Closed Bug 1716644 Opened 3 years ago Closed 1 year ago

use-after-poison in [@ InvalidateRenderingObservers]

Categories

(Core :: Layout, defect)


Tracking


RESOLVED FIXED
118 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox-esr102 --- wontfix
firefox-esr115 --- wontfix
firefox90 --- wontfix
firefox91 --- wontfix
firefox96 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox117 --- fixed
firefox118 --- fixed

People

(Reporter: tsmith, Assigned: longsonr)

References

(Blocks 1 open bug, Regression)

Details

(5 keywords, Whiteboard: [bugmon:bisected,confirmed])

Crash Data

Attachments

(1 file)

Attached file testcase.html (deleted)

Found while fuzzing m-c 20210613-f531f12e5c35 (--enable-address-sanitizer --enable-fuzzing)

==6247==ERROR: AddressSanitizer: use-after-poison on address 0x62500023be30 at pc 0x7fa00bad918e bp 0x7ffe75f3e130 sp 0x7ffe75f3e128
READ of size 8 at 0x62500023be30 thread T0 (Isolated Web Co)
    #0 0x7fa00bad918d in HasAnyStateBits /gecko/layout/generic/nsIFrame.h:2377:59
    #1 0x7fa00bad918d in InvalidateRenderingObservers(nsIFrame*, nsIFrame*, bool) /gecko/layout/generic/nsIFrame.cpp:7142:19
    #2 0x7fa00b9a86d2 in SchedulePaint /gecko/layout/generic/nsIFrame.cpp:7416:3
    #3 0x7fa00b9a86d2 in nsIFrame::SetParent(nsContainerFrame*) /gecko/layout/generic/nsIFrame.cpp:11045:5
    #4 0x7fa00b99f1da in ApplySetParent /gecko/layout/generic/nsFrameList.cpp:280:8
    #5 0x7fa00b99f1da in nsFrameList::InsertFrames(nsContainerFrame*, nsIFrame*, nsFrameList&) /gecko/layout/generic/nsFrameList.cpp:130:16
    #6 0x7fa00bb11194 in nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsInlineFrame.cpp:1004:19
    #7 0x7fa00bb7e16d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /gecko/layout/generic/nsLineLayout.cpp:875:13
    #8 0x7fa00b967b21 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /gecko/layout/generic/nsBlockFrame.cpp:4541:15
    #9 0x7fa00b966b10 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /gecko/layout/generic/nsBlockFrame.cpp:4343:5
    #10 0x7fa00b95fcce in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:4228:9
    #11 0x7fa00b9594f9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3208:5
    #12 0x7fa00b951010 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #13 0x7fa00b94bc25 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #14 0x7fa00bd75029 in mozilla::SVGTextFrame::DoReflow() /gecko/layout/svg/SVGTextFrame.cpp:5118:8
    #15 0x7fa00bd64f7e in mozilla::SVGTextFrame::MaybeReflowAnonymousBlockChild() /gecko/layout/svg/SVGTextFrame.cpp:5059:5
    #16 0x7fa00bd40a18 in mozilla::SVGTextFrame::ReflowSVG() /gecko/layout/svg/SVGTextFrame.cpp:3294:3
    #17 0x7fa00bd0a02f in mozilla::SVGDisplayContainerFrame::ReflowSVG() /gecko/layout/svg/SVGContainerFrame.cpp:320:17
    #18 0x7fa00bd4bdd7 in mozilla::SVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/svg/SVGOuterSVGFrame.cpp:453:14
    #19 0x7fa00bb7e16d in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /gecko/layout/generic/nsLineLayout.cpp:875:13
    #20 0x7fa00b967b21 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /gecko/layout/generic/nsBlockFrame.cpp:4541:15
    #21 0x7fa00b966b10 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /gecko/layout/generic/nsBlockFrame.cpp:4343:5
    #22 0x7fa00b95fcce in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:4228:9
    #23 0x7fa00b9594f9 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3208:5
    #24 0x7fa00b951010 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #25 0x7fa00b94bc25 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #26 0x7fa00b9645e3 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #27 0x7fa00b95c642 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3864:11
    #28 0x7fa00b959646 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3205:5
    #29 0x7fa00b951010 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #30 0x7fa00b94bc25 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #31 0x7fa00b9645e3 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockReflowContext.cpp:288:11
    #32 0x7fa00b95c642 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3864:11
    #33 0x7fa00b959646 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /gecko/layout/generic/nsBlockFrame.cpp:3205:5
    #34 0x7fa00b951010 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /gecko/layout/generic/nsBlockFrame.cpp:2742:7
    #35 0x7fa00b94bc25 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsBlockFrame.cpp:1373:3
    #36 0x7fa00b9ac24f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #37 0x7fa00b98a797 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsCanvasFrame.cpp:819:7
    #38 0x7fa00b9ac24f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1001:14
    #39 0x7fa00ba20c01 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /gecko/layout/generic/nsGfxScrollFrame.cpp:758:3
    #40 0x7fa00ba2257c in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /gecko/layout/generic/nsGfxScrollFrame.cpp:881:3
    #41 0x7fa00ba2886e in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/nsGfxScrollFrame.cpp:1300:3
    #42 0x7fa00b9ac996 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /gecko/layout/generic/nsContainerFrame.cpp:1041:14
    #43 0x7fa00b93eb7d in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /gecko/layout/generic/ViewportFrame.cpp:374:7
    #44 0x7fa00b783d07 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /gecko/layout/base/PresShell.cpp:9593:11
    #45 0x7fa00b794bd7 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9764:24
    #46 0x7fa00b7934d7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4234:11
    #47 0x7fa00b78506b in mozilla::PresShell::DidDoReflow(bool) /gecko/layout/base/PresShell.cpp:9392:3
    #48 0x7fa00b794d08 in mozilla::PresShell::ProcessReflowCommands(bool) /gecko/layout/base/PresShell.cpp:9784:7
    #49 0x7fa00b7934d7 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /gecko/layout/base/PresShell.cpp:4234:11
    #50 0x7fa0090013d6 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1402:5
    #51 0x7fa0090013d6 in mozilla::EventStateManager::FlushLayout(nsPresContext*) /gecko/dom/events/EventStateManager.cpp:5775:16
    #52 0x7fa008ffa2c0 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) /gecko/dom/events/EventStateManager.cpp:724:7
    #53 0x7fa00b7b2fad in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /gecko/layout/base/PresShell.cpp:8212:39
    #54 0x7fa00b7acf91 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /gecko/layout/base/PresShell.cpp:8181:17
    #55 0x7fa00b7ac4e3 in mozilla::PresShell::EventHandler::HandleEventUsingCoordinates(nsIFrame*, mozilla::WidgetGUIEvent*, nsEventStatus*, bool) /gecko/layout/base/PresShell.cpp:7101:30
    #56 0x7fa00b7aabba in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6904:12
    #57 0x7fa00b7a97a1 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /gecko/layout/base/PresShell.cpp:6829:23
    #58 0x7fa00b17f5a7 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /gecko/view/nsViewManager.cpp:704:18
    #59 0x7fa00b17f255 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /gecko/view/nsView.cpp:1136:9
    #60 0x7fa00b1ff9a1 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /gecko/widget/PuppetWidget.cpp:377:37
    #61 0x7fa0062eceb9 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) /gecko/gfx/layers/apz/util/APZCCallbackHelper.cpp:517:21
    #62 0x7fa00a9aea3d in DispatchWidgetEventViaAPZ /gecko/dom/ipc/BrowserChild.cpp:1780:10
    #63 0x7fa00a9aea3d in mozilla::dom::BrowserChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1743:3
    #64 0x7fa00a9b07db in mozilla::dom::BrowserChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1710:3
    #65 0x7fa00a9b09c9 in mozilla::dom::BrowserChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) /gecko/dom/ipc/BrowserChild.cpp:1675:8
    #66 0x7fa00567e2ae in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBrowserChild.cpp:5114:56
    #67 0x7fa004cf53cb in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PContentChild.cpp:8322:32
    #68 0x7fa004a6841a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /gecko/ipc/glue/MessageChannel.cpp:2155:25
    #69 0x7fa004a64b48 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /gecko/ipc/glue/MessageChannel.cpp:2079:9
    #70 0x7fa004a664a5 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /gecko/ipc/glue/MessageChannel.cpp:1924:3
    #71 0x7fa004a6700b in mozilla::ipc::MessageChannel::MessageTask::Run() /gecko/ipc/glue/MessageChannel.cpp:1955:13
    #72 0x7fa00388c592 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:479:16
    #73 0x7fa003859200 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:782:26
    #74 0x7fa003856a48 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:618:15
    #75 0x7fa00385715d in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:402:36
    #76 0x7fa0038965d1 in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
    #77 0x7fa0038965d1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
    #78 0x7fa003873978 in nsThread::ProcessNextEvent(bool, bool*) /gecko/xpcom/threads/nsThread.cpp:1159:16
    #79 0x7fa00387e6bc in NS_ProcessNextEvent(nsIThread*, bool) /gecko/xpcom/threads/nsThreadUtils.cpp:548:10
    #80 0x7fa004a6fb9f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /gecko/ipc/glue/MessagePump.cpp:85:21
    #81 0x7fa004977031 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #82 0x7fa004977031 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #83 0x7fa004977031 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #84 0x7fa00b234037 in nsBaseAppShell::Run() /gecko/widget/nsBaseAppShell.cpp:137:27
    #85 0x7fa00f4a16af in XRE_RunAppShell() /gecko/toolkit/xre/nsEmbedFunctions.cpp:910:20
    #86 0x7fa004977031 in RunInternal /gecko/ipc/chromium/src/base/message_loop.cc:335:10
    #87 0x7fa004977031 in RunHandler /gecko/ipc/chromium/src/base/message_loop.cc:328:3
    #88 0x7fa004977031 in MessageLoop::Run() /gecko/ipc/chromium/src/base/message_loop.cc:310:3
    #89 0x7fa00f4a1088 in XRE_InitChildProcess(int, char**, XREChildData const*) /gecko/toolkit/xre/nsEmbedFunctions.cpp:742:34
    #90 0x559aa2a0e74d in content_process_main(mozilla::Bootstrap*, int, char**) /gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #91 0x559aa2a0eb7d in main /gecko/browser/app/nsBrowserApp.cpp:313:18
    #92 0x7fa0252910b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #93 0x559aa295fa49 in _start (/home/worker/builds/m-c-20210613214113-fuzzing-asan-opt/firefox+0x5ba49)

0x62500023be30 is located 7472 bytes inside of 8192-byte region [0x62500023a100,0x62500023c100)
allocated by thread T0 (Isolated Web Co) here:
    #0 0x559aa29daabd in malloc /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cpp:145:3
    #1 0x7fa003835460 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7fa00b8c1a1d in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7fa00b8c1a1d in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7fa00b8c1a1d in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7fa00b93ad75 in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:271:32
    #6 0x7fa00b93ad75 in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:263:12
    #7 0x7fa00b93ad75 in operator new /gecko/layout/generic/ViewportFrame.cpp:36:1
    #8 0x7fa00b93ad75 in NS_NewViewportFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /gecko/layout/generic/ViewportFrame.cpp:33:10
    #9 0x7fa00b8177b2 in nsCSSFrameConstructor::ConstructRootFrame() /gecko/layout/base/nsCSSFrameConstructor.cpp:2421:7
    #10 0x7fa00b780481 in mozilla::PresShell::Initialize() /gecko/layout/base/PresShell.cpp:1884:36
    #11 0x7fa006f35d7b in nsContentSink::StartLayout(bool) /gecko/dom/base/nsContentSink.cpp:871:30
    #12 0x7fa005bf3389 in nsHtml5TreeOpExecutor::StartLayout(bool*) /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:826:18
==6247==WARNING: Symbolizer buffer too small
    #13 0x7fa005bfdefb  (/home/worker/builds/m-c-20210613214113-fuzzing-asan-opt/libxul.so+0x764aefb)
==6247==WARNING: Symbolizer buffer too small
    #14 0x7fa005bf205e  (/home/worker/builds/m-c-20210613214113-fuzzing-asan-opt/libxul.so+0x763f05e)
    #15 0x7fa005bf1237 in umberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #16 0x7fa005bf1237 in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #17 0x7fa005bf1237 in decltype(auto) mozilla::detail::VariantImplementation<unsigned char, 7ul, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>::match<nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&>(nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*)::TreeOperationMatcher&&, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu>&) /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #18 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #19 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #20 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #21 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #22 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #23 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #24 0x7fa005bfb0ad in match<TreeOperationMatcher, mozilla::Variant<uninitialized, opAppend, opDetach, opAppendChildrenToNewParent, opFosterParent, opAppendToDocument, opAddAttributes, nsHtml5DocumentMode, opCreateHTMLElement, opCreateSVGElement, opCreateMathMLElement, opSetFormElement, opAppendText, opFosterParentText, opAppendComment, opAppendCommentToDocument, opAppendDoctypeToDocument, opGetDocumentFragmentForTemplate, opGetFosterParent, opMarkAsBroken, opRunScript, opRunScriptAsyncDefer, opPreventScriptExecution, opDoneAddingChildren, opDoneCreatingElement, opSetDocumentCharset, opCharsetSwitchTo, opUpdateStyleSheet, opProcessOfflineManifest, opMarkMalformedIfScript, opStreamEnded, opSetStyleLineNumber, opSetScriptLineNumberAndFreeze, opSvgLoad, opMaybeComplainAboutCharset, opMaybeComplainAboutDeepTree, opAddClass, opAddViewSourceHref, opAddViewSourceBase, opAddErrorType, opAddLineNumberId, opStartLayout, opEnableEncodingMenu> &> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:278:14
    #25 0x7fa005bfb0ad in match<TreeOperationMatcher> /builds/worker/workspace/obj-build/dist/include/mozilla/Variant.h:851:12
    #26 0x7fa005bfb0ad in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) /gecko/parser/html/nsHtml5TreeOperation.cpp:1213:21
    #27 0x7fa00384863f in nsHtml5TreeOpExecutor::RunFlushLoop() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:645:19
    #28 0x7fa00388c592 in nsHtml5ExecutorReflusher::Run() /gecko/parser/html/nsHtml5TreeOpExecutor.cpp:78:16
    #29 0x7fa003859200 in mozilla::SchedulerGroup::Runnable::Run() /gecko/xpcom/threads/SchedulerGroup.cpp:143:20
    #30 0x7fa003856a48 in mozilla::RunnableTask::Run() /gecko/xpcom/threads/TaskController.cpp:479:16
    #31 0x7fa00385715d in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:782:26
    #32 0x7fa0038965d1 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /gecko/xpcom/threads/TaskController.cpp:618:15
    #33 0x7fa003873978 in mozilla::TaskController::ProcessPendingMTTask(bool) /gecko/xpcom/threads/TaskController.cpp:402:36
    #34 0x7fa00387e6bc in operator() /gecko/xpcom/threads/TaskController.cpp:135:37
    #35 0x7fa00387e6bc in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_0>::Run() /gecko/xpcom/threads/nsThreadUtils.h:534:5
Severity: -- → S2
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/7K0XSBb9VRH5iTVnl2rolQ/index.html

Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210708154614-ab46ef66acce.
The bug appears to have been introduced in the following build range:

Start: 6c32d769ff9a1ad140d62f94dc4f7af97fa3f696 (20210213095234)
End: 5b9dcbcbcd9c4f2602ea267b69b66009db2ec0a6 (20210213110627)
Pushlog: https://hg.mozilla.org/mozilla-unified/pushloghtml?fromchange=6c32d769ff9a1ad140d62f94dc4f7af97fa3f696&tochange=5b9dcbcbcd9c4f2602ea267b69b66009db2ec0a6

Whiteboard: [bugmon:bisected,confirmed]
Flags: needinfo?(longsonr)
Regressed by: 1691659
Has Regression Range: --- → yes
Keywords: regression

Daniel, could you reassess the severity of this bug since it appears to be sec-low?

Flags: needinfo?(dholbert)

Agreed, use-after-poison (& hence assumed non-exploitable) fuzzer bugs feel S3-level.

Severity: S2 → S3
Flags: needinfo?(dholbert)

Bugmon was unable to reproduce this issue.
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon

A change to the Taskcluster build definitions over the weekend caused Bugmon to fail when reproducing issues. This issue has been corrected. Re-enabling bugmon.

Keywords: bugmon

Testcase crashes using the initial build (mozilla-central 20220903093211-070c2bc9f813) but not with tip (mozilla-central 20230901154021-bf57203fdaf0).

The bug appears to have been fixed in the following build range:

Start: bee27401511bf375891968a9ca78d7ef74d19962 (20230817082455)
End: a6c91cd0d909c83e7f1f4d8c3b79b31d5de33825 (20230817150115)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=bee27401511bf375891968a9ca78d7ef74d19962&tochange=a6c91cd0d909c83e7f1f4d8c3b79b31d5de33825

tsmith, can you confirm that the above bisection range is responsible for fixing this issue?
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Flags: needinfo?(longsonr) → needinfo?(twsmith)
Keywords: bugmon

fixed by bug 1848851

Status: NEW → RESOLVED
Closed: 1 year ago
Depends on: 1848851
Resolution: --- → FIXED
Assignee: nobody → longsonr
Flags: needinfo?(twsmith)
Target Milestone: --- → 118 Branch

Is it worth landing this testcase still?

Flags: needinfo?(longsonr)

As far as I can see they seem pretty similar so I'm not sure it's worth bothering with.

Flags: needinfo?(longsonr)
Flags: in-testsuite? → in-testsuite-