Bug 1516737 (Closed)
Opened 6 years ago
Closed 6 years ago
use-after-poison in [@ nsLayoutUtils::IsProperAncestorFrame]
Categories: Core :: Layout: Columns, defect, P2
Status: RESOLVED DUPLICATE of bug 1516739

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox66 | --- | disabled |

People: Reporter: tsmith, Unassigned
References: Blocks 1 open bug
Keywords: crash, csectype-framepoisoning, testcase
Attachments (1 file): 314 bytes, text/html
==3807==ERROR: AddressSanitizer: use-after-poison on address 0x625000213a48 at pc 0x7fde395eee15 bp 0x7ffe6e991310 sp 0x7ffe6e991308
READ of size 8 at 0x625000213a48 thread T0 (file:// Content)
#0 0x7fde395eee14 in GetParent src/layout/generic/nsIFrame.h:820:48
#1 0x7fde395eee14 in nsLayoutUtils::IsProperAncestorFrame(nsIFrame*, nsIFrame*, nsIFrame*) src/layout/base/nsLayoutUtils.cpp:1498
#2 0x7fde39b4f3af in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsPlaceholderFrame.cpp:176:10
#3 0x7fde399b7359 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#4 0x7fde3981f8d0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
#5 0x7fde39aecd6d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
#6 0x7fde3981e824 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:332:3
#7 0x7fde39aecd6d in nsLineBox::DeleteLineList(nsPresContext*, nsLineList&, nsIFrame*, nsFrameList*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsLineBox.cpp:371:14
#8 0x7fde3981e824 in nsBlockFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:332:3
#9 0x7fde399b7359 in nsFrameList::DestroyFramesFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsFrameList.cpp:51:12
#10 0x7fde3981f8d0 in nsContainerFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsContainerFrame.cpp:211:11
#11 0x7fde39873025 in nsBlockFrame::DoRemoveFrameInternal(nsIFrame*, unsigned int, mozilla::layout::PostFrameDestroyData&) src/layout/generic/nsBlockFrame.cpp:5768:20
#12 0x7fde39876889 in DoRemoveFrame src/layout/generic/nsBlockFrame.h:521:5
#13 0x7fde39876889 in nsBlockFrame::DeleteNextInFlowChild(nsIFrame*, bool) src/layout/generic/nsBlockFrame.cpp:5992
#14 0x7fde3985e6b6 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:338:35
#15 0x7fde3984fa1b in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3408:11
#16 0x7fde3984c895 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2788:5
#17 0x7fde3983dbb3 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2334:7
#18 0x7fde398314c6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1207:3
#19 0x7fde398b2e30 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#20 0x7fde398b05bf in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:731:5
#21 0x7fde398b2e30 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:883:14
#22 0x7fde399f56cd in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:571:3
#23 0x7fde399f723b in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:684:3
#24 0x7fde399fcca4 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1050:3
#25 0x7fde3980b226 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:922:14
#26 0x7fde39809ae6 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:314:7
#27 0x7fde39534daa in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:8548:11
#28 0x7fde39554adc in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8714:24
#29 0x7fde39551f70 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4149:11
#30 0x7fde3678e191 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:567:5
#31 0x7fde3678e191 in FlushPendingEvents src/dom/events/EventStateManager.cpp:5349
#32 0x7fde3678e191 in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:632
#33 0x7fde395866e3 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7294:19
#34 0x7fde3958153a in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:6937:17
#35 0x7fde38ce80fd in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:763:14
#36 0x7fde38ce78e4 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1059:9
#37 0x7fde38d8fcbd in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:379:37
#38 0x7fde31f3b41a in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:528:21
#39 0x7fde383c8b16 in DispatchWidgetEventViaAPZ src/dom/ipc/TabChild.cpp:1583:10
#40 0x7fde383c8b16 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1522
#41 0x7fde383c9d3f in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1495:3
#42 0x7fde383ca030 in RecvSynthMouseMoveEvent src/dom/ipc/TabChild.cpp:1460:8
#43 0x7fde383ca030 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp
#44 0x7fde30ad9dd7 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3658:20
#45 0x7fde30008ac5 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5445:28
#46 0x7fde2fcc8dd9 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2159:21
#47 0x7fde2fcc475a in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2086:9
#48 0x7fde2fcc6961 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1935:3
#49 0x7fde2fcc7827 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1966:13
#50 0x7fde2ea025b5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
#51 0x7fde2ea3f9f8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#52 0x7fde2ea487ad in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#53 0x7fde2fcd221f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#54 0x7fde2fbc478e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#55 0x7fde2fbc478e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#56 0x7fde2fbc478e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#57 0x7fde38de0b43 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#58 0x7fde3d88675e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#59 0x7fde2fbc478e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#60 0x7fde2fbc478e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#61 0x7fde2fbc478e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#62 0x7fde3d8857ae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
#63 0x55c14c1a2864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
#64 0x55c14c1a2864 in main src/browser/app/nsBrowserApp.cpp:265
#65 0x7fde52419b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#66 0x55c14c0c7eec in _start (firefox+0x2deec)
0x625000213a48 is located 6472 bytes inside of 8192-byte region [0x625000212100,0x625000214100)
allocated by thread T0 (file:// Content) here:
#0 0x55c14c16fd93 in malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7fde2e9dcda0 in mozilla::ArenaAllocator<8192ul, 8ul>::AllocateChunk(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
#2 0x7fde2e9d2658 in InternalAllocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205:25
#3 0x7fde2e9d2658 in Allocate src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67
#4 0x7fde2e9d2658 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71
#5 0x7fde397fcd5a in AllocateByFrameID src/layout/base/nsPresArena.h:39:12
#6 0x7fde397fcd5a in AllocateFrame src/layout/base/nsIPresShell.h:209
#7 0x7fde397fcd5a in operator new src/layout/generic/ViewportFrame.cpp:33
#8 0x7fde397fcd5a in NS_NewViewportFrame(nsIPresShell*, mozilla::ComputedStyle*) src/layout/generic/ViewportFrame.cpp:30
#9 0x7fde39607b03 in nsCSSFrameConstructor::ConstructRootFrame() src/layout/base/nsCSSFrameConstructor.cpp:2530:7
#10 0x7fde3952c942 in mozilla::PresShell::Initialize() src/layout/base/PresShell.cpp:1751:36
#11 0x7fde32daf811 in nsContentSink::StartLayout(bool) src/dom/base/nsContentSink.cpp:1209:26
#12 0x7fde31689092 in nsHtml5TreeOpExecutor::StartLayout(bool*) src/parser/html/nsHtml5TreeOpExecutor.cpp:644:18
#13 0x7fde316851f7 in nsHtml5TreeOperation::Perform(nsHtml5TreeOpExecutor*, nsIContent**, bool*, bool*) src/parser/html/nsHtml5TreeOperation.cpp:1109:17
#14 0x7fde31682167 in nsHtml5TreeOpExecutor::RunFlushLoop() src/parser/html/nsHtml5TreeOpExecutor.cpp:461:19
#15 0x7fde3168e72f in nsHtml5ExecutorReflusher::Run() src/parser/html/nsHtml5TreeOpExecutor.cpp:54:16
#16 0x7fde2ea025b5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
#17 0x7fde2ea3f9f8 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
#18 0x7fde2ea487ad in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
#19 0x7fde2fcd221f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
#20 0x7fde2fbc478e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#21 0x7fde2fbc478e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#22 0x7fde2fbc478e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#23 0x7fde38de0b43 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
#24 0x7fde3d88675e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
#25 0x7fde2fbc478e in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
#26 0x7fde2fbc478e in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
#27 0x7fde2fbc478e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
#28 0x7fde3d8857ae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
Flags: in-testsuite?
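Note on reading the report above (added here, not part of the original bug): the faulting address sits 6472 bytes into an 8192-byte chunk owned by `mozilla::ArenaAllocator<8192ul, 8ul>`, the backing store of Gecko's frame arena (the allocation stack ends in `NS_NewViewportFrame` via `AllocateFrame`). Frame memory is not returned to malloc when a frame is destroyed; the arena fills the slot with a poison pattern, marks it inaccessible in sanitizer builds and keeps it on a free list for reuse. `GetParent()` in `nsLayoutUtils::IsProperAncestorFrame`, called from `nsPlaceholderFrame::DestroyFrom` during frame-tree teardown, therefore dereferenced an `nsIFrame*` whose target had already been destroyed earlier in the same teardown, and ASan reports that as use-after-poison rather than heap-use-after-free; `csectype-framepoisoning` is the keyword Bugzilla uses for memory-safety bugs caught this way. The C program below is an added example of the mechanism, not Gecko or ASan code. Its arena, the 64-byte slot size, the 0x5a fill byte, the `frame` struct and all function names are hypothetical; only the 8192-byte chunk size is taken from the report. Built with `-fsanitize=address`, the `POISON`/`UNPOISON` macros call ASan's real `__asan_poison_memory_region` API and a read through the stale parent pointer aborts with the same "use-after-poison" diagnostic; without ASan, the arena's own shadow array answers the same question.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* With -fsanitize=address these call ASan's poisoning API; otherwise they are no-ops. */
#if defined(__SANITIZE_ADDRESS__)
#  define ARENA_ASAN 1
#elif defined(__has_feature)
#  if __has_feature(address_sanitizer)
#    define ARENA_ASAN 1
#  endif
#endif
#ifdef ARENA_ASAN
#  include <sanitizer/asan_interface.h>
#  define POISON(p, n)   __asan_poison_memory_region((p), (n))
#  define UNPOISON(p, n) __asan_unpoison_memory_region((p), (n))
#else
#  define POISON(p, n)   ((void)(p), (void)(n))
#  define UNPOISON(p, n) ((void)(p), (void)(n))
#endif

#define CHUNK_SIZE  8192 /* chunk size of ArenaAllocator<8192ul, 8ul> in the report */
#define SLOT_SIZE   64   /* hypothetical fixed frame size */
#define NSLOTS      (CHUNK_SIZE / SLOT_SIZE)
#define POISON_BYTE 0x5a /* hypothetical fill pattern for freed slots */

typedef struct {
    _Alignas(8) uint8_t chunk[CHUNK_SIZE];
    uint32_t free_stack[NSLOTS]; /* freed slot indices, kept outside the poisoned memory */
    uint32_t nfree, next_fresh;  /* free-list depth; first slot never handed out */
    bool     poisoned[NSLOTS];   /* our shadow bookkeeping (ASan keeps the real one) */
} frame_arena;

static size_t slot_index(const frame_arena *a, const void *p) {
    return (size_t)((const uint8_t *)p - a->chunk) / SLOT_SIZE;
}

void arena_init(frame_arena *a) {
    UNPOISON(a->chunk, CHUNK_SIZE); /* allow reinitialising an arena that was in use */
    memset(a, 0, sizeof *a);
    for (size_t i = 0; i < NSLOTS; i++) a->poisoned[i] = true;
    POISON(a->chunk, CHUNK_SIZE);   /* nothing handed out yet: whole chunk is off-limits */
}

void *arena_alloc(frame_arena *a) {
    if (a->nfree == 0 && a->next_fresh >= NSLOTS) return NULL; /* real arena: add a chunk */
    uint32_t idx = a->nfree ? a->free_stack[--a->nfree] : a->next_fresh++; /* LIFO reuse first */
    uint8_t *p = a->chunk + (size_t)idx * SLOT_SIZE;
    UNPOISON(p, SLOT_SIZE);
    a->poisoned[idx] = false;
    memset(p, 0, SLOT_SIZE);        /* wipe the stale poison fill before reuse */
    return p;
}

void arena_free(frame_arena *a, void *p) {
    size_t idx = slot_index(a, p);
    memset(p, POISON_BYTE, SLOT_SIZE); /* release builds: stale reads see the pattern */
    POISON(p, SLOT_SIZE);              /* ASan builds: any later access is use-after-poison */
    a->poisoned[idx] = true;
    a->free_stack[a->nfree++] = (uint32_t)idx;
}

/* Stand-in for ASan's per-load check: is p inside a freed, not-yet-reused slot? */
bool arena_is_poisoned(const frame_arena *a, const void *p) {
    const uint8_t *q = p;
    if (q < a->chunk || q >= a->chunk + CHUNK_SIZE) return false; /* not arena memory */
    return a->poisoned[slot_index(a, p)];
}

/* Minimal stand-in for an nsIFrame: only the parent link matters here. */
typedef struct frame { struct frame *parent; } frame;

/* The pattern in the report: an ancestor is destroyed while a descendant still
 * points at it, then the descendant's parent chain is walked. */
bool stale_parent_detected(void) {
    static frame_arena a;
    arena_init(&a);
    frame *root = arena_alloc(&a), *child = arena_alloc(&a);
    child->parent = root;
    arena_free(&a, root); /* root destroyed, child still points at it */
    /* Under ASan, `child->parent->parent` here aborts: use-after-poison, READ of size 8. */
    return arena_is_poisoned(&a, child->parent);
}

/* Why poisoning is detection, not mitigation: the slot is reused LIFO, so in a
 * release build the next same-size allocation aliases the stale pointer. */
bool stale_pointer_aliases_next_alloc(void) {
    static frame_arena a;
    arena_init(&a);
    frame *root = arena_alloc(&a), *child = arena_alloc(&a);
    child->parent = root;
    arena_free(&a, root);
    frame *fresh = arena_alloc(&a); /* gets root's slot back, now unpoisoned */
    return fresh == child->parent && !arena_is_poisoned(&a, child->parent);
}

int main(void) {
    printf("stale parent poisoned: %d, aliased after realloc: %d\n",
           stale_parent_detected(), stale_pointer_aliases_next_alloc());
    return 0;
}
```

The second scenario is why this class of bug is tracked as a security issue and not only as a crash: poisoning only changes what a stale pointer reads until the slot is handed out again, and with a LIFO free list the next same-size frame allocation gets that slot, so in a release build the dangling `nsIFrame*` aliases a live frame. To see ASan's own report, build with `cc -std=c11 -fsanitize=address` and add a read of `child->parent->parent` after the `arena_free` call in `stale_parent_detected`.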
Updated • 6 years ago
Priority: -- → P2

Updated • 6 years ago
Flags: needinfo?(aethanyc)

Reporter
Updated • 6 years ago
Blocks: fuzzing-column-span

Comment 1 • 6 years ago
This won't crash if bug 1516739 is fixed, so I'll make it a dup. However, the test case exhibits another rendering issue. I've filed bug 1520722 and provided more details there.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(aethanyc)
Resolution: --- → DUPLICATE