1488781 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type

Status: NEW

(Core :: Layout, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 26990836dc5c.

==19609==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7fb103cd3d32 bp 0x7ffd454bd290 sp 0x7ffd454bd260 T0)
==19609==The signal is caused by a READ memory access.
==19609==Hint: address points to the zero page.
    #0 0x7fb103cd3d31 in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38
    #1 0x7fb103cd3d31 in IsPlaceholderFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:52
    #2 0x7fb103cd3d31 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3342
    #3 0x7fb103cd3d85 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3344:9
    #4 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #5 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #6 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #7 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #8 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #9 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #10 0x7fb103cd3fe2 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3368:9
    #11 0x7fb103cd8e37 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3641:5
    #12 0x7fb103b7fd17 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6353:5
    #13 0x7fb10331a017 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #14 0x7fb103318e4c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #15 0x7fb10331ea76 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #16 0x7fb103ad599e in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2042:11
    #17 0x7fb103ae59a2 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:324:13
    #18 0x7fb103ae59a2 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299
    #19 0x7fb103ae54d1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #20 0x7fb103ae8ab1 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:755:5
    #21 0x7fb103ae8ab1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:671
    #22 0x7fb103ae858b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:571:9
    #23 0x7fb1045a8d06 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #24 0x7fb0fb3e913d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #25 0x7fb0fb1770e8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #26 0x7fb0fa9ce22e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #27 0x7fb0fa9c9b5e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #28 0x7fb0fa9cbfbd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #29 0x7fb0fa9ccd17 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #30 0x7fb0f97d95a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #31 0x7fb0f97e2275 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #32 0x7fb0fa9d82fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #33 0x7fb0fa8d99bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #34 0x7fb0fa8d99bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #35 0x7fb0fa8d99bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #36 0x7fb103402786 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #37 0x7fb107795e8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #38 0x7fb0fa8d99bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #39 0x7fb0fa8d99bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #40 0x7fb0fa8d99bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #41 0x7fb107794f45 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #42 0x4f6b61 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #43 0x4f6b61 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #44 0x7fb11b147b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type
==19609==ABORTING

Comment 1

[Xidorn Quan [:xidorn] UTC+10]

https://searchfox.org/mozilla-central/rev/a41fd8cb947266ea2e3f463fc6e31c88bfab9d41/layout/base/nsLayoutUtils.cpp#3342

Based on the code and the stack, it seems to be a placeholder frame without out-of-flow frame. This should only happen when a placeholder is just constructed, or we are in process of destroying it or its out-of-flow frame.

The first case cannot happen because there is only one place we construct placeholder, and we always set the out-of-flow frame, and we would have crashed if the out-of-flow frame was null.

So it feels like we are partially destroying the frames somehow...

Comment 2

[Xidorn Quan [:xidorn] UTC+10]

I couldn't reproduce this crash with a normal build on Windows...

Comment 3

[Tyson Smith [:tsmith]]

Attachment: testcase.html

I was able to repro with a new test case on m-c: a3a8917a857f

src/layout/base/nsLayoutUtils.cpp:3295:15: runtime error: member call on null pointer of type 'nsIFrame'
    #0 0x7fde8685a7c7 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayouwUtils.cpp:3295:15
    #1 0x7fde8685a486 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3297:9
    #2 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #3 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #4 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #5 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #6 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #7 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncountered(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayoutUtils.cpp:3322:9
    #8 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterew(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayouwUtils.cpp:3322:9
    #9 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterew(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayouwUtils.cpp:3322:9
    #10 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterwd(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayowtUtils.cpp:3322:9
    #11 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterwd(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayowtUtils.cpp:3322:9
    #12 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterwd(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayowtUtils.cpp:3322:9
    #13 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterwd(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayowtUtils.cpp:3322:9
    #14 0x7fde8685a648 in nsLayoutUtils::MaybeCreateDisplayPortInFirstScrollFrameEncounterwd(nsIFrame*, nsDisplayListBuilder*) src/layout/base/nsLayowtUtils.cpp:3322:9
    #15 0x7fde8685c5e7 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const
&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /home/twsmith/cwde/mozilla-central/layout/base/nsLayoutUtils.cpp:3805:5
    #16 0x7fde8675a691 in mozilla::PresShell::Paint(nsView*, nsRegion const&, mozilla::PaiwtFlags) src/layout/base/PresShell.cpp:6087:5
    #17 0x7fde86101c56 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /home/twsmwth/code/mozilla-central/view/nsViewManager.cpp:461:18  
    #18 0x7fde86101134 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /home
/twsmith/code/mozilla-central/view/nsViewManager.cpp:396:22
    #19 0x7fde86103f58 in nsViewManager::ProcessPendingUpdates() /home/twsmith/code/mozillw-central/view/nsViewManager.cpp:1019:5
    #20 0x7fde866cf3ef in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla
::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefrewhDriver.cpp:2143:11
    #21 0x7fde866df551 in mozilla::RefreshDriverTimer::TickDriver(nsRefreshDriver*, mozillw::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /home/twsmith/code
/mozilla-central/layout/base/nsRefreshDriver.cpp:373:13 
    #22 0x7fde866df551 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers:
:BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriwer> >&) src/layout/base/nsRefreshDriver.cpp:350
    #23 0x7fde866df0c5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactiwnId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/wase/nsRefreshDriver.cpp:367:5
    #23 0x7fde866df0c5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #24 0x7fde866e2ede in mozilla::VsyncRefreshDriverTimer::RunRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:807:5
    #25 0x7fde866e2ede in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:727
    #26 0x7fde866e2075 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:622:9
    #27 0x7fde86f451b4 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #28 0x7fde7faf0161 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PVsyncChild.cpp:187:54
    #29 0x7fde7f73d8d2 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/objdir-ff-ubsan/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #30 0x7fde7f20d83a in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2187:25
    #31 0x7fde7f20a2aa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2111:9
    #32 0x7fde7f20b979 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1954:3
    #33 0x7fde7f20c2d9 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1985:13 
    #34 0x7fde7de5b01c in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #35 0x7fde7de62c96 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #36 0x7fde7f215414 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:110:5
    #37 0x7fde7f0c02d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
    #38 0x7fde7f0c02d7 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:308
    #39 0x7fde7f0c02d7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #40 0x7fde861c77a1 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #41 0x7fde8a3768fd in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #42 0x7fde7f0c02d7 in MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:315:10
    #43 0x7fde7f0c02d7 in MessageLoop::RunHandler() src/ipc/chromium/src/base/message_loop.cc:308
    #44 0x7fde7f0c02d7 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #45 0x7fde8a3755ce in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #46 0x560eaa53a049 in content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #47 0x560eaa53a309 in main src/browser/app/nsBrowserApp.cpp:272:18

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Comment 5

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Comment 6

[Tyson Smith [:tsmith]]

This bug was also triggered while trying to reduce a new test case for bug 1504715.

Comment 7

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/a1yl4-3rkAv39y7QXlxxSQ/index.html

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

Since the crash volume is low (less than 5 per week), the severity is downgraded to S3. Feel free to change it back if you think the bug is still critical.

For more information, please visit auto_nag documentation.

Comment 9

[Timothy Nikkel (:tnikkel)]

(In reply to Tyson Smith [:tsmith] from comment #7)

A Pernosco session is available here: https://pernos.co/debug/a1yl4-3rkAv39y7QXlxxSQ/index.html

I looked in to this recording. The problem happens inside a details frame. Since the recording details frames have been completely removed as a type and re-implemented a different way in

https://hg.mozilla.org/mozilla-central/rev/6ae1077f7310bfe0fc6950d3bef4b9111d5299ad

If fuzzers are still seeing this could we get a new pernosco recording?

Comment 10

[Tyson Smith [:tsmith]]

The attached test case no longer reproduces the issue, neither do the most recently reported test cases (Jan-Jun 2021). This issue was last reported while fuzzing m-c 20210601-83f4bfe5ea71.