1513625 - crash near null in [@ nsBlockFrame::ComputeFinalSize]

Status: RESOLVED WORKSFORME

(Core :: Layout: Block and Inline, defect, P3)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reduced with m-c:
BuildID=20181212163058
SourceStamp=418b19d4ba3df62a52a0e2fdafa1205e563f8eeb

==23873==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000010 (pc 0x7f692348a0c6 bp 0x7fff1378e5b0 sp 0x7fff1378e460 T0)
==23873==The signal is caused by a READ memory access.
==23873==Hint: address points to the zero page.
    #0 0x7f692348a0c5 in IsVertical src/layout/generic/WritingModes.h:222:39
    #1 0x7f692348a0c5 in AvailableBSize src/obj-firefox/dist/include/mozilla/ReflowInput.h:421
    #2 0x7f692348a0c5 in nsBlockFrame::ComputeFinalSize(mozilla::ReflowInput const&, mozilla::BlockReflowInput&, mozilla::ReflowOutput&, int*) src/layout/generic/nsBlockFrame.cpp:1573
    #3 0x7f692347806c in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1307:3
    #4 0x7f692318180a in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:8532:11
    #5 0x7f69231a13cc in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:8698:24
    #6 0x7f692319e860 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4136:11
    #7 0x7f691cad961e in FlushPendingNotifications src/layout/base/nsIPresShell.h:575:5
    #8 0x7f691cad961e in nsIDocument::FlushPendingNotifications(mozilla::ChangesToFlush) src/dom/base/nsDocument.cpp:7154
    #9 0x7f692303f07f in nsComputedDOMStyle::UpdateCurrentStyleSources(bool) src/layout/style/nsComputedDOMStyle.cpp:805:15
    #10 0x7f692303e0e2 in nsComputedDOMStyle::GetPropertyValue(nsTSubstring<char16_t> const&, nsTSubstring<char16_t>&) src/layout/style/nsComputedDOMStyle.cpp:410:3
    #11 0x7f692303dc50 in nsComputedDOMStyle::GetPropertyValue(nsCSSPropertyID, nsTSubstring<char16_t>&) src/layout/style/nsComputedDOMStyle.cpp:356:10
    #12 0x7f691d1879b7 in GetWidth src/obj-firefox/dist/include/mozilla/ServoCSSPropList.h:335:1
    #13 0x7f691d1879b7 in mozilla::dom::CSS2Properties_Binding::get_width(JSContext*, JS::Handle<JSObject*>, nsDOMCSSDeclaration*, JSJitGetterCallArgs) src/obj-firefox/dom/bindings/CSS2PropertiesBinding.cpp:25486
    #14 0x7f691fc553d0 in bool mozilla::dom::binding_detail::GenericGetter<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:2958:13
    #15 0x7f6927763c9d in CallJSNative src/js/src/vm/Interpreter.cpp:443:13
    #16 0x7f6927763c9d in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:535
    #17 0x7f69277662c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
    #18 0x7f69282d81b6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2649:10
    #19 0x7f691a90544d in Call src/obj-firefox/dist/include/jsapi.h:2703:10
    #20 0x7f691a90544d in xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) const src/js/xpconnect/wrappers/XrayWrapper.cpp:2167
    #21 0x7f692838bdd0 in getInternal src/js/src/proxy/Proxy.cpp:372:19
    #22 0x7f692838bdd0 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/proxy/Proxy.cpp:380
    #23 0x7f692838c028 in GetProperty src/js/src/vm/ObjectOperations-inl.h:114:12
    #24 0x7f692838c028 in getInternal src/js/src/proxy/Proxy.cpp:368
    #25 0x7f692838c028 in js::Proxy::get(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, JS::Handle<JS::PropertyKey>, JS::MutableHandle<JS::Value>) src/js/src/proxy/Proxy.cpp:380
    #26 0x7f6927771c1f in GetProperty src/js/src/vm/ObjectOperations-inl.h:114:12
    #27 0x7f6927771c1f in GetProperty src/js/src/vm/ObjectOperations-inl.h:124
    #28 0x7f6927771c1f in js::GetProperty(JSContext*, JS::Handle<JS::Value>, JS::Handle<js::PropertyName*>, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:4739
    #29 0x7f692774efbe in GetPropertyOperation src/js/src/vm/Interpreter.cpp:215:10
    #30 0x7f692774efbe in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3021
    #31 0x7f6927730346 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:423:10
    #32 0x7f6927764641 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:563:13
    #33 0x7f69277662c2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:606:8
    #34 0x7f69282d81b6 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2649:10
    #35 0x7f691f26a699 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #36 0x7f69204b1b82 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #37 0x7f69204b1b82 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1040
    #38 0x7f69204b4211 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1239:17
    #39 0x7f6920494b86 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:350:5
    #40 0x7f6920494b86 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:346
    #41 0x7f6920492e08 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:548:16
    #42 0x7f6920499860 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1038:11
    #43 0x7f69232c742e in nsDocumentViewer::LoadComplete(nsresult) src/layout/base/nsDocumentViewer.cpp:1102:7
    #44 0x7f69266884f3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) src/docshell/base/nsDocShell.cpp:6726:21
    #45 0x7f6926683d20 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp:6525:7
    #46 0x7f692668cb17 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) src/docshell/base/nsDocShell.cpp
    #47 0x7f691b09e195 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) src/uriloader/base/nsDocLoader.cpp:1235:3
    #48 0x7f691b09cd7c in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) src/uriloader/base/nsDocLoader.cpp:794:14
    #49 0x7f691b0986c8 in nsDocLoader::DocLoaderIsEmpty(bool) src/uriloader/base/nsDocLoader.cpp:693:9
    #50 0x7f691b09b01e in nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp:589:5
    #51 0x7f691b09c8a4 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsISupports*, nsresult) src/uriloader/base/nsDocLoader.cpp
    #52 0x7f6918959757 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) src/netwerk/base/nsLoadGroup.cpp:586:22
    #53 0x7f691cadf817 in DoUnblockOnload src/dom/base/nsDocument.cpp:7801:18
    #54 0x7f691cadf817 in nsDocument::UnblockOnload(bool) src/dom/base/nsDocument.cpp:7733
    #55 0x7f691cab93e9 in nsIDocument::DispatchContentLoadedEvents() src/dom/base/nsDocument.cpp:4893:3
    #56 0x7f691cc199eb in applyImpl<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1106:12
    #57 0x7f691cc199eb in apply<nsIDocument, void (nsIDocument::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1112
    #58 0x7f691cc199eb in mozilla::detail::RunnableMethodImpl<nsIDocument*, void (nsIDocument::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1158
    #59 0x7f69186916e5 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:299:32
    #60 0x7f69186ceb28 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1157:14
    #61 0x7f69186d78dd in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:468:10
    #62 0x7f691995ca9f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #63 0x7f691984f8ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #64 0x7f691984f8ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #65 0x7f691984f8ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #66 0x7f6922a25b83 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #67 0x7f692749492e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:915:20
    #68 0x7f691984f8ce in RunInternal src/ipc/chromium/src/base/message_loop.cc:314:10
    #69 0x7f691984f8ce in RunHandler src/ipc/chromium/src/base/message_loop.cc:307
    #70 0x7f691984f8ce in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:289
    #71 0x7f692749397e in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:753:34
    #72 0x555bc8ecf864 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:49:28
    #73 0x555bc8ecf864 in main src/browser/app/nsBrowserApp.cpp:265
    #74 0x7f693c66b82f in __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
    #75 0x555bc8df4eec in _start (firefox+0x2deec)

Comment 1

[Tyson Smith [:tsmith]]

The attached test case no longer reproduces the issue and the last report from the fuzzers is from March 2019. Assuming this has been fixed elsewhere.