1906768 - use-after-poison in [@ nsBlockFrame::ReflowPushedFloats]

Tyson Smith [:tsmith]

Reporter

Description

•

6 months ago

Attached file testcase.html — Details

Found while fuzzing 20240629-ca0abc9ab05e (--enable-address-sanitizer --enable-fuzzing)

To reproduce via Grizzly Replay:

$ pip install fuzzfetch grizzly-framework --upgrade
$ python -m fuzzfetch -a --fuzzing -n firefox
$ python -m grizzly.replay.bugzilla ./firefox/firefox <bugid>

==73487==ERROR: AddressSanitizer: use-after-poison on address 0x525000320410 at pc 0x73052ac24c9e bp 0x7ffc8644c8d0 sp 0x7ffc8644c8c8
READ of size 8 at 0x525000320410 thread T0 (Isolated Web Co)
    #0 0x73052ac24c9d in IsEmpty /builds/worker/checkouts/gecko/layout/generic/nsFrameList.h:276:44
    #1 0x73052ac24c9d in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowState&, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7380:19
    #2 0x73052ac20cd6 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1876:3
    #3 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #4 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #5 0x73052ac75223 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #6 0x73052ac7cc59 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1191:5
    #7 0x73052ac7d13b in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #8 0x73052ac3b484 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #9 0x73052ac335a8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4376:11
    #10 0x73052ac310ac in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3706:5
    #11 0x73052ac26f7f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
    #12 0x73052ac20ea9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #13 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #14 0x73052ac3b484 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #15 0x73052ac335a8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4376:11
    #16 0x73052ac310ac in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3706:5
    #17 0x73052ac26f7f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
    #18 0x73052ac20ea9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #19 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #20 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #21 0x73052ac75223 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #22 0x73052ac7c565 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1134:9
    #23 0x73052ac7d13b in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #24 0x73052ac3b484 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #25 0x73052ac335a8 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4376:11
    #26 0x73052ac310ac in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3706:5
    #27 0x73052ac26f7f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
    #28 0x73052ac20ea9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #29 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #30 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #31 0x73052ac59aed in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:717:7
    #32 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #33 0x73052abac18f in mozilla::ScrollContainerFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:916:3
    #34 0x73052abae261 in mozilla::ScrollContainerFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1085:7
    #35 0x73052abb28ca in mozilla::ScrollContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ScrollContainerFrame.cpp:1519:3
    #36 0x73052ac8af58 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:930:14
    #37 0x73052ac0e643 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:365:7
    #38 0x73052a9d1994 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9824:11
    #39 0x73052aa12d37 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9997:22
    #40 0x73052a9e3775 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:10044:10
    #41 0x73052a9e3775 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4359:9
    #42 0x7305268fece2 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1446:5
    #43 0x7305268fece2 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:6660:16
    #44 0x7305268f6915 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/dom/events/EventStateManager.cpp:1132:7
    #45 0x73052aa092d7 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8449:39
    #46 0x73052aa007b0 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:8417:17
    #47 0x73052a9ff5f8 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7240:30
    #48 0x73052a9fdaa8 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:7044:12
    #49 0x73052a9fc142 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:6987:23
    #50 0x73052a1d59dc in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/checkouts/gecko/view/nsViewManager.cpp:652:18
    #51 0x73052a1d547c in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/checkouts/gecko/view/nsView.cpp:1066:9
    #52 0x73052a260c49 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/checkouts/gecko/widget/PuppetWidget.cpp:349:37
    #53 0x730522b5f096 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /builds/worker/checkouts/gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:508:21
    #54 0x730529401fea in DispatchWidgetEventViaAPZ /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1688:10
    #55 0x730529401fea in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1645:3
    #56 0x7305294044e4 in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1598:3
    #57 0x7305294046b8 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /builds/worker/checkouts/gecko/dom/ipc/BrowserChild.cpp:1563:8
    #58 0x7305295ff66b in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5420:80
    #59 0x7305296d34ef in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8167:32
    #60 0x730521ad0c95 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1820:25
    #61 0x730521accc3f in mozilla::ipc::MessageChannel::DispatchMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::UniquePtr<IPC::Message, mozilla::DefaultDelete<IPC::Message>>) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1739:9
    #62 0x730521acdb61 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::ActorLifecycleProxy*, mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1530:3
    #63 0x730521acf0b3 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1630:14
    #64 0x7305205347fa in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:580:16
    #65 0x730520520b3d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:907:26
    #66 0x73052051e388 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:730:15
    #67 0x73052051e9a6 in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:516:36
    #68 0x73052053ba21 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:234:37
    #69 0x73052053ba21 in mozilla::detail::RunnableFunction<mozilla::TaskController::TaskController()::$_0>::Run() /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.h:548:5
    #70 0x73052055c7bd in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #71 0x730520567588 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:480:10
    #72 0x730521ad8c3e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #73 0x7305219bcbe4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #74 0x7305219bcbe4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #75 0x7305219bcbe4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #76 0x73052a2b4709 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:148:27
    #77 0x73052a452afa in nsAppShell::Run() /builds/worker/checkouts/gecko/widget/gtk/nsAppShell.cpp:469:33
    #78 0x73052c0c7d8d in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:714:20
    #79 0x7305219bcbe4 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:370:10
    #80 0x7305219bcbe4 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:363:3
    #81 0x7305219bcbe4 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:345:3
    #82 0x73052c0c7375 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:649:34
    #83 0x615a0f2083b0 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #84 0x615a0f2083b0 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:378:18
    #85 0x73053fa29d8f in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
    #86 0x73053fa29e3f in __libc_start_main csu/../csu/libc-start.c:392:3
    #87 0x615a0f12fa18 in _start (/home/user/workspace/browsers/m-c-20240708220117-fuzzing-asan-opt/firefox+0xd5a18) (BuildId: 656d828dbee976f81ef3cf4261214929eff1e7cd)

0x525000320410 is located 784 bytes inside of 8192-byte region [0x525000320100,0x525000322100)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x615a0f1c853f in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:68:3
    #1 0x73052050a51f in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x73052ab2e9d4 in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x73052ab2e9d4 in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x73052ab2e9d4 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x73052ac728e5 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:283:32
    #6 0x73052ac728e5 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:275:12
    #7 0x73052ac728e5 in operator new /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:119:1
    #8 0x73052ac728e5 in NS_NewColumnSetFrame(mozilla::PresShell*, mozilla::ComputedStyle*, nsFrameState) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:114:7
    #9 0x73052aa9e59e in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7862:16
    #10 0x73052ac34d9f in CreateContinuationFor /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:5200:42
    #11 0x73052ac34d9f in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4550:35
    #12 0x73052ac310ac in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3706:5
    #13 0x73052ac26f7f in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3215:29
    #14 0x73052ac20ea9 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1902:35
    #15 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #16 0x73052ac3b484 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #17 0x73052ac49f6c in nsBlockFrame::ReflowFloat(mozilla::BlockReflowState&, mozilla::ReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7284:9
    #18 0x73052ab6d3a6 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:836:13
    #19 0x73052ac2491d in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowState&, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:7395:16
    #20 0x73052ac20cd6 in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1876:3
    #21 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #22 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #23 0x73052ac75223 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7
    #24 0x73052ac7cc59 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1191:5
    #25 0x73052ac7d13b in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1251:5
    #26 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #27 0x73052ac8c444 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1173:7
    #28 0x73052ac20c6b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1863:5
    #29 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #30 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #31 0x73052ac8c444 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1173:7
    #32 0x73052ac20c6b in nsBlockFrame::TrialReflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsBlockFrame::TrialReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1863:5
    #33 0x73052ac1df9c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1541:9
    #34 0x73052ac79ee7 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:889:14
    #35 0x73052ac75223 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:700:7

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/checkouts/gecko/layout/generic/nsFrameList.h:276:44 in IsEmpty
Shadow bytes around the buggy address:
  0x525000320180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320200: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320280: 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7 f7 f7
  0x525000320300: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00
  0x525000320380: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x525000320400: 00 00[f7]f7 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320480: 00 00 00 00 00 00 00 00 00 00 f7 f7 00 00 00 00
  0x525000320500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320580: 00 00 f7 f7 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320600: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x525000320680: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb

Flags: in-testsuite?

Mayank Bansal

Comment 1

•

6 months ago

Got a crash from the testcase: https://crash-stats.mozilla.org/report/index/e100547d-fbd4-4a24-a9da-b6a8e0240709

Crash Signature: [@ nsIFrame::HasAnyStateBits ]

Mayank Bansal

Updated

•

6 months ago

Comment 2

•

6 months ago

Bisection:
Bug 1903141 Part 3 - Store floats list in a frame property rather than in nsBlockFrame::mFloats. r=dholbert
Differential Revision: https://phabricator.services.mozilla.com/D214046

Keywords: regression

Regressed by: 1903141

BugBot [:suhaib / :marco/ :calixte]

Comment 3

•

6 months ago

:TYLin, since you are the author of the regressor, bug 1903141, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

Flags: needinfo?(aethanyc)

Daniel Holbert [:dholbert]

Updated

•

6 months ago

Keywords: pernosco-wanted

Ting-Yu Lin [:TYLin] (PST, UTC-8)

Assignee

Comment 4

•

6 months ago

Attached file Bug 1906768 - Get floats list again after calling AppendPushedFloatChain(). r?dholbert,#layout — Details

Phabricator Automation

Updated

•

6 months ago

Assignee: nobody → aethanyc

Status: NEW → ASSIGNED

Ting-Yu Lin [:TYLin] (PST, UTC-8)

Assignee

Updated

•

6 months ago

Severity: -- → S3

Flags: needinfo?(aethanyc)

Bugmon [:jkratzer for issues]

Comment 5

•

6 months ago

Verified bug as reproducible on mozilla-central 20240708220117-162448b8b7cd.
The bug appears to have been introduced in the following build range:

Start: 03b945622bfdeb3e65f2d108ce19c66a501447a4 (20240619190318)
End: c2ba52894016007c3f5c4f21241f14d3cd7bd7a3 (20240619215332)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=03b945622bfdeb3e65f2d108ce19c66a501447a4&tochange=c2ba52894016007c3f5c4f21241f14d3cd7bd7a3

Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.

Keywords: pernosco-wanted → pernosco

Whiteboard: [bugmon:bisected,confirmed]

Donal Meehan [:dmeehan]

Updated

•

6 months ago

status-firefox128: --- → unaffected

status-firefox-esr115: --- → unaffected

status-firefox-esr128: --- → unaffected

Pulsebot

Comment 6

•

6 months ago

Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/9a0e6453ea8f Get floats list again after calling AppendPushedFloatChain(). r=layout-reviewers,emilio

Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)

Comment 7

•

6 months ago

Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/47060 for changes under testing/web-platform/tests

Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)

Updated

•

6 months ago

Whiteboard: [bugmon:bisected,confirmed] → [bugmon:bisected,confirmed], [wptsync upstream]

Serban Stanca [:SerbanS]

Comment 8

•

6 months ago

Backed out for causing android wpt failures.

Backout link
Push with failures
Failure Log
Failure line: PROCESS-CRASH | MOZ_ASSERT(list->NotEmpty()) (Someone forgot to delete the list when it is empty!) [@ nsBlockFrame::GetFloats] | /css/CSS2/floats/crashtests/firefox-bug-1904428.html

Flags: needinfo?(aethanyc)

Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)

Comment 9

•

6 months ago

Upstream PR was closed without merging

Pulsebot

Comment 10

•

6 months ago

Backout by sstanca@mozilla.com: https://hg.mozilla.org/mozilla-central/rev/33c9a6ddad02 Backed out changeset 9a0e6453ea8f for causing android wpt failures. CLOSED TREE

Pulsebot

Comment 11

•

6 months ago

Pushed by aethanyc@gmail.com: https://hg.mozilla.org/integration/autoland/rev/ca0c38301aaa Get floats list again after calling AppendPushedFloatChain(). r=layout-reviewers,emilio

tszentpeteri

Comment 12

•

6 months ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/ca0c38301aaa

Status: ASSIGNED → RESOLVED

Closed: 6 months ago

status-firefox130: affected → fixed

Resolution: --- → FIXED

Target Milestone: --- → 130 Branch

Web Platform Test Sync Bot [:wpt-sync] (Matrix: #interop:mozilla.org)

Comment 13

•

6 months ago

Upstream PR merged by moz-wptsync-bot

Ting-Yu Lin [:TYLin] (PST, UTC-8)

Assignee

Comment 14

•

6 months ago

Comment on attachment 9411679 [details]
Bug 1906768 - Get floats list again after calling AppendPushedFloatChain(). r?dholbert,#layout

Beta/Release Uplift Approval Request

User impact if declined: Tab crashes when loading the testcase.
Is this code covered by automated tests?: Yes
Has the fix been verified in Nightly?: Yes
Needs manual test from QE?: No
If yes, steps to reproduce:
List of other uplifts needed: None
Risk to taking this patch: Low
Why is the change risky/not risky? (and alternatives if risky): It is not risky because the code path is not commonly encountered on real webpages. It requires a float element in a very narrow multi-column width (e.g. the testcase uses a 0px column width).
String changes made/needed: none
Is Android affected?: Yes

Flags: needinfo?(aethanyc)

Attachment #9411679 - Flags: approval-mozilla-beta?

Bugmon [:jkratzer for issues]

Comment 15

•

6 months ago

Verified bug as fixed on rev mozilla-central 20240712041551-a52fa2f14d1d.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Status: RESOLVED → VERIFIED

status-firefox130: fixed → verified

Keywords: bugmon

Donal Meehan [:dmeehan]

Comment 16

•

6 months ago

Comment on attachment 9411679 [details]
Bug 1906768 - Get floats list again after calling AppendPushedFloatChain(). r?dholbert,#layout

Approved for 129.0b4

Attachment #9411679 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

Pulsebot

Comment 17

•

6 months ago

uplift

https://hg.mozilla.org/releases/mozilla-beta/rev/270422ba4529

Donal Meehan [:dmeehan]

Updated

•

6 months ago

status-firefox129: affected → fixed

testcase.html 6 months ago Tyson Smith [:tsmith] 201 bytes, text/html		Details
Bug 1906768 - Get floats list again after calling AppendPushedFloatChain(). r?dholbert,#layout 6 months ago Ting-Yu Lin [:TYLin] (PST, UTC-8) 48 bytes, text/x-phabricator-request	dmeehan : approval-mozilla-beta+	Details \| Review