Use-after-poison with -moz-column, fieldset

RESOLVED FIXED in Firefox 23

Status

Core
Layout
--
critical
RESOLVED FIXED
5 years ago
4 years ago

People

(Reporter: Jesse Ruderman, Assigned: mats)

Tracking

(Blocks: 2 bugs, 4 keywords)

Trunk
mozilla23
crash, csectype-framepoisoning, sec-other, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox21 wontfix, firefox22 affected, firefox23 fixed, firefox-esr17 wontfix, b2g18 wontfix)

Details

(Whiteboard: [adv-main23+], crash signature)

Attachments

(5 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 737793 [details]
testcase (crashes Firefox when loaded)

###!!! ASSERTION: this type of frame can't have overflow containers: '(aProperty != nsContainerFrame::OverflowContainersProperty() && aProperty != nsContainerFrame::ExcessOverflowContainersProperty()) || IsFrameOfType(nsIFrame::eCanContainOverflowContainers)', file /Users/jruderman/trees/mozilla-central/layout/generic/nsContainerFrame.cpp, line 1458

Crash with nsFieldSetFrame::GetIntrinsicWidth calling nsLayoutUtils::IntrinsicForContainer.

Nightly: bp-9f41ac48-8362-4f07-84aa-837992130416
(Reporter)

Comment 1

5 years ago
Created attachment 737794 [details]
stack (gdb)
(Reporter)

Updated

5 years ago
Crash Signature: [@ nsLayoutUtils::IntrinsicForContainer]
(Assignee)

Comment 2

5 years ago
Created attachment 738103 [details]
stack for destroying the frame

When we reflow a nsFieldSetFrame and its child frames are COMPLETE,
their next-in-flows will be destroyed by DeleteNextInFlowChild.
The problem is that nsFieldSetFrame has frame pointer members mLegendFrame
and mContentFrame that aren't updated when such children are destroyed,
so when we reflow the nsFieldSetFrame's next-in-flow it will use
stale pointers.
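The stale-pointer mechanism from comment 2, and the accessor approach later taken in attachment 738220, as a constructed C++ model added here (not Gecko code; every class and function name is hypothetical, a deque stands in for the frame arena and a `poisoned` flag stands in for frame poisoning):

```cpp
#include <algorithm>
#include <deque>
#include <vector>

// Constructed model of Gecko-style layout frames, not Gecko code. Frames live
// in an arena and may have a next-in-flow (their continuation in the next
// column). Destroying a frame poisons its slot instead of freeing it, so a
// stale use is observable here rather than undefined behaviour.
struct Frame {
    Frame* nextInFlow = nullptr;
    bool poisoned = false;
};
static std::deque<Frame> gFrameArena;   // deque: pointers stay stable on growth

struct Container {
    std::vector<Frame*> children;  // the child list (frames owned by the arena)
    Frame* AddChild() {
        gFrameArena.emplace_back();
        children.push_back(&gFrameArena.back());
        return children.back();
    }
    // Model of DeleteNextInFlowChild, run on the parent that owns the
    // continuation once its prev-in-flow reflowed COMPLETE.
    void DeleteNextInFlowChild(Frame* aNextInFlow) {
        children.erase(std::remove(children.begin(), children.end(), aNextInFlow),
                       children.end());
        aNextInFlow->poisoned = true;
    }
    // Accessor in the style of the fix: look the child up at every use.
    Frame* GetInner() const { return children.empty() ? nullptr : children.front(); }
};

// The bug pattern: a pointer member captured once and never updated when the
// child it points to is destroyed (mLegendFrame behaves the same way).
struct CachedFieldSet : Container {
    Frame* mContentFrame = nullptr;
    void CacheChild() { mContentFrame = GetInner(); }
};

struct Outcome { bool cachedIsStale; bool accessorIsSafe; };
// Reflow the first fieldset with a COMPLETE content child, then inspect what
// its continuation sees through the cached member versus the accessor.
Outcome ReflowFirstThenInspectContinuation() {
    CachedFieldSet first, next;                   // fieldset and its next-in-flow
    Frame* c1 = first.AddChild();
    Frame* c2 = next.AddChild();                  // continuation of c1
    c1->nextInFlow = c2;
    next.CacheChild();                            // next.mContentFrame == c2
    next.DeleteNextInFlowChild(c1->nextInFlow);   // c1 COMPLETE: c2 destroyed
    c1->nextInFlow = nullptr;
    return { next.mContentFrame->poisoned, next.GetInner() == nullptr };
}
```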
(Assignee)

Updated

5 years ago
Keywords: sec-other
OS: Mac OS X → All
Hardware: x86_64 → All
(Assignee)

Comment 3

5 years ago
Created attachment 738107 [details] [diff] [review]
Make nsFieldSetFrame reflow overflow container children.
Assignee: nobody → matspal
(Assignee)

Comment 4

5 years ago
Created attachment 738216 [details] [diff] [review]
Make nsFieldSetFrame reflow and paint overflow container children.
Attachment #738107 - Attachment is obsolete: true
Attachment #738216 - Flags: review?(roc)
(Assignee)

Comment 5

5 years ago
Created attachment 738220 [details] [diff] [review]
Remove child frame members which may become stale and add accessors to get them from the child list instead.

https://tbpl.mozilla.org/?tree=Try&rev=ddd01ee1e9f2
Attachment #738220 - Flags: review?(roc)
Comment on attachment 738216 [details] [diff] [review]
Make nsFieldSetFrame reflow and paint overflow container children.

Review of attachment 738216 [details] [diff] [review]:
-----------------------------------------------------------------

I think we need a reftest here
Attachment #738216 - Flags: review?(roc) → review+
https://hg.mozilla.org/mozilla-central/rev/440634eef3f1
https://hg.mozilla.org/mozilla-central/rev/b064ea1f6af7
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox23: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
The ESR 17.0.5 version of this crash is also frame poisoning (as expected): bp-e40441a7-ca1c-4ba3-ad77-2f5032130503
status-b2g18: --- → wontfix
status-firefox21: --- → wontfix
status-firefox22: --- → affected
status-firefox-esr17: --- → wontfix
(Assignee)

Updated

5 years ago
Duplicate of this bug: 878719
Whiteboard: [adv-main23+]
(Assignee)

Comment 11

4 years ago
Landed a crashtest:
https://hg.mozilla.org/integration/mozilla-inbound/rev/0246c21cfc5c
Group: core-security
Flags: in-testsuite? → in-testsuite+