Closed
Bug 1504715
Opened 6 years ago
Closed 3 years ago
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type
Categories: Core :: Layout: Text and Fonts, defect, P4
People: Reporter: jkratzer, Unassigned
References: Blocks 1 open bug
Details: Keywords: crash, testcase
Attachments (1 file): 715 bytes, text/html
Testcase found while fuzzing mozilla-central rev d2963b5a2897.

SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38 in Type
==6194==ABORTING
=================================================================
==7133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7fd33e51b8bf bp 0x7ffd18639f50 sp 0x7ffd18639ba0 T0)
==7133==The signal is caused by a READ memory access.
==7133==Hint: address points to the zero page.
    #0 0x7fd33e51b8be in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38
    #1 0x7fd33e51b8be in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:41
    #2 0x7fd33e51b8be in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1080
    #3 0x7fd33e519c77 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:755:5
    #4 0x7fd33e75c742 in ResolveBidi /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:7591:10
    #5 0x7fd33e75c742 in nsBlockFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:812
    #6 0x7fd33e7f3b0e in nsColumnSetFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:526:35
    #7 0x7fd33e93265e in nsHTMLScrollFrame::GetMinISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:868:44
    #8 0x7fd33e7fea4f in ShrinkWidthToFit /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6415:22
    #9 0x7fd33e7fea4f in nsContainerFrame::ComputeAutoSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:862
    #10 0x7fd33e8077f6 in nsFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:5658:24
    #11 0x7fd33e6d9ce9 in FloatMarginISize(mozilla::ReflowInput const&, int, nsIFrame*, mozilla::SizeComputationInput const&) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:692:13
    #12 0x7fd33e6d3dd3 in mozilla::BlockReflowInput::FlowAndPlaceFloat(nsIFrame*) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:808:30
    #13 0x7fd33e6d2b8a in mozilla::BlockReflowInput::AddFloat(nsLineLayout*, nsIFrame*, int) /builds/worker/workspace/build/src/layout/generic/BlockReflowInput.cpp:627:14
    #14 0x7fd33ea17a39 in AddFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.h:181:22
    #15 0x7fd33ea17a39 in TryToPlaceFloat /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:1553
    #16 0x7fd33ea17a39 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:975
    #17 0x7fd33e798f9d in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4271:15
    #18 0x7fd33e796fb3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4071:5
    #19 0x7fd33e78b4b4 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3944:9
    #20 0x7fd33e781f9b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2926:5
    #21 0x7fd33e773333 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2460:7
    #22 0x7fd33e766ce6 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1294:3
    #23 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #24 0x7fd33e7ef26b in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool, nsCollapsingMargin*, nsColumnSetFrame::ColumnBalanceData&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:804:7
    #25 0x7fd33e7f7e8f in ReflowColumns /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:487:19
    #26 0x7fd33e7f7e8f in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1244
    #27 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #28 0x7fd33e7e53ef in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:803:5
    #29 0x7fd33e7e7c60 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:951:14
    #30 0x7fd33e92e41d in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*, bool) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:606:3
    #31 0x7fd33e92ff8e in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:730:3
    #32 0x7fd33e9357d5 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1120:3
    #33 0x7fd33e7407e6 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:995:14
    #34 0x7fd33e73ee9c in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:338:7
    #35 0x7fd33e48373e in mozilla::PresShell::DoReflow(nsIFrame*, bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9057:11
    #36 0x7fd33e49f8dc in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9230:24
    #37 0x7fd33e49d92a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4387:11
    #38 0x7fd33e40fb42 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:591:5
    #39 0x7fd33e40fb42 in nsRefreshDriver::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1932
    #40 0x7fd33e422593 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:326:13
    #41 0x7fd33e422593 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:301
    #42 0x7fd33e422261 in mozilla::RefreshDriverTimer::Tick(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319:5
    #43 0x7fd33e42521f in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:760:5
    #44 0x7fd33e42521f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:676
    #45 0x7fd33e424b52 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:573:9
    #46 0x7fd33ef224d8 in mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:76:16
    #47 0x7fd33592f237 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:167:20
    #48 0x7fd3356b376d in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2280:28
    #49 0x7fd334ec1b79 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2255:25
    #50 0x7fd334ebd4fa in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2182:17
    #51 0x7fd334ebf701 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2019:5
    #52 0x7fd334ec05c7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2052:15
    #53 0x7fd333c5bbd1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1246:14
    #54 0x7fd333c6491d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:530:10
    #55 0x7fd334ecaedf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:97:21
    #56 0x7fd334dc723e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #57 0x7fd334dc723e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #58 0x7fd334dc723e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #59 0x7fd33dd3d953 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:158:27
    #60 0x7fd342440bee in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:939:22
    #61 0x7fd334dc723e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:325:10
    #62 0x7fd334dc723e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:318
    #63 0x7fd334dc723e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:298
    #64 0x7fd34243fc1a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:765:34
    #65 0x5587947e8864 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #66 0x5587947e8864 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:301
    #67 0x7fd356d3db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
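For triaging reports like the one above, it helps to pull the fault address, access type and the first non-inlined project frame out of the ASan text mechanically. The script below is an added example written for this page, not code from the reporter or from Mozilla's fuzzing tooling; it parses a constructed excerpt of the report (the header lines and a few frames copied from the trace) and derives the same kind of bucket and signature a triager would write by hand: an address on the zero page points at a NULL pointer plus a small field offset, i.e. a missing null check, and the signature skips header-inlined accessors such as `Type` and `IsLetterFrame` that share a pc with `nsBidiPresUtils::TraverseFrames`. The `.cpp`-file heuristic for picking the signature frame and the `0x1000` zero-page threshold are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample input: an excerpt of the ASan report from this bug
# (header lines plus a handful of frames), embedded so the script runs offline.
SAMPLE_REPORT = """\
==7133==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000065 (pc 0x7fd33e51b8bf bp 0x7ffd18639f50 sp 0x7ffd18639ba0 T0)
==7133==The signal is caused by a READ memory access.
==7133==Hint: address points to the zero page.
    #0 0x7fd33e51b8be in Type /builds/worker/workspace/build/src/layout/generic/nsIFrame.h:2795:38
    #1 0x7fd33e51b8be in IsLetterFrame /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/FrameTypeList.h:41
    #2 0x7fd33e51b8be in nsBidiPresUtils::TraverseFrames(nsBlockInFlowLineIterator*, nsIFrame*, BidiParagraphData*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:1080
    #3 0x7fd33e519c77 in nsBidiPresUtils::Resolve(nsBlockFrame*) /builds/worker/workspace/build/src/layout/base/nsBidiPresUtils.cpp:755:5
    #67 0x7fd356d3db96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
"""

ERROR_RE = re.compile(
    r"^==\d+==ERROR: AddressSanitizer: (?P<kind>\S+) on unknown address "
    r"(?P<addr>0x[0-9a-fA-F]+) \(pc (?P<pc>0x[0-9a-fA-F]+)")
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access")
HINT_RE = re.compile(r"^==\d+==Hint: address points to the zero page")
# Function names may contain spaces (parameter lists), the file path never does,
# so the function group is lazy and the path must be followed by ":line[:col]".
FRAME_RE = re.compile(
    r"^#(?P<idx>\d+) (?P<pc>0x[0-9a-fA-F]+) in (?P<func>.+?) "
    r"(?P<file>\S+?):(?P<line>\d+)(?::(?P<col>\d+))?$")


@dataclass
class Frame:
    idx: int
    pc: int
    func: str
    file: str
    line: int
    col: Optional[int]


@dataclass
class AsanReport:
    kind: str = ""
    address: int = 0
    pc: int = 0
    access: str = ""
    zero_page_hint: bool = False
    frames: List[Frame] = field(default_factory=list)


def parse_asan_report(text: str) -> AsanReport:
    """Parse the ASan header lines and the stack frames that follow them."""
    report = AsanReport()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := ERROR_RE.match(line)):
            report.kind = m["kind"]
            report.address = int(m["addr"], 16)
            report.pc = int(m["pc"], 16)
        elif (m := ACCESS_RE.match(line)):
            report.access = m["access"]
        elif HINT_RE.match(line):
            report.zero_page_hint = True
        elif (m := FRAME_RE.match(line)):
            report.frames.append(Frame(
                idx=int(m["idx"]), pc=int(m["pc"], 16), func=m["func"],
                file=m["file"], line=int(m["line"]),
                col=int(m["col"]) if m["col"] else None))
    return report


def classify(report: AsanReport) -> str:
    """Coarse triage bucket. A SEGV whose fault address lies on the first page
    (assumed threshold 0x1000) is NULL plus a field offset, which means a
    missing null check rather than a corrupted or dangling pointer."""
    if report.kind != "SEGV":
        return report.kind
    if report.address < 0x1000:
        return "near-null dereference"
    return "wild pointer access"


def crash_signature(report: AsanReport) -> str:
    """Bugzilla-style signature: the first frame located in a .cpp file, which
    skips accessors inlined from headers (#0 and #1 share one pc with #2 in
    the sample), with the parameter list dropped. The .cpp rule is a heuristic."""
    for f in report.frames:
        if f.file.endswith(".cpp"):
            return f"[@ {f.func.split('(', 1)[0]}]"
    return f"[@ {report.frames[0].func}]" if report.frames else "[@ unknown]"


if __name__ == "__main__":
    r = parse_asan_report(SAMPLE_REPORT)
    print(r.kind, hex(r.address), r.access, classify(r), crash_signature(r))
```

Run on the sample, the script yields `SEGV 0x65 READ near-null dereference [@ nsBidiPresUtils::TraverseFrames]`, which agrees with the crash signature recorded on this bug and with the reading in comment 1 that the fault is a read from the zero page.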
Comment 1•6 years ago
A placeholder frame is visited by bidi but it has no corresponding oof frame: https://searchfox.org/mozilla-central/rev/7c848ac7630df5baf1314b0c03e015683599efb9/layout/base/nsBidiPresUtils.cpp#1080 This SEGV itself doesn't sound too terrible as it's reading the zero page. But it would be interesting to know why there is a placeholder frame without oof frame during reflow...
Priority: -- → P4
Updated•3 years ago
Crash Signature: [@ nsBidiPresUtils::TraverseFrames]
status-firefox83:
--- → wontfix
status-firefox84:
--- → affected
status-firefox85:
--- → affected
status-firefox-esr78:
--- → affected
Comment 2•3 years ago
Hey Jason,
Please update the resolution or the affected flags for this issue when you have the time. Thank you!
Flags: needinfo?(jkratzer)
Reporter
Comment 3•3 years ago
I am unable to reproduce this issue using the testcase attached here on either mozilla-central rev 3d42785f84cb (tip) or mozilla-central rev 28cf163158a6 (oldest available build). I think we can safely close this issue.
Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(jkratzer)
Resolution: --- → WORKSFORME
Updated•3 years ago