Closed Bug 1488910 Opened 5 years ago Closed 2 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4133:43 in MayHaveWillChangeBudget

Categories: Core :: Layout, defect, P3

Tracking: RESOLVED FIXED

People: Reporter: jkratzer, Assigned: dholbert

References: Blocks 2 open bugs

Details: Keywords: crash, testcase; Whiteboard: qa-not-actionable

Attachments: 3 files

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 26990836dc5c.

==9398==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000066 (pc 0x7f4ca8158828 bp 0x7ffe1de3c250 sp 0x7ffe1de3c220 T0)
==9398==The signal is caused by a READ memory access.
==9398==Hint: address points to the zero page.
    #0 0x7f4ca8158827 in MayHaveWillChangeBudget /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:4133:43
    #1 0x7f4ca8158827 in nsDisplayListBuilder::ClearWillChangeBudget(nsIFrame*) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2175
    #2 0x7f4ca77b0719 in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3597:15
    #3 0x7f4ca7831ee0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6765:13
    #4 0x7f4ca782eeec in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6860:7
    #5 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #6 0x7f4ca78731ba in nsColumnSetFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1271:5
    #7 0x7f4ca77b43fd in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3806:12
    #8 0x7f4ca7831ee0 in DisplayLine(nsDisplayListBuilder*, nsRect const&, nsLineList_iterator&, int, int&, nsDisplayListSet const&, nsBlockFrame*, mozilla::css::TextOverflow*, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6765:13
    #9 0x7f4ca782eeec in nsBlockFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:6860:7
    #10 0x7f4ca77b43fd in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3806:12
    #11 0x7f4ca785e4fa in nsCanvasFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:651:5
    #12 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #13 0x7f4ca79cbee2 in mozilla::ScrollFrameHelper::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3696:15
    #14 0x7f4ca77b415c in nsIFrame::BuildDisplayListForChild(nsDisplayListBuilder*, nsIFrame*, nsDisplayListSet const&, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3784:14
    #15 0x7f4ca77aef19 in mozilla::ViewportFrame::BuildDisplayList(nsDisplayListBuilder*, nsDisplayListSet const&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:66:5
    #16 0x7f4ca78eaada in nsIFrame::BuildDisplayListForStackingContext(nsDisplayListBuilder*, nsDisplayList*, bool*) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:3080:5
    #17 0x7f4ca76a3e54 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3724:17
    #18 0x7f4ca7549d17 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6353:5
    #19 0x7f4ca6ce4017 in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:480:19
    #20 0x7f4ca6ce2e4c in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:412:33
    #21 0x7f4ca6ce8a76 in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1102:5
    #22 0x7f4ca749f99e in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2042:11
    #23 0x7f4ca74af9a2 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:324:13
    #24 0x7f4ca74af9a2 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:299
    #25 0x7f4ca74af4d1 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:317:5
    #26 0x7f4ca74b2ab1 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:755:5
    #27 0x7f4ca74b2ab1 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:671
    #28 0x7f4ca74b258b in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:571:9
    #29 0x7f4ca7f72d06 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #30 0x7f4c9edb313d in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #31 0x7f4c9eb410e8 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #32 0x7f4c9e39822e in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #33 0x7f4c9e393b5e in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #34 0x7f4c9e395fbd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #35 0x7f4c9e396d17 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #36 0x7f4c9d1a35a0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1161:14
    #37 0x7f4c9d1ac275 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #38 0x7f4c9e3a22fe in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #39 0x7f4c9e2a39bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7f4c9e2a39bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7f4c9e2a39bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7f4ca6dcc786 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #43 0x7f4cab15fe8e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:944:22
    #44 0x7f4c9e2a39bc in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #45 0x7f4c9e2a39bc in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #46 0x7f4c9e2a39bc in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #47 0x7f4cab15ef45 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:770:34
    #48 0x4f6b61 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #49 0x4f6b61 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #50 0x7f4cbeb11b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
This seems to also be a case where a placeholder has no out-of-flow frame which leads to crash during painting, so I strongly suspect this is the same underlying issue as bug 1488781.
Priority: -- → P3
See Also: → 1488781
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla64 → ---
Status: REOPENED → NEW
Whiteboard: qa-not-actionable
Severity: critical → S2

This might be WFM? The testcase doesn't reproduce the crash for me anymore, in recent Nightlies, though it does repro in Nightlies from around when this bug was filed.

Regular Nightlies (old ones via mozregression) are sufficient; they don't need to be ASAN builds. Though I do sometimes have to reload a couple times to trigger the crash.

Here's a testcase with unprefixed column styling, to remove that variable (since we dropped support for prefixed column styling at some point). Old/affected nightlies crash with this testcase, while recent Nightlies do not.

Dropping severity to S3 given this was a safe (null-deref, i.e. near-null pointer access) crash, with a fuzzer testcase, not known to affect any particular content in the wild.

Severity: S2 → S3

(In reply to Daniel Holbert [:dholbert] from comment #6)

The testcase doesn't reproduce the crash for me anymore, in recent Nightlies, though it does repro in Nightlies from around when this bug was filed.

Fix range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=12cc80a0e9968ade961879ee07effb815da691f0&tochange=d3d642b624886729636c3690a806f38b4d737731

Looking in that range, this probably would've been an incidental fix that fell out from the changes in bug 1421105 (which was multi-column-related). Calling fixed with a dependency on that bug.

Status: NEW → RESOLVED
Closed: 5 years ago → 2 months ago
Depends on: 1421105
Resolution: --- → FIXED
Pushed by dholbert@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/aa8c8323ef48
Add crashtests for this no-longer-reproducible bug. (no review, crashtest-only)
Assignee: nobody → dholbert