1343937 - Crash [@HasFlag in nsWrapperCache.h]

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase

Testcase found by fuzzing mozilla-central rev 20170302-d29f84406483.

ASAN:DEADLYSIGNAL
=================================================================
==20652==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7fa9327a8b3d bp 0x7fffcd3d5370 sp 0x7fffcd3d5220 T0)
    #0 0x7fa9327a8b3c in HasFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:217:15
    #1 0x7fa9327a8b3c in IsNativeAnonymous /home/worker/workspace/build/src/dom/base/nsINode.h:1199
    #2 0x7fa9327a8b3c in nsCSSFrameConstructor::AddFCItemsForAnonymousContent(nsFrameConstructorState&, nsContainerFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&, nsCSSFrameConstructor::FrameConstructionItemList&, unsigned int) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10816
    #3 0x7fa9327a7286 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4578:5
    #4 0x7fa9327add7e in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4881:7
    #5 0x7fa9327b4937 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4862:10
    #6 0x7fa9327b02f9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3881:7
    #7 0x7fa9327bc356 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6209:3
    #8 0x7fa93279d284 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10705:5
    #9 0x7fa93279d284 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10994
    #10 0x7fa9327a5d43 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12004:3
    #11 0x7fa9327b4dc5 in ConstructNonScrollableBlockWithConstructor /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4950:3
    #12 0x7fa9327b4dc5 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4914
    #13 0x7fa9327b02f9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3881:7
    #14 0x7fa9327bc356 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6209:3
    #15 0x7fa9327ca74b in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10705:5

Comment 1

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Seems likely to be a regression from bug 1331322.

Comment 2

[David Baron :dbaron: (⌚️UTC-4, no longer working on Mozilla)]

Regression range in linux nightlies is:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=6cefe01ca7744d6ac3960c69eac833e2e65f7f8ftochange=d11c29c1db3a1bc96ad5792ebf8a89b2fbadcf85
which agrees with that regression candidate.

Comment 3

[Bobby Holley (:bholley)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=68ef46f989324348030d528661438c293b6a8362

Comment 4

[Bobby Holley (:bholley)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=123ded95cf8ae7688a217d04c4eeda89f3f32917

Comment 5

[Bobby Holley (:bholley)]

Attachment: Part 1 - Implement and use GetInFlowParent. v1

MozReview-Commit-ID: 3xMjHnVO2Az

Comment 6

[Bobby Holley (:bholley)]

Attachment: Part 2 - Exempt scrollbar NAC from the new NAC semantics. v1

MozReview-Commit-ID: 8TbFkirYOy2

Comment 7

[Bobby Holley (:bholley)]

Attachment: Part 3 - Crashtest. v1

MozReview-Commit-ID: IgE5gMbcgc6

Comment 8

[Bobby Holley (:bholley)]

r? bz

Comment 9

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8844339 [details] [diff] [review]
Part 1 - Implement and use GetInFlowParent. v1

You also need to change the GetParent() call in the IsNativeAnonymous() loop in GetCorrectedParent (in nsFrame.cpp).

r=me with that, and ideally with a testcase that catches it.

Comment 10

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8844340 [details] [diff] [review]
Part 2 - Exempt scrollbar NAC from the new NAC semantics. v1

r=me

Comment 11

[Boris Zbarsky [:bzbarsky]]

Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

r=me, but again would be good to have a test that exercises the GetCorrectedParent codepath.

Comment 12

[Pulsebot]

Pushed by bholley@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ea38b28d4a65
Implement and use GetInFlowParent. r=bz
https://hg.mozilla.org/integration/autoland/rev/3880ea31eac1
Exempt scrollbar NAC from the new NAC semantics. r=bz
https://hg.mozilla.org/integration/autoland/rev/e1a8167f17dd
Crashtest. r=bz

Comment 13

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/ea38b28d4a65
https://hg.mozilla.org/mozilla-central/rev/3880ea31eac1
https://hg.mozilla.org/mozilla-central/rev/e1a8167f17dd

Comment 14

[Ryan VanderMeulen [:RyanVM]]

Please request Aurora approval on this when you get a chance.

Comment 15

[Bobby Holley (:bholley)]

Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

Approval request applies to all the patches in this bug.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1331322
[User impact if declined]: crashes
[Is this code covered by automated tests?]: yes, mostly.
[Has the fix been verified in Nightly?]: No.
[Needs manual test from QE? If yes, steps to reproduce]: Crashtest in the bug should verify. 
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Given where we are in the cycle, no.
[Why is the change risky/not risky?]: Because we just branched to aurora.
[String changes made/needed]: None.

Comment 16

[Gerry Chang [:gchang]]

Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

Fix a crash. Aurora54+.

Comment 17

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/releases/mozilla-aurora/rev/b0b722203146
https://hg.mozilla.org/releases/mozilla-aurora/rev/6f8a81f23256
https://hg.mozilla.org/releases/mozilla-aurora/rev/b9e3abb24bed