AddressSanitizer: stack-overflow [@ MemcmpInterceptorCommon]
Categories
(Core :: Layout, defect)
Tracking
| Tracking | Status | |
|---|---|---|
| firefox-esr140 | --- | unaffected |
| firefox147 | --- | unaffected |
| firefox148 | --- | unaffected |
| firefox149 | --- | verified |
People
(Reporter: jkratzer, Assigned: emilio)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: pernosco, regression, testcase, Whiteboard: [bugmon:bisected,confirmed], [wptsync upstream])
Crash Data
Attachments
(3 files)
Testcase found while fuzzing mozilla-central rev 08a9de1f821f (built with: --enable-address-sanitizer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework pipx --upgrade
$ python -m pipx ensurepath
$ fuzzfetch --build 08a9de1f821f --asan --fuzzing -n firefox
$ grizzly-replay-bugzilla ./firefox/firefox <bugid>
Comment 1•1 month ago
Comment 2•1 month ago
Comment 3•1 month ago
Verified bug as reproducible on mozilla-central 20260128094816-08a9de1f821f.
The bug appears to have been introduced in the following build range:
Start: 1a2bb6c3bf5d1545d6c2d8b36bc4867fa0363de5 (20260119110606)
End: 6bf16ff5cae339919373fddcf20a04121adb24fd (20260119122634)
Pushlog: https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=1a2bb6c3bf5d1545d6c2d8b36bc4867fa0363de5&tochange=6bf16ff5cae339919373fddcf20a04121adb24fd
Comment 4•1 month ago
Got a crash from the testcase on Nightly: https://crash-stats.mozilla.org/report/index/40d1a6c6-bc6d-4049-9738-7cae60260129
Comment 5•1 month ago
This bug has been marked as a regression. Setting status flag for Nightly to affected.
Comment 6•1 month ago
Testcase is using anchor positioning (bottom: anchor-size(--anchor-name_0);) and popover (cite.showPopover(...)).
And the backtrace shows infinite recursion in FindScrollCompensatedAnchorShift.
That function was added by bug 1950251 which is in the regression range; flagging as regression from that. emilio, could you take a look when you get a chance?
Comment 7•1 month ago
(Tentatively triaging as S3, given that stack-exhaustion doesn't have security implications and given that we haven't yet hit this in the wild.)
Comment 8•1 month ago
Set release status flags based on info from the regressing bug 1950251
Comment 9•1 month ago
(Drive-by)
cite.showPopover({"source": cite})
Hm, at a glance, spec doesn't handle setting itself as the source.
Comment 10•1 month ago
Successfully recorded a pernosco session. A link to the pernosco session will be added here shortly.
Comment 11•1 month ago
A pernosco session for this bug can be found here.
Comment 12•1 month ago
The invoker can be anywhere in the dom, have to confirm that it's an
acceptable anchor. I think pseudo elements should always pass this
check but worth doing regardless.
This also fixes bug 2013896, while at it, gotta add a test for that, if
this doesn't cause any progression.
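A small model of the mechanism from comment 6 (a popover whose source is itself becomes its own implicit anchor, and the recursive anchor-shift walk never terminates) next to the guard the commit message describes (confirm the invoker is an acceptable anchor before using it). This is an added illustration, not Gecko code; the class name, the simplified acceptable-anchor rule and the shape of the recursion are assumptions for the example.

```javascript
// Added illustration (not Gecko code) of a self-referential implicit anchor
// and the check that prevents it. Names and recursion shape are assumptions.
class Box {
  constructor(name, scrollShift = 0) {
    this.name = name;
    this.scrollShift = scrollShift; // constructed sample value
    this.anchor = null;             // implicit anchor (popover invoker), if any
  }
}

// Simplified stand-in for the "acceptable anchor" check: reject the box itself
// and any candidate whose anchor chain leads back to `positioned` (a cycle).
function isAcceptableAnchor(candidate, positioned) {
  const seen = new Set();
  for (let cur = candidate; cur; cur = cur.anchor) {
    if (cur === positioned || seen.has(cur)) return false;
    seen.add(cur);
  }
  return true;
}

// Buggy shape: the invoker is taken as anchor without any check.
function setImplicitAnchorUnchecked(positioned, invoker) {
  positioned.anchor = invoker;
}

// Fixed shape: the invoker can be anywhere in the tree, so confirm it is an
// acceptable anchor before using it; otherwise there is no implicit anchor.
function setImplicitAnchorChecked(positioned, invoker) {
  positioned.anchor = isAcceptableAnchor(invoker, positioned) ? invoker : null;
}

// Accumulate scroll-compensated shift through the anchor chain. Like the code
// before the fix, the recursion itself has no cycle guard; the depth cap only
// turns the stack exhaustion into a catchable error for this demo.
function anchorShift(box, depth = 0) {
  if (depth > 1000) throw new RangeError(`anchor cycle at ${box.name}`);
  const own = box.scrollShift;
  return box.anchor ? own + anchorShift(box.anchor, depth + 1) : own;
}

// Constructed scenario mirroring `cite.showPopover({ source: cite })`.
function demo(setImplicitAnchor) {
  const cite = new Box('cite', 5);
  setImplicitAnchor(cite, cite);
  try { return { shift: anchorShift(cite), cycle: false }; }
  catch (e) { return { shift: null, cycle: e instanceof RangeError }; }
}
```

`demo(setImplicitAnchorUnchecked)` reports a cycle, while `demo(setImplicitAnchorChecked)` terminates with the box's own shift because the self-reference was rejected.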
Comment 13•1 month ago
Comment 15•1 month ago
Comment 17•1 month ago
Verified bug as fixed on rev mozilla-central 20260207085912-a644f3faa9ba.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.