Closed
Bug 1340248
Opened 9 years ago
Closed 8 years ago
Crash [@nsFrame::DidSetStyleContext]
Categories: Core :: Layout, defect, P2
Tracking: RESOLVED FIXED, target milestone mozilla56
People: Reporter: jkratzer, Assigned: heycam
References: Blocks 1 open bug
Details: Keywords: crash, csectype-nullptr, testcase
Attachments (1 file): 553 bytes, text/html
Testcase found by fuzzing on mozilla-central rev 20170215-ec3ef9f77a52.
ASAN:DEADLYSIGNAL
=================================================================
==18074==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f20bf782fed bp 0x7ffd11c864b0 sp 0x7ffd11c86360 T0)
#0 0x7f20bf782fec in GetType /home/worker/workspace/build/src/layout/style/nsStyleStruct.h:447:12
#1 0x7f20bf782fec in GetBorderImageRequest /home/worker/workspace/build/src/layout/style/nsStyleStruct.h:1386
#2 0x7f20bf782fec in nsFrame::DidSetStyleContext(nsStyleContext*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:892
#3 0x7f20bf77bfe1 in nsFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsFrame.cpp:606:3
#4 0x7f20bf970191 in nsSplittableFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsSplittableFrame.cpp:22:3
#5 0x7f20bf779ce1 in nsContainerFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:58:3
#6 0x7f20bf8dfcad in nsFirstLineFrame::Init(nsIContent*, nsContainerFrame*, nsIFrame*) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1039:3
#7 0x7f20bf5a92d6 in nsCSSFrameConstructor::InitAndRestoreFrame(nsFrameConstructorState const&, nsIContent*, nsContainerFrame*, nsIFrame*, bool) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4966:3
#8 0x7f20bf5ebd76 in nsCSSFrameConstructor::WrapFramesInFirstLineFrame(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsFirstLineFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11007:5
#9 0x7f20bf5aaee5 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10900:5
#10 0x7f20bf5b38d3 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11901:3
#11 0x7f20bf5c26a5 in ConstructNonScrollableBlockWithConstructor /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4943:3
#12 0x7f20bf5c26a5 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4907
#13 0x7f20bf5bdb74 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3880:7
#14 0x7f20bf5c9986 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6189:3
#15 0x7f20bf5aae18 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10685:5
Flags: in-testsuite?
Updated•9 years ago
Comment 1•9 years ago
In a debug build I get this:
Assertion failure: !(mConditionalBits & GetBitForSID(aSID)) (rule node should not have unconditional and conditional style data for a given struct), at layout/style/nsRuleNode.h:190
Perhaps we could fix this by fixing bug 759996?
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Comment 2•8 years ago
This appears to have been fixed by bug 1353312. Was that expected, Cam? If so, would it be worth landing the testcase here as a crashtest still?
INFO: First good revision: c5507f94e8fee7a8c91210d228826cbc3e8eb698
INFO: Last bad revision: f433b516c2d83f8fa93915a8860a9e4e338fb1ea
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f433b516c2d83f8fa93915a8860a9e4e338fb1ea&tochange=c5507f94e8fee7a8c91210d228826cbc3e8eb698
Assignee: nobody → cam
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55:
--- → fixed
status-firefox56:
--- → fixed
status-firefox-esr52:
--- → fixed
Depends on: CVE-2017-7753
Flags: needinfo?(cam)
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
Comment 3•8 years ago
Yes, given the assertion Mats mentions in comment 1 it makes sense that this was fixed by bug 1353312. Landing the test sounds like a good idea.
Flags: needinfo?(cam)
Updated•8 years ago
Flags: needinfo?(ryanvm)
Comment 4•8 years ago
Since bug 1353312 hasn't been opened up yet, and we didn't land a crashtest there yet, I wonder if we should hold off.
Group: core-security
Updated•8 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/47ce033ef46a
Add crashtest. r=me
Updated•6 years ago
Flags: needinfo?(ryanvm)
Flags: in-testsuite?
Flags: in-testsuite+
Comment 7•6 years ago
bugherder