Closed Bug 1539159 Opened 8 months ago Closed 7 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:343:12 in GetUnit

Categories

(Core :: Layout, defect, P3, critical)


Tracking

()

RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- wontfix
firefox67 --- wontfix
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: heycam)

References

(Blocks 1 open bug)

Details

(Keywords: crash, regression, testcase)

Attachments

(4 files)

Attached file index.html

Testcase found while fuzzing mozilla-central rev 4572f6055a6a.

To reproduce the following issue, place all three files in the same directory and navigate to index.html.

==23080==ERROR: AddressSanitizer: SEGV on unknown address 0x0000000000c8 (pc 0x7f8c95091863 bp 0x7ffc48301c10 sp 0x7ffc48301bf0 T0)
==23080==The signal is caused by a READ memory access.
==23080==Hint: address points to the zero page.
#0 0x7f8c95091862 in GetUnit /builds/worker/workspace/build/src/obj-firefox/dist/include/nsStyleCoord.h:343:12
#1 0x7f8c95091862 in nsImageFrame::GetIntrinsicImageSize(nsSize&) /builds/worker/workspace/build/src/layout/generic/nsImageFrame.cpp:2384
#2 0x7f8c951e3af8 in nsVideoFrame::GetVideoIntrinsicSize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsVideoFrame.cpp:678:9
#3 0x7f8c951e3444 in nsVideoFrame::ComputeSize(gfxContext*, mozilla::WritingMode, mozilla::LogicalSize const&, int, mozilla::LogicalSize const&, mozilla::LogicalSize const&, mozilla::LogicalSize const&, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsVideoFrame.cpp:578:17
#4 0x7f8c94d903d7 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::LogicalSize const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2523:34
#5 0x7f8c94d84fbd in mozilla::ReflowInput::Init(nsPresContext*, mozilla::LogicalSize const*, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:417:3
#6 0x7f8c950a7c3b in emplace<nsPresContext &, const mozilla::ReflowInput &, nsIFrame &, mozilla::LogicalSize &> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Maybe.h:526:32
#7 0x7f8c950a7c3b in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) /builds/worker/workspace/build/src/layout/generic/nsLineLayout.cpp:819
#8 0x7f8c94e213b0 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:4049:15
#9 0x7f8c94e1f571 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3852:5
#10 0x7f8c94e1456d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3737:9
#11 0x7f8c94e0bc6b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2794:5
#12 0x7f8c94dfe4e7 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2337:7
#13 0x7f8c94df2e94 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1197:3
#14 0x7f8c94e6312a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:890:14
#15 0x7f8c94e61138 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:731:5
#16 0x7f8c94e6312a in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:890:14
#17 0x7f8c94fb3d8b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:584:3
#18 0x7f8c94fb56a8 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:697:3
#19 0x7f8c94fbd0c1 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1091:3
#20 0x7f8c94dd9c3f in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:929:14
#21 0x7f8c94dd8824 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:307:7
#22 0x7f8c94b11a7b in nsIPresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9145:11
#23 0x7f8c94b311d0 in nsIPresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9315:24
#24 0x7f8c94b2e27f in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4169:11
#25 0x7f8c94a96b89 in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:580:5
#26 0x7f8c94a96b89 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:1913
#27 0x7f8c94aabb89 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:13
#28 0x7f8c94aabb89 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:319
#29 0x7f8c94aab478 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:336:5
#30 0x7f8c94aaf6bf in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:777:5
#31 0x7f8c94aaf6bf in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:697
#32 0x7f8c94aae87a in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:592:9
#33 0x7f8c955a6895 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#34 0x7f8c8bc3bfdb in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#35 0x7f8c8b7e9e77 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:2828:28
#36 0x7f8c8b028289 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#37 0x7f8c8b023fca in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#38 0x7f8c8b026207 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#39 0x7f8c8b026f97 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#40 0x7f8c89d525e1 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#41 0x7f8c89d5a9ed in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:482:10
#42 0x7f8c8b03168f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#43 0x7f8c8af07c5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#44 0x7f8c8af07c5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#45 0x7f8c8af07c5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#46 0x7f8c943b5eb3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#47 0x7f8c989a6c7e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:933:20
#48 0x7f8c8af07c5e in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#49 0x7f8c8af07c5e in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#50 0x7f8c8af07c5e in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#51 0x7f8c989a5e0c in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:771:34
#52 0x55b819bcd834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#53 0x55b819bcd834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#54 0x7f8cad668b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
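Reading the report above: ASan says the faulting READ hit address 0x0000000000c8 and that this "points to the zero page". An address that small is almost always NULL plus a field offset: the compiler emitted `base + 0xc8` for a member access in GetUnit and `base` was a null pointer, so the address itself identifies the member that was read. The following is an added triage example, not code from the bug or from Gecko; `asan_segv_address`, `is_null_plus_offset`, `fake_style` and the accessor functions are all constructed for illustration, and the struct layout is a stand-in that deliberately places a field at offset 0xc8, not the real layout of nsStyleCoord (which the page does not show).

```c
// Added example (not part of the bug report): triaging an ASan SEGV whose
// faulting address lies in the zero page. Assumes nothing about Gecko
// internals; `fake_style` is a constructed stand-in, not nsStyleCoord.
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Assumed page size for the "zero page" classification; ASan's hint refers
// to the first page, which is 4096 bytes on x86-64 Linux.
#define ZERO_PAGE_LIMIT 0x1000ULL

// Extract the faulting address from an ASan SEGV line.
// Sets *ok to 0 and returns 0 when the line does not carry the marker.
static uint64_t asan_segv_address(const char *line, int *ok) {
    const char *marker = "SEGV on unknown address ";
    const char *p = strstr(line, marker);
    if (p == NULL) {
        *ok = 0;
        return 0;
    }
    p += strlen(marker);
    char *end = NULL;
    uint64_t addr = strtoull(p, &end, 16);
    *ok = (end != p);
    return addr;
}

// A faulting address inside the zero page means the access was
// NULL + <field offset>, i.e. a null-pointer dereference of a struct member,
// not a dangling heap pointer (ASan would report a use-after-free for that).
static int is_null_plus_offset(uint64_t addr) {
    return addr < ZERO_PAGE_LIMIT;
}

// Constructed stand-in for a style struct. The padding puts `unit` at
// offset 0xc8 so that a null dereference of it reproduces the report's
// faulting address. This is NOT the layout of nsStyleCoord.
struct fake_style {
    unsigned char padding[0xc8];
    int unit;
};

// Unchecked accessor: with s == NULL this reads address 0xc8 and faults.
static int get_unit_unchecked(const struct fake_style *s) {
    return s->unit;
}

// Checked accessor: refuses to dereference a null style pointer and
// returns the caller's fallback instead.
static int get_unit_checked(const struct fake_style *s, int fallback) {
    if (s == NULL) {
        return fallback;
    }
    return s->unit;
}

// Maps a zero-page faulting address back to the member of fake_style
// that sits at that offset (the same question `pahole` or a debugger's
// `ptype /o` answers for the real struct).
static int offset_is_unit_field(uint64_t addr) {
    return addr == (uint64_t)offsetof(struct fake_style, unit);
}

int main(void) {
    // Constructed input: the first line of the ASan report above, truncated.
    const char *line =
        "==23080==ERROR: AddressSanitizer: SEGV on unknown address "
        "0x0000000000c8 (pc 0x7f8c95091863 bp 0x7ffc48301c10 sp 0x7ffc48301bf0 T0)";
    int ok = 0;
    uint64_t addr = asan_segv_address(line, &ok);
    printf("fault address 0x%llx: zero page=%d, offset of unit=%d\n",
           (unsigned long long)addr, is_null_plus_offset(addr),
           offset_is_unit_field(addr));

    struct fake_style s = {{0}, 7};
    printf("unchecked=%d checked=%d checked(NULL)=%d\n",
           get_unit_unchecked(&s), get_unit_checked(&s, -1),
           get_unit_checked(NULL, -1));
    return 0;
}
```

The practical reading for this bug: a READ at null + 0xc8 in reflow is a null-pointer dereference, which on its own is a crash (denial of service) rather than memory corruption; the interesting part is the trigger, a UA sheet mutated through InspectorUtils, which is what the fix closes off rather than the individual dereference.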

Flags: in-testsuite?
Attached file part_1.html
Attached file part_2.html
Component: Inspector: Layout → Layout
Product: DevTools → Core

This is a result of InspectorUtils modifying a UA sheet. I think we need some more comprehensive checks to prevent any kind of modifications to UA sheets than we have now.

Assignee: nobody → cam
Priority: -- → P3
Status: NEW → ASSIGNED

I get a TV failure when I push this to try but from the error message it sounds like it's a problem running devtools mochitests under TV?

https://treeherder.mozilla.org/#/jobs?repo=try&revision=afdcd6b19d2e249123d84fe05520f6caa616d0d5

Pushed by cmccormack@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ee37c856a47e
Prevent modification of UA style sheets. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 7 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+