Closed Bug 830924 Opened 10 years ago Closed 10 years ago

segfault with translate3d

Categories

(Core :: Layout, defect)

x86
Linux
defect
Not set
normal

Tracking

()

RESOLVED DUPLICATE of bug 830192
Tracking Status
firefox19 --- unaffected
firefox20 --- fixed
firefox21 --- fixed
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: miaubiz, Unassigned)

Details

(4 keywords, Whiteboard: [sg:dupe 830192])

Attachments

(2 files)

Attached file repro case
When I load:

<html>
  <head>
    <style>
      #el0 {
        display: table-row;
        -moz-transform:translate3d(0,0,0);
      } 
      #el8 {
        position: fixed;
      } 
    </style>
    <script>
      onload = function() {
        el0=document.createElement('div')
        el0.setAttribute('id','el0')
        document.body.appendChild(el0)
        el0.appendChild(document.createElement('div'))
        el8=document.createElement('div')
        el0.appendChild(el8)
        el0.appendChild(document.createElement('div'))
        document.body.offsetTop
        el8.setAttribute('id','el8')
      }
    </script>
  </head>
  <body>
  </body>
</html>


I get:

=================================================================
==17691== ERROR: AddressSanitizer crashed on unknown address 0x120000000000 (pc 0x7fffecb9a14f sp 0x7fffffff7240 bp 0x7fffffff7390 T0)
AddressSanitizer can not provide additional info.
    #0 0x7fffecb9a14e in nsIFrame::GetNextInFlow() const /builds/slave/try-lnx64/build/layout/generic/nsIFrame.h:1510
    #1 0x7fffecf56a7f in nsCellMap::GetRowSpanForNewCell(nsTableCellFrame*, int, bool&) const /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:2082
    #2 0x7fffecf568c8 in nsTableCellMap::AppendCell(nsTableCellFrame&, int, bool, nsIntRect&) /builds/slave/try-lnx64/build/layout/tables/nsCellMap.cpp:562
    #3 0x7fffecfb4ddf in nsTableRowFrame::AppendFrames(mozilla::layout::FrameChildListID, nsFrameList&) /builds/slave/try-lnx64/build/layout/tables/nsTableRowFrame.cpp:184


Depending on the styles, the segfault is at different addresses.
Attached file asan log linux
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
Group: core-security
Whiteboard: [sg:dupe 830192]