Closed Bug 1511442 Opened 1 year ago Closed 6 months ago

stack-overflow in [@ ScrollToShowRect]

Categories

(Core :: Layout, defect, P3)

Tracking

RESOLVED WORKSFORME
Tracking Status
firefox64 --- wontfix
firefox65 --- wontfix

People

(Reporter: tsmith, Unassigned)

References

(Blocks 2 open bugs)

Details

(Keywords: crash, testcase)

Attachments

(3 files)

Attached file testcase.html
==2462==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe8259fe58 (pc 0x5595c209946b bp 0x7ffe825a06b0 sp 0x7ffe8259fe60 T0)
    #0 0x5595c209946a in __asan_memmove /builds/worker/workspace/moz-toolchain/src/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:31:3
    #1 0x7f7091a3098d in move src/obj-firefox/dist/include/nsCharTraits.h:141:36
    #2 0x7f7091a3098d in nsTSubstring<char16_t>::StartBulkWriteImpl(unsigned int, unsigned int, bool, unsigned int, unsigned int, unsigned int) src/xpcom/string/nsTSubstring.cpp:240
    #3 0x7f7091a432fe in nsTSubstring<char16_t>::Assign(char16_t const*, unsigned int, std::nothrow_t const&) src/xpcom/string/nsTSubstring.cpp:442:12
    #4 0x7f7091a2c7f7 in nsTSubstring<char16_t>::Assign(char16_t const*, unsigned int) src/xpcom/string/nsTSubstring.cpp:410:7
    #5 0x7f7095dc8cab in mozilla::dom::Element::GetAttr(int, nsAtom const*, nsTSubstring<char16_t>&) const src/dom/base/Element.cpp:2912:7
    #6 0x7f709d0bd840 in GetIntegerAttribute src/layout/xul/nsSliderFrame.cpp:194:29
    #7 0x7f709d0bd840 in GetCurrentPosition src/layout/xul/nsSliderFrame.cpp:161
    #8 0x7f709d0bd840 in nsSliderFrame::CurrentPositionChanged() src/layout/xul/nsSliderFrame.cpp:763
    #9 0x7f709d0b801c in nsSliderFrame::AttributeChanged(int, nsAtom*, int) src/layout/xul/nsSliderFrame.cpp:215:6
    #10 0x7f709c70e2fc in mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/layout/base/RestyleManager.cpp:3450:19
    #11 0x7f709c70daad in mozilla::PresShell::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/layout/base/PresShell.cpp:4520:37
    #12 0x7f70961f7a85 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/dom/base/nsNodeUtils.cpp:170:3
    #13 0x7f7095dd98da in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) src/dom/base/Element.cpp:2749:5
    #14 0x7f7095dcf524 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2582:10
    #15 0x7f709d0b6231 in SetAttr src/obj-firefox/dist/include/mozilla/dom/Element.h:867:12
    #16 0x7f709d0b6231 in SetAttr src/obj-firefox/dist/include/mozilla/dom/Element.h:862
    #17 0x7f709d0b6231 in nsScrollbarFrame::UpdateChildrenAttributeValue(nsAtom*, bool) src/layout/xul/nsScrollbarFrame.cpp:466
    #18 0x7f709d0b5c29 in nsScrollbarFrame::AttributeChanged(int, nsAtom*, int) src/layout/xul/nsScrollbarFrame.cpp:99:3
    #19 0x7f709c70e2fc in mozilla::RestyleManager::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/layout/base/RestyleManager.cpp:3450:19
    #20 0x7f709c70daad in mozilla::PresShell::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/layout/base/PresShell.cpp:4520:37
    #21 0x7f70961f7a85 in nsNodeUtils::AttributeChanged(mozilla::dom::Element*, int, nsAtom*, int, nsAttrValue const*) src/dom/base/nsNodeUtils.cpp:170:3
    #22 0x7f7095dd98da in mozilla::dom::Element::SetAttrAndNotify(int, nsAtom*, nsAtom*, nsAttrValue const*, nsAttrValue&, nsIPrincipal*, unsigned char, bool, bool, bool, nsIDocument*, mozAutoDocUpdate const&) src/dom/base/Element.cpp:2749:5
    #23 0x7f7095dcf524 in mozilla::dom::Element::SetAttr(int, nsAtom*, nsAtom*, nsTSubstring<char16_t> const&, nsIPrincipal*, bool) src/dom/base/Element.cpp:2582:10
    #24 0x7f709cbeb302 in SetAttr src/obj-firefox/dist/include/mozilla/dom/Element.h:867:12
    #25 0x7f709cbeb302 in SetAttr src/obj-firefox/dist/include/mozilla/dom/Element.h:862
    #26 0x7f709cbeb302 in mozilla::ScrollFrameHelper::SetCoordAttribute(mozilla::dom::Element*, nsAtom*, int) src/layout/generic/nsGfxScrollFrame.cpp:6138
    #27 0x7f709cbcfa89 in mozilla::ScrollFrameHelper::UpdateScrollbarPosition() src/layout/generic/nsGfxScrollFrame.cpp:5002:5
    #28 0x7f709cbc4f3a in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, nsAtom*) src/layout/generic/nsGfxScrollFrame.cpp:3056:5
    #29 0x7f709cbc713e in mozilla::ScrollFrameHelper::CompleteAsyncScroll(nsRect const&, nsAtom*) src/layout/generic/nsGfxScrollFrame.cpp:2249:3
    #30 0x7f709cbc9bb3 in mozilla::ScrollFrameHelper::ScrollToWithOrigin(nsPoint, nsIScrollableFrame::ScrollMode, nsAtom*, nsRect const*, nsIScrollbarMediator::ScrollSnapMode) src/layout/generic/nsGfxScrollFrame.cpp:2386:5
    #31 0x7f709ccc6991 in ScrollTo src/layout/generic/nsGfxScrollFrame.cpp:2291:3
    #32 0x7f709ccc6991 in ScrollTo src/layout/generic/nsGfxScrollFrame.h:897
    #33 0x7f709ccc6991 in non-virtual thunk to nsHTMLScrollFrame::ScrollTo(nsPoint, nsIScrollableFrame::ScrollMode, nsRect const*, nsIScrollbarMediator::ScrollSnapMode) src/layout/generic/nsGfxScrollFrame.h
    #34 0x7f709c6ffaf1 in ScrollToShowRect src/layout/base/PresShell.cpp:3579:25
    #35 0x7f709c6ffaf1 in mozilla::PresShell::ScrollFrameRectIntoView(nsIFrame*, nsRect const&, nsIPresShell::ScrollAxis, nsIPresShell::ScrollAxis, unsigned int) src/layout/base/PresShell.cpp:3735
    #36 0x7f709c6fdf69 in mozilla::PresShell::DoScrollContentIntoView() src/layout/base/PresShell.cpp:3689:3
    #37 0x7f709c708b87 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4408:9
    #38 0x7f7096090f0e in FlushPendingNotifications src/layout/base/nsIPresShell.h:591:5
    #39 0x7f7096090f0e in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7790
    #40 0x7f709c6ae67e in FlushLayout src/layout/base/AccessibleCaretManager.cpp:978:12
    #41 0x7f709c6ae67e in mozilla::AccessibleCaretManager::UpdateCarets(mozilla::EnumSet<mozilla::AccessibleCaretManager::UpdateCaretsHint, unsigned char> const&) src/layout/base/AccessibleCaretManager.cpp:186
    #42 0x7f709c6b6e24 in mozilla::AccessibleCaretManager::OnScrollPositionChanged() src/layout/base/AccessibleCaretManager.cpp:670:7
    #43 0x7f709fb9344a in nsDocShell::NotifyScrollObservers() src/docshell/base/nsDocShell.cpp:2458:12
    #44 0x7f709fb937f7 in non-virtual thunk to nsDocShell::NotifyScrollObservers() src/docshell/base/nsDocShell.cpp
    #45 0x7f709cbc59d2 in mozilla::ScrollFrameHelper::ScrollToImpl(nsPoint, nsRect const&, nsAtom*) src/layout/generic/nsGfxScrollFrame.cpp:3075:15
    #46 0x7f709cbc713e in mozilla::ScrollFrameHelper::CompleteAsyncScroll(nsRect const&, nsAtom*) src/layout/generic/nsGfxScrollFrame.cpp:2249:3
    #47 0x7f709cbc9bb3 in mozilla::ScrollFrameHelper::ScrollToWithOrigin(nsPoint, nsIScrollableFrame::ScrollMode, nsAtom*, nsRect const*, nsIScrollbarMediator::ScrollSnapMode) src/layout/generic/nsGfxScrollFrame.cpp:2386:5
    #48 0x7f709ccc6991 in ScrollTo src/layout/generic/nsGfxScrollFrame.cpp:2291:3
    #49 0x7f709ccc6991 in ScrollTo src/layout/generic/nsGfxScrollFrame.h:897
Flags: in-testsuite?
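The trace above is a re-entrancy cycle: ScrollToImpl notifies scroll observers, AccessibleCaretManager flushes layout, the flush scrolls the caret into view via ScrollToShowRect, and that lands back in ScrollToImpl until the stack is exhausted. The following is an added, constructed model of that cycle next to a re-entrancy guard of the kind used to break such loops; it is not Gecko code and not this bug's fix (the bug stopped reproducing), and every name in it is hypothetical.

```cpp
#include <functional>
#include <vector>

// Constructed model of the cycle in the trace above (ScrollToImpl ->
// NotifyScrollObservers -> OnScrollPositionChanged -> FlushLayout ->
// ScrollToShowRect -> ScrollTo -> ScrollToImpl). Not Gecko code; all
// names and the re-entrancy guard are hypothetical.
struct ScrollFrame {
    int position = 0;
    int depth = 0;            // current nesting of ScrollToImpl
    int maxDepth = 0;         // deepest nesting reached
    int suppressed = 0;       // nested notifications the guard dropped
    bool notifying = false;   // set while observers are being notified
    bool overflowed = false;  // model's stand-in for the ASan stack-overflow
    bool guarded = false;     // false: behave like the trace; true: apply the guard
    std::vector<std::function<void(ScrollFrame&)>> observers;

    // Stands in for the real stack limit so the unguarded model terminates.
    static constexpr int kStackLimit = 64;

    void ScrollToImpl(int pos) {
        position = pos;
        // Guard: a scroll requested from inside the observer notification
        // updates the position but does not re-enter the notification.
        if (guarded && notifying) { ++suppressed; return; }
        if (++depth > maxDepth) maxDepth = depth;
        if (depth > kStackLimit) { overflowed = true; --depth; return; }
        notifying = true;                       // NotifyScrollObservers()
        for (auto& o : observers) { if (overflowed) break; o(*this); }
        notifying = false;
        --depth;
    }
};

// Plays the role of AccessibleCaretManager::OnScrollPositionChanged: the
// layout flush scrolls the caret into view, which lands back in ScrollToImpl.
// In the model it always asks for one more unit, so it never converges.
void CaretObserver(ScrollFrame& f) { f.ScrollToImpl(f.position + 1); }

// Runs one scroll with the caret observer attached and returns the final
// frame state: unguarded, maxDepth passes kStackLimit and overflowed is set;
// guarded, the nested scroll is absorbed and maxDepth stays at 1.
ScrollFrame RunScenario(bool guarded) {
    ScrollFrame f;
    f.guarded = guarded;
    f.observers.push_back(CaretObserver);
    f.ScrollToImpl(10);
    return f;
}
```

The guard only removes the unbounded recursion; a production fix would also have to decide how a scroll requested during notification is delivered to observers.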
Attached file prefs.js
Individual transforms aren't enabled by default yet, so tentatively marking this P3.
Priority: -- → P3
Still no idea for this bug, for now. But obviously we have to fix this before landing Bug 1506939. :(
Blocks: 1506939
Flags: needinfo?(boris.chiou)
Flags: needinfo?(boris.chiou)
No longer blocks: 1506939

In prefs.js, I cannot find these two prefs:

  1. user_pref("layout.css.ruby.enabled", true);
  2. user_pref("layout.css.vertical-text.enabled", true);

Besides, I cannot reproduce this right now on the tip today with:

user_pref("layout.accessiblecaret.enabled", true);
user_pref("layout.css.font-variations.enabled", true);
user_pref("layout.css.individual-transform.enabled", true);

Tyson, could you please check this again? Thanks.

Flags: needinfo?(twsmith)

(In reply to Boris Chiou [:boris] from comment #4)

Tyson, could you please check this again? Thanks.

Prefs look good. This issue was hit by a fuzzer a few times daily until the beginning of January (m-c 20190103-d4cbd7e2b418); since then it seems to have been hit only once, in April (m-c 20190407-1c0ed0456994). The attached test case no longer reproduces the issue.

Flags: needinfo?(twsmith)
No longer blocks: 1424900

Closing as per comment 3.

Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED

Should we land the testcase as a crashtest still?

Flags: needinfo?(hikezoe.birchill)
Resolution: FIXED → WORKSFORME
Flags: needinfo?(hikezoe.birchill)