Closed
Bug 1613210
Opened 5 years ago
Closed 5 years ago
AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:485:32 in Hdr
Categories
(Core :: Layout: Grid, defect, P2)
Core
Layout: Grid
Tracking
()
RESOLVED
FIXED
mozilla76
People
(Reporter: jkratzer, Assigned: MatsPalmgren_bugz)
References
(Blocks 1 open bug)
Details
(Keywords: crash, testcase)
Attachments
(2 files)
Testcase found while fuzzing mozilla-central rev b95921676bb4.
==15842==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fd72f6340a6 bp 0x7ffc08220150 sp 0x7ffc08220140 T0)
==15842==The signal is caused by a READ memory access.
==15842==Hint: address points to the zero page.
#0 0x7fd72f6340a5 in Hdr /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:485:32
#1 0x7fd72f6340a5 in Elements /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:1050:47
#2 0x7fd72f6340a5 in nsTArray_Impl<nsGridContainerFrame::GridItemInfo, nsTArrayInfallibleAllocator>::operator=(nsTArray_Impl<nsGridContainerFrame::GridItemInfo, nsTArrayInfallibleAllocator> const&) /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:966:45
#3 0x7fd72f5ded4a in operator= /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:2517:16
#4 0x7fd72f5ded4a in nsGridContainerFrame::IntrinsicISize(gfxContext*, nsLayoutUtils::IntrinsicISizeType) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:7976:22
#5 0x7fd72f5df2b3 in nsGridContainerFrame::GetPrefISize(gfxContext*) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:8017:30
#6 0x7fd72f51e993 in nsIFrame::ComputeISizeValue(gfxContext*, int, int, int, mozilla::StyleExtremumLength, nsIFrame::ComputeSizeFlags) /builds/worker/workspace/build/src/layout/generic/nsFrame.cpp:6604:16
#7 0x7fd72f3fd4ac in ComputeISizeValue<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> > /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:237:18
#8 0x7fd72f3fd4ac in int mozilla::SizeComputationInput::ComputeISizeValue<mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> >(int, mozilla::StyleBoxSizing, mozilla::StyleGenericSize<mozilla::StyleLengthPercentageUnion> const&) const /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:254:10
#9 0x7fd72f3fc8a5 in mozilla::ReflowInput::ComputeMinMaxValues(mozilla::LogicalSize const&) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2978:26
#10 0x7fd72f3edc86 in mozilla::ReflowInput::InitConstraints(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*, mozilla::LayoutFrameType) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:2324:5
#11 0x7fd72f3e7e2a in mozilla::ReflowInput::Init(nsPresContext*, mozilla::Maybe<mozilla::LogicalSize> const&, nsMargin const*, nsMargin const*) /builds/worker/workspace/build/src/layout/generic/ReflowInput.cpp:355:3
#12 0x7fd72f5c98d4 in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:6408:15
#13 0x7fd72f5ce1db in nsGridContainerFrame::ReflowRowsInFragmentainer(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer&, nsSize const&, nsTArray<nsGridContainerFrame::GridItemInfo const*> const&, unsigned int, unsigned int, int, int) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:6818:5
#14 0x7fd72f5cce6d in nsGridContainerFrame::ReflowInFragmentainer(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&, nsGridContainerFrame::Fragmentainer&, nsSize const&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:6727:10
#15 0x7fd72f5d169f in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:7058:13
#16 0x7fd72f5d3261 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGridContainerFrame.cpp:7454:11
#17 0x7fd72f482914 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:908:14
#18 0x7fd72f43a35d in nsContainerFrame::ReflowOverflowContainerChildren(nsPresContext*, mozilla::ReflowInput const&, nsOverflowAreas&, nsIFrame::ReflowChildFlags, nsReflowStatus&, void (*)(nsFrameList&, nsFrameList&, nsContainerFrame*)) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:1176:7
#19 0x7fd72f435053 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1365:5
#20 0x7fd72f482914 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:908:14
#21 0x7fd72f487128 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:732:7
#22 0x7fd72f485ff2 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:454:10
#23 0x7fd72f48b559 in nsColumnSetFrame::FindBestBalanceBSize(mozilla::ReflowInput const&, nsPresContext*, nsColumnSetFrame::ReflowConfig&, nsColumnSetFrame::ColumnBalanceData, mozilla::ReflowOutput&, bool, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1179:5
#24 0x7fd72f48be93 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1244:5
#25 0x7fd72f452aa8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:293:11
#26 0x7fd72f4490e9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3796:11
#27 0x7fd72f445967 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3143:5
#28 0x7fd72f43ca09 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2686:7
#29 0x7fd72f435354 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1398:3
#30 0x7fd72f452aa8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:293:11
#31 0x7fd72f4490e9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3796:11
#32 0x7fd72f445967 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3143:5
#33 0x7fd72f43ca09 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2686:7
#34 0x7fd72f435354 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1398:3
#35 0x7fd72f482914 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:908:14
#36 0x7fd72f487128 in nsColumnSetFrame::ReflowChildren(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig const&, bool) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:732:7
#37 0x7fd72f485f28 in nsColumnSetFrame::ReflowColumns(mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&, nsColumnSetFrame::ReflowConfig&, bool) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:442:37
#38 0x7fd72f48be16 in nsColumnSetFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsColumnSetFrame.cpp:1237:37
#39 0x7fd72f452aa8 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockReflowContext.cpp:293:11
#40 0x7fd72f4490e9 in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3796:11
#41 0x7fd72f445967 in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:3143:5
#42 0x7fd72f43ca09 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:2686:7
#43 0x7fd72f435354 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsBlockFrame.cpp:1398:3
#44 0x7fd72f482914 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:908:14
#45 0x7fd72f48198b in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsCanvasFrame.cpp:741:5
#46 0x7fd72f482914 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:908:14
#47 0x7fd72f563888 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:650:3
#48 0x7fd72f565115 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:764:3
#49 0x7fd72f569072 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/nsGfxScrollFrame.cpp:1143:3
#50 0x7fd72f425421 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/workspace/build/src/layout/generic/nsContainerFrame.cpp:948:14
#51 0x7fd72f4249c0 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/workspace/build/src/layout/generic/ViewportFrame.cpp:299:7
#52 0x7fd72f2462b9 in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9241:11
#53 0x7fd72f259547 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:9414:24
#54 0x7fd72f257dbd in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:4121:11
#55 0x7fd72f1e7bd9 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:2056:20
#56 0x7fd72f1f6b06 in TickDriver /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:374:13
#57 0x7fd72f1f6b06 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:351:7
#58 0x7fd72f1f668a in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:367:5
#59 0x7fd72f1f56b0 in RunRefreshDrivers /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:820:5
#60 0x7fd72f1f56b0 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:740:16
#61 0x7fd72f1f2d61 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::ParentProcessVsyncNotifier::Run() /builds/worker/workspace/build/src/layout/base/nsRefreshDriver.cpp:538:20
#62 0x7fd726b5da18 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
#63 0x7fd726b6882c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:486:10
#64 0x7fd727db6cdf in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
#65 0x7fd727cb0c47 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
#66 0x7fd727cb0c47 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
#67 0x7fd727cb0c47 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
#68 0x7fd72ed70a08 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
#69 0x7fd732667b1b in nsAppStartup::Run() /builds/worker/workspace/build/src/toolkit/components/startup/nsAppStartup.cpp:272:30
#70 0x7fd73287b7e0 in XREMain::XRE_mainRun() /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4560:22
#71 0x7fd73287d6e6 in XREMain::XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4695:8
#72 0x7fd73287e3c3 in XRE_main(int, char**, mozilla::BootstrapConfig const&) /builds/worker/workspace/build/src/toolkit/xre/nsAppRunner.cpp:4746:21
#73 0x561d4dc4c8ef in do_main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:217:22
#74 0x561d4dc4c8ef in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:339:16
#75 0x7fd7495a2b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/obj-firefox/dist/include/nsTArray.h:485:32 in Hdr
Flags: in-testsuite?
|
||
Comment 1•5 years ago
|
||
Hi Mats! Looks like some Grid code is crashing here. Would you be able to take a look?
Flags: needinfo?(mats)
Priority: -- → P2
|
Assignee | |
Comment 2•5 years ago
•
|
||
We're reflowing a fragmented subgrid; when setting up the ReflowInput for the 2nd fragment we call GetPrefISize on it and crash when trying to use the Subgrid frame property here (it's a null-pointer since only the the first continuation has that property):
https://searchfox.org/mozilla-central/rev/13b081a62d3f3e3e3120f95564529257b0bf451c/layout/generic/nsGridContainerFrame.cpp#7983
Assignee: nobody → mats
Flags: needinfo?(mats)
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Comment 4•5 years ago
|
||
|
||
Comment 5•5 years ago
|
||
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Keywords: regression
|
||
Updated•5 years ago
|
status-firefox75:
--- → affected
|
||
Comment 6•5 years ago
|
||
Mats, your patch got r+ a while ago. Are you planning to land it?
Flags: needinfo?(mats)
|
|
Assignee | |
Comment 7•5 years ago
|
||
Oh I thought I did... thanks for the reminder!
Flags: needinfo?(mats)
Pushed by mpalmgren@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/addbfd1a6e72
Delegate intrinsic size calls to the first continuation for nsGridContainerFrames. r=dholbert
|
||
Comment 9•5 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox76:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
|
||
Updated•5 years ago
|
status-firefox-esr68:
--- → wontfix
Flags: in-testsuite? → in-testsuite+
|
|
||
Comment 10•5 years ago
|
||
The patch landed in nightly and beta is affected.
:mats, is this bug important enough to require an uplift?
If not please set status_beta to wontfix.
For more information, please visit auto_nag documentation.
Flags: needinfo?(mats)
|
||
Comment 11•5 years ago
|
||
I guess this can ride the trains at this point.
You need to log in
before you can comment on or make changes to this bug.
Description
•