Closed Bug 1520798 Opened 7 years ago Closed 7 years ago

Crash in mozilla::layout::ScrollAnchorContainer::InvalidateAnchor

Categories

(Core :: Layout, defect)

Product:
Core
Component:
Layout
Platform:
Unspecified
Windows 10
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla66
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox64 --- unaffected
firefox65 --- unaffected
firefox66 --- fixed

People

(Reporter: marcia, Assigned: dholbert)

Details

(Keywords: crash, regression)

Crash Data

Attachments

(2 files)

Bug 1520798: Null-check the result of ScrollAnchorContainer::FindFor, in DidSetComputedStyle. r?rhunt
47 bytes, text/x-phabricator-request
Details | Review
reduced testcase 1 (warning, may crash your content process)
252 bytes, text/html
Details

This bug is for crash report bp-b7dfce6e-aa59-41ab-8b3c-15ec90190117.

Seen while looking at nightly crash stats - crashes started in 20190117095319: https://bit.ly/2RvtI3q. 9 crashes/2 installs so far.

Code was touched in Bug 1305957. ni on rhunt

Top 10 frames of crashing thread:

0 xul.dll mozilla::layout::ScrollAnchorContainer::InvalidateAnchor layout/generic/ScrollAnchorContainer.cpp:224
1 xul.dll nsFrame::DidSetComputedStyle layout/generic/nsFrame.cpp:1101
2 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2772
3 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
4 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
5 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
6 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
7 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
8 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
9 xul.dll bool mozilla::RestyleManager::ProcessPostTraversal layout/base/RestyleManager.cpp:2818
Flags: needinfo?(rhunt)

We seem to be crashing on a null-deref, when checking the value of a member variable ("mAnchorNode"), inside of this call:

ScrollAnchorContainer::FindFor(this)->InvalidateAnchor();

I suspect this indicates that "FindFor" is returning null here.

And ScrollAnchorContainer::FindFor() does absolutely have some cases where it returns null, so yeah, I think we need to be null-checking its return value before we dereference it.

(sorry for not catching this in review)

I'm currently trying to come up with a testcase that triggers the crash, BTW.

Flags: needinfo?(rhunt)
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/b5270d03a6d8 Null-check the result of ScrollAnchorContainer::FindFor, in DidSetComputedStyle. r=rhunt

I included a XUL testcase to trigger the "no scrollarea for viewport" scenario, but I suspect the users hitting this crash aren't using XUL to trigger it...

It'd be great to (privately) see some of the URLs that triggered the issue, to perhaps construct a non-XUL regression test.

(ni=marcia in case she can help with comment 7)

Flags: needinfo?(mozillamarcia.knous)

Here are the other URLs I see in these crashes:

Flags: needinfo?(mozillamarcia.knous)

(In reply to Marcia Knous [:marcia - needinfo? me] from comment #9)

Here are the other URLs I see in these crashes:

  • file:///tmp/scroll-test.xul

That one is me. :D

OK - for HTML, the necessary scenario for the crash is for the mutation to happen inside of a "position:fixed" element.

By default, the position:fixed element is parented on the viewport frame, without an ancestor scrollport. So ScrollAnchorContainer::FindFor on its descendant ends up returning nullptr, because nsLayoutUtils::GetNearestScrollableFrame returns nullptr.

(The nsLayoutUtils function accepts "SCROLLABLE_FIXEDPOS_FINDS_ROOT" as an optional flag to avoid returning null in this scenario, but we don't (& probably shouldn't) pass it that flag, so that clause doesn't help.)

https://hg.mozilla.org/mozilla-central/rev/b5270d03a6d8

Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox66: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla66

(In reply to Daniel Holbert [:dholbert] from comment #11)

OK - for HTML, the necessary scenario for the crash is for the mutation to
happen inside of a "position:fixed" element.

By default, the position:fixed element is parented on the viewport frame,
without an ancestor scrollport. So ScrollAnchorContainer::FindFor on its
descendant ends up returning nullptr, because
nsLayoutUtils::GetNearestScrollableFrame returns nullptr.

(The nsLayoutUtils function accepts "SCROLLABLE_FIXEDPOS_FINDS_ROOT" as an
optional flag to avoid returning null in this scenario, but we don't (&
probably shouldn't) pass it that flag, so that clause doesn't help.)

Thanks for looking into this! That makes total sense.

Assignee: nobody → dholbert
status-firefox64: --- → unaffected
status-firefox-esr60: --- → unaffected
Pushed by dholbert@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/b2ed817b7523 followup: add HTML crashtest for this bug (on top of earlier XUL crashtest). no review, testonly

Landed that^ crashtest followup with the HTML testcase that I attached earlier.

I verified that it passes in a build with this bug's fix, and fails (crashes) in the harness in a build with the fix reverted.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: