1488910 - AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4133:43 in MayHaveWillChangeBudget

Status: NEW

(Core :: Layout, defect, P3, critical)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 26990836dc5c.

==9398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000066 (pc 0x7f4ca8158828 bp 0x7ffe1de3c250 sp 0x7ffe1de3c220 T0)
==9398==The signal is caused by a READ memory access.
==9398==Hint: address points to the zero page.
    #0 0x7f4ca8158827 in MayHaveWillChangeBudget /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4133:43
    #1 0x7f4ca8158827 in nsDisplayListBuilder::ClearWillChangeBudget(nsIFrame*) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2175
    #2 0x7f4ca77b0719 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3597:15
    #3 0x7f4ca7831ee0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6765:13
    #4 0x7f4ca782eeec in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6860:7
    #5 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #6 0x7f4ca78731ba in nsColumnSetFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1271:5
    #7 0x7f4ca77b43fd in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3806:12
    #8 0x7f4ca7831ee0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6765:13
    #9 0x7f4ca782eeec in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6860:7
    #10 0x7f4ca77b43fd in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3806:12
    #11 0x7f4ca785e4fa in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:651:5
    #12 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #13 0x7f4ca79cbee2 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3696:15
    #14 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #15 0x7f4ca77aef19 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:66:5
    #16 0x7f4ca78eaada in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3080:5
    #17 0x7f4ca76a3e54 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3724:17
    #18 0x7f4ca7549d17 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6353:5
    #19 0x7f4ca6ce4017 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #20 0x7f4ca6ce2e4c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #21 0x7f4ca6ce8a76 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #22 0x7f4ca749f99e in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7f4ca74af9a2 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7f4ca74af9a2 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7f4ca74af4d1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7f4ca74b2ab1 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7f4ca74b2ab1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7f4ca74b258b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7f4ca7f72d06 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #30 0x7f4c9edb313d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7f4c9eb410e8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #32 0x7f4c9e39822e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #33 0x7f4c9e393b5e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #34 0x7f4c9e395fbd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #35 0x7f4c9e396d17 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #36 0x7f4c9d1a35a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #37 0x7f4c9d1ac275 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7f4c9e3a22fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7f4c9e2a39bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7f4c9e2a39bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7f4c9e2a39bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7f4ca6dcc786 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7f4cab15fe8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #44 0x7f4c9e2a39bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7f4c9e2a39bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7f4c9e2a39bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7f4cab15ef45 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #48 0x4f6b61 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f6b61 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #50 0x7f4cbeb11b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Xidorn Quan [:xidorn] UTC+11]

This seems to also be a case where a placeholder has no out-of-flow frame which leads to crash during painting, so I strongly suspect this is the same underlying issue as bug 1488781.

Comment 2

[Xidorn Quan [:xidorn] UTC+11]

As a record, the null frame is passed from here: https://searchfox.org/mozilla-central/rev/a41fd8cb947266ea2e3f463fc6e31c88bfab9d41/layout/generic/nsFrame.cpp#3597

Comment 3

[Pulsebot]

Pushed by bballo@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/1f67a586878d
Rename remaining uses of "SPCSPS" to "visual viewport size". r=botond

Comment 4

[Botond Ballo [:botond]]

(In reply to Pulsebot from comment #3)
> Pushed by bballo@mozilla.com:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/1f67a586878d
> Rename remaining uses of "SPCSPS" to "visual viewport size". r=botond

Oops, that was a wrong bug number, please ignore.

Comment 5

[Bogdan Tara[:bogdan_tara | bogdant]]

https://hg.mozilla.org/mozilla-central/rev/1f67a586878d