Closed Bug 1467239 Opened 6 years ago Closed 6 years ago

crash near null in [@ GridItemInfo]

Categories

(Core :: Layout, defect, P2)

Product:
Core
Component:
Layout
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla62
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox60 --- unaffected
firefox61 --- unaffected
firefox62 --- fixed

People

(Reporter: tsmith, Assigned: MatsPalmgren_bugz)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Attachments

(2 files)

testcase.html
165 bytes, text/html
Details
[css-grid] Null-check GetContentInsertionFrame() return value
2.01 KB, patch
emilio
: review+
Details | Diff | Splinter Review
Attached file testcase.html 
Reduced with m-c:
BuildID=20180606093723
SourceStamp=cec4a3cecc29ff97860198969b6fdff24b9e93bb

==28680==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7f8a0731fbde bp 0x7fff7f26b090 sp 0x7fff7f26ab80 T0)
==28680==The signal is caused by a READ memory access.
==28680==Hint: address points to the zero page.
    #0 0x7f8a0731fbdd in Type src/layout/generic/nsIFrame.h:2800:38
    #1 0x7f8a0731fbdd in IsGridContainerFrame src/obj-firefox/dist/include/mozilla/FrameTypeList.h:30
    #2 0x7f8a0731fbdd in GridItemInfo src/layout/generic/nsGridContainerFrame.cpp:560
    #3 0x7f8a0731fbdd in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&) src/layout/generic/nsGridContainerFrame.cpp:3215
    #4 0x7f8a0734773f in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGridContainerFrame.cpp:6004:10
    #5 0x7f8a071acfa7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #6 0x7f8a071a0bb9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #7 0x7f8a0719e9b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #8 0x7f8a07193f90 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #9 0x7f8a0718b624 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #10 0x7f8a071acfa7 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #11 0x7f8a071a0bb9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #12 0x7f8a0719e9b5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #13 0x7f8a07193f90 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #14 0x7f8a0718b624 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #15 0x7f8a071ed1f6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #16 0x7f8a071eba2f in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:713:5
    #17 0x7f8a071ed1f6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #18 0x7f8a072dae18 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:555:3
    #19 0x7f8a072dc25d in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:678:3
    #20 0x7f8a072e0238 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1055:3
    #21 0x7f8a0716f15e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #22 0x7f8a0716dcdc in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:335:7
    #23 0x7f8a06f5405e in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8943:11
    #24 0x7f8a06f69af0 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9116:24
    #25 0x7f8a06f67f3c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4335:11
    #26 0x7f8a06ef8fbd in FlushPendingNotifications src/layout/base/nsIPresShell.h:575:5
    #27 0x7f8a06ef8fbd in nsRefreshDriver::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1923
    #28 0x7f8a06f0824b in TickDriver src/layout/base/nsRefreshDriver.cpp:328:13
    #29 0x7f8a06f0824b in mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:301
    #30 0x7f8a06f07e29 in mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:320:5
    #31 0x7f8a06f0a96e in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:760:5
    #32 0x7f8a06f0a96e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:673
    #33 0x7f8a06f0a56e in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:574:9
    #34 0x7f8a077c0edf in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) src/layout/ipc/VsyncChild.cpp:68:16
    #35 0x7f8a0053e844 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #36 0x7f8a004164c3 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:1988:28
    #37 0x7f89fff83a1e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #38 0x7f89fff80962 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #39 0x7f89fff8219c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #40 0x7f89fff827f8 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #41 0x7f89ff08ab36 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1088:14
    #42 0x7f89ff0a6d50 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #43 0x7f89fff8b6ba in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #44 0x7f89ffee05e9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7f89ffee05e9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7f89ffee05e9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7f8a069a311a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:157:27
    #48 0x7f8a0ac274db in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:893:22
    #49 0x7f89ffee05e9 in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #50 0x7f89ffee05e9 in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #51 0x7f89ffee05e9 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #52 0x7f8a0ac26ea0 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:719:34
    #53 0x4f16e5 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #54 0x4f16e5 in main src/browser/app/nsBrowserApp.cpp:282
    #55 0x7f8a1e91482f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #56 0x420db8 in _start (firefox+0x420db8)
Flags: in-testsuite?
Assignee: nobody → mats
Priority: -- → P2
Attachment #8983914 - Flags: review?(emilio) → review+
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/ce75d57cebaf
[css-grid] Null-check GetContentInsertionFrame() return value.  r=emilio
Flags: in-testsuite? → in-testsuite+
https://hg.mozilla.org/mozilla-central/rev/ce75d57cebaf
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox62: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla62
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: