InvalidArrayIndex_CRASH @ nsGridContainerFrame::LineNameMap::GetLineNamesAt
Categories
(Core :: Layout: Grid, defect, P2)
Tracking
Version | Tracking | Status
---|---|---
firefox-esr68 | --- | unaffected
firefox75 | --- | wontfix
firefox76 | --- | wontfix
firefox77 | --- | fixed
firefox78 | --- | fixed
People
(Reporter: marcin.noga, Assigned: alaskanemily)
References
(Regression)
Details
(Keywords: crash, regression, testcase)
Attachments (3 files, 1 obsolete file)
- 1.02 KB, text/html
- 12.31 KB, text/plain
- 47 bytes, text/x-phabricator-request; pascalc: approval-mozilla-beta+
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36
Steps to reproduce:
Load attached Grid_layout_GetLineNamesAt.html file in Firefox.
Actual results:
AddressSanitizer:DEADLYSIGNAL
==40594==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000001 (pc 0x7fca22015520 bp 0x7ffe3280fc20 sp 0x7ffe3280fc20 T0)
==40594==The signal is caused by a WRITE memory access.
==40594==Hint: address points to the zero page.
#0 0x7fca2201551f in MOZ_Crash /builds/worker/workspace/obj-build/dist/include/mozilla/Assertions.h:332:3
#1 0x7fca2201551f in InvalidArrayIndex_CRASH(unsigned long, unsigned long) /builds/worker/checkouts/gecko/xpcom/ds/nsTArray.cpp:27:3
#2 0x7fca2acf5a59 in nsTArray_Impl<mozilla::SmallPointerArray<mozilla::StyleOwnedSlice<mozilla::StyleCustomIdent> const>, nsTArrayInfallibleAllocator>::ElementAt(unsigned long) const /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1208:7
#3 0x7fca2acf05c6 in operator[] /builds/worker/workspace/obj-build/dist/include/nsTArray.h:1237:12
#4 0x7fca2acf05c6 in nsGridContainerFrame::LineNameMap::GetLineNamesAt(unsigned int) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1804:29
#5 0x7fca2acf0324 in nsGridContainerFrame::LineNameMap::HasNameAt(unsigned int, nsAtom*) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1752:28
#6 0x7fca2acf0218 in nsGridContainerFrame::LineNameMap::Contains(unsigned int, nsAtom*) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1726:51
#7 0x7fca2acef8e8 in nsGridContainerFrame::LineNameMap::FindLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1661:11
#8 0x7fca2ac7432a in nsGridContainerFrame::LineNameMap::FindNamedLine(nsAtom*, int*, unsigned int, nsTArray<unsigned int> const&) const /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:1517:14
#9 0x7fca2ac734e2 in nsGridContainerFrame::Grid::ResolveLine(mozilla::StyleGenericGridLine<int> const&, int, unsigned int, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalSide, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3800:23
#10 0x7fca2ac74681 in nsGridContainerFrame::Grid::ResolveLineRangeHelper(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3879:13
#11 0x7fca2ac74e2c in nsGridContainerFrame::Grid::ResolveLineRange(mozilla::StyleGenericGridLine<int> const&, mozilla::StyleGenericGridLine<int> const&, nsGridContainerFrame::LineNameMap const&, mozilla::LogicalAxis, unsigned int, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3923:16
#12 0x7fca2ac7510a in nsGridContainerFrame::Grid::PlaceDefinite(nsIFrame*, nsGridContainerFrame::LineNameMap const&, nsGridContainerFrame::LineNameMap const&, nsStylePosition const*) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:3951:7
#13 0x7fca2ac7a7dc in nsGridContainerFrame::Grid::PlaceGridItems(nsGridContainerFrame::GridReflowInput&, RepeatTrackSizingInput const&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:4381:9
#14 0x7fca2ac9de5b in nsGridContainerFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGridContainerFrame.cpp:7438:12
#15 0x7fca2ab1e5a5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#16 0x7fca2ab1535d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3804:11
#17 0x7fca2ab11ccb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3151:5
#18 0x7fca2ab08b94 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2689:7
#19 0x7fca2ab01951 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1401:3
#20 0x7fca2ab1e5a5 in nsBlockReflowContext::ReflowBlock(mozilla::LogicalRect const&, bool, nsCollapsingMargin&, int, bool, nsLineBox*, mozilla::ReflowInput&, nsReflowStatus&, mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockReflowContext.cpp:293:11
#21 0x7fca2ab1535d in nsBlockFrame::ReflowBlockFrame(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3804:11
#22 0x7fca2ab11ccb in nsBlockFrame::ReflowLine(mozilla::BlockReflowInput&, nsLineList_iterator, bool*) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:3151:5
#23 0x7fca2ab08b94 in nsBlockFrame::ReflowDirtyLines(mozilla::BlockReflowInput&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:2689:7
#24 0x7fca2ab01951 in nsBlockFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsBlockFrame.cpp:1401:3
#25 0x7fca2ab4daf4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#26 0x7fca2ab4c8dd in nsCanvasFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsCanvasFrame.cpp:750:5
#27 0x7fca2ab4daf4 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, mozilla::WritingMode const&, mozilla::LogicalPoint const&, nsSize const&, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:906:14
#28 0x7fca2ac31f71 in nsHTMLScrollFrame::ReflowScrolledFrame(mozilla::ScrollReflowInput*, bool, bool, mozilla::ReflowOutput*) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:653:3
#29 0x7fca2ac337a5 in nsHTMLScrollFrame::ReflowContents(mozilla::ScrollReflowInput*, mozilla::ReflowOutput const&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:767:3
#30 0x7fca2ac376f8 in nsHTMLScrollFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/nsGfxScrollFrame.cpp:1154:3
#31 0x7fca2aaf2121 in nsContainerFrame::ReflowChild(nsIFrame*, nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, int, int, nsIFrame::ReflowChildFlags, nsReflowStatus&, nsOverflowContinuationTracker*) /builds/worker/checkouts/gecko/layout/generic/nsContainerFrame.cpp:946:14
#32 0x7fca2aaf178b in mozilla::ViewportFrame::Reflow(nsPresContext*, mozilla::ReflowOutput&, mozilla::ReflowInput const&, nsReflowStatus&) /builds/worker/checkouts/gecko/layout/generic/ViewportFrame.cpp:299:7
#33 0x7fca2a918e4c in mozilla::PresShell::DoReflow(nsIFrame*, bool, mozilla::OverflowChangedTracker*) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9308:11
#34 0x7fca2a92b957 in mozilla::PresShell::ProcessReflowCommands(bool) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:9481:24
#35 0x7fca2a92a3d3 in mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) /builds/worker/checkouts/gecko/layout/base/PresShell.cpp:4158:11
#36 0x7fca2a8bb2a7 in nsRefreshDriver::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:2071:20
#37 0x7fca2a8c9be6 in TickDriver /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:374:13
#38 0x7fca2a8c9be6 in mozilla::RefreshDriverTimer::TickRefreshDrivers(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:351:7
#39 0x7fca2a8c97e5 in mozilla::RefreshDriverTimer::Tick(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:368:5
#40 0x7fca2a8c8812 in RunRefreshDrivers /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:828:5
#41 0x7fca2a8c8812 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::layers::BaseTransactionId<mozilla::VsyncIdType>, mozilla::TimeStamp) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:746:16
#42 0x7fca2a8c7991 in mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/base/nsRefreshDriver.cpp:645:9
#43 0x7fca2b02c389 in mozilla::layout::VsyncChild::RecvNotify(mozilla::VsyncEvent const&) /builds/worker/checkouts/gecko/layout/ipc/VsyncChild.cpp:55:16
#44 0x7fca24025dc0 in mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PVsyncChild.cpp:187:54
#45 0x7fca23ae7870 in mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) /builds/worker/workspace/obj-build/ipc/ipdl/PBackgroundChild.cpp:5970:32
#46 0x7fca233fe1c0 in mozilla::ipc::MessageChannel::DispatchAsyncMessage(mozilla::ipc::ActorLifecycleProxy*, IPC::Message const&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2187:25
#47 0x7fca233f9376 in mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:2111:9
#48 0x7fca233fb8c4 in mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1959:3
#49 0x7fca233fc7a0 in mozilla::ipc::MessageChannel::MessageTask::Run() /builds/worker/checkouts/gecko/ipc/glue/MessageChannel.cpp:1990:13
#50 0x7fca2213aaf0 in nsThread::ProcessNextEvent(bool, bool*) /builds/worker/checkouts/gecko/xpcom/threads/nsThread.cpp:1220:14
#51 0x7fca2214591c in NS_ProcessNextEvent(nsIThread*, bool) /builds/worker/checkouts/gecko/xpcom/threads/nsThreadUtils.cpp:481:10
#52 0x7fca23409dff in mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) /builds/worker/checkouts/gecko/ipc/glue/MessagePump.cpp:87:21
#53 0x7fca232fce27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#54 0x7fca232fce27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#55 0x7fca232fce27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#56 0x7fca2a42a528 in nsBaseAppShell::Run() /builds/worker/checkouts/gecko/widget/nsBaseAppShell.cpp:137:27
#57 0x7fca2df7c076 in XRE_RunAppShell() /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:909:20
#58 0x7fca232fce27 in RunInternal /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:315:10
#59 0x7fca232fce27 in RunHandler /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:308:3
#60 0x7fca232fce27 in MessageLoop::Run() /builds/worker/checkouts/gecko/ipc/chromium/src/base/message_loop.cc:290:3
#61 0x7fca2df7b72a in XRE_InitChildProcess(int, char**, XREChildData const*) /builds/worker/checkouts/gecko/toolkit/xre/nsEmbedFunctions.cpp:740:34
#62 0x55bfba2949d3 in content_process_main /builds/worker/checkouts/gecko/browser/app/../../ipc/contentproc/plugin-container.cpp:56:28
#63 0x55bfba2949d3 in main /builds/worker/checkouts/gecko/browser/app/nsBrowserApp.cpp:303:18
#64 0x7fca450dbb96 in __libc_start_main /build/glibc-OTsEL5/glibc-2.27/csu/../csu/libc-start.c:310
#65 0x55bfba1ea37c in _start (/home/icewall/tools/fuzzing/browsers/firefox/firefox+0x9c37c)
Expected results:
.
$ hg id -i
da2b1829e1fd
$ uname -a
Linux ubuntu 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Comment 3•4 years ago
Probably a regression from bug 1341507 given that the testcase uses multiple track values inside a repeat(auto-fill).
Comment 4 (Assignee)•4 years ago
This only occurred when a grid with a repeat with multiple values was used.
Comment 5•4 years ago
Resetting severity to default of --.
Comment 7 (Assignee)•4 years ago
This only occurred when a grid with a repeat with multiple values was used. Also add crashtests for this case, and update some comments on LineNameMap's fields while we are here.
Pushed by csabou@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/0c1494c8c04a Fix incorrect grid template size in the line name map r=mats
Comment 9•4 years ago
Backed out changeset 0c1494c8c04a (bug 1629575) by alaskanemily's request
Backout link: https://hg.mozilla.org/integration/autoland/rev/6da1d9c3a9c2822cf85de9c559d58cce81a167ef
Comment 10•4 years ago
Pushed by rmaries@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/594bfcb374fd [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track. r=mats
Comment 11•4 years ago
bugherder
Comment 12 (Assignee)•4 years ago
Comment on attachment 9141120 [details]
Bug 1629575 - [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track.
Beta/Release Uplift Approval Request
- User impact if declined: CSS grids with a template that has a repeat(auto-fill/fit) of more than one track, and that has a grid item with a line name not present in the grid template will crash.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is relatively small, and the area of code is covered by existing web platform tests and now additional crashtests
- String changes made/needed:
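The condition the uplift request above describes (a repeat(auto-fill/fit) holding more than one track, plus a grid item naming a line that the template does not define) and the commit message in comment 10 (the template-lines end index being initialized inconsistently with the expanded template) can be modelled in a few dozen lines. The block below is a constructed example added to this page; it is not Gecko code, and every identifier in it (Track, Template, LineNameMap, Expand, BuildMap, FindLineSafe, the sample template, and in particular the "buggy" formula) is this example's own rather than the real nsGridContainerFrame implementation. It shows why a single-track repeat never exposed the miscount, how an unchecked scan up to an overshooting end walks past the names array (the out-of-range index that nsTArray reports as InvalidArrayIndex_CRASH), and the invariant a fix has to restore.

```cpp
#include <algorithm>
#include <cstddef>
#include <optional>
#include <string>
#include <utility>
#include <vector>

// One grid track together with the line names declared before it.
struct Track {
  std::vector<std::string> names;
};

// A grid template as written: tracks before a repeat(auto-fill, ...),
// the tracks inside the repeat(), and the tracks after it.
struct Template {
  std::vector<Track> before;
  std::vector<Track> repeatTracks;
  std::vector<Track> after;
};

// Simplified line-name map for this example (not Gecko's LineNameMap).
struct LineNameMap {
  std::vector<std::vector<std::string>> lineNames;  // names at each grid line
  size_t templateLinesEnd;  // one past the last line the template defines
};

Track MakeTrack(std::vector<std::string> names) { return Track{std::move(names)}; }

// Expand the template for a repetition count. Real layout derives that count
// from the available space; here it is simply a parameter.
std::vector<Track> Expand(const Template& t, size_t repetitions) {
  std::vector<Track> out(t.before);
  for (size_t r = 0; r < repetitions; ++r) {
    out.insert(out.end(), t.repeatTracks.begin(), t.repeatTracks.end());
  }
  out.insert(out.end(), t.after.begin(), t.after.end());
  return out;
}

// Line i carries the names declared before track i; the closing line after the
// last track carries none in this model, so there are tracks + 1 lines.
std::vector<std::vector<std::string>> LineNamesOf(const std::vector<Track>& tracks) {
  std::vector<std::vector<std::string>> lines;
  for (const Track& t : tracks) lines.push_back(t.names);
  lines.emplace_back();
  return lines;
}

// Correct end: each repetition contributes all k repeat tracks, plus one closing line.
size_t TemplateLinesEndCorrect(const Template& t, size_t repetitions) {
  return t.before.size() + repetitions * t.repeatTracks.size() + t.after.size() + 1;
}

// Hypothetical miscount, constructed for this example: the repeat's track count
// k is used where the single closing line belongs. For k == 1 both formulas
// agree, so a single-track repeat never exposes it; for k > 1 the end overshoots
// the names array by k - 1.
size_t TemplateLinesEndBuggy(const Template& t, size_t repetitions) {
  return t.before.size() + repetitions * t.repeatTracks.size() + t.after.size() +
         t.repeatTracks.size();
}

LineNameMap BuildMap(const Template& t, size_t repetitions, bool buggy) {
  LineNameMap m;
  m.lineNames = LineNamesOf(Expand(t, repetitions));
  m.templateLinesEnd = buggy ? TemplateLinesEndBuggy(t, repetitions)
                             : TemplateLinesEndCorrect(t, repetitions);
  return m;
}

// The invariant a fix restores: the end index matches the names array.
bool EndIsConsistent(const LineNameMap& m) {
  return m.templateLinesEnd == m.lineNames.size();
}

// Search for a named line below templateLinesEnd. An unchecked loop reading
// lineNames[i] for every i < templateLinesEnd walks past the array when the end
// overshoots and the name is absent, because nothing stops the scan early. This
// version clamps to the array and fails closed with std::nullopt.
std::optional<size_t> FindLineSafe(const LineNameMap& m, const std::string& name) {
  size_t end = std::min(m.templateLinesEnd, m.lineNames.size());
  for (size_t i = 0; i < end; ++i) {
    for (const std::string& n : m.lineNames[i]) {
      if (n == name) return i;
    }
  }
  return std::nullopt;
}

// Constructed sample: [a] 100px repeat(auto-fill, [b] 50px [c] 50px) [d] 100px
Template SampleTemplate() {
  Template t;
  t.before.push_back(MakeTrack({"a"}));
  t.repeatTracks.push_back(MakeTrack({"b"}));
  t.repeatTracks.push_back(MakeTrack({"c"}));
  t.after.push_back(MakeTrack({"d"}));
  return t;
}
```

With three repetitions the sample expands to eight tracks and nine lines; the correct end is 9, the constructed miscount yields 10, and a lookup for a name that is not in the template is exactly the case where an unchecked scan reaches index 9. EndIsConsistent is the kind of assertion worth keeping in debug builds next to the map's constructor, since it catches any future miscount at construction time rather than at the first lookup of an absent name.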
Comment 13•4 years ago
Comment on attachment 9141120 [details]
Bug 1629575 - [css-grid] Initialize LineNameMap::mTemplateLinesEnd correctly also when a repeat(auto-fill/fit) has more than one track.
Fix for a 76 regression, the number of crashes is small but almost all the signatures are on 77 and it also adds tests. Let's take it in Beta while we are still early in the cycle, thanks.
Comment 14•4 years ago
bugherder uplift