Closed Bug 1802782 Opened 2 years ago Closed 2 years ago

use after poison in nsFloatManager::GetFlowArea

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1703999
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox107 --- wontfix
firefox108 --- wontfix
firefox109 --- wontfix

People

(Reporter: springsec, Unassigned)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Crash Data

Attachments

(1 file)

poc0.html
(deleted), text/html
Details
Attached file poc0.html (deleted) —

run asan build of firefox with the attached poc
Tested on asan firefox version: 109.0a1 ,
Os version: Ubuntu20.04.1 64 bit

Asan log:

==93353==ERROR: AddressSanitizer: use-after-poison on address 0x6250001e63c0 at pc 0x7f98e5c75fe7 bp 0x7fffb71fa2f0 sp 0x7fffb71fa2e8
READ of size 8 at 0x6250001e63c0 thread T0 (file:// Content)
    #0 0x7f98e5c75fe6 in get /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27
    #1 0x7f98e5c75fe6 in operator-> /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:316:12
    #2 0x7f98e5c75fe6 in StyleDisplay /builds/worker/checkouts/gecko/layout/style/nsStyleStructList.h:46:1
    #3 0x7f98e5c75fe6 in nsFloatManager::GetFlowArea(mozilla::WritingMode, int, int, nsFloatManager::BandInfoType, nsFloatManager::ShapeType, mozilla::LogicalRect, nsFloatManager::SavedState*, nsSize const&) const /builds/worker/checkouts/gecko/layout/generic/nsFloatManager.cpp:198:42
    #4 0x7f98e5b54e86 in GetFloatAvailableSpaceWithState /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:320:43
    #5 0x7f98e5b54e86 in GetFloatAvailableSpace /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.h:127:12
    #6 0x7f98e5b54e86 in mozilla::BlockReflowState::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:591:36
    #7 0x7f98e5e943ab in AddFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.h:156:22
    #8 0x7f98e5e943ab in TryToPlaceFloat /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:1458:36
    #9 0x7f98e5e943ab in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:912:23
    #10 0x7f98e5e28a28 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:669:15
    #11 0x7f98e5e27913 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:543:7
    #12 0x7f98e5e26ab5 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsInlineFrame.cpp:359:3
    #13 0x7f98e5e93b64 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/checkouts/gecko/layout/generic/nsLineLayout.cpp:870:13
    #14 0x7f98e5bf39b3 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4719:15
    #15 0x7f98e5bf1856 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowState&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4521:5
    #16 0x7f98e5bea184 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4395:9
    #17 0x7f98e5be2462 in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3381:5
    #18 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #19 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
    #20 0x7f98e5bef8b0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #21 0x7f98e5be5b2b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
    #22 0x7f98e5be25cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
    #23 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #24 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
    #25 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #26 0x7f98e5c1ba99 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:664:7
    #27 0x7f98e5c20f1f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1202:37
    #28 0x7f98e5bef8b0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #29 0x7f98e5be5b2b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
    #30 0x7f98e5be25cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
    #31 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #32 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
    #33 0x7f98e5bef8b0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #34 0x7f98e5be5b2b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
    #35 0x7f98e5be25cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
    #36 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #37 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
    #38 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #39 0x7f98e5c1ba99 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:664:7
    #40 0x7f98e5c20455 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1098:9
    #41 0x7f98e5c20fb1 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1209:5
    #42 0x7f98e5bef8b0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #43 0x7f98e5be5b2b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
    #44 0x7f98e5be25cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
    #45 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #46 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3
    #47 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #48 0x7f98e5c156a8 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:755:7
    #49 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #50 0x7f98e5cc3c94 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput&, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:841:3
    #51 0x7f98e5cc6b64 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput&, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:977:3
    #52 0x7f98e5cd2760 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1404:3
    #53 0x7f98e5bb6665 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1069:14
    #54 0x7f98e5bb5374 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:383:7
    #55 0x7f98e5965125 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9667:11
    #56 0x7f98e59b25de in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9839:24
    #57 0x7f98e597c396 in DoFlushLayout /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9909:10
    #58 0x7f98e597c396 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4420:11
    #59 0x7f98de54f53e in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1461:5
    #60 0x7f98de54f53e in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/dom/base/Document.cpp:10722:16
    #61 0x7f98dced60ea in nsDocLoader::DocLoaderIsEmpty(bool, mozilla::Maybe<nsresult> const&) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:742:14
    #62 0x7f98dced92e1 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/uriloader/base/nsDocLoader.cpp:680:5
    #63 0x7f98e963fee9 in nsDocShell::OnStopRequest(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/docshell/base/nsDocShell.cpp:13863:23
    #64 0x7f98db3bb9a0 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:628:22
    #65 0x7f98db3beb04 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/checkouts/gecko/netwerk/base/nsLoadGroup.cpp:532:10
    #66 0x7f98de5026ae in DoUnblockOnload /builds/worker/checkouts/gecko/dom/base/Document.cpp:11503:18
    #67 0x7f98de5026ae in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/checkouts/gecko/dom/base/Document.cpp:11441:9
    #68 0x7f98de52f547 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/checkouts/gecko/dom/base/Document.cpp:7968:3
    #69 0x7f98de635d5f in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1162:12
    #70 0x7f98de635d5f in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1168:12
    #71 0x7f98de635d5f in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:1215:13
    #72 0x7f98dafca54f in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/checkouts/gecko/xpcom/threads/SchedulerGroup.cpp:140:20
    #73 0x7f98dafe3590 in mozilla::RunnableTask::Run() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:538:16
    #74 0x7f98dafd5fd1 in mozilla::TaskController::DoExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:851:26
    #75 0x7f98dafd2e05 in mozilla::TaskController::ExecuteNextTaskOnlyMainThreadInternal(mozilla::detail::BaseAutoLock<mozilla::Mutex&> const&) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:683:15
    #76 0x7f98dafd365c in mozilla::TaskController::ProcessPendingMTTask(bool) /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:461:36
    #77 0x7f98dafe88b1 in operator() /builds/worker/checkouts/gecko/xpcom/threads/TaskController.cpp:187:37
    #78 0x7f98dafe88b1 in mozilla::detail::RunnableFunction<mozilla::TaskController::InitializeInternal()::$_2>::Run() /builds/worker/workspace/obj-build/dist/include/nsThreadUtils.h:546:5
    #79 0x7f98db012067 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1204:16
    #80 0x7f98db01f872 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:474:10
    #81 0x7f98dc964463 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:85:21
    #82 0x7f98dc7bcb50 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #83 0x7f98dc7bcb50 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #84 0x7f98dc7bcb50 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #85 0x7f98e5084cac in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:150:27
    #86 0x7f98ea7e68a0 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:884:20
    #87 0x7f98dc7bcb50 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:381:10
    #88 0x7f98dc7bcb50 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:374:3
    #89 0x7f98dc7bcb50 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:356:3
    #90 0x7f98ea7e54c4 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:743:34
    #91 0x558ad62707d8 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:57:28
    #92 0x558ad62707d8 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:359:18
    #93 0x7f98f4107082 in __libc_start_main /build/glibc-SzIz7B/glibc-2.31/csu/../csu/libc-start.c:308:16
    #94 0x558ad61ae748 in _start (/home/aviv/Downloads/firefox/firefox-bin+0xac748) (BuildId: 6fea42bc50853b2ab2ef0f9185c9c6ef01e903d1)

0x6250001e63c0 is located 4800 bytes inside of 8192-byte region [0x6250001e5100,0x6250001e7100)
allocated by thread T0 (file:// Content) here:
    #0 0x558ad623311e in malloc /builds/worker/fetches/llvm-project/compiler-rt/lib/asan/asan_malloc_linux.cpp:69:3
    #1 0x7f98e5b1342f in AllocateChunk /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:170:15
    #2 0x7f98e5b1342f in InternalAllocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:204:25
    #3 0x7f98e5b1342f in Allocate /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:66:12
    #4 0x7f98e5b1342f in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /builds/worker/workspace/obj-build/dist/include/mozilla/ArenaAllocator.h:70:15
    #5 0x7f98e5b5d0dd in AllocateByObjectID /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:282:32
    #6 0x7f98e5b5d0dd in AllocateFrame /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:274:12
    #7 0x7f98e5b5d0dd in operator new /builds/worker/checkouts/gecko/layout/generic/ColumnSetWrapperFrame.cpp:30:1
    #8 0x7f98e5b5d0dd in NS_NewColumnSetWrapperFrame(mozilla::PresShell*, mozilla::ComputedStyle*, nsFrameState) /builds/worker/checkouts/gecko/layout/generic/ColumnSetWrapperFrame.cpp:20:34
    #9 0x7f98e5a5f46b in nsCSSFrameConstructor::CreateContinuingFrame(nsIFrame*, nsContainerFrame*, bool) /builds/worker/checkouts/gecko/layout/base/nsCSSFrameConstructor.cpp:7968:9
    #10 0x7f98e5bf70da in nsBlockFrame::SplitFloat(mozilla::BlockReflowState&, nsIFrame*, nsReflowStatus const&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4870:42
    #11 0x7f98e5b58007 in mozilla::BlockReflowState::FlowAndPlaceFloat(nsIFrame*, mozilla::Maybe<int>) /builds/worker/checkouts/gecko/layout/generic/BlockReflowState.cpp:961:13
    #12 0x7f98e5bd369d in nsBlockFrame::ReflowPushedFloats(mozilla::BlockReflowState&, mozilla::OverflowAreas&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:6868:16
    #13 0x7f98e5bcc0a0 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1450:3
    #14 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #15 0x7f98e5bd2208 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, mozilla::OverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*), mozilla::Maybe<nsSize>) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1296:7
    #16 0x7f98e5bcbfac in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1437:5
    #17 0x7f98e5c173c9 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:1029:14
    #18 0x7f98e5c1ba99 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:664:7
    #19 0x7f98e5c20abe in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1153:5
    #20 0x7f98e5c20fb1 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsColumnSetFrame.cpp:1209:5
    #21 0x7f98e5bef8b0 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:290:11
    #22 0x7f98e5be5b2b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:4032:11
    #23 0x7f98e5be25cb in nsBlockFrame::ReflowLine(mozilla::BlockReflowState&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3378:5
    #24 0x7f98e5bd5494 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowState&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2895:9
    #25 0x7f98e5bcc4e7 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1470:3

SUMMARY: AddressSanitizer: use-after-poison /builds/worker/workspace/obj-build/dist/include/mozilla/RefPtr.h:286:27 in get
Shadow bytes around the buggy address:
  0x0c4a80034c20: 00 00 00 00 00 00 00 00 00 00 f7 f7 f7 f7 f7 f7
  0x0c4a80034c30: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
  0x0c4a80034c40: f7 f7 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80034c50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80034c60: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c4a80034c70: 00 00 00 00 f7 f7 f7 f7[f7]f7 f7 f7 f7 f7 f7 f7
  0x0c4a80034c80: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 00 00 00 00
  0x0c4a80034c90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80034ca0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c4a80034cb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f7 f7
  0x0c4a80034cc0: f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7 f7
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==93353==ABORTING
Flags: sec-bounty?
Group: firefox-core-security → layout-core-security
Component: Security → Layout
Product: Firefox → Core

Regressed by bug 793686, Ting-Yu, can you poke?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(aethanyc)
Regressed by: 793686

Set release status flags based on info from the regressing bug 793686

status-firefox107: --- → affected
status-firefox108: --- → affected
status-firefox109: --- → affected
status-firefox-esr102: --- → unaffected
Keywords: regression
Summary: use after poision in nsFloatManager::GetFlowArea → use after poison in nsFloatManager::GetFlowArea

I can reproduce the crash with a non-asan debug build. Keeping the NI as a reminder.

Crash Signature: [@ ServoComputedData::GetStyleDisplay ]
Group: layout-core-security
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1703999
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-

I posted some thoughts in bug 1703999 comment 9.

Flags: needinfo?(aethanyc)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: