Closed Bug 830924 Opened 11 years ago Closed 11 years ago

segfault with translate3d

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 830192
Tracking Flags:
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: miaubiz, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dupe 830192])

Attachments

(2 files)

repro case
649 bytes, text/plain
Details
asan log linux
5.38 KB, text/plain
Details
Attached file repro case 
when I load:

<html>
  <head>
    <style>
      #el0 {
        display: table-row;
        -moz-transform:translate3d(0,0,0);
      } 
      #el8 {
        position: fixed;
      } 
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el0.appendChild(document.createElement('div'))
        el8=document.createElement('div')
        el0.appendChild(el8)
        el0.appendChild(document.createElement('div'))
        document.body.offsetTop
        el8.setAttribute('id','el8')
      }
    </script>
  </head>
  <body>
  </body>
</html>


I get:

=================================================================
==17691== ERROR: AddressSanitizer crashed on unknown address 0x120000000000 (pc 0x7fffecb9a14f sp 0x7fffffff7240 bp 0x7fffffff7390 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffecb9a14e in nsIFrame::GetNextInFlow() const /builds/slave/try-lnx64/build/layout/generic/nsIFrame.h:1510
    #1 0x7fffecf56a7f in nsCellMap::GetRowSpanForNewCell(nsTableCellFrame*, int, bool&) const /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:2082
    #2 0x7fffecf568c8 in nsTableCellMap::AppendCell(nsTableCellFrame&, int, bool, nsIntRect&) /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:562
    #3 0x7fffecfb4ddf in nsTableRowFrame::AppendFrames(mozilla::layout::FrameChildListID, nsFrameList&) /builds/slave/try-lnx64/build/layout/tables/nsTableRowFrame.cpp:184


depending on the styles the segfault is at different addresses.
Attached file asan log linux 
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security

          status-b2g18:
          --- → unaffected

          status-firefox19:
          --- → unaffected

          status-firefox20:
          --- → fixed

          status-firefox21:
          --- → fixed

          status-firefox-esr17:
          --- → unaffected
Keywords: crash, 
          
            csec-uaf, 
          
            sec-critical, 
          
            testcase
Whiteboard: [sg:dupe 830192]

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: