1600367 - crash at null in [@ nsFieldSetFrame::GetNaturalBaselineBOffset]

Status: RESOLVED FIXED

(Core :: Layout: Form Controls, defect, P1)

Description

[Tyson Smith [:tsmith]]

Attachment: testcase.html

Reduced with m-c:
BuildID=20191129094247
SourceStamp=79c674504d23705095f572227f1f167dabede843

==58144==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fa842cb46b0 bp 0x7ffc1c1e7030 sp 0x7ffc1c1e7000 T0)
==58144==The signal is caused by a READ memory access.
==58144==Hint: address points to the zero page.
    #0 0x7fa842cb46af in nsFieldSetFrame::GetNaturalBaselineBOffset(mozilla::WritingMode, mozilla::BaselineSharingGroup, int*) const src/layout/forms/nsFieldSetFrame.cpp
    #1 0x7fa842cb3cbb in BaselineBOffset src/layout/generic/nsIFrameInlines.h:164:7
    #2 0x7fa842cb3cbb in nsFieldSetFrame::GetLogicalBaseline(mozilla::WritingMode) const src/layout/forms/nsFieldSetFrame.cpp:820:27
    #3 0x7fa842bce806 in PlaceFrame src/layout/generic/nsLineLayout.cpp:1367:35
    #4 0x7fa842bce806 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:1058:7
    #5 0x7fa842b79642 in nsInlineFrame::ReflowInlineFrame(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, nsIFrame*, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:674:15
    #6 0x7fa842b781c1 in nsInlineFrame::ReflowFrames(nsPresContext*, mozilla::ReflowInput const&, nsInlineFrame::InlineReflowInput&, mozilla::ReflowOutput&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:548:7
    #7 0x7fa842b76d75 in nsInlineFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsInlineFrame.cpp:363:3
    #8 0x7fa842bcd6f1 in nsLineLayout::ReflowFrame(nsIFrame*, nsReflowStatus&, mozilla::ReflowOutput*, bool&) src/layout/generic/nsLineLayout.cpp:878:13
    #9 0x7fa84296b9c3 in nsBlockFrame::ReflowInlineFrame(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsIFrame*, LineReflowStatus*) src/layout/generic/nsBlockFrame.cpp:4376:15
    #10 0x7fa84296a2c3 in nsBlockFrame::DoReflowInlineFrames(mozilla::BlockReflowInput&, nsLineLayout&, nsLineList_iterator, nsFlowAreaRect&, int&, nsFloatManager::SavedState*, bool*, LineReflowStatus*, bool) src/layout/generic/nsBlockFrame.cpp:4178:5
    #11 0x7fa842962920 in nsBlockFrame::ReflowInlineFrames(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:4063:9
    #12 0x7fa84295b951 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3042:5
    #13 0x7fa8429512fc in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #14 0x7fa84294841d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #15 0x7fa84296830c in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) src/layout/generic/nsBlockReflowContext.cpp:293:11
    #16 0x7fa84295e402 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3694:11
    #17 0x7fa84295baab in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) src/layout/generic/nsBlockFrame.cpp:3039:5
    #18 0x7fa8429512fc in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) src/layout/generic/nsBlockFrame.cpp:2582:7
    #19 0x7fa84294841d in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsBlockFrame.cpp:1325:3
    #20 0x7fa84299f757 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #21 0x7fa84299e281 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsCanvasFrame.cpp:738:5
    #22 0x7fa84299f757 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:910:14
    #23 0x7fa842aab11b in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) src/layout/generic/nsGfxScrollFrame.cpp:649:3
    #24 0x7fa842aac4d8 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) src/layout/generic/nsGfxScrollFrame.cpp:763:3
    #25 0x7fa842ab1e71 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/nsGfxScrollFrame.cpp:1142:3
    #26 0x7fa842934a3c in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) src/layout/generic/nsContainerFrame.cpp:950:14
    #27 0x7fa842933c01 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) src/layout/generic/ViewportFrame.cpp:299:7
    #28 0x7fa8427088df in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) src/layout/base/PresShell.cpp:9179:11
    #29 0x7fa842721397 in mozilla::PresShell::ProcessReflowCommands(bool) src/layout/base/PresShell.cpp:9352:24
    #30 0x7fa84271ed1a in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4111:11
    #31 0x7fa8426a1baf in FlushPendingNotifications src/obj-firefox/dist/include/mozilla/PresShell.h:1452:5
    #32 0x7fa8426a1baf in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:2050:20
    #33 0x7fa8426b27a1 in TickDriver src/layout/base/nsRefreshDriver.cpp:373:13
    #34 0x7fa8426b27a1 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) src/layout/base/nsRefreshDriver.cpp:350:7
    #35 0x7fa8426b22cb in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:367:5
    #36 0x7fa8426b1613 in RunRefreshDrivers src/layout/base/nsRefreshDriver.cpp:819:5
    #37 0x7fa8426b1613 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) src/layout/base/nsRefreshDriver.cpp:739:16
    #38 0x7fa8426b0947 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) src/layout/base/nsRefreshDriver.cpp:634:9
    #39 0x7fa842f9aba9 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) src/layout/ipc/VsyncChild.cpp:65:16
    #40 0x7fa83b2543df in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PVsyncChild.cpp:187:54
    #41 0x7fa83acbfe4e in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBackgroundChild.cpp:5876:32
    #42 0x7fa83a5300e6 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2208:25
    #43 0x7fa83a52b101 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2130:9
    #44 0x7fa83a52d671 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:1972:3
    #45 0x7fa83a52e537 in mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2003:13
    #46 0x7fa8393186fa in nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1250:14
    #47 0x7fa83931fba1 in NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:486:10
    #48 0x7fa83a53929f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:88:21
    #49 0x7fa83a4434d2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #50 0x7fa83a4434d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #51 0x7fa83a4434d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #52 0x7fa8421253c8 in nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:137:27
    #53 0x7fa84618ce76 in XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:934:20
    #54 0x7fa83a4434d2 in RunInternal src/ipc/chromium/src/base/message_loop.cc:315:10
    #55 0x7fa83a4434d2 in RunHandler src/ipc/chromium/src/base/message_loop.cc:308:3
    #56 0x7fa83a4434d2 in MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:290:3
    #57 0x7fa84618c6c4 in XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:769:34
    #58 0x55baa259dc5c in content_process_main src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #59 0x55baa259dc5c in main src/browser/app/nsBrowserApp.cpp:272:18

Comment 1

[Emilio Cobos Álvarez (:emilio)]

Mozregression points to bug 471015.

Comment 2

[Tyson Smith [:tsmith]]

A Pernosco session is available here: https://pernos.co/debug/j0Rucl05lqV3cIN-JgRk7w/index.html
It will expire in 7 days.

Comment 3

[Mats Palmgren (inactive)]

Right, we can have a null inner frame in fragmentation contexts now... I'll audit the code generally to make sure we handle that everywhere.

Comment 4

[Mats Palmgren (inactive)]

Attachment: Bug 1600367 - Check that the available space is constrained before setting Incomplete status. r=TYLin

The testcase doesn't have a fragmentainer at all so we should
never set Incomplete status in this case. I added an assertion
that would have caught this. I also made the baseline methods
deal with a null inner frame for good measure.

Comment 5

[Pulsebot]

Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e7e3f263eeb3
Check that the available space is constrained before setting Incomplete status.  r=TYLin

Comment 6

[Stefan Hindli [:stefan_hindli]]

https://hg.mozilla.org/mozilla-central/rev/e7e3f263eeb3

Comment 7

[Mats Palmgren (inactive)]

Comment on attachment 9112760 [details]
Bug 1600367 - Check that the available space is constrained before setting Incomplete status. r=TYLin

Beta/Release Uplift Approval Request

• User impact if declined: null-pointer crash in pathological edge case
• Is this code covered by automated tests?: Yes
• Has the fix been verified in Nightly?: Yes
• Needs manual test from QE?: No
• If yes, steps to reproduce:
• List of other uplifts needed: None
• Risk to taking this patch: Low
• Why is the change risky/not risky? (and alternatives if risky): trivial fix
• String changes made/needed:

Comment 8

[Julien Cristau [:jcristau]]

Comment on attachment 9112760 [details]
Bug 1600367 - Check that the available space is constrained before setting Incomplete status. r=TYLin

approved for 72.0b2, thanks!

Comment 9

[Oana Pop-Rus]

https://hg.mozilla.org/releases/mozilla-beta/rev/1157109d1975