1375595 - Crash [@GetWritingMode]

Status: RESOLVED WORKSFORME

(Core :: Layout, defect, P2)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 20170621-2b07ef4f3381.

ASAN:DEADLYSIGNAL
=================================================================
==2011==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000064 (pc 0x7f5a84b2e3a9 bp 0x7ffebb836510 sp 0x7ffebb836040 T0)
==2011==The signal is caused by a READ memory access.
==2011==Hint: address points to the zero page.
    #0 0x7f5a84b2e3a8 in GetWritingMode /home/worker/workspace/build/src/layout/generic/nsIFrame.h:874:56
    #1 0x7f5a84b2e3a8 in NewPerFrameData /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:666
    #2 0x7f5a84b2e3a8 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:792
    #3 0x7f5a849ed4fe in nsFirstLetterFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsFirstLetterFrame.cpp:245:9
    #4 0x7f5a84b2fbbe in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
    #5 0x7f5a84b2db32 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:798:15
    #6 0x7f5a84b2bf76 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:681:7
    #7 0x7f5a84b342e6 in nsFirstLineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:1209:3
    #8 0x7f5a84b2fbbe in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /home/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:921:13
    #9 0x7f5a8499c5f4 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4218:15
    #10 0x7f5a8499b08b in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4014:5
    #11 0x7f5a84992649 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3888:9
    #12 0x7f5a8498bc08 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2874:5
    #13 0x7f5a84982cfc in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2695:11
    #14 0x7f5a84977db0 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1231:3
    #15 0x7f5a849d40da in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /home/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:932:14
    #16 0x7f5a849d910b in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:772:7
    #17 0x7f5a849dd695 in ReflowColumns /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:476:19
    #18 0x7f5a849dd695 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData&, mozilla::ReflowOutput&, nsCollapsingMargin&, bool&, bool&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1108
    #19 0x7f5a849de779 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /home/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1217:5
    #20 0x7f5a8499848d in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /home/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11

Comment 1

[Mats Palmgren (inactive)]

WFM, using a local Linux64 Asan Opt build.  I see the assertion reported
in bug 407550 in a debug build, but no crash.

Comment 2

[Astley Chen (inactive)]

Tested on Windows 10/macOS/Linux builds and see no crash.