1560397 - MozCrash near [@ ToPositionAndLength]

Status: RESOLVED FIXED

(Core :: Layout: Grid, defect, P3)

Description

[Jason Kratzer [:jkratzer]]

Attachment: testcase.html

Testcase found while fuzzing mozilla-central rev 19cf79b6f07d.

==17772==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fe0e4ff2117 bp 0x7ffd25f06980 sp 0x7ffd25f06980 T0)
==17772==The signal is caused by a WRITE memory access.
==17772==Hint: address points to the zero page.
    #0 0x7fe0e4ff2116 in MOZ_Crash /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:313:3
    #1 0x7fe0e4ff2116 in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/workspace/build/src/xpcom/ds/nsTArray.cpp:27
    #2 0x7fe0f0823f1c in ElementAt /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1045:7
    #3 0x7fe0f0823f1c in operator[] /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1074
    #4 0x7fe0f0823f1c in ToPositionAndLength /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5819
    #5 0x7fe0f0823f1c in nsGridContainerFrame::LineRange::ToPositionAndLengthForAbsPos(nsGridContainerFrame::Tracks const&, int, int*, int*) const /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5860
    #6 0x7fe0f08324e7 in ContainingBlockForAbsPos /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5941:15
    #7 0x7fe0f08324e7 in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:6789
    #8 0x7fe0f0835f33 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:7145:11
    #9 0x7fe0f05a9112 in nsAbsoluteContainingBlock::ReflowAbsoluteFrame(nsIFrame*, nsPresContext*, mozilla::ReflowInput const&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsIFrame*, nsReflowStatus&, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:702:14
    #10 0x7fe0f05a4b3c in nsAbsoluteContainingBlock::Reflow(nsContainerFrame*, nsPresContext*, mozilla::ReflowInput const&, nsReflowStatus&, nsRect const&, nsAbsoluteContainingBlock::AbsPosReflowFlags, nsOverflowAreas*) /builds/worker/workspace/build/src/layout/generic/nsAbsoluteContainingBlock.cpp:161:7
    #11 0x7fe0f05a258e in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:350:35
    #12 0x7fe0f02d8d92 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9285:11
    #13 0x7fe0f02f9b40 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9455:24
    #14 0x7fe0f02f6c22 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4233:11
    #15 0x7fe0f04226a7 in FlushPendingNotifications /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/PresShell.h:1459:5
    #16 0x7fe0f04226a7 in nsDocumentViewer::LoadComplete(nsresult) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:1016
    #17 0x7fe0f32bfaf3 in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6682:20
    #18 0x7fe0f32bec0c in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp:6482:7
    #19 0x7fe0f32c4617 in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) /builds/worker/workspace/build/src/docshell/base/nsDocShell.cpp
    #20 0x7fe0e7d7dcd5 in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:1337:3
    #21 0x7fe0e7d7c8ca in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:896:14
    #22 0x7fe0e7d76f10 in nsDocLoader::DocLoaderIsEmpty(bool) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:730:9
    #23 0x7fe0e7d7a785 in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp:618:5
    #24 0x7fe0e7d7c414 in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) /builds/worker/workspace/build/src/uriloader/base/nsDocLoader.cpp
    #25 0x7fe0e54c0721 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) /builds/worker/workspace/build/src/netwerk/base/nsLoadGroup.cpp:568:22
    #26 0x7fe0e9655ac8 in DoUnblockOnload /builds/worker/workspace/build/src/dom/base/Document.cpp:10536:18
    #27 0x7fe0e9655ac8 in mozilla::dom::Document::UnblockOnload(bool) /builds/worker/workspace/build/src/dom/base/Document.cpp:10468
    #28 0x7fe0e968afd5 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:6983:3
    #29 0x7fe0e97a33ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #30 0x7fe0e97a33ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #31 0x7fe0e97a33ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #32 0x7fe0e5179b33 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1215:14
    #33 0x7fe0e51818f4 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #34 0x7fe0e658ab7f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #35 0x7fe0e6461ace in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #36 0x7fe0e6461ace in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #37 0x7fe0e6461ace in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #38 0x7fe0efb73563 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #39 0x7fe0f3e71b40 in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:276:30
    #40 0x7fe0f41b17fa in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4639:22
    #41 0x7fe0f41b4064 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4778:8
    #42 0x7fe0f41b5a59 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4859:21
    #43 0x557fdc78bb14 in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:213:22
    #44 0x557fdc78bb14 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:295
    #45 0x7fe109e8ab96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/Assertions.h:313:3 in MOZ_Crash

Comment 1

[BugBot [:suhaib / :marco/ :calixte]]

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Comment 2

[BugBot [:suhaib / :marco/ :calixte]]

The priority flag is not set for this bug.
:mats, could you have a look please?

For more information, please visit auto_nag documentation.

Comment 3

[Mats Palmgren (inactive)]

In a DEBUG build I get:
Assertion failure: !mHasRepeatAuto || (mExpandedTracks.Length() >= 1 && mRepeatAutoStart < mExpandedTracks.Length()), at layout/generic/nsGridContainerFrame.cpp:941

The testcase has repeat(auto-fill/fit, ...) in the style value with more than the maximum number of tracks preceding it. When we clamp the grid we still have mHasRepeatAuto=true which then violates the invariant above.

Comment 5

[Mats Palmgren (inactive)]

Attachment: Bug 1560397 - [css-grid] If a repeat(auto-fill/fit) track starts outside the clamped grid then treat it as not having a auto-fill/fit at all. r=emilio

Comment 6

[Pulsebot]

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/2ecf303ec887
[css-grid] If a repeat(auto-fill/fit) track starts outside the clamped grid then treat it as not having a auto-fill/fit at all.  r=emilio

Comment 7

[Daniel Varga [:dvarga]]

https://hg.mozilla.org/mozilla-central/rev/2ecf303ec887

Comment 8

[Ryan VanderMeulen [:RyanVM]]

Is there a user impact which justifies backport consideration or can this fix ride Fx71 to release?

Comment 9

[Mats Palmgren (inactive)]

No, this is an extreme edge case that doesn't affect normal usage of CSS Grid.