Closed Bug 1549867 Opened 2 years ago Closed 1 year ago

crash near null in [@ nsBidiPresUtils::GetFirstLeaf]

Categories: Core :: Layout: Text and Fonts, defect, P3

Tracking: VERIFIED FIXED, target milestone mozilla69

Tracking Status:
firefox-esr60 --- unaffected
firefox67 --- disabled
firefox68 --- disabled
firefox69 --- fixed
firefox70 --- verified

People: Reporter: tsmith, Assigned: TYLin

References: Blocks 1 open bug

Details: Keywords: crash, sec-high, testcase, Whiteboard: [post-critsmash-triage]

Attachments: 2 files

Attached file testcase.html

Reduced with m-c:
BuildID=20190506130308
SourceStamp=df3eadfa74a8061f4c88496404d51baf47e21070

Marking as s-s as a precaution based on https://bugzilla.mozilla.org/show_bug.cgi?id=1343606#c22

Requires "layout.css.column-span.enabled=true"

==8988==ERROR: AddressSanitizer: SEGV on unknown address 0x00000000006d (pc 0x7f0c180aafe4 bp 0x7ffdbcd77290 sp 0x7ffdbcd77260 T0)
==8988==The signal is caused by a READ memory access.
==8988==Hint: address points to the zero page.
    #0 0x7f0c180aafe3 in Type src/layout/generic/nsIFrame.h:2795:38
    #1 0x7f0c180aafe3 in IsLetterFrame src/obj-firefox/dist/include/mozilla/FrameTypeList.h:41
    #2 0x7f0c180aafe3 in nsBidiPresUtils::GetFirstLeaf(nsIFrame*) src/layout/base/nsBidiPresUtils.cpp:1338
    #3 0x7f0c180a821c in GetFrameBidiData src/layout/base/nsBidiPresUtils.cpp:1344:10
    #4 0x7f0c180a821c in BidiLineData::BidiLineData(nsIFrame*, int) src/layout/base/nsBidiPresUtils.cpp:379
    #5 0x7f0c180a7e19 in nsBidiPresUtils::ReorderFrames(nsIFrame*, int, mozilla::WritingMode, nsSize const&, int) src/layout/base/nsBidiPresUtils.cpp:1329:16
    #6 0x7f0c185ce4a9 in nsLineLayout::TextAlignLine(nsLineBox*, bool) src/layout/generic/nsLineLayout.cpp:3187:5
    #7 0x7f0c1830615d in nsBlockFrame::PlaceLine(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFloatManager::SavedState*, nsFlowAreaRect&, int&, bool*) src/layout/generic/nsBlockFrame.cpp:4517:15
    #8 0x7f0c18303834 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4011:12
    #9 0x7f0c182f6f0d in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3769:9
    #10 0x7f0c182edc4b in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2809:5
    #11 0x7f0c182e03fd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2351:7
    #12 0x7f0c182d3fcd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1202:3
    #13 0x7f0c182ff274 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #14 0x7f0c182f1578 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3406:11
    #15 0x7f0c182edcb5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2806:5
    #16 0x7f0c182e03fd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2351:7
    #17 0x7f0c182d3fcd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1202:3
    #18 0x7f0c18348a62 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #19 0x7f0c1834fb8f in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) src/layout/generic/nsColumnSetFrame.cpp:761:7
    #20 0x7f0c18357065 in ReflowColumns src/layout/generic/nsColumnSetFrame.cpp:456:37
    #21 0x7f0c18357065 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1108
    #22 0x7f0c183584b8 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsColumnSetFrame.cpp:1207:5
    #23 0x7f0c182ff274 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #24 0x7f0c182f1578 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3406:11
    #25 0x7f0c182edcb5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2806:5
    #26 0x7f0c182e03fd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2351:7
    #27 0x7f0c182d3fcd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1202:3
    #28 0x7f0c182ff274 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #29 0x7f0c182f1578 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3406:11
    #30 0x7f0c182edcb5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2806:5
    #31 0x7f0c182e03fd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2351:7
    #32 0x7f0c182d3fcd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1202:3
    #33 0x7f0c182ff274 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:297:11
    #34 0x7f0c182f1578 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3406:11
    #35 0x7f0c182edcb5 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:2806:5
    #36 0x7f0c182e03fd in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2351:7
    #37 0x7f0c182d3fcd in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1202:3
    #38 0x7f0c18348a62 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #39 0x7f0c18346917 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:729:5
    #40 0x7f0c18348a62 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:893:14
    #41 0x7f0c184a4599 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:562:3
    #42 0x7f0c184a5f07 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:675:3
    #43 0x7f0c184ae14e in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1076:3
    #44 0x7f0c182bab43 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, unsigned int, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:932:14
    #45 0x7f0c182b9708 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:307:7
    #46 0x7f0c17ff4d9f in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9172:11
    #47 0x7f0c18015b90 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9342:24
    #48 0x7f0c18012ca0 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4185:11
    #49 0x7f0c17f7930c in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1442:5
    #50 0x7f0c17f7930c in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:1949
    #51 0x7f0c17f8e209 in TickDriver src/layout/base/nsRefreshDriver.cpp:348:13
    #52 0x7f0c17f8e209 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:325
    #53 0x7f0c17f8daa2 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:342:5
    #54 0x7f0c17f91f5f in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:788:5
    #55 0x7f0c17f91f5f in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:708
    #56 0x7f0c17f91026 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:603:9
    #57 0x7f0c18b07cf5 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #58 0x7f0c0ef5a33f in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:168:54
    #59 0x7f0c0eaa946b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:4061:28
    #60 0x7f0c0e2b229c in mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2151:21
    #61 0x7f0c0e2adf80 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2078:9
    #62 0x7f0c0e2b0297 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1937:3
    #63 0x7f0c0e2b1027 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:1968:13
    #64 0x7f0c0cf400ba in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1180:14
    #65 0x7f0c0cf47d14 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #66 0x7f0c0e2bb6cf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #67 0x7f0c0e19161e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #68 0x7f0c0e19161e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #69 0x7f0c0e19161e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #70 0x7f0c1789b693 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #71 0x7f0c1beb743e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #72 0x7f0c0e19161e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #73 0x7f0c0e19161e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #74 0x7f0c0e19161e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #75 0x7f0c1beb65ac in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:757:34
    #76 0x55b850a0b72e in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #77 0x55b850a0b72e in main src/browser/app/nsBrowserApp.cpp:263
Flags: in-testsuite?
Summary: crash near null in [@ nsSplittableFrame::GetNextInFlow] → crash near null in [@ nsBidiPresUtils::GetFirstLeaf]

The signature changed during reduction; maybe this is not that similar to bug 1343606.

Flags: needinfo?(aethanyc)

Jonathan: any guesses whether this is a safe null-deref or a symptom of something more involved like bug 1343606?

Component: Layout → Layout: Text and Fonts
Flags: needinfo?(jfkthame)

Debug output just prior to crash:

[15604, Main Thread] ###!!! ASSERTION: frame tree not empty, but caller reported complete status: 'aSubtreeRoot->GetPrevInFlow()', file /builds/worker/workspace/build/src/layout/base/nsLayoutUtils.cpp, line 7689
[15604, Main Thread] ###!!! ASSERTION: Placeholder relationship should have been torn down already; this might mean we have a stray placeholder in the tree.: '!placeholder || nsLayoutUtils::IsProperAncestorFrame( aDestructRoot, placeholder)', file /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp, line 779
[15604, Main Thread] ###!!! ASSERTION: Null out-of-flow for placeholder?: 'outOfFlow', file /builds/worker/workspace/build/src/layout/generic/nsPlaceholderFrame.h, line 186
ExceptionHandler::GenerateDump cloned child ExceptionHandler::WaitForContinueSignal waiting for continue signal...
15764
ExceptionHandler::SendContinueSignalToChild sent continue signal to child

Yeah, I saw the same assertions as in comment 3 in my local debug build.

So some fixed continuations created by column-span split are deleted by bidi resolution. Apparently, fixing bug 1520722 isn't enough. A proper fix to bug 1524431 should prevent this kind of issue.

layout.css.column-span.enabled is still false on Nightly, so this crash won't be seen by the users for now.

Depends on: 1524431
Flags: needinfo?(jfkthame)

> layout.css.column-span.enabled is still false on Nightly, so this crash won't be seen by the users for now.

--> Let's call this P3 for now, then (and this should probably block us enabling layout.css.column-span.enabled by default, at least in release versions)

Priority: -- → P3

Yes, seems like this should block releasing column-span; it looks like we're ending up with a broken/inconsistent frame tree, which could lead to... well, I'm not sure what, but it sounds bad. I don't think we can assume it'd just be a safe crash.

Sounds like :TYLin has a good idea where to start on this.

Keywords: sec-high

This test no longer crashes after fixing bug 1524431.

Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Flags: needinfo?(aethanyc)
Assignee: nobody → aethanyc
Flags: in-testsuite? → in-testsuite+
Flags: qe-verify+
Whiteboard: [post-critsmash-triage]

I have attempted to reproduce this issue with asan reporter build ID: 20190506130308 on Windows 10 but I could not. These were my steps:

  1. Launch browser.
  2. Open the test case: https://bugzilla.mozilla.org/attachment.cgi?id=9063366
  3. Observe the logs;
  • Bug reproduces: AddressSanitizer error is displayed;
  • Actual result: No AddressSanitizer error is displayed.
    What was displayed:
    "*** You are running in chaos test mode. See ChaosMode.h. ***
    [Parent 2600, Gecko_IOThread] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
    [GPU 13352, Chrome_ChildThread] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
    [GPU 13352, Chrome_ChildTh
    ###!!! [Parent][RunMessage] Error: Channel closing: too late to send/recv, messages will be lost

read] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[GPU 13352, Chrome_ChildThread] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/com[monP/ipca_crent han2ne6l_0w0,in.cc, lGinee 341c
ko_I[GPOU 1Thread3352, Chrome_Ch]ildThread] WWARARNINNG:I NpiGpe erro:r: 109: fpile iz:/pteask error: 109: fi_l155e714 629z0/b:uil/taskd/s_r1c/i5pc5/chro7mium1/sr4c/c6hr2ome/common9/ipc_channel0_win.c/c,b uliinled/src 341/
ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[Parent 2600, Gecko_IOThread] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341
[Parent 2600, Gecko_IOThread] WARNING: pipe error: 109: file z:/task_1557146290/build/src/ipc/chromium/src/chrome/common/ipc_channel_win.cc, line 341"

What am I supposed to do to reproduce the issue correctly?

Flags: needinfo?(aethanyc)

You'll need to turn the pref layout.css.column-span.enabled on. All the bugs blocking fuzzing-column-span require column-span.

Flags: needinfo?(aethanyc)

I have managed to reproduce it with the steps in comment 9 and the addition in comment 10 on Nightly v68.0a1 (2019-05-06) on Windows 10.
I have managed to verify the fix on Nightly v70.0a1 (2019-07-11).

However, I could not find a Beta v69 asan reporter to verify firefox69 branch on Windows 10.
Furthermore, a Beta v69 asan reporter for Linux could be found in TaskCluster, but this issue could not be reproduced on Linux (on Nightly v68.0a1 (2019-05-06), the affected build).

So, unfortunately, verifying it on the Nightly channel should suffice. Thanks.

Status: RESOLVED → VERIFIED
Flags: qe-verify+
Group: core-security-release