Use-after-poison in nsLineLayout::RelativePositionFrames

RESOLVED FIXED in Firefox 29, Firefox OS v1.4

Status

Core
Layout
--
critical
RESOLVED FIXED
4 years ago
2 years ago

People

(Reporter: Atte Kettunen, Assigned: mats)

Tracking

(4 keywords)

unspecified
mozilla29
assertion, crash, csectype-framepoisoning, sec-other
Points:
---
Bug Flags:
sec-bounty -
in-testsuite +

Firefox Tracking Flags

(firefox27 wontfix, firefox28 wontfix, firefox29 fixed, firefox-esr24 wontfix, b2g18 wontfix, b2g-v1.1hd wontfix, b2g-v1.2 wontfix, b2g-v1.3 wontfix, b2g-v1.4 fixed)

Details

(Whiteboard: [reporter-external][asan][adv-main29-])

Attachments

(8 attachments, 2 obsolete attachments)

(Reporter)

Description

4 years ago
Created attachment 8343687 [details]
repro-file

Tested on

OS:Ubuntu 12.04

Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1386287170/

Reproducing the issue is a little tricky. The best way to reproduce it is to make a script that opens the repro-file in Firefox, waits a few seconds and closes Firefox, in a loop.

Something like:

while true; do
  asan-firefox repro-file.html &   # launch the ASan build on the testcase in the background
  sleep 5                          # give it a few seconds to load and reflow
  pkill -9 firefox                 # kill it and go around again
done

I hope you guys have better luck minimizing the file. The original size was around 13k lines of HTML/JS/CSS. My minimizer got it into 795 lines and then the repro-file got even more unstable.

ASAN-trace(opt-build):

==6011==ERROR: AddressSanitizer: use-after-poison on address 0x625000ea5548 at pc 0x7f28c0115990 bp 0x7fff94eed870 sp 0x7fff94eed868
READ of size 4 at 0x625000ea5548 thread T0
    #0 0x7f28c011598f in TopLeft /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/layout/generic/../../dist/include/mozilla/gfx/BaseRect.h:264:0
    #1 0x7f28c011598f in GetPosition /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsIFrame.h:882:0
    #2 0x7f28c011598f in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, nsOverflowAreas&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.cpp:2630:0
    #3 0x7f28c01151c2 in nsLineLayout::RelativePositionFrames(nsLineLayout::PerSpanData*, nsOverflowAreas&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.cpp:2658:0
    #4 0x7f28c015fe93 in nsBlockFrame::PlaceLine(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsRect&, int&, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:4139:0
    #5 0x7f28c015e084 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3638:0
    #6 0x7f28c0157283 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3363:0
    #7 0x7f28c0149a57 in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2517:0
    #8 0x7f28c0149a57 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #9 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #10 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #11 0x7f28c016af16 in nsBlockFrame::ReflowFloat(nsBlockReflowState&, nsRect const&, nsIFrame*, nsMargin&, nsMargin&, bool, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:5836:0
    #12 0x7f28c016d938 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowState.cpp:767:0
    #13 0x7f28c017865b in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowState.cpp:519:0
    #14 0x7f28c010ab5b in AddFloat /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.h:147:0
    #15 0x7f28c010ab5b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.cpp:870:0
    #16 0x7f28c015ed7e in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3708:0
    #17 0x7f28c015d793 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3505:0
    #18 0x7f28c0157283 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3363:0
    #19 0x7f28c0149a57 in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2517:0
    #20 0x7f28c0149a57 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #21 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #22 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #23 0x7f28c016af16 in nsBlockFrame::ReflowFloat(nsBlockReflowState&, nsRect const&, nsIFrame*, nsMargin&, nsMargin&, bool, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:5836:0
    #24 0x7f28c016d938 in nsBlockReflowState::FlowAndPlaceFloat(nsIFrame*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowState.cpp:767:0
    #25 0x7f28c017865b in nsBlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowState.cpp:519:0
    #26 0x7f28c010ab5b in AddFloat /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.h:147:0
    #27 0x7f28c010ab5b in nsLineLayout::ReflowFrame(nsIFrame*, unsigned int&, nsHTMLReflowMetrics*, bool&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsLineLayout.cpp:870:0
    #28 0x7f28c015ed7e in nsBlockFrame::ReflowInlineFrame(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3708:0
    #29 0x7f28c015d793 in nsBlockFrame::DoReflowInlineFrames(nsBlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3505:0
    #30 0x7f28c0157283 in nsBlockFrame::ReflowInlineFrames(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3363:0
    #31 0x7f28c0149a57 in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2517:0
    #32 0x7f28c0149a57 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #33 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #34 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #35 0x7f28c0154442 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3090:0
    #36 0x7f28c0149a7e in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2514:0
    #37 0x7f28c0149a7e in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #38 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #39 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #40 0x7f28c0154442 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3090:0
    #41 0x7f28c0149a7e in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2514:0
    #42 0x7f28c0149a7e in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #43 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #44 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #45 0x7f28c0154442 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3090:0
    #46 0x7f28c0149a7e in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2514:0
    #47 0x7f28c0149a7e in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #48 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #49 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #50 0x7f28c0154442 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3090:0
    #51 0x7f28c0149a7e in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2514:0
    #52 0x7f28c0149a7e in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #53 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #54 0x7f28c015b9d1 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockReflowContext.cpp:260:0
    #55 0x7f28c0154442 in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:3090:0
    #56 0x7f28c0149a7e in ReflowLine /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2514:0
    #57 0x7f28c0149a7e in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:2036:0
    #58 0x7f28c0142b82 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsBlockFrame.cpp:1066:0
    #59 0x7f28c0188e4d in ReflowChild /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsContainerFrame.cpp:961:0
    #60 0x7f28c0188e4d in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsCanvasFrame.cpp:520:0
    #61 0x7f28c0189d03 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsContainerFrame.cpp:961:0
    #62 0x7f28c020e79c in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsGfxScrollFrame.cpp:457:0
    #63 0x7f28c0210cad in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsGfxScrollFrame.cpp:557:0
    #64 0x7f28c0212f6e in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsGfxScrollFrame.cpp:795:0
    #65 0x7f28c0189d03 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsContainerFrame.cpp:961:0
    #66 0x7f28c0318637 in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/generic/nsViewportFrame.cpp:221:0
    #67 0x7f28bff23a67 in PresShell::DoReflow(nsIFrame*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/nsPresShell.cpp:8089:0
    #68 0x7f28bff35b9f in PresShell::ProcessReflowCommands(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/nsPresShell.cpp:8245:0
    #69 0x7f28bff35455 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/nsPresShell.cpp:4039:0
    #70 0x7f28bfef4370 in nsDocumentViewer::LoadComplete(tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/nsDocumentViewer.cpp:949:0
    #71 0x7f28c0b5eb2a in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/docshell/base/nsDocShell.cpp:6897:0
    #72 0x7f28c0b5bdb6 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/docshell/base/nsDocShell.cpp:6694:0
    #73 0x7f28c0b5c2fc in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/docshell/base/nsDocShell.cpp:6700:0
    #74 0x7f28bd06604f in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:1331:0
    #75 0x7f28bd0653a3 in nsDocLoader::doStopDocumentLoad(nsIRequest*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:865:0
    #76 0x7f28bd06303f in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:755:0
    #77 0x7f28bd0645b8 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:639:0
    #78 0x7f28bd064e59 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/uriloader/base/Unified_cpp_uriloader_base0.cpp:642:0
    #79 0x7f28bc1a0459 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsLoadGroup.cpp:689:0
    #80 0x7f28bc42d80f in mozilla::net::nsHttpChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/protocol/http/nsHttpChannel.cpp:5189:0
    #81 0x7f28bc19b955 in nsInputStreamPump::OnStateStop() /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:703:0
    #82 0x7f28bc19a0b3 in nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsInputStreamPump.cpp:438:0
    #83 0x7f28bc0094d4 in nsInputStreamReadyEvent::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/io/nsStreamUtils.cpp:85:0
    #84 0x7f28bc03e256 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:612:0
    #85 0x7f28bbf1cba1 in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:263:0
    #86 0x7f28bc831a31 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:85:0
    #87 0x7f28bc7a4173 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:222:0
    #88 0x7f28bc7a4173 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:215:0
    #89 0x7f28bc7a4173 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:189:0
    #90 0x7f28be5a917c in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:161:0
    #91 0x7f28c11d6436 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/components/startup/nsAppStartup.cpp:268:0
    #92 0x7f28c0ff08d5 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:3978:0
    #93 0x7f28c0ff180a in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:4046:0
    #94 0x7f28c0ff273b in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:4254:0
    #95 0x459dcd in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/browser/app/nsBrowserApp.cpp:280:0
    #96 0x459dcd in main /builds/slave/m-cen-l64-asan-000000000000000/build/browser/app/nsBrowserApp.cpp:647:0
    #97 0x7f28cbe7b76c in ?? ??:0
    #98 0x45934c in _start ??:0
0x625000ea5548 is located 7240 bytes inside of 8192-byte region [0x625000ea3900,0x625000ea5900)
allocated by thread T0 here:
    #0 0x446395 in malloc _asan_rtl_:0
    #1 0x7f28c94a6d8d in PL_ArenaAllocate /builds/slave/m-cen-l64-asan-000000000000000/build/nsprpub/lib/ds/plarena.c:203:0
Shadow bytes around the buggy address:
  0x0c4a801cca50: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801cca60: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801cca70: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801cca80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801cca90: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
=>0x0c4a801ccaa0: f7 f7 f7 f7 f7 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7
  0x0c4a801ccab0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801ccac0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801ccad0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7
  0x0c4a801ccae0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a801ccaf0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==6011==ABORTING


On a debug build I didn't get a crash, but I see a bundle of these ASSERTs:

[9599] ###!!! ASSERTION: We placed a float where there was no room!: 'psd->mX - mTrimmableWidth <= psd->mRightEdge', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/generic/nsLineLayout.cpp, line 321

In the ASAN trace, frames #2 and #3 are also from nsLineLayout.cpp, so I would guess the assert is relevant.
Severity: normal → critical
Keywords: crash, testcase
Okay, successfully reproduced it.

Using "Math.random() * 1000" as timeout value for setTimeout() helped me in reproducing it better.
Flags: sec-bounty?
Whiteboard: [reporter-external]
(Assignee)

Updated

4 years ago
OS: Linux → All
Hardware: x86_64 → All
Whiteboard: [reporter-external] → [reporter-external][asan]
(Assignee)

Comment 2

4 years ago
Created attachment 8344202 [details]
stack + frame dump

The interesting part of the frame tree is the line I've marked up in
yellow.  In particular the pink (0x625001389198) and cyan
(0x62500245a1e0) frames.  The PerFrameData for those two frames have
another PerFrameData in between which points to the destroyed frame
(marked red) which is causing the crash.  The PSD/PFD structures
appear to be alive, so I believe there used to be a span of three
frames here at some point during reflow, then the middle frame got
deleted for some reason and we failed to remove the PFD for it in
this PSD.  Note that the frame tree is correct and the line box
data too.

(I'm going to leave it in the debugger for an hour or so, in case
anyone has suggestions on other data that might be useful from
this debug session.)
(Assignee)

Comment 3

4 years ago
I've only succeeded in crashing it once in a Linux64 debug asan build
and it was quite hard.  So any help in making it more crashy and/or
reducing the test would be appreciated.
(Assignee)

Updated

4 years ago
Keywords: assertion, csectype-framepoisoning, sec-other
(Assignee)

Comment 4

4 years ago
Created attachment 8344275 [details]
stack + frame dump #2

Here's the exact moment when we delete that "middle of three" frame (red)
I was talking about in comment 2.  As I suspected it's a next-in-flow for
a frame that comes later in the line, so it's been reflowed already and
has a live PFD, reachable through the nsLineLayout object:
mRootSpan->mFirstFrame->mNext->mNext->mSpan->mFirstFrame->mNext

So this line contains a chain of static continuations, starting with
yellow, cyan ... blue, then that blue frame has a next-in-flow that
sits between yellow and cyan.  That doesn't look right to me.

I wonder how they ended up out-of-order like that - did bidi processing
go wrong?  or did we insert the next-in-flow in the wrong place?
(Assignee)

Comment 5

4 years ago
BTW, it's fairly easy to crash it in a Linux64 debug asan build if you start
with the test in many tabs, like so "firefox test.html test.html test.html ..."
and then wait a while for the tabs to load and create frames, then switch between
tabs and occasionally delete a tab.
(In reply to Mats Palmgren (:mats) from comment #4)
> So this line contains a chain of static continuations, starting with
> yellow, cyan ... blue, then that blue frame has a next-in-flow that
> sits between yellow and cyan.  That doesn't look right to me.
> 
> I wonder how they ended up out-of-order like that - did bidi processing
> go wrong?  or did we insert the next-in-flow in the wrong place?

Sounds a bit like bug 942690. Does this have the same regression range? Or does the patch there fix it?
(Assignee)

Comment 7

4 years ago
Created attachment 8344329 [details]
frame dump #3

It's ResolveBidi() that causes the problem.  This is the relevant part
of the frame tree before and after bidi resolution.  I think bidi
resolution is confused by the overflow list.  It should probably move it
forward so that it ends up on the last static continuation 0x6250006733f8.
Or, probably simpler, drain overflow on inlines during bidi resolution.
(Assignee)

Comment 8

4 years ago
(In reply to Simon Montagu :smontagu from comment #6)
> Sounds a bit like bug 942690. Does this have the same regression range? Or
> does the patch there fix it?

I can reproduce the crash with that patch, so it appears unrelated.
I don't know if this bug is a regression or not.
Keywords: regressionwindow-wanted
(Assignee)

Comment 9

4 years ago
Created attachment 8344330 [details] [diff] [review]
wip1

This seems to fix it for me...
Assignee: nobody → matspal
(Assignee)

Comment 10

4 years ago
Created attachment 8344504 [details]
frame dump with wip1

I think this is a frame tree that corresponds to the crashing one
(in dump #3 above) but with "wip1" applied so you can see the result.
(Assignee)

Comment 11

4 years ago
Created attachment 8344666 [details] [diff] [review]
part 1, implement DrainSelfOverflowList() for inlines

This patch just lifts the relevant code from nsInlineFrame::Reflow and
puts it in an internal helper method.  Then use that to implement
DrainSelfOverflowList() for nsInlineFrame, nsFirstLineFrame.
Attachment #8344330 - Attachment is obsolete: true
(Assignee)

Updated

4 years ago
Attachment #8344666 - Flags: review?(bzbarsky)
(Assignee)

Comment 12

4 years ago
Created attachment 8344670 [details] [diff] [review]
part 2, Drain the overflow list on inlines before traversing children for bidi processing.

https://tbpl.mozilla.org/?tree=Try&rev=da3d8da50c54
Attachment #8344670 - Flags: review?(smontagu)
Comment on attachment 8344670 [details] [diff] [review]
part 2, Drain the overflow list on inlines before traversing children for bidi processing.

Review of attachment 8344670 [details] [diff] [review]:
-----------------------------------------------------------------

::: layout/base/nsBidiPresUtils.cpp
@@ +976,5 @@
>      PRUnichar ch = 0;
>      if (frame->IsFrameOfType(nsIFrame::eBidiInlineContainer)) {
> +      if (!(frame->GetStateBits() & NS_FRAME_FIRST_REFLOW)) {
> +        nsContainerFrame* c = static_cast<nsContainerFrame*>(frame);
> +        MOZ_ASSERT(c = do_QueryFrame(frame));
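Review bot: the last added line, `MOZ_ASSERT(c = do_QueryFrame(frame));`, assigns inside the assertion. `c` is already set by the `static_cast` on the line above, so the intent is evidently a debug-only check that `frame` really is an nsContainerFrame; as written the `=` reads like a typo for `==`, and in builds where MOZ_ASSERT is compiled out the QueryFrame never runs at all. Suggest doing the QueryFrame into a separate variable and asserting equality with a message, so the assertion has no side effect and explains itself when it fires.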

Add a message here. r=me with that.
Attachment #8344670 - Flags: review?(smontagu) → review+

Comment 14

4 years ago
Mats, were you able to figure out what made it non-deterministic, and/or how to make a reliable testcase?
(Assignee)

Comment 15

4 years ago
I think it's timing dependent, you'd have to interrupt reflow at just the right
moment to leave behind a tree with the right overflow list, and then have the
block marked for bidi resolution.  It's apparently very rare.

I don't know how to make the testcase more reliable, sorry.

Comment 16

4 years ago
I tried some variants on the following env var set, but it didn't help me reproduce the bug.

GECKO_REFLOW_INTERRUPT_MODE=counter
GECKO_REFLOW_INTERRUPT_FREQUENCY=10
GECKO_REFLOW_INTERRUPT_CHECKS_TO_SKIP=0
GECKO_REFLOW_MIN_NOINTERRUPT_DURATION=0

Comment 17

4 years ago
Comment on attachment 8344670 [details] [diff] [review]
part 2, Drain the overflow list on inlines before traversing children for bidi processing.

> +        MOZ_ASSERT(c = do_QueryFrame(frame));

I don't like MOZ_ASSERT expressions that have side effects.  What is this for?

Comment 18

4 years ago
I had trouble with GECKO_REFLOW_INTERRUPT_* in bug 949294 too. If someone can help me figure out how to use it properly, that would be great ;)
Properly in what sense?  There are several modes, with somewhat different goals...

Comment 20

4 years ago
"Find as many deterministically-reproducible bugs as possible"
Ah.  The settings in comment 16 are what you want at the moment, in that case: that will deterministically interrupt every 10th check.

The problem is that determining what the right value is to use for the "10" there can be complicated.
Comment on attachment 8344666 [details] [diff] [review]
part 1, implement DrainSelfOverflowList() for inlines

Sorry for the lag.

This generally looked reasonable, but shouldn't draining the overflow list of an inline that's at the end of a first-line end up reparenting too?  We handle that in the Reflow() case, but not in general...

r=me with that sorted out
Attachment #8344666 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 23

4 years ago
Created attachment 8348218 [details] [diff] [review]
part 1, implement DrainSelfOverflowList() for inlines, v2

(In reply to Boris Zbarsky [:bz] from comment #22)
> This generally looked reasonable, but shouldn't draining the overflow list
> of an inline that's at the end of a first-line end up reparenting too?  We
> handle that in the Reflow() case, but not in general...

Maybe.  We don't do lazy parenting of nsFirstLineFrame children
though, so I'm not sure that's an issue.  But let's be conservative
and reparent style contexts for all inline overflow frames that
are descendants of a nsFirstLineFrame (which I think is what the
code in nsInlineFrame::Reflow amounts to).

Changes compared to last version:
1. reparent style contexts in nsInlineFrame::DrainSelfOverflowList
   if it's a ::first-line descendant.
2. s/eIsFirstLine/eInFirstLine/ for the flag to better reflect that
3. simplified nsFirstLineFrame::DrainSelfOverflowList to not do the
   frame reparenting stuff, since it doesn't do lazy parenting, 
   and made Reflow use this method too.
4. made nsFirstLineFrame MOZ_FINAL to avoid the vtbl lookup

I'm sceptical that we actually need to do the ReparentChildListStyle
for nsFirstLineFrame children on the overflow list.  It's been there
since the very first version of this class though (kipp, 1999-04-19)
so I'll leave it in for now:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/layout/generic/nsInlineFrame.cpp&rev=3.114&root=/cvsroot#1884
(without any corresponding bug, or explanation, unfortunately)

(Fwiw, I ran crashtests+reftests locally comparing the style context
before/after that call and it never changed.)
Attachment #8348218 - Flags: review?(bzbarsky)
(Assignee)

Comment 24

4 years ago
Created attachment 8348219 [details] [diff] [review]
part 2, Drain the overflow list on inlines before traversing children for bidi processing, v2

Fixed Simon's nit.

https://tbpl.mozilla.org/?tree=Try&rev=097bf2d5fa6d
Attachment #8344670 - Attachment is obsolete: true
Attachment #8348219 - Flags: review+
Comment on attachment 8348218 [details] [diff] [review]
part 1, implement DrainSelfOverflowList() for inlines, v2

r=me
Attachment #8348218 - Flags: review?(bzbarsky) → review+
(Assignee)

Comment 27

4 years ago
I'll mark this testcase-wanted since we want something more reproducible
for a crashtest.
Keywords: testcase → testcase-wanted
https://hg.mozilla.org/mozilla-central/rev/f3bcbf58111e
https://hg.mozilla.org/mozilla-central/rev/792397422883
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-b2g-v1.2: --- → ?
status-b2g-v1.3: --- → affected
status-firefox27: --- → ?
status-firefox28: --- → affected
status-firefox29: --- → fixed
status-firefox-esr24: --- → ?
Resolution: --- → FIXED
Target Milestone: --- → mozilla29

Comment 29

4 years ago
The bounty committee has decided not to pay on this bug given that it is a framepoisoning bug. We will continue to track it with the sec-other keyword and revisit the bug if framepoisoning is determined to be exploitable.
Flags: sec-bounty? → sec-bounty-
status-firefox-esr24: ? → wontfix
Do we want this on Aurora/Beta/b2g26?
Flags: needinfo?(matspal)
(Assignee)

Comment 31

4 years ago
I don't think so.  The crash is not exploitable, and it was quite hard to reproduce
so it seems unlikely to occur in normal use.
Flags: needinfo?(matspal)
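As an added illustration, not code from Gecko or from this bug's patches, a constructed C model of the shape of the bug in comments 2 and 4 and of why comment 29 treats it as a frame-poisoning bug: a PerFrameData chain keeps pointing at a frame that was destroyed mid-reflow, the arena poisons freed frames so the stale read is reported (as ASan's use-after-poison) instead of dereferencing reused memory, and an unlink step shows a generic remediation for this bug class rather than the landed fix, which drains the inline overflow list before bidi resolution. The arena, the PerFrameData layout and the poison byte are assumptions.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model, not Gecko code: frames live in an arena whose freed
 * entries are overwritten with a poison byte and tracked (frame poisoning;
 * ASan reports a read of such memory as "use-after-poison"), and a
 * PerFrameData chain may still point at a destroyed frame. */
#define ARENA_SLOTS 8
#define POISON_BYTE 0xF7   /* assumed fill value, echoing ASan's f7 shadow byte */

typedef struct Frame {
    int id;
    int x, y;                              /* the position GetPosition() reads */
} Frame;

typedef struct Arena {
    Frame slots[ARENA_SLOTS];
    unsigned char used[ARENA_SLOTS];
    unsigned char poisoned[ARENA_SLOTS];   /* 1 = freed and poisoned */
} Arena;

typedef struct PerFrameData {
    Frame *frame;                          /* mFrame */
    struct PerFrameData *next;             /* mNext */
} PerFrameData;

/* Map a pointer back to its arena slot, or -1 if it is not arena memory. */
static int slot_of(const Arena *a, const void *p) {
    uintptr_t base = (uintptr_t)a->slots, q = (uintptr_t)p;
    if (q < base || q >= base + sizeof a->slots) return -1;
    return (int)((q - base) / sizeof(Frame));
}

Frame *arena_alloc(Arena *a, int id) {
    for (int i = 0; i < ARENA_SLOTS; i++) {
        if (!a->used[i]) {
            a->used[i] = 1;
            a->poisoned[i] = 0;            /* reuse un-poisons the slot */
            a->slots[i].id = id;
            return &a->slots[i];
        }
    }
    return NULL;
}

/* Destroying a frame: overwrite it with the poison pattern and record the slot,
 * so a stale read is deterministic and detectable, not a read of reused memory. */
void arena_free(Arena *a, Frame *f) {
    int i = slot_of(a, f);
    if (i < 0) return;
    memset(&a->slots[i], POISON_BYTE, sizeof(Frame));
    a->used[i] = 0;
    a->poisoned[i] = 1;
}

int arena_is_poisoned(const Arena *a, const void *p) {
    int i = slot_of(a, p);
    return i >= 0 && a->poisoned[i];
}

/* The read in frame #1 of the trace with ASan's check made explicit: 0 ok, -1 use-after-poison. */
int read_position(const Arena *a, const Frame *f, int *x, int *y) {
    if (arena_is_poisoned(a, f)) return -1;
    *x = f->x; *y = f->y;
    return 0;
}

/* Count PFD entries whose frame is already destroyed: the bug's signature. */
int count_dangling(const Arena *a, const PerFrameData *pfd) {
    int n = 0;
    for (; pfd; pfd = pfd->next)
        if (arena_is_poisoned(a, pfd->frame)) n++;
    return n;
}

/* Generic remediation for this bug class (not the landed patch): remove the
 * PFD for a frame before that frame is destroyed. */
void unlink_pfd(PerFrameData **head, const Frame *f) {
    for (PerFrameData **pp = head; *pp; pp = &(*pp)->next)
        if ((*pp)->frame == f) { *pp = (*pp)->next; return; }
}

/* Three frames on one line (yellow, middle, cyan as in comment 2); the
 * middle one is destroyed mid-reflow. Returns the number of dangling PFDs. */
int scenario(int fix) {
    Arena a; memset(&a, 0, sizeof a);
    Frame *yellow = arena_alloc(&a, 1), *middle = arena_alloc(&a, 2), *cyan = arena_alloc(&a, 3);
    PerFrameData p3 = { cyan, NULL }, p2 = { middle, &p3 }, p1 = { yellow, &p2 };
    PerFrameData *span = &p1;
    if (fix) unlink_pfd(&span, middle);   /* drop the PFD before the frame goes */
    arena_free(&a, middle);
    return count_dangling(&a, span);
}

/* A stale read is caught, and the freed bytes hold the poison pattern. */
int stale_read_is_caught(void) {
    Arena a; memset(&a, 0, sizeof a);
    Frame *f = arena_alloc(&a, 9); int x, y;
    arena_free(&a, f);
    return read_position(&a, f, &x, &y) == -1 && (unsigned)f->x == 0xF7F7F7F7u;
}
```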
wontfix on the branches per comment 31
status-b2g-v1.2: ? → wontfix
status-b2g-v1.3: affected → wontfix
status-b2g-v1.4: --- → fixed
status-firefox27: ? → wontfix
status-firefox28: affected → wontfix
status-b2g18: --- → wontfix
status-b2g-v1.1hd: --- → wontfix
Whiteboard: [reporter-external][asan] → [reporter-external][asan][adv-main29-]
(Assignee)

Comment 34

3 years ago
Landed the test wrapped in an iframe:
https://hg.mozilla.org/integration/mozilla-inbound/rev/a135f49fc628
Group: core-security
Flags: in-testsuite? → in-testsuite+
Removing regressionwindow-wanted since this has been resolved.
QA Whiteboard: [QAnalyst-Triage+]
Keywords: regressionwindow-wanted
Keywords: testcase-wanted