149:11
    #32 0x7f0f722aa077 in mozilla::detail::RunnableFunction<nsCanvasFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
    #33 0x7f0f6aad3cff in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6259:17
    #34 0x7f0f720e7b99 in ~nsAutoScriptBlocker /builds/worker/workspace/obj-build/dist/include/nsContentUtils.h:3803:28
    #35 0x7f0f720e7b99 in nsDocumentViewer::Show() /builds/worker/checkouts/gecko/layout/base/nsDocumentViewer.cpp:2109:3
    #36 0x7f0f729fec00 in nsDocShell::SetVisibility(bool) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp
    #37 0x7f0f6b285508 in nsFrameLoader::Show(nsSubDocumentFrame*) /builds/worker/checkouts/gecko/dom/base/nsFrameLoader.cpp:1011:15
    #38 0x7f0f724adb1a in nsSubDocumentFrame::ShowViewer() /builds/worker/checkouts/gecko/layout/generic/nsSubDocumentFrame.cpp:198:38
    #39 0x7f0f72522484 in AsyncFrameInit::Run() /builds/worker/checkouts/gecko/layout/generic/nsSubDocumentFrame.cpp:110:60
    #40 0x7f0f6aad3cff in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6259:17
    #41 0x7f0f720014f6 in ~nsAutoScriptBlocker /builds/worker/checkouts/gecko/dom/base/nsContentUtils.h:3803:28
    #42 0x7f0f720014f6 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4347:3
    #43 0x7f0f6aebe5d7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #44 0x7f0f6aebe5d7 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11014:16
    #45 0x7f0f6aed849d in FlushPendingNotifications /builds/worker/checkouts/gecko/dom/base/Document.cpp:10946:3
    #46 0x7f0f6aed849d in mozilla::dom::FragmentDirective::FindTextFragmentsInDocument() /builds/worker/checkouts/gecko/dom/base/FragmentDirective.cpp:100:14
    #47 0x7f0f6aed7a69 in mozilla::dom::Document::ScrollToRef() /builds/worker/checkouts/gecko/dom/base/Document.cpp:13188:26
    #48 0x7f0f6b1e1ad6 in nsContentSink::ScrollToRef() /builds/worker/checkouts/gecko/dom/base/nsContentSink.cpp:561:13
    #49 0x7f0f68a5ab16 in nsHtml5TreeOpExecutor::DidBuildModel(bool) /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:212:3
    #50 0x7f0f68a5d98e in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:729:7
    #51 0x7f0f68a6cde8 in nsHtml5ExecutorReflusher::Run() /builds/worker/checkouts/gecko/parser/html/nsHtml5TreeOpExecutor.cpp:83:16
    #52 0x7f0f668e582a in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #53 0x7f0f668d16ad in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #54 0x7f0f668cec88 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #55 0x7f0f668cf2a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #56 0x7f0f668eca51 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #57 0x7f0f668eca51 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #58 0x7f0f6690f06d in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #59 0x7f0f6691a358 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #60 0x7f0f681dc78e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #61 0x7f0f68029284 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #62 0x7f0f68029284 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #63 0x7f0f68029284 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #64 0x7f0f7186e559 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #65 0x7f0f71a22d8a in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #66 0x7f0f73922d2d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:712:20
    #67 0x7f0f68029284 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #68 0x7f0f68029284 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #69 0x7f0f68029284 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #70 0x7f0f73922315 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:647:34
    #71 0x578904142430 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #72 0x578904142430 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
    #73 0x7f0f89429d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #74 0x7f0f89429e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #75 0x578904069a98 in _start (/home/user/workspace/browsers/m-c-20240624144542-fuzzing-asan-opt/firefox+0xd5a98) (BuildId: 882f225e6c534e7ee5a4e28c73a4b198f07d53a7)

0x52500029c728 is located 3624 bytes inside of 8192-byte region [0x52500029b900,0x52500029d900)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x5789041025bf in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x7f0f668b857f in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7f0f72158934 in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7f0f72158934 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7f0f72158934 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7f0f7224da5e in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:283:32
    #6 0x7f0f7224da5e in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:275:12
    #7 0x7f0f7224da5e in operator new /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:432:1
    #8 0x7f0f7224da5e in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:429:10
    #9 0x7f0f720c1b6a in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7853:16
    #10 0x7f0f722b02b0 in CreateNextInFlow /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1344:42
    #11 0x7f0f722b02b0 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:778:23
    #12 0x7f0f722b6d25 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1134:9
    #13 0x7f0f722b78fb in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #14 0x7f0f72273f34 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #15 0x7f0f7226baf8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4369:11
    #16 0x7f0f7226941c in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3699:5
    #17 0x7f0f7225e68f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3208:29
    #18 0x7f0f722580f9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #19 0x7f0f7225514c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #20 0x7f0f722b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #21 0x7f0f722937bd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:717:7
    #22 0x7f0f722b46a7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #23 0x7f0f721dc8df in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:916:3
    #24 0x7f0f721deb89 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1051:3
    #25 0x7f0f721e377a in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1519:3
    #26 0x7f0f722c5b88 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
    #27 0x7f0f72244e8f in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:359:7
    #28 0x7f0f71fef41c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9829:11
    #29 0x7f0f72031cf7 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10002:22
    #30 0x7f0f72001595 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10049:10
    #31 0x7f0f72001595 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4355:9
    #32 0x7f0f6aebe5d7 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1455:5
    #33 0x7f0f6aebe5d7 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11014:16
    #34 0x7f0f6aebe4f4 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11010:22
    #35 0x7f0f7228b0bf in InsertAnonymousContentInContainer(mozilla::dom::Document&, mozilla::dom::Element&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:99:8
    #36 0x7f0f722aa077 in operator() /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:149:11
    #37 0x7f0f722aa077 in mozilla::detail::RunnableFunction<nsCanvasFrame::CreateAnonymousContent(nsTArray<nsIAnonymousContentCreator::ContentInfo>&)::$_0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:548:5
    #38 0x7f0f6aad3cff in nsContentUtils::RemoveScriptBlocker() /builds/worker/checkouts/gecko/dom/base/nsContentUtils.cpp:6259:17

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/checkouts/gecko/layout/generic/nsIFrame.h:3129:36 in HasView
Shadow bytes around the buggy address:
  0x52500029c480: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52500029c500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52500029c580: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x52500029c600: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x52500029c680: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x52500029c700: f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x52500029c780: f7 f7 00 00 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x52500029c800: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00 00 00
  0x52500029c880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52500029c900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x52500029c980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
Flags: in-testsuite?

This is a duplicate of bug 1904409, and I've added the testcase in comment 0 in the proposed patch.

Status: NEW → RESOLVED
Closed: 8 months ago
Duplicate of bug: 1904409
Resolution: --- → DUPLICATE

Verified bug as reproducible on mozilla-central 20240624213429-fc0f7d3e6a3d.
The bug appears to have been introduced in the following build range:

Start: 03b945622bfdeb3e65f2d108ce19c66a501447a4 (20240619190318)
End: c2ba52894016007c3f5c4f21241f14d3cd7bd7a3 (20240619215332)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=03b945622bfdeb3e65f2d108ce19c66a501447a4&tochange=c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Keywords: regression
Whiteboard: [bugmon:bisected,confirmed]

No valid actions for resolution (DUPLICATE).
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon