heap-use-after-free on mozilla::StyleGenericCalcNode
Category: Core :: Layout: Flexbox (defect)
People: Reporter: ahihibughunter; Assigned: emilio
References: Regression
Keywords: regression, sec-high
Whiteboard: [reporter-external] [client-bounty-form] [verif?][adv-main84+][sec-survey][adv-esr78.6+]
Attachments (4 files, 1 obsolete file):
  text/html (deleted)
  text/x-phabricator-request (deleted); flags: RyanVM: approval-mozilla-release+, RyanVM: approval-mozilla-esr78+, tjr: sec-approval+
  patch (deleted)
  text/plain (deleted)
Firefox version 85.0a1 (2020-12-06) (64-bit)
Asan output:
==29886==ERROR: AddressSanitizer: heap-use-after-free on address 0x6190002ce398 at pc 0x0001154ec20d bp 0x7ffee67aa8d0 sp 0x7ffee67aa8c8
READ of size 1 at 0x6190002ce398 thread T0
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: failed to spawn external symbolizer (errno: 9)
==29886==WARNING: Failed to use and restart external symbolizer!
#0 0x1154ec20c in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c)
#1 0x1158a1c98 in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x27e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb290c98)
#2 0x1157ba61f in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType)+0x220f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a961f)
#3 0x1157b2ee6 in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&)+0x5a6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a1ee6)
#4 0x1157b4b40 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)+0x8c0 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1a3b40)
#5 0x1158a7bec in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)+0x2ac (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb296bec)
#6 0x1158bc75b in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)+0x12fb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2ab75b)
#7 0x1158c4c81 in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)+0x161 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b3c81)
#8 0x1158c100c in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xb2c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2b000c)
#9 0x115ae5bf9 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&)+0x1d49 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb4d4bf9)
#10 0x1158284b4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)+0x214 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb2174b4)
#11 0x115826da2 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool)+0x4a2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb215da2)
#12 0x11581fc6d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x7fd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb20ec6d)
#13 0x115818d9c in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*)+0x13c (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb207d9c)
#14 0x11580ca85 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&)+0x16b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1fba85)
#15 0x115804af3 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x14c3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1f3af3)
#16 0x11588239b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x43b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb27139b)
#17 0x11585861b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x122b (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb24761b)
#18 0x115919390 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*)+0x1420 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb308390)
#19 0x11591b490 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&)+0x320 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb30a490)
#20 0x115927e6a in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0xd8a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb316e6a)
#21 0x115883345 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*)+0x335 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb272345)
#22 0x1157f4b02 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)+0x642 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb1e3b02)
#23 0x1155a66a4 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*)+0x1ac4 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf956a4)
#24 0x1155be1f8 in mozilla::PresShell::ProcessReflowCommands(bool)+0x478 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafad1f8)
#25 0x1155bc258 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)+0x1ba8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xafab258)
#26 0x11552e136 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x2b36 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf1d136)
#27 0x115541903 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)+0x213 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf30903)
#28 0x1155415e8 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0xc8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf305e8)
#29 0x115540a4c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp)+0x1cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2fa4c)
#30 0x11553fd1e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyParentProcessVsync()+0x76e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2ed1e)
#31 0x11553f302 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf2e302)
#32 0x1141fb81d in mozilla::dom::VsyncChild::RecvNotify(mozilla::VsyncEvent const&, float const&)+0x2cd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x9bea81d)
#33 0x10cc7cb92 in mozilla::dom::PVsyncChild::OnMessageReceived(IPC::Message const&)+0x4f2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x266bb92)
#34 0x10c6dc9af in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&)+0x35f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x20cb9af)
#35 0x10bf097f8 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&)+0x1e8 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f87f8)
#36 0x10bf0471d in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)+0x71d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f371d)
#37 0x10bf06f36 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)+0x586 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f5f36)
#38 0x10bf07ca1 in mozilla::ipc::MessageChannel::MessageTask::Run()+0x101 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x18f6ca1)
#39 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
#40 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
#41 0x10a9b095e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0xae (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39f95e)
#42 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
#43 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
#44 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)
#45 0x10a9eee4d in NS_ProcessNextEvent(nsIThread*, bool)+0x11d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3dde4d)
#46 0x10bf1496e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)+0x40e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x190396e)
#47 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
#48 0x114e343ff in nsBaseAppShell::Run()+0x4f (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa8233ff)
#49 0x114f8d24c in nsAppShell::Run()+0x3cc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xa97c24c)
#50 0x118eaa71e in XRE_RunAppShell()+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe89971e)
#51 0x10bdf3ec2 in MessageLoop::Run()+0x1d2 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x17e2ec2)
#52 0x118ea9b94 in XRE_InitChildProcess(int, char**, XREChildData const*)+0xf94 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xe898b94)
#53 0x10944bd06 in main+0x1b6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container:x86_64+0x100000d06)
#54 0x7fff6d7a5cc8 in start+0x0 (/usr/lib/system/libdyld.dylib:x86_64+0x1acc8)
0x6190002ce398 is located 280 bytes inside of 1024-byte region [0x6190002ce280,0x6190002ce680)
freed by thread T0 here:
#0 0x12ba47cd6 in wrap_free+0xa6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46cd6)
#1 0x11b951387 in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0xf97 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x11340387)
#2 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
#3 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
#4 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
#5 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
#6 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
#7 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
#8 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
#9 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
#10 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
#11 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
#12 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
#13 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
#14 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
#15 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
#16 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
#17 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
#18 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
#19 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
#20 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
#21 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
#22 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
#23 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
#24 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
#25 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
#26 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
#27 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
#28 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
#29 0x10a9e2d45 in nsThread::ProcessNextEvent(bool, bool*)+0x13d5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3d1d45)
previously allocated by thread T0 here:
#0 0x12ba47b8d in wrap_malloc+0x9d (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/libclang_rt.asan_osx_dynamic.dylib:x86_64+0x46b8d)
#1 0x11b94cc6e in smallvec::SmallVec$LT$A$GT$::push::ha7920bdc965a65bc+0x28e (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133bc6e)
#2 0x11b950cae in style::properties::cascade::cascade_rules::h088ae32ca5ec9019+0x8be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1133fcae)
#3 0x11b96b596 in style::stylist::Stylist::cascade_style_and_visited::h8d1d544df7954eb4+0x96 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x1135a596)
#4 0x11b9be1ab in Servo_ComputedValues_GetForAnonymousBox+0x3cb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x113ad1ab)
#5 0x115442252 in mozilla::ServoStyleSet::ResolveInheritingAnonymousBoxStyle(mozilla::PseudoStyleType, mozilla::ComputedStyle*)+0x92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xae31252)
#6 0x11565855c in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&)+0x1bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04755c)
#7 0x115670c95 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x3b5 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb05fc95)
#8 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
#9 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
#10 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
#11 0x115671d9e in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&)+0x14be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb060d9e)
#12 0x11567b5ed in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&)+0xcd (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb06a5ed)
#13 0x1156597b6 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&)+0x2e6 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb0487b6)
#14 0x11565a732 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameList&, bool, nsIFrame*)+0xd02 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb049732)
#15 0x115664983 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameList&, nsIFrame*)+0x7f3 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb053983)
#16 0x115660842 in nsCSSFrameConstructor::ConstructDocElementFrame(mozilla::dom::Element*)+0x2a92 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb04f842)
#17 0x11568331b in nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsCSSFrameConstructor::InsertionKind)+0x3eb (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xb07231b)
#18 0x1155a145a in mozilla::PresShell::Initialize()+0x40a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaf9045a)
#19 0x10f0f773c in nsContentSink::StartLayout(bool)+0x8bc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x4ae673c)
#20 0x10d768178 in nsHtml5TreeOpExecutor::StartLayout(bool*)+0x128 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3157178)
#21 0x10d7630ec in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)+0x1fcc (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x31520ec)
#22 0x10d760269 in nsHtml5TreeOpExecutor::RunFlushLoop()+0x9f9 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x314f269)
#23 0x10d76d00f in nsHtml5ExecutorFlusher::Run()+0x3cf (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x315c00f)
#24 0x10a9aa1e0 in mozilla::SchedulerGroup::Runnable::Run()+0x80 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3991e0)
#25 0x10a9b8177 in mozilla::RunnableTask::Run()+0x347 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a7177)
#26 0x10a9b343a in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x107a (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3a243a)
#27 0x10a9b0b6e in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&)+0x2be (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39fb6e)
#28 0x10a9b0f67 in mozilla::TaskController::ProcessPendingMTTask(bool)+0xf7 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x39ff67)
#29 0x10a9bf981 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_4>::Run()+0x11 (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0x3ae981)
SUMMARY: AddressSanitizer: heap-use-after-free (/Users/zx/Documents/GitHub/codeql/codeql_cpp/chrome/browser/firefox/Nightly.app/Contents/MacOS/XUL:x86_64+0xaedb20c) in int mozilla::StyleGenericCalcNode<mozilla::StyleCalcLengthPercentageLeaf>::ResolveInternal<int, int (*)(float)>(int, int (*)(float)) const+0x66c
Shadow bytes around the buggy address:
0x1c3200059c20: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3200059c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x1c3200059c50: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059c60: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
=>0x1c3200059c70: fd fd fd[fd]fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059c80: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059c90: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059ca0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059cb0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
0x1c3200059cc0: fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==29886==ABORTING
###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
Comment 1 • 4 years ago
This is a bad cast in Layout. In a debug build I get:
Assertion failure: IsSize(), at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/ServoStyleConsts.h:6835
#17 0x00007fb6308abc5a in MOZ_ReportAssertionFailure(char const*, char const*, int)
(aStr=0x74 <error: Cannot access memory at address 0x74>, aFilename=0xffffffffffffffff <error: Cannot access memory at address 0xffffffffffffffff>, aLine=0)
at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/Assertions.h:106
#18 0x00007fb630939b22 in mozilla::StyleGenericFlexBasis<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> >::AsSize() const (this=this@entry=0x7fb615fa3a58)
at /home/emilio/src/moz/gecko-4/obj-debug/dist/include/mozilla/ServoStyleConsts.h:6835
#19 0x00007fb6308b9d8d in nsIFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)
(this=<optimized out>, aRenderingContext=0x7fb615f97e00, aWM=..., aCBSize=<optimized out>, aAvailableISize=368720264, aMargin=<optimized out>, aBorderPadding=..., aFlags=mozilla::ComputeSizeFlags = {...})
at /home/emilio/src/moz/gecko-4/layout/generic/nsIFrame.cpp:6193
#20 0x00007fb630868372 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::LayoutFrameType) (this=<optimized out>, this@entry=0x7ffca90f8fd8, aPresContext=aPresContext@entry=0x7fb617c71c00, aContainingBlockSize=<optimized out>, aBorder=..., aPadding=..., aFrameType=mozilla::LayoutFrameType::None,
aFrameType@entry=mozilla::LayoutFrameType::TableWrapper) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:2430
#21 0x00007fb630865b8f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::Maybe<mozilla::LogicalMargin> const&, mozilla::Maybe<mozilla::LogicalMargin> const&) (
this=this@entry=0x7ffca90f8fd8, aPresContext=0x7fb617c71c00, aContainingBlockSize=..., aBorder=..., aPadding=...) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:357
#22 0x00007fb630866286 in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, mozilla::EnumSet<mozilla::ReflowInput::InitFlag, unsigned char>, mozilla::EnumSet<mozilla::ComputeSizeFlag, unsigned char>)
(this=0x7ffca90f8fd8, aPresContext=0x7ffca90f6950, aParentReflowInput=<optimized out>, aFrame=0x7fb615fa1c48, aAvailableSpace=..., aContainingBlockSize=..., aFlags=mozilla::ReflowInput::InitFlags = {...}, aComputeSizeFlags=mozilla::ComputeSizeFlags = {...}) at /home/emilio/src/moz/gecko-4/layout/generic/ReflowInput.cpp:216
#23 0x00007fb6308bcef5 in nsFlexContainerFrame::GenerateFlexItemForChild(nsFlexContainerFrame::FlexLine&, nsIFrame*, mozilla::ReflowInput const&, nsFlexContainerFrame::FlexboxAxisTracker const&, bool)
(this=this@entry=0x7fb615fa1b98, aLine=..., aChildFrame=0x7fb615fa1c48, aParentReflowInput=..., aAxisTracker=..., aHasLineClampEllipsis=false) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:1285
#24 0x00007fb6308c200a in nsFlexContainerFrame::GenerateFlexLines(mozilla::ReflowInput const&, int, nsTArray<nsFlexContainerFrame::StrutInfo> const&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, bool, nsTArray<nsIFrame*>&, nsTArray<nsFlexContainerFrame::FlexLine>&)
(this=0x7fb615fa1b98, aReflowInput=<optimized out>, aContentBoxMainSize=<optimized out>, aStruts=const nsTArray<nsFlexContainerFrame::StrutInfo> &, aAxisTracker=..., aMainGapSize=0, aHasLineClampEllipsis=<optimized out>, aPlaceholders=nsTArray<nsIFrame*> &, aLines=nsTArray<nsFlexContainerFrame::FlexLine> & = {...}) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4004
#25 0x00007fb6308c3fec in nsFlexContainerFrame::DoFlexLayout(mozilla::ReflowInput const&, int&, int&, int&, nsTArray<nsFlexContainerFrame::FlexLine>&, nsTArray<nsFlexContainerFrame::StrutInfo>&, nsTArray<nsIFrame*>&, nsFlexContainerFrame::FlexboxAxisTracker const&, int, int, int, bool, ComputedFlexContainerInfo*)
(this=this@entry=0x7fb615fa1b98, aReflowInput=..., aContentBoxMainSize=@0x7ffca90f9688: 1073741823, aContentBoxCrossSize=@0x7ffca90f9684: -1431655766, aFlexContainerAscent=@0x7ffca90f9680: -1431655766, aLines=nsTArray<nsFlexContainerFrame::FlexLine> & = {...}, aStruts=nsTArray<nsFlexContainerFrame::StrutInfo> &, aPlaceholders=nsTArray<nsIFrame*> &, aAxisTracker=..., aMainGapSize=0, aCrossGapSize=0, aConsumedBSize=0, aHasLineClampEllipsis=<optimized out>, aContainerInfo=0x0) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4920
#26 0x00007fb6308c3178 in nsFlexContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&)
(this=0x7fb615fa1b98, aPresContext=0x7fb617c71c00, aReflowOutput=..., aReflowInput=<optimized out>, aStatus=<optimized out>) at /home/emilio/src/moz/gecko-4/layout/generic/nsFlexContainerFrame.cpp:4430
#27 0x00007fb630968a30 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) (this=0x7ffca90f9c18, aFrame=<optimized out>, aReflowStatus=..., aMetrics=0x0, aPushedFrame=@0x7ffca90f9a1b: false)
at /home/emilio/src/moz/gecko-4/layout/generic/nsLineLayout.cpp:875
#28 0x00007fb630890375 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*)
(this=this@entry=0x7fb615fa1ad0, aState=..., aLineLayout=..., aLine=..., aFrame=aFrame@entry=0x7fb615fa1b98, aLineReflowStatus=0x7ffca90f9afc) at /home/emilio/src/moz/gecko-4/layout/generic/nsBlockFrame.cpp
Assignee | ||
Comment 2•4 years ago
|
||
The logic has been wrong here all the way since bug 1455976, but it probably didn't cause issues until bug 1527410, which changed how we represent flex-basis values.
Quite scary that our fuzzers haven't found this before...
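A model of the bad cast described in comments 1 and 2, added here as an example and not Gecko's own code: the tag-then-payload layout follows the cbindgen-generated style structs only loosely, and CalcNode, LengthPercentage, FlexBasis, MainSizeUnchecked and MainSizeChecked are hypothetical simplifications with a constructed stale-pointer payload.

```cpp
#include <cstdint>

// Stand-in for mozilla::StyleGenericCalcNode, the type the ASan report shows
// being read after free: it was reached by resolving bytes that were never a Size.
struct CalcNode { int32_t value; };

// Hypothetical simplified LengthPercentage: a tagged union whose Calc arm holds
// a pointer, in the shape of the cbindgen-generated StyleLengthPercentageUnion.
struct LengthPercentage {
  enum class Tag : uint8_t { Length, Calc } tag;
  union { int32_t length; const CalcNode* calc; };
  static LengthPercentage Length(int32_t aLen) { LengthPercentage lp{}; lp.tag = Tag::Length; lp.length = aLen; return lp; }
  static LengthPercentage Calc(const CalcNode* aNode) { LengthPercentage lp{}; lp.tag = Tag::Calc; lp.calc = aNode; return lp; }
  // Resolving a Calc arm dereferences whatever the bytes say the pointer is.
  int32_t Resolve() const { return tag == Tag::Calc ? calc->value : length; }
};

// Hypothetical simplified flex-basis: `content` or Size(LengthPercentage). The
// payload is meaningful only when tag == Size; for Content it is whatever was
// left in memory, constructed here as a Calc arm with a stale pointer to mirror
// the freed-heap read in the report.
struct FlexBasis {
  enum class Tag : uint8_t { Content, Size } tag;
  LengthPercentage payload;
  static FlexBasis Size(LengthPercentage aLp) { return {Tag::Size, aLp}; }
  static FlexBasis Content() {
    return {Tag::Content, LengthPercentage::Calc(reinterpret_cast<const CalcNode*>(0xfdfdfdf0))};
  }
  bool IsSize() const { return tag == Tag::Size; }
  // Gecko's generated accessor carries a debug-only MOZ_ASSERT(IsSize()), the
  // "Assertion failure: IsSize()" in comment 1; release builds return the
  // payload regardless, so the caller must check the tag first.
  const LengthPercentage& AsSize() const { return payload; }
};

// Before: the buggy pattern. Nothing checks the tag, so a table wrapper whose
// flex-basis is `content` resolves garbage. Never call this on a Content basis.
int32_t MainSizeUnchecked(const FlexBasis& aBasis) { return aBasis.AsSize().Resolve(); }

// After: ignore a flex-basis that is not a Size (the patch's "ignore
// flex-basis: content on a table wrapper") and keep the auto size the caller
// already has. Falling back to auto is this model's choice, not the patch's text.
int32_t MainSizeChecked(const FlexBasis& aBasis, int32_t aAutoSize) {
  return aBasis.IsSize() ? aBasis.AsSize().Resolve() : aAutoSize;
}

// Constructed sample calc node for the checked path's Calc case.
const CalcNode kSampleCalc{42};
```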
Comment 3•4 years ago (Assignee)
Comment 4•4 years ago (Assignee)
Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert
Beta/Release Uplift Approval Request
- User impact if declined: sec-high/crit, probably
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: open test-case
- List of other uplifts needed: none
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Simple fix to a bad type cast when some CSS is applied to a table.
- String changes made/needed: none
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration:
- User impact if declined: see above
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): see above
- String or UUID changes made by this patch: none
Comment 5•4 years ago (Assignee)
Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert
Security Approval Request
- How easily could an exploit be constructed based on the patch?: somewhat easily I suspect.
- Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?: No
- Which older supported branches are affected by this flaw?: all
- If not all supported branches, which bug introduced the flaw?: None
- Do you have backports for the affected branches?: Yes
- If not, how different, hard to create, and risky will they be?: Should apply cleanly modulo file moves or what not.
- How likely is this patch to cause regressions; how much testing does it need?: Fix is trivial.
Comment 6•4 years ago
Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert
approved to land if we can take it in the RC, otherwise we should probably wait until January to land.
Comment 7•4 years ago
Comment 8•4 years ago
Comment on attachment 9191593 [details]
Bug 1681022 - Ignore flex-basis: content on a table wrapper. r=dholbert
Approved for 84.0rc1 and 78.6esr.
Comment 9•4 years ago
uplift
Comment 10•4 years ago (Assignee)
Comment 11•4 years ago
uplift
Comment 12•4 years ago
https://hg.mozilla.org/mozilla-central/rev/9ecb4b649c1f
https://hg.mozilla.org/mozilla-central/rev/4bb72f41a1dd
Comment 13•4 years ago
I've reproduced this bug using the testcase from comment 0, on an affected Nightly build 85.0a1 (2020-12-06).
The crash no longer reproduces on the latest ASan builds: ESR 78.6, RC1 84.0 and latest Nightly 85.0a1. This was tested on Ubuntu 18.04 x64.
Comment 14•4 years ago
As part of a security bug pattern analysis, we are requesting your help with a high level analysis of this bug. It is our hope to develop static analysis (or potentially runtime/dynamic analysis) in the future to identify classes of bugs.
Please visit this google form to reply.
Comment 16•4 years ago (Assignee)
Ok, Jason and I did a bit more digging to see why our fuzzers hadn't triggered this.
Turns out that even though the logic bug is there since forever, this is a relatively recent regression, from bug 1673006, after all, which made this codepath possible.
Now, release builds have a different regression range where it bisects to bug 1680172. So it looks like:
- Logic bug is ancient, but...
- Only bug 1673006 allows it to happen (content can't access the selector tweaked in that bug), and...
- Before bug 1680172, Rust was initializing the values differently, somehow, in a way that it didn't trigger an exploitable crash...
Comment 17•4 years ago
Note that 1.48 changed things wrt uninitialized memory.
Comment 18•4 years ago
Comment 19•4 years ago