1419991 - Crash near null [@ mozilla::layout::FrameChildListIterator::FrameChildListIterator]

Status: RESOLVED FIXED

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: trigger.html

Testcase found while fuzzing mozilla-central rev 960f50c2e0a9.

==9451==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fcb86579dd2 bp 0x7ffc0e240b90 sp 0x7ffc0e240b90 T0)
==9451==The signal is caused by a READ memory access.
==9451==Hint: address points to the zero page.
    #0 0x7fcb86579dd1 in mozilla::layout::FrameChildListIterator::FrameChildListIterator(nsIFrame const*) /builds/worker/workspace/build/src/layout/generic/FrameChildList.cpp:17:11
    #1 0x7fcb8646e5a5 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:599:31
    #2 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #3 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #4 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #5 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #6 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #7 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #8 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #9 0x7fcb8646e729 in nsFrameManager::CaptureFrameState(nsIFrame*, nsILayoutHistoryState*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:611:7
    #10 0x7fcb863a424c in mozilla::PresShell::CaptureHistoryState(nsILayoutHistoryState**) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:3899:22
    #11 0x7fcb89801695 in nsDocShell::PersistLayoutHistoryState() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:13073:19
    #12 0x7fcb897aea58 in nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6053:3
    #13 0x7fcb89801b5f in non-virtual thunk to nsDocShell::Destroy() /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #14 0x7fcb89d757c5 in nsWebBrowser::SetDocShell(nsIDocShell*) /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1711:23
    #15 0x7fcb89d74cbc in nsWebBrowser::InternalDestroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:94:3
    #16 0x7fcb89d83a52 in nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp:1305:3
    #17 0x7fcb89d83cbc in non-virtual thunk to nsWebBrowser::Destroy() /builds/worker/workspace/build/src/toolkit/components/browser/nsWebBrowser.cpp
    #18 0x7fcb8537f866 in mozilla::dom::TabChild::DestroyWindow() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:1094:21
    #19 0x7fcb8539469c in mozilla::dom::TabChild::RecvDestroy() /builds/worker/workspace/build/src/dom/ipc/TabChild.cpp:2644:3
    #20 0x7fcb7ff0359b in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:4626:20
    #21 0x7fcb8008e2ac in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PContentChild.cpp:4930:28
    #22 0x7fcb7f85536e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2114:25
    #23 0x7fcb7f8523e7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2044:17
    #24 0x7fcb7f853aec in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1890:5
    #25 0x7fcb7f854148 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1923:15
    #26 0x7fcb7e9b6444 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:396:25
    #27 0x7fcb7e9dcb44 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1037:14
    #28 0x7fcb7e9f86c0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:513:10
    #29 0x7fcb7f85d194 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:125:5
    #30 0x7fcb7f7b9bb9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #31 0x7fcb7f7b9bb9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #32 0x7fcb7f7b9bb9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #33 0x7fcb85b8f70a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:159:27
    #34 0x7fcb8a2bceab in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:877:22
    #35 0x7fcb7f7b9bb9 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #36 0x7fcb7f7b9bb9 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #37 0x7fcb7f7b9bb9 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #38 0x7fcb8a2bc8b7 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:703:34
    #39 0x4ee9f5 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:63:30
    #40 0x4ee9f5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #41 0x7fcb9d7c082f in __libc_start_main /build/glibc-bfm8X4/glibc-2.23/csu/../csu/libc-start.c:291

Comment 1

[Tyson Smith [:tsmith]]

This test case also triggers:

Assertion failure: nullptr != aFrame && nullptr != aState (null parameters passed in), at /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:161

Comment 2

[Daniel Holbert [:dholbert]]

I think this has become WORKSFORME (and just needs its testcase to be checked in as a crashtest, if we can get it to a form that can be confirmed to crash when loaded in an affected build).

I can make the attached testcase crash in Nightly 2017-11-22 if I load the testcase and then reload. It never crashes for me on first load, though (I tried a few times). This might make it uncooperative as a useful crashtest (i.e. it might not reproduce the crash even in affected builds), but I'm not sure how much to hand-wring about that.

In any case: given that this is already fixed, the remaining work here isn't really severity:critical --> reclassifying this as S3.

Comment 3

[Daniel Holbert [:dholbert]]

Fix range is https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=3f72a81bd12cb6048f03a96e5b403621f7fac052&tochange=18ebd4ba014899c21b44a6312c8870d45a0cf0c2

In that range, this would probably have been "fixed" by:

Bug 1308636 Part 3 - Remove moz-prefixed aliases for column-gap and CSS multi-column properties.

...which is a hint that this may still be an issue and we just need an updated testcase without the -moz prefix...

Comment 4

[Daniel Holbert [:dholbert]]

Attachment: testcase 2 (with unprefixed 'column' styling added)

Comment 5

[Daniel Holbert [:dholbert]]

With the updated "testcase 2" (where I added unprefixed multicol styling), mozregression --find-fix gives me this fix range:
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=a812a52adea843ccf7986746c78923262b07d37d&tochange=f4b357295aa3b4c3f143bcfb52f719f966724a69

So this seems to have been fixed by Bug 1663232.

(Note: my STR here with the new testcase are: open a new tab, paste the testcase's URL into the URLbar, hit enter to load it once, and then reload with Ctrl+R. In affected builds, this gives me the tab-crashed UI. In fixed builds, the testcase just reloads as-expected. It's notably not necessarily sufficient to simply click on the testcase from e.g. this bug report, since that opens a new tab which then closes itself via the window.close() invocation in the testcase's JS; and that doesn't give you a chance to reload, which seems to be a requirement of the crash.)