Closed Bug 995636 Opened 11 years ago Closed 11 years ago

SEGV in HasProperty

Categories: Core :: CSS Parsing and Computation, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: critical


RESOLVED DUPLICATE of bug 992333

People

(Reporter: attekett, Unassigned)

Details

(Keywords: crash, testcase, Whiteboard: [asan])

Attachments

(2 files)

Attached file repro-file
Tested on:
OS: Ubuntu 12.04
Firefox: ASAN debug-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan-debug/1397298157/

Debug-build reports:

[6022] ###!!! ABORT: out of range: '0 <= aProperty && aProperty < eCSSProperty_COUNT', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/style/nsCSSProps.h, line 302
UNKNOWN [/home/attekett/Downloads/firefox/libxul.so +0x0507A35A]
UNKNOWN [/home/attekett/Downloads/firefox/libxul.so +0x051350C7]
UNKNOWN [/home/attekett/Downloads/firefox/libxul.so +0x051340C7]
. . .
[6022] ###!!! ABORT: out of range: '0 <= aProperty && aProperty < eCSSProperty_COUNT', file /builds/slave/m-cen-l64-asan-d-0000000000000/build/layout/style/nsCSSProps.h, line 302
Hit MOZ_CRASH() at /builds/slave/m-cen-l64-asan-d-0000000000000/build/memory/mozalloc/mozalloc_abort.cpp:30
Program /firefox/firefox (pid = 6022) received signal 11.
. . .

Firefox: ASAN opt-build from https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-linux64-asan/1397298157/

ASAN-report:

==6145==ERROR: AddressSanitizer: SEGV on unknown address 0x7ffff6bf1938 (pc 0x7f7c097db902 sp 0x7ffff6b095a0 bp 0x7ffff6b097d0 T0)
#0 0x7f7c097db901 in HasProperty /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/nsCSSPropertySet.h:51:0
#1 0x7f7c097db901 in nsTransitionManager::ConsiderStartingTransition(nsCSSProperty, nsTransition const&, mozilla::dom::Element*, ElementTransitions*&, nsStyleContext*, nsStyleContext*, bool*, nsCSSPropertySet*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/nsTransitionManager.cpp:542:0
#2 0x7f7c097dab88 in nsTransitionManager::StyleContextChanged(mozilla::dom::Element*, nsStyleContext*, nsStyleContext*) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/style/nsTransitionManager.cpp:404:0
#3 0x7f7c098c2778 in GetContent /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:1712:0
#4 0x7f7c098c2778 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2453:0
#5 0x7f7c098c0d9d in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2275:0
#6 0x7f7c098c6b46 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2811:0
#7 0x7f7c098c3bc0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2546:0
#8 0x7f7c098c0e22 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2279:0
#9 0x7f7c098c6b46 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2811:0
#10 0x7f7c098c3bc0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2546:0
#11 0x7f7c098c0e22 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2279:0
#12 0x7f7c098c6b46 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2811:0
#13 0x7f7c098c3bc0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2546:0
#14 0x7f7c098c0e22 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2279:0
#15 0x7f7c098c6b46 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2811:0
#16 0x7f7c098c3bc0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2546:0
#17 0x7f7c098c0e22 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2279:0
#18 0x7f7c098c6b46 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2811:0
#19 0x7f7c098c3bc0 in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2546:0
#20 0x7f7c098c0e22 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2279:0
#21 0x7f7c098b9f5d in mozilla::RestyleManager::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:2925:0
#22 0x7f7c098b8f1a in mozilla::RestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:838:0
#23 0x7f7c098c902f in ProcessOneRestyle /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleTracker.cpp:121:0
#24 0x7f7c098c902f in mozilla::RestyleTracker::DoProcessRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleTracker.cpp:205:0
#25 0x7f7c098be283 in ProcessRestyles /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleTracker.h:246:0
#26 0x7f7c098be283 in mozilla::RestyleManager::ProcessPendingRestyles() /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/RestyleManager.cpp:1411:0
#27 0x7f7c09837c16 in PresShell::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/slave/m-cen-l64-asan-000000000000000/build/layout/base/nsPresShell.cpp:4048:0
#28 0x7f7c0888df31 in nsDocument::FlushPendingNotifications(mozFlushType) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:7841:0
#29 0x7f7c06444140 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:707:0
#30 0x7f7c06445bb2 in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/uriloader/base/nsDocLoader.cpp:637:0
#31 0x7f7c0644637c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/uriloader/base/Unified_cpp_uriloader_base0.cpp:641:0
#32 0x7f7c053d5cb7 in nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, tag_nsresult) /builds/slave/m-cen-l64-asan-000000000000000/build/netwerk/base/src/nsLoadGroup.cpp:689:0
#33 0x7f7c0889493c in nsDocument::DoUnblockOnload() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:8713:0
#34 0x7f7c088945ea in nsDocument::UnblockOnload(bool) /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:8641:0
#35 0x7f7c088696e8 in nsDocument::DispatchContentLoadedEvents() /builds/slave/m-cen-l64-asan-000000000000000/build/content/base/src/nsDocument.cpp:4935:0
#36 0x7f7c088ba090 in nsRunnableMethodImpl<void (nsDocument::*)(), void, true>::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/obj-firefox/content/base/src/../../../dist/include/nsThreadUtils.h:383:0
#37 0x7f7c05268820 in nsThread::ProcessNextEvent(bool, bool*) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/threads/nsThread.cpp:699:0
#38 0x7f7c0512e12a in NS_ProcessNextEvent(nsIThread*, bool) /builds/slave/m-cen-l64-asan-000000000000000/build/xpcom/glue/nsThreadUtils.cpp:263:0
#39 0x7f7c05a3c159 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/glue/MessagePump.cpp:95:0
#40 0x7f7c059e65e0 in RunInternal /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:226:0
#41 0x7f7c059e65e0 in RunHandler /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:219:0
#42 0x7f7c059e65e0 in MessageLoop::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/ipc/chromium/src/base/message_loop.cc:193:0
#43 0x7f7c07c6ba97 in nsBaseAppShell::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/widget/xpwidgets/nsBaseAppShell.cpp:164:0
#44 0x7f7c0aa9eab8 in nsAppStartup::Run() /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/components/startup/nsAppStartup.cpp:277:0
#45 0x7f7c0a904583 in XREMain::XRE_mainRun() /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:4019:0
#46 0x7f7c0a90546d in XREMain::XRE_main(int, char**, nsXREAppData const*) /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:4088:0
#47 0x7f7c0a9062bd in XRE_main /builds/slave/m-cen-l64-asan-000000000000000/build/toolkit/xre/nsAppRunner.cpp:4300:0
#48 0x48a247 in do_main /builds/slave/m-cen-l64-asan-000000000000000/build/browser/app/nsBrowserApp.cpp:282:0
#49 0x48a247 in main /builds/slave/m-cen-l64-asan-000000000000000/build/browser/app/nsBrowserApp.cpp:643:0
#50 0x7f7c139ca76c in ?? ??:0
#51 0x4896ac in _start ??:0:0
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV ??:0 ??
==6145==ABORTING
Severity: normal → critical
Component: General → CSS Parsing and Computation
Keywords: crash, testcase
Whiteboard: [asan]
Attached patch: patch
We crash on nsCSSProps::IsShorthand(eCSSPropertyExtra_variable). Just attaching this patch to point out there are two places (at least) that need fixing. I suspect it's NOT the right fix.
I think it is the right fix, and that's what I added in bug 992333. Neglected to land the patch though...
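The failure mode in this thread, shown as an added C model that is not Gecko code and not the patch attached here: a property enumeration whose "extra" ids (such as eCSSPropertyExtra_variable) are defined at or beyond eCSSProperty_COUNT, while every per-property table is sized by COUNT. The enum values, the chunk size and the nsCSSPropertySet layout below are assumptions chosen so the overrun is visible at index COUNT; the debug build's NS_ABORT_IF_FALSE is modelled as a runtime predicate (PropertyIsInRange) because release builds compile the assertion out and proceed to the out-of-bounds read that AddressSanitizer reported in HasProperty.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model, not Gecko's real definitions. Eight real properties are
 * listed so that eCSSProperty_COUNT is exactly one bit chunk, which puts the
 * first "extra" id one chunk past the end of the table. */
typedef enum {
    eCSSProperty_color = 0,
    eCSSProperty_width,
    eCSSProperty_height,
    eCSSProperty_opacity,
    eCSSProperty_top,
    eCSSProperty_left,
    eCSSProperty_margin,                  /* shorthand */
    eCSSProperty_padding,                 /* shorthand */
    eCSSProperty_COUNT,                   /* every per-property table is this big */
    eCSSPropertyExtra_variable = eCSSProperty_COUNT, /* a custom property (--x) */
    eCSSPropertyExtra_all_properties,
    eCSSProperty_UNKNOWN = -1
} nsCSSProperty;

#define kBitsInChunk 8
#define kChunkCount ((eCSSProperty_COUNT + kBitsInChunk - 1) / kBitsInChunk)

/* Bit set with one bit per real property id (assumed layout). */
typedef struct { uint8_t mProperties[kChunkCount]; } nsCSSPropertySet;

/* The condition of the debug-only assertion quoted in the report,
 * '0 <= aProperty && aProperty < eCSSProperty_COUNT', as a runtime check. */
bool PropertyIsInRange(int p) {
    return 0 <= p && p < eCSSProperty_COUNT;
}

/* Vulnerable shape: trusts the caller and indexes with whatever id arrives.
 * With p == eCSSPropertyExtra_variable this reads mProperties[1] of a
 * one-element array; nothing stops it in a build without assertions. */
bool HasProperty_unchecked(const nsCSSPropertySet *set, int p) {
    return (set->mProperties[p / kBitsInChunk] & (1u << (p % kBitsInChunk))) != 0;
}

/* Reports, without touching memory, whether the unchecked lookup above would
 * read outside the chunk array for this id. */
bool UncheckedLookupOverruns(int p) {
    if (p < 0) return true;                        /* negative array index */
    return (size_t)(p / kBitsInChunk) >= (size_t)kChunkCount;
}

/* Hardened shape: an id with no slot in the table is answered "not present"
 * instead of being turned into an index. */
bool HasProperty_checked(const nsCSSPropertySet *set, int p) {
    if (!PropertyIsInRange(p)) return false;
    return HasProperty_unchecked(set, p);
}

void AddProperty(nsCSSPropertySet *set, int p) {
    if (PropertyIsInRange(p))
        set->mProperties[p / kBitsInChunk] |= (uint8_t)(1u << (p % kBitsInChunk));
}

/* Model of the calling side (the second place to fix): filter ids that have
 * no table entry before any per-property lookup runs. Returns true when the
 * property was considered, false when it was skipped as a non-table id. */
bool ConsiderStartingTransition_model(const nsCSSPropertySet *already,
                                      int p, bool *out_already_started) {
    if (!PropertyIsInRange(p)) { *out_already_started = false; return false; }
    *out_already_started = HasProperty_checked(already, p);
    return true;
}

int main(void) {
    nsCSSPropertySet started = {{0}};
    AddProperty(&started, eCSSProperty_opacity);
    int ids[] = { eCSSProperty_opacity, eCSSProperty_margin,
                  eCSSPropertyExtra_variable, eCSSProperty_UNKNOWN };
    for (size_t i = 0; i < sizeof ids / sizeof ids[0]; i++) {
        int p = ids[i];
        printf("id %2d: in range=%d  unchecked lookup overruns=%d  checked HasProperty=%d\n",
               p, PropertyIsInRange(p), UncheckedLookupOverruns(p),
               HasProperty_checked(&started, p));
    }
    return 0;
}
```

The two checks are deliberately separate: the range predicate guards the table itself, and the caller-side filter keeps ids like eCSSPropertyExtra_variable from reaching any per-property table in the first place. Relying on the debug assertion alone leaves release builds with exactly the unchecked read in the ASAN trace.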
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security → core-security-release
Group: core-security-release
