Closed
Bug 1571239
Opened 6 years ago
Closed 6 years ago
use-after-poison in [@ mozilla::SVGObserverUtils::InvalidateRenderingObservers]
Categories: Core :: Layout: Columns (defect, P3)
Status: RESOLVED DUPLICATE of bug 1575106
Tracking:

 | Tracking | Status
---|---|---
firefox70 | --- | disabled
People
(Reporter: tsmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: crash, csectype-framepoisoning, testcase)
Attachments (1 file): 294 bytes, text/html
Found with m-c 20190802-37229cef2cc7
This testcase requires layout.css.column-span.enabled=true
==1850==ERROR: AddressSanitizer: use-after-poison on address 0x6250002b34f8 at pc 0x7f51b1c8f7db bp 0x7ffc86fd63c0 sp 0x7ffc86fd63b8
READ of size 8 at 0x6250002b34f8 thread T0 (file:// Content)
#0 0x7f51b1c8f7da in mozilla::SVGObserverUtils::InvalidateRenderingObservers(nsIFrame*) /src/layout/svg/SVGObserverUtils.cpp:1625:11
#1 0x7f51b16388f5 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /src/layout/base/RestyleManager.cpp:1629:9
#2 0x7f51b1645685 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /src/layout/base/RestyleManager.cpp:3108:9
#3 0x7f51b15f2e99 in ProcessPendingRestyles /src/layout/base/RestyleManager.cpp:3190:3
#4 0x7f51b15f2e99 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /src/layout/base/PresShell.cpp:4190
#5 0x7f51abcff9c9 in FlushPendingNotifications /src/obj-firefox/dist/include/mozilla/PresShell.h:1468:5
#6 0x7f51abcff9c9 in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /src/dom/base/Document.cpp:10048
#7 0x7f51abd48966 in FlushPendingNotifications /src/dom/base/Document.cpp:9978:3
#8 0x7f51abd48966 in nsIContent::GetPrimaryFrame(mozilla::FlushType) /src/dom/base/Element.cpp:229
#9 0x7f51b02976cc in GetSVGTextFrameForNonLayoutDependentQuery /src/dom/svg/SVGTextContentElement.cpp:45:21
#10 0x7f51b02976cc in mozilla::dom::SVGTextContentElement::GetNonLayoutDependentNumberOfChars() /src/dom/svg/SVGTextContentElement.cpp:73
#11 0x7f51b0297cf2 in mozilla::dom::SVGTextContentElement::GetNumberOfChars() /src/dom/svg/SVGTextContentElement.cpp:107:24
#12 0x7f51ad12ed2f in mozilla::dom::SVGTextContentElement_Binding::getNumberOfChars(JSContext*, JS::Handle<JSObject*>, mozilla::dom::SVGTextContentElement*, JSJitMethodCallArgs const&) /src/obj-firefox/dom/bindings/SVGTextContentElementBinding.cpp:111:39
#13 0x7f51ae648c8d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /src/dom/bindings/BindingUtils.cpp:3163:13
#14 0x7f51b5197897 in CallJSNative /src/js/src/vm/Interpreter.cpp:448:13
#15 0x7f51b5197897 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:540
#16 0x7f51b5180153 in CallFromStack /src/js/src/vm/Interpreter.cpp:599:10
#17 0x7f51b5180153 in Interpret(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:3084
#18 0x7f51b5161dbf in js::RunScript(JSContext*, js::RunState&) /src/js/src/vm/Interpreter.cpp:425:10
#19 0x7f51b519839f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /src/js/src/vm/Interpreter.cpp:568:13
#20 0x7f51b519a5c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /src/js/src/vm/Interpreter.cpp:611:8
#21 0x7f51b5ca5348 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /src/js/src/jsapi.cpp:2659:10
#22 0x7f51adde6064 in mozilla::dom::EventHandlerNonNull::Call(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, JS::MutableHandle<JS::Value>, mozilla::ErrorResult&) /src/obj-firefox/dom/bindings/EventHandlerBinding.cpp:267:37
#23 0x7f51aee114e1 in Call<nsCOMPtr<mozilla::dom::EventTarget> > /src/obj-firefox/dist/include/mozilla/dom/EventHandlerBinding.h:363:12
#24 0x7f51aee114e1 in mozilla::JSEventHandler::HandleEvent(mozilla::dom::Event*) /src/dom/events/JSEventHandler.cpp:205
#25 0x7f51aedd5c9c in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /src/dom/events/EventListenerManager.cpp:1031:22
#26 0x7f51aedd75ab in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /src/dom/events/EventListenerManager.cpp:1223:17
#27 0x7f51aedbe35a in HandleEvent /src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
#28 0x7f51aedbe35a in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:349
#29 0x7f51aedbcb72 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /src/dom/events/EventDispatcher.cpp:551:16
#30 0x7f51aedc2545 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /src/dom/events/EventDispatcher.cpp:1047:11
#31 0x7f51aa818344 in nsHtml5SVGLoadDispatcher::Run() /src/parser/html/nsHtml5SVGLoadDispatcher.cpp:30:3
#32 0x7f51a7c78591 in mozilla::SchedulerGroup::Runnable::Run() /src/xpcom/threads/SchedulerGroup.cpp:295:32
#33 0x7f51a7caa4e0 in nsThread::ProcessNextEvent(bool, bool*) /src/xpcom/threads/nsThread.cpp:1224:14
#34 0x7f51a7cb08f8 in NS_ProcessNextEvent(nsIThread*, bool) /src/xpcom/threads/nsThreadUtils.cpp:486:10
#35 0x7f51a8e9a70f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /src/ipc/glue/MessagePump.cpp:88:21
#36 0x7f51a8d977b2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#37 0x7f51a8d977b2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#38 0x7f51a8d977b2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#39 0x7f51b1000099 in nsBaseAppShell::Run() /src/widget/nsBaseAppShell.cpp:137:27
#40 0x7f51b4edf59f in XRE_RunAppShell() /src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#41 0x7f51a8d977b2 in RunInternal /src/ipc/chromium/src/base/message_loop.cc:315:10
#42 0x7f51a8d977b2 in RunHandler /src/ipc/chromium/src/base/message_loop.cc:308
#43 0x7f51a8d977b2 in MessageLoop::Run() /src/ipc/chromium/src/base/message_loop.cc:290
#44 0x7f51b4edee46 in XRE_InitChildProcess(int, char**, XREChildData const*) /src/toolkit/xre/nsEmbedFunctions.cpp:754:34
#45 0x55b61337b173 in content_process_main /src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#46 0x55b61337b173 in main /src/browser/app/nsBrowserApp.cpp:267
#47 0x7f51ca10db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#48 0x55b61329c6ac in _start (/home/worker/builds/m-c-20190802215241-fuzzing-asan-opt/firefox+0x456ac)
0x6250002b34f8 is located 5112 bytes inside of 8192-byte region [0x6250002b2100,0x6250002b4100)
allocated by thread T0 (file:// Content) here:
#0 0x55b6133480c3 in __interceptor_malloc /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_malloc_linux.cc:146:3
#1 0x7f51b176b1f5 in AllocateChunk /src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:171:15
#2 0x7f51b176b1f5 in InternalAllocate /src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:205
#3 0x7f51b176b1f5 in Allocate /src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:67
#4 0x7f51b176b1f5 in mozilla::ArenaAllocator<8192ul, 8ul>::Allocate(unsigned long) /src/obj-firefox/dist/include/mozilla/ArenaAllocator.h:71
#5 0x7f51b1813356 in AllocateByObjectID /src/obj-firefox/dist/include/mozilla/PresShell.h:279:32
#6 0x7f51b1813356 in AllocateFrame /src/obj-firefox/dist/include/mozilla/PresShell.h:271
#7 0x7f51b1813356 in operator new /src/layout/generic/nsBlockFrame.cpp:298
#8 0x7f51b1813356 in NS_NewBlockFrame(mozilla::PresShell*, mozilla::ComputedStyle*) /src/layout/generic/nsBlockFrame.cpp:288
#9 0x7f51b16b8a5e in nsCSSFrameConstructor::CreateContinuingFrame(nsPresContext*, nsIFrame*, nsContainerFrame*, bool) /src/layout/base/nsCSSFrameConstructor.cpp:8074:16
#10 0x7f51b18798e0 in CreateNextInFlow /src/layout/generic/nsContainerFrame.cpp:1325:55
#11 0x7f51b18798e0 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /src/layout/generic/nsColumnSetFrame.cpp:833
#12 0x7f51b187ff84 in ReflowColumns /src/layout/generic/nsColumnSetFrame.cpp:448:37
#13 0x7f51b187ff84 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsColumnSetFrame.cpp:1262
#14 0x7f51b183db9f in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
#15 0x7f51b1832d72 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3632:11
#16 0x7f51b182fe68 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2994:5
#17 0x7f51b1824e38 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2538:7
#18 0x7f51b181c177 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
#19 0x7f51b183db9f in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
#20 0x7f51b1832d72 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3632:11
#21 0x7f51b182fe68 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2994:5
#22 0x7f51b1824e38 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2538:7
#23 0x7f51b181c177 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /src/layout/generic/nsBlockFrame.cpp:1285:3
#24 0x7f51b183db9f in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /src/layout/generic/nsBlockReflowContext.cpp:297:11
#25 0x7f51b1832d72 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:3632:11
#26 0x7f51b182fe68 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /src/layout/generic/nsBlockFrame.cpp:2994:5
#27 0x7f51b1824e38 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /src/layout/generic/nsBlockFrame.cpp:2538:7
Flags: in-testsuite?
Updated 6 years ago
Blocks: column-span
Updated 6 years ago
Flags: needinfo?(aethanyc)
Comment 1, 6 years ago
This is fixed by bug 1575106, and the testcase is added as a crashtest in bug 1575106 Part 4.
(Remove this from blocking bug 616436. Blocking bug 1491723 is sufficient.)
No longer blocks: column-span
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(aethanyc)
Priority: -- → P3
Resolution: --- → DUPLICATE