Closed Bug 1316884 Opened 8 years ago Closed 2 years ago

[css-grid] AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8

Categories

(Core :: Layout, defect)

48 Branch
defect

Tracking


RESOLVED WORKSFORME
Tracking Status
firefox52 --- wontfix
firefox-esr52 --- wontfix
firefox56 --- wontfix
firefox57 --- wontfix
firefox58 --- wontfix
firefox59 --- ?

People

(Reporter: truber, Unassigned)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(5 files)

Attached file testcase.html (deleted) —
The attached testcase crashes mozilla-central d38d06f85ef5. It looks like a poisoned frame based on the non-asan fault address (0x7ffffffff0dea7ff).

==24619==ERROR: AddressSanitizer: use-after-poison on address 0x625000ce2b90 at pc 0x7f2507fe59a2 bp 0x7fff5c033c20 sp 0x7fff5c033c18
READ of size 8 at 0x625000ce2b90 thread T0
    #0 0x7f2507fe59a1 in StylePosition obj-firefox/dist/include/nsStyleStructList.h:87:1
    #1 0x7f2507fe59a1 in MinSize(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, nsRenderingContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) layout/generic/nsGridContainerFrame.cpp:3883
    #2 0x7f2507fde3b4 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:4427:21
    #3 0x7f2507fced31 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:3938:3
    #4 0x7f2507fcdee6 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:2583:3
    #5 0x7f2507ff7f0d in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, unsigned int&) layout/generic/nsGridContainerFrame.cpp:6119:5

The debug log also includes soft assertions prior to segv:

###!!! ASSERTION: got BREAK_BEFORE again after growing the row?: 'Error', file /home/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp, line 5676
Attached file log.txt (deleted) —
Attached file log-dbg.txt (deleted) —
Blocks: css-grid
Component: CSS Parsing and Computation → Layout
Flags: needinfo?(mats)
Summary: AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8 → [css-grid] AddressSanitizer: use-after-poison [@ StylePosition] with READ of size 8
Too late for firefox 52, mass-wontfix.
This still reproduces in m-c 20170901-a3585c77e2b1

==29725==ERROR: AddressSanitizer: use-after-poison on address 0x6250016889e0 at pc 0x7f632efad045 bp 0x7ffc09ce63b0 sp 0x7ffc09ce63a8
READ of size 8 at 0x6250016889e0 thread T0
    #0 0x7f632efad044 in get /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:287:27
    #1 0x7f632efad044 in operator-> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h:319
    #2 0x7f632efad044 in StylePosition /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleStructList.h:89
    #3 0x7f632efad044 in nsGridContainerFrame::GridItemInfo::ShouldApplyAutoMinSize(mozilla::WritingMode, mozilla::LogicalAxis, int) const /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:618
    #4 0x7f632efa36cf in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4189:18
    #5 0x7f632ef95c85 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3730:3
    #6 0x7f632ef95646 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize&, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2348:9
    #7 0x7f632efbb89f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5971:21

INFO: Last good revision: 946ed22cad04431c75ab5093989dfedf1bae5a3e (2016-03-12)
INFO: First bad revision: d1d47ba19ce9d46222030d491f9fe28dbf80be12 (2016-03-13)
INFO: Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=946ed22cad04431c75ab5093989dfedf1bae5a3e&tochange=d1d47ba19ce9d46222030d491f9fe28dbf80be12

--> Bug 1144096 presumably.

On debug builds, the testcase also hits the following assert:

ASSERTION: got BREAK_BEFORE again after growing the row?: 'Error', file z:/build/build/src/layout/generic/nsGridContainerFrame.cpp, line 5522
Has Regression Range: --- → yes
Flags: in-testsuite?
Keywords: assertion
Version: Trunk → 48 Branch

Redirect a needinfo that is pending on an inactive user to the triage owner.
:dholbert, since the bug has high severity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(MatsPalmgren_bugz) → needinfo?(dholbert)
Severity: critical → S2

Here's the original testcase, with unprefixed column-fill styling (dropping -moz-) to make that style valid/recognized in current Firefox builds.

This testcase doesn't crash in a recent ASAN build, so I think this bug is WORKSFORME.

Flags: needinfo?(dholbert)
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/e8ac27147434 Add crashtest for this no-longer-reproducible bug. (no review, crashtest-only)

A patch has been attached on this bug, which was already closed. Filing a separate bug will ensure better tracking. If this was not by mistake and further action is needed, please alert the appropriate party. (Or: if the patch doesn't change behavior -- e.g. landing a test case, or fixing a typo -- then feel free to disregard this message)
