Open
Bug 1612963
Opened 4 years ago
Updated 11 months ago
AddressSanitizer: stack-overflow /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset
Categories
(Core :: Layout: Grid, defect, P3)
Core
Layout: Grid
Tracking
()
NEW
| Tracking | Status | |
|---|---|---|
| firefox74 | --- | wontfix |
People
(Reporter: jkratzer, Unassigned, NeedInfo)
References
(Blocks 2 open bugs)
Details
(Keywords: crash, testcase, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(3 files, 2 obsolete files)
Testcase found while fuzzing mozilla-central rev f4e3917a0fa1.
==5207==ERROR: AddressSanitizer: stack-overflow on address 0x7ffe43f6dbc8 (pc 0x55d2de64f54e bp 0x7ffe43f6e410 sp 0x7ffe43f6dbd0 T0)
#0 0x55d2de64f54d in __asan_memset /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3
#1 0x7f25b32c1b44 in mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator>::CSSOrderAwareFrameIteratorT(nsIFrame*, mozilla::layout::FrameChildListID, mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator>::ChildFilter, mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator>::OrderState, mozilla::CSSOrderAwareFrameIteratorT<nsFrameList::Iterator>::OrderingProperty) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/CSSOrderAwareFrameIterator.h:72:9
#2 0x7f25b3444e6f in nsGridContainerFrame::GridReflowInput::GridReflowInput(nsGridContainerFrame*, gfxContext&, mozilla::ReflowInput const*, nsStylePosition const*, mozilla::WritingMode const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2777:9
#3 0x7f25b33c151c in GridReflowInput /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:2504:9
#4 0x7f25b33c151c in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3339:19
#5 0x7f25b33c0da7 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3315:7
#6 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#7 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#8 0x7f25b33e8348 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4834:12
#9 0x7f25b33dfcb9 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4957:15
#10 0x7f25b33decfa in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5125:13
#11 0x7f25b33d9f52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5568:11
#12 0x7f25b33c4945 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5066:3
#13 0x7f25b33c2b0b in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3396:12
#14 0x7f25b33c1612 in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3344:9
#15 0x7f25b33c0eb0 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3331:5
#16 0x7f25b33e8348 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4834:12
#17 0x7f25b33dfcb9 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4957:15
#18 0x7f25b33decfa in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5125:13
#19 0x7f25b33d9f52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5568:11
#20 0x7f25b33c4945 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5066:3
#21 0x7f25b33c2b0b in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3396:12
#22 0x7f25b33c1612 in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3344:9
#23 0x7f25b33c0da7 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3315:7
#24 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#25 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#26 0x7f25b33e8348 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4834:12
#27 0x7f25b33dfcb9 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4957:15
#28 0x7f25b33decfa in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5125:13
#29 0x7f25b33d9f52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5568:11
#30 0x7f25b33c4945 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5066:3
#31 0x7f25b33c2b0b in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3396:12
#32 0x7f25b33c1612 in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3344:9
#33 0x7f25b33c0eb0 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3331:5
#34 0x7f25b33e8348 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4834:12
#35 0x7f25b33dfcb9 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4957:15
#36 0x7f25b33decfa in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5125:13
#37 0x7f25b33d9f52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5568:11
#38 0x7f25b33c4945 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5066:3
#39 0x7f25b33c2b0b in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3396:12
#40 0x7f25b33c1612 in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3344:9
#41 0x7f25b33c0da7 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3315:7
#42 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#43 0x7f25b33c0d15 in nsGridContainerFrame::UsedTrackSizes::ResolveTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, gfxContext&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3312:16
#44 0x7f25b33e8348 in ContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, mozilla::Maybe<mozilla::LogicalSize> const&, nsLayoutUtils::IntrinsicISizeType, int, unsigned int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4834:12
#45 0x7f25b33dfcb9 in MinContentContribution(nsGridContainerFrame::GridItemInfo const&, nsGridContainerFrame::GridReflowInput const&, gfxContext*, mozilla::WritingMode, mozilla::LogicalAxis, CachedIntrinsicSizes*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:4957:15
#46 0x7f25b33decfa in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5125:13
#47 0x7f25b33d9f52 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5568:11
#48 0x7f25b33c4945 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::*, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:5066:3
#49 0x7f25b33c2b0b in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3396:12
#50 0x7f25b33c1612 in nsGridContainerFrame::UsedTrackSizes::ResolveSubgridTrackSizesForAxis(nsGridContainerFrame*, mozilla::LogicalAxis, nsGridContainerFrame::Subgrid*, gfxContext&, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:3344:9
...
SUMMARY: AddressSanitizer: stack-overflow /builds/worker/fetches/llvm-project/llvm/projects/compiler-rt/lib/asan/asan_interceptors_memintrinsics.cc:26:3 in __asan_memset
Flags: in-testsuite?
|
||
Updated•4 years ago
|
Component: Layout → Layout: Grid
|
||
Comment 1•4 years ago
|
||
Hi Mats! Looks like some Grid code is crashing here. Would you be able to take a look?
Flags: needinfo?(mats)
Priority: -- → P2
|
||
Updated•4 years ago
|
Blocks: asan-maintenance
|
||
Comment 2•4 years ago
|
||
FWIW: I was curious if this might've been fixed by some of Mats' crash fixes last week, but it's not -- I can still reproduce this in latest optimized ASAN build (linked from https://firefox-source-docs.mozilla.org/tools/sanitizer/asan.html ), version/datestamp 75.0a1 (2020-03-05) in the "about" window.
|
||
Comment 3•4 years ago
|
||
|
|
||
Comment 4•4 years ago
|
||
The case crashes for me with latest code.
|
|
||
Comment 5•4 years ago
|
||
Attachment #9131292 -
Attachment is obsolete: true
|
|
||
Comment 6•4 years ago
|
||
Attachment #9131301 -
Attachment is obsolete: true
|
|
||
Comment 7•4 years ago
|
||
(Pinging mats to sanity check this analysis...)
The issue seems to be caused by the nested subgrid containers with different writing modes. We get into infinite recursion trying to calculate sizes, I'll attached a portion of a stack trace of what this looks like.
I think the issue happens when we get to the child element of the second-level subgrid, here: https://searchfox.org/mozilla-central/rev/2fd8ffcf087bc59a8e5c962965bbb7bf230bcd28/layout/generic/nsGridContainerFrame.cpp#3305
At this point, ParentGridContainerForSubgrid will give us the parent of the grid item ( https://searchfox.org/mozilla-central/rev/2fd8ffcf087bc59a8e5c962965bbb7bf230bcd28/layout/generic/nsGridContainerFrame.cpp#7023 ), but I don't htink that's what we want. That parent is, itself, a subgrid child of the outermost grid container, and I think we need to be setting these track sizes on the containing grid itself. If we just go up one level, then we get into the inifinite recursion of going down to that subgrid container's item, and then going back up to the next parent again (which doesn't trigger the !subgrid terminal condition for this recursion, as it would in a subgrid that has a non-subgrid grid parent), and so on (flipping axes back and forth since the subgrid is orthogonal to the grid due to the differing writing modes).
I should have a patch and some wpt soon.
Flags: needinfo?(mats)
|
|
||
Comment 8•4 years ago
|
||
|
|
||
Updated•4 years ago
|
Flags: needinfo?(mats)
|
||
Comment 9•4 years ago
|
||
I think we need to be setting these track sizes on the containing grid itself
No, I don't think so. We want the parent subgrid sizes because it may be different than the top grid sizes due to having different gap sizes. If the parent sizes isn't resolved yet, the parent should ask its parent and so forth.
I guess the problem here is that to resolve some ancestor's track sizes we need some item's intrinsic size which needs a CB which needs the parent sizes. We need to break that cyclic dependence chain somehow...
IIRC, we have a "fallback sizes" mechanism for this, perhaps it's missing this case?
Flags: needinfo?(mats)
|
|
||
Comment 10•4 years ago
|
||
Nested orthogonal writing-mode subgrids is unlikely to be used anywhere on the web, and a crash from stack overflow isn't exploitable.
Severity: critical → normal
Priority: P2 → P3
|
|
||
Comment 11•4 years ago
•
|
||
Where is the "fallback sizes" mechanism? When is it supposed to be hit?
It also kind of seems like that shouldn't be necessary in this case, I don't think we have to do that without orthogonal writing modes, or without the single-child subgrid holding the second subgrid. I would have expected that at the very least the last case (removing the intermediate subgrid) should be equivalent to this case?
|
|
||
Comment 12•4 years ago
|
||
|
||
Updated•4 years ago
|
Crash Signature: [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
|
||
Updated•2 years ago
|
Severity: normal → S3
|
|
||
Updated•1 year ago
|
Crash Signature: [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ] → [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
[@ stackoverflow | IntrinsicSizeOffsets ]
|
|
||
Comment 14•11 months ago
|
||
Transferring [fuzzblocker] status from dupe bug 1665826.
Whiteboard: [fuzzblocker]
|
|
||
Comment 15•11 months ago
•
|
||
Here's a pernosco trace with my "testcase 2 (reduced)" from dupe bug 1665826:
https://pernos.co/debug/1geFB1WvwrqNED6PiWBNQw/index.html#f{m[D68e,AA_,t[0w,Al4P_,f{e[D68d,AoAwvw_,s{aVapdsuAA,bCfU,uBnJf,oBxGc___/
That testcase just looks like this (and it triggers a stack overflow):
<!DOCTYPE html>
<style>
#outer {
display: inline-grid;
}
#inner, optgroup {
display: grid;
grid-template-rows: subgrid;
}
</style>
<div id="outer">
<div id="inner">
<optgroup style="writing-mode: vertical-lr"></optgroup>
<optgroup></optgroup>
|
||
Comment 16•11 months ago
|
||
Copying crash signatures from duplicate bugs.
Crash Signature: [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
[@ stackoverflow | IntrinsicSizeOffsets ] → [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
[@ stackoverflow | IntrinsicSizeOffsets ]
[@ nsTArray_base<T>::InsertSlotsAt<T>]
|
|
||
Comment 17•11 months ago
|
||
Emily, maybe you could pick this back up again when you've got cycles to look at some grid stuff? Per bug 1665826 comment 5, the fuzzers seem to be tripping over this repeatedly.
Crash Signature: [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
[@ stackoverflow | IntrinsicSizeOffsets ]
[@ nsTArray_base<T>::InsertSlotsAt<T>] → [@ _chkstk | mozilla::CSSOrderAwareFrameIteratorT<T>::CSSOrderAwareFrameIteratorT ]
[@ stackoverflow | IntrinsicSizeOffsets ]
[@ nsTArray_base<T>::InsertSlotsAt<T>]
Flags: needinfo?(emcdonough)
|
||
Updated•11 months ago
|
|
|
||
Comment 18•11 months ago
|
||
This bug prevents fuzzing from making progress; however, it has low severity. It is important for fuzz blocker bugs to be addressed in a timely manner (see here why?).
:dholbert, could you consider increasing the severity?
For more information, please visit BugBot documentation.
Flags: needinfo?(dholbert)
You need to log in
before you can comment on or make changes to this bug.
Description
•