1346454 - Null deref [@ nsContainerFrame::RenumberFrameAndDescendants]

Status: RESOLVED FIXED

(Core :: Layout, defect, P3)

Description

[Jesse Schwartzentruber (:truber)]

Attachment: testcase.html

The attached test case crashes in mozilla-central rev 92c5b7bcd598.

==17367==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f3989461d58 bp 0x7ffdcc141690 sp 0x7ffdcc141630 T0)
    #0 0x7f3989461d57 in nsContainerFrame::RenumberFrameAndDescendants(int*, int, int, bool) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1920:15
    #1 0x7f398942b2d5 in nsBlockFrame::RenumberChildFrames(int*, int, int, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7093:9
    #2 0x7f39893e06bf in nsContainerFrame::RenumberList() /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1859:10
    #3 0x7f39893e5a82 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:11
92:7

Comment 1

[Jesse Schwartzentruber (:truber)]

Attachment: log.txt

Comment 2

[Ryan VanderMeulen [:RyanVM]]

Regression range:
INFO: Last good revision: 840cfd5bc971 (2015-03-24)
INFO: First bad revision: 5330c6f461a4 (2015-03-25)
INFO: Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=840cfd5bc971&tochange=5330c6f461a4

Fix range:
INFO: First good revision: d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e
INFO: Last bad revision: e6e712904806da25a9c8f48ea4533abe7c6ea8f4
INFO: Pushlog:
https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=e6e712904806da25a9c8f48ea4533abe7c6ea8f4&tochange=d6bf703c5deaf1e328babd03d5e68ff2a4ffe10e

Fixed by bug 1308876. NI myself to land a crashtest.

Comment 3

[Pulsebot]

Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/be4d5678923c
Add crashtest. r=me

Comment 4

[Ryan VanderMeulen [:RyanVM]]

Bah, this actually still fails intermittently. Backing out and reopening the bug :(
https://treeherder.mozilla.org/logviewer.html#?job_id=136236648&repo=try

Comment 5

[Pulsebot]

Backout by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/f2b1253de1e6
Backed out changeset be4d5678923c for intermittent crashes.

Comment 6

[Jesse Schwartzentruber (:truber)]

Attachment: testcase2.html

Another simpler testcase.

Comment 7

[Ryan VanderMeulen [:RyanVM]]

Testcase #2 indeed does reproduce more reliably.

Regression range:
INFO: Last good revision: 179e29a23c56 (2013-05-11)
INFO: First bad revision: d68224f5325b (2013-05-12)
INFO: Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=179e29a23c56&tochange=d68224f5325b

Bug 828312 looks like the culprit. On builds from around the time of the initial regression, the crash is on a line touched by part 2 specifically.

Comment 8

[Firefox Bug Husbandry Bot]

https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Move_fix-optionals

Comment 9

[Darkspirit]

attachment 8846200 [details] = bp-52fe6ee3-c34c-4dd2-bc52-c11200180609
attachment 8919860 [details] = bp-6a32ae17-42da-4b02-a24b-d0b210180609

Comment 10

[Brian Carpenter [:geeknik]]

While fuzzing Firefox 63.0.3 on Windows 10, I encountered this crash. I verified that it still happens in Firefox Nightly (Build ID 20181210095504):

=================================================================
==6620==ERROR: AddressSanitizer: access-violation on unknown address 0x000000000000 (pc 0x7ffecd978dfc bp 0x0000000002a0 sp 0x0012f43f4920 T0)
==6620==The signal is caused by a READ memory access.
==6620==Hint: address points to the zero page.
    #0 0x7ffecd978dfb in nsContainerFrame::RenumberFrameAndDescendants(int *,int,int,bool) z:\build\build\src\layout\generic\nsContainerFrame.cpp:1795
    #1 0x7ffecd937885 in nsBlockFrame::RenumberChildFrames(int *,int,int,bool) z:\build\build\src\layout\generic\nsBlockFrame.cpp:6845
    #2 0x7ffecd8e4368 in nsContainerFrame::RenumberList(void) z:\build\build\src\layout\generic\nsContainerFrame.cpp:1734
    #3 0x7ffecd90e910 in nsBlockFrame::AttributeChanged(int,class nsAtom *,int) z:\build\build\src\layout\generic\nsBlockFrame.cpp:2996
    #4 0x7ffecd65b3b7 in mozilla::RestyleManager::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\layout\base\RestyleManager.cpp:3280
    #5 0x7ffecd65adc0 in mozilla::PresShell::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\layout\base\PresShell.cpp:4182
    #6 0x7ffec6c7787b in nsNodeUtils::AttributeChanged(class mozilla::dom::Element *,int,class nsAtom *,int,class nsAttrValue const *) z:\build\build\src\dom\base\nsNodeUtils.cpp:157
    #7 0x7ffec68bada0 in mozilla::dom::Element::SetAttrAndNotify(int,class nsAtom *,class nsAtom *,class nsAttrValue const *,class nsAttrValue &,class nsIPrincipal *,unsigned char,bool,bool,bool,class nsIDocument *,class mozAutoDocUpdate const &) z:\build\build\src\dom\base\Element.cpp:2474
    #8 0x7ffec68b0f51 in mozilla::dom::Element::SetAttr(int,class nsAtom *,class nsAtom *,class nsTSubstring<UNKNOWN> const &,class nsIPrincipal *,bool) z:\build\build\src\dom\base\Element.cpp:2321
    #9 0x7ffec9defaf8 in mozilla::dom::HTMLLIElement_Binding::set_value z:\build\build\src\obj-firefox\dom\bindings\HTMLLIElementBinding.cpp:63
    #10 0x7ffeca34cf27 in mozilla::dom::binding_detail::GenericSetter<struct mozilla::dom::binding_detail::NormalThisPolicy>(struct JSContext *,unsigned int,union JS::Value *) z:\build\build\src\dom\bindings\BindingUtils.cpp:3015
    #11 0x7ffed1a9a501 in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:535
    #12 0x7ffed1aa064f in js::CallSetter(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:744
    #13 0x7ffed211fdd9 in SetExistingProperty z:\build\build\src\js\src\vm\NativeObject.cpp:2945
    #14 0x7ffed20e4f84 in js::NativeSetProperty<1>(struct JSContext *,class JS::Handle<class js::NativeObject *>,class JS::Handle<struct JS::PropertyKey>,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::ObjectOpResult &) z:\build\build\src\js\src\vm\NativeObject.cpp:2974
    #15 0x7ffed1a6558b in Interpret z:\build\build\src\js\src\vm\Interpreter.cpp:3098
    #16 0x7ffed1a5d80c in js::RunScript(struct JSContext *,class js::RunState &) z:\build\build\src\js\src\vm\Interpreter.cpp:423
    #17 0x7ffed1a9ae4e in js::InternalCallOrConstruct(struct JSContext *,class JS::CallArgs const &,enum js::MaybeConstruct) z:\build\build\src\js\src\vm\Interpreter.cpp:563
    #18 0x7ffed1a9d365 in InternalCall z:\build\build\src\js\src\vm\Interpreter.cpp:590
    #19 0x7ffed1a9d596 in js::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class js::AnyInvokeArgs const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\vm\Interpreter.cpp:606
    #20 0x7ffed2645cca in JS::Call(struct JSContext *,class JS::Handle<union JS::Value>,class JS::Handle<union JS::Value>,class JS::HandleValueArray const &,class JS::MutableHandle<union JS::Value>) z:\build\build\src\js\src\jsapi.cpp:2651
    #21 0x7ffec950848f in mozilla::dom::EventHandlerNonNull::Call(struct JSContext *,class JS::Handle<union JS::Value>,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &) z:\build\build\src\obj-firefox\dom\bindings\EventHandlerBinding.cpp:265
    #22 0x7ffecabf443e in mozilla::dom::EventHandlerNonNull::Call<class nsISupports *>(class nsISupports * const &,class mozilla::dom::Event &,class JS::MutableHandle<union JS::Value>,class mozilla::ErrorResult &,char const *,enum mozilla::dom::CallbackObject::ExceptionHandling,class JS::Realm *) z:\build\build\src\obj-firefox\dist\include\mozilla\dom\EventHandlerBinding.h:363
    #23 0x7ffecabf14de in mozilla::JSEventHandler::HandleEvent(class mozilla::dom::Event *) z:\build\build\src\dom\events\JSEventHandler.cpp:205
    #24 0x7ffecabb07bf in mozilla::EventListenerManager::HandleEventSubType(struct mozilla::EventListenerManager::Listener *,class mozilla::dom::Event *,class mozilla::dom::EventTarget *) z:\build\build\src\dom\events\EventListenerManager.cpp:1044
    #25 0x7ffecabb27c5 in mozilla::EventListenerManager::HandleEventInternal(class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event * *,class mozilla::dom::EventTarget *,enum nsEventStatus *,bool) z:\build\build\src\dom\events\EventListenerManager.cpp:1238
    #26 0x7ffecab950e2 in mozilla::EventTargetChainItem::HandleEvent(class mozilla::EventChainPostVisitor &,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:346
    #27 0x7ffecab9332a in mozilla::EventTargetChainItem::HandleEventTargetChain(class nsTArray<class mozilla::EventTargetChainItem> &,class mozilla::EventChainPostVisitor &,class mozilla::EventDispatchingCallback *,class mozilla::ELMCreationDetector &) z:\build\build\src\dom\events\EventDispatcher.cpp:548
    #28 0x7ffecab98a90 in mozilla::EventDispatcher::Dispatch(class nsISupports *,class nsPresContext *,class mozilla::WidgetEvent *,class mozilla::dom::Event *,enum nsEventStatus *,class mozilla::EventDispatchingCallback *,class nsTArray<class mozilla::dom::EventTarget *> *) z:\build\build\src\dom\events\EventDispatcher.cpp:1038
    #29 0x7ffecd769577 in nsDocumentViewer::LoadComplete(enum nsresult) z:\build\build\src\layout\base\nsDocumentViewer.cpp:1102
    #30 0x7ffed0b486cd in nsDocShell::EndPageLoad(class nsIWebProgress *,class nsIChannel *,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:6726
    #31 0x7ffed0b439ba in nsDocShell::OnStateChange(class nsIWebProgress *,class nsIRequest *,unsigned int,enum nsresult) z:\build\build\src\docshell\base\nsDocShell.cpp:6525
    #32 0x7ffec5166779 in nsDocLoader::DoFireOnStateChange(class nsIWebProgress * const,class nsIRequest * const,int &,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:1235
    #33 0x7ffec516557c in nsDocLoader::doStopDocumentLoad(class nsIRequest *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:794
    #34 0x7ffec51616e0 in nsDocLoader::DocLoaderIsEmpty(bool) z:\build\build\src\uriloader\base\nsDocLoader.cpp:693
    #35 0x7ffec5163c2e in nsDocLoader::OnStopRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\uriloader\base\nsDocLoader.cpp:589
    #36 0x7ffec30a61fc in mozilla::net::nsLoadGroup::RemoveRequest(class nsIRequest *,class nsISupports *,enum nsresult) z:\build\build\src\netwerk\base\nsLoadGroup.cpp:586
    #37 0x7ffec6b342b2 in nsDocument::UnblockOnload(bool) z:\build\build\src\dom\base\nsDocument.cpp:7733
    #38 0x7ffecab1a464 in mozilla::LoadBlockingAsyncEventDispatcher::~LoadBlockingAsyncEventDispatcher(void) z:\build\build\src\dom\events\AsyncEventDispatcher.cpp:117
    #39 0x7ffec67c4d8f in mozilla::LoadBlockingAsyncEventDispatcher::`scalar deleting destructor'(unsigned int) z:\build\build\src\obj-firefox\dist\include\mozilla\AsyncEventDispatcher.h:153
    #40 0x7ffec2e4c7af in mozilla::net::AltSvcOverride::Release(void) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:49
    #41 0x7ffec2e0bb87 in mozilla::SchedulerGroup::Runnable::Run(void) z:\build\build\src\xpcom\threads\SchedulerGroup.cpp:303
    #42 0x7ffec2e3b685 in nsThread::ProcessNextEvent(bool,bool *) z:\build\build\src\xpcom\threads\nsThread.cpp:1157
    #43 0x7ffec2e43f68 in NS_ProcessNextEvent(class nsIThread *,bool) z:\build\build\src\xpcom\threads\nsThreadUtils.cpp:468
    #44 0x7ffec3eff979 in mozilla::ipc::MessagePump::Run(class base::MessagePump::Delegate *) z:\build\build\src\ipc\glue\MessagePump.cpp:88
    #45 0x7ffec3e5face in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:307
    #46 0x7ffec3e5f856 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:289
    #47 0x7ffecce6d9ea in nsBaseAppShell::Run(void) z:\build\build\src\widget\nsBaseAppShell.cpp:137
    #48 0x7ffeccffd9b7 in nsAppShell::Run(void) z:\build\build\src\widget\windows\nsAppShell.cpp:409
    #49 0x7ffed17cec9d in XRE_RunAppShell(void) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:915
    #50 0x7ffec3e5face in MessageLoop::RunHandler(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:307
    #51 0x7ffec3e5f856 in MessageLoop::Run(void) z:\build\build\src\ipc\chromium\src\base\message_loop.cc:289
    #52 0x7ffed17cdf44 in XRE_InitChildProcess(int,char * * const,struct XREChildData const *) z:\build\build\src\toolkit\xre\nsEmbedFunctions.cpp:753
    #53 0x7ff6a14c1f11  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x140001f11)
    #54 0x7ff6a14c14a1  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x1400014a1)
    #55 0x7ff6a14d0adb  (C:\Program Files\Mozilla Developer Preview\firefox.exe+0x140010adb)
    #56 0x7fff1a2d3033  (C:\Windows\System32\KERNEL32.DLL+0x180013033)
    #57 0x7fff1c621470  (C:\Windows\SYSTEM32\ntdll.dll+0x180071470)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: access-violation z:\build\build\src\layout\generic\nsContainerFrame.cpp:1795 in nsContainerFrame::RenumberFrameAndDescendants(int *,int,int,bool)
==6620==ABORTING

Comment 11

[Brian Carpenter [:geeknik]]

Attachment: My non-minimized testcase created by Domato

Comment 12

[Emilio Cobos Álvarez (:emilio)]

Could you file a different bug for that please? A minimized test-case would be ideal, but not required.

Comment 13

[Liz Henry (:lizzard) (relman/hg->git project)]

Happy to take a patch in nightly 67, or potentially, in beta 66 for this.
I'm marking it fix-optional to remove it from weekly regression triage, since it has a priority assigned.

Comment 14

[Pulsebot]

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/459f39031f71
Add a couple of crashtests.  r=mats DONTBUILD

Comment 15

[Mats Palmgren (inactive)]

The crashing code was removed by bug 288704 so this should be fixed.

Comment 16

[Raul Gurzau (:RaulG)]

https://hg.mozilla.org/mozilla-central/rev/459f39031f71