Closed Bug 1452277 Opened 6 years ago Closed 3 years ago

Crash near null [@ Type | nsInlineFrame::ReflowFrames]

Categories

(Core :: Layout, defect, P2)

RESOLVED WORKSFORME

People

(Reporter: truber, Assigned: svoisen)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-dos, testcase, Whiteboard: [sg:dos])

Attachments

(3 files)

Attached file testcase.html
The attached testcase crashes in m-c rev 20180406-be12f52d2f95

==25401==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7f2abb5b4edb bp 0x7ffd05a58510 sp 0x7ffd05a58380 T0)
==25401==The signal is caused by a READ memory access.
==25401==Hint: address points to the zero page.
    #0 0x7f2abb5b4eda in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2801:38
    #1 0x7f2abb5b4eda in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:40
    #2 0x7f2abb5b4eda in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:575
    #3 0x7f2abb5b411c in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsInlineFrame.cpp:407:3
    #4 0x7f2abb5b92ef in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:924:13
    #5 0x7f2abb3ed15d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4156:15
    #6 0x7f2abb3ebb07 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3956:5
    #7 0x7f2abb3e2829 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3830:9
    #8 0x7f2abb3da760 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2814:5
    #9 0x7f2abb3cffe0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2350:7
    #10 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #11 0x7f2abb3e9087 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #12 0x7f2abb3dcf73 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3461:11
    #13 0x7f2abb3da8b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2811:5
    #14 0x7f2abb3cffe0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2350:7
    #15 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #16 0x7f2abb3e9087 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #17 0x7f2abb3dcf73 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3461:11
    #18 0x7f2abb3da8b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2811:5
    #19 0x7f2abb3cffe0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2350:7
    #20 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #21 0x7f2abb3e9087 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #22 0x7f2abb3dcf73 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3461:11
    #23 0x7f2abb3da8b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2811:5
    #24 0x7f2abb3cffe0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2350:7
    #25 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #26 0x7f2abb3e9087 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #27 0x7f2abb3dcf73 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3461:11
    #28 0x7f2abb3da8b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2811:5
    #29 0x7f2abb3cffe0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2350:7
    #30 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #31 0x7f2abb3e9087 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:306:11
    #32 0x7f2abb3dcf73 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3461:11
    #33 0x7f2abb3da8b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2811:5
    #34 0x7f2abb3d25dd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2635:11
    #35 0x7f2abb3c7505 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1223:3
    #36 0x7f2abb42b3d6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #37 0x7f2abb42fb7e in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:767:7
    #38 0x7f2abb4354bf in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:464:19
    #39 0x7f2abb4354bf in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1202
    #40 0x7f2abb42b3d6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #41 0x7f2abb429c22 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:713:5
    #42 0x7f2abb42b3d6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #43 0x7f2abb50b628 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:554:3
    #44 0x7f2abb50cf08 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:711:7
    #45 0x7f2abb510a28 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1054:3
    #46 0x7f2abb3ab35e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #47 0x7f2abb3a9ede in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:335:7
    #48 0x7f2abb1832b1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8825:11
    #49 0x7f2abb198db0 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8998:24
    #50 0x7f2abb1971d3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4327:11
    #51 0x7f2abb1263bd in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5
    #52 0x7f2abb1263bd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1938
    #53 0x7f2abb125a07 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1883:12
    #54 0x7f2abb1307c4 in nsRefreshDriver::FinishedWaitingForTransaction() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2162:5
    #55 0x7f2ab57b4173 in mozilla::layers::ClientLayerManager::DidComposite(unsigned long, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/client/ClientLayerManager.cpp:532:32
    #56 0x7f2ab58d0da3 in mozilla::layers::CompositorBridgeChild::RecvDidComposite(mozilla::layers::LayersId const&, unsigned long const&, mozilla::TimeStamp const&, mozilla::TimeStamp const&) /builds/worker/workspace/build/src/gfx/layers/ipc/CompositorBridgeChild.cpp:544:8
    #57 0x7f2ab47a454a in mozilla::layers::PCompositorBridgeChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PCompositorBridgeChild.cpp:1402:20
    #58 0x7f2ab3f567fe in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #59 0x7f2ab3f53781 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #60 0x7f2ab3f54f7c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #61 0x7f2ab3f555d8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #62 0x7f2ab306f378 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #63 0x7f2ab308b7b0 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #64 0x7f2ab3f5e36a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #65 0x7f2ab3eae139 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #66 0x7f2ab3eae139 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #67 0x7f2ab3eae139 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #68 0x7f2ababdd32a in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #69 0x7f2abec8f43b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:290:30
    #70 0x7f2abee9a5cc in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4834:22
    #71 0x7f2abee9d70d in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4979:8
    #72 0x7f2abee9ebd4 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:5071:21
    #73 0x4f4ef5 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:231:22
    #74 0x4f4ef5 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:304
    #75 0x7f2ad233df49 in __libc_start_main (/usr/lib/libc.so.6+0x20f49)
    #76 0x42476c in _start (/home/truber/builds/m-c-1523047894-fuzzing-asan-opt/firefox+0x42476c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2801:38 in Type
Flags: in-testsuite?
With great help from :heycam, this is the smallest subset of attachment 8965861 that still crashes, but with hopefully fewer red herrings.

Note that the crash was at a different spot but for the same apparent reason (dangling placeholder). So once a fix is available, it should be tested against both test files, in case they actually reveal different issues!
Attached file 1452277-analysis.txt
Here's as much information as I could gather, using attachment 8971154 in a Linux VM.
Captured in rr, so I can easily come back to it and get more information as requested.

I've summarized 4 major steps leading to the crash (I'll use the last 4 hex digits of object addresses to identify them):
1. Before reflow. We have a small frame tree, with placeholder 80e8 pointing at oof div 8038.
2. Reflow created some columns, but now it's about to destroy column 3, which contains the oof div 8038!
3. The oof div 8038 is gone, placeholder 80e8 points at nothing.
4. A bit later during the paint, the oof div 8038 is accessed without checking that it's there -> Crash.

I was thinking that the placeholder was not correctly removed as it should be, there's a comment in the code about that (which I can't find anymore right now).

:heycam suggested that the problem may be the decision to destroy the column; maybe it didn't take into account the presence of the oof div?

I'd be happy to keep digging, but I would appreciate some help in directing my search. Or someone who knows better may just take over if that makes more sense. TIA.
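The four steps in the comment above, as an added toy model in C++ (not Gecko code; every type and function name here is constructed): an out-of-flow frame destroyed together with its column detaches from its placeholder, and the step-4 reader then either dereferences the null back pointer, which is the zero-page read in the ASan report, or checks it first.

```cpp
#include <cstddef>
#include <memory>
#include <utility>
#include <vector>

enum class FrameType { Block, Inline, Letter, OutOfFlow };

struct Frame;

// A placeholder sits in the in-flow content and points at its out-of-flow frame
// (the "placeholder 80e8 -> oof div 8038" link of step 1). It does not own it.
struct Placeholder {
    Frame* outOfFlow = nullptr;
};

struct Frame {
    FrameType type;
    Placeholder* placeholder = nullptr;  // set on out-of-flow frames only
    explicit Frame(FrameType t) : type(t) {}
    // Detach on destruction so the placeholder never keeps a freed address.
    // Without this line the bug is a use-after-free instead of a null deref.
    ~Frame() { if (placeholder) placeholder->outOfFlow = nullptr; }
};

// A column owns the frames placed in it; destroying the column destroys them.
struct Column {
    std::vector<std::unique_ptr<Frame>> children;
};

// Step 4 as the crashing path reads it: Type() through the placeholder's pointer.
// With outOfFlow == nullptr this reads a small offset from address 0, which is the
// "address points to the zero page" SEGV in the ASan report above.
bool isLetterFrameUnchecked(const Placeholder& ph) {
    return ph.outOfFlow->type == FrameType::Letter;  // undefined when detached
}

// Hardened form: a detached placeholder stands for "no frame here".
bool isLetterFrameChecked(const Placeholder& ph) {
    return ph.outOfFlow != nullptr && ph.outOfFlow->type == FrameType::Letter;
}

// Replays steps 1-3: build three columns, put the out-of-flow frame in column 3,
// destroy column 3. Returns true if the placeholder ends up detached (nullptr)
// rather than dangling, i.e. the state the analysis describes at step 3.
bool placeholderDetachedAfterColumnDestroy() {
    Placeholder ph;
    std::vector<std::unique_ptr<Column>> columns;
    for (int i = 0; i < 3; ++i) columns.push_back(std::make_unique<Column>());
    auto oof = std::make_unique<Frame>(FrameType::OutOfFlow);
    oof->placeholder = &ph;
    ph.outOfFlow = oof.get();
    columns[2]->children.push_back(std::move(oof));  // column 3 holds the oof div
    columns.erase(columns.begin() + 2);              // step 2: column 3 destroyed
    return ph.outOfFlow == nullptr;                  // step 3: points at nothing
}
```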
David, :heycam suggested I ask you about this, if you can help or find someone else who could.

Would you have any suggestion on how to continue debugging?
Maybe: What you would expect to happen with OOF frames across columns?
Flags: needinfo?(dbaron)
I think there's more to talk about here than I can fit in a bugzilla comment, and we should probably find a half an hour to chat sometime -- preferably today (i.e., in about 2-3 hours, given our timezones) or tomorrow (24 hours later than that).
Flags: needinfo?(gsquelart)
Assignee: nobody → gsquelart
Flags: needinfo?(gsquelart)
Flags: needinfo?(dbaron)
Priority: -- → P2
For curious followers of this bug:
I've discussed with David (and Cameron), he's given good information about reflow around columns/pages, and debugging tips, so I'll continue the bug hunt...
Didn't get it done, sorry.
Someone better acquainted should take a look. Assigning to Sean for triage.
Assignee: gsquelart → svoisen
Keywords: csectype-dos
Whiteboard: [sg:dos]

Following the reporter's steps I am able to confirm that the issue doesn't happen anymore on Windows 10 and macOS 10.15 on any of the current versions of Firefox Nightly 87.0a1 (2021-02-16), beta 86.0 and release 85.0.2. The example test cases don't crash Firefox anymore.

Closing this issue as Resolved > Worksforme.
Feel free to re-open or file a new bug if this issue reoccurs.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → WORKSFORME