Closed Bug 1606485 Opened 1 month ago Closed 14 days ago

crash near null in [@ mozilla::ReflowInput::InitConstraints]

Categories

(Core :: Layout: Grid, defect, P3)

Tracking

RESOLVED FIXED
mozilla74
Tracking Status
firefox-esr68 --- unaffected
firefox72 --- wontfix
firefox73 --- wontfix
firefox74 --- fixed

People

(Reporter: tsmith, Assigned: alaskanemily)

References

(Blocks 1 open bug)

Details

(Keywords: crash, csectype-nullptr, testcase)

Attachments

(3 files)

Attached file testcase.html

Reduced with m-c: 20191230-03ed5ed6cba7

layout/generic/ReflowInput.cpp:2243:17: runtime error: member access within null pointer of type 'const mozilla::ReflowInput'
    #0 0x7fdee1c91996 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) layout/generic/ReflowInput.cpp:2243:17
    #1 0x7fdee1c8b01f in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) layout/generic/ReflowInput.cpp:355:3
    #2 0x7fdee1c8cc6f in mozilla::ReflowInput::ReflowInput(nsPresContext*, mozilla::ReflowInput const&, nsIFrame*, mozilla::LogicalSize const&, mozilla::Maybe<mozilla::LogicalSize> const&, unsigned int) layout/generic/ReflowInput.cpp:229:5
    #3 0x7fdee1e0765f in MeasuringReflow(nsIFrame*, mozilla::ReflowInput const*, gfxContext*, mozilla::LogicalSize const&, mozilla::LogicalSize const&, int, int) layout/generic/nsGridContainerFrame.cpp:4641:15
    #4 0x7fdee1e0c0b8 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) layout/generic/nsGridContainerFrame.cpp:4887:14
    #5 0x7fdee1e05e26 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) layout/generic/nsGridContainerFrame.cpp:4938:15
    #6 0x7fdee1e05276 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) layout/generic/nsGridContainerFrame.cpp:5106:13
    #7 0x7fdee1e01f0e in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:5558:11
    #8 0x7fdee1df57fa in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:5047:3
    #9 0x7fdee1df4e78 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) layout/generic/nsGridContainerFrame.cpp:3370:12
    #10 0x7fdee1e162cd in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) layout/generic/nsGridContainerFrame.cpp:7386:21
    #11 0x7fdee1ae95af in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) layout/base/PresShell.cpp:9159:11
    #12 0x7fdee1af7c31 in mozilla::PresShell::ProcessReflowCommands(bool) layout/base/PresShell.cpp:9332:24
    #13 0x7fdee1af6f75 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) layout/base/PresShell.cpp:4114:11
    #14 0x7fdee1af6389 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType) layout/base/PresShell.cpp:3892:3
    #15 0x7fdee1ba988c in nsDocumentViewer::LoadComplete(nsresult) layout/base/nsDocumentViewer.cpp:1004:16
    #16 0x7fdee4d6765b in nsDocShell::EndPageLoad(nsIWebProgress*, nsIChannel*, nsresult) docshell/base/nsDocShell.cpp:6116:20
    #17 0x7fdee4d66a72 in nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp:5899:7
    #18 0x7fdee4d6922f in non-virtual thunk to nsDocShell::OnStateChange(nsIWebProgress*, nsIRequest*, unsigned int, nsresult) docshell/base/nsDocShell.cpp
    #19 0x7fdedbcff36d in nsDocLoader::DoFireOnStateChange(nsIWebProgress*, nsIRequest*, int&, nsresult) uriloader/base/nsDocLoader.cpp:1347:3
    #20 0x7fdedbcfe6b2 in nsDocLoader::doStopDocumentLoad(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:906:14
    #21 0x7fdedbcfbc57 in nsDocLoader::DocLoaderIsEmpty(bool) uriloader/base/nsDocLoader.cpp:726:9
    #22 0x7fdedbcfd94d in nsDocLoader::OnStopRequest(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp:614:5
    #23 0x7fdedbcfe49c in non-virtual thunk to nsDocLoader::OnStopRequest(nsIRequest*, nsresult) uriloader/base/nsDocLoader.cpp
    #24 0x7fded91607a7 in mozilla::net::nsLoadGroup::NotifyRemovalObservers(nsIRequest*, nsresult) netwerk/base/nsLoadGroup.cpp:594:22
    #25 0x7fded9162a66 in mozilla::net::nsLoadGroup::RemoveRequest(nsIRequest*, nsISupports*, nsresult) netwerk/base/nsLoadGroup.cpp:501:10
    #26 0x7fdedd4018ad in mozilla::dom::Document::DoUnblockOnload() dom/base/Document.cpp:10663:18
    #27 0x7fdedd3d56a2 in mozilla::dom::Document::UnblockOnload(bool) dom/base/Document.cpp:10595:9
    #28 0x7fdedd3ea14a in mozilla::dom::Document::DispatchContentLoadedEvents() dom/base/Document.cpp:7272:3
    #29 0x7fdedd4c706a in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() objdir-ff-ubsan/dist/include/nsThreadUtils.h:1217:13
    #30 0x7fded8eab81c in mozilla::SchedulerGroup::Runnable::Run() xpcom/threads/SchedulerGroup.cpp:282:20
    #31 0x7fded8eddf54 in nsThread::ProcessNextEvent(bool, bool*) xpcom/threads/nsThread.cpp:1241:14
    #32 0x7fded8ee4a7e in NS_ProcessNextEvent(nsIThread*, bool) xpcom/threads/nsThreadUtils.cpp:486:10
    #33 0x7fdeda2e3a9e in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:87:21
    #34 0x7fdeda125c54 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #35 0x7fdee169c18a in nsBaseAppShell::Run() widget/nsBaseAppShell.cpp:137:27
    #36 0x7fdee5797269 in XRE_RunAppShell() toolkit/xre/nsEmbedFunctions.cpp:946:20
    #37 0x7fdeda2e50b1 in mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) ipc/glue/MessagePump.cpp:237:9
    #38 0x7fdeda125c54 in MessageLoop::Run() ipc/chromium/src/base/message_loop.cc:290:3
    #39 0x7fdee57966b7 in XRE_InitChildProcess(int, char**, XREChildData const*) toolkit/xre/nsEmbedFunctions.cpp:781:34
    #40 0x563d53d7c1c5 in content_process_main(mozilla::Bootstrap*, int, char**) browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #41 0x563d53d7c3ef in main browser/app/nsBrowserApp.cpp:303:18
Flags: in-testsuite?

A Pernosco session is available here: https://pernos.co/debug/lZdKCHzcILBpe8KO7KZNJA/index.html

Crash Signature: [@ mozilla::ReflowInput::Init ]

Emily, is this similar to the other fuzzer bug you were looking at?

Component: Layout → Layout: Grid
Flags: needinfo?(emcdonough)
Priority: -- → P3

I'll investigate. I'm not too sure, since the other fuzzer bug required an absolute block nested in another absolute block.

This prevents grid container frames from being considered subgrid (even when they have contain:layout/paint) when they are themselves a grid item of a contain grid.

Assignee: nobody → emcdonough
Status: NEW → ASSIGNED

Should be taken care of shortly.

Flags: needinfo?(emcdonough)
Pushed by rmaries@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b3591e00dc30
Add crash testcases for nested subgrids with contain: strict r=emilio
Created web-platform-tests PR https://github.com/web-platform-tests/wpt/pull/21154 for changes under testing/web-platform/tests
Upstream web-platform-tests status checks passed, PR will merge once commit reaches central.
Pushed by malexandru@mozilla.com:
https://hg.mozilla.org/mozilla-central/rev/a89ab01aec47
Check containing parent frames for 'contain:layout/paint' in grid container frames. r=emilio
Status: ASSIGNED → RESOLVED
Closed: 14 days ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla74
Upstream PR merged by moz-wptsync-bot

I don't see any obvious signs of this crash in the wild, so I think we can let this fix ride with Fx74 to release. Feel free to nominate for Beta approval if you feel strongly otherwise that Fx73 should also have it.

Flags: in-testsuite? → in-testsuite+