1419794 - Assertion failure: mPreloadPictureDepth >= 0, at /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9971

Status: NEW

(Core :: DOM: Core & HTML, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 5378dcb45044.

==24382==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f6b5a761780 bp 0x7ffefe6db930 sp 0x7ffefe6db930 T0)
==24382==The signal is caused by a WRITE memory access.
==24382==Hint: address points to the zero page.
    #0 0x7f6b5a76177f in nsDocument::PreloadPictureClosed() /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9971:5
    #1 0x7f6b59971b28 in nsHtml5SpeculativeLoad::Perform(nsHtml5TreeOpExecutor*) /builds/worker/workspace/build/src/parser/html/nsHtml5SpeculativeLoad.cpp:49:18
    #2 0x7f6b599c137b in nsHtml5TreeOpExecutor::RunFlushLoop() /builds/worker/workspace/build/src/parser/html/nsHtml5TreeOpExecutor.cpp:436:15
    #3 0x7f6b599cadb4 in nsHtml5ExecutorFlusher::Run() /builds/worker/workspace/build/src/parser/html/nsHtml5StreamParser.cpp:130:20
    #4 0x7f6b57ff8689 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #5 0x7f6b5802d47f in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #6 0x7f6b5804e8a0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #7 0x7f6b58bf9305 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #8 0x7f6b58b4b257 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #9 0x7f6b58b4b0e9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #10 0x7f6b5d86969a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #11 0x7f6b60c0abf6 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #12 0x7f6b58bf9f25 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:269:9
    #13 0x7f6b58b4b257 in MessageLoop::RunInternal() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #14 0x7f6b58b4b0e9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299:3
    #15 0x7f6b60c0a3d8 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #16 0x4ec36e in content_process_main(mozilla::Bootstrap*, int, char**) /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #17 0x4ec5c9 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280:18
    #18 0x7f6b7738882f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:9971:5 in nsDocument::PreloadPictureClosed()

Comment 1

[Andrew Overholt [:overholt]]

Maybe Edgar knows what's up here?

Comment 2

[Edgar Chen [:edgar]]

Look like the speculative load for <picture> doesn't handle some corner cases well, I will take a look.

Comment 4

[Edgar Chen [:edgar]]

The problem here is that: In the test case, the picture is from document.writeln which is parsed in main thread, so the mSpeculativeLoadStage is null, we don't init the picture to mSpeculativeLoadQueue [1]. But we try to pop it later.

[1] https://searchfox.org/mozilla-central/rev/55da592d85c2baf8d8818010c41d9738c97013d2/parser/html/nsHtml5TreeBuilderCppSupplement.h#1001

Comment 5

[Edgar Chen [:edgar]]

(not actively working on this)

Comment 6

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/rDl-6B3BWow6N2rkILiP7A/index.html