Bug 878719 - use-after-poison in nsLineList::empty()
Status: RESOLVED DUPLICATE of bug 862185 (closed)
Opened 12 years ago; closed 12 years ago
Categories: Core :: Layout, defect
People: Reporter: aki.helin; Unassigned
Attachments (1 file): 390 bytes, text/plain

Description
Opening ff_nsLineList-empty_poison.html in recent beta ASan build (137723:3656aeb1a150) causes the following error to be reported:
==18525== ERROR: AddressSanitizer use-after-poison on address 0x7f433ad6c770 at pc 0x7f435676c427 bp 0x7fffeff6e5f0 sp 0x7fffeff6e5e8
READ of size 8 at 0x7f433ad6c770 thread T0
#0 0x7f435676c426 in nsLineList::empty() const /home/aki/src/mozilla-beta/layout/generic/nsLineBox.h:1305
#1 0x7f4356765243 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /home/aki/src/mozilla-beta/layout/generic/nsBlockFrame.cpp:1075
#2 0x7f435679ec2e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/aki/src/mozilla-beta/layout/generic/nsContainerFrame.cpp:968
0x7f433ad6c770 is located 5872 bytes inside of 8192-byte region [0x7f433ad6b080,0x7f433ad6d080)
allocated by thread T0 here:
#0 0x431560 in __interceptor_malloc ??:0
#1 0x7f435ef5bcd6 in PL_ArenaAllocate /home/aki/src/mozilla-beta/nsprpub/lib/ds/plarena.c:200
Shadow byte and word:
0x1fe8675ad8ee: f7
0x1fe8675ad8e8: f7 f7 f7 f7 f7 f7 f7 f7
More shadow bytes:
0x1fe8675ad8c8: f7 f7 f7 f7 f7 f7 f7 f7
0x1fe8675ad8d0: f7 f7 f7 f7 f7 f7 f7 f7
0x1fe8675ad8d8: f7 f7 f7 f7 f7 f7 f7 f7
0x1fe8675ad8e0: f7 f7 f7 f7 f7 f7 f7 f7
=>0x1fe8675ad8e8: f7 f7 f7 f7 f7 f7 f7 f7
0x1fe8675ad8f0: f7 f7 f7 f7 f7 f7 f7 f7
0x1fe8675ad8f8: f7 f7 00 00 00 00 00 00
0x1fe8675ad900: 00 00 00 00 00 00 00 00
0x1fe8675ad908: 00 00 00 00 00 00 00 00
Stats: 93M malloced (115M for red zones) by 248146 calls
Stats: 3M realloced by 11375 calls
Stats: 60M freed by 120180 calls
Stats: 0M really freed by 0 calls
Stats: 236M (60452 full pages) mmaped in 59 calls
mmaps by size class: 8:229362; 9:24573; 10:8190; 11:8188; 12:2048; 13:1536; 14:512; 15:384; 16:1216; 17:96; 18:32; 19:8; 20:4;
mallocs by size class: 8:209305; 9:20874; 10:6465; 11:6591; 12:1661; 13:1253; 14:409; 15:267; 16:1209; 17:84; 18:18; 19:6; 20:4;
frees by size class: 8:97584; 9:11180; 10:3445; 11:4984; 12:855; 13:820; 14:261; 15:162; 16:797; 17:75; 18:11; 19:3; 20:3;
rfrees by size class:
Stats: malloc large: 112 small slow: 1559
==18525== ABORTING
There are also other use-after-poison traces caused by similar files. IIRC there was a bug with a similar repro but another trace about a week ago, but I can't seem to find it now.
Comment 1 • 12 years ago
Crash mozilla-beta Linux64 debug build:
Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ce9081 in nsLineList::erase (this=0x7fffbc1f7968, position=...) at layout/generic/nsLineBox.h:1409
1409 position->_mPrev->_mNext = position->_mNext;
(gdb) p position
$1 = {
mCurrent = 0x7ffffffff0dea7ff,
mListLink = 0x7fffbc1f7968
}
There's a bunch of assertions leading up to that, the first one being:
ASSERTION: this type of frame can't have overflow containers: '(aProperty != nsContainerFrame::OverflowContainersProperty() && aProperty != nsContainerFrame::ExcessOverflowContainersProperty()) || IsFrameOfType(nsIFrame::eCanContainOverflowContainers)', file layout/generic/nsContainerFrame.cpp, line 1461
The frame in question is a FieldSetFrame.
The testcase does not crash mozilla-aurora or trunk.
So I'm pretty sure this is a duplicate of bug 862185.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Updated • 10 years ago
Group: core-security