Closed Bug 1585778 Opened 6 months ago Closed 6 months ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Document.h:1494:53 in GetBFCacheEntry

Categories

(Core :: Layout, defect, P1, critical)

defect

Tracking

VERIFIED FIXED
mozilla71
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- unaffected
firefox67 --- unaffected
firefox68 --- unaffected
firefox69 --- unaffected
firefox70 --- unaffected
firefox71 --- verified
firefox72 --- verified

People

(Reporter: jkratzer, Assigned: emilio)

References

(Blocks 2 open bugs, Regression)

Details

(Keywords: crash, regression, testcase)

Attachments

(3 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev cb9bbf38fa45. Testcase must be served via a local webserver in order to reproduce.

==4093==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fba9d434f46 bp 0x7ffea13bb1a0 sp 0x7ffea13bb000 T0)
==4093==The signal is caused by a WRITE memory access.
==4093==Hint: address points to the zero page.
    #0 0x7fba9d434f45 in GetBFCacheEntry /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/Document.h:1494:53
    #1 0x7fba9d434f45 in operator() /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1905
    #2 0x7fba9d434f45 in mozilla::PresShell::ResizeReflowIgnoreOverride(int, int, mozilla::ResizeReflowOptions) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1913
    #3 0x7fba9d56964b in nsDocumentViewer::GetContentSizeInternal(int*, int*, int, int) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:3179:28
    #4 0x7fba9d569ad8 in nsDocumentViewer::GetContentSize(int*, int*) /builds/worker/workspace/build/src/layout/base/nsDocumentViewer.cpp:3211:10
    #5 0x7fba9785ef3a in nsGlobalWindowOuter::SizeToContentOuter(mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.cpp:5326:16
    #6 0x7fba997cf9c2 in mozilla::dom::Window_Binding::sizeToContent(JSContext*, JS::Handle<JSObject*>, nsGlobalWindowInner*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/WindowBinding.cpp:5874:24
    #7 0x7fba9a3fdd2d in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::MaybeCrossOriginObjectThisPolicy, mozilla::dom::binding_detail::ThrowExceptions>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3250:13
    #8 0x7fbaa1066bac in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:458:13
    #9 0x7fbaa1066bac in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:551
    #10 0x7fbaa1069a09 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:637:8
    #11 0x7fbaa131a752 in js::ForwardingProxyHandler::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/Wrapper.cpp:162:10
    #12 0x7fbaa12a2341 in js::CrossCompartmentWrapper::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) const /builds/worker/workspace/build/src/js/src/proxy/CrossCompartmentWrapper.cpp:237:19
    #13 0x7fbaa12f9f6d in js::Proxy::call(JSContext*, JS::Handle<JSObject*>, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/proxy/Proxy.cpp:504:19
    #14 0x7fbaa1067db1 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:525:14
    #15 0x7fbaa104f230 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:624:10
    #16 0x7fbaa104f230 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3113
    #17 0x7fbaa1030a8f in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:424:10
    #18 0x7fbaa10676b6 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:592:13
    #19 0x7fbaa1069a09 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:637:8
    #20 0x7fbaa1c2710b in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2728:10
    #21 0x7fba99bbe7c0 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #22 0x7fba9ab97645 in HandleEvent<mozilla::dom::EventTarget *> /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #23 0x7fba9ab97645 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1033
    #24 0x7fba9ab990bb in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1231:17
    #25 0x7fba9ab7faca in HandleEvent /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/EventListenerManager.h:353:5
    #26 0x7fba9ab7faca in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:349
    #27 0x7fba9ab7e2e2 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:551:16
    #28 0x7fba9ab83cce in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1045:11
    #29 0x7fba9ab8afa0 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #30 0x7fba97d911fa in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1061:17
    #31 0x7fba9772a979 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3977:28
    #32 0x7fba9772a743 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:3947:10
    #33 0x7fba97a7a4bc in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7121:3
    #34 0x7fba97b622b4 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1124:12
    #35 0x7fba97b622b4 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1130
    #36 0x7fba97b622b4 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1176
    #37 0x7fba9386bc71 in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:295:32
    #38 0x7fba9389d439 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1225:14
    #39 0x7fba938a40a8 in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
    #40 0x7fba94ae109f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:88:21
    #41 0x7fba949d9f62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #42 0x7fba949d9f62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #43 0x7fba949d9f62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #44 0x7fba9ce608c9 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #45 0x7fbaa0daf1df in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #46 0x7fba949d9f62 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #47 0x7fba949d9f62 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308
    #48 0x7fba949d9f62 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290
    #49 0x7fbaa0daea86 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #50 0x557401980bfa in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #51 0x557401980bfa in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:272
    #52 0x7fbab68b0b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
Flags: in-testsuite?

Bugbug thinks this bug is a regression, but please revert this change in case of error.

Keywords: regression

Testcase bisects to the following range:

Start: cbec1b8d83edf24146e48d6819dda24d9ab7a57b (20190913092859)
End: 6a36994d2e14869283ea43331eeeaedac5be9e7c (20190913154631)
Pushlog: https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=cbec1b8d83edf24146e48d6819dda24d9ab7a57b&tochange=6a36994d2e14869283ea43331eeeaedac5be9e7c

Probably bug 1577258 then, I'll take a look.

Flags: needinfo?(emilio)
Regressed by: 1577258

Hmm, I cannot reproduce. I can repro an assertion failure here because the <svg> is just very wide so that it matches our NS_UNCONSTRAINEDSIZE.

That'll probably cause badness, so we should probably sanity-check it the same way as the outerWidth setter or such, for example.

But I can't see anything more than that... Jason, any tips? Should I just try harder? :)

Flags: needinfo?(emilio) → needinfo?(jkratzer)

(If I uncomment that I hit the next one, which my patch added, which is probably what you're seeing, and crashes release builds of course... Maybe bad debug info?

(In reply to Emilio Cobos Álvarez (:emilio) from comment #4)
> Hmm, I cannot reproduce. I can repro an assertion failure here because the <svg> is just very wide so that it matches our NS_UNCONSTRAINEDSIZE.
>
> That'll probably cause badness, so we should probably sanity-check it the same way as the outerWidth setter or such, for example.
>
> But I can't see anything more than that... Jason, any tips? Should I just try harder? :)

Have you accessed the testcase via a local webserver? It appears to be required due to the XHR requests. I'll also go ahead and attach the prefs I'm using to reproduce.

Flags: needinfo?(jkratzer)
Attached file prefs-default-e10s.js

ni on Emilio to ensure you've seen comment 6.

Flags: needinfo?(emilio)

Ah, thanks, left the half-typed comment on the textarea :(

Yeah, I was accessing via the web server. I suspect this is just the assert, though this test-case depends on resolution and other stuff, so it may be that it doesn't repro on my machine.

Does it repro under rr? If so, could you upload a pernosco trace of some sort so I can look at it?

Flags: needinfo?(emilio) → needinfo?(jkratzer)

Emilio, sorry for the delay. Here's the pernosco trace:
https://pernos.co/debug/SJVLi_2nhEdT9Q73X35vew/index.html

Flags: needinfo?(jkratzer) → needinfo?(emilio)

Ah, cool, thanks! So yeah, this is the assertion I mentioned in comment 4.

Assertion failure: (wm.IsVertical() ? aHeight : aWidth) != nscoord((1 << 30) - 1) (unconstrained isize not allowed), at /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1954

I'll write a patch to handle this more gracefully, though it's not a new problem, it's just that my patch made the assert a DIAGNOSTIC_ASSERT rather than a regular MOZ_ASSERT.

Assignee: nobody → emilio
Flags: needinfo?(emilio)

For huge sizes we may end up with an unconstrained isize. Just avoid sizing the
window to that.

Pushed by ealvarez@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/979aa08cf02f
Validate the input of nsDocumentViewer::GetContentSize to not violate the precondition of PresShell::ResizeReflow. r=dholbert
Status: NEW → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
Flags: qe-verify+
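The failure mode described in comment 4 and comment 12 (a very wide <svg> whose size saturates to exactly the NS_UNCONSTRAINEDSIZE sentinel, violating the ResizeReflow precondition) and the shape of the landed fix, as an added C++ model that is not Gecko's code: the saturating conversion and the 60 app-units-per-CSS-pixel scale are simplifications assumed here, and ValidatedContentSize is a hypothetical analogue of the validated GetContentSize, not the real function.

```cpp
// Added example (not Gecko's code): models the sentinel collision behind this
// bug and the input validation the fix puts in front of ResizeReflow.
#include <cstdint>

using nscoord = int32_t;

// Largest representable layout coordinate; the assertion in the report spells
// it as nscoord((1 << 30) - 1). The same value doubles as the in-band
// "no constraint on this axis" marker that ResizeReflow refuses to accept.
constexpr nscoord nscoord_MAX = nscoord((1 << 30) - 1);
constexpr nscoord NS_UNCONSTRAINEDSIZE = nscoord_MAX;
constexpr nscoord kAppUnitsPerCSSPixel = 60;  // assumed app-unit scale

// Simplified stand-in for saturating nscoord arithmetic: a CSS length too
// large to represent clamps to nscoord_MAX, i.e. to the sentinel itself.
nscoord CSSPixelsToAppUnits(int64_t px) {
  int64_t v = px * kAppUnitsPerCSSPixel;
  if (v > nscoord_MAX) return nscoord_MAX;
  if (v < -nscoord_MAX) return -nscoord_MAX;
  return static_cast<nscoord>(v);
}

// Precondition of PresShell::ResizeReflow as stated by the assertion message:
// the inline size (width in a horizontal writing mode) must be constrained.
bool ResizeReflowPreconditionHolds(nscoord width, nscoord height, bool vertical) {
  return (vertical ? height : width) != NS_UNCONSTRAINEDSIZE;
}

struct ContentSize {
  nscoord width;
  nscoord height;
  bool ok;  // false: caller must not size the window to this
};

// Hypothetical analogue of the fixed GetContentSize: instead of feeding a
// sentinel-valued size into reflow (the crash path in the report), fail the
// call, which is what surfaces to script as the NS_ERROR_FAILURE seen on
// sizeToContent() during verification.
ContentSize ValidatedContentSize(int64_t cssWidth, int64_t cssHeight, bool vertical) {
  ContentSize s{CSSPixelsToAppUnits(cssWidth), CSSPixelsToAppUnits(cssHeight), true};
  if (!ResizeReflowPreconditionHolds(s.width, s.height, vertical)) {
    s.ok = false;  // refuse an unconstrained isize rather than assert later
  }
  return s;
}
```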

Reproduced the initial issue on an asan build from 71.0a1 20191001041624, the tab with the testcase crashes with:

Assertion failure: mPresContext->GetVisibleArea().width != nscoord((1 << 30) - 1) (width should not be NS_UNCONSTRAINEDSIZE after reflow), at /builds/worker/workspace/build/src/layout/base/PresShell.cpp:1994

Proceeded onto verifying the testcase on m-c-20191125042312-fuzzing-asan-opt:
the tab doesn't crash anymore, no assertion failure, however, I get an NS_Error_failure on line 17 in the testcase on tab.sizeToContent() -> XHR POST http://localhost:8000/1
[HTTP/1.0 501 Unsupported method ('POST')
Wonder if this is expected, :emilio, could you please advise?

Flags: needinfo?(emilio)

Yeah, that's expected. As long as the tab doesn't crash we're good.

Flags: needinfo?(emilio)

(In reply to Emilio Cobos Álvarez (:emilio) from comment #16)
> Yeah, that's expected. As long as the tab doesn't crash we're good.

Cool, thanks for the prompt response.
Also verified it on a taskcluster fuzzing-asan-opt build 71.0b9 20191109004434.
Considering above + comment 15 & comment 16, marking as verified on Ubuntu 16.04x64.

Status: RESOLVED → VERIFIED
Flags: qe-verify+