Closed Bug 1544060 Opened 4 months ago Closed 4 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h in StylePadding

Categories

(Core :: Layout: Scrolling and Overflow, defect, P1, critical)

defect

Tracking


RESOLVED FIXED
mozilla68
Tracking Status
firefox-esr60 --- unaffected
firefox66 --- unaffected
firefox67 --- unaffected
firefox68 --- fixed

People

(Reporter: jkratzer, Assigned: hiro)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev a632dfa60af6.

==4435==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f35e1093ccd bp 0x7fff32b7e410 sp 0x7fff32b7e3d0 T0)
==4435==The signal is caused by a READ memory access.
==4435==Hint: address points to the zero page.
#0 0x7f35e1093ccc in StylePadding /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h
#1 0x7f35e1093ccc in mozilla::ScrollFrameHelper::GetScrollPadding() const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:6790
#2 0x7f35e1095522 in mozilla::ScrollFrameHelper::ComputeScrollSnapInfo(mozilla::Maybe<nsPoint> const&) const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:6828:30
#3 0x7f35e116608c in GetScrollSnapInfo /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:6860:10
#4 0x7f35e116608c in GetScrollSnapInfo /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.h:1195
#5 0x7f35e116608c in non-virtual thunk to nsHTMLScrollFrame::GetScrollSnapInfo() const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.h
#6 0x7f35e0d79823 in nsLayoutUtils::ComputeScrollMetadata(nsIFrame*, nsIFrame*, nsIContent*, nsIFrame const*, mozilla::layers::LayerManager*, unsigned long, nsRect const&, mozilla::Maybe<nsRect> const&, bool, mozilla::Maybe<mozilla::ContainerLayerParameters> const&) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:8900:43
#7 0x7f35e107e9ec in mozilla::ScrollFrameHelper::ComputeScrollMetadata(mozilla::layers::LayerManager*, nsIFrame const*, mozilla::Maybe<mozilla::ContainerLayerParameters> const&, mozilla::DisplayItemClip const*) const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:3981:15
#8 0x7f35e116565c in ComputeScrollMetadata /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.h:1091:20
#9 0x7f35e116565c in non-virtual thunk to nsHTMLScrollFrame::ComputeScrollMetadata(mozilla::layers::LayerManager*, nsIFrame const*, mozilla::Maybe<mozilla::ContainerLayerParameters> const&, mozilla::DisplayItemClip const*) const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.h
#10 0x7f35e17cf8fc in mozilla::ContainerState::SetupScrollingMetadata(mozilla::NewLayerEntry*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5726:31
#11 0x7f35e17d2eec in mozilla::ContainerState::PostprocessRetainedLayers(mozilla::gfx::IntRegionTyped<mozilla::gfx::UnknownUnits>) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5785:5
#12 0x7f35e17d63a3 in mozilla::ContainerState::Finish(unsigned int, mozilla::gfx::IntRectTyped<mozilla::gfx::UnknownUnits> const&, nsDisplayList*) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:5877:5
#13 0x7f35e17dabf5 in mozilla::FrameLayerBuilder::BuildContainerLayerFor(nsDisplayListBuilder*, mozilla::layers::LayerManager*, nsIFrame*, nsDisplayItem*, nsDisplayList*, mozilla::ContainerLayerParameters const&, mozilla::gfx::Matrix4x4Typed<mozilla::gfx::UnknownUnits, mozilla::gfx::UnknownUnits, float> const*, unsigned int) /builds/worker/workspace/build/src/layout/painting/FrameLayerBuilder.cpp:6258:9
#14 0x7f35e1895cba in nsDisplayList::BuildLayers(nsDisplayListBuilder*, mozilla::layers::LayerManager*, unsigned int, bool) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2624:28
#15 0x7f35e1899748 in nsDisplayList::PaintRoot(nsDisplayListBuilder*, gfxContext*, unsigned int) /builds/worker/workspace/build/src/layout/painting/nsDisplayList.cpp:2840:9
#16 0x7f35e0d3b6c1 in nsLayoutUtils::PaintFrame(gfxContext*, nsIFrame*, nsRegion const&, unsigned int, nsDisplayListBuilderMode, nsLayoutUtils::PaintFrameFlags) /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp:3905:12
#17 0x7f35e0bcfbd3 in mozilla::PresShell::Paint(nsView*, nsRegion const&, unsigned int) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6065:5
#18 0x7f35e032c64e in nsViewManager::ProcessPendingUpdatesPaint(nsIWidget*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:461:19
#19 0x7f35e032aff5 in nsViewManager::ProcessPendingUpdatesForView(nsView*, bool) /builds/worker/workspace/build/src/view/nsViewManager.cpp:396:33
#20 0x7f35e03323ed in nsViewManager::ProcessPendingUpdates() /builds/worker/workspace/build/src/view/nsViewManager.cpp:1022:5
#21 0x7f35e0b15797 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2057:11
#22 0x7f35e0b27b49 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:348:13
#23 0x7f35e0b27b49 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:325
#24 0x7f35e0b27411 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:342:5
#25 0x7f35e0b2b8af in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:788:5
#26 0x7f35e0b2b8af in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:708
#27 0x7f35e0b2a96c in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:603:9
#28 0x7f35e1680895 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/workspace/build/src/layout/ipc/VsyncChild.cpp:65:16
#29 0x7f35d7bc763b in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
#30 0x7f35d77468c7 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/build/src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:3941:28
#31 0x7f35d6f35f99 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2151:21
#32 0x7f35d6f31c4c in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:2078:9
#33 0x7f35d6f33f17 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1937:3
#34 0x7f35d6f34ca7 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/workspace/build/src/ipc/glue/MessageChannel.cpp:1968:13
#35 0x7f35d5bd64b6 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1180:14
#36 0x7f35d5bde17d in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#37 0x7f35d6f3f3ff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
#38 0x7f35d6e14ede in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#39 0x7f35d6e14ede in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#40 0x7f35d6e14ede in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#41 0x7f35e042c903 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#42 0x7f35e49edb3e in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:919:20
#43 0x7f35d6e14ede in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#44 0x7f35d6e14ede in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
#45 0x7f35d6e14ede in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
#46 0x7f35e49ecccc in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:757:34
#47 0x5569c17fd834 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#48 0x5569c17fd834 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:263
#49 0x7f35f9a92b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

Flags: in-testsuite?
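The report above is a read from address 0x20, which ASan flags as "the zero page": a NULL pointer plus a small field offset, not a wild or heap pointer. When triaging a fuzzer queue, pulling that distinction out of the raw text mechanically saves time. The following script is an added example, not code from this bug or from Mozilla; it parses an ASan SEGV header and frame list, buckets the fault (the bucket names and the 4 KiB zero-page threshold are this example's own choices, the threshold matching the hint ASan prints), and picks the first frame that carries a file:line as the place to start reading. The embedded sample is the header and first three frames of the report in this bug.

```python
"""Triage helper for AddressSanitizer SEGV reports (added example; not Mozilla code)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the header and first three frames of the report in this bug.
SAMPLE_REPORT = """\
==4435==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f35e1093ccd bp 0x7fff32b7e410 sp 0x7fff32b7e3d0 T0)
==4435==The signal is caused by a READ memory access.
==4435==Hint: address points to the zero page.
    #0 0x7f35e1093ccc in StylePadding /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/RefPtr.h
    #1 0x7f35e1093ccc in mozilla::ScrollFrameHelper::GetScrollPadding() const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:6790
    #2 0x7f35e1095522 in mozilla::ScrollFrameHelper::ComputeScrollSnapInfo(mozilla::Maybe<nsPoint> const&) const /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:6828:30
"""

# ASan prints "address points to the zero page" for faults below the page size (4 KiB here).
ZERO_PAGE_END = 0x1000

HEADER_RE = re.compile(
    r"==(?P<pid>\d+)==ERROR: AddressSanitizer: SEGV on unknown address "
    r"0x(?P<addr>[0-9a-fA-F]+) \(pc 0x(?P<pc>[0-9a-fA-F]+)"
)
ACCESS_RE = re.compile(r"caused by a (?P<access>READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(?P<idx>\d+) 0x(?P<pc>[0-9a-fA-F]+) in (?P<rest>.+?)\s*$")
LOCATION_RE = re.compile(r"^(?P<file>.+?):(?P<line>\d+)(?::\d+)?$")


@dataclass
class Frame:
    index: int
    pc: int
    function: str
    location: str  # "file", "file:line" or "file:line:col"; "" if ASan gave none

    def file_and_line(self) -> Optional[Tuple[str, int]]:
        m = LOCATION_RE.match(self.location)
        return (m.group("file"), int(m.group("line"))) if m else None


@dataclass
class SegvReport:
    pid: int
    fault_address: int
    access: Optional[str]  # "READ", "WRITE", or None if ASan could not tell
    pc: int
    frames: List[Frame]


def _parse_frame(line: str) -> Optional[Frame]:
    m = FRAME_RE.match(line)
    if not m:
        return None
    # Symbol names contain spaces ("... const") but paths do not, so the
    # location is whatever follows the last space.
    func, _, loc = m.group("rest").rpartition(" ")
    if not func:  # frame with a symbol but no location
        func, loc = loc, ""
    return Frame(int(m.group("idx")), int(m.group("pc"), 16), func, loc)


def parse_asan_segv(text: str) -> SegvReport:
    header = HEADER_RE.search(text)
    if header is None:
        raise ValueError("not an AddressSanitizer SEGV report")
    access = ACCESS_RE.search(text)
    frames = [f for f in map(_parse_frame, text.splitlines()) if f is not None]
    return SegvReport(
        pid=int(header.group("pid")),
        fault_address=int(header.group("addr"), 16),
        access=access.group("access") if access else None,
        pc=int(header.group("pc"), 16),
        frames=frames,
    )


def classify_fault(report: SegvReport) -> str:
    """Coarse bucket for prioritising fuzzer SEGVs (bucket names are this example's own).

    A fault address inside the zero page is a NULL pointer plus a field offset
    (0x20 here). With the default vm.mmap_min_addr, unprivileged code on Linux
    cannot map that page, so the access faults deterministically instead of
    reading attacker-controlled memory: a reliable crash, not a disclosure or
    write primitive by itself. Anything else is a wild pointer; look at writes first.
    """
    kind = (report.access or "unknown").lower()
    if report.fault_address < ZERO_PAGE_END:
        return f"near-null-{kind}"
    return f"wild-{kind}"


def blame_frame(report: SegvReport) -> Optional[Frame]:
    """First frame with a file:line. Frames without one (#0 in RefPtr.h above)
    are usually code inlined into the next frame, which is where to look."""
    for frame in report.frames:
        if frame.file_and_line() is not None:
            return frame
    return None


def summarize(report: SegvReport) -> str:
    frame = blame_frame(report)
    where = "unknown location" if frame is None else f"{frame.function} at {frame.location}"
    return f"pid {report.pid}: {classify_fault(report)} at 0x{report.fault_address:x} in {where}"


if __name__ == "__main__":
    print(summarize(parse_asan_segv(SAMPLE_REPORT)))
```

Run on the sample, `summarize` reports a near-null read in `mozilla::ScrollFrameHelper::GetScrollPadding() const` at nsGfxScrollFrame.cpp:6790, which is exactly where the fix below lands. Note that the `pc` in the header is one past the `#0` frame address; ASan reports the faulting instruction as pc-1 so that the symbol lookup resolves inside the call, which is why the two differ by one here.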

GetScrollSnapInfo

Flags: needinfo?(hikezoe)

Thanks fuzzer. :)

Assignee: nobody → hikezoe
Status: NEW → ASSIGNED
Flags: needinfo?(hikezoe)
Priority: -- → P1
See Also: → 1544198

Now the spec clearly says that we don't need to propagate body's
scroll-padding value to the document viewport since
https://github.com/w3c/csswg-drafts/issues/3740, so we don't need to care about
GetViewportScrollStylesOverrideElement() at all.

This change fixes the crash test case in this commit, but it's not sufficient.
In the next patch, we will fix another crash case.

Pushed by hikezoe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9bf188c86f9c
Use the root element's primary frame to get scroll-padding value. r=botond
https://hg.mozilla.org/integration/autoland/rev/a7c8897aea6f
Bail out from ScrollFrameHelper::GetScrollPadding in the case where no corresponding frame exists. r=botond
Status: ASSIGNED → RESOLVED
Closed: 4 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Flags: in-testsuite? → in-testsuite+
Regressed by: 1534070