Closed Bug 1513282 Opened 5 years ago Closed 5 years ago

Crash [@ MOZ_CrashOOL] near nsFrame::DoGetParentComputedStyle(nsIFrame**) const src/layout/generic/nsFrame.cpp:9972:13

Categories

(Core :: Layout, defect, P3)

Tracking


RESOLVED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- wontfix
firefox71 --- fixed

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(2 files)

Attached file testcase.html
Testcase found while fuzzing mozilla-central rev 0132b59bb093.

==20807==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fda3548dc2e bp 0x7ffe25902b90 sp 0x7ffe25902b90 T0)
==20807==The signal is caused by a WRITE memory access.
==20807==Hint: address points to the zero page.
    #0 0x7fda3548dc2d in MOZ_CrashOOL(char const*, int, char const*) src/obj-firefox/dist/include/mozilla/Assertions.h:311:3
    #1 0x7fda3548dbea in GeckoCrashOOL src/toolkit/xre/nsAppRunner.cpp:5349:3
    #2 0x7fda3740274a in gkrust_shared::panic_hook::h577176513f96817f src/toolkit/library/rust/shared/lib.rs:234:8
    #3 0x7fda37402688 in core::ops::function::Fn::call::h82a5285a736af5e0 src/libcore/ops/function.rs:78:4
    #4 0x7fda37b4e758 in std::panicking::rust_panic_with_hook::h0e12cb2fc86d00fa /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:481:16
    #5 0x7fda37b4e54d in std::panicking::continue_panic_fmt::h141671b29fe0e27d /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:391:4
    #6 0x7fda37b50755 in rust_begin_unwind /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libstd/panicking.rs:326:4
    #7 0x7fda37b620bb in core::panicking::panic_fmt::h429a06507aba9228 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/panicking.rs:77:13
    #8 0x7fda37b621d1 in core::option::expect_failed::h4c79c3aae6612643 /rustc/da5f414c2c0bfe5198934493f04c676e2b23ff2e/src/libcore/option.rs:1000:4
    #9 0x7fda3783e5a3 in _$LT$core..option..Option$LT$T$GT$$GT$::expect::h13bd5ccc44bbd1c2 src/libcore/option.rs:312:20
    #10 0x7fda3783e5a3 in Servo_Element_IsDisplayContents src/servo/ports/geckolib/glue.rs:1301
    #11 0x7fda315ec4b6 in nsFrame::DoGetParentComputedStyle(nsIFrame**) const src/layout/generic/nsFrame.cpp:9972:13
    #12 0x7fda3121ebc0 in mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame*, mozilla::ServoStyleSet&) src/layout/base/RestyleManager.cpp:3536:13
    #13 0x7fda314ec071 in nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState&) src/layout/generic/nsBlockFrame.cpp:7631:16
    #14 0x7fda312177a3 in UpdateFramePseudoElementStyles src/layout/base/RestyleManager.cpp:2598:41
    #15 0x7fda312177a3 in mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::ServoRestyleState&, mozilla::ServoPostTraversalFlags) src/layout/base/RestyleManager.cpp:2914
    #16 0x7fda3121afaf in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3093:28
    #17 0x7fda311bb73a in ProcessPendingRestyles src/layout/base/RestyleManager.cpp:3187:3
    #18 0x7fda311bb73a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4358
    #19 0x7fda2abc5ede in FlushPendingNotifications src/layout/base/nsIPresShell.h:591:5
    #20 0x7fda2abc5ede in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7790
    #21 0x7fda2918e27a in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:695:14
    #22 0x7fda2919116e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:631:5
    #23 0x7fda291929f4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #24 0x7fda26aac1c7 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:628:28
    #25 0x7fda2abcc0d7 in DoUnblockOnload src/dom/base/nsDocument.cpp:8492:18
    #26 0x7fda2abcc0d7 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:8414
    #27 0x7fda30fb491a in UnblockOnload src/layout/style/Loader.cpp:2679:16
    #28 0x7fda30fb491a in mozilla::css::SheetLoadData::FireLoadEvent(nsIThreadInternal*) src/layout/style/Loader.cpp:342
    #29 0x7fda30fb4c44 in AfterProcessNextEvent src/layout/style/Loader.cpp:317:3
    #30 0x7fda30fb4c44 in non-virtual thunk to mozilla::css::SheetLoadData::AfterProcessNextEvent(nsIThreadInternal*, bool) src/layout/style/Loader.cpp
    #31 0x7fda26824586 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1292:3
    #32 0x7fda2682c6dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:530:10
    #33 0x7fda27aa840f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
    #34 0x7fda2799fbae in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #35 0x7fda2799fbae in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #36 0x7fda2799fbae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #37 0x7fda30a41fd3 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
    #38 0x7fda35494a5e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:951:22
    #39 0x7fda2799fbae in RunInternal src/ipc/chromium/src/base/message_loop.cc:325:10
    #40 0x7fda2799fbae in RunHandler src/ipc/chromium/src/base/message_loop.cc:318
    #41 0x7fda2799fbae in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298
    #42 0x7fda35493aae in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:777:34
    #43 0x55695e0d1864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
    #44 0x55695e0d1864 in main src/browser/app/nsBrowserApp.cpp:287
    #45 0x7fda49edeb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
    #46 0x55695dff6eec in _start (/home/worker/firefox-asan/firefox+0x2deec)
Flags: in-testsuite?
Flags: needinfo?(emilio)
This is fundamentally the same issue as bug 1422838.
Depends on: 1465474
Flags: needinfo?(emilio)
Emilio -- Can we dup this to bug 1422838?
Flags: needinfo?(emilio)
Priority: -- → P3
We could, though then we'd need to remember to test this test-case as well when we fix it.

If we keep it as dependent we get an extra email notification which is nice, but I'm fine with duping it if you prefer, no strong opinion really.
Flags: needinfo?(emilio)

This test case is now hitting

Hit MOZ_CRASH(Invoking Servo_Element_IsDisplayContents on unstyled element) at src/libcore/option.rs:1034
#01: static void core::ops::function::Fn::call<fn(core::panic::PanicInfo*),(core::panic::PanicInfo*)>( * *, struct core::panic::PanicInfo *) [git:github.com/rust-lang/rust:src/libcore/ops/function.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:69]
#02: void std::panicking::rust_panic_with_hook() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:484]
#03: static void std::panicking::continue_panic_fmt() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:384]
#04: void std::panicking::rust_begin_panic() [git:github.com/rust-lang/rust:src/libstd/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:311]
#05: void core::panicking::panic_fmt() [git:github.com/rust-lang/rust:src/libcore/panicking.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:85]
#06: void core::option::expect_failed() [git:github.com/rust-lang/rust:src/libcore/option.rs:eae3437dfe991621e8afdc82734f4a172d7ddf9b:1034]
#07: bool geckoservo::glue::Servo_Element_IsDisplayContents(struct style::gecko_bindings::structs::root::mozilla::dom::Element *) [servo/ports/geckolib/glue.rs:1279]
#08: nsFrame::DoGetParentComputedStyle(nsIFrame * *) [layout/generic/nsFrame.cpp:9915]
#09: mozilla::RestyleManager::DoReparentComputedStyleForFirstLine(nsIFrame *,mozilla::ServoStyleSet &) [layout/base/RestyleManager.cpp:3510]
#10: nsBlockFrame::UpdatePseudoElementStyles(mozilla::ServoRestyleState &) [layout/generic/nsBlockFrame.cpp:0]
#11: mozilla::RestyleManager::ProcessPostTraversal(mozilla::dom::Element *,mozilla::ComputedStyle *,mozilla::ServoRestyleState &,mozilla::ServoPostTraversalFlags) [layout/base/RestyleManager.cpp:2908]
#12: mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) [layout/base/RestyleManager.cpp:3087]
#13: mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) [layout/base/PresShell.cpp:4112]
#14: mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) [dom/base/Document.cpp:10033]
Flags: needinfo?(emilio)

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression
Assignee: nobody → emilio
Flags: needinfo?(emilio)

... where we've lost track of the display: contents style already since the
ancestor has become display: none, but the first-line belongs to a higher
ancestor that hasn't. Pretty nasty.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e2c380c58e7
Don't crash in some first-line + display: contents edge cases. r=heycam
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
No longer depends on: 1465474
See Also: → 1465474