Closed Bug 1472257 Opened 6 years ago Closed 6 years ago

crash near null in [@ mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord]

Categories: Core :: SVG, defect, P2
Status: RESOLVED DUPLICATE of bug 1504918
Tracking Status: firefox62 --- affected; firefox63 --- affected
People: Reporter: tsmith, Unassigned
References: Depends on 1 open bug, Blocks 1 open bug
Keywords: crash, testcase
Attachments: 1 file

Attached file testcase.html
Reduced with m-c:
BuildID=20180628100518
SourceStamp=b429b9fb68f1a954c4a9f8dba8e845cf7f569a56

==128993==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc66a0a05b4 bp 0x7ffe1d18c3e0 sp 0x7ffe1d18c380 T0)
==128993==The signal is caused by a READ memory access.
==128993==Hint: address points to the zero page.
    #0 0x7fc66a0a05b3 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1517:47
    #1 0x7fc66a0a03b6 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1458:7
    #2 0x7fc66a0a03b6 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1458:7
    #3 0x7fc66a0a03b6 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1458:7
    #4 0x7fc66a0a0026 in mozilla::TextNodeCorrespondenceRecorder::Record(SVGTextFrame*) src/layout/svg/SVGTextFrame.cpp:1414:3
    #5 0x7fc66a09fde5 in mozilla::TextNodeCorrespondenceRecorder::RecordCorrespondence(SVGTextFrame*) src/layout/svg/SVGTextFrame.cpp:1399:14
    #6 0x7fc66a0b1c1f in MaybeReflowAnonymousBlockChild src/layout/svg/SVGTextFrame.cpp:5492:5
    #7 0x7fc66a0b1c1f in SVGTextFrame::ReflowSVG() src/layout/svg/SVGTextFrame.cpp:3775
    #8 0x7fc66a0b2d79 in nsSVGDisplayContainerFrame::ReflowSVG() src/layout/svg/nsSVGContainerFrame.cpp:349:17
    #9 0x7fc66a11dbd8 in nsSVGOuterSVGFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/svg/nsSVGOuterSVGFrame.cpp:456:14
    #10 0x7fc669e69a38 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:922:13
    #11 0x7fc669c954fd in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4158:15
    #12 0x7fc669c93e77 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:3958:5
    #13 0x7fc669c8aad1 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3832:9
    #14 0x7fc669c82c62 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2816:5
    #15 0x7fc669c784d0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #16 0x7fc669c6fc14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #17 0x7fc669c9144b in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:306:11
    #18 0x7fc669c85026 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3463:11
    #19 0x7fc669c82db4 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2813:5
    #20 0x7fc669c784d0 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2352:7
    #21 0x7fc669c6fc14 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1225:3
    #22 0x7fc669cd18f6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #23 0x7fc669cd013e in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:713:5
    #24 0x7fc669cd18f6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:951:14
    #25 0x7fc669dbede5 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) src/layout/generic/nsGfxScrollFrame.cpp:580:3
    #26 0x7fc669dc0324 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:703:3
    #27 0x7fc669dc42ec in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1080:3
    #28 0x7fc669c53a6e in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:995:14
    #29 0x7fc669c525f3 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:338:7
    #30 0x7fc669a3d9a1 in mozilla::PresShell::DoReflow(nsIFrame*, bool) src/layout/base/PresShell.cpp:8983:11
    #31 0x7fc669a53540 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9156:24
    #32 0x7fc669a5198d in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4337:11
    #33 0x7fc66775f88c in FlushPendingNotifications src/obj-firefox/dist/include/nsIPresShell.h:566:5
    #34 0x7fc66775f88c in FlushPendingEvents src/dom/events/EventStateManager.cpp:5514
    #35 0x7fc66775f88c in mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:689
    #36 0x7fc669a78d11 in mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7607:19
    #37 0x7fc669a74f93 in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:7252:17
    #38 0x7fc6693e8591 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14
    #39 0x7fc6693e7d66 in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1141:9
    #40 0x7fc6694513a5 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:413:35
    #41 0x7fc664094b00 in mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:500:21
    #42 0x7fc668d12288 in DispatchWidgetEventViaAPZ src/dom/ipc/TabChild.cpp:1796:10
    #43 0x7fc668d12288 in mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1727
    #44 0x7fc668d132de in mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1699:3
    #45 0x7fc668d134b4 in RecvSynthMouseMoveEvent src/dom/ipc/TabChild.cpp:1660:8
    #46 0x7fc668d134b4 in non-virtual thunk to mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp
    #47 0x7fc663077b56 in mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3523:20
    #48 0x7fc662abf1d4 in mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5316:28
    #49 0x7fc66295e1be in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2134:25
    #50 0x7fc66295b0d4 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2064:17
    #51 0x7fc66295c92c in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1910:5
    #52 0x7fc66295cf88 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1943:15
    #53 0x7fc661a4292e in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
    #54 0x7fc661a6ea39 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1051:14
    #55 0x7fc661a75818 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
    #56 0x7fc662965e7a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #57 0x7fc6628bab8c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #58 0x7fc6628bab8c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #59 0x7fc6628bab8c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #60 0x7fc66947bd6a in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #61 0x7fc66d72f73f in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:896:22
    #62 0x7fc6628bab8c in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #63 0x7fc6628bab8c in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #64 0x7fc6628bab8c in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #65 0x7fc66d72f0f6 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:722:34
    #66 0x4f1cb4 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #67 0x4f1cb4 in main src/browser/app/nsBrowserApp.cpp:287
    #68 0x7fc68148782f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #69 0x4210e8 in _start (firefox+0x4210e8)
Flags: in-testsuite?
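As an added triage helper, not part of the bug report or of Firefox: the script below parses the AddressSanitizer header and symbolised frames above, classifies the fault as a read from the zero page (a null dereference, normally DoS-class rather than memory corruption), and measures how deep TraverseAndRecord recursed before faulting. The embedded report lines are copied from this bug; the 0x1000 null-page threshold is an assumption.

```python
import re

# Constructed input: the first lines of the AddressSanitizer report attached to this bug.
ASAN_REPORT = """\
==128993==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc66a0a05b4 bp 0x7ffe1d18c3e0 sp 0x7ffe1d18c380 T0)
==128993==The signal is caused by a READ memory access.
==128993==Hint: address points to the zero page.
    #0 0x7fc66a0a05b3 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1517:47
    #1 0x7fc66a0a03b6 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1458:7
    #2 0x7fc66a0a03b6 in mozilla::TextNodeCorrespondenceRecorder::TraverseAndRecord(nsIFrame*) src/layout/svg/SVGTextFrame.cpp:1458:7
    #4 0x7fc66a0a0026 in mozilla::TextNodeCorrespondenceRecorder::Record(SVGTextFrame*) src/layout/svg/SVGTextFrame.cpp:1414:3
"""

HEADER_RE = re.compile(r"==\d+==ERROR: AddressSanitizer: (\w+) on unknown address 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+?) (\S+)$")
NULL_PAGE = 0x1000  # assumption: a fault address below the first page is a null-pointer deref


def parse_asan_segv(report):
    """Pull fault kind, access type, fault address and symbolised frames out of an ASan SEGV report."""
    info = {"kind": None, "access": None, "addr": None, "frames": []}
    for line in report.splitlines():
        if m := HEADER_RE.search(line):
            info["kind"], info["addr"] = m.group(1), int(m.group(2), 16)
        elif m := ACCESS_RE.search(line):
            info["access"] = m.group(1)
        elif m := FRAME_RE.match(line):
            info["frames"].append((m.group(1), m.group(2)))  # (function, file:line:col)
    return info


def recursion_depth(frames):
    """Number of consecutive top frames in the same function: here TraverseAndRecord recursing."""
    depth = 0
    for func, _ in frames:
        if func != frames[0][0]:
            break
        depth += 1
    return depth


def triage(report):
    """First-pass bucket: a READ from the zero page is a null deref, normally a DoS-class crash."""
    info = parse_asan_segv(report)
    null_page = info["addr"] is not None and info["addr"] < NULL_PAGE
    if info["kind"] == "SEGV" and null_page:
        bucket = "null-deref-" + (info["access"] or "unknown").lower()
    else:
        bucket = "wild-access"
    return bucket, info["frames"][0][0] if info["frames"] else None, recursion_depth(info["frames"])
```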
Hi Sean -- Can you find someone to look at this?
Flags: needinfo?(svoisen)
Priority: -- → P2
jwatt: SVGTextFrame in the stack. Do you have any insight into this crash?
Flags: needinfo?(svoisen) → needinfo?(jwatt)
This is TextNodeIterator / TextNodeCorrespondenceRecorder making really bogus assumptions about the frame tree to dom tree relationship. That code should be rewritten to understand display: contents or shadow DOM, or disappear.

We already don't render this stuff because of these bogus assumptions:

  https://searchfox.org/mozilla-central/rev/aff5d4ad5d7fb2919d267cbc23b1d87ae3cf0110/layout/base/nsCSSFrameConstructor.cpp#3421

But this case slips through because this is building inline items, and there's no parent frame at all here.

Looks to me that all this complexity comes from us trying to do stuff with undisplayed characters. Reading the chromium source, it doesn't look like they deal with them. Part of it is to implement GetSubstringLength. Other parts are for measuring text, it looks like... GetSubstringLength in chromium definitely doesn't try to deal with display: none stuff.

Does anybody know how interoperable this is? Can we avoid all the TextNodeCorrespondence complexity? I can extend our wallpaper so that it works for svg text as well, but that sucks even more :(
(In reply to Emilio Cobos Álvarez (:emilio) from comment #3)
> Looks to me that all this complexity comes from us trying to do stuff with
> undisplayed characters. Reading the chromium source, it doesn't look like they
> deal with them. Part of it is to implement GetSubstringLength. Other parts
> are for measuring text, it looks like... GetSubstringLength in chromium
> definitely doesn't try to deal with display: none stuff.

We do that because the spec requires it, and because authors can get poor results if we don't. I'm surprised Chrome doesn't handle it because from (rusty) memory I thought we implemented this stuff for compat too. At any rate, I'd prefer not to remove that.

> Does anybody know how interoperable this is? Can we avoid all the
> TextNodeCorrespondence complexity? I can extend our wallpaper so that it
> works for svg text as well, but that sucks even more :(

It does suck, but `display: contents` and shadow DOM in SVG text isn't exactly our highest priority right now. I think the pragmatic way forward is just to wallpaper this and add a big comment to TextNodeIterator/TextNodeCorrespondenceRecorder about them sucking.
Flags: needinfo?(jwatt) → needinfo?(emilio)
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(emilio)
Resolution: --- → DUPLICATE