Closed Bug 1616915 Opened 4 years ago Closed 4 years ago

AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.h:884:23 in SetHasStorageAccess

Categories

(Core :: DOM: Web Payments, defect, P2)


Tracking


RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- wontfix
firefox73 --- wontfix
firefox74 --- wontfix
firefox75 --- fixed

People

(Reporter: jkratzer, Assigned: baku)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: assertion, crash, regression)

Attachments

(2 files)

Attached file testcase.html

Testcase found while fuzzing mozilla-central rev b532be9d2719. Testcase must be served via HTTP and a build with --enable-fuzzing is required.

==11345==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000149 (pc 0x7f83cf169405 bp 0x7fff738ee3d0 sp 0x7fff738ee040 T0)
==11345==The signal is caused by a WRITE memory access.
==11345==Hint: address points to the zero page.
    #0 0x7f83cf169404 in SetHasStorageAccess /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.h:884:23
    #1 0x7f83cf169404 in mozilla::dom::Document::RequestStorageAccess(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Document.cpp:15774:10
    #2 0x7f83d0897ec1 in requestStorageAccess /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:7915:60
    #3 0x7f83d0897ec1 in mozilla::dom::Document_Binding::requestStorageAccess_promiseWrapper(JSContext*, JS::Handle<JSObject*>, void*, JSJitMethodCallArgs const&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/DocumentBinding.cpp:7929:13
    #4 0x7f83d0d2dcd8 in bool mozilla::dom::binding_detail::GenericMethod<mozilla::dom::binding_detail::NormalThisPolicy, mozilla::dom::binding_detail::ConvertExceptionsToPromises>(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/dom/bindings/BindingUtils.cpp:3170:13
    #5 0x7f83d71ebb53 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:13
    #6 0x7f83d71ebb53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:569:12
    #7 0x7f83d71ed94a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:632:10
    #8 0x7f83d71d2475 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:10
    #9 0x7f83d71d2475 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3049:16
    #10 0x7f83d71b5ad1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:449:10
    #11 0x7f83d71ebc35 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:604:13
    #12 0x7f83d71ed94a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:632:10
    #13 0x7f83d71edc26 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649:8
    #14 0x7f83d756f534 in js::PromiseObject::create(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, bool) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:2426:15
    #15 0x7f83d75b6bef in PromiseConstructor(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/js/src/builtin/Promise.cpp:2347:7
    #16 0x7f83d71ee570 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:13
    #17 0x7f83d71ee570 in CallJSNativeConstructor /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:493:8
    #18 0x7f83d71ee570 in InternalConstruct(JSContext*, js::AnyConstructArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:676:14
    #19 0x7f83d71edeb4 in js::ConstructFromStack(JSContext*, JS::CallArgs const&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:722:10
    #20 0x7f83d71c69a9 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3039:16
    #21 0x7f83d71b5ad1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:449:10
    #22 0x7f83d71ebc35 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:604:13
    #23 0x7f83d71ed94a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:632:10
    #24 0x7f83d71edc26 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649:8
    #25 0x7f83d7384912 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #26 0x7f83d0946820 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #27 0x7f83d13f1b9b in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #28 0x7f83d13f15d4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1073:43
    #29 0x7f83d13f2c36 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #30 0x7f83d13e091f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #31 0x7f83d13dee71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
    #32 0x7f83d13e392b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #33 0x7f83d397ff51 in mozilla::PresShell::EventHandler::DispatchEventToDOM(mozilla::WidgetEvent*, nsEventStatus*, nsPresShellEventCB*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:8282:7
    #34 0x7f83d397d0f0 in mozilla::PresShell::EventHandler::DispatchEvent(mozilla::EventStateManager*, mozilla::WidgetEvent*, bool, nsEventStatus*, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7828:7
    #35 0x7f83d3975a80 in mozilla::PresShell::EventHandler::HandleEventWithCurrentEventInfo(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7760:17
    #36 0x7f83d39763fa in mozilla::PresShell::EventHandler::HandleEventAtFocusedContent(mozilla::WidgetGUIEvent*, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:7489:7
    #37 0x7f83d3972f27 in mozilla::PresShell::EventHandler::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6533:12
    #38 0x7f83d3971c5c in mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) /builds/worker/workspace/build/src/layout/base/PresShell.cpp:6433:23
    #39 0x7f83d33b9130 in nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) /builds/worker/workspace/build/src/view/nsViewManager.cpp:751:18
    #40 0x7f83d33b8cfb in nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) /builds/worker/workspace/build/src/view/nsView.cpp:1134:9
    #41 0x7f83d34389b0 in mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) /builds/worker/workspace/build/src/widget/PuppetWidget.cpp:381:37
    #42 0x7f83d3446f34 in mozilla::widget::TextEventDispatcher::DispatchInputEvent(nsIWidget*, mozilla::WidgetInputEvent&, nsEventStatus&) /builds/worker/workspace/build/src/widget/TextEventDispatcher.cpp:257:18
    #43 0x7f83d3448ed1 in mozilla::widget::TextEventDispatcher::DispatchKeyboardEventInternal(mozilla::EventMessage, mozilla::WidgetKeyboardEvent const&, nsEventStatus&, void*, unsigned int, bool) /builds/worker/workspace/build/src/widget/TextEventDispatcher.cpp:653:3
    #44 0x7f83d3449a1f in mozilla::widget::TextEventDispatcher::MaybeDispatchKeypressEvents(mozilla::WidgetKeyboardEvent const&, nsEventStatus&, void*, bool) /builds/worker/workspace/build/src/widget/TextEventDispatcher.cpp:683:10
    #45 0x7f83cf2cb2dc in mozilla::TextInputProcessor::KeydownInternal(mozilla::WidgetKeyboardEvent const&, unsigned int, bool, unsigned int&) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1108:24
    #46 0x7f83cf2cfecd in mozilla::TextInputProcessor::Keydown(mozilla::WidgetKeyboardEvent const&, unsigned int, unsigned int*) /builds/worker/workspace/build/src/dom/base/TextInputProcessor.cpp:1045:10
    #47 0x7f83cf1b43d2 in mozilla::dom::FuzzingFunctions::SynthesizeKeyboardEvents(mozilla::dom::GlobalObject const&, nsTSubstring<char16_t> const&, mozilla::dom::KeyboardEventInit const&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/FuzzingFunctions.cpp:320:29
    #48 0x7f83d0a4482f in mozilla::dom::FuzzingFunctions_Binding::synthesizeKeyboardEvents(JSContext*, unsigned int, JS::Value*) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/FuzzingFunctionsBinding.cpp:131:3
    #49 0x7f83d71ebb53 in CallJSNative /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:477:13
    #50 0x7f83d71ebb53 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:569:12
    #51 0x7f83d71ed94a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:632:10
    #52 0x7f83d71d2475 in CallFromStack /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:636:10
    #53 0x7f83d71d2475 in Interpret(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:3049:16
    #54 0x7f83d71b5ad1 in js::RunScript(JSContext*, js::RunState&) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:449:10
    #55 0x7f83d71ebc35 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:604:13
    #56 0x7f83d71ed94a in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:632:10
    #57 0x7f83d71edc26 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>, js::CallReason) /builds/worker/workspace/build/src/js/src/vm/Interpreter.cpp:649:8
    #58 0x7f83d7384912 in JS::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, JS::HandleValueArray const&, JS::MutableHandle<JS::Value>) /builds/worker/workspace/build/src/js/src/jsapi.cpp:2797:10
    #59 0x7f83d0946820 in mozilla::dom::EventListener::HandleEvent(JSContext*, JS::Handle<JS::Value>, mozilla::dom::Event&, mozilla::ErrorResult&) /builds/worker/workspace/build/src/obj-firefox/dom/bindings/EventListenerBinding.cpp:52:8
    #60 0x7f83d13f1b9b in void mozilla::dom::EventListener::HandleEvent<mozilla::dom::EventTarget*>(mozilla::dom::EventTarget* const&, mozilla::dom::Event&, mozilla::ErrorResult&, char const*, mozilla::dom::CallbackObject::ExceptionHandling, JS::Realm*) /builds/worker/workspace/build/src/obj-firefox/dist/include/mozilla/dom/EventListenerBinding.h:66:12
    #61 0x7f83d13f15d4 in mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener*, mozilla::dom::Event*, mozilla::dom::EventTarget*) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1073:43
    #62 0x7f83d13f2c36 in mozilla::EventListenerManager::HandleEventInternal(nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event**, mozilla::dom::EventTarget*, nsEventStatus*, bool) /builds/worker/workspace/build/src/dom/events/EventListenerManager.cpp:1271:17
    #63 0x7f83d13e091f in mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor&, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:356:17
    #64 0x7f83d13dee71 in mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem>&, mozilla::EventChainPostVisitor&, mozilla::EventDispatchingCallback*, mozilla::ELMCreationDetector&) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:558:16
    #65 0x7f83d13e392b in mozilla::EventDispatcher::Dispatch(nsISupports*, nsPresContext*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsEventStatus*, mozilla::EventDispatchingCallback*, nsTArray<mozilla::dom::EventTarget*>*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp:1055:11
    #66 0x7f83d13e8899 in mozilla::EventDispatcher::DispatchDOMEvent(nsISupports*, mozilla::WidgetEvent*, mozilla::dom::Event*, nsPresContext*, nsEventStatus*) /builds/worker/workspace/build/src/dom/events/EventDispatcher.cpp
    #67 0x7f83cf3f0b8e in nsINode::DispatchEvent(mozilla::dom::Event&, mozilla::dom::CallerType, mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/nsINode.cpp:1269:17
    #68 0x7f83cee4f5c7 in nsContentUtils::DispatchEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, mozilla::Trusted, bool*, mozilla::ChromeOnlyDispatch) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4077:28
    #69 0x7f83cee4f303 in nsContentUtils::DispatchTrustedEvent(mozilla::dom::Document*, nsISupports*, nsTSubstring<char16_t> const&, mozilla::CanBubble, mozilla::Cancelable, mozilla::Composed, bool*) /builds/worker/workspace/build/src/dom/base/nsContentUtils.cpp:4047:10
    #70 0x7f83cf114075 in mozilla::dom::Document::DispatchContentLoadedEvents() /builds/worker/workspace/build/src/dom/base/Document.cpp:7249:3
    #71 0x7f83cf1e0d64 in applyImpl<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1160:12
    #72 0x7f83cf1e0d64 in apply<mozilla::dom::Document, void (mozilla::dom::Document::*)()> /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1166:12
    #73 0x7f83cf1e0d64 in mozilla::detail::RunnableMethodImpl<mozilla::dom::Document*, void (mozilla::dom::Document::*)(), true, (mozilla::RunnableKind)0>::Run() /builds/worker/workspace/build/src/obj-firefox/dist/include/nsThreadUtils.h:1212:13
    #74 0x7f83cb194c1d in mozilla::SchedulerGroup::Runnable::Run() /builds/worker/workspace/build/src/xpcom/threads/SchedulerGroup.cpp:282:20
    #75 0x7f83cb1c93a8 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/workspace/build/src/xpcom/threads/nsThread.cpp:1220:14
    #76 0x7f83cb1d420c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/workspace/build/src/xpcom/threads/nsThreadUtils.cpp:481:10
    #77 0x7f83cc43138f in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/workspace/build/src/ipc/glue/MessagePump.cpp:87:21
    #78 0x7f83cc323ef7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #79 0x7f83cc323ef7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #80 0x7f83cc323ef7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #81 0x7f83d3461198 in nsBaseAppShell::Run() /builds/worker/workspace/build/src/widget/nsBaseAppShell.cpp:137:27
    #82 0x7f83d6f85d06 in XRE_RunAppShell() /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:943:20
    #83 0x7f83cc323ef7 in RunInternal /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:315:10
    #84 0x7f83cc323ef7 in RunHandler /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:308:3
    #85 0x7f83cc323ef7 in MessageLoop::Run() /builds/worker/workspace/build/src/ipc/chromium/src/base/message_loop.cc:290:3
    #86 0x7f83d6f85350 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/workspace/build/src/toolkit/xre/nsEmbedFunctions.cpp:778:34
    #87 0x557e8c8c0433 in content_process_main /builds/worker/workspace/build/src/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
    #88 0x557e8c8c0433 in main /builds/worker/workspace/build/src/browser/app/nsBrowserApp.cpp:303:18
    #89 0x7f83edd03b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.h:884:23 in SetHasStorageAccess
Component: DOM: Core & HTML → DOM: Web Payments
Priority: -- → P2
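To triage a report like the one above, the following added example (not code from the bug, the testcase, or Firefox) parses the ASan SEGV header, the access type and the symbolised frames, and classifies the fault. A fault address inside the zero page, such as 0x149 here, points to a null object pointer plus a member offset rather than a corrupted pointer, which is exactly the missing null check the later comments identify. The regexes, the `PAGE_SIZE` constant and the one-line verdict format are this example's own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample: the first lines of the AddressSanitizer report quoted in this bug.
SAMPLE_REPORT = """\
==11345==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000149 (pc 0x7f83cf169405 bp 0x7fff738ee3d0 sp 0x7fff738ee040 T0)
==11345==The signal is caused by a WRITE memory access.
==11345==Hint: address points to the zero page.
    #0 0x7f83cf169404 in SetHasStorageAccess /builds/worker/workspace/build/src/dom/base/nsGlobalWindowOuter.h:884:23
    #1 0x7f83cf169404 in mozilla::dom::Document::RequestStorageAccess(mozilla::ErrorResult&) /builds/worker/workspace/build/src/dom/base/Document.cpp:15774:10
"""

PAGE_SIZE = 4096  # assumption: the "zero page" ASan hints at is [0, PAGE_SIZE) on x86-64 Linux

HEADER_RE = re.compile(
    r"^==(?P<pid>\d+)==ERROR: AddressSanitizer: SEGV on unknown address 0x(?P<addr>[0-9a-f]+)", re.M)
ACCESS_RE = re.compile(r"^==\d+==The signal is caused by a (?P<access>READ|WRITE) memory access\.", re.M)
# "#N 0xPC in <function> <file>:<line>[:<col>]"; the function may contain spaces, the path cannot.
FRAME_RE = re.compile(
    r"^\s*#(?P<idx>\d+) 0x[0-9a-f]+ in (?P<func>.+) (?P<file>\S+?):(?P<line>\d+)(?::\d+)?$", re.M)

Frame = Tuple[int, str, str, int]  # (frame index, function, file, line)


@dataclass
class SegvTriage:
    pid: int
    address: int
    access: str  # "READ", "WRITE" or "UNKNOWN"
    frames: List[Frame] = field(default_factory=list)

    @property
    def kind(self) -> str:
        return classify(self.address)

    @property
    def top_frame(self) -> Optional[Frame]:
        return self.frames[0] if self.frames else None


def classify(address: int) -> str:
    """A fault inside the zero page is almost always null + member offset (0x149 here),
    i.e. a missing null check, whereas a high address suggests a corrupted pointer."""
    return "near-null" if address < PAGE_SIZE else "wild"


def triage_segv(report: str) -> Optional[SegvTriage]:
    """Parse the SEGV header, access type and symbolised frames of an ASan report."""
    header = HEADER_RE.search(report)
    if header is None:
        return None  # not a SEGV report; other ASan bug classes use a different header
    access = ACCESS_RE.search(report)
    frames = [(int(m["idx"]), m["func"], m["file"], int(m["line"])) for m in FRAME_RE.finditer(report)]
    return SegvTriage(pid=int(header["pid"]), address=int(header["addr"], 16),
                      access=access["access"] if access else "UNKNOWN", frames=frames)


def summarize(t: SegvTriage) -> str:
    """One-line triage verdict usable as a bug title or a deduplication key."""
    where = "unknown frame"
    if t.top_frame:
        _, func, path, line = t.top_frame
        where = f"{func} ({path.rsplit('/', 1)[-1]}:{line})"
    offset = f" at offset 0x{t.address:x} from null" if t.kind == "near-null" else f" at 0x{t.address:x}"
    return f"{t.kind} {t.access}{offset} in {where}"
```

Frames that ASan prints without a source line (like frame #66 in the full trace) do not match `FRAME_RE` and are skipped, so the top frame is always one with a file and line.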

AFAICT in nsIDocument::RequestStorageAccess outer can be null if inner is null, and we don't seem to null-check outer before calling SetHasStorageAccess on it. It is weird that inner is null, but we do null-check it earlier before trying to get outer from it.

Flags: needinfo?(ehsan)
Flags: needinfo?(amarchesini)
Regressed by: 1490811
Has Regression Range: --- → yes

Let me add a nullptr check.

Flags: needinfo?(amarchesini)
Assignee: nobody → amarchesini
Status: NEW → ASSIGNED
Pushed by amarchesini@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/da929c510360
Document.requestStorageAccess should work only if the document has an inner and an outer window, r=Ehsan
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: in-testsuite?
Flags: needinfo?(ehsan)
Flags: in-testsuite?
Flags: in-testsuite-