Closed Bug 1562105 Opened 5 months ago Closed 5 months ago

crash near null in [@ IsSmoothScroll]

Categories

(Core :: Layout: Scrolling and Overflow, defect, critical)

defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla69
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox68 --- unaffected
firefox69 --- fixed

People

(Reporter: tsmith, Assigned: hiro)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: crash, testcase, Whiteboard: [fuzzblocker])

Crash Data

Attachments

(2 files)

Attached file testcase.html

Reduced with m-c:
BuildID=20190627214735
SourceStamp=7ffabb358c4255897db3ceb09cad21a4731cb0ae

First hit by fuzzers with 20190627-9ee669c657c7; they have been hitting it frequently since.

==95726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f14cc02287f bp 0x7fff29e130b0 sp 0x7fff29e13090 T0)
==95726==The signal is caused by a READ memory access.
==95726==Hint: address points to the zero page.
    #0 0x7f14cc02287e in get src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
    #1 0x7f14cc02287e in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:298
    #2 0x7f14cc02287e in StyleDisplay src/layout/style/nsStyleStructList.h:46
    #3 0x7f14cc02287e in IsSmoothScroll src/layout/generic/nsGfxScrollFrame.cpp:7166
    #4 0x7f14cc02287e in IsSmoothScroll src/layout/generic/nsGfxScrollFrame.h:1201
    #5 0x7f14cc02287e in non-virtual thunk to nsHTMLScrollFrame::IsSmoothScroll(mozilla::dom::ScrollBehavior) const src/layout/generic/nsGfxScrollFrame.h
    #6 0x7f14c4b2afb0 in nsGlobalWindowInner::ScrollBy(mozilla::dom::ScrollToOptions const&) src/dom/base/nsGlobalWindowInner.cpp:3690:33
    #7 0x7f14c4b2a62d in nsGlobalWindowInner::ScrollBy(double, double) src/dom/base/nsGlobalWindowInner.cpp:3673:5
    #8 0x7f14c739b9c8 in mozilla::dom::Window_Binding::scrollBy(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) src/obj-firefox/dom/bindings/WindowBinding.cpp:4721:28
    #9 0x7f14c82f13c8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeGlobalThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) src/dom/bindings/BindingUtils.cpp:3171:13
    #10 0x7f14cfbf79b7 in CallJSNative src/js/src/vm/Interpreter.cpp:448:13
    #11 0x7f14cfbf79b7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:540
    #12 0x7f14cfbd7fce in CallFromStack src/js/src/vm/Interpreter.cpp:599:10
    #13 0x7f14cfbd7fce in Interpret(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:3088
    #14 0x7f14cfbc1898 in js::RunScript(JSContext*, js::RunState&) src/js/src/vm/Interpreter.cpp:425:10
    #15 0x7f14cfbf84bf in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) src/js/src/vm/Interpreter.cpp:568:13
    #16 0x7f14cfbfa6e2 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) src/js/src/vm/Interpreter.cpp:611:8
    #17 0x7f14d0876a88 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) src/js/src/jsapi.cpp:2660:10
    #18 0x7f14c78ce309 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #19 0x7f14c8b84374 in HandleEvent<mozilla::dom::EventTarget *> src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #20 0x7f14c8b84374 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) src/dom/events/EventListenerManager.cpp:1024
    #21 0x7f14c8b86297 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) src/dom/events/EventListenerManager.cpp:1222:17
    #22 0x7f14c8b66bb1 in HandleEvent src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #23 0x7f14c8b66bb1 in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:349
    #24 0x7f14c8b64de6 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) src/dom/events/EventDispatcher.cpp:551:16
    #25 0x7f14c8b6bb54 in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) src/dom/events/EventDispatcher.cpp:1047:11
    #26 0x7f14c8b7389b in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) src/dom/events/EventDispatcher.cpp
    #27 0x7f14c51e95d4 in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) src/dom/base/nsINode.cpp:1030:17
    #28 0x7f14c4a25656 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) src/dom/base/nsContentUtils.cpp:3968:28
    #29 0x7f14c4a253ce in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) src/dom/base/nsContentUtils.cpp:3938:10
    #30 0x7f14c4dfe8e2 in mozilla::dom::Document::DispatchContentLoadedEvents() src/dom/base/Document.cpp:7039:3
    #31 0x7f14c4f197ab in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #32 0x7f14c4f197ab in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #33 0x7f14c4f197ab in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #34 0x7f14c08a2e25 in mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:295:32
    #35 0x7f14c08e3e91 in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1225:14
    #36 0x7f14c08ebc64 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #37 0x7f14c1ceaaff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #38 0x7f14c1bbe44e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #39 0x7f14c1bbe44e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #40 0x7f14c1bbe44e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #41 0x7f14cb2bbc73 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #42 0x7f14cf91d97e in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:919:20
    #43 0x7f14c1bbe44e in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #44 0x7f14c1bbe44e in RunHandler src/ipc/chromium/src/base/message_loop.cc:308
    #45 0x7f14c1bbe44e in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290
    #46 0x7f14cf91c4c1 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:754:34
    #47 0x5583350b3f13 in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #48 0x5583350b3f13 in main src/browser/app/nsBrowserApp.cpp:267
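The ASan report above is the kind of output a fuzzing pipeline has to triage automatically: is the fault a null-plus-offset dereference, and which frame should name the crash signature when the top frames are inlined smart-pointer accessors? The following is an added example (not code from Mozilla or from this bug) that parses the first lines of the report quoted here, flags the fault as near-null, counts the frames that were inlined into the faulting instruction, and picks the signature frame; the accessor skip-list and the 0x1000 near-null limit are assumptions of this example.

```python
import re

# Constructed sample: the opening lines of the ASan report quoted in this bug (frames 4-5 omitted).
SAMPLE_REPORT = """\
==95726==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000020 (pc 0x7f14cc02287f bp 0x7fff29e130b0 sp 0x7fff29e13090 T0)
==95726==The signal is caused by a READ memory access.
==95726==Hint: address points to the zero page.
    #0 0x7f14cc02287e in get src/obj-firefox/dist/include/mozilla/RefPtr.h:268:27
    #1 0x7f14cc02287e in operator-> src/obj-firefox/dist/include/mozilla/RefPtr.h:298
    #2 0x7f14cc02287e in StyleDisplay src/layout/style/nsStyleStructList.h:46
    #3 0x7f14cc02287e in IsSmoothScroll src/layout/generic/nsGfxScrollFrame.cpp:7166
    #6 0x7f14c4b2afb0 in nsGlobalWindowInner::ScrollBy(mozilla::dom::ScrollToOptions const&) src/dom/base/nsGlobalWindowInner.cpp:3690:33
"""

SEGV_RE = re.compile(r"SEGV on unknown address 0x([0-9a-f]+) \(pc 0x([0-9a-f]+)")
ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"^\s*#(\d+) 0x([0-9a-f]+) in (.+?) (\S+)$")
# Accessor frames that should not become the signature (assumption: a convention of this
# example, not a Mozilla rule); smart-pointer and style getters are routinely inlined.
GENERIC_FRAMES = {"get", "operator->", "StyleDisplay"}
NEAR_NULL_LIMIT = 0x1000  # faults below the first page are null-plus-offset dereferences

def parse_asan_segv(report):
    """Return fault address, pc, access kind and parsed frames, or None without a SEGV header."""
    m = SEGV_RE.search(report)
    if m is None:
        return None
    a = ACCESS_RE.search(report)
    frames = [{"n": int(f.group(1)), "pc": int(f.group(2), 16), "func": f.group(3), "loc": f.group(4)}
              for f in map(FRAME_RE.match, report.splitlines()) if f]
    return {"address": int(m.group(1), 16), "pc": int(m.group(2), 16),
            "access": a.group(1) if a else "UNKNOWN", "frames": frames}

def triage(report):
    """Classify the fault and pick a signature frame, skipping inlined accessor frames."""
    info = parse_asan_segv(report)
    if info is None:
        return None
    frames = info["frames"]
    # Frames sharing frame #0's pc were inlined into one instruction: they say which member
    # offset was dereferenced (here 0x20), not where the missing null check belongs.
    inlined = 0
    while inlined < len(frames) and frames[inlined]["pc"] == frames[0]["pc"]:
        inlined += 1
    signature = next((f["func"] for f in frames if f["func"] not in GENERIC_FRAMES), None)
    return {"kind": "near-null" if info["address"] < NEAR_NULL_LIMIT else "wild",
            "access": info["access"], "offset": info["address"],
            "signature": signature, "inlined_frames": inlined}
```

On this report `triage` yields a near-null READ at offset 0x20 with four inlined frames and `IsSmoothScroll` as the signature, matching the bug title; a wild address or a WRITE access would be bucketed differently and deserves a higher priority than a null check.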
Flags: in-testsuite?
Flags: needinfo?(hikezoe)
Assignee: nobody → hikezoe
Status: NEW → ASSIGNED
Flags: needinfo?(hikezoe)
Pushed by hikezoe@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/f770099a60cb
Bail out if the style frame for the scrollable frame is null in ScrollFrameHelper::IsSmoothScroll. r=botond
Status: ASSIGNED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla69
Duplicate of this bug: 1562227
Flags: in-testsuite? → in-testsuite+
Crash Signature: [@ nsHTMLScrollFrame::IsSmoothScroll]