Closed Bug 1625051 Opened 4 years ago Closed 4 years ago

MOZ_Crash in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1()

Categories

(Core :: Layout: Grid, defect, P1)

Product:
Core
Component:
Layout: Grid
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla76
Tracking Flags:
Tracking Status
thunderbird_esr60 --- unaffected
thunderbird_esr68 --- unaffected
firefox-esr68 --- unaffected
firefox74 --- unaffected
firefox75 --- unaffected
firefox76 --- fixed

People

(Reporter: tarafans7, Assigned: alaskanemily)

References

(Regression)

Details

(Keywords: regression)

Attachments

(4 files)

poc.html
1.05 KB, text/html
Details
Reduced testcase
216 bytes, text/html
Details
Bug 1625051 Part 1 - Fix calculation of maximum repeat count for grid repeat(auto)
47 bytes, text/x-phabricator-request
Details | Review
Bug 1625051 Part 2 - Tests for max number of repeats in a grid template
47 bytes, text/x-phabricator-request
Details | Review
Attached file poc.html

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36

Steps to reproduce:

A bug found in Nightly by fuzzing. Here I use the mozilla-central optimized Nightly builds on Mar 25.

Actual results:

Crash log:

=================================================================
==35001==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fbad9edd080 bp 0x7ffd29f424a0 sp 0x7ffd29f424a0 T0)
==35001==The signal is caused by a WRITE memory access.
==35001==Hint: address points to the zero page.
#0 0x7fbad9edd07f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:332:3
#1 0x7fbad9edd07f in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:27:3
#2 0x7fbae192074f in nsTArray_Impl<nsGridContainerFrame::TrackSize, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1196:7
#3 0x7fbae18a90f1 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1232:53
#4 0x7fbae18a90f1 in nsGridContainerFrame::Tracks::ResolveIntrinsicSizeStep1(nsGridContainerFrame::GridReflowInput&, nsGridContainerFrame::TrackSizingFunctions const&, int, SizingConstraint, nsGridContainerFrame::LineRange const&, nsGridContainerFrame::GridItemInfo const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5168:19
#5 0x7fbae18a4620 in nsGridContainerFrame::Tracks::ResolveIntrinsicSize(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::, int, SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5629:11
#6 0x7fbae188e035 in nsGridContainerFrame::Tracks::CalculateSizes(nsGridContainerFrame::GridReflowInput&, nsTArray<nsGridContainerFrame::GridItemInfo>&, nsGridContainerFrame::TrackSizingFunctions const&, int, nsGridContainerFrame::LineRange nsGridContainerFrame::GridArea::, SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:5127:3
#7 0x7fbae188c467 in nsGridContainerFrame::GridReflowInput::CalculateTrackSizesForAxis(mozilla::LogicalAxis, nsGridContainerFrame::Grid const&, int, SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3457:12
#8 0x7fbae18902cc in nsGridContainerFrame::GridReflowInput::CalculateTrackSizes(nsGridContainerFrame::Grid const&, mozilla::LogicalSize const&, SizingConstraint) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3493:3
#9 0x7fbae18c02af in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7447:21
#10 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#11 0x7fbae18b6c2b in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6540:3
#12 0x7fbae18be53e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7128:7
#13 0x7fbae18c09a1 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7514:11
#14 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#15 0x7fbae18b6c2b in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6540:3
#16 0x7fbae18be53e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7128:7
#17 0x7fbae18c09a1 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7514:11
#18 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#19 0x7fbae18b6c2b in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6540:3
#20 0x7fbae18be53e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7128:7
#21 0x7fbae18c09a1 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7514:11
#22 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#23 0x7fbae18b6c2b in nsGridContainerFrame::ReflowInFlowChild(nsIFrame*, nsGridContainerFrame::GridItemInfo const*, nsSize, mozilla::Maybe<int> const&, nsGridContainerFrame::Fragmentainer const*, nsGridContainerFrame::GridReflowInput const&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:6540:3
#24 0x7fbae18be53e in nsGridContainerFrame::ReflowChildren(nsGridContainerFrame::GridReflowInput&, mozilla::LogicalRect const&, mozilla::ReflowOutput&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7128:7
#25 0x7fbae18c09a1 in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7514:11
#26 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#27 0x7fbae17680f4 in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:750:5
#28 0x7fbae1768fb4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#29 0x7fbae184ee49 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:653:3
#30 0x7fbae18508c5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:767:3
#31 0x7fbae1854618 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1154:3
#32 0x7fbae170b831 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:946:14
#33 0x7fbae170ae58 in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:299:7
#34 0x7fbae152c19e in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9314:11
#35 0x7fbae153eca7 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9487:24
#36 0x7fbae153d552 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4158:11
#37 0x7fbae14ccbf3 in FlushPendingNotifications /builds/worker/workspace/obj-build/dist/include/mozilla/PresShell.h:1453:5
#38 0x7fbae14ccbf3 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2070:20
#39 0x7fbae14db7d6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#40 0x7fbae14db7d6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#41 0x7fbae14db36c in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#42 0x7fbae14da352 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:828:5
#43 0x7fbae14da352 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:16
#44 0x7fbae14d9448 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:645:9
#45 0x7fbae1c58c89 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#46 0x7fbadb66b138 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#47 0x7fbadb3e629b in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5970:32
#48 0x7fbadb077aec in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
#49 0x7fbadb074bf7 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
#50 0x7fbadb07605f in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
#51 0x7fbadb07686e in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
#52 0x7fbada00cece in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
#53 0x7fbada01795c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#54 0x7fbadb07f86a in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#55 0x7fbadafac3f7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#56 0x7fbadafac3f7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#57 0x7fbadafac3f7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#58 0x7fbae104ef08 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#59 0x7fbae47feec6 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#60 0x7fbadafac3f7 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#61 0x7fbadafac3f7 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#62 0x7fbadafac3f7 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#63 0x7fbae47fe581 in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#64 0x556ee75a3fbb in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#65 0x556ee75a3fbb in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#66 0x7fbaf8c95b96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#67 0x556ee74f9998 in _start (/home/wen/firefox/firefox+0x9d998)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:332:3 in MOZ_Crash
==35001==ABORTING

Found by Wen Xu from sslab, gatech.

Group: firefox-core-security → layout-core-security
Component: Untriaged → Layout
Flags: needinfo?(emilio)
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Component: Layout → Layout: Grid
Ever confirmed: true
Flags: needinfo?(emilio) → needinfo?(mats)
Attached file Reduced testcase
Flags: needinfo?(mats)

In a local build on Linux I get this regression range:
good: 4db022e14a60
bad: 3d385f974d44
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=4db022e14a60&tochange=3d385f974d44
which points to bug 1341507... I'll try to narrow that down more to confirm.

Flags: needinfo?(emcdonough)
Keywords: regression
Priority: -- → P1
Regressed by: 1341507
Has Regression Range: --- → yes

Confirmed. rev dc36babfbd534a7238bd363b397c7019c06c5cd6 is good. It's the rev immediately before bug 1341507 landed.
https://hg.mozilla.org/integration/autoland/pushloghtml?fromchange=dc36babfbd534a7238bd363b397c7019c06c5cd6&tochange=3d385f974d44

Yeah, nothing else in that range really looked like it would make sense here. I'll take a look.

Assignee: nobody → emcdonough
Status: NEW → ASSIGNED

Fix and crashtest in review now.

Flags: needinfo?(emcdonough)
Attachment #9136196 - Attachment description: Bug 1625051 - Fix calculation of maximum repeat count for grid repeat(auto) → Bug 1625051 Part 1 - Fix calculation of maximum repeat count for grid repeat(auto)

AFAICT, the bug always fails in a nsTArray array bounds check, which intentionally triggers a safe crash, so this isn't a security issue. I think we can unhide this bug.

Group: layout-core-security
Pushed by shindli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/9d55c65d9354
Part 1 - Fix calculation of maximum repeat count for grid repeat(auto) r=mats

https://hg.mozilla.org/mozilla-central/rev/9d55c65d9354

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox76: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla76
Pushed by shindli@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e50e1f2ebf16
Part 2 - Tests for max number of repeats in a grid template r=mats
Regressions: 1633737
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: