Closed
Bug 1543094
Opened 5 years ago
Closed 2 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:604:3 in NS_ABORT_OOM(unsigned long)
Categories
(Core :: Layout: Tables, defect, P5)
Core
Layout: Tables
Tracking
()
RESOLVED
WORKSFORME
| Tracking | Status | |
|---|---|---|
| firefox68 | --- | affected |
People
(Reporter: jkratzer, Unassigned)
References
(Blocks 3 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker], qa-not-sctionable)
Attachments
(1 file)
|
577 bytes,
text/html
|
Details |
Testcase found while fuzzing mozilla-central rev 98b223de0543. Testcase takes 30-60 seconds to trigger.
==29143==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7f736fae25cf bp 0x7fffd3a37660 sp 0x7fffd3a37660 T0)
==29143==The signal is caused by a WRITE memory access.
==29143==Hint: address points to the zero page.
#0 0x7f736fae25ce in NS_ABORT_OOM(unsigned long) /builds/worker/workspace/build/src/xpcom/base/nsDebugImpl.cpp:604:3
#1 0x7f736fbba46f in PLDHashTable::Add(void const*) /builds/worker/workspace/build/src/xpcom/ds/PLDHashTable.cpp
#2 0x7f737b4cb3c0 in PutEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:152:43
#3 0x7f737b4cb3c0 in PutEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTHashtable.h:531
#4 0x7f737b4cb3c0 in RecordAlloc /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:1624
#5 0x7f737b4cb3c0 in AllocateByObjectID /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:242
#6 0x7f737b4cb3c0 in nsCellMap::AllocCellData(nsTableCellFrame*) /builds/worker/workspace/build/src/layout/tables/nsCellMap.cpp:2398
#7 0x7f737b4bda69 in nsCellMap::AppendCell(nsTableCellMap&, nsTableCellFrame*, int, bool, int, mozilla::TableArea&, int*) /builds/worker/workspace/build/src/layout/tables/nsCellMap.cpp:1392:22
#8 0x7f737b4c8d6e in nsCellMap::ExpandWithRows(nsTableCellMap&, nsTArray<nsTableRowFrame*>&, int, int, mozilla::TableArea&) /builds/worker/workspace/build/src/layout/tables/nsCellMap.cpp:1587:9
#9 0x7f737b4bb4dc in nsTableCellMap::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool, mozilla::TableArea&) /builds/worker/workspace/build/src/layout/tables/nsCellMap.cpp:427:16
#10 0x7f737b4f6859 in nsTableFrame::InsertRows(nsTableRowGroupFrame*, nsTArray<nsTableRowFrame*>&, int, bool) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:868:14
#11 0x7f737b4f1b45 in nsTableFrame::InsertRowGroups(nsFrameList::Slice const&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:1092:13
#12 0x7f737b4f0492 in nsTableFrame::SetInitialChildList(mozilla::layout::FrameChildListID, nsFrameList&) /builds/worker/workspace/build/src/layout/tables/nsTableFrame.cpp:347:5
#13 0x7f737adfba13 in nsCSSFrameConstructor::ConstructTable(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:1971:15
#14 0x7f737ae16fa9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3585:16
#15 0x7f737ae23c5a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5669:3
#16 0x7f737adfc52a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9562:5
#17 0x7f737ae1cb1a in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11041:3
#18 0x7f737ae16fa9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3585:16
#19 0x7f737ae23c5a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5669:3
#20 0x7f737adfc52a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9562:5
#21 0x7f737ae1cb1a in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11041:3
#22 0x7f737ae16fa9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3585:16
#23 0x7f737ae23c5a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5669:3
#24 0x7f737adfc52a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9562:5
#25 0x7f737ae1cb1a in nsCSSFrameConstructor::ConstructInline(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:11041:3
#26 0x7f737ae16fa9 in nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:3585:16
#27 0x7f737ae23c5a in nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:5669:3
#28 0x7f737adfc52a in nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameList&) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:9562:5
#29 0x7f737ae35040 in nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) /builds/worker/workspace/build/src/layout/base/nsCSSFrameConstructor.cpp:6830:3
#30 0x7f737ada30d7 in mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:1448:27
#31 0x7f737adb4ba3 in mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3110:9
#32 0x7f737ad48dbe in ProcessPendingRestyles /builds/worker/workspace/build/src/layout/base/RestyleManager.cpp:3182:3
#33 0x7f737ad48dbe in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4110
#34 0x7f737422bb5f in FlushPendingNotifications /builds/worker/workspace/build/src/layout/base/nsIPresShell.h:571:5
#35 0x7f737422bb5f in mozilla::dom::Document::FlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/dom/base/Document.cpp:7190
#36 0x7f737295ddbe in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:659:14
#37 0x7f7372961f65 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:598:5
#38 0x7f7372963844 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
#39 0x7f73700306f2 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
#40 0x7f737420975a in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:7831:18
#41 0x7f737420975a in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:7763
#42 0x7f73742081bf in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:4891:3
#43 0x7f737430ceeb in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1122:12
#44 0x7f737430ceeb in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1128
#45 0x7f737430ceeb in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1174
#46 0x7f736fd47915 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
#47 0x7f736fd87956 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#48 0x7f736fd8f61d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#49 0x7f73710f255f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#50 0x7f7370fc78de in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#51 0x7f7370fc78de in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#52 0x7f7370fc78de in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#53 0x7f737a5beea3 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#54 0x7f737eb8404e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#55 0x7f7370fc78de in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#56 0x7f7370fc78de in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#57 0x7f7370fc78de in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#58 0x7f737eb831dc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#59 0x55ba28259834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#60 0x55ba28259834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#61 0x7f7393a1fb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
We abort because we exceed the maximum number of entries
we can keep in a hashtable. RecordAlloc is a diagnostic
feature though (MOZ_DIAGNOSTIC_ASSERT_ENABLED), which
is only enabled in Nightly/Beta builds (and true DEBUG builds).
https://searchfox.org/mozilla-central/rev/dd7e27f4a805e4115d0dbee70e1220b23b23c567/layout/base/nsIPresShell.h#1621-1626
https://searchfox.org/mozilla-central/rev/dd7e27f4a805e4115d0dbee70e1220b23b23c567/mfbt/Assertions.h#479,483
So this particular abort shouldn't affect release builds.
The testcase has:
o4.setAttribute('colspan', 1000)
o4.rowSpan = 100663045
which may or may not cause a regular OOM in a release-
build for some users, but I think that's normal.
So, as far as I can tell, this is working as intended.
Priority: -- → P5
|
Reporter | |
Comment 2•3 years ago
|
||
This bug is triggered frequently enough that it has started to affect overall fuzzing performance. Would it be possible to disable this assert in --enable-fuzzing builds? If not, I will have to disable testing of [row|column]span attributes.
Flags: needinfo?(mats)
Whiteboard: [fuzzblocker]
|
|
||
Comment 3•3 years ago
|
||
I don't think that's possible. I think this assert needs to be fatal or you'll get very weird crashes instead. Maybe we can just limit the colspan/rowspan values to something reasonable in the fuzzer, like say max 1000?
Flags: needinfo?(mats)
|
||
Comment 4•3 years ago
|
||
The proper way to move forward here is to annotate this assertion with [unhandlable oom] so the fuzzing automation can ignore it. We can do this for fuzzing builds only if it is otherwise a problem. The JS engine already does this for all OOM-related forced crashes.
|
||
Comment 5•3 years ago
|
||
Hey Jason,
Can you still reproduce this issue or should we close it?
Flags: needinfo?(jkratzer)
|
|
Reporter | |
Comment 6•3 years ago
|
||
(In reply to Andrei Purice from comment #5)
Hey Jason,
Can you still reproduce this issue or should we close it?
Andrei, this issue still reproduces on mozilla-central rev 152fdda295bb (built with --enable-address-sanitzer --enable-fuzzing).
Testcase can be reproduced using the following commands:
$ pip install fuzzfetch grizzly-framework
$ python -m fuzzfetch --build 152fdda295bb --asan --fuzzing -n build
$ python -m grizzly.replay ./build/firefox ./testcase.html
Flags: needinfo?(jkratzer)
|
||
Updated•3 years ago
|
Whiteboard: [fuzzblocker] → [fuzzblocker], qa-not-sctionable
|
||
Updated•2 years ago
|
Blocks: asan-maintenance
|
||
Comment 7•2 years ago
|
||
The attached test case no longer reproduces the issue and the fuzzers are no longer reporting it.
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WORKSFORME
You need to log in
before you can comment on or make changes to this bug.
Description
•