1344210 - Crash [@nsStyleBorder::CalcDifference]

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase

Testcase found by fuzzing on mozilla-central rev 20170302-d29f84406483.

This may be related to bug 1341319.

ASAN:DEADLYSIGNAL
=================================================================
==29908==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f37e51b9cfa bp 0x7fff76ddc650 sp 0x7fff76ddc540 T0)
    #0 0x7f37e51b9cf9 in nsStyleBorder::CalcDifference(nsStyleBorder const&) const /home/worker/workspace/build/src/layout/style/nsStyleStruct.cpp:449:34
    #1 0x7f37e5187dae in nsChangeHint nsStyleContext::CalcStyleDifferenceInternal<nsStyleContext>(nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/style/nsStyleContext.cpp:1140:3
    #2 0x7f37e526814d in mozilla::ElementRestyler::CaptureChange(nsStyleContext*, nsStyleContext*, nsChangeHint, unsigned int*, unsigned int*) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1266:5
    #3 0x7f37e5270811 in mozilla::ElementRestyler::RestyleSelf(nsIFrame*, nsRestyleHint, unsigned int*, nsTArray<mozilla::ElementRestyler::SwapInstruction>&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2653:7
    #4 0x7f37e526c557 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1807:7
    #5 0x7f37e5276fb7 in mozilla::ElementRestyler::RestyleContentChildren(nsIFrame*, nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3407:13
    #6 0x7f37e52741cd in mozilla::ElementRestyler::RestyleChildren(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:2928:7
    #7 0x7f37e526cdd8 in mozilla::ElementRestyler::Restyle(nsRestyleHint) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:1961:5
    #8 0x7f37e5279b64 in mozilla::ElementRestyler::ComputeStyleChangeFor(nsIFrame*, nsStyleChangeList*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&, nsTArray<mozilla::ElementRestyler::ContextToClear>&, nsTArray<RefPtr<nsStyleContext> >&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3071:7
    #9 0x7f37e5261d24 in mozilla::GeckoRestyleManager::ComputeAndProcessStyleChange(nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:3482:3
    #10 0x7f37e5261214 in mozilla::GeckoRestyleManager::RestyleElement(mozilla::dom::Element*, nsIFrame*, nsChangeHint, mozilla::RestyleTracker&, nsRestyleHint, mozilla::RestyleHintData const&) /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:152:5
    #11 0x7f37e52ee16e in ProcessOneRestyle /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:95:5
    #12 0x7f37e52ee16e in mozilla::RestyleTracker::DoProcessRestyles() /home/worker/workspace/build/src/layout/base/RestyleTracker.cpp:262
    #13 0x7f37e526551f in ProcessRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/GeckoRestyleManager.h:386:7
    #14 0x7f37e526551f in mozilla::GeckoRestyleManager::ProcessPendingRestyles() /home/worker/workspace/build/src/layout/base/GeckoRestyleManager.cpp:505
    #15 0x7f37e52b1c10 in ProcessPendingRestyles /home/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44:3

Comment 1

[Ryan VanderMeulen [:RyanVM]]

Fixed by bug 1353312.

Comment 2

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/65efa871564c
Add crashtest. r=me

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/65efa871564c