==18754== ERROR: AddressSanitizer: heap-use-after-free on address 0x7fe1a3eff8c0 at pc 0x7fe1bd5c3f18 bp 0x7ffface44c30 sp 0x7ffface44c28 READ of size 8 at 0x7fe1a3eff8c0 thread T0 #0 0x7fe1bd5c3f17 in nsFrameList::InsertFrames(nsIFrame*, nsIFrame*, nsFrameList&) src/layout/generic/nsFrameList.cpp:200 #1 0x7fe1bcc4c32f in nsFrameList::InsertFrame(nsIFrame*, nsIFrame*, nsIFrame*) src/layout/xul/base/src/../../../generic/nsFrameList.h:184 #2 0x7fe1bd4cf344 in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1675 #3 0x7fe1bd4cd7cf in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1169 #4 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #5 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #6 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132 #7 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #8 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #9 0x7fe1bd4aa363 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:649 #10 0x7fe1bd4b071b in nsColumnSetFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsColumnSetFrame.cpp:928 #11 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268 #12 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099 #13 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478 #14 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998 #15 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041 #16 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268 #17 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099 #18 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478 #19 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998 #20 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041 #21 0x7fe1bd46ac20 in nsBlockReflowContext::ReflowBlock(nsRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, nsHTMLReflowState&, unsigned int&, nsBlockReflowState&) src/layout/generic/nsBlockReflowContext.cpp:268 #22 0x7fe1bd40d6ad in nsBlockFrame::ReflowBlockFrame(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3099 #23 0x7fe1bd4023f9 in nsBlockFrame::ReflowLine(nsBlockReflowState&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2478 #24 0x7fe1bd3e9507 in nsBlockFrame::ReflowDirtyLines(nsBlockReflowState&) src/layout/generic/nsBlockFrame.cpp:1998 #25 0x7fe1bd3dc753 in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1041 #26 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #27 0x7fe1bd6989c6 in nsCanvasFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsCanvasFrame.cpp:472 #28 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #29 0x7fe1bd60fd28 in nsHTMLScrollFrame::ReflowScrolledFrame(ScrollReflowState*, bool, bool, nsHTMLReflowMetrics*, bool) src/layout/generic/nsGfxScrollFrame.cpp:433 #30 0x7fe1bd614886 in nsHTMLScrollFrame::ReflowContents(ScrollReflowState*, nsHTMLReflowMetrics const&) src/layout/generic/nsGfxScrollFrame.cpp:533 #31 0x7fe1bd618f20 in nsHTMLScrollFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsGfxScrollFrame.cpp:774 #32 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #33 0x7fe1bda07faa in ViewportFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsViewportFrame.cpp:202 #34 0x7fe1bd13d80b in PresShell::DoReflow(nsIFrame*, bool) src/layout/base/nsPresShell.cpp:7532 #35 0x7fe1bd16cbdd in PresShell::ProcessReflowCommands(bool) src/layout/base/nsPresShell.cpp:7673 #36 0x7fe1bd16b72e in PresShell::FlushPendingNotifications(mozFlushType) src/layout/base/nsPresShell.cpp:3885 #37 0x7fe1bd211954 in nsRefreshDriver::Notify(nsITimer*) src/layout/base/nsRefreshDriver.cpp:406 #38 0x7fe1c9cf3103 in nsTimerImpl::Fire() src/xpcom/threads/nsTimerImpl.cpp:485 #39 0x7fe1c9cf44a1 in nsTimerEvent::Run() src/xpcom/threads/nsTimerImpl.cpp:565 #40 0x7fe1c9cb714e in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:627 #41 0x7fe1c992d0ff in NS_ProcessNextEvent_P(nsIThread*, bool) src/objdir-ff-asan-sym/xpcom/build/nsThreadUtils.cpp:221 #42 0x7fe1c7b482e6 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:82 #43 0x7fe1c9fa2c6e in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:215 #44 0x7fe1c9fa2ab5 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:208 #45 0x7fe1c9fa299b in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:182 #46 0x7fe1c6f45d54 in nsBaseAppShell::Run() src/widget/xpwidgets/nsBaseAppShell.cpp:163 #47 0x7fe1c5a83142 in nsAppStartup::Run() src/toolkit/components/startup/nsAppStartup.cpp:291 #48 0x7fe1bae95b24 in XREMain::XRE_mainRun() src/toolkit/xre/nsAppRunner.cpp:3824 #49 0x7fe1bae9b7f9 in XREMain::XRE_main(int, char**, nsXREAppData const*) src/toolkit/xre/nsAppRunner.cpp:3891 #50 0x7fe1bae9e570 in XRE_main src/toolkit/xre/nsAppRunner.cpp:4089 #51 0x40c2c6 in do_main(int, char**) src/browser/app/nsBrowserApp.cpp:174 #52 0x409b00 in main src/browser/app/nsBrowserApp.cpp:279 #53 0x7fe1da2df76c in 0x7fe1a3eff8c0 is located 0 bytes inside of 16-byte region [0x7fe1a3eff8c0,0x7fe1a3eff8d0) freed by thread T0 here: #0 0x4c3960 in free #1 0x7fe1db2ef4b5 in moz_free src/memory/mozalloc/mozalloc.cpp:48 #2 0x7fe1bd4d12e8 in operator delete(void*) src/../../dist/include/mozilla/mozalloc.h:224 #3 0x7fe1bd4d12e8 in nsContainerFrame::RemovePropTableFrame(nsPresContext*, nsIFrame*, mozilla::FramePropertyDescriptor const*) src/layout/generic/nsContainerFrame.cpp:1422 #4 0x7fe1bd4d0783 in nsContainerFrame::StealFrame(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsContainerFrame.cpp:1212 #5 0x7fe1bd4485bc in nsBlockFrame::StealFrame(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsBlockFrame.cpp:5540 #6 0x7fe1bd4d2dac in nsContainerFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsContainerFrame.cpp:1359 #7 0x7fe1bd44a440 in nsBlockFrame::DeleteNextInFlowChild(nsPresContext*, nsIFrame*, bool) src/layout/generic/nsBlockFrame.cpp:5627 #8 0x7fe1bd4c938b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:964 #9 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132 #10 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #11 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #12 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132 #13 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #14 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #15 0x7fe1bd4aa363 in nsColumnSetFrame::ReflowChildren(nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) src/layout/generic/nsColumnSetFrame.cpp:649 previously allocated by thread T0 here: #0 0x4c3a20 in malloc #1 0x7fe1db2ef5f1 in moz_xmalloc src/memory/mozalloc/mozalloc.cpp:54 #2 0x7fe1bd4cec9f in operator new(unsigned long) src/../../dist/include/mozilla/mozalloc.h:200 #3 0x7fe1bd4cec9f in nsOverflowContinuationTracker::Insert(nsIFrame*, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1664 #4 0x7fe1bd4cd7cf in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1169 #5 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #6 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 #7 0x7fe1bd4cc6d0 in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, nsHTMLReflowState const&, nsOverflowAreas&, unsigned int, unsigned int&) src/layout/generic/nsContainerFrame.cpp:1132 #8 0x7fe1bd3dc1bf in nsBlockFrame::Reflow(nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, unsigned int&) src/layout/generic/nsBlockFrame.cpp:1016 #9 0x7fe1bd4c8efc in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, nsHTMLReflowMetrics&, nsHTMLReflowState const&, int, int, unsigned int, unsigned int&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:952 Shadow byte and word: 0x1ffc347dff18: fd 0x1ffc347dff18: fd fd fd fd fd fd fd fd More shadow bytes: 0x1ffc347dfef8: fd fd fd fd fd fd fd fd 0x1ffc347dff00: fa fa fa fa fa fa fa fa 0x1ffc347dff08: fd fd fd fd fd fd fd fd 0x1ffc347dff10: fa fa fa fa fa fa fa fa =>0x1ffc347dff18: fd fd fd fd fd fd fd fd 0x1ffc347dff20: fa fa fa fa fa fa fa fa 0x1ffc347dff28: 00 00 00 00 fb fb fb fb 0x1ffc347dff30: fa fa fa fa fa fa fa fa 0x1ffc347dff38: 00 00 fb fb fb fb fb fb Stats: 248M malloced (227M for red zones) by 335899 calls Stats: 46M realloced by 17937 calls Stats: 223M freed by 225009 calls Stats: 189M really freed by 165935 calls Stats: 229M (58700 full pages) mmaped in 435 calls mmaps by size class: 7:106470; 8:42987; 9:14322; 10:6132; 11:7650; 12:1280; 13:832; 14:512; 15:224; 16:720; 17:464; 18:34; 19:35; 20:21; mallocs by size class: 7:194636; 8:82680; 9:23231; 10:8865; 11:17593; 12:2266; 13:1768; 14:1596; 15:403; 16:1333; 17:1396; 18:70; 19:40; 20:22; frees by size class: 7:123292; 8:55530; 9:17070; 10:5819; 11:15789; 12:1532; 13:1552; 14:1415; 15:281; 16:1234; 17:1381; 18:57; 19:38; 20:19; rfrees by size class: 7:92112; 8:41051; 9:12619; 10:2922; 11:11468; 12:1026; 13:983; 14:1253; 15:219; 16:863; 17:1314; 18:49; 19:37; 20:19; Stats: malloc large: 3264 small slow: 4711 ==18754== ABORTING

Isn't frame-poisoning supposed to protect us from this kind of thing? Or does that not apply to nsFrameLists?

Mats, can you help this one get love?

Mats, ping.

The testcase doesn't crash for me (m-c ASan debug Linux64), but I do get this: ###!!! ASSERTION: overflow container must not have computedHeightLeftOver: '!( IS_TRUE_OVERFLOW_CONTAINER(this) && computedHeightLeftOver )', file layout/generic/nsBlockFrame.cpp, line 1353 With my tentative fix for bug 812893 the assertion does not occur, so I think it's the same underlying bug.

Abhishek: is this fixed by the patch in bug 812893?

(In reply to Daniel Veditz [:dveditz] from comment #5) > Abhishek: is this fixed by the patch in bug 812893? Verified on trunk with patch from 812893 that the crash does not reproduce anymore.