Closed Bug 1343937 Opened 3 years ago Closed 3 years ago

Crash [@HasFlag in nsWrapperCache.h]

Categories

(Core :: Layout, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla55
Tracking Status
firefox52 --- unaffected
firefox-esr52 --- unaffected
firefox53 --- unaffected
firefox54 --- fixed
firefox55 --- fixed

People

(Reporter: jkratzer, Assigned: bholley)

References

(Blocks 1 open bug)

Details

(4 keywords)

Attachments

(4 files)

Attached file testcase
Testcase found by fuzzing mozilla-central rev 20170302-d29f84406483.

ASAN:DEADLYSIGNAL
=================================================================
==20652==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000019 (pc 0x7fa9327a8b3d bp 0x7fffcd3d5370 sp 0x7fffcd3d5220 T0)
    #0 0x7fa9327a8b3c in HasFlag /home/worker/workspace/build/src/obj-firefox/dist/include/nsWrapperCache.h:217:15
    #1 0x7fa9327a8b3c in IsNativeAnonymous /home/worker/workspace/build/src/dom/base/nsINode.h:1199
    #2 0x7fa9327a8b3c in nsCSSFrameConstructor::AddFCItemsForAnonymousContent(nsFrameConstructorState&, nsContainerFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo>&, nsCSSFrameConstructor::FrameConstructionItemList&, unsigned int) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10816
    #3 0x7fa9327a7286 in nsCSSFrameConstructor::BeginBuildingScrollFrame(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, nsIAtom*, bool, nsContainerFrame*&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4578:5
    #4 0x7fa9327add7e in nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, nsStyleContext*)) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4881:7
    #5 0x7fa9327b4937 in nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4862:10
    #6 0x7fa9327b02f9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3881:7
    #7 0x7fa9327bc356 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6209:3
    #8 0x7fa93279d284 in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10705:5
    #9 0x7fa93279d284 in nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, nsStyleContext*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10994
    #10 0x7fa9327a5d43 in nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, nsStyleContext*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:12004:3
    #11 0x7fa9327b4dc5 in ConstructNonScrollableBlockWithConstructor /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4950:3
    #12 0x7fa9327b4dc5 in nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:4914
    #13 0x7fa9327b02f9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3881:7
    #14 0x7fa9327bc356 in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6209:3
    #15 0x7fa9327ca74b in ConstructFramesFromItemList /home/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:10705:5
Flags: in-testsuite?
Seems likely to be a regression from bug 1331322.
Blocks: 1331322
Flags: needinfo?(bobbyholley)
Blocks: 1344261
MozReview-Commit-ID: 3xMjHnVO2Az
MozReview-Commit-ID: 8TbFkirYOy2
MozReview-Commit-ID: IgE5gMbcgc6
r? bz
Flags: needinfo?(bzbarsky)
Comment on attachment 8844339 [details] [diff] [review]
Part 1 - Implement and use GetInFlowParent. v1

You also need to change the GetParent() call in the IsNativeAnonymous() loop in GetCorrectedParent (in nsFrame.cpp).

r=me with that, and ideally with a testcase that catches it.
Attachment #8844339 - Flags: review+
Comment on attachment 8844340 [details] [diff] [review]
Part 2 - Exempt scrollbar NAC from the new NAC semantics. v1

r=me
Attachment #8844340 - Flags: review+
Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

r=me, but again would be good to have a test that exercises the GetCorrectedParent codepath.
Flags: needinfo?(bzbarsky)
Attachment #8844341 - Flags: review+
Please request Aurora approval on this when you get a chance.
Assignee: nobody → bobbyholley
Flags: needinfo?(bobbyholley)
Flags: in-testsuite?
Flags: in-testsuite+
Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

Approval request applies to all the patches in this bug.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1331322
[User impact if declined]: crashes
[Is this code covered by automated tests?]: yes, mostly.
[Has the fix been verified in Nightly?]: No.
[Needs manual test from QE? If yes, steps to reproduce]: Crashtest in the bug should verify. 
[List of other uplifts needed for the feature/fix]: None
[Is the change risky?]: Given where we are in the cycle, no.
[Why is the change risky/not risky?]: Because we just branched to aurora.
[String changes made/needed]: None.
Flags: needinfo?(bobbyholley)
Attachment #8844341 - Flags: approval-mozilla-aurora?
Comment on attachment 8844341 [details] [diff] [review]
Part 3 - Crashtest. v1

Fix a crash. Aurora54+.
Attachment #8844341 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Duplicate of this bug: 1344261
You need to log in before you can comment on or make changes to this bug.