Closed
Bug 1506880
Opened 6 years ago
Closed 6 years ago
AddressSanitizer: stack-overflow /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3 in __asan_memset
Categories
(Core :: Layout: Columns, defect, P2)
Core
Layout: Columns
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox63 | --- | unaffected |
| firefox64 | --- | unaffected |
| firefox65 | - | disabled |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, regression, testcase)
Attachments
(1 file)
|
(deleted),
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev f6df375b8698.
==15556==ERROR: AddressSanitizer: stack-overflow on address 0x7fff37225e98 (pc 0x560e4b39e27e bp 0x7fff372266f0 sp 0x7fff37225ea0 T0)
#0 0x560e4b39e27d in __asan_memset /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:27:3
#1 0x7fde726264aa in mozilla::dom::ExplicitChildIterator::ExplicitChildIterator(nsIContent const*, bool) /builds/worker/workspace/build/src/dom/base/ChildIterator.cpp:24:5
#2 0x7fde78e96b5d in FlattenedChildIterator /builds/worker/workspace/build/src/dom/base/ChildIterator.h:175:7
#3 0x7fde78e96b5d in AllChildrenIterator /builds/worker/workspace/build/src/dom/base/ChildIterator.h:207
#4 0x7fde78e96b5d in StyleChildrenIterator /builds/worker/workspace/build/src/dom/base/ChildIterator.h:309
#5 0x7fde78e96b5d in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7866
#6 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#7 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#8 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#9 0x7fde78e970ea in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#10 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#11 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#12 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#13 0x7fde78e970ea in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#14 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#15 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#16 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#17 0x7fde78e970ea in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#18 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#19 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#20 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#21 0x7fde78e970ea in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#22 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#23 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#24 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
#25 0x7fde78e970ea in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7887:9
#26 0x7fde78e96d7a in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:7871:11
#27 0x7fde78e7ca72 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9089:5
#28 0x7fde78e9b282 in nsCSSFrameConstructor::MaybeRecreateContainerForFrameRemoval(nsIFrame*) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsCOMPtr.h
[...truncated...]
Flags: in-testsuite?
|
||
Updated•6 years ago
|
status-firefox63:
--- → unaffected
status-firefox64:
--- → unaffected
status-firefox-esr60:
--- → unaffected
tracking-firefox65:
--- → +
|
||
Comment 1•6 years ago
|
||
Testcase has "column-span: all".
Component: Layout → Layout: Columns
Flags: needinfo?(aethanyc)
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
|
|
||
Comment 2•6 years ago
|
||
We don't need to track this for 65 since it's behind a pref.
|
||
Comment 3•6 years ago
|
||
I cannot reproduce this bug on 2018-12-20 fuzzing asan opt build [1] with prefs [2] having layout.css.column-span.enabled=true. Close as WORKSFORME.
[1] https://tools.taskcluster.net/index/gecko.v2.mozilla-central.latest.firefox/linux64-fuzzing-asan-opt
[2] https://github.com/MozillaSecurity/fuzzdata/blob/00d671853af1bea93bae22f5e052138c7a8f269d/settings/firefox/prefs-default.js
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•