Open Bug 1421053 Opened 7 years ago Updated 2 years ago

Null deref crash [@ nsFrameList::DestroyFrame]

Categories: Core :: Layout, defect, P3
Tracking Status: firefox59 --- affected
People: Reporter: truber, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Keywords: crash, csectype-nullptr, testcase
Attachments: 1 file

Attached file testcase.html
The attached testcase causes a null deref crash in m-c rev 20171127-cffc92876737.

==24702==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7f2f6c4b8896 bp 0x7fff18f87730 sp 0x7fff18f872c0 T0)
==24702==The signal is caused by a READ memory access.
==24702==Hint: address points to the zero page.
    #0 0x7f2f6c4b8895 in GetNextSibling /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:1664:45
    #1 0x7f2f6c4b8895 in RemoveFrame /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:82
    #2 0x7f2f6c4b8895 in nsFrameList::DestroyFrame(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsFrameList.cpp:139
    #3 0x7f2f6c4fb424 in RemoveFrame /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:111:19
    #4 0x7f2f6c4fb424 in nsBlockFrame::DoRemoveOutOfFlowFrame(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:5530
    #5 0x7f2f6c4fa6b6 in nsBlockFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:5305:5
    #6 0x7f2f6c359d36 in nsFrameManager::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:535:18
    #7 0x7f2f6c6d2b4b in nsPlaceholderFrame::DestroyFrom(nsIFrame*, mozilla::layout::PostFrameDestroyData&) /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.cpp:194:11
    #8 0x7f2f6c53c2b4 in Destroy /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:695:5
    #9 0x7f2f6c53c2b4 in nsContainerFrame::RemoveFrame(mozilla::layout::FrameChildListID, nsIFrame*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:171
    #10 0x7f2f6c356ce1 in RemoveFrame /builds/worker/workspace/build/src/layout/base/nsFrameManager.cpp:535:18
    #11 0x7f2f6c356ce1 in nsCSSFrameConstructor::ContentRemoved(nsIContent*, nsIContent*, nsIContent*, nsCSSFrameConstructor::RemoveFlags) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:8696
    #12 0x7f2f6c341b99 in nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9896:7
    #13 0x7f2f6c25df5d in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1523:25
    #14 0x7f2f6c2ddf43 in mozilla::ServoRestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1159:9
    #15 0x7f2f6c297428 in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/ServoRestyleManager.cpp:1235:3
    #16 0x7f2f6c297428 in ProcessPendingRestyles /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RestyleManagerInlines.h:44
    #17 0x7f2f6c297428 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4219
Flags: in-testsuite?
Priority: -- → P3
This is another instance of bug 1404324, that is, frame destruction code looking at the style of the frame and ::first-line restyling breaking assumptions about it...

I guess we can avoid reparenting out-of-flows for this and other cases, that would additionally match Blink and WebKit...
See Also: → 1404324
And the real fix for this I guess is bug 1404006, which makes the rule tree really immutable... That or rewriting ::first-line, of course...
Depends on: 1404006
No longer depends on: 1404006
See Also: → 1658756
QA Whiteboard: qa-not-actionable
Severity: critical → S2

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Severity: S2 → S3