1493710 - SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/WritingModes.h:244:38 in IsVertical

Status: RESOLVED FIXED

(Core :: Layout, defect)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 095ec59a8800.

==30963==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000011 (pc 0x7f2f5ccdb7f2 bp 0x7ffc37dbd7f0 sp 0x7ffc37dbd460 T0)
==30963==The signal is caused by a READ memory access.
==30963==Hint: address points to the zero page.
    #0 0x7f2f5ccdb7f1 in IsVertical /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/WritingModes.h:244:38
    #1 0x7f2f5ccdb7f1 in IsOrthogonalTo /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/WritingModes.h:595
    #2 0x7f2f5ccdb7f1 in IsBResizeForWM /builds/worker/workspace/build/src/layout/generic/ReflowInput.h:639
    #3 0x7f2f5ccdb7f1 in mozilla::ReflowInput::InitResizeFlags(nsPresContext*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:720
    #4 0x7f2f5d1a7acd in nsTextControlFrame::ReflowTextControlChild(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, mozilla::ReflowOutput&) /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:685:18
    #5 0x7f2f5d1a7202 in nsTextControlFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/forms/nsTextControlFrame.cpp:655:5
    #6 0x7f2f5cd34603 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:745:14
    #7 0x7f2f5cd2d785 in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:168:7
    #8 0x7f2f5ce795a8 in nsFrame::ReflowAbsoluteFrames(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, bool) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6444:24
    #9 0x7f2f5cdcecae in FinishReflowWithAbsoluteFrames /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6411:3
    #10 0x7f2f5cdcecae in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:882
    #11 0x7f2f5cdd044b in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #12 0x7f2f5cf0861b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #13 0x7f2f5cf0a189 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #14 0x7f2f5cf0f710 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #15 0x7f2f5cd2c058 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #16 0x7f2f5cd2a77b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
    #17 0x7f2f5ca8046b in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9016:11
    #18 0x7f2f5ca9b248 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9189:24
    #19 0x7f2f5ca9936c in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4342:11
    #20 0x7f2f5ca0f747 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:577:5
    #21 0x7f2f5ca0f747 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1930
    #22 0x7f2f5ca21441 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325:13
    #23 0x7f2f5ca21441 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:300
    #24 0x7f2f5ca20f61 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:318:5
    #25 0x7f2f5ca24241 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:756:5
    #26 0x7f2f5ca24241 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:672
    #27 0x7f2f5ca23998 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:572:9
    #28 0x7f2f5d4eada8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:78:16
    #29 0x7f2f541d708b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #30 0x7f2f53f4de60 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #31 0x7f2f53738685 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2248:25
    #32 0x7f2f537343b9 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2175:17
    #33 0x7f2f537364fd in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2012:5
    #34 0x7f2f53737227 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2045:15
    #35 0x7f2f52527897 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1166:14
    #36 0x7f2f52530415 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:519:10
    #37 0x7f2f53741d03 in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #38 0x7f2f5364473c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #39 0x7f2f5364473c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #40 0x7f2f5364473c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #41 0x7f2f5c3311a3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #42 0x7f2f607f62ee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #43 0x7f2f5364473c in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #44 0x7f2f5364473c in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #45 0x7f2f5364473c in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #46 0x7f2f607f5413 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #47 0x558b0e6d0b91 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #48 0x558b0e6d0b91 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:287
    #49 0x7f2f74482b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Comment 1

[Mats Palmgren (inactive)]

Hmm, the frame tree here is a bit surprising to me:
(rr) call this->DumpFrameTreeLimited()
nsTextControlFrame@62500075b8e8<
  Placeholder(div)(-1)@62500075b350 parent=62500075b8e8 outOfFlowFrame=HTMLScroll(div)(-1)@62500075b9c8
>
AbsoluteList 602000353e30 <
  HTMLScroll(div)(-1)@62500075b9c8<
    Block(div)(-1)@62500075b448<
      line 62500075b568: count=1 <
        Text(0)""@62500075bbe8
      >
    >
  >
>

I wasn't aware that one could use custom elements + shadow DOM
to create frame trees for replaced elements like this...

Anyway, it's a valid bug all the same.  We're failing to
initialize ReflowInput::mCBReflowInput in this case because
we early return for placeholders here:
https://searchfox.org/mozilla-central/rev/0640ea80fbc8d48f8b197cd363e2535c95a15eb3/layout/generic/ReflowInput.cpp#403,411
and later use it to query its mWritingMode per the stack above.

Comment 2

[Mats Palmgren (inactive)]

https://treeherder.mozilla.org/#/jobs?repo=try&revision=097f0377188f4a9d6f35ef4a7f81adfb81d9e7bd

Comment 3

[Emilio Cobos Álvarez (:emilio)]

Hmm, hold on, I'm not sure that's totally expected... Let me look at how the DOM looks like in that test-case.

Comment 4

[Emilio Cobos Álvarez (:emilio)]

Yeah, the shadow rules should not affect the NAC here. That's a bug.

Comment 5

[Emilio Cobos Álvarez (:emilio)]

This is a regression from bug 1487856.

Comment 6

[Emilio Cobos Álvarez (:emilio)]

Let me steal this. I think your patch looks fine as well, but I have a patch for the root cause of the issue.

I think we should uplift the real fix for the underlying issue to beta given we plan to ship Shadow DOM and the regressing bug slipped through beta.

Comment 7

[Emilio Cobos Álvarez (:emilio)]

Attachment: Don't apply containing shadow-host rules to NAC.

This is a regression from bug 1487856.

Comment 8

[Emilio Cobos Álvarez (:emilio)]

Comment on attachment 9011590 [details]
Don't apply containing shadow-host rules to NAC.

Approval Request Comment
[Feature/Bug causing the regression]: bug 1487856
[User impact if declined]: Wrong rules may be applied to internal elements, which may cause crashes since we assume we're in control of those.
[Is this code covered by automated tests?]: yes (included in the patch)
[Has the fix been verified in Nightly?]: not yet
[Needs manual test from QE? If yes, steps to reproduce]: not really
[List of other uplifts needed for the feature/fix]: none
[Is the change risky?]: not risky
[Why is the change risky/not risky?]: It just wraps a bit of code in a condition to preserve the behavior from before bug 1487856.
[String changes made/needed]: none

Comment 9

[Mats Palmgren (inactive)]

I spawned off bug 1493805 for adding the missing initialization
of ReflowInput::mCBReflowInput.

Comment 10

[Mats Palmgren (inactive)]

Comment on attachment 9011590 [details]
Don't apply containing shadow-host rules to NAC.

Mats Palmgren (:mats) has approved the revision.

Comment 11

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/73a8628576e4
Don't apply containing shadow-host rules to NAC. r=mats

Comment 12

[Natalia Csoregi [:nataliaCs]]

Backed out for failures on layout/reftests/forms/input/shadow-rules.html

It affects the subsequent pushes as well, especially https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=reftest&group_state=expanded&revision=f629b66a235fdf3f37646dc55bf4e2e8e188a48a

backout:  https://hg.mozilla.org/integration/autoland/rev/2fa7c04b9118285082959c0873d47e198e9be150

push with failures: https://treeherder.mozilla.org/#/jobs?repo=autoland&searchStr=reftest&group_state=expanded&revision=73a8628576e4e6e6361065044d1dd8ee4296b10c&selectedJob=201308352

failure log: https://treeherder.mozilla.org/logviewer.html#?job_id=201308352&repo=autoland&lineNumber=38613

00:38:10     INFO - REFTEST TEST-START | file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html == file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules-ref.html
00:38:10     INFO - REFTEST TEST-LOAD | file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html | 2 / 3 (66%)
00:43:10     INFO - REFTEST TEST-UNEXPECTED-FAIL | file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html == file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules-ref.html | load failed: timed out after 300000 ms waiting for 'load' event for file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html
00:43:10     INFO - REFTEST INFO | Saved log: START file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html
00:43:10     INFO - REFTEST TEST-END | file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules.html == file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/shadow-rules-ref.html
00:43:10     INFO - REFTEST INFO | Slowest test took 46ms (file:///Z:/task_1537833696/build/tests/reftest/tests/layout/reftests/forms/input/selector-read-write-type-change-002.html)
00:43:10     INFO - REFTEST INFO | Total canvas count = 2
00:43:10     INFO - [Parent 4188, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 1108, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 1108, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - JavaScript error: resource://reftest/reftest.jsm, line 1546: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPropertyBag2.getPropertyAsAString]
00:43:10     INFO - [Parent 4188, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 5572, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 5572, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - JavaScript error: resource://reftest/reftest.jsm, line 1546: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPropertyBag2.getPropertyAsAString]
00:43:10     INFO - [Parent 4188, Gecko_IOThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 4432, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - [Child 4432, Chrome_ChildThread] WARNING: pipe error: 109: file z:/build/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 346
00:43:10     INFO - JavaScript error: resource://reftest/reftest.jsm, line 1546: NS_ERROR_NOT_AVAILABLE: Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsIPropertyBag2.getPropertyAsAString]
00:43:11     INFO - 1537836190969	Marionette	DEBUG	Received observer notification xpcom-will-shutdown
00:43:11     INFO - 1537836190969	Marionette	INFO	Stopped listening on port 2828
00:43:11     INFO - 1537836190969	Marionette	DEBUG	Remote service is inactive
00:43:11     INFO - [GPU 1848,
00:43:11     INFO - ###!!! [Child][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost
00:43:11     INFO -  Chrome_ChildThread] WARNING: pipe error: 109: file z:/bu

Comment 13

[Mats Palmgren (inactive)]

The manifest file layout/reftests/forms/input/reftest.list doesn't match
where the test was added (under text/).  My bad, I should've caught that
in the review...

Comment 15

[Pulsebot]

Pushed by emilio@crisal.io:
https://hg.mozilla.org/integration/autoland/rev/c5e55282c2d1
Don't apply containing shadow-host rules to NAC. r=mats

Comment 16

[Eliza Balazs [:ebalazs_]]

https://hg.mozilla.org/mozilla-central/rev/c5e55282c2d1

Comment 17

[Pascal Chevrel:pascalc]

Comment on attachment 9011590 [details]
Don't apply containing shadow-host rules to NAC.

Emilio, could you request the approval on the updated patch? Thanks

Comment 18

[Julien Cristau [:jcristau]]

Comment on attachment 9011590 [details]
Don't apply containing shadow-host rules to NAC.

emilio updated the patch

Comment 19

[Pascal Chevrel:pascalc]

Comment on attachment 9011590 [details]
Don't apply containing shadow-host rules to NAC.

Uplift approved for 63 beta 10, thanks!

Comment 20

[Dorel Luca [:dluca]]

When trying to graft this bug for uplift I got a conflict on servo/components/style/stylist.rs.

emilio: Can you please take a look ?

Comment 21

[Emilio Cobos Álvarez (:emilio)]

Attachment: Rebased patch.

They were only formatting changes since the style system was rustfmt'd.

Comment 22

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/releases/mozilla-beta/rev/7a888f0923ee