Bug 1453670
Opened 6 years ago
Closed 6 years ago
SEGV in IncrementPaintCount
Categories: Core :: Web Painting, defect, P1
Status: RESOLVED WORKSFORME

Branch | Tracking | Status
---|---|---
firefox-esr52 | --- | unaffected
firefox-esr60 | --- | disabled
firefox60 | --- | disabled
firefox61 | --- | fixed
firefox62 | --- | fixed
People: Reporter: nils, Assigned: mikokm
References: Blocks 1 open bug
Details: Keywords: csectype-nullptr, sec-low
Attachments: 2 files
The following testcase crashes the latest ASAN build of Firefox 61.0a1.

crash.html:

```html
<script>
function spin() {
  // A synchronous XHR spins the event loop, so pending refresh/paint work runs
  // from inside the DOMAttrModified handler below.
  var x = new XMLHttpRequest();
  x.open("POST", "https://mozilla.org", false);
  try { x.send("X"); } catch (e) {}
}
function start() {
  o13 = document.createElement('iframe');
  o15 = document.createRange();
  document.documentElement.appendChild(o13);
  o16 = document.createElement('link');
  document.documentElement.appendChild(o16);
  o15.setStartBefore(o16);
  o27 = document.createElement('iframe');
  o42 = document.createElement('marquee');
  o42.addEventListener('DOMAttrModified', fun0);
  document.documentElement.appendChild(o27);
  document.documentElement.style.display = 'flex';
  o27.srcdoc = '';
  document.documentElement.style.display = 'block';
  o15.surroundContents(o42);
  o69 = document.createElement('iframe');
}
function fun0() {
  spin();
  o13.remove();
  document.documentElement.appendChild(o69);
  spin();
}
</script>
<body onload="start()"></body>
```

ASAN output:

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==15312==ERROR: AddressSanitizer: SEGV on unknown address 0x000000001228 (pc 0x7f897136167b bp 0x7ffcd6b61bf0 sp 0x7ffcd6b61a20 T0)
==15312==The signal is caused by a WRITE memory access.
    #0 0x7f897136167a in IncrementPaintCount /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:1356:32
    #1 0x7f897136167a in IncrementPresShellPaintCount /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:1275
    #2 0x7f897136167a in IncrementSubDocPresShellPaintCount /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:197
    #3 0x7f897136167a in MergeState::ProcessOldNode(Index<OldListUnits>, nsTArray<Index<MergedListUnits> >&&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:354
    #4 0x7f897124e109 in MergeState::Finalize() /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:296:7
    #5 0x7f897124bc93 in RetainedDisplayListBuilder::MergeDisplayLists(nsDisplayList*, RetainedDisplayList*, RetainedDisplayList*, mozilla::Maybe<mozilla::ActiveScrolledRoot const*>&) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:469:26
    #6 0x7f897125431f in RetainedDisplayListBuilder::AttemptPartialUpdate(unsigned int, mozilla::DisplayListChecker*) /builds/worker/workspace/build/src/layout/painting/RetainedDisplayListBuilder.cpp:1075:7
    #7 0x7f89709fa1d6 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3862:40
    #8 0x7f89708e88bd in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6318:5
    #9 0x7f897028728a in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #10 0x7f897028608c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #11 0x7f897028b6b6 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #12 0x7f897085ffff in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2053:11
    #13 0x7f897086d620 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #14 0x7f897086d620 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #15 0x7f897086d1e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #16 0x7f897086ff5e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #17 0x7f897086ff5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #18 0x7f897086fb5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #19 0x7f897112c26f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #20 0x7f8969c95719 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #21 0x7f8969b6bbea in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #22 0x7f896969c8ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #23 0x7f8969699871 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #24 0x7f896969b06c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #25 0x7f896969b6c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #26 0x7f89687b3f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #27 0x7f89687d0350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #28 0x7f89700617e9 in SpinEventLoopUntil<mozilla::ProcessFailureBehavior::ReportToCaller, (lambda at /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2926:31)> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:323:25
    #29 0x7f89700617e9 in mozilla::dom::XMLHttpRequestMainThread::SendInternal(mozilla::dom::BodyExtractorBase const*) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2926
    #30 0x7f897005fe11 in mozilla::dom::XMLHttpRequestMainThread::Send(JSContext*, mozilla::dom::Nullable<mozilla::dom::DocumentOrBlobOrArrayBufferViewOrArrayBufferOrFormDataOrURLSearchParamsOrUSVString> const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/xhr/XMLHttpRequestMainThread.cpp:2755:11
    #31 0x7f896d4137f2 in mozilla::dom::XMLHttpRequestBinding::send(JSContext*, JS::Handle<JSObject*>, mozilla::dom::XMLHttpRequest*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/XMLHttpRequestBinding.cpp:1282:9
    #32 0x7f896dfa7631 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3191:13
    #33 0x7f89748bc927 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #34 0x7f89748bc927 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #35 0x7f89748a73e1 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:522:12
    #36 0x7f89748a73e1 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3084
    #37 0x7f897488d82a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #38 0x7f89748bc6a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #39 0x7f89748bd922 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #40 0x7f89753de84d in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:3003:12
    #41 0x7f896d6f09df in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:51:8
    #42 0x7f896e6dc3f1 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #43 0x7f896e6dc3f1 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, nsIDOMEvent*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1104
    #44 0x7f896e6ddcb5 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent**, mozilla::dom::EventTarget*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1276:20
    #45 0x7f896e6c8347 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:559:14
    #46 0x7f896e6cbde7 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, nsIDOMEvent*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:914:9
    #47 0x7f896e6ce0fc in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, nsIDOMEvent*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:993:12
    #48 0x7f896ba90ac8 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1084:5
    #49 0x7f896e6ec963 in mozilla::dom::EventTarget::DispatchEvent(mozilla::dom::Event&) /builds/worker/workspace/build/src/dom/events/EventTarget.cpp:204:13
    #50 0x7f896e6638bb in mozilla::AsyncEventDispatcher::Run() /builds/worker/workspace/build/src/dom/events/AsyncEventDispatcher.cpp:69:12
    #51 0x7f896b5e40ff in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5660:15
    #52 0x7f896b9c0a07 in nsDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/base/nsDocument.cpp:5089:3
    #53 0x7f896eac29cc in nsHTMLDocument::EndUpdate(unsigned int) /builds/worker/workspace/build/src/dom/html/nsHTMLDocument.cpp:2120:15
    #54 0x7f89707d22ea in ~mozAutoDocConditionalContentUpdateBatch /builds/worker/workspace/build/src/dom/base/mozAutoDocUpdate.h:83:18
    #55 0x7f89707d22ea in ModifyDeclaration<(lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:318:5), (lambda at /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:321:5)> /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:308
    #56 0x7f89707d22ea in nsDOMCSSDeclaration::ParsePropertyValue(nsCSSPropertyID, nsTSubstring<char16_t> const&, bool, nsIPrincipal*) /builds/worker/workspace/build/src/layout/style/nsDOMCSSDeclaration.cpp:316
    #57 0x7f896bee8110 in SetMargin /builds/worker/workspace/build/src/layout/style/nsCSSPropList.h:2033:1
    #58 0x7f896bee8110 in mozilla::dom::CSS2PropertiesBinding::set_margin(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitSetterCallArgs) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:17465
    #59 0x7f896dfa4d03 in bool mozilla::dom::binding_detail::GenericSetter<mozilla::dom::binding_detail::NormalThisPolicy>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3135:8
    #60 0x7f89748bc927 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:290:15
    #61 0x7f89748bc927 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:467
    #62 0x7f89748bf556 in InternalCall /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:516:12
    #63 0x7f89748bf556 in Call /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535
    #64 0x7f89748bf556 in js::CallSetter(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:664
    #65 0x7f897588438b in SetExistingProperty(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<js::NativeObject*>, JS::Handle<JS::PropertyResult>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2786:10
    #66 0x7f897587c1bf in bool js::NativeSetProperty<(js::QualifiedBool)1>(JSContext*, JS::Handle<js::NativeObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/vm/NativeObject.cpp:2814:20
    #67 0x7f897548f2b5 in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1657:12
    #68 0x7f897548f2b5 in js::SetPropertyIgnoringNamedGetter(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyDescriptor>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/BaseProxyHandler.cpp:182
    #69 0x7f896dfcc815 in mozilla::dom::DOMProxyHandler::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) const /builds/worker/workspace/build/src/dom/bindings/DOMJSProxyHandler.cpp:220:10
    #70 0x7f89754b47ce in setInternal /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:403:21
    #71 0x7f89754b47ce in js::Proxy::set(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::ObjectOpResult&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:413
    #72 0x7f897489f6ae in SetProperty /builds/worker/workspace/build/src/js/src/vm/NativeObject.h:1656:16
    #73 0x7f897489f6ae in SetPropertyOperation /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:264
    #74 0x7f897489f6ae in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:2881
    #75 0x7f897488d82a in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:417:12
    #76 0x7f89748bc6a5 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:489:15
    #77 0x7f89748bd922 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:535:10
    #78 0x7f89753db960 in JS_CallFunctionValue(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2944:12
    #79 0x7f896fde3dd5 in Call /builds/worker/workspace/build/src/obj-firefox/dist/include/jsapi.h:3040:14
    #80 0x7f896fde3dd5 in nsXBLProtoImplAnonymousMethod::Execute(nsIContent*, nsXBLPrototypeBinding const&) /builds/worker/workspace/build/src/dom/xbl/nsXBLProtoImplMethod.cpp:329
    #81 0x7f896fdacafd in nsXBLBinding::ExecuteAttachedHandler() /builds/worker/workspace/build/src/dom/xbl/nsXBLBinding.cpp:625:19
    #82 0x7f896fdac91b in nsBindingManager::ProcessAttachedQueueInternal(unsigned int) /builds/worker/workspace/build/src/dom/xbl/nsBindingManager.cpp:429:16
    #83 0x7f89708ce433 in ProcessAttachedQueue /builds/worker/workspace/build/src/dom/xbl/nsBindingManager.h:106:5
    #84 0x7f89708ce433 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4290
    #85 0x7f8970dd7bde in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:583:5
    #86 0x7f8970dd7bde in nsHideViewer::Run() /builds/worker/workspace/build/src/layout/generic/nsSubDocumentFrame.cpp:970
    #87 0x7f896b5e40ff in nsContentUtils::RemoveScriptBlocker() /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:5660:15
    #88 0x7f89708ce358 in ~nsAutoScriptBlocker /builds/worker/workspace/build/src/obj-firefox/dist/include/nsContentUtils.h:3555:5
    #89 0x7f89708ce358 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4283
    #90 0x7f897085e179 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/nsIPresShell.h:592:5
    #91 0x7f897085e179 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1911
    #92 0x7f897086d620 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:337:13
    #93 0x7f897086d620 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:307
    #94 0x7f897086d1e6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:329:5
    #95 0x7f897086ff5e in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:770:5
    #96 0x7f897086ff5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:683
    #97 0x7f897086fb5e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:584:9
    #98 0x7f897112c26f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:68:16
    #99 0x7f8969c95719 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #100 0x7f8969b6bbea in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #101 0x7f896969c8ee in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2135:25
    #102 0x7f8969699871 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2065:17
    #103 0x7f896969b06c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1911:5
    #104 0x7f896969b6c8 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1944:15
    #105 0x7f89687b3f18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1096:14
    #106 0x7f89687d0350 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #107 0x7f89696a445a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #108 0x7f89695f4229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #109 0x7f89695f4229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #110 0x7f89695f4229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #111 0x7f8970315eba in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:157:27
    #112 0x7f89745d7edb in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #113 0x7f89695f4229 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:326:10
    #114 0x7f89695f4229 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:319
    #115 0x7f89695f4229 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:299
    #116 0x7f89745d78a2 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #117 0x4f50dc in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #118 0x4f50dc in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:280
    #119 0x7f89885e182f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
    #120 0x42476c in _start (/fuzzer3/firefox/firefox+0x42476c)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:1356:32 in IncrementPaintCount
==15312==ABORTING
```
Comment 2 • 6 years ago

Write near-ish zero in painting; is some object nulled out? But not that near, so maybe it's an offset that would be user-controlled.
Flags: needinfo?(matt.woodrow)
Comment 3 • 6 years ago
Indeed, it's a nullptr crash, hits the assertion in IncrementSubDocPresShellPaintCount in a debug build. Miko, do you remember much about how the subdoc count code is supposed to work? It seems like if GetSubdocumentPresShellForPainting is not the same subdoc as nsDisplaySubDocument::mFrame (the viewport frame in the subdoc), then we probably shouldn't be reusing this item?
Flags: needinfo?(matt.woodrow) → needinfo?(mikokm)
Assignee
Comment 4 • 6 years ago

(In reply to Matt Woodrow (:mattwoodrow) from comment #3)
> Indeed, it's a nullptr crash, hits the assertion in
> IncrementSubDocPresShellPaintCount in a debug build.

How did you reproduce this? I tried both normal debug build and ASAN debug build on OSX with no luck.

> Miko, do you remember much about how the subdoc count code is supposed to
> work?
>
> It seems like if GetSubdocumentPresShellForPainting is not the same subdoc
> as nsDisplaySubDocument::mFrame (the viewport frame in the subdoc), then we
> probably shouldn't be reusing this item?

I think I found one possible cause for this.

In the original code, IncrementPresShellPaintCount() was called for |subdocRootFrame->PresShell()|, where |subdocRootFrame = nsSubDocumentFrame::GetSubdocumentPresShellForPainting()->GetRootFrame()|. This was done only when |subdocRootFrame| was non-null.

In the new version of code, IncrementPresShellPaintCount() is called for the nsSubDocumentFrame::GetSubdocumentPresShellForPainting(). In the case of GetSubdocumentPresShellForPainting() == nullptr, we should probably not reuse the item (as we do not build anything with retained dl disabled).
Flags: needinfo?(mikokm)
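Added example (not Gecko code): a small C++ model of the retained display list merge step that comments 3 and 4 discuss. PresShell, Frame, SubDocumentFrame, SubDocItem and ProcessOldSubDocItem are simplified stand-ins for nsIPresShell, nsIFrame, nsSubDocumentFrame, nsDisplaySubDocument and MergeState::ProcessOldNode; the unchecked version is shown only to contrast with the guarded one.

```cpp
#include <cstdint>
#include <cstdio>

struct PresShell {                   // stand-in for nsIPresShell
  uint64_t paintCount = 0;
  void IncrementPaintCount() { ++paintCount; }
};

struct Frame {                       // stand-in for nsIFrame
  PresShell* shell;                  // pres shell this frame belongs to
};

struct SubDocumentFrame {            // stand-in for nsSubDocumentFrame (the <iframe>)
  // Becomes null once the subdocument's presentation is torn down, e.g. after
  // the <iframe> is removed while an old display item for it still exists.
  PresShell* subdocShell;
  PresShell* GetSubdocumentPresShellForPainting() const { return subdocShell; }
};

struct SubDocItem {                  // stand-in for nsDisplaySubDocument
  SubDocumentFrame* outerFrame;      // frame the item was built for
  Frame* mFrame;                     // subdoc viewport frame captured at build time
};

// The regressed behaviour comment 4 describes: the pres shell is dereferenced
// unconditionally, so a torn-down subdocument turns into a null write.
// Kept for contrast only; never call it with a null subdocShell.
void IncrementUnchecked(const SubDocItem& item) {
  item.outerFrame->GetSubdocumentPresShellForPainting()->IncrementPaintCount();
}

enum class Decision { Reuse, Rebuild };

// Guarded merge step: an old item is reused only when the subdocument still
// has a pres shell (comment 4) and that pres shell is the one the item's
// viewport frame belongs to (comment 3). Anything else is rebuilt.
Decision ProcessOldSubDocItem(const SubDocItem& item) {
  PresShell* shell = item.outerFrame->GetSubdocumentPresShellForPainting();
  if (!shell) {
    return Decision::Rebuild;        // subdocument gone: nothing to count
  }
  if (!item.mFrame || item.mFrame->shell != shell) {
    return Decision::Rebuild;        // item refers to a different subdoc
  }
  shell->IncrementPaintCount();      // safe: shell is live and matches
  return Decision::Reuse;
}

// Walks the three states the discussion distinguishes and returns how many
// paints were counted in total (1: only the live, matching case counts).
uint64_t RunScenario() {
  PresShell live;
  Frame viewport{&live};
  SubDocumentFrame iframe{&live};
  SubDocItem item{&iframe, &viewport};

  Decision a = ProcessOldSubDocItem(item);   // live subdoc: Reuse
  iframe.subdocShell = nullptr;              // iframe removed, presentation torn down
  Decision b = ProcessOldSubDocItem(item);   // Rebuild, no dereference
  PresShell replacement;
  iframe.subdocShell = &replacement;         // a new subdoc behind the same frame
  Decision c = ProcessOldSubDocItem(item);   // Rebuild: mFrame belongs to 'live'

  std::printf("reuse=%d rebuild-null=%d rebuild-mismatch=%d\n",
              a == Decision::Reuse, b == Decision::Rebuild, c == Decision::Rebuild);
  return live.paintCount + replacement.paintCount;
}
```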
Updated • 6 years ago
Group: core-security → layout-core-security

Updated • 6 years ago
Keywords: csectype-nullptr, sec-low

Updated • 6 years ago
Assignee: nobody → mikokm
Priority: -- → P1

Updated • 6 years ago
Component: Layout → Layout: Web Painting

Updated • 6 years ago
Flags: sec-bounty?

Updated • 6 years ago
status-firefox60: --- → disabled
status-firefox62: --- → affected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → disabled
Assignee
Comment 5 • 6 years ago
I cannot reproduce this on Mac/Linux with the latest debug or ASAN build. Daniel, are you able to reproduce this?
Flags: needinfo?(dveditz)
Comment 6 • 6 years ago

I cannot reproduce this with m-c:
BuildID=20180517152849
SourceStamp=24bae072acb09114c367e6b9ffde9261b2ad8a58

Nils, are you still seeing this?
Flags: needinfo?(dveditz) → needinfo?(nils)
Comment 7 • 6 years ago
I can still reproduce this on Ubuntu 16.04 (x64) with m-c rev 11ee70f24ea5 (20180518).
Flags: needinfo?(nils)
Comment 8 • 6 years ago

(In reply to Jason Kratzer [:jkratzer] from comment #7)
> I can still reproduce this on Ubuntu 16.04 (x64) with m-c rev 11ee70f24ea5
> (20180518).

This was a mistake on my part. I can't reproduce this either on the latest m-c. Re-adding NI for Nils.
Flags: needinfo?(nils)
Jason, I haven't seen this crash since 29-Apr-18 22:15:31 UTC. I am also unable to reproduce the issue on the latest ASAN build.
Flags: needinfo?(nils)
Updated • 6 years ago
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME

Updated • 6 years ago
Flags: sec-bounty? → sec-bounty-

Updated • 5 years ago
Group: layout-core-security