Closed Bug 1504715 Opened 6 years ago Closed 3 years ago

SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type

Categories

(Core :: Layout: Text and Fonts, defect, P4)

defect

Tracking

()

RESOLVED WORKSFORME
Tracking Status
firefox-esr78 --- wontfix
firefox65 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix

People

(Reporter: jkratzer, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: crash, testcase)

Crash Data

Attachments

(1 file)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev d2963b5a2897.

SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type
==6194==ABORTING
=================================================================
==7133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7fd33e51b8bf bp 0x7ffd18639f50 sp 0x7ffd18639ba0 T0)
==7133==The signal is caused by a READ memory access.
==7133==Hint: address points to the zero page.
    #0 0x7fd33e51b8be in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38
    #1 0x7fd33e51b8be in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:41
    #2 0x7fd33e51b8be in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1080
    #3 0x7fd33e519c77 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:755:5
    #4 0x7fd33e75c742 in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7591:10
    #5 0x7fd33e75c742 in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:812
    #6 0x7fd33e7f3b0e in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:526:35
    #7 0x7fd33e93265e in nsHTMLScrollFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:868:44
    #8 0x7fd33e7fea4f in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6415:22
    #9 0x7fd33e7fea4f in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:862
    #10 0x7fd33e8077f6 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5658:24
    #11 0x7fd33e6d9ce9 in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:13
    #12 0x7fd33e6d3dd3 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:808:30
    #13 0x7fd33e6d2b8a in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #14 0x7fd33ea17a39 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:181:22
    #15 0x7fd33ea17a39 in TryToPlaceFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1553
    #16 0x7fd33ea17a39 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:975
    #17 0x7fd33e798f9d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4271:15
    #18 0x7fd33e796fb3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4071:5
    #19 0x7fd33e78b4b4 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3944:9
    #20 0x7fd33e781f9b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2926:5
    #21 0x7fd33e773333 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2460:7
    #22 0x7fd33e766ce6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1294:3
    #23 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #24 0x7fd33e7ef26b in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:804:7
    #25 0x7fd33e7f7e8f in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:487:19
    #26 0x7fd33e7f7e8f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1244
    #27 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #28 0x7fd33e7e53ef in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
    #29 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #30 0x7fd33e92e41d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #31 0x7fd33e92ff8e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #32 0x7fd33e9357d5 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #33 0x7fd33e7407e6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #34 0x7fd33e73ee9c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
    #35 0x7fd33e48373e in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9057:11
    #36 0x7fd33e49f8dc in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9230:24
    #37 0x7fd33e49d92a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4387:11
    #38 0x7fd33e40fb42 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:591:5
    #39 0x7fd33e40fb42 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1932
    #40 0x7fd33e422593 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:13
    #41 0x7fd33e422593 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #42 0x7fd33e422261 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319:5
    #43 0x7fd33e42521f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #44 0x7fd33e42521f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:676
    #45 0x7fd33e424b52 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:573:9
    #46 0x7fd33ef224d8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:76:16
    #47 0x7fd33592f237 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #48 0x7fd3356b376d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #49 0x7fd334ec1b79 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2255:25
    #50 0x7fd334ebd4fa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2182:17
    #51 0x7fd334ebf701 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:5
    #52 0x7fd334ec05c7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2052:15
    #53 0x7fd333c5bbd1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #54 0x7fd333c6491d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #55 0x7fd334ecaedf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #56 0x7fd334dc723e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #57 0x7fd334dc723e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #58 0x7fd334dc723e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #59 0x7fd33dd3d953 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #60 0x7fd342440bee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #61 0x7fd334dc723e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #62 0x7fd334dc723e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #63 0x7fd334dc723e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #64 0x7fd34243fc1a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #65 0x5587947e8864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #66 0x5587947e8864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:301
    #67 0x7fd356d3db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
A placeholder frame is visited by bidi but it has no corresponding oof frame: https://searchfox.org/mozilla-central/rev/7c848ac7630df5baf1314b0c03e015683599efb9/layout/base/nsBidiPresUtils.cpp#1080

This SEGV itself doesn't sound too terrible as it's reading the zero page. But it would be interesting to know why there is a placeholder frame without oof frame during reflow...
Priority: -- → P4
See Also: → 1488781
Crash Signature: [@ nsBidiPresUtils::TraverseFrames]

Hey Jason,
Please update the resolution or the affected flags for this issue when you have the time. Thank you!

Flags: needinfo?(jkratzer)

I am unable to reproduce this issue using the testcase attached here on either mozilla-central rev 3d42785f84cb (tip) or mozilla-central rev 28cf163158a6 (oldest available build). I think we can safely close this issue.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: