Closed Bug 878719 Opened 12 years ago Closed 12 years ago

use-after-poison in nsLineList::empty()

Categories

(Core :: Layout, defect)

22 Branch
x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 862185

People

(Reporter: aki.helin, Unassigned)

Details

Attachments

(1 file)

390 bytes, text/plain
Details
Attached file repro
Opening ff_nsLineList-empty_poison.html in recent beta ASan build (137723:3656aeb1a150) causes the following error to be reported:

==18525== ERROR: AddressSanitizer use-after-poison on address 0x7f433ad6c770 at pc 0x7f435676c427 bp 0x7fffeff6e5f0 sp 0x7fffeff6e5e8
READ of size 8 at 0x7f433ad6c770 thread T0
    #0 0x7f435676c426 in nsLineList::empty() const /home/aki/src/mozilla-beta/layout/generic/nsLineBox.h:1305
    #1 0x7f4356765243 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /home/aki/src/mozilla-beta/layout/generic/nsBlockFrame.cpp:1075
    #2 0x7f435679ec2e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /home/aki/src/mozilla-beta/layout/generic/nsContainerFrame.cpp:968
0x7f433ad6c770 is located 5872 bytes inside of 8192-byte region [0x7f433ad6b080,0x7f433ad6d080)
allocated by thread T0 here:
    #0 0x431560 in __interceptor_malloc ??:0
    #1 0x7f435ef5bcd6 in PL_ArenaAllocate /home/aki/src/mozilla-beta/nsprpub/lib/ds/plarena.c:200
Shadow byte and word:
  0x1fe8675ad8ee: f7
  0x1fe8675ad8e8: f7 f7 f7 f7 f7 f7 f7 f7
More shadow bytes:
  0x1fe8675ad8c8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1fe8675ad8d0: f7 f7 f7 f7 f7 f7 f7 f7
  0x1fe8675ad8d8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1fe8675ad8e0: f7 f7 f7 f7 f7 f7 f7 f7
=>0x1fe8675ad8e8: f7 f7 f7 f7 f7 f7 f7 f7
  0x1fe8675ad8f0: f7 f7 f7 f7 f7 f7 f7 f7
  0x1fe8675ad8f8: f7 f7 00 00 00 00 00 00
  0x1fe8675ad900: 00 00 00 00 00 00 00 00
  0x1fe8675ad908: 00 00 00 00 00 00 00 00
Stats: 93M malloced (115M for red zones) by 248146 calls
Stats: 3M realloced by 11375 calls
Stats: 60M freed by 120180 calls
Stats: 0M really freed by 0 calls
Stats: 236M (60452 full pages) mmaped in 59 calls
  mmaps   by size class: 8:229362; 9:24573; 10:8190; 11:8188; 12:2048; 13:1536; 14:512; 15:384; 16:1216; 17:96; 18:32; 19:8; 20:4;
  mallocs by size class: 8:209305; 9:20874; 10:6465; 11:6591; 12:1661; 13:1253; 14:409; 15:267; 16:1209; 17:84; 18:18; 19:6; 20:4;
  frees   by size class: 8:97584; 9:11180; 10:3445; 11:4984; 12:855; 13:820; 14:261; 15:162; 16:797; 17:75; 18:11; 19:3; 20:3;
  rfrees  by size class:
Stats: malloc large: 112 small slow: 1559
==18525== ABORTING

There are also other use-after-poison traces caused by similar files. IIRC there was a bug with a similar repro but another trace about a week ago, but I can't seem to find it now.
Crash mozilla-beta Linux64 debug build:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff1ce9081 in nsLineList::erase (this=0x7fffbc1f7968, position=...) at layout/generic/nsLineBox.h:1409
1409        position->_mPrev->_mNext = position->_mNext;
(gdb) p position
$1 = {
  mCurrent = 0x7ffffffff0dea7ff,
  mListLink = 0x7fffbc1f7968
}

There's a bunch of assertions leading up to that, the first one being:

ASSERTION: this type of frame can't have overflow containers: '(aProperty != nsContainerFrame::OverflowContainersProperty() && aProperty != nsContainerFrame::ExcessOverflowContainersProperty()) || IsFrameOfType(nsIFrame::eCanContainOverflowContainers)', file layout/generic/nsContainerFrame.cpp, line 1461

The frame in question is a FieldSetFrame. The testcase does not crash mozilla-aurora or trunk. So I'm pretty sure this is a duplicate of bug 862185.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security