[first-letter][bidi] SEGV in GetWritingMode from nsLineLayout::NewPerFrameData()
Categories: Core :: Layout: Block and Inline, defect, P3
People: Reporter: tarafans7, Unassigned
References: Blocks 2 open bugs
Details: 4 keywords, Whiteboard: [bugmon:bisected,confirmed]
Attachments: 4 files
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Steps to reproduce:
A crash was found by fuzzing a Nightly build.
I used ffpuppet with the official ASAN nightly build on Mar 25.
PoC and ASAN log are attached.
From some study, I suspect this is a regression.
Comment 2•4 years ago
Hi reporter, do you have a regression range? I tried with mozregression but asan-debug builds there don't go back that far. I checked a 2019-07-01 build and could still reproduce.
This is a null pointer dereference so I'm not sure it needs to be a sec bug.
Hi,
Sorry, I was not clear, in fact.
I said that simply because I saw this: https://bugzilla.mozilla.org/show_bug.cgi?id=1493775
But that one is too old... that's why I still reported it as a new bug here.
Thanks.
Comment 4•4 years ago
Both the original test and this reduced testcase crash ~50% of the time on load (on Linux). After reloading a few times it always crashes though, so it can probably be made more reliable.
Comment 5•4 years ago
Here's a frame dump when we crash. The indicated (red) nsFirstLetterFrame has no children, but we assume it always has a child in Reflow:
https://searchfox.org/mozilla-central/rev/8526066f548af9ec3ebb462ff73c47ccc183f533/layout/generic/nsFirstLetterFrame.cpp#226
https://searchfox.org/mozilla-central/rev/8526066f548af9ec3ebb462ff73c47ccc183f533/layout/generic/nsLineLayout.cpp#749
https://searchfox.org/mozilla-central/rev/8526066f548af9ec3ebb462ff73c47ccc183f533/layout/generic/nsLineLayout.cpp#637
Comment 6•4 years ago
The empty nsFirstLetterFrame comes from nsBidiPresUtils::ResolveParagraph. As you can see in the frame dump above, it's a bidi-continuation. I can think of a few ways to fix this:
- when creating nsFirstLetterFrame bidi-continuations, always insert a text frame continuation too if it's missing
- make nsFirstLetterFrame::Reflow deal with having no children
- handle nsFirstLetterFrame as non-splittable in nsBidiPresUtils somehow
(I think 3 might lead to wrong bidi layout in some cases though, so it's probably not a good long term solution.)
Comment 7•4 years ago
Making the bug public since I'm pretty sure this always results in a safe null-pointer crash at worst.
Setting the priority to P3 since it seems unlikely this will affect many real web sites.
Comment 8•4 years ago
BTW, this is very likely the same underlying issue as bug 1493775, although I can't reproduce that bug so I can't say for sure. I'm marking that bug as depending on this one for now, since this is reproducible.
Comment 9•4 years ago
Bugbug thinks this bug is a regression, but please revert this change in case of error.
Comment 10•4 years ago
Because this bug's Severity has not been changed from the default since it was filed, and its Priority is P3 (Backlog,) indicating it has been triaged, the bug's Severity is being updated to S3 (normal.)
Comment 11•3 years ago
Bugmon Analysis
Verified bug as reproducible on mozilla-central 20210810094908-efefbf74d3fc.
Failed to bisect testcase (Testcase reproduces on start build!):
Start: 5d63045bb341739c7eff24fc3bac085ab873c4b5 (20200811214738)
End: 5d63045bb341739c7eff24fc3bac085ab873c4b5 (20200811214738)
BuildFlags: BuildFlags(asan=False, tsan=False, debug=False, fuzzing=False, coverage=False, valgrind=False, no_opt=False, fuzzilli=False)