Closed Bug 1454140 Opened 6 years ago Closed 6 years ago

crash at null in [@ nsStyleImageRequest::Resolve]

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox59 --- wontfix
firefox60 --- wontfix
firefox61 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(2 files)

testcase.html
59 bytes, text/html
Details
Bug 1454140: Invalid URLs with ref also exist.
59 bytes, text/x-review-board-request
heycam
: review+
Details
Attached file testcase.html 
==126750==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fbac1c6ee7f bp 0x7ffcc33a8300 sp 0x7ffcc33a81a0 T0)
==126750==The signal is caused by a READ memory access.
==126750==Hint: address points to the zero page.
    #0 0x7fbac1c6ee7e in nsStyleImageRequest::Resolve(nsPresContext*, nsStyleImageRequest const*) src/layout/style/nsStyleStruct.cpp:2178:15
    #1 0x7fbac1c8ac3a in ResolveImage src/obj-firefox/dist/include/nsStyleStruct.h:386:15
    #2 0x7fbac1c8ac3a in ResolveImage src/obj-firefox/dist/include/nsStyleStruct.h:703
    #3 0x7fbac1c8ac3a in nsStyleImageLayers::ResolveImages(nsPresContext*, nsStyleImageLayers const*) src/obj-firefox/dist/include/nsStyleStruct.h:758
    #4 0x7fbac1de3a1e in DoGetStyleBackground<true> src/layout/style/nsStyleStructList.h:44:1
    #5 0x7fbac1de3a1e in StyleBackground src/layout/style/nsStyleStructList.h:44
    #6 0x7fbac1de3a1e in StartBackgroundImageLoads src/obj-firefox/dist/include/mozilla/ComputedStyleInlines.h:88
    #7 0x7fbac1de3a1e in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:6065
    #8 0x7fbac1dc4025 in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:10155:5
    #9 0x7fbac1df10ae in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7284:3
    #10 0x7fbac1d7f823 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1401:27
    #11 0x7fbac1d8cc55 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:2997:9
    #12 0x7fbac1d45c33 in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3073:3
    #13 0x7fbac1d45c33 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4283
    #14 0x7fbac1cd6056 in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:592:5
    #15 0x7fbac1cd6056 in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1911
    #16 0x7fbac1ce5310 in TickDriver src/layout/base/nsRefreshDriver.cpp:337:13
    #17 0x7fbac1ce5310 in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:307
    #18 0x7fbac1ce4ed6 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:329:5
    #19 0x7fbac1ce7c4e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:770:5
    #20 0x7fbac1ce7c4e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:683
    #21 0x7fbac1ce784e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:584:9
    #22 0x7fbac258a44f in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #23 0x7fbabb32d8c7 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:156:20
    #24 0x7fbabb20f73f in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1968:28
    #25 0x7fbabad78bde in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2135:25
    #26 0x7fbabad75ba6 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2065:17
    #27 0x7fbabad7735c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1911:5
    #28 0x7fbabad779b8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1944:15
    #29 0x7fbab9e9bc89 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1096:14
    #30 0x7fbab9eb76c0 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #31 0x7fbabad8074a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #32 0x7fbabacd5289 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #33 0x7fbabacd5289 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #34 0x7fbabacd5289 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #35 0x7fbac1783d3a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #36 0x7fbac5a2535b in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #37 0x7fbabacd5289 in RunInternal src/ipc/chromium/src/base/message_loop.cc:326:10
    #38 0x7fbabacd5289 in RunHandler src/ipc/chromium/src/base/message_loop.cc:319
    #39 0x7fbabacd5289 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:299
    #40 0x7fbac5a24d20 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #41 0x4f1875 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #42 0x4f1875 in main src/browser/app/nsBrowserApp.cpp:280
    #43 0x7fbad95b882f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #44 0x420f48 in _start (firefox+0x420f48)
Flags: in-testsuite?
Flags: needinfo?(emilio)
Assignee: nobody → emilio
Blocks: 1341667
Flags: needinfo?(emilio)
Comment on attachment 8967968 [details]
Bug 1454140: Invalid URLs with ref also exist.

https://reviewboard.mozilla.org/r/236654/#review242490
Attachment #8967968 - Flags: review?(cam) → review+
Pushed by ecoal95@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/484c9ddde7dd
Invalid URLs with ref also exist. r=heycam
https://hg.mozilla.org/mozilla-central/rev/484c9ddde7dd
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox61: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Looks like this *might* hit in the wild on occasion, but rarely enough that I don't think we need to worry about backport. Feel free to nominate it for Beta approval if you feel strongly otherwise, however.
Crash Signature: [@ nsStyleImageRequest::Resolve]
status-firefox59: --- → wontfix
status-firefox60: --- → wontfix
status-firefox-esr52: --- → unaffected
Flags: in-testsuite? → in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: