Closed
Bug 1491718
Opened 6 years ago
Closed 5 years ago
use-after-poison in [@ SetListItemOrdinal]
Categories
(Core :: Layout, defect, P3)
Tracking
RESOLVED FIXED
mozilla68
People
(Reporter: tsmith, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(4 keywords)
Attachments
(1 file, text/html, deleted)
Description

Found with m-c 20180915-e088bb62f286

The attached testcase seems to be sensitive to the size of the window. I used Xvfb with a size of width=1280 height=1024.

I am willing to test or verify patches if needed.

==126155==ERROR: AddressSanitizer: use-after-poison on address 0x6250002a4c20 at pc 0x7f9a38a4304c bp 0x7fff86b7e000 sp 0x7fff86b7dff8
READ of size 4 at 0x6250002a4c20 thread T0 (file:// Content)
    #0 0x7f9a38a4304b in SetListItemOrdinal src/layout/generic/nsBulletFrame.cpp:876:24
    #1 0x7f9a38a4304b in nsContainerFrame::RenumberFrameAndDescendants(int*, int, int, bool) src/layout/generic/nsContainerFrame.cpp:1914
    #2 0x7f9a389fd4ef in nsBlockFrame::RenumberChildFrames(int*, int, int, bool) src/layout/generic/nsBlockFrame.cpp:7259:14
    #3 0x7f9a389a3672 in nsContainerFrame::RenumberList() src/layout/generic/nsContainerFrame.cpp:1866:15
    #4 0x7f9a389aaaab in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1247:7
    #5 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #6 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #7 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #8 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #9 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #10 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #11 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #12 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #13 0x7f9a389b9110 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2745:11
    #14 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #15 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #16 0x7f9a38a2f1aa in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:783:7
    #17 0x7f9a38a36737 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:473:19
    #18 0x7f9a38a36737 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1223
    #19 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #20 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #21 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #22 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #23 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #24 0x7f9a389d62db in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:309:11
    #25 0x7f9a389c7eeb in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3571:11
    #26 0x7f9a389c4d1f in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2921:5
    #27 0x7f9a389b6e4d in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2458:7
    #28 0x7f9a389aae89 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1292:3
    #29 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #30 0x7f9a38a2632e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:803:5
    #31 0x7f9a38a28b2b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #32 0x7f9a38b5be7b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #33 0x7f9a38b5d9cc in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #34 0x7f9a38b62db7 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #35 0x7f9a389862f8 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #36 0x7f9a38984a1b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:338:7
    #37 0x7f9a386dadf1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:9020:11
    #38 0x7f9a386f5a68 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9193:24
    #39 0x7f9a386f3bde in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4351:11
    #40 0x7f9a386683ea in FlushPendingNotifications src/layout/base/nsIPresShell.h:577:5
    #41 0x7f9a386683ea in nsRefreshDriver::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1930
    #42 0x7f9a3867b182 in TickDriver src/layout/base/nsRefreshDriver.cpp:325:13
    #43 0x7f9a3867b182 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:300
    #44 0x7f9a3867acb1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:318:5
    #45 0x7f9a3867df51 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:756:5
    #46 0x7f9a3867df51 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:672
    #47 0x7f9a3867da2b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:572:9
    #48 0x7f9a39139df6 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:78:16
    #49 0x7f9a2feeebad in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #50 0x7f9a2fc7c398 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #51 0x7f9a2f4ce91e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2248:25
    #52 0x7f9a2f4ca20a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2175:17
    #53 0x7f9a2f4cc66d in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2012:5
    #54 0x7f9a2f4cd3c7 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2045:15
    #55 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #56 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #57 0x7f9a2f4d89c4 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:125:5
    #58 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #59 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #60 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #61 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #62 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #63 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #64 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #65 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #66 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #67 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #68 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
    #69 0x7f9a5057382f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #70 0x555cd4d37f4c in _start (firefox+0x2cf4c)

0x6250002a4c20 is located 6944 bytes inside of 8192-byte region [0x6250002a3100,0x6250002a5100)
allocated by thread T0 (file:// Content) here:
    #0 0x555cd4dd86c3 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:88:3
    #1 0x7f9a2e250a2f in AllocateChunk src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:193:15
    #2 0x7f9a2e250a2f in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:228
    #3 0x7f9a2e250a2f in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:75
    #4 0x7f9a2e250a2f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:80
    #5 0x7f9a3897869a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
    #6 0x7f9a3897869a in AllocateFrame src/layout/base/nsIPresShell.h:206
    #7 0x7f9a3897869a in operator new src/layout/generic/ViewportFrame.cpp:34
    #8 0x7f9a3897869a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:31
    #9 0x7f9a387a41ee in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2661:5
    #10 0x7f9a386d2e51 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1799:36
    #11 0x7f9a322c8777 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1274:26
    #12 0x7f9a30cc1102 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:673:18
    #13 0x7f9a30cbc54e in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1204:17
    #14 0x7f9a30cb9486 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:489:17
    #15 0x7f9a30cc5abb in nsHtml5ExecutorFlusher::Run() src/parser/html/nsHtml5StreamParser.cpp:123:18
    #16 0x7f9a2e280465 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #17 0x7f9a2e2be1a0 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1161:14
    #18 0x7f9a2e2c6f45 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #19 0x7f9a2f4d89de in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #20 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #21 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #22 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #23 0x7f9a37f91006 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #24 0x7f9a3c4255ce in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #25 0x7f9a2f3d972c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #26 0x7f9a2f3d972c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #27 0x7f9a2f3d972c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #28 0x7f9a3c424685 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #29 0x555cd4e08ba1 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #30 0x555cd4e08ba1 in main src/browser/app/nsBrowserApp.cpp:287
Flags: in-testsuite?
Updated by reporter, 6 years ago
Group: layout-core-security
Keywords: csectype-framepoisoning, sec-low
Updated 6 years ago
Priority: -- → P3
Comment 1 by reporter, 5 years ago
The fuzzers are no longer hitting this issue and the attached testcase no longer reproduces the issue.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Updated 5 years ago
Assignee: nobody → mats
status-firefox68: --- → fixed
status-firefox-esr60: --- → wontfix
status-firefox-esr68: --- → fixed
Target Milestone: --- → mozilla68